diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 00:47:55 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 00:47:55 +0000 |
commit | 26a029d407be480d791972afb5975cf62c9360a6 (patch) | |
tree | f435a8308119effd964b339f76abb83a57c29483 /security/manager | |
parent | Initial commit. (diff) | |
download | firefox-26a029d407be480d791972afb5975cf62c9360a6.tar.xz firefox-26a029d407be480d791972afb5975cf62c9360a6.zip |
Adding upstream version 124.0.1.upstream/124.0.1
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'security/manager')
1424 files changed, 256386 insertions, 0 deletions
diff --git a/security/manager/android_stub.h b/security/manager/android_stub.h new file mode 100644 index 0000000000..8e83f76568 --- /dev/null +++ b/security/manager/android_stub.h @@ -0,0 +1,31 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +/* This file allows NSS to build by stubbing out + * features that aren't provided by Android/Bionic */ + +#ifndef ANDROID_STUB_H +#define ANDROID_STUB_H + +/* sysinfo is defined but not implemented. + * we may be able to implement it ourselves. */ +#define _SYS_SYSINFO_H_ + +#include <sys/cdefs.h> +#include <sys/resource.h> +#include <linux/kernel.h> +#include <unistd.h> + +#ifndef ANDROID_VERSION +# include <android/api-level.h> +# define ANDROID_VERSION __ANDROID_API__ +#endif + +#if ANDROID_VERSION < 21 +# define RTLD_NOLOAD 0 +#endif + +#define sysinfo(foo) -1 + +#endif /* ANDROID_STUB_H */ diff --git a/security/manager/locales/en-US/chrome/pipnss/nsserrors.properties b/security/manager/locales/en-US/chrome/pipnss/nsserrors.properties new file mode 100644 index 0000000000..d698db12af --- /dev/null +++ b/security/manager/locales/en-US/chrome/pipnss/nsserrors.properties @@ -0,0 +1,331 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +SSL_ERROR_EXPORT_ONLY_SERVER=Unable to communicate securely. Peer does not support high-grade encryption. +SSL_ERROR_US_ONLY_SERVER=Unable to communicate securely. Peer requires high-grade encryption which is not supported. +SSL_ERROR_NO_CYPHER_OVERLAP=Cannot communicate securely with peer: no common encryption algorithm(s). +SSL_ERROR_NO_CERTIFICATE=Unable to find the certificate or key necessary for authentication. +SSL_ERROR_BAD_CERTIFICATE=Unable to communicate securely with peer: peers’s certificate was rejected. +SSL_ERROR_BAD_CLIENT=The server has encountered bad data from the client. +SSL_ERROR_BAD_SERVER=The client has encountered bad data from the server. +SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE=Unsupported certificate type. +SSL_ERROR_UNSUPPORTED_VERSION=Peer using unsupported version of security protocol. +SSL_ERROR_WRONG_CERTIFICATE=Client authentication failed: private key in key database does not match public key in certificate database. +SSL_ERROR_BAD_CERT_DOMAIN=Unable to communicate securely with peer: requested domain name does not match the server’s certificate. +SSL_ERROR_POST_WARNING=Unrecognized SSL error code. +SSL_ERROR_SSL2_DISABLED=Peer only supports SSL version 2, which is locally disabled. +SSL_ERROR_BAD_MAC_READ=SSL received a record with an incorrect Message Authentication Code. +SSL_ERROR_BAD_MAC_ALERT=SSL peer reports incorrect Message Authentication Code. +SSL_ERROR_BAD_CERT_ALERT=SSL peer cannot verify your certificate. +SSL_ERROR_REVOKED_CERT_ALERT=SSL peer rejected your certificate as revoked. +SSL_ERROR_EXPIRED_CERT_ALERT=SSL peer rejected your certificate as expired. +SSL_ERROR_SSL_DISABLED=Cannot connect: SSL is disabled. +SSL_ERROR_FORTEZZA_PQG=Cannot connect: SSL peer is in another FORTEZZA domain. +SSL_ERROR_UNKNOWN_CIPHER_SUITE=An unknown SSL cipher suite has been requested. +SSL_ERROR_NO_CIPHERS_SUPPORTED=No cipher suites are present and enabled in this program. +SSL_ERROR_BAD_BLOCK_PADDING=SSL received a record with bad block padding. +SSL_ERROR_RX_RECORD_TOO_LONG=SSL received a record that exceeded the maximum permissible length. +SSL_ERROR_TX_RECORD_TOO_LONG=SSL attempted to send a record that exceeded the maximum permissible length. +SSL_ERROR_RX_MALFORMED_HELLO_REQUEST=SSL received a malformed Hello Request handshake message. +SSL_ERROR_RX_MALFORMED_CLIENT_HELLO=SSL received a malformed Client Hello handshake message. +SSL_ERROR_RX_MALFORMED_SERVER_HELLO=SSL received a malformed Server Hello handshake message. +SSL_ERROR_RX_MALFORMED_CERTIFICATE=SSL received a malformed Certificate handshake message. +SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH=SSL received a malformed Server Key Exchange handshake message. +SSL_ERROR_RX_MALFORMED_CERT_REQUEST=SSL received a malformed Certificate Request handshake message. +SSL_ERROR_RX_MALFORMED_HELLO_DONE=SSL received a malformed Server Hello Done handshake message. +SSL_ERROR_RX_MALFORMED_CERT_VERIFY=SSL received a malformed Certificate Verify handshake message. +SSL_ERROR_RX_MALFORMED_CLIENT_KEY_EXCH=SSL received a malformed Client Key Exchange handshake message. +SSL_ERROR_RX_MALFORMED_FINISHED=SSL received a malformed Finished handshake message. +SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER=SSL received a malformed Change Cipher Spec record. +SSL_ERROR_RX_MALFORMED_ALERT=SSL received a malformed Alert record. +SSL_ERROR_RX_MALFORMED_HANDSHAKE=SSL received a malformed Handshake record. +SSL_ERROR_RX_MALFORMED_APPLICATION_DATA=SSL received a malformed Application Data record. +SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST=SSL received an unexpected Hello Request handshake message. +SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO=SSL received an unexpected Client Hello handshake message. +SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO=SSL received an unexpected Server Hello handshake message. +SSL_ERROR_RX_UNEXPECTED_CERTIFICATE=SSL received an unexpected Certificate handshake message. +SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH=SSL received an unexpected Server Key Exchange handshake message. +SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST=SSL received an unexpected Certificate Request handshake message. +SSL_ERROR_RX_UNEXPECTED_HELLO_DONE=SSL received an unexpected Server Hello Done handshake message. +SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY=SSL received an unexpected Certificate Verify handshake message. +SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH=SSL received an unexpected Client Key Exchange handshake message. +SSL_ERROR_RX_UNEXPECTED_FINISHED=SSL received an unexpected Finished handshake message. +SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER=SSL received an unexpected Change Cipher Spec record. +SSL_ERROR_RX_UNEXPECTED_ALERT=SSL received an unexpected Alert record. +SSL_ERROR_RX_UNEXPECTED_HANDSHAKE=SSL received an unexpected Handshake record. +SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA=SSL received an unexpected Application Data record. +SSL_ERROR_RX_UNKNOWN_RECORD_TYPE=SSL received a record with an unknown content type. +SSL_ERROR_RX_UNKNOWN_HANDSHAKE=SSL received a handshake message with an unknown message type. +SSL_ERROR_RX_UNKNOWN_ALERT=SSL received an alert record with an unknown alert description. +SSL_ERROR_CLOSE_NOTIFY_ALERT=SSL peer has closed this connection. +SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT=SSL peer was not expecting a handshake message it received. +SSL_ERROR_DECOMPRESSION_FAILURE_ALERT=SSL peer was unable to successfully decompress an SSL record it received. +SSL_ERROR_HANDSHAKE_FAILURE_ALERT=SSL peer was unable to negotiate an acceptable set of security parameters. +SSL_ERROR_ILLEGAL_PARAMETER_ALERT=SSL peer rejected a handshake message for unacceptable content. +SSL_ERROR_UNSUPPORTED_CERT_ALERT=SSL peer does not support certificates of the type it received. +SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT=SSL peer had some unspecified issue with the certificate it received. +SSL_ERROR_GENERATE_RANDOM_FAILURE=SSL experienced a failure of its random number generator. +SSL_ERROR_SIGN_HASHES_FAILURE=Unable to digitally sign data required to verify your certificate. +SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE=SSL was unable to extract the public key from the peer’s certificate. +SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE=Unspecified failure while processing SSL Server Key Exchange handshake. +SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE=Unspecified failure while processing SSL Client Key Exchange handshake. +SSL_ERROR_ENCRYPTION_FAILURE=Bulk data encryption algorithm failed in selected cipher suite. +SSL_ERROR_DECRYPTION_FAILURE=Bulk data decryption algorithm failed in selected cipher suite. +SSL_ERROR_SOCKET_WRITE_FAILURE=Attempt to write encrypted data to underlying socket failed. +SSL_ERROR_MD5_DIGEST_FAILURE=MD5 digest function failed. +SSL_ERROR_SHA_DIGEST_FAILURE=SHA-1 digest function failed. +SSL_ERROR_MAC_COMPUTATION_FAILURE=MAC computation failed. +SSL_ERROR_SYM_KEY_CONTEXT_FAILURE=Failure to create Symmetric Key context. +SSL_ERROR_SYM_KEY_UNWRAP_FAILURE=Failure to unwrap the Symmetric key in Client Key Exchange message. +SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED=SSL Server attempted to use domestic-grade public key with export cipher suite. +SSL_ERROR_IV_PARAM_FAILURE=PKCS11 code failed to translate an IV into a param. +SSL_ERROR_INIT_CIPHER_SUITE_FAILURE=Failed to initialize the selected cipher suite. +SSL_ERROR_SESSION_KEY_GEN_FAILURE=Client failed to generate session keys for SSL session. +SSL_ERROR_NO_SERVER_KEY_FOR_ALG=Server has no key for the attempted key exchange algorithm. +SSL_ERROR_TOKEN_INSERTION_REMOVAL=PKCS#11 token was inserted or removed while operation was in progress. +SSL_ERROR_TOKEN_SLOT_NOT_FOUND=No PKCS#11 token could be found to do a required operation. +SSL_ERROR_NO_COMPRESSION_OVERLAP=Cannot communicate securely with peer: no common compression algorithm(s). +SSL_ERROR_HANDSHAKE_NOT_COMPLETED=Cannot initiate another SSL handshake until current handshake is complete. +SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE=Received incorrect handshakes hash values from peer. +SSL_ERROR_CERT_KEA_MISMATCH=The certificate provided cannot be used with the selected key exchange algorithm. +SSL_ERROR_NO_TRUSTED_SSL_CLIENT_CA=No certificate authority is trusted for SSL client authentication. +SSL_ERROR_SESSION_NOT_FOUND=Client’s SSL session ID not found in server’s session cache. +SSL_ERROR_DECRYPTION_FAILED_ALERT=Peer was unable to decrypt an SSL record it received. +SSL_ERROR_RECORD_OVERFLOW_ALERT=Peer received an SSL record that was longer than is permitted. +SSL_ERROR_UNKNOWN_CA_ALERT=Peer does not recognize and trust the CA that issued your certificate. +SSL_ERROR_ACCESS_DENIED_ALERT=Peer received a valid certificate, but access was denied. +SSL_ERROR_DECODE_ERROR_ALERT=Peer could not decode an SSL handshake message. +SSL_ERROR_DECRYPT_ERROR_ALERT=Peer reports failure of signature verification or key exchange. +SSL_ERROR_EXPORT_RESTRICTION_ALERT=Peer reports negotiation not in compliance with export regulations. +SSL_ERROR_PROTOCOL_VERSION_ALERT=Peer reports incompatible or unsupported protocol version. +SSL_ERROR_INSUFFICIENT_SECURITY_ALERT=Server requires ciphers more secure than those supported by client. +SSL_ERROR_INTERNAL_ERROR_ALERT=Peer reports it experienced an internal error. +SSL_ERROR_USER_CANCELED_ALERT=Peer user canceled handshake. +SSL_ERROR_NO_RENEGOTIATION_ALERT=Peer does not permit renegotiation of SSL security parameters. +SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED=SSL server cache not configured and not disabled for this socket. +SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT=SSL peer does not support requested TLS hello extension. +SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT=SSL peer could not obtain your certificate from the supplied URL. +SSL_ERROR_UNRECOGNIZED_NAME_ALERT=SSL peer has no certificate for the requested DNS name. +SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT=SSL peer was unable to get an OCSP response for its certificate. +SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT=SSL peer reported bad certificate hash value. +SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET=SSL received an unexpected New Session Ticket handshake message. +SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET=SSL received a malformed New Session Ticket handshake message. +SSL_ERROR_DECOMPRESSION_FAILURE=SSL received a compressed record that could not be decompressed. +SSL_ERROR_RENEGOTIATION_NOT_ALLOWED=Renegotiation is not allowed on this SSL socket. +SSL_ERROR_UNSAFE_NEGOTIATION=Peer attempted old style (potentially vulnerable) handshake. +SSL_ERROR_RX_UNEXPECTED_UNCOMPRESSED_RECORD=SSL received an unexpected uncompressed record. +SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY=SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. +SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID=SSL received invalid NPN extension data. +SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2=SSL feature not supported for SSL 2.0 connections. +SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SERVERS=SSL feature not supported for servers. +SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_CLIENTS=SSL feature not supported for clients. +SSL_ERROR_INVALID_VERSION_RANGE=SSL version range is not valid. +SSL_ERROR_CIPHER_DISALLOWED_FOR_VERSION=SSL peer selected a cipher suite disallowed for the selected protocol version. +SSL_ERROR_RX_MALFORMED_HELLO_VERIFY_REQUEST=SSL received a malformed Hello Verify Request handshake message. +SSL_ERROR_RX_UNEXPECTED_HELLO_VERIFY_REQUEST=SSL received an unexpected Hello Verify Request handshake message. +SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_VERSION=SSL feature not supported for the protocol version. +SSL_ERROR_RX_UNEXPECTED_CERT_STATUS=SSL received an unexpected Certificate Status handshake message. +SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM=Unsupported hash algorithm used by TLS peer. +SSL_ERROR_DIGEST_FAILURE=Digest function failed. +SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM=Incorrect signature algorithm specified in a digitally-signed element. +SSL_ERROR_NEXT_PROTOCOL_NO_CALLBACK=The next protocol negotiation extension was enabled, but the callback was cleared prior to being needed. +SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL=The server supports no protocols that the client advertises in the ALPN extension. +SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT=The server rejected the handshake because the client downgraded to a lower TLS version than the server supports. +SSL_ERROR_WEAK_SERVER_CERT_KEY=The server certificate included a public key that was too weak. +SSL_ERROR_RX_SHORT_DTLS_READ=Not enough room in buffer for DTLS record. +SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM=No supported TLS signature algorithm was configured. +SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM=The peer used an unsupported combination of signature and hash algorithm. +SSL_ERROR_MISSING_EXTENDED_MASTER_SECRET=The peer tried to resume without a correct extended_master_secret extension. +SSL_ERROR_UNEXPECTED_EXTENDED_MASTER_SECRET=The peer tried to resume with an unexpected extended_master_secret extension. +SEC_ERROR_IO=An I/O error occurred during security authorization. +SEC_ERROR_LIBRARY_FAILURE=security library failure. +SEC_ERROR_BAD_DATA=security library: received bad data. +SEC_ERROR_OUTPUT_LEN=security library: output length error. +SEC_ERROR_INPUT_LEN=security library has experienced an input length error. +SEC_ERROR_INVALID_ARGS=security library: invalid arguments. +SEC_ERROR_INVALID_ALGORITHM=security library: invalid algorithm. +SEC_ERROR_INVALID_AVA=security library: invalid AVA. +SEC_ERROR_INVALID_TIME=Improperly formatted time string. +SEC_ERROR_BAD_DER=security library: improperly formatted DER-encoded message. +SEC_ERROR_BAD_SIGNATURE=Peer’s certificate has an invalid signature. +SEC_ERROR_EXPIRED_CERTIFICATE=Peer’s Certificate has expired. +SEC_ERROR_REVOKED_CERTIFICATE=Peer’s Certificate has been revoked. +SEC_ERROR_UNKNOWN_ISSUER=Peer’s Certificate issuer is not recognized. +SEC_ERROR_BAD_KEY=Peer’s public key is invalid. +SEC_ERROR_BAD_PASSWORD=The security password entered is incorrect. +SEC_ERROR_RETRY_PASSWORD=New password entered incorrectly. Please try again. +SEC_ERROR_NO_NODELOCK=security library: no nodelock. +SEC_ERROR_BAD_DATABASE=security library: bad database. +SEC_ERROR_NO_MEMORY=security library: memory allocation failure. +SEC_ERROR_UNTRUSTED_ISSUER=Peer’s certificate issuer has been marked as not trusted by the user. +SEC_ERROR_UNTRUSTED_CERT=Peer’s certificate has been marked as not trusted by the user. +SEC_ERROR_DUPLICATE_CERT=Certificate already exists in your database. +SEC_ERROR_DUPLICATE_CERT_NAME=Downloaded certificate’s name duplicates one already in your database. +SEC_ERROR_ADDING_CERT=Error adding certificate to database. +SEC_ERROR_FILING_KEY=Error refiling the key for this certificate. +SEC_ERROR_NO_KEY=The private key for this certificate cannot be found in key database +SEC_ERROR_CERT_VALID=This certificate is valid. +SEC_ERROR_CERT_NOT_VALID=This certificate is not valid. +SEC_ERROR_CERT_NO_RESPONSE=Cert Library: No Response +SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE=The certificate issuer’s certificate has expired. Check your system date and time. +SEC_ERROR_CRL_EXPIRED=The CRL for the certificate’s issuer has expired. Update it or check your system date and time. +SEC_ERROR_CRL_BAD_SIGNATURE=The CRL for the certificate’s issuer has an invalid signature. +SEC_ERROR_CRL_INVALID=New CRL has an invalid format. +SEC_ERROR_EXTENSION_VALUE_INVALID=Certificate extension value is invalid. +SEC_ERROR_EXTENSION_NOT_FOUND=Certificate extension not found. +SEC_ERROR_CA_CERT_INVALID=Issuer certificate is invalid. +SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID=Certificate path length constraint is invalid. +SEC_ERROR_CERT_USAGES_INVALID=Certificate usages field is invalid. +SEC_INTERNAL_ONLY=**Internal ONLY module** +SEC_ERROR_INVALID_KEY=The key does not support the requested operation. +SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION=Certificate contains unknown critical extension. +SEC_ERROR_OLD_CRL=New CRL is not later than the current one. +SEC_ERROR_NO_EMAIL_CERT=Not encrypted or signed: you do not yet have an email certificate. +SEC_ERROR_NO_RECIPIENT_CERTS_QUERY=Not encrypted: you do not have certificates for each of the recipients. +SEC_ERROR_NOT_A_RECIPIENT=Cannot decrypt: you are not a recipient, or matching certificate and private key not found. +SEC_ERROR_PKCS7_KEYALG_MISMATCH=Cannot decrypt: key encryption algorithm does not match your certificate. +SEC_ERROR_PKCS7_BAD_SIGNATURE=Signature verification failed: no signer found, too many signers found, or improper or corrupted data. +SEC_ERROR_UNSUPPORTED_KEYALG=Unsupported or unknown key algorithm. +SEC_ERROR_DECRYPTION_DISALLOWED=Cannot decrypt: encrypted using a disallowed algorithm or key size. +XP_SEC_FORTEZZA_BAD_CARD=Fortezza card has not been properly initialized. Please remove it and return it to your issuer. +XP_SEC_FORTEZZA_NO_CARD=No Fortezza cards Found +XP_SEC_FORTEZZA_NONE_SELECTED=No Fortezza card selected +XP_SEC_FORTEZZA_MORE_INFO=Please select a personality to get more info on +XP_SEC_FORTEZZA_PERSON_NOT_FOUND=Personality not found +XP_SEC_FORTEZZA_NO_MORE_INFO=No more information on that Personality +XP_SEC_FORTEZZA_BAD_PIN=Invalid Pin +XP_SEC_FORTEZZA_PERSON_ERROR=Couldn’t initialize Fortezza personalities. +SEC_ERROR_NO_KRL=No KRL for this site’s certificate has been found. +SEC_ERROR_KRL_EXPIRED=The KRL for this site’s certificate has expired. +SEC_ERROR_KRL_BAD_SIGNATURE=The KRL for this site’s certificate has an invalid signature. +SEC_ERROR_REVOKED_KEY=The key for this site’s certificate has been revoked. +SEC_ERROR_KRL_INVALID=New KRL has an invalid format. +SEC_ERROR_NEED_RANDOM=security library: need random data. +SEC_ERROR_NO_MODULE=security library: no security module can perform the requested operation. +SEC_ERROR_NO_TOKEN=The security card or token does not exist, needs to be initialized, or has been removed. +SEC_ERROR_READ_ONLY=security library: read-only database. +SEC_ERROR_NO_SLOT_SELECTED=No slot or token was selected. +SEC_ERROR_CERT_NICKNAME_COLLISION=A certificate with the same nickname already exists. +SEC_ERROR_KEY_NICKNAME_COLLISION=A key with the same nickname already exists. +SEC_ERROR_SAFE_NOT_CREATED=error while creating safe object +SEC_ERROR_BAGGAGE_NOT_CREATED=error while creating baggage object +XP_JAVA_REMOVE_PRINCIPAL_ERROR=Couldn’t remove the principal +XP_JAVA_DELETE_PRIVILEGE_ERROR=Couldn’t delete the privilege +XP_JAVA_CERT_NOT_EXISTS_ERROR=This principal doesn’t have a certificate +SEC_ERROR_BAD_EXPORT_ALGORITHM=Required algorithm is not allowed. +SEC_ERROR_EXPORTING_CERTIFICATES=Error attempting to export certificates. +SEC_ERROR_IMPORTING_CERTIFICATES=Error attempting to import certificates. +SEC_ERROR_PKCS12_DECODING_PFX=Unable to import. Decoding error. File not valid. +SEC_ERROR_PKCS12_INVALID_MAC=Unable to import. Invalid MAC. Incorrect password or corrupt file. +SEC_ERROR_PKCS12_UNSUPPORTED_MAC_ALGORITHM=Unable to import. MAC algorithm not supported. +SEC_ERROR_PKCS12_UNSUPPORTED_TRANSPORT_MODE=Unable to import. Only password integrity and privacy modes supported. +SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE=Unable to import. File structure is corrupt. +SEC_ERROR_PKCS12_UNSUPPORTED_PBE_ALGORITHM=Unable to import. Encryption algorithm not supported. +SEC_ERROR_PKCS12_UNSUPPORTED_VERSION=Unable to import. File version not supported. +SEC_ERROR_PKCS12_PRIVACY_PASSWORD_INCORRECT=Unable to import. Incorrect privacy password. +SEC_ERROR_PKCS12_CERT_COLLISION=Unable to import. Same nickname already exists in database. +SEC_ERROR_USER_CANCELLED=The user pressed cancel. +SEC_ERROR_PKCS12_DUPLICATE_DATA=Not imported, already in database. +SEC_ERROR_MESSAGE_SEND_ABORTED=Message not sent. +SEC_ERROR_INADEQUATE_KEY_USAGE=Certificate key usage inadequate for attempted operation. +SEC_ERROR_INADEQUATE_CERT_TYPE=Certificate type not approved for application. +SEC_ERROR_CERT_ADDR_MISMATCH=Address in signing certificate does not match address in message headers. +SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY=Unable to import. Error attempting to import private key. +SEC_ERROR_PKCS12_IMPORTING_CERT_CHAIN=Unable to import. Error attempting to import certificate chain. +SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME=Unable to export. Unable to locate certificate or key by nickname. +SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY=Unable to export. Private Key could not be located and exported. +SEC_ERROR_PKCS12_UNABLE_TO_WRITE=Unable to export. Unable to write the export file. +SEC_ERROR_PKCS12_UNABLE_TO_READ=Unable to import. Unable to read the import file. +SEC_ERROR_PKCS12_KEY_DATABASE_NOT_INITIALIZED=Unable to export. Key database corrupt or deleted. +SEC_ERROR_KEYGEN_FAIL=Unable to generate public/private key pair. +SEC_ERROR_INVALID_PASSWORD=Password entered is invalid. Please pick a different one. +SEC_ERROR_RETRY_OLD_PASSWORD=Old password entered incorrectly. Please try again. +SEC_ERROR_BAD_NICKNAME=Certificate nickname already in use. +SEC_ERROR_NOT_FORTEZZA_ISSUER=Peer FORTEZZA chain has a non-FORTEZZA Certificate. +SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY=A sensitive key cannot be moved to the slot where it is needed. +SEC_ERROR_JS_INVALID_MODULE_NAME=Invalid module name. +SEC_ERROR_JS_INVALID_DLL=Invalid module path/filename +SEC_ERROR_JS_ADD_MOD_FAILURE=Unable to add module +SEC_ERROR_JS_DEL_MOD_FAILURE=Unable to delete module +SEC_ERROR_OLD_KRL=New KRL is not later than the current one. +SEC_ERROR_CKL_CONFLICT=New CKL has different issuer than current CKL. Delete current CKL. +SEC_ERROR_CERT_NOT_IN_NAME_SPACE=The Certifying Authority for this certificate is not permitted to issue a certificate with this name. +SEC_ERROR_KRL_NOT_YET_VALID=The key revocation list for this certificate is not yet valid. +SEC_ERROR_CRL_NOT_YET_VALID=The certificate revocation list for this certificate is not yet valid. +SEC_ERROR_UNKNOWN_CERT=The requested certificate could not be found. +SEC_ERROR_UNKNOWN_SIGNER=The signer’s certificate could not be found. +SEC_ERROR_CERT_BAD_ACCESS_LOCATION=The location for the certificate status server has invalid format. +SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE=The OCSP response cannot be fully decoded; it is of an unknown type. +SEC_ERROR_OCSP_BAD_HTTP_RESPONSE=The OCSP server returned unexpected/invalid HTTP data. +SEC_ERROR_OCSP_MALFORMED_REQUEST=The OCSP server found the request to be corrupted or improperly formed. +SEC_ERROR_OCSP_SERVER_ERROR=The OCSP server experienced an internal error. +SEC_ERROR_OCSP_TRY_SERVER_LATER=The OCSP server suggests trying again later. +SEC_ERROR_OCSP_REQUEST_NEEDS_SIG=The OCSP server requires a signature on this request. +SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST=The OCSP server has refused this request as unauthorized. +SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS=The OCSP server returned an unrecognizable status. +SEC_ERROR_OCSP_UNKNOWN_CERT=The OCSP server has no status for the certificate. +SEC_ERROR_OCSP_NOT_ENABLED=You must enable OCSP before performing this operation. +SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER=You must set the OCSP default responder before performing this operation. +SEC_ERROR_OCSP_MALFORMED_RESPONSE=The response from the OCSP server was corrupted or improperly formed. +SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE=The signer of the OCSP response is not authorized to give status for this certificate. +SEC_ERROR_OCSP_FUTURE_RESPONSE=The OCSP response is not yet valid (contains a date in the future). +SEC_ERROR_OCSP_OLD_RESPONSE=The OCSP response contains out-of-date information. +SEC_ERROR_DIGEST_NOT_FOUND=The CMS or PKCS #7 Digest was not found in signed message. +SEC_ERROR_UNSUPPORTED_MESSAGE_TYPE=The CMS or PKCS #7 Message type is unsupported. +SEC_ERROR_MODULE_STUCK=PKCS #11 module could not be removed because it is still in use. +SEC_ERROR_BAD_TEMPLATE=Could not decode ASN.1 data. Specified template was invalid. +SEC_ERROR_CRL_NOT_FOUND=No matching CRL was found. +SEC_ERROR_REUSED_ISSUER_AND_SERIAL=You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert. +SEC_ERROR_BUSY=NSS could not shutdown. Objects are still in use. +SEC_ERROR_EXTRA_INPUT=DER-encoded message contained extra unused data. +SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE=Unsupported elliptic curve. +SEC_ERROR_UNSUPPORTED_EC_POINT_FORM=Unsupported elliptic curve point form. +SEC_ERROR_UNRECOGNIZED_OID=Unrecognized Object Identifier. +SEC_ERROR_OCSP_INVALID_SIGNING_CERT=Invalid OCSP signing certificate in OCSP response. +SEC_ERROR_REVOKED_CERTIFICATE_CRL=Certificate is revoked in issuer’s certificate revocation list. +SEC_ERROR_REVOKED_CERTIFICATE_OCSP=Issuer’s OCSP responder reports certificate is revoked. +SEC_ERROR_CRL_INVALID_VERSION=Issuer’s Certificate Revocation List has an unknown version number. +SEC_ERROR_CRL_V1_CRITICAL_EXTENSION=Issuer’s V1 Certificate Revocation List has a critical extension. +SEC_ERROR_CRL_UNKNOWN_CRITICAL_EXTENSION=Issuer’s V2 Certificate Revocation List has an unknown critical extension. +SEC_ERROR_UNKNOWN_OBJECT_TYPE=Unknown object type specified. +SEC_ERROR_INCOMPATIBLE_PKCS11=PKCS #11 driver violates the spec in an incompatible way. +SEC_ERROR_NO_EVENT=No new slot event is available at this time. +SEC_ERROR_CRL_ALREADY_EXISTS=CRL already exists. +SEC_ERROR_NOT_INITIALIZED=NSS is not initialized. +SEC_ERROR_TOKEN_NOT_LOGGED_IN=The operation failed because the PKCS#11 token is not logged in. +SEC_ERROR_OCSP_RESPONDER_CERT_INVALID=Configured OCSP responder’s certificate is invalid. +SEC_ERROR_OCSP_BAD_SIGNATURE=OCSP response has an invalid signature. +SEC_ERROR_OUT_OF_SEARCH_LIMITS=Cert validation search is out of search limits +SEC_ERROR_INVALID_POLICY_MAPPING=Policy mapping contains anypolicy +SEC_ERROR_POLICY_VALIDATION_FAILED=Cert chain fails policy validation +SEC_ERROR_UNKNOWN_AIA_LOCATION_TYPE=Unknown location type in cert AIA extension +SEC_ERROR_BAD_HTTP_RESPONSE=Server returned bad HTTP response +SEC_ERROR_BAD_LDAP_RESPONSE=Server returned bad LDAP response +SEC_ERROR_FAILED_TO_ENCODE_DATA=Failed to encode data with ASN1 encoder +SEC_ERROR_BAD_INFO_ACCESS_LOCATION=Bad information access location in cert extension +SEC_ERROR_LIBPKIX_INTERNAL=Libpkix internal error occurred during cert validation. +SEC_ERROR_PKCS11_GENERAL_ERROR=A PKCS #11 module returned CKR_GENERAL_ERROR, indicating that an unrecoverable error has occurred. +SEC_ERROR_PKCS11_FUNCTION_FAILED=A PKCS #11 module returned CKR_FUNCTION_FAILED, indicating that the requested function could not be performed. Trying the same operation again might succeed. +SEC_ERROR_PKCS11_DEVICE_ERROR=A PKCS #11 module returned CKR_DEVICE_ERROR, indicating that a problem has occurred with the token or slot. +SEC_ERROR_BAD_INFO_ACCESS_METHOD=Unknown information access method in certificate extension. +SEC_ERROR_CRL_IMPORT_FAILED=Error attempting to import a CRL. +SEC_ERROR_EXPIRED_PASSWORD=The password expired. +SEC_ERROR_LOCKED_PASSWORD=The password is locked. +SEC_ERROR_UNKNOWN_PKCS11_ERROR=Unknown PKCS #11 error. +SEC_ERROR_BAD_CRL_DP_URL=Invalid or unsupported URL in CRL distribution point name. +SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED=The certificate was signed using a signature algorithm that is disabled because it is not secure. +MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE=The server uses key pinning (HPKP) but no trusted certificate chain could be constructed that matches the pinset. Key pinning violations cannot be overridden. +MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY=The server uses a certificate with a basic constraints extension identifying it as a certificate authority. For a properly-issued certificate, this should not be the case. +MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE=The server presented a certificate with a key size that is too small to establish a secure connection. +MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA=An X.509 version 1 certificate that is not a trust anchor was used to issue the server’s certificate. X.509 version 1 certificates are deprecated and should not be used to sign other certificates. +MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE=The server presented a certificate that is not yet valid. +MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE=A certificate that is not yet valid was used to issue the server’s certificate. +MOZILLA_PKIX_ERROR_SIGNATURE_ALGORITHM_MISMATCH=The signature algorithm in the signature field of the certificate does not match the algorithm in its signatureAlgorithm field. +MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING=The OCSP response does not include a status for the certificate being verified. +MOZILLA_PKIX_ERROR_VALIDITY_TOO_LONG=The server presented a certificate that is valid for too long. +MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING=A required TLS feature is missing. +MOZILLA_PKIX_ERROR_INVALID_INTEGER_ENCODING=The server presented a certificate that contains an invalid encoding of an integer. Common causes include negative serial numbers, negative RSA moduli, and encodings that are longer than necessary. +MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME=The server presented a certificate with an empty issuer distinguished name. +MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED=An additional policy constraint failed when validating this certificate. +MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT=The certificate is not trusted because it is self-signed. diff --git a/security/manager/locales/en-US/chrome/pipnss/pipnss.properties b/security/manager/locales/en-US/chrome/pipnss/pipnss.properties new file mode 100644 index 0000000000..c7f946dd60 --- /dev/null +++ b/security/manager/locales/en-US/chrome/pipnss/pipnss.properties @@ -0,0 +1,123 @@ +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +CertPasswordPrompt=Please enter the password for the PKCS#11 token %S. + +CertPasswordPromptDefault=Please enter your Primary Password. + +# The following strings have special requirements: they must fit in a 32 or 64 +# bytes buffer after being encoded to UTF-8. +# +# It's possible to verify the length of a translation using the Browser Console +# in Firefox and evaluating the following code: +# +# (new TextEncoder().encode('YOURSTRING')).length +# +# Simply replace YOURSTRING with your translation. +# +# If it's not possible to produce an understandable translation within these +# limits, keeping the English text is an acceptable workaround. + +# LOCALIZATION NOTE (RootCertModuleName): string limit is 64 bytes after +# conversion to UTF-8. +# length_limit = 64 bytes +RootCertModuleName=Builtin Roots Module +# LOCALIZATION NOTE (ManufacturerID): string limit is 32 bytes after conversion +# to UTF-8. +# length_limit = 32 bytes +ManufacturerID=Mozilla.org +# LOCALIZATION NOTE (LibraryDescription): string limit is 32 bytes after +# conversion to UTF-8. +# length_limit = 32 bytes +LibraryDescription=PSM Internal Crypto Services +# LOCALIZATION NOTE (TokenDescription): string limit is 32 bytes after +# conversion to UTF-8. +# length_limit = 32 bytes +TokenDescription=Generic Crypto Services +# LOCALIZATION NOTE (PrivateTokenDescription): string limit is 32 bytes after +# conversion to UTF-8. +# length_limit = 32 bytes +PrivateTokenDescription=Software Security Device +# LOCALIZATION NOTE (SlotDescription): string limit is 64 bytes after conversion +# to UTF-8. +# length_limit = 64 bytes +SlotDescription=PSM Internal Cryptographic Services +# LOCALIZATION NOTE (PrivateSlotDescription): string limit is 64 bytes after +# conversion to UTF-8. +# length_limit = 64 bytes +PrivateSlotDescription=PSM Private Keys +# LOCALIZATION NOTE (Fips140TokenDescription): string limit is 32 bytes after +# conversion to UTF-8. +# length_limit = 32 bytes +Fips140TokenDescription=Software Security Device (FIPS) +# LOCALIZATION NOTE (Fips140SlotDescription): string limit is 64 bytes after +# conversion to UTF-8. +# length_limit = 64 bytes +Fips140SlotDescription=FIPS 140 Cryptographic, Key and Certificate Services + +# LOCALIZATION NOTE (nick_template): $1s is the common name from a cert (e.g. "Mozilla"), $2s is the CA name (e.g. VeriSign) +nick_template=%1$s’s %2$s ID + +CertDumpKUSign=Signing +CertDumpKUNonRep=Non-repudiation +CertDumpKUEnc=Key Encipherment +CertDumpKUDEnc=Data Encipherment +CertDumpKUKA=Key Agreement +CertDumpKUCertSign=Certificate Signer +CertDumpKUCRLSigner=CRL Signer + +PSMERR_SSL_Disabled=Can’t connect securely because the SSL protocol has been disabled. +PSMERR_SSL2_Disabled=Can’t connect securely because the site uses an older, insecure version of the SSL protocol. +PSMERR_HostReusedIssuerSerial=You have received an invalid certificate. Please contact the server administrator or email correspondent and give them the following information:\n\nYour certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number. + +# LOCALIZATION NOTE (SSLConnectionErrorPrefix2): %1$S is the host string, %2$S is more detailed information (localized as well). +SSLConnectionErrorPrefix2=An error occurred during a connection to %1$S. %2$S\n + +certErrorIntro=%S uses an invalid security certificate. + +certErrorTrust_SelfSigned=The certificate is not trusted because it is self-signed. +certErrorTrust_UnknownIssuer=The certificate is not trusted because the issuer certificate is unknown. +certErrorTrust_UnknownIssuer2=The server might not be sending the appropriate intermediate certificates. +certErrorTrust_UnknownIssuer3=An additional root certificate may need to be imported. +certErrorTrust_CaInvalid=The certificate is not trusted because it was issued by an invalid CA certificate. +certErrorTrust_Issuer=The certificate is not trusted because the issuer certificate is not trusted. +certErrorTrust_SignatureAlgorithmDisabled=The certificate is not trusted because it was signed using a signature algorithm that was disabled because that algorithm is not secure. +certErrorTrust_ExpiredIssuer=The certificate is not trusted because the issuer certificate has expired. +certErrorTrust_Untrusted=The certificate does not come from a trusted source. +certErrorTrust_MitM=Your connection is being intercepted by a TLS proxy. Uninstall it if possible or configure your device to trust its root certificate. + +certErrorMismatch=The certificate is not valid for the name %S. +# LOCALIZATION NOTE (certErrorMismatchSinglePrefix): %S is replaced by the domain for which the certificate is valid +certErrorMismatchSinglePrefix=The certificate is only valid for %S. +certErrorMismatchMultiple=The certificate is only valid for the following names: + +# LOCALIZATION NOTE (certErrorExpiredNow): Do not translate %1$S (date+time of expired certificate) or %2$S (current date+time) +certErrorExpiredNow=The certificate expired on %1$S. The current time is %2$S. + +# LOCALIZATION NOTE (certErrorNotYetValidNow): Do not translate %1$S (date+time certificate will become valid) or %2$S (current date+time) +certErrorNotYetValidNow=The certificate will not be valid until %1$S. The current time is %2$S. + +certErrorMitM=Websites prove their identity via certificates, which are issued by certificate authorities. +# LOCALIZATION NOTE (certErrorMitM2): %S is brandShortName +certErrorMitM2=%S is backed by the non-profit Mozilla, which administers a completely open certificate authority (CA) store. The CA store helps ensure that certificate authorities are following best practices for user security. +# LOCALIZATION NOTE (certErrorMitM3): %S is brandShortName +certErrorMitM3=%S uses the Mozilla CA store to verify that a connection is secure, rather than certificates supplied by the user’s operating system. So, if an antivirus program or a network is intercepting a connection with a security certificate issued by a CA that is not in the Mozilla CA store, the connection is considered unsafe. + +certErrorSymantecDistrustAdministrator=You may notify the website’s administrator about this problem. + +# LOCALIZATION NOTE (certErrorCodePrefix3): %S is replaced by the error code. +certErrorCodePrefix3=Error code: %S + +P12DefaultNickname=Imported Certificate +CertUnknown=Unknown +CertNoEmailAddress=(no email address) +CaCertExists=This certificate is already installed as a certificate authority. +NotACACert=This is not a certificate authority certificate, so it can’t be imported into the certificate authority list. +UserCertIgnoredNoPrivateKey=This personal certificate can’t be installed because you do not own the corresponding private key which was created when the certificate was requested. +UserCertImported=Your personal certificate has been installed. You should keep a backup copy of this certificate. +CertOrgUnknown=(Unknown) +CertNotStored=(Not Stored) +CertExceptionPermanent=Permanent +CertExceptionTemporary=Temporary diff --git a/security/manager/locales/en-US/chrome/pippki/pippki.properties b/security/manager/locales/en-US/chrome/pippki/pippki.properties new file mode 100644 index 0000000000..7583c03728 --- /dev/null +++ b/security/manager/locales/en-US/chrome/pippki/pippki.properties @@ -0,0 +1,34 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +# Download Cert dialog +# LOCALIZATION NOTE(newCAMessage1): +# %S is a string representative of the certificate being downloaded/imported. +newCAMessage1=Do you want to trust “%S†for the following purposes? +unnamedCA=Certificate Authority (unnamed) + +# PKCS#12 file dialogs +getPKCS12FilePasswordMessage=Please enter the password that was used to encrypt this certificate backup: + +# Page Info +pageInfo_NoEncryption=Connection Not Encrypted +pageInfo_Privacy_None1=The website %S does not support encryption for the page you are viewing. +pageInfo_Privacy_None2=Information sent over the Internet without encryption can be seen by other people while it is in transit. +pageInfo_Privacy_None4=The page you are viewing was not encrypted before being transmitted over the Internet. +# LOCALIZATION NOTE (pageInfo_EncryptionWithBitsAndProtocol and pageInfo_BrokenEncryption): +# %1$S is the name of the encryption standard, +# %2$S is the key size of the cipher. +# %3$S is protocol version like "SSL 3" or "TLS 1.2" +pageInfo_EncryptionWithBitsAndProtocol=Connection Encrypted (%1$S, %2$S bit keys, %3$S) +pageInfo_BrokenEncryption=Broken Encryption (%1$S, %2$S bit keys, %3$S) +pageInfo_Privacy_Encrypted1=The page you are viewing was encrypted before being transmitted over the Internet. +pageInfo_Privacy_Encrypted2=Encryption makes it difficult for unauthorized people to view information traveling between computers. It is therefore unlikely that anyone read this page as it traveled across the network. +pageInfo_MixedContent=Connection Partially Encrypted +pageInfo_MixedContent2=Parts of the page you are viewing were not encrypted before being transmitted over the Internet. +pageInfo_WeakCipher=Your connection to this website uses weak encryption and is not private. Other people can view your information or modify the website’s behavior. +pageInfo_CertificateTransparency_Compliant=This website complies with the Certificate Transparency policy. + +# Token Manager +password_not_set=(not set) +enable_fips=Enable FIPS diff --git a/security/manager/locales/en-US/security/certificates/certManager.ftl b/security/manager/locales/en-US/security/certificates/certManager.ftl new file mode 100644 index 0000000000..4e8d372291 --- /dev/null +++ b/security/manager/locales/en-US/security/certificates/certManager.ftl @@ -0,0 +1,228 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +certmgr-title = + .title = Certificate Manager + +certmgr-tab-mine = + .label = Your Certificates + +certmgr-tab-remembered = + .label = Authentication Decisions + +certmgr-tab-people = + .label = People + +certmgr-tab-servers = + .label = Servers + +certmgr-tab-ca = + .label = Authorities + +certmgr-mine = You have certificates from these organizations that identify you +certmgr-remembered = These certificates are used to identify you to websites +certmgr-people = You have certificates on file that identify these people +certmgr-server = These entries identify server certificate error exceptions +certmgr-ca = You have certificates on file that identify these certificate authorities + +certmgr-edit-ca-cert2 = + .title = Edit CA certificate trust settings + .style = min-width: 48em; + +certmgr-edit-cert-edit-trust = Edit trust settings: + +certmgr-edit-cert-trust-ssl = + .label = This certificate can identify websites. + +certmgr-edit-cert-trust-email = + .label = This certificate can identify mail users. + +certmgr-delete-cert2 = + .title = Delete Certificate + .style = min-width: 48em; min-height: 24em; + +certmgr-cert-host = + .label = Host + +certmgr-cert-name = + .label = Certificate Name + +certmgr-cert-server = + .label = Server + +certmgr-token-name = + .label = Security Device + +certmgr-begins-label = + .label = Begins On + +certmgr-expires-label = + .label = Expires On + +certmgr-email = + .label = E-Mail Address + +certmgr-serial = + .label = Serial Number + +certmgr-fingerprint-sha-256 = + .label = SHA-256 Fingerprint + +certmgr-view = + .label = View… + .accesskey = V + +certmgr-edit = + .label = Edit Trust… + .accesskey = E + +certmgr-export = + .label = Export… + .accesskey = x + +certmgr-delete = + .label = Delete… + .accesskey = D + +certmgr-delete-builtin = + .label = Delete or Distrust… + .accesskey = D + +certmgr-backup = + .label = Backup… + .accesskey = B + +certmgr-backup-all = + .label = Backup All… + .accesskey = k + +certmgr-restore = + .label = Import… + .accesskey = m + +certmgr-add-exception = + .label = Add Exception… + .accesskey = x + +exception-mgr = + .title = Add Security Exception + +exception-mgr-extra-button = + .label = Confirm Security Exception + .accesskey = C + +exception-mgr-supplemental-warning = Legitimate banks, stores, and other public sites will not ask you to do this. + +exception-mgr-cert-location-url = + .value = Location: + +exception-mgr-cert-location-download = + .label = Get Certificate + .accesskey = G + +exception-mgr-cert-status-view-cert = + .label = View… + .accesskey = V + +exception-mgr-permanent = + .label = Permanently store this exception + .accesskey = P + +pk11-bad-password = The password entered was incorrect. +pkcs12-decode-err = Failed to decode the file. Either it is not in PKCS #12 format, has been corrupted, or the password you entered was incorrect. +pkcs12-unknown-err-restore = Failed to restore the PKCS #12 file for unknown reasons. +pkcs12-unknown-err-backup = Failed to create the PKCS #12 backup file for unknown reasons. +pkcs12-unknown-err = The PKCS #12 operation failed for unknown reasons. +pkcs12-info-no-smartcard-backup = It is not possible to back up certificates from a hardware security device such as a smart card. +pkcs12-dup-data = The certificate and private key already exist on the security device. + +## PKCS#12 file dialogs + +choose-p12-backup-file-dialog = File Name to Backup +file-browse-pkcs12-spec = PKCS12 Files +choose-p12-restore-file-dialog = Certificate File to Import + +## Import certificate(s) file dialog + +file-browse-certificate-spec = Certificate Files +import-ca-certs-prompt = Select File containing CA certificate(s) to import +import-email-cert-prompt = Select File containing somebody’s Email certificate to import + +## For editing certificates trust + +# Variables: +# $certName: the name of certificate +edit-trust-ca = The certificate “{ $certName }†represents a Certificate Authority. + +## For Deleting Certificates + +delete-user-cert-title = + .title = Delete your Certificates +delete-user-cert-confirm = Are you sure you want to delete these certificates? +delete-user-cert-impact = If you delete one of your own certificates, you can no longer use it to identify yourself. + + +delete-ssl-override-title = + .title = Delete Server Certificate Exception +delete-ssl-override-confirm = Are you sure you want to delete this server exception? +delete-ssl-override-impact = If you delete a server exception, you restore the usual security checks for that server and require it uses a valid certificate. + +delete-ca-cert-title = + .title = Delete or Distrust CA Certificates +delete-ca-cert-confirm = You have requested to delete these CA certificates. For built-in certificates all trust will be removed, which has the same effect. Are you sure you want to delete or distrust? +delete-ca-cert-impact = If you delete or distrust a certificate authority (CA) certificate, this application will no longer trust any certificates issued by that CA. + + +delete-email-cert-title = + .title = Delete E-Mail Certificates +delete-email-cert-confirm = Are you sure you want to delete these people’s e-mail certificates? +delete-email-cert-impact = If you delete a person’s e-mail certificate, you will no longer be able to send encrypted e-mail to that person. + +# Used for semi-uniquely representing a cert. +# +# Variables: +# $serialNumber : the serial number of the cert in AA:BB:CC hex format. +cert-with-serial = + .value = Certificate with serial number: { $serialNumber } + +# Used to indicate that the user chose not to send a client authentication certificate to a server that requested one in a TLS handshake. +send-no-client-certificate = Send no client certificate + +# Used when no cert is stored for an override +no-cert-stored-for-override = (Not Stored) + +# When a certificate is unavailable (for example, it has been deleted or the token it exists on has been removed). +certificate-not-available = (Unavailable) + +## Used to show whether an override is temporary or permanent + +permanent-override = Permanent +temporary-override = Temporary + +## Add Security Exception dialog + +add-exception-branded-warning = You are about to override how { -brand-short-name } identifies this site. +add-exception-invalid-header = This site attempts to identify itself with invalid information. +add-exception-domain-mismatch-short = Wrong Site +add-exception-domain-mismatch-long = The certificate belongs to a different site, which could mean that someone is trying to impersonate this site. +add-exception-expired-short = Outdated Information +add-exception-expired-long = The certificate is not currently valid. It may have been stolen or lost, and could be used by someone to impersonate this site. +add-exception-unverified-or-bad-signature-short = Unknown Identity +add-exception-unverified-or-bad-signature-long = The certificate is not trusted because it hasn’t been verified as issued by a trusted authority using a secure signature. +add-exception-valid-short = Valid Certificate +add-exception-valid-long = This site provides valid, verified identification. There is no need to add an exception. +add-exception-checking-short = Checking Information +add-exception-checking-long = Attempting to identify this site… +add-exception-no-cert-short = No Information Available +add-exception-no-cert-long = Unable to obtain identification status for this site. + +## Certificate export "Save as" and error dialogs + +save-cert-as = Save Certificate To File +cert-format-base64 = X.509 Certificate (PEM) +cert-format-base64-chain = X.509 Certificate with chain (PEM) +cert-format-der = X.509 Certificate (DER) +cert-format-pkcs7 = X.509 Certificate (PKCS#7) +cert-format-pkcs7-chain = X.509 Certificate with chain (PKCS#7) +write-file-failure = File Error diff --git a/security/manager/locales/en-US/security/certificates/deviceManager.ftl b/security/manager/locales/en-US/security/certificates/deviceManager.ftl new file mode 100644 index 0000000000..0e73acb813 --- /dev/null +++ b/security/manager/locales/en-US/security/certificates/deviceManager.ftl @@ -0,0 +1,132 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +## Strings used for device manager + +devmgr-window = + .title = Device Manager + .style = min-width: 67em; min-height: 32em; + +devmgr-devlist = + .label = Security Modules and Devices + +devmgr-header-details = + .label = Details + +devmgr-header-value = + .label = Value + +devmgr-button-login = + .label = Log In + .accesskey = n + +devmgr-button-logout = + .label = Log Out + .accesskey = O + +devmgr-button-changepw = + .label = Change Password + .accesskey = P + +devmgr-button-load = + .label = Load + .accesskey = L + +devmgr-button-unload = + .label = Unload + .accesskey = U + +devmgr-button-enable-fips = + .label = Enable FIPS + .accesskey = F + +devmgr-button-disable-fips = + .label = Disable FIPS + .accesskey = F + +## Strings used for load device + +load-device = + .title = Load PKCS#11 Device Driver + +load-device-info = Enter the information for the module you want to add. + +load-device-modname = + .value = Module Name + .accesskey = M + +load-device-modname-default = + .value = New PKCS#11 Module + +load-device-filename = + .value = Module filename + .accesskey = f + +load-device-browse = + .label = Browse… + .accesskey = B + +## Token Manager + +devinfo-status = + .label = Status + +devinfo-status-disabled = + .label = Disabled + +devinfo-status-not-present = + .label = Not Present + +devinfo-status-uninitialized = + .label = Uninitialized + +devinfo-status-not-logged-in = + .label = Not Logged In + +devinfo-status-logged-in = + .label = Logged In + +devinfo-status-ready = + .label = Ready + +devinfo-desc = + .label = Description + +devinfo-man-id = + .label = Manufacturer + +devinfo-hwversion = + .label = HW Version +devinfo-fwversion = + .label = FW Version + +devinfo-modname = + .label = Module + +devinfo-modpath = + .label = Path + +login-failed = Failed to Login + +devinfo-label = + .label = Label + +devinfo-serialnum = + .label = Serial Number + +fips-nonempty-primary-password-required = FIPS mode requires that you have a Primary Password set for each security device. Please set the password before trying to enable FIPS mode. +unable-to-toggle-fips = Unable to change the FIPS mode for the security device. It is recommended that you exit and restart this application. +load-pk11-module-file-picker-title = Choose a PKCS#11 device driver to load + +# Load Module Dialog +load-module-help-empty-module-name = + .value = The module name cannot be empty. + +# Do not translate 'Root Certs' +load-module-help-root-certs-module-name = + .value = ‘Root Certs‘ is reserved and cannot be used as the module name. + +add-module-failure = Unable to add module +del-module-warning = Are you sure you want to delete this security module? +del-module-error = Unable to delete module diff --git a/security/manager/locales/en-US/security/pippki/pippki.ftl b/security/manager/locales/en-US/security/pippki/pippki.ftl new file mode 100644 index 0000000000..b4ab82c816 --- /dev/null +++ b/security/manager/locales/en-US/security/pippki/pippki.ftl @@ -0,0 +1,107 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +password-quality-meter = Password quality meter + +## Change Password dialog + +change-device-password-window = + .title = Change Password + +# Variables: +# $tokenName (String) - Security device of the change password dialog +change-password-token = Security Device: { $tokenName } +change-password-old = Current password: +change-password-new = New password: +change-password-reenter = New password (again): + +pippki-failed-pw-change = Unable to change password. +pippki-incorrect-pw = You did not enter the correct current password. Please try again. +pippki-pw-change-ok = Password successfully changed. + +pippki-pw-empty-warning = Your stored passwords and private keys will not be protected. +pippki-pw-erased-ok = You have deleted your password. { pippki-pw-empty-warning } +pippki-pw-not-wanted = Warning! You have decided not to use a password. { pippki-pw-empty-warning } + +pippki-pw-change2empty-in-fips-mode = You are currently in FIPS mode. FIPS requires a non-empty password. + +## Reset Primary Password dialog + +reset-primary-password-window2 = + .title = Reset Primary Password + .style = min-width: 40em +reset-password-button-label = + .label = Reset +reset-primary-password-text = If you reset your Primary Password, all your stored web and e-mail passwords, personal certificates, and private keys will be forgotten. Are you sure you want to reset your Primary Password? + +pippki-reset-password-confirmation-title = Reset Primary Password +pippki-reset-password-confirmation-message = Your Primary Password has been reset. + +## Downloading cert dialog + +download-cert-window2 = + .title = Downloading Certificate + .style = min-width: 46em +download-cert-message = You have been asked to trust a new Certificate Authority (CA). +download-cert-trust-ssl = + .label = Trust this CA to identify websites. +download-cert-trust-email = + .label = Trust this CA to identify email users. +download-cert-message-desc = Before trusting this CA for any purpose, you should examine its certificate and its policy and procedures (if available). +download-cert-view-cert = + .label = View +download-cert-view-text = Examine CA certificate + +## Client Authentication Ask dialog + +client-auth-window = + .title = User Identification Request +client-auth-send-no-certificate = + .label = Don’t send a certificate + +# Variables: +# $hostname (String) - The domain name of the site requesting the client authentication certificate +client-auth-site-identification = “{ $hostname }†has requested that you identify yourself with a certificate: +client-auth-cert-details = Details of selected certificate: +# Variables: +# $issuedTo (String) - The subject common name of the currently-selected client authentication certificate +client-auth-cert-details-issued-to = Issued to: { $issuedTo } +# Variables: +# $serialNumber (String) - The serial number of the certificate (hexadecimal of the form "AA:BB:...") +client-auth-cert-details-serial-number = Serial number: { $serialNumber } +# Variables: +# $notBefore (String) - The date before which the certificate is not valid (e.g. Apr 21, 2023, 1:47:53 PM UTC) +# $notAfter (String) - The date after which the certificate is not valid +client-auth-cert-details-validity-period = Valid from { $notBefore } to { $notAfter } +# Variables: +# $keyUsages (String) - A list of already-localized key usages for which the certificate may be used +client-auth-cert-details-key-usages = Key usages: { $keyUsages } +# Variables: +# $emailAddresses (String) - A list of email addresses present in the certificate +client-auth-cert-details-email-addresses = Email addresses: { $emailAddresses } +# Variables: +# $issuedBy (String) - The issuer common name of the certificate +client-auth-cert-details-issued-by = Issued by: { $issuedBy } +# Variables: +# $storedOn (String) - The name of the token holding the certificate (for example, "OS Client Cert Token (Modern)") +client-auth-cert-details-stored-on = Stored on: { $storedOn } +client-auth-cert-remember-box = + .label = Remember this decision + +## Set password (p12) dialog + +set-password-window = + .title = Choose a Certificate Backup Password +set-password-message = The certificate backup password you set here protects the backup file that you are about to create. You must set this password to proceed with the backup. +set-password-backup-pw = + .value = Certificate backup password: +set-password-repeat-backup-pw = + .value = Certificate backup password (again): +set-password-reminder = Important: If you forget your certificate backup password, you will not be able to restore this backup later. Please record it in a safe location. + +## Protected authentication alert + +# Variables: +# $tokenName (String) - The name of the token to authenticate to (for example, "OS Client Cert Token (Modern)") +protected-auth-alert = Please authenticate to the token “{ $tokenName }â€. How to do so depends on the token (for example, using a fingerprint reader or entering a code with a keypad). diff --git a/security/manager/locales/jar.mn b/security/manager/locales/jar.mn new file mode 100644 index 0000000000..a61529289a --- /dev/null +++ b/security/manager/locales/jar.mn @@ -0,0 +1,14 @@ +#filter substitution +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +[localization] @AB_CD@.jar: + security (%security/**/*.ftl) + +@AB_CD@.jar: +% locale pipnss @AB_CD@ %locale/@AB_CD@/pipnss/ +% locale pippki @AB_CD@ %locale/@AB_CD@/pippki/ + locale/@AB_CD@/pipnss/pipnss.properties (%chrome/pipnss/pipnss.properties) + locale/@AB_CD@/pipnss/nsserrors.properties (%chrome/pipnss/nsserrors.properties) + locale/@AB_CD@/pippki/pippki.properties (%chrome/pippki/pippki.properties) diff --git a/security/manager/locales/moz.build b/security/manager/locales/moz.build new file mode 100644 index 0000000000..d988c0ff9b --- /dev/null +++ b/security/manager/locales/moz.build @@ -0,0 +1,7 @@ +# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*- +# vim: set filetype=python: +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +JAR_MANIFESTS += ["jar.mn"] diff --git a/security/manager/moz.build b/security/manager/moz.build new file mode 100644 index 0000000000..3890007503 --- /dev/null +++ b/security/manager/moz.build @@ -0,0 +1,13 @@ +# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*- +# vim: set filetype=python: +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +with Files("**"): + BUG_COMPONENT = ("Core", "Security: PSM") + +DIRS += ["ssl", "locales"] + +if CONFIG["MOZ_BUILD_APP"] != "mobile/android": + DIRS += ["pki"] diff --git a/security/manager/pki/components.conf b/security/manager/pki/components.conf new file mode 100644 index 0000000000..7abebd9d6f --- /dev/null +++ b/security/manager/pki/components.conf @@ -0,0 +1,18 @@ +# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*- +# vim: set filetype=python: +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +Classes = [ + { + 'cid': '{518e071f-1dd2-11b2-937e-c45f14def778}', + 'contract_ids': [ + '@mozilla.org/nsCertificateDialogs;1', + '@mozilla.org/nsTokenPasswordDialogs;1', + ], + 'type': 'nsNSSDialogs', + 'headers': ['/security/manager/pki/nsNSSDialogs.h'], + 'init_method': 'Init', + }, +] diff --git a/security/manager/pki/moz.build b/security/manager/pki/moz.build new file mode 100644 index 0000000000..5f0bf95738 --- /dev/null +++ b/security/manager/pki/moz.build @@ -0,0 +1,34 @@ +# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*- +# vim: set filetype=python: +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +DIRS += ["resources"] + +UNIFIED_SOURCES += [ + "nsNSSDialogHelper.cpp", + "nsNSSDialogs.cpp", +] + +XPCOM_MANIFESTS += [ + "components.conf", +] + +LOCAL_INCLUDES += [ + "!/dist/public/nss", +] + +FINAL_LIBRARY = "xul" + +if CONFIG["CC_TYPE"] in ("clang", "gcc"): + CXXFLAGS += [ + "-Wextra", + # -Wextra enables this warning, but it's too noisy to be useful. + "-Wno-missing-field-initializers", + ] + + # Gecko headers aren't warning-free enough for us to enable these warnings. + CXXFLAGS += [ + "-Wno-unused-parameter", + ] diff --git a/security/manager/pki/nsIASN1Tree.idl b/security/manager/pki/nsIASN1Tree.idl new file mode 100644 index 0000000000..b44362e5b2 --- /dev/null +++ b/security/manager/pki/nsIASN1Tree.idl @@ -0,0 +1,24 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsISupports.idl" +#include "nsITreeView.idl" +#include "nsIX509Cert.idl" + +[scriptable, uuid(de142307-7b88-4e0a-b232-250f310e25d8)] +interface nsIASN1Tree : nsITreeView { + [must_use] + void loadASN1Structure(in nsIASN1Object asn1Object); + + [must_use] + AString getDisplayData(in unsigned long index); +}; + +%{C++ + +#define NS_ASN1TREE_CONTRACTID "@mozilla.org/security/nsASN1Tree;1" + +%} diff --git a/security/manager/pki/nsNSSDialogHelper.cpp b/security/manager/pki/nsNSSDialogHelper.cpp new file mode 100644 index 0000000000..18691aa6e9 --- /dev/null +++ b/security/manager/pki/nsNSSDialogHelper.cpp @@ -0,0 +1,45 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsNSSDialogHelper.h" + +#include "mozIDOMWindow.h" +#include "mozilla/dom/ScriptSettings.h" +#include "nsCOMPtr.h" +#include "nsIWindowWatcher.h" +#include "nsServiceManagerUtils.h" + +static const char kOpenDialogParam[] = "centerscreen,chrome,modal,titlebar"; +static const char kOpenWindowParam[] = "centerscreen,chrome,titlebar"; + +nsresult nsNSSDialogHelper::openDialog(mozIDOMWindowProxy* window, + const char* url, nsISupports* params, + bool modal) { + nsresult rv; + nsCOMPtr<nsIWindowWatcher> windowWatcher = + do_GetService(NS_WINDOWWATCHER_CONTRACTID, &rv); + if (NS_FAILED(rv)) return rv; + + nsCOMPtr<mozIDOMWindowProxy> parent = window; + + if (!parent) { + windowWatcher->GetActiveWindow(getter_AddRefs(parent)); + } + + // We're loading XUL into this window, and it's happening on behalf of the + // system, not on behalf of content. Make sure the initial about:blank window + // gets a system principal, otherwise we'll bork when trying to wrap the + // nsIKeyGenThread |arguments| property into the unprivileged scoope. + MOZ_ASSERT(!strncmp("chrome://", url, strlen("chrome://"))); + mozilla::dom::AutoNoJSAPI nojsapi; + + nsCOMPtr<mozIDOMWindowProxy> newWindow; + rv = windowWatcher->OpenWindow( + parent, nsDependentCString(url), "_blank"_ns, + nsDependentCString(modal ? kOpenDialogParam : kOpenWindowParam), params, + getter_AddRefs(newWindow)); + return rv; +} diff --git a/security/manager/pki/nsNSSDialogHelper.h b/security/manager/pki/nsNSSDialogHelper.h new file mode 100644 index 0000000000..a7f3d5e474 --- /dev/null +++ b/security/manager/pki/nsNSSDialogHelper.h @@ -0,0 +1,39 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef nsNSSDialogHelper_h +#define nsNSSDialogHelper_h + +#include "nsError.h" + +class mozIDOMWindowProxy; +class nsISupports; + +/** + * Helper class that uses the window watcher service to open a standard dialog, + * with or without a parent context. + */ +class nsNSSDialogHelper { + public: + /** + * Opens a XUL dialog. + * + * @param window + * Parent window of the dialog, or nullptr to signal no parent. + * @param url + * URL to the XUL dialog. + * @param params + * Parameters to pass to the dialog. Same semantics as the + * nsIWindowWatcher.openWindow() |aArguments| parameter. + * @param modal + * true if the dialog should be modal, false otherwise. + * @return The result of opening the dialog. + */ + static nsresult openDialog(mozIDOMWindowProxy* window, const char* url, + nsISupports* params, bool modal = true); +}; + +#endif // nsNSSDialogHelper_h diff --git a/security/manager/pki/nsNSSDialogs.cpp b/security/manager/pki/nsNSSDialogs.cpp new file mode 100644 index 0000000000..159c873d34 --- /dev/null +++ b/security/manager/pki/nsNSSDialogs.cpp @@ -0,0 +1,216 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +/* + * Dialog services for PIP. + */ + +#include "nsNSSDialogs.h" + +#include "mozIDOMWindow.h" +#include "nsArray.h" +#include "nsComponentManagerUtils.h" +#include "nsEmbedCID.h" +#include "nsHashPropertyBag.h" +#include "nsIDialogParamBlock.h" +#include "nsIInterfaceRequestor.h" +#include "nsIInterfaceRequestorUtils.h" +#include "nsIPK11Token.h" +#include "nsIPromptService.h" +#include "nsIWindowWatcher.h" +#include "nsIX509CertDB.h" +#include "nsIX509Cert.h" +#include "nsNSSDialogHelper.h" +#include "nsPromiseFlatString.h" +#include "nsServiceManagerUtils.h" +#include "nsString.h" +#include "nsVariant.h" + +#define PIPSTRING_BUNDLE_URL "chrome://pippki/locale/pippki.properties" + +nsNSSDialogs::nsNSSDialogs() = default; + +nsNSSDialogs::~nsNSSDialogs() = default; + +NS_IMPL_ISUPPORTS(nsNSSDialogs, nsITokenPasswordDialogs, nsICertificateDialogs) + +nsresult nsNSSDialogs::Init() { + nsresult rv; + + nsCOMPtr<nsIStringBundleService> service = + do_GetService(NS_STRINGBUNDLE_CONTRACTID, &rv); + if (NS_FAILED(rv)) return rv; + + rv = service->CreateBundle(PIPSTRING_BUNDLE_URL, + getter_AddRefs(mPIPStringBundle)); + return rv; +} + +NS_IMETHODIMP +nsNSSDialogs::SetPassword(nsIInterfaceRequestor* ctx, nsIPK11Token* token, + /*out*/ bool* canceled) { + // |ctx| is allowed to be null. + NS_ENSURE_ARG(canceled); + + *canceled = false; + + // Get the parent window for the dialog + nsCOMPtr<mozIDOMWindowProxy> parent = do_GetInterface(ctx); + + nsCOMPtr<nsIDialogParamBlock> block = + do_CreateInstance(NS_DIALOGPARAMBLOCK_CONTRACTID); + if (!block) return NS_ERROR_FAILURE; + + nsCOMPtr<nsIMutableArray> objects = nsArrayBase::Create(); + if (!objects) { + return NS_ERROR_FAILURE; + } + nsresult rv = objects->AppendElement(token); + if (NS_FAILED(rv)) { + return rv; + } + rv = block->SetObjects(objects); + if (NS_FAILED(rv)) { + return rv; + } + + rv = nsNSSDialogHelper::openDialog( + parent, "chrome://pippki/content/changepassword.xhtml", block); + + if (NS_FAILED(rv)) return rv; + + int32_t status; + + rv = block->GetInt(1, &status); + if (NS_FAILED(rv)) return rv; + + *canceled = (status == 0); + + return rv; +} + +NS_IMETHODIMP +nsNSSDialogs::ConfirmDownloadCACert(nsIInterfaceRequestor* ctx, + nsIX509Cert* cert, + /*out*/ uint32_t* trust, + /*out*/ bool* importConfirmed) { + // |ctx| is allowed to be null. + NS_ENSURE_ARG(cert); + NS_ENSURE_ARG(trust); + NS_ENSURE_ARG(importConfirmed); + + nsCOMPtr<nsIMutableArray> argArray = nsArrayBase::Create(); + if (!argArray) { + return NS_ERROR_FAILURE; + } + + nsresult rv = argArray->AppendElement(cert); + if (NS_FAILED(rv)) { + return rv; + } + + nsCOMPtr<nsIWritablePropertyBag2> retVals = new nsHashPropertyBag(); + rv = argArray->AppendElement(retVals); + if (NS_FAILED(rv)) { + return rv; + } + + // Get the parent window for the dialog + nsCOMPtr<mozIDOMWindowProxy> parent = do_GetInterface(ctx); + rv = nsNSSDialogHelper::openDialog( + parent, "chrome://pippki/content/downloadcert.xhtml", argArray); + if (NS_FAILED(rv)) { + return rv; + } + + rv = retVals->GetPropertyAsBool(u"importConfirmed"_ns, importConfirmed); + if (NS_FAILED(rv)) { + return rv; + } + + *trust = nsIX509CertDB::UNTRUSTED; + if (!*importConfirmed) { + return NS_OK; + } + + bool trustForSSL = false; + rv = retVals->GetPropertyAsBool(u"trustForSSL"_ns, &trustForSSL); + if (NS_FAILED(rv)) { + return rv; + } + bool trustForEmail = false; + rv = retVals->GetPropertyAsBool(u"trustForEmail"_ns, &trustForEmail); + if (NS_FAILED(rv)) { + return rv; + } + + *trust |= trustForSSL ? nsIX509CertDB::TRUSTED_SSL : 0; + *trust |= trustForEmail ? nsIX509CertDB::TRUSTED_EMAIL : 0; + + return NS_OK; +} + +NS_IMETHODIMP +nsNSSDialogs::SetPKCS12FilePassword(nsIInterfaceRequestor* ctx, + /*out*/ nsAString& password, + /*out*/ bool* confirmedPassword) { + // |ctx| is allowed to be null. + NS_ENSURE_ARG(confirmedPassword); + + // Get the parent window for the dialog + nsCOMPtr<mozIDOMWindowProxy> parent = do_GetInterface(ctx); + nsCOMPtr<nsIWritablePropertyBag2> retVals = new nsHashPropertyBag(); + nsresult rv = nsNSSDialogHelper::openDialog( + parent, "chrome://pippki/content/setp12password.xhtml", retVals); + if (NS_FAILED(rv)) { + return rv; + } + + rv = retVals->GetPropertyAsBool(u"confirmedPassword"_ns, confirmedPassword); + if (NS_FAILED(rv)) { + return rv; + } + + if (!*confirmedPassword) { + return NS_OK; + } + + return retVals->GetPropertyAsAString(u"password"_ns, password); +} + +NS_IMETHODIMP +nsNSSDialogs::GetPKCS12FilePassword(nsIInterfaceRequestor* ctx, + nsAString& _password, bool* _retval) { + *_retval = false; + + nsCOMPtr<nsIPromptService> promptSvc( + do_GetService(NS_PROMPTSERVICE_CONTRACTID)); + if (!promptSvc) { + return NS_ERROR_FAILURE; + } + + nsAutoString msg; + nsresult rv = + mPIPStringBundle->GetStringFromName("getPKCS12FilePasswordMessage", msg); + if (NS_FAILED(rv)) { + return rv; + } + + // Get the parent window for the dialog + nsCOMPtr<mozIDOMWindowProxy> parent = do_GetInterface(ctx); + char16_t* pwTemp = nullptr; + rv = promptSvc->PromptPassword(parent, nullptr, msg.get(), &pwTemp, _retval); + if (NS_FAILED(rv)) { + return rv; + } + + if (*_retval) { + _password.Assign(pwTemp); + free(pwTemp); + } + + return NS_OK; +} diff --git a/security/manager/pki/nsNSSDialogs.h b/security/manager/pki/nsNSSDialogs.h new file mode 100644 index 0000000000..7528492a5a --- /dev/null +++ b/security/manager/pki/nsNSSDialogs.h @@ -0,0 +1,37 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef nsNSSDialogs_h +#define nsNSSDialogs_h + +#include "nsCOMPtr.h" +#include "nsICertificateDialogs.h" +#include "nsIStringBundle.h" +#include "nsITokenPasswordDialogs.h" + +#define NS_NSSDIALOGS_CID \ + { \ + 0x518e071f, 0x1dd2, 0x11b2, { \ + 0x93, 0x7e, 0xc4, 0x5f, 0x14, 0xde, 0xf7, 0x78 \ + } \ + } + +class nsNSSDialogs : public nsICertificateDialogs, + public nsITokenPasswordDialogs { + public: + NS_DECL_THREADSAFE_ISUPPORTS + NS_DECL_NSITOKENPASSWORDDIALOGS + NS_DECL_NSICERTIFICATEDIALOGS + nsNSSDialogs(); + + nsresult Init(); + + protected: + virtual ~nsNSSDialogs(); + nsCOMPtr<nsIStringBundle> mPIPStringBundle; +}; + +#endif // nsNSSDialogs_h diff --git a/security/manager/pki/resources/content/certManager.css b/security/manager/pki/resources/content/certManager.css new file mode 100644 index 0000000000..9259472771 --- /dev/null +++ b/security/manager/pki/resources/content/certManager.css @@ -0,0 +1,34 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +/* Good enough support for equalsize=always for the cert manager use cases. + * You probably shouldn't use this as-is elsewhere, this selector is somewhat + * slow, it relies on stuff having display: flex, and you probably can use + * something simpler if you need this */ +[equalsize="always"] > * { + flex: 1; + contain: inline-size; +} + +treecol { + flex: 1 auto; + width: 0; /* Don't let intrinsic sizes affect our minimum size. */ +} + +#certmanager { + /* This prevents horizontal scrollbars due to <tree> and non-XUL layout + * interactions */ + padding: 0; +} + +/* This matches the <tree> height from dialog.css */ +richlistbox { + min-height: 15em; + contain: size; +} + +richlistbox, +richlistitem { + min-height: 30px; +} diff --git a/security/manager/pki/resources/content/certManager.js b/security/manager/pki/resources/content/certManager.js new file mode 100644 index 0000000000..b1fcaff30f --- /dev/null +++ b/security/manager/pki/resources/content/certManager.js @@ -0,0 +1,771 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* import-globals-from pippki.js */ +"use strict"; + +const gCertFileTypes = "*.p7b; *.crt; *.cert; *.cer; *.pem; *.der"; + +var { NetUtil } = ChromeUtils.importESModule( + "resource://gre/modules/NetUtil.sys.mjs" +); + +var key; + +var certdialogs = Cc["@mozilla.org/nsCertificateDialogs;1"].getService( + Ci.nsICertificateDialogs +); + +/** + * List of certs currently selected in the active tab. + * + * @type {nsIX509Cert[]} + */ +var selected_certs = []; +var selected_tree_items = []; +var selected_index = []; +var certdb; + +/** + * Cert tree for the "Authorities" tab. + * + * @type {nsICertTree} + */ +var caTreeView; +/** + * Cert tree for the "Servers" tab. + * + * @type {nsICertTree} + */ +var serverTreeView; + +var overrideService; + +function createRichlistItem(item) { + let innerHbox = document.createXULElement("hbox"); + innerHbox.setAttribute("align", "center"); + innerHbox.setAttribute("flex", "1"); + + let row = document.createXULElement("label"); + row.setAttribute("flex", "1"); + row.setAttribute("crop", "end"); + row.setAttribute("style", "margin-inline-start: 15px;"); + if ("raw" in item) { + row.setAttribute("value", item.raw); + } else { + document.l10n.setAttributes(row, item.l10nid); + } + row.setAttribute("ordinal", "1"); + innerHbox.appendChild(row); + + return innerHbox; +} + +var serverRichList = { + richlist: undefined, + + buildRichList() { + let overrides = overrideService.getOverrides().map(item => { + return { + hostPort: item.hostPort, + asciiHost: item.asciiHost, + port: item.port, + originAttributes: item.originAttributes, + fingerprint: item.fingerprint, + }; + }); + overrides.sort((a, b) => { + let criteria = ["hostPort", "fingerprint"]; + for (let c of criteria) { + let res = a[c].localeCompare(b[c]); + if (res !== 0) { + return res; + } + } + return 0; + }); + + this.richlist.textContent = ""; + this.richlist.clearSelection(); + + let frag = document.createDocumentFragment(); + for (let override of overrides) { + let richlistitem = this._richBoxAddItem(override); + frag.appendChild(richlistitem); + } + this.richlist.appendChild(frag); + + this._setButtonState(); + this.richlist.addEventListener("select", () => this._setButtonState()); + }, + + _richBoxAddItem(item) { + let richlistitem = document.createXULElement("richlistitem"); + + richlistitem.setAttribute("host", item.asciiHost); + richlistitem.setAttribute("port", item.port); + richlistitem.setAttribute("hostPort", item.hostPort); + richlistitem.setAttribute("fingerprint", item.fingerprint); + richlistitem.setAttribute( + "originAttributes", + JSON.stringify(item.originAttributes) + ); + + let hbox = document.createXULElement("hbox"); + hbox.setAttribute("flex", "1"); + hbox.setAttribute("equalsize", "always"); + + hbox.appendChild(createRichlistItem({ raw: item.hostPort })); + hbox.appendChild(createRichlistItem({ raw: item.fingerprint })); + + richlistitem.appendChild(hbox); + + return richlistitem; + }, + + deleteSelectedRichListItem() { + let selectedItem = this.richlist.selectedItem; + if (!selectedItem) { + return; + } + + let retVals = { + deleteConfirmed: false, + }; + window.browsingContext.topChromeWindow.openDialog( + "chrome://pippki/content/deletecert.xhtml", + "", + "chrome,centerscreen,modal", + "websites_tab", + [ + { + hostPort: selectedItem.attributes.hostPort.value, + }, + ], + retVals + ); + + if (retVals.deleteConfirmed) { + overrideService.clearValidityOverride( + selectedItem.attributes.host.value, + selectedItem.attributes.port.value, + JSON.parse(selectedItem.attributes.originAttributes.value) + ); + this.buildRichList(); + } + }, + + addException() { + let retval = { + exceptionAdded: false, + }; + window.browsingContext.topChromeWindow.openDialog( + "chrome://pippki/content/exceptionDialog.xhtml", + "", + "chrome,centerscreen,modal", + retval + ); + if (retval.exceptionAdded) { + this.buildRichList(); + } + }, + + _setButtonState() { + let websiteDeleteButton = document.getElementById("websites_deleteButton"); + websiteDeleteButton.disabled = this.richlist.selectedIndex < 0; + }, +}; +/** + * Cert tree for the "People" tab. + * + * @type {nsICertTree} + */ +var emailTreeView; +/** + * Cert tree for the "Your Certificates" tab. + * + * @type {nsICertTree} + */ +var userTreeView; + +var clientAuthRememberService; + +var rememberedDecisionsRichList = { + richlist: undefined, + + buildRichList() { + let rememberedDecisions = clientAuthRememberService.getDecisions(); + + let oldItems = this.richlist.querySelectorAll("richlistitem"); + for (let item of oldItems) { + item.remove(); + } + + let frag = document.createDocumentFragment(); + for (let decision of rememberedDecisions) { + let richlistitem = this._richBoxAddItem(decision); + frag.appendChild(richlistitem); + } + this.richlist.appendChild(frag); + + this.richlist.addEventListener("select", () => this.setButtonState()); + }, + + _richBoxAddItem(item) { + let richlistitem = document.createXULElement("richlistitem"); + + richlistitem.setAttribute("entryKey", item.entryKey); + richlistitem.setAttribute("dbKey", item.dbKey); + + let hbox = document.createXULElement("hbox"); + hbox.setAttribute("flex", "1"); + hbox.setAttribute("equalsize", "always"); + + hbox.appendChild(createRichlistItem({ raw: item.asciiHost })); + if (item.dbKey == "") { + hbox.appendChild( + createRichlistItem({ l10nid: "send-no-client-certificate" }) + ); + + hbox.appendChild(createRichlistItem({ raw: "" })); + } else { + let tmpCert = certdb.findCertByDBKey(item.dbKey); + // The certificate corresponding to this item's dbKey may not be + // available (for example, if it was stored on a token that's been + // removed, or if it was deleted). + if (tmpCert) { + hbox.appendChild(createRichlistItem({ raw: tmpCert.commonName })); + hbox.appendChild(createRichlistItem({ raw: tmpCert.serialNumber })); + } else { + hbox.appendChild( + createRichlistItem({ l10nid: "certificate-not-available" }) + ); + hbox.appendChild( + createRichlistItem({ l10nid: "certificate-not-available" }) + ); + } + } + + richlistitem.appendChild(hbox); + + return richlistitem; + }, + + deleteSelectedRichListItem() { + let selectedItem = this.richlist.selectedItem; + let index = this.richlist.selectedIndex; + if (index < 0) { + return; + } + + clientAuthRememberService.forgetRememberedDecision( + selectedItem.attributes.entryKey.value + ); + + this.buildRichList(); + this.setButtonState(); + }, + + viewSelectedRichListItem() { + let selectedItem = this.richlist.selectedItem; + let index = this.richlist.selectedIndex; + if (index < 0) { + return; + } + + if (selectedItem.attributes.dbKey.value != "") { + let cert = certdb.findCertByDBKey(selectedItem.attributes.dbKey.value); + viewCertHelper(window, cert); + } + }, + + setButtonState() { + let rememberedDeleteButton = document.getElementById( + "remembered_deleteButton" + ); + let rememberedViewButton = document.getElementById("remembered_viewButton"); + + rememberedDeleteButton.disabled = this.richlist.selectedIndex < 0; + rememberedViewButton.disabled = + this.richlist.selectedItem == null + ? true + : this.richlist.selectedItem.attributes.dbKey.value == ""; + }, +}; + +function LoadCerts() { + certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + var certcache = certdb.getCerts(); + + caTreeView = Cc["@mozilla.org/security/nsCertTree;1"].createInstance( + Ci.nsICertTree + ); + caTreeView.loadCertsFromCache(certcache, Ci.nsIX509Cert.CA_CERT); + document.getElementById("ca-tree").view = caTreeView; + + emailTreeView = Cc["@mozilla.org/security/nsCertTree;1"].createInstance( + Ci.nsICertTree + ); + emailTreeView.loadCertsFromCache(certcache, Ci.nsIX509Cert.EMAIL_CERT); + document.getElementById("email-tree").view = emailTreeView; + + userTreeView = Cc["@mozilla.org/security/nsCertTree;1"].createInstance( + Ci.nsICertTree + ); + userTreeView.loadCertsFromCache(certcache, Ci.nsIX509Cert.USER_CERT); + document.getElementById("user-tree").view = userTreeView; + + clientAuthRememberService = Cc[ + "@mozilla.org/security/clientAuthRememberService;1" + ].getService(Ci.nsIClientAuthRememberService); + + overrideService = Cc["@mozilla.org/security/certoverride;1"].getService( + Ci.nsICertOverrideService + ); + + rememberedDecisionsRichList.richlist = + document.getElementById("rememberedList"); + serverRichList.richlist = document.getElementById("serverList"); + + rememberedDecisionsRichList.buildRichList(); + serverRichList.buildRichList(); + + rememberedDecisionsRichList.setButtonState(); + + enableBackupAllButton(); +} + +function enableBackupAllButton() { + let backupAllButton = document.getElementById("mine_backupAllButton"); + backupAllButton.disabled = userTreeView.rowCount < 1; +} + +function getSelectedCerts() { + var ca_tab = document.getElementById("ca_tab"); + var mine_tab = document.getElementById("mine_tab"); + var others_tab = document.getElementById("others_tab"); + var items = null; + if (ca_tab.selected) { + items = caTreeView.selection; + } else if (mine_tab.selected) { + items = userTreeView.selection; + } else if (others_tab.selected) { + items = emailTreeView.selection; + } + selected_certs = []; + var cert = null; + var nr = 0; + if (items != null) { + nr = items.getRangeCount(); + } + if (nr > 0) { + for (let i = 0; i < nr; i++) { + var o1 = {}; + var o2 = {}; + items.getRangeAt(i, o1, o2); + var min = o1.value; + var max = o2.value; + for (let j = min; j <= max; j++) { + if (ca_tab.selected) { + cert = caTreeView.getCert(j); + } else if (mine_tab.selected) { + cert = userTreeView.getCert(j); + } else if (others_tab.selected) { + cert = emailTreeView.getCert(j); + } + if (cert) { + var sc = selected_certs.length; + selected_certs[sc] = cert; + selected_index[sc] = j; + } + } + } + } +} + +function getSelectedTreeItems() { + var ca_tab = document.getElementById("ca_tab"); + var mine_tab = document.getElementById("mine_tab"); + var others_tab = document.getElementById("others_tab"); + var items = null; + if (ca_tab.selected) { + items = caTreeView.selection; + } else if (mine_tab.selected) { + items = userTreeView.selection; + } else if (others_tab.selected) { + items = emailTreeView.selection; + } + selected_certs = []; + selected_tree_items = []; + selected_index = []; + var tree_item = null; + var nr = 0; + if (items != null) { + nr = items.getRangeCount(); + } + if (nr > 0) { + for (let i = 0; i < nr; i++) { + var o1 = {}; + var o2 = {}; + items.getRangeAt(i, o1, o2); + var min = o1.value; + var max = o2.value; + for (let j = min; j <= max; j++) { + if (ca_tab.selected) { + tree_item = caTreeView.getTreeItem(j); + } else if (mine_tab.selected) { + tree_item = userTreeView.getTreeItem(j); + } else if (others_tab.selected) { + tree_item = emailTreeView.getTreeItem(j); + } + if (tree_item) { + var sc = selected_tree_items.length; + selected_tree_items[sc] = tree_item; + selected_index[sc] = j; + } + } + } + } +} + +/** + * Returns true if nothing in the given cert tree is selected or if the + * selection includes a container. Returns false otherwise. + * + * @param {nsICertTree} certTree + * @returns {boolean} + */ +function nothingOrContainerSelected(certTree) { + var certTreeSelection = certTree.selection; + var numSelectionRanges = certTreeSelection.getRangeCount(); + + if (numSelectionRanges == 0) { + return true; + } + + for (var i = 0; i < numSelectionRanges; i++) { + var o1 = {}; + var o2 = {}; + certTreeSelection.getRangeAt(i, o1, o2); + var minIndex = o1.value; + var maxIndex = o2.value; + for (var j = minIndex; j <= maxIndex; j++) { + if (certTree.isContainer(j)) { + return true; + } + } + } + + return false; +} + +async function promptError(aErrorCode) { + if (aErrorCode != Ci.nsIX509CertDB.Success) { + let msgName = "pkcs12-unknown-err"; + switch (aErrorCode) { + case Ci.nsIX509CertDB.ERROR_PKCS12_NOSMARTCARD_EXPORT: + msgName = "pkcs12-info-no-smartcard-backup"; + break; + case Ci.nsIX509CertDB.ERROR_PKCS12_RESTORE_FAILED: + msgName = "pkcs12-unknown-err-restore"; + break; + case Ci.nsIX509CertDB.ERROR_PKCS12_BACKUP_FAILED: + msgName = "pkcs12-unknown-err-backup"; + break; + case Ci.nsIX509CertDB.ERROR_PKCS12_CERT_COLLISION: + case Ci.nsIX509CertDB.ERROR_PKCS12_DUPLICATE_DATA: + msgName = "pkcs12-dup-data"; + break; + case Ci.nsIX509CertDB.ERROR_BAD_PASSWORD: + msgName = "pk11-bad-password"; + break; + case Ci.nsIX509CertDB.ERROR_DECODE_ERROR: + msgName = "pkcs12-decode-err"; + break; + default: + break; + } + let [message] = await document.l10n.formatValues([{ id: msgName }]); + let prompter = Services.ww.getNewPrompter(window); + prompter.alert(null, message); + } +} + +/** + * Enables or disables buttons corresponding to a cert tree depending on what + * is selected in the cert tree. + * + * @param {nsICertTree} certTree + * @param {Array} idList A list of string identifiers for button elements to + * enable or disable. + */ +function enableButtonsForCertTree(certTree, idList) { + let disableButtons = nothingOrContainerSelected(certTree); + + for (let id of idList) { + document.getElementById(id).setAttribute("disabled", disableButtons); + } +} + +function ca_enableButtons() { + let idList = [ + "ca_viewButton", + "ca_editButton", + "ca_exportButton", + "ca_deleteButton", + ]; + enableButtonsForCertTree(caTreeView, idList); +} + +function mine_enableButtons() { + let idList = ["mine_viewButton", "mine_backupButton", "mine_deleteButton"]; + enableButtonsForCertTree(userTreeView, idList); +} + +function email_enableButtons() { + let idList = ["email_viewButton", "email_exportButton", "email_deleteButton"]; + enableButtonsForCertTree(emailTreeView, idList); +} + +async function backupCerts() { + getSelectedCerts(); + var numcerts = selected_certs.length; + if (numcerts == 0) { + return; + } + + var fp = Cc["@mozilla.org/filepicker;1"].createInstance(Ci.nsIFilePicker); + let [backupFileDialog, filePkcs12Spec] = await document.l10n.formatValues([ + { id: "choose-p12-backup-file-dialog" }, + { id: "file-browse-pkcs12-spec" }, + ]); + fp.init(window, backupFileDialog, Ci.nsIFilePicker.modeSave); + fp.appendFilter(filePkcs12Spec, "*.p12"); + fp.appendFilters(Ci.nsIFilePicker.filterAll); + fp.defaultExtension = "p12"; + fp.open(rv => { + if ( + rv == Ci.nsIFilePicker.returnOK || + rv == Ci.nsIFilePicker.returnReplace + ) { + let password = {}; + if (certdialogs.setPKCS12FilePassword(window, password)) { + let errorCode = certdb.exportPKCS12File( + fp.file, + selected_certs, + password.value + ); + promptError(errorCode); + } + } + }); +} + +function backupAllCerts() { + // Select all rows, then call doBackup() + userTreeView.selection.selectAll(); + backupCerts(); +} + +function editCerts() { + getSelectedCerts(); + + for (let cert of selected_certs) { + window.browsingContext.topChromeWindow.openDialog( + "chrome://pippki/content/editcacert.xhtml", + "", + "chrome,centerscreen,modal", + cert + ); + } +} + +async function restoreCerts() { + var fp = Cc["@mozilla.org/filepicker;1"].createInstance(Ci.nsIFilePicker); + let [restoreFileDialog, filePkcs12Spec, fileCertSpec] = + await document.l10n.formatValues([ + { id: "choose-p12-restore-file-dialog" }, + { id: "file-browse-pkcs12-spec" }, + { id: "file-browse-certificate-spec" }, + ]); + fp.init(window, restoreFileDialog, Ci.nsIFilePicker.modeOpen); + fp.appendFilter(filePkcs12Spec, "*.p12; *.pfx"); + fp.appendFilter(fileCertSpec, gCertFileTypes); + fp.appendFilters(Ci.nsIFilePicker.filterAll); + fp.open(rv => { + if (rv != Ci.nsIFilePicker.returnOK) { + return; + } + + // If this is an X509 user certificate, import it as one. + + var isX509FileType = false; + var fileTypesList = gCertFileTypes.slice(1).split("; *"); + for (var type of fileTypesList) { + if (fp.file.path.endsWith(type)) { + isX509FileType = true; + break; + } + } + + if (isX509FileType) { + let fstream = Cc[ + "@mozilla.org/network/file-input-stream;1" + ].createInstance(Ci.nsIFileInputStream); + fstream.init(fp.file, -1, 0, 0); + let dataString = NetUtil.readInputStreamToString( + fstream, + fstream.available() + ); + let dataArray = []; + for (let i = 0; i < dataString.length; i++) { + dataArray.push(dataString.charCodeAt(i)); + } + fstream.close(); + let prompter = Services.ww.getNewPrompter(window); + let interfaceRequestor = { + getInterface() { + return prompter; + }, + }; + certdb.importUserCertificate( + dataArray, + dataArray.length, + interfaceRequestor + ); + } else { + // Otherwise, assume it's a PKCS12 file and import it that way. + let password = {}; + let errorCode = Ci.nsIX509CertDB.ERROR_BAD_PASSWORD; + while ( + errorCode == Ci.nsIX509CertDB.ERROR_BAD_PASSWORD && + certdialogs.getPKCS12FilePassword(window, password) + ) { + errorCode = certdb.importPKCS12File(fp.file, password.value); + if ( + errorCode == Ci.nsIX509CertDB.ERROR_BAD_PASSWORD && + !password.value.length + ) { + // It didn't like empty string password, try no password. + errorCode = certdb.importPKCS12File(fp.file, null); + } + promptError(errorCode); + } + } + + var certcache = certdb.getCerts(); + userTreeView.loadCertsFromCache(certcache, Ci.nsIX509Cert.USER_CERT); + userTreeView.selection.clearSelection(); + caTreeView.loadCertsFromCache(certcache, Ci.nsIX509Cert.CA_CERT); + caTreeView.selection.clearSelection(); + enableBackupAllButton(); + }); +} + +async function exportCerts() { + getSelectedCerts(); + + for (let cert of selected_certs) { + await exportToFile(window, cert); + } +} + +/** + * Deletes the selected certs in the active tab. + */ +function deleteCerts() { + getSelectedTreeItems(); + let numcerts = selected_tree_items.length; + if (numcerts == 0) { + return; + } + + const treeViewMap = { + mine_tab: userTreeView, + ca_tab: caTreeView, + others_tab: emailTreeView, + }; + let selTab = document.getElementById("certMgrTabbox").selectedItem; + let selTabID = selTab.getAttribute("id"); + + if (!(selTabID in treeViewMap)) { + return; + } + + let retVals = { + deleteConfirmed: false, + }; + window.browsingContext.topChromeWindow.openDialog( + "chrome://pippki/content/deletecert.xhtml", + "", + "chrome,centerscreen,modal", + selTabID, + selected_tree_items, + retVals + ); + + if (retVals.deleteConfirmed) { + let treeView = treeViewMap[selTabID]; + + for (let t = numcerts - 1; t >= 0; t--) { + treeView.deleteEntryObject(selected_index[t]); + } + + selected_tree_items = []; + selected_index = []; + treeView.selection.clearSelection(); + if (selTabID == "mine_tab") { + enableBackupAllButton(); + } + } +} + +function viewCerts() { + getSelectedCerts(); + + for (let cert of selected_certs) { + viewCertHelper(window, cert); + } +} + +async function addCACerts() { + var fp = Cc["@mozilla.org/filepicker;1"].createInstance(Ci.nsIFilePicker); + let [importCa, fileCertSpec] = await document.l10n.formatValues([ + { id: "import-ca-certs-prompt" }, + { id: "file-browse-certificate-spec" }, + ]); + fp.init(window, importCa, Ci.nsIFilePicker.modeOpen); + fp.appendFilter(fileCertSpec, gCertFileTypes); + fp.appendFilters(Ci.nsIFilePicker.filterAll); + fp.open(rv => { + if (rv == Ci.nsIFilePicker.returnOK) { + certdb.importCertsFromFile(fp.file, Ci.nsIX509Cert.CA_CERT); + let certcache = certdb.getCerts(); + caTreeView.loadCertsFromCache(certcache, Ci.nsIX509Cert.CA_CERT); + caTreeView.selection.clearSelection(); + } + }); +} + +async function addEmailCert() { + var fp = Cc["@mozilla.org/filepicker;1"].createInstance(Ci.nsIFilePicker); + let [importEmail, fileCertSpec] = await document.l10n.formatValues([ + { id: "import-email-cert-prompt" }, + { id: "file-browse-certificate-spec" }, + ]); + fp.init(window, importEmail, Ci.nsIFilePicker.modeOpen); + fp.appendFilter(fileCertSpec, gCertFileTypes); + fp.appendFilters(Ci.nsIFilePicker.filterAll); + fp.open(rv => { + if (rv == Ci.nsIFilePicker.returnOK) { + certdb.importCertsFromFile(fp.file, Ci.nsIX509Cert.EMAIL_CERT); + var certcache = certdb.getCerts(); + emailTreeView.loadCertsFromCache(certcache, Ci.nsIX509Cert.EMAIL_CERT); + emailTreeView.selection.clearSelection(); + caTreeView.loadCertsFromCache(certcache, Ci.nsIX509Cert.CA_CERT); + caTreeView.selection.clearSelection(); + } + }); +} diff --git a/security/manager/pki/resources/content/certManager.xhtml b/security/manager/pki/resources/content/certManager.xhtml new file mode 100644 index 0000000000..194509bdd6 --- /dev/null +++ b/security/manager/pki/resources/content/certManager.xhtml @@ -0,0 +1,333 @@ +<?xml version="1.0"?> +<!-- This Source Code Form is subject to the terms of the Mozilla Public + - License, v. 2.0. If a copy of the MPL was not distributed with this + - file, You can obtain one at http://mozilla.org/MPL/2.0/. --> + +<!DOCTYPE window> + +<window + windowtype="mozilla:certmanager" + xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul" + xmlns:html="http://www.w3.org/1999/xhtml" + data-l10n-id="certmgr-title" + onload="LoadCerts();" + persist="screenX screenY width height" +> + <dialog id="certmanager" buttons="accept"> + <linkset> + <html:link rel="stylesheet" href="chrome://global/skin/global.css" /> + <html:link + rel="stylesheet" + href="chrome://pippki/content/certManager.css" + /> + + <html:link + rel="localization" + href="security/certificates/certManager.ftl" + /> + </linkset> + + <script src="chrome://pippki/content/pippki.js" /> + <script src="chrome://pippki/content/certManager.js" /> + + <tabbox id="certmanagertabs" flex="1" persist="selectedIndex"> + <tabs id="certMgrTabbox"> + <tab id="mine_tab" data-l10n-id="certmgr-tab-mine" /> + <tab id="remembered_tab" data-l10n-id="certmgr-tab-remembered" /> + <tab id="others_tab" data-l10n-id="certmgr-tab-people" /> + <tab id="websites_tab" data-l10n-id="certmgr-tab-servers" /> + <tab id="ca_tab" data-l10n-id="certmgr-tab-ca" selected="true" /> + </tabs> + <tabpanels flex="1"> + <vbox id="myCerts" flex="1"> + <description data-l10n-id="certmgr-mine"></description> + <separator class="thin" /> + <tree + id="user-tree" + flex="1" + enableColumnDrag="true" + onselect="mine_enableButtons()" + > + <treecols> + <!-- + The below code may suggest that 'ordinal' is still a supported XUL + XUL attribute. It is not. This is a crutch so that we can + continue persisting the CSS order property, + which is the appropriate replacement for the ordinal attribute + but cannot yet be easily persisted. The code that synchronizes + the attribute with the CSS lives in + toolkit/content/widget/tree.js and is specific to tree elements. + --> + <treecol + id="certcol" + data-l10n-id="certmgr-cert-name" + primary="true" + persist="hidden width ordinal" + /> + <splitter class="tree-splitter" /> + <treecol + id="tokencol" + data-l10n-id="certmgr-token-name" + persist="hidden width ordinal" + /> + <splitter class="tree-splitter" /> + <treecol + id="serialnumcol" + data-l10n-id="certmgr-serial" + persist="hidden width ordinal" + /> + <splitter class="tree-splitter" /> + <treecol + id="issuedcol" + data-l10n-id="certmgr-begins-label" + hidden="true" + persist="hidden width ordinal" + /> + <splitter class="tree-splitter" /> + <treecol + id="expiredcol" + data-l10n-id="certmgr-expires-label" + persist="hidden width ordinal" + /> + </treecols> + <treechildren ondblclick="viewCerts();" /> + </tree> + + <separator class="thin" /> + + <hbox> + <button + id="mine_viewButton" + class="normal" + data-l10n-id="certmgr-view" + disabled="true" + oncommand="viewCerts();" + /> + <button + id="mine_backupButton" + class="normal" + data-l10n-id="certmgr-backup" + disabled="true" + oncommand="backupCerts();" + /> + <button + id="mine_backupAllButton" + class="normal" + data-l10n-id="certmgr-backup-all" + oncommand="backupAllCerts();" + /> + <button + id="mine_restoreButton" + class="normal" + data-l10n-id="certmgr-restore" + oncommand="restoreCerts();" + /> + <button + id="mine_deleteButton" + class="normal" + data-l10n-id="certmgr-delete" + disabled="true" + oncommand="deleteCerts();" + /> + </hbox> + </vbox> + <vbox id="rememberedCerts" flex="1"> + <description data-l10n-id="certmgr-remembered"></description> + <separator class="thin" /> + + <listheader equalsize="always"> + <treecol + id="hostcol" + data-l10n-id="certmgr-cert-host" + primary="true" + persist="hidden width ordinal" + /> + <treecol + id="certcol" + data-l10n-id="certmgr-cert-name" + primary="true" + persist="hidden width ordinal" + /> + <treecol + id="serialnumcol" + data-l10n-id="certmgr-serial" + persist="hidden width ordinal" + /> + </listheader> + <richlistbox id="rememberedList" flex="1" selected="false" /> + + <separator class="thin" /> + + <hbox> + <button + id="remembered_deleteButton" + class="normal" + data-l10n-id="certmgr-delete" + oncommand="rememberedDecisionsRichList.deleteSelectedRichListItem()" + /> + + <button + id="remembered_viewButton" + class="normal" + data-l10n-id="certmgr-view" + oncommand="rememberedDecisionsRichList.viewSelectedRichListItem()" + /> + </hbox> + </vbox> + <vbox id="othersCerts" flex="1"> + <description data-l10n-id="certmgr-people"></description> + <separator class="thin" /> + <tree id="email-tree" flex="1" onselect="email_enableButtons()"> + <treecols> + <treecol + id="certcol" + data-l10n-id="certmgr-cert-name" + primary="true" + /> + <splitter class="tree-splitter" /> + <treecol id="emailcol" data-l10n-id="certmgr-email" /> + <splitter class="tree-splitter" /> + <treecol id="expiredcol" data-l10n-id="certmgr-expires-label" /> + </treecols> + <treechildren flex="1" ondblclick="viewCerts();" /> + </tree> + + <separator class="thin" /> + + <hbox> + <button + id="email_viewButton" + data-l10n-id="certmgr-view" + disabled="true" + oncommand="viewCerts();" + /> + <button + id="email_addButton" + data-l10n-id="certmgr-restore" + oncommand="addEmailCert();" + /> + <button + id="email_exportButton" + data-l10n-id="certmgr-export" + disabled="true" + oncommand="exportCerts();" + /> + <button + id="email_deleteButton" + data-l10n-id="certmgr-delete" + disabled="true" + oncommand="deleteCerts();" + /> + </hbox> + </vbox> + + <vbox id="webCerts" flex="1"> + <description data-l10n-id="certmgr-server"></description> + <separator class="thin" /> + + <listheader equalsize="always"> + <treecol + id="sitecol" + data-l10n-id="certmgr-cert-server" + primary="true" + /> + <treecol + id="sha256col" + data-l10n-id="certmgr-fingerprint-sha-256" + /> + </listheader> + <richlistbox + ondblclick="serverRichList.viewSelectedRichListItem();" + id="serverList" + flex="1" + selected="false" + /> + + <separator class="thin" /> + + <hbox> + <button + id="websites_deleteButton" + data-l10n-id="certmgr-delete" + oncommand="serverRichList.deleteSelectedRichListItem();" + /> + <button + id="websites_exceptionButton" + data-l10n-id="certmgr-add-exception" + oncommand="serverRichList.addException();" + /> + </hbox> + </vbox> + <vbox id="CACerts" flex="1"> + <description data-l10n-id="certmgr-ca"></description> + <separator class="thin" /> + <tree + id="ca-tree" + flex="1" + enableColumnDrag="true" + onselect="ca_enableButtons()" + > + <treecols> + <!-- + The below code may suggest that 'ordinal' is still a supported XUL + XUL attribute. It is not. This is a crutch so that we can + continue persisting the CSS order property, + which is the appropriate replacement for the ordinal attribute + but cannot yet be easily persisted. The code that synchronizes + the attribute with the CSS lives in + toolkit/content/widget/tree.js and is specific to tree elements. + --> + <treecol + id="certcol" + data-l10n-id="certmgr-cert-name" + primary="true" + persist="hidden width ordinal" + /> + <splitter class="tree-splitter" /> + <treecol + id="tokencol" + data-l10n-id="certmgr-token-name" + persist="hidden width ordinal" + /> + </treecols> + <treechildren ondblclick="viewCerts();" /> + </tree> + + <separator class="thin" /> + + <hbox> + <button + id="ca_viewButton" + data-l10n-id="certmgr-view" + disabled="true" + oncommand="viewCerts();" + /> + <button + id="ca_editButton" + data-l10n-id="certmgr-edit" + disabled="true" + oncommand="editCerts();" + /> + <button + id="ca_addButton" + data-l10n-id="certmgr-restore" + oncommand="addCACerts();" + /> + <button + id="ca_exportButton" + data-l10n-id="certmgr-export" + disabled="true" + oncommand="exportCerts();" + /> + <button + id="ca_deleteButton" + data-l10n-id="certmgr-delete-builtin" + disabled="true" + oncommand="deleteCerts();" + /> + </hbox> + </vbox> + </tabpanels> + </tabbox> + </dialog> +</window> diff --git a/security/manager/pki/resources/content/changepassword.js b/security/manager/pki/resources/content/changepassword.js new file mode 100644 index 0000000000..b498bf9ce0 --- /dev/null +++ b/security/manager/pki/resources/content/changepassword.js @@ -0,0 +1,212 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +const { XPCOMUtils } = ChromeUtils.importESModule( + "resource://gre/modules/XPCOMUtils.sys.mjs" +); + +ChromeUtils.defineLazyGetter( + this, + "l10n", + () => new Localization(["security/pippki/pippki.ftl"], true) +); + +var params; +var token; +var pw1; + +function doPrompt(messageL10nId) { + let msg = l10n.formatValueSync(messageL10nId); + Services.prompt.alert(window, null, msg); +} + +function onLoad() { + document.getElementById("set_password").getButton("accept").disabled = true; + document.addEventListener("dialogaccept", setPassword); + + pw1 = document.getElementById("pw1"); + params = window.arguments[0].QueryInterface(Ci.nsIDialogParamBlock); + token = params.objects.GetElementAt(0).QueryInterface(Ci.nsIPK11Token); + + document.l10n.setAttributes( + document.getElementById("tokenName"), + "change-password-token", + { tokenName: token.tokenName } + ); + process(); +} + +function process() { + let bundle = document.getElementById("pippki_bundle"); + let oldpwbox = document.getElementById("oldpw"); + let msgBox = document.getElementById("message"); + // If the token is unitialized, don't use the old password box. + // Otherwise, do. + if ((token.needsLogin() && token.needsUserInit) || !token.needsLogin()) { + oldpwbox.hidden = true; + msgBox.setAttribute("value", bundle.getString("password_not_set")); + msgBox.hidden = false; + + if (!token.needsLogin()) { + oldpwbox.setAttribute("inited", "empty"); + } else { + oldpwbox.setAttribute("inited", "true"); + } + + // Select first password field + document.getElementById("pw1").focus(); + } else { + // Select old password field + oldpwbox.hidden = false; + msgBox.hidden = true; + oldpwbox.setAttribute("inited", "false"); + oldpwbox.focus(); + } + + // Return value 0 means "canceled" + params.SetInt(1, 0); + + checkPasswords(); +} + +function setPassword(event) { + var oldpwbox = document.getElementById("oldpw"); + var initpw = oldpwbox.getAttribute("inited"); + + var success = false; + + if (initpw == "false" || initpw == "empty") { + try { + var oldpw = ""; + var passok = 0; + + if (initpw == "empty") { + passok = 1; + } else { + oldpw = oldpwbox.value; + passok = token.checkPassword(oldpw); + } + + if (passok) { + if (initpw == "empty" && pw1.value == "") { + // checkPasswords() should have prevented this path from being reached. + } else { + if (pw1.value == "") { + var secmoddb = Cc[ + "@mozilla.org/security/pkcs11moduledb;1" + ].getService(Ci.nsIPKCS11ModuleDB); + if (secmoddb.isFIPSEnabled) { + // empty passwords are not allowed in FIPS mode + doPrompt("pippki-pw-change2empty-in-fips-mode"); + passok = 0; + } + } + if (passok) { + token.changePassword(oldpw, pw1.value); + if (pw1.value == "") { + doPrompt("pippki-pw-erased-ok"); + } else { + doPrompt("pippki-pw-change-ok"); + } + success = true; + } + } + } else { + oldpwbox.focus(); + oldpwbox.setAttribute("value", ""); + doPrompt("pippki-incorrect-pw"); + } + } catch (e) { + doPrompt("pippki-failed-pw-change"); + } + } else { + token.initPassword(pw1.value); + if (pw1.value == "") { + doPrompt("pippki-pw-not-wanted"); + } + success = true; + } + + if (success && params) { + // Return value 1 means "successfully executed ok" + params.SetInt(1, 1); + } + + // Terminate dialog + if (!success) { + event.preventDefault(); + } +} + +function setPasswordStrength() { + // We weigh the quality of the password by checking the number of: + // - Characters + // - Numbers + // - Non-alphanumeric chars + // - Upper and lower case characters + + let pw = document.getElementById("pw1").value; + + let pwlength = pw.length; + if (pwlength > 5) { + pwlength = 5; + } + + let numnumeric = pw.replace(/[0-9]/g, ""); + let numeric = pw.length - numnumeric.length; + if (numeric > 3) { + numeric = 3; + } + + let symbols = pw.replace(/\W/g, ""); + let numsymbols = pw.length - symbols.length; + if (numsymbols > 3) { + numsymbols = 3; + } + + let numupper = pw.replace(/[A-Z]/g, ""); + let upper = pw.length - numupper.length; + if (upper > 3) { + upper = 3; + } + + let pwstrength = + pwlength * 10 - 20 + numeric * 10 + numsymbols * 15 + upper * 10; + + // Clamp strength to [0, 100]. + if (pwstrength < 0) { + pwstrength = 0; + } + if (pwstrength > 100) { + pwstrength = 100; + } + + let meter = document.getElementById("pwmeter"); + meter.setAttribute("value", pwstrength); +} + +function checkPasswords() { + let pw1 = document.getElementById("pw1").value; + let pw2 = document.getElementById("pw2").value; + + var oldpwbox = document.getElementById("oldpw"); + if (oldpwbox) { + var initpw = oldpwbox.getAttribute("inited"); + + if (initpw == "empty" && pw1 == "") { + // The token has already been initialized, therefore this dialog + // was called with the intention to change the password. + // The token currently uses an empty password. + // We will not allow changing the password from empty to empty. + document + .getElementById("set_password") + .getButton("accept").disabled = true; + return; + } + } + + document.getElementById("set_password").getButton("accept").disabled = + pw1 != pw2; +} diff --git a/security/manager/pki/resources/content/changepassword.xhtml b/security/manager/pki/resources/content/changepassword.xhtml new file mode 100644 index 0000000000..7215f3a536 --- /dev/null +++ b/security/manager/pki/resources/content/changepassword.xhtml @@ -0,0 +1,77 @@ +<?xml version="1.0"?> +<!-- This Source Code Form is subject to the terms of the Mozilla Public + - License, v. 2.0. If a copy of the MPL was not distributed with this + - file, You can obtain one at http://mozilla.org/MPL/2.0/. --> + +<!DOCTYPE window> + +<window + data-l10n-id="change-device-password-window" + xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul" + xmlns:html="http://www.w3.org/1999/xhtml" + onload="onLoad();" +> + <dialog id="set_password" buttons="accept,cancel"> + <linkset> + <html:link rel="stylesheet" href="chrome://global/skin/global.css" /> + + <html:link rel="localization" href="security/pippki/pippki.ftl" /> + </linkset> + + <stringbundle + id="pippki_bundle" + src="chrome://pippki/locale/pippki.properties" + /> + + <script src="chrome://global/content/globalOverlay.js" /> + <script src="chrome://global/content/editMenuOverlay.js" /> + + <script src="chrome://pippki/content/changepassword.js" /> + + <hbox align="center"> + <label + id="tokenName" + data-l10n-id="change-password-token" + data-l10n-args='{"tokenName":""}' + /> + </hbox> + + <separator /> + + <vbox> + <hbox class="input-row"> + <label flex="1" data-l10n-id="change-password-old" /> + <html:input id="oldpw" type="password" /> + <!-- This textbox is inserted as a workaround to the fact that making the 'type' + & 'disabled' property of the 'oldpw' textbox toggle between ['password' & + 'false'] and ['text' & 'true'] - as would be necessary if the menu has more + than one tokens, some initialized and some not - does not work properly. So, + either the textbox 'oldpw' or the textbox 'message' would be displayed, + depending on the state of the token selected + --> + <html:input id="message" disabled="true" /> + </hbox> + <hbox class="input-row"> + <label flex="1" data-l10n-id="change-password-new" /> + <html:input + id="pw1" + type="password" + oninput="setPasswordStrength(); checkPasswords();" + /> + </hbox> + <hbox class="input-row"> + <label flex="1" data-l10n-id="change-password-reenter" /> + <html:input id="pw2" type="password" oninput="checkPasswords();" /> + </hbox> + </vbox> + + <vbox style="margin: 6px"> + <label + for="pwmeter" + style="display: flex" + data-l10n-id="password-quality-meter" + /> + <html:progress id="pwmeter" value="0" max="100" /> + </vbox> + </dialog> +</window> diff --git a/security/manager/pki/resources/content/clientauthask.css b/security/manager/pki/resources/content/clientauthask.css new file mode 100644 index 0000000000..0b8217bc4b --- /dev/null +++ b/security/manager/pki/resources/content/clientauthask.css @@ -0,0 +1,17 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +:root { + min-width: 48em; +} + +.important { + font-weight: bold; +} + +.details { + text-overflow: ellipsis; + overflow: hidden; + white-space: nowrap; +} diff --git a/security/manager/pki/resources/content/clientauthask.js b/security/manager/pki/resources/content/clientauthask.js new file mode 100644 index 0000000000..e9df667dbe --- /dev/null +++ b/security/manager/pki/resources/content/clientauthask.js @@ -0,0 +1,162 @@ +/* -*- tab-width: 2; indent-tabs-mode: nil; js-indent-level: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* import-globals-from pippki.js */ +"use strict"; + +const { parse, pemToDER } = ChromeUtils.importESModule( + "chrome://global/content/certviewer/certDecoder.mjs" +); + +/** + * @file Implements the functionality of clientauthask.xhtml: a dialog that allows + * a user pick a client certificate for TLS client authentication. + * @param {object} window.arguments.0 + * An Object with the properties: + * {String} hostname + * The hostname of the server requesting client authentication. + * {Array<nsIX509Cert>} certArray + * Array of certificates the user can choose from + * {Object} retVal + * Object to set the return values of calling the dialog on. + * See ClientAuthAskReturnValues. + */ + +/** + * @typedef ClientAuthAskReturnValues + * @type {object} + * @property {nsIX509Cert} cert + * The certificate, if chosen. null otherwise. + * @property {boolean} rememberDecision + * Set to true if the user wanted their cert selection to be + * remembered, false otherwise. + */ + +/** + * The array of certs the user can choose from. + * + * @type {Array<nsIX509Cert>} + */ +var certArray; + +/** + * The checkbox storing whether the user wants to remember the selected cert. + * + * @type {HTMLInputElement} Element checkbox, has to have |checked| property. + */ +var rememberBox; + +async function onLoad() { + let rememberSetting = Services.prefs.getBoolPref( + "security.remember_cert_checkbox_default_setting" + ); + rememberBox = document.getElementById("rememberBox"); + rememberBox.checked = rememberSetting; + + certArray = window.arguments[0].certArray; + + document.l10n.setAttributes( + document.getElementById("clientAuthSiteIdentification"), + "client-auth-site-identification", + { hostname: window.arguments[0].hostname } + ); + + let selectElement = document.getElementById("nicknames"); + for (let i = 0; i < certArray.length; i++) { + let menuItemNode = document.createXULElement("menuitem"); + let cert = certArray[i]; + let nickAndSerial = `${cert.displayName} [${cert.serialNumber}]`; + menuItemNode.setAttribute("value", i); + menuItemNode.setAttribute("label", nickAndSerial); // This is displayed. + selectElement.menupopup.appendChild(menuItemNode); + if (i == 0) { + selectElement.selectedItem = menuItemNode; + } + } + + await setDetails(); + document.addEventListener("dialogaccept", doOK); + document.addEventListener("dialogcancel", doCancel); + + Services.obs.notifyObservers( + document.getElementById("certAuthAsk"), + "cert-dialog-loaded" + ); +} + +/** + * Populates the details section with information concerning the selected cert. + */ +async function setDetails() { + let index = parseInt(document.getElementById("nicknames").value); + let cert = certArray[index]; + document.l10n.setAttributes( + document.getElementById("clientAuthCertDetailsIssuedTo"), + "client-auth-cert-details-issued-to", + { issuedTo: cert.subjectName } + ); + document.l10n.setAttributes( + document.getElementById("clientAuthCertDetailsSerialNumber"), + "client-auth-cert-details-serial-number", + { serialNumber: cert.serialNumber } + ); + const formatter = new Intl.DateTimeFormat(undefined, { + dateStyle: "medium", + timeStyle: "long", + }); + document.l10n.setAttributes( + document.getElementById("clientAuthCertDetailsValidityPeriod"), + "client-auth-cert-details-validity-period", + { + notBefore: formatter.format(new Date(cert.validity.notBefore / 1000)), + notAfter: formatter.format(new Date(cert.validity.notAfter / 1000)), + } + ); + let parsedCert = await parse(pemToDER(cert.getBase64DERString())); + let keyUsages = parsedCert.ext.keyUsages; + if (keyUsages && keyUsages.purposes.length) { + document.l10n.setAttributes( + document.getElementById("clientAuthCertDetailsKeyUsages"), + "client-auth-cert-details-key-usages", + { keyUsages: keyUsages.purposes.join(", ") } + ); + } + let emailAddresses = cert.getEmailAddresses(); + if (emailAddresses.length) { + document.l10n.setAttributes( + document.getElementById("clientAuthCertDetailsEmailAddresses"), + "client-auth-cert-details-email-addresses", + { emailAddresses: emailAddresses.join(", ") } + ); + } + document.l10n.setAttributes( + document.getElementById("clientAuthCertDetailsIssuedBy"), + "client-auth-cert-details-issued-by", + { issuedBy: cert.issuerName } + ); + document.l10n.setAttributes( + document.getElementById("clientAuthCertDetailsStoredOn"), + "client-auth-cert-details-stored-on", + { storedOn: cert.tokenName } + ); +} + +async function onCertSelected() { + await setDetails(); +} + +function doOK() { + let { retVals } = window.arguments[0]; + let index = parseInt(document.getElementById("nicknames").value); + let cert = certArray[index]; + retVals.cert = cert; + retVals.rememberDecision = rememberBox.checked; +} + +function doCancel() { + let { retVals } = window.arguments[0]; + retVals.cert = null; + retVals.rememberDecision = rememberBox.checked; +} diff --git a/security/manager/pki/resources/content/clientauthask.xhtml b/security/manager/pki/resources/content/clientauthask.xhtml new file mode 100644 index 0000000000..717dec5670 --- /dev/null +++ b/security/manager/pki/resources/content/clientauthask.xhtml @@ -0,0 +1,116 @@ +<?xml version="1.0"?> +<!-- This Source Code Form is subject to the terms of the Mozilla Public + - License, v. 2.0. If a copy of the MPL was not distributed with this + - file, You can obtain one at http://mozilla.org/MPL/2.0/. --> + +<!DOCTYPE window> + +<window + data-l10n-id="client-auth-window" + xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul" + xmlns:html="http://www.w3.org/1999/xhtml" + onload="onLoad();" +> + <dialog + id="certAuthAsk" + buttons="accept,cancel" + buttonidcancel="client-auth-send-no-certificate" + > + <linkset> + <html:link rel="stylesheet" href="chrome://global/skin/global.css" /> + <html:link + rel="stylesheet" + href="chrome://pippki/content/clientauthask.css" + /> + + <html:link rel="localization" href="security/pippki/pippki.ftl" /> + </linkset> + + <stringbundleset id="stringbundleset"> + <stringbundle + id="pippki_bundle" + src="chrome://pippki/locale/pippki.properties" + /> + </stringbundleset> + + <script src="chrome://pippki/content/pippki.js" /> + <script src="chrome://pippki/content/clientauthask.js" /> + <script src="chrome://global/content/globalOverlay.js" /> + <script src="chrome://global/content/editMenuOverlay.js" /> + + <description + class="important" + id="clientAuthSiteIdentification" + data-l10n-id="client-auth-site-identification" + data-l10n-args='{"hostname":""}' + ></description> + + <!-- The items in this menulist must never be sorted, + but remain in the order filled by the application +--> + <menulist id="nicknames" oncommand="onCertSelected();" native="true"> + <menupopup /> + </menulist> + + <description + class="important" + data-l10n-id="client-auth-cert-details" + ></description> + + <description + id="clientAuthCertDetailsIssuedTo" + class="details" + data-l10n-id="client-auth-cert-details-issued-to" + data-l10n-args='{"issuedTo":""}' + ></description> + + <description + id="clientAuthCertDetailsSerialNumber" + class="details" + data-l10n-id="client-auth-cert-details-serial-number" + data-l10n-args='{"serialNumber":""}' + ></description> + + <description + id="clientAuthCertDetailsValidityPeriod" + class="details" + data-l10n-id="client-auth-cert-details-validity-period" + data-l10n-args='{"notBefore":"","notAfter":""}' + ></description> + + <description + id="clientAuthCertDetailsKeyUsages" + class="details" + data-l10n-id="client-auth-cert-details-key-usages" + data-l10n-args='{"keyUsages":""}' + ></description> + + <description + id="clientAuthCertDetailsEmailAddresses" + class="details" + data-l10n-id="client-auth-cert-details-email-addresses" + data-l10n-args='{"emailAddresses":""}' + ></description> + + <description + id="clientAuthCertDetailsIssuedBy" + class="details" + data-l10n-id="client-auth-cert-details-issued-by" + data-l10n-args='{"issuedBy":""}' + ></description> + + <description + id="clientAuthCertDetailsStoredOn" + class="details" + data-l10n-id="client-auth-cert-details-stored-on" + data-l10n-args='{"storedOn":""}' + ></description> + + <checkbox + id="rememberBox" + data-l10n-id="client-auth-cert-remember-box" + checked="true" + native="true" + /> + </dialog> +</window> diff --git a/security/manager/pki/resources/content/deletecert.css b/security/manager/pki/resources/content/deletecert.css new file mode 100644 index 0000000000..b959b9c492 --- /dev/null +++ b/security/manager/pki/resources/content/deletecert.css @@ -0,0 +1,24 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +dialog::part(content-box) { + flex: 1; +} + +#confirm, +#impact { + /* We don't want these to impact the horizontal size of the dialog */ + contain: inline-size; +} + +#impact { + margin-block-start: 12px; +} + +#certlist { + flex: 1; + min-height: 8em; + contain: size; + min-width: 35em; +} diff --git a/security/manager/pki/resources/content/deletecert.js b/security/manager/pki/resources/content/deletecert.js new file mode 100644 index 0000000000..7d926863ed --- /dev/null +++ b/security/manager/pki/resources/content/deletecert.js @@ -0,0 +1,121 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* import-globals-from pippki.js */ +"use strict"; + +/** + * @file Implements the functionality of deletecert.xhtml: a dialog that allows a + * user to confirm whether to delete certain certificates. + * @param {string} window.arguments.0 + * One of the tab IDs listed in certManager.xhtml. + * @param {object[]} window.arguments.1 + * An array of objects representing the certs to delete. + * Each must have a 'cert' property or a 'hostPort' property. + * @param {DeleteCertReturnValues} window.arguments.2 + * Object holding the return values of calling the dialog. + */ + +/** + * @typedef DeleteCertReturnValues + * @type {object} + * @property {boolean} deleteConfirmed + * Set to true if the user confirmed deletion of the given certs, + * false otherwise. + */ + +/** + * Returns the element to represent the given cert to delete. + * + * @param {object} certToDelete + * The item to represent. + * @returns {Element} + * A element of each cert tree item. + */ +function getLabelForCertToDelete(certToDelete) { + let element = document.createXULElement("label"); + let cert = certToDelete.cert; + if (!cert) { + element.setAttribute("value", certToDelete.hostPort); + return element; + } + + const attributes = [ + cert.commonName, + cert.organizationalUnit, + cert.organization, + cert.subjectName, + ]; + for (let attribute of attributes) { + if (attribute) { + element.setAttribute("value", attribute); + return element; + } + } + + document.l10n.setAttributes(element, "cert-with-serial", { + serialNumber: cert.serialNumber, + }); + return element; +} + +/** + * onload() handler. + */ +function onLoad() { + let typeFlag = window.arguments[0]; + let confirm = document.getElementById("confirm"); + let impact = document.getElementById("impact"); + let prefixForType; + switch (typeFlag) { + case "mine_tab": + prefixForType = "delete-user-cert-"; + break; + case "websites_tab": + prefixForType = "delete-ssl-override-"; + break; + case "ca_tab": + prefixForType = "delete-ca-cert-"; + break; + case "others_tab": + prefixForType = "delete-email-cert-"; + break; + default: + return; + } + + document.l10n.setAttributes( + document.documentElement, + prefixForType + "title" + ); + document.l10n.setAttributes(confirm, prefixForType + "confirm"); + document.l10n.setAttributes(impact, prefixForType + "impact"); + + document.addEventListener("dialogaccept", onDialogAccept); + document.addEventListener("dialogcancel", onDialogCancel); + + let box = document.getElementById("certlist"); + let certsToDelete = window.arguments[1]; + for (let certToDelete of certsToDelete) { + let listItem = document.createXULElement("richlistitem"); + let label = getLabelForCertToDelete(certToDelete); + listItem.appendChild(label); + box.appendChild(listItem); + } +} + +/** + * ondialogaccept() handler. + */ +function onDialogAccept() { + let retVals = window.arguments[2]; + retVals.deleteConfirmed = true; +} + +/** + * ondialogcancel() handler. + */ +function onDialogCancel() { + let retVals = window.arguments[2]; + retVals.deleteConfirmed = false; +} diff --git a/security/manager/pki/resources/content/deletecert.xhtml b/security/manager/pki/resources/content/deletecert.xhtml new file mode 100644 index 0000000000..08e48ade58 --- /dev/null +++ b/security/manager/pki/resources/content/deletecert.xhtml @@ -0,0 +1,36 @@ +<?xml version="1.0"?> +<!-- This Source Code Form is subject to the terms of the Mozilla Public + - License, v. 2.0. If a copy of the MPL was not distributed with this + - file, You can obtain one at http://mozilla.org/MPL/2.0/. --> + +<!DOCTYPE window> + +<window + data-l10n-id="certmgr-delete-cert2" + data-l10n-attrs="style" + xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul" + xmlns:html="http://www.w3.org/1999/xhtml" + onload="onLoad();" +> + <dialog id="deleteCertificate" buttons="accept,cancel"> + <linkset> + <html:link rel="stylesheet" href="chrome://global/skin/global.css" /> + <html:link + rel="stylesheet" + href="chrome://pippki/content/deletecert.css" + /> + + <html:link + rel="localization" + href="security/certificates/certManager.ftl" + /> + </linkset> + + <script src="pippki.js" /> + <script src="chrome://pippki/content/deletecert.js" /> + + <description id="confirm" /> + <richlistbox id="certlist" class="box-padded" /> + <description id="impact" /> + </dialog> +</window> diff --git a/security/manager/pki/resources/content/device_manager.js b/security/manager/pki/resources/content/device_manager.js new file mode 100644 index 0000000000..deb58d2ff3 --- /dev/null +++ b/security/manager/pki/resources/content/device_manager.js @@ -0,0 +1,433 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +const { XPCOMUtils } = ChromeUtils.importESModule( + "resource://gre/modules/XPCOMUtils.sys.mjs" +); + +var secmoddb; +var skip_enable_buttons = false; + +/* Do the initial load of all PKCS# modules and list them. */ +function LoadModules() { + secmoddb = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService( + Ci.nsIPKCS11ModuleDB + ); + RefreshDeviceList(); +} + +async function doPrompt(l10n_id) { + let [msg] = await document.l10n.formatValues([{ id: l10n_id }]); + Services.prompt.alert(window, null, msg); +} + +async function doConfirm(l10n_id) { + let [msg] = await document.l10n.formatValues([{ id: l10n_id }]); + return Services.prompt.confirm(window, null, msg); +} + +function RefreshDeviceList() { + for (let module of secmoddb.listModules()) { + let slots = module.listSlots(); + AddModule(module, slots); + } + + // Set the text on the FIPS button. + SetFIPSButton(); +} + +function SetFIPSButton() { + var fipsButton = document.getElementById("fipsbutton"); + if (secmoddb.isFIPSEnabled) { + document.l10n.setAttributes(fipsButton, "devmgr-button-disable-fips"); + } else { + document.l10n.setAttributes(fipsButton, "devmgr-button-enable-fips"); + } + + var can_toggle = secmoddb.canToggleFIPS; + if (can_toggle) { + fipsButton.removeAttribute("disabled"); + } else { + fipsButton.setAttribute("disabled", "true"); + } +} + +/* Add a module to the tree. slots is the array of slots in the module, + * to be represented as children. + */ +function AddModule(module, slots) { + var tree = document.getElementById("device_list"); + var item = document.createXULElement("treeitem"); + var row = document.createXULElement("treerow"); + var cell = document.createXULElement("treecell"); + cell.setAttribute("label", module.name); + row.appendChild(cell); + item.appendChild(row); + var parent = document.createXULElement("treechildren"); + for (let slot of slots) { + var child_item = document.createXULElement("treeitem"); + var child_row = document.createXULElement("treerow"); + var child_cell = document.createXULElement("treecell"); + child_cell.setAttribute("label", slot.name); + child_row.appendChild(child_cell); + child_item.appendChild(child_row); + child_item.setAttribute("pk11kind", "slot"); + // 'slot' is an attribute on any HTML element, hence 'slotObject' instead. + child_item.slotObject = slot; + parent.appendChild(child_item); + } + item.appendChild(parent); + item.setAttribute("pk11kind", "module"); + item.module = module; + item.setAttribute("open", "true"); + item.setAttribute("container", "true"); + tree.appendChild(item); +} + +var selected_slot; +var selected_module; + +/* get the slot selected by the user (can only be one-at-a-time) */ +function getSelectedItem() { + let tree = document.getElementById("device_tree"); + if (tree.currentIndex < 0) { + return; + } + let item = tree.view.getItemAtIndex(tree.currentIndex); + selected_slot = null; + selected_module = null; + if (item) { + let kind = item.getAttribute("pk11kind"); + if (kind == "slot") { + selected_slot = item.slotObject; + } else { + // (kind == "module") + selected_module = item.module; + } + } +} + +function enableButtons() { + if (skip_enable_buttons) { + return; + } + + var login_toggle = "true"; + var logout_toggle = "true"; + var pw_toggle = "true"; + var unload_toggle = "true"; + getSelectedItem(); + if (selected_module) { + unload_toggle = "false"; + showModuleInfo(); + } else if (selected_slot) { + // here's the workaround - login functions are all with token, + // so grab the token type + var selected_token = selected_slot.getToken(); + if (selected_token != null) { + if (selected_token.needsLogin() || !selected_token.needsUserInit) { + pw_toggle = "false"; + if (selected_token.needsLogin()) { + if (selected_token.isLoggedIn()) { + logout_toggle = "false"; + } else { + login_toggle = "false"; + } + } + } + + if ( + !Services.policies.isAllowed("createMasterPassword") && + selected_token.isInternalKeyToken && + !selected_token.hasPassword + ) { + pw_toggle = "true"; + } + } + showSlotInfo(); + } + document + .getElementById("login_button") + .setAttribute("disabled", login_toggle); + document + .getElementById("logout_button") + .setAttribute("disabled", logout_toggle); + document + .getElementById("change_pw_button") + .setAttribute("disabled", pw_toggle); + document + .getElementById("unload_button") + .setAttribute("disabled", unload_toggle); +} + +// clear the display of information for the slot +function ClearInfoList() { + let infoList = document.getElementById("info_list"); + while (infoList.hasChildNodes()) { + infoList.firstChild.remove(); + } +} + +function ClearDeviceList() { + ClearInfoList(); + + skip_enable_buttons = true; + var tree = document.getElementById("device_tree"); + tree.view.selection.clearSelection(); + skip_enable_buttons = false; + + // Remove the existing listed modules so that a refresh doesn't display the + // module that just changed. + let deviceList = document.getElementById("device_list"); + while (deviceList.hasChildNodes()) { + deviceList.firstChild.remove(); + } +} + +// show a list of info about a slot +function showSlotInfo() { + var present = true; + ClearInfoList(); + switch (selected_slot.status) { + case Ci.nsIPKCS11Slot.SLOT_DISABLED: + AddInfoRow( + "devinfo-status", + { l10nID: "devinfo-status-disabled" }, + "tok_status" + ); + present = false; + break; + case Ci.nsIPKCS11Slot.SLOT_NOT_PRESENT: + AddInfoRow( + "devinfo-status", + { l10nID: "devinfo-status-not-present" }, + "tok_status" + ); + present = false; + break; + case Ci.nsIPKCS11Slot.SLOT_UNINITIALIZED: + AddInfoRow( + "devinfo-status", + { l10nID: "devinfo-status-uninitialized" }, + "tok_status" + ); + break; + case Ci.nsIPKCS11Slot.SLOT_NOT_LOGGED_IN: + AddInfoRow( + "devinfo-status", + { l10nID: "devinfo-status-not-logged-in" }, + "tok_status" + ); + break; + case Ci.nsIPKCS11Slot.SLOT_LOGGED_IN: + AddInfoRow( + "devinfo-status", + { l10nID: "devinfo-status-logged-in" }, + "tok_status" + ); + break; + case Ci.nsIPKCS11Slot.SLOT_READY: + AddInfoRow( + "devinfo-status", + { l10nID: "devinfo-status-ready" }, + "tok_status" + ); + break; + default: + return; + } + AddInfoRow("devinfo-desc", { label: selected_slot.desc }, "slot_desc"); + AddInfoRow("devinfo-man-id", { label: selected_slot.manID }, "slot_manID"); + AddInfoRow( + "devinfo-hwversion", + { label: selected_slot.HWVersion }, + "slot_hwv" + ); + AddInfoRow( + "devinfo-fwversion", + { label: selected_slot.FWVersion }, + "slot_fwv" + ); + if (present) { + showTokenInfo(); + } +} + +function showModuleInfo() { + ClearInfoList(); + AddInfoRow("devinfo-modname", { label: selected_module.name }, "module_name"); + AddInfoRow( + "devinfo-modpath", + { label: selected_module.libName }, + "module_path" + ); +} + +// add a row to the info list, as [col1 col2] (ex.: ["status" "logged in"]) +function AddInfoRow(l10nID, col2, cell_id) { + var tree = document.getElementById("info_list"); + var item = document.createXULElement("treeitem"); + var row = document.createXULElement("treerow"); + var cell1 = document.createXULElement("treecell"); + document.l10n.setAttributes(cell1, l10nID); + cell1.setAttribute("crop", "never"); + row.appendChild(cell1); + var cell2 = document.createXULElement("treecell"); + if (col2.l10nID) { + document.l10n.setAttributes(cell2, col2.l10nID); + } else { + cell2.setAttribute("label", col2.label); + } + cell2.setAttribute("crop", "never"); + cell2.setAttribute("id", cell_id); + row.appendChild(cell2); + item.appendChild(row); + tree.appendChild(item); +} + +// log in to a slot +function doLogin() { + getSelectedItem(); + // here's the workaround - login functions are with token + var selected_token = selected_slot.getToken(); + try { + selected_token.login(false); + var tok_status = document.getElementById("tok_status"); + if (selected_token.isLoggedIn()) { + document.l10n.setAttributes(tok_status, "devinfo-status-logged-in"); + } else { + document.l10n.setAttributes(tok_status, "devinfo-status-not-logged-in"); + } + } catch (e) { + doPrompt("login-failed"); + } + enableButtons(); +} + +// log out of a slot +function doLogout() { + getSelectedItem(); + // here's the workaround - login functions are with token + var selected_token = selected_slot.getToken(); + try { + selected_token.logoutAndDropAuthenticatedResources(); + var tok_status = document.getElementById("tok_status"); + if (selected_token.isLoggedIn()) { + document.l10n.setAttributes(tok_status, "devinfo-status-logged-in"); + } else { + document.l10n.setAttributes(tok_status, "devinfo-status-not-logged-in"); + } + } catch (e) {} + enableButtons(); +} + +// load a new device +function doLoad() { + window.browsingContext.topChromeWindow.open( + "load_device.xhtml", + "loaddevice", + "chrome,centerscreen,modal" + ); + ClearDeviceList(); + RefreshDeviceList(); +} + +async function deleteSelected() { + getSelectedItem(); + if (selected_module && (await doConfirm("del-module-warning"))) { + try { + secmoddb.deleteModule(selected_module.name); + } catch (e) { + doPrompt("del-module-error"); + return false; + } + selected_module = null; + return true; + } + return false; +} + +async function doUnload() { + if (await deleteSelected()) { + ClearDeviceList(); + RefreshDeviceList(); + } +} + +function changePassword() { + getSelectedItem(); + let params = Cc["@mozilla.org/embedcomp/dialogparam;1"].createInstance( + Ci.nsIDialogParamBlock + ); + let objects = Cc["@mozilla.org/array;1"].createInstance(Ci.nsIMutableArray); + objects.appendElement(selected_slot.getToken()); + params.objects = objects; + window.browsingContext.topChromeWindow.openDialog( + "changepassword.xhtml", + "", + "chrome,centerscreen,modal", + params + ); + showSlotInfo(); + enableButtons(); +} + +// ------------------------------------- Old code + +function showTokenInfo() { + var selected_token = selected_slot.getToken(); + AddInfoRow("devinfo-label", { label: selected_token.tokenName }, "tok_label"); + AddInfoRow( + "devinfo-man-id", + { label: selected_token.tokenManID }, + "tok_manID" + ); + AddInfoRow( + "devinfo-serialnum", + { label: selected_token.tokenSerialNumber }, + "tok_sNum" + ); + AddInfoRow( + "devinfo-hwversion", + { label: selected_token.tokenHWVersion }, + "tok_hwv" + ); + AddInfoRow( + "devinfo-fwversion", + { label: selected_token.tokenFWVersion }, + "tok_fwv" + ); +} + +function toggleFIPS() { + if (!secmoddb.isFIPSEnabled) { + // A restriction of FIPS mode is, the password must be set + // In FIPS mode the password must be non-empty. + // This is different from what we allow in NON-Fips mode. + + var tokendb = Cc["@mozilla.org/security/pk11tokendb;1"].getService( + Ci.nsIPK11TokenDB + ); + var internal_token = tokendb.getInternalKeyToken(); // nsIPK11Token + if (!internal_token.hasPassword) { + // Token has either no or an empty password. + doPrompt("fips-nonempty-primary-password-required"); + return; + } + } + + try { + secmoddb.toggleFIPSMode(); + } catch (e) { + doPrompt("unable-to-toggle-fips"); + return; + } + + // Remove the existing listed modules so that a refresh doesn't display the + // module that just changed. + ClearDeviceList(); + + RefreshDeviceList(); +} diff --git a/security/manager/pki/resources/content/device_manager.xhtml b/security/manager/pki/resources/content/device_manager.xhtml new file mode 100644 index 0000000000..cca3e19e75 --- /dev/null +++ b/security/manager/pki/resources/content/device_manager.xhtml @@ -0,0 +1,113 @@ +<?xml version="1.0"?> +<!-- This Source Code Form is subject to the terms of the Mozilla Public + - License, v. 2.0. If a copy of the MPL was not distributed with this + - file, You can obtain one at http://mozilla.org/MPL/2.0/. --> + +<!DOCTYPE dialog> + +<window + windowtype="mozilla:devicemanager" + xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul" + xmlns:html="http://www.w3.org/1999/xhtml" + data-l10n-id="devmgr-window" + data-l10n-attrs="style" + persist="screenX screenY width height" + onload="LoadModules();" +> + <dialog id="devicemanager" buttons="accept"> + <linkset> + <html:link rel="stylesheet" href="chrome://global/skin/global.css" /> + + <html:link + rel="localization" + href="security/certificates/deviceManager.ftl" + /> + </linkset> + + <script src="chrome://pippki/content/device_manager.js" /> + + <hbox flex="1" style="margin: 5px"> + <!-- List of devices --> + <tree + id="device_tree" + seltype="single" + onselect="enableButtons();" + hidecolumnpicker="true" + flex="1" + style="min-width: 15em" + > + <treecols> + <treecol + id="deviceCol" + flex="1" + primary="true" + data-l10n-id="devmgr-devlist" + /> + </treecols> + <treechildren id="device_list" /> + </tree> + <!-- / List of devices --> + <!-- Device status --> + <tree + id="info_tree" + seltype="single" + hidecolumnpicker="true" + style="flex: 3 3; min-width: 10em" + > + <treecols> + <treecol + id="title1Col" + style="flex: 5 5 auto" + primary="true" + data-l10n-id="devmgr-header-details" + /> + <treecol + id="title2Col" + style="flex: 7 7 auto" + data-l10n-id="devmgr-header-value" + /> + </treecols> + <treechildren id="info_list" /> + </tree> + <!-- / Device status --> + <vbox> + <!-- Buttons for manipulating devices --> + <button + id="login_button" + data-l10n-id="devmgr-button-login" + oncommand="doLogin();" + disabled="true" + /> + <button + id="logout_button" + data-l10n-id="devmgr-button-logout" + oncommand="doLogout();" + disabled="true" + /> + <button + id="change_pw_button" + data-l10n-id="devmgr-button-changepw" + oncommand="changePassword();" + disabled="true" + /> + <button + id="load_button" + data-l10n-id="devmgr-button-load" + oncommand="doLoad();" + /> + <button + id="unload_button" + data-l10n-id="devmgr-button-unload" + oncommand="doUnload();" + disabled="true" + /> + <button + id="fipsbutton" + data-l10n-id="devmgr-button-enable-fips" + oncommand="toggleFIPS();" + /> + </vbox> + <!-- / Buttons for manipulating devices --> + </hbox> + </dialog> +</window> diff --git a/security/manager/pki/resources/content/downloadcert.js b/security/manager/pki/resources/content/downloadcert.js new file mode 100644 index 0000000000..8451997441 --- /dev/null +++ b/security/manager/pki/resources/content/downloadcert.js @@ -0,0 +1,83 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* import-globals-from pippki.js */ +"use strict"; + +/** + * @file Implements the functionality of downloadcert.xhtml: a dialog that allows + * a user to confirm whether to import a certificate, and if so what trust + * to give it. + * @param {nsISupports} window.arguments.0 + * Certificate to confirm import of, queryable to nsIX509Cert. + * @param {nsISupports} window.arguments.1 + * Object to set the return values of calling the dialog on, queryable + * to the underlying type of DownloadCertReturnValues. + */ + +/** + * @typedef DownloadCertReturnValues + * @type {nsIWritablePropertyBag2} + * @property {boolean} importConfirmed + * Set to true if the user confirmed import of the cert and accepted + * the dialog, false otherwise. + * @property {boolean} trustForSSL + * Set to true if the cert should be trusted for SSL, false otherwise. + * Undefined value if |importConfirmed| is not true. + * @property {boolean} trustForEmail + * Set to true if the cert should be trusted for e-mail, false + * otherwise. Undefined value if |importConfirmed| is not true. + */ + +/** + * The cert to potentially import. + * + * @type {nsIX509Cert} + */ +var gCert; + +/** + * onload() handler. + */ +function onLoad() { + gCert = window.arguments[0].QueryInterface(Ci.nsIX509Cert); + + document.addEventListener("dialogaccept", onDialogAccept); + document.addEventListener("dialogcancel", onDialogCancel); + + let bundle = document.getElementById("pippki_bundle"); + let caName = gCert.commonName; + if (!caName.length) { + caName = bundle.getString("unnamedCA"); + } + + setText("trustHeader", bundle.getFormattedString("newCAMessage1", [caName])); +} + +/** + * Handler for the "View Cert" button. + */ +function viewCert() { + viewCertHelper(window, gCert, "window"); +} + +/** + * ondialogaccept() handler. + */ +function onDialogAccept() { + let checkSSL = document.getElementById("trustSSL"); + let checkEmail = document.getElementById("trustEmail"); + + let retVals = window.arguments[1].QueryInterface(Ci.nsIWritablePropertyBag2); + retVals.setPropertyAsBool("importConfirmed", true); + retVals.setPropertyAsBool("trustForSSL", checkSSL.checked); + retVals.setPropertyAsBool("trustForEmail", checkEmail.checked); +} + +/** + * ondialogcancel() handler. + */ +function onDialogCancel() { + let retVals = window.arguments[1].QueryInterface(Ci.nsIWritablePropertyBag2); + retVals.setPropertyAsBool("importConfirmed", false); +} diff --git a/security/manager/pki/resources/content/downloadcert.xhtml b/security/manager/pki/resources/content/downloadcert.xhtml new file mode 100644 index 0000000000..83c1fc1ac0 --- /dev/null +++ b/security/manager/pki/resources/content/downloadcert.xhtml @@ -0,0 +1,66 @@ +<?xml version="1.0"?> +<!-- This Source Code Form is subject to the terms of the Mozilla Public + - License, v. 2.0. If a copy of the MPL was not distributed with this + - file, You can obtain one at http://mozilla.org/MPL/2.0/. --> + +<!DOCTYPE window> + +<window + data-l10n-id="download-cert-window2" + data-l10n-attrs="title, style" + xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul" + xmlns:html="http://www.w3.org/1999/xhtml" + onload="onLoad();" +> + <dialog id="download_cert" buttons="accept,cancel"> + <linkset> + <html:link rel="stylesheet" href="chrome://global/skin/global.css" /> + + <html:link rel="localization" href="security/pippki/pippki.ftl" /> + </linkset> + + <stringbundle + id="pippki_bundle" + src="chrome://pippki/locale/pippki.properties" + /> + + <script src="chrome://pippki/content/pippki.js" /> + <script src="chrome://pippki/content/downloadcert.js" /> + + <!-- Let 'em know what they're doing --> + <vbox> + <description data-l10n-id="download-cert-message"></description> + </vbox> + + <separator /> + + <!-- checkboxes for trust bits + - "do you want to?" + - * trust for SSL + - * trust for email + --> + <vbox> + <description id="trustHeader" /> + <checkbox data-l10n-id="download-cert-trust-ssl" id="trustSSL" /> + <checkbox data-l10n-id="download-cert-trust-email" id="trustEmail" /> + </vbox> + + <separator /> + + <vbox> + <description data-l10n-id="download-cert-message-desc"></description> + <separator /> + <hbox> + <button + id="viewC-button" + data-l10n-id="download-cert-view-cert" + oncommand="viewCert();" + /> + <description + style="margin: 4px" + data-l10n-id="download-cert-view-text" + ></description> + </hbox> + </vbox> + </dialog> +</window> diff --git a/security/manager/pki/resources/content/editcacert.js b/security/manager/pki/resources/content/editcacert.js new file mode 100644 index 0000000000..ecb6b3e3ce --- /dev/null +++ b/security/manager/pki/resources/content/editcacert.js @@ -0,0 +1,52 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* import-globals-from pippki.js */ +"use strict"; + +var gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); +/** + * Cert to edit the trust of. + * + * @type {nsIX509Cert} + */ +var gCert = window.arguments[0]; + +document.addEventListener("DOMContentLoaded", init); + +function init() { + document.addEventListener("dialogaccept", onDialogAccept); + + let sslCheckbox = document.getElementById("trustSSL"); + sslCheckbox.checked = gCertDB.isCertTrusted( + gCert, + Ci.nsIX509Cert.CA_CERT, + Ci.nsIX509CertDB.TRUSTED_SSL + ); + + let emailCheckbox = document.getElementById("trustEmail"); + emailCheckbox.checked = gCertDB.isCertTrusted( + gCert, + Ci.nsIX509Cert.CA_CERT, + Ci.nsIX509CertDB.TRUSTED_EMAIL + ); + + let certMsg = document.getElementById("certmsg"); + document.l10n.setAttributes(certMsg, "edit-trust-ca", { + certName: gCert.commonName, + }); +} + +/** + * ondialogaccept() handler. + */ +function onDialogAccept() { + let sslCheckbox = document.getElementById("trustSSL"); + let emailCheckbox = document.getElementById("trustEmail"); + let trustSSL = sslCheckbox.checked ? Ci.nsIX509CertDB.TRUSTED_SSL : 0; + let trustEmail = emailCheckbox.checked ? Ci.nsIX509CertDB.TRUSTED_EMAIL : 0; + + gCertDB.setCertTrust(gCert, Ci.nsIX509Cert.CA_CERT, trustSSL | trustEmail); +} diff --git a/security/manager/pki/resources/content/editcacert.xhtml b/security/manager/pki/resources/content/editcacert.xhtml new file mode 100644 index 0000000000..cdd0afedb9 --- /dev/null +++ b/security/manager/pki/resources/content/editcacert.xhtml @@ -0,0 +1,35 @@ +<?xml version="1.0"?> +<!-- This Source Code Form is subject to the terms of the Mozilla Public + - License, v. 2.0. If a copy of the MPL was not distributed with this + - file, You can obtain one at http://mozilla.org/MPL/2.0/. --> + +<!DOCTYPE window> + +<window + data-l10n-id="certmgr-edit-ca-cert2" + data-l10n-attrs="style" + xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul" + xmlns:html="http://www.w3.org/1999/xhtml" +> + <dialog id="editCaCert" buttons="accept,cancel"> + <linkset> + <html:link rel="stylesheet" href="chrome://global/skin/global.css" /> + + <html:link + rel="localization" + href="security/certificates/certManager.ftl" + /> + </linkset> + + <script src="chrome://pippki/content/pippki.js" /> + <script src="chrome://pippki/content/editcacert.js" /> + + <description id="certmsg" /> + <separator /> + <description data-l10n-id="certmgr-edit-cert-edit-trust" /> + <vbox align="start"> + <checkbox data-l10n-id="certmgr-edit-cert-trust-ssl" id="trustSSL" /> + <checkbox data-l10n-id="certmgr-edit-cert-trust-email" id="trustEmail" /> + </vbox> + </dialog> +</window> diff --git a/security/manager/pki/resources/content/exceptionDialog.css b/security/manager/pki/resources/content/exceptionDialog.css new file mode 100644 index 0000000000..b2c8eb7a7b --- /dev/null +++ b/security/manager/pki/resources/content/exceptionDialog.css @@ -0,0 +1,35 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +:root { + max-width: 40em; + min-width: 35em; +} + +#warningSupplemental, +.description { + font-weight: bold; +} + +.longDescription { + padding-bottom: 1em; +} + +#warningText, +#warningSupplemental, +#headerDescription, +.longDescription { + /* Don't let these affect the min horizontal size of the dialog */ + contain: inline-size; + white-space: pre-wrap; +} + +.description:empty, +.longDescription:empty { + display: none; +} + +#locationTextBox { + flex: 1; +} diff --git a/security/manager/pki/resources/content/exceptionDialog.js b/security/manager/pki/resources/content/exceptionDialog.js new file mode 100644 index 0000000000..02fed06a38 --- /dev/null +++ b/security/manager/pki/resources/content/exceptionDialog.js @@ -0,0 +1,322 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* import-globals-from pippki.js */ +"use strict"; + +var gDialog; +var gSecInfo; +var gCert; +var gChecking; +var gBroken; +var gNeedReset; + +const { PrivateBrowsingUtils } = ChromeUtils.importESModule( + "resource://gre/modules/PrivateBrowsingUtils.sys.mjs" +); + +function initExceptionDialog() { + gNeedReset = false; + gDialog = document.getElementById("exceptiondialog"); + let warningText = document.getElementById("warningText"); + document.l10n.setAttributes(warningText, "add-exception-branded-warning"); + let confirmButton = gDialog.getButton("extra1"); + let l10nUpdatedElements = [confirmButton, warningText]; + confirmButton.disabled = true; + + var args = window.arguments; + if (args && args[0]) { + if (args[0].location) { + // We were pre-seeded with a location. + document.getElementById("locationTextBox").value = args[0].location; + document.getElementById("checkCertButton").disabled = false; + + if (args[0].securityInfo) { + gSecInfo = args[0].securityInfo; + gCert = gSecInfo.serverCert; + gBroken = true; + l10nUpdatedElements = l10nUpdatedElements.concat(updateCertStatus()); + } else if (args[0].prefetchCert) { + // We can optionally pre-fetch the certificate too. Don't do this + // synchronously, since it would prevent the window from appearing + // until the fetch is completed, which could be multiple seconds. + // Instead, let's use a timer to spawn the actual fetch, but update + // the dialog to "checking..." state right away, so that the UI + // is appropriately responsive. Bug 453855 + document.getElementById("checkCertButton").disabled = true; + gChecking = true; + l10nUpdatedElements = l10nUpdatedElements.concat(updateCertStatus()); + + window.setTimeout(checkCert, 0); + } + } + + // Set out parameter to false by default + args[0].exceptionAdded = false; + } + + for (let id of [ + "warningSupplemental", + "certLocationLabel", + "checkCertButton", + "statusDescription", + "statusLongDescription", + "viewCertButton", + "permanent", + ]) { + let element = document.getElementById(id); + l10nUpdatedElements.push(element); + } + + document.l10n + .translateElements(l10nUpdatedElements) + .then(() => window.sizeToContent()); + + document.addEventListener("dialogextra1", addException); + document.addEventListener("dialogextra2", checkCert); +} + +/** + * Helper function for checkCert. Set as the onerror/onload callbacks for an + * XMLHttpRequest. Sets gSecInfo, gCert, gBroken, and gChecking according to + * the load information from the request. Probably should not be used directly. + * + * @param {XMLHttpRequest} req + * The XMLHttpRequest created and sent by checkCert. + * @param {Event} evt + * The load or error event. + */ +function grabCert(req, evt) { + if (req.channel && req.channel.securityInfo) { + gSecInfo = req.channel.securityInfo; + gCert = gSecInfo ? gSecInfo.serverCert : null; + } + gBroken = evt.type == "error"; + gChecking = false; + document.l10n + .translateElements(updateCertStatus()) + .then(() => window.sizeToContent()); +} + +/** + * Attempt to download the certificate for the location specified, and populate + * the Certificate Status section with the result. + */ +async function checkCert() { + gCert = null; + gSecInfo = null; + gChecking = true; + gBroken = false; + await document.l10n.translateElements(updateCertStatus()); + window.sizeToContent(); + + let uri = getURI(); + + if (uri) { + let req = new XMLHttpRequest(); + req.open("GET", uri.prePath); + req.onerror = grabCert.bind(this, req); + req.onload = grabCert.bind(this, req); + req.send(null); + } else { + gChecking = false; + await document.l10n.translateElements(updateCertStatus()); + window.sizeToContent(); + } +} + +/** + * Build and return a URI, based on the information supplied in the + * Certificate Location fields + * + * @returns {nsIURI} + * URI constructed from the information supplied on success, null + * otherwise. + */ +function getURI() { + // Use fixup service instead of just ioservice's newURI since it's quite + // likely that the host will be supplied without a protocol prefix, resulting + // in malformed uri exceptions being thrown. + let locationTextBox = document.getElementById("locationTextBox"); + let { preferredURI: uri } = Services.uriFixup.getFixupURIInfo( + locationTextBox.value + ); + + if (!uri) { + return null; + } + + let mutator = uri.mutate(); + if (uri.scheme == "http") { + mutator.setScheme("https"); + } + + if (uri.port == -1) { + mutator.setPort(443); + } + + return mutator.finalize(); +} + +function resetDialog() { + document.getElementById("viewCertButton").disabled = true; + document.getElementById("permanent").disabled = true; + gDialog.getButton("extra1").disabled = true; + setText("headerDescription", ""); + setText("statusDescription", ""); + setText("statusLongDescription", ""); + setText("status2Description", ""); + setText("status2LongDescription", ""); + setText("status3Description", ""); + setText("status3LongDescription", ""); + window.sizeToContent(); +} + +/** + * Called by input textboxes to manage UI state + */ +function handleTextChange() { + var checkCertButton = document.getElementById("checkCertButton"); + checkCertButton.disabled = !document.getElementById("locationTextBox").value; + if (gNeedReset) { + gNeedReset = false; + resetDialog(); + } +} + +function updateCertStatus() { + var shortDesc, longDesc; + let l10nUpdatedElements = []; + if (gCert) { + if (gBroken) { + var mms = "add-exception-domain-mismatch-short"; + var mml = "add-exception-domain-mismatch-long"; + var exs = "add-exception-expired-short"; + var exl = "add-exception-expired-long"; + var uts = "add-exception-unverified-or-bad-signature-short"; + var utl = "add-exception-unverified-or-bad-signature-long"; + if ( + gSecInfo.overridableErrorCategory == + Ci.nsITransportSecurityInfo.ERROR_TRUST + ) { + shortDesc = uts; + longDesc = utl; + } else if ( + gSecInfo.overridableErrorCategory == + Ci.nsITransportSecurityInfo.ERROR_DOMAIN + ) { + shortDesc = mms; + longDesc = mml; + } else if ( + gSecInfo.overridableErrorCategory == + Ci.nsITransportSecurityInfo.ERROR_TIME + ) { + shortDesc = exs; + longDesc = exl; + } + // In these cases, we do want to enable the "Add Exception" button + gDialog.getButton("extra1").disabled = false; + + // If the Private Browsing service is available and the mode is active, + // don't store permanent exceptions, since they would persist after + // private browsing mode was disabled. + var inPrivateBrowsing = inPrivateBrowsingMode(); + var pe = document.getElementById("permanent"); + pe.disabled = inPrivateBrowsing; + pe.checked = !inPrivateBrowsing; + + let headerDescription = document.getElementById("headerDescription"); + document.l10n.setAttributes( + headerDescription, + "add-exception-invalid-header" + ); + l10nUpdatedElements.push(headerDescription); + } else { + shortDesc = "add-exception-valid-short"; + longDesc = "add-exception-valid-long"; + gDialog.getButton("extra1").disabled = true; + document.getElementById("permanent").disabled = true; + } + + // We're done checking the certificate, so allow the user to check it again. + document.getElementById("checkCertButton").disabled = false; + document.getElementById("viewCertButton").disabled = false; + + // Notify observers about the availability of the certificate + Services.obs.notifyObservers(null, "cert-exception-ui-ready"); + } else if (gChecking) { + shortDesc = "add-exception-checking-short"; + longDesc = "add-exception-checking-long"; + // We're checking the certificate, so we disable the Get Certificate + // button to make sure that the user can't interrupt the process and + // trigger another certificate fetch. + document.getElementById("checkCertButton").disabled = true; + document.getElementById("viewCertButton").disabled = true; + gDialog.getButton("extra1").disabled = true; + document.getElementById("permanent").disabled = true; + } else { + shortDesc = "add-exception-no-cert-short"; + longDesc = "add-exception-no-cert-long"; + // We're done checking the certificate, so allow the user to check it again. + document.getElementById("checkCertButton").disabled = false; + document.getElementById("viewCertButton").disabled = true; + gDialog.getButton("extra1").disabled = true; + document.getElementById("permanent").disabled = true; + } + let statusDescription = document.getElementById("statusDescription"); + let statusLongDescription = document.getElementById("statusLongDescription"); + document.l10n.setAttributes(statusDescription, shortDesc); + document.l10n.setAttributes(statusLongDescription, longDesc); + l10nUpdatedElements.push(statusDescription); + l10nUpdatedElements.push(statusLongDescription); + + gNeedReset = true; + return l10nUpdatedElements; +} + +/** + * Handle user request to display certificate details + */ +function viewCertButtonClick() { + if (gCert) { + viewCertHelper(this, gCert); + } +} + +/** + * Handle user request to add an exception for the specified cert + */ +function addException() { + if (!gCert || !gSecInfo) { + return; + } + + var overrideService = Cc["@mozilla.org/security/certoverride;1"].getService( + Ci.nsICertOverrideService + ); + var permanentCheckbox = document.getElementById("permanent"); + var shouldStorePermanently = + permanentCheckbox.checked && !inPrivateBrowsingMode(); + var uri = getURI(); + overrideService.rememberValidityOverride( + uri.asciiHost, + uri.port, + {}, + gCert, + !shouldStorePermanently + ); + + let args = window.arguments; + if (args && args[0]) { + args[0].exceptionAdded = true; + } + + gDialog.acceptDialog(); +} + +/** + * @returns {boolean} Whether this dialog is in private browsing mode. + */ +function inPrivateBrowsingMode() { + return PrivateBrowsingUtils.isWindowPrivate(window); +} diff --git a/security/manager/pki/resources/content/exceptionDialog.xhtml b/security/manager/pki/resources/content/exceptionDialog.xhtml new file mode 100644 index 0000000000..c913c698f2 --- /dev/null +++ b/security/manager/pki/resources/content/exceptionDialog.xhtml @@ -0,0 +1,91 @@ +<?xml version="1.0"?> +<!-- This Source Code Form is subject to the terms of the Mozilla Public + - License, v. 2.0. If a copy of the MPL was not distributed with this + - file, You can obtain one at http://mozilla.org/MPL/2.0/. --> + +<!DOCTYPE window> + +<window windowtype="mozilla:exceptiondialog" + xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul" + xmlns:html="http://www.w3.org/1999/xhtml" + data-l10n-id="exception-mgr" + onload="initExceptionDialog();"> +<dialog id="exceptiondialog" + buttonidextra1="exception-mgr-extra-button" + buttons="cancel,extra1,extra2" + defaultButton="extra2"> + + <linkset> + <html:link rel="stylesheet" href="chrome://global/skin/global.css" /> + <html:link + rel="stylesheet" + href="chrome://pippki/content/exceptionDialog.css" + /> + + <html:link rel="localization" href="branding/brand.ftl"/> + <html:link rel="localization" href="security/certificates/certManager.ftl"/> + </linkset> + + <script src="chrome://global/content/globalOverlay.js"/> + <script src="chrome://global/content/editMenuOverlay.js"/> + + <script src="chrome://pippki/content/pippki.js"/> + <script src="chrome://pippki/content/exceptionDialog.js"/> + + <hbox> + <vbox> +#ifdef MOZ_WIDGET_GTK + <image src="moz-icon://stock/gtk-dialog-warning?size=dialog"/> +#else + <image src="chrome://global/skin/icons/warning-large.png"/> +#endif + <spacer flex="1"/> + </vbox> + <vbox flex="1"> + <!-- Note that because of the styling, there must be no whitespace within + the description tags --> + <description id="warningText"/> + <description id="warningSupplemental" + data-l10n-id="exception-mgr-supplemental-warning"/> + </vbox> + </hbox> + + <hbox align="center"> + <label control="locationTextBox" + id="certLocationLabel" + data-l10n-id="exception-mgr-cert-location-url"/> + <html:input id="locationTextBox" + oninput="handleTextChange();" + value="https://" + class="uri-element"/> + <button id="checkCertButton" + disabled="true" + dlgtype="extra2" + data-l10n-id="exception-mgr-cert-location-download"/> + </hbox> + + <hbox align="center"> + <description id="headerDescription" + flex="1"/> + <button id="viewCertButton" + data-l10n-id="exception-mgr-cert-status-view-cert" + disabled="true" + oncommand="viewCertButtonClick();"/> + </hbox> + <description id="statusDescription" + class="description"/> + <description id="statusLongDescription" + class="longDescription"/> + <description id="status2Description" + class="description"/> + <description id="status2LongDescription" + class="longDescription"/> + <description id="status3Description" + class="description"/> + <description id="status3LongDescription" + class="longDescription"/> + <checkbox id="permanent" + disabled="true" + data-l10n-id="exception-mgr-permanent"/> +</dialog> +</window> diff --git a/security/manager/pki/resources/content/load_device.js b/security/manager/pki/resources/content/load_device.js new file mode 100644 index 0000000000..0f77e1f1bd --- /dev/null +++ b/security/manager/pki/resources/content/load_device.js @@ -0,0 +1,75 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* import-globals-from pippki.js */ +"use strict"; + +document.addEventListener("dialogaccept", onDialogAccept); + +/** + * @file Implements the functionality of load_device.xhtml: a dialog that allows + * a PKCS #11 module to be loaded into Firefox. + */ + +async function onBrowseBtnPress() { + let fp = Cc["@mozilla.org/filepicker;1"].createInstance(Ci.nsIFilePicker); + let [loadPK11ModuleFilePickerTitle] = await document.l10n.formatValues([ + { id: "load-pk11-module-file-picker-title" }, + ]); + fp.init(window, loadPK11ModuleFilePickerTitle, Ci.nsIFilePicker.modeOpen); + fp.appendFilters(Ci.nsIFilePicker.filterAll); + fp.open(rv => { + if (rv == Ci.nsIFilePicker.returnOK) { + document.getElementById("device_path").value = fp.file.path; + } + + // This notification gets sent solely for test purposes. It should not be + // used by production code. + Services.obs.notifyObservers(window, "LoadPKCS11Module:FilePickHandled"); + }); +} + +/** + * ondialogaccept() handler. + * + * @param {object} event + * The event causing this handler function to be called. + */ +function onDialogAccept(event) { + let nameBox = document.getElementById("device_name"); + let pathBox = document.getElementById("device_path"); + let pkcs11ModuleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService( + Ci.nsIPKCS11ModuleDB + ); + + try { + pkcs11ModuleDB.addModule(nameBox.value, pathBox.value, 0, 0); + } catch (e) { + addModuleFailure("add-module-failure"); + event.preventDefault(); + } +} + +async function addModuleFailure(l10nID) { + let [AddModuleFailure] = await document.l10n.formatValues([{ id: l10nID }]); + alertPromptService(null, AddModuleFailure); +} + +function validateModuleName() { + let name = document.getElementById("device_name").value; + let helpText = document.getElementById("helpText"); + helpText.value = ""; + let dialogNode = document.querySelector("dialog"); + dialogNode.removeAttribute("buttondisabledaccept"); + if (name == "") { + document.l10n.setAttributes(helpText, "load-module-help-empty-module-name"); + dialogNode.setAttribute("buttondisabledaccept", true); + } + if (name == "Root Certs") { + document.l10n.setAttributes( + helpText, + "load-module-help-root-certs-module-name" + ); + dialogNode.setAttribute("buttondisabledaccept", true); + } +} diff --git a/security/manager/pki/resources/content/load_device.xhtml b/security/manager/pki/resources/content/load_device.xhtml new file mode 100644 index 0000000000..8963b8c177 --- /dev/null +++ b/security/manager/pki/resources/content/load_device.xhtml @@ -0,0 +1,55 @@ +<?xml version="1.0"?> +<!-- This Source Code Form is subject to the terms of the Mozilla Public + - License, v. 2.0. If a copy of the MPL was not distributed with this + - file, You can obtain one at http://mozilla.org/MPL/2.0/. --> + +<!DOCTYPE window> + +<window + xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul" + xmlns:html="http://www.w3.org/1999/xhtml" + data-l10n-id="load-device" +> + <dialog id="loaddevice" buttons="accept,cancel"> + <linkset> + <html:link rel="stylesheet" href="chrome://global/skin/global.css" /> + + <html:link + rel="localization" + href="security/certificates/deviceManager.ftl" + /> + </linkset> + + <script src="chrome://global/content/globalOverlay.js" /> + <script src="chrome://global/content/editMenuOverlay.js" /> + + <script src="chrome://pippki/content/pippki.js" /> + <script src="chrome://pippki/content/load_device.js" /> + + <html:style> + #device_name, #device_path { flex: 1; } + </html:style> + + <description data-l10n-id="load-device-info"></description> + <hbox align="center"> + <label data-l10n-id="load-device-modname" control="device_name" /> + <html:input + id="device_name" + data-l10n-id="load-device-modname-default" + data-l10n-attrs="value" + onchange="validateModuleName();" + /> + </hbox> + <hbox align="center"> + <label data-l10n-id="load-device-filename" control="device_path" /> + <html:input id="device_path" /> + <button + id="browse" + flex="1" + data-l10n-id="load-device-browse" + oncommand="onBrowseBtnPress();" + /> + </hbox> + <label id="helpText" value="" /> + </dialog> +</window> diff --git a/security/manager/pki/resources/content/pippki.js b/security/manager/pki/resources/content/pippki.js new file mode 100644 index 0000000000..8094074281 --- /dev/null +++ b/security/manager/pki/resources/content/pippki.js @@ -0,0 +1,300 @@ +/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +/* + * These are helper functions to be included + * pippki UI js files. + */ + +function setText(id, value) { + let element = document.getElementById(id); + if (!element) { + return; + } + if (element.hasChildNodes()) { + element.firstChild.remove(); + } + element.appendChild(document.createTextNode(value)); +} + +async function viewCertHelper(parent, cert, openingOption = "tab") { + if (!cert) { + return; + } + + let win = Services.wm.getMostRecentBrowserWindow(); + let results = await asyncDetermineUsages(cert); + let chain = getBestChain(results); + if (!chain) { + chain = [cert]; + } + let certs = chain.map(elem => encodeURIComponent(elem.getBase64DERString())); + let certsStringURL = certs.map(elem => `cert=${elem}`); + certsStringURL = certsStringURL.join("&"); + let url = `about:certificate?${certsStringURL}`; + let opened = win.switchToTabHavingURI(url, false, {}); + if (!opened) { + win.openTrustedLinkIn(url, openingOption); + } +} + +function getPKCS7Array(certArray) { + let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + let pkcs7String = certdb.asPKCS7Blob(certArray); + let pkcs7Array = new Uint8Array(pkcs7String.length); + for (let i = 0; i < pkcs7Array.length; i++) { + pkcs7Array[i] = pkcs7String.charCodeAt(i); + } + return pkcs7Array; +} + +function getPEMString(cert) { + var derb64 = cert.getBase64DERString(); + // Wrap the Base64 string into lines of 64 characters with CRLF line breaks + // (as specified in RFC 1421). + var wrapped = derb64.replace(/(\S{64}(?!$))/g, "$1\r\n"); + return ( + "-----BEGIN CERTIFICATE-----\r\n" + + wrapped + + "\r\n-----END CERTIFICATE-----\r\n" + ); +} + +function alertPromptService(title, message) { + // XXX Bug 1425832 - Using Services.prompt here causes tests to report memory + // leaks. + // eslint-disable-next-line mozilla/use-services + var ps = Cc["@mozilla.org/prompter;1"].getService(Ci.nsIPromptService); + ps.alert(window, title, message); +} + +const DEFAULT_CERT_EXTENSION = "crt"; + +/** + * Generates a filename for a cert suitable to set as the |defaultString| + * attribute on an Ci.nsIFilePicker. + * + * @param {nsIX509Cert} cert + * The cert to generate a filename for. + * @returns {string} + * Generated filename. + */ +function certToFilename(cert) { + let filename = cert.displayName; + + // Remove unneeded and/or unsafe characters. + filename = filename + .replace(/\s/g, "") + .replace(/\./g, "_") + .replace(/\\/g, "") + .replace(/\//g, ""); + + // Ci.nsIFilePicker.defaultExtension is more of a suggestion to some + // implementations, so we include the extension in the file name as well. This + // is what the documentation for Ci.nsIFilePicker.defaultString says we should do + // anyways. + return `${filename}.${DEFAULT_CERT_EXTENSION}`; +} + +async function exportToFile(parent, cert) { + if (!cert) { + return; + } + + let results = await asyncDetermineUsages(cert); + let chain = getBestChain(results); + if (!chain) { + chain = [cert]; + } + + let formats = { + base64: "*.crt; *.pem", + "base64-chain": "*.crt; *.pem", + der: "*.der", + pkcs7: "*.p7c", + "pkcs7-chain": "*.p7c", + }; + let [saveCertAs, ...formatLabels] = await document.l10n.formatValues( + ["save-cert-as", ...Object.keys(formats).map(f => "cert-format-" + f)].map( + id => ({ id }) + ) + ); + + var fp = Cc["@mozilla.org/filepicker;1"].createInstance(Ci.nsIFilePicker); + fp.init(parent, saveCertAs, Ci.nsIFilePicker.modeSave); + fp.defaultString = certToFilename(cert); + fp.defaultExtension = DEFAULT_CERT_EXTENSION; + for (let format of Object.values(formats)) { + fp.appendFilter(formatLabels.shift(), format); + } + fp.appendFilters(Ci.nsIFilePicker.filterAll); + let filePickerResult = await new Promise(resolve => { + fp.open(resolve); + }); + + if ( + filePickerResult != Ci.nsIFilePicker.returnOK && + filePickerResult != Ci.nsIFilePicker.returnReplace + ) { + return; + } + + var content = ""; + switch (fp.filterIndex) { + case 1: + content = getPEMString(cert); + for (let i = 1; i < chain.length; i++) { + content += getPEMString(chain[i]); + } + break; + case 2: + // IOUtils.write requires a typed array. + // nsIX509Cert.getRawDER() returns an array (not a typed array), so we + // convert it here. + content = Uint8Array.from(cert.getRawDER()); + break; + case 3: + // getPKCS7Array returns a typed array already, so no conversion is + // necessary. + content = getPKCS7Array([cert]); + break; + case 4: + content = getPKCS7Array(chain); + break; + case 0: + default: + content = getPEMString(cert); + break; + } + + if (typeof content === "string") { + content = new TextEncoder().encode(content); + } + + try { + await IOUtils.write(fp.file.path, content); + } catch (ex) { + let title = await document.l10n.formatValue("write-file-failure"); + alertPromptService(title, ex.toString()); + } + if (Cu.isInAutomation) { + Services.obs.notifyObservers(null, "cert-export-finished"); + } +} + +const PRErrorCodeSuccess = 0; + +// Certificate usages we care about in the certificate viewer. +const certificateUsageSSLClient = 0x0001; +const certificateUsageSSLServer = 0x0002; +const certificateUsageSSLCA = 0x0008; +const certificateUsageEmailSigner = 0x0010; +const certificateUsageEmailRecipient = 0x0020; + +// A map from the name of a certificate usage to the value of the usage. +// Useful for printing debugging information and for enumerating all supported +// usages. +const certificateUsages = { + certificateUsageSSLClient, + certificateUsageSSLServer, + certificateUsageSSLCA, + certificateUsageEmailSigner, + certificateUsageEmailRecipient, +}; + +/** + * Returns a promise that will resolve with a results array consisting of what + * usages the given certificate successfully verified for. + * + * @param {nsIX509Cert} cert + * The certificate to determine valid usages for. + * @returns {Promise} + * A promise that will resolve with the results of the verifications. + */ +function asyncDetermineUsages(cert) { + let promises = []; + let now = Date.now() / 1000; + let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + Object.keys(certificateUsages).forEach(usageString => { + promises.push( + new Promise((resolve, reject) => { + let usage = certificateUsages[usageString]; + certdb.asyncVerifyCertAtTime( + cert, + usage, + 0, + null, + now, + (aPRErrorCode, aVerifiedChain, aHasEVPolicy) => { + resolve({ + usageString, + errorCode: aPRErrorCode, + chain: aVerifiedChain, + }); + } + ); + }) + ); + }); + return Promise.all(promises); +} + +/** + * Given a results array, returns the "best" verified certificate chain. Since + * the primary use case is for TLS server certificates in Firefox, such a + * verified chain will be returned if present. Otherwise, the priority is: TLS + * client certificate, email signer, email recipient, CA. Returns null if no + * usage verified successfully. + * + * @param {Array} results + * An array of results from `asyncDetermineUsages`. See `displayUsages`. + * @returns {Array} An array of `nsIX509Cert` representing the verified + * certificate chain for the given usage, or null if there is none. + */ +function getBestChain(results) { + let usages = [ + certificateUsageSSLServer, + certificateUsageSSLClient, + certificateUsageEmailSigner, + certificateUsageEmailRecipient, + certificateUsageSSLCA, + ]; + for (let usage of usages) { + let chain = getChainForUsage(results, usage); + if (chain) { + return chain; + } + } + return null; +} + +/** + * Given a results array, returns the chain corresponding to the desired usage, + * if verifying for that usage succeeded. Returns null otherwise. + * + * @param {Array} results + * An array of results from `asyncDetermineUsages`. See `displayUsages`. + * @param {number} usage + * A numerical value corresponding to a usage. See `certificateUsages`. + * @returns {Array} An array of `nsIX509Cert` representing the verified + * certificate chain for the given usage, or null if there is none. + */ +function getChainForUsage(results, usage) { + for (let result of results) { + if ( + certificateUsages[result.usageString] == usage && + result.errorCode == PRErrorCodeSuccess + ) { + return result.chain; + } + } + return null; +} diff --git a/security/manager/pki/resources/content/resetpassword.js b/security/manager/pki/resources/content/resetpassword.js new file mode 100644 index 0000000000..30db349794 --- /dev/null +++ b/security/manager/pki/resources/content/resetpassword.js @@ -0,0 +1,28 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* import-globals-from pippki.js */ +"use strict"; + +document.addEventListener("dialogaccept", resetPassword); + +function resetPassword() { + var pk11db = Cc["@mozilla.org/security/pk11tokendb;1"].getService( + Ci.nsIPK11TokenDB + ); + var token = pk11db.getInternalKeyToken(); + token.reset(); + + try { + Services.logins.removeAllUserFacingLogins(); + } catch (e) {} + + let l10n = new Localization(["security/pippki/pippki.ftl"], true); + if (l10n) { + Services.prompt.alert( + window, + l10n.formatValueSync("pippki-reset-password-confirmation-title"), + l10n.formatValueSync("pippki-reset-password-confirmation-message") + ); + } +} diff --git a/security/manager/pki/resources/content/resetpassword.xhtml b/security/manager/pki/resources/content/resetpassword.xhtml new file mode 100644 index 0000000000..c473654da4 --- /dev/null +++ b/security/manager/pki/resources/content/resetpassword.xhtml @@ -0,0 +1,49 @@ +<?xml version="1.0"?> +<!-- This Source Code Form is subject to the terms of the Mozilla Public + - License, v. 2.0. If a copy of the MPL was not distributed with this + - file, You can obtain one at http://mozilla.org/MPL/2.0/. --> + +<!DOCTYPE window> + +<window + data-l10n-id="reset-primary-password-window2" + data-l10n-attrs="title, style" + xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul" + xmlns:html="http://www.w3.org/1999/xhtml" +> + <dialog + id="reset_password" + buttons="accept,cancel" + buttonidaccept="reset-password-button-label" + defaultButton="cancel" + > + <linkset> + <html:link rel="stylesheet" href="chrome://global/skin/global.css" /> + + <html:link rel="localization" href="security/pippki/pippki.ftl" /> + </linkset> + + <stringbundle + id="pippki_bundle" + src="chrome://pippki/locale/pippki.properties" + /> + + <script src="chrome://pippki/content/pippki.js" /> + <script src="chrome://pippki/content/resetpassword.js" /> + + <hbox flex="1"> + <vbox> + <image class="alert-icon" style="margin: 5px" /> + </vbox> + <vbox style="margin: 5px" flex="1"> + <hbox flex="1"> + <vbox flex="1"> + <description + data-l10n-id="reset-primary-password-text" + ></description> + </vbox> + </hbox> + </vbox> + </hbox> + </dialog> +</window> diff --git a/security/manager/pki/resources/content/setp12password.js b/security/manager/pki/resources/content/setp12password.js new file mode 100644 index 0000000000..14200c36ce --- /dev/null +++ b/security/manager/pki/resources/content/setp12password.js @@ -0,0 +1,127 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +/** + * @file Implements the functionality of setp12password.xhtml: a dialog that lets + * the user confirm the password to set on a PKCS #12 file. + * @param {nsISupports} window.arguments.0 + * Object to set the return values of calling the dialog on, queryable + * to the underlying type of SetP12PasswordReturnValues. + */ + +/** + * @typedef SetP12PasswordReturnValues + * @type {nsIWritablePropertyBag2} + * @property {boolean} confirmedPassword + * Set to true if the user entered two matching passwords and + * confirmed the dialog. + * @property {string} password + * The password the user entered. Undefined value if + * |confirmedPassword| is not true. + */ + +/** + * onload() handler. + */ +function onLoad() { + // Ensure the first password textbox has focus. + document.getElementById("pw1").focus(); + document.addEventListener("dialogaccept", onDialogAccept); + document.addEventListener("dialogcancel", onDialogCancel); +} + +/** + * ondialogaccept() handler. + */ +function onDialogAccept() { + let password = document.getElementById("pw1").value; + + let retVals = window.arguments[0].QueryInterface(Ci.nsIWritablePropertyBag2); + retVals.setPropertyAsBool("confirmedPassword", true); + retVals.setPropertyAsAString("password", password); +} + +/** + * ondialogcancel() handler. + */ +function onDialogCancel() { + let retVals = window.arguments[0].QueryInterface(Ci.nsIWritablePropertyBag2); + retVals.setPropertyAsBool("confirmedPassword", false); +} + +/** + * Calculates the strength of the given password, suitable for use in updating + * a progress bar that represents said strength. + * + * The strength of the password is calculated by checking the number of: + * - Characters + * - Numbers + * - Non-alphanumeric chars + * - Upper case characters + * + * @param {string} password + * The password to calculate the strength of. + * @returns {number} + * The strength of the password in the range [0, 100]. + */ +function getPasswordStrength(password) { + let lengthStrength = password.length; + if (lengthStrength > 5) { + lengthStrength = 5; + } + + let nonNumericChars = password.replace(/[0-9]/g, ""); + let numericStrength = password.length - nonNumericChars.length; + if (numericStrength > 3) { + numericStrength = 3; + } + + let nonSymbolChars = password.replace(/\W/g, ""); + let symbolStrength = password.length - nonSymbolChars.length; + if (symbolStrength > 3) { + symbolStrength = 3; + } + + let nonUpperAlphaChars = password.replace(/[A-Z]/g, ""); + let upperAlphaStrength = password.length - nonUpperAlphaChars.length; + if (upperAlphaStrength > 3) { + upperAlphaStrength = 3; + } + + let strength = + lengthStrength * 10 - + 20 + + numericStrength * 10 + + symbolStrength * 15 + + upperAlphaStrength * 10; + if (strength < 0) { + strength = 0; + } + if (strength > 100) { + strength = 100; + } + + return strength; +} + +/** + * oninput() handler for both password textboxes. + * + * @param {boolean} recalculatePasswordStrength + * Whether to recalculate the strength of the first password. + */ +function onPasswordInput(recalculatePasswordStrength) { + let pw1 = document.getElementById("pw1").value; + + if (recalculatePasswordStrength) { + document.getElementById("pwmeter").value = getPasswordStrength(pw1); + } + + // Disable the accept button if the two passwords don't match, and enable it + // if the passwords do match. + let pw2 = document.getElementById("pw2").value; + document.getElementById("setp12password").getButton("accept").disabled = + pw1 != pw2; +} diff --git a/security/manager/pki/resources/content/setp12password.xhtml b/security/manager/pki/resources/content/setp12password.xhtml new file mode 100644 index 0000000000..5f43a1e811 --- /dev/null +++ b/security/manager/pki/resources/content/setp12password.xhtml @@ -0,0 +1,56 @@ +<?xml version="1.0"?> +<!-- This Source Code Form is subject to the terms of the Mozilla Public + - License, v. 2.0. If a copy of the MPL was not distributed with this + - file, You can obtain one at http://mozilla.org/MPL/2.0/. --> + +<!DOCTYPE window> + +<window + data-l10n-id="set-password-window" + xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul" + xmlns:html="http://www.w3.org/1999/xhtml" + style="width: 48em" + onload="onLoad();" +> + <dialog id="setp12password" buttons="accept,cancel"> + <linkset> + <html:link rel="stylesheet" href="chrome://global/skin/global.css" /> + + <html:link rel="localization" href="security/pippki/pippki.ftl" /> + </linkset> + + <script src="chrome://global/content/globalOverlay.js" /> + <script src="chrome://global/content/editMenuOverlay.js" /> + + <script src="chrome://pippki/content/setp12password.js" /> + + <description data-l10n-id="set-password-message"></description> + <separator /> + <vbox> + <hbox class="input-row"> + <label flex="1" data-l10n-id="set-password-backup-pw" /> + <html:input id="pw1" type="password" oninput="onPasswordInput(true);" /> + </hbox> + <hbox class="input-row"> + <label flex="1" data-l10n-id="set-password-repeat-backup-pw" /> + <html:input + id="pw2" + type="password" + oninput="onPasswordInput(false);" + /> + </hbox> + </vbox> + <separator /> + <description data-l10n-id="set-password-reminder"></description> + <separator /> + + <vbox style="margin: 6px"> + <html:label + for="pwmeter" + style="display: flex" + data-l10n-id="password-quality-meter" + ></html:label> + <html:progress id="pwmeter" value="0" max="100" /> + </vbox> + </dialog> +</window> diff --git a/security/manager/pki/resources/jar.mn b/security/manager/pki/resources/jar.mn new file mode 100644 index 0000000000..15e808ae19 --- /dev/null +++ b/security/manager/pki/resources/jar.mn @@ -0,0 +1,33 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +pippki.jar: +% content pippki %content/pippki/ + content/pippki/certManager.js (content/certManager.js) + content/pippki/certManager.css (content/certManager.css) + content/pippki/certManager.xhtml (content/certManager.xhtml) + content/pippki/changepassword.js (content/changepassword.js) + content/pippki/changepassword.xhtml (content/changepassword.xhtml) + content/pippki/clientauthask.css (content/clientauthask.css) + content/pippki/clientauthask.js (content/clientauthask.js) + content/pippki/clientauthask.xhtml (content/clientauthask.xhtml) + content/pippki/deletecert.js (content/deletecert.js) + content/pippki/deletecert.css (content/deletecert.css) + content/pippki/deletecert.xhtml (content/deletecert.xhtml) + content/pippki/device_manager.js (content/device_manager.js) + content/pippki/device_manager.xhtml (content/device_manager.xhtml) + content/pippki/downloadcert.js (content/downloadcert.js) + content/pippki/downloadcert.xhtml (content/downloadcert.xhtml) + content/pippki/editcacert.js (content/editcacert.js) + content/pippki/editcacert.xhtml (content/editcacert.xhtml) + content/pippki/exceptionDialog.css (content/exceptionDialog.css) + content/pippki/exceptionDialog.js (content/exceptionDialog.js) +* content/pippki/exceptionDialog.xhtml (content/exceptionDialog.xhtml) + content/pippki/load_device.js (content/load_device.js) + content/pippki/load_device.xhtml (content/load_device.xhtml) + content/pippki/pippki.js (content/pippki.js) + content/pippki/resetpassword.js (content/resetpassword.js) + content/pippki/resetpassword.xhtml (content/resetpassword.xhtml) + content/pippki/setp12password.js (content/setp12password.js) + content/pippki/setp12password.xhtml (content/setp12password.xhtml) diff --git a/security/manager/pki/resources/moz.build b/security/manager/pki/resources/moz.build new file mode 100644 index 0000000000..d988c0ff9b --- /dev/null +++ b/security/manager/pki/resources/moz.build @@ -0,0 +1,7 @@ +# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*- +# vim: set filetype=python: +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +JAR_MANIFESTS += ["jar.mn"] diff --git a/security/manager/ssl/AppSignatureVerification.cpp b/security/manager/ssl/AppSignatureVerification.cpp new file mode 100644 index 0000000000..399516dd9c --- /dev/null +++ b/security/manager/ssl/AppSignatureVerification.cpp @@ -0,0 +1,1410 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsNSSCertificateDB.h" + +#include "AppTrustDomain.h" +#include "CryptoTask.h" +#include "NSSCertDBTrustDomain.h" +#include "ScopedNSSTypes.h" +#include "SharedCertVerifier.h" +#include "certdb.h" +#include "cms.h" +#include "cosec.h" +#include "mozilla/Base64.h" +#include "mozilla/Casting.h" +#include "mozilla/Logging.h" +#include "mozilla/Preferences.h" +#include "mozilla/RefPtr.h" +#include "mozilla/UniquePtr.h" +#include "mozilla/Unused.h" +#include "nsCOMPtr.h" +#include "nsComponentManagerUtils.h" +#include "nsDependentString.h" +#include "nsHashKeys.h" +#include "nsIFile.h" +#include "nsIInputStream.h" +#include "nsIStringEnumerator.h" +#include "nsIZipReader.h" +#include "nsNSSCertificate.h" +#include "nsNetUtil.h" +#include "nsProxyRelease.h" +#include "nsString.h" +#include "nsTHashtable.h" +#include "mozpkix/pkix.h" +#include "mozpkix/pkixnss.h" +#include "mozpkix/pkixutil.h" +#include "secerr.h" +#include "secmime.h" + +using namespace mozilla::pkix; +using namespace mozilla; +using namespace mozilla::psm; + +extern mozilla::LazyLogModule gPIPNSSLog; + +namespace { + +// A convenient way to pair the bytes of a digest with the algorithm that +// purportedly produced those bytes. Only SHA-1 and SHA-256 are supported. +struct DigestWithAlgorithm { + nsresult ValidateLength() const { + size_t hashLen; + switch (mAlgorithm) { + case SEC_OID_SHA256: + hashLen = SHA256_LENGTH; + break; + case SEC_OID_SHA1: + hashLen = SHA1_LENGTH; + break; + default: + MOZ_ASSERT_UNREACHABLE( + "unsupported hash type in DigestWithAlgorithm::ValidateLength"); + return NS_ERROR_FAILURE; + } + if (mDigest.Length() != hashLen) { + return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID; + } + return NS_OK; + } + + nsAutoCString mDigest; + SECOidTag mAlgorithm; +}; + +// The digest must have a lifetime greater than or equal to the returned string. +inline nsDependentCSubstring DigestToDependentString( + nsTArray<uint8_t>& digest) { + return nsDependentCSubstring(BitwiseCast<char*, uint8_t*>(digest.Elements()), + digest.Length()); +} + +// Reads a maximum of 8MB from a stream into the supplied buffer. +// The reason for the 8MB limit is because this function is used to read +// signature-related files and we want to avoid OOM. The uncompressed length of +// an entry can be hundreds of times larger than the compressed version, +// especially if someone has specifically crafted the entry to cause OOM or to +// consume massive amounts of disk space. +// +// @param stream The input stream to read from. +// @param buf The buffer that we read the stream into, which must have +// already been allocated. +nsresult ReadStream(const nsCOMPtr<nsIInputStream>& stream, + /*out*/ SECItem& buf) { + // The size returned by Available() might be inaccurate so we need + // to check that Available() matches up with the actual length of + // the file. + uint64_t length; + nsresult rv = stream->Available(&length); + if (NS_WARN_IF(NS_FAILED(rv))) { + return rv; + } + + // Cap the maximum accepted size of signature-related files at 8MB (which + // should be much larger than necessary for our purposes) to avoid OOM. + static const uint32_t MAX_LENGTH = 8 * 1000 * 1000; + if (length > MAX_LENGTH) { + return NS_ERROR_FILE_TOO_BIG; + } + + // With bug 164695 in mind we +1 to leave room for null-terminating + // the buffer. + SECITEM_AllocItem(buf, static_cast<uint32_t>(length + 1)); + + // buf.len == length + 1. We attempt to read length + 1 bytes + // instead of length, so that we can check whether the metadata for + // the entry is incorrect. + uint32_t bytesRead; + rv = stream->Read(BitwiseCast<char*, unsigned char*>(buf.data), buf.len, + &bytesRead); + if (NS_WARN_IF(NS_FAILED(rv))) { + return rv; + } + if (bytesRead != length) { + return NS_ERROR_FILE_CORRUPTED; + } + + buf.data[buf.len - 1] = 0; // null-terminate + + return NS_OK; +} + +// Finds exactly one (signature metadata) JAR entry that matches the given +// search pattern, and then loads it. Fails if there are no matches or if +// there is more than one match. If bufDigest is not null then on success +// bufDigest will contain the digeset of the entry using the given digest +// algorithm. +nsresult FindAndLoadOneEntry( + nsIZipReader* zip, const nsACString& searchPattern, + /*out*/ nsACString& filename, + /*out*/ SECItem& buf, + /*optional, in*/ SECOidTag digestAlgorithm = SEC_OID_SHA1, + /*optional, out*/ nsTArray<uint8_t>* bufDigest = nullptr) { + nsCOMPtr<nsIUTF8StringEnumerator> files; + nsresult rv = zip->FindEntries(searchPattern, getter_AddRefs(files)); + if (NS_FAILED(rv) || !files) { + return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID; + } + + bool more; + rv = files->HasMore(&more); + NS_ENSURE_SUCCESS(rv, rv); + if (!more) { + return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID; + } + + rv = files->GetNext(filename); + NS_ENSURE_SUCCESS(rv, rv); + + // Check if there is more than one match, if so then error! + rv = files->HasMore(&more); + NS_ENSURE_SUCCESS(rv, rv); + if (more) { + return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID; + } + + nsCOMPtr<nsIInputStream> stream; + rv = zip->GetInputStream(filename, getter_AddRefs(stream)); + NS_ENSURE_SUCCESS(rv, rv); + + rv = ReadStream(stream, buf); + if (NS_WARN_IF(NS_FAILED(rv))) { + return NS_ERROR_SIGNED_JAR_ENTRY_INVALID; + } + + if (bufDigest) { + rv = Digest::DigestBuf(digestAlgorithm, + Span<uint8_t>{buf.data, buf.len - 1}, *bufDigest); + NS_ENSURE_SUCCESS(rv, rv); + } + + return NS_OK; +} + +// Verify the digest of an entry. We avoid loading the entire entry into memory +// at once, which would require memory in proportion to the size of the largest +// entry. Instead, we require only a small, fixed amount of memory. +// +// @param stream an input stream from a JAR entry or file depending on whether +// it is from a signed archive or unpacked into a directory +// @param digestFromManifest The digest that we're supposed to check the file's +// contents against, from the manifest +// @param buf A scratch buffer that we use for doing the I/O, which must have +// already been allocated. The size of this buffer is the unit +// size of our I/O. +nsresult VerifyStreamContentDigest( + nsIInputStream* stream, const DigestWithAlgorithm& digestFromManifest, + SECItem& buf) { + MOZ_ASSERT(buf.len > 0); + nsresult rv = digestFromManifest.ValidateLength(); + if (NS_FAILED(rv)) { + return rv; + } + + uint64_t len64; + rv = stream->Available(&len64); + NS_ENSURE_SUCCESS(rv, rv); + if (len64 > UINT32_MAX) { + return NS_ERROR_SIGNED_JAR_ENTRY_TOO_LARGE; + } + + Digest digest; + + rv = digest.Begin(digestFromManifest.mAlgorithm); + NS_ENSURE_SUCCESS(rv, rv); + + uint64_t totalBytesRead = 0; + for (;;) { + uint32_t bytesRead; + rv = stream->Read(BitwiseCast<char*, unsigned char*>(buf.data), buf.len, + &bytesRead); + NS_ENSURE_SUCCESS(rv, rv); + + if (bytesRead == 0) { + break; // EOF + } + + totalBytesRead += bytesRead; + if (totalBytesRead >= UINT32_MAX) { + return NS_ERROR_SIGNED_JAR_ENTRY_TOO_LARGE; + } + + rv = digest.Update(buf.data, bytesRead); + NS_ENSURE_SUCCESS(rv, rv); + } + + if (totalBytesRead != len64) { + // The metadata we used for Available() doesn't match the actual size of + // the entry. + return NS_ERROR_SIGNED_JAR_ENTRY_INVALID; + } + + // Verify that the digests match. + nsTArray<uint8_t> outArray; + rv = digest.End(outArray); + NS_ENSURE_SUCCESS(rv, rv); + + nsDependentCSubstring digestStr(DigestToDependentString(outArray)); + if (!digestStr.Equals(digestFromManifest.mDigest)) { + return NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY; + } + + return NS_OK; +} + +nsresult VerifyEntryContentDigest(nsIZipReader* zip, + const nsACString& aFilename, + const DigestWithAlgorithm& digestFromManifest, + SECItem& buf) { + nsCOMPtr<nsIInputStream> stream; + nsresult rv = zip->GetInputStream(aFilename, getter_AddRefs(stream)); + if (NS_FAILED(rv)) { + return NS_ERROR_SIGNED_JAR_ENTRY_MISSING; + } + + return VerifyStreamContentDigest(stream, digestFromManifest, buf); +} + +// On input, nextLineStart is the start of the current line. On output, +// nextLineStart is the start of the next line. +nsresult ReadLine(/*in/out*/ const char*& nextLineStart, + /*out*/ nsCString& line, bool allowContinuations = true) { + line.Truncate(); + size_t previousLength = 0; + size_t currentLength = 0; + for (;;) { + const char* eol = strpbrk(nextLineStart, "\r\n"); + + if (!eol) { // Reached end of file before newline + eol = nextLineStart + strlen(nextLineStart); + } + + previousLength = currentLength; + line.Append(nextLineStart, eol - nextLineStart); + currentLength = line.Length(); + + // The spec says "No line may be longer than 72 bytes (not characters)" + // in its UTF8-encoded form. + static const size_t lineLimit = 72; + if (currentLength - previousLength > lineLimit) { + return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID; + } + + // The spec says: "Implementations should support 65535-byte + // (not character) header values..." + if (currentLength > 65535) { + return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID; + } + + if (*eol == '\r') { + ++eol; + } + if (*eol == '\n') { + ++eol; + } + + nextLineStart = eol; + + if (*eol != ' ') { + // not a continuation + return NS_OK; + } + + // continuation + if (!allowContinuations) { + return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID; + } + + ++nextLineStart; // skip space and keep appending + } +} + +// The header strings are defined in the JAR specification. +#define JAR_MF_SEARCH_STRING "(M|/M)ETA-INF/(M|m)(ANIFEST|anifest).(MF|mf)$" +#define JAR_COSE_MF_SEARCH_STRING "(M|/M)ETA-INF/cose.manifest$" +#define JAR_SF_SEARCH_STRING "(M|/M)ETA-INF/*.(SF|sf)$" +#define JAR_RSA_SEARCH_STRING "(M|/M)ETA-INF/*.(RSA|rsa)$" +#define JAR_COSE_SEARCH_STRING "(M|/M)ETA-INF/cose.sig$" +#define JAR_META_DIR "META-INF" +#define JAR_MF_HEADER "Manifest-Version: 1.0" +#define JAR_SF_HEADER "Signature-Version: 1.0" + +nsresult ParseAttribute(const nsAutoCString& curLine, + /*out*/ nsAutoCString& attrName, + /*out*/ nsAutoCString& attrValue) { + // Find the colon that separates the name from the value. + int32_t colonPos = curLine.FindChar(':'); + if (colonPos == kNotFound) { + return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID; + } + + // set attrName to the name, skipping spaces between the name and colon + int32_t nameEnd = colonPos; + for (;;) { + if (nameEnd == 0) { + return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID; // colon with no name + } + if (curLine[nameEnd - 1] != ' ') break; + --nameEnd; + } + curLine.Left(attrName, nameEnd); + + // Set attrValue to the value, skipping spaces between the colon and the + // value. The value may be empty. + int32_t valueStart = colonPos + 1; + int32_t curLineLength = curLine.Length(); + while (valueStart != curLineLength && curLine[valueStart] == ' ') { + ++valueStart; + } + curLine.Right(attrValue, curLineLength - valueStart); + + return NS_OK; +} + +// Parses the version line of the MF or SF header. +nsresult CheckManifestVersion(const char*& nextLineStart, + const nsACString& expectedHeader) { + // The JAR spec says: "Manifest-Version and Signature-Version must be first, + // and in exactly that case (so that they can be recognized easily as magic + // strings)." + nsAutoCString curLine; + nsresult rv = ReadLine(nextLineStart, curLine, false); + if (NS_FAILED(rv)) { + return rv; + } + if (!curLine.Equals(expectedHeader)) { + return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID; + } + return NS_OK; +} + +// Parses a signature file (SF) based on the JDK 8 JAR Specification. +// +// The SF file must contain a SHA*-Digest-Manifest attribute in the main +// section (where the * is either 1 or 256, depending on the given digest +// algorithm). All other sections are ignored. This means that this will NOT +// parse old-style signature files that have separate digests per entry. +// The JDK8 x-Digest-Manifest variant is better because: +// +// (1) It allows us to follow the principle that we should minimize the +// processing of data that we do before we verify its signature. In +// particular, with the x-Digest-Manifest style, we can verify the digest +// of MANIFEST.MF before we parse it, which prevents malicious JARs +// exploiting our MANIFEST.MF parser. +// (2) It is more time-efficient and space-efficient to have one +// x-Digest-Manifest instead of multiple x-Digest values. +// +// filebuf must be null-terminated. On output, mfDigest will contain the +// decoded value of the appropriate SHA*-DigestManifest, if found. +nsresult ParseSF(const char* filebuf, SECOidTag digestAlgorithm, + /*out*/ nsAutoCString& mfDigest) { + const char* digestNameToFind = nullptr; + switch (digestAlgorithm) { + case SEC_OID_SHA256: + digestNameToFind = "sha256-digest-manifest"; + break; + case SEC_OID_SHA1: + digestNameToFind = "sha1-digest-manifest"; + break; + default: + MOZ_ASSERT_UNREACHABLE("bad argument to ParseSF"); + return NS_ERROR_FAILURE; + } + + const char* nextLineStart = filebuf; + nsresult rv = + CheckManifestVersion(nextLineStart, nsLiteralCString(JAR_SF_HEADER)); + if (NS_FAILED(rv)) { + return rv; + } + + for (;;) { + nsAutoCString curLine; + rv = ReadLine(nextLineStart, curLine); + if (NS_FAILED(rv)) { + return rv; + } + + if (curLine.Length() == 0) { + // End of main section (blank line or end-of-file). We didn't find the + // SHA*-Digest-Manifest we were looking for. + return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID; + } + + nsAutoCString attrName; + nsAutoCString attrValue; + rv = ParseAttribute(curLine, attrName, attrValue); + if (NS_FAILED(rv)) { + return rv; + } + + if (attrName.EqualsIgnoreCase(digestNameToFind)) { + rv = Base64Decode(attrValue, mfDigest); + if (NS_FAILED(rv)) { + return rv; + } + + // There could be multiple SHA*-Digest-Manifest attributes, which + // would be an error, but it's better to just skip any erroneous + // duplicate entries rather than trying to detect them, because: + // + // (1) It's simpler, and simpler generally means more secure + // (2) An attacker can't make us accept a JAR we would otherwise + // reject just by adding additional SHA*-Digest-Manifest + // attributes. + return NS_OK; + } + + // ignore unrecognized attributes + } + + MOZ_ASSERT_UNREACHABLE("somehow exited loop in ParseSF without returning"); + return NS_ERROR_FAILURE; +} + +// Parses MANIFEST.MF. The filenames of all entries will be returned in +// mfItems. buf must be a pre-allocated scratch buffer that is used for doing +// I/O. Each file's contents are verified against the entry in the manifest with +// the digest algorithm that matches the given one. This algorithm comes from +// the signature file. If the signature file has a SHA-256 digest, then SHA-256 +// entries must be present in the manifest file. If the signature file only has +// a SHA-1 digest, then only SHA-1 digests will be used in the manifest file. +nsresult ParseMF(const char* filebuf, nsIZipReader* zip, + SECOidTag digestAlgorithm, + /*out*/ nsTHashtable<nsCStringHashKey>& mfItems, + ScopedAutoSECItem& buf) { + const char* digestNameToFind = nullptr; + switch (digestAlgorithm) { + case SEC_OID_SHA256: + digestNameToFind = "sha256-digest"; + break; + case SEC_OID_SHA1: + digestNameToFind = "sha1-digest"; + break; + default: + MOZ_ASSERT_UNREACHABLE("bad argument to ParseMF"); + return NS_ERROR_FAILURE; + } + + const char* nextLineStart = filebuf; + nsresult rv = + CheckManifestVersion(nextLineStart, nsLiteralCString(JAR_MF_HEADER)); + if (NS_FAILED(rv)) { + return rv; + } + + // Skip the rest of the header section, which ends with a blank line. + { + nsAutoCString line; + do { + rv = ReadLine(nextLineStart, line); + if (NS_FAILED(rv)) { + return rv; + } + } while (line.Length() > 0); + + // Manifest containing no file entries is OK, though useless. + if (*nextLineStart == '\0') { + return NS_OK; + } + } + + nsAutoCString curItemName; + nsAutoCString digest; + + for (;;) { + nsAutoCString curLine; + rv = ReadLine(nextLineStart, curLine); + if (NS_FAILED(rv)) { + return rv; + } + + if (curLine.Length() == 0) { + // end of section (blank line or end-of-file) + + if (curItemName.Length() == 0) { + // '...Each section must start with an attribute with the name as + // "Name",...', so every section must have a Name attribute. + return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID; + } + + if (digest.IsEmpty()) { + // We require every entry to have a digest, since we require every + // entry to be signed and we don't allow duplicate entries. + return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID; + } + + if (mfItems.Contains(curItemName)) { + // Duplicate entry + return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID; + } + + // Verify that the entry's content digest matches the digest from this + // MF section. + DigestWithAlgorithm digestWithAlgorithm = {digest, digestAlgorithm}; + rv = VerifyEntryContentDigest(zip, curItemName, digestWithAlgorithm, buf); + if (NS_FAILED(rv)) { + return rv; + } + + mfItems.PutEntry(curItemName); + + if (*nextLineStart == '\0') { + // end-of-file + break; + } + + // reset so we know we haven't encountered either of these for the next + // item yet. + curItemName.Truncate(); + digest.Truncate(); + + continue; // skip the rest of the loop below + } + + nsAutoCString attrName; + nsAutoCString attrValue; + rv = ParseAttribute(curLine, attrName, attrValue); + if (NS_FAILED(rv)) { + return rv; + } + + // Lines to look for: + + // (1) Digest: + if (attrName.EqualsIgnoreCase(digestNameToFind)) { + if (!digest.IsEmpty()) { // multiple SHA* digests in section + return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID; + } + + rv = Base64Decode(attrValue, digest); + if (NS_FAILED(rv)) { + return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID; + } + + continue; + } + + // (2) Name: associates this manifest section with a file in the jar. + if (attrName.LowerCaseEqualsLiteral("name")) { + if (MOZ_UNLIKELY(curItemName.Length() > 0)) // multiple names in section + return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID; + + if (MOZ_UNLIKELY(attrValue.Length() == 0)) + return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID; + + curItemName = attrValue; + + continue; + } + + // (3) Magic: the only other must-understand attribute + if (attrName.LowerCaseEqualsLiteral("magic")) { + // We don't understand any magic, so we can't verify an entry that + // requires magic. Since we require every entry to have a valid + // signature, we have no choice but to reject the entry. + return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID; + } + + // unrecognized attributes must be ignored + } + + return NS_OK; +} + +nsresult VerifyCertificate(Span<const uint8_t> signerCert, + AppTrustedRoot trustedRoot, + nsTArray<Span<const uint8_t>>&& collectedCerts) { + AppTrustDomain trustDomain(std::move(collectedCerts)); + nsresult rv = trustDomain.SetTrustedRoot(trustedRoot); + if (NS_FAILED(rv)) { + return rv; + } + Input certDER; + mozilla::pkix::Result result = + certDER.Init(signerCert.Elements(), signerCert.Length()); + if (result != Success) { + return mozilla::psm::GetXPCOMFromNSSError(MapResultToPRErrorCode(result)); + } + + result = BuildCertChain( + trustDomain, certDER, Now(), EndEntityOrCA::MustBeEndEntity, + KeyUsage::digitalSignature, KeyPurposeId::id_kp_codeSigning, + CertPolicyId::anyPolicy, nullptr /*stapledOCSPResponse*/); + if (result == mozilla::pkix::Result::ERROR_EXPIRED_CERTIFICATE || + result == mozilla::pkix::Result::ERROR_NOT_YET_VALID_CERTIFICATE) { + // For code-signing you normally need trusted 3rd-party timestamps to + // handle expiration properly. The signer could always mess with their + // system clock so you can't trust the certificate was un-expired when + // the signing took place. The choice is either to ignore expiration + // or to enforce expiration at time of use. The latter leads to the + // user-hostile result that perfectly good code stops working. + // + // Our package format doesn't support timestamps (nor do we have a + // trusted 3rd party timestamper), but since we sign all of our apps and + // add-ons ourselves we can trust ourselves not to mess with the clock + // on the signing systems. We also have a revocation mechanism if we + // need it. Under these conditions it's OK to ignore cert errors related + // to time validity (expiration and "not yet valid"). + // + // This is an invalid approach if + // * we issue certs to let others sign their own packages + // * mozilla::pkix returns "expired" when there are "worse" problems + // with the certificate or chain. + // (see bug 1267318) + result = Success; + } + if (result != Success) { + return mozilla::psm::GetXPCOMFromNSSError(MapResultToPRErrorCode(result)); + } + + return NS_OK; +} + +// Given a SECOidTag representing a digest algorithm (either SEC_OID_SHA1 or +// SEC_OID_SHA256), returns the first signerInfo in the given signedData that +// purports to have been created using that digest algorithm, or nullptr if +// there is none. +// The returned signerInfo is owned by signedData, so the caller must ensure +// that the lifetime of the signerInfo is contained by the lifetime of the +// signedData. +NSSCMSSignerInfo* GetSignerInfoForDigestAlgorithm(NSSCMSSignedData* signedData, + SECOidTag digestAlgorithm) { + MOZ_ASSERT(digestAlgorithm == SEC_OID_SHA1 || + digestAlgorithm == SEC_OID_SHA256); + if (digestAlgorithm != SEC_OID_SHA1 && digestAlgorithm != SEC_OID_SHA256) { + return nullptr; + } + + int numSigners = NSS_CMSSignedData_SignerInfoCount(signedData); + if (numSigners < 1) { + return nullptr; + } + for (int i = 0; i < numSigners; i++) { + NSSCMSSignerInfo* signerInfo = + NSS_CMSSignedData_GetSignerInfo(signedData, i); + // NSS_CMSSignerInfo_GetDigestAlgTag isn't exported from NSS. + SECOidData* digestAlgOID = SECOID_FindOID(&signerInfo->digestAlg.algorithm); + if (!digestAlgOID) { + continue; + } + if (digestAlgorithm == digestAlgOID->offset) { + return signerInfo; + } + } + return nullptr; +} + +Span<const uint8_t> GetPKCS7SignerCert( + NSSCMSSignerInfo* signerInfo, + nsTArray<Span<const uint8_t>>& collectedCerts) { + if (!signerInfo) { + return {}; + } + // The NSS APIs use the term "CMS", but since these are all signed by Mozilla + // infrastructure, we know they are actually PKCS7. This means that this only + // needs to handle issuer/serial number signer identifiers. + if (signerInfo->signerIdentifier.identifierType != NSSCMSSignerID_IssuerSN) { + return {}; + } + CERTIssuerAndSN* issuerAndSN = signerInfo->signerIdentifier.id.issuerAndSN; + if (!issuerAndSN) { + return {}; + } + Input issuer; + mozilla::pkix::Result result = + issuer.Init(issuerAndSN->derIssuer.data, issuerAndSN->derIssuer.len); + if (result != Success) { + return {}; + } + Input serialNumber; + result = serialNumber.Init(issuerAndSN->serialNumber.data, + issuerAndSN->serialNumber.len); + if (result != Success) { + return {}; + } + for (const auto& certDER : collectedCerts) { + Input certInput; + result = certInput.Init(certDER.Elements(), certDER.Length()); + if (result != Success) { + continue; // probably too big + } + // Since this only decodes the certificate and doesn't attempt to build a + // verified chain with it, the EndEntityOrCA parameter doesn't matter. + BackCert cert(certInput, EndEntityOrCA::MustBeEndEntity, nullptr); + result = cert.Init(); + if (result != Success) { + continue; + } + if (InputsAreEqual(issuer, cert.GetIssuer()) && + InputsAreEqual(serialNumber, cert.GetSerialNumber())) { + return certDER; + } + } + return {}; +} + +nsresult VerifySignature(AppTrustedRoot trustedRoot, const SECItem& buffer, + nsTArray<uint8_t>& detachedSHA1Digest, + nsTArray<uint8_t>& detachedSHA256Digest, + /*out*/ SECOidTag& digestAlgorithm, + /*out*/ nsTArray<uint8_t>& signerCert) { + if (NS_WARN_IF(!buffer.data || buffer.len == 0 || + detachedSHA1Digest.Length() == 0 || + detachedSHA256Digest.Length() == 0)) { + return NS_ERROR_INVALID_ARG; + } + + UniqueNSSCMSMessage cmsMsg(NSS_CMSMessage_CreateFromDER( + const_cast<SECItem*>(&buffer), nullptr, nullptr, nullptr, nullptr, + nullptr, nullptr)); + if (!cmsMsg) { + return NS_ERROR_CMS_VERIFY_NOT_SIGNED; + } + + if (!NSS_CMSMessage_IsSigned(cmsMsg.get())) { + return NS_ERROR_CMS_VERIFY_NOT_SIGNED; + } + + NSSCMSContentInfo* cinfo = NSS_CMSMessage_ContentLevel(cmsMsg.get(), 0); + if (!cinfo) { + return NS_ERROR_CMS_VERIFY_NO_CONTENT_INFO; + } + + // We're expecting this to be a PKCS#7 signedData content info. + if (NSS_CMSContentInfo_GetContentTypeTag(cinfo) != + SEC_OID_PKCS7_SIGNED_DATA) { + return NS_ERROR_CMS_VERIFY_NO_CONTENT_INFO; + } + + // signedData is non-owning + NSSCMSSignedData* signedData = + static_cast<NSSCMSSignedData*>(NSS_CMSContentInfo_GetContent(cinfo)); + if (!signedData) { + return NS_ERROR_CMS_VERIFY_NO_CONTENT_INFO; + } + + nsTArray<Span<const uint8_t>> collectedCerts; + if (signedData->rawCerts) { + for (size_t i = 0; signedData->rawCerts[i]; ++i) { + Span<const uint8_t> cert(signedData->rawCerts[i]->data, + signedData->rawCerts[i]->len); + collectedCerts.AppendElement(std::move(cert)); + } + } + + NSSCMSSignerInfo* signerInfo = + GetSignerInfoForDigestAlgorithm(signedData, SEC_OID_SHA256); + nsTArray<uint8_t>* tmpDetachedDigest = &detachedSHA256Digest; + digestAlgorithm = SEC_OID_SHA256; + if (!signerInfo) { + signerInfo = GetSignerInfoForDigestAlgorithm(signedData, SEC_OID_SHA1); + if (!signerInfo) { + return NS_ERROR_CMS_VERIFY_NOT_SIGNED; + } + tmpDetachedDigest = &detachedSHA1Digest; + digestAlgorithm = SEC_OID_SHA1; + } + + const SECItem detachedDigest = { + siBuffer, tmpDetachedDigest->Elements(), + static_cast<unsigned int>(tmpDetachedDigest->Length())}; + + // Get the certificate that issued the PKCS7 signature. + Span<const uint8_t> signerCertSpan = + GetPKCS7SignerCert(signerInfo, collectedCerts); + if (signerCertSpan.IsEmpty()) { + return NS_ERROR_CMS_VERIFY_ERROR_PROCESSING; + } + + nsresult rv = + VerifyCertificate(signerCertSpan, trustedRoot, std::move(collectedCerts)); + if (NS_FAILED(rv)) { + return rv; + } + signerCert.Clear(); + signerCert.AppendElements(signerCertSpan); + + // Ensure that the PKCS#7 data OID is present as the PKCS#9 contentType. + const char* pkcs7DataOidString = "1.2.840.113549.1.7.1"; + ScopedAutoSECItem pkcs7DataOid; + if (SEC_StringToOID(nullptr, &pkcs7DataOid, pkcs7DataOidString, 0) != + SECSuccess) { + return NS_ERROR_CMS_VERIFY_ERROR_PROCESSING; + } + + // NSS_CMSSignerInfo_Verify relies on NSS_CMSSignerInfo_GetSigningCertificate + // having been called already. This relies on the signing certificate being + // decoded as a CERTCertificate. + // This assertion should never fail, as this certificate has been + // successfully verified, which means it fits in the size of an unsigned int. + SECItem signingCertificateItem = { + siBuffer, const_cast<unsigned char*>(signerCertSpan.Elements()), + AssertedCast<unsigned int>(signerCertSpan.Length())}; + UniqueCERTCertificate signingCertificateHandle(CERT_NewTempCertificate( + CERT_GetDefaultCertDB(), &signingCertificateItem, nullptr, false, true)); + if (!signingCertificateHandle) { + return mozilla::psm::GetXPCOMFromNSSError(SEC_ERROR_PKCS7_BAD_SIGNATURE); + } + // NB: This function does not return an owning reference, unlike with many + // other NSS APIs. + if (!NSS_CMSSignerInfo_GetSigningCertificate(signerInfo, + CERT_GetDefaultCertDB())) { + return mozilla::psm::GetXPCOMFromNSSError(SEC_ERROR_PKCS7_BAD_SIGNATURE); + } + return MapSECStatus(NSS_CMSSignerInfo_Verify( + signerInfo, const_cast<SECItem*>(&detachedDigest), &pkcs7DataOid)); +} + +class CoseVerificationContext { + public: + explicit CoseVerificationContext(AppTrustedRoot aTrustedRoot) + : mTrustedRoot(aTrustedRoot) {} + ~CoseVerificationContext() = default; + + AppTrustedRoot GetTrustedRoot() { return mTrustedRoot; } + void SetCert(Span<const uint8_t> certDER) { + mCertDER.Clear(); + mCertDER.AppendElements(certDER); + } + + nsTArray<uint8_t> TakeCert() { return std::move(mCertDER); } + + private: + AppTrustedRoot mTrustedRoot; + nsTArray<uint8_t> mCertDER; +}; + +// Verification function called from cose-rust. +// Returns true if everything goes well and the signature and certificate chain +// are good, false in any other case. +bool CoseVerificationCallback(const uint8_t* aPayload, size_t aPayloadLen, + const uint8_t** aCertChain, size_t aCertChainLen, + const size_t* aCertsLen, const uint8_t* aEECert, + size_t aEECertLen, const uint8_t* aSignature, + size_t aSignatureLen, uint8_t aSignatureAlgorithm, + void* ctx) { + if (!ctx || !aPayload || !aEECert || !aSignature) { + return false; + } + // The ctx here is a pointer to a CoseVerificationContext object + CoseVerificationContext* context = static_cast<CoseVerificationContext*>(ctx); + AppTrustedRoot aTrustedRoot = context->GetTrustedRoot(); + + CK_MECHANISM_TYPE mechanism; + SECOidTag oid; + uint32_t hash_length; + SECItem param = {siBuffer, nullptr, 0}; + switch (aSignatureAlgorithm) { + case ES256: + mechanism = CKM_ECDSA; + oid = SEC_OID_SHA256; + hash_length = SHA256_LENGTH; + break; + case ES384: + mechanism = CKM_ECDSA; + oid = SEC_OID_SHA384; + hash_length = SHA384_LENGTH; + break; + case ES512: + mechanism = CKM_ECDSA; + oid = SEC_OID_SHA512; + hash_length = SHA512_LENGTH; + break; + default: + return false; + } + + uint8_t hashBuf[HASH_LENGTH_MAX]; + SECStatus rv = PK11_HashBuf(oid, hashBuf, aPayload, aPayloadLen); + if (rv != SECSuccess) { + return false; + } + SECItem hashItem = {siBuffer, hashBuf, hash_length}; + Input certInput; + if (certInput.Init(aEECert, aEECertLen) != Success) { + return false; + } + // Since this only decodes the certificate and doesn't attempt to build a + // verified chain with it, the EndEntityOrCA parameter doesn't matter. + BackCert backCert(certInput, EndEntityOrCA::MustBeEndEntity, nullptr); + if (backCert.Init() != Success) { + return false; + } + Input spkiInput = backCert.GetSubjectPublicKeyInfo(); + SECItem spkiItem = {siBuffer, const_cast<uint8_t*>(spkiInput.UnsafeGetData()), + spkiInput.GetLength()}; + UniqueCERTSubjectPublicKeyInfo spki( + SECKEY_DecodeDERSubjectPublicKeyInfo(&spkiItem)); + if (!spki) { + return false; + } + UniqueSECKEYPublicKey key(SECKEY_ExtractPublicKey(spki.get())); + SECItem signatureItem = {siBuffer, const_cast<uint8_t*>(aSignature), + static_cast<unsigned int>(aSignatureLen)}; + rv = PK11_VerifyWithMechanism(key.get(), mechanism, ¶m, &signatureItem, + &hashItem, nullptr); + if (rv != SECSuccess) { + return false; + } + + nsTArray<Span<const uint8_t>> collectedCerts; + for (size_t i = 0; i < aCertChainLen; ++i) { + Span<const uint8_t> cert(aCertChain[i], aCertsLen[i]); + collectedCerts.AppendElement(std::move(cert)); + } + + Span<const uint8_t> certSpan = {aEECert, aEECertLen}; + nsresult nrv = + VerifyCertificate(certSpan, aTrustedRoot, std::move(collectedCerts)); + bool result = true; + if (NS_FAILED(nrv)) { + result = false; + } + + // Passing back the signing certificate in form of the DER cert. + context->SetCert(certSpan); + if (NS_FAILED(nrv)) { + result = false; + } + + return result; +} + +nsresult VerifyAppManifest(SECOidTag aDigestToUse, nsCOMPtr<nsIZipReader> aZip, + nsTHashtable<nsCStringHashKey>& aIgnoredFiles, + const SECItem& aManifestBuffer) { + // Allocate the I/O buffer only once per JAR, instead of once per entry, in + // order to minimize malloc/free calls and in order to avoid fragmenting + // memory. + ScopedAutoSECItem buf(128 * 1024); + + nsTHashtable<nsCStringHashKey> items; + + nsresult rv = + ParseMF(BitwiseCast<char*, unsigned char*>(aManifestBuffer.data), aZip, + aDigestToUse, items, buf); + if (NS_FAILED(rv)) { + return rv; + } + + // Verify every entry in the file. + nsCOMPtr<nsIUTF8StringEnumerator> entries; + rv = aZip->FindEntries(""_ns, getter_AddRefs(entries)); + if (NS_FAILED(rv)) { + return rv; + } + if (!entries) { + return NS_ERROR_UNEXPECTED; + } + + for (;;) { + bool hasMore; + rv = entries->HasMore(&hasMore); + NS_ENSURE_SUCCESS(rv, rv); + + if (!hasMore) { + break; + } + + nsAutoCString entryFilename; + rv = entries->GetNext(entryFilename); + NS_ENSURE_SUCCESS(rv, rv); + + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("Verifying digests for %s", entryFilename.get())); + + if (entryFilename.Length() == 0) { + return NS_ERROR_SIGNED_JAR_ENTRY_INVALID; + } + + // The files that comprise the signature mechanism are not covered by the + // signature. Ignore these files. + if (aIgnoredFiles.Contains(entryFilename)) { + continue; + } + + // Entries with names that end in "/" are directory entries, which are not + // signed. + // + // Since bug 1415991 we don't support unpacked JARs. The "/" entries are + // therefore harmless. + if (entryFilename.Last() == '/') { + continue; + } + + nsCStringHashKey* item = items.GetEntry(entryFilename); + if (!item) { + return NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY; + } + + // Remove the item so we can check for leftover items later + items.RemoveEntry(item); + } + + // We verified that every entry that we require to be signed is signed. But, + // were there any missing entries--that is, entries that are mentioned in the + // manifest but missing from the archive? + if (items.Count() != 0) { + return NS_ERROR_SIGNED_JAR_ENTRY_MISSING; + } + + return NS_OK; +} + +// This corresponds to the preference "security.signed_app_signatures.policy". +// The lowest order bit determines which PKCS#7 algorithms are accepted. +// xxx_0_: SHA-1 and/or SHA-256 PKCS#7 allowed +// xxx_1_: SHA-256 PKCS#7 allowed +// The next two bits determine whether COSE is required and PKCS#7 is allowed +// x_00_x: COSE disabled, ignore files, PKCS#7 must verify +// x_01_x: COSE is verified if present, PKCS#7 must verify +// x_10_x: COSE is required, PKCS#7 must verify if present +// x_11_x: COSE is required, PKCS#7 disabled (fail when present) +class SignaturePolicy { + public: + explicit SignaturePolicy(int32_t preference) + : mProcessCose(true), + mCoseRequired(false), + mProcessPK7(true), + mPK7Required(true), + mSHA1Allowed(true), + mSHA256Allowed(true) { + mCoseRequired = (preference & 0b100) != 0; + mProcessCose = (preference & 0b110) != 0; + mPK7Required = (preference & 0b100) == 0; + mProcessPK7 = (preference & 0b110) != 0b110; + if ((preference & 0b1) == 0) { + mSHA1Allowed = true; + mSHA256Allowed = true; + } else { + mSHA1Allowed = false; + mSHA256Allowed = true; + } + } + ~SignaturePolicy() = default; + bool ProcessCOSE() { return mProcessCose; } + bool COSERequired() { return mCoseRequired; } + bool PK7Required() { return mPK7Required; } + bool ProcessPK7() { return mProcessPK7; } + bool IsPK7HashAllowed(SECOidTag aHashAlg) { + if (aHashAlg == SEC_OID_SHA256 && mSHA256Allowed) { + return true; + } + if (aHashAlg == SEC_OID_SHA1 && mSHA1Allowed) { + return true; + } + return false; + } + + private: + bool mProcessCose; + bool mCoseRequired; + bool mProcessPK7; + bool mPK7Required; + bool mSHA1Allowed; + bool mSHA256Allowed; +}; + +nsresult VerifyCOSESignature(AppTrustedRoot aTrustedRoot, nsIZipReader* aZip, + SignaturePolicy& aPolicy, + nsTHashtable<nsCStringHashKey>& aIgnoredFiles, + /* out */ bool& aVerified, + /* out */ nsTArray<uint8_t>& aCoseCertDER) { + NS_ENSURE_ARG_POINTER(aZip); + bool required = aPolicy.COSERequired(); + aVerified = false; + + // Read COSE signature file. + nsAutoCString coseFilename; + ScopedAutoSECItem coseBuffer; + nsresult rv = FindAndLoadOneEntry( + aZip, nsLiteralCString(JAR_COSE_SEARCH_STRING), coseFilename, coseBuffer); + if (NS_FAILED(rv)) { + return required ? NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE : NS_OK; + } + + // Verify COSE signature. + nsAutoCString mfFilename; + ScopedAutoSECItem manifestBuffer; + rv = FindAndLoadOneEntry(aZip, nsLiteralCString(JAR_COSE_MF_SEARCH_STRING), + mfFilename, manifestBuffer); + if (NS_FAILED(rv)) { + return required ? NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE : rv; + } + MOZ_ASSERT(manifestBuffer.len >= 1); + MOZ_ASSERT(coseBuffer.len >= 1); + CoseVerificationContext context(aTrustedRoot); + bool coseVerification = verify_cose_signature_ffi( + manifestBuffer.data, manifestBuffer.len - 1, coseBuffer.data, + coseBuffer.len - 1, &context, CoseVerificationCallback); + if (!coseVerification) { + return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID; + } + // CoseVerificationCallback sets the context certificate to the first cert + // it encounters. + aCoseCertDER = context.TakeCert(); + + // aIgnoredFiles contains the PKCS#7 manifest and signature files iff the + // PKCS#7 verification was successful. + aIgnoredFiles.PutEntry(mfFilename); + aIgnoredFiles.PutEntry(coseFilename); + rv = VerifyAppManifest(SEC_OID_SHA256, aZip, aIgnoredFiles, manifestBuffer); + if (NS_FAILED(rv)) { + return rv; + } + + aVerified = true; + return NS_OK; +} + +nsresult VerifyPK7Signature( + AppTrustedRoot aTrustedRoot, nsIZipReader* aZip, SignaturePolicy& aPolicy, + /* out */ nsTHashtable<nsCStringHashKey>& aIgnoredFiles, + /* out */ bool& aVerified, + /* out */ nsTArray<uint8_t>& aSignerCert) { + NS_ENSURE_ARG_POINTER(aZip); + bool required = aPolicy.PK7Required(); + aVerified = false; + + // Signature (RSA) file + nsAutoCString sigFilename; + ScopedAutoSECItem sigBuffer; + nsresult rv = FindAndLoadOneEntry( + aZip, nsLiteralCString(JAR_RSA_SEARCH_STRING), sigFilename, sigBuffer); + if (NS_FAILED(rv)) { + return required ? NS_ERROR_SIGNED_JAR_NOT_SIGNED : NS_OK; + } + + // Signature (SF) file + nsAutoCString sfFilename; + ScopedAutoSECItem sfBuffer; + rv = FindAndLoadOneEntry(aZip, nsLiteralCString(JAR_SF_SEARCH_STRING), + sfFilename, sfBuffer); + if (NS_FAILED(rv)) { + return required ? NS_ERROR_SIGNED_JAR_MANIFEST_INVALID : NS_OK; + } + + // Calculate both the SHA-1 and SHA-256 hashes of the signature file - we + // don't know what algorithm the PKCS#7 signature used. + nsTArray<uint8_t> sfCalculatedSHA1Digest; + rv = Digest::DigestBuf(SEC_OID_SHA1, sfBuffer.data, sfBuffer.len - 1, + sfCalculatedSHA1Digest); + if (NS_FAILED(rv)) { + return rv; + } + + nsTArray<uint8_t> sfCalculatedSHA256Digest; + rv = Digest::DigestBuf(SEC_OID_SHA256, sfBuffer.data, sfBuffer.len - 1, + sfCalculatedSHA256Digest); + if (NS_FAILED(rv)) { + return rv; + } + + // Verify PKCS#7 signature. + // If we get here, the signature has to verify even if PKCS#7 is not required. + sigBuffer.type = siBuffer; + SECOidTag digestToUse; + rv = VerifySignature(aTrustedRoot, sigBuffer, sfCalculatedSHA1Digest, + sfCalculatedSHA256Digest, digestToUse, aSignerCert); + if (NS_FAILED(rv)) { + return rv; + } + + // Check the digest used for the signature against the policy. + if (!aPolicy.IsPK7HashAllowed(digestToUse)) { + return NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE; + } + + nsAutoCString mfDigest; + rv = ParseSF(BitwiseCast<char*, unsigned char*>(sfBuffer.data), digestToUse, + mfDigest); + if (NS_FAILED(rv)) { + return rv; + } + + // Read PK7 manifest (MF) file. + ScopedAutoSECItem manifestBuffer; + nsTArray<uint8_t> digestArray; + nsAutoCString mfFilename; + rv = FindAndLoadOneEntry(aZip, nsLiteralCString(JAR_MF_SEARCH_STRING), + mfFilename, manifestBuffer, digestToUse, + &digestArray); + if (NS_FAILED(rv)) { + return rv; + } + + nsDependentCSubstring calculatedDigest( + BitwiseCast<char*, uint8_t*>(digestArray.Elements()), + digestArray.Length()); + if (!mfDigest.Equals(calculatedDigest)) { + return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID; + } + + // Verify PKCS7 manifest file hashes. + aIgnoredFiles.PutEntry(sfFilename); + aIgnoredFiles.PutEntry(sigFilename); + aIgnoredFiles.PutEntry(mfFilename); + rv = VerifyAppManifest(digestToUse, aZip, aIgnoredFiles, manifestBuffer); + if (NS_FAILED(rv)) { + aIgnoredFiles.Clear(); + return rv; + } + + aVerified = true; + return NS_OK; +} + +nsresult OpenSignedAppFile(AppTrustedRoot aTrustedRoot, nsIFile* aJarFile, + SignaturePolicy aPolicy, + /* out, optional */ nsIZipReader** aZipReader, + /* out, optional */ nsIX509Cert** aSignerCert) { + NS_ENSURE_ARG_POINTER(aJarFile); + + if (aZipReader) { + *aZipReader = nullptr; + } + + if (aSignerCert) { + *aSignerCert = nullptr; + } + + nsresult rv; + + static NS_DEFINE_CID(kZipReaderCID, NS_ZIPREADER_CID); + nsCOMPtr<nsIZipReader> zip = do_CreateInstance(kZipReaderCID, &rv); + NS_ENSURE_SUCCESS(rv, rv); + + rv = zip->Open(aJarFile); + NS_ENSURE_SUCCESS(rv, rv); + + bool pk7Verified = false; + bool coseVerified = false; + nsTHashtable<nsCStringHashKey> ignoredFiles; + nsTArray<uint8_t> pkcs7CertDER; + nsTArray<uint8_t> coseCertDER; + + // First we have to verify the PKCS#7 signature if there is one. + // This signature covers all files (except for the signature files itself), + // including the COSE signature files. Only when this verification is + // successful the respective files will be ignored in the subsequent COSE + // signature verification. + if (aPolicy.ProcessPK7()) { + rv = VerifyPK7Signature(aTrustedRoot, zip, aPolicy, ignoredFiles, + pk7Verified, pkcs7CertDER); + if (NS_FAILED(rv)) { + return rv; + } + } + + if (aPolicy.ProcessCOSE()) { + rv = VerifyCOSESignature(aTrustedRoot, zip, aPolicy, ignoredFiles, + coseVerified, coseCertDER); + if (NS_FAILED(rv)) { + return rv; + } + } + + // Bits 1 and 2 + // 00 = Didn't Process PKCS#7 signatures + // 01 = Processed but no valid cert or signature + // 10 = Processed and valid cert found, but addon didn't match manifest + // 11 = Processed and valid. + // Bits 3 and 4 are the same but for COSE. + uint32_t bucket = 0; + bucket += aPolicy.ProcessCOSE(); + bucket += !coseCertDER.IsEmpty(); + bucket += coseVerified; + bucket <<= 2; + bucket += aPolicy.ProcessPK7(); + bucket += !pkcs7CertDER.IsEmpty(); + bucket += pk7Verified; + Telemetry::Accumulate(Telemetry::ADDON_SIGNATURE_VERIFICATION_STATUS, bucket); + + if ((aPolicy.PK7Required() && !pk7Verified) || + (aPolicy.COSERequired() && !coseVerified)) { + return NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE; + } + + // Return the reader to the caller if they want it + if (aZipReader) { + zip.forget(aZipReader); + } + + // Return the signer's certificate to the reader if they want it. + if (aSignerCert) { + // The COSE certificate is authoritative. + if (aPolicy.COSERequired() || !coseCertDER.IsEmpty()) { + if (coseCertDER.IsEmpty()) { + return NS_ERROR_FAILURE; + } + nsCOMPtr<nsIX509Cert> signerCert( + new nsNSSCertificate(std::move(coseCertDER))); + signerCert.forget(aSignerCert); + } else { + if (pkcs7CertDER.IsEmpty()) { + return NS_ERROR_FAILURE; + } + nsCOMPtr<nsIX509Cert> signerCert( + new nsNSSCertificate(std::move(pkcs7CertDER))); + signerCert.forget(aSignerCert); + } + } + + return NS_OK; +} + +class OpenSignedAppFileTask final : public CryptoTask { + public: + OpenSignedAppFileTask(AppTrustedRoot aTrustedRoot, nsIFile* aJarFile, + SignaturePolicy aPolicy, + nsIOpenSignedAppFileCallback* aCallback) + : mTrustedRoot(aTrustedRoot), + mJarFile(aJarFile), + mPolicy(aPolicy), + mCallback(new nsMainThreadPtrHolder<nsIOpenSignedAppFileCallback>( + "OpenSignedAppFileTask::mCallback", aCallback)) {} + + private: + virtual nsresult CalculateResult() override { + return OpenSignedAppFile(mTrustedRoot, mJarFile, mPolicy, + getter_AddRefs(mZipReader), + getter_AddRefs(mSignerCert)); + } + + virtual void CallCallback(nsresult rv) override { + (void)mCallback->OpenSignedAppFileFinished(rv, mZipReader, mSignerCert); + } + + const AppTrustedRoot mTrustedRoot; + const nsCOMPtr<nsIFile> mJarFile; + const SignaturePolicy mPolicy; + nsMainThreadPtrHandle<nsIOpenSignedAppFileCallback> mCallback; + nsCOMPtr<nsIZipReader> mZipReader; // out + nsCOMPtr<nsIX509Cert> mSignerCert; // out +}; + +static const int32_t sDefaultSignaturePolicy = 0b10; + +} // unnamed namespace + +NS_IMETHODIMP +nsNSSCertificateDB::OpenSignedAppFileAsync( + AppTrustedRoot aTrustedRoot, nsIFile* aJarFile, + nsIOpenSignedAppFileCallback* aCallback) { + NS_ENSURE_ARG_POINTER(aJarFile); + NS_ENSURE_ARG_POINTER(aCallback); + if (!NS_IsMainThread()) { + return NS_ERROR_NOT_SAME_THREAD; + } + int32_t policyInt = + Preferences::GetInt("security.signed_app_signatures.policy", + static_cast<int32_t>(sDefaultSignaturePolicy)); + SignaturePolicy policy(policyInt); + RefPtr<OpenSignedAppFileTask> task( + new OpenSignedAppFileTask(aTrustedRoot, aJarFile, policy, aCallback)); + return task->Dispatch(); +} diff --git a/security/manager/ssl/AppTrustDomain.cpp b/security/manager/ssl/AppTrustDomain.cpp new file mode 100644 index 0000000000..2cdf275ade --- /dev/null +++ b/security/manager/ssl/AppTrustDomain.cpp @@ -0,0 +1,319 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "AppTrustDomain.h" + +#include "MainThreadUtils.h" +#include "cert_storage/src/cert_storage.h" +// FIXME: these two must be included before certdb.h { +#include "seccomon.h" +#include "certt.h" +// } +#include "certdb.h" +#include "mozilla/ArrayUtils.h" +#include "mozilla/Casting.h" +#include "mozilla/Logging.h" +#include "mozilla/Preferences.h" +#include "mozpkix/pkixnss.h" +#include "NSSCertDBTrustDomain.h" +#include "nsComponentManagerUtils.h" +#include "nsDirectoryServiceUtils.h" +#include "nsIContentSignatureVerifier.h" +#include "nsIX509CertDB.h" +#include "nsNSSCertificate.h" +#include "nsNetUtil.h" +#include "prerror.h" + +// Generated by gen_cert_header.py, which gets called by the build system. +#include "xpcshell.inc" +// Add-on signing Certificates +#include "addons-public.inc" +#include "addons-public-intermediate.inc" +#include "addons-stage.inc" +// Content signature root certificates +#include "content-signature-dev.inc" +#include "content-signature-local.inc" +#include "content-signature-prod.inc" +#include "content-signature-stage.inc" + +using namespace mozilla::pkix; + +extern mozilla::LazyLogModule gPIPNSSLog; + +namespace mozilla { +namespace psm { + +AppTrustDomain::AppTrustDomain(nsTArray<Span<const uint8_t>>&& collectedCerts) + : mIntermediates(std::move(collectedCerts)), + mCertBlocklist(do_GetService(NS_CERT_STORAGE_CID)) {} + +nsresult AppTrustDomain::SetTrustedRoot(AppTrustedRoot trustedRoot) { + switch (trustedRoot) { + case nsIX509CertDB::AppXPCShellRoot: + mTrustedRoot = {xpcshellRoot}; + break; + + case nsIX509CertDB::AddonsPublicRoot: + mTrustedRoot = {addonsPublicRoot}; + break; + + case nsIX509CertDB::AddonsStageRoot: + mTrustedRoot = {addonsStageRoot}; + break; + + case nsIContentSignatureVerifier::ContentSignatureLocalRoot: + mTrustedRoot = {contentSignatureLocalRoot}; + break; + + case nsIContentSignatureVerifier::ContentSignatureProdRoot: + mTrustedRoot = {contentSignatureProdRoot}; + break; + + case nsIContentSignatureVerifier::ContentSignatureStageRoot: + mTrustedRoot = {contentSignatureStageRoot}; + break; + + case nsIContentSignatureVerifier::ContentSignatureDevRoot: + mTrustedRoot = {contentSignatureDevRoot}; + break; + + default: + return NS_ERROR_INVALID_ARG; + } + + // If we're verifying add-ons signed by our production root, we want to make + // sure a valid intermediate certificate is available for path building. + if (trustedRoot == nsIX509CertDB::AddonsPublicRoot) { + mAddonsIntermediate = {addonsPublicIntermediate}; + } + + return NS_OK; +} + +pkix::Result AppTrustDomain::FindIssuer(Input encodedIssuerName, + IssuerChecker& checker, Time) { + MOZ_ASSERT(!mTrustedRoot.IsEmpty()); + if (mTrustedRoot.IsEmpty()) { + return pkix::Result::FATAL_ERROR_INVALID_STATE; + } + + nsTArray<Input> candidates; + Input rootInput; + pkix::Result rv = + rootInput.Init(mTrustedRoot.Elements(), mTrustedRoot.Length()); + // This should never fail, since the possible roots are all hard-coded and + // they should never be too long. + if (rv != Success) { + return rv; + } + candidates.AppendElement(std::move(rootInput)); + if (!mAddonsIntermediate.IsEmpty()) { + Input intermediateInput; + rv = intermediateInput.Init(mAddonsIntermediate.Elements(), + mAddonsIntermediate.Length()); + // Again, this should never fail for the same reason as above. + if (rv != Success) { + return rv; + } + candidates.AppendElement(std::move(intermediateInput)); + } + for (const auto& intermediate : mIntermediates) { + Input intermediateInput; + rv = intermediateInput.Init(intermediate.Elements(), intermediate.Length()); + // This is untrusted input, so skip any intermediates that are too large. + if (rv != Success) { + continue; + } + candidates.AppendElement(std::move(intermediateInput)); + } + + for (const auto& candidate : candidates) { + bool keepGoing; + rv = checker.Check(candidate, nullptr /*additionalNameConstraints*/, + keepGoing); + if (rv != Success) { + return rv; + } + if (!keepGoing) { + return Success; + } + } + + // If the above did not succeed in building a verified certificate chain, + // fall back to searching for candidates in NSS. This is important in case an + // intermediate involved in add-on signing expires before it is replaced. See + // bug 1548973. + SECItem encodedIssuerNameSECItem = UnsafeMapInputToSECItem(encodedIssuerName); + UniqueCERTCertList nssCandidates(CERT_CreateSubjectCertList( + nullptr, CERT_GetDefaultCertDB(), &encodedIssuerNameSECItem, 0, false)); + if (nssCandidates) { + for (CERTCertListNode* n = CERT_LIST_HEAD(nssCandidates); + !CERT_LIST_END(n, nssCandidates); n = CERT_LIST_NEXT(n)) { + Input certDER; + pkix::Result rv = + certDER.Init(n->cert->derCert.data, n->cert->derCert.len); + if (rv != Success) { + continue; // probably too big + } + + bool keepGoing; + rv = checker.Check(certDER, nullptr /*additionalNameConstraints*/, + keepGoing); + if (rv != Success) { + return rv; + } + if (!keepGoing) { + break; + } + } + } + + return Success; +} + +pkix::Result AppTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA, + const CertPolicyId& policy, + Input candidateCertDER, + /*out*/ TrustLevel& trustLevel) { + MOZ_ASSERT(policy.IsAnyPolicy()); + MOZ_ASSERT(!mTrustedRoot.IsEmpty()); + if (!policy.IsAnyPolicy()) { + return pkix::Result::FATAL_ERROR_INVALID_ARGS; + } + if (mTrustedRoot.IsEmpty()) { + return pkix::Result::FATAL_ERROR_INVALID_STATE; + } + + nsTArray<uint8_t> issuerBytes; + nsTArray<uint8_t> serialBytes; + nsTArray<uint8_t> subjectBytes; + nsTArray<uint8_t> pubKeyBytes; + + pkix::Result result = + BuildRevocationCheckArrays(candidateCertDER, endEntityOrCA, issuerBytes, + serialBytes, subjectBytes, pubKeyBytes); + if (result != Success) { + return result; + } + + int16_t revocationState; + nsresult nsrv = mCertBlocklist->GetRevocationState( + issuerBytes, serialBytes, subjectBytes, pubKeyBytes, &revocationState); + if (NS_FAILED(nsrv)) { + return pkix::Result::FATAL_ERROR_LIBRARY_FAILURE; + } + + if (revocationState == nsICertStorage::STATE_ENFORCE) { + return pkix::Result::ERROR_REVOKED_CERTIFICATE; + } + + // mTrustedRoot is the only trust anchor for this validation. + Span<const uint8_t> candidateCertDERSpan = {candidateCertDER.UnsafeGetData(), + candidateCertDER.GetLength()}; + if (mTrustedRoot == candidateCertDERSpan) { + trustLevel = TrustLevel::TrustAnchor; + return Success; + } + + trustLevel = TrustLevel::InheritsTrust; + return Success; +} + +pkix::Result AppTrustDomain::DigestBuf(Input item, DigestAlgorithm digestAlg, + /*out*/ uint8_t* digestBuf, + size_t digestBufLen) { + return DigestBufNSS(item, digestAlg, digestBuf, digestBufLen); +} + +pkix::Result AppTrustDomain::CheckRevocation(EndEntityOrCA, const CertID&, Time, + Duration, + /*optional*/ const Input*, + /*optional*/ const Input*, + /*optional*/ const Input*) { + // We don't currently do revocation checking. If we need to distrust an Apps + // certificate, we will use the active distrust mechanism. + return Success; +} + +pkix::Result AppTrustDomain::IsChainValid(const DERArray& certChain, Time time, + const CertPolicyId& requiredPolicy) { + MOZ_ASSERT(requiredPolicy.IsAnyPolicy()); + return Success; +} + +pkix::Result AppTrustDomain::CheckSignatureDigestAlgorithm( + DigestAlgorithm digestAlg, EndEntityOrCA, Time) { + switch (digestAlg) { + case DigestAlgorithm::sha256: // fall through + case DigestAlgorithm::sha384: // fall through + case DigestAlgorithm::sha512: + return Success; + case DigestAlgorithm::sha1: + return pkix::Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED; + } + return pkix::Result::FATAL_ERROR_LIBRARY_FAILURE; +} + +pkix::Result AppTrustDomain::CheckRSAPublicKeyModulusSizeInBits( + EndEntityOrCA /*endEntityOrCA*/, unsigned int modulusSizeInBits) { + if (modulusSizeInBits < 2048u) { + return pkix::Result::ERROR_INADEQUATE_KEY_SIZE; + } + return Success; +} + +pkix::Result AppTrustDomain::VerifyRSAPKCS1SignedData( + Input data, DigestAlgorithm digestAlgorithm, Input signature, + Input subjectPublicKeyInfo) { + // TODO: We should restrict signatures to SHA-256 or better. + return VerifyRSAPKCS1SignedDataNSS(data, digestAlgorithm, signature, + subjectPublicKeyInfo, nullptr); +} + +pkix::Result AppTrustDomain::VerifyRSAPSSSignedData( + Input data, DigestAlgorithm digestAlgorithm, Input signature, + Input subjectPublicKeyInfo) { + return VerifyRSAPSSSignedDataNSS(data, digestAlgorithm, signature, + subjectPublicKeyInfo, nullptr); +} + +pkix::Result AppTrustDomain::CheckECDSACurveIsAcceptable( + EndEntityOrCA /*endEntityOrCA*/, NamedCurve curve) { + switch (curve) { + case NamedCurve::secp256r1: // fall through + case NamedCurve::secp384r1: // fall through + case NamedCurve::secp521r1: + return Success; + } + + return pkix::Result::ERROR_UNSUPPORTED_ELLIPTIC_CURVE; +} + +pkix::Result AppTrustDomain::VerifyECDSASignedData( + Input data, DigestAlgorithm digestAlgorithm, Input signature, + Input subjectPublicKeyInfo) { + return VerifyECDSASignedDataNSS(data, digestAlgorithm, signature, + subjectPublicKeyInfo, nullptr); +} + +pkix::Result AppTrustDomain::CheckValidityIsAcceptable( + Time /*notBefore*/, Time /*notAfter*/, EndEntityOrCA /*endEntityOrCA*/, + KeyPurposeId /*keyPurpose*/) { + return Success; +} + +pkix::Result AppTrustDomain::NetscapeStepUpMatchesServerAuth( + Time /*notBefore*/, + /*out*/ bool& matches) { + matches = false; + return Success; +} + +void AppTrustDomain::NoteAuxiliaryExtension(AuxiliaryExtension /*extension*/, + Input /*extensionData*/) {} + +} // namespace psm +} // namespace mozilla diff --git a/security/manager/ssl/AppTrustDomain.h b/security/manager/ssl/AppTrustDomain.h new file mode 100644 index 0000000000..4d09cdabdf --- /dev/null +++ b/security/manager/ssl/AppTrustDomain.h @@ -0,0 +1,94 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef AppTrustDomain_h +#define AppTrustDomain_h + +#include "mozilla/Span.h" +#include "mozpkix/pkixtypes.h" +#include "nsCOMPtr.h" +#include "nsDebug.h" +#include "nsICertStorage.h" +#include "nsIX509CertDB.h" +#include "nsTArray.h" + +namespace mozilla { +namespace psm { + +class AppTrustDomain final : public mozilla::pkix::TrustDomain { + public: + typedef mozilla::pkix::Result Result; + + explicit AppTrustDomain(nsTArray<Span<const uint8_t>>&& collectedCerts); + + nsresult SetTrustedRoot(AppTrustedRoot trustedRoot); + + virtual Result GetCertTrust( + mozilla::pkix::EndEntityOrCA endEntityOrCA, + const mozilla::pkix::CertPolicyId& policy, + mozilla::pkix::Input candidateCertDER, + /*out*/ mozilla::pkix::TrustLevel& trustLevel) override; + virtual Result FindIssuer(mozilla::pkix::Input encodedIssuerName, + IssuerChecker& checker, + mozilla::pkix::Time time) override; + virtual Result CheckRevocation( + mozilla::pkix::EndEntityOrCA endEntityOrCA, + const mozilla::pkix::CertID& certID, mozilla::pkix::Time time, + mozilla::pkix::Duration validityDuration, + /*optional*/ const mozilla::pkix::Input* stapledOCSPresponse, + /*optional*/ const mozilla::pkix::Input* aiaExtension, + /*optional*/ const mozilla::pkix::Input* sctExtension) override; + virtual Result IsChainValid( + const mozilla::pkix::DERArray& certChain, mozilla::pkix::Time time, + const mozilla::pkix::CertPolicyId& requiredPolicy) override; + virtual Result CheckSignatureDigestAlgorithm( + mozilla::pkix::DigestAlgorithm digestAlg, + mozilla::pkix::EndEntityOrCA endEntityOrCA, + mozilla::pkix::Time notBefore) override; + virtual Result CheckRSAPublicKeyModulusSizeInBits( + mozilla::pkix::EndEntityOrCA endEntityOrCA, + unsigned int modulusSizeInBits) override; + virtual Result VerifyRSAPKCS1SignedData( + mozilla::pkix::Input data, mozilla::pkix::DigestAlgorithm digestAlgorithm, + mozilla::pkix::Input signature, + mozilla::pkix::Input subjectPublicKeyInfo) override; + virtual Result VerifyRSAPSSSignedData( + mozilla::pkix::Input data, mozilla::pkix::DigestAlgorithm digestAlgorithm, + mozilla::pkix::Input signature, + mozilla::pkix::Input subjectPublicKeyInfo) override; + virtual Result CheckECDSACurveIsAcceptable( + mozilla::pkix::EndEntityOrCA endEntityOrCA, + mozilla::pkix::NamedCurve curve) override; + virtual Result VerifyECDSASignedData( + mozilla::pkix::Input data, mozilla::pkix::DigestAlgorithm digestAlgorithm, + mozilla::pkix::Input signature, + mozilla::pkix::Input subjectPublicKeyInfo) override; + virtual Result CheckValidityIsAcceptable( + mozilla::pkix::Time notBefore, mozilla::pkix::Time notAfter, + mozilla::pkix::EndEntityOrCA endEntityOrCA, + mozilla::pkix::KeyPurposeId keyPurpose) override; + virtual Result NetscapeStepUpMatchesServerAuth( + mozilla::pkix::Time notBefore, + /*out*/ bool& matches) override; + virtual void NoteAuxiliaryExtension( + mozilla::pkix::AuxiliaryExtension extension, + mozilla::pkix::Input extensionData) override; + virtual Result DigestBuf(mozilla::pkix::Input item, + mozilla::pkix::DigestAlgorithm digestAlg, + /*out*/ uint8_t* digestBuf, + size_t digestBufLen) override; + + private: + Span<const uint8_t> mTrustedRoot; + Span<const uint8_t> mAddonsIntermediate; + nsTArray<Span<const uint8_t>> mIntermediates; + nsCOMPtr<nsICertStorage> mCertBlocklist; +}; + +} // namespace psm +} // namespace mozilla + +#endif // AppTrustDomain_h diff --git a/security/manager/ssl/CertStorageMemoryReporting.cpp b/security/manager/ssl/CertStorageMemoryReporting.cpp new file mode 100644 index 0000000000..524d16fc02 --- /dev/null +++ b/security/manager/ssl/CertStorageMemoryReporting.cpp @@ -0,0 +1,17 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsIMemoryReporter.h" + +// Rust doesn't support weak-linking, so MFBT_API functions like +// moz_malloc_size_of need a C++ wrapper that uses the regular ABI +// +// We're not using MOZ_DEFINE_MALLOC_SIZE_OF here because that makes the +// function `static`, which would make it not visible outside this file +extern "C" size_t cert_storage_malloc_size_of(void* aPtr) { + MOZ_REPORT(aPtr); + return moz_malloc_size_of(aPtr); +} diff --git a/security/manager/ssl/ClientAuthDialogService.sys.mjs b/security/manager/ssl/ClientAuthDialogService.sys.mjs new file mode 100644 index 0000000000..7019dcc5cd --- /dev/null +++ b/security/manager/ssl/ClientAuthDialogService.sys.mjs @@ -0,0 +1,68 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +// ClientAuthDialogService implements nsIClientAuthDialogService, and aims to +// open a dialog asking the user to select a client authentication certificate. +// Ideally the dialog will be tab-modal to the tab corresponding to the load +// that resulted in the request for the client authentication certificate. +export function ClientAuthDialogService() {} + +// Given a loadContext (CanonicalBrowsingContext), attempts to return a +// TabDialogBox for the browser corresponding to loadContext. +function getTabDialogBoxForLoadContext(loadContext) { + let tabBrowser = loadContext?.topFrameElement?.getTabBrowser(); + if (!tabBrowser) { + return null; + } + for (let browser of tabBrowser.browsers) { + if (browser.browserId == loadContext.top?.browserId) { + return tabBrowser.getTabDialogBox(browser); + } + } + return null; +} + +ClientAuthDialogService.prototype = { + classID: Components.ID("{d7d2490d-2640-411b-9f09-a538803c11ee}"), + QueryInterface: ChromeUtils.generateQI(["nsIClientAuthDialogService"]), + + chooseCertificate: function ClientAuthDialogService_chooseCertificate( + hostname, + certArray, + loadContext, + callback + ) { + const clientAuthAskURI = "chrome://pippki/content/clientauthask.xhtml"; + let retVals = { cert: null, rememberDecision: false }; + // First attempt to find a TabDialogBox for the loadContext. This allows + // for a tab-modal dialog specific to the tab causing the load, which is a + // better user experience. + let tabDialogBox = getTabDialogBoxForLoadContext(loadContext); + if (tabDialogBox) { + tabDialogBox + .open(clientAuthAskURI, {}, { hostname, certArray, retVals }) + .closedPromise.then(() => { + callback.certificateChosen(retVals.cert, retVals.rememberDecision); + }); + return; + } + // Otherwise, attempt to open a window-modal dialog on the window that at + // least has the tab the load is occurring in. + let browserWindow = loadContext?.topFrameElement?.ownerGlobal; + // Failing that, open a window-modal dialog on the most recent window. + if (!browserWindow) { + browserWindow = Services.wm.getMostRecentBrowserWindow(); + } + if (browserWindow) { + browserWindow.gDialogBox + .open(clientAuthAskURI, { hostname, certArray, retVals }) + .then(() => { + callback.certificateChosen(retVals.cert, retVals.rememberDecision); + }); + return; + } + // Otherwise, continue the connection with no certificate. + callback.certificateChosen(null, false); + }, +}; diff --git a/security/manager/ssl/CommonSocketControl.cpp b/security/manager/ssl/CommonSocketControl.cpp new file mode 100644 index 0000000000..2208333fb3 --- /dev/null +++ b/security/manager/ssl/CommonSocketControl.cpp @@ -0,0 +1,519 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "CommonSocketControl.h" + +#include "PublicKeyPinningService.h" +#include "SharedCertVerifier.h" +#include "SharedSSLState.h" +#include "mozilla/ErrorResult.h" +#include "mozilla/StaticPrefs_network.h" +#include "mozilla/dom/Promise.h" +#include "nsICertOverrideService.h" +#include "nsISocketProvider.h" +#include "nsITlsHandshakeListener.h" +#include "nsNSSComponent.h" +#include "nsNSSHelper.h" +#include "secerr.h" +#include "ssl.h" +#include "sslt.h" + +using namespace mozilla; + +extern LazyLogModule gPIPNSSLog; + +NS_IMPL_ISUPPORTS(CommonSocketControl, nsITLSSocketControl) + +CommonSocketControl::CommonSocketControl(const nsCString& aHostName, + int32_t aPort, uint32_t aProviderFlags) + : mHostName(aHostName), + mPort(aPort), + mCanceled(false), + mHandshakeCompleted(false), + mJoined(false), + mSentClientCert(false), + mFailedVerification(false), + mSSLVersionUsed(nsITLSSocketControl::SSL_VERSION_UNKNOWN), + mProviderFlags(aProviderFlags), + mSecurityState(0), + mErrorCode(0), + mServerCert(nullptr), + mCertificateTransparencyStatus(0), + mMadeOCSPRequests(false), + mUsedPrivateDNS(false), + mNPNCompleted(false), + mResumed(false), + mIsBuiltCertChainRootBuiltInRoot(false) { +#if defined(MOZ_DIAGNOSTIC_ASSERT_ENABLED) + mOwningThread = PR_GetCurrentThread(); +#endif +} + +void CommonSocketControl::SetStatusErrorBits( + const nsCOMPtr<nsIX509Cert>& cert, + nsITransportSecurityInfo::OverridableErrorCategory + overridableErrorCategory) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + SetServerCert(cert, mozilla::psm::EVStatus::NotEV); + mOverridableErrorCategory = Some(overridableErrorCategory); +} + +static void CreateCertChain(nsTArray<RefPtr<nsIX509Cert>>& aOutput, + nsTArray<nsTArray<uint8_t>>&& aCertList) { + nsTArray<nsTArray<uint8_t>> certList = std::move(aCertList); + aOutput.Clear(); + for (auto& certBytes : certList) { + RefPtr<nsIX509Cert> cert = new nsNSSCertificate(std::move(certBytes)); + aOutput.AppendElement(cert); + } +} + +void CommonSocketControl::SetServerCert( + const nsCOMPtr<nsIX509Cert>& aServerCert, + mozilla::psm::EVStatus aEVStatus) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + mServerCert = aServerCert; + mIsEV = Some(aEVStatus == mozilla::psm::EVStatus::EV); +} + +void CommonSocketControl::SetSucceededCertChain( + nsTArray<nsTArray<uint8_t>>&& aCertList) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + return CreateCertChain(mSucceededCertChain, std::move(aCertList)); +} + +void CommonSocketControl::SetFailedCertChain( + nsTArray<nsTArray<uint8_t>>&& aCertList) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + return CreateCertChain(mFailedCertChain, std::move(aCertList)); +} + +void CommonSocketControl::SetCanceled(PRErrorCode errorCode) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + MOZ_ASSERT(errorCode != 0); + if (errorCode == 0) { + errorCode = SEC_ERROR_LIBRARY_FAILURE; + } + + mErrorCode = errorCode; + mCanceled = true; +} + +// NB: GetErrorCode may be called before an error code is set (if ever). In that +// case, this returns 0, which is treated as a successful value. +int32_t CommonSocketControl::GetErrorCode() { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + // We're in an inconsistent state if we think we've been canceled but no error + // code was set or we haven't been canceled but an error code was set. + MOZ_ASSERT( + !((mCanceled && mErrorCode == 0) || (!mCanceled && mErrorCode != 0))); + if ((mCanceled && mErrorCode == 0) || (!mCanceled && mErrorCode != 0)) { + mCanceled = true; + mErrorCode = SEC_ERROR_LIBRARY_FAILURE; + } + + return mErrorCode; +} + +NS_IMETHODIMP +CommonSocketControl::ProxyStartSSL(void) { return NS_ERROR_NOT_IMPLEMENTED; } + +NS_IMETHODIMP +CommonSocketControl::StartTLS(void) { return NS_ERROR_NOT_IMPLEMENTED; } + +NS_IMETHODIMP +CommonSocketControl::SetNPNList(nsTArray<nsCString>& aNPNList) { + return NS_ERROR_NOT_IMPLEMENTED; +} + +NS_IMETHODIMP +CommonSocketControl::GetAlpnEarlySelection(nsACString& _retval) { + return NS_ERROR_NOT_IMPLEMENTED; +} + +NS_IMETHODIMP +CommonSocketControl::GetEarlyDataAccepted(bool* aEarlyDataAccepted) { + return NS_ERROR_NOT_IMPLEMENTED; +} + +NS_IMETHODIMP +CommonSocketControl::DriveHandshake(void) { return NS_ERROR_NOT_IMPLEMENTED; } + +NS_IMETHODIMP +CommonSocketControl::JoinConnection(const nsACString& npnProtocol, + const nsACString& hostname, int32_t port, + bool* _retval) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + nsresult rv = TestJoinConnection(npnProtocol, hostname, port, _retval); + if (NS_SUCCEEDED(rv) && *_retval) { + // All tests pass - this is joinable + mJoined = true; + } + return rv; +} + +NS_IMETHODIMP +CommonSocketControl::TestJoinConnection(const nsACString& npnProtocol, + const nsACString& hostname, + int32_t port, bool* _retval) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + *_retval = false; + + // Different ports may not be joined together + if (port != GetPort()) return NS_OK; + + // Make sure NPN has been completed and matches requested npnProtocol + if (!mNPNCompleted || !mNegotiatedNPN.Equals(npnProtocol)) { + return NS_OK; + } + + IsAcceptableForHost(hostname, _retval); // sets _retval + return NS_OK; +} + +NS_IMETHODIMP +CommonSocketControl::IsAcceptableForHost(const nsACString& hostname, + bool* _retval) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + NS_ENSURE_ARG(_retval); + + *_retval = false; + + // If this is the same hostname then the certicate status does not + // need to be considered. They are joinable. + if (hostname.Equals(GetHostName())) { + *_retval = true; + return NS_OK; + } + + // Before checking the server certificate we need to make sure the + // handshake has completed. + if (!mHandshakeCompleted || !HasServerCert()) { + return NS_OK; + } + + // Security checks can only be skipped when running xpcshell tests. + if (PR_GetEnv("XPCSHELL_TEST_PROFILE_DIR")) { + nsCOMPtr<nsICertOverrideService> overrideService = + do_GetService(NS_CERTOVERRIDE_CONTRACTID); + if (overrideService) { + bool securityCheckDisabled = false; + overrideService->GetSecurityCheckDisabled(&securityCheckDisabled); + if (securityCheckDisabled) { + *_retval = true; + return NS_OK; + } + } + } + + // If the cert has error bits (e.g. it is untrusted) then do not join. + if (mOverridableErrorCategory.isSome()) { + return NS_OK; + } + + // If the connection is using client certificates then do not join + // because the user decides on whether to send client certs to hosts on a + // per-domain basis. + if (mSentClientCert) return NS_OK; + + // Ensure that the server certificate covers the hostname that would + // like to join this connection + + nsCOMPtr<nsIX509Cert> cert(GetServerCert()); + if (!cert) { + return NS_OK; + } + nsTArray<uint8_t> certDER; + if (NS_FAILED(cert->GetRawDER(certDER))) { + return NS_OK; + } + + // An empty mSucceededCertChain means the server certificate verification + // failed before, so don't join in this case. + if (mSucceededCertChain.IsEmpty()) { + return NS_OK; + } + + // See where CheckCertHostname() is called in + // CertVerifier::VerifySSLServerCert. We are doing the same hostname-specific + // checks here. If any hostname-specific checks are added to + // CertVerifier::VerifySSLServerCert we need to add them here too. + pkix::Input serverCertInput; + mozilla::pkix::Result rv = + serverCertInput.Init(certDER.Elements(), certDER.Length()); + if (rv != pkix::Success) { + return NS_OK; + } + + pkix::Input hostnameInput; + rv = hostnameInput.Init( + BitwiseCast<const uint8_t*, const char*>(hostname.BeginReading()), + hostname.Length()); + if (rv != pkix::Success) { + return NS_OK; + } + + rv = CheckCertHostname(serverCertInput, hostnameInput); + if (rv != pkix::Success) { + return NS_OK; + } + + nsTArray<nsTArray<uint8_t>> rawDerCertList; + nsTArray<Span<const uint8_t>> derCertSpanList; + for (const auto& cert : mSucceededCertChain) { + rawDerCertList.EmplaceBack(); + nsresult nsrv = cert->GetRawDER(rawDerCertList.LastElement()); + if (NS_FAILED(nsrv)) { + return nsrv; + } + derCertSpanList.EmplaceBack(rawDerCertList.LastElement()); + } + bool chainHasValidPins; + nsresult nsrv = mozilla::psm::PublicKeyPinningService::ChainHasValidPins( + derCertSpanList, PromiseFlatCString(hostname).BeginReading(), pkix::Now(), + mIsBuiltCertChainRootBuiltInRoot, chainHasValidPins, nullptr); + if (NS_FAILED(nsrv)) { + return NS_OK; + } + + if (!chainHasValidPins) { + return NS_OK; + } + + // All tests pass + *_retval = true; + return NS_OK; +} + +void CommonSocketControl::RebuildCertificateInfoFromSSLTokenCache() { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + if (!mSessionCacheInfo) { + MOZ_LOG( + gPIPNSSLog, LogLevel::Debug, + ("CommonSocketControl::RebuildCertificateInfoFromSSLTokenCache cannot " + "find cached info.")); + return; + } + + mozilla::net::SessionCacheInfo& info = *mSessionCacheInfo; + nsCOMPtr<nsIX509Cert> cert( + new nsNSSCertificate(std::move(info.mServerCertBytes))); + if (info.mOverridableErrorCategory == + nsITransportSecurityInfo::OverridableErrorCategory::ERROR_UNSET) { + SetServerCert(cert, info.mEVStatus); + } else { + SetStatusErrorBits(cert, info.mOverridableErrorCategory); + } + SetCertificateTransparencyStatus(info.mCertificateTransparencyStatus); + if (info.mSucceededCertChainBytes) { + SetSucceededCertChain(std::move(*info.mSucceededCertChainBytes)); + } + + if (info.mIsBuiltCertChainRootBuiltInRoot) { + SetIsBuiltCertChainRootBuiltInRoot(*info.mIsBuiltCertChainRootBuiltInRoot); + } + + if (info.mFailedCertChainBytes) { + SetFailedCertChain(std::move(*info.mFailedCertChainBytes)); + } +} + +NS_IMETHODIMP +CommonSocketControl::GetKEAUsed(int16_t* aKEAUsed) { + return NS_ERROR_NOT_IMPLEMENTED; +} + +NS_IMETHODIMP +CommonSocketControl::GetKEAKeyBits(uint32_t* aKEAKeyBits) { + return NS_ERROR_NOT_IMPLEMENTED; +} + +NS_IMETHODIMP +CommonSocketControl::GetProviderFlags(uint32_t* aProviderFlags) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + *aProviderFlags = mProviderFlags; + return NS_OK; +} + +NS_IMETHODIMP +CommonSocketControl::GetSSLVersionUsed(int16_t* aSSLVersionUsed) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + *aSSLVersionUsed = mSSLVersionUsed; + return NS_OK; +} + +NS_IMETHODIMP +CommonSocketControl::GetSSLVersionOffered(int16_t* aSSLVersionOffered) { + return NS_ERROR_NOT_IMPLEMENTED; +} + +NS_IMETHODIMP +CommonSocketControl::GetMACAlgorithmUsed(int16_t* aMACAlgorithmUsed) { + return NS_ERROR_NOT_IMPLEMENTED; +} + +bool CommonSocketControl::GetDenyClientCert() { return true; } + +void CommonSocketControl::SetDenyClientCert(bool aDenyClientCert) {} + +NS_IMETHODIMP +CommonSocketControl::GetClientCertSent(bool* arg) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + *arg = mSentClientCert; + return NS_OK; +} + +NS_IMETHODIMP +CommonSocketControl::GetFailedVerification(bool* arg) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + *arg = mFailedVerification; + return NS_OK; +} + +NS_IMETHODIMP +CommonSocketControl::GetEsniTxt(nsACString& aEsniTxt) { + return NS_ERROR_NOT_IMPLEMENTED; +} + +NS_IMETHODIMP +CommonSocketControl::SetEsniTxt(const nsACString& aEsniTxt) { + return NS_ERROR_NOT_IMPLEMENTED; +} + +NS_IMETHODIMP +CommonSocketControl::GetEchConfig(nsACString& aEchConfig) { + return NS_ERROR_NOT_IMPLEMENTED; +} + +NS_IMETHODIMP +CommonSocketControl::SetEchConfig(const nsACString& aEchConfig) { + return NS_ERROR_NOT_IMPLEMENTED; +} + +NS_IMETHODIMP +CommonSocketControl::GetRetryEchConfig(nsACString& aEchConfig) { + return NS_ERROR_NOT_IMPLEMENTED; +} + +NS_IMETHODIMP +CommonSocketControl::SetHandshakeCallbackListener( + nsITlsHandshakeCallbackListener* callback) { + return NS_ERROR_NOT_IMPLEMENTED; +} + +NS_IMETHODIMP +CommonSocketControl::DisableEarlyData(void) { return NS_ERROR_NOT_IMPLEMENTED; } + +NS_IMETHODIMP +CommonSocketControl::GetPeerId(nsACString& aResult) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + if (!mPeerId.IsEmpty()) { + aResult.Assign(mPeerId); + return NS_OK; + } + + if (mProviderFlags & + nsISocketProvider::ANONYMOUS_CONNECT) { // See bug 466080 + mPeerId.AppendLiteral("anon:"); + } + if (mProviderFlags & nsISocketProvider::NO_PERMANENT_STORAGE) { + mPeerId.AppendLiteral("private:"); + } + if (mProviderFlags & nsISocketProvider::BE_CONSERVATIVE) { + mPeerId.AppendLiteral("beConservative:"); + } + + mPeerId.Append(mHostName); + mPeerId.Append(':'); + mPeerId.AppendInt(GetPort()); + nsAutoCString suffix; + mOriginAttributes.CreateSuffix(suffix); + mPeerId.Append(suffix); + + aResult.Assign(mPeerId); + return NS_OK; +} + +NS_IMETHODIMP +CommonSocketControl::GetSecurityInfo(nsITransportSecurityInfo** aSecurityInfo) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + // Make sure peerId is set. + nsAutoCString unused; + nsresult rv = GetPeerId(unused); + if (NS_FAILED(rv)) { + return rv; + } + nsCOMPtr<nsITransportSecurityInfo> securityInfo( + new psm::TransportSecurityInfo( + mSecurityState, mErrorCode, mFailedCertChain.Clone(), mServerCert, + mSucceededCertChain.Clone(), mCipherSuite, mKeaGroupName, + mSignatureSchemeName, mProtocolVersion, + mCertificateTransparencyStatus, mIsAcceptedEch, + mIsDelegatedCredential, mOverridableErrorCategory, mMadeOCSPRequests, + mUsedPrivateDNS, mIsEV, mNPNCompleted, mNegotiatedNPN, mResumed, + mIsBuiltCertChainRootBuiltInRoot, mPeerId)); + securityInfo.forget(aSecurityInfo); + return NS_OK; +} + +NS_IMETHODIMP +CommonSocketControl::AsyncGetSecurityInfo(JSContext* aCx, + mozilla::dom::Promise** aPromise) { + MOZ_RELEASE_ASSERT(NS_IsMainThread()); + NS_ENSURE_ARG_POINTER(aCx); + NS_ENSURE_ARG_POINTER(aPromise); + + nsIGlobalObject* globalObject = xpc::CurrentNativeGlobal(aCx); + if (!globalObject) { + return NS_ERROR_UNEXPECTED; + } + + ErrorResult result; + RefPtr<mozilla::dom::Promise> promise = + mozilla::dom::Promise::Create(globalObject, result); + if (result.Failed()) { + return result.StealNSResult(); + } + nsCOMPtr<nsIRunnable> runnable(NS_NewRunnableFunction( + "CommonSocketControl::AsyncGetSecurityInfo", + [promise, self = RefPtr{this}]() mutable { + nsCOMPtr<nsITransportSecurityInfo> securityInfo; + nsresult rv = self->GetSecurityInfo(getter_AddRefs(securityInfo)); + nsCOMPtr<nsIRunnable> runnable(NS_NewRunnableFunction( + "CommonSocketControl::AsyncGetSecurityInfoResolve", + [rv, promise = std::move(promise), + securityInfo = std::move(securityInfo)]() { + if (NS_FAILED(rv)) { + promise->MaybeReject(rv); + } else { + promise->MaybeResolve(securityInfo); + } + })); + NS_DispatchToMainThread(runnable.forget()); + })); + nsCOMPtr<nsIEventTarget> target( + do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID)); + if (!target) { + return NS_ERROR_FAILURE; + } + nsresult rv = target->Dispatch(runnable, NS_DISPATCH_NORMAL); + if (NS_FAILED(rv)) { + return rv; + } + + promise.forget(aPromise); + return NS_OK; +} + +NS_IMETHODIMP CommonSocketControl::Claim() { return NS_ERROR_NOT_IMPLEMENTED; } + +NS_IMETHODIMP CommonSocketControl::SetBrowserId(uint64_t) { + return NS_ERROR_NOT_IMPLEMENTED; +} + +NS_IMETHODIMP CommonSocketControl::GetBrowserId(uint64_t*) { + return NS_ERROR_NOT_IMPLEMENTED; +} diff --git a/security/manager/ssl/CommonSocketControl.h b/security/manager/ssl/CommonSocketControl.h new file mode 100644 index 0000000000..ca0bf2bcf7 --- /dev/null +++ b/security/manager/ssl/CommonSocketControl.h @@ -0,0 +1,191 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef CommonSocketControl_h +#define CommonSocketControl_h + +#include "CertVerifier.h" +#include "TransportSecurityInfo.h" +#include "mozilla/Maybe.h" +#include "mozilla/net/SSLTokensCache.h" +#include "nsIInterfaceRequestor.h" +#include "nsITLSSocketControl.h" +#include "nsSocketTransportService2.h" + +#if defined(MOZ_DIAGNOSTIC_ASSERT_ENABLED) +# include "prthread.h" +# define COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD() \ + MOZ_DIAGNOSTIC_ASSERT(mOwningThread == PR_GetCurrentThread()) +#else +# define COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD() \ + do { \ + } while (false) +#endif + +// CommonSocketControl is the base class that implements nsITLSSocketControl. +// Various concrete TLS socket control implementations inherit from this class. +// Currently these implementations consist of NSSSocketControl (a socket +// control for NSS) and QuicSocketControl (a socket control for quic). +// NB: these classes must only be used on the socket thread (the one exception +// being tests that incidentally use CommonSocketControl on the main thread +// (and only the main thread)). This is enforced via the macro +// COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD() that should be called at the +// beginning of every function in this class and all subclasses. +class CommonSocketControl : public nsITLSSocketControl { + public: + NS_DECL_THREADSAFE_ISUPPORTS + NS_DECL_NSITLSSOCKETCONTROL + + CommonSocketControl(const nsCString& aHostName, int32_t aPort, + uint32_t aProviderFlags); + + // Use "errorCode" 0 to indicate success. + virtual void SetCertVerificationResult(PRErrorCode errorCode) { + MOZ_ASSERT_UNREACHABLE("Subclasses must override this."); + } + + const nsACString& GetHostName() { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + return mHostName; + } + int32_t GetPort() { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + return mPort; + } + void SetMadeOCSPRequests(bool aMadeOCSPRequests) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + mMadeOCSPRequests = aMadeOCSPRequests; + } + bool GetMadeOCSPRequests() { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + return mMadeOCSPRequests; + } + void SetUsedPrivateDNS(bool aUsedPrivateDNS) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + mUsedPrivateDNS = aUsedPrivateDNS; + } + bool GetUsedPrivateDNS() { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + return mUsedPrivateDNS; + } + + void SetServerCert(const nsCOMPtr<nsIX509Cert>& aServerCert, + mozilla::psm::EVStatus aEVStatus); + already_AddRefed<nsIX509Cert> GetServerCert() { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + return do_AddRef(mServerCert); + } + bool HasServerCert() { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + return mServerCert != nullptr; + } + void SetStatusErrorBits(const nsCOMPtr<nsIX509Cert>& cert, + nsITransportSecurityInfo::OverridableErrorCategory + overridableErrorCategory); + bool HasUserOverriddenCertificateError() { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + return mOverridableErrorCategory.isSome() && + *mOverridableErrorCategory != + nsITransportSecurityInfo::OverridableErrorCategory::ERROR_UNSET; + } + void SetSucceededCertChain(nsTArray<nsTArray<uint8_t>>&& certList); + void SetFailedCertChain(nsTArray<nsTArray<uint8_t>>&& certList); + void SetIsBuiltCertChainRootBuiltInRoot( + bool aIsBuiltCertChainRootBuiltInRoot) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + mIsBuiltCertChainRootBuiltInRoot = aIsBuiltCertChainRootBuiltInRoot; + } + void SetCertificateTransparencyStatus( + uint16_t aCertificateTransparencyStatus) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + mCertificateTransparencyStatus = aCertificateTransparencyStatus; + } + void SetOriginAttributes(const mozilla::OriginAttributes& aOriginAttributes) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + mOriginAttributes = aOriginAttributes; + } + mozilla::OriginAttributes& GetOriginAttributes() { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + return mOriginAttributes; + } + + void SetSecurityState(uint32_t aSecurityState) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + mSecurityState = aSecurityState; + } + void SetResumed(bool aResumed) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + mResumed = aResumed; + } + + uint32_t GetProviderFlags() const { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + return mProviderFlags; + } + void SetSSLVersionUsed(uint16_t version) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + mSSLVersionUsed = version; + } + void SetSessionCacheInfo(mozilla::net::SessionCacheInfo&& aInfo) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + mSessionCacheInfo.reset(); + mSessionCacheInfo.emplace(std::move(aInfo)); + } + void RebuildCertificateInfoFromSSLTokenCache(); + void SetCanceled(PRErrorCode errorCode); + bool IsCanceled() { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + return mCanceled; + } + int32_t GetErrorCode(); + + protected: + virtual ~CommonSocketControl() = default; + + nsCString mHostName; + int32_t mPort; + mozilla::OriginAttributes mOriginAttributes; + + bool mCanceled; + mozilla::Maybe<mozilla::net::SessionCacheInfo> mSessionCacheInfo; + bool mHandshakeCompleted; + bool mJoined; + bool mSentClientCert; + bool mFailedVerification; + uint16_t mSSLVersionUsed; + uint32_t mProviderFlags; + + // Fields used to build a TransportSecurityInfo + uint32_t mSecurityState; + PRErrorCode mErrorCode; + // Peer cert chain for failed connections. + nsTArray<RefPtr<nsIX509Cert>> mFailedCertChain; + nsCOMPtr<nsIX509Cert> mServerCert; + nsTArray<RefPtr<nsIX509Cert>> mSucceededCertChain; + mozilla::Maybe<uint16_t> mCipherSuite; + mozilla::Maybe<nsCString> mKeaGroupName; + mozilla::Maybe<nsCString> mSignatureSchemeName; + mozilla::Maybe<uint16_t> mProtocolVersion; + uint16_t mCertificateTransparencyStatus; + mozilla::Maybe<bool> mIsAcceptedEch; + mozilla::Maybe<bool> mIsDelegatedCredential; + mozilla::Maybe<nsITransportSecurityInfo::OverridableErrorCategory> + mOverridableErrorCategory; + bool mMadeOCSPRequests; + bool mUsedPrivateDNS; + mozilla::Maybe<bool> mIsEV; + bool mNPNCompleted; + nsCString mNegotiatedNPN; + bool mResumed; + bool mIsBuiltCertChainRootBuiltInRoot; + nsCString mPeerId; + +#if defined(MOZ_DIAGNOSTIC_ASSERT_ENABLED) + const PRThread* mOwningThread; +#endif +}; + +#endif // CommonSocketControl_h diff --git a/security/manager/ssl/ContentSignatureVerifier.cpp b/security/manager/ssl/ContentSignatureVerifier.cpp new file mode 100644 index 0000000000..bc0a7c5d06 --- /dev/null +++ b/security/manager/ssl/ContentSignatureVerifier.cpp @@ -0,0 +1,454 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "ContentSignatureVerifier.h" + +#include "AppTrustDomain.h" +#include "CryptoTask.h" +#include "ScopedNSSTypes.h" +#include "SharedCertVerifier.h" +#include "cryptohi.h" +#include "keyhi.h" +#include "mozilla/Base64.h" +#include "mozilla/Logging.h" +#include "mozilla/dom/Promise.h" +#include "nsCOMPtr.h" +#include "nsPromiseFlatString.h" +#include "nsSecurityHeaderParser.h" +#include "nsWhitespaceTokenizer.h" +#include "mozpkix/pkix.h" +#include "mozpkix/pkixtypes.h" +#include "mozpkix/pkixutil.h" +#include "secerr.h" +#include "ssl.h" + +NS_IMPL_ISUPPORTS(ContentSignatureVerifier, nsIContentSignatureVerifier) + +using namespace mozilla; +using namespace mozilla::pkix; +using namespace mozilla::psm; +using dom::Promise; + +static LazyLogModule gCSVerifierPRLog("ContentSignatureVerifier"); +#define CSVerifier_LOG(args) MOZ_LOG(gCSVerifierPRLog, LogLevel::Debug, args) + +// Content-Signature prefix +const unsigned char kPREFIX[] = {'C', 'o', 'n', 't', 'e', 'n', 't', + '-', 'S', 'i', 'g', 'n', 'a', 't', + 'u', 'r', 'e', ':', 0}; + +class VerifyContentSignatureTask : public CryptoTask { + public: + VerifyContentSignatureTask(const nsACString& aData, + const nsACString& aCSHeader, + const nsACString& aCertChain, + const nsACString& aHostname, + AppTrustedRoot aTrustedRoot, + RefPtr<Promise>& aPromise) + : mData(aData), + mCSHeader(aCSHeader), + mCertChain(aCertChain), + mHostname(aHostname), + mTrustedRoot(aTrustedRoot), + mSignatureVerified(false), + mPromise(new nsMainThreadPtrHolder<Promise>( + "VerifyContentSignatureTask::mPromise", aPromise)) {} + + private: + virtual nsresult CalculateResult() override; + virtual void CallCallback(nsresult rv) override; + + nsCString mData; + nsCString mCSHeader; + nsCString mCertChain; + nsCString mHostname; + AppTrustedRoot mTrustedRoot; + bool mSignatureVerified; + nsMainThreadPtrHandle<Promise> mPromise; +}; + +NS_IMETHODIMP +ContentSignatureVerifier::AsyncVerifyContentSignature( + const nsACString& aData, const nsACString& aCSHeader, + const nsACString& aCertChain, const nsACString& aHostname, + AppTrustedRoot aTrustedRoot, JSContext* aCx, Promise** aPromise) { + NS_ENSURE_ARG_POINTER(aCx); + + nsIGlobalObject* globalObject = xpc::CurrentNativeGlobal(aCx); + if (NS_WARN_IF(!globalObject)) { + return NS_ERROR_UNEXPECTED; + } + + ErrorResult result; + RefPtr<Promise> promise = Promise::Create(globalObject, result); + if (NS_WARN_IF(result.Failed())) { + return result.StealNSResult(); + } + + RefPtr<VerifyContentSignatureTask> task(new VerifyContentSignatureTask( + aData, aCSHeader, aCertChain, aHostname, aTrustedRoot, promise)); + nsresult rv = task->Dispatch(); + if (NS_FAILED(rv)) { + return rv; + } + + promise.forget(aPromise); + return NS_OK; +} + +static nsresult VerifyContentSignatureInternal( + const nsACString& aData, const nsACString& aCSHeader, + const nsACString& aCertChain, const nsACString& aHostname, + AppTrustedRoot aTrustedRoot, + /* out */ + mozilla::Telemetry::LABELS_CONTENT_SIGNATURE_VERIFICATION_ERRORS& + aErrorLabel, + /* out */ nsACString& aCertFingerprint, /* out */ uint32_t& aErrorValue); +static nsresult ParseContentSignatureHeader( + const nsACString& aContentSignatureHeader, + /* out */ nsCString& aSignature); + +nsresult VerifyContentSignatureTask::CalculateResult() { + // 3 is the default, non-specific, "something failed" error. + Telemetry::LABELS_CONTENT_SIGNATURE_VERIFICATION_ERRORS errorLabel = + Telemetry::LABELS_CONTENT_SIGNATURE_VERIFICATION_ERRORS::err3; + nsAutoCString certFingerprint; + uint32_t errorValue = 3; + nsresult rv = VerifyContentSignatureInternal( + mData, mCSHeader, mCertChain, mHostname, mTrustedRoot, errorLabel, + certFingerprint, errorValue); + if (NS_FAILED(rv)) { + CSVerifier_LOG(("CSVerifier: Signature verification failed")); + if (certFingerprint.Length() > 0) { + Telemetry::AccumulateCategoricalKeyed(certFingerprint, errorLabel); + } + Accumulate(Telemetry::CONTENT_SIGNATURE_VERIFICATION_STATUS, errorValue); + if (rv == NS_ERROR_INVALID_SIGNATURE) { + return NS_OK; + } + return rv; + } + + mSignatureVerified = true; + Accumulate(Telemetry::CONTENT_SIGNATURE_VERIFICATION_STATUS, 0); + + return NS_OK; +} + +void VerifyContentSignatureTask::CallCallback(nsresult rv) { + if (NS_FAILED(rv)) { + mPromise->MaybeReject(rv); + } else { + mPromise->MaybeResolve(mSignatureVerified); + } +} + +bool IsNewLine(char16_t c) { return c == '\n' || c == '\r'; } + +nsresult ReadChainIntoCertList(const nsACString& aCertChain, + nsTArray<nsTArray<uint8_t>>& aCertList) { + bool inBlock = false; + bool certFound = false; + + const nsCString header = "-----BEGIN CERTIFICATE-----"_ns; + const nsCString footer = "-----END CERTIFICATE-----"_ns; + + nsCWhitespaceTokenizerTemplate<IsNewLine> tokenizer(aCertChain); + + nsAutoCString blockData; + while (tokenizer.hasMoreTokens()) { + nsDependentCSubstring token = tokenizer.nextToken(); + if (token.IsEmpty()) { + continue; + } + if (inBlock) { + if (token.Equals(footer)) { + inBlock = false; + certFound = true; + // base64 decode data, make certs, append to chain + nsAutoCString derString; + nsresult rv = Base64Decode(blockData, derString); + if (NS_FAILED(rv)) { + CSVerifier_LOG(("CSVerifier: decoding the signature failed")); + return rv; + } + nsTArray<uint8_t> derBytes(derString.Data(), derString.Length()); + aCertList.AppendElement(std::move(derBytes)); + } else { + blockData.Append(token); + } + } else if (token.Equals(header)) { + inBlock = true; + blockData = ""; + } + } + if (inBlock || !certFound) { + // the PEM data did not end; bad data. + CSVerifier_LOG(("CSVerifier: supplied chain contains bad data")); + return NS_ERROR_FAILURE; + } + return NS_OK; +} + +// Given data to verify, a content signature header value, a string representing +// a list of PEM-encoded certificates, and a hostname to validate the +// certificates against, this function attempts to validate the certificate +// chain, extract the signature from the header, and verify the data using the +// key in the end-entity certificate from the chain. Returns NS_OK if everything +// is satisfactory and a failing nsresult otherwise. The output parameters are +// filled with telemetry data to report in the case of failures. +static nsresult VerifyContentSignatureInternal( + const nsACString& aData, const nsACString& aCSHeader, + const nsACString& aCertChain, const nsACString& aHostname, + AppTrustedRoot aTrustedRoot, + /* out */ + Telemetry::LABELS_CONTENT_SIGNATURE_VERIFICATION_ERRORS& aErrorLabel, + /* out */ nsACString& aCertFingerprint, + /* out */ uint32_t& aErrorValue) { + nsTArray<nsTArray<uint8_t>> certList; + nsresult rv = ReadChainIntoCertList(aCertChain, certList); + if (NS_FAILED(rv)) { + return rv; + } + if (certList.Length() < 1) { + return NS_ERROR_FAILURE; + } + // The 0th element should be the end-entity that issued the content + // signature. + nsTArray<uint8_t>& certBytes(certList.ElementAt(0)); + Input certInput; + mozilla::pkix::Result result = + certInput.Init(certBytes.Elements(), certBytes.Length()); + if (result != Success) { + return NS_ERROR_FAILURE; + } + + // Get EE certificate fingerprint for telemetry. + unsigned char fingerprint[SHA256_LENGTH] = {0}; + SECStatus srv = + PK11_HashBuf(SEC_OID_SHA256, fingerprint, certInput.UnsafeGetData(), + certInput.GetLength()); + if (srv != SECSuccess) { + return NS_ERROR_FAILURE; + } + SECItem fingerprintItem = {siBuffer, fingerprint, SHA256_LENGTH}; + UniquePORTString tmpFingerprintString( + CERT_Hexify(&fingerprintItem, false /* don't use colon delimiters */)); + if (!tmpFingerprintString) { + return NS_ERROR_OUT_OF_MEMORY; + } + aCertFingerprint.Assign(tmpFingerprintString.get()); + + nsTArray<Span<const uint8_t>> certSpans; + // Collect just the CAs. + for (size_t i = 1; i < certList.Length(); i++) { + Span<const uint8_t> certSpan(certList.ElementAt(i).Elements(), + certList.ElementAt(i).Length()); + certSpans.AppendElement(std::move(certSpan)); + } + AppTrustDomain trustDomain(std::move(certSpans)); + rv = trustDomain.SetTrustedRoot(aTrustedRoot); + if (NS_FAILED(rv)) { + return rv; + } + // Check the signerCert chain is good + result = BuildCertChain( + trustDomain, certInput, Now(), EndEntityOrCA::MustBeEndEntity, + KeyUsage::noParticularKeyUsageRequired, KeyPurposeId::id_kp_codeSigning, + CertPolicyId::anyPolicy, nullptr /*stapledOCSPResponse*/); + if (result != Success) { + // if there was a library error, return an appropriate error + if (IsFatalError(result)) { + return NS_ERROR_FAILURE; + } + // otherwise, assume the signature was invalid + if (result == mozilla::pkix::Result::ERROR_EXPIRED_CERTIFICATE) { + aErrorLabel = + Telemetry::LABELS_CONTENT_SIGNATURE_VERIFICATION_ERRORS::err4; + aErrorValue = 4; + } else if (result == + mozilla::pkix::Result::ERROR_NOT_YET_VALID_CERTIFICATE) { + aErrorLabel = + Telemetry::LABELS_CONTENT_SIGNATURE_VERIFICATION_ERRORS::err5; + aErrorValue = 5; + } else { + // Building cert chain failed for some other reason. + aErrorLabel = + Telemetry::LABELS_CONTENT_SIGNATURE_VERIFICATION_ERRORS::err6; + aErrorValue = 6; + } + CSVerifier_LOG(("CSVerifier: The supplied chain is bad (%s)", + MapResultToName(result))); + return NS_ERROR_INVALID_SIGNATURE; + } + + // Check the SAN + Input hostnameInput; + + result = hostnameInput.Init( + BitwiseCast<const uint8_t*, const char*>(aHostname.BeginReading()), + aHostname.Length()); + if (result != Success) { + return NS_ERROR_FAILURE; + } + + result = CheckCertHostname(certInput, hostnameInput); + if (result != Success) { + // EE cert isnot valid for the given host name. + aErrorLabel = Telemetry::LABELS_CONTENT_SIGNATURE_VERIFICATION_ERRORS::err7; + aErrorValue = 7; + return NS_ERROR_INVALID_SIGNATURE; + } + + pkix::BackCert backCert(certInput, EndEntityOrCA::MustBeEndEntity, nullptr); + result = backCert.Init(); + // This should never fail, because we've already built a verified certificate + // chain with this certificate. + if (result != Success) { + aErrorLabel = Telemetry::LABELS_CONTENT_SIGNATURE_VERIFICATION_ERRORS::err8; + aErrorValue = 8; + CSVerifier_LOG(("CSVerifier: couldn't decode certificate to get spki")); + return NS_ERROR_INVALID_SIGNATURE; + } + Input spkiInput = backCert.GetSubjectPublicKeyInfo(); + SECItem spkiItem = {siBuffer, const_cast<uint8_t*>(spkiInput.UnsafeGetData()), + spkiInput.GetLength()}; + UniqueCERTSubjectPublicKeyInfo spki( + SECKEY_DecodeDERSubjectPublicKeyInfo(&spkiItem)); + if (!spki) { + aErrorLabel = Telemetry::LABELS_CONTENT_SIGNATURE_VERIFICATION_ERRORS::err8; + aErrorValue = 8; + CSVerifier_LOG(("CSVerifier: couldn't decode spki")); + return NS_ERROR_INVALID_SIGNATURE; + } + mozilla::UniqueSECKEYPublicKey key(SECKEY_ExtractPublicKey(spki.get())); + if (!key) { + aErrorLabel = Telemetry::LABELS_CONTENT_SIGNATURE_VERIFICATION_ERRORS::err8; + aErrorValue = 8; + CSVerifier_LOG(("CSVerifier: unable to extract a key")); + return NS_ERROR_INVALID_SIGNATURE; + } + + nsAutoCString signature; + rv = ParseContentSignatureHeader(aCSHeader, signature); + if (NS_FAILED(rv)) { + return rv; + } + + // Base 64 decode the signature + nsAutoCString rawSignature; + rv = Base64Decode(signature, rawSignature); + if (NS_FAILED(rv)) { + CSVerifier_LOG(("CSVerifier: decoding the signature failed")); + return rv; + } + + // get signature object + ScopedAutoSECItem signatureItem; + SECItem rawSignatureItem = { + siBuffer, + BitwiseCast<unsigned char*, const char*>(rawSignature.get()), + uint32_t(rawSignature.Length()), + }; + // We have a raw ecdsa signature r||s so we have to DER-encode it first + // Note that we have to check rawSignatureItem->len % 2 here as + // DSAU_EncodeDerSigWithLen asserts this + if (rawSignatureItem.len == 0 || rawSignatureItem.len % 2 != 0) { + CSVerifier_LOG(("CSVerifier: signature length is bad")); + return NS_ERROR_FAILURE; + } + if (DSAU_EncodeDerSigWithLen(&signatureItem, &rawSignatureItem, + rawSignatureItem.len) != SECSuccess) { + CSVerifier_LOG(("CSVerifier: encoding the signature failed")); + return NS_ERROR_FAILURE; + } + + // this is the only OID we support for now + SECOidTag oid = SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE; + mozilla::UniqueVFYContext cx( + VFY_CreateContext(key.get(), &signatureItem, oid, nullptr)); + if (!cx) { + // Creating context failed. + aErrorLabel = Telemetry::LABELS_CONTENT_SIGNATURE_VERIFICATION_ERRORS::err9; + aErrorValue = 9; + return NS_ERROR_INVALID_SIGNATURE; + } + + if (VFY_Begin(cx.get()) != SECSuccess) { + // Creating context failed. + aErrorLabel = Telemetry::LABELS_CONTENT_SIGNATURE_VERIFICATION_ERRORS::err9; + aErrorValue = 9; + return NS_ERROR_INVALID_SIGNATURE; + } + if (VFY_Update(cx.get(), kPREFIX, sizeof(kPREFIX)) != SECSuccess) { + aErrorLabel = Telemetry::LABELS_CONTENT_SIGNATURE_VERIFICATION_ERRORS::err1; + aErrorValue = 1; + return NS_ERROR_INVALID_SIGNATURE; + } + if (VFY_Update(cx.get(), + reinterpret_cast<const unsigned char*>(aData.BeginReading()), + aData.Length()) != SECSuccess) { + aErrorLabel = Telemetry::LABELS_CONTENT_SIGNATURE_VERIFICATION_ERRORS::err1; + aErrorValue = 1; + return NS_ERROR_INVALID_SIGNATURE; + } + if (VFY_End(cx.get()) != SECSuccess) { + aErrorLabel = Telemetry::LABELS_CONTENT_SIGNATURE_VERIFICATION_ERRORS::err1; + aErrorValue = 1; + return NS_ERROR_INVALID_SIGNATURE; + } + + return NS_OK; +} + +static nsresult ParseContentSignatureHeader( + const nsACString& aContentSignatureHeader, + /* out */ nsCString& aSignature) { + // We only support p384 ecdsa. + constexpr auto signature_var = "p384ecdsa"_ns; + + aSignature.Truncate(); + + const nsCString& flatHeader = PromiseFlatCString(aContentSignatureHeader); + nsSecurityHeaderParser parser(flatHeader); + nsresult rv = parser.Parse(); + if (NS_FAILED(rv)) { + CSVerifier_LOG(("CSVerifier: could not parse ContentSignature header")); + return NS_ERROR_FAILURE; + } + LinkedList<nsSecurityHeaderDirective>* directives = parser.GetDirectives(); + + for (nsSecurityHeaderDirective* directive = directives->getFirst(); + directive != nullptr; directive = directive->getNext()) { + CSVerifier_LOG( + ("CSVerifier: found directive '%s'", directive->mName.get())); + if (directive->mName.EqualsIgnoreCase(signature_var)) { + if (!aSignature.IsEmpty()) { + CSVerifier_LOG(("CSVerifier: found two ContentSignatures")); + return NS_ERROR_INVALID_SIGNATURE; + } + + CSVerifier_LOG(("CSVerifier: found a ContentSignature directive")); + aSignature.Assign(directive->mValue); + } + } + + // we have to ensure that we found a signature at this point + if (aSignature.IsEmpty()) { + CSVerifier_LOG( + ("CSVerifier: got a Content-Signature header but didn't find a " + "signature.")); + return NS_ERROR_FAILURE; + } + + // Bug 769521: We have to change b64 url to regular encoding as long as we + // don't have a b64 url decoder. This should change soon, but in the meantime + // we have to live with this. + aSignature.ReplaceChar('-', '+'); + aSignature.ReplaceChar('_', '/'); + + return NS_OK; +} diff --git a/security/manager/ssl/ContentSignatureVerifier.h b/security/manager/ssl/ContentSignatureVerifier.h new file mode 100644 index 0000000000..a10c9fe89c --- /dev/null +++ b/security/manager/ssl/ContentSignatureVerifier.h @@ -0,0 +1,32 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef ContentSignatureVerifier_h +#define ContentSignatureVerifier_h + +#include "nsIContentSignatureVerifier.h" +#include "nsString.h" + +// 45a5fe2f-c350-4b86-962d-02d5aaaa955a +#define NS_CONTENTSIGNATUREVERIFIER_CID \ + { \ + 0x45a5fe2f, 0xc350, 0x4b86, { \ + 0x96, 0x2d, 0x02, 0xd5, 0xaa, 0xaa, 0x95, 0x5a \ + } \ + } +#define NS_CONTENTSIGNATUREVERIFIER_CONTRACTID \ + "@mozilla.org/security/contentsignatureverifier;1" + +class ContentSignatureVerifier final : public nsIContentSignatureVerifier { + public: + NS_DECL_ISUPPORTS + NS_DECL_NSICONTENTSIGNATUREVERIFIER + + private: + ~ContentSignatureVerifier() = default; +}; + +#endif // ContentSignatureVerifier_h diff --git a/security/manager/ssl/CredentialManagerSecret.cpp b/security/manager/ssl/CredentialManagerSecret.cpp new file mode 100644 index 0000000000..ec25b8731f --- /dev/null +++ b/security/manager/ssl/CredentialManagerSecret.cpp @@ -0,0 +1,103 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "CredentialManagerSecret.h" + +#include <windows.h> +#include <wincred.h> + +#include "mozilla/Logging.h" +#include "mozilla/SyncRunnable.h" + +// This is the implementation of CredentialManagerSecretSecret, an instantiation +// of OSKeyStore for Windows. It uses the system credential manager, hence the +// name. + +using namespace mozilla; + +LazyLogModule gCredentialManagerSecretLog("credentialmanagersecret"); +struct ScopedDelete { + void operator()(CREDENTIALA* cred) { CredFree(cred); } +}; + +template <class T> +struct ScopedMaybeDelete { + void operator()(T* ptr) { + if (ptr) { + ScopedDelete del; + del(ptr); + } + } +}; +typedef std::unique_ptr<CREDENTIALA, ScopedMaybeDelete<CREDENTIALA>> + ScopedCREDENTIALA; + +CredentialManagerSecret::CredentialManagerSecret() {} + +CredentialManagerSecret::~CredentialManagerSecret() {} + +nsresult CredentialManagerSecret::StoreSecret(const nsACString& aSecret, + const nsACString& aLabel) { + if (aSecret.Length() > CRED_MAX_CREDENTIAL_BLOB_SIZE) { + // Windows doesn't allow blobs larger than CRED_MAX_CREDENTIAL_BLOB_SIZE + // bytes. + MOZ_LOG(gCredentialManagerSecretLog, LogLevel::Debug, + ("StoreSecret secret must not be larger than 512 bytes (got %zd)", + aSecret.Length())); + return NS_ERROR_FAILURE; + } + CREDENTIALA cred = {0}; + cred.Type = CRED_TYPE_GENERIC; + const nsCString& label = PromiseFlatCString(aLabel); + cred.TargetName = const_cast<LPSTR>(label.get()); + cred.CredentialBlobSize = aSecret.Length(); + const nsCString& secret = PromiseFlatCString(aSecret); + cred.CredentialBlob = (LPBYTE)secret.get(); + cred.Persist = CRED_PERSIST_LOCAL_MACHINE; + cred.UserName = const_cast<char*>(""); // -Wwritable-strings + + // https://docs.microsoft.com/en-us/windows/desktop/api/wincred/nf-wincred-credwritea + BOOL ok = CredWriteA(&cred, 0); + if (!ok) { + MOZ_LOG(gCredentialManagerSecretLog, LogLevel::Debug, + ("CredWriteW failed %lu", GetLastError())); + return NS_ERROR_FAILURE; + } + return NS_OK; +} + +nsresult CredentialManagerSecret::DeleteSecret(const nsACString& aLabel) { + // https://docs.microsoft.com/en-us/windows/desktop/api/wincred/nf-wincred-creddeletea + const nsCString& label = PromiseFlatCString(aLabel); + BOOL ok = CredDeleteA(label.get(), CRED_TYPE_GENERIC, 0); + int error = GetLastError(); + if (!ok && error != ERROR_NOT_FOUND) { + MOZ_LOG(gCredentialManagerSecretLog, LogLevel::Debug, + ("CredDeleteA failed %d", error)); + return NS_ERROR_FAILURE; + } + return NS_OK; +} + +nsresult CredentialManagerSecret::RetrieveSecret( + const nsACString& aLabel, + /* out */ nsACString& aSecret) { + aSecret.Truncate(); + PCREDENTIALA pcred_raw = nullptr; + const nsCString& label = PromiseFlatCString(aLabel); + // https://docs.microsoft.com/en-us/windows/desktop/api/wincred/nf-wincred-credreada + BOOL ok = CredReadA(label.get(), CRED_TYPE_GENERIC, 0, &pcred_raw); + ScopedCREDENTIALA pcred(pcred_raw); + if (!ok) { + MOZ_LOG(gCredentialManagerSecretLog, LogLevel::Debug, + ("CredReadA failed %lu", GetLastError())); + return NS_ERROR_FAILURE; + } + MOZ_ASSERT(pcred); + aSecret.Assign(reinterpret_cast<const char*>(pcred->CredentialBlob), + pcred->CredentialBlobSize); + return NS_OK; +} diff --git a/security/manager/ssl/CredentialManagerSecret.h b/security/manager/ssl/CredentialManagerSecret.h new file mode 100644 index 0000000000..7f94493edc --- /dev/null +++ b/security/manager/ssl/CredentialManagerSecret.h @@ -0,0 +1,26 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef CredentialManagerSecret_h +#define CredentialManagerSecret_h + +#include "OSKeyStore.h" +#include "nsString.h" + +class CredentialManagerSecret final : public AbstractOSKeyStore { + public: + CredentialManagerSecret(); + + virtual nsresult RetrieveSecret(const nsACString& label, + /* out */ nsACString& secret) override; + virtual nsresult StoreSecret(const nsACString& secret, + const nsACString& label) override; + virtual nsresult DeleteSecret(const nsACString& label) override; + + virtual ~CredentialManagerSecret(); +}; + +#endif // CredentialManagerSecret_h diff --git a/security/manager/ssl/CryptoTask.cpp b/security/manager/ssl/CryptoTask.cpp new file mode 100644 index 0000000000..a466a374f6 --- /dev/null +++ b/security/manager/ssl/CryptoTask.cpp @@ -0,0 +1,43 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this file, + * You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "CryptoTask.h" +#include "nsNSSComponent.h" +#include "nsNetCID.h" + +namespace mozilla { + +nsresult CryptoTask::Dispatch() { + // Ensure that NSS is initialized, since presumably CalculateResult + // will use NSS functions + if (!EnsureNSSInitializedChromeOrContent()) { + return NS_ERROR_FAILURE; + } + + // The stream transport service (note: not the socket transport service) can + // be used to perform background tasks or I/O that would otherwise block the + // main thread. + nsCOMPtr<nsIEventTarget> target( + do_GetService(NS_STREAMTRANSPORTSERVICE_CONTRACTID)); + if (!target) { + return NS_ERROR_FAILURE; + } + return target->Dispatch(this, NS_DISPATCH_NORMAL); +} + +NS_IMETHODIMP +CryptoTask::Run() { + if (!NS_IsMainThread()) { + mRv = CalculateResult(); + NS_DispatchToMainThread(this); + } else { + // back on the main thread + CallCallback(mRv); + } + return NS_OK; +} + +} // namespace mozilla diff --git a/security/manager/ssl/CryptoTask.h b/security/manager/ssl/CryptoTask.h new file mode 100644 index 0000000000..2cbd082d7a --- /dev/null +++ b/security/manager/ssl/CryptoTask.h @@ -0,0 +1,52 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this file, + * You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef mozilla__CryptoTask_h +#define mozilla__CryptoTask_h + +#include "mozilla/Attributes.h" +#include "nsThreadUtils.h" + +namespace mozilla { + +/** + * Frequently we need to run a task on a background thread without blocking + * the main thread, and then call a callback on the main thread with the + * result. This class provides the framework for that. Subclasses must: + * + * (1) Override CalculateResult for the off-the-main-thread computation. + * (2) Override CallCallback() for the on-the-main-thread call of the + * callback. + */ +class CryptoTask : public Runnable { + public: + nsresult Dispatch(); + + protected: + CryptoTask() : Runnable("CryptoTask"), mRv(NS_ERROR_NOT_INITIALIZED) {} + + virtual ~CryptoTask() = default; + + /** + * Called on a background thread (never the main thread). Its result will be + * passed to CallCallback on the main thread. + */ + virtual nsresult CalculateResult() = 0; + + /** + * Called on the main thread with the result from CalculateResult(). + */ + virtual void CallCallback(nsresult rv) = 0; + + private: + NS_IMETHOD Run() final; + + nsresult mRv; +}; + +} // namespace mozilla + +#endif // mozilla__CryptoTask_h diff --git a/security/manager/ssl/DER.sys.mjs b/security/manager/ssl/DER.sys.mjs new file mode 100644 index 0000000000..3620cf9f29 --- /dev/null +++ b/security/manager/ssl/DER.sys.mjs @@ -0,0 +1,333 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +// A minimal ASN.1 DER decoder. Supports input lengths up to 65539 (one byte for +// the outer tag, one byte for the 0x82 length-length indicator, two bytes +// indicating a contents length of 65535, and then the 65535 bytes of contents). +// Intended to be used like so: +// +// let bytes = <an array of bytes describing a SEQUENCE OF INTEGER>; +// let der = new DER.DERDecoder(bytes); +// let contents = new DER.DERDecoder(der.readTagAndGetContents(DER.SEQUENCE)); +// while (!contents.atEnd()) { +// let integerBytes = contents.readTagAndGetContents(DER.INTEGER); +// <... do something with integerBytes ...> +// } +// der.assertAtEnd(); +// +// For CHOICE, use readTLVChoice and pass an array of acceptable tags. +// The convenience function readBIT_STRING is provided to handle the unused bits +// aspect of BIT STRING. It returns an object that has the properties contents +// (an array of bytes consisting of the bytes making up the BIT STRING) and +// unusedBits (indicating the number of unused bits at the end). +// All other functions generally return an array of bytes or a single byte as +// appropriate. +// peekTag can be used to see if the next tag is an expected given tag. +// readTLV reads and returns an entire (tag, length, value) tuple (again +// returned as an array of bytes). +// +// NB: While DERDecoder must be given an array, it does not validate that each +// element in the array is an integer in the range [0, 255]. If the input to be +// decoded could conceivably violate this property, callers should perform this +// check before using DERDecoder. + +const UNIVERSAL = 0 << 6; +const CONSTRUCTED = 1 << 5; +const CONTEXT_SPECIFIC = 2 << 6; + +const INTEGER = UNIVERSAL | 0x02; // 0x02 +const BIT_STRING = UNIVERSAL | 0x03; // 0x03 +const NULL = UNIVERSAL | 0x05; // 0x05 +const OBJECT_IDENTIFIER = UNIVERSAL | 0x06; // 0x06 +const PrintableString = UNIVERSAL | 0x13; // 0x13 +const TeletexString = UNIVERSAL | 0x14; // 0x14 +const IA5String = UNIVERSAL | 0x16; // 0x16 +const UTCTime = UNIVERSAL | 0x17; // 0x17 +const GeneralizedTime = UNIVERSAL | 0x18; // 0x18 +const UTF8String = UNIVERSAL | 0x0c; // 0x0c +const SEQUENCE = UNIVERSAL | CONSTRUCTED | 0x10; // 0x30 +const SET = UNIVERSAL | CONSTRUCTED | 0x11; // 0x31 + +const ERROR_INVALID_INPUT = "invalid input"; +const ERROR_DATA_TRUNCATED = "data truncated"; +const ERROR_EXTRA_DATA = "extra data"; +const ERROR_INVALID_LENGTH = "invalid length"; +const ERROR_UNSUPPORTED_ASN1 = "unsupported asn.1"; +const ERROR_UNSUPPORTED_LENGTH = "unsupported length"; +const ERROR_INVALID_BIT_STRING = "invalid BIT STRING encoding"; + +/** Class representing a decoded BIT STRING. */ +class BitString { + /** + * @param {number} unusedBits the number of unused bits + * @param {number[]} contents an array of bytes comprising the BIT STRING + */ + constructor(unusedBits, contents) { + this._unusedBits = unusedBits; + this._contents = contents; + } + + /** + * Get the number of unused bits in the BIT STRING + * + * @returns {number} the number of unused bits + */ + get unusedBits() { + return this._unusedBits; + } + + /** + * Get the contents of the BIT STRING + * + * @returns {number[]} an array of bytes representing the contents + */ + get contents() { + return this._contents; + } +} + +/** Class representing DER-encoded data. Provides methods for decoding it. */ +class DERDecoder { + /** + * @param {number[]} bytes an array of bytes representing the encoded data + */ + constructor(bytes) { + // Reject non-array inputs. + if (!Array.isArray(bytes)) { + throw new Error(ERROR_INVALID_INPUT); + } + if (bytes.length > 65539) { + throw new Error(ERROR_UNSUPPORTED_LENGTH); + } + this._bytes = bytes; + this._cursor = 0; + } + + /** + * Asserts that the decoder is at the end of the given data. Throws an error + * if this is not the case. + */ + assertAtEnd() { + if (!this.atEnd()) { + throw new Error(ERROR_EXTRA_DATA); + } + } + + /** + * Determines whether or not the decoder is at the end of the given data. + * + * @returns {boolean} true if the decoder is at the end and false otherwise + */ + atEnd() { + return this._cursor == this._bytes.length; + } + + /** + * Reads the next byte of data. Throws if no more data is available. + * + * @returns {number} the next byte of data + */ + readByte() { + if (this._cursor >= this._bytes.length) { + throw new Error(ERROR_DATA_TRUNCATED); + } + let val = this._bytes[this._cursor]; + this._cursor++; + return val; + } + + /** + * Given the next expected tag, reads and asserts that the next tag is in fact + * the given tag. + * + * @param {number} expectedTag the expected next tag + */ + _readExpectedTag(expectedTag) { + let tag = this.readByte(); + if (tag != expectedTag) { + throw new Error(`unexpected tag: found ${tag} instead of ${expectedTag}`); + } + } + + /** + * Decodes and returns the length portion of an ASN.1 TLV tuple. Throws if the + * length is incorrectly encoded or if it describes a length greater than + * 65535 bytes. Indefinite-length encoding is not supported. + * + * @returns {number} the length of the value of the TLV tuple + */ + _readLength() { + let nextByte = this.readByte(); + if (nextByte < 0x80) { + return nextByte; + } + if (nextByte == 0x80) { + throw new Error(ERROR_UNSUPPORTED_ASN1); + } + if (nextByte == 0x81) { + let length = this.readByte(); + if (length < 0x80) { + throw new Error(ERROR_INVALID_LENGTH); + } + return length; + } + if (nextByte == 0x82) { + let length1 = this.readByte(); + let length2 = this.readByte(); + let length = (length1 << 8) | length2; + if (length < 256) { + throw new Error(ERROR_INVALID_LENGTH); + } + return length; + } + throw new Error(ERROR_UNSUPPORTED_LENGTH); + } + + /** + * Reads <length> bytes of data if available. Throws if less than <length> + * bytes are available. + * + * @param {number} length the number of bytes to read. Must be non-negative. + * @returns {number[]} the next <length> bytes of data + */ + readBytes(length) { + if (length < 0) { + throw new Error(ERROR_INVALID_LENGTH); + } + if (this._cursor + length > this._bytes.length) { + throw new Error(ERROR_DATA_TRUNCATED); + } + let bytes = this._bytes.slice(this._cursor, this._cursor + length); + this._cursor += length; + return bytes; + } + + /** + * Given an expected next ASN.1 tag, ensures that that tag is next and returns + * the contents of that tag. Throws if a different tag is encountered or if + * the data is otherwise incorrectly encoded. + * + * @param {number} tag the next expected ASN.1 tag + * @returns {number[]} the contents of the tag + */ + readTagAndGetContents(tag) { + this._readExpectedTag(tag); + let length = this._readLength(); + return this.readBytes(length); + } + + /** + * Returns the next byte without advancing the decoder. Throws if no more data + * is available. + * + * @returns {number} the next available byte + */ + _peekByte() { + if (this._cursor >= this._bytes.length) { + throw new Error(ERROR_DATA_TRUNCATED); + } + return this._bytes[this._cursor]; + } + + /** + * Given an expected tag, reads the next entire ASN.1 TLV tuple, asserting + * that the tag matches. + * + * @param {number} tag the expected tag + * @returns {number[]} an array of bytes representing the TLV tuple + */ + _readExpectedTLV(tag) { + let mark = this._cursor; + this._readExpectedTag(tag); + let length = this._readLength(); + // read the bytes so we know they're there (also to advance the cursor) + this.readBytes(length); + return this._bytes.slice(mark, this._cursor); + } + + /** + * Reads the next ASN.1 tag, length, and value and returns them as an array of + * bytes. + * + * @returns {number[]} an array of bytes representing the next ASN.1 TLV + */ + readTLV() { + let nextTag = this._peekByte(); + return this._readExpectedTLV(nextTag); + } + + /** + * Convenience function for decoding a BIT STRING. Reads and returns the + * contents of the expected next BIT STRING. Throws if the next TLV isn't a + * BIT STRING or if the BIT STRING is incorrectly encoded. + * + * @returns {BitString} the next BIT STRING + */ + readBIT_STRING() { + let contents = this.readTagAndGetContents(BIT_STRING); + if (contents.length < 1) { + throw new Error(ERROR_INVALID_BIT_STRING); + } + let unusedBits = contents[0]; + if (unusedBits > 7) { + throw new Error(ERROR_INVALID_BIT_STRING); + } + // Zero bytes of content but some amount of padding is invalid. + if (contents.length == 1 && unusedBits != 0) { + throw new Error(ERROR_INVALID_BIT_STRING); + } + return new BitString(unusedBits, contents.slice(1, contents.length)); + } + + /** + * Looks to see if the next ASN.1 tag is the expected given tag. + * + * @param {number} tag the expected next ASN.1 tag + * @returns {boolean} true if the next tag is the given one and false otherwise + */ + peekTag(tag) { + if (this._cursor >= this._bytes.length) { + return false; + } + return this._bytes[this._cursor] == tag; + } + + /** + * Given a list of possible next ASN.1 tags, returns the next TLV if the next + * tag is in the list. Throws if the next tag is not in the list or if the + * data is incorrectly encoded. + * + * @param {number[]} tagList the list of potential next tags + * @returns {number[]} the contents of the next TLV if the next tag is in + * <tagList> + */ + readTLVChoice(tagList) { + let tag = this._peekByte(); + if (!tagList.includes(tag)) { + throw new Error( + `unexpected tag: found ${tag} instead of one of ${tagList}` + ); + } + return this._readExpectedTLV(tag); + } +} + +export const DER = { + UNIVERSAL, + CONSTRUCTED, + CONTEXT_SPECIFIC, + INTEGER, + BIT_STRING, + NULL, + OBJECT_IDENTIFIER, + PrintableString, + TeletexString, + IA5String, + UTCTime, + GeneralizedTime, + UTF8String, + SEQUENCE, + SET, + DERDecoder, +}; diff --git a/security/manager/ssl/DataStorageManager.cpp b/security/manager/ssl/DataStorageManager.cpp new file mode 100644 index 0000000000..a1d6daa7f8 --- /dev/null +++ b/security/manager/ssl/DataStorageManager.cpp @@ -0,0 +1,68 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "DataStorageManager.h" +#include "MainThreadUtils.h" +#include "nsIMemoryReporter.h" +#include "nsString.h" + +using VoidPtrToSizeFn = uintptr_t (*)(const void* ptr); + +extern "C" nsresult make_data_storage(const nsAString* basename, + size_t valueLength, + VoidPtrToSizeFn sizeOfOp, + VoidPtrToSizeFn enclosingSizeOfOp, + nsIDataStorage** result); + +MOZ_DEFINE_MALLOC_SIZE_OF(DataStorageMallocSizeOf) +MOZ_DEFINE_MALLOC_ENCLOSING_SIZE_OF(DataStorageMallocEnclosingSizeOf) + +namespace mozilla { + +NS_IMPL_ISUPPORTS(DataStorageManager, nsIDataStorageManager) + +NS_IMETHODIMP +DataStorageManager::Get(nsIDataStorageManager::DataStorage aDataStorage, + nsIDataStorage** aResult) { + if (!NS_IsMainThread()) { + return NS_ERROR_NOT_SAME_THREAD; + } + nsAutoString filename; + size_t valueLength = 1024; + switch (aDataStorage) { + case nsIDataStorageManager::AlternateServices: + if (mAlternateServicesCreated) { + return NS_ERROR_ALREADY_INITIALIZED; + } + mAlternateServicesCreated = true; + filename.Assign(u"AlternateServices"_ns); + break; + case nsIDataStorageManager::ClientAuthRememberList: + if (mClientAuthRememberListCreated) { + return NS_ERROR_ALREADY_INITIALIZED; + } + mClientAuthRememberListCreated = true; + filename.Assign(u"ClientAuthRememberList"_ns); + break; + case nsIDataStorageManager::SiteSecurityServiceState: + if (mSiteSecurityServiceStateCreated) { + return NS_ERROR_ALREADY_INITIALIZED; + } + mSiteSecurityServiceStateCreated = true; + filename.Assign(u"SiteSecurityServiceState"_ns); + // For most nsIDataStorage use cases, values can be quite long (1024 + // bytes by default). For HSTS, much less information is stored, so save + // space by limiting values to 24 bytes. + valueLength = 24; + break; + default: + return NS_ERROR_INVALID_ARG; + } + return make_data_storage(&filename, valueLength, &DataStorageMallocSizeOf, + &DataStorageMallocEnclosingSizeOf, aResult); +} + +} // namespace mozilla diff --git a/security/manager/ssl/DataStorageManager.h b/security/manager/ssl/DataStorageManager.h new file mode 100644 index 0000000000..3475b4d1dd --- /dev/null +++ b/security/manager/ssl/DataStorageManager.h @@ -0,0 +1,29 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef mozilla_DataStorageManager_h +#define mozilla_DataStorageManager_h + +#include "nsIDataStorage.h" + +namespace mozilla { + +class DataStorageManager final : public nsIDataStorageManager { + public: + NS_DECL_THREADSAFE_ISUPPORTS + NS_DECL_NSIDATASTORAGEMANAGER + + private: + ~DataStorageManager() = default; + + bool mAlternateServicesCreated = false; + bool mClientAuthRememberListCreated = false; + bool mSiteSecurityServiceStateCreated = false; +}; + +} // namespace mozilla + +#endif // mozilla_DataStorageManager_h diff --git a/security/manager/ssl/EnterpriseRoots.cpp b/security/manager/ssl/EnterpriseRoots.cpp new file mode 100644 index 0000000000..7fd9126ec7 --- /dev/null +++ b/security/manager/ssl/EnterpriseRoots.cpp @@ -0,0 +1,514 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "EnterpriseRoots.h" + +#include "mozilla/ArrayUtils.h" +#include "mozilla/Casting.h" +#include "mozilla/Logging.h" +#include "mozilla/Unused.h" +#include "mozpkix/Result.h" +#include "nsCRT.h" +#include "nsNSSCertHelper.h" +#include "nsThreadUtils.h" + +#ifdef MOZ_WIDGET_ANDROID +# include "mozilla/java/EnterpriseRootsWrappers.h" +#endif // MOZ_WIDGET_ANDROID + +#ifdef XP_MACOSX +# include <Security/Security.h> +# include "KeychainSecret.h" +#endif + +#ifdef XP_WIN +# include <windows.h> +# include <wincrypt.h> +#endif // XP_WIN + +extern mozilla::LazyLogModule gPIPNSSLog; + +using namespace mozilla; + +void EnterpriseCert::CopyBytes(nsTArray<uint8_t>& dest) const { + dest.Assign(mDER); +} + +pkix::Result EnterpriseCert::GetInput(pkix::Input& input) const { + return input.Init(mDER.Elements(), mDER.Length()); +} + +bool EnterpriseCert::GetIsRoot() const { return mIsRoot; } + +bool EnterpriseCert::IsKnownRoot(UniqueSECMODModule& rootsModule) { + if (!rootsModule) { + return false; + } + + SECItem certItem = {siBuffer, mDER.Elements(), + static_cast<unsigned int>(mDER.Length())}; + AutoSECMODListReadLock lock; + for (int i = 0; i < rootsModule->slotCount; i++) { + PK11SlotInfo* slot = rootsModule->slots[i]; + if (PK11_FindEncodedCertInSlot(slot, &certItem, nullptr) != + CK_INVALID_HANDLE) { + return true; + } + } + return false; +} + +#ifdef XP_WIN +struct CertStoreLocation { + const wchar_t* mName; + const bool mIsRoot; + + CertStoreLocation(const wchar_t* name, bool isRoot) + : mName(name), mIsRoot(isRoot) {} +}; + +// The documentation doesn't make this clear, but the certificate location +// identified by "ROOT" contains trusted root certificates. The certificate +// location identified by "CA" contains intermediate certificates. +const CertStoreLocation kCertStoreLocations[] = { + CertStoreLocation(L"ROOT", true), CertStoreLocation(L"CA", false)}; + +// Because HCERTSTORE is just a typedef void*, we can't use any of the nice +// scoped or unique pointer templates. To elaborate, any attempt would +// instantiate those templates with T = void. When T gets used in the context +// of T&, this results in void&, which isn't legal. +class ScopedCertStore final { + public: + explicit ScopedCertStore(HCERTSTORE certstore) : certstore(certstore) {} + + ~ScopedCertStore() { CertCloseStore(certstore, 0); } + + HCERTSTORE get() { return certstore; } + + private: + ScopedCertStore(const ScopedCertStore&) = delete; + ScopedCertStore& operator=(const ScopedCertStore&) = delete; + HCERTSTORE certstore; +}; + +// To determine if a certificate would be useful when verifying a server +// certificate for TLS server auth, Windows provides the function +// `CertGetEnhancedKeyUsage`, which combines the extended key usage extension +// with something called "enhanced key usage", which appears to be a Microsoft +// concept. +static bool CertCanBeUsedForTLSServerAuth(PCCERT_CONTEXT certificate) { + DWORD usageSize = 0; + if (!CertGetEnhancedKeyUsage(certificate, 0, NULL, &usageSize)) { + return false; + } + nsTArray<uint8_t> usageBytes; + usageBytes.SetLength(usageSize); + PCERT_ENHKEY_USAGE usage( + reinterpret_cast<PCERT_ENHKEY_USAGE>(usageBytes.Elements())); + if (!CertGetEnhancedKeyUsage(certificate, 0, usage, &usageSize)) { + return false; + } + // https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certgetenhancedkeyusage: + // "If the cUsageIdentifier member is zero, the certificate might be valid + // for all uses or the certificate might have no valid uses. The return from + // a call to GetLastError can be used to determine whether the certificate is + // good for all uses or for none. If GetLastError returns CRYPT_E_NOT_FOUND, + // the certificate is good for all uses. If it returns zero, the certificate + // has no valid uses." + if (usage->cUsageIdentifier == 0) { + return GetLastError() == static_cast<DWORD>(CRYPT_E_NOT_FOUND); + } + for (DWORD i = 0; i < usage->cUsageIdentifier; i++) { + if (!nsCRT::strcmp(usage->rgpszUsageIdentifier[i], + szOID_PKIX_KP_SERVER_AUTH) || + !nsCRT::strcmp(usage->rgpszUsageIdentifier[i], + szOID_ANY_ENHANCED_KEY_USAGE)) { + return true; + } + } + return false; +} + +// Loads the enterprise roots at the registry location corresponding to the +// given location flag. +// Supported flags are: +// CERT_SYSTEM_STORE_LOCAL_MACHINE +// (for HKLM\SOFTWARE\Microsoft\SystemCertificates) +// CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY +// (for HKLM\SOFTWARE\Policy\Microsoft\SystemCertificates) +// CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE +// (for HKLM\SOFTWARE\Microsoft\EnterpriseCertificates) +// CERT_SYSTEM_STORE_CURRENT_USER +// (for HKCU\SOFTWARE\Microsoft\SystemCertificates) +// CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY +// (for HKCU\SOFTWARE\Policy\Microsoft\SystemCertificates) +static void GatherEnterpriseCertsForLocation(DWORD locationFlag, + nsTArray<EnterpriseCert>& certs, + UniqueSECMODModule& rootsModule) { + MOZ_ASSERT(locationFlag == CERT_SYSTEM_STORE_LOCAL_MACHINE || + locationFlag == CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY || + locationFlag == CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE || + locationFlag == CERT_SYSTEM_STORE_CURRENT_USER || + locationFlag == CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY, + "unexpected locationFlag for GatherEnterpriseRootsForLocation"); + if (!(locationFlag == CERT_SYSTEM_STORE_LOCAL_MACHINE || + locationFlag == CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY || + locationFlag == CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE || + locationFlag == CERT_SYSTEM_STORE_CURRENT_USER || + locationFlag == CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY)) { + return; + } + + DWORD flags = + locationFlag | CERT_STORE_OPEN_EXISTING_FLAG | CERT_STORE_READONLY_FLAG; + // The certificate store being opened should consist only of certificates + // added by a user or administrator and not any certificates that are part + // of Microsoft's root store program. + // The 3rd parameter to CertOpenStore should be NULL according to + // https://msdn.microsoft.com/en-us/library/windows/desktop/aa376559%28v=vs.85%29.aspx + for (const auto& location : kCertStoreLocations) { + ScopedCertStore certStore(CertOpenStore(CERT_STORE_PROV_SYSTEM_REGISTRY_W, + 0, NULL, flags, location.mName)); + if (!certStore.get()) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("failed to open certificate store")); + continue; + } + PCCERT_CONTEXT certificate = nullptr; + uint32_t numImported = 0; + while ((certificate = CertFindCertificateInStore( + certStore.get(), X509_ASN_ENCODING, 0, CERT_FIND_ANY, nullptr, + certificate))) { + if (!CertCanBeUsedForTLSServerAuth(certificate)) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("skipping cert not relevant for TLS server auth")); + continue; + } + EnterpriseCert enterpriseCert(certificate->pbCertEncoded, + certificate->cbCertEncoded, + location.mIsRoot); + if (!enterpriseCert.IsKnownRoot(rootsModule)) { + certs.AppendElement(std::move(enterpriseCert)); + numImported++; + } else { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("skipping known root cert")); + } + } + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("imported %u certs from %S", numImported, location.mName)); + } +} + +static void GatherEnterpriseCertsWindows(nsTArray<EnterpriseCert>& certs, + UniqueSECMODModule& rootsModule) { + GatherEnterpriseCertsForLocation(CERT_SYSTEM_STORE_LOCAL_MACHINE, certs, + rootsModule); + GatherEnterpriseCertsForLocation(CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY, + certs, rootsModule); + GatherEnterpriseCertsForLocation(CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE, + certs, rootsModule); + GatherEnterpriseCertsForLocation(CERT_SYSTEM_STORE_CURRENT_USER, certs, + rootsModule); + GatherEnterpriseCertsForLocation(CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY, + certs, rootsModule); +} +#endif // XP_WIN + +#ifdef XP_MACOSX +enum class CertificateTrustResult { + CanUseAsIntermediate, + CanUseAsTrustAnchor, + DoNotUse, +}; + +ScopedCFType<CFArrayRef> GetCertificateTrustSettingsInDomain( + const SecCertificateRef certificate, SecTrustSettingsDomain domain) { + CFArrayRef trustSettingsRaw; + OSStatus rv = + SecTrustSettingsCopyTrustSettings(certificate, domain, &trustSettingsRaw); + if (rv != errSecSuccess || !trustSettingsRaw) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + (" SecTrustSettingsCopyTrustSettings failed (or not found) for " + "domain %" PRIu32, + domain)); + return nullptr; + } + ScopedCFType<CFArrayRef> trustSettings(trustSettingsRaw); + return trustSettings; +} + +// This function processes trust settings returned by +// SecTrustSettingsCopyTrustSettings. See the documentation at +// https://developer.apple.com/documentation/security/1400261-sectrustsettingscopytrustsetting +// `trustSettings` is an array of CFDictionaryRef. Each dictionary may impose +// a constraint. +CertificateTrustResult ProcessCertificateTrustSettings( + ScopedCFType<CFArrayRef>& trustSettings) { + // If the array is empty, the certificate is a trust anchor. + const CFIndex numTrustDictionaries = CFArrayGetCount(trustSettings.get()); + if (numTrustDictionaries == 0) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + (" empty trust settings -> trust anchor")); + return CertificateTrustResult::CanUseAsTrustAnchor; + } + CertificateTrustResult currentTrustSettings = + CertificateTrustResult::CanUseAsIntermediate; + for (CFIndex i = 0; i < numTrustDictionaries; i++) { + CFDictionaryRef trustDictionary = reinterpret_cast<CFDictionaryRef>( + CFArrayGetValueAtIndex(trustSettings.get(), i)); + // kSecTrustSettingsApplication specifies an external application that + // determines the certificate's trust settings. + // kSecTrustSettingsPolicyString appears to be a mechanism like name + // constraints. + // These are not supported, so conservatively assume this certificate is + // distrusted if either are present. + if (CFDictionaryContainsKey(trustDictionary, + kSecTrustSettingsApplication) || + CFDictionaryContainsKey(trustDictionary, + kSecTrustSettingsPolicyString)) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + (" found unsupported policy -> assuming distrusted")); + return CertificateTrustResult::DoNotUse; + } + + // kSecTrustSettingsKeyUsage seems to be essentially the equivalent of the + // x509 keyUsage extension. For parity, we allow + // kSecTrustSettingsKeyUseSignature, kSecTrustSettingsKeyUseSignCert, and + // kSecTrustSettingsKeyUseAny. + if (CFDictionaryContainsKey(trustDictionary, kSecTrustSettingsKeyUsage)) { + CFNumberRef keyUsage = (CFNumberRef)CFDictionaryGetValue( + trustDictionary, kSecTrustSettingsKeyUsage); + int32_t keyUsageValue; + if (!keyUsage || + CFNumberGetValue(keyUsage, kCFNumberSInt32Type, &keyUsageValue) || + keyUsageValue < 0) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + (" no trust settings key usage or couldn't get value")); + return CertificateTrustResult::DoNotUse; + } + switch ((uint64_t)keyUsageValue) { + case kSecTrustSettingsKeyUseSignature: // fall-through + case kSecTrustSettingsKeyUseSignCert: // fall-through + case kSecTrustSettingsKeyUseAny: + break; + default: + return CertificateTrustResult::DoNotUse; + } + } + + // If there is a specific policy, ensure that it's for the + // 'kSecPolicyAppleSSL' policy, which is the TLS server auth policy (i.e. + // x509 + domain name checking). + if (CFDictionaryContainsKey(trustDictionary, kSecTrustSettingsPolicy)) { + SecPolicyRef policy = (SecPolicyRef)CFDictionaryGetValue( + trustDictionary, kSecTrustSettingsPolicy); + if (!policy) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + (" kSecTrustSettingsPolicy present, but null?")); + continue; + } + ScopedCFType<CFDictionaryRef> policyProperties( + SecPolicyCopyProperties(policy)); + CFStringRef policyOid = (CFStringRef)CFDictionaryGetValue( + policyProperties.get(), kSecPolicyOid); + if (!CFEqual(policyOid, kSecPolicyAppleSSL)) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, (" policy doesn't match")); + continue; + } + } + + // By default, the trust setting result value is + // kSecTrustSettingsResultTrustRoot. + int32_t trustSettingsValue = kSecTrustSettingsResultTrustRoot; + if (CFDictionaryContainsKey(trustDictionary, kSecTrustSettingsResult)) { + CFNumberRef trustSetting = (CFNumberRef)CFDictionaryGetValue( + trustDictionary, kSecTrustSettingsResult); + if (!trustSetting || !CFNumberGetValue(trustSetting, kCFNumberSInt32Type, + &trustSettingsValue)) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + (" no trust settings result or couldn't get value")); + continue; + } + } + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + (" trust setting: %d", trustSettingsValue)); + if (trustSettingsValue == kSecTrustSettingsResultDeny) { + return CertificateTrustResult::DoNotUse; + } + if (trustSettingsValue == kSecTrustSettingsResultTrustRoot || + trustSettingsValue == kSecTrustSettingsResultTrustAsRoot) { + currentTrustSettings = CertificateTrustResult::CanUseAsTrustAnchor; + } + } + return currentTrustSettings; +} + +CertificateTrustResult GetCertificateTrustResult( + const SecCertificateRef certificate) { + ScopedCFType<CFStringRef> subject( + SecCertificateCopySubjectSummary(certificate)); + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("determining trust for '%s'", + CFStringGetCStringPtr(subject.get(), kCFStringEncodingUTF8))); + // There are three trust settings domains: kSecTrustSettingsDomainUser, + // kSecTrustSettingsDomainAdmin, and kSecTrustSettingsDomainSystem. User + // overrides admin and admin overrides system. However, if the given + // certificate has trust settings in the system domain, it shipped with the + // OS, so we don't want to use it. + ScopedCFType<CFArrayRef> systemTrustSettings( + GetCertificateTrustSettingsInDomain(certificate, + kSecTrustSettingsDomainSystem)); + if (systemTrustSettings) { + return CertificateTrustResult::DoNotUse; + } + + // At this point, if there is no trust information regarding this + // certificate, it can be used as an intermediate. + CertificateTrustResult certificateTrustResult = + CertificateTrustResult::CanUseAsIntermediate; + + // Process trust information in the user domain, if any. + ScopedCFType<CFArrayRef> userTrustSettings( + GetCertificateTrustSettingsInDomain(certificate, + kSecTrustSettingsDomainUser)); + if (userTrustSettings) { + certificateTrustResult = ProcessCertificateTrustSettings(userTrustSettings); + // If there is definite information one way or another (either indicating + // this is a trusted root or a distrusted certificate), use that + // information. + if (certificateTrustResult != + CertificateTrustResult::CanUseAsIntermediate) { + return certificateTrustResult; + } + } + + // Process trust information in the admin domain, if any. + ScopedCFType<CFArrayRef> adminTrustSettings( + GetCertificateTrustSettingsInDomain(certificate, + kSecTrustSettingsDomainAdmin)); + if (adminTrustSettings) { + certificateTrustResult = + ProcessCertificateTrustSettings(adminTrustSettings); + } + + // Use whatever result we ended up with. + return certificateTrustResult; +} + +OSStatus GatherEnterpriseCertsMacOS(nsTArray<EnterpriseCert>& certs, + UniqueSECMODModule& rootsModule) { + // The following builds a search dictionary corresponding to: + // { class: "certificate", + // match limit: "match all" } + // This operates on items that have been added to the keychain and thus gives + // us all 3rd party certificates. Unfortunately, if a root that shipped with + // the OS has had its trust settings changed, it can also be returned from + // this query. Further work (below) filters such certificates out. + const CFStringRef keys[] = {kSecClass, kSecMatchLimit}; + const void* values[] = {kSecClassCertificate, kSecMatchLimitAll}; + static_assert(ArrayLength(keys) == ArrayLength(values), + "mismatched SecItemCopyMatching key/value array sizes"); + // https://developer.apple.com/documentation/corefoundation/1516782-cfdictionarycreate + ScopedCFType<CFDictionaryRef> searchDictionary(CFDictionaryCreate( + nullptr, (const void**)&keys, (const void**)&values, ArrayLength(keys), + &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks)); + CFTypeRef items; + // https://developer.apple.com/documentation/security/1398306-secitemcopymatching + OSStatus rv = SecItemCopyMatching(searchDictionary.get(), &items); + if (rv != errSecSuccess) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("SecItemCopyMatching failed")); + return rv; + } + // If given a match limit greater than 1 (which we did), SecItemCopyMatching + // returns a CFArrayRef. + ScopedCFType<CFArrayRef> arr(reinterpret_cast<CFArrayRef>(items)); + CFIndex count = CFArrayGetCount(arr.get()); + uint32_t numImported = 0; + for (CFIndex i = 0; i < count; i++) { + // Because we asked for certificates, each CFTypeRef in the array is really + // a SecCertificateRef. + const SecCertificateRef certificate = + (const SecCertificateRef)CFArrayGetValueAtIndex(arr.get(), i); + CertificateTrustResult certificateTrustResult = + GetCertificateTrustResult(certificate); + if (certificateTrustResult == CertificateTrustResult::DoNotUse) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("skipping distrusted cert")); + continue; + } + ScopedCFType<CFDataRef> der(SecCertificateCopyData(certificate)); + if (!der) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("couldn't get bytes of certificate?")); + continue; + } + bool isRoot = + certificateTrustResult == CertificateTrustResult::CanUseAsTrustAnchor; + EnterpriseCert enterpriseCert(CFDataGetBytePtr(der.get()), + CFDataGetLength(der.get()), isRoot); + if (!enterpriseCert.IsKnownRoot(rootsModule)) { + certs.AppendElement(std::move(enterpriseCert)); + numImported++; + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("importing as %s", isRoot ? "root" : "intermediate")); + } else { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("skipping known root cert")); + } + } + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("imported %u certs", numImported)); + return errSecSuccess; +} +#endif // XP_MACOSX + +#ifdef MOZ_WIDGET_ANDROID +void GatherEnterpriseCertsAndroid(nsTArray<EnterpriseCert>& certs, + UniqueSECMODModule& rootsModule) { + if (!jni::IsAvailable()) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("JNI not available")); + return; + } + jni::ObjectArray::LocalRef roots = + java::EnterpriseRoots::GatherEnterpriseRoots(); + uint32_t numImported = 0; + for (size_t i = 0; i < roots->Length(); i++) { + jni::ByteArray::LocalRef root = roots->GetElement(i); + // Currently we treat all certificates gleaned from the Android + // CA store as roots. + EnterpriseCert enterpriseCert( + reinterpret_cast<uint8_t*>(root->GetElements().Elements()), + root->Length(), true); + if (!enterpriseCert.IsKnownRoot(rootsModule)) { + certs.AppendElement(std::move(enterpriseCert)); + numImported++; + } else { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("skipping known root cert")); + } + } + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("imported %u certs", numImported)); +} +#endif // MOZ_WIDGET_ANDROID + +nsresult GatherEnterpriseCerts(nsTArray<EnterpriseCert>& certs) { + MOZ_ASSERT(!NS_IsMainThread()); + if (NS_IsMainThread()) { + return NS_ERROR_NOT_SAME_THREAD; + } + + certs.Clear(); + UniqueSECMODModule rootsModule(SECMOD_FindModule(kRootModuleName)); +#ifdef XP_WIN + GatherEnterpriseCertsWindows(certs, rootsModule); +#endif // XP_WIN +#ifdef XP_MACOSX + OSStatus rv = GatherEnterpriseCertsMacOS(certs, rootsModule); + if (rv != errSecSuccess) { + return NS_ERROR_FAILURE; + } +#endif // XP_MACOSX +#ifdef MOZ_WIDGET_ANDROID + GatherEnterpriseCertsAndroid(certs, rootsModule); +#endif // MOZ_WIDGET_ANDROID + return NS_OK; +} diff --git a/security/manager/ssl/EnterpriseRoots.h b/security/manager/ssl/EnterpriseRoots.h new file mode 100644 index 0000000000..25567d4511 --- /dev/null +++ b/security/manager/ssl/EnterpriseRoots.h @@ -0,0 +1,38 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef EnterpriseRoots_h +#define EnterpriseRoots_h + +#include "ScopedNSSTypes.h" +#include "mozpkix/Input.h" +#include "mozpkix/Result.h" +#include "nsTArray.h" + +class EnterpriseCert { + public: + EnterpriseCert(const uint8_t* data, size_t len, bool isRoot) + : mDER(data, len), mIsRoot(isRoot) {} + EnterpriseCert(const EnterpriseCert& other) + : mDER(other.mDER.Clone()), mIsRoot(other.mIsRoot) {} + EnterpriseCert(EnterpriseCert&& other) + : mDER(std::move(other.mDER)), mIsRoot(other.mIsRoot) {} + + void CopyBytes(nsTArray<uint8_t>& dest) const; + mozilla::pkix::Result GetInput(mozilla::pkix::Input& input) const; + bool GetIsRoot() const; + // Is this certificate a known, built-in root? + bool IsKnownRoot(mozilla::UniqueSECMODModule& rootsModule); + + private: + nsTArray<uint8_t> mDER; + bool mIsRoot; +}; + +// This may block and must not be called from the main thread. +nsresult GatherEnterpriseCerts(nsTArray<EnterpriseCert>& certs); + +#endif // EnterpriseRoots_h diff --git a/security/manager/ssl/IPCClientCertsChild.cpp b/security/manager/ssl/IPCClientCertsChild.cpp new file mode 100644 index 0000000000..bea0e27dff --- /dev/null +++ b/security/manager/ssl/IPCClientCertsChild.cpp @@ -0,0 +1,17 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set sw=2 ts=8 et tw=80 : */ + +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "IPCClientCertsChild.h" + +#include "mozilla/ipc/BackgroundChild.h" +#include "mozilla/ipc/PBackgroundChild.h" + +namespace mozilla::psm { + +IPCClientCertsChild::IPCClientCertsChild() = default; + +} // namespace mozilla::psm diff --git a/security/manager/ssl/IPCClientCertsChild.h b/security/manager/ssl/IPCClientCertsChild.h new file mode 100644 index 0000000000..17020fce2e --- /dev/null +++ b/security/manager/ssl/IPCClientCertsChild.h @@ -0,0 +1,36 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set sw=2 ts=8 et tw=80 : */ + +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef mozilla_psm_IPCClientCertsChild_h__ +#define mozilla_psm_IPCClientCertsChild_h__ + +#include "mozilla/psm/PIPCClientCertsChild.h" + +namespace mozilla { + +namespace ipc { +class BackgroundChildImpl; +} // namespace ipc + +namespace psm { + +class IPCClientCertsChild final : public PIPCClientCertsChild { + friend class mozilla::ipc::BackgroundChildImpl; + + public: + IPCClientCertsChild(); + + NS_INLINE_DECL_THREADSAFE_REFCOUNTING(IPCClientCertsChild); + + private: + ~IPCClientCertsChild() = default; +}; + +} // namespace psm +} // namespace mozilla + +#endif diff --git a/security/manager/ssl/IPCClientCertsParent.cpp b/security/manager/ssl/IPCClientCertsParent.cpp new file mode 100644 index 0000000000..3b726df979 --- /dev/null +++ b/security/manager/ssl/IPCClientCertsParent.cpp @@ -0,0 +1,130 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set sw=2 ts=8 et tw=80 : */ + +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "IPCClientCertsParent.h" +#include "ScopedNSSTypes.h" +#include "nsNetCID.h" +#include "nsNSSComponent.h" +#include "nsNSSIOLayer.h" + +#include "mozilla/SyncRunnable.h" + +namespace mozilla::psm { + +IPCClientCertsParent::IPCClientCertsParent() = default; + +// When the IPC client certs module needs to find certificate and key objects +// in the socket process, it will cause this function to be called in the +// parent process. The parent process needs to find all certificates with +// private keys (because these are potential client certificates). +mozilla::ipc::IPCResult IPCClientCertsParent::RecvFindObjects( + nsTArray<IPCClientCertObject>* aObjects) { + nsCOMPtr<nsIEventTarget> socketThread( + do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID)); + if (!socketThread) { + return IPC_OK(); + } + // Look for client certificates on the socket thread. + UniqueCERTCertList certList; + mozilla::SyncRunnable::DispatchToThread( + socketThread, NS_NewRunnableFunction( + "IPCClientCertsParent::RecvFindObjects", [&certList]() { + certList = + psm::FindClientCertificatesWithPrivateKeys(); + })); + if (!certList) { + return IPC_OK(); + } + CERTCertListNode* n = CERT_LIST_HEAD(certList); + while (!CERT_LIST_END(n, certList)) { + nsTArray<uint8_t> certDER(n->cert->derCert.data, n->cert->derCert.len); + uint32_t slotType; + UniqueSECKEYPublicKey pubkey(CERT_ExtractPublicKey(n->cert)); + if (!pubkey) { + return IPC_OK(); + } + switch (SECKEY_GetPublicKeyType(pubkey.get())) { + case rsaKey: + case rsaPssKey: { + slotType = PK11_DoesMechanism(n->cert->slot, CKM_RSA_PKCS_PSS) + ? kIPCClientCertsSlotTypeModern + : kIPCClientCertsSlotTypeLegacy; + nsTArray<uint8_t> modulus(pubkey->u.rsa.modulus.data, + pubkey->u.rsa.modulus.len); + RSAKey rsakey(modulus, certDER, slotType); + aObjects->AppendElement(std::move(rsakey)); + break; + } + case ecKey: { + slotType = kIPCClientCertsSlotTypeModern; + nsTArray<uint8_t> params(pubkey->u.ec.DEREncodedParams.data, + pubkey->u.ec.DEREncodedParams.len); + ECKey eckey(params, certDER, slotType); + aObjects->AppendElement(std::move(eckey)); + break; + } + default: + n = CERT_LIST_NEXT(n); + continue; + } + Certificate cert(certDER, slotType); + aObjects->AppendElement(std::move(cert)); + + n = CERT_LIST_NEXT(n); + } + return IPC_OK(); +} + +// When the IPC client certs module needs to sign data using a key managed by +// the parent process, it will cause this function to be called in the parent +// process. The parent process needs to find the key corresponding to the +// given certificate and sign the given data with the given parameters. +mozilla::ipc::IPCResult IPCClientCertsParent::RecvSign(ByteArray aCert, + ByteArray aData, + ByteArray aParams, + ByteArray* aSignature) { + SECItem certItem = {siBuffer, const_cast<uint8_t*>(aCert.data().Elements()), + static_cast<unsigned int>(aCert.data().Length())}; + aSignature->data().Clear(); + + UniqueCERTCertificate cert(CERT_NewTempCertificate( + CERT_GetDefaultCertDB(), &certItem, nullptr, false, true)); + if (!cert) { + return IPC_OK(); + } + UniqueSECKEYPrivateKey key(PK11_FindKeyByAnyCert(cert.get(), nullptr)); + if (!key) { + return IPC_OK(); + } + SECItem params = {siBuffer, aParams.data().Elements(), + static_cast<unsigned int>(aParams.data().Length())}; + SECItem* paramsPtr = aParams.data().Length() > 0 ? ¶ms : nullptr; + CK_MECHANISM_TYPE mechanism; + switch (key->keyType) { + case ecKey: + mechanism = CKM_ECDSA; + break; + case rsaKey: + mechanism = aParams.data().Length() > 0 ? CKM_RSA_PKCS_PSS : CKM_RSA_PKCS; + break; + default: + return IPC_OK(); + } + uint32_t len = PK11_SignatureLen(key.get()); + UniqueSECItem sig(::SECITEM_AllocItem(nullptr, nullptr, len)); + SECItem hash = {siBuffer, aData.data().Elements(), + static_cast<unsigned int>(aData.data().Length())}; + SECStatus srv = + PK11_SignWithMechanism(key.get(), mechanism, paramsPtr, sig.get(), &hash); + if (srv != SECSuccess) { + return IPC_OK(); + } + aSignature->data().AppendElements(sig->data, sig->len); + return IPC_OK(); +} + +} // namespace mozilla::psm diff --git a/security/manager/ssl/IPCClientCertsParent.h b/security/manager/ssl/IPCClientCertsParent.h new file mode 100644 index 0000000000..46ce96523b --- /dev/null +++ b/security/manager/ssl/IPCClientCertsParent.h @@ -0,0 +1,40 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set sw=2 ts=8 et tw=80 : */ + +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef mozilla_psm_IPCClientCertsParent_h__ +#define mozilla_psm_IPCClientCertsParent_h__ + +#include "mozilla/psm/PIPCClientCertsParent.h" + +namespace mozilla { + +namespace net { +class SocketProcessBackgroundParent; +} // namespace net + +namespace psm { + +class IPCClientCertsParent final : public PIPCClientCertsParent { + friend class mozilla::net::SocketProcessBackgroundParent; + + public: + NS_INLINE_DECL_THREADSAFE_REFCOUNTING(IPCClientCertsParent) + + mozilla::ipc::IPCResult RecvFindObjects( + nsTArray<IPCClientCertObject>* aObjects); + mozilla::ipc::IPCResult RecvSign(ByteArray aCert, ByteArray aData, + ByteArray aParams, ByteArray* aSignature); + + private: + IPCClientCertsParent(); + ~IPCClientCertsParent() = default; +}; + +} // namespace psm +} // namespace mozilla + +#endif diff --git a/security/manager/ssl/KeychainSecret.cpp b/security/manager/ssl/KeychainSecret.cpp new file mode 100644 index 0000000000..4b0d2bf5fd --- /dev/null +++ b/security/manager/ssl/KeychainSecret.cpp @@ -0,0 +1,160 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "KeychainSecret.h" + +#include <Security/Security.h> + +#include "mozilla/Logging.h" + +// This is the implementation of KeychainSecret, an instantiation of OSKeyStore +// for OS X. It uses the system keychain, hence the name. + +using namespace mozilla; + +LazyLogModule gKeychainSecretLog("keychainsecret"); + +KeychainSecret::KeychainSecret() {} + +KeychainSecret::~KeychainSecret() {} + +ScopedCFType<CFStringRef> MozillaStringToCFString(const nsACString& stringIn) { + // https://developer.apple.com/documentation/corefoundation/1543419-cfstringcreatewithbytes + ScopedCFType<CFStringRef> stringOut(CFStringCreateWithBytes( + nullptr, reinterpret_cast<const UInt8*>(stringIn.BeginReading()), + stringIn.Length(), kCFStringEncodingUTF8, false)); + return stringOut; +} + +nsresult KeychainSecret::StoreSecret(const nsACString& aSecret, + const nsACString& aLabel) { + // This creates a CFDictionary of the form: + // { class: generic password, + // account: the given label, + // value: the given secret } + // "account" is the way we differentiate different secrets. + // By default, secrets stored by the application (Firefox) in this way are not + // accessible to other applications, so we shouldn't need to worry about + // unauthorized access or namespace collisions. This will be the case as long + // as we never set the kSecAttrAccessGroup attribute on the CFDictionary. The + // platform enforces this restriction using the application-identifier + // entitlement that each application bundle should have. See + // https://developer.apple.com/documentation/security/1401659-secitemadd?language=objc#discussion + + // The keychain does not overwrite secrets by default (unlike other backends + // like libsecret and credential manager). To be consistent, we first delete + // any previously-stored secrets that use the given label. + nsresult rv = DeleteSecret(aLabel); + if (NS_FAILED(rv)) { + MOZ_LOG(gKeychainSecretLog, LogLevel::Debug, + ("DeleteSecret before StoreSecret failed")); + return rv; + } + const CFStringRef keys[] = {kSecClass, kSecAttrAccount, kSecValueData}; + ScopedCFType<CFStringRef> label(MozillaStringToCFString(aLabel)); + if (!label) { + MOZ_LOG(gKeychainSecretLog, LogLevel::Debug, + ("MozillaStringToCFString failed")); + return NS_ERROR_FAILURE; + } + ScopedCFType<CFDataRef> secret(CFDataCreate( + nullptr, reinterpret_cast<const UInt8*>(aSecret.BeginReading()), + aSecret.Length())); + if (!secret) { + MOZ_LOG(gKeychainSecretLog, LogLevel::Debug, ("CFDataCreate failed")); + return NS_ERROR_FAILURE; + } + const void* values[] = {kSecClassGenericPassword, label.get(), secret.get()}; + static_assert(ArrayLength(keys) == ArrayLength(values), + "mismatched SecItemAdd key/value array sizes"); + ScopedCFType<CFDictionaryRef> addDictionary(CFDictionaryCreate( + nullptr, (const void**)&keys, (const void**)&values, ArrayLength(keys), + &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks)); + // https://developer.apple.com/documentation/security/1401659-secitemadd + OSStatus osrv = SecItemAdd(addDictionary.get(), nullptr); + if (osrv != errSecSuccess) { + MOZ_LOG(gKeychainSecretLog, LogLevel::Debug, + ("SecItemAdd failed: %d", osrv)); + return NS_ERROR_FAILURE; + } + return NS_OK; +} + +nsresult KeychainSecret::DeleteSecret(const nsACString& aLabel) { + // To delete a secret, we create a CFDictionary of the form: + // { class: generic password, + // account: the given label } + // and then call SecItemDelete. + const CFStringRef keys[] = {kSecClass, kSecAttrAccount}; + ScopedCFType<CFStringRef> label(MozillaStringToCFString(aLabel)); + if (!label) { + MOZ_LOG(gKeychainSecretLog, LogLevel::Debug, + ("MozillaStringToCFString failed")); + return NS_ERROR_FAILURE; + } + const void* values[] = {kSecClassGenericPassword, label.get()}; + static_assert(ArrayLength(keys) == ArrayLength(values), + "mismatched SecItemDelete key/value array sizes"); + ScopedCFType<CFDictionaryRef> deleteDictionary(CFDictionaryCreate( + nullptr, (const void**)&keys, (const void**)&values, ArrayLength(keys), + &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks)); + // https://developer.apple.com/documentation/security/1395547-secitemdelete + OSStatus rv = SecItemDelete(deleteDictionary.get()); + if (rv != errSecSuccess && rv != errSecItemNotFound) { + MOZ_LOG(gKeychainSecretLog, LogLevel::Debug, + ("SecItemDelete failed: %d", rv)); + return NS_ERROR_FAILURE; + } + return NS_OK; +} + +nsresult KeychainSecret::RetrieveSecret(const nsACString& aLabel, + /* out */ nsACString& aSecret) { + // To retrieve a secret, we create a CFDictionary of the form: + // { class: generic password, + // account: the given label, + // match limit: match one, + // return attributes: true, + // return data: true } + // This searches for and returns the attributes and data for the secret + // matching the given label. We then extract the data (i.e. the secret) and + // return it. + const CFStringRef keys[] = {kSecClass, kSecAttrAccount, kSecMatchLimit, + kSecReturnAttributes, kSecReturnData}; + ScopedCFType<CFStringRef> label(MozillaStringToCFString(aLabel)); + if (!label) { + MOZ_LOG(gKeychainSecretLog, LogLevel::Debug, + ("MozillaStringToCFString failed")); + return NS_ERROR_FAILURE; + } + const void* values[] = {kSecClassGenericPassword, label.get(), + kSecMatchLimitOne, kCFBooleanTrue, kCFBooleanTrue}; + static_assert(ArrayLength(keys) == ArrayLength(values), + "mismatched SecItemCopyMatching key/value array sizes"); + ScopedCFType<CFDictionaryRef> searchDictionary(CFDictionaryCreate( + nullptr, (const void**)&keys, (const void**)&values, ArrayLength(keys), + &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks)); + CFTypeRef item; + // https://developer.apple.com/documentation/security/1398306-secitemcopymatching + OSStatus rv = SecItemCopyMatching(searchDictionary.get(), &item); + if (rv != errSecSuccess) { + MOZ_LOG(gKeychainSecretLog, LogLevel::Debug, + ("SecItemCopyMatching failed: %d", rv)); + return NS_ERROR_FAILURE; + } + ScopedCFType<CFDictionaryRef> dictionary( + reinterpret_cast<CFDictionaryRef>(item)); + CFDataRef secret = reinterpret_cast<CFDataRef>( + CFDictionaryGetValue(dictionary.get(), kSecValueData)); + if (!secret) { + MOZ_LOG(gKeychainSecretLog, LogLevel::Debug, + ("CFDictionaryGetValue failed")); + return NS_ERROR_FAILURE; + } + aSecret.Assign(reinterpret_cast<const char*>(CFDataGetBytePtr(secret)), + CFDataGetLength(secret)); + return NS_OK; +} diff --git a/security/manager/ssl/KeychainSecret.h b/security/manager/ssl/KeychainSecret.h new file mode 100644 index 0000000000..7a0850a001 --- /dev/null +++ b/security/manager/ssl/KeychainSecret.h @@ -0,0 +1,49 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef KeychainSecret_h +#define KeychainSecret_h + +#include "CoreFoundation/CFBase.h" + +#include "OSKeyStore.h" +#include "nsString.h" + +template <typename T> +class ScopedCFType { + public: + explicit ScopedCFType(T value) : mValue(value) {} + + MOZ_IMPLICIT ScopedCFType(decltype(nullptr)) : mValue(nullptr) {} + + ~ScopedCFType() { + if (mValue) { + CFRelease((CFTypeRef)mValue); + } + } + + T get() { return mValue; } + + explicit operator bool() const { return mValue != nullptr; } + + private: + T mValue; +}; + +class KeychainSecret final : public AbstractOSKeyStore { + public: + KeychainSecret(); + + virtual nsresult RetrieveSecret(const nsACString& label, + /* out */ nsACString& secret) override; + virtual nsresult StoreSecret(const nsACString& secret, + const nsACString& label) override; + virtual nsresult DeleteSecret(const nsACString& label) override; + + virtual ~KeychainSecret(); +}; + +#endif // KeychainSecret_h diff --git a/security/manager/ssl/LibSecret.cpp b/security/manager/ssl/LibSecret.cpp new file mode 100644 index 0000000000..4b50c4d0b3 --- /dev/null +++ b/security/manager/ssl/LibSecret.cpp @@ -0,0 +1,321 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "LibSecret.h" + +#include <gio/gio.h> +#include <gmodule.h> +#include <memory> + +#include "mozilla/Base64.h" +#include "mozilla/Logging.h" +#include "MainThreadUtils.h" +#include "prlink.h" + +// This is the implementation of LibSecret, an instantiation of OSKeyStore for +// Linux. + +using namespace mozilla; + +LazyLogModule gLibSecretLog("libsecret"); + +static PRLibrary* libsecret = nullptr; + +typedef struct _SecretService SecretService; +typedef struct _SecretCollection SecretCollection; + +typedef enum { + SECRET_SCHEMA_NONE = 0, + SECRET_SCHEMA_DONT_MATCH_NAME = 1 << 1 +} SecretSchemaFlags; + +typedef enum { + SECRET_SCHEMA_ATTRIBUTE_STRING = 0, + SECRET_SCHEMA_ATTRIBUTE_INTEGER = 1, + SECRET_SCHEMA_ATTRIBUTE_BOOLEAN = 2, +} SecretSchemaAttributeType; + +typedef struct { + const gchar* name; + SecretSchemaAttributeType type; +} SecretSchemaAttribute; + +typedef struct { + const gchar* name; + SecretSchemaFlags flags; + SecretSchemaAttribute attributes[32]; + + /* <private> */ + gint reserved; + gpointer reserved1; + gpointer reserved2; + gpointer reserved3; + gpointer reserved4; + gpointer reserved5; + gpointer reserved6; + gpointer reserved7; +} SecretSchema; + +typedef enum { + SECRET_COLLECTION_NONE = 0 << 0, + SECRET_COLLECTION_LOAD_ITEMS = 1 << 1, +} SecretCollectionFlags; + +typedef enum { + SECRET_SERVICE_NONE = 0, + SECRET_SERVICE_OPEN_SESSION = 1 << 1, + SECRET_SERVICE_LOAD_COLLECTIONS = 1 << 2, +} SecretServiceFlags; + +typedef enum { + SECRET_ERROR_PROTOCOL = 1, + SECRET_ERROR_IS_LOCKED = 2, + SECRET_ERROR_NO_SUCH_OBJECT = 3, + SECRET_ERROR_ALREADY_EXISTS = 4, +} SecretError; + +#define SECRET_COLLECTION_DEFAULT "default" + +typedef SecretCollection* (*secret_collection_for_alias_sync_fn)( + SecretService*, const gchar*, SecretCollectionFlags, GCancellable*, + GError**); +typedef SecretService* (*secret_service_get_sync_fn)(SecretServiceFlags, + GCancellable*, GError**); +typedef gboolean (*secret_password_clear_sync_fn)(const SecretSchema*, + GCancellable*, GError**, ...); +typedef gchar* (*secret_password_lookup_sync_fn)(const SecretSchema*, + GCancellable*, GError**, ...); +typedef gboolean (*secret_password_store_sync_fn)(const SecretSchema*, + const gchar*, const gchar*, + const gchar*, GCancellable*, + GError**, ...); +typedef void (*secret_password_free_fn)(const gchar*); +typedef GQuark (*secret_error_get_quark_fn)(); + +static secret_collection_for_alias_sync_fn secret_collection_for_alias_sync = + nullptr; +static secret_service_get_sync_fn secret_service_get_sync = nullptr; +static secret_password_clear_sync_fn secret_password_clear_sync = nullptr; +static secret_password_lookup_sync_fn secret_password_lookup_sync = nullptr; +static secret_password_store_sync_fn secret_password_store_sync = nullptr; +static secret_password_free_fn secret_password_free = nullptr; +static secret_error_get_quark_fn secret_error_get_quark = nullptr; + +nsresult MaybeLoadLibSecret() { + MOZ_ASSERT(NS_IsMainThread()); + if (!NS_IsMainThread()) { + return NS_ERROR_NOT_SAME_THREAD; + } + + if (!libsecret) { + libsecret = PR_LoadLibrary("libsecret-1.so.0"); + if (!libsecret) { + return NS_ERROR_NOT_AVAILABLE; + } + +// With TSan, we cannot unload libsecret once we have loaded it because +// TSan does not support unloading libraries that are matched from its +// suppression list. Hence we just keep the library loaded in TSan builds. +#ifdef MOZ_TSAN +# define UNLOAD_LIBSECRET(x) \ + do { \ + } while (0) +#else +# define UNLOAD_LIBSECRET(x) PR_UnloadLibrary(x) +#endif + +#define FIND_FUNCTION_SYMBOL(function) \ + function = (function##_fn)PR_FindFunctionSymbol(libsecret, #function); \ + if (!(function)) { \ + UNLOAD_LIBSECRET(libsecret); \ + libsecret = nullptr; \ + return NS_ERROR_NOT_AVAILABLE; \ + } + FIND_FUNCTION_SYMBOL(secret_collection_for_alias_sync); + FIND_FUNCTION_SYMBOL(secret_service_get_sync); + FIND_FUNCTION_SYMBOL(secret_password_clear_sync); + FIND_FUNCTION_SYMBOL(secret_password_lookup_sync); + FIND_FUNCTION_SYMBOL(secret_password_store_sync); + FIND_FUNCTION_SYMBOL(secret_password_free); + FIND_FUNCTION_SYMBOL(secret_error_get_quark); +#undef FIND_FUNCTION_SYMBOL + } + + return NS_OK; +} + +struct ScopedDelete { + void operator()(SecretService* ss) { + if (ss) g_object_unref(ss); + } + void operator()(SecretCollection* sc) { + if (sc) g_object_unref(sc); + } + void operator()(GError* error) { + if (error) g_error_free(error); + } + void operator()(GList* list) { + if (list) g_list_free(list); + } + void operator()(char* val) { + if (val) secret_password_free(val); + } +}; + +template <class T> +struct ScopedMaybeDelete { + void operator()(T* ptr) { + if (ptr) { + ScopedDelete del; + del(ptr); + } + } +}; + +typedef std::unique_ptr<GError, ScopedMaybeDelete<GError>> ScopedGError; +typedef std::unique_ptr<GList, ScopedMaybeDelete<GList>> ScopedGList; +typedef std::unique_ptr<char, ScopedMaybeDelete<char>> ScopedPassword; +typedef std::unique_ptr<SecretCollection, ScopedMaybeDelete<SecretCollection>> + ScopedSecretCollection; +typedef std::unique_ptr<SecretService, ScopedMaybeDelete<SecretService>> + ScopedSecretService; + +LibSecret::LibSecret() = default; + +LibSecret::~LibSecret() { + MOZ_ASSERT(NS_IsMainThread()); + if (!NS_IsMainThread()) { + return; + } + if (libsecret) { + secret_collection_for_alias_sync = nullptr; + secret_service_get_sync = nullptr; + secret_password_clear_sync = nullptr; + secret_password_lookup_sync = nullptr; + secret_password_store_sync = nullptr; + secret_password_free = nullptr; + secret_error_get_quark = nullptr; + UNLOAD_LIBSECRET(libsecret); + libsecret = nullptr; + } +} + +static const SecretSchema kSchema = { + "mozilla.firefox", + SECRET_SCHEMA_NONE, + {{"string", SECRET_SCHEMA_ATTRIBUTE_STRING}, /* the label */ + {"NULL", SECRET_SCHEMA_ATTRIBUTE_STRING}}}; + +nsresult GetScopedServices(ScopedSecretService& aSs, + ScopedSecretCollection& aSc) { + MOZ_ASSERT(secret_service_get_sync && secret_collection_for_alias_sync); + if (!secret_service_get_sync || !secret_collection_for_alias_sync) { + return NS_ERROR_FAILURE; + } + GError* raw_error = nullptr; + aSs = ScopedSecretService(secret_service_get_sync( + static_cast<SecretServiceFlags>( + SECRET_SERVICE_OPEN_SESSION), // SecretServiceFlags + nullptr, // GCancellable + &raw_error)); + ScopedGError error(raw_error); + if (error || !aSs) { + MOZ_LOG(gLibSecretLog, LogLevel::Debug, ("Couldn't get a secret service")); + return NS_ERROR_FAILURE; + } + + aSc = ScopedSecretCollection(secret_collection_for_alias_sync( + aSs.get(), "default", static_cast<SecretCollectionFlags>(0), + nullptr, // GCancellable + &raw_error)); + error.reset(raw_error); + if (!aSc) { + MOZ_LOG(gLibSecretLog, LogLevel::Debug, + ("Couldn't get a secret collection")); + return NS_ERROR_FAILURE; + } + return NS_OK; +} + +nsresult LibSecret::StoreSecret(const nsACString& aSecret, + const nsACString& aLabel) { + MOZ_ASSERT(secret_password_store_sync); + if (!secret_password_store_sync) { + return NS_ERROR_FAILURE; + } + // libsecret expects a null-terminated string, so to be safe we store the + // secret (which could be arbitrary bytes) base64-encoded. + nsAutoCString base64; + nsresult rv = Base64Encode(aSecret, base64); + if (NS_FAILED(rv)) { + MOZ_LOG(gLibSecretLog, LogLevel::Debug, ("Error base64-encoding secret")); + return rv; + } + GError* raw_error = nullptr; + bool stored = secret_password_store_sync( + &kSchema, SECRET_COLLECTION_DEFAULT, PromiseFlatCString(aLabel).get(), + PromiseFlatCString(base64).get(), + nullptr, // GCancellable + &raw_error, "string", PromiseFlatCString(aLabel).get(), nullptr); + ScopedGError error(raw_error); + if (raw_error) { + MOZ_LOG(gLibSecretLog, LogLevel::Debug, ("Error storing secret")); + return NS_ERROR_FAILURE; + } + + return stored ? NS_OK : NS_ERROR_FAILURE; +} + +nsresult LibSecret::DeleteSecret(const nsACString& aLabel) { + MOZ_ASSERT(secret_password_clear_sync && secret_error_get_quark); + if (!secret_password_clear_sync || !secret_error_get_quark) { + return NS_ERROR_FAILURE; + } + GError* raw_error = nullptr; + Unused << secret_password_clear_sync( + &kSchema, + nullptr, // GCancellable + &raw_error, "string", PromiseFlatCString(aLabel).get(), nullptr); + ScopedGError error(raw_error); + if (raw_error && !(raw_error->domain == secret_error_get_quark() && + raw_error->code == SECRET_ERROR_NO_SUCH_OBJECT)) { + MOZ_LOG(gLibSecretLog, LogLevel::Debug, ("Error deleting secret")); + return NS_ERROR_FAILURE; + } + + return NS_OK; +} + +nsresult LibSecret::RetrieveSecret(const nsACString& aLabel, + /* out */ nsACString& aSecret) { + MOZ_ASSERT(secret_password_lookup_sync && secret_password_free); + if (!secret_password_lookup_sync || !secret_password_free) { + return NS_ERROR_FAILURE; + } + GError* raw_error = nullptr; + aSecret.Truncate(); + ScopedPassword s(secret_password_lookup_sync( + &kSchema, + nullptr, // GCancellable + &raw_error, "string", PromiseFlatCString(aLabel).get(), nullptr)); + ScopedGError error(raw_error); + if (raw_error || !s) { + MOZ_LOG(gLibSecretLog, LogLevel::Debug, + ("Error retrieving secret or didn't find it")); + return NS_ERROR_FAILURE; + } + // libsecret expects a null-terminated string, so to be safe we store the + // secret (which could be arbitrary bytes) base64-encoded, which means we have + // to base64-decode it here. + nsAutoCString base64Encoded(s.get()); + nsresult rv = Base64Decode(base64Encoded, aSecret); + if (NS_FAILED(rv)) { + MOZ_LOG(gLibSecretLog, LogLevel::Debug, ("Error base64-decoding secret")); + return rv; + } + + return NS_OK; +} diff --git a/security/manager/ssl/LibSecret.h b/security/manager/ssl/LibSecret.h new file mode 100644 index 0000000000..b4aa8fbce8 --- /dev/null +++ b/security/manager/ssl/LibSecret.h @@ -0,0 +1,29 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef LibSecret_h +#define LibSecret_h + +#include "OSKeyStore.h" + +#include "nsString.h" + +nsresult MaybeLoadLibSecret(); + +class LibSecret final : public AbstractOSKeyStore { + public: + LibSecret(); + + virtual nsresult RetrieveSecret(const nsACString& label, + /* out */ nsACString& secret) override; + virtual nsresult StoreSecret(const nsACString& secret, + const nsACString& label) override; + virtual nsresult DeleteSecret(const nsACString& label) override; + + virtual ~LibSecret(); +}; + +#endif // LibSecret_h diff --git a/security/manager/ssl/NSSErrorsService.cpp b/security/manager/ssl/NSSErrorsService.cpp new file mode 100644 index 0000000000..06c0b1e790 --- /dev/null +++ b/security/manager/ssl/NSSErrorsService.cpp @@ -0,0 +1,212 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "NSSErrorsService.h" + +#include "nsIStringBundle.h" +#include "nsNSSComponent.h" +#include "nsServiceManagerUtils.h" +#include "mozpkix/pkixnss.h" +#include "secerr.h" +#include "sslerr.h" + +#define PIPNSS_STRBUNDLE_URL "chrome://pipnss/locale/pipnss.properties" +#define NSSERR_STRBUNDLE_URL "chrome://pipnss/locale/nsserrors.properties" + +namespace mozilla { +namespace psm { + +static_assert(mozilla::pkix::ERROR_BASE == + nsINSSErrorsService::MOZILLA_PKIX_ERROR_BASE, + "MOZILLA_PKIX_ERROR_BASE and " + "nsINSSErrorsService::MOZILLA_PKIX_ERROR_BASE do not match."); +static_assert(mozilla::pkix::ERROR_LIMIT == + nsINSSErrorsService::MOZILLA_PKIX_ERROR_LIMIT, + "MOZILLA_PKIX_ERROR_LIMIT and " + "nsINSSErrorsService::MOZILLA_PKIX_ERROR_LIMIT do not match."); + +static bool IsPSMError(PRErrorCode error) { + return (error >= mozilla::pkix::ERROR_BASE && + error < mozilla::pkix::ERROR_LIMIT); +} + +NS_IMPL_ISUPPORTS(NSSErrorsService, nsINSSErrorsService) + +NSSErrorsService::~NSSErrorsService() = default; + +nsresult NSSErrorsService::Init() { + nsresult rv; + nsCOMPtr<nsIStringBundleService> bundleService( + do_GetService(NS_STRINGBUNDLE_CONTRACTID, &rv)); + if (NS_FAILED(rv) || !bundleService) return NS_ERROR_FAILURE; + + bundleService->CreateBundle(PIPNSS_STRBUNDLE_URL, + getter_AddRefs(mPIPNSSBundle)); + if (!mPIPNSSBundle) rv = NS_ERROR_FAILURE; + + bundleService->CreateBundle(NSSERR_STRBUNDLE_URL, + getter_AddRefs(mNSSErrorsBundle)); + if (!mNSSErrorsBundle) rv = NS_ERROR_FAILURE; + + return rv; +} + +#define EXPECTED_SEC_ERROR_BASE (-0x2000) +#define EXPECTED_SSL_ERROR_BASE (-0x3000) + +#if SEC_ERROR_BASE != EXPECTED_SEC_ERROR_BASE || \ + SSL_ERROR_BASE != EXPECTED_SSL_ERROR_BASE +# error \ + "Unexpected change of error code numbers in lib NSS, please adjust the mapping code" +/* + * Please ensure the NSS error codes are mapped into the positive range 0x1000 + * to 0xf000 Search for NS_ERROR_MODULE_SECURITY to ensure there are no + * conflicts. The current code also assumes that NSS library error codes are + * negative. + */ +#endif + +bool IsNSSErrorCode(PRErrorCode code) { + return IS_SEC_ERROR(code) || IS_SSL_ERROR(code) || IsPSMError(code); +} + +nsresult GetXPCOMFromNSSError(PRErrorCode code) { + if (!code) { + MOZ_CRASH("Function failed without calling PR_GetError"); + } + + // The error codes within each module must be a 16 bit value. + // For simplicity we use the positive value of the NSS code. + return (nsresult)NS_ERROR_GENERATE_FAILURE(NS_ERROR_MODULE_SECURITY, + -1 * code); +} + +NS_IMETHODIMP +NSSErrorsService::IsNSSErrorCode(int32_t aNSPRCode, bool* _retval) { + if (!_retval) { + return NS_ERROR_INVALID_ARG; + } + + *_retval = mozilla::psm::IsNSSErrorCode(aNSPRCode); + return NS_OK; +} + +NS_IMETHODIMP +NSSErrorsService::GetXPCOMFromNSSError(int32_t aNSPRCode, + nsresult* aXPCOMErrorCode) { + if (!aXPCOMErrorCode) { + return NS_ERROR_INVALID_ARG; + } + + if (!mozilla::psm::IsNSSErrorCode(aNSPRCode)) { + return NS_ERROR_INVALID_ARG; + } + + *aXPCOMErrorCode = mozilla::psm::GetXPCOMFromNSSError(aNSPRCode); + + return NS_OK; +} + +NS_IMETHODIMP +NSSErrorsService::GetErrorClass(nsresult aXPCOMErrorCode, + uint32_t* aErrorClass) { + NS_ENSURE_ARG(aErrorClass); + + if (NS_ERROR_GET_MODULE(aXPCOMErrorCode) != NS_ERROR_MODULE_SECURITY || + NS_ERROR_GET_SEVERITY(aXPCOMErrorCode) != NS_ERROR_SEVERITY_ERROR) { + return NS_ERROR_FAILURE; + } + + int32_t aNSPRCode = -1 * NS_ERROR_GET_CODE(aXPCOMErrorCode); + + if (!mozilla::psm::IsNSSErrorCode(aNSPRCode)) { + return NS_ERROR_FAILURE; + } + + if (mozilla::psm::ErrorIsOverridable(aNSPRCode)) { + *aErrorClass = ERROR_CLASS_BAD_CERT; + } else { + *aErrorClass = ERROR_CLASS_SSL_PROTOCOL; + } + + return NS_OK; +} + +bool ErrorIsOverridable(PRErrorCode code) { + switch (code) { + // Overridable errors. + case mozilla::pkix::MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED: + case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY: + case mozilla::pkix::MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME: + case mozilla::pkix::MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE: + case mozilla::pkix::MOZILLA_PKIX_ERROR_MITM_DETECTED: + case mozilla::pkix::MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE: + case mozilla::pkix::MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE: + case mozilla::pkix::MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT: + case mozilla::pkix::MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA: + case SEC_ERROR_CA_CERT_INVALID: + case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED: + case SEC_ERROR_EXPIRED_CERTIFICATE: + case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE: + case SEC_ERROR_INVALID_TIME: + case SEC_ERROR_UNKNOWN_ISSUER: + case SSL_ERROR_BAD_CERT_DOMAIN: + return true; + // Non-overridable errors. + default: + return false; + } +} + +static const char* getOverrideErrorStringName(PRErrorCode aErrorCode) { + switch (aErrorCode) { + case SSL_ERROR_SSL_DISABLED: + return "PSMERR_SSL_Disabled"; + case SSL_ERROR_SSL2_DISABLED: + return "PSMERR_SSL2_Disabled"; + case SEC_ERROR_REUSED_ISSUER_AND_SERIAL: + return "PSMERR_HostReusedIssuerSerial"; + case mozilla::pkix::MOZILLA_PKIX_ERROR_MITM_DETECTED: + return "certErrorTrust_MitM"; + default: + return nullptr; + } +} + +NS_IMETHODIMP +NSSErrorsService::GetErrorMessage(nsresult aXPCOMErrorCode, + nsAString& aErrorMessage) { + if (NS_ERROR_GET_MODULE(aXPCOMErrorCode) != NS_ERROR_MODULE_SECURITY || + NS_ERROR_GET_SEVERITY(aXPCOMErrorCode) != NS_ERROR_SEVERITY_ERROR) { + return NS_ERROR_FAILURE; + } + + int32_t aNSPRCode = -1 * NS_ERROR_GET_CODE(aXPCOMErrorCode); + + if (!mozilla::psm::IsNSSErrorCode(aNSPRCode)) { + return NS_ERROR_FAILURE; + } + + nsCOMPtr<nsIStringBundle> theBundle = mPIPNSSBundle; + const char* idStr = getOverrideErrorStringName(aNSPRCode); + + if (!idStr) { + idStr = PR_ErrorToName(aNSPRCode); + theBundle = mNSSErrorsBundle; + } + + if (!idStr || !theBundle) { + return NS_ERROR_FAILURE; + } + + nsAutoString msg; + nsresult rv = theBundle->GetStringFromName(idStr, msg); + if (NS_SUCCEEDED(rv)) { + aErrorMessage = msg; + } + return rv; +} + +} // namespace psm +} // namespace mozilla diff --git a/security/manager/ssl/NSSErrorsService.h b/security/manager/ssl/NSSErrorsService.h new file mode 100644 index 0000000000..a19bea9e5f --- /dev/null +++ b/security/manager/ssl/NSSErrorsService.h @@ -0,0 +1,56 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef NSSErrorsService_h +#define NSSErrorsService_h + +#include "mozilla/Attributes.h" +#include "nsCOMPtr.h" +#include "nsILineInputStream.h" +#include "nsINSSErrorsService.h" +#include "nsISafeOutputStream.h" +#include "nsIStringBundle.h" +#include "prerror.h" + +class nsIStringBundle; + +namespace mozilla { +namespace psm { + +class NSSErrorsService final : public nsINSSErrorsService { + NS_DECL_ISUPPORTS + NS_DECL_NSINSSERRORSSERVICE + + public: + nsresult Init(); + + private: + // For XPCOM implementations that are not a base class for some other + // class, it is good practice to make the destructor non-virtual and + // private. Then the only way to delete the object is via Release. +#ifdef _MSC_VER + // C4265: Class has virtual members but destructor is not virtual + __pragma(warning(disable : 4265)) +#endif + ~NSSErrorsService(); + + nsCOMPtr<nsIStringBundle> mPIPNSSBundle; + nsCOMPtr<nsIStringBundle> mNSSErrorsBundle; +}; + +bool IsNSSErrorCode(PRErrorCode code); +nsresult GetXPCOMFromNSSError(PRErrorCode code); +bool ErrorIsOverridable(PRErrorCode code); + +} // namespace psm +} // namespace mozilla + +#define NS_NSSERRORSSERVICE_CID \ + { \ + 0x9ef18451, 0xa157, 0x4d17, { \ + 0x81, 0x32, 0x47, 0xaf, 0xef, 0x21, 0x36, 0x89 \ + } \ + } + +#endif // NSSErrorsService_h diff --git a/security/manager/ssl/NSSKeyStore.cpp b/security/manager/ssl/NSSKeyStore.cpp new file mode 100644 index 0000000000..4a516294c0 --- /dev/null +++ b/security/manager/ssl/NSSKeyStore.cpp @@ -0,0 +1,154 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "NSSKeyStore.h" + +#include "mozilla/AbstractThread.h" +#include "mozilla/Base64.h" +#include "mozilla/Logging.h" +#include "mozilla/SyncRunnable.h" +#include "nsIThread.h" +#include "nsNSSComponent.h" +#include "nsPK11TokenDB.h" +#include "nsXULAppAPI.h" + +/* Implementing OSKeyStore when there is no platform specific one. + * This key store instead puts the keys into the NSS DB. + */ + +using namespace mozilla; +using mozilla::SyncRunnable; + +LazyLogModule gNSSKeyStoreLog("nsskeystore"); + +NSSKeyStore::NSSKeyStore() { + MOZ_ASSERT(XRE_IsParentProcess()); + if (!XRE_IsParentProcess()) { + // This shouldn't happen as this is only initialised when creating the + // OSKeyStore, which is ParentProcessOnly. + return; + } + Unused << EnsureNSSInitializedChromeOrContent(); + Unused << InitToken(); +} +NSSKeyStore::~NSSKeyStore() = default; + +nsresult NSSKeyStore::InitToken() { + if (!mSlot) { + mSlot = UniquePK11SlotInfo(PK11_GetInternalKeySlot()); + if (!mSlot) { + MOZ_LOG(gNSSKeyStoreLog, LogLevel::Debug, + ("Error getting internal key slot")); + return NS_ERROR_NOT_AVAILABLE; + } + } + return NS_OK; +} + +nsresult NSSKeyStore::StoreSecret(const nsACString& aSecret, + const nsACString& aLabel) { + NS_ENSURE_STATE(mSlot); + + // It is possible for multiple keys to have the same nickname in NSS. To + // prevent the problem of not knowing which key to use in the future, simply + // delete all keys with this nickname before storing a new one. + nsresult rv = DeleteSecret(aLabel); + if (NS_FAILED(rv)) { + MOZ_LOG(gNSSKeyStoreLog, LogLevel::Debug, + ("DeleteSecret before StoreSecret failed")); + return rv; + } + + uint8_t* p = BitwiseCast<uint8_t*, const char*>(aSecret.BeginReading()); + UniqueSECItem key(SECITEM_AllocItem(nullptr, nullptr, aSecret.Length())); + if (!key) { + return NS_ERROR_OUT_OF_MEMORY; + } + key->type = siBuffer; + memcpy(key->data, p, aSecret.Length()); + key->len = aSecret.Length(); + UniquePK11SymKey symKey( + PK11_ImportSymKey(mSlot.get(), CKM_AES_GCM, PK11_OriginUnwrap, + CKA_DECRYPT | CKA_ENCRYPT, key.get(), nullptr)); + if (!symKey) { + MOZ_LOG(gNSSKeyStoreLog, LogLevel::Debug, ("Error creating NSS SymKey")); + return NS_ERROR_FAILURE; + } + UniquePK11SymKey storedKey( + PK11_ConvertSessionSymKeyToTokenSymKey(symKey.get(), nullptr)); + if (!storedKey) { + MOZ_LOG(gNSSKeyStoreLog, LogLevel::Debug, + ("Error storing NSS SymKey in DB")); + return NS_ERROR_FAILURE; + } + SECStatus srv = + PK11_SetSymKeyNickname(storedKey.get(), PromiseFlatCString(aLabel).get()); + if (srv != SECSuccess) { + MOZ_LOG(gNSSKeyStoreLog, LogLevel::Debug, ("Error naming NSS SymKey")); + (void)PK11_DeleteTokenSymKey(storedKey.get()); + return NS_ERROR_FAILURE; + } + + return NS_OK; +} + +nsresult NSSKeyStore::DeleteSecret(const nsACString& aLabel) { + NS_ENSURE_STATE(mSlot); + + UniquePK11SymKey symKey(PK11_ListFixedKeysInSlot( + mSlot.get(), const_cast<char*>(PromiseFlatCString(aLabel).get()), + nullptr)); + if (!symKey) { + // Couldn't find the key or something is wrong. Be nice. + return NS_OK; + } + for (PK11SymKey* tmp = symKey.get(); tmp; tmp = PK11_GetNextSymKey(tmp)) { + SECStatus srv = PK11_DeleteTokenSymKey(tmp); + if (srv != SECSuccess) { + MOZ_LOG(gNSSKeyStoreLog, LogLevel::Debug, ("Error deleting NSS SymKey")); + return NS_ERROR_FAILURE; + } + } + return NS_OK; +} + +bool NSSKeyStore::SecretAvailable(const nsACString& aLabel) { + if (!mSlot) { + return false; + } + + UniquePK11SymKey symKey(PK11_ListFixedKeysInSlot( + mSlot.get(), const_cast<char*>(PromiseFlatCString(aLabel).get()), + nullptr)); + if (!symKey) { + return false; + } + return true; +} + +nsresult NSSKeyStore::EncryptDecrypt(const nsACString& aLabel, + const std::vector<uint8_t>& inBytes, + std::vector<uint8_t>& outBytes, + bool encrypt) { + NS_ENSURE_STATE(mSlot); + + UniquePK11SymKey symKey(PK11_ListFixedKeysInSlot( + mSlot.get(), const_cast<char*>(PromiseFlatCString(aLabel).get()), + nullptr)); + if (!symKey) { + MOZ_LOG(gNSSKeyStoreLog, LogLevel::Debug, + ("Error finding key for given label")); + return NS_ERROR_FAILURE; + } + return DoCipher(symKey, inBytes, outBytes, encrypt); +} + +// Because NSSKeyStore overrides AbstractOSKeyStore's EncryptDecrypt and +// SecretAvailable functions, this isn't necessary. +nsresult NSSKeyStore::RetrieveSecret(const nsACString& aLabel, + /* out */ nsACString& aSecret) { + return NS_ERROR_NOT_IMPLEMENTED; +} diff --git a/security/manager/ssl/NSSKeyStore.h b/security/manager/ssl/NSSKeyStore.h new file mode 100644 index 0000000000..6e0411d6cc --- /dev/null +++ b/security/manager/ssl/NSSKeyStore.h @@ -0,0 +1,34 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef NSSKeyStore_h +#define NSSKeyStore_h + +#include "OSKeyStore.h" +#include "nsString.h" + +class NSSKeyStore final : public AbstractOSKeyStore { + public: + NSSKeyStore(); + + virtual nsresult RetrieveSecret(const nsACString& aLabel, + /* out */ nsACString& aSecret) override; + virtual nsresult StoreSecret(const nsACString& secret, + const nsACString& label) override; + virtual nsresult DeleteSecret(const nsACString& label) override; + virtual nsresult EncryptDecrypt(const nsACString& label, + const std::vector<uint8_t>& inBytes, + std::vector<uint8_t>& outBytes, + bool encrypt) override; + virtual bool SecretAvailable(const nsACString& label) override; + virtual ~NSSKeyStore(); + + private: + nsresult InitToken(); + mozilla::UniquePK11SlotInfo mSlot = nullptr; +}; + +#endif // NSSKeyStore_h diff --git a/security/manager/ssl/NSSSocketControl.cpp b/security/manager/ssl/NSSSocketControl.cpp new file mode 100644 index 0000000000..e8f0f99dae --- /dev/null +++ b/security/manager/ssl/NSSSocketControl.cpp @@ -0,0 +1,732 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "NSSSocketControl.h" + +#include "ssl.h" +#include "sslexp.h" +#include "nsISocketProvider.h" +#include "secerr.h" +#include "mozilla/Base64.h" +#include "nsNSSCallbacks.h" + +using namespace mozilla; +using namespace mozilla::psm; + +extern LazyLogModule gPIPNSSLog; + +NSSSocketControl::NSSSocketControl(const nsCString& aHostName, int32_t aPort, + SharedSSLState& aState, + uint32_t providerFlags, + uint32_t providerTlsFlags) + : CommonSocketControl(aHostName, aPort, providerFlags), + mFd(nullptr), + mCertVerificationState(BeforeCertVerification), + mSharedState(aState), + mForSTARTTLS(false), + mTLSVersionRange{0, 0}, + mHandshakePending(true), + mPreliminaryHandshakeDone(false), + mEarlyDataAccepted(false), + mDenyClientCert(false), + mFalseStartCallbackCalled(false), + mFalseStarted(false), + mIsFullHandshake(false), + mNotedTimeUntilReady(false), + mEchExtensionStatus(EchExtensionStatus::kNotPresent), + mSentXyberShare(false), + mHasTls13HandshakeSecrets(false), + mIsShortWritePending(false), + mShortWritePendingByte(0), + mShortWriteOriginalAmount(-1), + mKEAUsed(nsITLSSocketControl::KEY_EXCHANGE_UNKNOWN), + mKEAKeyBits(0), + mMACAlgorithmUsed(nsITLSSocketControl::SSL_MAC_UNKNOWN), + mProviderTlsFlags(providerTlsFlags), + mSocketCreationTimestamp(TimeStamp::Now()), + mPlaintextBytesRead(0), + mClaimed(!(providerFlags & nsISocketProvider::IS_SPECULATIVE_CONNECTION)), + mPendingSelectClientAuthCertificate(nullptr), + mBrowserId(0) {} + +NS_IMETHODIMP +NSSSocketControl::GetKEAUsed(int16_t* aKea) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + *aKea = mKEAUsed; + return NS_OK; +} + +NS_IMETHODIMP +NSSSocketControl::GetKEAKeyBits(uint32_t* aKeyBits) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + *aKeyBits = mKEAKeyBits; + return NS_OK; +} + +NS_IMETHODIMP +NSSSocketControl::GetSSLVersionOffered(int16_t* aSSLVersionOffered) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + *aSSLVersionOffered = mTLSVersionRange.max; + return NS_OK; +} + +NS_IMETHODIMP +NSSSocketControl::GetMACAlgorithmUsed(int16_t* aMac) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + *aMac = mMACAlgorithmUsed; + return NS_OK; +} + +void NSSSocketControl::NoteTimeUntilReady() { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + if (mNotedTimeUntilReady) { + return; + } + mNotedTimeUntilReady = true; + + auto timestampNow = TimeStamp::Now(); + if (!(mProviderFlags & nsISocketProvider::IS_RETRY)) { + Telemetry::AccumulateTimeDelta(Telemetry::SSL_TIME_UNTIL_READY_FIRST_TRY, + mSocketCreationTimestamp, timestampNow); + } + + if (mProviderFlags & nsISocketProvider::BE_CONSERVATIVE) { + Telemetry::AccumulateTimeDelta(Telemetry::SSL_TIME_UNTIL_READY_CONSERVATIVE, + mSocketCreationTimestamp, timestampNow); + } + + switch (GetEchExtensionStatus()) { + case EchExtensionStatus::kGREASE: + Telemetry::AccumulateTimeDelta(Telemetry::SSL_TIME_UNTIL_READY_ECH_GREASE, + mSocketCreationTimestamp, timestampNow); + break; + case EchExtensionStatus::kReal: + Telemetry::AccumulateTimeDelta(Telemetry::SSL_TIME_UNTIL_READY_ECH, + mSocketCreationTimestamp, timestampNow); + break; + default: + break; + } + // This will include TCP and proxy tunnel wait time + Telemetry::AccumulateTimeDelta(Telemetry::SSL_TIME_UNTIL_READY, + mSocketCreationTimestamp, timestampNow); + + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("[%p] NSSSocketControl::NoteTimeUntilReady\n", mFd)); +} + +void NSSSocketControl::SetHandshakeCompleted() { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + if (!mHandshakeCompleted) { + enum HandshakeType { + Resumption = 1, + FalseStarted = 2, + ChoseNotToFalseStart = 3, + NotAllowedToFalseStart = 4, + }; + + HandshakeType handshakeType = !IsFullHandshake() ? Resumption + : mFalseStarted ? FalseStarted + : mFalseStartCallbackCalled + ? ChoseNotToFalseStart + : NotAllowedToFalseStart; + // This will include TCP and proxy tunnel wait time + if (mKeaGroupName.isSome()) { + Telemetry::AccumulateTimeDelta( + Telemetry::SSL_TIME_UNTIL_HANDSHAKE_FINISHED_KEYED_BY_KA, + *mKeaGroupName, mSocketCreationTimestamp, TimeStamp::Now()); + } + + // If the handshake is completed for the first time from just 1 callback + // that means that TLS session resumption must have been used. + Telemetry::Accumulate(Telemetry::SSL_RESUMED_SESSION, + handshakeType == Resumption); + Telemetry::Accumulate(Telemetry::SSL_HANDSHAKE_TYPE, handshakeType); + } + + // Remove the plaintext layer as it is not needed anymore. + // The plaintext layer is not always present - so it's not a fatal error if it + // cannot be removed. + // Note that PR_PopIOLayer may modify its stack, so a pointer returned by + // PR_GetIdentitiesLayer may not point to what we think it points to after + // calling PR_PopIOLayer. We must operate on the pointer returned by + // PR_PopIOLayer. + if (PR_GetIdentitiesLayer(mFd, + nsSSLIOLayerHelpers::nsSSLPlaintextLayerIdentity)) { + PRFileDesc* poppedPlaintext = + PR_PopIOLayer(mFd, nsSSLIOLayerHelpers::nsSSLPlaintextLayerIdentity); + poppedPlaintext->dtor(poppedPlaintext); + } + + mHandshakeCompleted = true; + + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("[%p] NSSSocketControl::SetHandshakeCompleted\n", (void*)mFd)); + + mIsFullHandshake = false; // reset for next handshake on this connection + + if (mTlsHandshakeCallback) { + auto callback = std::move(mTlsHandshakeCallback); + Unused << callback->HandshakeDone(); + } +} + +void NSSSocketControl::SetNegotiatedNPN(const char* value, uint32_t length) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + if (!value) { + mNegotiatedNPN.Truncate(); + } else { + mNegotiatedNPN.Assign(value, length); + } + mNPNCompleted = true; +} + +#define MAX_ALPN_LENGTH 255 + +NS_IMETHODIMP +NSSSocketControl::GetAlpnEarlySelection(nsACString& aAlpnSelected) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + aAlpnSelected.Truncate(); + + SSLPreliminaryChannelInfo info; + SECStatus rv = SSL_GetPreliminaryChannelInfo(mFd, &info, sizeof(info)); + if (rv != SECSuccess || !info.canSendEarlyData) { + return NS_ERROR_NOT_AVAILABLE; + } + + SSLNextProtoState alpnState; + unsigned char chosenAlpn[MAX_ALPN_LENGTH]; + unsigned int chosenAlpnLen; + rv = SSL_GetNextProto(mFd, &alpnState, chosenAlpn, &chosenAlpnLen, + AssertedCast<unsigned int>(ArrayLength(chosenAlpn))); + + if (rv != SECSuccess) { + return NS_ERROR_NOT_AVAILABLE; + } + + if (alpnState == SSL_NEXT_PROTO_EARLY_VALUE) { + aAlpnSelected.Assign(BitwiseCast<char*, unsigned char*>(chosenAlpn), + chosenAlpnLen); + } + + return NS_OK; +} + +NS_IMETHODIMP +NSSSocketControl::GetEarlyDataAccepted(bool* aAccepted) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + *aAccepted = mEarlyDataAccepted; + return NS_OK; +} + +void NSSSocketControl::SetEarlyDataAccepted(bool aAccepted) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + mEarlyDataAccepted = aAccepted; +} + +bool NSSSocketControl::GetDenyClientCert() { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + return mDenyClientCert; +} + +void NSSSocketControl::SetDenyClientCert(bool aDenyClientCert) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + mDenyClientCert = aDenyClientCert; +} + +NS_IMETHODIMP +NSSSocketControl::DriveHandshake() { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + if (!mFd) { + return NS_ERROR_FAILURE; + } + if (IsCanceled()) { + PRErrorCode errorCode = GetErrorCode(); + MOZ_DIAGNOSTIC_ASSERT(errorCode, "handshake cancelled without error code"); + return GetXPCOMFromNSSError(errorCode); + } + + SECStatus rv = SSL_ForceHandshake(mFd); + + if (rv != SECSuccess) { + PRErrorCode errorCode = PR_GetError(); + MOZ_ASSERT(errorCode, "handshake failed without error code"); + // There is a bug in NSS. Sometimes SSL_ForceHandshake will return + // SECFailure without setting an error code. In these cases, cancel + // the connection with SEC_ERROR_LIBRARY_FAILURE. + if (!errorCode) { + errorCode = SEC_ERROR_LIBRARY_FAILURE; + } + if (errorCode == PR_WOULD_BLOCK_ERROR) { + return NS_BASE_STREAM_WOULD_BLOCK; + } + + SetCanceled(errorCode); + return GetXPCOMFromNSSError(errorCode); + } + return NS_OK; +} + +bool NSSSocketControl::GetForSTARTTLS() { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + return mForSTARTTLS; +} + +void NSSSocketControl::SetForSTARTTLS(bool aForSTARTTLS) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + mForSTARTTLS = aForSTARTTLS; +} + +NS_IMETHODIMP +NSSSocketControl::ProxyStartSSL() { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + return ActivateSSL(); +} + +NS_IMETHODIMP +NSSSocketControl::StartTLS() { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + return ActivateSSL(); +} + +NS_IMETHODIMP +NSSSocketControl::SetNPNList(nsTArray<nsCString>& protocolArray) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + if (!mFd) return NS_ERROR_FAILURE; + + // the npn list is a concatenated list of 8 bit byte strings. + nsCString npnList; + + for (uint32_t index = 0; index < protocolArray.Length(); ++index) { + if (protocolArray[index].IsEmpty() || protocolArray[index].Length() > 255) + return NS_ERROR_ILLEGAL_VALUE; + + npnList.Append(protocolArray[index].Length()); + npnList.Append(protocolArray[index]); + } + + if (SSL_SetNextProtoNego( + mFd, BitwiseCast<const unsigned char*, const char*>(npnList.get()), + npnList.Length()) != SECSuccess) + return NS_ERROR_FAILURE; + + return NS_OK; +} + +nsresult NSSSocketControl::ActivateSSL() { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + if (SECSuccess != SSL_OptionSet(mFd, SSL_SECURITY, true)) + return NS_ERROR_FAILURE; + if (SECSuccess != SSL_ResetHandshake(mFd, false)) return NS_ERROR_FAILURE; + + mHandshakePending = true; + + return SetResumptionTokenFromExternalCache(mFd); +} + +nsresult NSSSocketControl::GetFileDescPtr(PRFileDesc** aFilePtr) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + *aFilePtr = mFd; + return NS_OK; +} + +nsresult NSSSocketControl::SetFileDescPtr(PRFileDesc* aFilePtr) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + mFd = aFilePtr; + return NS_OK; +} + +void NSSSocketControl::SetCertVerificationWaiting() { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + // mCertVerificationState may be BeforeCertVerification for the first + // handshake on the connection, or AfterCertVerification for subsequent + // renegotiation handshakes. + MOZ_ASSERT(mCertVerificationState != WaitingForCertVerification, + "Invalid state transition to WaitingForCertVerification"); + mCertVerificationState = WaitingForCertVerification; +} + +// Be careful that SetCertVerificationResult does NOT get called while we are +// processing a SSL callback function, because SSL_AuthCertificateComplete will +// attempt to acquire locks that are already held by libssl when it calls +// callbacks. +void NSSSocketControl::SetCertVerificationResult(PRErrorCode errorCode) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + SetUsedPrivateDNS(GetProviderFlags() & nsISocketProvider::USED_PRIVATE_DNS); + MOZ_ASSERT(mCertVerificationState == WaitingForCertVerification, + "Invalid state transition to AfterCertVerification"); + + if (mFd) { + SECStatus rv = SSL_AuthCertificateComplete(mFd, errorCode); + // Only replace errorCode if there was originally no error. + // SSL_AuthCertificateComplete will return SECFailure with the error code + // set to PR_WOULD_BLOCK_ERROR if there is a pending event to select a + // client authentication certificate. This is not an error. + if (rv != SECSuccess && PR_GetError() != PR_WOULD_BLOCK_ERROR && + errorCode == 0) { + errorCode = PR_GetError(); + if (errorCode == 0) { + NS_ERROR("SSL_AuthCertificateComplete didn't set error code"); + errorCode = PR_INVALID_STATE_ERROR; + } + } + } + + if (errorCode) { + mFailedVerification = true; + SetCanceled(errorCode); + } + + if (mPlaintextBytesRead && !errorCode) { + Telemetry::Accumulate(Telemetry::SSL_BYTES_BEFORE_CERT_CALLBACK, + AssertedCast<uint32_t>(mPlaintextBytesRead)); + } + + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("[%p] SetCertVerificationResult to AfterCertVerification, " + "mTlsHandshakeCallback=%p", + (void*)mFd, mTlsHandshakeCallback.get())); + + mCertVerificationState = AfterCertVerification; + if (mTlsHandshakeCallback) { + Unused << mTlsHandshakeCallback->CertVerificationDone(); + } +} + +void NSSSocketControl::ClientAuthCertificateSelected( + nsTArray<uint8_t>& certBytes, nsTArray<nsTArray<uint8_t>>& certChainBytes) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + // If mFd is nullptr, the connection has been closed already, so we don't + // need to do anything here. + if (!mFd) { + return; + } + SECItem certItem = { + siBuffer, + const_cast<uint8_t*>(certBytes.Elements()), + static_cast<unsigned int>(certBytes.Length()), + }; + UniqueCERTCertificate cert(CERT_NewTempCertificate( + CERT_GetDefaultCertDB(), &certItem, nullptr, false, true)); + UniqueSECKEYPrivateKey key; + if (cert) { + key.reset(PK11_FindKeyByAnyCert(cert.get(), nullptr)); + mClientCertChain.reset(CERT_NewCertList()); + if (key && mClientCertChain) { + for (const auto& certBytes : certChainBytes) { + SECItem certItem = { + siBuffer, + const_cast<uint8_t*>(certBytes.Elements()), + static_cast<unsigned int>(certBytes.Length()), + }; + UniqueCERTCertificate cert(CERT_NewTempCertificate( + CERT_GetDefaultCertDB(), &certItem, nullptr, false, true)); + if (cert) { + if (CERT_AddCertToListTail(mClientCertChain.get(), cert.get()) == + SECSuccess) { + Unused << cert.release(); + } + } + } + } + } + + bool sendingClientAuthCert = cert && key; + if (sendingClientAuthCert) { + mSentClientCert = true; + Telemetry::ScalarAdd(Telemetry::ScalarID::SECURITY_CLIENT_AUTH_CERT_USAGE, + u"sent"_ns, 1); + } + + Unused << SSL_ClientCertCallbackComplete( + mFd, sendingClientAuthCert ? SECSuccess : SECFailure, + sendingClientAuthCert ? key.release() : nullptr, + sendingClientAuthCert ? cert.release() : nullptr); + + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("[%p] ClientAuthCertificateSelected mTlsHandshakeCallback=%p", + (void*)mFd, mTlsHandshakeCallback.get())); + if (mTlsHandshakeCallback) { + Unused << mTlsHandshakeCallback->ClientAuthCertificateSelected(); + } +} + +SharedSSLState& NSSSocketControl::SharedState() { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + return mSharedState; +} + +void NSSSocketControl::SetSharedOwningReference(SharedSSLState* aRef) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + mOwningSharedRef = aRef; +} + +NS_IMETHODIMP +NSSSocketControl::DisableEarlyData() { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + if (!mFd) { + return NS_OK; + } + if (IsCanceled()) { + return NS_OK; + } + + if (SSL_OptionSet(mFd, SSL_ENABLE_0RTT_DATA, false) != SECSuccess) { + return NS_ERROR_FAILURE; + } + return NS_OK; +} + +NS_IMETHODIMP +NSSSocketControl::SetHandshakeCallbackListener( + nsITlsHandshakeCallbackListener* callback) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + mTlsHandshakeCallback = callback; + return NS_OK; +} + +PRStatus NSSSocketControl::CloseSocketAndDestroy() { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + + mPendingSelectClientAuthCertificate = nullptr; + + PRFileDesc* popped = PR_PopIOLayer(mFd, PR_TOP_IO_LAYER); + MOZ_ASSERT( + popped && popped->identity == nsSSLIOLayerHelpers::nsSSLIOLayerIdentity, + "SSL Layer not on top of stack"); + + // The plaintext layer is not always present - so it's not a fatal error if it + // cannot be removed. + // Note that PR_PopIOLayer may modify its stack, so a pointer returned by + // PR_GetIdentitiesLayer may not point to what we think it points to after + // calling PR_PopIOLayer. We must operate on the pointer returned by + // PR_PopIOLayer. + if (PR_GetIdentitiesLayer(mFd, + nsSSLIOLayerHelpers::nsSSLPlaintextLayerIdentity)) { + PRFileDesc* poppedPlaintext = + PR_PopIOLayer(mFd, nsSSLIOLayerHelpers::nsSSLPlaintextLayerIdentity); + poppedPlaintext->dtor(poppedPlaintext); + } + + // We need to clear the callback to make sure the ssl layer cannot call the + // callback after mFD is nulled. + SSL_SetResumptionTokenCallback(mFd, nullptr, nullptr); + + PRStatus status = mFd->methods->close(mFd); + + // the NSSSocketControl instance can out-live the connection, so we need some + // indication that the connection has been closed. mFd == nullptr is that + // indication. This is needed, for example, when the connection is closed + // before we have finished validating the server's certificate. + mFd = nullptr; + + if (status != PR_SUCCESS) return status; + + popped->identity = PR_INVALID_IO_LAYER; + popped->dtor(popped); + + return PR_SUCCESS; +} + +NS_IMETHODIMP +NSSSocketControl::GetEsniTxt(nsACString& aEsniTxt) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + aEsniTxt = mEsniTxt; + return NS_OK; +} + +NS_IMETHODIMP +NSSSocketControl::SetEsniTxt(const nsACString& aEsniTxt) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + mEsniTxt = aEsniTxt; + + if (mEsniTxt.Length()) { + nsAutoCString esniBin; + if (NS_OK != Base64Decode(mEsniTxt, esniBin)) { + MOZ_LOG(gPIPNSSLog, LogLevel::Error, + ("[%p] Invalid ESNIKeys record. Couldn't base64 decode\n", + (void*)mFd)); + return NS_OK; + } + + if (SECSuccess != + SSL_EnableESNI(mFd, reinterpret_cast<const PRUint8*>(esniBin.get()), + esniBin.Length(), nullptr)) { + MOZ_LOG(gPIPNSSLog, LogLevel::Error, + ("[%p] Invalid ESNIKeys record %s\n", (void*)mFd, + PR_ErrorToName(PR_GetError()))); + return NS_OK; + } + } + + return NS_OK; +} + +NS_IMETHODIMP +NSSSocketControl::GetEchConfig(nsACString& aEchConfig) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + aEchConfig = mEchConfig; + return NS_OK; +} + +NS_IMETHODIMP +NSSSocketControl::SetEchConfig(const nsACString& aEchConfig) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + mEchConfig = aEchConfig; + + if (mEchConfig.Length()) { + if (SECSuccess != + SSL_SetClientEchConfigs( + mFd, reinterpret_cast<const PRUint8*>(aEchConfig.BeginReading()), + aEchConfig.Length())) { + MOZ_LOG(gPIPNSSLog, LogLevel::Error, + ("[%p] Invalid EchConfig record %s\n", (void*)mFd, + PR_ErrorToName(PR_GetError()))); + return NS_OK; + } + UpdateEchExtensionStatus(EchExtensionStatus::kReal); + } + return NS_OK; +} + +NS_IMETHODIMP +NSSSocketControl::GetRetryEchConfig(nsACString& aEchConfig) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + if (!mFd) { + return NS_ERROR_FAILURE; + } + + ScopedAutoSECItem retryConfigItem; + SECStatus rv = SSL_GetEchRetryConfigs(mFd, &retryConfigItem); + if (rv != SECSuccess) { + return NS_ERROR_FAILURE; + } + aEchConfig = nsCString(reinterpret_cast<const char*>(retryConfigItem.data), + retryConfigItem.len); + return NS_OK; +} + +NS_IMETHODIMP +NSSSocketControl::GetPeerId(nsACString& aResult) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + if (!mPeerId.IsEmpty()) { + aResult.Assign(mPeerId); + return NS_OK; + } + + if (mProviderFlags & + nsISocketProvider::ANONYMOUS_CONNECT) { // See bug 466080 + mPeerId.AppendLiteral("anon:"); + } + if (mProviderFlags & nsISocketProvider::NO_PERMANENT_STORAGE) { + mPeerId.AppendLiteral("private:"); + } + if (mProviderFlags & nsISocketProvider::BE_CONSERVATIVE) { + mPeerId.AppendLiteral("beConservative:"); + } + + mPeerId.AppendPrintf("tlsflags0x%08x:", mProviderTlsFlags); + + mPeerId.Append(mHostName); + mPeerId.Append(':'); + mPeerId.AppendInt(GetPort()); + nsAutoCString suffix; + mOriginAttributes.CreateSuffix(suffix); + mPeerId.Append(suffix); + + aResult.Assign(mPeerId); + return NS_OK; +} + +nsresult NSSSocketControl::SetResumptionTokenFromExternalCache(PRFileDesc* fd) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + if (!fd) { + return NS_ERROR_INVALID_ARG; + } + + // If SSL_NO_CACHE option was set, we must not use the cache + PRIntn val; + if (SSL_OptionGet(fd, SSL_NO_CACHE, &val) != SECSuccess) { + return NS_ERROR_FAILURE; + } + + if (val != 0) { + return NS_OK; + } + + nsTArray<uint8_t> token; + nsAutoCString peerId; + nsresult rv = GetPeerId(peerId); + if (NS_FAILED(rv)) { + return rv; + } + + uint64_t tokenId = 0; + mozilla::net::SessionCacheInfo info; + rv = mozilla::net::SSLTokensCache::Get(peerId, token, info, &tokenId); + if (NS_FAILED(rv)) { + if (rv == NS_ERROR_NOT_AVAILABLE) { + // It's ok if we can't find the token. + return NS_OK; + } + + return rv; + } + + SECStatus srv = SSL_SetResumptionToken(fd, token.Elements(), token.Length()); + if (srv == SECFailure) { + PRErrorCode error = PR_GetError(); + mozilla::net::SSLTokensCache::Remove(peerId, tokenId); + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("Setting token failed with NSS error %d [id=%s]", error, + PromiseFlatCString(peerId).get())); + // We don't consider SSL_ERROR_BAD_RESUMPTION_TOKEN_ERROR as a hard error, + // since this error means this token is just expired or can't be decoded + // correctly. + if (error == SSL_ERROR_BAD_RESUMPTION_TOKEN_ERROR) { + return NS_OK; + } + + return NS_ERROR_FAILURE; + } + + SetSessionCacheInfo(std::move(info)); + + return NS_OK; +} + +void NSSSocketControl::SetPreliminaryHandshakeInfo( + const SSLChannelInfo& channelInfo, const SSLCipherSuiteInfo& cipherInfo) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + mResumed = channelInfo.resumed; + mCipherSuite.emplace(channelInfo.cipherSuite); + mProtocolVersion.emplace(channelInfo.protocolVersion & 0xFF); + mKeaGroupName.emplace(getKeaGroupName(channelInfo.keaGroup)); + mSignatureSchemeName.emplace(getSignatureName(channelInfo.signatureScheme)); + mIsDelegatedCredential.emplace(channelInfo.peerDelegCred); + mIsAcceptedEch.emplace(channelInfo.echAccepted); +} + +NS_IMETHODIMP NSSSocketControl::Claim() { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + mClaimed = true; + return NS_OK; +} + +NS_IMETHODIMP NSSSocketControl::SetBrowserId(uint64_t browserId) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + mBrowserId = browserId; + return NS_OK; +} + +NS_IMETHODIMP NSSSocketControl::GetBrowserId(uint64_t* browserId) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + if (!browserId) { + return NS_ERROR_INVALID_ARG; + } + *browserId = mBrowserId; + return NS_OK; +} diff --git a/security/manager/ssl/NSSSocketControl.h b/security/manager/ssl/NSSSocketControl.h new file mode 100644 index 0000000000..f607340b76 --- /dev/null +++ b/security/manager/ssl/NSSSocketControl.h @@ -0,0 +1,366 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef NSSSocketControl_h +#define NSSSocketControl_h + +#include "CommonSocketControl.h" +#include "SharedSSLState.h" +#include "TLSClientAuthCertSelection.h" +#include "nsThreadUtils.h" + +extern mozilla::LazyLogModule gPIPNSSLog; + +class SelectClientAuthCertificate; + +class NSSSocketControl final : public CommonSocketControl { + public: + NSSSocketControl(const nsCString& aHostName, int32_t aPort, + mozilla::psm::SharedSSLState& aState, uint32_t providerFlags, + uint32_t providerTlsFlags); + + NS_INLINE_DECL_REFCOUNTING_INHERITED(NSSSocketControl, CommonSocketControl); + + void SetForSTARTTLS(bool aForSTARTTLS); + bool GetForSTARTTLS(); + + nsresult GetFileDescPtr(PRFileDesc** aFilePtr); + nsresult SetFileDescPtr(PRFileDesc* aFilePtr); + + bool IsHandshakePending() const { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + return mHandshakePending; + } + void SetHandshakeNotPending() { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + mHandshakePending = false; + } + + void SetTLSVersionRange(SSLVersionRange range) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + mTLSVersionRange = range; + } + SSLVersionRange GetTLSVersionRange() const { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + return mTLSVersionRange; + }; + + // From nsITLSSocketControl. + NS_IMETHOD ProxyStartSSL(void) override; + NS_IMETHOD StartTLS(void) override; + NS_IMETHOD SetNPNList(nsTArray<nsCString>& aNPNList) override; + NS_IMETHOD GetAlpnEarlySelection(nsACString& _retval) override; + NS_IMETHOD GetEarlyDataAccepted(bool* aEarlyDataAccepted) override; + NS_IMETHOD DriveHandshake(void) override; + NS_IMETHOD GetKEAUsed(int16_t* aKEAUsed) override; + NS_IMETHOD GetKEAKeyBits(uint32_t* aKEAKeyBits) override; + NS_IMETHOD GetSSLVersionOffered(int16_t* aSSLVersionOffered) override; + NS_IMETHOD GetMACAlgorithmUsed(int16_t* aMACAlgorithmUsed) override; + bool GetDenyClientCert() override; + void SetDenyClientCert(bool aDenyClientCert) override; + NS_IMETHOD GetEsniTxt(nsACString& aEsniTxt) override; + NS_IMETHOD SetEsniTxt(const nsACString& aEsniTxt) override; + NS_IMETHOD GetEchConfig(nsACString& aEchConfig) override; + NS_IMETHOD SetEchConfig(const nsACString& aEchConfig) override; + NS_IMETHOD GetPeerId(nsACString& aResult) override; + NS_IMETHOD GetRetryEchConfig(nsACString& aEchConfig) override; + NS_IMETHOD DisableEarlyData(void) override; + NS_IMETHOD SetHandshakeCallbackListener( + nsITlsHandshakeCallbackListener* callback) override; + NS_IMETHOD Claim() override; + NS_IMETHOD SetBrowserId(uint64_t browserId) override; + NS_IMETHOD GetBrowserId(uint64_t* browserId) override; + + PRStatus CloseSocketAndDestroy(); + + void SetNegotiatedNPN(const char* value, uint32_t length); + void SetEarlyDataAccepted(bool aAccepted); + + void SetHandshakeCompleted(); + bool IsHandshakeCompleted() const { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + return mHandshakeCompleted; + } + void NoteTimeUntilReady(); + + void SetFalseStartCallbackCalled() { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + mFalseStartCallbackCalled = true; + } + void SetFalseStarted() { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + mFalseStarted = true; + } + + // Note that this is only valid *during* a handshake; at the end of the + // handshake, it gets reset back to false. + void SetFullHandshake() { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + mIsFullHandshake = true; + } + bool IsFullHandshake() const { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + return mIsFullHandshake; + } + + void UpdateEchExtensionStatus(EchExtensionStatus aEchExtensionStatus) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + mEchExtensionStatus = std::max(aEchExtensionStatus, mEchExtensionStatus); + } + EchExtensionStatus GetEchExtensionStatus() const { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + return mEchExtensionStatus; + } + + void WillSendXyberShare() { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + mSentXyberShare = true; + } + + bool SentXyberShare() { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + return mSentXyberShare; + } + + void SetHasTls13HandshakeSecrets() { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + mHasTls13HandshakeSecrets = true; + } + + bool HasTls13HandshakeSecrets() { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + return mHasTls13HandshakeSecrets; + } + + bool GetJoined() { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + return mJoined; + } + + uint32_t GetProviderTlsFlags() const { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + return mProviderTlsFlags; + } + + mozilla::psm::SharedSSLState& SharedState(); + + enum CertVerificationState { + BeforeCertVerification, + WaitingForCertVerification, + AfterCertVerification + }; + + void SetCertVerificationWaiting(); + + // Use errorCode == 0 to indicate success; + void SetCertVerificationResult(PRErrorCode errorCode) override; + + void ClientAuthCertificateSelected( + nsTArray<uint8_t>& certBytes, + nsTArray<nsTArray<uint8_t>>& certChainBytes); + + bool IsWaitingForCertVerification() const { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + return mCertVerificationState == WaitingForCertVerification; + } + void AddPlaintextBytesRead(uint64_t val) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + mPlaintextBytesRead += val; + } + + bool IsPreliminaryHandshakeDone() const { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + return mPreliminaryHandshakeDone; + } + void SetPreliminaryHandshakeDone() { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + mPreliminaryHandshakeDone = true; + } + + void SetKEAUsed(int16_t kea) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + mKEAUsed = kea; + } + + void SetKEAKeyBits(uint32_t keaBits) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + mKEAKeyBits = keaBits; + } + + void SetMACAlgorithmUsed(int16_t mac) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + mMACAlgorithmUsed = mac; + } + + void SetShortWritePending(int32_t amount, unsigned char data) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + mIsShortWritePending = true; + mShortWriteOriginalAmount = amount; + mShortWritePendingByte = data; + } + + bool IsShortWritePending() { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + return mIsShortWritePending; + } + + unsigned char const* GetShortWritePendingByteRef() { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + return &mShortWritePendingByte; + } + + int32_t ResetShortWritePending() { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + mIsShortWritePending = false; + return mShortWriteOriginalAmount; + } + +#ifdef DEBUG + // These helpers assert that the caller does try to send the same data + // as it was previously when we hit the short-write. This is a measure + // to make sure we communicate correctly to the consumer. + void RememberShortWrittenBuffer(const unsigned char* data) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + mShortWriteBufferCheck = + mozilla::MakeUnique<char[]>(mShortWriteOriginalAmount); + memcpy(mShortWriteBufferCheck.get(), data, mShortWriteOriginalAmount); + } + void CheckShortWrittenBuffer(const unsigned char* data, int32_t amount) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + if (!mShortWriteBufferCheck) return; + MOZ_ASSERT(amount >= mShortWriteOriginalAmount, + "unexpected amount length after short write"); + MOZ_ASSERT( + !memcmp(mShortWriteBufferCheck.get(), data, mShortWriteOriginalAmount), + "unexpected buffer content after short write"); + mShortWriteBufferCheck = nullptr; + } +#endif + + void SetSharedOwningReference(mozilla::psm::SharedSSLState* ref); + + nsresult SetResumptionTokenFromExternalCache(PRFileDesc* fd); + + void SetPreliminaryHandshakeInfo(const SSLChannelInfo& channelInfo, + const SSLCipherSuiteInfo& cipherInfo); + + void SetPendingSelectClientAuthCertificate( + nsCOMPtr<nsIRunnable>&& selectClientAuthCertificate) { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + MOZ_LOG( + gPIPNSSLog, mozilla::LogLevel::Debug, + ("[%p] setting pending select client auth certificate", (void*)mFd)); + // If the connection corresponding to this socket hasn't been claimed, it + // is a speculative connection. The connection will block until the "choose + // a client auth certificate" dialog has been shown. The dialog will only + // be shown when this connection gets claimed. However, necko will never + // claim the connection as long as it is blocking. Thus, this connection + // can't proceed, so it's best to cancel it. Necko will create a new, + // non-speculative connection instead. + if (!mClaimed) { + SetCanceled(PR_CONNECT_RESET_ERROR); + } else { + mPendingSelectClientAuthCertificate = + std::move(selectClientAuthCertificate); + } + } + + void MaybeDispatchSelectClientAuthCertificate() { + COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD(); + if (!IsWaitingForCertVerification() && mClaimed && + mPendingSelectClientAuthCertificate) { + MOZ_LOG(gPIPNSSLog, mozilla::LogLevel::Debug, + ("[%p] dispatching pending select client auth certificate", + (void*)mFd)); + mozilla::Unused << NS_DispatchToMainThread( + mPendingSelectClientAuthCertificate); + mPendingSelectClientAuthCertificate = nullptr; + } + } + + private: + ~NSSSocketControl() = default; + + PRFileDesc* mFd; + + CertVerificationState mCertVerificationState; + + mozilla::psm::SharedSSLState& mSharedState; + bool mForSTARTTLS; + SSLVersionRange mTLSVersionRange; + bool mHandshakePending; + bool mPreliminaryHandshakeDone; // after false start items are complete + + nsresult ActivateSSL(); + + nsCString mEsniTxt; + nsCString mEchConfig; + bool mEarlyDataAccepted; + bool mDenyClientCert; + bool mFalseStartCallbackCalled; + bool mFalseStarted; + bool mIsFullHandshake; + bool mNotedTimeUntilReady; + EchExtensionStatus mEchExtensionStatus; // Currently only used for telemetry. + bool mSentXyberShare; + bool mHasTls13HandshakeSecrets; + + // True when SSL layer has indicated an "SSL short write", i.e. need + // to call on send one or more times to push all pending data to write. + bool mIsShortWritePending; + + // These are only valid if mIsShortWritePending is true. + // + // Value of the last byte pending from the SSL short write that needs + // to be passed to subsequent calls to send to perform the flush. + unsigned char mShortWritePendingByte; + + // Original amount of data the upper layer has requested to write to + // return after the successful flush. + int32_t mShortWriteOriginalAmount; + +#ifdef DEBUG + mozilla::UniquePtr<char[]> mShortWriteBufferCheck; +#endif + + // mKEA* are used in false start and http/2 detetermination + // Values are from nsITLSSocketControl + int16_t mKEAUsed; + uint32_t mKEAKeyBits; + int16_t mMACAlgorithmUsed; + + uint32_t mProviderTlsFlags; + mozilla::TimeStamp mSocketCreationTimestamp; + uint64_t mPlaintextBytesRead; + + bool mClaimed; + nsCOMPtr<nsIRunnable> mPendingSelectClientAuthCertificate; + + // Regarding the client certificate message in the TLS handshake, RFC 5246 + // (TLS 1.2) says: + // If the certificate_authorities list in the certificate request + // message was non-empty, one of the certificates in the certificate + // chain SHOULD be issued by one of the listed CAs. + // (RFC 8446 (TLS 1.3) has a similar provision) + // These certificates may be known to gecko but not NSS (e.g. enterprise + // intermediates). In order to make these certificates discoverable to NSS + // so it can include them in the message, we cache them here as temporary + // certificates. + mozilla::UniqueCERTCertList mClientCertChain; + + // if non-null this is a reference to the mSharedState (which is + // not an owning reference). If this is used, the info has a private + // state that does not share things like intolerance lists with the + // rest of the session. This is normally used when you have per + // socket tls flags overriding session wide defaults. + RefPtr<mozilla::psm::SharedSSLState> mOwningSharedRef; + + nsCOMPtr<nsITlsHandshakeCallbackListener> mTlsHandshakeCallback; + + uint64_t mBrowserId; +}; + +#endif // NSSSocketControl_h diff --git a/security/manager/ssl/OSKeyStore.cpp b/security/manager/ssl/OSKeyStore.cpp new file mode 100644 index 0000000000..5ab289b0dd --- /dev/null +++ b/security/manager/ssl/OSKeyStore.cpp @@ -0,0 +1,628 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "OSKeyStore.h" + +#include "mozilla/Base64.h" +#include "mozilla/dom/Promise.h" +#include "nsThreadUtils.h" +#include "nsXPCOM.h" +#include "pk11pub.h" + +#if defined(XP_MACOSX) +# include "KeychainSecret.h" +#elif defined(XP_WIN) +# include "CredentialManagerSecret.h" +#elif defined(MOZ_WIDGET_GTK) +# include "LibSecret.h" +# include "NSSKeyStore.h" +#else +# include "NSSKeyStore.h" +#endif + +NS_IMPL_ISUPPORTS(OSKeyStore, nsIOSKeyStore) + +using namespace mozilla; +using dom::Promise; + +OSKeyStore::OSKeyStore() : mKs(nullptr) { + MOZ_ASSERT(NS_IsMainThread()); + if (NS_WARN_IF(!NS_IsMainThread())) { + return; + } + +#if defined(XP_MACOSX) + mKs.reset(new KeychainSecret()); +#elif defined(XP_WIN) + mKs.reset(new CredentialManagerSecret()); +#elif defined(MOZ_WIDGET_GTK) + if (NS_SUCCEEDED(MaybeLoadLibSecret())) { + mKs.reset(new LibSecret()); + } else { + mKs.reset(new NSSKeyStore()); + } +#else + mKs.reset(new NSSKeyStore()); +#endif +} + +static nsresult GenerateRandom(std::vector<uint8_t>& r) { + if (r.empty()) { + return NS_ERROR_INVALID_ARG; + } + UniquePK11SlotInfo slot(PK11_GetInternalSlot()); + if (!slot) { + return NS_ERROR_FAILURE; + } + + SECStatus srv = PK11_GenerateRandomOnSlot(slot.get(), r.data(), r.size()); + if (srv != SECSuccess) { + r.clear(); + return NS_ERROR_FAILURE; + } + + return NS_OK; +} + +nsresult OSKeyStore::SecretAvailable(const nsACString& aLabel, + /* out */ bool* aAvailable) { + NS_ENSURE_STATE(mKs); + *aAvailable = mKs->SecretAvailable(aLabel); + return NS_OK; +} + +nsresult OSKeyStore::GenerateSecret(const nsACString& aLabel, + /* out */ nsACString& aRecoveryPhrase) { + NS_ENSURE_STATE(mKs); + size_t keyByteLength = mKs->GetKeyByteLength(); + std::vector<uint8_t> secret(keyByteLength); + nsresult rv = GenerateRandom(secret); + if (NS_FAILED(rv) || secret.size() != keyByteLength) { + return NS_ERROR_FAILURE; + } + nsAutoCString secretString; + secretString.Assign(BitwiseCast<char*, uint8_t*>(secret.data()), + secret.size()); + + nsCString base64; + rv = Base64Encode(secretString, base64); + if (NS_FAILED(rv)) { + return rv; + } + + rv = mKs->StoreSecret(secretString, aLabel); + if (NS_FAILED(rv)) { + return rv; + } + + aRecoveryPhrase = std::move(base64); + return NS_OK; +} + +nsresult OSKeyStore::RecoverSecret(const nsACString& aLabel, + const nsACString& aRecoveryPhrase) { + NS_ENSURE_STATE(mKs); + nsAutoCString secret; + nsresult rv = Base64Decode(aRecoveryPhrase, secret); + if (NS_FAILED(rv)) { + return rv; + } + if (secret.Length() != mKs->GetKeyByteLength()) { + return NS_ERROR_INVALID_ARG; + } + rv = mKs->StoreSecret(secret, aLabel); + if (NS_FAILED(rv)) { + return rv; + } + + return NS_OK; +} + +nsresult OSKeyStore::DeleteSecret(const nsACString& aLabel) { + NS_ENSURE_STATE(mKs); + return mKs->DeleteSecret(aLabel); +} + +enum Cipher { Encrypt = true, Decrypt = false }; + +nsresult OSKeyStore::EncryptBytes(const nsACString& aLabel, + const std::vector<uint8_t>& aInBytes, + /*out*/ nsACString& aEncryptedBase64Text) { + NS_ENSURE_STATE(mKs); + + aEncryptedBase64Text.Truncate(); + std::vector<uint8_t> outBytes; + nsresult rv = + mKs->EncryptDecrypt(aLabel, aInBytes, outBytes, Cipher::Encrypt); + if (NS_FAILED(rv)) { + return rv; + } + nsAutoCString ciphertext; + ciphertext.Assign(BitwiseCast<char*, uint8_t*>(outBytes.data()), + outBytes.size()); + + nsCString base64ciphertext; + rv = Base64Encode(ciphertext, base64ciphertext); + if (NS_FAILED(rv)) { + return rv; + } + aEncryptedBase64Text = std::move(base64ciphertext); + return NS_OK; +} + +nsresult OSKeyStore::DecryptBytes(const nsACString& aLabel, + const nsACString& aEncryptedBase64Text, + /*out*/ uint32_t* outLen, + /*out*/ uint8_t** outBytes) { + NS_ENSURE_STATE(mKs); + NS_ENSURE_ARG_POINTER(outLen); + NS_ENSURE_ARG_POINTER(outBytes); + *outLen = 0; + *outBytes = nullptr; + + nsAutoCString ciphertext; + nsresult rv = Base64Decode(aEncryptedBase64Text, ciphertext); + if (NS_FAILED(rv)) { + return rv; + } + uint8_t* tmp = BitwiseCast<uint8_t*, const char*>(ciphertext.BeginReading()); + const std::vector<uint8_t> ciphertextBytes(tmp, tmp + ciphertext.Length()); + std::vector<uint8_t> plaintextBytes; + rv = mKs->EncryptDecrypt(aLabel, ciphertextBytes, plaintextBytes, + Cipher::Decrypt); + if (NS_FAILED(rv)) { + return rv; + } + + *outBytes = (uint8_t*)moz_xmalloc(plaintextBytes.size()); + memcpy(*outBytes, plaintextBytes.data(), plaintextBytes.size()); + *outLen = plaintextBytes.size(); + return NS_OK; +} + +// Async interfaces that return promises because the key store implementation +// might block, e.g. asking for a password. + +nsresult GetPromise(JSContext* aCx, /* out */ RefPtr<Promise>& aPromise) { + nsIGlobalObject* globalObject = xpc::CurrentNativeGlobal(aCx); + if (NS_WARN_IF(!globalObject)) { + return NS_ERROR_UNEXPECTED; + } + ErrorResult result; + aPromise = Promise::Create(globalObject, result); + if (NS_WARN_IF(result.Failed())) { + return result.StealNSResult(); + } + return NS_OK; +} + +void BackgroundGenerateSecret(const nsACString& aLabel, + RefPtr<Promise>& aPromise, + RefPtr<OSKeyStore> self) { + nsAutoCString recovery; + nsresult rv = self->GenerateSecret(aLabel, recovery); + nsAutoString recoveryString; + if (NS_SUCCEEDED(rv)) { + CopyUTF8toUTF16(recovery, recoveryString); + } + nsCOMPtr<nsIRunnable> runnable(NS_NewRunnableFunction( + "BackgroundGenerateSecreteOSKSResolve", + [rv, aPromise = std::move(aPromise), recoveryString]() { + if (NS_FAILED(rv)) { + aPromise->MaybeReject(rv); + } else { + aPromise->MaybeResolve(recoveryString); + } + })); + NS_DispatchToMainThread(runnable.forget()); +} + +NS_IMETHODIMP +OSKeyStore::AsyncGenerateSecret(const nsACString& aLabel, JSContext* aCx, + Promise** promiseOut) { + MOZ_ASSERT(NS_IsMainThread()); + if (!NS_IsMainThread()) { + return NS_ERROR_NOT_SAME_THREAD; + } + + NS_ENSURE_ARG_POINTER(aCx); + + RefPtr<Promise> promiseHandle; + nsresult rv = GetPromise(aCx, promiseHandle); + if (NS_FAILED(rv)) { + return rv; + } + + RefPtr<OSKeyStore> self = this; + nsCOMPtr<nsIRunnable> runnable(NS_NewRunnableFunction( + "BackgroundGenerateSecret", + [self, promiseHandle, aLabel = nsAutoCString(aLabel)]() mutable { + BackgroundGenerateSecret(aLabel, promiseHandle, self); + })); + + promiseHandle.forget(promiseOut); + return NS_DispatchBackgroundTask(runnable.forget(), + NS_DISPATCH_EVENT_MAY_BLOCK); +} + +void BackgroundSecretAvailable(const nsACString& aLabel, + RefPtr<Promise>& aPromise, + RefPtr<OSKeyStore> self) { + bool available = false; + nsresult rv = self->SecretAvailable(aLabel, &available); + nsCOMPtr<nsIRunnable> runnable(NS_NewRunnableFunction( + "BackgroundSecreteAvailableOSKSResolve", + [rv, aPromise = std::move(aPromise), available = available]() { + if (NS_FAILED(rv)) { + aPromise->MaybeReject(rv); + } else { + aPromise->MaybeResolve(available); + } + })); + NS_DispatchToMainThread(runnable.forget()); +} + +NS_IMETHODIMP +OSKeyStore::AsyncSecretAvailable(const nsACString& aLabel, JSContext* aCx, + Promise** promiseOut) { + MOZ_ASSERT(NS_IsMainThread()); + if (!NS_IsMainThread()) { + return NS_ERROR_NOT_SAME_THREAD; + } + + NS_ENSURE_ARG_POINTER(aCx); + + RefPtr<Promise> promiseHandle; + nsresult rv = GetPromise(aCx, promiseHandle); + if (NS_FAILED(rv)) { + return rv; + } + + RefPtr<OSKeyStore> self = this; + nsCOMPtr<nsIRunnable> runnable(NS_NewRunnableFunction( + "BackgroundSecretAvailable", + [self, promiseHandle, aLabel = nsAutoCString(aLabel)]() mutable { + BackgroundSecretAvailable(aLabel, promiseHandle, self); + })); + + promiseHandle.forget(promiseOut); + return NS_DispatchBackgroundTask(runnable.forget(), + NS_DISPATCH_EVENT_MAY_BLOCK); +} + +void BackgroundRecoverSecret(const nsACString& aLabel, + const nsACString& aRecoveryPhrase, + RefPtr<Promise>& aPromise, + RefPtr<OSKeyStore> self) { + nsresult rv = self->RecoverSecret(aLabel, aRecoveryPhrase); + nsCOMPtr<nsIRunnable> runnable( + NS_NewRunnableFunction("BackgroundRecoverSecreteOSKSResolve", + [rv, aPromise = std::move(aPromise)]() { + if (NS_FAILED(rv)) { + aPromise->MaybeReject(rv); + } else { + aPromise->MaybeResolveWithUndefined(); + } + })); + NS_DispatchToMainThread(runnable.forget()); +} + +NS_IMETHODIMP +OSKeyStore::AsyncRecoverSecret(const nsACString& aLabel, + const nsACString& aRecoveryPhrase, + JSContext* aCx, Promise** promiseOut) { + MOZ_ASSERT(NS_IsMainThread()); + if (!NS_IsMainThread()) { + return NS_ERROR_NOT_SAME_THREAD; + } + + NS_ENSURE_ARG_POINTER(aCx); + + RefPtr<Promise> promiseHandle; + nsresult rv = GetPromise(aCx, promiseHandle); + if (NS_FAILED(rv)) { + return rv; + } + + RefPtr<OSKeyStore> self = this; + nsCOMPtr<nsIRunnable> runnable(NS_NewRunnableFunction( + "BackgroundRecoverSecret", + [self, promiseHandle, aLabel = nsAutoCString(aLabel), + aRecoveryPhrase = nsAutoCString(aRecoveryPhrase)]() mutable { + BackgroundRecoverSecret(aLabel, aRecoveryPhrase, promiseHandle, self); + })); + + promiseHandle.forget(promiseOut); + return NS_DispatchBackgroundTask(runnable.forget(), + NS_DISPATCH_EVENT_MAY_BLOCK); +} + +void BackgroundDeleteSecret(const nsACString& aLabel, RefPtr<Promise>& aPromise, + RefPtr<OSKeyStore> self) { + nsresult rv = self->DeleteSecret(aLabel); + nsCOMPtr<nsIRunnable> runnable( + NS_NewRunnableFunction("BackgroundDeleteSecreteOSKSResolve", + [rv, aPromise = std::move(aPromise)]() { + if (NS_FAILED(rv)) { + aPromise->MaybeReject(rv); + } else { + aPromise->MaybeResolveWithUndefined(); + } + })); + NS_DispatchToMainThread(runnable.forget()); +} + +NS_IMETHODIMP +OSKeyStore::AsyncDeleteSecret(const nsACString& aLabel, JSContext* aCx, + Promise** promiseOut) { + MOZ_ASSERT(NS_IsMainThread()); + if (!NS_IsMainThread()) { + return NS_ERROR_NOT_SAME_THREAD; + } + + NS_ENSURE_ARG_POINTER(aCx); + + RefPtr<Promise> promiseHandle; + nsresult rv = GetPromise(aCx, promiseHandle); + if (NS_FAILED(rv)) { + return rv; + } + + RefPtr<OSKeyStore> self = this; + nsCOMPtr<nsIRunnable> runnable(NS_NewRunnableFunction( + "BackgroundDeleteSecret", + [self, promiseHandle, aLabel = nsAutoCString(aLabel)]() mutable { + BackgroundDeleteSecret(aLabel, promiseHandle, self); + })); + + promiseHandle.forget(promiseOut); + return NS_DispatchBackgroundTask(runnable.forget(), + NS_DISPATCH_EVENT_MAY_BLOCK); +} + +static void BackgroundEncryptBytes(const nsACString& aLabel, + const std::vector<uint8_t>& aInBytes, + RefPtr<Promise>& aPromise, + RefPtr<OSKeyStore> self) { + nsAutoCString ciphertext; + nsresult rv = self->EncryptBytes(aLabel, aInBytes, ciphertext); + nsAutoString ctext; + CopyUTF8toUTF16(ciphertext, ctext); + + nsCOMPtr<nsIRunnable> runnable( + NS_NewRunnableFunction("BackgroundEncryptOSKSResolve", + [rv, aPromise = std::move(aPromise), ctext]() { + if (NS_FAILED(rv)) { + aPromise->MaybeReject(rv); + } else { + aPromise->MaybeResolve(ctext); + } + })); + NS_DispatchToMainThread(runnable.forget()); +} + +NS_IMETHODIMP +OSKeyStore::AsyncEncryptBytes(const nsACString& aLabel, + const nsTArray<uint8_t>& inBytes, JSContext* aCx, + Promise** promiseOut) { + MOZ_ASSERT(NS_IsMainThread()); + if (!NS_IsMainThread()) { + return NS_ERROR_NOT_SAME_THREAD; + } + + NS_ENSURE_ARG_POINTER(aCx); + + RefPtr<Promise> promiseHandle; + nsresult rv = GetPromise(aCx, promiseHandle); + if (NS_FAILED(rv)) { + return rv; + } + + RefPtr<OSKeyStore> self = this; + nsCOMPtr<nsIRunnable> runnable(NS_NewRunnableFunction( + "BackgroundEncryptBytes", + [promiseHandle, + inBytes = std::vector<uint8_t>(inBytes.Elements(), + inBytes.Elements() + inBytes.Length()), + aLabel = nsAutoCString(aLabel), self]() mutable { + BackgroundEncryptBytes(aLabel, inBytes, promiseHandle, self); + })); + + promiseHandle.forget(promiseOut); + return NS_DispatchBackgroundTask(runnable.forget(), + NS_DISPATCH_EVENT_MAY_BLOCK); +} + +void BackgroundDecryptBytes(const nsACString& aLabel, + const nsACString& aEncryptedBase64Text, + RefPtr<Promise>& aPromise, + RefPtr<OSKeyStore> self) { + uint8_t* plaintext = nullptr; + uint32_t plaintextLen = 0; + nsresult rv = self->DecryptBytes(aLabel, aEncryptedBase64Text, &plaintextLen, + &plaintext); + nsTArray<uint8_t> plain; + if (plaintext) { + MOZ_ASSERT(plaintextLen > 0); + plain.AppendElements(plaintext, plaintextLen); + free(plaintext); + } + + nsCOMPtr<nsIRunnable> runnable(NS_NewRunnableFunction( + "BackgroundDecryptOSKSResolve", + [rv, aPromise = std::move(aPromise), plain = std::move(plain)]() { + if (NS_FAILED(rv)) { + aPromise->MaybeReject(rv); + } else { + aPromise->MaybeResolve(plain); + } + })); + NS_DispatchToMainThread(runnable.forget()); +} + +NS_IMETHODIMP +OSKeyStore::AsyncDecryptBytes(const nsACString& aLabel, + const nsACString& aEncryptedBase64Text, + JSContext* aCx, Promise** promiseOut) { + MOZ_ASSERT(NS_IsMainThread()); + if (!NS_IsMainThread()) { + return NS_ERROR_NOT_SAME_THREAD; + } + + NS_ENSURE_ARG_POINTER(aCx); + + RefPtr<Promise> promiseHandle; + nsresult rv = GetPromise(aCx, promiseHandle); + if (NS_FAILED(rv)) { + return rv; + } + + RefPtr<OSKeyStore> self = this; + nsCOMPtr<nsIRunnable> runnable(NS_NewRunnableFunction( + "BackgroundDecryptBytes", + [promiseHandle, self, + aEncryptedBase64Text = nsAutoCString(aEncryptedBase64Text), + aLabel = nsAutoCString(aLabel)]() mutable { + BackgroundDecryptBytes(aLabel, aEncryptedBase64Text, promiseHandle, + self); + })); + + promiseHandle.forget(promiseOut); + return NS_DispatchBackgroundTask(runnable.forget(), + NS_DISPATCH_EVENT_MAY_BLOCK); +} + +// Generic AES-GCM cipher wrapper for NSS functions. + +nsresult AbstractOSKeyStore::BuildAesGcmKey(std::vector<uint8_t> aKeyBytes, + /* out */ UniquePK11SymKey& aKey) { + if (aKeyBytes.size() != mKeyByteLength) { + return NS_ERROR_INVALID_ARG; + } + + UniquePK11SlotInfo slot(PK11_GetInternalSlot()); + if (!slot) { + return NS_ERROR_FAILURE; + } + + UniqueSECItem key = + UniqueSECItem(SECITEM_AllocItem(nullptr, nullptr, mKeyByteLength)); + if (!key) { + return NS_ERROR_FAILURE; + } + key->type = siBuffer; + memcpy(key->data, aKeyBytes.data(), mKeyByteLength); + key->len = mKeyByteLength; + + UniquePK11SymKey symKey( + PK11_ImportSymKey(slot.get(), CKM_AES_GCM, PK11_OriginUnwrap, + CKA_DECRYPT | CKA_ENCRYPT, key.get(), nullptr)); + + if (!symKey) { + return NS_ERROR_FAILURE; + } + aKey.swap(symKey); + + return NS_OK; +} + +nsresult AbstractOSKeyStore::DoCipher(const UniquePK11SymKey& aSymKey, + const std::vector<uint8_t>& inBytes, + std::vector<uint8_t>& outBytes, + bool encrypt) { + NS_ENSURE_ARG_POINTER(aSymKey); + outBytes.clear(); + + // Build params. + // We need to get the IV from inBytes if we decrypt. + if (!encrypt && (inBytes.size() < mIVLength || inBytes.empty())) { + return NS_ERROR_INVALID_ARG; + } + + const uint8_t* ivp = nullptr; + std::vector<uint8_t> ivBuf; + if (encrypt) { + // Generate a new IV. + ivBuf.resize(mIVLength); + nsresult rv = GenerateRandom(ivBuf); + if (NS_FAILED(rv) || ivBuf.size() != mIVLength) { + return NS_ERROR_FAILURE; + } + ivp = ivBuf.data(); + } else { + // An IV was passed in. Use the first mIVLength bytes from inBytes as IV. + ivp = inBytes.data(); + } + + CK_GCM_PARAMS gcm_params; + gcm_params.pIv = const_cast<unsigned char*>(ivp); + gcm_params.ulIvLen = mIVLength; + gcm_params.ulIvBits = gcm_params.ulIvLen * 8; + gcm_params.ulTagBits = 128; + gcm_params.pAAD = nullptr; + gcm_params.ulAADLen = 0; + + SECItem paramsItem = {siBuffer, reinterpret_cast<unsigned char*>(&gcm_params), + sizeof(CK_GCM_PARAMS)}; + + size_t blockLength = 16; + outBytes.resize(inBytes.size() + blockLength); + unsigned int outLen = 0; + SECStatus srv = SECFailure; + if (encrypt) { + srv = PK11_Encrypt(aSymKey.get(), CKM_AES_GCM, ¶msItem, outBytes.data(), + &outLen, inBytes.size() + blockLength, inBytes.data(), + inBytes.size()); + // Prepend the used IV to the ciphertext. + Unused << outBytes.insert(outBytes.begin(), ivp, ivp + mIVLength); + outLen += mIVLength; + } else { + // Remove the IV from the input. + std::vector<uint8_t> input(inBytes); + input.erase(input.begin(), input.begin() + mIVLength); + srv = PK11_Decrypt(aSymKey.get(), CKM_AES_GCM, ¶msItem, outBytes.data(), + &outLen, input.size() + blockLength, input.data(), + input.size()); + } + if (srv != SECSuccess || outLen > outBytes.size()) { + outBytes.clear(); + return NS_ERROR_FAILURE; + } + if (outLen < outBytes.size()) { + outBytes.resize(outLen); + } + + return NS_OK; +} + +bool AbstractOSKeyStore::SecretAvailable(const nsACString& aLabel) { + nsAutoCString secret; + nsresult rv = RetrieveSecret(aLabel, secret); + if (NS_FAILED(rv) || secret.Length() == 0) { + return false; + } + return true; +} + +nsresult AbstractOSKeyStore::EncryptDecrypt(const nsACString& aLabel, + const std::vector<uint8_t>& inBytes, + std::vector<uint8_t>& outBytes, + bool encrypt) { + nsAutoCString secret; + nsresult rv = RetrieveSecret(aLabel, secret); + if (NS_FAILED(rv) || secret.Length() == 0) { + return NS_ERROR_FAILURE; + } + + uint8_t* p = BitwiseCast<uint8_t*, const char*>(secret.BeginReading()); + std::vector<uint8_t> buf(p, p + secret.Length()); + UniquePK11SymKey symKey; + rv = BuildAesGcmKey(buf, symKey); + if (NS_FAILED(rv)) { + return NS_ERROR_FAILURE; + } + return DoCipher(symKey, inBytes, outBytes, encrypt); +} diff --git a/security/manager/ssl/OSKeyStore.h b/security/manager/ssl/OSKeyStore.h new file mode 100644 index 0000000000..8094b448d9 --- /dev/null +++ b/security/manager/ssl/OSKeyStore.h @@ -0,0 +1,98 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +// Generic key store implementation for platforms that we don't support with OS +// specific implementations. + +#ifndef OSKeyStore_h +#define OSKeyStore_h + +#include "nsCOMPtr.h" +#include "nsIOSKeyStore.h" +#include "nsString.h" +#include "ScopedNSSTypes.h" + +#include <memory> +#include <vector> + +class AbstractOSKeyStore { + public: + // Retrieve a secret with the given label. + virtual nsresult RetrieveSecret(const nsACString& aLabel, + /* out */ nsACString& aSecret) = 0; + // Store a new secret with the given label. + virtual nsresult StoreSecret(const nsACString& secret, + const nsACString& label) = 0; + // Delete the secret with the given label. + virtual nsresult DeleteSecret(const nsACString& label) = 0; + virtual ~AbstractOSKeyStore() = default; + + // Returns true if the secret with the given label is available in the key + // store, false otherwise. + virtual bool SecretAvailable(const nsACString& label); + // Perform encryption or decryption operation with the given secret and input + // bytes. The output is written in outBytes. This function can make use of the + // AesGcm class to use NSS for encryption and decryption. + virtual nsresult EncryptDecrypt(const nsACString& label, + const std::vector<uint8_t>& inBytes, + std::vector<uint8_t>& outBytes, bool encrypt); + + size_t GetKeyByteLength() { return mKeyByteLength; } + + protected: + /* These helper functions are implemented in OSKeyStore.cpp and implement + * common functionality of the abstract key store to encrypt and decrypt. + */ + nsresult DoCipher(const mozilla::UniquePK11SymKey& aSymKey, + const std::vector<uint8_t>& inBytes, + std::vector<uint8_t>& outBytes, bool aEncrypt); + nsresult BuildAesGcmKey(std::vector<uint8_t> keyBytes, + /* out */ mozilla::UniquePK11SymKey& aKey); + + private: + const size_t mKeyByteLength = 16; + const size_t mIVLength = 12; +}; + +#define NS_OSKEYSTORE_CONTRACTID "@mozilla.org/security/oskeystore;1" +#define NS_OSKEYSTORE_CID \ + { \ + 0x57972956, 0x5718, 0x42d2, { \ + 0x80, 0x70, 0xb3, 0xfc, 0x72, 0x21, 0x2e, 0xaf \ + } \ + } + +nsresult GetPromise(JSContext* aCx, + /* out */ RefPtr<mozilla::dom::Promise>& aPromise); + +class OSKeyStore final : public nsIOSKeyStore { + public: + NS_DECL_THREADSAFE_ISUPPORTS + NS_DECL_NSIOSKEYSTORE + + OSKeyStore(); + nsresult GenerateSecret(const nsACString& aLabel, + /* out */ nsACString& aRecoveryPhrase); + nsresult SecretAvailable(const nsACString& aLabel, + /* out */ bool* aAvailable); + nsresult RecoverSecret(const nsACString& aLabel, + const nsACString& aRecoveryPhrase); + nsresult DeleteSecret(const nsACString& aLabel); + nsresult EncryptBytes(const nsACString& aLabel, + const std::vector<uint8_t>& aInBytes, + /*out*/ nsACString& aEncryptedBase64Text); + nsresult DecryptBytes(const nsACString& aLabel, + const nsACString& aEncryptedBase64Text, + /*out*/ uint32_t* outLen, + /*out*/ uint8_t** outBytes); + + private: + ~OSKeyStore() = default; + + std::unique_ptr<AbstractOSKeyStore> mKs; +}; + +#endif // OSKeyStore_h diff --git a/security/manager/ssl/OSReauthenticator.cpp b/security/manager/ssl/OSReauthenticator.cpp new file mode 100644 index 0000000000..b63b8d557f --- /dev/null +++ b/security/manager/ssl/OSReauthenticator.cpp @@ -0,0 +1,562 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "OSReauthenticator.h" + +#include "OSKeyStore.h" +#include "nsNetCID.h" +#include "mozilla/dom/Promise.h" +#include "mozilla/Logging.h" +#include "mozilla/Maybe.h" +#include "mozilla/Preferences.h" +#include "nsComponentManagerUtils.h" +#include "nsIBaseWindow.h" +#include "nsIDocShell.h" +#include "nsISupportsUtils.h" +#include "nsIWidget.h" +#include "nsPIDOMWindow.h" +#include "nsServiceManagerUtils.h" +#include "nsThreadUtils.h" +#include "mozilla/ipc/IPCTypes.h" + +NS_IMPL_ISUPPORTS(OSReauthenticator, nsIOSReauthenticator) + +extern mozilla::LazyLogModule gCredentialManagerSecretLog; + +using mozilla::LogLevel; +using mozilla::Maybe; +using mozilla::Preferences; +using mozilla::WindowsHandle; +using mozilla::dom::Promise; + +#define PREF_BLANK_PASSWORD "security.osreauthenticator.blank_password" +#define PREF_PASSWORD_LAST_CHANGED_LO \ + "security.osreauthenticator.password_last_changed_lo" +#define PREF_PASSWORD_LAST_CHANGED_HI \ + "security.osreauthenticator.password_last_changed_hi" + +#if defined(XP_WIN) +# include <combaseapi.h> +# include <ntsecapi.h> +# include <wincred.h> +# include <windows.h> +# include "nsIWindowsRegKey.h" // Must be included after <windows.h> for HKEY definition +# define SECURITY_WIN32 +# include <security.h> +# include <shlwapi.h> +# if !defined(__MINGW32__) +# include <Lm.h> +# undef ACCESS_READ // nsWindowsRegKey defines its own ACCESS_READ +# endif // !defined(__MINGW32__) +struct HandleCloser { + typedef HANDLE pointer; + void operator()(HANDLE h) { + if (h != INVALID_HANDLE_VALUE) { + CloseHandle(h); + } + } +}; +struct BufferFreer { + typedef LPVOID pointer; + ULONG mSize; + explicit BufferFreer(ULONG size) : mSize(size) {} + void operator()(LPVOID b) { + SecureZeroMemory(b, mSize); + CoTaskMemFree(b); + } +}; +struct LsaDeregistrator { + typedef HANDLE pointer; + void operator()(HANDLE h) { + if (h != INVALID_HANDLE_VALUE) { + LsaDeregisterLogonProcess(h); + } + } +}; +typedef std::unique_ptr<HANDLE, HandleCloser> ScopedHANDLE; +typedef std::unique_ptr<LPVOID, BufferFreer> ScopedBuffer; +typedef std::unique_ptr<HANDLE, LsaDeregistrator> ScopedLsaHANDLE; + +constexpr int64_t Int32Modulo = 2147483648; + +// Get the token info holding the sid. +std::unique_ptr<char[]> GetTokenInfo(ScopedHANDLE& token) { + DWORD length = 0; + // https://docs.microsoft.com/en-us/windows/desktop/api/securitybaseapi/nf-securitybaseapi-gettokeninformation + mozilla::Unused << GetTokenInformation(token.get(), TokenUser, nullptr, 0, + &length); + if (!length || GetLastError() != ERROR_INSUFFICIENT_BUFFER) { + MOZ_LOG(gCredentialManagerSecretLog, LogLevel::Debug, + ("Unable to obtain current token info.")); + return nullptr; + } + std::unique_ptr<char[]> token_info(new char[length]); + if (!GetTokenInformation(token.get(), TokenUser, token_info.get(), length, + &length)) { + MOZ_LOG(gCredentialManagerSecretLog, LogLevel::Debug, + ("Unable to obtain current token info (second call, possible " + "system error.")); + return nullptr; + } + return token_info; +} + +std::unique_ptr<char[]> GetUserTokenInfo() { + // Get current user sid to make sure the same user got logged in. + HANDLE token; + if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &token)) { + // Couldn't get a process token. This will fail any unlock attempts later. + MOZ_LOG(gCredentialManagerSecretLog, LogLevel::Debug, + ("Unable to obtain process token.")); + return nullptr; + } + ScopedHANDLE scopedToken(token); + return GetTokenInfo(scopedToken); +} + +Maybe<int64_t> GetPasswordLastChanged(const WCHAR* username) { +# if defined(__MINGW32__) + // NetUserGetInfo requires Lm.h which is not provided in MinGW builds + return mozilla::Nothing(); +# else + LPUSER_INFO_1 user_info = NULL; + DWORD passwordAgeInSeconds = 0; + + NET_API_STATUS ret = + NetUserGetInfo(NULL, username, 1, reinterpret_cast<LPBYTE*>(&user_info)); + + if (ret == NERR_Success) { + // Returns seconds since last password change. + passwordAgeInSeconds = user_info->usri1_password_age; + NetApiBufferFree(user_info); + } else { + return mozilla::Nothing(); + } + + // Return the time that the password was changed so we can use this + // for future comparisons. + return mozilla::Some(PR_Now() - passwordAgeInSeconds * PR_USEC_PER_SEC); +# endif +} + +bool IsAutoAdminLogonEnabled() { + // https://support.microsoft.com/en-us/help/324737/how-to-turn-on-automatic-logon-in-windows + nsresult rv; + nsCOMPtr<nsIWindowsRegKey> regKey = + do_CreateInstance("@mozilla.org/windows-registry-key;1", &rv); + if (NS_FAILED(rv)) { + return false; + } + + rv = regKey->Open( + nsIWindowsRegKey::ROOT_KEY_LOCAL_MACHINE, + nsLiteralString( + u"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"), + nsIWindowsRegKey::ACCESS_READ); + if (NS_FAILED(rv)) { + return false; + } + + nsAutoString value; + rv = regKey->ReadStringValue(u"AutoAdminLogon"_ns, value); + if (NS_FAILED(rv)) { + return false; + } + regKey->Close(); + + return value.Equals(u"1"_ns); +} + +bool IsRequireSignonEnabled() { + // https://docs.microsoft.com/en-us/windows-hardware/customize/power-settings/no-subgroup-settings-prompt-for-password-on-resume + nsresult rv; + nsCOMPtr<nsIWindowsRegKey> regKey = + do_CreateInstance("@mozilla.org/windows-registry-key;1", &rv); + if (NS_FAILED(rv)) { + return true; + } + + rv = regKey->Open(nsIWindowsRegKey::ROOT_KEY_LOCAL_MACHINE, + u"System\\CurrentControlSet\\Control\\Power\\User\\Power" + "Schemes"_ns, + nsIWindowsRegKey::ACCESS_READ); + if (NS_FAILED(rv)) { + return true; + } + + nsAutoString activePowerScheme; + rv = regKey->ReadStringValue(u"ActivePowerScheme"_ns, activePowerScheme); + if (NS_FAILED(rv)) { + return true; + } + regKey->Close(); + + rv = regKey->Open(nsIWindowsRegKey::ROOT_KEY_LOCAL_MACHINE, + u"System\\CurrentControlSet\\Control\\Power\\User\\Power" + "Schemes\\"_ns + + activePowerScheme + + u"\\0e796bdb-100d-47d6-a2d5-f7d2daa51f51"_ns, + nsIWindowsRegKey::ACCESS_READ); + if (NS_FAILED(rv)) { + return true; + } + + uint32_t value; + rv = regKey->ReadIntValue(u"ACSettingIndex"_ns, &value); + if (NS_FAILED(rv)) { + return true; + } + regKey->Close(); + + return !!value; +} + +// Use the Windows credential prompt to ask the user to authenticate the +// currently used account. +static nsresult ReauthenticateUserWindows( + const nsAString& aMessageText, const nsAString& aCaptionText, + const WindowsHandle& hwndParent, + /* out */ bool& reauthenticated, + /* inout */ bool& isBlankPassword, + /* inout */ int64_t& prefLastChanged, + /* out */ bool& isAutoAdminLogonEnabled, + /* out */ bool& isRequireSignonEnabled) { + reauthenticated = false; + isAutoAdminLogonEnabled = false; + isRequireSignonEnabled = true; + + // Check if the user has a blank password before proceeding + DWORD usernameLength = CREDUI_MAX_USERNAME_LENGTH + 1; + WCHAR username[CREDUI_MAX_USERNAME_LENGTH + 1] = {0}; + + if (!GetUserNameEx(NameSamCompatible, username, &usernameLength)) { + MOZ_LOG(gCredentialManagerSecretLog, LogLevel::Debug, + ("Error getting username")); + return NS_ERROR_FAILURE; + } + + if (!IsOS(OS_DOMAINMEMBER)) { + const WCHAR* usernameNoDomain = username; + // Don't include the domain portion of the username when calling LogonUser. + LPCWSTR backslash = wcschr(username, L'\\'); + if (backslash) { + usernameNoDomain = backslash + 1; + } + + Maybe<int64_t> lastChanged = GetPasswordLastChanged(usernameNoDomain); + if (lastChanged.isSome()) { + bool shouldCheckAgain = lastChanged.value() > prefLastChanged; + // Update the value stored in preferences + prefLastChanged = lastChanged.value(); + + if (shouldCheckAgain) { + HANDLE logonUserHandle = INVALID_HANDLE_VALUE; + bool result = + LogonUser(usernameNoDomain, L".", L"", LOGON32_LOGON_INTERACTIVE, + LOGON32_PROVIDER_DEFAULT, &logonUserHandle); + if (result) { + CloseHandle(logonUserHandle); + } + // ERROR_ACCOUNT_RESTRICTION: Indicates a referenced user name and + // authentication information are valid, but some user account + // restriction has prevented successful authentication (such as + // time-of-day restrictions). + reauthenticated = isBlankPassword = + (result || GetLastError() == ERROR_ACCOUNT_RESTRICTION); + } else if (isBlankPassword) { + reauthenticated = true; + } + + if (reauthenticated) { + return NS_OK; + } + } else { + isBlankPassword = false; + } + } else { + // Update any preferences, assuming domain members do not have blank + // passwords + isBlankPassword = false; + } + + isAutoAdminLogonEnabled = IsAutoAdminLogonEnabled(); + + isRequireSignonEnabled = IsRequireSignonEnabled(); + + // Is used in next iteration if the previous login failed. + DWORD err = 0; + std::unique_ptr<char[]> userTokenInfo = GetUserTokenInfo(); + + // CredUI prompt. + CREDUI_INFOW credui = {}; + credui.cbSize = sizeof(credui); + credui.hwndParent = reinterpret_cast<HWND>(hwndParent); + const nsString& messageText = PromiseFlatString(aMessageText); + credui.pszMessageText = messageText.get(); + const nsString& captionText = PromiseFlatString(aCaptionText); + credui.pszCaptionText = captionText.get(); + credui.hbmBanner = nullptr; // ignored + + while (!reauthenticated) { + HANDLE lsa = INVALID_HANDLE_VALUE; + // Get authentication handle for future user authentications. + // https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/nf-ntsecapi-lsaconnectuntrusted + if (LsaConnectUntrusted(&lsa) != ERROR_SUCCESS) { + MOZ_LOG(gCredentialManagerSecretLog, LogLevel::Debug, + ("Error acquiring lsa. Authentication attempts will fail.")); + return NS_ERROR_FAILURE; + } + ScopedLsaHANDLE scopedLsa(lsa); + + if (!userTokenInfo || lsa == INVALID_HANDLE_VALUE) { + MOZ_LOG(gCredentialManagerSecretLog, LogLevel::Debug, + ("Error setting up login and user token.")); + return NS_ERROR_FAILURE; + } + + ULONG authPackage = 0; + ULONG outCredSize = 0; + LPVOID outCredBuffer = nullptr; + + // Get user's Windows credentials. + // https://docs.microsoft.com/en-us/windows/desktop/api/wincred/nf-wincred-creduipromptforwindowscredentialsw + err = CredUIPromptForWindowsCredentialsW( + &credui, err, &authPackage, nullptr, 0, &outCredBuffer, &outCredSize, + nullptr, CREDUIWIN_ENUMERATE_CURRENT_USER); + ScopedBuffer scopedOutCredBuffer(outCredBuffer, BufferFreer(outCredSize)); + if (err == ERROR_CANCELLED) { + MOZ_LOG(gCredentialManagerSecretLog, LogLevel::Debug, + ("Error getting authPackage for user login, user cancel.")); + return NS_OK; + } + if (err != ERROR_SUCCESS) { + MOZ_LOG(gCredentialManagerSecretLog, LogLevel::Debug, + ("Error getting authPackage for user login.")); + return NS_ERROR_FAILURE; + } + + // Verify the credentials. + TOKEN_SOURCE source; + PCHAR contextName = const_cast<PCHAR>("Mozilla"); + size_t nameLength = + std::min(TOKEN_SOURCE_LENGTH, static_cast<int>(strlen(contextName))); + // Note that the string must not be longer than TOKEN_SOURCE_LENGTH. + memcpy(source.SourceName, contextName, nameLength); + // https://docs.microsoft.com/en-us/windows/desktop/api/securitybaseapi/nf-securitybaseapi-allocatelocallyuniqueid + if (!AllocateLocallyUniqueId(&source.SourceIdentifier)) { + MOZ_LOG(gCredentialManagerSecretLog, LogLevel::Debug, + ("Error allocating ID for logon process.")); + return NS_ERROR_FAILURE; + } + + NTSTATUS substs; + void* profileBuffer = nullptr; + ULONG profileBufferLength = 0; + QUOTA_LIMITS limits = {0}; + LUID luid; + HANDLE token = INVALID_HANDLE_VALUE; + LSA_STRING name; + name.Buffer = contextName; + name.Length = strlen(name.Buffer); + name.MaximumLength = name.Length; + // https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/nf-ntsecapi-lsalogonuser + NTSTATUS sts = LsaLogonUser( + scopedLsa.get(), &name, (SECURITY_LOGON_TYPE)Interactive, authPackage, + scopedOutCredBuffer.get(), outCredSize, nullptr, &source, + &profileBuffer, &profileBufferLength, &luid, &token, &limits, &substs); + ScopedHANDLE scopedToken(token); + LsaFreeReturnBuffer(profileBuffer); + if (sts == ERROR_SUCCESS) { + MOZ_LOG(gCredentialManagerSecretLog, LogLevel::Debug, + ("User logged in successfully.")); + } else { + err = LsaNtStatusToWinError(sts); + MOZ_LOG(gCredentialManagerSecretLog, LogLevel::Debug, + ("Login failed with %lx (%lx).", sts, err)); + continue; + } + + // The user can select any user to log-in on the authentication prompt. + // Make sure that the logged in user is the current user. + std::unique_ptr<char[]> logonTokenInfo = GetTokenInfo(scopedToken); + if (!logonTokenInfo) { + MOZ_LOG(gCredentialManagerSecretLog, LogLevel::Debug, + ("Error getting logon token info.")); + return NS_ERROR_FAILURE; + } + PSID logonSID = + reinterpret_cast<TOKEN_USER*>(logonTokenInfo.get())->User.Sid; + PSID userSID = reinterpret_cast<TOKEN_USER*>(userTokenInfo.get())->User.Sid; + if (EqualSid(userSID, logonSID)) { + MOZ_LOG(gCredentialManagerSecretLog, LogLevel::Debug, + ("Login successfully (correct user).")); + reauthenticated = true; + break; + } else { + err = ERROR_LOGON_FAILURE; + } + } + return NS_OK; +} +#endif // XP_WIN + +static nsresult ReauthenticateUser(const nsAString& prompt, + const nsAString& caption, + const WindowsHandle& hwndParent, + /* out */ bool& reauthenticated, + /* inout */ bool& isBlankPassword, + /* inout */ int64_t& prefLastChanged, + /* out */ bool& isAutoAdminLogonEnabled, + /* out */ bool& isRequireSignonEnabled) { + reauthenticated = false; +#if defined(XP_WIN) + return ReauthenticateUserWindows( + prompt, caption, hwndParent, reauthenticated, isBlankPassword, + prefLastChanged, isAutoAdminLogonEnabled, isRequireSignonEnabled); +#elif defined(XP_MACOSX) + return ReauthenticateUserMacOS(prompt, reauthenticated, isBlankPassword); +#else + return NS_OK; +#endif // Reauthentication is not implemented for this platform. +} + +static void BackgroundReauthenticateUser(RefPtr<Promise>& aPromise, + const nsAString& aMessageText, + const nsAString& aCaptionText, + const WindowsHandle& hwndParent, + bool isBlankPassword, + int64_t prefLastChanged) { + nsAutoCString recovery; + bool reauthenticated; + bool isAutoAdminLogonEnabled; + bool isRequireSignonEnabled; + nsresult rv = ReauthenticateUser( + aMessageText, aCaptionText, hwndParent, reauthenticated, isBlankPassword, + prefLastChanged, isAutoAdminLogonEnabled, isRequireSignonEnabled); + + nsTArray<int32_t> prefLastChangedUpdates; +#if defined(XP_WIN) + // Increase the lastChanged time to account for clock skew. + prefLastChanged += PR_USEC_PER_SEC; + // Need to split the 64bit integer to its hi and lo bits before sending it + // back to JS. + int32_t prefLastChangedHi = prefLastChanged / Int32Modulo; + int32_t prefLastChangedLo = prefLastChanged % Int32Modulo; + prefLastChangedUpdates.AppendElement(prefLastChangedHi); + prefLastChangedUpdates.AppendElement(prefLastChangedLo); +#endif + + nsTArray<int32_t> results; + results.AppendElement(reauthenticated); + results.AppendElement(isBlankPassword); +#if defined(XP_WIN) + results.AppendElement(isAutoAdminLogonEnabled); + results.AppendElement(isRequireSignonEnabled); +#endif + nsCOMPtr<nsIRunnable> runnable(NS_NewRunnableFunction( + "BackgroundReauthenticateUserResolve", + [rv, results = std::move(results), + prefLastChangedUpdates = std::move(prefLastChangedUpdates), + aPromise = std::move(aPromise)]() { + if (NS_FAILED(rv)) { + aPromise->MaybeReject(rv); + } else { + aPromise->MaybeResolve(results); + } + + nsresult rv = Preferences::SetBool(PREF_BLANK_PASSWORD, results[1]); + if (NS_FAILED(rv)) { + return; + } + if (prefLastChangedUpdates.Length() > 1) { + rv = Preferences::SetInt(PREF_PASSWORD_LAST_CHANGED_HI, + prefLastChangedUpdates[0]); + if (NS_FAILED(rv)) { + return; + } + Preferences::SetInt(PREF_PASSWORD_LAST_CHANGED_LO, + prefLastChangedUpdates[1]); + } + })); + NS_DispatchToMainThread(runnable.forget()); +} + +NS_IMETHODIMP +OSReauthenticator::AsyncReauthenticateUser(const nsAString& aMessageText, + const nsAString& aCaptionText, + mozIDOMWindow* aParentWindow, + JSContext* aCx, + Promise** promiseOut) { + NS_ENSURE_ARG_POINTER(aCx); + + RefPtr<Promise> promiseHandle; + nsresult rv = GetPromise(aCx, promiseHandle); + if (NS_FAILED(rv)) { + return rv; + } + + WindowsHandle hwndParent = 0; + if (aParentWindow) { + nsPIDOMWindowInner* win = nsPIDOMWindowInner::From(aParentWindow); + nsIDocShell* docShell = win->GetDocShell(); + if (docShell) { + nsCOMPtr<nsIBaseWindow> baseWindow = do_QueryInterface(docShell); + if (baseWindow) { + nsCOMPtr<nsIWidget> widget; + baseWindow->GetMainWidget(getter_AddRefs(widget)); + if (widget) { + hwndParent = reinterpret_cast<WindowsHandle>( + widget->GetNativeData(NS_NATIVE_WINDOW)); + } + } + } + } + + int64_t prefLastChanged = 0; + bool isBlankPassword = false; +#if defined(XP_WIN) + // These preferences are only supported on Windows. + // Preferences are read/write main-thread only. + int32_t prefLastChangedLo; + int32_t prefLastChangedHi; + rv = Preferences::GetBool(PREF_BLANK_PASSWORD, &isBlankPassword); + if (NS_FAILED(rv)) { + return rv; + } + rv = Preferences::GetInt(PREF_PASSWORD_LAST_CHANGED_LO, &prefLastChangedLo); + if (NS_FAILED(rv)) { + return rv; + } + rv = Preferences::GetInt(PREF_PASSWORD_LAST_CHANGED_HI, &prefLastChangedHi); + if (NS_FAILED(rv)) { + return rv; + } + prefLastChanged = prefLastChangedHi * Int32Modulo + prefLastChangedLo; +#endif + + nsCOMPtr<nsIRunnable> runnable(NS_NewRunnableFunction( + "BackgroundReauthenticateUser", + [promiseHandle, aMessageText = nsAutoString(aMessageText), + aCaptionText = nsAutoString(aCaptionText), hwndParent, isBlankPassword, + prefLastChanged]() mutable { + BackgroundReauthenticateUser(promiseHandle, aMessageText, aCaptionText, + hwndParent, isBlankPassword, + prefLastChanged); + })); + + nsCOMPtr<nsIEventTarget> target( + do_GetService(NS_STREAMTRANSPORTSERVICE_CONTRACTID)); + if (!target) { + return NS_ERROR_FAILURE; + } + rv = target->Dispatch(runnable, NS_DISPATCH_NORMAL); + if (NS_WARN_IF(NS_FAILED(rv))) { + return rv; + } + + promiseHandle.forget(promiseOut); + return NS_OK; +} diff --git a/security/manager/ssl/OSReauthenticator.h b/security/manager/ssl/OSReauthenticator.h new file mode 100644 index 0000000000..837dfa91c0 --- /dev/null +++ b/security/manager/ssl/OSReauthenticator.h @@ -0,0 +1,36 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef OSReauthenticator_h +#define OSReauthenticator_h + +#include "nsIOSReauthenticator.h" + +#define NS_OSREAUTHENTICATOR_CONTRACTID \ + "@mozilla.org/security/osreauthenticator;1" +#define NS_OSREAUTHENTICATOR_CID \ + { \ + 0x4fe082ae, 0x6ff0, 0x4b41, { \ + 0xb2, 0x4f, 0xea, 0xa6, 0x64, 0xf6, 0xe4, 0x6a \ + } \ + } + +class OSReauthenticator : public nsIOSReauthenticator { + public: + NS_DECL_THREADSAFE_ISUPPORTS + NS_DECL_NSIOSREAUTHENTICATOR + + private: + virtual ~OSReauthenticator() = default; +}; + +#ifdef XP_MACOSX +nsresult ReauthenticateUserMacOS(const nsAString& aPrompt, + /* out */ bool& aReauthenticated, + /* out */ bool& aIsBlankPassword); +#endif // XP_MACOSX + +#endif // OSReauthenticator_h diff --git a/security/manager/ssl/OSReauthenticatorDarwin.mm b/security/manager/ssl/OSReauthenticatorDarwin.mm new file mode 100644 index 0000000000..5776f60674 --- /dev/null +++ b/security/manager/ssl/OSReauthenticatorDarwin.mm @@ -0,0 +1,63 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "OSReauthenticator.h" + +#include "nsCocoaUtils.h" + +using namespace mozilla; + +#include <CoreFoundation/CoreFoundation.h> +#include <LocalAuthentication/LocalAuthentication.h> + +static const int32_t kPasswordNotSetErrorCode = -1000; + +nsresult ReauthenticateUserMacOS(const nsAString& aPrompt, + /* out */ bool& aReauthenticated, + /* out */ bool& aIsBlankPassword) { + // The idea here is that we ask to be authorized to unlock the user's session. + // This should cause a prompt to come up for the user asking them for their + // password. If they correctly enter it, we'll set aReauthenticated to true. + + LAContext* context = [[LAContext alloc] init]; + NSString* prompt = nsCocoaUtils::ToNSString(aPrompt); + + dispatch_semaphore_t sema = dispatch_semaphore_create(0); + + __block BOOL biometricSuccess = NO; // mark variable r/w across the block + __block BOOL errorPasswordNotSet = NO; // mark variable r/w across the block + + // Note: This is an async callback in an already-async Promise chain. + [context evaluatePolicy:LAPolicyDeviceOwnerAuthentication + localizedReason:prompt + reply:^(BOOL success, NSError* error) { + dispatch_async(dispatch_get_main_queue(), ^{ + // error is not particularly useful in this context, and + // we have no mechanism to really return it. We could + // use it to set the nsresult, but this is a best-effort + // mechanism and there's no particular case for + // propagating up XPCOM. The one exception being a user + // account that has no passcode set, which we handle + // below. + errorPasswordNotSet = + error && [error code] == kPasswordNotSetErrorCode; + biometricSuccess = success || errorPasswordNotSet; + dispatch_semaphore_signal(sema); + }); + }]; + + // What we want to do here is convert this into a blocking call, since + // our calling methods expect us to block and set aReauthenticated on return. + dispatch_semaphore_wait(sema, DISPATCH_TIME_FOREVER); + dispatch_release(sema); + sema = NULL; + + aReauthenticated = biometricSuccess; + aIsBlankPassword = errorPasswordNotSet; + + [context release]; + return NS_OK; +} diff --git a/security/manager/ssl/PIPCClientCerts.ipdl b/security/manager/ssl/PIPCClientCerts.ipdl new file mode 100644 index 0000000000..5adecae93d --- /dev/null +++ b/security/manager/ssl/PIPCClientCerts.ipdl @@ -0,0 +1,32 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +include PSMIPCTypes; + +using mozilla::OriginAttributes from "mozilla/ipc/BackgroundUtils.h"; + +namespace mozilla { +namespace psm { + +[ChildProc=Socket] +sync protocol PIPCClientCerts +{ +parent: + // Called from the socket process to the parent process to find client + // certificates and associated keys. + sync FindObjects() returns (IPCClientCertObject[] aObjects); + + // Called from the socket process to the parent process to sign the given + // data with the given parameters using the key associated with the given + // certificate. Used when a TLS server requests a client authentication + // certificate. + sync Sign(ByteArray aCert, ByteArray aData, ByteArray aParams) + returns (ByteArray aSignature); + + async __delete__(); +}; + +} // namespace psm +} // namespace mozilla diff --git a/security/manager/ssl/PKCS11ModuleDB.cpp b/security/manager/ssl/PKCS11ModuleDB.cpp new file mode 100644 index 0000000000..3825abb8b2 --- /dev/null +++ b/security/manager/ssl/PKCS11ModuleDB.cpp @@ -0,0 +1,184 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "PKCS11ModuleDB.h" + +#include "ScopedNSSTypes.h" +#include "nsComponentManagerUtils.h" +#include "nsIMutableArray.h" +#include "nsNSSCertHelper.h" +#include "nsNSSComponent.h" +#include "nsNativeCharsetUtils.h" +#include "nsPKCS11Slot.h" +#include "nsServiceManagerUtils.h" + +namespace mozilla { +namespace psm { + +NS_IMPL_ISUPPORTS(PKCS11ModuleDB, nsIPKCS11ModuleDB) + +// Convert the UTF16 name of the module as it appears to the user to the +// internal representation. For most modules this just involves converting from +// UTF16 to UTF8. For the builtin root module, it also involves mapping from the +// localized name to the internal, non-localized name. +static nsresult NormalizeModuleNameIn(const nsAString& moduleNameIn, + nsCString& moduleNameOut) { + nsAutoString localizedRootModuleName; + nsresult rv = + GetPIPNSSBundleString("RootCertModuleName", localizedRootModuleName); + if (NS_FAILED(rv)) { + return rv; + } + if (moduleNameIn.Equals(localizedRootModuleName)) { + moduleNameOut.Assign(kRootModuleName); + return NS_OK; + } + moduleNameOut.Assign(NS_ConvertUTF16toUTF8(moduleNameIn)); + return NS_OK; +} + +// Delete a PKCS11 module from the user's profile. +NS_IMETHODIMP +PKCS11ModuleDB::DeleteModule(const nsAString& aModuleName) { + if (aModuleName.IsEmpty()) { + return NS_ERROR_INVALID_ARG; + } + + nsAutoCString moduleNameNormalized; + nsresult rv = NormalizeModuleNameIn(aModuleName, moduleNameNormalized); + if (NS_FAILED(rv)) { + return rv; + } + // modType is an output variable. We ignore it. + int32_t modType; + SECStatus srv = SECMOD_DeleteModule(moduleNameNormalized.get(), &modType); + if (srv != SECSuccess) { + return NS_ERROR_FAILURE; + } + + return NS_OK; +} + +// Add a new PKCS11 module to the user's profile. +NS_IMETHODIMP +PKCS11ModuleDB::AddModule(const nsAString& aModuleName, + const nsAString& aLibraryFullPath, + int32_t aCryptoMechanismFlags, int32_t aCipherFlags) { + if (aModuleName.IsEmpty()) { + return NS_ERROR_INVALID_ARG; + } + + // "Root Certs" is the name some NSS command-line utilities will give the + // roots module if they decide to load it when there happens to be a + // `MOZ_DLL_PREFIX "nssckbi" MOZ_DLL_SUFFIX` file in the directory being + // operated on. This causes failures, so as a workaround, the PSM + // initialization code will unconditionally remove any module named "Root + // Certs". We should prevent the user from adding an unrelated module named + // "Root Certs" in the first place so PSM doesn't delete it. See bug 1406396. + if (aModuleName.EqualsLiteral("Root Certs")) { + return NS_ERROR_ILLEGAL_VALUE; + } + + // There appears to be a deadlock if we try to load modules concurrently, so + // just wait until the loadable roots module has been loaded. + nsresult rv = BlockUntilLoadableCertsLoaded(); + if (NS_FAILED(rv)) { + return rv; + } + + nsAutoCString moduleNameNormalized; + rv = NormalizeModuleNameIn(aModuleName, moduleNameNormalized); + if (NS_FAILED(rv)) { + return rv; + } + nsCString fullPath; + CopyUTF16toUTF8(aLibraryFullPath, fullPath); + uint32_t mechFlags = SECMOD_PubMechFlagstoInternal(aCryptoMechanismFlags); + uint32_t cipherFlags = SECMOD_PubCipherFlagstoInternal(aCipherFlags); + SECStatus srv = SECMOD_AddNewModule(moduleNameNormalized.get(), + fullPath.get(), mechFlags, cipherFlags); + if (srv != SECSuccess) { + return NS_ERROR_FAILURE; + } + return NS_OK; +} + +NS_IMETHODIMP +PKCS11ModuleDB::ListModules(nsISimpleEnumerator** _retval) { + NS_ENSURE_ARG_POINTER(_retval); + + nsresult rv = BlockUntilLoadableCertsLoaded(); + if (NS_FAILED(rv)) { + return rv; + } + + nsCOMPtr<nsIMutableArray> array = do_CreateInstance(NS_ARRAY_CONTRACTID); + if (!array) { + return NS_ERROR_FAILURE; + } + + /* lock down the list for reading */ + AutoSECMODListReadLock lock; + for (SECMODModuleList* list = SECMOD_GetDefaultModuleList(); list; + list = list->next) { + nsCOMPtr<nsIPKCS11Module> module = new nsPKCS11Module(list->module); + nsresult rv = array->AppendElement(module); + if (NS_FAILED(rv)) { + return rv; + } + } + + /* Get the modules in the database that didn't load */ + for (SECMODModuleList* list = SECMOD_GetDeadModuleList(); list; + list = list->next) { + nsCOMPtr<nsIPKCS11Module> module = new nsPKCS11Module(list->module); + nsresult rv = array->AppendElement(module); + if (NS_FAILED(rv)) { + return rv; + } + } + + return array->Enumerate(_retval, NS_GET_IID(nsIPKCS11Module)); +} + +NS_IMETHODIMP +PKCS11ModuleDB::GetCanToggleFIPS(bool* aCanToggleFIPS) { + NS_ENSURE_ARG_POINTER(aCanToggleFIPS); + + *aCanToggleFIPS = SECMOD_CanDeleteInternalModule(); + return NS_OK; +} + +NS_IMETHODIMP +PKCS11ModuleDB::ToggleFIPSMode() { + // The way to toggle FIPS mode in NSS is extremely obscure. Basically, we + // delete the internal module, and it gets replaced with the opposite module + // (i.e. if it was FIPS before, then it becomes non-FIPS next). + // SECMOD_GetInternalModule() returns a pointer to a local copy of the + // internal module stashed in NSS. We don't want to delete it since it will + // cause much pain in NSS. + SECMODModule* internal = SECMOD_GetInternalModule(); + if (!internal) { + return NS_ERROR_FAILURE; + } + + if (SECMOD_DeleteInternalModule(internal->commonName) != SECSuccess) { + return NS_ERROR_FAILURE; + } + + return NS_OK; +} + +NS_IMETHODIMP +PKCS11ModuleDB::GetIsFIPSEnabled(bool* aIsFIPSEnabled) { + NS_ENSURE_ARG_POINTER(aIsFIPSEnabled); + + *aIsFIPSEnabled = PK11_IsFIPS(); + return NS_OK; +} + +} // namespace psm +} // namespace mozilla diff --git a/security/manager/ssl/PKCS11ModuleDB.h b/security/manager/ssl/PKCS11ModuleDB.h new file mode 100644 index 0000000000..c167afe410 --- /dev/null +++ b/security/manager/ssl/PKCS11ModuleDB.h @@ -0,0 +1,35 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +#ifndef PKCS11ModuleDB_h +#define PKCS11ModuleDB_h + +#include "nsIPKCS11ModuleDB.h" + +namespace mozilla { +namespace psm { + +#define NS_PKCS11MODULEDB_CID \ + { \ + 0xff9fbcd7, 0x9517, 0x4334, { \ + 0xb9, 0x7a, 0xce, 0xed, 0x78, 0x90, 0x99, 0x74 \ + } \ + } + +class PKCS11ModuleDB : public nsIPKCS11ModuleDB { + public: + PKCS11ModuleDB() = default; + + NS_DECL_ISUPPORTS + NS_DECL_NSIPKCS11MODULEDB + + protected: + virtual ~PKCS11ModuleDB() = default; +}; + +} // namespace psm +} // namespace mozilla + +#endif // PKCS11ModuleDB_h diff --git a/security/manager/ssl/PSMIPCTypes.ipdlh b/security/manager/ssl/PSMIPCTypes.ipdlh new file mode 100644 index 0000000000..54bce317c2 --- /dev/null +++ b/security/manager/ssl/PSMIPCTypes.ipdlh @@ -0,0 +1,51 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set sw=2 ts=8 et tw=80 ft=cpp : */ + +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +namespace mozilla { +namespace psm { + +struct ByteArray{ + uint8_t[] data; +}; + +// For ECKey, RSAKey, and Certificate, slotType indicates which slot this object +// should exist on: +// 1: modern (supports EC, RSA-PSS) +// 2: legacy (only supports RSA PKCS#1v1.5) + +struct ECKey{ + uint8_t[] params; // the EC point representing this key + uint8_t[] cert; // the encoded certificate containing this key + uint32_t slotType; +}; + +struct RSAKey{ + uint8_t[] modulus; // the modulus of this RSA key + uint8_t[] cert; // the encoded certificate containing this key + uint32_t slotType; +}; + +struct Certificate{ + uint8_t[] der; // the encoding of this certificate + uint32_t slotType; +}; + +// Helper type for sending keys and certificates over IPC for use by IPC client +// certs. +union IPCClientCertObject{ + ECKey; + RSAKey; + Certificate; +}; + +struct DelegatedCredentialInfoArg { + uint32_t scheme; + uint32_t authKeyBits; +}; + +} // namespace psm +} // namespace mozilla diff --git a/security/manager/ssl/PSMRunnable.cpp b/security/manager/ssl/PSMRunnable.cpp new file mode 100644 index 0000000000..b962f52af3 --- /dev/null +++ b/security/manager/ssl/PSMRunnable.cpp @@ -0,0 +1,42 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "PSMRunnable.h" + +namespace mozilla { +namespace psm { + +SyncRunnableBase::SyncRunnableBase() + : Runnable("psm::SyncRunnableBase"), monitor("SyncRunnableBase::monitor") {} + +nsresult SyncRunnableBase::DispatchToMainThreadAndWait() { + nsresult rv; + if (NS_IsMainThread()) { + RunOnTargetThread(); + rv = NS_OK; + } else { + mozilla::MonitorAutoLock lock(monitor); + rv = NS_DispatchToMainThread(this); + if (NS_SUCCEEDED(rv)) { + lock.Wait(); + } + } + + return rv; +} + +NS_IMETHODIMP +SyncRunnableBase::Run() { + RunOnTargetThread(); + mozilla::MonitorAutoLock(monitor).Notify(); + return NS_OK; +} + +nsresult NotifyObserverRunnable::Run() { + mObserver->Observe(nullptr, mTopic, nullptr); + return NS_OK; +} + +} // namespace psm +} // namespace mozilla diff --git a/security/manager/ssl/PSMRunnable.h b/security/manager/ssl/PSMRunnable.h new file mode 100644 index 0000000000..faafb14c60 --- /dev/null +++ b/security/manager/ssl/PSMRunnable.h @@ -0,0 +1,49 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef PSMRunnable_h +#define PSMRunnable_h + +#include "mozilla/Monitor.h" +#include "nsThreadUtils.h" +#include "nsIObserver.h" +#include "nsProxyRelease.h" + +namespace mozilla { +namespace psm { + +// Wait for the event to run on the target thread without spinning the event +// loop on the calling thread. (Dispatching events to a thread using +// NS_DispatchAndSpinEventLoopUntilComplete would cause the event loop on the +// calling thread to spin.) +class SyncRunnableBase : public Runnable { + public: + NS_DECL_NSIRUNNABLE + nsresult DispatchToMainThreadAndWait(); + + protected: + SyncRunnableBase(); + virtual void RunOnTargetThread() = 0; + + private: + mozilla::Monitor monitor MOZ_UNANNOTATED; +}; + +class NotifyObserverRunnable : public Runnable { + public: + NotifyObserverRunnable(nsIObserver* observer, const char* topicStringLiteral) + : Runnable("psm::NotifyObserverRunnable"), + mObserver(new nsMainThreadPtrHolder<nsIObserver>( + "psm::NotifyObserverRunnable::mObserver", observer)), + mTopic(topicStringLiteral) {} + NS_DECL_NSIRUNNABLE + private: + nsMainThreadPtrHandle<nsIObserver> mObserver; + const char* const mTopic; +}; + +} // namespace psm +} // namespace mozilla + +#endif diff --git a/security/manager/ssl/PSelectTLSClientAuthCert.ipdl b/security/manager/ssl/PSelectTLSClientAuthCert.ipdl new file mode 100644 index 0000000000..bca7c543d8 --- /dev/null +++ b/security/manager/ssl/PSelectTLSClientAuthCert.ipdl @@ -0,0 +1,24 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set sw=2 ts=8 et tw=80 ft=cpp : */ + +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +include PSMIPCTypes; + +namespace mozilla { +namespace psm { + +[ChildProc=Socket] +protocol PSelectTLSClientAuthCert +{ +child: + async TLSClientAuthCertSelected(ByteArray aSelectedCertBytes, + ByteArray[] aSelectedCertChainBytes); + + async __delete__(); +}; + +} // namespace psm +} // namespace mozilla diff --git a/security/manager/ssl/PVerifySSLServerCert.ipdl b/security/manager/ssl/PVerifySSLServerCert.ipdl new file mode 100644 index 0000000000..92a14160ce --- /dev/null +++ b/security/manager/ssl/PVerifySSLServerCert.ipdl @@ -0,0 +1,31 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set sw=2 ts=8 et tw=80 ft=cpp : */ + +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +include PSMIPCTypes; + +using mozilla::OriginAttributes from "mozilla/ipc/BackgroundUtils.h"; + +namespace mozilla { +namespace psm { + +[ChildProc=Socket] +protocol PVerifySSLServerCert +{ +child: + async OnVerifiedSSLServerCertSuccess(ByteArray[] aBuiltCertChain, + uint16_t aCertTransparencyStatus, + uint8_t aEVStatus, + bool isBuiltCertChainRootBuiltInRoot, bool aMadeOCSPRequests); + + async OnVerifiedSSLServerCertFailure(int32_t aFinalError, + uint32_t aOverridableErrorCategory, bool aMadeOCSPRequests); + + async __delete__(); +}; + +} // namespace psm +} // namespace mozilla diff --git a/security/manager/ssl/PublicKeyPinningService.cpp b/security/manager/ssl/PublicKeyPinningService.cpp new file mode 100644 index 0000000000..e3d02ce326 --- /dev/null +++ b/security/manager/ssl/PublicKeyPinningService.cpp @@ -0,0 +1,393 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "PublicKeyPinningService.h" + +#include "RootCertificateTelemetryUtils.h" +#include "mozilla/ArrayUtils.h" +#include "mozilla/Base64.h" +#include "mozilla/BinarySearch.h" +#include "mozilla/Casting.h" +#include "mozilla/Logging.h" +#include "mozilla/Span.h" +#include "mozilla/StaticPrefs_security.h" +#include "mozilla/Telemetry.h" +#include "nsDependentString.h" +#include "nsServiceManagerUtils.h" +#include "nsSiteSecurityService.h" +#include "mozpkix/pkixtypes.h" +#include "mozpkix/pkixutil.h" +#include "seccomon.h" +#include "sechash.h" + +#include "StaticHPKPins.h" // autogenerated by genHPKPStaticpins.js + +using namespace mozilla; +using namespace mozilla::pkix; +using namespace mozilla::psm; + +LazyLogModule gPublicKeyPinningLog("PublicKeyPinningService"); + +NS_IMPL_ISUPPORTS(PublicKeyPinningService, nsIPublicKeyPinningService) + +enum class PinningMode : uint32_t { + Disabled = 0, + AllowUserCAMITM = 1, + Strict = 2, + EnforceTestMode = 3 +}; + +PinningMode GetPinningMode() { + PinningMode pinningMode = static_cast<PinningMode>( + StaticPrefs::security_cert_pinning_enforcement_level_DoNotUseDirectly()); + switch (pinningMode) { + case PinningMode::Disabled: + return PinningMode::Disabled; + case PinningMode::AllowUserCAMITM: + return PinningMode::AllowUserCAMITM; + case PinningMode::Strict: + return PinningMode::Strict; + case PinningMode::EnforceTestMode: + return PinningMode::EnforceTestMode; + default: + return PinningMode::Disabled; + } +} + +/** + Computes in the location specified by base64Out the SHA256 digest + of the DER Encoded subject Public Key Info for the given cert +*/ +static nsresult GetBase64HashSPKI(const BackCert& cert, + nsACString& hashSPKIDigest) { + Input derPublicKey = cert.GetSubjectPublicKeyInfo(); + + hashSPKIDigest.Truncate(); + nsTArray<uint8_t> digestArray; + nsresult nsrv = + Digest::DigestBuf(SEC_OID_SHA256, derPublicKey.UnsafeGetData(), + derPublicKey.GetLength(), digestArray); + if (NS_FAILED(nsrv)) { + return nsrv; + } + return Base64Encode(nsDependentCSubstring( + BitwiseCast<char*, uint8_t*>(digestArray.Elements()), + digestArray.Length()), + hashSPKIDigest); +} + +/* + * Sets certMatchesPinset to true if a given cert matches any fingerprints from + * the given pinset and false otherwise. + */ +static nsresult EvalCert(const BackCert& cert, + const StaticFingerprints* fingerprints, + /*out*/ bool& certMatchesPinset) { + certMatchesPinset = false; + if (!fingerprints) { + MOZ_LOG(gPublicKeyPinningLog, LogLevel::Debug, + ("pkpin: No hashes found\n")); + return NS_ERROR_INVALID_ARG; + } + + nsAutoCString base64Out; + nsresult rv = GetBase64HashSPKI(cert, base64Out); + if (NS_FAILED(rv)) { + MOZ_LOG(gPublicKeyPinningLog, LogLevel::Debug, + ("pkpin: GetBase64HashSPKI failed!\n")); + return rv; + } + + if (fingerprints) { + for (size_t i = 0; i < fingerprints->size; i++) { + if (base64Out.Equals(fingerprints->data[i])) { + MOZ_LOG(gPublicKeyPinningLog, LogLevel::Debug, + ("pkpin: found pin base_64 ='%s'\n", base64Out.get())); + certMatchesPinset = true; + return NS_OK; + } + } + } + return NS_OK; +} + +/* + * Sets certListIntersectsPinset to true if a given chain matches any + * fingerprints from the given static fingerprints and false otherwise. + */ +static nsresult EvalChain(const nsTArray<Span<const uint8_t>>& derCertList, + const StaticFingerprints* fingerprints, + /*out*/ bool& certListIntersectsPinset) { + certListIntersectsPinset = false; + if (!fingerprints) { + MOZ_ASSERT(false, "Must pass in at least one type of pinset"); + return NS_ERROR_FAILURE; + } + + EndEntityOrCA endEntityOrCA = EndEntityOrCA::MustBeEndEntity; + for (const auto& cert : derCertList) { + Input certInput; + mozilla::pkix::Result rv = certInput.Init(cert.data(), cert.size()); + if (rv != mozilla::pkix::Result::Success) { + return NS_ERROR_INVALID_ARG; + } + BackCert backCert(certInput, endEntityOrCA, nullptr); + rv = backCert.Init(); + if (rv != mozilla::pkix::Result::Success) { + return NS_ERROR_INVALID_ARG; + } + + nsresult nsrv = EvalCert(backCert, fingerprints, certListIntersectsPinset); + if (NS_FAILED(nsrv)) { + return nsrv; + } + if (certListIntersectsPinset) { + break; + } + endEntityOrCA = EndEntityOrCA::MustBeCA; + } + + if (!certListIntersectsPinset) { + MOZ_LOG(gPublicKeyPinningLog, LogLevel::Debug, + ("pkpin: no matches found\n")); + } + return NS_OK; +} + +class TransportSecurityPreloadBinarySearchComparator { + public: + explicit TransportSecurityPreloadBinarySearchComparator( + const char* aTargetHost) + : mTargetHost(aTargetHost) {} + + int operator()(const TransportSecurityPreload& val) const { + return strcmp(mTargetHost, val.mHost); + } + + private: + const char* mTargetHost; // non-owning +}; + +#ifdef DEBUG +static Atomic<bool> sValidatedPinningPreloadList(false); + +static void ValidatePinningPreloadList() { + if (sValidatedPinningPreloadList) { + return; + } + for (const auto& entry : kPublicKeyPinningPreloadList) { + // If and only if a static entry is a Mozilla entry, it has a telemetry ID. + MOZ_ASSERT((entry.mIsMoz && entry.mId != kUnknownId) || + (!entry.mIsMoz && entry.mId == kUnknownId)); + } + sValidatedPinningPreloadList = true; +} +#endif // DEBUG + +// Returns via one of the output parameters the most relevant pinning +// information that is valid for the given host at the given time. +static nsresult FindPinningInformation( + const char* hostname, mozilla::pkix::Time time, + /*out*/ const TransportSecurityPreload*& staticFingerprints) { +#ifdef DEBUG + ValidatePinningPreloadList(); +#endif + if (!hostname || hostname[0] == 0) { + return NS_ERROR_INVALID_ARG; + } + staticFingerprints = nullptr; + const TransportSecurityPreload* foundEntry = nullptr; + const char* evalHost = hostname; + const char* evalPart; + // Notice how the (xx = strchr) prevents pins for unqualified domain names. + while (!foundEntry && (evalPart = strchr(evalHost, '.'))) { + MOZ_LOG(gPublicKeyPinningLog, LogLevel::Debug, + ("pkpin: Querying pinsets for host: '%s'\n", evalHost)); + size_t foundEntryIndex; + if (BinarySearchIf(kPublicKeyPinningPreloadList, 0, + ArrayLength(kPublicKeyPinningPreloadList), + TransportSecurityPreloadBinarySearchComparator(evalHost), + &foundEntryIndex)) { + foundEntry = &kPublicKeyPinningPreloadList[foundEntryIndex]; + MOZ_LOG(gPublicKeyPinningLog, LogLevel::Debug, + ("pkpin: Found pinset for host: '%s'\n", evalHost)); + if (evalHost != hostname) { + if (!foundEntry->mIncludeSubdomains) { + // Does not apply to this host, continue iterating + foundEntry = nullptr; + } + } + } else { + MOZ_LOG(gPublicKeyPinningLog, LogLevel::Debug, + ("pkpin: Didn't find pinset for host: '%s'\n", evalHost)); + } + // Add one for '.' + evalHost = evalPart + 1; + } + + if (foundEntry && foundEntry->pinset) { + if (time > TimeFromEpochInSeconds(kPreloadPKPinsExpirationTime / + PR_USEC_PER_SEC)) { + return NS_OK; + } + staticFingerprints = foundEntry; + } + return NS_OK; +} + +// Returns true via the output parameter if the given certificate list meets +// pinning requirements for the given host at the given time. It must be the +// case that either there is an intersection between the set of hashes of +// subject public key info data in the list and the most relevant non-expired +// pinset for the host or there is no pinning information for the host. +static nsresult CheckPinsForHostname( + const nsTArray<Span<const uint8_t>>& certList, const char* hostname, + bool enforceTestMode, mozilla::pkix::Time time, + /*out*/ bool& chainHasValidPins, + /*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo) { + chainHasValidPins = false; + if (certList.IsEmpty()) { + return NS_ERROR_INVALID_ARG; + } + if (!hostname || hostname[0] == 0) { + return NS_ERROR_INVALID_ARG; + } + + const TransportSecurityPreload* staticFingerprints = nullptr; + nsresult rv = FindPinningInformation(hostname, time, staticFingerprints); + if (NS_FAILED(rv)) { + return rv; + } + // If we have no pinning information, the certificate chain trivially + // validates with respect to pinning. + if (!staticFingerprints) { + chainHasValidPins = true; + return NS_OK; + } + if (staticFingerprints) { + bool enforceTestModeResult; + rv = EvalChain(certList, staticFingerprints->pinset, enforceTestModeResult); + if (NS_FAILED(rv)) { + return rv; + } + chainHasValidPins = enforceTestModeResult; + if (staticFingerprints->mTestMode && !enforceTestMode) { + chainHasValidPins = true; + } + + if (pinningTelemetryInfo) { + // If and only if a static entry is a Mozilla entry, it has a telemetry + // ID. + if ((staticFingerprints->mIsMoz && + staticFingerprints->mId == kUnknownId) || + (!staticFingerprints->mIsMoz && + staticFingerprints->mId != kUnknownId)) { + return NS_ERROR_FAILURE; + } + + Telemetry::HistogramID histogram; + int32_t bucket; + // We can collect per-host pinning violations for this host because it is + // operationally critical to Firefox. + if (staticFingerprints->mIsMoz) { + histogram = staticFingerprints->mTestMode + ? Telemetry::CERT_PINNING_MOZ_TEST_RESULTS_BY_HOST + : Telemetry::CERT_PINNING_MOZ_RESULTS_BY_HOST; + bucket = staticFingerprints->mId * 2 + (enforceTestModeResult ? 1 : 0); + } else { + histogram = staticFingerprints->mTestMode + ? Telemetry::CERT_PINNING_TEST_RESULTS + : Telemetry::CERT_PINNING_RESULTS; + bucket = enforceTestModeResult ? 1 : 0; + } + pinningTelemetryInfo->accumulateResult = true; + pinningTelemetryInfo->certPinningResultHistogram = Some(histogram); + pinningTelemetryInfo->certPinningResultBucket = bucket; + + // We only collect per-CA pinning statistics upon failures. + if (!enforceTestModeResult) { + int32_t binNumber = RootCABinNumber(certList.LastElement()); + if (binNumber != ROOT_CERTIFICATE_UNKNOWN) { + pinningTelemetryInfo->accumulateForRoot = true; + pinningTelemetryInfo->rootBucket = binNumber; + } + } + } + + MOZ_LOG(gPublicKeyPinningLog, LogLevel::Debug, + ("pkpin: Pin check %s for %s host '%s' (mode=%s)\n", + enforceTestModeResult ? "passed" : "failed", + staticFingerprints->mIsMoz ? "mozilla" : "non-mozilla", hostname, + staticFingerprints->mTestMode ? "test" : "production")); + } + + return NS_OK; +} + +nsresult PublicKeyPinningService::ChainHasValidPins( + const nsTArray<Span<const uint8_t>>& certList, const char* hostname, + mozilla::pkix::Time time, bool isBuiltInRoot, + /*out*/ bool& chainHasValidPins, + /*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo) { + PinningMode pinningMode(GetPinningMode()); + if (pinningMode == PinningMode::Disabled || + (!isBuiltInRoot && pinningMode == PinningMode::AllowUserCAMITM)) { + chainHasValidPins = true; + return NS_OK; + } + + chainHasValidPins = false; + if (certList.IsEmpty()) { + return NS_ERROR_INVALID_ARG; + } + if (!hostname || hostname[0] == 0) { + return NS_ERROR_INVALID_ARG; + } + nsAutoCString canonicalizedHostname(CanonicalizeHostname(hostname)); + bool enforceTestMode = pinningMode == PinningMode::EnforceTestMode; + return CheckPinsForHostname(certList, canonicalizedHostname.get(), + enforceTestMode, time, chainHasValidPins, + pinningTelemetryInfo); +} + +NS_IMETHODIMP +PublicKeyPinningService::HostHasPins(nsIURI* aURI, bool* hostHasPins) { + NS_ENSURE_ARG(aURI); + NS_ENSURE_ARG(hostHasPins); + *hostHasPins = false; + PinningMode pinningMode(GetPinningMode()); + if (pinningMode == PinningMode::Disabled) { + return NS_OK; + } + nsAutoCString hostname; + nsresult rv = nsSiteSecurityService::GetHost(aURI, hostname); + if (NS_FAILED(rv)) { + return rv; + } + if (nsSiteSecurityService::HostIsIPAddress(hostname)) { + return NS_OK; + } + + const TransportSecurityPreload* staticFingerprints = nullptr; + rv = FindPinningInformation(hostname.get(), Now(), staticFingerprints); + if (NS_FAILED(rv)) { + return rv; + } + if (staticFingerprints) { + *hostHasPins = !staticFingerprints->mTestMode || + pinningMode == PinningMode::EnforceTestMode; + } + return NS_OK; +} + +nsAutoCString PublicKeyPinningService::CanonicalizeHostname( + const char* hostname) { + nsAutoCString canonicalizedHostname(hostname); + ToLowerCase(canonicalizedHostname); + while (canonicalizedHostname.Length() > 0 && + canonicalizedHostname.Last() == '.') { + canonicalizedHostname.Truncate(canonicalizedHostname.Length() - 1); + } + return canonicalizedHostname; +} diff --git a/security/manager/ssl/PublicKeyPinningService.h b/security/manager/ssl/PublicKeyPinningService.h new file mode 100644 index 0000000000..46bcf01d18 --- /dev/null +++ b/security/manager/ssl/PublicKeyPinningService.h @@ -0,0 +1,54 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef PublicKeyPinningService_h +#define PublicKeyPinningService_h + +#include "CertVerifier.h" +#include "nsIPublicKeyPinningService.h" +#include "nsString.h" +#include "nsTArray.h" +#include "mozilla/Span.h" +#include "mozpkix/Time.h" + +namespace mozilla { +namespace psm { + +class PublicKeyPinningService final : public nsIPublicKeyPinningService { + public: + PublicKeyPinningService() = default; + + NS_DECL_THREADSAFE_ISUPPORTS + NS_DECL_NSIPUBLICKEYPINNINGSERVICE + + /** + * Sets chainHasValidPins to true if the given (host, certList) passes pinning + * checks, or to false otherwise. If the host is pinned, returns true via + * chainHasValidPins if one of the keys in the given certificate chain matches + * the pin set specified by the hostname. The certList's head is the EE cert + * and the tail is the trust anchor. + * Note: if an alt name is a wildcard, it won't necessarily find a pinset + * that would otherwise be valid for it + */ + static nsresult ChainHasValidPins( + const nsTArray<Span<const uint8_t>>& certList, const char* hostname, + mozilla::pkix::Time time, bool isBuiltInRoot, + /*out*/ bool& chainHasValidPins, + /*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo); + + /** + * Given a hostname of potentially mixed case with potentially multiple + * trailing '.' (see bug 1118522), canonicalizes it to lowercase with no + * trailing '.'. + */ + static nsAutoCString CanonicalizeHostname(const char* hostname); + + private: + ~PublicKeyPinningService() = default; +}; + +} // namespace psm +} // namespace mozilla + +#endif // PublicKeyPinningService_h diff --git a/security/manager/ssl/PublicSSL.h b/security/manager/ssl/PublicSSL.h new file mode 100644 index 0000000000..06a67fac5f --- /dev/null +++ b/security/manager/ssl/PublicSSL.h @@ -0,0 +1,24 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef mozilla_SSL_h +#define mozilla_SSL_h + +namespace mozilla { + +void ClearPrivateSSLState(); + +namespace psm { + +void InitializeSSLServerCertVerificationThreads(); +void StopSSLServerCertVerificationThreads(); +void DisableMD5(); +nsresult InitializeCipherSuite(); + +} // namespace psm +} // namespace mozilla + +#endif diff --git a/security/manager/ssl/RemoteSecuritySettings.sys.mjs b/security/manager/ssl/RemoteSecuritySettings.sys.mjs new file mode 100644 index 0000000000..5283a21a3c --- /dev/null +++ b/security/manager/ssl/RemoteSecuritySettings.sys.mjs @@ -0,0 +1,709 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +import { RemoteSettings } from "resource://services-settings/remote-settings.sys.mjs"; + +import { X509 } from "resource://gre/modules/psm/X509.sys.mjs"; + +const SECURITY_STATE_BUCKET = "security-state"; +const SECURITY_STATE_SIGNER = "onecrl.content-signature.mozilla.org"; + +const INTERMEDIATES_DL_PER_POLL_PREF = + "security.remote_settings.intermediates.downloads_per_poll"; +const INTERMEDIATES_DL_PARALLEL_REQUESTS = + "security.remote_settings.intermediates.parallel_downloads"; +const INTERMEDIATES_ENABLED_PREF = + "security.remote_settings.intermediates.enabled"; +const LOGLEVEL_PREF = "browser.policies.loglevel"; + +const CRLITE_FILTERS_ENABLED_PREF = + "security.remote_settings.crlite_filters.enabled"; + +const lazy = {}; + +ChromeUtils.defineLazyGetter(lazy, "gTextDecoder", () => new TextDecoder()); + +ChromeUtils.defineLazyGetter(lazy, "log", () => { + let { ConsoleAPI } = ChromeUtils.importESModule( + "resource://gre/modules/Console.sys.mjs" + ); + return new ConsoleAPI({ + prefix: "RemoteSecuritySettings.jsm", + // tip: set maxLogLevel to "debug" and use log.debug() to create detailed + // messages during development. See LOG_LEVELS in Console.sys.mjs for details. + maxLogLevel: "error", + maxLogLevelPref: LOGLEVEL_PREF, + }); +}); + +// Converts a JS string to an array of bytes consisting of the char code at each +// index in the string. +function stringToBytes(s) { + let b = []; + for (let i = 0; i < s.length; i++) { + b.push(s.charCodeAt(i)); + } + return b; +} + +// Converts an array of bytes to a JS string using fromCharCode on each byte. +function bytesToString(bytes) { + if (bytes.length > 65535) { + throw new Error("input too long for bytesToString"); + } + return String.fromCharCode.apply(null, bytes); +} + +class CRLiteCoverage { + constructor(b64LogID, minTimestamp, maxTimestamp) { + this.b64LogID = b64LogID; + this.minTimestamp = minTimestamp; + this.maxTimestamp = maxTimestamp; + } +} +CRLiteCoverage.prototype.QueryInterface = ChromeUtils.generateQI([ + "nsICRLiteCoverage", +]); + +class CertInfo { + constructor(cert, subject) { + this.cert = cert; + this.subject = subject; + this.trust = Ci.nsICertStorage.TRUST_INHERIT; + } +} +CertInfo.prototype.QueryInterface = ChromeUtils.generateQI(["nsICertInfo"]); + +class RevocationState { + constructor(state) { + this.state = state; + } +} + +class IssuerAndSerialRevocationState extends RevocationState { + constructor(issuer, serial, state) { + super(state); + this.issuer = issuer; + this.serial = serial; + } +} +IssuerAndSerialRevocationState.prototype.QueryInterface = + ChromeUtils.generateQI(["nsIIssuerAndSerialRevocationState"]); + +class SubjectAndPubKeyRevocationState extends RevocationState { + constructor(subject, pubKey, state) { + super(state); + this.subject = subject; + this.pubKey = pubKey; + } +} +SubjectAndPubKeyRevocationState.prototype.QueryInterface = + ChromeUtils.generateQI(["nsISubjectAndPubKeyRevocationState"]); + +function setRevocations(certStorage, revocations) { + return new Promise(resolve => + certStorage.setRevocations(revocations, resolve) + ); +} + +/** + * Helper function that returns a promise that will resolve with whether or not + * the nsICertStorage implementation has prior data of the given type. + * + * @param {Integer} dataType a Ci.nsICertStorage.DATA_TYPE_* constant + * indicating the type of data + + * @returns {Promise} a promise that will resolve with true if the data type is + * present + */ +function hasPriorData(dataType) { + let certStorage = Cc["@mozilla.org/security/certstorage;1"].getService( + Ci.nsICertStorage + ); + return new Promise(resolve => { + certStorage.hasPriorData(dataType, (rv, hasPriorData) => { + if (rv == Cr.NS_OK) { + resolve(hasPriorData); + } else { + // If calling hasPriorData failed, assume we need to reload everything + // (even though it's unlikely doing so will succeed). + resolve(false); + } + }); + }); +} + +/** + * Revoke the appropriate certificates based on the records from the blocklist. + * + * @param {object} options + * @param {object} options.data Current records in the local db. + * @param {Array} options.data.current + * @param {Array} options.data.created + * @param {Array} options.data.updated + * @param {Array} options.data.deleted + */ +const updateCertBlocklist = async function ({ + data: { current, created, updated, deleted }, +}) { + let items = []; + + // See if we have prior revocation data (this can happen when we can't open + // the database and we have to re-create it (see bug 1546361)). + let hasPriorRevocationData = await hasPriorData( + Ci.nsICertStorage.DATA_TYPE_REVOCATION + ); + + // If we don't have prior data, make it so we re-load everything. + if (!hasPriorRevocationData) { + deleted = []; + updated = []; + created = current; + } + + let toDelete = deleted.concat(updated.map(u => u.old)); + for (let item of toDelete) { + if (item.issuerName && item.serialNumber) { + items.push( + new IssuerAndSerialRevocationState( + item.issuerName, + item.serialNumber, + Ci.nsICertStorage.STATE_UNSET + ) + ); + } else if (item.subject && item.pubKeyHash) { + items.push( + new SubjectAndPubKeyRevocationState( + item.subject, + item.pubKeyHash, + Ci.nsICertStorage.STATE_UNSET + ) + ); + } + } + + const toAdd = created.concat(updated.map(u => u.new)); + + for (let item of toAdd) { + if (item.issuerName && item.serialNumber) { + items.push( + new IssuerAndSerialRevocationState( + item.issuerName, + item.serialNumber, + Ci.nsICertStorage.STATE_ENFORCE + ) + ); + } else if (item.subject && item.pubKeyHash) { + items.push( + new SubjectAndPubKeyRevocationState( + item.subject, + item.pubKeyHash, + Ci.nsICertStorage.STATE_ENFORCE + ) + ); + } + } + + try { + const certList = Cc["@mozilla.org/security/certstorage;1"].getService( + Ci.nsICertStorage + ); + await setRevocations(certList, items); + } catch (e) { + lazy.log.error(e); + } +}; + +export var RemoteSecuritySettings = { + _initialized: false, + OneCRLBlocklistClient: null, + IntermediatePreloadsClient: null, + CRLiteFiltersClient: null, + + /** + * Initialize the clients (cheap instantiation) and setup their sync event. + * This static method is called from BrowserGlue.sys.mjs soon after startup. + * + * @returns {object} instantiated clients for security remote settings. + */ + init() { + // Avoid repeated initialization (work-around for bug 1730026). + if (this._initialized) { + return this; + } + this._initialized = true; + + this.OneCRLBlocklistClient = RemoteSettings("onecrl", { + bucketName: SECURITY_STATE_BUCKET, + signerName: SECURITY_STATE_SIGNER, + }); + this.OneCRLBlocklistClient.on("sync", updateCertBlocklist); + + this.IntermediatePreloadsClient = new IntermediatePreloads(); + + this.CRLiteFiltersClient = new CRLiteFilters(); + this.CRLiteFiltersClient.cleanAttachmentCache(); + + return this; + }, +}; + +class IntermediatePreloads { + constructor() { + this.client = RemoteSettings("intermediates", { + bucketName: SECURITY_STATE_BUCKET, + signerName: SECURITY_STATE_SIGNER, + localFields: ["cert_import_complete"], + }); + + this.client.on("sync", this.onSync.bind(this)); + Services.obs.addObserver( + this.onObservePollEnd.bind(this), + "remote-settings:changes-poll-end" + ); + + lazy.log.debug("Intermediate Preloading: constructor"); + } + + async updatePreloadedIntermediates() { + if (!Services.prefs.getBoolPref(INTERMEDIATES_ENABLED_PREF, true)) { + lazy.log.debug("Intermediate Preloading is disabled"); + Services.obs.notifyObservers( + null, + "remote-security-settings:intermediates-updated", + "disabled" + ); + return; + } + + // Download attachments that are awaiting download, up to a max. + const maxDownloadsPerRun = Services.prefs.getIntPref( + INTERMEDIATES_DL_PER_POLL_PREF, + 100 + ); + const parallelDownloads = Services.prefs.getIntPref( + INTERMEDIATES_DL_PARALLEL_REQUESTS, + 8 + ); + + // Bug 1519256: Move this to a separate method that's on a separate timer + // with a higher frequency (so we can attempt to download outstanding + // certs more than once daily) + + // See if we have prior cert data (this can happen when we can't open the database and we + // have to re-create it (see bug 1546361)). + let hasPriorCertData = await hasPriorData( + Ci.nsICertStorage.DATA_TYPE_CERTIFICATE + ); + // If we don't have prior data, make it so we re-load everything. + if (!hasPriorCertData) { + let current; + try { + current = await this.client.db.list(); + } catch (err) { + lazy.log.warn( + `Unable to list intermediate preloading collection: ${err}` + ); + return; + } + const toReset = current.filter(record => record.cert_import_complete); + try { + await this.client.db.importChanges( + undefined, // do not touch metadata. + undefined, // do not touch collection timestamp. + toReset.map(r => ({ ...r, cert_import_complete: false })) + ); + } catch (err) { + lazy.log.warn( + `Unable to update intermediate preloading collection: ${err}` + ); + return; + } + } + let current; + try { + current = await this.client.db.list(); + } catch (err) { + lazy.log.warn( + `Unable to list intermediate preloading collection: ${err}` + ); + return; + } + const waiting = current.filter(record => !record.cert_import_complete); + + lazy.log.debug( + `There are ${waiting.length} intermediates awaiting download.` + ); + if (!waiting.length) { + // Nothing to do. + Services.obs.notifyObservers( + null, + "remote-security-settings:intermediates-updated", + "success" + ); + return; + } + + let toDownload = waiting.slice(0, maxDownloadsPerRun); + let recordsCertsAndSubjects = []; + for (let i = 0; i < toDownload.length; i += parallelDownloads) { + const chunk = toDownload.slice(i, i + parallelDownloads); + const downloaded = await Promise.all( + chunk.map(record => this.maybeDownloadAttachment(record)) + ); + recordsCertsAndSubjects = recordsCertsAndSubjects.concat(downloaded); + } + + let certInfos = []; + let recordsToUpdate = []; + for (let { record, cert, subject } of recordsCertsAndSubjects) { + if (cert && subject) { + certInfos.push(new CertInfo(cert, subject)); + recordsToUpdate.push(record); + } + } + const certStorage = Cc["@mozilla.org/security/certstorage;1"].getService( + Ci.nsICertStorage + ); + let result = await new Promise(resolve => { + certStorage.addCerts(certInfos, resolve); + }).catch(err => err); + if (result != Cr.NS_OK) { + lazy.log.error(`certStorage.addCerts failed: ${result}`); + return; + } + try { + await this.client.db.importChanges( + undefined, // do not touch metadata. + undefined, // do not touch collection timestamp. + recordsToUpdate.map(r => ({ ...r, cert_import_complete: true })) + ); + } catch (err) { + lazy.log.warn( + `Unable to update intermediate preloading collection: ${err}` + ); + return; + } + + Services.obs.notifyObservers( + null, + "remote-security-settings:intermediates-updated", + "success" + ); + } + + async onObservePollEnd(subject, topic, data) { + lazy.log.debug(`onObservePollEnd ${subject} ${topic}`); + + try { + await this.updatePreloadedIntermediates(); + } catch (err) { + lazy.log.warn(`Unable to update intermediate preloads: ${err}`); + } + } + + // This method returns a promise to RemoteSettingsClient.maybeSync method. + async onSync({ data: { current, created, updated, deleted } }) { + if (!Services.prefs.getBoolPref(INTERMEDIATES_ENABLED_PREF, true)) { + lazy.log.debug("Intermediate Preloading is disabled"); + return; + } + + lazy.log.debug(`Removing ${deleted.length} Intermediate certificates`); + await this.removeCerts(deleted); + } + + /** + * Attempts to download the attachment, assuming it's not been processed + * already. Does not retry, and always resolves (e.g., does not reject upon + * failure.) Errors are reported via console.error. + * + * @param {AttachmentRecord} record defines which data to obtain + * @returns {Promise} a Promise that will resolve to an object with the properties + * record, cert, and subject. record is the original record. + * cert is the base64-encoded bytes of the downloaded certificate (if + * downloading was successful), and null otherwise. + * subject is the base64-encoded bytes of the subject distinguished + * name of the same. + */ + async maybeDownloadAttachment(record) { + let result = { record, cert: null, subject: null }; + + let dataAsString = null; + try { + let buffer = await this.client.attachments.downloadAsBytes(record, { + retries: 0, + }); + dataAsString = lazy.gTextDecoder.decode(new Uint8Array(buffer)); + } catch (err) { + if (err.name == "BadContentError") { + lazy.log.debug(`Bad attachment content.`); + } else { + lazy.log.error(`Failed to download attachment: ${err}`); + } + return result; + } + + let certBase64; + let subjectBase64; + try { + // split off the header and footer + certBase64 = dataAsString.split("-----")[2].replace(/\s/g, ""); + // get an array of bytes so we can use X509.jsm + let certBytes = stringToBytes(atob(certBase64)); + let cert = new X509.Certificate(); + cert.parse(certBytes); + // get the DER-encoded subject and get a base64-encoded string from it + // TODO(bug 1542028): add getters for _der and _bytes + subjectBase64 = btoa( + bytesToString(cert.tbsCertificate.subject._der._bytes) + ); + } catch (err) { + lazy.log.error(`Failed to decode cert: ${err}`); + return result; + } + result.cert = certBase64; + result.subject = subjectBase64; + return result; + } + + async maybeSync(expectedTimestamp, options) { + return this.client.maybeSync(expectedTimestamp, options); + } + + async removeCerts(recordsToRemove) { + let certStorage = Cc["@mozilla.org/security/certstorage;1"].getService( + Ci.nsICertStorage + ); + let hashes = recordsToRemove.map(record => record.derHash); + let result = await new Promise(resolve => { + certStorage.removeCertsByHashes(hashes, resolve); + }).catch(err => err); + if (result != Cr.NS_OK) { + lazy.log.error(`Failed to remove some intermediate certificates`); + } + } +} + +// Helper function to compare filters. One filter is "less than" another filter (i.e. it sorts +// earlier) if its timestamp is farther in the past than the other. +function compareFilters(filterA, filterB) { + return filterA.effectiveTimestamp - filterB.effectiveTimestamp; +} + +class CRLiteFilters { + constructor() { + this.client = RemoteSettings("cert-revocations", { + bucketName: SECURITY_STATE_BUCKET, + signerName: SECURITY_STATE_SIGNER, + localFields: ["loaded_into_cert_storage"], + }); + + Services.obs.addObserver( + this.onObservePollEnd.bind(this), + "remote-settings:changes-poll-end" + ); + } + + async cleanAttachmentCache() { + // Bug 1795710 - misuse of Remote Settings `downloadToDisk` caused us to + // keep filters and stashes on disk indefinitely. We're no longer caching + // these downloads, so if there are any filters still in the cache they can + // be removed. + let cachePath = PathUtils.join( + PathUtils.localProfileDir, + ...this.client.attachments.folders + ); + + try { + let needCleanup = await IOUtils.exists(cachePath); + if (needCleanup) { + let cacheFiles = await IOUtils.getChildren(cachePath); + let staleFilters = cacheFiles.filter( + path => path.endsWith("filter") || path.endsWith("filter.stash") + ); + if (cacheFiles.length == staleFilters.length) { + // Expected case. No files other than filters, we can remove the + // entire directory + await IOUtils.remove(cachePath, { recursive: true }); + } else { + for (let filter of staleFilters) { + await IOUtils.remove(filter); + } + } + } + } catch (e) { + lazy.log.error("Could not clean cert-revocations attachment cache", e); + } + } + + async onObservePollEnd(subject, topic, data) { + if (!Services.prefs.getBoolPref(CRLITE_FILTERS_ENABLED_PREF, true)) { + lazy.log.debug("CRLite filter downloading is disabled"); + Services.obs.notifyObservers( + null, + "remote-security-settings:crlite-filters-downloaded", + "disabled" + ); + return; + } + + let hasPriorFilter = await hasPriorData( + Ci.nsICertStorage.DATA_TYPE_CRLITE_FILTER_FULL + ); + if (!hasPriorFilter) { + let current = await this.client.db.list(); + let toReset = current.filter( + record => !record.incremental && record.loaded_into_cert_storage + ); + await this.client.db.importChanges( + undefined, // do not touch metadata. + undefined, // do not touch collection timestamp. + toReset.map(r => ({ ...r, loaded_into_cert_storage: false })) + ); + } + let hasPriorStash = await hasPriorData( + Ci.nsICertStorage.DATA_TYPE_CRLITE_FILTER_INCREMENTAL + ); + if (!hasPriorStash) { + let current = await this.client.db.list(); + let toReset = current.filter( + record => record.incremental && record.loaded_into_cert_storage + ); + await this.client.db.importChanges( + undefined, // do not touch metadata. + undefined, // do not touch collection timestamp. + toReset.map(r => ({ ...r, loaded_into_cert_storage: false })) + ); + } + + let current = await this.client.db.list(); + let fullFilters = current.filter(filter => !filter.incremental); + if (fullFilters.length < 1) { + lazy.log.debug("no full CRLite filters to download?"); + Services.obs.notifyObservers( + null, + "remote-security-settings:crlite-filters-downloaded", + "unavailable" + ); + return; + } + fullFilters.sort(compareFilters); + lazy.log.debug("fullFilters:", fullFilters); + let fullFilter = fullFilters.pop(); // the most recent filter sorts last + let incrementalFilters = current.filter( + filter => + // Return incremental filters that are more recent than (i.e. sort later than) the full + // filter. + filter.incremental && compareFilters(filter, fullFilter) > 0 + ); + incrementalFilters.sort(compareFilters); + // Map of id to filter where that filter's parent has the given id. + let parentIdMap = {}; + for (let filter of incrementalFilters) { + if (filter.parent in parentIdMap) { + lazy.log.debug(`filter with parent id ${filter.parent} already seen?`); + } else { + parentIdMap[filter.parent] = filter; + } + } + let filtersToDownload = []; + let nextFilter = fullFilter; + while (nextFilter) { + filtersToDownload.push(nextFilter); + nextFilter = parentIdMap[nextFilter.id]; + } + const certList = Cc["@mozilla.org/security/certstorage;1"].getService( + Ci.nsICertStorage + ); + filtersToDownload = filtersToDownload.filter( + filter => !filter.loaded_into_cert_storage + ); + lazy.log.debug("filtersToDownload:", filtersToDownload); + let filtersDownloaded = []; + for (let filter of filtersToDownload) { + try { + let attachment = await this.client.attachments.downloadAsBytes(filter); + let bytes = new Uint8Array(attachment); + lazy.log.debug( + `Downloaded ${filter.details.name}: ${bytes.length} bytes` + ); + filter.bytes = bytes; + filtersDownloaded.push(filter); + } catch (e) { + lazy.log.error("failed to download CRLite filter", e); + } + } + let fullFiltersDownloaded = filtersDownloaded.filter( + filter => !filter.incremental + ); + if (fullFiltersDownloaded.length) { + if (fullFiltersDownloaded.length > 1) { + lazy.log.warn("trying to install more than one full CRLite filter?"); + } + let filter = fullFiltersDownloaded[0]; + + let coverage = []; + if (filter.coverage) { + for (let entry of filter.coverage) { + coverage.push( + new CRLiteCoverage( + entry.logID, + entry.minTimestamp, + entry.maxTimestamp + ) + ); + } + } + let enrollment = filter.enrolledIssuers ? filter.enrolledIssuers : []; + + await new Promise(resolve => { + certList.setFullCRLiteFilter(filter.bytes, enrollment, coverage, rv => { + lazy.log.debug(`setFullCRLiteFilter: ${rv}`); + resolve(); + }); + }); + } + let stashes = filtersDownloaded.filter(filter => filter.incremental); + let totalLength = stashes.reduce( + (sum, filter) => sum + filter.bytes.length, + 0 + ); + let concatenatedStashes = new Uint8Array(totalLength); + let offset = 0; + for (let filter of stashes) { + concatenatedStashes.set(filter.bytes, offset); + offset += filter.bytes.length; + } + if (concatenatedStashes.length) { + lazy.log.debug( + `adding concatenated incremental updates of total length ${concatenatedStashes.length}` + ); + await new Promise(resolve => { + certList.addCRLiteStash(concatenatedStashes, rv => { + lazy.log.debug(`addCRLiteStash: ${rv}`); + resolve(); + }); + }); + } + + for (let filter of filtersDownloaded) { + delete filter.bytes; + } + + await this.client.db.importChanges( + undefined, // do not touch metadata. + undefined, // do not touch collection timestamp. + filtersDownloaded.map(r => ({ ...r, loaded_into_cert_storage: true })) + ); + + Services.obs.notifyObservers( + null, + "remote-security-settings:crlite-filters-downloaded", + `finished;${filtersDownloaded + .map(filter => filter.details.name) + .join(",")}` + ); + } +} diff --git a/security/manager/ssl/RootCertificateTelemetryUtils.cpp b/security/manager/ssl/RootCertificateTelemetryUtils.cpp new file mode 100644 index 0000000000..d6bd54d741 --- /dev/null +++ b/security/manager/ssl/RootCertificateTelemetryUtils.cpp @@ -0,0 +1,139 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "RootCertificateTelemetryUtils.h" + +#include "RootHashes.inc" // Note: Generated by genRootCAHashes.js +#include "ScopedNSSTypes.h" +#include "mozilla/ArrayUtils.h" +#include "mozilla/Logging.h" +#include "nsINSSComponent.h" +#include "nsNSSCertHelper.h" +#include "nsServiceManagerUtils.h" +#include "pk11pub.h" + +namespace mozilla { +namespace psm { + +mozilla::LazyLogModule gPublicKeyPinningTelemetryLog( + "PublicKeyPinningTelemetryService"); + +// Used in the BinarySearch method, this does a memcmp between the pointer +// provided to its construtor and whatever the binary search is looking for. +// +// This implementation assumes everything to be of HASH_LEN, so it should not +// be used generically. +class BinaryHashSearchArrayComparator { + public: + explicit BinaryHashSearchArrayComparator(const uint8_t* aTarget, size_t len) + : mTarget(aTarget) { + MOZ_ASSERT(len == HASH_LEN, "Hashes should be of the same length."); + } + + int operator()(const CertAuthorityHash val) const { + return memcmp(mTarget, val.hash, HASH_LEN); + } + + private: + const uint8_t* mTarget; +}; + +// Perform a hash of the provided cert, then search in the RootHashes.inc data +// structure for a matching bin number. +// If no matching root is found, this may be a CA from the softoken (cert9.db), +// it may be a CA from an external PKCS#11 token, or it may be a CA from OS +// storage (Enterprise Root). +// See also the constants in RootCertificateTelemetryUtils.h. +int32_t RootCABinNumber(Span<const uint8_t> cert) { + nsTArray<uint8_t> digestArray; + + // Compute SHA256 hash of the certificate + nsresult rv = Digest::DigestBuf(SEC_OID_SHA256, cert, digestArray); + if (NS_WARN_IF(NS_FAILED(rv))) { + return ROOT_CERTIFICATE_HASH_FAILURE; + } + + // Compare against list of stored hashes + size_t idx; + + MOZ_LOG(gPublicKeyPinningTelemetryLog, LogLevel::Debug, + ("pkpinTelem: First bytes %02x %02x %02x %02x\n", + digestArray.ElementAt(0), digestArray.ElementAt(1), + digestArray.ElementAt(2), digestArray.ElementAt(3))); + + if (mozilla::BinarySearchIf(ROOT_TABLE, 0, ArrayLength(ROOT_TABLE), + BinaryHashSearchArrayComparator( + digestArray.Elements(), digestArray.Length()), + &idx)) { + MOZ_LOG(gPublicKeyPinningTelemetryLog, LogLevel::Debug, + ("pkpinTelem: Telemetry index was %zu, bin is %d\n", idx, + ROOT_TABLE[idx].binNumber)); + return (int32_t)ROOT_TABLE[idx].binNumber; + } + + // Didn't find this certificate in the built-in list. It may be an enterprise + // root (gathered from the OS) or it may be from the softoken or an external + // PKCS#11 token. + nsCOMPtr<nsINSSComponent> component(do_GetService(PSM_COMPONENT_CONTRACTID)); + if (!component) { + return ROOT_CERTIFICATE_UNKNOWN; + } + nsTArray<nsTArray<uint8_t>> enterpriseRoots; + rv = component->GetEnterpriseRoots(enterpriseRoots); + if (NS_FAILED(rv)) { + return ROOT_CERTIFICATE_UNKNOWN; + } + for (const auto& enterpriseRoot : enterpriseRoots) { + if (enterpriseRoot.Length() == cert.size() && + memcmp(enterpriseRoot.Elements(), cert.data(), + enterpriseRoot.Length()) == 0) { + return ROOT_CERTIFICATE_ENTERPRISE_ROOT; + } + } + + SECItem certItem = {siBuffer, const_cast<uint8_t*>(cert.data()), + static_cast<unsigned int>(cert.size())}; + UniquePK11SlotInfo softokenSlot(PK11_GetInternalKeySlot()); + if (!softokenSlot) { + return ROOT_CERTIFICATE_UNKNOWN; + } + CK_OBJECT_HANDLE softokenCertHandle = + PK11_FindEncodedCertInSlot(softokenSlot.get(), &certItem, nullptr); + if (softokenCertHandle != CK_INVALID_HANDLE) { + return ROOT_CERTIFICATE_SOFTOKEN; + } + // In theory this should never find the certificate in the root module, + // because then it should have already matched our built-in list. This is + // here as a backstop to catch situations where a built-in root was added but + // the built-in telemetry information was not updated. + UniqueSECMODModule rootsModule(SECMOD_FindModule(kRootModuleName)); + AutoSECMODListReadLock secmodLock; + if (!rootsModule || rootsModule->slotCount != 1) { + return ROOT_CERTIFICATE_UNKNOWN; + } + CK_OBJECT_HANDLE builtinCertHandle = + PK11_FindEncodedCertInSlot(rootsModule->slots[0], &certItem, nullptr); + if (builtinCertHandle == CK_INVALID_HANDLE) { + return ROOT_CERTIFICATE_EXTERNAL_TOKEN; + } + + // We have no idea what this is. + return ROOT_CERTIFICATE_UNKNOWN; +} + +// Attempt to increment the appropriate bin in the provided Telemetry probe ID. +// If there was a hash failure, we do nothing. +void AccumulateTelemetryForRootCA(mozilla::Telemetry::HistogramID probe, + const Span<const uint8_t> cert) { + int32_t binId = RootCABinNumber(cert); + + if (binId != ROOT_CERTIFICATE_HASH_FAILURE) { + Accumulate(probe, binId); + } +} + +} // namespace psm +} // namespace mozilla diff --git a/security/manager/ssl/RootCertificateTelemetryUtils.h b/security/manager/ssl/RootCertificateTelemetryUtils.h new file mode 100644 index 0000000000..01d033ec59 --- /dev/null +++ b/security/manager/ssl/RootCertificateTelemetryUtils.h @@ -0,0 +1,37 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef RootCertificateTelemetryUtils_h +#define RootCertificateTelemetryUtils_h + +#include "mozilla/Span.h" +#include "mozilla/Telemetry.h" + +namespace mozilla { +namespace psm { + +// Note: New CAs will show up as UNKNOWN_ROOT until +// RootHashes.inc is updated to include them. 0 is reserved by +// genRootCAHashes.js for the unknowns. +#define ROOT_CERTIFICATE_UNKNOWN 0 +// 1 indicates the CA is not a built-in and comes from the softoken (cert9.db) +#define ROOT_CERTIFICATE_SOFTOKEN 1 +// 2 indicates the CA is not a bilt-in and comes from an external PKCS#11 token +#define ROOT_CERTIFICATE_EXTERNAL_TOKEN 2 +// 3 indicates the CA is not a built-in and comes from the OS via the +// "Enterprise Roots" feature +#define ROOT_CERTIFICATE_ENTERPRISE_ROOT 3 +#define ROOT_CERTIFICATE_HASH_FAILURE -1 + +int32_t RootCABinNumber(Span<const uint8_t> cert); + +void AccumulateTelemetryForRootCA(mozilla::Telemetry::HistogramID probe, + const Span<const uint8_t> cert); + +} // namespace psm +} // namespace mozilla + +#endif // RootCertificateTelemetryUtils_h diff --git a/security/manager/ssl/RootHashes.inc b/security/manager/ssl/RootHashes.inc new file mode 100644 index 0000000000..4060eddd4b --- /dev/null +++ b/security/manager/ssl/RootHashes.inc @@ -0,0 +1,1597 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +/*****************************************************************************/ +/* This is an automatically generated file. If you're not */ +/* RootCertificateTelemetryUtils.cpp, you shouldn't be #including it. */ +/*****************************************************************************/ + +#define HASH_LEN 32 +struct CertAuthorityHash { + // See bug 1338873 about making these fields const. + uint8_t hash[HASH_LEN]; + int32_t binNumber; +}; + +static const struct CertAuthorityHash ROOT_TABLE[] = { + { + /* DigiCert_TLS_ECC_P384_Root_G5 */ + { 0x01, 0x8E, 0x13, 0xF0, 0x77, 0x25, 0x32, 0xCF, 0x80, 0x9B, 0xD1, 0xB1, 0x72, 0x81, 0x86, 0x72, + 0x83, 0xFC, 0x48, 0xC6, 0xE1, 0x3B, 0xE9, 0xC6, 0x98, 0x12, 0x85, 0x4A, 0x49, 0x0C, 0x1B, 0x05 }, + 243 /* Bin Number */ + }, + { + /* CommScope_Public_Trust_RSA_Root_01 */ + { 0x02, 0xBD, 0xF9, 0x6E, 0x2A, 0x45, 0xDD, 0x9B, 0xF1, 0x8F, 0xC7, 0xE1, 0xDB, 0xDF, 0x21, 0xA0, + 0x37, 0x9B, 0xA3, 0xC9, 0xC2, 0x61, 0x03, 0x44, 0xCF, 0xD8, 0xD6, 0x06, 0xFE, 0xC1, 0xED, 0x81 }, + 262 /* Bin Number */ + }, + { + /* Entrust_Root_Certification_Authority___EC1 */ + { 0x02, 0xED, 0x0E, 0xB2, 0x8C, 0x14, 0xDA, 0x45, 0x16, 0x5C, 0x56, 0x67, 0x91, 0x70, 0x0D, 0x64, + 0x51, 0xD7, 0xFB, 0x56, 0xF0, 0xB2, 0xAB, 0x1D, 0x3B, 0x8E, 0xB0, 0x70, 0xE5, 0x6E, 0xDF, 0xF5 }, + 164 /* Bin Number */ + }, + { + /* AffirmTrust_Commercial */ + { 0x03, 0x76, 0xAB, 0x1D, 0x54, 0xC5, 0xF9, 0x80, 0x3C, 0xE4, 0xB2, 0xE2, 0x01, 0xA0, 0xEE, 0x7E, + 0xEF, 0x7B, 0x57, 0xB6, 0x36, 0xE8, 0xA9, 0x3C, 0x9B, 0x8D, 0x48, 0x60, 0xC9, 0x6F, 0x5F, 0xA7 }, + 109 /* Bin Number */ + }, + { + /* ACEDICOM_Root */ + { 0x03, 0x95, 0x0F, 0xB4, 0x9A, 0x53, 0x1F, 0x3E, 0x19, 0x91, 0x94, 0x23, 0x98, 0xDF, 0xA9, 0xE0, + 0xEA, 0x32, 0xD7, 0xBA, 0x1C, 0xDD, 0x9B, 0xC8, 0x5D, 0xB5, 0x7E, 0xD9, 0x40, 0x0B, 0x43, 0x4A }, + 98 /* Bin Number */ + }, + { + /* Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068 */ + { 0x04, 0x04, 0x80, 0x28, 0xBF, 0x1F, 0x28, 0x64, 0xD4, 0x8F, 0x9A, 0xD4, 0xD8, 0x32, 0x94, 0x36, + 0x6A, 0x82, 0x88, 0x56, 0x55, 0x3F, 0x3B, 0x14, 0x30, 0x3F, 0x90, 0x14, 0x7F, 0x5D, 0x40, 0xEF }, + 102 /* Bin Number */ + }, + { + /* Chambers_of_Commerce_Root___2008 */ + { 0x06, 0x3E, 0x4A, 0xFA, 0xC4, 0x91, 0xDF, 0xD3, 0x32, 0xF3, 0x08, 0x9B, 0x85, 0x42, 0xE9, 0x46, + 0x17, 0xD8, 0x93, 0xD7, 0xFE, 0x94, 0x4E, 0x10, 0xA7, 0x93, 0x7E, 0xE2, 0x9D, 0x96, 0x93, 0xC0 }, + 104 /* Bin Number */ + }, + { + /* DST_Root_CA_X3 */ + { 0x06, 0x87, 0x26, 0x03, 0x31, 0xA7, 0x24, 0x03, 0xD9, 0x09, 0xF1, 0x05, 0xE6, 0x9B, 0xCF, 0x0D, + 0x32, 0xE1, 0xBD, 0x24, 0x93, 0xFF, 0xC6, 0xD9, 0x20, 0x6D, 0x11, 0xBC, 0xD6, 0x77, 0x07, 0x39 }, + 52 /* Bin Number */ + }, + { + /* TrustCor_RootCert_CA_2 */ + { 0x07, 0x53, 0xE9, 0x40, 0x37, 0x8C, 0x1B, 0xD5, 0xE3, 0x83, 0x6E, 0x39, 0x5D, 0xAE, 0xA5, 0xCB, + 0x83, 0x9E, 0x50, 0x46, 0xF1, 0xBD, 0x0E, 0xAE, 0x19, 0x51, 0xCF, 0x10, 0xFE, 0xC7, 0xC9, 0x65 }, + 191 /* Bin Number */ + }, + { + /* AddTrust_Public_CA_Root */ + { 0x07, 0x91, 0xCA, 0x07, 0x49, 0xB2, 0x07, 0x82, 0xAA, 0xD3, 0xC7, 0xD7, 0xBD, 0x0C, 0xDF, 0xC9, + 0x48, 0x58, 0x35, 0x84, 0x3E, 0xB2, 0xD7, 0x99, 0x60, 0x09, 0xCE, 0x43, 0xAB, 0x6C, 0x69, 0x27 }, + 16 /* Bin Number */ + }, + { + /* D_TRUST_EV_Root_CA_1_2020 */ + { 0x08, 0x17, 0x0D, 0x1A, 0xA3, 0x64, 0x53, 0x90, 0x1A, 0x2F, 0x95, 0x92, 0x45, 0xE3, 0x47, 0xDB, + 0x0C, 0x8D, 0x37, 0xAB, 0xAA, 0xBC, 0x56, 0xB8, 0x1A, 0xA1, 0x00, 0xDC, 0x95, 0x89, 0x70, 0xDB }, + 242 /* Bin Number */ + }, + { + /* OU_Equifax_Secure_Certificate_Authority_O_Equifax_C_US */ + { 0x08, 0x29, 0x7A, 0x40, 0x47, 0xDB, 0xA2, 0x36, 0x80, 0xC7, 0x31, 0xDB, 0x6E, 0x31, 0x76, 0x53, + 0xCA, 0x78, 0x48, 0xE1, 0xBE, 0xBD, 0x3A, 0x0B, 0x01, 0x79, 0xA7, 0x07, 0xF9, 0x2C, 0xF1, 0x78 }, + 4 /* Bin Number */ + }, + { + /* AffirmTrust_Networking */ + { 0x0A, 0x81, 0xEC, 0x5A, 0x92, 0x97, 0x77, 0xF1, 0x45, 0x90, 0x4A, 0xF3, 0x8D, 0x5D, 0x50, 0x9F, + 0x66, 0xB5, 0xE2, 0xC5, 0x8F, 0xCD, 0xB5, 0x31, 0x05, 0x8B, 0x0E, 0x17, 0xF3, 0xF0, 0xB4, 0x1B }, + 110 /* Bin Number */ + }, + { + /* Chambers_of_Commerce_Root */ + { 0x0C, 0x25, 0x8A, 0x12, 0xA5, 0x67, 0x4A, 0xEF, 0x25, 0xF2, 0x8B, 0xA7, 0xDC, 0xFA, 0xEC, 0xEE, + 0xA3, 0x48, 0xE5, 0x41, 0xE6, 0xF5, 0xCC, 0x4E, 0xE6, 0x3B, 0x71, 0xB3, 0x61, 0x60, 0x6A, 0xC3 }, + 39 /* Bin Number */ + }, + { + /* COMODO_Certification_Authority */ + { 0x0C, 0x2C, 0xD6, 0x3D, 0xF7, 0x80, 0x6F, 0xA3, 0x99, 0xED, 0xE8, 0x09, 0x11, 0x6B, 0x57, 0x5B, + 0xF8, 0x79, 0x89, 0xF0, 0x65, 0x18, 0xF9, 0x80, 0x8C, 0x86, 0x05, 0x03, 0x17, 0x8B, 0xAF, 0x66 }, + 63 /* Bin Number */ + }, + { + /* Buypass_Class_2_CA_1 */ + { 0x0F, 0x4E, 0x9C, 0xDD, 0x26, 0x4B, 0x02, 0x55, 0x50, 0xD1, 0x70, 0x80, 0x63, 0x40, 0x21, 0x4F, + 0xE9, 0x44, 0x34, 0xC9, 0xB0, 0x2F, 0x69, 0x7E, 0xC7, 0x10, 0xFC, 0x5F, 0xEA, 0xFB, 0x5E, 0x38 }, + 80 /* Bin Number */ + }, + { + /* Class_2_Primary_CA */ + { 0x0F, 0x99, 0x3C, 0x8A, 0xEF, 0x97, 0xBA, 0xAF, 0x56, 0x87, 0x14, 0x0E, 0xD5, 0x9A, 0xD1, 0x82, + 0x1B, 0xB4, 0xAF, 0xAC, 0xF0, 0xAA, 0x9A, 0x58, 0xB5, 0xD5, 0x7A, 0x33, 0x8A, 0x3A, 0xFB, 0xCB }, + 51 /* Bin Number */ + }, + { + /* CommScope_Public_Trust_ECC_Root_01 */ + { 0x11, 0x43, 0x7C, 0xDA, 0x7B, 0xB4, 0x5E, 0x41, 0x36, 0x5F, 0x45, 0xB3, 0x9A, 0x38, 0x98, 0x6B, + 0x0D, 0xE0, 0x0D, 0xEF, 0x34, 0x8E, 0x0C, 0x7B, 0xB0, 0x87, 0x36, 0x33, 0x80, 0x0B, 0xC3, 0x8B }, + 264 /* Bin Number */ + }, + { + /* emSign_Root_CA___C1 */ + { 0x12, 0x56, 0x09, 0xAA, 0x30, 0x1D, 0xA0, 0xA2, 0x49, 0xB9, 0x7A, 0x82, 0x39, 0xCB, 0x6A, 0x34, + 0x21, 0x6F, 0x44, 0xDC, 0xAC, 0x9F, 0x39, 0x54, 0xB1, 0x42, 0x92, 0xF2, 0xE8, 0xC8, 0x60, 0x8F }, + 208 /* Bin Number */ + }, + { + /* Global_Chambersign_Root___2008 */ + { 0x13, 0x63, 0x35, 0x43, 0x93, 0x34, 0xA7, 0x69, 0x80, 0x16, 0xA0, 0xD3, 0x24, 0xDE, 0x72, 0x28, + 0x4E, 0x07, 0x9D, 0x7B, 0x52, 0x20, 0xBB, 0x8F, 0xBD, 0x74, 0x78, 0x16, 0xEE, 0xBE, 0xBA, 0xCA }, + 105 /* Bin Number */ + }, + { + /* OU_Starfield_Class_2_Certification_Authority_O__Starfield_Technologies__Inc___C_US */ + { 0x14, 0x65, 0xFA, 0x20, 0x53, 0x97, 0xB8, 0x76, 0xFA, 0xA6, 0xF0, 0xA9, 0x95, 0x8E, 0x55, 0x90, + 0xE4, 0x0F, 0xCC, 0x7F, 0xAA, 0x4F, 0xB7, 0xC2, 0xC8, 0x67, 0x75, 0x21, 0xFB, 0x5F, 0xB6, 0x58 }, + 44 /* Bin Number */ + }, + { + /* Certplus_Root_CA_G1 */ + { 0x15, 0x2A, 0x40, 0x2B, 0xFC, 0xDF, 0x2C, 0xD5, 0x48, 0x05, 0x4D, 0x22, 0x75, 0xB3, 0x9C, 0x7F, + 0xCA, 0x3E, 0xC0, 0x97, 0x80, 0x78, 0xB0, 0xF0, 0xEA, 0x76, 0xE5, 0x61, 0xA6, 0xC7, 0x43, 0x3E }, + 176 /* Bin Number */ + }, + { + /* GTS_Root_R3 */ + { 0x15, 0xD5, 0xB8, 0x77, 0x46, 0x19, 0xEA, 0x7D, 0x54, 0xCE, 0x1C, 0xA6, 0xD0, 0xB0, 0xC4, 0x03, + 0xE0, 0x37, 0xA9, 0x17, 0xF1, 0x31, 0xE8, 0xA0, 0x4E, 0x1E, 0x6B, 0x7A, 0x71, 0xBA, 0xBC, 0xE5 }, + 201 /* Bin Number */ + }, + { + /* Network_Solutions_Certificate_Authority */ + { 0x15, 0xF0, 0xBA, 0x00, 0xA3, 0xAC, 0x7A, 0xF3, 0xAC, 0x88, 0x4C, 0x07, 0x2B, 0x10, 0x11, 0xA0, + 0x77, 0xBD, 0x77, 0xC0, 0x97, 0xF4, 0x01, 0x64, 0xB2, 0xF8, 0x59, 0x8A, 0xBD, 0x83, 0x86, 0x0C }, + 64 /* Bin Number */ + }, + { + /* Baltimore_CyberTrust_Root */ + { 0x16, 0xAF, 0x57, 0xA9, 0xF6, 0x76, 0xB0, 0xAB, 0x12, 0x60, 0x95, 0xAA, 0x5E, 0xBA, 0xDE, 0xF2, + 0x2A, 0xB3, 0x11, 0x19, 0xD6, 0x44, 0xAC, 0x95, 0xCD, 0x4B, 0x93, 0xDB, 0xF3, 0xF2, 0x6A, 0xEB }, + 11 /* Bin Number */ + }, + { + /* COMODO_ECC_Certification_Authority */ + { 0x17, 0x93, 0x92, 0x7A, 0x06, 0x14, 0x54, 0x97, 0x89, 0xAD, 0xCE, 0x2F, 0x8F, 0x34, 0xF7, 0xF0, + 0xB6, 0x6D, 0x0F, 0x3A, 0xE3, 0xA3, 0xB8, 0x4D, 0x21, 0xEC, 0x15, 0xDB, 0xBA, 0x4F, 0xAD, 0xC7 }, + 66 /* Bin Number */ + }, + { + /* GlobalSign */ + { 0x17, 0x9F, 0xBC, 0x14, 0x8A, 0x3D, 0xD0, 0x0F, 0xD2, 0x4E, 0xA1, 0x34, 0x58, 0xCC, 0x43, 0xBF, + 0xA7, 0xF5, 0x9C, 0x81, 0x82, 0xD7, 0x83, 0xA5, 0x13, 0xF6, 0xEB, 0xEC, 0x10, 0x0C, 0x89, 0x24 }, + 158 /* Bin Number */ + }, + { + /* Amazon_Root_CA_3 */ + { 0x18, 0xCE, 0x6C, 0xFE, 0x7B, 0xF1, 0x4E, 0x60, 0xB2, 0xE3, 0x47, 0xB8, 0xDF, 0xE8, 0x68, 0xCB, + 0x31, 0xD0, 0x2E, 0xBB, 0x3A, 0xDA, 0x27, 0x15, 0x69, 0xF5, 0x03, 0x43, 0xB4, 0x6D, 0xB3, 0xA4 }, + 185 /* Bin Number */ + }, + { + /* QuoVadis_Root_CA_3 */ + { 0x18, 0xF1, 0xFC, 0x7F, 0x20, 0x5D, 0xF8, 0xAD, 0xDD, 0xEB, 0x7F, 0xE0, 0x07, 0xDD, 0x57, 0xE3, + 0xAF, 0x37, 0x5A, 0x9C, 0x4D, 0x8D, 0x73, 0x54, 0x6B, 0xF4, 0xF1, 0xFE, 0xD1, 0xE1, 0x8D, 0x35 }, + 33 /* Bin Number */ + }, + { + /* Amazon_Root_CA_2 */ + { 0x1B, 0xA5, 0xB2, 0xAA, 0x8C, 0x65, 0x40, 0x1A, 0x82, 0x96, 0x01, 0x18, 0xF8, 0x0B, 0xEC, 0x4F, + 0x62, 0x30, 0x4D, 0x83, 0xCE, 0xC4, 0x71, 0x3A, 0x19, 0xC3, 0x9C, 0x01, 0x1E, 0xA4, 0x6D, 0xB4 }, + 184 /* Bin Number */ + }, + { + /* China_Internet_Network_Information_Center_EV_Certificates_Root */ + { 0x1C, 0x01, 0xC6, 0xF4, 0xDB, 0xB2, 0xFE, 0xFC, 0x22, 0x55, 0x8B, 0x2B, 0xCA, 0x32, 0x56, 0x3F, + 0x49, 0x84, 0x4A, 0xCF, 0xC3, 0x2B, 0x7B, 0xE4, 0xB0, 0xFF, 0x59, 0x9F, 0x9E, 0x8C, 0x7A, 0xF7 }, + 133 /* Bin Number */ + }, + { + /* Swisscom_Root_CA_1 */ + { 0x21, 0xDB, 0x20, 0x12, 0x36, 0x60, 0xBB, 0x2E, 0xD4, 0x18, 0x20, 0x5D, 0xA1, 0x1E, 0xE7, 0xA8, + 0x5A, 0x65, 0xE2, 0xBC, 0x6E, 0x55, 0xB5, 0xAF, 0x7E, 0x78, 0x99, 0xC8, 0xA2, 0x66, 0xD9, 0x2E }, + 47 /* Bin Number */ + }, + { + /* SSL_com_EV_Root_Certification_Authority_ECC */ + { 0x22, 0xA2, 0xC1, 0xF7, 0xBD, 0xED, 0x70, 0x4C, 0xC1, 0xE7, 0x01, 0xB5, 0xF4, 0x08, 0xC3, 0x10, + 0x88, 0x0F, 0xE9, 0x56, 0xB5, 0xDE, 0x2A, 0x4A, 0x44, 0xF9, 0x9C, 0x87, 0x3A, 0x25, 0xA7, 0xC8 }, + 196 /* Bin Number */ + }, + { + /* VeriSign_Universal_Root_Certification_Authority */ + { 0x23, 0x99, 0x56, 0x11, 0x27, 0xA5, 0x71, 0x25, 0xDE, 0x8C, 0xEF, 0xEA, 0x61, 0x0D, 0xDF, 0x2F, + 0xA0, 0x78, 0xB5, 0xC8, 0x06, 0x7F, 0x4E, 0x82, 0x82, 0x90, 0xBF, 0xB8, 0x60, 0xE8, 0x4B, 0x3C }, + 90 /* Bin Number */ + }, + { + /* Telia_Root_CA_v2 */ + { 0x24, 0x2B, 0x69, 0x74, 0x2F, 0xCB, 0x1E, 0x5B, 0x2A, 0xBF, 0x98, 0x89, 0x8B, 0x94, 0x57, 0x21, + 0x87, 0x54, 0x4E, 0x5B, 0x4D, 0x99, 0x11, 0x78, 0x65, 0x73, 0x62, 0x1F, 0x6A, 0x74, 0xB8, 0x2C }, + 240 /* Bin Number */ + }, + { + /* Security_Communication_RootCA3 */ + { 0x24, 0xA5, 0x5C, 0x2A, 0xB0, 0x51, 0x44, 0x2D, 0x06, 0x17, 0x76, 0x65, 0x41, 0x23, 0x9A, 0x4A, + 0xD0, 0x32, 0xD7, 0xC5, 0x51, 0x75, 0xAA, 0x34, 0xFF, 0xDE, 0x2F, 0xBC, 0x4F, 0x5C, 0x52, 0x94 }, + 249 /* Bin Number */ + }, + { + /* Izenpe_com */ + { 0x25, 0x30, 0xCC, 0x8E, 0x98, 0x32, 0x15, 0x02, 0xBA, 0xD9, 0x6F, 0x9B, 0x1F, 0xBA, 0x1B, 0x09, + 0x9E, 0x2D, 0x29, 0x9E, 0x0F, 0x45, 0x48, 0xBB, 0x91, 0x4F, 0x36, 0x3B, 0xC0, 0xD4, 0x53, 0x1F }, + 103 /* Bin Number */ + }, + { + /* OpenTrust_Root_CA_G2 */ + { 0x27, 0x99, 0x58, 0x29, 0xFE, 0x6A, 0x75, 0x15, 0xC1, 0xBF, 0xE8, 0x48, 0xF9, 0xC4, 0x76, 0x1D, + 0xB1, 0x6C, 0x22, 0x59, 0x29, 0x25, 0x7B, 0xF4, 0x0D, 0x08, 0x94, 0xF2, 0x9E, 0xA8, 0xBA, 0xF2 }, + 179 /* Bin Number */ + }, + { + /* GTS_Root_R1 */ + { 0x2A, 0x57, 0x54, 0x71, 0xE3, 0x13, 0x40, 0xBC, 0x21, 0x58, 0x1C, 0xBD, 0x2C, 0xF1, 0x3E, 0x15, + 0x84, 0x63, 0x20, 0x3E, 0xCE, 0x94, 0xBC, 0xF9, 0xD3, 0xCC, 0x19, 0x6B, 0xF0, 0x9A, 0x54, 0x72 }, + 199 /* Bin Number */ + }, + { + /* Certinomis___Root_CA */ + { 0x2A, 0x99, 0xF5, 0xBC, 0x11, 0x74, 0xB7, 0x3C, 0xBB, 0x1D, 0x62, 0x08, 0x84, 0xE0, 0x1C, 0x34, + 0xE5, 0x1C, 0xCB, 0x39, 0x78, 0xDA, 0x12, 0x5F, 0x0E, 0x33, 0x26, 0x88, 0x83, 0xBF, 0x41, 0x58 }, + 168 /* Bin Number */ + }, + { + /* GlobalSign */ + { 0x2C, 0xAB, 0xEA, 0xFE, 0x37, 0xD0, 0x6C, 0xA2, 0x2A, 0xBA, 0x73, 0x91, 0xC0, 0x03, 0x3D, 0x25, + 0x98, 0x29, 0x52, 0xC4, 0x53, 0x64, 0x73, 0x49, 0x76, 0x3A, 0x3A, 0xB5, 0xAD, 0x6C, 0xCF, 0x69 }, + 197 /* Bin Number */ + }, + { + /* Starfield_Root_Certificate_Authority___G2 */ + { 0x2C, 0xE1, 0xCB, 0x0B, 0xF9, 0xD2, 0xF9, 0xE1, 0x02, 0x99, 0x3F, 0xBE, 0x21, 0x51, 0x52, 0xC3, + 0xB2, 0xDD, 0x0C, 0xAB, 0xDE, 0x1C, 0x68, 0xE5, 0x31, 0x9B, 0x83, 0x91, 0x54, 0xDB, 0xB7, 0xF5 }, + 107 /* Bin Number */ + }, + { + /* OU_ApplicationCA_O_Japanese_Government_C_JP */ + { 0x2D, 0x47, 0x43, 0x7D, 0xE1, 0x79, 0x51, 0x21, 0x5A, 0x12, 0xF3, 0xC5, 0x8E, 0x51, 0xC7, 0x29, + 0xA5, 0x80, 0x26, 0xEF, 0x1F, 0xCC, 0x0A, 0x5F, 0xB3, 0xD9, 0xDC, 0x01, 0x2F, 0x60, 0x0D, 0x19 }, + 85 /* Bin Number */ + }, + { + /* TunTrust_Root_CA */ + { 0x2E, 0x44, 0x10, 0x2A, 0xB5, 0x8C, 0xB8, 0x54, 0x19, 0x45, 0x1C, 0x8E, 0x19, 0xD9, 0xAC, 0xF3, + 0x66, 0x2C, 0xAF, 0xBC, 0x61, 0x4B, 0x6A, 0x53, 0x96, 0x0A, 0x30, 0xF7, 0xD0, 0xE2, 0xEB, 0x41 }, + 227 /* Bin Number */ + }, + { + /* SSL_com_EV_Root_Certification_Authority_RSA_R2 */ + { 0x2E, 0x7B, 0xF1, 0x6C, 0xC2, 0x24, 0x85, 0xA7, 0xBB, 0xE2, 0xAA, 0x86, 0x96, 0x75, 0x07, 0x61, + 0xB0, 0xAE, 0x39, 0xBE, 0x3B, 0x2F, 0xE9, 0xD0, 0xCC, 0x6D, 0x4E, 0xF7, 0x34, 0x91, 0x42, 0x5C }, + 195 /* Bin Number */ + }, + { + /* CommScope_Public_Trust_ECC_Root_02 */ + { 0x2F, 0xFB, 0x7F, 0x81, 0x3B, 0xBB, 0xB3, 0xC8, 0x9A, 0xB4, 0xE8, 0x16, 0x2D, 0x0F, 0x16, 0xD7, + 0x15, 0x09, 0xA8, 0x30, 0xCC, 0x9D, 0x73, 0xC2, 0x62, 0xE5, 0x14, 0x08, 0x75, 0xD1, 0xAD, 0x4A }, + 263 /* Bin Number */ + }, + { + /* IdenTrust_Public_Sector_Root_CA_1 */ + { 0x30, 0xD0, 0x89, 0x5A, 0x9A, 0x44, 0x8A, 0x26, 0x20, 0x91, 0x63, 0x55, 0x22, 0xD1, 0xF5, 0x20, + 0x10, 0xB5, 0x86, 0x7A, 0xCA, 0xE1, 0x2C, 0x78, 0xEF, 0x95, 0x8F, 0xD4, 0xF4, 0x38, 0x9F, 0x2F }, + 162 /* Bin Number */ + }, + { + /* vTrus_ECC_Root_CA */ + { 0x30, 0xFB, 0xBA, 0x2C, 0x32, 0x23, 0x8E, 0x2A, 0x98, 0x54, 0x7A, 0xF9, 0x79, 0x31, 0xE5, 0x50, + 0x42, 0x8B, 0x9B, 0x3F, 0x1C, 0x8E, 0xEB, 0x66, 0x33, 0xDC, 0xFA, 0x86, 0xC5, 0xB2, 0x7D, 0xD3 }, + 231 /* Bin Number */ + }, + { + /* DigiCert_Global_Root_G3 */ + { 0x31, 0xAD, 0x66, 0x48, 0xF8, 0x10, 0x41, 0x38, 0xC7, 0x38, 0xF3, 0x9E, 0xA4, 0x32, 0x01, 0x33, + 0x39, 0x3E, 0x3A, 0x18, 0xCC, 0x02, 0x29, 0x6E, 0xF9, 0x7C, 0x2A, 0xC9, 0xEF, 0x67, 0x31, 0xD0 }, + 150 /* Bin Number */ + }, + { + /* Microsec_e_Szigno_Root_CA */ + { 0x32, 0x7A, 0x3D, 0x76, 0x1A, 0xBA, 0xDE, 0xA0, 0x34, 0xEB, 0x99, 0x84, 0x06, 0x27, 0x5C, 0xB1, + 0xA4, 0x77, 0x6E, 0xFD, 0xAE, 0x2F, 0xDF, 0x6D, 0x01, 0x68, 0xEA, 0x1C, 0x4F, 0x55, 0x67, 0xD0 }, + 70 /* Bin Number */ + }, + { + /* SSL_com_Root_Certification_Authority_ECC */ + { 0x34, 0x17, 0xBB, 0x06, 0xCC, 0x60, 0x07, 0xDA, 0x1B, 0x96, 0x1C, 0x92, 0x0B, 0x8A, 0xB4, 0xCE, + 0x3F, 0xAD, 0x82, 0x0E, 0x4A, 0xA3, 0x0B, 0x9A, 0xCB, 0xC4, 0xA7, 0x4E, 0xBD, 0xCE, 0xBC, 0x65 }, + 194 /* Bin Number */ + }, + { + /* GTS_Root_R4 */ + { 0x34, 0x9D, 0xFA, 0x40, 0x58, 0xC5, 0xE2, 0x63, 0x12, 0x3B, 0x39, 0x8A, 0xE7, 0x95, 0x57, 0x3C, + 0x4E, 0x13, 0x13, 0xC8, 0x3F, 0xE6, 0x8F, 0x93, 0x55, 0x6C, 0xD5, 0xE8, 0x03, 0x1B, 0x3C, 0x7D }, + 239 /* Bin Number */ + }, + { + /* GTS_Root_R3 */ + { 0x34, 0xD8, 0xA7, 0x3E, 0xE2, 0x08, 0xD9, 0xBC, 0xDB, 0x0D, 0x95, 0x65, 0x20, 0x93, 0x4B, 0x4E, + 0x40, 0xE6, 0x94, 0x82, 0x59, 0x6E, 0x8B, 0x6F, 0x73, 0xC8, 0x42, 0x6B, 0x01, 0x0A, 0x6F, 0x48 }, + 238 /* Bin Number */ + }, + { + /* Microsoft_ECC_Root_Certificate_Authority_2017 */ + { 0x35, 0x8D, 0xF3, 0x9D, 0x76, 0x4A, 0xF9, 0xE1, 0xB7, 0x66, 0xE9, 0xC9, 0x72, 0xDF, 0x35, 0x2E, + 0xE1, 0x5C, 0xFA, 0xC2, 0x27, 0xAF, 0x6A, 0xD1, 0xD7, 0x0E, 0x8E, 0x4A, 0x6E, 0xDC, 0xBA, 0x02 }, + 212 /* Bin Number */ + }, + { + /* EBG_Elektronik_Sertifika_Hizmet_Sa_lay_c_s_ */ + { 0x35, 0xAE, 0x5B, 0xDD, 0xD8, 0xF7, 0xAE, 0x63, 0x5C, 0xFF, 0xBA, 0x56, 0x82, 0xA8, 0xF0, 0x0B, + 0x95, 0xF4, 0x84, 0x62, 0xC7, 0x10, 0x8E, 0xE9, 0xA0, 0xE5, 0x29, 0x2B, 0x07, 0x4A, 0xAF, 0xB2 }, + 82 /* Bin Number */ + }, + { + /* DigiCert_TLS_RSA4096_Root_G5 */ + { 0x37, 0x1A, 0x00, 0xDC, 0x05, 0x33, 0xB3, 0x72, 0x1A, 0x7E, 0xEB, 0x40, 0xE8, 0x41, 0x9E, 0x70, + 0x79, 0x9D, 0x2B, 0x0A, 0x0F, 0x2C, 0x1D, 0x80, 0x69, 0x31, 0x65, 0xF7, 0xCE, 0xC4, 0xAD, 0x75 }, + 244 /* Bin Number */ + }, + { + /* GeoTrust_Primary_Certification_Authority */ + { 0x37, 0xD5, 0x10, 0x06, 0xC5, 0x12, 0xEA, 0xAB, 0x62, 0x64, 0x21, 0xF1, 0xEC, 0x8C, 0x92, 0x01, + 0x3F, 0xC5, 0xF8, 0x2A, 0xE9, 0x8E, 0xE5, 0x33, 0xEB, 0x46, 0x19, 0xB8, 0xDE, 0xB4, 0xD0, 0x6C }, + 58 /* Bin Number */ + }, + { + /* Staat_der_Nederlanden_Root_CA___G3 */ + { 0x3C, 0x4F, 0xB0, 0xB9, 0x5A, 0xB8, 0xB3, 0x00, 0x32, 0xF4, 0x32, 0xB8, 0x6F, 0x53, 0x5F, 0xE1, + 0x72, 0xC1, 0x85, 0xD0, 0xFD, 0x39, 0x86, 0x58, 0x37, 0xCF, 0x36, 0x18, 0x7F, 0xA6, 0xF4, 0x28 }, + 159 /* Bin Number */ + }, + { + /* Microsec_e_Szigno_Root_CA_2009 */ + { 0x3C, 0x5F, 0x81, 0xFE, 0xA5, 0xFA, 0xB8, 0x2C, 0x64, 0xBF, 0xA2, 0xEA, 0xEC, 0xAF, 0xCD, 0xE8, + 0xE0, 0x77, 0xFC, 0x86, 0x20, 0xA7, 0xCA, 0xE5, 0x37, 0x16, 0x3D, 0xF3, 0x6E, 0xDB, 0xF3, 0x78 }, + 99 /* Bin Number */ + }, + { + /* PSCProcert */ + { 0x3C, 0xFC, 0x3C, 0x14, 0xD1, 0xF6, 0x84, 0xFF, 0x17, 0xE3, 0x8C, 0x43, 0xCA, 0x44, 0x0C, 0x00, + 0xB9, 0x67, 0xEC, 0x93, 0x3E, 0x8B, 0xFE, 0x06, 0x4C, 0xA1, 0xD7, 0x2C, 0x90, 0xF2, 0xAD, 0xB0 }, + 132 /* Bin Number */ + }, + { + /* EE_Certification_Centre_Root_CA */ + { 0x3E, 0x84, 0xBA, 0x43, 0x42, 0x90, 0x85, 0x16, 0xE7, 0x75, 0x73, 0xC0, 0x99, 0x2F, 0x09, 0x79, + 0xCA, 0x08, 0x4E, 0x46, 0x85, 0x68, 0x1F, 0xF1, 0x95, 0xCC, 0xBA, 0x8A, 0x22, 0x9B, 0x8A, 0x76 }, + 128 /* Bin Number */ + }, + { + /* DigiCert_Assured_ID_Root_CA */ + { 0x3E, 0x90, 0x99, 0xB5, 0x01, 0x5E, 0x8F, 0x48, 0x6C, 0x00, 0xBC, 0xEA, 0x9D, 0x11, 0x1E, 0xE7, + 0x21, 0xFA, 0xBA, 0x35, 0x5A, 0x89, 0xBC, 0xF1, 0xDF, 0x69, 0x56, 0x1E, 0x3D, 0xC6, 0x32, 0x5C }, + 48 /* Bin Number */ + }, + { + /* Trusted_Certificate_Services */ + { 0x3F, 0x06, 0xE5, 0x56, 0x81, 0xD4, 0x96, 0xF5, 0xBE, 0x16, 0x9E, 0xB5, 0x38, 0x9F, 0x9F, 0x2B, + 0x8F, 0xF6, 0x1E, 0x17, 0x08, 0xDF, 0x68, 0x81, 0x72, 0x48, 0x49, 0xCD, 0x5D, 0x27, 0xCB, 0x69 }, + 30 /* Bin Number */ + }, + { + /* HARICA_TLS_ECC_Root_CA_2021 */ + { 0x3F, 0x99, 0xCC, 0x47, 0x4A, 0xCF, 0xCE, 0x4D, 0xFE, 0xD5, 0x87, 0x94, 0x66, 0x5E, 0x47, 0x8D, + 0x15, 0x47, 0x73, 0x9F, 0x2E, 0x78, 0x0F, 0x1B, 0xB4, 0xCA, 0x9B, 0x13, 0x30, 0x97, 0xD4, 0x01 }, + 229 /* Bin Number */ + }, + { + /* emSign_Root_CA___G1 */ + { 0x40, 0xF6, 0xAF, 0x03, 0x46, 0xA9, 0x9A, 0xA1, 0xCD, 0x1D, 0x55, 0x5A, 0x4E, 0x9C, 0xCE, 0x62, + 0xC7, 0xF9, 0x63, 0x46, 0x03, 0xEE, 0x40, 0x66, 0x15, 0x83, 0x3D, 0xC8, 0xC8, 0xD0, 0x03, 0x67 }, + 206 /* Bin Number */ + }, + { + /* OISTE_WISeKey_Global_Root_GA_CA */ + { 0x41, 0xC9, 0x23, 0x86, 0x6A, 0xB4, 0xCA, 0xD6, 0xB7, 0xAD, 0x57, 0x80, 0x81, 0x58, 0x2E, 0x02, + 0x07, 0x97, 0xA6, 0xCB, 0xDF, 0x4F, 0xFF, 0x78, 0xCE, 0x83, 0x96, 0xB3, 0x89, 0x37, 0xD7, 0xF5 }, + 69 /* Bin Number */ + }, + { + /* Secure_Global_CA */ + { 0x42, 0x00, 0xF5, 0x04, 0x3A, 0xC8, 0x59, 0x0E, 0xBB, 0x52, 0x7D, 0x20, 0x9E, 0xD1, 0x50, 0x30, + 0x29, 0xFB, 0xCB, 0xD4, 0x1C, 0xA1, 0xB5, 0x06, 0xEC, 0x27, 0xF1, 0x5A, 0xDE, 0x7D, 0xAC, 0x69 }, + 62 /* Bin Number */ + }, + { + /* DigiCert_Global_Root_CA */ + { 0x43, 0x48, 0xA0, 0xE9, 0x44, 0x4C, 0x78, 0xCB, 0x26, 0x5E, 0x05, 0x8D, 0x5E, 0x89, 0x44, 0xB4, + 0xD8, 0x4F, 0x96, 0x62, 0xBD, 0x26, 0xDB, 0x25, 0x7F, 0x89, 0x34, 0xA4, 0x43, 0xC7, 0x01, 0x61 }, + 49 /* Bin Number */ + }, + { + /* Entrust_Root_Certification_Authority___G2 */ + { 0x43, 0xDF, 0x57, 0x74, 0xB0, 0x3E, 0x7F, 0xEF, 0x5F, 0xE4, 0x0D, 0x93, 0x1A, 0x7B, 0xED, 0xF1, + 0xBB, 0x2E, 0x6B, 0x42, 0x73, 0x8C, 0x4E, 0x6D, 0x38, 0x41, 0x10, 0x3D, 0x3A, 0xA7, 0xF3, 0x39 }, + 163 /* Bin Number */ + }, + { + /* T_RKTRUST_Elektronik_Sertifika_Hizmet_Sa_lay_c_s_ */ + { 0x44, 0x04, 0xE3, 0x3B, 0x5E, 0x14, 0x0D, 0xCF, 0x99, 0x80, 0x51, 0xFD, 0xFC, 0x80, 0x28, 0xC7, + 0xC8, 0x16, 0x15, 0xC5, 0xEE, 0x73, 0x7B, 0x11, 0x1B, 0x58, 0x82, 0x33, 0xA9, 0xB5, 0x35, 0xA0 }, + 54 /* Bin Number */ + }, + { + /* Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015 */ + { 0x44, 0xB5, 0x45, 0xAA, 0x8A, 0x25, 0xE6, 0x5A, 0x73, 0xCA, 0x15, 0xDC, 0x27, 0xFC, 0x36, 0xD2, + 0x4C, 0x1C, 0xB9, 0x95, 0x3A, 0x06, 0x65, 0x39, 0xB1, 0x15, 0x82, 0xDC, 0x48, 0x7B, 0x48, 0x33 }, + 175 /* Bin Number */ + }, + { + /* Go_Daddy_Root_Certificate_Authority___G2 */ + { 0x45, 0x14, 0x0B, 0x32, 0x47, 0xEB, 0x9C, 0xC8, 0xC5, 0xB4, 0xF0, 0xD7, 0xB5, 0x30, 0x91, 0xF7, + 0x32, 0x92, 0x08, 0x9E, 0x6E, 0x5A, 0x63, 0xE2, 0x74, 0x9D, 0xD3, 0xAC, 0xA9, 0x19, 0x8E, 0xDA }, + 106 /* Bin Number */ + }, + { + /* TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi___Surum_1 */ + { 0x46, 0xED, 0xC3, 0x68, 0x90, 0x46, 0xD5, 0x3A, 0x45, 0x3F, 0xB3, 0x10, 0x4A, 0xB8, 0x0D, 0xCA, + 0xEC, 0x65, 0x8B, 0x26, 0x60, 0xEA, 0x16, 0x29, 0xDD, 0x7E, 0x86, 0x79, 0x90, 0x64, 0x87, 0x16 }, + 188 /* Bin Number */ + }, + { + /* T_RKTRUST_Elektronik_Sertifika_Hizmet_Sa_lay_c_s__H5 */ + { 0x49, 0x35, 0x1B, 0x90, 0x34, 0x44, 0xC1, 0x85, 0xCC, 0xDC, 0x5C, 0x69, 0x3D, 0x24, 0xD8, 0x55, + 0x5C, 0xB2, 0x08, 0xD6, 0xA8, 0x14, 0x13, 0x07, 0x69, 0x9F, 0x4A, 0xF0, 0x63, 0x19, 0x9D, 0x78 }, + 166 /* Bin Number */ + }, + { + /* D_TRUST_Root_Class_3_CA_2_2009 */ + { 0x49, 0xE7, 0xA4, 0x42, 0xAC, 0xF0, 0xEA, 0x62, 0x87, 0x05, 0x00, 0x54, 0xB5, 0x25, 0x64, 0xB6, + 0x50, 0xE4, 0xF4, 0x9E, 0x42, 0xE3, 0x48, 0xD6, 0xAA, 0x38, 0xE0, 0x39, 0xE9, 0x57, 0xB1, 0xC1 }, + 130 /* Bin Number */ + }, + { + /* thawte_Primary_Root_CA___G3 */ + { 0x4B, 0x03, 0xF4, 0x58, 0x07, 0xAD, 0x70, 0xF2, 0x1B, 0xFC, 0x2C, 0xAE, 0x71, 0xC9, 0xFD, 0xE4, + 0x60, 0x4C, 0x06, 0x4C, 0xF5, 0xFF, 0xB6, 0x86, 0xBA, 0xE5, 0xDB, 0xAA, 0xD7, 0xFD, 0xD3, 0x4C }, + 88 /* Bin Number */ + }, + { + /* Certification_Authority_of_WoSign */ + { 0x4B, 0x22, 0xD5, 0xA6, 0xAE, 0xC9, 0x9F, 0x3C, 0xDB, 0x79, 0xAA, 0x5E, 0xC0, 0x68, 0x38, 0x47, + 0x9C, 0xD5, 0xEC, 0xBA, 0x71, 0x64, 0xF7, 0xF2, 0x2D, 0xC1, 0xD6, 0x5F, 0x63, 0xD8, 0x57, 0x08 }, + 152 /* Bin Number */ + }, + { + /* Staat_der_Nederlanden_EV_Root_CA */ + { 0x4D, 0x24, 0x91, 0x41, 0x4C, 0xFE, 0x95, 0x67, 0x46, 0xEC, 0x4C, 0xEF, 0xA6, 0xCF, 0x6F, 0x72, + 0xE2, 0x8A, 0x13, 0x29, 0x43, 0x2F, 0x9D, 0x8A, 0x90, 0x7A, 0xC4, 0xCB, 0x5D, 0xAD, 0xC1, 0x5A }, + 160 /* Bin Number */ + }, + { + /* GlobalSign_Root_R46 */ + { 0x4F, 0xA3, 0x12, 0x6D, 0x8D, 0x3A, 0x11, 0xD1, 0xC4, 0x85, 0x5A, 0x4F, 0x80, 0x7C, 0xBA, 0xD6, + 0xCF, 0x91, 0x9D, 0x3A, 0x5A, 0x88, 0xB0, 0x3B, 0xEA, 0x2C, 0x63, 0x72, 0xD9, 0x3C, 0x40, 0xC9 }, + 221 /* Bin Number */ + }, + { + /* USERTrust_ECC_Certification_Authority */ + { 0x4F, 0xF4, 0x60, 0xD5, 0x4B, 0x9C, 0x86, 0xDA, 0xBF, 0xBC, 0xFC, 0x57, 0x12, 0xE0, 0x40, 0x0D, + 0x2B, 0xED, 0x3F, 0xBC, 0x4D, 0x4F, 0xBD, 0xAA, 0x86, 0xE0, 0x6A, 0xDC, 0xD2, 0xA9, 0xAD, 0x7A }, + 156 /* Bin Number */ + }, + { + /* ComSign_Secured_CA */ + { 0x50, 0x79, 0x41, 0xC7, 0x44, 0x60, 0xA0, 0xB4, 0x70, 0x86, 0x22, 0x0D, 0x4E, 0x99, 0x32, 0x57, + 0x2A, 0xB5, 0xD1, 0xB5, 0xBB, 0xCB, 0x89, 0x80, 0xAB, 0x1C, 0xB1, 0x76, 0x51, 0xA8, 0x44, 0xD2 }, + 76 /* Bin Number */ + }, + { + /* OU_Security_Communication_RootCA2_O__SECOM_Trust_Systems_CO__LTD___C_JP */ + { 0x51, 0x3B, 0x2C, 0xEC, 0xB8, 0x10, 0xD4, 0xCD, 0xE5, 0xDD, 0x85, 0x39, 0x1A, 0xDF, 0xC6, 0xC2, + 0xDD, 0x60, 0xD8, 0x7B, 0xB7, 0x36, 0xD2, 0xB5, 0x21, 0x48, 0x4A, 0xA4, 0x7A, 0x0E, 0xBE, 0xF6 }, + 118 /* Bin Number */ + }, + { + /* COMODO_RSA_Certification_Authority */ + { 0x52, 0xF0, 0xE1, 0xC4, 0xE5, 0x8E, 0xC6, 0x29, 0x29, 0x1B, 0x60, 0x31, 0x7F, 0x07, 0x46, 0x71, + 0xB8, 0x5D, 0x7E, 0xA8, 0x0D, 0x5B, 0x07, 0x27, 0x34, 0x63, 0x53, 0x4B, 0x32, 0xB4, 0x02, 0x34 }, + 154 /* Bin Number */ + }, + { + /* LuxTrust_Global_Root_2 */ + { 0x54, 0x45, 0x5F, 0x71, 0x29, 0xC2, 0x0B, 0x14, 0x47, 0xC4, 0x18, 0xF9, 0x97, 0x16, 0x8F, 0x24, + 0xC5, 0x8F, 0xC5, 0x02, 0x3B, 0xF5, 0xDA, 0x5B, 0xE2, 0xEB, 0x6E, 0x1D, 0xD8, 0x90, 0x2E, 0xD5 }, + 187 /* Bin Number */ + }, + { + /* DigiCert_Trusted_Root_G4 */ + { 0x55, 0x2F, 0x7B, 0xDC, 0xF1, 0xA7, 0xAF, 0x9E, 0x6C, 0xE6, 0x72, 0x01, 0x7F, 0x4F, 0x12, 0xAB, + 0xF7, 0x72, 0x40, 0xC7, 0x8E, 0x76, 0x1A, 0xC2, 0x03, 0xD1, 0xD9, 0xD2, 0x0A, 0xC8, 0x99, 0x88 }, + 151 /* Bin Number */ + }, + { + /* AC_RAIZ_FNMT_RCM_SERVIDORES_SEGUROS */ + { 0x55, 0x41, 0x53, 0xB1, 0x3D, 0x2C, 0xF9, 0xDD, 0xB7, 0x53, 0xBF, 0xBE, 0x1A, 0x4E, 0x0A, 0xE0, + 0x8D, 0x0A, 0xA4, 0x18, 0x70, 0x58, 0xFE, 0x60, 0xA2, 0xB8, 0x62, 0xB2, 0xE4, 0xB8, 0x7B, 0xCB }, + 220 /* Bin Number */ + }, + { + /* Trustwave_Global_ECC_P384_Certification_Authority */ + { 0x55, 0x90, 0x38, 0x59, 0xC8, 0xC0, 0xC3, 0xEB, 0xB8, 0x75, 0x9E, 0xCE, 0x4E, 0x25, 0x57, 0x22, + 0x5F, 0xF5, 0x75, 0x8B, 0xBD, 0x38, 0xEB, 0xD4, 0x82, 0x76, 0x60, 0x1E, 0x1B, 0xD5, 0x80, 0x97 }, + 218 /* Bin Number */ + }, + { + /* Actalis_Authentication_Root_CA */ + { 0x55, 0x92, 0x60, 0x84, 0xEC, 0x96, 0x3A, 0x64, 0xB9, 0x6E, 0x2A, 0xBE, 0x01, 0xCE, 0x0B, 0xA8, + 0x6A, 0x64, 0xFB, 0xFE, 0xBC, 0xC7, 0xAA, 0xB5, 0xAF, 0xC1, 0x55, 0xB3, 0x7F, 0xD7, 0x60, 0x66 }, + 121 /* Bin Number */ + }, + { + /* Starfield_Services_Root_Certificate_Authority___G2 */ + { 0x56, 0x8D, 0x69, 0x05, 0xA2, 0xC8, 0x87, 0x08, 0xA4, 0xB3, 0x02, 0x51, 0x90, 0xED, 0xCF, 0xED, + 0xB1, 0x97, 0x4A, 0x60, 0x6A, 0x13, 0xC6, 0xE5, 0x29, 0x0F, 0xCB, 0x2A, 0xE6, 0x3E, 0xDA, 0xB5 }, + 108 /* Bin Number */ + }, + { + /* OpenTrust_Root_CA_G1 */ + { 0x56, 0xC7, 0x71, 0x28, 0xD9, 0x8C, 0x18, 0xD9, 0x1B, 0x4C, 0xFD, 0xFF, 0xBC, 0x25, 0xEE, 0x91, + 0x03, 0xD4, 0x75, 0x8E, 0xA2, 0xAB, 0xAD, 0x82, 0x6A, 0x90, 0xF3, 0x45, 0x7D, 0x46, 0x0E, 0xB4 }, + 178 /* Bin Number */ + }, + { + /* BJCA_Global_Root_CA2 */ + { 0x57, 0x4D, 0xF6, 0x93, 0x1E, 0x27, 0x80, 0x39, 0x66, 0x7B, 0x72, 0x0A, 0xFD, 0xC1, 0x60, 0x0F, + 0xC2, 0x7E, 0xB6, 0x6D, 0xD3, 0x09, 0x29, 0x79, 0xFB, 0x73, 0x85, 0x64, 0x87, 0x21, 0x28, 0x82 }, + 251 /* Bin Number */ + }, + { + /* Telekom_Security_TLS_ECC_Root_2020 */ + { 0x57, 0x8A, 0xF4, 0xDE, 0xD0, 0x85, 0x3F, 0x4E, 0x59, 0x98, 0xDB, 0x4A, 0xEA, 0xF9, 0xCB, 0xEA, + 0x8D, 0x94, 0x5F, 0x60, 0xB6, 0x20, 0xA3, 0x8D, 0x1A, 0x3C, 0x13, 0xB2, 0xBC, 0x7B, 0xA8, 0xE1 }, + 266 /* Bin Number */ + }, + { + /* Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068 */ + { 0x57, 0xDE, 0x05, 0x83, 0xEF, 0xD2, 0xB2, 0x6E, 0x03, 0x61, 0xDA, 0x99, 0xDA, 0x9D, 0xF4, 0x64, + 0x8D, 0xEF, 0x7E, 0xE8, 0x44, 0x1C, 0x3B, 0x72, 0x8A, 0xFA, 0x9B, 0xCD, 0xE0, 0xF9, 0xB2, 0x6A }, + 230 /* Bin Number */ + }, + { + /* TWCA_Global_Root_CA */ + { 0x59, 0x76, 0x90, 0x07, 0xF7, 0x68, 0x5D, 0x0F, 0xCD, 0x50, 0x87, 0x2F, 0x9F, 0x95, 0xD5, 0x75, + 0x5A, 0x5B, 0x2B, 0x45, 0x7D, 0x81, 0xF3, 0x69, 0x2B, 0x61, 0x0A, 0x98, 0x67, 0x2F, 0x0E, 0x1B }, + 139 /* Bin Number */ + }, + { + /* Hongkong_Post_Root_CA_3 */ + { 0x5A, 0x2F, 0xC0, 0x3F, 0x0C, 0x83, 0xB0, 0x90, 0xBB, 0xFA, 0x40, 0x60, 0x4B, 0x09, 0x88, 0x44, + 0x6C, 0x76, 0x36, 0x18, 0x3D, 0xF9, 0x84, 0x6E, 0x17, 0x10, 0x1A, 0x44, 0x7F, 0xB8, 0xEF, 0xD6 }, + 210 /* Bin Number */ + }, + { + /* TrustCor_ECA_1 */ + { 0x5A, 0x88, 0x5D, 0xB1, 0x9C, 0x01, 0xD9, 0x12, 0xC5, 0x75, 0x93, 0x88, 0x93, 0x8C, 0xAF, 0xBB, + 0xDF, 0x03, 0x1A, 0xB2, 0xD4, 0x8E, 0x91, 0xEE, 0x15, 0x58, 0x9B, 0x42, 0x97, 0x1D, 0x03, 0x9C }, + 192 /* Bin Number */ + }, + { + /* Certum_Trusted_Network_CA */ + { 0x5C, 0x58, 0x46, 0x8D, 0x55, 0xF5, 0x8E, 0x49, 0x7E, 0x74, 0x39, 0x82, 0xD2, 0xB5, 0x00, 0x10, + 0xB6, 0xD1, 0x65, 0x37, 0x4A, 0xCF, 0x83, 0xA7, 0xD4, 0xA3, 0x2D, 0xB7, 0x68, 0xC4, 0x40, 0x8E }, + 113 /* Bin Number */ + }, + { + /* CFCA_EV_ROOT */ + { 0x5C, 0xC3, 0xD7, 0x8E, 0x4E, 0x1D, 0x5E, 0x45, 0x54, 0x7A, 0x04, 0xE6, 0x87, 0x3E, 0x64, 0xF9, + 0x0C, 0xF9, 0x53, 0x6D, 0x1C, 0xCC, 0x2E, 0xF8, 0x00, 0xF3, 0x55, 0xC4, 0xC5, 0xFD, 0x70, 0xFD }, + 165 /* Bin Number */ + }, + { + /* IdenTrust_Commercial_Root_CA_1 */ + { 0x5D, 0x56, 0x49, 0x9B, 0xE4, 0xD2, 0xE0, 0x8B, 0xCF, 0xCA, 0xD0, 0x8A, 0x3E, 0x38, 0x72, 0x3D, + 0x50, 0x50, 0x3B, 0xDE, 0x70, 0x69, 0x48, 0xE4, 0x2F, 0x55, 0x60, 0x30, 0x19, 0xE5, 0x28, 0xAE }, + 161 /* Bin Number */ + }, + { + /* GeoTrust_Primary_Certification_Authority___G2 */ + { 0x5E, 0xDB, 0x7A, 0xC4, 0x3B, 0x82, 0xA0, 0x6A, 0x87, 0x61, 0xE8, 0xD7, 0xBE, 0x49, 0x79, 0xEB, + 0xF2, 0x61, 0x1F, 0x7D, 0xD7, 0x9B, 0xF9, 0x1C, 0x1C, 0x6B, 0x56, 0x6A, 0x21, 0x9E, 0xD7, 0x66 }, + 89 /* Bin Number */ + }, + { + /* Equifax_Secure_Global_eBusiness_CA_1 */ + { 0x5F, 0x0B, 0x62, 0xEA, 0xB5, 0xE3, 0x53, 0xEA, 0x65, 0x21, 0x65, 0x16, 0x58, 0xFB, 0xB6, 0x53, + 0x59, 0xF4, 0x43, 0x28, 0x0A, 0x4A, 0xFB, 0xD1, 0x04, 0xD7, 0x7D, 0x10, 0xF9, 0xF0, 0x4C, 0x07 }, + 12 /* Bin Number */ + }, + { + /* SwissSign_Gold_CA___G2 */ + { 0x62, 0xDD, 0x0B, 0xE9, 0xB9, 0xF5, 0x0A, 0x16, 0x3E, 0xA0, 0xF8, 0xE7, 0x5C, 0x05, 0x3B, 0x1E, + 0xCA, 0x57, 0xEA, 0x55, 0xC8, 0x68, 0x8F, 0x64, 0x7C, 0x68, 0x81, 0xF2, 0xC8, 0x35, 0x7B, 0x95 }, + 56 /* Bin Number */ + }, + { + /* OU_certSIGN_ROOT_CA_G2_O_CERTSIGN_SA_C_RO */ + { 0x65, 0x7C, 0xFE, 0x2F, 0xA7, 0x3F, 0xAA, 0x38, 0x46, 0x25, 0x71, 0xF3, 0x32, 0xA2, 0x36, 0x3A, + 0x46, 0xFC, 0xE7, 0x02, 0x09, 0x51, 0x71, 0x07, 0x02, 0xCD, 0xFB, 0xB6, 0xEE, 0xDA, 0x33, 0x05 }, + 215 /* Bin Number */ + }, + { + /* Staat_der_Nederlanden_Root_CA___G2 */ + { 0x66, 0x8C, 0x83, 0x94, 0x7D, 0xA6, 0x3B, 0x72, 0x4B, 0xEC, 0xE1, 0x74, 0x3C, 0x31, 0xA0, 0xE6, + 0xAE, 0xD0, 0xDB, 0x8E, 0xC5, 0xB3, 0x1B, 0xE3, 0x77, 0xBB, 0x78, 0x4F, 0x91, 0xB6, 0x71, 0x6F }, + 93 /* Bin Number */ + }, + { + /* AddTrust_External_CA_Root */ + { 0x68, 0x7F, 0xA4, 0x51, 0x38, 0x22, 0x78, 0xFF, 0xF0, 0xC8, 0xB1, 0x1F, 0x8D, 0x43, 0xD5, 0x76, + 0x67, 0x1C, 0x6E, 0xB2, 0xBC, 0xEA, 0xB4, 0x13, 0xFB, 0x83, 0xD9, 0x65, 0xD0, 0x6D, 0x2F, 0xF2 }, + 15 /* Bin Number */ + }, + { + /* ISRG_Root_X2 */ + { 0x69, 0x72, 0x9B, 0x8E, 0x15, 0xA8, 0x6E, 0xFC, 0x17, 0x7A, 0x57, 0xAF, 0xB7, 0x17, 0x1D, 0xFC, + 0x64, 0xAD, 0xD2, 0x8C, 0x2F, 0xCA, 0x8C, 0xF1, 0x50, 0x7E, 0x34, 0x45, 0x3C, 0xCB, 0x14, 0x70 }, + 233 /* Bin Number */ + }, + { + /* VeriSign_Class_3_Public_Primary_Certification_Authority___G4 */ + { 0x69, 0xDD, 0xD7, 0xEA, 0x90, 0xBB, 0x57, 0xC9, 0x3E, 0x13, 0x5D, 0xC8, 0x5E, 0xA6, 0xFC, 0xD5, + 0x48, 0x0B, 0x60, 0x32, 0x39, 0xBD, 0xC4, 0x54, 0xFC, 0x75, 0x8B, 0x2A, 0x26, 0xCF, 0x7F, 0x79 }, + 91 /* Bin Number */ + }, + { + /* Visa_eCommerce_Root */ + { 0x69, 0xFA, 0xC9, 0xBD, 0x55, 0xFB, 0x0A, 0xC7, 0x8D, 0x53, 0xBB, 0xEE, 0x5C, 0xF1, 0xD5, 0x97, + 0x98, 0x9F, 0xD0, 0xAA, 0xAB, 0x20, 0xA2, 0x51, 0x51, 0xBD, 0xF1, 0x73, 0x3E, 0xE7, 0xD1, 0x22 }, + 26 /* Bin Number */ + }, + { + /* Certum_EC_384_CA */ + { 0x6B, 0x32, 0x80, 0x85, 0x62, 0x53, 0x18, 0xAA, 0x50, 0xD1, 0x73, 0xC9, 0x8D, 0x8B, 0xDA, 0x09, + 0xD5, 0x7E, 0x27, 0x41, 0x3D, 0x11, 0x4C, 0xF7, 0x87, 0xA0, 0xF5, 0xD0, 0x6C, 0x03, 0x0C, 0xF6 }, + 225 /* Bin Number */ + }, + { + /* OISTE_WISeKey_Global_Root_GB_CA */ + { 0x6B, 0x9C, 0x08, 0xE8, 0x6E, 0xB0, 0xF7, 0x67, 0xCF, 0xAD, 0x65, 0xCD, 0x98, 0xB6, 0x21, 0x49, + 0xE5, 0x49, 0x4A, 0x67, 0xF5, 0x84, 0x5E, 0x7B, 0xD1, 0xED, 0x01, 0x9F, 0x27, 0xB8, 0x6B, 0xD6 }, + 169 /* Bin Number */ + }, + { + /* NetLock_Arany__Class_Gold__F_tan_s_tv_ny */ + { 0x6C, 0x61, 0xDA, 0xC3, 0xA2, 0xDE, 0xF0, 0x31, 0x50, 0x6B, 0xE0, 0x36, 0xD2, 0xA6, 0xFE, 0x40, + 0x19, 0x94, 0xFB, 0xD1, 0x3D, 0xF9, 0xC8, 0xD4, 0x66, 0x59, 0x92, 0x74, 0xC4, 0x46, 0xEC, 0x98 }, + 92 /* Bin Number */ + }, + { + /* Certplus_Root_CA_G2 */ + { 0x6C, 0xC0, 0x50, 0x41, 0xE6, 0x44, 0x5E, 0x74, 0x69, 0x6C, 0x4C, 0xFB, 0xC9, 0xF8, 0x0F, 0x54, + 0x3B, 0x7E, 0xAB, 0xBB, 0x44, 0xB4, 0xCE, 0x6F, 0x78, 0x7C, 0x6A, 0x99, 0x71, 0xC4, 0x2F, 0x17 }, + 177 /* Bin Number */ + }, + { + /* Entrust_net_Certification_Authority__2048_ */ + { 0x6D, 0xC4, 0x71, 0x72, 0xE0, 0x1C, 0xBC, 0xB0, 0xBF, 0x62, 0x58, 0x0D, 0x89, 0x5F, 0xE2, 0xB8, + 0xAC, 0x9A, 0xD4, 0xF8, 0x73, 0x80, 0x1E, 0x0C, 0x10, 0xB9, 0xC8, 0x37, 0xD2, 0x1E, 0xB1, 0x77 }, + 10 /* Bin Number */ + }, + { + /* UTN_USERFirst_Hardware */ + { 0x6E, 0xA5, 0x47, 0x41, 0xD0, 0x04, 0x66, 0x7E, 0xED, 0x1B, 0x48, 0x16, 0x63, 0x4A, 0xA3, 0xA7, + 0x9E, 0x6E, 0x4B, 0x96, 0x95, 0x0F, 0x82, 0x79, 0xDA, 0xFC, 0x8D, 0x9B, 0xD8, 0x81, 0x21, 0x37 }, + 38 /* Bin Number */ + }, + { + /* AffirmTrust_Premium */ + { 0x70, 0xA7, 0x3F, 0x7F, 0x37, 0x6B, 0x60, 0x07, 0x42, 0x48, 0x90, 0x45, 0x34, 0xB1, 0x14, 0x82, + 0xD5, 0xBF, 0x0E, 0x69, 0x8E, 0xCC, 0x49, 0x8D, 0xF5, 0x25, 0x77, 0xEB, 0xF2, 0xE9, 0x3B, 0x9A }, + 111 /* Bin Number */ + }, + { + /* GTS_Root_R4 */ + { 0x71, 0xCC, 0xA5, 0x39, 0x1F, 0x9E, 0x79, 0x4B, 0x04, 0x80, 0x25, 0x30, 0xB3, 0x63, 0xE1, 0x21, + 0xDA, 0x8A, 0x30, 0x43, 0xBB, 0x26, 0x66, 0x2F, 0xEA, 0x4D, 0xCA, 0x7F, 0xC9, 0x51, 0xA4, 0xBD }, + 202 /* Bin Number */ + }, + { + /* Entrust_Root_Certification_Authority */ + { 0x73, 0xC1, 0x76, 0x43, 0x4F, 0x1B, 0xC6, 0xD5, 0xAD, 0xF4, 0x5B, 0x0E, 0x76, 0xE7, 0x27, 0x28, + 0x7C, 0x8D, 0xE5, 0x76, 0x16, 0xC1, 0xE6, 0xE6, 0x14, 0x1A, 0x2B, 0x2C, 0xBC, 0x7D, 0x8E, 0x4C }, + 18 /* Bin Number */ + }, + { + /* DigiCert_High_Assurance_EV_Root_CA */ + { 0x74, 0x31, 0xE5, 0xF4, 0xC3, 0xC1, 0xCE, 0x46, 0x90, 0x77, 0x4F, 0x0B, 0x61, 0xE0, 0x54, 0x40, + 0x88, 0x3B, 0xA9, 0xA0, 0x1E, 0xD0, 0x0B, 0xA6, 0xAB, 0xD7, 0x80, 0x6E, 0xD3, 0xB1, 0x18, 0xCF }, + 50 /* Bin Number */ + }, + { + /* O_Government_Root_Certification_Authority_C_TW */ + { 0x76, 0x00, 0x29, 0x5E, 0xEF, 0xE8, 0x5B, 0x9E, 0x1F, 0xD6, 0x24, 0xDB, 0x76, 0x06, 0x2A, 0xAA, + 0xAE, 0x59, 0x81, 0x8A, 0x54, 0xD2, 0x77, 0x4C, 0xD4, 0xC0, 0xB2, 0xC0, 0x11, 0x31, 0xE1, 0xB3 }, + 46 /* Bin Number */ + }, + { + /* DST_ACES_CA_X6 */ + { 0x76, 0x7C, 0x95, 0x5A, 0x76, 0x41, 0x2C, 0x89, 0xAF, 0x68, 0x8E, 0x90, 0xA1, 0xC7, 0x0F, 0x55, + 0x6C, 0xFD, 0x6B, 0x60, 0x25, 0xDB, 0xEA, 0x10, 0x41, 0x6D, 0x7E, 0xB6, 0x83, 0x1F, 0x8C, 0x40 }, + 53 /* Bin Number */ + }, + { + /* America_Online_Root_Certification_Authority_1 */ + { 0x77, 0x40, 0x73, 0x12, 0xC6, 0x3A, 0x15, 0x3D, 0x5B, 0xC0, 0x0B, 0x4E, 0x51, 0x75, 0x9C, 0xDF, + 0xDA, 0xC2, 0x37, 0xDC, 0x2A, 0x33, 0xB6, 0x79, 0x46, 0xE9, 0x8E, 0x9B, 0xFA, 0x68, 0x0A, 0xE3 }, + 24 /* Bin Number */ + }, + { + /* Certainly_Root_R1 */ + { 0x77, 0xB8, 0x2C, 0xD8, 0x64, 0x4C, 0x43, 0x05, 0xF7, 0xAC, 0xC5, 0xCB, 0x15, 0x6B, 0x45, 0x67, + 0x50, 0x04, 0x03, 0x3D, 0x51, 0xC6, 0x0C, 0x62, 0x02, 0xA8, 0xE0, 0xC3, 0x34, 0x67, 0xD3, 0xA0 }, + 245 /* Bin Number */ + }, + { + /* Sonera_Class2_CA */ + { 0x79, 0x08, 0xB4, 0x03, 0x14, 0xC1, 0x38, 0x10, 0x0B, 0x51, 0x8D, 0x07, 0x35, 0x80, 0x7F, 0xFB, + 0xFC, 0xF8, 0x51, 0x8A, 0x00, 0x95, 0x33, 0x71, 0x05, 0xBA, 0x38, 0x6B, 0x15, 0x3D, 0xD9, 0x27 }, + 35 /* Bin Number */ + }, + { + /* A_Trust_nQual_03 */ + { 0x79, 0x3C, 0xBF, 0x45, 0x59, 0xB9, 0xFD, 0xE3, 0x8A, 0xB2, 0x2D, 0xF1, 0x68, 0x69, 0xF6, 0x98, + 0x81, 0xAE, 0x14, 0xC4, 0xB0, 0x13, 0x9A, 0xC7, 0x88, 0xA7, 0x8A, 0x1A, 0xFC, 0xCA, 0x02, 0xFB }, + 116 /* Bin Number */ + }, + { + /* Sectigo_Public_Server_Authentication_Root_R46 */ + { 0x7B, 0xB6, 0x47, 0xA6, 0x2A, 0xEE, 0xAC, 0x88, 0xBF, 0x25, 0x7A, 0xA5, 0x22, 0xD0, 0x1F, 0xFE, + 0xA3, 0x95, 0xE0, 0xAB, 0x45, 0xC7, 0x3F, 0x93, 0xF6, 0x56, 0x54, 0xEC, 0x38, 0xF2, 0x5A, 0x06 }, + 253 /* Bin Number */ + }, + { + /* DigiCert_Assured_ID_Root_G2 */ + { 0x7D, 0x05, 0xEB, 0xB6, 0x82, 0x33, 0x9F, 0x8C, 0x94, 0x51, 0xEE, 0x09, 0x4E, 0xEB, 0xFE, 0xFA, + 0x79, 0x53, 0xA1, 0x14, 0xED, 0xB2, 0xF4, 0x49, 0x49, 0x45, 0x2F, 0xAB, 0x7D, 0x2F, 0xC1, 0x85 }, + 147 /* Bin Number */ + }, + { + /* America_Online_Root_Certification_Authority_2 */ + { 0x7D, 0x3B, 0x46, 0x5A, 0x60, 0x14, 0xE5, 0x26, 0xC0, 0xAF, 0xFC, 0xEE, 0x21, 0x27, 0xD2, 0x31, + 0x17, 0x27, 0xAD, 0x81, 0x1C, 0x26, 0x84, 0x2D, 0x00, 0x6A, 0xF3, 0x73, 0x06, 0xCC, 0x80, 0xBD }, + 25 /* Bin Number */ + }, + { + /* DigiCert_Assured_ID_Root_G3 */ + { 0x7E, 0x37, 0xCB, 0x8B, 0x4C, 0x47, 0x09, 0x0C, 0xAB, 0x36, 0x55, 0x1B, 0xA6, 0xF4, 0x5D, 0xB8, + 0x40, 0x68, 0x0F, 0xBA, 0x16, 0x6A, 0x95, 0x2D, 0xB1, 0x00, 0x71, 0x7F, 0x43, 0x05, 0x3F, 0xC2 }, + 148 /* Bin Number */ + }, + { + /* NetLock_Kozjegyzoi__Class_A__Tanusitvanykiado */ + { 0x7F, 0x12, 0xCD, 0x5F, 0x7E, 0x5E, 0x29, 0x0E, 0xC7, 0xD8, 0x51, 0x79, 0xD5, 0xB7, 0x2C, 0x20, + 0xA5, 0xBE, 0x75, 0x08, 0xFF, 0xDB, 0x5B, 0xF8, 0x1A, 0xB9, 0x68, 0x4A, 0x7F, 0xC9, 0xF6, 0x67 }, + 41 /* Bin Number */ + }, + { + /* AddTrust_Qualified_CA_Root */ + { 0x80, 0x95, 0x21, 0x08, 0x05, 0xDB, 0x4B, 0xBC, 0x35, 0x5E, 0x44, 0x28, 0xD8, 0xFD, 0x6E, 0xC2, + 0xCD, 0xE3, 0xAB, 0x5F, 0xB9, 0x7A, 0x99, 0x42, 0x98, 0x8E, 0xB8, 0xF4, 0xDC, 0xD0, 0x60, 0x16 }, + 17 /* Bin Number */ + }, + { + /* Atos_TrustedRoot_Root_CA_RSA_TLS_2021 */ + { 0x81, 0xA9, 0x08, 0x8E, 0xA5, 0x9F, 0xB3, 0x64, 0xC5, 0x48, 0xA6, 0xF8, 0x55, 0x59, 0x09, 0x9B, + 0x6F, 0x04, 0x05, 0xEF, 0xBF, 0x18, 0xE5, 0x32, 0x4E, 0xC9, 0xF4, 0x57, 0xBA, 0x00, 0x11, 0x2F }, + 257 /* Bin Number */ + }, + { + /* OU_VeriSign_Trust_Network_OU___c__1998_VeriSign__Inc____For_authorized_use_only__OU_Class_3_Public_Primary_Certification_Authority___G2_O__VeriSign__Inc___C_US */ + { 0x83, 0xCE, 0x3C, 0x12, 0x29, 0x68, 0x8A, 0x59, 0x3D, 0x48, 0x5F, 0x81, 0x97, 0x3C, 0x0F, 0x91, + 0x95, 0x43, 0x1E, 0xDA, 0x37, 0xCC, 0x5E, 0x36, 0x43, 0x0E, 0x79, 0xC7, 0xA8, 0x88, 0x63, 0x8B }, + 5 /* Bin Number */ + }, + { + /* OISTE_WISeKey_Global_Root_GC_CA */ + { 0x85, 0x60, 0xF9, 0x1C, 0x36, 0x24, 0xDA, 0xBA, 0x95, 0x70, 0xB5, 0xFE, 0xA0, 0xDB, 0xE3, 0x6F, + 0xF1, 0x1A, 0x83, 0x23, 0xBE, 0x94, 0x86, 0x85, 0x4F, 0xB3, 0xF3, 0x4A, 0x55, 0x71, 0x19, 0x8D }, + 198 /* Bin Number */ + }, + { + /* SSL_com_Root_Certification_Authority_RSA */ + { 0x85, 0x66, 0x6A, 0x56, 0x2E, 0xE0, 0xBE, 0x5C, 0xE9, 0x25, 0xC1, 0xD8, 0x89, 0x0A, 0x6F, 0x76, + 0xA8, 0x7E, 0xC1, 0x6D, 0x4D, 0x7D, 0x5F, 0x29, 0xEA, 0x74, 0x19, 0xCF, 0x20, 0x12, 0x3B, 0x69 }, + 193 /* Bin Number */ + }, + { + /* QuoVadis_Root_CA_2 */ + { 0x85, 0xA0, 0xDD, 0x7D, 0xD7, 0x20, 0xAD, 0xB7, 0xFF, 0x05, 0xF8, 0x3D, 0x54, 0x2B, 0x20, 0x9D, + 0xC7, 0xFF, 0x45, 0x28, 0xF7, 0xD6, 0x77, 0xB1, 0x83, 0x89, 0xFE, 0xA5, 0xE5, 0xC4, 0x9E, 0x86 }, + 32 /* Bin Number */ + }, + { + /* UTN___DATACorp_SGC */ + { 0x85, 0xFB, 0x2F, 0x91, 0xDD, 0x12, 0x27, 0x5A, 0x01, 0x45, 0xB6, 0x36, 0x53, 0x4F, 0x84, 0x02, + 0x4A, 0xD6, 0x8B, 0x69, 0xB8, 0xEE, 0x88, 0x68, 0x4F, 0xF7, 0x11, 0x37, 0x58, 0x05, 0xB3, 0x48 }, + 37 /* Bin Number */ + }, + { + /* emSign_ECC_Root_CA___G3 */ + { 0x86, 0xA1, 0xEC, 0xBA, 0x08, 0x9C, 0x4A, 0x8D, 0x3B, 0xBE, 0x27, 0x34, 0xC6, 0x12, 0xBA, 0x34, + 0x1D, 0x81, 0x3E, 0x04, 0x3C, 0xF9, 0xE8, 0xA8, 0x62, 0xCD, 0x5C, 0x57, 0xA3, 0x6B, 0xBE, 0x6B }, + 207 /* Bin Number */ + }, + { + /* E_Tugra_Global_Root_CA_ECC_v3 */ + { 0x87, 0x3F, 0x46, 0x85, 0xFA, 0x7F, 0x56, 0x36, 0x25, 0x25, 0x2E, 0x6D, 0x36, 0xBC, 0xD7, 0xF1, + 0x6F, 0xC2, 0x49, 0x51, 0xF2, 0x64, 0xE4, 0x7E, 0x1B, 0x95, 0x4F, 0x49, 0x08, 0xCD, 0xCA, 0x13 }, + 248 /* Bin Number */ + }, + { + /* EC_ACC */ + { 0x88, 0x49, 0x7F, 0x01, 0x60, 0x2F, 0x31, 0x54, 0x24, 0x6A, 0xE2, 0x8C, 0x4D, 0x5A, 0xEF, 0x10, + 0xF1, 0xD8, 0x7E, 0xBB, 0x76, 0x62, 0x6F, 0x4A, 0xE0, 0xB7, 0xF9, 0x5B, 0xA7, 0x96, 0x87, 0x99 }, + 119 /* Bin Number */ + }, + { + /* QuoVadis_Root_CA_3_G3 */ + { 0x88, 0xEF, 0x81, 0xDE, 0x20, 0x2E, 0xB0, 0x18, 0x45, 0x2E, 0x43, 0xF8, 0x64, 0x72, 0x5C, 0xEA, + 0x5F, 0xBD, 0x1F, 0xC2, 0xD9, 0xD2, 0x05, 0x73, 0x07, 0x09, 0xC5, 0xD8, 0xB8, 0x69, 0x0F, 0x46 }, + 146 /* Bin Number */ + }, + { + /* NAVER_Global_Root_Certification_Authority */ + { 0x88, 0xF4, 0x38, 0xDC, 0xF8, 0xFF, 0xD1, 0xFA, 0x8F, 0x42, 0x91, 0x15, 0xFF, 0xE5, 0xF8, 0x2A, + 0xE1, 0xE0, 0x6E, 0x0C, 0x70, 0xC3, 0x75, 0xFA, 0xAD, 0x71, 0x7B, 0x34, 0xA4, 0x9E, 0x72, 0x65 }, + 219 /* Bin Number */ + }, + { + /* vTrus_Root_CA */ + { 0x8A, 0x71, 0xDE, 0x65, 0x59, 0x33, 0x6F, 0x42, 0x6C, 0x26, 0xE5, 0x38, 0x80, 0xD0, 0x0D, 0x88, + 0xA1, 0x8D, 0xA4, 0xC6, 0xA9, 0x1F, 0x0D, 0xCB, 0x61, 0x94, 0xE2, 0x06, 0xC5, 0xC9, 0x63, 0x87 }, + 232 /* Bin Number */ + }, + { + /* QuoVadis_Root_CA_1_G3 */ + { 0x8A, 0x86, 0x6F, 0xD1, 0xB2, 0x76, 0xB5, 0x7E, 0x57, 0x8E, 0x92, 0x1C, 0x65, 0x82, 0x8A, 0x2B, + 0xED, 0x58, 0xE9, 0xF2, 0xF2, 0x88, 0x05, 0x41, 0x34, 0xB7, 0xF1, 0xF4, 0xBF, 0xC9, 0xCC, 0x74 }, + 144 /* Bin Number */ + }, + { + /* CA_WoSign_ECC_Root */ + { 0x8B, 0x45, 0xDA, 0x1C, 0x06, 0xF7, 0x91, 0xEB, 0x0C, 0xAB, 0xF2, 0x6B, 0xE5, 0x88, 0xF5, 0xFB, + 0x23, 0x16, 0x5C, 0x2E, 0x61, 0x4B, 0xF8, 0x85, 0x56, 0x2D, 0x0D, 0xCE, 0x50, 0xB2, 0x9B, 0x02 }, + 171 /* Bin Number */ + }, + { + /* Root_CA_Generalitat_Valenciana */ + { 0x8C, 0x4E, 0xDF, 0xD0, 0x43, 0x48, 0xF3, 0x22, 0x96, 0x9E, 0x7E, 0x29, 0xA4, 0xCD, 0x4D, 0xCA, + 0x00, 0x46, 0x55, 0x06, 0x1C, 0x16, 0xE1, 0xB0, 0x76, 0x42, 0x2E, 0xF3, 0x42, 0xAD, 0x63, 0x0E }, + 115 /* Bin Number */ + }, + { + /* AddTrust_Class_1_CA_Root */ + { 0x8C, 0x72, 0x09, 0x27, 0x9A, 0xC0, 0x4E, 0x27, 0x5E, 0x16, 0xD0, 0x7F, 0xD3, 0xB7, 0x75, 0xE8, + 0x01, 0x54, 0xB5, 0x96, 0x80, 0x46, 0xE3, 0x1F, 0x52, 0xDD, 0x25, 0x76, 0x63, 0x24, 0xE9, 0xA7 }, + 14 /* Bin Number */ + }, + { + /* GTS_Root_R2 */ + { 0x8D, 0x25, 0xCD, 0x97, 0x22, 0x9D, 0xBF, 0x70, 0x35, 0x6B, 0xDA, 0x4E, 0xB3, 0xCC, 0x73, 0x40, + 0x31, 0xE2, 0x4C, 0xF0, 0x0F, 0xAF, 0xCF, 0xD3, 0x2D, 0xC7, 0x6E, 0xB5, 0x84, 0x1C, 0x7E, 0xA8 }, + 237 /* Bin Number */ + }, + { + /* thawte_Primary_Root_CA */ + { 0x8D, 0x72, 0x2F, 0x81, 0xA9, 0xC1, 0x13, 0xC0, 0x79, 0x1D, 0xF1, 0x36, 0xA2, 0x96, 0x6D, 0xB2, + 0x6C, 0x95, 0x0A, 0x97, 0x1D, 0xB4, 0x6B, 0x41, 0x99, 0xF4, 0xEA, 0x54, 0xB7, 0x8B, 0xFB, 0x9F }, + 59 /* Bin Number */ + }, + { + /* TC_TrustCenter_Class_3_CA_II */ + { 0x8D, 0xA0, 0x84, 0xFC, 0xF9, 0x9C, 0xE0, 0x77, 0x22, 0xF8, 0x9B, 0x32, 0x05, 0x93, 0x98, 0x06, + 0xFA, 0x5C, 0xB8, 0x11, 0xE1, 0xC8, 0x13, 0xF6, 0xA1, 0x08, 0xC7, 0xD3, 0x36, 0xB3, 0x40, 0x8E }, + 73 /* Bin Number */ + }, + { + /* T_RKTRUST_Elektronik_Sertifika_Hizmet_Sa_lay_c_s__H6 */ + { 0x8D, 0xE7, 0x86, 0x55, 0xE1, 0xBE, 0x7F, 0x78, 0x47, 0x80, 0x0B, 0x93, 0xF6, 0x94, 0xD2, 0x1D, + 0x36, 0x8C, 0xC0, 0x6E, 0x03, 0x3E, 0x7F, 0xAB, 0x04, 0xBB, 0x5E, 0xB9, 0x9D, 0xA6, 0xB7, 0x00 }, + 167 /* Bin Number */ + }, + { + /* Amazon_Root_CA_1 */ + { 0x8E, 0xCD, 0xE6, 0x88, 0x4F, 0x3D, 0x87, 0xB1, 0x12, 0x5B, 0xA3, 0x1A, 0xC3, 0xFC, 0xB1, 0x3D, + 0x70, 0x16, 0xDE, 0x7F, 0x57, 0xCC, 0x90, 0x4F, 0xE1, 0xCB, 0x97, 0xC6, 0xAE, 0x98, 0x19, 0x6E }, + 183 /* Bin Number */ + }, + { + /* SSL_com_TLS_RSA_Root_CA_2022 */ + { 0x8F, 0xAF, 0x7D, 0x2E, 0x2C, 0xB4, 0x70, 0x9B, 0xB8, 0xE0, 0xB3, 0x36, 0x66, 0xBF, 0x75, 0xA5, + 0xDD, 0x45, 0xB5, 0xDE, 0x48, 0x0F, 0x8E, 0xA8, 0xD4, 0xBF, 0xE6, 0xBE, 0xBC, 0x17, 0xF2, 0xED }, + 255 /* Bin Number */ + }, + { + /* QuoVadis_Root_CA_2_G3 */ + { 0x8F, 0xE4, 0xFB, 0x0A, 0xF9, 0x3A, 0x4D, 0x0D, 0x67, 0xDB, 0x0B, 0xEB, 0xB2, 0x3E, 0x37, 0xC7, + 0x1B, 0xF3, 0x25, 0xDC, 0xBC, 0xDD, 0x24, 0x0E, 0xA0, 0x4D, 0xAF, 0x58, 0xB4, 0x7E, 0x18, 0x40 }, + 145 /* Bin Number */ + }, + { + /* T_TeleSec_GlobalRoot_Class_2 */ + { 0x91, 0xE2, 0xF5, 0x78, 0x8D, 0x58, 0x10, 0xEB, 0xA7, 0xBA, 0x58, 0x73, 0x7D, 0xE1, 0x54, 0x8A, + 0x8E, 0xCA, 0xCD, 0x01, 0x45, 0x98, 0xBC, 0x0B, 0x14, 0x3E, 0x04, 0x1B, 0x17, 0x05, 0x25, 0x52 }, + 142 /* Bin Number */ + }, + { + /* CA_Disig */ + { 0x92, 0xBF, 0x51, 0x19, 0xAB, 0xEC, 0xCA, 0xD0, 0xB1, 0x33, 0x2D, 0xC4, 0xE1, 0xD0, 0x5F, 0xBA, + 0x75, 0xB5, 0x67, 0x90, 0x44, 0xEE, 0x0C, 0xA2, 0x6E, 0x93, 0x1F, 0x74, 0x4F, 0x2F, 0x33, 0xCF }, + 94 /* Bin Number */ + }, + { + /* Trustwave_Global_ECC_P256_Certification_Authority */ + { 0x94, 0x5B, 0xBC, 0x82, 0x5E, 0xA5, 0x54, 0xF4, 0x89, 0xD1, 0xFD, 0x51, 0xA7, 0x3D, 0xDF, 0x2E, + 0xA6, 0x24, 0xAC, 0x70, 0x19, 0xA0, 0x52, 0x05, 0x22, 0x5C, 0x22, 0xA7, 0x8C, 0xCF, 0xA8, 0xB4 }, + 217 /* Bin Number */ + }, + { + /* Cybertrust_Global_Root */ + { 0x96, 0x0A, 0xDF, 0x00, 0x63, 0xE9, 0x63, 0x56, 0x75, 0x0C, 0x29, 0x65, 0xDD, 0x0A, 0x08, 0x67, + 0xDA, 0x0B, 0x9C, 0xBD, 0x6E, 0x77, 0x71, 0x4A, 0xEA, 0xFB, 0x23, 0x49, 0xAB, 0x39, 0x3D, 0xA3 }, + 77 /* Bin Number */ + }, + { + /* ISRG_Root_X1 */ + { 0x96, 0xBC, 0xEC, 0x06, 0x26, 0x49, 0x76, 0xF3, 0x74, 0x60, 0x77, 0x9A, 0xCF, 0x28, 0xC5, 0xA7, + 0xCF, 0xE8, 0xA3, 0xC0, 0xAA, 0xE1, 0x1A, 0x8F, 0xFC, 0xEE, 0x05, 0xC0, 0xBD, 0xDF, 0x08, 0xC6 }, + 181 /* Bin Number */ + }, + { + /* Trustwave_Global_Certification_Authority */ + { 0x97, 0x55, 0x20, 0x15, 0xF5, 0xDD, 0xFC, 0x3C, 0x87, 0x88, 0xC0, 0x06, 0x94, 0x45, 0x55, 0x40, + 0x88, 0x94, 0x45, 0x00, 0x84, 0xF1, 0x00, 0x86, 0x70, 0x86, 0xBC, 0x1A, 0x2B, 0xB5, 0x8D, 0xC8 }, + 216 /* Bin Number */ + }, + { + /* T_RKTRUST_Elektronik_Sertifika_Hizmet_Sa_lay_c_s_ */ + { 0x97, 0x8C, 0xD9, 0x66, 0xF2, 0xFA, 0xA0, 0x7B, 0xA7, 0xAA, 0x95, 0x00, 0xD9, 0xC0, 0x2E, 0x9D, + 0x77, 0xF2, 0xCD, 0xAD, 0xA6, 0xAD, 0x6B, 0xA7, 0x4A, 0xF4, 0xB9, 0x1C, 0x66, 0x59, 0x3C, 0x50 }, + 129 /* Bin Number */ + }, + { + /* Buypass_Class_2_Root_CA */ + { 0x9A, 0x11, 0x40, 0x25, 0x19, 0x7C, 0x5B, 0xB9, 0x5D, 0x94, 0xE6, 0x3D, 0x55, 0xCD, 0x43, 0x79, + 0x08, 0x47, 0xB6, 0x46, 0xB2, 0x3C, 0xDF, 0x11, 0xAD, 0xA4, 0xA0, 0x0E, 0xFF, 0x15, 0xFB, 0x48 }, + 125 /* Bin Number */ + }, + { + /* GLOBALTRUST_2020 */ + { 0x9A, 0x29, 0x6A, 0x51, 0x82, 0xD1, 0xD4, 0x51, 0xA2, 0xE3, 0x7F, 0x43, 0x9B, 0x74, 0xDA, 0xAF, + 0xA2, 0x67, 0x52, 0x33, 0x29, 0xF9, 0x0F, 0x9A, 0x0D, 0x20, 0x07, 0xC3, 0x34, 0xE2, 0x3C, 0x9A }, + 223 /* Bin Number */ + }, + { + /* ACCVRAIZ1 */ + { 0x9A, 0x6E, 0xC0, 0x12, 0xE1, 0xA7, 0xDA, 0x9D, 0xBE, 0x34, 0x19, 0x4D, 0x47, 0x8A, 0xD7, 0xC0, + 0xDB, 0x18, 0x22, 0xFB, 0x07, 0x1D, 0xF1, 0x29, 0x81, 0x49, 0x6E, 0xD1, 0x04, 0x38, 0x41, 0x13 }, + 138 /* Bin Number */ + }, + { + /* VeriSign_Class_3_Public_Primary_Certification_Authority___G5 */ + { 0x9A, 0xCF, 0xAB, 0x7E, 0x43, 0xC8, 0xD8, 0x80, 0xD0, 0x6B, 0x26, 0x2A, 0x94, 0xDE, 0xEE, 0xE4, + 0xB4, 0x65, 0x99, 0x89, 0xC3, 0xD0, 0xCA, 0xF1, 0x9B, 0xAF, 0x64, 0x05, 0xE4, 0x1A, 0xB7, 0xDF }, + 60 /* Bin Number */ + }, + { + /* UCA_Global_G2_Root */ + { 0x9B, 0xEA, 0x11, 0xC9, 0x76, 0xFE, 0x01, 0x47, 0x64, 0xC1, 0xBE, 0x56, 0xA6, 0xF9, 0x14, 0xB5, + 0xA5, 0x60, 0x31, 0x7A, 0xBD, 0x99, 0x88, 0x39, 0x33, 0x82, 0xE5, 0x16, 0x1A, 0xA0, 0x49, 0x3C }, + 203 /* Bin Number */ + }, + { + /* GeoTrust_Universal_CA_2 */ + { 0xA0, 0x23, 0x4F, 0x3B, 0xC8, 0x52, 0x7C, 0xA5, 0x62, 0x8E, 0xEC, 0x81, 0xAD, 0x5D, 0x69, 0x89, + 0x5D, 0xA5, 0x68, 0x0D, 0xC9, 0x1D, 0x1C, 0xB8, 0x47, 0x7F, 0x33, 0xF8, 0x78, 0xB9, 0x5B, 0x0B }, + 23 /* Bin Number */ + }, + { + /* Hellenic_Academic_and_Research_Institutions_RootCA_2015 */ + { 0xA0, 0x40, 0x92, 0x9A, 0x02, 0xCE, 0x53, 0xB4, 0xAC, 0xF4, 0xF2, 0xFF, 0xC6, 0x98, 0x1C, 0xE4, + 0x49, 0x6F, 0x75, 0x5E, 0x6D, 0x45, 0xFE, 0x0B, 0x2A, 0x69, 0x2B, 0xCD, 0x52, 0x52, 0x3F, 0x36 }, + 174 /* Bin Number */ + }, + { + /* GeoTrust_Universal_CA */ + { 0xA0, 0x45, 0x9B, 0x9F, 0x63, 0xB2, 0x25, 0x59, 0xF5, 0xFA, 0x5D, 0x4C, 0x6D, 0xB3, 0xF9, 0xF7, + 0x2F, 0xF1, 0x93, 0x42, 0x03, 0x35, 0x78, 0xF0, 0x73, 0xBF, 0x1D, 0x1B, 0x46, 0xCB, 0xB9, 0x12 }, + 22 /* Bin Number */ + }, + { + /* SZAFIR_ROOT_CA2 */ + { 0xA1, 0x33, 0x9D, 0x33, 0x28, 0x1A, 0x0B, 0x56, 0xE5, 0x57, 0xD3, 0xD3, 0x2B, 0x1C, 0xE7, 0xF9, + 0x36, 0x7E, 0xB0, 0x94, 0xBD, 0x5F, 0xA7, 0x2A, 0x7E, 0x50, 0x04, 0xC8, 0xDE, 0xD7, 0xCA, 0xFE }, + 172 /* Bin Number */ + }, + { + /* OU_Security_Communication_EV_RootCA1_O__SECOM_Trust_Systems_CO__LTD___C_JP */ + { 0xA2, 0x2D, 0xBA, 0x68, 0x1E, 0x97, 0x37, 0x6E, 0x2D, 0x39, 0x7D, 0x72, 0x8A, 0xAE, 0x3A, 0x9B, + 0x62, 0x96, 0xB9, 0xFD, 0xBA, 0x60, 0xBC, 0x2E, 0x11, 0xF6, 0x47, 0xF2, 0xC6, 0x75, 0xFB, 0x37 }, + 68 /* Bin Number */ + }, + { + /* thawte_Primary_Root_CA___G2 */ + { 0xA4, 0x31, 0x0D, 0x50, 0xAF, 0x18, 0xA6, 0x44, 0x71, 0x90, 0x37, 0x2A, 0x86, 0xAF, 0xAF, 0x8B, + 0x95, 0x1F, 0xFB, 0x43, 0x1D, 0x83, 0x7F, 0x1E, 0x56, 0x88, 0xB4, 0x59, 0x71, 0xED, 0x15, 0x57 }, + 87 /* Bin Number */ + }, + { + /* QuoVadis_Root_Certification_Authority */ + { 0xA4, 0x5E, 0xDE, 0x3B, 0xBB, 0xF0, 0x9C, 0x8A, 0xE1, 0x5C, 0x72, 0xEF, 0xC0, 0x72, 0x68, 0xD6, + 0x93, 0xA2, 0x1C, 0x99, 0x6F, 0xD5, 0x1E, 0x67, 0xCA, 0x07, 0x94, 0x60, 0xFD, 0x6D, 0x88, 0x73 }, + 31 /* Bin Number */ + }, + { + /* WellsSecure_Public_Root_Certificate_Authority */ + { 0xA7, 0x12, 0x72, 0xAE, 0xAA, 0xA3, 0xCF, 0xE8, 0x72, 0x7F, 0x7F, 0xB3, 0x9F, 0x0F, 0xB3, 0xD1, + 0xE5, 0x42, 0x6E, 0x90, 0x60, 0xB0, 0x6E, 0xE6, 0xF1, 0x3E, 0x9A, 0x3C, 0x58, 0x33, 0xCD, 0x43 }, + 65 /* Bin Number */ + }, + { + /* OU_RSA_Security_2048_V3_O_RSA_Security_Inc */ + { 0xAF, 0x8B, 0x67, 0x62, 0xA1, 0xE5, 0x28, 0x22, 0x81, 0x61, 0xA9, 0x5D, 0x5C, 0x55, 0x9E, 0xE2, + 0x66, 0x27, 0x8F, 0x75, 0xD7, 0x9E, 0x83, 0x01, 0x89, 0xA5, 0x03, 0x50, 0x6A, 0xBD, 0x6B, 0x4C }, + 19 /* Bin Number */ + }, + { + /* GlobalSign */ + { 0xB0, 0x85, 0xD7, 0x0B, 0x96, 0x4F, 0x19, 0x1A, 0x73, 0xE4, 0xAF, 0x0D, 0x54, 0xAE, 0x7A, 0x0E, + 0x07, 0xAA, 0xFD, 0xAF, 0x9B, 0x71, 0xDD, 0x08, 0x62, 0x13, 0x8A, 0xB7, 0x32, 0x5A, 0x24, 0xA2 }, + 235 /* Bin Number */ + }, + { + /* E_Tugra_Certification_Authority */ + { 0xB0, 0xBF, 0xD5, 0x2B, 0xB0, 0xD7, 0xD9, 0xBD, 0x92, 0xBF, 0x5D, 0x4D, 0xC1, 0x3D, 0xA2, 0x55, + 0xC0, 0x2C, 0x54, 0x2F, 0x37, 0x83, 0x65, 0xEA, 0x89, 0x39, 0x11, 0xF5, 0x5E, 0x55, 0xF2, 0x3C }, + 141 /* Bin Number */ + }, + { + /* Atos_TrustedRoot_Root_CA_ECC_TLS_2021 */ + { 0xB2, 0xFA, 0xE5, 0x3E, 0x14, 0xCC, 0xD7, 0xAB, 0x92, 0x12, 0x06, 0x47, 0x01, 0xAE, 0x27, 0x9C, + 0x1D, 0x89, 0x88, 0xFA, 0xCB, 0x77, 0x5F, 0xA8, 0xA0, 0x08, 0x91, 0x4E, 0x66, 0x39, 0x88, 0xA8 }, + 258 /* Bin Number */ + }, + { + /* Certainly_Root_E1 */ + { 0xB4, 0x58, 0x5F, 0x22, 0xE4, 0xAC, 0x75, 0x6A, 0x4E, 0x86, 0x12, 0xA1, 0x36, 0x1C, 0x5D, 0x9D, + 0x03, 0x1A, 0x93, 0xFD, 0x84, 0xFE, 0xBB, 0x77, 0x8F, 0xA3, 0x06, 0x8B, 0x0F, 0xC4, 0x2D, 0xC2 }, + 246 /* Bin Number */ + }, + { + /* GeoTrust_Primary_Certification_Authority___G3 */ + { 0xB4, 0x78, 0xB8, 0x12, 0x25, 0x0D, 0xF8, 0x78, 0x63, 0x5C, 0x2A, 0xA7, 0xEC, 0x7D, 0x15, 0x5E, + 0xAA, 0x62, 0x5E, 0xE8, 0x29, 0x16, 0xE2, 0xCD, 0x29, 0x43, 0x61, 0x88, 0x6C, 0xD1, 0xFB, 0xD4 }, + 86 /* Bin Number */ + }, + { + /* Deutsche_Telekom_Root_CA_2 */ + { 0xB6, 0x19, 0x1A, 0x50, 0xD0, 0xC3, 0x97, 0x7F, 0x7D, 0xA9, 0x9B, 0xCD, 0xAA, 0xC8, 0x6A, 0x22, + 0x7D, 0xAE, 0xB9, 0x67, 0x9E, 0xC7, 0x0B, 0xA3, 0xB0, 0xC9, 0xD9, 0x22, 0x71, 0xC1, 0x70, 0xD3 }, + 75 /* Bin Number */ + }, + { + /* Certum_Trusted_Network_CA_2 */ + { 0xB6, 0x76, 0xF2, 0xED, 0xDA, 0xE8, 0x77, 0x5C, 0xD3, 0x6C, 0xB0, 0xF6, 0x3C, 0xD1, 0xD4, 0x60, + 0x39, 0x61, 0xF4, 0x9E, 0x62, 0x65, 0xBA, 0x01, 0x3A, 0x2F, 0x03, 0x07, 0xB6, 0xD0, 0xB8, 0x04 }, + 173 /* Bin Number */ + }, + { + /* Buypass_Class_3_CA_1 */ + { 0xB7, 0xB1, 0x2B, 0x17, 0x1F, 0x82, 0x1D, 0xAA, 0x99, 0x0C, 0xD0, 0xFE, 0x50, 0x87, 0xB1, 0x28, + 0x44, 0x8B, 0xA8, 0xE5, 0x18, 0x4F, 0x84, 0xC5, 0x1E, 0x02, 0xB5, 0xC8, 0xFB, 0x96, 0x2B, 0x24 }, + 81 /* Bin Number */ + }, + { + /* OpenTrust_Root_CA_G3 */ + { 0xB7, 0xC3, 0x62, 0x31, 0x70, 0x6E, 0x81, 0x07, 0x8C, 0x36, 0x7C, 0xB8, 0x96, 0x19, 0x8F, 0x1E, + 0x32, 0x08, 0xDD, 0x92, 0x69, 0x49, 0xDD, 0x8F, 0x57, 0x09, 0xA4, 0x10, 0xF7, 0x5B, 0x62, 0x92 }, + 180 /* Bin Number */ + }, + { + /* IGC_A */ + { 0xB9, 0xBE, 0xA7, 0x86, 0x0A, 0x96, 0x2E, 0xA3, 0x61, 0x1D, 0xAB, 0x97, 0xAB, 0x6D, 0xA3, 0xE2, + 0x1C, 0x10, 0x68, 0xB9, 0x7D, 0x55, 0x57, 0x5E, 0xD0, 0xE1, 0x12, 0x79, 0xC1, 0x1C, 0x89, 0x32 }, + 67 /* Bin Number */ + }, + { + /* Hellenic_Academic_and_Research_Institutions_RootCA_2011 */ + { 0xBC, 0x10, 0x4F, 0x15, 0xA4, 0x8B, 0xE7, 0x09, 0xDC, 0xA5, 0x42, 0xA7, 0xE1, 0xD4, 0xB9, 0xDF, + 0x6F, 0x05, 0x45, 0x27, 0xE8, 0x02, 0xEA, 0xA9, 0x2D, 0x59, 0x54, 0x44, 0x25, 0x8A, 0xFE, 0x71 }, + 120 /* Bin Number */ + }, + { + /* emSign_ECC_Root_CA___C3 */ + { 0xBC, 0x4D, 0x80, 0x9B, 0x15, 0x18, 0x9D, 0x78, 0xDB, 0x3E, 0x1D, 0x8C, 0xF4, 0xF9, 0x72, 0x6A, + 0x79, 0x5D, 0xA1, 0x64, 0x3C, 0xA5, 0xF1, 0x35, 0x8E, 0x1D, 0xDB, 0x0E, 0xDC, 0x0D, 0x7E, 0xB3 }, + 209 /* Bin Number */ + }, + { + /* AffirmTrust_Premium_ECC */ + { 0xBD, 0x71, 0xFD, 0xF6, 0xDA, 0x97, 0xE4, 0xCF, 0x62, 0xD1, 0x64, 0x7A, 0xDD, 0x25, 0x81, 0xB0, + 0x7D, 0x79, 0xAD, 0xF8, 0x39, 0x7E, 0xB4, 0xEC, 0xBA, 0x9C, 0x5E, 0x84, 0x88, 0x82, 0x14, 0x23 }, + 112 /* Bin Number */ + }, + { + /* Secure_Certificate_Services */ + { 0xBD, 0x81, 0xCE, 0x3B, 0x4F, 0x65, 0x91, 0xD1, 0x1A, 0x67, 0xB5, 0xFC, 0x7A, 0x47, 0xFD, 0xEF, + 0x25, 0x52, 0x1B, 0xF9, 0xAA, 0x4E, 0x18, 0xB9, 0xE3, 0xDF, 0x2E, 0x34, 0xA7, 0x80, 0x3B, 0xE8 }, + 29 /* Bin Number */ + }, + { + /* TrustAsia_Global_Root_CA_G4 */ + { 0xBE, 0x4B, 0x56, 0xCB, 0x50, 0x56, 0xC0, 0x13, 0x6A, 0x52, 0x6D, 0xF4, 0x44, 0x50, 0x8D, 0xAA, + 0x36, 0xA0, 0xB5, 0x4F, 0x42, 0xE4, 0xAC, 0x38, 0xF7, 0x2A, 0xF4, 0x70, 0xE4, 0x79, 0x65, 0x4C }, + 259 /* Bin Number */ + }, + { + /* SwissSign_Silver_CA___G2 */ + { 0xBE, 0x6C, 0x4D, 0xA2, 0xBB, 0xB9, 0xBA, 0x59, 0xB6, 0xF3, 0x93, 0x97, 0x68, 0x37, 0x42, 0x46, + 0xC3, 0xC0, 0x05, 0x99, 0x3F, 0xA9, 0x8F, 0x02, 0x0D, 0x1D, 0xED, 0xBE, 0xD4, 0x8A, 0x81, 0xD5 }, + 57 /* Bin Number */ + }, + { + /* e_Szigno_Root_CA_2017 */ + { 0xBE, 0xB0, 0x0B, 0x30, 0x83, 0x9B, 0x9B, 0xC3, 0x2C, 0x32, 0xE4, 0x44, 0x79, 0x05, 0x95, 0x06, + 0x41, 0xF2, 0x64, 0x21, 0xB1, 0x5E, 0xD0, 0x89, 0x19, 0x8B, 0x51, 0x8A, 0xE2, 0xEA, 0x1B, 0x99 }, + 214 /* Bin Number */ + }, + { + /* GlobalSign */ + { 0xBE, 0xC9, 0x49, 0x11, 0xC2, 0x95, 0x56, 0x76, 0xDB, 0x6C, 0x0A, 0x55, 0x09, 0x86, 0xD7, 0x6E, + 0x3B, 0xA0, 0x05, 0x66, 0x7C, 0x44, 0x2C, 0x97, 0x62, 0xB4, 0xFB, 0xB7, 0x73, 0xDE, 0x22, 0x8C }, + 157 /* Bin Number */ + }, + { + /* SecureSign_RootCA11 */ + { 0xBF, 0x0F, 0xEE, 0xFB, 0x9E, 0x3A, 0x58, 0x1A, 0xD5, 0xF9, 0xE9, 0xDB, 0x75, 0x89, 0x98, 0x57, + 0x43, 0xD2, 0x61, 0x08, 0x5C, 0x4D, 0x31, 0x4F, 0x6F, 0x5D, 0x72, 0x59, 0xAA, 0x42, 0x16, 0x12 }, + 97 /* Bin Number */ + }, + { + /* TWCA_Root_Certification_Authority */ + { 0xBF, 0xD8, 0x8F, 0xE1, 0x10, 0x1C, 0x41, 0xAE, 0x3E, 0x80, 0x1B, 0xF8, 0xBE, 0x56, 0x35, 0x0E, + 0xE9, 0xBA, 0xD1, 0xA6, 0xB9, 0xBD, 0x51, 0x5E, 0xDC, 0x5C, 0x6D, 0x5B, 0x87, 0x11, 0xAC, 0x44 }, + 117 /* Bin Number */ + }, + { + /* GDCA_TrustAUTH_R5_ROOT */ + { 0xBF, 0xFF, 0x8F, 0xD0, 0x44, 0x33, 0x48, 0x7D, 0x6A, 0x8A, 0xA6, 0x0C, 0x1A, 0x29, 0x76, 0x7A, + 0x9F, 0xC2, 0xBB, 0xB0, 0x5E, 0x42, 0x0F, 0x71, 0x3A, 0x13, 0xB9, 0x92, 0x89, 0x1D, 0x38, 0x93 }, + 189 /* Bin Number */ + }, + { + /* OU_ePKI_Root_Certification_Authority_O__Chunghwa_Telecom_Co___Ltd___C_TW */ + { 0xC0, 0xA6, 0xF4, 0xDC, 0x63, 0xA2, 0x4B, 0xFD, 0xCF, 0x54, 0xEF, 0x2A, 0x6A, 0x08, 0x2A, 0x0A, + 0x72, 0xDE, 0x35, 0x80, 0x3E, 0x2F, 0xF5, 0xFF, 0x52, 0x7A, 0xE5, 0xD8, 0x72, 0x06, 0xDF, 0xD5 }, + 78 /* Bin Number */ + }, + { + /* OU_Trustis_FPS_Root_CA_O_Trustis_Limited_C_GB */ + { 0xC1, 0xB4, 0x82, 0x99, 0xAB, 0xA5, 0x20, 0x8F, 0xE9, 0x63, 0x0A, 0xCE, 0x55, 0xCA, 0x68, 0xA0, + 0x3E, 0xDA, 0x5A, 0x51, 0x9C, 0x88, 0x02, 0xA0, 0xD3, 0xA6, 0x73, 0xBE, 0x8F, 0x8E, 0x55, 0x7D }, + 122 /* Bin Number */ + }, + { + /* SSL_com_TLS_ECC_Root_CA_2022 */ + { 0xC3, 0x2F, 0xFD, 0x9F, 0x46, 0xF9, 0x36, 0xD1, 0x6C, 0x36, 0x73, 0x99, 0x09, 0x59, 0x43, 0x4B, + 0x9A, 0xD6, 0x0A, 0xAF, 0xBB, 0x9E, 0x7C, 0xF3, 0x36, 0x54, 0xF1, 0x44, 0xCC, 0x1B, 0xA1, 0x43 }, + 256 /* Bin Number */ + }, + { + /* OU_Go_Daddy_Class_2_Certification_Authority_O__The_Go_Daddy_Group__Inc___C_US */ + { 0xC3, 0x84, 0x6B, 0xF2, 0x4B, 0x9E, 0x93, 0xCA, 0x64, 0x27, 0x4C, 0x0E, 0xC6, 0x7C, 0x1E, 0xCC, + 0x5E, 0x02, 0x4F, 0xFC, 0xAC, 0xD2, 0xD7, 0x40, 0x19, 0x35, 0x0E, 0x81, 0xFE, 0x54, 0x6A, 0xE4 }, + 43 /* Bin Number */ + }, + { + /* GTS_Root_R2 */ + { 0xC4, 0x5D, 0x7B, 0xB0, 0x8E, 0x6D, 0x67, 0xE6, 0x2E, 0x42, 0x35, 0x11, 0x0B, 0x56, 0x4E, 0x5F, + 0x78, 0xFD, 0x92, 0xEF, 0x05, 0x8C, 0x84, 0x0A, 0xEA, 0x4E, 0x64, 0x55, 0xD7, 0x58, 0x5C, 0x60 }, + 200 /* Bin Number */ + }, + { + /* T_RKTRUST_Elektronik_Sertifika_Hizmet_Sa_lay_c_s_ */ + { 0xC4, 0x70, 0xCF, 0x54, 0x7E, 0x23, 0x02, 0xB9, 0x77, 0xFB, 0x29, 0xDD, 0x71, 0xA8, 0x9A, 0x7B, + 0x6C, 0x1F, 0x60, 0x77, 0x7B, 0x03, 0x29, 0xF5, 0x60, 0x17, 0xF3, 0x28, 0xBF, 0x4F, 0x6B, 0xE6 }, + 55 /* Bin Number */ + }, + { + /* Microsoft_RSA_Root_Certificate_Authority_2017 */ + { 0xC7, 0x41, 0xF7, 0x0F, 0x4B, 0x2A, 0x8D, 0x88, 0xBF, 0x2E, 0x71, 0xC1, 0x41, 0x22, 0xEF, 0x53, + 0xEF, 0x10, 0xEB, 0xA0, 0xCF, 0xA5, 0xE6, 0x4C, 0xFA, 0x20, 0xF4, 0x18, 0x85, 0x30, 0x73, 0xE0 }, + 213 /* Bin Number */ + }, + { + /* StartCom_Certification_Authority */ + { 0xC7, 0x66, 0xA9, 0xBE, 0xF2, 0xD4, 0x07, 0x1C, 0x86, 0x3A, 0x31, 0xAA, 0x49, 0x20, 0xE8, 0x13, + 0xB2, 0xD1, 0x98, 0x60, 0x8C, 0xB7, 0xB7, 0xCF, 0xE2, 0x11, 0x43, 0xB8, 0x36, 0xDF, 0x09, 0xEA }, + 45 /* Bin Number */ + }, + { + /* StartCom_Certification_Authority_G2 */ + { 0xC7, 0xBA, 0x65, 0x67, 0xDE, 0x93, 0xA7, 0x98, 0xAE, 0x1F, 0xAA, 0x79, 0x1E, 0x71, 0x2D, 0x37, + 0x8F, 0xAE, 0x1F, 0x93, 0xC4, 0x39, 0x7F, 0xEA, 0x44, 0x1B, 0xB7, 0xCB, 0xE6, 0xFD, 0x59, 0x95 }, + 124 /* Bin Number */ + }, + { + /* Sectigo_Public_Server_Authentication_Root_E46 */ + { 0xC9, 0x0F, 0x26, 0xF0, 0xFB, 0x1B, 0x40, 0x18, 0xB2, 0x22, 0x27, 0x51, 0x9B, 0x5C, 0xA2, 0xB5, + 0x3E, 0x2C, 0xA5, 0xB3, 0xBE, 0x5C, 0xF1, 0x8E, 0xFE, 0x1B, 0xEF, 0x47, 0x38, 0x0C, 0x53, 0x83 }, + 254 /* Bin Number */ + }, + { + /* GeoTrust_Global_CA_2 */ + { 0xCA, 0x2D, 0x82, 0xA0, 0x86, 0x77, 0x07, 0x2F, 0x8A, 0xB6, 0x76, 0x4F, 0xF0, 0x35, 0x67, 0x6C, + 0xFE, 0x3E, 0x5E, 0x32, 0x5E, 0x01, 0x21, 0x72, 0xDF, 0x3F, 0x92, 0x09, 0x6D, 0xB7, 0x9B, 0x85 }, + 21 /* Bin Number */ + }, + { + /* GlobalSign */ + { 0xCA, 0x42, 0xDD, 0x41, 0x74, 0x5F, 0xD0, 0xB8, 0x1E, 0xB9, 0x02, 0x36, 0x2C, 0xF9, 0xD8, 0xBF, + 0x71, 0x9D, 0xA1, 0xBD, 0x1B, 0x1E, 0xFC, 0x94, 0x6F, 0x5B, 0x4C, 0x99, 0xF4, 0x2C, 0x1B, 0x9E }, + 7 /* Bin Number */ + }, + { + /* DigiCert_Global_Root_G2 */ + { 0xCB, 0x3C, 0xCB, 0xB7, 0x60, 0x31, 0xE5, 0xE0, 0x13, 0x8F, 0x8D, 0xD3, 0x9A, 0x23, 0xF9, 0xDE, + 0x47, 0xFF, 0xC3, 0x5E, 0x43, 0xC1, 0x14, 0x4C, 0xEA, 0x27, 0xD4, 0x6A, 0x5A, 0xB1, 0xCB, 0x5F }, + 149 /* Bin Number */ + }, + { + /* GlobalSign */ + { 0xCB, 0xB5, 0x22, 0xD7, 0xB7, 0xF1, 0x27, 0xAD, 0x6A, 0x01, 0x13, 0x86, 0x5B, 0xDF, 0x1C, 0xD4, + 0x10, 0x2E, 0x7D, 0x07, 0x59, 0xAF, 0x63, 0x5A, 0x7C, 0xF4, 0x72, 0x0D, 0xC9, 0x63, 0xC5, 0x3B }, + 101 /* Bin Number */ + }, + { + /* GlobalSign_Root_E46 */ + { 0xCB, 0xB9, 0xC4, 0x4D, 0x84, 0xB8, 0x04, 0x3E, 0x10, 0x50, 0xEA, 0x31, 0xA6, 0x9F, 0x51, 0x49, + 0x55, 0xD7, 0xBF, 0xD2, 0xE2, 0xC6, 0xB4, 0x93, 0x01, 0x01, 0x9A, 0xD6, 0x1D, 0x9F, 0x50, 0x58 }, + 222 /* Bin Number */ + }, + { + /* XRamp_Global_Certification_Authority */ + { 0xCE, 0xCD, 0xDC, 0x90, 0x50, 0x99, 0xD8, 0xDA, 0xDF, 0xC5, 0xB1, 0xD2, 0x09, 0xB7, 0x37, 0xCB, + 0xE2, 0xC1, 0x8C, 0xFB, 0x2C, 0x10, 0xC0, 0xFF, 0x0B, 0xCF, 0x0D, 0x32, 0x86, 0xFC, 0x1A, 0xA2 }, + 42 /* Bin Number */ + }, + { + /* Equifax_Secure_eBusiness_CA_1 */ + { 0xCF, 0x56, 0xFF, 0x46, 0xA4, 0xA1, 0x86, 0x10, 0x9D, 0xD9, 0x65, 0x84, 0xB5, 0xEE, 0xB5, 0x8A, + 0x51, 0x0C, 0x42, 0x75, 0xB0, 0xE5, 0xF9, 0x4F, 0x40, 0xBB, 0xAE, 0x86, 0x5E, 0x19, 0xF6, 0x73 }, + 13 /* Bin Number */ + }, + { + /* TrustCor_RootCert_CA_1 */ + { 0xD4, 0x0E, 0x9C, 0x86, 0xCD, 0x8F, 0xE4, 0x68, 0xC1, 0x77, 0x69, 0x59, 0xF4, 0x9E, 0xA7, 0x74, + 0xFA, 0x54, 0x86, 0x84, 0xB6, 0xC4, 0x06, 0xF3, 0x90, 0x92, 0x61, 0xF4, 0xDC, 0xE2, 0x57, 0x5C }, + 190 /* Bin Number */ + }, + { + /* Staat_der_Nederlanden_Root_CA */ + { 0xD4, 0x1D, 0x82, 0x9E, 0x8C, 0x16, 0x59, 0x82, 0x2A, 0xF9, 0x3F, 0xCE, 0x62, 0xBF, 0xFC, 0xDE, + 0x26, 0x4F, 0xC8, 0x4E, 0x8B, 0x95, 0x0C, 0x5F, 0xF2, 0x75, 0xD0, 0x52, 0x35, 0x46, 0x95, 0xA3 }, + 36 /* Bin Number */ + }, + { + /* UCA_Extended_Validation_Root */ + { 0xD4, 0x3A, 0xF9, 0xB3, 0x54, 0x73, 0x75, 0x5C, 0x96, 0x84, 0xFC, 0x06, 0xD7, 0xD8, 0xCB, 0x70, + 0xEE, 0x5C, 0x28, 0xE7, 0x73, 0xFB, 0x29, 0x4E, 0xB4, 0x1E, 0xE7, 0x17, 0x22, 0x92, 0x4D, 0x24 }, + 204 /* Bin Number */ + }, + { + /* Certification_Authority_of_WoSign_G2 */ + { 0xD4, 0x87, 0xA5, 0x6F, 0x83, 0xB0, 0x74, 0x82, 0xE8, 0x5E, 0x96, 0x33, 0x94, 0xC1, 0xEC, 0xC2, + 0xC9, 0xE5, 0x1D, 0x09, 0x03, 0xEE, 0x94, 0x6B, 0x02, 0xC3, 0x01, 0x58, 0x1E, 0xD9, 0x9E, 0x16 }, + 170 /* Bin Number */ + }, + { + /* Certigna_Root_CA */ + { 0xD4, 0x8D, 0x3D, 0x23, 0xEE, 0xDB, 0x50, 0xA4, 0x59, 0xE5, 0x51, 0x97, 0x60, 0x1C, 0x27, 0x77, + 0x4B, 0x9D, 0x7B, 0x18, 0xC9, 0x4D, 0x5A, 0x05, 0x95, 0x11, 0xA1, 0x02, 0x50, 0xB9, 0x31, 0x68 }, + 205 /* Bin Number */ + }, + { + /* CA______ */ + { 0xD6, 0xF0, 0x34, 0xBD, 0x94, 0xAA, 0x23, 0x3F, 0x02, 0x97, 0xEC, 0xA4, 0x24, 0x5B, 0x28, 0x39, + 0x73, 0xE4, 0x47, 0xAA, 0x59, 0x0F, 0x31, 0x0C, 0x77, 0xF4, 0x8F, 0xDF, 0x83, 0x11, 0x22, 0x54 }, + 153 /* Bin Number */ + }, + { + /* AAA_Certificate_Services */ + { 0xD7, 0xA7, 0xA0, 0xFB, 0x5D, 0x7E, 0x27, 0x31, 0xD7, 0x71, 0xE9, 0x48, 0x4E, 0xBC, 0xDE, 0xF7, + 0x1D, 0x5F, 0x0C, 0x3E, 0x0A, 0x29, 0x48, 0x78, 0x2B, 0xC8, 0x3E, 0xE0, 0xEA, 0x69, 0x9E, 0xF4 }, + 28 /* Bin Number */ + }, + { + /* Certum_CA */ + { 0xD8, 0xE0, 0xFE, 0xBC, 0x1D, 0xB2, 0xE3, 0x8D, 0x00, 0x94, 0x0F, 0x37, 0xD2, 0x7D, 0x41, 0x34, + 0x4D, 0x99, 0x3E, 0x73, 0x4B, 0x99, 0xD5, 0x65, 0x6D, 0x97, 0x78, 0xD4, 0xD8, 0x14, 0x36, 0x24 }, + 27 /* Bin Number */ + }, + { + /* GTS_Root_R1 */ + { 0xD9, 0x47, 0x43, 0x2A, 0xBD, 0xE7, 0xB7, 0xFA, 0x90, 0xFC, 0x2E, 0x6B, 0x59, 0x10, 0x1B, 0x12, + 0x80, 0xE0, 0xE1, 0xC7, 0xE4, 0xE4, 0x0F, 0xA3, 0xC6, 0x88, 0x7F, 0xFF, 0x57, 0xA7, 0xF4, 0xCF }, + 236 /* Bin Number */ + }, + { + /* HARICA_TLS_RSA_Root_CA_2021 */ + { 0xD9, 0x5D, 0x0E, 0x8E, 0xDA, 0x79, 0x52, 0x5B, 0xF9, 0xBE, 0xB1, 0x1B, 0x14, 0xD2, 0x10, 0x0D, + 0x32, 0x94, 0x98, 0x5F, 0x0C, 0x62, 0xD9, 0xFA, 0xBD, 0x9C, 0xD9, 0x99, 0xEC, 0xCB, 0x7B, 0x1D }, + 228 /* Bin Number */ + }, + { + /* Swisscom_Root_EV_CA_2 */ + { 0xD9, 0x5F, 0xEA, 0x3C, 0xA4, 0xEE, 0xDC, 0xE7, 0x4C, 0xD7, 0x6E, 0x75, 0xFC, 0x6D, 0x1F, 0xF6, + 0x2C, 0x44, 0x1F, 0x0F, 0xA8, 0xBC, 0x77, 0xF0, 0x34, 0xB1, 0x9E, 0x5D, 0xB2, 0x58, 0x01, 0x5D }, + 135 /* Bin Number */ + }, + { + /* Entrust_Root_Certification_Authority___G4 */ + { 0xDB, 0x35, 0x17, 0xD1, 0xF6, 0x73, 0x2A, 0x2D, 0x5A, 0xB9, 0x7C, 0x53, 0x3E, 0xC7, 0x07, 0x79, + 0xEE, 0x32, 0x70, 0xA6, 0x2F, 0xB4, 0xAC, 0x42, 0x38, 0x37, 0x24, 0x60, 0xE6, 0xF0, 0x1E, 0x88 }, + 211 /* Bin Number */ + }, + { + /* TeliaSonera_Root_CA_v1 */ + { 0xDD, 0x69, 0x36, 0xFE, 0x21, 0xF8, 0xF0, 0x77, 0xC1, 0x23, 0xA1, 0xA5, 0x21, 0xC1, 0x22, 0x24, + 0xF7, 0x22, 0x55, 0xB7, 0x3E, 0x03, 0xA7, 0x26, 0x06, 0x93, 0xE8, 0xA2, 0x4B, 0x0F, 0xA3, 0x89 }, + 140 /* Bin Number */ + }, + { + /* TrustAsia_Global_Root_CA_G3 */ + { 0xE0, 0xD3, 0x22, 0x6A, 0xEB, 0x11, 0x63, 0xC2, 0xE4, 0x8F, 0xF9, 0xBE, 0x3B, 0x50, 0xB4, 0xC6, + 0x43, 0x1B, 0xE7, 0xBB, 0x1E, 0xAC, 0xC5, 0xC3, 0x6B, 0x5D, 0x5E, 0xC5, 0x09, 0x03, 0x9A, 0x08 }, + 260 /* Bin Number */ + }, + { + /* StartCom_Certification_Authority */ + { 0xE1, 0x78, 0x90, 0xEE, 0x09, 0xA3, 0xFB, 0xF4, 0xF4, 0x8B, 0x9C, 0x41, 0x4A, 0x17, 0xD6, 0x37, + 0xB7, 0xA5, 0x06, 0x47, 0xE9, 0xBC, 0x75, 0x23, 0x22, 0x72, 0x7F, 0xCC, 0x17, 0x42, 0xA9, 0x11 }, + 123 /* Bin Number */ + }, + { + /* CA_Disig_Root_R2 */ + { 0xE2, 0x3D, 0x4A, 0x03, 0x6D, 0x7B, 0x70, 0xE9, 0xF5, 0x95, 0xB1, 0x42, 0x20, 0x79, 0xD2, 0xB9, + 0x1E, 0xDF, 0xBB, 0x1F, 0xB6, 0x51, 0xA0, 0x63, 0x3E, 0xAA, 0x8A, 0x9D, 0xC5, 0xF8, 0x07, 0x03 }, + 137 /* Bin Number */ + }, + { + /* CNNIC_ROOT */ + { 0xE2, 0x83, 0x93, 0x77, 0x3D, 0xA8, 0x45, 0xA6, 0x79, 0xF2, 0x08, 0x0C, 0xC7, 0xFB, 0x44, 0xA3, + 0xB7, 0xA1, 0xC3, 0x79, 0x2C, 0xB7, 0xEB, 0x77, 0x29, 0xFD, 0xCB, 0x6A, 0x8D, 0x99, 0xAE, 0xA7 }, + 84 /* Bin Number */ + }, + { + /* Amazon_Root_CA_4 */ + { 0xE3, 0x5D, 0x28, 0x41, 0x9E, 0xD0, 0x20, 0x25, 0xCF, 0xA6, 0x90, 0x38, 0xCD, 0x62, 0x39, 0x62, + 0x45, 0x8D, 0xA5, 0xC6, 0x95, 0xFB, 0xDE, 0xA3, 0xC2, 0x2B, 0x0B, 0xFB, 0x25, 0x89, 0x70, 0x92 }, + 186 /* Bin Number */ + }, + { + /* VeriSign_Class_4_Public_Primary_Certification_Authority___G3 */ + { 0xE3, 0x89, 0x36, 0x0D, 0x0F, 0xDB, 0xAE, 0xB3, 0xD2, 0x50, 0x58, 0x4B, 0x47, 0x30, 0x31, 0x4E, + 0x22, 0x2F, 0x39, 0xC1, 0x56, 0xA0, 0x20, 0x14, 0x4E, 0x8D, 0x96, 0x05, 0x61, 0x79, 0x15, 0x06 }, + 9 /* Bin Number */ + }, + { + /* Certigna */ + { 0xE3, 0xB6, 0xA2, 0xDB, 0x2E, 0xD7, 0xCE, 0x48, 0x84, 0x2F, 0x7A, 0xC5, 0x32, 0x41, 0xC7, 0xB7, + 0x1D, 0x54, 0x14, 0x4B, 0xFB, 0x40, 0xC1, 0x1F, 0x3F, 0x1D, 0x0B, 0x42, 0xF5, 0xEE, 0xA1, 0x2D }, + 71 /* Bin Number */ + }, + { + /* T_B_TAK_UEKAE_K_k_Sertifika_Hizmet_Sa_lay_c_s____S_r_m_3 */ + { 0xE4, 0xC7, 0x34, 0x30, 0xD7, 0xA5, 0xB5, 0x09, 0x25, 0xDF, 0x43, 0x37, 0x0A, 0x0D, 0x21, 0x6E, + 0x9A, 0x79, 0xB9, 0xD6, 0xDB, 0x83, 0x73, 0xA0, 0xC6, 0x9E, 0xB1, 0xCC, 0x31, 0xC7, 0xC5, 0x2A }, + 79 /* Bin Number */ + }, + { + /* D_TRUST_BR_Root_CA_1_2020 */ + { 0xE5, 0x9A, 0xAA, 0x81, 0x60, 0x09, 0xC2, 0x2B, 0xFF, 0x5B, 0x25, 0xBA, 0xD3, 0x7D, 0xF3, 0x06, + 0xF0, 0x49, 0x79, 0x7C, 0x1F, 0x81, 0xD8, 0x5A, 0xB0, 0x89, 0xE6, 0x57, 0xBD, 0x8F, 0x00, 0x44 }, + 241 /* Bin Number */ + }, + { + /* e_Guven_Kok_Elektronik_Sertifika_Hizmet_Saglayicisi */ + { 0xE6, 0x09, 0x07, 0x84, 0x65, 0xA4, 0x19, 0x78, 0x0C, 0xB6, 0xAC, 0x4C, 0x1C, 0x0B, 0xFB, 0x46, + 0x53, 0xD9, 0xD9, 0xCC, 0x6E, 0xB3, 0x94, 0x6E, 0xB7, 0xF3, 0xD6, 0x99, 0x97, 0xBA, 0xD5, 0x98 }, + 100 /* Bin Number */ + }, + { + /* TC_TrustCenter_Class_2_CA_II */ + { 0xE6, 0xB8, 0xF8, 0x76, 0x64, 0x85, 0xF8, 0x07, 0xAE, 0x7F, 0x8D, 0xAC, 0x16, 0x70, 0x46, 0x1F, + 0x07, 0xC0, 0xA1, 0x3E, 0xEF, 0x3A, 0x1F, 0xF7, 0x17, 0x53, 0x8D, 0x7A, 0xBA, 0xD3, 0x91, 0xB4 }, + 72 /* Bin Number */ + }, + { + /* Security_Communication_ECC_RootCA1 */ + { 0xE7, 0x4F, 0xBD, 0xA5, 0x5B, 0xD5, 0x64, 0xC4, 0x73, 0xA3, 0x6B, 0x44, 0x1A, 0xA7, 0x99, 0xC8, + 0xA6, 0x8E, 0x07, 0x74, 0x40, 0xE8, 0x28, 0x8B, 0x9F, 0xA1, 0xE5, 0x0E, 0x4B, 0xBA, 0xCA, 0x11 }, + 250 /* Bin Number */ + }, + { + /* OU_Security_Communication_RootCA1_O_SECOM_Trust_net_C_JP */ + { 0xE7, 0x5E, 0x72, 0xED, 0x9F, 0x56, 0x0E, 0xEC, 0x6E, 0xB4, 0x80, 0x00, 0x73, 0xA4, 0x3F, 0xC3, + 0xAD, 0x19, 0x19, 0x5A, 0x39, 0x22, 0x82, 0x01, 0x78, 0x95, 0x97, 0x4A, 0x99, 0x02, 0x6B, 0x6C }, + 34 /* Bin Number */ + }, + { + /* USERTrust_RSA_Certification_Authority */ + { 0xE7, 0x93, 0xC9, 0xB0, 0x2F, 0xD8, 0xAA, 0x13, 0xE2, 0x1C, 0x31, 0x22, 0x8A, 0xCC, 0xB0, 0x81, + 0x19, 0x64, 0x3B, 0x74, 0x9C, 0x89, 0x89, 0x64, 0xB1, 0x74, 0x6D, 0x46, 0xC3, 0xD4, 0xCB, 0xD2 }, + 155 /* Bin Number */ + }, + { + /* OU_certSIGN_ROOT_CA_O_certSIGN_C_RO */ + { 0xEA, 0xA9, 0x62, 0xC4, 0xFA, 0x4A, 0x6B, 0xAF, 0xEB, 0xE4, 0x15, 0x19, 0x6D, 0x35, 0x1C, 0xCD, + 0x88, 0x8D, 0x4F, 0x53, 0xF3, 0xFA, 0x8A, 0xE6, 0xD7, 0xC4, 0x66, 0xA9, 0x4E, 0x60, 0x42, 0xBB }, + 83 /* Bin Number */ + }, + { + /* VeriSign_Class_3_Public_Primary_Certification_Authority___G3 */ + { 0xEB, 0x04, 0xCF, 0x5E, 0xB1, 0xF3, 0x9A, 0xFA, 0x76, 0x2F, 0x2B, 0xB1, 0x20, 0xF2, 0x96, 0xCB, + 0xA5, 0x20, 0xC1, 0xB9, 0x7D, 0xB1, 0x58, 0x95, 0x65, 0xB8, 0x1C, 0xB9, 0xA1, 0x7B, 0x72, 0x44 }, + 8 /* Bin Number */ + }, + { + /* OU_AC_RAIZ_FNMT_RCM_O_FNMT_RCM_C_ES */ + { 0xEB, 0xC5, 0x57, 0x0C, 0x29, 0x01, 0x8C, 0x4D, 0x67, 0xB1, 0xAA, 0x12, 0x7B, 0xAF, 0x12, 0xF7, + 0x03, 0xB4, 0x61, 0x1E, 0xBC, 0x17, 0xB7, 0xDA, 0xB5, 0x57, 0x38, 0x94, 0x17, 0x9B, 0x93, 0xFA }, + 182 /* Bin Number */ + }, + { + /* GlobalSign_Root_CA */ + { 0xEB, 0xD4, 0x10, 0x40, 0xE4, 0xBB, 0x3E, 0xC7, 0x42, 0xC9, 0xE3, 0x81, 0xD3, 0x1E, 0xF2, 0xA4, + 0x1A, 0x48, 0xB6, 0x68, 0x5C, 0x96, 0xE7, 0xCE, 0xF3, 0xC1, 0xDF, 0x6C, 0xD4, 0x33, 0x1C, 0x99 }, + 6 /* Bin Number */ + }, + { + /* TC_TrustCenter_Universal_CA_I */ + { 0xEB, 0xF3, 0xC0, 0x2A, 0x87, 0x89, 0xB1, 0xFB, 0x7D, 0x51, 0x19, 0x95, 0xD6, 0x63, 0xB7, 0x29, + 0x06, 0xD9, 0x13, 0xCE, 0x0D, 0x5E, 0x10, 0x56, 0x8A, 0x8A, 0x77, 0xE2, 0x58, 0x61, 0x67, 0xE7 }, + 74 /* Bin Number */ + }, + { + /* Juur_SK */ + { 0xEC, 0xC3, 0xE9, 0xC3, 0x40, 0x75, 0x03, 0xBE, 0xE0, 0x91, 0xAA, 0x95, 0x2F, 0x41, 0x34, 0x8F, + 0xF8, 0x8B, 0xAA, 0x86, 0x3B, 0x22, 0x64, 0xBE, 0xFA, 0xC8, 0x07, 0x90, 0x15, 0x74, 0xE9, 0x39 }, + 95 /* Bin Number */ + }, + { + /* Buypass_Class_3_Root_CA */ + { 0xED, 0xF7, 0xEB, 0xBC, 0xA2, 0x7A, 0x2A, 0x38, 0x4D, 0x38, 0x7B, 0x7D, 0x40, 0x10, 0xC6, 0x66, + 0xE2, 0xED, 0xB4, 0x84, 0x3E, 0x4C, 0x29, 0xB4, 0xAE, 0x1D, 0x5B, 0x93, 0x32, 0xE6, 0xB2, 0x4D }, + 126 /* Bin Number */ + }, + { + /* D_TRUST_Root_Class_3_CA_2_EV_2009 */ + { 0xEE, 0xC5, 0x49, 0x6B, 0x98, 0x8C, 0xE9, 0x86, 0x25, 0xB9, 0x34, 0x09, 0x2E, 0xEC, 0x29, 0x08, + 0xBE, 0xD0, 0xB0, 0xF3, 0x16, 0xC2, 0xD4, 0x73, 0x0C, 0x84, 0xEA, 0xF1, 0xF3, 0xD3, 0x48, 0x81 }, + 131 /* Bin Number */ + }, + { + /* Global_Chambersign_Root */ + { 0xEF, 0x3C, 0xB4, 0x17, 0xFC, 0x8E, 0xBF, 0x6F, 0x97, 0x87, 0x6C, 0x9E, 0x4E, 0xCE, 0x39, 0xDE, + 0x1E, 0xA5, 0xFE, 0x64, 0x91, 0x41, 0xD1, 0x02, 0x8B, 0x7D, 0x11, 0xC0, 0xB2, 0x29, 0x8C, 0xED }, + 40 /* Bin Number */ + }, + { + /* E_Tugra_Global_Root_CA_RSA_v3 */ + { 0xEF, 0x66, 0xB0, 0xB1, 0x0A, 0x3C, 0xDB, 0x9F, 0x2E, 0x36, 0x48, 0xC7, 0x6B, 0xD2, 0xAF, 0x18, + 0xEA, 0xD2, 0xBF, 0xE6, 0xF1, 0x17, 0x65, 0x5E, 0x28, 0xC4, 0x06, 0x0D, 0xA1, 0xA3, 0xF4, 0xC2 }, + 247 /* Bin Number */ + }, + { + /* Telekom_Security_TLS_RSA_Root_2023 */ + { 0xEF, 0xC6, 0x5C, 0xAD, 0xBB, 0x59, 0xAD, 0xB6, 0xEF, 0xE8, 0x4D, 0xA2, 0x23, 0x11, 0xB3, 0x56, + 0x24, 0xB7, 0x1B, 0x3B, 0x1E, 0xA0, 0xDA, 0x8B, 0x66, 0x55, 0x17, 0x4E, 0xC8, 0x97, 0x86, 0x46 }, + 265 /* Bin Number */ + }, + { + /* HiPKI_Root_CA___G1 */ + { 0xF0, 0x15, 0xCE, 0x3C, 0xC2, 0x39, 0xBF, 0xEF, 0x06, 0x4B, 0xE9, 0xF1, 0xD2, 0xC4, 0x17, 0xE1, + 0xA0, 0x26, 0x4A, 0x0A, 0x94, 0xBE, 0x1F, 0x0C, 0x8D, 0x12, 0x18, 0x64, 0xEB, 0x69, 0x49, 0xCC }, + 234 /* Bin Number */ + }, + { + /* Swisscom_Root_CA_2 */ + { 0xF0, 0x9B, 0x12, 0x2C, 0x71, 0x14, 0xF4, 0xA0, 0x9B, 0xD4, 0xEA, 0x4F, 0x4A, 0x99, 0xD5, 0x58, + 0xB4, 0x6E, 0x4C, 0x25, 0xCD, 0x81, 0x14, 0x0D, 0x29, 0xC0, 0x56, 0x13, 0x91, 0x4C, 0x38, 0x41 }, + 134 /* Bin Number */ + }, + { + /* SecureTrust_CA */ + { 0xF1, 0xC1, 0xB5, 0x0A, 0xE5, 0xA2, 0x0D, 0xD8, 0x03, 0x0E, 0xC9, 0xF6, 0xBC, 0x24, 0x82, 0x3D, + 0xD3, 0x67, 0xB5, 0x25, 0x57, 0x59, 0xB4, 0xE7, 0x1B, 0x61, 0xFC, 0xE9, 0xF7, 0x37, 0x5D, 0x73 }, + 61 /* Bin Number */ + }, + { + /* Atos_TrustedRoot_2011 */ + { 0xF3, 0x56, 0xBE, 0xA2, 0x44, 0xB7, 0xA9, 0x1E, 0xB3, 0x5D, 0x53, 0xCA, 0x9A, 0xD7, 0x86, 0x4A, + 0xCE, 0x01, 0x8E, 0x2D, 0x35, 0xD5, 0xF8, 0xF9, 0x6D, 0xDF, 0x68, 0xA6, 0xF4, 0x1A, 0xA4, 0x74 }, + 143 /* Bin Number */ + }, + { + /* BJCA_Global_Root_CA1 */ + { 0xF3, 0x89, 0x6F, 0x88, 0xFE, 0x7C, 0x0A, 0x88, 0x27, 0x66, 0xA7, 0xFA, 0x6A, 0xD2, 0x74, 0x9F, + 0xB5, 0x7A, 0x7F, 0x3E, 0x98, 0xFB, 0x76, 0x9C, 0x1F, 0xA7, 0xB0, 0x9C, 0x2C, 0x44, 0xD5, 0xAE }, + 252 /* Bin Number */ + }, + { + /* CA_Disig_Root_R1 */ + { 0xF9, 0x6F, 0x23, 0xF4, 0xC3, 0xE7, 0x9C, 0x07, 0x7A, 0x46, 0x98, 0x8D, 0x5A, 0xF5, 0x90, 0x06, + 0x76, 0xA0, 0xF0, 0x39, 0xCB, 0x64, 0x5D, 0xD1, 0x75, 0x49, 0xB2, 0x16, 0xC8, 0x24, 0x40, 0xCE }, + 136 /* Bin Number */ + }, + { + /* Hongkong_Post_Root_CA_1 */ + { 0xF9, 0xE6, 0x7D, 0x33, 0x6C, 0x51, 0x00, 0x2A, 0xC0, 0x54, 0xC6, 0x32, 0x02, 0x2D, 0x66, 0xDD, + 0xA2, 0xE7, 0xE3, 0xFF, 0xF1, 0x0A, 0xD0, 0x61, 0xED, 0x31, 0xD8, 0xBB, 0xB4, 0x10, 0xCF, 0xB2 }, + 96 /* Bin Number */ + }, + { + /* ANF_Secure_Server_Root_CA */ + { 0xFB, 0x8F, 0xEC, 0x75, 0x91, 0x69, 0xB9, 0x10, 0x6B, 0x1E, 0x51, 0x16, 0x44, 0xC6, 0x18, 0xC5, + 0x13, 0x04, 0x37, 0x3F, 0x6C, 0x06, 0x43, 0x08, 0x8D, 0x8B, 0xEF, 0xFD, 0x1B, 0x99, 0x75, 0x99 }, + 224 /* Bin Number */ + }, + { + /* Certinomis___Autorit__Racine */ + { 0xFC, 0xBF, 0xE2, 0x88, 0x62, 0x06, 0xF7, 0x2B, 0x27, 0x59, 0x3C, 0x8B, 0x07, 0x02, 0x97, 0xE1, + 0x2D, 0x76, 0x9E, 0xD1, 0x0E, 0xD7, 0x93, 0x07, 0x05, 0xA8, 0x09, 0x8E, 0xFF, 0xC1, 0x4D, 0x17 }, + 114 /* Bin Number */ + }, + { + /* T_TeleSec_GlobalRoot_Class_3 */ + { 0xFD, 0x73, 0xDA, 0xD3, 0x1C, 0x64, 0x4F, 0xF1, 0xB4, 0x3B, 0xEF, 0x0C, 0xCD, 0xDA, 0x96, 0x71, + 0x0B, 0x9C, 0xD9, 0x87, 0x5E, 0xCA, 0x7E, 0x31, 0x70, 0x7A, 0xF3, 0xE9, 0x6D, 0x52, 0x2B, 0xBD }, + 127 /* Bin Number */ + }, + { + /* Certum_Trusted_Root_CA */ + { 0xFE, 0x76, 0x96, 0x57, 0x38, 0x55, 0x77, 0x3E, 0x37, 0xA9, 0x5E, 0x7A, 0xD4, 0xD9, 0xCC, 0x96, + 0xC3, 0x01, 0x57, 0xC1, 0x5D, 0x31, 0x76, 0x5B, 0xA9, 0xB1, 0x57, 0x04, 0xE1, 0xAE, 0x78, 0xFD }, + 226 /* Bin Number */ + }, + { + /* GeoTrust_Global_CA */ + { 0xFF, 0x85, 0x6A, 0x2D, 0x25, 0x1D, 0xCD, 0x88, 0xD3, 0x66, 0x56, 0xF4, 0x50, 0x12, 0x67, 0x98, + 0xCF, 0xAB, 0xAA, 0xDE, 0x40, 0x79, 0x9C, 0x72, 0x2D, 0xE4, 0xD2, 0xB5, 0xDB, 0x36, 0xA7, 0x3A }, + 20 /* Bin Number */ + }, + { + /* CommScope_Public_Trust_RSA_Root_02 */ + { 0xFF, 0xE9, 0x43, 0xD7, 0x93, 0x42, 0x4B, 0x4F, 0x7C, 0x44, 0x0C, 0x1C, 0x3D, 0x64, 0x8D, 0x53, + 0x63, 0xF3, 0x4B, 0x82, 0xDC, 0x87, 0xAA, 0x7A, 0x9F, 0x11, 0x8F, 0xC5, 0xDE, 0xE1, 0x01, 0xF1 }, + 261 /* Bin Number */ + }, +}; + diff --git a/security/manager/ssl/SSLServerCertVerification.cpp b/security/manager/ssl/SSLServerCertVerification.cpp new file mode 100644 index 0000000000..1a0c669579 --- /dev/null +++ b/security/manager/ssl/SSLServerCertVerification.cpp @@ -0,0 +1,1134 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +// During certificate authentication, we call CertVerifier::VerifySSLServerCert. +// This function may make zero or more HTTP requests (e.g. to gather revocation +// information). Our fetching logic for these requests processes them on the +// socket transport service thread. +// +// Because the connection for which we are verifying the certificate is +// happening on the socket transport thread, if our cert auth hook were to call +// VerifySSLServerCert directly, there would be a deadlock: VerifySSLServerCert +// would cause an event to be asynchronously posted to the socket transport +// thread, and then it would block the socket transport thread waiting to be +// notified of the HTTP response. However, the HTTP request would never actually +// be processed because the socket transport thread would be blocked and so it +// wouldn't be able process HTTP requests. +// +// Consequently, when we are asked to verify a certificate, we must always call +// VerifySSLServerCert on another thread. To accomplish this, our auth cert hook +// dispatches a SSLServerCertVerificationJob to a pool of background threads, +// and then immediately returns SECWouldBlock to libssl. These jobs are where +// VerifySSLServerCert is actually called. +// +// When our auth cert hook returns SECWouldBlock, libssl will carry on the +// handshake while we validate the certificate. This will free up the socket +// transport thread so that HTTP requests--including the OCSP requests needed +// for cert verification as mentioned above--can be processed. +// +// Once VerifySSLServerCert returns, the cert verification job dispatches a +// SSLServerCertVerificationResult to the socket transport thread; the +// SSLServerCertVerificationResult will notify libssl that the certificate +// authentication is complete. Once libssl is notified that the authentication +// is complete, it will continue the TLS handshake (if it hasn't already +// finished) and it will begin allowing us to send/receive data on the +// connection. +// +// Timeline of events (for connections managed by the socket transport service): +// +// * libssl calls SSLServerCertVerificationJob::Dispatch on the socket +// transport thread. +// * SSLServerCertVerificationJob::Dispatch queues a job +// (instance of SSLServerCertVerificationJob) to its background thread +// pool and returns. +// * One of the background threads calls CertVerifier::VerifySSLServerCert, +// which may enqueue some HTTP request(s) onto the socket transport thread, +// and then blocks that background thread waiting for the responses and/or +// timeouts or errors for those requests. +// * Once those HTTP responses have all come back or failed, the +// CertVerifier::VerifySSLServerCert function returns a result indicating +// that the validation succeeded or failed. +// * If the validation succeeded, then a SSLServerCertVerificationResult +// event is posted to the socket transport thread, and the cert +// verification thread becomes free to verify other certificates. +// * Otherwise, we do cert override processing to see if the validation +// error can be convered by override rules. The result of this processing +// is similarly dispatched in a SSLServerCertVerificationResult. +// * The SSLServerCertVerificationResult event will either wake up the +// socket (using SSL_AuthCertificateComplete) if validation succeeded or +// there was an error override, or it will set an error flag so that the +// next I/O operation on the socket will fail, causing the socket transport +// thread to close the connection. +// +// SSLServerCertVerificationResult must be dispatched to the socket transport +// thread because we must only call SSL_* functions on the socket transport +// thread since they may do I/O, because many parts of NSSSocketControl and the +// PSM NSS I/O layer are not thread-safe, and because we need the event to +// interrupt the PR_Poll that may waiting for I/O on the socket for which we +// are validating the cert. +// +// When socket process is enabled, libssl is running on socket process. To +// perform certificate authentication with CertVerifier, we have to send all +// needed information to parent process and send the result back to socket +// process via IPC. The workflow is described below. +// 1. In AuthCertificateHookInternal(), we call RemoteProcessCertVerification() +// instead of SSLServerCertVerificationJob::Dispatch when we are on socket +// process. +// 2. In RemoteProcessCertVerification(), PVerifySSLServerCert actors will be +// created on IPDL background thread for carrying needed information via IPC. +// 3. On parent process, VerifySSLServerCertParent is created and it calls +// SSLServerCertVerificationJob::Dispatch for doing certificate verification +// on one of CertVerificationThreads. +// 4. When validation is done, OnVerifiedSSLServerCertSuccess IPC message is +// sent through the IPDL background thread when +// CertVerifier::VerifySSLServerCert returns Success. Otherwise, +// OnVerifiedSSLServerCertFailure is sent. +// 5. After setp 4, PVerifySSLServerCert actors will be released. The +// verification result will be dispatched via +// SSLServerCertVerificationResult. + +#include "SSLServerCertVerification.h" + +#include <cstring> + +#include "CertVerifier.h" +#include "CryptoTask.h" +#include "ExtendedValidation.h" +#include "NSSCertDBTrustDomain.h" +#include "NSSSocketControl.h" +#include "PSMRunnable.h" +#include "RootCertificateTelemetryUtils.h" +#include "ScopedNSSTypes.h" +#include "SharedCertVerifier.h" +#include "SharedSSLState.h" +#include "VerifySSLServerCertChild.h" +#include "cert.h" +#include "mozilla/Assertions.h" +#include "mozilla/Casting.h" +#include "mozilla/RefPtr.h" +#include "mozilla/Telemetry.h" +#include "mozilla/UniquePtr.h" +#include "mozilla/Unused.h" +#include "mozilla/glean/GleanMetrics.h" +#include "nsComponentManagerUtils.h" +#include "nsContentUtils.h" +#include "nsICertOverrideService.h" +#include "nsIPublicKeyPinningService.h" +#include "nsISiteSecurityService.h" +#include "nsISocketProvider.h" +#include "nsThreadPool.h" +#include "nsNetUtil.h" +#include "nsNSSCertificate.h" +#include "nsNSSComponent.h" +#include "nsNSSIOLayer.h" +#include "nsServiceManagerUtils.h" +#include "nsString.h" +#include "nsURLHelper.h" +#include "nsXPCOMCIDInternal.h" +#include "mozpkix/pkix.h" +#include "mozpkix/pkixcheck.h" +#include "mozpkix/pkixnss.h" +#include "mozpkix/pkixutil.h" +#include "secerr.h" +#include "secport.h" +#include "ssl.h" +#include "sslerr.h" +#include "sslexp.h" + +extern mozilla::LazyLogModule gPIPNSSLog; + +using namespace mozilla::pkix; + +namespace mozilla { +namespace psm { + +// do not use a nsCOMPtr to avoid static initializer/destructor +nsIThreadPool* gCertVerificationThreadPool = nullptr; + +// Called when the socket transport thread starts, to initialize the SSL cert +// verification thread pool. By tying the thread pool startup/shutdown directly +// to the STS thread's lifetime, we ensure that they are *always* available for +// SSL connections and that there are no races during startup and especially +// shutdown. (Previously, we have had multiple problems with races in PSM +// background threads, and the race-prevention/shutdown logic used there is +// brittle. Since this service is critical to things like downloading updates, +// we take no chances.) Also, by doing things this way, we avoid the need for +// locks, since gCertVerificationThreadPool is only ever accessed on the socket +// transport thread. +void InitializeSSLServerCertVerificationThreads() { + // TODO: tuning, make parameters preferences + gCertVerificationThreadPool = new nsThreadPool(); + NS_ADDREF(gCertVerificationThreadPool); + + (void)gCertVerificationThreadPool->SetIdleThreadLimit(5); + (void)gCertVerificationThreadPool->SetIdleThreadTimeout(30 * 1000); + (void)gCertVerificationThreadPool->SetThreadLimit(5); + (void)gCertVerificationThreadPool->SetName("SSL Cert"_ns); +} + +// Called when the socket transport thread finishes, to destroy the thread +// pool. Since the socket transport service has stopped processing events, it +// will not attempt any more SSL I/O operations, so it is clearly safe to shut +// down the SSL cert verification infrastructure. Also, the STS will not +// dispatch many SSL verification result events at this point, so any pending +// cert verifications will (correctly) fail at the point they are dispatched. +// +// The other shutdown race condition that is possible is a race condition with +// shutdown of the nsNSSComponent service. We use the +// nsNSSShutdownPreventionLock where needed (not here) to prevent that. +void StopSSLServerCertVerificationThreads() { + if (gCertVerificationThreadPool) { + gCertVerificationThreadPool->Shutdown(); + NS_RELEASE(gCertVerificationThreadPool); + } +} + +// A probe value of 1 means "no error". +uint32_t MapOverridableErrorToProbeValue(PRErrorCode errorCode) { + switch (errorCode) { + case SEC_ERROR_UNKNOWN_ISSUER: + return 2; + case SEC_ERROR_CA_CERT_INVALID: + return 3; + case SEC_ERROR_UNTRUSTED_ISSUER: + return 4; + case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE: + return 5; + case SEC_ERROR_UNTRUSTED_CERT: + return 6; + case SEC_ERROR_INADEQUATE_KEY_USAGE: + return 7; + case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED: + return 8; + case SSL_ERROR_BAD_CERT_DOMAIN: + return 9; + case SEC_ERROR_EXPIRED_CERTIFICATE: + return 10; + case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY: + return 11; + case mozilla::pkix::MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA: + return 12; + case mozilla::pkix::MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE: + return 13; + case mozilla::pkix::MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE: + return 14; + case mozilla::pkix::MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE: + return 15; + case SEC_ERROR_INVALID_TIME: + return 16; + case mozilla::pkix::MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME: + return 17; + case mozilla::pkix::MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED: + return 18; + case mozilla::pkix::MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT: + return 19; + case mozilla::pkix::MOZILLA_PKIX_ERROR_MITM_DETECTED: + return 20; + } + NS_WARNING( + "Unknown certificate error code. Does MapOverridableErrorToProbeValue " + "handle everything in CategorizeCertificateError?"); + return 0; +} + +static uint32_t MapCertErrorToProbeValue(PRErrorCode errorCode) { + uint32_t probeValue; + switch (errorCode) { + // see security/pkix/include/pkix/Result.h +#define MOZILLA_PKIX_MAP(name, value, nss_name) \ + case nss_name: \ + probeValue = value; \ + break; + MOZILLA_PKIX_MAP_LIST +#undef MOZILLA_PKIX_MAP + default: + return 0; + } + + // Since FATAL_ERROR_FLAG is 0x800, fatal error values are much larger than + // non-fatal error values. To conserve space, we remap these so they start at + // (decimal) 90 instead of 0x800. Currently there are ~50 non-fatal errors + // mozilla::pkix might return, so saving space for 90 should be sufficient + // (similarly, there are 4 fatal errors, so saving space for 10 should also + // be sufficient). + static_assert( + FATAL_ERROR_FLAG == 0x800, + "mozilla::pkix::FATAL_ERROR_FLAG is not what we were expecting"); + if (probeValue & FATAL_ERROR_FLAG) { + probeValue ^= FATAL_ERROR_FLAG; + probeValue += 90; + } + return probeValue; +} + +// If the given PRErrorCode is an overridable certificate error, return which +// category (trust, time, domain mismatch) it falls in. If it is not +// overridable, return Nothing. +Maybe<nsITransportSecurityInfo::OverridableErrorCategory> +CategorizeCertificateError(PRErrorCode certificateError) { + switch (certificateError) { + case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED: + case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE: + case SEC_ERROR_UNKNOWN_ISSUER: + case SEC_ERROR_CA_CERT_INVALID: + case mozilla::pkix::MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED: + case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY: + case mozilla::pkix::MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME: + case mozilla::pkix::MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE: + case mozilla::pkix::MOZILLA_PKIX_ERROR_MITM_DETECTED: + case mozilla::pkix::MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE: + case mozilla::pkix::MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT: + case mozilla::pkix::MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA: + return Some( + nsITransportSecurityInfo::OverridableErrorCategory::ERROR_TRUST); + + case SSL_ERROR_BAD_CERT_DOMAIN: + return Some( + nsITransportSecurityInfo::OverridableErrorCategory::ERROR_DOMAIN); + + case SEC_ERROR_INVALID_TIME: + case SEC_ERROR_EXPIRED_CERTIFICATE: + case mozilla::pkix::MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE: + return Some( + nsITransportSecurityInfo::OverridableErrorCategory::ERROR_TIME); + + default: + break; + } + return Nothing(); +} + +// Helper function to determine if overrides are allowed for this host. +// Overrides are not allowed for known HSTS hosts or hosts with pinning +// information. However, IP addresses can never be HSTS hosts and don't have +// pinning information. +static nsresult OverrideAllowedForHost( + uint64_t aPtrForLog, const nsACString& aHostname, + const OriginAttributes& aOriginAttributes, /*out*/ bool& aOverrideAllowed) { + aOverrideAllowed = false; + + // If this is an IP address, overrides are allowed, because an IP address is + // never an HSTS host. nsISiteSecurityService takes this into account + // already, but the real problem here is that calling NS_NewURI with an IPv6 + // address fails. We do this to avoid that. A more comprehensive fix would be + // to have Necko provide an nsIURI to PSM and to use that here (and + // everywhere). However, that would be a wide-spanning change. + if (net_IsValidIPv6Addr(aHostname)) { + aOverrideAllowed = true; + return NS_OK; + } + + // If this is an HTTP Strict Transport Security host or a pinned host and the + // certificate is bad, don't allow overrides (RFC 6797 section 12.1). + bool strictTransportSecurityEnabled = false; + bool isStaticallyPinned = false; + nsCOMPtr<nsISiteSecurityService> sss(do_GetService(NS_SSSERVICE_CONTRACTID)); + if (!sss) { + MOZ_LOG( + gPIPNSSLog, LogLevel::Debug, + ("[0x%" PRIx64 "] Couldn't get nsISiteSecurityService to check HSTS", + aPtrForLog)); + return NS_ERROR_FAILURE; + } + + nsCOMPtr<nsIURI> uri; + nsresult rv = NS_NewURI(getter_AddRefs(uri), "https://"_ns + aHostname); + if (NS_FAILED(rv)) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("[0x%" PRIx64 "] Creating new URI failed", aPtrForLog)); + return rv; + } + + rv = + sss->IsSecureURI(uri, aOriginAttributes, &strictTransportSecurityEnabled); + if (NS_FAILED(rv)) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("[0x%" PRIx64 "] checking for HSTS failed", aPtrForLog)); + return rv; + } + + nsCOMPtr<nsIPublicKeyPinningService> pkps = + do_GetService(NS_PKPSERVICE_CONTRACTID, &rv); + if (!pkps) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("[0x%" PRIx64 + "] Couldn't get nsIPublicKeyPinningService to check pinning", + aPtrForLog)); + return NS_ERROR_FAILURE; + } + rv = pkps->HostHasPins(uri, &isStaticallyPinned); + if (NS_FAILED(rv)) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("[0x%" PRIx64 "] checking for static pin failed", aPtrForLog)); + return rv; + } + + aOverrideAllowed = !strictTransportSecurityEnabled && !isStaticallyPinned; + return NS_OK; +} + +// This function assumes that we will only use the SPDY connection coalescing +// feature on connections where we have negotiated SPDY using NPN. If we ever +// talk SPDY without having negotiated it with SPDY, this code will give wrong +// and perhaps unsafe results. +// +// Returns SECSuccess on the initial handshake of all connections, on +// renegotiations for any connections where we did not negotiate SPDY, or on any +// SPDY connection where the server's certificate did not change. +// +// Prohibit changing the server cert only if we negotiated SPDY, +// in order to support SPDY's cross-origin connection pooling. +static SECStatus BlockServerCertChangeForSpdy( + NSSSocketControl* socketControl, const UniqueCERTCertificate& serverCert) { + if (!socketControl->IsHandshakeCompleted()) { + // first handshake on this connection, not a + // renegotiation. + return SECSuccess; + } + + // Filter out sockets that did not neogtiate SPDY via NPN + nsCOMPtr<nsITransportSecurityInfo> securityInfo; + nsresult rv = socketControl->GetSecurityInfo(getter_AddRefs(securityInfo)); + MOZ_ASSERT(NS_SUCCEEDED(rv), "GetSecurityInfo() failed during renegotiation"); + if (NS_FAILED(rv) || !securityInfo) { + PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0); + return SECFailure; + } + nsAutoCString negotiatedNPN; + rv = securityInfo->GetNegotiatedNPN(negotiatedNPN); + MOZ_ASSERT(NS_SUCCEEDED(rv), + "GetNegotiatedNPN() failed during renegotiation"); + + if (NS_SUCCEEDED(rv) && !StringBeginsWith(negotiatedNPN, "spdy/"_ns)) { + return SECSuccess; + } + // If GetNegotiatedNPN() failed we will assume spdy for safety's safe + if (NS_FAILED(rv)) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("BlockServerCertChangeForSpdy failed GetNegotiatedNPN() call." + " Assuming spdy.")); + } + + // Check to see if the cert has actually changed + nsCOMPtr<nsIX509Cert> cert(socketControl->GetServerCert()); + if (!cert) { + PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0); + return SECFailure; + } + nsTArray<uint8_t> certDER; + if (NS_FAILED(cert->GetRawDER(certDER))) { + PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0); + return SECFailure; + } + if (certDER.Length() == serverCert->derCert.len && + memcmp(certDER.Elements(), serverCert->derCert.data, certDER.Length()) == + 0) { + return SECSuccess; + } + + // Report an error - changed cert is confirmed + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("SPDY refused to allow new cert during renegotiation")); + PR_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED, 0); + return SECFailure; +} + +void GatherTelemetryForSingleSCT(const ct::VerifiedSCT& verifiedSct) { + // See SSL_SCTS_ORIGIN in Histograms.json. + uint32_t origin = 0; + switch (verifiedSct.origin) { + case ct::VerifiedSCT::Origin::Embedded: + origin = 1; + break; + case ct::VerifiedSCT::Origin::TLSExtension: + origin = 2; + break; + case ct::VerifiedSCT::Origin::OCSPResponse: + origin = 3; + break; + default: + MOZ_ASSERT_UNREACHABLE("Unexpected VerifiedSCT::Origin type"); + } + Telemetry::Accumulate(Telemetry::SSL_SCTS_ORIGIN, origin); + + // See SSL_SCTS_VERIFICATION_STATUS in Histograms.json. + uint32_t verificationStatus = 0; + switch (verifiedSct.status) { + case ct::VerifiedSCT::Status::Valid: + verificationStatus = 1; + break; + case ct::VerifiedSCT::Status::UnknownLog: + verificationStatus = 2; + break; + case ct::VerifiedSCT::Status::InvalidSignature: + verificationStatus = 3; + break; + case ct::VerifiedSCT::Status::InvalidTimestamp: + verificationStatus = 4; + break; + case ct::VerifiedSCT::Status::ValidFromDisqualifiedLog: + verificationStatus = 5; + break; + default: + MOZ_ASSERT_UNREACHABLE("Unexpected VerifiedSCT::Status type"); + } + Telemetry::Accumulate(Telemetry::SSL_SCTS_VERIFICATION_STATUS, + verificationStatus); +} + +void GatherCertificateTransparencyTelemetry( + const nsTArray<uint8_t>& rootCert, bool isEV, + const CertificateTransparencyInfo& info) { + if (!info.enabled) { + // No telemetry is gathered when CT is disabled. + return; + } + + for (const ct::VerifiedSCT& sct : info.verifyResult.verifiedScts) { + GatherTelemetryForSingleSCT(sct); + } + + // Decoding errors are reported to the 0th bucket + // of the SSL_SCTS_VERIFICATION_STATUS enumerated probe. + for (size_t i = 0; i < info.verifyResult.decodingErrors; ++i) { + Telemetry::Accumulate(Telemetry::SSL_SCTS_VERIFICATION_STATUS, 0); + } + + // Handle the histogram of SCTs counts. + uint32_t sctsCount = + static_cast<uint32_t>(info.verifyResult.verifiedScts.size()); + // Note that sctsCount can also be 0 in case we've received SCT binary data, + // but it failed to parse (e.g. due to unsupported CT protocol version). + Telemetry::Accumulate(Telemetry::SSL_SCTS_PER_CONNECTION, sctsCount); + + // Report CT Policy compliance by CA. + switch (info.policyCompliance) { + case ct::CTPolicyCompliance::Compliant: + AccumulateTelemetryForRootCA( + Telemetry::SSL_CT_POLICY_COMPLIANT_CONNECTIONS_BY_CA, rootCert); + break; + case ct::CTPolicyCompliance::NotEnoughScts: + case ct::CTPolicyCompliance::NotDiverseScts: + AccumulateTelemetryForRootCA( + Telemetry::SSL_CT_POLICY_NON_COMPLIANT_CONNECTIONS_BY_CA, rootCert); + break; + case ct::CTPolicyCompliance::Unknown: + default: + MOZ_ASSERT_UNREACHABLE("Unexpected CTPolicyCompliance type"); + } +} + +// This function collects telemetry about certs. It will be called on one of +// CertVerificationThread. When the socket process is used this will be called +// on the parent process. +static void CollectCertTelemetry( + mozilla::pkix::Result aCertVerificationResult, EVStatus aEVStatus, + CertVerifier::OCSPStaplingStatus aOcspStaplingStatus, + KeySizeStatus aKeySizeStatus, + const PinningTelemetryInfo& aPinningTelemetryInfo, + const nsTArray<nsTArray<uint8_t>>& aBuiltCertChain, + const CertificateTransparencyInfo& aCertificateTransparencyInfo, + const IssuerSources& issuerSources) { + uint32_t evStatus = (aCertVerificationResult != Success) ? 0 // 0 = Failure + : (aEVStatus != EVStatus::EV) ? 1 // 1 = DV + : 2; // 2 = EV + Telemetry::Accumulate(Telemetry::CERT_EV_STATUS, evStatus); + + if (aOcspStaplingStatus != CertVerifier::OCSP_STAPLING_NEVER_CHECKED) { + Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, aOcspStaplingStatus); + } + + if (aKeySizeStatus != KeySizeStatus::NeverChecked) { + Telemetry::Accumulate(Telemetry::CERT_CHAIN_KEY_SIZE_STATUS, + static_cast<uint32_t>(aKeySizeStatus)); + } + + if (aPinningTelemetryInfo.accumulateForRoot) { + Telemetry::Accumulate(Telemetry::CERT_PINNING_FAILURES_BY_CA, + aPinningTelemetryInfo.rootBucket); + } + + if (aPinningTelemetryInfo.accumulateResult) { + MOZ_ASSERT(aPinningTelemetryInfo.certPinningResultHistogram.isSome()); + Telemetry::Accumulate( + aPinningTelemetryInfo.certPinningResultHistogram.value(), + aPinningTelemetryInfo.certPinningResultBucket); + } + + if (aCertVerificationResult == Success && aBuiltCertChain.Length() > 0) { + const nsTArray<uint8_t>& rootCert = aBuiltCertChain.LastElement(); + AccumulateTelemetryForRootCA(Telemetry::CERT_VALIDATION_SUCCESS_BY_CA, + rootCert); + GatherCertificateTransparencyTelemetry(rootCert, aEVStatus == EVStatus::EV, + aCertificateTransparencyInfo); + + mozilla::glean::tls::certificate_verifications.Add(1); + if (issuerSources.contains(IssuerSource::TLSHandshake)) { + mozilla::glean::verification_used_cert_from::tls_handshake.AddToNumerator( + 1); + } + if (issuerSources.contains(IssuerSource::PreloadedIntermediates)) { + mozilla::glean::verification_used_cert_from::preloaded_intermediates + .AddToNumerator(1); + } + if (issuerSources.contains(IssuerSource::ThirdPartyCertificates)) { + mozilla::glean::verification_used_cert_from::third_party_certificates + .AddToNumerator(1); + } + if (issuerSources.contains(IssuerSource::NSSCertDB)) { + mozilla::glean::verification_used_cert_from::nss_cert_db.AddToNumerator( + 1); + } + if (issuerSources.contains(IssuerSource::BuiltInRootsModule)) { + mozilla::glean::verification_used_cert_from::built_in_roots_module + .AddToNumerator(1); + } + } +} + +// Note: Takes ownership of |peerCertChain| if SECSuccess is not returned. +Result AuthCertificate( + CertVerifier& certVerifier, void* aPinArg, + const nsTArray<uint8_t>& certBytes, + const nsTArray<nsTArray<uint8_t>>& peerCertChain, + const nsACString& aHostName, const OriginAttributes& aOriginAttributes, + const Maybe<nsTArray<uint8_t>>& stapledOCSPResponse, + const Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension, + const Maybe<DelegatedCredentialInfo>& dcInfo, uint32_t providerFlags, + Time time, uint32_t certVerifierFlags, + /*out*/ nsTArray<nsTArray<uint8_t>>& builtCertChain, + /*out*/ EVStatus& evStatus, + /*out*/ CertificateTransparencyInfo& certificateTransparencyInfo, + /*out*/ bool& aIsBuiltCertChainRootBuiltInRoot, + /*out*/ bool& aMadeOCSPRequests) { + CertVerifier::OCSPStaplingStatus ocspStaplingStatus = + CertVerifier::OCSP_STAPLING_NEVER_CHECKED; + KeySizeStatus keySizeStatus = KeySizeStatus::NeverChecked; + PinningTelemetryInfo pinningTelemetryInfo; + + nsTArray<nsTArray<uint8_t>> peerCertsBytes; + // Don't include the end-entity certificate. + if (!peerCertChain.IsEmpty()) { + std::transform( + peerCertChain.cbegin() + 1, peerCertChain.cend(), + MakeBackInserter(peerCertsBytes), + [](const auto& elementArray) { return elementArray.Clone(); }); + } + + IssuerSources issuerSources; + Result rv = certVerifier.VerifySSLServerCert( + certBytes, time, aPinArg, aHostName, builtCertChain, certVerifierFlags, + Some(std::move(peerCertsBytes)), stapledOCSPResponse, + sctsFromTLSExtension, dcInfo, aOriginAttributes, &evStatus, + &ocspStaplingStatus, &keySizeStatus, &pinningTelemetryInfo, + &certificateTransparencyInfo, &aIsBuiltCertChainRootBuiltInRoot, + &aMadeOCSPRequests, &issuerSources); + + CollectCertTelemetry(rv, evStatus, ocspStaplingStatus, keySizeStatus, + pinningTelemetryInfo, builtCertChain, + certificateTransparencyInfo, issuerSources); + + return rv; +} + +PRErrorCode AuthCertificateParseResults( + uint64_t aPtrForLog, const nsACString& aHostName, int32_t aPort, + const OriginAttributes& aOriginAttributes, + const nsCOMPtr<nsIX509Cert>& aCert, mozilla::pkix::Time aTime, + PRErrorCode aCertVerificationError, + /* out */ + nsITransportSecurityInfo::OverridableErrorCategory& + aOverridableErrorCategory) { + uint32_t probeValue = MapCertErrorToProbeValue(aCertVerificationError); + Telemetry::Accumulate(Telemetry::SSL_CERT_VERIFICATION_ERRORS, probeValue); + + Maybe<nsITransportSecurityInfo::OverridableErrorCategory> + maybeOverridableErrorCategory = + CategorizeCertificateError(aCertVerificationError); + // If this isn't an overridable error, return it now. This will stop the + // connection and report the given error. + if (!maybeOverridableErrorCategory.isSome()) { + return aCertVerificationError; + } + aOverridableErrorCategory = *maybeOverridableErrorCategory; + + bool overrideAllowed = false; + nsresult rv = OverrideAllowedForHost(aPtrForLog, aHostName, aOriginAttributes, + overrideAllowed); + if (NS_FAILED(rv)) { + return aCertVerificationError; + } + + if (!overrideAllowed) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("[0x%" PRIx64 "] HSTS or pinned host - no overrides allowed", + aPtrForLog)); + return aCertVerificationError; + } + + nsCOMPtr<nsICertOverrideService> overrideService = + do_GetService(NS_CERTOVERRIDE_CONTRACTID); + if (!overrideService) { + return aCertVerificationError; + } + bool haveOverride; + bool isTemporaryOverride; + rv = overrideService->HasMatchingOverride(aHostName, aPort, aOriginAttributes, + aCert, &isTemporaryOverride, + &haveOverride); + if (NS_FAILED(rv)) { + return aCertVerificationError; + } + Unused << isTemporaryOverride; + if (haveOverride) { + uint32_t probeValue = + MapOverridableErrorToProbeValue(aCertVerificationError); + Telemetry::Accumulate(Telemetry::SSL_CERT_ERROR_OVERRIDES, probeValue); + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("[0x%" PRIx64 "] certificate error overridden", aPtrForLog)); + return 0; + } + + return aCertVerificationError; +} + +static nsTArray<nsTArray<uint8_t>> CreateCertBytesArray( + const UniqueCERTCertList& aCertChain) { + nsTArray<nsTArray<uint8_t>> certsBytes; + for (CERTCertListNode* n = CERT_LIST_HEAD(aCertChain); + !CERT_LIST_END(n, aCertChain); n = CERT_LIST_NEXT(n)) { + nsTArray<uint8_t> certBytes; + certBytes.AppendElements(n->cert->derCert.data, n->cert->derCert.len); + certsBytes.AppendElement(std::move(certBytes)); + } + return certsBytes; +} + +/*static*/ +SECStatus SSLServerCertVerificationJob::Dispatch( + uint64_t addrForLogging, void* aPinArg, + nsTArray<nsTArray<uint8_t>>&& peerCertChain, const nsACString& aHostName, + int32_t aPort, const OriginAttributes& aOriginAttributes, + Maybe<nsTArray<uint8_t>>& stapledOCSPResponse, + Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension, + Maybe<DelegatedCredentialInfo>& dcInfo, uint32_t providerFlags, Time time, + uint32_t certVerifierFlags, + BaseSSLServerCertVerificationResult* aResultTask) { + // Runs on the socket transport thread + if (!aResultTask || peerCertChain.IsEmpty()) { + MOZ_ASSERT_UNREACHABLE( + "must have result task and non-empty peer cert chain"); + PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0); + return SECFailure; + } + + if (!gCertVerificationThreadPool) { + PR_SetError(PR_INVALID_STATE_ERROR, 0); + return SECFailure; + } + + RefPtr<SSLServerCertVerificationJob> job(new SSLServerCertVerificationJob( + addrForLogging, aPinArg, std::move(peerCertChain), aHostName, aPort, + aOriginAttributes, stapledOCSPResponse, sctsFromTLSExtension, dcInfo, + providerFlags, time, certVerifierFlags, aResultTask)); + + nsresult nrv = gCertVerificationThreadPool->Dispatch(job, NS_DISPATCH_NORMAL); + if (NS_FAILED(nrv)) { + // We can't call SetCertVerificationResult here to change + // mCertVerificationState because SetCertVerificationResult will call + // libssl functions that acquire SSL locks that are already being held at + // this point. However, we can set an error with PR_SetError and return + // SECFailure, and the correct thing will happen (the error will be + // propagated and this connection will be terminated). + PRErrorCode error = nrv == NS_ERROR_OUT_OF_MEMORY ? PR_OUT_OF_MEMORY_ERROR + : PR_INVALID_STATE_ERROR; + PR_SetError(error, 0); + return SECFailure; + } + + PR_SetError(PR_WOULD_BLOCK_ERROR, 0); + return SECWouldBlock; +} + +NS_IMETHODIMP +SSLServerCertVerificationJob::Run() { + // Runs on a cert verification thread and only on parent process. + MOZ_ASSERT(XRE_IsParentProcess()); + + MOZ_LOG( + gPIPNSSLog, LogLevel::Debug, + ("[%" PRIx64 "] SSLServerCertVerificationJob::Run\n", mAddrForLogging)); + + RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier()); + if (!certVerifier) { + PR_SetError(SEC_ERROR_NOT_INITIALIZED, 0); + return NS_OK; + } + + TimeStamp jobStartTime = TimeStamp::Now(); + EVStatus evStatus; + CertificateTransparencyInfo certificateTransparencyInfo; + bool isCertChainRootBuiltInRoot = false; + bool madeOCSPRequests = false; + nsTArray<nsTArray<uint8_t>> builtChainBytesArray; + nsTArray<uint8_t> certBytes(mPeerCertChain.ElementAt(0).Clone()); + Result rv = AuthCertificate( + *certVerifier, mPinArg, certBytes, mPeerCertChain, mHostName, + mOriginAttributes, mStapledOCSPResponse, mSCTsFromTLSExtension, mDCInfo, + mProviderFlags, mTime, mCertVerifierFlags, builtChainBytesArray, evStatus, + certificateTransparencyInfo, isCertChainRootBuiltInRoot, + madeOCSPRequests); + + if (rv == Success) { + Telemetry::AccumulateTimeDelta( + Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX, jobStartTime, + TimeStamp::Now()); + Telemetry::Accumulate(Telemetry::SSL_CERT_ERROR_OVERRIDES, 1); + + mResultTask->Dispatch( + std::move(builtChainBytesArray), std::move(mPeerCertChain), + TransportSecurityInfo::ConvertCertificateTransparencyInfoToStatus( + certificateTransparencyInfo), + evStatus, true, 0, + nsITransportSecurityInfo::OverridableErrorCategory::ERROR_UNSET, + isCertChainRootBuiltInRoot, mProviderFlags, madeOCSPRequests); + return NS_OK; + } + + Telemetry::AccumulateTimeDelta( + Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX, + jobStartTime, TimeStamp::Now()); + + PRErrorCode error = MapResultToPRErrorCode(rv); + nsITransportSecurityInfo::OverridableErrorCategory overridableErrorCategory = + nsITransportSecurityInfo::OverridableErrorCategory::ERROR_UNSET; + nsCOMPtr<nsIX509Cert> cert(new nsNSSCertificate(std::move(certBytes))); + PRErrorCode finalError = AuthCertificateParseResults( + mAddrForLogging, mHostName, mPort, mOriginAttributes, cert, mTime, error, + overridableErrorCategory); + + // NB: finalError may be 0 here, in which the connection will continue. + mResultTask->Dispatch( + std::move(builtChainBytesArray), std::move(mPeerCertChain), + nsITransportSecurityInfo::CERTIFICATE_TRANSPARENCY_NOT_APPLICABLE, + EVStatus::NotEV, false, finalError, overridableErrorCategory, false, + mProviderFlags, madeOCSPRequests); + return NS_OK; +} + +// Takes information needed for cert verification, does some consistency +// checks and calls SSLServerCertVerificationJob::Dispatch. +SECStatus AuthCertificateHookInternal( + CommonSocketControl* socketControl, const void* aPtrForLogging, + const nsACString& hostName, nsTArray<nsTArray<uint8_t>>&& peerCertChain, + Maybe<nsTArray<uint8_t>>& stapledOCSPResponse, + Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension, + Maybe<DelegatedCredentialInfo>& dcInfo, uint32_t providerFlags, + uint32_t certVerifierFlags) { + // Runs on the socket transport thread + + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("[%p] starting AuthCertificateHookInternal\n", aPtrForLogging)); + + if (!socketControl || peerCertChain.IsEmpty()) { + PR_SetError(PR_INVALID_STATE_ERROR, 0); + return SECFailure; + } + + bool onSTSThread; + nsresult nrv; + nsCOMPtr<nsIEventTarget> sts = + do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID, &nrv); + if (NS_SUCCEEDED(nrv)) { + nrv = sts->IsOnCurrentThread(&onSTSThread); + } + + if (NS_FAILED(nrv)) { + NS_ERROR("Could not get STS service or IsOnCurrentThread failed"); + PR_SetError(PR_UNKNOWN_ERROR, 0); + return SECFailure; + } + + MOZ_ASSERT(onSTSThread); + + if (!onSTSThread) { + PR_SetError(PR_INVALID_STATE_ERROR, 0); + return SECFailure; + } + + uint64_t addr = reinterpret_cast<uintptr_t>(aPtrForLogging); + RefPtr<SSLServerCertVerificationResult> resultTask = + new SSLServerCertVerificationResult(socketControl); + + if (XRE_IsSocketProcess()) { + return RemoteProcessCertVerification( + std::move(peerCertChain), hostName, socketControl->GetPort(), + socketControl->GetOriginAttributes(), stapledOCSPResponse, + sctsFromTLSExtension, dcInfo, providerFlags, certVerifierFlags, + resultTask); + } + + // We *must* do certificate verification on a background thread because + // we need the socket transport thread to be free for our OCSP requests, + // and we *want* to do certificate verification on a background thread + // because of the performance benefits of doing so. + return SSLServerCertVerificationJob::Dispatch( + addr, socketControl, std::move(peerCertChain), hostName, + socketControl->GetPort(), socketControl->GetOriginAttributes(), + stapledOCSPResponse, sctsFromTLSExtension, dcInfo, providerFlags, Now(), + certVerifierFlags, resultTask); +} + +// Extracts whatever information we need out of fd (using SSL_*) and passes it +// to AuthCertificateHookInternal. AuthCertificateHookInternal will call +// SSLServerCertVerificationJob::Dispatch. SSLServerCertVerificationJob +// should never do anything with fd except logging. +SECStatus AuthCertificateHook(void* arg, PRFileDesc* fd, PRBool checkSig, + PRBool isServer) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("[%p] starting AuthCertificateHook\n", fd)); + + // Modern libssl always passes PR_TRUE for checkSig, and we have no means of + // doing verification without checking signatures. + MOZ_ASSERT(checkSig, "AuthCertificateHook: checkSig unexpectedly false"); + + // PSM never causes libssl to call this function with PR_TRUE for isServer, + // and many things in PSM assume that we are a client. + MOZ_ASSERT(!isServer, "AuthCertificateHook: isServer unexpectedly true"); + + NSSSocketControl* socketInfo = static_cast<NSSSocketControl*>(arg); + + UniqueCERTCertificate serverCert(SSL_PeerCertificate(fd)); + + if (!checkSig || isServer || !socketInfo || !serverCert) { + PR_SetError(PR_INVALID_STATE_ERROR, 0); + return SECFailure; + } + socketInfo->SetFullHandshake(); + + if (BlockServerCertChangeForSpdy(socketInfo, serverCert) != SECSuccess) { + return SECFailure; + } + + UniqueCERTCertList peerCertChain(SSL_PeerCertificateChain(fd)); + if (!peerCertChain) { + PR_SetError(PR_INVALID_STATE_ERROR, 0); + return SECFailure; + } + + nsTArray<nsTArray<uint8_t>> peerCertsBytes = + CreateCertBytesArray(peerCertChain); + + // SSL_PeerStapledOCSPResponses will never return a non-empty response if + // OCSP stapling wasn't enabled because libssl wouldn't have let the server + // return a stapled OCSP response. + // We don't own these pointers. + const SECItemArray* csa = SSL_PeerStapledOCSPResponses(fd); + Maybe<nsTArray<uint8_t>> stapledOCSPResponse; + // we currently only support single stapled responses + if (csa && csa->len == 1) { + stapledOCSPResponse.emplace(); + stapledOCSPResponse->SetCapacity(csa->items[0].len); + stapledOCSPResponse->AppendElements(csa->items[0].data, csa->items[0].len); + } + + Maybe<nsTArray<uint8_t>> sctsFromTLSExtension; + const SECItem* sctsFromTLSExtensionSECItem = SSL_PeerSignedCertTimestamps(fd); + if (sctsFromTLSExtensionSECItem) { + sctsFromTLSExtension.emplace(); + sctsFromTLSExtension->SetCapacity(sctsFromTLSExtensionSECItem->len); + sctsFromTLSExtension->AppendElements(sctsFromTLSExtensionSECItem->data, + sctsFromTLSExtensionSECItem->len); + } + + uint32_t providerFlags = 0; + socketInfo->GetProviderFlags(&providerFlags); + + uint32_t certVerifierFlags = 0; + if (!socketInfo->SharedState().IsOCSPStaplingEnabled() || + !socketInfo->SharedState().IsOCSPMustStapleEnabled()) { + certVerifierFlags |= CertVerifier::FLAG_TLS_IGNORE_STATUS_REQUEST; + } + + // Get DC information + Maybe<DelegatedCredentialInfo> dcInfo; + SSLPreliminaryChannelInfo channelPreInfo; + SECStatus rv = SSL_GetPreliminaryChannelInfo(fd, &channelPreInfo, + sizeof(channelPreInfo)); + if (rv != SECSuccess) { + PR_SetError(PR_INVALID_STATE_ERROR, 0); + return SECFailure; + } + if (channelPreInfo.peerDelegCred) { + dcInfo.emplace(DelegatedCredentialInfo(channelPreInfo.signatureScheme, + channelPreInfo.authKeyBits)); + } + + // If we configured an ECHConfig and NSS returned the public name + // for verification, ECH was rejected. Proceed, verifying to the + // public name. The result determines how NSS will fail (i.e. with + // any provided retry_configs if successful). See draft-ietf-tls-esni-08. + nsCString echConfig; + nsresult nsrv = socketInfo->GetEchConfig(echConfig); + bool verifyToEchPublicName = + NS_SUCCEEDED(nsrv) && echConfig.Length() && channelPreInfo.echPublicName; + + const nsCString echPublicName(channelPreInfo.echPublicName); + const nsACString& hostname = + verifyToEchPublicName ? echPublicName : socketInfo->GetHostName(); + socketInfo->SetCertVerificationWaiting(); + rv = AuthCertificateHookInternal(socketInfo, static_cast<const void*>(fd), + hostname, std::move(peerCertsBytes), + stapledOCSPResponse, sctsFromTLSExtension, + dcInfo, providerFlags, certVerifierFlags); + return rv; +} + +// Takes information needed for cert verification, does some consistency +// checks and calls SSLServerCertVerificationJob::Dispatch. +// This function is used for Quic. +SECStatus AuthCertificateHookWithInfo( + CommonSocketControl* socketControl, const nsACString& aHostName, + const void* aPtrForLogging, nsTArray<nsTArray<uint8_t>>&& peerCertChain, + Maybe<nsTArray<nsTArray<uint8_t>>>& stapledOCSPResponses, + Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension, uint32_t providerFlags) { + if (peerCertChain.IsEmpty()) { + PR_SetError(PR_INVALID_STATE_ERROR, 0); + return SECFailure; + } + + // we currently only support single stapled responses + Maybe<nsTArray<uint8_t>> stapledOCSPResponse; + if (stapledOCSPResponses && (stapledOCSPResponses->Length() == 1)) { + stapledOCSPResponse.emplace(stapledOCSPResponses->ElementAt(0).Clone()); + } + + uint32_t certVerifierFlags = 0; + // QuicSocketControl does not have a SharedState as NSSSocketControl. + // Here we need prefs for ocsp. This are prefs they are the same for + // PublicSSLState and PrivateSSLState, just take them from one of them. + if (!PublicSSLState()->IsOCSPStaplingEnabled() || + !PublicSSLState()->IsOCSPMustStapleEnabled()) { + certVerifierFlags |= CertVerifier::FLAG_TLS_IGNORE_STATUS_REQUEST; + } + + // Need to update Quic stack to reflect the PreliminaryInfo fields + // for Delegated Credentials. + Maybe<DelegatedCredentialInfo> dcInfo; + + return AuthCertificateHookInternal(socketControl, aPtrForLogging, aHostName, + std::move(peerCertChain), + stapledOCSPResponse, sctsFromTLSExtension, + dcInfo, providerFlags, certVerifierFlags); +} + +NS_IMPL_ISUPPORTS_INHERITED0(SSLServerCertVerificationResult, Runnable) + +SSLServerCertVerificationResult::SSLServerCertVerificationResult( + CommonSocketControl* socketControl) + : Runnable("psm::SSLServerCertVerificationResult"), + mSocketControl(socketControl), + mCertificateTransparencyStatus(0), + mEVStatus(EVStatus::NotEV), + mSucceeded(false), + mFinalError(0), + mOverridableErrorCategory( + nsITransportSecurityInfo::OverridableErrorCategory::ERROR_UNSET), + mProviderFlags(0) {} + +void SSLServerCertVerificationResult::Dispatch( + nsTArray<nsTArray<uint8_t>>&& aBuiltChain, + nsTArray<nsTArray<uint8_t>>&& aPeerCertChain, + uint16_t aCertificateTransparencyStatus, EVStatus aEVStatus, + bool aSucceeded, PRErrorCode aFinalError, + nsITransportSecurityInfo::OverridableErrorCategory + aOverridableErrorCategory, + bool aIsBuiltCertChainRootBuiltInRoot, uint32_t aProviderFlags, + bool aMadeOCSPRequests) { + mBuiltChain = std::move(aBuiltChain); + mPeerCertChain = std::move(aPeerCertChain); + mCertificateTransparencyStatus = aCertificateTransparencyStatus; + mEVStatus = aEVStatus; + mSucceeded = aSucceeded; + mFinalError = aFinalError; + mOverridableErrorCategory = aOverridableErrorCategory; + mIsBuiltCertChainRootBuiltInRoot = aIsBuiltCertChainRootBuiltInRoot; + mProviderFlags = aProviderFlags; + mMadeOCSPRequests = aMadeOCSPRequests; + + if (mSucceeded && mBuiltChain.IsEmpty()) { + MOZ_ASSERT_UNREACHABLE( + "if the handshake succeeded, the built chain shouldn't be empty"); + mSucceeded = false; + mFinalError = SEC_ERROR_LIBRARY_FAILURE; + } + if (!mSucceeded && mPeerCertChain.IsEmpty()) { + MOZ_ASSERT_UNREACHABLE( + "if the handshake failed, the peer chain shouldn't be empty"); + mFinalError = SEC_ERROR_LIBRARY_FAILURE; + } + + nsresult rv; + nsCOMPtr<nsIEventTarget> stsTarget = + do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID, &rv); + MOZ_ASSERT(stsTarget, "Failed to get socket transport service event target"); + rv = stsTarget->Dispatch(this, NS_DISPATCH_NORMAL); + MOZ_ASSERT(NS_SUCCEEDED(rv), + "Failed to dispatch SSLServerCertVerificationResult"); +} + +NS_IMETHODIMP +SSLServerCertVerificationResult::Run() { +#ifdef DEBUG + bool onSTSThread = false; + nsresult nrv; + nsCOMPtr<nsIEventTarget> sts = + do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID, &nrv); + if (NS_SUCCEEDED(nrv)) { + nrv = sts->IsOnCurrentThread(&onSTSThread); + } + + MOZ_ASSERT(onSTSThread); +#endif + + if (mSucceeded && !XRE_IsSocketProcess() && + !(mProviderFlags & nsISocketProvider::NO_PERMANENT_STORAGE)) { + // This dispatches an event that will run when the socket thread is idle. + SaveIntermediateCerts(mBuiltChain); + } + + mSocketControl->SetMadeOCSPRequests(mMadeOCSPRequests); + + if (mSucceeded) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("SSLServerCertVerificationResult::Run setting NEW cert")); + nsTArray<uint8_t> certBytes(mBuiltChain.ElementAt(0).Clone()); + nsCOMPtr<nsIX509Cert> cert(new nsNSSCertificate(std::move(certBytes))); + mSocketControl->SetServerCert(cert, mEVStatus); + mSocketControl->SetSucceededCertChain(std::move(mBuiltChain)); + + mSocketControl->SetIsBuiltCertChainRootBuiltInRoot( + mIsBuiltCertChainRootBuiltInRoot); + mSocketControl->SetCertificateTransparencyStatus( + mCertificateTransparencyStatus); + } else { + nsTArray<uint8_t> certBytes(mPeerCertChain.ElementAt(0).Clone()); + nsCOMPtr<nsIX509Cert> cert(new nsNSSCertificate(std::move(certBytes))); + // Certificate validation failed; store the peer certificate chain on + // mSocketControl so it can be used for error reporting. + mSocketControl->SetFailedCertChain(std::move(mPeerCertChain)); + if (mOverridableErrorCategory != + nsITransportSecurityInfo::OverridableErrorCategory::ERROR_UNSET) { + mSocketControl->SetStatusErrorBits(cert, mOverridableErrorCategory); + } + } + + mSocketControl->SetCertVerificationResult(mFinalError); + return NS_OK; +} + +} // namespace psm +} // namespace mozilla diff --git a/security/manager/ssl/SSLServerCertVerification.h b/security/manager/ssl/SSLServerCertVerification.h new file mode 100644 index 0000000000..694563152d --- /dev/null +++ b/security/manager/ssl/SSLServerCertVerification.h @@ -0,0 +1,161 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +#ifndef _SSLSERVERCERTVERIFICATION_H +#define _SSLSERVERCERTVERIFICATION_H + +#include "CertVerifier.h" +#include "CommonSocketControl.h" +#include "ScopedNSSTypes.h" +#include "mozilla/Maybe.h" +#include "mozpkix/pkix.h" +#include "nsITransportSecurityInfo.h" +#include "nsIX509Cert.h" +#include "nsTArray.h" +#include "nsThreadUtils.h" +#include "prerror.h" +#include "prio.h" +#include "seccomon.h" +#include "secoidt.h" + +using namespace mozilla::pkix; + +namespace mozilla { +namespace psm { + +enum class EVStatus : uint8_t; + +SECStatus AuthCertificateHook(void* arg, PRFileDesc* fd, PRBool checkSig, + PRBool isServer); + +// This function triggers the certificate verification. The verification is +// asynchronous and the info object will be notified when the verification has +// completed via SetCertVerificationResult. +SECStatus AuthCertificateHookWithInfo( + CommonSocketControl* socketControl, const nsACString& aHostName, + const void* aPtrForLogging, nsTArray<nsTArray<uint8_t>>&& peerCertChain, + Maybe<nsTArray<nsTArray<uint8_t>>>& stapledOCSPResponses, + Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension, uint32_t providerFlags); + +// Base class for dispatching the certificate verification result. +class BaseSSLServerCertVerificationResult { + public: + NS_INLINE_DECL_PURE_VIRTUAL_REFCOUNTING + + virtual void Dispatch(nsTArray<nsTArray<uint8_t>>&& aBuiltChain, + nsTArray<nsTArray<uint8_t>>&& aPeerCertChain, + uint16_t aCertificateTransparencyStatus, + EVStatus aEVStatus, bool aSucceeded, + PRErrorCode aFinalError, + nsITransportSecurityInfo::OverridableErrorCategory + aOverridableErrorCategory, + bool aIsBuiltCertChainRootBuiltInRoot, + uint32_t aProviderFlags, bool aMadeOCSPRequests) = 0; +}; + +// Dispatched to the STS thread to notify the infoObject of the verification +// result. +// +// This will cause the PR_Poll in the STS thread to return, so things work +// correctly even if the STS thread is blocked polling (only) on the file +// descriptor that is waiting for this result. +class SSLServerCertVerificationResult final + : public BaseSSLServerCertVerificationResult, + public Runnable { + public: + NS_DECL_ISUPPORTS_INHERITED + NS_DECL_NSIRUNNABLE + + explicit SSLServerCertVerificationResult(CommonSocketControl* socketControl); + + void Dispatch(nsTArray<nsTArray<uint8_t>>&& aBuiltChain, + nsTArray<nsTArray<uint8_t>>&& aPeerCertChain, + uint16_t aCertificateTransparencyStatus, EVStatus aEVStatus, + bool aSucceeded, PRErrorCode aFinalError, + nsITransportSecurityInfo::OverridableErrorCategory + aOverridableErrorCategory, + bool aIsBuiltCertChainRootBuiltInRoot, uint32_t aProviderFlags, + bool aMadeOCSPRequests) override; + + private: + ~SSLServerCertVerificationResult() = default; + + const RefPtr<CommonSocketControl> mSocketControl; + nsTArray<nsTArray<uint8_t>> mBuiltChain; + nsTArray<nsTArray<uint8_t>> mPeerCertChain; + uint16_t mCertificateTransparencyStatus; + EVStatus mEVStatus; + bool mSucceeded; + PRErrorCode mFinalError; + nsITransportSecurityInfo::OverridableErrorCategory mOverridableErrorCategory; + bool mIsBuiltCertChainRootBuiltInRoot; + uint32_t mProviderFlags; + bool mMadeOCSPRequests; +}; + +class SSLServerCertVerificationJob : public Runnable { + public: + SSLServerCertVerificationJob(const SSLServerCertVerificationJob&) = delete; + + // Must be called only on the socket transport thread + static SECStatus Dispatch(uint64_t addrForLogging, void* aPinArg, + nsTArray<nsTArray<uint8_t>>&& peerCertChain, + const nsACString& aHostName, int32_t aPort, + const OriginAttributes& aOriginAttributes, + Maybe<nsTArray<uint8_t>>& stapledOCSPResponse, + Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension, + Maybe<DelegatedCredentialInfo>& dcInfo, + uint32_t providerFlags, Time time, + uint32_t certVerifierFlags, + BaseSSLServerCertVerificationResult* aResultTask); + + private: + NS_DECL_NSIRUNNABLE + + // Must be called only on the socket transport thread + SSLServerCertVerificationJob(uint64_t addrForLogging, void* aPinArg, + nsTArray<nsTArray<uint8_t>>&& peerCertChain, + const nsACString& aHostName, int32_t aPort, + const OriginAttributes& aOriginAttributes, + Maybe<nsTArray<uint8_t>>& stapledOCSPResponse, + Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension, + Maybe<DelegatedCredentialInfo>& dcInfo, + uint32_t providerFlags, Time time, + uint32_t certVerifierFlags, + BaseSSLServerCertVerificationResult* aResultTask) + : Runnable("psm::SSLServerCertVerificationJob"), + mAddrForLogging(addrForLogging), + mPinArg(aPinArg), + mPeerCertChain(std::move(peerCertChain)), + mHostName(aHostName), + mPort(aPort), + mOriginAttributes(aOriginAttributes), + mProviderFlags(providerFlags), + mCertVerifierFlags(certVerifierFlags), + mTime(time), + mStapledOCSPResponse(std::move(stapledOCSPResponse)), + mSCTsFromTLSExtension(std::move(sctsFromTLSExtension)), + mDCInfo(std::move(dcInfo)), + mResultTask(aResultTask) {} + + uint64_t mAddrForLogging; + void* mPinArg; + nsTArray<nsTArray<uint8_t>> mPeerCertChain; + nsCString mHostName; + int32_t mPort; + OriginAttributes mOriginAttributes; + const uint32_t mProviderFlags; + const uint32_t mCertVerifierFlags; + const Time mTime; + Maybe<nsTArray<uint8_t>> mStapledOCSPResponse; + Maybe<nsTArray<uint8_t>> mSCTsFromTLSExtension; + Maybe<DelegatedCredentialInfo> mDCInfo; + RefPtr<BaseSSLServerCertVerificationResult> mResultTask; +}; + +} // namespace psm +} // namespace mozilla + +#endif diff --git a/security/manager/ssl/ScopedNSSTypes.h b/security/manager/ssl/ScopedNSSTypes.h new file mode 100644 index 0000000000..6ae25db868 --- /dev/null +++ b/security/manager/ssl/ScopedNSSTypes.h @@ -0,0 +1,464 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this file, + * You can obtain one at http://mozilla.org/MPL/2.0/. */ + +// This header provides smart pointers and various helpers for code that needs +// to interact with NSS. + +#ifndef ScopedNSSTypes_h +#define ScopedNSSTypes_h + +#include <limits> +#include <memory> + +#include "cert.h" +#include "cms.h" +#include "cryptohi.h" +#include "keyhi.h" +#include "mozilla/Likely.h" +#include "mozilla/UniquePtr.h" +#include "nsDebug.h" +#include "nsError.h" +#include "NSSErrorsService.h" +#include "pk11hpke.h" +#include "pk11pub.h" +#include "pkcs12.h" +#include "prerror.h" +#include "prio.h" +#include "prmem.h" +#include "sechash.h" +#include "secmod.h" +#include "secpkcs7.h" +#include "secport.h" + +#ifndef MOZ_NO_MOZALLOC +# include "mozilla/mozalloc_oom.h" +#endif + +// Normally this would be included from nsNSSComponent.h, but that file includes +// this file. +bool EnsureNSSInitializedChromeOrContent(); + +namespace mozilla { + +// NSPR APIs use PRStatus/PR_GetError and NSS APIs use SECStatus/PR_GetError to +// report success/failure. This function makes it more convenient and *safer* +// to translate NSPR/NSS results to nsresult. It is safer because it +// refuses to translate any bad PRStatus/SECStatus into an NS_OK, even when the +// NSPR/NSS function forgot to call PR_SetError. The actual enforcement of +// this happens in mozilla::psm::GetXPCOMFromNSSError. +// IMPORTANT: This must be called immediately after the function returning the +// SECStatus result. The recommended usage is: +// nsresult rv = MapSECStatus(f(x, y, z)); +inline nsresult MapSECStatus(SECStatus rv) { + if (rv == SECSuccess) { + return NS_OK; + } + + return mozilla::psm::GetXPCOMFromNSSError(PR_GetError()); +} + +namespace internal { + +inline void PK11_DestroyContext_true(PK11Context* ctx) { + PK11_DestroyContext(ctx, true); +} + +inline void SECKEYEncryptedPrivateKeyInfo_true( + SECKEYEncryptedPrivateKeyInfo* epki) { + SECKEY_DestroyEncryptedPrivateKeyInfo(epki, true); +} + +// If this was created via PK11_ListFixedKeysInSlot, we may have a list of keys, +// in which case we have to free them all (and if not, this will still free the +// one key). +inline void FreeOneOrMoreSymKeys(PK11SymKey* keys) { + PK11SymKey* next; + while (keys) { + next = PK11_GetNextSymKey(keys); + PK11_FreeSymKey(keys); + keys = next; + } +} + +} // namespace internal + +// Emulates MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE, but for UniquePtrs. +#define MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(name, Type, Deleter) \ + struct name##DeletePolicy { \ + void operator()(Type* aValue) { Deleter(aValue); } \ + }; \ + typedef std::unique_ptr<Type, name##DeletePolicy> name; + +MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniquePK11Context, PK11Context, + internal::PK11_DestroyContext_true) +MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniquePK11SlotInfo, PK11SlotInfo, + PK11_FreeSlot) +MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniquePK11SymKey, PK11SymKey, + internal::FreeOneOrMoreSymKeys) + +// Common base class for Digest and HMAC. Should not be used directly. +// Subclasses must implement a `Begin` function that initializes +// `mDigestContext` and calls `SetLength`. +class DigestBase { + protected: + explicit DigestBase() : mLen(0), mDigestContext(nullptr) {} + + public: + nsresult Update(Span<const uint8_t> in) { + return Update(in.Elements(), in.Length()); + } + + nsresult Update(const unsigned char* buf, const uint32_t len) { + if (!mDigestContext) { + return NS_ERROR_NOT_INITIALIZED; + } + return MapSECStatus(PK11_DigestOp(mDigestContext.get(), buf, len)); + } + + nsresult End(/*out*/ nsTArray<uint8_t>& out) { + if (!mDigestContext) { + return NS_ERROR_NOT_INITIALIZED; + } + out.SetLength(mLen); + uint32_t len; + nsresult rv = MapSECStatus( + PK11_DigestFinal(mDigestContext.get(), out.Elements(), &len, mLen)); + NS_ENSURE_SUCCESS(rv, rv); + mDigestContext = nullptr; + NS_ENSURE_TRUE(len == mLen, NS_ERROR_UNEXPECTED); + + return NS_OK; + } + + protected: + nsresult SetLength(SECOidTag hashType) { + switch (hashType) { + case SEC_OID_MD5: + mLen = MD5_LENGTH; + break; + case SEC_OID_SHA1: + mLen = SHA1_LENGTH; + break; + case SEC_OID_SHA256: + mLen = SHA256_LENGTH; + break; + case SEC_OID_SHA384: + mLen = SHA384_LENGTH; + break; + case SEC_OID_SHA512: + mLen = SHA512_LENGTH; + break; + default: + return NS_ERROR_INVALID_ARG; + } + return NS_OK; + } + + private: + uint8_t mLen; + + protected: + UniquePK11Context mDigestContext; +}; + +/** A more convenient way of dealing with digests calculated into + * stack-allocated buffers. NSS must be initialized on the main thread before + * use, and the caller must ensure NSS isn't shut down, typically by + * being within the lifetime of XPCOM. + * + * Typical usage, for digesting a buffer in memory: + * + * nsCOMPtr<nsISupports> nssDummy = do_GetService("@mozilla.org/psm;1", &rv); + * nsTArray<uint8_t> digestArray; + * nsresult rv = Digest::DigestBuf(SEC_OID_SHA256, mybuffer, myBufferLen, + * digestArray); + * NS_ENSURE_SUCCESS(rv, rv); + * + * Less typical usage, for digesting while doing streaming I/O and similar: + * + * Digest digest; + * nsresult rv = digest.Begin(SEC_OID_SHA256); + * NS_ENSURE_SUCCESS(rv, rv); + * for (...) { + * rv = digest.Update(buf, len); + * NS_ENSURE_SUCCESS(rv, rv); + * } + * nsTArray<uint8_t> digestArray; + * rv = digest.End(digestArray); + * NS_ENSURE_SUCCESS(rv, rv) + */ +class Digest : public DigestBase { + public: + explicit Digest() = default; + + static nsresult DigestBuf(SECOidTag hashAlg, Span<const uint8_t> buf, + /*out*/ nsTArray<uint8_t>& out) { + return Digest::DigestBuf(hashAlg, buf.Elements(), buf.Length(), out); + } + + static nsresult DigestBuf(SECOidTag hashAlg, const uint8_t* buf, uint32_t len, + /*out*/ nsTArray<uint8_t>& out) { + Digest digest; + + nsresult rv = digest.Begin(hashAlg); + if (NS_FAILED(rv)) { + return rv; + } + + rv = digest.Update(buf, len); + if (NS_FAILED(rv)) { + return rv; + } + + rv = digest.End(out); + if (NS_FAILED(rv)) { + return rv; + } + + return rv; + } + + nsresult Begin(SECOidTag hashAlg) { + if (!EnsureNSSInitializedChromeOrContent()) { + return NS_ERROR_FAILURE; + } + + switch (hashAlg) { + case SEC_OID_SHA1: + case SEC_OID_SHA256: + case SEC_OID_SHA384: + case SEC_OID_SHA512: + break; + + default: + return NS_ERROR_INVALID_ARG; + } + + mDigestContext = UniquePK11Context(PK11_CreateDigestContext(hashAlg)); + if (!mDigestContext) { + return mozilla::psm::GetXPCOMFromNSSError(PR_GetError()); + } + + nsresult rv = SetLength(hashAlg); + NS_ENSURE_SUCCESS(rv, rv); + return MapSECStatus(PK11_DigestBegin(mDigestContext.get())); + } +}; + +// A helper class to calculate HMACs over some data given a key. +// Only SHA256 and, sadly, MD5 are supported at the moment. +// Typical usage: +// (ensure NSS is initialized) +// (obtain raw bytes for a key, some data to calculate the HMAC for) +// HMAC hmac; +// nsresult rv = hmac.Begin(SEC_OID_SHA256, Span(key)); +// NS_ENSURE_SUCCESS(rv, rv); +// rv = hmac.Update(buf, len); +// NS_ENSURE_SUCCESS(rv, rv); +// nsTArray<uint8_t> calculatedHmac; +// rv = hmac.End(calculatedHmac); +// NS_ENSURE_SUCCESS(rv, rv); +class HMAC : public DigestBase { + public: + explicit HMAC() = default; + + nsresult Begin(SECOidTag hashAlg, Span<const uint8_t> key) { + if (!EnsureNSSInitializedChromeOrContent()) { + return NS_ERROR_FAILURE; + } + CK_MECHANISM_TYPE mechType; + switch (hashAlg) { + case SEC_OID_SHA256: + mechType = CKM_SHA256_HMAC; + break; + case SEC_OID_MD5: + mechType = CKM_MD5_HMAC; + break; + default: + return NS_ERROR_INVALID_ARG; + } + if (key.Length() > std::numeric_limits<unsigned int>::max()) { + return NS_ERROR_INVALID_ARG; + } + // SECItem's data field is a non-const unsigned char*. The good news is the + // data won't be mutated, but the bad news is the constness needs to be + // casted away. + SECItem keyItem = {siBuffer, const_cast<unsigned char*>(key.Elements()), + static_cast<unsigned int>(key.Length())}; + UniquePK11SlotInfo slot(PK11_GetInternalSlot()); + if (!slot) { + return mozilla::psm::GetXPCOMFromNSSError(PR_GetError()); + } + UniquePK11SymKey symKey( + PK11_ImportSymKey(slot.get(), CKM_GENERIC_SECRET_KEY_GEN, + PK11_OriginUnwrap, CKA_SIGN, &keyItem, nullptr)); + if (!symKey) { + return mozilla::psm::GetXPCOMFromNSSError(PR_GetError()); + } + SECItem emptyData = {siBuffer, nullptr, 0}; + mDigestContext = UniquePK11Context(PK11_CreateContextBySymKey( + mechType, CKA_SIGN, symKey.get(), &emptyData)); + if (!mDigestContext) { + return mozilla::psm::GetXPCOMFromNSSError(PR_GetError()); + } + + nsresult rv = SetLength(hashAlg); + NS_ENSURE_SUCCESS(rv, rv); + return MapSECStatus(PK11_DigestBegin(mDigestContext.get())); + } +}; + +namespace internal { + +inline void PORT_FreeArena_false(PLArenaPool* arena) { + // PL_FreeArenaPool can't be used because it doesn't actually free the + // memory, which doesn't work well with memory analysis tools. + return PORT_FreeArena(arena, false); +} + +} // namespace internal + +// Wrapper around NSS's SECItem_AllocItem that handles OOM the same way as +// other allocators. +inline void SECITEM_AllocItem(SECItem& item, uint32_t len) { + if (MOZ_UNLIKELY(!SECITEM_AllocItem(nullptr, &item, len))) { +#ifndef MOZ_NO_MOZALLOC + mozalloc_handle_oom(len); + if (MOZ_UNLIKELY(!SECITEM_AllocItem(nullptr, &item, len))) +#endif + { + MOZ_CRASH(); + } + } +} + +class ScopedAutoSECItem final : public SECItem { + public: + explicit ScopedAutoSECItem(uint32_t initialAllocatedLen = 0) { + data = nullptr; + len = 0; + if (initialAllocatedLen > 0) { + SECITEM_AllocItem(*this, initialAllocatedLen); + } + } + + void reset() { SECITEM_FreeItem(this, false); } + + ~ScopedAutoSECItem() { reset(); } +}; + +class MOZ_RAII AutoSECMODListReadLock final { + public: + AutoSECMODListReadLock() : mLock(SECMOD_GetDefaultModuleListLock()) { + MOZ_ASSERT(mLock, "should have SECMOD lock (has NSS been initialized?)"); + SECMOD_GetReadLock(mLock); + } + + ~AutoSECMODListReadLock() { SECMOD_ReleaseReadLock(mLock); } + + private: + SECMODListLock* mLock; +}; + +namespace internal { + +inline void SECITEM_FreeItem_true(SECItem* s) { + return SECITEM_FreeItem(s, true); +} + +inline void SECOID_DestroyAlgorithmID_true(SECAlgorithmID* a) { + return SECOID_DestroyAlgorithmID(a, true); +} + +inline void VFY_DestroyContext_true(VFYContext* ctx) { + VFY_DestroyContext(ctx, true); +} + +inline void PK11_HPKE_DestroyContext_true(HpkeContext* cx) { + PK11_HPKE_DestroyContext(cx, true); +} + +} // namespace internal + +MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueCERTCertificate, CERTCertificate, + CERT_DestroyCertificate) +MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueCERTCertificateList, + CERTCertificateList, + CERT_DestroyCertificateList) +MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueCERTCertificatePolicies, + CERTCertificatePolicies, + CERT_DestroyCertificatePoliciesExtension) +MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueCERTCertificateRequest, + CERTCertificateRequest, + CERT_DestroyCertificateRequest) +MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueCERTCertList, CERTCertList, + CERT_DestroyCertList) +MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueCERTName, CERTName, + CERT_DestroyName) +MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueCERTOidSequence, CERTOidSequence, + CERT_DestroyOidSequence) +MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueCERTSubjectPublicKeyInfo, + CERTSubjectPublicKeyInfo, + SECKEY_DestroySubjectPublicKeyInfo) +MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueCERTUserNotice, CERTUserNotice, + CERT_DestroyUserNotice) +MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueCERTValidity, CERTValidity, + CERT_DestroyValidity) + +MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueHASHContext, HASHContext, + HASH_Destroy) + +MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueNSSCMSMessage, NSSCMSMessage, + NSS_CMSMessage_Destroy) +MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueNSSCMSSignedData, NSSCMSSignedData, + NSS_CMSSignedData_Destroy) + +MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniquePK11GenericObject, + PK11GenericObject, + PK11_DestroyGenericObject) +MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniquePK11SlotList, PK11SlotList, + PK11_FreeSlotList) + +MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniquePLArenaPool, PLArenaPool, + internal::PORT_FreeArena_false) +MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniquePORTString, char, PORT_Free) +MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniquePRFileDesc, PRFileDesc, PR_Close) +MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniquePRString, char, PR_Free) + +MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueSECAlgorithmID, SECAlgorithmID, + internal::SECOID_DestroyAlgorithmID_true) +MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueSECItem, SECItem, + internal::SECITEM_FreeItem_true) +MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueSECKEYPrivateKey, SECKEYPrivateKey, + SECKEY_DestroyPrivateKey) +MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueSECKEYPrivateKeyList, + SECKEYPrivateKeyList, + SECKEY_DestroyPrivateKeyList) +MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueSECKEYPublicKey, SECKEYPublicKey, + SECKEY_DestroyPublicKey) +MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueSECMODModule, SECMODModule, + SECMOD_DestroyModule) + +MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueSGNDigestInfo, SGNDigestInfo, + SGN_DestroyDigestInfo) + +MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueVFYContext, VFYContext, + internal::VFY_DestroyContext_true) + +MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueSEC_PKCS12DecoderContext, + SEC_PKCS12DecoderContext, + SEC_PKCS12DecoderFinish) +MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueSEC_PKCS12ExportContext, + SEC_PKCS12ExportContext, + SEC_PKCS12DestroyExportContext) +MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE( + UniqueSECKEYEncryptedPrivateKeyInfo, SECKEYEncryptedPrivateKeyInfo, + internal::SECKEYEncryptedPrivateKeyInfo_true) +MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueHpkeContext, HpkeContext, + internal::PK11_HPKE_DestroyContext_true) +} // namespace mozilla + +#endif // ScopedNSSTypes_h diff --git a/security/manager/ssl/SecretDecoderRing.cpp b/security/manager/ssl/SecretDecoderRing.cpp new file mode 100644 index 0000000000..8cfebde8f9 --- /dev/null +++ b/security/manager/ssl/SecretDecoderRing.cpp @@ -0,0 +1,344 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "SecretDecoderRing.h" + +#include "ScopedNSSTypes.h" +#include "mozilla/Base64.h" +#include "mozilla/Casting.h" +#include "mozilla/Logging.h" +#include "mozilla/Services.h" +#include "mozilla/ErrorResult.h" +#include "mozilla/dom/Promise.h" +#include "nsCOMPtr.h" +#include "nsIInterfaceRequestor.h" +#include "nsIInterfaceRequestorUtils.h" +#include "nsIObserverService.h" +#include "nsITokenPasswordDialogs.h" +#include "nsNSSComponent.h" +#include "nsNSSHelper.h" +#include "nsNetCID.h" +#include "nsPK11TokenDB.h" +#include "pk11func.h" +#include "pk11sdr.h" // For PK11SDR_Encrypt, PK11SDR_Decrypt + +static mozilla::LazyLogModule gSDRLog("sdrlog"); + +using namespace mozilla; +using dom::Promise; + +NS_IMPL_ISUPPORTS(SecretDecoderRing, nsISecretDecoderRing) + +void BackgroundSdrEncryptStrings(const nsTArray<nsCString>& plaintexts, + RefPtr<Promise>& aPromise) { + nsCOMPtr<nsISecretDecoderRing> sdrService = + do_GetService(NS_SECRETDECODERRING_CONTRACTID); + nsTArray<nsString> cipherTexts(plaintexts.Length()); + + nsresult rv = NS_ERROR_FAILURE; + for (const auto& plaintext : plaintexts) { + nsCString cipherText; + rv = sdrService->EncryptString(plaintext, cipherText); + + if (NS_WARN_IF(NS_FAILED(rv))) { + break; + } + + cipherTexts.AppendElement(NS_ConvertASCIItoUTF16(cipherText)); + } + + nsCOMPtr<nsIRunnable> runnable( + NS_NewRunnableFunction("BackgroundSdrEncryptStringsResolve", + [rv, aPromise = std::move(aPromise), + cipherTexts = std::move(cipherTexts)]() { + if (NS_FAILED(rv)) { + aPromise->MaybeReject(rv); + } else { + aPromise->MaybeResolve(cipherTexts); + } + })); + NS_DispatchToMainThread(runnable.forget()); +} + +void BackgroundSdrDecryptStrings(const nsTArray<nsCString>& encryptedStrings, + RefPtr<Promise>& aPromise) { + nsCOMPtr<nsISecretDecoderRing> sdrService = + do_GetService(NS_SECRETDECODERRING_CONTRACTID); + nsTArray<nsString> plainTexts(encryptedStrings.Length()); + + nsresult rv = NS_ERROR_FAILURE; + for (const auto& encryptedString : encryptedStrings) { + nsCString plainText; + rv = sdrService->DecryptString(encryptedString, plainText); + + if (NS_FAILED(rv)) { + if (rv == NS_ERROR_NOT_AVAILABLE) { + // Master Password entry was canceled. Don't keep prompting again. + break; + } + + // NS_ERROR_ILLEGAL_VALUE or NS_ERROR_FAILURE could be due to bad data for + // a single string but we still want to decrypt the others. + // Callers of `decryptMany` in crypto-SDR.js assume there will be an + // equal number of usernames and passwords so use an empty string to keep + // this assumption true. + MOZ_LOG(gSDRLog, LogLevel::Warning, + ("Couldn't decrypt string: %s", encryptedString.get())); + plainTexts.AppendElement(nullptr); + rv = NS_OK; + continue; + } + + plainTexts.AppendElement(NS_ConvertUTF8toUTF16(plainText)); + } + + nsCOMPtr<nsIRunnable> runnable( + NS_NewRunnableFunction("BackgroundSdrDecryptStringsResolve", + [rv, aPromise = std::move(aPromise), + plainTexts = std::move(plainTexts)]() { + if (NS_FAILED(rv)) { + aPromise->MaybeReject(rv); + } else { + aPromise->MaybeResolve(plainTexts); + } + })); + NS_DispatchToMainThread(runnable.forget()); +} + +nsresult SecretDecoderRing::Encrypt(const nsACString& data, + /*out*/ nsACString& result) { + UniquePK11SlotInfo slot(PK11_GetInternalKeySlot()); + if (!slot) { + return NS_ERROR_NOT_AVAILABLE; + } + + /* Make sure token is initialized. */ + nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext(); + nsresult rv = setPassword(slot.get(), ctx); + if (NS_FAILED(rv)) { + return rv; + } + + /* Force authentication */ + if (PK11_Authenticate(slot.get(), true, ctx) != SECSuccess) { + return NS_ERROR_FAILURE; + } + + /* Use default key id */ + SECItem keyid; + keyid.data = nullptr; + keyid.len = 0; + SECItem request; + request.data = BitwiseCast<unsigned char*, const char*>(data.BeginReading()); + request.len = data.Length(); + ScopedAutoSECItem reply; + if (PK11SDR_Encrypt(&keyid, &request, &reply, ctx) != SECSuccess) { + return NS_ERROR_FAILURE; + } + + result.Assign(BitwiseCast<char*, unsigned char*>(reply.data), reply.len); + return NS_OK; +} + +nsresult SecretDecoderRing::Decrypt(const nsACString& data, + /*out*/ nsACString& result) { + /* Find token with SDR key */ + UniquePK11SlotInfo slot(PK11_GetInternalKeySlot()); + if (!slot) { + return NS_ERROR_NOT_AVAILABLE; + } + + /* Force authentication */ + nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext(); + if (PK11_Authenticate(slot.get(), true, ctx) != SECSuccess) { + return NS_ERROR_NOT_AVAILABLE; + } + + SECItem request; + request.data = BitwiseCast<unsigned char*, const char*>(data.BeginReading()); + request.len = data.Length(); + ScopedAutoSECItem reply; + if (PK11SDR_Decrypt(&request, &reply, ctx) != SECSuccess) { + return NS_ERROR_FAILURE; + } + + result.Assign(BitwiseCast<char*, unsigned char*>(reply.data), reply.len); + return NS_OK; +} + +NS_IMETHODIMP +SecretDecoderRing::EncryptString(const nsACString& text, + /*out*/ nsACString& encryptedBase64Text) { + nsAutoCString encryptedText; + nsresult rv = Encrypt(text, encryptedText); + if (NS_FAILED(rv)) { + return rv; + } + + rv = Base64Encode(encryptedText, encryptedBase64Text); + if (NS_FAILED(rv)) { + return rv; + } + + return NS_OK; +} + +NS_IMETHODIMP +SecretDecoderRing::AsyncEncryptStrings(const nsTArray<nsCString>& plaintexts, + JSContext* aCx, Promise** aPromise) { + MOZ_RELEASE_ASSERT(NS_IsMainThread()); + NS_ENSURE_ARG(!plaintexts.IsEmpty()); + NS_ENSURE_ARG_POINTER(aCx); + NS_ENSURE_ARG_POINTER(aPromise); + + nsIGlobalObject* globalObject = xpc::CurrentNativeGlobal(aCx); + if (NS_WARN_IF(!globalObject)) { + return NS_ERROR_UNEXPECTED; + } + + ErrorResult result; + RefPtr<Promise> promise = Promise::Create(globalObject, result); + if (NS_WARN_IF(result.Failed())) { + return result.StealNSResult(); + } + + // plaintexts are already expected to be UTF-8. + nsCOMPtr<nsIRunnable> runnable(NS_NewRunnableFunction( + "BackgroundSdrEncryptStrings", + [promise, plaintexts = plaintexts.Clone()]() mutable { + BackgroundSdrEncryptStrings(plaintexts, promise); + })); + + nsCOMPtr<nsIEventTarget> target( + do_GetService(NS_STREAMTRANSPORTSERVICE_CONTRACTID)); + if (!target) { + return NS_ERROR_FAILURE; + } + nsresult rv = target->Dispatch(runnable, NS_DISPATCH_NORMAL); + if (NS_WARN_IF(NS_FAILED(rv))) { + return rv; + } + + promise.forget(aPromise); + return NS_OK; +} + +NS_IMETHODIMP +SecretDecoderRing::DecryptString(const nsACString& encryptedBase64Text, + /*out*/ nsACString& decryptedText) { + nsAutoCString encryptedText; + nsresult rv = Base64Decode(encryptedBase64Text, encryptedText); + if (NS_FAILED(rv)) { + return rv; + } + + rv = Decrypt(encryptedText, decryptedText); + if (NS_FAILED(rv)) { + return rv; + } + + return NS_OK; +} + +NS_IMETHODIMP +SecretDecoderRing::AsyncDecryptStrings( + const nsTArray<nsCString>& encryptedStrings, JSContext* aCx, + Promise** aPromise) { + MOZ_RELEASE_ASSERT(NS_IsMainThread()); + NS_ENSURE_ARG(!encryptedStrings.IsEmpty()); + NS_ENSURE_ARG_POINTER(aCx); + NS_ENSURE_ARG_POINTER(aPromise); + + nsIGlobalObject* globalObject = xpc::CurrentNativeGlobal(aCx); + if (NS_WARN_IF(!globalObject)) { + return NS_ERROR_UNEXPECTED; + } + + ErrorResult result; + RefPtr<Promise> promise = Promise::Create(globalObject, result); + if (NS_WARN_IF(result.Failed())) { + return result.StealNSResult(); + } + + // encryptedStrings are expected to be base64. + nsCOMPtr<nsIRunnable> runnable(NS_NewRunnableFunction( + "BackgroundSdrDecryptStrings", + [promise, encryptedStrings = encryptedStrings.Clone()]() mutable { + BackgroundSdrDecryptStrings(encryptedStrings, promise); + })); + + nsCOMPtr<nsIEventTarget> target( + do_GetService(NS_STREAMTRANSPORTSERVICE_CONTRACTID)); + if (!target) { + return NS_ERROR_FAILURE; + } + nsresult rv = target->Dispatch(runnable, NS_DISPATCH_NORMAL); + if (NS_WARN_IF(NS_FAILED(rv))) { + return rv; + } + + promise.forget(aPromise); + return NS_OK; +} + +NS_IMETHODIMP +SecretDecoderRing::ChangePassword() { + UniquePK11SlotInfo slot(PK11_GetInternalKeySlot()); + if (!slot) { + return NS_ERROR_NOT_AVAILABLE; + } + + // nsPK11Token::nsPK11Token takes its own reference to slot, so we pass a + // non-owning pointer here. + nsCOMPtr<nsIPK11Token> token = new nsPK11Token(slot.get()); + + nsCOMPtr<nsITokenPasswordDialogs> dialogs; + nsresult rv = getNSSDialogs(getter_AddRefs(dialogs), + NS_GET_IID(nsITokenPasswordDialogs), + NS_TOKENPASSWORDSDIALOG_CONTRACTID); + if (NS_FAILED(rv)) { + return rv; + } + + nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext(); + bool canceled; // Ignored + return dialogs->SetPassword(ctx, token, &canceled); +} + +NS_IMETHODIMP +SecretDecoderRing::Logout() { + PK11_LogoutAll(); + nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(NS_NSSCOMPONENT_CID)); + if (!nssComponent) { + return NS_ERROR_NOT_AVAILABLE; + } + return nssComponent->ClearSSLExternalAndInternalSessionCache(); +} + +NS_IMETHODIMP +SecretDecoderRing::LogoutAndTeardown() { + PK11_LogoutAll(); + nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(NS_NSSCOMPONENT_CID)); + if (!nssComponent) { + return NS_ERROR_NOT_AVAILABLE; + } + + // LogoutAuthenticatedPK11 also clears the SSL caches. + nsresult rv = nssComponent->LogoutAuthenticatedPK11(); + if (NS_FAILED(rv)) { + return rv; + } + + // After we just logged out, we need to prune dead connections to make + // sure that all connections that should be stopped, are stopped. See + // bug 517584. + nsCOMPtr<nsIObserverService> os = mozilla::services::GetObserverService(); + if (os) { + os->NotifyObservers(nullptr, "net:prune-dead-connections", nullptr); + } + + return NS_OK; +} diff --git a/security/manager/ssl/SecretDecoderRing.h b/security/manager/ssl/SecretDecoderRing.h new file mode 100644 index 0000000000..23187ae45d --- /dev/null +++ b/security/manager/ssl/SecretDecoderRing.h @@ -0,0 +1,37 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef SecretDecoderRing_h +#define SecretDecoderRing_h + +#include "nsISecretDecoderRing.h" +#include "nsString.h" + +#define NS_SECRETDECODERRING_CONTRACTID "@mozilla.org/security/sdr;1" + +#define NS_SECRETDECODERRING_CID \ + { \ + 0x0c4f1ddc, 0x1dd2, 0x11b2, { \ + 0x9d, 0x95, 0xf2, 0xfd, 0xf1, 0x13, 0x04, 0x4b \ + } \ + } + +class SecretDecoderRing : public nsISecretDecoderRing { + public: + NS_DECL_THREADSAFE_ISUPPORTS + NS_DECL_NSISECRETDECODERRING + + SecretDecoderRing() = default; + + protected: + virtual ~SecretDecoderRing() = default; + + private: + nsresult Encrypt(const nsACString& data, /*out*/ nsACString& result); + nsresult Decrypt(const nsACString& data, /*out*/ nsACString& result); +}; + +#endif // SecretDecoderRing_h diff --git a/security/manager/ssl/SelectTLSClientAuthCertChild.h b/security/manager/ssl/SelectTLSClientAuthCertChild.h new file mode 100644 index 0000000000..cdf8999cda --- /dev/null +++ b/security/manager/ssl/SelectTLSClientAuthCertChild.h @@ -0,0 +1,42 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef SECURITY_MANAGER_SSL_SELECTTLSCLIENTAUTHCERTCHILD_H_ +#define SECURITY_MANAGER_SSL_SELECTTLSCLIENTAUTHCERTCHILD_H_ + +#include "mozilla/psm/PSelectTLSClientAuthCertChild.h" +#include "TLSClientAuthCertSelection.h" + +namespace mozilla { +namespace psm { + +// Socket process component of the SelectTLSClientAuthCert IPC protocol. When +// the parent process selects a client authentication certificate (or opts for +// no certificate), RecvTLSClientAuthCertSelected will be called via IPC with +// the bytes of the certificate (and the bytes of the associated certificate +// chain). That function dispatches an event to the socket thread that notifies +// NSS that the associated connection can continue. +class SelectTLSClientAuthCertChild : public PSelectTLSClientAuthCertChild { + public: + NS_INLINE_DECL_THREADSAFE_REFCOUNTING(SelectTLSClientAuthCertChild, override) + + explicit SelectTLSClientAuthCertChild( + ClientAuthCertificateSelected* continuation); + + ipc::IPCResult RecvTLSClientAuthCertSelected( + ByteArray&& aSelectedCertBytes, + nsTArray<ByteArray>&& aSelectedCertChainBytes); + + private: + ~SelectTLSClientAuthCertChild() = default; + + RefPtr<ClientAuthCertificateSelected> mContinuation; +}; + +} // namespace psm +} // namespace mozilla + +#endif // SECURITY_MANAGER_SSL_SELECTTLSCLIENTAUTHCERTCHILD_H_ diff --git a/security/manager/ssl/SelectTLSClientAuthCertParent.h b/security/manager/ssl/SelectTLSClientAuthCertParent.h new file mode 100644 index 0000000000..efe7aa8420 --- /dev/null +++ b/security/manager/ssl/SelectTLSClientAuthCertParent.h @@ -0,0 +1,54 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef SECURITY_MANAGER_SSL_SELECTTLSCLIENTAUTHCERTPARENT_H_ +#define SECURITY_MANAGER_SSL_SELECTTLSCLIENTAUTHCERTPARENT_H_ + +#include "mozilla/OriginAttributes.h" +#include "mozilla/psm/PSelectTLSClientAuthCertParent.h" + +namespace mozilla { +namespace psm { + +// Parent process component of the SelectTLSClientAuthCert IPC protocol. When +// the socket process encounters a TLS server that requests a client +// authentication certificate, Dispatch will be called via IPC with the +// information associated with that connection. That function dispatches an +// event to the main thread that determines what certificate to select, if any +// (usually by opening a dialog for the user to interact with). When a +// certificate (or no certificate) has been selected, TLSClientAuthCertSelected +// will be called on the IPC thread, which will cause +// SelectTLSClientAuthCertChild::RecvTLSClientAuthCertSelected to be called via +// IPC, which will get the appropriate information to NSS to continue the +// connection. +class SelectTLSClientAuthCertParent : public PSelectTLSClientAuthCertParent { + public: + NS_INLINE_DECL_THREADSAFE_REFCOUNTING(SelectTLSClientAuthCertParent, override) + + SelectTLSClientAuthCertParent() = default; + + bool Dispatch(const nsACString& aHostName, + const OriginAttributes& aOriginAttributes, const int32_t& aPort, + const uint32_t& aProviderFlags, + const uint32_t& aProviderTlsFlags, + const ByteArray& aServerCertBytes, + nsTArray<ByteArray>&& aCANames, + const uint64_t& aBrowsingContextID); + + void TLSClientAuthCertSelected( + const nsTArray<uint8_t>& aSelectedCertBytes, + nsTArray<nsTArray<uint8_t>>&& aSelectedCertChainBytes); + + private: + ~SelectTLSClientAuthCertParent() = default; + + void ActorDestroy(mozilla::ipc::IProtocol::ActorDestroyReason aWhy) override; +}; + +} // namespace psm +} // namespace mozilla + +#endif // SECURITY_MANAGER_SSL_SELECTTLSCLIENTAUTHCERTPARENT_H_ diff --git a/security/manager/ssl/SharedCertVerifier.h b/security/manager/ssl/SharedCertVerifier.h new file mode 100644 index 0000000000..9c8b7534cc --- /dev/null +++ b/security/manager/ssl/SharedCertVerifier.h @@ -0,0 +1,38 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef SharedCertVerifier_h +#define SharedCertVerifier_h + +#include "CertVerifier.h" +#include "EnterpriseRoots.h" +#include "mozilla/RefPtr.h" +#include "mozilla/TimeStamp.h" + +namespace mozilla { +namespace psm { + +class SharedCertVerifier : public mozilla::psm::CertVerifier { + protected: + ~SharedCertVerifier(); + + public: + NS_INLINE_DECL_THREADSAFE_REFCOUNTING(SharedCertVerifier) + + SharedCertVerifier(OcspDownloadConfig odc, OcspStrictConfig osc, + mozilla::TimeDuration ocspSoftTimeout, + mozilla::TimeDuration ocspHardTimeout, + uint32_t certShortLifetimeInDays, + NetscapeStepUpPolicy netscapeStepUpPolicy, + CertificateTransparencyMode ctMode, CRLiteMode crliteMode, + const nsTArray<EnterpriseCert>& thirdPartyCerts) + : mozilla::psm::CertVerifier( + odc, osc, ocspSoftTimeout, ocspHardTimeout, certShortLifetimeInDays, + netscapeStepUpPolicy, ctMode, crliteMode, thirdPartyCerts) {} +}; + +} // namespace psm +} // namespace mozilla + +#endif // SharedCertVerifier_h diff --git a/security/manager/ssl/SharedSSLState.cpp b/security/manager/ssl/SharedSSLState.cpp new file mode 100644 index 0000000000..d0d9667472 --- /dev/null +++ b/security/manager/ssl/SharedSSLState.cpp @@ -0,0 +1,192 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "SharedSSLState.h" +#include "nsClientAuthRemember.h" +#include "nsComponentManagerUtils.h" +#include "nsICertOverrideService.h" +#include "mozilla/OriginAttributes.h" +#include "nsNSSComponent.h" +#include "nsIObserverService.h" +#include "mozilla/Services.h" +#include "nsThreadUtils.h" +#include "nsCRT.h" +#include "nsServiceManagerUtils.h" +#include "PSMRunnable.h" +#include "PublicSSL.h" +#include "ssl.h" +#include "nsNetCID.h" +#include "mozilla/Atomics.h" +#include "mozilla/Unused.h" + +using mozilla::Atomic; +using mozilla::Unused; +using mozilla::psm::SyncRunnableBase; + +namespace { + +static Atomic<bool> sCertOverrideSvcExists(false); + +class MainThreadClearer : public SyncRunnableBase { + public: + MainThreadClearer() : mShouldClearSessionCache(false) {} + + void RunOnTargetThread() override { + // In some cases it's possible to cause PSM/NSS to initialize while XPCOM + // shutdown is in progress. We want to avoid this, since they do not handle + // the situation well, hence the flags to avoid instantiating the services + // if they don't already exist. + + bool certOverrideSvcExists = sCertOverrideSvcExists.exchange(false); + if (certOverrideSvcExists) { + sCertOverrideSvcExists = true; + nsCOMPtr<nsICertOverrideService> icos = + do_GetService(NS_CERTOVERRIDE_CONTRACTID); + if (icos) { + icos->ClearValidityOverride("all:temporary-certificates"_ns, 0, + OriginAttributes()); + } + } + + // This needs to be checked on the main thread to avoid racing with NSS + // initialization. + mShouldClearSessionCache = mozilla::psm::PrivateSSLState() && + mozilla::psm::PrivateSSLState()->SocketCreated(); + } + bool mShouldClearSessionCache; +}; + +} // namespace + +namespace mozilla { + +void ClearPrivateSSLState() { + // This only works if it is called on the socket transport + // service thread immediately after closing all private SSL + // connections. +#ifdef DEBUG + nsresult rv; + nsCOMPtr<nsIEventTarget> sts = + do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID, &rv); + MOZ_ASSERT(NS_SUCCEEDED(rv)); + bool onSTSThread; + rv = sts->IsOnCurrentThread(&onSTSThread); + MOZ_ASSERT(NS_SUCCEEDED(rv) && onSTSThread); +#endif + + RefPtr<MainThreadClearer> runnable = new MainThreadClearer; + runnable->DispatchToMainThreadAndWait(); + + // If NSS isn't initialized, this throws an assertion. We guard it by checking + // if the session cache might even have anything worth clearing. + if (runnable->mShouldClearSessionCache) { + nsNSSComponent::DoClearSSLExternalAndInternalSessionCache(); + } +} + +namespace psm { + +namespace { +class PrivateBrowsingObserver : public nsIObserver { + public: + NS_DECL_ISUPPORTS + NS_DECL_NSIOBSERVER + explicit PrivateBrowsingObserver(SharedSSLState* aOwner) : mOwner(aOwner) {} + + protected: + virtual ~PrivateBrowsingObserver() = default; + + private: + SharedSSLState* mOwner; +}; + +SharedSSLState* gPublicState; +SharedSSLState* gPrivateState; +} // namespace + +NS_IMPL_ISUPPORTS(PrivateBrowsingObserver, nsIObserver) + +NS_IMETHODIMP +PrivateBrowsingObserver::Observe(nsISupports* aSubject, const char* aTopic, + const char16_t* aData) { + if (!nsCRT::strcmp(aTopic, "last-pb-context-exited")) { + mOwner->ResetStoredData(); + } + return NS_OK; +} + +SharedSSLState::SharedSSLState(uint32_t aTlsFlags) + : mIOLayerHelpers(aTlsFlags), + mMutex("SharedSSLState::mMutex"), + mSocketCreated(false), + mOCSPStaplingEnabled(false), + mOCSPMustStapleEnabled(false), + mSignedCertTimestampsEnabled(false) { + mIOLayerHelpers.Init(); +} + +SharedSSLState::~SharedSSLState() = default; + +void SharedSSLState::NotePrivateBrowsingStatus() { + MOZ_ASSERT(NS_IsMainThread(), "Not on main thread"); + mObserver = new PrivateBrowsingObserver(this); + nsCOMPtr<nsIObserverService> obsSvc = mozilla::services::GetObserverService(); + obsSvc->AddObserver(mObserver, "last-pb-context-exited", false); +} + +void SharedSSLState::ResetStoredData() { + MOZ_ASSERT(NS_IsMainThread(), "Not on main thread"); + mIOLayerHelpers.clearStoredData(); +} + +void SharedSSLState::NoteSocketCreated() { + MutexAutoLock lock(mMutex); + mSocketCreated = true; +} + +bool SharedSSLState::SocketCreated() { + MutexAutoLock lock(mMutex); + return mSocketCreated; +} + +/*static*/ +void SharedSSLState::GlobalInit() { + MOZ_ASSERT(NS_IsMainThread(), "Not on main thread"); + gPublicState = new SharedSSLState(); + gPrivateState = new SharedSSLState(); + gPrivateState->NotePrivateBrowsingStatus(); +} + +/*static*/ +void SharedSSLState::GlobalCleanup() { + MOZ_ASSERT(NS_IsMainThread(), "Not on main thread"); + + if (gPrivateState) { + gPrivateState->Cleanup(); + delete gPrivateState; + gPrivateState = nullptr; + } + + if (gPublicState) { + gPublicState->Cleanup(); + delete gPublicState; + gPublicState = nullptr; + } +} + +/*static*/ +void SharedSSLState::NoteCertOverrideServiceInstantiated() { + sCertOverrideSvcExists = true; +} + +void SharedSSLState::Cleanup() { mIOLayerHelpers.Cleanup(); } + +SharedSSLState* PublicSSLState() { return gPublicState; } + +SharedSSLState* PrivateSSLState() { return gPrivateState; } + +} // namespace psm +} // namespace mozilla diff --git a/security/manager/ssl/SharedSSLState.h b/security/manager/ssl/SharedSSLState.h new file mode 100644 index 0000000000..31562fc76b --- /dev/null +++ b/security/manager/ssl/SharedSSLState.h @@ -0,0 +1,74 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef SharedSSLState_h +#define SharedSSLState_h + +#include "nsNSSIOLayer.h" + +class nsIObserver; + +namespace mozilla { +namespace psm { + +class SharedSSLState { + public: + NS_INLINE_DECL_THREADSAFE_REFCOUNTING(SharedSSLState) + explicit SharedSSLState(uint32_t aTlsFlags = 0); + + static void GlobalInit(); + static void GlobalCleanup(); + + nsSSLIOLayerHelpers& IOLayerHelpers() { return mIOLayerHelpers; } + + // Main-thread only + void ResetStoredData(); + void NotePrivateBrowsingStatus(); + void SetOCSPStaplingEnabled(bool staplingEnabled) { + mOCSPStaplingEnabled = staplingEnabled; + } + void SetOCSPMustStapleEnabled(bool mustStapleEnabled) { + mOCSPMustStapleEnabled = mustStapleEnabled; + } + void SetSignedCertTimestampsEnabled(bool signedCertTimestampsEnabled) { + mSignedCertTimestampsEnabled = signedCertTimestampsEnabled; + } + + // The following methods may be called from any thread + bool SocketCreated(); + void NoteSocketCreated(); + static void NoteCertOverrideServiceInstantiated(); + bool IsOCSPStaplingEnabled() const { return mOCSPStaplingEnabled; } + bool IsOCSPMustStapleEnabled() const { return mOCSPMustStapleEnabled; } + bool IsSignedCertTimestampsEnabled() const { + return mSignedCertTimestampsEnabled; + } + + private: + ~SharedSSLState(); + + void Cleanup(); + + nsCOMPtr<nsIObserver> mObserver; + nsSSLIOLayerHelpers mIOLayerHelpers; + + // True if any sockets have been created that use this shared data. + // Requires synchronization between the socket and main threads for + // reading/writing. + Mutex mMutex MOZ_UNANNOTATED; + bool mSocketCreated; + bool mOCSPStaplingEnabled; + bool mOCSPMustStapleEnabled; + bool mSignedCertTimestampsEnabled; +}; + +SharedSSLState* PublicSSLState(); +SharedSSLState* PrivateSSLState(); + +} // namespace psm +} // namespace mozilla + +#endif diff --git a/security/manager/ssl/StaticHPKPins.errors b/security/manager/ssl/StaticHPKPins.errors new file mode 100644 index 0000000000..72958f2291 --- /dev/null +++ b/security/manager/ssl/StaticHPKPins.errors @@ -0,0 +1,33 @@ +Can't find hash in builtin certs for Chrome nickname GoogleG2, inserting GOOGLE_PIN_GoogleG2 +Can't find hash in builtin certs for Chrome nickname RapidSSL, inserting GOOGLE_PIN_RapidSSL +Can't find hash in builtin certs for Chrome nickname DigiCertSHA2HighAssuranceServerCA, inserting GOOGLE_PIN_DigiCertSHA2HighAssuranceServerCA +Can't find hash in builtin certs for Chrome nickname VeriSignClass1, inserting GOOGLE_PIN_VeriSignClass1 +Can't find hash in builtin certs for Chrome nickname VeriSignClass4_G3, inserting GOOGLE_PIN_VeriSignClass4_G3 +Can't find hash in builtin certs for Chrome nickname VeriSignClass3_G2, inserting GOOGLE_PIN_VeriSignClass3_G2 +Can't find hash in builtin certs for Chrome nickname VeriSignClass2_G2, inserting GOOGLE_PIN_VeriSignClass2_G2 +Can't find hash in builtin certs for Chrome nickname GeoTrustGlobal2, inserting GOOGLE_PIN_GeoTrustGlobal2 +Can't find hash in builtin certs for Chrome nickname Entrust_SSL, inserting GOOGLE_PIN_Entrust_SSL +Can't find hash in builtin certs for Chrome nickname AddTrustPublicCARoot, inserting GOOGLE_PIN_AddTrustPublicCARoot +Can't find hash in builtin certs for Chrome nickname AddTrustQualifiedCARoot, inserting GOOGLE_PIN_AddTrustQualifiedCARoot +Can't find hash in builtin certs for Chrome nickname SecureCertificateServices, inserting GOOGLE_PIN_SecureCertificateServices +Can't find hash in builtin certs for Chrome nickname TrustedCertificateServices, inserting GOOGLE_PIN_TrustedCertificateServices +Can't find hash in builtin certs for Chrome nickname UTNDATACorpSGC, inserting GOOGLE_PIN_UTNDATACorpSGC +Can't find hash in builtin certs for Chrome nickname UTNUSERFirstHardware, inserting GOOGLE_PIN_UTNUSERFirstHardware +Can't find hash in builtin certs for Chrome nickname UTNUSERFirstObject, inserting GOOGLE_PIN_UTNUSERFirstObject +Can't find hash in builtin certs for Chrome nickname GTECyberTrustGlobalRoot, inserting GOOGLE_PIN_GTECyberTrustGlobalRoot +Can't find hash in builtin certs for Chrome nickname GoDaddySecure, inserting GOOGLE_PIN_GoDaddySecure +Can't find hash in builtin certs for Chrome nickname SymantecClass3EVG3, inserting GOOGLE_PIN_SymantecClass3EVG3 +Can't find hash in builtin certs for Chrome nickname DigiCertECCSecureServerCA, inserting GOOGLE_PIN_DigiCertECCSecureServerCA +Can't find hash in builtin certs for Chrome nickname COMODORSADomainValidationSecureServerCA, inserting GOOGLE_PIN_COMODORSADomainValidationSecureServerCA +Writing pinset test +Writing pinset google +Writing pinset tor +Writing pinset twitterCom +Writing pinset twitterCDN +Writing pinset dropbox +Writing pinset facebook +Writing pinset spideroak +Writing pinset yahoo +Writing pinset swehackCom +Writing pinset ncsccs +Writing pinset tumblr diff --git a/security/manager/ssl/StaticHPKPins.h b/security/manager/ssl/StaticHPKPins.h new file mode 100644 index 0000000000..6b72b7a6bf --- /dev/null +++ b/security/manager/ssl/StaticHPKPins.h @@ -0,0 +1,783 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +/*****************************************************************************/ +/* This is an automatically generated file. If you're not */ +/* PublicKeyPinningService.cpp, you shouldn't be #including it. */ +/*****************************************************************************/ +#include <stdint.h> +/* AffirmTrust Commercial */ +static const char kAffirmTrust_CommercialFingerprint[] = + "bEZLmlsjOl6HTadlwm8EUBDS3c/0V5TwtMfkqvpQFJU="; + +/* AffirmTrust Networking */ +static const char kAffirmTrust_NetworkingFingerprint[] = + "lAcq0/WPcPkwmOWl9sBMlscQvYSdgxhJGa6Q64kK5AA="; + +/* AffirmTrust Premium */ +static const char kAffirmTrust_PremiumFingerprint[] = + "x/Q7TPW3FWgpT4IrU3YmBfbd0Vyt7Oc56eLDy6YenWc="; + +/* AffirmTrust Premium ECC */ +static const char kAffirmTrust_Premium_ECCFingerprint[] = + "MhmwkRT/SVo+tusAwu/qs0ACrl8KVsdnnqCHo/oDfk8="; + +/* Baltimore CyberTrust Root */ +static const char kBaltimore_CyberTrust_RootFingerprint[] = + "Y9mvm0exBk1JoQ57f9Vm28jKo5lFm/woKcVxrYxu80o="; + +/* COMODO Certification Authority */ +static const char kCOMODO_Certification_AuthorityFingerprint[] = + "AG1751Vd2CAmRCxPGieoDomhmJy4ezREjtIZTBgZbV4="; + +/* COMODO ECC Certification Authority */ +static const char kCOMODO_ECC_Certification_AuthorityFingerprint[] = + "58qRu/uxh4gFezqAcERupSkRYBlBAvfcw7mEjGPLnNU="; + +/* COMODO RSA Certification Authority */ +static const char kCOMODO_RSA_Certification_AuthorityFingerprint[] = + "grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME="; + +/* Comodo AAA Services root */ +static const char kComodo_AAA_Services_rootFingerprint[] = + "vRU+17BDT2iGsXvOi76E7TQMcTLXAqj0+jGPdW7L1vM="; + +/* DigiCert Assured ID Root CA */ +static const char kDigiCert_Assured_ID_Root_CAFingerprint[] = + "I/Lt/z7ekCWanjD0Cvj5EqXls2lOaThEA0H2Bg4BT/o="; + +/* DigiCert Assured ID Root G2 */ +static const char kDigiCert_Assured_ID_Root_G2Fingerprint[] = + "8ca6Zwz8iOTfUpc8rkIPCgid1HQUT+WAbEIAZOFZEik="; + +/* DigiCert Assured ID Root G3 */ +static const char kDigiCert_Assured_ID_Root_G3Fingerprint[] = + "Fe7TOVlLME+M+Ee0dzcdjW/sYfTbKwGvWJ58U7Ncrkw="; + +/* DigiCert Global Root CA */ +static const char kDigiCert_Global_Root_CAFingerprint[] = + "r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; + +/* DigiCert Global Root G2 */ +static const char kDigiCert_Global_Root_G2Fingerprint[] = + "i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY="; + +/* DigiCert Global Root G3 */ +static const char kDigiCert_Global_Root_G3Fingerprint[] = + "uUwZgwDOxcBXrQcntwu+kYFpkiVkOaezL0WYEZ3anJc="; + +/* DigiCert High Assurance EV Root CA */ +static const char kDigiCert_High_Assurance_EV_Root_CAFingerprint[] = + "WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; + +/* DigiCert TLS ECC P384 Root G5 */ +static const char kDigiCert_TLS_ECC_P384_Root_G5Fingerprint[] = + "oC+voZLIy4HLE0FVT5wFtxzKKokLDRKY1oNkfJYe+98="; + +/* DigiCert TLS RSA4096 Root G5 */ +static const char kDigiCert_TLS_RSA4096_Root_G5Fingerprint[] = + "ape1HIIZ6T5d7GS61YBs3rD4NVvkfnVwELcCRW4Bqv0="; + +/* DigiCert Trusted Root G4 */ +static const char kDigiCert_Trusted_Root_G4Fingerprint[] = + "Wd8xe/qfTwq3ylFNd3IpaqLHZbh2ZNCLluVzmeNkcpw="; + +/* End Entity Test Cert */ +static const char kEnd_Entity_Test_CertFingerprint[] = + "VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8="; + +/* Entrust Root Certification Authority */ +static const char kEntrust_Root_Certification_AuthorityFingerprint[] = + "bb+uANN7nNc/j7R95lkXrwDg3d9C286sIMF8AnXuIJU="; + +/* Entrust Root Certification Authority - EC1 */ +static const char kEntrust_Root_Certification_Authority___EC1Fingerprint[] = + "/qK31kX7pz11PB7Jp4cMQOH3sMVh6Se5hb9xGGbjbyI="; + +/* Entrust Root Certification Authority - G2 */ +static const char kEntrust_Root_Certification_Authority___G2Fingerprint[] = + "du6FkDdMcVQ3u8prumAo6t3i3G27uMP2EOhR8R0at/U="; + +/* Entrust.net Premium 2048 Secure Server CA */ +static const char kEntrust_net_Premium_2048_Secure_Server_CAFingerprint[] = + "HqPF5D7WbC2imDpCpKebHpBnhs6fG1hiFBmgBGOofTg="; + +/* FacebookBackup */ +static const char kFacebookBackupFingerprint[] = + "q4PO2G2cbkZhZ82+JgmRUyGMoAeozA+BSXVXQWB8XWQ="; + +/* GOOGLE_PIN_DigiCertECCSecureServerCA */ +static const char kGOOGLE_PIN_DigiCertECCSecureServerCAFingerprint[] = + "PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw="; + +/* GOOGLE_PIN_R3LetsEncrypt */ +static const char kGOOGLE_PIN_R3LetsEncryptFingerprint[] = + "jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="; + +/* GOOGLE_PIN_R4LetsEncrypt */ +static const char kGOOGLE_PIN_R4LetsEncryptFingerprint[] = + "5VReIRNHJBiRxVSgOTTN6bdJZkpZ0m1hX+WPd5kPLQM="; + +/* GOOGLE_PIN_RapidSSL */ +static const char kGOOGLE_PIN_RapidSSLFingerprint[] = + "lT09gPUeQfbYrlxRtpsHrjDblj9Rpz+u7ajfCrg4qDM="; + +/* GOOGLE_PIN_SymantecClass3EVG3 */ +static const char kGOOGLE_PIN_SymantecClass3EVG3Fingerprint[] = + "gMxWOrX4PMQesK9qFNbYBxjBfjUvlkn/vN1n+L9lE5E="; + +/* GTS Root R1 */ +static const char kGTS_Root_R1Fingerprint[] = + "hxqRlPTu1bMS/0DITB1SSu0vd4u/8l8TjPgfaAp63Gc="; + +/* GTS Root R2 */ +static const char kGTS_Root_R2Fingerprint[] = + "Vfd95BwDeSQo+NUYxVEEIlvkOlWY2SalKK1lPhzOx78="; + +/* GTS Root R3 */ +static const char kGTS_Root_R3Fingerprint[] = + "QXnt2YHvdHR3tJYmQIr0Paosp6t/nggsEGD4QJZ3Q0g="; + +/* GTS Root R4 */ +static const char kGTS_Root_R4Fingerprint[] = + "mEflZT5enoR1FuXLgYYGqnVEoZvmf9c2bVBpiOjYQ0c="; + +/* GlobalSign ECC Root CA - R4 */ +static const char kGlobalSign_ECC_Root_CA___R4Fingerprint[] = + "CLOmM1/OXvSPjw5UOYbAf9GKOxImEp9hhku9W90fHMk="; + +/* GlobalSign ECC Root CA - R5 */ +static const char kGlobalSign_ECC_Root_CA___R5Fingerprint[] = + "fg6tdrtoGdwvVFEahDVPboswe53YIFjqbABPAdndpd8="; + +/* GlobalSign Root CA */ +static const char kGlobalSign_Root_CAFingerprint[] = + "K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q="; + +/* GlobalSign Root CA - R3 */ +static const char kGlobalSign_Root_CA___R3Fingerprint[] = + "cGuxAXyFXFkWm61cF4HPWX8S0srS9j0aSqN0k4AP+4A="; + +/* GlobalSign Root CA - R6 */ +static const char kGlobalSign_Root_CA___R6Fingerprint[] = + "aCdH+LpiG4fN07wpXtXKvOciocDANj0daLOJKNJ4fx4="; + +/* GlobalSign Root R46 */ +static const char kGlobalSign_Root_R46Fingerprint[] = + "rn+WLLnmp9v3uDP7GPqbcaiRdd+UnCMrap73yz3yu/w="; + +/* Go Daddy Class 2 CA */ +static const char kGo_Daddy_Class_2_CAFingerprint[] = + "VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8="; + +/* Go Daddy Root Certificate Authority - G2 */ +static const char kGo_Daddy_Root_Certificate_Authority___G2Fingerprint[] = + "Ko8tivDrEjiY90yGasP6ZpBU4jwXvHqVvQI0GS3GNdA="; + +/* GoogleBackup2048 */ +static const char kGoogleBackup2048Fingerprint[] = + "IPMbDAjLVSGntGO3WP53X/zilCVndez5YJ2+vJvhJsA="; + +/* ISRG Root X1 */ +static const char kISRG_Root_X1Fingerprint[] = + "C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="; + +/* ISRG Root X2 */ +static const char kISRG_Root_X2Fingerprint[] = + "diGVwiVYbubAI3RW4hB9xU8e/CH2GnkuvVFZE8zmgzI="; + +/* Let's Encrypt Authority X3 */ +static const char kLet_s_Encrypt_Authority_X3Fingerprint[] = + "YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; + +/* Let's Encrypt Authority X4 */ +static const char kLet_s_Encrypt_Authority_X4Fingerprint[] = + "sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis="; + +/* Starfield Class 2 CA */ +static const char kStarfield_Class_2_CAFingerprint[] = + "FfFKxFycfaIz00eRZOgTf+Ne4POK6FgYPwhBDqgqxLQ="; + +/* Starfield Root Certificate Authority - G2 */ +static const char kStarfield_Root_Certificate_Authority___G2Fingerprint[] = + "gI1os/q0iEpflxrOfRBVDXqVoWN3Tz7Dav/7IT++THQ="; + +/* TestSPKI */ +static const char kTestSPKIFingerprint[] = + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="; + +/* Tor1 */ +static const char kTor1Fingerprint[] = + "bYz9JTDk89X3qu3fgswG+lBQso5vI0N1f0Rx4go4nLo="; + +/* Tor2 */ +static const char kTor2Fingerprint[] = + "xXCxhTdn7uxXneJSbQCqoAvuW3ZtQl2pDVTf2sewS8w="; + +/* Tor3 */ +static const char kTor3Fingerprint[] = + "CleC1qwUR8JPgH1nXvSe2VHxDe5/KfNs96EusbfSOfo="; + +/* USERTrust ECC Certification Authority */ +static const char kUSERTrust_ECC_Certification_AuthorityFingerprint[] = + "ICGRfpgmOUXIWcQ/HXPLQTkFPEFPoDyjvH7ohhQpjzs="; + +/* USERTrust RSA Certification Authority */ +static const char kUSERTrust_RSA_Certification_AuthorityFingerprint[] = + "x4QzPSC810K5/cMjb05Qm4k3Bw5zBn4lTdO/nEW/Td4="; + +/* Pinsets are each an ordered list by the actual value of the fingerprint */ +struct StaticFingerprints { + // See bug 1338873 about making these fields const. + size_t size; + const char* const* data; +}; + +/* PreloadedHPKPins.json pinsets */ +static const char* const kPinset_google_root_pems_Data[] = { + kEntrust_Root_Certification_Authority___EC1Fingerprint, + kCOMODO_ECC_Certification_AuthorityFingerprint, + kDigiCert_Assured_ID_Root_G2Fingerprint, + kCOMODO_Certification_AuthorityFingerprint, + kGlobalSign_ECC_Root_CA___R4Fingerprint, + kDigiCert_Assured_ID_Root_G3Fingerprint, + kStarfield_Class_2_CAFingerprint, + kEntrust_net_Premium_2048_Secure_Server_CAFingerprint, + kDigiCert_Assured_ID_Root_CAFingerprint, + kUSERTrust_ECC_Certification_AuthorityFingerprint, + kGlobalSign_Root_CAFingerprint, + kGo_Daddy_Root_Certificate_Authority___G2Fingerprint, + kAffirmTrust_Premium_ECCFingerprint, + kGTS_Root_R3Fingerprint, + kGTS_Root_R2Fingerprint, + kGo_Daddy_Class_2_CAFingerprint, + kDigiCert_Trusted_Root_G4Fingerprint, + kDigiCert_High_Assurance_EV_Root_CAFingerprint, + kBaltimore_CyberTrust_RootFingerprint, + kGlobalSign_Root_CA___R6Fingerprint, + kAffirmTrust_CommercialFingerprint, + kEntrust_Root_Certification_AuthorityFingerprint, + kGlobalSign_Root_CA___R3Fingerprint, + kEntrust_Root_Certification_Authority___G2Fingerprint, + kGlobalSign_ECC_Root_CA___R5Fingerprint, + kStarfield_Root_Certificate_Authority___G2Fingerprint, + kCOMODO_RSA_Certification_AuthorityFingerprint, + kGTS_Root_R1Fingerprint, + kDigiCert_Global_Root_G2Fingerprint, + kAffirmTrust_NetworkingFingerprint, + kGTS_Root_R4Fingerprint, + kDigiCert_Global_Root_CAFingerprint, + kDigiCert_Global_Root_G3Fingerprint, + kComodo_AAA_Services_rootFingerprint, + kAffirmTrust_PremiumFingerprint, + kUSERTrust_RSA_Certification_AuthorityFingerprint, +}; +static const StaticFingerprints kPinset_google_root_pems = { + sizeof(kPinset_google_root_pems_Data) / sizeof(const char*), + kPinset_google_root_pems_Data +}; + +static const char* const kPinset_mozilla_services_Data[] = { + kISRG_Root_X1Fingerprint, + kDigiCert_High_Assurance_EV_Root_CAFingerprint, + kDigiCert_TLS_RSA4096_Root_G5Fingerprint, + kDigiCert_Global_Root_G2Fingerprint, + kDigiCert_TLS_ECC_P384_Root_G5Fingerprint, + kDigiCert_Global_Root_CAFingerprint, +}; +static const StaticFingerprints kPinset_mozilla_services = { + sizeof(kPinset_mozilla_services_Data) / sizeof(const char*), + kPinset_mozilla_services_Data +}; + +static const char* const kPinset_mozilla_test_Data[] = { + kEnd_Entity_Test_CertFingerprint, +}; +static const StaticFingerprints kPinset_mozilla_test = { + sizeof(kPinset_mozilla_test_Data) / sizeof(const char*), + kPinset_mozilla_test_Data +}; + +/* Chrome static pinsets */ +static const char* const kPinset_test_Data[] = { + kTestSPKIFingerprint, +}; +static const StaticFingerprints kPinset_test = { + sizeof(kPinset_test_Data) / sizeof(const char*), + kPinset_test_Data +}; + +static const char* const kPinset_google_Data[] = { + kGlobalSign_ECC_Root_CA___R4Fingerprint, + kGoogleBackup2048Fingerprint, + kGTS_Root_R3Fingerprint, + kGTS_Root_R2Fingerprint, + kGTS_Root_R1Fingerprint, + kGTS_Root_R4Fingerprint, +}; +static const StaticFingerprints kPinset_google = { + sizeof(kPinset_google_Data) / sizeof(const char*), + kPinset_google_Data +}; + +static const char* const kPinset_tor_Data[] = { + kGOOGLE_PIN_R4LetsEncryptFingerprint, + kTor3Fingerprint, + kDigiCert_High_Assurance_EV_Root_CAFingerprint, + kLet_s_Encrypt_Authority_X3Fingerprint, + kTor1Fingerprint, + kGOOGLE_PIN_R3LetsEncryptFingerprint, + kGOOGLE_PIN_RapidSSLFingerprint, + kLet_s_Encrypt_Authority_X4Fingerprint, + kTor2Fingerprint, +}; +static const StaticFingerprints kPinset_tor = { + sizeof(kPinset_tor_Data) / sizeof(const char*), + kPinset_tor_Data +}; + +static const char* const kPinset_facebook_Data[] = { + kCOMODO_ECC_Certification_AuthorityFingerprint, + kISRG_Root_X1Fingerprint, + kUSERTrust_ECC_Certification_AuthorityFingerprint, + kGlobalSign_Root_CAFingerprint, + kGOOGLE_PIN_DigiCertECCSecureServerCAFingerprint, + kDigiCert_Trusted_Root_G4Fingerprint, + kDigiCert_High_Assurance_EV_Root_CAFingerprint, + kGlobalSign_Root_CA___R6Fingerprint, + kDigiCert_TLS_RSA4096_Root_G5Fingerprint, + kGlobalSign_Root_CA___R3Fingerprint, + kISRG_Root_X2Fingerprint, + kGOOGLE_PIN_SymantecClass3EVG3Fingerprint, + kCOMODO_RSA_Certification_AuthorityFingerprint, + kDigiCert_Global_Root_G2Fingerprint, + kDigiCert_TLS_ECC_P384_Root_G5Fingerprint, + kFacebookBackupFingerprint, + kDigiCert_Global_Root_CAFingerprint, + kGlobalSign_Root_R46Fingerprint, + kDigiCert_Global_Root_G3Fingerprint, + kUSERTrust_RSA_Certification_AuthorityFingerprint, +}; +static const StaticFingerprints kPinset_facebook = { + sizeof(kPinset_facebook_Data) / sizeof(const char*), + kPinset_facebook_Data +}; + +/* Domainlist */ +struct TransportSecurityPreload { + // See bug 1338873 about making these fields const. + const char* mHost; + bool mIncludeSubdomains; + bool mTestMode; + bool mIsMoz; + int32_t mId; + const StaticFingerprints* pinset; +}; + +/* Sort hostnames for binary search. */ +static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = { + { "2mdn.net", true, false, false, -1, &kPinset_google_root_pems }, + { "accounts.firefox.com", true, false, true, 4, &kPinset_mozilla_services }, + { "accounts.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "addons.mozilla.net", true, false, true, 2, &kPinset_mozilla_services }, + { "addons.mozilla.org", true, false, true, 1, &kPinset_mozilla_services }, + { "admin.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "android.com", true, false, false, -1, &kPinset_google_root_pems }, + { "api.accounts.firefox.com", true, false, true, 5, &kPinset_mozilla_services }, + { "apis.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "appengine.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "apps.facebook.com", true, false, false, -1, &kPinset_facebook }, + { "appspot.com", true, false, false, -1, &kPinset_google_root_pems }, + { "aus4.mozilla.org", true, true, true, 3, &kPinset_mozilla_services }, + { "aus5.mozilla.org", true, true, true, 7, &kPinset_mozilla_services }, + { "blog.torproject.org", true, false, false, -1, &kPinset_tor }, + { "blogger.com", true, false, false, -1, &kPinset_google_root_pems }, + { "blogspot.com", true, false, false, -1, &kPinset_google_root_pems }, + { "bugs.chromium.org", true, false, false, -1, &kPinset_google_root_pems }, + { "build.chromium.org", true, false, false, -1, &kPinset_google_root_pems }, + { "business.facebook.com", true, false, false, -1, &kPinset_facebook }, + { "calendar.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "cdn.ampproject.org", true, false, false, -1, &kPinset_google_root_pems }, + { "cdn.mozilla.net", true, false, true, 16, &kPinset_mozilla_services }, + { "cdn.mozilla.org", true, false, true, 17, &kPinset_mozilla_services }, + { "check.torproject.org", true, false, false, -1, &kPinset_tor }, + { "checkout.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "chrome-devtools-frontend.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, + { "chrome.com", true, false, false, -1, &kPinset_google_root_pems }, + { "chrome.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "chromereporting-pa.googleapis.com", true, false, false, -1, &kPinset_google_root_pems }, + { "chromiumbugs.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, + { "chromiumcodereview.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, + { "classroom.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "cloud.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "code.facebook.com", true, false, false, -1, &kPinset_facebook }, + { "code.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "codereview.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, + { "codereview.chromium.org", true, false, false, -1, &kPinset_google_root_pems }, + { "contributor.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "corp.goog", true, false, false, -1, &kPinset_google_root_pems }, + { "crash-reports-xpsp2.mozilla.com", false, false, true, 11, &kPinset_mozilla_services }, + { "crash-reports.mozilla.com", false, false, true, 10, &kPinset_mozilla_services }, + { "crash-stats.mozilla.org", false, false, true, 12, &kPinset_mozilla_services }, + { "crbug.com", true, false, false, -1, &kPinset_google_root_pems }, + { "crosbug.com", true, false, false, -1, &kPinset_google_root_pems }, + { "crrev.com", true, false, false, -1, &kPinset_google_root_pems }, + { "datastudio.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "developer.android.com", true, false, false, -1, &kPinset_google_root_pems }, + { "developers.facebook.com", true, false, false, -1, &kPinset_facebook }, + { "dist.torproject.org", true, false, false, -1, &kPinset_tor }, + { "dl.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "dns.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "docs.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "domains.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "doubleclick.net", true, false, false, -1, &kPinset_google_root_pems }, + { "download.mozilla.org", false, false, true, 14, &kPinset_mozilla_services }, + { "drive.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "encrypted.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "example.test", true, true, false, -1, &kPinset_test }, + { "exclude-subdomains.pinning.example.com", false, false, false, -1, &kPinset_mozilla_test }, + { "facebook.com", true, false, false, -1, &kPinset_facebook }, + { "fi.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "firebaseio.com", true, false, false, -1, &kPinset_google_root_pems }, + { "firefox.com", true, true, true, 15, &kPinset_mozilla_services }, + { "g.co", false, false, false, -1, &kPinset_google_root_pems }, + { "g4w.co", true, false, false, -1, &kPinset_google_root_pems }, + { "ggpht.com", true, false, false, -1, &kPinset_google_root_pems }, + { "glass.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "gmail.com", false, false, false, -1, &kPinset_google_root_pems }, + { "goo.gl", true, false, false, -1, &kPinset_google_root_pems }, + { "google", true, false, false, -1, &kPinset_google_root_pems }, + { "google-analytics.com", true, false, false, -1, &kPinset_google_root_pems }, + { "google.ac", true, false, false, -1, &kPinset_google_root_pems }, + { "google.ad", true, false, false, -1, &kPinset_google_root_pems }, + { "google.ae", true, false, false, -1, &kPinset_google_root_pems }, + { "google.af", true, false, false, -1, &kPinset_google_root_pems }, + { "google.ag", true, false, false, -1, &kPinset_google_root_pems }, + { "google.am", true, false, false, -1, &kPinset_google_root_pems }, + { "google.as", true, false, false, -1, &kPinset_google_root_pems }, + { "google.at", true, false, false, -1, &kPinset_google_root_pems }, + { "google.az", true, false, false, -1, &kPinset_google_root_pems }, + { "google.ba", true, false, false, -1, &kPinset_google_root_pems }, + { "google.be", true, false, false, -1, &kPinset_google_root_pems }, + { "google.bf", true, false, false, -1, &kPinset_google_root_pems }, + { "google.bg", true, false, false, -1, &kPinset_google_root_pems }, + { "google.bi", true, false, false, -1, &kPinset_google_root_pems }, + { "google.bj", true, false, false, -1, &kPinset_google_root_pems }, + { "google.bs", true, false, false, -1, &kPinset_google_root_pems }, + { "google.by", true, false, false, -1, &kPinset_google_root_pems }, + { "google.ca", true, false, false, -1, &kPinset_google_root_pems }, + { "google.cat", true, false, false, -1, &kPinset_google_root_pems }, + { "google.cc", true, false, false, -1, &kPinset_google_root_pems }, + { "google.cd", true, false, false, -1, &kPinset_google_root_pems }, + { "google.cf", true, false, false, -1, &kPinset_google_root_pems }, + { "google.cg", true, false, false, -1, &kPinset_google_root_pems }, + { "google.ch", true, false, false, -1, &kPinset_google_root_pems }, + { "google.ci", true, false, false, -1, &kPinset_google_root_pems }, + { "google.cl", true, false, false, -1, &kPinset_google_root_pems }, + { "google.cm", true, false, false, -1, &kPinset_google_root_pems }, + { "google.cn", true, false, false, -1, &kPinset_google_root_pems }, + { "google.co.ao", true, false, false, -1, &kPinset_google_root_pems }, + { "google.co.bw", true, false, false, -1, &kPinset_google_root_pems }, + { "google.co.ck", true, false, false, -1, &kPinset_google_root_pems }, + { "google.co.cr", true, false, false, -1, &kPinset_google_root_pems }, + { "google.co.hu", true, false, false, -1, &kPinset_google_root_pems }, + { "google.co.id", true, false, false, -1, &kPinset_google_root_pems }, + { "google.co.il", true, false, false, -1, &kPinset_google_root_pems }, + { "google.co.im", true, false, false, -1, &kPinset_google_root_pems }, + { "google.co.in", true, false, false, -1, &kPinset_google_root_pems }, + { "google.co.je", true, false, false, -1, &kPinset_google_root_pems }, + { "google.co.jp", true, false, false, -1, &kPinset_google_root_pems }, + { "google.co.ke", true, false, false, -1, &kPinset_google_root_pems }, + { "google.co.kr", true, false, false, -1, &kPinset_google_root_pems }, + { "google.co.ls", true, false, false, -1, &kPinset_google_root_pems }, + { "google.co.ma", true, false, false, -1, &kPinset_google_root_pems }, + { "google.co.mz", true, false, false, -1, &kPinset_google_root_pems }, + { "google.co.nz", true, false, false, -1, &kPinset_google_root_pems }, + { "google.co.th", true, false, false, -1, &kPinset_google_root_pems }, + { "google.co.tz", true, false, false, -1, &kPinset_google_root_pems }, + { "google.co.ug", true, false, false, -1, &kPinset_google_root_pems }, + { "google.co.uk", true, false, false, -1, &kPinset_google_root_pems }, + { "google.co.uz", true, false, false, -1, &kPinset_google_root_pems }, + { "google.co.ve", true, false, false, -1, &kPinset_google_root_pems }, + { "google.co.vi", true, false, false, -1, &kPinset_google_root_pems }, + { "google.co.za", true, false, false, -1, &kPinset_google_root_pems }, + { "google.co.zm", true, false, false, -1, &kPinset_google_root_pems }, + { "google.co.zw", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.af", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.ag", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.ai", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.ar", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.au", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.bd", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.bh", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.bn", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.bo", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.br", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.by", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.bz", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.cn", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.co", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.cu", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.cy", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.do", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.ec", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.eg", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.et", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.fj", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.ge", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.gh", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.gi", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.gr", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.gt", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.hk", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.iq", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.jm", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.jo", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.kh", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.kw", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.lb", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.ly", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.mt", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.mx", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.my", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.na", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.nf", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.ng", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.ni", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.np", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.nr", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.om", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.pa", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.pe", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.ph", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.pk", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.pl", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.pr", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.py", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.qa", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.ru", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.sa", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.sb", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.sg", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.sl", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.sv", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.tj", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.tn", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.tr", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.tw", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.ua", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.uy", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.vc", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.ve", true, false, false, -1, &kPinset_google_root_pems }, + { "google.com.vn", true, false, false, -1, &kPinset_google_root_pems }, + { "google.cv", true, false, false, -1, &kPinset_google_root_pems }, + { "google.cz", true, false, false, -1, &kPinset_google_root_pems }, + { "google.de", true, false, false, -1, &kPinset_google_root_pems }, + { "google.dj", true, false, false, -1, &kPinset_google_root_pems }, + { "google.dk", true, false, false, -1, &kPinset_google_root_pems }, + { "google.dm", true, false, false, -1, &kPinset_google_root_pems }, + { "google.dz", true, false, false, -1, &kPinset_google_root_pems }, + { "google.ee", true, false, false, -1, &kPinset_google_root_pems }, + { "google.es", true, false, false, -1, &kPinset_google_root_pems }, + { "google.fi", true, false, false, -1, &kPinset_google_root_pems }, + { "google.fm", true, false, false, -1, &kPinset_google_root_pems }, + { "google.fr", true, false, false, -1, &kPinset_google_root_pems }, + { "google.ga", true, false, false, -1, &kPinset_google_root_pems }, + { "google.ge", true, false, false, -1, &kPinset_google_root_pems }, + { "google.gg", true, false, false, -1, &kPinset_google_root_pems }, + { "google.gl", true, false, false, -1, &kPinset_google_root_pems }, + { "google.gm", true, false, false, -1, &kPinset_google_root_pems }, + { "google.gp", true, false, false, -1, &kPinset_google_root_pems }, + { "google.gr", true, false, false, -1, &kPinset_google_root_pems }, + { "google.gy", true, false, false, -1, &kPinset_google_root_pems }, + { "google.hk", true, false, false, -1, &kPinset_google_root_pems }, + { "google.hn", true, false, false, -1, &kPinset_google_root_pems }, + { "google.hr", true, false, false, -1, &kPinset_google_root_pems }, + { "google.ht", true, false, false, -1, &kPinset_google_root_pems }, + { "google.hu", true, false, false, -1, &kPinset_google_root_pems }, + { "google.ie", true, false, false, -1, &kPinset_google_root_pems }, + { "google.im", true, false, false, -1, &kPinset_google_root_pems }, + { "google.info", true, false, false, -1, &kPinset_google_root_pems }, + { "google.iq", true, false, false, -1, &kPinset_google_root_pems }, + { "google.is", true, false, false, -1, &kPinset_google_root_pems }, + { "google.it", true, false, false, -1, &kPinset_google_root_pems }, + { "google.it.ao", true, false, false, -1, &kPinset_google_root_pems }, + { "google.je", true, false, false, -1, &kPinset_google_root_pems }, + { "google.jo", true, false, false, -1, &kPinset_google_root_pems }, + { "google.jobs", true, false, false, -1, &kPinset_google_root_pems }, + { "google.jp", true, false, false, -1, &kPinset_google_root_pems }, + { "google.kg", true, false, false, -1, &kPinset_google_root_pems }, + { "google.ki", true, false, false, -1, &kPinset_google_root_pems }, + { "google.kz", true, false, false, -1, &kPinset_google_root_pems }, + { "google.la", true, false, false, -1, &kPinset_google_root_pems }, + { "google.li", true, false, false, -1, &kPinset_google_root_pems }, + { "google.lk", true, false, false, -1, &kPinset_google_root_pems }, + { "google.lt", true, false, false, -1, &kPinset_google_root_pems }, + { "google.lu", true, false, false, -1, &kPinset_google_root_pems }, + { "google.lv", true, false, false, -1, &kPinset_google_root_pems }, + { "google.md", true, false, false, -1, &kPinset_google_root_pems }, + { "google.me", true, false, false, -1, &kPinset_google_root_pems }, + { "google.mg", true, false, false, -1, &kPinset_google_root_pems }, + { "google.mk", true, false, false, -1, &kPinset_google_root_pems }, + { "google.ml", true, false, false, -1, &kPinset_google_root_pems }, + { "google.mn", true, false, false, -1, &kPinset_google_root_pems }, + { "google.ms", true, false, false, -1, &kPinset_google_root_pems }, + { "google.mu", true, false, false, -1, &kPinset_google_root_pems }, + { "google.mv", true, false, false, -1, &kPinset_google_root_pems }, + { "google.mw", true, false, false, -1, &kPinset_google_root_pems }, + { "google.ne", true, false, false, -1, &kPinset_google_root_pems }, + { "google.ne.jp", true, false, false, -1, &kPinset_google_root_pems }, + { "google.net", true, false, false, -1, &kPinset_google_root_pems }, + { "google.nl", true, false, false, -1, &kPinset_google_root_pems }, + { "google.no", true, false, false, -1, &kPinset_google_root_pems }, + { "google.nr", true, false, false, -1, &kPinset_google_root_pems }, + { "google.nu", true, false, false, -1, &kPinset_google_root_pems }, + { "google.off.ai", true, false, false, -1, &kPinset_google_root_pems }, + { "google.pk", true, false, false, -1, &kPinset_google_root_pems }, + { "google.pl", true, false, false, -1, &kPinset_google_root_pems }, + { "google.pn", true, false, false, -1, &kPinset_google_root_pems }, + { "google.ps", true, false, false, -1, &kPinset_google_root_pems }, + { "google.pt", true, false, false, -1, &kPinset_google_root_pems }, + { "google.ro", true, false, false, -1, &kPinset_google_root_pems }, + { "google.rs", true, false, false, -1, &kPinset_google_root_pems }, + { "google.ru", true, false, false, -1, &kPinset_google_root_pems }, + { "google.rw", true, false, false, -1, &kPinset_google_root_pems }, + { "google.sc", true, false, false, -1, &kPinset_google_root_pems }, + { "google.se", true, false, false, -1, &kPinset_google_root_pems }, + { "google.sh", true, false, false, -1, &kPinset_google_root_pems }, + { "google.si", true, false, false, -1, &kPinset_google_root_pems }, + { "google.sk", true, false, false, -1, &kPinset_google_root_pems }, + { "google.sm", true, false, false, -1, &kPinset_google_root_pems }, + { "google.sn", true, false, false, -1, &kPinset_google_root_pems }, + { "google.so", true, false, false, -1, &kPinset_google_root_pems }, + { "google.st", true, false, false, -1, &kPinset_google_root_pems }, + { "google.td", true, false, false, -1, &kPinset_google_root_pems }, + { "google.tg", true, false, false, -1, &kPinset_google_root_pems }, + { "google.tk", true, false, false, -1, &kPinset_google_root_pems }, + { "google.tl", true, false, false, -1, &kPinset_google_root_pems }, + { "google.tm", true, false, false, -1, &kPinset_google_root_pems }, + { "google.tn", true, false, false, -1, &kPinset_google_root_pems }, + { "google.to", true, false, false, -1, &kPinset_google_root_pems }, + { "google.tt", true, false, false, -1, &kPinset_google_root_pems }, + { "google.ua", true, false, false, -1, &kPinset_google_root_pems }, + { "google.us", true, false, false, -1, &kPinset_google_root_pems }, + { "google.uz", true, false, false, -1, &kPinset_google_root_pems }, + { "google.vg", true, false, false, -1, &kPinset_google_root_pems }, + { "google.vu", true, false, false, -1, &kPinset_google_root_pems }, + { "google.ws", true, false, false, -1, &kPinset_google_root_pems }, + { "googleadservices.com", true, false, false, -1, &kPinset_google_root_pems }, + { "googleapis.com", true, false, false, -1, &kPinset_google_root_pems }, + { "googlecode.com", true, false, false, -1, &kPinset_google_root_pems }, + { "googlecommerce.com", true, false, false, -1, &kPinset_google_root_pems }, + { "googlegroups.com", true, false, false, -1, &kPinset_google_root_pems }, + { "googlemail.com", false, false, false, -1, &kPinset_google_root_pems }, + { "googleplex.com", true, false, false, -1, &kPinset_google_root_pems }, + { "googlesource.com", true, false, false, -1, &kPinset_google_root_pems }, + { "googlesyndication.com", true, false, false, -1, &kPinset_google_root_pems }, + { "googletagmanager.com", true, false, false, -1, &kPinset_google_root_pems }, + { "googletagservices.com", true, false, false, -1, &kPinset_google_root_pems }, + { "googleusercontent.com", true, false, false, -1, &kPinset_google_root_pems }, + { "googlevideo.com", true, false, false, -1, &kPinset_google_root_pems }, + { "googleweblight.com", true, false, false, -1, &kPinset_google_root_pems }, + { "goto.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "groups.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "gstatic.cn", true, false, false, -1, &kPinset_google_root_pems }, + { "gstatic.com", true, false, false, -1, &kPinset_google_root_pems }, + { "gvt1.com", true, false, false, -1, &kPinset_google_root_pems }, + { "gvt2.com", true, false, false, -1, &kPinset_google_root_pems }, + { "gvt3.com", true, false, false, -1, &kPinset_google_root_pems }, + { "hangout", true, false, false, -1, &kPinset_google_root_pems }, + { "hangouts.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "history.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "hostedtalkgadget.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "inbox.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "include-subdomains.pinning.example.com", true, false, false, -1, &kPinset_mozilla_test }, + { "lens.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "login.corp.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "m.facebook.com", true, false, false, -1, &kPinset_facebook }, + { "mail-settings.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "mail.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "market.android.com", true, false, false, -1, &kPinset_google_root_pems }, + { "mbasic.facebook.com", true, false, false, -1, &kPinset_facebook }, + { "meet.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "messenger.com", true, false, false, -1, &kPinset_facebook }, + { "mtouch.facebook.com", true, false, false, -1, &kPinset_facebook }, + { "myaccount.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "myactivity.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "oauthaccountmanager.googleapis.com", true, false, false, -1, &kPinset_google_root_pems }, + { "passwords.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "passwordsleakcheck-pa.googleapis.com", true, false, false, -1, &kPinset_google_root_pems }, + { "payments.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "pinning-test.badssl.com", true, false, false, -1, &kPinset_test }, + { "pinningtest.appspot.com", true, false, false, -1, &kPinset_test }, + { "pixel.facebook.com", true, false, false, -1, &kPinset_facebook }, + { "pixel.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "play.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "plus.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "plus.sandbox.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "profiles.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "remotedesktop.corp.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "research.facebook.com", true, false, false, -1, &kPinset_facebook }, + { "script.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "secure.facebook.com", true, false, false, -1, &kPinset_facebook }, + { "security.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "services.mozilla.com", true, false, true, 6, &kPinset_mozilla_services }, + { "sites.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "spreadsheets.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "static.googleadsserving.cn", true, false, false, -1, &kPinset_google_root_pems }, + { "stats.g.doubleclick.net", true, false, false, -1, &kPinset_google_root_pems }, + { "sync.services.mozilla.com", true, false, true, 13, &kPinset_mozilla_services }, + { "t.facebook.com", true, false, false, -1, &kPinset_facebook }, + { "tablet.facebook.com", true, false, false, -1, &kPinset_facebook }, + { "talk.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "talkgadget.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "telemetry.mozilla.org", true, true, true, 8, &kPinset_mozilla_services }, + { "test-mode.pinning.example.com", true, true, false, -1, &kPinset_mozilla_test }, + { "testpilot.firefox.com", false, false, true, 9, &kPinset_mozilla_services }, + { "torproject.org", false, false, false, -1, &kPinset_tor }, + { "touch.facebook.com", true, false, false, -1, &kPinset_facebook }, + { "translate.googleapis.com", true, false, false, -1, &kPinset_google_root_pems }, + { "tunnel-staging.googlezip.net", true, false, false, -1, &kPinset_google_root_pems }, + { "tunnel.googlezip.net", true, false, false, -1, &kPinset_google_root_pems }, + { "ua5v.com", true, false, false, -1, &kPinset_google_root_pems }, + { "upload.facebook.com", true, false, false, -1, &kPinset_facebook }, + { "urchin.com", true, false, false, -1, &kPinset_google_root_pems }, + { "w-spotlight.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, + { "wallet.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "webfilings-eu-mirror.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, + { "webfilings-eu.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, + { "webfilings-mirror-hrd.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, + { "webfilings.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, + { "wf-bigsky-master.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, + { "wf-demo-eu.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, + { "wf-demo-hrd.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, + { "wf-dogfood-hrd.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, + { "wf-pentest.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, + { "wf-staging-hr.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, + { "wf-training-hrd.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, + { "wf-training-master.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, + { "wf-trial-hrd.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, + { "withgoogle.com", true, false, false, -1, &kPinset_google_root_pems }, + { "withyoutube.com", true, false, false, -1, &kPinset_google_root_pems }, + { "www.facebook.com", true, false, false, -1, &kPinset_facebook }, + { "www.g.co", false, false, false, -1, &kPinset_google_root_pems }, + { "www.gmail.com", false, false, false, -1, &kPinset_google_root_pems }, + { "www.googlegroups.com", true, false, false, -1, &kPinset_google_root_pems }, + { "www.googlemail.com", false, false, false, -1, &kPinset_google_root_pems }, + { "www.messenger.com", true, false, false, -1, &kPinset_facebook }, + { "www.torproject.org", true, false, false, -1, &kPinset_tor }, + { "xbrlsuccess.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, + { "xn--7xa.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "youtu.be", true, false, false, -1, &kPinset_google_root_pems }, + { "youtube-nocookie.com", true, false, false, -1, &kPinset_google_root_pems }, + { "youtube.com", true, false, false, -1, &kPinset_google_root_pems }, + { "ytimg.com", true, false, false, -1, &kPinset_google_root_pems }, +}; + +// Pinning Preload List Length = 397; + +static const int32_t kUnknownId = -1; + +static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1718621549468000); diff --git a/security/manager/ssl/TLSClientAuthCertSelection.cpp b/security/manager/ssl/TLSClientAuthCertSelection.cpp new file mode 100644 index 0000000000..05636c83e9 --- /dev/null +++ b/security/manager/ssl/TLSClientAuthCertSelection.cpp @@ -0,0 +1,1050 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +// Implements the client authentication certificate selection callback for NSS. +// nsNSSIOLayer.cpp sets the callback by calling SSL_GetClientAuthDataHook and +// identifying SSLGetClientAuthDataHook as the function to call when a TLS +// server requests a client authentication certificate. +// +// In the general case, SSLGetClientAuthDataHook (running on the socket thread), +// dispatches an event to the main thread to ask the user to select a client +// authentication certificate. Meanwhile, it returns SECWouldBlock so that other +// network I/O can occur. When the user selects a client certificate (or opts +// not to send one), an event is dispatched to the socket thread that gives NSS +// the appropriate information to proceed with the TLS connection. +// +// If networking is being done on the socket process, SSLGetClientAuthDataHook +// sends an IPC call to the parent process to ask the user to select a +// certificate. Meanwhile, it again returns SECWouldBlock so other network I/O +// can occur. When a certificate (or no certificate) has been selected, the +// parent process sends an IPC call back to the socket process, which causes an +// event to be dispatched to the socket thread to continue to the TLS +// connection. + +#include "TLSClientAuthCertSelection.h" +#include "cert_storage/src/cert_storage.h" +#include "mozilla/Logging.h" +#include "mozilla/dom/BrowsingContext.h" +#include "mozilla/ipc/Endpoint.h" +#include "mozilla/net/SocketProcessBackgroundChild.h" +#include "mozilla/psm/SelectTLSClientAuthCertChild.h" +#include "mozilla/psm/SelectTLSClientAuthCertParent.h" +#include "nsArray.h" +#include "nsArrayUtils.h" +#include "nsNSSComponent.h" +#include "nsIClientAuthDialogService.h" +#include "nsIMutableArray.h" +#include "nsINSSComponent.h" +#include "NSSCertDBTrustDomain.h" +#include "nsIClientAuthRememberService.h" +#include "nsIX509CertDB.h" +#include "nsNSSHelper.h" +#include "mozpkix/pkixnss.h" +#include "mozpkix/pkixutil.h" +#include "mozpkix/pkix.h" +#include "secerr.h" +#include "sslerr.h" + +using namespace mozilla; +using namespace mozilla::pkix; +using namespace mozilla::psm; + +extern LazyLogModule gPIPNSSLog; + +mozilla::pkix::Result BuildChainForCertificate( + nsTArray<uint8_t>& certBytes, nsTArray<nsTArray<uint8_t>>& certChainBytes, + const nsTArray<nsTArray<uint8_t>>& caNames, + const nsTArray<nsTArray<uint8_t>>& enterpriseCertificates); + +// Possible behaviors for choosing a cert for client auth. +enum class UserCertChoice { + // Ask the user to choose a cert. + Ask = 0, + // Automatically choose a cert. + Auto = 1, +}; + +// Returns the most appropriate user cert choice based on the value of the +// security.default_personal_cert preference. +UserCertChoice nsGetUserCertChoice() { + nsAutoCString value; + nsresult rv = + Preferences::GetCString("security.default_personal_cert", value); + if (NS_FAILED(rv)) { + return UserCertChoice::Ask; + } + + // There are three cases for what the preference could be set to: + // 1. "Select Automatically" -> Auto. + // 2. "Ask Every Time" -> Ask. + // 3. Something else -> Ask. This might be a nickname from a migrated cert, + // but we no longer support this case. + return value.EqualsLiteral("Select Automatically") ? UserCertChoice::Auto + : UserCertChoice::Ask; +} + +static bool hasExplicitKeyUsageNonRepudiation(CERTCertificate* cert) { + // There is no extension, v1 or v2 certificate + if (!cert->extensions) return false; + + SECStatus srv; + SECItem keyUsageItem; + keyUsageItem.data = nullptr; + + srv = CERT_FindKeyUsageExtension(cert, &keyUsageItem); + if (srv == SECFailure) return false; + + unsigned char keyUsage = keyUsageItem.data[0]; + PORT_Free(keyUsageItem.data); + + return !!(keyUsage & KU_NON_REPUDIATION); +} + +ClientAuthInfo::ClientAuthInfo(const nsACString& hostName, + const OriginAttributes& originAttributes, + int32_t port, uint32_t providerFlags, + uint32_t providerTlsFlags) + : mHostName(hostName), + mOriginAttributes(originAttributes), + mPort(port), + mProviderFlags(providerFlags), + mProviderTlsFlags(providerTlsFlags) {} + +ClientAuthInfo::ClientAuthInfo(ClientAuthInfo&& aOther) noexcept + : mHostName(std::move(aOther.mHostName)), + mOriginAttributes(std::move(aOther.mOriginAttributes)), + mPort(aOther.mPort), + mProviderFlags(aOther.mProviderFlags), + mProviderTlsFlags(aOther.mProviderTlsFlags) {} + +const nsACString& ClientAuthInfo::HostName() const { return mHostName; } + +const OriginAttributes& ClientAuthInfo::OriginAttributesRef() const { + return mOriginAttributes; +} + +int32_t ClientAuthInfo::Port() const { return mPort; } + +uint32_t ClientAuthInfo::ProviderFlags() const { return mProviderFlags; } + +uint32_t ClientAuthInfo::ProviderTlsFlags() const { return mProviderTlsFlags; } + +nsTArray<nsTArray<uint8_t>> CollectCANames(CERTDistNames* caNames) { + MOZ_ASSERT(caNames); + + nsTArray<nsTArray<uint8_t>> collectedCANames; + if (!caNames) { + return collectedCANames; + } + + for (int i = 0; i < caNames->nnames; i++) { + nsTArray<uint8_t> caName; + caName.AppendElements(caNames->names[i].data, caNames->names[i].len); + collectedCANames.AppendElement(std::move(caName)); + } + return collectedCANames; +} + +// This TrustDomain only exists to facilitate the mozilla::pkix path building +// algorithm. It considers any certificate with an issuer distinguished name in +// the set of given CA names to be a trust anchor. It does essentially no +// validation or verification (in particular, the signature checking function +// always returns "Success"). +class ClientAuthCertNonverifyingTrustDomain final : public TrustDomain { + public: + ClientAuthCertNonverifyingTrustDomain( + const nsTArray<nsTArray<uint8_t>>& caNames, + const nsTArray<nsTArray<uint8_t>>& thirdPartyCertificates) + : mCANames(caNames), + mCertStorage(do_GetService(NS_CERT_STORAGE_CID)), + mThirdPartyCertificates(thirdPartyCertificates) {} + + virtual mozilla::pkix::Result GetCertTrust( + pkix::EndEntityOrCA endEntityOrCA, const pkix::CertPolicyId& policy, + pkix::Input candidateCertDER, + /*out*/ pkix::TrustLevel& trustLevel) override; + virtual mozilla::pkix::Result FindIssuer(pkix::Input encodedIssuerName, + IssuerChecker& checker, + pkix::Time time) override; + + virtual mozilla::pkix::Result CheckRevocation( + EndEntityOrCA endEntityOrCA, const pkix::CertID& certID, Time time, + mozilla::pkix::Duration validityDuration, + /*optional*/ const Input* stapledOCSPresponse, + /*optional*/ const Input* aiaExtension, + /*optional*/ const Input* sctExtension) override { + return pkix::Success; + } + + virtual mozilla::pkix::Result IsChainValid( + const pkix::DERArray& certChain, pkix::Time time, + const pkix::CertPolicyId& requiredPolicy) override; + + virtual mozilla::pkix::Result CheckSignatureDigestAlgorithm( + pkix::DigestAlgorithm digestAlg, pkix::EndEntityOrCA endEntityOrCA, + pkix::Time notBefore) override { + return pkix::Success; + } + virtual mozilla::pkix::Result CheckRSAPublicKeyModulusSizeInBits( + pkix::EndEntityOrCA endEntityOrCA, + unsigned int modulusSizeInBits) override { + return pkix::Success; + } + virtual mozilla::pkix::Result VerifyRSAPKCS1SignedData( + pkix::Input data, pkix::DigestAlgorithm, pkix::Input signature, + pkix::Input subjectPublicKeyInfo) override { + return pkix::Success; + } + virtual mozilla::pkix::Result VerifyRSAPSSSignedData( + pkix::Input data, pkix::DigestAlgorithm, pkix::Input signature, + pkix::Input subjectPublicKeyInfo) override { + return pkix::Success; + } + virtual mozilla::pkix::Result CheckECDSACurveIsAcceptable( + pkix::EndEntityOrCA endEntityOrCA, pkix::NamedCurve curve) override { + return pkix::Success; + } + virtual mozilla::pkix::Result VerifyECDSASignedData( + pkix::Input data, pkix::DigestAlgorithm, pkix::Input signature, + pkix::Input subjectPublicKeyInfo) override { + return pkix::Success; + } + virtual mozilla::pkix::Result CheckValidityIsAcceptable( + pkix::Time notBefore, pkix::Time notAfter, + pkix::EndEntityOrCA endEntityOrCA, + pkix::KeyPurposeId keyPurpose) override { + return pkix::Success; + } + virtual mozilla::pkix::Result NetscapeStepUpMatchesServerAuth( + pkix::Time notBefore, + /*out*/ bool& matches) override { + matches = true; + return pkix::Success; + } + virtual void NoteAuxiliaryExtension(pkix::AuxiliaryExtension extension, + pkix::Input extensionData) override {} + virtual mozilla::pkix::Result DigestBuf(pkix::Input item, + pkix::DigestAlgorithm digestAlg, + /*out*/ uint8_t* digestBuf, + size_t digestBufLen) override { + return pkix::DigestBufNSS(item, digestAlg, digestBuf, digestBufLen); + } + + nsTArray<nsTArray<uint8_t>> TakeBuiltChain() { + return std::move(mBuiltChain); + } + + private: + const nsTArray<nsTArray<uint8_t>>& mCANames; // non-owning + nsCOMPtr<nsICertStorage> mCertStorage; + const nsTArray<nsTArray<uint8_t>>& mThirdPartyCertificates; // non-owning + nsTArray<nsTArray<uint8_t>> mBuiltChain; +}; + +mozilla::pkix::Result ClientAuthCertNonverifyingTrustDomain::GetCertTrust( + pkix::EndEntityOrCA endEntityOrCA, const pkix::CertPolicyId& policy, + pkix::Input candidateCertDER, + /*out*/ pkix::TrustLevel& trustLevel) { + // If the server did not specify any CA names, all client certificates are + // acceptable. + if (mCANames.Length() == 0) { + trustLevel = pkix::TrustLevel::TrustAnchor; + return pkix::Success; + } + BackCert cert(candidateCertDER, endEntityOrCA, nullptr); + mozilla::pkix::Result rv = cert.Init(); + if (rv != pkix::Success) { + return rv; + } + // If this certificate's issuer distinguished name is in the set of acceptable + // CA names, we say this is a trust anchor so that the client certificate + // issued from this certificate will be presented as an option for the user. + // We also check the certificate's subject distinguished name to account for + // the case where client certificates that have the id-kp-OCSPSigning EKU + // can't be trust anchors according to mozilla::pkix, and thus we may be + // looking directly at the issuer. + pkix::Input issuer(cert.GetIssuer()); + pkix::Input subject(cert.GetSubject()); + for (const auto& caName : mCANames) { + pkix::Input caNameInput; + rv = caNameInput.Init(caName.Elements(), caName.Length()); + if (rv != pkix::Success) { + continue; // probably too big + } + if (InputsAreEqual(issuer, caNameInput) || + InputsAreEqual(subject, caNameInput)) { + trustLevel = pkix::TrustLevel::TrustAnchor; + return pkix::Success; + } + } + trustLevel = pkix::TrustLevel::InheritsTrust; + return pkix::Success; +} + +// In theory this implementation should only need to consider intermediate +// certificates, since in theory it should only need to look at the issuer +// distinguished name of each certificate to determine if the client +// certificate is considered acceptable to the server. +// However, because we need to account for client certificates with the +// id-kp-OCSPSigning EKU, and because mozilla::pkix doesn't allow such +// certificates to be trust anchors, we need to consider the issuers of such +// certificates directly. These issuers could be roots, so we have to consider +// roots here. +mozilla::pkix::Result ClientAuthCertNonverifyingTrustDomain::FindIssuer( + pkix::Input encodedIssuerName, IssuerChecker& checker, pkix::Time time) { + // First try all relevant certificates known to Gecko, which avoids calling + // CERT_CreateSubjectCertList, because that can be expensive. + Vector<pkix::Input> geckoCandidates; + if (!mCertStorage) { + return mozilla::pkix::Result::FATAL_ERROR_LIBRARY_FAILURE; + } + nsTArray<uint8_t> subject; + subject.AppendElements(encodedIssuerName.UnsafeGetData(), + encodedIssuerName.GetLength()); + nsTArray<nsTArray<uint8_t>> certs; + nsresult rv = mCertStorage->FindCertsBySubject(subject, certs); + if (NS_FAILED(rv)) { + return mozilla::pkix::Result::FATAL_ERROR_LIBRARY_FAILURE; + } + for (auto& cert : certs) { + pkix::Input certDER; + mozilla::pkix::Result rv = certDER.Init(cert.Elements(), cert.Length()); + if (rv != pkix::Success) { + continue; // probably too big + } + if (!geckoCandidates.append(certDER)) { + return mozilla::pkix::Result::FATAL_ERROR_NO_MEMORY; + } + } + + for (const auto& thirdPartyCertificate : mThirdPartyCertificates) { + pkix::Input thirdPartyCertificateInput; + mozilla::pkix::Result rv = thirdPartyCertificateInput.Init( + thirdPartyCertificate.Elements(), thirdPartyCertificate.Length()); + if (rv != pkix::Success) { + continue; // probably too big + } + if (!geckoCandidates.append(thirdPartyCertificateInput)) { + return mozilla::pkix::Result::FATAL_ERROR_NO_MEMORY; + } + } + + bool keepGoing = true; + for (pkix::Input candidate : geckoCandidates) { + mozilla::pkix::Result rv = checker.Check(candidate, nullptr, keepGoing); + if (rv != pkix::Success) { + return rv; + } + if (!keepGoing) { + return pkix::Success; + } + } + + SECItem encodedIssuerNameItem = + pkix::UnsafeMapInputToSECItem(encodedIssuerName); + // NSS seems not to differentiate between "no potential issuers found" and + // "there was an error trying to retrieve the potential issuers." We assume + // there was no error if CERT_CreateSubjectCertList returns nullptr. + UniqueCERTCertList candidates(CERT_CreateSubjectCertList( + nullptr, CERT_GetDefaultCertDB(), &encodedIssuerNameItem, 0, false)); + Vector<pkix::Input> nssCandidates; + if (candidates) { + for (CERTCertListNode* n = CERT_LIST_HEAD(candidates); + !CERT_LIST_END(n, candidates); n = CERT_LIST_NEXT(n)) { + pkix::Input certDER; + mozilla::pkix::Result rv = + certDER.Init(n->cert->derCert.data, n->cert->derCert.len); + if (rv != pkix::Success) { + continue; // probably too big + } + if (!nssCandidates.append(certDER)) { + return mozilla::pkix::Result::FATAL_ERROR_NO_MEMORY; + } + } + } + + for (pkix::Input candidate : nssCandidates) { + mozilla::pkix::Result rv = checker.Check(candidate, nullptr, keepGoing); + if (rv != pkix::Success) { + return rv; + } + if (!keepGoing) { + return pkix::Success; + } + } + return pkix::Success; +} + +mozilla::pkix::Result ClientAuthCertNonverifyingTrustDomain::IsChainValid( + const pkix::DERArray& certArray, pkix::Time, const pkix::CertPolicyId&) { + mBuiltChain.Clear(); + + size_t numCerts = certArray.GetLength(); + for (size_t i = 0; i < numCerts; ++i) { + nsTArray<uint8_t> certBytes; + const pkix::Input* certInput = certArray.GetDER(i); + MOZ_ASSERT(certInput != nullptr); + if (!certInput) { + return mozilla::pkix::Result::FATAL_ERROR_LIBRARY_FAILURE; + } + certBytes.AppendElements(certInput->UnsafeGetData(), + certInput->GetLength()); + mBuiltChain.AppendElement(std::move(certBytes)); + } + + return pkix::Success; +} + +nsTArray<nsTArray<uint8_t>> GetEnterpriseCertificates() { + nsTArray<nsTArray<uint8_t>> enterpriseCertificates; + nsCOMPtr<nsINSSComponent> component(do_GetService(PSM_COMPONENT_CONTRACTID)); + if (!component) { + return nsTArray<nsTArray<uint8_t>>{}; + } + nsresult rv = component->GetEnterpriseIntermediates(enterpriseCertificates); + if (NS_FAILED(rv)) { + return nsTArray<nsTArray<uint8_t>>{}; + } + nsTArray<nsTArray<uint8_t>> enterpriseRoots; + rv = component->GetEnterpriseRoots(enterpriseRoots); + if (NS_FAILED(rv)) { + return nsTArray<nsTArray<uint8_t>>{}; + } + enterpriseCertificates.AppendElements(std::move(enterpriseRoots)); + return enterpriseCertificates; +} + +bool FindRememberedDecision( + const ClientAuthInfo& clientAuthInfo, + const nsTArray<nsTArray<uint8_t>>& caNames, + const nsTArray<nsTArray<uint8_t>>& enterpriseCertificates, + nsTArray<uint8_t>& rememberedCertBytes, + nsTArray<nsTArray<uint8_t>>& rememberedCertChainBytes) { + rememberedCertBytes.Clear(); + rememberedCertChainBytes.Clear(); + + if (clientAuthInfo.ProviderTlsFlags() != 0) { + return false; + } + + nsCOMPtr<nsIClientAuthRememberService> clientAuthRememberService( + do_GetService(NS_CLIENTAUTHREMEMBERSERVICE_CONTRACTID)); + if (!clientAuthRememberService) { + return false; + } + + nsCString rememberedDBKey; + bool found; + nsresult rv = clientAuthRememberService->HasRememberedDecision( + clientAuthInfo.HostName(), clientAuthInfo.OriginAttributesRef(), + rememberedDBKey, &found); + if (NS_FAILED(rv)) { + return false; + } + if (!found) { + return false; + } + // An empty dbKey indicates that the user chose not to use a certificate + // and chose to remember this decision + if (rememberedDBKey.IsEmpty()) { + return true; + } + nsCOMPtr<nsIX509CertDB> certdb(do_GetService(NS_X509CERTDB_CONTRACTID)); + if (!certdb) { + return false; + } + nsCOMPtr<nsIX509Cert> foundCert; + rv = certdb->FindCertByDBKey(rememberedDBKey, getter_AddRefs(foundCert)); + if (NS_FAILED(rv)) { + return false; + } + if (!foundCert) { + return false; + } + rv = foundCert->GetRawDER(rememberedCertBytes); + if (NS_FAILED(rv)) { + return false; + } + if (BuildChainForCertificate(rememberedCertBytes, rememberedCertChainBytes, + caNames, enterpriseCertificates) != Success) { + return false; + } + return true; +} + +// Filter potential client certificates by the specified CA names, if any. This +// operation potentially builds a certificate chain for each candidate client +// certificate. Keeping those chains around means they don't have to be +// re-built later when the user selects a particular client certificate. +void FilterPotentialClientCertificatesByCANames( + UniqueCERTCertList& potentialClientCertificates, + const nsTArray<nsTArray<uint8_t>>& caNames, + const nsTArray<nsTArray<uint8_t>>& enterpriseCertificates, + nsTArray<nsTArray<nsTArray<uint8_t>>>& potentialClientCertificateChains) { + if (!potentialClientCertificates) { + return; + } + + CERTCertListNode* n = CERT_LIST_HEAD(potentialClientCertificates); + while (!CERT_LIST_END(n, potentialClientCertificates)) { + nsTArray<nsTArray<uint8_t>> builtChain; + nsTArray<uint8_t> certBytes; + certBytes.AppendElements(n->cert->derCert.data, n->cert->derCert.len); + mozilla::pkix::Result result = BuildChainForCertificate( + certBytes, builtChain, caNames, enterpriseCertificates); + if (result != pkix::Success) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("removing cert '%s'", n->cert->subjectName)); + CERTCertListNode* toRemove = n; + n = CERT_LIST_NEXT(n); + CERT_RemoveCertListNode(toRemove); + continue; + } + potentialClientCertificateChains.AppendElement(std::move(builtChain)); + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("keeping cert '%s'\n", n->cert->subjectName)); + n = CERT_LIST_NEXT(n); + } +} + +void ClientAuthCertificateSelectedBase::SetSelectedClientAuthData( + nsTArray<uint8_t>&& selectedCertBytes, + nsTArray<nsTArray<uint8_t>>&& selectedCertChainBytes) { + mSelectedCertBytes = std::move(selectedCertBytes); + mSelectedCertChainBytes = std::move(selectedCertChainBytes); +} + +NS_IMETHODIMP +ClientAuthCertificateSelected::Run() { + mSocketInfo->ClientAuthCertificateSelected(mSelectedCertBytes, + mSelectedCertChainBytes); + return NS_OK; +} + +void SelectClientAuthCertificate::DispatchContinuation( + nsTArray<uint8_t>&& selectedCertBytes) { + nsTArray<nsTArray<uint8_t>> selectedCertChainBytes; + // Attempt to find a pre-built certificate chain corresponding to the + // selected certificate. + for (const auto& clientCertificateChain : mPotentialClientCertificateChains) { + if (clientCertificateChain.Length() > 0 && + clientCertificateChain[0] == selectedCertBytes) { + for (const auto& certificateBytes : clientCertificateChain) { + selectedCertChainBytes.AppendElement(certificateBytes.Clone()); + } + break; + } + } + mContinuation->SetSelectedClientAuthData(std::move(selectedCertBytes), + std::move(selectedCertChainBytes)); + nsCOMPtr<nsIEventTarget> socketThread( + do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID)); + if (socketThread) { + (void)socketThread->Dispatch(mContinuation, NS_DISPATCH_NORMAL); + } +} + +// Helper function to build a certificate chain from the given certificate to a +// trust anchor in the set indicated by the peer (mCANames). This is essentially +// best-effort, so no signature verification occurs. +mozilla::pkix::Result BuildChainForCertificate( + nsTArray<uint8_t>& certBytes, nsTArray<nsTArray<uint8_t>>& certChainBytes, + const nsTArray<nsTArray<uint8_t>>& caNames, + const nsTArray<nsTArray<uint8_t>>& enterpriseCertificates) { + ClientAuthCertNonverifyingTrustDomain trustDomain(caNames, + enterpriseCertificates); + pkix::Input certDER; + mozilla::pkix::Result result = + certDER.Init(certBytes.Elements(), certBytes.Length()); + if (result != pkix::Success) { + return result; + } + // Client certificates shouldn't be CAs, but for interoperability reasons we + // attempt to build a path with each certificate as an end entity and then as + // a CA if that fails. + const pkix::EndEntityOrCA kEndEntityOrCAParams[] = { + pkix::EndEntityOrCA::MustBeEndEntity, pkix::EndEntityOrCA::MustBeCA}; + // mozilla::pkix rejects certificates with id-kp-OCSPSigning unless it is + // specifically required. A client certificate should never have this EKU. + // Unfortunately, there are some client certificates in private PKIs that + // have this EKU. For interoperability, we attempt to work around this + // restriction in mozilla::pkix by first building the certificate chain with + // no particular EKU required and then again with id-kp-OCSPSigning required + // if that fails. + const pkix::KeyPurposeId kKeyPurposeIdParams[] = { + pkix::KeyPurposeId::anyExtendedKeyUsage, + pkix::KeyPurposeId::id_kp_OCSPSigning}; + for (const auto& endEntityOrCAParam : kEndEntityOrCAParams) { + for (const auto& keyPurposeIdParam : kKeyPurposeIdParams) { + mozilla::pkix::Result result = BuildCertChain( + trustDomain, certDER, Now(), endEntityOrCAParam, + KeyUsage::noParticularKeyUsageRequired, keyPurposeIdParam, + pkix::CertPolicyId::anyPolicy, nullptr); + if (result == pkix::Success) { + certChainBytes = trustDomain.TakeBuiltChain(); + return pkix::Success; + } + } + } + return mozilla::pkix::Result::ERROR_UNKNOWN_ISSUER; +} + +class ClientAuthDialogCallback : public nsIClientAuthDialogCallback { + public: + NS_DECL_ISUPPORTS + NS_DECL_NSICLIENTAUTHDIALOGCALLBACK + + explicit ClientAuthDialogCallback( + SelectClientAuthCertificate* selectClientAuthCertificate) + : mSelectClientAuthCertificate(selectClientAuthCertificate) {} + + private: + virtual ~ClientAuthDialogCallback() = default; + + RefPtr<SelectClientAuthCertificate> mSelectClientAuthCertificate; +}; + +NS_IMPL_ISUPPORTS(ClientAuthDialogCallback, nsIClientAuthDialogCallback) + +NS_IMETHODIMP +ClientAuthDialogCallback::CertificateChosen(nsIX509Cert* cert, + bool rememberDecision) { + MOZ_ASSERT(mSelectClientAuthCertificate); + if (!mSelectClientAuthCertificate) { + return NS_ERROR_FAILURE; + } + const ClientAuthInfo& info = mSelectClientAuthCertificate->Info(); + nsCOMPtr<nsIClientAuthRememberService> clientAuthRememberService( + do_GetService(NS_CLIENTAUTHREMEMBERSERVICE_CONTRACTID)); + if (info.ProviderTlsFlags() == 0 && rememberDecision && + clientAuthRememberService) { + (void)clientAuthRememberService->RememberDecision( + info.HostName(), info.OriginAttributesRef(), cert); + } + nsTArray<uint8_t> selectedCertBytes; + if (cert) { + nsresult rv = cert->GetRawDER(selectedCertBytes); + if (NS_FAILED(rv)) { + selectedCertBytes.Clear(); + mSelectClientAuthCertificate->DispatchContinuation( + std::move(selectedCertBytes)); + return rv; + } + } + mSelectClientAuthCertificate->DispatchContinuation( + std::move(selectedCertBytes)); + return NS_OK; +} + +NS_IMETHODIMP +SelectClientAuthCertificate::Run() { + // We check the value of a pref, so this should only be run on the main + // thread. + MOZ_ASSERT(NS_IsMainThread()); + + nsTArray<uint8_t> selectedCertBytes; + if (!mPotentialClientCertificates || + CERT_LIST_EMPTY(mPotentialClientCertificates)) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("no potential client certificates available")); + DispatchContinuation(std::move(selectedCertBytes)); + return NS_OK; + } + + // find valid user cert and key pair + if (nsGetUserCertChoice() == UserCertChoice::Auto) { + // automatically find the right cert + UniqueCERTCertificate lowPrioNonrepCert; + // loop through the list until we find a cert with a key + for (CERTCertListNode* node = CERT_LIST_HEAD(mPotentialClientCertificates); + !CERT_LIST_END(node, mPotentialClientCertificates); + node = CERT_LIST_NEXT(node)) { + UniqueSECKEYPrivateKey tmpKey(PK11_FindKeyByAnyCert(node->cert, nullptr)); + if (tmpKey) { + if (hasExplicitKeyUsageNonRepudiation(node->cert)) { + // Not a preferred cert + if (!lowPrioNonrepCert) { // did not yet find a low prio cert + lowPrioNonrepCert.reset(CERT_DupCertificate(node->cert)); + } + } else { + // this is a good cert to present + selectedCertBytes.AppendElements(node->cert->derCert.data, + node->cert->derCert.len); + DispatchContinuation(std::move(selectedCertBytes)); + return NS_OK; + } + } + if (PR_GetError() == SEC_ERROR_BAD_PASSWORD) { + // problem with password: bail + break; + } + } + + if (lowPrioNonrepCert) { + selectedCertBytes.AppendElements(lowPrioNonrepCert->derCert.data, + lowPrioNonrepCert->derCert.len); + } + DispatchContinuation(std::move(selectedCertBytes)); + return NS_OK; + } + + // Not Auto => ask the user to select a certificate + nsTArray<RefPtr<nsIX509Cert>> certArray; + for (CERTCertListNode* node = CERT_LIST_HEAD(mPotentialClientCertificates); + !CERT_LIST_END(node, mPotentialClientCertificates); + node = CERT_LIST_NEXT(node)) { + RefPtr<nsIX509Cert> tempCert(new nsNSSCertificate(node->cert)); + certArray.AppendElement(tempCert); + } + + nsCOMPtr<nsIClientAuthDialogService> clientAuthDialogService( + do_GetService(NS_CLIENTAUTHDIALOGSERVICE_CONTRACTID)); + if (!clientAuthDialogService) { + DispatchContinuation(std::move(selectedCertBytes)); + return NS_ERROR_FAILURE; + } + nsCOMPtr<nsILoadContext> loadContext = nullptr; + if (mBrowserId != 0) { + loadContext = + mozilla::dom::BrowsingContext::GetCurrentTopByBrowserId(mBrowserId); + } + RefPtr<nsIClientAuthDialogCallback> callback( + new ClientAuthDialogCallback(this)); + nsresult rv = clientAuthDialogService->ChooseCertificate( + mInfo.HostName(), certArray, loadContext, callback); + if (NS_FAILED(rv)) { + DispatchContinuation(std::move(selectedCertBytes)); + return rv; + } + return NS_OK; +} + +SECStatus SSLGetClientAuthDataHook(void* arg, PRFileDesc* socket, + CERTDistNames* caNamesDecoded, + CERTCertificate** pRetCert, + SECKEYPrivateKey** pRetKey) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("[%p] SSLGetClientAuthDataHook", socket)); + + if (!arg || !socket || !caNamesDecoded || !pRetCert || !pRetKey) { + PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0); + return SECFailure; + } + + *pRetCert = nullptr; + *pRetKey = nullptr; + + RefPtr<NSSSocketControl> info(static_cast<NSSSocketControl*>(arg)); + Telemetry::ScalarAdd(Telemetry::ScalarID::SECURITY_CLIENT_AUTH_CERT_USAGE, + u"requested"_ns, 1); + + if (info->GetDenyClientCert()) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("[%p] Not returning client cert due to denyClientCert attribute", + socket)); + return SECSuccess; + } + + if (info->GetJoined()) { + // We refuse to send a client certificate when there are multiple hostnames + // joined on this connection, because we only show the user one hostname + // (mHostName) in the client certificate UI. + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("[%p] Not returning client cert due to previous join", socket)); + return SECSuccess; + } + + UniqueCERTCertificate serverCert(SSL_PeerCertificate(socket)); + if (!serverCert) { + PR_SetError(SSL_ERROR_NO_CERTIFICATE, 0); + return SECFailure; + } + + uint64_t browserId; + if (NS_FAILED(info->GetBrowserId(&browserId))) { + PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0); + return SECFailure; + } + + nsTArray<nsTArray<uint8_t>> caNames(CollectCANames(caNamesDecoded)); + + // Currently, the IPC client certs module only refreshes its view of + // available certificates and keys if the platform issues a search for all + // certificates or keys. In the socket process, such a search may not have + // happened, so this ensures it has. + // Additionally, instantiating certificates in NSS is not thread-safe and has + // performance implications, so search for them here (on the socket thread) + // when not in the socket process. + UniqueCERTCertList potentialClientCertificates( + FindClientCertificatesWithPrivateKeys()); + + RefPtr<ClientAuthCertificateSelected> continuation( + new ClientAuthCertificateSelected(info)); + // If this is the socket process, dispatch an IPC call to select a client + // authentication certificate in the parent process. + // Otherwise, dispatch an event to the main thread to do the selection. + // When those events finish, they will run the continuation, which gives the + // appropriate information to the NSSSocketControl, which then calls + // SSL_ClientCertCallbackComplete to continue the connection. + if (XRE_IsSocketProcess()) { + RefPtr<SelectTLSClientAuthCertChild> selectClientAuthCertificate( + new SelectTLSClientAuthCertChild(continuation)); + nsAutoCString hostname(info->GetHostName()); + nsTArray<uint8_t> serverCertBytes; + nsTArray<ByteArray> caNamesBytes; + for (const auto& caName : caNames) { + caNamesBytes.AppendElement(ByteArray(std::move(caName))); + } + serverCertBytes.AppendElements(serverCert->derCert.data, + serverCert->derCert.len); + OriginAttributes originAttributes(info->GetOriginAttributes()); + int32_t port(info->GetPort()); + uint32_t providerFlags(info->GetProviderFlags()); + uint32_t providerTlsFlags(info->GetProviderTlsFlags()); + nsCOMPtr<nsIRunnable> remoteSelectClientAuthCertificate( + NS_NewRunnableFunction( + "RemoteSelectClientAuthCertificate", + [selectClientAuthCertificate( + std::move(selectClientAuthCertificate)), + hostname(std::move(hostname)), + originAttributes(std::move(originAttributes)), port, providerFlags, + providerTlsFlags, serverCertBytes(std::move(serverCertBytes)), + caNamesBytes(std::move(caNamesBytes)), + browserId(browserId)]() mutable { + ipc::Endpoint<PSelectTLSClientAuthCertParent> parentEndpoint; + ipc::Endpoint<PSelectTLSClientAuthCertChild> childEndpoint; + PSelectTLSClientAuthCert::CreateEndpoints(&parentEndpoint, + &childEndpoint); + if (NS_FAILED(net::SocketProcessBackgroundChild::WithActor( + "SendInitSelectTLSClientAuthCert", + [endpoint = std::move(parentEndpoint), + hostname(std::move(hostname)), + originAttributes(std::move(originAttributes)), port, + providerFlags, providerTlsFlags, + serverCertBytes(std::move(serverCertBytes)), + caNamesBytes(std::move(caNamesBytes)), browserId]( + net::SocketProcessBackgroundChild* aActor) mutable { + Unused << aActor->SendInitSelectTLSClientAuthCert( + std::move(endpoint), hostname, originAttributes, + port, providerFlags, providerTlsFlags, + ByteArray(serverCertBytes), caNamesBytes, + browserId); + }))) { + return; + } + + if (!childEndpoint.Bind(selectClientAuthCertificate)) { + return; + } + })); + info->SetPendingSelectClientAuthCertificate( + std::move(remoteSelectClientAuthCertificate)); + PR_SetError(PR_WOULD_BLOCK_ERROR, 0); + return SECWouldBlock; + } + + ClientAuthInfo authInfo(info->GetHostName(), info->GetOriginAttributes(), + info->GetPort(), info->GetProviderFlags(), + info->GetProviderTlsFlags()); + nsTArray<nsTArray<uint8_t>> enterpriseCertificates( + GetEnterpriseCertificates()); + nsTArray<uint8_t> rememberedCertBytes; + nsTArray<nsTArray<uint8_t>> rememberedCertChainBytes; + if (FindRememberedDecision(authInfo, caNames, enterpriseCertificates, + rememberedCertBytes, rememberedCertChainBytes)) { + continuation->SetSelectedClientAuthData( + std::move(rememberedCertBytes), std::move(rememberedCertChainBytes)); + nsresult rv = NS_DispatchToCurrentThread(continuation); + if (NS_FAILED(rv)) { + PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0); + return SECFailure; + } + PR_SetError(PR_WOULD_BLOCK_ERROR, 0); + return SECWouldBlock; + } + + nsTArray<nsTArray<nsTArray<uint8_t>>> potentialClientCertificateChains; + FilterPotentialClientCertificatesByCANames(potentialClientCertificates, + caNames, enterpriseCertificates, + potentialClientCertificateChains); + if (!potentialClientCertificates || + CERT_LIST_EMPTY(potentialClientCertificates)) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("[%p] no client certificates available after filtering by CA", + socket)); + return SECSuccess; + } + nsCOMPtr<nsIRunnable> selectClientAuthCertificate( + new SelectClientAuthCertificate( + std::move(authInfo), std::move(serverCert), + std::move(potentialClientCertificates), + std::move(potentialClientCertificateChains), continuation, + browserId)); + info->SetPendingSelectClientAuthCertificate( + std::move(selectClientAuthCertificate)); + + // Meanwhile, tell NSS this connection is blocking for now. + PR_SetError(PR_WOULD_BLOCK_ERROR, 0); + return SECWouldBlock; +} + +// Helper continuation for when a client authentication certificate has been +// selected in the parent process and the information needs to be sent to the +// socket process. +class RemoteClientAuthCertificateSelected + : public ClientAuthCertificateSelectedBase { + public: + explicit RemoteClientAuthCertificateSelected( + SelectTLSClientAuthCertParent* selectTLSClientAuthCertParent) + : mSelectTLSClientAuthCertParent(selectTLSClientAuthCertParent), + mEventTarget(GetCurrentSerialEventTarget()) {} + + NS_IMETHOD Run() override; + + private: + RefPtr<SelectTLSClientAuthCertParent> mSelectTLSClientAuthCertParent; + nsCOMPtr<nsISerialEventTarget> mEventTarget; +}; + +NS_IMETHODIMP +RemoteClientAuthCertificateSelected::Run() { + // When this runs, it dispatches an event to the IPC thread it originally came + // from in order to send the IPC call to the socket process that a client + // authentication certificate has been selected. + return mEventTarget->Dispatch( + NS_NewRunnableFunction( + "psm::RemoteClientAuthCertificateSelected::Run", + [parent(mSelectTLSClientAuthCertParent), + certBytes(std::move(mSelectedCertBytes)), + builtCertChain(std::move(mSelectedCertChainBytes))]() mutable { + parent->TLSClientAuthCertSelected(certBytes, + std::move(builtCertChain)); + }), + NS_DISPATCH_NORMAL); +} + +namespace mozilla::psm { + +// Given some information from the socket process about a connection that +// requested a client authentication certificate, this function dispatches an +// event to the main thread to ask the user to select one. When the user does so +// (or selects no certificate), the continuation runs and sends the information +// back via IPC. +bool SelectTLSClientAuthCertParent::Dispatch( + const nsACString& aHostName, const OriginAttributes& aOriginAttributes, + const int32_t& aPort, const uint32_t& aProviderFlags, + const uint32_t& aProviderTlsFlags, const ByteArray& aServerCertBytes, + nsTArray<ByteArray>&& aCANames, const uint64_t& aBrowserId) { + RefPtr<ClientAuthCertificateSelectedBase> continuation( + new RemoteClientAuthCertificateSelected(this)); + ClientAuthInfo authInfo(aHostName, aOriginAttributes, aPort, aProviderFlags, + aProviderTlsFlags); + nsCOMPtr<nsIEventTarget> socketThread = + do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID); + if (NS_WARN_IF(!socketThread)) { + return false; + } + // Dispatch the work of instantiating a CERTCertificate and searching for + // client certificates to the socket thread. + nsresult rv = socketThread->Dispatch(NS_NewRunnableFunction( + "SelectTLSClientAuthCertParent::Dispatch", + [authInfo(std::move(authInfo)), continuation(std::move(continuation)), + serverCertBytes(aServerCertBytes), caNames(std::move(aCANames)), + browserId(aBrowserId)]() mutable { + SECItem serverCertItem{ + siBuffer, + const_cast<uint8_t*>(serverCertBytes.data().Elements()), + static_cast<unsigned int>(serverCertBytes.data().Length()), + }; + UniqueCERTCertificate serverCert(CERT_NewTempCertificate( + CERT_GetDefaultCertDB(), &serverCertItem, nullptr, false, true)); + if (!serverCert) { + return; + } + nsTArray<nsTArray<uint8_t>> caNamesArray; + for (auto& caName : caNames) { + caNamesArray.AppendElement(std::move(caName.data())); + } + nsTArray<nsTArray<uint8_t>> enterpriseCertificates( + GetEnterpriseCertificates()); + nsTArray<uint8_t> rememberedCertBytes; + nsTArray<nsTArray<uint8_t>> rememberedCertChainBytes; + if (FindRememberedDecision(authInfo, caNamesArray, + enterpriseCertificates, rememberedCertBytes, + rememberedCertChainBytes)) { + continuation->SetSelectedClientAuthData( + std::move(rememberedCertBytes), + std::move(rememberedCertChainBytes)); + (void)NS_DispatchToCurrentThread(continuation); + return; + } + UniqueCERTCertList potentialClientCertificates( + FindClientCertificatesWithPrivateKeys()); + nsTArray<nsTArray<nsTArray<uint8_t>>> potentialClientCertificateChains; + FilterPotentialClientCertificatesByCANames( + potentialClientCertificates, caNamesArray, enterpriseCertificates, + potentialClientCertificateChains); + RefPtr<SelectClientAuthCertificate> selectClientAuthCertificate( + new SelectClientAuthCertificate( + std::move(authInfo), std::move(serverCert), + std::move(potentialClientCertificates), + std::move(potentialClientCertificateChains), continuation, + browserId)); + Unused << NS_DispatchToMainThread(selectClientAuthCertificate); + })); + return NS_SUCCEEDED(rv); +} + +void SelectTLSClientAuthCertParent::TLSClientAuthCertSelected( + const nsTArray<uint8_t>& aSelectedCertBytes, + nsTArray<nsTArray<uint8_t>>&& aSelectedCertChainBytes) { + if (!CanSend()) { + return; + } + + nsTArray<ByteArray> selectedCertChainBytes; + for (auto& certBytes : aSelectedCertChainBytes) { + selectedCertChainBytes.AppendElement(ByteArray(certBytes)); + } + + Unused << SendTLSClientAuthCertSelected(aSelectedCertBytes, + selectedCertChainBytes); + Close(); +} + +void SelectTLSClientAuthCertParent::ActorDestroy( + mozilla::ipc::IProtocol::ActorDestroyReason aWhy) {} + +SelectTLSClientAuthCertChild::SelectTLSClientAuthCertChild( + ClientAuthCertificateSelected* continuation) + : mContinuation(continuation) {} + +// When the user has selected (or not) a client authentication certificate in +// the parent, this function receives that information in the socket process and +// dispatches a continuation to the socket process to continue the connection. +ipc::IPCResult SelectTLSClientAuthCertChild::RecvTLSClientAuthCertSelected( + ByteArray&& aSelectedCertBytes, + nsTArray<ByteArray>&& aSelectedCertChainBytes) { + nsTArray<uint8_t> selectedCertBytes(std::move(aSelectedCertBytes.data())); + nsTArray<nsTArray<uint8_t>> selectedCertChainBytes; + for (auto& certBytes : aSelectedCertChainBytes) { + selectedCertChainBytes.AppendElement(std::move(certBytes.data())); + } + mContinuation->SetSelectedClientAuthData(std::move(selectedCertBytes), + std::move(selectedCertChainBytes)); + + nsCOMPtr<nsIEventTarget> socketThread = + do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID); + if (NS_WARN_IF(!socketThread)) { + return IPC_OK(); + } + nsresult rv = socketThread->Dispatch(mContinuation, NS_DISPATCH_NORMAL); + Unused << NS_WARN_IF(NS_FAILED(rv)); + + return IPC_OK(); +} + +} // namespace mozilla::psm diff --git a/security/manager/ssl/TLSClientAuthCertSelection.h b/security/manager/ssl/TLSClientAuthCertSelection.h new file mode 100644 index 0000000000..5ff311d272 --- /dev/null +++ b/security/manager/ssl/TLSClientAuthCertSelection.h @@ -0,0 +1,120 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef SECURITY_MANAGER_SSL_TLSCLIENTAUTHCERTSELECTION_H_ +#define SECURITY_MANAGER_SSL_TLSCLIENTAUTHCERTSELECTION_H_ + +#include "NSSSocketControl.h" +#include "nsIX509Cert.h" +#include "nsNSSIOLayer.h" +#include "nsThreadUtils.h" +#include "ssl.h" + +class NSSSocketControl; + +// NSS callback to select a client authentication certificate. See documentation +// at the top of TLSClientAuthCertSelection.cpp. +SECStatus SSLGetClientAuthDataHook(void* arg, PRFileDesc* socket, + CERTDistNames* caNames, + CERTCertificate** pRetCert, + SECKEYPrivateKey** pRetKey); + +// Base class for continuing the operation of selecting a client authentication +// certificate. Should not be used directly. +class ClientAuthCertificateSelectedBase : public mozilla::Runnable { + public: + ClientAuthCertificateSelectedBase() + : Runnable("ClientAuthCertificateSelectedBase") {} + + // Call to indicate that a client authentication certificate has been + // selected. + void SetSelectedClientAuthData( + nsTArray<uint8_t>&& selectedCertBytes, + nsTArray<nsTArray<uint8_t>>&& selectedCertChainBytes); + + protected: + nsTArray<uint8_t> mSelectedCertBytes; + // The bytes of the certificates that form a chain from the selected + // certificate to a root. Necessary so NSS can include them in the TLS + // handshake (see note about mClientCertChain in NSSSocketControl). + nsTArray<nsTArray<uint8_t>> mSelectedCertChainBytes; +}; + +class ClientAuthCertificateSelected : public ClientAuthCertificateSelectedBase { + public: + explicit ClientAuthCertificateSelected(NSSSocketControl* socketInfo) + : mSocketInfo(socketInfo) {} + + NS_IMETHOD Run() override; + + private: + RefPtr<NSSSocketControl> mSocketInfo; +}; + +// This class is used to store the needed information for invoking the client +// cert selection UI. +class ClientAuthInfo final { + public: + explicit ClientAuthInfo(const nsACString& hostName, + const mozilla::OriginAttributes& originAttributes, + int32_t port, uint32_t providerFlags, + uint32_t providerTlsFlags); + ~ClientAuthInfo() = default; + ClientAuthInfo(ClientAuthInfo&& aOther) noexcept; + + const nsACString& HostName() const; + const mozilla::OriginAttributes& OriginAttributesRef() const; + int32_t Port() const; + uint32_t ProviderFlags() const; + uint32_t ProviderTlsFlags() const; + + ClientAuthInfo(const ClientAuthInfo&) = delete; + void operator=(const ClientAuthInfo&) = delete; + + private: + nsCString mHostName; + mozilla::OriginAttributes mOriginAttributes; + int32_t mPort; + uint32_t mProviderFlags; + uint32_t mProviderTlsFlags; +}; + +// Helper runnable to select a client authentication certificate. Gets created +// on the socket thread or an IPC thread, runs on the main thread, and then runs +// its continuation on the socket thread. +class SelectClientAuthCertificate : public mozilla::Runnable { + public: + SelectClientAuthCertificate( + ClientAuthInfo&& info, mozilla::UniqueCERTCertificate&& serverCert, + mozilla::UniqueCERTCertList&& potentialClientCertificates, + nsTArray<nsTArray<nsTArray<uint8_t>>>&& potentialClientCertificateChains, + ClientAuthCertificateSelectedBase* continuation, uint64_t browserId) + : Runnable("SelectClientAuthCertificate"), + mInfo(std::move(info)), + mServerCert(std::move(serverCert)), + mPotentialClientCertificates(std::move(potentialClientCertificates)), + mPotentialClientCertificateChains( + std::move(potentialClientCertificateChains)), + mContinuation(continuation), + mBrowserId(browserId) {} + + NS_IMETHOD Run() override; + + const ClientAuthInfo& Info() { return mInfo; } + void DispatchContinuation(nsTArray<uint8_t>&& selectedCertBytes); + + private: + ClientAuthInfo mInfo; + mozilla::UniqueCERTCertificate mServerCert; + mozilla::UniqueCERTCertList mPotentialClientCertificates; + nsTArray<nsTArray<nsTArray<uint8_t>>> mPotentialClientCertificateChains; + RefPtr<ClientAuthCertificateSelectedBase> mContinuation; + + uint64_t mBrowserId; + nsCOMPtr<nsIInterfaceRequestor> mSecurityCallbacks; +}; + +#endif // SECURITY_MANAGER_SSL_TLSCLIENTAUTHCERTSELECTION_H_ diff --git a/security/manager/ssl/TransportSecurityInfo.cpp b/security/manager/ssl/TransportSecurityInfo.cpp new file mode 100644 index 0000000000..2bc39157e7 --- /dev/null +++ b/security/manager/ssl/TransportSecurityInfo.cpp @@ -0,0 +1,1131 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "TransportSecurityInfo.h" + +#include "ipc/IPCMessageUtils.h" +#include "mozilla/Base64.h" +#include "mozpkix/pkixtypes.h" +#include "nsBase64Encoder.h" +#include "nsIObjectInputStream.h" +#include "nsIObjectOutputStream.h" +#include "nsIWebProgressListener.h" +#include "nsNSSCertHelper.h" +#include "nsNSSComponent.h" +#include "nsNSSHelper.h" +#include "nsReadableUtils.h" +#include "nsServiceManagerUtils.h" +#include "nsStringStream.h" +#include "nsXULAppAPI.h" +#include "nsIX509Cert.h" +#include "secerr.h" +#include "ssl.h" + +#include "mozilla/ipc/IPDLParamTraits.h" + +// nsITransportSecurityInfo should not be created via do_CreateInstance. This +// stub prevents that. +template <> +already_AddRefed<nsISupports> +mozCreateComponent<mozilla::psm::TransportSecurityInfo>() { + return nullptr; +} + +namespace mozilla { +namespace psm { + +TransportSecurityInfo::TransportSecurityInfo( + uint32_t aSecurityState, PRErrorCode aErrorCode, + nsTArray<RefPtr<nsIX509Cert>>&& aFailedCertChain, + nsCOMPtr<nsIX509Cert>& aServerCert, + nsTArray<RefPtr<nsIX509Cert>>&& aSucceededCertChain, + Maybe<uint16_t> aCipherSuite, Maybe<nsCString> aKeaGroupName, + Maybe<nsCString> aSignatureSchemeName, Maybe<uint16_t> aProtocolVersion, + uint16_t aCertificateTransparencyStatus, Maybe<bool> aIsAcceptedEch, + Maybe<bool> aIsDelegatedCredential, + Maybe<OverridableErrorCategory> aOverridableErrorCategory, + bool aMadeOCSPRequests, bool aUsedPrivateDNS, Maybe<bool> aIsEV, + bool aNPNCompleted, const nsCString& aNegotiatedNPN, bool aResumed, + bool aIsBuiltCertChainRootBuiltInRoot, const nsCString& aPeerId) + : mSecurityState(aSecurityState), + mErrorCode(aErrorCode), + mFailedCertChain(std::move(aFailedCertChain)), + mServerCert(aServerCert), + mSucceededCertChain(std::move(aSucceededCertChain)), + mCipherSuite(aCipherSuite), + mKeaGroupName(aKeaGroupName), + mSignatureSchemeName(aSignatureSchemeName), + mProtocolVersion(aProtocolVersion), + mCertificateTransparencyStatus(aCertificateTransparencyStatus), + mIsAcceptedEch(aIsAcceptedEch), + mIsDelegatedCredential(aIsDelegatedCredential), + mOverridableErrorCategory(aOverridableErrorCategory), + mMadeOCSPRequests(aMadeOCSPRequests), + mUsedPrivateDNS(aUsedPrivateDNS), + mIsEV(aIsEV), + mNPNCompleted(aNPNCompleted), + mNegotiatedNPN(aNegotiatedNPN), + mResumed(aResumed), + mIsBuiltCertChainRootBuiltInRoot(aIsBuiltCertChainRootBuiltInRoot), + mPeerId(aPeerId) {} + +NS_IMPL_ISUPPORTS(TransportSecurityInfo, nsITransportSecurityInfo) + +NS_IMETHODIMP +TransportSecurityInfo::GetSecurityState(uint32_t* state) { + *state = mSecurityState; + return NS_OK; +} + +NS_IMETHODIMP +TransportSecurityInfo::GetErrorCode(int32_t* state) { + *state = mErrorCode; + return NS_OK; +} + +NS_IMETHODIMP +TransportSecurityInfo::GetErrorCodeString(nsAString& aErrorString) { + const char* codeName = PR_ErrorToName(mErrorCode); + aErrorString.Truncate(); + if (codeName) { + aErrorString = NS_ConvertASCIItoUTF16(codeName); + } + + return NS_OK; +} + +// 16786594-0296-4471-8096-8f84497ca428 +#define TRANSPORTSECURITYINFO_CID \ + { \ + 0x16786594, 0x0296, 0x4471, { \ + 0x80, 0x96, 0x8f, 0x84, 0x49, 0x7c, 0xa4, 0x28 \ + } \ + } +static NS_DEFINE_CID(kTransportSecurityInfoCID, TRANSPORTSECURITYINFO_CID); + +// This is a new magic value. However, it re-uses the first 4 bytes +// of the previous value. This is so when older versions attempt to +// read a newer serialized TransportSecurityInfo, they will actually +// fail and return NS_ERROR_FAILURE instead of silently failing. +#define TRANSPORTSECURITYINFOMAGIC \ + { \ + 0xa9863a23, 0x1faa, 0x4169, { \ + 0xb0, 0xd2, 0x81, 0x29, 0xec, 0x7c, 0xb1, 0xde \ + } \ + } +static NS_DEFINE_CID(kTransportSecurityInfoMagic, TRANSPORTSECURITYINFOMAGIC); + +NS_IMETHODIMP +TransportSecurityInfo::ToString(nsACString& aResult) { + RefPtr<nsBase64Encoder> stream(new nsBase64Encoder()); + nsCOMPtr<nsIObjectOutputStream> objStream(NS_NewObjectOutputStream(stream)); + nsresult rv = objStream->WriteID(kTransportSecurityInfoCID); + if (NS_FAILED(rv)) { + return rv; + } + rv = objStream->WriteID(NS_ISUPPORTS_IID); + if (NS_FAILED(rv)) { + return rv; + } + + rv = objStream->WriteID(kTransportSecurityInfoMagic); + if (NS_FAILED(rv)) { + return rv; + } + + rv = objStream->Write32(mSecurityState); + if (NS_FAILED(rv)) { + return rv; + } + // mSubRequestsBrokenSecurity was removed in bug 748809 + rv = objStream->Write32(0); + if (NS_FAILED(rv)) { + return rv; + } + // mSubRequestsNoSecurity was removed in bug 748809 + rv = objStream->Write32(0); + if (NS_FAILED(rv)) { + return rv; + } + rv = objStream->Write32(static_cast<uint32_t>(mErrorCode)); + if (NS_FAILED(rv)) { + return rv; + } + + // Re-purpose mErrorMessageCached to represent serialization version + // If string doesn't match exact version it will be treated as older + // serialization. + rv = objStream->WriteWStringZ(NS_ConvertUTF8toUTF16("9").get()); + if (NS_FAILED(rv)) { + return rv; + } + + // moved from nsISSLStatus + rv = NS_WriteOptionalCompoundObject(objStream, mServerCert, + NS_GET_IID(nsIX509Cert), true); + NS_ENSURE_SUCCESS(rv, rv); + + rv = objStream->Write16(mCipherSuite.isSome() ? *mCipherSuite : 0); + NS_ENSURE_SUCCESS(rv, rv); + + rv = objStream->Write16(mProtocolVersion.isSome() ? *mProtocolVersion : 0); + NS_ENSURE_SUCCESS(rv, rv); + + rv = objStream->Write32(mOverridableErrorCategory.isSome() + ? *mOverridableErrorCategory + : OverridableErrorCategory::ERROR_UNSET); + NS_ENSURE_SUCCESS(rv, rv); + rv = objStream->WriteBoolean(mIsEV.isSome() ? *mIsEV : false); + NS_ENSURE_SUCCESS(rv, rv); + + rv = objStream->WriteBoolean(mIsEV.isSome()); // previously mHasIsEV + NS_ENSURE_SUCCESS(rv, rv); + rv = objStream->WriteBoolean( + mCipherSuite.isSome()); // previously mHaveCipherSuiteAndProtocol + NS_ENSURE_SUCCESS(rv, rv); + rv = objStream->WriteBoolean( + mOverridableErrorCategory.isSome()); // previously mHaveCertErrorBits + NS_ENSURE_SUCCESS(rv, rv); + + rv = objStream->Write16(mCertificateTransparencyStatus); + NS_ENSURE_SUCCESS(rv, rv); + + rv = objStream->WriteStringZ(mKeaGroupName.isSome() ? (*mKeaGroupName).get() + : ""); + NS_ENSURE_SUCCESS(rv, rv); + + rv = objStream->WriteStringZ( + mSignatureSchemeName.isSome() ? (*mSignatureSchemeName).get() : ""); + NS_ENSURE_SUCCESS(rv, rv); + + rv = objStream->Write16(mSucceededCertChain.Length()); + NS_ENSURE_SUCCESS(rv, rv); + + for (const auto& cert : mSucceededCertChain) { + rv = objStream->WriteCompoundObject(cert, NS_GET_IID(nsIX509Cert), true); + NS_ENSURE_SUCCESS(rv, rv); + } + // END moved from nsISSLStatus + rv = objStream->Write16(mFailedCertChain.Length()); + NS_ENSURE_SUCCESS(rv, rv); + for (const auto& cert : mFailedCertChain) { + rv = objStream->WriteCompoundObject(cert, NS_GET_IID(nsIX509Cert), true); + NS_ENSURE_SUCCESS(rv, rv); + } + + rv = objStream->WriteBoolean( + mIsDelegatedCredential.isSome() ? *mIsDelegatedCredential : false); + if (NS_FAILED(rv)) { + return rv; + } + + rv = objStream->WriteBoolean(mNPNCompleted); + if (NS_FAILED(rv)) { + return rv; + } + + rv = objStream->WriteStringZ(mNegotiatedNPN.get()); + if (NS_FAILED(rv)) { + return rv; + } + + rv = objStream->WriteBoolean(mResumed); + if (NS_FAILED(rv)) { + return rv; + } + + rv = objStream->WriteBoolean(mIsBuiltCertChainRootBuiltInRoot); + if (NS_FAILED(rv)) { + return rv; + } + + rv = objStream->WriteBoolean(mIsAcceptedEch.isSome() ? *mIsAcceptedEch + : false); + if (NS_FAILED(rv)) { + return rv; + } + + rv = objStream->WriteStringZ(mPeerId.get()); + if (NS_FAILED(rv)) { + return rv; + } + + rv = objStream->WriteBoolean(mMadeOCSPRequests); + if (NS_FAILED(rv)) { + return rv; + } + + rv = objStream->WriteBoolean(mUsedPrivateDNS); + if (NS_FAILED(rv)) { + return rv; + } + + rv = stream->Finish(aResult); + if (NS_FAILED(rv)) { + return rv; + } + + return NS_OK; +} + +nsresult TransportSecurityInfo::ReadOldOverridableErrorBits( + nsIObjectInputStream* aStream, + OverridableErrorCategory& aOverridableErrorCategory) { + bool isDomainMismatch; + nsresult rv = aStream->ReadBoolean(&isDomainMismatch); + NS_ENSURE_SUCCESS(rv, rv); + bool isNotValidAtThisTime; + rv = aStream->ReadBoolean(&isNotValidAtThisTime); + NS_ENSURE_SUCCESS(rv, rv); + bool isUntrusted; + rv = aStream->ReadBoolean(&isUntrusted); + NS_ENSURE_SUCCESS(rv, rv); + if (isUntrusted) { + aOverridableErrorCategory = + nsITransportSecurityInfo::OverridableErrorCategory::ERROR_TRUST; + } else if (isDomainMismatch) { + aOverridableErrorCategory = + nsITransportSecurityInfo::OverridableErrorCategory::ERROR_DOMAIN; + } else if (isNotValidAtThisTime) { + aOverridableErrorCategory = + nsITransportSecurityInfo::OverridableErrorCategory::ERROR_TIME; + } else { + aOverridableErrorCategory = + nsITransportSecurityInfo::OverridableErrorCategory::ERROR_UNSET; + } + + return NS_OK; +} + +// This is for backward compatibility to be able to read nsISSLStatus +// serialized object. +nsresult TransportSecurityInfo::ReadSSLStatus( + nsIObjectInputStream* aStream, nsCOMPtr<nsIX509Cert>& aServerCert, + Maybe<uint16_t>& aCipherSuite, Maybe<uint16_t>& aProtocolVersion, + Maybe<OverridableErrorCategory>& aOverridableErrorCategory, + Maybe<bool>& aIsEV, uint16_t& aCertificateTransparencyStatus, + Maybe<nsCString>& aKeaGroupName, Maybe<nsCString>& aSignatureSchemeName, + nsTArray<RefPtr<nsIX509Cert>>& aSucceededCertChain) { + bool nsISSLStatusPresent; + nsresult rv = aStream->ReadBoolean(&nsISSLStatusPresent); + NS_ENSURE_SUCCESS(rv, rv); + if (!nsISSLStatusPresent) { + return NS_OK; + } + // nsISSLStatus present. Prepare to read elements. + // Throw away cid, validate iid + nsCID cid; + nsIID iid; + rv = aStream->ReadID(&cid); + NS_ENSURE_SUCCESS(rv, rv); + rv = aStream->ReadID(&iid); + NS_ENSURE_SUCCESS(rv, rv); + + static const nsIID nsSSLStatusIID = { + 0xfa9ba95b, + 0xca3b, + 0x498a, + {0xb8, 0x89, 0x7c, 0x79, 0xcf, 0x28, 0xfe, 0xe8}}; + if (!iid.Equals(nsSSLStatusIID)) { + return NS_ERROR_UNEXPECTED; + } + + nsCOMPtr<nsISupports> cert; + rv = aStream->ReadObject(true, getter_AddRefs(cert)); + NS_ENSURE_SUCCESS(rv, rv); + + if (cert) { + aServerCert = do_QueryInterface(cert); + if (!aServerCert) { + return NS_NOINTERFACE; + } + } + + uint16_t cipherSuite; + rv = aStream->Read16(&cipherSuite); + NS_ENSURE_SUCCESS(rv, rv); + + // The code below is a workaround to allow serializing new fields + // while preserving binary compatibility with older streams. For more details + // on the binary compatibility requirement, refer to bug 1248628. + // Here, we take advantage of the fact that mProtocolVersion was originally + // stored as a 16 bits integer, but the highest 8 bits were never used. + // These bits are now used for stream versioning. + uint16_t protocolVersionAndStreamFormatVersion; + rv = aStream->Read16(&protocolVersionAndStreamFormatVersion); + NS_ENSURE_SUCCESS(rv, rv); + const uint8_t streamFormatVersion = + (protocolVersionAndStreamFormatVersion >> 8) & 0xFF; + + OverridableErrorCategory overridableErrorCategory; + rv = ReadOldOverridableErrorBits(aStream, overridableErrorCategory); + NS_ENSURE_SUCCESS(rv, rv); + bool isEV; + rv = aStream->ReadBoolean(&isEV); + NS_ENSURE_SUCCESS(rv, rv); + bool hasIsEVStatus; + rv = aStream->ReadBoolean(&hasIsEVStatus); + NS_ENSURE_SUCCESS(rv, rv); + if (hasIsEVStatus) { + aIsEV.emplace(isEV); + } + bool haveCipherSuiteAndProtocol; + rv = aStream->ReadBoolean(&haveCipherSuiteAndProtocol); + if (haveCipherSuiteAndProtocol) { + aCipherSuite.emplace(cipherSuite); + aProtocolVersion.emplace(protocolVersionAndStreamFormatVersion & 0xFF); + } + NS_ENSURE_SUCCESS(rv, rv); + bool haveCertErrorBits; + rv = aStream->ReadBoolean(&haveCertErrorBits); + NS_ENSURE_SUCCESS(rv, rv); + if (haveCertErrorBits) { + aOverridableErrorCategory.emplace(overridableErrorCategory); + } + + // Added in version 1 (see bug 1305289). + if (streamFormatVersion >= 1) { + rv = aStream->Read16(&aCertificateTransparencyStatus); + NS_ENSURE_SUCCESS(rv, rv); + } + + // Added in version 2 (see bug 1304923). + if (streamFormatVersion >= 2) { + nsCString keaGroupName; + rv = aStream->ReadCString(keaGroupName); + NS_ENSURE_SUCCESS(rv, rv); + if (haveCipherSuiteAndProtocol) { + aKeaGroupName.emplace(keaGroupName); + } + + nsCString signatureSchemeName; + rv = aStream->ReadCString(signatureSchemeName); + NS_ENSURE_SUCCESS(rv, rv); + if (haveCipherSuiteAndProtocol) { + aSignatureSchemeName.emplace(signatureSchemeName); + } + } + + // Added in version 3 (see bug 1406856). + if (streamFormatVersion >= 3) { + rv = ReadCertList(aStream, aSucceededCertChain); + if (NS_FAILED(rv)) { + return rv; + } + + // Read only to consume bytes from the stream. + nsTArray<RefPtr<nsIX509Cert>> failedCertChain; + rv = ReadCertList(aStream, failedCertChain); + if (NS_FAILED(rv)) { + return rv; + } + } + return rv; +} + +// This is for backward compatability to be able to read nsIX509CertList +// serialized object. +nsresult TransportSecurityInfo::ReadCertList( + nsIObjectInputStream* aStream, nsTArray<RefPtr<nsIX509Cert>>& aCertList) { + bool nsIX509CertListPresent; + + nsresult rv = aStream->ReadBoolean(&nsIX509CertListPresent); + NS_ENSURE_SUCCESS(rv, rv); + if (!nsIX509CertListPresent) { + return NS_OK; + } + // nsIX509CertList present. Prepare to read elements. + // Throw away cid, validate iid + nsCID cid; + nsIID iid; + rv = aStream->ReadID(&cid); + NS_ENSURE_SUCCESS(rv, rv); + rv = aStream->ReadID(&iid); + NS_ENSURE_SUCCESS(rv, rv); + + static const nsIID nsIX509CertListIID = { + 0xae74cda5, + 0xcd2f, + 0x473f, + {0x96, 0xf5, 0xf0, 0xb7, 0xff, 0xf6, 0x2c, 0x68}}; + + if (!iid.Equals(nsIX509CertListIID)) { + return NS_ERROR_UNEXPECTED; + } + + uint32_t certListSize; + rv = aStream->Read32(&certListSize); + NS_ENSURE_SUCCESS(rv, rv); + + return ReadCertificatesFromStream(aStream, certListSize, aCertList); +} + +nsresult TransportSecurityInfo::ReadCertificatesFromStream( + nsIObjectInputStream* aStream, uint32_t aSize, + nsTArray<RefPtr<nsIX509Cert>>& aCertList) { + nsresult rv; + for (uint32_t i = 0; i < aSize; ++i) { + nsCOMPtr<nsISupports> support; + rv = aStream->ReadObject(true, getter_AddRefs(support)); + NS_ENSURE_SUCCESS(rv, rv); + nsCOMPtr<nsIX509Cert> cert = do_QueryInterface(support); + if (!cert) { + return NS_ERROR_UNEXPECTED; + } + RefPtr<nsIX509Cert> castedCert(cert.get()); + aCertList.AppendElement(castedCert); + } + return NS_OK; +} + +static nsITransportSecurityInfo::OverridableErrorCategory +IntToOverridableErrorCategory(uint32_t intVal) { + switch (intVal) { + case static_cast<uint32_t>( + nsITransportSecurityInfo::OverridableErrorCategory::ERROR_TRUST): + return nsITransportSecurityInfo::OverridableErrorCategory::ERROR_TRUST; + case static_cast<uint32_t>( + nsITransportSecurityInfo::OverridableErrorCategory::ERROR_DOMAIN): + return nsITransportSecurityInfo::OverridableErrorCategory::ERROR_DOMAIN; + case static_cast<uint32_t>( + nsITransportSecurityInfo::OverridableErrorCategory::ERROR_TIME): + return nsITransportSecurityInfo::OverridableErrorCategory::ERROR_TIME; + default: + break; + } + return nsITransportSecurityInfo::OverridableErrorCategory::ERROR_UNSET; +} + +nsresult TransportSecurityInfo::Read(const nsCString& aSerializedSecurityInfo, + nsITransportSecurityInfo** aResult) { + *aResult = nullptr; + + nsCString decodedSecurityInfo; + nsresult rv = Base64Decode(aSerializedSecurityInfo, decodedSecurityInfo); + if (NS_FAILED(rv)) { + return rv; + } + nsCOMPtr<nsIInputStream> inputStream; + rv = NS_NewCStringInputStream(getter_AddRefs(inputStream), + std::move(decodedSecurityInfo)); + if (NS_FAILED(rv)) { + return rv; + } + nsCOMPtr<nsIObjectInputStream> objStream( + NS_NewObjectInputStream(inputStream)); + if (!objStream) { + return rv; + } + + nsCID cid; + rv = objStream->ReadID(&cid); + if (NS_FAILED(rv)) { + return rv; + } + if (!cid.Equals(kTransportSecurityInfoCID)) { + return NS_ERROR_UNEXPECTED; + } + nsIID iid; + rv = objStream->ReadID(&iid); + if (NS_FAILED(rv)) { + return rv; + } + if (!iid.Equals(NS_ISUPPORTS_IID)) { + return rv; + } + + nsID id; + rv = objStream->ReadID(&id); + if (NS_FAILED(rv)) { + return rv; + } + if (!id.Equals(kTransportSecurityInfoMagic)) { + return NS_ERROR_UNEXPECTED; + } + + uint32_t aSecurityState = 0; + PRErrorCode aErrorCode = 0; + nsTArray<RefPtr<nsIX509Cert>> aFailedCertChain; + nsCOMPtr<nsIX509Cert> aServerCert; + nsTArray<RefPtr<nsIX509Cert>> aSucceededCertChain; + Maybe<uint16_t> aCipherSuite; + Maybe<nsCString> aKeaGroupName; + Maybe<nsCString> aSignatureSchemeName; + Maybe<uint16_t> aProtocolVersion; + uint16_t aCertificateTransparencyStatus; + Maybe<bool> aIsAcceptedEch; + Maybe<bool> aIsDelegatedCredential; + Maybe<OverridableErrorCategory> aOverridableErrorCategory; + bool aMadeOCSPRequests = false; + bool aUsedPrivateDNS = false; + Maybe<bool> aIsEV; + bool aNPNCompleted = false; + nsCString aNegotiatedNPN; + bool aResumed = false; + bool aIsBuiltCertChainRootBuiltInRoot = false; + nsCString aPeerId; + rv = objStream->Read32(&aSecurityState); + if (NS_FAILED(rv)) { + return rv; + } + // mSubRequestsBrokenSecurity was removed in bug 748809 + uint32_t unusedSubRequestsBrokenSecurity; + rv = objStream->Read32(&unusedSubRequestsBrokenSecurity); + if (NS_FAILED(rv)) { + return rv; + } + // mSubRequestsNoSecurity was removed in bug 748809 + uint32_t unusedSubRequestsNoSecurity; + rv = objStream->Read32(&unusedSubRequestsNoSecurity); + if (NS_FAILED(rv)) { + return rv; + } + uint32_t errorCode; + rv = objStream->Read32(&errorCode); + if (NS_FAILED(rv)) { + return rv; + } + // PRErrorCode will be a negative value + aErrorCode = static_cast<PRErrorCode>(errorCode); + + // Re-purpose mErrorMessageCached to represent serialization version + // If string doesn't match exact version it will be treated as older + // serialization. + nsAutoString serVersion; + rv = objStream->ReadString(serVersion); + if (NS_FAILED(rv)) { + return rv; + } + + int32_t serVersionParsedToInt = 0; + + if (!serVersion.IsEmpty()) { + char first = serVersion.First(); + // Check whether the first character of serVersion is a number + // since ToInteger() skipps some non integer values. + if (first >= '0' && first <= '9') { + nsresult error = NS_OK; + serVersionParsedToInt = serVersion.ToInteger(&error); + if (NS_FAILED(error)) { + return error; + } + } + } + + // moved from nsISSLStatus + if (serVersionParsedToInt < 1) { + // nsISSLStatus may be present + rv = ReadSSLStatus(objStream, aServerCert, aCipherSuite, aProtocolVersion, + aOverridableErrorCategory, aIsEV, + aCertificateTransparencyStatus, aKeaGroupName, + aSignatureSchemeName, aSucceededCertChain); + NS_ENSURE_SUCCESS(rv, rv); + } else { + nsCOMPtr<nsISupports> cert; + rv = NS_ReadOptionalObject(objStream, true, getter_AddRefs(cert)); + NS_ENSURE_SUCCESS(rv, rv); + + if (cert) { + aServerCert = do_QueryInterface(cert); + if (!aServerCert) { + return NS_NOINTERFACE; + } + } + + uint16_t cipherSuite; + rv = objStream->Read16(&cipherSuite); + NS_ENSURE_SUCCESS(rv, rv); + + uint16_t protocolVersion; + rv = objStream->Read16(&protocolVersion); + NS_ENSURE_SUCCESS(rv, rv); + + OverridableErrorCategory overridableErrorCategory; + if (serVersionParsedToInt < 8) { + rv = ReadOldOverridableErrorBits(objStream, overridableErrorCategory); + NS_ENSURE_SUCCESS(rv, rv); + } else { + uint32_t overridableErrorCategoryInt; + rv = objStream->Read32(&overridableErrorCategoryInt); + NS_ENSURE_SUCCESS(rv, rv); + overridableErrorCategory = + IntToOverridableErrorCategory(overridableErrorCategoryInt); + } + bool isEV; + rv = objStream->ReadBoolean(&isEV); + NS_ENSURE_SUCCESS(rv, rv); + bool hasIsEVStatus; + rv = objStream->ReadBoolean(&hasIsEVStatus); + NS_ENSURE_SUCCESS(rv, rv); + if (hasIsEVStatus) { + aIsEV.emplace(isEV); + } + bool haveCipherSuiteAndProtocol; + rv = objStream->ReadBoolean(&haveCipherSuiteAndProtocol); + NS_ENSURE_SUCCESS(rv, rv); + if (haveCipherSuiteAndProtocol) { + aCipherSuite.emplace(cipherSuite); + aProtocolVersion.emplace(protocolVersion); + } + bool haveCertErrorBits; + rv = objStream->ReadBoolean(&haveCertErrorBits); + NS_ENSURE_SUCCESS(rv, rv); + if (haveCertErrorBits) { + aOverridableErrorCategory.emplace(overridableErrorCategory); + } + + rv = objStream->Read16(&aCertificateTransparencyStatus); + NS_ENSURE_SUCCESS(rv, rv); + + nsCString keaGroupName; + rv = objStream->ReadCString(keaGroupName); + NS_ENSURE_SUCCESS(rv, rv); + if (haveCipherSuiteAndProtocol) { + aKeaGroupName.emplace(keaGroupName); + } + + nsCString signatureSchemeName; + rv = objStream->ReadCString(signatureSchemeName); + NS_ENSURE_SUCCESS(rv, rv); + if (haveCipherSuiteAndProtocol) { + aSignatureSchemeName.emplace(signatureSchemeName); + } + + if (serVersionParsedToInt < 3) { + // The old data structure of certList(nsIX509CertList) presents + rv = ReadCertList(objStream, aSucceededCertChain); + NS_ENSURE_SUCCESS(rv, rv); + } else { + uint16_t certCount; + rv = objStream->Read16(&certCount); + NS_ENSURE_SUCCESS(rv, rv); + + rv = + ReadCertificatesFromStream(objStream, certCount, aSucceededCertChain); + NS_ENSURE_SUCCESS(rv, rv); + } + } + // END moved from nsISSLStatus + if (serVersionParsedToInt < 3) { + // The old data structure of certList(nsIX509CertList) presents + rv = ReadCertList(objStream, aFailedCertChain); + NS_ENSURE_SUCCESS(rv, rv); + } else { + uint16_t certCount; + rv = objStream->Read16(&certCount); + NS_ENSURE_SUCCESS(rv, rv); + + rv = ReadCertificatesFromStream(objStream, certCount, aFailedCertChain); + NS_ENSURE_SUCCESS(rv, rv); + } + + // mIsDelegatedCredential added in bug 1562773 + if (serVersionParsedToInt >= 2) { + bool isDelegatedCredential; + rv = objStream->ReadBoolean(&isDelegatedCredential); + if (NS_FAILED(rv)) { + return rv; + } + // If aCipherSuite is Some, the serialized TransportSecurityinfo had its + // cipher suite and protocol information, which means it has this + // information. + if (aCipherSuite.isSome()) { + aIsDelegatedCredential.emplace(isDelegatedCredential); + } + } + + // mNPNCompleted, mNegotiatedNPN, mResumed added in bug 1584104 + if (serVersionParsedToInt >= 4) { + rv = objStream->ReadBoolean(&aNPNCompleted); + if (NS_FAILED(rv)) { + return rv; + } + + rv = objStream->ReadCString(aNegotiatedNPN); + if (NS_FAILED(rv)) { + return rv; + } + + rv = objStream->ReadBoolean(&aResumed); + if (NS_FAILED(rv)) { + return rv; + } + } + + // mIsBuiltCertChainRootBuiltInRoot added in bug 1485652 + if (serVersionParsedToInt >= 5) { + rv = objStream->ReadBoolean(&aIsBuiltCertChainRootBuiltInRoot); + if (NS_FAILED(rv)) { + return rv; + } + } + + // mIsAcceptedEch added in bug 1678079 + if (serVersionParsedToInt >= 6) { + bool isAcceptedEch; + rv = objStream->ReadBoolean(&isAcceptedEch); + if (NS_FAILED(rv)) { + return rv; + } + // If aCipherSuite is Some, the serialized TransportSecurityinfo had its + // cipher suite and protocol information, which means it has this + // information. + if (aCipherSuite.isSome()) { + aIsAcceptedEch.emplace(isAcceptedEch); + } + } + + // mPeerId added in bug 1738664 + if (serVersionParsedToInt >= 7) { + rv = objStream->ReadCString(aPeerId); + if (NS_FAILED(rv)) { + return rv; + } + } + + if (serVersionParsedToInt >= 9) { + rv = objStream->ReadBoolean(&aMadeOCSPRequests); + if (NS_FAILED(rv)) { + return rv; + } + + rv = objStream->ReadBoolean(&aUsedPrivateDNS); + if (NS_FAILED(rv)) { + return rv; + }; + } + + RefPtr<nsITransportSecurityInfo> securityInfo(new TransportSecurityInfo( + aSecurityState, aErrorCode, std::move(aFailedCertChain), aServerCert, + std::move(aSucceededCertChain), aCipherSuite, aKeaGroupName, + aSignatureSchemeName, aProtocolVersion, aCertificateTransparencyStatus, + aIsAcceptedEch, aIsDelegatedCredential, aOverridableErrorCategory, + aMadeOCSPRequests, aUsedPrivateDNS, aIsEV, aNPNCompleted, aNegotiatedNPN, + aResumed, aIsBuiltCertChainRootBuiltInRoot, aPeerId)); + securityInfo.forget(aResult); + return NS_OK; +} + +void TransportSecurityInfo::SerializeToIPC(IPC::MessageWriter* aWriter) { + WriteParam(aWriter, mSecurityState); + WriteParam(aWriter, mErrorCode); + WriteParam(aWriter, mFailedCertChain); + WriteParam(aWriter, mServerCert); + WriteParam(aWriter, mSucceededCertChain); + WriteParam(aWriter, mCipherSuite); + WriteParam(aWriter, mKeaGroupName); + WriteParam(aWriter, mSignatureSchemeName); + WriteParam(aWriter, mProtocolVersion); + WriteParam(aWriter, mCertificateTransparencyStatus); + WriteParam(aWriter, mIsAcceptedEch); + WriteParam(aWriter, mIsDelegatedCredential); + WriteParam(aWriter, mOverridableErrorCategory); + WriteParam(aWriter, mMadeOCSPRequests); + WriteParam(aWriter, mUsedPrivateDNS); + WriteParam(aWriter, mIsEV); + WriteParam(aWriter, mNPNCompleted); + WriteParam(aWriter, mNegotiatedNPN); + WriteParam(aWriter, mResumed); + WriteParam(aWriter, mIsBuiltCertChainRootBuiltInRoot); + WriteParam(aWriter, mPeerId); +} + +bool TransportSecurityInfo::DeserializeFromIPC( + IPC::MessageReader* aReader, RefPtr<nsITransportSecurityInfo>* aResult) { + uint32_t aSecurityState; + PRErrorCode aErrorCode; + nsTArray<RefPtr<nsIX509Cert>> aFailedCertChain; + nsCOMPtr<nsIX509Cert> aServerCert; + nsTArray<RefPtr<nsIX509Cert>> aSucceededCertChain; + Maybe<uint16_t> aCipherSuite; + Maybe<nsCString> aKeaGroupName; + Maybe<nsCString> aSignatureSchemeName; + Maybe<uint16_t> aProtocolVersion; + uint16_t aCertificateTransparencyStatus; + Maybe<bool> aIsAcceptedEch; + Maybe<bool> aIsDelegatedCredential; + Maybe<OverridableErrorCategory> aOverridableErrorCategory; + bool aMadeOCSPRequests; + bool aUsedPrivateDNS; + Maybe<bool> aIsEV; + bool aNPNCompleted; + nsCString aNegotiatedNPN; + bool aResumed; + bool aIsBuiltCertChainRootBuiltInRoot; + nsCString aPeerId; + + if (!ReadParam(aReader, &aSecurityState) || + !ReadParam(aReader, &aErrorCode) || + !ReadParam(aReader, &aFailedCertChain) || + !ReadParam(aReader, &aServerCert) || + !ReadParam(aReader, &aSucceededCertChain) || + !ReadParam(aReader, &aCipherSuite) || + !ReadParam(aReader, &aKeaGroupName) || + !ReadParam(aReader, &aSignatureSchemeName) || + !ReadParam(aReader, &aProtocolVersion) || + !ReadParam(aReader, &aCertificateTransparencyStatus) || + !ReadParam(aReader, &aIsAcceptedEch) || + !ReadParam(aReader, &aIsDelegatedCredential) || + !ReadParam(aReader, &aOverridableErrorCategory) || + !ReadParam(aReader, &aMadeOCSPRequests) || + !ReadParam(aReader, &aUsedPrivateDNS) || !ReadParam(aReader, &aIsEV) || + !ReadParam(aReader, &aNPNCompleted) || + !ReadParam(aReader, &aNegotiatedNPN) || !ReadParam(aReader, &aResumed) || + !ReadParam(aReader, &aIsBuiltCertChainRootBuiltInRoot) || + !ReadParam(aReader, &aPeerId)) { + return false; + } + + RefPtr<nsITransportSecurityInfo> securityInfo(new TransportSecurityInfo( + aSecurityState, aErrorCode, std::move(aFailedCertChain), aServerCert, + std::move(aSucceededCertChain), aCipherSuite, aKeaGroupName, + aSignatureSchemeName, aProtocolVersion, aCertificateTransparencyStatus, + aIsAcceptedEch, aIsDelegatedCredential, aOverridableErrorCategory, + aMadeOCSPRequests, aUsedPrivateDNS, aIsEV, aNPNCompleted, aNegotiatedNPN, + aResumed, aIsBuiltCertChainRootBuiltInRoot, aPeerId)); + *aResult = std::move(securityInfo); + return true; +} + +NS_IMETHODIMP +TransportSecurityInfo::GetFailedCertChain( + nsTArray<RefPtr<nsIX509Cert>>& aFailedCertChain) { + MOZ_ASSERT(aFailedCertChain.IsEmpty()); + if (!aFailedCertChain.IsEmpty()) { + return NS_ERROR_INVALID_ARG; + } + aFailedCertChain.AppendElements(mFailedCertChain); + return NS_OK; +} + +NS_IMETHODIMP TransportSecurityInfo::GetServerCert(nsIX509Cert** aServerCert) { + NS_ENSURE_ARG_POINTER(aServerCert); + nsCOMPtr<nsIX509Cert> cert = mServerCert; + cert.forget(aServerCert); + return NS_OK; +} + +NS_IMETHODIMP +TransportSecurityInfo::GetSucceededCertChain( + nsTArray<RefPtr<nsIX509Cert>>& aSucceededCertChain) { + MOZ_ASSERT(aSucceededCertChain.IsEmpty()); + if (!aSucceededCertChain.IsEmpty()) { + return NS_ERROR_INVALID_ARG; + } + aSucceededCertChain.AppendElements(mSucceededCertChain); + return NS_OK; +} + +NS_IMETHODIMP TransportSecurityInfo::GetIsBuiltCertChainRootBuiltInRoot( + bool* aIsBuiltInRoot) { + NS_ENSURE_ARG_POINTER(aIsBuiltInRoot); + *aIsBuiltInRoot = mIsBuiltCertChainRootBuiltInRoot; + return NS_OK; +} + +NS_IMETHODIMP +TransportSecurityInfo::GetCipherName(nsACString& aCipherName) { + if (mCipherSuite.isNothing()) { + return NS_ERROR_NOT_AVAILABLE; + } + SSLCipherSuiteInfo cipherInfo; + if (SSL_GetCipherSuiteInfo(*mCipherSuite, &cipherInfo, sizeof(cipherInfo)) != + SECSuccess) { + return NS_ERROR_FAILURE; + } + + aCipherName.Assign(cipherInfo.cipherSuiteName); + return NS_OK; +} + +NS_IMETHODIMP +TransportSecurityInfo::GetKeyLength(uint32_t* aKeyLength) { + NS_ENSURE_ARG_POINTER(aKeyLength); + + if (mCipherSuite.isNothing()) { + return NS_ERROR_NOT_AVAILABLE; + } + SSLCipherSuiteInfo cipherInfo; + if (SSL_GetCipherSuiteInfo(*mCipherSuite, &cipherInfo, sizeof(cipherInfo)) != + SECSuccess) { + return NS_ERROR_FAILURE; + } + + *aKeyLength = cipherInfo.symKeyBits; + return NS_OK; +} + +NS_IMETHODIMP +TransportSecurityInfo::GetSecretKeyLength(uint32_t* aSecretKeyLength) { + NS_ENSURE_ARG_POINTER(aSecretKeyLength); + + if (mCipherSuite.isNothing()) { + return NS_ERROR_NOT_AVAILABLE; + } + SSLCipherSuiteInfo cipherInfo; + if (SSL_GetCipherSuiteInfo(*mCipherSuite, &cipherInfo, sizeof(cipherInfo)) != + SECSuccess) { + return NS_ERROR_FAILURE; + } + + *aSecretKeyLength = cipherInfo.effectiveKeyBits; + return NS_OK; +} + +NS_IMETHODIMP +TransportSecurityInfo::GetKeaGroupName(nsACString& aKeaGroupName) { + if (mKeaGroupName.isNothing()) { + return NS_ERROR_NOT_AVAILABLE; + } + aKeaGroupName.Assign(*mKeaGroupName); + return NS_OK; +} + +NS_IMETHODIMP +TransportSecurityInfo::GetSignatureSchemeName(nsACString& aSignatureScheme) { + if (mSignatureSchemeName.isNothing()) { + return NS_ERROR_NOT_AVAILABLE; + } + aSignatureScheme.Assign(*mSignatureSchemeName); + return NS_OK; +} + +NS_IMETHODIMP +TransportSecurityInfo::GetProtocolVersion(uint16_t* aProtocolVersion) { + if (mProtocolVersion.isNothing()) { + return NS_ERROR_NOT_AVAILABLE; + } + *aProtocolVersion = *mProtocolVersion; + return NS_OK; +} + +NS_IMETHODIMP +TransportSecurityInfo::GetCertificateTransparencyStatus( + uint16_t* aCertificateTransparencyStatus) { + NS_ENSURE_ARG_POINTER(aCertificateTransparencyStatus); + + *aCertificateTransparencyStatus = mCertificateTransparencyStatus; + return NS_OK; +} + +NS_IMETHODIMP +TransportSecurityInfo::GetMadeOCSPRequests(bool* aMadeOCSPRequests) { + *aMadeOCSPRequests = mMadeOCSPRequests; + return NS_OK; +} + +NS_IMETHODIMP +TransportSecurityInfo::GetUsedPrivateDNS(bool* aUsedPrivateDNS) { + *aUsedPrivateDNS = mUsedPrivateDNS; + return NS_OK; +} + +// static +uint16_t TransportSecurityInfo::ConvertCertificateTransparencyInfoToStatus( + const mozilla::psm::CertificateTransparencyInfo& info) { + using mozilla::ct::CTPolicyCompliance; + + if (!info.enabled) { + // CT disabled. + return nsITransportSecurityInfo::CERTIFICATE_TRANSPARENCY_NOT_APPLICABLE; + } + + switch (info.policyCompliance) { + case CTPolicyCompliance::Compliant: + return nsITransportSecurityInfo:: + CERTIFICATE_TRANSPARENCY_POLICY_COMPLIANT; + case CTPolicyCompliance::NotEnoughScts: + return nsITransportSecurityInfo :: + CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS; + case CTPolicyCompliance::NotDiverseScts: + return nsITransportSecurityInfo :: + CERTIFICATE_TRANSPARENCY_POLICY_NOT_DIVERSE_SCTS; + case CTPolicyCompliance::Unknown: + default: + MOZ_ASSERT_UNREACHABLE("Unexpected CTPolicyCompliance type"); + } + + return nsITransportSecurityInfo::CERTIFICATE_TRANSPARENCY_NOT_APPLICABLE; +} + +NS_IMETHODIMP +TransportSecurityInfo::GetOverridableErrorCategory( + OverridableErrorCategory* aOverridableErrorCategory) { + NS_ENSURE_ARG_POINTER(aOverridableErrorCategory); + + if (mOverridableErrorCategory.isSome()) { + *aOverridableErrorCategory = *mOverridableErrorCategory; + } else { + *aOverridableErrorCategory = OverridableErrorCategory::ERROR_UNSET; + } + return NS_OK; +} + +NS_IMETHODIMP +TransportSecurityInfo::GetIsExtendedValidation(bool* aIsEV) { + NS_ENSURE_ARG_POINTER(aIsEV); + + *aIsEV = false; + // Never allow bad certs for EV, regardless of overrides. + if (mOverridableErrorCategory.isSome()) { + return NS_OK; + } + + if (!mIsEV.isSome()) { + return NS_ERROR_NOT_AVAILABLE; + } + + *aIsEV = *mIsEV; + return NS_OK; +} + +NS_IMETHODIMP +TransportSecurityInfo::GetIsAcceptedEch(bool* aIsAcceptedEch) { + NS_ENSURE_ARG_POINTER(aIsAcceptedEch); + + if (mIsAcceptedEch.isNothing()) { + return NS_ERROR_NOT_AVAILABLE; + } + *aIsAcceptedEch = *mIsAcceptedEch; + return NS_OK; +} + +NS_IMETHODIMP +TransportSecurityInfo::GetIsDelegatedCredential(bool* aIsDelegatedCredential) { + NS_ENSURE_ARG_POINTER(aIsDelegatedCredential); + + if (mIsDelegatedCredential.isNothing()) { + return NS_ERROR_NOT_AVAILABLE; + } + *aIsDelegatedCredential = *mIsDelegatedCredential; + return NS_OK; +} + +NS_IMETHODIMP +TransportSecurityInfo::GetNegotiatedNPN(nsACString& aNegotiatedNPN) { + if (!mNPNCompleted) { + return NS_ERROR_NOT_CONNECTED; + } + + aNegotiatedNPN = mNegotiatedNPN; + return NS_OK; +} + +NS_IMETHODIMP +TransportSecurityInfo::GetResumed(bool* aResumed) { + NS_ENSURE_ARG_POINTER(aResumed); + *aResumed = mResumed; + return NS_OK; +} + +NS_IMETHODIMP +TransportSecurityInfo::GetPeerId(nsACString& aResult) { + aResult.Assign(mPeerId); + return NS_OK; +} + +} // namespace psm +} // namespace mozilla diff --git a/security/manager/ssl/TransportSecurityInfo.h b/security/manager/ssl/TransportSecurityInfo.h new file mode 100644 index 0000000000..648e80b7e2 --- /dev/null +++ b/security/manager/ssl/TransportSecurityInfo.h @@ -0,0 +1,107 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef TransportSecurityInfo_h +#define TransportSecurityInfo_h + +#include "CertVerifier.h" // For CertificateTransparencyInfo, EVStatus +#include "ScopedNSSTypes.h" +#include "mozilla/Assertions.h" +#include "mozilla/BasePrincipal.h" +#include "mozilla/Components.h" +#include "mozilla/Maybe.h" +#include "mozilla/RefPtr.h" +#include "mozilla/ipc/TransportSecurityInfoUtils.h" +#include "mozpkix/pkixtypes.h" +#include "nsIObjectInputStream.h" +#include "nsITransportSecurityInfo.h" +#include "nsIX509Cert.h" +#include "nsString.h" + +namespace mozilla { +namespace psm { + +// TransportSecurityInfo implements nsITransportSecurityInfo, which is a +// collection of attributes describing the outcome of a TLS handshake. It is +// constant - once created, it cannot be modified. It should probably not be +// instantiated directly, but rather accessed via +// nsITLSSocketControl.securityInfo. +class TransportSecurityInfo : public nsITransportSecurityInfo { + public: + TransportSecurityInfo( + uint32_t aSecurityState, PRErrorCode aErrorCode, + nsTArray<RefPtr<nsIX509Cert>>&& aFailedCertChain, + nsCOMPtr<nsIX509Cert>& aServerCert, + nsTArray<RefPtr<nsIX509Cert>>&& aSucceededCertChain, + Maybe<uint16_t> aCipherSuite, Maybe<nsCString> aKeaGroupName, + Maybe<nsCString> aSignatureSchemeName, Maybe<uint16_t> aProtocolVersion, + uint16_t aCertificateTransparencyStatus, Maybe<bool> aIsAcceptedEch, + Maybe<bool> aIsDelegatedCredential, + Maybe<OverridableErrorCategory> aOverridableErrorCategory, + bool aMadeOCSPRequests, bool aUsedPrivateDNS, Maybe<bool> aIsEV, + bool aNPNCompleted, const nsCString& aNegotiatedNPN, bool aResumed, + bool aIsBuiltCertChainRootBuiltInRoot, const nsCString& aPeerId); + + NS_DECL_THREADSAFE_ISUPPORTS + NS_DECL_NSITRANSPORTSECURITYINFO + + static bool DeserializeFromIPC(IPC::MessageReader* aReader, + RefPtr<nsITransportSecurityInfo>* aResult); + static nsresult Read(const nsCString& aSerializedSecurityInfo, + nsITransportSecurityInfo** aResult); + static uint16_t ConvertCertificateTransparencyInfoToStatus( + const mozilla::psm::CertificateTransparencyInfo& info); + + private: + virtual ~TransportSecurityInfo() = default; + + const uint32_t mSecurityState; + const PRErrorCode mErrorCode; + // Peer cert chain for failed connections. + const nsTArray<RefPtr<nsIX509Cert>> mFailedCertChain; + const nsCOMPtr<nsIX509Cert> mServerCert; + const nsTArray<RefPtr<nsIX509Cert>> mSucceededCertChain; + const mozilla::Maybe<uint16_t> mCipherSuite; + const mozilla::Maybe<nsCString> mKeaGroupName; + const mozilla::Maybe<nsCString> mSignatureSchemeName; + const mozilla::Maybe<uint16_t> mProtocolVersion; + const uint16_t mCertificateTransparencyStatus; + const mozilla::Maybe<bool> mIsAcceptedEch; + const mozilla::Maybe<bool> mIsDelegatedCredential; + const mozilla::Maybe<OverridableErrorCategory> mOverridableErrorCategory; + const bool mMadeOCSPRequests; + const bool mUsedPrivateDNS; + const mozilla::Maybe<bool> mIsEV; + const bool mNPNCompleted; + const nsCString mNegotiatedNPN; + const bool mResumed; + const bool mIsBuiltCertChainRootBuiltInRoot; + const nsCString mPeerId; + + static nsresult ReadOldOverridableErrorBits( + nsIObjectInputStream* aStream, + OverridableErrorCategory& aOverridableErrorCategory); + static nsresult ReadSSLStatus( + nsIObjectInputStream* aStream, nsCOMPtr<nsIX509Cert>& aServerCert, + Maybe<uint16_t>& aCipherSuite, Maybe<uint16_t>& aProtocolVersion, + Maybe<OverridableErrorCategory>& aOverridableErrorCategory, + Maybe<bool>& aIsEV, uint16_t& aCertificateTransparencyStatus, + Maybe<nsCString>& aKeaGroupName, Maybe<nsCString>& aSignatureSchemeName, + nsTArray<RefPtr<nsIX509Cert>>& aSucceededCertChain); + + // This function is used to read the binary that are serialized + // by using nsIX509CertList + static nsresult ReadCertList(nsIObjectInputStream* aStream, + nsTArray<RefPtr<nsIX509Cert>>& aCertList); + static nsresult ReadCertificatesFromStream( + nsIObjectInputStream* aStream, uint32_t aSize, + nsTArray<RefPtr<nsIX509Cert>>& aCertList); +}; + +} // namespace psm +} // namespace mozilla + +#endif // TransportSecurityInfo_h diff --git a/security/manager/ssl/VerifySSLServerCertChild.cpp b/security/manager/ssl/VerifySSLServerCertChild.cpp new file mode 100644 index 0000000000..6c9795486e --- /dev/null +++ b/security/manager/ssl/VerifySSLServerCertChild.cpp @@ -0,0 +1,143 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set sw=2 ts=8 et tw=80 : */ + +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "VerifySSLServerCertChild.h" + +#include "CertVerifier.h" +#include "mozilla/ipc/Endpoint.h" +#include "mozilla/net/SocketProcessBackgroundChild.h" +#include "mozilla/psm/PVerifySSLServerCertParent.h" +#include "mozilla/psm/PVerifySSLServerCertChild.h" +#include "nsNSSIOLayer.h" +#include "nsSerializationHelper.h" + +#include "secerr.h" + +extern mozilla::LazyLogModule gPIPNSSLog; + +namespace mozilla { +namespace psm { + +VerifySSLServerCertChild::VerifySSLServerCertChild( + SSLServerCertVerificationResult* aResultTask, + nsTArray<nsTArray<uint8_t>>&& aPeerCertChain, uint32_t aProviderFlags) + : mResultTask(aResultTask), + mPeerCertChain(std::move(aPeerCertChain)), + mProviderFlags(aProviderFlags) {} + +ipc::IPCResult VerifySSLServerCertChild::RecvOnVerifiedSSLServerCertSuccess( + nsTArray<ByteArray>&& aBuiltCertChain, + const uint16_t& aCertTransparencyStatus, const uint8_t& aEVStatus, + const bool& aIsBuiltCertChainRootBuiltInRoot, + const bool& aMadeOCSPRequests) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("[%p] VerifySSLServerCertChild::RecvOnVerifiedSSLServerCertSuccess", + this)); + + nsTArray<nsTArray<uint8_t>> certBytesArray; + for (auto& cert : aBuiltCertChain) { + certBytesArray.AppendElement(std::move(cert.data())); + } + + mResultTask->Dispatch( + std::move(certBytesArray), std::move(mPeerCertChain), + aCertTransparencyStatus, static_cast<EVStatus>(aEVStatus), true, 0, + nsITransportSecurityInfo::OverridableErrorCategory::ERROR_UNSET, + aIsBuiltCertChainRootBuiltInRoot, mProviderFlags, aMadeOCSPRequests); + return IPC_OK(); +} + +ipc::IPCResult VerifySSLServerCertChild::RecvOnVerifiedSSLServerCertFailure( + const int32_t& aFinalError, const uint32_t& aOverridableErrorCategory, + const bool& aMadeOCSPRequests) { + mResultTask->Dispatch( + nsTArray<nsTArray<uint8_t>>(), std::move(mPeerCertChain), + nsITransportSecurityInfo::CERTIFICATE_TRANSPARENCY_NOT_APPLICABLE, + EVStatus::NotEV, false, aFinalError, + static_cast<nsITransportSecurityInfo::OverridableErrorCategory>( + aOverridableErrorCategory), + false, mProviderFlags, aMadeOCSPRequests); + return IPC_OK(); +} + +SECStatus RemoteProcessCertVerification( + nsTArray<nsTArray<uint8_t>>&& aPeerCertChain, const nsACString& aHostName, + int32_t aPort, const OriginAttributes& aOriginAttributes, + Maybe<nsTArray<uint8_t>>& aStapledOCSPResponse, + Maybe<nsTArray<uint8_t>>& aSctsFromTLSExtension, + Maybe<DelegatedCredentialInfo>& aDcInfo, uint32_t aProviderFlags, + uint32_t aCertVerifierFlags, SSLServerCertVerificationResult* aResultTask) { + if (!aResultTask) { + PR_SetError(SEC_ERROR_INVALID_ARGS, 0); + return SECFailure; + } + + nsTArray<ByteArray> peerCertBytes; + for (auto& certBytes : aPeerCertChain) { + peerCertBytes.AppendElement(ByteArray(certBytes)); + } + + Maybe<ByteArray> stapledOCSPResponse; + if (aStapledOCSPResponse) { + stapledOCSPResponse.emplace(); + stapledOCSPResponse->data().Assign(*aStapledOCSPResponse); + } + + Maybe<ByteArray> sctsFromTLSExtension; + if (aSctsFromTLSExtension) { + sctsFromTLSExtension.emplace(); + sctsFromTLSExtension->data().Assign(*aSctsFromTLSExtension); + } + + Maybe<DelegatedCredentialInfoArg> dcInfo; + if (aDcInfo) { + dcInfo.emplace(); + dcInfo.ref().scheme() = static_cast<uint32_t>(aDcInfo->scheme); + dcInfo.ref().authKeyBits() = static_cast<uint32_t>(aDcInfo->authKeyBits); + } + + ipc::Endpoint<PVerifySSLServerCertParent> parentEndpoint; + ipc::Endpoint<PVerifySSLServerCertChild> childEndpoint; + PVerifySSLServerCert::CreateEndpoints(&parentEndpoint, &childEndpoint); + + // Create a dedicated nsCString, so that our lambda below can take an + // ownership stake in the underlying string buffer: + nsCString hostName(aHostName); + + if (NS_FAILED(net::SocketProcessBackgroundChild::WithActor( + "SendInitVerifySSLServerCert", + [endpoint = std::move(parentEndpoint), + peerCertBytes = std::move(peerCertBytes), + hostName = std::move(hostName), port(aPort), + originAttributes(aOriginAttributes), + stapledOCSPResponse = std::move(stapledOCSPResponse), + sctsFromTLSExtension = std::move(sctsFromTLSExtension), + dcInfo = std::move(dcInfo), providerFlags(aProviderFlags), + certVerifierFlags(aCertVerifierFlags)]( + net::SocketProcessBackgroundChild* aActor) mutable { + Unused << aActor->SendInitVerifySSLServerCert( + std::move(endpoint), peerCertBytes, hostName, port, + originAttributes, stapledOCSPResponse, sctsFromTLSExtension, + dcInfo, providerFlags, certVerifierFlags); + }))) { + PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0); + return SECFailure; + } + + RefPtr<VerifySSLServerCertChild> authCert = new VerifySSLServerCertChild( + aResultTask, std::move(aPeerCertChain), aProviderFlags); + if (!childEndpoint.Bind(authCert)) { + PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0); + return SECFailure; + } + + PR_SetError(PR_WOULD_BLOCK_ERROR, 0); + return SECWouldBlock; +} + +} // namespace psm +} // namespace mozilla diff --git a/security/manager/ssl/VerifySSLServerCertChild.h b/security/manager/ssl/VerifySSLServerCertChild.h new file mode 100644 index 0000000000..94fd5d48d0 --- /dev/null +++ b/security/manager/ssl/VerifySSLServerCertChild.h @@ -0,0 +1,62 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set sw=2 ts=8 et tw=80 : */ + +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef mozilla_psm_VerifySSLServerCertChild_h__ +#define mozilla_psm_VerifySSLServerCertChild_h__ + +#include "mozilla/psm/PVerifySSLServerCertChild.h" + +#include "SSLServerCertVerification.h" +#include "mozilla/RefPtr.h" +#include "nsISupportsImpl.h" +#include "nsString.h" +#include "seccomon.h" + +namespace mozilla { +namespace psm { + +class DelegatedCredentialInfo; + +// This class implements the socket process part of the server certificate +// verification IPC protocol. +class VerifySSLServerCertChild : public PVerifySSLServerCertChild { + NS_INLINE_DECL_THREADSAFE_REFCOUNTING(VerifySSLServerCertChild, override); + + explicit VerifySSLServerCertChild( + SSLServerCertVerificationResult* aResultTask, + nsTArray<nsTArray<uint8_t>>&& aPeerCertChain, uint32_t aProviderFlags); + + ipc::IPCResult RecvOnVerifiedSSLServerCertSuccess( + nsTArray<ByteArray>&& aBuiltCertChain, + const uint16_t& aCertTransparencyStatus, const uint8_t& aEVStatus, + const bool& aIsBuiltCertChainRootBuiltInRoot, + const bool& aMadeOCSPRequests); + + ipc::IPCResult RecvOnVerifiedSSLServerCertFailure( + const int32_t& aFinalError, const uint32_t& aOverridableErrorCategory, + const bool& aMadeOCSPRequests); + + private: + ~VerifySSLServerCertChild() = default; + + RefPtr<SSLServerCertVerificationResult> mResultTask; + nsTArray<nsTArray<uint8_t>> mPeerCertChain; + uint32_t mProviderFlags; +}; + +SECStatus RemoteProcessCertVerification( + nsTArray<nsTArray<uint8_t>>&& aPeerCertChain, const nsACString& aHostName, + int32_t aPort, const OriginAttributes& aOriginAttributes, + Maybe<nsTArray<uint8_t>>& aStapledOCSPResponse, + Maybe<nsTArray<uint8_t>>& aSctsFromTLSExtension, + Maybe<DelegatedCredentialInfo>& aDcInfo, uint32_t aProviderFlags, + uint32_t aCertVerifierFlags, SSLServerCertVerificationResult* aResultTask); + +} // namespace psm +} // namespace mozilla + +#endif diff --git a/security/manager/ssl/VerifySSLServerCertParent.cpp b/security/manager/ssl/VerifySSLServerCertParent.cpp new file mode 100644 index 0000000000..5aaaba8197 --- /dev/null +++ b/security/manager/ssl/VerifySSLServerCertParent.cpp @@ -0,0 +1,179 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set sw=2 ts=8 et tw=80 : */ + +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "VerifySSLServerCertParent.h" + +#include "cert.h" +#include "nsNSSComponent.h" +#include "secerr.h" +#include "SharedCertVerifier.h" +#include "NSSCertDBTrustDomain.h" +#include "SSLServerCertVerification.h" +#include "nsNSSIOLayer.h" +#include "nsISocketProvider.h" +#include "mozilla/Unused.h" + +extern mozilla::LazyLogModule gPIPNSSLog; + +using namespace mozilla::pkix; + +namespace mozilla { +namespace psm { + +VerifySSLServerCertParent::VerifySSLServerCertParent() {} + +void VerifySSLServerCertParent::OnVerifiedSSLServerCert( + const nsTArray<ByteArray>& aBuiltCertChain, + uint16_t aCertificateTransparencyStatus, uint8_t aEVStatus, bool aSucceeded, + PRErrorCode aFinalError, uint32_t aOverridableErrorCategory, + bool aIsBuiltCertChainRootBuiltInRoot, bool aMadeOCSPRequests) { + if (!CanSend()) { + return; + } + + if (aSucceeded) { + Unused << SendOnVerifiedSSLServerCertSuccess( + aBuiltCertChain, aCertificateTransparencyStatus, aEVStatus, + aIsBuiltCertChainRootBuiltInRoot, aMadeOCSPRequests); + } else { + Unused << SendOnVerifiedSSLServerCertFailure( + aFinalError, aOverridableErrorCategory, aMadeOCSPRequests); + } + + Close(); +} + +namespace { + +class IPCServerCertVerificationResult final + : public BaseSSLServerCertVerificationResult { + public: + NS_INLINE_DECL_THREADSAFE_REFCOUNTING(IPCServerCertVerificationResult, + override) + + IPCServerCertVerificationResult(nsIEventTarget* aTarget, + VerifySSLServerCertParent* aParent) + : mTarget(aTarget), mParent(aParent) {} + + void Dispatch(nsTArray<nsTArray<uint8_t>>&& aBuiltChain, + nsTArray<nsTArray<uint8_t>>&& aPeerCertChain, + uint16_t aCertificateTransparencyStatus, EVStatus aEVStatus, + bool aSucceeded, PRErrorCode aFinalError, + nsITransportSecurityInfo::OverridableErrorCategory + aOverridableErrorCategory, + bool aIsBuiltCertChainRootBuiltInRoot, uint32_t aProviderFlags, + bool aMadeOCSPRequests) override; + + private: + ~IPCServerCertVerificationResult() = default; + + nsCOMPtr<nsIEventTarget> mTarget; + RefPtr<VerifySSLServerCertParent> mParent; +}; + +void IPCServerCertVerificationResult::Dispatch( + nsTArray<nsTArray<uint8_t>>&& aBuiltChain, + nsTArray<nsTArray<uint8_t>>&& aPeerCertChain, + uint16_t aCertificateTransparencyStatus, EVStatus aEVStatus, + bool aSucceeded, PRErrorCode aFinalError, + nsITransportSecurityInfo::OverridableErrorCategory + aOverridableErrorCategory, + bool aIsBuiltCertChainRootBuiltInRoot, uint32_t aProviderFlags, + bool aMadeOCSPRequests) { + nsTArray<ByteArray> builtCertChain; + if (aSucceeded) { + for (auto& cert : aBuiltChain) { + builtCertChain.AppendElement(ByteArray(cert)); + } + } + + nsresult nrv = mTarget->Dispatch( + NS_NewRunnableFunction( + "psm::VerifySSLServerCertParent::OnVerifiedSSLServerCert", + [parent(mParent), builtCertChain{std::move(builtCertChain)}, + aCertificateTransparencyStatus, aEVStatus, aSucceeded, aFinalError, + aOverridableErrorCategory, aIsBuiltCertChainRootBuiltInRoot, + aMadeOCSPRequests, aProviderFlags]() { + if (aSucceeded && + !(aProviderFlags & nsISocketProvider::NO_PERMANENT_STORAGE)) { + nsTArray<nsTArray<uint8_t>> certBytesArray; + for (const auto& cert : builtCertChain) { + certBytesArray.AppendElement(cert.data().Clone()); + } + // This dispatches an event that will run when the socket thread + // is idle. + SaveIntermediateCerts(certBytesArray); + } + parent->OnVerifiedSSLServerCert( + builtCertChain, aCertificateTransparencyStatus, + static_cast<uint8_t>(aEVStatus), aSucceeded, aFinalError, + static_cast<uint32_t>(aOverridableErrorCategory), + aIsBuiltCertChainRootBuiltInRoot, aMadeOCSPRequests); + }), + NS_DISPATCH_NORMAL); + MOZ_DIAGNOSTIC_ASSERT(NS_SUCCEEDED(nrv)); + Unused << nrv; +} + +} // anonymous namespace + +bool VerifySSLServerCertParent::Dispatch( + nsTArray<ByteArray>&& aPeerCertChain, const nsACString& aHostName, + const int32_t& aPort, const OriginAttributes& aOriginAttributes, + const Maybe<ByteArray>& aStapledOCSPResponse, + const Maybe<ByteArray>& aSctsFromTLSExtension, + const Maybe<DelegatedCredentialInfoArg>& aDcInfo, + const uint32_t& aProviderFlags, const uint32_t& aCertVerifierFlags) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("VerifySSLServerCertParent::Dispatch")); + + mBackgroundThread = GetCurrentSerialEventTarget(); + + nsTArray<nsTArray<uint8_t>> peerCertBytes; + for (auto& certBytes : aPeerCertChain) { + nsTArray<uint8_t> bytes; + peerCertBytes.AppendElement(std::move(certBytes.data())); + } + + Maybe<nsTArray<uint8_t>> stapledOCSPResponse; + if (aStapledOCSPResponse) { + stapledOCSPResponse.emplace(aStapledOCSPResponse->data().Clone()); + } + + Maybe<nsTArray<uint8_t>> sctsFromTLSExtension; + if (aSctsFromTLSExtension) { + sctsFromTLSExtension.emplace(aSctsFromTLSExtension->data().Clone()); + } + + Maybe<DelegatedCredentialInfo> dcInfo; + if (aDcInfo) { + dcInfo.emplace(); + dcInfo->scheme = static_cast<SSLSignatureScheme>(aDcInfo->scheme()); + dcInfo->authKeyBits = aDcInfo->authKeyBits(); + } + + RefPtr<IPCServerCertVerificationResult> resultTask = + new IPCServerCertVerificationResult(mBackgroundThread, this); + SECStatus status = SSLServerCertVerificationJob::Dispatch( + 0, nullptr, std::move(peerCertBytes), aHostName, aPort, aOriginAttributes, + stapledOCSPResponse, sctsFromTLSExtension, dcInfo, aProviderFlags, Now(), + aCertVerifierFlags, resultTask); + + if (status != SECWouldBlock) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("VerifySSLServerCertParent::Dispatch - dispatch failed")); + return false; + } + + return true; +} + +void VerifySSLServerCertParent::ActorDestroy(ActorDestroyReason aWhy) {} + +VerifySSLServerCertParent::~VerifySSLServerCertParent() = default; + +} // namespace psm +} // namespace mozilla diff --git a/security/manager/ssl/VerifySSLServerCertParent.h b/security/manager/ssl/VerifySSLServerCertParent.h new file mode 100644 index 0000000000..de2c062935 --- /dev/null +++ b/security/manager/ssl/VerifySSLServerCertParent.h @@ -0,0 +1,60 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set sw=2 ts=8 et tw=80 : */ + +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef mozilla_psm_VerifySSLServerCertParent_h__ +#define mozilla_psm_VerifySSLServerCertParent_h__ + +#include "mozilla/psm/PVerifySSLServerCertParent.h" +#include "mozpkix/Time.h" +#include "ScopedNSSTypes.h" +#include "SharedCertVerifier.h" + +namespace mozilla { +namespace psm { + +// This class implements the main process side of the server certificate +// verification for socket process. +// SSLServerCertVerificationJob::Dispatch is called in +// VerifySSLServerCertParent::Dispatch with IPCServerCertVerificationResult and +// the result of the certificate verification will be sent to the socket process +// via IPC. +class VerifySSLServerCertParent : public PVerifySSLServerCertParent { + public: + NS_INLINE_DECL_THREADSAFE_REFCOUNTING(VerifySSLServerCertParent, override) + + VerifySSLServerCertParent(); + + bool Dispatch(nsTArray<ByteArray>&& aPeerCertChain, + const nsACString& aHostName, const int32_t& aPort, + const OriginAttributes& aOriginAttributes, + const Maybe<ByteArray>& aStapledOCSPResponse, + const Maybe<ByteArray>& aSctsFromTLSExtension, + const Maybe<DelegatedCredentialInfoArg>& aDcInfo, + const uint32_t& aProviderFlags, + const uint32_t& aCertVerifierFlags); + + void OnVerifiedSSLServerCert(const nsTArray<ByteArray>& aBuiltCertChain, + uint16_t aCertificateTransparencyStatus, + uint8_t aEVStatus, bool aSucceeded, + PRErrorCode aFinalError, + uint32_t aOverridableErrorCategory, + bool aIsBuiltCertChainRootBuiltInRoot, + bool aMadeOCSPRequests); + + private: + virtual ~VerifySSLServerCertParent(); + + // PVerifySSLServerCertParent + void ActorDestroy(ActorDestroyReason aWhy) override; + + nsCOMPtr<nsISerialEventTarget> mBackgroundThread; +}; + +} // namespace psm +} // namespace mozilla + +#endif // mozilla_psm_VerifySSLServerCertParent_h__ diff --git a/security/manager/ssl/X509.sys.mjs b/security/manager/ssl/X509.sys.mjs new file mode 100644 index 0000000000..0d85ca5730 --- /dev/null +++ b/security/manager/ssl/X509.sys.mjs @@ -0,0 +1,641 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +import { DER } from "resource://gre/modules/psm/DER.sys.mjs"; + +const ERROR_UNSUPPORTED_ASN1 = "unsupported asn.1"; +const ERROR_TIME_NOT_VALID = "Time not valid"; +const ERROR_LIBRARY_FAILURE = "library failure"; + +const X509v3 = 2; + +/** + * Helper function to read a NULL tag from the given DER. + * + * @param {DER} der a DER object to read a NULL from + * @returns {null} an object representing an ASN.1 NULL + */ +function readNULL(der) { + return new NULL(der.readTagAndGetContents(DER.NULL)); +} + +/** + * Class representing an ASN.1 NULL. When encoded as DER, the only valid value + * is 05 00, and thus the contents should always be an empty array. + */ +class NULL { + /** + * @param {number[]} bytes the contents of the NULL tag (should be empty) + */ + constructor(bytes) { + // Lint TODO: bytes should be an empty array + this._contents = bytes; + } +} + +/** + * Helper function to read an OBJECT IDENTIFIER from the given DER. + * + * @param {DER} der the DER to read an OBJECT IDENTIFIER from + * @returns {OID} the value of the OBJECT IDENTIFIER + */ +function readOID(der) { + return new OID(der.readTagAndGetContents(DER.OBJECT_IDENTIFIER)); +} + +/** Class representing an ASN.1 OBJECT IDENTIFIER */ +class OID { + /** + * @param {number[]} bytes the encoded contents of the OBJECT IDENTIFIER + * (not including the ASN.1 tag or length bytes) + */ + constructor(bytes) { + this._values = []; + // First octet has value 40 * value1 + value2 + // Lint TODO: validate that value1 is one of {0, 1, 2} + // Lint TODO: validate that value2 is in [0, 39] if value1 is 0 or 1 + let value1 = Math.floor(bytes[0] / 40); + let value2 = bytes[0] - 40 * value1; + this._values.push(value1); + this._values.push(value2); + bytes.shift(); + let accumulator = 0; + // Lint TODO: prevent overflow here + while (bytes.length) { + let value = bytes.shift(); + accumulator *= 128; + if (value > 128) { + accumulator += value - 128; + } else { + accumulator += value; + this._values.push(accumulator); + accumulator = 0; + } + } + } +} + +/** + * Class that serves as an abstract base class for more specific classes that + * represent datatypes from RFC 5280 and others. Given an array of bytes + * representing the DER encoding of such types, this framework simplifies the + * process of making a new DER object, attempting to parse the given bytes, and + * catching and stashing thrown exceptions. Subclasses are to implement + * parseOverride, which should read from this._der to fill out the structure's + * values. + */ +class DecodedDER { + constructor() { + this._der = null; + this._error = null; + } + + /** + * Returns the first exception encountered when decoding or null if none has + * been encountered. + * + * @returns {Error} the first exception encountered when decoding or null + */ + get error() { + return this._error; + } + + /** + * Does the actual work of parsing the data. To be overridden by subclasses. + * If an implementation of parseOverride throws an exception, parse will catch + * that exception and stash it in the error property. This enables parent + * levels in a nested decoding hierarchy to continue to decode as much as + * possible. + */ + parseOverride() { + throw new Error(ERROR_LIBRARY_FAILURE); + } + + /** + * Public interface to be called to parse all data. Calls parseOverride inside + * a try/catch block. If an exception is thrown, stashes the error, which can + * be obtained via the error getter (above). + * + * @param {number[]} bytes encoded DER to be decoded + */ + parse(bytes) { + this._der = new DER.DERDecoder(bytes); + try { + this.parseOverride(); + } catch (e) { + this._error = e; + } + } +} + +/** + * Helper function for reading the next SEQUENCE out of a DER and creating a new + * DER out of the resulting bytes. + * + * @param {DER} der the underlying DER object + * @returns {DER} the contents of the SEQUENCE + */ +function readSEQUENCEAndMakeDER(der) { + return new DER.DERDecoder(der.readTagAndGetContents(DER.SEQUENCE)); +} + +/** + * Helper function for reading the next item identified by tag out of a DER and + * creating a new DER out of the resulting bytes. + * + * @param {DER} der the underlying DER object + * @param {number} tag the expected next tag in the DER + * @returns {DER} the contents of the tag + */ +function readTagAndMakeDER(der, tag) { + return new DER.DERDecoder(der.readTagAndGetContents(tag)); +} + +// Certificate ::= SEQUENCE { +// tbsCertificate TBSCertificate, +// signatureAlgorithm AlgorithmIdentifier, +// signatureValue BIT STRING } +class Certificate extends DecodedDER { + constructor() { + super(); + this._tbsCertificate = new TBSCertificate(); + this._signatureAlgorithm = new AlgorithmIdentifier(); + this._signatureValue = []; + } + + get tbsCertificate() { + return this._tbsCertificate; + } + + get signatureAlgorithm() { + return this._signatureAlgorithm; + } + + get signatureValue() { + return this._signatureValue; + } + + parseOverride() { + let contents = readSEQUENCEAndMakeDER(this._der); + this._tbsCertificate.parse(contents.readTLV()); + this._signatureAlgorithm.parse(contents.readTLV()); + + let signatureValue = contents.readBIT_STRING(); + if (signatureValue.unusedBits != 0) { + throw new Error(ERROR_UNSUPPORTED_ASN1); + } + this._signatureValue = signatureValue.contents; + contents.assertAtEnd(); + this._der.assertAtEnd(); + } +} + +// TBSCertificate ::= SEQUENCE { +// version [0] EXPLICIT Version DEFAULT v1, +// serialNumber CertificateSerialNumber, +// signature AlgorithmIdentifier, +// issuer Name, +// validity Validity, +// subject Name, +// subjectPublicKeyInfo SubjectPublicKeyInfo, +// issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, +// -- If present, version MUST be v2 or v3 +// subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, +// -- If present, version MUST be v2 or v3 +// extensions [3] EXPLICIT Extensions OPTIONAL +// -- If present, version MUST be v3 +// } +class TBSCertificate extends DecodedDER { + constructor() { + super(); + this._version = null; + this._serialNumber = []; + this._signature = new AlgorithmIdentifier(); + this._issuer = new Name(); + this._validity = new Validity(); + this._subject = new Name(); + this._subjectPublicKeyInfo = new SubjectPublicKeyInfo(); + this._extensions = []; + } + + get version() { + return this._version; + } + + get serialNumber() { + return this._serialNumber; + } + + get signature() { + return this._signature; + } + + get issuer() { + return this._issuer; + } + + get validity() { + return this._validity; + } + + get subject() { + return this._subject; + } + + get subjectPublicKeyInfo() { + return this._subjectPublicKeyInfo; + } + + get extensions() { + return this._extensions; + } + + parseOverride() { + let contents = readSEQUENCEAndMakeDER(this._der); + + let versionTag = DER.CONTEXT_SPECIFIC | DER.CONSTRUCTED | 0; + if (!contents.peekTag(versionTag)) { + this._version = 1; + } else { + let versionContents = readTagAndMakeDER(contents, versionTag); + let versionBytes = versionContents.readTagAndGetContents(DER.INTEGER); + if (versionBytes.length == 1 && versionBytes[0] == X509v3) { + this._version = 3; + } else { + // Lint TODO: warn about non-v3 certificates (this INTEGER could take up + // multiple bytes, be negative, and so on). + this._version = versionBytes; + } + versionContents.assertAtEnd(); + } + + let serialNumberBytes = contents.readTagAndGetContents(DER.INTEGER); + this._serialNumber = serialNumberBytes; + this._signature.parse(contents.readTLV()); + this._issuer.parse(contents.readTLV()); + this._validity.parse(contents.readTLV()); + this._subject.parse(contents.readTLV()); + this._subjectPublicKeyInfo.parse(contents.readTLV()); + + // Lint TODO: warn about unsupported features + let issuerUniqueIDTag = DER.CONTEXT_SPECIFIC | DER.CONSTRUCTED | 1; + if (contents.peekTag(issuerUniqueIDTag)) { + contents.readTagAndGetContents(issuerUniqueIDTag); + } + let subjectUniqueIDTag = DER.CONTEXT_SPECIFIC | DER.CONSTRUCTED | 2; + if (contents.peekTag(subjectUniqueIDTag)) { + contents.readTagAndGetContents(subjectUniqueIDTag); + } + + let extensionsTag = DER.CONTEXT_SPECIFIC | DER.CONSTRUCTED | 3; + if (contents.peekTag(extensionsTag)) { + let extensionsSequence = readTagAndMakeDER(contents, extensionsTag); + let extensionsContents = readSEQUENCEAndMakeDER(extensionsSequence); + while (!extensionsContents.atEnd()) { + // TODO: parse extensions + this._extensions.push(extensionsContents.readTLV()); + } + extensionsContents.assertAtEnd(); + extensionsSequence.assertAtEnd(); + } + contents.assertAtEnd(); + this._der.assertAtEnd(); + } +} + +// AlgorithmIdentifier ::= SEQUENCE { +// algorithm OBJECT IDENTIFIER, +// parameters ANY DEFINED BY algorithm OPTIONAL } +class AlgorithmIdentifier extends DecodedDER { + constructor() { + super(); + this._algorithm = null; + this._parameters = null; + } + + get algorithm() { + return this._algorithm; + } + + get parameters() { + return this._parameters; + } + + parseOverride() { + let contents = readSEQUENCEAndMakeDER(this._der); + this._algorithm = readOID(contents); + if (!contents.atEnd()) { + if (contents.peekTag(DER.NULL)) { + this._parameters = readNULL(contents); + } else if (contents.peekTag(DER.OBJECT_IDENTIFIER)) { + this._parameters = readOID(contents); + } + } + contents.assertAtEnd(); + this._der.assertAtEnd(); + } +} + +// Name ::= CHOICE { -- only one possibility for now -- +// rdnSequence RDNSequence } +// +// RDNSequence ::= SEQUENCE OF RelativeDistinguishedName +class Name extends DecodedDER { + constructor() { + super(); + this._rdns = []; + } + + get rdns() { + return this._rdns; + } + + parseOverride() { + let contents = readSEQUENCEAndMakeDER(this._der); + while (!contents.atEnd()) { + let rdn = new RelativeDistinguishedName(); + rdn.parse(contents.readTLV()); + this._rdns.push(rdn); + } + contents.assertAtEnd(); + this._der.assertAtEnd(); + } +} + +// RelativeDistinguishedName ::= +// SET SIZE (1..MAX) OF AttributeTypeAndValue +class RelativeDistinguishedName extends DecodedDER { + constructor() { + super(); + this._avas = []; + } + + get avas() { + return this._avas; + } + + parseOverride() { + let contents = readTagAndMakeDER(this._der, DER.SET); + // Lint TODO: enforce SET SIZE restrictions + while (!contents.atEnd()) { + let ava = new AttributeTypeAndValue(); + ava.parse(contents.readTLV()); + this._avas.push(ava); + } + contents.assertAtEnd(); + this._der.assertAtEnd(); + } +} + +// AttributeTypeAndValue ::= SEQUENCE { +// type AttributeType, +// value AttributeValue } +// +// AttributeType ::= OBJECT IDENTIFIER +// +// AttributeValue ::= ANY -- DEFINED BY AttributeType +class AttributeTypeAndValue extends DecodedDER { + constructor() { + super(); + this._type = null; + this._value = new DirectoryString(); + } + + get type() { + return this._type; + } + + get value() { + return this._value; + } + + parseOverride() { + let contents = readSEQUENCEAndMakeDER(this._der); + this._type = readOID(contents); + // We don't support universalString or bmpString. + // IA5String is supported because it is valid if `type == id-emailaddress`. + // Lint TODO: validate that the type of string is valid given `type`. + this._value.parse( + contents.readTLVChoice([ + DER.UTF8String, + DER.PrintableString, + DER.TeletexString, + DER.IA5String, + ]) + ); + contents.assertAtEnd(); + this._der.assertAtEnd(); + } +} + +// DirectoryString ::= CHOICE { +// teletexString TeletexString (SIZE (1..MAX)), +// printableString PrintableString (SIZE (1..MAX)), +// universalString UniversalString (SIZE (1..MAX)), +// utf8String UTF8String (SIZE (1..MAX)), +// bmpString BMPString (SIZE (1..MAX)) } +class DirectoryString extends DecodedDER { + constructor() { + super(); + this._type = null; + this._value = null; + } + + get type() { + return this._type; + } + + get value() { + return this._value; + } + + parseOverride() { + if (this._der.peekTag(DER.UTF8String)) { + this._type = DER.UTF8String; + } else if (this._der.peekTag(DER.PrintableString)) { + this._type = DER.PrintableString; + } else if (this._der.peekTag(DER.TeletexString)) { + this._type = DER.TeletexString; + } else if (this._der.peekTag(DER.IA5String)) { + this._type = DER.IA5String; + } + // Lint TODO: validate that the contents are actually valid for the type + this._value = this._der.readTagAndGetContents(this._type); + this._der.assertAtEnd(); + } +} + +// Time ::= CHOICE { +// utcTime UTCTime, +// generalTime GeneralizedTime } +class Time extends DecodedDER { + constructor() { + super(); + this._type = null; + this._time = null; + } + + get time() { + return this._time; + } + + parseOverride() { + if (this._der.peekTag(DER.UTCTime)) { + this._type = DER.UTCTime; + } else if (this._der.peekTag(DER.GeneralizedTime)) { + this._type = DER.GeneralizedTime; + } + let contents = readTagAndMakeDER(this._der, this._type); + let year; + // Lint TODO: validate that the appropriate one of {UTCTime,GeneralizedTime} + // is used according to RFC 5280 and what the value of the date is. + // TODO TODO: explain this better (just quote the rfc). + if (this._type == DER.UTCTime) { + // UTCTime is YYMMDDHHMMSSZ in RFC 5280. If YY is greater than or equal + // to 50, the year is 19YY. Otherwise, it is 20YY. + let y1 = this._validateDigit(contents.readByte()); + let y2 = this._validateDigit(contents.readByte()); + let yy = y1 * 10 + y2; + if (yy >= 50) { + year = 1900 + yy; + } else { + year = 2000 + yy; + } + } else { + // GeneralizedTime is YYYYMMDDHHMMSSZ in RFC 5280. + year = 0; + for (let i = 0; i < 4; i++) { + let y = this._validateDigit(contents.readByte()); + year = year * 10 + y; + } + } + + let m1 = this._validateDigit(contents.readByte()); + let m2 = this._validateDigit(contents.readByte()); + let month = m1 * 10 + m2; + if (month == 0 || month > 12) { + throw new Error(ERROR_TIME_NOT_VALID); + } + + let d1 = this._validateDigit(contents.readByte()); + let d2 = this._validateDigit(contents.readByte()); + let day = d1 * 10 + d2; + if (day == 0 || day > 31) { + throw new Error(ERROR_TIME_NOT_VALID); + } + + let h1 = this._validateDigit(contents.readByte()); + let h2 = this._validateDigit(contents.readByte()); + let hour = h1 * 10 + h2; + if (hour > 23) { + throw new Error(ERROR_TIME_NOT_VALID); + } + + let min1 = this._validateDigit(contents.readByte()); + let min2 = this._validateDigit(contents.readByte()); + let minute = min1 * 10 + min2; + if (minute > 59) { + throw new Error(ERROR_TIME_NOT_VALID); + } + + let s1 = this._validateDigit(contents.readByte()); + let s2 = this._validateDigit(contents.readByte()); + let second = s1 * 10 + s2; + if (second > 60) { + // leap-seconds mean this can be as much as 60 + throw new Error(ERROR_TIME_NOT_VALID); + } + + let z = contents.readByte(); + if (z != "Z".charCodeAt(0)) { + throw new Error(ERROR_TIME_NOT_VALID); + } + // Lint TODO: verify that the Time doesn't specify a nonsensical + // month/day/etc. + // months are zero-indexed in JS + this._time = new Date(Date.UTC(year, month - 1, day, hour, minute, second)); + + contents.assertAtEnd(); + this._der.assertAtEnd(); + } + + /** + * Takes a byte that is supposed to be in the ASCII range for "0" to "9". + * Validates the range and then converts it to the range 0 to 9. + * + * @param {number} d the digit in question (as ASCII in the range ["0", "9"]) + * @returns {number} the numerical value of the digit (in the range [0, 9]) + */ + _validateDigit(d) { + if (d < "0".charCodeAt(0) || d > "9".charCodeAt(0)) { + throw new Error(ERROR_TIME_NOT_VALID); + } + return d - "0".charCodeAt(0); + } +} + +// Validity ::= SEQUENCE { +// notBefore Time, +// notAfter Time } +class Validity extends DecodedDER { + constructor() { + super(); + this._notBefore = new Time(); + this._notAfter = new Time(); + } + + get notBefore() { + return this._notBefore; + } + + get notAfter() { + return this._notAfter; + } + + parseOverride() { + let contents = readSEQUENCEAndMakeDER(this._der); + this._notBefore.parse( + contents.readTLVChoice([DER.UTCTime, DER.GeneralizedTime]) + ); + this._notAfter.parse( + contents.readTLVChoice([DER.UTCTime, DER.GeneralizedTime]) + ); + contents.assertAtEnd(); + this._der.assertAtEnd(); + } +} + +// SubjectPublicKeyInfo ::= SEQUENCE { +// algorithm AlgorithmIdentifier, +// subjectPublicKey BIT STRING } +class SubjectPublicKeyInfo extends DecodedDER { + constructor() { + super(); + this._algorithm = new AlgorithmIdentifier(); + this._subjectPublicKey = null; + } + + get algorithm() { + return this._algorithm; + } + + get subjectPublicKey() { + return this._subjectPublicKey; + } + + parseOverride() { + let contents = readSEQUENCEAndMakeDER(this._der); + this._algorithm.parse(contents.readTLV()); + let subjectPublicKeyBitString = contents.readBIT_STRING(); + if (subjectPublicKeyBitString.unusedBits != 0) { + throw new Error(ERROR_UNSUPPORTED_ASN1); + } + this._subjectPublicKey = subjectPublicKeyBitString.contents; + + contents.assertAtEnd(); + this._der.assertAtEnd(); + } +} + +export var X509 = { Certificate }; diff --git a/security/manager/ssl/X509CertValidity.cpp b/security/manager/ssl/X509CertValidity.cpp new file mode 100644 index 0000000000..1d5dc54aa6 --- /dev/null +++ b/security/manager/ssl/X509CertValidity.cpp @@ -0,0 +1,96 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "X509CertValidity.h" + +#include "mozpkix/pkixder.h" +#include "mozpkix/pkixutil.h" +#include "nsComponentManagerUtils.h" +#include "secder.h" + +NS_IMPL_ISUPPORTS(X509CertValidity, nsIX509CertValidity) + +using namespace mozilla; +using namespace mozilla::pkix; + +X509CertValidity::X509CertValidity(Input certDER) + : mNotBefore(0), mNotAfter(0), mTimesInitialized(false) { + using namespace mozilla::pkix::der; + + // We're not building a verified certificate chain, so the EndEntityOrCA + // parameter doesn't matter. + BackCert cert(certDER, EndEntityOrCA::MustBeEndEntity, nullptr); + pkix::Result rv = cert.Init(); + if (rv != Success) { + return; + } + // Validity ::= SEQUENCE { + // notBefore Time, + // notAfter Time } + // + // Time ::= CHOICE { + // utcTime UTCTime, + // generalTime GeneralizedTime } + // + // NB: BackCert::GetValidity returns the value of the Validity of the + // certificate (i.e. notBefore and notAfter, without the enclosing SEQUENCE + // and length) + Reader reader(cert.GetValidity()); + uint8_t expectedTag = reader.Peek(UTCTime) ? UTCTime : GENERALIZED_TIME; + Input notBefore; + pkix::Result result = ExpectTagAndGetValue(reader, expectedTag, notBefore); + if (result != Success) { + return; + } + SECItemType notBeforeType = + expectedTag == UTCTime ? siUTCTime : siGeneralizedTime; + SECItem notBeforeItem = { + notBeforeType, const_cast<unsigned char*>(notBefore.UnsafeGetData()), + notBefore.GetLength()}; + SECStatus srv = DER_DecodeTimeChoice(&mNotBefore, ¬BeforeItem); + if (srv != SECSuccess) { + return; + } + expectedTag = reader.Peek(UTCTime) ? UTCTime : GENERALIZED_TIME; + Input notAfter; + result = ExpectTagAndGetValue(reader, expectedTag, notAfter); + if (result != Success) { + return; + } + SECItemType notAfterType = + expectedTag == UTCTime ? siUTCTime : siGeneralizedTime; + SECItem notAfterItem = {notAfterType, + const_cast<unsigned char*>(notAfter.UnsafeGetData()), + notAfter.GetLength()}; + srv = DER_DecodeTimeChoice(&mNotAfter, ¬AfterItem); + if (srv != SECSuccess) { + return; + } + + mTimesInitialized = true; +} + +NS_IMETHODIMP +X509CertValidity::GetNotBefore(PRTime* aNotBefore) { + NS_ENSURE_ARG(aNotBefore); + + if (!mTimesInitialized) { + return NS_ERROR_FAILURE; + } + + *aNotBefore = mNotBefore; + return NS_OK; +} + +NS_IMETHODIMP +X509CertValidity::GetNotAfter(PRTime* aNotAfter) { + NS_ENSURE_ARG(aNotAfter); + + if (!mTimesInitialized) { + return NS_ERROR_FAILURE; + } + + *aNotAfter = mNotAfter; + return NS_OK; +} diff --git a/security/manager/ssl/X509CertValidity.h b/security/manager/ssl/X509CertValidity.h new file mode 100644 index 0000000000..8201c52253 --- /dev/null +++ b/security/manager/ssl/X509CertValidity.h @@ -0,0 +1,31 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef X509CertValidity_h +#define X509CertValidity_h + +#include "mozpkix/Input.h" +#include "nsIX509CertValidity.h" +#include "prtime.h" + +class X509CertValidity : public nsIX509CertValidity { + public: + NS_DECL_THREADSAFE_ISUPPORTS + NS_DECL_NSIX509CERTVALIDITY + + explicit X509CertValidity(mozilla::pkix::Input certDER); + + X509CertValidity(const X509CertValidity& x) = delete; + X509CertValidity& operator=(const X509CertValidity& x) = delete; + + protected: + virtual ~X509CertValidity() = default; + + private: + PRTime mNotBefore; + PRTime mNotAfter; + bool mTimesInitialized; +}; + +#endif // X509CertValidity_h diff --git a/security/manager/ssl/addons-public-intermediate.crt b/security/manager/ssl/addons-public-intermediate.crt Binary files differnew file mode 100644 index 0000000000..d37979bf38 --- /dev/null +++ b/security/manager/ssl/addons-public-intermediate.crt diff --git a/security/manager/ssl/addons-public.crt b/security/manager/ssl/addons-public.crt Binary files differnew file mode 100644 index 0000000000..6ab711b996 --- /dev/null +++ b/security/manager/ssl/addons-public.crt diff --git a/security/manager/ssl/addons-stage.crt b/security/manager/ssl/addons-stage.crt Binary files differnew file mode 100644 index 0000000000..73e48cadfe --- /dev/null +++ b/security/manager/ssl/addons-stage.crt diff --git a/security/manager/ssl/builtins/Cargo.toml b/security/manager/ssl/builtins/Cargo.toml new file mode 100644 index 0000000000..b3f2e9c7b8 --- /dev/null +++ b/security/manager/ssl/builtins/Cargo.toml @@ -0,0 +1,18 @@ +[package] +name = "builtins-static" +version = "0.1.0" +authors = ["John Schanck <jschanck@mozilla.com>"] +edition = "2021" +license = "MPL-2.0" + +[dependencies] +pkcs11-bindings = "0.1.1" +smallvec = { version = "1.9.0", features = ["const_new"] } +mozilla-central-workspace-hack = { version = "0.1", features = ["builtins-static"], optional = true } + +[build-dependencies] +bindgen = { default-features = false, features = ["runtime"], version = "0.69" } +nom = "7.1.1" + +[lib] +crate-type = ["staticlib"] diff --git a/security/manager/ssl/builtins/build.rs b/security/manager/ssl/builtins/build.rs new file mode 100644 index 0000000000..8375f3368d --- /dev/null +++ b/security/manager/ssl/builtins/build.rs @@ -0,0 +1,568 @@ +/* -*- Mode: rust; rust-indent-offset: 4 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +extern crate bindgen; +extern crate nom; + +use bindgen::callbacks::*; +use bindgen::*; + +use nom::branch::alt; +use nom::bytes::complete::{tag, take_until}; +use nom::character::complete::{ + char, multispace0, newline, not_line_ending, one_of, space0, space1, +}; +use nom::combinator::{fail, recognize}; +use nom::multi::{many1, separated_list0}; +use nom::sequence::{delimited, separated_pair, terminated, tuple}; +use nom::IResult; + +use std::collections::HashMap; +use std::env; +use std::fmt; +use std::fs::File; +use std::io::{BufWriter, Write}; +use std::path::PathBuf; + +fn octal_block_to_vec_u8(octal_block: &str) -> Vec<u8> { + octal_block + .lines() + .flat_map(|x| x.split('\\').skip(1)) + .map(|x| u8::from_str_radix(x, 8).expect("octal value out of range.")) + .collect() +} + +fn octal_block_to_hex_string(octal: &str) -> String { + octal_block_to_vec_u8(octal) + .iter() + .map(|x| format!("0x{:02X}, ", x)) + .collect() +} + +// Wrapper around values parsed out of certdata.txt +enum Ck<'a> { + Class(&'a str), + Comment(&'a str), + DistrustAfter(Option<&'a str>), + Empty, + MultilineOctal(&'a str), + OptionBool(&'a str), + Trust(&'a str), + Utf8(&'a str), +} + +// Translation of parsed values into the output rust code +impl fmt::Display for Ck<'_> { + fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { + match self { + Ck::Class(s) => write!(f, "{s}_BYTES"), + Ck::Comment(s) => write!(f, "{}", s.replace('#', "//")), + Ck::DistrustAfter(None) => write!(f, "Some(CK_FALSE_BYTES)"), + Ck::DistrustAfter(Some(s)) => write!(f, "Some(&[{}])", octal_block_to_hex_string(s)), + Ck::Empty => write!(f, "None"), + Ck::MultilineOctal(s) => write!(f, "&[{}]", octal_block_to_hex_string(s)), + Ck::OptionBool(s) => write!(f, "Some({s}_BYTES)"), + Ck::Trust(s) => write!(f, "{s}_BYTES"), + Ck::Utf8(s) => write!(f, "\"{s}\\0\""), + } + } +} + +impl PartialEq for Ck<'_> { + fn eq(&self, other: &Self) -> bool { + match (self, other) { + (Ck::Class(s), Ck::Class(t)) => s.eq(t), + (Ck::Comment(s), Ck::Comment(t)) => s.eq(t), + (Ck::DistrustAfter(None), Ck::DistrustAfter(None)) => true, + (Ck::DistrustAfter(Some(s)), Ck::DistrustAfter(Some(t))) => { + // compare the data rather than the presentation + let vec_s = octal_block_to_vec_u8(s); + let vec_t = octal_block_to_vec_u8(t); + vec_s.eq(&vec_t) + } + (Ck::Empty, Ck::Empty) => true, + (Ck::MultilineOctal(s), Ck::MultilineOctal(t)) => { + // compare the data rather than the presentation + let vec_s = octal_block_to_vec_u8(s); + let vec_t = octal_block_to_vec_u8(t); + vec_s.eq(&vec_t) + } + (Ck::Trust(s), Ck::Trust(t)) => s.eq(t), + (Ck::Utf8(s), Ck::Utf8(t)) => s.eq(t), + _ => false, + } + } +} + +fn class(i: &str) -> IResult<&str, Ck> { + let (i, _) = tag("CK_OBJECT_CLASS")(i)?; + let (i, _) = space1(i)?; + let (i, class) = alt(( + tag("CKO_NSS_BUILTIN_ROOT_LIST"), + tag("CKO_CERTIFICATE"), + tag("CKO_NSS_TRUST"), + ))(i)?; + let (i, _) = space0(i)?; + let (i, _) = newline(i)?; + Ok((i, Ck::Class(class))) +} + +fn trust(i: &str) -> IResult<&str, Ck> { + let (i, _) = tag("CK_TRUST")(i)?; + let (i, _) = space1(i)?; + let (i, trust) = alt(( + tag("CKT_NSS_TRUSTED_DELEGATOR"), + tag("CKT_NSS_MUST_VERIFY_TRUST"), + tag("CKT_NSS_NOT_TRUSTED"), + ))(i)?; + let (i, _) = space0(i)?; + let (i, _) = newline(i)?; + Ok((i, Ck::Trust(trust))) +} + +// Parses a CK_BBOOL and wraps it with Ck::OptionBool so that it gets printed as +// "Some(CK_TRUE_BYTES)" instead of "CK_TRUE_BYTES". +fn option_bbool(i: &str) -> IResult<&str, Ck> { + let (i, _) = tag("CK_BBOOL")(i)?; + let (i, _) = space1(i)?; + let (i, b) = alt((tag("CK_TRUE"), tag("CK_FALSE")))(i)?; + let (i, _) = space0(i)?; + let (i, _) = newline(i)?; + Ok((i, Ck::OptionBool(b))) +} + +fn bbool_true(i: &str) -> IResult<&str, Ck> { + let (i, _) = tag("CK_BBOOL")(i)?; + let (i, _) = space1(i)?; + let (i, _) = tag("CK_TRUE")(i)?; + let (i, _) = space0(i)?; + let (i, _) = newline(i)?; + Ok((i, Ck::Empty)) +} + +fn bbool_false(i: &str) -> IResult<&str, Ck> { + let (i, _) = tag("CK_BBOOL")(i)?; + let (i, _) = space1(i)?; + let (i, _) = tag("CK_FALSE")(i)?; + let (i, _) = space0(i)?; + let (i, _) = newline(i)?; + Ok((i, Ck::Empty)) +} + +fn utf8(i: &str) -> IResult<&str, Ck> { + let (i, _) = tag("UTF8")(i)?; + let (i, _) = space1(i)?; + let (i, _) = char('"')(i)?; + let (i, utf8) = take_until("\"")(i)?; + let (i, _) = char('"')(i)?; + let (i, _) = space0(i)?; + let (i, _) = newline(i)?; + Ok((i, Ck::Utf8(utf8))) +} + +fn certificate_type(i: &str) -> IResult<&str, Ck> { + let (i, _) = tag("CK_CERTIFICATE_TYPE")(i)?; + let (i, _) = space1(i)?; + let (i, _) = tag("CKC_X_509")(i)?; + let (i, _) = space0(i)?; + let (i, _) = newline(i)?; + Ok((i, Ck::Empty)) +} + +// A CKA_NSS_{EMAIL,SERVER}_DISTRUST_AFTER line in certdata.txt is encoded either as a CK_BBOOL +// with value CK_FALSE (when there is no distrust after date) or as a MULTILINE_OCTAL block. +fn distrust_after(i: &str) -> IResult<&str, Ck> { + let (i, value) = alt((multiline_octal, bbool_false))(i)?; + match value { + Ck::Empty => Ok((i, Ck::DistrustAfter(None))), + Ck::MultilineOctal(data) => Ok((i, Ck::DistrustAfter(Some(data)))), + _ => unreachable!(), + } +} + +fn octal_octet(i: &str) -> IResult<&str, &str> { + recognize(tuple(( + tag("\\"), + one_of("0123"), // 255 = \377 + one_of("01234567"), + one_of("01234567"), + )))(i) +} + +fn multiline_octal(i: &str) -> IResult<&str, Ck> { + let (i, _) = tag("MULTILINE_OCTAL")(i)?; + let (i, _) = space0(i)?; + let (i, _) = newline(i)?; + let (i, lines) = recognize(many1(terminated(many1(octal_octet), newline)))(i)?; + let (i, _) = tag("END")(i)?; + let (i, _) = space0(i)?; + let (i, _) = newline(i)?; + return Ok((i, Ck::MultilineOctal(lines))); +} + +fn distrust_comment(i: &str) -> IResult<&str, (&str, Ck)> { + let (i, comment) = recognize(delimited( + alt(( + tag("# For Email Distrust After: "), + tag("# For Server Distrust After: "), + )), + not_line_ending, + newline, + ))(i)?; + Ok((i, ("DISTRUST_COMMENT", Ck::Comment(comment)))) +} + +fn comment(i: &str) -> IResult<&str, (&str, Ck)> { + let (i, comment) = recognize(many1(delimited(char('#'), not_line_ending, newline)))(i)?; + Ok((i, ("COMMENT", Ck::Comment(comment)))) +} + +fn certdata_line(i: &str) -> IResult<&str, (&str, Ck)> { + let (i, (attr, value)) = alt(( + distrust_comment, // must be listed before `comment` + comment, + separated_pair(tag("CKA_CLASS"), space1, class), + separated_pair(tag("CKA_CERTIFICATE_TYPE"), space1, certificate_type), + separated_pair(alt((tag("CKA_ID"), tag("CKA_LABEL"))), space1, utf8), + separated_pair( + alt(( + tag("CKA_ISSUER"), + tag("CKA_CERT_SHA1_HASH"), + tag("CKA_CERT_MD5_HASH"), + tag("CKA_SERIAL_NUMBER"), + tag("CKA_SUBJECT"), + tag("CKA_VALUE"), + )), + space1, + multiline_octal, + ), + separated_pair( + alt(( + tag("CKA_NSS_SERVER_DISTRUST_AFTER"), + tag("CKA_NSS_EMAIL_DISTRUST_AFTER"), + )), + space1, + distrust_after, + ), + separated_pair( + alt(( + tag("CKA_TRUST_EMAIL_PROTECTION"), + tag("CKA_TRUST_CODE_SIGNING"), + tag("CKA_TRUST_SERVER_AUTH"), + )), + space1, + trust, + ), + separated_pair(tag("CKA_NSS_MOZILLA_CA_POLICY"), space1, option_bbool), + separated_pair(tag("CKA_TOKEN"), space1, bbool_true), + separated_pair( + alt(( + tag("CKA_TRUST_STEP_UP_APPROVED"), + tag("CKA_PRIVATE"), + tag("CKA_MODIFIABLE"), + )), + space1, + bbool_false, + ), + ))(i)?; + Ok((i, (attr, value))) +} + +type Block<'a> = HashMap<&'a str, Ck<'a>>; + +fn attr<'a>(block: &'a Block, attr: &str) -> &'a Ck<'a> { + block.get(attr).unwrap_or(&Ck::Empty) +} + +fn parse(i: &str) -> IResult<&str, Vec<Block>> { + let mut out: Vec<Block> = vec![]; + let (i, _) = take_until("BEGINDATA\n")(i)?; + let (i, _) = tag("BEGINDATA\n")(i)?; + let (i, mut raw_blocks) = separated_list0(many1(char('\n')), many1(certdata_line))(i)?; + let (i, _) = multispace0(i)?; // allow trailing whitespace + if !i.is_empty() { + // The first line of i contains an error. + let (line, _) = i.split_once('\n').unwrap_or((i, "")); + fail::<_, &str, _>(line)?; + } + for raw_block in raw_blocks.drain(..) { + out.push(raw_block.into_iter().collect()) + } + Ok((i, out)) +} + +#[derive(Debug)] +struct PKCS11TypesParseCallbacks; + +impl ParseCallbacks for PKCS11TypesParseCallbacks { + fn int_macro(&self, _name: &str, _value: i64) -> Option<IntKind> { + Some(IntKind::U8) + } +} + +// If we encounter a problem parsing certdata.txt we'll try to turn it into a compile time +// error in builtins.rs. We need to output definitions for ROOT_LIST_LABEL and BUILTINS to +// cut down on the number of errors the compiler produces. +macro_rules! emit_build_error { + ($out:ident, $err:expr) => { + writeln!($out, "std::compile_error!(\"{}\");", $err)?; + writeln!($out, "pub static ROOT_LIST_LABEL: [u8; 0] = [];")?; + writeln!($out, "pub static BUILTINS: [Root; 0] = [];")?; + }; +} + +fn main() -> std::io::Result<()> { + println!("cargo:rerun-if-changed=../../../nss/lib/ckfw/builtins/certdata.txt"); + println!("cargo:rerun-if-changed=../../../nss/lib/ckfw/builtins/nssckbi.h"); + + let bindings = Builder::default() + .header("../../../nss/lib/ckfw/builtins/nssckbi.h") + .allowlist_var("NSS_BUILTINS_CRYPTOKI_VERSION_MAJOR") + .allowlist_var("NSS_BUILTINS_CRYPTOKI_VERSION_MINOR") + .allowlist_var("NSS_BUILTINS_LIBRARY_VERSION_MAJOR") + .allowlist_var("NSS_BUILTINS_LIBRARY_VERSION_MINOR") + .allowlist_var("NSS_BUILTINS_HARDWARE_VERSION_MAJOR") + .allowlist_var("NSS_BUILTINS_HARDWARE_VERSION_MINOR") + .allowlist_var("NSS_BUILTINS_FIRMWARE_VERSION_MAJOR") + .allowlist_var("NSS_BUILTINS_FIRMWARE_VERSION_MINOR") + .parse_callbacks(Box::new(PKCS11TypesParseCallbacks)) + .generate() + .expect("Unable to generate bindings."); + + let out_path = PathBuf::from(env::var("OUT_DIR").expect("OUT_DIR should be set in env.")); + bindings + .write_to_file(out_path.join("version.rs")) + .expect("Could not write version.rs."); + + let mut out = BufWriter::new( + File::create(out_path.join("builtins.rs")).expect("Could not write builtins.rs."), + ); + + let input: &str = &std::fs::read_to_string("../../../nss/lib/ckfw/builtins/certdata.txt") + .expect("Unable to read certdata.txt."); + + let blocks = match parse(input) { + Ok((_, blocks)) => blocks, + Err(e) => { + let input = match e { + nom::Err::Error(nom::error::Error { input, .. }) => input, + _ => "Unknown", + }; + emit_build_error!( + out, + &format!( + "Could not parse certdata.txt. Failed at: \'{}\'\");", + input.escape_debug().to_string().escape_debug() + ) + ); + return Ok(()); + } + }; + + let root_lists: Vec<&Block> = blocks + .iter() + .filter(|x| attr(x, "CKA_CLASS") == &Ck::Class("CKO_NSS_BUILTIN_ROOT_LIST")) + .collect(); + + if root_lists.len() != 1 { + emit_build_error!( + out, + "certdata.txt does not define a CKO_NSS_BUILTIN_ROOT_LIST object." + ); + return Ok(()); + } + + let mut certs: Vec<&Block> = blocks + .iter() + .filter(|x| attr(x, "CKA_CLASS") == &Ck::Class("CKO_CERTIFICATE")) + .collect(); + + let trusts: Vec<&Block> = blocks + .iter() + .filter(|x| attr(x, "CKA_CLASS") == &Ck::Class("CKO_NSS_TRUST")) + .collect(); + + if certs.len() != trusts.len() { + emit_build_error!( + out, + "certdata.txt has a mismatched number of certificate and trust objects" + ); + return Ok(()); + } + + // Ensure that every certificate has a CKA_SUBJECT attribute for the sort + for (i, cert) in certs.iter().enumerate() { + match cert.get("CKA_SUBJECT") { + Some(Ck::MultilineOctal(_)) => (), + _ => { + emit_build_error!( + out, + format!("Certificate {i} in certdata.txt has no CKA_SUBJECT attribute.") + ); + return Ok(()); + } + } + } + + certs.sort_by_cached_key(|x| match x.get("CKA_SUBJECT") { + Some(Ck::MultilineOctal(data)) => octal_block_to_vec_u8(data), + _ => unreachable!(), + }); + + // Write out arrays for the DER encoded certificate, serial number, and subject of each root. + // Since the serial number and the subject are in the DER cert, we don't need to store + // additional data for them. + for (i, cert) in certs.iter().enumerate() { + // Preserve the comment from certdata.txt + match attr(cert, "COMMENT") { + Ck::Empty => (), + comment => write!(out, "{comment}")?, + }; + + let der = attr(cert, "CKA_VALUE"); + writeln!(out, "static ROOT_{i}: &[u8] = {der};")?; + + // Search for the serial number and subject in the DER cert. We want to search on the raw + // bytes, not the octal presentation, so we have to unpack the enums. + let der_data = match der { + Ck::MultilineOctal(x) => octal_block_to_vec_u8(x), + _ => unreachable!(), + }; + let serial_data = match attr(cert, "CKA_SERIAL_NUMBER") { + Ck::MultilineOctal(x) => octal_block_to_vec_u8(x), + _ => unreachable!(), + }; + let subject_data = match attr(cert, "CKA_SUBJECT") { + Ck::MultilineOctal(x) => octal_block_to_vec_u8(x), + _ => unreachable!(), + }; + + fn need_u16(out: &mut impl Write, attr: &str, what: &str, i: usize) -> std::io::Result<()> { + emit_build_error!( + out, + format!("Certificate {i} in certdata.txt has a {attr} whose {what} doesn't fit in a u8. Time to upgrade to u16 at the expense of size?") + ); + Ok(()) + } + + let serial_len = serial_data.len(); + if let Some(serial_offset) = &der_data.windows(serial_len).position(|s| s == serial_data) { + if *serial_offset > u8::MAX.into() { + return need_u16(&mut out, "CKA_SERIAL_NUMBER", "offset", i); + } + if serial_len > u8::MAX.into() { + return need_u16(&mut out, "CKA_SERIAL_NUMBER", "length", i); + } + writeln!( + out, + "const SERIAL_{i}: (u8, u8) = ({serial_offset}, {serial_len});" + )?; + } else { + emit_build_error!( + out, + format!("Certificate {i} in certdata.txt has a CKA_SERIAL_NUMBER that does not match its CKA_VALUE.") + ); + return Ok(()); + } + + let subject_len = subject_data.len(); + if let Some(subject_offset) = &der_data + .windows(subject_len) + .position(|s| s == subject_data) + { + if *subject_offset > u8::MAX.into() { + return need_u16(&mut out, "CKA_SUBJECT", "offset", i); + } + if subject_len > u8::MAX.into() { + return need_u16(&mut out, "CKA_SUBJECT", "length", i); + } + writeln!( + out, + "const SUBJECT_{i}: (u8, u8) = ({subject_offset}, {subject_len});" + )?; + } else { + emit_build_error!( + out, + format!("Certificate {i} in certdata.txt has a CKA_SUBJECT that does not match its CKA_VALUE.") + ); + return Ok(()); + } + } + + let root_list_label = attr(root_lists[0], "CKA_LABEL"); + let root_list_label_len = match root_list_label { + Ck::Utf8(x) => x.len() + 1, + _ => unreachable!(), + }; + writeln!( + out, + "pub const ROOT_LIST_LABEL: [u8; {root_list_label_len}] = *b{root_list_label};" + )?; + + writeln!(out, "pub static BUILTINS: [Root; {}] = [", certs.len())?; + for (i, cert) in certs.iter().enumerate() { + let subject = attr(cert, "CKA_SUBJECT"); + let issuer = attr(cert, "CKA_ISSUER"); + let label = attr(cert, "CKA_LABEL"); + if !subject.eq(issuer) { + writeln!(out, "];")?; // end the definition of BUILTINS + let label = format!("{}", label); + writeln!( + out, + "std::compile_error!(\"Certificate with label {} is not self-signed\");", + label.escape_debug() + )?; + return Ok(()); + } + let mozpol = attr(cert, "CKA_NSS_MOZILLA_CA_POLICY"); + let server_distrust = attr(cert, "CKA_NSS_SERVER_DISTRUST_AFTER"); + let email_distrust = attr(cert, "CKA_NSS_EMAIL_DISTRUST_AFTER"); + let matching_trusts: Vec<&&Block> = trusts + .iter() + .filter(|trust| { + (attr(cert, "CKA_ISSUER") == attr(trust, "CKA_ISSUER")) + && (attr(cert, "CKA_SERIAL_NUMBER") == attr(trust, "CKA_SERIAL_NUMBER")) + }) + .collect(); + if matching_trusts.len() != 1 { + writeln!(out, "];")?; // end the definition of BUILTINS + let label = format!("{}", label); + writeln!(out, "std::compile_error!(\"Could not find unique trust object for {} in certdata.txt\");", label.escape_debug())?; + return Ok(()); + } + let trust = *matching_trusts[0]; + let sha1 = match attr(trust, "CKA_CERT_SHA1_HASH") { + Ck::MultilineOctal(x) => octal_block_to_hex_string(x), + _ => unreachable!(), + }; + let md5 = match attr(trust, "CKA_CERT_MD5_HASH") { + Ck::MultilineOctal(x) => octal_block_to_hex_string(x), + _ => unreachable!(), + }; + let server = attr(trust, "CKA_TRUST_SERVER_AUTH"); + let email = attr(trust, "CKA_TRUST_EMAIL_PROTECTION"); + + writeln!( + out, + " Root {{ + label: {label}, + der_name: SUBJECT_{i}, + der_serial: SERIAL_{i}, + der_cert: ROOT_{i}, + mozilla_ca_policy: {mozpol}, + server_distrust_after: {server_distrust}, + email_distrust_after: {email_distrust}, + sha1: [{sha1}], + md5: [{md5}], + trust_server: {server}, + trust_email: {email}, + }}," + )?; + } + writeln!(out, "];")?; + + let _ = out.flush(); + Ok(()) +} diff --git a/security/manager/ssl/builtins/dynamic-library/builtins.symbols b/security/manager/ssl/builtins/dynamic-library/builtins.symbols new file mode 100644 index 0000000000..562ecea21d --- /dev/null +++ b/security/manager/ssl/builtins/dynamic-library/builtins.symbols @@ -0,0 +1 @@ +C_GetFunctionList diff --git a/security/manager/ssl/builtins/dynamic-library/moz.build b/security/manager/ssl/builtins/dynamic-library/moz.build new file mode 100644 index 0000000000..2413a4c441 --- /dev/null +++ b/security/manager/ssl/builtins/dynamic-library/moz.build @@ -0,0 +1,38 @@ +# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*- +# vim: set filetype=python: +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +USE_LIBS += ["builtins-static"] + +# see notes in ipcclientcerts/dynamic-library/moz.build + +if CONFIG["OS_ARCH"] == "Linux" and CONFIG["OS_TARGET"] != "Android": + SOURCES += [ + "stub.cpp", + ] +else: + SOURCES += [ + "stub.c", + ] + +if CONFIG["OS_TARGET"] == "Android": + OS_LIBS += ["m"] + +if CONFIG["OS_ARCH"] == "WINNT": + OS_LIBS += [ + "advapi32", + "userenv", + "ws2_32", + ] + OS_LIBS += [ + "bcrypt", + "ntdll", + ] + + +SharedLibrary("nssckbi") + +NoVisibilityFlags() +SYMBOLS_FILE = "builtins.symbols" diff --git a/security/manager/ssl/builtins/dynamic-library/stub.c b/security/manager/ssl/builtins/dynamic-library/stub.c new file mode 100644 index 0000000000..75139c48bf --- /dev/null +++ b/security/manager/ssl/builtins/dynamic-library/stub.c @@ -0,0 +1,27 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "pkcs11.h" + +// see notes in ipcclientcerts/dynamic-library/stub.c + +CK_RV BUILTINSC_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR ppFunctionList); + +CK_RV C_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR ppFunctionList) { + return BUILTINSC_GetFunctionList(ppFunctionList); +} + +#ifdef __MINGW32__ +# include "mozilla/Assertions.h" +void _Unwind_Resume() { MOZ_CRASH("Unexpected call to _Unwind_*"); } +void _Unwind_GetDataRelBase() { _Unwind_Resume(); } +void _Unwind_GetTextRelBase() { _Unwind_Resume(); } +void _Unwind_GetLanguageSpecificData() { _Unwind_Resume(); } +void _Unwind_GetIPInfo() { _Unwind_Resume(); } +void _Unwind_GetRegionStart() { _Unwind_Resume(); } +void _Unwind_SetGR() { _Unwind_Resume(); } +void _Unwind_SetIP() { _Unwind_Resume(); } +void _GCC_specific_handler() { _Unwind_Resume(); } +#endif diff --git a/security/manager/ssl/builtins/dynamic-library/stub.cpp b/security/manager/ssl/builtins/dynamic-library/stub.cpp new file mode 100644 index 0000000000..414f5a68c1 --- /dev/null +++ b/security/manager/ssl/builtins/dynamic-library/stub.cpp @@ -0,0 +1,17 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "pkcs11.h" + +// see notes in ipcclientcerts/dynamic-library/stub.cpp + +extern "C" { + +CK_RV BUILTINSC_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR ppFunctionList); + +CK_RV C_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR ppFunctionList) { + return BUILTINSC_GetFunctionList(ppFunctionList); +} +} diff --git a/security/manager/ssl/builtins/moz.build b/security/manager/ssl/builtins/moz.build new file mode 100644 index 0000000000..f612798d79 --- /dev/null +++ b/security/manager/ssl/builtins/moz.build @@ -0,0 +1,9 @@ +# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*- +# vim: set filetype=python: +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +DIRS += ["dynamic-library"] + +RustLibrary("builtins-static") diff --git a/security/manager/ssl/builtins/src/certdata.rs b/security/manager/ssl/builtins/src/certdata.rs new file mode 100644 index 0000000000..211abce475 --- /dev/null +++ b/security/manager/ssl/builtins/src/certdata.rs @@ -0,0 +1,52 @@ +/* -*- Mode: rust; rust-indent-offset: 4 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +use pkcs11_bindings::nss::*; +use pkcs11_bindings::*; + +// We need to expand some PKCS#11 / NSS constants as byte arrays for pattern matching and +// C_GetAttributeValue queries. We use native endianness, because PKCS#11 sits between an +// application and a device driver that are running on the same machine. +pub const CKC_X_509_BYTES: &[u8] = &CKC_X_509.to_ne_bytes(); +pub const CKO_CERTIFICATE_BYTES: &[u8] = &CKO_CERTIFICATE.to_ne_bytes(); +pub const CKO_NSS_BUILTIN_ROOT_LIST_BYTES: &[u8] = &CKO_NSS_BUILTIN_ROOT_LIST.to_ne_bytes(); +pub const CKO_NSS_TRUST_BYTES: &[u8] = &CKO_NSS_TRUST.to_ne_bytes(); +pub const CKT_NSS_MUST_VERIFY_TRUST_BYTES: &[u8] = &CKT_NSS_MUST_VERIFY_TRUST.to_ne_bytes(); +pub const CKT_NSS_NOT_TRUSTED_BYTES: &[u8] = &CKT_NSS_NOT_TRUSTED.to_ne_bytes(); +pub const CKT_NSS_TRUSTED_DELEGATOR_BYTES: &[u8] = &CKT_NSS_TRUSTED_DELEGATOR.to_ne_bytes(); +pub const CK_FALSE_BYTES: &[u8] = &CK_FALSE.to_ne_bytes(); +pub const CK_TRUE_BYTES: &[u8] = &CK_TRUE.to_ne_bytes(); + +#[derive(PartialEq, Eq)] +pub struct Root { + pub label: &'static str, + pub der_name: (u8, u8), + pub der_serial: (u8, u8), + pub der_cert: &'static [u8], + pub mozilla_ca_policy: Option<&'static [u8]>, + pub server_distrust_after: Option<&'static [u8]>, + pub email_distrust_after: Option<&'static [u8]>, + pub sha1: [u8; 20], + pub md5: [u8; 16], + pub trust_server: &'static [u8], + pub trust_email: &'static [u8], +} + +impl Root { + pub fn der_name(&self) -> &'static [u8] { + &self.der_cert[self.der_name.0 as usize..][..self.der_name.1 as usize] + } + pub fn der_serial(&self) -> &'static [u8] { + &self.der_cert[self.der_serial.0 as usize..][..self.der_serial.1 as usize] + } +} + +impl PartialOrd for Root { + fn partial_cmp(&self, other: &Root) -> Option<std::cmp::Ordering> { + self.der_name().partial_cmp(other.der_name()) + } +} + +include!(concat!(env!("OUT_DIR"), "/builtins.rs")); diff --git a/security/manager/ssl/builtins/src/internal.rs b/security/manager/ssl/builtins/src/internal.rs new file mode 100644 index 0000000000..30bd1fcea7 --- /dev/null +++ b/security/manager/ssl/builtins/src/internal.rs @@ -0,0 +1,344 @@ +/* -*- Mode: rust; rust-indent-offset: 4 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +use pkcs11_bindings::nss::*; +use pkcs11_bindings::*; + +use smallvec::SmallVec; + +use crate::certdata::*; + +// The token stores 2N+1 objects: one NSS root list object, N certificate objects, and N trust +// objects. +// +// Internally, the token identifies each object by its ObjectClass (RootList, Certificate, +// or Trust) and its index in the list of objects of the same class. +// +// The PKCS#11 interface, on the other hand, identifies each object with a unique, non-zero, +// unsigned long. This ulong is referred to as the object's CK_OBJECT_HANDLE. +// +// We're free to choose the mapping between ObjectHandles and CK_OBJECT_HANDLEs. Currently we +// encode the ObjectClass in the low 2 bits of the CK_OBJECT_HANDLE and the index in the higher +// bits. We use the values 1, 2, and 3 for ObjectClass to avoid using 0 as a CK_OBJECT_HANDLE. +// +#[derive(Clone, Copy)] +pub enum ObjectClass { + RootList = 1, + Certificate = 2, + Trust = 3, +} + +#[derive(Clone, Copy)] +pub struct ObjectHandle { + class: ObjectClass, + index: usize, +} + +impl TryFrom<CK_OBJECT_HANDLE> for ObjectHandle { + type Error = (); + fn try_from(handle: CK_OBJECT_HANDLE) -> Result<Self, Self::Error> { + if let Ok(handle) = usize::try_from(handle) { + let index = handle >> 2; + let class = match handle & 3 { + 1 if index == 0 => ObjectClass::RootList, + 2 if index < BUILTINS.len() => ObjectClass::Certificate, + 3 if index < BUILTINS.len() => ObjectClass::Trust, + _ => return Err(()), + }; + Ok(ObjectHandle { class, index }) + } else { + Err(()) + } + } +} + +impl From<ObjectHandle> for CK_OBJECT_HANDLE { + fn from(object_handle: ObjectHandle) -> CK_OBJECT_HANDLE { + match CK_OBJECT_HANDLE::try_from(object_handle.index) { + Ok(index) => (index << 2) | (object_handle.class as CK_OBJECT_HANDLE), + Err(_) => 0, + } + } +} + +pub fn get_attribute(attribute: CK_ATTRIBUTE_TYPE, object: &ObjectHandle) -> Option<&'static [u8]> { + match object.class { + ObjectClass::RootList => get_root_list_attribute(attribute), + ObjectClass::Certificate => get_cert_attribute(attribute, &BUILTINS[object.index]), + ObjectClass::Trust => get_trust_attribute(attribute, &BUILTINS[object.index]), + } +} + +// Every attribute that appears in certdata.txt must have a corresponding match arm in one of the +// get_*_attribute functions. +// +fn get_root_list_attribute(attribute: CK_ATTRIBUTE_TYPE) -> Option<&'static [u8]> { + match attribute { + CKA_CLASS => Some(CKO_NSS_BUILTIN_ROOT_LIST_BYTES), + CKA_TOKEN => Some(CK_TRUE_BYTES), + CKA_PRIVATE => Some(CK_FALSE_BYTES), + CKA_MODIFIABLE => Some(CK_FALSE_BYTES), + CKA_LABEL => Some(&ROOT_LIST_LABEL[..]), + _ => None, + } +} + +fn get_cert_attribute(attribute: CK_ATTRIBUTE_TYPE, cert: &Root) -> Option<&[u8]> { + match attribute { + CKA_CLASS => Some(CKO_CERTIFICATE_BYTES), + CKA_TOKEN => Some(CK_TRUE_BYTES), + CKA_PRIVATE => Some(CK_FALSE_BYTES), + CKA_MODIFIABLE => Some(CK_FALSE_BYTES), + CKA_LABEL => Some(cert.label.as_bytes()), + CKA_CERTIFICATE_TYPE => Some(CKC_X_509_BYTES), + CKA_SUBJECT => Some(cert.der_name()), + CKA_ID => Some(b"0\0"), // null terminated to match C implementation + CKA_ISSUER => Some(cert.der_name()), + CKA_SERIAL_NUMBER => Some(cert.der_serial()), + CKA_VALUE => Some(cert.der_cert), + CKA_NSS_MOZILLA_CA_POLICY => cert.mozilla_ca_policy, + CKA_NSS_SERVER_DISTRUST_AFTER => cert.server_distrust_after, + CKA_NSS_EMAIL_DISTRUST_AFTER => cert.email_distrust_after, + _ => None, + } +} + +fn get_trust_attribute(attribute: CK_ATTRIBUTE_TYPE, cert: &Root) -> Option<&[u8]> { + match attribute { + CKA_CLASS => Some(CKO_NSS_TRUST_BYTES), + CKA_TOKEN => Some(CK_TRUE_BYTES), + CKA_PRIVATE => Some(CK_FALSE_BYTES), + CKA_MODIFIABLE => Some(CK_FALSE_BYTES), + CKA_LABEL => Some(cert.label.as_bytes()), + CKA_CERT_SHA1_HASH => Some(&cert.sha1[..]), + CKA_CERT_MD5_HASH => Some(&cert.md5[..]), + CKA_ISSUER => Some(cert.der_name()), + CKA_SERIAL_NUMBER => Some(cert.der_serial()), + CKA_TRUST_STEP_UP_APPROVED => Some(CK_FALSE_BYTES), + CKA_TRUST_SERVER_AUTH => Some(cert.trust_server), + CKA_TRUST_EMAIL_PROTECTION => Some(cert.trust_email), + CKA_TRUST_CODE_SIGNING => Some(CKT_NSS_MUST_VERIFY_TRUST_BYTES), + _ => None, + } +} + +// A query matches an object if each term matches some attribute of the object. A search result is +// a list of object handles. Typical queries yield zero or one results, so we optimize for this +// case. +// +pub type Query<'a> = [(CK_ATTRIBUTE_TYPE, &'a [u8])]; +pub type SearchResult = SmallVec<[ObjectHandle; 1]>; + +pub fn search(query: &Query) -> SearchResult { + // The BUILTINS list is sorted by name. So if the query includes a CKA_SUBJECT or CKA_ISSUER + // field we can binary search. + for &(attr, value) in query { + if attr == CKA_SUBJECT || attr == CKA_ISSUER { + return search_by_name(value, query); + } + } + + let mut results: SearchResult = SearchResult::default(); + + // A query with no name term might match the root list object + if match_root_list(query) { + results.push(ObjectHandle { + class: ObjectClass::RootList, + index: 0, + }); + } + + // A query with a CKA_CLASS term matches exactly one type of object, and we should avoid + // iterating over BUILTINS when CKO_CLASS is neither CKO_CERTIFICATE_BYTES nor + // CKO_NSS_TRUST_BYTES. + let mut maybe_cert = true; + let mut maybe_trust = true; + for &(attr, value) in query { + if attr == CKA_CLASS { + maybe_cert = value.eq(CKO_CERTIFICATE_BYTES); + maybe_trust = value.eq(CKO_NSS_TRUST_BYTES); + break; + } + } + + if !(maybe_cert || maybe_trust) { + return results; // The root list or nothing. + } + + for (index, builtin) in BUILTINS.iter().enumerate() { + if maybe_cert && match_cert(query, builtin) { + results.push(ObjectHandle { + class: ObjectClass::Certificate, + index, + }); + } + if maybe_trust && match_trust(query, builtin) { + results.push(ObjectHandle { + class: ObjectClass::Trust, + index, + }); + } + } + results +} + +fn search_by_name(name: &[u8], query: &Query) -> SearchResult { + let mut results: SearchResult = SearchResult::default(); + + let index = match BUILTINS.binary_search_by_key(&name, |r| r.der_name()) { + Ok(index) => index, + _ => return results, + }; + + // binary search returned a matching index, but maybe not the smallest + let mut min = index; + while min > 0 && name.eq(BUILTINS[min - 1].der_name()) { + min -= 1; + } + + // ... and maybe not the largest. + let mut max = index; + while max < BUILTINS.len() - 1 && name.eq(BUILTINS[max + 1].der_name()) { + max += 1; + } + + for (index, builtin) in BUILTINS.iter().enumerate().take(max + 1).skip(min) { + if match_cert(query, builtin) { + results.push(ObjectHandle { + class: ObjectClass::Certificate, + index, + }); + } + if match_trust(query, builtin) { + results.push(ObjectHandle { + class: ObjectClass::Trust, + index, + }); + } + } + + results +} + +fn match_root_list(query: &Query) -> bool { + for &(typ, x) in query { + match get_root_list_attribute(typ) { + Some(y) if x.eq(y) => (), + _ => return false, + } + } + true +} + +fn match_cert(query: &Query, cert: &Root) -> bool { + for &(typ, x) in query { + match get_cert_attribute(typ, cert) { + Some(y) if x.eq(y) => (), + _ => return false, + } + } + true +} + +fn match_trust(query: &Query, cert: &Root) -> bool { + for &(typ, x) in query { + match get_trust_attribute(typ, cert) { + Some(y) if x.eq(y) => (), + _ => return false, + } + } + true +} + +#[cfg(test)] +mod internal_tests { + use crate::certdata::BUILTINS; + use crate::internal::*; + use pkcs11_bindings::*; + + // commented out to avoid vendoring x509_parser + // fn is_valid_utctime(utctime: &[u8]) -> bool { + // /* TODO: actual validation */ + // utctime.len() == 13 + // } + // #[test] + // fn test_certdata() { + // for root in BUILTINS { + // // the der_cert field is valid DER + // let parsed_cert = X509Certificate::from_der(root.der_cert); + // assert!(parsed_cert.is_ok()); + + // // the der_cert field has no trailing data + // let (trailing, parsed_cert) = parsed_cert.unwrap(); + // assert!(trailing.is_empty()); + + // // the der_serial field matches the encoded serial + // assert!(root.der_serial.len() > 2); + // assert!(root.der_serial[0] == 0x02); // der integer + // assert!(root.der_serial[1] <= 20); // no more than 20 bytes long + // assert!(root.der_serial[1] as usize == root.der_serial.len() - 2); + // assert!(parsed_cert.raw_serial().eq(&root.der_serial[2..])); + + // // the der_name field matches the encoded subject + // assert!(parsed_cert.subject.as_raw().eq(root.der_name)); + + // // the der_name field matches the encoded issuer + // assert!(parsed_cert.issuer.as_raw().eq(root.der_name)); + + // // The server_distrust_after field is None or a valid UTC time + // if let Some(utctime) = root.server_distrust_after { + // assert!(is_valid_utctime(&utctime)); + // } + + // // The email_distrust_after field is None or a valid UTC time + // if let Some(utctime) = root.email_distrust_after { + // assert!(is_valid_utctime(&utctime)); + // } + + // assert!( + // root.trust_server == CKT_NSS_MUST_VERIFY_TRUST_BYTES + // || root.trust_server == CKT_NSS_TRUSTED_DELEGATOR_BYTES + // || root.trust_server == CKT_NSS_NOT_TRUSTED_BYTES + // ); + // assert!( + // root.trust_email == CKT_NSS_MUST_VERIFY_TRUST_BYTES + // || root.trust_email == CKT_NSS_TRUSTED_DELEGATOR_BYTES + // || root.trust_email == CKT_NSS_NOT_TRUSTED_BYTES + // ); + // } + // } + + #[test] + fn test_builtins_sorted() { + for i in 0..(BUILTINS.len() - 1) { + assert!(BUILTINS[i].der_name.le(BUILTINS[i + 1].der_name)); + } + } + + #[test] + fn test_search() { + // search for an element that will not be found + let result = search(&[(CKA_TOKEN, &[CK_FALSE])]); + assert_eq!(result.len(), 0); + + // search for root list + let result = search(&[(CKA_CLASS, CKO_NSS_BUILTIN_ROOT_LIST_BYTES)]); + assert!(result.len() == 1); + + // search by name + let result = search(&[ + (CKA_CLASS, CKO_CERTIFICATE_BYTES), + (CKA_SUBJECT, BUILTINS[0].der_name), + ]); + assert!(result.len() >= 1); + + // search by issuer and serial + let result = search(&[ + (CKA_ISSUER, BUILTINS[0].der_name), + (CKA_SERIAL_NUMBER, BUILTINS[0].der_serial), + ]); + assert!(result.len() >= 1); + } +} diff --git a/security/manager/ssl/builtins/src/lib.rs b/security/manager/ssl/builtins/src/lib.rs new file mode 100644 index 0000000000..17b05b454d --- /dev/null +++ b/security/manager/ssl/builtins/src/lib.rs @@ -0,0 +1,9 @@ +/* -*- Mode: rust; rust-indent-offset: 4 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +mod certdata; +mod internal; +mod pkcs11; +mod version; diff --git a/security/manager/ssl/builtins/src/pkcs11.rs b/security/manager/ssl/builtins/src/pkcs11.rs new file mode 100644 index 0000000000..fb60aee187 --- /dev/null +++ b/security/manager/ssl/builtins/src/pkcs11.rs @@ -0,0 +1,1229 @@ +/* -*- Mode: rust; rust-indent-offset: 4 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#![allow(non_snake_case)] + +use pkcs11_bindings::*; +use std::slice; + +use std::collections::btree_map::Entry; +use std::collections::{BTreeMap, BTreeSet}; +use std::sync::atomic::{AtomicU32, Ordering}; +use std::sync::{Mutex, MutexGuard}; + +use crate::internal::{get_attribute, search}; +use crate::internal::{ObjectHandle, Query, SearchResult}; + +use crate::version::*; + +const BUILTINS_VERSION: CK_VERSION = CK_VERSION { + major: NSS_BUILTINS_LIBRARY_VERSION_MAJOR, + minor: NSS_BUILTINS_LIBRARY_VERSION_MINOR, +}; + +const FIRMWARE_VERSION: CK_VERSION = CK_VERSION { + major: NSS_BUILTINS_FIRMWARE_VERSION_MAJOR, + minor: NSS_BUILTINS_FIRMWARE_VERSION_MINOR, +}; + +const CRYPTOKI_VERSION: CK_VERSION = CK_VERSION { + major: NSS_BUILTINS_CRYPTOKI_VERSION_MAJOR, + minor: NSS_BUILTINS_CRYPTOKI_VERSION_MINOR, +}; +const HARDWARE_VERSION: CK_VERSION = CK_VERSION { + major: NSS_BUILTINS_HARDWARE_VERSION_MAJOR, + minor: NSS_BUILTINS_HARDWARE_VERSION_MINOR, +}; + +const MANUFACTURER_ID_BYTES: &[u8; 32] = b"Mozilla Foundation "; +const LIBRARY_DESCRIPTION_BYTES: &[u8; 32] = b"NSS Builtin Object Cryptoki Modu"; + +const SLOT_COUNT: CK_ULONG = 1; +const SLOT_ID_ROOTS: CK_SLOT_ID = 1; +const SLOT_DESCRIPTION_ROOTS_BYTES: &[u8; 64] = + b"NSS Builtin Objects "; + +const TOKEN_LABEL_ROOTS_BYTES: &[u8; 32] = b"Builtin Object Token "; +const TOKEN_MODEL_BYTES: &[u8; 16] = b"1 "; +const TOKEN_SERIAL_NUMBER_BYTES: &[u8; 16] = b"1 "; +const TOKEN_UTC_TIME: &[u8; 16] = b" "; + +#[derive(Debug)] +struct PK11Error(CK_RV); + +// The token assigns session handles using a counter. It would make sense to use a 64 bit counter, +// as there would then be no risk of exhausting the session handle space. However, +// CK_SESSION_HANDLE is defined as a C unsigned long, which is a u32 on some platforms. +// +// We start the counter at 1 since PKCS#11 reserves 0 to signal an invalid handle +// +type SessionHandle = u32; +static NEXT_HANDLE: AtomicU32 = AtomicU32::new(1); + +// The token needs to keep track of which sessions are open. +// +type SessionSet = BTreeSet<SessionHandle>; +static OPEN_SESSIONS: Mutex<Option<SessionSet>> = Mutex::new(None); + +// Helper functions for accessing OPEN_SESSIONS +// +type SessionSetGuard = MutexGuard<'static, Option<SessionSet>>; + +fn get_open_sessions_guard() -> Result<SessionSetGuard, PK11Error> { + OPEN_SESSIONS + .lock() + .map_err(|_| PK11Error(CKR_DEVICE_ERROR)) +} + +fn get_open_sessions(guard: &mut SessionSetGuard) -> Result<&mut SessionSet, PK11Error> { + let sessions = guard + .as_mut() + .ok_or(PK11Error(CKR_CRYPTOKI_NOT_INITIALIZED))?; + Ok(sessions) +} + +// The token needs to cache search results until the client reads them or closes the session. +// +type SearchCache = BTreeMap<SessionHandle, SearchResult>; +static SEARCHES: Mutex<Option<SearchCache>> = Mutex::new(None); + +// Helper functions for accessing SEARCHES +// +type SearchCacheGuard = MutexGuard<'static, Option<SearchCache>>; + +fn get_search_cache_guard() -> Result<SearchCacheGuard, PK11Error> { + SEARCHES.lock().map_err(|_| PK11Error(CKR_DEVICE_ERROR)) +} + +fn get_search_cache(guard: &mut SearchCacheGuard) -> Result<&mut SearchCache, PK11Error> { + let searches = guard + .as_mut() + .ok_or(PK11Error(CKR_CRYPTOKI_NOT_INITIALIZED))?; + Ok(searches) +} + +fn validate_session(handle: SessionHandle) -> Result<(), PK11Error> { + let mut guard = get_open_sessions_guard()?; + let sessions = get_open_sessions(&mut guard)?; + if sessions.contains(&handle) { + return Ok(()); + } + if handle < NEXT_HANDLE.load(Ordering::SeqCst) { + Err(PK11Error(CKR_SESSION_CLOSED)) + } else { + // Possible that NEXT_HANDLE wrapped and we should return CKR_SESSION_CLOSED. + // But this is best-effort. + Err(PK11Error(CKR_SESSION_HANDLE_INVALID)) + } +} + +// The internal implementation of C_Initialize +fn initialize() -> Result<(), PK11Error> { + { + let mut search_cache_guard = get_search_cache_guard()?; + if (*search_cache_guard).is_some() { + return Err(PK11Error(CKR_CRYPTOKI_ALREADY_INITIALIZED)); + } + *search_cache_guard = Some(SearchCache::default()); + } + + { + let mut session_guard = get_open_sessions_guard()?; + if (*session_guard).is_some() { + return Err(PK11Error(CKR_CRYPTOKI_ALREADY_INITIALIZED)); + } + *session_guard = Some(SessionSet::default()); + } + + Ok(()) +} + +// The internal implementation of C_Finalize +fn finalize() -> Result<(), PK11Error> { + { + let mut guard = get_search_cache_guard()?; + // Try to access the search cache to ensure we're initialized. + // Returns CKR_CRYPTOKI_NOT_INITIALIZED if we're not. + let _ = get_search_cache(&mut guard)?; + *guard = None; + } + + let mut guard = get_open_sessions_guard()?; + let _ = get_open_sessions(&mut guard)?; + *guard = None; + + Ok(()) +} + +// Internal implementation of C_OpenSession +fn open_session() -> Result<SessionHandle, PK11Error> { + let mut handle = NEXT_HANDLE.fetch_add(1, Ordering::SeqCst); + if handle == 0 { + // skip handle 0 if the addition wraps + handle = NEXT_HANDLE.fetch_add(1, Ordering::SeqCst); + } + + let mut guard = get_open_sessions_guard()?; + let sessions = get_open_sessions(&mut guard)?; + while !sessions.insert(handle) { + // this only executes if NEXT_HANDLE wraps while sessions with + // small handles are still open. + handle = NEXT_HANDLE.fetch_add(1, Ordering::SeqCst); + } + + Ok(handle) +} + +// Internal implementation of C_CloseSession +fn close_session(session: SessionHandle) -> Result<(), PK11Error> { + { + let mut guard = get_search_cache_guard()?; + let searches = get_search_cache(&mut guard)?; + searches.remove(&session); + } + + { + let mut guard = get_open_sessions_guard()?; + let sessions = get_open_sessions(&mut guard)?; + if sessions.remove(&session) { + Ok(()) + } else if session < NEXT_HANDLE.load(Ordering::SeqCst) { + Err(PK11Error(CKR_SESSION_CLOSED)) + } else { + Err(PK11Error(CKR_SESSION_HANDLE_INVALID)) + } + } +} + +// Internal implementation of C_CloseAllSessions +fn close_all_sessions() -> Result<(), PK11Error> { + { + let mut guard = get_search_cache_guard()?; + let searches = get_search_cache(&mut guard)?; + searches.clear(); + } + + { + let mut guard = get_open_sessions_guard()?; + let sessions = get_open_sessions(&mut guard)?; + sessions.clear(); + } + + Ok(()) +} + +// Internal implementation of C_FindObjectsInit +fn find_objects_init(session: SessionHandle, query: &Query) -> Result<usize, PK11Error> { + validate_session(session)?; + + let results = search(query); + let count = results.len(); + + let mut guard = get_search_cache_guard()?; + let searches = get_search_cache(&mut guard)?; + match searches.entry(session) { + Entry::Occupied(_) => Err(PK11Error(CKR_OPERATION_ACTIVE)), + Entry::Vacant(v) => { + v.insert(results); + Ok(count) + } + } +} + +// Internal implementation of C_FindObjects +fn find_objects(session: SessionHandle, out: &mut [CK_OBJECT_HANDLE]) -> Result<usize, PK11Error> { + validate_session(session)?; + + let mut guard = get_search_cache_guard()?; + let searches = get_search_cache(&mut guard)?; + if let Some(objects) = searches.get_mut(&session) { + for (i, out_i) in out.iter_mut().enumerate() { + match objects.pop() { + Some(object) => *out_i = object.into(), + None => return Ok(i), + } + } + Ok(out.len()) + } else { + Ok(0) + } +} + +// Internal implementation of C_FindObjectsFinal +fn find_objects_final(session: SessionHandle) -> Result<(), PK11Error> { + validate_session(session)?; + + let mut guard = get_search_cache_guard()?; + let searches = get_search_cache(&mut guard)?; + searches.remove(&session); + Ok(()) +} + +extern "C" fn C_Initialize(_pInitArgs: CK_VOID_PTR) -> CK_RV { + match initialize() { + Ok(_) => CKR_OK, + Err(PK11Error(e)) => e, + } +} + +extern "C" fn C_Finalize(pReserved: CK_VOID_PTR) -> CK_RV { + if !pReserved.is_null() { + return CKR_ARGUMENTS_BAD; + } + match finalize() { + Ok(_) => CKR_OK, + Err(PK11Error(e)) => e, + } +} + +extern "C" fn C_GetInfo(pInfo: CK_INFO_PTR) -> CK_RV { + if pInfo.is_null() { + return CKR_ARGUMENTS_BAD; + } + unsafe { + *pInfo = CK_INFO { + cryptokiVersion: CRYPTOKI_VERSION, + manufacturerID: *MANUFACTURER_ID_BYTES, + flags: 0, + libraryDescription: *LIBRARY_DESCRIPTION_BYTES, + libraryVersion: BUILTINS_VERSION, + }; + } + CKR_OK +} + +extern "C" fn C_GetSlotList( + _tokenPresent: CK_BBOOL, + pSlotList: CK_SLOT_ID_PTR, + pulCount: CK_ULONG_PTR, +) -> CK_RV { + if pulCount.is_null() { + return CKR_ARGUMENTS_BAD; + } + if !pSlotList.is_null() { + if unsafe { *pulCount } < SLOT_COUNT { + return CKR_BUFFER_TOO_SMALL; + } + unsafe { + *pSlotList = SLOT_ID_ROOTS; + } + } + unsafe { + *pulCount = SLOT_COUNT; + } + CKR_OK +} + +extern "C" fn C_GetSlotInfo(slotID: CK_SLOT_ID, pInfo: CK_SLOT_INFO_PTR) -> CK_RV { + if (slotID != SLOT_ID_ROOTS) || pInfo.is_null() { + return CKR_ARGUMENTS_BAD; + } + unsafe { + *pInfo = CK_SLOT_INFO { + slotDescription: *SLOT_DESCRIPTION_ROOTS_BYTES, + manufacturerID: *MANUFACTURER_ID_BYTES, + flags: CKF_TOKEN_PRESENT, + hardwareVersion: HARDWARE_VERSION, + firmwareVersion: FIRMWARE_VERSION, + }; + } + CKR_OK +} + +extern "C" fn C_GetTokenInfo(slotID: CK_SLOT_ID, pInfo: CK_TOKEN_INFO_PTR) -> CK_RV { + if (slotID != SLOT_ID_ROOTS) || pInfo.is_null() { + return CKR_ARGUMENTS_BAD; + } + unsafe { + *pInfo = CK_TOKEN_INFO { + label: *TOKEN_LABEL_ROOTS_BYTES, + manufacturerID: *MANUFACTURER_ID_BYTES, + model: *TOKEN_MODEL_BYTES, + serialNumber: *TOKEN_SERIAL_NUMBER_BYTES, + flags: CKF_WRITE_PROTECTED, + ulMaxSessionCount: CK_UNAVAILABLE_INFORMATION, + ulSessionCount: 0, + ulMaxRwSessionCount: CK_UNAVAILABLE_INFORMATION, + ulRwSessionCount: 0, + ulMaxPinLen: CK_UNAVAILABLE_INFORMATION, + ulMinPinLen: CK_UNAVAILABLE_INFORMATION, + ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION, + ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION, + ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION, + ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION, + hardwareVersion: HARDWARE_VERSION, + firmwareVersion: FIRMWARE_VERSION, + utcTime: *TOKEN_UTC_TIME, + }; + } + CKR_OK +} + +extern "C" fn C_GetMechanismList( + slotID: CK_SLOT_ID, + _pMechanismList: CK_MECHANISM_TYPE_PTR, + pulCount: CK_ULONG_PTR, +) -> CK_RV { + if slotID != SLOT_ID_ROOTS || pulCount.is_null() { + return CKR_ARGUMENTS_BAD; + } + unsafe { + *pulCount = 0; + } + CKR_OK +} + +extern "C" fn C_GetMechanismInfo( + _slotID: CK_SLOT_ID, + _type: CK_MECHANISM_TYPE, + _pInfo: CK_MECHANISM_INFO_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_InitToken( + _slotID: CK_SLOT_ID, + _pPin: CK_UTF8CHAR_PTR, + _ulPinLen: CK_ULONG, + _pLabel: CK_UTF8CHAR_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_InitPIN( + _hSession: CK_SESSION_HANDLE, + _pPin: CK_UTF8CHAR_PTR, + _ulPinLen: CK_ULONG, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_SetPIN( + _hSession: CK_SESSION_HANDLE, + _pOldPin: CK_UTF8CHAR_PTR, + _ulOldLen: CK_ULONG, + _pNewPin: CK_UTF8CHAR_PTR, + _ulNewLen: CK_ULONG, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_OpenSession( + slotID: CK_SLOT_ID, + flags: CK_FLAGS, + _pApplication: CK_VOID_PTR, + _Notify: CK_NOTIFY, + phSession: CK_SESSION_HANDLE_PTR, +) -> CK_RV { + if slotID != SLOT_ID_ROOTS || phSession.is_null() { + return CKR_ARGUMENTS_BAD; + } + // [pkcs11-base-v3.0, Section 5.6.1] + // For legacy reasons, the CKF_SERIAL_SESSION bit MUST always be set; if a call to + // C_OpenSession does not have this bit set, the call should return unsuccessfully with the + // error code CKR_SESSION_PARALLEL_NOT_SUPPORTED. + if flags & CKF_SERIAL_SESSION == 0 { + return CKR_SESSION_PARALLEL_NOT_SUPPORTED; + } + let session_id = match open_session() { + Ok(session_id) => session_id as CK_SESSION_HANDLE, + Err(PK11Error(e)) => return e, + }; + unsafe { *phSession = session_id }; + CKR_OK +} + +extern "C" fn C_CloseSession(hSession: CK_SESSION_HANDLE) -> CK_RV { + let session: SessionHandle = match hSession.try_into() { + Ok(session) => session, + Err(_) => return CKR_SESSION_HANDLE_INVALID, + }; + match close_session(session) { + Ok(_) => CKR_OK, + Err(PK11Error(e)) => e, + } +} + +extern "C" fn C_CloseAllSessions(slotID: CK_SLOT_ID) -> CK_RV { + if slotID != SLOT_ID_ROOTS { + return CKR_ARGUMENTS_BAD; + } + match close_all_sessions() { + Ok(_) => CKR_OK, + Err(PK11Error(e)) => e, + } +} + +extern "C" fn C_GetSessionInfo(_hSession: CK_SESSION_HANDLE, _pInfo: CK_SESSION_INFO_PTR) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_GetOperationState( + _hSession: CK_SESSION_HANDLE, + _pOperationState: CK_BYTE_PTR, + _pulOperationStateLen: CK_ULONG_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_SetOperationState( + _hSession: CK_SESSION_HANDLE, + _pOperationState: CK_BYTE_PTR, + _ulOperationStateLen: CK_ULONG, + _hEncryptionKey: CK_OBJECT_HANDLE, + _hAuthenticationKey: CK_OBJECT_HANDLE, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_Login( + _hSession: CK_SESSION_HANDLE, + _userType: CK_USER_TYPE, + _pPin: CK_UTF8CHAR_PTR, + _ulPinLen: CK_ULONG, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_Logout(_hSession: CK_SESSION_HANDLE) -> CK_RV { + CKR_OK +} + +extern "C" fn C_CreateObject( + _hSession: CK_SESSION_HANDLE, + _pTemplate: CK_ATTRIBUTE_PTR, + _ulCount: CK_ULONG, + _phObject: CK_OBJECT_HANDLE_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_CopyObject( + _hSession: CK_SESSION_HANDLE, + _hObject: CK_OBJECT_HANDLE, + _pTemplate: CK_ATTRIBUTE_PTR, + _ulCount: CK_ULONG, + _phNewObject: CK_OBJECT_HANDLE_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_DestroyObject(_hSession: CK_SESSION_HANDLE, _hObject: CK_OBJECT_HANDLE) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_GetObjectSize( + _hSession: CK_SESSION_HANDLE, + _hObject: CK_OBJECT_HANDLE, + _pulSize: CK_ULONG_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_GetAttributeValue( + _hSession: CK_SESSION_HANDLE, + hObject: CK_OBJECT_HANDLE, + pTemplate: CK_ATTRIBUTE_PTR, + ulCount: CK_ULONG, +) -> CK_RV { + if pTemplate.is_null() { + return CKR_ARGUMENTS_BAD; + } + + let count: usize = match ulCount.try_into() { + Ok(count) => count, + Err(_) => return CKR_ARGUMENTS_BAD, + }; + + // C_GetAttributeValue has a session handle parameter because PKCS#11 objects can have + // session-bound lifetimes and access controls. We don't have any session objects, and all of + // our token objects are public. So there's no good reason to validate the session handle. + // + //let session: SessionHandle = match hSession.try_into() { + // Ok(session) => session, + // Err(_) => return CKR_SESSION_HANDLE_INVALID, + //}; + // + //if let Err(PK11Error(e)) = validate_session(session) { + // return e; + //} + + let handle: ObjectHandle = match hObject.try_into() { + Ok(handle) => handle, + Err(_) => return CKR_OBJECT_HANDLE_INVALID, + }; + + let attrs: &mut [CK_ATTRIBUTE] = unsafe { slice::from_raw_parts_mut(pTemplate, count) }; + + let mut rv = CKR_OK; + + // Handle requests with null pValue fields + for attr in attrs.iter_mut().filter(|x| x.pValue.is_null()) { + attr.ulValueLen = match get_attribute(attr.type_, &handle) { + None => { + // [pkcs11-base-v3.0, Section 5.7.5] + // 2. [...] if the specified value for the object is invalid (the object does not possess + // such an attribute), then the ulValueLen field in that triple is modified to hold the + // value CK_UNAVAILABLE_INFORMATION. + rv = CKR_ATTRIBUTE_TYPE_INVALID; + CK_UNAVAILABLE_INFORMATION + } + Some(attr) => { + // [pkcs11-base-v3.0, Section 5.7.5] + // 3. [...] if the pValue field has the value NULL_PTR, then the ulValueLen field is modified + // to hold the exact length of the specified attribute for the object. + attr.len() as CK_ULONG + } + } + } + + // Handle requests with non-null pValue fields + for attr in attrs.iter_mut().filter(|x| !x.pValue.is_null()) { + let dst_len: usize = match attr.ulValueLen.try_into() { + Ok(dst_len) => dst_len, + Err(_) => return CKR_ARGUMENTS_BAD, + }; + attr.ulValueLen = match get_attribute(attr.type_, &handle) { + None => { + // [pkcs11-base-v3.0, Section 5.7.5] + // 2. [...] if the specified value for the object is invalid (the object does not possess + // such an attribute), then the ulValueLen field in that triple is modified to hold the + // value CK_UNAVAILABLE_INFORMATION. + rv = CKR_ATTRIBUTE_TYPE_INVALID; + CK_UNAVAILABLE_INFORMATION + } + Some(src) if dst_len >= src.len() => { + // [pkcs11-base-v3.0, Section 5.7.5] + // 4. [...] if the length specified in ulValueLen is large enough to hold the value + // of the specified attribute for the object, then that attribute is copied into + // the buffer located at pValue, and the ulValueLen field is modified to hold + // the exact length of the attribute. + let dst: &mut [u8] = + unsafe { slice::from_raw_parts_mut(attr.pValue as *mut u8, dst_len) }; + dst[..src.len()].copy_from_slice(src); + src.len() as CK_ULONG + } + _ => { + // [pkcs11-base-v3.0, Section 5.7.5] + // 5. Otherwise, the ulValueLen field is modified to hold the value + // CK_UNAVAILABLE_INFORMATION. + rv = CKR_BUFFER_TOO_SMALL; + CK_UNAVAILABLE_INFORMATION + } + }; + } + + // [pkcs11-base-v3.0, Section 5.7.5] + // If case 2 applies to any of the requested attributes, then the call should return the value + // CKR_ATTRIBUTE_TYPE_INVALID. If case 5 applies to any of the requested attributes, then the + // call should return the value CKR_BUFFER_TOO_SMALL. As usual, if more than one of these + // error codes is applicable, Cryptoki may return any of them. Only if none of them applies to + // any of the requested attributes will CKR_OK be returned. + rv +} + +extern "C" fn C_SetAttributeValue( + _hSession: CK_SESSION_HANDLE, + _hObject: CK_OBJECT_HANDLE, + _pTemplate: CK_ATTRIBUTE_PTR, + _ulCount: CK_ULONG, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_FindObjectsInit( + hSession: CK_SESSION_HANDLE, + pTemplate: CK_ATTRIBUTE_PTR, + ulCount: CK_ULONG, +) -> CK_RV { + if pTemplate.is_null() { + return CKR_ARGUMENTS_BAD; + } + let count: usize = match ulCount.try_into() { + Ok(count) => count, + Err(_) => return CKR_ARGUMENTS_BAD, + }; + let session: SessionHandle = match hSession.try_into() { + Ok(session) => session, + Err(_) => return CKR_SESSION_HANDLE_INVALID, + }; + + let raw_attrs: &[CK_ATTRIBUTE] = unsafe { slice::from_raw_parts_mut(pTemplate, count) }; + + let mut query: Vec<(CK_ATTRIBUTE_TYPE, &[u8])> = Vec::with_capacity(raw_attrs.len()); + for attr in raw_attrs { + match usize::try_from(attr.ulValueLen) { + Ok(len) => query.push((attr.type_, unsafe { + slice::from_raw_parts_mut(attr.pValue as *mut u8, len) + })), + Err(_) => return CKR_ARGUMENTS_BAD, + } + } + + match find_objects_init(session, &query) { + Ok(_) => CKR_OK, + Err(PK11Error(e)) => e, + } +} + +extern "C" fn C_FindObjects( + hSession: CK_SESSION_HANDLE, + phObject: CK_OBJECT_HANDLE_PTR, + ulMaxObjectCount: CK_ULONG, + pulObjectCount: CK_ULONG_PTR, +) -> CK_RV { + if phObject.is_null() || pulObjectCount.is_null() { + return CKR_ARGUMENTS_BAD; + } + let max_object_count: usize = match ulMaxObjectCount.try_into() { + Ok(max_object_count) => max_object_count, + Err(_) => return CKR_ARGUMENTS_BAD, + }; + let session: SessionHandle = match hSession.try_into() { + Ok(session) => session, + Err(_) => return CKR_SESSION_HANDLE_INVALID, + }; + let out: &mut [CK_OBJECT_HANDLE] = + unsafe { slice::from_raw_parts_mut(phObject, max_object_count) }; + match find_objects(session, out) { + Ok(num_found) => { + unsafe { *pulObjectCount = num_found as CK_ULONG }; + CKR_OK + } + Err(PK11Error(e)) => e, + } +} + +extern "C" fn C_FindObjectsFinal(hSession: CK_SESSION_HANDLE) -> CK_RV { + let session: SessionHandle = match hSession.try_into() { + Ok(session) => session, + Err(_) => return CKR_SESSION_HANDLE_INVALID, + }; + match find_objects_final(session) { + Ok(()) => CKR_OK, + Err(PK11Error(e)) => e, + } +} + +extern "C" fn C_EncryptInit( + _hSession: CK_SESSION_HANDLE, + _pMechanism: CK_MECHANISM_PTR, + _hKey: CK_OBJECT_HANDLE, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_Encrypt( + _hSession: CK_SESSION_HANDLE, + _pData: CK_BYTE_PTR, + _ulDataLen: CK_ULONG, + _pEncryptedData: CK_BYTE_PTR, + _pulEncryptedDataLen: CK_ULONG_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_EncryptUpdate( + _hSession: CK_SESSION_HANDLE, + _pPart: CK_BYTE_PTR, + _ulPartLen: CK_ULONG, + _pEncryptedPart: CK_BYTE_PTR, + _pulEncryptedPartLen: CK_ULONG_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_EncryptFinal( + _hSession: CK_SESSION_HANDLE, + _pLastEncryptedPart: CK_BYTE_PTR, + _pulLastEncryptedPartLen: CK_ULONG_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_DecryptInit( + _hSession: CK_SESSION_HANDLE, + _pMechanism: CK_MECHANISM_PTR, + _hKey: CK_OBJECT_HANDLE, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_Decrypt( + _hSession: CK_SESSION_HANDLE, + _pEncryptedData: CK_BYTE_PTR, + _ulEncryptedDataLen: CK_ULONG, + _pData: CK_BYTE_PTR, + _pulDataLen: CK_ULONG_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_DecryptUpdate( + _hSession: CK_SESSION_HANDLE, + _pEncryptedPart: CK_BYTE_PTR, + _ulEncryptedPartLen: CK_ULONG, + _pPart: CK_BYTE_PTR, + _pulPartLen: CK_ULONG_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_DecryptFinal( + _hSession: CK_SESSION_HANDLE, + _pLastPart: CK_BYTE_PTR, + _pulLastPartLen: CK_ULONG_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_DigestInit(_hSession: CK_SESSION_HANDLE, _pMechanism: CK_MECHANISM_PTR) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_Digest( + _hSession: CK_SESSION_HANDLE, + _pData: CK_BYTE_PTR, + _ulDataLen: CK_ULONG, + _pDigest: CK_BYTE_PTR, + _pulDigestLen: CK_ULONG_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_DigestUpdate( + _hSession: CK_SESSION_HANDLE, + _pPart: CK_BYTE_PTR, + _ulPartLen: CK_ULONG, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_DigestKey(_hSession: CK_SESSION_HANDLE, _hKey: CK_OBJECT_HANDLE) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_DigestFinal( + _hSession: CK_SESSION_HANDLE, + _pDigest: CK_BYTE_PTR, + _pulDigestLen: CK_ULONG_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_SignInit( + _hSession: CK_SESSION_HANDLE, + _pMechanism: CK_MECHANISM_PTR, + _hKey: CK_OBJECT_HANDLE, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_Sign( + _hSession: CK_SESSION_HANDLE, + _pData: CK_BYTE_PTR, + _ulDataLen: CK_ULONG, + _pSignature: CK_BYTE_PTR, + _pulSignatureLen: CK_ULONG_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_SignUpdate( + _hSession: CK_SESSION_HANDLE, + _pPart: CK_BYTE_PTR, + _ulPartLen: CK_ULONG, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_SignFinal( + _hSession: CK_SESSION_HANDLE, + _pSignature: CK_BYTE_PTR, + _pulSignatureLen: CK_ULONG_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_SignRecoverInit( + _hSession: CK_SESSION_HANDLE, + _pMechanism: CK_MECHANISM_PTR, + _hKey: CK_OBJECT_HANDLE, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_SignRecover( + _hSession: CK_SESSION_HANDLE, + _pData: CK_BYTE_PTR, + _ulDataLen: CK_ULONG, + _pSignature: CK_BYTE_PTR, + _pulSignatureLen: CK_ULONG_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_VerifyInit( + _hSession: CK_SESSION_HANDLE, + _pMechanism: CK_MECHANISM_PTR, + _hKey: CK_OBJECT_HANDLE, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_Verify( + _hSession: CK_SESSION_HANDLE, + _pData: CK_BYTE_PTR, + _ulDataLen: CK_ULONG, + _pSignature: CK_BYTE_PTR, + _ulSignatureLen: CK_ULONG, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_VerifyUpdate( + _hSession: CK_SESSION_HANDLE, + _pPart: CK_BYTE_PTR, + _ulPartLen: CK_ULONG, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_VerifyFinal( + _hSession: CK_SESSION_HANDLE, + _pSignature: CK_BYTE_PTR, + _ulSignatureLen: CK_ULONG, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_VerifyRecoverInit( + _hSession: CK_SESSION_HANDLE, + _pMechanism: CK_MECHANISM_PTR, + _hKey: CK_OBJECT_HANDLE, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_VerifyRecover( + _hSession: CK_SESSION_HANDLE, + _pSignature: CK_BYTE_PTR, + _ulSignatureLen: CK_ULONG, + _pData: CK_BYTE_PTR, + _pulDataLen: CK_ULONG_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_DigestEncryptUpdate( + _hSession: CK_SESSION_HANDLE, + _pPart: CK_BYTE_PTR, + _ulPartLen: CK_ULONG, + _pEncryptedPart: CK_BYTE_PTR, + _pulEncryptedPartLen: CK_ULONG_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_DecryptDigestUpdate( + _hSession: CK_SESSION_HANDLE, + _pEncryptedPart: CK_BYTE_PTR, + _ulEncryptedPartLen: CK_ULONG, + _pPart: CK_BYTE_PTR, + _pulPartLen: CK_ULONG_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_SignEncryptUpdate( + _hSession: CK_SESSION_HANDLE, + _pPart: CK_BYTE_PTR, + _ulPartLen: CK_ULONG, + _pEncryptedPart: CK_BYTE_PTR, + _pulEncryptedPartLen: CK_ULONG_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_DecryptVerifyUpdate( + _hSession: CK_SESSION_HANDLE, + _pEncryptedPart: CK_BYTE_PTR, + _ulEncryptedPartLen: CK_ULONG, + _pPart: CK_BYTE_PTR, + _pulPartLen: CK_ULONG_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_GenerateKey( + _hSession: CK_SESSION_HANDLE, + _pMechanism: CK_MECHANISM_PTR, + _pTemplate: CK_ATTRIBUTE_PTR, + _ulCount: CK_ULONG, + _phKey: CK_OBJECT_HANDLE_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_GenerateKeyPair( + _hSession: CK_SESSION_HANDLE, + _pMechanism: CK_MECHANISM_PTR, + _pPublicKeyTemplate: CK_ATTRIBUTE_PTR, + _ulPublicKeyAttributeCount: CK_ULONG, + _pPrivateKeyTemplate: CK_ATTRIBUTE_PTR, + _ulPrivateKeyAttributeCount: CK_ULONG, + _phPublicKey: CK_OBJECT_HANDLE_PTR, + _phPrivateKey: CK_OBJECT_HANDLE_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_WrapKey( + _hSession: CK_SESSION_HANDLE, + _pMechanism: CK_MECHANISM_PTR, + _hWrappingKey: CK_OBJECT_HANDLE, + _hKey: CK_OBJECT_HANDLE, + _pWrappedKey: CK_BYTE_PTR, + _pulWrappedKeyLen: CK_ULONG_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_UnwrapKey( + _hSession: CK_SESSION_HANDLE, + _pMechanism: CK_MECHANISM_PTR, + _hUnwrappingKey: CK_OBJECT_HANDLE, + _pWrappedKey: CK_BYTE_PTR, + _ulWrappedKeyLen: CK_ULONG, + _pTemplate: CK_ATTRIBUTE_PTR, + _ulAttributeCount: CK_ULONG, + _phKey: CK_OBJECT_HANDLE_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_DeriveKey( + _hSession: CK_SESSION_HANDLE, + _pMechanism: CK_MECHANISM_PTR, + _hBaseKey: CK_OBJECT_HANDLE, + _pTemplate: CK_ATTRIBUTE_PTR, + _ulAttributeCount: CK_ULONG, + _phKey: CK_OBJECT_HANDLE_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_SeedRandom( + _hSession: CK_SESSION_HANDLE, + _pSeed: CK_BYTE_PTR, + _ulSeedLen: CK_ULONG, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_GenerateRandom( + _hSession: CK_SESSION_HANDLE, + _RandomData: CK_BYTE_PTR, + _ulRandomLen: CK_ULONG, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_GetFunctionStatus(_hSession: CK_SESSION_HANDLE) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_CancelFunction(_hSession: CK_SESSION_HANDLE) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_WaitForSlotEvent( + _flags: CK_FLAGS, + _pSlot: CK_SLOT_ID_PTR, + _pRserved: CK_VOID_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +pub static FUNCTION_LIST: CK_FUNCTION_LIST = CK_FUNCTION_LIST { + version: CRYPTOKI_VERSION, + C_Initialize: Some(C_Initialize), + C_Finalize: Some(C_Finalize), + C_GetInfo: Some(C_GetInfo), + C_GetFunctionList: None, + C_GetSlotList: Some(C_GetSlotList), + C_GetSlotInfo: Some(C_GetSlotInfo), + C_GetTokenInfo: Some(C_GetTokenInfo), + C_GetMechanismList: Some(C_GetMechanismList), + C_GetMechanismInfo: Some(C_GetMechanismInfo), + C_InitToken: Some(C_InitToken), + C_InitPIN: Some(C_InitPIN), + C_SetPIN: Some(C_SetPIN), + C_OpenSession: Some(C_OpenSession), + C_CloseSession: Some(C_CloseSession), + C_CloseAllSessions: Some(C_CloseAllSessions), + C_GetSessionInfo: Some(C_GetSessionInfo), + C_GetOperationState: Some(C_GetOperationState), + C_SetOperationState: Some(C_SetOperationState), + C_Login: Some(C_Login), + C_Logout: Some(C_Logout), + C_CreateObject: Some(C_CreateObject), + C_CopyObject: Some(C_CopyObject), + C_DestroyObject: Some(C_DestroyObject), + C_GetObjectSize: Some(C_GetObjectSize), + C_GetAttributeValue: Some(C_GetAttributeValue), + C_SetAttributeValue: Some(C_SetAttributeValue), + C_FindObjectsInit: Some(C_FindObjectsInit), + C_FindObjects: Some(C_FindObjects), + C_FindObjectsFinal: Some(C_FindObjectsFinal), + C_EncryptInit: Some(C_EncryptInit), + C_Encrypt: Some(C_Encrypt), + C_EncryptUpdate: Some(C_EncryptUpdate), + C_EncryptFinal: Some(C_EncryptFinal), + C_DecryptInit: Some(C_DecryptInit), + C_Decrypt: Some(C_Decrypt), + C_DecryptUpdate: Some(C_DecryptUpdate), + C_DecryptFinal: Some(C_DecryptFinal), + C_DigestInit: Some(C_DigestInit), + C_Digest: Some(C_Digest), + C_DigestUpdate: Some(C_DigestUpdate), + C_DigestKey: Some(C_DigestKey), + C_DigestFinal: Some(C_DigestFinal), + C_SignInit: Some(C_SignInit), + C_Sign: Some(C_Sign), + C_SignUpdate: Some(C_SignUpdate), + C_SignFinal: Some(C_SignFinal), + C_SignRecoverInit: Some(C_SignRecoverInit), + C_SignRecover: Some(C_SignRecover), + C_VerifyInit: Some(C_VerifyInit), + C_Verify: Some(C_Verify), + C_VerifyUpdate: Some(C_VerifyUpdate), + C_VerifyFinal: Some(C_VerifyFinal), + C_VerifyRecoverInit: Some(C_VerifyRecoverInit), + C_VerifyRecover: Some(C_VerifyRecover), + C_DigestEncryptUpdate: Some(C_DigestEncryptUpdate), + C_DecryptDigestUpdate: Some(C_DecryptDigestUpdate), + C_SignEncryptUpdate: Some(C_SignEncryptUpdate), + C_DecryptVerifyUpdate: Some(C_DecryptVerifyUpdate), + C_GenerateKey: Some(C_GenerateKey), + C_GenerateKeyPair: Some(C_GenerateKeyPair), + C_WrapKey: Some(C_WrapKey), + C_UnwrapKey: Some(C_UnwrapKey), + C_DeriveKey: Some(C_DeriveKey), + C_SeedRandom: Some(C_SeedRandom), + C_GenerateRandom: Some(C_GenerateRandom), + C_GetFunctionStatus: Some(C_GetFunctionStatus), + C_CancelFunction: Some(C_CancelFunction), + C_WaitForSlotEvent: Some(C_WaitForSlotEvent), +}; + +#[no_mangle] +pub unsafe fn BUILTINSC_GetFunctionList(ppFunctionList: CK_FUNCTION_LIST_PTR_PTR) -> CK_RV { + if ppFunctionList.is_null() { + return CKR_ARGUMENTS_BAD; + } + // CK_FUNCTION_LIST_PTR is a *mut CK_FUNCTION_LIST, but as per the + // specification, the caller must treat it as *const CK_FUNCTION_LIST. + *ppFunctionList = std::ptr::addr_of!(FUNCTION_LIST) as CK_FUNCTION_LIST_PTR; + CKR_OK +} + +#[cfg(test)] +mod pkcs11_tests { + use crate::certdata::*; + use crate::internal::*; + use crate::pkcs11::*; + + #[test] + fn test_main() { + // We need to run tests serially because of C_Initialize / C_Finalize calls. + test_simple(); + test_c_get_function_list(); + test_c_get_attribute(); + } + + fn test_simple() { + let query = &[(CKA_CLASS, CKO_CERTIFICATE_BYTES)]; + initialize().expect("initialize should not fail."); + let hSession = open_session().expect("open_session should not fail."); + let count = find_objects_init(hSession, query).expect("find_objects_init should not fail."); + assert_eq!(count, BUILTINS.len()); + let mut results: [CK_OBJECT_HANDLE; 10] = [0; 10]; + let n_read = + find_objects(hSession, &mut results).expect("find_objects_init should not fail."); + assert_eq!(n_read, 10); + finalize().expect("finalize should not fail."); + } + + fn test_c_get_function_list() { + let c_null = 0 as *mut std::ffi::c_void; + let mut pFunctionList: CK_FUNCTION_LIST_PTR = c_null as CK_FUNCTION_LIST_PTR; + let rv = unsafe { crate::pkcs11::BUILTINSC_GetFunctionList(&mut pFunctionList) }; + assert_eq!(CKR_OK, rv); + if let Some(pC_Initialize) = unsafe { (*pFunctionList).C_Initialize } { + let rv = unsafe { pC_Initialize(c_null) }; + assert_eq!(CKR_OK, rv); + } else { + assert!(false); + } + + if let Some(pC_Finalize) = unsafe { (*pFunctionList).C_Finalize } { + let rv = unsafe { pC_Finalize(c_null) }; + assert_eq!(CKR_OK, rv); + } else { + assert!(false); + } + } + + fn test_c_get_attribute() { + let c_null = 0 as *mut std::ffi::c_void; + let template: &mut [CK_ATTRIBUTE] = &mut [CK_ATTRIBUTE { + type_: CKA_SUBJECT, + pValue: c_null, + ulValueLen: 0, + }]; + let template_ptr = &mut template[0] as CK_ATTRIBUTE_PTR; + let object: CK_OBJECT_HANDLE = 2; + let mut session: CK_SESSION_HANDLE = 0; + assert_eq!(CKR_OK, C_Initialize(c_null)); + assert_eq!( + CKR_OK, + C_OpenSession( + SLOT_ID_ROOTS, + CKF_SERIAL_SESSION, + c_null, + None, + &mut session as *mut CK_SESSION_HANDLE + ) + ); + assert_eq!( + CKR_OK, + C_GetAttributeValue(session, object, template_ptr, 1) + ); + let len = template[0].ulValueLen as usize; + assert_eq!(len, BUILTINS[0].der_name.len()); + + let value: &mut [u8] = &mut vec![0; 1]; + let value_ptr: *mut u8 = &mut value[0] as *mut u8; + template[0].pValue = value_ptr as *mut std::ffi::c_void; + template[0].ulValueLen = 1; + assert_eq!( + CKR_BUFFER_TOO_SMALL, + C_GetAttributeValue(session, object, template_ptr, 1) + ); + assert_eq!(template[0].ulValueLen, CK_UNAVAILABLE_INFORMATION); + + let value: &mut [u8] = &mut vec![0; len]; + let value_ptr: *mut u8 = &mut value[0] as *mut u8; + template[0].pValue = value_ptr as *mut std::ffi::c_void; + template[0].ulValueLen = len as CK_ULONG; + assert_eq!( + CKR_OK, + C_GetAttributeValue(session, object, template_ptr, 1) + ); + assert_eq!(value, BUILTINS[0].der_name); + assert_eq!(CKR_OK, C_Finalize(c_null)); + } +} diff --git a/security/manager/ssl/builtins/src/version.rs b/security/manager/ssl/builtins/src/version.rs new file mode 100644 index 0000000000..f4fc63711d --- /dev/null +++ b/security/manager/ssl/builtins/src/version.rs @@ -0,0 +1,6 @@ +/* -*- Mode: rust; rust-indent-offset: 4 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +include!(concat!(env!("OUT_DIR"), "/version.rs")); diff --git a/security/manager/ssl/cert_storage/Cargo.toml b/security/manager/ssl/cert_storage/Cargo.toml new file mode 100644 index 0000000000..5d505843f5 --- /dev/null +++ b/security/manager/ssl/cert_storage/Cargo.toml @@ -0,0 +1,24 @@ +[package] +name = "cert_storage" +version = "0.0.1" +authors = ["Dana Keeler <dkeeler@mozilla.com>", "Mark Goodwin <mgoodwin@mozilla.com"] +license = "MPL-2.0" + +[dependencies] +base64 = "0.21.0" +byteorder = "1.2.7" +crossbeam-utils = "0.8" +cstr = "0.2" +log = "0.4" +moz_task = { path = "../../../../xpcom/rust/moz_task" } +nserror = { path = "../../../../xpcom/rust/nserror" } +nsstring = { path = "../../../../xpcom/rust/nsstring" } +rkv = { version = "0.19", default-features = false } +rust_cascade = "1.4.0" +sha2 = "0.10.2" +storage_variant = { path = "../../../../storage/variant" } +tempfile = "3" +thin-vec = { version = "0.2.1", features = ["gecko-ffi"] } +time = "0.1" +xpcom = { path = "../../../../xpcom/rust/xpcom" } +wr_malloc_size_of = { path = "../../../../gfx/wr/wr_malloc_size_of" } diff --git a/security/manager/ssl/cert_storage/src/cert_storage.h b/security/manager/ssl/cert_storage/src/cert_storage.h new file mode 100644 index 0000000000..e420067b03 --- /dev/null +++ b/security/manager/ssl/cert_storage/src/cert_storage.h @@ -0,0 +1,24 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef _cert_storage_h_ +#define _cert_storage_h_ + +#include "nsISupportsUtils.h" // for nsresult, etc. + +// {16e5c837-f877-4e23-9c64-eddf905e30e6} +#define NS_CERT_STORAGE_CID \ + { \ + 0x16e5c837, 0xf877, 0x4e23, { \ + 0x9c, 0x64, 0xed, 0xdf, 0x90, 0x5e, 0x30, 0xe6 \ + } \ + } + +extern "C" { +nsresult cert_storage_constructor(REFNSIID iid, void** result); +}; + +#endif // _cert_storage_h_ diff --git a/security/manager/ssl/cert_storage/src/lib.rs b/security/manager/ssl/cert_storage/src/lib.rs new file mode 100644 index 0000000000..71c966fa4c --- /dev/null +++ b/security/manager/ssl/cert_storage/src/lib.rs @@ -0,0 +1,1807 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +extern crate base64; +extern crate byteorder; +extern crate crossbeam_utils; +#[macro_use] +extern crate cstr; +#[macro_use] +extern crate log; +extern crate moz_task; +extern crate nserror; +extern crate nsstring; +extern crate rkv; +extern crate rust_cascade; +extern crate sha2; +extern crate thin_vec; +extern crate time; +#[macro_use] +extern crate xpcom; +extern crate storage_variant; +extern crate tempfile; + +extern crate wr_malloc_size_of; +use wr_malloc_size_of as malloc_size_of; + +use base64::prelude::*; +use byteorder::{LittleEndian, NetworkEndian, ReadBytesExt, WriteBytesExt}; +use crossbeam_utils::atomic::AtomicCell; +use malloc_size_of::{MallocSizeOf, MallocSizeOfOps}; +use moz_task::{create_background_task_queue, is_main_thread, Task, TaskRunnable}; +use nserror::{ + nsresult, NS_ERROR_FAILURE, NS_ERROR_NOT_SAME_THREAD, NS_ERROR_NULL_POINTER, + NS_ERROR_UNEXPECTED, NS_OK, +}; +use nsstring::{nsACString, nsCStr, nsCString, nsString}; +use rkv::backend::{BackendEnvironmentBuilder, SafeMode, SafeModeDatabase, SafeModeEnvironment}; +use rkv::{StoreError, StoreOptions, Value}; +use rust_cascade::Cascade; +use sha2::{Digest, Sha256}; +use std::collections::{HashMap, HashSet}; +use std::ffi::CString; +use std::fmt::Display; +use std::fs::{create_dir_all, remove_file, File, OpenOptions}; +use std::io::{BufRead, BufReader, Read, Write}; +use std::mem::size_of; +use std::path::{Path, PathBuf}; +use std::str; +use std::sync::{Arc, RwLock}; +use std::time::{SystemTime, UNIX_EPOCH}; +use storage_variant::VariantType; +use thin_vec::ThinVec; +use xpcom::interfaces::{ + nsICRLiteCoverage, nsICRLiteTimestamp, nsICertInfo, nsICertStorage, nsICertStorageCallback, + nsIFile, nsIHandleReportCallback, nsIIssuerAndSerialRevocationState, nsIMemoryReporter, + nsIMemoryReporterManager, nsIProperties, nsIRevocationState, nsISerialEventTarget, + nsISubjectAndPubKeyRevocationState, nsISupports, +}; +use xpcom::{nsIID, GetterAddrefs, RefPtr, ThreadBoundRefPtr, XpCom}; + +const PREFIX_REV_IS: &str = "is"; +const PREFIX_REV_SPK: &str = "spk"; +const PREFIX_SUBJECT: &str = "subject"; +const PREFIX_CERT: &str = "cert"; +const PREFIX_DATA_TYPE: &str = "datatype"; + +const LAST_CRLITE_UPDATE_KEY: &str = "last_crlite_update"; + +const COVERAGE_SERIALIZATION_VERSION: u8 = 1; +const COVERAGE_V1_ENTRY_BYTES: usize = 48; + +const ENROLLMENT_SERIALIZATION_VERSION: u8 = 1; +const ENROLLMENT_V1_ENTRY_BYTES: usize = 32; + +type Rkv = rkv::Rkv<SafeModeEnvironment>; +type SingleStore = rkv::SingleStore<SafeModeDatabase>; + +macro_rules! make_key { + ( $prefix:expr, $( $part:expr ),+ ) => { + { + let mut key = $prefix.as_bytes().to_owned(); + $( key.extend_from_slice($part); )+ + key + } + } +} + +#[allow(non_camel_case_types, non_snake_case)] + +/// `SecurityStateError` is a type to represent errors in accessing or +/// modifying security state. +#[derive(Debug)] +struct SecurityStateError { + message: String, +} + +impl<T: Display> From<T> for SecurityStateError { + /// Creates a new instance of `SecurityStateError` from something that + /// implements the `Display` trait. + fn from(err: T) -> SecurityStateError { + SecurityStateError { + message: format!("{}", err), + } + } +} + +struct EnvAndStore { + env: Rkv, + store: SingleStore, +} + +impl MallocSizeOf for EnvAndStore { + fn size_of(&self, _ops: &mut MallocSizeOfOps) -> usize { + self.env + .read() + .and_then(|reader| { + let iter = self.store.iter_start(&reader)?.into_iter(); + Ok(iter + .map(|r| { + r.map(|(k, v)| k.len() + v.serialized_size().unwrap_or(0) as usize) + .unwrap_or(0) + }) + .sum()) + }) + .unwrap_or(0) + } +} + +/// `SecurityState` +struct SecurityState { + profile_path: PathBuf, + env_and_store: Option<EnvAndStore>, + crlite_filter: Option<Cascade>, + /// Maps issuer spki hashes to sets of serial numbers. + crlite_stash: Option<HashMap<Vec<u8>, HashSet<Vec<u8>>>>, + /// Maps an RFC 6962 LogID to a pair of 64 bit unix timestamps + crlite_coverage: Option<HashMap<Vec<u8>, (u64, u64)>>, + /// Set of `SHA256(subject || spki)` values for enrolled issuers + crlite_enrollment: Option<HashSet<Vec<u8>>>, + /// Tracks the number of asynchronous operations which have been dispatched but not completed. + remaining_ops: i32, +} + +impl SecurityState { + pub fn new(profile_path: PathBuf) -> SecurityState { + // Since this gets called on the main thread, we don't actually want to open the DB yet. + // We do this on-demand later, when we're probably on a certificate verification thread. + SecurityState { + profile_path, + env_and_store: None, + crlite_filter: None, + crlite_stash: None, + crlite_coverage: None, + crlite_enrollment: None, + remaining_ops: 0, + } + } + + pub fn db_needs_opening(&self) -> bool { + self.env_and_store.is_none() + } + + pub fn open_db(&mut self) -> Result<(), SecurityStateError> { + if self.env_and_store.is_some() { + return Ok(()); + } + + let store_path = get_store_path(&self.profile_path)?; + + // Open the store in read-write mode to create it (if needed) and migrate data from the old + // store (if any). + // If opening initially fails, try to remove and recreate the database. Consumers will + // repopulate the database as necessary if this happens (see bug 1546361). + let env = make_env(store_path.as_path()).or_else(|_| { + remove_db(store_path.as_path())?; + make_env(store_path.as_path()) + })?; + let store = env.open_single("cert_storage", StoreOptions::create())?; + + // if the profile has a revocations.txt, migrate it and remove the file + let mut revocations_path = self.profile_path.clone(); + revocations_path.push("revocations.txt"); + if revocations_path.exists() { + SecurityState::migrate(&revocations_path, &env, &store)?; + remove_file(revocations_path)?; + } + + // We already returned early if env_and_store was Some, so this should take the None branch. + match self.env_and_store.replace(EnvAndStore { env, store }) { + Some(_) => Err(SecurityStateError::from( + "env and store already initialized? (did we mess up our threading model?)", + )), + None => Ok(()), + }?; + self.load_crlite_filter()?; + Ok(()) + } + + fn migrate( + revocations_path: &PathBuf, + env: &Rkv, + store: &SingleStore, + ) -> Result<(), SecurityStateError> { + let f = File::open(revocations_path)?; + let file = BufReader::new(f); + let value = Value::I64(nsICertStorage::STATE_ENFORCE as i64); + let mut writer = env.write()?; + + // Add the data from revocations.txt + let mut dn: Option<Vec<u8>> = None; + for line in file.lines() { + let l = match line.map_err(|_| SecurityStateError::from("io error reading line data")) { + Ok(data) => data, + Err(e) => return Err(e), + }; + if l.len() == 0 || l.starts_with("#") { + continue; + } + let leading_char = match l.chars().next() { + Some(c) => c, + None => { + return Err(SecurityStateError::from( + "couldn't get char from non-empty str?", + )); + } + }; + // In future, we can maybe log migration failures. For now, ignore decoding and storage + // errors and attempt to continue. + // Check if we have a new DN + if leading_char != '\t' && leading_char != ' ' { + if let Ok(decoded_dn) = BASE64_STANDARD.decode(&l) { + dn = Some(decoded_dn); + } + continue; + } + let l_sans_prefix = match BASE64_STANDARD.decode(&l[1..]) { + Ok(decoded) => decoded, + Err(_) => continue, + }; + if let Some(name) = &dn { + if leading_char == '\t' { + let _ = store.put( + &mut writer, + &make_key!(PREFIX_REV_SPK, name, &l_sans_prefix), + &value, + ); + } else { + let _ = store.put( + &mut writer, + &make_key!(PREFIX_REV_IS, name, &l_sans_prefix), + &value, + ); + } + } + } + + writer.commit()?; + Ok(()) + } + + fn read_entry(&self, key: &[u8]) -> Result<Option<i16>, SecurityStateError> { + let env_and_store = match self.env_and_store.as_ref() { + Some(env_and_store) => env_and_store, + None => return Err(SecurityStateError::from("env and store not initialized?")), + }; + let reader = env_and_store.env.read()?; + match env_and_store.store.get(&reader, key) { + Ok(Some(Value::I64(i))) + if i <= (std::i16::MAX as i64) && i >= (std::i16::MIN as i64) => + { + Ok(Some(i as i16)) + } + Ok(None) => Ok(None), + Ok(_) => Err(SecurityStateError::from( + "Unexpected type when trying to get a Value::I64", + )), + Err(_) => Err(SecurityStateError::from( + "There was a problem getting the value", + )), + } + } + + pub fn get_has_prior_data(&self, data_type: u8) -> Result<bool, SecurityStateError> { + if data_type == nsICertStorage::DATA_TYPE_CRLITE_FILTER_FULL { + return Ok(self.crlite_filter.is_some() + && self.crlite_coverage.is_some() + && self.crlite_enrollment.is_some()); + } + if data_type == nsICertStorage::DATA_TYPE_CRLITE_FILTER_INCREMENTAL { + return Ok(self.crlite_stash.is_some()); + } + + let env_and_store = match self.env_and_store.as_ref() { + Some(env_and_store) => env_and_store, + None => return Err(SecurityStateError::from("env and store not initialized?")), + }; + let reader = env_and_store.env.read()?; + match env_and_store + .store + .get(&reader, &make_key!(PREFIX_DATA_TYPE, &[data_type])) + { + Ok(Some(Value::Bool(true))) => Ok(true), + Ok(None) => Ok(false), + Ok(_) => Err(SecurityStateError::from( + "Unexpected type when trying to get a Value::Bool", + )), + Err(_) => Err(SecurityStateError::from( + "There was a problem getting the value", + )), + } + } + + pub fn set_batch_state( + &mut self, + entries: &[EncodedSecurityState], + typ: u8, + ) -> Result<(), SecurityStateError> { + let env_and_store = match self.env_and_store.as_mut() { + Some(env_and_store) => env_and_store, + None => return Err(SecurityStateError::from("env and store not initialized?")), + }; + let mut writer = env_and_store.env.write()?; + // Make a note that we have prior data of the given type now. + env_and_store.store.put( + &mut writer, + &make_key!(PREFIX_DATA_TYPE, &[typ]), + &Value::Bool(true), + )?; + + for entry in entries { + let key = match entry.key() { + Ok(key) => key, + Err(e) => { + warn!("error base64-decoding key parts - ignoring: {}", e.message); + continue; + } + }; + env_and_store + .store + .put(&mut writer, &key, &Value::I64(entry.state() as i64))?; + } + + writer.commit()?; + Ok(()) + } + + pub fn get_revocation_state( + &self, + issuer: &[u8], + serial: &[u8], + subject: &[u8], + pub_key: &[u8], + ) -> Result<i16, SecurityStateError> { + let mut digest = Sha256::default(); + digest.update(pub_key); + let pub_key_hash = digest.finalize(); + + let subject_pubkey = make_key!(PREFIX_REV_SPK, subject, &pub_key_hash); + let issuer_serial = make_key!(PREFIX_REV_IS, issuer, serial); + + let st: i16 = match self.read_entry(&issuer_serial) { + Ok(Some(value)) => value, + Ok(None) => nsICertStorage::STATE_UNSET, + Err(_) => { + return Err(SecurityStateError::from( + "problem reading revocation state (from issuer / serial)", + )); + } + }; + + if st != nsICertStorage::STATE_UNSET { + return Ok(st); + } + + match self.read_entry(&subject_pubkey) { + Ok(Some(value)) => Ok(value), + Ok(None) => Ok(nsICertStorage::STATE_UNSET), + Err(_) => { + return Err(SecurityStateError::from( + "problem reading revocation state (from subject / pubkey)", + )); + } + } + } + + fn issuer_is_enrolled(&self, subject: &[u8], pub_key: &[u8]) -> bool { + if let Some(crlite_enrollment) = self.crlite_enrollment.as_ref() { + let mut digest = Sha256::default(); + digest.update(subject); + digest.update(pub_key); + let issuer_id = digest.finalize(); + return crlite_enrollment.contains(&issuer_id.to_vec()); + } + return false; + } + + fn filter_covers_some_timestamp(&self, timestamps: &[CRLiteTimestamp]) -> bool { + if let Some(crlite_coverage) = self.crlite_coverage.as_ref() { + for entry in timestamps { + if let Some(&(low, high)) = crlite_coverage.get(entry.log_id.as_ref()) { + if low <= entry.timestamp && entry.timestamp <= high { + return true; + } + } + } + } + return false; + } + + fn note_crlite_update_time(&mut self) -> Result<(), SecurityStateError> { + let seconds_since_epoch = Value::U64( + SystemTime::now() + .duration_since(UNIX_EPOCH) + .map_err(|_| SecurityStateError::from("could not get current time"))? + .as_secs(), + ); + let env_and_store = match self.env_and_store.as_mut() { + Some(env_and_store) => env_and_store, + None => return Err(SecurityStateError::from("env and store not initialized?")), + }; + let mut writer = env_and_store.env.write()?; + env_and_store + .store + .put(&mut writer, LAST_CRLITE_UPDATE_KEY, &seconds_since_epoch) + .map_err(|_| SecurityStateError::from("could not store timestamp"))?; + writer.commit()?; + Ok(()) + } + + fn is_crlite_fresh(&self) -> bool { + let now = match SystemTime::now().duration_since(UNIX_EPOCH) { + Ok(t) => t.as_secs(), + _ => return false, + }; + let env_and_store = match self.env_and_store.as_ref() { + Some(env_and_store) => env_and_store, + None => return false, + }; + let reader = match env_and_store.env.read() { + Ok(reader) => reader, + _ => return false, + }; + match env_and_store.store.get(&reader, LAST_CRLITE_UPDATE_KEY) { + Ok(Some(Value::U64(last_update))) if last_update < u64::MAX / 2 => { + now < last_update + 60 * 60 * 24 * 10 + } + _ => false, + } + } + + pub fn set_full_crlite_filter( + &mut self, + filter: Vec<u8>, + enrolled_issuers: Vec<nsCString>, + coverage_entries: &[(nsCString, u64, u64)], + ) -> Result<(), SecurityStateError> { + // First drop any existing crlite filter and clear the accumulated stash. + { + let _ = self.crlite_filter.take(); + let _ = self.crlite_stash.take(); + let _ = self.crlite_coverage.take(); + let _ = self.crlite_enrollment.take(); + let mut path = get_store_path(&self.profile_path)?; + path.push("crlite.stash"); + // Truncate the stash file if it exists. + if path.exists() { + File::create(path).map_err(|e| { + SecurityStateError::from(format!("couldn't truncate stash file: {}", e)) + })?; + } + } + // Write the new full filter. + let mut path = get_store_path(&self.profile_path)?; + path.push("crlite.filter"); + { + let mut filter_file = File::create(&path)?; + filter_file.write_all(&filter)?; + } + + // Serialize the coverage metadata as a 1 byte version number followed by any number of 48 + // byte entries. Each entry is a 32 byte (opaque) log id, followed by two 8 byte + // timestamps. Each timestamp is an 8 byte unsigned integer in little endian. + let mut coverage_bytes = + Vec::with_capacity(size_of::<u8>() + coverage_entries.len() * COVERAGE_V1_ENTRY_BYTES); + coverage_bytes.push(COVERAGE_SERIALIZATION_VERSION); + for (b64_log_id, min_t, max_t) in coverage_entries { + let log_id = match BASE64_STANDARD.decode(&b64_log_id) { + Ok(log_id) if log_id.len() == 32 => log_id, + _ => { + warn!("malformed log ID - skipping: {}", b64_log_id); + continue; + } + }; + coverage_bytes.extend_from_slice(&log_id); + coverage_bytes.extend_from_slice(&min_t.to_le_bytes()); + coverage_bytes.extend_from_slice(&max_t.to_le_bytes()); + } + // Write the coverage file for the new filter + let mut path = get_store_path(&self.profile_path)?; + path.push("crlite.coverage"); + { + let mut coverage_file = File::create(&path)?; + coverage_file.write_all(&coverage_bytes)?; + } + + // Serialize the enrollment list as a 1 byte version number followed by: + // Version 1: any number of 32 byte values of the form `SHA256(subject || spki)`. + let mut enrollment_bytes = Vec::with_capacity( + size_of::<u8>() + enrolled_issuers.len() * ENROLLMENT_V1_ENTRY_BYTES, + ); + enrollment_bytes.push(ENROLLMENT_SERIALIZATION_VERSION); + for b64_issuer_id in enrolled_issuers { + let issuer_id = match BASE64_STANDARD.decode(&b64_issuer_id) { + Ok(issuer_id) if issuer_id.len() == 32 => issuer_id, + _ => { + warn!("malformed issuer ID - skipping: {}", b64_issuer_id); + continue; + } + }; + enrollment_bytes.extend_from_slice(&issuer_id); + } + // Write the enrollment file for the new filter + let mut path = get_store_path(&self.profile_path)?; + path.push("crlite.enrollment"); + { + let mut enrollment_file = File::create(&path)?; + enrollment_file.write_all(&enrollment_bytes)?; + } + + self.note_crlite_update_time()?; + self.load_crlite_filter()?; + Ok(()) + } + + fn load_crlite_filter(&mut self) -> Result<(), SecurityStateError> { + if self.crlite_filter.is_some() || self.crlite_coverage.is_some() { + return Err(SecurityStateError::from( + "Both crlite_filter and crlite_coverage should be None here", + )); + } + + let mut path = get_store_path(&self.profile_path)?; + path.push("crlite.filter"); + // Before we've downloaded any filters, this file won't exist. + if !path.exists() { + return Ok(()); + } + let mut filter_file = File::open(path)?; + let mut filter_bytes = Vec::new(); + let _ = filter_file.read_to_end(&mut filter_bytes)?; + let crlite_filter = Cascade::from_bytes(filter_bytes) + .map_err(|_| SecurityStateError::from("invalid CRLite filter"))? + .ok_or(SecurityStateError::from("expecting non-empty filter"))?; + + let mut path = get_store_path(&self.profile_path)?; + path.push("crlite.coverage"); + if !path.exists() { + return Ok(()); + } + + // Deserialize the coverage metadata. + // The format is described in `set_full_crlite_filter`. + let coverage_file = File::open(path)?; + let coverage_file_len = coverage_file.metadata()?.len() as usize; + let mut coverage_reader = BufReader::new(coverage_file); + match coverage_reader.read_u8() { + Ok(COVERAGE_SERIALIZATION_VERSION) => (), + _ => return Err(SecurityStateError::from("unknown CRLite coverage version")), + } + if (coverage_file_len - 1) % COVERAGE_V1_ENTRY_BYTES != 0 { + return Err(SecurityStateError::from("truncated CRLite coverage file")); + } + let coverage_count = (coverage_file_len - 1) / COVERAGE_V1_ENTRY_BYTES; + let mut crlite_coverage: HashMap<Vec<u8>, (u64, u64)> = HashMap::new(); + for _ in 0..coverage_count { + let mut coverage_entry = [0u8; COVERAGE_V1_ENTRY_BYTES]; + match coverage_reader.read_exact(&mut coverage_entry) { + Ok(()) => (), + _ => return Err(SecurityStateError::from("truncated CRLite coverage file")), + }; + let log_id = &coverage_entry[0..32]; + let min_timestamp: u64; + let max_timestamp: u64; + match (&coverage_entry[32..40]).read_u64::<LittleEndian>() { + Ok(value) => min_timestamp = value, + _ => return Err(SecurityStateError::from("truncated CRLite coverage file")), + } + match (&coverage_entry[40..48]).read_u64::<LittleEndian>() { + Ok(value) => max_timestamp = value, + _ => return Err(SecurityStateError::from("truncated CRLite coverage file")), + } + crlite_coverage.insert(log_id.to_vec(), (min_timestamp, max_timestamp)); + } + + let mut path = get_store_path(&self.profile_path)?; + path.push("crlite.enrollment"); + if !path.exists() { + return Ok(()); + } + + // Deserialize the enrollment metadata. + // The format is described in `set_full_crlite_filter`. + let enrollment_file = File::open(path)?; + let enrollment_file_len = enrollment_file.metadata()?.len() as usize; + let mut enrollment_reader = BufReader::new(enrollment_file); + match enrollment_reader.read_u8() { + Ok(ENROLLMENT_SERIALIZATION_VERSION) => (), + _ => { + return Err(SecurityStateError::from( + "unknown CRLite enrollment version", + )) + } + } + if (enrollment_file_len - 1) % ENROLLMENT_V1_ENTRY_BYTES != 0 { + return Err(SecurityStateError::from("truncated CRLite enrollment file")); + } + let enrollment_count = (enrollment_file_len - 1) / ENROLLMENT_V1_ENTRY_BYTES; + let mut crlite_enrollment: HashSet<Vec<u8>> = HashSet::new(); + for _ in 0..enrollment_count { + let mut enrollment_entry = [0u8; ENROLLMENT_V1_ENTRY_BYTES]; + match enrollment_reader.read_exact(&mut enrollment_entry) { + Ok(()) => (), + _ => return Err(SecurityStateError::from("truncated CRLite enrollment file")), + }; + let issuer_id = &enrollment_entry[..]; + crlite_enrollment.insert(issuer_id.to_vec()); + } + + let old_crlite_filter_should_be_none = self.crlite_filter.replace(crlite_filter); + assert!(old_crlite_filter_should_be_none.is_none()); + let old_crlite_coverage_should_be_none = self.crlite_coverage.replace(crlite_coverage); + assert!(old_crlite_coverage_should_be_none.is_none()); + let old_crlite_enrollment_should_be_none = + self.crlite_enrollment.replace(crlite_enrollment); + assert!(old_crlite_enrollment_should_be_none.is_none()); + Ok(()) + } + + pub fn add_crlite_stash(&mut self, stash: Vec<u8>) -> Result<(), SecurityStateError> { + // Append the update to the previously-seen stashes. + let mut path = get_store_path(&self.profile_path)?; + path.push("crlite.stash"); + let mut stash_file = OpenOptions::new().append(true).create(true).open(path)?; + stash_file.write_all(&stash)?; + let crlite_stash = self.crlite_stash.get_or_insert(HashMap::new()); + load_crlite_stash_from_reader_into_map(&mut stash.as_slice(), crlite_stash)?; + self.note_crlite_update_time()?; + Ok(()) + } + + pub fn is_cert_revoked_by_stash( + &self, + issuer_spki: &[u8], + serial: &[u8], + ) -> Result<bool, SecurityStateError> { + let crlite_stash = match self.crlite_stash.as_ref() { + Some(crlite_stash) => crlite_stash, + None => return Ok(false), + }; + let mut digest = Sha256::default(); + digest.update(issuer_spki); + let lookup_key = digest.finalize().to_vec(); + let serials = match crlite_stash.get(&lookup_key) { + Some(serials) => serials, + None => return Ok(false), + }; + Ok(serials.contains(&serial.to_vec())) + } + + pub fn get_crlite_revocation_state( + &self, + issuer: &[u8], + issuer_spki: &[u8], + serial_number: &[u8], + timestamps: &[CRLiteTimestamp], + ) -> i16 { + if !self.is_crlite_fresh() { + return nsICertStorage::STATE_NO_FILTER; + } + if !self.issuer_is_enrolled(issuer, issuer_spki) { + return nsICertStorage::STATE_NOT_ENROLLED; + } + if !self.filter_covers_some_timestamp(timestamps) { + return nsICertStorage::STATE_NOT_COVERED; + } + let mut digest = Sha256::default(); + digest.update(issuer_spki); + let mut lookup_key = digest.finalize().to_vec(); + lookup_key.extend_from_slice(serial_number); + debug!("CRLite lookup key: {:?}", lookup_key); + let result = match &self.crlite_filter { + Some(crlite_filter) => crlite_filter.has(lookup_key), + // This can only happen if the backing file was deleted or if it or our database has + // become corrupted. In any case, we have no information. + None => return nsICertStorage::STATE_NO_FILTER, + }; + match result { + true => nsICertStorage::STATE_ENFORCE, + false => nsICertStorage::STATE_UNSET, + } + } + + // To store certificates, we create a Cert out of each given cert, subject, and trust tuple. We + // hash each certificate with sha-256 to obtain a unique* key for that certificate, and we store + // the Cert in the database. We also look up or create a CertHashList for the given subject and + // add the new certificate's hash if it isn't present in the list. If it wasn't present, we + // write out the updated CertHashList. + // *By the pigeon-hole principle, there exist collisions for sha-256, so this key is not + // actually unique. We rely on the assumption that sha-256 is a cryptographically strong hash. + // If an adversary can find two different certificates with the same sha-256 hash, they can + // probably forge a sha-256-based signature, so assuming the keys we create here are unique is + // not a security issue. + pub fn add_certs( + &mut self, + certs: &[(nsCString, nsCString, i16)], + ) -> Result<(), SecurityStateError> { + let env_and_store = match self.env_and_store.as_mut() { + Some(env_and_store) => env_and_store, + None => return Err(SecurityStateError::from("env and store not initialized?")), + }; + let mut writer = env_and_store.env.write()?; + // Make a note that we have prior cert data now. + env_and_store.store.put( + &mut writer, + &make_key!(PREFIX_DATA_TYPE, &[nsICertStorage::DATA_TYPE_CERTIFICATE]), + &Value::Bool(true), + )?; + + for (cert_der_base64, subject_base64, trust) in certs { + let cert_der = match BASE64_STANDARD.decode(&cert_der_base64) { + Ok(cert_der) => cert_der, + Err(e) => { + warn!("error base64-decoding cert - skipping: {}", e); + continue; + } + }; + let subject = match BASE64_STANDARD.decode(&subject_base64) { + Ok(subject) => subject, + Err(e) => { + warn!("error base64-decoding subject - skipping: {}", e); + continue; + } + }; + let mut digest = Sha256::default(); + digest.update(&cert_der); + let cert_hash = digest.finalize(); + let cert_key = make_key!(PREFIX_CERT, &cert_hash); + let cert = Cert::new(&cert_der, &subject, *trust)?; + env_and_store + .store + .put(&mut writer, &cert_key, &Value::Blob(&cert.to_bytes()?))?; + let subject_key = make_key!(PREFIX_SUBJECT, &subject); + let empty_vec = Vec::new(); + let old_cert_hash_list = match env_and_store.store.get(&writer, &subject_key)? { + Some(Value::Blob(hashes)) => hashes.to_owned(), + Some(_) => empty_vec, + None => empty_vec, + }; + let new_cert_hash_list = CertHashList::add(&old_cert_hash_list, &cert_hash)?; + if new_cert_hash_list.len() != old_cert_hash_list.len() { + env_and_store.store.put( + &mut writer, + &subject_key, + &Value::Blob(&new_cert_hash_list), + )?; + } + } + + writer.commit()?; + Ok(()) + } + + // Given a list of certificate sha-256 hashes, we can look up each Cert entry in the database. + // We use this to find the corresponding subject so we can look up the CertHashList it should + // appear in. If that list contains the given hash, we remove it and update the CertHashList. + // Finally we delete the Cert entry. + pub fn remove_certs_by_hashes( + &mut self, + hashes_base64: &[nsCString], + ) -> Result<(), SecurityStateError> { + let env_and_store = match self.env_and_store.as_mut() { + Some(env_and_store) => env_and_store, + None => return Err(SecurityStateError::from("env and store not initialized?")), + }; + let mut writer = env_and_store.env.write()?; + let reader = env_and_store.env.read()?; + + for hash in hashes_base64 { + let hash = match BASE64_STANDARD.decode(&hash) { + Ok(hash) => hash, + Err(e) => { + warn!("error decoding hash - ignoring: {}", e); + continue; + } + }; + let cert_key = make_key!(PREFIX_CERT, &hash); + if let Some(Value::Blob(cert_bytes)) = env_and_store.store.get(&reader, &cert_key)? { + if let Ok(cert) = Cert::from_bytes(cert_bytes) { + let subject_key = make_key!(PREFIX_SUBJECT, &cert.subject); + let empty_vec = Vec::new(); + // We have to use the writer here to make sure we have an up-to-date view of + // the cert hash list. + let old_cert_hash_list = match env_and_store.store.get(&writer, &subject_key)? { + Some(Value::Blob(hashes)) => hashes.to_owned(), + Some(_) => empty_vec, + None => empty_vec, + }; + let new_cert_hash_list = CertHashList::remove(&old_cert_hash_list, &hash)?; + if new_cert_hash_list.len() != old_cert_hash_list.len() { + env_and_store.store.put( + &mut writer, + &subject_key, + &Value::Blob(&new_cert_hash_list), + )?; + } + } + } + match env_and_store.store.delete(&mut writer, &cert_key) { + Ok(()) => {} + Err(StoreError::KeyValuePairNotFound) => {} + Err(e) => return Err(SecurityStateError::from(e)), + }; + } + writer.commit()?; + Ok(()) + } + + // Given a certificate's subject, we look up the corresponding CertHashList. In theory, each + // hash in that list corresponds to a certificate with the given subject, so we look up each of + // these (assuming the database is consistent and contains them) and add them to the given list. + // If we encounter an inconsistency, we continue looking as best we can. + pub fn find_certs_by_subject( + &self, + subject: &[u8], + certs: &mut ThinVec<ThinVec<u8>>, + ) -> Result<(), SecurityStateError> { + let env_and_store = match self.env_and_store.as_ref() { + Some(env_and_store) => env_and_store, + None => return Err(SecurityStateError::from("env and store not initialized?")), + }; + let reader = env_and_store.env.read()?; + certs.clear(); + let subject_key = make_key!(PREFIX_SUBJECT, subject); + let empty_vec = Vec::new(); + let cert_hash_list_bytes = match env_and_store.store.get(&reader, &subject_key)? { + Some(Value::Blob(hashes)) => hashes, + Some(_) => &empty_vec, + None => &empty_vec, + }; + let cert_hash_list = CertHashList::new(cert_hash_list_bytes)?; + for cert_hash in cert_hash_list.into_iter() { + let cert_key = make_key!(PREFIX_CERT, cert_hash); + // If there's some inconsistency, we don't want to fail the whole operation - just go + // for best effort and find as many certificates as we can. + if let Some(Value::Blob(cert_bytes)) = env_and_store.store.get(&reader, &cert_key)? { + if let Ok(cert) = Cert::from_bytes(cert_bytes) { + let mut thin_vec_cert = ThinVec::with_capacity(cert.der.len()); + thin_vec_cert.extend_from_slice(&cert.der); + certs.push(thin_vec_cert); + } + } + } + Ok(()) + } +} + +impl MallocSizeOf for SecurityState { + fn size_of(&self, ops: &mut MallocSizeOfOps) -> usize { + self.profile_path.size_of(ops) + + self.env_and_store.size_of(ops) + + self + .crlite_filter + .as_ref() + .map_or(0, |crlite_filter| crlite_filter.approximate_size_of()) + + self.crlite_stash.size_of(ops) + + self.crlite_coverage.size_of(ops) + + self.remaining_ops.size_of(ops) + } +} + +const CERT_SERIALIZATION_VERSION_1: u8 = 1; + +// A Cert consists of its DER encoding, its DER-encoded subject, and its trust (currently +// nsICertStorage::TRUST_INHERIT, but in the future nsICertStorage::TRUST_ANCHOR may also be used). +// The length of each encoding must be representable by a u16 (so 65535 bytes is the longest a +// certificate can be). +struct Cert<'a> { + der: &'a [u8], + subject: &'a [u8], + trust: i16, +} + +impl<'a> Cert<'a> { + fn new(der: &'a [u8], subject: &'a [u8], trust: i16) -> Result<Cert<'a>, SecurityStateError> { + if der.len() > u16::max as usize { + return Err(SecurityStateError::from("certificate is too long")); + } + if subject.len() > u16::max as usize { + return Err(SecurityStateError::from("subject is too long")); + } + Ok(Cert { + der, + subject, + trust, + }) + } + + fn from_bytes(encoded: &'a [u8]) -> Result<Cert<'a>, SecurityStateError> { + if encoded.len() < size_of::<u8>() { + return Err(SecurityStateError::from("invalid Cert: no version?")); + } + let (mut version, rest) = encoded.split_at(size_of::<u8>()); + let version = version.read_u8()?; + if version != CERT_SERIALIZATION_VERSION_1 { + return Err(SecurityStateError::from("invalid Cert: unexpected version")); + } + + if rest.len() < size_of::<u16>() { + return Err(SecurityStateError::from("invalid Cert: no der len?")); + } + let (mut der_len, rest) = rest.split_at(size_of::<u16>()); + let der_len = der_len.read_u16::<NetworkEndian>()? as usize; + if rest.len() < der_len { + return Err(SecurityStateError::from("invalid Cert: no der?")); + } + let (der, rest) = rest.split_at(der_len); + + if rest.len() < size_of::<u16>() { + return Err(SecurityStateError::from("invalid Cert: no subject len?")); + } + let (mut subject_len, rest) = rest.split_at(size_of::<u16>()); + let subject_len = subject_len.read_u16::<NetworkEndian>()? as usize; + if rest.len() < subject_len { + return Err(SecurityStateError::from("invalid Cert: no subject?")); + } + let (subject, mut rest) = rest.split_at(subject_len); + + if rest.len() < size_of::<i16>() { + return Err(SecurityStateError::from("invalid Cert: no trust?")); + } + let trust = rest.read_i16::<NetworkEndian>()?; + if rest.len() > 0 { + return Err(SecurityStateError::from("invalid Cert: trailing data?")); + } + + Ok(Cert { + der, + subject, + trust, + }) + } + + fn to_bytes(&self) -> Result<Vec<u8>, SecurityStateError> { + let mut bytes = Vec::with_capacity( + size_of::<u8>() + + size_of::<u16>() + + self.der.len() + + size_of::<u16>() + + self.subject.len() + + size_of::<i16>(), + ); + bytes.write_u8(CERT_SERIALIZATION_VERSION_1)?; + if self.der.len() > u16::max as usize { + return Err(SecurityStateError::from("certificate is too long")); + } + bytes.write_u16::<NetworkEndian>(self.der.len() as u16)?; + bytes.extend_from_slice(&self.der); + if self.subject.len() > u16::max as usize { + return Err(SecurityStateError::from("subject is too long")); + } + bytes.write_u16::<NetworkEndian>(self.subject.len() as u16)?; + bytes.extend_from_slice(&self.subject); + bytes.write_i16::<NetworkEndian>(self.trust)?; + Ok(bytes) + } +} + +// A CertHashList is a list of sha-256 hashes of DER-encoded certificates. +struct CertHashList<'a> { + hashes: Vec<&'a [u8]>, +} + +impl<'a> CertHashList<'a> { + fn new(hashes_bytes: &'a [u8]) -> Result<CertHashList<'a>, SecurityStateError> { + if hashes_bytes.len() % Sha256::output_size() != 0 { + return Err(SecurityStateError::from( + "unexpected length for cert hash list", + )); + } + let mut hashes = Vec::with_capacity(hashes_bytes.len() / Sha256::output_size()); + for hash in hashes_bytes.chunks_exact(Sha256::output_size()) { + hashes.push(hash); + } + Ok(CertHashList { hashes }) + } + + fn add(hashes_bytes: &[u8], new_hash: &[u8]) -> Result<Vec<u8>, SecurityStateError> { + if hashes_bytes.len() % Sha256::output_size() != 0 { + return Err(SecurityStateError::from( + "unexpected length for cert hash list", + )); + } + if new_hash.len() != Sha256::output_size() { + return Err(SecurityStateError::from("unexpected cert hash length")); + } + for hash in hashes_bytes.chunks_exact(Sha256::output_size()) { + if hash == new_hash { + return Ok(hashes_bytes.to_owned()); + } + } + let mut combined = hashes_bytes.to_owned(); + combined.extend_from_slice(new_hash); + Ok(combined) + } + + fn remove(hashes_bytes: &[u8], cert_hash: &[u8]) -> Result<Vec<u8>, SecurityStateError> { + if hashes_bytes.len() % Sha256::output_size() != 0 { + return Err(SecurityStateError::from( + "unexpected length for cert hash list", + )); + } + if cert_hash.len() != Sha256::output_size() { + return Err(SecurityStateError::from("unexpected cert hash length")); + } + let mut result = Vec::with_capacity(hashes_bytes.len()); + for hash in hashes_bytes.chunks_exact(Sha256::output_size()) { + if hash != cert_hash { + result.extend_from_slice(hash); + } + } + Ok(result) + } +} + +impl<'a> IntoIterator for CertHashList<'a> { + type Item = &'a [u8]; + type IntoIter = std::vec::IntoIter<&'a [u8]>; + + fn into_iter(self) -> Self::IntoIter { + self.hashes.into_iter() + } +} + +// Helper struct for get_crlite_revocation_state. +struct CRLiteTimestamp { + log_id: ThinVec<u8>, + timestamp: u64, +} + +// Helper struct for set_batch_state. Takes a prefix, two base64-encoded key +// parts, and a security state value. +struct EncodedSecurityState { + prefix: &'static str, + key_part_1_base64: nsCString, + key_part_2_base64: nsCString, + state: i16, +} + +impl EncodedSecurityState { + fn new( + prefix: &'static str, + key_part_1_base64: nsCString, + key_part_2_base64: nsCString, + state: i16, + ) -> EncodedSecurityState { + EncodedSecurityState { + prefix, + key_part_1_base64, + key_part_2_base64, + state, + } + } + + fn key(&self) -> Result<Vec<u8>, SecurityStateError> { + let key_part_1 = BASE64_STANDARD.decode(&self.key_part_1_base64)?; + let key_part_2 = BASE64_STANDARD.decode(&self.key_part_2_base64)?; + Ok(make_key!(self.prefix, &key_part_1, &key_part_2)) + } + + fn state(&self) -> i16 { + self.state + } +} + +fn get_path_from_directory_service(key: &str) -> Result<PathBuf, nserror::nsresult> { + let directory_service: RefPtr<nsIProperties> = + xpcom::components::Directory::service().map_err(|_| NS_ERROR_FAILURE)?; + let cs_key = CString::new(key).map_err(|_| NS_ERROR_FAILURE)?; + + let mut requested_dir = GetterAddrefs::<nsIFile>::new(); + unsafe { + (*directory_service) + .Get( + (&cs_key).as_ptr(), + &nsIFile::IID as *const nsIID, + requested_dir.void_ptr(), + ) + .to_result() + }?; + + let dir_path = requested_dir.refptr().ok_or(NS_ERROR_FAILURE)?; + let mut path = nsString::new(); + unsafe { (*dir_path).GetPath(&mut *path).to_result() }?; + Ok(PathBuf::from(format!("{}", path))) +} + +fn get_profile_path() -> Result<PathBuf, nserror::nsresult> { + get_path_from_directory_service("ProfD").or_else(|_| get_path_from_directory_service("TmpD")) +} + +fn get_store_path(profile_path: &PathBuf) -> Result<PathBuf, SecurityStateError> { + let mut store_path = profile_path.clone(); + store_path.push("security_state"); + create_dir_all(store_path.as_path())?; + Ok(store_path) +} + +fn make_env(path: &Path) -> Result<Rkv, SecurityStateError> { + let mut builder = Rkv::environment_builder::<SafeMode>(); + builder.set_max_dbs(2); + + // 16MB is a little over twice the size of the current dataset. When we + // eventually switch to the LMDB backend to create the builder above, + // we should set this as the map size, since it cannot currently resize. + // (The SafeMode backend warns when a map size is specified, so we skip it + // for now to avoid console spam.) + + // builder.set_map_size(16777216); + + // Bug 1595004: Migrate databases between backends in the future, + // and handle 32 and 64 bit architectures in case of LMDB. + Rkv::from_builder(path, builder).map_err(SecurityStateError::from) +} + +fn unconditionally_remove_file(path: &Path) -> Result<(), SecurityStateError> { + match remove_file(path) { + Ok(()) => Ok(()), + Err(e) => match e.kind() { + std::io::ErrorKind::NotFound => Ok(()), + _ => Err(SecurityStateError::from(e)), + }, + } +} + +fn remove_db(path: &Path) -> Result<(), SecurityStateError> { + // Remove LMDB-related files. + let db = path.join("data.mdb"); + unconditionally_remove_file(&db)?; + let lock = path.join("lock.mdb"); + unconditionally_remove_file(&lock)?; + + // Remove SafeMode-related files. + let db = path.join("data.safe.bin"); + unconditionally_remove_file(&db)?; + + Ok(()) +} + +// Helper function to read stash information from the given reader and insert the results into the +// given stash map. +fn load_crlite_stash_from_reader_into_map( + reader: &mut dyn Read, + dest: &mut HashMap<Vec<u8>, HashSet<Vec<u8>>>, +) -> Result<(), SecurityStateError> { + // The basic unit of the stash file is an issuer subject public key info + // hash (sha-256) followed by a number of serial numbers corresponding + // to revoked certificates issued by that issuer. More specifically, + // each unit consists of: + // 4 bytes little-endian: the number of serial numbers following the issuer spki hash + // 1 byte: the length of the issuer spki hash + // issuer spki hash length bytes: the issuer spki hash + // as many times as the indicated serial numbers: + // 1 byte: the length of the serial number + // serial number length bytes: the serial number + // The stash file consists of any number of these units concatenated + // together. + loop { + let num_serials = match reader.read_u32::<LittleEndian>() { + Ok(num_serials) => num_serials, + Err(_) => break, // end of input, presumably + }; + let issuer_spki_hash_len = reader.read_u8().map_err(|e| { + SecurityStateError::from(format!("error reading stash issuer_spki_hash_len: {}", e)) + })?; + let mut issuer_spki_hash = vec![0; issuer_spki_hash_len as usize]; + reader.read_exact(&mut issuer_spki_hash).map_err(|e| { + SecurityStateError::from(format!("error reading stash issuer_spki_hash: {}", e)) + })?; + let serials = dest.entry(issuer_spki_hash).or_insert(HashSet::new()); + for _ in 0..num_serials { + let serial_len = reader.read_u8().map_err(|e| { + SecurityStateError::from(format!("error reading stash serial_len: {}", e)) + })?; + let mut serial = vec![0; serial_len as usize]; + reader.read_exact(&mut serial).map_err(|e| { + SecurityStateError::from(format!("error reading stash serial: {}", e)) + })?; + let _ = serials.insert(serial); + } + } + Ok(()) +} + +// This is a helper struct that implements the task that asynchronously reads the CRLite stash on a +// background thread. +struct BackgroundReadStashTask { + profile_path: PathBuf, + security_state: Arc<RwLock<SecurityState>>, +} + +impl BackgroundReadStashTask { + fn new( + profile_path: PathBuf, + security_state: &Arc<RwLock<SecurityState>>, + ) -> BackgroundReadStashTask { + BackgroundReadStashTask { + profile_path, + security_state: Arc::clone(security_state), + } + } +} + +impl Task for BackgroundReadStashTask { + fn run(&self) { + let mut path = match get_store_path(&self.profile_path) { + Ok(path) => path, + Err(e) => { + error!("error getting security_state path: {}", e.message); + return; + } + }; + path.push("crlite.stash"); + // Before we've downloaded any stashes, this file won't exist. + if !path.exists() { + return; + } + let stash_file = match File::open(path) { + Ok(file) => file, + Err(e) => { + error!("error opening stash file: {}", e); + return; + } + }; + let mut stash_reader = BufReader::new(stash_file); + let mut crlite_stash = HashMap::new(); + match load_crlite_stash_from_reader_into_map(&mut stash_reader, &mut crlite_stash) { + Ok(()) => {} + Err(e) => { + error!("error loading crlite stash: {}", e.message); + return; + } + } + let mut ss = match self.security_state.write() { + Ok(ss) => ss, + Err(_) => return, + }; + match ss.crlite_stash.replace(crlite_stash) { + Some(_) => { + error!("replacing existing crlite stash when reading for the first time?"); + return; + } + None => {} + } + } + + fn done(&self) -> Result<(), nsresult> { + Ok(()) + } +} + +fn do_construct_cert_storage( + iid: *const xpcom::nsIID, + result: *mut *mut xpcom::reexports::libc::c_void, +) -> Result<(), nserror::nsresult> { + let path_buf = get_profile_path()?; + let security_state = Arc::new(RwLock::new(SecurityState::new(path_buf.clone()))); + let cert_storage = CertStorage::allocate(InitCertStorage { + security_state: security_state.clone(), + queue: create_background_task_queue(cstr!("cert_storage"))?, + }); + let memory_reporter = MemoryReporter::allocate(InitMemoryReporter { security_state }); + + // Dispatch a task to the background task queue to asynchronously read the CRLite stash file (if + // present) and load it into cert_storage. This task does not hold the + // cert_storage.security_state mutex for the majority of its operation, which allows certificate + // verification threads to query cert_storage without blocking. This is important for + // performance, but it means that certificate verifications that happen before the task has + // completed will not have stash information, and thus may not know of revocations that have + // occurred since the last full CRLite filter was downloaded. As long as the last full filter + // was downloaded no more than 10 days ago, this is no worse than relying on OCSP responses, + // which have a maximum validity of 10 days. + // NB: because the background task queue is serial, this task will complete before other tasks + // later dispatched to the queue run. This means that other tasks that interact with the stash + // will do so with the correct set of preconditions. + let load_crlite_stash_task = Box::new(BackgroundReadStashTask::new( + path_buf, + &cert_storage.security_state, + )); + let runnable = TaskRunnable::new("LoadCrliteStash", load_crlite_stash_task)?; + TaskRunnable::dispatch(runnable, cert_storage.queue.coerce())?; + + if let Some(reporter) = memory_reporter.query_interface::<nsIMemoryReporter>() { + if let Some(reporter_manager) = xpcom::get_service::<nsIMemoryReporterManager>(cstr!( + "@mozilla.org/memory-reporter-manager;1" + )) { + unsafe { reporter_manager.RegisterStrongReporter(&*reporter) }; + } + } + + unsafe { cert_storage.QueryInterface(iid, result).to_result() } +} + +// This is a helper for creating a task that will perform a specific action on a background thread. +struct SecurityStateTask< + T: Default + VariantType, + F: FnOnce(&mut SecurityState) -> Result<T, SecurityStateError>, +> { + callback: AtomicCell<Option<ThreadBoundRefPtr<nsICertStorageCallback>>>, + security_state: Arc<RwLock<SecurityState>>, + result: AtomicCell<(nserror::nsresult, T)>, + task_action: AtomicCell<Option<F>>, +} + +impl<T: Default + VariantType, F: FnOnce(&mut SecurityState) -> Result<T, SecurityStateError>> + SecurityStateTask<T, F> +{ + fn new( + callback: &nsICertStorageCallback, + security_state: &Arc<RwLock<SecurityState>>, + task_action: F, + ) -> Result<SecurityStateTask<T, F>, nsresult> { + let mut ss = security_state.write().or(Err(NS_ERROR_FAILURE))?; + ss.remaining_ops = ss.remaining_ops.wrapping_add(1); + + Ok(SecurityStateTask { + callback: AtomicCell::new(Some(ThreadBoundRefPtr::new(RefPtr::new(callback)))), + security_state: Arc::clone(security_state), + result: AtomicCell::new((NS_ERROR_FAILURE, T::default())), + task_action: AtomicCell::new(Some(task_action)), + }) + } +} + +impl<T: Default + VariantType, F: FnOnce(&mut SecurityState) -> Result<T, SecurityStateError>> Task + for SecurityStateTask<T, F> +{ + fn run(&self) { + let mut ss = match self.security_state.write() { + Ok(ss) => ss, + Err(_) => return, + }; + // this is a no-op if the DB is already open + if ss.open_db().is_err() { + return; + } + if let Some(task_action) = self.task_action.swap(None) { + let rv = task_action(&mut ss) + .and_then(|v| Ok((NS_OK, v))) + .unwrap_or((NS_ERROR_FAILURE, T::default())); + self.result.store(rv); + } + } + + fn done(&self) -> Result<(), nsresult> { + let threadbound = self.callback.swap(None).ok_or(NS_ERROR_FAILURE)?; + let callback = threadbound.get_ref().ok_or(NS_ERROR_FAILURE)?; + let result = self.result.swap((NS_ERROR_FAILURE, T::default())); + let variant = result.1.into_variant(); + let nsrv = unsafe { callback.Done(result.0, &*variant) }; + + let mut ss = self.security_state.write().or(Err(NS_ERROR_FAILURE))?; + ss.remaining_ops = ss.remaining_ops.wrapping_sub(1); + + match nsrv { + NS_OK => Ok(()), + e => Err(e), + } + } +} + +#[no_mangle] +pub extern "C" fn cert_storage_constructor( + iid: *const xpcom::nsIID, + result: *mut *mut xpcom::reexports::libc::c_void, +) -> nserror::nsresult { + if !is_main_thread() { + return NS_ERROR_NOT_SAME_THREAD; + } + match do_construct_cert_storage(iid, result) { + Ok(()) => NS_OK, + Err(e) => e, + } +} + +macro_rules! try_ns { + ($e:expr) => { + match $e { + Ok(value) => value, + Err(_) => return NS_ERROR_FAILURE, + } + }; + ($e:expr, or continue) => { + match $e { + Ok(value) => value, + Err(err) => { + error!("{}", err); + continue; + } + } + }; +} + +// This macro is a way to ensure the DB has been opened while minimizing lock acquisitions in the +// common (read-only) case. First we acquire a read lock and see if we even need to open the DB. If +// not, we can continue with the read lock we already have. Otherwise, we drop the read lock, +// acquire the write lock, open the DB, drop the write lock, and re-acquire the read lock. While it +// is possible for two or more threads to all come to the conclusion that they need to open the DB, +// this isn't ultimately an issue - `open_db` will exit early if another thread has already done the +// work. +macro_rules! get_security_state { + ($self:expr) => {{ + let ss_read_only = try_ns!($self.security_state.read()); + if !ss_read_only.db_needs_opening() { + ss_read_only + } else { + drop(ss_read_only); + { + let mut ss_write = try_ns!($self.security_state.write()); + try_ns!(ss_write.open_db()); + } + try_ns!($self.security_state.read()) + } + }}; +} + +#[xpcom(implement(nsICertStorage), atomic)] +struct CertStorage { + security_state: Arc<RwLock<SecurityState>>, + queue: RefPtr<nsISerialEventTarget>, +} + +/// CertStorage implements the nsICertStorage interface. The actual work is done by the +/// SecurityState. To handle any threading issues, we have an atomic-refcounted read/write lock on +/// the one and only SecurityState. So, only one thread can use SecurityState's &mut self functions +/// at a time, while multiple threads can use &self functions simultaneously (as long as there are +/// no threads using an &mut self function). The Arc is to allow for the creation of background +/// tasks that use the SecurityState on the queue owned by CertStorage. This allows us to not block +/// the main thread. +#[allow(non_snake_case)] +impl CertStorage { + unsafe fn HasPriorData( + &self, + data_type: u8, + callback: *const nsICertStorageCallback, + ) -> nserror::nsresult { + if !is_main_thread() { + return NS_ERROR_NOT_SAME_THREAD; + } + if callback.is_null() { + return NS_ERROR_NULL_POINTER; + } + let task = Box::new(try_ns!(SecurityStateTask::new( + &*callback, + &self.security_state, + move |ss| ss.get_has_prior_data(data_type), + ))); + let runnable = try_ns!(TaskRunnable::new("HasPriorData", task)); + try_ns!(TaskRunnable::dispatch(runnable, self.queue.coerce())); + NS_OK + } + + unsafe fn GetRemainingOperationCount(&self, state: *mut i32) -> nserror::nsresult { + if !is_main_thread() { + return NS_ERROR_NOT_SAME_THREAD; + } + if state.is_null() { + return NS_ERROR_NULL_POINTER; + } + let ss = try_ns!(self.security_state.read()); + *state = ss.remaining_ops; + NS_OK + } + + unsafe fn SetRevocations( + &self, + revocations: *const ThinVec<Option<RefPtr<nsIRevocationState>>>, + callback: *const nsICertStorageCallback, + ) -> nserror::nsresult { + if !is_main_thread() { + return NS_ERROR_NOT_SAME_THREAD; + } + if revocations.is_null() || callback.is_null() { + return NS_ERROR_NULL_POINTER; + } + + let revocations = &*revocations; + let mut entries = Vec::with_capacity(revocations.len()); + + // By continuing when an nsIRevocationState attribute value is invalid, + // we prevent errors relating to individual blocklist entries from + // causing sync to fail. We will accumulate telemetry on these failures + // in bug 1254099. + + for revocation in revocations.iter().flatten() { + let mut state: i16 = 0; + try_ns!(revocation.GetState(&mut state).to_result(), or continue); + + if let Some(revocation) = + (*revocation).query_interface::<nsIIssuerAndSerialRevocationState>() + { + let mut issuer = nsCString::new(); + try_ns!(revocation.GetIssuer(&mut *issuer).to_result(), or continue); + + let mut serial = nsCString::new(); + try_ns!(revocation.GetSerial(&mut *serial).to_result(), or continue); + + entries.push(EncodedSecurityState::new( + PREFIX_REV_IS, + issuer, + serial, + state, + )); + } else if let Some(revocation) = + (*revocation).query_interface::<nsISubjectAndPubKeyRevocationState>() + { + let mut subject = nsCString::new(); + try_ns!(revocation.GetSubject(&mut *subject).to_result(), or continue); + + let mut pub_key_hash = nsCString::new(); + try_ns!(revocation.GetPubKey(&mut *pub_key_hash).to_result(), or continue); + + entries.push(EncodedSecurityState::new( + PREFIX_REV_SPK, + subject, + pub_key_hash, + state, + )); + } + } + + let task = Box::new(try_ns!(SecurityStateTask::new( + &*callback, + &self.security_state, + move |ss| ss.set_batch_state(&entries, nsICertStorage::DATA_TYPE_REVOCATION), + ))); + let runnable = try_ns!(TaskRunnable::new("SetRevocations", task)); + try_ns!(TaskRunnable::dispatch(runnable, self.queue.coerce())); + NS_OK + } + + unsafe fn GetRevocationState( + &self, + issuer: *const ThinVec<u8>, + serial: *const ThinVec<u8>, + subject: *const ThinVec<u8>, + pub_key: *const ThinVec<u8>, + state: *mut i16, + ) -> nserror::nsresult { + // TODO (bug 1541212): We really want to restrict this to non-main-threads only in non-test + // contexts, but we can't do so until bug 1406854 is fixed. + if issuer.is_null() || serial.is_null() || subject.is_null() || pub_key.is_null() { + return NS_ERROR_NULL_POINTER; + } + *state = nsICertStorage::STATE_UNSET; + let ss = get_security_state!(self); + match ss.get_revocation_state(&*issuer, &*serial, &*subject, &*pub_key) { + Ok(st) => { + *state = st; + NS_OK + } + _ => NS_ERROR_FAILURE, + } + } + + unsafe fn SetFullCRLiteFilter( + &self, + filter: *const ThinVec<u8>, + enrolled_issuers: *const ThinVec<nsCString>, + coverage: *const ThinVec<Option<RefPtr<nsICRLiteCoverage>>>, + callback: *const nsICertStorageCallback, + ) -> nserror::nsresult { + if !is_main_thread() { + return NS_ERROR_NOT_SAME_THREAD; + } + if filter.is_null() + || coverage.is_null() + || callback.is_null() + || enrolled_issuers.is_null() + { + return NS_ERROR_NULL_POINTER; + } + + let filter_owned = (*filter).to_vec(); + let enrolled_issuers_owned = (*enrolled_issuers).to_vec(); + + let coverage = &*coverage; + let mut coverage_entries = Vec::with_capacity(coverage.len()); + for entry in coverage.iter().flatten() { + let mut b64_log_id = nsCString::new(); + try_ns!((*entry).GetB64LogID(&mut *b64_log_id).to_result(), or continue); + let mut min_timestamp: u64 = 0; + try_ns!((*entry).GetMinTimestamp(&mut min_timestamp).to_result(), or continue); + let mut max_timestamp: u64 = 0; + try_ns!((*entry).GetMaxTimestamp(&mut max_timestamp).to_result(), or continue); + coverage_entries.push((b64_log_id, min_timestamp, max_timestamp)); + } + + let task = Box::new(try_ns!(SecurityStateTask::new( + &*callback, + &self.security_state, + move |ss| ss.set_full_crlite_filter( + filter_owned, + enrolled_issuers_owned, + &coverage_entries + ), + ))); + let runnable = try_ns!(TaskRunnable::new("SetFullCRLiteFilter", task)); + try_ns!(TaskRunnable::dispatch(runnable, self.queue.coerce())); + NS_OK + } + + unsafe fn AddCRLiteStash( + &self, + stash: *const ThinVec<u8>, + callback: *const nsICertStorageCallback, + ) -> nserror::nsresult { + if !is_main_thread() { + return NS_ERROR_NOT_SAME_THREAD; + } + if stash.is_null() || callback.is_null() { + return NS_ERROR_NULL_POINTER; + } + let stash_owned = (*stash).to_vec(); + let task = Box::new(try_ns!(SecurityStateTask::new( + &*callback, + &self.security_state, + move |ss| ss.add_crlite_stash(stash_owned), + ))); + let runnable = try_ns!(TaskRunnable::new("AddCRLiteStash", task)); + try_ns!(TaskRunnable::dispatch(runnable, self.queue.coerce())); + NS_OK + } + + unsafe fn IsCertRevokedByStash( + &self, + issuer_spki: *const ThinVec<u8>, + serial_number: *const ThinVec<u8>, + is_revoked: *mut bool, + ) -> nserror::nsresult { + if issuer_spki.is_null() || serial_number.is_null() || is_revoked.is_null() { + return NS_ERROR_NULL_POINTER; + } + let ss = get_security_state!(self); + *is_revoked = match ss.is_cert_revoked_by_stash(&*issuer_spki, &*serial_number) { + Ok(is_revoked) => is_revoked, + Err(_) => return NS_ERROR_FAILURE, + }; + NS_OK + } + + unsafe fn GetCRLiteRevocationState( + &self, + issuer: *const ThinVec<u8>, + issuerSPKI: *const ThinVec<u8>, + serialNumber: *const ThinVec<u8>, + timestamps: *const ThinVec<Option<RefPtr<nsICRLiteTimestamp>>>, + state: *mut i16, + ) -> nserror::nsresult { + // TODO (bug 1541212): We really want to restrict this to non-main-threads only, but we + // can't do so until bug 1406854 is fixed. + if issuer.is_null() + || issuerSPKI.is_null() + || serialNumber.is_null() + || state.is_null() + || timestamps.is_null() + { + return NS_ERROR_NULL_POINTER; + } + let timestamps = &*timestamps; + let mut timestamp_entries = Vec::with_capacity(timestamps.len()); + for timestamp_entry in timestamps.iter().flatten() { + let mut log_id = ThinVec::with_capacity(32); + try_ns!(timestamp_entry.GetLogID(&mut log_id).to_result(), or continue); + let mut timestamp: u64 = 0; + try_ns!(timestamp_entry.GetTimestamp(&mut timestamp).to_result(), or continue); + timestamp_entries.push(CRLiteTimestamp { log_id, timestamp }); + } + let ss = get_security_state!(self); + *state = ss.get_crlite_revocation_state( + &*issuer, + &*issuerSPKI, + &*serialNumber, + ×tamp_entries, + ); + NS_OK + } + + unsafe fn AddCerts( + &self, + certs: *const ThinVec<Option<RefPtr<nsICertInfo>>>, + callback: *const nsICertStorageCallback, + ) -> nserror::nsresult { + if !is_main_thread() { + return NS_ERROR_NOT_SAME_THREAD; + } + if certs.is_null() || callback.is_null() { + return NS_ERROR_NULL_POINTER; + } + let certs = &*certs; + let mut cert_entries = Vec::with_capacity(certs.len()); + for cert in certs.iter().flatten() { + let mut der = nsCString::new(); + try_ns!((*cert).GetCert(&mut *der).to_result(), or continue); + let mut subject = nsCString::new(); + try_ns!((*cert).GetSubject(&mut *subject).to_result(), or continue); + let mut trust: i16 = 0; + try_ns!((*cert).GetTrust(&mut trust).to_result(), or continue); + cert_entries.push((der, subject, trust)); + } + let task = Box::new(try_ns!(SecurityStateTask::new( + &*callback, + &self.security_state, + move |ss| ss.add_certs(&cert_entries), + ))); + let runnable = try_ns!(TaskRunnable::new("AddCerts", task)); + try_ns!(TaskRunnable::dispatch(runnable, self.queue.coerce())); + NS_OK + } + + unsafe fn RemoveCertsByHashes( + &self, + hashes: *const ThinVec<nsCString>, + callback: *const nsICertStorageCallback, + ) -> nserror::nsresult { + if !is_main_thread() { + return NS_ERROR_NOT_SAME_THREAD; + } + if hashes.is_null() || callback.is_null() { + return NS_ERROR_NULL_POINTER; + } + let hashes = (*hashes).to_vec(); + let task = Box::new(try_ns!(SecurityStateTask::new( + &*callback, + &self.security_state, + move |ss| ss.remove_certs_by_hashes(&hashes), + ))); + let runnable = try_ns!(TaskRunnable::new("RemoveCertsByHashes", task)); + try_ns!(TaskRunnable::dispatch(runnable, self.queue.coerce())); + NS_OK + } + + unsafe fn FindCertsBySubject( + &self, + subject: *const ThinVec<u8>, + certs: *mut ThinVec<ThinVec<u8>>, + ) -> nserror::nsresult { + // TODO (bug 1541212): We really want to restrict this to non-main-threads only, but we + // can't do so until bug 1406854 is fixed. + if subject.is_null() || certs.is_null() { + return NS_ERROR_NULL_POINTER; + } + let ss = get_security_state!(self); + match ss.find_certs_by_subject(&*subject, &mut *certs) { + Ok(()) => NS_OK, + Err(_) => NS_ERROR_FAILURE, + } + } +} + +extern "C" { + fn cert_storage_malloc_size_of(ptr: *const xpcom::reexports::libc::c_void) -> usize; +} + +#[xpcom(implement(nsIMemoryReporter), atomic)] +struct MemoryReporter { + security_state: Arc<RwLock<SecurityState>>, +} + +#[allow(non_snake_case)] +impl MemoryReporter { + unsafe fn CollectReports( + &self, + callback: *const nsIHandleReportCallback, + data: *const nsISupports, + _anonymize: bool, + ) -> nserror::nsresult { + let ss = try_ns!(self.security_state.read()); + let mut ops = MallocSizeOfOps::new(cert_storage_malloc_size_of, None); + let size = ss.size_of(&mut ops); + let callback = match RefPtr::from_raw(callback) { + Some(ptr) => ptr, + None => return NS_ERROR_UNEXPECTED, + }; + // This does the same as MOZ_COLLECT_REPORT + callback.Callback( + &nsCStr::new() as &nsACString, + &nsCStr::from("explicit/cert-storage/storage") as &nsACString, + nsIMemoryReporter::KIND_HEAP, + nsIMemoryReporter::UNITS_BYTES, + size as i64, + &nsCStr::from("Memory used by certificate storage") as &nsACString, + data, + ); + NS_OK + } +} diff --git a/security/manager/ssl/components.conf b/security/manager/ssl/components.conf new file mode 100644 index 0000000000..7bdcae356a --- /dev/null +++ b/security/manager/ssl/components.conf @@ -0,0 +1,155 @@ +# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*- +# vim: set filetype=python: +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +Headers = [ + '/security/manager/ssl/nsNSSModule.h', +] + +Classes = [ + { + 'cid': '{4cb64dfd-ca98-4e24-befd-0d9285a33bcb}', + 'contract_ids': ['@mozilla.org/psm;1'], + 'type': 'nsNSSComponent', + 'headers': ['nsNSSComponent.h'], + 'init_method': 'Init', + }, + { + 'cid': '{9ef18451-a157-4d17-8132-47afef213689}', + 'contract_ids': ['@mozilla.org/nss_errors_service;1'], + 'type': 'mozilla::psm::NSSErrorsService', + 'headers': ['NSSErrorsService.h'], + 'init_method': 'Init', + }, + { + 'cid': '{23ad3531-11d2-4e8e-805a-6a752e91681a}', + 'contract_ids': ['@mozilla.org/security/nssversion;1'], + 'type': 'nsNSSVersion', + 'headers': ['/security/manager/ssl/nsNSSVersion.h'], + }, + { + 'cid': '{0c4f1ddc-1dd2-11b2-9d95-f2fdf113044b}', + 'contract_ids': ['@mozilla.org/security/sdr;1'], + 'type': 'SecretDecoderRing', + 'legacy_constructor': 'mozilla::psm::NSSConstructor<SecretDecoderRing>', + }, + { + 'cid': '{b084a2ce-1dd1-11b2-bf10-8324f8e065cc}', + 'contract_ids': ['@mozilla.org/security/pk11tokendb;1'], + 'type': 'nsPK11TokenDB', + 'legacy_constructor': 'mozilla::psm::NSSConstructor<nsPK11TokenDB>', + }, + { + 'cid': '{ff9fbcd7-9517-4334-b97a-ceed78909974}', + 'contract_ids': ['@mozilla.org/security/pkcs11moduledb;1'], + 'type': 'mozilla::psm::PKCS11ModuleDB', + 'legacy_constructor': 'mozilla::psm::NSSConstructor<mozilla::psm::PKCS11ModuleDB>', + }, + { + 'cid': '{660a3226-915c-4ffb-bb20-8985a632df05}', + 'contract_ids': [], + 'type': 'nsNSSCertificate', + 'headers': ['nsNSSCertificate.h'], + }, + { + 'cid': '{fb0bbc5c-452e-4783-b32c-80124693d871}', + 'contract_ids': ['@mozilla.org/security/x509certdb;1'], + 'type': 'nsNSSCertificateDB', + 'legacy_constructor': 'mozilla::psm::NSSConstructor<nsNSSCertificateDB>', + }, + { + 'cid': '{1dbc6eb6-0972-4bdb-9dc4-acd0abf72369}', + 'contract_ids': ['@mozilla.org/security/clientAuthRememberService;1'], + 'type': 'nsClientAuthRememberService', + 'headers': ['nsClientAuthRemember.h'], + 'init_method': 'Init', + }, + { + 'cid': '{36a1d3b3-d886-4317-96ff-87b0005cfef7}', + 'contract_ids': ['@mozilla.org/security/hash;1'], + 'headers': ['/security/manager/ssl/crypto_hash/crypto_hash.h'], + 'legacy_constructor': 'crypto_hash_constructor', + }, + { + 'cid': '{45a5fe2f-c350-4b86-962d-02d5aaaa955a}', + 'contract_ids': ['@mozilla.org/security/contentsignatureverifier;1'], + 'type': 'ContentSignatureVerifier', + 'legacy_constructor': 'mozilla::psm::NSSConstructor<ContentSignatureVerifier>', + }, + { + 'cid': '{67ba681d-5485-4fff-952c-2ee337ffdcd6}', + 'contract_ids': ['@mozilla.org/security/certoverride;1'], + 'type': 'nsCertOverrideService', + 'headers': ['/security/manager/ssl/nsCertOverrideService.h'], + 'init_method': 'Init', + }, + { + 'cid': '{be65e2b7-fe46-4e0f-88e0-4b385db4d68a}', + 'contract_ids': ['@mozilla.org/security/random-generator;1'], + 'type': 'nsRandomGenerator', + 'legacy_constructor': 'mozilla::psm::NSSConstructor<nsRandomGenerator>', + }, + { + 'cid': '{16786594-0296-4471-8096-8f84497ca428}', + 'contract_ids': ['@mozilla.org/security/transportsecurityinfo;1'], + 'type': 'mozilla::psm::TransportSecurityInfo', + }, + { + 'cid': '{16955eee-6c48-4152-9309-c42a465138a1}', + 'contract_ids': ['@mozilla.org/ssservice;1'], + 'type': 'nsSiteSecurityService', + 'headers': ['/security/manager/ssl/nsSiteSecurityService.h'], + 'init_method': 'Init', + 'processes': ProcessSelector.MAIN_PROCESS_ONLY, + }, + { + 'cid': '{57972956-5718-42d2-8070-b3fc72212eaf}', + 'contract_ids': ['@mozilla.org/security/oskeystore;1'], + 'type': 'OSKeyStore', + 'legacy_constructor': 'mozilla::psm::NSSConstructor<OSKeyStore>', + }, + { + 'cid': '{4fe082ae-6ff0-4b41-b24f-eaa664f6e46a}', + 'contract_ids': ['@mozilla.org/security/osreauthenticator;1'], + 'type': 'OSReauthenticator', + 'legacy_constructor': 'mozilla::psm::NSSConstructor<OSReauthenticator>', + }, + { + 'cid': '{16e5c837-f877-4e23-9c64-eddf905e30e6}', + 'contract_ids': ['@mozilla.org/security/certstorage;1'], + 'headers': ['/security/manager/ssl/cert_storage/src/cert_storage.h'], + 'legacy_constructor': 'cert_storage_constructor', + }, + { + 'cid': '{f64432b9-e8c6-41b4-b2da-8eb004344bba}', + 'contract_ids': ['@mozilla.org/security/publickeypinningservice;1'], + 'type': 'psm::PublicKeyPinningService', + 'headers': ['/security/manager/ssl/PublicKeyPinningService.h'], + }, + { + 'cid': '{4ea60761-31d6-491d-9e34-4b53a26c416c}', + 'contract_ids': ['@mozilla.org/security/nsCertTree;1'], + 'type': 'nsCertTree', + 'legacy_constructor': 'mozilla::psm::NSSConstructor<nsCertTree>', + }, + { + 'cid': '{9676cfc4-6e84-11ec-a30d-d3cd0af86e01}', + 'contract_ids': ['@mozilla.org/security/CRLiteTimestamp;1'], + 'type': 'mozilla::psm::CRLiteTimestamp', + 'headers': ['/security/certverifier/CRLiteTimestamp.h'], + }, + { + 'cid': '{71b49926-fd4e-43e2-ab8d-d9b049413c0b}', + 'contract_ids': ['@mozilla.org/security/datastoragemanager;1'], + 'type': 'mozilla::DataStorageManager', + 'headers': ['/security/manager/ssl/DataStorageManager.h'], + }, + { + 'cid': '{d7d2490d-2640-411b-9f09-a538803c11ee}', + 'contract_ids': ['@mozilla.org/security/ClientAuthDialogService;1'], + 'esModule': 'resource://gre/modules/psm/ClientAuthDialogService.sys.mjs', + 'constructor': 'ClientAuthDialogService', + }, +] diff --git a/security/manager/ssl/content-signature-local.crt b/security/manager/ssl/content-signature-local.crt Binary files differnew file mode 100644 index 0000000000..2acff7d7d6 --- /dev/null +++ b/security/manager/ssl/content-signature-local.crt diff --git a/security/manager/ssl/content-signature-prod.crt b/security/manager/ssl/content-signature-prod.crt Binary files differnew file mode 100644 index 0000000000..6ab711b996 --- /dev/null +++ b/security/manager/ssl/content-signature-prod.crt diff --git a/security/manager/ssl/content-signature-stage.crt b/security/manager/ssl/content-signature-stage.crt Binary files differnew file mode 100644 index 0000000000..38d36cb3f4 --- /dev/null +++ b/security/manager/ssl/content-signature-stage.crt diff --git a/security/manager/ssl/crashtests/398665-1.html b/security/manager/ssl/crashtests/398665-1.html new file mode 100644 index 0000000000..85afb1137f --- /dev/null +++ b/security/manager/ssl/crashtests/398665-1.html @@ -0,0 +1 @@ +<html><body><keygen></keygen></body></html> diff --git a/security/manager/ssl/crashtests/crashtests.list b/security/manager/ssl/crashtests/crashtests.list new file mode 100644 index 0000000000..fbc5b85043 --- /dev/null +++ b/security/manager/ssl/crashtests/crashtests.list @@ -0,0 +1 @@ +load 398665-1.html diff --git a/security/manager/ssl/crypto_hash/Cargo.toml b/security/manager/ssl/crypto_hash/Cargo.toml new file mode 100644 index 0000000000..f842368d4b --- /dev/null +++ b/security/manager/ssl/crypto_hash/Cargo.toml @@ -0,0 +1,15 @@ +[package] +name = "crypto_hash" +version = "0.1.0" +edition = "2021" + +[dependencies] +base64 = "0.21" +digest = "0.10.2" +libc = "0.2" +md-5 = "0.10.2" +nserror = { path = "../../../../xpcom/rust/nserror" } +nsstring = { path = "../../../../xpcom/rust/nsstring" } +sha1 = "0.10.2" +sha2 = "0.10.2" +xpcom = { path = "../../../../xpcom/rust/xpcom" } diff --git a/security/manager/ssl/crypto_hash/crypto_hash.h b/security/manager/ssl/crypto_hash/crypto_hash.h new file mode 100644 index 0000000000..a85993b041 --- /dev/null +++ b/security/manager/ssl/crypto_hash/crypto_hash.h @@ -0,0 +1,46 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsICryptoHash.h" + +extern "C" { +nsresult crypto_hash_constructor(REFNSIID iid, void** result); +}; + +nsresult NS_NewCryptoHash(uint32_t aHashType, nsICryptoHash** aOutHasher) { + MOZ_ASSERT(aOutHasher); + + nsCOMPtr<nsICryptoHash> hasher; + nsresult rv = + crypto_hash_constructor(NS_ICRYPTOHASH_IID, getter_AddRefs(hasher)); + if (NS_FAILED(rv)) { + return rv; + } + rv = hasher->Init(aHashType); + if (NS_FAILED(rv)) { + return rv; + } + hasher.forget(aOutHasher); + + return NS_OK; +} + +nsresult NS_NewCryptoHash(const nsACString& aHashType, + nsICryptoHash** aOutHasher) { + MOZ_ASSERT(aOutHasher); + + nsCOMPtr<nsICryptoHash> hasher; + nsresult rv = + crypto_hash_constructor(NS_ICRYPTOHASH_IID, getter_AddRefs(hasher)); + if (NS_FAILED(rv)) { + return rv; + } + rv = hasher->InitWithString(aHashType); + if (NS_FAILED(rv)) { + return rv; + } + hasher.forget(aOutHasher); + + return NS_OK; +} diff --git a/security/manager/ssl/crypto_hash/src/lib.rs b/security/manager/ssl/crypto_hash/src/lib.rs new file mode 100644 index 0000000000..9303f3cfd9 --- /dev/null +++ b/security/manager/ssl/crypto_hash/src/lib.rs @@ -0,0 +1,177 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +extern crate base64; +extern crate digest; +extern crate libc; +extern crate md5; +extern crate nsstring; +extern crate sha1; +extern crate sha2; +#[macro_use] +extern crate xpcom; + +use base64::Engine; +use digest::{Digest, DynDigest}; +use nserror::{ + nsresult, NS_ERROR_FAILURE, NS_ERROR_INVALID_ARG, NS_ERROR_NOT_AVAILABLE, + NS_ERROR_NOT_INITIALIZED, NS_OK, +}; +use nsstring::{nsACString, nsCString}; +use xpcom::interfaces::{nsICryptoHash, nsIInputStream}; +use xpcom::xpcom_method; + +use std::borrow::Borrow; +use std::sync::Mutex; + +enum Algorithm { + Md5, + Sha1, + Sha256, + Sha384, + Sha512, +} + +impl TryFrom<u32> for Algorithm { + type Error = nsresult; + + fn try_from(value: u32) -> Result<Self, Self::Error> { + match value { + nsICryptoHash::MD5 => Ok(Algorithm::Md5), + nsICryptoHash::SHA1 => Ok(Algorithm::Sha1), + nsICryptoHash::SHA256 => Ok(Algorithm::Sha256), + nsICryptoHash::SHA384 => Ok(Algorithm::Sha384), + nsICryptoHash::SHA512 => Ok(Algorithm::Sha512), + _ => Err(NS_ERROR_INVALID_ARG), + } + } +} + +impl TryFrom<&nsACString> for Algorithm { + type Error = nsresult; + + fn try_from(value: &nsACString) -> Result<Self, Self::Error> { + match value.to_utf8().borrow() { + "md5" => Ok(Algorithm::Md5), + "sha1" => Ok(Algorithm::Sha1), + "sha256" => Ok(Algorithm::Sha256), + "sha384" => Ok(Algorithm::Sha384), + "sha512" => Ok(Algorithm::Sha512), + _ => Err(NS_ERROR_INVALID_ARG), + } + } +} + +#[xpcom(implement(nsICryptoHash), atomic)] +struct CryptoHash { + digest: Mutex<Option<Box<dyn DynDigest>>>, +} + +impl CryptoHash { + xpcom_method!(init => Init(algorithm: u32)); + fn init(&self, algorithm: u32) -> Result<(), nsresult> { + let algorithm = algorithm.try_into()?; + self.init_with_algorithm(algorithm) + } + + xpcom_method!(init_with_string => InitWithString(algorithm: *const nsACString)); + fn init_with_string(&self, algorithm: &nsACString) -> Result<(), nsresult> { + let algorithm = algorithm.try_into()?; + self.init_with_algorithm(algorithm) + } + + fn init_with_algorithm(&self, algorithm: Algorithm) -> Result<(), nsresult> { + let digest = match algorithm { + Algorithm::Md5 => Box::new(md5::Md5::new()) as Box<dyn DynDigest>, + Algorithm::Sha1 => Box::new(sha1::Sha1::new()) as Box<dyn DynDigest>, + Algorithm::Sha256 => Box::new(sha2::Sha256::new()) as Box<dyn DynDigest>, + Algorithm::Sha384 => Box::new(sha2::Sha384::new()) as Box<dyn DynDigest>, + Algorithm::Sha512 => Box::new(sha2::Sha512::new()) as Box<dyn DynDigest>, + }; + let mut guard = self.digest.lock().map_err(|_| NS_ERROR_FAILURE)?; + if let Some(_expected_none_digest) = (*guard).replace(digest) { + return Err(NS_ERROR_FAILURE); + } + Ok(()) + } + + xpcom_method!(update => Update(data: *const u8, len: u32)); + fn update(&self, data: *const u8, len: u32) -> Result<(), nsresult> { + let mut guard = self.digest.lock().map_err(|_| NS_ERROR_FAILURE)?; + let digest = match (*guard).as_mut() { + Some(digest) => digest, + None => return Err(NS_ERROR_NOT_INITIALIZED), + }; + // Safety: this is safe as long as xpcom gave us valid arguments. + let data = unsafe { + std::slice::from_raw_parts(data, len.try_into().map_err(|_| NS_ERROR_INVALID_ARG)?) + }; + digest.update(data); + Ok(()) + } + + xpcom_method!(update_from_stream => UpdateFromStream(stream: *const nsIInputStream, len: u32)); + fn update_from_stream(&self, stream: &nsIInputStream, len: u32) -> Result<(), nsresult> { + let mut guard = self.digest.lock().map_err(|_| NS_ERROR_FAILURE)?; + let digest = match (*guard).as_mut() { + Some(digest) => digest, + None => return Err(NS_ERROR_NOT_INITIALIZED), + }; + let mut available = 0u64; + unsafe { stream.Available(&mut available as *mut u64).to_result()? }; + let mut to_read = if len == u32::MAX { available } else { len as u64 }; + if available == 0 || available < to_read { + return Err(NS_ERROR_NOT_AVAILABLE); + } + let mut buf = vec![0u8; 4096]; + let buf_len = buf.len() as u64; + while to_read > 0 { + let chunk_len = if to_read >= buf_len { buf_len as u32 } else { to_read as u32 }; + let mut read = 0u32; + unsafe { + stream + .Read( + buf.as_mut_ptr() as *mut libc::c_char, + chunk_len, + &mut read as *mut u32, + ) + .to_result()? + }; + if read > chunk_len { + return Err(NS_ERROR_FAILURE); + } + digest.update(&buf[0..read.try_into().map_err(|_| NS_ERROR_FAILURE)?]); + to_read -= read as u64; + } + Ok(()) + } + + xpcom_method!(finish => Finish(ascii: bool) -> nsACString); + fn finish(&self, ascii: bool) -> Result<nsCString, nsresult> { + let mut guard = self.digest.lock().map_err(|_| NS_ERROR_FAILURE)?; + let digest = match (*guard).take() { + Some(digest) => digest, + None => return Err(NS_ERROR_NOT_INITIALIZED), + }; + let result = digest.finalize(); + if ascii { + Ok(nsCString::from( + base64::engine::general_purpose::STANDARD.encode(result), + )) + } else { + Ok(nsCString::from(result)) + } + } +} + +#[no_mangle] +pub extern "C" fn crypto_hash_constructor( + iid: *const xpcom::nsIID, + result: *mut *mut xpcom::reexports::libc::c_void, +) -> nserror::nsresult { + let crypto_hash = CryptoHash::allocate(InitCryptoHash { + digest: Mutex::new(None), + }); + unsafe { crypto_hash.QueryInterface(iid, result) } +} diff --git a/security/manager/ssl/data_storage/Cargo.toml b/security/manager/ssl/data_storage/Cargo.toml new file mode 100644 index 0000000000..a90b44c69d --- /dev/null +++ b/security/manager/ssl/data_storage/Cargo.toml @@ -0,0 +1,18 @@ +[package] +name = "data_storage" +version = "0.0.1" +edition = "2021" +license = "MPL-2.0" + +[dependencies] +byteorder = "1" +cstr = "0.2" +firefox-on-glean = { path = "../../../../toolkit/components/glean/api" } +log = "0.4" +malloc_size_of_derive = { path = "../../../../xpcom/rust/malloc_size_of_derive" } +moz_task = { path = "../../../../xpcom/rust/moz_task" } +nserror = { path = "../../../../xpcom/rust/nserror" } +nsstring = { path = "../../../../xpcom/rust/nsstring" } +thin-vec = { version = "0.2.1", features = ["gecko-ffi"] } +wr_malloc_size_of = { path = "../../../../gfx/wr/wr_malloc_size_of" } +xpcom = { path = "../../../../xpcom/rust/xpcom" } diff --git a/security/manager/ssl/data_storage/src/lib.rs b/security/manager/ssl/data_storage/src/lib.rs new file mode 100644 index 0000000000..8cbbf05563 --- /dev/null +++ b/security/manager/ssl/data_storage/src/lib.rs @@ -0,0 +1,1017 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +extern crate byteorder; +#[macro_use] +extern crate cstr; +extern crate firefox_on_glean; +#[macro_use] +extern crate log; +#[macro_use] +extern crate malloc_size_of_derive; +extern crate moz_task; +extern crate nserror; +extern crate thin_vec; +extern crate wr_malloc_size_of; +#[macro_use] +extern crate xpcom; + +use wr_malloc_size_of as malloc_size_of; + +use byteorder::{BigEndian, ReadBytesExt, WriteBytesExt}; +use firefox_on_glean::metrics::data_storage; +use malloc_size_of::{MallocSizeOf, MallocSizeOfOps}; +use moz_task::{create_background_task_queue, RunnableBuilder}; +use nserror::{ + nsresult, NS_ERROR_FAILURE, NS_ERROR_ILLEGAL_INPUT, NS_ERROR_INVALID_ARG, + NS_ERROR_NOT_AVAILABLE, NS_OK, +}; +use nsstring::{nsACString, nsAString, nsCStr, nsCString, nsString}; +use thin_vec::ThinVec; +use xpcom::interfaces::{ + nsIDataStorage, nsIDataStorageItem, nsIFile, nsIHandleReportCallback, nsIMemoryReporter, + nsIMemoryReporterManager, nsIObserverService, nsIProperties, nsISerialEventTarget, nsISupports, +}; +use xpcom::{xpcom_method, RefPtr, XpCom}; + +use std::collections::HashMap; +use std::ffi::CStr; +use std::fs::{File, OpenOptions}; +use std::io::{BufRead, BufReader, ErrorKind, Read, Seek, SeekFrom, Write}; +use std::os::raw::{c_char, c_void}; +use std::path::PathBuf; +use std::sync::{Condvar, Mutex}; +use std::time::{Duration, SystemTime, UNIX_EPOCH}; + +/// Helper type for turning the nsIDataStorage::DataType "enum" into a rust +/// enum. +#[derive(Copy, Clone, Eq, PartialEq)] +enum DataType { + Persistent, + Private, +} + +impl From<u8> for DataType { + fn from(value: u8) -> Self { + match value { + nsIDataStorage::Persistent => DataType::Persistent, + nsIDataStorage::Private => DataType::Private, + _ => panic!("invalid nsIDataStorage::DataType"), + } + } +} + +impl From<DataType> for u8 { + fn from(value: DataType) -> Self { + match value { + DataType::Persistent => nsIDataStorage::Persistent, + DataType::Private => nsIDataStorage::Private, + } + } +} + +/// Returns the current day in days since the unix epoch, to a maximum of +/// u16::MAX days. +fn now_in_days() -> u16 { + const SECONDS_PER_DAY: u64 = 60 * 60 * 24; + let now = SystemTime::now() + .duration_since(UNIX_EPOCH) + .unwrap_or(Duration::ZERO); + (now.as_secs() / SECONDS_PER_DAY) + .try_into() + .unwrap_or(u16::MAX) +} + +/// An entry in some DataStorageTable. +#[derive(Clone, MallocSizeOf)] +struct Entry { + /// The number of unique days this Entry has been accessed on. + score: u16, + /// The number of days since the unix epoch this Entry was last accessed. + last_accessed: u16, + /// The key. + key: Vec<u8>, + /// The value. + value: Vec<u8>, + /// The slot index of this Entry. + slot_index: usize, +} + +impl Entry { + /// Constructs an Entry given a line of text from the old DataStorage format. + fn from_old_line(line: &str, slot_index: usize, value_length: usize) -> Result<Self, nsresult> { + // the old format is <key>\t<score>\t<last accessed>\t<value> + let parts: Vec<&str> = line.split('\t').collect(); + if parts.len() != 4 { + return Err(NS_ERROR_ILLEGAL_INPUT); + } + let score = parts[1] + .parse::<u16>() + .map_err(|_| NS_ERROR_ILLEGAL_INPUT)?; + let last_accessed = parts[2] + .parse::<u16>() + .map_err(|_| NS_ERROR_ILLEGAL_INPUT)?; + let key = Vec::from(parts[0]); + if key.len() > KEY_LENGTH { + return Err(NS_ERROR_ILLEGAL_INPUT); + } + let value = Vec::from(parts[3]); + if value.len() > value_length { + return Err(NS_ERROR_ILLEGAL_INPUT); + } + Ok(Entry { + score, + last_accessed, + key, + value, + slot_index, + }) + } + + /// Constructs an Entry given the parsed parts from the current format. + fn from_slot( + score: u16, + last_accessed: u16, + key: Vec<u8>, + value: Vec<u8>, + slot_index: usize, + ) -> Self { + Entry { + score, + last_accessed, + key, + value, + slot_index, + } + } + + /// Constructs a new Entry given a key, value, and index. + fn new(key: Vec<u8>, value: Vec<u8>, slot_index: usize) -> Self { + Entry { + score: 1, + last_accessed: now_in_days(), + key, + value, + slot_index, + } + } + + /// Constructs a new, empty `Entry` with the given index. Useful for clearing + /// slots on disk. + fn new_empty(slot_index: usize) -> Self { + Entry { + score: 0, + last_accessed: 0, + key: Vec::new(), + value: Vec::new(), + slot_index, + } + } + + /// Returns whether or not this is an empty `Entry` (an empty `Entry` has + /// been created with `Entry::new_empty()` or cleared with + /// `Entry::clear()`, has 0 `score` and `last_accessed`, and has an empty + /// `key` and `value`. + fn is_empty(&self) -> bool { + self.score == 0 && self.last_accessed == 0 && self.key.is_empty() && self.value.is_empty() + } + + /// If this Entry was last accessed on a day different from today, + /// increments its score (as well as its last accessed day). + /// Returns `true` if the score did in fact change, and `false` otherwise. + fn update_score(&mut self) -> bool { + let now_in_days = now_in_days(); + if self.last_accessed != now_in_days { + self.last_accessed = now_in_days; + self.score += 1; + true + } else { + false + } + } + + /// Clear the data stored in this Entry. Useful for clearing a single slot + /// on disk. + fn clear(&mut self) { + // Note: it's important that this preserves slot_index - the writer + // needs it to know where to write out the zeroed Entry + *self = Self::new_empty(self.slot_index); + } +} + +/// Strips all trailing 0 bytes from the end of the given vec. +/// Useful for converting 0-padded keys and values to their original, non-padded +/// state. +fn strip_zeroes(vec: &mut Vec<u8>) { + let mut length = vec.len(); + while length > 0 && vec[length - 1] == 0 { + length -= 1; + } + vec.truncate(length); +} + +/// Given a slice of entries, returns a Vec<Entry> consisting of each Entry +/// with score equal to the minimum score among all entries. +fn get_entries_with_minimum_score(entries: &[Entry]) -> Vec<&Entry> { + let mut min_score = u16::MAX; + let mut min_score_entries = Vec::new(); + for entry in entries.iter() { + if entry.score < min_score { + min_score = entry.score; + min_score_entries.clear(); + } + if entry.score == min_score { + min_score_entries.push(entry); + } + } + min_score_entries +} + +const MAX_SLOTS: usize = 2048; +const KEY_LENGTH: usize = 256; + +/// Helper type to map between an entry key and the slot it is stored on. +type DataStorageTable = HashMap<Vec<u8>, usize>; + +/// The main structure of this implementation. Keeps track of persistent +/// and private entries. +#[derive(MallocSizeOf)] +struct DataStorageInner { + /// The key to slot index mapping table for persistent data. + persistent_table: DataStorageTable, + /// The persistent entries that are stored on disk. + persistent_slots: Vec<Entry>, + /// The key to slot index mapping table for private, temporary data. + private_table: DataStorageTable, + /// The private, temporary entries that are not stored on disk. + /// This data is cleared upon observing "last-pb-context-exited", and is + /// forgotten when the program shuts down. + private_slots: Vec<Entry>, + /// The name of the table (e.g. "SiteSecurityServiceState"). + name: String, + /// The maximum permitted length of values. + value_length: usize, + /// A PathBuf holding the location of the profile directory, if available. + maybe_profile_path: Option<PathBuf>, + /// A serial event target to post tasks to, to write out changed persistent + /// data in the background. + #[ignore_malloc_size_of = "not implemented for nsISerialEventTarget"] + write_queue: Option<RefPtr<nsISerialEventTarget>>, +} + +impl DataStorageInner { + fn new( + name: String, + value_length: usize, + maybe_profile_path: Option<PathBuf>, + ) -> Result<Self, nsresult> { + Ok(DataStorageInner { + persistent_table: DataStorageTable::new(), + persistent_slots: Vec::new(), + private_table: DataStorageTable::new(), + private_slots: Vec::new(), + name, + value_length, + maybe_profile_path, + write_queue: Some(create_background_task_queue(cstr!("data_storage"))?), + }) + } + + /// Initializes the DataStorageInner. If the profile directory is not + /// present, does nothing. If the backing file is available, processes it. + /// Otherwise, if the old backing file is available, migrates it to the + /// current format. + fn initialize(&mut self) -> Result<(), nsresult> { + let Some(profile_path) = self.maybe_profile_path.as_ref() else { + return Ok(()); + }; + let mut backing_path = profile_path.clone(); + backing_path.push(format!("{}.bin", &self.name)); + let mut old_backing_path = profile_path.clone(); + old_backing_path.push(format!("{}.txt", &self.name)); + if backing_path.exists() { + self.read(backing_path) + } else if old_backing_path.exists() { + self.read_old_format(old_backing_path) + } else { + Ok(()) + } + } + + /// Reads the backing file, processing each slot. + fn read(&mut self, path: PathBuf) -> Result<(), nsresult> { + let f = OpenOptions::new() + .read(true) + .write(true) + .create(true) + .open(path) + .map_err(|_| NS_ERROR_FAILURE)?; + let mut backing_file = BufReader::new(f); + let mut slots = Vec::new(); + // First read each entry into the persistent slots list. + while slots.len() < MAX_SLOTS { + if let Some(entry) = self.process_slot(&mut backing_file, slots.len())? { + slots.push(entry); + } else { + break; + } + } + self.persistent_slots = slots; + // Then build the key -> slot index lookup table. + self.persistent_table = self + .persistent_slots + .iter() + .filter(|slot| !slot.is_empty()) + .map(|slot| (slot.key.clone(), slot.slot_index)) + .collect(); + let num_entries = self.persistent_table.len() as i64; + match self.name.as_str() { + "AlternateServices" => data_storage::alternate_services.set(num_entries), + "ClientAuthRememberList" => data_storage::client_auth_remember_list.set(num_entries), + "SiteSecurityServiceState" => { + data_storage::site_security_service_state.set(num_entries) + } + _ => panic!("unknown nsIDataStorageManager::DataStorage"), + } + Ok(()) + } + + /// Processes a slot (via a reader) by reading its metadata, key, and + /// value. If the checksum fails or if the score or last accessed fields + /// are 0, this is an empty slot. Otherwise, un-0-pads the key and value, + /// creates a new Entry, and puts it in the persistent table. + fn process_slot<R: Read>( + &mut self, + reader: &mut R, + slot_index: usize, + ) -> Result<Option<Entry>, nsresult> { + // Format is [checksum][score][last accessed][key][value], where + // checksum is 2 bytes big-endian, score and last accessed are 2 bytes + // big-endian, key is KEY_LENGTH bytes (currently 256), and value is + // self.value_length bytes (1024 for most instances, but 24 for + // SiteSecurityServiceState - see DataStorageManager::Get). + let mut checksum = match reader.read_u16::<BigEndian>() { + Ok(checksum) => checksum, + // The file may be shorter than expected due to unoccupied slots. + // Every slot after the last read slot is unoccupied. + Err(e) if e.kind() == ErrorKind::UnexpectedEof => return Ok(None), + Err(_) => return Err(NS_ERROR_FAILURE), + }; + let score = reader + .read_u16::<BigEndian>() + .map_err(|_| NS_ERROR_FAILURE)?; + checksum ^= score; + let last_accessed = reader + .read_u16::<BigEndian>() + .map_err(|_| NS_ERROR_FAILURE)?; + checksum ^= last_accessed; + + let mut key = vec![0u8; KEY_LENGTH]; + reader.read_exact(&mut key).map_err(|_| NS_ERROR_FAILURE)?; + for mut chunk in key.chunks(2) { + checksum ^= chunk + .read_u16::<BigEndian>() + .map_err(|_| NS_ERROR_FAILURE)?; + } + strip_zeroes(&mut key); + let mut value = vec![0u8; self.value_length]; + reader + .read_exact(&mut value) + .map_err(|_| NS_ERROR_FAILURE)?; + for mut chunk in value.chunks(2) { + checksum ^= chunk + .read_u16::<BigEndian>() + .map_err(|_| NS_ERROR_FAILURE)?; + } + strip_zeroes(&mut value); + + // If this slot is incomplete, corrupted, or empty, treat it as empty. + if checksum != 0 || score == 0 || last_accessed == 0 { + // This slot is empty. + return Ok(Some(Entry::new_empty(slot_index))); + } + + Ok(Some(Entry::from_slot( + score, + last_accessed, + key, + value, + slot_index, + ))) + } + + /// Migrates from the old format to the current format. + fn read_old_format(&mut self, path: PathBuf) -> Result<(), nsresult> { + let file = File::open(path).map_err(|_| NS_ERROR_FAILURE)?; + let reader = BufReader::new(file); + // First read each line in the old file into the persistent slots list. + // The old format was limited to 1024 lines, so only expect that many. + for line in reader.lines().flatten().take(1024) { + match Entry::from_old_line(&line, self.persistent_slots.len(), self.value_length) { + Ok(entry) => { + if self.persistent_slots.len() >= MAX_SLOTS { + warn!("too many lines in old DataStorage format"); + break; + } + if !entry.is_empty() { + self.persistent_slots.push(entry); + } else { + warn!("empty entry in old DataStorage format?"); + } + } + Err(_) => { + warn!("failed to migrate a line from old DataStorage format"); + } + } + } + // Then build the key -> slot index lookup table. + self.persistent_table = self + .persistent_slots + .iter() + .filter(|slot| !slot.is_empty()) + .map(|slot| (slot.key.clone(), slot.slot_index)) + .collect(); + // Finally, write out the migrated data to the new backing file. + self.async_write_entries(self.persistent_slots.clone())?; + let num_entries = self.persistent_table.len() as i64; + match self.name.as_str() { + "AlternateServices" => data_storage::alternate_services.set(num_entries), + "ClientAuthRememberList" => data_storage::client_auth_remember_list.set(num_entries), + "SiteSecurityServiceState" => { + data_storage::site_security_service_state.set(num_entries) + } + _ => panic!("unknown nsIDataStorageManager::DataStorage"), + } + Ok(()) + } + + /// Given an `Entry` and `DataType`, this function updates the internal + /// list of slots and the mapping from keys to slot indices. If the slot + /// assigned to the `Entry` is already occupied, the existing `Entry` is + /// evicted. + /// After updating internal state, if the type of this entry is persistent, + /// this function dispatches an event to asynchronously write the data out. + fn put_internal(&mut self, entry: Entry, type_: DataType) -> Result<(), nsresult> { + let (table, slots) = self.get_table_and_slots_for_type_mut(type_); + if entry.slot_index < slots.len() { + let entry_to_evict = &slots[entry.slot_index]; + if !entry_to_evict.is_empty() { + table.remove(&entry_to_evict.key); + } + } + let _ = table.insert(entry.key.clone(), entry.slot_index); + if entry.slot_index < slots.len() { + slots[entry.slot_index] = entry.clone(); + } else if entry.slot_index == slots.len() { + slots.push(entry.clone()); + } else { + panic!( + "put_internal should not have been given an Entry with slot_index > slots.len()" + ); + } + if type_ == DataType::Persistent { + self.async_write_entry(entry)?; + } + Ok(()) + } + + /// Returns the total length of each slot on disk. + fn slot_length(&self) -> usize { + // Checksum is 2 bytes, and score and last accessed are 2 bytes each. + 2 + 2 + 2 + KEY_LENGTH + self.value_length + } + + /// Gets the next free slot index, or determines a slot to evict (but + /// doesn't actually perform the eviction - the caller must do that). + fn get_free_slot_or_slot_to_evict(&self, type_: DataType) -> usize { + let (_, slots) = self.get_table_and_slots_for_type(type_); + let maybe_unoccupied_slot = slots + .iter() + .enumerate() + .find(|(_, maybe_empty_entry)| maybe_empty_entry.is_empty()); + if let Some((unoccupied_slot, _)) = maybe_unoccupied_slot { + return unoccupied_slot; + } + // If `slots` isn't full, the next free slot index is one more than the + // current last index. + if slots.len() < MAX_SLOTS { + return slots.len(); + } + // If there isn't an unoccupied slot, evict the entry with the lowest score. + let min_score_entries = get_entries_with_minimum_score(&slots); + // `min_score_entry` is the oldest Entry with the minimum score. + // There must be at least one such Entry, so unwrap it or abort. + let min_score_entry = min_score_entries + .iter() + .min_by_key(|e| e.last_accessed) + .unwrap(); + min_score_entry.slot_index + } + + /// Helper function to get a handle on the slot list and key to slot index + /// mapping for the given `DataType`. + fn get_table_and_slots_for_type(&self, type_: DataType) -> (&DataStorageTable, &[Entry]) { + match type_ { + DataType::Persistent => (&self.persistent_table, &self.persistent_slots), + DataType::Private => (&self.private_table, &self.private_slots), + } + } + + /// Helper function to get a mutable handle on the slot list and key to + /// slot index mapping for the given `DataType`. + fn get_table_and_slots_for_type_mut( + &mut self, + type_: DataType, + ) -> (&mut DataStorageTable, &mut Vec<Entry>) { + match type_ { + DataType::Persistent => (&mut self.persistent_table, &mut self.persistent_slots), + DataType::Private => (&mut self.private_table, &mut self.private_slots), + } + } + + /// Helper function to look up an `Entry` by its key and type. + fn get_entry(&mut self, key: &[u8], type_: DataType) -> Option<&mut Entry> { + let (table, slots) = self.get_table_and_slots_for_type_mut(type_); + let slot_index = table.get(key)?; + Some(&mut slots[*slot_index]) + } + + /// Gets a value by key, if available. Updates the Entry's score when appropriate. + fn get(&mut self, key: &[u8], type_: DataType) -> Result<Vec<u8>, nsresult> { + let Some(entry) = self.get_entry(key, type_) else { + return Err(NS_ERROR_NOT_AVAILABLE); + }; + let value = entry.value.clone(); + if entry.update_score() && type_ == DataType::Persistent { + let entry = entry.clone(); + self.async_write_entry(entry)?; + } + Ok(value) + } + + /// Inserts or updates a value by key. Updates the Entry's score if applicable. + fn put(&mut self, key: Vec<u8>, value: Vec<u8>, type_: DataType) -> Result<(), nsresult> { + if key.len() > KEY_LENGTH || value.len() > self.value_length { + return Err(NS_ERROR_INVALID_ARG); + } + if let Some(existing_entry) = self.get_entry(&key, type_) { + let data_changed = existing_entry.value != value; + if data_changed { + existing_entry.value = value; + } + if (existing_entry.update_score() || data_changed) && type_ == DataType::Persistent { + let entry = existing_entry.clone(); + self.async_write_entry(entry)?; + } + Ok(()) + } else { + let slot_index = self.get_free_slot_or_slot_to_evict(type_); + let entry = Entry::new(key.clone(), value, slot_index); + self.put_internal(entry, type_) + } + } + + /// Removes an Entry by key, if it is present. + fn remove(&mut self, key: &Vec<u8>, type_: DataType) -> Result<(), nsresult> { + let (table, slots) = self.get_table_and_slots_for_type_mut(type_); + let Some(slot_index) = table.remove(key) else { + return Ok(()); + }; + let entry = &mut slots[slot_index]; + entry.clear(); + if type_ == DataType::Persistent { + let entry = entry.clone(); + self.async_write_entry(entry)?; + } + Ok(()) + } + + /// Clears all tables and the backing persistent file. + fn clear(&mut self) -> Result<(), nsresult> { + self.persistent_table.clear(); + self.private_table.clear(); + self.persistent_slots.clear(); + self.private_slots.clear(); + let Some(profile_path) = self.maybe_profile_path.clone() else { + return Ok(()); + }; + let Some(write_queue) = self.write_queue.clone() else { + return Ok(()); + }; + let name = self.name.clone(); + RunnableBuilder::new("data_storage::remove_backing_files", move || { + let old_backing_path = profile_path.join(format!("{name}.txt")); + let _ = std::fs::remove_file(old_backing_path); + let backing_path = profile_path.join(format!("{name}.bin")); + let _ = std::fs::remove_file(backing_path); + }) + .may_block(true) + .dispatch(write_queue.coerce()) + } + + /// Clears only data in the private table. + fn clear_private_data(&mut self) { + self.private_table.clear(); + self.private_slots.clear(); + } + + /// Asynchronously writes the given entry on the background serial event + /// target. + fn async_write_entry(&self, entry: Entry) -> Result<(), nsresult> { + self.async_write_entries(vec![entry]) + } + + /// Asynchronously writes the given entries on the background serial event + /// target. + fn async_write_entries(&self, entries: Vec<Entry>) -> Result<(), nsresult> { + let Some(mut backing_path) = self.maybe_profile_path.clone() else { + return Ok(()); + }; + let Some(write_queue) = self.write_queue.clone() else { + return Ok(()); + }; + backing_path.push(format!("{}.bin", &self.name)); + let value_length = self.value_length; + let slot_length = self.slot_length(); + RunnableBuilder::new("data_storage::write_entries", move || { + let _ = write_entries(entries, backing_path, value_length, slot_length); + }) + .may_block(true) + .dispatch(write_queue.coerce()) + } + + /// Drop the write queue to prevent further writes. + fn drop_write_queue(&mut self) { + let _ = self.write_queue.take(); + } + + /// Takes a callback that is run for each entry in each table. + fn for_each<F>(&self, mut f: F) + where + F: FnMut(&Entry, DataType), + { + for entry in &self.persistent_slots { + f(entry, DataType::Persistent); + } + for entry in &self.private_slots { + f(entry, DataType::Private); + } + } + + /// Collects the memory used by this DataStorageInner. + fn collect_reports( + &self, + ops: &mut MallocSizeOfOps, + callback: &nsIHandleReportCallback, + data: Option<&nsISupports>, + ) -> Result<(), nsresult> { + let size = self.size_of(ops); + let data = match data { + Some(data) => data as *const nsISupports, + None => std::ptr::null() as *const nsISupports, + }; + unsafe { + callback + .Callback( + &nsCStr::new() as &nsACString, + &nsCString::from(format!("explicit/data-storage/{}", self.name)) as &nsACString, + nsIMemoryReporter::KIND_HEAP, + nsIMemoryReporter::UNITS_BYTES, + size as i64, + &nsCStr::from("Memory used by PSM data storage cache") as &nsACString, + data, + ) + .to_result() + } + } +} + +#[xpcom(implement(nsIDataStorageItem), atomic)] +struct DataStorageItem { + key: nsCString, + value: nsCString, + type_: u8, +} + +impl DataStorageItem { + xpcom_method!(get_key => GetKey() -> nsACString); + fn get_key(&self) -> Result<nsCString, nsresult> { + Ok(self.key.clone()) + } + + xpcom_method!(get_value => GetValue() -> nsACString); + fn get_value(&self) -> Result<nsCString, nsresult> { + Ok(self.value.clone()) + } + + xpcom_method!(get_type => GetType() -> u8); + fn get_type(&self) -> Result<u8, nsresult> { + Ok(self.type_) + } +} + +type VoidPtrToSizeFn = unsafe extern "C" fn(ptr: *const c_void) -> usize; + +/// Helper struct that coordinates xpcom access to the DataStorageInner that +/// actually holds the data. +#[xpcom(implement(nsIDataStorage, nsIMemoryReporter, nsIObserver), atomic)] +struct DataStorage { + ready: (Mutex<bool>, Condvar), + data: Mutex<DataStorageInner>, + size_of_op: VoidPtrToSizeFn, + enclosing_size_of_op: VoidPtrToSizeFn, +} + +impl DataStorage { + xpcom_method!(get => Get(key: *const nsACString, type_: u8) -> nsACString); + fn get(&self, key: &nsACString, type_: u8) -> Result<nsCString, nsresult> { + self.wait_for_ready()?; + let mut storage = self.data.lock().unwrap(); + storage + .get(&Vec::from(key.as_ref()), type_.into()) + .map(|data| nsCString::from(data)) + } + + xpcom_method!(put => Put(key: *const nsACString, value: *const nsACString, type_: u8)); + fn put(&self, key: &nsACString, value: &nsACString, type_: u8) -> Result<(), nsresult> { + self.wait_for_ready()?; + let mut storage = self.data.lock().unwrap(); + storage.put( + Vec::from(key.as_ref()), + Vec::from(value.as_ref()), + type_.into(), + ) + } + + xpcom_method!(remove => Remove(key: *const nsACString, type_: u8)); + fn remove(&self, key: &nsACString, type_: u8) -> Result<(), nsresult> { + self.wait_for_ready()?; + let mut storage = self.data.lock().unwrap(); + storage.remove(&Vec::from(key.as_ref()), type_.into())?; + Ok(()) + } + + xpcom_method!(clear => Clear()); + fn clear(&self) -> Result<(), nsresult> { + self.wait_for_ready()?; + let mut storage = self.data.lock().unwrap(); + storage.clear()?; + Ok(()) + } + + xpcom_method!(is_ready => IsReady() -> bool); + fn is_ready(&self) -> Result<bool, nsresult> { + let ready = self.ready.0.lock().unwrap(); + Ok(*ready) + } + + xpcom_method!(get_all => GetAll() -> ThinVec<Option<RefPtr<nsIDataStorageItem>>>); + fn get_all(&self) -> Result<ThinVec<Option<RefPtr<nsIDataStorageItem>>>, nsresult> { + self.wait_for_ready()?; + let storage = self.data.lock().unwrap(); + let mut items = ThinVec::new(); + let add_item = |entry: &Entry, data_type: DataType| { + let item = DataStorageItem::allocate(InitDataStorageItem { + key: entry.key.clone().into(), + value: entry.value.clone().into(), + type_: data_type.into(), + }); + items.push(Some(RefPtr::new(item.coerce()))); + }; + storage.for_each(add_item); + Ok(items) + } + + fn indicate_ready(&self) -> Result<(), nsresult> { + let (ready_mutex, condvar) = &self.ready; + let mut ready = ready_mutex.lock().unwrap(); + *ready = true; + condvar.notify_all(); + Ok(()) + } + + fn wait_for_ready(&self) -> Result<(), nsresult> { + let (ready_mutex, condvar) = &self.ready; + let mut ready = ready_mutex.lock().unwrap(); + while !*ready { + ready = condvar.wait(ready).unwrap(); + } + Ok(()) + } + + fn initialize(&self) -> Result<(), nsresult> { + let mut storage = self.data.lock().unwrap(); + // If this fails, the implementation is "ready", but it probably won't + // store any data persistently. This is expected in cases where there + // is no profile directory. + let _ = storage.initialize(); + self.indicate_ready() + } + + xpcom_method!(collect_reports => CollectReports(callback: *const nsIHandleReportCallback, data: *const nsISupports, anonymize: bool)); + fn collect_reports( + &self, + callback: &nsIHandleReportCallback, + data: Option<&nsISupports>, + _anonymize: bool, + ) -> Result<(), nsresult> { + let storage = self.data.lock().unwrap(); + let mut ops = MallocSizeOfOps::new(self.size_of_op, Some(self.enclosing_size_of_op)); + storage.collect_reports(&mut ops, callback, data) + } + + xpcom_method!(observe => Observe(_subject: *const nsISupports, topic: *const c_char, _data: *const u16)); + unsafe fn observe( + &self, + _subject: Option<&nsISupports>, + topic: *const c_char, + _data: *const u16, + ) -> Result<(), nsresult> { + let mut storage = self.data.lock().unwrap(); + let topic = CStr::from_ptr(topic); + // Observe shutdown - prevent any further writes. + // The backing file is in the profile directory, so stop writing when + // that goes away. + // "xpcom-shutdown-threads" is a backstop for situations where the + // "profile-before-change" notification is not emitted. + if topic == cstr!("profile-before-change") || topic == cstr!("xpcom-shutdown-threads") { + storage.drop_write_queue(); + } else if topic == cstr!("last-pb-context-exited") { + storage.clear_private_data(); + } + Ok(()) + } +} + +/// Given some entries, the path of the backing file, and metadata about Entry +/// length, writes an Entry to the backing file in the appropriate slot. +/// Creates the backing file if it does not exist. +fn write_entries( + entries: Vec<Entry>, + backing_path: PathBuf, + value_length: usize, + slot_length: usize, +) -> Result<(), std::io::Error> { + let mut backing_file = OpenOptions::new() + .write(true) + .create(true) + .open(backing_path)?; + let Some(max_slot_index) = entries.iter().map(|entry| entry.slot_index).max() else { + return Ok(()); // can only happen if entries is empty + }; + let necessary_len = ((max_slot_index + 1) * slot_length) as u64; + if backing_file.metadata()?.len() < necessary_len { + backing_file.set_len(necessary_len)?; + } + let mut buf = vec![0u8; slot_length]; + for entry in entries { + let mut buf_writer = buf.as_mut_slice(); + buf_writer.write_u16::<BigEndian>(0)?; // set checksum to 0 for now + let mut checksum = entry.score; + buf_writer.write_u16::<BigEndian>(entry.score)?; + checksum ^= entry.last_accessed; + buf_writer.write_u16::<BigEndian>(entry.last_accessed)?; + for mut chunk in entry.key.chunks(2) { + if chunk.len() == 1 { + checksum ^= (chunk[0] as u16) << 8; + } else { + checksum ^= chunk.read_u16::<BigEndian>()?; + } + } + if entry.key.len() > KEY_LENGTH { + continue; + } + buf_writer.write_all(&entry.key)?; + let (key_remainder, mut buf_writer) = buf_writer.split_at_mut(KEY_LENGTH - entry.key.len()); + key_remainder.fill(0); + for mut chunk in entry.value.chunks(2) { + if chunk.len() == 1 { + checksum ^= (chunk[0] as u16) << 8; + } else { + checksum ^= chunk.read_u16::<BigEndian>()?; + } + } + if entry.value.len() > value_length { + continue; + } + buf_writer.write_all(&entry.value)?; + buf_writer.fill(0); + + backing_file.seek(SeekFrom::Start((entry.slot_index * slot_length) as u64))?; + backing_file.write_all(&buf)?; + backing_file.flush()?; + backing_file.seek(SeekFrom::Start((entry.slot_index * slot_length) as u64))?; + backing_file.write_u16::<BigEndian>(checksum)?; + } + Ok(()) +} + +/// Uses the xpcom directory service to try to obtain the profile directory. +fn get_profile_path() -> Result<PathBuf, nsresult> { + let directory_service: RefPtr<nsIProperties> = + xpcom::components::Directory::service().map_err(|_| NS_ERROR_FAILURE)?; + let mut profile_dir = xpcom::GetterAddrefs::<nsIFile>::new(); + unsafe { + directory_service + .Get( + cstr!("ProfD").as_ptr(), + &nsIFile::IID, + profile_dir.void_ptr(), + ) + .to_result()?; + } + let profile_dir = profile_dir.refptr().ok_or(NS_ERROR_FAILURE)?; + let mut profile_path = nsString::new(); + unsafe { + (*profile_dir).GetPath(&mut *profile_path).to_result()?; + } + let profile_path = String::from_utf16(profile_path.as_ref()).map_err(|_| NS_ERROR_FAILURE)?; + Ok(PathBuf::from(profile_path)) +} + +fn make_data_storage_internal( + basename: &str, + value_length: usize, + size_of_op: VoidPtrToSizeFn, + enclosing_size_of_op: VoidPtrToSizeFn, +) -> Result<RefPtr<nsIDataStorage>, nsresult> { + let maybe_profile_path = get_profile_path().ok(); + let data_storage = DataStorage::allocate(InitDataStorage { + ready: (Mutex::new(false), Condvar::new()), + data: Mutex::new(DataStorageInner::new( + basename.to_string(), + value_length, + maybe_profile_path, + )?), + size_of_op, + enclosing_size_of_op, + }); + // Initialize the DataStorage on a background thread. + let data_storage_for_background_initialization = data_storage.clone(); + RunnableBuilder::new("data_storage::initialize", move || { + let _ = data_storage_for_background_initialization.initialize(); + }) + .may_block(true) + .dispatch_background_task()?; + + // Observe shutdown and when the last private browsing context exits. + if let Ok(observer_service) = xpcom::components::Observer::service::<nsIObserverService>() { + unsafe { + observer_service + .AddObserver( + data_storage.coerce(), + cstr!("profile-before-change").as_ptr(), + false, + ) + .to_result()?; + observer_service + .AddObserver( + data_storage.coerce(), + cstr!("xpcom-shutdown-threads").as_ptr(), + false, + ) + .to_result()?; + observer_service + .AddObserver( + data_storage.coerce(), + cstr!("last-pb-context-exited").as_ptr(), + false, + ) + .to_result()?; + } + } + + // Register the DataStorage as a memory reporter. + if let Some(memory_reporter_manager) = xpcom::get_service::<nsIMemoryReporterManager>(cstr!( + "@mozilla.org/memory-reporter-manager;1" + )) { + unsafe { + memory_reporter_manager + .RegisterStrongReporter(data_storage.coerce()) + .to_result()?; + } + } + + Ok(RefPtr::new(data_storage.coerce())) +} + +#[no_mangle] +pub unsafe extern "C" fn make_data_storage( + basename: *const nsAString, + value_length: usize, + size_of_op: VoidPtrToSizeFn, + enclosing_size_of_op: VoidPtrToSizeFn, + result: *mut *const xpcom::interfaces::nsIDataStorage, +) -> nsresult { + if basename.is_null() || result.is_null() { + return NS_ERROR_INVALID_ARG; + } + let basename = &*basename; + let basename = basename.to_string(); + match make_data_storage_internal(&basename, value_length, size_of_op, enclosing_size_of_op) { + Ok(val) => val.forget(&mut *result), + Err(e) => return e, + } + NS_OK +} diff --git a/security/manager/ssl/gen_cert_header.py b/security/manager/ssl/gen_cert_header.py new file mode 100644 index 0000000000..a141a9b54b --- /dev/null +++ b/security/manager/ssl/gen_cert_header.py @@ -0,0 +1,46 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +def _file_byte_generator(filename): + with open(filename, "rb") as f: + contents = f.read() + + # Treat empty files the same as a file containing a lone 0; + # a single-element array will fail cert verifcation just as an + # empty array would. + if not contents: + return ["\0"] + + return contents + + +def _create_header(array_name, cert_bytes): + hexified = ["0x%02x" % byte for byte in cert_bytes] + + substs = {"array_name": array_name, "bytes": ", ".join(hexified)} + return "const uint8_t %(array_name)s[] = {\n%(bytes)s\n};\n" % substs + + +# Create functions named the same as the data arrays that we're going to +# write to the headers, so we don't have to duplicate the names like so: +# +# def arrayName(header, cert_filename): +# header.write(_create_header("arrayName", cert_filename)) +array_names = [ + "addonsPublicIntermediate", + "addonsPublicRoot", + "addonsStageRoot", + "contentSignatureDevRoot", + "contentSignatureLocalRoot", + "contentSignatureProdRoot", + "contentSignatureStageRoot", + "xpcshellRoot", +] + +for n in array_names: + # Make sure the lambda captures the right string. + globals()[n] = lambda header, cert_filename, name=n: header.write( + _create_header(name, _file_byte_generator(cert_filename)) + ) diff --git a/security/manager/ssl/ipcclientcerts/Cargo.toml b/security/manager/ssl/ipcclientcerts/Cargo.toml new file mode 100644 index 0000000000..9dcfc8c3b7 --- /dev/null +++ b/security/manager/ssl/ipcclientcerts/Cargo.toml @@ -0,0 +1,16 @@ +[package] +name = "ipcclientcerts-static" +version = "0.1.0" +authors = ["Dana Keeler <dkeeler@mozilla.com>"] +edition = "2018" +license = "MPL-2.0" + +[dependencies] +byteorder = "1.3" +pkcs11-bindings = "0.1" +rsclientcerts = { path = "../rsclientcerts" } +sha2 = "0.10.2" +mozilla-central-workspace-hack = { version = "0.1", features = ["ipcclientcerts-static"], optional = true } + +[lib] +crate-type = ["staticlib"] diff --git a/security/manager/ssl/ipcclientcerts/dynamic-library/ipcclientcerts.symbols b/security/manager/ssl/ipcclientcerts/dynamic-library/ipcclientcerts.symbols new file mode 100644 index 0000000000..562ecea21d --- /dev/null +++ b/security/manager/ssl/ipcclientcerts/dynamic-library/ipcclientcerts.symbols @@ -0,0 +1 @@ +C_GetFunctionList diff --git a/security/manager/ssl/ipcclientcerts/dynamic-library/moz.build b/security/manager/ssl/ipcclientcerts/dynamic-library/moz.build new file mode 100644 index 0000000000..7f2ab5e27f --- /dev/null +++ b/security/manager/ssl/ipcclientcerts/dynamic-library/moz.build @@ -0,0 +1,40 @@ +# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*- +# vim: set filetype=python: +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +USE_LIBS += ["ipcclientcerts-static"] + +# On Linux (but not when building for Android), this needs to use the C++ +# version to avoid linking against the wrong libc symbols. +# On Android, this needs to use the C version to avoid multiple definitions +# of symbols caused by their presence in libgcc and ipcclientcerts-static. +if CONFIG["OS_ARCH"] == "Linux" and CONFIG["OS_TARGET"] != "Android": + SOURCES += [ + "stub.cpp", + ] +else: + SOURCES += [ + "stub.c", + ] + +if CONFIG["OS_TARGET"] == "Android": + OS_LIBS += ["m"] + +if CONFIG["OS_ARCH"] == "WINNT": + OS_LIBS += [ + "advapi32", + "userenv", + "ws2_32", + ] + OS_LIBS += [ + "bcrypt", + "ntdll", + ] + + +SharedLibrary("ipcclientcerts") + +NoVisibilityFlags() +SYMBOLS_FILE = "ipcclientcerts.symbols" diff --git a/security/manager/ssl/ipcclientcerts/dynamic-library/stub.c b/security/manager/ssl/ipcclientcerts/dynamic-library/stub.c new file mode 100644 index 0000000000..f679e5dfd4 --- /dev/null +++ b/security/manager/ssl/ipcclientcerts/dynamic-library/stub.c @@ -0,0 +1,43 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "pkcs11.h" + +// The build system builds the rust library ipcclientcerts as a static library +// called ipcclientcerts_static. On macOS and Windows, that static library can +// be linked with an empty file and turned into a shared library with the +// function C_GetFunctionList exposed. This allows that shared library to be +// used as a PKCS#11 module (see osclientcerts). +// Unfortunately, on Linux, exposing the C_GetFunctionList in the static +// library doesn't work for some unknown reason. As a workaround, this file +// declares its own C_GetFunctionList that can be exposed in the shared +// library. It then calls the function IPCCC_GetFunctionList exposed +// (internally to the linkage in question) by ipcclientcerts. This enables +// the build system to ultimately turn ipcclientcerts into a shared library +// that exposes a C_GetFunctionList function, meaning it can be used as a +// PKCS#11 module. + +CK_RV IPCCC_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR ppFunctionList); + +CK_RV C_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR ppFunctionList) { + return IPCCC_GetFunctionList(ppFunctionList); +} + +// On MinGW there's a toolchain mismatch that results in _Unwind_Resume being +// undefined. It's never going to get called here anyway, so this defines it to +// satisfy the linker. See bug 1745855 and +// https://github.com/rust-lang/rust/issues/79609#issuecomment-987107562. +#ifdef __MINGW32__ +# include "mozilla/Assertions.h" +void _Unwind_Resume() { MOZ_CRASH("Unexpected call to _Unwind_*"); } +void _Unwind_GetDataRelBase() { _Unwind_Resume(); } +void _Unwind_GetTextRelBase() { _Unwind_Resume(); } +void _Unwind_GetLanguageSpecificData() { _Unwind_Resume(); } +void _Unwind_GetIPInfo() { _Unwind_Resume(); } +void _Unwind_GetRegionStart() { _Unwind_Resume(); } +void _Unwind_SetGR() { _Unwind_Resume(); } +void _Unwind_SetIP() { _Unwind_Resume(); } +void _GCC_specific_handler() { _Unwind_Resume(); } +#endif diff --git a/security/manager/ssl/ipcclientcerts/dynamic-library/stub.cpp b/security/manager/ssl/ipcclientcerts/dynamic-library/stub.cpp new file mode 100644 index 0000000000..e50f867574 --- /dev/null +++ b/security/manager/ssl/ipcclientcerts/dynamic-library/stub.cpp @@ -0,0 +1,29 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "pkcs11.h" + +// The build system builds the rust library ipcclientcerts as a static library +// called ipcclientcerts_static. On macOS and Windows, that static library can +// be linked with an empty file and turned into a shared library with the +// function C_GetFunctionList exposed. This allows that shared library to be +// used as a PKCS#11 module (see osclientcerts). +// Unfortunately, on Linux, exposing the C_GetFunctionList in the static +// library doesn't work for some unknown reason. As a workaround, this file +// declares its own C_GetFunctionList that can be exposed in the shared +// library. It then calls the function IPCCC_GetFunctionList exposed +// (internally to the linkage in question) by ipcclientcerts. This enables +// the build system to ultimately turn ipcclientcerts into a shared library +// that exposes a C_GetFunctionList function, meaning it can be used as a +// PKCS#11 module. + +extern "C" { + +CK_RV IPCCC_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR ppFunctionList); + +CK_RV C_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR ppFunctionList) { + return IPCCC_GetFunctionList(ppFunctionList); +} +} diff --git a/security/manager/ssl/ipcclientcerts/moz.build b/security/manager/ssl/ipcclientcerts/moz.build new file mode 100644 index 0000000000..1d24bdea31 --- /dev/null +++ b/security/manager/ssl/ipcclientcerts/moz.build @@ -0,0 +1,9 @@ +# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*- +# vim: set filetype=python: +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +DIRS += ["dynamic-library"] + +RustLibrary("ipcclientcerts-static") diff --git a/security/manager/ssl/ipcclientcerts/src/backend.rs b/security/manager/ssl/ipcclientcerts/src/backend.rs new file mode 100644 index 0000000000..534eecd47e --- /dev/null +++ b/security/manager/ssl/ipcclientcerts/src/backend.rs @@ -0,0 +1,373 @@ +/* -*- Mode: rust; rust-indent-offset: 4 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +use pkcs11_bindings::*; +use rsclientcerts::error::{Error, ErrorType}; +use rsclientcerts::manager::{ClientCertsBackend, CryptokiObject, Sign, SlotType}; +use rsclientcerts::util::*; +use sha2::{Digest, Sha256}; +use std::ffi::c_void; + +use crate::FindObjectsFunction; +use crate::SignFunction; + +pub struct Cert { + class: Vec<u8>, + token: Vec<u8>, + id: Vec<u8>, + label: Vec<u8>, + value: Vec<u8>, + issuer: Vec<u8>, + serial_number: Vec<u8>, + subject: Vec<u8>, + slot_type: SlotType, +} + +impl Cert { + fn new(der: &[u8], slot_type: SlotType) -> Result<Cert, Error> { + let (serial_number, issuer, subject) = read_encoded_certificate_identifiers(der)?; + let id = Sha256::digest(der).to_vec(); + Ok(Cert { + class: serialize_uint(CKO_CERTIFICATE)?, + token: serialize_uint(CK_TRUE)?, + id, + label: b"IPC certificate".to_vec(), + value: der.to_vec(), + issuer, + serial_number, + subject, + slot_type, + }) + } + + fn class(&self) -> &[u8] { + &self.class + } + + fn token(&self) -> &[u8] { + &self.token + } + + fn id(&self) -> &[u8] { + &self.id + } + + fn label(&self) -> &[u8] { + &self.label + } + + fn value(&self) -> &[u8] { + &self.value + } + + fn issuer(&self) -> &[u8] { + &self.issuer + } + + fn serial_number(&self) -> &[u8] { + &self.serial_number + } + + fn subject(&self) -> &[u8] { + &self.subject + } +} + +impl CryptokiObject for Cert { + fn matches(&self, slot_type: SlotType, attrs: &[(CK_ATTRIBUTE_TYPE, Vec<u8>)]) -> bool { + if self.slot_type != slot_type { + return false; + } + for (attr_type, attr_value) in attrs { + let comparison = match *attr_type { + CKA_CLASS => self.class(), + CKA_TOKEN => self.token(), + CKA_LABEL => self.label(), + CKA_ID => self.id(), + CKA_VALUE => self.value(), + CKA_ISSUER => self.issuer(), + CKA_SERIAL_NUMBER => self.serial_number(), + CKA_SUBJECT => self.subject(), + _ => return false, + }; + if attr_value.as_slice() != comparison { + return false; + } + } + true + } + + fn get_attribute(&self, attribute: CK_ATTRIBUTE_TYPE) -> Option<&[u8]> { + let result = match attribute { + CKA_CLASS => self.class(), + CKA_TOKEN => self.token(), + CKA_LABEL => self.label(), + CKA_ID => self.id(), + CKA_VALUE => self.value(), + CKA_ISSUER => self.issuer(), + CKA_SERIAL_NUMBER => self.serial_number(), + CKA_SUBJECT => self.subject(), + _ => return None, + }; + Some(result) + } +} + +pub struct Key { + cert: Vec<u8>, + class: Vec<u8>, + token: Vec<u8>, + id: Vec<u8>, + private: Vec<u8>, + key_type: Vec<u8>, + modulus: Option<Vec<u8>>, + ec_params: Option<Vec<u8>>, + slot_type: SlotType, + sign: SignFunction, +} + +impl Key { + fn new( + modulus: Option<&[u8]>, + ec_params: Option<&[u8]>, + cert: &[u8], + slot_type: SlotType, + sign: SignFunction, + ) -> Result<Key, Error> { + let id = Sha256::digest(cert).to_vec(); + let key_type = if modulus.is_some() { CKK_RSA } else { CKK_EC }; + Ok(Key { + cert: cert.to_vec(), + class: serialize_uint(CKO_PRIVATE_KEY)?, + token: serialize_uint(CK_TRUE)?, + id, + private: serialize_uint(CK_TRUE)?, + key_type: serialize_uint(key_type)?, + modulus: modulus.map(|b| b.to_vec()), + ec_params: ec_params.map(|b| b.to_vec()), + slot_type, + sign, + }) + } + + fn class(&self) -> &[u8] { + &self.class + } + + fn token(&self) -> &[u8] { + &self.token + } + + pub fn id(&self) -> &[u8] { + &self.id + } + + fn private(&self) -> &[u8] { + &self.private + } + + fn key_type(&self) -> &[u8] { + &self.key_type + } + + fn modulus(&self) -> Option<&[u8]> { + match &self.modulus { + Some(modulus) => Some(modulus.as_slice()), + None => None, + } + } + + fn ec_params(&self) -> Option<&[u8]> { + match &self.ec_params { + Some(ec_params) => Some(ec_params.as_slice()), + None => None, + } + } +} + +impl CryptokiObject for Key { + fn matches(&self, slot_type: SlotType, attrs: &[(CK_ATTRIBUTE_TYPE, Vec<u8>)]) -> bool { + if self.slot_type != slot_type { + return false; + } + for (attr_type, attr_value) in attrs { + let comparison = match *attr_type { + CKA_CLASS => self.class(), + CKA_TOKEN => self.token(), + CKA_ID => self.id(), + CKA_PRIVATE => self.private(), + CKA_KEY_TYPE => self.key_type(), + CKA_MODULUS => { + if let Some(modulus) = self.modulus() { + modulus + } else { + return false; + } + } + CKA_EC_PARAMS => { + if let Some(ec_params) = self.ec_params() { + ec_params + } else { + return false; + } + } + _ => return false, + }; + if attr_value.as_slice() != comparison { + return false; + } + } + true + } + + fn get_attribute(&self, attribute: CK_ATTRIBUTE_TYPE) -> Option<&[u8]> { + match attribute { + CKA_CLASS => Some(self.class()), + CKA_TOKEN => Some(self.token()), + CKA_ID => Some(self.id()), + CKA_PRIVATE => Some(self.private()), + CKA_KEY_TYPE => Some(self.key_type()), + CKA_MODULUS => self.modulus(), + CKA_EC_PARAMS => self.ec_params(), + _ => None, + } + } +} + +impl Sign for Key { + fn get_signature_length( + &mut self, + data: &[u8], + params: &Option<CK_RSA_PKCS_PSS_PARAMS>, + ) -> Result<usize, Error> { + // Unfortunately we don't have a way of getting the length of a signature without creating + // one. + let dummy_signature_bytes = self.sign(data, params)?; + Ok(dummy_signature_bytes.len()) + } + + fn sign( + &mut self, + data: &[u8], + params: &Option<CK_RSA_PKCS_PSS_PARAMS>, + ) -> Result<Vec<u8>, Error> { + let mut signature = Vec::new(); + let (params_len, params) = match params { + Some(params) => ( + std::mem::size_of::<CK_RSA_PKCS_PSS_PARAMS>(), + params as *const _ as *const u8, + ), + None => (0, std::ptr::null()), + }; + (self.sign)( + self.cert.len(), + self.cert.as_ptr(), + data.len(), + data.as_ptr(), + params_len, + params, + Some(sign_callback), + &mut signature as *mut _ as *mut c_void, + ); + if signature.len() > 0 { + Ok(signature) + } else { + Err(error_here!(ErrorType::LibraryFailure)) + } + } +} + +unsafe extern "C" fn sign_callback(data_len: usize, data: *const u8, ctx: *mut c_void) { + let signature: &mut Vec<u8> = std::mem::transmute(ctx); + signature.clear(); + signature.extend_from_slice(std::slice::from_raw_parts(data, data_len)); +} + +unsafe extern "C" fn find_objects_callback( + typ: u8, + data_len: usize, + data: *const u8, + extra_len: usize, + extra: *const u8, + slot_type: u32, + ctx: *mut c_void, +) { + let data = std::slice::from_raw_parts(data, data_len); + let extra = std::slice::from_raw_parts(extra, extra_len); + let slot_type = match slot_type { + 1 => SlotType::Modern, + 2 => SlotType::Legacy, + _ => return, + }; + let find_objects_context: &mut FindObjectsContext = std::mem::transmute(ctx); + match typ { + 1 => match Cert::new(data, slot_type) { + Ok(cert) => find_objects_context.certs.push(cert), + Err(_) => {} + }, + 2 => match Key::new( + Some(data), + None, + extra, + slot_type, + find_objects_context.sign, + ) { + Ok(key) => find_objects_context.keys.push(key), + Err(_) => {} + }, + 3 => match Key::new( + None, + Some(data), + extra, + slot_type, + find_objects_context.sign, + ) { + Ok(key) => find_objects_context.keys.push(key), + Err(_) => {} + }, + _ => {} + } +} + +struct FindObjectsContext { + certs: Vec<Cert>, + keys: Vec<Key>, + sign: SignFunction, +} + +impl FindObjectsContext { + fn new(sign: SignFunction) -> FindObjectsContext { + FindObjectsContext { + certs: Vec::new(), + keys: Vec::new(), + sign, + } + } +} + +pub struct Backend { + find_objects: FindObjectsFunction, + sign: SignFunction, +} + +impl Backend { + pub fn new(find_objects: FindObjectsFunction, sign: SignFunction) -> Backend { + Backend { find_objects, sign } + } +} + +impl ClientCertsBackend for Backend { + type Cert = Cert; + type Key = Key; + + fn find_objects(&self) -> Result<(Vec<Cert>, Vec<Key>), Error> { + let mut find_objects_context = FindObjectsContext::new(self.sign); + (self.find_objects)( + Some(find_objects_callback), + &mut find_objects_context as *mut _ as *mut c_void, + ); + Ok((find_objects_context.certs, find_objects_context.keys)) + } +} diff --git a/security/manager/ssl/ipcclientcerts/src/lib.rs b/security/manager/ssl/ipcclientcerts/src/lib.rs new file mode 100644 index 0000000000..cc2580d9d4 --- /dev/null +++ b/security/manager/ssl/ipcclientcerts/src/lib.rs @@ -0,0 +1,1049 @@ +/* -*- Mode: rust; rust-indent-offset: 4 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#![allow(non_snake_case)] + +extern crate byteorder; +extern crate pkcs11_bindings; +#[macro_use] +extern crate rsclientcerts; +extern crate sha2; + +use pkcs11_bindings::*; +use rsclientcerts::manager::{Manager, SlotType}; +use std::ffi::{c_void, CStr}; +use std::sync::Mutex; + +mod backend; + +use backend::Backend; + +type FindObjectsCallback = Option< + unsafe extern "C" fn( + typ: u8, + data_len: usize, + data: *const u8, + extra_len: usize, + extra: *const u8, + slot_type: u32, + ctx: *mut c_void, + ), +>; + +type FindObjectsFunction = extern "C" fn(callback: FindObjectsCallback, ctx: *mut c_void); + +type SignCallback = + Option<unsafe extern "C" fn(data_len: usize, data: *const u8, ctx: *mut c_void)>; + +type SignFunction = extern "C" fn( + cert_len: usize, + cert: *const u8, + data_len: usize, + data: *const u8, + params_len: usize, + params: *const u8, + callback: SignCallback, + ctx: *mut c_void, +); + +/// The singleton `Manager` that handles state with respect to PKCS #11. Only one thread +/// may use it at a time, but there is no restriction on which threads may use it. +static MANAGER: Mutex<Option<Manager<Backend>>> = Mutex::new(None); + +// Obtaining a handle on the manager is a two-step process. First the mutex must be locked, which +// (if successful), results in a mutex guard object. We must then get a mutable refence to the +// underlying manager (if set - otherwise we return an error). This can't happen all in one macro +// without dropping a reference that needs to live long enough for this to be safe. In +// practice, this looks like: +// let mut manager_guard = try_to_get_manager_guard!(); +// let manager = manager_guard_to_manager!(manager_guard); +macro_rules! try_to_get_manager_guard { + () => { + match MANAGER.lock() { + Ok(maybe_manager) => maybe_manager, + Err(_) => return CKR_DEVICE_ERROR, + } + }; +} + +macro_rules! manager_guard_to_manager { + ($manager_guard:ident) => { + match $manager_guard.as_mut() { + Some(manager) => manager, + None => return CKR_DEVICE_ERROR, + } + }; +} + +/// This gets called to initialize the module. For this implementation, this consists of +/// instantiating the `Manager`. +extern "C" fn C_Initialize(pInitArgs: CK_VOID_PTR) -> CK_RV { + // pInitArgs.pReserved will be a c-string containing the base-16 + // stringification of the addresses of the functions to call to communicate + // with the main process. + if pInitArgs.is_null() { + return CKR_DEVICE_ERROR; + } + let serialized_addresses_ptr = unsafe { (*(pInitArgs as CK_C_INITIALIZE_ARGS_PTR)).pReserved }; + if serialized_addresses_ptr.is_null() { + return CKR_DEVICE_ERROR; + } + let serialized_addresses_cstr = + unsafe { CStr::from_ptr(serialized_addresses_ptr as *mut std::os::raw::c_char) }; + let serialized_addresses = match serialized_addresses_cstr.to_str() { + Ok(serialized_addresses) => serialized_addresses, + Err(_) => return CKR_DEVICE_ERROR, + }; + let function_addresses: Vec<usize> = serialized_addresses + .split(',') + .filter_map(|serialized_address| usize::from_str_radix(serialized_address, 16).ok()) + .collect(); + if function_addresses.len() != 2 { + return CKR_DEVICE_ERROR; + } + let find_objects: FindObjectsFunction = unsafe { std::mem::transmute(function_addresses[0]) }; + let sign: SignFunction = unsafe { std::mem::transmute(function_addresses[1]) }; + let mut manager_guard = try_to_get_manager_guard!(); + let _unexpected_previous_manager = + manager_guard.replace(Manager::new(Backend::new(find_objects, sign))); + CKR_OK +} + +extern "C" fn C_Finalize(_pReserved: CK_VOID_PTR) -> CK_RV { + // Drop the manager. When C_Finalize is called, there should be only one + // reference to this module (which is going away), so there shouldn't be + // any concurrency issues. + let mut manager_guard = try_to_get_manager_guard!(); + match manager_guard.take() { + Some(_) => CKR_OK, + None => CKR_CRYPTOKI_NOT_INITIALIZED, + } +} + +// The specification mandates that these strings be padded with spaces to the appropriate length. +// Since the length of fixed-size arrays in rust is part of the type, the compiler enforces that +// these byte strings are of the correct length. +const MANUFACTURER_ID_BYTES: &[u8; 32] = b"Mozilla Corporation "; +const LIBRARY_DESCRIPTION_BYTES: &[u8; 32] = b"IPC Client Cert Module "; + +/// This gets called to gather some information about the module. In particular, this implementation +/// supports (portions of) cryptoki (PKCS #11) version 2.2. +extern "C" fn C_GetInfo(pInfo: CK_INFO_PTR) -> CK_RV { + if pInfo.is_null() { + return CKR_ARGUMENTS_BAD; + } + let mut info = CK_INFO::default(); + info.cryptokiVersion.major = 2; + info.cryptokiVersion.minor = 2; + info.manufacturerID = *MANUFACTURER_ID_BYTES; + info.libraryDescription = *LIBRARY_DESCRIPTION_BYTES; + unsafe { + *pInfo = info; + } + CKR_OK +} + +/// This module has two slots. +const SLOT_COUNT: CK_ULONG = 2; +/// The slot with ID 1 supports modern mechanisms like RSA-PSS. +const SLOT_ID_MODERN: CK_SLOT_ID = 1; +/// The slot with ID 2 only supports legacy mechanisms. +const SLOT_ID_LEGACY: CK_SLOT_ID = 2; + +/// This gets called twice: once with a null `pSlotList` to get the number of slots (returned via +/// `pulCount`) and a second time to get the ID for each slot. +extern "C" fn C_GetSlotList( + _tokenPresent: CK_BBOOL, + pSlotList: CK_SLOT_ID_PTR, + pulCount: CK_ULONG_PTR, +) -> CK_RV { + if pulCount.is_null() { + return CKR_ARGUMENTS_BAD; + } + if !pSlotList.is_null() { + if unsafe { *pulCount } < SLOT_COUNT { + return CKR_BUFFER_TOO_SMALL; + } + unsafe { + *pSlotList = SLOT_ID_MODERN; + *pSlotList.offset(1) = SLOT_ID_LEGACY; + } + }; + unsafe { + *pulCount = SLOT_COUNT; + } + CKR_OK +} + +const SLOT_DESCRIPTION_MODERN_BYTES: &[u8; 64] = + b"IPC Client Cert Slot (Modern) "; +const SLOT_DESCRIPTION_LEGACY_BYTES: &[u8; 64] = + b"IPC Client Cert Slot (Legacy) "; + +/// This gets called to obtain information about slots. In this implementation, the tokens are +/// always present in the slots. +extern "C" fn C_GetSlotInfo(slotID: CK_SLOT_ID, pInfo: CK_SLOT_INFO_PTR) -> CK_RV { + if (slotID != SLOT_ID_MODERN && slotID != SLOT_ID_LEGACY) || pInfo.is_null() { + return CKR_ARGUMENTS_BAD; + } + let description = if slotID == SLOT_ID_MODERN { + SLOT_DESCRIPTION_MODERN_BYTES + } else { + SLOT_DESCRIPTION_LEGACY_BYTES + }; + let slot_info = CK_SLOT_INFO { + slotDescription: *description, + manufacturerID: *MANUFACTURER_ID_BYTES, + flags: CKF_TOKEN_PRESENT, + hardwareVersion: CK_VERSION::default(), + firmwareVersion: CK_VERSION::default(), + }; + unsafe { + *pInfo = slot_info; + } + CKR_OK +} + +const TOKEN_LABEL_MODERN_BYTES: &[u8; 32] = b"IPC Client Cert Token (Modern) "; +const TOKEN_LABEL_LEGACY_BYTES: &[u8; 32] = b"IPC Client Cert Token (Legacy) "; +const TOKEN_MODEL_BYTES: &[u8; 16] = b"ipcclientcerts "; +const TOKEN_SERIAL_NUMBER_BYTES: &[u8; 16] = b"0000000000000000"; + +/// This gets called to obtain some information about tokens. This implementation has two slots, +/// so it has two tokens. This information is primarily for display purposes. +extern "C" fn C_GetTokenInfo(slotID: CK_SLOT_ID, pInfo: CK_TOKEN_INFO_PTR) -> CK_RV { + if (slotID != SLOT_ID_MODERN && slotID != SLOT_ID_LEGACY) || pInfo.is_null() { + return CKR_ARGUMENTS_BAD; + } + let mut token_info = CK_TOKEN_INFO::default(); + let label = if slotID == SLOT_ID_MODERN { + TOKEN_LABEL_MODERN_BYTES + } else { + TOKEN_LABEL_LEGACY_BYTES + }; + token_info.label = *label; + token_info.manufacturerID = *MANUFACTURER_ID_BYTES; + token_info.model = *TOKEN_MODEL_BYTES; + token_info.serialNumber = *TOKEN_SERIAL_NUMBER_BYTES; + unsafe { + *pInfo = token_info; + } + CKR_OK +} + +/// This gets called to determine what mechanisms a slot supports. The modern slot supports ECDSA, +/// RSA PKCS, and RSA PSS. The legacy slot only supports RSA PKCS. +extern "C" fn C_GetMechanismList( + slotID: CK_SLOT_ID, + pMechanismList: CK_MECHANISM_TYPE_PTR, + pulCount: CK_ULONG_PTR, +) -> CK_RV { + if (slotID != SLOT_ID_MODERN && slotID != SLOT_ID_LEGACY) || pulCount.is_null() { + return CKR_ARGUMENTS_BAD; + } + let mechanisms = if slotID == SLOT_ID_MODERN { + vec![CKM_ECDSA, CKM_RSA_PKCS, CKM_RSA_PKCS_PSS] + } else { + vec![CKM_RSA_PKCS] + }; + if !pMechanismList.is_null() { + if unsafe { *pulCount as usize } < mechanisms.len() { + return CKR_ARGUMENTS_BAD; + } + for i in 0..mechanisms.len() { + unsafe { + *pMechanismList.offset(i as isize) = mechanisms[i]; + } + } + } + unsafe { + *pulCount = mechanisms.len() as CK_ULONG; + } + CKR_OK +} + +extern "C" fn C_GetMechanismInfo( + _slotID: CK_SLOT_ID, + _type: CK_MECHANISM_TYPE, + _pInfo: CK_MECHANISM_INFO_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_InitToken( + _slotID: CK_SLOT_ID, + _pPin: CK_UTF8CHAR_PTR, + _ulPinLen: CK_ULONG, + _pLabel: CK_UTF8CHAR_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_InitPIN( + _hSession: CK_SESSION_HANDLE, + _pPin: CK_UTF8CHAR_PTR, + _ulPinLen: CK_ULONG, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_SetPIN( + _hSession: CK_SESSION_HANDLE, + _pOldPin: CK_UTF8CHAR_PTR, + _ulOldLen: CK_ULONG, + _pNewPin: CK_UTF8CHAR_PTR, + _ulNewLen: CK_ULONG, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +/// This gets called to create a new session. This module defers to the `ManagerProxy` to implement +/// this. +extern "C" fn C_OpenSession( + slotID: CK_SLOT_ID, + _flags: CK_FLAGS, + _pApplication: CK_VOID_PTR, + _Notify: CK_NOTIFY, + phSession: CK_SESSION_HANDLE_PTR, +) -> CK_RV { + if (slotID != SLOT_ID_MODERN && slotID != SLOT_ID_LEGACY) || phSession.is_null() { + return CKR_ARGUMENTS_BAD; + } + let mut manager_guard = try_to_get_manager_guard!(); + let manager = manager_guard_to_manager!(manager_guard); + let slot_type = if slotID == SLOT_ID_MODERN { + SlotType::Modern + } else { + SlotType::Legacy + }; + let session_handle = match manager.open_session(slot_type) { + Ok(session_handle) => session_handle, + Err(_) => return CKR_DEVICE_ERROR, + }; + unsafe { + *phSession = session_handle; + } + CKR_OK +} + +/// This gets called to close a session. This is handled by the `ManagerProxy`. +extern "C" fn C_CloseSession(hSession: CK_SESSION_HANDLE) -> CK_RV { + let mut manager_guard = try_to_get_manager_guard!(); + let manager = manager_guard_to_manager!(manager_guard); + if manager.close_session(hSession).is_err() { + return CKR_SESSION_HANDLE_INVALID; + } + CKR_OK +} + +/// This gets called to close all open sessions at once. This is handled by the `ManagerProxy`. +extern "C" fn C_CloseAllSessions(slotID: CK_SLOT_ID) -> CK_RV { + if slotID != SLOT_ID_MODERN && slotID != SLOT_ID_LEGACY { + return CKR_ARGUMENTS_BAD; + } + let mut manager_guard = try_to_get_manager_guard!(); + let manager = manager_guard_to_manager!(manager_guard); + let slot_type = if slotID == SLOT_ID_MODERN { + SlotType::Modern + } else { + SlotType::Legacy + }; + match manager.close_all_sessions(slot_type) { + Ok(()) => CKR_OK, + Err(_) => CKR_DEVICE_ERROR, + } +} + +extern "C" fn C_GetSessionInfo(_hSession: CK_SESSION_HANDLE, _pInfo: CK_SESSION_INFO_PTR) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_GetOperationState( + _hSession: CK_SESSION_HANDLE, + _pOperationState: CK_BYTE_PTR, + _pulOperationStateLen: CK_ULONG_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_SetOperationState( + _hSession: CK_SESSION_HANDLE, + _pOperationState: CK_BYTE_PTR, + _ulOperationStateLen: CK_ULONG, + _hEncryptionKey: CK_OBJECT_HANDLE, + _hAuthenticationKey: CK_OBJECT_HANDLE, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_Login( + _hSession: CK_SESSION_HANDLE, + _userType: CK_USER_TYPE, + _pPin: CK_UTF8CHAR_PTR, + _ulPinLen: CK_ULONG, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +/// This gets called to log out and drop any authenticated resources. Because this module does not +/// hold on to authenticated resources, this module "implements" this by doing nothing and +/// returning a success result. +extern "C" fn C_Logout(_hSession: CK_SESSION_HANDLE) -> CK_RV { + CKR_OK +} + +extern "C" fn C_CreateObject( + _hSession: CK_SESSION_HANDLE, + _pTemplate: CK_ATTRIBUTE_PTR, + _ulCount: CK_ULONG, + _phObject: CK_OBJECT_HANDLE_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_CopyObject( + _hSession: CK_SESSION_HANDLE, + _hObject: CK_OBJECT_HANDLE, + _pTemplate: CK_ATTRIBUTE_PTR, + _ulCount: CK_ULONG, + _phNewObject: CK_OBJECT_HANDLE_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_DestroyObject(_hSession: CK_SESSION_HANDLE, _hObject: CK_OBJECT_HANDLE) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_GetObjectSize( + _hSession: CK_SESSION_HANDLE, + _hObject: CK_OBJECT_HANDLE, + _pulSize: CK_ULONG_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +/// This gets called to obtain the values of a number of attributes of an object identified by the +/// given handle. This module implements this by requesting that the `ManagerProxy` find the object +/// and attempt to get the value of each attribute. If a specified attribute is not defined on the +/// object, the length of that attribute is set to -1 to indicate that it is not available. +/// This gets called twice: once to obtain the lengths of the attributes and again to get the +/// values. +extern "C" fn C_GetAttributeValue( + _hSession: CK_SESSION_HANDLE, + hObject: CK_OBJECT_HANDLE, + pTemplate: CK_ATTRIBUTE_PTR, + ulCount: CK_ULONG, +) -> CK_RV { + if pTemplate.is_null() { + return CKR_ARGUMENTS_BAD; + } + let mut attr_types = Vec::with_capacity(ulCount as usize); + for i in 0..ulCount { + let attr = unsafe { &*pTemplate.offset(i as isize) }; + attr_types.push(attr.type_); + } + let mut manager_guard = try_to_get_manager_guard!(); + let manager = manager_guard_to_manager!(manager_guard); + let values = match manager.get_attributes(hObject, attr_types) { + Ok(values) => values, + Err(_) => return CKR_ARGUMENTS_BAD, + }; + if values.len() != ulCount as usize { + return CKR_DEVICE_ERROR; + } + for i in 0..ulCount as usize { + let attr = unsafe { &mut *pTemplate.offset(i as isize) }; + // NB: the safety of this array access depends on the length check above + if let Some(attr_value) = &values[i] { + if attr.pValue.is_null() { + attr.ulValueLen = attr_value.len() as CK_ULONG; + } else { + let ptr: *mut u8 = attr.pValue as *mut u8; + if attr_value.len() != attr.ulValueLen as usize { + return CKR_ARGUMENTS_BAD; + } + unsafe { + std::ptr::copy_nonoverlapping(attr_value.as_ptr(), ptr, attr_value.len()); + } + } + } else { + attr.ulValueLen = (0 - 1) as CK_ULONG; + } + } + CKR_OK +} + +extern "C" fn C_SetAttributeValue( + _hSession: CK_SESSION_HANDLE, + _hObject: CK_OBJECT_HANDLE, + _pTemplate: CK_ATTRIBUTE_PTR, + _ulCount: CK_ULONG, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +/// This gets called to initialize a search for objects matching a given list of attributes. This +/// module implements this by gathering the attributes and passing them to the `ManagerProxy` to +/// start the search. +extern "C" fn C_FindObjectsInit( + hSession: CK_SESSION_HANDLE, + pTemplate: CK_ATTRIBUTE_PTR, + ulCount: CK_ULONG, +) -> CK_RV { + if pTemplate.is_null() { + return CKR_ARGUMENTS_BAD; + } + let mut attrs = Vec::new(); + for i in 0..ulCount { + let attr = unsafe { &*pTemplate.offset(i as isize) }; + let slice = unsafe { + std::slice::from_raw_parts(attr.pValue as *const u8, attr.ulValueLen as usize) + }; + attrs.push((attr.type_, slice.to_owned())); + } + let mut manager_guard = try_to_get_manager_guard!(); + let manager = manager_guard_to_manager!(manager_guard); + match manager.start_search(hSession, attrs) { + Ok(()) => {} + Err(_) => return CKR_ARGUMENTS_BAD, + } + CKR_OK +} + +/// This gets called after `C_FindObjectsInit` to get the results of a search. This module +/// implements this by looking up the search in the `ManagerProxy` and copying out the matching +/// object handles. +extern "C" fn C_FindObjects( + hSession: CK_SESSION_HANDLE, + phObject: CK_OBJECT_HANDLE_PTR, + ulMaxObjectCount: CK_ULONG, + pulObjectCount: CK_ULONG_PTR, +) -> CK_RV { + if phObject.is_null() || pulObjectCount.is_null() || ulMaxObjectCount == 0 { + return CKR_ARGUMENTS_BAD; + } + let mut manager_guard = try_to_get_manager_guard!(); + let manager = manager_guard_to_manager!(manager_guard); + let handles = match manager.search(hSession, ulMaxObjectCount as usize) { + Ok(handles) => handles, + Err(_) => return CKR_ARGUMENTS_BAD, + }; + if handles.len() > ulMaxObjectCount as usize { + return CKR_DEVICE_ERROR; + } + unsafe { + *pulObjectCount = handles.len() as CK_ULONG; + } + for (index, handle) in handles.iter().enumerate() { + if index < ulMaxObjectCount as usize { + unsafe { + *(phObject.add(index)) = *handle; + } + } + } + CKR_OK +} + +/// This gets called after `C_FindObjectsInit` and `C_FindObjects` to finish a search. The module +/// tells the `ManagerProxy` to clear the search. +extern "C" fn C_FindObjectsFinal(hSession: CK_SESSION_HANDLE) -> CK_RV { + let mut manager_guard = try_to_get_manager_guard!(); + let manager = manager_guard_to_manager!(manager_guard); + // It would be an error if there were no search for this session, but we can be permissive here. + match manager.clear_search(hSession) { + Ok(()) => CKR_OK, + Err(_) => CKR_DEVICE_ERROR, + } +} + +extern "C" fn C_EncryptInit( + _hSession: CK_SESSION_HANDLE, + _pMechanism: CK_MECHANISM_PTR, + _hKey: CK_OBJECT_HANDLE, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_Encrypt( + _hSession: CK_SESSION_HANDLE, + _pData: CK_BYTE_PTR, + _ulDataLen: CK_ULONG, + _pEncryptedData: CK_BYTE_PTR, + _pulEncryptedDataLen: CK_ULONG_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_EncryptUpdate( + _hSession: CK_SESSION_HANDLE, + _pPart: CK_BYTE_PTR, + _ulPartLen: CK_ULONG, + _pEncryptedPart: CK_BYTE_PTR, + _pulEncryptedPartLen: CK_ULONG_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_EncryptFinal( + _hSession: CK_SESSION_HANDLE, + _pLastEncryptedPart: CK_BYTE_PTR, + _pulLastEncryptedPartLen: CK_ULONG_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_DecryptInit( + _hSession: CK_SESSION_HANDLE, + _pMechanism: CK_MECHANISM_PTR, + _hKey: CK_OBJECT_HANDLE, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_Decrypt( + _hSession: CK_SESSION_HANDLE, + _pEncryptedData: CK_BYTE_PTR, + _ulEncryptedDataLen: CK_ULONG, + _pData: CK_BYTE_PTR, + _pulDataLen: CK_ULONG_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_DecryptUpdate( + _hSession: CK_SESSION_HANDLE, + _pEncryptedPart: CK_BYTE_PTR, + _ulEncryptedPartLen: CK_ULONG, + _pPart: CK_BYTE_PTR, + _pulPartLen: CK_ULONG_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_DecryptFinal( + _hSession: CK_SESSION_HANDLE, + _pLastPart: CK_BYTE_PTR, + _pulLastPartLen: CK_ULONG_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_DigestInit(_hSession: CK_SESSION_HANDLE, _pMechanism: CK_MECHANISM_PTR) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_Digest( + _hSession: CK_SESSION_HANDLE, + _pData: CK_BYTE_PTR, + _ulDataLen: CK_ULONG, + _pDigest: CK_BYTE_PTR, + _pulDigestLen: CK_ULONG_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_DigestUpdate( + _hSession: CK_SESSION_HANDLE, + _pPart: CK_BYTE_PTR, + _ulPartLen: CK_ULONG, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_DigestKey(_hSession: CK_SESSION_HANDLE, _hKey: CK_OBJECT_HANDLE) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_DigestFinal( + _hSession: CK_SESSION_HANDLE, + _pDigest: CK_BYTE_PTR, + _pulDigestLen: CK_ULONG_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +/// This gets called to set up a sign operation. The module essentially defers to the +/// `ManagerProxy`. +extern "C" fn C_SignInit( + hSession: CK_SESSION_HANDLE, + pMechanism: CK_MECHANISM_PTR, + hKey: CK_OBJECT_HANDLE, +) -> CK_RV { + if pMechanism.is_null() { + return CKR_ARGUMENTS_BAD; + } + // Presumably we should validate the mechanism against hKey, but the specification doesn't + // actually seem to require this. + let mechanism = unsafe { *pMechanism }; + let mechanism_params = if mechanism.mechanism == CKM_RSA_PKCS_PSS { + if mechanism.ulParameterLen as usize != std::mem::size_of::<CK_RSA_PKCS_PSS_PARAMS>() { + return CKR_ARGUMENTS_BAD; + } + Some(unsafe { *(mechanism.pParameter as *const CK_RSA_PKCS_PSS_PARAMS) }) + } else { + None + }; + let mut manager_guard = try_to_get_manager_guard!(); + let manager = manager_guard_to_manager!(manager_guard); + match manager.start_sign(hSession, hKey, mechanism_params) { + Ok(()) => {} + Err(_) => return CKR_GENERAL_ERROR, + }; + CKR_OK +} + +/// NSS calls this after `C_SignInit` (there are more ways in the PKCS #11 specification to sign +/// data, but this is the only way supported by this module). The module essentially defers to the +/// `ManagerProxy` and copies out the resulting signature. +extern "C" fn C_Sign( + hSession: CK_SESSION_HANDLE, + pData: CK_BYTE_PTR, + ulDataLen: CK_ULONG, + pSignature: CK_BYTE_PTR, + pulSignatureLen: CK_ULONG_PTR, +) -> CK_RV { + if pData.is_null() || pulSignatureLen.is_null() { + return CKR_ARGUMENTS_BAD; + } + let data = unsafe { std::slice::from_raw_parts(pData, ulDataLen as usize) }; + if pSignature.is_null() { + let mut manager_guard = try_to_get_manager_guard!(); + let manager = manager_guard_to_manager!(manager_guard); + match manager.get_signature_length(hSession, data.to_vec()) { + Ok(signature_length) => unsafe { + *pulSignatureLen = signature_length as CK_ULONG; + }, + Err(_) => return CKR_GENERAL_ERROR, + } + } else { + let mut manager_guard = try_to_get_manager_guard!(); + let manager = manager_guard_to_manager!(manager_guard); + match manager.sign(hSession, data.to_vec()) { + Ok(signature) => { + let signature_capacity = unsafe { *pulSignatureLen } as usize; + if signature_capacity < signature.len() { + return CKR_ARGUMENTS_BAD; + } + let ptr: *mut u8 = pSignature as *mut u8; + unsafe { + std::ptr::copy_nonoverlapping(signature.as_ptr(), ptr, signature.len()); + *pulSignatureLen = signature.len() as CK_ULONG; + } + } + Err(_) => return CKR_GENERAL_ERROR, + } + } + CKR_OK +} + +extern "C" fn C_SignUpdate( + _hSession: CK_SESSION_HANDLE, + _pPart: CK_BYTE_PTR, + _ulPartLen: CK_ULONG, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_SignFinal( + _hSession: CK_SESSION_HANDLE, + _pSignature: CK_BYTE_PTR, + _pulSignatureLen: CK_ULONG_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_SignRecoverInit( + _hSession: CK_SESSION_HANDLE, + _pMechanism: CK_MECHANISM_PTR, + _hKey: CK_OBJECT_HANDLE, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_SignRecover( + _hSession: CK_SESSION_HANDLE, + _pData: CK_BYTE_PTR, + _ulDataLen: CK_ULONG, + _pSignature: CK_BYTE_PTR, + _pulSignatureLen: CK_ULONG_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_VerifyInit( + _hSession: CK_SESSION_HANDLE, + _pMechanism: CK_MECHANISM_PTR, + _hKey: CK_OBJECT_HANDLE, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_Verify( + _hSession: CK_SESSION_HANDLE, + _pData: CK_BYTE_PTR, + _ulDataLen: CK_ULONG, + _pSignature: CK_BYTE_PTR, + _ulSignatureLen: CK_ULONG, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_VerifyUpdate( + _hSession: CK_SESSION_HANDLE, + _pPart: CK_BYTE_PTR, + _ulPartLen: CK_ULONG, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_VerifyFinal( + _hSession: CK_SESSION_HANDLE, + _pSignature: CK_BYTE_PTR, + _ulSignatureLen: CK_ULONG, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_VerifyRecoverInit( + _hSession: CK_SESSION_HANDLE, + _pMechanism: CK_MECHANISM_PTR, + _hKey: CK_OBJECT_HANDLE, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_VerifyRecover( + _hSession: CK_SESSION_HANDLE, + _pSignature: CK_BYTE_PTR, + _ulSignatureLen: CK_ULONG, + _pData: CK_BYTE_PTR, + _pulDataLen: CK_ULONG_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_DigestEncryptUpdate( + _hSession: CK_SESSION_HANDLE, + _pPart: CK_BYTE_PTR, + _ulPartLen: CK_ULONG, + _pEncryptedPart: CK_BYTE_PTR, + _pulEncryptedPartLen: CK_ULONG_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_DecryptDigestUpdate( + _hSession: CK_SESSION_HANDLE, + _pEncryptedPart: CK_BYTE_PTR, + _ulEncryptedPartLen: CK_ULONG, + _pPart: CK_BYTE_PTR, + _pulPartLen: CK_ULONG_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_SignEncryptUpdate( + _hSession: CK_SESSION_HANDLE, + _pPart: CK_BYTE_PTR, + _ulPartLen: CK_ULONG, + _pEncryptedPart: CK_BYTE_PTR, + _pulEncryptedPartLen: CK_ULONG_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_DecryptVerifyUpdate( + _hSession: CK_SESSION_HANDLE, + _pEncryptedPart: CK_BYTE_PTR, + _ulEncryptedPartLen: CK_ULONG, + _pPart: CK_BYTE_PTR, + _pulPartLen: CK_ULONG_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_GenerateKey( + _hSession: CK_SESSION_HANDLE, + _pMechanism: CK_MECHANISM_PTR, + _pTemplate: CK_ATTRIBUTE_PTR, + _ulCount: CK_ULONG, + _phKey: CK_OBJECT_HANDLE_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_GenerateKeyPair( + _hSession: CK_SESSION_HANDLE, + _pMechanism: CK_MECHANISM_PTR, + _pPublicKeyTemplate: CK_ATTRIBUTE_PTR, + _ulPublicKeyAttributeCount: CK_ULONG, + _pPrivateKeyTemplate: CK_ATTRIBUTE_PTR, + _ulPrivateKeyAttributeCount: CK_ULONG, + _phPublicKey: CK_OBJECT_HANDLE_PTR, + _phPrivateKey: CK_OBJECT_HANDLE_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_WrapKey( + _hSession: CK_SESSION_HANDLE, + _pMechanism: CK_MECHANISM_PTR, + _hWrappingKey: CK_OBJECT_HANDLE, + _hKey: CK_OBJECT_HANDLE, + _pWrappedKey: CK_BYTE_PTR, + _pulWrappedKeyLen: CK_ULONG_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_UnwrapKey( + _hSession: CK_SESSION_HANDLE, + _pMechanism: CK_MECHANISM_PTR, + _hUnwrappingKey: CK_OBJECT_HANDLE, + _pWrappedKey: CK_BYTE_PTR, + _ulWrappedKeyLen: CK_ULONG, + _pTemplate: CK_ATTRIBUTE_PTR, + _ulAttributeCount: CK_ULONG, + _phKey: CK_OBJECT_HANDLE_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_DeriveKey( + _hSession: CK_SESSION_HANDLE, + _pMechanism: CK_MECHANISM_PTR, + _hBaseKey: CK_OBJECT_HANDLE, + _pTemplate: CK_ATTRIBUTE_PTR, + _ulAttributeCount: CK_ULONG, + _phKey: CK_OBJECT_HANDLE_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_SeedRandom( + _hSession: CK_SESSION_HANDLE, + _pSeed: CK_BYTE_PTR, + _ulSeedLen: CK_ULONG, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_GenerateRandom( + _hSession: CK_SESSION_HANDLE, + _RandomData: CK_BYTE_PTR, + _ulRandomLen: CK_ULONG, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_GetFunctionStatus(_hSession: CK_SESSION_HANDLE) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_CancelFunction(_hSession: CK_SESSION_HANDLE) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_WaitForSlotEvent( + _flags: CK_FLAGS, + _pSlot: CK_SLOT_ID_PTR, + _pRserved: CK_VOID_PTR, +) -> CK_RV { + CKR_FUNCTION_NOT_SUPPORTED +} + +/// To be a valid PKCS #11 module, this list of functions must be supported. At least cryptoki 2.2 +/// must be supported for this module to work in NSS. +static FUNCTION_LIST: CK_FUNCTION_LIST = CK_FUNCTION_LIST { + version: CK_VERSION { major: 2, minor: 2 }, + C_Initialize: Some(C_Initialize), + C_Finalize: Some(C_Finalize), + C_GetInfo: Some(C_GetInfo), + C_GetFunctionList: None, + C_GetSlotList: Some(C_GetSlotList), + C_GetSlotInfo: Some(C_GetSlotInfo), + C_GetTokenInfo: Some(C_GetTokenInfo), + C_GetMechanismList: Some(C_GetMechanismList), + C_GetMechanismInfo: Some(C_GetMechanismInfo), + C_InitToken: Some(C_InitToken), + C_InitPIN: Some(C_InitPIN), + C_SetPIN: Some(C_SetPIN), + C_OpenSession: Some(C_OpenSession), + C_CloseSession: Some(C_CloseSession), + C_CloseAllSessions: Some(C_CloseAllSessions), + C_GetSessionInfo: Some(C_GetSessionInfo), + C_GetOperationState: Some(C_GetOperationState), + C_SetOperationState: Some(C_SetOperationState), + C_Login: Some(C_Login), + C_Logout: Some(C_Logout), + C_CreateObject: Some(C_CreateObject), + C_CopyObject: Some(C_CopyObject), + C_DestroyObject: Some(C_DestroyObject), + C_GetObjectSize: Some(C_GetObjectSize), + C_GetAttributeValue: Some(C_GetAttributeValue), + C_SetAttributeValue: Some(C_SetAttributeValue), + C_FindObjectsInit: Some(C_FindObjectsInit), + C_FindObjects: Some(C_FindObjects), + C_FindObjectsFinal: Some(C_FindObjectsFinal), + C_EncryptInit: Some(C_EncryptInit), + C_Encrypt: Some(C_Encrypt), + C_EncryptUpdate: Some(C_EncryptUpdate), + C_EncryptFinal: Some(C_EncryptFinal), + C_DecryptInit: Some(C_DecryptInit), + C_Decrypt: Some(C_Decrypt), + C_DecryptUpdate: Some(C_DecryptUpdate), + C_DecryptFinal: Some(C_DecryptFinal), + C_DigestInit: Some(C_DigestInit), + C_Digest: Some(C_Digest), + C_DigestUpdate: Some(C_DigestUpdate), + C_DigestKey: Some(C_DigestKey), + C_DigestFinal: Some(C_DigestFinal), + C_SignInit: Some(C_SignInit), + C_Sign: Some(C_Sign), + C_SignUpdate: Some(C_SignUpdate), + C_SignFinal: Some(C_SignFinal), + C_SignRecoverInit: Some(C_SignRecoverInit), + C_SignRecover: Some(C_SignRecover), + C_VerifyInit: Some(C_VerifyInit), + C_Verify: Some(C_Verify), + C_VerifyUpdate: Some(C_VerifyUpdate), + C_VerifyFinal: Some(C_VerifyFinal), + C_VerifyRecoverInit: Some(C_VerifyRecoverInit), + C_VerifyRecover: Some(C_VerifyRecover), + C_DigestEncryptUpdate: Some(C_DigestEncryptUpdate), + C_DecryptDigestUpdate: Some(C_DecryptDigestUpdate), + C_SignEncryptUpdate: Some(C_SignEncryptUpdate), + C_DecryptVerifyUpdate: Some(C_DecryptVerifyUpdate), + C_GenerateKey: Some(C_GenerateKey), + C_GenerateKeyPair: Some(C_GenerateKeyPair), + C_WrapKey: Some(C_WrapKey), + C_UnwrapKey: Some(C_UnwrapKey), + C_DeriveKey: Some(C_DeriveKey), + C_SeedRandom: Some(C_SeedRandom), + C_GenerateRandom: Some(C_GenerateRandom), + C_GetFunctionStatus: Some(C_GetFunctionStatus), + C_CancelFunction: Some(C_CancelFunction), + C_WaitForSlotEvent: Some(C_WaitForSlotEvent), +}; + +/// This is the only function this module exposes. The C stub calls it when NSS +/// calls its exposed C_GetFunctionList function to obtain the list of functions +/// comprising this module. +#[no_mangle] +pub extern "C" fn IPCCC_GetFunctionList(ppFunctionList: CK_FUNCTION_LIST_PTR_PTR) -> CK_RV { + if ppFunctionList.is_null() { + return CKR_ARGUMENTS_BAD; + } + unsafe { + // CK_FUNCTION_LIST_PTR is a *mut CK_FUNCTION_LIST, but as per the + // specification, the caller must treat it as *const CK_FUNCTION_LIST. + *ppFunctionList = std::ptr::addr_of!(FUNCTION_LIST) as CK_FUNCTION_LIST_PTR; + } + CKR_OK +} + +#[cfg_attr(target_os = "macos", link(name = "Security", kind = "framework"))] +extern "C" {} diff --git a/security/manager/ssl/md4.c b/security/manager/ssl/md4.c new file mode 100644 index 0000000000..ed2369f1fa --- /dev/null +++ b/security/manager/ssl/md4.c @@ -0,0 +1,179 @@ +/* vim:set ts=2 sw=2 et cindent: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +/* + * "clean room" MD4 implementation (see RFC 1320) + */ + +#include <string.h> +#include "md4.h" + +/* the "conditional" function */ +#define F(x, y, z) (((x) & (y)) | (~(x) & (z))) + +/* the "majority" function */ +#define G(x, y, z) (((x) & (y)) | ((x) & (z)) | ((y) & (z))) + +/* the "parity" function */ +#define H(x, y, z) ((x) ^ (y) ^ (z)) + +/* rotate n-bits to the left */ +#define ROTL(x, n) (((x) << (n)) | ((x) >> (0x20 - n))) + +/* round 1: [abcd k s]: a = (a + F(b,c,d) + X[k]) <<< s */ +#define RD1(a, b, c, d, k, s) \ + a += F(b, c, d) + X[k]; \ + a = ROTL(a, s) + +/* round 2: [abcd k s]: a = (a + G(b,c,d) + X[k] + MAGIC) <<< s */ +#define RD2(a, b, c, d, k, s) \ + a += G(b, c, d) + X[k] + 0x5A827999; \ + a = ROTL(a, s) + +/* round 3: [abcd k s]: a = (a + H(b,c,d) + X[k] + MAGIC) <<< s */ +#define RD3(a, b, c, d, k, s) \ + a += H(b, c, d) + X[k] + 0x6ED9EBA1; \ + a = ROTL(a, s) + +/* converts from word array to byte array, len is number of bytes */ +static void w2b(uint8_t* out, const uint32_t* in, uint32_t len) { + uint8_t* bp; + const uint32_t *wp, *wpend; + + bp = out; + wp = in; + wpend = wp + (len >> 2); + + for (; wp != wpend; ++wp, bp += 4) { + bp[0] = (uint8_t)((*wp) & 0xFF); + bp[1] = (uint8_t)((*wp >> 8) & 0xFF); + bp[2] = (uint8_t)((*wp >> 16) & 0xFF); + bp[3] = (uint8_t)((*wp >> 24) & 0xFF); + } +} + +/* converts from byte array to word array, len is number of bytes */ +static void b2w(uint32_t* out, const uint8_t* in, uint32_t len) { + uint32_t* wp; + const uint8_t *bp, *bpend; + + wp = out; + bp = in; + bpend = in + len; + + for (; bp != bpend; bp += 4, ++wp) { + *wp = (uint32_t)bp[0] | ((uint32_t)bp[1] << 8) | ((uint32_t)bp[2] << 16) | + ((uint32_t)bp[3] << 24); + } +} + +/* update state: data is 64 bytes in length */ +static void md4step(uint32_t state[4], const uint8_t* data) { + uint32_t A, B, C, D, X[16]; + + b2w(X, data, 64); + + A = state[0]; + B = state[1]; + C = state[2]; + D = state[3]; + + RD1(A, B, C, D, 0, 3); + RD1(D, A, B, C, 1, 7); + RD1(C, D, A, B, 2, 11); + RD1(B, C, D, A, 3, 19); + RD1(A, B, C, D, 4, 3); + RD1(D, A, B, C, 5, 7); + RD1(C, D, A, B, 6, 11); + RD1(B, C, D, A, 7, 19); + RD1(A, B, C, D, 8, 3); + RD1(D, A, B, C, 9, 7); + RD1(C, D, A, B, 10, 11); + RD1(B, C, D, A, 11, 19); + RD1(A, B, C, D, 12, 3); + RD1(D, A, B, C, 13, 7); + RD1(C, D, A, B, 14, 11); + RD1(B, C, D, A, 15, 19); + + RD2(A, B, C, D, 0, 3); + RD2(D, A, B, C, 4, 5); + RD2(C, D, A, B, 8, 9); + RD2(B, C, D, A, 12, 13); + RD2(A, B, C, D, 1, 3); + RD2(D, A, B, C, 5, 5); + RD2(C, D, A, B, 9, 9); + RD2(B, C, D, A, 13, 13); + RD2(A, B, C, D, 2, 3); + RD2(D, A, B, C, 6, 5); + RD2(C, D, A, B, 10, 9); + RD2(B, C, D, A, 14, 13); + RD2(A, B, C, D, 3, 3); + RD2(D, A, B, C, 7, 5); + RD2(C, D, A, B, 11, 9); + RD2(B, C, D, A, 15, 13); + + RD3(A, B, C, D, 0, 3); + RD3(D, A, B, C, 8, 9); + RD3(C, D, A, B, 4, 11); + RD3(B, C, D, A, 12, 15); + RD3(A, B, C, D, 2, 3); + RD3(D, A, B, C, 10, 9); + RD3(C, D, A, B, 6, 11); + RD3(B, C, D, A, 14, 15); + RD3(A, B, C, D, 1, 3); + RD3(D, A, B, C, 9, 9); + RD3(C, D, A, B, 5, 11); + RD3(B, C, D, A, 13, 15); + RD3(A, B, C, D, 3, 3); + RD3(D, A, B, C, 11, 9); + RD3(C, D, A, B, 7, 11); + RD3(B, C, D, A, 15, 15); + + state[0] += A; + state[1] += B; + state[2] += C; + state[3] += D; +} + +void md4sum(const uint8_t* input, uint32_t inputLen, uint8_t* result) { + uint8_t final[128]; + uint32_t i, n, m, state[4]; + uint64_t inputLenBits; + uint32_t inputLenBitsLow; + uint32_t inputLenBitsHigh; + + /* magic initial states */ + state[0] = 0x67452301; + state[1] = 0xEFCDAB89; + state[2] = 0x98BADCFE; + state[3] = 0x10325476; + + /* compute number of complete 64-byte segments contained in input */ + m = inputLen >> 6; + + /* digest first m segments */ + for (i = 0; i < m; ++i) md4step(state, (input + (i << 6))); + + /* build final buffer */ + n = inputLen % 64; + memcpy(final, input + (m << 6), n); + final[n] = 0x80; + memset(final + n + 1, 0, 120 - (n + 1)); + + /* Append the original input length in bits as a 64-bit number. This is done + * in two 32-bit chunks, with the least-significant 32 bits first. + * w2b will handle endianness. */ + inputLenBits = inputLen << 3; + inputLenBitsLow = (uint32_t)(inputLenBits & 0xFFFFFFFF); + w2b(final + (n >= 56 ? 120 : 56), &inputLenBitsLow, 4); + inputLenBitsHigh = (uint32_t)((inputLenBits >> 32) & 0xFFFFFFFF); + w2b(final + (n >= 56 ? 124 : 60), &inputLenBitsHigh, 4); + + md4step(state, final); + if (n >= 56) md4step(state, final + 64); + + /* copy state to result */ + w2b(result, state, 16); +} diff --git a/security/manager/ssl/md4.h b/security/manager/ssl/md4.h new file mode 100644 index 0000000000..6e56a4ffdc --- /dev/null +++ b/security/manager/ssl/md4.h @@ -0,0 +1,38 @@ +/* vim:set ts=2 sw=2 et cindent: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef md4_h__ +#define md4_h__ + +#ifdef __cplusplus +extern "C" { +#endif + +#include <stdint.h> + +/** + * md4sum - computes the MD4 sum over the input buffer per RFC 1320 + * + * @param input + * buffer containing input data + * @param inputLen + * length of input buffer (number of bytes) + * @param result + * 16-byte buffer that will contain the MD4 sum upon return + * + * NOTE: MD4 is superceded by MD5. do not use MD4 unless required by the + * protocol you are implementing (e.g., NTLM requires MD4). + * + * NOTE: this interface is designed for relatively small buffers. A streaming + * interface would make more sense if that were a requirement. Currently, this + * is good enough for the applications we care about. + */ +void md4sum(const uint8_t* input, uint32_t inputLen, uint8_t* result); + +#ifdef __cplusplus +} +#endif + +#endif /* md4_h__ */ diff --git a/security/manager/ssl/metrics.yaml b/security/manager/ssl/metrics.yaml new file mode 100644 index 0000000000..a03682affb --- /dev/null +++ b/security/manager/ssl/metrics.yaml @@ -0,0 +1,180 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# Adding a new metric? We have docs for that! +# https://firefox-source-docs.mozilla.org/toolkit/components/glean/user/new_definitions_file.html + +--- +$schema: moz://mozilla.org/schemas/glean/metrics/2-0-0 +$tags: + - 'Core :: Security: PSM' + +data_storage: + alternate_services: + type: quantity + description: + The number of entries stored in the AlternateServices nsIDataStorage + bugs: + - https://bugzilla.mozilla.org/show_bug.cgi?id=1873080 + data_reviews: + - https://bugzilla.mozilla.org/show_bug.cgi?id=1873080 + data_sensitivity: + - interaction + notification_emails: + - dkeeler@mozilla.com + expires: never + unit: entries + client_auth_remember_list: + type: quantity + description: + The number of entries stored in the ClientAuthRememberList nsIDataStorage + bugs: + - https://bugzilla.mozilla.org/show_bug.cgi?id=1873080 + data_reviews: + - https://bugzilla.mozilla.org/show_bug.cgi?id=1873080 + data_sensitivity: + - interaction + notification_emails: + - dkeeler@mozilla.com + expires: never + unit: entries + site_security_service_state: + type: quantity + description: + The number of entries stored in the SiteSecurityServiceState nsIDataStorage + bugs: + - https://bugzilla.mozilla.org/show_bug.cgi?id=1873080 + data_reviews: + - https://bugzilla.mozilla.org/show_bug.cgi?id=1873080 + data_sensitivity: + - interaction + notification_emails: + - dkeeler@mozilla.com + expires: never + unit: entries + +oskeystore: + self_test: + type: labeled_boolean + description: + Whether or not each step of the OSKeyStore self test succeeded. + bugs: + - https://bugzilla.mozilla.org/show_bug.cgi?id=1855759 + data_reviews: + - https://bugzilla.mozilla.org/show_bug.cgi?id=1855759 + data_sensitivity: + - interaction + notification_emails: + - dkeeler@mozilla.com + expires: 126 + labels: + - generate + - available + - encrypt + - decrypt + +tls: + certificate_verifications: + type: counter + description: > + The total number of successful TLS server certificate verifications. + bugs: + - https://bugzilla.mozilla.org/show_bug.cgi?id=1876435 + data_reviews: + - https://bugzilla.mozilla.org/show_bug.cgi?id=1876435 + notification_emails: + - dkeeler@mozilla.com + expires: never + xyber_intolerance_reason: + type: labeled_counter + description: > + The error that was returned from a failed TLS 1.3 handshake in which the client sent a Xyber key share (see tlsIntoleranceTelemetryBucket() in nsNSSIOLayer.cpp). + data_sensitivity: + - technical + bugs: + - https://bugzilla.mozilla.org/1874963 + data_reviews: + - https://bugzilla.mozilla.org/1874963 + notification_emails: + - jschanck@mozilla.com + expires: 136 + labels: + - PR_CONNECT_RESET_ERROR + - PR_END_OF_FILE_ERROR + - SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE + - SSL_ERROR_BAD_MAC_ALERT + - SSL_ERROR_BAD_MAC_READ + - SSL_ERROR_DECODE_ERROR_ALERT + - SSL_ERROR_HANDSHAKE_FAILED + - SSL_ERROR_HANDSHAKE_FAILURE_ALERT + - SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT + - SSL_ERROR_ILLEGAL_PARAMETER_ALERT + - SSL_ERROR_INTERNAL_ERROR_ALERT + - SSL_ERROR_KEY_EXCHANGE_FAILURE + - SSL_ERROR_NO_CYPHER_OVERLAP + - SSL_ERROR_PROTOCOL_VERSION_ALERT + - SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE + - SSL_ERROR_RX_MALFORMED_HYBRID_KEY_SHARE + - SSL_ERROR_UNSUPPORTED_VERSION + +verification_used_cert_from: + tls_handshake: + type: rate + description: > + How many successfully-built certificate chains used a certificate from the TLS handshake. + bugs: + - https://bugzilla.mozilla.org/show_bug.cgi?id=1876435 + data_reviews: + - https://bugzilla.mozilla.org/show_bug.cgi?id=1876435 + notification_emails: + - dkeeler@mozilla.com + expires: never + denominator_metric: tls.certificate_verifications + preloaded_intermediates: + type: rate + description: > + How many successfully-built certificate chains used a certificate from preloaded intermediates. + bugs: + - https://bugzilla.mozilla.org/show_bug.cgi?id=1876435 + data_reviews: + - https://bugzilla.mozilla.org/show_bug.cgi?id=1876435 + notification_emails: + - dkeeler@mozilla.com + expires: never + denominator_metric: tls.certificate_verifications + third_party_certificates: + type: rate + description: > + How many successfully-built certificate chains used a third-party certificate from the OS. + bugs: + - https://bugzilla.mozilla.org/show_bug.cgi?id=1876435 + data_reviews: + - https://bugzilla.mozilla.org/show_bug.cgi?id=1876435 + notification_emails: + - dkeeler@mozilla.com + expires: never + denominator_metric: tls.certificate_verifications + nss_cert_db: + type: rate + description: > + How many successfully-built certificate chains used a certificate from the NSS cert DB. + bugs: + - https://bugzilla.mozilla.org/show_bug.cgi?id=1876435 + data_reviews: + - https://bugzilla.mozilla.org/show_bug.cgi?id=1876435 + notification_emails: + - dkeeler@mozilla.com + expires: never + denominator_metric: tls.certificate_verifications + built_in_roots_module: + type: rate + description: > + How many successfully-built certificate chains used a certificate from the built-in roots module. + bugs: + - https://bugzilla.mozilla.org/show_bug.cgi?id=1876435 + data_reviews: + - https://bugzilla.mozilla.org/show_bug.cgi?id=1876435 + notification_emails: + - dkeeler@mozilla.com + expires: never + denominator_metric: tls.certificate_verifications diff --git a/security/manager/ssl/moz.build b/security/manager/ssl/moz.build new file mode 100644 index 0000000000..676652db28 --- /dev/null +++ b/security/manager/ssl/moz.build @@ -0,0 +1,273 @@ +# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*- +# vim: set filetype=python: +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +# osclientcerts is currently only implemented for Windows +# osclientcerts transitively depends on winapi 0.2.8, which doesn't work with +# AArch64 +if (CONFIG["OS_ARCH"] == "WINNT" and CONFIG["TARGET_CPU"] != "aarch64") or CONFIG[ + "OS_ARCH" +] == "Darwin": + DIRS += ["osclientcerts"] + +DIRS += ["ipcclientcerts"] +DIRS += ["builtins"] + +TEST_DIRS += ["tests"] + +XPIDL_SOURCES += [ + "nsICertificateDialogs.idl", + "nsICertOverrideService.idl", + "nsICertStorage.idl", + "nsICertTree.idl", + "nsIClientAuthDialogService.idl", + "nsIClientAuthRememberService.idl", + "nsIContentSignatureVerifier.idl", + "nsICryptoHash.idl", + "nsIDataStorage.idl", + "nsINSSComponent.idl", + "nsINSSErrorsService.idl", + "nsINSSVersion.idl", + "nsIOSKeyStore.idl", + "nsIOSReauthenticator.idl", + "nsIPK11Token.idl", + "nsIPK11TokenDB.idl", + "nsIPKCS11Module.idl", + "nsIPKCS11ModuleDB.idl", + "nsIPKCS11Slot.idl", + "nsIPublicKeyPinningService.idl", + "nsISecretDecoderRing.idl", + "nsISecurityUITelemetry.idl", + "nsISiteSecurityService.idl", + "nsITLSSocketControl.idl", + "nsITokenPasswordDialogs.idl", + "nsITransportSecurityInfo.idl", + "nsIX509Cert.idl", + "nsIX509CertDB.idl", + "nsIX509CertValidity.idl", +] + +XPIDL_MODULE = "pipnss" + +XPCOM_MANIFESTS += [ + "components.conf", +] + +EXTRA_JS_MODULES.psm += [ + "ClientAuthDialogService.sys.mjs", + "DER.sys.mjs", + "RemoteSecuritySettings.sys.mjs", + "X509.sys.mjs", +] + +EXPORTS += [ + "CommonSocketControl.h", + "CryptoTask.h", + "EnterpriseRoots.h", + "nsClientAuthRemember.h", + "nsNSSCallbacks.h", + "nsNSSCertificate.h", + "nsNSSComponent.h", + "nsNSSHelper.h", + "nsRandomGenerator.h", + "nsSecureBrowserUI.h", + "nsSecurityHeaderParser.h", + "NSSErrorsService.h", + "nsSSLSocketProvider.h", + "nsTLSSocketProvider.h", + "RootCertificateTelemetryUtils.h", + "ScopedNSSTypes.h", + "SharedCertVerifier.h", + "SSLServerCertVerification.h", + "TransportSecurityInfo.h", +] + +EXPORTS.mozilla += [ + "PublicSSL.h", +] + +EXPORTS.mozilla.psm += [ + "IPCClientCertsChild.h", + "IPCClientCertsParent.h", + "SelectTLSClientAuthCertChild.h", + "SelectTLSClientAuthCertParent.h", + "TransportSecurityInfo.h", + "VerifySSLServerCertChild.h", + "VerifySSLServerCertParent.h", +] + +UNIFIED_SOURCES += [ + "AppSignatureVerification.cpp", + "AppTrustDomain.cpp", + "CertStorageMemoryReporting.cpp", + "CommonSocketControl.cpp", + "ContentSignatureVerifier.cpp", + "CryptoTask.cpp", + "DataStorageManager.cpp", + "EnterpriseRoots.cpp", + "IPCClientCertsChild.cpp", + "IPCClientCertsParent.cpp", + "md4.c", + "nsCertOverrideService.cpp", + "nsCertTree.cpp", + "nsClientAuthRemember.cpp", + "nsNSSCallbacks.cpp", + "nsNSSCertHelper.cpp", + "nsNSSCertificate.cpp", + "nsNSSCertificateDB.cpp", + "nsNSSCertTrust.cpp", + "nsNSSComponent.cpp", + "nsNSSIOLayer.cpp", + "nsNSSModule.cpp", + "nsNSSVersion.cpp", + "nsNTLMAuthModule.cpp", + "nsPK11TokenDB.cpp", + "nsPKCS11Slot.cpp", + "nsPKCS12Blob.cpp", + "nsRandomGenerator.cpp", + "nsSecureBrowserUI.cpp", + "nsSecurityHeaderParser.cpp", + "NSSErrorsService.cpp", + "nsSiteSecurityService.cpp", + "NSSKeyStore.cpp", + "nsSSLSocketProvider.cpp", + "NSSSocketControl.cpp", + "nsTLSSocketProvider.cpp", + "OSKeyStore.cpp", + "PKCS11ModuleDB.cpp", + "PSMRunnable.cpp", + "PublicKeyPinningService.cpp", + "RootCertificateTelemetryUtils.cpp", + "SecretDecoderRing.cpp", + "SharedSSLState.cpp", + "SSLServerCertVerification.cpp", + "TLSClientAuthCertSelection.cpp", + "TransportSecurityInfo.cpp", + "VerifySSLServerCertChild.cpp", + "VerifySSLServerCertParent.cpp", + "X509CertValidity.cpp", +] + +if CONFIG["OS_ARCH"] == "WINNT": + # On Windows this file includes ntsecapi.h, which contains definitions that + # conflict with headers included in remaining source files. We compile this + # one independently to prevent that interferance. + SOURCES += [ + "OSReauthenticator.cpp", + ] +else: + UNIFIED_SOURCES += [ + "OSReauthenticator.cpp", + ] + +if CONFIG["MOZ_WIDGET_TOOLKIT"] == "gtk": + UNIFIED_SOURCES += [ + "LibSecret.cpp", + ] + CFLAGS += CONFIG["GLIB_CFLAGS"] + CXXFLAGS += CONFIG["GLIB_CFLAGS"] + +if CONFIG["OS_ARCH"] == "Darwin": + UNIFIED_SOURCES += [ + "KeychainSecret.cpp", + "OSReauthenticatorDarwin.mm", + ] + OS_LIBS += [ + "-framework LocalAuthentication", + "-framework Security", + ] + +if CONFIG["OS_ARCH"] == "WINNT": + OS_LIBS += ["credui"] + UNIFIED_SOURCES += [ + "CredentialManagerSecret.cpp", + ] + +IPDL_SOURCES += [ + "PIPCClientCerts.ipdl", + "PSelectTLSClientAuthCert.ipdl", + "PSMIPCTypes.ipdlh", + "PVerifySSLServerCert.ipdl", +] + +FINAL_LIBRARY = "xul" + +LOCAL_INCLUDES += [ + "!/dist/public/nss", + "/dom/base", + "/dom/crypto", + "/netwerk/base", + "/security/certverifier", + "/third_party/rust/cose-c/include", + "/xpcom/build", +] + +GeneratedFile( + "nsSTSPreloadListGenerated.inc", + script="../../../xpcom/ds/tools/make_dafsa.py", + inputs=["nsSTSPreloadList.inc"], +) + +DEFINES["SSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES"] = "True" +DEFINES["NSS_ENABLE_ECC"] = "True" + +# mozpkix is linked statically from the in-tree sources independent of whether +# system NSS is used or not. +USE_LIBS += ["mozpkix"] + +include("/ipc/chromium/chromium-config.mozbuild") + +if CONFIG["CC_TYPE"] in ("clang", "gcc"): + CXXFLAGS += [ + "-Wextra", + # -Wextra enables this warning, but it's too noisy to be useful. + "-Wno-missing-field-initializers", + ] + + # Gecko headers aren't warning-free enough for us to enable these warnings. + CXXFLAGS += [ + "-Wno-unused-parameter", + ] + +headers_arrays_certs = [ + ( + "xpcshell.inc", + "xpcshellRoot", + "tests/unit/test_signed_apps/xpcshellTestRoot.der", + ), + ("addons-public.inc", "addonsPublicRoot", "addons-public.crt"), + ( + "addons-public-intermediate.inc", + "addonsPublicIntermediate", + "addons-public-intermediate.crt", + ), + ("addons-stage.inc", "addonsStageRoot", "addons-stage.crt"), + ( + "content-signature-prod.inc", + "contentSignatureProdRoot", + "content-signature-prod.crt", + ), + ( + "content-signature-stage.inc", + "contentSignatureStageRoot", + "content-signature-stage.crt", + ), + # The dev root is the same as the stage root. + ( + "content-signature-dev.inc", + "contentSignatureDevRoot", + "content-signature-stage.crt", + ), + ( + "content-signature-local.inc", + "contentSignatureLocalRoot", + "content-signature-local.crt", + ), +] + +for header, array_name, cert in headers_arrays_certs: + GeneratedFile( + header, script="gen_cert_header.py", entry_point=array_name, inputs=[cert] + ) diff --git a/security/manager/ssl/nsCertOverrideService.cpp b/security/manager/ssl/nsCertOverrideService.cpp new file mode 100644 index 0000000000..b8d0bbc3a1 --- /dev/null +++ b/security/manager/ssl/nsCertOverrideService.cpp @@ -0,0 +1,757 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsCertOverrideService.h" + +#include "NSSCertDBTrustDomain.h" +#include "ScopedNSSTypes.h" +#include "SharedSSLState.h" +#include "mozilla/Assertions.h" +#include "mozilla/ScopeExit.h" +#include "mozilla/TaskQueue.h" +#include "mozilla/Telemetry.h" +#include "mozilla/TextUtils.h" +#include "mozilla/Tokenizer.h" +#include "mozilla/Unused.h" +#include "mozilla/dom/ToJSValue.h" +#include "nsAppDirectoryServiceDefs.h" +#include "nsCRT.h" +#include "nsILineInputStream.h" +#ifdef ENABLE_WEBDRIVER +# include "nsIMarionette.h" +#endif +#include "nsIObserver.h" +#include "nsIObserverService.h" +#include "nsIOutputStream.h" +#ifdef ENABLE_WEBDRIVER +# include "nsIRemoteAgent.h" +#endif +#include "nsISafeOutputStream.h" +#include "nsIX509Cert.h" +#include "nsNSSCertificate.h" +#include "nsNSSComponent.h" +#include "nsNetUtil.h" +#include "nsStreamUtils.h" +#include "nsStringBuffer.h" +#include "nsThreadUtils.h" + +using namespace mozilla; +using namespace mozilla::psm; + +#define CERT_OVERRIDE_FILE_NAME "cert_override.txt" + +class WriterRunnable : public Runnable { + public: + WriterRunnable(nsCertOverrideService* aService, nsCString& aData, + nsCOMPtr<nsIFile> aFile) + : Runnable("nsCertOverrideService::WriterRunnable"), + mCertOverrideService(aService), + mData(aData), + mFile(std::move(aFile)) {} + + NS_IMETHOD + Run() override { + mCertOverrideService->AssertOnTaskQueue(); + nsresult rv; + + auto removeShutdownBlockerOnExit = + MakeScopeExit([certOverrideService = mCertOverrideService]() { + NS_DispatchToMainThread(NS_NewRunnableFunction( + "nsCertOverrideService::RemoveShutdownBlocker", + [certOverrideService] { + certOverrideService->RemoveShutdownBlocker(); + })); + }); + + nsCOMPtr<nsIOutputStream> outputStream; + rv = NS_NewSafeLocalFileOutputStream( + getter_AddRefs(outputStream), mFile, + PR_CREATE_FILE | PR_TRUNCATE | PR_WRONLY); + NS_ENSURE_SUCCESS(rv, rv); + + const char* ptr = mData.get(); + uint32_t remaining = mData.Length(); + uint32_t written = 0; + while (remaining > 0) { + rv = outputStream->Write(ptr, remaining, &written); + NS_ENSURE_SUCCESS(rv, rv); + remaining -= written; + ptr += written; + } + + nsCOMPtr<nsISafeOutputStream> safeStream = do_QueryInterface(outputStream); + MOZ_ASSERT(safeStream); + rv = safeStream->Finish(); + NS_ENSURE_SUCCESS(rv, rv); + + return NS_OK; + } + + private: + const RefPtr<nsCertOverrideService> mCertOverrideService; + nsCString mData; + const nsCOMPtr<nsIFile> mFile; +}; + +NS_IMPL_ISUPPORTS(nsCertOverride, nsICertOverride) + +NS_IMETHODIMP +nsCertOverride::GetAsciiHost(/*out*/ nsACString& aAsciiHost) { + aAsciiHost = mAsciiHost; + return NS_OK; +} + +NS_IMETHODIMP +nsCertOverride::GetFingerprint(/*out*/ nsACString& aFingerprint) { + aFingerprint = mFingerprint; + return NS_OK; +} + +NS_IMETHODIMP +nsCertOverride::GetPort(/*out*/ int32_t* aPort) { + *aPort = mPort; + return NS_OK; +} + +NS_IMETHODIMP +nsCertOverride::GetHostPort(/*out*/ nsACString& aHostPort) { + nsCertOverrideService::GetHostWithPort(mAsciiHost, mPort, aHostPort); + return NS_OK; +} + +NS_IMETHODIMP +nsCertOverride::GetOriginAttributes( + JSContext* aCtx, /*out*/ JS::MutableHandle<JS::Value> aValue) { + if (ToJSValue(aCtx, mOriginAttributes, aValue)) { + return NS_OK; + } + return NS_ERROR_FAILURE; +} + +NS_IMPL_ISUPPORTS(nsCertOverrideService, nsICertOverrideService, nsIObserver, + nsISupportsWeakReference, nsIAsyncShutdownBlocker) + +nsCertOverrideService::nsCertOverrideService() + : mMutex("nsCertOverrideService.mutex"), + mDisableAllSecurityCheck(false), + mPendingWriteCount(0) { + nsCOMPtr<nsIEventTarget> target = + do_GetService(NS_STREAMTRANSPORTSERVICE_CONTRACTID); + MOZ_ASSERT(target); + + mWriterTaskQueue = TaskQueue::Create(target.forget(), "CertOverrideService"); +} + +nsCertOverrideService::~nsCertOverrideService() = default; + +static nsCOMPtr<nsIAsyncShutdownClient> GetShutdownBarrier() { + MOZ_ASSERT(NS_IsMainThread()); + nsCOMPtr<nsIAsyncShutdownService> svc = + mozilla::services::GetAsyncShutdownService(); + MOZ_RELEASE_ASSERT(svc); + + nsCOMPtr<nsIAsyncShutdownClient> barrier; + nsresult rv = svc->GetProfileBeforeChange(getter_AddRefs(barrier)); + + MOZ_RELEASE_ASSERT(NS_SUCCEEDED(rv)); + MOZ_RELEASE_ASSERT(barrier); + return barrier; +} + +nsresult nsCertOverrideService::Init() { + if (!NS_IsMainThread()) { + MOZ_ASSERT_UNREACHABLE("nsCertOverrideService initialized off main thread"); + return NS_ERROR_NOT_SAME_THREAD; + } + + nsCOMPtr<nsIObserverService> observerService = + mozilla::services::GetObserverService(); + + // If we cannot add ourselves as a profile change observer, then we will not + // attempt to read/write any settings file. Otherwise, we would end up + // reading/writing the wrong settings file after a profile change. + if (observerService) { + observerService->AddObserver(this, "profile-do-change", true); + // simulate a profile change so we read the current profile's settings file + Observe(nullptr, "profile-do-change", nullptr); + } + + SharedSSLState::NoteCertOverrideServiceInstantiated(); + return NS_OK; +} + +NS_IMETHODIMP +nsCertOverrideService::Observe(nsISupports*, const char* aTopic, + const char16_t* aData) { + if (!nsCRT::strcmp(aTopic, "profile-do-change")) { + // The profile has already changed. + // Now read from the new profile location. + // we also need to update the cached file location + + MutexAutoLock lock(mMutex); + + nsresult rv = NS_GetSpecialDirectory(NS_APP_USER_PROFILE_50_DIR, + getter_AddRefs(mSettingsFile)); + if (NS_SUCCEEDED(rv)) { + mSettingsFile->AppendNative(nsLiteralCString(CERT_OVERRIDE_FILE_NAME)); + } else { + mSettingsFile = nullptr; + } + Read(lock); + CountPermanentOverrideTelemetry(lock); + } + + return NS_OK; +} + +void nsCertOverrideService::RemoveAllTemporaryOverrides() { + MutexAutoLock lock(mMutex); + bool removedAny = false; + for (auto iter = mSettingsTable.Iter(); !iter.Done(); iter.Next()) { + nsCertOverrideEntry* entry = iter.Get(); + if (entry->mSettings->mIsTemporary) { + iter.Remove(); + removedAny = true; + } + } + if (removedAny) { + nsCOMPtr<nsIObserverService> os = mozilla::services::GetObserverService(); + if (os) { + os->NotifyObservers(nullptr, "net:cancel-all-connections", nullptr); + } + } + // no need to write, as temporaries are never written to disk +} + +static const char sSHA256OIDString[] = "OID.2.16.840.1.101.3.4.2.1"; +nsresult nsCertOverrideService::Read(const MutexAutoLock& aProofOfLock) { + mMutex.AssertCurrentThreadOwns(); + // If we don't have a profile, then we won't try to read any settings file. + if (!mSettingsFile) return NS_OK; + + nsresult rv; + nsCOMPtr<nsIInputStream> fileInputStream; + rv = NS_NewLocalFileInputStream(getter_AddRefs(fileInputStream), + mSettingsFile); + if (NS_FAILED(rv)) { + return rv; + } + + nsCOMPtr<nsILineInputStream> lineInputStream = + do_QueryInterface(fileInputStream, &rv); + if (NS_FAILED(rv)) { + return rv; + } + + nsAutoCString buffer; + bool isMore = true; + + // Each line is of the form: + // host:port:originAttributes \t sSHA256OIDString \t fingerprint \t + // There may be some "bits" identifiers and "dbKey" after the `fingerprint` + // field in 'fingerprint \t \t dbKey' format, but these are now ignored. + // Lines that don't match this form are silently dropped. + + while (isMore && NS_SUCCEEDED(lineInputStream->ReadLine(buffer, &isMore))) { + if (buffer.IsEmpty() || buffer.First() == '#') { + continue; + } + + Tokenizer parser(buffer); + nsDependentCSubstring host; + if (parser.CheckChar('[')) { // this is a IPv6 address + if (!parser.ReadUntil(Tokenizer::Token::Char(']'), host) || + host.Length() == 0 || !parser.CheckChar(':')) { + continue; + } + } else if (!parser.ReadUntil(Tokenizer::Token::Char(':'), host) || + host.Length() == 0) { + continue; + } + int32_t port = -1; + if (!parser.ReadInteger(&port)) { + continue; + } + OriginAttributes attributes; + if (parser.CheckChar(':')) { + nsDependentCSubstring attributesString; + if (!parser.ReadUntil(Tokenizer::Token::Whitespace(), attributesString) || + !attributes.PopulateFromSuffix(attributesString)) { + continue; + } + } else if (!parser.CheckWhite()) { + continue; + } + nsDependentCSubstring algorithm; + if (!parser.ReadUntil(Tokenizer::Token::Whitespace(), algorithm) || + algorithm != sSHA256OIDString) { + continue; + } + nsDependentCSubstring fingerprint; + if (!parser.ReadUntil(Tokenizer::Token::Whitespace(), fingerprint) || + fingerprint.Length() == 0) { + continue; + } + + AddEntryToList(host, port, attributes, + false, // not temporary + fingerprint, aProofOfLock); + } + + return NS_OK; +} + +nsresult nsCertOverrideService::Write(const MutexAutoLock& aProofOfLock) { + mMutex.AssertCurrentThreadOwns(); + MOZ_ASSERT(NS_IsMainThread()); + if (!NS_IsMainThread()) { + return NS_ERROR_NOT_SAME_THREAD; + } + + // If we don't have any profile, then we won't try to write any file + if (!mSettingsFile) { + return NS_OK; + } + + nsCString output; + + static const char kHeader[] = + "# PSM Certificate Override Settings file" NS_LINEBREAK + "# This is a generated file! Do not edit." NS_LINEBREAK; + + /* see ::Read for file format */ + + output.Append(kHeader); + + static const char kTab[] = "\t"; + for (auto iter = mSettingsTable.Iter(); !iter.Done(); iter.Next()) { + nsCertOverrideEntry* entry = iter.Get(); + + RefPtr<nsCertOverride> settings = entry->mSettings; + if (settings->mIsTemporary) { + continue; + } + + output.Append(entry->mKeyString); + output.Append(kTab); + output.Append(sSHA256OIDString); + output.Append(kTab); + output.Append(settings->mFingerprint); + output.Append(kTab); + // the "bits" string used to go here, but it no longer exists + // the "\t dbKey" string used to go here, but it no longer exists + output.Append(NS_LINEBREAK); + } + + // Make a clone of the file to pass to the WriterRunnable. + nsCOMPtr<nsIFile> file; + nsresult rv; + rv = mSettingsFile->Clone(getter_AddRefs(file)); + NS_ENSURE_SUCCESS(rv, rv); + + nsCOMPtr<nsIRunnable> runnable = new WriterRunnable(this, output, file); + rv = mWriterTaskQueue->Dispatch(runnable.forget()); + if (NS_FAILED(rv)) { + return rv; + } + mPendingWriteCount++; + + if (mPendingWriteCount == 1) { + rv = GetShutdownBarrier()->AddBlocker( + this, NS_LITERAL_STRING_FROM_CSTRING(__FILE__), __LINE__, + u"nsCertOverrideService writing data"_ns); + NS_ENSURE_SUCCESS(rv, rv); + } + + return NS_OK; +} + +nsresult GetCertSha256Fingerprint(nsIX509Cert* aCert, nsCString& aResult) { + nsAutoString fpStrUTF16; + nsresult rv = aCert->GetSha256Fingerprint(fpStrUTF16); + if (NS_FAILED(rv)) { + return rv; + } + aResult.Assign(NS_ConvertUTF16toUTF8(fpStrUTF16)); + return NS_OK; +} + +NS_IMETHODIMP +nsCertOverrideService::RememberValidityOverride( + const nsACString& aHostName, int32_t aPort, + const OriginAttributes& aOriginAttributes, nsIX509Cert* aCert, + bool aTemporary) { + if (aHostName.IsEmpty() || !IsAscii(aHostName) || !aCert) { + return NS_ERROR_INVALID_ARG; + } + if (aPort < -1) { + return NS_ERROR_INVALID_ARG; + } + if (!NS_IsMainThread()) { + return NS_ERROR_NOT_SAME_THREAD; + } + + UniqueCERTCertificate nsscert(aCert->GetCert()); + if (!nsscert) { + return NS_ERROR_FAILURE; + } + + nsAutoCString fpStr; + nsresult rv = GetCertSha256Fingerprint(aCert, fpStr); + if (NS_FAILED(rv)) { + return rv; + } + + { + MutexAutoLock lock(mMutex); + AddEntryToList(aHostName, aPort, aOriginAttributes, aTemporary, fpStr, + lock); + if (!aTemporary) { + Write(lock); + } + } + + return NS_OK; +} + +NS_IMETHODIMP +nsCertOverrideService::RememberValidityOverrideScriptable( + const nsACString& aHostName, int32_t aPort, + JS::Handle<JS::Value> aOriginAttributes, nsIX509Cert* aCert, + bool aTemporary, JSContext* aCx) { + OriginAttributes attrs; + if (!aOriginAttributes.isObject() || !attrs.Init(aCx, aOriginAttributes)) { + return NS_ERROR_INVALID_ARG; + } + + return RememberValidityOverride(aHostName, aPort, attrs, aCert, aTemporary); +} + +NS_IMETHODIMP +nsCertOverrideService::HasMatchingOverride( + const nsACString& aHostName, int32_t aPort, + const OriginAttributes& aOriginAttributes, nsIX509Cert* aCert, + bool* aIsTemporary, bool* aRetval) { + bool disableAllSecurityCheck = false; + { + MutexAutoLock lock(mMutex); + disableAllSecurityCheck = mDisableAllSecurityCheck; + } + if (disableAllSecurityCheck) { + *aIsTemporary = false; + *aRetval = true; + return NS_OK; + } + + if (aHostName.IsEmpty() || !IsAscii(aHostName)) { + return NS_ERROR_INVALID_ARG; + } + if (aPort < -1) return NS_ERROR_INVALID_ARG; + + NS_ENSURE_ARG_POINTER(aCert); + NS_ENSURE_ARG_POINTER(aIsTemporary); + NS_ENSURE_ARG_POINTER(aRetval); + *aRetval = false; + + RefPtr<nsCertOverride> settings( + GetOverrideFor(aHostName, aPort, aOriginAttributes)); + // If there is no corresponding override and the given OriginAttributes isn't + // the default, try to look up an override using the default OriginAttributes. + if (!settings && aOriginAttributes != OriginAttributes()) { + settings = GetOverrideFor(aHostName, aPort, OriginAttributes()); + } + if (!settings) { + return NS_OK; + } + + *aIsTemporary = settings->mIsTemporary; + + nsAutoCString fpStr; + nsresult rv = GetCertSha256Fingerprint(aCert, fpStr); + if (NS_FAILED(rv)) { + return rv; + } + + *aRetval = settings->mFingerprint.Equals(fpStr); + return NS_OK; +} + +already_AddRefed<nsCertOverride> nsCertOverrideService::GetOverrideFor( + const nsACString& aHostName, int32_t aPort, + const OriginAttributes& aOriginAttributes) { + nsAutoCString keyString; + GetKeyString(aHostName, aPort, aOriginAttributes, keyString); + MutexAutoLock lock(mMutex); + nsCertOverrideEntry* entry = mSettingsTable.GetEntry(keyString.get()); + if (!entry) { + return nullptr; + } + return do_AddRef(entry->mSettings); +} + +NS_IMETHODIMP +nsCertOverrideService::HasMatchingOverrideScriptable( + const nsACString& aHostName, int32_t aPort, + JS::Handle<JS::Value> aOriginAttributes, nsIX509Cert* aCert, + bool* aIsTemporary, JSContext* aCx, bool* aRetval) { + OriginAttributes attrs; + if (!aOriginAttributes.isObject() || !attrs.Init(aCx, aOriginAttributes)) { + return NS_ERROR_INVALID_ARG; + } + + return HasMatchingOverride(aHostName, aPort, attrs, aCert, aIsTemporary, + aRetval); +} + +nsresult nsCertOverrideService::AddEntryToList( + const nsACString& aHostName, int32_t aPort, + const OriginAttributes& aOriginAttributes, const bool aIsTemporary, + const nsACString& fingerprint, const MutexAutoLock& aProofOfLock) { + mMutex.AssertCurrentThreadOwns(); + nsAutoCString keyString; + GetKeyString(aHostName, aPort, aOriginAttributes, keyString); + + nsCertOverrideEntry* entry = mSettingsTable.PutEntry(keyString.get()); + + if (!entry) { + NS_ERROR("can't insert a null entry!"); + return NS_ERROR_OUT_OF_MEMORY; + } + + entry->mKeyString = keyString; + + RefPtr<nsCertOverride> settings(new nsCertOverride()); + + settings->mAsciiHost = aHostName; + settings->mPort = aPort; + settings->mOriginAttributes = aOriginAttributes; + settings->mIsTemporary = aIsTemporary; + settings->mFingerprint = fingerprint; + entry->mSettings = settings; + + return NS_OK; +} + +NS_IMETHODIMP +nsCertOverrideService::ClearValidityOverride( + const nsACString& aHostName, int32_t aPort, + const OriginAttributes& aOriginAttributes) { + if (aHostName.IsEmpty() || !IsAscii(aHostName)) { + return NS_ERROR_INVALID_ARG; + } + if (!NS_IsMainThread()) { + return NS_ERROR_NOT_SAME_THREAD; + } + + if (aPort == 0 && aHostName.EqualsLiteral("all:temporary-certificates")) { + RemoveAllTemporaryOverrides(); + return NS_OK; + } + nsAutoCString keyString; + GetKeyString(aHostName, aPort, aOriginAttributes, keyString); + { + MutexAutoLock lock(mMutex); + mSettingsTable.RemoveEntry(keyString.get()); + Write(lock); + } + + nsCOMPtr<nsINSSComponent> nss(do_GetService(PSM_COMPONENT_CONTRACTID)); + if (nss) { + nss->ClearSSLExternalAndInternalSessionCache(); + } else { + return NS_ERROR_NOT_AVAILABLE; + } + + nsCOMPtr<nsIObserverService> os = mozilla::services::GetObserverService(); + if (os) { + os->NotifyObservers(nullptr, "net:cancel-all-connections", nullptr); + } + + return NS_OK; +} +NS_IMETHODIMP +nsCertOverrideService::ClearValidityOverrideScriptable( + const nsACString& aHostName, int32_t aPort, + JS::Handle<JS::Value> aOriginAttributes, JSContext* aCx) { + OriginAttributes attrs; + if (!aOriginAttributes.isObject() || !attrs.Init(aCx, aOriginAttributes)) { + return NS_ERROR_INVALID_ARG; + } + + return ClearValidityOverride(aHostName, aPort, attrs); +} + +NS_IMETHODIMP +nsCertOverrideService::ClearAllOverrides() { + if (!NS_IsMainThread()) { + return NS_ERROR_NOT_SAME_THREAD; + } + + { + MutexAutoLock lock(mMutex); + mSettingsTable.Clear(); + Write(lock); + } + + nsCOMPtr<nsINSSComponent> nss(do_GetService(PSM_COMPONENT_CONTRACTID)); + if (nss) { + nss->ClearSSLExternalAndInternalSessionCache(); + } else { + return NS_ERROR_NOT_AVAILABLE; + } + + nsCOMPtr<nsIObserverService> os = mozilla::services::GetObserverService(); + if (os) { + os->NotifyObservers(nullptr, "net:cancel-all-connections", nullptr); + } + + return NS_OK; +} + +void nsCertOverrideService::CountPermanentOverrideTelemetry( + const MutexAutoLock& aProofOfLock) { + mMutex.AssertCurrentThreadOwns(); + uint32_t overrideCount = 0; + for (auto iter = mSettingsTable.Iter(); !iter.Done(); iter.Next()) { + if (!iter.Get()->mSettings->mIsTemporary) { + overrideCount++; + } + } + Telemetry::Accumulate(Telemetry::SSL_PERMANENT_CERT_ERROR_OVERRIDES, + overrideCount); +} + +static bool IsDebugger() { +#ifdef ENABLE_WEBDRIVER + nsCOMPtr<nsIMarionette> marionette = do_GetService(NS_MARIONETTE_CONTRACTID); + if (marionette) { + bool marionetteRunning = false; + marionette->GetRunning(&marionetteRunning); + if (marionetteRunning) { + return true; + } + } + + nsCOMPtr<nsIRemoteAgent> agent = do_GetService(NS_REMOTEAGENT_CONTRACTID); + if (agent) { + bool remoteAgentRunning = false; + agent->GetRunning(&remoteAgentRunning); + if (remoteAgentRunning) { + return true; + } + } +#endif + + return false; +} + +NS_IMETHODIMP +nsCertOverrideService:: + SetDisableAllSecurityChecksAndLetAttackersInterceptMyData(bool aDisable) { + if (!(PR_GetEnv("XPCSHELL_TEST_PROFILE_DIR") || IsDebugger())) { + return NS_ERROR_NOT_AVAILABLE; + } + + { + MutexAutoLock lock(mMutex); + mDisableAllSecurityCheck = aDisable; + } + + nsCOMPtr<nsINSSComponent> nss(do_GetService(PSM_COMPONENT_CONTRACTID)); + if (nss) { + nss->ClearSSLExternalAndInternalSessionCache(); + } else { + return NS_ERROR_NOT_AVAILABLE; + } + + return NS_OK; +} + +NS_IMETHODIMP +nsCertOverrideService::GetSecurityCheckDisabled(bool* aDisabled) { + MutexAutoLock lock(mMutex); + *aDisabled = mDisableAllSecurityCheck; + return NS_OK; +} + +NS_IMETHODIMP +nsCertOverrideService::GetOverrides( + /*out*/ nsTArray<RefPtr<nsICertOverride>>& retval) { + MutexAutoLock lock(mMutex); + for (auto iter = mSettingsTable.Iter(); !iter.Done(); iter.Next()) { + const RefPtr<nsICertOverride> settings = iter.Get()->mSettings; + + retval.AppendElement(settings); + } + return NS_OK; +} + +void nsCertOverrideService::GetHostWithPort(const nsACString& aHostName, + int32_t aPort, + nsACString& aRetval) { + nsAutoCString hostPort; + if (aHostName.Contains(':')) { + // if aHostName is an IPv6 address, add brackets to match the internal + // representation, which always stores IPv6 addresses with brackets + hostPort.Append('['); + hostPort.Append(aHostName); + hostPort.Append(']'); + } else { + hostPort.Append(aHostName); + } + if (aPort == -1) { + aPort = 443; + } + if (!hostPort.IsEmpty()) { + hostPort.Append(':'); + hostPort.AppendInt(aPort); + } + aRetval.Assign(hostPort); +} + +void nsCertOverrideService::GetKeyString( + const nsACString& aHostName, int32_t aPort, + const OriginAttributes& aOriginAttributes, nsACString& aRetval) { + nsAutoCString keyString; + GetHostWithPort(aHostName, aPort, keyString); + keyString.Append(':'); + OriginAttributes strippedAttributes(aOriginAttributes); + strippedAttributes.StripAttributes( + ~OriginAttributes::STRIP_PRIVATE_BROWSING_ID); + nsAutoCString attributeSuffix; + strippedAttributes.CreateSuffix(attributeSuffix); + keyString.Append(attributeSuffix); + aRetval.Assign(keyString); +} + +// nsIAsyncShutdownBlocker implementation +NS_IMETHODIMP +nsCertOverrideService::GetName(nsAString& aName) { + aName = u"nsCertOverrideService: shutdown"_ns; + return NS_OK; +} + +NS_IMETHODIMP +nsCertOverrideService::GetState(nsIPropertyBag** aState) { + if (!aState) { + return NS_ERROR_INVALID_ARG; + } + *aState = nullptr; + return NS_OK; +} + +NS_IMETHODIMP +nsCertOverrideService::BlockShutdown(nsIAsyncShutdownClient*) { return NS_OK; } + +void nsCertOverrideService::RemoveShutdownBlocker() { + MOZ_ASSERT(NS_IsMainThread()); + MOZ_ASSERT(mPendingWriteCount > 0); + mPendingWriteCount--; + if (mPendingWriteCount == 0) { + nsresult rv = GetShutdownBarrier()->RemoveBlocker(this); + MOZ_RELEASE_ASSERT(NS_SUCCEEDED(rv)); + } +} diff --git a/security/manager/ssl/nsCertOverrideService.h b/security/manager/ssl/nsCertOverrideService.h new file mode 100644 index 0000000000..21cff56300 --- /dev/null +++ b/security/manager/ssl/nsCertOverrideService.h @@ -0,0 +1,152 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef nsCertOverrideService_h +#define nsCertOverrideService_h + +#include <utility> + +#include "mozilla/HashFunctions.h" +#include "mozilla/Mutex.h" +#include "mozilla/OriginAttributes.h" +#include "mozilla/TaskQueue.h" +#include "nsIAsyncShutdown.h" +#include "nsICertOverrideService.h" +#include "nsIFile.h" +#include "nsIObserver.h" +#include "nsString.h" +#include "nsTHashtable.h" +#include "nsWeakReference.h" +#include "secoidt.h" + +class nsCertOverride final : public nsICertOverride { + public: + NS_DECL_THREADSAFE_ISUPPORTS + NS_DECL_NSICERTOVERRIDE + + nsCertOverride() : mPort(-1), mIsTemporary(false) {} + + nsCString mAsciiHost; + int32_t mPort; + mozilla::OriginAttributes mOriginAttributes; + bool mIsTemporary; // true: session only, false: stored on disk + nsCString mFingerprint; + + private: + ~nsCertOverride() = default; +}; + +// hash entry class +class nsCertOverrideEntry final : public PLDHashEntryHdr { + public: + // Hash methods + typedef const char* KeyType; + typedef const char* KeyTypePointer; + + // do nothing with aHost - we require mHead to be set before we're live! + explicit nsCertOverrideEntry(KeyTypePointer aHostWithPortUTF8) {} + + nsCertOverrideEntry(nsCertOverrideEntry&& toMove) + : PLDHashEntryHdr(std::move(toMove)), + mSettings(std::move(toMove.mSettings)), + mKeyString(std::move(toMove.mKeyString)) {} + + ~nsCertOverrideEntry() = default; + + KeyType GetKey() const { return KeyStringPtr(); } + + KeyTypePointer GetKeyPointer() const { return KeyStringPtr(); } + + bool KeyEquals(KeyTypePointer aKey) const { + return !strcmp(KeyStringPtr(), aKey); + } + + static KeyTypePointer KeyToPointer(KeyType aKey) { return aKey; } + + static PLDHashNumber HashKey(KeyTypePointer aKey) { + return mozilla::HashString(aKey); + } + + enum { ALLOW_MEMMOVE = false }; + + // get methods + inline const nsCString& KeyString() const { return mKeyString; } + + inline KeyTypePointer KeyStringPtr() const { return mKeyString.get(); } + + RefPtr<nsCertOverride> mSettings; + nsCString mKeyString; +}; + +class nsCertOverrideService final : public nsICertOverrideService, + public nsIObserver, + public nsSupportsWeakReference, + public nsIAsyncShutdownBlocker { + public: + NS_DECL_THREADSAFE_ISUPPORTS + NS_DECL_NSICERTOVERRIDESERVICE + NS_DECL_NSIOBSERVER + NS_DECL_NSIASYNCSHUTDOWNBLOCKER + + nsCertOverrideService(); + + nsresult Init(); + void RemoveAllTemporaryOverrides(); + + // Concatenates host name and the port number. If the port number is -1 then + // port 443 is automatically used. This method ensures there is always a port + // number separated with colon. + static void GetHostWithPort(const nsACString& aHostName, int32_t aPort, + nsACString& aRetval); + + // Concatenates host name, port number, and origin attributes. + static void GetKeyString(const nsACString& aHostName, int32_t aPort, + const mozilla::OriginAttributes& aOriginAttributes, + nsACString& aRetval); + + void AssertOnTaskQueue() const { + MOZ_ASSERT(mWriterTaskQueue->IsOnCurrentThread()); + } + + void RemoveShutdownBlocker(); + + private: + ~nsCertOverrideService(); + + mozilla::Mutex mMutex; + bool mDisableAllSecurityCheck MOZ_GUARDED_BY(mMutex); + nsCOMPtr<nsIFile> mSettingsFile MOZ_GUARDED_BY(mMutex); + nsTHashtable<nsCertOverrideEntry> mSettingsTable MOZ_GUARDED_BY(mMutex); + + void CountPermanentOverrideTelemetry( + const mozilla::MutexAutoLock& aProofOfLock); + + nsresult Read(const mozilla::MutexAutoLock& aProofOfLock); + nsresult Write(const mozilla::MutexAutoLock& aProofOfLock); + nsresult AddEntryToList(const nsACString& host, int32_t port, + const mozilla::OriginAttributes& aOriginAttributes, + const bool aIsTemporary, + const nsACString& fingerprint, + const mozilla::MutexAutoLock& aProofOfLock); + already_AddRefed<nsCertOverride> GetOverrideFor( + const nsACString& aHostName, int32_t aPort, + const mozilla::OriginAttributes& aOriginAttributes); + + // Set in constructor only + RefPtr<mozilla::TaskQueue> mWriterTaskQueue; + + // Only accessed on the main thread + uint64_t mPendingWriteCount; +}; + +#define NS_CERTOVERRIDE_CID \ + { /* 67ba681d-5485-4fff-952c-2ee337ffdcd6 */ \ + 0x67ba681d, 0x5485, 0x4fff, { \ + 0x95, 0x2c, 0x2e, 0xe3, 0x37, 0xff, 0xdc, 0xd6 \ + } \ + } + +#endif // nsCertOverrideService_h diff --git a/security/manager/ssl/nsCertTree.cpp b/security/manager/ssl/nsCertTree.cpp new file mode 100644 index 0000000000..0448cf4566 --- /dev/null +++ b/security/manager/ssl/nsCertTree.cpp @@ -0,0 +1,844 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsCertTree.h" + +#include "ScopedNSSTypes.h" +#include "mozilla/Logging.h" +#include "mozilla/Maybe.h" +#include "mozilla/intl/AppDateTimeFormat.h" +#include "nsArray.h" +#include "nsArrayUtils.h" +#include "nsHashKeys.h" +#include "nsISupportsPrimitives.h" +#include "nsIX509CertDB.h" +#include "nsIX509Cert.h" +#include "nsIX509CertValidity.h" +#include "nsNSSCertHelper.h" +#include "nsNSSCertificate.h" +#include "nsComponentManagerUtils.h" +#include "nsNSSCertificateDB.h" +#include "nsNSSHelper.h" +#include "nsReadableUtils.h" +#include "nsTHashtable.h" +#include "nsUnicharUtils.h" +#include "nsXPCOMCID.h" +#include "nsString.h" +#include "nsTreeColumns.h" +#include "mozpkix/pkixtypes.h" + +using namespace mozilla; + +extern LazyLogModule gPIPNSSLog; + +// treeArrayElStr +// +// structure used to hold map of tree. Each thread (an organization +// field from a cert) has an element in the array. The numChildren field +// stores the number of certs corresponding to that thread. +struct treeArrayElStr { + nsString orgName; /* heading for thread */ + bool open; /* toggle open state for thread */ + int32_t certIndex; /* index into cert array for 1st cert */ + int32_t numChildren; /* number of chidren (certs) for thread */ +}; + +CompareCacheHashEntryPtr::CompareCacheHashEntryPtr() { + entry = new CompareCacheHashEntry; +} + +CompareCacheHashEntryPtr::~CompareCacheHashEntryPtr() { delete entry; } + +CompareCacheHashEntry::CompareCacheHashEntry() : key(nullptr), mCritInit() { + for (int i = 0; i < max_criterions; ++i) { + mCritInit[i] = false; + mCrit[i].SetIsVoid(true); + } +} + +static bool CompareCacheMatchEntry(const PLDHashEntryHdr* hdr, + const void* key) { + const CompareCacheHashEntryPtr* entryPtr = + static_cast<const CompareCacheHashEntryPtr*>(hdr); + return entryPtr->entry->key == key; +} + +static void CompareCacheInitEntry(PLDHashEntryHdr* hdr, const void* key) { + new (hdr) CompareCacheHashEntryPtr(); + CompareCacheHashEntryPtr* entryPtr = + static_cast<CompareCacheHashEntryPtr*>(hdr); + entryPtr->entry->key = (void*)key; +} + +static void CompareCacheClearEntry(PLDHashTable* table, PLDHashEntryHdr* hdr) { + CompareCacheHashEntryPtr* entryPtr = + static_cast<CompareCacheHashEntryPtr*>(hdr); + entryPtr->~CompareCacheHashEntryPtr(); +} + +static const PLDHashTableOps gMapOps = { + PLDHashTable::HashVoidPtrKeyStub, CompareCacheMatchEntry, + PLDHashTable::MoveEntryStub, CompareCacheClearEntry, CompareCacheInitEntry}; + +NS_IMPL_ISUPPORTS(nsCertTreeDispInfo, nsICertTreeItem) + +nsCertTreeDispInfo::~nsCertTreeDispInfo() = default; + +NS_IMETHODIMP +nsCertTreeDispInfo::GetCert(nsIX509Cert** aCert) { + NS_ENSURE_ARG(aCert); + nsCOMPtr<nsIX509Cert> cert = mCert; + cert.forget(aCert); + return NS_OK; +} + +NS_IMPL_ISUPPORTS(nsCertTree, nsICertTree, nsITreeView) + +nsCertTree::nsCertTree() + : mTreeArray(nullptr), + mNumOrgs(0), + mNumRows(0), + mCompareCache(&gMapOps, sizeof(CompareCacheHashEntryPtr), + kInitialCacheLength) { + mCellText = nullptr; +} + +void nsCertTree::ClearCompareHash() { + mCompareCache.ClearAndPrepareForLength(kInitialCacheLength); +} + +nsCertTree::~nsCertTree() { delete[] mTreeArray; } + +void nsCertTree::FreeCertArray() { mDispInfo.Clear(); } + +CompareCacheHashEntry* nsCertTree::getCacheEntry(void* cache, void* aCert) { + PLDHashTable& aCompareCache = *static_cast<PLDHashTable*>(cache); + auto entryPtr = static_cast<CompareCacheHashEntryPtr*>( + aCompareCache.Add(aCert, fallible)); + return entryPtr ? entryPtr->entry : nullptr; +} + +void nsCertTree::RemoveCacheEntry(void* key) { mCompareCache.Remove(key); } + +// CountOrganizations +// +// Count the number of different organizations encountered in the cert +// list. +int32_t nsCertTree::CountOrganizations() { + uint32_t i, certCount; + certCount = mDispInfo.Length(); + if (certCount == 0) return 0; + nsCOMPtr<nsIX509Cert> orgCert = mDispInfo.ElementAt(0)->mCert; + nsCOMPtr<nsIX509Cert> nextCert = nullptr; + int32_t orgCount = 1; + for (i = 1; i < certCount; i++) { + nextCert = mDispInfo.SafeElementAt(i, nullptr)->mCert; + // XXX we assume issuer org is always criterion 1 + if (CmpBy(&mCompareCache, orgCert, nextCert, sort_IssuerOrg, sort_None, + sort_None) != 0) { + orgCert = nextCert; + orgCount++; + } + } + return orgCount; +} + +// GetThreadDescAtIndex +// +// If the row at index is an organization thread, return the collection +// associated with that thread. Otherwise, return null. +treeArrayEl* nsCertTree::GetThreadDescAtIndex(int32_t index) { + int i, idx = 0; + if (index < 0) return nullptr; + for (i = 0; i < mNumOrgs; i++) { + if (index == idx) { + return &mTreeArray[i]; + } + if (mTreeArray[i].open) { + idx += mTreeArray[i].numChildren; + } + idx++; + if (idx > index) break; + } + return nullptr; +} + +// GetCertAtIndex +// +// If the row at index is a cert, return that cert. Otherwise, return null. +already_AddRefed<nsIX509Cert> nsCertTree::GetCertAtIndex( + int32_t index, int32_t* outAbsoluteCertOffset) { + RefPtr<nsCertTreeDispInfo> certdi( + GetDispInfoAtIndex(index, outAbsoluteCertOffset)); + if (!certdi) return nullptr; + + nsCOMPtr<nsIX509Cert> ret = certdi->mCert; + return ret.forget(); +} + +// If the row at index is a cert, return that cert. Otherwise, return null. +already_AddRefed<nsCertTreeDispInfo> nsCertTree::GetDispInfoAtIndex( + int32_t index, int32_t* outAbsoluteCertOffset) { + int i, idx = 0, cIndex = 0, nc; + if (index < 0) return nullptr; + // Loop over the threads + for (i = 0; i < mNumOrgs; i++) { + if (index == idx) return nullptr; // index is for thread + idx++; // get past the thread + nc = (mTreeArray[i].open) ? mTreeArray[i].numChildren : 0; + if (index < idx + nc) { // cert is within range of this thread + int32_t certIndex = cIndex + index - idx; + if (outAbsoluteCertOffset) *outAbsoluteCertOffset = certIndex; + RefPtr<nsCertTreeDispInfo> certdi( + mDispInfo.SafeElementAt(certIndex, nullptr)); + if (certdi) { + return certdi.forget(); + } + break; + } + if (mTreeArray[i].open) idx += mTreeArray[i].numChildren; + cIndex += mTreeArray[i].numChildren; + if (idx > index) break; + } + return nullptr; +} + +nsCertTree::nsCertCompareFunc nsCertTree::GetCompareFuncFromCertType( + uint32_t aType) { + switch (aType) { + case nsIX509Cert::ANY_CERT: + case nsIX509Cert::USER_CERT: + return CmpUserCert; + case nsIX509Cert::EMAIL_CERT: + return CmpEmailCert; + case nsIX509Cert::CA_CERT: + default: + return CmpCACert; + } +} + +nsresult nsCertTree::GetCertsByTypeFromCertList( + const nsTArray<RefPtr<nsIX509Cert>>& aCertList, uint32_t aWantedType, + nsCertCompareFunc aCertCmpFn, void* aCertCmpFnArg) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("GetCertsByTypeFromCertList")); + + nsTHashtable<nsCStringHashKey> allHostPortOverrideKeys; + + if (aWantedType == nsIX509Cert::SERVER_CERT) { + return NS_ERROR_INVALID_ARG; + } + + int count = 0; + for (const auto& cert : aCertList) { + bool wantThisCert = (aWantedType == nsIX509Cert::ANY_CERT); + + if (!wantThisCert) { + uint32_t thisCertType; + nsresult rv = cert->GetCertType(&thisCertType); + if (NS_FAILED(rv)) { + return rv; + } + if (thisCertType == aWantedType) { + wantThisCert = true; + } + } + + if (wantThisCert) { + int InsertPosition = 0; + for (; InsertPosition < count; ++InsertPosition) { + nsCOMPtr<nsIX509Cert> otherCert = nullptr; + RefPtr<nsCertTreeDispInfo> elem( + mDispInfo.SafeElementAt(InsertPosition, nullptr)); + if (elem) { + otherCert = elem->mCert; + } + if ((*aCertCmpFn)(aCertCmpFnArg, cert, otherCert) < 0) { + break; + } + } + nsCertTreeDispInfo* certdi = new nsCertTreeDispInfo(cert); + mDispInfo.InsertElementAt(InsertPosition, certdi); + ++count; + ++InsertPosition; + } + } + + return NS_OK; +} + +// LoadCerts +// +// Load all of the certificates in the DB for this type. Sort them +// by token, organization, then common name. +NS_IMETHODIMP +nsCertTree::LoadCertsFromCache(const nsTArray<RefPtr<nsIX509Cert>>& aCache, + uint32_t aType) { + if (mTreeArray) { + FreeCertArray(); + delete[] mTreeArray; + mTreeArray = nullptr; + mNumRows = 0; + } + ClearCompareHash(); + + nsresult rv = GetCertsByTypeFromCertList( + aCache, aType, GetCompareFuncFromCertType(aType), &mCompareCache); + if (NS_FAILED(rv)) { + return rv; + } + return UpdateUIContents(); +} + +nsresult nsCertTree::UpdateUIContents() { + uint32_t count = mDispInfo.Length(); + mNumOrgs = CountOrganizations(); + mTreeArray = new treeArrayEl[mNumOrgs]; + + mCellText = nsArrayBase::Create(); + + if (count) { + uint32_t j = 0; + nsCOMPtr<nsIX509Cert> orgCert = mDispInfo.ElementAt(j)->mCert; + for (int32_t i = 0; i < mNumOrgs; i++) { + nsString& orgNameRef = mTreeArray[i].orgName; + if (!orgCert) { + GetPIPNSSBundleString("CertOrgUnknown", orgNameRef); + } else { + orgCert->GetIssuerOrganization(orgNameRef); + if (orgNameRef.IsEmpty()) orgCert->GetCommonName(orgNameRef); + } + mTreeArray[i].open = true; + mTreeArray[i].certIndex = j; + mTreeArray[i].numChildren = 1; + if (++j >= count) break; + nsCOMPtr<nsIX509Cert> nextCert = + mDispInfo.SafeElementAt(j, nullptr)->mCert; + while (0 == CmpBy(&mCompareCache, orgCert, nextCert, sort_IssuerOrg, + sort_None, sort_None)) { + mTreeArray[i].numChildren++; + if (++j >= count) break; + nextCert = mDispInfo.SafeElementAt(j, nullptr)->mCert; + } + orgCert = nextCert; + } + } + if (mTree) { + mTree->BeginUpdateBatch(); + mTree->RowCountChanged(0, -mNumRows); + } + mNumRows = count + mNumOrgs; + if (mTree) mTree->EndUpdateBatch(); + return NS_OK; +} + +NS_IMETHODIMP +nsCertTree::DeleteEntryObject(uint32_t index) { + if (!mTreeArray) { + return NS_ERROR_FAILURE; + } + + nsCOMPtr<nsIX509CertDB> certdb = + do_GetService("@mozilla.org/security/x509certdb;1"); + if (!certdb) { + return NS_ERROR_FAILURE; + } + + int i; + uint32_t idx = 0, cIndex = 0, nc; + // Loop over the threads + for (i = 0; i < mNumOrgs; i++) { + if (index == idx) return NS_OK; // index is for thread + idx++; // get past the thread + nc = (mTreeArray[i].open) ? mTreeArray[i].numChildren : 0; + if (index < idx + nc) { // cert is within range of this thread + int32_t certIndex = cIndex + index - idx; + + RefPtr<nsCertTreeDispInfo> certdi( + mDispInfo.SafeElementAt(certIndex, nullptr)); + if (certdi) { + nsCOMPtr<nsIX509Cert> cert = certdi->mCert; + RemoveCacheEntry(cert); + certdb->DeleteCertificate(cert); + } + + mDispInfo.RemoveElementAt(certIndex); + + delete[] mTreeArray; + mTreeArray = nullptr; + return UpdateUIContents(); + } + if (mTreeArray[i].open) idx += mTreeArray[i].numChildren; + cIndex += mTreeArray[i].numChildren; + if (idx > index) break; + } + return NS_ERROR_FAILURE; +} + +////////////////////////////////////////////////////////////////////////////// +// +// Begin nsITreeView methods +// +///////////////////////////////////////////////////////////////////////////// + +NS_IMETHODIMP +nsCertTree::GetCert(uint32_t aIndex, nsIX509Cert** _cert) { + NS_ENSURE_ARG(_cert); + *_cert = GetCertAtIndex(aIndex).take(); + return NS_OK; +} + +NS_IMETHODIMP +nsCertTree::GetTreeItem(uint32_t aIndex, nsICertTreeItem** _treeitem) { + NS_ENSURE_ARG(_treeitem); + + RefPtr<nsCertTreeDispInfo> certdi(GetDispInfoAtIndex(aIndex)); + if (!certdi) return NS_ERROR_FAILURE; + + *_treeitem = certdi; + NS_IF_ADDREF(*_treeitem); + return NS_OK; +} + +NS_IMETHODIMP +nsCertTree::GetRowCount(int32_t* aRowCount) { + if (!mTreeArray) return NS_ERROR_NOT_INITIALIZED; + uint32_t count = 0; + for (int32_t i = 0; i < mNumOrgs; i++) { + if (mTreeArray[i].open) { + count += mTreeArray[i].numChildren; + } + count++; + } + *aRowCount = count; + return NS_OK; +} + +NS_IMETHODIMP +nsCertTree::GetSelection(nsITreeSelection** aSelection) { + *aSelection = mSelection; + NS_IF_ADDREF(*aSelection); + return NS_OK; +} + +NS_IMETHODIMP +nsCertTree::SetSelection(nsITreeSelection* aSelection) { + mSelection = aSelection; + return NS_OK; +} + +NS_IMETHODIMP +nsCertTree::GetRowProperties(int32_t index, nsAString& aProps) { return NS_OK; } + +NS_IMETHODIMP +nsCertTree::GetCellProperties(int32_t row, nsTreeColumn* col, + nsAString& aProps) { + return NS_OK; +} + +NS_IMETHODIMP +nsCertTree::GetColumnProperties(nsTreeColumn* col, nsAString& aProps) { + return NS_OK; +} +NS_IMETHODIMP +nsCertTree::IsContainer(int32_t index, bool* _retval) { + if (!mTreeArray) return NS_ERROR_NOT_INITIALIZED; + treeArrayEl* el = GetThreadDescAtIndex(index); + if (el) { + *_retval = true; + } else { + *_retval = false; + } + return NS_OK; +} + +NS_IMETHODIMP +nsCertTree::IsContainerOpen(int32_t index, bool* _retval) { + if (!mTreeArray) return NS_ERROR_NOT_INITIALIZED; + treeArrayEl* el = GetThreadDescAtIndex(index); + if (el && el->open) { + *_retval = true; + } else { + *_retval = false; + } + return NS_OK; +} + +NS_IMETHODIMP +nsCertTree::IsContainerEmpty(int32_t index, bool* _retval) { + *_retval = !mTreeArray; + return NS_OK; +} + +NS_IMETHODIMP +nsCertTree::IsSeparator(int32_t index, bool* _retval) { + *_retval = false; + return NS_OK; +} + +NS_IMETHODIMP +nsCertTree::GetParentIndex(int32_t rowIndex, int32_t* _retval) { + if (!mTreeArray) return NS_ERROR_NOT_INITIALIZED; + int i, idx = 0; + for (i = 0; i < mNumOrgs && idx < rowIndex; i++, idx++) { + if (mTreeArray[i].open) { + if (rowIndex <= idx + mTreeArray[i].numChildren) { + *_retval = idx; + return NS_OK; + } + idx += mTreeArray[i].numChildren; + } + } + *_retval = -1; + return NS_OK; +} + +NS_IMETHODIMP +nsCertTree::HasNextSibling(int32_t rowIndex, int32_t afterIndex, + bool* _retval) { + if (!mTreeArray) return NS_ERROR_NOT_INITIALIZED; + + int i, idx = 0; + for (i = 0; i < mNumOrgs && idx <= rowIndex; i++, idx++) { + if (mTreeArray[i].open) { + idx += mTreeArray[i].numChildren; + if (afterIndex <= idx) { + *_retval = afterIndex < idx; + return NS_OK; + } + } + } + *_retval = false; + return NS_OK; +} + +NS_IMETHODIMP +nsCertTree::GetLevel(int32_t index, int32_t* _retval) { + if (!mTreeArray) return NS_ERROR_NOT_INITIALIZED; + treeArrayEl* el = GetThreadDescAtIndex(index); + if (el) { + *_retval = 0; + } else { + *_retval = 1; + } + return NS_OK; +} + +NS_IMETHODIMP +nsCertTree::GetImageSrc(int32_t row, nsTreeColumn* col, nsAString& _retval) { + _retval.Truncate(); + return NS_OK; +} + +NS_IMETHODIMP +nsCertTree::GetCellValue(int32_t row, nsTreeColumn* col, nsAString& _retval) { + _retval.Truncate(); + return NS_OK; +} + +static void PRTimeToLocalDateString(PRTime time, nsAString& result) { + PRExplodedTime explodedTime; + PR_ExplodeTime(time, PR_LocalTimeParameters, &explodedTime); + intl::DateTimeFormat::StyleBag style; + style.date = Some(intl::DateTimeFormat::Style::Long); + style.time = Nothing(); + Unused << intl::AppDateTimeFormat::Format(style, &explodedTime, result); +} + +NS_IMETHODIMP +nsCertTree::GetCellText(int32_t row, nsTreeColumn* col, nsAString& _retval) { + if (!mTreeArray) return NS_ERROR_NOT_INITIALIZED; + + nsresult rv = NS_OK; + _retval.Truncate(); + + const nsAString& colID = col->GetId(); + + treeArrayEl* el = GetThreadDescAtIndex(row); + if (el) { + if (u"certcol"_ns.Equals(colID)) + _retval.Assign(el->orgName); + else + _retval.Truncate(); + return NS_OK; + } + + int32_t absoluteCertOffset; + RefPtr<nsCertTreeDispInfo> certdi( + GetDispInfoAtIndex(row, &absoluteCertOffset)); + if (!certdi) return NS_ERROR_FAILURE; + + nsCOMPtr<nsIX509Cert> cert = certdi->mCert; + + int32_t colIndex = col->Index(); + uint32_t arrayIndex = absoluteCertOffset + colIndex * (mNumRows - mNumOrgs); + uint32_t arrayLength = 0; + if (mCellText) { + mCellText->GetLength(&arrayLength); + } + if (arrayIndex < arrayLength) { + nsCOMPtr<nsISupportsString> myString( + do_QueryElementAt(mCellText, arrayIndex)); + if (myString) { + myString->GetData(_retval); + return NS_OK; + } + } + + if (u"certcol"_ns.Equals(colID)) { + if (!cert) { + rv = GetPIPNSSBundleString("CertNotStored", _retval); + } else { + rv = cert->GetDisplayName(_retval); + } + } else if (u"tokencol"_ns.Equals(colID) && cert) { + rv = cert->GetTokenName(_retval); + } else if (u"emailcol"_ns.Equals(colID) && cert) { + rv = cert->GetEmailAddress(_retval); + } else if (u"issuedcol"_ns.Equals(colID) && cert) { + nsCOMPtr<nsIX509CertValidity> validity; + + rv = cert->GetValidity(getter_AddRefs(validity)); + if (NS_SUCCEEDED(rv)) { + PRTime notBefore; + rv = validity->GetNotBefore(¬Before); + if (NS_SUCCEEDED(rv)) { + PRTimeToLocalDateString(notBefore, _retval); + } + } + } else if (u"expiredcol"_ns.Equals(colID) && cert) { + nsCOMPtr<nsIX509CertValidity> validity; + + rv = cert->GetValidity(getter_AddRefs(validity)); + if (NS_SUCCEEDED(rv)) { + PRTime notAfter; + rv = validity->GetNotAfter(¬After); + if (NS_SUCCEEDED(rv)) { + PRTimeToLocalDateString(notAfter, _retval); + } + } + } else if (u"serialnumcol"_ns.Equals(colID) && cert) { + rv = cert->GetSerialNumber(_retval); + } else { + return NS_ERROR_FAILURE; + } + if (mCellText) { + nsCOMPtr<nsISupportsString> text( + do_CreateInstance(NS_SUPPORTS_STRING_CONTRACTID, &rv)); + NS_ENSURE_SUCCESS(rv, rv); + text->SetData(_retval); + mCellText->ReplaceElementAt(text, arrayIndex); + } + return rv; +} + +NS_IMETHODIMP +nsCertTree::SetTree(mozilla::dom::XULTreeElement* tree) { + mTree = tree; + return NS_OK; +} + +NS_IMETHODIMP +nsCertTree::ToggleOpenState(int32_t index) { + if (!mTreeArray) return NS_ERROR_NOT_INITIALIZED; + treeArrayEl* el = GetThreadDescAtIndex(index); + if (el) { + el->open = !el->open; + int32_t newChildren = (el->open) ? el->numChildren : -el->numChildren; + if (mTree) { + mTree->RowCountChanged(index + 1, newChildren); + mTree->InvalidateRow(index); + } + } + return NS_OK; +} + +NS_IMETHODIMP +nsCertTree::CycleHeader(nsTreeColumn* col) { return NS_OK; } + +NS_IMETHODIMP +nsCertTree::SelectionChangedXPCOM() { return NS_ERROR_NOT_IMPLEMENTED; } + +NS_IMETHODIMP +nsCertTree::CycleCell(int32_t row, nsTreeColumn* col) { return NS_OK; } + +NS_IMETHODIMP +nsCertTree::IsEditable(int32_t row, nsTreeColumn* col, bool* _retval) { + *_retval = false; + return NS_OK; +} + +NS_IMETHODIMP +nsCertTree::SetCellValue(int32_t row, nsTreeColumn* col, + const nsAString& value) { + return NS_OK; +} + +NS_IMETHODIMP +nsCertTree::SetCellText(int32_t row, nsTreeColumn* col, + const nsAString& value) { + return NS_OK; +} + +// +// CanDrop +// +NS_IMETHODIMP nsCertTree::CanDrop(int32_t index, int32_t orientation, + mozilla::dom::DataTransfer* aDataTransfer, + bool* _retval) { + NS_ENSURE_ARG_POINTER(_retval); + *_retval = false; + + return NS_OK; +} + +// +// Drop +// +NS_IMETHODIMP nsCertTree::Drop(int32_t row, int32_t orient, + mozilla::dom::DataTransfer* aDataTransfer) { + return NS_OK; +} + +// +// IsSorted +// +// ... +// +NS_IMETHODIMP nsCertTree::IsSorted(bool* _retval) { + *_retval = false; + return NS_OK; +} + +#define RETURN_NOTHING + +void nsCertTree::CmpInitCriterion(nsIX509Cert* cert, + CompareCacheHashEntry* entry, + sortCriterion crit, int32_t level) { + NS_ENSURE_TRUE(cert && entry, RETURN_NOTHING); + + entry->mCritInit[level] = true; + nsString& str = entry->mCrit[level]; + + switch (crit) { + case sort_IssuerOrg: + cert->GetIssuerOrganization(str); + if (str.IsEmpty()) cert->GetCommonName(str); + break; + case sort_Org: + cert->GetOrganization(str); + break; + case sort_Token: + cert->GetTokenName(str); + break; + case sort_CommonName: + cert->GetCommonName(str); + break; + case sort_IssuedDateDescending: { + nsresult rv; + nsCOMPtr<nsIX509CertValidity> validity; + PRTime notBefore; + + rv = cert->GetValidity(getter_AddRefs(validity)); + if (NS_SUCCEEDED(rv)) { + rv = validity->GetNotBefore(¬Before); + } + + if (NS_SUCCEEDED(rv)) { + PRExplodedTime explodedTime; + PR_ExplodeTime(notBefore, PR_GMTParameters, &explodedTime); + char datebuf[20]; // 4 + 2 + 2 + 2 + 2 + 2 + 1 = 15 + if (0 != PR_FormatTime(datebuf, sizeof(datebuf), "%Y%m%d%H%M%S", + &explodedTime)) { + str = NS_ConvertASCIItoUTF16(nsDependentCString(datebuf)); + } + } + } break; + case sort_Email: + cert->GetEmailAddress(str); + break; + case sort_None: + default: + break; + } +} + +int32_t nsCertTree::CmpByCrit(nsIX509Cert* a, CompareCacheHashEntry* ace, + nsIX509Cert* b, CompareCacheHashEntry* bce, + sortCriterion crit, int32_t level) { + NS_ENSURE_TRUE(a && ace && b && bce, 0); + + if (!ace->mCritInit[level]) { + CmpInitCriterion(a, ace, crit, level); + } + + if (!bce->mCritInit[level]) { + CmpInitCriterion(b, bce, crit, level); + } + + nsString& str_a = ace->mCrit[level]; + nsString& str_b = bce->mCrit[level]; + + int32_t result; + if (!str_a.IsVoid() && !str_b.IsVoid()) + result = Compare(str_a, str_b, nsCaseInsensitiveStringComparator); + else + result = str_a.IsVoid() ? (str_b.IsVoid() ? 0 : -1) : 1; + + if (sort_IssuedDateDescending == crit) result *= -1; // reverse compare order + + return result; +} + +int32_t nsCertTree::CmpBy(void* cache, nsIX509Cert* a, nsIX509Cert* b, + sortCriterion c0, sortCriterion c1, + sortCriterion c2) { + // This will be called when comparing items for display sorting. + // Some items might have no cert associated, so either a or b is null. + // We want all those orphans show at the top of the list, + // so we treat a null cert as "smaller" by returning -1. + // We don't try to sort within the group of no-cert entries, + // so we treat them as equal wrt sort order. + + if (!a && !b) return 0; + + if (!a) return -1; + + if (!b) return 1; + + NS_ENSURE_TRUE(cache && a && b, 0); + + CompareCacheHashEntry* ace = getCacheEntry(cache, a); + CompareCacheHashEntry* bce = getCacheEntry(cache, b); + + int32_t cmp; + cmp = CmpByCrit(a, ace, b, bce, c0, 0); + if (cmp != 0) return cmp; + + if (c1 != sort_None) { + cmp = CmpByCrit(a, ace, b, bce, c1, 1); + if (cmp != 0) return cmp; + + if (c2 != sort_None) { + return CmpByCrit(a, ace, b, bce, c2, 2); + } + } + + return cmp; +} + +int32_t nsCertTree::CmpCACert(void* cache, nsIX509Cert* a, nsIX509Cert* b) { + // XXX we assume issuer org is always criterion 1 + return CmpBy(cache, a, b, sort_IssuerOrg, sort_Org, sort_Token); +} + +int32_t nsCertTree::CmpUserCert(void* cache, nsIX509Cert* a, nsIX509Cert* b) { + // XXX we assume issuer org is always criterion 1 + return CmpBy(cache, a, b, sort_IssuerOrg, sort_Token, + sort_IssuedDateDescending); +} + +int32_t nsCertTree::CmpEmailCert(void* cache, nsIX509Cert* a, nsIX509Cert* b) { + // XXX we assume issuer org is always criterion 1 + return CmpBy(cache, a, b, sort_IssuerOrg, sort_Email, sort_CommonName); +} diff --git a/security/manager/ssl/nsCertTree.h b/security/manager/ssl/nsCertTree.h new file mode 100644 index 0000000000..d7fd86216c --- /dev/null +++ b/security/manager/ssl/nsCertTree.h @@ -0,0 +1,131 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef _NS_CERTTREE_H_ +#define _NS_CERTTREE_H_ + +#include "nsCOMPtr.h" +#include "nsICertTree.h" +#include "nsITreeSelection.h" +#include "nsIMutableArray.h" +#include "nsNSSComponent.h" +#include "nsTArray.h" +#include "PLDHashTable.h" +#include "mozilla/Attributes.h" + +/* Disable the "base class XXX should be explicitly initialized + in the copy constructor" warning. */ +#if defined(__clang__) +# pragma clang diagnostic push +# pragma clang diagnostic ignored "-Wextra" +#elif defined(__GNUC__) +# pragma GCC diagnostic push +# pragma GCC diagnostic ignored "-Wextra" +#endif // __clang__ || __GNUC__ + +#include "mozilla/dom/XULTreeElement.h" + +#if defined(__clang__) +# pragma clang diagnostic pop +#elif defined(__GNUC__) +# pragma GCC diagnostic pop +#endif // __clang__ || __GNUC__ + +typedef struct treeArrayElStr treeArrayEl; + +struct CompareCacheHashEntry { + enum { max_criterions = 3 }; + CompareCacheHashEntry(); + + void* key; // no ownership + bool mCritInit[max_criterions]; + nsString mCrit[max_criterions]; +}; + +struct CompareCacheHashEntryPtr : PLDHashEntryHdr { + CompareCacheHashEntryPtr(); + ~CompareCacheHashEntryPtr(); + CompareCacheHashEntry* entry; +}; + +class nsCertTreeDispInfo : public nsICertTreeItem { + protected: + virtual ~nsCertTreeDispInfo(); + + public: + explicit nsCertTreeDispInfo(nsIX509Cert* aCert) : mCert(aCert) {} + + NS_DECL_ISUPPORTS + NS_DECL_NSICERTTREEITEM + + nsCOMPtr<nsIX509Cert> mCert; +}; + +class nsCertTree : public nsICertTree { + public: + NS_DECL_ISUPPORTS + NS_DECL_NSICERTTREE + NS_DECL_NSITREEVIEW + + nsCertTree(); + + enum sortCriterion { + sort_IssuerOrg, + sort_Org, + sort_Token, + sort_CommonName, + sort_IssuedDateDescending, + sort_Email, + sort_None + }; + + protected: + virtual ~nsCertTree(); + + void ClearCompareHash(); + void RemoveCacheEntry(void* key); + + typedef int (*nsCertCompareFunc)(void*, nsIX509Cert* a, nsIX509Cert* b); + + static CompareCacheHashEntry* getCacheEntry(void* cache, void* aCert); + static void CmpInitCriterion(nsIX509Cert* cert, CompareCacheHashEntry* entry, + sortCriterion crit, int32_t level); + static int32_t CmpByCrit(nsIX509Cert* a, CompareCacheHashEntry* ace, + nsIX509Cert* b, CompareCacheHashEntry* bce, + sortCriterion crit, int32_t level); + static int32_t CmpBy(void* cache, nsIX509Cert* a, nsIX509Cert* b, + sortCriterion c0, sortCriterion c1, sortCriterion c2); + static int32_t CmpCACert(void* cache, nsIX509Cert* a, nsIX509Cert* b); + static int32_t CmpUserCert(void* cache, nsIX509Cert* a, nsIX509Cert* b); + static int32_t CmpEmailCert(void* cache, nsIX509Cert* a, nsIX509Cert* b); + nsCertCompareFunc GetCompareFuncFromCertType(uint32_t aType); + int32_t CountOrganizations(); + + private: + static const uint32_t kInitialCacheLength = 64; + + nsTArray<RefPtr<nsCertTreeDispInfo>> mDispInfo; + RefPtr<mozilla::dom::XULTreeElement> mTree; + nsCOMPtr<nsITreeSelection> mSelection; + treeArrayEl* mTreeArray; + int32_t mNumOrgs; + int32_t mNumRows; + PLDHashTable mCompareCache; + + treeArrayEl* GetThreadDescAtIndex(int32_t _index); + already_AddRefed<nsIX509Cert> GetCertAtIndex( + int32_t _index, int32_t* outAbsoluteCertOffset = nullptr); + already_AddRefed<nsCertTreeDispInfo> GetDispInfoAtIndex( + int32_t index, int32_t* outAbsoluteCertOffset = nullptr); + void FreeCertArray(); + nsresult UpdateUIContents(); + + nsresult GetCertsByTypeFromCertList( + const nsTArray<RefPtr<nsIX509Cert>>& aCertList, uint32_t aWantedType, + nsCertCompareFunc aCertCmpFn, void* aCertCmpFnArg); + + nsCOMPtr<nsIMutableArray> mCellText; +}; + +#endif /* _NS_CERTTREE_H_ */ diff --git a/security/manager/ssl/nsClientAuthRemember.cpp b/security/manager/ssl/nsClientAuthRemember.cpp new file mode 100644 index 0000000000..91fd774c91 --- /dev/null +++ b/security/manager/ssl/nsClientAuthRemember.cpp @@ -0,0 +1,435 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsClientAuthRemember.h" + +#include "mozilla/BasePrincipal.h" +#include "mozilla/RefPtr.h" +#include "nsCRT.h" +#include "nsINSSComponent.h" +#include "nsPrintfCString.h" +#include "nsNSSComponent.h" +#include "nsIDataStorage.h" +#include "nsIObserverService.h" +#include "nsNetUtil.h" +#include "nsPromiseFlatString.h" +#include "nsThreadUtils.h" +#include "nsStringBuffer.h" +#include "cert.h" +#include "nspr.h" +#include "pk11pub.h" +#include "certdb.h" +#include "sechash.h" +#include "SharedSSLState.h" + +#include "nsJSUtils.h" + +#ifdef XP_MACOSX +# include <CoreFoundation/CoreFoundation.h> +# include <Security/Security.h> +# include "KeychainSecret.h" // for ScopedCFType +#endif // XP_MACOSX + +using namespace mozilla; +using namespace mozilla::psm; + +NS_IMPL_ISUPPORTS(nsClientAuthRememberService, nsIClientAuthRememberService) +NS_IMPL_ISUPPORTS(nsClientAuthRemember, nsIClientAuthRememberRecord) + +const nsCString nsClientAuthRemember::SentinelValue = + "no client certificate"_ns; + +NS_IMETHODIMP +nsClientAuthRemember::GetAsciiHost(/*out*/ nsACString& aAsciiHost) { + aAsciiHost = mAsciiHost; + return NS_OK; +} + +NS_IMETHODIMP +nsClientAuthRemember::GetDbKey(/*out*/ nsACString& aDBKey) { + aDBKey = mDBKey; + return NS_OK; +} + +NS_IMETHODIMP +nsClientAuthRemember::GetEntryKey(/*out*/ nsACString& aEntryKey) { + aEntryKey.Assign(mAsciiHost); + aEntryKey.Append(','); + // This used to include the SHA-256 hash of the server certificate. + aEntryKey.Append(','); + aEntryKey.Append(mOriginAttributesSuffix); + return NS_OK; +} + +nsresult nsClientAuthRememberService::Init() { + if (!NS_IsMainThread()) { + NS_ERROR("nsClientAuthRememberService::Init called off the main thread"); + return NS_ERROR_NOT_SAME_THREAD; + } + + nsCOMPtr<nsIDataStorageManager> dataStorageManager( + do_GetService("@mozilla.org/security/datastoragemanager;1")); + if (!dataStorageManager) { + return NS_ERROR_FAILURE; + } + nsresult rv = + dataStorageManager->Get(nsIDataStorageManager::ClientAuthRememberList, + getter_AddRefs(mClientAuthRememberList)); + if (NS_FAILED(rv)) { + return rv; + } + if (!mClientAuthRememberList) { + return NS_ERROR_FAILURE; + } + + return NS_OK; +} + +NS_IMETHODIMP +nsClientAuthRememberService::ForgetRememberedDecision(const nsACString& key) { + nsresult rv = mClientAuthRememberList->Remove( + PromiseFlatCString(key), nsIDataStorage::DataType::Persistent); + if (NS_FAILED(rv)) { + return rv; + } + nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(NS_NSSCOMPONENT_CID)); + if (!nssComponent) { + return NS_ERROR_NOT_AVAILABLE; + } + return nssComponent->ClearSSLExternalAndInternalSessionCache(); +} + +NS_IMETHODIMP +nsClientAuthRememberService::GetDecisions( + nsTArray<RefPtr<nsIClientAuthRememberRecord>>& results) { + nsTArray<RefPtr<nsIDataStorageItem>> decisions; + nsresult rv = mClientAuthRememberList->GetAll(decisions); + if (NS_FAILED(rv)) { + return rv; + } + + for (const auto& decision : decisions) { + nsIDataStorage::DataType type; + rv = decision->GetType(&type); + if (NS_FAILED(rv)) { + return rv; + } + if (type == nsIDataStorage::DataType::Persistent) { + nsAutoCString key; + rv = decision->GetKey(key); + if (NS_FAILED(rv)) { + return rv; + } + nsAutoCString value; + rv = decision->GetValue(value); + if (NS_FAILED(rv)) { + return rv; + } + RefPtr<nsIClientAuthRememberRecord> tmp = + new nsClientAuthRemember(key, value); + + results.AppendElement(tmp); + } + } + + return NS_OK; +} + +NS_IMETHODIMP +nsClientAuthRememberService::ClearRememberedDecisions() { + nsresult rv = mClientAuthRememberList->Clear(); + if (NS_FAILED(rv)) { + return rv; + } + nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(NS_NSSCOMPONENT_CID)); + if (!nssComponent) { + return NS_ERROR_NOT_AVAILABLE; + } + return nssComponent->ClearSSLExternalAndInternalSessionCache(); +} + +NS_IMETHODIMP +nsClientAuthRememberService::DeleteDecisionsByHost( + const nsACString& aHostName, JS::Handle<JS::Value> aOriginAttributes, + JSContext* aCx) { + OriginAttributes attrs; + if (!aOriginAttributes.isObject() || !attrs.Init(aCx, aOriginAttributes)) { + return NS_ERROR_INVALID_ARG; + } + nsIDataStorage::DataType storageType = GetDataStorageType(attrs); + + nsTArray<RefPtr<nsIDataStorageItem>> decisions; + nsresult rv = mClientAuthRememberList->GetAll(decisions); + if (NS_FAILED(rv)) { + return rv; + } + + for (const auto& decision : decisions) { + nsIDataStorage::DataType type; + nsresult rv = decision->GetType(&type); + if (NS_FAILED(rv)) { + return rv; + } + if (type == storageType) { + nsAutoCString key; + rv = decision->GetKey(key); + if (NS_FAILED(rv)) { + return rv; + } + nsAutoCString value; + rv = decision->GetValue(value); + if (NS_FAILED(rv)) { + return rv; + } + RefPtr<nsIClientAuthRememberRecord> tmp = + new nsClientAuthRemember(key, value); + nsAutoCString asciiHost; + tmp->GetAsciiHost(asciiHost); + if (asciiHost.Equals(aHostName)) { + rv = mClientAuthRememberList->Remove(key, type); + if (NS_FAILED(rv)) { + return rv; + } + } + } + } + nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(NS_NSSCOMPONENT_CID)); + if (!nssComponent) { + return NS_ERROR_NOT_AVAILABLE; + } + return nssComponent->ClearSSLExternalAndInternalSessionCache(); +} + +NS_IMETHODIMP +nsClientAuthRememberService::RememberDecisionScriptable( + const nsACString& aHostName, JS::Handle<JS::Value> aOriginAttributes, + nsIX509Cert* aClientCert, JSContext* aCx) { + OriginAttributes attrs; + if (!aOriginAttributes.isObject() || !attrs.Init(aCx, aOriginAttributes)) { + return NS_ERROR_INVALID_ARG; + } + return RememberDecision(aHostName, attrs, aClientCert); +} + +NS_IMETHODIMP +nsClientAuthRememberService::RememberDecision( + const nsACString& aHostName, const OriginAttributes& aOriginAttributes, + nsIX509Cert* aClientCert) { + if (aHostName.IsEmpty()) { + return NS_ERROR_INVALID_ARG; + } + + // aClientCert == nullptr means: remember that user does not want to use a + // cert + if (aClientCert) { + nsAutoCString dbkey; + nsresult rv = aClientCert->GetDbKey(dbkey); + if (NS_FAILED(rv)) { + return rv; + } + return AddEntryToList(aHostName, aOriginAttributes, dbkey); + } + return AddEntryToList(aHostName, aOriginAttributes, + nsClientAuthRemember::SentinelValue); +} + +#ifdef XP_MACOSX +// On macOS, users can add "identity preference" items in the keychain. These +// can be added via the Keychain Access tool. These specify mappings from +// URLs/wildcards like "*.mozilla.org" to specific client certificates. This +// function retrieves the preferred client certificate for a hostname by +// querying a system API that checks for these identity preferences. +nsresult CheckForPreferredCertificate(const nsACString& aHostName, + nsACString& aCertDBKey) { + aCertDBKey.Truncate(); + // SecIdentityCopyPreferred seems to expect a proper URI which it can use + // for prefix and wildcard matches. + // We don't have the full URL but we can turn the hostname into a URI with + // an authority section, so that it matches against macOS identity preferences + // like `*.foo.com`. If we know that this connection is always going to be + // https, then we should put that in the URI as well, so that it matches + // identity preferences like `https://foo.com/` as well. If we can plumb + // the path or the full URL into this function we could also match identity + // preferences like `https://foo.com/bar/` but for now we cannot. + nsPrintfCString fakeUrl("//%s/", PromiseFlatCString(aHostName).get()); + ScopedCFType<CFStringRef> host(::CFStringCreateWithCString( + kCFAllocatorDefault, fakeUrl.get(), kCFStringEncodingUTF8)); + if (!host) { + return NS_ERROR_UNEXPECTED; + } + ScopedCFType<SecIdentityRef> identity( + ::SecIdentityCopyPreferred(host.get(), NULL, NULL)); + if (!identity) { + // No preferred identity for this hostname, leave aCertDBKey empty and + // return + return NS_OK; + } + SecCertificateRef certRefRaw = NULL; + OSStatus copyResult = + ::SecIdentityCopyCertificate(identity.get(), &certRefRaw); + ScopedCFType<SecCertificateRef> certRef(certRefRaw); + if (copyResult != errSecSuccess || certRef.get() == NULL) { + return NS_ERROR_UNEXPECTED; + } + ScopedCFType<CFDataRef> der(::SecCertificateCopyData(certRef.get())); + if (!der) { + return NS_ERROR_UNEXPECTED; + } + + nsTArray<uint8_t> derArray(::CFDataGetBytePtr(der.get()), + ::CFDataGetLength(der.get())); + nsCOMPtr<nsIX509Cert> cert(new nsNSSCertificate(std::move(derArray))); + return cert->GetDbKey(aCertDBKey); +} +#endif + +void nsClientAuthRememberService::Migrate() { + auto migrated = mMigrated.Lock(); + if (*migrated) { + return; + } + *migrated = true; + + nsTArray<RefPtr<nsIDataStorageItem>> decisions; + nsresult rv = mClientAuthRememberList->GetAll(decisions); + if (NS_FAILED(rv)) { + return; + } + for (const auto& decision : decisions) { + nsIDataStorage::DataType type; + if (NS_FAILED(decision->GetType(&type))) { + continue; + } + if (type != nsIDataStorage::DataType::Persistent) { + continue; + } + nsAutoCString key; + if (NS_FAILED(decision->GetKey(key))) { + continue; + } + nsAutoCString value; + if (NS_FAILED(decision->GetValue(value))) { + continue; + } + RefPtr<nsClientAuthRemember> entry(new nsClientAuthRemember(key, value)); + nsAutoCString newKey; + if (NS_FAILED(entry->GetEntryKey(newKey))) { + continue; + } + if (newKey != key) { + if (NS_FAILED(mClientAuthRememberList->Remove( + key, nsIDataStorage::DataType::Persistent))) { + continue; + } + if (NS_FAILED(mClientAuthRememberList->Put( + newKey, value, nsIDataStorage::DataType::Persistent))) { + continue; + } + } + } +} + +NS_IMETHODIMP +nsClientAuthRememberService::HasRememberedDecision( + const nsACString& aHostName, const OriginAttributes& aOriginAttributes, + nsACString& aCertDBKey, bool* aRetVal) { + NS_ENSURE_ARG_POINTER(aRetVal); + if (aHostName.IsEmpty()) { + return NS_ERROR_INVALID_ARG; + } + + *aRetVal = false; + aCertDBKey.Truncate(); + + Migrate(); + + nsAutoCString entryKey; + RefPtr<nsClientAuthRemember> entry( + new nsClientAuthRemember(aHostName, aOriginAttributes)); + nsresult rv = entry->GetEntryKey(entryKey); + if (NS_FAILED(rv)) { + return rv; + } + nsIDataStorage::DataType storageType = GetDataStorageType(aOriginAttributes); + + nsAutoCString listEntry; + rv = mClientAuthRememberList->Get(entryKey, storageType, listEntry); + if (NS_FAILED(rv) && rv != NS_ERROR_NOT_AVAILABLE) { + return rv; + } + if (NS_SUCCEEDED(rv) && !listEntry.IsEmpty()) { + if (!listEntry.Equals(nsClientAuthRemember::SentinelValue)) { + aCertDBKey = listEntry; + } + *aRetVal = true; + return NS_OK; + } + +#ifdef XP_MACOSX + rv = CheckForPreferredCertificate(aHostName, aCertDBKey); + if (NS_FAILED(rv)) { + return rv; + } + if (!aCertDBKey.IsEmpty()) { + *aRetVal = true; + return NS_OK; + } +#endif + + return NS_OK; +} + +NS_IMETHODIMP +nsClientAuthRememberService::HasRememberedDecisionScriptable( + const nsACString& aHostName, JS::Handle<JS::Value> aOriginAttributes, + nsACString& aCertDBKey, JSContext* aCx, bool* aRetVal) { + OriginAttributes attrs; + if (!aOriginAttributes.isObject() || !attrs.Init(aCx, aOriginAttributes)) { + return NS_ERROR_INVALID_ARG; + } + return HasRememberedDecision(aHostName, attrs, aCertDBKey, aRetVal); +} + +nsresult nsClientAuthRememberService::AddEntryToList( + const nsACString& aHostName, const OriginAttributes& aOriginAttributes, + const nsACString& aDBKey) { + nsAutoCString entryKey; + RefPtr<nsClientAuthRemember> entry( + new nsClientAuthRemember(aHostName, aOriginAttributes)); + nsresult rv = entry->GetEntryKey(entryKey); + if (NS_FAILED(rv)) { + return rv; + } + nsIDataStorage::DataType storageType = GetDataStorageType(aOriginAttributes); + + nsCString tmpDbKey(aDBKey); + rv = mClientAuthRememberList->Put(entryKey, tmpDbKey, storageType); + if (NS_FAILED(rv)) { + return rv; + } + + return NS_OK; +} + +bool nsClientAuthRememberService::IsPrivateBrowsingKey( + const nsCString& entryKey) { + const int32_t separator = entryKey.Find(":"); + nsCString suffix; + if (separator >= 0) { + entryKey.Left(suffix, separator); + } else { + suffix = entryKey; + } + return OriginAttributes::IsPrivateBrowsing(suffix); +} + +nsIDataStorage::DataType nsClientAuthRememberService::GetDataStorageType( + const OriginAttributes& aOriginAttributes) { + if (aOriginAttributes.mPrivateBrowsingId > 0) { + return nsIDataStorage::DataType::Private; + } + return nsIDataStorage::DataType::Persistent; +} diff --git a/security/manager/ssl/nsClientAuthRemember.h b/security/manager/ssl/nsClientAuthRemember.h new file mode 100644 index 0000000000..ec9101739a --- /dev/null +++ b/security/manager/ssl/nsClientAuthRemember.h @@ -0,0 +1,101 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef __NSCLIENTAUTHREMEMBER_H__ +#define __NSCLIENTAUTHREMEMBER_H__ + +#include <utility> + +#include "mozilla/Attributes.h" +#include "mozilla/DataMutex.h" +#include "mozilla/HashFunctions.h" +#include "mozilla/ReentrantMonitor.h" +#include "nsIClientAuthRememberService.h" +#include "nsIDataStorage.h" +#include "nsIObserver.h" +#include "nsNSSCertificate.h" +#include "nsString.h" +#include "nsTHashtable.h" +#include "nsWeakReference.h" + +namespace mozilla { +class OriginAttributes; +} + +using mozilla::OriginAttributes; + +class nsClientAuthRemember final : public nsIClientAuthRememberRecord { + public: + NS_DECL_THREADSAFE_ISUPPORTS + NS_DECL_NSICLIENTAUTHREMEMBERRECORD + + nsClientAuthRemember(const nsACString& aHostName, + const OriginAttributes& aOriginAttributes) { + mAsciiHost.Assign(aHostName); + aOriginAttributes.CreateSuffix(mOriginAttributesSuffix); + } + + nsClientAuthRemember(const nsCString& aEntryKey, const nsCString& aDBKey) { + if (!aDBKey.Equals(nsClientAuthRemember::SentinelValue)) { + mDBKey = aDBKey; + } + + size_t field_index = 0; + for (const auto& field : aEntryKey.Split(',')) { + switch (field_index) { + case 0: + mAsciiHost.Assign(field); + break; + case 1: + break; + case 2: + mOriginAttributesSuffix.Assign(field); + break; + default: + break; + } + field_index++; + } + } + + nsCString mAsciiHost; + nsCString mOriginAttributesSuffix; + nsCString mDBKey; + static const nsCString SentinelValue; + + protected: + ~nsClientAuthRemember() = default; +}; + +class nsClientAuthRememberService final : public nsIClientAuthRememberService { + public: + NS_DECL_THREADSAFE_ISUPPORTS + NS_DECL_NSICLIENTAUTHREMEMBERSERVICE + + nsClientAuthRememberService() + : mMigrated(false, "nsClientAuthRememberService::mMigrated") {} + + nsresult Init(); + + static bool IsPrivateBrowsingKey(const nsCString& entryKey); + + protected: + ~nsClientAuthRememberService() = default; + + static nsIDataStorage::DataType GetDataStorageType( + const OriginAttributes& aOriginAttributes); + + nsCOMPtr<nsIDataStorage> mClientAuthRememberList; + + nsresult AddEntryToList(const nsACString& aHost, + const OriginAttributes& aOriginAttributes, + const nsACString& aDBKey); + + mozilla::DataMutex<bool> mMigrated; + void Migrate(); +}; + +#endif diff --git a/security/manager/ssl/nsICertOverrideService.idl b/security/manager/ssl/nsICertOverrideService.idl new file mode 100644 index 0000000000..6dfd07d6b6 --- /dev/null +++ b/security/manager/ssl/nsICertOverrideService.idl @@ -0,0 +1,143 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsISupports.idl" + +interface nsIArray; +interface nsIX509Cert; + +[ref] native const_OriginAttributesRef(const mozilla::OriginAttributes); + +%{C++ +#define NS_CERTOVERRIDE_CONTRACTID "@mozilla.org/security/certoverride;1" + +namespace mozilla { +class OriginAttributes; +} +%} + +[scriptable, builtinclass, uuid(ed735e24-fa55-4163-906d-17fb78851fe1)] +interface nsICertOverride : nsISupports { + + /** + * The hostname of the server the override is used for. + */ + readonly attribute ACString asciiHost; + + /** + * The port of the server the override is used for. + */ + readonly attribute int32_t port; + + /** + * A combination of hostname and port in the form host:port. + * Since the port can be -1 which is equivalent to port 433 we use an + * existing function of nsCertOverrideService to create this property. + */ + readonly attribute ACString hostPort; + + /** + * The fingerprint for the associated certificate. + */ + readonly attribute ACString fingerprint; + + /** + * The origin attributes associated with this override. + */ + [implicit_jscontext] + readonly attribute jsval originAttributes; +}; + +[scriptable, builtinclass, uuid(be019e47-22fc-4355-9f16-9ab047d6742d)] +interface nsICertOverrideService : nsISupports { + /** + * When making a TLS connection to the given hostname and port (in the + * context of the given origin attributes), if the certificate verifier + * encounters an overridable error when verifying the given certificate, the + * connection will continue (provided overrides are allowed for that host). + * + * @param aHostName The host (punycode) this mapping belongs to + * @param aPort The port this mapping belongs to. If it is -1 then it + * is internaly treated as 443. + * @param aOriginAttributes the origin attributes of the mapping + * @param aCert The certificate used by the server + * @param aTemporary Whether or not to only store the mapping for the session + */ + [binaryname(RememberValidityOverride), noscript, must_use] + void rememberValidityOverrideNative(in AUTF8String aHostName, + in int32_t aPort, + in const_OriginAttributesRef aOriginAttributes, + in nsIX509Cert aCert, + in boolean aTemporary); + [binaryname(RememberValidityOverrideScriptable), implicit_jscontext, must_use] + void rememberValidityOverride(in AUTF8String aHostName, + in int32_t aPort, + in jsval aOriginAttributes, + in nsIX509Cert aCert, + in boolean aTemporary); + + /** + * Return whether this host, port, cert triple has a stored override. + * If so, the outparams will contain the specific errors that were + * overridden, and whether the override is permanent, or only for the current + * session. + * + * @param aHostName The host (punycode) this mapping belongs to + * @param aPort The port this mapping belongs to, if it is -1 then it + * is internally treated as 443 + * @param aCert The certificate this mapping belongs to + * @param aIsTemporary Whether the stored override is session-only, + * or permanent + * @return Whether an override has been stored for this host+port+cert + */ + [binaryname(HasMatchingOverride), noscript, must_use] + boolean hasMatchingOverrideNative(in AUTF8String aHostName, + in int32_t aPort, + in const_OriginAttributesRef aOriginAttributes, + in nsIX509Cert aCert, + out boolean aIsTemporary); + [binaryname(HasMatchingOverrideScriptable), implicit_jscontext, must_use] + boolean hasMatchingOverride(in AUTF8String aHostName, + in int32_t aPort, + in jsval aOriginAttributes, + in nsIX509Cert aCert, + out boolean aIsTemporary); + + /** + * Remove a override for the given hostname:port. + * + * @param aHostName The host (punycode) whose entry should be cleared. + * @param aPort The port whose entry should be cleared. + * If it is -1, then it is internaly treated as 443. + * If it is 0 and aHostName is "all:temporary-certificates", + * then all temporary certificates should be cleared. + */ + [binaryname(ClearValidityOverride), noscript] + void clearValidityOverrideNative(in AUTF8String aHostName, + in int32_t aPort, + in const_OriginAttributesRef aOriginAttributes); + [binaryname(ClearValidityOverrideScriptable), implicit_jscontext] + void clearValidityOverride(in AUTF8String aHostName, + in int32_t aPort, + in jsval aOriginAttributes); + + /** + * Remove all overrides. + */ + void clearAllOverrides(); + + Array<nsICertOverride> getOverrides(); + + /** + * NOTE: This function is used only for testing! + * + * @param aDisable If true, disable all security check and make + * hasMatchingOverride always return true. + */ + void setDisableAllSecurityChecksAndLetAttackersInterceptMyData(in boolean aDisable); + + readonly attribute boolean securityCheckDisabled; +}; diff --git a/security/manager/ssl/nsICertStorage.idl b/security/manager/ssl/nsICertStorage.idl new file mode 100644 index 0000000000..3379aaafe7 --- /dev/null +++ b/security/manager/ssl/nsICertStorage.idl @@ -0,0 +1,265 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsISupports.idl" +#include "nsIVariant.idl" + +%{C++ +#define NS_CERTSTORAGE_CONTRACTID "@mozilla.org/security/certstorage;1" +%} + +/** + * Callback type used to notify callers that an operation performed by + * nsICertStorage has completed. Indicates the result of the requested + * operation, as well as any data returned by the operation. + */ +[scriptable, function, uuid(3f8fe26a-a436-4ad4-9c1c-a53c60973c31)] +interface nsICertStorageCallback : nsISupports { + [must_use] + void done(in nsresult rv, in nsIVariant result); +}; + +/** + * A base interface for representing the revocation state of a certificate. + * Implementing this interface by itself is insufficient; your type must + * implement an inheriting interface that specifies the certificate by issuer + * and serial number or by subject and public key hash. + * Set state to nsICertStorage.STATE_UNSET to mark the certificate as not revoked. + * Set state to nsICertStorage.STATE_ENFORCE to mark the certificate as revoked. + */ +[scriptable, uuid(96db6fd7-6b64-4a5a-955d-310bd9ca4234)] +interface nsIRevocationState : nsISupports { + readonly attribute short state; +}; + +/** + * An interface representing the revocation state of a certificate by issuer + * and serial number. Both issuer name and serial number are base64-encoded. + */ +[scriptable, uuid(23ce3546-f1b9-46f6-8de3-77704da5702f)] +interface nsIIssuerAndSerialRevocationState : nsIRevocationState { + readonly attribute ACString issuer; + readonly attribute ACString serial; +}; + +/** + * An interface representing the revocation state of a certificate by subject + * and pub key hash (the hash algorithm should be SHA-256). Both subject name + * and public key hash are base64-encoded. + */ +[scriptable, uuid(e78b51b4-6fa4-41e2-92ce-e9404f541e96)] +interface nsISubjectAndPubKeyRevocationState : nsIRevocationState { + readonly attribute ACString subject; + readonly attribute ACString pubKey; +}; + +/** + * An interface representing a set of certificates that are covered by a CRLite + * filter. The set is represented by a certificate transparency log ID and a + * pair of timestamps. The timestamps are such that the CRLite aggregator has + * seen every certificate from the specified log with an SCT between the two + * timestamps. + * b64LogID is a base 64-encoded RFC 6962 LogID. + * minTimestamp is the smallest timestamp that the CRLite filter covers. + * maxTimestamp is the largest timestamp that the CRLite filter covers. + */ +[scriptable, uuid(416453f7-29bd-4820-a039-9c2e055d3715)] +interface nsICRLiteCoverage : nsISupports { + readonly attribute ACString b64LogID; + readonly attribute unsigned long long minTimestamp; + readonly attribute unsigned long long maxTimestamp; +}; + +/** + * An interface representing the id and timestamp fields from an RFC 6962 + * SignedCertificateTimestamp struct. + * logID is the id field. + * timestamp is the timestamp field. + */ +[uuid(9676cfc4-6e84-11ec-a30d-d3cd0af86e01)] +interface nsICRLiteTimestamp: nsISupports { + readonly attribute Array<octet> logID; + readonly attribute unsigned long long timestamp; +}; + +/** + * An interface representing a certificate to add to storage. Consists of the + * base64-encoded DER bytes of the certificate (cert), the base64-encoded DER + * bytes of the subject distinguished name of the certificate (subject), and the + * trust of the certificate (one of the nsICertStorage.TRUST_* constants). + * (Note that this implementation does not validate that the given subject DN + * actually matches the subject DN of the certificate, nor that the given cert + * is a valid DER X.509 certificate.) + */ +[scriptable, uuid(27b66f5e-0faf-403b-95b4-bc11691ac50d)] +interface nsICertInfo : nsISupports { + readonly attribute ACString cert; + readonly attribute ACString subject; + readonly attribute short trust; +}; + +[scriptable, uuid(327100a7-3401-45ef-b160-bf880f1016fd)] +interface nsICertStorage : nsISupports { + const octet DATA_TYPE_REVOCATION = 1; + const octet DATA_TYPE_CERTIFICATE = 2; + const octet DATA_TYPE_CRLITE = 3; + const octet DATA_TYPE_CRLITE_FILTER_FULL = 4; + const octet DATA_TYPE_CRLITE_FILTER_INCREMENTAL = 5; + + /** + * Asynchronously check if the backing storage has stored data of the given + * type in the past. This is useful if the backing storage may have had to + * have been deleted and recreated (as in bug 1546361 when we discovered that + * moving from a 32-bit binary to a 64-bit binary caused the DB to become + * unreadable, thus necessitating its deletion and recreation). + */ + [must_use] + void hasPriorData(in octet type, in nsICertStorageCallback callback); + + const short STATE_UNSET = 0; + const short STATE_ENFORCE = 1; + const short STATE_NOT_ENROLLED = 2; + const short STATE_NOT_COVERED = 3; + const short STATE_NO_FILTER = 4; + + /** + * Asynchronously set the revocation states of a set of certificates. + * The given callback is called with the result of the operation when it + * completes. + * Must only be called from the main thread. + */ + [must_use] + void setRevocations(in Array<nsIRevocationState> revocations, + in nsICertStorageCallback callback); + + /** + * Get the revocation state of a certificate. STATE_UNSET indicates the + * certificate is not revoked. STATE_ENFORCE indicates the certificate is + * revoked. + * issuer - issuer name, DER encoded + * serial - serial number, DER encoded + * subject - subject name, DER encoded + * pubkey - public key, DER encoded + * In gecko, must not be called from the main thread. See bug 1541212. + * xpcshell tests may call this from the main thread. + */ + [must_use] + short getRevocationState(in Array<octet> issuer, + in Array<octet> serial, + in Array<octet> subject, + in Array<octet> pubkey); + + /** + * Given the contents of a new CRLite filter, a list containing + * `base64(sha256(subject DN || subject SPKI))` for each enrolled issuer, and + * the filter's timestamp coverage, replaces any existing filter with the new + * one. Also clears any previously-set incremental revocation updates + * ("stashes"). + */ + [must_use] + void setFullCRLiteFilter(in Array<octet> filter, + in Array<ACString> enrolledIssuers, + in Array<nsICRLiteCoverage> coverage, + in nsICertStorageCallback callback); + + /** + * Given the DER-encoded issuer distinguished name, DER-encoded issuer subject public key info, + * the bytes of the value of the serial number (so, not including the DER tag and length) of a + * certificate, and the timestamps from that certificate's embedded SCTs, returns the result of + * looking up the corresponding entry in the currently-saved CRLite filter (if any). + * Returns + * - STATE_ENFORCE if the lookup indicates the certificate is revoked via CRLite, + * - STATE_UNSET if the lookup indicates the certificate is not revoked via CRLite, + * - STATE_NOT_ENROLLED if the issuer is not enrolled in CRLite, or + * - STATE_NOT_COVERED if the issuer is enrolled but the provided timestamps indicate + * that the serial number is not covered by the current CRLite filter. + * - STATE_NO_FILTER if there is no (usable) CRLite filter. + * No lookup is performed in the STATE_NOT_ENROLLED and STATE_NOT_COVERED cases. + */ + [must_use] + short getCRLiteRevocationState(in Array<octet> issuer, + in Array<octet> issuerSPKI, + in Array<octet> serialNumber, + in Array<nsICRLiteTimestamp> timestamps); + + /** + * Given the contents of a CRLite incremental revocation update ("stash"), adds the revocation + * information to the current set of stashed revocations. The basic unit of the stash file is an + * issuer subject public key info hash (sha-256) followed by a number of serial numbers + * corresponding to revoked certificates issued by that issuer. More specifically, each unit + * consists of: + * 4 bytes little-endian: the number of serial numbers following the issuer spki hash + * 1 byte: the length of the issuer spki hash + * issuer spki hash length bytes: the issuer spki hash + * as many times as the indicated serial numbers: + * 1 byte: the length of the serial number + * serial number length bytes: the serial number + * The stash file consists of any number of these units concatenated together. + */ + [must_use] + void addCRLiteStash(in Array<octet> stash, in nsICertStorageCallback callback); + + /** + * Given a DER-encoded issuer subject public key info and the bytes of the value of the serial + * number (so, not including the DER tag and length), determines if the certificate identified by + * this issuer SPKI and serial number is revoked according to the current set of stashed CRLite + * revocation information. + */ + [must_use] + bool isCertRevokedByStash(in Array<octet> issuerSPKI, in Array<octet> serialNumber); + + /** + * Trust flags to use when adding a adding a certificate. + * TRUST_INHERIT indicates a certificate inherits trust from another + * certificate. + * TRUST_ANCHOR indicates the certificate is a root of trust. + */ + const short TRUST_INHERIT = 0; + const short TRUST_ANCHOR = 1; + + /** + * Asynchronously add a list of certificates to the backing storage. + * See the documentation for nsICertInfo. + * The given callback is called with the result of the operation when it + * completes. + * Must only be called from the main thread. + */ + [must_use] + void addCerts(in Array<nsICertInfo> certs, in nsICertStorageCallback callback); + + /** + * Asynchronously remove the certificates with the given sha-256 hashes from + * the backing storage. + * hashes is an array of base64-encoded bytes of the sha-256 hashes of each + * certificate's bytes (DER-encoded). + * The given callback is called with the result of the operation when it + * completes. + * Must only be called from the main thread. + */ + [must_use] + void removeCertsByHashes(in Array<ACString> hashes, + in nsICertStorageCallback callback); + + /** + * Find all certificates in the backing storage with the given subject + * distinguished name. + * subject is the DER-encoded bytes of the subject distinguished name. + * Returns an array of arrays of bytes, where each inner array corresponds to + * the DER-encoded bytes of a certificate that has the given subject (although + * as these certificates were presumably added via addCertBySubject, this + * aspect is never actually valided by nsICertStorage). + * Must not be called from the main thread. See bug 1541212. + */ + [must_use] + Array<Array<octet> > findCertsBySubject(in Array<octet> subject); + + /** + * Get the count of remaining async operations. Called to ensure we don't skip + * or interrupt any operations during fast shutdown. + * Must only be called from the main thread. + */ + [must_use] + int32_t GetRemainingOperationCount(); +}; diff --git a/security/manager/ssl/nsICertTree.idl b/security/manager/ssl/nsICertTree.idl new file mode 100644 index 0000000000..8b506882c3 --- /dev/null +++ b/security/manager/ssl/nsICertTree.idl @@ -0,0 +1,39 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsISupports.idl" +#include "nsITreeView.idl" + +interface nsIX509Cert; + +[scriptable, uuid(d0180863-606e-49e6-8324-cf45ed4dd891)] +interface nsICertTreeItem : nsISupports { + [must_use] + readonly attribute nsIX509Cert cert; +}; + +[scriptable, uuid(55d5ad6b-5572-47fe-941c-f01fe723659e)] +interface nsICertTree : nsITreeView { + [must_use] + void loadCertsFromCache(in Array<nsIX509Cert> cache, in unsigned long type); + + [must_use] + nsIX509Cert getCert(in unsigned long index); + [must_use] + nsICertTreeItem getTreeItem(in unsigned long index); + + [must_use] + void deleteEntryObject(in unsigned long index); +}; + +%{C++ + +#define NS_CERTTREE_CID { 0x4ea60761, 0x31d6, 0x491d, \ + { 0x9e, 0x34, 0x4b, 0x53, 0xa2, 0x6c, 0x41, 0x6c } } + +#define NS_CERTTREE_CONTRACTID "@mozilla.org/security/nsCertTree;1" + +%} diff --git a/security/manager/ssl/nsICertificateDialogs.idl b/security/manager/ssl/nsICertificateDialogs.idl new file mode 100644 index 0000000000..7df24d94e0 --- /dev/null +++ b/security/manager/ssl/nsICertificateDialogs.idl @@ -0,0 +1,68 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsISupports.idl" + +interface nsIInterfaceRequestor; +interface nsIX509Cert; + +/** + * Functions that implement user interface dialogs to manage certificates. + */ +[scriptable, uuid(da871dab-f69e-4173-ab26-99fcd47b0e85)] +interface nsICertificateDialogs : nsISupports +{ + /** + * UI shown when a user is asked to download a new CA cert. + * Provides user with ability to choose trust settings for the cert. + * Asks the user to grant permission to import the certificate. + * + * @param ctx A user interface context. + * @param cert The certificate that is about to get installed. + * @param trust A bit mask of trust flags. + * See nsIX509CertDB for possible values. + * + * @return true if the user allows to import the certificate. + */ + [must_use] + boolean confirmDownloadCACert(in nsIInterfaceRequestor ctx, + in nsIX509Cert cert, + out unsigned long trust); + + /** + * UI shown when a user's personal certificate is going to be + * exported to a backup file. + * The implementation of this dialog should make sure to prompt the user to + * type the password twice in order to confirm correct input. + * The wording in the dialog should also motivate the user to enter a strong + * password. + * + * @param ctx A user interface context. + * @param password The password provided by the user. + * + * @return false if the user requests to cancel. + */ + [must_use] + boolean setPKCS12FilePassword(in nsIInterfaceRequestor ctx, + out AString password); + + /** + * UI shown when a user is about to restore a personal + * certificate from a backup file. + * The user is requested to enter the password + * that was used in the past to protect that backup file. + * + * @param ctx A user interface context. + * @param password The password provided by the user. + * + * @return false if the user requests to cancel. + */ + [must_use] + boolean getPKCS12FilePassword(in nsIInterfaceRequestor ctx, + out AString password); +}; + +%{C++ +#define NS_CERTIFICATEDIALOGS_CONTRACTID "@mozilla.org/nsCertificateDialogs;1" +%} diff --git a/security/manager/ssl/nsIClientAuthDialogService.idl b/security/manager/ssl/nsIClientAuthDialogService.idl new file mode 100644 index 0000000000..e5e0f9f407 --- /dev/null +++ b/security/manager/ssl/nsIClientAuthDialogService.idl @@ -0,0 +1,43 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsISupports.idl" + +interface nsILoadContext; +interface nsIX509Cert; + +[scriptable, function, uuid(6b00d96d-fb8a-4c9f-9632-c9e1235befce)] +interface nsIClientAuthDialogCallback : nsISupports +{ + void certificateChosen(in nsIX509Cert cert, in bool rememberDecision); +}; + +/** + * Provides UI when a server requests a TLS client authentication certificate. + */ +[scriptable, uuid(fa4c7520-1433-11d5-ba24-00108303b117)] +interface nsIClientAuthDialogService : nsISupports +{ + /** + * Called when a user is asked to choose a certificate for client auth. + * + * @param hostname Hostname of the server. + * @param certArray Array of certificates the user can choose from. + * @param loadContext The nsILoadContext of the connection requesting a + * certificate. May be null, in which case the + * implementation will use the most recent window to show + * UI. + * @param callback The nsIClientAuthDialogCallback to call when a certificate + * has been chosen (or no certificate). + */ + [must_use] + void chooseCertificate(in AUTF8String hostname, + in Array<nsIX509Cert> certArray, + in nsILoadContext loadContext, + in nsIClientAuthDialogCallback callback); +}; + +%{C++ +#define NS_CLIENTAUTHDIALOGSERVICE_CONTRACTID "@mozilla.org/security/ClientAuthDialogService;1" +%} diff --git a/security/manager/ssl/nsIClientAuthRememberService.idl b/security/manager/ssl/nsIClientAuthRememberService.idl new file mode 100644 index 0000000000..8797bae869 --- /dev/null +++ b/security/manager/ssl/nsIClientAuthRememberService.idl @@ -0,0 +1,65 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsISupports.idl" + +%{ C++ +#include "mozilla/OriginAttributes.h" + +#define NS_CLIENTAUTHREMEMBERSERVICE_CONTRACTID "@mozilla.org/security/clientAuthRememberService;1" +%} + +interface nsIX509Cert; + +[ref] native const_OriginAttributesRef(const mozilla::OriginAttributes); + +[scriptable, uuid(e92825af-7e81-4b5c-b412-8e1dd36d14fe)] +interface nsIClientAuthRememberRecord : nsISupports +{ + readonly attribute ACString asciiHost; + readonly attribute ACString dbKey; + readonly attribute ACString entryKey; +}; + +[scriptable, uuid(1dbc6eb6-0972-4bdb-9dc4-acd0abf72369)] +interface nsIClientAuthRememberService : nsISupports +{ + + [must_use] + void forgetRememberedDecision(in ACString key); + + + [must_use] + Array<nsIClientAuthRememberRecord> getDecisions(); + + + [must_use, noscript] + void rememberDecision(in ACString aHostName, + in const_OriginAttributesRef aOriginAttributes, + in nsIX509Cert aClientCert); + + [implicit_jscontext] + void rememberDecisionScriptable(in ACString aHostName, + in jsval originAttributes, + in nsIX509Cert aClientCert); + + [must_use, noscript] + bool hasRememberedDecision(in ACString aHostName, + in const_OriginAttributesRef aOriginAttributes, + out ACString aCertDBKey); + + [implicit_jscontext] + bool hasRememberedDecisionScriptable(in ACString aHostName, + in jsval originAttributes, + out ACString aCertDBKey); + + [must_use] + void clearRememberedDecisions(); + + [implicit_jscontext] + void deleteDecisionsByHost(in ACString aHostName, + in jsval aOriginAttributes); +}; diff --git a/security/manager/ssl/nsIContentSignatureVerifier.idl b/security/manager/ssl/nsIContentSignatureVerifier.idl new file mode 100644 index 0000000000..e5442845d5 --- /dev/null +++ b/security/manager/ssl/nsIContentSignatureVerifier.idl @@ -0,0 +1,49 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + + +#include "nsISupports.idl" +#include "nsIX509CertDB.idl" + +interface nsIContentSignatureReceiverCallback; + +/** + * An interface for verifying content-signatures, inspired by + * https://tools.ietf.org/html/draft-thomson-http-content-signature-00 + * described here https://github.com/franziskuskiefer/content-signature/tree/pki + */ +[scriptable, uuid(45a5fe2f-c350-4b86-962d-02d5aaaa955a)] +interface nsIContentSignatureVerifier : nsISupports +{ + const AppTrustedRoot ContentSignatureProdRoot = 1; + const AppTrustedRoot ContentSignatureStageRoot = 2; + const AppTrustedRoot ContentSignatureDevRoot = 3; + const AppTrustedRoot ContentSignatureLocalRoot = 4; + + /** + * Verifies that the data matches the data that was used to generate the + * signature. + * + * @param aData The data to be tested. + * @param aContentSignatureHeader The content-signature header, + * url-safe base64 encoded. + * @param aCertificateChain The certificate chain to use for verification. + * PEM encoded string. + * @param aHostname The hostname for which the end entity must + * be valid. + * @param aTrustedRoot The identifier corresponding to the + * expected root certificate of the + * certificate chain (note that the root need + * not actually be included in the chain). + * @returns Promise that resolves with the value true if the signature + * matches the data and aCertificateChain is valid within aContext, + * and false if not. Rejects if another error occurred. + */ + [implicit_jscontext, must_use] + Promise asyncVerifyContentSignature(in ACString aData, + in ACString aContentSignatureHeader, + in ACString aCertificateChain, + in ACString aHostname, + in AppTrustedRoot aTrustedRoot); +}; diff --git a/security/manager/ssl/nsICryptoHash.idl b/security/manager/ssl/nsICryptoHash.idl new file mode 100644 index 0000000000..2aa0ebb242 --- /dev/null +++ b/security/manager/ssl/nsICryptoHash.idl @@ -0,0 +1,109 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsISupports.idl" + +interface nsIInputStream; + +/** + * nsICryptoHash + * This interface provides crytographic hashing algorithms. + */ + +[builtinclass, scriptable, uuid(1e5b7c43-4688-45ce-92e1-77ed931e3bbe)] +interface nsICryptoHash : nsISupports +{ + /** + * Hashing Algorithms. These values are to be used by the + * |init| method to indicate which hashing function to + * use. These values must be identical to the values defined + * in security/nss/lib/util/hasht.h in type HASH_HashType. + * This allows us to use NSS mapping functions like + * HASH_GetHashOidTagByHashType with these values. + */ + const unsigned long MD5 = 2; /* String value: "md5" */ + const unsigned long SHA1 = 3; /* String value: "sha1" */ + const unsigned long SHA256 = 4; /* String value: "sha256" */ + const unsigned long SHA384 = 5; /* String value: "sha384" */ + const unsigned long SHA512 = 6; /* String value: "sha512" */ + + /** + * Initialize the hashing object. This method may be + * called multiple times with different algorithm types. + * + * @param aAlgorithm the algorithm type to be used. + * This value must be one of the above valid + * algorithm types. + * + * @throws NS_ERROR_INVALID_ARG if an unsupported algorithm + * type is passed. + * + * NOTE: This method or initWithString must be called + * before any other method on this interface is called. + */ + void init(in unsigned long aAlgorithm); + + /** + * Initialize the hashing object. This method may be + * called multiple times with different algorithm types. + * + * @param aAlgorithm the algorithm type to be used. + * + * @throws NS_ERROR_INVALID_ARG if an unsupported algorithm + * type is passed. + * + * NOTE: This method or init must be called before any + * other method on this interface is called. + */ + [must_use] + void initWithString(in ACString aAlgorithm); + + /** + * @param aData a buffer to calculate the hash over + * + * @param aLen the length of the buffer |aData| + * + * @throws NS_ERROR_NOT_INITIALIZED If |init| has not been called. + */ + void update([const, array, size_is(aLen)] in octet aData, in unsigned long aLen); + + /** + * Calculates and updates a new hash based on a given data stream. + * + * @param aStream an input stream to read from. + * + * @param aLen How much to read from the given |aStream|. Passing UINT32_MAX + * indicates that all data available will be used to update the hash. + * + * @throws NS_ERROR_NOT_INITIALIZED If |init| has not been called. + * + * @throws NS_ERROR_NOT_AVAILABLE If the requested amount of + * data to be calculated into the hash is not available. + * + */ + [must_use] + void updateFromStream(in nsIInputStream aStream, in unsigned long aLen); + + /** + * Completes this hash object and produces the actual hash data. + * + * @param aASCII If true then the returned value is a base64 encoded string. + * If false, then the returned value is binary data. + * + * @return a hash of the data that was read by this object. This can + * be either binary data or base 64 encoded. + * + * @throws NS_ERROR_NOT_INITIALIZED If |init| has not been called. + * + * NOTE: This method may be called any time after |init| + * is called. This call resets the object to its + * pre-init state. + */ + ACString finish(in boolean aASCII); +}; + +%{C++ +nsresult NS_NewCryptoHash(uint32_t aHashType, nsICryptoHash** aOutHasher); +nsresult NS_NewCryptoHash(const nsACString& aHashType, nsICryptoHash** aOutHasher); +%} diff --git a/security/manager/ssl/nsIDataStorage.idl b/security/manager/ssl/nsIDataStorage.idl new file mode 100644 index 0000000000..3fe2c87f77 --- /dev/null +++ b/security/manager/ssl/nsIDataStorage.idl @@ -0,0 +1,119 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsISupports.idl" + +interface nsIDataStorage; +interface nsIDataStorageItem; + +[scriptable, uuid(71b49926-fd4e-43e2-ab8d-d9b049413c0b)] +interface nsIDataStorageManager : nsISupports { + // Because of its specialized nature, nsIDataStorage instances are limited to + // the following pre-defined set. To add a new type of data storage, add an + // entry to the enum and get review from someone on the security and privacy + // engineering team. + cenum DataStorage : 8 { + AlternateServices, + ClientAuthRememberList, + SiteSecurityServiceState, + }; + + nsIDataStorage get(in nsIDataStorageManager_DataStorage dataStorage); +}; + +/** + * nsIDataStorage is a threadsafe, generic, narrow string-based hash map that + * persists data on disk and additionally handles private (temporary) data. + * The file format is portable across architectures. If used in a context where + * there is no profile directory, data will not be persisted. + * + * Its lifecycle is as follows: + * - Use nsIDataStorageManager to obtain the nsIDataStorage of a particular + * purpose. Its backing file will be read on a background thread. + * - Should the profile directory not be available, (e.g. in xpcshell), + * nsIDataStorage will not read any persistent data. + * - When data in the nsIDataStorage changes, those changes will be written + * to the backing file on a background thread. If the program crashes or is + * closed unexpectedly before the write completes, the changes may be lost. + * If the changes were an update to previously stored data, the original data + * may be lost as well. A checksum associated with each entry helps identify + * incompletely written entries. + * - nsIDataStorage does not support transactions. Each entry is independent of + * the others. + * - When an nsIDataStorage instance observes the topic "profile-before-change" + * in anticipation of shutdown, no more changes will be written to the + * backing file. To ensure no data is lost, users of nsIDataStorage should + * not attempt to change any data after this point. + * If "profile-before-change" is not observed, this happens upon observing + * "xpcom-shutdown-threads". + * - To prevent unbounded memory and disk use, the number of entries in each + * table is limited to 2048. Evictions are handled in by a modified LRU scheme + * (see implementation comments). + * - Note that instances of nsIDataStorage have long lifetimes because they are + * strong observers of events and won't go away until the observer service + * does. + * + * For each key/value: + * - The key must have a length no more than 256. + * - The value have a length no more than 1024 (24 for the site security + * service state). + * The length limits are to prevent unbounded disk and memory usage, and + * nsIDataStorage will throw/return an error if given keys or values of + * excess length. + * Take care when storing data containing bytes that may be 0. When read + * from disk, all trailing 0 bytes from keys and values are stripped. + */ +[scriptable, uuid(fcbb5ec4-7134-4069-91c6-9378eff51e03)] +interface nsIDataStorage : nsISupports { + /** + * Data that is Persistent is saved on disk. Data that is Private is not + * saved. Private is meant to only be set and accessed from private contexts. + * It will be cleared upon observing the event "last-pb-context-exited". + */ + cenum DataType : 8 { + Persistent, + Private, + }; + + // Given a key and a type of data, returns a value. Returns + // NS_ERROR_NOT_AVAILABLE if the key is not present for that type of data. + // This operation may block the current thread until the background task + // reading the backing file from disk has completed. + ACString get(in ACString key, in nsIDataStorage_DataType type); + + // Give a key, value, and type of data, adds an entry as appropriate. + // Updates existing entries. + // This operation may block the current thread until the background task + // reading the backing file from disk has completed. + void put(in ACString key, in ACString value, in nsIDataStorage_DataType type); + + // Given a key and type of data, removes an entry if present. + // This operation may block the current thread until the background task + // reading the backing file from disk has completed. + void remove(in ACString key, in nsIDataStorage_DataType type); + + // Removes all entries of all types of data. + // This operation may block the current thread until the background task + // reading the backing file from disk has completed. + void clear(); + + // Returns true if this data storage is ready to be used. To avoid blocking + // when calling other nsIDataStorage functions, callers may wish to first + // ensure this function returns true. + bool isReady(); + + // Read all of the data items. + // This operation may block the current thread until the background task + // reading the backing file from disk has completed. + Array<nsIDataStorageItem> getAll(); +}; + +[scriptable, uuid(4501f984-0e3a-4199-a67e-7753649e93f1)] +interface nsIDataStorageItem : nsISupports { + readonly attribute ACString key; + readonly attribute ACString value; + readonly attribute nsIDataStorage_DataType type; +}; diff --git a/security/manager/ssl/nsINSSComponent.idl b/security/manager/ssl/nsINSSComponent.idl new file mode 100644 index 0000000000..9c45a84090 --- /dev/null +++ b/security/manager/ssl/nsINSSComponent.idl @@ -0,0 +1,107 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsISupports.idl" + +%{C++ +#include "cert.h" +#include "SharedCertVerifier.h" +#define PSM_COMPONENT_CONTRACTID "@mozilla.org/psm;1" +%} + +[ptr] native CERTCertificatePtr(CERTCertificate); +[ptr] native SharedCertVerifierPtr(mozilla::psm::SharedCertVerifier); + +[scriptable, uuid(a0a8f52b-ea18-4abc-a3ca-eccf704ffe63)] +interface nsINSSComponent : nsISupports { + /** + * When we log out of a PKCS#11 token, any TLS connections that may have + * involved a client certificate stored on that token must be closed. Since we + * don't have a fine-grained way to do this, we basically cancel everything. + * More speficially, this clears all temporary certificate exception overrides + * and any remembered client authentication certificate decisions, and then + * cancels all network connections (strictly speaking, this last part is + * overzealous - we only need to cancel all https connections (see bug + * 1446645)). + */ + [noscript] void logoutAuthenticatedPK11(); + + /** + * Used to determine if the given certificate (represented as an array of + * bytes) is the certificate we use in tests to simulate a built-in root + * certificate. Returns false in non-debug builds. + */ + [noscript] bool isCertTestBuiltInRoot(in Array<octet> cert); + + /** + * If enabled by the preference "security.enterprise_roots.enabled", returns + * an array of arrays of bytes representing the imported enterprise root + * certificates (i.e. root certificates gleaned from the OS certificate + * store). Returns an empty array otherwise. + * Currently this is only implemented on Windows and MacOS X, so this + * function returns an empty array on all other platforms. + */ + Array<Array<octet> > getEnterpriseRoots(); + ACString getEnterpriseRootsPEM(); + + /** + * Similarly, but for intermediate certificates. + */ + Array<Array<octet> > getEnterpriseIntermediates(); + ACString getEnterpriseIntermediatesPEM(); + + /** + * Test utility for adding an intermediate certificate to the current set of + * imported enterprise intermediates, if any. Additions to the set made using + * this function will be cleared when the value of the preference + * "security.enterprise_roots.enabled" changes. + */ + void addEnterpriseIntermediate(in Array<octet> intermediateBytes); + + /** + * For performance reasons, the builtin roots module is loaded on a background + * thread. When any code that depends on the builtin roots module runs, it + * must first wait for the module to be loaded. + */ + [noscript] void blockUntilLoadableCertsLoaded(); + + /** + * In theory a token on a PKCS#11 module can be inserted or removed at any + * time. Operations that may depend on resources on external tokens should + * call this to ensure they have a recent view of the token. + */ + [noscript] void checkForSmartCardChanges(); + + /** + * Used to potentially detect when a user's internet connection is being + * intercepted. When doing an update ping, if certificate verification fails, + * we make a note of the issuer distinguished name of that certificate. + * If a subsequent certificate verification fails, we compare issuer + * distinguished names. If they match, something may be intercepting the + * user's traffic (if they don't match, the server is likely misconfigured). + * This function succeeds if the given DN matches the noted DN and fails + * otherwise (e.g. if the update ping never failed). + */ + [noscript] void issuerMatchesMitmCanary(in string certIssuer); + + /** + * Returns an already-adrefed handle to the currently configured shared + * certificate verifier. + */ + [noscript] SharedCertVerifierPtr getDefaultCertVerifier(); + + /** + * For clearing both SSL internal and external session cache from JS. + * WARNING: May be racy when using the socket process. + */ + void clearSSLExternalAndInternalSessionCache(); + + /** + * For clearing both SSL internal and external session cache from JS. + */ + [implicit_jscontext] + Promise asyncClearSSLExternalAndInternalSessionCache(); +}; diff --git a/security/manager/ssl/nsINSSErrorsService.idl b/security/manager/ssl/nsINSSErrorsService.idl new file mode 100644 index 0000000000..e68cba3a05 --- /dev/null +++ b/security/manager/ssl/nsINSSErrorsService.idl @@ -0,0 +1,72 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsISupports.idl" + +[scriptable, uuid(12f60021-e14b-4020-99d1-ed2c795be66a)] +interface nsINSSErrorsService : nsISupports +{ + /** + * @param aNSPRCode An error code obtained using PR_GetError() + * @return True if it is error code defined by the NSS library + */ + [must_use] + boolean isNSSErrorCode(in int32_t aNSPRCode); + + /** + * Function will fail if aNSPRCode is not an NSS error code. + * @param aNSPRCode An error code obtained using PR_GetError() + * @return The result of the conversion, an XPCOM error code + */ + [must_use] + nsresult getXPCOMFromNSSError(in int32_t aNSPRCode); + + /** + * Function will fail if aXPCOMErrorCode is not an NSS error code. + * @param aXPCOMErrorCode An error code obtained using getXPCOMFromNSSError + * return A localized human readable error explanation. + */ + AString getErrorMessage(in nsresult aXPCOMErrorCode); + + /** + * Function will fail if aXPCOMErrorCode is not an NSS error code. + * @param aXPCOMErrorCode An error code obtained using getXPCOMFromNSSError + * return the error class of the code, either ERROR_CLASS_BAD_CERT + * or ERROR_CLASS_SSL_PROTOCOL + */ + [must_use] + uint32_t getErrorClass(in nsresult aXPCOMErrorCode); + + const unsigned long ERROR_CLASS_SSL_PROTOCOL = 1; + const unsigned long ERROR_CLASS_BAD_CERT = 2; + + /** + * The following values define the range of NSPR error codes used by NSS. + * NSS remains the authorative source for these numbers, as a result, + * the values might change in the future. + * The security module will perform a runtime check and assertion + * to ensure the values are in synch with NSS. + */ + const long NSS_SEC_ERROR_BASE = -(0x2000); + const long NSS_SEC_ERROR_LIMIT = (NSS_SEC_ERROR_BASE + 1000); + const long NSS_SSL_ERROR_BASE = -(0x3000); + const long NSS_SSL_ERROR_LIMIT = (NSS_SSL_ERROR_BASE + 1000); + + /** + * The error codes within each module must fit in 16 bits. We want these + * errors to fit in the same module as the NSS errors but not overlap with + * any of them. Converting an NSS SEC, NSS SSL, or mozilla::pkix error to + * an NS error involves negating the value of the error and then + * synthesizing an error in the NS_ERROR_MODULE_SECURITY module. Hence, + * mozilla::pkix errors will start at a negative value that both doesn't + * overlap with the current value ranges for NSS errors and that will fit + * in 16 bits when negated. + * + * Keep these in sync with pkixnss.h. + */ + const long MOZILLA_PKIX_ERROR_BASE = -(0x4000); + const long MOZILLA_PKIX_ERROR_LIMIT = (MOZILLA_PKIX_ERROR_BASE + 1000); +}; diff --git a/security/manager/ssl/nsINSSVersion.idl b/security/manager/ssl/nsINSSVersion.idl new file mode 100644 index 0000000000..000f221e61 --- /dev/null +++ b/security/manager/ssl/nsINSSVersion.idl @@ -0,0 +1,37 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsISupports.idl" + +%{C++ +#define NS_NSSVERSION_CONTRACTID "@mozilla.org/security/nssversion;1" +%} + +[scriptable, uuid(a8a53a2b-75cc-4c68-a9bb-9791dbddaa00)] +interface nsINSSVersion : nsISupports { + /* Minimal required versions as used at build time */ + [must_use] + readonly attribute AString NSPR_MinVersion; + [must_use] + readonly attribute AString NSS_MinVersion; + [must_use] + readonly attribute AString NSSUTIL_MinVersion; + [must_use] + readonly attribute AString NSSSSL_MinVersion; + [must_use] + readonly attribute AString NSSSMIME_MinVersion; + + /* Versions of libraries currently in use */ + [must_use] + readonly attribute AString NSPR_Version; + [must_use] + readonly attribute AString NSS_Version; + [must_use] + readonly attribute AString NSSUTIL_Version; + [must_use] + readonly attribute AString NSSSSL_Version; + [must_use] + readonly attribute AString NSSSMIME_Version; +}; diff --git a/security/manager/ssl/nsIOSKeyStore.idl b/security/manager/ssl/nsIOSKeyStore.idl new file mode 100644 index 0000000000..1306ba4ae1 --- /dev/null +++ b/security/manager/ssl/nsIOSKeyStore.idl @@ -0,0 +1,112 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsISupports.idl" + +[scriptable, uuid(57972956-5718-42d2-8070-b3fc72212eaf)] +interface nsIOSKeyStore: nsISupports { + /** + * This interface provides encryption and decryption operations for data at + * rest. The key used to encrypt and decrypt the data is stored in the OS + * key store. + * + * NB: To first authenticate the user to the system, use + * nsIOSReauthenticator. + * + * Usage: + * + * // obtain the singleton OSKeyStore instance + * const oskeystore = Cc["@mozilla.org/security/oskeystore;1"].getService(Ci.nsIOSKeyStore); + * + * const PASSWORD_LABEL = "mylabel1"; + * + * // Check if there's a secret for your label already. + * if (!await oskeystore.asyncSecretAvailable(PASSWORD_LABEL)) { + * // Fail or generate a new secret for your label. + * // If you want to generate a new secret, do. + * // Hold onto `recoveryPhrase` to present to the user. + * let recoveryPhrase = await oskeystore.asyncGenerateSecret(PASSWORD_LABEL); + * } + * + * // Assuming there's a secret with your label. Encrypt/Decrypt as follows. + * let encryptedPasswordBytes = await oskeystore.asyncEncryptBytes(PASSWORD_LABEL, passwordBytes); + * let newPasswordBytes = await oskeystore.asyncDecryptBytes(PASSWORD_LABEL, encryptedPasswordBytes); + * + * // Delete the secret from the key store. + * await oskeystore.asyncDeleteSecret(PASSWORD_LABEL); + * + * // Recover a secret from a recovery code. + * await oskeystore.asyncRecoverSecret(PASSWORD_LABEL, recoveryPhrase); + */ + + /** + * Generate a new secret and store it in the OS key store with the given label. + * The caller should make sure that no other secrets with the same label are + * present before calling this function. + * This invalidates all previous ciphertexts created with the key + * corresponding to the given label. + * + * @param label The label to use for the secret. + * @return Promise that resolves to the recoveryPhrase string used to generate + * the secret. + */ + [implicit_jscontext, must_use] + Promise asyncGenerateSecret(in ACString label); + + /** + * Check whether a secret for a given label exists. + * + * @param label The label to lookup. + * @return Promise that resolves to a bool (whether a secret with label is + * known or not) or an error. + */ + [implicit_jscontext, must_use] + Promise asyncSecretAvailable(in ACString label); + + /** + * Set a secret from a given recovery phrase. + * This might not be implemented on all platforms. + * This invalidates all previous ciphertexts. + * + * @param label The label to use for the secret. + * @param recoveryPhrase The recovery phrase that's used to generate the secret. + * @return Promise that resolves to undefined or an error. + */ + [implicit_jscontext, must_use] + Promise asyncRecoverSecret(in ACString label, in ACString recoveryPhrase); + + /** + * Delete secret with a given label. If there is no secret with the given + * label, no action is taken. + * + * @param label The label of the secret to delete. + * @return Promise that resolves to undefined or an error. + */ + [implicit_jscontext, must_use] + Promise asyncDeleteSecret(in ACString label); + + + /** + * Encrypt the given data and then return the result as a base64-encoded + * string. + * + * @param label The label of the key to use to encrypt. + * @param inBytes The bytes to encrypt. + * @return Promise resolving to the encrypted text, encoded as Base64, or an + * error. + */ + [implicit_jscontext, must_use] + Promise asyncEncryptBytes(in ACString label, in Array<uint8_t> inBytes); + + /** + * Decode and then decrypt the given base64-encoded string. + * + * @param label The label of the key to use to decrypt. + * @param encryptedBase64Text Encrypted input text, encoded as Base64. + * @return Promise resolving to the plaintext bytes or an error. + */ + [implicit_jscontext, must_use] + Promise asyncDecryptBytes(in ACString label, in ACString encryptedBase64Text); +}; diff --git a/security/manager/ssl/nsIOSReauthenticator.idl b/security/manager/ssl/nsIOSReauthenticator.idl new file mode 100644 index 0000000000..753322ced5 --- /dev/null +++ b/security/manager/ssl/nsIOSReauthenticator.idl @@ -0,0 +1,45 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsISupports.idl" + +interface mozIDOMWindow; + +[scriptable, uuid(4fe082ae-6ff0-4b41-b24f-eaa664f6e46a)] +interface nsIOSReauthenticator: nsISupports { + /** + * This interface provides an abstract way to request that the user + * reauthenticate themselves to the operating system. It may be useful in + * conjunction with nsIOSKeyStore, whereby consumers of these APIs may + * consider some secrets too sensitive to access without first + * reauthenticating the user. + * + * Usage: + * + * // obtain the singleton nsIOSReauthenticator instance + * const reauthenticator = Cc["@mozilla.org/security/osreauthenticator;1"] + * .getService(Ci.nsIOSReauthenticator); + * if (await reauthenticator.asyncReauthenticate()) { + * // do something only authenticated users are allowed to do... + * } else { + * // show a "sorry, this isn't allowed" error + * } + */ + + /** + * Asynchronously cause the operating system to request that the user + * reauthenticate. This is typically in the form of a dialog box asking the + * user for their login password. The actual behaviour of this depends on the + * OS. + * + * @param prompt A short string that may be incorporated in the dialog + * @param caption A short string that may be shown as the dialog caption (usually Product Name) + * @param parentWindow Used to associate the OS dialog with the calling window. + * @return Promise resolving to true if the user successfully authenticated + * and false otherwise. + */ + [implicit_jscontext, must_use] + Promise asyncReauthenticateUser(in AString prompt, in AString caption, in mozIDOMWindow parentWindow); +}; diff --git a/security/manager/ssl/nsIPK11Token.idl b/security/manager/ssl/nsIPK11Token.idl new file mode 100644 index 0000000000..ae8fc2e994 --- /dev/null +++ b/security/manager/ssl/nsIPK11Token.idl @@ -0,0 +1,81 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsISupports.idl" + +[scriptable, uuid(51191434-1dd2-11b2-a17c-e49c4e99a4e3)] +interface nsIPK11Token : nsISupports +{ + /* + * The name of the token + */ + [must_use] + readonly attribute AUTF8String tokenName; + [must_use] + readonly attribute boolean isInternalKeyToken; + /** + * Manufacturer ID of the token. + */ + [must_use] + readonly attribute AUTF8String tokenManID; + /** + * Hardware version of the token. + */ + [must_use] + readonly attribute AUTF8String tokenHWVersion; + /** + * Firmware version of the token. + */ + [must_use] + readonly attribute AUTF8String tokenFWVersion; + [must_use] + readonly attribute AUTF8String tokenSerialNumber; + + /* + * Login information + */ + [must_use] + boolean isLoggedIn(); + [must_use] + void login(in boolean force); + [must_use] + void logoutSimple(); + [must_use] + void logoutAndDropAuthenticatedResources(); + [must_use] + boolean needsLogin(); + [must_use] + readonly attribute boolean needsUserInit; + + /* + * Reset password + */ + [must_use] + void reset(); + + /** + * Checks whether the given password is correct. Logs the token out if an + * incorrect password is given. + * + * @param password The password to check. + * @return true if the password was correct, false otherwise. + */ + [must_use] + boolean checkPassword(in AUTF8String password); + [must_use] + void initPassword(in AUTF8String initialPassword); + [must_use] + void changePassword(in AUTF8String oldPassword, in AUTF8String newPassword); + + /* + * True if a password has been configured for this token, and false otherwise. + * (Whether or not the user is currently logged in makes no difference.) + * In particular, this can be used to determine if a user has set a master + * password (if this is the internal key token). + */ + [must_use] + readonly attribute boolean hasPassword; +}; diff --git a/security/manager/ssl/nsIPK11TokenDB.idl b/security/manager/ssl/nsIPK11TokenDB.idl new file mode 100644 index 0000000000..c493e0c57c --- /dev/null +++ b/security/manager/ssl/nsIPK11TokenDB.idl @@ -0,0 +1,31 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsISupports.idl" + +interface nsIPK11Token; + +/** + * The PK11 Token Database provides access to the PK11 modules + * that are installed, and the tokens that are available. + * Interfaces: nsIPK11TokenDB + * Threading: ?? + */ +%{C++ +#define NS_PK11TOKENDB_CONTRACTID "@mozilla.org/security/pk11tokendb;1" +%} + +/** + * nsIPK11TokenDB - Manages PK11 Tokens + */ +[scriptable, uuid(4ee28c82-1dd2-11b2-aabf-bb4017abe395)] +interface nsIPK11TokenDB : nsISupports +{ + /* + * Get the internal key database token + */ + nsIPK11Token getInternalKeyToken(); +}; diff --git a/security/manager/ssl/nsIPKCS11Module.idl b/security/manager/ssl/nsIPKCS11Module.idl new file mode 100644 index 0000000000..0446b7ddaa --- /dev/null +++ b/security/manager/ssl/nsIPKCS11Module.idl @@ -0,0 +1,21 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsISupports.idl" + +interface nsIPKCS11Slot; +interface nsISimpleEnumerator; + +[scriptable, uuid(8a44bdf9-d1a5-4734-bd5a-34ed7fe564c2)] +interface nsIPKCS11Module : nsISupports +{ + [must_use] + readonly attribute AUTF8String name; + [must_use] + readonly attribute AUTF8String libName; + [must_use] + nsISimpleEnumerator listSlots(); +}; diff --git a/security/manager/ssl/nsIPKCS11ModuleDB.idl b/security/manager/ssl/nsIPKCS11ModuleDB.idl new file mode 100644 index 0000000000..9221fd26c6 --- /dev/null +++ b/security/manager/ssl/nsIPKCS11ModuleDB.idl @@ -0,0 +1,40 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsISupports.idl" + +interface nsIPKCS11Module; +interface nsIPKCS11Slot; +interface nsISimpleEnumerator; + +%{C++ +#define NS_PKCS11MODULEDB_CONTRACTID "@mozilla.org/security/pkcs11moduledb;1" +%} + +[scriptable, uuid(ff9fbcd7-9517-4334-b97a-ceed78909974)] +interface nsIPKCS11ModuleDB : nsISupports +{ + [must_use] + void deleteModule(in AString moduleName); + + [must_use] + void addModule(in AString moduleName, + in AString libraryFullPath, + in long cryptoMechanismFlags, + in long cipherFlags); + + [must_use] + nsISimpleEnumerator listModules(); + + [must_use] + readonly attribute boolean canToggleFIPS; + + [must_use] + void toggleFIPSMode(); + + [must_use] + readonly attribute boolean isFIPSEnabled; +}; diff --git a/security/manager/ssl/nsIPKCS11Slot.idl b/security/manager/ssl/nsIPKCS11Slot.idl new file mode 100644 index 0000000000..20c82729c1 --- /dev/null +++ b/security/manager/ssl/nsIPKCS11Slot.idl @@ -0,0 +1,52 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsISupports.idl" + +interface nsIPK11Token; + +[scriptable, uuid(c2d4f296-ee60-11d4-998b-00b0d02354a0)] +interface nsIPKCS11Slot : nsISupports { + [must_use] + readonly attribute AUTF8String name; + [must_use] + readonly attribute AUTF8String desc; + /** + * Manufacturer ID of the slot. + */ + [must_use] + readonly attribute AUTF8String manID; + /** + * Hardware version of the slot. + */ + [must_use] + readonly attribute AUTF8String HWVersion; + /** + * Firmware version of the slot. + */ + [must_use] + readonly attribute AUTF8String FWVersion; + + const unsigned long SLOT_DISABLED = 0; + const unsigned long SLOT_NOT_PRESENT = 1; + const unsigned long SLOT_UNINITIALIZED = 2; + const unsigned long SLOT_NOT_LOGGED_IN = 3; + const unsigned long SLOT_LOGGED_IN = 4; + const unsigned long SLOT_READY = 5; + [must_use] + readonly attribute unsigned long status; + + /* This is really a workaround for now. All of the "slot" functions + * (isTokenPresent(), etc.) are in nsIPK11Token. For now, return the + * token and handle those things there. + */ + [must_use] + nsIPK11Token getToken(); + + /* more fun with workarounds - we're referring to everything by token name */ + [must_use] + readonly attribute AUTF8String tokenName; +}; diff --git a/security/manager/ssl/nsIPublicKeyPinningService.idl b/security/manager/ssl/nsIPublicKeyPinningService.idl new file mode 100644 index 0000000000..b48f86dbb7 --- /dev/null +++ b/security/manager/ssl/nsIPublicKeyPinningService.idl @@ -0,0 +1,22 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsISupports.idl" + +interface nsIURI; + +[scriptable, uuid(f64432b9-e8c6-41b4-b2da-8eb004344bba), builtinclass] +interface nsIPublicKeyPinningService : nsISupports +{ + /** + * Returns true if the host of the given URI has pinning information, and + * false otherwise. + */ + [must_use] + bool hostHasPins(in nsIURI aURI); +}; + +%{C++ +#define NS_PKPSERVICE_CONTRACTID "@mozilla.org/security/publickeypinningservice;1" +%} diff --git a/security/manager/ssl/nsISecretDecoderRing.idl b/security/manager/ssl/nsISecretDecoderRing.idl new file mode 100644 index 0000000000..caa70b2f3b --- /dev/null +++ b/security/manager/ssl/nsISecretDecoderRing.idl @@ -0,0 +1,77 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsISupports.idl" + +[scriptable, uuid(0EC80360-075C-11d4-9FD4-00C04F1B83D8)] +interface nsISecretDecoderRing: nsISupports { + /** + * Encrypt to Base64 output. + * Note that the input must basically be a byte array (i.e. the code points + * must be within the range [0, 255]). Hence, using this method directly to + * encrypt passwords (or any text, really) won't work as expected. + * Instead, use something like nsIScriptableUnicodeConverter to first convert + * the desired password or text to UTF-8, then encrypt that. Remember to + * convert back when calling decryptString(). + * + * @param text The text to encrypt. + * @return The encrypted text, encoded as Base64. + */ + [must_use] + ACString encryptString(in ACString text); + + /** + * Run encryptString on multiple strings, asynchronously. This will allow you + * to not jank the browser if you need to encrypt a large number of strings + * all at once. This method accepts an array of wstrings which it will convert + * to UTF-8 internally before encrypting. + * + * @param plaintexts the strings to encrypt. + * @return A promise for the list of encrypted strings, encoded as Base64. + */ + [implicit_jscontext, must_use] + Promise asyncEncryptStrings(in Array<AUTF8String> plaintexts); + + /** + * Decrypt Base64 input. + * See the encryptString() documentation - this method has basically the same + * limitations. + * + * @param encryptedBase64Text Encrypted input text, encoded as Base64. + * @return The decoded text. + */ + [must_use] + ACString decryptString(in ACString encryptedBase64Text); + + /** + * Run decryptString on multiple strings, asynchronously. This will allow you + * to not jank the browser if you need to decrypt a large number of strings + * all at once. + * + * @param encryptedStrings the strings to decrypt, encoded as Base64. + * @return A promise that resolves with the list of decrypted strings in Unicode. + */ + [implicit_jscontext, must_use] + Promise asyncDecryptStrings(in Array<ACString> encryptedStrings); + + /** + * Prompt the user to change the password on the SDR key. + */ + [must_use] + void changePassword(); + + /** + * Logout of the security device that protects the SDR key. + */ + [must_use] + void logout(); + + /** + * Logout of the security device that protects the SDR key and tear + * down authenticated objects. + */ + [must_use] + void logoutAndTeardown(); +}; diff --git a/security/manager/ssl/nsISecurityUITelemetry.idl b/security/manager/ssl/nsISecurityUITelemetry.idl new file mode 100644 index 0000000000..5c550bd897 --- /dev/null +++ b/security/manager/ssl/nsISecurityUITelemetry.idl @@ -0,0 +1,34 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsISupports.idl" + +[scriptable, uuid(5d1acf82-223a-46fb-a8f3-a1b16e2ceb04)] +interface nsISecurityUITelemetry : nsISupports { + +/* + * Addon installation warnings + */ + +// Firefox prevented this site from asking you to install addon +const uint32_t WARNING_ADDON_ASKING_PREVENTED = 1; +// User clicks through and allows site to ask to install addons +const uint32_t WARNING_ADDON_ASKING_PREVENTED_CLICK_THROUGH = 2; +// Are you sure you want to install this addon? Only install addons you trust +const uint32_t WARNING_CONFIRM_ADDON_INSTALL = 3; +// User clicked she is sure after waiting 3secs +const uint32_t WARNING_CONFIRM_ADDON_INSTALL_CLICK_THROUGH = 4; + + +/* + * modal dialogs/warnings + */ + +// User encountered a POST to an insecure context from a secure context. +const uint32_t WARNING_CONFIRM_POST_TO_INSECURE_FROM_SECURE = 9; +// User clicked through to POST to an insecure context from a secure context. +const uint32_t WARNING_CONFIRM_POST_TO_INSECURE_FROM_SECURE_CLICK_THROUGH = 10; +}; diff --git a/security/manager/ssl/nsISiteSecurityService.idl b/security/manager/ssl/nsISiteSecurityService.idl new file mode 100644 index 0000000000..882dbb78ad --- /dev/null +++ b/security/manager/ssl/nsISiteSecurityService.idl @@ -0,0 +1,145 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsISupports.idl" + +interface nsIURI; + +[ref] native const_OriginAttributesRef(const mozilla::OriginAttributes); + +[scriptable, uuid(275127f8-dbd7-4681-afbf-6df0c6587a01)] +interface nsISiteSecurityService : nsISupports +{ + const uint32_t Success = 0; + const uint32_t ERROR_UNKNOWN = 1; + // ERROR_UNTRUSTWORTHY_CONNECTION was 2 (the caller is now responsible for + // checking this) + const uint32_t ERROR_COULD_NOT_PARSE_HEADER = 3; + const uint32_t ERROR_NO_MAX_AGE = 4; + const uint32_t ERROR_MULTIPLE_MAX_AGES = 5; + const uint32_t ERROR_INVALID_MAX_AGE = 6; + const uint32_t ERROR_MULTIPLE_INCLUDE_SUBDOMAINS = 7; + const uint32_t ERROR_INVALID_INCLUDE_SUBDOMAINS = 8; + // The constants that were removed below were used in HPKP processing + // (which has been removed entirely). + // ERROR_INVALID_PIN was 9 + // ERROR_MULTIPLE_REPORT_URIS was 10 + // ERROR_PINSET_DOES_NOT_MATCH_CHAIN was 11 + // ERROR_NO_BACKUP_PIN was 12 + const uint32_t ERROR_COULD_NOT_SAVE_STATE = 13; + // ERROR_ROOT_NOT_BUILT_IN was 14 + + /** + * Parses a given HTTP header and records the results internally. + * Currently one header type is supported: HSTS (aka STS). + * The format of the HSTS header is defined by the HSTS specification: + * https://tools.ietf.org/html/rfc6797 + * and allows a host to specify that future HTTP requests should be + * upgraded to HTTPS. + * The caller is responsible for first determining that the header was + * delivered via a trustworthy connection (namely, https with no errors). + * + * @param aSourceURI the URI of the resource with the HTTP header. + * @param aHeader the HTTP response header specifying security data. + * @param aOriginAttributes the origin attributes that isolate this origin, + * (note that this implementation does not isolate + * by userContextId because of the risk of man-in- + * the-middle attacks before trust-on-second-use + * happens). + * If mPrivateBrowsingId > 0, information gathered + * from this header will not be saved persistently. + * @param aMaxAge the parsed max-age directive of the header. + * @param aIncludeSubdomains the parsed includeSubdomains directive. + * @param aFailureResult a more specific failure result if NS_ERROR_FAILURE + was returned. + * @return NS_OK if it succeeds + * NS_ERROR_FAILURE if it can't be parsed + * NS_SUCCESS_LOSS_OF_INSIGNIFICANT_DATA + * if there are unrecognized tokens in the header. + */ + [binaryname(ProcessHeader), noscript, must_use] + void processHeaderNative(in nsIURI aSourceURI, + in ACString aHeader, + in const_OriginAttributesRef aOriginAttributes, + [optional] out unsigned long long aMaxAge, + [optional] out boolean aIncludeSubdomains, + [optional] out uint32_t aFailureResult); + + [binaryname(ProcessHeaderScriptable), implicit_jscontext, optional_argc, + must_use] + void processHeader(in nsIURI aSourceURI, + in ACString aHeader, + [optional] in jsval aOriginAttributes, + [optional] out unsigned long long aMaxAge, + [optional] out boolean aIncludeSubdomains, + [optional] out uint32_t aFailureResult); + + // Helper enum for use with resetState. + cenum ResetStateBy : 8 { + // reset state for the exact domain + ExactDomain, + // reset state for any domain rooted by the given domain + // (e.g. foo.example.com if given example.com) + RootDomain, + // reset all state associated with the given base domain (e.g. data + // partitioned by total cookie protection) + BaseDomain, + }; + + /** + * Resets HSTS state a host, including the includeSubdomains state that + * would affect subdomains. This essentially removes the state for the + * domain tree rooted at this host. If any preloaded information is present + * for that host, that information will then be used instead of any other + * previously existing state. + * + * @param aURI the URI of the target host + * @param aOriginAttributes the origin attributes that isolate this origin, + * (note that this implementation does not isolate + * by userContextId because of the risk of man-in- + * the-middle attacks before trust-on-second-use + * happens). + * @param aScope The scope of state to reset. See ResetStateBy. Defaults + * to ExactDomain. + */ + [implicit_jscontext, optional_argc, must_use] + void resetState(in nsIURI aURI, + [optional] in jsval aOriginAttributes, + [optional] in nsISiteSecurityService_ResetStateBy aScope); + + /** + * Checks whether or not the URI's hostname has HSTS set. + * For example: + * The URI is an HSTS URI if either the host has the HSTS state set, or one + * of its super-domains has the HSTS "includeSubdomains" flag set. + * NOTE: this function makes decisions based only on the + * host contained in the URI, and disregards other portions of the URI + * such as path and port. + * + * @param aURI the URI to query for STS state. + * @param aOriginAttributes the origin attributes that isolate this origin, + * (note that this implementation does not isolate + * by userContextId because of the risk of man-in- + * the-middle attacks before trust-on-second-use + * happens). + */ + [binaryname(IsSecureURI), noscript, must_use] + boolean isSecureURINative(in nsIURI aURI, + in const_OriginAttributesRef aOriginAttributes); + + [binaryname(IsSecureURIScriptable), implicit_jscontext, optional_argc, + must_use] + boolean isSecureURI(in nsIURI aURI, [optional] in jsval aOriginAttributes); + + /** + * Removes all non-preloaded HSTS state by resetting to factory-original + * settings. + */ + [must_use] + void clearAll(); +}; + +%{C++ +#define NS_SSSERVICE_CONTRACTID "@mozilla.org/ssservice;1" +%} diff --git a/security/manager/ssl/nsITLSSocketControl.idl b/security/manager/ssl/nsITLSSocketControl.idl new file mode 100644 index 0000000000..42d1b4bcd7 --- /dev/null +++ b/security/manager/ssl/nsITLSSocketControl.idl @@ -0,0 +1,195 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsISupports.idl" + +interface nsIInterfaceRequestor; +interface nsITlsHandshakeCallbackListener; +interface nsITransportSecurityInfo; +interface nsIX509Cert; + +%{C++ +#include "nsStringFwd.h" +#include "nsTArrayForwardDeclare.h" +%} +[ref] native nsCStringTArrayRef(nsTArray<nsCString>); + +// An interface describing an object that controls and holds information about +// a TLS handshake. +// NB: The implementations of this interface may only be used on the socket +// thread (except for asyncGetSecurityInfo); +[scriptable, builtinclass, uuid(418265c8-654e-4fbb-ba62-4eed27de1f03)] +interface nsITLSSocketControl : nsISupports { + void proxyStartSSL(); + void StartTLS(); + + /* NPN (Next Protocol Negotiation) is a mechanism for + negotiating the protocol to be spoken inside the SSL + tunnel during the SSL handshake. The NPNList is the list + of offered client side protocols. setNPNList() needs to + be called before any data is read or written (including the + handshake to be setup correctly. The server determines the + priority when multiple matches occur, but if there is no overlap + the first protocol in the list is used. */ + + [noscript] void setNPNList(in nsCStringTArrayRef aNPNList); + + /* For 0RTT we need to know the alpn protocol selected for the last tls + * session. This function will return a value if applicable or an error + * NS_ERROR_NOT_AVAILABLE. + */ + ACString getAlpnEarlySelection(); + + /* If 0RTT handshake was applied and some data has been sent, as soon as + * the handshake finishes this attribute will be set to appropriate value. + */ + readonly attribute bool earlyDataAccepted; + + /* When 0RTT is performed, PR_Write will not drive the handshake forward. + * It must be forced by calling this function. + */ + void driveHandshake(); + + /* Determine if a potential SSL connection to hostname:port with + * a desired NPN negotiated protocol of npnProtocol can use the socket + * associated with this object instead of making a new one. And if so, combine + * them. + */ + boolean joinConnection( + in ACString npnProtocol, /* e.g. "h2" */ + in ACString hostname, + in long port); + + /* just like JoinConnection() except do not mark a successful test as joined. + */ + boolean testJoinConnection( + in ACString npnProtocol, /* e.g. "h2" */ + in ACString hostname, + in long port); + + /* Determine if existing connection should be trusted to convey information about + * a hostname. + */ + boolean isAcceptableForHost(in ACString hostname); + + /* The Key Exchange Algorithm is used when determining whether or + not HTTP/2 can be used. + + After a handshake is complete it can be read from KEAUsed. + The values correspond to the SSLKEAType enum in NSS or the + KEY_EXCHANGE_UNKNOWN constant defined below. + + KEAKeyBits is the size/security-level used for the KEA. + */ + + [infallible] readonly attribute short KEAUsed; + [infallible] readonly attribute unsigned long KEAKeyBits; + + const short KEY_EXCHANGE_UNKNOWN = -1; + + /* + * The original flags from the socket provider. + */ + readonly attribute uint32_t providerFlags; + + /* These values are defined by TLS. */ + const short SSL_VERSION_3 = 0x0300; + const short TLS_VERSION_1 = 0x0301; + const short TLS_VERSION_1_1 = 0x0302; + const short TLS_VERSION_1_2 = 0x0303; + const short TLS_VERSION_1_3 = 0x0304; + const short SSL_VERSION_UNKNOWN = -1; + + [infallible] readonly attribute short SSLVersionUsed; + [infallible] readonly attribute short SSLVersionOffered; + + /* These values match the NSS defined values in sslt.h */ + const short SSL_MAC_UNKNOWN = -1; + const short SSL_MAC_NULL = 0; + const short SSL_MAC_MD5 = 1; + const short SSL_MAC_SHA = 2; + const short SSL_HMAC_MD5 = 3; + const short SSL_HMAC_SHA = 4; + const short SSL_HMAC_SHA256 = 5; + const short SSL_MAC_AEAD = 6; + + [infallible] readonly attribute short MACAlgorithmUsed; + + /** + * If set to true before the server requests a client cert + * no cert will be sent. + */ + [notxpcom, nostdcall] attribute boolean denyClientCert; + + /** + * True iff a client cert has been sent to the server - i.e. this + * socket has been client-cert authenticated. + */ + [infallible] readonly attribute boolean clientCertSent; + + /* + * failedVerification is true if any enforced certificate checks have failed. + * Connections that have not yet tried to verify, or are using acceptable + * exceptions will all return false. + */ + [infallible] readonly attribute boolean failedVerification; + + /* + * esniTxt is a string that consists of the concatenated _esni. TXT records. + * This is a base64 encoded ESNIKeys structure. + */ + attribute ACString esniTxt; + + /* + * echConfig is defined for conveying the ECH configuration. + * This is encoded in base64. + */ + attribute ACString echConfig; + + /** + * The echConfig that should be used to retry for the connection setup. + */ + readonly attribute ACString retryEchConfig; + + /** + * Disable early data. + */ + [noscript] void disableEarlyData(); + + [noscript] void setHandshakeCallbackListener(in nsITlsHandshakeCallbackListener callback); + + /** + * The id used to uniquely identify the connection to the peer. + */ + readonly attribute ACString peerId; + + /** + * The securityInfo of the TLS handshake. + */ + readonly attribute nsITransportSecurityInfo securityInfo; + + /** + * Asynchronously obtain the securityInfo of the TLS handshake. Resolves + * with an nsITransportSecurityInfo. This should probably only be used in + * tests, where JS running on the main thread cannot access any of the + * other fields of nsITLSSocketControl. + */ + [implicit_jscontext, must_use] + Promise asyncGetSecurityInfo(); + + /** + * Claim a speculative connection. + */ + void claim(); + + /** + * The top-level outer content window ID (called "browserId" in networking + * code) associated with this connection, if any (otherwise, 0). Useful for + * associating this connection with a browser tab in order to show UI (e.g. + * the client authentication certificate selection dialog). + */ + attribute uint64_t browserId; +}; diff --git a/security/manager/ssl/nsITokenPasswordDialogs.idl b/security/manager/ssl/nsITokenPasswordDialogs.idl new file mode 100644 index 0000000000..1e5475e6dd --- /dev/null +++ b/security/manager/ssl/nsITokenPasswordDialogs.idl @@ -0,0 +1,30 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsISupports.idl" + +interface nsIInterfaceRequestor; +interface nsIPK11Token; + +/** + * This is the interface for setting and changing password + * on a PKCS11 token. + */ +[scriptable, uuid(87dbd64a-4466-474e-95f5-1ad1cee5702c)] +interface nsITokenPasswordDialogs : nsISupports +{ + /** + * Brings up a dialog to set the password on a token. + * + * @param ctx A user interface context. + * @param token {nsIPK11Token} The token. + * @return true if the user canceled the dialog, false otherwise. + */ + [must_use] + boolean setPassword(in nsIInterfaceRequestor ctx, in nsIPK11Token token); +}; + +%{C++ +#define NS_TOKENPASSWORDSDIALOG_CONTRACTID "@mozilla.org/nsTokenPasswordDialogs;1" +%} diff --git a/security/manager/ssl/nsITransportSecurityInfo.idl b/security/manager/ssl/nsITransportSecurityInfo.idl new file mode 100644 index 0000000000..8fe5879e4a --- /dev/null +++ b/security/manager/ssl/nsITransportSecurityInfo.idl @@ -0,0 +1,137 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsISupports.idl" + +interface nsIObjectOutputStream; +interface nsIX509Cert; + +%{ C++ +namespace IPC { +class MessageWriter; +} +%} + +[ptr] native IpcMessageWriterPtr(IPC::MessageWriter); + +[builtinclass, scriptable, uuid(216112d3-28bc-4671-b057-f98cc09ba1ea)] +interface nsITransportSecurityInfo : nsISupports { + cenum OverridableErrorCategory : 32 { + ERROR_UNSET, + ERROR_TRUST, + ERROR_DOMAIN, + ERROR_TIME, + }; + + readonly attribute unsigned long securityState; + readonly attribute long errorCode; // PRErrorCode + // errorCode as string (e.g. "SEC_ERROR_UNKNOWN_ISSUER") + readonly attribute AString errorCodeString; + + /** + * The following parameters are only valid after the TLS handshake + * has completed. Check securityState first. + */ + + /** + * If certificate verification failed, this will be the peer certificate + * chain provided in the handshake, so it can be used for error reporting. + * If verification succeeded, this will be empty. + */ + readonly attribute Array<nsIX509Cert> failedCertChain; + + readonly attribute nsIX509Cert serverCert; + readonly attribute Array<nsIX509Cert> succeededCertChain; + + [must_use] + readonly attribute ACString cipherName; + [must_use] + readonly attribute unsigned long keyLength; + [must_use] + readonly attribute unsigned long secretKeyLength; + [must_use] + readonly attribute ACString keaGroupName; + [must_use] + readonly attribute ACString signatureSchemeName; + + const short SSL_VERSION_3 = 0; + const short TLS_VERSION_1 = 1; + const short TLS_VERSION_1_1 = 2; + const short TLS_VERSION_1_2 = 3; + const short TLS_VERSION_1_3 = 4; + [must_use] + readonly attribute unsigned short protocolVersion; + + const short CERTIFICATE_TRANSPARENCY_NOT_APPLICABLE = 0; + const short CERTIFICATE_TRANSPARENCY_POLICY_COMPLIANT = 5; + const short CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS = 6; + const short CERTIFICATE_TRANSPARENCY_POLICY_NOT_DIVERSE_SCTS = 7; + [must_use] + readonly attribute unsigned short certificateTransparencyStatus; + + [must_use] + readonly attribute boolean isAcceptedEch; + [must_use] + readonly attribute boolean isDelegatedCredential; + [must_use] + readonly attribute nsITransportSecurityInfo_OverridableErrorCategory overridableErrorCategory; + + /** + * True if OCSP requests were made to query the status of certificates + * used in this connection. + */ + [must_use] + readonly attribute boolean madeOCSPRequests; + + /** + * True if the DNS record used for this connection was fetched over an encrypted connection. + */ + [must_use] + readonly attribute boolean usedPrivateDNS; + + /** + * True only if (and after) serverCert was successfully validated as + * Extended Validation (EV). + */ + [must_use] + readonly attribute boolean isExtendedValidation; + + [notxpcom, noscript] + void SerializeToIPC(in IpcMessageWriterPtr aWriter); + + /** + * Serializes the data represented in this interface to a base64-encoded + * string that can be deserialized using TransportSecurityInfo::Read. + */ + [must_use] + ACString toString(); + + /* negotiatedNPN is '' if no NPN list was provided by the client, + * or if the server did not select any protocol choice from that + * list. That also includes the case where the server does not + * implement NPN. + * + * If negotiatedNPN is read before NPN has progressed to the point + * where this information is available NS_ERROR_NOT_CONNECTED is + * raised. + */ + readonly attribute ACString negotiatedNPN; + + /** + * True iff the connection was resumed using the resumption token. + */ + readonly attribute boolean resumed; + + /** + * True iff the succeededCertChain is built in root. + */ + readonly attribute boolean isBuiltCertChainRootBuiltInRoot; + + /** + * The id used to uniquely identify the connection to the peer. + */ + readonly attribute ACString peerId; +}; diff --git a/security/manager/ssl/nsIX509Cert.idl b/security/manager/ssl/nsIX509Cert.idl new file mode 100644 index 0000000000..c97dcd33f5 --- /dev/null +++ b/security/manager/ssl/nsIX509Cert.idl @@ -0,0 +1,200 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsISupports.idl" + +interface nsIArray; +interface nsIX509CertValidity; +interface nsICertVerificationListener; + +%{ C++ +namespace IPC { +class MessageReader; +class MessageWriter; +} + + /* forward declaration */ + typedef struct CERTCertificateStr CERTCertificate; +%} + +[ptr] native CERTCertificatePtr(CERTCertificate); +[ptr] native IpcMessageReaderPtr(IPC::MessageReader); +[ptr] native IpcMessageWriterPtr(IPC::MessageWriter); + +/** + * This represents a X.509 certificate. + * + * NOTE: Service workers persist x.509 certs in object form on disk. If you + * change this uuid you probably need a hack in nsBinaryInputStream to + * read the old uuid. If you change the format of the object + * serialization then more complex changes will be needed. + */ +[scriptable, builtinclass, uuid(bdc3979a-5422-4cd5-8589-696b6e96ea83)] +interface nsIX509Cert : nsISupports { + + /** + * The primary email address of the certificate, if present. + */ + readonly attribute AString emailAddress; + + /** + * Obtain a list of all email addresses + * contained in the certificate. + * + * @return An array of email addresses. + */ + [must_use] + Array<AString> getEmailAddresses(); + + /** + * Check whether a given address is contained in the certificate. + * The comparison will convert the email address to lowercase. + * The behaviour for non ASCII characters is undefined. + * + * @param aEmailAddress The address to search for. + * + * @return True if the address is contained in the certificate. + */ + [must_use] + boolean containsEmailAddress(in AString aEmailAddress); + + /** + * The subject owning the certificate. + */ + readonly attribute AString subjectName; + + /** + * The subject's common name. + */ + readonly attribute AString commonName; + + /** + * The subject's organization. + */ + readonly attribute AString organization; + + /** + * The subject's organizational unit. + */ + [must_use] + readonly attribute AString organizationalUnit; + + /** + * The fingerprint of the certificate's DER encoding, + * calculated using the SHA-256 algorithm. + */ + readonly attribute AString sha256Fingerprint; + + /** + * The fingerprint of the certificate's DER encoding, + * calculated using the SHA1 algorithm. + */ + [must_use] + readonly attribute AString sha1Fingerprint; + + /** + * A human readable name identifying the hardware or + * software token the certificate is stored on. + */ + readonly attribute AString tokenName; + + /** + * The subject identifying the issuer certificate. + */ + readonly attribute AString issuerName; + + /** + * The serial number the issuer assigned to this certificate. + */ + [must_use] + readonly attribute AString serialNumber; + + /** + * The issuer subject's common name. + */ + [must_use] + readonly attribute AString issuerCommonName; + + /** + * The issuer subject's organization. + */ + readonly attribute AString issuerOrganization; + + /** + * The issuer subject's organizational unit. + */ + [must_use] + readonly attribute AString issuerOrganizationUnit; + + /** + * This certificate's validity period. + */ + readonly attribute nsIX509CertValidity validity; + + /** + * A unique identifier of this certificate within the local storage. + */ + [must_use] + readonly attribute ACString dbKey; + + /** + * A human readable identifier to label this certificate. + */ + [must_use] + readonly attribute AString displayName; + + /** + * Constants to classify the type of a certificate. + */ + const unsigned long UNKNOWN_CERT = 0; + const unsigned long CA_CERT = 1 << 0; + const unsigned long USER_CERT = 1 << 1; + const unsigned long EMAIL_CERT = 1 << 2; + const unsigned long SERVER_CERT = 1 << 3; + const unsigned long ANY_CERT = 0xffff; + + /** + * Type of this certificate + */ + readonly attribute unsigned long certType; + + /** + * Obtain a raw binary encoding of this certificate + * in DER format. + * + * @return The bytes representing the DER encoded certificate. + */ + [must_use] + Array<octet> getRawDER(); + + /** + * Obtain a base 64 string representation of this certificate + * in DER format. + * + * @return The DER encoded certificate as a string. + */ + [must_use] + ACString getBase64DERString(); + + /** + * The base64 encoding of the DER encoded public key info using the specified + * digest. + */ + [must_use] + readonly attribute ACString sha256SubjectPublicKeyInfoDigest; + + /** + * Retrieves the NSS certificate object wrapped by this interface + */ + [notxpcom, noscript, must_use] + CERTCertificatePtr getCert(); + + [notxpcom, noscript] + void SerializeToIPC(in IpcMessageWriterPtr aWriter); + + [notxpcom, noscript] + bool DeserializeFromIPC(in IpcMessageReaderPtr aReader); +}; diff --git a/security/manager/ssl/nsIX509CertDB.idl b/security/manager/ssl/nsIX509CertDB.idl new file mode 100644 index 0000000000..fe72c78f40 --- /dev/null +++ b/security/manager/ssl/nsIX509CertDB.idl @@ -0,0 +1,351 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsISupports.idl" + +interface nsIArray; +interface nsIX509Cert; +interface nsIFile; +interface nsIInterfaceRequestor; +interface nsIZipReader; +interface nsIInputStream; + +%{C++ +#define NS_X509CERTDB_CONTRACTID "@mozilla.org/security/x509certdb;1" +%} + +typedef uint32_t AppTrustedRoot; + +[scriptable, function, uuid(fc2b60e5-9a07-47c2-a2cd-b83b68a660ac)] +interface nsIOpenSignedAppFileCallback : nsISupports +{ + void openSignedAppFileFinished(in nsresult rv, + in nsIZipReader aZipReader, + in nsIX509Cert aSignerCert); +}; + +[scriptable, function, uuid(07c08655-8b11-4650-b6c4-0c145595ceb5)] +interface nsIAsyncBoolCallback : nsISupports +{ + void onResult(in bool result); +}; + +/** + * Callback type for use with asyncVerifyCertAtTime. + * If aPRErrorCode is PRErrorCodeSuccess (i.e. 0), aVerifiedChain represents the + * verified certificate chain determined by asyncVerifyCertAtTime. aHasEVPolicy + * represents whether or not the end-entity certificate verified as EV. + * If aPRErrorCode is non-zero, it represents the error encountered during + * verification. aVerifiedChain is null in that case and aHasEVPolicy has no + * meaning. + */ +[scriptable, function, uuid(49e16fc8-efac-4f57-8361-956ef6b960a4)] +interface nsICertVerificationCallback : nsISupports { + void verifyCertFinished(in int32_t aPRErrorCode, + in Array<nsIX509Cert> aVerifiedChain, + in bool aHasEVPolicy); +}; + +/** + * This represents a service to access and manipulate + * X.509 certificates stored in a database. + */ +[scriptable, uuid(5c16cd9b-5a73-47f1-ab0f-11ede7495cce)] +interface nsIX509CertDB : nsISupports { + + /** + * Constants that define which usages a certificate + * is trusted for. + */ + const unsigned long UNTRUSTED = 0; + const unsigned long TRUSTED_SSL = 1 << 0; + const unsigned long TRUSTED_EMAIL = 1 << 1; + + /** + * Will find a certificate based on its dbkey + * retrieved by getting the dbKey attribute of + * the certificate. + * + * @param aDBkey Database internal key, as obtained using + * attribute dbkey in nsIX509Cert. + */ + [must_use] + nsIX509Cert findCertByDBKey(in ACString aDBkey); + + /** + * Use this to import a stream sent down as a mime type into + * the certificate database on the default token. + * The stream may consist of one or more certificates. + * + * @param data The raw data to be imported + * @param length The length of the data to be imported + * @param type The type of the certificate, see constants in nsIX509Cert + * @param ctx A UI context. + */ + void importCertificates([array, size_is(length)] in octet data, + in unsigned long length, + in unsigned long type, + in nsIInterfaceRequestor ctx); + + /** + * Import another person's email certificate into the database. + * + * @param data The raw data to be imported + * @param length The length of the data to be imported + * @param ctx A UI context. + */ + void importEmailCertificate([array, size_is(length)] in octet data, + in unsigned long length, + in nsIInterfaceRequestor ctx); + + /** + * Import a personal certificate into the database, assuming + * the database already contains the private key for this certificate. + * + * @param data The raw data to be imported + * @param length The length of the data to be imported + * @param ctx A UI context. + */ + void importUserCertificate([array, size_is(length)] in octet data, + in unsigned long length, + in nsIInterfaceRequestor ctx); + + /** + * Delete a certificate stored in the database. + * + * @param aCert Delete this certificate. + */ + void deleteCertificate(in nsIX509Cert aCert); + + /** + * Modify the trust that is stored and associated to a certificate within + * a database. Separate trust is stored for + * One call manipulates the trust for one trust type only. + * See the trust type constants defined within this interface. + * + * @param cert Change the stored trust of this certificate. + * @param type The type of the certificate. See nsIX509Cert. + * @param trust A bitmask. The new trust for the possible usages. + * See the trust constants defined within this interface. + */ + [must_use] + void setCertTrust(in nsIX509Cert cert, + in unsigned long type, + in unsigned long trust); + + /** + * @param cert The certificate for which to modify trust. + * @param trustString decoded by CERT_DecodeTrustString. 3 comma separated + * characters, indicating SSL, Email, and Object signing + * trust. The object signing trust flags are effectively + * ignored by gecko, but they still must be specified (at + * least by a final trailing comma) because this argument + * is passed to CERT_DecodeTrustString. + */ + [must_use] + void setCertTrustFromString(in nsIX509Cert cert, in ACString trustString); + + /** + * Query whether a certificate is trusted for a particular use. + * + * @param cert Obtain the stored trust of this certificate. + * @param certType The type of the certificate. See nsIX509Cert. + * @param trustType A single bit from the usages constants defined + * within this interface. + * + * @return Returns true if the certificate is trusted for the given use. + */ + [must_use] + boolean isCertTrusted(in nsIX509Cert cert, + in unsigned long certType, + in unsigned long trustType); + + /** + * Import certificate(s) from file + * + * @param aFile Identifies a file that contains the certificate + * to be imported. + * @param aType Describes the type of certificate that is going to + * be imported. See type constants in nsIX509Cert. + */ + [must_use] + void importCertsFromFile(in nsIFile aFile, + in unsigned long aType); + + const uint32_t Success = 0; + const uint32_t ERROR_UNKNOWN = 1; + const uint32_t ERROR_PKCS12_NOSMARTCARD_EXPORT = 2; + const uint32_t ERROR_PKCS12_RESTORE_FAILED = 3; + const uint32_t ERROR_PKCS12_BACKUP_FAILED = 4; + const uint32_t ERROR_PKCS12_CERT_COLLISION = 5; + const uint32_t ERROR_BAD_PASSWORD = 6; + const uint32_t ERROR_DECODE_ERROR = 7; + const uint32_t ERROR_PKCS12_DUPLICATE_DATA = 8; + + /** + * Import a PKCS#12 file containing cert(s) and key(s) into the database. + * + * @param aFile Identifies a file that contains the data to be imported. + * @param password The password used to protect the file. + * @return Success or the specific error code on failure. The return + * values are defined in this file. + */ + [must_use] + uint32_t importPKCS12File(in nsIFile aFile, in AString aPassword); + + /** + * Export a set of certs and keys from the database to a PKCS#12 file. + * + * @param aFile Identifies a file that will be filled with the data to be + * exported. + * @param count The number of certificates to be exported. + * @param aCerts The array of all certificates to be exported. + * @param password The password used to protect the file. + * @return Success or the specific error code on failure + */ + [must_use] + uint32_t exportPKCS12File(in nsIFile aFile, + in Array<nsIX509Cert> aCerts, + in AString aPassword); + + /* + * Decode a raw data presentation and instantiate an object in memory. + * + * @param base64 The raw representation of a certificate, + * encoded as Base 64. + * @return The new certificate object. + */ + [must_use] + nsIX509Cert constructX509FromBase64(in ACString base64); + + /* + * Decode a raw data presentation and instantiate an object in memory. + * + * @param certDER The raw representation of a certificate, + * encoded as raw DER. + * @return The new certificate object. + */ + [must_use] + nsIX509Cert constructX509(in Array<uint8_t> certDER); + + /** + * Verifies the signature on the given JAR file to verify that it has a + * valid signature. To be considered valid, there must be exactly one + * signature on the JAR file and that signature must have signed every + * entry. Further, the signature must come from a certificate that + * is trusted for code signing. + * + * On success, NS_OK, a nsIZipReader, and the trusted certificate that + * signed the JAR are returned. + * + * On failure, an error code is returned. + * + * This method returns a nsIZipReader, instead of taking an nsIZipReader + * as input, to encourage users of the API to verify the signature as the + * first step in opening the JAR. + */ + // 1 used to be AppMarketplaceProdPublicRoot. + // 2 used to be AppMarketplaceProdReviewersRoot. + // 3 used to be AppMarketplaceDevPublicRoot. + // 4 used to be AppMarketplaceDevReviewersRoot. + // 5 used to be AppMarketplaceStageRoot. + const AppTrustedRoot AppXPCShellRoot = 6; + const AppTrustedRoot AddonsPublicRoot = 7; + const AppTrustedRoot AddonsStageRoot = 8; + [must_use] + void openSignedAppFileAsync(in AppTrustedRoot trustedRoot, + in nsIFile aJarFile, + in nsIOpenSignedAppFileCallback callback); + + /* + * Add a cert to a cert DB from a binary string. + * + * @param certDER The raw DER encoding of a certificate. + * @param trust String describing the trust settings to assign the + * certificate. Decoded by CERT_DecodeTrustString. Consists of 3 + * comma separated sets of characters, indicating SSL, Email, and + * Object signing trust. The object signing trust flags are + * effectively ignored by gecko, but they still must be specified + * (at least by a final trailing comma) because this argument is + * passed to CERT_DecodeTrustString. + * @return nsIX509Cert the resulting certificate + */ + [must_use] + nsIX509Cert addCert(in ACString certDER, in ACString trust); + + // Flags for asyncVerifyCertAtTime (these must match the values in + // CertVerifier.cpp): + // Prevent network traffic. + const uint32_t FLAG_LOCAL_ONLY = 1 << 0; + // Do not fall back to DV verification after attempting EV validation. + const uint32_t FLAG_MUST_BE_EV = 1 << 1; + + /* + * Asynchronously verify a certificate given a set of parameters. Calls the + * `verifyCertFinished` function on the provided `nsICertVerificationCallback` + * with the results of the verification operation. + * See the documentation for nsICertVerificationCallback. + * + * @param aCert the certificate to verify + * @param aUsage an integer representing the usage to verify for (see + * SECCertificateUsage in certt.h from NSS) + * @param aFlags flags as described above + * @param aHostname the (optional) hostname to verify for + * @param aTime the time at which to verify, in seconds since the epoch + * @param aCallback the nsICertVerificationCallback that will receive the + results of this verification + * @return a succeeding nsresult if the job was dispatched successfully + */ + [must_use] + void asyncVerifyCertAtTime(in nsIX509Cert aCert, + in int64_t /*SECCertificateUsage*/ aUsage, + in uint32_t aFlags, + in ACString aHostname, + in uint64_t aTime, + in nsICertVerificationCallback aCallback); + + // Clears the OCSP cache for the current certificate verification + // implementation. + [must_use] + void clearOCSPCache(); + + /* + * Add a cert to a cert DB from a base64 encoded string. + * + * @param base64 The raw representation of a certificate, encoded as Base 64. + * @param trust String describing the trust settings to assign the + * certificate. Decoded by CERT_DecodeTrustString. Consists of 3 + * comma separated sets of characters, indicating SSL, Email, and + * Object signing trust. The object signing trust flags are + * effectively ignored by gecko, but they still must be specified + * (at least by a final trailing comma) because this argument is + * passed to CERT_DecodeTrustString. + * @return nsIX509Cert the resulting certificate + */ + [must_use] + nsIX509Cert addCertFromBase64(in ACString base64, in ACString trust); + + /* + * Get all the known certs in the database + */ + [must_use] + Array<nsIX509Cert> getCerts(); + + /** + * Encode the list of certificates as a PKCS#7 SignedData structure. No data + * is actually signed - this is merely a way of exporting a collection of + * certificates. + */ + [must_use] + ACString asPKCS7Blob(in Array<nsIX509Cert> certList); + + /** + * Iterates through all the certs and returns false if any of the trusted + * CA certs are not built-in roots; and true otherwise. + */ + [must_use] + void asyncHasThirdPartyRoots(in nsIAsyncBoolCallback callback); +}; diff --git a/security/manager/ssl/nsIX509CertValidity.idl b/security/manager/ssl/nsIX509CertValidity.idl new file mode 100644 index 0000000000..b27e1b3847 --- /dev/null +++ b/security/manager/ssl/nsIX509CertValidity.idl @@ -0,0 +1,25 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsISupports.idl" + +/** + * Information on the validity period of a X.509 certificate. + */ +[scriptable, uuid(e701dfd8-1dd1-11b2-a172-ffa6cc6156ad)] +interface nsIX509CertValidity : nsISupports { + /** + * The earliest point in time where + * a certificate is valid. + */ + readonly attribute PRTime notBefore; + + /** + * The latest point in time where + * a certificate is valid. + */ + readonly attribute PRTime notAfter; +}; diff --git a/security/manager/ssl/nsNSSCallbacks.cpp b/security/manager/ssl/nsNSSCallbacks.cpp new file mode 100644 index 0000000000..c3a23213c5 --- /dev/null +++ b/security/manager/ssl/nsNSSCallbacks.cpp @@ -0,0 +1,1152 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsNSSCallbacks.h" + +#include "NSSSocketControl.h" +#include "PSMRunnable.h" +#include "ScopedNSSTypes.h" +#include "SharedCertVerifier.h" +#include "SharedSSLState.h" +#include "mozilla/ArrayUtils.h" +#include "mozilla/Assertions.h" +#include "mozilla/Casting.h" +#include "mozilla/Logging.h" +#include "mozilla/RefPtr.h" +#include "mozilla/ScopeExit.h" +#include "mozilla/Span.h" +#include "mozilla/SpinEventLoopUntil.h" +#include "mozilla/Telemetry.h" +#include "mozilla/Unused.h" +#include "mozilla/intl/Localization.h" +#include "nsContentUtils.h" +#include "nsIChannel.h" +#include "nsIHttpChannel.h" +#include "nsIHttpChannelInternal.h" +#include "nsIPrompt.h" +#include "nsIProtocolProxyService.h" +#include "nsISupportsPriority.h" +#include "nsIStreamLoader.h" +#include "nsIUploadChannel.h" +#include "nsIWebProgressListener.h" +#include "nsNSSCertHelper.h" +#include "nsNSSCertificate.h" +#include "nsNSSComponent.h" +#include "nsNSSHelper.h" +#include "nsNSSIOLayer.h" +#include "nsNetUtil.h" +#include "nsProxyRelease.h" +#include "nsStringStream.h" +#include "mozpkix/pkixtypes.h" +#include "ssl.h" +#include "sslproto.h" +#include "SSLTokensCache.h" + +#include "TrustOverrideUtils.h" +#include "TrustOverride-SymantecData.inc" +#include "TrustOverride-AppleGoogleDigiCertData.inc" + +using namespace mozilla; +using namespace mozilla::pkix; +using namespace mozilla::psm; + +extern LazyLogModule gPIPNSSLog; + +namespace { + +// Bits in bit mask for SSL_REASONS_FOR_NOT_FALSE_STARTING telemetry probe +// These bits are numbered so that the least subtle issues have higher values. +// This should make it easier for us to interpret the results. +const uint32_t POSSIBLE_VERSION_DOWNGRADE = 4; +const uint32_t POSSIBLE_CIPHER_SUITE_DOWNGRADE = 2; +const uint32_t KEA_NOT_SUPPORTED = 1; + +} // namespace + +class OCSPRequest final : public nsIStreamLoaderObserver, public nsIRunnable { + public: + OCSPRequest(const nsACString& aiaLocation, + const OriginAttributes& originAttributes, + const uint8_t (&ocspRequest)[OCSP_REQUEST_MAX_LENGTH], + size_t ocspRequestLength, TimeDuration timeout); + + NS_DECL_THREADSAFE_ISUPPORTS + NS_DECL_NSISTREAMLOADEROBSERVER + NS_DECL_NSIRUNNABLE + + nsresult DispatchToMainThreadAndWait(); + nsresult GetResponse(/*out*/ Vector<uint8_t>& response); + + private: + ~OCSPRequest() = default; + + static void OnTimeout(nsITimer* timer, void* closure); + nsresult NotifyDone(nsresult rv, MonitorAutoLock& proofOfLock); + + // mMonitor provides the memory barrier protecting these member variables. + // What happens is the originating thread creates an OCSPRequest object with + // the information necessary to perform an OCSP request. It sends the object + // to the main thread and waits on the monitor for the operation to complete. + // On the main thread, a channel is set up to perform the request. This gets + // dispatched to necko. At the same time, a timeout timer is initialized. If + // the necko request completes, the response data is filled out, mNotifiedDone + // is set to true, and the monitor is notified. The original thread then wakes + // up and continues with the results that have been filled out. If the request + // times out, again the response data is filled out, mNotifiedDone is set to + // true, and the monitor is notified. The first of these two events wins. That + // is, if the timeout timer fires but the request completes shortly after, the + // caller will see the request as having timed out. + // When the request completes (i.e. OnStreamComplete runs), the timer will be + // cancelled. This is how we know the closure in OnTimeout is valid. If the + // timer fires before OnStreamComplete runs, it should be safe to not cancel + // the request because necko has a strong reference to it. + Monitor mMonitor MOZ_UNANNOTATED; + bool mNotifiedDone; + nsCOMPtr<nsIStreamLoader> mLoader; + const nsCString mAIALocation; + const OriginAttributes mOriginAttributes; + const mozilla::Span<const char> mPOSTData; + const TimeDuration mTimeout; + nsCOMPtr<nsITimer> mTimeoutTimer; + TimeStamp mStartTime; + nsresult mResponseResult; + Vector<uint8_t> mResponseBytes; +}; + +NS_IMPL_ISUPPORTS(OCSPRequest, nsIStreamLoaderObserver, nsIRunnable) + +OCSPRequest::OCSPRequest(const nsACString& aiaLocation, + const OriginAttributes& originAttributes, + const uint8_t (&ocspRequest)[OCSP_REQUEST_MAX_LENGTH], + size_t ocspRequestLength, TimeDuration timeout) + : mMonitor("OCSPRequest.mMonitor"), + mNotifiedDone(false), + mLoader(nullptr), + mAIALocation(aiaLocation), + mOriginAttributes(originAttributes), + mPOSTData(reinterpret_cast<const char*>(ocspRequest), ocspRequestLength), + mTimeout(timeout), + mTimeoutTimer(nullptr), + mResponseResult(NS_ERROR_FAILURE) { + MOZ_ASSERT(ocspRequestLength <= OCSP_REQUEST_MAX_LENGTH); +} + +nsresult OCSPRequest::DispatchToMainThreadAndWait() { + MOZ_ASSERT(!NS_IsMainThread()); + if (NS_IsMainThread()) { + return NS_ERROR_FAILURE; + } + + MonitorAutoLock lock(mMonitor); + nsresult rv = NS_DispatchToMainThread(this); + if (NS_FAILED(rv)) { + return rv; + } + while (!mNotifiedDone) { + lock.Wait(); + } + + TimeStamp endTime = TimeStamp::Now(); + // CERT_VALIDATION_HTTP_REQUEST_RESULT: + // 0: request timed out + // 1: request succeeded + // 2: request failed + // 3: internal error + // If mStartTime was never set, we consider this an internal error. + // Otherwise, we managed to at least send the request. + if (mStartTime.IsNull()) { + Telemetry::Accumulate(Telemetry::CERT_VALIDATION_HTTP_REQUEST_RESULT, 3); + } else if (mResponseResult == NS_ERROR_NET_TIMEOUT) { + Telemetry::Accumulate(Telemetry::CERT_VALIDATION_HTTP_REQUEST_RESULT, 0); + Telemetry::AccumulateTimeDelta( + Telemetry::CERT_VALIDATION_HTTP_REQUEST_CANCELED_TIME, mStartTime, + endTime); + } else if (NS_SUCCEEDED(mResponseResult)) { + Telemetry::Accumulate(Telemetry::CERT_VALIDATION_HTTP_REQUEST_RESULT, 1); + Telemetry::AccumulateTimeDelta( + Telemetry::CERT_VALIDATION_HTTP_REQUEST_SUCCEEDED_TIME, mStartTime, + endTime); + } else { + Telemetry::Accumulate(Telemetry::CERT_VALIDATION_HTTP_REQUEST_RESULT, 2); + Telemetry::AccumulateTimeDelta( + Telemetry::CERT_VALIDATION_HTTP_REQUEST_FAILED_TIME, mStartTime, + endTime); + } + return rv; +} + +nsresult OCSPRequest::GetResponse(/*out*/ Vector<uint8_t>& response) { + MOZ_ASSERT(!NS_IsMainThread()); + if (NS_IsMainThread()) { + return NS_ERROR_FAILURE; + } + + MonitorAutoLock lock(mMonitor); + if (!mNotifiedDone) { + return NS_ERROR_IN_PROGRESS; + } + if (NS_FAILED(mResponseResult)) { + return mResponseResult; + } + response.clear(); + if (!response.append(mResponseBytes.begin(), mResponseBytes.length())) { + return NS_ERROR_OUT_OF_MEMORY; + } + return NS_OK; +} + +static constexpr auto OCSP_REQUEST_MIME_TYPE = "application/ocsp-request"_ns; +static constexpr auto OCSP_REQUEST_METHOD = "POST"_ns; + +NS_IMETHODIMP +OCSPRequest::Run() { + MOZ_ASSERT(NS_IsMainThread()); + if (!NS_IsMainThread()) { + return NS_ERROR_FAILURE; + } + + MonitorAutoLock lock(mMonitor); + + nsCOMPtr<nsIIOService> ios = do_GetIOService(); + if (!ios) { + return NotifyDone(NS_ERROR_FAILURE, lock); + } + + nsCOMPtr<nsIURI> uri; + nsresult rv = NS_NewURI(getter_AddRefs(uri), mAIALocation); + if (NS_FAILED(rv)) { + return NotifyDone(NS_ERROR_MALFORMED_URI, lock); + } + nsAutoCString scheme; + rv = uri->GetScheme(scheme); + if (NS_FAILED(rv)) { + return NotifyDone(rv, lock); + } + if (!scheme.LowerCaseEqualsLiteral("http")) { + return NotifyDone(NS_ERROR_MALFORMED_URI, lock); + } + + // See bug 1219935. + // We should not send OCSP request if the PAC is still loading. + nsCOMPtr<nsIProtocolProxyService> pps = + do_GetService(NS_PROTOCOLPROXYSERVICE_CONTRACTID, &rv); + if (NS_FAILED(rv)) { + return NotifyDone(rv, lock); + } + + if (pps->GetIsPACLoading()) { + return NotifyDone(NS_ERROR_FAILURE, lock); + } + + nsCOMPtr<nsIChannel> channel; + rv = ios->NewChannel(mAIALocation, nullptr, nullptr, + nullptr, // aLoadingNode + nsContentUtils::GetSystemPrincipal(), + nullptr, // aTriggeringPrincipal + nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL, + nsIContentPolicy::TYPE_OTHER, getter_AddRefs(channel)); + if (NS_FAILED(rv)) { + return NotifyDone(rv, lock); + } + + // Security operations scheduled through normal HTTP channels are given + // high priority to accommodate real time OCSP transactions. + nsCOMPtr<nsISupportsPriority> priorityChannel = do_QueryInterface(channel); + if (priorityChannel) { + priorityChannel->AdjustPriority(nsISupportsPriority::PRIORITY_HIGHEST); + } + + channel->SetLoadFlags( + nsIRequest::LOAD_ANONYMOUS | nsIRequest::LOAD_BYPASS_CACHE | + nsIRequest::INHIBIT_CACHING | nsIChannel::LOAD_BYPASS_SERVICE_WORKER | + nsIChannel::LOAD_BYPASS_URL_CLASSIFIER); + + nsCOMPtr<nsILoadInfo> loadInfo = channel->LoadInfo(); + + // Prevent HTTPS-Only Mode from upgrading the OCSP request. + uint32_t httpsOnlyStatus = loadInfo->GetHttpsOnlyStatus(); + httpsOnlyStatus |= nsILoadInfo::HTTPS_ONLY_EXEMPT; + loadInfo->SetHttpsOnlyStatus(httpsOnlyStatus); + + // allow deprecated HTTP request from SystemPrincipal + loadInfo->SetAllowDeprecatedSystemRequests(true); + + // For OCSP requests, only the first party domain and private browsing id + // aspects of origin attributes are used. This means that: + // a) if first party isolation is enabled, OCSP requests will be isolated + // according to the first party domain of the original https request + // b) OCSP requests are shared across different containers as long as first + // party isolation is not enabled and none of the containers are in private + // browsing mode. + if (mOriginAttributes != OriginAttributes()) { + OriginAttributes attrs; + attrs.mFirstPartyDomain = mOriginAttributes.mFirstPartyDomain; + attrs.mPrivateBrowsingId = mOriginAttributes.mPrivateBrowsingId; + + rv = loadInfo->SetOriginAttributes(attrs); + if (NS_FAILED(rv)) { + return NotifyDone(rv, lock); + } + } + + nsCOMPtr<nsIInputStream> uploadStream; + rv = NS_NewByteInputStream(getter_AddRefs(uploadStream), mPOSTData, + NS_ASSIGNMENT_COPY); + if (NS_FAILED(rv)) { + return NotifyDone(rv, lock); + } + nsCOMPtr<nsIUploadChannel> uploadChannel(do_QueryInterface(channel)); + if (!uploadChannel) { + return NotifyDone(NS_ERROR_FAILURE, lock); + } + rv = uploadChannel->SetUploadStream(uploadStream, OCSP_REQUEST_MIME_TYPE, -1); + if (NS_FAILED(rv)) { + return NotifyDone(rv, lock); + } + // Do not use SPDY or HTTP3 for internal security operations. It could result + // in the silent upgrade to ssl, which in turn could require an SSL + // operation to fulfill something like an OCSP fetch, which is an + // endless loop. + nsCOMPtr<nsIHttpChannelInternal> internalChannel = do_QueryInterface(channel); + if (!internalChannel) { + return NotifyDone(rv, lock); + } + rv = internalChannel->SetAllowSpdy(false); + if (NS_FAILED(rv)) { + return NotifyDone(rv, lock); + } + rv = internalChannel->SetAllowHttp3(false); + if (NS_FAILED(rv)) { + return NotifyDone(rv, lock); + } + rv = internalChannel->SetIsOCSP(true); + if (NS_FAILED(rv)) { + return NotifyDone(rv, lock); + } + nsCOMPtr<nsIHttpChannel> hchan = do_QueryInterface(channel); + if (!hchan) { + return NotifyDone(NS_ERROR_FAILURE, lock); + } + rv = hchan->SetAllowSTS(false); + if (NS_FAILED(rv)) { + return NotifyDone(rv, lock); + } + rv = hchan->SetRequestMethod(OCSP_REQUEST_METHOD); + if (NS_FAILED(rv)) { + return NotifyDone(rv, lock); + } + + rv = NS_NewStreamLoader(getter_AddRefs(mLoader), this); + if (NS_FAILED(rv)) { + return NotifyDone(rv, lock); + } + + rv = NS_NewTimerWithFuncCallback( + getter_AddRefs(mTimeoutTimer), OCSPRequest::OnTimeout, this, + mTimeout.ToMilliseconds(), nsITimer::TYPE_ONE_SHOT, "OCSPRequest::Run"); + if (NS_FAILED(rv)) { + return NotifyDone(rv, lock); + } + rv = hchan->AsyncOpen(this->mLoader); + if (NS_FAILED(rv)) { + return NotifyDone(rv, lock); + } + mStartTime = TimeStamp::Now(); + return NS_OK; +} + +nsresult OCSPRequest::NotifyDone(nsresult rv, MonitorAutoLock& lock) { + MOZ_ASSERT(NS_IsMainThread()); + if (!NS_IsMainThread()) { + return NS_ERROR_FAILURE; + } + + if (mNotifiedDone) { + return mResponseResult; + } + mLoader = nullptr; + mResponseResult = rv; + if (mTimeoutTimer) { + Unused << mTimeoutTimer->Cancel(); + } + mNotifiedDone = true; + lock.Notify(); + return rv; +} + +NS_IMETHODIMP +OCSPRequest::OnStreamComplete(nsIStreamLoader* aLoader, nsISupports* aContext, + nsresult aStatus, uint32_t responseLen, + const uint8_t* responseBytes) { + MOZ_ASSERT(NS_IsMainThread()); + if (!NS_IsMainThread()) { + return NS_ERROR_FAILURE; + } + + MonitorAutoLock lock(mMonitor); + + nsCOMPtr<nsIRequest> req; + nsresult rv = aLoader->GetRequest(getter_AddRefs(req)); + if (NS_FAILED(rv)) { + return NotifyDone(rv, lock); + } + + if (NS_FAILED(aStatus)) { + return NotifyDone(aStatus, lock); + } + + nsCOMPtr<nsIHttpChannel> hchan = do_QueryInterface(req); + if (!hchan) { + return NotifyDone(NS_ERROR_FAILURE, lock); + } + + bool requestSucceeded; + rv = hchan->GetRequestSucceeded(&requestSucceeded); + if (NS_FAILED(rv)) { + return NotifyDone(rv, lock); + } + if (!requestSucceeded) { + return NotifyDone(NS_ERROR_FAILURE, lock); + } + + unsigned int rcode; + rv = hchan->GetResponseStatus(&rcode); + if (NS_FAILED(rv)) { + return NotifyDone(rv, lock); + } + if (rcode != 200) { + return NotifyDone(NS_ERROR_FAILURE, lock); + } + + mResponseBytes.clear(); + if (!mResponseBytes.append(responseBytes, responseLen)) { + return NotifyDone(NS_ERROR_OUT_OF_MEMORY, lock); + } + mResponseResult = aStatus; + + return NotifyDone(NS_OK, lock); +} + +void OCSPRequest::OnTimeout(nsITimer* timer, void* closure) { + MOZ_ASSERT(NS_IsMainThread()); + if (!NS_IsMainThread()) { + return; + } + + // We know the OCSPRequest is still alive because if the request had completed + // (i.e. OnStreamComplete ran), the timer would have been cancelled in + // NotifyDone. + OCSPRequest* self = static_cast<OCSPRequest*>(closure); + MonitorAutoLock lock(self->mMonitor); + self->mTimeoutTimer = nullptr; + self->NotifyDone(NS_ERROR_NET_TIMEOUT, lock); +} + +mozilla::pkix::Result DoOCSPRequest( + const nsCString& aiaLocation, const OriginAttributes& originAttributes, + uint8_t (&ocspRequest)[OCSP_REQUEST_MAX_LENGTH], size_t ocspRequestLength, + TimeDuration timeout, /*out*/ Vector<uint8_t>& result) { + MOZ_ASSERT(!NS_IsMainThread()); + if (NS_IsMainThread()) { + return mozilla::pkix::Result::ERROR_OCSP_UNKNOWN_CERT; + } + + if (ocspRequestLength > OCSP_REQUEST_MAX_LENGTH) { + return mozilla::pkix::Result::FATAL_ERROR_LIBRARY_FAILURE; + } + + result.clear(); + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("DoOCSPRequest to '%s'", aiaLocation.get())); + + nsCOMPtr<nsIEventTarget> sts = + do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID); + MOZ_ASSERT(sts); + if (!sts) { + return mozilla::pkix::Result::FATAL_ERROR_INVALID_STATE; + } + bool onSTSThread; + nsresult rv = sts->IsOnCurrentThread(&onSTSThread); + if (NS_FAILED(rv)) { + return mozilla::pkix::Result::FATAL_ERROR_LIBRARY_FAILURE; + } + MOZ_ASSERT(!onSTSThread); + if (onSTSThread) { + return mozilla::pkix::Result::FATAL_ERROR_INVALID_STATE; + } + + RefPtr<OCSPRequest> request(new OCSPRequest( + aiaLocation, originAttributes, ocspRequest, ocspRequestLength, timeout)); + rv = request->DispatchToMainThreadAndWait(); + if (NS_FAILED(rv)) { + return mozilla::pkix::Result::FATAL_ERROR_LIBRARY_FAILURE; + } + rv = request->GetResponse(result); + if (NS_FAILED(rv)) { + if (rv == NS_ERROR_MALFORMED_URI) { + return mozilla::pkix::Result::ERROR_CERT_BAD_ACCESS_LOCATION; + } + return mozilla::pkix::Result::ERROR_OCSP_SERVER_ERROR; + } + return Success; +} + +static char* ShowProtectedAuthPrompt(PK11SlotInfo* slot, nsIPrompt* prompt) { + MOZ_ASSERT(NS_IsMainThread()); + MOZ_ASSERT(slot); + MOZ_ASSERT(prompt); + if (!NS_IsMainThread() || !slot || !prompt) { + return nullptr; + } + + // Dispatch a background task to (eventually) call C_Login. The call will + // block until the protected authentication succeeds or fails. + Atomic<bool> done; + Atomic<SECStatus> result; + nsresult rv = + NS_DispatchBackgroundTask(NS_NewRunnableFunction(__func__, [&]() mutable { + result = PK11_CheckUserPassword(slot, nullptr); + done = true; + })); + if (NS_FAILED(rv)) { + return nullptr; + } + + nsTArray<nsCString> resIds = { + "security/pippki/pippki.ftl"_ns, + }; + RefPtr<mozilla::intl::Localization> l10n = + mozilla::intl::Localization::Create(resIds, true); + auto l10nId = "protected-auth-alert"_ns; + auto l10nArgs = mozilla::dom::Optional<intl::L10nArgs>(); + l10nArgs.Construct(); + auto dirArg = l10nArgs.Value().Entries().AppendElement(); + dirArg->mKey = "tokenName"_ns; + dirArg->mValue.SetValue().SetAsUTF8String().Assign(PK11_GetTokenName(slot)); + nsAutoCString promptString; + ErrorResult errorResult; + l10n->FormatValueSync(l10nId, l10nArgs, promptString, errorResult); + if (NS_FAILED(errorResult.StealNSResult())) { + return nullptr; + } + rv = prompt->Alert(nullptr, NS_ConvertUTF8toUTF16(promptString).get()); + if (NS_FAILED(rv)) { + return nullptr; + } + + MOZ_ALWAYS_TRUE(SpinEventLoopUntil( + "ShowProtectedAuthPrompt"_ns, [&]() { return static_cast<bool>(done); })); + + switch (result) { + case SECSuccess: + return ToNewCString(nsDependentCString(PK11_PW_AUTHENTICATED)); + case SECWouldBlock: + return ToNewCString(nsDependentCString(PK11_PW_RETRY)); + default: + return nullptr; + } +} + +class PK11PasswordPromptRunnable : public SyncRunnableBase { + public: + PK11PasswordPromptRunnable(PK11SlotInfo* slot, nsIInterfaceRequestor* ir) + : mResult(nullptr), mSlot(slot), mIR(ir) {} + virtual ~PK11PasswordPromptRunnable() = default; + + char* mResult; // out + virtual void RunOnTargetThread() override; + + private: + static bool mRunning; + + PK11SlotInfo* mSlot; + nsIInterfaceRequestor* mIR; +}; + +bool PK11PasswordPromptRunnable::mRunning = false; + +void PK11PasswordPromptRunnable::RunOnTargetThread() { + MOZ_ASSERT(NS_IsMainThread()); + if (!NS_IsMainThread()) { + return; + } + + // If we've reentered due to the nested event loop implicit in using + // nsIPrompt synchronously (or indeed the explicit nested event loop in the + // protected authentication case), bail early, cancelling the password + // prompt. This will probably cause the operation that resulted in the prompt + // to fail, but this is better than littering the screen with a bunch of + // password prompts that the user will probably just cancel anyway. + if (mRunning) { + return; + } + mRunning = true; + auto setRunningToFalseOnExit = MakeScopeExit([&]() { mRunning = false; }); + + nsresult rv; + nsCOMPtr<nsIPrompt> prompt; + if (!mIR) { + rv = nsNSSComponent::GetNewPrompter(getter_AddRefs(prompt)); + if (NS_FAILED(rv)) { + return; + } + } else { + prompt = do_GetInterface(mIR); + MOZ_ASSERT(prompt, "Interface requestor should implement nsIPrompt"); + } + + if (!prompt) { + return; + } + + if (PK11_ProtectedAuthenticationPath(mSlot)) { + mResult = ShowProtectedAuthPrompt(mSlot, prompt); + return; + } + + nsAutoString promptString; + if (PK11_IsInternal(mSlot)) { + rv = GetPIPNSSBundleString("CertPasswordPromptDefault", promptString); + } else { + AutoTArray<nsString, 1> formatStrings = { + NS_ConvertUTF8toUTF16(PK11_GetTokenName(mSlot))}; + rv = PIPBundleFormatStringFromName("CertPasswordPrompt", formatStrings, + promptString); + } + if (NS_FAILED(rv)) { + return; + } + + nsString password; + bool userClickedOK = false; + rv = prompt->PromptPassword(nullptr, promptString.get(), + getter_Copies(password), &userClickedOK); + if (NS_FAILED(rv) || !userClickedOK) { + return; + } + + mResult = ToNewUTF8String(password); +} + +char* PK11PasswordPrompt(PK11SlotInfo* slot, PRBool /*retry*/, void* arg) { + if (!slot) { + return nullptr; + } + RefPtr<PK11PasswordPromptRunnable> runnable(new PK11PasswordPromptRunnable( + slot, static_cast<nsIInterfaceRequestor*>(arg))); + runnable->DispatchToMainThreadAndWait(); + return runnable->mResult; +} + +nsCString getKeaGroupName(uint32_t aKeaGroup) { + nsCString groupName; + switch (aKeaGroup) { + case ssl_grp_ec_secp256r1: + groupName = "P256"_ns; + break; + case ssl_grp_ec_secp384r1: + groupName = "P384"_ns; + break; + case ssl_grp_ec_secp521r1: + groupName = "P521"_ns; + break; + case ssl_grp_ec_curve25519: + groupName = "x25519"_ns; + break; + case ssl_grp_kem_xyber768d00: + groupName = "xyber768d00"_ns; + break; + case ssl_grp_ffdhe_2048: + groupName = "FF 2048"_ns; + break; + case ssl_grp_ffdhe_3072: + groupName = "FF 3072"_ns; + break; + case ssl_grp_none: + groupName = "none"_ns; + break; + case ssl_grp_ffdhe_custom: + groupName = "custom"_ns; + break; + // All other groups are not enabled in Firefox. See namedGroups in + // nsNSSIOLayer.cpp. + default: + // This really shouldn't happen! + MOZ_ASSERT_UNREACHABLE("Invalid key exchange group."); + groupName = "unknown group"_ns; + } + return groupName; +} + +nsCString getSignatureName(uint32_t aSignatureScheme) { + nsCString signatureName; + switch (aSignatureScheme) { + case ssl_sig_none: + signatureName = "none"_ns; + break; + case ssl_sig_rsa_pkcs1_sha1: + signatureName = "RSA-PKCS1-SHA1"_ns; + break; + case ssl_sig_rsa_pkcs1_sha256: + signatureName = "RSA-PKCS1-SHA256"_ns; + break; + case ssl_sig_rsa_pkcs1_sha384: + signatureName = "RSA-PKCS1-SHA384"_ns; + break; + case ssl_sig_rsa_pkcs1_sha512: + signatureName = "RSA-PKCS1-SHA512"_ns; + break; + case ssl_sig_ecdsa_secp256r1_sha256: + signatureName = "ECDSA-P256-SHA256"_ns; + break; + case ssl_sig_ecdsa_secp384r1_sha384: + signatureName = "ECDSA-P384-SHA384"_ns; + break; + case ssl_sig_ecdsa_secp521r1_sha512: + signatureName = "ECDSA-P521-SHA512"_ns; + break; + case ssl_sig_rsa_pss_sha256: + signatureName = "RSA-PSS-SHA256"_ns; + break; + case ssl_sig_rsa_pss_sha384: + signatureName = "RSA-PSS-SHA384"_ns; + break; + case ssl_sig_rsa_pss_sha512: + signatureName = "RSA-PSS-SHA512"_ns; + break; + case ssl_sig_ecdsa_sha1: + signatureName = "ECDSA-SHA1"_ns; + break; + case ssl_sig_rsa_pkcs1_sha1md5: + signatureName = "RSA-PKCS1-SHA1MD5"_ns; + break; + // All other groups are not enabled in Firefox. See sEnabledSignatureSchemes + // in nsNSSIOLayer.cpp. + default: + // This really shouldn't happen! + MOZ_ASSERT_UNREACHABLE("Invalid signature scheme."); + signatureName = "unknown signature"_ns; + } + return signatureName; +} + +static void PreliminaryHandshakeDone(PRFileDesc* fd) { + NSSSocketControl* socketControl = (NSSSocketControl*)fd->higher->secret; + if (!socketControl) { + return; + } + if (socketControl->IsPreliminaryHandshakeDone()) { + return; + } + + SSLChannelInfo channelInfo; + if (SSL_GetChannelInfo(fd, &channelInfo, sizeof(channelInfo)) != SECSuccess) { + return; + } + SSLCipherSuiteInfo cipherInfo; + if (SSL_GetCipherSuiteInfo(channelInfo.cipherSuite, &cipherInfo, + sizeof(cipherInfo)) != SECSuccess) { + return; + } + socketControl->SetPreliminaryHandshakeInfo(channelInfo, cipherInfo); + socketControl->SetSSLVersionUsed(channelInfo.protocolVersion); + socketControl->SetEarlyDataAccepted(channelInfo.earlyDataAccepted); + socketControl->SetKEAUsed(channelInfo.keaType); + socketControl->SetKEAKeyBits(channelInfo.keaKeyBits); + socketControl->SetMACAlgorithmUsed(cipherInfo.macAlgorithm); + + // Get the NPN value. + SSLNextProtoState state; + unsigned char npnbuf[256]; + unsigned int npnlen; + + if (SSL_GetNextProto(fd, &state, npnbuf, &npnlen, + AssertedCast<unsigned int>(ArrayLength(npnbuf))) == + SECSuccess) { + if (state == SSL_NEXT_PROTO_NEGOTIATED || + state == SSL_NEXT_PROTO_SELECTED) { + socketControl->SetNegotiatedNPN( + BitwiseCast<char*, unsigned char*>(npnbuf), npnlen); + } else { + socketControl->SetNegotiatedNPN(nullptr, 0); + } + mozilla::Telemetry::Accumulate(Telemetry::SSL_NPN_TYPE, state); + } else { + socketControl->SetNegotiatedNPN(nullptr, 0); + } + + socketControl->SetPreliminaryHandshakeDone(); +} + +SECStatus CanFalseStartCallback(PRFileDesc* fd, void* client_data, + PRBool* canFalseStart) { + *canFalseStart = false; + + NSSSocketControl* infoObject = (NSSSocketControl*)fd->higher->secret; + if (!infoObject) { + PR_SetError(PR_INVALID_STATE_ERROR, 0); + return SECFailure; + } + + infoObject->SetFalseStartCallbackCalled(); + + PreliminaryHandshakeDone(fd); + + uint32_t reasonsForNotFalseStarting = 0; + + SSLChannelInfo channelInfo; + if (SSL_GetChannelInfo(fd, &channelInfo, sizeof(channelInfo)) != SECSuccess) { + return SECSuccess; + } + + SSLCipherSuiteInfo cipherInfo; + if (SSL_GetCipherSuiteInfo(channelInfo.cipherSuite, &cipherInfo, + sizeof(cipherInfo)) != SECSuccess) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("CanFalseStartCallback [%p] failed - " + " KEA %d\n", + fd, static_cast<int32_t>(channelInfo.keaType))); + return SECSuccess; + } + + // Prevent version downgrade attacks from TLS 1.2, and avoid False Start for + // TLS 1.3 and later. See Bug 861310 for all the details as to why. + if (channelInfo.protocolVersion != SSL_LIBRARY_VERSION_TLS_1_2) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("CanFalseStartCallback [%p] failed - " + "SSL Version must be TLS 1.2, was %x\n", + fd, static_cast<int32_t>(channelInfo.protocolVersion))); + reasonsForNotFalseStarting |= POSSIBLE_VERSION_DOWNGRADE; + } + + // See bug 952863 for why ECDHE is allowed, but DHE (and RSA) are not. + // Also note that ecdh_hybrid groups are not supported in TLS 1.2 and are out + // of scope. + if (channelInfo.keaType != ssl_kea_ecdh) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("CanFalseStartCallback [%p] failed - " + "unsupported KEA %d\n", + fd, static_cast<int32_t>(channelInfo.keaType))); + reasonsForNotFalseStarting |= KEA_NOT_SUPPORTED; + } + + // Prevent downgrade attacks on the symmetric cipher. We do not allow CBC + // mode due to BEAST, POODLE, and other attacks on the MAC-then-Encrypt + // design. See bug 1109766 for more details. + if (cipherInfo.macAlgorithm != ssl_mac_aead) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("CanFalseStartCallback [%p] failed - non-AEAD cipher used, %d, " + "is not supported with False Start.\n", + fd, static_cast<int32_t>(cipherInfo.symCipher))); + reasonsForNotFalseStarting |= POSSIBLE_CIPHER_SUITE_DOWNGRADE; + } + + // XXX: An attacker can choose which protocols are advertised in the + // NPN extension. TODO(Bug 861311): We should restrict the ability + // of an attacker leverage this capability by restricting false start + // to the same protocol we previously saw for the server, after the + // first successful connection to the server. + + Telemetry::Accumulate(Telemetry::SSL_REASONS_FOR_NOT_FALSE_STARTING, + reasonsForNotFalseStarting); + + if (reasonsForNotFalseStarting == 0) { + *canFalseStart = PR_TRUE; + infoObject->SetFalseStarted(); + infoObject->NoteTimeUntilReady(); + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("CanFalseStartCallback [%p] ok\n", fd)); + } + + return SECSuccess; +} + +static void AccumulateNonECCKeySize(Telemetry::HistogramID probe, + uint32_t bits) { + unsigned int value = bits < 512 ? 1 + : bits == 512 ? 2 + : bits < 768 ? 3 + : bits == 768 ? 4 + : bits < 1024 ? 5 + : bits == 1024 ? 6 + : bits < 1280 ? 7 + : bits == 1280 ? 8 + : bits < 1536 ? 9 + : bits == 1536 ? 10 + : bits < 2048 ? 11 + : bits == 2048 ? 12 + : bits < 3072 ? 13 + : bits == 3072 ? 14 + : bits < 4096 ? 15 + : bits == 4096 ? 16 + : bits < 8192 ? 17 + : bits == 8192 ? 18 + : bits < 16384 ? 19 + : bits == 16384 ? 20 + : 0; + Telemetry::Accumulate(probe, value); +} + +// XXX: This attempts to map a bit count to an ECC named curve identifier. In +// the vast majority of situations, we only have the Suite B curves available. +// In that case, this mapping works fine. If we were to have more curves +// available, the mapping would be ambiguous since there could be multiple +// named curves for a given size (e.g. secp256k1 vs. secp256r1). We punt on +// that for now. See also NSS bug 323674. +static void AccumulateECCCurve(Telemetry::HistogramID probe, uint32_t bits) { + unsigned int value = bits == 255 ? 29 // Curve25519 + : bits == 256 ? 23 // P-256 + : bits == 384 ? 24 // P-384 + : bits == 521 ? 25 // P-521 + : 0; // Unknown + Telemetry::Accumulate(probe, value); +} + +static void AccumulateCipherSuite(const SSLChannelInfo& channelInfo) { + uint32_t value; + // Note: this list must include every cipher suite it is possible to enable + // in nsNSSComponent.cpp (see sCipherPrefs and sDeprecatedTLS1CipherPrefs). + switch (channelInfo.cipherSuite) { + case TLS_RSA_WITH_3DES_EDE_CBC_SHA: // 0x000A + value = 1; + break; + case TLS_RSA_WITH_AES_128_CBC_SHA: // 0x002F + value = 2; + break; + case TLS_DHE_RSA_WITH_AES_128_CBC_SHA: // 0x0033 + value = 3; + break; + case TLS_RSA_WITH_AES_256_CBC_SHA: // 0x0035 + value = 4; + break; + case TLS_DHE_RSA_WITH_AES_256_CBC_SHA: // 0x0039 + value = 5; + break; + case TLS_RSA_WITH_AES_128_GCM_SHA256: // 0x009C + value = 6; + break; + case TLS_RSA_WITH_AES_256_GCM_SHA384: // 0x009D + value = 7; + break; + case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: // 0xC009 + value = 8; + break; + case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: // 0xC00A + value = 9; + break; + case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: // 0xC013 + value = 10; + break; + case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: // 0xC014 + value = 11; + break; + case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: // 0xC02B + value = 12; + break; + case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: // 0xC02C + value = 13; + break; + case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: // 0xC02F + value = 14; + break; + case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: // 0xC030 + value = 15; + break; + case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: // 0xCCA8 + value = 16; + break; + case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: // 0xCCA9 + value = 17; + break; + + // TLS 1.3 cipher suites + case TLS_AES_128_GCM_SHA256: // 0x1301 + value = 18; + break; + case TLS_AES_256_GCM_SHA384: // 0x1302 + value = 19; + break; + case TLS_CHACHA20_POLY1305_SHA256: // 0x1303 + value = 20; + break; + + // unknown + default: + value = 0; + break; + } + MOZ_ASSERT(value != 0); + Telemetry::Accumulate(Telemetry::TLS_CIPHER_SUITE, value); +} + +void HandshakeCallback(PRFileDesc* fd, void* client_data) { + // Do the bookkeeping that needs to be done after the + // server's ServerHello...ServerHelloDone have been processed, but that + // doesn't need the handshake to be completed. + PreliminaryHandshakeDone(fd); + + NSSSocketControl* infoObject = (NSSSocketControl*)fd->higher->secret; + nsSSLIOLayerHelpers& ioLayerHelpers = + infoObject->SharedState().IOLayerHelpers(); + + SSLVersionRange versions(infoObject->GetTLSVersionRange()); + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("[%p] HandshakeCallback: succeeded using TLS version range " + "(0x%04x,0x%04x)\n", + fd, static_cast<unsigned int>(versions.min), + static_cast<unsigned int>(versions.max))); + + // If the handshake completed, then we know the site is TLS tolerant + ioLayerHelpers.rememberTolerantAtVersion(infoObject->GetHostName(), + infoObject->GetPort(), versions.max); + + SSLChannelInfo channelInfo; + SECStatus rv = SSL_GetChannelInfo(fd, &channelInfo, sizeof(channelInfo)); + MOZ_ASSERT(rv == SECSuccess); + if (rv != SECSuccess) { + return; + } + AccumulateCipherSuite(channelInfo); + + // Get the protocol version for telemetry + // 1=tls1, 2=tls1.1, 3=tls1.2, 4=tls1.3 + unsigned int versionEnum = channelInfo.protocolVersion & 0xFF; + MOZ_ASSERT(versionEnum > 0); + Telemetry::Accumulate(Telemetry::SSL_HANDSHAKE_VERSION, versionEnum); + + SSLCipherSuiteInfo cipherInfo; + rv = SSL_GetCipherSuiteInfo(channelInfo.cipherSuite, &cipherInfo, + sizeof cipherInfo); + MOZ_ASSERT(rv == SECSuccess); + if (rv != SECSuccess) { + return; + } + // keyExchange null=0, rsa=1, dh=2, fortezza=3, ecdh=4, ecdh_hybrid=8 + Telemetry::Accumulate(infoObject->IsFullHandshake() + ? Telemetry::SSL_KEY_EXCHANGE_ALGORITHM_FULL + : Telemetry::SSL_KEY_EXCHANGE_ALGORITHM_RESUMED, + channelInfo.keaType); + + if (infoObject->IsFullHandshake()) { + switch (channelInfo.keaType) { + case ssl_kea_rsa: + AccumulateNonECCKeySize(Telemetry::SSL_KEA_RSA_KEY_SIZE_FULL, + channelInfo.keaKeyBits); + break; + case ssl_kea_dh: + AccumulateNonECCKeySize(Telemetry::SSL_KEA_DHE_KEY_SIZE_FULL, + channelInfo.keaKeyBits); + break; + case ssl_kea_ecdh: + AccumulateECCCurve(Telemetry::SSL_KEA_ECDHE_CURVE_FULL, + channelInfo.keaKeyBits); + break; + case ssl_kea_ecdh_hybrid: + // Bug 1874963: Add probes for Xyber768d00 + break; + default: + MOZ_CRASH("impossible KEA"); + break; + } + + Telemetry::Accumulate(Telemetry::SSL_AUTH_ALGORITHM_FULL, + channelInfo.authType); + + // RSA key exchange doesn't use a signature for auth. + if (channelInfo.keaType != ssl_kea_rsa) { + switch (channelInfo.authType) { + case ssl_auth_rsa: + case ssl_auth_rsa_sign: + AccumulateNonECCKeySize(Telemetry::SSL_AUTH_RSA_KEY_SIZE_FULL, + channelInfo.authKeyBits); + break; + case ssl_auth_ecdsa: + AccumulateECCCurve(Telemetry::SSL_AUTH_ECDSA_CURVE_FULL, + channelInfo.authKeyBits); + break; + default: + MOZ_CRASH("impossible auth algorithm"); + break; + } + } + } + + PRBool siteSupportsSafeRenego; + if (channelInfo.protocolVersion != SSL_LIBRARY_VERSION_TLS_1_3) { + rv = SSL_HandshakeNegotiatedExtension(fd, ssl_renegotiation_info_xtn, + &siteSupportsSafeRenego); + MOZ_ASSERT(rv == SECSuccess); + if (rv != SECSuccess) { + siteSupportsSafeRenego = false; + } + } else { + // TLS 1.3 dropped support for renegotiation. + siteSupportsSafeRenego = true; + } + bool renegotiationUnsafe = !siteSupportsSafeRenego && + ioLayerHelpers.treatUnsafeNegotiationAsBroken(); + + bool deprecatedTlsVer = + (channelInfo.protocolVersion < SSL_LIBRARY_VERSION_TLS_1_2); + + uint32_t state; + if (renegotiationUnsafe || deprecatedTlsVer) { + state = nsIWebProgressListener::STATE_IS_BROKEN; + } else { + state = nsIWebProgressListener::STATE_IS_SECURE; + SSLVersionRange defVersion; + rv = SSL_VersionRangeGetDefault(ssl_variant_stream, &defVersion); + if (rv == SECSuccess && versions.max >= defVersion.max) { + // we know this site no longer requires a version fallback + ioLayerHelpers.removeInsecureFallbackSite(infoObject->GetHostName(), + infoObject->GetPort()); + } + } + + if (infoObject->HasServerCert()) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("HandshakeCallback KEEPING existing cert\n")); + } else { + infoObject->RebuildCertificateInfoFromSSLTokenCache(); + } + + // Check if the user has added an override for a certificate error. + if (infoObject->HasUserOverriddenCertificateError()) { + state |= nsIWebProgressListener::STATE_CERT_USER_OVERRIDDEN; + } + + infoObject->SetSecurityState(state); + + // XXX Bug 883674: We shouldn't be formatting messages here in PSM; instead, + // we should set a flag on the channel that higher (UI) level code can check + // to log the warning. In particular, these warnings should go to the web + // console instead of to the error console. Also, the warning is not + // localized. + if (!siteSupportsSafeRenego) { + NS_ConvertASCIItoUTF16 msg(infoObject->GetHostName()); + msg.AppendLiteral(" : server does not support RFC 5746, see CVE-2009-3555"); + + nsContentUtils::LogSimpleConsoleError( + msg, "SSL"_ns, !!infoObject->GetOriginAttributes().mPrivateBrowsingId, + true /* from chrome context */); + } + + infoObject->NoteTimeUntilReady(); + infoObject->SetHandshakeCompleted(); +} + +void SecretCallback(PRFileDesc* fd, PRUint16 epoch, SSLSecretDirection dir, + PK11SymKey* secret, void* arg) { + // arg must be set to an NSSSocketControl* in SSL_SecretCallback + MOZ_ASSERT(arg); + NSSSocketControl* infoObject = (NSSSocketControl*)arg; + if (epoch == 2 && dir == ssl_secret_read) { + // |secret| is the server_handshake_traffic_secret. Set a flag to indicate + // that the Server Hello has been processed successfully. We use this when + // deciding whether to retry a connection in which a Xyber share was sent. + infoObject->SetHasTls13HandshakeSecrets(); + } +} diff --git a/security/manager/ssl/nsNSSCallbacks.h b/security/manager/ssl/nsNSSCallbacks.h new file mode 100644 index 0000000000..f8fdbdb5ed --- /dev/null +++ b/security/manager/ssl/nsNSSCallbacks.h @@ -0,0 +1,45 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef nsNSSCallbacks_h +#define nsNSSCallbacks_h + +#include "mozilla/Attributes.h" +#include "mozilla/BasePrincipal.h" +#include "mozilla/TimeStamp.h" +#include "mozilla/Vector.h" +#include "nspr.h" +#include "nsString.h" +#include "pk11func.h" +#include "mozpkix/pkix.h" +#include "mozpkix/pkixtypes.h" +#include "nsIX509Cert.h" +#include "ssl.h" + +using mozilla::OriginAttributes; +using mozilla::TimeDuration; +using mozilla::Vector; + +class nsILoadGroup; + +char* PK11PasswordPrompt(PK11SlotInfo* slot, PRBool retry, void* arg); + +void HandshakeCallback(PRFileDesc* fd, void* client_data); +void SecretCallback(PRFileDesc* fd, PRUint16 epoch, SSLSecretDirection dir, + PK11SymKey* secret, void* arg); +SECStatus CanFalseStartCallback(PRFileDesc* fd, void* client_data, + PRBool* canFalseStart); + +mozilla::pkix::Result DoOCSPRequest( + const nsCString& aiaLocation, const OriginAttributes& originAttributes, + uint8_t (&ocspRequest)[mozilla::pkix::OCSP_REQUEST_MAX_LENGTH], + size_t ocspRequestLength, TimeDuration timeout, + /*out*/ Vector<uint8_t>& result); + +nsCString getKeaGroupName(uint32_t aKeaGroup); +nsCString getSignatureName(uint32_t aSignatureScheme); + +#endif // nsNSSCallbacks_h diff --git a/security/manager/ssl/nsNSSCertHelper.cpp b/security/manager/ssl/nsNSSCertHelper.cpp new file mode 100644 index 0000000000..2a21400cb6 --- /dev/null +++ b/security/manager/ssl/nsNSSCertHelper.cpp @@ -0,0 +1,99 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsNSSCertHelper.h" + +#include <algorithm> + +#include "ScopedNSSTypes.h" +#include "mozilla/Assertions.h" +#include "mozilla/Casting.h" +#include "mozilla/NotNull.h" +#include "mozilla/Sprintf.h" +#include "mozilla/UniquePtr.h" +#include "mozilla/Utf8.h" +#include "mozilla/net/DNS.h" +#include "nsCOMPtr.h" +#include "nsIStringBundle.h" +#include "nsNSSCertificate.h" +#include "nsReadableUtils.h" +#include "nsServiceManagerUtils.h" +#include "nsThreadUtils.h" +#include "prerror.h" +#include "prnetdb.h" +#include "secder.h" + +using namespace mozilla; + +// To avoid relying on localized strings in PSM, we hard-code the root module +// name internally. When we display it to the user in the list of modules in the +// front-end, we look up the localized value and display that instead of this. +const char* kRootModuleName = "Builtin Roots Module"; +const size_t kRootModuleNameLen = strlen(kRootModuleName); + +static nsresult GetPIPNSSBundle(nsIStringBundle** pipnssBundle) { + nsCOMPtr<nsIStringBundleService> bundleService( + do_GetService(NS_STRINGBUNDLE_CONTRACTID)); + if (!bundleService) { + return NS_ERROR_NOT_AVAILABLE; + } + return bundleService->CreateBundle("chrome://pipnss/locale/pipnss.properties", + pipnssBundle); +} + +nsresult GetPIPNSSBundleString(const char* stringName, nsAString& result) { + MOZ_ASSERT(NS_IsMainThread()); + if (!NS_IsMainThread()) { + return NS_ERROR_NOT_SAME_THREAD; + } + MOZ_ASSERT(stringName); + if (!stringName) { + return NS_ERROR_INVALID_ARG; + } + nsCOMPtr<nsIStringBundle> pipnssBundle; + nsresult rv = GetPIPNSSBundle(getter_AddRefs(pipnssBundle)); + if (NS_FAILED(rv)) { + return rv; + } + result.Truncate(); + return pipnssBundle->GetStringFromName(stringName, result); +} + +nsresult GetPIPNSSBundleString(const char* stringName, nsACString& result) { + nsAutoString tmp; + nsresult rv = GetPIPNSSBundleString(stringName, tmp); + if (NS_FAILED(rv)) { + return rv; + } + result.Assign(NS_ConvertUTF16toUTF8(tmp)); + return NS_OK; +} + +nsresult PIPBundleFormatStringFromName(const char* stringName, + const nsTArray<nsString>& params, + nsAString& result) { + MOZ_ASSERT(stringName); + MOZ_ASSERT(!params.IsEmpty()); + if (!stringName || params.IsEmpty()) { + return NS_ERROR_INVALID_ARG; + } + nsCOMPtr<nsIStringBundle> pipnssBundle; + nsresult rv = GetPIPNSSBundle(getter_AddRefs(pipnssBundle)); + if (NS_FAILED(rv)) { + return rv; + } + result.Truncate(); + return pipnssBundle->FormatStringFromName(stringName, params, result); +} + +void LossyUTF8ToUTF16(const char* str, uint32_t len, + /*out*/ nsAString& result) { + auto span = Span(str, len); + if (IsUtf8(span)) { + CopyUTF8toUTF16(span, result); + } else { + // Actually Latin1 despite ASCII in the legacy name + CopyASCIItoUTF16(span, result); + } +} diff --git a/security/manager/ssl/nsNSSCertHelper.h b/security/manager/ssl/nsNSSCertHelper.h new file mode 100644 index 0000000000..453e2e21eb --- /dev/null +++ b/security/manager/ssl/nsNSSCertHelper.h @@ -0,0 +1,31 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef nsNSSCertHelper_h +#define nsNSSCertHelper_h + +#ifndef INET6_ADDRSTRLEN +# define INET6_ADDRSTRLEN 46 +#endif + +#include "certt.h" +#include "nsString.h" + +extern const char* kRootModuleName; +extern const size_t kRootModuleNameLen; + +class nsIX509Cert; + +// If input is valid UTF-8, converts from UTF-8 to UTF-16. Otherwise, +// converts from Latin1 to UTF-16. +void LossyUTF8ToUTF16(const char* str, uint32_t len, /*out*/ nsAString& result); + +// Must be used on the main thread only. +nsresult GetPIPNSSBundleString(const char* stringName, nsAString& result); +nsresult GetPIPNSSBundleString(const char* stringName, nsACString& result); +nsresult PIPBundleFormatStringFromName(const char* stringName, + const nsTArray<nsString>& params, + nsAString& result); + +#endif // nsNSSCertHelper_h diff --git a/security/manager/ssl/nsNSSCertTrust.cpp b/security/manager/ssl/nsNSSCertTrust.cpp new file mode 100644 index 0000000000..f5855c92c6 --- /dev/null +++ b/security/manager/ssl/nsNSSCertTrust.cpp @@ -0,0 +1,121 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsNSSCertTrust.h" + +#include "certdb.h" + +void nsNSSCertTrust::AddCATrust(bool ssl, bool email) { + if (ssl) { + addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CA); + addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CLIENT_CA); + } + if (email) { + addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CA); + addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA); + } +} + +void nsNSSCertTrust::AddPeerTrust(bool ssl, bool email) { + if (ssl) addTrust(&mTrust.sslFlags, CERTDB_TRUSTED); + if (email) addTrust(&mTrust.emailFlags, CERTDB_TRUSTED); +} + +nsNSSCertTrust::nsNSSCertTrust() { memset(&mTrust, 0, sizeof(CERTCertTrust)); } + +nsNSSCertTrust::nsNSSCertTrust(unsigned int ssl, unsigned int email) { + memset(&mTrust, 0, sizeof(CERTCertTrust)); + addTrust(&mTrust.sslFlags, ssl); + addTrust(&mTrust.emailFlags, email); +} + +nsNSSCertTrust::nsNSSCertTrust(CERTCertTrust* t) { + if (t) + memcpy(&mTrust, t, sizeof(CERTCertTrust)); + else + memset(&mTrust, 0, sizeof(CERTCertTrust)); +} + +nsNSSCertTrust::~nsNSSCertTrust() = default; + +void nsNSSCertTrust::SetSSLTrust(bool peer, bool tPeer, bool ca, bool tCA, + bool tClientCA, bool user, bool warn) { + mTrust.sslFlags = 0; + if (peer || tPeer) addTrust(&mTrust.sslFlags, CERTDB_TERMINAL_RECORD); + if (tPeer) addTrust(&mTrust.sslFlags, CERTDB_TRUSTED); + if (ca || tCA) addTrust(&mTrust.sslFlags, CERTDB_VALID_CA); + if (tClientCA) addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CLIENT_CA); + if (tCA) addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CA); + if (user) addTrust(&mTrust.sslFlags, CERTDB_USER); + if (warn) addTrust(&mTrust.sslFlags, CERTDB_SEND_WARN); +} + +void nsNSSCertTrust::SetEmailTrust(bool peer, bool tPeer, bool ca, bool tCA, + bool tClientCA, bool user, bool warn) { + mTrust.emailFlags = 0; + if (peer || tPeer) addTrust(&mTrust.emailFlags, CERTDB_TERMINAL_RECORD); + if (tPeer) addTrust(&mTrust.emailFlags, CERTDB_TRUSTED); + if (ca || tCA) addTrust(&mTrust.emailFlags, CERTDB_VALID_CA); + if (tClientCA) addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA); + if (tCA) addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CA); + if (user) addTrust(&mTrust.emailFlags, CERTDB_USER); + if (warn) addTrust(&mTrust.emailFlags, CERTDB_SEND_WARN); +} + +void nsNSSCertTrust::SetValidCA() { + SetSSLTrust(false, false, true, false, false, false, false); + SetEmailTrust(false, false, true, false, false, false, false); +} + +void nsNSSCertTrust::SetValidPeer() { + SetSSLTrust(true, false, false, false, false, false, false); + SetEmailTrust(true, false, false, false, false, false, false); +} + +bool nsNSSCertTrust::HasAnyCA() { + if (hasTrust(mTrust.sslFlags, CERTDB_VALID_CA) || + hasTrust(mTrust.emailFlags, CERTDB_VALID_CA) || + hasTrust(mTrust.objectSigningFlags, CERTDB_VALID_CA)) + return true; + return false; +} + +bool nsNSSCertTrust::HasPeer(bool checkSSL, bool checkEmail) { + if (checkSSL && !hasTrust(mTrust.sslFlags, CERTDB_TERMINAL_RECORD)) + return false; + if (checkEmail && !hasTrust(mTrust.emailFlags, CERTDB_TERMINAL_RECORD)) + return false; + return true; +} + +bool nsNSSCertTrust::HasAnyUser() { + if (hasTrust(mTrust.sslFlags, CERTDB_USER) || + hasTrust(mTrust.emailFlags, CERTDB_USER) || + hasTrust(mTrust.objectSigningFlags, CERTDB_USER)) + return true; + return false; +} + +bool nsNSSCertTrust::HasTrustedCA(bool checkSSL, bool checkEmail) { + if (checkSSL && !(hasTrust(mTrust.sslFlags, CERTDB_TRUSTED_CA) || + hasTrust(mTrust.sslFlags, CERTDB_TRUSTED_CLIENT_CA))) + return false; + if (checkEmail && !(hasTrust(mTrust.emailFlags, CERTDB_TRUSTED_CA) || + hasTrust(mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA))) + return false; + return true; +} + +bool nsNSSCertTrust::HasTrustedPeer(bool checkSSL, bool checkEmail) { + if (checkSSL && !(hasTrust(mTrust.sslFlags, CERTDB_TRUSTED))) return false; + if (checkEmail && !(hasTrust(mTrust.emailFlags, CERTDB_TRUSTED))) + return false; + return true; +} + +void nsNSSCertTrust::addTrust(unsigned int* t, unsigned int v) { *t |= v; } + +bool nsNSSCertTrust::hasTrust(unsigned int t, unsigned int v) { + return !!(t & v); +} diff --git a/security/manager/ssl/nsNSSCertTrust.h b/security/manager/ssl/nsNSSCertTrust.h new file mode 100644 index 0000000000..3f05d28993 --- /dev/null +++ b/security/manager/ssl/nsNSSCertTrust.h @@ -0,0 +1,55 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef nsNSSCertTrust_h +#define nsNSSCertTrust_h + +#include "certt.h" + +/* + * Class for maintaining trust flags for an NSS certificate. + */ +class nsNSSCertTrust { + public: + nsNSSCertTrust(); + nsNSSCertTrust(unsigned int ssl, unsigned int email); + explicit nsNSSCertTrust(CERTCertTrust* t); + virtual ~nsNSSCertTrust(); + + /* query */ + bool HasAnyCA(); + bool HasAnyUser(); + bool HasPeer(bool checkSSL = true, bool checkEmail = true); + bool HasTrustedCA(bool checkSSL = true, bool checkEmail = true); + bool HasTrustedPeer(bool checkSSL = true, bool checkEmail = true); + + /* common defaults */ + /* equivalent to "c,c,c" */ + void SetValidCA(); + /* equivalent to "p,p,p" */ + void SetValidPeer(); + + /* general setters */ + /* read: "p, P, c, C, T, u, w" */ + void SetSSLTrust(bool peer, bool tPeer, bool ca, bool tCA, bool tClientCA, + bool user, bool warn); + + void SetEmailTrust(bool peer, bool tPeer, bool ca, bool tCA, bool tClientCA, + bool user, bool warn); + + /* set c <--> CT */ + void AddCATrust(bool ssl, bool email); + /* set p <--> P */ + void AddPeerTrust(bool ssl, bool email); + + CERTCertTrust& GetTrust() { return mTrust; } + + private: + void addTrust(unsigned int* t, unsigned int v); + void removeTrust(unsigned int* t, unsigned int v); + bool hasTrust(unsigned int t, unsigned int v); + CERTCertTrust mTrust; +}; + +#endif // nsNSSCertTrust_h diff --git a/security/manager/ssl/nsNSSCertificate.cpp b/security/manager/ssl/nsNSSCertificate.cpp new file mode 100644 index 0000000000..d0413c0340 --- /dev/null +++ b/security/manager/ssl/nsNSSCertificate.cpp @@ -0,0 +1,686 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsNSSCertificate.h" + +#include "CertVerifier.h" +#include "ExtendedValidation.h" +#include "NSSCertDBTrustDomain.h" +#include "X509CertValidity.h" +#include "certdb.h" +#include "ipc/IPCMessageUtils.h" +#include "mozilla/Assertions.h" +#include "mozilla/Base64.h" +#include "mozilla/Casting.h" +#include "mozilla/NotNull.h" +#include "mozilla/Span.h" +#include "mozilla/TextUtils.h" +#include "mozilla/Unused.h" +#include "mozilla/ipc/TransportSecurityInfoUtils.h" +#include "mozilla/ipc/IPDLParamTraits.h" +#include "mozilla/net/DNS.h" +#include "mozpkix/Result.h" +#include "mozpkix/pkixnss.h" +#include "mozpkix/pkixtypes.h" +#include "mozpkix/pkixutil.h" +#include "nsArray.h" +#include "nsCOMPtr.h" +#include "nsIClassInfoImpl.h" +#include "nsIObjectInputStream.h" +#include "nsIObjectOutputStream.h" +#include "nsIX509Cert.h" +#include "nsNSSCertHelper.h" +#include "nsNSSCertTrust.h" +#include "nsPK11TokenDB.h" +#include "nsPKCS12Blob.h" +#include "nsProxyRelease.h" +#include "nsReadableUtils.h" +#include "nsString.h" +#include "nsThreadUtils.h" +#include "nsUnicharUtils.h" +#include "nspr.h" +#include "prerror.h" +#include "secasn1.h" +#include "secder.h" +#include "secerr.h" +#include "ssl.h" + +#ifdef XP_WIN +# include <winsock.h> // for htonl +#endif + +using namespace mozilla; +using namespace mozilla::psm; + +extern LazyLogModule gPIPNSSLog; + +NS_IMPL_ISUPPORTS(nsNSSCertificate, nsIX509Cert, nsISerializable, nsIClassInfo) + +nsNSSCertificate::nsNSSCertificate() : mCert("nsNSSCertificate::mCert") {} + +nsNSSCertificate::nsNSSCertificate(CERTCertificate* cert) + : mCert("nsNSSCertificate::mCert") { + if (cert) { + mDER.AppendElements(cert->derCert.data, cert->derCert.len); + auto lock = mCert.Lock(); + auto& maybeCert = lock.ref(); + maybeCert.emplace(UniqueCERTCertificate(CERT_DupCertificate(cert))); + } +} + +nsNSSCertificate::nsNSSCertificate(nsTArray<uint8_t>&& der) + : mDER(std::move(der)), mCert("nsNSSCertificate::mCert") {} + +UniqueCERTCertificate nsNSSCertificate::GetOrInstantiateCert() { + auto lock = mCert.Lock(); + auto& maybeCert = lock.ref(); + if (maybeCert.isSome()) { + return UniqueCERTCertificate(CERT_DupCertificate((*maybeCert).get())); + } + + if (!EnsureNSSInitializedChromeOrContent()) { + return nullptr; + } + + SECItem derItem = {siBuffer, mDER.Elements(), + static_cast<unsigned int>(mDER.Length())}; + UniqueCERTCertificate cert(CERT_NewTempCertificate( + CERT_GetDefaultCertDB(), &derItem, nullptr, false, true)); + if (!cert) { + return nullptr; + } + maybeCert.emplace(std::move(cert)); + + return UniqueCERTCertificate(CERT_DupCertificate((*maybeCert).get())); +} + +nsresult nsNSSCertificate::GetCertType(uint32_t* aCertType) { + UniqueCERTCertificate cert(GetOrInstantiateCert()); + if (!cert) { + return NS_ERROR_FAILURE; + } + CERTCertTrust certTrust{0, 0, 0}; + // If there is no stored trust information, CERT_GetCertTrust will return + // SECFailure. This isn't a failure. In this case, all trust bits will remain + // unset. + Unused << CERT_GetCertTrust(cert.get(), &certTrust); + nsNSSCertTrust trust(&certTrust); + if (cert->nickname && trust.HasAnyUser()) { + *aCertType = nsIX509Cert::USER_CERT; + return NS_OK; + } + if (trust.HasAnyCA()) { + *aCertType = nsIX509Cert::CA_CERT; + return NS_OK; + } + if (trust.HasPeer(true, false)) { + *aCertType = nsIX509Cert::SERVER_CERT; + return NS_OK; + } + if (trust.HasPeer(false, true) && cert->emailAddr) { + *aCertType = nsIX509Cert::EMAIL_CERT; + return NS_OK; + } + if (CERT_IsCACert(cert.get(), nullptr)) { + *aCertType = nsIX509Cert::CA_CERT; + return NS_OK; + } + if (cert->emailAddr) { + *aCertType = nsIX509Cert::EMAIL_CERT; + return NS_OK; + } + *aCertType = nsIX509Cert::UNKNOWN_CERT; + return NS_OK; +} + +NS_IMETHODIMP +nsNSSCertificate::GetDbKey(nsACString& aDbKey) { + static_assert(sizeof(uint64_t) == 8, "type size consistency check"); + static_assert(sizeof(uint32_t) == 4, "type size consistency check"); + + pkix::Input certInput; + pkix::Result result = certInput.Init(mDER.Elements(), mDER.Length()); + if (result != pkix::Result::Success) { + return NS_ERROR_INVALID_ARG; + } + // NB: since we're not building a trust path, the endEntityOrCA parameter is + // irrelevant. + pkix::BackCert cert(certInput, pkix::EndEntityOrCA::MustBeEndEntity, nullptr); + result = cert.Init(); + if (result != pkix::Result::Success) { + return NS_ERROR_INVALID_ARG; + } + + // The format of the key is the base64 encoding of the following: + // 4 bytes: {0, 0, 0, 0} (this was intended to be the module ID, but it was + // never implemented) + // 4 bytes: {0, 0, 0, 0} (this was intended to be the slot ID, but it was + // never implemented) + // 4 bytes: <serial number length in big-endian order> + // 4 bytes: <DER-encoded issuer distinguished name length in big-endian order> + // n bytes: <bytes of serial number> + // m bytes: <DER-encoded issuer distinguished name> + nsAutoCString buf; + const char leadingZeroes[] = {0, 0, 0, 0, 0, 0, 0, 0}; + buf.Append(leadingZeroes, sizeof(leadingZeroes)); + uint32_t serialNumberLen = htonl(cert.GetSerialNumber().GetLength()); + buf.Append(BitwiseCast<const char*, const uint32_t*>(&serialNumberLen), + sizeof(uint32_t)); + uint32_t issuerLen = htonl(cert.GetIssuer().GetLength()); + buf.Append(BitwiseCast<const char*, const uint32_t*>(&issuerLen), + sizeof(uint32_t)); + buf.Append(BitwiseCast<const char*, const unsigned char*>( + cert.GetSerialNumber().UnsafeGetData()), + cert.GetSerialNumber().GetLength()); + buf.Append(BitwiseCast<const char*, const unsigned char*>( + cert.GetIssuer().UnsafeGetData()), + cert.GetIssuer().GetLength()); + + return Base64Encode(buf, aDbKey); +} + +NS_IMETHODIMP +nsNSSCertificate::GetDisplayName(nsAString& aDisplayName) { + aDisplayName.Truncate(); + + UniqueCERTCertificate cert(GetOrInstantiateCert()); + if (!cert) { + return NS_ERROR_FAILURE; + } + + UniquePORTString commonName(CERT_GetCommonName(&cert->subject)); + UniquePORTString organizationalUnitName(CERT_GetOrgUnitName(&cert->subject)); + UniquePORTString organizationName(CERT_GetOrgName(&cert->subject)); + + // Only use the nickname for built-in roots where we already have a hard-coded + // reasonable display name (unfortunately we have to strip off the leading + // slot identifier followed by a ':'). Otherwise, attempt to use the following + // in order: + // - the common name, if present + // - an organizational unit name, if present + // - an organization name, if present + // - the entire subject distinguished name, if non-empty + // - an email address, if one can be found + // In the unlikely event that none of these fields are present and non-empty + // (the subject really shouldn't be empty), an empty string is returned. + nsAutoCString builtInRootNickname; + nsAutoCString fullNickname(cert->nickname); + static const nsLiteralCString kBuiltinObjectTokenPrefix = + "Builtin Object Token:"_ns; + if (StringBeginsWith(fullNickname, kBuiltinObjectTokenPrefix)) { + // Substring will gracefully handle the case where index is the last + // character in the string (that is, if the nickname is just + // "Builtin Object Token:"). In that case, we'll get an empty string. + builtInRootNickname = + Substring(fullNickname, kBuiltinObjectTokenPrefix.Length()); + } + const char* nameOptions[] = {builtInRootNickname.get(), + commonName.get(), + organizationalUnitName.get(), + organizationName.get(), + cert->subjectName, + cert->emailAddr}; + + for (auto nameOption : nameOptions) { + if (nameOption) { + size_t len = strlen(nameOption); + if (len > 0) { + LossyUTF8ToUTF16(nameOption, len, aDisplayName); + return NS_OK; + } + } + } + + return NS_OK; +} + +NS_IMETHODIMP +nsNSSCertificate::GetEmailAddress(nsAString& aEmailAddress) { + UniqueCERTCertificate cert(GetOrInstantiateCert()); + if (!cert) { + return NS_ERROR_FAILURE; + } + if (cert->emailAddr) { + CopyUTF8toUTF16(MakeStringSpan(cert->emailAddr), aEmailAddress); + } else { + GetPIPNSSBundleString("CertNoEmailAddress", aEmailAddress); + } + return NS_OK; +} + +NS_IMETHODIMP +nsNSSCertificate::GetEmailAddresses(nsTArray<nsString>& aAddresses) { + UniqueCERTCertificate cert(GetOrInstantiateCert()); + if (!cert) { + return NS_ERROR_FAILURE; + } + uint32_t length = 0; + for (const char* aAddr = CERT_GetFirstEmailAddress(cert.get()); aAddr; + aAddr = CERT_GetNextEmailAddress(cert.get(), aAddr)) { + ++(length); + } + + aAddresses.SetCapacity(length); + + for (const char* aAddr = CERT_GetFirstEmailAddress(cert.get()); aAddr; + aAddr = CERT_GetNextEmailAddress(cert.get(), aAddr)) { + CopyASCIItoUTF16(MakeStringSpan(aAddr), *aAddresses.AppendElement()); + } + + return NS_OK; +} + +NS_IMETHODIMP +nsNSSCertificate::ContainsEmailAddress(const nsAString& aEmailAddress, + bool* result) { + NS_ENSURE_ARG(result); + *result = false; + + UniqueCERTCertificate cert(GetOrInstantiateCert()); + if (!cert) { + return NS_ERROR_FAILURE; + } + for (const char* aAddr = CERT_GetFirstEmailAddress(cert.get()); aAddr; + aAddr = CERT_GetNextEmailAddress(cert.get(), aAddr)) { + nsAutoString certAddr; + LossyUTF8ToUTF16(aAddr, strlen(aAddr), certAddr); + ToLowerCase(certAddr); + + nsAutoString testAddr(aEmailAddress); + ToLowerCase(testAddr); + + if (certAddr == testAddr) { + *result = true; + break; + } + } + + return NS_OK; +} + +NS_IMETHODIMP +nsNSSCertificate::GetCommonName(nsAString& aCommonName) { + aCommonName.Truncate(); + UniqueCERTCertificate cert(GetOrInstantiateCert()); + if (!cert) { + return NS_ERROR_FAILURE; + } + UniquePORTString commonName(CERT_GetCommonName(&cert->subject)); + if (commonName) { + LossyUTF8ToUTF16(commonName.get(), strlen(commonName.get()), aCommonName); + } + return NS_OK; +} + +NS_IMETHODIMP +nsNSSCertificate::GetOrganization(nsAString& aOrganization) { + aOrganization.Truncate(); + UniqueCERTCertificate cert(GetOrInstantiateCert()); + if (!cert) { + return NS_ERROR_FAILURE; + } + UniquePORTString organization(CERT_GetOrgName(&cert->subject)); + if (organization) { + LossyUTF8ToUTF16(organization.get(), strlen(organization.get()), + aOrganization); + } + return NS_OK; +} + +NS_IMETHODIMP +nsNSSCertificate::GetIssuerCommonName(nsAString& aCommonName) { + aCommonName.Truncate(); + UniqueCERTCertificate cert(GetOrInstantiateCert()); + if (!cert) { + return NS_ERROR_FAILURE; + } + UniquePORTString commonName(CERT_GetCommonName(&cert->issuer)); + if (commonName) { + LossyUTF8ToUTF16(commonName.get(), strlen(commonName.get()), aCommonName); + } + return NS_OK; +} + +NS_IMETHODIMP +nsNSSCertificate::GetIssuerOrganization(nsAString& aOrganization) { + aOrganization.Truncate(); + UniqueCERTCertificate cert(GetOrInstantiateCert()); + if (!cert) { + return NS_ERROR_FAILURE; + } + UniquePORTString organization(CERT_GetOrgName(&cert->issuer)); + if (organization) { + LossyUTF8ToUTF16(organization.get(), strlen(organization.get()), + aOrganization); + } + return NS_OK; +} + +NS_IMETHODIMP +nsNSSCertificate::GetIssuerOrganizationUnit(nsAString& aOrganizationUnit) { + aOrganizationUnit.Truncate(); + UniqueCERTCertificate cert(GetOrInstantiateCert()); + if (!cert) { + return NS_ERROR_FAILURE; + } + UniquePORTString organizationUnit(CERT_GetOrgUnitName(&cert->issuer)); + if (organizationUnit) { + LossyUTF8ToUTF16(organizationUnit.get(), strlen(organizationUnit.get()), + aOrganizationUnit); + } + return NS_OK; +} + +NS_IMETHODIMP +nsNSSCertificate::GetOrganizationalUnit(nsAString& aOrganizationalUnit) { + aOrganizationalUnit.Truncate(); + UniqueCERTCertificate cert(GetOrInstantiateCert()); + if (!cert) { + return NS_ERROR_FAILURE; + } + UniquePORTString orgunit(CERT_GetOrgUnitName(&cert->subject)); + if (orgunit) { + LossyUTF8ToUTF16(orgunit.get(), strlen(orgunit.get()), aOrganizationalUnit); + } + return NS_OK; +} + +NS_IMETHODIMP +nsNSSCertificate::GetSubjectName(nsAString& _subjectName) { + _subjectName.Truncate(); + UniqueCERTCertificate cert(GetOrInstantiateCert()); + if (!cert) { + return NS_ERROR_FAILURE; + } + if (cert->subjectName) { + LossyUTF8ToUTF16(cert->subjectName, strlen(cert->subjectName), + _subjectName); + } + return NS_OK; +} + +NS_IMETHODIMP +nsNSSCertificate::GetIssuerName(nsAString& _issuerName) { + _issuerName.Truncate(); + UniqueCERTCertificate cert(GetOrInstantiateCert()); + if (!cert) { + return NS_ERROR_FAILURE; + } + if (cert->issuerName) { + LossyUTF8ToUTF16(cert->issuerName, strlen(cert->issuerName), _issuerName); + } + return NS_OK; +} + +NS_IMETHODIMP +nsNSSCertificate::GetSerialNumber(nsAString& _serialNumber) { + _serialNumber.Truncate(); + UniqueCERTCertificate cert(GetOrInstantiateCert()); + if (!cert) { + return NS_ERROR_FAILURE; + } + UniquePORTString tmpstr( + CERT_Hexify(&cert->serialNumber, true /* use colon delimiters */)); + if (tmpstr) { + _serialNumber = NS_ConvertASCIItoUTF16(tmpstr.get()); + return NS_OK; + } + return NS_ERROR_FAILURE; +} + +nsresult nsNSSCertificate::GetCertificateHash(nsAString& aFingerprint, + SECOidTag aHashAlg) { + aFingerprint.Truncate(); + + if (!EnsureNSSInitializedChromeOrContent()) { + return NS_ERROR_NOT_AVAILABLE; + } + + nsTArray<uint8_t> digestArray; + nsresult rv = + Digest::DigestBuf(aHashAlg, mDER.Elements(), mDER.Length(), digestArray); + if (NS_FAILED(rv)) { + return rv; + } + SECItem digestItem = {siBuffer, digestArray.Elements(), + static_cast<unsigned int>(digestArray.Length())}; + + UniquePORTString fpStr( + CERT_Hexify(&digestItem, true /* use colon delimiters */)); + if (!fpStr) { + return NS_ERROR_FAILURE; + } + + aFingerprint.AssignASCII(fpStr.get()); + return NS_OK; +} + +NS_IMETHODIMP +nsNSSCertificate::GetSha256Fingerprint(nsAString& aSha256Fingerprint) { + return GetCertificateHash(aSha256Fingerprint, SEC_OID_SHA256); +} + +NS_IMETHODIMP +nsNSSCertificate::GetSha1Fingerprint(nsAString& _sha1Fingerprint) { + return GetCertificateHash(_sha1Fingerprint, SEC_OID_SHA1); +} + +NS_IMETHODIMP +nsNSSCertificate::GetTokenName(nsAString& aTokenName) { + UniqueCERTCertificate cert(GetOrInstantiateCert()); + if (!cert) { + return NS_ERROR_FAILURE; + } + UniquePK11SlotInfo internalSlot(PK11_GetInternalSlot()); + if (!internalSlot) { + return NS_ERROR_FAILURE; + } + nsCOMPtr<nsIPK11Token> token( + new nsPK11Token(cert->slot ? cert->slot : internalSlot.get())); + nsAutoCString tmp; + nsresult rv = token->GetTokenName(tmp); + if (NS_FAILED(rv)) { + return rv; + } + aTokenName.Assign(NS_ConvertUTF8toUTF16(tmp)); + return NS_OK; +} + +NS_IMETHODIMP +nsNSSCertificate::GetSha256SubjectPublicKeyInfoDigest( + nsACString& aSha256SPKIDigest) { + aSha256SPKIDigest.Truncate(); + + if (!EnsureNSSInitializedChromeOrContent()) { + return NS_ERROR_NOT_AVAILABLE; + } + + pkix::Input certInput; + pkix::Result result = certInput.Init(mDER.Elements(), mDER.Length()); + if (result != pkix::Result::Success) { + return NS_ERROR_INVALID_ARG; + } + // NB: since we're not building a trust path, the endEntityOrCA parameter is + // irrelevant. + pkix::BackCert cert(certInput, pkix::EndEntityOrCA::MustBeEndEntity, nullptr); + result = cert.Init(); + if (result != pkix::Result::Success) { + return NS_ERROR_INVALID_ARG; + } + pkix::Input derPublicKey = cert.GetSubjectPublicKeyInfo(); + nsTArray<uint8_t> digestArray; + nsresult rv = Digest::DigestBuf(SEC_OID_SHA256, derPublicKey.UnsafeGetData(), + derPublicKey.GetLength(), digestArray); + if (NS_FAILED(rv)) { + return rv; + } + rv = Base64Encode(nsDependentCSubstring( + reinterpret_cast<const char*>(digestArray.Elements()), + digestArray.Length()), + aSha256SPKIDigest); + if (NS_WARN_IF(NS_FAILED(rv))) { + return rv; + } + return NS_OK; +} + +NS_IMETHODIMP +nsNSSCertificate::GetRawDER(nsTArray<uint8_t>& aArray) { + aArray.SetLength(mDER.Length()); + memcpy(aArray.Elements(), mDER.Elements(), mDER.Length()); + return NS_OK; +} + +NS_IMETHODIMP +nsNSSCertificate::GetBase64DERString(nsACString& base64DERString) { + nsDependentCSubstring derString( + reinterpret_cast<const char*>(mDER.Elements()), mDER.Length()); + nsresult rv = Base64Encode(derString, base64DERString); + if (NS_FAILED(rv)) { + return rv; + } + return NS_OK; +} + +CERTCertificate* nsNSSCertificate::GetCert() { + UniqueCERTCertificate cert(GetOrInstantiateCert()); + return cert.release(); // caller takes ownership +} + +NS_IMETHODIMP +nsNSSCertificate::GetValidity(nsIX509CertValidity** aValidity) { + NS_ENSURE_ARG(aValidity); + pkix::Input certInput; + pkix::Result rv = certInput.Init(mDER.Elements(), mDER.Length()); + if (rv != pkix::Success) { + return NS_ERROR_FAILURE; + } + nsCOMPtr<nsIX509CertValidity> validity = new X509CertValidity(certInput); + validity.forget(aValidity); + return NS_OK; +} + +// NB: Any updates (except disk-only fields) must be kept in sync with +// |SerializeToIPC|. +NS_IMETHODIMP +nsNSSCertificate::Write(nsIObjectOutputStream* aStream) { + // This field used to be the cached EV status, but it is no longer necessary. + nsresult rv = aStream->Write32(0); + if (NS_FAILED(rv)) { + return rv; + } + rv = aStream->Write32(mDER.Length()); + if (NS_FAILED(rv)) { + return rv; + } + return aStream->WriteBytes(Span(mDER)); +} + +// NB: Any updates (except disk-only fields) must be kept in sync with +// |DeserializeFromIPC|. +NS_IMETHODIMP +nsNSSCertificate::Read(nsIObjectInputStream* aStream) { + auto lock = mCert.Lock(); + auto& maybeCert = lock.ref(); + if (!mDER.IsEmpty() || maybeCert.isSome()) { + return NS_ERROR_ALREADY_INITIALIZED; + } + + // This field is no longer used. + uint32_t unusedCachedEVStatus; + nsresult rv = aStream->Read32(&unusedCachedEVStatus); + if (NS_FAILED(rv)) { + return rv; + } + + uint32_t len; + rv = aStream->Read32(&len); + if (NS_FAILED(rv)) { + return rv; + } + + rv = aStream->ReadByteArray(len, mDER); + if (NS_FAILED(rv)) { + return rv; + } + return NS_OK; +} + +void nsNSSCertificate::SerializeToIPC(IPC::MessageWriter* aWriter) { + bool hasCert = !mDER.IsEmpty(); + WriteParam(aWriter, hasCert); + + if (!hasCert) { + return; + } + + WriteParam(aWriter, mDER); +} + +bool nsNSSCertificate::DeserializeFromIPC(IPC::MessageReader* aReader) { + auto lock = mCert.Lock(); + auto& maybeCert = lock.ref(); + if (!mDER.IsEmpty() || maybeCert.isSome()) { + return false; + } + + bool hasCert = false; + if (!ReadParam(aReader, &hasCert)) { + return false; + } + + if (!hasCert) { + return true; + } + + if (!ReadParam(aReader, &mDER)) { + return false; + } + return true; +} + +NS_IMETHODIMP +nsNSSCertificate::GetInterfaces(nsTArray<nsIID>& array) { + array.Clear(); + return NS_OK; +} + +NS_IMETHODIMP +nsNSSCertificate::GetScriptableHelper(nsIXPCScriptable** _retval) { + *_retval = nullptr; + return NS_OK; +} + +NS_IMETHODIMP +nsNSSCertificate::GetContractID(nsACString& aContractID) { + aContractID.SetIsVoid(true); + return NS_OK; +} + +NS_IMETHODIMP +nsNSSCertificate::GetClassDescription(nsACString& aClassDescription) { + aClassDescription.SetIsVoid(true); + return NS_OK; +} + +NS_IMETHODIMP +nsNSSCertificate::GetClassID(nsCID** aClassID) { + *aClassID = (nsCID*)moz_xmalloc(sizeof(nsCID)); + return GetClassIDNoAlloc(*aClassID); +} + +NS_IMETHODIMP +nsNSSCertificate::GetFlags(uint32_t* aFlags) { + *aFlags = nsIClassInfo::THREADSAFE; + return NS_OK; +} + +NS_IMETHODIMP +nsNSSCertificate::GetClassIDNoAlloc(nsCID* aClassIDNoAlloc) { + static NS_DEFINE_CID(kNSSCertificateCID, NS_X509CERT_CID); + + *aClassIDNoAlloc = kNSSCertificateCID; + return NS_OK; +} diff --git a/security/manager/ssl/nsNSSCertificate.h b/security/manager/ssl/nsNSSCertificate.h new file mode 100644 index 0000000000..cec7331c6b --- /dev/null +++ b/security/manager/ssl/nsNSSCertificate.h @@ -0,0 +1,50 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef nsNSSCertificate_h +#define nsNSSCertificate_h + +#include "ScopedNSSTypes.h" +#include "certt.h" +#include "mozilla/DataMutex.h" +#include "mozilla/Maybe.h" +#include "nsCOMPtr.h" +#include "nsIClassInfo.h" +#include "nsISerializable.h" +#include "nsIX509Cert.h" +#include "nsStringFwd.h" + +class nsNSSCertificate final : public nsIX509Cert, + public nsISerializable, + public nsIClassInfo { + public: + NS_DECL_THREADSAFE_ISUPPORTS + NS_DECL_NSIX509CERT + NS_DECL_NSISERIALIZABLE + NS_DECL_NSICLASSINFO + + nsNSSCertificate(); + explicit nsNSSCertificate(CERTCertificate* cert); + explicit nsNSSCertificate(nsTArray<uint8_t>&& der); + + private: + virtual ~nsNSSCertificate() = default; + nsresult GetCertificateHash(nsAString& aFingerprint, SECOidTag aHashAlg); + mozilla::UniqueCERTCertificate GetOrInstantiateCert(); + + nsTArray<uint8_t> mDER; + // There may be multiple threads running when mCert is actually instantiated, + // so it must be protected by a mutex. + mozilla::DataMutex<mozilla::Maybe<mozilla::UniqueCERTCertificate>> mCert; +}; + +#define NS_X509CERT_CID \ + { /* 660a3226-915c-4ffb-bb20-8985a632df05 */ \ + 0x660a3226, 0x915c, 0x4ffb, { \ + 0xbb, 0x20, 0x89, 0x85, 0xa6, 0x32, 0xdf, 0x05 \ + } \ + } + +#endif // nsNSSCertificate_h diff --git a/security/manager/ssl/nsNSSCertificateDB.cpp b/security/manager/ssl/nsNSSCertificateDB.cpp new file mode 100644 index 0000000000..fc3caf29b5 --- /dev/null +++ b/security/manager/ssl/nsNSSCertificateDB.cpp @@ -0,0 +1,1375 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsNSSCertificateDB.h" + +#include "CertVerifier.h" +#include "CryptoTask.h" +#include "ExtendedValidation.h" +#include "NSSCertDBTrustDomain.h" +#include "SharedSSLState.h" +#include "certdb.h" +#include "mozilla/Assertions.h" +#include "mozilla/Base64.h" +#include "mozilla/Casting.h" +#include "mozilla/Logging.h" +#include "mozilla/Services.h" +#include "mozilla/Unused.h" +#include "mozpkix/Time.h" +#include "mozpkix/pkixnss.h" +#include "mozpkix/pkixtypes.h" +#include "nsArray.h" +#include "nsArrayUtils.h" +#include "nsCOMPtr.h" +#include "nsComponentManagerUtils.h" +#include "nsICertificateDialogs.h" +#include "nsIFile.h" +#include "nsIMutableArray.h" +#include "nsIObserverService.h" +#include "nsIPrompt.h" +#include "nsNSSCertHelper.h" +#include "nsNSSCertTrust.h" +#include "nsNSSCertificate.h" +#include "nsNSSComponent.h" +#include "nsNSSHelper.h" +#include "nsPKCS12Blob.h" +#include "nsPromiseFlatString.h" +#include "nsProxyRelease.h" +#include "nsReadableUtils.h" +#include "nsThreadUtils.h" +#include "nspr.h" +#include "secasn1.h" +#include "secder.h" +#include "secerr.h" +#include "ssl.h" + +#ifdef XP_WIN +# include <winsock.h> // for ntohl +#endif + +using namespace mozilla; +using namespace mozilla::psm; + +extern LazyLogModule gPIPNSSLog; + +NS_IMPL_ISUPPORTS(nsNSSCertificateDB, nsIX509CertDB) + +NS_IMETHODIMP +nsNSSCertificateDB::FindCertByDBKey(const nsACString& aDBKey, + /*out*/ nsIX509Cert** _cert) { + NS_ENSURE_ARG_POINTER(_cert); + *_cert = nullptr; + + if (aDBKey.IsEmpty()) { + return NS_ERROR_INVALID_ARG; + } + + nsresult rv = BlockUntilLoadableCertsLoaded(); + if (NS_FAILED(rv)) { + return rv; + } + + UniqueCERTCertificate cert; + rv = FindCertByDBKey(aDBKey, cert); + if (NS_FAILED(rv)) { + return rv; + } + // If we can't find the certificate, that's not an error. Just return null. + if (!cert) { + return NS_OK; + } + nsCOMPtr<nsIX509Cert> nssCert = new nsNSSCertificate(cert.get()); + nssCert.forget(_cert); + return NS_OK; +} + +nsresult nsNSSCertificateDB::FindCertByDBKey(const nsACString& aDBKey, + UniqueCERTCertificate& cert) { + static_assert(sizeof(uint64_t) == 8, "type size sanity check"); + static_assert(sizeof(uint32_t) == 4, "type size sanity check"); + // (From nsNSSCertificate::GetDbKey) + // The format of the key is the base64 encoding of the following: + // 4 bytes: {0, 0, 0, 0} (this was intended to be the module ID, but it was + // never implemented) + // 4 bytes: {0, 0, 0, 0} (this was intended to be the slot ID, but it was + // never implemented) + // 4 bytes: <serial number length in big-endian order> + // 4 bytes: <DER-encoded issuer distinguished name length in big-endian order> + // n bytes: <bytes of serial number> + // m bytes: <DER-encoded issuer distinguished name> + nsAutoCString decoded; + nsAutoCString tmpDBKey(aDBKey); + // Filter out any whitespace for backwards compatibility. + tmpDBKey.StripWhitespace(); + nsresult rv = Base64Decode(tmpDBKey, decoded); + if (NS_FAILED(rv)) { + return rv; + } + if (decoded.Length() < 16) { + return NS_ERROR_ILLEGAL_INPUT; + } + const char* reader = decoded.BeginReading(); + uint64_t zeroes = *BitwiseCast<const uint64_t*, const char*>(reader); + if (zeroes != 0) { + return NS_ERROR_ILLEGAL_INPUT; + } + reader += sizeof(uint64_t); + // Note: We surround the ntohl() argument with parentheses to stop the macro + // from thinking two arguments were passed. + uint32_t serialNumberLen = + ntohl((*BitwiseCast<const uint32_t*, const char*>(reader))); + reader += sizeof(uint32_t); + uint32_t issuerLen = + ntohl((*BitwiseCast<const uint32_t*, const char*>(reader))); + reader += sizeof(uint32_t); + if (decoded.Length() != 16ULL + serialNumberLen + issuerLen) { + return NS_ERROR_ILLEGAL_INPUT; + } + CERTIssuerAndSN issuerSN; + issuerSN.serialNumber.len = serialNumberLen; + issuerSN.serialNumber.data = BitwiseCast<unsigned char*, const char*>(reader); + reader += serialNumberLen; + issuerSN.derIssuer.len = issuerLen; + issuerSN.derIssuer.data = BitwiseCast<unsigned char*, const char*>(reader); + reader += issuerLen; + MOZ_ASSERT(reader == decoded.EndReading()); + + cert.reset(CERT_FindCertByIssuerAndSN(CERT_GetDefaultCertDB(), &issuerSN)); + return NS_OK; +} + +SECStatus collect_certs(void* arg, SECItem** certs, int numcerts) { + nsTArray<nsTArray<uint8_t>>* certsArray = + reinterpret_cast<nsTArray<nsTArray<uint8_t>>*>(arg); + + while (numcerts--) { + nsTArray<uint8_t> certArray; + SECItem* cert = *certs; + certArray.AppendElements(cert->data, cert->len); + certsArray->AppendElement(std::move(certArray)); + certs++; + } + return (SECSuccess); +} + +nsresult nsNSSCertificateDB::getCertsFromPackage( + nsTArray<nsTArray<uint8_t>>& collectArgs, uint8_t* data, uint32_t length) { + if (CERT_DecodeCertPackage(BitwiseCast<char*, uint8_t*>(data), length, + collect_certs, &collectArgs) != SECSuccess) { + return NS_ERROR_FAILURE; + } + return NS_OK; +} + +// When using the sql-backed softoken, trust settings are authenticated using a +// key in the secret database. Thus, if the user has a password, we need to +// authenticate to the token in order to be able to change trust settings. +SECStatus ChangeCertTrustWithPossibleAuthentication( + const UniqueCERTCertificate& cert, CERTCertTrust& trust, void* ctx) { + MOZ_ASSERT(cert, "cert must be non-null"); + if (!cert) { + PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0); + return SECFailure; + } + // NSS ignores the first argument to CERT_ChangeCertTrust + SECStatus srv = CERT_ChangeCertTrust(nullptr, cert.get(), &trust); + if (srv == SECSuccess || PR_GetError() != SEC_ERROR_TOKEN_NOT_LOGGED_IN) { + return srv; + } + if (cert->slot) { + // If this certificate is on an external PKCS#11 token, we have to + // authenticate to that token. + srv = PK11_Authenticate(cert->slot, PR_TRUE, ctx); + } else { + // Otherwise, the certificate is on the internal module. + UniquePK11SlotInfo internalSlot(PK11_GetInternalKeySlot()); + srv = PK11_Authenticate(internalSlot.get(), PR_TRUE, ctx); + } + if (srv != SECSuccess) { + return srv; + } + return CERT_ChangeCertTrust(nullptr, cert.get(), &trust); +} + +static nsresult ImportCertsIntoPermanentStorage( + const UniqueCERTCertList& certChain) { + bool encounteredFailure = false; + PRErrorCode savedErrorCode = 0; + UniquePK11SlotInfo slot(PK11_GetInternalKeySlot()); + for (CERTCertListNode* chainNode = CERT_LIST_HEAD(certChain); + !CERT_LIST_END(chainNode, certChain); + chainNode = CERT_LIST_NEXT(chainNode)) { + UniquePORTString nickname(CERT_MakeCANickname(chainNode->cert)); + SECStatus srv = PK11_ImportCert(slot.get(), chainNode->cert, + CK_INVALID_HANDLE, nickname.get(), + false); // this parameter is ignored by NSS + if (srv != SECSuccess) { + encounteredFailure = true; + savedErrorCode = PR_GetError(); + } + } + + if (encounteredFailure) { + return GetXPCOMFromNSSError(savedErrorCode); + } + + return NS_OK; +} + +nsresult nsNSSCertificateDB::handleCACertDownload(NotNull<nsIArray*> x509Certs, + nsIInterfaceRequestor* ctx) { + // First thing we have to do is figure out which certificate we're + // gonna present to the user. The CA may have sent down a list of + // certs which may or may not be a chained list of certs. Until + // the day we can design some solid UI for the general case, we'll + // code to the > 90% case. That case is where a CA sends down a + // list that is a hierarchy whose root is either the first or + // the last cert. What we're gonna do is compare the first + // 2 entries, if the second was signed by the first, we assume + // the root cert is the first cert and display it. Otherwise, + // we compare the last 2 entries, if the second to last cert was + // signed by the last cert, then we assume the last cert is the + // root and display it. + + uint32_t numCerts; + + x509Certs->GetLength(&numCerts); + + if (numCerts == 0) return NS_OK; // Nothing to import, so nothing to do. + + nsCOMPtr<nsIX509Cert> certToShow; + uint32_t selCertIndex; + if (numCerts == 1) { + // There's only one cert, so let's show it. + selCertIndex = 0; + certToShow = do_QueryElementAt(x509Certs, selCertIndex); + } else { + nsCOMPtr<nsIX509Cert> cert0; // first cert + nsCOMPtr<nsIX509Cert> cert1; // second cert + nsCOMPtr<nsIX509Cert> certn_2; // second to last cert + nsCOMPtr<nsIX509Cert> certn_1; // last cert + + cert0 = do_QueryElementAt(x509Certs, 0); + cert1 = do_QueryElementAt(x509Certs, 1); + certn_2 = do_QueryElementAt(x509Certs, numCerts - 2); + certn_1 = do_QueryElementAt(x509Certs, numCerts - 1); + + nsAutoString cert0SubjectName; + nsAutoString cert1IssuerName; + nsAutoString certn_2IssuerName; + nsAutoString certn_1SubjectName; + + cert0->GetSubjectName(cert0SubjectName); + cert1->GetIssuerName(cert1IssuerName); + certn_2->GetIssuerName(certn_2IssuerName); + certn_1->GetSubjectName(certn_1SubjectName); + + if (cert1IssuerName.Equals(cert0SubjectName)) { + // In this case, the first cert in the list signed the second, + // so the first cert is the root. Let's display it. + selCertIndex = 0; + certToShow = cert0; + } else if (certn_2IssuerName.Equals(certn_1SubjectName)) { + // In this case the last cert has signed the second to last cert. + // The last cert is the root, so let's display it. + selCertIndex = numCerts - 1; + certToShow = certn_1; + } else { + // It's not a chain, so let's just show the first one in the + // downloaded list. + selCertIndex = 0; + certToShow = cert0; + } + } + + if (!certToShow) return NS_ERROR_FAILURE; + + nsCOMPtr<nsICertificateDialogs> dialogs; + nsresult rv = ::getNSSDialogs(getter_AddRefs(dialogs), + NS_GET_IID(nsICertificateDialogs), + NS_CERTIFICATEDIALOGS_CONTRACTID); + if (NS_FAILED(rv)) { + return rv; + } + + UniqueCERTCertificate tmpCert(certToShow->GetCert()); + if (!tmpCert) { + return NS_ERROR_FAILURE; + } + + if (!CERT_IsCACert(tmpCert.get(), nullptr)) { + DisplayCertificateAlert(ctx, "NotACACert", certToShow); + return NS_ERROR_FAILURE; + } + + if (tmpCert->isperm) { + DisplayCertificateAlert(ctx, "CaCertExists", certToShow); + return NS_ERROR_FAILURE; + } + + uint32_t trustBits; + bool allows; + rv = dialogs->ConfirmDownloadCACert(ctx, certToShow, &trustBits, &allows); + if (NS_FAILED(rv)) return rv; + + if (!allows) return NS_ERROR_NOT_AVAILABLE; + + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("trust is %d\n", trustBits)); + UniquePORTString nickname(CERT_MakeCANickname(tmpCert.get())); + + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("Created nick \"%s\"\n", nickname.get())); + + nsNSSCertTrust trust; + trust.SetValidCA(); + trust.AddCATrust(!!(trustBits & nsIX509CertDB::TRUSTED_SSL), + !!(trustBits & nsIX509CertDB::TRUSTED_EMAIL)); + + UniquePK11SlotInfo slot(PK11_GetInternalKeySlot()); + SECStatus srv = PK11_ImportCert(slot.get(), tmpCert.get(), CK_INVALID_HANDLE, + nickname.get(), + false); // this parameter is ignored by NSS + if (srv != SECSuccess) { + return MapSECStatus(srv); + } + srv = + ChangeCertTrustWithPossibleAuthentication(tmpCert, trust.GetTrust(), ctx); + if (srv != SECSuccess) { + return MapSECStatus(srv); + } + + // Import additional delivered certificates that can be verified. + + // build a CertList for filtering + UniqueCERTCertList certList(CERT_NewCertList()); + if (!certList) { + return NS_ERROR_FAILURE; + } + + // get all remaining certs into temp store + + for (uint32_t i = 0; i < numCerts; i++) { + if (i == selCertIndex) { + // we already processed that one + continue; + } + + nsCOMPtr<nsIX509Cert> remainingCert = do_QueryElementAt(x509Certs, i); + if (!remainingCert) { + continue; + } + + UniqueCERTCertificate tmpCert2(remainingCert->GetCert()); + if (!tmpCert2) { + continue; // Let's try to import the rest of 'em + } + + if (CERT_AddCertToListTail(certList.get(), tmpCert2.get()) != SECSuccess) { + continue; + } + + Unused << tmpCert2.release(); + } + + return ImportCertsIntoPermanentStorage(certList); +} + +nsresult nsNSSCertificateDB::ConstructCertArrayFromUniqueCertList( + const UniqueCERTCertList& aCertListIn, + nsTArray<RefPtr<nsIX509Cert>>& aCertListOut) { + if (!aCertListIn.get()) { + return NS_ERROR_INVALID_ARG; + } + + for (CERTCertListNode* node = CERT_LIST_HEAD(aCertListIn.get()); + !CERT_LIST_END(node, aCertListIn.get()); node = CERT_LIST_NEXT(node)) { + RefPtr<nsIX509Cert> cert = new nsNSSCertificate(node->cert); + aCertListOut.AppendElement(cert); + } + return NS_OK; +} + +NS_IMETHODIMP +nsNSSCertificateDB::ImportCertificates(uint8_t* data, uint32_t length, + uint32_t type, + nsIInterfaceRequestor* ctx) { + // We currently only handle CA certificates. + if (type != nsIX509Cert::CA_CERT) { + return NS_ERROR_FAILURE; + } + + nsTArray<nsTArray<uint8_t>> certsArray; + nsresult rv = getCertsFromPackage(certsArray, data, length); + if (NS_FAILED(rv)) { + return rv; + } + + nsCOMPtr<nsIMutableArray> array = nsArrayBase::Create(); + if (!array) { + return NS_ERROR_FAILURE; + } + + // Now let's create some certs to work with + for (nsTArray<uint8_t>& certDER : certsArray) { + nsCOMPtr<nsIX509Cert> cert = new nsNSSCertificate(std::move(certDER)); + nsresult rv = array->AppendElement(cert); + if (NS_FAILED(rv)) { + return rv; + } + } + + return handleCACertDownload(WrapNotNull(array), ctx); +} + +/** + * Decodes a given array of DER-encoded certificates into temporary storage. + * + * @param certs + * Array in which the decoded certificates are stored as arrays of + * unsigned chars. + * @param temporaryCerts + * List of decoded certificates. + */ +static nsresult ImportCertsIntoTempStorage( + nsTArray<nsTArray<uint8_t>>& certs, + /*out*/ const UniqueCERTCertList& temporaryCerts) { + NS_ENSURE_ARG_POINTER(temporaryCerts); + + for (nsTArray<uint8_t>& certDER : certs) { + CERTCertificate* certificate; + SECItem certItem; + certItem.len = certDER.Length(); + certItem.data = certDER.Elements(); + certificate = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &certItem, + nullptr, false, true); + + UniqueCERTCertificate cert(certificate); + if (!cert) { + continue; + } + + if (CERT_AddCertToListTail(temporaryCerts.get(), cert.get()) == + SECSuccess) { + Unused << cert.release(); + } + } + + return NS_OK; +} + +NS_IMETHODIMP +nsNSSCertificateDB::ImportEmailCertificate(uint8_t* data, uint32_t length, + nsIInterfaceRequestor* ctx) { + nsTArray<nsTArray<uint8_t>> certsArray; + + nsresult rv = getCertsFromPackage(certsArray, data, length); + if (NS_FAILED(rv)) { + return rv; + } + + UniqueCERTCertList temporaryCerts(CERT_NewCertList()); + if (!temporaryCerts) { + return NS_ERROR_FAILURE; + } + + rv = ImportCertsIntoTempStorage(certsArray, temporaryCerts); + if (NS_FAILED(rv)) { + return rv; + } + + return ImportCertsIntoPermanentStorage(temporaryCerts); +} + +nsresult nsNSSCertificateDB::ImportCACerts(nsTArray<nsTArray<uint8_t>>& caCerts, + nsIInterfaceRequestor* ctx) { + UniqueCERTCertList temporaryCerts(CERT_NewCertList()); + if (!temporaryCerts) { + return NS_ERROR_FAILURE; + } + + nsresult rv = ImportCertsIntoTempStorage(caCerts, temporaryCerts); + if (NS_FAILED(rv)) { + return rv; + } + + return ImportCertsIntoPermanentStorage(temporaryCerts); +} + +void nsNSSCertificateDB::DisplayCertificateAlert(nsIInterfaceRequestor* ctx, + const char* stringID, + nsIX509Cert* certToShow) { + if (!NS_IsMainThread()) { + NS_ERROR( + "nsNSSCertificateDB::DisplayCertificateAlert called off the main " + "thread"); + return; + } + + nsCOMPtr<nsIInterfaceRequestor> my_ctx = ctx; + if (!my_ctx) { + my_ctx = new PipUIContext(); + } + + // This shall be replaced by embedding ovverridable prompts + // as discussed in bug 310446, and should make use of certToShow. + + nsAutoString tmpMessage; + GetPIPNSSBundleString(stringID, tmpMessage); + nsCOMPtr<nsIPrompt> prompt(do_GetInterface(my_ctx)); + if (!prompt) { + return; + } + + prompt->Alert(nullptr, tmpMessage.get()); +} + +NS_IMETHODIMP +nsNSSCertificateDB::ImportUserCertificate(uint8_t* data, uint32_t length, + nsIInterfaceRequestor* ctx) { + if (!NS_IsMainThread()) { + NS_ERROR( + "nsNSSCertificateDB::ImportUserCertificate called off the main thread"); + return NS_ERROR_NOT_SAME_THREAD; + } + + nsTArray<nsTArray<uint8_t>> certsArray; + + nsresult rv = getCertsFromPackage(certsArray, data, length); + if (NS_FAILED(rv)) { + return rv; + } + + SECItem certItem; + + if (certsArray.IsEmpty()) { + return NS_OK; + } + + certItem.len = certsArray.ElementAt(0).Length(); + certItem.data = certsArray.ElementAt(0).Elements(); + + UniqueCERTCertificate cert(CERT_NewTempCertificate( + CERT_GetDefaultCertDB(), &certItem, nullptr, false, true)); + if (!cert) { + return NS_ERROR_FAILURE; + } + + UniquePK11SlotInfo slot(PK11_KeyForCertExists(cert.get(), nullptr, ctx)); + if (!slot) { + nsCOMPtr<nsIX509Cert> certToShow = new nsNSSCertificate(cert.get()); + DisplayCertificateAlert(ctx, "UserCertIgnoredNoPrivateKey", certToShow); + return NS_ERROR_FAILURE; + } + slot = nullptr; + + /* pick a nickname for the cert */ + nsAutoCString nickname; + if (cert->nickname) { + nickname = cert->nickname; + } else { + get_default_nickname(cert.get(), ctx, nickname); + } + + /* user wants to import the cert */ + slot.reset(PK11_ImportCertForKey(cert.get(), nickname.get(), ctx)); + if (!slot) { + return NS_ERROR_FAILURE; + } + slot = nullptr; + + { + nsCOMPtr<nsIX509Cert> certToShow = new nsNSSCertificate(cert.get()); + DisplayCertificateAlert(ctx, "UserCertImported", certToShow); + } + + rv = NS_OK; + if (!certsArray.IsEmpty()) { + certsArray.RemoveElementAt(0); + rv = ImportCACerts(certsArray, ctx); + } + + nsCOMPtr<nsIObserverService> observerService = + mozilla::services::GetObserverService(); + if (observerService) { + observerService->NotifyObservers(nullptr, "psm:user-certificate-added", + nullptr); + } + + return rv; +} + +NS_IMETHODIMP +nsNSSCertificateDB::DeleteCertificate(nsIX509Cert* aCert) { + NS_ENSURE_ARG_POINTER(aCert); + UniqueCERTCertificate cert(aCert->GetCert()); + if (!cert) { + return NS_ERROR_FAILURE; + } + + // Temporary certificates aren't on a slot and will go away when the + // nsIX509Cert is destructed. + if (cert->slot) { + uint32_t certType; + nsresult rv = aCert->GetCertType(&certType); + if (NS_WARN_IF(NS_FAILED(rv))) { + return rv; + } + if (certType == nsIX509Cert::USER_CERT) { + SECStatus srv = PK11_Authenticate(cert->slot, true, nullptr); + if (srv != SECSuccess) { + return NS_ERROR_FAILURE; + } + srv = PK11_DeleteTokenCertAndKey(cert.get(), nullptr); + if (srv != SECSuccess) { + return NS_ERROR_FAILURE; + } + } else { + // For certificates that can't be deleted (e.g. built-in roots), un-set + // all trust bits. + nsNSSCertTrust trust(0, 0); + SECStatus srv = ChangeCertTrustWithPossibleAuthentication( + cert, trust.GetTrust(), nullptr); + if (srv != SECSuccess) { + return NS_ERROR_FAILURE; + } + if (!PK11_IsReadOnly(cert->slot)) { + srv = SEC_DeletePermCertificate(cert.get()); + if (srv != SECSuccess) { + return NS_ERROR_FAILURE; + } + } + } + } + + nsCOMPtr<nsIObserverService> observerService = + mozilla::services::GetObserverService(); + if (observerService) { + observerService->NotifyObservers(nullptr, "psm:user-certificate-deleted", + nullptr); + } + + return NS_OK; +} + +NS_IMETHODIMP +nsNSSCertificateDB::SetCertTrust(nsIX509Cert* cert, uint32_t type, + uint32_t trusted) { + NS_ENSURE_ARG_POINTER(cert); + nsNSSCertTrust trust; + switch (type) { + case nsIX509Cert::CA_CERT: + trust.SetValidCA(); + trust.AddCATrust(!!(trusted & nsIX509CertDB::TRUSTED_SSL), + !!(trusted & nsIX509CertDB::TRUSTED_EMAIL)); + break; + case nsIX509Cert::SERVER_CERT: + trust.SetValidPeer(); + trust.AddPeerTrust(trusted & nsIX509CertDB::TRUSTED_SSL, false); + break; + case nsIX509Cert::EMAIL_CERT: + trust.SetValidPeer(); + trust.AddPeerTrust(false, !!(trusted & nsIX509CertDB::TRUSTED_EMAIL)); + break; + default: + // Ignore any other type of certificate (including invalid types). + return NS_OK; + } + + UniqueCERTCertificate nsscert(cert->GetCert()); + SECStatus srv = ChangeCertTrustWithPossibleAuthentication( + nsscert, trust.GetTrust(), nullptr); + return MapSECStatus(srv); +} + +NS_IMETHODIMP +nsNSSCertificateDB::IsCertTrusted(nsIX509Cert* cert, uint32_t certType, + uint32_t trustType, bool* _isTrusted) { + NS_ENSURE_ARG_POINTER(_isTrusted); + *_isTrusted = false; + + nsresult rv = BlockUntilLoadableCertsLoaded(); + if (NS_FAILED(rv)) { + return rv; + } + + SECStatus srv; + UniqueCERTCertificate nsscert(cert->GetCert()); + CERTCertTrust nsstrust; + srv = CERT_GetCertTrust(nsscert.get(), &nsstrust); + if (srv != SECSuccess) { + // CERT_GetCertTrust returns SECFailure if given a temporary cert that + // doesn't have any trust information yet. This isn't an error. + return NS_OK; + } + + nsNSSCertTrust trust(&nsstrust); + if (certType == nsIX509Cert::CA_CERT) { + if (trustType & nsIX509CertDB::TRUSTED_SSL) { + *_isTrusted = trust.HasTrustedCA(true, false); + } else if (trustType & nsIX509CertDB::TRUSTED_EMAIL) { + *_isTrusted = trust.HasTrustedCA(false, true); + } else { + return NS_ERROR_FAILURE; + } + } else if (certType == nsIX509Cert::SERVER_CERT) { + if (trustType & nsIX509CertDB::TRUSTED_SSL) { + *_isTrusted = trust.HasTrustedPeer(true, false); + } else if (trustType & nsIX509CertDB::TRUSTED_EMAIL) { + *_isTrusted = trust.HasTrustedPeer(false, true); + } else { + return NS_ERROR_FAILURE; + } + } else if (certType == nsIX509Cert::EMAIL_CERT) { + if (trustType & nsIX509CertDB::TRUSTED_SSL) { + *_isTrusted = trust.HasTrustedPeer(true, false); + } else if (trustType & nsIX509CertDB::TRUSTED_EMAIL) { + *_isTrusted = trust.HasTrustedPeer(false, true); + } else { + return NS_ERROR_FAILURE; + } + } /* user: ignore */ + return NS_OK; +} + +NS_IMETHODIMP +nsNSSCertificateDB::ImportCertsFromFile(nsIFile* aFile, uint32_t aType) { + NS_ENSURE_ARG(aFile); + switch (aType) { + case nsIX509Cert::CA_CERT: + case nsIX509Cert::EMAIL_CERT: + // good + break; + + default: + // not supported (yet) + return NS_ERROR_FAILURE; + } + + PRFileDesc* fd = nullptr; + nsresult rv = aFile->OpenNSPRFileDesc(PR_RDONLY, 0, &fd); + if (NS_FAILED(rv)) { + return rv; + } + if (!fd) { + return NS_ERROR_FAILURE; + } + + PRFileInfo fileInfo; + if (PR_GetOpenFileInfo(fd, &fileInfo) != PR_SUCCESS) { + return NS_ERROR_FAILURE; + } + + auto buf = MakeUnique<unsigned char[]>(fileInfo.size); + int32_t bytesObtained = PR_Read(fd, buf.get(), fileInfo.size); + PR_Close(fd); + + if (bytesObtained != fileInfo.size) { + return NS_ERROR_FAILURE; + } + + nsCOMPtr<nsIInterfaceRequestor> cxt = new PipUIContext(); + + switch (aType) { + case nsIX509Cert::CA_CERT: + return ImportCertificates(buf.get(), bytesObtained, aType, cxt); + case nsIX509Cert::EMAIL_CERT: + return ImportEmailCertificate(buf.get(), bytesObtained, cxt); + default: + MOZ_ASSERT(false, "Unsupported type should have been filtered out"); + break; + } + + return NS_ERROR_FAILURE; +} + +NS_IMETHODIMP +nsNSSCertificateDB::ImportPKCS12File(nsIFile* aFile, const nsAString& aPassword, + uint32_t* aError) { + if (!NS_IsMainThread()) { + return NS_ERROR_NOT_SAME_THREAD; + } + nsresult rv = BlockUntilLoadableCertsLoaded(); + if (NS_FAILED(rv)) { + return rv; + } + + NS_ENSURE_ARG(aFile); + nsPKCS12Blob blob; + rv = blob.ImportFromFile(aFile, aPassword, *aError); + nsCOMPtr<nsIObserverService> observerService = + mozilla::services::GetObserverService(); + if (NS_SUCCEEDED(rv) && observerService) { + observerService->NotifyObservers(nullptr, "psm:user-certificate-added", + nullptr); + } + + return rv; +} + +NS_IMETHODIMP +nsNSSCertificateDB::ExportPKCS12File( + nsIFile* aFile, const nsTArray<RefPtr<nsIX509Cert>>& aCerts, + const nsAString& aPassword, uint32_t* aError) { + if (!NS_IsMainThread()) { + return NS_ERROR_NOT_SAME_THREAD; + } + nsresult rv = BlockUntilLoadableCertsLoaded(); + if (NS_FAILED(rv)) { + return rv; + } + + NS_ENSURE_ARG(aFile); + if (aCerts.IsEmpty()) { + return NS_OK; + } + nsPKCS12Blob blob; + return blob.ExportToFile(aFile, aCerts, aPassword, *aError); +} + +NS_IMETHODIMP +nsNSSCertificateDB::ConstructX509FromBase64(const nsACString& base64, + /*out*/ nsIX509Cert** _retval) { + if (!_retval) { + return NS_ERROR_INVALID_POINTER; + } + + // Base64Decode() doesn't consider a zero length input as an error, and just + // returns the empty string. We don't want this behavior, so the below check + // catches this case. + if (base64.Length() < 1) { + return NS_ERROR_ILLEGAL_VALUE; + } + + nsAutoCString certDER; + nsresult rv = Base64Decode(base64, certDER); + if (NS_FAILED(rv)) { + return rv; + } + + return ConstructX509FromSpan(AsBytes(Span(certDER)), _retval); +} + +NS_IMETHODIMP +nsNSSCertificateDB::ConstructX509(const nsTArray<uint8_t>& certDER, + nsIX509Cert** _retval) { + return ConstructX509FromSpan(Span(certDER.Elements(), certDER.Length()), + _retval); +} + +nsresult nsNSSCertificateDB::ConstructX509FromSpan( + Span<const uint8_t> aInputSpan, nsIX509Cert** _retval) { + if (NS_WARN_IF(!_retval)) { + return NS_ERROR_INVALID_POINTER; + } + + if (aInputSpan.Length() > std::numeric_limits<unsigned int>::max()) { + return NS_ERROR_ILLEGAL_VALUE; + } + + SECItem certData; + certData.type = siDERCertBuffer; + certData.data = const_cast<unsigned char*>( + reinterpret_cast<const unsigned char*>(aInputSpan.Elements())); + certData.len = aInputSpan.Length(); + + UniqueCERTCertificate cert(CERT_NewTempCertificate( + CERT_GetDefaultCertDB(), &certData, nullptr, false, true)); + if (!cert) + return (PORT_GetError() == SEC_ERROR_NO_MEMORY) ? NS_ERROR_OUT_OF_MEMORY + : NS_ERROR_FAILURE; + + nsCOMPtr<nsIX509Cert> nssCert = new nsNSSCertificate(cert.get()); + nssCert.forget(_retval); + return NS_OK; +} + +void nsNSSCertificateDB::get_default_nickname(CERTCertificate* cert, + nsIInterfaceRequestor* ctx, + nsCString& nickname) { + nickname.Truncate(); + + CK_OBJECT_HANDLE keyHandle; + + if (NS_FAILED(BlockUntilLoadableCertsLoaded())) { + return; + } + + CERTCertDBHandle* defaultcertdb = CERT_GetDefaultCertDB(); + nsAutoCString username; + UniquePORTString tempCN(CERT_GetCommonName(&cert->subject)); + if (tempCN) { + username = tempCN.get(); + } + + nsAutoCString caname; + UniquePORTString tempIssuerOrg(CERT_GetOrgName(&cert->issuer)); + if (tempIssuerOrg) { + caname = tempIssuerOrg.get(); + } + + nsAutoString tmpNickFmt; + GetPIPNSSBundleString("nick_template", tmpNickFmt); + NS_ConvertUTF16toUTF8 nickFmt(tmpNickFmt); + + nsAutoCString baseName; + baseName.AppendPrintf(nickFmt.get(), username.get(), caname.get()); + if (baseName.IsEmpty()) { + return; + } + + nickname = baseName; + + /* + * We need to see if the private key exists on a token, if it does + * then we need to check for nicknames that already exist on the smart + * card. + */ + UniquePK11SlotInfo slot(PK11_KeyForCertExists(cert, &keyHandle, ctx)); + if (!slot) return; + + if (!PK11_IsInternal(slot.get())) { + nsAutoCString tmp; + tmp.AppendPrintf("%s:%s", PK11_GetTokenName(slot.get()), baseName.get()); + if (tmp.IsEmpty()) { + nickname.Truncate(); + return; + } + baseName = tmp; + nickname = baseName; + } + + int count = 1; + while (true) { + if (count > 1) { + nsAutoCString tmp; + tmp.AppendPrintf("%s #%d", baseName.get(), count); + if (tmp.IsEmpty()) { + nickname.Truncate(); + return; + } + nickname = tmp; + } + + UniqueCERTCertificate dummycert; + + if (PK11_IsInternal(slot.get())) { + /* look up the nickname to make sure it isn't in use already */ + dummycert.reset(CERT_FindCertByNickname(defaultcertdb, nickname.get())); + } else { + // Check the cert against others that already live on the smart card. + dummycert.reset(PK11_FindCertFromNickname(nickname.get(), ctx)); + if (dummycert) { + // Make sure the subject names are different. + if (CERT_CompareName(&cert->subject, &dummycert->subject) == SECEqual) { + /* + * There is another certificate with the same nickname and + * the same subject name on the smart card, so let's use this + * nickname. + */ + dummycert = nullptr; + } + } + } + if (!dummycert) { + break; + } + count++; + } +} + +NS_IMETHODIMP +nsNSSCertificateDB::AddCertFromBase64(const nsACString& aBase64, + const nsACString& aTrust, + nsIX509Cert** addedCertificate) { + // Base64Decode() doesn't consider a zero length input as an error, and just + // returns the empty string. We don't want this behavior, so the below check + // catches this case. + if (aBase64.Length() < 1) { + return NS_ERROR_ILLEGAL_VALUE; + } + + nsAutoCString aCertDER; + nsresult rv = Base64Decode(aBase64, aCertDER); + if (NS_FAILED(rv)) { + return rv; + } + return AddCert(aCertDER, aTrust, addedCertificate); +} + +NS_IMETHODIMP +nsNSSCertificateDB::AddCert(const nsACString& aCertDER, + const nsACString& aTrust, + nsIX509Cert** addedCertificate) { + MOZ_ASSERT(addedCertificate); + if (!addedCertificate) { + return NS_ERROR_INVALID_ARG; + } + *addedCertificate = nullptr; + + nsNSSCertTrust trust; + if (CERT_DecodeTrustString(&trust.GetTrust(), + PromiseFlatCString(aTrust).get()) != SECSuccess) { + return NS_ERROR_FAILURE; + } + + nsCOMPtr<nsIX509Cert> newCert; + nsresult rv = + ConstructX509FromSpan(AsBytes(Span(aCertDER)), getter_AddRefs(newCert)); + if (NS_FAILED(rv)) { + return rv; + } + + UniqueCERTCertificate tmpCert(newCert->GetCert()); + if (!tmpCert) { + return NS_ERROR_FAILURE; + } + + // If there's already a certificate that matches this one in the database, we + // still want to set its trust to the given value. + if (tmpCert->isperm) { + rv = SetCertTrustFromString(newCert, aTrust); + if (NS_FAILED(rv)) { + return rv; + } + newCert.forget(addedCertificate); + return NS_OK; + } + + UniquePORTString nickname(CERT_MakeCANickname(tmpCert.get())); + + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("Created nick \"%s\"\n", nickname.get())); + + UniquePK11SlotInfo slot(PK11_GetInternalKeySlot()); + SECStatus srv = PK11_ImportCert(slot.get(), tmpCert.get(), CK_INVALID_HANDLE, + nickname.get(), + false); // this parameter is ignored by NSS + if (srv != SECSuccess) { + return MapSECStatus(srv); + } + srv = ChangeCertTrustWithPossibleAuthentication(tmpCert, trust.GetTrust(), + nullptr); + if (srv != SECSuccess) { + return MapSECStatus(srv); + } + newCert.forget(addedCertificate); + return NS_OK; +} + +NS_IMETHODIMP +nsNSSCertificateDB::SetCertTrustFromString(nsIX509Cert* cert, + const nsACString& trustString) { + NS_ENSURE_ARG(cert); + + CERTCertTrust trust; + SECStatus srv = + CERT_DecodeTrustString(&trust, PromiseFlatCString(trustString).get()); + if (srv != SECSuccess) { + return MapSECStatus(srv); + } + UniqueCERTCertificate nssCert(cert->GetCert()); + + srv = ChangeCertTrustWithPossibleAuthentication(nssCert, trust, nullptr); + return MapSECStatus(srv); +} + +NS_IMETHODIMP nsNSSCertificateDB::AsPKCS7Blob( + const nsTArray<RefPtr<nsIX509Cert>>& certList, nsACString& _retval) { + if (certList.IsEmpty()) { + return NS_ERROR_INVALID_ARG; + } + + UniqueNSSCMSMessage cmsg(NSS_CMSMessage_Create(nullptr)); + if (!cmsg) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("nsNSSCertificateDB::AsPKCS7Blob - can't create CMS message")); + return NS_ERROR_OUT_OF_MEMORY; + } + + UniqueNSSCMSSignedData sigd(nullptr); + for (const auto& cert : certList) { + // We need an owning handle when calling nsIX509Cert::GetCert(). + UniqueCERTCertificate nssCert(cert->GetCert()); + if (!sigd) { + sigd.reset( + NSS_CMSSignedData_CreateCertsOnly(cmsg.get(), nssCert.get(), false)); + if (!sigd) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("nsNSSCertificateDB::AsPKCS7Blob - can't create SignedData")); + return NS_ERROR_FAILURE; + } + } else if (NSS_CMSSignedData_AddCertificate(sigd.get(), nssCert.get()) != + SECSuccess) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("nsNSSCertificateDB::AsPKCS7Blob - can't add cert")); + return NS_ERROR_FAILURE; + } + } + + NSSCMSContentInfo* cinfo = NSS_CMSMessage_GetContentInfo(cmsg.get()); + if (NSS_CMSContentInfo_SetContent_SignedData(cmsg.get(), cinfo, sigd.get()) != + SECSuccess) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("nsNSSCertificateDB::AsPKCS7Blob - can't attach SignedData")); + return NS_ERROR_FAILURE; + } + // cmsg owns sigd now. + Unused << sigd.release(); + + UniquePLArenaPool arena(PORT_NewArena(1024)); + if (!arena) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("nsNSSCertificateDB::AsPKCS7Blob - out of memory")); + return NS_ERROR_OUT_OF_MEMORY; + } + + SECItem certP7 = {siBuffer, nullptr, 0}; + NSSCMSEncoderContext* ecx = NSS_CMSEncoder_Start( + cmsg.get(), nullptr, nullptr, &certP7, arena.get(), nullptr, nullptr, + nullptr, nullptr, nullptr, nullptr); + if (!ecx) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("nsNSSCertificateDB::AsPKCS7Blob - can't create encoder")); + return NS_ERROR_FAILURE; + } + + if (NSS_CMSEncoder_Finish(ecx) != SECSuccess) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("nsNSSCertificateDB::AsPKCS7Blob - failed to add encoded data")); + return NS_ERROR_FAILURE; + } + + _retval.Assign(nsDependentCSubstring( + reinterpret_cast<const char*>(certP7.data), certP7.len)); + return NS_OK; +} + +NS_IMETHODIMP +nsNSSCertificateDB::GetCerts(nsTArray<RefPtr<nsIX509Cert>>& _retval) { + nsresult rv = BlockUntilLoadableCertsLoaded(); + if (NS_FAILED(rv)) { + return rv; + } + + rv = CheckForSmartCardChanges(); + if (NS_FAILED(rv)) { + return rv; + } + + nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext(); + UniqueCERTCertList certList(PK11_ListCerts(PK11CertListUnique, ctx)); + if (!certList) { + return NS_ERROR_FAILURE; + } + return nsNSSCertificateDB::ConstructCertArrayFromUniqueCertList(certList, + _retval); +} + +nsresult IsCertBuiltInRoot(const RefPtr<nsIX509Cert>& cert, + bool& isBuiltInRoot) { + nsTArray<uint8_t> der; + nsresult rv = cert->GetRawDER(der); + if (NS_FAILED(rv)) { + return rv; + } + pkix::Input certInput; + pkix::Result result = certInput.Init(der.Elements(), der.Length()); + if (result != pkix::Result::Success) { + return NS_ERROR_FAILURE; + } + result = IsCertBuiltInRoot(certInput, isBuiltInRoot); + if (result != pkix::Result::Success) { + return NS_ERROR_FAILURE; + } + return NS_OK; +} + +NS_IMETHODIMP +nsNSSCertificateDB::AsyncHasThirdPartyRoots(nsIAsyncBoolCallback* aCallback) { + NS_ENSURE_ARG_POINTER(aCallback); + nsMainThreadPtrHandle<nsIAsyncBoolCallback> callback( + new nsMainThreadPtrHolder<nsIAsyncBoolCallback>("AsyncHasThirdPartyRoots", + aCallback)); + + return NS_DispatchBackgroundTask( + NS_NewRunnableFunction( + "nsNSSCertificateDB::AsyncHasThirdPartyRoots", + [cb = std::move(callback), self = RefPtr{this}] { + bool hasThirdPartyRoots = [self]() -> bool { + nsTArray<RefPtr<nsIX509Cert>> certs; + nsresult rv = self->GetCerts(certs); + if (NS_FAILED(rv)) { + return false; + } + + for (const auto& cert : certs) { + bool isTrusted = false; + nsresult rv = + self->IsCertTrusted(cert, nsIX509Cert::CA_CERT, + nsIX509CertDB::TRUSTED_SSL, &isTrusted); + if (NS_FAILED(rv)) { + return false; + } + + if (!isTrusted) { + continue; + } + + bool isBuiltInRoot = false; + rv = IsCertBuiltInRoot(cert, isBuiltInRoot); + if (NS_FAILED(rv)) { + return false; + } + + if (!isBuiltInRoot) { + return true; + } + } + + return false; + }(); + + NS_DispatchToMainThread(NS_NewRunnableFunction( + "nsNSSCertificateDB::AsyncHasThirdPartyRoots callback", + [cb, hasThirdPartyRoots]() { + cb->OnResult(hasThirdPartyRoots); + })); + }), + NS_DISPATCH_EVENT_MAY_BLOCK); +} + +nsresult VerifyCertAtTime(nsIX509Cert* aCert, + int64_t /*SECCertificateUsage*/ aUsage, + uint32_t aFlags, const nsACString& aHostname, + mozilla::pkix::Time aTime, + nsTArray<RefPtr<nsIX509Cert>>& aVerifiedChain, + bool* aHasEVPolicy, + int32_t* /*PRErrorCode*/ _retval) { + NS_ENSURE_ARG_POINTER(aCert); + NS_ENSURE_ARG_POINTER(aHasEVPolicy); + NS_ENSURE_ARG_POINTER(_retval); + + if (!aVerifiedChain.IsEmpty()) { + return NS_ERROR_INVALID_ARG; + } + + *aHasEVPolicy = false; + *_retval = PR_UNKNOWN_ERROR; + + RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier()); + NS_ENSURE_TRUE(certVerifier, NS_ERROR_FAILURE); + + nsTArray<nsTArray<uint8_t>> resultChain; + EVStatus evStatus; + mozilla::pkix::Result result; + + nsTArray<uint8_t> certBytes; + nsresult nsrv = aCert->GetRawDER(certBytes); + if (NS_FAILED(nsrv)) { + return nsrv; + } + + if (!aHostname.IsVoid() && aUsage == certificateUsageSSLServer) { + result = + certVerifier->VerifySSLServerCert(certBytes, aTime, + nullptr, // Assume no context + aHostname, resultChain, aFlags, + Nothing(), // extraCertificates + Nothing(), // stapledOCSPResponse + Nothing(), // sctsFromTLSExtension + Nothing(), // dcInfo + OriginAttributes(), &evStatus); + } else { + const nsCString& flatHostname = PromiseFlatCString(aHostname); + result = certVerifier->VerifyCert( + certBytes, aUsage, aTime, + nullptr, // Assume no context + aHostname.IsVoid() ? nullptr : flatHostname.get(), resultChain, aFlags, + Nothing(), // extraCertificates + Nothing(), // stapledOCSPResponse + Nothing(), // sctsFromTLSExtension + OriginAttributes(), &evStatus); + } + + if (result == mozilla::pkix::Success) { + for (auto& certDER : resultChain) { + RefPtr<nsIX509Cert> cert = new nsNSSCertificate(std::move(certDER)); + aVerifiedChain.AppendElement(cert); + } + + if (evStatus == EVStatus::EV) { + *aHasEVPolicy = true; + } + } + + *_retval = mozilla::pkix::MapResultToPRErrorCode(result); + + return NS_OK; +} + +class VerifyCertAtTimeTask final : public CryptoTask { + public: + VerifyCertAtTimeTask(nsIX509Cert* aCert, int64_t aUsage, uint32_t aFlags, + const nsACString& aHostname, uint64_t aTime, + nsICertVerificationCallback* aCallback) + : mCert(aCert), + mUsage(aUsage), + mFlags(aFlags), + mHostname(aHostname), + mTime(aTime), + mCallback(new nsMainThreadPtrHolder<nsICertVerificationCallback>( + "nsICertVerificationCallback", aCallback)), + mPRErrorCode(SEC_ERROR_LIBRARY_FAILURE), + mHasEVPolicy(false) {} + + private: + virtual nsresult CalculateResult() override { + nsCOMPtr<nsIX509CertDB> certDB = do_GetService(NS_X509CERTDB_CONTRACTID); + if (!certDB) { + return NS_ERROR_FAILURE; + } + return VerifyCertAtTime(mCert, mUsage, mFlags, mHostname, + mozilla::pkix::TimeFromEpochInSeconds(mTime), + mVerifiedCertList, &mHasEVPolicy, &mPRErrorCode); + } + + virtual void CallCallback(nsresult rv) override { + if (NS_FAILED(rv)) { + nsTArray<RefPtr<nsIX509Cert>> tmp; + Unused << mCallback->VerifyCertFinished(SEC_ERROR_LIBRARY_FAILURE, tmp, + false); + } else { + Unused << mCallback->VerifyCertFinished(mPRErrorCode, mVerifiedCertList, + mHasEVPolicy); + } + } + + nsCOMPtr<nsIX509Cert> mCert; + int64_t mUsage; + uint32_t mFlags; + nsCString mHostname; + uint64_t mTime; + nsMainThreadPtrHandle<nsICertVerificationCallback> mCallback; + int32_t mPRErrorCode; + nsTArray<RefPtr<nsIX509Cert>> mVerifiedCertList; + bool mHasEVPolicy; +}; + +NS_IMETHODIMP +nsNSSCertificateDB::AsyncVerifyCertAtTime( + nsIX509Cert* aCert, int64_t /*SECCertificateUsage*/ aUsage, uint32_t aFlags, + const nsACString& aHostname, uint64_t aTime, + nsICertVerificationCallback* aCallback) { + RefPtr<VerifyCertAtTimeTask> task(new VerifyCertAtTimeTask( + aCert, aUsage, aFlags, aHostname, aTime, aCallback)); + return task->Dispatch(); +} + +NS_IMETHODIMP +nsNSSCertificateDB::ClearOCSPCache() { + RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier()); + NS_ENSURE_TRUE(certVerifier, NS_ERROR_FAILURE); + certVerifier->ClearOCSPCache(); + return NS_OK; +} diff --git a/security/manager/ssl/nsNSSCertificateDB.h b/security/manager/ssl/nsNSSCertificateDB.h new file mode 100644 index 0000000000..125bb32acd --- /dev/null +++ b/security/manager/ssl/nsNSSCertificateDB.h @@ -0,0 +1,71 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef nsNSSCertificateDB_h +#define nsNSSCertificateDB_h + +#include "ScopedNSSTypes.h" +#include "certt.h" +#include "mozilla/Mutex.h" +#include "mozilla/NotNull.h" +#include "mozilla/RefPtr.h" +#include "mozilla/UniquePtr.h" +#include "nsIX509CertDB.h" +#include "nsString.h" + +class nsIArray; + +class nsNSSCertificateDB final : public nsIX509CertDB + +{ + public: + NS_DECL_THREADSAFE_ISUPPORTS + NS_DECL_NSIX509CERTDB + + // This is a separate static method so nsNSSComponent can use it during NSS + // initialization. Other code should probably not use it. + static nsresult FindCertByDBKey(const nsACString& aDBKey, + mozilla::UniqueCERTCertificate& cert); + + static nsresult ConstructCertArrayFromUniqueCertList( + const mozilla::UniqueCERTCertList& aCertListIn, + nsTArray<RefPtr<nsIX509Cert>>& aCertListOut); + + protected: + virtual ~nsNSSCertificateDB() = default; + + private: + // Use this function to generate a default nickname for a user + // certificate that is to be imported onto a token. + static void get_default_nickname(CERTCertificate* cert, + nsIInterfaceRequestor* ctx, + nsCString& nickname); + + static nsresult ImportCACerts(nsTArray<nsTArray<uint8_t>>& CACerts, + nsIInterfaceRequestor* ctx); + + static void DisplayCertificateAlert(nsIInterfaceRequestor* ctx, + const char* stringID, + nsIX509Cert* certToShow); + + nsresult getCertsFromPackage(nsTArray<nsTArray<uint8_t>>& collectArgs, + uint8_t* data, uint32_t length); + nsresult handleCACertDownload(mozilla::NotNull<nsIArray*> x509Certs, + nsIInterfaceRequestor* ctx); + nsresult ConstructX509FromSpan(const mozilla::Span<const uint8_t> aInputSpan, + nsIX509Cert** _retval); +}; + +#define NS_X509CERTDB_CID \ + { /* fb0bbc5c-452e-4783-b32c-80124693d871 */ \ + 0xfb0bbc5c, 0x452e, 0x4783, { \ + 0xb3, 0x2c, 0x80, 0x12, 0x46, 0x93, 0xd8, 0x71 \ + } \ + } + +SECStatus ChangeCertTrustWithPossibleAuthentication( + const mozilla::UniqueCERTCertificate& cert, CERTCertTrust& trust, + void* ctx); + +#endif // nsNSSCertificateDB_h diff --git a/security/manager/ssl/nsNSSComponent.cpp b/security/manager/ssl/nsNSSComponent.cpp new file mode 100644 index 0000000000..5f3792fd52 --- /dev/null +++ b/security/manager/ssl/nsNSSComponent.cpp @@ -0,0 +1,2551 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsNSSComponent.h" + +#include "BinaryPath.h" +#include "CryptoTask.h" +#include "EnterpriseRoots.h" +#include "ExtendedValidation.h" +#include "NSSCertDBTrustDomain.h" +#include "SSLTokensCache.h" +#include "ScopedNSSTypes.h" +#include "SharedSSLState.h" +#include "cert.h" +#include "cert_storage/src/cert_storage.h" +#include "certdb.h" +#include "mozilla/AppShutdown.h" +#include "mozilla/ArrayUtils.h" +#include "mozilla/Assertions.h" +#include "mozilla/Base64.h" +#include "mozilla/Casting.h" +#include "mozilla/EndianUtils.h" +#include "mozilla/FilePreferences.h" +#include "mozilla/PodOperations.h" +#include "mozilla/Preferences.h" +#include "mozilla/ProfilerLabels.h" +#include "mozilla/ProfilerMarkers.h" +#include "mozilla/PublicSSL.h" +#include "mozilla/ScopeExit.h" +#include "mozilla/Services.h" +#include "mozilla/StaticMutex.h" +#include "mozilla/StaticPrefs_security.h" +#include "mozilla/StaticPtr.h" +#include "mozilla/SyncRunnable.h" +#include "mozilla/Telemetry.h" +#include "mozilla/TimeStamp.h" +#include "mozilla/Unused.h" +#include "mozilla/Vector.h" +#include "mozilla/dom/Promise.h" +#include "mozilla/net/SocketProcessParent.h" +#include "mozpkix/pkixnss.h" +#include "nsAppDirectoryServiceDefs.h" +#include "nsCRT.h" +#include "nsClientAuthRemember.h" +#include "nsComponentManagerUtils.h" +#include "nsDirectoryServiceDefs.h" +#include "nsICertOverrideService.h" +#include "nsIFile.h" +#include "nsILocalFileWin.h" +#include "nsIOService.h" +#include "nsIObserverService.h" +#include "nsIPrompt.h" +#include "nsIProperties.h" +#include "nsISerialEventTarget.h" +#include "nsISiteSecurityService.h" +#include "nsITimer.h" +#include "nsITokenPasswordDialogs.h" +#include "nsIWindowWatcher.h" +#include "nsIXULRuntime.h" +#include "nsLiteralString.h" +#include "nsNSSHelper.h" +#include "nsNetCID.h" +#include "nsPK11TokenDB.h" +#include "nsPrintfCString.h" +#include "nsServiceManagerUtils.h" +#include "nsThreadUtils.h" +#include "nsXULAppAPI.h" +#include "nss.h" +#include "p12plcy.h" +#include "pk11pub.h" +#include "prmem.h" +#include "secerr.h" +#include "secmod.h" +#include "ssl.h" +#include "sslerr.h" +#include "sslproto.h" + +#if defined(XP_LINUX) && !defined(ANDROID) +# include <linux/magic.h> +# include <sys/vfs.h> +#endif + +#ifdef XP_WIN +# include "nsILocalFileWin.h" +#endif + +using namespace mozilla; +using namespace mozilla::psm; + +LazyLogModule gPIPNSSLog("pipnss"); + +int nsNSSComponent::mInstanceCount = 0; + +// Forward declaration. +nsresult CommonInit(); + +// Take an nsIFile and get a UTF-8-encoded c-string representation of the +// location of that file (encapsulated in an nsACString). +// This operation is generally to be avoided, except when interacting with +// third-party or legacy libraries that cannot handle `nsIFile`s (such as NSS). +// |result| is encoded in UTF-8. +nsresult FileToCString(const nsCOMPtr<nsIFile>& file, nsACString& result) { +#ifdef XP_WIN + nsAutoString path; + nsresult rv = file->GetPath(path); + if (NS_SUCCEEDED(rv)) { + CopyUTF16toUTF8(path, result); + } + return rv; +#else + return file->GetNativePath(result); +#endif +} + +void TruncateFromLastDirectorySeparator(nsCString& path) { + static const nsAutoCString kSeparatorString( + mozilla::FilePreferences::kPathSeparator); + int32_t index = path.RFind(kSeparatorString); + if (index == kNotFound) { + return; + } + path.Truncate(index); +} + +bool LoadIPCClientCerts() { + // This returns the path to the binary currently running, which in most + // cases is "plugin-container". + UniqueFreePtr<char> pluginContainerPath(BinaryPath::Get()); + if (!pluginContainerPath) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("failed to get get plugin-container path")); + return false; + } + nsAutoCString ipcClientCertsDirString(pluginContainerPath.get()); + // On most platforms, ipcclientcerts is in the same directory as + // plugin-container. To obtain the path to that directory, truncate from + // the last directory separator. + // On macOS, plugin-container is in + // Firefox.app/Contents/MacOS/plugin-container.app/Contents/MacOS/, + // whereas ipcclientcerts is in Firefox.app/Contents/MacOS/. Consequently, + // this truncation from the last directory separator has to happen 4 times + // total. Normally this would be done using nsIFile APIs, but due to when + // this is initialized in the socket process, those aren't available. + TruncateFromLastDirectorySeparator(ipcClientCertsDirString); +#ifdef XP_MACOSX + TruncateFromLastDirectorySeparator(ipcClientCertsDirString); + TruncateFromLastDirectorySeparator(ipcClientCertsDirString); + TruncateFromLastDirectorySeparator(ipcClientCertsDirString); +#endif + if (!LoadIPCClientCertsModule(ipcClientCertsDirString)) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("failed to load ipcclientcerts from '%s'", + ipcClientCertsDirString.get())); + return false; + } + return true; +} + +// This function can be called from chrome or content or socket processes +// to ensure that NSS is initialized. +bool EnsureNSSInitializedChromeOrContent() { + static Atomic<bool> initialized(false); + + if (initialized) { + return true; + } + + // If this is not the main thread (i.e. probably a worker) then forward this + // call to the main thread. + if (!NS_IsMainThread()) { + nsCOMPtr<nsIThread> mainThread; + nsresult rv = NS_GetMainThread(getter_AddRefs(mainThread)); + if (NS_FAILED(rv)) { + return false; + } + + // Forward to the main thread synchronously. + mozilla::SyncRunnable::DispatchToThread( + mainThread, + NS_NewRunnableFunction("EnsureNSSInitializedChromeOrContent", []() { + EnsureNSSInitializedChromeOrContent(); + })); + + return initialized; + } + + if (XRE_IsParentProcess()) { + nsCOMPtr<nsISupports> nss = do_GetService(PSM_COMPONENT_CONTRACTID); + if (!nss) { + return false; + } + initialized = true; + return true; + } + + if (NSS_IsInitialized()) { + initialized = true; + return true; + } + + if (NSS_NoDB_Init(nullptr) != SECSuccess) { + return false; + } + + if (XRE_IsSocketProcess()) { + if (NS_FAILED(CommonInit())) { + return false; + } + // If ipcclientcerts fails to load, client certificate authentication won't + // work (if networking is done on the socket process). This is preferable + // to stopping the program entirely, so treat this as best-effort. + Unused << NS_WARN_IF(!LoadIPCClientCerts()); + initialized = true; + return true; + } + + if (NS_FAILED(mozilla::psm::InitializeCipherSuite())) { + return false; + } + + mozilla::psm::DisableMD5(); + mozilla::pkix::RegisterErrorTable(); + initialized = true; + return true; +} + +static const uint32_t OCSP_TIMEOUT_MILLISECONDS_SOFT_MAX = 5000; +static const uint32_t OCSP_TIMEOUT_MILLISECONDS_HARD_MAX = 20000; + +void nsNSSComponent::GetRevocationBehaviorFromPrefs( + /*out*/ CertVerifier::OcspDownloadConfig* odc, + /*out*/ CertVerifier::OcspStrictConfig* osc, + /*out*/ uint32_t* certShortLifetimeInDays, + /*out*/ TimeDuration& softTimeout, + /*out*/ TimeDuration& hardTimeout) { + MOZ_ASSERT(NS_IsMainThread()); + MOZ_ASSERT(odc); + MOZ_ASSERT(osc); + MOZ_ASSERT(certShortLifetimeInDays); + + // 0 = disabled + // 1 = enabled for everything (default) + // 2 = enabled for EV certificates only + uint32_t ocspLevel = StaticPrefs::security_OCSP_enabled(); + switch (ocspLevel) { + case 0: + *odc = CertVerifier::ocspOff; + break; + case 2: + *odc = CertVerifier::ocspEVOnly; + break; + default: + *odc = CertVerifier::ocspOn; + break; + } + + *osc = StaticPrefs::security_OCSP_require() ? CertVerifier::ocspStrict + : CertVerifier::ocspRelaxed; + + *certShortLifetimeInDays = + StaticPrefs::security_pki_cert_short_lifetime_in_days(); + + uint32_t softTimeoutMillis = + StaticPrefs::security_OCSP_timeoutMilliseconds_soft(); + softTimeoutMillis = + std::min(softTimeoutMillis, OCSP_TIMEOUT_MILLISECONDS_SOFT_MAX); + softTimeout = TimeDuration::FromMilliseconds(softTimeoutMillis); + + uint32_t hardTimeoutMillis = + StaticPrefs::security_OCSP_timeoutMilliseconds_hard(); + hardTimeoutMillis = + std::min(hardTimeoutMillis, OCSP_TIMEOUT_MILLISECONDS_HARD_MAX); + hardTimeout = TimeDuration::FromMilliseconds(hardTimeoutMillis); +} + +nsNSSComponent::nsNSSComponent() + : mLoadableCertsLoadedMonitor("nsNSSComponent.mLoadableCertsLoadedMonitor"), + mLoadableCertsLoaded(false), + mLoadableCertsLoadedResult(NS_ERROR_FAILURE), + mMutex("nsNSSComponent.mMutex"), + mMitmDetecionEnabled(false) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("nsNSSComponent::ctor\n")); + MOZ_RELEASE_ASSERT(NS_IsMainThread()); + + MOZ_ASSERT(mInstanceCount == 0, + "nsNSSComponent is a singleton, but instantiated multiple times!"); + ++mInstanceCount; +} + +nsNSSComponent::~nsNSSComponent() { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("nsNSSComponent::dtor\n")); + MOZ_RELEASE_ASSERT(NS_IsMainThread()); + + // All cleanup code requiring services needs to happen in xpcom_shutdown + + PrepareForShutdown(); + SharedSSLState::GlobalCleanup(); + --mInstanceCount; + + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("nsNSSComponent::dtor finished\n")); +} + +void nsNSSComponent::UnloadEnterpriseRoots() { + MOZ_ASSERT(NS_IsMainThread()); + if (!NS_IsMainThread()) { + return; + } + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("UnloadEnterpriseRoots")); + MutexAutoLock lock(mMutex); + mEnterpriseCerts.Clear(); + setValidationOptions(false, lock); + ClearSSLExternalAndInternalSessionCache(); +} + +class BackgroundImportEnterpriseCertsTask final : public CryptoTask { + public: + explicit BackgroundImportEnterpriseCertsTask(nsNSSComponent* nssComponent) + : mNSSComponent(nssComponent) {} + + private: + virtual nsresult CalculateResult() override { + mNSSComponent->ImportEnterpriseRoots(); + mNSSComponent->UpdateCertVerifierWithEnterpriseRoots(); + return NS_OK; + } + + virtual void CallCallback(nsresult rv) override { + nsCOMPtr<nsIObserverService> observerService = + mozilla::services::GetObserverService(); + if (observerService) { + observerService->NotifyObservers(nullptr, "psm:enterprise-certs-imported", + nullptr); + } + } + + RefPtr<nsNSSComponent> mNSSComponent; +}; + +void nsNSSComponent::MaybeImportEnterpriseRoots() { + MOZ_ASSERT(NS_IsMainThread()); + if (!NS_IsMainThread()) { + return; + } + bool importEnterpriseRoots = StaticPrefs::security_enterprise_roots_enabled(); + if (importEnterpriseRoots) { + RefPtr<BackgroundImportEnterpriseCertsTask> task = + new BackgroundImportEnterpriseCertsTask(this); + Unused << task->Dispatch(); + } +} + +void nsNSSComponent::ImportEnterpriseRoots() { + MOZ_ASSERT(!NS_IsMainThread()); + if (NS_IsMainThread()) { + return; + } + + nsTArray<EnterpriseCert> enterpriseCerts; + nsresult rv = GatherEnterpriseCerts(enterpriseCerts); + if (NS_SUCCEEDED(rv)) { + MutexAutoLock lock(mMutex); + mEnterpriseCerts = std::move(enterpriseCerts); + } else { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("failed gathering enterprise roots")); + } +} + +nsresult nsNSSComponent::CommonGetEnterpriseCerts( + nsTArray<nsTArray<uint8_t>>& enterpriseCerts, bool getRoots) { + nsresult rv = BlockUntilLoadableCertsLoaded(); + if (NS_FAILED(rv)) { + return rv; + } + + enterpriseCerts.Clear(); + MutexAutoLock nsNSSComponentLock(mMutex); + for (const auto& cert : mEnterpriseCerts) { + nsTArray<uint8_t> certCopy; + // mEnterpriseCerts includes both roots and intermediates. + if (cert.GetIsRoot() == getRoots) { + cert.CopyBytes(certCopy); + enterpriseCerts.AppendElement(std::move(certCopy)); + } + } + return NS_OK; +} + +NS_IMETHODIMP +nsNSSComponent::GetEnterpriseRoots( + nsTArray<nsTArray<uint8_t>>& enterpriseRoots) { + return CommonGetEnterpriseCerts(enterpriseRoots, true); +} + +nsresult BytesArrayToPEM(const nsTArray<nsTArray<uint8_t>>& bytesArray, + nsACString& pemArray) { + for (const auto& bytes : bytesArray) { + nsAutoCString base64; + nsresult rv = Base64Encode(reinterpret_cast<const char*>(bytes.Elements()), + bytes.Length(), base64); + if (NS_FAILED(rv)) { + return rv; + } + if (!pemArray.IsEmpty()) { + pemArray.AppendLiteral("\n"); + } + pemArray.AppendLiteral("-----BEGIN CERTIFICATE-----\n"); + for (size_t i = 0; i < base64.Length() / 64; i++) { + pemArray.Append(Substring(base64, i * 64, 64)); + pemArray.AppendLiteral("\n"); + } + if (base64.Length() % 64 != 0) { + size_t chunks = base64.Length() / 64; + pemArray.Append(Substring(base64, chunks * 64)); + pemArray.AppendLiteral("\n"); + } + pemArray.AppendLiteral("-----END CERTIFICATE-----"); + } + return NS_OK; +} + +NS_IMETHODIMP +nsNSSComponent::GetEnterpriseRootsPEM(nsACString& enterpriseRootsPEM) { + nsTArray<nsTArray<uint8_t>> enterpriseRoots; + nsresult rv = GetEnterpriseRoots(enterpriseRoots); + if (NS_FAILED(rv)) { + return rv; + } + return BytesArrayToPEM(enterpriseRoots, enterpriseRootsPEM); +} + +NS_IMETHODIMP +nsNSSComponent::GetEnterpriseIntermediates( + nsTArray<nsTArray<uint8_t>>& enterpriseIntermediates) { + return CommonGetEnterpriseCerts(enterpriseIntermediates, false); +} + +NS_IMETHODIMP +nsNSSComponent::GetEnterpriseIntermediatesPEM( + nsACString& enterpriseIntermediatesPEM) { + nsTArray<nsTArray<uint8_t>> enterpriseIntermediates; + nsresult rv = GetEnterpriseIntermediates(enterpriseIntermediates); + if (NS_FAILED(rv)) { + return rv; + } + return BytesArrayToPEM(enterpriseIntermediates, enterpriseIntermediatesPEM); +} + +NS_IMETHODIMP +nsNSSComponent::AddEnterpriseIntermediate( + const nsTArray<uint8_t>& intermediateBytes) { + nsresult rv = BlockUntilLoadableCertsLoaded(); + if (NS_FAILED(rv)) { + return rv; + } + EnterpriseCert intermediate(intermediateBytes.Elements(), + intermediateBytes.Length(), false); + { + MutexAutoLock nsNSSComponentLock(mMutex); + mEnterpriseCerts.AppendElement(std::move(intermediate)); + } + + UpdateCertVerifierWithEnterpriseRoots(); + return NS_OK; +} + +class LoadLoadableCertsTask final : public Runnable { + public: + LoadLoadableCertsTask(nsNSSComponent* nssComponent, + bool importEnterpriseRoots, + Vector<nsCString>&& possibleLoadableRootsLocations, + Maybe<nsCString>&& osClientCertsModuleLocation) + : Runnable("LoadLoadableCertsTask"), + mNSSComponent(nssComponent), + mImportEnterpriseRoots(importEnterpriseRoots), + mPossibleLoadableRootsLocations( + std::move(possibleLoadableRootsLocations)), + mOSClientCertsModuleLocation(std::move(osClientCertsModuleLocation)) { + MOZ_ASSERT(nssComponent); + } + + ~LoadLoadableCertsTask() = default; + + nsresult Dispatch(); + + private: + NS_IMETHOD Run() override; + nsresult LoadLoadableRoots(); + RefPtr<nsNSSComponent> mNSSComponent; + bool mImportEnterpriseRoots; + Vector<nsCString> mPossibleLoadableRootsLocations; // encoded in UTF-8 + Maybe<nsCString> mOSClientCertsModuleLocation; // encoded in UTF-8 +}; + +nsresult LoadLoadableCertsTask::Dispatch() { + // The stream transport service (note: not the socket transport service) can + // be used to perform background tasks or I/O that would otherwise block the + // main thread. + nsCOMPtr<nsIEventTarget> target( + do_GetService(NS_STREAMTRANSPORTSERVICE_CONTRACTID)); + if (!target) { + return NS_ERROR_FAILURE; + } + return target->Dispatch(this, NS_DISPATCH_NORMAL); +} + +NS_IMETHODIMP +LoadLoadableCertsTask::Run() { + Telemetry::AutoScalarTimer<Telemetry::ScalarID::NETWORKING_LOADING_CERTS_TASK> + timer; + + nsresult loadLoadableRootsResult = LoadLoadableRoots(); + if (NS_WARN_IF(NS_FAILED(loadLoadableRootsResult))) { + MOZ_LOG(gPIPNSSLog, LogLevel::Error, ("LoadLoadableRoots failed")); + // We don't return loadLoadableRootsResult here because then + // BlockUntilLoadableCertsLoaded will just wait forever. Instead we'll save + // its value (below) so we can inform code that relies on the roots module + // being present that loading it failed. + } + + // Loading EV information will only succeed if we've successfully loaded the + // loadable roots module. + if (NS_SUCCEEDED(loadLoadableRootsResult)) { + if (NS_FAILED(LoadExtendedValidationInfo())) { + // This isn't a show-stopper in the same way that failing to load the + // roots module is. + MOZ_LOG(gPIPNSSLog, LogLevel::Error, ("failed to load EV info")); + } + } + + if (mImportEnterpriseRoots) { + mNSSComponent->ImportEnterpriseRoots(); + mNSSComponent->UpdateCertVerifierWithEnterpriseRoots(); + } + if (mOSClientCertsModuleLocation.isSome()) { + bool success = LoadOSClientCertsModule(*mOSClientCertsModuleLocation); + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("loading OS client certs module %s", + success ? "succeeded" : "failed")); + } + { + MonitorAutoLock rootsLoadedLock(mNSSComponent->mLoadableCertsLoadedMonitor); + mNSSComponent->mLoadableCertsLoaded = true; + // Cache the result of LoadLoadableRoots so BlockUntilLoadableCertsLoaded + // can return it to all callers later (we use that particular result because + // if that operation fails, it's unlikely that any TLS connection will + // succeed whereas the browser may still be able to operate if the other + // tasks fail). + mNSSComponent->mLoadableCertsLoadedResult = loadLoadableRootsResult; + mNSSComponent->mLoadableCertsLoadedMonitor.NotifyAll(); + } + return NS_OK; +} + +// Returns by reference the path to the desired directory, based on the current +// settings in the directory service. +// |result| is encoded in UTF-8. +static nsresult GetDirectoryPath(const char* directoryKey, nsCString& result) { + MOZ_ASSERT(NS_IsMainThread()); + + nsCOMPtr<nsIProperties> directoryService( + do_GetService(NS_DIRECTORY_SERVICE_CONTRACTID)); + if (!directoryService) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("could not get directory service")); + return NS_ERROR_FAILURE; + } + nsCOMPtr<nsIFile> directory; + nsresult rv = directoryService->Get(directoryKey, NS_GET_IID(nsIFile), + getter_AddRefs(directory)); + if (NS_FAILED(rv)) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("could not get '%s' from directory service", directoryKey)); + return rv; + } + return FileToCString(directory, result); +} + +class BackgroundLoadOSClientCertsModuleTask final : public CryptoTask { + public: + explicit BackgroundLoadOSClientCertsModuleTask(const nsCString&& libraryDir) + : mLibraryDir(std::move(libraryDir)) {} + + private: + virtual nsresult CalculateResult() override { + bool success = LoadOSClientCertsModule(mLibraryDir); + return success ? NS_OK : NS_ERROR_FAILURE; + } + + virtual void CallCallback(nsresult rv) override { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("loading OS client certs module %s", + NS_SUCCEEDED(rv) ? "succeeded" : "failed")); + nsCOMPtr<nsIObserverService> observerService = + mozilla::services::GetObserverService(); + if (observerService) { + observerService->NotifyObservers( + nullptr, "psm:load-os-client-certs-module-task-ran", nullptr); + } + } + + nsCString mLibraryDir; +}; + +void AsyncLoadOrUnloadOSClientCertsModule(bool load) { + if (load) { + nsCString libraryDir; + nsresult rv = GetDirectoryPath(NS_GRE_BIN_DIR, libraryDir); + if (NS_FAILED(rv)) { + return; + } + RefPtr<BackgroundLoadOSClientCertsModuleTask> task = + new BackgroundLoadOSClientCertsModuleTask(std::move(libraryDir)); + Unused << task->Dispatch(); + } else { + UniqueSECMODModule osClientCertsModule( + SECMOD_FindModule(kOSClientCertsModuleName)); + if (osClientCertsModule) { + SECMOD_UnloadUserModule(osClientCertsModule.get()); + } + } +} + +nsresult nsNSSComponent::BlockUntilLoadableCertsLoaded() { + MonitorAutoLock rootsLoadedLock(mLoadableCertsLoadedMonitor); + while (!mLoadableCertsLoaded) { + rootsLoadedLock.Wait(); + } + MOZ_ASSERT(mLoadableCertsLoaded); + + return mLoadableCertsLoadedResult; +} + +#ifndef MOZ_NO_SMART_CARDS +static StaticMutex sCheckForSmartCardChangesMutex MOZ_UNANNOTATED; +static TimeStamp sLastCheckedForSmartCardChanges = TimeStamp::Now(); +#endif + +nsresult nsNSSComponent::CheckForSmartCardChanges() { +#ifndef MOZ_NO_SMART_CARDS + { + StaticMutexAutoLock lock(sCheckForSmartCardChangesMutex); + // Do this at most once every 3 seconds. + TimeStamp now = TimeStamp::Now(); + if (now - sLastCheckedForSmartCardChanges < + TimeDuration::FromSeconds(3.0)) { + return NS_OK; + } + sLastCheckedForSmartCardChanges = now; + } + + // SECMOD_UpdateSlotList attempts to acquire the list lock as well, so we + // have to do this in three steps. + Vector<UniqueSECMODModule> modulesWithRemovableSlots; + { + AutoSECMODListReadLock secmodLock; + SECMODModuleList* list = SECMOD_GetDefaultModuleList(); + while (list) { + if (SECMOD_LockedModuleHasRemovableSlots(list->module)) { + UniqueSECMODModule module(SECMOD_ReferenceModule(list->module)); + if (!modulesWithRemovableSlots.append(std::move(module))) { + return NS_ERROR_OUT_OF_MEMORY; + } + } + list = list->next; + } + } + for (auto& module : modulesWithRemovableSlots) { + // Best-effort. + Unused << SECMOD_UpdateSlotList(module.get()); + } + AutoSECMODListReadLock secmodLock; + for (auto& module : modulesWithRemovableSlots) { + for (int i = 0; i < module->slotCount; i++) { + // We actually don't care about the return value here - we just need to + // call this to get NSS to update its view of this slot. + Unused << PK11_IsPresent(module->slots[i]); + } + } +#endif + + return NS_OK; +} + +// Returns by reference the path to the directory containing the file that has +// been loaded as MOZ_DLL_PREFIX nss3 MOZ_DLL_SUFFIX. +// |result| is encoded in UTF-8. +static nsresult GetNSS3Directory(nsCString& result) { + MOZ_ASSERT(NS_IsMainThread()); + + UniquePRString nss3Path( + PR_GetLibraryFilePathname(MOZ_DLL_PREFIX "nss3" MOZ_DLL_SUFFIX, + reinterpret_cast<PRFuncPtr>(NSS_Initialize))); + if (!nss3Path) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("nss not loaded?")); + return NS_ERROR_FAILURE; + } + nsCOMPtr<nsIFile> nss3File(do_CreateInstance(NS_LOCAL_FILE_CONTRACTID)); + if (!nss3File) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("couldn't create a file?")); + return NS_ERROR_FAILURE; + } + nsAutoCString nss3PathAsString(nss3Path.get()); + nsresult rv = nss3File->InitWithNativePath(nss3PathAsString); + if (NS_FAILED(rv)) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("couldn't initialize file with path '%s'", nss3Path.get())); + return rv; + } + nsCOMPtr<nsIFile> nss3Directory; + rv = nss3File->GetParent(getter_AddRefs(nss3Directory)); + if (NS_FAILED(rv)) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("couldn't get parent directory?")); + return rv; + } + return FileToCString(nss3Directory, result); +} + +// The loadable roots library is probably in the same directory we loaded the +// NSS shared library from, but in some cases it may be elsewhere. This function +// enumerates and returns the possible locations as nsCStrings. +// |possibleLoadableRootsLocations| is encoded in UTF-8. +static nsresult ListPossibleLoadableRootsLocations( + Vector<nsCString>& possibleLoadableRootsLocations) { + MOZ_ASSERT(NS_IsMainThread()); + if (!NS_IsMainThread()) { + return NS_ERROR_NOT_SAME_THREAD; + } + + // First try in the directory where we've already loaded + // MOZ_DLL_PREFIX nss3 MOZ_DLL_SUFFIX, since that's likely to be correct. + nsAutoCString nss3Dir; + nsresult rv = GetNSS3Directory(nss3Dir); + if (NS_SUCCEEDED(rv)) { + if (!possibleLoadableRootsLocations.append(std::move(nss3Dir))) { + return NS_ERROR_OUT_OF_MEMORY; + } + } else { + // For some reason this fails on android. In any case, we should try with + // the other potential locations we have. + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("could not determine where nss was loaded from")); + } + nsAutoCString currentProcessDir; + rv = GetDirectoryPath(NS_XPCOM_CURRENT_PROCESS_DIR, currentProcessDir); + if (NS_SUCCEEDED(rv)) { + if (!possibleLoadableRootsLocations.append(std::move(currentProcessDir))) { + return NS_ERROR_OUT_OF_MEMORY; + } + } else { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("could not get current process directory")); + } + nsAutoCString greDir; + rv = GetDirectoryPath(NS_GRE_DIR, greDir); + if (NS_SUCCEEDED(rv)) { + if (!possibleLoadableRootsLocations.append(std::move(greDir))) { + return NS_ERROR_OUT_OF_MEMORY; + } + } else { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("could not get gre directory")); + } + // As a last resort, this will cause the library loading code to use the OS' + // default library search path. + nsAutoCString emptyString; + if (!possibleLoadableRootsLocations.append(std::move(emptyString))) { + return NS_ERROR_OUT_OF_MEMORY; + } + + return NS_OK; +} + +nsresult LoadLoadableCertsTask::LoadLoadableRoots() { + for (const auto& possibleLocation : mPossibleLoadableRootsLocations) { + if (mozilla::psm::LoadLoadableRoots(possibleLocation)) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("loaded CKBI from %s", possibleLocation.get())); + return NS_OK; + } + } + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("could not load loadable roots")); + return NS_ERROR_FAILURE; +} + +// Table of pref names and SSL cipher ID +typedef struct { + const char* pref; + int32_t id; + bool (*prefGetter)(); +} CipherPref; + +// Update the switch statement in AccumulateCipherSuite in nsNSSCallbacks.cpp +// when you add/remove cipher suites here. +static const CipherPref sCipherPrefs[] = { + {"security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + StaticPrefs::security_ssl3_ecdhe_rsa_aes_128_gcm_sha256}, + {"security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + StaticPrefs::security_ssl3_ecdhe_ecdsa_aes_128_gcm_sha256}, + {"security.ssl3.ecdhe_ecdsa_chacha20_poly1305_sha256", + TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, + StaticPrefs::security_ssl3_ecdhe_ecdsa_chacha20_poly1305_sha256}, + {"security.ssl3.ecdhe_rsa_chacha20_poly1305_sha256", + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, + StaticPrefs::security_ssl3_ecdhe_rsa_chacha20_poly1305_sha256}, + {"security.ssl3.ecdhe_ecdsa_aes_256_gcm_sha384", + TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + StaticPrefs::security_ssl3_ecdhe_ecdsa_aes_256_gcm_sha384}, + {"security.ssl3.ecdhe_rsa_aes_256_gcm_sha384", + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + StaticPrefs::security_ssl3_ecdhe_rsa_aes_256_gcm_sha384}, + {"security.ssl3.ecdhe_rsa_aes_128_sha", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + StaticPrefs::security_ssl3_ecdhe_rsa_aes_128_sha}, + {"security.ssl3.ecdhe_ecdsa_aes_128_sha", + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + StaticPrefs::security_ssl3_ecdhe_ecdsa_aes_128_sha}, + {"security.ssl3.ecdhe_rsa_aes_256_sha", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + StaticPrefs::security_ssl3_ecdhe_rsa_aes_256_sha}, + {"security.ssl3.ecdhe_ecdsa_aes_256_sha", + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + StaticPrefs::security_ssl3_ecdhe_ecdsa_aes_256_sha}, + {"security.ssl3.dhe_rsa_aes_128_sha", TLS_DHE_RSA_WITH_AES_128_CBC_SHA, + StaticPrefs::security_ssl3_dhe_rsa_aes_128_sha}, + {"security.ssl3.dhe_rsa_aes_256_sha", TLS_DHE_RSA_WITH_AES_256_CBC_SHA, + StaticPrefs::security_ssl3_dhe_rsa_aes_256_sha}, + {"security.tls13.aes_128_gcm_sha256", TLS_AES_128_GCM_SHA256, + StaticPrefs::security_tls13_aes_128_gcm_sha256}, + {"security.tls13.chacha20_poly1305_sha256", TLS_CHACHA20_POLY1305_SHA256, + StaticPrefs::security_tls13_chacha20_poly1305_sha256}, + {"security.tls13.aes_256_gcm_sha384", TLS_AES_256_GCM_SHA384, + StaticPrefs::security_tls13_aes_256_gcm_sha384}, + {"security.ssl3.rsa_aes_128_gcm_sha256", TLS_RSA_WITH_AES_128_GCM_SHA256, + StaticPrefs::security_ssl3_rsa_aes_128_gcm_sha256}, + {"security.ssl3.rsa_aes_256_gcm_sha384", TLS_RSA_WITH_AES_256_GCM_SHA384, + StaticPrefs::security_ssl3_rsa_aes_256_gcm_sha384}, + {"security.ssl3.rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA, + StaticPrefs::security_ssl3_rsa_aes_128_sha}, + {"security.ssl3.rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA, + StaticPrefs::security_ssl3_rsa_aes_256_sha}, +}; + +// These ciphersuites can only be enabled if deprecated versions of TLS are +// also enabled (via the preference "security.tls.version.enable-deprecated"). +static const CipherPref sDeprecatedTLS1CipherPrefs[] = { + {"security.ssl3.deprecated.rsa_des_ede3_sha", TLS_RSA_WITH_3DES_EDE_CBC_SHA, + StaticPrefs::security_ssl3_deprecated_rsa_des_ede3_sha}, +}; + +// This function will convert from pref values like 1, 2, ... +// to the internal values of SSL_LIBRARY_VERSION_TLS_1_0, +// SSL_LIBRARY_VERSION_TLS_1_1, ... +/*static*/ +void nsNSSComponent::FillTLSVersionRange(SSLVersionRange& rangeOut, + uint32_t minFromPrefs, + uint32_t maxFromPrefs, + SSLVersionRange defaults) { + rangeOut = defaults; + // determine what versions are supported + SSLVersionRange supported; + if (SSL_VersionRangeGetSupported(ssl_variant_stream, &supported) != + SECSuccess) { + return; + } + + // Clip the defaults by what NSS actually supports to enable + // working with a system NSS with different ranges. + rangeOut.min = std::max(rangeOut.min, supported.min); + rangeOut.max = std::min(rangeOut.max, supported.max); + + // convert min/maxFromPrefs to the internal representation + minFromPrefs += SSL_LIBRARY_VERSION_3_0; + maxFromPrefs += SSL_LIBRARY_VERSION_3_0; + // if min/maxFromPrefs are invalid, use defaults + if (minFromPrefs > maxFromPrefs || minFromPrefs < supported.min || + maxFromPrefs > supported.max || + minFromPrefs < SSL_LIBRARY_VERSION_TLS_1_0) { + return; + } + + // fill out rangeOut + rangeOut.min = (uint16_t)minFromPrefs; + rangeOut.max = (uint16_t)maxFromPrefs; +} + +static void ConfigureTLSSessionIdentifiers() { + bool disableSessionIdentifiers = + StaticPrefs::security_ssl_disable_session_identifiers(); + SSL_OptionSetDefault(SSL_ENABLE_SESSION_TICKETS, !disableSessionIdentifiers); + SSL_OptionSetDefault(SSL_NO_CACHE, disableSessionIdentifiers); +} + +nsresult CommonInit() { + SSL_OptionSetDefault(SSL_ENABLE_SSL2, false); + SSL_OptionSetDefault(SSL_V2_COMPATIBLE_HELLO, false); + + nsresult rv = nsNSSComponent::SetEnabledTLSVersions(); + if (NS_FAILED(rv)) { + return rv; + } + + ConfigureTLSSessionIdentifiers(); + + SSL_OptionSetDefault(SSL_REQUIRE_SAFE_NEGOTIATION, + StaticPrefs::security_ssl_require_safe_negotiation()); + SSL_OptionSetDefault(SSL_ENABLE_RENEGOTIATION, SSL_RENEGOTIATE_REQUIRES_XTN); + SSL_OptionSetDefault(SSL_ENABLE_EXTENDED_MASTER_SECRET, true); + SSL_OptionSetDefault(SSL_ENABLE_HELLO_DOWNGRADE_CHECK, + StaticPrefs::security_tls_hello_downgrade_check()); + SSL_OptionSetDefault(SSL_ENABLE_FALSE_START, + StaticPrefs::security_ssl_enable_false_start()); + // SSL_ENABLE_ALPN also requires calling SSL_SetNextProtoNego in order for + // the extensions to be negotiated. + // WebRTC does not do that so it will not use ALPN even when this preference + // is true. + SSL_OptionSetDefault(SSL_ENABLE_ALPN, + StaticPrefs::security_ssl_enable_alpn()); + SSL_OptionSetDefault(SSL_ENABLE_0RTT_DATA, + StaticPrefs::security_tls_enable_0rtt_data()); + SSL_OptionSetDefault(SSL_ENABLE_POST_HANDSHAKE_AUTH, + StaticPrefs::security_tls_enable_post_handshake_auth()); + SSL_OptionSetDefault( + SSL_ENABLE_DELEGATED_CREDENTIALS, + StaticPrefs::security_tls_enable_delegated_credentials()); + + rv = InitializeCipherSuite(); + if (NS_FAILED(rv)) { + MOZ_LOG(gPIPNSSLog, LogLevel::Error, + ("Unable to initialize cipher suite settings\n")); + return rv; + } + + DisableMD5(); + + mozilla::pkix::RegisterErrorTable(); + SharedSSLState::GlobalInit(); + SetValidationOptionsCommon(); + + return NS_OK; +} + +void PrepareForShutdownInSocketProcess() { + MOZ_ASSERT(XRE_IsSocketProcess()); + SharedSSLState::GlobalCleanup(); +} + +bool HandleTLSPrefChange(const nsCString& prefName) { + // Note that the code in this function should be kept in sync with + // gCallbackSecurityPrefs in nsIOService.cpp. + bool prefFound = true; + if (prefName.EqualsLiteral("security.tls.version.min") || + prefName.EqualsLiteral("security.tls.version.max") || + prefName.EqualsLiteral("security.tls.version.enable-deprecated")) { + Unused << nsNSSComponent::SetEnabledTLSVersions(); + } else if (prefName.EqualsLiteral("security.tls.hello_downgrade_check")) { + SSL_OptionSetDefault(SSL_ENABLE_HELLO_DOWNGRADE_CHECK, + StaticPrefs::security_tls_hello_downgrade_check()); + } else if (prefName.EqualsLiteral("security.ssl.require_safe_negotiation")) { + SSL_OptionSetDefault(SSL_REQUIRE_SAFE_NEGOTIATION, + StaticPrefs::security_ssl_require_safe_negotiation()); + } else if (prefName.EqualsLiteral("security.ssl.enable_false_start")) { + SSL_OptionSetDefault(SSL_ENABLE_FALSE_START, + StaticPrefs::security_ssl_enable_false_start()); + } else if (prefName.EqualsLiteral("security.ssl.enable_alpn")) { + SSL_OptionSetDefault(SSL_ENABLE_ALPN, + StaticPrefs::security_ssl_enable_alpn()); + } else if (prefName.EqualsLiteral("security.tls.enable_0rtt_data")) { + SSL_OptionSetDefault(SSL_ENABLE_0RTT_DATA, + StaticPrefs::security_tls_enable_0rtt_data()); + } else if (prefName.EqualsLiteral( + "security.tls.enable_post_handshake_auth")) { + SSL_OptionSetDefault( + SSL_ENABLE_POST_HANDSHAKE_AUTH, + StaticPrefs::security_tls_enable_post_handshake_auth()); + } else if (prefName.EqualsLiteral( + "security.tls.enable_delegated_credentials")) { + SSL_OptionSetDefault( + SSL_ENABLE_DELEGATED_CREDENTIALS, + StaticPrefs::security_tls_enable_delegated_credentials()); + } else if (prefName.EqualsLiteral( + "security.ssl.disable_session_identifiers")) { + ConfigureTLSSessionIdentifiers(); + } else { + prefFound = false; + } + return prefFound; +} + +void SetValidationOptionsCommon() { + // Note that the code in this function should be kept in sync with + // gCallbackSecurityPrefs in nsIOService.cpp. + bool ocspStaplingEnabled = StaticPrefs::security_ssl_enable_ocsp_stapling(); + PublicSSLState()->SetOCSPStaplingEnabled(ocspStaplingEnabled); + PrivateSSLState()->SetOCSPStaplingEnabled(ocspStaplingEnabled); + + bool ocspMustStapleEnabled = + StaticPrefs::security_ssl_enable_ocsp_must_staple(); + PublicSSLState()->SetOCSPMustStapleEnabled(ocspMustStapleEnabled); + PrivateSSLState()->SetOCSPMustStapleEnabled(ocspMustStapleEnabled); + + const CertVerifier::CertificateTransparencyMode defaultCTMode = + CertVerifier::CertificateTransparencyMode::TelemetryOnly; + CertVerifier::CertificateTransparencyMode ctMode = + static_cast<CertVerifier::CertificateTransparencyMode>( + StaticPrefs::security_pki_certificate_transparency_mode()); + switch (ctMode) { + case CertVerifier::CertificateTransparencyMode::Disabled: + case CertVerifier::CertificateTransparencyMode::TelemetryOnly: + break; + default: + ctMode = defaultCTMode; + break; + } + bool sctsEnabled = + ctMode != CertVerifier::CertificateTransparencyMode::Disabled; + PublicSSLState()->SetSignedCertTimestampsEnabled(sctsEnabled); + PrivateSSLState()->SetSignedCertTimestampsEnabled(sctsEnabled); +} + +namespace { + +class CipherSuiteChangeObserver : public nsIObserver { + public: + NS_DECL_ISUPPORTS + NS_DECL_NSIOBSERVER + + static nsresult StartObserve(); + + protected: + virtual ~CipherSuiteChangeObserver() = default; + + private: + static StaticRefPtr<CipherSuiteChangeObserver> sObserver; + CipherSuiteChangeObserver() = default; +}; + +NS_IMPL_ISUPPORTS(CipherSuiteChangeObserver, nsIObserver) + +// static +StaticRefPtr<CipherSuiteChangeObserver> CipherSuiteChangeObserver::sObserver; + +// static +nsresult CipherSuiteChangeObserver::StartObserve() { + MOZ_ASSERT(NS_IsMainThread(), + "CipherSuiteChangeObserver::StartObserve() can only be accessed " + "on the main thread"); + if (!sObserver) { + RefPtr<CipherSuiteChangeObserver> observer = + new CipherSuiteChangeObserver(); + nsresult rv = Preferences::AddStrongObserver(observer.get(), "security."); + if (NS_FAILED(rv)) { + sObserver = nullptr; + return rv; + } + + nsCOMPtr<nsIObserverService> observerService = + mozilla::services::GetObserverService(); + observerService->AddObserver(observer, NS_XPCOM_SHUTDOWN_OBSERVER_ID, + false); + + sObserver = observer; + } + return NS_OK; +} + +// Enables or disabled ciphersuites from deprecated versions of TLS as +// appropriate. If security.tls.version.enable-deprecated is true, these +// ciphersuites may be enabled, if the corresponding preference is true. +// Otherwise, these ciphersuites will be disabled. +void SetDeprecatedTLS1CipherPrefs() { + if (StaticPrefs::security_tls_version_enable_deprecated()) { + for (const auto& deprecatedTLS1CipherPref : sDeprecatedTLS1CipherPrefs) { + SSL_CipherPrefSetDefault(deprecatedTLS1CipherPref.id, + deprecatedTLS1CipherPref.prefGetter()); + } + } else { + for (const auto& deprecatedTLS1CipherPref : sDeprecatedTLS1CipherPrefs) { + SSL_CipherPrefSetDefault(deprecatedTLS1CipherPref.id, false); + } + } +} + +// static +void SetKyberPolicy() { + if (StaticPrefs::security_tls_enable_kyber()) { + NSS_SetAlgorithmPolicy(SEC_OID_XYBER768D00, NSS_USE_ALG_IN_SSL_KX, 0); + } else { + NSS_SetAlgorithmPolicy(SEC_OID_XYBER768D00, 0, NSS_USE_ALG_IN_SSL_KX); + } +} + +nsresult CipherSuiteChangeObserver::Observe(nsISupports* /*aSubject*/, + const char* aTopic, + const char16_t* someData) { + MOZ_ASSERT(NS_IsMainThread(), + "CipherSuiteChangeObserver::Observe can only be accessed on main " + "thread"); + if (nsCRT::strcmp(aTopic, NS_PREFBRANCH_PREFCHANGE_TOPIC_ID) == 0) { + NS_ConvertUTF16toUTF8 prefName(someData); + // Look through the cipher table and set according to pref setting + for (const auto& cipherPref : sCipherPrefs) { + if (prefName.Equals(cipherPref.pref)) { + SSL_CipherPrefSetDefault(cipherPref.id, cipherPref.prefGetter()); + break; + } + } + SetDeprecatedTLS1CipherPrefs(); + SetKyberPolicy(); + nsNSSComponent::DoClearSSLExternalAndInternalSessionCache(); + } else if (nsCRT::strcmp(aTopic, NS_XPCOM_SHUTDOWN_OBSERVER_ID) == 0) { + Preferences::RemoveObserver(this, "security."); + MOZ_ASSERT(sObserver.get() == this); + sObserver = nullptr; + nsCOMPtr<nsIObserverService> observerService = + mozilla::services::GetObserverService(); + observerService->RemoveObserver(this, NS_XPCOM_SHUTDOWN_OBSERVER_ID); + } + return NS_OK; +} + +} // namespace + +void nsNSSComponent::setValidationOptions( + bool isInitialSetting, const mozilla::MutexAutoLock& proofOfLock) { + // We access prefs so this must be done on the main thread. + mMutex.AssertCurrentThreadOwns(); + MOZ_ASSERT(NS_IsMainThread()); + if (NS_WARN_IF(!NS_IsMainThread())) { + return; + } + + SetValidationOptionsCommon(); + + const CertVerifier::CertificateTransparencyMode defaultCTMode = + CertVerifier::CertificateTransparencyMode::TelemetryOnly; + CertVerifier::CertificateTransparencyMode ctMode = + static_cast<CertVerifier::CertificateTransparencyMode>( + StaticPrefs::security_pki_certificate_transparency_mode()); + switch (ctMode) { + case CertVerifier::CertificateTransparencyMode::Disabled: + case CertVerifier::CertificateTransparencyMode::TelemetryOnly: + break; + default: + ctMode = defaultCTMode; + break; + } + + // This preference controls whether we do OCSP fetching and does not affect + // OCSP stapling. + // 0 = disabled, 1 = enabled, 2 = only enabled for EV + uint32_t ocspEnabled = StaticPrefs::security_OCSP_enabled(); + + bool ocspRequired = ocspEnabled > 0 && StaticPrefs::security_OCSP_require(); + + // We measure the setting of the pref at startup only to minimize noise by + // addons that may muck with the settings, though it probably doesn't matter. + if (isInitialSetting) { + Telemetry::Accumulate(Telemetry::CERT_OCSP_ENABLED, ocspEnabled); + Telemetry::Accumulate(Telemetry::CERT_OCSP_REQUIRED, ocspRequired); + } + + NetscapeStepUpPolicy netscapeStepUpPolicy = static_cast<NetscapeStepUpPolicy>( + StaticPrefs::security_pki_netscape_step_up_policy()); + switch (netscapeStepUpPolicy) { + case NetscapeStepUpPolicy::AlwaysMatch: + case NetscapeStepUpPolicy::MatchBefore23August2016: + case NetscapeStepUpPolicy::MatchBefore23August2015: + case NetscapeStepUpPolicy::NeverMatch: + break; + default: + netscapeStepUpPolicy = NetscapeStepUpPolicy::AlwaysMatch; + break; + } + + CRLiteMode defaultCRLiteMode = CRLiteMode::Disabled; + CRLiteMode crliteMode = + static_cast<CRLiteMode>(StaticPrefs::security_pki_crlite_mode()); + switch (crliteMode) { + case CRLiteMode::Disabled: + case CRLiteMode::TelemetryOnly: + case CRLiteMode::Enforce: + case CRLiteMode::ConfirmRevocations: + break; + default: + crliteMode = defaultCRLiteMode; + break; + } + + CertVerifier::OcspDownloadConfig odc; + CertVerifier::OcspStrictConfig osc; + uint32_t certShortLifetimeInDays; + TimeDuration softTimeout; + TimeDuration hardTimeout; + + GetRevocationBehaviorFromPrefs(&odc, &osc, &certShortLifetimeInDays, + softTimeout, hardTimeout); + + mDefaultCertVerifier = new SharedCertVerifier( + odc, osc, softTimeout, hardTimeout, certShortLifetimeInDays, + netscapeStepUpPolicy, ctMode, crliteMode, mEnterpriseCerts); +} + +void nsNSSComponent::UpdateCertVerifierWithEnterpriseRoots() { + MutexAutoLock lock(mMutex); + if (!mDefaultCertVerifier) { + return; + } + + RefPtr<SharedCertVerifier> oldCertVerifier = mDefaultCertVerifier; + mDefaultCertVerifier = new SharedCertVerifier( + oldCertVerifier->mOCSPDownloadConfig, + oldCertVerifier->mOCSPStrict ? CertVerifier::ocspStrict + : CertVerifier::ocspRelaxed, + oldCertVerifier->mOCSPTimeoutSoft, oldCertVerifier->mOCSPTimeoutHard, + oldCertVerifier->mCertShortLifetimeInDays, + oldCertVerifier->mNetscapeStepUpPolicy, oldCertVerifier->mCTMode, + oldCertVerifier->mCRLiteMode, mEnterpriseCerts); +} + +// Enable the TLS versions given in the prefs, defaulting to TLS 1.0 (min) and +// TLS 1.2 (max) when the prefs aren't set or set to invalid values. +nsresult nsNSSComponent::SetEnabledTLSVersions() { + // Keep these values in sync with all.js. + // 1 means TLS 1.0, 2 means TLS 1.1, etc. + static const uint32_t PSM_DEFAULT_MIN_TLS_VERSION = 3; + static const uint32_t PSM_DEFAULT_MAX_TLS_VERSION = 4; + static const uint32_t PSM_DEPRECATED_TLS_VERSION = 1; + + uint32_t minFromPrefs = StaticPrefs::security_tls_version_min(); + uint32_t maxFromPrefs = StaticPrefs::security_tls_version_max(); + + // This override should be removed some time after + // PSM_DEFAULT_MIN_TLS_VERSION is increased to 3. + bool enableDeprecated = StaticPrefs::security_tls_version_enable_deprecated(); + if (enableDeprecated) { + minFromPrefs = std::min(minFromPrefs, PSM_DEPRECATED_TLS_VERSION); + } + + SSLVersionRange defaults = { + SSL_LIBRARY_VERSION_3_0 + PSM_DEFAULT_MIN_TLS_VERSION, + SSL_LIBRARY_VERSION_3_0 + PSM_DEFAULT_MAX_TLS_VERSION}; + SSLVersionRange filledInRange; + FillTLSVersionRange(filledInRange, minFromPrefs, maxFromPrefs, defaults); + + SECStatus srv = + SSL_VersionRangeSetDefault(ssl_variant_stream, &filledInRange); + if (srv != SECSuccess) { + return NS_ERROR_FAILURE; + } + + return NS_OK; +} + +#if defined(XP_WIN) || (defined(XP_LINUX) && !defined(ANDROID)) +// If the profile directory is on a networked drive, we want to set the +// environment variable NSS_SDB_USE_CACHE to yes (as long as it hasn't been set +// before). +static void SetNSSDatabaseCacheModeAsAppropriate() { + MOZ_ASSERT(NS_IsMainThread()); + + nsCOMPtr<nsIFile> profileFile; + nsresult rv = NS_GetSpecialDirectory(NS_APP_USER_PROFILE_50_DIR, + getter_AddRefs(profileFile)); + if (NS_FAILED(rv)) { + // We're probably running without a profile directory, so this is + // irrelevant. + return; + } + + static const char sNSS_SDB_USE_CACHE[] = "NSS_SDB_USE_CACHE"; + static const char sNSS_SDB_USE_CACHE_WITH_VALUE[] = "NSS_SDB_USE_CACHE=yes"; + auto profilePath = profileFile->NativePath(); + +# if defined(XP_LINUX) && !defined(ANDROID) + struct statfs statfs_s; + if (statfs(profilePath.get(), &statfs_s) == 0 && + statfs_s.f_type == NFS_SUPER_MAGIC && !PR_GetEnv(sNSS_SDB_USE_CACHE)) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("profile is remote (and NSS_SDB_USE_CACHE wasn't set): " + "setting NSS_SDB_USE_CACHE")); + PR_SetEnv(sNSS_SDB_USE_CACHE_WITH_VALUE); + } else { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("not setting NSS_SDB_USE_CACHE")); + } +# endif // defined(XP_LINUX) && !defined(ANDROID) + +# ifdef XP_WIN + wchar_t volPath[MAX_PATH]; + if (::GetVolumePathNameW(profilePath.get(), volPath, MAX_PATH) && + ::GetDriveTypeW(volPath) == DRIVE_REMOTE && + !PR_GetEnv(sNSS_SDB_USE_CACHE)) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("profile is remote (and NSS_SDB_USE_CACHE wasn't set): " + "setting NSS_SDB_USE_CACHE")); + PR_SetEnv(sNSS_SDB_USE_CACHE_WITH_VALUE); + } else { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("not setting NSS_SDB_USE_CACHE")); + } +# endif // XP_WIN +} +#endif // defined(XP_WIN) || (defined(XP_LINUX) && !defined(ANDROID)) + +static nsresult GetNSSProfilePath(nsAutoCString& aProfilePath) { + aProfilePath.Truncate(); + nsCOMPtr<nsIFile> profileFile; + nsresult rv = NS_GetSpecialDirectory(NS_APP_USER_PROFILE_50_DIR, + getter_AddRefs(profileFile)); + if (NS_FAILED(rv)) { + NS_WARNING( + "NSS will be initialized without a profile directory. " + "Some things may not work as expected."); + return NS_OK; + } + +#if defined(XP_WIN) + // SQLite always takes UTF-8 file paths regardless of the current system + // code page. + nsCOMPtr<nsILocalFileWin> profileFileWin(do_QueryInterface(profileFile)); + if (!profileFileWin) { + MOZ_LOG(gPIPNSSLog, LogLevel::Error, + ("Could not get nsILocalFileWin for profile directory.\n")); + return NS_ERROR_FAILURE; + } + nsAutoString u16ProfilePath; + rv = profileFileWin->GetPath(u16ProfilePath); + CopyUTF16toUTF8(u16ProfilePath, aProfilePath); +#else + rv = profileFile->GetNativePath(aProfilePath); +#endif + if (NS_FAILED(rv)) { + MOZ_LOG(gPIPNSSLog, LogLevel::Error, + ("Could not get native path for profile directory.\n")); + return rv; + } + + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("NSS profile at '%s'\n", aProfilePath.get())); + return NS_OK; +} + +#ifndef ANDROID +// Given a profile path, attempt to rename the PKCS#11 module DB to +// "pkcs11.txt.fips". In the case of a catastrophic failure (e.g. out of +// memory), returns a failing nsresult. If execution could conceivably proceed, +// returns NS_OK even if renaming the file didn't work. This simplifies the +// logic of the calling code. +// |profilePath| is encoded in UTF-8. +static nsresult AttemptToRenamePKCS11ModuleDB(const nsACString& profilePath) { + nsCOMPtr<nsIFile> profileDir = do_CreateInstance("@mozilla.org/file/local;1"); + if (!profileDir) { + return NS_ERROR_FAILURE; + } +# ifdef XP_WIN + // |profilePath| is encoded in UTF-8 because SQLite always takes UTF-8 file + // paths regardless of the current system code page. + nsresult rv = profileDir->InitWithPath(NS_ConvertUTF8toUTF16(profilePath)); +# else + nsresult rv = profileDir->InitWithNativePath(profilePath); +# endif + if (NS_FAILED(rv)) { + return rv; + } + const char* moduleDBFilename = "pkcs11.txt"; + nsAutoCString destModuleDBFilename(moduleDBFilename); + destModuleDBFilename.Append(".fips"); + nsCOMPtr<nsIFile> dbFile; + rv = profileDir->Clone(getter_AddRefs(dbFile)); + if (NS_FAILED(rv) || !dbFile) { + return NS_ERROR_FAILURE; + } + rv = dbFile->AppendNative(nsAutoCString(moduleDBFilename)); + if (NS_FAILED(rv)) { + return rv; + } + // If the PKCS#11 module DB doesn't exist, renaming it won't help. + bool exists; + rv = dbFile->Exists(&exists); + if (NS_FAILED(rv)) { + return rv; + } + // This is strange, but not a catastrophic failure. + if (!exists) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("%s doesn't exist?", moduleDBFilename)); + return NS_OK; + } + nsCOMPtr<nsIFile> destDBFile; + rv = profileDir->Clone(getter_AddRefs(destDBFile)); + if (NS_FAILED(rv) || !destDBFile) { + return NS_ERROR_FAILURE; + } + rv = destDBFile->AppendNative(destModuleDBFilename); + if (NS_FAILED(rv)) { + return rv; + } + // If the destination exists, presumably we've already tried this. Doing it + // again won't help. + rv = destDBFile->Exists(&exists); + if (NS_FAILED(rv)) { + return rv; + } + // Unfortunate, but not a catastrophic failure. + if (exists) { + MOZ_LOG( + gPIPNSSLog, LogLevel::Debug, + ("%s already exists - not overwriting", destModuleDBFilename.get())); + return NS_OK; + } + // Now do the actual move. + // This may fail on, e.g., a read-only file system. This would be unfortunate, + // but again it isn't catastropic and we would want to fall back to + // initializing NSS in no-DB mode. + Unused << dbFile->MoveToNative(profileDir, destModuleDBFilename); + return NS_OK; +} +#endif // ifndef ANDROID + +// Given a profile directory, attempt to initialize NSS. If nocertdb is true, +// (or if we don't have a profile directory) simply initialize NSS in no DB mode +// and return. Otherwise, first attempt to initialize in read/write mode, and +// then read-only mode if that fails. If both attempts fail, we may be failing +// to initialize an NSS DB collection that has FIPS mode enabled. Attempt to +// ascertain if this is the case, and if so, rename the offending PKCS#11 module +// DB so we can (hopefully) initialize NSS in read-write mode. Again attempt +// read-only mode if that fails. Finally, fall back to no DB mode. On Android +// we can skip the FIPS workaround since it was never possible to enable FIPS +// there anyway. +// |profilePath| is encoded in UTF-8. +static nsresult InitializeNSSWithFallbacks(const nsACString& profilePath, + bool nocertdb, bool safeMode) { + if (nocertdb || profilePath.IsEmpty()) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("nocertdb mode or empty profile path -> NSS_NoDB_Init")); + SECStatus srv = NSS_NoDB_Init(nullptr); +#ifdef MOZ_DIAGNOSTIC_ASSERT_ENABLED + if (srv != SECSuccess) { + MOZ_CRASH_UNSAFE_PRINTF("InitializeNSSWithFallbacks failed: %d", + PR_GetError()); + } +#endif + return srv == SECSuccess ? NS_OK : NS_ERROR_FAILURE; + } + + // Try read/write mode. If we're in safeMode, we won't load PKCS#11 modules. +#ifndef ANDROID + PRErrorCode savedPRErrorCode1; +#endif // ifndef ANDROID + PKCS11DBConfig safeModeDBConfig = + safeMode ? PKCS11DBConfig::DoNotLoadModules : PKCS11DBConfig::LoadModules; + SECStatus srv = ::mozilla::psm::InitializeNSS( + profilePath, NSSDBConfig::ReadWrite, safeModeDBConfig); + if (srv == SECSuccess) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("initialized NSS in r/w mode")); + return NS_OK; + } +#ifndef ANDROID + savedPRErrorCode1 = PR_GetError(); + PRErrorCode savedPRErrorCode2; +#endif // ifndef ANDROID + // That failed. Try read-only mode. + srv = ::mozilla::psm::InitializeNSS(profilePath, NSSDBConfig::ReadOnly, + safeModeDBConfig); + if (srv == SECSuccess) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("initialized NSS in r-o mode")); + return NS_OK; + } +#ifndef ANDROID + savedPRErrorCode2 = PR_GetError(); + + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("failed to initialize NSS with codes %d %d", savedPRErrorCode1, + savedPRErrorCode2)); +#endif // ifndef ANDROID + +#ifndef ANDROID + // That failed as well. Maybe we're trying to load a PKCS#11 module DB that is + // in FIPS mode, but we don't support FIPS? Test load NSS without PKCS#11 + // modules. If that succeeds, that's probably what's going on. + if (!safeMode && (savedPRErrorCode1 == SEC_ERROR_LEGACY_DATABASE || + savedPRErrorCode2 == SEC_ERROR_LEGACY_DATABASE || + savedPRErrorCode1 == SEC_ERROR_PKCS11_DEVICE_ERROR || + savedPRErrorCode2 == SEC_ERROR_PKCS11_DEVICE_ERROR)) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("attempting no-module db init")); + // It would make sense to initialize NSS in read-only mode here since this + // is just a test to see if the PKCS#11 module DB being in FIPS mode is the + // problem, but for some reason the combination of read-only and no-moddb + // flags causes NSS initialization to fail, so unfortunately we have to use + // read-write mode. + srv = ::mozilla::psm::InitializeNSS(profilePath, NSSDBConfig::ReadWrite, + PKCS11DBConfig::DoNotLoadModules); + if (srv == SECSuccess) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("FIPS may be the problem")); + // Unload NSS so we can attempt to fix this situation for the user. + srv = NSS_Shutdown(); + if (srv != SECSuccess) { +# ifdef MOZ_DIAGNOSTIC_ASSERT_ENABLED + MOZ_CRASH_UNSAFE_PRINTF("InitializeNSSWithFallbacks failed: %d", + PR_GetError()); +# endif + return NS_ERROR_FAILURE; + } + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("trying to rename module db")); + // If this fails non-catastrophically, we'll attempt to initialize NSS + // again in r/w then r-o mode (both of which will fail), and then we'll + // fall back to NSS_NoDB_Init, which is the behavior we want. + nsresult rv = AttemptToRenamePKCS11ModuleDB(profilePath); + if (NS_FAILED(rv)) { +# ifdef MOZ_DIAGNOSTIC_ASSERT_ENABLED + // An nsresult is a uint32_t, but at least one of our compilers doesn't + // like this format string unless we include the cast. <shruggie emoji> + MOZ_CRASH_UNSAFE_PRINTF("InitializeNSSWithFallbacks failed: %u", + (uint32_t)rv); +# endif + return rv; + } + srv = ::mozilla::psm::InitializeNSS(profilePath, NSSDBConfig::ReadWrite, + PKCS11DBConfig::LoadModules); + if (srv == SECSuccess) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("initialized in r/w mode")); + return NS_OK; + } + srv = ::mozilla::psm::InitializeNSS(profilePath, NSSDBConfig::ReadOnly, + PKCS11DBConfig::LoadModules); + if (srv == SECSuccess) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("initialized in r-o mode")); + return NS_OK; + } + } + } +#endif + + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("last-resort NSS_NoDB_Init")); + srv = NSS_NoDB_Init(nullptr); +#ifdef MOZ_DIAGNOSTIC_ASSERT_ENABLED + if (srv != SECSuccess) { + MOZ_CRASH_UNSAFE_PRINTF("InitializeNSSWithFallbacks failed: %d", + PR_GetError()); + } +#endif + return srv == SECSuccess ? NS_OK : NS_ERROR_FAILURE; +} + +#if defined(NIGHTLY_BUILD) && !defined(ANDROID) +// dbType is either "cert9.db" or "key4.db" +void UnmigrateOneCertDB(const nsCOMPtr<nsIFile>& profileDirectory, + const nsACString& dbType) { + nsCOMPtr<nsIFile> dbFile; + nsresult rv = profileDirectory->Clone(getter_AddRefs(dbFile)); + if (NS_FAILED(rv)) { + return; + } + rv = dbFile->AppendNative(dbType); + if (NS_FAILED(rv)) { + return; + } + bool exists; + rv = dbFile->Exists(&exists); + if (NS_FAILED(rv)) { + return; + } + // If the unprefixed DB already exists, don't overwrite it. + if (exists) { + return; + } + nsCOMPtr<nsIFile> prefixedDBFile; + rv = profileDirectory->Clone(getter_AddRefs(prefixedDBFile)); + if (NS_FAILED(rv)) { + return; + } + nsAutoCString prefixedDBName("gecko-no-share-"); + prefixedDBName.Append(dbType); + rv = prefixedDBFile->AppendNative(prefixedDBName); + if (NS_FAILED(rv)) { + return; + } + Unused << prefixedDBFile->MoveToNative(nullptr, dbType); +} + +void UnmigrateFromPrefixedCertDBs() { + nsCOMPtr<nsIFile> profileDirectory; + nsresult rv = NS_GetSpecialDirectory(NS_APP_USER_PROFILE_50_DIR, + getter_AddRefs(profileDirectory)); + if (NS_FAILED(rv)) { + return; + } + UnmigrateOneCertDB(profileDirectory, "cert9.db"_ns); + UnmigrateOneCertDB(profileDirectory, "key4.db"_ns); +} +#endif // defined(NIGHTLY_BUILD) && !defined(ANDROID) + +nsresult nsNSSComponent::InitializeNSS() { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("nsNSSComponent::InitializeNSS\n")); + AUTO_PROFILER_LABEL("nsNSSComponent::InitializeNSS", OTHER); + AUTO_PROFILER_TRACING_MARKER("NSS", "nsNSSComponent::InitializeNSS", OTHER); + + static_assert( + nsINSSErrorsService::NSS_SEC_ERROR_BASE == SEC_ERROR_BASE && + nsINSSErrorsService::NSS_SEC_ERROR_LIMIT == SEC_ERROR_LIMIT && + nsINSSErrorsService::NSS_SSL_ERROR_BASE == SSL_ERROR_BASE && + nsINSSErrorsService::NSS_SSL_ERROR_LIMIT == SSL_ERROR_LIMIT, + "You must update the values in nsINSSErrorsService.idl"); + + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("NSS Initialization beginning\n")); + + nsAutoCString profileStr; + nsresult rv = GetNSSProfilePath(profileStr); + MOZ_DIAGNOSTIC_ASSERT(NS_SUCCEEDED(rv)); + if (NS_FAILED(rv)) { + return NS_ERROR_NOT_AVAILABLE; + } + +#if defined(NIGHTLY_BUILD) && !defined(ANDROID) + if (!profileStr.IsEmpty()) { + UnmigrateFromPrefixedCertDBs(); + } +#endif + +#if defined(XP_WIN) || (defined(XP_LINUX) && !defined(ANDROID)) + SetNSSDatabaseCacheModeAsAppropriate(); +#endif + + bool nocertdb = StaticPrefs::security_nocertdb_AtStartup(); + bool inSafeMode = true; + nsCOMPtr<nsIXULRuntime> runtime(do_GetService("@mozilla.org/xre/runtime;1")); + // There might not be an nsIXULRuntime in embedded situations. This will + // default to assuming we are in safe mode (as a result, no external PKCS11 + // modules will be loaded). + if (runtime) { + rv = runtime->GetInSafeMode(&inSafeMode); + MOZ_DIAGNOSTIC_ASSERT(NS_SUCCEEDED(rv)); + if (NS_FAILED(rv)) { + return rv; + } + } + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("inSafeMode: %u\n", inSafeMode)); + + rv = InitializeNSSWithFallbacks(profileStr, nocertdb, inSafeMode); + MOZ_DIAGNOSTIC_ASSERT(NS_SUCCEEDED(rv)); + if (NS_FAILED(rv)) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("failed to initialize NSS")); + return rv; + } + + PK11_SetPasswordFunc(PK11PasswordPrompt); + + // Register an observer so we can inform NSS when these prefs change + Preferences::AddStrongObserver(this, "security."); + + rv = CommonInit(); + + MOZ_DIAGNOSTIC_ASSERT(NS_SUCCEEDED(rv)); + if (NS_FAILED(rv)) { + return NS_ERROR_UNEXPECTED; + } + + nsCOMPtr<nsICertOverrideService> certOverrideService( + do_GetService(NS_CERTOVERRIDE_CONTRACTID)); + nsCOMPtr<nsIClientAuthRememberService> clientAuthRememberService( + do_GetService(NS_CLIENTAUTHREMEMBERSERVICE_CONTRACTID)); + nsCOMPtr<nsISiteSecurityService> siteSecurityService( + do_GetService(NS_SSSERVICE_CONTRACTID)); + nsCOMPtr<nsICertStorage> certStorage(do_GetService(NS_CERT_STORAGE_CID)); + + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("NSS Initialization done\n")); + + { + MutexAutoLock lock(mMutex); + + // ensure we have initial values for various root hashes +#ifdef DEBUG + mTestBuiltInRootHash.Truncate(); + Preferences::GetCString("security.test.built_in_root_hash", + mTestBuiltInRootHash); +#endif + mMitmCanaryIssuer.Truncate(); + Preferences::GetString("security.pki.mitm_canary_issuer", + mMitmCanaryIssuer); + mMitmDetecionEnabled = + Preferences::GetBool("security.pki.mitm_canary_issuer.enabled", true); + + // Set dynamic options from prefs. + setValidationOptions(true, lock); + + bool importEnterpriseRoots = + StaticPrefs::security_enterprise_roots_enabled(); + Vector<nsCString> possibleLoadableRootsLocations; + rv = ListPossibleLoadableRootsLocations(possibleLoadableRootsLocations); + MOZ_DIAGNOSTIC_ASSERT(NS_SUCCEEDED(rv)); + if (NS_FAILED(rv)) { + return rv; + } + + bool loadOSClientCertsModule = + StaticPrefs::security_osclientcerts_autoload(); + Maybe<nsCString> maybeOSClientCertsModuleLocation; + if (loadOSClientCertsModule) { + nsAutoCString libraryDir; + if (NS_SUCCEEDED(GetDirectoryPath(NS_GRE_BIN_DIR, libraryDir))) { + maybeOSClientCertsModuleLocation.emplace(libraryDir); + } + } + RefPtr<LoadLoadableCertsTask> loadLoadableCertsTask( + new LoadLoadableCertsTask(this, importEnterpriseRoots, + std::move(possibleLoadableRootsLocations), + std::move(maybeOSClientCertsModuleLocation))); + rv = loadLoadableCertsTask->Dispatch(); + MOZ_DIAGNOSTIC_ASSERT(NS_SUCCEEDED(rv)); + if (NS_FAILED(rv)) { + return rv; + } + + return NS_OK; + } +} + +void nsNSSComponent::PrepareForShutdown() { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("nsNSSComponent::PrepareForShutdown")); + MOZ_RELEASE_ASSERT(NS_IsMainThread()); + + PK11_SetPasswordFunc((PK11PasswordFunc) nullptr); + + Preferences::RemoveObserver(this, "security."); + + if (mIntermediatePreloadingHealerTimer) { + mIntermediatePreloadingHealerTimer->Cancel(); + mIntermediatePreloadingHealerTimer = nullptr; + } + + // Release the default CertVerifier. This will cause any held NSS resources + // to be released. + MutexAutoLock lock(mMutex); + mDefaultCertVerifier = nullptr; + // We don't actually shut down NSS - XPCOM does, after all threads have been + // joined and the component manager has been shut down (and so there shouldn't + // be any XPCOM objects holding NSS resources). +} + +// The aim of the intermediate preloading healer is to remove intermediates +// that were previously cached by PSM in the NSS certdb that are now preloaded +// in cert_storage. When cached by PSM, these certificates will have no +// particular trust set - they are intended to inherit their trust. If, upon +// examination, these certificates do have trust bits set that affect +// certificate validation, they must have been modified by the user, so we want +// to leave them alone. +bool CertHasDefaultTrust(CERTCertificate* cert) { + CERTCertTrust trust; + if (CERT_GetCertTrust(cert, &trust) != SECSuccess) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("CERT_GetCertTrust failed")); + return false; + } + // This is the active distrust test for CA certificates (this is expected to + // be an intermediate). + if ((trust.sslFlags & (CERTDB_TRUSTED_CA | CERTDB_TERMINAL_RECORD)) == + CERTDB_TERMINAL_RECORD) { + return false; + } + // This is the trust anchor test. + if (trust.sslFlags & CERTDB_TRUSTED_CA) { + return false; + } + // This is the active distrust test for CA certificates (this is expected to + // be an intermediate). + if ((trust.emailFlags & (CERTDB_TRUSTED_CA | CERTDB_TERMINAL_RECORD)) == + CERTDB_TERMINAL_RECORD) { + return false; + } + // This is the trust anchor test. + if (trust.emailFlags & CERTDB_TRUSTED_CA) { + return false; + } + return true; +} + +void IntermediatePreloadingHealerCallback(nsITimer*, void*) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("IntermediatePreloadingHealerCallback")); + + if (AppShutdown::IsInOrBeyond(ShutdownPhase::AppShutdownConfirmed)) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("Exiting healer due to app shutdown")); + return; + } + + // Get the slot corresponding to the NSS certdb. + UniquePK11SlotInfo softokenSlot(PK11_GetInternalKeySlot()); + if (!softokenSlot) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("PK11_GetInternalKeySlot failed")); + return; + } + // List the certificates in the NSS certdb. + UniqueCERTCertList softokenCertificates( + PK11_ListCertsInSlot(softokenSlot.get())); + if (!softokenCertificates) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("PK11_ListCertsInSlot failed")); + return; + } + nsCOMPtr<nsICertStorage> certStorage(do_GetService(NS_CERT_STORAGE_CID)); + if (!certStorage) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("couldn't get cert_storage")); + return; + } + Vector<UniqueCERTCertificate> certsToDelete; + // For each certificate, look it up in cert_storage. If there's a match, this + // is a preloaded intermediate. + for (CERTCertListNode* n = CERT_LIST_HEAD(softokenCertificates); + !CERT_LIST_END(n, softokenCertificates); n = CERT_LIST_NEXT(n)) { + if (AppShutdown::IsInOrBeyond(ShutdownPhase::AppShutdownConfirmed)) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("Exiting healer due to app shutdown")); + return; + } + + nsTArray<uint8_t> subject; + subject.AppendElements(n->cert->derSubject.data, n->cert->derSubject.len); + nsTArray<nsTArray<uint8_t>> certs; + nsresult rv = certStorage->FindCertsBySubject(subject, certs); + if (NS_FAILED(rv)) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("FindCertsBySubject failed")); + break; + } + for (const auto& encodedCert : certs) { + if (encodedCert.Length() != n->cert->derCert.len) { + continue; + } + if (memcmp(encodedCert.Elements(), n->cert->derCert.data, + encodedCert.Length()) != 0) { + continue; + } + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("found preloaded intermediate in certdb")); + if (!CertHasDefaultTrust(n->cert)) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("certificate doesn't have default trust - skipping")); + continue; + } + UniqueCERTCertificate certCopy(CERT_DupCertificate(n->cert)); + if (!certCopy) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("CERT_DupCertificate failed")); + continue; + } + // Note that we want to remove this certificate from the NSS certdb + // because it also exists in preloaded intermediate storage and is thus + // superfluous. + if (!certsToDelete.append(std::move(certCopy))) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("append failed - out of memory?")); + return; + } + break; + } + // Only delete 20 at a time. + if (certsToDelete.length() >= 20) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("found limit of 20 preloaded intermediates in certdb")); + break; + } + } + for (const auto& certToDelete : certsToDelete) { + if (AppShutdown::IsInOrBeyond(ShutdownPhase::AppShutdownConfirmed)) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("Exiting healer due to app shutdown")); + return; + } + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("attempting to delete preloaded intermediate '%s'", + certToDelete->subjectName)); + if (SEC_DeletePermCertificate(certToDelete.get()) != SECSuccess) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("SEC_DeletePermCertificate failed")); + } + } + + // This is for tests - notify that this ran. + nsCOMPtr<nsIRunnable> runnable(NS_NewRunnableFunction( + "IntermediatePreloadingHealerCallbackDone", []() -> void { + nsCOMPtr<nsIObserverService> observerService = + mozilla::services::GetObserverService(); + if (observerService) { + observerService->NotifyObservers( + nullptr, "psm:intermediate-preloading-healer-ran", nullptr); + } + })); + Unused << NS_DispatchToMainThread(runnable.forget()); +} + +nsresult nsNSSComponent::Init() { + MOZ_RELEASE_ASSERT(NS_IsMainThread()); + if (!NS_IsMainThread()) { + return NS_ERROR_NOT_SAME_THREAD; + } + + MOZ_ASSERT(XRE_IsParentProcess()); + if (!XRE_IsParentProcess()) { + return NS_ERROR_NOT_AVAILABLE; + } + + Telemetry::AutoScalarTimer<Telemetry::ScalarID::NETWORKING_NSS_INITIALIZATION> + timer; + uint32_t zero = 0; // Directly using 0 makes the call to ScalarSet ambiguous. + Telemetry::ScalarSet(Telemetry::ScalarID::SECURITY_CLIENT_AUTH_CERT_USAGE, + u"requested"_ns, zero); + Telemetry::ScalarSet(Telemetry::ScalarID::SECURITY_CLIENT_AUTH_CERT_USAGE, + u"sent"_ns, zero); + + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("Beginning NSS initialization\n")); + + nsresult rv = InitializeNSS(); + if (NS_FAILED(rv)) { + MOZ_LOG(gPIPNSSLog, LogLevel::Error, + ("nsNSSComponent::InitializeNSS() failed\n")); + return rv; + } + + rv = RegisterObservers(); + if (NS_FAILED(rv)) { + return rv; + } + + rv = MaybeEnableIntermediatePreloadingHealer(); + if (NS_FAILED(rv)) { + return rv; + } + + return NS_OK; +} + +nsresult nsNSSComponent::MaybeEnableIntermediatePreloadingHealer() { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("nsNSSComponent::MaybeEnableIntermediatePreloadingHealer")); + MOZ_ASSERT(NS_IsMainThread()); + if (!NS_IsMainThread()) { + return NS_ERROR_NOT_SAME_THREAD; + } + + if (mIntermediatePreloadingHealerTimer) { + mIntermediatePreloadingHealerTimer->Cancel(); + mIntermediatePreloadingHealerTimer = nullptr; + } + + if (!StaticPrefs::security_intermediate_preloading_healer_enabled()) { + return NS_OK; + } + + nsCOMPtr<nsIEventTarget> socketThread( + do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID)); + if (!socketThread) { + MOZ_LOG(gPIPNSSLog, LogLevel::Error, ("couldn't get socket thread?")); + return NS_ERROR_FAILURE; + } + uint32_t timerDelayMS = + StaticPrefs::security_intermediate_preloading_healer_timer_interval_ms(); + nsresult rv = NS_NewTimerWithFuncCallback( + getter_AddRefs(mIntermediatePreloadingHealerTimer), + IntermediatePreloadingHealerCallback, nullptr, timerDelayMS, + nsITimer::TYPE_REPEATING_SLACK_LOW_PRIORITY, + "IntermediatePreloadingHealer", socketThread); + if (NS_FAILED(rv)) { + MOZ_LOG(gPIPNSSLog, LogLevel::Error, + ("NS_NewTimerWithFuncCallback failed")); + return rv; + } + return NS_OK; +} + +// nsISupports Implementation for the class +NS_IMPL_ISUPPORTS(nsNSSComponent, nsINSSComponent, nsIObserver) + +static const char* const PROFILE_BEFORE_CHANGE_TOPIC = "profile-before-change"; + +NS_IMETHODIMP +nsNSSComponent::Observe(nsISupports* aSubject, const char* aTopic, + const char16_t* someData) { + // In some tests, we don't receive a "profile-before-change" topic. However, + // we still have to shut down before the storage service shuts down, because + // closing the sql-backed softoken requires sqlite still be available. Thus, + // we observe "xpcom-shutdown" just in case. + if (nsCRT::strcmp(aTopic, PROFILE_BEFORE_CHANGE_TOPIC) == 0 || + nsCRT::strcmp(aTopic, NS_XPCOM_SHUTDOWN_OBSERVER_ID) == 0) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("receiving profile change or XPCOM shutdown notification")); + PrepareForShutdown(); + } else if (nsCRT::strcmp(aTopic, NS_PREFBRANCH_PREFCHANGE_TOPIC_ID) == 0) { + bool clearSessionCache = true; + NS_ConvertUTF16toUTF8 prefName(someData); + + if (HandleTLSPrefChange(prefName)) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("HandleTLSPrefChange done")); + } else if (prefName.EqualsLiteral("security.OCSP.enabled") || + prefName.EqualsLiteral("security.OCSP.require") || + prefName.EqualsLiteral( + "security.pki.cert_short_lifetime_in_days") || + prefName.EqualsLiteral("security.ssl.enable_ocsp_stapling") || + prefName.EqualsLiteral("security.ssl.enable_ocsp_must_staple") || + prefName.EqualsLiteral( + "security.pki.certificate_transparency.mode") || + prefName.EqualsLiteral("security.pki.netscape_step_up_policy") || + prefName.EqualsLiteral( + "security.OCSP.timeoutMilliseconds.soft") || + prefName.EqualsLiteral( + "security.OCSP.timeoutMilliseconds.hard") || + prefName.EqualsLiteral("security.pki.crlite_mode")) { + MutexAutoLock lock(mMutex); + setValidationOptions(false, lock); +#ifdef DEBUG + } else if (prefName.EqualsLiteral("security.test.built_in_root_hash")) { + MutexAutoLock lock(mMutex); + mTestBuiltInRootHash.Truncate(); + Preferences::GetCString("security.test.built_in_root_hash", + mTestBuiltInRootHash); +#endif // DEBUG + } else if (prefName.Equals("security.enterprise_roots.enabled")) { + UnloadEnterpriseRoots(); + MaybeImportEnterpriseRoots(); + } else if (prefName.Equals("security.osclientcerts.autoload")) { + bool loadOSClientCertsModule = + StaticPrefs::security_osclientcerts_autoload(); + AsyncLoadOrUnloadOSClientCertsModule(loadOSClientCertsModule); + } else if (prefName.EqualsLiteral("security.pki.mitm_canary_issuer")) { + MutexAutoLock lock(mMutex); + mMitmCanaryIssuer.Truncate(); + Preferences::GetString("security.pki.mitm_canary_issuer", + mMitmCanaryIssuer); + } else if (prefName.EqualsLiteral( + "security.pki.mitm_canary_issuer.enabled")) { + MutexAutoLock lock(mMutex); + mMitmDetecionEnabled = + Preferences::GetBool("security.pki.mitm_canary_issuer.enabled", true); + } else { + clearSessionCache = false; + } + if (clearSessionCache) { + ClearSSLExternalAndInternalSessionCache(); + } + + // Preferences that don't affect certificate verification. + if (prefName.Equals("security.intermediate_preloading_healer.enabled") || + prefName.Equals( + "security.intermediate_preloading_healer.timer_interval_ms")) { + MaybeEnableIntermediatePreloadingHealer(); + } + } + + return NS_OK; +} + +/*static*/ +nsresult nsNSSComponent::GetNewPrompter(nsIPrompt** result) { + NS_ENSURE_ARG_POINTER(result); + *result = nullptr; + + if (!NS_IsMainThread()) { + NS_ERROR("nsSDRContext::GetNewPrompter called off the main thread"); + return NS_ERROR_NOT_SAME_THREAD; + } + + nsresult rv; + nsCOMPtr<nsIWindowWatcher> wwatch( + do_GetService(NS_WINDOWWATCHER_CONTRACTID, &rv)); + NS_ENSURE_SUCCESS(rv, rv); + + rv = wwatch->GetNewPrompter(0, result); + NS_ENSURE_SUCCESS(rv, rv); + + return rv; +} + +nsresult nsNSSComponent::LogoutAuthenticatedPK11() { + nsCOMPtr<nsICertOverrideService> icos = + do_GetService("@mozilla.org/security/certoverride;1"); + if (icos) { + icos->ClearValidityOverride("all:temporary-certificates"_ns, 0, + OriginAttributes()); + } + + ClearSSLExternalAndInternalSessionCache(); + + nsCOMPtr<nsIObserverService> os = mozilla::services::GetObserverService(); + if (os) { + os->NotifyObservers(nullptr, "net:cancel-all-connections", nullptr); + } + + return NS_OK; +} + +nsresult nsNSSComponent::RegisterObservers() { + nsCOMPtr<nsIObserverService> observerService( + do_GetService("@mozilla.org/observer-service;1")); + if (!observerService) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("nsNSSComponent: couldn't get observer service\n")); + return NS_ERROR_FAILURE; + } + + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("nsNSSComponent: adding observers\n")); + // Using false for the ownsweak parameter means the observer service will + // keep a strong reference to this component. As a result, this will live at + // least as long as the observer service. + observerService->AddObserver(this, PROFILE_BEFORE_CHANGE_TOPIC, false); + observerService->AddObserver(this, NS_XPCOM_SHUTDOWN_OBSERVER_ID, false); + + return NS_OK; +} + +nsresult DoesCertMatchFingerprint(const nsTArray<uint8_t>& cert, + const nsCString& fingerprint, bool& result) { + result = false; + + if (cert.Length() > std::numeric_limits<uint32_t>::max()) { + return NS_ERROR_INVALID_ARG; + } + nsTArray<uint8_t> digestArray; + nsresult rv = Digest::DigestBuf(SEC_OID_SHA256, cert.Elements(), + cert.Length(), digestArray); + if (NS_FAILED(rv)) { + return rv; + } + SECItem digestItem = {siBuffer, digestArray.Elements(), + static_cast<unsigned int>(digestArray.Length())}; + UniquePORTString certFingerprint( + CERT_Hexify(&digestItem, true /* use colon delimiters */)); + if (!certFingerprint) { + return NS_ERROR_FAILURE; + } + + result = fingerprint.Equals(certFingerprint.get()); + return NS_OK; +} + +NS_IMETHODIMP +nsNSSComponent::IsCertTestBuiltInRoot(const nsTArray<uint8_t>& cert, + bool* result) { + NS_ENSURE_ARG_POINTER(result); + *result = false; + +#ifdef DEBUG + MutexAutoLock lock(mMutex); + nsresult rv = DoesCertMatchFingerprint(cert, mTestBuiltInRootHash, *result); + if (NS_FAILED(rv)) { + return rv; + } +#endif // DEBUG + + return NS_OK; +} + +NS_IMETHODIMP +nsNSSComponent::IssuerMatchesMitmCanary(const char* aCertIssuer) { + MutexAutoLock lock(mMutex); + if (mMitmDetecionEnabled && !mMitmCanaryIssuer.IsEmpty()) { + nsString certIssuer = NS_ConvertUTF8toUTF16(aCertIssuer); + if (mMitmCanaryIssuer.Equals(certIssuer)) { + return NS_OK; + } + } + + return NS_ERROR_FAILURE; +} + +SharedCertVerifier::~SharedCertVerifier() = default; + +NS_IMETHODIMP +nsNSSComponent::GetDefaultCertVerifier(SharedCertVerifier** result) { + MutexAutoLock lock(mMutex); + NS_ENSURE_ARG_POINTER(result); + RefPtr<SharedCertVerifier> certVerifier(mDefaultCertVerifier); + certVerifier.forget(result); + return NS_OK; +} + +// static +void nsNSSComponent::DoClearSSLExternalAndInternalSessionCache() { + SSL_ClearSessionCache(); + mozilla::net::SSLTokensCache::Clear(); +} + +NS_IMETHODIMP +nsNSSComponent::ClearSSLExternalAndInternalSessionCache() { + MOZ_ASSERT(XRE_IsParentProcess()); + if (!XRE_IsParentProcess()) { + return NS_ERROR_NOT_AVAILABLE; + } + + if (mozilla::net::nsIOService::UseSocketProcess()) { + if (mozilla::net::gIOService) { + mozilla::net::gIOService->CallOrWaitForSocketProcess([]() { + Unused << mozilla::net::SocketProcessParent::GetSingleton() + ->SendClearSessionCache(); + }); + } + } + DoClearSSLExternalAndInternalSessionCache(); + return NS_OK; +} + +NS_IMETHODIMP +nsNSSComponent::AsyncClearSSLExternalAndInternalSessionCache( + JSContext* aCx, ::mozilla::dom::Promise** aPromise) { + MOZ_ASSERT(XRE_IsParentProcess()); + if (!XRE_IsParentProcess()) { + return NS_ERROR_NOT_AVAILABLE; + } + + nsIGlobalObject* globalObject = xpc::CurrentNativeGlobal(aCx); + if (NS_WARN_IF(!globalObject)) { + return NS_ERROR_FAILURE; + } + + ErrorResult result; + RefPtr<mozilla::dom::Promise> promise = + mozilla::dom::Promise::Create(globalObject, result); + if (NS_WARN_IF(result.Failed())) { + return result.StealNSResult(); + } + + if (mozilla::net::nsIOService::UseSocketProcess() && + mozilla::net::gIOService) { + mozilla::net::gIOService->CallOrWaitForSocketProcess( + [p = RefPtr{promise}]() { + Unused << mozilla::net::SocketProcessParent::GetSingleton() + ->SendClearSessionCache() + ->Then( + GetCurrentSerialEventTarget(), __func__, + [promise = RefPtr{p}] { + promise->MaybeResolveWithUndefined(); + }, + [promise = RefPtr{p}] { + promise->MaybeReject(NS_ERROR_UNEXPECTED); + }); + }); + } else { + promise->MaybeResolveWithUndefined(); + } + DoClearSSLExternalAndInternalSessionCache(); + promise.forget(aPromise); + return NS_OK; +} + +namespace mozilla { +namespace psm { + +already_AddRefed<SharedCertVerifier> GetDefaultCertVerifier() { + static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID); + + nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID)); + if (!nssComponent) { + return nullptr; + } + nsresult rv = nssComponent->BlockUntilLoadableCertsLoaded(); + if (NS_FAILED(rv)) { + return nullptr; + } + RefPtr<SharedCertVerifier> result; + rv = nssComponent->GetDefaultCertVerifier(getter_AddRefs(result)); + if (NS_FAILED(rv)) { + return nullptr; + } + return result.forget(); +} + +// Helper for FindClientCertificatesWithPrivateKeys. Copies all +// CERTCertificates from `from` to `to`. +static inline void CopyCertificatesTo(UniqueCERTCertList& from, + UniqueCERTCertList& to) { + MOZ_ASSERT(from); + MOZ_ASSERT(to); + for (CERTCertListNode* n = CERT_LIST_HEAD(from.get()); + !CERT_LIST_END(n, from.get()); n = CERT_LIST_NEXT(n)) { + UniqueCERTCertificate cert(CERT_DupCertificate(n->cert)); + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + (" provisionally adding '%s'", n->cert->subjectName)); + if (CERT_AddCertToListTail(to.get(), cert.get()) == SECSuccess) { + Unused << cert.release(); + } + } +} + +// Lists all private keys on all modules and returns a list of any corresponding +// client certificates. Returns null if no such certificates can be found. Also +// returns null if an error is encountered, because this is called as part of +// the client auth data callback, and NSS ignores any errors returned by the +// callback. +UniqueCERTCertList FindClientCertificatesWithPrivateKeys() { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("FindClientCertificatesWithPrivateKeys")); + + (void)BlockUntilLoadableCertsLoaded(); + (void)CheckForSmartCardChanges(); + + UniqueCERTCertList certsWithPrivateKeys(CERT_NewCertList()); + if (!certsWithPrivateKeys) { + return nullptr; + } + + UniquePK11SlotInfo internalSlot(PK11_GetInternalKeySlot()); + + AutoSECMODListReadLock secmodLock; + SECMODModuleList* list = SECMOD_GetDefaultModuleList(); + while (list) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + (" module '%s'", list->module->commonName)); + for (int i = 0; i < list->module->slotCount; i++) { + PK11SlotInfo* slot = list->module->slots[i]; + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + (" slot '%s'", PK11_GetSlotName(slot))); + // If this is the internal certificate/key slot or the slot on the + // builtin roots module, there may be many more certificates than private + // keys, so search by private keys (PK11_HasRootCerts will be true if the + // slot contains an object with the vendor-specific CK_CLASS + // CKO_NSS_BUILTIN_ROOT_LIST, which should only be the case for the NSS + // builtin roots module). + if (internalSlot.get() == slot || PK11_HasRootCerts(slot)) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + (" (looking at internal/builtin slot)")); + if (PK11_Authenticate(slot, true, nullptr) != SECSuccess) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, (" (couldn't authenticate)")); + continue; + } + UniqueSECKEYPrivateKeyList privateKeys( + PK11_ListPrivKeysInSlot(slot, nullptr, nullptr)); + if (!privateKeys) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, (" (no private keys)")); + continue; + } + for (SECKEYPrivateKeyListNode* node = PRIVKEY_LIST_HEAD(privateKeys); + !PRIVKEY_LIST_END(node, privateKeys); + node = PRIVKEY_LIST_NEXT(node)) { + UniqueCERTCertList certs(PK11_GetCertsMatchingPrivateKey(node->key)); + if (!certs) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + (" PK11_GetCertsMatchingPrivateKey encountered an " + "error ")); + continue; + } + if (CERT_LIST_EMPTY(certs)) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, (" (no certs for key)")); + continue; + } + CopyCertificatesTo(certs, certsWithPrivateKeys); + } + } else { + // ... otherwise, optimistically assume that searching by certificate + // won't take too much time. Since "friendly" slots expose certificates + // without needing to be authenticated to, this results in fewer PIN + // dialogs shown to the user. + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + (" (looking at non-internal slot)")); + + if (!PK11_IsPresent(slot)) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, (" (not present)")); + continue; + } + // If this isn't a "friendly" slot, authenticate to expose certificates. + if (!PK11_IsFriendly(slot) && + PK11_Authenticate(slot, true, nullptr) != SECSuccess) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, (" (couldn't authenticate)")); + continue; + } + UniqueCERTCertList certsInSlot(PK11_ListCertsInSlot(slot)); + if (!certsInSlot) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + (" (couldn't list certs in slot)")); + continue; + } + // When NSS decodes a certificate, if that certificate has a + // corresponding private key (or public key, if the slot it's on hasn't + // been logged into), it notes it as a "user cert". + if (CERT_FilterCertListForUserCerts(certsInSlot.get()) != SECSuccess) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + (" (couldn't filter certs)")); + continue; + } + CopyCertificatesTo(certsInSlot, certsWithPrivateKeys); + } + } + list = list->next; + } + + if (CERT_FilterCertListByUsage(certsWithPrivateKeys.get(), certUsageSSLClient, + false) != SECSuccess) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + (" CERT_FilterCertListByUsage encountered an error - returning")); + return nullptr; + } + + if (MOZ_UNLIKELY(MOZ_LOG_TEST(gPIPNSSLog, LogLevel::Debug))) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, (" returning:")); + for (CERTCertListNode* n = CERT_LIST_HEAD(certsWithPrivateKeys); + !CERT_LIST_END(n, certsWithPrivateKeys); n = CERT_LIST_NEXT(n)) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, (" %s", n->cert->subjectName)); + } + } + + if (CERT_LIST_EMPTY(certsWithPrivateKeys)) { + return nullptr; + } + + return certsWithPrivateKeys; +} + +} // namespace psm +} // namespace mozilla + +NS_IMPL_ISUPPORTS(PipUIContext, nsIInterfaceRequestor) + +PipUIContext::PipUIContext() = default; + +PipUIContext::~PipUIContext() = default; + +NS_IMETHODIMP +PipUIContext::GetInterface(const nsIID& uuid, void** result) { + NS_ENSURE_ARG_POINTER(result); + *result = nullptr; + + if (!NS_IsMainThread()) { + NS_ERROR("PipUIContext::GetInterface called off the main thread"); + return NS_ERROR_NOT_SAME_THREAD; + } + + if (!uuid.Equals(NS_GET_IID(nsIPrompt))) return NS_ERROR_NO_INTERFACE; + + nsIPrompt* prompt = nullptr; + nsresult rv = nsNSSComponent::GetNewPrompter(&prompt); + *result = prompt; + return rv; +} + +nsresult getNSSDialogs(void** _result, REFNSIID aIID, const char* contract) { + if (!NS_IsMainThread()) { + NS_ERROR("getNSSDialogs called off the main thread"); + return NS_ERROR_NOT_SAME_THREAD; + } + + nsresult rv; + + nsCOMPtr<nsISupports> svc = do_GetService(contract, &rv); + if (NS_FAILED(rv)) { + return rv; + } + + rv = svc->QueryInterface(aIID, _result); + + return rv; +} + +nsresult setPassword(PK11SlotInfo* slot, nsIInterfaceRequestor* ctx) { + MOZ_ASSERT(slot); + MOZ_ASSERT(ctx); + NS_ENSURE_ARG_POINTER(slot); + NS_ENSURE_ARG_POINTER(ctx); + + if (PK11_NeedUserInit(slot)) { + nsCOMPtr<nsITokenPasswordDialogs> dialogs; + nsresult rv = getNSSDialogs(getter_AddRefs(dialogs), + NS_GET_IID(nsITokenPasswordDialogs), + NS_TOKENPASSWORDSDIALOG_CONTRACTID); + if (NS_FAILED(rv)) { + return rv; + } + + bool canceled; + nsCOMPtr<nsIPK11Token> token = new nsPK11Token(slot); + rv = dialogs->SetPassword(ctx, token, &canceled); + if (NS_FAILED(rv)) { + return rv; + } + + if (canceled) { + return NS_ERROR_NOT_AVAILABLE; + } + } + + return NS_OK; +} + +static PRBool ConvertBetweenUCS2andASCII(PRBool toUnicode, unsigned char* inBuf, + unsigned int inBufLen, + unsigned char* outBuf, + unsigned int maxOutBufLen, + unsigned int* outBufLen, + PRBool swapBytes) { + std::unique_ptr<unsigned char[]> inBufDup(new unsigned char[inBufLen]); + if (!inBufDup) { + return PR_FALSE; + } + std::memcpy(inBufDup.get(), inBuf, inBufLen * sizeof(unsigned char)); + + // If converting Unicode to ASCII, swap bytes before conversion as neccessary. + if (!toUnicode && swapBytes) { + if (inBufLen % 2 != 0) { + return PR_FALSE; + } + mozilla::NativeEndian::swapFromLittleEndianInPlace( + reinterpret_cast<char16_t*>(inBufDup.get()), inBufLen / 2); + } + return PORT_UCS2_UTF8Conversion(toUnicode, inBufDup.get(), inBufLen, outBuf, + maxOutBufLen, outBufLen); +} + +namespace mozilla { +namespace psm { + +nsresult InitializeCipherSuite() { + MOZ_ASSERT(NS_IsMainThread(), + "InitializeCipherSuite() can only be accessed on the main thread"); + + if (NSS_SetDomesticPolicy() != SECSuccess) { + return NS_ERROR_FAILURE; + } + + // Disable any ciphers that NSS might have enabled by default + for (uint16_t i = 0; i < SSL_NumImplementedCiphers; ++i) { + uint16_t cipher_id = SSL_ImplementedCiphers[i]; + SSL_CipherPrefSetDefault(cipher_id, false); + } + + // Now only set SSL/TLS ciphers we knew about at compile time + for (const auto& cipherPref : sCipherPrefs) { + SSL_CipherPrefSetDefault(cipherPref.id, cipherPref.prefGetter()); + } + + SetDeprecatedTLS1CipherPrefs(); + + // Enable ciphers for PKCS#12 + SEC_PKCS12EnableCipher(PKCS12_RC4_40, 1); + SEC_PKCS12EnableCipher(PKCS12_RC4_128, 1); + SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_40, 1); + SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_128, 1); + SEC_PKCS12EnableCipher(PKCS12_DES_56, 1); + SEC_PKCS12EnableCipher(PKCS12_DES_EDE3_168, 1); + SEC_PKCS12EnableCipher(PKCS12_AES_CBC_128, 1); + SEC_PKCS12EnableCipher(PKCS12_AES_CBC_192, 1); + SEC_PKCS12EnableCipher(PKCS12_AES_CBC_256, 1); + SEC_PKCS12SetPreferredCipher(PKCS12_DES_EDE3_168, 1); + PORT_SetUCS2_ASCIIConversionFunction(ConvertBetweenUCS2andASCII); + + // PSM enforces a minimum RSA key size of 1024 bits, which is overridable. + // NSS has its own minimum, which is not overridable (the default is 1023 + // bits). This sets the NSS minimum to 512 bits so users can still connect to + // devices like wifi routers with woefully small keys (they would have to add + // an override to do so, but they already do for such devices). + NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, 512); + + SetKyberPolicy(); + + // Observe preference change around cipher suite setting. + return CipherSuiteChangeObserver::StartObserve(); +} + +} // namespace psm +} // namespace mozilla diff --git a/security/manager/ssl/nsNSSComponent.h b/security/manager/ssl/nsNSSComponent.h new file mode 100644 index 0000000000..3c4e59abc5 --- /dev/null +++ b/security/manager/ssl/nsNSSComponent.h @@ -0,0 +1,165 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef _nsNSSComponent_h_ +#define _nsNSSComponent_h_ + +#include "nsINSSComponent.h" + +#include "EnterpriseRoots.h" +#include "ScopedNSSTypes.h" +#include "SharedCertVerifier.h" +#include "mozilla/Monitor.h" +#include "mozilla/Mutex.h" +#include "mozilla/RefPtr.h" +#include "nsCOMPtr.h" +#include "nsIObserver.h" +#include "nsNSSCallbacks.h" +#include "nsServiceManagerUtils.h" +#include "prerror.h" +#include "sslt.h" + +#ifdef XP_WIN +# include <windows.h> // this needs to be before the following includes +# include <wincrypt.h> +#endif // XP_WIN + +class nsIDOMWindow; +class nsIPrompt; +class nsISerialEventTarget; +class nsITimer; + +namespace mozilla { +namespace psm { + +[[nodiscard]] ::already_AddRefed<mozilla::psm::SharedCertVerifier> +GetDefaultCertVerifier(); +UniqueCERTCertList FindClientCertificatesWithPrivateKeys(); + +} // namespace psm +} // namespace mozilla + +#define NS_NSSCOMPONENT_CID \ + { \ + 0x4cb64dfd, 0xca98, 0x4e24, { \ + 0xbe, 0xfd, 0x0d, 0x92, 0x85, 0xa3, 0x3b, 0xcb \ + } \ + } + +bool EnsureNSSInitializedChromeOrContent(); +bool HandleTLSPrefChange(const nsCString& aPref); +void SetValidationOptionsCommon(); +void PrepareForShutdownInSocketProcess(); + +// Implementation of the PSM component interface. +class nsNSSComponent final : public nsINSSComponent, public nsIObserver { + public: + // LoadLoadableCertsTask updates mLoadableCertsLoaded and + // mLoadableCertsLoadedResult and then signals mLoadableCertsLoadedMonitor. + friend class LoadLoadableCertsTask; + // BackgroundImportEnterpriseCertsTask calls ImportEnterpriseRoots and + // UpdateCertVerifierWithEnterpriseRoots. + friend class BackgroundImportEnterpriseCertsTask; + + nsNSSComponent(); + + NS_DECL_THREADSAFE_ISUPPORTS + NS_DECL_NSINSSCOMPONENT + NS_DECL_NSIOBSERVER + + nsresult Init(); + + static nsresult GetNewPrompter(nsIPrompt** result); + + static void FillTLSVersionRange(SSLVersionRange& rangeOut, + uint32_t minFromPrefs, uint32_t maxFromPrefs, + SSLVersionRange defaults); + + static nsresult SetEnabledTLSVersions(); + + // This function does the actual work of clearing the session cache. It is to + // be used by the socket process (where there is no nsINSSComponent) and + // internally by nsNSSComponent. + // NB: NSS must have already been initialized before this is called. + static void DoClearSSLExternalAndInternalSessionCache(); + + protected: + virtual ~nsNSSComponent(); + + private: + nsresult InitializeNSS(); + void PrepareForShutdown(); + + void setValidationOptions(bool isInitialSetting, + const mozilla::MutexAutoLock& proofOfLock); + void GetRevocationBehaviorFromPrefs( + /*out*/ mozilla::psm::CertVerifier::OcspDownloadConfig* odc, + /*out*/ mozilla::psm::CertVerifier::OcspStrictConfig* osc, + /*out*/ uint32_t* certShortLifetimeInDays, + /*out*/ TimeDuration& softTimeout, + /*out*/ TimeDuration& hardTimeout); + void UpdateCertVerifierWithEnterpriseRoots(); + nsresult RegisterObservers(); + + void MaybeImportEnterpriseRoots(); + void ImportEnterpriseRoots(); + void UnloadEnterpriseRoots(); + nsresult CommonGetEnterpriseCerts( + nsTArray<nsTArray<uint8_t>>& enterpriseCerts, bool getRoots); + + nsresult MaybeEnableIntermediatePreloadingHealer(); + + // mLoadableCertsLoadedMonitor protects mLoadableCertsLoaded. + mozilla::Monitor mLoadableCertsLoadedMonitor; + bool mLoadableCertsLoaded MOZ_GUARDED_BY(mLoadableCertsLoadedMonitor); + nsresult mLoadableCertsLoadedResult + MOZ_GUARDED_BY(mLoadableCertsLoadedMonitor); + + // mMutex protects all members that are accessed from more than one thread. + mozilla::Mutex mMutex; + + // The following members are accessed from more than one thread: + +#ifdef DEBUG + nsCString mTestBuiltInRootHash MOZ_GUARDED_BY(mMutex); +#endif + RefPtr<mozilla::psm::SharedCertVerifier> mDefaultCertVerifier + MOZ_GUARDED_BY(mMutex); + nsString mMitmCanaryIssuer MOZ_GUARDED_BY(mMutex); + bool mMitmDetecionEnabled MOZ_GUARDED_BY(mMutex); + nsTArray<EnterpriseCert> mEnterpriseCerts MOZ_GUARDED_BY(mMutex); + + // The following members are accessed only on the main thread: + static int mInstanceCount; + // If the intermediate preloading healer is enabled, the following timer + // periodically dispatches events to the socket thread. Each of these + // events scans the NSS certdb for preloaded intermediates that are in + // cert_storage and thus can be removed. By default, the interval is 5 + // minutes. + nsCOMPtr<nsITimer> mIntermediatePreloadingHealerTimer; +}; + +inline nsresult BlockUntilLoadableCertsLoaded() { + nsCOMPtr<nsINSSComponent> component(do_GetService(PSM_COMPONENT_CONTRACTID)); + if (!component) { + return NS_ERROR_FAILURE; + } + return component->BlockUntilLoadableCertsLoaded(); +} + +inline nsresult CheckForSmartCardChanges() { +#ifndef MOZ_NO_SMART_CARDS + nsCOMPtr<nsINSSComponent> component(do_GetService(PSM_COMPONENT_CONTRACTID)); + if (!component) { + return NS_ERROR_FAILURE; + } + return component->CheckForSmartCardChanges(); +#else + return NS_OK; +#endif +} + +#endif // _nsNSSComponent_h_ diff --git a/security/manager/ssl/nsNSSHelper.h b/security/manager/ssl/nsNSSHelper.h new file mode 100644 index 0000000000..5f3f5ea9b4 --- /dev/null +++ b/security/manager/ssl/nsNSSHelper.h @@ -0,0 +1,32 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef nsNSSHelper_h +#define nsNSSHelper_h + +#include "nsIInterfaceRequestor.h" +#include "nsIInterfaceRequestorUtils.h" +#include "pk11func.h" + +// Implementation of an nsIInterfaceRequestor for use as context for NSS calls. +class PipUIContext : public nsIInterfaceRequestor { + public: + NS_DECL_THREADSAFE_ISUPPORTS + NS_DECL_NSIINTERFACEREQUESTOR + + PipUIContext(); + + protected: + virtual ~PipUIContext(); +}; + +// Function to get the implementor for a certain set of NSS specific dialogs. +nsresult getNSSDialogs(void** _result, REFNSIID aIID, const char* contract); + +// A function that sets the password on an unitialized slot. +nsresult setPassword(PK11SlotInfo* slot, nsIInterfaceRequestor* ctx); + +#endif // nsNSSHelper_h diff --git a/security/manager/ssl/nsNSSIOLayer.cpp b/security/manager/ssl/nsNSSIOLayer.cpp new file mode 100644 index 0000000000..508eafa0c5 --- /dev/null +++ b/security/manager/ssl/nsNSSIOLayer.cpp @@ -0,0 +1,1804 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsNSSIOLayer.h" + +#include <algorithm> +#include <utility> +#include <vector> + +#include "NSSCertDBTrustDomain.h" +#include "NSSErrorsService.h" +#include "NSSSocketControl.h" +#include "PSMRunnable.h" +#include "SSLServerCertVerification.h" +#include "ScopedNSSTypes.h" +#include "SharedSSLState.h" +#include "TLSClientAuthCertSelection.h" +#include "keyhi.h" +#include "mozilla/Base64.h" +#include "mozilla/Casting.h" +#include "mozilla/DebugOnly.h" +#include "mozilla/Logging.h" +#include "mozilla/Preferences.h" +#include "mozilla/RandomNum.h" +#include "mozilla/ScopeExit.h" +#include "mozilla/StaticPrefs_security.h" +#include "mozilla/Telemetry.h" +#include "mozilla/glean/GleanMetrics.h" +#include "mozilla/net/SSLTokensCache.h" +#include "mozilla/net/SocketProcessChild.h" +#include "mozilla/psm/IPCClientCertsChild.h" +#include "mozilla/psm/PIPCClientCertsChild.h" +#include "mozpkix/pkixnss.h" +#include "mozpkix/pkixtypes.h" +#include "mozpkix/pkixutil.h" +#include "nsArray.h" +#include "nsArrayUtils.h" +#include "nsCRT.h" +#include "nsCharSeparatedTokenizer.h" +#include "nsClientAuthRemember.h" +#include "nsContentUtils.h" +#include "nsISocketProvider.h" +#include "nsIWebProgressListener.h" +#include "nsNSSCertHelper.h" +#include "nsNSSComponent.h" +#include "nsNSSHelper.h" +#include "nsPrintfCString.h" +#include "nsServiceManagerUtils.h" +#include "prmem.h" +#include "prnetdb.h" +#include "secder.h" +#include "secerr.h" +#include "ssl.h" +#include "sslerr.h" +#include "sslexp.h" +#include "sslproto.h" + +#if defined(__arm__) +# include "mozilla/arm.h" +#endif + +using namespace mozilla; +using namespace mozilla::psm; +using namespace mozilla::ipc; + +// #define DEBUG_SSL_VERBOSE //Enable this define to get minimal +// reports when doing SSL read/write + +// #define DUMP_BUFFER //Enable this define along with +// DEBUG_SSL_VERBOSE to dump SSL +// read/write buffer to a log. +// Uses PR_LOG except on Mac where +// we always write out to our own +// file. + +namespace { + +// The NSSSocketInfo tls flags are meant to be opaque to most calling +// applications but provide a mechanism for direct TLS manipulation when +// experimenting with new features in the scope of a single socket. They do not +// create a persistent ABI. +// +// Use of these flags creates a new 'sharedSSLState' so existing states for +// intolerance are not carried to sockets that use these flags (and intolerance +// they discover does not impact other normal sockets not using the flags.) +// +// Their current definitions are: +// +// bits 0-2 (mask 0x07) specify the max tls version +// 0 means no override 1->4 are 1.0, 1.1, 1.2, 1.3, 4->7 unused +// bits 3-5 (mask 0x38) specify the tls fallback limit +// 0 means no override, values 1->4 match prefs +// bit 6 (mask 0x40) was used to specify compat mode. Temporarily reserved. + +enum { + kTLSProviderFlagMaxVersion10 = 0x01, + kTLSProviderFlagMaxVersion11 = 0x02, + kTLSProviderFlagMaxVersion12 = 0x03, + kTLSProviderFlagMaxVersion13 = 0x04, +}; + +static uint32_t getTLSProviderFlagMaxVersion(uint32_t flags) { + return (flags & 0x07); +} + +static uint32_t getTLSProviderFlagFallbackLimit(uint32_t flags) { + return (flags & 0x38) >> 3; +} + +void getSiteKey(const nsACString& hostName, uint16_t port, + /*out*/ nsACString& key) { + key = hostName; + key.AppendLiteral(":"); + key.AppendInt(port); +} + +} // unnamed namespace + +extern LazyLogModule gPIPNSSLog; + +void nsSSLIOLayerHelpers::Cleanup() { + MutexAutoLock lock(mutex); + mTLSIntoleranceInfo.Clear(); + mInsecureFallbackSites.Clear(); +} + +namespace { + +enum Operation { reading, writing, not_reading_or_writing }; + +int32_t checkHandshake(int32_t bytesTransfered, bool wasReading, + PRFileDesc* ssl_layer_fd, NSSSocketControl* socketInfo); + +NSSSocketControl* getSocketInfoIfRunning(PRFileDesc* fd, Operation op) { + if (!fd || !fd->lower || !fd->secret || + fd->identity != nsSSLIOLayerHelpers::nsSSLIOLayerIdentity) { + NS_ERROR("bad file descriptor passed to getSocketInfoIfRunning"); + PR_SetError(PR_BAD_DESCRIPTOR_ERROR, 0); + return nullptr; + } + + NSSSocketControl* socketInfo = (NSSSocketControl*)fd->secret; + + if (socketInfo->IsCanceled()) { + PRErrorCode err = socketInfo->GetErrorCode(); + PR_SetError(err, 0); + if (op == reading || op == writing) { + // We must do TLS intolerance checks for reads and writes, for timeouts + // in particular. + (void)checkHandshake(-1, op == reading, fd, socketInfo); + } + + // If we get here, it is probably because cert verification failed and this + // is the first I/O attempt since that failure. + return nullptr; + } + + return socketInfo; +} + +} // namespace + +static PRStatus nsSSLIOLayerConnect(PRFileDesc* fd, const PRNetAddr* addr, + PRIntervalTime timeout) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("[%p] connecting SSL socket\n", (void*)fd)); + if (!getSocketInfoIfRunning(fd, not_reading_or_writing)) return PR_FAILURE; + + PRStatus status = fd->lower->methods->connect(fd->lower, addr, timeout); + if (status != PR_SUCCESS) { + MOZ_LOG(gPIPNSSLog, LogLevel::Error, + ("[%p] Lower layer connect error: %d\n", (void*)fd, PR_GetError())); + return status; + } + + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("[%p] Connect\n", (void*)fd)); + return status; +} + +void nsSSLIOLayerHelpers::rememberTolerantAtVersion(const nsACString& hostName, + int16_t port, + uint16_t tolerant) { + nsCString key; + getSiteKey(hostName, port, key); + + MutexAutoLock lock(mutex); + + IntoleranceEntry entry; + if (mTLSIntoleranceInfo.Get(key, &entry)) { + entry.AssertInvariant(); + entry.tolerant = std::max(entry.tolerant, tolerant); + if (entry.intolerant != 0 && entry.intolerant <= entry.tolerant) { + entry.intolerant = entry.tolerant + 1; + entry.intoleranceReason = 0; // lose the reason + } + } else { + entry.tolerant = tolerant; + entry.intolerant = 0; + entry.intoleranceReason = 0; + } + + entry.AssertInvariant(); + + mTLSIntoleranceInfo.InsertOrUpdate(key, entry); +} + +void nsSSLIOLayerHelpers::forgetIntolerance(const nsACString& hostName, + int16_t port) { + nsCString key; + getSiteKey(hostName, port, key); + + MutexAutoLock lock(mutex); + + IntoleranceEntry entry; + if (mTLSIntoleranceInfo.Get(key, &entry)) { + entry.AssertInvariant(); + + entry.intolerant = 0; + entry.intoleranceReason = 0; + + entry.AssertInvariant(); + mTLSIntoleranceInfo.InsertOrUpdate(key, entry); + } +} + +bool nsSSLIOLayerHelpers::fallbackLimitReached(const nsACString& hostName, + uint16_t intolerant) { + if (isInsecureFallbackSite(hostName)) { + return intolerant <= SSL_LIBRARY_VERSION_TLS_1_0; + } + return intolerant <= mVersionFallbackLimit; +} + +// returns true if we should retry the handshake +bool nsSSLIOLayerHelpers::rememberIntolerantAtVersion( + const nsACString& hostName, int16_t port, uint16_t minVersion, + uint16_t intolerant, PRErrorCode intoleranceReason) { + if (intolerant <= minVersion || fallbackLimitReached(hostName, intolerant)) { + // We can't fall back any further. Assume that intolerance isn't the issue. + forgetIntolerance(hostName, port); + return false; + } + + nsCString key; + getSiteKey(hostName, port, key); + + MutexAutoLock lock(mutex); + + IntoleranceEntry entry; + if (mTLSIntoleranceInfo.Get(key, &entry)) { + entry.AssertInvariant(); + if (intolerant <= entry.tolerant) { + // We already know the server is tolerant at an equal or higher version. + return false; + } + if ((entry.intolerant != 0 && intolerant >= entry.intolerant)) { + // We already know that the server is intolerant at a lower version. + return true; + } + } else { + entry.tolerant = 0; + } + + entry.intolerant = intolerant; + entry.intoleranceReason = intoleranceReason; + entry.AssertInvariant(); + mTLSIntoleranceInfo.InsertOrUpdate(key, entry); + + return true; +} + +void nsSSLIOLayerHelpers::adjustForTLSIntolerance( + const nsACString& hostName, int16_t port, + /*in/out*/ SSLVersionRange& range) { + IntoleranceEntry entry; + + { + nsCString key; + getSiteKey(hostName, port, key); + + MutexAutoLock lock(mutex); + if (!mTLSIntoleranceInfo.Get(key, &entry)) { + return; + } + } + + entry.AssertInvariant(); + + if (entry.intolerant != 0) { + // We've tried connecting at a higher range but failed, so try at the + // version we haven't tried yet, unless we have reached the minimum. + if (range.min < entry.intolerant) { + range.max = entry.intolerant - 1; + } + } +} + +PRErrorCode nsSSLIOLayerHelpers::getIntoleranceReason( + const nsACString& hostName, int16_t port) { + IntoleranceEntry entry; + + { + nsCString key; + getSiteKey(hostName, port, key); + + MutexAutoLock lock(mutex); + if (!mTLSIntoleranceInfo.Get(key, &entry)) { + return 0; + } + } + + entry.AssertInvariant(); + return entry.intoleranceReason; +} + +bool nsSSLIOLayerHelpers::nsSSLIOLayerInitialized = false; +PRDescIdentity nsSSLIOLayerHelpers::nsSSLIOLayerIdentity; +PRDescIdentity nsSSLIOLayerHelpers::nsSSLPlaintextLayerIdentity; +PRIOMethods nsSSLIOLayerHelpers::nsSSLIOLayerMethods; +PRIOMethods nsSSLIOLayerHelpers::nsSSLPlaintextLayerMethods; + +static PRStatus nsSSLIOLayerClose(PRFileDesc* fd) { + if (!fd) { + return PR_FAILURE; + } + + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("[%p] Shutting down socket", fd)); + + // Take the owning reference from the layer. See the corresponding comment in + // nsSSLIOLayerAddToSocket where this gets set. + RefPtr<NSSSocketControl> socketInfo( + already_AddRefed((NSSSocketControl*)fd->secret)); + fd->secret = nullptr; + if (!socketInfo) { + return PR_FAILURE; + } + + return socketInfo->CloseSocketAndDestroy(); +} + +#if defined(DEBUG_SSL_VERBOSE) && defined(DUMP_BUFFER) +// Dumps a (potentially binary) buffer using SSM_DEBUG. (We could have used +// the version in ssltrace.c, but that's specifically tailored to SSLTRACE.) +# define DUMPBUF_LINESIZE 24 +static void nsDumpBuffer(unsigned char* buf, int len) { + char hexbuf[DUMPBUF_LINESIZE * 3 + 1]; + char chrbuf[DUMPBUF_LINESIZE + 1]; + static const char* hex = "0123456789abcdef"; + int i = 0; + int l = 0; + char ch; + char* c; + char* h; + if (len == 0) return; + hexbuf[DUMPBUF_LINESIZE * 3] = '\0'; + chrbuf[DUMPBUF_LINESIZE] = '\0'; + (void)memset(hexbuf, 0x20, DUMPBUF_LINESIZE * 3); + (void)memset(chrbuf, 0x20, DUMPBUF_LINESIZE); + h = hexbuf; + c = chrbuf; + + while (i < len) { + ch = buf[i]; + + if (l == DUMPBUF_LINESIZE) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("%s%s\n", hexbuf, chrbuf)); + (void)memset(hexbuf, 0x20, DUMPBUF_LINESIZE * 3); + (void)memset(chrbuf, 0x20, DUMPBUF_LINESIZE); + h = hexbuf; + c = chrbuf; + l = 0; + } + + // Convert a character to hex. + *h++ = hex[(ch >> 4) & 0xf]; + *h++ = hex[ch & 0xf]; + h++; + + // Put the character (if it's printable) into the character buffer. + if ((ch >= 0x20) && (ch <= 0x7e)) { + *c++ = ch; + } else { + *c++ = '.'; + } + i++; + l++; + } + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("%s%s\n", hexbuf, chrbuf)); +} + +# define DEBUG_DUMP_BUFFER(buf, len) nsDumpBuffer(buf, len) +#else +# define DEBUG_DUMP_BUFFER(buf, len) +#endif + +namespace { + +uint32_t tlsIntoleranceTelemetryBucket(PRErrorCode err) { + // returns a numeric code for where we track various errors in telemetry + // only errors that cause version fallback are tracked, + // so this is also used to determine which errors can cause version fallback + switch (err) { + case SSL_ERROR_BAD_MAC_ALERT: + return 1; + case SSL_ERROR_BAD_MAC_READ: + return 2; + case SSL_ERROR_HANDSHAKE_FAILURE_ALERT: + return 3; + case SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT: + return 4; + case SSL_ERROR_ILLEGAL_PARAMETER_ALERT: + return 6; + case SSL_ERROR_NO_CYPHER_OVERLAP: + return 7; + case SSL_ERROR_UNSUPPORTED_VERSION: + return 10; + case SSL_ERROR_PROTOCOL_VERSION_ALERT: + return 11; + case SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE: + return 13; + case SSL_ERROR_DECODE_ERROR_ALERT: + return 14; + case PR_CONNECT_RESET_ERROR: + return 16; + case PR_END_OF_FILE_ERROR: + return 17; + case SSL_ERROR_INTERNAL_ERROR_ALERT: + return 18; + default: + return 0; + } +} + +bool retryDueToTLSIntolerance(PRErrorCode err, NSSSocketControl* socketInfo) { + // This function is supposed to decide which error codes should + // be used to conclude server is TLS intolerant. + // Note this only happens during the initial SSL handshake. + + if (StaticPrefs::security_tls_ech_disable_grease_on_fallback() && + socketInfo->GetEchExtensionStatus() == EchExtensionStatus::kGREASE) { + // Don't record any intolerances if we used ECH GREASE but force a retry. + return true; + } + + if (!socketInfo->IsPreliminaryHandshakeDone() && + !socketInfo->HasTls13HandshakeSecrets() && socketInfo->SentXyberShare()) { + nsAutoCString errorName; + const char* prErrorName = PR_ErrorToName(err); + if (prErrorName) { + errorName.AppendASCII(prErrorName); + } + mozilla::glean::tls::xyber_intolerance_reason.Get(errorName).Add(1); + // Don't record version intolerance if we sent Xyber, just force a retry. + return true; + } + + SSLVersionRange range = socketInfo->GetTLSVersionRange(); + nsSSLIOLayerHelpers& helpers = socketInfo->SharedState().IOLayerHelpers(); + + if (err == SSL_ERROR_UNSUPPORTED_VERSION && + range.min == SSL_LIBRARY_VERSION_TLS_1_0) { + socketInfo->SetSecurityState(nsIWebProgressListener::STATE_IS_INSECURE | + nsIWebProgressListener::STATE_USES_SSL_3); + } + + // NSS will return SSL_ERROR_RX_MALFORMED_SERVER_HELLO if anti-downgrade + // detected the downgrade. + if (err == SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT || + err == SSL_ERROR_RX_MALFORMED_SERVER_HELLO) { + // This is a clear signal that we've fallen back too many versions. Treat + // this as a hard failure, but forget any intolerance so that later attempts + // don't use this version (i.e., range.max) and trigger the error again. + + // First, track the original cause of the version fallback. This uses the + // same buckets as the telemetry below, except that bucket 0 will include + // all cases where there wasn't an original reason. + PRErrorCode originalReason = helpers.getIntoleranceReason( + socketInfo->GetHostName(), socketInfo->GetPort()); + Telemetry::Accumulate(Telemetry::SSL_VERSION_FALLBACK_INAPPROPRIATE, + tlsIntoleranceTelemetryBucket(originalReason)); + + helpers.forgetIntolerance(socketInfo->GetHostName(), socketInfo->GetPort()); + + return false; + } + + // When not using a proxy we'll see a connection reset error. + // When using a proxy, we'll see an end of file error. + + // Don't allow STARTTLS connections to fall back on connection resets or + // EOF. + if ((err == PR_CONNECT_RESET_ERROR || err == PR_END_OF_FILE_ERROR) && + socketInfo->GetForSTARTTLS()) { + return false; + } + + uint32_t reason = tlsIntoleranceTelemetryBucket(err); + if (reason == 0) { + return false; + } + + Telemetry::HistogramID pre; + Telemetry::HistogramID post; + switch (range.max) { + case SSL_LIBRARY_VERSION_TLS_1_3: + pre = Telemetry::SSL_TLS13_INTOLERANCE_REASON_PRE; + post = Telemetry::SSL_TLS13_INTOLERANCE_REASON_POST; + break; + case SSL_LIBRARY_VERSION_TLS_1_2: + pre = Telemetry::SSL_TLS12_INTOLERANCE_REASON_PRE; + post = Telemetry::SSL_TLS12_INTOLERANCE_REASON_POST; + break; + case SSL_LIBRARY_VERSION_TLS_1_1: + pre = Telemetry::SSL_TLS11_INTOLERANCE_REASON_PRE; + post = Telemetry::SSL_TLS11_INTOLERANCE_REASON_POST; + break; + case SSL_LIBRARY_VERSION_TLS_1_0: + pre = Telemetry::SSL_TLS10_INTOLERANCE_REASON_PRE; + post = Telemetry::SSL_TLS10_INTOLERANCE_REASON_POST; + break; + default: + MOZ_CRASH("impossible TLS version"); + return false; + } + + // The difference between _PRE and _POST represents how often we avoided + // TLS intolerance fallback due to remembered tolerance. + Telemetry::Accumulate(pre, reason); + + if (!helpers.rememberIntolerantAtVersion(socketInfo->GetHostName(), + socketInfo->GetPort(), range.min, + range.max, err)) { + return false; + } + + Telemetry::Accumulate(post, reason); + + return true; +} + +// Ensure that we haven't added too many errors to fit. +static_assert((SSL_ERROR_END_OF_LIST - SSL_ERROR_BASE) <= 256, + "too many SSL errors"); +static_assert((SEC_ERROR_END_OF_LIST - SEC_ERROR_BASE) <= 256, + "too many SEC errors"); +static_assert((PR_MAX_ERROR - PR_NSPR_ERROR_BASE) <= 128, + "too many NSPR errors"); +static_assert((mozilla::pkix::ERROR_BASE - mozilla::pkix::END_OF_LIST) < 31, + "too many moz::pkix errors"); + +static void reportHandshakeResult(int32_t bytesTransferred, bool wasReading, + PRErrorCode err, + NSSSocketControl* socketInfo) { + uint32_t bucket; + + // A negative bytesTransferred or a 0 read are errors. + if (bytesTransferred > 0) { + bucket = 0; + } else if ((bytesTransferred == 0) && !wasReading) { + // PR_Write() is defined to never return 0, but let's make sure. + // https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSPR/Reference/PR_Write. + MOZ_ASSERT(false); + bucket = 671; + } else if (IS_SSL_ERROR(err)) { + bucket = err - SSL_ERROR_BASE; + MOZ_ASSERT(bucket > 0); // SSL_ERROR_EXPORT_ONLY_SERVER isn't used. + } else if (IS_SEC_ERROR(err)) { + bucket = (err - SEC_ERROR_BASE) + 256; + } else if ((err >= PR_NSPR_ERROR_BASE) && (err < PR_MAX_ERROR)) { + bucket = (err - PR_NSPR_ERROR_BASE) + 512; + } else if ((err >= mozilla::pkix::ERROR_BASE) && + (err < mozilla::pkix::ERROR_LIMIT)) { + bucket = (err - mozilla::pkix::ERROR_BASE) + 640; + } else { + bucket = 671; + } + + uint32_t flags = socketInfo->GetProviderFlags(); + if (!(flags & nsISocketProvider::IS_RETRY)) { + Telemetry::Accumulate(Telemetry::SSL_HANDSHAKE_RESULT_FIRST_TRY, bucket); + } + + if (flags & nsISocketProvider::BE_CONSERVATIVE) { + Telemetry::Accumulate(Telemetry::SSL_HANDSHAKE_RESULT_CONSERVATIVE, bucket); + } + + switch (socketInfo->GetEchExtensionStatus()) { + case EchExtensionStatus::kGREASE: + Telemetry::Accumulate(Telemetry::SSL_HANDSHAKE_RESULT_ECH_GREASE, bucket); + break; + case EchExtensionStatus::kReal: + Telemetry::Accumulate(Telemetry::SSL_HANDSHAKE_RESULT_ECH, bucket); + break; + default: + break; + } + Telemetry::Accumulate(Telemetry::SSL_HANDSHAKE_RESULT, bucket); + + if (bucket == 0) { + nsCOMPtr<nsITransportSecurityInfo> securityInfo; + if (NS_FAILED(socketInfo->GetSecurityInfo(getter_AddRefs(securityInfo))) || + !securityInfo) { + return; + } + // Web Privacy Telemetry for successful connections. + bool success = true; + + bool usedPrivateDNS = false; + success &= securityInfo->GetUsedPrivateDNS(&usedPrivateDNS) == NS_OK; + + bool madeOCSPRequest = false; + success &= securityInfo->GetMadeOCSPRequests(&madeOCSPRequest) == NS_OK; + + uint16_t protocolVersion = 0; + success &= securityInfo->GetProtocolVersion(&protocolVersion) == NS_OK; + bool usedTLS13 = protocolVersion == 4; + + bool usedECH = false; + success &= securityInfo->GetIsAcceptedEch(&usedECH) == NS_OK; + + // As bucket is 0 we are reporting the results of a sucessful connection + // and so TransportSecurityInfo should be populated. However, this isn't + // happening in all cases, see Bug 1789458. + if (success) { + uint8_t TLSPrivacyResult = 0; + TLSPrivacyResult |= usedTLS13 << 0; + TLSPrivacyResult |= !madeOCSPRequest << 1; + TLSPrivacyResult |= usedPrivateDNS << 2; + TLSPrivacyResult |= usedECH << 3; + + Telemetry::Accumulate(Telemetry::SSL_HANDSHAKE_PRIVACY, TLSPrivacyResult); + } + } +} + +// Check the status of the handshake. This is where PSM checks for TLS +// intolerance and potentially sets up TLS intolerance fallback by noting the +// intolerance, setting the NSPR error to PR_CONNECT_RESET_ERROR, and returning +// -1 as the bytes transferred so that necko retries the connection. +// Otherwise, PSM returns the bytes transferred unchanged. +int32_t checkHandshake(int32_t bytesTransferred, bool wasReading, + PRFileDesc* ssl_layer_fd, NSSSocketControl* socketInfo) { + const PRErrorCode originalError = PR_GetError(); + + // If the connection would block, return early. + if (bytesTransferred < 0 && originalError == PR_WOULD_BLOCK_ERROR) { + PR_SetError(PR_WOULD_BLOCK_ERROR, 0); + return bytesTransferred; + } + + // We only need to do TLS intolerance checking for the first transfer. + bool handleHandshakeResultNow = socketInfo->IsHandshakePending(); + if (!handleHandshakeResultNow) { + // If we've encountered an error since the handshake, ensure the socket + // control is cancelled, so that getSocketInfoIfRunning will correctly + // cause us to fail if another part of Gecko (erroneously) calls an I/O + // function (PR_Send/PR_Recv/etc.) again on this socket. + if (bytesTransferred < 0) { + if (!socketInfo->IsCanceled()) { + socketInfo->SetCanceled(originalError); + } + PR_SetError(originalError, 0); + } + return bytesTransferred; + } + + // TLS intolerant servers only cause the first transfer to fail, so let's + // set the HandshakePending attribute to false so that we don't try this logic + // again in a subsequent transfer. + socketInfo->SetHandshakeNotPending(); + // Report the result once for each handshake. Note that this does not + // get handshakes which are cancelled before any reads or writes + // happen. + reportHandshakeResult(bytesTransferred, wasReading, originalError, + socketInfo); + + // If there was no error, return early. The case where we read 0 bytes is not + // considered an error by NSS, but PSM interprets this as TLS intolerance, so + // we turn it into an error. Writes of 0 bytes are an error, because PR_Write + // is never supposed to return 0. + if (bytesTransferred > 0) { + return bytesTransferred; + } + + // There was some sort of error. Determine what it was and if we want to + // retry the connection due to TLS intolerance. + PRErrorCode errorToUse = originalError; + // Turn zero-length reads into errors and handle zero-length write errors. + if (bytesTransferred == 0) { + if (wasReading) { + errorToUse = PR_END_OF_FILE_ERROR; + } else { + errorToUse = SEC_ERROR_LIBRARY_FAILURE; + } + bytesTransferred = -1; + } + bool wantRetry = retryDueToTLSIntolerance(errorToUse, socketInfo); + // Set the error on the socket control and cancel it. + if (!socketInfo->IsCanceled()) { + socketInfo->SetCanceled(errorToUse); + } + + if (wantRetry) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("[%p] checkHandshake: will retry with lower max TLS version", + ssl_layer_fd)); + // Setting the error PR_CONNECT_RESET_ERROR causes necko to retry the + // connection. + PR_SetError(PR_CONNECT_RESET_ERROR, 0); + } else { + PR_SetError(originalError, 0); + } + + return bytesTransferred; +} + +} // namespace + +static int16_t nsSSLIOLayerPoll(PRFileDesc* fd, int16_t in_flags, + int16_t* out_flags) { + if (!out_flags) { + NS_WARNING("nsSSLIOLayerPoll called with null out_flags"); + return 0; + } + + *out_flags = 0; + + NSSSocketControl* socketInfo = + getSocketInfoIfRunning(fd, not_reading_or_writing); + + if (!socketInfo) { + // If we get here, it is probably because certificate validation failed + // and this is the first I/O operation after the failure. + MOZ_LOG( + gPIPNSSLog, LogLevel::Debug, + ("[%p] polling SSL socket right after certificate verification failed " + "or NSS shutdown or SDR logout %d\n", + fd, (int)in_flags)); + + MOZ_ASSERT(in_flags & PR_POLL_EXCEPT, + "Caller did not poll for EXCEPT (canceled)"); + // Since this poll method cannot return errors, we want the caller to call + // PR_Send/PR_Recv right away to get the error, so we tell that we are + // ready for whatever I/O they are asking for. (See getSocketInfoIfRunning). + *out_flags = in_flags | PR_POLL_EXCEPT; // see also bug 480619 + return in_flags; + } + + MOZ_LOG(gPIPNSSLog, LogLevel::Verbose, + (socketInfo->IsWaitingForCertVerification() + ? "[%p] polling SSL socket during certificate verification " + "using lower %d\n" + : "[%p] poll SSL socket using lower %d\n", + fd, (int)in_flags)); + + socketInfo->MaybeDispatchSelectClientAuthCertificate(); + + // We want the handshake to continue during certificate validation, so we + // don't need to do anything special here. libssl automatically blocks when + // it reaches any point that would be unsafe to send/receive something before + // cert validation is complete. + int16_t result = fd->lower->methods->poll(fd->lower, in_flags, out_flags); + MOZ_LOG(gPIPNSSLog, LogLevel::Verbose, + ("[%p] poll SSL socket returned %d\n", (void*)fd, (int)result)); + return result; +} + +nsSSLIOLayerHelpers::nsSSLIOLayerHelpers(uint32_t aTlsFlags) + : mTreatUnsafeNegotiationAsBroken(false), + mVersionFallbackLimit(SSL_LIBRARY_VERSION_TLS_1_0), + mutex("nsSSLIOLayerHelpers.mutex"), + mTlsFlags(aTlsFlags) {} + +// PSMAvailable and PSMAvailable64 are reachable, but they're unimplemented in +// PSM, so we set an error and return -1. +static int32_t PSMAvailable(PRFileDesc*) { + PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); + return -1; +} + +static int64_t PSMAvailable64(PRFileDesc*) { + PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); + return -1; +} + +static PRStatus PSMGetsockname(PRFileDesc* fd, PRNetAddr* addr) { + if (!getSocketInfoIfRunning(fd, not_reading_or_writing)) return PR_FAILURE; + + return fd->lower->methods->getsockname(fd->lower, addr); +} + +static PRStatus PSMGetpeername(PRFileDesc* fd, PRNetAddr* addr) { + if (!getSocketInfoIfRunning(fd, not_reading_or_writing)) return PR_FAILURE; + + return fd->lower->methods->getpeername(fd->lower, addr); +} + +static PRStatus PSMGetsocketoption(PRFileDesc* fd, PRSocketOptionData* data) { + if (!getSocketInfoIfRunning(fd, not_reading_or_writing)) return PR_FAILURE; + + return fd->lower->methods->getsocketoption(fd, data); +} + +static PRStatus PSMSetsocketoption(PRFileDesc* fd, + const PRSocketOptionData* data) { + if (!getSocketInfoIfRunning(fd, not_reading_or_writing)) return PR_FAILURE; + + return fd->lower->methods->setsocketoption(fd, data); +} + +static int32_t PSMRecv(PRFileDesc* fd, void* buf, int32_t amount, int flags, + PRIntervalTime timeout) { + NSSSocketControl* socketInfo = getSocketInfoIfRunning(fd, reading); + if (!socketInfo) return -1; + + if (flags != PR_MSG_PEEK && flags != 0) { + PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0); + return -1; + } + + int32_t bytesRead = + fd->lower->methods->recv(fd->lower, buf, amount, flags, timeout); + + MOZ_LOG(gPIPNSSLog, LogLevel::Verbose, + ("[%p] read %d bytes\n", (void*)fd, bytesRead)); + +#ifdef DEBUG_SSL_VERBOSE + DEBUG_DUMP_BUFFER((unsigned char*)buf, bytesRead); +#endif + + return checkHandshake(bytesRead, true, fd, socketInfo); +} + +static int32_t PSMSend(PRFileDesc* fd, const void* buf, int32_t amount, + int flags, PRIntervalTime timeout) { + NSSSocketControl* socketInfo = getSocketInfoIfRunning(fd, writing); + if (!socketInfo) return -1; + + if (flags != 0) { + PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0); + return -1; + } + +#ifdef DEBUG_SSL_VERBOSE + DEBUG_DUMP_BUFFER((unsigned char*)buf, amount); +#endif + + if (socketInfo->IsShortWritePending() && amount > 0) { + // We got "SSL short write" last time, try to flush the pending byte. +#ifdef DEBUG + socketInfo->CheckShortWrittenBuffer(static_cast<const unsigned char*>(buf), + amount); +#endif + + buf = socketInfo->GetShortWritePendingByteRef(); + amount = 1; + + MOZ_LOG(gPIPNSSLog, LogLevel::Verbose, + ("[%p] pushing 1 byte after SSL short write", fd)); + } + + int32_t bytesWritten = + fd->lower->methods->send(fd->lower, buf, amount, flags, timeout); + + // NSS indicates that it can't write all requested data (due to network + // congestion, for example) by returning either one less than the amount + // of data requested or 16383, if the requested amount is greater than + // 16384. We refer to this as a "short write". If we simply returned + // the amount that NSS did write, the layer above us would then call + // PSMSend with a very small amount of data (often 1). This is inefficient + // and can lead to alternating between sending large packets and very small + // packets. To prevent this, we alert the layer calling us that the operation + // would block and that it should be retried later, with the same data. + // When it does, we tell NSS to write the remaining byte it didn't write + // in the previous call. We then return the total number of bytes written, + // which is the number that caused the short write plus the additional byte + // we just wrote out. + + // The 16384 value is based on libssl's maximum buffer size: + // MAX_FRAGMENT_LENGTH - 1 + // + // It's in a private header, though, filed bug 1394822 to expose it. + static const int32_t kShortWrite16k = 16383; + + if ((amount > 1 && bytesWritten == (amount - 1)) || + (amount > kShortWrite16k && bytesWritten == kShortWrite16k)) { + // This is indication of an "SSL short write", block to force retry. + socketInfo->SetShortWritePending( + bytesWritten + 1, // The amount to return after the flush + *(static_cast<const unsigned char*>(buf) + bytesWritten)); + + MOZ_LOG( + gPIPNSSLog, LogLevel::Verbose, + ("[%p] indicated SSL short write for %d bytes (written just %d bytes)", + fd, amount, bytesWritten)); + + bytesWritten = -1; + PR_SetError(PR_WOULD_BLOCK_ERROR, 0); + +#ifdef DEBUG + socketInfo->RememberShortWrittenBuffer( + static_cast<const unsigned char*>(buf)); +#endif + + } else if (socketInfo->IsShortWritePending() && bytesWritten == 1) { + // We have now flushed all pending data in the SSL socket + // after the indicated short write. Tell the upper layer + // it has sent all its data now. + MOZ_LOG(gPIPNSSLog, LogLevel::Verbose, + ("[%p] finished SSL short write", fd)); + + bytesWritten = socketInfo->ResetShortWritePending(); + } + + MOZ_LOG(gPIPNSSLog, LogLevel::Verbose, + ("[%p] wrote %d bytes\n", fd, bytesWritten)); + + return checkHandshake(bytesWritten, false, fd, socketInfo); +} + +static PRStatus PSMBind(PRFileDesc* fd, const PRNetAddr* addr) { + if (!getSocketInfoIfRunning(fd, not_reading_or_writing)) return PR_FAILURE; + + return fd->lower->methods->bind(fd->lower, addr); +} + +static int32_t nsSSLIOLayerRead(PRFileDesc* fd, void* buf, int32_t amount) { + return PSMRecv(fd, buf, amount, 0, PR_INTERVAL_NO_TIMEOUT); +} + +static int32_t nsSSLIOLayerWrite(PRFileDesc* fd, const void* buf, + int32_t amount) { + return PSMSend(fd, buf, amount, 0, PR_INTERVAL_NO_TIMEOUT); +} + +static PRStatus PSMConnectcontinue(PRFileDesc* fd, int16_t out_flags) { + if (!getSocketInfoIfRunning(fd, not_reading_or_writing)) { + return PR_FAILURE; + } + + return fd->lower->methods->connectcontinue(fd, out_flags); +} + +namespace { + +class PrefObserver : public nsIObserver { + public: + NS_DECL_THREADSAFE_ISUPPORTS + NS_DECL_NSIOBSERVER + explicit PrefObserver(nsSSLIOLayerHelpers* aOwner) : mOwner(aOwner) {} + + protected: + virtual ~PrefObserver() = default; + + private: + nsSSLIOLayerHelpers* mOwner; +}; + +} // unnamed namespace + +NS_IMPL_ISUPPORTS(PrefObserver, nsIObserver) + +NS_IMETHODIMP +PrefObserver::Observe(nsISupports* aSubject, const char* aTopic, + const char16_t* someData) { + if (nsCRT::strcmp(aTopic, NS_PREFBRANCH_PREFCHANGE_TOPIC_ID) == 0) { + NS_ConvertUTF16toUTF8 prefName(someData); + + if (prefName.EqualsLiteral( + "security.ssl.treat_unsafe_negotiation_as_broken")) { + bool enabled; + Preferences::GetBool("security.ssl.treat_unsafe_negotiation_as_broken", + &enabled); + mOwner->setTreatUnsafeNegotiationAsBroken(enabled); + } else if (prefName.EqualsLiteral("security.tls.version.fallback-limit")) { + mOwner->loadVersionFallbackLimit(); + } else if (prefName.EqualsLiteral("security.tls.insecure_fallback_hosts")) { + // Changes to the allowlist on the public side will update the pref. + // Don't propagate the changes to the private side. + if (mOwner->isPublic()) { + mOwner->initInsecureFallbackSites(); + } + } + } + return NS_OK; +} + +static int32_t PlaintextRecv(PRFileDesc* fd, void* buf, int32_t amount, + int flags, PRIntervalTime timeout) { + NSSSocketControl* socketInfo = nullptr; + + int32_t bytesRead = + fd->lower->methods->recv(fd->lower, buf, amount, flags, timeout); + if (fd->identity == nsSSLIOLayerHelpers::nsSSLPlaintextLayerIdentity) { + socketInfo = (NSSSocketControl*)fd->secret; + } + + if ((bytesRead > 0) && socketInfo) { + socketInfo->AddPlaintextBytesRead(bytesRead); + } + return bytesRead; +} + +nsSSLIOLayerHelpers::~nsSSLIOLayerHelpers() { + // mPrefObserver will only be set if this->Init was called. The GTest tests + // do not call Init. + if (mPrefObserver) { + Preferences::RemoveObserver( + mPrefObserver, "security.ssl.treat_unsafe_negotiation_as_broken"); + Preferences::RemoveObserver(mPrefObserver, + "security.tls.version.fallback-limit"); + Preferences::RemoveObserver(mPrefObserver, + "security.tls.insecure_fallback_hosts"); + } +} + +template <typename R, R return_value, typename... Args> +static R InvalidPRIOMethod(Args...) { + MOZ_ASSERT_UNREACHABLE("I/O method is invalid"); + PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); + return return_value; +} + +nsresult nsSSLIOLayerHelpers::Init() { + if (!nsSSLIOLayerInitialized) { + MOZ_ASSERT(NS_IsMainThread()); + nsSSLIOLayerInitialized = true; + nsSSLIOLayerIdentity = PR_GetUniqueIdentity("NSS layer"); + nsSSLIOLayerMethods = *PR_GetDefaultIOMethods(); + + nsSSLIOLayerMethods.fsync = + InvalidPRIOMethod<PRStatus, PR_FAILURE, PRFileDesc*>; + nsSSLIOLayerMethods.seek = + InvalidPRIOMethod<int32_t, -1, PRFileDesc*, int32_t, PRSeekWhence>; + nsSSLIOLayerMethods.seek64 = + InvalidPRIOMethod<int64_t, -1, PRFileDesc*, int64_t, PRSeekWhence>; + nsSSLIOLayerMethods.fileInfo = + InvalidPRIOMethod<PRStatus, PR_FAILURE, PRFileDesc*, PRFileInfo*>; + nsSSLIOLayerMethods.fileInfo64 = + InvalidPRIOMethod<PRStatus, PR_FAILURE, PRFileDesc*, PRFileInfo64*>; + nsSSLIOLayerMethods.writev = + InvalidPRIOMethod<int32_t, -1, PRFileDesc*, const PRIOVec*, int32_t, + PRIntervalTime>; + nsSSLIOLayerMethods.accept = + InvalidPRIOMethod<PRFileDesc*, nullptr, PRFileDesc*, PRNetAddr*, + PRIntervalTime>; + nsSSLIOLayerMethods.listen = + InvalidPRIOMethod<PRStatus, PR_FAILURE, PRFileDesc*, int>; + nsSSLIOLayerMethods.shutdown = + InvalidPRIOMethod<PRStatus, PR_FAILURE, PRFileDesc*, int>; + nsSSLIOLayerMethods.recvfrom = + InvalidPRIOMethod<int32_t, -1, PRFileDesc*, void*, int32_t, int, + PRNetAddr*, PRIntervalTime>; + nsSSLIOLayerMethods.sendto = + InvalidPRIOMethod<int32_t, -1, PRFileDesc*, const void*, int32_t, int, + const PRNetAddr*, PRIntervalTime>; + nsSSLIOLayerMethods.acceptread = + InvalidPRIOMethod<int32_t, -1, PRFileDesc*, PRFileDesc**, PRNetAddr**, + void*, int32_t, PRIntervalTime>; + nsSSLIOLayerMethods.transmitfile = + InvalidPRIOMethod<int32_t, -1, PRFileDesc*, PRFileDesc*, const void*, + int32_t, PRTransmitFileFlags, PRIntervalTime>; + nsSSLIOLayerMethods.sendfile = + InvalidPRIOMethod<int32_t, -1, PRFileDesc*, PRSendFileData*, + PRTransmitFileFlags, PRIntervalTime>; + + nsSSLIOLayerMethods.available = PSMAvailable; + nsSSLIOLayerMethods.available64 = PSMAvailable64; + nsSSLIOLayerMethods.getsockname = PSMGetsockname; + nsSSLIOLayerMethods.getpeername = PSMGetpeername; + nsSSLIOLayerMethods.getsocketoption = PSMGetsocketoption; + nsSSLIOLayerMethods.setsocketoption = PSMSetsocketoption; + nsSSLIOLayerMethods.recv = PSMRecv; + nsSSLIOLayerMethods.send = PSMSend; + nsSSLIOLayerMethods.connectcontinue = PSMConnectcontinue; + nsSSLIOLayerMethods.bind = PSMBind; + + nsSSLIOLayerMethods.connect = nsSSLIOLayerConnect; + nsSSLIOLayerMethods.close = nsSSLIOLayerClose; + nsSSLIOLayerMethods.write = nsSSLIOLayerWrite; + nsSSLIOLayerMethods.read = nsSSLIOLayerRead; + nsSSLIOLayerMethods.poll = nsSSLIOLayerPoll; + + nsSSLPlaintextLayerIdentity = PR_GetUniqueIdentity("Plaintxext PSM layer"); + nsSSLPlaintextLayerMethods = *PR_GetDefaultIOMethods(); + nsSSLPlaintextLayerMethods.recv = PlaintextRecv; + } + + loadVersionFallbackLimit(); + + // non main thread helpers will need to use defaults + if (NS_IsMainThread()) { + bool enabled = false; + Preferences::GetBool("security.ssl.treat_unsafe_negotiation_as_broken", + &enabled); + setTreatUnsafeNegotiationAsBroken(enabled); + + initInsecureFallbackSites(); + + mPrefObserver = new PrefObserver(this); + Preferences::AddStrongObserver( + mPrefObserver, "security.ssl.treat_unsafe_negotiation_as_broken"); + Preferences::AddStrongObserver(mPrefObserver, + "security.tls.version.fallback-limit"); + Preferences::AddStrongObserver(mPrefObserver, + "security.tls.insecure_fallback_hosts"); + } else { + MOZ_ASSERT(mTlsFlags, "Only per socket version can ignore prefs"); + } + + return NS_OK; +} + +void nsSSLIOLayerHelpers::loadVersionFallbackLimit() { + // see nsNSSComponent::SetEnabledTLSVersions for pref handling rules + uint32_t limit = 3; // TLS 1.2 + + if (NS_IsMainThread()) { + limit = Preferences::GetUint("security.tls.version.fallback-limit", + 3); // 3 = TLS 1.2 + } + + // set fallback limit if it is set in the tls flags + uint32_t tlsFlagsFallbackLimit = getTLSProviderFlagFallbackLimit(mTlsFlags); + + if (tlsFlagsFallbackLimit) { + limit = tlsFlagsFallbackLimit; + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("loadVersionFallbackLimit overriden by tlsFlags %d\n", limit)); + } + + SSLVersionRange defaults = {SSL_LIBRARY_VERSION_TLS_1_2, + SSL_LIBRARY_VERSION_TLS_1_2}; + SSLVersionRange filledInRange; + nsNSSComponent::FillTLSVersionRange(filledInRange, limit, limit, defaults); + if (filledInRange.max < SSL_LIBRARY_VERSION_TLS_1_2) { + filledInRange.max = SSL_LIBRARY_VERSION_TLS_1_2; + } + + mVersionFallbackLimit = filledInRange.max; +} + +void nsSSLIOLayerHelpers::clearStoredData() { + MOZ_ASSERT(NS_IsMainThread()); + initInsecureFallbackSites(); + + MutexAutoLock lock(mutex); + mTLSIntoleranceInfo.Clear(); +} + +void nsSSLIOLayerHelpers::setInsecureFallbackSites(const nsCString& str) { + MutexAutoLock lock(mutex); + + mInsecureFallbackSites.Clear(); + + for (const nsACString& host : nsCCharSeparatedTokenizer(str, ',').ToRange()) { + if (!host.IsEmpty()) { + mInsecureFallbackSites.PutEntry(host); + } + } +} + +void nsSSLIOLayerHelpers::initInsecureFallbackSites() { + MOZ_ASSERT(NS_IsMainThread()); + nsAutoCString insecureFallbackHosts; + Preferences::GetCString("security.tls.insecure_fallback_hosts", + insecureFallbackHosts); + setInsecureFallbackSites(insecureFallbackHosts); +} + +bool nsSSLIOLayerHelpers::isPublic() const { + return this == &PublicSSLState()->IOLayerHelpers(); +} + +class FallbackPrefRemover final : public Runnable { + public: + explicit FallbackPrefRemover(const nsACString& aHost) + : mozilla::Runnable("FallbackPrefRemover"), mHost(aHost) {} + NS_IMETHOD Run() override; + + private: + nsCString mHost; +}; + +NS_IMETHODIMP +FallbackPrefRemover::Run() { + MOZ_ASSERT(NS_IsMainThread()); + nsAutoCString oldValue; + Preferences::GetCString("security.tls.insecure_fallback_hosts", oldValue); + nsCString newValue; + for (const nsACString& host : + nsCCharSeparatedTokenizer(oldValue, ',').ToRange()) { + if (host.Equals(mHost)) { + continue; + } + if (!newValue.IsEmpty()) { + newValue.Append(','); + } + newValue.Append(host); + } + Preferences::SetCString("security.tls.insecure_fallback_hosts", newValue); + return NS_OK; +} + +void nsSSLIOLayerHelpers::removeInsecureFallbackSite(const nsACString& hostname, + uint16_t port) { + forgetIntolerance(hostname, port); + { + MutexAutoLock lock(mutex); + if (!mInsecureFallbackSites.Contains(hostname)) { + return; + } + mInsecureFallbackSites.RemoveEntry(hostname); + } + if (!isPublic()) { + return; + } + RefPtr<Runnable> runnable = new FallbackPrefRemover(hostname); + if (NS_IsMainThread()) { + runnable->Run(); + } else { + NS_DispatchToMainThread(runnable); + } +} + +bool nsSSLIOLayerHelpers::isInsecureFallbackSite(const nsACString& hostname) { + MutexAutoLock lock(mutex); + return mInsecureFallbackSites.Contains(hostname); +} + +void nsSSLIOLayerHelpers::setTreatUnsafeNegotiationAsBroken(bool broken) { + MutexAutoLock lock(mutex); + mTreatUnsafeNegotiationAsBroken = broken; +} + +bool nsSSLIOLayerHelpers::treatUnsafeNegotiationAsBroken() { + MutexAutoLock lock(mutex); + return mTreatUnsafeNegotiationAsBroken; +} + +nsresult nsSSLIOLayerNewSocket(int32_t family, const char* host, int32_t port, + nsIProxyInfo* proxy, + const OriginAttributes& originAttributes, + PRFileDesc** fd, + nsITLSSocketControl** tlsSocketControl, + bool forSTARTTLS, uint32_t flags, + uint32_t tlsFlags) { + PRFileDesc* sock = PR_OpenTCPSocket(family); + if (!sock) return NS_ERROR_OUT_OF_MEMORY; + + nsresult rv = + nsSSLIOLayerAddToSocket(family, host, port, proxy, originAttributes, sock, + tlsSocketControl, forSTARTTLS, flags, tlsFlags); + if (NS_FAILED(rv)) { + PR_Close(sock); + return rv; + } + + *fd = sock; + return NS_OK; +} + +static PRFileDesc* nsSSLIOLayerImportFD(PRFileDesc* fd, + NSSSocketControl* infoObject, + const char* host, bool haveHTTPSProxy) { + // Memory allocated here is released when fd is closed, regardless of the + // success of this function. + PRFileDesc* sslSock = SSL_ImportFD(nullptr, fd); + if (!sslSock) { + return nullptr; + } + if (SSL_SetPKCS11PinArg(sslSock, infoObject) != SECSuccess) { + return nullptr; + } + if (SSL_HandshakeCallback(sslSock, HandshakeCallback, infoObject) != + SECSuccess) { + return nullptr; + } + if (SSL_SecretCallback(sslSock, SecretCallback, infoObject) != SECSuccess) { + return nullptr; + } + if (SSL_SetCanFalseStartCallback(sslSock, CanFalseStartCallback, + infoObject) != SECSuccess) { + return nullptr; + } + + // Disable this hook if we connect anonymously. See bug 466080. + uint32_t flags = infoObject->GetProviderFlags(); + SSLGetClientAuthData clientAuthDataHook = SSLGetClientAuthDataHook; + // Provide the client cert to HTTPS proxy no matter if it is anonymous. + if (flags & nsISocketProvider::ANONYMOUS_CONNECT && !haveHTTPSProxy && + !(flags & nsISocketProvider::ANONYMOUS_CONNECT_ALLOW_CLIENT_CERT)) { + clientAuthDataHook = nullptr; + } + if (SSL_GetClientAuthDataHook(sslSock, clientAuthDataHook, infoObject) != + SECSuccess) { + return nullptr; + } + + if (SSL_AuthCertificateHook(sslSock, AuthCertificateHook, infoObject) != + SECSuccess) { + return nullptr; + } + if (SSL_SetURL(sslSock, host) != SECSuccess) { + return nullptr; + } + + return sslSock; +} + +// Please change getSignatureName in nsNSSCallbacks.cpp when changing the list +// here. See NOTE at SSL_SignatureSchemePrefSet call site. +static const SSLSignatureScheme sEnabledSignatureSchemes[] = { + ssl_sig_ecdsa_secp256r1_sha256, + ssl_sig_ecdsa_secp384r1_sha384, + ssl_sig_ecdsa_secp521r1_sha512, + ssl_sig_rsa_pss_sha256, + ssl_sig_rsa_pss_sha384, + ssl_sig_rsa_pss_sha512, + ssl_sig_rsa_pkcs1_sha256, + ssl_sig_rsa_pkcs1_sha384, + ssl_sig_rsa_pkcs1_sha512, +#if !defined(EARLY_BETA_OR_EARLIER) + ssl_sig_ecdsa_sha1, +#endif + ssl_sig_rsa_pkcs1_sha1, +}; + +static nsresult nsSSLIOLayerSetOptions(PRFileDesc* fd, bool forSTARTTLS, + bool haveProxy, const char* host, + int32_t port, + NSSSocketControl* infoObject) { + if (forSTARTTLS || haveProxy) { + if (SECSuccess != SSL_OptionSet(fd, SSL_SECURITY, false)) { + return NS_ERROR_FAILURE; + } + } + + SSLVersionRange range; + if (SSL_VersionRangeGet(fd, &range) != SECSuccess) { + return NS_ERROR_FAILURE; + } + + // Set TLS 1.3 compat mode. + if (SECSuccess != SSL_OptionSet(fd, SSL_ENABLE_TLS13_COMPAT_MODE, PR_TRUE)) { + MOZ_LOG(gPIPNSSLog, LogLevel::Error, + ("[%p] nsSSLIOLayerSetOptions: Setting compat mode failed\n", fd)); + } + + // setting TLS max version + uint32_t versionFlags = + getTLSProviderFlagMaxVersion(infoObject->GetProviderTlsFlags()); + if (versionFlags) { + MOZ_LOG( + gPIPNSSLog, LogLevel::Debug, + ("[%p] nsSSLIOLayerSetOptions: version flags %d\n", fd, versionFlags)); + if (versionFlags == kTLSProviderFlagMaxVersion10) { + range.max = SSL_LIBRARY_VERSION_TLS_1_0; + } else if (versionFlags == kTLSProviderFlagMaxVersion11) { + range.max = SSL_LIBRARY_VERSION_TLS_1_1; + } else if (versionFlags == kTLSProviderFlagMaxVersion12) { + range.max = SSL_LIBRARY_VERSION_TLS_1_2; + } else if (versionFlags == kTLSProviderFlagMaxVersion13) { + range.max = SSL_LIBRARY_VERSION_TLS_1_3; + } else { + MOZ_LOG(gPIPNSSLog, LogLevel::Error, + ("[%p] nsSSLIOLayerSetOptions: unknown version flags %d\n", fd, + versionFlags)); + } + } + + if ((infoObject->GetProviderFlags() & nsISocketProvider::BE_CONSERVATIVE) && + (range.max > SSL_LIBRARY_VERSION_TLS_1_2)) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("[%p] nsSSLIOLayerSetOptions: range.max limited to 1.2 due to " + "BE_CONSERVATIVE flag\n", + fd)); + range.max = SSL_LIBRARY_VERSION_TLS_1_2; + } + + uint16_t maxEnabledVersion = range.max; + infoObject->SharedState().IOLayerHelpers().adjustForTLSIntolerance( + infoObject->GetHostName(), infoObject->GetPort(), range); + MOZ_LOG( + gPIPNSSLog, LogLevel::Debug, + ("[%p] nsSSLIOLayerSetOptions: using TLS version range (0x%04x,0x%04x)\n", + fd, static_cast<unsigned int>(range.min), + static_cast<unsigned int>(range.max))); + + // If the user has set their minimum version to something higher than what + // we've now set the maximum to, this will result in an inconsistent version + // range unless we fix it up. This will override their preference, but we only + // do this for sites critical to the operation of the browser (e.g. update + // servers) and telemetry experiments. + if (range.min > range.max) { + range.min = range.max; + } + + if (SSL_VersionRangeSet(fd, &range) != SECSuccess) { + return NS_ERROR_FAILURE; + } + infoObject->SetTLSVersionRange(range); + + // when adjustForTLSIntolerance tweaks the maximum version downward, + // we tell the server using this SCSV so they can detect a downgrade attack + if (range.max < maxEnabledVersion) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("[%p] nsSSLIOLayerSetOptions: enabling TLS_FALLBACK_SCSV\n", fd)); + // Some servers will choke if we send the fallback SCSV with TLS 1.2. + if (range.max < SSL_LIBRARY_VERSION_TLS_1_2) { + if (SECSuccess != SSL_OptionSet(fd, SSL_ENABLE_FALLBACK_SCSV, true)) { + return NS_ERROR_FAILURE; + } + } + // tell NSS the max enabled version to make anti-downgrade effective + if (SECSuccess != SSL_SetDowngradeCheckVersion(fd, maxEnabledVersion)) { + return NS_ERROR_FAILURE; + } + } + + // Enable ECH GREASE if suitable. Has no impact if 'real' ECH is being used. + if (range.max >= SSL_LIBRARY_VERSION_TLS_1_3 && + !(infoObject->GetProviderFlags() & (nsISocketProvider::BE_CONSERVATIVE | + nsISocketProvider::DONT_TRY_ECH)) && + StaticPrefs::security_tls_ech_grease_probability()) { + if ((RandomUint64().valueOr(0) % 100) >= + 100 - StaticPrefs::security_tls_ech_grease_probability()) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("[%p] nsSSLIOLayerSetOptions: enabling TLS ECH Grease\n", fd)); + if (SECSuccess != SSL_EnableTls13GreaseEch(fd, PR_TRUE)) { + return NS_ERROR_FAILURE; + } + // ECH Padding can be between 1 and 255 + if (SECSuccess != + SSL_SetTls13GreaseEchSize( + fd, std::clamp(StaticPrefs::security_tls_ech_grease_size(), 1U, + 255U))) { + return NS_ERROR_FAILURE; + } + infoObject->UpdateEchExtensionStatus(EchExtensionStatus::kGREASE); + } + } + + // Include a modest set of named groups. + // Please change getKeaGroupName in nsNSSCallbacks.cpp when changing the lists + // here. + if (StaticPrefs::security_tls_enable_kyber() && + range.max >= SSL_LIBRARY_VERSION_TLS_1_3 && + !(infoObject->GetProviderFlags() & + (nsISocketProvider::BE_CONSERVATIVE | nsISocketProvider::IS_RETRY))) { + const SSLNamedGroup namedGroups[] = { + ssl_grp_kem_xyber768d00, ssl_grp_ec_curve25519, ssl_grp_ec_secp256r1, + ssl_grp_ec_secp384r1, ssl_grp_ec_secp521r1, ssl_grp_ffdhe_2048, + ssl_grp_ffdhe_3072}; + if (SECSuccess != SSL_NamedGroupConfig(fd, namedGroups, + mozilla::ArrayLength(namedGroups))) { + return NS_ERROR_FAILURE; + } + // This ensures that we send key shares for Xyber768D00, X25519, and P-256 + // in TLS 1.3, so that servers are less likely to use HelloRetryRequest. + if (SECSuccess != SSL_SendAdditionalKeyShares(fd, 2)) { + return NS_ERROR_FAILURE; + } + infoObject->WillSendXyberShare(); + } else { + const SSLNamedGroup namedGroups[] = { + ssl_grp_ec_curve25519, ssl_grp_ec_secp256r1, ssl_grp_ec_secp384r1, + ssl_grp_ec_secp521r1, ssl_grp_ffdhe_2048, ssl_grp_ffdhe_3072}; + // Skip the |ssl_grp_kem_xyber768d00| entry. + if (SECSuccess != SSL_NamedGroupConfig(fd, namedGroups, + mozilla::ArrayLength(namedGroups))) { + return NS_ERROR_FAILURE; + } + // This ensures that we send key shares for X25519 and P-256 in TLS 1.3, so + // that servers are less likely to use HelloRetryRequest. + if (SECSuccess != SSL_SendAdditionalKeyShares(fd, 1)) { + return NS_ERROR_FAILURE; + } + } + + // NOTE: Should this list ever include ssl_sig_rsa_pss_pss_sha* (or should + // it become possible to enable this scheme via a pref), it is required + // to test that a Delegated Credential containing a small-modulus RSA-PSS SPKI + // is properly rejected. NSS will not advertise PKCS1 or RSAE schemes (which + // the |ssl_sig_rsa_pss_*| defines alias, meaning we will not currently accept + // any RSA DC. + if (SECSuccess != SSL_SignatureSchemePrefSet( + fd, sEnabledSignatureSchemes, + mozilla::ArrayLength(sEnabledSignatureSchemes))) { + return NS_ERROR_FAILURE; + } + + bool enabled = infoObject->SharedState().IsOCSPStaplingEnabled(); + if (SECSuccess != SSL_OptionSet(fd, SSL_ENABLE_OCSP_STAPLING, enabled)) { + return NS_ERROR_FAILURE; + } + + bool sctsEnabled = infoObject->SharedState().IsSignedCertTimestampsEnabled(); + if (SECSuccess != + SSL_OptionSet(fd, SSL_ENABLE_SIGNED_CERT_TIMESTAMPS, sctsEnabled)) { + return NS_ERROR_FAILURE; + } + + if (SECSuccess != SSL_OptionSet(fd, SSL_HANDSHAKE_AS_CLIENT, true)) { + return NS_ERROR_FAILURE; + } + +#if defined(__arm__) + if (!mozilla::supports_arm_aes()) { + unsigned int enabledCiphers = 0; + std::vector<uint16_t> ciphers(SSL_GetNumImplementedCiphers()); + + // Returns only the enabled (reflecting prefs) ciphers, ordered + // by their occurence in + // https://hg.mozilla.org/projects/nss/file/a75ea4cdacd95282c6c245ebb849c25e84ccd908/lib/ssl/ssl3con.c#l87 + if (SSL_CipherSuiteOrderGet(fd, ciphers.data(), &enabledCiphers) != + SECSuccess) { + return NS_ERROR_FAILURE; + } + + // On ARM, prefer (TLS_CHACHA20_POLY1305_SHA256) over AES when hardware + // support for AES isn't available. However, it may be disabled. If enabled, + // it will either be element [0] or [1]*. If [0], we're done. If [1], swap + // it with [0] (TLS_AES_128_GCM_SHA256). + // *(assuming the compile-time order remains unchanged) + if (enabledCiphers > 1) { + if (ciphers[0] != TLS_CHACHA20_POLY1305_SHA256 && + ciphers[1] == TLS_CHACHA20_POLY1305_SHA256) { + std::swap(ciphers[0], ciphers[1]); + + if (SSL_CipherSuiteOrderSet(fd, ciphers.data(), enabledCiphers) != + SECSuccess) { + return NS_ERROR_FAILURE; + } + } + } + } +#endif + + // Set the Peer ID so that SSL proxy connections work properly and to + // separate anonymous and/or private browsing connections. + nsAutoCString peerId; + infoObject->GetPeerId(peerId); + if (SECSuccess != SSL_SetSockPeerID(fd, peerId.get())) { + return NS_ERROR_FAILURE; + } + + uint32_t flags = infoObject->GetProviderFlags(); + if (flags & nsISocketProvider::NO_PERMANENT_STORAGE) { + if (SECSuccess != SSL_OptionSet(fd, SSL_ENABLE_SESSION_TICKETS, false) || + SECSuccess != SSL_OptionSet(fd, SSL_NO_CACHE, true)) { + return NS_ERROR_FAILURE; + } + } + + return NS_OK; +} + +SECStatus StoreResumptionToken(PRFileDesc* fd, const PRUint8* resumptionToken, + unsigned int len, void* ctx) { + PRIntn val; + if (SSL_OptionGet(fd, SSL_ENABLE_SESSION_TICKETS, &val) != SECSuccess || + val == 0) { + return SECFailure; + } + + NSSSocketControl* infoObject = (NSSSocketControl*)ctx; + if (!infoObject) { + return SECFailure; + } + + nsAutoCString peerId; + infoObject->GetPeerId(peerId); + if (NS_FAILED( + net::SSLTokensCache::Put(peerId, resumptionToken, len, infoObject))) { + return SECFailure; + } + + return SECSuccess; +} + +nsresult nsSSLIOLayerAddToSocket(int32_t family, const char* host, int32_t port, + nsIProxyInfo* proxy, + const OriginAttributes& originAttributes, + PRFileDesc* fd, + nsITLSSocketControl** tlsSocketControl, + bool forSTARTTLS, uint32_t providerFlags, + uint32_t providerTlsFlags) { + SharedSSLState* sharedState = nullptr; + RefPtr<SharedSSLState> allocatedState; + if (providerTlsFlags) { + allocatedState = new SharedSSLState(providerTlsFlags); + sharedState = allocatedState.get(); + } else { + bool isPrivate = providerFlags & nsISocketProvider::NO_PERMANENT_STORAGE || + originAttributes.mPrivateBrowsingId != + OriginAttributes().mPrivateBrowsingId; + sharedState = isPrivate ? PrivateSSLState() : PublicSSLState(); + } + + RefPtr<NSSSocketControl> infoObject( + new NSSSocketControl(nsDependentCString(host), port, *sharedState, + providerFlags, providerTlsFlags)); + if (!infoObject) { + return NS_ERROR_FAILURE; + } + + infoObject->SetForSTARTTLS(forSTARTTLS); + infoObject->SetOriginAttributes(originAttributes); + if (allocatedState) { + infoObject->SetSharedOwningReference(allocatedState); + } + + bool haveProxy = false; + bool haveHTTPSProxy = false; + if (proxy) { + nsAutoCString proxyHost; + nsresult rv = proxy->GetHost(proxyHost); + if (NS_FAILED(rv)) { + return rv; + } + haveProxy = !proxyHost.IsEmpty(); + nsAutoCString type; + haveHTTPSProxy = haveProxy && NS_SUCCEEDED(proxy->GetType(type)) && + type.EqualsLiteral("https"); + } + + // A plaintext observer shim is inserted so we can observe some protocol + // details without modifying nss + PRFileDesc* plaintextLayer = + PR_CreateIOLayerStub(nsSSLIOLayerHelpers::nsSSLPlaintextLayerIdentity, + &nsSSLIOLayerHelpers::nsSSLPlaintextLayerMethods); + if (!plaintextLayer) { + return NS_ERROR_FAILURE; + } + plaintextLayer->secret = (PRFilePrivate*)infoObject.get(); + if (PR_PushIOLayer(fd, PR_TOP_IO_LAYER, plaintextLayer) != PR_SUCCESS) { + plaintextLayer->dtor(plaintextLayer); + return NS_ERROR_FAILURE; + } + auto plaintextLayerCleanup = MakeScopeExit([&fd] { + // Note that PR_*IOLayer operations may modify the stack of fds, so a + // previously-valid pointer may no longer point to what we think it points + // to after calling PR_PopIOLayer. We must operate on the pointer returned + // by PR_PopIOLayer. + PRFileDesc* plaintextLayer = + PR_PopIOLayer(fd, nsSSLIOLayerHelpers::nsSSLPlaintextLayerIdentity); + if (plaintextLayer) { + plaintextLayer->dtor(plaintextLayer); + } + }); + + PRFileDesc* sslSock = + nsSSLIOLayerImportFD(fd, infoObject, host, haveHTTPSProxy); + if (!sslSock) { + return NS_ERROR_FAILURE; + } + + nsresult rv = nsSSLIOLayerSetOptions(sslSock, forSTARTTLS, haveProxy, host, + port, infoObject); + if (NS_FAILED(rv)) { + return rv; + } + + // Now, layer ourselves on top of the SSL socket... + PRFileDesc* layer = + PR_CreateIOLayerStub(nsSSLIOLayerHelpers::nsSSLIOLayerIdentity, + &nsSSLIOLayerHelpers::nsSSLIOLayerMethods); + if (!layer) { + return NS_ERROR_FAILURE; + } + // Give the layer an owning reference to the NSSSocketControl. + // This is the simplest way to prevent the layer from outliving the + // NSSSocketControl (otherwise, the layer could potentially use it in + // nsSSLIOLayerClose after it has been released). + // nsSSLIOLayerClose takes the owning reference when the underlying fd gets + // closed. If the fd never gets closed (as in, leaks), the NSSSocketControl + // will also leak. + layer->secret = (PRFilePrivate*)do_AddRef(infoObject).take(); + + if (PR_PushIOLayer(sslSock, PR_GetLayersIdentity(sslSock), layer) != + PR_SUCCESS) { + layer->dtor(layer); + return NS_ERROR_FAILURE; + } + auto layerCleanup = MakeScopeExit([&fd] { + PRFileDesc* layer = + PR_PopIOLayer(fd, nsSSLIOLayerHelpers::nsSSLIOLayerIdentity); + if (layer) { + layer->dtor(layer); + } + }); + + // We are going use a clear connection first // + if (forSTARTTLS || haveProxy) { + infoObject->SetHandshakeNotPending(); + } + + infoObject->SharedState().NoteSocketCreated(); + + rv = infoObject->SetResumptionTokenFromExternalCache(sslSock); + if (NS_FAILED(rv)) { + return rv; + } + if (SSL_SetResumptionTokenCallback(sslSock, &StoreResumptionToken, + infoObject) != SECSuccess) { + return NS_ERROR_FAILURE; + } + + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("[%p] Socket set up", (void*)sslSock)); + + (void)infoObject->SetFileDescPtr(sslSock); + layerCleanup.release(); + plaintextLayerCleanup.release(); + *tlsSocketControl = infoObject.forget().take(); + return NS_OK; +} + +extern "C" { + +const uint8_t kIPCClientCertsObjectTypeCert = 1; +const uint8_t kIPCClientCertsObjectTypeRSAKey = 2; +const uint8_t kIPCClientCertsObjectTypeECKey = 3; + +// This function is provided to the IPC client certs module so it can cause the +// parent process to find certificates and keys and send identifying +// information about them over IPC. +void DoFindObjects(FindObjectsCallback cb, void* ctx) { + net::SocketProcessChild* socketChild = + net::SocketProcessChild::GetSingleton(); + if (!socketChild) { + return; + } + + RefPtr<IPCClientCertsChild> ipcClientCertsActor( + socketChild->GetIPCClientCertsActor()); + if (!ipcClientCertsActor) { + return; + } + nsTArray<IPCClientCertObject> objects; + if (!ipcClientCertsActor->SendFindObjects(&objects)) { + return; + } + for (const auto& object : objects) { + switch (object.type()) { + case IPCClientCertObject::TECKey: + cb(kIPCClientCertsObjectTypeECKey, object.get_ECKey().params().Length(), + object.get_ECKey().params().Elements(), + object.get_ECKey().cert().Length(), + object.get_ECKey().cert().Elements(), object.get_ECKey().slotType(), + ctx); + break; + case IPCClientCertObject::TRSAKey: + cb(kIPCClientCertsObjectTypeRSAKey, + object.get_RSAKey().modulus().Length(), + object.get_RSAKey().modulus().Elements(), + object.get_RSAKey().cert().Length(), + object.get_RSAKey().cert().Elements(), + object.get_RSAKey().slotType(), ctx); + break; + case IPCClientCertObject::TCertificate: + cb(kIPCClientCertsObjectTypeCert, + object.get_Certificate().der().Length(), + object.get_Certificate().der().Elements(), 0, nullptr, + object.get_Certificate().slotType(), ctx); + break; + default: + MOZ_ASSERT_UNREACHABLE("unhandled IPCClientCertObject type"); + break; + } + } +} + +// This function is provided to the IPC client certs module so it can cause the +// parent process to sign the given data using the key corresponding to the +// given certificate, using the given parameters. +void DoSign(size_t cert_len, const uint8_t* cert, size_t data_len, + const uint8_t* data, size_t params_len, const uint8_t* params, + SignCallback cb, void* ctx) { + net::SocketProcessChild* socketChild = + net::SocketProcessChild::GetSingleton(); + if (!socketChild) { + return; + } + + RefPtr<IPCClientCertsChild> ipcClientCertsActor( + socketChild->GetIPCClientCertsActor()); + if (!ipcClientCertsActor) { + return; + } + ByteArray certBytes(nsTArray<uint8_t>(cert, cert_len)); + ByteArray dataBytes(nsTArray<uint8_t>(data, data_len)); + ByteArray paramsBytes(nsTArray<uint8_t>(params, params_len)); + ByteArray signature; + if (!ipcClientCertsActor->SendSign(certBytes, dataBytes, paramsBytes, + &signature)) { + return; + } + cb(signature.data().Length(), signature.data().Elements(), ctx); +} +} // extern "C" diff --git a/security/manager/ssl/nsNSSIOLayer.h b/security/manager/ssl/nsNSSIOLayer.h new file mode 100644 index 0000000000..c819889257 --- /dev/null +++ b/security/manager/ssl/nsNSSIOLayer.h @@ -0,0 +1,134 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef nsNSSIOLayer_h +#define nsNSSIOLayer_h + +#include "mozilla/Assertions.h" +#include "mozilla/TimeStamp.h" +#include "mozilla/UniquePtr.h" +#include "nsCOMPtr.h" +#include "nsIProxyInfo.h" +#include "nsITLSSocketControl.h" +#include "nsITlsHandshakeListener.h" +#include "nsNSSCertificate.h" +#include "nsTHashMap.h" +#include "nsTHashtable.h" +#include "sslt.h" + +namespace mozilla { +class OriginAttributes; +namespace psm { +class SharedSSLState; +} // namespace psm +} // namespace mozilla + +const uint32_t kIPCClientCertsSlotTypeModern = 1; +const uint32_t kIPCClientCertsSlotTypeLegacy = 2; + +using mozilla::OriginAttributes; + +class nsIObserver; + +// Order matters for UpdateEchExtensioNStatus. +enum class EchExtensionStatus { + kNotPresent, // No ECH Extension was sent + kGREASE, // A GREASE ECH Extension was sent + kReal // A 'real' ECH Extension was sent +}; + +class nsSSLIOLayerHelpers { + public: + explicit nsSSLIOLayerHelpers(uint32_t aTlsFlags = 0); + ~nsSSLIOLayerHelpers(); + + nsresult Init(); + void Cleanup(); + + static bool nsSSLIOLayerInitialized; + static PRDescIdentity nsSSLIOLayerIdentity; + static PRDescIdentity nsSSLPlaintextLayerIdentity; + static PRIOMethods nsSSLIOLayerMethods; + static PRIOMethods nsSSLPlaintextLayerMethods; + + bool mTreatUnsafeNegotiationAsBroken; + + void setTreatUnsafeNegotiationAsBroken(bool broken); + bool treatUnsafeNegotiationAsBroken(); + + private: + struct IntoleranceEntry { + uint16_t tolerant; + uint16_t intolerant; + PRErrorCode intoleranceReason; + + void AssertInvariant() const { + MOZ_ASSERT(intolerant == 0 || tolerant < intolerant); + } + }; + nsTHashMap<nsCStringHashKey, IntoleranceEntry> mTLSIntoleranceInfo; + // Sites that require insecure fallback to TLS 1.0, set by the pref + // security.tls.insecure_fallback_hosts, which is a comma-delimited + // list of domain names. + nsTHashtable<nsCStringHashKey> mInsecureFallbackSites; + + public: + void rememberTolerantAtVersion(const nsACString& hostname, int16_t port, + uint16_t tolerant); + bool fallbackLimitReached(const nsACString& hostname, uint16_t intolerant); + bool rememberIntolerantAtVersion(const nsACString& hostname, int16_t port, + uint16_t intolerant, uint16_t minVersion, + PRErrorCode intoleranceReason); + void forgetIntolerance(const nsACString& hostname, int16_t port); + void adjustForTLSIntolerance(const nsACString& hostname, int16_t port, + /*in/out*/ SSLVersionRange& range); + PRErrorCode getIntoleranceReason(const nsACString& hostname, int16_t port); + + void clearStoredData(); + void loadVersionFallbackLimit(); + void setInsecureFallbackSites(const nsCString& str); + void initInsecureFallbackSites(); + bool isPublic() const; + void removeInsecureFallbackSite(const nsACString& hostname, uint16_t port); + bool isInsecureFallbackSite(const nsACString& hostname); + + uint16_t mVersionFallbackLimit; + + private: + mozilla::Mutex mutex MOZ_UNANNOTATED; + nsCOMPtr<nsIObserver> mPrefObserver; + uint32_t mTlsFlags; +}; + +nsresult nsSSLIOLayerNewSocket(int32_t family, const char* host, int32_t port, + nsIProxyInfo* proxy, + const OriginAttributes& originAttributes, + PRFileDesc** fd, + nsITLSSocketControl** tlsSocketControl, + bool forSTARTTLS, uint32_t flags, + uint32_t tlsFlags); + +nsresult nsSSLIOLayerAddToSocket(int32_t family, const char* host, int32_t port, + nsIProxyInfo* proxy, + const OriginAttributes& originAttributes, + PRFileDesc* fd, + nsITLSSocketControl** tlsSocketControl, + bool forSTARTTLS, uint32_t flags, + uint32_t tlsFlags); + +extern "C" { +using FindObjectsCallback = void (*)(uint8_t type, size_t id_len, + const uint8_t* id, size_t data_len, + const uint8_t* data, uint32_t slotType, + void* ctx); +void DoFindObjects(FindObjectsCallback cb, void* ctx); +using SignCallback = void (*)(size_t data_len, const uint8_t* data, void* ctx); +void DoSign(size_t cert_len, const uint8_t* cert, size_t data_len, + const uint8_t* data, size_t params_len, const uint8_t* params, + SignCallback cb, void* ctx); +} + +#endif // nsNSSIOLayer_h diff --git a/security/manager/ssl/nsNSSModule.cpp b/security/manager/ssl/nsNSSModule.cpp new file mode 100644 index 0000000000..ec62d25fc7 --- /dev/null +++ b/security/manager/ssl/nsNSSModule.cpp @@ -0,0 +1,107 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsNSSModule.h" + +#include "ContentSignatureVerifier.h" +#include "OSKeyStore.h" +#include "OSReauthenticator.h" +#include "PKCS11ModuleDB.h" +#include "SecretDecoderRing.h" +#include "mozilla/MacroArgs.h" +#include "mozilla/ModuleUtils.h" +#include "mozilla/SyncRunnable.h" +#include "nsCertTree.h" +#include "nsNSSCertificateDB.h" +#include "nsPK11TokenDB.h" +#include "nsRandomGenerator.h" +#include "nsXULAppAPI.h" + +namespace mozilla { +namespace psm { + +// Many of the implementations in this module call NSS functions and as a result +// require that PSM has successfully initialized NSS before being used. +// Additionally, some of the implementations have various restrictions on which +// process and threads they can be used on (e.g. some can only be used in the +// parent process and some must be initialized only on the main thread). +// The following initialization framework allows these requirements to be +// succinctly expressed and implemented. + +template <class InstanceClass, nsresult (InstanceClass::*InitMethod)()> +MOZ_ALWAYS_INLINE static nsresult Instantiate(REFNSIID aIID, void** aResult) { + InstanceClass* inst = new InstanceClass(); + NS_ADDREF(inst); + nsresult rv = InitMethod != nullptr ? (inst->*InitMethod)() : NS_OK; + if (NS_SUCCEEDED(rv)) { + rv = inst->QueryInterface(aIID, aResult); + } + NS_RELEASE(inst); + return rv; +} + +enum class ThreadRestriction { + // must be initialized on the main thread (but can be used on any thread) + MainThreadOnly, + // can be initialized and used on any thread + AnyThread, +}; + +enum class ProcessRestriction { + ParentProcessOnly, + AnyProcess, +}; + +template <class InstanceClass, + nsresult (InstanceClass::*InitMethod)() = nullptr, + ProcessRestriction processRestriction = + ProcessRestriction::ParentProcessOnly, + ThreadRestriction threadRestriction = ThreadRestriction::AnyThread> +static nsresult Constructor(REFNSIID aIID, void** aResult) { + *aResult = nullptr; + + if (processRestriction == ProcessRestriction::ParentProcessOnly && + !XRE_IsParentProcess()) { + return NS_ERROR_NOT_AVAILABLE; + } + + if (!EnsureNSSInitializedChromeOrContent()) { + return NS_ERROR_FAILURE; + } + + if (threadRestriction == ThreadRestriction::MainThreadOnly && + !NS_IsMainThread()) { + return NS_ERROR_NOT_SAME_THREAD; + } + + return Instantiate<InstanceClass, InitMethod>(aIID, aResult); +} + +#define IMPL(type, ...) \ + template <> \ + nsresult NSSConstructor<type>(const nsIID& aIID, void** aResult) { \ + return Constructor<type, __VA_ARGS__>(aIID, aResult); \ + } + +// Components that require main thread initialization could cause a deadlock +// in necko code (bug 1418752). To prevent it we initialize all such components +// on main thread in advance in net_EnsurePSMInit(). Update that function when +// new component with ThreadRestriction::MainThreadOnly is added. +IMPL(SecretDecoderRing, nullptr) +IMPL(nsPK11TokenDB, nullptr) +IMPL(PKCS11ModuleDB, nullptr) +IMPL(nsNSSCertificateDB, nullptr) +IMPL(nsCertTree, nullptr) +IMPL(ContentSignatureVerifier, nullptr) +IMPL(nsRandomGenerator, nullptr, ProcessRestriction::AnyProcess) +IMPL(OSKeyStore, nullptr, ProcessRestriction::ParentProcessOnly, + ThreadRestriction::MainThreadOnly) +IMPL(OSReauthenticator, nullptr, ProcessRestriction::ParentProcessOnly, + ThreadRestriction::MainThreadOnly) +#undef IMPL + +} // namespace psm +} // namespace mozilla diff --git a/security/manager/ssl/nsNSSModule.h b/security/manager/ssl/nsNSSModule.h new file mode 100644 index 0000000000..85d2c74209 --- /dev/null +++ b/security/manager/ssl/nsNSSModule.h @@ -0,0 +1,21 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef nsNSSModule_h +#define nsNSSModule_h + +#include "nsID.h" + +class nsISupports; + +namespace mozilla { +namespace psm { +template <typename T> +nsresult NSSConstructor(const nsIID& aIID, void** aInstancePtr); +} +} // namespace mozilla + +#endif // nsNSSModule_h diff --git a/security/manager/ssl/nsNSSVersion.cpp b/security/manager/ssl/nsNSSVersion.cpp new file mode 100644 index 0000000000..4ad5046a96 --- /dev/null +++ b/security/manager/ssl/nsNSSVersion.cpp @@ -0,0 +1,78 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsNSSVersion.h" +#include "nsString.h" +#include "prinit.h" +#include "nss.h" +#include "nssutil.h" +#include "ssl.h" +#include "smime.h" + +NS_IMPL_ISUPPORTS(nsNSSVersion, nsINSSVersion) + +nsNSSVersion::nsNSSVersion() = default; + +nsNSSVersion::~nsNSSVersion() = default; + +NS_IMETHODIMP +nsNSSVersion::GetNSPR_Version(nsAString& v) { + v.AssignASCII(PR_GetVersion()); + return NS_OK; +} + +NS_IMETHODIMP +nsNSSVersion::GetNSS_Version(nsAString& v) { + v.AssignASCII(NSS_GetVersion()); + return NS_OK; +} + +NS_IMETHODIMP +nsNSSVersion::GetNSSUTIL_Version(nsAString& v) { + v.AssignASCII(NSSUTIL_GetVersion()); + return NS_OK; +} + +NS_IMETHODIMP +nsNSSVersion::GetNSSSSL_Version(nsAString& v) { + v.AssignASCII(NSSSSL_GetVersion()); + return NS_OK; +} + +NS_IMETHODIMP +nsNSSVersion::GetNSSSMIME_Version(nsAString& v) { + v.AssignASCII(NSSSMIME_GetVersion()); + return NS_OK; +} + +NS_IMETHODIMP +nsNSSVersion::GetNSPR_MinVersion(nsAString& v) { + v.AssignLiteral(PR_VERSION); + return NS_OK; +} + +NS_IMETHODIMP +nsNSSVersion::GetNSS_MinVersion(nsAString& v) { + v.AssignLiteral(NSS_VERSION); + return NS_OK; +} + +NS_IMETHODIMP +nsNSSVersion::GetNSSUTIL_MinVersion(nsAString& v) { + v.AssignLiteral(NSSUTIL_VERSION); + return NS_OK; +} + +NS_IMETHODIMP +nsNSSVersion::GetNSSSSL_MinVersion(nsAString& v) { + v.AssignLiteral(NSS_VERSION); + return NS_OK; +} + +NS_IMETHODIMP +nsNSSVersion::GetNSSSMIME_MinVersion(nsAString& v) { + v.AssignLiteral(NSS_VERSION); + return NS_OK; +} diff --git a/security/manager/ssl/nsNSSVersion.h b/security/manager/ssl/nsNSSVersion.h new file mode 100644 index 0000000000..de8dc15dd3 --- /dev/null +++ b/security/manager/ssl/nsNSSVersion.h @@ -0,0 +1,30 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef _NS_NSSVERSION_H_ +#define _NS_NSSVERSION_H_ + +#include "nsINSSVersion.h" +#include "mozilla/Attributes.h" + +class nsNSSVersion final : public nsINSSVersion { + public: + NS_DECL_ISUPPORTS + NS_DECL_NSINSSVERSION + + nsNSSVersion(); + + private: + ~nsNSSVersion(); +}; + +#define NS_NSSVERSION_CID \ + { \ + 0x23ad3531, 0x11d2, 0x4e8e, { \ + 0x80, 0x5a, 0x6a, 0x75, 0x2e, 0x91, 0x68, 0x1a \ + } \ + } + +#endif diff --git a/security/manager/ssl/nsNTLMAuthModule.cpp b/security/manager/ssl/nsNTLMAuthModule.cpp new file mode 100644 index 0000000000..0bb9452548 --- /dev/null +++ b/security/manager/ssl/nsNTLMAuthModule.cpp @@ -0,0 +1,1040 @@ +/* vim:set ts=2 sw=2 et cindent: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsNTLMAuthModule.h" + +#include <time.h> + +#include "ScopedNSSTypes.h" +#include "md4.h" +#include "mozilla/Assertions.h" +#include "mozilla/Base64.h" +#include "mozilla/Casting.h" +#include "mozilla/CheckedInt.h" +#include "mozilla/EndianUtils.h" +#include "mozilla/Likely.h" +#include "mozilla/Logging.h" +#include "mozilla/Preferences.h" +#include "mozilla/Sprintf.h" +#include "mozilla/StaticPrefs_network.h" +#include "mozilla/Telemetry.h" +#include "nsCOMPtr.h" +#include "nsComponentManagerUtils.h" +#include "nsICryptoHash.h" +#include "nsNativeCharsetUtils.h" +#include "nsNetCID.h" +#include "nsUnicharUtils.h" +#include "pk11pub.h" +#include "prsystem.h" + +static mozilla::LazyLogModule sNTLMLog("NTLM"); + +#define LOG(x) MOZ_LOG(sNTLMLog, mozilla::LogLevel::Debug, x) +#define LOG_ENABLED() MOZ_LOG_TEST(sNTLMLog, mozilla::LogLevel::Debug) + +static void des_makekey(const uint8_t* raw, uint8_t* key); +static void des_encrypt(const uint8_t* key, const uint8_t* src, uint8_t* hash); + +//----------------------------------------------------------------------------- +// this file contains a cross-platform NTLM authentication implementation. it +// is based on documentation from: http://davenport.sourceforge.net/ntlm.html +//----------------------------------------------------------------------------- + +#define NTLM_NegotiateUnicode 0x00000001 +#define NTLM_NegotiateOEM 0x00000002 +#define NTLM_RequestTarget 0x00000004 +#define NTLM_Unknown1 0x00000008 +#define NTLM_NegotiateSign 0x00000010 +#define NTLM_NegotiateSeal 0x00000020 +#define NTLM_NegotiateDatagramStyle 0x00000040 +#define NTLM_NegotiateLanManagerKey 0x00000080 +#define NTLM_NegotiateNetware 0x00000100 +#define NTLM_NegotiateNTLMKey 0x00000200 +#define NTLM_Unknown2 0x00000400 +#define NTLM_Unknown3 0x00000800 +#define NTLM_NegotiateDomainSupplied 0x00001000 +#define NTLM_NegotiateWorkstationSupplied 0x00002000 +#define NTLM_NegotiateLocalCall 0x00004000 +#define NTLM_NegotiateAlwaysSign 0x00008000 +#define NTLM_TargetTypeDomain 0x00010000 +#define NTLM_TargetTypeServer 0x00020000 +#define NTLM_TargetTypeShare 0x00040000 +#define NTLM_NegotiateNTLM2Key 0x00080000 +#define NTLM_RequestInitResponse 0x00100000 +#define NTLM_RequestAcceptResponse 0x00200000 +#define NTLM_RequestNonNTSessionKey 0x00400000 +#define NTLM_NegotiateTargetInfo 0x00800000 +#define NTLM_Unknown4 0x01000000 +#define NTLM_Unknown5 0x02000000 +#define NTLM_Unknown6 0x04000000 +#define NTLM_Unknown7 0x08000000 +#define NTLM_Unknown8 0x10000000 +#define NTLM_Negotiate128 0x20000000 +#define NTLM_NegotiateKeyExchange 0x40000000 +#define NTLM_Negotiate56 0x80000000 + +// we send these flags with our type 1 message +#define NTLM_TYPE1_FLAGS \ + (NTLM_NegotiateUnicode | NTLM_NegotiateOEM | NTLM_RequestTarget | \ + NTLM_NegotiateNTLMKey | NTLM_NegotiateAlwaysSign | NTLM_NegotiateNTLM2Key) + +static const char NTLM_SIGNATURE[] = "NTLMSSP"; +static const char NTLM_TYPE1_MARKER[] = {0x01, 0x00, 0x00, 0x00}; +static const char NTLM_TYPE2_MARKER[] = {0x02, 0x00, 0x00, 0x00}; +static const char NTLM_TYPE3_MARKER[] = {0x03, 0x00, 0x00, 0x00}; + +#define NTLM_TYPE1_HEADER_LEN 32 +#define NTLM_TYPE2_HEADER_LEN 48 +#define NTLM_TYPE3_HEADER_LEN 64 + +/** + * We don't actually send a LM response, but we still have to send something in + * this spot + */ +#define LM_RESP_LEN 24 + +#define NTLM_CHAL_LEN 8 + +#define NTLM_HASH_LEN 16 +#define NTLMv2_HASH_LEN 16 +#define NTLM_RESP_LEN 24 +#define NTLMv2_RESP_LEN 16 +#define NTLMv2_BLOB1_LEN 28 + +//----------------------------------------------------------------------------- + +/** + * Prints a description of flags to the NSPR Log, if enabled. + */ +static void LogFlags(uint32_t flags) { + if (!LOG_ENABLED()) return; +#define TEST(_flag) \ + if (flags & NTLM_##_flag) \ + PR_LogPrint(" 0x%08x (" #_flag ")\n", NTLM_##_flag) + + TEST(NegotiateUnicode); + TEST(NegotiateOEM); + TEST(RequestTarget); + TEST(Unknown1); + TEST(NegotiateSign); + TEST(NegotiateSeal); + TEST(NegotiateDatagramStyle); + TEST(NegotiateLanManagerKey); + TEST(NegotiateNetware); + TEST(NegotiateNTLMKey); + TEST(Unknown2); + TEST(Unknown3); + TEST(NegotiateDomainSupplied); + TEST(NegotiateWorkstationSupplied); + TEST(NegotiateLocalCall); + TEST(NegotiateAlwaysSign); + TEST(TargetTypeDomain); + TEST(TargetTypeServer); + TEST(TargetTypeShare); + TEST(NegotiateNTLM2Key); + TEST(RequestInitResponse); + TEST(RequestAcceptResponse); + TEST(RequestNonNTSessionKey); + TEST(NegotiateTargetInfo); + TEST(Unknown4); + TEST(Unknown5); + TEST(Unknown6); + TEST(Unknown7); + TEST(Unknown8); + TEST(Negotiate128); + TEST(NegotiateKeyExchange); + TEST(Negotiate56); + +#undef TEST +} + +/** + * Prints a hexdump of buf to the NSPR Log, if enabled. + * @param tag Description of the data, will be printed in front of the data + * @param buf the data to print + * @param bufLen length of the data + */ +static void LogBuf(const char* tag, const uint8_t* buf, uint32_t bufLen) { + int i; + + if (!LOG_ENABLED()) return; + + PR_LogPrint("%s =\n", tag); + char line[80]; + while (bufLen > 0) { + int count = bufLen; + if (count > 8) count = 8; + + strcpy(line, " "); + for (i = 0; i < count; ++i) { + int len = strlen(line); + snprintf(line + len, sizeof(line) - len, "0x%02x ", int(buf[i])); + } + for (; i < 8; ++i) { + int len = strlen(line); + snprintf(line + len, sizeof(line) - len, " "); + } + + int len = strlen(line); + snprintf(line + len, sizeof(line) - len, " "); + for (i = 0; i < count; ++i) { + len = strlen(line); + if (isprint(buf[i])) { + snprintf(line + len, sizeof(line) - len, "%c", buf[i]); + } else { + snprintf(line + len, sizeof(line) - len, "."); + } + } + PR_LogPrint("%s\n", line); + + bufLen -= count; + buf += count; + } +} + +/** + * Print base64-encoded token to the NSPR Log. + * @param name Description of the token, will be printed in front + * @param token The token to print + * @param tokenLen length of the data in token + */ +static void LogToken(const char* name, const void* token, uint32_t tokenLen) { + if (!LOG_ENABLED()) { + return; + } + + nsDependentCSubstring tokenString(static_cast<const char*>(token), tokenLen); + nsAutoCString base64Token; + nsresult rv = mozilla::Base64Encode(tokenString, base64Token); + if (NS_FAILED(rv)) { + return; + } + + PR_LogPrint("%s: %s\n", name, base64Token.get()); +} + +//----------------------------------------------------------------------------- + +// byte order swapping +#define SWAP16(x) ((((x) & 0xff) << 8) | (((x) >> 8) & 0xff)) +#define SWAP32(x) ((SWAP16((x) & 0xffff) << 16) | (SWAP16((x) >> 16))) + +static void* WriteBytes(void* buf, const void* data, uint32_t dataLen) { + memcpy(buf, data, dataLen); + return (uint8_t*)buf + dataLen; +} + +static void* WriteDWORD(void* buf, uint32_t dword) { +#ifdef IS_BIG_ENDIAN + // NTLM uses little endian on the wire + dword = SWAP32(dword); +#endif + return WriteBytes(buf, &dword, sizeof(dword)); +} + +static void* WriteSecBuf(void* buf, uint16_t length, uint32_t offset) { +#ifdef IS_BIG_ENDIAN + length = SWAP16(length); + offset = SWAP32(offset); +#endif + buf = WriteBytes(buf, &length, sizeof(length)); + buf = WriteBytes(buf, &length, sizeof(length)); + buf = WriteBytes(buf, &offset, sizeof(offset)); + return buf; +} + +#ifdef IS_BIG_ENDIAN +/** + * WriteUnicodeLE copies a unicode string from one buffer to another. The + * resulting unicode string is in little-endian format. The input string is + * assumed to be in the native endianness of the local machine. It is safe + * to pass the same buffer as both input and output, which is a handy way to + * convert the unicode buffer to little-endian on big-endian platforms. + */ +static void* WriteUnicodeLE(void* buf, const char16_t* str, uint32_t strLen) { + // convert input string from BE to LE + uint8_t *cursor = (uint8_t*)buf, *input = (uint8_t*)str; + for (uint32_t i = 0; i < strLen; ++i, input += 2, cursor += 2) { + // allow for the case where |buf == str| + uint8_t temp = input[0]; + cursor[0] = input[1]; + cursor[1] = temp; + } + return buf; +} +#endif + +static uint16_t ReadUint16(const uint8_t*& buf) { + uint16_t x = ((uint16_t)buf[0]) | ((uint16_t)buf[1] << 8); + buf += sizeof(x); + return x; +} + +static uint32_t ReadUint32(const uint8_t*& buf) { + uint32_t x = ((uint32_t)buf[0]) | (((uint32_t)buf[1]) << 8) | + (((uint32_t)buf[2]) << 16) | (((uint32_t)buf[3]) << 24); + buf += sizeof(x); + return x; +} + +//----------------------------------------------------------------------------- + +static void ZapBuf(void* buf, size_t bufLen) { memset(buf, 0, bufLen); } + +static void ZapString(nsString& s) { ZapBuf(s.BeginWriting(), s.Length() * 2); } + +/** + * NTLM_Hash computes the NTLM hash of the given password. + * + * @param password + * null-terminated unicode password. + * @param hash + * 16-byte result buffer + */ +static void NTLM_Hash(const nsString& password, unsigned char* hash) { + uint32_t len = password.Length(); + uint8_t* passbuf; + +#ifdef IS_BIG_ENDIAN + passbuf = (uint8_t*)malloc(len * 2); + WriteUnicodeLE(passbuf, password.get(), len); +#else + passbuf = (uint8_t*)password.get(); +#endif + + md4sum(passbuf, len * 2, hash); + +#ifdef IS_BIG_ENDIAN + ZapBuf(passbuf, len * 2); + free(passbuf); +#endif +} + +//----------------------------------------------------------------------------- + +/** + * LM_Response generates the LM response given a 16-byte password hash and the + * challenge from the Type-2 message. + * + * @param hash + * 16-byte password hash + * @param challenge + * 8-byte challenge from Type-2 message + * @param response + * 24-byte buffer to contain the LM response upon return + */ +static void LM_Response(const uint8_t* hash, const uint8_t* challenge, + uint8_t* response) { + uint8_t keybytes[21], k1[8], k2[8], k3[8]; + + memcpy(keybytes, hash, 16); + ZapBuf(keybytes + 16, 5); + + des_makekey(keybytes, k1); + des_makekey(keybytes + 7, k2); + des_makekey(keybytes + 14, k3); + + des_encrypt(k1, challenge, response); + des_encrypt(k2, challenge, response + 8); + des_encrypt(k3, challenge, response + 16); +} + +//----------------------------------------------------------------------------- + +static nsresult GenerateType1Msg(void** outBuf, uint32_t* outLen) { + // + // verify that bufLen is sufficient + // + *outLen = NTLM_TYPE1_HEADER_LEN; + *outBuf = moz_xmalloc(*outLen); + + // + // write out type 1 msg + // + void* cursor = *outBuf; + + // 0 : signature + cursor = WriteBytes(cursor, NTLM_SIGNATURE, sizeof(NTLM_SIGNATURE)); + + // 8 : marker + cursor = WriteBytes(cursor, NTLM_TYPE1_MARKER, sizeof(NTLM_TYPE1_MARKER)); + + // 12 : flags + cursor = WriteDWORD(cursor, NTLM_TYPE1_FLAGS); + + // + // NOTE: it is common for the domain and workstation fields to be empty. + // this is true of Win2k clients, and my guess is that there is + // little utility to sending these strings before the charset has + // been negotiated. we follow suite -- anyways, it doesn't hurt + // to save some bytes on the wire ;-) + // + + // 16 : supplied domain security buffer (empty) + cursor = WriteSecBuf(cursor, 0, 0); + + // 24 : supplied workstation security buffer (empty) + cursor = WriteSecBuf(cursor, 0, 0); + + return NS_OK; +} + +struct Type2Msg { + uint32_t flags; // NTLM_Xxx bitwise combination + uint8_t challenge[NTLM_CHAL_LEN]; // 8 byte challenge + const uint8_t* target; // target string (type depends on flags) + uint32_t targetLen; // target length in bytes + const uint8_t* + targetInfo; // target Attribute-Value pairs (DNS domain, et al) + uint32_t targetInfoLen; // target AV pairs length in bytes +}; + +static nsresult ParseType2Msg(const void* inBuf, uint32_t inLen, + Type2Msg* msg) { + // make sure inBuf is long enough to contain a meaningful type2 msg. + // + // 0 NTLMSSP Signature + // 8 NTLM Message Type + // 12 Target Name + // 20 Flags + // 24 Challenge + // 32 targetInfo + // 48 start of optional data blocks + // + if (inLen < NTLM_TYPE2_HEADER_LEN) return NS_ERROR_UNEXPECTED; + + const auto* cursor = static_cast<const uint8_t*>(inBuf); + + // verify NTLMSSP signature + if (memcmp(cursor, NTLM_SIGNATURE, sizeof(NTLM_SIGNATURE)) != 0) { + return NS_ERROR_UNEXPECTED; + } + + cursor += sizeof(NTLM_SIGNATURE); + + // verify Type-2 marker + if (memcmp(cursor, NTLM_TYPE2_MARKER, sizeof(NTLM_TYPE2_MARKER)) != 0) { + return NS_ERROR_UNEXPECTED; + } + + cursor += sizeof(NTLM_TYPE2_MARKER); + + // Read target name security buffer: ... + // ... read target length. + uint32_t targetLen = ReadUint16(cursor); + // ... skip next 16-bit "allocated space" value. + ReadUint16(cursor); + // ... read offset from inBuf. + uint32_t offset = ReadUint32(cursor); + mozilla::CheckedInt<uint32_t> targetEnd = offset; + targetEnd += targetLen; + // Check the offset / length combo is in range of the input buffer, including + // integer overflow checking. + if (MOZ_LIKELY(targetEnd.isValid() && targetEnd.value() <= inLen)) { + msg->targetLen = targetLen; + msg->target = static_cast<const uint8_t*>(inBuf) + offset; + } else { + // Do not error out, for (conservative) backward compatibility. + msg->targetLen = 0; + msg->target = nullptr; + } + + // read flags + msg->flags = ReadUint32(cursor); + + // read challenge + memcpy(msg->challenge, cursor, sizeof(msg->challenge)); + cursor += sizeof(msg->challenge); + + LOG(("NTLM type 2 message:\n")); + LogBuf("target", msg->target, msg->targetLen); + LogBuf("flags", + mozilla::BitwiseCast<const uint8_t*, const uint32_t*>(&msg->flags), 4); + LogFlags(msg->flags); + LogBuf("challenge", msg->challenge, sizeof(msg->challenge)); + + // Read (and skip) the reserved field + ReadUint32(cursor); + ReadUint32(cursor); + // Read target name security buffer: ... + // ... read target length. + uint32_t targetInfoLen = ReadUint16(cursor); + // ... skip next 16-bit "allocated space" value. + ReadUint16(cursor); + // ... read offset from inBuf. + offset = ReadUint32(cursor); + mozilla::CheckedInt<uint32_t> targetInfoEnd = offset; + targetInfoEnd += targetInfoLen; + // Check the offset / length combo is in range of the input buffer, including + // integer overflow checking. + if (MOZ_LIKELY(targetInfoEnd.isValid() && targetInfoEnd.value() <= inLen)) { + msg->targetInfoLen = targetInfoLen; + msg->targetInfo = static_cast<const uint8_t*>(inBuf) + offset; + } else { + NS_ERROR("failed to get NTLMv2 target info"); + return NS_ERROR_UNEXPECTED; + } + + return NS_OK; +} + +static nsresult GenerateType3Msg(const nsString& domain, + const nsString& username, + const nsString& password, const void* inBuf, + uint32_t inLen, void** outBuf, + uint32_t* outLen) { + // inBuf contains Type-2 msg (the challenge) from server + MOZ_ASSERT(NS_IsMainThread()); + nsresult rv; + Type2Msg msg{}; + + rv = ParseType2Msg(inBuf, inLen, &msg); + if (NS_FAILED(rv)) return rv; + + bool unicode = (msg.flags & NTLM_NegotiateUnicode); + + // There is no negotiation for NTLMv2, so we just do it unless we are forced + // by explict user configuration to use the older DES-based cryptography. + bool ntlmv2 = !mozilla::StaticPrefs::network_auth_force_generic_ntlm_v1(); + + // temporary buffers for unicode strings +#ifdef IS_BIG_ENDIAN + nsAutoString ucsDomainBuf, ucsUserBuf; +#endif + nsAutoCString hostBuf; + nsAutoString ucsHostBuf; + // temporary buffers for oem strings + nsAutoCString oemDomainBuf, oemUserBuf, oemHostBuf; + // pointers and lengths for the string buffers; encoding is unicode if + // the "negotiate unicode" flag was set in the Type-2 message. + const void *domainPtr, *userPtr, *hostPtr; + uint32_t domainLen, userLen, hostLen; + + // This is for NTLM, for NTLMv2 we set the new full length once we know it + mozilla::CheckedInt<uint16_t> ntlmRespLen = NTLM_RESP_LEN; + + // + // get domain name + // + if (unicode) { +#ifdef IS_BIG_ENDIAN + ucsDomainBuf = domain; + domainPtr = ucsDomainBuf.get(); + domainLen = ucsDomainBuf.Length() * 2; + WriteUnicodeLE(const_cast<void*>(domainPtr), + static_cast<const char16_t*>(domainPtr), + ucsDomainBuf.Length()); +#else + domainPtr = domain.get(); + domainLen = domain.Length() * 2; +#endif + } else { + NS_CopyUnicodeToNative(domain, oemDomainBuf); + domainPtr = oemDomainBuf.get(); + domainLen = oemDomainBuf.Length(); + } + + // + // get user name + // + if (unicode) { +#ifdef IS_BIG_ENDIAN + ucsUserBuf = username; + userPtr = ucsUserBuf.get(); + userLen = ucsUserBuf.Length() * 2; + WriteUnicodeLE(const_cast<void*>(userPtr), + static_cast<const char16_t*>(userPtr), ucsUserBuf.Length()); +#else + userPtr = username.get(); + userLen = username.Length() * 2; +#endif + } else { + NS_CopyUnicodeToNative(username, oemUserBuf); + userPtr = oemUserBuf.get(); + userLen = oemUserBuf.Length(); + } + + // + // get workstation name + // (do not use local machine's hostname after bug 1046421) + // + rv = mozilla::Preferences::GetCString("network.generic-ntlm-auth.workstation", + hostBuf); + if (NS_FAILED(rv)) { + return rv; + } + + if (unicode) { + CopyUTF8toUTF16(hostBuf, ucsHostBuf); + hostPtr = ucsHostBuf.get(); + hostLen = ucsHostBuf.Length() * 2; +#ifdef IS_BIG_ENDIAN + WriteUnicodeLE(const_cast<void*>(hostPtr), + static_cast<const char16_t*>(hostPtr), ucsHostBuf.Length()); +#endif + } else { + hostPtr = hostBuf.get(); + hostLen = hostBuf.Length(); + } + + // + // now that we have generated all of the strings, we can allocate outBuf. + // + // + // next, we compute the NTLM or NTLM2 responses. + // + uint8_t lmResp[LM_RESP_LEN]; + uint8_t ntlmResp[NTLM_RESP_LEN]; + uint8_t ntlmv2Resp[NTLMv2_RESP_LEN]; + uint8_t ntlmHash[NTLM_HASH_LEN]; + uint8_t ntlmv2_blob1[NTLMv2_BLOB1_LEN]; + if (ntlmv2) { + // NTLMv2 mode, the default + nsString userUpper, domainUpper; + + // temporary buffers for unicode strings + nsAutoString ucsDomainUpperBuf; + nsAutoString ucsUserUpperBuf; + const void* domainUpperPtr; + const void* userUpperPtr; + uint32_t domainUpperLen; + uint32_t userUpperLen; + + if (msg.targetInfoLen == 0) { + NS_ERROR("failed to get NTLMv2 target info, can not do NTLMv2"); + return NS_ERROR_UNEXPECTED; + } + + ToUpperCase(username, ucsUserUpperBuf); + userUpperPtr = ucsUserUpperBuf.get(); + userUpperLen = ucsUserUpperBuf.Length() * 2; +#ifdef IS_BIG_ENDIAN + WriteUnicodeLE(const_cast<void*>(userUpperPtr), + static_cast<const char16_t*>(userUpperPtr), + ucsUserUpperBuf.Length()); +#endif + ToUpperCase(domain, ucsDomainUpperBuf); + domainUpperPtr = ucsDomainUpperBuf.get(); + domainUpperLen = ucsDomainUpperBuf.Length() * 2; +#ifdef IS_BIG_ENDIAN + WriteUnicodeLE(const_cast<void*>(domainUpperPtr), + static_cast<const char16_t*>(domainUpperPtr), + ucsDomainUpperBuf.Length()); +#endif + + NTLM_Hash(password, ntlmHash); + + mozilla::HMAC ntlmv2HashHmac; + rv = ntlmv2HashHmac.Begin(SEC_OID_MD5, + mozilla::Span(ntlmHash, NTLM_HASH_LEN)); + if (NS_FAILED(rv)) { + return rv; + } + rv = ntlmv2HashHmac.Update(static_cast<const uint8_t*>(userUpperPtr), + userUpperLen); + if (NS_FAILED(rv)) { + return rv; + } + rv = ntlmv2HashHmac.Update(static_cast<const uint8_t*>(domainUpperPtr), + domainUpperLen); + if (NS_FAILED(rv)) { + return rv; + } + nsTArray<uint8_t> ntlmv2Hash; + rv = ntlmv2HashHmac.End(ntlmv2Hash); + if (NS_FAILED(rv)) { + return rv; + } + + uint8_t client_random[NTLM_CHAL_LEN]; + PK11_GenerateRandom(client_random, NTLM_CHAL_LEN); + + mozilla::HMAC lmv2ResponseHmac; + rv = lmv2ResponseHmac.Begin(SEC_OID_MD5, mozilla::Span(ntlmv2Hash)); + if (NS_FAILED(rv)) { + return rv; + } + rv = lmv2ResponseHmac.Update(msg.challenge, NTLM_CHAL_LEN); + if (NS_FAILED(rv)) { + return rv; + } + rv = lmv2ResponseHmac.Update(client_random, NTLM_CHAL_LEN); + if (NS_FAILED(rv)) { + return rv; + } + nsTArray<uint8_t> lmv2Response; + rv = lmv2ResponseHmac.End(lmv2Response); + if (NS_FAILED(rv)) { + return rv; + } + + if (lmv2Response.Length() != NTLMv2_HASH_LEN) { + return NS_ERROR_UNEXPECTED; + } + + memcpy(lmResp, lmv2Response.Elements(), NTLMv2_HASH_LEN); + memcpy(lmResp + NTLMv2_HASH_LEN, client_random, NTLM_CHAL_LEN); + + memset(ntlmv2_blob1, 0, NTLMv2_BLOB1_LEN); + + time_t unix_time; + uint64_t nt_time = time(&unix_time); + nt_time += 11644473600LL; // Number of seconds betwen 1601 and 1970 + nt_time *= 1000 * 1000 * 10; // Convert seconds to 100 ns units + + ntlmv2_blob1[0] = 1; + ntlmv2_blob1[1] = 1; + mozilla::LittleEndian::writeUint64(&ntlmv2_blob1[8], nt_time); + PK11_GenerateRandom(&ntlmv2_blob1[16], NTLM_CHAL_LEN); + + mozilla::HMAC ntlmv2ResponseHmac; + rv = ntlmv2ResponseHmac.Begin(SEC_OID_MD5, mozilla::Span(ntlmv2Hash)); + if (NS_FAILED(rv)) { + return rv; + } + rv = ntlmv2ResponseHmac.Update(msg.challenge, NTLM_CHAL_LEN); + if (NS_FAILED(rv)) { + return rv; + } + rv = ntlmv2ResponseHmac.Update(ntlmv2_blob1, NTLMv2_BLOB1_LEN); + if (NS_FAILED(rv)) { + return rv; + } + rv = ntlmv2ResponseHmac.Update(msg.targetInfo, msg.targetInfoLen); + if (NS_FAILED(rv)) { + return rv; + } + nsTArray<uint8_t> ntlmv2Response; + rv = ntlmv2ResponseHmac.End(ntlmv2Response); + if (NS_FAILED(rv)) { + return rv; + } + + if (ntlmv2Response.Length() != NTLMv2_RESP_LEN) { + return NS_ERROR_UNEXPECTED; + } + + memcpy(ntlmv2Resp, ntlmv2Response.Elements(), NTLMv2_RESP_LEN); + ntlmRespLen = NTLMv2_RESP_LEN + NTLMv2_BLOB1_LEN; + ntlmRespLen += msg.targetInfoLen; + if (!ntlmRespLen.isValid()) { + NS_ERROR("failed to do NTLMv2: integer overflow?!?"); + return NS_ERROR_UNEXPECTED; + } + } else if (msg.flags & NTLM_NegotiateNTLM2Key) { + // compute NTLM2 session response + nsCString sessionHashString; + + PK11_GenerateRandom(lmResp, NTLM_CHAL_LEN); + memset(lmResp + NTLM_CHAL_LEN, 0, LM_RESP_LEN - NTLM_CHAL_LEN); + + nsCOMPtr<nsICryptoHash> hasher = + do_CreateInstance(NS_CRYPTO_HASH_CONTRACTID, &rv); + if (NS_FAILED(rv)) { + return rv; + } + rv = hasher->Init(nsICryptoHash::MD5); + if (NS_FAILED(rv)) { + return rv; + } + rv = hasher->Update(msg.challenge, NTLM_CHAL_LEN); + if (NS_FAILED(rv)) { + return rv; + } + rv = hasher->Update(lmResp, NTLM_CHAL_LEN); + if (NS_FAILED(rv)) { + return rv; + } + rv = hasher->Finish(false, sessionHashString); + if (NS_FAILED(rv)) { + return rv; + } + + const auto* sessionHash = mozilla::BitwiseCast<const uint8_t*, const char*>( + sessionHashString.get()); + + LogBuf("NTLM2 effective key: ", sessionHash, 8); + + NTLM_Hash(password, ntlmHash); + LM_Response(ntlmHash, sessionHash, ntlmResp); + } else { + NTLM_Hash(password, ntlmHash); + LM_Response(ntlmHash, msg.challenge, ntlmResp); + + // According to http://davenport.sourceforge.net/ntlm.html#ntlmVersion2, + // the correct way to not send the LM hash is to send the NTLM hash twice + // in both the LM and NTLM response fields. + LM_Response(ntlmHash, msg.challenge, lmResp); + } + + mozilla::CheckedInt<uint32_t> totalLen = NTLM_TYPE3_HEADER_LEN + LM_RESP_LEN; + totalLen += hostLen; + totalLen += domainLen; + totalLen += userLen; + totalLen += ntlmRespLen.value(); + + if (!totalLen.isValid()) { + NS_ERROR("failed preparing to allocate NTLM response: integer overflow?!?"); + return NS_ERROR_FAILURE; + } + *outBuf = moz_xmalloc(totalLen.value()); + *outLen = totalLen.value(); + + // + // finally, we assemble the Type-3 msg :-) + // + void* cursor = *outBuf; + mozilla::CheckedInt<uint32_t> offset; + + // 0 : signature + cursor = WriteBytes(cursor, NTLM_SIGNATURE, sizeof(NTLM_SIGNATURE)); + + // 8 : marker + cursor = WriteBytes(cursor, NTLM_TYPE3_MARKER, sizeof(NTLM_TYPE3_MARKER)); + + // 12 : LM response sec buf + offset = NTLM_TYPE3_HEADER_LEN; + offset += domainLen; + offset += userLen; + offset += hostLen; + if (!offset.isValid()) { + NS_ERROR("failed preparing to write NTLM response: integer overflow?!?"); + return NS_ERROR_UNEXPECTED; + } + cursor = WriteSecBuf(cursor, LM_RESP_LEN, offset.value()); + memcpy(static_cast<uint8_t*>(*outBuf) + offset.value(), lmResp, LM_RESP_LEN); + + // 20 : NTLM or NTLMv2 response sec buf + offset += LM_RESP_LEN; + if (!offset.isValid()) { + NS_ERROR("failed preparing to write NTLM response: integer overflow?!?"); + return NS_ERROR_UNEXPECTED; + } + cursor = WriteSecBuf(cursor, ntlmRespLen.value(), offset.value()); + if (ntlmv2) { + memcpy(static_cast<uint8_t*>(*outBuf) + offset.value(), ntlmv2Resp, + NTLMv2_RESP_LEN); + offset += NTLMv2_RESP_LEN; + if (!offset.isValid()) { + NS_ERROR("failed preparing to write NTLM response: integer overflow?!?"); + return NS_ERROR_UNEXPECTED; + } + memcpy(static_cast<uint8_t*>(*outBuf) + offset.value(), ntlmv2_blob1, + NTLMv2_BLOB1_LEN); + offset += NTLMv2_BLOB1_LEN; + if (!offset.isValid()) { + NS_ERROR("failed preparing to write NTLM response: integer overflow?!?"); + return NS_ERROR_UNEXPECTED; + } + memcpy(static_cast<uint8_t*>(*outBuf) + offset.value(), msg.targetInfo, + msg.targetInfoLen); + } else { + memcpy(static_cast<uint8_t*>(*outBuf) + offset.value(), ntlmResp, + NTLM_RESP_LEN); + } + // 28 : domain name sec buf + offset = NTLM_TYPE3_HEADER_LEN; + cursor = WriteSecBuf(cursor, domainLen, offset.value()); + memcpy(static_cast<uint8_t*>(*outBuf) + offset.value(), domainPtr, domainLen); + + // 36 : user name sec buf + offset += domainLen; + if (!offset.isValid()) { + NS_ERROR("failed preparing to write NTLM response: integer overflow?!?"); + return NS_ERROR_UNEXPECTED; + } + cursor = WriteSecBuf(cursor, userLen, offset.value()); + memcpy(static_cast<uint8_t*>(*outBuf) + offset.value(), userPtr, userLen); + + // 44 : workstation (host) name sec buf + offset += userLen; + if (!offset.isValid()) { + NS_ERROR("failed preparing to write NTLM response: integer overflow?!?"); + return NS_ERROR_UNEXPECTED; + } + cursor = WriteSecBuf(cursor, hostLen, offset.value()); + memcpy(static_cast<uint8_t*>(*outBuf) + offset.value(), hostPtr, hostLen); + + // 52 : session key sec buf (not used) + cursor = WriteSecBuf(cursor, 0, 0); + + // 60 : negotiated flags + cursor = WriteDWORD(cursor, msg.flags & NTLM_TYPE1_FLAGS); + + return NS_OK; +} + +//----------------------------------------------------------------------------- + +NS_IMPL_ISUPPORTS(nsNTLMAuthModule, nsIAuthModule) + +nsNTLMAuthModule::~nsNTLMAuthModule() { ZapString(mPassword); } + +nsresult nsNTLMAuthModule::InitTest() { + // disable NTLM authentication when FIPS mode is enabled. + return PK11_IsFIPS() ? NS_ERROR_NOT_AVAILABLE : NS_OK; +} + +NS_IMETHODIMP +nsNTLMAuthModule::Init(const nsACString& serviceName, uint32_t serviceFlags, + const nsAString& domain, const nsAString& username, + const nsAString& password) { + MOZ_ASSERT((serviceFlags & ~nsIAuthModule::REQ_PROXY_AUTH) == + nsIAuthModule::REQ_DEFAULT, + "Unexpected service flags"); + + mDomain = domain; + mUsername = username; + mPassword = password; + mNTLMNegotiateSent = false; + + static bool sTelemetrySent = false; + if (!sTelemetrySent) { + mozilla::Telemetry::Accumulate(mozilla::Telemetry::NTLM_MODULE_USED_2, + serviceFlags & nsIAuthModule::REQ_PROXY_AUTH + ? NTLM_MODULE_GENERIC_PROXY + : NTLM_MODULE_GENERIC_DIRECT); + sTelemetrySent = true; + } + + return NS_OK; +} + +NS_IMETHODIMP +nsNTLMAuthModule::GetNextToken(const void* inToken, uint32_t inTokenLen, + void** outToken, uint32_t* outTokenLen) { + nsresult rv; + + // disable NTLM authentication when FIPS mode is enabled. + if (PK11_IsFIPS()) { + return NS_ERROR_NOT_AVAILABLE; + } + + if (mNTLMNegotiateSent) { + // if inToken is non-null, and we have sent the NTLMSSP_NEGOTIATE (type 1), + // then the NTLMSSP_CHALLENGE (type 2) is expected + if (inToken) { + LogToken("in-token", inToken, inTokenLen); + // Now generate the NTLMSSP_AUTH (type 3) + rv = GenerateType3Msg(mDomain, mUsername, mPassword, inToken, inTokenLen, + outToken, outTokenLen); + } else { + LOG( + ("NTLMSSP_NEGOTIATE already sent and presumably " + "rejected by the server, refusing to send another")); + rv = NS_ERROR_UNEXPECTED; + } + } else { + if (inToken) { + LOG(("NTLMSSP_NEGOTIATE not sent but NTLM reply already received?!?")); + rv = NS_ERROR_UNEXPECTED; + } else { + rv = GenerateType1Msg(outToken, outTokenLen); + if (NS_SUCCEEDED(rv)) { + mNTLMNegotiateSent = true; + } + } + } + + if (NS_SUCCEEDED(rv)) LogToken("out-token", *outToken, *outTokenLen); + + return rv; +} + +NS_IMETHODIMP +nsNTLMAuthModule::Unwrap(const void* inToken, uint32_t inTokenLen, + void** outToken, uint32_t* outTokenLen) { + return NS_ERROR_NOT_IMPLEMENTED; +} + +NS_IMETHODIMP +nsNTLMAuthModule::Wrap(const void* inToken, uint32_t inTokenLen, + bool confidential, void** outToken, + uint32_t* outTokenLen) { + return NS_ERROR_NOT_IMPLEMENTED; +} + +//----------------------------------------------------------------------------- +// DES support code + +// set odd parity bit (in least significant bit position) +static uint8_t des_setkeyparity(uint8_t x) { + if ((((x >> 7) ^ (x >> 6) ^ (x >> 5) ^ (x >> 4) ^ (x >> 3) ^ (x >> 2) ^ + (x >> 1)) & + 0x01) == 0) { + x |= 0x01; + } else { + x &= 0xfe; + } + return x; +} + +// build 64-bit des key from 56-bit raw key +static void des_makekey(const uint8_t* raw, uint8_t* key) { + key[0] = des_setkeyparity(raw[0]); + key[1] = des_setkeyparity((raw[0] << 7) | (raw[1] >> 1)); + key[2] = des_setkeyparity((raw[1] << 6) | (raw[2] >> 2)); + key[3] = des_setkeyparity((raw[2] << 5) | (raw[3] >> 3)); + key[4] = des_setkeyparity((raw[3] << 4) | (raw[4] >> 4)); + key[5] = des_setkeyparity((raw[4] << 3) | (raw[5] >> 5)); + key[6] = des_setkeyparity((raw[5] << 2) | (raw[6] >> 6)); + key[7] = des_setkeyparity((raw[6] << 1)); +} + +// run des encryption algorithm (using NSS) +static void des_encrypt(const uint8_t* key, const uint8_t* src, uint8_t* hash) { + CK_MECHANISM_TYPE cipherMech = CKM_DES_ECB; + PK11SymKey* symkey = nullptr; + PK11Context* ctxt = nullptr; + SECItem keyItem; + mozilla::UniqueSECItem param; + SECStatus rv; + unsigned int n; + + mozilla::UniquePK11SlotInfo slot(PK11_GetBestSlot(cipherMech, nullptr)); + if (!slot) { + NS_ERROR("no slot"); + goto done; + } + + keyItem.data = const_cast<uint8_t*>(key); + keyItem.len = 8; + symkey = PK11_ImportSymKey(slot.get(), cipherMech, PK11_OriginUnwrap, + CKA_ENCRYPT, &keyItem, nullptr); + if (!symkey) { + NS_ERROR("no symkey"); + goto done; + } + + // no initialization vector required + param = mozilla::UniqueSECItem(PK11_ParamFromIV(cipherMech, nullptr)); + if (!param) { + NS_ERROR("no param"); + goto done; + } + + ctxt = + PK11_CreateContextBySymKey(cipherMech, CKA_ENCRYPT, symkey, param.get()); + if (!ctxt) { + NS_ERROR("no context"); + goto done; + } + + rv = PK11_CipherOp(ctxt, hash, (int*)&n, 8, (uint8_t*)src, 8); + if (rv != SECSuccess) { + NS_ERROR("des failure"); + goto done; + } + + rv = PK11_DigestFinal(ctxt, hash + 8, &n, 0); + if (rv != SECSuccess) { + NS_ERROR("des failure"); + goto done; + } + +done: + if (ctxt) PK11_DestroyContext(ctxt, true); + if (symkey) PK11_FreeSymKey(symkey); +} diff --git a/security/manager/ssl/nsNTLMAuthModule.h b/security/manager/ssl/nsNTLMAuthModule.h new file mode 100644 index 0000000000..25a96a09d8 --- /dev/null +++ b/security/manager/ssl/nsNTLMAuthModule.h @@ -0,0 +1,33 @@ +/* vim:set ts=2 sw=2 et cindent: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef nsNTLMAuthModule_h__ +#define nsNTLMAuthModule_h__ + +#include "nsIAuthModule.h" +#include "nsString.h" + +class nsNTLMAuthModule : public nsIAuthModule { + public: + NS_DECL_ISUPPORTS + NS_DECL_NSIAUTHMODULE + + nsNTLMAuthModule() : mNTLMNegotiateSent(false) {} + + nsresult InitTest(); + + static void SetSendLM(bool sendLM); + + protected: + virtual ~nsNTLMAuthModule(); + + private: + nsString mDomain; + nsString mUsername; + nsString mPassword; + bool mNTLMNegotiateSent; +}; + +#endif // nsNTLMAuthModule_h__ diff --git a/security/manager/ssl/nsPK11TokenDB.cpp b/security/manager/ssl/nsPK11TokenDB.cpp new file mode 100644 index 0000000000..d13f39fc18 --- /dev/null +++ b/security/manager/ssl/nsPK11TokenDB.cpp @@ -0,0 +1,287 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +#include "nsPK11TokenDB.h" + +#include <string.h> + +#include "ScopedNSSTypes.h" +#include "mozilla/Casting.h" +#include "mozilla/Unused.h" +#include "mozilla/Logging.h" +#include "nsISupports.h" +#include "nsNSSCertHelper.h" +#include "nsNSSComponent.h" +#include "nsPromiseFlatString.h" +#include "nsReadableUtils.h" +#include "nsServiceManagerUtils.h" +#include "prerror.h" +#include "secerr.h" + +extern mozilla::LazyLogModule gPIPNSSLog; + +NS_IMPL_ISUPPORTS(nsPK11Token, nsIPK11Token) + +nsPK11Token::nsPK11Token(PK11SlotInfo* slot) : mUIContext(new PipUIContext()) { + MOZ_ASSERT(slot); + mSlot.reset(PK11_ReferenceSlot(slot)); + mIsInternalCryptoToken = + PK11_IsInternal(mSlot.get()) && !PK11_IsInternalKeySlot(mSlot.get()); + mIsInternalKeyToken = PK11_IsInternalKeySlot(mSlot.get()); + mSeries = PK11_GetSlotSeries(slot); + mozilla::Unused << refreshTokenInfo(); +} + +nsresult nsPK11Token::refreshTokenInfo() { + if (mIsInternalCryptoToken) { + nsresult rv; + if (PK11_IsFIPS()) { + rv = GetPIPNSSBundleString("Fips140TokenDescription", mTokenName); + } else { + rv = GetPIPNSSBundleString("TokenDescription", mTokenName); + } + if (NS_FAILED(rv)) { + return rv; + } + } else if (mIsInternalKeyToken) { + nsresult rv = GetPIPNSSBundleString("PrivateTokenDescription", mTokenName); + if (NS_FAILED(rv)) { + return rv; + } + } else { + mTokenName.Assign(PK11_GetTokenName(mSlot.get())); + } + + CK_TOKEN_INFO tokInfo; + nsresult rv = mozilla::MapSECStatus(PK11_GetTokenInfo(mSlot.get(), &tokInfo)); + if (NS_FAILED(rv)) { + return rv; + } + + // Set the Manufacturer field + if (mIsInternalCryptoToken || mIsInternalKeyToken) { + rv = GetPIPNSSBundleString("ManufacturerID", mTokenManufacturerID); + if (NS_FAILED(rv)) { + return rv; + } + } else { + const char* ccManID = + mozilla::BitwiseCast<char*, CK_UTF8CHAR*>(tokInfo.manufacturerID); + mTokenManufacturerID.Assign( + ccManID, strnlen(ccManID, sizeof(tokInfo.manufacturerID))); + mTokenManufacturerID.Trim(" ", false, true); + } + + // Set the Hardware Version field + mTokenHWVersion.Truncate(); + mTokenHWVersion.AppendInt(tokInfo.hardwareVersion.major); + mTokenHWVersion.Append('.'); + mTokenHWVersion.AppendInt(tokInfo.hardwareVersion.minor); + + // Set the Firmware Version field + mTokenFWVersion.Truncate(); + mTokenFWVersion.AppendInt(tokInfo.firmwareVersion.major); + mTokenFWVersion.Append('.'); + mTokenFWVersion.AppendInt(tokInfo.firmwareVersion.minor); + + // Set the Serial Number field + const char* ccSerial = + mozilla::BitwiseCast<char*, CK_CHAR*>(tokInfo.serialNumber); + mTokenSerialNum.Assign(ccSerial, + strnlen(ccSerial, sizeof(tokInfo.serialNumber))); + mTokenSerialNum.Trim(" ", false, true); + + return NS_OK; +} + +nsresult nsPK11Token::GetAttributeHelper(const nsACString& attribute, + /*out*/ nsACString& xpcomOutParam) { + // Handle removals/insertions. + if (PK11_GetSlotSeries(mSlot.get()) != mSeries) { + nsresult rv = refreshTokenInfo(); + if (NS_FAILED(rv)) { + return rv; + } + } + + xpcomOutParam = attribute; + return NS_OK; +} + +NS_IMETHODIMP +nsPK11Token::GetTokenName(/*out*/ nsACString& tokenName) { + return GetAttributeHelper(mTokenName, tokenName); +} + +NS_IMETHODIMP +nsPK11Token::GetIsInternalKeyToken(/*out*/ bool* _retval) { + NS_ENSURE_ARG_POINTER(_retval); + *_retval = mIsInternalKeyToken; + return NS_OK; +} + +NS_IMETHODIMP +nsPK11Token::GetTokenManID(/*out*/ nsACString& tokenManufacturerID) { + return GetAttributeHelper(mTokenManufacturerID, tokenManufacturerID); +} + +NS_IMETHODIMP +nsPK11Token::GetTokenHWVersion(/*out*/ nsACString& tokenHWVersion) { + return GetAttributeHelper(mTokenHWVersion, tokenHWVersion); +} + +NS_IMETHODIMP +nsPK11Token::GetTokenFWVersion(/*out*/ nsACString& tokenFWVersion) { + return GetAttributeHelper(mTokenFWVersion, tokenFWVersion); +} + +NS_IMETHODIMP +nsPK11Token::GetTokenSerialNumber(/*out*/ nsACString& tokenSerialNum) { + return GetAttributeHelper(mTokenSerialNum, tokenSerialNum); +} + +NS_IMETHODIMP +nsPK11Token::IsLoggedIn(bool* _retval) { + NS_ENSURE_ARG_POINTER(_retval); + *_retval = PK11_IsLoggedIn(mSlot.get(), 0); + return NS_OK; +} + +NS_IMETHODIMP +nsPK11Token::Login(bool force) { + nsresult rv; + bool test; + rv = this->NeedsLogin(&test); + if (NS_FAILED(rv)) return rv; + if (test && force) { + rv = this->LogoutSimple(); + if (NS_FAILED(rv)) return rv; + } + rv = setPassword(mSlot.get(), mUIContext); + if (NS_FAILED(rv)) return rv; + + return mozilla::MapSECStatus( + PK11_Authenticate(mSlot.get(), true, mUIContext)); +} + +NS_IMETHODIMP +nsPK11Token::LogoutSimple() { + // PK11_Logout() can fail if the user wasn't logged in beforehand. We want + // this method to succeed even in this case, so we ignore the return value. + mozilla::Unused << PK11_Logout(mSlot.get()); + return NS_OK; +} + +NS_IMETHODIMP +nsPK11Token::LogoutAndDropAuthenticatedResources() { + static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID); + + nsresult rv = LogoutSimple(); + + if (NS_FAILED(rv)) return rv; + + nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv)); + if (NS_FAILED(rv)) return rv; + + return nssComponent->LogoutAuthenticatedPK11(); +} + +NS_IMETHODIMP +nsPK11Token::Reset() { + return mozilla::MapSECStatus(PK11_ResetToken(mSlot.get(), nullptr)); +} + +NS_IMETHODIMP +nsPK11Token::GetNeedsUserInit(bool* aNeedsUserInit) { + NS_ENSURE_ARG_POINTER(aNeedsUserInit); + *aNeedsUserInit = PK11_NeedUserInit(mSlot.get()); + return NS_OK; +} + +NS_IMETHODIMP +nsPK11Token::CheckPassword(const nsACString& password, bool* _retval) { + NS_ENSURE_ARG_POINTER(_retval); + SECStatus srv = + PK11_CheckUserPassword(mSlot.get(), PromiseFlatCString(password).get()); + if (srv != SECSuccess) { + *_retval = false; + PRErrorCode error = PR_GetError(); + if (error != SEC_ERROR_BAD_PASSWORD) { + /* something really bad happened - throw an exception */ + return mozilla::psm::GetXPCOMFromNSSError(error); + } + } else { + *_retval = true; + } + return NS_OK; +} + +NS_IMETHODIMP +nsPK11Token::InitPassword(const nsACString& initialPassword) { + const nsCString& passwordCStr = PromiseFlatCString(initialPassword); + // PSM initializes the sqlite-backed softoken with an empty password. The + // implementation considers this not to be a password (GetHasPassword returns + // false), but we can't actually call PK11_InitPin again. Instead, we call + // PK11_ChangePW with the empty password. + bool hasPassword; + nsresult rv = GetHasPassword(&hasPassword); + if (NS_FAILED(rv)) { + return rv; + } + if (!PK11_NeedUserInit(mSlot.get()) && !hasPassword) { + return mozilla::MapSECStatus( + PK11_ChangePW(mSlot.get(), "", passwordCStr.get())); + } + return mozilla::MapSECStatus( + PK11_InitPin(mSlot.get(), "", passwordCStr.get())); +} + +NS_IMETHODIMP +nsPK11Token::ChangePassword(const nsACString& oldPassword, + const nsACString& newPassword) { + // PK11_ChangePW() has different semantics for the empty string and for + // nullptr. In order to support this difference, we need to check IsVoid() to + // find out if our caller supplied null/undefined args or just empty strings. + // See Bug 447589. + return mozilla::MapSECStatus(PK11_ChangePW( + mSlot.get(), + oldPassword.IsVoid() ? nullptr : PromiseFlatCString(oldPassword).get(), + newPassword.IsVoid() ? nullptr : PromiseFlatCString(newPassword).get())); +} + +NS_IMETHODIMP +nsPK11Token::GetHasPassword(bool* hasPassword) { + NS_ENSURE_ARG_POINTER(hasPassword); + // PK11_NeedLogin returns true if the token is currently configured to require + // the user to log in (whether or not the user is actually logged in makes no + // difference). + *hasPassword = PK11_NeedLogin(mSlot.get()) && !PK11_NeedUserInit(mSlot.get()); + return NS_OK; +} + +NS_IMETHODIMP +nsPK11Token::NeedsLogin(bool* _retval) { + NS_ENSURE_ARG_POINTER(_retval); + *_retval = PK11_NeedLogin(mSlot.get()); + return NS_OK; +} + +/*=========================================================*/ + +NS_IMPL_ISUPPORTS(nsPK11TokenDB, nsIPK11TokenDB) + +NS_IMETHODIMP +nsPK11TokenDB::GetInternalKeyToken(nsIPK11Token** _retval) { + NS_ENSURE_ARG_POINTER(_retval); + mozilla::UniquePK11SlotInfo slot(PK11_GetInternalKeySlot()); + if (!slot) { + return NS_ERROR_FAILURE; + } + + nsCOMPtr<nsIPK11Token> token = new nsPK11Token(slot.get()); + token.forget(_retval); + + return NS_OK; +} diff --git a/security/manager/ssl/nsPK11TokenDB.h b/security/manager/ssl/nsPK11TokenDB.h new file mode 100644 index 0000000000..36f54354ad --- /dev/null +++ b/security/manager/ssl/nsPK11TokenDB.h @@ -0,0 +1,67 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef nsPK11TokenDB_h +#define nsPK11TokenDB_h + +#include "nsCOMPtr.h" +#include "nsIPK11Token.h" +#include "nsIPK11TokenDB.h" +#include "nsISupports.h" +#include "nsNSSHelper.h" +#include "nsString.h" +#include "pk11func.h" +#include "ScopedNSSTypes.h" + +class nsPK11Token : public nsIPK11Token { + public: + NS_DECL_ISUPPORTS + NS_DECL_NSIPK11TOKEN + + explicit nsPK11Token(PK11SlotInfo* slot); + + protected: + virtual ~nsPK11Token() = default; + + private: + friend class nsPK11TokenDB; + nsresult refreshTokenInfo(); + + nsCString mTokenName; + nsCString mTokenManufacturerID; + nsCString mTokenHWVersion; + nsCString mTokenFWVersion; + nsCString mTokenSerialNum; + mozilla::UniquePK11SlotInfo mSlot; + // True if this is the "PKCS#11 token" that provides cryptographic functions. + bool mIsInternalCryptoToken; + // True if this is the "PKCS#11 token" where private keys are stored. + bool mIsInternalKeyToken; + int mSeries; + nsCOMPtr<nsIInterfaceRequestor> mUIContext; + nsresult GetAttributeHelper(const nsACString& attribute, + /*out*/ nsACString& xpcomOutParam); +}; + +class nsPK11TokenDB : public nsIPK11TokenDB { + public: + NS_DECL_ISUPPORTS + NS_DECL_NSIPK11TOKENDB + + nsPK11TokenDB() = default; + + protected: + virtual ~nsPK11TokenDB() = default; +}; + +#define NS_PK11TOKENDB_CID \ + { \ + 0xb084a2ce, 0x1dd1, 0x11b2, { \ + 0xbf, 0x10, 0x83, 0x24, 0xf8, 0xe0, 0x65, 0xcc \ + } \ + } + +#endif // nsPK11TokenDB_h diff --git a/security/manager/ssl/nsPKCS11Slot.cpp b/security/manager/ssl/nsPKCS11Slot.cpp new file mode 100644 index 0000000000..130e79033d --- /dev/null +++ b/security/manager/ssl/nsPKCS11Slot.cpp @@ -0,0 +1,277 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsPKCS11Slot.h" + +#include <string.h> + +#include "mozilla/Casting.h" +#include "mozilla/Logging.h" +#include "mozilla/Telemetry.h" +#include "mozilla/Unused.h" +#include "nsCOMPtr.h" +#include "nsIMutableArray.h" +#include "nsNSSCertHelper.h" +#include "nsNSSComponent.h" +#include "nsPK11TokenDB.h" +#include "nsPromiseFlatString.h" +#include "nsComponentManagerUtils.h" +#include "secmod.h" + +using mozilla::LogLevel; + +extern mozilla::LazyLogModule gPIPNSSLog; + +NS_IMPL_ISUPPORTS(nsPKCS11Slot, nsIPKCS11Slot) + +nsPKCS11Slot::nsPKCS11Slot(PK11SlotInfo* slot) { + MOZ_ASSERT(slot); + mSlot.reset(PK11_ReferenceSlot(slot)); + mIsInternalCryptoSlot = + PK11_IsInternal(mSlot.get()) && !PK11_IsInternalKeySlot(mSlot.get()); + mIsInternalKeySlot = PK11_IsInternalKeySlot(mSlot.get()); + mSeries = PK11_GetSlotSeries(slot); + mozilla::Unused << refreshSlotInfo(); +} + +nsresult nsPKCS11Slot::refreshSlotInfo() { + CK_SLOT_INFO slotInfo; + nsresult rv = mozilla::MapSECStatus(PK11_GetSlotInfo(mSlot.get(), &slotInfo)); + if (NS_FAILED(rv)) { + return rv; + } + + // Set the Description field + if (mIsInternalCryptoSlot) { + nsresult rv; + if (PK11_IsFIPS()) { + rv = GetPIPNSSBundleString("Fips140SlotDescription", mSlotDesc); + } else { + rv = GetPIPNSSBundleString("SlotDescription", mSlotDesc); + } + if (NS_FAILED(rv)) { + return rv; + } + } else if (mIsInternalKeySlot) { + rv = GetPIPNSSBundleString("PrivateSlotDescription", mSlotDesc); + if (NS_FAILED(rv)) { + return rv; + } + } else { + const char* ccDesc = + mozilla::BitwiseCast<char*, CK_UTF8CHAR*>(slotInfo.slotDescription); + mSlotDesc.Assign(ccDesc, strnlen(ccDesc, sizeof(slotInfo.slotDescription))); + mSlotDesc.Trim(" ", false, true); + } + + // Set the Manufacturer field + if (mIsInternalCryptoSlot || mIsInternalKeySlot) { + rv = GetPIPNSSBundleString("ManufacturerID", mSlotManufacturerID); + if (NS_FAILED(rv)) { + return rv; + } + } else { + const char* ccManID = + mozilla::BitwiseCast<char*, CK_UTF8CHAR*>(slotInfo.manufacturerID); + mSlotManufacturerID.Assign( + ccManID, strnlen(ccManID, sizeof(slotInfo.manufacturerID))); + mSlotManufacturerID.Trim(" ", false, true); + } + + // Set the Hardware Version field + mSlotHWVersion.Truncate(); + mSlotHWVersion.AppendInt(slotInfo.hardwareVersion.major); + mSlotHWVersion.Append('.'); + mSlotHWVersion.AppendInt(slotInfo.hardwareVersion.minor); + + // Set the Firmware Version field + mSlotFWVersion.Truncate(); + mSlotFWVersion.AppendInt(slotInfo.firmwareVersion.major); + mSlotFWVersion.Append('.'); + mSlotFWVersion.AppendInt(slotInfo.firmwareVersion.minor); + + return NS_OK; +} + +nsresult nsPKCS11Slot::GetAttributeHelper(const nsACString& attribute, + /*out*/ nsACString& xpcomOutParam) { + if (PK11_GetSlotSeries(mSlot.get()) != mSeries) { + nsresult rv = refreshSlotInfo(); + if (NS_FAILED(rv)) { + return rv; + } + } + + xpcomOutParam = attribute; + return NS_OK; +} + +NS_IMETHODIMP +nsPKCS11Slot::GetName(/*out*/ nsACString& name) { + if (mIsInternalCryptoSlot) { + if (PK11_IsFIPS()) { + return GetPIPNSSBundleString("Fips140TokenDescription", name); + } + return GetPIPNSSBundleString("TokenDescription", name); + } + if (mIsInternalKeySlot) { + return GetPIPNSSBundleString("PrivateTokenDescription", name); + } + name.Assign(PK11_GetSlotName(mSlot.get())); + + return NS_OK; +} + +NS_IMETHODIMP +nsPKCS11Slot::GetDesc(/*out*/ nsACString& desc) { + return GetAttributeHelper(mSlotDesc, desc); +} + +NS_IMETHODIMP +nsPKCS11Slot::GetManID(/*out*/ nsACString& manufacturerID) { + return GetAttributeHelper(mSlotManufacturerID, manufacturerID); +} + +NS_IMETHODIMP +nsPKCS11Slot::GetHWVersion(/*out*/ nsACString& hwVersion) { + return GetAttributeHelper(mSlotHWVersion, hwVersion); +} + +NS_IMETHODIMP +nsPKCS11Slot::GetFWVersion(/*out*/ nsACString& fwVersion) { + return GetAttributeHelper(mSlotFWVersion, fwVersion); +} + +NS_IMETHODIMP +nsPKCS11Slot::GetToken(nsIPK11Token** _retval) { + NS_ENSURE_ARG_POINTER(_retval); + nsCOMPtr<nsIPK11Token> token = new nsPK11Token(mSlot.get()); + token.forget(_retval); + return NS_OK; +} + +NS_IMETHODIMP +nsPKCS11Slot::GetTokenName(/*out*/ nsACString& tokenName) { + if (!PK11_IsPresent(mSlot.get())) { + tokenName.SetIsVoid(true); + return NS_OK; + } + + if (PK11_GetSlotSeries(mSlot.get()) != mSeries) { + nsresult rv = refreshSlotInfo(); + if (NS_FAILED(rv)) { + return rv; + } + } + + if (mIsInternalCryptoSlot) { + if (PK11_IsFIPS()) { + return GetPIPNSSBundleString("Fips140TokenDescription", tokenName); + } + return GetPIPNSSBundleString("TokenDescription", tokenName); + } + if (mIsInternalKeySlot) { + return GetPIPNSSBundleString("PrivateTokenDescription", tokenName); + } + + tokenName.Assign(PK11_GetTokenName(mSlot.get())); + return NS_OK; +} + +NS_IMETHODIMP +nsPKCS11Slot::GetStatus(uint32_t* _retval) { + NS_ENSURE_ARG_POINTER(_retval); + if (PK11_IsDisabled(mSlot.get())) { + *_retval = SLOT_DISABLED; + } else if (!PK11_IsPresent(mSlot.get())) { + *_retval = SLOT_NOT_PRESENT; + } else if (PK11_NeedLogin(mSlot.get()) && PK11_NeedUserInit(mSlot.get())) { + *_retval = SLOT_UNINITIALIZED; + } else if (PK11_NeedLogin(mSlot.get()) && + !PK11_IsLoggedIn(mSlot.get(), nullptr)) { + *_retval = SLOT_NOT_LOGGED_IN; + } else if (PK11_NeedLogin(mSlot.get())) { + *_retval = SLOT_LOGGED_IN; + } else { + *_retval = SLOT_READY; + } + return NS_OK; +} + +NS_IMPL_ISUPPORTS(nsPKCS11Module, nsIPKCS11Module) + +nsPKCS11Module::nsPKCS11Module(SECMODModule* module) { + MOZ_ASSERT(module); + mModule.reset(SECMOD_ReferenceModule(module)); +} + +// Convert the UTF8 internal name of the module to how it should appear to the +// user. In most cases this involves simply passing back the module's name. +// However, the builtin roots module has a non-localized name internally that we +// must map to the localized version when we display it to the user. +static nsresult NormalizeModuleNameOut(const char* moduleNameIn, + nsACString& moduleNameOut) { + // Easy case: this isn't the builtin roots module. + if (strnlen(moduleNameIn, kRootModuleNameLen + 1) != kRootModuleNameLen || + strncmp(kRootModuleName, moduleNameIn, kRootModuleNameLen) != 0) { + moduleNameOut.Assign(moduleNameIn); + return NS_OK; + } + + nsAutoString localizedRootModuleName; + nsresult rv = + GetPIPNSSBundleString("RootCertModuleName", localizedRootModuleName); + if (NS_FAILED(rv)) { + return rv; + } + moduleNameOut.Assign(NS_ConvertUTF16toUTF8(localizedRootModuleName)); + return NS_OK; +} + +NS_IMETHODIMP +nsPKCS11Module::GetName(/*out*/ nsACString& name) { + return NormalizeModuleNameOut(mModule->commonName, name); +} + +NS_IMETHODIMP +nsPKCS11Module::GetLibName(/*out*/ nsACString& libName) { + if (mModule->dllName) { + libName = mModule->dllName; + } else { + libName.SetIsVoid(true); + } + return NS_OK; +} + +NS_IMETHODIMP +nsPKCS11Module::ListSlots(nsISimpleEnumerator** _retval) { + NS_ENSURE_ARG_POINTER(_retval); + + nsresult rv = CheckForSmartCardChanges(); + if (NS_FAILED(rv)) { + return rv; + } + + nsCOMPtr<nsIMutableArray> array = do_CreateInstance(NS_ARRAY_CONTRACTID); + if (!array) { + return NS_ERROR_FAILURE; + } + + /* applications which allow new slot creation (which Firefox now does + * since it uses the WaitForSlotEvent call) need to hold the + * ModuleList Read lock to prevent the slot array from changing out + * from under it. */ + mozilla::AutoSECMODListReadLock lock; + for (int i = 0; i < mModule->slotCount; i++) { + if (mModule->slots[i]) { + nsCOMPtr<nsIPKCS11Slot> slot = new nsPKCS11Slot(mModule->slots[i]); + rv = array->AppendElement(slot); + if (NS_FAILED(rv)) { + return rv; + } + } + } + + return array->Enumerate(_retval, NS_GET_IID(nsIPKCS11Slot)); +} diff --git a/security/manager/ssl/nsPKCS11Slot.h b/security/manager/ssl/nsPKCS11Slot.h new file mode 100644 index 0000000000..3f532d7064 --- /dev/null +++ b/security/manager/ssl/nsPKCS11Slot.h @@ -0,0 +1,58 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef nsPKCS11Slot_h +#define nsPKCS11Slot_h + +#include "ScopedNSSTypes.h" +#include "nsIPKCS11Module.h" +#include "nsIPKCS11Slot.h" +#include "nsISupports.h" +#include "nsString.h" +#include "pk11func.h" + +class nsPKCS11Slot : public nsIPKCS11Slot { + public: + NS_DECL_ISUPPORTS + NS_DECL_NSIPKCS11SLOT + + explicit nsPKCS11Slot(PK11SlotInfo* slot); + + protected: + virtual ~nsPKCS11Slot() = default; + + private: + mozilla::UniquePK11SlotInfo mSlot; + // True if this is the "PKCS#11 slot" that provides cryptographic functions. + bool mIsInternalCryptoSlot; + // True if this is the "PKCS#11 slot" where private keys are stored. + bool mIsInternalKeySlot; + nsCString mSlotDesc; + nsCString mSlotManufacturerID; + nsCString mSlotHWVersion; + nsCString mSlotFWVersion; + int mSeries; + + nsresult refreshSlotInfo(); + nsresult GetAttributeHelper(const nsACString& attribute, + /*out*/ nsACString& xpcomOutParam); +}; + +class nsPKCS11Module : public nsIPKCS11Module { + public: + NS_DECL_ISUPPORTS + NS_DECL_NSIPKCS11MODULE + + explicit nsPKCS11Module(SECMODModule* module); + + protected: + virtual ~nsPKCS11Module() = default; + + private: + mozilla::UniqueSECMODModule mModule; +}; + +#endif // nsPKCS11Slot_h diff --git a/security/manager/ssl/nsPKCS12Blob.cpp b/security/manager/ssl/nsPKCS12Blob.cpp new file mode 100644 index 0000000000..2814626cfc --- /dev/null +++ b/security/manager/ssl/nsPKCS12Blob.cpp @@ -0,0 +1,357 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsPKCS12Blob.h" + +#include "mozilla/Assertions.h" +#include "mozilla/Casting.h" +#include "mozilla/Logging.h" +#include "mozilla/Preferences.h" +#include "mozilla/Unused.h" +#include "mozpkix/pkixtypes.h" +#include "nsIFile.h" +#include "nsIInputStream.h" +#include "nsIX509CertDB.h" +#include "nsNetUtil.h" +#include "nsNSSCertHelper.h" +#include "nsNSSCertificate.h" +#include "nsNSSHelper.h" +#include "nsReadableUtils.h" +#include "nsTArray.h" +#include "nsThreadUtils.h" +#include "p12plcy.h" +#include "ScopedNSSTypes.h" +#include "secerr.h" + +using namespace mozilla; +extern LazyLogModule gPIPNSSLog; + +#define PIP_PKCS12_BUFFER_SIZE 2048 +#define PIP_PKCS12_NOSMARTCARD_EXPORT 4 +#define PIP_PKCS12_RESTORE_FAILED 5 +#define PIP_PKCS12_BACKUP_FAILED 6 +#define PIP_PKCS12_NSS_ERROR 7 + +nsPKCS12Blob::nsPKCS12Blob() : mUIContext(new PipUIContext()) {} + +// Given a file handle, read a PKCS#12 blob from that file, decode it, and +// import the results into the internal database. +nsresult nsPKCS12Blob::ImportFromFile(nsIFile* aFile, + const nsAString& aPassword, + uint32_t& aError) { + uint32_t passwordBufferLength; + UniquePtr<uint8_t[]> passwordBuffer; + + UniquePK11SlotInfo slot(PK11_GetInternalKeySlot()); + if (!slot) { + return NS_ERROR_FAILURE; + } + + passwordBuffer = stringToBigEndianBytes(aPassword, passwordBufferLength); + + // initialize the decoder + SECItem unicodePw = {siBuffer, passwordBuffer.get(), passwordBufferLength}; + UniqueSEC_PKCS12DecoderContext dcx( + SEC_PKCS12DecoderStart(&unicodePw, slot.get(), nullptr, nullptr, nullptr, + nullptr, nullptr, nullptr)); + if (!dcx) { + return NS_ERROR_FAILURE; + } + // read input aFile and feed it to the decoder + PRErrorCode nssError; + nsresult rv = inputToDecoder(dcx, aFile, nssError); + if (NS_FAILED(rv)) { + return rv; + } + if (nssError != 0) { + aError = handlePRErrorCode(nssError); + return NS_OK; + } + // verify the blob + SECStatus srv = SEC_PKCS12DecoderVerify(dcx.get()); + if (srv != SECSuccess) { + aError = handlePRErrorCode(PR_GetError()); + return NS_OK; + } + // validate bags + srv = SEC_PKCS12DecoderValidateBags(dcx.get(), nicknameCollision); + if (srv != SECSuccess) { + aError = handlePRErrorCode(PR_GetError()); + return NS_OK; + } + // import cert and key + srv = SEC_PKCS12DecoderImportBags(dcx.get()); + if (srv != SECSuccess) { + aError = handlePRErrorCode(PR_GetError()); + return NS_OK; + } + aError = nsIX509CertDB::Success; + return NS_OK; +} + +static bool isExtractable(UniqueSECKEYPrivateKey& privKey) { + ScopedAutoSECItem value; + SECStatus rv = PK11_ReadRawAttribute(PK11_TypePrivKey, privKey.get(), + CKA_EXTRACTABLE, &value); + if (rv != SECSuccess) { + return false; + } + + bool isExtractable = false; + if ((value.len == 1) && value.data) { + isExtractable = !!(*(CK_BBOOL*)value.data); + } + return isExtractable; +} + +// Having already loaded the certs, form them into a blob (loading the keys +// also), encode the blob, and stuff it into the file. +nsresult nsPKCS12Blob::ExportToFile(nsIFile* aFile, + const nsTArray<RefPtr<nsIX509Cert>>& aCerts, + const nsAString& aPassword, + uint32_t& aError) { + nsCString passwordUtf8 = NS_ConvertUTF16toUTF8(aPassword); + uint32_t passwordBufferLength = passwordUtf8.Length(); + aError = nsIX509CertDB::Success; + // The conversion to UCS2 is executed by sec_pkcs12_encode_password when + // necessary (for some older PKCS12 algorithms). The NSS 3.31 and newer + // expects password to be in the utf8 encoding to support modern encoders. + UniquePtr<unsigned char[]> passwordBuffer( + reinterpret_cast<unsigned char*>(ToNewCString(passwordUtf8))); + if (!passwordBuffer.get()) { + return NS_OK; + } + UniqueSEC_PKCS12ExportContext ecx( + SEC_PKCS12CreateExportContext(nullptr, nullptr, nullptr, nullptr)); + if (!ecx) { + aError = nsIX509CertDB::ERROR_PKCS12_BACKUP_FAILED; + return NS_OK; + } + // add password integrity + SECItem unicodePw = {siBuffer, passwordBuffer.get(), passwordBufferLength}; + SECStatus srv = + SEC_PKCS12AddPasswordIntegrity(ecx.get(), &unicodePw, SEC_OID_SHA1); + if (srv != SECSuccess) { + aError = nsIX509CertDB::ERROR_PKCS12_BACKUP_FAILED; + return NS_OK; + } + for (auto& cert : aCerts) { + UniqueCERTCertificate nssCert(cert->GetCert()); + if (!nssCert) { + aError = nsIX509CertDB::ERROR_PKCS12_BACKUP_FAILED; + return NS_OK; + } + // We can probably only successfully export certs that are on the internal + // token. Most, if not all, smart card vendors won't let you extract the + // private key (in any way shape or form) from the card. So let's punt if + // the cert is not in the internal db. + if (nssCert->slot && !PK11_IsInternal(nssCert->slot)) { + // We aren't the internal token, see if the key is extractable. + UniqueSECKEYPrivateKey privKey( + PK11_FindKeyByDERCert(nssCert->slot, nssCert.get(), mUIContext)); + if (privKey && !isExtractable(privKey)) { + // This is informative. If a serious error occurs later it will + // override it later and return. + aError = nsIX509CertDB::ERROR_PKCS12_NOSMARTCARD_EXPORT; + continue; + } + } + + // certSafe and keySafe are owned by ecx. + SEC_PKCS12SafeInfo* certSafe; + SEC_PKCS12SafeInfo* keySafe = SEC_PKCS12CreateUnencryptedSafe(ecx.get()); + bool useModernCrypto = Preferences::GetBool( + "security.pki.use_modern_crypto_with_pkcs12", false); + // We use SEC_OID_AES_128_CBC for the password and SEC_OID_AES_256_CBC + // for the certificate because it's a default for openssl an pk12util + // command. + if (!SEC_PKCS12IsEncryptionAllowed() || PK11_IsFIPS()) { + certSafe = keySafe; + } else { + SECOidTag privAlg = + useModernCrypto ? SEC_OID_AES_128_CBC + : SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC; + certSafe = + SEC_PKCS12CreatePasswordPrivSafe(ecx.get(), &unicodePw, privAlg); + } + if (!certSafe || !keySafe) { + aError = nsIX509CertDB::ERROR_PKCS12_BACKUP_FAILED; + return NS_OK; + } + // add the cert and key to the blob + SECOidTag algorithm = + useModernCrypto + ? SEC_OID_AES_256_CBC + : SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC; + srv = SEC_PKCS12AddCertAndKey(ecx.get(), certSafe, nullptr, nssCert.get(), + CERT_GetDefaultCertDB(), keySafe, nullptr, + true, &unicodePw, algorithm); + if (srv != SECSuccess) { + aError = nsIX509CertDB::ERROR_PKCS12_BACKUP_FAILED; + return NS_OK; + } + } + + UniquePRFileDesc prFile; + PRFileDesc* rawPRFile; + nsresult rv = aFile->OpenNSPRFileDesc(PR_RDWR | PR_CREATE_FILE | PR_TRUNCATE, + 0664, &rawPRFile); + if (NS_FAILED(rv) || !rawPRFile) { + aError = nsIX509CertDB::ERROR_PKCS12_BACKUP_FAILED; + return NS_OK; + } + prFile.reset(rawPRFile); + // encode and write + srv = SEC_PKCS12Encode(ecx.get(), writeExportFile, prFile.get()); + if (srv != SECSuccess) { + aError = nsIX509CertDB::ERROR_PKCS12_BACKUP_FAILED; + } + return NS_OK; +} + +// For the NSS PKCS#12 library, must convert PRUnichars (shorts) to a buffer of +// octets. Must handle byte order correctly. +UniquePtr<uint8_t[]> nsPKCS12Blob::stringToBigEndianBytes( + const nsAString& uni, uint32_t& bytesLength) { + if (uni.IsVoid()) { + bytesLength = 0; + return nullptr; + } + + uint32_t wideLength = uni.Length() + 1; // +1 for the null terminator. + bytesLength = wideLength * 2; + auto buffer = MakeUnique<uint8_t[]>(bytesLength); + + // We have to use a cast here because on Windows, uni.get() returns + // char16ptr_t instead of char16_t*. + mozilla::NativeEndian::copyAndSwapToBigEndian( + buffer.get(), static_cast<const char16_t*>(uni.BeginReading()), + wideLength); + + return buffer; +} + +// Given a decoder, read bytes from file and input them to the decoder. +nsresult nsPKCS12Blob::inputToDecoder(UniqueSEC_PKCS12DecoderContext& dcx, + nsIFile* file, PRErrorCode& nssError) { + nssError = 0; + + nsCOMPtr<nsIInputStream> fileStream; + nsresult rv = NS_NewLocalFileInputStream(getter_AddRefs(fileStream), file); + if (NS_FAILED(rv)) { + return rv; + } + + char buf[PIP_PKCS12_BUFFER_SIZE]; + uint32_t amount; + while (true) { + rv = fileStream->Read(buf, PIP_PKCS12_BUFFER_SIZE, &amount); + if (NS_FAILED(rv)) { + return rv; + } + // feed the file data into the decoder + SECStatus srv = + SEC_PKCS12DecoderUpdate(dcx.get(), (unsigned char*)buf, amount); + if (srv != SECSuccess) { + nssError = PR_GetError(); + return NS_OK; + } + if (amount < PIP_PKCS12_BUFFER_SIZE) { + break; + } + } + return NS_OK; +} + +// What to do when the nickname collides with one already in the db. +SECItem* nsPKCS12Blob::nicknameCollision(SECItem* oldNick, PRBool* cancel, + void* wincx) { + *cancel = false; + int count = 1; + nsCString nickname; + nsAutoString nickFromProp; + nsresult rv = GetPIPNSSBundleString("P12DefaultNickname", nickFromProp); + if (NS_FAILED(rv)) { + return nullptr; + } + NS_ConvertUTF16toUTF8 nickFromPropC(nickFromProp); + // The user is trying to import a PKCS#12 file that doesn't have the + // attribute we use to set the nickname. So in order to reduce the + // number of interactions we require with the user, we'll build a nickname + // for the user. The nickname isn't prominently displayed in the UI, + // so it's OK if we generate one on our own here. + // XXX If the NSS API were smarter and actually passed a pointer to + // the CERTCertificate* we're importing we could actually just + // call default_nickname (which is what the issuance code path + // does) and come up with a reasonable nickname. Alas, the NSS + // API limits our ability to produce a useful nickname without + // bugging the user. :( + while (1) { + // If we've gotten this far, that means there isn't a certificate + // in the database that has the same subject name as the cert we're + // trying to import. So we need to come up with a "nickname" to + // satisfy the NSS requirement or fail in trying to import. + // Basically we use a default nickname from a properties file and + // see if a certificate exists with that nickname. If there isn't, then + // create update the count by one and append the string '#1' Or + // whatever the count currently is, and look for a cert with + // that nickname. Keep updating the count until we find a nickname + // without a corresponding cert. + // XXX If a user imports *many* certs without the 'friendly name' + // attribute, then this may take a long time. :( + nickname = nickFromPropC; + if (count > 1) { + nickname.AppendPrintf(" #%d", count); + } + UniqueCERTCertificate cert( + CERT_FindCertByNickname(CERT_GetDefaultCertDB(), nickname.get())); + if (!cert) { + break; + } + count++; + } + UniqueSECItem newNick( + SECITEM_AllocItem(nullptr, nullptr, nickname.Length() + 1)); + if (!newNick) { + return nullptr; + } + memcpy(newNick->data, nickname.get(), nickname.Length()); + newNick->data[nickname.Length()] = 0; + + return newNick.release(); +} + +// write bytes to the exported PKCS#12 file +void nsPKCS12Blob::writeExportFile(void* arg, const char* buf, + unsigned long len) { + PRFileDesc* file = static_cast<PRFileDesc*>(arg); + MOZ_RELEASE_ASSERT(file); + PR_Write(file, buf, len); +} + +// Translate PRErrorCode to nsIX509CertDB error +uint32_t nsPKCS12Blob::handlePRErrorCode(PRErrorCode aPrerr) { + MOZ_ASSERT(aPrerr != 0); + uint32_t error = nsIX509CertDB::ERROR_UNKNOWN; + switch (aPrerr) { + case SEC_ERROR_PKCS12_CERT_COLLISION: + error = nsIX509CertDB::ERROR_PKCS12_DUPLICATE_DATA; + break; + // INVALID_ARGS is returned on bad password when importing cert + // exported from firefox or generated by openssl + case SEC_ERROR_INVALID_ARGS: + case SEC_ERROR_BAD_PASSWORD: + error = nsIX509CertDB::ERROR_BAD_PASSWORD; + break; + case SEC_ERROR_BAD_DER: + case SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE: + case SEC_ERROR_PKCS12_INVALID_MAC: + error = nsIX509CertDB::ERROR_DECODE_ERROR; + break; + case SEC_ERROR_PKCS12_DUPLICATE_DATA: + error = nsIX509CertDB::ERROR_PKCS12_DUPLICATE_DATA; + break; + } + return error; +} diff --git a/security/manager/ssl/nsPKCS12Blob.h b/security/manager/ssl/nsPKCS12Blob.h new file mode 100644 index 0000000000..e764481999 --- /dev/null +++ b/security/manager/ssl/nsPKCS12Blob.h @@ -0,0 +1,54 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef nsPKCS12Blob_h +#define nsPKCS12Blob_h + +#include "mozilla/RefPtr.h" +#include "mozilla/UniquePtr.h" +#include "nsCOMPtr.h" +#include "nsIInterfaceRequestor.h" +#include "nsString.h" +#include "nsTArray.h" +#include "p12.h" +#include "prerror.h" +#include "ScopedNSSTypes.h" +#include "seccomon.h" + +class nsIFile; +class nsIX509Cert; + +// Class for importing/exporting PKCS#12 blobs +class nsPKCS12Blob { + public: + nsPKCS12Blob(); + ~nsPKCS12Blob() = default; + + // PKCS#12 Import + nsresult ImportFromFile(nsIFile* file, const nsAString& password, + uint32_t& error); + + // PKCS#12 Export + nsresult ExportToFile(nsIFile* file, + const nsTArray<RefPtr<nsIX509Cert>>& certs, + const nsAString& password, uint32_t& error); + + private: + nsCOMPtr<nsIInterfaceRequestor> mUIContext; + + // local helper functions + nsresult inputToDecoder(mozilla::UniqueSEC_PKCS12DecoderContext& dcx, + nsIFile* file, PRErrorCode& nssError); + mozilla::UniquePtr<uint8_t[]> stringToBigEndianBytes(const nsAString& uni, + uint32_t& bytesLength); + uint32_t handlePRErrorCode(PRErrorCode prerr); + + static SECItem* nicknameCollision(SECItem* oldNick, PRBool* cancel, + void* wincx); + static void writeExportFile(void* arg, const char* buf, unsigned long len); +}; + +#endif // nsPKCS12Blob_h diff --git a/security/manager/ssl/nsRandomGenerator.cpp b/security/manager/ssl/nsRandomGenerator.cpp new file mode 100644 index 0000000000..0f56b2b4e3 --- /dev/null +++ b/security/manager/ssl/nsRandomGenerator.cpp @@ -0,0 +1,41 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsRandomGenerator.h" + +#include "ScopedNSSTypes.h" +#include "nsNSSComponent.h" +#include "pk11pub.h" +#include "prerror.h" +#include "secerr.h" +#include "mozilla/UniquePtrExtensions.h" + +NS_IMPL_ISUPPORTS(nsRandomGenerator, nsIRandomGenerator) + +NS_IMETHODIMP +nsRandomGenerator::GenerateRandomBytes(uint32_t aLength, uint8_t** aBuffer) { + NS_ENSURE_ARG_POINTER(aBuffer); + *aBuffer = nullptr; + + mozilla::UniqueFreePtr<uint8_t> buf( + static_cast<uint8_t*>(moz_xmalloc(aLength))); + nsresult rv = GenerateRandomBytesInto(buf.get(), aLength); + NS_ENSURE_SUCCESS(rv, rv); + + *aBuffer = buf.release(); + return NS_OK; +} + +NS_IMETHODIMP +nsRandomGenerator::GenerateRandomBytesInto(uint8_t* aBuffer, uint32_t aLength) { + NS_ENSURE_ARG_POINTER(aBuffer); + + mozilla::UniquePK11SlotInfo slot(PK11_GetInternalSlot()); + if (!slot) { + return NS_ERROR_FAILURE; + } + + SECStatus srv = PK11_GenerateRandomOnSlot(slot.get(), aBuffer, aLength); + return srv == SECSuccess ? NS_OK : NS_ERROR_FAILURE; +} diff --git a/security/manager/ssl/nsRandomGenerator.h b/security/manager/ssl/nsRandomGenerator.h new file mode 100644 index 0000000000..4ae3fc82f4 --- /dev/null +++ b/security/manager/ssl/nsRandomGenerator.h @@ -0,0 +1,29 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef nsRandomGenerator_h +#define nsRandomGenerator_h + +#include "mozilla/Attributes.h" +#include "nsIRandomGenerator.h" + +#define NS_RANDOMGENERATOR_CID \ + { \ + 0xbe65e2b7, 0xfe46, 0x4e0f, { \ + 0x88, 0xe0, 0x4b, 0x38, 0x5d, 0xb4, 0xd6, 0x8a \ + } \ + } + +#define NS_RANDOMGENERATOR_CONTRACTID "@mozilla.org/security/random-generator;1" + +class nsRandomGenerator final : public nsIRandomGenerator { + public: + NS_DECL_THREADSAFE_ISUPPORTS + NS_DECL_NSIRANDOMGENERATOR + + private: + ~nsRandomGenerator() = default; +}; + +#endif // nsRandomGenerator_h diff --git a/security/manager/ssl/nsSSLSocketProvider.cpp b/security/manager/ssl/nsSSLSocketProvider.cpp new file mode 100644 index 0000000000..41fa50add8 --- /dev/null +++ b/security/manager/ssl/nsSSLSocketProvider.cpp @@ -0,0 +1,46 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "mozilla/BasePrincipal.h" +#include "nsSSLSocketProvider.h" +#include "nsNSSIOLayer.h" +#include "nsError.h" + +using mozilla::OriginAttributes; + +nsSSLSocketProvider::nsSSLSocketProvider() = default; + +nsSSLSocketProvider::~nsSSLSocketProvider() = default; + +NS_IMPL_ISUPPORTS(nsSSLSocketProvider, nsISocketProvider) + +NS_IMETHODIMP +nsSSLSocketProvider::NewSocket(int32_t family, const char* host, int32_t port, + nsIProxyInfo* proxy, + const OriginAttributes& originAttributes, + uint32_t flags, uint32_t tlsFlags, + PRFileDesc** _result, + nsITLSSocketControl** tlsSocketControl) { + nsresult rv = + nsSSLIOLayerNewSocket(family, host, port, proxy, originAttributes, + _result, tlsSocketControl, false, flags, tlsFlags); + return (NS_FAILED(rv)) ? NS_ERROR_SOCKET_CREATE_FAILED : NS_OK; +} + +// Add the SSL IO layer to an existing socket +NS_IMETHODIMP +nsSSLSocketProvider::AddToSocket(int32_t family, const char* host, int32_t port, + nsIProxyInfo* proxy, + const OriginAttributes& originAttributes, + uint32_t flags, uint32_t tlsFlags, + PRFileDesc* aSocket, + nsITLSSocketControl** tlsSocketControl) { + nsresult rv = nsSSLIOLayerAddToSocket( + family, host, port, proxy, originAttributes, aSocket, tlsSocketControl, + false, flags, tlsFlags); + + return (NS_FAILED(rv)) ? NS_ERROR_SOCKET_CREATE_FAILED : NS_OK; +} diff --git a/security/manager/ssl/nsSSLSocketProvider.h b/security/manager/ssl/nsSSLSocketProvider.h new file mode 100644 index 0000000000..690c911bd5 --- /dev/null +++ b/security/manager/ssl/nsSSLSocketProvider.h @@ -0,0 +1,32 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef _NSSSLSOCKETPROVIDER_H_ +#define _NSSSLSOCKETPROVIDER_H_ + +#include "nsISocketProvider.h" + +/* 217d014a-1dd2-11b2-999c-b0c4df79b324 */ +#define NS_SSLSOCKETPROVIDER_CID \ + { \ + 0x217d014a, 0x1dd2, 0x11b2, { \ + 0x99, 0x9c, 0xb0, 0xc4, 0xdf, 0x79, 0xb3, 0x24 \ + } \ + } + +class nsSSLSocketProvider : public nsISocketProvider { + public: + NS_DECL_THREADSAFE_ISUPPORTS + NS_DECL_NSISOCKETPROVIDER + + // nsSSLSocketProvider methods: + nsSSLSocketProvider(); + + protected: + virtual ~nsSSLSocketProvider(); +}; + +#endif /* _NSSSLSOCKETPROVIDER_H_ */ diff --git a/security/manager/ssl/nsSTSPreloadList.inc b/security/manager/ssl/nsSTSPreloadList.inc new file mode 100644 index 0000000000..a2a0b03969 --- /dev/null +++ b/security/manager/ssl/nsSTSPreloadList.inc @@ -0,0 +1,158718 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +/*****************************************************************************/ +/* This is an automatically generated file. If you're not */ +/* nsSiteSecurityService.cpp, you shouldn't be #including it. */ +/*****************************************************************************/ + +#include <stdint.h> +const PRTime gPreloadListExpirationTime = INT64_C(1721040743743000); +%% +0--1.de, 1 +0-0.io, 1 +0-0.lt, 1 +0-1.party, 1 +0-24.com, 1 +0-24.net, 1 +0-9.com, 1 +0.com.ms, 1 +0.sb, 1 +00.eco, 1 +00000000-0000-0000-0000-000000000000.xyz, 1 +00010110.nl, 1 +0007552.com, 1 +000814.com, 1 +000a1.com, 1 +000a2.com, 1 +000a3.com, 1 +000a5.com, 1 +000a6.com, 1 +000a7.com, 1 +000a8.com, 1 +000a9.com, 1 +000aicai.com, 1 +000g.ru, 1 +000x2.com, 1 +0011011.xyz, 1 +00120012.net, 1 +00140014.net, 1 +00168365.com, 1 +0017552.com, 1 +0017d88.com, 1 +001yapan.com, 1 +002.ro, 0 +00228.am, 0 +00228555.com, 1 +00228999.com, 1 +00228vip5.com, 1 +00228vip6.com, 1 +00228vip8.com, 1 +00228vv.com, 0 +00228w.com, 1 +00228ww.com, 0 +00228xx.com, 0 +00228yy.com, 0 +00228zz.com, 0 +003.mx, 1 +00321365.com, 1 +00365t.com, 1 +0037552.com, 1 +003d88.com, 1 +003dyw.com, 1 +0047552.com, 1 +00484.com, 1 +005184.xyz, 1 +0057552.com, 1 +0066.in, 1 +0067552.com, 1 +007d88.com, 1 +007kf.com, 1 +007sascha.de, 1 +0087552.com, 1 +00880088.net, 1 +008yingshi.com, 1 +009597.com, 0 +00971.net, 1 +0097552.com, 1 +009cc.com, 1 +009zl.com, 1 +00b31.com, 0 +00b58.com, 1 +00bet86.com, 1 +00c.org, 1 +00d88.com, 1 +00dani.me, 1 +00f.net, 1 +00ffaaa.com, 1 +00ffbbb.com, 1 +00ffccc.com, 1 +00ffddd.com, 1 +00ffeee.com, 1 +00fffaa.com, 1 +00fffbb.com, 1 +00fffcc.com, 1 +00fffdd.com, 1 +00fffee.com, 1 +00fffgg.com, 1 +00fffhh.com, 1 +00fffii.com, 1 +00fffjj.com, 1 +00fffkk.com, 1 +00fffll.com, 1 +00fffmm.com, 1 +00fffnn.com, 1 +00fffoo.com, 1 +00fffpp.com, 1 +00fffqq.com, 1 +00fffrr.com, 1 +00fffss.com, 1 +00ffftt.com, 1 +00fffuu.com, 1 +00fffvv.com, 1 +00fffww.com, 1 +00fffxx.com, 1 +00fffyy.com, 1 +00fffzz.com, 1 +00ffggg.com, 1 +00ffhhh.com, 1 +00ffiii.com, 1 +00ffjjj.com, 1 +00ffkkk.com, 1 +00fflll.com, 1 +00ffmmm.com, 1 +00ffnnn.com, 1 +00ffooo.com, 1 +00ffppp.com, 1 +00ffqqq.com, 1 +00ffrrr.com, 1 +00ffsss.com, 1 +00ffttt.com, 1 +00ffuuu.com, 1 +00ffvvv.com, 1 +00ffwww.com, 1 +00ffxxx.com, 1 +00ffyyy.com, 1 +00ffzzz.com, 1 +00o00.top, 1 +00wbf.com, 1 +01011970.xyz, 1 +010203.ru, 1 +01100010011001010111001101110100.com, 1 +01110000011100110111001001100111.ca, 1 +01110000011100110111001001100111.com, 1 +011100110110010101110010011001110110100101101111.com, 1 +011101.xyz, 1 +0116288.com, 1 +011631.com, 1 +0117552.com, 0 +011ks.com, 1 +012345678365.com, 1 +0127552.com, 0 +01337.tech, 1 +013458.com, 1 +01365t.com, 1 +0137552.com, 1 +0138365.com, 0 +0139365.com, 0 +015kb.com, 1 +018zl.com, 1 +019ks.com, 1 +01electronica.com.ar, 1 +01seguridad.com.ar, 1 +01smh.com, 1 +01tools.com, 1 +01up.co.za, 1 +021002.com, 1 +0222z6.com, 1 +022367.com, 1 +022391.com, 1 +022501.com, 1 +022503.com, 1 +022507.com, 1 +022571.com, 1 +022601.com, 1 +022609.com, 1 +022610.com, 1 +02327.net, 1 +02349898.xyz, 1 +02365t.com, 1 +02375.net, 1 +023sec.com, 1 +025500.xyz, 1 +02638.net, 1 +026637.com, 1 +027862.com, 1 +029637.com, 1 +02d88.net, 1 +02n.cn, 1 +02smh.com, 1 +03-09-2016.wedding, 1 +03012.net, 1 +03018.net, 1 +031373.com, 1 +03170317.com, 1 +032ks.com, 1 +0335z6.com, 1 +035711630.xyz, 1 +0376z6.com, 1 +0377z6.com, 1 +038663.com, 1 +038799.com, 0 +038dev.nl, 1 +0391315.com, 1 +03region.ga, 1 +040552.com, 0 +041552.com, 0 +0420.ec, 1 +042230.com, 1 +042552.com, 0 +04365t.com, 1 +046552.com, 0 +046569.com, 1 +047329.com, 1 +048661.com, 1 +04911701.cn, 1 +049552.com, 0 +04d88.com, 1 +04d88.net, 1 +04pk.cn, 1 +04sun.com, 1 +050.ca, 1 +050a1.com, 1 +050a2.com, 1 +050a3.com, 1 +050a4.com, 1 +050a5.com, 1 +050a6.com, 1 +050ks.com, 1 +051014.com, 1 +0511315.net, 1 +0513z6.com, 1 +0514.chat, 1 +051552.com, 0 +0517z6.com, 1 +051ks.com, 1 +052ks.com, 1 +05365t.com, 1 +053ks.com, 1 +054552.com, 0 +055268.com, 1 +0553z6.com, 1 +0555z6.com, 1 +056687.com, 0 +056697.com, 0 +057180.com, 0 +0571z6.com, 1 +0575z6.com, 1 +0597z6.com, 1 +059958.com, 1 +06006.vip, 0 +060258.com, 1 +060579.com, 1 +060757.com, 1 +060796.com, 1 +060798.com, 1 +06091994.xyz, 1 +06365t.com, 1 +065l.com, 1 +066630.com, 1 +06804.com, 0 +0681a.com, 1 +0681h.com, 1 +068552.com, 0 +06d88.com, 1 +06d88.net, 1 +06se.com, 1 +070709.net, 1 +070930.com, 1 +0712z6.com, 1 +071552.com, 0 +071615.com, 1 +0737399.com, 1 +074696.com, 1 +074758.com, 1 +076.ne.jp, 1 +0760ks.com, 1 +078663.com, 1 +078895.com, 1 +0788yh.com, 1 +0792112.com, 1 +0798rcw.com, 0 +07d88.com, 1 +07d88.net, 1 +07f.de, 1 +08000113.nl, 1 +080261.com, 1 +081115.com, 1 +081752.com, 1 +081763.com, 1 +081769.com, 1 +081783.com, 1 +081925.com, 1 +081927.com, 1 +081957.com, 1 +082159.com, 1 +082167.com, 1 +082173.com, 1 +082175.com, 1 +082179.com, 1 +082192.com, 1 +082193.com, 1 +082195.com, 1 +082359.com, 1 +083321.com, 1 +083326.com, 1 +083329.com, 1 +08365t.com, 1 +083967.com, 1 +084552.com, 1 +084709.com, 1 +085035.com, 1 +085851.com, 0 +086486.com, 1 +08845.cc, 1 +089818.com, 1 +08detaxe.fr, 1 +09.ag, 0 +09000113.nl, 1 +090124.xyz, 1 +090136.com, 1 +0906-clan.tk, 1 +09115.com, 0 +091630.com, 1 +091k8.com, 0 +0935792342.tw, 1 +09365t.com, 1 +095598.cc, 1 +097712.com, 1 +09892.net, 1 +0998z6.com, 1 +0999z6.com, 1 +09elektrik.com, 1 +09kanagawa.jp, 1 +0akarma.me, 1 +0au.de, 0 +0c.mom, 1 +0carbon.com, 1 +0cdn.ga, 1 +0cdn.net, 1 +0cean.tk, 1 +0chan.pl, 1 +0cp8778.com, 1 +0culus.tk, 1 +0d111.com, 1 +0day.agency, 1 +0dayexploits.gq, 1 +0des.com, 1 +0i0.nl, 1 +0ii0.cf, 1 +0iz.net, 1 +0knowledge.de, 1 +0milemarathon.com, 1 +0n3b1t.com, 1 +0nnn.top, 1 +0o0.edu.pl, 1 +0o0.ooo, 1 +0o0o.biz, 1 +0okmnbvcxzx.tk, 1 +0ooo0.xyz, 1 +0paste.com, 1 +0q0.eu, 1 +0r3.de, 1 +0rap.tk, 1 +0system.tk, 1 +0trust.cloud, 1 +0trust.pro, 1 +0ut3r.space, 1 +0verall.tk, 1 +0vi.org, 1 +0w.al, 1 +0w0.wiki, 1 +0wx.cat, 1 +0wx.es, 1 +0wx.eu, 1 +0wx.net, 1 +0wx.org, 1 +0x.cx, 1 +0x.lu, 1 +0x.sk, 1 +0x0.cloud, 1 +0x0.li, 1 +0x00c.de, 1 +0x00ff00ff.com, 1 +0x0a.team, 1 +0x1.ink, 1 +0x12.de, 1 +0x15.ca, 1 +0x17.de, 1 +0x21.consulting, 1 +0x22.de, 1 +0x27.fr, 1 +0x28.de, 1 +0x2a.ninja, 1 +0x378.net, 1 +0x3a.net, 1 +0x41.us, 1 +0x52.net, 1 +0x52.org, 1 +0x53.de, 1 +0x5d.de, 1 +0x5f3759df.net, 1 +0x7.io, 1 +0x76.de, 1 +0x7d7b.net, 1 +0x7fffffff.net, 0 +0x80.org, 1 +0x90.io, 1 +0x90.space, 1 +0xaa55.me, 1 +0xacab.org, 1 +0xaf.tk, 1 +0xda.de, 1 +0xdefaced.de, 1 +0xedward.io, 1 +0xee.eu, 1 +0xf00.ch, 1 +0xfc.de, 1 +0xff.se, 1 +0xfn.eu, 1 +0xheuts.nl, 1 +0xn.de, 1 +0xnotes.me, 0 +0xnull.de, 1 +0xspa.de, 1 +0xword.com, 1 +0yen.org, 1 +1-2-3bounce.co.uk, 1 +1-800-mattress.com, 1 +1-ae.com, 1 +1-inv.com, 1 +1-pujcky-uvery.tk, 1 +1-x-bet.com, 1 +1-x-bet.ke, 1 +1-x-mirror.com, 1 +1-xbet-tj.com, 1 +1-xbet.ke, 1 +1-xbet13.com, 1 +1-xbet20.com, 1 +100-downloads.com, 1 +10000hits.tk, 1 +10000lab.net, 1 +10000rub.gq, 1 +10000spoons.tk, 1 +10001000.xyz, 1 +100048.com, 1 +1000cp5.cc, 1 +1000inf.ru, 1 +1000ps.at, 1 +1000ps.de, 1 +1000rubley.ml, 1 +1000serien.com, 1 +1000wordsevents.com, 0 +1001cachimbas.es, 1 +1001fonts.com, 1 +1001home.cf, 1 +1001kartini.com, 1 +1001mv.com, 1 +1001n.com, 1 +1001reasonstolearnspanish.com, 1 +1001telecommandes.com, 1 +1007337.com, 1 +10086.id, 1 +10086.ru, 1 +100baksov.tk, 1 +100ballov.tk, 1 +100beauty.com, 1 +100bib.ru, 1 +100fast.com, 1 +100fss.com, 1 +100fss.marketing, 1 +100k.eu, 1 +100kraz.ga, 1 +100kredite.de, 1 +100lib.ru, 1 +100mani.it, 1 +100nome.com, 1 +100onrainkajino.com, 1 +100pay.com, 1 +100pour100print.com, 1 +100pudov.tk, 1 +100reach.com, 1 +100refer.tk, 1 +100sapog.tk, 1 +100skidok.ga, 1 +100sovetov.info, 1 +100time.ru, 1 +100tur.tk, 1 +100up.de, 1 +100up.net, 1 +100up.org, 1 +100v.org, 1 +100visits.tk, 1 +100voprosov.tk, 1 +100zakladok.tk, 1 +10101.io, 1 +101010.hopto.org, 1 +101010.pl, 1 +101023.xyz, 1 +10198.com, 1 +101android.ru, 1 +101st-airborne.tk, 1 +101st.tk, 1 +101warehousing.com.au, 1 +1020310.com, 1 +1020311.com, 1 +1020312.com, 1 +1020313.com, 1 +1020314.com, 1 +1020316.com, 1 +1020318.com, 1 +1020319.com, 1 +1020320.com, 1 +10218.com, 1 +10218app10218.com, 1 +10218b.com, 0 +10218c.com, 0 +10218cj.com, 1 +10218d.com, 0 +10218e.com, 0 +10218f.com, 0 +10218g.com, 0 +10218h.com, 0 +10218i.com, 0 +1024.ee, 1 +1024.kr, 1 +1025.ga, 1 +10365e.com, 1 +10365f.com, 1 +10365h.com, 1 +1037thefoxrocks.com, 1 +104.ua, 1 +1040taxfirm.com, 1 +1041263497.rsc.cdn77.org, 1 +10414.org, 0 +10430.net, 1 +10435.net, 1 +10436.net, 1 +10438.net, 1 +10439.net, 1 +10453.net, 1 +104760.com, 1 +10495.net, 1 +105318.com, 1 +105861.com, 1 +106.hi.cn, 1 +10628.com, 1 +1068511.com, 1 +10705.ml, 1 +107996.com, 1 +1079fm.ga, 1 +10840.net, 1 +10961096.xyz, 1 +109k8.com, 1 +10er-friseur.de, 1 +10gbit.ovh, 1 +10hz.de, 1 +10ktotalent.com, 1 +10mach.com, 1 +10media.ru, 1 +10mijlvanijmuiden.tk, 1 +10milliondollarpage.com, 1 +10must.com, 1 +10news.com, 1 +10og.de, 1 +10pearls.com, 1 +10ppm.com, 1 +10seos.com, 1 +10ten.study, 1 +10tv.in, 1 +10ve.live, 1 +10web.io, 1 +10wtac.tk, 1 +10x.to, 1 +10xnation.com, 1 +1100.so, 1 +1100110.xyz, 1 +11018vip.com, 1 +11018xpj.com, 1 +11046.com, 1 +11082.com, 1 +110838.com, 1 +110cl.com, 1 +110na.com, 1 +111011.xyz, 1 +1111365t.com, 1 +111365t.com, 1 +11168365.com, 1 +111814.com, 1 +11182.com, 1 +11183.com, 1 +11185.com, 1 +111aicai.com, 1 +111bet86.com, 1 +111novosti.tk, 1 +111plus.design, 1 +1120301.com, 1 +1120302.com, 1 +1120303.com, 1 +1120305.com, 1 +1120306.com, 1 +1120307.com, 1 +1120308.com, 1 +1120309.com, 1 +1120311.com, 1 +1120312.com, 1 +1120313.com, 1 +1120314.com, 1 +1120315.com, 1 +1120316.com, 1 +1120317.com, 1 +1120320.com, 1 +1120321.com, 1 +1120322.com, 1 +1120323.com, 1 +1120324.com, 1 +1120325.com, 1 +1120326.com, 1 +1120327.com, 1 +1120328.com, 1 +1120330.com, 1 +1120331.com, 1 +1120332.com, 1 +1120334.com, 1 +1120335.com, 1 +1120336.com, 1 +1120337.com, 1 +1120338.com, 1 +1120339.com, 1 +1120341.com, 1 +1120342.com, 1 +1120343.com, 1 +1120344.com, 1 +1120345.com, 1 +1120346.com, 1 +1120347.com, 1 +1120348.com, 1 +1120349.com, 1 +1120350.com, 1 +11221jz.com, 1 +11223837.com, 0 +1126.blog, 1 +112app.nl, 1 +112hz.com, 1 +112it.ro, 0 +112krimpen.tk, 1 +112madgamer.tk, 1 +11321365.com, 1 +11333837.com, 1 +11365t.com, 1 +113k8.com, 1 +113z6.com, 1 +11400.com, 1 +11443837.com, 0 +114514ss.com, 1 +114job.com, 1 +114online.com, 1 +115.one, 1 +115z6.com, 1 +11665835.com, 0 +1174healing.com, 1 +117766.xyz, 1 +1177z6.com, 1 +11792.com, 1 +118400.com, 0 +1190america.tk, 1 +1199bet.vip, 1 +11aaee.com, 1 +11aagg.com, 1 +11aajj.com, 1 +11aaqq.com, 1 +11aazz.com, 1 +11academianetworks.com, 1 +11b31.com, 0 +11b58.com, 1 +11bbjj.com, 1 +11bbpp.com, 1 +11bbqq.com, 1 +11bbss.com, 1 +11bbzz.com, 1 +11bet86.com, 1 +11ccee.com, 1 +11ccgg.com, 1 +11ccjj.com, 1 +11ccpp.com, 1 +11ccqq.com, 1 +11cctt.com, 1 +11cczz.com, 1 +11cloud.ch, 1 +11ddbb.com, 1 +11ddcc.com, 1 +11ddjj.com, 1 +11ddkk.com, 1 +11ddpp.com, 1 +11dzon.com, 1 +11eebb.com, 1 +11eegg.com, 1 +11eejj.com, 1 +11eeqq.com, 1 +11eess.com, 1 +11eexx.com, 1 +11eeyy.com, 1 +11eezz.com, 1 +11ffaaa.com, 1 +11ffbbb.com, 1 +11ffcc.com, 1 +11ffccc.com, 1 +11ffddd.com, 1 +11ffeee.com, 1 +11fffaa.com, 1 +11fffbb.com, 1 +11fffcc.com, 1 +11fffdd.com, 1 +11fffee.com, 1 +11fffgg.com, 1 +11fffhh.com, 1 +11fffii.com, 1 +11fffjj.com, 1 +11fffkk.com, 1 +11fffll.com, 1 +11fffmm.com, 1 +11fffnn.com, 1 +11fffoo.com, 1 +11fffpp.com, 1 +11fffqq.com, 1 +11fffrr.com, 1 +11fffss.com, 1 +11ffftt.com, 1 +11fffuu.com, 1 +11fffvv.com, 1 +11fffww.com, 1 +11fffxx.com, 1 +11fffyy.com, 1 +11fffzz.com, 1 +11ffggg.com, 1 +11ffhhh.com, 1 +11ffiii.com, 1 +11ffjjj.com, 1 +11ffkk.com, 1 +11ffkkk.com, 1 +11fflll.com, 1 +11ffmmm.com, 1 +11ffnnn.com, 1 +11ffooo.com, 1 +11ffppp.com, 1 +11ffqqq.com, 1 +11ffrr.com, 1 +11ffrrr.com, 1 +11ffsss.com, 1 +11fftt.com, 1 +11ffttt.com, 1 +11ffuuu.com, 1 +11ffvvv.com, 1 +11ffwww.com, 1 +11ffxx.com, 1 +11ffxxx.com, 1 +11ffyy.com, 1 +11ffyyy.com, 1 +11ffzz.com, 1 +11ffzzz.com, 1 +11ggbb.com, 1 +11ggcc.com, 1 +11ggee.com, 1 +11ggjj.com, 1 +11ggrr.com, 1 +11ggss.com, 1 +11ggyy.com, 1 +11ggzz.com, 1 +11hhee.com, 1 +11hhff.com, 1 +11hhgg.com, 1 +11hhqq.com, 1 +11hhrr.com, 1 +11hhzz.com, 1 +11it.ru, 1 +11jjaa.com, 1 +11jjcc.com, 1 +11jjrr.com, 1 +11jjyy.com, 1 +11jjzz.com, 1 +11kkee.com, 1 +11kkff.com, 1 +11men.tk, 1 +11ppbb.com, 1 +11ppee.com, 1 +11pphh.com, 1 +11ppjj.com, 1 +11ppqq.com, 1 +11ppss.com, 1 +11pptt.com, 1 +11ppyy.com, 1 +11ppzz.com, 1 +11qqbb.com, 1 +11qqdd.com, 1 +11qqgg.com, 1 +11qqhh.com, 1 +11qqpp.com, 1 +11qqss.com, 1 +11rrcc.com, 1 +11rree.com, 1 +11rrff.com, 1 +11rrhh.com, 1 +11rrjj.com, 1 +11rrkk.com, 1 +11rrqq.com, 1 +11rrss.com, 1 +11rrzz.com, 1 +11sshh.com, 1 +11ssjj.com, 1 +11sskk.com, 1 +11sspp.com, 1 +11ssqq.com, 1 +11ssrr.com, 1 +11sstt.com, 1 +11traders.com, 1 +11ttbb.com, 1 +11tthh.com, 1 +11ttpp.com, 1 +11ttqq.com, 1 +11ttxx.com, 1 +11ttzz.com, 1 +11tv.dp.ua, 1 +11u15.com, 1 +11urss.com, 1 +11yycc.com, 1 +11yydd.com, 1 +11yyee.com, 1 +11yyjj.com, 1 +11yykk.com, 1 +11yyqq.com, 1 +11zzkk.com, 1 +11zztt.com, 1 +12.ag, 1 +12.digital, 1 +1200.cf, 1 +12006.com, 1 +120percent-inc.com, 1 +1212.tk, 1 +1212873467.rsc.cdn77.org, 1 +1218641649.rsc.cdn77.org, 1 +1220310.com, 1 +1220321.com, 1 +1220322.com, 1 +1220323.com, 1 +1220324.com, 1 +1220325.com, 1 +1220326.com, 1 +1220327.com, 1 +1220328.com, 1 +1220329.com, 1 +1220330.com, 1 +1220331.com, 1 +1220332.com, 1 +1220334.com, 1 +1220335.com, 1 +1220336.com, 1 +1220337.com, 1 +1220338.com, 1 +1220339.com, 1 +1220340.com, 1 +1220342.com, 1 +1220343.com, 1 +1220344.com, 1 +1220345.com, 1 +1220346.com, 1 +1220347.com, 1 +1220348.com, 1 +1220349.com, 1 +1220350.com, 1 +1222z6.com, 1 +1223.tk, 1 +123-d.com, 1 +123-ticketsystem.com, 1 +123.chat, 1 +123.gg, 1 +123110.com, 1 +123365t.com, 1 +1234.link, 1 +123410.xyz, 1 +12345.lv, 1 +12345678365.com, 1 +123456789365.com, 1 +12345porn.com, 1 +12365t.com, 1 +123apps.com, 1 +123birthdaygreetings.com, 1 +123comparer.be, 1 +123comparer.fr, 1 +123derivatives.com, 1 +123djdrop.com, 1 +123e.tk, 1 +123freebrushes.com, 1 +123freevectors.com, 1 +123gostovanje.si, 1 +123greeting.tk, 1 +123hpcom.co.uk, 1 +123midterm.com, 1 +123noticias.com.br, 1 +123nutricion.es, 1 +123pay.ir, 1 +123petitspas.com, 1 +123seo.ml, 1 +123site.tk, 1 +123sportpassion.com, 1 +123start.pl, 1 +123start.tk, 1 +123storage.com.au, 1 +123termpapers.com, 1 +123verhuislift.nl, 1 +123viajando.com, 1 +123writings.com, 1 +124133.com, 1 +1244.tk, 1 +1244546066.rsc.cdn77.org, 1 +125-rue.com, 1 +12517.com, 1 +12554.com, 1 +12557.com, 1 +12558.com, 1 +12559.com, 1 +12588.com, 1 +125colours.tk, 1 +125m125.de, 1 +127011.ch, 1 +127661.com, 1 +12778.com, 1 +1277bet.com, 1 +128012.com, 0 +128612.com, 1 +12877.com, 1 +1288366.com, 1 +128bitar.net, 1 +129.co, 1 +12ag8.com, 1 +12apostleshotel.com, 1 +12go.asia, 1 +12go.co, 1 +12gramu.cz, 1 +12grid.co.jp, 1 +12l.nl, 1 +12lasee.com, 1 +12nomos.tk, 1 +12photos.eu, 0 +12socialsmansa.tk, 1 +12train.com, 1 +12u15.com, 1 +12vpx.com, 1 +13-th.com, 1 +130.ua, 0 +1300.cf, 1 +130kb.com, 1 +130ks.com, 1 +130ks.net, 1 +131365a.com, 0 +131365qq.com, 1 +1313z6.com, 1 +13214.cc, 1 +132813.com, 1 +132kv.ch, 1 +133.casino, 1 +13318522.com, 1 +1333.cf, 1 +133335.xyz, 1 +1333z6.com, 1 +1337.ax, 1 +133769.xyz, 1 +1337ersprime.com, 1 +133ks.com, 1 +133ks.net, 1 +133z6.com, 1 +13411-111.com, 1 +134ks.net, 1 +1359826938.rsc.cdn77.org, 1 +135vv.com, 1 +136814.com, 0 +136book.com, 1 +137724.com, 1 +137kb.com, 1 +137z6.com, 1 +138.hk, 1 +13826145000.com, 1 +138z6.com, 1 +1395kj.com, 1 +139z6.com, 1 +13ad.de, 1 +13ag8.com, 1 +13cloudmike.duckdns.org, 1 +13th-dover.uk, 1 +13u15.com, 1 +140.social, 1 +14000.cz, 1 +141-94-142-218.xyz, 1 +141-95-156-101.xyz, 1 +141145.com, 0 +14159.gb.net, 1 +142552.com, 0 +142710.com, 1 +144-217-180-114.xyz, 1 +144chan.ml, 1 +1453914078.rsc.cdn77.org, 1 +1459.io, 1 +145ks.net, 1 +1464424382.rsc.cdn77.org, 1 +146552.com, 0 +1481481.com, 0 +1481486.com, 1 +1481486.net, 1 +148663.com, 1 +149481.com, 1 +14er.jp, 1 +14er.net, 1 +14erc.com, 1 +14ercooper.com, 1 +14fbr.com, 1 +14flags.de, 1 +14it.de, 1 +14thwief.org, 1 +14u15.com, 1 +14x3.de, 1 +15-montorgueil.com, 1 +1511774230.rsc.cdn77.org, 1 +1517.ch, 1 +1517598.com, 1 +1517668.com, 1 +1517669.com, 1 +1517883.com, 1 +1517886.com, 1 +1517889.com, 1 +151farmers.org, 1 +1520301.com, 1 +1520302.com, 1 +1520303.com, 1 +1520304.com, 1 +1520305.com, 1 +1520306.com, 1 +1520310.com, 1 +1520316.com, 1 +1520318.com, 1 +1520319.com, 1 +1520320.com, 1 +1520322.com, 1 +1520323.com, 1 +1520324.com, 1 +1520325.com, 1 +1520326.com, 1 +1520327.com, 1 +1520328.com, 1 +1520329.com, 1 +1520330.com, 1 +1520331.com, 1 +1520332.com, 1 +1520333.com, 1 +1520334.com, 1 +1520335.com, 1 +1520336.com, 1 +1520337.com, 1 +1520338.com, 1 +1520339.com, 1 +1520340.com, 1 +1520341.com, 1 +1520342.com, 1 +1520343.com, 1 +1520344.com, 1 +1520345.com, 1 +1520346.com, 1 +1520347.com, 1 +1520348.com, 1 +1520349.com, 1 +1520350.com, 1 +1527web.com, 1 +152z6.com, 1 +1536.cf, 1 +153z6.com, 1 +154379.com, 1 +154922.com, 0 +155175.com, 0 +155ks.net, 1 +155z6.com, 1 +156k66.com, 1 +156z6.com, 1 +157z6.com, 1 +158.nl, 1 +158306.com, 0 +158bg.com, 1 +1590284872.rsc.cdn77.org, 1 +159ks.net, 1 +159z6.com, 1 +15k.me, 1 +15montorgueil.com, 1 +15ruemontorgueil.com, 1 +15u15.com, 1 +16-qw.tk, 1 +161.sh, 1 +161233.com, 0 +161263.com, 0 +16164f.com, 1 +16195.com, 1 +1620301.com, 1 +1620302.com, 1 +1620303.com, 1 +1620304.com, 1 +1620305.com, 1 +1620306.com, 1 +1620307.com, 1 +1620308.com, 1 +1620309.com, 1 +1620310.com, 1 +1620311.com, 1 +1620312.com, 1 +1620313.com, 1 +1620314.com, 1 +1620315.com, 1 +1620316.com, 1 +1620317.com, 1 +1620318.com, 1 +1620319.com, 1 +1620320.com, 1 +1620321.com, 1 +1620323.com, 1 +1620324.com, 1 +1620325.com, 1 +1620326.com, 1 +1620328.com, 1 +1620329.com, 1 +1620330.com, 1 +1620331.com, 1 +1620332.com, 1 +1620333.com, 1 +1620334.com, 1 +1620335.com, 1 +1620336.com, 1 +1620337.com, 1 +1620338.com, 1 +1620339.com, 1 +1620340.com, 1 +1620341.com, 1 +1620342.com, 1 +1620343.com, 1 +1620349.com, 1 +1620350.com, 1 +162263.com, 0 +162361.com, 0 +162632.com, 1 +162cr.com, 1 +162ea.com, 1 +162jonesrd.ca, 1 +163.gd, 1 +16321.tk, 1 +163pay.com, 1 +164.co, 1 +1644091933.rsc.cdn77.org, 1 +1650thefan.com, 1 +16561155.com, 1 +16561166.com, 1 +16561177.com, 1 +16561188.com, 1 +1661237.com, 1 +166166.com, 1 +166jk.cc, 1 +167clan.net, 1 +1682019.co, 1 +16836500.com, 1 +1683651.com, 1 +16836511.com, 1 +1683652.com, 1 +16836522.com, 1 +1683653.com, 1 +16836533.com, 1 +1683654.com, 1 +16836544.com, 1 +16836555.com, 1 +16836577.com, 1 +16836588.com, 1 +1683659.com, 1 +16836599.com, 1 +168365t.com, 1 +168esb.com, 1 +16974.cc, 1 +169xpj.com, 1 +16megablast.tk, 1 +16packets.com, 1 +16qw.tk, 1 +16region.tk, 1 +16u15.com, 1 +16valerienicolas.tk, 1 +171365a.com, 1 +171365b.com, 1 +171365c.com, 1 +171365d.com, 1 +171365e.com, 1 +171365f.com, 1 +171365g.com, 1 +171365h.com, 1 +171365i.com, 1 +171365j.com, 1 +171365k.com, 1 +171365m.com, 1 +171365n.com, 1 +171365p.com, 1 +171365q.com, 1 +171365r.com, 1 +171365s.com, 1 +171365t.com, 1 +171365u.com, 1 +171365v.com, 1 +171365w.com, 1 +171365x.com, 1 +171365y.com, 1 +171365z.com, 1 +17187q.com, 1 +17190.com, 1 +1720301.com, 1 +1720302.com, 1 +1720303.com, 1 +1720304.com, 1 +1720305.com, 1 +1720306.com, 1 +1720307.com, 1 +1720308.com, 1 +1720309.com, 1 +1720312.com, 1 +1720313.com, 1 +1720314.com, 1 +1720315.com, 1 +1720316.com, 1 +1720317.com, 1 +1720318.com, 1 +1720319.com, 1 +1720320.com, 1 +1720321.com, 1 +1720322.com, 1 +1720323.com, 1 +1720324.com, 1 +1720325.com, 1 +1720326.com, 1 +1720327.com, 1 +1720328.com, 1 +1720329.com, 1 +1720330.com, 1 +1720331.com, 1 +1720332.com, 1 +1720333.com, 1 +1720334.com, 1 +1720335.com, 1 +1720336.com, 1 +1720337.com, 1 +1720338.com, 1 +1720339.com, 1 +1720340.com, 1 +1720341.com, 1 +1720342.com, 1 +1720343.com, 1 +1720344.com, 1 +1720345.com, 1 +1720346.com, 1 +1720347.com, 1 +1720348.com, 1 +1720349.com, 1 +1720350.com, 1 +172792.com, 1 +173.studio, 1 +173yg.com, 1 +174.net.nz, 1 +174343.com, 1 +1750studios.com, 0 +175dt.com, 1 +17901.com, 1 +17920.com, 1 +17921.com, 1 +17kpw.cc, 1 +17kpw.com, 1 +17ta.com, 1 +17th-airborne.tk, 1 +17u15.com, 1 +17xile.com, 1 +1800-mattress.net, 1 +1800baskets.com, 1 +1800flowers.com, 1 +1800matress.net, 1 +1800mattress.co, 1 +1800mattress.net, 1 +1800petmeds.com, 1 +180btt.com, 1 +181k8.com, 1 +181ks.net, 1 +181z6.com, 1 +1820301.com, 1 +1820302.com, 1 +1820303.com, 1 +1820304.com, 1 +1820305.com, 1 +1820306.com, 1 +1820307.com, 1 +1820308.com, 1 +1820309.com, 1 +1820310.com, 1 +1820311.com, 1 +1820313.com, 1 +1820314.com, 1 +1820315.com, 1 +1820316.com, 1 +1820317.com, 1 +1820318.com, 1 +1820319.com, 1 +1820320.com, 1 +1820321.com, 1 +1820322.com, 1 +1820323.com, 1 +1820324.com, 1 +1820325.com, 1 +1820326.com, 1 +1820327.com, 1 +1820328.com, 1 +1820329.com, 1 +1820330.com, 1 +1820331.com, 1 +1820332.com, 1 +1820333.com, 1 +1820334.com, 1 +1820335.com, 1 +1820336.com, 1 +1820337.com, 1 +1820338.com, 1 +1820340.com, 1 +1820341.com, 1 +1820342.com, 1 +1820343.com, 1 +1820344.com, 1 +1820345.com, 1 +1820346.com, 1 +1820347.com, 1 +1820348.com, 1 +1820349.com, 1 +1820350.com, 1 +182wh.com, 1 +182zlong.com, 1 +1831365.com, 1 +1832365.com, 1 +1834365.com, 1 +1837365.com, 1 +183cm.tk, 1 +183zlong.com, 1 +184325.com, 1 +1844329061.rsc.cdn77.org, 1 +18521.com, 1 +185k8.com, 1 +186526.club, 1 +186526.xyz, 1 +186588.xyz, 1 +1869365.com, 0 +186ks.com, 1 +1876365.com, 0 +1876996.com, 1 +18836.com, 1 +1888zr.com, 0 +188cn-sb.com, 1 +188da.com, 0 +188wei.com, 1 +189fc.com, 1 +18f.gov, 1 +18f.gsa.gov, 1 +18kit.com, 1 +18onlypixel.com, 1 +18onlypixels.com, 1 +18pee.com, 1 +18pioners.tk, 1 +18teensporn.pro, 1 +18upchat.com, 1 +18vr.com, 1 +1911trust.com, 1 +1912x.com, 1 +1920.tk, 1 +1920301.com, 1 +1920302.com, 1 +1920303.com, 1 +1920304.com, 1 +1920305.com, 1 +192080.com, 1 +19216811-sifre.com, 1 +19216811.mobi, 1 +192168ll.repair, 1 +1921958389.rsc.cdn77.org, 1 +1926lesoleil.com, 1 +1939365.com, 1 +1941-45.ru, 1 +1965.ml, 1 +196flavors.com, 1 +19770620.xyz, 1 +1981365.com, 1 +1981612088.rsc.cdn77.org, 1 +1986ventures.ph, 1 +1989-bmw-e30-forsale-in-norcal.com, 1 +1989studio.tk, 1 +198wei.com, 1 +1990.ee, 1 +1994.io, 0 +1999.rs, 1 +19990bb.com, 1 +19990c.com, 1 +19990cc.com, 1 +19990d.com, 0 +19990dd.com, 1 +19990e.com, 1 +19990ee.com, 1 +19990ff.com, 1 +19990g.com, 1 +19990gg.com, 1 +19990h.com, 1 +19990hh.com, 1 +19990i.com, 1 +19990ii.com, 1 +19990j.com, 1 +19990jj.com, 1 +19990kk.com, 1 +19990ll.com, 1 +19990m.com, 1 +19990mm.com, 1 +19990o.com, 1 +19990oo.com, 1 +19990p.com, 1 +19990q.com, 1 +19990r.com, 1 +19990rr.com, 1 +19990s.com, 1 +19990ss.com, 1 +19990tt.com, 1 +19990u.com, 1 +19990uu.com, 1 +19990v.com, 1 +19990vv.com, 1 +19990ww.com, 1 +19990x.com, 1 +19990xx.com, 1 +19990y.com, 1 +19990yy.com, 0 +19990zz.com, 1 +199ks.com, 1 +19area.cn, 1 +19hundert84.de, 1 +1a-diamantscheiben.de, 1 +1a-hyp.de, 1 +1a-media.com, 1 +1a-werkstattgeraete.de, 1 +1ab-machinery.com, 1 +1abcicka.ru, 1 +1adda.tk, 1 +1ae86.com, 1 +1ago.be, 1 +1ahyp.de, 1 +1allhosting.com, 1 +1android.de, 1 +1apple.com, 1 +1art.tk, 1 +1atelie.ru, 1 +1autoparts.com, 1 +1aweb.de, 1 +1b1.pl, 1 +1baks.tk, 1 +1bha7uk0.com, 1 +1bitcoinprice.com, 1 +1blazing.cf, 1 +1bps.eu.org, 1 +1bps.io, 1 +1brd.com, 1 +1breadcrumb.com, 1 +1breadcrumb.com.au, 1 +1c-power.ru, 1 +1cbit.ru, 1 +1chan.pl, 1 +1codex.online, 1 +1cover.co.nz, 1 +1cover.com.au, 1 +1cp.org, 1 +1cprosto.tk, 1 +1cswd.com, 1 +1d-lsd.shop, 1 +1datatec.com, 1 +1day.cc, 0 +1day1ac.red, 1 +1dispatch.com, 1 +1dollar.ml, 1 +1dollarwebsite.gq, 1 +1dot1dot1dot1.cf, 1 +1dt.ltd, 1 +1dv.link, 1 +1e9.nl, 1 +1eanda.com, 1 +1earn.com, 1 +1er-secours.ch, 0 +1f123.net, 1 +1f616emo.xyz, 1 +1fastcourse.com, 1 +1fc0.org, 1 +1fresh.com, 1 +1g.gg, 1 +1gp.us, 1 +1hc.be, 1 +1heart.tk, 1 +1heiz-pellets.de, 1 +1hfree.tk, 1 +1huiszoeken.nl, 1 +1ii.im, 1 +1it.click, 1 +1js.de, 1 +1kando.com, 0 +1kdui.com, 1 +1ki174.com, 1 +1kilise.com, 1 +1kilise.net, 1 +1kilise.org, 1 +1kmi.co, 1 +1kv.com.pl, 1 +1lc1.com, 0 +1ll.uk, 1 +1m.duckdns.org, 1 +1malaysian.tk, 1 +1masquepourtous.com, 1 +1me.cz, 1 +1mgt.ru, 1 +1montre.fr, 1 +1my.me, 1 +1naturalway.com, 1 +1nf.me, 1 +1nian.vip, 1 +1node.site, 1 +1nza.net, 1 +1on1on1.de, 1 +1on1on1.tv, 1 +1onehouse.com, 1 +1onestrong.com, 1 +1opochkah.ru, 1 +1p.cl, 1 +1p.ro, 0 +1pair.com, 1 +1panorama.ru, 1 +1para.net, 1 +1password.ca, 1 +1password.com, 1 +1password.community, 1 +1password.eu, 1 +1picture.hu, 1 +1plus.red, 1 +1pluss.ee, 1 +1profile.ru, 1 +1project.com, 1 +1pw.ca, 1 +1q2w.nl, 1 +1q365a.com, 1 +1r.is, 1 +1rs.nl, 1 +1rust.net, 1 +1sand0s.nl, 1 +1scope.com, 1 +1se.co, 0 +1se2or3.com, 1 +1secretaire.com, 1 +1serial.tv, 1 +1sociaaldomein.nl, 1 +1st-bounce.co.uk, 1 +1st-community.de, 1 +1st-online-academy.com, 1 +1st2bounce.com, 1 +1stav.dk, 1 +1stcalldfw.com, 1 +1stchoicelodging.com, 1 +1stchoicewaterproofing.com, 1 +1stclassbouncycastles.co.uk, 1 +1stclasschauffeurs.co.uk, 1 +1stforfun.co.uk, 1 +1stopfloor.com, 1 +1stpeninsulabouncers.co.uk, 1 +1strecipes.com, 1 +1ststop.co.uk, 1 +1sttix.org, 1 +1ticks.com, 1 +1tip.com, 1 +1tomplumber.com, 1 +1u0m.com, 1 +1up.it, 1 +1uptick.com, 1 +1v-lsd.eu, 1 +1v1.xyz, 1 +1v9.im, 1 +1v9.io, 1 +1voz.org, 1 +1vpns.com, 1 +1vs2.by, 1 +1way.faith, 1 +1whw.co.uk, 1 +1whw.uk, 1 +1wirelog.de, 1 +1x-00.com, 1 +1x-01.com, 1 +1x-04.com, 1 +1x-bet-co.com, 1 +1x-bet-ua.com, 1 +1x-bet-uz.com, 1 +1x-bet.com, 1 +1x-bet.ke, 1 +1x-bet2021.com, 1 +1x-bet93432.world, 1 +1x-betua.com, 1 +1x-bit.mobi, 1 +1x-kor.com, 1 +1x-korbet.com, 1 +1x-krbet.com, 1 +1x-mirrors.com, 1 +1x-th.com, 1 +1x1.re, 1 +1x2020.xyz, 1 +1x2betwinner.com, 1 +1x2magazine.eu, 1 +1x88.net, 1 +1xaja.com, 1 +1xb88.net, 1 +1xbenar.com, 1 +1xbet-015.com, 1 +1xbet-66669.top, 0 +1xbet-china.com, 1 +1xbet-ro.com, 1 +1xbet-s.com, 1 +1xbet-se.com, 1 +1xbet-sw.com, 1 +1xbet-uz.com, 1 +1xbet-viet.com, 1 +1xbet.ac, 1 +1xbet.ae, 1 +1xbet.af, 1 +1xbet.bo, 1 +1xbet.cd, 1 +1xbet.cg, 1 +1xbet.ci, 1 +1xbet.cm, 1 +1xbet.co.ke, 1 +1xbet.co.ls, 1 +1xbet.co.mu, 1 +1xbet.co.rw, 1 +1xbet.co.zw, 1 +1xbet.com, 1 +1xbet.com.gh, 1 +1xbet.com.gn, 1 +1xbet.com.mx, 1 +1xbet.com.na, 1 +1xbet.com.tw, 1 +1xbet.com.zm, 1 +1xbet.cr, 1 +1xbet.do, 1 +1xbet.ec, 1 +1xbet.fi, 1 +1xbet.games, 1 +1xbet.gd, 1 +1xbet.gf, 1 +1xbet.global, 1 +1xbet.gm, 1 +1xbet.go.ug, 1 +1xbet.gq, 1 +1xbet.gs, 1 +1xbet.gt, 1 +1xbet.gw, 1 +1xbet.hk, 1 +1xbet.hn, 1 +1xbet.ht, 1 +1xbet.in, 1 +1xbet.ke, 1 +1xbet.kz, 1 +1xbet.lat, 1 +1xbet.mg, 1 +1xbet.mq, 1 +1xbet.mw, 1 +1xbet.na, 1 +1xbet.ne.ug, 1 +1xbet.net.za, 1 +1xbet.ng, 1 +1xbet.nu, 1 +1xbet.org.mw, 1 +1xbet.org.na, 1 +1xbet.pe, 1 +1xbet.ph, 1 +1xbet.pk, 1 +1xbet.pn, 1 +1xbet.ps, 1 +1xbet.rw, 1 +1xbet.sb, 1 +1xbet.sc, 1 +1xbet.sc.ug, 1 +1xbet.sh, 1 +1xbet.sl, 1 +1xbet.sn, 1 +1xbet.sr, 1 +1xbet.tc, 1 +1xbet.td, 1 +1xbet.tj, 1 +1xbet.tl, 1 +1xbet.to, 1 +1xbet.ug, 1 +1xbet.vg, 1 +1xbet.vu, 1 +1xbet1.com, 1 +1xbet101.com, 1 +1xbet102.com, 1 +1xbet105.com, 1 +1xbet12.com, 1 +1xbet13.com, 1 +1xbet14.com, 1 +1xbet15.com, 1 +1xbet2.com, 1 +1xbet26.com, 1 +1xbet27.com, 1 +1xbet3.com, 1 +1xbet359348.top, 1 +1xbet36.com, 1 +1xbet4.com, 1 +1xbet50.com, 1 +1xbet6.com, 1 +1xbet7.com, 1 +1xbet733390.top, 0 +1xbet8.com, 1 +1xbet82.com, 1 +1xbet84.com, 1 +1xbet88.net, 1 +1xbet9.com, 1 +1xbetasia2018.com, 1 +1xbetasia2018.net, 1 +1xbetasia2018.space, 1 +1xbetbk16.com, 1 +1xbetbk17.com, 1 +1xbetbk2.com, 1 +1xbetbk4.com, 1 +1xbetbk6.com, 1 +1xbetbola.com, 1 +1xbetet.com, 1 +1xbetga.com, 1 +1xbethp.com, 1 +1xbetjap.com, 1 +1xbetkk.com, 1 +1xbetkor.com, 1 +1xbetkr.com, 1 +1xbetkr1.com, 1 +1xbetmm.com, 1 +1xbetqq.com, 1 +1xbetsd.com, 1 +1xbetst.com, 1 +1xbetsz.com, 1 +1xbettz.com, 1 +1xbetua.com, 1 +1xbit.com, 1 +1xbit1.com, 1 +1xbit4.com, 1 +1xbit5.com, 1 +1xbk.mobi, 1 +1xbkbet3.com, 1 +1xbkbet4.com, 1 +1xcinta.com, 1 +1xde.com, 1 +1xfast.com, 1 +1xfifa.com, 1 +1xgames.online, 1 +1xgokil.com, 1 +1xir-red.com, 1 +1xj.net, 1 +1xjago.com, 1 +1xjkt.com, 1 +1xjuara.com, 1 +1xmakati.com, 1 +1xmalaysia.com, 1 +1xmaubix.com, 1 +1xmenang.com, 1 +1xmob1pl.top, 1 +1xmobi.com, 1 +1xmyanmar.net, 1 +1xpartners.com, 1 +1xraja.com, 1 +1xraya.com, 1 +1xrindu.com, 1 +1xsinga.com, 1 +1xslot-ua.com, 1 +1xslot.casino, 1 +1xslot.space, 1 +1xslot2.xyz, 1 +1xslot3.com, 1 +1xslot6.xyz, 1 +1xslot7.xyz, 1 +1xslot76161.com, 1 +1xslotpartners.com, 1 +1xslotspartners.com, 1 +1xsport.mobi, 1 +1xspport.mobi, 1 +1xstavka.ru, 1 +1xsukan.com, 1 +1xsultan.com, 1 +1xsultanah.com, 1 +1xtranslate.com, 1 +1xvhy.xyz, 1 +1zagon.tk, 1 +1zavse.si, 1 +1zwolle.nl, 1 +2-ae.com, 1 +2-euromuenzen.de, 1 +2-faktor-betaling.dk, 1 +2.pe, 1 +2.wtf, 1 +20-jahre-auslandsdienst.tk, 1 +200.ee, 1 +200.network, 1 +2000.is, 1 +2000feet.tk, 1 +2000meter.no, 0 +2001y.me, 0 +200201.xyz, 1 +2007-g8.tk, 1 +20071019780415.com, 1 +2007nea.tk, 1 +200fcw.com, 1 +200mmx.net, 1 +200pppp.com, 1 +2012review.tk, 1 +2013review.tk, 1 +20140301.xyz, 1 +2015review.tk, 1 +2016.ga, 1 +2016.tk, 1 +2018-frisuren.tk, 1 +2018.wales, 1 +2018fifaworldcup.tk, 1 +2020cadillac.com, 1 +2020spaces.com, 1 +2021.dog, 1 +2021bleibtsernst.at, 1 +2022.dog, 1 +20220228.xyz, 1 +2022class1.ga, 1 +202jj.com, 0 +2030404.com, 1 +2030411.com, 1 +2033002.com, 1 +2033003.com, 1 +2033004.com, 1 +2033005.com, 1 +2033006.com, 1 +2033007.com, 1 +2033008.com, 1 +2033009.com, 1 +2033010.com, 1 +2033011.com, 1 +2033a.com, 1 +2033c.com, 1 +2033z.com, 1 +203700.com, 1 +204504byse.info, 1 +2048-spiel.de, 1 +207169.com, 1 +207708.com, 1 +208.es, 1 +2083236893.com, 1 +208930.com, 1 +208garfield.com, 1 +208medical.org, 1 +20at.com, 1 +20denier.com, 1 +20four7va.com, 1 +20gg.de, 1 +20plus.com, 1 +20sights.tk, 1 +21-school.ru, 1 +21.co.uk, 1 +2113.ch, 1 +2132vip.com, 1 +2137.eu, 1 +2138vip.com, 0 +213k8.com, 1 +21566365.com, 0 +215advisors.com, 0 +2182am.com, 1 +218strand.com, 1 +21ce.com, 1 +21domain.com, 1 +21done.ph, 1 +21eb.com, 1 +21er.com, 1 +21expo.com, 1 +21football.com, 1 +21god.com, 1 +21gou.com, 1 +21green.com, 1 +21jobs.com, 1 +21kampus.com, 1 +21lab.co, 1 +21love.com, 1 +21nurse.com, 1 +21ol.com, 1 +21photo.com, 1 +21risk.com, 0 +21run.com, 0 +21soccer.com, 1 +21stcenturycarpentry.com.au, 1 +21stcenturyoptics.com, 1 +21stnc.us, 1 +21tax.com, 1 +21up.com, 1 +21venture.com, 1 +22-bets.org, 1 +22007apply.gov, 1 +220220.de, 1 +220control.ru, 1 +2211.cf, 1 +22168365.com, 1 +221791.com, 1 +221b.store, 1 +222001.com, 1 +222138vip.com, 1 +222321365.com, 0 +2226321.com, 1 +2227552.com, 1 +222aicai.com, 1 +222bet86.com, 1 +222tips.com, 1 +223742.com, 1 +225225.jp, 1 +2255motion.com, 1 +225950.com, 1 +2264707.ru, 1 +2277bet.com, 1 +228668.com, 1 +2288422.com, 1 +2288499.com, 1 +22884a.com, 0 +22884b.com, 0 +22884c.com, 0 +22884d.com, 0 +22884e.com, 0 +22884f.com, 0 +22884g.com, 0 +22884h.com, 0 +2299411.com, 1 +2299422.com, 1 +2299433.com, 1 +2299455.com, 1 +2299466.com, 1 +2299477.com, 1 +2299488.com, 1 +22b58.com, 1 +22bet-top.com, 1 +22bet.co.ke, 1 +22bet.com, 1 +22bet.ng, 1 +22bet86.com, 1 +22betglobal.com, 1 +22betpartners.com, 1 +22bets.me, 1 +22ccaa.com, 1 +22d.io, 1 +22delta.com, 1 +22emesiecle.com, 1 +22ffaaa.com, 1 +22ffbbb.com, 1 +22ffccc.com, 1 +22ffddd.com, 1 +22ffeee.com, 1 +22fffaa.com, 1 +22fffbb.com, 1 +22fffcc.com, 1 +22fffdd.com, 1 +22fffee.com, 1 +22fffgg.com, 1 +22fffhh.com, 1 +22fffii.com, 1 +22fffjj.com, 1 +22fffkk.com, 1 +22fffll.com, 1 +22fffmm.com, 1 +22fffnn.com, 1 +22fffoo.com, 1 +22fffpp.com, 1 +22fffqq.com, 1 +22fffrr.com, 1 +22fffss.com, 1 +22ffftt.com, 1 +22fffuu.com, 1 +22fffvv.com, 1 +22fffww.com, 1 +22fffxx.com, 1 +22fffyy.com, 1 +22fffzz.com, 1 +22ffggg.com, 1 +22ffhhh.com, 1 +22ffiii.com, 1 +22ffjjj.com, 1 +22ffkkk.com, 1 +22fflll.com, 1 +22ffmmm.com, 1 +22ffnnn.com, 1 +22ffooo.com, 1 +22ffppp.com, 1 +22ffqqq.com, 1 +22ffrrr.com, 1 +22ffsss.com, 1 +22ffttt.com, 1 +22ffuuu.com, 1 +22ffvvv.com, 1 +22ffwww.com, 1 +22ffxxx.com, 1 +22ffyyy.com, 1 +22ffzzz.com, 1 +22hd.ru, 1 +22i.co.uk, 1 +22lc8.com, 0 +22momo.com, 1 +22nd.com, 0 +22ndcircuitil.gov, 1 +22ssbb.com, 1 +22ssjj.com, 1 +22sskk.com, 1 +22sstt.com, 1 +22tete.com, 1 +22times.com, 1 +22ttgg.com, 1 +22vetter.st, 1 +22xxjj.com, 1 +22xxyy.com, 1 +22yybb.com, 1 +22yydd.com, 1 +22yyii.com, 1 +22yyjj.com, 1 +22yykk.com, 1 +22yypp.com, 1 +22yyqq.com, 1 +22yyrr.com, 1 +22yyss.com, 1 +22yytt.com, 1 +22zt.com, 1 +230beats.com, 1 +232192.com, 1 +233.be, 1 +233.land, 1 +233.services, 1 +2333.press, 1 +233333.ga, 1 +233356.xyz, 0 +2333blog.com, 1 +2333boy.com, 1 +2333hub.com, 1 +2333z6.com, 1 +23365t.com, 1 +233abc.com, 0 +233blog.com, 1 +233boy.com, 1 +233boy.net, 1 +233boy.org, 1 +233hub.com, 1 +233hub.net, 1 +233hub.org, 1 +233hugo.com, 1 +233image.land, 1 +233leyuan.top, 1 +233ss.net, 1 +233try.com, 1 +233v2.com, 1 +233vps.com, 1 +234.fi, 1 +2340365.com, 0 +2345.lgbt, 1 +2345666365.com, 0 +2345678365.com, 1 +23456789365.com, 0 +2346321.com, 1 +2347porthcawlatc.tk, 1 +235u.net, 1 +236530.com, 1 +236560.com, 1 +236570.com, 1 +23andme.com, 1 +23andme.io, 1 +23ks.app, 1 +24-7.fi, 1 +24-7.jp, 1 +24-7intouch.com, 1 +24-restore.com, 1 +240525.com, 1 +240786.com, 1 +241552.com, 1 +242552.com, 1 +242846.com, 1 +243581.com, 1 +2444.cf, 1 +244821.com, 1 +245990.xyz, 1 +245meadowvistaway.com, 0 +246060.ru, 1 +247a.co.uk, 1 +247able.com, 1 +247analsex.com, 1 +247asiansex.com, 1 +247bar.fr, 1 +247bigboobs.com, 1 +247butts.com, 1 +247cumshots.com, 1 +247dns.net, 1 +247healthshop.com, 1 +247maturesex.com, 1 +247medplan.com, 1 +247megamart.com.au, 1 +247naijabuzz.com, 1 +247vision.com, 1 +247xchanger.com, 1 +248000.xyz, 1 +24848168.com, 0 +24848188.com, 0 +24848588.com, 0 +24848918.com, 0 +24848966.com, 0 +24848988.com, 0 +24848a.vip, 1 +24848b.vip, 1 +24848c.vip, 1 +24848d.vip, 1 +24848e.vip, 0 +24848h.vip, 0 +24848rr.com, 0 +24848v.vip, 0 +24848w.vip, 0 +24848x.vip, 0 +24848y.vip, 0 +24848z.vip, 0 +248663.com, 1 +2495dentalimplants.com, 1 +249722.com, 1 +249cq.com, 1 +24action.com, 1 +24active.com, 1 +24alarm.com, 1 +24ball.com, 1 +24beauty.com, 1 +24bel.ru, 0 +24chance.tk, 1 +24control.com, 1 +24fair.com, 1 +24fan.com, 1 +24gazette.ga, 1 +24gis.com, 1 +24go.me, 1 +24h.com.br, 0 +24hod.com, 1 +24hour-locksmithsanantonio.com, 1 +24hourcyclist.co.uk, 1 +24hourlocksmithdallastx.com, 1 +24hourlocksmithspring.com, 1 +24hourscienceprojects.com, 1 +24hrbrandbash.com, 1 +24images.com, 1 +24k.co.jp, 1 +24livene.com, 1 +24london.com, 1 +24meg.com, 1 +24monitor.com, 1 +24onlain.tk, 1 +24read.com, 1 +24see.com, 1 +24share.com, 1 +24slides.com, 1 +24slot.com, 1 +24status.com, 1 +24vod.com, 1 +24webservice.nl, 1 +24x7aircargoservices.co.in, 1 +2500.cf, 1 +2502.net, 1 +250708.com, 1 +2525admin.nl, 1 +253007.com, 1 +253325.com, 1 +254vc.ml, 1 +2555z6.com, 1 +256br.com, 1 +256k.me, 1 +258management.cf, 1 +258management.ga, 1 +258management.ml, 1 +259454.com, 1 +259885.com, 1 +25api.com, 1 +25lotto.co.ke, 1 +25lotto.com, 1 +25may.tk, 1 +25oclock.com, 1 +25percent.me, 1 +25refer.tk, 1 +25reinyan25.net, 1 +2600edinburgh.org, 1 +2600hq.com, 1 +2601.de, 1 +260150.com, 1 +262569.com, 1 +263email.com, 1 +263mail.com, 1 +267326.com, 1 +269196.com, 1 +2698pacificave.com, 1 +26bbc.com, 1 +26ck.com, 1 +26uuu.mobi, 1 +26uuu.us, 1 +27.gay, 1 +27000.best, 1 +271624.com, 1 +2718282.net, 1 +272live.com, 1 +275004.com, 1 +275763.com, 1 +27726.eu, 1 +27728522.com, 1 +277z6.com, 1 +27lx.me, 1 +27skycake.com, 1 +28-industries.com, 1 +280.social, 1 +281180.de, 1 +281ks.com, 1 +282ks.com, 1 +283228.com, 1 +28359.eu, 1 +28365cn-365.com, 1 +283928.com, 1 +28428.com, 0 +284365.com, 1 +285128.com, 1 +287628.com, 1 +2881dh.com, 1 +288628.com, 0 +28865.de, 1 +28865.eu, 1 +288cn-563.com, 1 +288game.net, 1 +2890.ltd, 1 +289728.com, 1 +28spots.net, 1 +291167.xyz, 1 +2912.nl, 1 +293685.com, 1 +2948.ca, 1 +297computers.com, 1 +2991236.com, 1 +299zzz.com, 1 +29a.ch, 1 +29dejuniode1997.tk, 1 +29zw.com, 1 +2ae86.com, 1 +2b2b.pro, 1 +2b2t.fi, 1 +2bas.nl, 1 +2bcompany.ch, 0 +2bet86.com, 1 +2bis10.de, 1 +2bitboer.com, 1 +2bitout.com, 1 +2blazing.cf, 1 +2bu2t.online, 1 +2bu2t.ru, 1 +2buldzha2t.ru, 1 +2business.ml, 1 +2c-b.com, 1 +2c-d.com, 1 +2c-e.com, 1 +2c-t-2.com, 1 +2c-t-7.com, 1 +2c-t-8.com, 1 +2c.lol, 1 +2cars.com, 1 +2cat.cc, 1 +2cb.rocks, 1 +2chan.eu, 1 +2chan.jp, 1 +2chi1.com, 1 +2choose.com, 1 +2class.eu.org, 1 +2cv-co.be, 1 +2cvclubdepicardie.tk, 1 +2daysmood.asia, 1 +2daysmood.eu, 1 +2daysmood.nl, 1 +2daysmood.us, 1 +2diets.ru, 1 +2dk.info, 1 +2dns.com, 1 +2driver-ok.ml, 1 +2earn-online.com, 0 +2fa.directory, 1 +2finish.com, 1 +2fm.ie, 1 +2fm.radio, 1 +2fr3.com, 1 +2fraud.pro, 1 +2free.com, 1 +2g1s.net, 1 +2gallery.com, 1 +2gen.com, 1 +2gether.fr, 1 +2gisparser.tk, 1 +2gmedia.de, 1 +2h-nagoya.org, 1 +2habc.com, 1 +2head.com, 1 +2heartsbookings.co.uk, 1 +2hypeenterprises.com, 1 +2img.net, 1 +2impact.com, 1 +2innovateit.com, 0 +2insights.com, 1 +2isk.in, 1 +2jhb.com, 1 +2jtech.net, 1 +2k2solutions.com, 1 +2k7.link, 1 +2kgwf.fi, 1 +2kinds.tk, 1 +2krueger.de, 1 +2ladd.com, 1 +2lafel.ro, 1 +2learncomputing.ga, 1 +2learncomputing.ml, 1 +2li.ch, 1 +2link.ga, 1 +2logical.net, 1 +2manydits.com, 1 +2manydots.nl, 1 +2mb.solutions, 1 +2mfitnessduo.com, 1 +2milebridge.com, 1 +2mileservice.com, 1 +2mir.com, 1 +2mkz.eu, 1 +2mp.ca, 1 +2nains.ch, 0 +2ndface.info, 1 +2ndmileservice.com, 1 +2ndtivertonscouts.tk, 1 +2nerds1bit.com, 1 +2nimpresores.es, 1 +2nodez.com, 1 +2of.me, 1 +2one.one, 1 +2or3.tk, 1 +2pi.finance, 1 +2pi.network, 1 +2rsc.com, 1 +2rsc.net, 1 +2sendai.net, 1 +2serious.com, 1 +2steel.com, 1 +2stv.net, 0 +2target.com, 1 +2tausend19.de, 1 +2th.me, 1 +2think.org, 1 +2travel8.world, 1 +2url.link, 1 +2ustyle.com, 1 +2value.com, 1 +2vnews.com, 1 +2vp-an.online, 1 +2wheel.com, 0 +2x.nu, 1 +2xgraphik.com, 1 +2y.fi, 1 +2y3x.com, 1 +2yar.tk, 1 +2yy.nl, 1 +3-ae.com, 1 +3.sb, 1 +30-v-minutu.ml, 1 +3000security.co.uk, 1 +30019cc.com, 1 +3007337.com, 1 +300jjjj.com, 1 +300m.com, 1 +301.moe, 1 +301.one, 0 +301.sh, 1 +301.technology, 1 +301334.com, 1 +30375500.com, 1 +30375533.com, 1 +3056999.com, 1 +305westendassistedliving.com, 1 +3078i.com, 0 +308274.com, 1 +3090.eu, 1 +30bet365.com, 1 +30daystosoc.com, 1 +30deagosto.tk, 1 +30for30podcasts.com, 1 +30minut.com, 1 +30nama1.tk, 1 +30region.tk, 1 +30ta.com, 1 +31-elagage.fr, 1 +31.to, 1 +3100.cf, 1 +3133bet.com, 1 +313xpj.com, 0 +314257.com, 1 +314553.com, 1 +315422.com, 1 +315xpj.com, 0 +317811111.com, 0 +317822222.com, 0 +31783333.com, 1 +317833333.com, 0 +317844444.com, 0 +317855555.com, 0 +31786666.com, 0 +317866666.com, 0 +3178666666.com, 1 +317877777.com, 0 +3178888888.com, 1 +31789999.com, 0 +317899999.com, 0 +3178b.com, 0 +3178c.com, 0 +3178dd.com, 1 +3178e.com, 0 +3178f.com, 0 +3178g.com, 0 +3178h.com, 0 +3178i.com, 0 +3178l.com, 0 +3178m.com, 0 +3178n.com, 0 +3178o.com, 0 +3178p.com, 0 +3178ppp.com, 0 +3178qqq.com, 0 +3178rrr.com, 0 +3178tt.com, 0 +3178ttt.com, 0 +3178uuu.com, 0 +3178vvv.com, 0 +3178ww.com, 0 +3178www.com, 0 +3178xx.com, 0 +3178xxx.com, 0 +3178yy.com, 0 +3178yyy.com, 1 +3178zzz.com, 0 +319064.com, 1 +319k3.com, 1 +319xpj.com, 1 +31fss.marketing, 1 +31fss.net, 1 +31fss.support, 1 +320281.net, 1 +321132.com, 0 +321666365.com, 1 +321live.nl, 1 +3233bet.com, 1 +323kkk.com, 1 +325fss.marketing, 1 +326243.com, 1 +3265623.com, 1 +32bet365.com, 1 +32bit.com.tr, 1 +32h.de, 1 +32kk.edu.ee, 1 +33-couvreur.fr, 1 +33-km.ru, 1 +3306.io, 1 +33132.com, 1 +33138app.com, 0 +33138vip.com, 1 +33168365.com, 1 +331977.com, 0 +3332444.com, 0 +333321365.com, 0 +3333365t.com, 1 +333365t.com, 1 +3333ylc.cc, 1 +3336321.com, 1 +333aicai.com, 1 +333bet86.com, 1 +333capital.com, 1 +333capital.com.au, 1 +33445111.com, 1 +33445222.com, 1 +33445444.com, 1 +335a.cc, 0 +336yh.com, 1 +3389p.com, 1 +338da.com, 1 +338sa.com, 1 +339999.top, 1 +33acac.com, 1 +33b58.com, 1 +33devici.ml, 1 +33ffaaa.com, 1 +33ffbbb.com, 1 +33ffccc.com, 1 +33ffddd.com, 1 +33ffeee.com, 1 +33fffaa.com, 1 +33fffbb.com, 1 +33fffcc.com, 1 +33fffdd.com, 1 +33fffee.com, 1 +33fffgg.com, 1 +33fffhh.com, 1 +33fffii.com, 1 +33fffjj.com, 1 +33fffkk.com, 1 +33fffll.com, 1 +33fffmm.com, 1 +33fffnn.com, 1 +33fffoo.com, 1 +33fffpp.com, 1 +33fffqq.com, 1 +33fffrr.com, 1 +33fffss.com, 1 +33ffftt.com, 1 +33fffuu.com, 1 +33fffvv.com, 1 +33fffww.com, 1 +33fffxx.com, 1 +33fffyy.com, 1 +33fffzz.com, 1 +33ffggg.com, 1 +33ffhhh.com, 1 +33ffiii.com, 1 +33ffjjj.com, 1 +33ffkkk.com, 1 +33fflll.com, 1 +33ffmmm.com, 1 +33ffnnn.com, 1 +33ffooo.com, 1 +33ffppp.com, 1 +33ffqqq.com, 1 +33ffrrr.com, 1 +33ffsss.com, 1 +33ffttt.com, 1 +33ffuuu.com, 1 +33ffvvv.com, 1 +33ffwww.com, 1 +33ffxxx.com, 1 +33ffyyy.com, 1 +33ffzzz.com, 1 +33knkn.com, 1 +33zv.com, 0 +33zxzx.com, 1 +3400.cf, 1 +342960.com, 1 +3433bet.com, 1 +34365t.com, 1 +3444.cf, 1 +34536565.com, 0 +3455bet.com, 1 +345666365.com, 0 +3456666365.com, 0 +345678365.com, 1 +3456789365.com, 1 +3466bet.com, 1 +3473-wiki.de, 1 +347552.com, 1 +3477bet.com, 1 +348663.com, 1 +34bg.com, 1 +34ja.com, 1 +34jw.com, 1 +34metiza.ru, 1 +34nh.com, 1 +34nj.com, 1 +350.org, 1 +35089y.com, 1 +351079.com, 1 +351365.com, 0 +3539783.com, 1 +3555500.com, 1 +3559365.com, 1 +355fss.com, 1 +356338.com, 1 +356338a.com, 1 +356338b.com, 1 +357601.com, 1 +35898a.com, 1 +35898b.com, 1 +35898c.com, 1 +35898d.com, 1 +35898e.com, 1 +35898f.com, 1 +35898g.com, 1 +35898h.com, 1 +35898j.com, 1 +35898k.com, 1 +35898m.com, 1 +35898s.com, 1 +35898w.com, 1 +35898x.com, 1 +35898y.com, 1 +35mm.im, 1 +35uj.com, 1 +35wsolutions.com, 1 +360-ot.de, 1 +3602020.xyz, 1 +360365.com, 1 +360bcty.com, 1 +360cycling.com.br, 1 +360degreecloud.com, 1 +360dental.com, 1 +360dialog.com, 1 +360e-commerce.de, 1 +360e-commerce.net, 1 +360ecogroup.com, 0 +360ecommerce.de, 1 +360ecommerce.net, 1 +360faces.com, 1 +360fcu.org, 1 +360gradus.com, 0 +360hosting.com.au, 1 +360islam.com, 1 +360kuvia.fi, 1 +360now.com, 1 +360organic.com, 1 +360primeview.ie, 1 +360prokuvat.fi, 1 +360rail.nl, 1 +360spider.com, 1 +360system.com, 1 +360tr.com, 1 +360trust.com, 1 +360videoshare.com, 1 +360vrs.com, 1 +361116.com, 1 +3615jacky.fr, 1 +364553.com, 1 +365.systems, 1 +36506088.com, 1 +36506099.com, 1 +3651145.com, 1 +3651147.com, 1 +3651149.com, 1 +3651201.com, 1 +3651202.com, 1 +3651203.com, 1 +3651204.com, 1 +3651205.com, 1 +3651267.com, 0 +3652389.com, 0 +36525.hk, 1 +36533c.com, 1 +36533d.com, 1 +36533e.com, 1 +36533f.com, 1 +36533h.com, 1 +36533i.com, 1 +36533j.com, 1 +36533k.com, 1 +36533l.com, 1 +36533m.com, 1 +36533n.com, 1 +36533o.com, 1 +36533r.com, 1 +36533s.com, 1 +36533t.com, 1 +36533u.com, 1 +365365.com, 1 +3653650000.com, 0 +3653651111.com, 1 +36536533.vip, 0 +3653654444.com, 1 +36536555.vip, 0 +36536566.vip, 0 +36536588.vip, 0 +36536599.vip, 0 +3655053.com, 1 +36554ll.com, 0 +3655612.com, 0 +3655623.com, 0 +3655634.com, 0 +3655645.com, 0 +365600dl.com, 1 +36565123.com, 0 +36565234.com, 0 +36565345.com, 0 +365654321.com, 0 +36565456.com, 0 +36565567.com, 0 +36565678.com, 1 +36565789.com, 0 +36565b.com, 1 +36565f.com, 0 +3656701.com, 0 +3656712.com, 0 +3656723.com, 0 +3656734.com, 0 +3656745.com, 0 +3656778.com, 0 +36587654321.com, 1 +365886.com, 1 +3658887654.com, 0 +36594a.com, 1 +36594b.com, 1 +36594c.com, 1 +3659868.com, 1 +3659869.com, 1 +3659980.com, 1 +365a1.com, 0 +365air.com, 1 +365beautyworld.com, 1 +365blog.com, 1 +365canvas.com, 1 +365check.com, 1 +365clo.com, 1 +365cn-288.com, 1 +365coupon.com, 1 +365eib.com, 1 +365eif.com, 1 +365eil.com, 1 +365eiq.com, 1 +365eis.com, 1 +365eiv.com, 1 +365eiw.com, 1 +365fast.com, 1 +365healthworld.com, 1 +365iosapp.com, 0 +365labs.cloud, 1 +365nnnn.com, 0 +365pet.com, 1 +365proxy.com, 1 +365q01.com, 1 +365r.co, 0 +365renovations.com, 1 +365sb-cn.com, 1 +365skulls.com, 1 +365vision.com, 1 +365y0.com, 0 +365y00.com, 0 +365y11.com, 0 +365y2.com, 0 +365y22.com, 0 +365y3.com, 0 +365y33.com, 1 +365y5.com, 0 +365y55.com, 0 +365y6.com, 0 +365y66.com, 0 +365y7.com, 0 +365y77.com, 0 +365y9.com, 0 +365y99.com, 0 +365yapan.com, 1 +365ypw.com, 1 +365zg.org, 1 +369369.xyz, 1 +369bin.com, 1 +369dp.com, 1 +369eq.com, 1 +369ex.com, 1 +369ra.com, 1 +369rr.com, 1 +36ga.com, 1 +36ja.com, 1 +36jn.com, 1 +36kn.com, 1 +36ky.com, 1 +36pd.com, 1 +36pg.com, 1 +36xk.com, 1 +36xn.com, 1 +36yf.com, 1 +370385.com, 1 +371437.com, 1 +371cloud.com, 0 +372bbb.com, 1 +373.moe, 1 +374161.com, 1 +375337.com, 1 +375575.xyz, 1 +375realty.com, 1 +377625.com, 1 +377632.com, 1 +377837.com, 1 +377854.com, 1 +377ks.com, 1 +377zzz.com, 1 +37889658.com, 0 +378901.com, 1 +378902.com, 1 +379237.com, 1 +379437.com, 1 +379637.com, 1 +379700.com, 1 +379737.com, 1 +3798.com, 0 +37987.com, 1 +37987d.com, 1 +37987e.com, 0 +37987f.com, 0 +379efss.com, 1 +37zk.com, 1 +37zw.com, 1 +3800.cf, 1 +380111000.com, 1 +380111777.com, 1 +380222444.com, 0 +380805.com, 1 +38138938.com, 1 +38317.tk, 1 +3837k.com, 0 +3837x.com, 0 +383838.plus, 1 +3839.ca, 1 +383aaa.com, 1 +384854.com, 1 +385833.com, 1 +3880p.com, 1 +38888msc.com, 1 +388da.com, 1 +38irkutsk.tk, 1 +390539.com, 1 +390trains.com, 1 +391231.com, 1 +392365.com, 0 +393335.ml, 0 +394553.com, 1 +3957b.com, 1 +3957d.com, 1 +3957g.com, 1 +396228.com, 0 +396301.com, 0 +396303.com, 0 +396304.com, 0 +396305.com, 0 +3963bb.com, 1 +3963cc.com, 0 +3963dd.com, 0 +396539.com, 1 +397039.com, 1 +3970a.com, 1 +3970aa.com, 1 +3970abc.com, 1 +3970b.com, 1 +3970bb.com, 1 +3970cc.com, 1 +3970ccc.com, 1 +3970d.com, 1 +3970dd.com, 1 +3970f.com, 1 +3970fa.com, 1 +3970ff.com, 1 +3970g.com, 1 +3970gg.com, 1 +3970go.com, 1 +3970h.com, 1 +3970hh.com, 1 +3970ii.com, 1 +3970j.com, 1 +3970jj.com, 1 +3970ku.com, 1 +3970l.com, 1 +3970ll.com, 1 +3970mm.com, 1 +3970n.com, 1 +3970o.com, 1 +3970oo.com, 1 +3970p.com, 1 +3970pp.com, 1 +3970q.com, 1 +3970qq.com, 1 +3970r.com, 1 +3970ss.com, 1 +3970tt.com, 1 +3970u.com, 1 +3970uu.com, 1 +3970v.com, 1 +3970vv.com, 1 +3970w.com, 1 +3970win.com, 1 +3970ww.com, 1 +3970xx.com, 1 +3970y.com, 1 +3970yes.com, 1 +3970ylc.com, 1 +3970yy.com, 1 +3970z.com, 1 +3970zz.com, 1 +397542.com, 1 +398039.com, 1 +39news.tk, 1 +39sihu.com, 0 +39w66.com, 1 +3aa365.com, 1 +3abnstore.com, 1 +3accounts.ml, 1 +3ae86.com, 1 +3aexpert.com.ua, 1 +3ags.de, 1 +3ameldaw.ml, 1 +3amtoolbox.se, 1 +3arena.ie, 1 +3b-concept.fr, 1 +3b.pm, 1 +3bb365.com, 1 +3bet86.com, 1 +3bigking.com, 1 +3blazing.cf, 1 +3candy.com, 1 +3cbalance.pl, 1 +3cc365.com, 1 +3changtrai.com, 1 +3countiescastlehire.co.uk, 1 +3creation.com, 1 +3cs.ch, 0 +3ct.group, 1 +3cup90.com, 1 +3d-animator.net, 1 +3d-glow.de, 1 +3d-station.fr, 1 +3d47.com, 1 +3dadvance.fr, 1 +3dall.ro, 1 +3danimation.tk, 1 +3dapartment.com, 1 +3dc9.jp, 1 +3dcaipiao.com, 1 +3dcollective.es, 1 +3dcopy.com, 1 +3dd365.com, 1 +3degreedesign.co.uk, 1 +3deni.com, 1 +3dexpose.tk, 1 +3dfeel.com, 1 +3dfiguur.nl, 0 +3dflat.tk, 1 +3dflipbook.net, 1 +3dgep.com, 1 +3dinosaurs.com, 1 +3dissue.com, 1 +3djapan.com, 1 +3djava.ml, 1 +3dlab.team, 1 +3dlan.com, 1 +3dm.audio, 1 +3dmedium.de, 1 +3dmetalprinting.tk, 1 +3dmili.com, 1 +3dmusiclab.nl, 1 +3dnovedades.com, 0 +3do3dont.com, 1 +3down.com, 1 +3dprintedobjects.be, 1 +3dprintsondemand.eu, 1 +3dranger.com, 1 +3dreal.tk, 1 +3ds-max.org, 1 +3dscanners.co.uk, 1 +3dshards.com, 1 +3dsites.tk, 1 +3dstandard.com, 1 +3dstore.dk, 1 +3dsupplies.be, 1 +3dtech.pt, 1 +3dvf.com, 1 +3dvisual.studio, 1 +3dzip.org, 1 +3ecpa.com.hk, 1 +3ecpa.com.my, 1 +3ecpa.com.sg, 1 +3ee365.com, 1 +3einfrastructure.com, 1 +3elife.vn, 0 +3em1.pt, 1 +3eyonetim.com, 1 +3ff365.com, 1 +3foto.at, 1 +3g-bandet.tk, 1 +3gdev.com, 1 +3gdu.tk, 1 +3gg365.com, 1 +3h-co.de, 1 +3haeuserprojekt.org, 1 +3haueserprojekt.org, 1 +3hh365.com, 1 +3huan.com, 1 +3i-infotech.com, 1 +3ieimpact.org, 1 +3ii365.com, 1 +3isk.today, 1 +3james.com, 1 +3jj365.com, 1 +3ks.pl, 1 +3link.com, 1 +3links.com, 1 +3lmnyblogger.ga, 1 +3logic.ru, 1 +3lot.ru, 1 +3marilynthemedia.cf, 1 +3mediaweb.com, 1 +3mind-solutions.com, 1 +3ml.org.uk, 0 +3moorcrescent.online, 1 +3ne.fun, 1 +3newsnow.com, 1 +3nickels.com, 1 +3niu007.com, 1 +3niu010.com, 1 +3niu100.com, 1 +3niu111.com, 1 +3niu126.com, 1 +3niu161.com, 1 +3niu1688.com, 1 +3niu178.com, 1 +3niu186.com, 1 +3niu222.com, 1 +3niu226.com, 1 +3niu282.com, 1 +3niu333.com, 1 +3niu353.com, 1 +3niu388.com, 1 +3niu505.com, 1 +3niu568.com, 1 +3niu57.com, 1 +3niu58.com, 1 +3niu588.com, 1 +3niu599.com, 1 +3niu636.com, 1 +3niu64.com, 1 +3niu66.com, 1 +3niu666.com, 1 +3niu6666.com, 1 +3niu668.com, 1 +3niu67.com, 1 +3niu686.com, 1 +3niu699.com, 1 +3niu72.com, 1 +3niu727.com, 1 +3niu768.com, 1 +3niu770.com, 1 +3niu771.com, 1 +3niu777.com, 1 +3niu7777.com, 1 +3niu855.com, 1 +3niu868.com, 1 +3niu880.com, 1 +3niu885.com, 1 +3niu888.com, 1 +3niu89.com, 1 +3niu922.com, 1 +3niu99.com, 1 +3niusurl.com, 1 +3niuurls.com, 1 +3orod.ml, 1 +3os.ooo, 1 +3os.org, 1 +3pestki.org, 1 +3phase.pw, 1 +3pif.de, 1 +3pillarglobal.com, 1 +3plusdesign.gr, 1 +3pm.tw, 1 +3prn.com, 1 +3pro.ca, 1 +3proxy.org, 1 +3proxy.ru, 1 +3queens.cz, 1 +3queens.io, 1 +3r.co.nz, 1 +3r.org.uk, 1 +3rabsite.tk, 1 +3rd.fi, 1 +3rr0r.com, 1 +3rr0r.net, 1 +3rr0r.org, 1 +3s-datasolution.de, 1 +3s-datasolutions.de, 1 +3s-ddns.de, 1 +3s-dns.de, 1 +3s-hosting.de, 1 +3s-mail.de, 1 +3sa.aero, 1 +3scort.tk, 1 +3sd.it, 1 +3sdatasolution.de, 1 +3sdatasolutions.de, 1 +3sddns.de, 1 +3sdns.de, 1 +3shosting.de, 1 +3sisecurity.com, 1 +3sixtydutyfree.com, 1 +3smail.de, 1 +3speak.tv, 1 +3techjournal.cf, 1 +3tiers.xyz, 1 +3trees.tk, 1 +3u15.com, 1 +3v3s.tk, 1 +3v4l.org, 1 +3varta.com.ua, 0 +3vensen.no, 1 +3vlnaeet.cz, 1 +3w-solutions.fr, 1 +3we.org, 1 +3wid.com.br, 1 +3wideclub.com, 1 +3wincorp.com, 1 +3xx.click, 1 +3xx.link, 1 +3zm-cheats.de, 1 +3zm-hacks.de, 1 +3zm.de, 1 +3zzbet.com, 1 +4-0-4.ga, 1 +4-ae.com, 1 +4.com.ms, 1 +4.sb, 1 +4000milestare.com, 1 +4000ok.com, 1 +4000sf.com, 1 +40010monogatari.com, 1 +4005365.com, 1 +4008810.com, 1 +400yaahc.gov, 1 +401go.com, 1 +401ksite.com, 1 +4025360.com, 1 +4025361.com, 1 +4025362.com, 1 +4025363.com, 1 +4025364.com, 1 +4025365.com, 1 +4025366.com, 1 +4025367.com, 1 +4025368.com, 1 +4025369.com, 1 +403.ch, 1 +403page.com, 1 +404.blue, 0 +404.city, 1 +404.guide, 1 +404888.xyz, 1 +4048kkk.com, 1 +4048v.com, 1 +404group.tk, 1 +404notfound.com.br, 1 +408663.com, 1 +409564.com, 1 +40acts.org.uk, 1 +40anospaguemenos.com.br, 1 +40daysnutrition.com, 1 +40percentpapermache.com, 1 +4100.cf, 1 +41199.com, 1 +413504.com, 1 +4144bet.com, 1 +414553.com, 1 +414store.com, 1 +415.ai, 1 +4151365.com, 1 +418.im, 1 +418663.com, 1 +419213.com, 1 +419sport.tk, 1 +41southbar.com, 1 +420.nerdpol.ovh, 1 +420screen.com, 1 +420weedcenter.com, 1 +4222.cf, 1 +4233065.com, 1 +4233068.com, 1 +4233069.com, 1 +4233330.com, 1 +4233331.com, 1 +4233332.com, 1 +4233334.com, 1 +4233335.com, 1 +4233336.com, 1 +4233337.com, 1 +4233338.com, 1 +4233339.com, 1 +424102.com, 1 +4245pay.com, 1 +4251365.com, 0 +425degree.com, 1 +426773.com, 0 +428northampton.com, 1 +42bit.io, 1 +42ch.com, 1 +42day.info, 1 +42degrees.com, 1 +42entrepreneurs.fr, 0 +42fss.us, 1 +42gears.com, 1 +42l.fr, 1 +42t.ru, 1 +4305design.com.au, 0 +432666365.com, 1 +4333.cf, 1 +434365.com, 1 +4344bet.com, 1 +4345.me, 0 +4351365.com, 0 +436773.com, 1 +437348.com, 1 +437844.com, 1 +438663.com, 1 +439050.com, 1 +439182.com, 1 +43klive.com, 1 +44-k.com, 1 +440313.com, 1 +44168365.com, 1 +443.one, 0 +443.org, 1 +443658.com, 0 +44365t.com, 1 +443782.com, 1 +444321365.com, 0 +4444.com.tw, 1 +4447552.com, 1 +444aicai.com, 1 +444bet86.com, 1 +446072.com, 1 +44ada.pl, 1 +44bet86.com, 1 +44feelings.com, 1 +44ffaaa.com, 1 +44ffbbb.com, 1 +44ffccc.com, 1 +44ffddd.com, 1 +44ffeee.com, 1 +44fffaa.com, 1 +44fffbb.com, 1 +44fffcc.com, 1 +44fffdd.com, 1 +44fffee.com, 1 +44fffgg.com, 1 +44fffhh.com, 1 +44fffii.com, 1 +44fffjj.com, 1 +44fffkk.com, 1 +44fffll.com, 1 +44fffmm.com, 1 +44fffnn.com, 1 +44fffoo.com, 1 +44fffpp.com, 1 +44fffqq.com, 1 +44fffrr.com, 1 +44fffss.com, 1 +44ffftt.com, 1 +44fffuu.com, 1 +44fffvv.com, 1 +44fffww.com, 1 +44fffxx.com, 1 +44fffyy.com, 1 +44fffzz.com, 1 +44ffggg.com, 1 +44ffhhh.com, 1 +44ffiii.com, 1 +44ffjjj.com, 1 +44ffkkk.com, 1 +44fflll.com, 1 +44ffmmm.com, 1 +44ffnnn.com, 1 +44ffooo.com, 1 +44ffppp.com, 1 +44ffqqq.com, 1 +44ffrrr.com, 1 +44ffsss.com, 1 +44ffttt.com, 1 +44ffuuu.com, 1 +44ffvvv.com, 1 +44ffwww.com, 1 +44ffxxx.com, 1 +44ffyyy.com, 1 +44ffzzz.com, 1 +451.ooo, 1 +451365.com, 0 +452895.com, 1 +45365t.com, 1 +4544bet.com, 1 +4551365.com, 1 +4553.com, 1 +455327.com, 1 +455328.com, 1 +4553s.com, 1 +4553vip.com, 1 +455555.xyz, 1 +45636565.com, 1 +456365t.com, 1 +4566321.com, 1 +4567.plus, 1 +4567666365.com, 0 +4567989.com, 1 +457552.com, 1 +458663.com, 1 +45b.org, 1 +45min.ga, 1 +45secondes.fr, 1 +463855.com, 1 +4661049.com, 1 +467413.com, 1 +46bf.com, 1 +46bl.com, 1 +46fn.com, 1 +47.rs, 1 +476470.com, 1 +476773.com, 1 +47essays.com, 1 +47tech.com, 1 +47yr.com, 1 +480ptvseries.com, 1 +482449.com, 1 +483329.com, 1 +483610.com, 1 +48365365cn.com, 1 +48365cn-365.com, 1 +486662.xyz, 1 +486773.com, 1 +487511.com, 1 +487552.com, 1 +48coin.cf, 1 +48d88.com, 1 +48hr.com, 1 +48lipetsk.tk, 1 +48times.online, 1 +491783.com, 1 +491mhz.net, 1 +4927a.com, 0 +492977.com, 0 +492y.com, 0 +497552.com, 0 +49889.com, 1 +49948522.com, 1 +499ks.net, 1 +49ko.com, 1 +4ads.de, 1 +4ae86.com, 1 +4allpromos.com, 1 +4am.click, 1 +4armed.com, 1 +4b.gg, 1 +4baby.com.br, 1 +4beats.ml, 1 +4best.tk, 1 +4bet86.com, 1 +4bmt-vld.xyz, 1 +4budget.ga, 1 +4cavaleiros.com.br, 1 +4chairs.bg, 1 +4chan.com, 1 +4child.tk, 1 +4cloud.cf, 1 +4creative.net, 1 +4cut.tk, 1 +4d2.xyz, 1 +4daagse.nl, 1 +4dbuild.net, 1 +4dclub.com, 1 +4devs.com.br, 1 +4digital.it, 1 +4digitiq.nl, 1 +4dillusion.tk, 1 +4dimension.net, 1 +4dplay.com, 1 +4dsignworx.com, 1 +4dstyle.com, 1 +4e8.net, 1 +4everdosti.tk, 1 +4everproxy.com, 1 +4exchange.ru, 1 +4filtre.com, 1 +4filtre.com.tr, 1 +4fit.ro, 1 +4flex.info, 1 +4freepress.com, 1 +4freeprintable.com, 1 +4g-server.eu, 0 +4game.my.id, 1 +4garage.com.br, 1 +4gnews.pt, 1 +4grad.in.ua, 1 +4hmediaproductions.com, 1 +4host.ch, 1 +4hourcourse.com, 1 +4hourmini.com, 1 +4hw.ru, 1 +4hypo.cz, 1 +4infra.com.br, 1 +4investors.de, 1 +4iplatform.com, 1 +4iq.lt, 1 +4k3dyptt.com, 1 +4kpi.eu, 1 +4kprojektory.cz, 1 +4lados.tk, 1 +4lephants.tk, 1 +4list.ml, 1 +4loc.us, 1 +4lock.com.br, 1 +4mama.ua, 1 +4maniacos.tk, 1 +4meizu.ru, 0 +4mm.org, 1 +4motionsgmbh.de, 1 +4n3.net, 1 +4nature.com, 1 +4netguides.org, 1 +4nikola.de, 1 +4o.pw, 1 +4obgyne.com, 1 +4ourbest.tk, 1 +4pals.org, 1 +4paws.co.uk, 1 +4peace.gent, 1 +4played.de, 1 +4played.vip, 1 +4project.co.il, 1 +4q-quartet.tk, 1 +4racers.jp, 1 +4ree.tk, 1 +4screens.net, 1 +4season-flowers.com, 1 +4seasonz.co.nz, 1 +4seeds.co.za, 1 +4seo.ml, 1 +4server.ch, 1 +4share.tv, 1 +4sics.se, 1 +4sjnc.org, 1 +4smart.cz, 1 +4smart.house, 1 +4sun.cf, 1 +4tgw34.tk, 1 +4th-ave-studio.com, 1 +4thfebruary.tk, 1 +4thjdcar.gov, 1 +4true.com, 1 +4u.services, 0 +4u2ore.net, 1 +4uwatch.cf, 1 +4vector.com, 1 +4vf.de, 1 +4vio.com, 1 +4voip.ru, 1 +4web-hosting.com, 1 +4wrd.cc, 1 +4x.fi, 1 +4x4-27mc.nl, 1 +4x4.lk, 1 +4x4coatingen.nl, 1 +4x4tt.com, 1 +4y4.me, 1 +4y4a-arts.space, 1 +4yowipes10yo.gq, 1 +4yuz.net, 1 +50-ottenkov.tk, 1 +50.gy, 1 +5000164.com, 1 +5000164.jp, 1 +5000yz.com, 1 +5002888.com, 1 +5007999.com, 1 +500f500.com, 1 +500fcw.com, 1 +500k.nl, 1 +500wordessay.gq, 1 +501371.com, 1 +5017501.com, 1 +5017502.com, 1 +5017503.com, 1 +5017505.com, 1 +5017701.com, 1 +5017702.com, 1 +5017703.com, 1 +5017704.com, 1 +5017705.com, 1 +5017801.com, 1 +5017802.com, 1 +5017803.com, 1 +5017804.com, 1 +5017805.com, 1 +501stcl.tk, 1 +502312.com, 1 +502fss.marketing, 1 +5060711.com, 1 +5060715.com, 1 +50balles.com, 1 +50firstavenue.com.au, 1 +50hertz.tk, 1 +50lakeshore.com, 1 +50ma.xyz, 1 +50miners.tk, 1 +50plusdating.ml, 1 +50plusdating.tk, 1 +50plusmusikfestival.ch, 1 +50plusnet.nl, 1 +50refer.tk, 1 +50ten40.com, 1 +51-83-136-132.xyz, 1 +511.org, 1 +511in.org, 1 +51365a.com, 0 +51365aa.com, 1 +51365b.com, 0 +51365bb.com, 1 +51365c.com, 0 +51365cc.com, 1 +51365d.com, 0 +51365ee.com, 0 +513maximus.site, 1 +513x.cc, 1 +514-media.co.uk, 1 +514-media.com, 1 +514-media.de, 1 +514-media.fr, 1 +514.moe, 1 +514622.com, 1 +515188.xyz, 1 +5155bet.com, 1 +517vpn.cn, 1 +518.com.tw, 1 +518k8.com, 1 +5197aa.co, 1 +5197bb.co, 1 +5197cc.co, 1 +5197dd.co, 1 +5197dh.co, 0 +5197dns.com, 1 +5197ee.co, 1 +5197ff.co, 1 +5197gg.co, 1 +5197hd.co, 1 +5197hh.co, 1 +5197ii.co, 1 +5197jj.co, 1 +5197kk.co, 1 +5197ll.co, 1 +5197m.co, 1 +5197mm.co, 1 +5197n.co, 1 +5197nn.co, 1 +5197o.co, 1 +5197oo.co, 1 +5197p.co, 1 +5197pp.co, 1 +5197q.co, 1 +5197qq.co, 1 +5197r.co, 1 +5197rr.co, 1 +5197s.co, 1 +5197ss.co, 1 +5197t.co, 1 +5197tt.co, 1 +5197u.co, 1 +5197uu.co, 1 +5197v.co, 1 +5197vv.co, 1 +5197w.co, 1 +5197ww.co, 1 +5197x.co, 1 +5197xx.co, 1 +5197y.co, 1 +5197yy.co, 1 +5197z.co, 1 +5197zz.co, 1 +51acg.eu.org, 1 +51aifuli.com, 1 +51cls.tw, 1 +51club8.com, 1 +51dinghuo.com, 1 +51fish.com, 1 +51fishing.com, 1 +51flower.com, 1 +51flowers.com, 1 +51free.com, 1 +51fss.marketing, 1 +51guaq.com, 1 +51ku.com, 1 +51life.com, 1 +51logo.com, 1 +51motor.com, 1 +51photos.com, 1 +51pic.com, 1 +51pig.com, 1 +51pinpai.com, 1 +51power.com, 1 +51resume.com, 1 +51senluo.com, 1 +51share.com, 1 +51shoes.com, 1 +51space.com, 1 +51talk.ph, 1 +51tiaojiu.com, 1 +51train.com, 1 +51xiongmao.cn, 1 +52002a.com, 1 +52002b.com, 1 +52002c.com, 1 +52002d.com, 1 +52002e.com, 1 +52002f.com, 1 +52002g.com, 1 +52002h.com, 1 +52002i.com, 1 +52002j.com, 1 +52002k.com, 1 +52002l.com, 1 +52002m.com, 1 +52002n.com, 1 +52002o.com, 1 +52002p.com, 1 +52002q.com, 1 +52002r.com, 1 +52002s.com, 1 +52002t.com, 1 +52002u.com, 1 +52002v.com, 1 +52002w.com, 1 +52002x.com, 1 +52002y.com, 1 +5201365.com, 0 +52051.com, 1 +52051a.com, 1 +5205365.com, 0 +52062z.com, 1 +5206365.com, 0 +5209365.com, 0 +520xpjxpj.com, 0 +521.dog, 1 +5219.ml, 1 +521keyvista.com, 1 +521ssl.com, 1 +5225sf.com, 1 +528sss.com, 1 +529kb.com, 1 +529sss.com, 1 +52b9.com, 1 +52b9.net, 1 +52danji.cc, 1 +52dashboard.com, 1 +52evar.com, 1 +52fanpai.com, 1 +52fish.com, 1 +52fss.marketing, 1 +52hentai.ml, 1 +52itt.com, 1 +52kb1.com, 1 +52kb365.com, 0 +52ncp.net, 1 +52pojie.cn, 1 +52sykb.com, 0 +52xuanmi.com, 1 +52yanhao.com, 1 +531k8.com, 1 +533sss.com, 1 +534365.com, 1 +535kb.com, 1 +5364b.com, 1 +5364c.com, 1 +5364d.com, 1 +5364jc.com, 1 +538507.com, 1 +53ningen.com, 0 +53pluk.cz, 1 +540interactive.com, 1 +541651.com, 1 +5454app.com, 1 +5455bet.com, 1 +54below.com, 0 +54cuatro.com, 1 +5518k3.com, 1 +55321365.com, 0 +5533445.com, 1 +55365t.com, 1 +5536z.com, 1 +555321365.com, 0 +555554.xyz, 1 +5557552.com, 1 +555aicai.com, 1 +555bet86.com, 1 +555btt.com, 1 +555kb.com, 1 +555w.org, 1 +555xl.com, 1 +555zlong.com, 1 +556185.com, 1 +5566bet.vip, 1 +556777.cc, 1 +557.pm, 1 +557bbb.com, 1 +558137.com, 1 +55bet86.com, 1 +55club.com, 1 +55ffaaa.com, 1 +55ffbbb.com, 1 +55ffccc.com, 1 +55ffddd.com, 1 +55ffeee.com, 1 +55fffaa.com, 1 +55fffbb.com, 1 +55fffcc.com, 1 +55fffdd.com, 1 +55fffee.com, 1 +55fffgg.com, 1 +55fffhh.com, 1 +55fffii.com, 1 +55fffjj.com, 1 +55fffkk.com, 1 +55fffll.com, 1 +55fffmm.com, 1 +55fffnn.com, 1 +55fffoo.com, 1 +55fffpp.com, 1 +55fffqq.com, 1 +55fffrr.com, 1 +55fffss.com, 1 +55ffftt.com, 1 +55fffuu.com, 1 +55fffvv.com, 1 +55fffww.com, 1 +55fffxx.com, 1 +55fffyy.com, 1 +55fffzz.com, 1 +55ffggg.com, 1 +55ffhhh.com, 1 +55ffiii.com, 1 +55ffjjj.com, 1 +55ffkkk.com, 1 +55fflll.com, 1 +55ffmmm.com, 1 +55ffnnn.com, 1 +55ffooo.com, 1 +55ffppp.com, 1 +55ffqqq.com, 1 +55ffrrr.com, 1 +55ffsss.com, 1 +55ffttt.com, 1 +55ffuuu.com, 1 +55ffvvv.com, 1 +55ffwww.com, 1 +55ffxxx.com, 1 +55ffyyy.com, 1 +55ffzzz.com, 1 +55fss.net, 1 +55goal.com, 1 +55k66.vip, 1 +55opt.org, 1 +56011s.com, 0 +56011v.com, 0 +5611.cf, 1 +5611bet.com, 1 +5622bet.com, 1 +562656.com, 1 +562956.com, 1 +563398.com, 1 +5633bet.com, 1 +56365t.com, 1 +5663.cc, 1 +5663.co, 1 +566380.com, 0 +56736565.com, 1 +5676321.com, 1 +567666365.com, 1 +5677.cf, 1 +5678666365.com, 0 +568756.com, 1 +572223.com, 1 +572kb.com, 1 +573sss.com, 1 +5758cp.com, 1 +5765.io, 1 +578064.com, 1 +5781.org, 1 +578173.com, 1 +578380.com, 1 +5792.org, 1 +579514.com, 1 +5795444.com, 1 +5795887.com, 1 +582303.com, 1 +585380.com, 1 +588e.com, 1 +589174.com, 1 +5898657.com, 1 +589team.com, 1 +592227.com, 1 +593380.com, 1 +593398.com, 1 +594795.com, 1 +595380.com, 1 +5981168.com, 1 +5981611.com, 1 +5981622.com, 1 +5981644.com, 1 +5981655.com, 1 +5981667.com, 1 +5981668.com, 1 +5981669.com, 1 +5981677.com, 1 +5981688.com, 1 +5981699.com, 1 +5981800.com, 1 +5981811.com, 1 +5981822.com, 1 +5981833.com, 1 +5981844.com, 1 +5981855.com, 1 +5981866.com, 1 +5981877.com, 1 +5981899.com, 1 +5981918.com, 1 +5981b.com, 1 +5981c.com, 1 +5981d.com, 1 +5981e.com, 1 +5981f.com, 1 +5981g.com, 1 +5981h.com, 1 +5981i.com, 1 +5981k.com, 1 +5981l.com, 1 +5981m.com, 1 +5981o.com, 1 +5981p.com, 1 +5981q.com, 1 +5981r.com, 1 +5981s.com, 1 +5981u.com, 1 +5981v.com, 1 +5981w.com, 1 +5981x.com, 1 +5981y.com, 0 +5981z.com, 1 +598598598.net, 1 +59859h.vip, 1 +59859j.vip, 1 +59859k.vip, 1 +59859l.vip, 1 +59859y.vip, 1 +5986fc.com, 1 +5997891.com, 0 +59dcmi.gov, 1 +59rus.tk, 1 +59yanhao.com, 1 +5aelettroni.ga, 1 +5agks.com, 1 +5am.is, 1 +5apps.com, 1 +5baiwan.com, 1 +5bet86.com, 1 +5c1fd0f31022cbc40af9f785847baaf9.space, 1 +5ca.com, 1 +5cake.com, 1 +5ccapitalinvestments.com, 1 +5chat.it, 1 +5dm.link, 1 +5dm.one, 1 +5dm.tv, 1 +5drachenschule.de, 1 +5e.tools, 1 +5eki.jp, 0 +5elementostudio.co, 1 +5escorts.com, 1 +5fm.nu, 1 +5francs.com, 1 +5g.co.uk, 1 +5goglobal.com, 1 +5h0r7.com, 1 +5icsb.com, 1 +5iforum.com, 1 +5ilg.com, 1 +5in.win, 0 +5long88.com, 1 +5minutemystery.com, 1 +5n.be, 1 +5net.ga, 1 +5ososea.com, 1 +5peciali5t.tk, 1 +5penazi.sk, 1 +5percentperweek.com, 1 +5snb.club, 1 +5sporn.com, 1 +5starcruises.com.au, 1 +5stardesigner.tk, 1 +5starexterior.com, 0 +5stars.tv, 1 +5startree.com, 1 +5startrucksales.us, 1 +5tar.jp, 1 +5tart.tk, 1 +5thchichesterscouts.org.uk, 1 +5thfloormedia.com, 1 +5thgenrams.com, 1 +5tiptop.com, 1 +5top.nl, 1 +5u15.com, 1 +5y.fi, 1 +5yeb.com, 0 +6-bros.com, 1 +6-d.cc, 1 +6.vu, 1 +600cao.com, 1 +600k8.com, 0 +604windswell.ca, 1 +6060fm.tk, 1 +6080.ga, 1 +608245.com, 1 +608460.com, 1 +608854.com, 1 +608vets.com, 1 +60d.cn, 1 +60i.cn, 1 +60n13.com, 1 +60w.co, 1 +610.co, 1 +6132pk.com, 1 +6132vip.com, 1 +614989.com, 1 +616578.com, 1 +616675.com, 1 +616728.com, 0 +616758.com, 0 +616798.com, 1 +616btt.net, 1 +616f88.com, 1 +61730123.com, 0 +618034.xyz, 1 +61ag8.com, 1 +61d88.com, 1 +61fss.net, 1 +620207.com, 1 +620862.com, 1 +621424.com, 1 +621kb.com, 1 +621nn.com, 0 +625kb.com, 1 +626562.com, 1 +628062.com, 1 +628462.com, 1 +632025.com, 1 +632026.com, 1 +632027.com, 1 +632035.com, 0 +632040.com, 1 +632045.com, 1 +632046.com, 1 +632047.com, 1 +6321000.com, 0 +6321007.com, 0 +6321008.com, 0 +6321009.com, 0 +6321222.com, 0 +6321333.com, 0 +632140.com, 1 +632143.com, 1 +632144.com, 1 +632148.com, 0 +632174.com, 0 +632365.com, 1 +632863.com, 1 +633663.net, 1 +633663.vip, 1 +635-488.com, 0 +635-588.com, 0 +635-788.com, 0 +635-888.com, 1 +635-988.com, 1 +636051.com, 1 +637663.com, 1 +638566.com, 1 +6396000.com, 1 +63960000.com, 1 +63961111.com, 1 +639611111.com, 0 +6396222.com, 1 +63962222.com, 1 +639622222.com, 0 +6396333.com, 1 +63963333.com, 1 +639633333.com, 0 +6396444.com, 1 +63964444.com, 1 +639644444.com, 0 +63965555.com, 0 +639655555.com, 0 +639666666.com, 0 +63967777.com, 1 +639677777.com, 0 +63968888.com, 0 +639688888.com, 1 +63969999.com, 0 +639699999.com, 0 +6396aaa.com, 1 +6396bbb.com, 1 +6396ccc.com, 1 +6396ddd.com, 1 +6396eee.com, 0 +6396fff.com, 1 +6396iii.com, 0 +6396jjj.com, 0 +6396ooo.com, 0 +6396qqq.com, 0 +6396rrr.com, 0 +6396sss.com, 0 +6396ttt.com, 1 +6396vvv.com, 0 +6396www.com, 0 +6396xxx.com, 0 +6396yyy.com, 1 +6396zzz.com, 0 +63fg.com, 1 +63gaming.com, 1 +645ds.cn, 0 +645ds.com, 0 +64970.com, 1 +64bitgaming.de, 1 +64stacks.com, 1 +650.org, 1 +65131a.com, 1 +65131b.com, 1 +65131c.com, 1 +65131d.com, 1 +65131h.com, 1 +65131i.com, 1 +65131j.com, 1 +65131t.com, 1 +65131u.com, 1 +65131v.com, 1 +65131w.com, 1 +65131x.com, 1 +65131y.com, 1 +65131z.com, 1 +6541166.com, 1 +6542277.com, 1 +6543399.com, 1 +6547700.com, 1 +6547711.com, 1 +6547722.com, 1 +6547733.com, 1 +6547744.com, 1 +6547755.com, 1 +6547766.com, 1 +6548855.com, 1 +6548877.com, 1 +654pk.cn, 1 +655ks.com, 1 +656265.com, 1 +658565.com, 1 +659265.com, 1 +65d88.com, 1 +6601.cf, 1 +6602.cf, 1 +6602p.com, 1 +6603.cf, 1 +6604.cf, 1 +6605.cf, 1 +6606.cf, 1 +6607.cf, 1 +6608.cf, 1 +6609.cf, 1 +6610.cf, 1 +6612.cf, 1 +6613.cf, 1 +661326.com, 1 +6614.cf, 1 +6615.cf, 1 +6616.cf, 1 +66168365.com, 1 +6616fc.com, 1 +6617.cf, 1 +6618.cf, 1 +6619.cf, 1 +661z6.com, 1 +6620.cf, 1 +6623.cf, 1 +6624.cf, 1 +6625.cf, 1 +6626.cf, 1 +6627.cf, 1 +66321365.com, 0 +6633445.com, 1 +663365666.com, 1 +663365777.com, 1 +663365888.com, 1 +663365a.vip, 1 +663365b.vip, 1 +663365c.vip, 1 +663365d.vip, 1 +663365e.vip, 1 +663365f.vip, 1 +663365g.vip, 1 +663365h.vip, 1 +663365i.vip, 1 +663365j.vip, 1 +663365k.vip, 1 +663651.com, 0 +6660.cf, 1 +6660111.ru, 1 +6661.cf, 1 +666111bet.com, 1 +666222bet.com, 1 +666321365.com, 0 +666333bet.com, 1 +666365app.com, 0 +666365ios.com, 0 +666365iosapp.com, 0 +666365t.com, 1 +6664553.com, 1 +666668722.com, 1 +666689999.xyz, 1 +666777bet.com, 1 +666888bet.com, 1 +666999bet.com, 1 +666aicai.com, 1 +666b58.com, 0 +666bet86.com, 1 +666btt.net, 1 +6677.us, 1 +6688.ovh, 1 +668825.vip, 1 +668k8.net, 1 +66bet86.com, 1 +66bwf.com, 1 +66ffaaa.com, 1 +66ffbbb.com, 1 +66ffccc.com, 1 +66ffddd.com, 1 +66ffeee.com, 1 +66fffaa.com, 1 +66fffbb.com, 1 +66fffcc.com, 1 +66fffdd.com, 1 +66fffee.com, 1 +66fffgg.com, 1 +66fffhh.com, 1 +66fffii.com, 1 +66fffjj.com, 1 +66fffkk.com, 1 +66fffll.com, 1 +66fffmm.com, 1 +66fffnn.com, 1 +66fffoo.com, 1 +66fffpp.com, 1 +66fffqq.com, 1 +66fffrr.com, 1 +66fffss.com, 1 +66ffftt.com, 1 +66fffuu.com, 1 +66fffvv.com, 1 +66fffww.com, 1 +66fffxx.com, 1 +66fffyy.com, 1 +66fffzz.com, 1 +66ffggg.com, 1 +66ffhhh.com, 1 +66ffiii.com, 1 +66ffjjj.com, 1 +66ffkkk.com, 1 +66fflll.com, 1 +66ffmmm.com, 1 +66ffnnn.com, 1 +66ffooo.com, 1 +66ffppp.com, 1 +66ffqqq.com, 1 +66ffrrr.com, 1 +66ffsss.com, 1 +66ffttt.com, 1 +66ffuuu.com, 1 +66ffvvv.com, 1 +66ffwww.com, 1 +66ffxxx.com, 1 +66ffyyy.com, 1 +66ffzzz.com, 1 +66gal.com, 1 +66k66.vip, 1 +6700.ar, 1 +670102.com, 1 +671660.com, 1 +671990.com, 1 +672367.com, 1 +6729.co, 0 +672990.com, 0 +6729a.co, 1 +6729aa.co, 1 +6729aa.com, 1 +6729apk.com, 1 +6729app.com, 1 +6729b.co, 1 +6729bb.co, 1 +6729bb.com, 1 +6729c.co, 1 +6729c.com, 1 +6729cc.co, 1 +6729cc.com, 1 +6729d.co, 1 +6729d.com, 1 +6729dd.co, 1 +6729dd.com, 1 +6729dh.co, 1 +6729dns.com, 1 +6729e.co, 1 +6729e.com, 0 +6729ee.co, 1 +6729ee.com, 0 +6729f.co, 1 +6729f.com, 0 +6729ff.co, 1 +6729ff.com, 0 +6729g.co, 1 +6729g.com, 0 +6729gg.co, 1 +6729gg.com, 0 +6729h.co, 1 +6729h.com, 0 +6729hb.com, 0 +6729hh.co, 1 +6729hh.com, 0 +6729i.co, 1 +6729i.com, 0 +6729ii.co, 1 +6729ii.com, 0 +6729ipa.com, 1 +6729j.co, 1 +6729j.com, 1 +6729jj.co, 1 +6729jj.com, 1 +6729k.co, 1 +6729k.com, 0 +6729kk.co, 1 +6729kk.com, 0 +6729l.co, 1 +6729l.com, 0 +6729ll.co, 1 +6729ll.com, 1 +6729m.co, 1 +6729m.com, 0 +6729mm.co, 1 +6729mm.com, 0 +6729n.co, 1 +6729n.com, 0 +6729nn.co, 1 +6729nn.com, 0 +6729o.co, 1 +6729o.com, 1 +6729oo.co, 1 +6729oo.com, 0 +6729p.co, 1 +6729p.com, 1 +6729pp.co, 1 +6729pp.com, 1 +6729q.co, 1 +6729q.com, 1 +6729qq.co, 1 +6729qq.com, 0 +6729r.co, 1 +6729rr.co, 1 +6729rr.com, 1 +6729s.co, 1 +6729s.com, 0 +6729ss.co, 1 +6729ss.com, 0 +6729t.co, 1 +6729t.com, 0 +6729tt.co, 1 +6729tt.com, 0 +6729u.co, 1 +6729u.com, 0 +6729uu.co, 1 +6729uu.com, 0 +6729v.co, 1 +6729v.com, 0 +6729vv.co, 1 +6729vv.com, 0 +6729w.co, 1 +6729w.com, 1 +6729ww.co, 1 +6729ww.com, 0 +6729x.co, 1 +6729x.com, 1 +6729xx.co, 1 +6729xx.com, 0 +6729xy.com, 0 +6729y.co, 1 +6729y.com, 0 +6729yy.co, 1 +6729yy.com, 1 +6729z.co, 1 +6729z.com, 1 +6729zz.co, 1 +6729zz.com, 0 +672bbb.com, 1 +673395.com, 1 +673569.com, 1 +673660.com, 1 +673bbb.com, 1 +676812.com, 1 +677314.com, 1 +677340.com, 1 +677341.com, 1 +677346.com, 1 +677347.com, 1 +677354.com, 1 +677364.com, 1 +677384.com, 1 +6777.cf, 1 +67836565.com, 1 +678365app.com, 0 +678365cc.com, 0 +678365t.com, 1 +678678365.com, 1 +67877777.com, 1 +6789666365.com, 0 +679470.com, 1 +67y7.com, 0 +682368.com, 1 +68277.me, 1 +683168.com, 1 +683968.com, 1 +684781.com, 1 +68522c.com, 1 +68522k.com, 1 +68522m.com, 1 +68522s.com, 1 +68622.com, 1 +68622a.com, 1 +68622b.com, 1 +68636.cc, 1 +68636.com, 1 +68636.vip, 1 +689368.com, 1 +68reg.tk, 1 +692241.com, 1 +692b8c32.de, 1 +694640.com, 1 +695346.com, 1 +695660.com, 1 +6957.co, 1 +6957a.co, 1 +6957aa.co, 1 +6957apk.com, 1 +6957app.com, 1 +6957b.co, 1 +6957bb.co, 1 +6957c.co, 1 +6957cc.co, 1 +6957d.co, 1 +6957dd.co, 1 +6957dh.co, 1 +6957e.co, 1 +6957ee.co, 1 +6957f.co, 1 +6957ff.co, 1 +6957g.co, 1 +6957gg.co, 1 +6957h.co, 1 +6957hh.co, 1 +6957i.co, 1 +6957ii.co, 1 +6957j.co, 1 +6957jj.co, 1 +6957k.co, 1 +6957kk.co, 1 +6957l.co, 1 +6957ll.co, 1 +6957m.co, 1 +6957mm.co, 1 +6957n.co, 1 +6957nn.co, 1 +6957o.co, 1 +6957oo.co, 1 +6957p.co, 1 +6957pp.co, 1 +6957q.co, 1 +6957qq.co, 1 +6957r.co, 1 +6957rr.co, 1 +6957rr.com, 0 +6957s.co, 1 +6957ss.co, 1 +6957t.co, 1 +6957tt.co, 1 +6957u.co, 1 +6957uu.co, 1 +6957v.co, 1 +6957vv.co, 1 +6957vv.com, 0 +6957w.co, 1 +6957ww.co, 1 +6957x.co, 1 +6957xx.co, 1 +6957xy.com, 0 +6957y.co, 1 +6957yy.co, 1 +6957z.co, 1 +6957z.com, 1 +6957zz.co, 1 +69759.com, 0 +698134.com, 1 +6997896.com, 1 +69asmr.com, 1 +69butterfly.com, 1 +69games.xxx, 1 +69kzvm3f.com, 1 +69level.com, 1 +69mentor.com, 1 +69wasted.net, 1 +6a.nz, 1 +6b.com.au, 1 +6bet86.com, 1 +6bwcp.com, 1 +6dec.gc.ca, 1 +6f.com.au, 1 +6i.com.au, 1 +6ird.com, 0 +6lo.zgora.pl, 1 +6meter.tk, 1 +6play.fr, 1 +6t-montjoye.org, 1 +6thmarch.com, 1 +6wbz.com, 1 +7-it.ml, 1 +7-zip.de, 1 +700.az, 1 +700creditsolution.com, 1 +700dealer.com, 1 +700wns.com, 1 +701squad.tk, 1 +702341.win, 1 +702343.win, 1 +702344.win, 1 +702345.win, 1 +70365365.com, 0 +703700.com, 1 +705994.com, 1 +708090.ru, 1 +70872.com, 0 +709611.com, 1 +70mpg.org, 1 +7100.cf, 1 +712kb.com, 1 +713367.com, 0 +71365365.com, 0 +713kb.com, 1 +716176.com, 0 +7177bet.com, 1 +717966833.xyz, 1 +718113.com, 0 +7183.org, 0 +71fss.marketing, 1 +71tuiguang.com, 1 +7203.ru, 1 +7203.xn--p1ai, 1 +721010.xyz, 1 +721172.com, 1 +7214.cc, 1 +721aa.com, 0 +722201.com, 0 +723421.com, 1 +724go.com, 1 +724online.com, 1 +725134.com, 1 +725741.com, 1 +7261696e626f77.net, 1 +727877.com, 0 +727sss.com, 1 +730.no, 1 +732273.com, 1 +732473.com, 1 +733575.com, 0 +73365365.com, 0 +733673.com, 1 +734365.com, 1 +734551.com, 1 +735973.com, 1 +736373.com, 1 +736416.com, 1 +736573.com, 1 +739373.com, 1 +739673.com, 1 +73fy.com, 0 +740424.ml, 1 +740660.com, 1 +740cashbuyers.com, 1 +743365.com, 1 +74365365.com, 1 +7444.cf, 1 +746104.com, 1 +7478vip1.cc, 1 +7478vip2.cc, 1 +74d88.com, 1 +74dy.org, 1 +74th.jp, 1 +750375.com, 1 +750475.com, 1 +751175.com, 1 +751930.com, 1 +753345.com, 1 +7552001.com, 1 +7552002.com, 1 +7552005.com, 1 +7552006.com, 1 +7552008.com, 1 +7552009.com, 1 +7552010.com, 1 +7552011.com, 1 +7552012.com, 1 +7552013.com, 1 +755204.com, 1 +755243.com, 1 +755245.com, 1 +755246.com, 1 +755249.com, 1 +755274.com, 1 +755294.com, 0 +755364.com, 1 +755k3.com, 1 +756975.com, 1 +757409.com, 1 +758375.com, 1 +758393.com, 1 +759375.com, 1 +759419.com, 1 +759675.com, 1 +75codes.com, 1 +75refer.tk, 1 +76.to, 1 +761.com, 1 +761link.net, 1 +763361.com, 1 +76365365.com, 1 +7654654.xyz, 1 +7666321.com, 1 +76668.com, 1 +7666898.com, 1 +76669.com, 1 +766788.xyz, 1 +7699.org, 1 +769k.com, 0 +769sc.com, 0 +76networks.tk, 1 +76o.cn, 1 +77018dd.com, 0 +77018vip.com, 0 +77168365.com, 1 +77177.de, 1 +77321365.com, 0 +7733445.com, 1 +775018.com, 0 +777365t.com, 1 +7776321.com, 0 +777aicai.com, 1 +777bet86.com, 1 +777coin.com, 1 +777mage.com, 1 +777tv.tv, 1 +77909a.com, 0 +77909b.com, 0 +77909c.com, 0 +77909d.com, 0 +77909dhz.com, 1 +77909e.com, 0 +77909f.com, 0 +77909g.com, 0 +77909h.com, 0 +77909i.com, 0 +77999xl.com, 1 +77b58.com, 1 +77bet86.com, 1 +77ffaaa.com, 1 +77ffbbb.com, 1 +77ffccc.com, 1 +77ffddd.com, 1 +77ffeee.com, 1 +77fffaa.com, 1 +77fffbb.com, 1 +77fffcc.com, 1 +77fffdd.com, 1 +77fffee.com, 1 +77fffgg.com, 1 +77fffhh.com, 1 +77fffii.com, 1 +77fffjj.com, 1 +77fffkk.com, 1 +77fffll.com, 1 +77fffmm.com, 1 +77fffnn.com, 1 +77fffoo.com, 1 +77fffpp.com, 1 +77fffqq.com, 1 +77fffrr.com, 1 +77fffss.com, 1 +77ffftt.com, 1 +77fffuu.com, 1 +77fffvv.com, 1 +77fffww.com, 1 +77fffxx.com, 1 +77fffyy.com, 1 +77fffzz.com, 1 +77ffggg.com, 1 +77ffhhh.com, 1 +77ffiii.com, 1 +77ffjjj.com, 1 +77ffkkk.com, 1 +77fflll.com, 1 +77ffmmm.com, 1 +77ffnnn.com, 1 +77ffooo.com, 1 +77ffppp.com, 1 +77ffqqq.com, 1 +77ffrrr.com, 1 +77ffsss.com, 1 +77ffttt.com, 1 +77ffuuu.com, 1 +77ffvvv.com, 1 +77ffwww.com, 1 +77ffxxx.com, 1 +77ffyyy.com, 1 +77ffzzz.com, 1 +77online.com, 1 +78-couvreur.fr, 1 +78.to, 1 +780aa.com, 1 +783306.com, 1 +783346.com, 1 +78365b.com, 0 +783lab.com, 1 +787637.com, 1 +7877bet.com, 1 +787k3.com, 1 +787kb.com, 1 +7885765.com, 1 +7888815.com, 1 +788zzz.com, 1 +7891553.com, 1 +7891997.com, 1 +78936565.com, 0 +789365t.com, 1 +789zr.com, 0 +790951.com, 1 +793703.com, 1 +795sss.com, 1 +797715.com, 1 +797sss.com, 1 +798392.com, 1 +798sss.com, 1 +799146.com, 1 +7992.org, 1 +799713.com, 1 +799ks.com, 1 +799z6.com, 1 +79ch.com, 1 +7across.com, 1 +7aga7.mk, 1 +7akawyna.tk, 1 +7b.gg, 1 +7bandarqq.com, 1 +7bet86.com, 1 +7daystodie.top, 1 +7delights.in, 1 +7dies.net, 1 +7eastgenetics.com, 1 +7emka.tk, 1 +7eo.mk, 1 +7extranews.tk, 1 +7f.is, 1 +7gr.uk, 1 +7graus.pt, 1 +7hills.us, 1 +7hq.ru, 1 +7im.co.uk, 1 +7in0.me, 1 +7ki.photography, 1 +7kicks.com, 1 +7kovrikov.ru, 1 +7kvadratov.by, 1 +7l00p.com, 1 +7learnings.com, 1 +7links.com.br, 1 +7milesglobal.com, 1 +7money.co, 1 +7net.uk, 1 +7networking.com, 1 +7pets.net, 1 +7plus.com.au, 1 +7pm.studio, 1 +7proxies.com, 1 +7qly.com, 1 +7quark.xyz, 1 +7sdre.am, 1 +7sisters.tk, 1 +7sotok.info, 1 +7starhealth.ga, 1 +7th-heaven.me, 1 +7thcircledesigns.com, 1 +7url.ml, 1 +7x24servis.com, 1 +7x7cajalosandes.cl, 1 +7zet.ml, 1 +80001234.com, 1 +8000plus.si, 1 +8001d.com, 1 +8001d88.com, 1 +8003pay.com, 1 +8006d88.com, 1 +800999.xyz, 1 +800bar.com, 1 +800email.com, 1 +800ink.com, 1 +800live.com, 1 +800mattress.com, 1 +800perkins.com, 1 +800sports.com, 1 +800tea.com, 1 +800tutor.com, 1 +8010d88.com, 1 +8012d88.com, 1 +8017d88.com, 1 +8019d88.com, 1 +8021d.com, 1 +8022d.com, 1 +8027d.com, 1 +8028d.com, 1 +8029d.com, 1 +8029d88.com, 1 +803001.com, 1 +8032d88.com, 1 +8033d88.com, 1 +8035d88.com, 1 +80365365.com, 0 +8036d88.com, 1 +8038d88.com, 1 +803970.com, 1 +8039d.com, 1 +804265.com, 1 +805084.com, 1 +8050d.com, 1 +8059d88.com, 1 +8060d88.com, 1 +80630.com, 1 +8069d88.com, 1 +8071d.com, 1 +807252.com, 1 +8077d.com, 1 +80780780.com, 1 +8078d.com, 1 +807software.com, 1 +8081d.com, 1 +808cleanups.org, 1 +808gutterking.com, 1 +808mao.com, 1 +809088.cc, 1 +8091.info, 1 +8092d88.com, 1 +8093d.com, 1 +8097d.com, 1 +80993.net, 1 +80bin.com, 1 +80motorsclub.tk, 1 +80smaniacs.nl, 1 +80thcork.com, 1 +81.cz, 1 +8100.cf, 1 +8102d.com, 1 +8102d88.com, 1 +8106365.com, 0 +8109d88.com, 1 +811121.com, 0 +8113d.com, 1 +8115d88.com, 1 +8116d88.com, 1 +811fsspentagon.com, 1 +8121d.com, 1 +8121d88.com, 1 +8128d.com, 1 +8130d88.com, 1 +8135d88.com, 1 +81365365.com, 0 +81365s.com, 1 +8139d.com, 1 +8151d.com, 1 +8153365.com, 0 +8153d.com, 1 +8156d.com, 1 +8159d88.com, 1 +815jz.com, 1 +8160d.com, 1 +8160d88.com, 1 +8161d.com, 1 +8161d88.com, 1 +8162d.com, 1 +8167365.com, 0 +816jz.com, 1 +817181.com, 1 +8171d.com, 1 +817209.com, 0 +8173d.com, 1 +817615.com, 1 +8176d.com, 1 +8178d.com, 1 +81818app.com, 0 +81818d.com, 1 +81818z.com, 1 +8181d88.com, 1 +8182d.com, 1 +8182d88.com, 1 +8183d.com, 1 +8183d88.com, 1 +8186d.com, 1 +818bwf.com, 1 +8190d.com, 1 +8190d88.com, 1 +819323.com, 1 +8193d.com, 1 +8193d88.com, 1 +8196d.com, 1 +8197d.com, 1 +8197d88.com, 1 +8198d.com, 1 +8198d88.com, 1 +81alarm.cz, 1 +81klima.cz, 1 +81klima.sk, 1 +81uc.com, 1 +8202d.com, 1 +8203d88.com, 1 +8206d.com, 1 +8207d88.com, 1 +8208d88.com, 1 +8210d88.com, 1 +8211d88.com, 1 +8216d.com, 1 +8216d88.com, 1 +8217d88.com, 1 +8218d88.com, 1 +8219d88.com, 1 +8221d88.com, 1 +8222d88.com, 1 +8225.com, 1 +8225d.com, 1 +8226d.com, 1 +8228d.com, 1 +8229d88.com, 1 +823582.com, 1 +82365a.com, 1 +82365b.com, 1 +82365c.com, 1 +82365d.com, 1 +82365e.com, 1 +82365f.com, 1 +82365g.com, 1 +82365h.com, 1 +82365i.com, 1 +82365j.com, 1 +82365k.com, 1 +82365l.com, 1 +82365m.com, 1 +82365n.com, 1 +82365o.com, 1 +82365p.com, 1 +82365q.com, 1 +82365r.com, 1 +82365s.com, 1 +82365t.com, 1 +82365u.com, 1 +82365v.com, 1 +82365w.com, 1 +82365x.com, 1 +82365y.com, 1 +82365z.com, 1 +824886.com, 1 +825148.com, 1 +825382.com, 1 +826282.com, 1 +82781111.com, 0 +82783333.com, 0 +82784444.com, 0 +82785555.com, 0 +82786666.com, 0 +82789999.com, 0 +8278b.com, 0 +8278bb.com, 0 +8278ee.com, 0 +8278eee.com, 1 +8278ff.com, 0 +8278jj.com, 0 +8278jjj.com, 1 +8278kk.com, 0 +8278rr.com, 0 +8278tt.com, 0 +8278yy.com, 0 +829917.com, 1 +82fss.marketing, 1 +82kb88.com, 1 +830891.com, 0 +830res.com, 1 +831783.com, 1 +83365365.com, 1 +833792.com, 0 +833z6.com, 1 +834365.com, 1 +8349822.com, 1 +835183.com, 1 +836436.com, 1 +838180.com, 1 +838888.net, 1 +83i.de, 1 +83ir2k8b.duckdns.org, 1 +83kb88.com, 1 +84036.ml, 1 +842844.com, 1 +8444.cf, 1 +846773.com, 1 +848jz.com, 1 +848sf.com, 1 +84ag.com, 1 +84aj.com, 1 +84an.com, 1 +84ar.com, 1 +84az.com, 1 +84bn.com, 1 +84bp.com, 1 +84cl.com, 1 +84cx.com, 1 +84dp.com, 1 +84dt.com, 1 +84ek.com, 1 +84et.com, 1 +84ew.com, 1 +84fe.com, 1 +84fi.com, 1 +84ft.com, 1 +84fz.com, 1 +84ga.com, 1 +84gf.com, 1 +84gi.com, 1 +84gk.com, 1 +84gt.com, 1 +84he.com, 1 +84hp.com, 1 +84hs.com, 1 +84ia.com, 1 +84jt.com, 1 +84kc.com, 1 +84kn.com, 1 +84kq.com, 1 +84lb.com, 1 +84pg.com, 1 +84rd.com, 1 +84rn.com, 1 +84sg.com, 1 +84tn.com, 1 +84tp.com, 1 +84tw.com, 1 +84tx.com, 1 +84xa.com, 1 +84xe.com, 1 +84xl.com, 1 +84xm.com, 1 +84xp.com, 1 +84yd.com, 1 +84yj.com, 1 +84yp.com, 1 +84yv.com, 1 +84yw.com, 1 +84zb.com, 1 +850226.com, 1 +8521.co, 0 +8522hk.com, 1 +8522ph.com, 1 +8522top.com, 1 +8522tw.com, 1 +8522usa.com, 1 +8560.be, 1 +8586cp.com, 1 +86001688.com, 1 +8602010.com, 1 +862.tv, 1 +863479.com, 1 +8649955.com, 1 +8649966.com, 1 +8649977.com, 1 +86606.com, 1 +866300.vip, 1 +866305.vip, 1 +866308.vip, 1 +8666321.com, 1 +867104.com, 1 +8688fc.com, 1 +868z6.com, 1 +869293.com, 1 +8699bet.com, 1 +86kb88.com, 1 +86metro.ru, 1 +870.cc, 0 +870718.xyz, 1 +872291.com, 0 +8722ph.com, 1 +8722usa.com, 1 +872787.com, 1 +873394.com, 1 +87365365.com, 0 +877027.com, 0 +877287.com, 1 +877791.com, 1 +878365cn.com, 1 +878431.com, 1 +878989.com, 1 +8796.jp, 1 +8799bet.com, 1 +87kb88.com, 1 +8800.ru, 1 +880557.com, 1 +8809d.com, 1 +8809d88.com, 1 +8809ks.com, 1 +88168365.com, 1 +8816d88.com, 1 +88178.top, 1 +8817d88.com, 1 +881z6.com, 1 +8826d.com, 1 +8826d88.com, 1 +88321365.com, 0 +8832ks.com, 1 +8833445.com, 1 +8835365.com, 0 +88365.net, 1 +88365t.com, 1 +88518.com, 0 +88522am.com, 1 +885287.com, 1 +8858ks.com, 1 +885kb.com, 1 +885z6.com, 1 +8860d.com, 1 +88661234.com, 1 +886666f.com, 0 +886666l.com, 0 +886666n.com, 1 +886666p.com, 1 +886666q.com, 1 +886666r.com, 0 +886666s.com, 1 +886666t.com, 0 +886666u.com, 0 +886666v.com, 0 +8866d88.com, 1 +8868ty8.com, 1 +8869ks.com, 1 +886k8.com, 0 +886z6.com, 1 +887.ag, 1 +8871d.com, 1 +8872d.com, 1 +88740b.com, 1 +88740e.com, 1 +88740f.com, 1 +88740i.com, 1 +88740j.com, 1 +88740k.com, 1 +88740l.com, 1 +88740m.com, 1 +88740n.com, 1 +88740o.com, 1 +88740p.com, 1 +88740q.com, 1 +88740r.com, 1 +88740s.com, 1 +88740t.com, 1 +88740u.com, 1 +88740v.com, 1 +88740w.com, 1 +88740x.com, 1 +88740z.com, 1 +887d.com, 1 +8881ks.com, 1 +888321365.com, 0 +8884553.com, 1 +8885asknick.com, 1 +8885ks.com, 1 +888666pj.com, 1 +888700.xyz, 1 +888789j.com, 1 +888806.xyz, 1 +888888722.com, 1 +88889822.com, 1 +888900.xyz, 1 +888aicai.com, 1 +888bet86.com, 1 +888bwf.com, 1 +888casino-canada.com, 1 +888lots.com, 1 +888starz-5b.bet, 1 +888starz.bet, 1 +888starz22.bet, 1 +888xpjxpj.com, 0 +8890d.com, 1 +8891d.com, 1 +8891ks.com, 1 +8892d.com, 1 +8895d.com, 1 +8898ks.com, 1 +889999vip.com, 1 +889vip1.com, 1 +889vip10.com, 1 +889vip2.com, 1 +889vip3.com, 1 +889vip4.com, 1 +889vip5.com, 1 +889vip6.com, 1 +889vip7.com, 1 +889vip8.com, 1 +889vip9.com, 1 +889w889.com, 1 +889w889.net, 1 +88acesmaritime.com, 1 +88bet86.com, 1 +88bill.com, 1 +88cakescorner.com, 1 +88d.com, 1 +88djl.cc, 1 +88ffaaa.com, 1 +88ffbbb.com, 1 +88ffccc.com, 1 +88ffddd.com, 1 +88ffeee.com, 1 +88fffaa.com, 1 +88fffbb.com, 1 +88fffcc.com, 1 +88fffdd.com, 1 +88fffee.com, 1 +88fffgg.com, 1 +88fffhh.com, 1 +88fffii.com, 1 +88fffjj.com, 1 +88fffkk.com, 1 +88fffll.com, 1 +88fffmm.com, 1 +88fffnn.com, 1 +88fffoo.com, 1 +88fffpp.com, 1 +88fffqq.com, 1 +88fffrr.com, 1 +88fffss.com, 1 +88ffftt.com, 1 +88fffuu.com, 1 +88fffvv.com, 1 +88fffww.com, 1 +88fffxx.com, 1 +88fffyy.com, 1 +88fffzz.com, 1 +88ffggg.com, 1 +88ffhhh.com, 1 +88ffiii.com, 1 +88ffjjj.com, 1 +88ffkkk.com, 1 +88fflll.com, 1 +88ffmmm.com, 1 +88ffnnn.com, 1 +88ffooo.com, 1 +88ffppp.com, 1 +88ffqqq.com, 1 +88ffrrr.com, 1 +88ffsss.com, 1 +88ffttt.com, 1 +88ffuuu.com, 1 +88ffvvv.com, 1 +88ffwww.com, 1 +88ffxxx.com, 1 +88ffyyy.com, 1 +88ffzzz.com, 1 +88home9.com, 1 +88kb88.com, 1 +88laohu.cc, 1 +88laohu.com, 1 +88thpolarisscouts.ca, 1 +88yabo.com, 1 +88yule11.com, 1 +88yule112.com, 1 +88yule113.com, 1 +88yule12.com, 1 +88yule13.com, 1 +88yule15.com, 1 +88yule16.com, 1 +88yule7.com, 1 +88yule9.com, 1 +8900.cf, 1 +8900d.com, 1 +890238.com, 1 +8906d.com, 1 +890789d.com, 0 +8908d.com, 1 +8921d.com, 1 +8925d.com, 1 +8925d88.com, 1 +8926d88.com, 1 +8927d88.com, 1 +8929d88.com, 1 +893067.com, 0 +89386.com, 1 +89386b.com, 0 +89386d.com, 0 +89386e.com, 1 +89386l.com, 1 +8938885.com, 1 +893fm.com.au, 1 +894324.com, 1 +895865.com, 1 +8966bet.com, 1 +8977bet.com, 1 +8989k3.com, 1 +899ks.com, 1 +8a.pw, 1 +8ack.de, 1 +8ag8.org, 1 +8b8888.com, 1 +8ballbombom.uk, 1 +8balls.nl, 1 +8bb.org, 1 +8bet86.com, 1 +8bit.ltd, 1 +8bitpickle.com, 1 +8bitsafe.com, 1 +8cent.com, 1 +8crafty.com, 1 +8dabet.com, 1 +8daysaweek.tk, 1 +8duhu.com, 1 +8e8z.com, 1 +8fit.com, 1 +8freeporn.com, 1 +8fs000.com, 1 +8fs333.com, 1 +8fs444.com, 1 +8fs555.com, 1 +8fs666.com, 1 +8fs999.com, 1 +8gaming.net, 1 +8gerd.tk, 1 +8hrs.net, 1 +8i3m2a67.com, 1 +8l.com.au, 1 +8link.com, 1 +8maerz.at, 1 +8me.nl, 1 +8mpay.com, 1 +8shequapp.com, 1 +8show.com, 1 +8t8.eu, 1 +8tech.com.hk, 1 +8thportsmouth.org.uk, 1 +8thstreetlatinas.com, 1 +8time.com, 1 +8tuffbeers.com, 1 +8ung.online, 1 +8xx888.com, 1 +8xxxxxxx.com, 1 +8y.network, 1 +8yabo.com, 0 +8yun.cf, 1 +8yun.ga, 0 +9-11commission.gov, 1 +9.lviv.ua, 1 +90.cx, 1 +9002.cf, 1 +9003.cf, 1 +9004.cf, 1 +9005.cf, 1 +9005424.com, 1 +9006.cf, 1 +9007.cf, 1 +9009019.com, 0 +900hosting.com, 1 +9011.cf, 1 +9012.cf, 1 +9013.cf, 1 +9014.cf, 1 +9015.cf, 1 +901543.com, 1 +9016.cf, 1 +9018.cf, 1 +9019.cf, 1 +902.gr, 1 +9020.cf, 1 +9021.cf, 1 +9021.io, 1 +9022.cf, 1 +9023.cf, 1 +9023n.com, 0 +9023w.com, 0 +9024.cf, 1 +9025.cf, 1 +9026.cf, 1 +9028.cf, 1 +9029.cf, 1 +9030.cf, 1 +9031.cf, 1 +9032.cf, 1 +9033.cf, 1 +9034.cf, 1 +9035.cf, 1 +9036.cf, 1 +9037.cf, 1 +9038.cf, 1 +9039.cf, 1 +9040.cf, 1 +9041.cf, 1 +9042.cf, 1 +9043.cf, 1 +9044.cf, 1 +9045.cf, 1 +9046.cf, 1 +9047.cf, 1 +9048.cf, 1 +9049.cf, 1 +9050.cf, 1 +9051.cf, 1 +9052.cf, 1 +9053.cf, 1 +9055.cf, 1 +9056.cf, 1 +9057.cf, 1 +9058.cf, 1 +9059.cf, 1 +9060.cf, 1 +9061.cf, 1 +9062.cf, 1 +9063.cf, 1 +9064.cf, 1 +9065.cf, 1 +9066.cf, 1 +9067.cf, 1 +9068.cf, 1 +9069.cf, 1 +9070.cf, 1 +9070989.com, 1 +9071.cf, 1 +9073.cf, 1 +9074.cf, 1 +9075.cf, 1 +9076.cf, 1 +9077.cf, 1 +9078.cf, 1 +907856.com, 1 +9079.cf, 1 +9080.cf, 1 +9081.cf, 1 +9082.cf, 1 +9085.cf, 1 +9086.cf, 1 +9087.cf, 1 +9088.cf, 1 +9090.cf, 1 +9091.cf, 1 +90920.cn, 1 +9093.cf, 1 +9094.cf, 1 +9095.cf, 1 +9096.cf, 1 +9097.cf, 1 +9098.cf, 1 +90daydiet.org, 1 +90minut.com, 1 +90r.jp, 1 +90splease.com, 1 +91-cg.com, 1 +91-short.com, 1 +9100.cf, 1 +9100.ga, 1 +9100.gq, 1 +9100.ml, 1 +9101.cf, 1 +9102.cf, 1 +9103.cf, 1 +9104.cf, 1 +9105.cf, 1 +9106.cf, 1 +910635.com, 1 +9107.cf, 1 +9108.cf, 1 +9109.cf, 1 +911.gov, 1 +9111s.ru, 1 +911216.xyz, 1 +9113.cf, 1 +9114.cf, 1 +9115.cf, 1 +9116.cf, 1 +9117.cf, 1 +9118.com, 1 +9118.hk, 0 +9118.la, 1 +91181.cc, 1 +91186.cc, 1 +9118inc.com, 0 +911commission.gov, 1 +911dispatcheredu.org, 1 +9120.cf, 1 +9121.cf, 1 +9122.cf, 1 +9123.cf, 1 +9124.cf, 1 +9125.cf, 1 +9126.cf, 1 +9127.cf, 1 +912891.com, 1 +9129.cf, 1 +9130.cf, 1 +9131.cf, 1 +9132.cf, 1 +913291.com, 1 +9133.cf, 1 +9134.cf, 1 +9135.cf, 1 +9136.cf, 1 +9137.cf, 1 +9139.cf, 1 +9140.cf, 1 +9141.cf, 1 +9142.cf, 1 +9143.cf, 1 +9144.cf, 1 +9145.cf, 1 +9146.cf, 1 +9147.cf, 1 +9148.cf, 1 +9149.cf, 1 +9150.cf, 1 +9151.cf, 1 +9152.cf, 1 +9153.cf, 1 +9154.cf, 1 +9155.cf, 1 +9156.cf, 1 +9157.cf, 1 +9159.cf, 1 +9160.cf, 1 +9161.cf, 1 +9162.cf, 1 +916294.com, 1 +9164.cf, 1 +9165.cf, 1 +9166.cf, 1 +9167.cf, 1 +9168.cf, 1 +9169.cf, 1 +9170.cf, 1 +9171.cf, 1 +9172.cf, 1 +9173.cf, 1 +9174.cf, 1 +9175.cf, 1 +9176.cf, 1 +9177.cf, 1 +9179.cf, 1 +917991.com, 1 +9180.cf, 1 +9181.cf, 1 +9181181.com, 1 +9181182.com, 1 +9181183.com, 1 +9181184.com, 1 +9181185.com, 1 +9181186.com, 1 +9181187.com, 1 +9181189.com, 1 +9182.cf, 1 +9182289.com, 1 +9183.cf, 1 +9184.cf, 1 +9185.cf, 1 +9186.fun, 0 +9186119.com, 1 +9187.cf, 1 +918991a.com, 0 +918991b.com, 0 +918991c.com, 0 +918991d.com, 0 +918991dhz.com, 0 +918991e.com, 0 +918bbm.co, 1 +918bcf.co, 1 +918bcw.co, 1 +918bio.co, 1 +918bip.co, 1 +918bis.co, 1 +918dc04.com, 1 +918dc19.com, 1 +918kisse.com, 1 +918kissinw.com, 1 +9190.cf, 1 +9193.cf, 1 +919391.com, 1 +9194.cf, 1 +9195.cf, 1 +9197.cf, 1 +9198.cf, 1 +91bbr.com, 1 +91beauty.com, 1 +91cg.com, 1 +91d52.com, 1 +91d72.com, 1 +91d81.com, 1 +91d83.com, 1 +91d85.com, 0 +91dh.cc, 0 +91fashion.com, 1 +91fldz.com, 1 +91imh.com, 1 +91milk.net, 0 +91news.tk, 1 +91quanji.com, 1 +91short.com, 1 +91tianmi.com, 0 +91tvg.com, 1 +9200.cf, 1 +9200.ml, 1 +9201.cf, 1 +9202.cf, 1 +9203.cf, 1 +920392.com, 1 +9204.cf, 1 +9205.cf, 1 +9206.cf, 1 +9207.cf, 1 +9208.cf, 1 +9209.cf, 1 +9210.cf, 1 +9212.cf, 1 +9214.cf, 1 +9215.cf, 1 +9216.cf, 1 +9217.cf, 1 +921792.com, 1 +9218.cf, 1 +921892.com, 1 +9219.cf, 1 +9220.cf, 1 +9221.cf, 1 +9223.cf, 1 +9224.cf, 1 +9225.cf, 1 +9226.cf, 1 +9227.cf, 1 +9228.cf, 1 +9230.cf, 1 +9231.cf, 1 +9232.cf, 1 +9233.cf, 1 +9234.cf, 1 +9235.cf, 1 +9236.cf, 1 +9237.cf, 1 +9239.cf, 1 +9240.cf, 1 +9241.cf, 1 +9242.cf, 1 +9243.cf, 1 +9245.cf, 1 +924592.com, 1 +9246.cf, 1 +9247.cf, 1 +924892.com, 1 +924992.com, 1 +925892.com, 1 +925silverjewelry.com, 1 +926792.com, 1 +927092.com, 1 +928092.com, 1 +929349.com, 1 +929592.com, 1 +9297.co, 1 +9297a.co, 1 +9297aa.co, 1 +9297b.co, 1 +9297bb.co, 1 +9297c.co, 1 +9297cc.co, 1 +9297d.co, 1 +9297dd.co, 1 +9297dh.co, 1 +9297dns.com, 1 +9297e.co, 1 +9297ee.co, 1 +9297f.co, 1 +9297ff.co, 1 +9297g.co, 1 +9297gg.co, 1 +9297h.co, 1 +9297hb.com, 0 +9297hd.co, 1 +9297hd.com, 1 +9297hh.co, 1 +9297i.co, 1 +9297ii.co, 1 +9297j.co, 1 +9297jj.co, 1 +9297k.co, 1 +9297kk.co, 1 +9297l.co, 1 +9297ll.co, 1 +9297m.co, 1 +9297mm.co, 1 +9297n.co, 1 +9297nn.co, 1 +9297o.co, 1 +9297oo.co, 1 +9297p.co, 1 +9297pp.co, 1 +9297q.co, 1 +9297qq.co, 1 +9297r.co, 1 +9297rr.co, 1 +9297s.co, 1 +9297ss.co, 1 +9297t.co, 1 +9297tt.co, 1 +9297u.co, 1 +9297uu.co, 1 +9297v.co, 1 +9297vv.co, 1 +9297w.co, 1 +9297ww.co, 1 +9297x.co, 1 +9297xx.co, 1 +9297y.co, 1 +9297yy.co, 1 +9297z.co, 1 +9297zz.co, 1 +92url.com, 1 +9301.cf, 1 +9302.cf, 1 +9303.cf, 1 +9304.cf, 1 +9305.cf, 1 +9306.cf, 1 +9307.cf, 1 +9308.cf, 1 +9309.cf, 1 +9310.cf, 1 +9311.cf, 1 +9312.cf, 1 +9313.cf, 1 +9314.cf, 1 +9315.cf, 1 +931593.com, 1 +9316.cf, 1 +9317.cf, 1 +9318.cf, 1 +9319.cf, 1 +9320.cf, 1 +9321.cf, 1 +9322.cf, 1 +9323.cf, 1 +9324.cf, 1 +9325.cf, 1 +9326.cf, 1 +9327.cf, 1 +9328.cf, 1 +9329.cf, 1 +932993.com, 1 +9330.cf, 1 +9331.cf, 1 +9332.cf, 1 +9334.cf, 1 +9335.cf, 1 +9336.cf, 1 +9337.cf, 1 +9338.cf, 1 +9339.cf, 1 +9340.cf, 1 +9341.cf, 1 +9342.cf, 1 +9343.cf, 1 +934365.com, 1 +934377.com, 1 +9344.cf, 1 +9345.cf, 1 +9347.cf, 1 +9348.cf, 1 +9349.cf, 1 +9351.cf, 1 +9352.cf, 1 +9353.cf, 1 +9354.cf, 1 +9355.cf, 1 +9356.cf, 1 +9357.cf, 1 +9358.cf, 1 +9359.cf, 1 +935themix.com, 1 +9360.cf, 1 +9361.cf, 1 +9362.cf, 1 +9363.cf, 1 +9364.cf, 1 +93644a.com, 0 +93644b.com, 0 +93644c.com, 0 +93644d.com, 0 +93644x.com, 0 +93644y.com, 0 +93644z.com, 0 +9365.cf, 1 +9366.cf, 1 +9367.cf, 1 +9368.cf, 1 +9369.cf, 1 +9370.cf, 1 +937093.com, 1 +9371.cf, 1 +9372.cf, 1 +9373.cf, 1 +9374.cf, 1 +9375.cf, 1 +9376.cf, 1 +937693.com, 1 +9377.cf, 1 +9378.cf, 1 +937893.com, 1 +9379.cf, 1 +9381.cf, 1 +938193.com, 1 +9382.cf, 1 +9383.cf, 1 +9384.cf, 1 +9385.cf, 1 +9386.cf, 1 +9387.cf, 1 +9388.cf, 1 +9389.cf, 1 +9390.cf, 1 +9391.cf, 1 +9392.cf, 1 +9393.cf, 1 +939394.org, 1 +939394.xyz, 1 +9395.cf, 1 +9396.cf, 1 +9397.cf, 1 +9397a.com, 1 +9397b.com, 1 +9397c.com, 1 +9397e.com, 1 +9397hb.com, 1 +9397hd.com, 1 +9397i.com, 1 +9397r.com, 1 +9398.cf, 1 +939wns.com, 1 +93ag8.com, 1 +93cq.com, 1 +93jc.cn, 1 +9401.cf, 1 +9402.cf, 1 +9403.cf, 1 +9404.cf, 1 +9405.cf, 1 +9406.cf, 1 +9407.cf, 1 +9409.cf, 1 +9410.cf, 1 +9411.cf, 1 +9412220.de, 1 +9417k.cf, 1 +9417k.com, 1 +941988.cn, 1 +943359.com, 1 +9444.cf, 1 +9449-27a1-22a1-e0d9-4237-dd99-e75e-ac85-2f47-9d34.de, 1 +947cq.com, 1 +9499060.com, 0 +9499066.com, 0 +9499068.com, 0 +9499113.com, 0 +9499115.com, 0 +9499118.com, 0 +9499125.com, 0 +9499137.com, 1 +9499151.com, 0 +9499212.com, 0 +9499232.com, 0 +9499238.com, 0 +9499263.com, 0 +9499278.com, 0 +9499343.com, 0 +9499369.com, 0 +9499399.com, 0 +9499403.com, 0 +9499459.com, 0 +9499518.com, 0 +9499558.com, 0 +9499565.com, 0 +9499568.com, 0 +9499575.com, 0 +9499668.com, 0 +9499676.com, 0 +9499682.com, 0 +9499737.com, 1 +9499757.com, 0 +9499835.com, 0 +9499855.com, 0 +9499869.com, 0 +9499958.com, 0 +9499jjj.com, 0 +9499l.com, 0 +9499mmmm.com, 1 +9499ttt.com, 0 +9499xxx.com, 0 +9499yl.com, 1 +95-the-mix.com, 1 +9500.cf, 1 +9501.cf, 1 +9502.cf, 1 +9503.cf, 1 +9504.cf, 1 +9505.cf, 1 +9506.cf, 1 +9507.cf, 1 +9508.cf, 1 +9509.cf, 1 +9510.cf, 1 +95105.com, 1 +95107.com, 1 +95108.com, 1 +9511.cf, 1 +9512.cf, 1 +9513.cf, 1 +9514.cf, 1 +9515.cf, 1 +951562.com, 1 +9516.cf, 1 +9517.cf, 1 +9519.cf, 1 +951thebull.com, 1 +9522.cf, 1 +9523.cf, 1 +9524.cf, 1 +9525.cf, 1 +9528.cf, 1 +9529.cf, 1 +9531.cf, 1 +9532.cf, 1 +9533.cf, 1 +9534.cf, 1 +9535.cf, 1 +9536.cf, 1 +9537.cf, 1 +9538.cf, 1 +9539.cf, 1 +9540.cf, 1 +9541.cf, 1 +9542.cf, 1 +9543.cf, 1 +9544.cf, 1 +9545.cf, 1 +9546.cf, 1 +9547.cf, 1 +9548.cf, 1 +9549.cf, 1 +9550.cf, 1 +95500.com, 1 +9551.cf, 1 +95518.com, 1 +95519.com, 1 +9552.cf, 1 +9553.cf, 1 +9554.cf, 1 +95544.com, 1 +95558.com, 1 +95559.com, 1 +9556.cf, 1 +95566.com, 1 +95568.com, 1 +9557.cf, 1 +95577.com, 1 +9558.cf, 1 +9559.cf, 1 +9560.cf, 1 +9561.cf, 1 +9562.cf, 1 +9564.cf, 1 +9565.cf, 1 +9566.cf, 1 +9567.cf, 1 +9568.cf, 1 +9569.cf, 1 +956jj.com, 0 +9570.cf, 1 +95700.com, 1 +9571.cf, 1 +9572.cf, 1 +9573.cf, 1 +9574.cf, 1 +9575.cf, 1 +9576.cf, 1 +9578.cf, 1 +9579.cf, 1 +9580.cf, 1 +95808.com, 1 +9581.cf, 1 +9582.cf, 1 +95828.com, 1 +9584.cf, 1 +9585.cf, 1 +9586.cf, 1 +95868457.xyz, 1 +9587.cf, 1 +9588.com.cn, 1 +9590.cf, 1 +9591.cf, 1 +9592.cf, 1 +9593.cf, 1 +9594.cf, 1 +9595.cf, 1 +9596.cf, 1 +959606.com, 1 +9597.cf, 1 +95996.com, 1 +9600.cf, 1 +96002.com, 0 +9601.cf, 1 +9602.cf, 1 +9603.cf, 1 +9604.cf, 1 +9605.cf, 1 +9606.cf, 1 +9607.cf, 1 +9608.cf, 1 +9609.cf, 1 +960server.net.co, 1 +9610.cf, 1 +9611.cf, 1 +9612.cf, 1 +9613.cf, 1 +9614.cf, 1 +9615.cf, 1 +9616.cf, 1 +9617.cf, 1 +9617818.com, 1 +9617818.net, 1 +9618.cf, 1 +96181.com, 1 +9619.cf, 1 +9620.cf, 1 +96200.com, 1 +9621.cf, 1 +9622.cf, 1 +96220.com, 1 +96229.com, 1 +9623.cf, 1 +9624.cf, 1 +9625.cf, 1 +9626.cf, 1 +9628.cf, 1 +9629.cf, 1 +9630.cf, 1 +9631.cf, 1 +96316.com, 1 +9632.cf, 1 +9633.cf, 1 +96448.com, 1 +964515.com, 1 +96577.com, 1 +96606.com, 1 +96607.com, 1 +96658.com, 1 +9666ks.com, 1 +96678.com, 0 +96685.com, 1 +966ty.com, 1 +967606.com, 1 +967you.com, 1 +968860.com, 1 +96896.com, 1 +96961.com, 1 +9697cp.com, 1 +9700.cf, 1 +9701.cf, 1 +9702.cf, 1 +9703.cf, 1 +9705.cf, 1 +9706.cf, 1 +9707.cf, 1 +9708.cf, 1 +9709.cf, 1 +970locksmithservices.tech, 0 +9710.cf, 1 +9711.cf, 1 +9712.cf, 1 +9714.cf, 1 +9716.cf, 1 +9717.cf, 1 +9718.cf, 1 +9719.cf, 1 +9720.cf, 1 +9721dh.com, 1 +9721hd.com, 1 +9721o.com, 1 +9721ss.com, 0 +9722.cf, 1 +9723.cf, 1 +9724.cf, 1 +9725.cf, 1 +9726.cf, 1 +9727.cf, 1 +9728.cf, 1 +9728.com, 1 +9728a.co, 1 +9728aa.co, 1 +9728b.co, 1 +9728bb.co, 0 +9728c.co, 1 +9728cc.co, 1 +9728d.co, 1 +9728dd.co, 1 +9728dh.com, 1 +9728dns.com, 1 +9728dz.com, 1 +9728e.co, 1 +9728ee.co, 1 +9728f.co, 1 +9728ff.co, 1 +9728g.co, 1 +9728gg.co, 1 +9728h.co, 1 +9728hb.com, 0 +9728hd.com, 1 +9728hh.co, 1 +9728i.co, 1 +9728ii.co, 1 +9728j.co, 1 +9728jj.co, 1 +9728k.co, 1 +9728kk.co, 1 +9728l.co, 1 +9728ll.co, 1 +9728m.co, 1 +9728mm.co, 1 +9728n.co, 1 +9728nn.co, 1 +9728o.co, 1 +9728oo.co, 1 +9728p.co, 1 +9728pp.co, 1 +9728q.co, 1 +9728qq.co, 1 +9728r.co, 1 +9728rr.co, 1 +9728s.co, 1 +9728ss.co, 1 +9728sx.com, 1 +9728t.co, 1 +9728tt.co, 1 +9728u.co, 1 +9728uu.co, 1 +9728v.co, 1 +9728vv.co, 1 +9728w.co, 1 +9728ww.co, 1 +9728x.co, 1 +9728xx.co, 1 +9728y.co, 1 +9728yy.co, 1 +9728z.co, 1 +9728zz.co, 1 +9729.cf, 1 +972citizenjournalism.org, 1 +972mag.com, 1 +9730.cf, 1 +9731.cf, 1 +9732.cf, 1 +9733.cf, 1 +973325.com, 1 +9734.cf, 1 +9735.cf, 1 +9736.cf, 1 +9737.cf, 1 +9738.cf, 1 +9739.cf, 1 +9740.cf, 1 +9741.cf, 1 +9742.cf, 1 +9743.cf, 1 +9744.cf, 1 +9745.cf, 1 +9746.cf, 1 +9747.cf, 1 +9748.cf, 1 +9749.cf, 1 +9750.cf, 1 +9751.cf, 1 +9752.cf, 1 +9753.cf, 1 +9754.cf, 1 +9756.cf, 1 +9757.cf, 1 +9758.cf, 1 +9759.cf, 1 +976-tuna.com, 1 +9760.cf, 1 +9761.cf, 1 +9764.cf, 1 +9765.cf, 1 +9766.cf, 1 +9767.cf, 1 +97736.com, 1 +97738.com, 0 +977395.com, 1 +977kb.com, 1 +97bros.com, 1 +97m.cc, 1 +9800.cc, 1 +9801.cf, 1 +980709.xyz, 1 +9822.bz, 0 +9822am.com, 1 +9822cn.com, 1 +9822hk.com, 1 +9822ph.com, 1 +9822tw.com, 1 +9822usa.com, 1 +982453.com, 1 +982zzz.com, 1 +984.ch, 1 +9859365.com, 0 +985ccc.com, 1 +986ccc.com, 1 +9877bet.com, 1 +987987.com, 1 +987kisscountry.com, 1 +988.gov, 1 +9882258.com, 1 +9883358.com, 1 +9884458.com, 1 +98877.com, 1 +98944448.com, 1 +98944449.com, 1 +98944555.com, 1 +98944666.com, 1 +98944888.com, 1 +98999555.com, 1 +98999666.com, 1 +98e.site, 1 +98laba.com, 0 +98laba.net, 0 +9901.cf, 1 +9901.ml, 1 +9902.cf, 1 +9902.ml, 1 +9903.cf, 1 +990313.xyz, 1 +9904.cf, 1 +9904.ml, 1 +9905.cf, 1 +9905.ml, 1 +9906.cf, 1 +9906.ml, 1 +9907.cf, 1 +9908.cf, 1 +9908.ml, 1 +9909.cf, 1 +9910.cf, 1 +9912.cf, 1 +9913.cf, 1 +9914.cf, 1 +9915.cf, 1 +9917.cf, 1 +9918.cf, 1 +9920.cf, 1 +9921.cf, 1 +9923.cf, 1 +9925.cf, 1 +9926.cf, 1 +9927.cf, 1 +9928.cf, 1 +992ccc.com, 1 +9930.cf, 1 +9931.cf, 1 +9932.cf, 1 +99321365.com, 0 +9933445.com, 1 +9934.cf, 1 +9935.cf, 1 +9936.cf, 1 +99365t.com, 1 +9937.cf, 1 +9938.cf, 1 +9939.cf, 1 +9940.cf, 1 +9941.cf, 1 +9941y.top, 1 +9942.cf, 1 +9943.cf, 1 +99456j.com, 0 +9946.cf, 1 +9947.cf, 1 +9948.cf, 1 +9949.cf, 1 +9950.cf, 1 +9951.cf, 1 +99511.fi, 1 +9952.cf, 1 +9953.cf, 1 +9954.cf, 1 +9957.cf, 1 +9958.cf, 1 +9959.cf, 1 +99599.fi, 0 +99599.net, 0 +995ccc.com, 1 +9961.cf, 1 +9962.cf, 1 +9963.cf, 1 +9964.cf, 1 +9965.cf, 1 +9967.cf, 1 +9968.cf, 1 +9968101.com, 0 +9968110.com, 0 +9968121.com, 0 +9968159.com, 0 +9968161.com, 0 +9968202.com, 0 +9968232.com, 0 +9968235.com, 0 +9968285.com, 0 +9968303.com, 0 +9968321.com, 0 +9968343.com, 1 +9968359.com, 0 +9968368.com, 0 +9968383.com, 0 +9968454.com, 0 +9968565.com, 0 +9968595.com, 0 +9968606.com, 0 +9968676.com, 1 +9968678.com, 0 +9968787.com, 0 +9968808.com, 0 +9968909.com, 0 +9968959.com, 0 +9968989.com, 0 +9968aaa.com, 1 +9968good.com, 0 +9968live.com, 0 +9968love.com, 0 +9968xl.com, 1 +9968xpj.com, 0 +9969.cf, 1 +9970.cf, 1 +9971.cf, 1 +9972.cf, 1 +9973.cf, 1 +9974.cf, 1 +9975.cf, 1 +9976.cf, 1 +9977432.com, 1 +9978.cf, 1 +9979.cf, 1 +997z6.com, 1 +9980.cf, 1 +9982.cf, 1 +9983.cf, 1 +9984.cf, 1 +9986.cf, 1 +998sa.com, 1 +998wei.com, 1 +998wns.com, 1 +999003.xyz, 1 +999004.xyz, 1 +999005.xyz, 1 +9990058.com, 1 +999006.xyz, 1 +999008.xyz, 1 +999011.xyz, 1 +999014.xyz, 1 +999015.xyz, 1 +999016.xyz, 1 +999017.xyz, 1 +999018.xyz, 1 +999019.xyz, 1 +999021.xyz, 1 +999023.xyz, 1 +999024.xyz, 1 +999025.xyz, 1 +999026.xyz, 1 +999027.xyz, 1 +999028.xyz, 1 +999029.xyz, 1 +999030.xyz, 1 +999031.xyz, 1 +999032.xyz, 1 +999033.xyz, 1 +999034.xyz, 1 +999035.xyz, 1 +999036.xyz, 1 +999037.xyz, 1 +999038.xyz, 1 +999040.xyz, 1 +999041.xyz, 1 +999042.xyz, 1 +999043.xyz, 1 +999044.xyz, 1 +999045.xyz, 1 +999046.xyz, 1 +999047.xyz, 1 +999048.xyz, 1 +999049.xyz, 1 +999050.xyz, 1 +999051.xyz, 1 +999052.xyz, 1 +999053.xyz, 1 +999054.xyz, 1 +999055.xyz, 1 +999056.xyz, 1 +999057.xyz, 1 +999058.xyz, 1 +999059.xyz, 1 +999060.xyz, 1 +999061.xyz, 1 +999062.xyz, 1 +999063.xyz, 1 +999064.xyz, 1 +999065.xyz, 1 +999067.xyz, 1 +999068.xyz, 1 +999070.xyz, 1 +999072.xyz, 1 +999073.xyz, 1 +999074.xyz, 1 +999075.xyz, 1 +999076.xyz, 1 +999078.xyz, 1 +999079.xyz, 1 +999080.xyz, 1 +999081.xyz, 1 +999082.xyz, 1 +999083.xyz, 1 +999084.xyz, 1 +999085.xyz, 1 +999086.xyz, 1 +999089.xyz, 1 +999092.xyz, 1 +999093.xyz, 1 +999094.xyz, 1 +999095.xyz, 1 +999096.xyz, 1 +999097.xyz, 1 +999098.xyz, 1 +9991.cf, 1 +9991158.com, 1 +9992258.com, 1 +999321365.com, 1 +9993358.com, 1 +999365t.com, 1 +9994.cf, 1 +9994553.com, 1 +9995558.com, 1 +999700.xyz, 1 +999814.com, 1 +9998722.com, 1 +9998k8.com, 1 +99998522.com, 1 +99999822.com, 1 +999998722.com, 1 +999aicai.com, 1 +999bet86.com, 1 +999btt.net, 1 +999salon.co, 1 +999salon.com, 1 +999zlong.com, 1 +99bt.com, 1 +99buffets.com, 1 +99casinos.com, 1 +99dog.com, 1 +99ffaaa.com, 1 +99ffbbb.com, 1 +99ffccc.com, 1 +99ffddd.com, 1 +99ffeee.com, 1 +99fffaa.com, 1 +99fffbb.com, 1 +99fffcc.com, 1 +99fffdd.com, 1 +99fffee.com, 1 +99fffgg.com, 1 +99fffhh.com, 1 +99fffii.com, 1 +99fffjj.com, 1 +99fffkk.com, 1 +99fffll.com, 1 +99fffmm.com, 1 +99fffnn.com, 1 +99fffoo.com, 1 +99fffpp.com, 1 +99fffqq.com, 1 +99fffrr.com, 1 +99fffss.com, 1 +99ffftt.com, 1 +99fffuu.com, 1 +99fffvv.com, 1 +99fffww.com, 1 +99fffxx.com, 1 +99fffyy.com, 1 +99fffzz.com, 1 +99ffggg.com, 1 +99ffhhh.com, 1 +99ffiii.com, 1 +99ffjjj.com, 1 +99ffkkk.com, 1 +99fflll.com, 1 +99ffmmm.com, 1 +99ffnnn.com, 1 +99ffooo.com, 1 +99ffppp.com, 1 +99ffqqq.com, 1 +99ffrrr.com, 1 +99ffsss.com, 1 +99ffttt.com, 1 +99ffuuu.com, 1 +99ffvvv.com, 1 +99ffwww.com, 1 +99ffxxx.com, 1 +99ffyyy.com, 1 +99ffzzz.com, 1 +99furnitureideasandtips.gq, 1 +99furnitureideasexamples.ga, 1 +99laptops.com, 1 +99lib.net, 1 +99music.com, 1 +99naturalfoods.de, 1 +99perf.com, 1 +99qp.org, 1 +99rst.org, 1 +99sitedesign.com, 1 +99spokes.com, 1 +99wxt.com, 1 +9ag88.com, 1 +9articles.org, 1 +9baka.top, 1 +9bet86.com, 1 +9ccn.top, 1 +9de.net, 1 +9elements.com, 0 +9etl.com, 1 +9fruit.com, 1 +9fvip.net, 1 +9gag.com, 1 +9hosts.net, 1 +9i0.com, 1 +9iwan.net, 1 +9jajuice.com, 1 +9k262.com, 1 +9k267.com, 0 +9k268.com, 1 +9k269.com, 1 +9k282.com, 1 +9k285.com, 1 +9k323.com, 1 +9k329.com, 1 +9k337.com, 1 +9k339.com, 1 +9k373.com, 1 +9k376.com, 1 +9k379.com, 1 +9k387.com, 1 +9k388.com, 1 +9k389.com, 1 +9k392.com, 1 +9k393.com, 1 +9k397.com, 1 +9k562.com, 1 +9k566.com, 1 +9k568.com, 1 +9k569.com, 1 +9k572.com, 1 +9k573.com, 1 +9k585.com, 1 +9k586.com, 1 +9k587.com, 1 +9k626.com, 1 +9k632.com, 1 +9k636.com, 1 +9k638.com, 1 +9k653.com, 1 +9k658.com, 1 +9k662.com, 1 +9k663.com, 1 +9k665.com, 1 +9k667.com, 1 +9k668.com, 1 +9k669.com, 1 +9k675.com, 1 +9k682.com, 1 +9k686.com, 1 +9k689.com, 1 +9k693.com, 1 +9k696.com, 1 +9k698.com, 1 +9k823.com, 1 +9k825.com, 1 +9k826.com, 1 +9k828.com, 1 +9k829.com, 1 +9k832.com, 1 +9k833.com, 1 +9k835.com, 1 +9k836.com, 1 +9k837.com, 1 +9k852.com, 1 +9k855.com, 1 +9k857.com, 1 +9k858.com, 1 +9k859.com, 1 +9k862.com, 1 +9k865.com, 1 +9k866.com, 1 +9k867.com, 1 +9k869.com, 1 +9k872.com, 1 +9k873.com, 0 +9k875.com, 1 +9k877.com, 1 +9k879.com, 1 +9k883.com, 1 +9k885.com, 1 +9k886.com, 1 +9k889.com, 1 +9k892.com, 1 +9k893.com, 1 +9k895.com, 0 +9k896.com, 1 +9k897.com, 1 +9k898.com, 1 +9k899.com, 1 +9kb.xyz, 1 +9l.com.au, 1 +9lab.jp, 1 +9mp.ro, 1 +9nu.org, 0 +9ostech.com, 1 +9pkfz.com, 1 +9pm.com.vn, 1 +9point6.com, 1 +9riddles.com, 1 +9sw.de, 1 +9tailedkitsune.com, 1 +9tl.ru, 1 +9to5linux.com, 1 +9to5notes.in, 1 +9uelle.jp, 0 +9ungnir.xyz, 1 +9vx.org, 1 +9xbuddy.com, 1 +9xbuddy.xyz, 1 +9xmoviesapp.com, 1 +9yw.me, 1 +9zlatan9.tk, 1 +a-1waterproofing.com, 1 +a-allard.be, 0 +a-b.ee, 1 +a-better-planet.com, 0 +a-busty.com, 1 +a-care.net, 1 +a-classinflatables.co.uk, 1 +a-dish.com, 1 +a-frique.com, 1 +a-gokan.com, 1 +a-h-p.de, 1 +a-hitoduma.com, 1 +a-invest.de, 1 +a-ix.net, 1 +a-lexx.de, 1 +a-little-linux-box.at, 1 +a-louest.info, 1 +a-moe.com, 1 +a-oben.org, 1 +a-players.team, 1 +a-pools.com.ua, 0 +a-raven.corsica, 1 +a-s-motors.ru, 1 +a-shirouto.com, 1 +a-starbouncycastles.co.uk, 1 +a-systems.ru.com, 1 +a-up.info, 1 +a-wife.net, 1 +a.ac, 1 +a.tt, 1 +a.wtf, 1 +a00228.com, 1 +a01sa01to.com, 1 +a04gameapp.com, 1 +a04webapp.com, 1 +a05webapp.com, 1 +a06.ch, 1 +a06.me, 1 +a06gameapp.com, 1 +a06webapp.com, 1 +a1.ro, 1 +a11ybadges.com, 1 +a11ywatch.com, 1 +a122.cc, 1 +a12k.nz, 0 +a13x.uk, 1 +a163.top, 1 +a1bouncycastlehire.com, 1 +a1cashforcar.com.au, 1 +a1cdrinks.com, 1 +a1cookingequipment.com.au, 1 +a1expresscarremoval.com.au, 1 +a1hypnosis.ga, 1 +a1jumpandbounce.co.uk, 1 +a1post.bg, 1 +a1qualityspareparts.com.au, 1 +a1scrapmetalrecyclers.com.au, 1 +a1scuba.com, 1 +a1seowebdirectory.com, 0 +a1solarstore.com, 1 +a1speedyrooter.com, 1 +a1viplimo.com, 1 +a1websitepro.com, 1 +a210.online, 1 +a22z.xyz, 1 +a24dmng.de, 1 +a24help.ru, 1 +a2a.me, 1 +a2c-co.net, 1 +a2censo.com, 1 +a2ch.ru, 1 +a2g.io, 1 +a2gamer.com, 1 +a2n-expertise.com, 1 +a2ssrl.duckdns.org, 1 +a2zplumbing.com.au, 1 +a2zva.com, 1 +a30.tokyo, 0 +a340.com, 1 +a356.top, 1 +a36533.com, 1 +a365vip2.com, 0 +a365vip3.com, 0 +a365vip5.com, 0 +a365vip9.com, 0 +a3m.gmbh, 1 +a3mobile.com, 1 +a3sys-elodie.fr, 1 +a4.com, 1 +a4pmu.net, 1 +a4sound.com, 1 +a5197.co, 1 +a632079.me, 1 +a64.me, 1 +a66.la, 0 +a6619.com, 1 +a6621.com, 1 +a6623.com, 1 +a6627.com, 1 +a6631.com, 1 +a6651.com, 1 +a6652.com, 1 +a6657.com, 0 +a6659.com, 0 +a6671.com, 0 +a6672.com, 0 +a6673.com, 0 +a6675.com, 0 +a6682.com, 0 +a6683.com, 0 +a6687.com, 0 +a6691.com, 0 +a6692.com, 0 +a6695.com, 0 +a6729.co, 1 +a6729.com, 0 +a6957.co, 1 +a77018.com, 0 +a7m2.me, 1 +a7sa2eat.com, 1 +a82365.com, 1 +a8438pb3.com, 1 +a88fc.com, 1 +a899365.com, 0 +a9-9.top, 1 +a9297.co, 1 +a9721.com, 1 +a9728.co, 1 +aa00228.com, 0 +aa43d.cn, 1 +aa5197.co, 1 +aa6688.net, 0 +aa6729.co, 1 +aa6729.com, 0 +aa6957.co, 1 +aa793.com, 0 +aa9297.co, 1 +aa9728.co, 1 +aaa-racing.com, 1 +aaa-racing.net, 1 +aaa.ma, 1 +aaa.my, 1 +aaa.ua, 1 +aaablindfactory.com, 1 +aaacomms.com, 1 +aaahosting70.de, 1 +aaainfosystems.com, 1 +aaapl.com, 1 +aaaplumbers.com, 1 +aaapo.com.br, 1 +aaapucrio.com.br, 1 +aabanet.com.br, 1 +aabeltech.com, 1 +aabenjaminjewelry.com, 0 +aacc.ac, 1 +aachen-quiz.de, 1 +aacs-design.com, 1 +aad-gp.com, 1 +aadl.ga, 1 +aadv.com.br, 1 +aaflalo.me, 1 +aagetransport.no, 1 +aahhbali.com, 1 +aaic.ca, 1 +aajkakavi.in, 0 +aalalbayt.com, 1 +aalalbayt.net, 1 +aalaslearninglibrary.org, 1 +aalen.tk, 1 +aalianbinhaider.ml, 1 +aalright.org, 1 +aalstmotors-usedcars.be, 1 +aaltocapital.com, 1 +aaltocapital.de, 1 +aaltocapital.fi, 1 +aama.tk, 1 +aamlive.com, 1 +aamt.es, 1 +aan-shop.co.il, 1 +aandachtsmeditatie.nl, 1 +aandeautobody.com, 1 +aandkevents.co.uk, 1 +aanhuisgebakken.tk, 1 +aanlynskool.co.za, 1 +aanwp.com, 1 +aanyasri.com, 1 +aaogaragedoorrepairaustin.com, 1 +aaomidi.com, 1 +aaoth.xyz, 1 +aapant.org.au, 0 +aapifund.org, 1 +aapipower.org, 0 +aappb.org, 1 +aappe.fr, 0 +aaprotocol.tk, 1 +aarailfan.com, 1 +aardvarksoep.nl, 1 +aareptan.ch, 1 +aarestation.ch, 1 +aarhus-protein.dk, 1 +aarhusinside.dk, 1 +aariefhaafiz.com, 1 +aarisings.com, 1 +aarklendoia.com, 1 +aaron-gustafson.com, 0 +aaron-russell.co.uk, 1 +aaron-schaal.de, 1 +aaron-smith-cpa.com, 1 +aaronbonine.com, 1 +aaronburrows.com, 1 +aaronchiangmd.com, 1 +aaronfurtado.com, 1 +aaronhorler.com, 1 +aaronmaar.de, 1 +aaronosmani.com, 1 +aaronr.digital, 1 +aarons.law, 1 +aaronsilber.me, 1 +aaronsmunpra.com, 1 +aaronspain.tk, 1 +aarontechnology.net, 1 +aarquiteta.com.br, 1 +aarsen.me, 1 +aarsunwoods.com, 0 +aartbouman.nl, 1 +aarvinproperties.com, 1 +aarwer.com, 1 +aarwer.jp, 1 +aasumitro.id, 1 +aasvets.co.uk, 1 +aatf.us, 1 +aati.be, 1 +aati.info, 1 +aatq.eu, 1 +aatq.nl, 1 +aattrans.com, 1 +aau.edu, 1 +aautoline.tk, 1 +aavaa.org, 1 +aave.com, 0 +aavienna.com, 1 +aawt.net.au, 0 +aayan.com, 1 +aayub.xyz, 1 +ab-design.tk, 1 +ab-pflege.de, 1 +ab-solutepilates.com, 1 +ab-uk.com, 1 +ab-west.tk, 1 +ab288.com, 1 +ab2888.cn, 1 +ab2web.com, 1 +ab91corp.com, 1 +abaapplianceservice.com, 1 +abaaustin.com, 1 +abaca.bar, 1 +abaco.cr, 1 +abaconappliancerepairs.co.za, 1 +abacross.com, 1 +abacus-essen.de, 1 +abacus-marketing.uk, 1 +abacus.ai, 0 +abacus.com, 1 +abacusbouncycastle.co.uk, 1 +abacusfi.com, 1 +abacuslouisville.com, 1 +abacusnt.es, 1 +abacuste.ch, 1 +abacustech.co.jp, 1 +abacustech.jp, 1 +abacustech.net, 1 +abacustech.org, 1 +abadie-architecture.com, 1 +abaev.uk, 1 +abag.nu, 1 +abahanavillas.com, 1 +abalsa.tk, 1 +abambo.tk, 1 +abancommercials.com, 1 +abandoned-zone.tk, 1 +abandoned.tk, 1 +abandonedmines.gov, 1 +abanico.tk, 1 +abanilla.tk, 1 +abantoclub.com, 1 +abantos.tk, 1 +abaranov.cf, 1 +abaranov.gq, 1 +abarquinha.tk, 1 +abas-erp.com, 1 +abasalehngo.com, 1 +abashevo.ml, 1 +abashevo.tk, 1 +abasite.tk, 1 +abasky.net, 1 +abasteo.mx, 1 +abastor.tk, 1 +abateroad66.it, 1 +abattepeluqueriacitas.com, 1 +abay-today.tk, 1 +abbas.ch, 1 +abbaye-chaise-dieu.com, 1 +abbevillecountysc.gov, 1 +abbeycarefoundation.com, 1 +abbeyvetspets.co.uk, 1 +abbl.com, 1 +abborsjo.fi, 1 +abbotkinneys.com, 1 +abbottscastles.co.uk, 1 +abbreviated-adult-course.com, 1 +abbuc.de, 1 +abbyairsoft.tk, 1 +abbystrange.com, 1 +abbyvangrinsven.co.nz, 1 +abc-kinderbetreuung.at, 1 +abc-people.tk, 1 +abc-pneupascher.eu, 1 +abc-rz.de, 1 +abc.li, 1 +abc001.ga, 1 +abc123autumn.com, 1 +abc15.com, 1 +abcbouncyfactory.co.uk, 1 +abcc.dk, 1 +abccomputerservices.com, 0 +abcdreamusa.com, 1 +abcdthesis.net, 1 +abcensax.tk, 1 +abcfinance.co.uk, 0 +abcgruppen.se, 1 +abch2o.net, 1 +abcheck.se, 1 +abcideabased.com, 1 +abcine.tk, 1 +abckam.com, 1 +abclyrics.tk, 1 +abcode.ml, 1 +abcorporate-aviation.com, 1 +abcorporate-aviation.fr, 1 +abcpartyhire.com, 1 +abcprodutosvirtuais.com.br, 1 +abcrcm.com, 1 +abcstudio.com.au, 1 +abcsystem.ml, 1 +abctaylor.com, 1 +abctwenty.xyz, 1 +abcum.com, 1 +abdel.me, 1 +abdelali.tk, 1 +abdelalidev.ml, 1 +abdelaliezzyn.tk, 1 +abdelsater.net, 1 +abdened.tk, 1 +abdesign.tk, 1 +abdijmale.tk, 1 +abdl.link, 1 +abdsirketim.com, 0 +abdul.cloud, 1 +abdul.win, 1 +abdulawal.tk, 1 +abdulazizgolca.com, 1 +abdulkarimm.tk, 1 +abdullaeff.net, 1 +abdullahavci.com, 1 +abdullahavci.com.tr, 1 +abdullahavci.net, 1 +abdullahavci.net.tr, 1 +abdullahavci.org, 1 +abdullahavci.org.tr, 1 +abdullahki.com, 1 +abdullahzubayerofficial.ml, 1 +abdulraheem.org, 1 +abdulraheemalick.com, 1 +abdulrahman.eu, 1 +abdulwahaab.ca, 1 +abduramshad.ml, 1 +abdurrahmangazidis.tk, 1 +abdurrehman.tk, 1 +abe-elektro.de, 1 +abe-medical.jp, 1 +abecedarios.co, 1 +abecodes.net, 1 +abecon.com.br, 1 +abeervinum.it, 1 +abeestrada.com, 0 +abeilleduhain.be, 1 +abelbarretto.tk, 1 +abella.ro, 1 +abellagranitecountertops.com, 1 +abellao.com, 1 +abelles.cf, 1 +abelles.gq, 1 +abelles.ml, 1 +abelles.tk, 1 +abelrubio.me, 1 +abelsflooringandtile.com, 1 +abemarx.hu, 1 +abenteuer-kindheit.com, 1 +abenteuerschule4u.eu, 1 +abenteuerteam.de, 1 +abeontech.com, 1 +aber.travel, 1 +aberdeenairportparking24.co.uk, 1 +aberdeenalmeras.com, 1 +aberdeencriticalmass.tk, 1 +aberon.pl, 1 +aberrantvascular.tk, 1 +aberson.nl, 1 +abetterdeath.com, 1 +abetterwichita.org, 1 +abeus.com, 1 +abfluss.com, 1 +abg.com.sa, 1 +abg.ninja, 1 +abgeo.ga, 1 +abgrafstenen.nl, 1 +abhaken.com, 1 +abhaldus.ee, 1 +abhayaranya.com, 1 +abhijit.today, 1 +abhijitvalluri.com, 1 +abhisharma.me, 1 +abhishekkabdijain.tk, 1 +abhy.net, 1 +abi-2017.tk, 1 +abi-fvs.de, 1 +abi95oha.de, 1 +abiapp.net, 1 +abibliasagrada.tk, 1 +abicem.co.uk, 1 +abidinginhesed.com, 1 +abierta.cr, 1 +abigailfriedland.com, 1 +abigailstark.com, 1 +abigisp.com, 1 +abigruppe.de, 1 +abileneef.org, 1 +abilenemachine.com, 0 +abilities-inc.jp, 1 +abilityone.gov, 1 +abilix.tk, 1 +abilma.com, 1 +abilymp06.net, 1 +abilympics.org.au, 1 +abimelec.com, 0 +abinferis.com, 1 +abinmetall.ru, 1 +abinyah.com, 1 +abirmas.com, 1 +abitaspringsla.gov, 1 +abitech.tk, 1 +abitextra.eu, 1 +abitextra.org, 1 +abitidalavoro.roma.it, 1 +abitidasposa.roma.it, 1 +abiturient-test.tk, 1 +abivert-piscines.fr, 1 +abk.com.tr, 1 +abkhazianews.tk, 1 +abl.com, 0 +ablauf.com, 1 +ablebits.com, 1 +ablecha.tk, 1 +ablehorsehandlers.au, 1 +ablehorsehandlers.com, 1 +ablehorsehandlers.com.au, 1 +ablehorsehandlers.net.au, 1 +ablehorsetransport.au, 1 +ablehorsetransport.com, 1 +ablehorsetransport.com.au, 1 +ablehorsetransport.net.au, 1 +ableitungsrechner.net, 1 +ableprop.net, 1 +abli.at, 1 +abli.eu, 1 +abli.info, 1 +abli.li, 1 +ablmultiservice.nl, 1 +abloop.com, 1 +ablx.de, 1 +abmackenzie.com, 1 +abmahnhelfer.de, 1 +abmc.gov, 1 +abmelden.com, 1 +abminiplex.in, 1 +abminv.com, 1 +abmledger.ca, 1 +abn-consultants.ie, 1 +abnamropensioenen.nl, 0 +abnarnro.com, 0 +abnbfcu.org, 1 +abnehmen-sport-fitness.de, 1 +abnobapetstore.co.uk, 1 +abnradiofm.tk, 1 +abo-iptv.com, 1 +aboces.org, 1 +abogadoperu.com, 1 +abogadophd.com, 1 +abogadoscav.com, 1 +abogadosescobarysanchez.es, 1 +abogehad.tk, 1 +abol.us, 1 +abolicionistas.com, 1 +abolition.net, 1 +abolitionism.ca, 1 +abolitionism.co.uk, 1 +abolitionism.com, 1 +abolitionism.in, 1 +abolitionism.net, 1 +abolitionism.us, 1 +abolitionist-movement.com, 1 +abolitionist-project.com, 1 +abolitionist-society.com, 1 +abolitionist.ca, 1 +abolitionist.co.uk, 1 +abolitionist.com, 1 +abolitionist.in, 1 +abolitionist.net, 1 +abolitionist.us, 1 +abolitionistparty.com, 1 +abolitionistproject.com, 1 +abolitionistsociety.com, 1 +abolitionniste.com, 1 +abolitionofspeciesism.tk, 1 +abolizionista.com, 1 +abona24.de, 1 +abonegma.com, 1 +abonemnet.tk, 1 +abonentka.tk, 1 +abonilla.com, 0 +aborla.net, 1 +abormez.es, 1 +aborto.tk, 1 +abortopr.com, 1 +abos.eu, 0 +aboticaprodutosnaturais.com, 1 +abouncycastleman.co.uk, 1 +about-bangladesh.tk, 1 +about-e-bags.tk, 1 +about-it.pl, 1 +about-jewelry.tk, 1 +about-sects-and-cults.tk, 1 +about.gq, 1 +about.photos, 1 +aboutadhd.com, 1 +aboutajax.tk, 1 +aboutamit.com, 1 +aboutandroid.tk, 1 +aboutconstruction.ga, 1 +aboutconstruction.gq, 1 +aboutconstruction.ml, 1 +aboutdelphi.tk, 1 +aboutdiabetesinfo.gq, 1 +aboutearning.tk, 1 +aboutfranciscomartinez.tk, 1 +aboutgrills.tk, 1 +abouthistory.tk, 1 +abouthrm.nl, 1 +aboutict.nl, 1 +aboutislam.tk, 1 +aboutlaserremoval.com, 1 +aboutlegal.nl, 1 +aboutlevi.ga, 1 +aboutmarketing.ga, 1 +aboutmedia.nl, 1 +aboutmedicine.tk, 1 +aboutmoney.tk, 1 +aboutmusicals.tk, 1 +aboutmyip.info, 1 +aboutmyproperty.ca, 1 +aboutpublishers.nl, 1 +aboutrom.tk, 1 +aboutshakil.cf, 1 +aboutshakil.tk, 1 +aboutsk.tk, 1 +aboutsleep.com.ua, 1 +abouttablewares.tk, 1 +abouttime.gq, 1 +abouttravel.gq, 1 +aboutwealthcreation.tk, 1 +aboutyou.at, 1 +aboutyou.be, 1 +aboutyou.bg, 1 +aboutyou.ch, 1 +aboutyou.com, 1 +aboutyou.cz, 1 +aboutyou.de, 1 +aboutyou.dk, 1 +aboutyou.ee, 1 +aboutyou.es, 1 +aboutyou.fi, 1 +aboutyou.gr, 1 +aboutyou.hr, 1 +aboutyou.hu, 1 +aboutyou.ie, 1 +aboutyou.it, 1 +aboutyou.lt, 1 +aboutyou.lv, 1 +aboutyou.nl, 1 +aboutyou.no, 1 +aboutyou.pl, 1 +aboutyou.pt, 1 +aboutyou.ro, 1 +aboutyou.se, 1 +aboutyou.si, 1 +aboutyou.sk, 1 +aboveall.love, 1 +abovethefirehouse.com, 1 +abox-kb.com, 1 +abpages.com, 1 +abpis.hr, 1 +abplive.com, 1 +abplusz.hu, 1 +abr.ru, 1 +abracadabramagicas.com.br, 1 +abrah.am, 1 +abrahamboray.tk, 1 +abrahametalero.tk, 1 +abram-lab.ir, 1 +abramochkin.tk, 1 +abramovich.tk, 1 +abramowskimi.tk, 1 +abramsand.co, 1 +abraofilho.blog.br, 1 +abrarahmed.tk, 1 +abraxan.pro, 1 +abraxas-apis.ch, 1 +abraxas-apps.ch, 1 +abre.cloud, 1 +abreactive.com, 1 +abreactive.net, 1 +abreactive.org, 1 +abrec.cf, 1 +abrec.ga, 1 +abrecenze.cz, 1 +abri29.com, 0 +abrilect.com, 1 +abritek.ca, 1 +abrody.com, 1 +abroferlendo.tk, 1 +abrolhosoctopus.com, 1 +abrupt.co, 1 +abruptgames.com, 1 +absat.tk, 1 +abschleppdienst-in-recklinghausen.de, 1 +abseher-technology.com, 1 +abseits.org, 0 +absentia.cf, 1 +absinsurance.com, 1 +absolab.xyz, 1 +absolem.cc, 1 +absoluav.com, 1 +absoluconseils.com, 1 +absolucopine.com, 1 +absolugroupe.com, 1 +absoluphoto.com, 1 +absoluteblack.cc, 1 +absolutebritney.com, 1 +absolutechristmas.com, 1 +absolutedouble.co.uk, 1 +absolutegames.ga, 1 +absolutepondcare.com, 1 +absoluterush.net, 1 +absoluteup.com.au, 1 +absolutezero.tk, 1 +absolution.ga, 1 +absolutperm.tk, 1 +absolutweb.tk, 1 +abssoft.tk, 1 +abstechs.ae, 1 +abstimmen.online, 1 +abstract27.com, 1 +abstractbarista.com, 1 +abstractbarista.net, 0 +abstractive.ai, 1 +abstudio.de, 1 +absurdia.tk, 1 +absurdopedia.wiki, 1 +absyscyborg.com, 1 +abteam.tk, 1 +abtech.link, 1 +abteutonia.de, 1 +abth.tk, 1 +abtherapy.co.uk, 1 +abthorpe.org, 1 +abtinheydari.tk, 1 +abu-auftrag.ch, 1 +abu-nour.tk, 1 +abuahmed.ga, 1 +abulanov.com, 1 +abun-motorsport.tk, 1 +abundent.com, 1 +abusamraphotography.tk, 1 +abuse.cat, 1 +abuse.ch, 1 +abuse.fi, 1 +abuse.io, 1 +abusive-host.tk, 1 +abuzihipnoterapi.com, 1 +abuziyadhsds.com, 1 +abvent.net, 0 +abvlbasketviganello.ch, 0 +aby-action.com, 1 +abyaction.net, 1 +abys.se, 1 +abysra.com, 1 +abyss.moe, 1 +abysse.tk, 1 +abyssinian.ga, 1 +abyssproject.net, 1 +abysswebsite.tk, 1 +abzarkosaran.ir, 1 +abzunraid.com, 1 +ac-admin.pl, 1 +ac-booster.net, 1 +ac-evalar.ru, 1 +ac-spain.tk, 1 +ac-town.com, 1 +ac-trust.ru, 1 +ac.id.au, 1 +ac.milan.it, 1 +ac0g.dyndns.org, 1 +ac8.es, 1 +acab.love, 1 +acachau.synology.me, 1 +acacia-gardens.co.uk, 1 +academiacivilbalonmano.tk, 1 +academiacomercialalpina.com, 1 +academiadelmolino.com.uy, 1 +academiadeufologia.com.br, 1 +academiaeureka.tk, 1 +academiaofimage.com, 1 +academiasdemodelos.com, 0 +academic-master.com, 1 +academica.nl, 1 +academicassignmentexperts.com, 1 +academichealthscience.net, 1 +academichelp.gq, 1 +academie-angoumois.org, 1 +academie-de-police.ch, 0 +academika.tk, 1 +academkin.com, 1 +academy-awards.ml, 1 +academyonlinetoyou.tk, 1 +academyruins.com, 1 +academytv.com.au, 1 +acadiate.com, 1 +acaeum.com, 0 +acafellas.com, 1 +acalcio.ga, 1 +acallawayroofing.com, 1 +acaltair.com, 1 +acandroid.top, 1 +acani.xyz, 1 +acaonegocios.com.br, 1 +acapadena.co, 1 +acapana.com, 1 +acapara.net, 1 +acapellalanguage.tk, 1 +acapetahua.tk, 1 +acaptureservices.com, 1 +acara.edu.au, 1 +acasadavella.tk, 1 +acasadoprodutor.com.br, 1 +acaseta.com, 1 +acat.io, 1 +acatec.de, 1 +acatiimi.fi, 1 +acb.com.vn, 1 +acbcoop.com, 1 +acbrussels-used.be, 1 +acbug2018.com, 1 +accademia24.it, 1 +accademiacimarosa.tk, 1 +accademiadelgolden.com, 1 +accademiaditruccoblog.it, 1 +accademiaprati.tk, 1 +accademiapugilistica.it, 1 +accadia.academy, 1 +accalendar17.net, 1 +accc.gov.au, 1 +acccnyc.org, 0 +accedeainternet.gov, 1 +accedia-distribution.com, 1 +accedia.net, 1 +accelaway.com, 1 +acceldigital.com.au, 1 +acceleratedreading.cf, 1 +acceleratethesale.com, 1 +accelerateyourworld.org, 1 +accelerationsummit.com, 1 +accelerator.nyc, 1 +accelerator.tk, 1 +accelsnow.com, 1 +accent-homedecor.com, 1 +accentchair.net, 1 +accentsduterroir.fr, 1 +accentwebs.ie, 1 +acces-elevation.fr, 1 +accesloges.com, 1 +accesoriiutilaje.ro, 1 +access-board.gov, 1 +access-nl.org, 1 +access-not-allowed.gq, 1 +access-odata.com, 1 +access-techniques.com, 1 +access-token.tk, 1 +accessacab.co.uk, 1 +accessauto-occasions.be, 0 +accessauto.co.uk, 1 +accessbankplc.com, 1 +accesseap.com.au, 1 +accessibility.gov, 1 +accessibilityguidelines.com, 1 +accessibledigitallearning.org, 1 +accessibletravelclub.com, 1 +accessingram.com, 1 +accessiware.com, 1 +accesskeycloning.com, 1 +accesslogisticgroup.com, 1 +accessmania.com, 0 +accessnetworks.com, 1 +accessoh.gov, 1 +accessoirescheveuxchic.com, 1 +accessoklahoma.gov, 1 +accessories-for-women.tk, 1 +accessoriesautoparts.tk, 1 +accessoripersmartphone.it, 1 +accesspress.org, 1 +accesstosystem.cf, 1 +acchan-fun.com, 1 +acchiappasognibedandbreakfast.it, 1 +accio.be, 1 +accionesyreacciones.com, 1 +accioninmobiliaria.tk, 1 +acclivity.pro, 1 +accme.co, 1 +accolade.com.br, 0 +accoladescreens.com.au, 1 +accomexico.com, 1 +accord-application.com, 1 +accordable.gq, 1 +accordimento.de, 1 +accordinnovation.org, 1 +accordproject.tk, 1 +account.gov.mo, 1 +account.gov.uk, 1 +accountancymanager.co.uk, 1 +accountingedu.org, 1 +accountmover.io, 1 +accountryclub.com, 1 +accounts.firefox.com, 1 +accounts.google.com, 1 +accountsfilingmadesimple.com, 1 +accpl.co, 1 +accpressurewashing.com, 1 +accreditamento.net, 1 +accreditedbuildingservices.com, 1 +accretech.vn, 1 +accretexperience.com, 1 +accrosoft.com, 1 +acct-affiliate.com, 1 +accubitsdemo.ml, 1 +accudemia.net, 1 +accueil-paysan.com, 1 +accueillons.org, 1 +acculex.co.uk, 1 +acculongrange.com, 1 +accuphotography.com, 1 +accuracast.com, 1 +accurainspection.com, 1 +accurateinfosolutions.in, 1 +accuride.com, 1 +accuritconsulting.com, 1 +accurx.nhs.uk, 1 +accurxinc.com, 1 +accustandard.com, 1 +accustomedicals.ga, 1 +accutint.com, 1 +accutone.com.mx, 1 +accwing.com, 1 +acd-c.ru, 1 +acdc-tech.eu, 1 +acdc-tech.lv, 1 +acdcbrasil.net, 1 +acdesignsolution.com, 1 +acdk2.de, 1 +ace-aegon.cloud, 1 +ace-clan.tk, 1 +ace-familydental.com, 1 +ace-translations.tk, 1 +ace-uk.net, 1 +ace-wiki.com, 1 +ace.one, 1 +ace0328.com, 1 +aceai.com, 1 +acealters.com, 0 +aceanswering.com, 1 +acebeam.com, 1 +acebovirtual.tk, 1 +acecardiologyclinic.com, 1 +acecerts.co.uk, 1 +acectamentit.tk, 1 +acedstudy.com, 1 +acefishing.tk, 1 +acefront.co.uk, 1 +aceinflatables.com, 1 +aceinstituteonline.com, 1 +acejunkpros.com, 1 +aceleracaodigital.com, 1 +aceleraguria.com.br, 1 +acelpb.com, 1 +acely.se, 1 +acem.org.au, 1 +acemadeira.pt, 1 +acemsa.ga, 1 +acemypaper.com, 1 +acen.edu.au, 1 +acendas.com, 1 +acendealuz.com.br, 1 +aceofdiamondspainting.com, 1 +aceofheartsgiftbaskets.com, 1 +aceparking.com, 1 +acepi.pt, 1 +acercapartners.com, 1 +acerosfortuna.com.mx, 1 +acertenoalvo.com, 1 +aceshop702.com, 1 +acetaiavaleri.it, 1 +acetudy.com, 1 +acevalar.ru, 1 +aceweb.ga, 1 +aceycity.ml, 1 +acftienda.tk, 1 +acfun.eu.org, 1 +acg.ac, 1 +acg.mn, 1 +acg.sb, 0 +acgaudio.com, 1 +acgc.nl, 1 +acgpiano.club, 1 +acgqwq.gq, 1 +acgroupvoyages.com, 1 +acgtalktw.com, 1 +acgxi.tk, 1 +achalay.org, 0 +achat-volets-roulants.fr, 1 +achatroom.co.uk, 1 +acheconcursos.com.br, 1 +achered.cf, 1 +acheter-ethylotest.fr, 1 +acheter-louer.fr, 1 +achicrip.org, 1 +achiesa.fr, 1 +achievablewellbeing.com, 1 +achievenewsfrance.tk, 1 +achiever.ga, 1 +achievingheightsacademy.com, 1 +achiksongs.tk, 1 +achildshome.com, 1 +achildshome.org, 1 +achill.org, 1 +achinsk.tk, 1 +achintyaesbee.tk, 1 +achireland.com, 1 +achkandiro.ml, 1 +achkandiro.tk, 1 +achl.fr, 1 +achlochan.tk, 1 +achmadfamily.com, 1 +achmazstore.ir, 1 +achmea.com.au, 1 +achousaude.com.br, 1 +achromatisch.de, 0 +acht-pfade.de, 1 +achtenhagen.me, 1 +achterblog.de, 1 +achterhoekseveiligheidsbeurs.nl, 1 +achtpfade.de, 1 +achtzehn.de, 1 +achtzehn.eu, 1 +achtzig20.de, 0 +aciclovir.ga, 1 +acidchrist.tk, 1 +acidoascorbico.com, 1 +acidtool.com, 1 +acierto.com, 1 +acihotel.vn, 1 +aciksite.com, 1 +acilicraft.cn, 1 +acina.fr, 1 +acingov.pt, 1 +acinq.co, 1 +acionistadevalor.com.br, 1 +acipayam.bel.tr, 1 +acisms.es, 1 +ack.tax, 1 +ackermann.ch, 1 +ackermannevents.de, 1 +ackersplastering.co.uk, 1 +acklandstainless.com.au, 1 +acl.gov, 1 +aclandia.fr, 1 +aclhire.com, 1 +aclipt.com, 0 +acloud.one, 1 +acls13.fr, 1 +aclu.org, 0 +acm.vc, 1 +acmebookkeepingsolutions.com, 1 +acmilan.gq, 1 +acmilan.ml, 1 +acnenaturalhealing.com, 1 +acnj.gov, 1 +acnjpolice.gov, 1 +acnoventa.it, 1 +acobex.be, 1 +acode.one, 1 +acodess.com, 1 +acodonline.be, 1 +acoip.net, 1 +acolicy.com, 1 +acomerygozar.cam, 1 +acompanhantes.com.pt, 1 +acomplia20mg.cf, 1 +acopatableware.com, 1 +acordes.online, 1 +acorespro.com, 1 +acorncastles.co.uk, 1 +acornmetal.com.au, 1 +acotadecalle.tk, 1 +acourse.io, 1 +acousticalsolutions.com, 1 +acousticandfire.co.uk, 1 +acoustics.network, 1 +acoustics.tech, 1 +acousticsoundrecords.com, 1 +acoustictabs.tk, 1 +acoustique-tardy.com, 0 +acovadamoura.tk, 1 +acpbenefit.gov, 1 +acpcoils.com, 0 +acperu.ch, 0 +acpinformatique.fr, 1 +acpny.com, 1 +acquadiparma.kr, 1 +acquaparrucchieri.it, 1 +acquari.roma.it, 1 +acquasuisse.tk, 1 +acquire.co.nz, 1 +acquirebpo.com, 1 +acquireit.com.au, 1 +acquisition.gov, 1 +acquisitiongateway.gov, 1 +acraftedpassion.com, 1 +acrealamendolara.tk, 1 +acreinfoco.com, 1 +acrepairgeorgetown.com, 1 +acrepairhutto.com, 1 +acrepairroundrocktx.com, 1 +acrhnc2020.dedyn.io, 1 +acriticismlab.org, 1 +acroaccounting.au, 1 +acroballe-circus.fr, 0 +acrobatic.cf, 1 +acrobatic.tk, 1 +acrolife.cz, 0 +acronis.com, 1 +acronis.events, 1 +acronis.org, 0 +acronis.work, 1 +acrorock.tk, 1 +across-community.tk, 1 +acrossgw.com, 1 +acroteam.tk, 1 +acroyoga-nuernberg.de, 1 +acrylbilder-acrylmalerei.de, 1 +acrylicstyle.xyz, 1 +acrylicwifi.com, 1 +acs-nettoyage-entretien-immeuble.com, 1 +acsb.ro, 0 +acsbbs.org, 1 +acsc.gov.au, 1 +acsd-az.gov, 1 +acse.net, 1 +acsemb.org, 1 +acsihostingsolutions.com, 0 +acsiresearch.com, 1 +acsmuhendislik.com.tr, 1 +acsports.ca, 1 +act-interactive.com, 1 +act-news.com, 1 +act-on.com, 1 +act-web-sa.com, 1 +actabg.net, 1 +actacapital.com.au, 1 +actaflytt.se, 1 +actc.org.uk, 1 +acte2immo.com, 1 +actelsershop.com, 1 +acteon.com, 1 +actexpo.com, 1 +actfleetforum.com, 1 +actforcanada.ca, 1 +actgruppe.de, 1 +actheater.com, 1 +acticu.com, 1 +actiefgeld.nl, 0 +actieplaza.tk, 1 +actifii.com, 1 +actifyleads.com, 1 +actigamer.pt, 1 +actilove.ch, 1 +actimap.ga, 1 +acting.by, 1 +actingcxo.com, 1 +action-education.org, 1 +action-intell.com, 1 +action-verite.fr, 1 +action.eu, 1 +action.nl, 1 +actioncameraaccessories.ga, 1 +actioncleaningnd.com, 1 +actioncovid.nl, 1 +actioncutprint.com, 1 +actionglasshouston.com, 1 +actionlabs.net, 1 +actionmadagascar.ch, 0 +actionminecraft.tk, 1 +actions.today, 1 +actionsack.com, 1 +actionsandreactions.com, 1 +actionsecuritycameras.com, 1 +actionverb.com, 1 +actiumhealth.com, 1 +activat3rs.com, 1 +activate.swiss, 1 +activatenow.com, 1 +activationkeys.org, 1 +activators.ml, 1 +active-english.tk, 1 +active247.info, 1 +activeaerogels.com, 1 +activecare-monitor.com, 0 +activeclearweb.com, 1 +activeexcavator.com, 0 +activegateball.tk, 1 +activehealth.com, 1 +activehire.co.uk, 1 +activeleisure.ie, 1 +activelife.travel, 1 +activenl.co.uk, 1 +activephysiohealth.com.au, 1 +activeplatesystem.ga, 1 +activeprospect.com, 1 +activespaceautomation.com, 1 +activespacetech.com, 1 +activetk.cf, 1 +activetk.jp, 1 +activexperts.com, 1 +activeyogi.tk, 1 +activism.cf, 1 +activiteithardenberg.nl, 1 +activitesagadir.com, 1 +activitesaintnicaise.org, 1 +activiteschiens.be, 1 +activiti.alfresco.com, 1 +activities.rocks, 1 +activitycellsers.ga, 1 +activityhub.cloud, 1 +activityhub.xyz, 1 +activityinfo.org, 1 +activitypub.cyou, 1 +activityshelter.com, 1 +activlux.pt, 1 +activpilot.at, 1 +activs.ru, 1 +actom.cc, 1 +actonsoft.com, 1 +actonwoodworks.com, 1 +actopan.tk, 1 +actoragecheck.com, 1 +actoralcareprofessional.com, 1 +actoresonlinevenezuela.tk, 1 +actorsanthosh.tk, 1 +actorshop.co.uk, 1 +actransit.gov, 1 +actrices.tk, 1 +actris.ac.cy, 1 +actro.ga, 1 +actro.gq, 1 +actronx.tk, 1 +actserv.co.ke, 1 +actu-itech.cf, 1 +actualadmins.com, 1 +actualidad-rt.com, 1 +actualite-videos.com, 1 +actualizarapp.com, 0 +actualizarwordpress.es, 1 +actuallykabouters.com, 1 +actualprogressivevotersguide.com, 1 +actualsizemusic.tk, 1 +actualsolutions.am, 1 +actus-banque.fr, 1 +actuse.tk, 1 +actzero.ai, 0 +acuarios.tk, 1 +acuarismo-iquique.tk, 1 +acuarius.tk, 1 +acuica.co.uk, 0 +acuityfinishing.com, 1 +acul.me, 1 +aculocity.com, 1 +acupofsalt.tv, 1 +acupuncture.ml, 1 +acupuncturecornwall.co.uk, 1 +acupuncturefoundation.com, 1 +acupuncturefoundation.org, 1 +acupuntura.coach, 1 +acupuntura.doctor, 1 +acupuntura.institute, 1 +acupunturamadrid.xyz, 1 +acupunturavalencia.xyz, 1 +acurapartswarehouse.com, 1 +acus.gov, 1 +acutabovetherestbarbers.com, 1 +acutane.cf, 1 +acutane.ga, 1 +acutane.gq, 1 +acutewealthadvisors.com, 1 +acutica.ro, 1 +acutron.net, 1 +acutron.org, 1 +acvan.net, 1 +acvilnius.tk, 1 +acwcerts.co.uk, 1 +acwdca.gov, 1 +acwi.gov, 1 +acworth-ga.gov, 1 +acy.com, 1 +acyclovir-cream.cf, 1 +acyclovir400mg.ml, 1 +acytec.cl, 1 +ad-bp.top, 1 +ad-disruptio.fr, 0 +ad-education.com, 1 +ad-notam.asia, 1 +ad-notam.ch, 1 +ad-notam.co.uk, 1 +ad-notam.com, 1 +ad-notam.de, 1 +ad-notam.fr, 1 +ad-notam.it, 1 +ad-notam.pt, 1 +ad-notam.uk, 1 +ad-notam.us, 1 +ad-s.cn, 1 +ad-web.tk, 1 +ad.nl, 1 +ad13.in, 1 +ad4tube.com, 1 +ada.eco, 1 +ada.gov, 1 +adab-mans.tk, 1 +adac-musikreisen.de, 1 +adachi.work, 1 +adacomputerscience.org, 1 +adacprod.fr, 1 +adaera.com, 1 +adaeze-wolf.com, 1 +adagia.eu, 1 +adalis.org, 1 +adalite-staging-testnet.herokuapp.com, 1 +adalite.io, 1 +adam-ant.co.uk, 1 +adam-kostecki.de, 1 +adam.com, 1 +adam.id.au, 1 +adam.pt, 1 +adamabernathy.com, 1 +adamant.ua, 1 +adamante.com.br, 1 +adamas-magicus.ru, 1 +adamaveray.com.au, 1 +adambryant.ca, 0 +adamcarbonell.com, 1 +adamcoffee.net, 0 +adamdixon.co.uk, 1 +adamdorman.com, 1 +adameveplus.com, 1 +adamevevod.com, 1 +adamfontenot.com, 1 +adamgian.com, 1 +adamh.us, 1 +adamj.eu, 1 +adamjeelukmanjee.com, 1 +adamjoycegames.co.uk, 1 +adamkissee.com, 1 +adamkostecki.de, 1 +adamlevine.ga, 1 +adamliu.net, 0 +adamoutler.com, 1 +adamov.tk, 1 +adamradocz.com, 1 +adamraoof.tk, 1 +adamricheimer.com, 1 +adams-gonczi.fun, 1 +adams.dk, 1 +adamscampcolorado.org, 1 +adamschmuck.de, 1 +adamscountyco.gov, 1 +adamscountycoelections.gov, 1 +adamscountyemsoh.gov, 1 +adamscountyil.gov, 1 +adamscountyne.gov, 1 +adamscountypa.gov, 1 +adamstas.com, 1 +adamsweb.tk, 1 +adamwallington.co.uk, 1 +adaoconde.art, 1 +adapt-elektronik.com, 1 +adapt-iq.co.nz, 1 +adapt-iq.com, 1 +adapti.de, 1 +adaptimmune.com, 1 +adaptiv.ltd, 1 +adaptivecenter.net, 1 +adaptiveexercisegroup.com, 1 +adaptiveicons.com, 1 +adaptivemechanics.edu.au, 1 +adaptivesite.cf, 1 +adaptivesite.gq, 1 +adaptiveu.io, 1 +adaptyourlifeacademy.com, 1 +adarixconsultores.com, 1 +adarshcloud.in, 1 +adarsvidler.me, 1 +adasbench.com, 1 +adaselin.com, 1 +adasiacorp.com, 1 +adata-c.kz, 1 +adata.kz, 1 +adatitleiii.com, 1 +adativos.com.br, 1 +adawolfa.cz, 1 +adbexcavation.ca, 1 +adbglobal.com, 1 +adblock.ee, 1 +adblockextreme.com, 1 +adblockextreme.net, 1 +adblockextreme.org, 1 +adbpub.com, 1 +adc-dentalcare.com, 1 +adc64.com, 1 +adceuta.tk, 1 +adclickmedia.com, 1 +adcnvs.com, 1 +adcoglazing.co.uk, 1 +adcpressurewashing.co.uk, 1 +add-image.tk, 1 +add-in-express.com, 1 +add-ons.co.uk, 1 +add.pics, 1 +addag.de, 1 +addall.com, 1 +addax.com.tr, 1 +addbonus.ml, 1 +addcrazy.com, 1 +adder.ml, 1 +adderall.ml, 1 +adderall.space, 1 +addict.tk, 1 +addictedtotravel.pl, 1 +addiction-counselors.com, 1 +addictioncounsellors.co.nz, 1 +addictionsolutionsllc.com, 1 +addictlaw.com, 1 +addictless.ru, 1 +addictstore.it, 1 +addiko.net, 1 +addisoncrump.info, 1 +addisonwi.gov, 1 +addition.ml, 1 +addlink.ga, 1 +addlink.gq, 1 +addly.se, 1 +addmefast.tk, 1 +addnewsite.tk, 1 +addnine.com, 1 +addon.watch, 1 +addones.org, 1 +addownit.com, 1 +addr.space, 1 +addresstobe.com, 1 +addscoop.ml, 1 +addstar.jp, 0 +addtelegrammember.com, 1 +addtoany.com, 1 +adducation.info, 1 +adduono.com, 1 +addurls.tk, 1 +addviseo.com, 1 +addy.io, 1 +addy.to, 1 +addydari.us, 1 +addymail.com, 1 +addyourlink.tk, 1 +addyto.me, 1 +ade-power.com, 1 +adea.mx, 1 +adeabramihza.com, 1 +adec-emsa.ae, 1 +adeelshahid.tk, 1 +adeex.co.uk, 1 +adeex.in, 1 +adeex.us, 1 +adeexaustralia.com, 1 +adek.uz, 1 +adek24.uz, 1 +adelaidamountainresidences.ph, 1 +adelaidecoldlaser.com.au, 1 +adelaidefestivalsquare.com.au, 1 +adelaidelaundromats.com.au, 1 +adelapereira.com, 1 +adeldz-foot.cf, 1 +adelebeals.com, 1 +adelgace.top, 1 +adelicious.co, 1 +adelie.org.uk, 1 +adelightfulglow.com, 1 +adelina.com.br, 0 +adeline.mobi, 1 +adelonline.tk, 1 +adelphiawines.com, 1 +ademaulana.tk, 1 +adenhurra.cf, 1 +adenhurra.ml, 1 +adenoma.tk, 1 +adenopatia.com, 1 +adenos.in, 1 +adenplus1.com, 0 +adeon.ml, 1 +adept-elearning.com, 1 +adept.org.pl, 1 +adescb.ga, 1 +adese.es, 1 +adesex.in, 1 +adesignguy.co.uk, 1 +adespresso.com, 1 +adevel.eu, 1 +adevo.be, 1 +adex.network, 1 +adextremadurafs.tk, 1 +adf-safetytools.com, 1 +adf.gov, 1 +adfconsumer.gov.au, 1 +adfinternational.org, 1 +adfisicateca.org, 1 +adfs.pro, 1 +adftrasporti.it, 1 +adfyl.tk, 1 +adg-devochtspecialist.be, 1 +adg.is, 1 +adgh.ml, 1 +adgift.ro, 1 +adglue.io, 1 +adgreetz.com, 1 +adh.org.au, 1 +adhadse.com, 1 +adhd-explained.com, 1 +adhd-inattentive.com, 1 +adhdyoga.ca, 1 +adhetron.com, 1 +adhigamindia.com, 1 +adhockery.ga, 1 +adhocracy.plus, 1 +adhs.fyi, 1 +adi.com.au, 1 +adi.net.au, 1 +adiaz.us, 1 +adib.family, 1 +adictosdominantescdls.tk, 1 +adidas-2020-spring.com, 1 +adiehard.party, 1 +adiesyndrome.tk, 1 +adigolifestyle.com, 1 +adiguezel-bau-gmbh.de, 1 +adihomes.com, 1 +adilsabri.tk, 1 +adimaja.com, 1 +adimo.com.pl, 1 +adimplere.com.br, 1 +adinaporter.com, 1 +adinfinitum.gq, 1 +adinternational.com.au, 1 +adiph.fr, 1 +adiph.org, 1 +adiprospero.it, 1 +adiraku.co.id, 1 +adiscorduser.com, 1 +adit.com, 1 +adityaes.eu.org, 1 +adityatelange.in, 1 +adiyamandanal.com, 1 +adiyamanhaberleri.tk, 1 +adje-fansite.tk, 1 +adjudicating.tk, 1 +adjustablebedfactory.com, 1 +adjustablebeds.ca, 1 +adjustablebeds.org, 1 +adjusterpro.com, 1 +adjutor.xyz, 1 +adkinvest.co.il, 1 +adld.center, 1 +adler-international.pl, 1 +adlerneves.com, 1 +adlerneves.com.br, 1 +adlerosn.com, 1 +adlerosn.com.br, 1 +adlershop.ch, 1 +adlignum.se, 1 +adliomar.tk, 1 +adm-sarov.ru, 1 +admanmedia.fr, 1 +admglass.co.uk, 1 +admicos.cf, 1 +admin-gator.com, 1 +admin-gator.net, 1 +admin-rbb-ugc-prod.azurewebsites.net, 1 +admin-rbb-ugc.azurewebsites.net, 1 +admin-serv.net, 1 +admin-wp.com, 1 +admin-wp.pl, 1 +admin.academy, 1 +admin.fedoraproject.org, 1 +admin.google.com, 1 +admin.se, 1 +admin.stg.fedoraproject.org, 1 +adminconnection.net, 1 +admindaily.com, 1 +adminforge.de, 1 +admingator.net, 1 +admini.cl, 1 +administracionessaez.es, 1 +administradoresdefincasvalencia.net, 1 +administradorvalencia.es, 0 +administraitor.video, 1 +administrarmeusite.tk, 1 +administratiekantoorblom.nl, 1 +administrator.de, 1 +administratorhandal.cf, 1 +adminless.ovh, 1 +adminlinux.pl, 1 +admino.cz, 1 +adminova.tk, 1 +adminplus.bg, 1 +adminresurs.tk, 1 +adminrezo.fr, 1 +adminwells.com, 1 +admirable.pro, 0 +admody.com, 1 +admongo.gov, 1 +admstudio.co.uk, 1 +admus.pl, 1 +adn-recrutement.fr, 0 +adnanotoyedekparca.com, 1 +adndigital.com.br, 1 +adnempresa.es, 1 +adnexa.it, 1 +adney.land, 1 +adnfiscal.com, 1 +adnolesh.com, 1 +adnotam.ch, 1 +adnscript.tk, 1 +adnseguros.es, 1 +adnsolutions.com, 1 +adofestival.com, 1 +adoll.ml, 1 +adomani-italia.com, 1 +adomicilio.gt, 1 +adonairelogios.com.br, 1 +adondevamosmundo.com, 1 +adonis.hosting, 1 +adonisgrup.ro, 1 +adonizer.science, 1 +adonnante.com, 0 +adontenchambers.com, 1 +adoperator.com, 1 +adopt-dont-shop.de, 1 +adopt.tk, 1 +adoptabeehive.co.uk, 1 +adoptabeehive.com, 1 +adoptabeehive.org, 1 +adoptabeehive.org.uk, 1 +adoptas.org, 1 +adopting.tk, 1 +adoption.tk, 1 +adoptionpregnancycenter.com, 1 +adoptionpregnancycenter.net, 1 +adoptium.net, 1 +adorable-home.com, 1 +adorade.ro, 0 +adorai.tk, 1 +adoran.ga, 1 +adorecricket.com, 1 +adores.gq, 1 +adorez.tk, 1 +adoric.com, 1 +adorkable.eu, 1 +adorkable.social, 1 +adorned.ga, 1 +adotta.me, 1 +adoucishop.fr, 1 +adoxy.com.br, 1 +adpesp.org.br, 1 +adphotography.pl, 1 +adplist.org, 1 +adpot.xyz, 0 +adr-stock.com, 1 +adr.gov, 1 +adrabataille.fr, 0 +adrafinil.wiki, 1 +adreaminsteel.tk, 1 +adreana.com, 1 +adregain.com, 1 +adregain.ru, 1 +adrenalin.is, 1 +adrenalin.od.ua, 0 +adrenalinhunters.tk, 1 +adresse-ip-publique.fr, 1 +adressendata.nl, 1 +adresults.com, 1 +adresults.nl, 1 +adrian-riemer.tk, 1 +adrian.web.id, 1 +adrian2023.com, 1 +adrian2023.de, 1 +adrianadelrossi.com, 1 +adrianadelrossi.net, 1 +adrianagonzalez.tk, 1 +adrianajewelry.my, 1 +adrianasantos.me, 1 +adrianbechtold.de, 1 +adrianbotes.com, 1 +adrianbrad.com, 1 +adriancitu.com, 1 +adriancostin.ro, 1 +adrianfeliciano.com, 0 +adrianhardy.com, 0 +adrianiacobus.com, 1 +adrianjensen.com, 1 +adrianmejias.com, 1 +adrianobarbosa.xyz, 1 +adrianpetcu.tk, 1 +adrianpole.tk, 1 +adrianseo.ro, 0 +adrianspeyer.com, 1 +adriantwpmi.gov, 1 +adrianwalls.tk, 1 +adrianweb.ml, 1 +adriarae.xyz, 1 +adriatic.hr, 1 +adriatika.tk, 1 +adriatrans.ga, 1 +adrienfelsmann.fr, 1 +adrieng.fr, 1 +adrienkohlbecker.com, 1 +adriennekiss.net, 1 +adriennesmiles.com, 1 +adrinet.tk, 1 +adrino.cf, 1 +adrino.gq, 1 +adrino.ml, 1 +adrup.com, 1 +ads-kuwait.net, 1 +adsamcik.com, 1 +adsb.lol, 1 +adsbouncycastles.co.uk, 1 +adscambodia.com, 1 +adsense-arbitrage.com, 1 +adseye.tk, 1 +adsforcash.ga, 1 +adshooter.com, 1 +adsib.gob.bo, 1 +adsl2meg.fr, 1 +adsmarketing.tk, 1 +adsmobilefor.win, 1 +adsmodels.com, 1 +adsnetwork.pro, 1 +adsnn.com, 1 +adson.at, 1 +adson.cz, 1 +adson.de, 1 +adson.ee, 1 +adson.eu, 0 +adson.fi, 1 +adson.fr, 1 +adson.hu, 1 +adson.ie, 1 +adson.li, 1 +adson.lt, 1 +adson.lv, 1 +adson.nl, 1 +adson.no, 1 +adson.pt, 1 +adspire.tk, 1 +adspottest.tk, 1 +adspu.org, 1 +adst.dk, 1 +adstop.ga, 1 +adstop.ml, 1 +adstune.com, 1 +adsviews.gq, 1 +adswoo.com, 1 +adt.co.za, 1 +adt.pl, 1 +adtelligent.com, 1 +adtgroup.com, 1 +adti.pt, 0 +aduanasgama.com, 1 +adubosvidere.com.br, 1 +adultbizz.eu, 1 +adultdvdparadise.com, 1 +adulteducation.org.uk, 1 +adultforum.gr, 1 +adultgames.pro, 1 +adultmalecontent.com, 1 +adultshop.com.au, 0 +adultwebcams1.com, 1 +aduro.com.tr, 1 +adurra.com, 1 +adutoras.com.br, 1 +adv.cr, 0 +advair-generic.ga, 1 +advairgeneric.ga, 1 +advairprice.ga, 1 +advaitghaisas.in, 1 +advaith.fun, 1 +advaith.io, 1 +advaith.link, 1 +advaithbot.xyz, 1 +advaithnikhi.ml, 1 +advaithnikhi.tk, 1 +advance.hr, 1 +advancealabama.gov, 1 +advanced-online.eu, 1 +advancedacupuncture.net, 1 +advancedaquaticservice.com, 1 +advancedboilers.com, 1 +advancedbotoxclinic.com, 1 +advancedbuildings.com.au, 1 +advancedconcrete.construction, 1 +advanceddermmohssurgery.com, 1 +advanceddermtribeca.com, 1 +advanceddieselspokane.com, 0 +advanceddisposables.co.uk, 0 +advancedelectricalservicesqld.com.au, 1 +advancedfueladditives.com, 1 +advancedhealthmedical.com.au, 1 +advancedinteg.com, 1 +advancedmd.com, 1 +advancedmedicalcertification.com, 1 +advancednetflowtraining.com, 1 +advancedob-gyn.com, 1 +advancedoneroofing.com, 1 +advancedridertraining.co.uk, 1 +advancedroofingmuskoka.com, 1 +advancedseo.io, 1 +advancedsepticandpumping.com, 0 +advancedsurgicalconsultantsllc.com, 1 +advancedturf.tk, 1 +advancedurologyca.com, 1 +advancedurologyswla.com, 1 +advancedwriters.com, 1 +advancemoversnc.com, 1 +advanceoptical.com, 1 +advanceworx.com, 1 +advania.info, 1 +advanqi.se, 1 +advantagehomeinteriors.com, 1 +advantagemechanicalinc.com, 1 +advantageroofer.com, 1 +advantagetowing.com.au, 1 +advantis.ai, 1 +advantis.cf, 1 +advantis.ga, 1 +advantis.gq, 1 +advantis.tk, 1 +advantmed.com, 1 +advapacs.com, 1 +advara.com, 1 +advarra.com, 1 +advasa.jp, 1 +advasa.net, 1 +advbizintel.com, 1 +advenacs.com, 1 +advenacs.com.au, 1 +advenapay.com, 1 +adventaholdings.com, 1 +adventalley.com, 1 +adventistai.lt, 1 +adventisthomemaker.com, 1 +advento.bg, 1 +adventry.tk, 1 +adventure-runner.tk, 1 +adventureally.com, 1 +adventurealpinetreks.com, 1 +adventurearts.tk, 1 +adventureboy.co.uk, 1 +adventurecorps.cf, 1 +adventurecorps.ga, 1 +adventurecorps.gq, 1 +adventurecorps.ml, 1 +adventurecreators.com, 1 +adventuredental.com, 1 +adventuredrives.com, 0 +adventureforest.co.nz, 1 +adventureforest.nz, 1 +adventuregamers.com, 1 +adventureprooutdoors.com, 1 +adventureprovisionco.com, 1 +adventures.com, 1 +adventuretoursbend.com, 1 +adventuringup.com, 1 +adventurousway.com, 1 +adventus.space, 1 +advercarte.com, 1 +adverganda.com, 1 +adverganda.de, 1 +adversus-test.tk, 0 +adversus-web-staging.tk, 0 +advertise-ment.tk, 1 +advertising-design.tk, 1 +advertisingcompany.tk, 1 +advertisingindustry.ga, 1 +advertisingphonesest.ga, 1 +advertisment.ga, 1 +advertizer.com, 1 +advery.tk, 1 +advgyan.com, 1 +advice24.tk, 1 +advicepay.com, 1 +adviceprime.tk, 1 +adviesfactuur.nl, 1 +adviesgv.nl, 1 +advinix.fr, 1 +advirk.tk, 1 +adviserplus.com, 1 +advisorperspectives.com, 1 +advmaster.cf, 1 +advocaat-dejonge.be, 1 +advocaatzoeken.nl, 1 +advocatae.com, 1 +advocatburo.tk, 1 +advocatealliancegroup.com, 1 +advocateanakha.com, 1 +advocatechannel.com, 1 +advocatize.com, 1 +advocator.ca, 1 +advoervice.ga, 1 +advogadavaleria.com.br, 1 +advogatech.com.br, 1 +advokat-dtp.cf, 1 +advokat-dtp.ga, 1 +advokat-dtp.gq, 1 +advokat-dtp.ml, 1 +advokat-dtp.tk, 1 +advokat-malinovskii.ml, 1 +advokat-romanov.com, 1 +advokat-teigstad.no, 1 +advokat-vvp.com.ua, 1 +advokat73.gq, 1 +advokati-ceva.cz, 1 +advokatkonsult.cf, 1 +advokatmorgunov.ml, 1 +advokatonline.ml, 1 +advokatskoe-byuro.ml, 1 +advokaty-onlajn.cf, 1 +advokaty-onlajn.ga, 1 +advokaty-onlajn.gq, 1 +advokaty-onlajn.ml, 1 +advokaty-onlajn.tk, 1 +advokaty-yuristy.ga, 1 +advokaty-yuristy.ml, 1 +advokaty-yuristy.tk, 1 +advokaty.cf, 1 +advokaty.gq, 1 +advritujeph.in, 1 +advst.uk, 1 +advtran.com, 0 +adwallgate.com, 1 +adware.pl, 0 +adwokatkosterka.pl, 1 +adwokatzdunek.pl, 1 +adxperience.com, 1 +adygeya.cf, 1 +adzie.xyz, 1 +adzuna.at, 1 +adzuna.ca, 1 +adzuna.co.nz, 1 +adzuna.co.za, 1 +adzuna.com, 1 +adzuna.com.au, 1 +adzuna.com.br, 1 +adzuna.de, 1 +adzuna.fr, 1 +adzuna.in, 1 +adzuna.it, 1 +adzuna.nl, 1 +adzuna.pl, 1 +adzuna.ru, 1 +adzuna.sg, 1 +ae-dir.com, 1 +ae-dir.org, 1 +ae.com, 1 +ae.edu.rs, 1 +ae86.de, 1 +ae86.dog, 0 +ae86.in, 1 +ae86.plus, 0 +ae86.pro, 1 +ae86.pw, 1 +ae86.run, 0 +ae86.vip, 1 +ae86a.com, 1 +ae86c.com, 1 +ae86dy.com, 1 +ae86j.com, 1 +ae86k.com, 1 +ae86t.com, 1 +ae86tt.com, 1 +ae86u.com, 1 +ae86uu.com, 1 +ae86x.com, 0 +ae86y.com, 1 +ae86yy.com, 1 +ae86zx.net, 1 +ae86zy.com, 1 +aeb.io, 1 +aebba.org, 1 +aebian.org, 1 +aebleskoven.dk, 1 +aec-security.eu, 1 +aece.ro, 1 +aechelon.net, 1 +aecis.org, 1 +aecnewstoday.com, 1 +aecom.digital, 1 +aecom.io, 1 +aecord.com, 1 +aedollon.com, 1 +aedus-design.ru, 1 +aefas.com, 1 +aegcl.co.in, 1 +aegeanmep.com, 1 +aegee-academy.eu, 1 +aegee-academy.org, 1 +aegee-utrecht.nl, 1 +aegee.eu, 1 +aegee.org, 1 +aegis.moe, 1 +aegisaccounting.co.uk, 1 +aegisalarm.co.uk, 1 +aegisalarm.com, 1 +aegisalarms.co.uk, 1 +aegisalarms.com, 1 +aegisys.com, 1 +aegon.hu, 1 +aegrel.ee, 1 +aeh5134.cc, 1 +aeha.tk, 1 +aehe.us, 1 +aeht.eu, 1 +aeis-api-stg.azurewebsites.net, 1 +aeis-api.azurewebsites.net, 1 +aeksantcugat.tk, 1 +aeksistem.com, 1 +aelgame.com, 1 +aelia.cc, 1 +aelia.im, 1 +aelia.is, 1 +aelintx.com, 1 +aelisya.net, 0 +aelurus.com, 1 +aenes.com, 1 +aenmail.com, 1 +aeolservice.es, 1 +aeon.co, 0 +aeon.wiki, 0 +aeonc.com, 1 +aeonct.org, 1 +aeonian.live, 0 +aeonmall.global, 1 +aep-digital.com, 1 +aeperocovilha.pt, 1 +aeperodacovilha.pt, 1 +aequometer.de, 1 +aeradesign.com, 1 +aeradoresgaivota.com.br, 1 +aerandir.fr, 1 +aere.com, 1 +aereco.com, 1 +aerelon.de, 1 +aergia.eu, 1 +aerialawesome.com, 1 +aerialforce.co.uk, 1 +aerialworks.ddns.net, 1 +aerisnetwork.com, 1 +aerlux.md, 1 +aeroalbrook.com, 1 +aerobasegroup.com, 1 +aerobatt.com, 1 +aerobiconline.tk, 1 +aerobotz.com, 1 +aeroclub-tolhuin.tk, 1 +aeroelectronics.net, 1 +aeroequity.com, 1 +aeroexpress.tk, 1 +aerofarms.com, 1 +aeroflot.gq, 1 +aeroframe.tk, 1 +aeroglass.ml, 1 +aerogrill.tk, 1 +aeroklub.tk, 1 +aerolineasvenezolanas.net, 1 +aerolog.co, 0 +aeromot.com, 1 +aeron.aero, 1 +aeronautix.com, 1 +aeronote.net, 1 +aeropetz.com.br, 1 +aeroplan.tk, 1 +aeropole.de, 1 +aeropole.eu, 1 +aeroport.gq, 1 +aeropostale.com.ar, 1 +aerosail.fr, 1 +aerosoul.tk, 1 +aerospace-schools.com, 1 +aerospacearchives.tk, 1 +aerospacescience.ml, 1 +aerospeceng.com.au, 1 +aerotrans-service.eu, 1 +aerotrophy.fr, 1 +aerowillys.tk, 1 +aerozone.tk, 1 +aertel.ie, 1 +aerztezentrum.io, 1 +aes-freundeskreis.de, 0 +aes.org.pt, 1 +aesculapliterature.com, 1 +aeslifesciences.com, 1 +aesmoris.es, 1 +aesre.com, 1 +aesre.de, 1 +aesre.net, 1 +aessencia.com.br, 1 +aestheticsplus.xyz, 1 +aesthetikpiercing.de, 1 +aesthetix.icu, 1 +aesthetx.com, 1 +aesthway.com, 1 +aestore.by, 1 +aesvalanalys.com, 1 +aesyours.com, 1 +aeterna-ufa.ru, 1 +aeternus-darkermonument.tk, 1 +aeternus.tech, 1 +aether.industries, 1 +aetherc0r3.eu, 1 +aetherdigitalplatform.com, 1 +aethereahealth.com, 0 +aetherlink.de, 1 +aethernia.net, 1 +aethon.com, 1 +aethonan.pro, 1 +aethopy.ga, 1 +aetna-medicareplans.com, 1 +aevo-vergleich.de, 1 +aevpn.org, 1 +aextron.com, 1 +aextron.de, 1 +aextron.org, 1 +aezw.at, 1 +af-clan.tk, 1 +af.link, 1 +afadansedeparis.com, 1 +afadvantage.gov, 1 +afanasev.tk, 1 +afandou.com, 1 +afanias.org, 1 +afas-apps.nl, 1 +afasim.tk, 1 +afasstatus.nl, 1 +afbct.de, 1 +afbouw-gevelsupport.nl, 1 +afbrunswick.com, 1 +afc-capital.mx, 1 +afcmrstest.org, 1 +afd-bedburg.de, 1 +afd-bergheim.de, 1 +afd-elsdorf.de, 1 +afd-frechen.de, 1 +afd-huerth.de, 1 +afd-kerpen.de, 1 +afd-pulheim.de, 1 +afd-rheinerft.de, 1 +afdah.se, 1 +afdbedburg.de, 1 +afdbruehl.de, 1 +afdelsdorf.de, 1 +afderftstadt.de, 1 +afdfrechen.de, 1 +afdhuerth.de, 1 +afdkerpen.de, 1 +afdpulheim.de, 1 +afdrek.de, 1 +afdrhein-erft.de, 1 +afearlessventure.com, 1 +aferagetback.eu, 1 +aff1xstavka.com, 1 +aff1xstavka.top, 1 +affaire.com, 1 +affairefacile.net, 1 +affairemateriaux.fr, 1 +affairs.com, 1 +affarsnatverk.nu, 0 +affcreations.com, 1 +affect3d.com, 1 +affect3dstore.com, 1 +affectionate.tk, 1 +affengine.com, 1 +affengine.net, 1 +affibody.se, 1 +affidea.ie, 1 +affilatura.it, 1 +affilia.tk, 1 +affiliatebeeers.ga, 1 +affiliatebeest.ga, 1 +affiliatebitz.com, 1 +affiliatedphysicians.com, 1 +affiliatep.com, 1 +affiliateprogram.ga, 1 +affiliateprograms.cf, 1 +affiliateprograms.gq, 1 +affiliates-psychicsource.com, 1 +affiliates.trade, 1 +affine.ai, 1 +affine.space, 1 +affinipay.com, 0 +affinity.co, 1 +affinity.com, 1 +affinity.vc, 1 +affinitycu.ca, 1 +affinityplus.org, 1 +affinitysync.com, 1 +affinityweb.co, 1 +affirm-stage.com, 1 +affissioni.roma.it, 1 +affittacamere.roma.it, 1 +affittialmare.it, 1 +affittibreviliguria.it, 1 +affittisalento.it, 1 +affle.com, 1 +afflictedquarter.tk, 1 +affordable.icu, 1 +affordableasphaltcompany.com, 1 +affordableautoglass.com, 1 +affordableblindsexpress.com, 1 +affordablecameras.tk, 1 +affordableconnectivity.gov, 1 +affordableelectronics.tk, 1 +affordablehealthquotesforyou.com, 1 +affordablemedicalusa.com, 1 +affordablepapers.com, 1 +affordableracingparts.com.au, 1 +affordablevaccinesest.ga, 1 +affordacode.com, 1 +affpa.top, 1 +affpass.com, 1 +affping.com, 1 +affproduct.com, 1 +affsoft.cc, 1 +affumico.it, 1 +affusio.com, 1 +afg-team.tk, 1 +afganistan.cf, 1 +afghan-media.tk, 1 +afghan-sites.tk, 1 +afghan.gq, 1 +afghandonia.tk, 1 +afghanen4life.tk, 1 +afghangreetings.tk, 1 +afghanlink.tk, 1 +afghanraps.tk, 1 +afghansite.tk, 1 +afgphotographers.com, 1 +afgraphic.tk, 1 +afiador.com.br, 1 +afiawealth.com, 0 +aficards.com, 1 +aficionados.com.br, 1 +afilio.de, 1 +afinaudio.com, 1 +afishablogs.tk, 1 +afive.us, 1 +afiyetolsun.jp, 1 +aflam-online.tk, 1 +aflattr.com, 1 +aflebedevo.tk, 1 +afoikrali.gr, 1 +aforadearrastu.tk, 1 +aforism.tk, 1 +afp548.com, 1 +afrag.fr, 1 +afreelancersworld.com, 1 +afres.com, 1 +afreshperspective.com, 1 +africaclassifieds.ga, 1 +africaindemander.tk, 1 +africalebanon.tk, 1 +african-artmosphere.tk, 1 +africanbiblesafari.org, 1 +africanewstest0.ml, 1 +africangazda.tk, 1 +africangreyparrotscare.com, 1 +africanheritage.tk, 1 +africanhosting.ml, 1 +africankingsclothing.com, 1 +africankitchen.gallery, 1 +africanmangoforum.ga, 1 +africanmangoforum.gq, 1 +africansafaris.co.nz, 1 +africantourer.com, 1 +africaone-publishing.com, 1 +africaricecenter.org, 1 +afrijet.ga, 1 +afrilatest.com, 1 +afrimarket.ci, 1 +afrique.buzz, 1 +afriregister.com.ss, 1 +afriregister.et, 1 +afriregister.eu, 1 +afriregister.sn, 1 +afrodigital.uk, 1 +afrodisiac.tk, 1 +afrodita.tk, 1 +afroditafirm.tk, 1 +afroditehotel.tk, 1 +afrogospel.tk, 1 +afroludi.tk, 1 +afroto.com, 1 +afseguros.com, 1 +afslankstudiovelserbroek.nl, 1 +aftamurae.com, 1 +after-whoru.tk, 1 +afterblokrock.tk, 1 +afterburnerjs.com, 1 +afterdarklabs.net, 1 +afterdwi.info, 1 +afterfostercare.tk, 1 +afterhate.fr, 1 +afterhoursglass.com.au, 1 +aftermagic.com, 1 +aftermix.com, 1 +afternoonhereyes.tk, 1 +afteroblivion.tk, 1 +afterpay.com, 1 +afterschool.tk, 1 +afterskool.eu, 1 +afterstack.net, 1 +aftodioikisi.gr, 1 +aftonbladet.se, 1 +aftontickets.com, 1 +afute.fr, 1 +afuturewithoutfear.org, 1 +afuturewithoutfear.us, 1 +afva.net, 1 +afwd.international, 1 +afxsoft.ml, 1 +afzaalace.com, 1 +afzetbak.nl, 1 +ag066.vip, 1 +ag123.la, 1 +ag13842.com, 1 +ag1386.com, 1 +ag158.cc, 0 +ag1603.com, 0 +ag1604.com, 1 +ag1607.com, 1 +ag3.la, 1 +ag3232g.com, 1 +ag388.vip, 1 +ag399.vip, 1 +ag4.app, 0 +ag518518.net, 1 +ag6.im, 1 +ag6.pub, 1 +ag6.vc, 1 +ag6.vip, 1 +ag600.la, 1 +ag618.la, 1 +ag6215.com, 1 +ag6225.com, 1 +ag66321.com, 1 +ag666.vip, 1 +ag68ks.com, 1 +ag69000.com, 1 +ag72.vip, 1 +ag8-game.com, 1 +ag8.im, 1 +ag8.vip, 1 +ag80808.com, 1 +ag80880.com, 1 +ag812.tv, 1 +ag818.net, 1 +ag819.tv, 1 +ag82011.vip, 1 +ag82018.cc, 1 +ag82018.com, 1 +ag8500.com, 1 +ag8600.com, 1 +ag88.com, 1 +ag880.win, 1 +ag8808.com, 1 +ag88080.com, 1 +ag88110.com, 1 +ag8819-livechat.com, 1 +ag8859.com, 0 +ag8876.com, 1 +ag888818.com, 1 +ag889.com, 1 +ag8890.com, 1 +ag8891.com, 1 +ag88dc22.com, 1 +ag88ks.com, 1 +ag89000.com, 1 +ag898.cc, 1 +ag8vip.com, 1 +ag9.im, 0 +ag9100.com, 1 +ag918.cc, 1 +ag918.co, 1 +ag918.top, 1 +ag96.win, 1 +ag9757.com, 1 +ag98.tv, 0 +ag9800.com, 1 +ag9815.com, 1 +ag9835.com, 1 +ag98ks.com, 1 +ag9999.co, 1 +ag9ks.com, 1 +ag9vip.com, 1 +aga-eiken.tk, 1 +aga.gov.au, 1 +agabucheros.tk, 1 +agad.tk, 1 +agagent.vip, 1 +agahimax.com, 1 +against.tk, 1 +againstgynexams.tk, 1 +againsttheneighbour.tk, 1 +againsttheodds.es, 1 +agalia.com, 1 +agalloch.tk, 1 +agambition.eu, 1 +agamsecurity.ch, 0 +agapelove.tk, 1 +agar.kr, 1 +agarcat.com, 1 +agargiulo.com, 1 +agari-mj.com, 1 +agarioforum.ga, 1 +agas.com, 1 +agasport.nl, 0 +agastia.com, 1 +agatajanik.de, 1 +agate.pw, 1 +agateh.com.au, 1 +agaveandpine.com, 1 +agavesurgery.com, 1 +agbremen.de, 0 +agcdn.cc, 1 +agcdn.top, 1 +agceauditores.cl, 1 +agcegroup.cl, 1 +agcpapp.com, 1 +agdalieso.com.ba, 1 +agds.pw, 1 +agdsenice.cz, 1 +age-encryption.org, 1 +agearo.com, 1 +ageasagentessummit.pt, 1 +agechecker.net, 1 +agedcaredentistry.com.au, 1 +agedefying.net, 1 +agedgamer.com, 1 +agefriendlyri.org, 1 +ageg.ca, 1 +agehotel.com, 1 +ageless-world.tk, 1 +agelesscitizen.com, 1 +agelesscitizens.com, 1 +agellonia.com, 1 +agen62.asia, 1 +agen62.cc, 1 +agen62.info, 1 +agen62.org, 1 +agen62.site, 1 +agen62.top, 1 +agenbandarq.cf, 1 +agenbandarq.ga, 1 +agenbandarq.gq, 1 +agenbandarq.ml, 1 +agenbandarq.tk, 1 +agence-immobiliere-hossegor.com, 1 +agence-initiale.fr, 1 +agence-matrimoniale-paris.com, 1 +agence.tw, 1 +agenceimmoselect.com, 1 +agencelcinvestigations.com, 1 +agences-cegee.fr, 1 +agencesaintpierre.fr, 1 +agencestaff.fr, 1 +agencetourismemali.ml, 1 +agenciacanina.tk, 1 +agenciacoder.com, 1 +agenciacolors.com.br, 1 +agenciacorujadesign.com.br, 1 +agenciacrown.es, 1 +agenciahangar.com.br, 1 +agenciaingenium.cl, 1 +agenciakarazai.com.br, 1 +agenciaonnmarketing.com, 1 +agenciapixelnove.com.br, 1 +agenciaplanner.com.br, 1 +agenciarse.com, 1 +agenciarubik.com, 1 +agenciatecben.com.br, 1 +agencja-interaktywna.ga, 1 +agencja-interaktywna.tk, 1 +agencxy.ga, 1 +agencybeam.com, 1 +agencyeve.com, 1 +agencygood.tk, 1 +agencyinmotion.com, 1 +agencymanager.be, 1 +agenda-loto.net, 0 +agenda21senden.de, 1 +agendadelvolo.info, 1 +agendamuslim.tk, 1 +agendaspectacles.fr, 1 +agendatelefonica.net, 1 +agendominoq.tk, 1 +agenslot128.com, 1 +agent-007.tk, 1 +agent-grow.com, 1 +agent.sk, 1 +agent47.tk, 1 +agent4fl.com, 1 +agentabuseest.ga, 1 +agenter.cf, 1 +agenter.tk, 1 +agentesevillanocooper.tk, 1 +agentfirewall.com, 1 +agentpak.com, 1 +agentpatrolest.ga, 1 +agentpoint.website, 1 +agentprovocateur.com, 1 +agentrisk.com, 0 +agentsmith.tk, 1 +agentum.ga, 1 +agentur-pottkinder.de, 1 +agentz.ga, 1 +agenux.org, 1 +agenziaimmobiliarezeta.it, 1 +agenziapubblicitaria.milano.it, 1 +agenziapubblicitaria.roma.it, 1 +agenziefunebri.it, 1 +ageofreason.tk, 1 +agesofarda.net, 1 +agfmedia.com, 1 +agg097.com, 1 +agg88.com, 1 +aggeneralconstruction.com, 1 +aggielandtutoring.com, 1 +agglo-sion.ch, 1 +aggn.info, 1 +aggression.tk, 1 +aggressionpvp.com, 1 +aggressivecarwraps.com, 1 +aggtechconcrete.com, 1 +aghayeva-edler.de, 1 +agiairini.cz, 1 +agic-geneve.ch, 1 +agiftinside.com, 1 +agilan.nl, 1 +agile.coach, 1 +agileacademy.technology, 1 +agilebits.com, 1 +agilebits.net, 0 +agilecoldstorage.com, 1 +agilecraft.com, 1 +agilee.io, 1 +agilepeopleopsframework.com, 1 +agileui.com, 0 +agilewalls.com, 1 +agilextra.com.au, 1 +agilicus.ca, 1 +agilicus.com, 1 +agility-westvlaanderen.tk, 1 +agilityconsulting.be, 1 +agill.me, 1 +agilob.net, 1 +agiloo.tk, 1 +agilusdiagnostics.com, 1 +aging.gov, 1 +agingstats.gov, 1 +agingstop.net, 1 +aginion.com, 1 +aginion.net, 1 +agioanmark.tk, 1 +agiosthomas.tk, 1 +agirc-arrco.fr, 1 +agirlknows.com, 1 +agitmedia.ru, 1 +agk.co.com, 1 +agks02.com, 1 +agks1.com, 1 +agks116.com, 1 +agks136.com, 1 +agks16.com, 1 +agks188.com, 1 +agks19.com, 1 +agks23.com, 1 +agks27.com, 1 +agks35.com, 1 +agks38.com, 1 +agks4.com, 1 +agks45.com, 1 +agks53.com, 1 +agks57.com, 1 +agks59.com, 1 +agks60.com, 1 +agks63.com, 1 +agks67.com, 1 +agks68.com, 1 +agks69.com, 1 +agks7.com, 1 +agks70.com, 1 +agks71.com, 1 +agks72.com, 1 +agks78.com, 1 +agks79.com, 1 +agks8.com, 1 +agks82.com, 1 +agks83.com, 1 +agks86.com, 1 +agks87.com, 1 +agks888.com, 0 +agks89.com, 1 +agks9.com, 1 +agks92.com, 1 +agktest1.ga, 1 +aglar.com.ec, 1 +aglar.tk, 1 +agleventis.com, 1 +aglow.nl, 1 +agm4545.com, 1 +agmuscle.com, 1 +agnconnect.com, 1 +agnesk.blog, 1 +agnesmatilda.tk, 1 +agnestakeaway.be, 1 +agneta.tk, 1 +agnosia.tk, 1 +agnosticism.tk, 1 +agnusbostel.tk, 1 +agocs.me, 1 +agora-energiewende.de, 1 +agora-soft.cf, 1 +agora-verkehrswende.de, 1 +agora.co.il, 1 +agora.ru, 1 +agorabet.com.br, 1 +agoracupom.com.br, 1 +agoradanza.tk, 1 +agoradesk.com, 1 +agorapulse.com, 1 +agoratek.fr, 1 +agoravisitasguiadas.com, 1 +agoravm.tk, 1 +agoravox.it, 1 +agorism.eu.org, 1 +agoshop.de, 1 +agossearch.tk, 1 +agostonegro.tk, 1 +agouraelectrical.com, 1 +agouraelectrician.com, 1 +agouraexteriorlighting.com, 1 +agourahillselectric.com, 1 +agourahillselectrical.com, 1 +agourahillselectrician.com, 1 +agourahillsexteriorlighting.com, 1 +agourahillslandscapelighting.com, 1 +agourahillslighting.com, 1 +agourahillsoutdoorlighting.com, 1 +agouralandscapelighting.com, 1 +agouralighting.com, 1 +agouraoutdoorlighting.com, 1 +agowa338.de, 1 +agpandit.in, 1 +agpideas.com, 1 +agr.asia, 1 +agrabah.com, 1 +agradi.nl, 1 +agralines.tk, 1 +agrarking.com, 1 +agrarking.de, 1 +agrarkredit.de, 1 +agrartermine-deggendorf.de, 1 +agrartermine-straubing-bogen.de, 1 +agravery.com, 1 +agraw.tk, 1 +agregator.tk, 1 +agrekov.ru, 1 +agremo.com, 0 +agreor.com, 1 +agressief.com, 1 +agri-meet.com, 1 +agri.ee, 0 +agricult.tk, 1 +agricultural-technology.tk, 1 +agriculture-schools.com, 1 +agriculture.vic.gov.au, 1 +agrifoglio.com, 1 +agrifoodtoday.it, 1 +agrifutures.com.au, 1 +agrigentonotizie.it, 1 +agrikulturchic.com, 1 +agrinous.com, 1 +agrinous.com.au, 1 +agripartner.fr, 1 +agripick.com, 1 +agriportal.online, 1 +agrippa.tk, 1 +agriprofocus.com, 1 +agriresearch.tk, 1 +agrish.tk, 1 +agrisicilia.it, 0 +agritatrade.bg, 1 +agro-dom.solutions, 1 +agro-ferma.tk, 1 +agro-forestry.net, 1 +agro-market24.ru, 1 +agro-portal.info, 1 +agrobank.uz, 1 +agrobase.uz, 1 +agrobaza.com.ua, 1 +agrocare.tk, 1 +agroclan.tk, 1 +agroclimat.tk, 1 +agroconsultoraplus.com, 1 +agrodoki.hu, 1 +agrofind.com.br, 1 +agrogrup79.com, 1 +agroguia.com.co, 1 +agroinsider.com, 1 +agrokomi.tk, 1 +agrokredit.ga, 1 +agroland.tk, 1 +agrolife.tk, 1 +agroma.com, 1 +agromotorsburzaco.com, 1 +agron.tk, 1 +agronomi.tk, 1 +agronomict.tk, 1 +agropark.tk, 1 +agroplas.cf, 1 +agropool.tk, 1 +agropotter.com.ua, 1 +agrosanus.pt, 0 +agrospan.ga, 1 +agrosvit.kz, 1 +agroteam.tk, 1 +agrotek.lt, 1 +agrotender.com.ua, 1 +agrotraktor.gq, 1 +agrowbio.com, 0 +agroyard.com.ua, 1 +agrus-wow.tk, 1 +agscapeslandscaping.com, 1 +agscinemas.com, 1 +agscinemasapp.com, 1 +agsun6.com, 1 +aguaazul.com.co, 1 +aguajero.com, 1 +aguantepimpinero.tk, 1 +aguarani.com.br, 1 +aguaviva.tk, 1 +aguiascarecas.org, 1 +aguidetolovelossanddesperation.com, 1 +agujetas.tk, 1 +agul.tk, 1 +agullo.tk, 1 +agung-furniture.com, 1 +agurskie-vodopadi.ru, 1 +agusandelsur.gov.ph, 1 +agusik.com.ua, 1 +agustian.tk, 1 +agusticarmona.tk, 1 +agustin.cf, 1 +agustin.ml, 1 +agusto.tk, 1 +aguz.tk, 1 +agviet88.com, 1 +agvins.fr, 1 +agvip1000.com, 1 +agvip168.com, 1 +agvip2001.com, 1 +agvip2008.com, 1 +agvip88.com, 0 +agvip986.com, 1 +agwa.name, 1 +agwin1.com, 0 +agwin7.com, 1 +agwin8.com, 1 +agwin9.com, 1 +agworkers.com, 1 +agzlapp.com, 1 +agzy.tw, 1 +agzy.vip, 1 +ahanet.tk, 1 +ahansen.is, 0 +ahbap.org, 1 +ahccorleone.tk, 1 +ahcpb.com, 1 +ahcpr.gov, 1 +ahd.com, 0 +ahealthyjourney.ca, 1 +ahegaoroulette.com, 1 +ahelos.tk, 1 +ahezu.com, 1 +ahg-offices.fr, 1 +ahhcomfortshoes.com, 1 +ahidta.gov, 1 +ahiha-design.com, 1 +ahima.org, 1 +ahityayinlari.com, 1 +ahityayinlari.org, 1 +ahj.no, 1 +ahjy.com, 1 +ahl.gov.au, 0 +ahl.im, 1 +ahlac.tk, 1 +ahlaejaba.com, 1 +ahli-antenatv.tk, 1 +ahli.io, 1 +ahlibank.com.qa, 1 +ahlz.sk, 1 +ahm.com.au, 1 +ahmad.space, 1 +ahmadfathy.ml, 1 +ahmadjakfar.tk, 1 +ahmadmaher.tk, 1 +ahmadonline.tk, 1 +ahmadov.tk, 1 +ahmadrafiq.tk, 1 +ahmadramadan.tk, 1 +ahmadtea.lk, 1 +ahmed-alasadi.tk, 1 +ahmed.tk, 1 +ahmedcorp.tk, 1 +ahmedelgamalanimations.tk, 1 +ahmedszaidi.com, 1 +ahmerjamilkhan.org, 1 +ahmetazgin.net, 1 +ahmetcadirci.com.tr, 1 +ahmetshina.tk, 1 +ahmt.net, 1 +ahmu.com, 1 +ahmud.net, 1 +ahoefer.de, 1 +ahoeheng.com, 1 +ahoj.email, 1 +ahoj.hu, 1 +ahomeconcept.com, 1 +ahorasalud.com, 1 +ahornblatt.org, 1 +ahosamuel.com, 1 +ahosenjoni.fi, 1 +ahosi.com, 1 +ahouansou.cz, 1 +ahqf.com, 1 +ahrefs.com, 1 +ahroproject.org, 1 +ahrora.com, 1 +ahrq.gov, 1 +ahs.com, 1 +ahscarolinas.com, 1 +ahsinsaleem.tk, 1 +ahstrem.com, 1 +ahswarranty.com, 1 +ahsyg.com, 1 +ahtuxpk.ru, 1 +ahughes03.com, 1 +ahwah.net, 1 +ahwahnee.today, 1 +ai-english.jp, 1 +ai-genit.com, 1 +ai-powered-learning.com, 1 +ai-practitioners.com, 1 +ai-soft.co.jp, 1 +ai.gov, 1 +ai.gov.ae, 1 +ai.market, 1 +ai.moda, 1 +ai.mr, 0 +ai00.vip, 1 +ai1989.com, 1 +ai2-jp.com, 1 +ai5.me, 1 +aia-alkmaar.nl, 1 +aiaccinu.eu.org, 1 +aiaidaxue.com, 1 +aiaidou.com, 1 +aiainiu.com, 1 +aianetwork.net, 1 +aianipid.ee, 1 +aiasesoriainmobiliaria.com, 1 +aiat.net, 1 +aiatsis.gov.au, 1 +aibaoyou.com, 1 +aibes-staging.com, 1 +aibes.org, 1 +aibili.pt, 1 +aibiying.com, 1 +aibolit-apteka.tk, 1 +aibolit.ga, 1 +aibolit.md, 1 +aibolit.ml, 1 +aibolitik.tk, 1 +aibot.tk, 1 +aibsoftware.mx, 1 +aicampo.com, 1 +aiccc.com.au, 1 +aiccorp.com, 1 +aicfb.in, 1 +aichat.io, 1 +aichat.site, 1 +aichi-tokko-shien.com, 1 +aichou.com, 1 +aicial.co.uk, 1 +aickelin.eu, 1 +aicr.org, 1 +aicv.io, 1 +aid-web.ch, 1 +aida.org.au, 1 +aidablanco.tk, 1 +aidaccess.org, 1 +aidanamavi.com, 1 +aidanapple.com, 1 +aidanmitchell.uk, 0 +aidanmontare.net, 1 +aidanpr.com, 1 +aidanpr.net, 1 +aidarikako.com, 1 +aidco.net, 1 +aide-hebergement.ca, 1 +aide-valais.ch, 1 +aide.com, 1 +aideenmonaghan.com, 1 +aidenlx.top, 1 +aidenoliver.au, 1 +aidhan.net, 1 +aidi-ahmi.com, 1 +aidliveers.ga, 1 +aido.gq, 1 +aidoc.com, 1 +aidoru.net, 1 +aids-dissidents.tk, 1 +aids.gov, 1 +aidventurers.com, 1 +aie.de, 1 +aiecosystem.com.au, 1 +aiesecarad.ro, 1 +aievaluare.ro, 1 +aifartsakh.com, 1 +aifob.tk, 1 +aifriccampbell.com, 1 +aifx.ml, 0 +aigcev.org, 1 +aigenpul.se, 1 +aigner-club.com, 1 +aigner-club.de, 1 +aignerimage.de, 1 +aignermunich.com, 1 +aignermunich.de, 1 +aignermunich.jp, 1 +aigu.io, 1 +aiguemarine-spa.fr, 1 +aiguilhe-querre.com, 1 +aiha.com, 1 +aihaamua.tk, 1 +aiho.stream, 1 +aihschgo.org, 1 +aiinsurance.xyz, 1 +aikareborn.com, 1 +aiken.golf, 1 +aikenpromotions.com, 1 +aiki.de, 1 +aiki.do, 1 +aiki.tk, 0 +aikido-club-limburg.de, 1 +aikido-kiel.de, 1 +aikido-linz.at, 1 +aikido-wels.at, 1 +aikidoaalst.tk, 1 +aikidoboskovice.cz, 1 +aikidoinfo.tk, 1 +aikidosaltadojo.tk, 1 +aikijutsu.tk, 1 +aikiva.com, 1 +aikoly.com, 1 +aila.org, 1 +aileenwatt.co.uk, 1 +ailife.blog, 1 +ailitonia.com, 1 +ailitonia.xyz, 1 +ailladearousa.com, 1 +aim.org.pt, 1 +aimare-web.tk, 1 +aimarketingdesk.com, 1 +aimax.com, 1 +aimaye.com, 1 +aimbot.games, 1 +aimdigital.tk, 1 +aimeeandalec.com, 1 +aimeisi.com, 1 +aimgroup.co.tz, 1 +aiminet.com, 1 +aimless.tk, 1 +aimlessempire.tk, 1 +aimmuneinstitute.org, 1 +aimoda.bid, 1 +aimoda.click, 1 +aimoda.cloud, 1 +aimoda.download, 1 +aimoda.io, 1 +aimoda.loan, 1 +aimoda.space, 1 +aimoda.stream, 1 +aimoda.trade, 1 +aimotive.com, 1 +aimreply.com, 1 +aimrom.org, 1 +aina.moi, 1 +ainaishi.com, 1 +ainameals.com, 1 +ainamoroms.com, 1 +aine.com.br, 1 +ainewsto.com, 1 +ainfographie.com, 1 +aini99.club, 0 +ainong.com, 1 +ainrm.cn, 1 +ainsa.tk, 1 +ainutrition.co.uk, 1 +ainvest.de, 1 +ainzu.net, 1 +aioboot.com, 1 +aiois.com, 1 +aioj.ac, 1 +aiom.tk, 1 +aion.fi, 1 +aiosetups.com, 1 +aiot.pw, 1 +aipcardio.ai, 1 +aipcardio.hu, 1 +aipderm.com.mx, 1 +aipderm.eu, 1 +aipderm.mx, 1 +aipderm.ro, 1 +aipdev.kz, 1 +aipee.org, 1 +aiphyron.com, 1 +aipi.at, 1 +aipi.ch, 1 +aipi.de, 1 +aipi.tel, 1 +aipi.uk, 1 +aipor.pt, 0 +aiporn666.com, 1 +aipregnancy.com, 1 +aipregnant.com, 1 +aiqinggu.com, 1 +aiqingli.com, 1 +air-business.tk, 1 +air-clan.tk, 1 +air-flot.tk, 1 +air-planning.co.jp, 1 +air-rishon.tk, 1 +air-soft.ga, 1 +air-swift.com, 1 +air-techniques.fr, 1 +air-ticket.ga, 1 +airalarm.com, 1 +airaplus.ca, 1 +airbender.tk, 1 +airbnb.ae, 1 +airbnb.at, 1 +airbnb.be, 1 +airbnb.biz, 1 +airbnb.ca, 1 +airbnb.cat, 1 +airbnb.ch, 1 +airbnb.cl, 1 +airbnb.cn, 1 +airbnb.co.cr, 1 +airbnb.co.id, 1 +airbnb.co.il, 1 +airbnb.co.in, 1 +airbnb.co.kr, 1 +airbnb.co.nz, 1 +airbnb.co.uk, 1 +airbnb.co.ve, 1 +airbnb.com, 1 +airbnb.com.ar, 1 +airbnb.com.au, 1 +airbnb.com.bo, 1 +airbnb.com.br, 1 +airbnb.com.bz, 1 +airbnb.com.cn, 1 +airbnb.com.co, 1 +airbnb.com.ec, 1 +airbnb.com.gt, 1 +airbnb.com.hk, 1 +airbnb.com.hn, 1 +airbnb.com.hr, 1 +airbnb.com.kh, 1 +airbnb.com.mt, 1 +airbnb.com.my, 1 +airbnb.com.ni, 1 +airbnb.com.pa, 1 +airbnb.com.pe, 1 +airbnb.com.ph, 1 +airbnb.com.py, 1 +airbnb.com.sg, 1 +airbnb.com.sv, 1 +airbnb.com.tr, 1 +airbnb.com.tw, 1 +airbnb.com.ua, 1 +airbnb.com.vn, 1 +airbnb.cz, 1 +airbnb.de, 1 +airbnb.dk, 1 +airbnb.es, 1 +airbnb.fi, 1 +airbnb.fr, 1 +airbnb.gr, 1 +airbnb.gy, 1 +airbnb.hu, 1 +airbnb.ie, 1 +airbnb.is, 1 +airbnb.it, 1 +airbnb.jp, 1 +airbnb.la, 1 +airbnb.lu, 1 +airbnb.mx, 1 +airbnb.nl, 1 +airbnb.no, 1 +airbnb.org, 1 +airbnb.pl, 1 +airbnb.pt, 1 +airbnb.ru, 1 +airbnb.se, 1 +airbnb.tools, 1 +airbnbchina.cn, 1 +airborne-clan.tk, 1 +airborne-commando.tk, 1 +airborne-inflatables.co.uk, 1 +airborneexperience.com, 1 +airbossofamerica.com, 1 +airburners.com, 1 +airburners.com.au, 1 +airburners.net, 1 +airbusters.com, 1 +aircareair.tk, 1 +airchartervirginislands.com, 1 +aircheapfare.com, 1 +aircheapfares.com, 1 +aircomet.tk, 1 +aircompressormachine.com, 1 +airconditioning.tk, 1 +airconditioningcondensers.tk, 1 +airconditioningservicejohannesburg.co.za, 1 +airconsboksburg.co.za, 1 +airconservicingcapetown.co.za, 1 +airconsfourways.co.za, 1 +aircraft-database.com, 1 +aircraftnoisemodel.org, 1 +aircraftspruce.ca, 1 +aircraftspruce.com, 1 +aircrewportpages.com, 1 +aircs.racing, 1 +airday.tk, 1 +airdeer.com, 1 +airdropics.com, 1 +airdropkings.com, 1 +airductcleaninggrandprairie.com, 1 +airdur.eu, 1 +aireaseleaks.org, 1 +airedaleterrier.com.br, 1 +airensmuseum.com, 1 +aires-autoroute-areas.com, 1 +airesourcezone.com, 1 +airethilien.tk, 1 +airetvie.com, 0 +aireuropeflights.com, 1 +airez.tk, 1 +airfal.com, 1 +airfan.cf, 1 +airfarecheapdeal.com, 1 +airfarecheapeurope.com, 1 +airfarecompareprices.com, 1 +airfaredealstoindia.com, 1 +airfarefrom.com, 1 +airfarehonolulu.com, 1 +airfarehoteldeals.com, 1 +airfaremexicocity.com, 1 +airfareorlando.com, 1 +airfaresdomestic.com, 1 +airfareseconomy.com, 1 +airfaresfrom.com, 1 +airfareshotels.com, 1 +airfarestoamerica.com, 1 +airfarestogermany.com, 1 +airfareticketsdeals.com, 1 +airfaretousa.com, 1 +airfaretracking.com, 1 +airfield.gq, 1 +airflightsdeals.com, 1 +airforce.com, 1 +airformosa.com, 1 +airfoto.tk, 1 +airfox.cf, 1 +airfox.gq, 1 +airgreen.com, 1 +airgun.tk, 1 +airgundepot.com, 1 +airhart.me, 1 +airhelp.com, 1 +airhorn.de, 1 +airi-tabei.com, 1 +airi.ga, 1 +airicy.com, 1 +airikai.com, 1 +airism.com, 1 +airit.de, 1 +airixfood.com, 1 +airjet.cf, 1 +airjordan11.cc, 1 +airjordan1phatwhite.info, 1 +airjordan2017.site, 1 +airjordanpascher.tk, 1 +airjordansshoes.us, 1 +airjordanwholesale.us, 1 +airkiss.ga, 1 +airknowledge.gov, 1 +airlapse.net, 0 +airline-rabota.tk, 1 +airlineairlines.com, 1 +airlineairplane.com, 1 +airlineairports.com, 1 +airlineairways.com, 1 +airlineandhotels.com, 1 +airlineandtickets.com, 1 +airlinebe.com, 1 +airlineblue.com, 1 +airlinebookingtickets.com, 1 +airlinebuyticket.com, 1 +airlineby.com, 1 +airlinec.com, 1 +airlinecheapflightinternationalticket.com, 1 +airlinecheapflightticket.com, 1 +airlinecheapprices.com, 1 +airlinecheaptravel.com, 1 +airlinechicago.com, 1 +airlinedallas.com, 1 +airlinedenmark.com, 1 +airlinedomestic.com, 1 +airlineeconomy.com, 1 +airlinefarecheap.com, 1 +airlinefarediscount.com, 1 +airlinefarelow.com, 1 +airlinefareprices.com, 1 +airlinefaresdiscount.com, 1 +airlinefee.com, 1 +airlinefirstclass.com, 1 +airlineflight.biz, 1 +airlineflightcheap.com, 1 +airlineflights.biz, 1 +airlineflightsdeals.com, 1 +airlineflightsdiscount.com, 1 +airlineflightsfares.com, 1 +airlineflightsinternational.com, 1 +airlineflightsprices.com, 1 +airlineflightsreservations.com, 1 +airlineflyingclub.tk, 1 +airlineforsale.com, 1 +airlinefr.com, 1 +airlinegermany.com, 1 +airlinehawaii.com, 1 +airlinekorea.com, 1 +airlinelondon.com, 1 +airlinenationwide.com, 1 +airlinenews.tk, 1 +airlinenewzealand.com, 1 +airlineoil.com, 1 +airlinep.com, 1 +airlineplanetickets.com, 1 +airlinesair.com, 1 +airlinesamsterdam.com, 1 +airlinesandhotel.com, 1 +airlinesandtickets.com, 1 +airlinesandtravel.com, 1 +airlinesargentina.com, 1 +airlinesau.com, 1 +airlinesaustralia.com, 1 +airlinesboston.com, 1 +airlinesbritish.com, 1 +airlinesbrussels.com, 1 +airlinesby.com, 1 +airlinesca.com, 1 +airlinescheapfare.com, 1 +airlinescheapflights.com, 1 +airlinescheapticket.com, 1 +airlineschicago.com, 1 +airlinescincinnati.com, 1 +airlinesdallas.com, 1 +airlinesdc.com, 1 +airlinesdetroit.com, 1 +airlinesdomestic.com, 1 +airlineseast.com, 1 +airlineseconomy.com, 1 +airlinesettlement.com, 1 +airlinesfirstclass.com, 1 +airlinesfleet.com, 1 +airlinesfrom.com, 1 +airlineshouston.com, 1 +airlinesincanada.com, 1 +airlinesingapore.com, 1 +airlinesinlasvegas.com, 1 +airlinesinsingapore.com, 1 +airlinesit.com, 1 +airlinesjordan.com, 1 +airlineslasvegas.com, 1 +airlineslosangeles.com, 1 +airlineslowfare.com, 1 +airlinesmiddleeast.com, 1 +airlinesname.com, 1 +airlinesnashville.com, 1 +airlinesnewyork.com, 1 +airlinesnorthamerica.com, 1 +airlinesnyc.com, 1 +airlinesofdubai.com, 1 +airlinesofmexico.com, 1 +airlinespackages.com, 1 +airlinesparis.com, 1 +airlinesphonenumber.com, 1 +airlinessa.com, 1 +airlinessanfrancisco.com, 1 +airlinesseating.com, 1 +airlinessingapore.com, 1 +airlinestexas.com, 1 +airlinesticketbooking.com, 1 +airlinesto.com, 1 +airlinestoalaska.com, 1 +airlinestoamerica.com, 1 +airlinestoatlanta.com, 1 +airlinestocanada.com, 1 +airlinestochicago.com, 1 +airlinestocostarica.com, 1 +airlinestoeurope.com, 1 +airlinestoflorida.com, 1 +airlinestofrance.com, 1 +airlinestogermany.com, 1 +airlinestoitaly.com, 1 +airlinestojapan.com, 1 +airlinestolasvegas.com, 1 +airlinestolosangeles.com, 1 +airlinestomiami.com, 1 +airlinestoorlando.com, 1 +airlinestophoenix.com, 1 +airlinestosingapore.com, 1 +airlinestoturkey.com, 1 +airlinestousa.com, 1 +airlinestovegas.com, 1 +airlinesturkey.com, 1 +airlinesunitedstates.com, 1 +airlinesvegas.com, 1 +airlinesvietnam.com, 1 +airlineti.com, 1 +airlinetic.com, 1 +airlineticketscheapflights.com, 1 +airlineticketsfrom.com, 1 +airlineticketspurchase.com, 1 +airlineticketswith.com, 1 +airlineto.com, 1 +airlinetocanada.com, 1 +airlinetohawaii.com, 1 +airlinetolasvegas.com, 1 +airlinetolondon.com, 1 +airlinetomiami.com, 1 +airlinetovegas.com, 1 +airlinetravelinternational.com, 1 +airlinetravelnetwork.com, 1 +airlinetx.com, 1 +airlinevegas.com, 1 +airlinewholesale.com, 1 +airm.aero, 1 +airmag.tk, 1 +airmail.cc, 0 +airman.cf, 1 +airmap.com, 0 +airmap.io, 1 +airmash.online, 1 +airmaxinflatables.com, 1 +airnet.tk, 1 +airnode.ga, 1 +airnow.gov, 1 +airpark-roissy.fr, 1 +airplaneairline.com, 1 +airplanepictures.tk, 1 +airplanestatsers.ga, 1 +airplanestatsest.ga, 1 +airplanet.tk, 1 +airplanetic.com, 1 +airplanetick.com, 1 +airplaneticketcheap.com, 1 +airplay-inflatable-hire.co.uk, 1 +airplayradio.nl, 1 +airpoint-compressors.nl, 1 +airport-acap.eu, 1 +airport-car-rental.tk, 1 +airport-charlotte.com, 1 +airportairline.com, 1 +airportal.cn, 1 +airportbarking.eu, 1 +airportcdgparis.com, 1 +airportcoc.cf, 1 +airportcoc.ga, 1 +airportcoc.ml, 1 +airportcyprus.com, 1 +airportdc.com, 1 +airportfrankfurtgermany.com, 1 +airportgatwick.com, 1 +airportgrandhotel.com, 1 +airportguam.com, 1 +airportholiday.com, 1 +airporthotelsgatwick.com, 1 +airportinrome.com, 1 +airportknoxville.com, 1 +airportlas.com, 1 +airportnz.com, 1 +airportofdubai.com, 1 +airportparkingschiphol.nl, 1 +airportperth.com, 1 +airportsbarcelona.com, 1 +airportsdc.com, 1 +airportsflights.com, 1 +airportsflorida.com, 1 +airportsfo.com, 1 +airportstickets.com, 1 +airportstockholm.com, 1 +airportstuttgart.com, 1 +airportturkey.com, 1 +airportzo.net.in, 1 +airportzostage.in, 1 +airpurifierproductsonline.com, 1 +airquestion.org, 1 +airrestoration.ch, 1 +airscope.ae, 1 +airscorp.com, 1 +airsculpture.us, 1 +airsculptureballoonart.com, 1 +airsculptureballoonart.net, 1 +airsculptureballoonart.org, 1 +airsculptureballoons.com, 1 +airseatac.net, 1 +airship.com, 1 +airship.eu, 1 +airsial.com, 1 +airslate.com, 1 +airsoft.fr, 1 +airsofthub.fr, 1 +airsoftpark.cz, 1 +airsoftpinoso.tk, 1 +airstop.cz, 1 +airstrike.tk, 1 +airswap.io, 1 +airtable.com, 1 +airtame.cloud, 1 +airtec-france.fr, 1 +airtel.co.tz, 1 +airtel.com.ng, 1 +airterms.cf, 1 +airticketstravel.com, 1 +airtimerewards.co.uk, 0 +airtrain.gq, 1 +airtrolinc.com, 1 +airventuri.com, 1 +airvida.sg, 1 +airvpn.org, 1 +airwayz.co, 1 +airweb.top, 0 +airwolf.tk, 1 +airwolfthemes.com, 1 +airwudhu.id, 1 +airzone.tk, 1 +airzox.com, 1 +aisawa22.com, 1 +aiscale.fr, 1 +aischepervers-porn.com, 1 +aisedomains.ga, 1 +aisera.com, 1 +aish.ml, 1 +aishatibetanterriers.ca, 1 +aisi316l.net, 1 +aisp.sg, 1 +aispirit.tk, 1 +aisrvs.net, 1 +aisselkolm.com, 1 +aistdent.ru, 1 +aisthesthai.tk, 1 +aistockcharts.com, 1 +aistrope.com, 1 +aistsist.ga, 1 +aistsist.tk, 1 +ait.com.ar, 1 +aita.global, 1 +aitanaedu.org, 1 +aitidings.com, 1 +aitindo.com, 1 +aitkincountymn.gov, 1 +aitokyolab.com, 1 +aitosoftware.com, 1 +aitrading.uk, 1 +aitrust.ro, 1 +aitsl.edu.au, 1 +aiui10.cn, 1 +aiutodomestico.ch, 0 +aiva.ai, 1 +aivan.ai, 1 +aivd.lol, 1 +aivsasociacion.org, 1 +aiwadubai.com, 1 +aiwo.ai, 1 +aiwosq.cn, 1 +aiwriter.tools, 1 +aixlab.de, 1 +aixm.aero, 1 +aixploringprovence.com, 1 +aixue.net, 1 +aizhuan.com, 1 +aizxxs.com, 1 +aizxxs.net, 1 +aj-laixada.tk, 1 +ajancctv.com, 1 +ajansmanisa.com, 1 +ajansseo.com, 1 +ajarope.com, 1 +ajatelier.com, 1 +ajax-fanatics.tk, 1 +ajax-magazine.tk, 1 +ajaxboys.tk, 1 +ajaxed.net, 1 +ajaxfansforever.tk, 1 +ajaxfansite.tk, 1 +ajaxfansonly.tk, 1 +ajaxforever.tk, 1 +ajaxified.com, 1 +ajaxmasterdam.tk, 1 +ajaxmfs.com, 1 +ajaxnetwerk.tk, 1 +ajaxnow.tk, 1 +ajaxplaza.tk, 1 +ajaxposter.tk, 1 +ajaxsites.tk, 1 +ajaxtime.tk, 1 +ajaxtraining.tk, 1 +ajaxworld.tk, 1 +ajces.com, 1 +ajdiaz.me, 1 +ajedrezbolivia.tk, 1 +ajetaci.cz, 1 +ajeventhire.co.uk, 1 +ajfite.com, 0 +ajforum.tk, 1 +ajhstamps.co.uk, 1 +ajiboye.com, 1 +ajiloot.com, 1 +ajinabraham.com, 1 +ajitp.com, 1 +ajl.io, 1 +ajman-realty.ga, 1 +ajmanded.com, 1 +ajmanepay.ae, 1 +ajmanpay.gov.ae, 1 +ajmansewerage.ae, 1 +ajmara.pl, 1 +ajnah.net, 1 +ajnasz.hu, 1 +ajoke.eu, 1 +ajoliveira.com, 1 +ajoliveira.net, 1 +ajoliveira.org, 1 +ajoneuvokeskitys.fi, 1 +ajop.loan, 1 +ajramos.tk, 1 +ajsb85.com, 1 +ajscred.online, 1 +ajto.pro, 1 +ajvandeven.com, 1 +ajvco.com.hk, 1 +ajvco.net, 1 +ajvocab.com, 1 +ajwebsolutions.com, 1 +ak-design.tk, 1 +ak-online.tk, 1 +ak-varazdin.hr, 1 +ak-wohnen.de, 1 +ak.sb, 1 +ak2000.tk, 1 +ak47-miyamoto.spdns.org, 1 +ak68.tk, 1 +ak85.tk, 1 +ak96.tk, 1 +aka.ms, 1 +aka.pw, 1 +akaattorneys.co.za, 1 +akabandokonlamierda.tk, 1 +akachanikuji.com, 1 +akachanwebsite.tk, 1 +akaconvention.org, 1 +akad.com.br, 1 +akademiaantykorupcyjna.pl, 1 +akademiamarleen.pl, 1 +akademiawawer.pl, 1 +akademiawellbeing.pl, 1 +akademie-frankfurt.de, 1 +akadseguros.com.br, 0 +akaike.co.jp, 1 +akamon.ac.jp, 1 +akamu.de, 1 +akaratasker.com, 1 +akari.net, 1 +akarisoftware.com, 1 +akaritakai.net, 1 +akasa.red, 1 +akasha.world, 1 +akashdsouza.now.sh, 1 +akashi-kiharu.com, 1 +akashiya-b.com, 1 +akashstephen.com, 1 +akasi.cf, 1 +akasmedikal.com, 1 +akasmedikal.net, 1 +akatsukainuneko.co.jp, 1 +akaxaka.tk, 1 +akayu.com, 1 +akaziya.cf, 1 +akbam.co.uk, 1 +akbarsempoi.tk, 1 +akbas.tk, 1 +akblasch.com.au, 1 +akbtv.ru, 1 +akcenty.com.ua, 1 +akconciergerie.fr, 1 +akcs.one, 1 +akdenizim.tk, 1 +akdigitalegesellschaft.de, 0 +akdusekbudil.cz, 1 +akeenext.com, 1 +akeldam.tk, 1 +akelius.com, 1 +akemineko.tk, 1 +akemisp.com.br, 1 +akerberri.tk, 1 +akerboom.family, 1 +akerboom.me, 1 +akerboom.org, 1 +akeroh.com, 1 +akeroh.nl, 1 +akesinti.tk, 1 +aketzasantacoloma.tk, 1 +akfoundationindia.com, 1 +akhabar.tk, 1 +akhbaralam.cf, 1 +akhbareldesh.tk, 1 +akhbarmisr.tk, 1 +akhealthconnection.com, 0 +akhepcat.com, 1 +akhilindurti.com, 0 +akhomesforyou.com, 1 +akiadalia.com, 1 +akiakira-nsn.gov, 1 +akiba-server.info, 1 +akiba-souken.com, 1 +akiekintveld.com, 1 +akihi.ink, 1 +akihi.me, 1 +akihito.com, 1 +akijo.de, 1 +akikat.tk, 1 +akilimob.com, 0 +akilli-devre.com, 1 +akillitelefon.com, 1 +akimeder.tk, 1 +akimitsu.co.jp, 1 +aking.com.my, 1 +akinix.com, 1 +akinokae.de, 1 +akiranet.tk, 1 +akisazame.tk, 1 +akita-boutique.com, 1 +akita-stream.com, 1 +akita.cloud, 1 +akitacyber.com, 1 +akitra.net, 1 +akiym.com, 1 +akj.io, 1 +akkerwinde.tk, 1 +akko.wtf, 1 +akkordy-skachat.ga, 1 +akkoremaji.club, 1 +akkorturizm.com, 1 +akl.city, 1 +aklagare.se, 1 +akmatrix.org, 1 +akmens.id, 1 +ako-world.com, 1 +akoben.cloud, 1 +akoch.net, 1 +akoestischafbouwen.nl, 1 +akonlineworks.tk, 1 +akoofs.com, 0 +akordeoiak.tk, 1 +akostecki.de, 1 +akouryy.net, 1 +akoya.fi, 1 +akp.photos, 1 +akplates.org, 1 +akpp1.com.ua, 1 +akr.io, 1 +akr.services, 1 +akracing.se, 1 +akramvet.tk, 1 +akrasa.com.au, 1 +akrasa.pro, 1 +akrasa.xyz, 1 +akrep.com, 1 +akrilikhavuz.com, 1 +akritikos.info, 1 +akrobat.cf, 1 +akrochem.com, 1 +akronhousing.gov, 1 +akronohiorescue.gov, 1 +akropolis-ravensburg.de, 1 +akrzon.com, 1 +aksehir.bel.tr, 1 +akselinurmio.fi, 1 +aksenov.tk, 1 +aksenovalexey.tk, 1 +aksesuarai.com, 1 +akshavitrends.com, 1 +akshay.in.eu.org, 1 +akshit.me, 1 +aksnapshots.com, 1 +aksnwn.com, 1 +aksot.com, 1 +akt.health, 1 +aktaspompa.com, 1 +aktelectric.com.co, 1 +aktia.fi, 0 +aktin.cz, 1 +aktin.sk, 1 +aktion-vielfalt.ch, 1 +aktiv-naturheilmittel.at, 1 +aktiv-naturheilmittel.ch, 1 +aktiv-naturheilmittel.de, 1 +aktiv.pl, 1 +aktivace.eu, 1 +aktive-arbeitslose.at, 1 +aktivierungscenter.de, 1 +aktivitetatil.com, 1 +aktivpark-lumdatal.de, 1 +aktransmission.com, 1 +aktuel-urunler.com, 1 +aktuelfirsat.com, 1 +aktuelleprospekte.at, 1 +aktueller.com, 1 +aktuellsakerhet.se, 1 +akuislam.com, 1 +akuku-parkitka.pl, 1 +akumarjain.com, 1 +akumat.com.pl, 1 +akumat.eu, 1 +akumat.pl, 1 +akuntansilengkap.com, 1 +akupunktur-akupunktoer.dk, 1 +akupunktura.tk, 1 +akura.cf, 1 +akura.tk, 1 +akuston.eu, 1 +akustyka.tk, 1 +akutun.cl, 1 +akvakm.eu, 1 +akvaristika.cf, 1 +akvilon.tk, 1 +akvorrat.at, 1 +akyildiz.net, 1 +akzio.cl, 1 +al-abdal.tk, 1 +al-bahrain.tk, 1 +al-capone.ga, 1 +al-capone.tk, 1 +al-craft.info, 1 +al-hekka.com.ua, 1 +al-monitor.com, 1 +al-salam.tk, 1 +al-wood.it, 1 +al-yawm.ga, 1 +al2schaos.tk, 1 +al3abmizo.com, 1 +al3ilm.com, 1 +al3xpro.com, 1 +alaattinkaraca.tk, 1 +alab.space, 1 +alabalaporto.tk, 1 +alabamaable.gov, 1 +alabamaag.gov, 1 +alabamabuys.gov, 1 +alabamacoastalradiology.com, 1 +alabamadebtrelief.org, 1 +alabamafurs.com, 1 +alabamanet.tk, 1 +alabamaonlinedivorce.com, 1 +alabamasoilandwater.gov, 1 +alabn.com, 1 +alaboard.com, 1 +alabordage.fr, 1 +alabuena.com, 1 +alacatim.cf, 1 +alachuacounty.gov, 1 +alachuacountyfl.gov, 1 +alachuacountyfla.gov, 1 +alachuacountyflorida.gov, 1 +alacriti.com, 1 +alacritylaw.com, 1 +aladdin.ie, 1 +aladdinschools.appspot.com, 1 +aladintechnologies.tk, 1 +alain-webcreator.cf, 1 +alainfrancois.eu, 1 +alainfrancois.nl, 0 +alainmargot.ch, 0 +alainodea.com, 1 +alainwolf.ch, 1 +alainwolf.net, 1 +alais.com.do, 1 +alajv.com, 1 +alalivre.cf, 1 +alamad.cf, 1 +alamalsahara.co, 1 +alamanceconstruction.com, 1 +alamancecountync.gov, 1 +alamanceinsulationllc.com, 1 +alamancetv.com, 1 +alamani.tk, 1 +alambazarmath.tk, 1 +alambique.tk, 1 +alamitosbaytraders.com, 1 +alamo-analytics.com, 1 +alamoranchhandyman.com, 1 +alamotownshipmi.gov, 1 +alamowellnessalliance.com, 1 +alan-lam.co.uk, 0 +alan-turnbull.co.uk, 1 +alana.com.ua, 1 +alanberger.me.uk, 1 +alanbleiweiss.com, 1 +alanburr.us.eu.org, 1 +alancabrera.com, 1 +alancat.ml, 1 +alancolephotography.com, 1 +aland.co.uk, 1 +alandoyle.com, 1 +alanet.org, 0 +alanhua.ng, 1 +alanhuang.name, 1 +alanina.com, 1 +alaninkenya.org, 1 +alaniz-law.com, 1 +alankardresswalla.tk, 1 +alankatona.com, 1 +alankritstories.com, 1 +alanokling.nl, 1 +alanonsantabarbara.info, 1 +alanpearce.eu, 1 +alanpearce.uk, 1 +alanrogers.com, 1 +alansilson.tk, 1 +alantica.ga, 1 +alanyaescmagazin.tk, 1 +alanyatur.tk, 1 +alaoui.eu.org, 1 +alapa-tatsuno.com, 1 +alapetite.fr, 1 +alarab.chat, 1 +alarabiyanow.com, 1 +alarbnet.tk, 1 +alargarlavida.com, 1 +alarko-carrier.com.tr, 1 +alarm.net.tr, 1 +alarmat.pl, 1 +alarme-bateau-yacht.com, 1 +alarmmessageest.ga, 1 +alarmnewengland.com, 1 +alarna.de, 1 +alas-negras.tk, 1 +alasdelalma.com.co, 1 +alasdupur.tk, 1 +alaska.com.tr, 1 +alaskabuylocal.org, 1 +alaskacapitol.gov, 1 +alaskacruises.com, 1 +alaskadentalcare.com, 1 +alaskafishinglodges.net, 1 +alaskafolkarts.tk, 1 +alaskajewelry.com, 1 +alaskanmalamute.tk, 1 +alasta.info, 1 +alastairs-place.net, 1 +alatest.com, 1 +alatienne.fr, 1 +alatkesehatan.tk, 1 +alaturkaonline.com, 0 +alaunus.com, 1 +alavieestbelle.be, 1 +alazaherah.net, 1 +alb-flirt.de, 1 +alb-media.tk, 1 +albaadani.com, 1 +albadon.tk, 1 +albaform.com, 1 +albagold.tk, 1 +albagora.nl, 1 +albakham.eu.org, 1 +albakos.tk, 1 +albaladejodelcuende.tk, 1 +albalatedelarzobispo.tk, 1 +albalew.is, 1 +albalinks.tk, 1 +albamiss.com, 1 +albamusic.tk, 1 +albanacupuncture.com, 1 +albaneselorenzo.com, 0 +albaniachat.tk, 1 +albaniaonline.tk, 1 +albanien.tk, 1 +albanildedios.tk, 1 +albanskpaskhare.tk, 1 +albanyca.gov, 1 +albanycountywy.gov, 1 +albanylaser.ca, 1 +albanyoregon.gov, 1 +albarius.ga, 1 +albaronventures.com, 1 +albarugby.tk, 1 +albatrosboat.it, 1 +albatrostercume.com, 1 +albayan.ae, 1 +albemarlehistory.org, 1 +albendazole.ga, 1 +albendazole.ml, 1 +albergolafiorita.com, 1 +alberguecovadonga.es, 1 +albert-yu.com, 1 +albertathome.org, 1 +albertcuyp-markt.amsterdam, 1 +alberteinsteinbiography.tk, 1 +albertforfuture.de, 0 +albertgibb.tk, 1 +albertify.xyz, 1 +albertocarvalhosa.pt, 1 +albertofarina.tk, 1 +albertolopezaroca.tk, 1 +albertonplumber24-7.co.za, 1 +albertosobrino.tk, 1 +albertovr.com, 1 +albertovr.net, 1 +albertpedersen.com, 1 +alberts-blatt.de, 0 +albertspahiu.tk, 1 +alberttwpmi.gov, 1 +albertvillemn.gov, 1 +albeso.ml, 1 +albhof-wasserfall.de, 1 +albi-tourisme.fr, 1 +albilaga.id, 1 +albinonderdelen.nl, 1 +albinvega.tk, 1 +albion2.org, 1 +albionfaeries.org.uk, 1 +albleuchten.de, 1 +albme.gov, 1 +albourne.com, 1 +albrocar.com, 1 +albstaedter-kids-cup.de, 1 +albufeira-car-hire.com, 1 +albuic.tk, 1 +alburquerquerock.tk, 1 +albuterol.ga, 1 +albuterolonline.ga, 1 +albuterolwithoutprescription.gq, 1 +albylane.com.au, 1 +alca31.com, 0 +alcalainos.tk, 1 +alcanaan.com, 1 +alcanaplata.com, 1 +alcantara.cf, 1 +alcapalis.tk, 1 +alcapone.gq, 1 +alcar.tk, 1 +alcaralifusi.tk, 1 +alcatelonetouch.us, 1 +alcatraz-webdesign.tk, 1 +alcatrazeast.com, 1 +alcatraztourtickets.com, 1 +alchakov.tk, 1 +alchemist-heaven.tk, 1 +alchemisten.tk, 1 +alchemiya.ru, 1 +alchemy.gr, 1 +alchemy.net, 1 +alchiemy.com, 1 +alchimic.ch, 0 +alchimist-paulo-coelho.tk, 1 +alchosting.net, 0 +alcites.com, 1 +alcnutrition.com, 1 +alcobendas.tk, 1 +alcoclinica.ru, 1 +alcogolizmstop.ru, 1 +alcoholapi.com, 1 +alcoholia.tk, 1 +alcoholicbeverages.tk, 1 +alcoholismtreatment.tk, 1 +alcoleadetajo.tk, 1 +alcolecapital.com, 1 +alcor.tk, 1 +alcorncountyms.gov, 1 +alcove.cf, 1 +alcovidvaccine.gov, 1 +alctel.com.br, 0 +alcubillas.tk, 1 +aldanpa.gov, 1 +aldarcake.com, 1 +aldastv.tk, 1 +alday.de, 1 +aldeal.gq, 1 +aldealices.tk, 1 +aldebaranbm.com, 1 +aldersgatemontgomery.org, 1 +aldersgateumc.org, 1 +aldervets.co.uk, 1 +aldevadigital.com, 1 +aldien.com.br, 1 +aldino-redagno.com, 1 +aldipresscentre.co.uk, 1 +aldo-saputra.ga, 1 +aldo-shop.tk, 1 +aldolafontana.be, 1 +aldomedia.com, 1 +aldorlocal.gov, 1 +aldot.gov, 1 +aldous-huxley.com, 1 +aldridge-ringers.tk, 1 +aldridge.com, 1 +aldyputra.net, 1 +ale5000.altervista.org, 1 +alea-prevention.com, 1 +alea.xyz, 1 +aleax.me, 1 +alecel.de, 1 +alecpap.com, 1 +alecpapierniak.com, 1 +alecrimacessorios.com.br, 1 +alector.com, 1 +aledoil.gov, 1 +aledotx.gov, 1 +aleftinka.tk, 1 +alegriafm.tk, 1 +alegromania.tk, 1 +alehinta.fi, 1 +alejandrocruz.es, 1 +alejandromateoconde.tk, 1 +alejandropernett.tk, 1 +alejandrophones.com.mx, 1 +alejohnramirez.com, 1 +alek.in, 1 +alekos2go.com, 1 +aleks.com, 1 +aleksa.ga, 1 +aleksa.tk, 1 +aleksac.me, 1 +aleksandar-vukmirovic.tk, 1 +aleksanderkilinski.tk, 1 +aleksanders.tk, 1 +alekseevaleksandr.cf, 1 +alekseevski.tk, 1 +aleksejjocic.tk, 1 +alelectricista.es, 1 +alelin.ml, 1 +alemagia.pl, 1 +alemangranada.tk, 1 +alen.nl, 1 +alena.ga, 1 +alena.tk, 1 +alenafugueroa.tk, 1 +alenaserezhina.cf, 1 +alenbadel.com, 1 +alendronate.gq, 1 +alendronato.com, 1 +alentaja.com, 1 +alentaja.fi, 1 +alenvlahovljak.com, 1 +alenwich.com, 1 +aleph.land, 1 +alephindia.in, 1 +alerbon.net, 1 +aleromtrowbank.tk, 1 +alerque.com, 1 +alert-software.com, 1 +alertaenlinea.gov, 1 +alertaspopup.com, 1 +alertes.biz, 1 +alertlogic.com, 1 +alertmedia.com, 1 +alertoc.gov, 1 +alerts.sg, 1 +alertsclk.com, 1 +alertwire.com, 1 +ales.fr, 0 +alesagglo-expo.com, 1 +alesagglo.net, 1 +alescan.it, 1 +alesha.tk, 1 +alesraa-academy.com, 1 +aless.io, 1 +alessandraoliva.tk, 1 +alessandrobasi.it, 1 +alessandrolapiana.com, 1 +alessandroonline.com.br, 1 +alessandrotravel.com, 1 +alessandroz.ddns.net, 1 +aletm.it, 0 +alevel.tech, 0 +alevi-forum.tk, 1 +alevi.tk, 1 +alevro.com, 1 +alex-n.net, 1 +alex-ross.co.uk, 1 +alex-werbung.de, 1 +alex-wohl.fr, 1 +alex.net.co, 1 +alex3.tk, 1 +alex97000.de, 0 +alexaconnect.tk, 1 +alexada.ms, 1 +alexadamsddns.com, 1 +alexalist.tk, 1 +alexaminers.gov, 1 +alexander-beck.eu, 1 +alexander-net.tk, 1 +alexander-van-nieuwenhoven.tk, 1 +alexander.dk, 1 +alexanderandwilks.co.uk, 1 +alexanderb.info, 1 +alexandererber.com, 0 +alexanderg.tk, 1 +alexanderiwan.de, 1 +alexanderjshapiro.com, 1 +alexanderkarstens-fotografie.de, 1 +alexanderkhen.tk, 1 +alexanderlau.ga, 1 +alexanderneng.de, 1 +alexandernorth.ch, 1 +alexanderpiatigorsky.tk, 1 +alexanderplatz.tk, 1 +alexanderpopov.tk, 1 +alexandersavvidis.de, 1 +alexandertechniquenow.com, 1 +alexandertutoring.com, 1 +alexanderwagner.tk, 1 +alexandra-schulze.de, 1 +alexandra-siegel.com, 1 +alexandraandnicolay.com, 1 +alexandraschick.at, 1 +alexandraschmidt.coach, 1 +alexandrastrauss.fr, 1 +alexandrawett.org, 1 +alexandre-acaries.fr, 1 +alexandre-barret.fr, 1 +alexandreguarita.com.br, 1 +alexandremottier.tk, 1 +alexandrevicente.net, 1 +alexandrianh.gov, 1 +alexandrin.com, 1 +alexandrite.cf, 1 +alexandros.io, 0 +alexandryimmobilier.fr, 1 +alexaprinting.tk, 1 +alexauto.tk, 1 +alexberts.ch, 1 +alexblanck.com, 1 +alexblock.io, 1 +alexbogovich.com, 0 +alexbosch.net, 1 +alexbresnahan.com, 1 +alexcoman.com, 1 +alexcpp.tk, 1 +alexdaniel.org, 1 +alexdelpiero.ru, 1 +alexdesigner.tk, 1 +alexdowns.tk, 1 +alexdutton.co.uk, 1 +alexdutton.com, 1 +alexeimolina.com, 1 +alexeydrach.ru, 1 +alexeykamalov.tk, 1 +alexeykopytko.com, 1 +alexgaynor.net, 1 +alexgonzalez-online.tk, 1 +alexguti.com, 1 +alexhd.de, 1 +alexhodgkinson.tk, 1 +alexia.fr, 1 +alexia.lol, 1 +alexidls.com, 1 +alexio.ml, 1 +alexion.nl, 1 +alexischaussy.xyz, 1 +alexismeza.com.mx, 1 +alexismeza.dk, 1 +alexismeza.es, 1 +alexispoficial.tk, 1 +alexisquero.tk, 1 +alexisshaw.com, 1 +alexistexaspornstar.com, 1 +alexjacinto.com, 1 +alexjsully.me, 1 +alexkoala.com, 1 +alexkuleshov.com, 0 +alexlambertz.de, 1 +alexlombardo.tk, 1 +alexlouden.com, 1 +alexmainz.com, 1 +alexmathews.blog, 1 +alexmedia.tk, 1 +alexmerkel.com, 1 +alexmerkel.me, 1 +alexmerkel.xyz, 1 +alexmol.tk, 1 +alexmunroe.co.uk, 1 +alexn.org, 1 +alexnedea.ro, 1 +alexpavel.com, 1 +alexpetryk.com, 1 +alexpotter.net, 1 +alexridevski.net, 1 +alexridge.tk, 1 +alexs.de, 1 +alexsandrasverden.cf, 1 +alexsantos.tk, 1 +alexsavin.me, 1 +alexschokker.tk, 1 +alexsergeyev.com, 1 +alexserver.cloud, 1 +alexsexton.com, 0 +alexstudio.tk, 1 +alextaffe.com, 1 +alexthayne.co.uk, 1 +alextsang.net, 1 +alextweewielers.tk, 1 +alexustinoff.cf, 1 +alexvdveen.nl, 1 +alexveil.com, 1 +alexvetter.de, 0 +alexwardweb.com, 1 +alexweber.tk, 1 +alexyang.me, 1 +alexzeta.tk, 1 +aleymedya.ga, 1 +aleymedya.gq, 1 +aleymedya.ml, 1 +aleynadavetiye.com, 1 +aleynamasajsalonu.gq, 1 +alfa-auto.tk, 1 +alfa-books.ga, 1 +alfa-host.ml, 1 +alfa-music.tk, 1 +alfa-pack.com.ua, 1 +alfa-tech.su, 1 +alfaair.aero, 1 +alfabetajuega.com, 1 +alfabuster.com, 1 +alfacharlie.co, 1 +alfadecor.ml, 1 +alfadefiant.tk, 1 +alfadoc.dk, 1 +alfadoc.pl, 1 +alfadoc.se, 1 +alfafile.net, 1 +alfalasteenyia.cf, 1 +alfambra.tk, 1 +alfapack-shop.com, 1 +alfaproweb.fr, 1 +alfardanexchange.com, 1 +alfastone.com.ua, 1 +alfateks.com.ua, 1 +alfavipambulans.com, 1 +alfavit.cf, 1 +alfawedding.com, 1 +alfonso-baya.tk, 1 +alfonsostriano.it, 1 +alfordbenefits.com, 1 +alforto.nl, 0 +alfred-figge.de, 1 +alfred-g-fischer.de, 1 +alfred.co.in, 1 +alfredapp.com, 1 +alfredlin015.com, 1 +alfredo-misael.tk, 1 +alfredopotena.it, 1 +alfromuez.es, 1 +alfryadi.my.id, 1 +alftrain.com, 1 +alfu.rs, 1 +alg-fotografie.de, 1 +algarmatic-automatismos.pt, 1 +algarve-1.com, 1 +algarve-carhire.net, 1 +algarve-transfers.co.uk, 1 +algbee.com, 1 +algbra.com, 1 +alge.xyz, 1 +algebra-quiz.com, 1 +algercounty.gov, 1 +algerianportal.tk, 1 +algeriaweb.tk, 1 +algerie-music.tk, 1 +algerie360.com, 1 +alghadpowersolutions.com, 1 +alghanimcatering.com, 1 +algibranstore.id, 1 +algo-invest.in, 1 +algoarmada.com, 1 +algoentremanos.com, 1 +algoexplorer.io, 1 +algofactory.de, 1 +algolia.com, 1 +algonaiowa.gov, 1 +algopix.com, 1 +algorista.tk, 1 +algorithmen-lernen.de, 1 +algorithmic.ml, 1 +algorithms-visual.com, 1 +algorithms.guide, 1 +algoritm.gq, 1 +algoritmika.org, 1 +algoritmususpechu.cz, 1 +algorytm.tk, 1 +algotest.in, 1 +alhamedeia.tk, 1 +alhareth.net, 1 +alhomaidani.com, 1 +alhost.ml, 1 +alhothary.com, 1 +alhs-archives.com, 1 +alhuqul-kh.com, 1 +ali-shariati.tk, 1 +ali360.com, 1 +alia-helianthi.tk, 1 +aliaakademi.com.tr, 1 +aliads.com, 1 +aliakpoyraz.com, 1 +alialkurdy.tk, 1 +aliamakeup.com, 1 +aliancadesentupidora.com.br, 1 +alianet.org, 1 +aliantsoft.pl, 1 +aliasbox.org, 1 +aliasbox.ovh, 1 +aliasinfoforums.tk, 1 +aliaswp.com, 1 +alibabau.tk, 1 +alibamu.com, 1 +alibamu.org, 1 +alibangash.com, 1 +alibi-ua.com.ua, 1 +alibiloungelv.com, 0 +alibip.de, 1 +alicante-spain.tk, 1 +alice-memorial.de, 1 +alice.tw, 1 +alicebaldenegro.tk, 1 +alicecastle.com, 1 +alicedepret.com, 1 +alicehairstyling.tk, 1 +alicehartley.com, 1 +alicejewelry.bg, 1 +alicekinkycat.net, 1 +alicekinkycat.org, 1 +alicestudio.it, 1 +alicevardel.fr, 1 +alicialab.org, 1 +alicjacezary.eu, 1 +alicomalimentari.com, 1 +alidanbao.com, 1 +aliefirfany.com, 1 +alieke.design, 1 +aliel.fr, 1 +alien-life.tk, 1 +alien.net.au, 1 +alienantfarm.tk, 1 +alienclicker.ml, 1 +alienemporium.tk, 1 +alienflight.com, 1 +alieninternet.be, 1 +alieninternet.eu, 1 +alieninvasion.fun, 1 +alienmag.io, 1 +alienresidence.tk, 1 +alienslab.net, 1 +alienstat.com, 1 +alienstatsers.ga, 1 +aliexfantaisies.com, 1 +alifan.tk, 1 +alifarnam.ir, 1 +alifeadjacent.com, 1 +alifnasiya.uz, 1 +alighierirescaldina.it, 1 +alightwell.com, 1 +alignedchiro.org, 1 +alignedweb.com, 1 +alignminds.com, 1 +alignrs.com, 1 +alignthoughts.com, 1 +alihashemrasheed.com, 1 +aliibrahimov.tk, 1 +aliim.gdn, 1 +alikarslanov.tk, 1 +alikasimoglu.com, 1 +alikgriffin.com, 1 +alikorooki.ir, 1 +alikulov.me, 1 +alila.dog, 1 +alilepro.cf, 1 +alilialili.ga, 1 +alilog.com, 1 +alimahmood.com, 1 +alimanaka-rabesata.tk, 1 +alimate.com, 1 +aliment-covid19.com, 1 +alimentosmcf.com, 1 +alimentsduquebecaumenu.com, 1 +alimenty.tk, 1 +alimeta.it, 1 +alimtyaz.estate, 1 +alimwilliams.tk, 1 +alinalamour.com, 1 +alinasmusicstudio.com, 1 +alinatinen.cf, 1 +alinatinen.gq, 1 +aline-cannabis.com, 1 +alinecordeiro.adv.br, 1 +alinemello.com.br, 1 +alineonline.tk, 1 +alingroove.com, 1 +alinneata.com, 1 +alinode.com, 1 +alio.lt, 1 +aliorange.com, 1 +aliosmanyuksel.com.tr, 1 +alireza2love.tk, 1 +alirezahesari.com, 1 +alis-test.tk, 1 +alisblog.ml, 1 +alisearch.com, 1 +aliseihotelspa.com, 1 +alishanova.tk, 1 +alisoft.gq, 1 +alisondavenport.ga, 1 +alisondemarco.com, 1 +alisonlitchfield.com, 1 +alisonmatter.tk, 1 +alissa-group.com, 1 +alissanoir.net, 1 +alisstyle.tk, 1 +alistaku.tk, 1 +alisync.com, 1 +alitabergert.tk, 1 +alitajran.com, 1 +alitec.it, 1 +alitpedia.ga, 1 +alittledelightful.com, 1 +aliv.biz, 1 +alix-board.de, 1 +alix.energy, 1 +aliyasin.org, 1 +alizah.id, 1 +alizeemedia.tk, 1 +aljaspod.ch, 1 +aljaspod.com, 1 +aljaspod.hu, 1 +aljaspod.net, 1 +aljaspod.org, 1 +aljullusims.tk, 1 +aljweb.com, 1 +alkaabi.io, 1 +alkacoin.net, 1 +alkamitech.com, 1 +alkanbelgelendirme.com.tr, 1 +alkel.info, 1 +alkemy.mx, 1 +alkesznevelde.hu, 1 +alko-centr.ru, 1 +alko-stop.cf, 1 +alko-stop.ml, 1 +alkoferma.gq, 1 +alkogol.ga, 1 +alkopedia.tk, 1 +alkor.tk, 1 +all-bikes.fr, 1 +all-blogs.tk, 1 +all-bronza.ru, 1 +all-connect.net, 0 +all-credits.cf, 1 +all-ebooks.gq, 1 +all-eu-recruitment.com, 1 +all-fashion-schools.com, 1 +all-for-u.tk, 1 +all-gsm-solutions.tk, 1 +all-inhealth.com, 1 +all-music.ml, 1 +all-music.tk, 1 +all-pics.tk, 1 +all-rating.tk, 1 +all-seo.tk, 1 +all-stuff.tk, 1 +all-tec.com.mx, 1 +all-things.tk, 1 +all-top.tk, 1 +all-waystraining.com.au, 1 +all-wot.ml, 1 +all.li, 1 +all4hardware4u.de, 1 +all4phones.de, 1 +all4running.nl, 1 +all4web.tk, 1 +all878.com, 1 +alla-famiglia-p-otto.de, 1 +alla.tk, 1 +allaboutcovers.co.za, 1 +allabouteyes.com, 1 +allabouteyesvet.com, 1 +allaboutfunuk.com, 1 +allaboutgoats.com, 1 +allaboutgreg.net, 1 +allabouthome.ml, 1 +allabouthtml.com, 1 +allaboutmadonna.tk, 1 +allaboutnothing.cf, 1 +allaboutnothing.ga, 1 +allaboutnothing.gq, 1 +allaboutreligions.tk, 1 +allaboutswing.co.uk, 1 +allaboutswing.com, 1 +allabouttechh.tk, 1 +allaboutthekink.org, 1 +allaboutyouspa.co.uk, 1 +allaccessglobal.tech, 1 +allaccountingcareers.com, 1 +allactioneventhire.co.uk, 1 +allactionsecurity.com, 1 +allamakee.k12.ia.us, 1 +allamericangutterprotection.com, 1 +allamericanprotection.net, 1 +allamericatrans.com, 1 +allandrich.ml, 1 +allandrichonline.tk, 1 +allangirvan.net, 1 +allanlopez.tk, 1 +allanta.be, 1 +allapresenter.com, 1 +allarmi.roma.it, 1 +allarticles.tk, 1 +allas.se, 1 +allas.tk, 1 +allasianpics.com, 1 +allatoonadiesel.com, 1 +allattaremoda.com.br, 1 +allauthor.com, 1 +allazohealth.com, 1 +allbenjoy.de, 1 +allbestby.tk, 1 +allbetgame.cn, 1 +allbetgaming.com, 1 +allbetnet.com, 1 +allbets.tv, 1 +allboard.tk, 1 +allbookmark.cf, 1 +allbooks.cf, 1 +allbouncesurrey.co.uk, 1 +allboxes.ru, 1 +allboymodeling.com, 1 +allbrestby.tk, 1 +allbrestorg.tk, 1 +allbridges.tk, 1 +allbs.pt, 1 +allbuttpics.com, 1 +allcapa.org, 1 +allcarecorrectionalpharmacy.com, 1 +allcarepharmacy.com, 1 +allcarespecialty.pharmacy, 1 +allcelebs.tk, 1 +allchan.io, 1 +allcinema.net, 1 +allcitynews.net, 1 +allcleanservices.ca, 1 +allcloud.com, 1 +allcomic.com, 1 +allcompanycorp.com, 1 +allcooking.tk, 1 +allcourts.tk, 1 +allcoveredbyac.com, 1 +allcrimea.tk, 1 +allcumshotpics.com, 1 +alldesign.ai, 1 +alldewall.de, 1 +alldigitalsolutions.com, 1 +alldm.ru, 1 +alldogs.tk, 1 +alldrives.tk, 1 +alle-zonvakanties.nl, 1 +alle.bg, 1 +alle.com, 1 +allefrisuren.de, 1 +alleganyco.gov, 1 +allegiancemd.com, 1 +allegorymetal.tk, 1 +allegra.ga, 1 +allegra180.ga, 1 +allegra180mg.ga, 1 +allegrapark.ga, 1 +allegreto.com, 1 +allegrettoresort.com, 1 +allegrettoresortandvineyard.com, 1 +allegrettoresortandvineyardbyayres.com, 1 +allegrettovineyard.com, 1 +allegrettovineyardresort.com, 1 +allegrettovineyards.com, 1 +allegrettowine.com, 1 +allegrettowines.com, 1 +allemanniamarburg.at, 1 +allemoz.com, 1 +allemoz.fr, 1 +allenacampbell.tk, 1 +allenarchive.com, 1 +allencountyinvoters.gov, 1 +allencountykentucky.gov, 1 +allendalecounty.gov, 1 +allenivory.com, 1 +allensun.org, 1 +allentertainment.de, 0 +allentherapeuticmassage.com, 1 +allenturley.com, 1 +allenwillis.ga, 1 +allerbestefreunde.de, 1 +allergento.shop, 1 +allergento.store, 0 +allergictoidiots.tk, 1 +allergy.university, 1 +allergyweb.cf, 1 +allergyweb.ga, 1 +allerlei-havelte.nl, 1 +allerstorfer.at, 1 +allerzeiten.com, 1 +alles-kan.be, 1 +alles-nur-ge.cloud, 1 +alles.cx, 1 +allesisgezondheid.nl, 1 +allesisonline.nl, 1 +alleskan.gent, 1 +alleskomtgoed.org, 1 +allesley.com, 1 +allesmartphonehoesjes.nl, 1 +allesovercrypto.nl, 1 +allesoverdieren.tk, 1 +allesoverhondentraining.tk, 1 +allesoversport.nl, 1 +allesrocknroll.de, 1 +allesuitdekast.be, 1 +allesvoorbeton.be, 1 +allesvoorniets.tk, 1 +alletattoo.de, 1 +allette.com.au, 1 +allevamentoticinella.tk, 1 +alleyread.com, 1 +allfaithsfoodbank.org, 1 +allfansleak.net, 1 +allfashionews.tk, 1 +allfatpics.com, 1 +allfaucet.ml, 1 +allfoodrecipes.ga, 1 +allforcreate.ru, 1 +allforex.ml, 1 +allforhon.tk, 1 +allforlocal.com, 1 +allfortips.com, 1 +allfreelancers.su, 0 +allfundsconnect.com, 1 +allfur.love, 1 +allgadgetsfree.tk, 1 +allgaragedoorandgates.com, 1 +allgaragefloors.com, 1 +allgemeinarzt-wenta-bralla.de, 1 +allgemeine-zeitung.de, 1 +allglobal.net, 1 +allgooddeedshomes.com, 1 +allgrass.net, 1 +allgreek.tk, 1 +allgreenlawncare.ca, 1 +allhallows.tk, 1 +allhard.org, 1 +allhits.ml, 1 +allhonest.com, 1 +allhsa.com, 1 +alli-diet-pill.cf, 1 +alli-pills.cf, 1 +alliaancebiotech.com, 1 +alliance-immobilier-service-neuf.fr, 1 +alliance-psychiatry.com, 0 +allianceairlinesflights.com, 1 +allianceautomation.com.au, 1 +alliancebank.com, 1 +allianceblock.io, 1 +allianceborderservices.com, 1 +allianceforafreesociety.com, 1 +allianceforafreesociety.net, 1 +allianceforafreesociety.org, 1 +alliancehealthcareservices-us.com, 1 +alliances-globalsolutions.com, 0 +alliancetrading.ch, 1 +allianskyrkan.se, 1 +allianz-pro-schiene.de, 1 +allianzdirect.com, 1 +allianzdirect.de, 1 +allianzdirect.it, 1 +allianzdirect.nl, 1 +alliedartistswv.org, 1 +alliedmedia.org, 1 +allier-vichy-moulins-expert-comptable.fr, 1 +allindiacityguide.com, 1 +allindiajobs.ga, 1 +allindiatanzeem.ml, 1 +allindustriessolutions.com.au, 1 +allinform.ga, 1 +allinoutfits.com, 1 +allinpdf.com, 1 +allinsuranceinformation.com, 1 +allis.co.jp, 1 +allis.jp, 1 +allis.studio, 1 +allisonsite.tk, 1 +allitcrm.sytes.net, 1 +allius.de, 1 +alliymacorp.com, 1 +alljamin.com, 1 +alljokesaside.tk, 1 +alllaboutchickens.tk, 1 +alllatinapics.com, 1 +allline.shop, 1 +allmagic.tk, 1 +allmandlaw.com, 1 +allmaps.tk, 1 +allmaster.ga, 1 +allmba.cf, 1 +allmemy.com, 0 +allmen.tk, 1 +allmendenetz.de, 1 +allmessedup.tk, 1 +allmobilenews.tk, 1 +allmousepads.com, 1 +allmoviesonline.tk, 1 +allnaijagists.com.ng, 1 +allnations4christ.org, 1 +allnodes.com, 1 +allnovosibirsk.tk, 1 +allns.fr, 1 +allnumis.com, 1 +allo-luxembourg.tk, 1 +allofthestops.com, 1 +allohol.de, 1 +alloldpics.com, 1 +allontanamentovolatili.it, 1 +allontanamentovolatili.milano.it, 1 +alloprof.qc.ca, 1 +allopurinal.tk, 1 +allopurinol.gq, 1 +allopurinol100mg.tk, 1 +allopurinol300mg.ml, 1 +alloutauto1.com, 1 +allpantypics.com, 1 +allpaydirect.com, 1 +allpedia.tk, 1 +allpinouts.org, 1 +allpointsblog.com, 1 +allporn.pics, 1 +allporncomic.com, 1 +allpornvids.com, 1 +allpost.co, 1 +allprices.world, 1 +allprints.tk, 1 +allproformation.com, 1 +allpropertyservices.com, 1 +allproptonline.com, 1 +allpussynow.com, 1 +allrad-buck.de, 1 +allram.info, 1 +allreptiles.tk, 1 +allresorts.tk, 1 +allright.tk, 1 +allriteseptic.com, 1 +allroundtechnology.com, 1 +allroundtechnology.nl, 1 +allsafemd.com, 1 +allsaints.church, 1 +allsaintspreschoolyj.com.au, 1 +allsarms.com, 1 +allscammers.exposed, 1 +allscholarship.com.ng, 1 +allschool.com.ng, 1 +allscience.tk, 1 +allsearch.io, 1 +allseasons-cleaning.co.uk, 1 +allseasonschimney.com, 1 +allseasonswaterproofing.com, 1 +allset.ml, 1 +allshapes.co.nz, 1 +allshousedesigns.com, 0 +allsmart.gr, 1 +allsouls.co.za, 1 +allspinecare.com, 1 +allstakesupply.com.au, 1 +allstar-janitorial.com, 1 +allstarautokiaparts.com, 1 +allstarcustompools.com, 1 +allstargraphics.com.au, 1 +allstarink.com.au, 1 +allstarquilts.com, 1 +allstatedealerservices.com, 1 +allsun.online, 1 +allsurpl.us, 1 +allsurplus.com, 1 +allsync.com, 1 +allsync.nl, 1 +allthatblings.online, 1 +allthebots.com, 1 +allthefallen.moe, 1 +alltheplaces2go.com, 1 +alltherapies.tk, 1 +alltherooms.es, 1 +allthethings.co.nz, 1 +allthewaynorth.xyz, 1 +allthings.me, 0 +allthingshealthy.org, 1 +allthingsroyal.nl, 1 +allthingzit.com, 1 +alltimespost.com, 1 +alltourism.tk, 1 +alltrade.ga, 1 +alltrippers.com, 1 +alltwwk.tk, 1 +alluance.nl, 1 +allucinati.tk, 1 +alluel.com, 1 +allur-club.cf, 1 +allurebikerental.com, 1 +allurechiro.com, 1 +allureclinic.pt, 1 +alluremedicalaesthetic.com, 1 +allurescarves.com, 1 +alluringdesigns.tk, 1 +alluvion.studio, 1 +allvideofoot.tk, 1 +allvips.ru, 1 +allwaterjet.com, 1 +allways.tk, 1 +allweatherheatingandairconditioning.com, 1 +allwebkeys.gr, 1 +allwebsites.tk, 1 +allwebtuts.com, 1 +allwiki.tk, 1 +allwithinmyhands.org, 1 +allwordpress.tk, 1 +allworld.ga, 1 +allwrestling.ga, 1 +allxon.com, 1 +allyachts.cf, 1 +allyachts.gq, 1 +allyfile.com, 1 +allyoucanstyle.de, 1 +allyspot.com, 1 +allyweds.com, 1 +almaarkansas.gov, 1 +almaascosmetics.com, 1 +almaatlantica.com, 1 +almablanca.tk, 1 +almacenterwi.gov, 1 +almadaria.com, 1 +almadeviajante.com, 1 +almagalla.com, 1 +almajaniyate.ga, 1 +almamarket.com, 0 +almanea.email, 1 +almanea.family, 1 +almanea.net, 1 +almanea.org, 1 +almanilan.com, 1 +almanshood.com, 1 +almanyacv.com, 1 +almarail.tk, 1 +almargen.ga, 1 +almargen.tk, 1 +almarin.es, 1 +almasoft.ga, 1 +almastabriz.com, 1 +almasteb.com, 1 +almatinki.com, 1 +almatybusiness.gov.kz, 1 +almatytips.com, 1 +almayadeen.education, 1 +almayoreo.com.co, 1 +almaz-host.ml, 1 +almaz-host.tk, 1 +almaz-sait-rp.ml, 1 +almeera.online, 1 +almeerajtour.com, 1 +almeeraloyalty.com, 1 +almeezangroup.com, 1 +almeidaesilvaseguros.com.br, 1 +almenatownship.gov, 1 +almenrausch-pirkhof.de, 1 +almeriaplayer.tk, 1 +almette.pl, 1 +almeva.swiss, 1 +almhtnews.com, 1 +almirall.com, 1 +almiriatechstore.co.ke, 1 +almlab.tk, 1 +almlc.gov, 1 +almokhlifoud.com, 1 +almorafestival.com, 1 +almosis.tk, 1 +almost.cf, 1 +almost.fit, 1 +almost.gq, 1 +almostobjective.com, 1 +almudenallacer.com, 1 +almukhtar.se, 0 +almurtaqa.com, 1 +almusbahperfume.com, 1 +almushealth.com, 1 +almut-zielonka.de, 1 +almx.net, 1 +alnaierh.com, 1 +alng.me, 1 +alnilam.co.uk, 1 +alnitech.com, 0 +alnoorintl.com, 1 +aloalosalomao.com.br, 1 +alodavetiye.com.tr, 1 +alodokita.com, 1 +aloe-care.tk, 1 +aloe-vera-info.tk, 1 +aloemeda.de, 1 +aloesbienetre.be, 1 +aloesoluciones.com.ar, 1 +aloeveralisboa.pt, 1 +alofone.vn, 1 +alohapartyevents.co.uk, 1 +alohotel.com, 1 +alohotelorange.com, 1 +alohotels.com, 1 +alojadalu.com.br, 1 +alola.co.uk, 1 +alolabor.org, 1 +alomch.gq, 1 +alomendia.tk, 1 +alonaku.com, 1 +alonarodeh.com, 1 +aloneg.ovh, 1 +alonephoenix.tk, 1 +alonetone.com, 1 +alonsoluzgas.es, 1 +alonuocsuoi.com, 1 +aloo.ga, 1 +aloomic.com.au, 1 +aloop.cloud, 1 +alopezlawfirm.com, 1 +alorica.com, 0 +aloris-controle.fr, 1 +aloro.io, 1 +alotso.com, 1 +alottajava.com, 1 +alov.blog, 1 +aloys233.top, 1 +alp-eastlink-portal-model.azurewebsites.net, 1 +alp-samsungca-portal-model.azurewebsites.net, 1 +alp-spectrum-portal-model.azurewebsites.net, 1 +alp.od.ua, 1 +alpa.is, 1 +alpaca.haus, 1 +alpahandling.com, 1 +alpan.ml, 1 +alpan.tk, 1 +alpca.org, 1 +alpe-d-or.dyn-o-saur.com, 1 +alpencams.at, 1 +alpencams.ch, 1 +alpencams.com, 1 +alpencams.de, 1 +alpencams.fr, 1 +alpencams.it, 1 +alpencams.net, 1 +alpencams.nl, 1 +alpenguides.de, 1 +alpenhof-suedtirol.com, 1 +alpenjuice.com, 1 +alpenrose.de, 1 +alpenschmarrn.de, 1 +alpensternderl.de, 1 +alperenremziunal.me, 1 +alperozmen.kim, 1 +alpertron.com.ar, 1 +alpes-deis-tools.com, 1 +alpes-deis.fr, 1 +alpetrov.cf, 1 +alpha-ag.ru, 1 +alpha-assistant.com, 1 +alpha-associates.ch, 1 +alpha-bet.com.ua, 1 +alpha-centauri.tk, 1 +alpha-force.net, 0 +alpha-kamera.de, 1 +alpha-protein.de, 1 +alpha-shop.gr, 1 +alpha.ch, 1 +alpha91.co.za, 1 +alphaassurances.com, 1 +alphabet-z.xyz, 1 +alphabetsigns.com, 1 +alphabetworksheetsfree.com, 1 +alphabouncycastles.co.uk, 1 +alphabrasloja.com.br, 1 +alphabytes.uk, 0 +alphachannel.tk, 1 +alphachat.net, 1 +alphacity.tk, 1 +alphacodingskills.com, 1 +alphacomputersllc.com, 0 +alphaconsult.sk, 0 +alphacorp.tk, 1 +alphadance.tk, 1 +alphadefense.co.za, 1 +alphadetroit.com.au, 1 +alphadronten.tk, 1 +alphaetomega3d.fr, 1 +alphafoo.dk, 1 +alphagames.tk, 1 +alphageek.blog, 1 +alphahosting.hu, 1 +alphahunks.com, 1 +alphainflatablehire.com, 1 +alphakites.de, 1 +alphalab.tk, 1 +alphalibraries.com, 1 +alphamosa.fr, 1 +alphanodes.com, 1 +alphapengu.in, 1 +alphapoker.ru, 1 +alpharail.se, 1 +alpharettaga.gov, 1 +alpharoofga.com, 1 +alpharotary.com, 1 +alphasall.com, 0 +alphasoft-i.net, 1 +alphassl.de, 1 +alphastrip.com, 1 +alphat.net, 1 +alphatam.com, 1 +alphatrading.tk, 1 +alphatrash.de, 1 +alphatv.cf, 1 +alphatv.ga, 1 +alphavit.ru, 1 +alphaworks.it, 1 +alphaxb.com, 1 +alphazure.co.uk, 1 +alphazure.com, 1 +alphera.nl, 1 +alphie.me, 1 +alphimedia.com, 1 +alphipneux.fr, 1 +alphline.com.sg, 1 +alphotelmilano.it, 1 +alpilean.com, 1 +alpinar.tk, 1 +alpinatours.nl, 1 +alpine-holiday.de, 1 +alpine-tuning.de, 1 +alpinebank.com, 1 +alpinedentalhealth.com, 1 +alpinehighlandrealty.com, 1 +alpineplanet.com, 1 +alpinepubliclibrary.org, 1 +alpinestarmassage.com, 1 +alpinewy.gov, 1 +alpis.fr, 1 +alplogopedia.it, 1 +alpparts.com, 1 +alquiler-de-coches.tk, 1 +alquiler-de-furgonetas.tk, 1 +alquran-online.tk, 1 +alrahman.ch, 1 +alrahman.de, 1 +alre-outillage.fr, 1 +alredho.com, 1 +alrehmantech.tk, 1 +alrioart.com, 1 +alrobotics.net, 1 +alroniks.com, 0 +alsaagency.tk, 1 +alsabil.tk, 1 +alsace-informatique.shop, 1 +alsetat.com, 1 +alshabab.tk, 1 +alshamil.tk, 1 +alsharkest.net, 1 +alskar.co, 0 +alsol.fr, 1 +alsops.cf, 1 +alsteadnh.gov, 1 +alstertouch.com, 1 +alstertouch.de, 1 +alt-bookings.com, 1 +alt-pannekow.de, 1 +alt-three.com, 0 +alt-til-windows.dk, 1 +alt-wien.com, 1 +alt.org, 1 +alta-densidad.tk, 1 +alta-ict.nl, 1 +altabadia.com, 1 +altabadia.it, 1 +altabash.tk, 1 +altabg.com, 1 +altabib.me, 1 +altabooks.ga, 1 +altacomunicazione.tk, 1 +altahrim.net, 1 +altai-info.ga, 1 +altai-voyage.tk, 1 +altai-zemlya.cf, 1 +altai-zemlya.ga, 1 +altai-zemlya.ml, 1 +altai-zemlya.tk, 1 +altai22.tk, 1 +altair.com, 0 +altairfp.es, 1 +altairlyh.com, 1 +altaiscience.com, 1 +altaizemlya.cf, 1 +altaizemlya.ga, 1 +altaizemlya.ml, 1 +altaizemlya.tk, 1 +altana.com, 1 +altaplana.be, 1 +altasierra.co.uk, 1 +altavaldinon.com, 1 +altavoces.guru, 1 +altcoaching.fr, 1 +altcodes.nl, 1 +altd.cz, 1 +altdforyou.tk, 1 +alte-wassermuehle-friesoythe.de, 1 +altea.it, 1 +altec.pl, 1 +altecgmbh.de, 1 +altedirect.com, 1 +altenagala.nl, 1 +altenheim.it, 1 +alteralife.eu, 1 +alteraro.com, 1 +alteraro.org, 1 +alterbaum.net, 1 +altered.network, 1 +altered.si, 1 +alterego.tk, 1 +alterenergy.tk, 1 +alterengine.tk, 1 +altergalaxy.tk, 1 +alteria.xyz, 1 +alterian.com, 1 +alterlinks.com, 1 +alterlinks.fr, 1 +alterlinks.it, 1 +alterlinks.nl, 1 +altermidya.net, 1 +altern-in-wuerde.com, 1 +alternador.com.br, 1 +alternahaircare.com, 1 +alternatieva.tk, 1 +alternatifin.com, 1 +alternativa-kaluga.ru, 1 +alternativagospel.tk, 1 +alternative-e-energy.tk, 1 +alternative-kultur.tk, 1 +alternative-reussite.org, 1 +alternative.hosting, 1 +alternativebit.fr, 1 +alternativedev.ca, 1 +alternativeenergy.tk, 1 +alternativefacts.cf, 1 +alternativehosting.ca, 1 +alternativehosting.com, 1 +alternativeinternet.ca, 1 +alternativet.party, 1 +alternativetomeds.com, 1 +alternativewireless.com, 1 +alternativnizivot.tk, 1 +alternatiwa.tk, 1 +alternatoru.com, 1 +alternego.com, 1 +alternet.ml, 1 +alterspalter.de, 1 +altertek.org, 1 +altes-sportamt.de, 1 +altesses.eu, 1 +altestore.com, 1 +althacare.com, 1 +altharis.net, 1 +althi.nl, 1 +althistory.ga, 1 +alti-global.com, 1 +altidrabat.dk, 1 +altieresgomes.com.br, 1 +altijdleroy.nl, 1 +altijdleroy.online, 1 +altimetrique.ca, 1 +altimetry.com, 1 +altinea.fr, 1 +altinity.com, 1 +altinopoliscervejaria.com.br, 1 +altiplano.travel, 1 +altisnet.ga, 1 +altitude-dev.com, 1 +altitudeco.com.au, 1 +altitudehauling.com, 1 +altiup.ch, 0 +altiup.com, 0 +altius-europe.com, 1 +altius.com.pa, 1 +altiusconsulting.com, 1 +altiusconsulting.net, 1 +altiusondemand.com, 1 +altkia.com, 1 +altkremsmuensterer.at, 1 +altmann-systems.de, 1 +altmedicine.tk, 1 +altoa.cz, 1 +altoinsuranceagency.com, 1 +altoona-wi.gov, 1 +altopartners.com, 0 +altopia.com, 1 +altoplan.de, 1 +altos.tk, 1 +altospam.net, 1 +altovalemarmoraria.com.br, 1 +altovoltaggio.tk, 1 +altoweb.tk, 1 +altphotos.com, 1 +altralamezia.tk, 1 +altramarsala.tk, 1 +altransport.ca, 1 +altratella.tk, 1 +altravita-ivf.ru, 1 +altrei.ch, 1 +altrui.st, 1 +altsdigital.com, 0 +altsetup.com, 1 +altspacex.com, 1 +altstadt-it.de, 1 +alttrackr.com, 1 +altunbas.info, 1 +altur.tk, 1 +alturiak.net, 1 +altusbiologics.com, 1 +altusgroup.com, 0 +altview.gq, 1 +altyazur.com, 1 +alua.com, 1 +aluchta.tk, 1 +alugha.com, 1 +aluguer-rodagigante.pt, 0 +alukard.gq, 1 +alukard.ml, 1 +alukard.pro, 1 +alulasails.com, 1 +aluminaty.com, 1 +aluminium-giesserei.de, 1 +aluminumfencestlouis.com, 1 +alumni-kusa.jp, 1 +alumni-skensa.tk, 1 +alumni.education, 1 +alumnispecialers.ga, 1 +alumnivilleest.ga, 1 +alunara.eu, 1 +alunyc.gq, 1 +alupferd.de, 1 +aluroof.eu, 1 +alushta-vostorg.ml, 1 +alushta-vostorg.tk, 1 +alushta.tk, 1 +alusib.ga, 1 +alusim.ga, 1 +aluta.de, 1 +alvarez.tk, 1 +alvarezmorales.tk, 1 +alvaritoeresnuestradulcelocura.tk, 1 +alvaro-smith.link, 1 +alvarovega.tk, 1 +alvastonauto.fi, 1 +alves-avocat.com, 1 +alviano.com, 0 +alvicom.hu, 1 +alvies-laufbus.de, 1 +alvimedika.com.ua, 1 +alvinalvelino.com, 1 +alvinaonline.com, 1 +alvinhu.com, 0 +alvirzy.tk, 1 +alvn.ga, 1 +alvordtx.gov, 1 +alvosec.com, 1 +alware.ca, 1 +alwaysdata.com, 1 +alwayshowher.tk, 1 +alwayslookingyourbest.com, 1 +alwaysmine.fi, 1 +alwayswanderlust.com, 1 +alwiam.info, 1 +alwistra.eu, 1 +alwuz.com, 1 +alxclub.tk, 1 +alxn-congress-2022.com, 1 +alxpresentes.com.br, 1 +alxu.ca, 1 +aly.pet, 1 +alykkelife.com, 1 +alyoung.com, 1 +alyssamilano.tk, 1 +alyusr.com.sa, 1 +alza.at, 1 +alza.co.uk, 1 +alza.cz, 1 +alza.de, 1 +alza.sk, 1 +alzashop.com, 1 +alzheimers.gov, 0 +alziamoiltetto.it, 1 +alzlogarforensics.com, 1 +alzon.cf, 1 +alzulej.pt, 1 +am-39.com, 1 +am-dd.com, 1 +am-executive-consulting.com, 1 +am-i-on-am-i-on-drugs-dot-com.com, 1 +am-i-on-drugs.com, 1 +am-liaotian.com, 0 +am-schlossgarten.haus, 1 +am-sonnenblick.de, 1 +am-sonnengarten.de, 1 +am-yu.jp, 1 +am190.com, 1 +am22i6xaf1m2a5m9k.xyz, 1 +am3.se, 1 +am5188.com, 1 +am7000.com, 1 +am8009.com, 1 +am8028.com, 1 +am8213.com, 1 +am8811.net, 1 +am8898.net, 1 +am8900.com, 1 +ama.ne.jp, 1 +amabiligranilhas.com, 1 +amac.tv, 1 +amademy.com, 1 +amadera.com, 1 +amaderforum.tk, 1 +amadeusproject.cf, 1 +amadin.tk, 1 +amadispa.com.br, 0 +amadoraslindas.com, 1 +amadorcounty.gov, 1 +amadvice.com, 1 +amaeruinc.com, 1 +amaforro.com, 1 +amagdic.com, 1 +amagical.net, 0 +amagraduates.tk, 1 +amagroup.io, 1 +amaisd.org, 1 +amaiz.com, 0 +amalbansode.com, 1 +amalfi5stars.com, 1 +amalfipositanoboatrental.com, 1 +amalgaamvrij.tk, 1 +amalgaamziekte.tk, 1 +amalgamma.ml, 1 +amalou-photografie.de, 1 +amambebe.com, 1 +amandablain.com, 1 +amandadamsphotography.com, 1 +amandahamilton.tk, 1 +amandamachado.nl, 1 +amandasage.ca, 1 +amandaworldstudies.com, 1 +amanduscommunication.com, 1 +amanet.ro, 1 +amango.se, 1 +amani-kinderdorf.de, 1 +amanmerceria.com, 1 +amansinghbhogal.com, 0 +amanydesignstudio.com, 1 +amapspa.it, 1 +amaranth.gq, 1 +amaranth.tk, 1 +amaranthinewanderlust.com, 1 +amaranthus.com.ph, 1 +amarasbutterflies.com, 1 +amaresq.com, 1 +amarilio.com.mx, 1 +amarillosquare.com, 1 +amarinbabyandkids.com, 1 +amaris-pr.ru, 1 +amarrada.com, 1 +amarresdeamorconelbrujoguillermo.com, 1 +amarresperuanos.com, 1 +amartaramitramandal.tk, 1 +amartours.pt, 1 +amaruddinmufid.com, 1 +amaruz.tk, 1 +amarylis.com, 1 +amasea.yachts, 1 +amasing.tk, 1 +amateku.jp, 1 +amateri.com, 1 +amateur-boxing.tk, 1 +amateur.cash, 1 +amateur.cf, 1 +amateur101.tk, 1 +amateureuro.com, 1 +amateurplayerstour.com, 1 +amateurradionotes.com, 1 +amateurs.ga, 1 +amateurs.gq, 1 +amateurtuning.tk, 1 +amateurvoicetalent.com, 1 +amati.solutions, 1 +amato.tk, 1 +amatoryasamak.tk, 1 +amatutis.lt, 1 +amatya.co.uk, 1 +amauf.de, 1 +amaurijogos.tk, 1 +amavis.org, 1 +amavo.tk, 1 +amaxa.com, 1 +amaxautomotive.com.au, 1 +amazcode.ooo, 1 +amazdriver.com, 1 +amazetimberfurniture.com.au, 1 +amazhot.com, 1 +amazinations.com, 1 +amazing-cars98.tk, 1 +amazing-castles.co.uk, 1 +amazing-maids.com, 1 +amazingraymond.com, 1 +amazingraymond.com.au, 1 +amazingribs.com, 1 +amazingstore.gq, 1 +amazingtattooideas.com, 1 +amazon, 1 +amazon.ae, 1 +amazon.at, 1 +amazon.care, 1 +amazon.com.tr, 1 +amazon.eg, 1 +amazon.pl, 1 +amazon.sa, 1 +amazon.se, 1 +amazonseoservices.com, 1 +amazonteckathon.com, 1 +amazstaff.com, 1 +amaztravail.com, 1 +amazwerk.com, 1 +amb.tf, 1 +ambarbyarihant.com, 1 +ambasador-dibo.pl, 1 +ambasady.cz, 1 +ambassadordayslevis2023.com, 1 +ambassify.com, 1 +ambassify.eu, 1 +amber-teething-necklace.com, 1 +amberba.tk, 1 +ambercaravalho.com, 1 +amberesdetective.be, 1 +amberhouse.cf, 1 +amberhouse.ga, 1 +amberhouse.gq, 1 +amberoad.tk, 1 +amberonline.tk, 1 +ambersafety.info, 1 +ambersoftware.co.uk, 1 +ambertears.tk, 1 +amberwiz.com, 1 +ambiancewindowcoverings.com, 1 +ambident.cz, 1 +ambient.digital, 1 +ambient.wtf, 1 +ambiente.one, 1 +ambientskies.tk, 1 +ambigramasdecarmela.tk, 1 +ambion.am, 1 +ambisonia.com, 1 +ambitionbox.com, 1 +ambivalence.tk, 1 +amblin.com, 1 +ambor.com, 1 +ambor.org, 1 +ambouncyhire.com, 1 +ambra.net.nz, 1 +ambrosia.cafe, 1 +ambrosiamosaicos.co, 1 +ambrosio.tk, 1 +ambtpay.com, 1 +ambulanceplus.cz, 1 +ambulancieros.tk, 1 +ambulanza.it, 1 +ambulanza.milano.it, 1 +ambulanza.roma.it, 1 +ambulanzaprivata.roma.it, 1 +ambulari.cz, 1 +ambulatori.it, 1 +amburgo.com, 1 +amcanalense.tk, 1 +amcangroup.com, 1 +amcasia.com, 1 +amcchemical.com, 0 +amchainitiative.org, 1 +amcharts.com, 1 +amcs.website, 0 +amdelisi.tk, 1 +amdental.lv, 1 +amdiving.ru, 1 +amdm.ru, 1 +amdrumors.com, 1 +amdukis-bordercollies.tk, 1 +ameba-capital.com, 1 +amebavirtual.tk, 1 +amebolounge.tk, 1 +amechancez.work, 1 +amecopress.net, 1 +amedeo.pro, 1 +ameego.com, 1 +ameego.it, 1 +ameego.net, 1 +ameego.nl, 1 +ameego.org, 1 +ameeradubai.com, 1 +amees.me, 0 +ameeventos.pt, 1 +amefrec.co.jp, 1 +ameho.me, 0 +ameinteriores.pt, 1 +ameisenbaer.tk, 1 +amelanchiers.tk, 1 +amelia-wedding.pl, 1 +amelielei.net, 1 +ameliemarieintokyo.com, 1 +amello.de, 1 +amemei-lists.top, 1 +amempire.tk, 1 +amendine.fr, 1 +ameninalaceira.com.br, 1 +amenoskuarto.tk, 1 +amenta.in, 1 +ameresco.com, 1 +ameri.capital, 1 +america.gov, 1 +america250.gov, 1 +americabiznews.tk, 1 +americafamilylawcenter.org, 1 +americafc.tk, 1 +americahealthcare.tk, 1 +americamilitar.com, 1 +american-automotive.tk, 1 +american-school-search.com, 1 +americanacrylicaward.com, 1 +americanartwarehouse.com, 1 +americanbooks.cf, 1 +americanbuzz.tk, 1 +americancasinoguide.shop, 1 +americancomfortexperts.com, 1 +americandisinfectingassociation.com, 1 +americandisinfectingassociation.org, 1 +americanews.ml, 1 +americanflooring.co, 1 +americanflooringservicesinc.com, 1 +americanfootball.ml, 1 +americanfootball.tk, 1 +americanfreight.com, 1 +americangods.tk, 1 +americanimageawards.com, 1 +americaninsuranceplus.ml, 1 +americankickoff.ga, 1 +americanmessaging.net, 1 +americanmusical.com, 1 +americanpop.be, 1 +americanreservations.us, 1 +americans.cam, 1 +americanstrategic.com, 0 +americantowers.org, 0 +americanunicornparty.tk, 1 +americanwalkincoolers.com, 1 +americanwater.lk, 1 +americapitalfunding.com, 1 +americasbasementcontractor.com, 1 +americasblackprophet.com, 1 +americasdirector.com, 1 +americasgottalentauditions.com, 1 +americathebeautifulquarters.gov, 1 +americatracker.com, 1 +americavip.tk, 1 +americawiki.tk, 1 +americolorcorp.com, 1 +americorps.gov, 1 +americorpsoig.gov, 1 +ameriglasscontractors.com, 1 +amerigroup.com, 1 +amerigrouphealthyliving.com, 1 +ameriikanpoijat.org, 1 +amerikanloto.tk, 1 +amerikanpaketim.com, 1 +amerikasepetim.com, 1 +amerikeli.tk, 1 +amerimex.cc, 1 +amerimex.org, 1 +amerion.nl, 1 +ameriondental.nl, 1 +ameripacfund.com, 1 +ames-fzco.ae, 1 +amesagesse.com, 1 +amesgen.de, 1 +amessage.de, 1 +amessage.eu, 1 +amessage.info, 1 +amesvacuumrepair.com, 1 +amethystbodyart.co.za, 1 +amethystcards.co.uk, 1 +amethystdevelopment.co.uk, 1 +amethystwebsitedesign.com, 1 +ametinsurance.com, 1 +ametrin.biz, 1 +amevoice.com, 1 +amex.ua, 1 +amexemp.com, 1 +amf.to, 1 +amfelt.dk, 1 +amfiteatr.tk, 1 +amfora.gq, 1 +amforst.ddns.net, 1 +amg.work, 1 +amgreatness.com, 1 +amh-entertainments.co.uk, 1 +ami-de-bastanes.fr, 1 +ami.com, 1 +amiabot.ca, 1 +amiabot.com, 1 +amianto.milano.it, 1 +amianto.roma.it, 1 +amiatlanticare.com, 1 +amica-travel.com, 1 +amicalecanyon.ch, 0 +amicare.fr, 1 +amicipadrealdo.tk, 1 +amiciperibambini.org, 1 +amiciperlatesta.it, 1 +amicon.com, 1 +amicosauro.tk, 1 +amicus-webdesign.de, 1 +amicusjunior.ro, 1 +amie.so, 1 +amiez.com, 1 +amifoundation.net, 1 +amigatraktor.tk, 1 +amightyoakbedandbreakfast.com, 1 +amigodeltoro.tk, 1 +amigoenergy.com, 1 +amigosdelvalenciadeastorga.tk, 1 +amigosencanada.com, 1 +amigosgranada4050.tk, 1 +amigucrochet.com, 1 +amikton.ru, 1 +amilaresort.com, 1 +amilcalcados.com.br, 1 +amilesportes.com.br, 1 +amilum.org, 1 +amimi.tk, 1 +amin.one, 1 +aminafrance.com, 1 +amineamellouk.com, 1 +amineptine.com, 1 +aminfarhoodi.tk, 1 +aminformatica.ml, 1 +aminformatica.tk, 1 +aminko.ga, 1 +aminoro.de, 1 +aminos.tk, 1 +aminsabeti.com, 1 +aminullrouted.com, 1 +amion.com.ua, 1 +amionamiondrugsdotcom.com, 1 +amiondrugs.com, 1 +amionvpn.com, 1 +amir-nadlan.co.il, 1 +amir-tataloo.tk, 1 +amirarsalan.tk, 1 +amirasyraf.com, 0 +amirautos.com, 0 +amirhanova-a.ru, 1 +amirkaraj.tk, 1 +amirmahdy.com, 1 +amis-du-cinema.com, 1 +amis-sh.fr, 1 +amiserver.de, 1 +amisharingstuff.com, 1 +amishra.tk, 1 +amisoft.co.jp, 1 +amisoft.tk, 1 +amissing.link, 1 +amisun.com, 1 +amithvijayan.in, 1 +amitopia.tk, 1 +amitpatra.com, 0 +amitriptyline-hydrochloride.ga, 1 +amitriptyline25mg.cf, 1 +amitriptylineonline.tk, 1 +amitt.ga, 1 +amityvillepdny.gov, 1 +amitywebsitedesign.com, 1 +amiv.ch, 1 +amj-smart-energy.com, 1 +amjaadabdullah.com, 1 +amjesusdespojado.tk, 1 +amjinc.ca, 1 +amlakzibakenar.com, 1 +amlameiras.pt, 0 +amleather.pl, 1 +amliorefemme.tk, 1 +amliyatdua.com, 0 +amlops.com.au, 1 +amm6e.com, 1 +ammanagingdirectors.com, 1 +ammex.com, 1 +amministratore.biz, 1 +amministratore.roma.it, 1 +amministratorecondominiale.it, 1 +amministratorecondominio.roma.it, 1 +amministratoredicondominio.roma.it, 1 +amministratoristabilitorino.tk, 1 +amministrazioni.roma.it, 1 +ammoland.com, 0 +ammsystems.pl, 1 +amnathrig.com, 1 +amnepal.ml, 1 +amnesia-zone.tk, 1 +amnesty.cf, 1 +amnesty.org.au, 1 +amnesy.fr, 1 +amnion.tk, 1 +amniotic.tk, 1 +amniowell.com, 1 +amnistiya.tk, 1 +amoatuaexistencia.com.br, 1 +amobileway.co.uk, 1 +amoc.org, 1 +amodeocarlo.com, 1 +amoderm.com, 1 +amogus.cloud, 1 +amokinio.com, 1 +amolaccum.tk, 1 +amolador.com.br, 1 +amolare.com.br, 1 +amoliogames.com, 1 +amollare.com.br, 1 +amon.tech, 1 +amondial.com, 1 +among-us.me, 1 +amongtheflora.com, 1 +amongus-guru.ru, 1 +amongusmerch.co, 1 +amoozesh98.ir, 1 +amoralizm.tk, 1 +amoraquatropatas.org, 1 +amordoce.com, 1 +amorekids.es, 1 +amorfestival.com, 1 +amorgos-aegialis.com, 1 +amorgosrentandgo.gr, 1 +amorim.ca, 1 +amoroso-vivace.ch, 1 +amorph.aero, 1 +amorphis.tk, 1 +amorphsys.com, 1 +amorszexshop.hu, 1 +amortyzator.tk, 1 +amorxyoga.com, 1 +amorymerced.tk, 1 +amoryurgentcare.com, 1 +amos.ovh, 1 +amosca.tk, 1 +amotarget.com, 1 +amoursucre.com, 1 +amoxicillin-500mg.ga, 1 +amoxicillin.cf, 1 +amoxicillin.ga, 1 +amoxicillincapsules.tk, 1 +amoxicillinonline.tk, 1 +amoxil.cf, 1 +amoxil.ga, 1 +amoxil875.ga, 1 +amoxilonline.gq, 1 +amp-logistics.com, 1 +amp-wp.org, 1 +amp.chat, 1 +ampact.co, 1 +amped4ski.co.nz, 0 +ampedairsoft.com, 1 +amper.kharkov.ua, 1 +ampersandnbspsemicolon.com, 1 +ampersandsmallbusiness.com, 1 +ampetronic.com, 1 +ampflower.gay, 1 +amphetamines.org, 1 +amphibo.ly, 1 +amphora.jp, 1 +amphora.tk, 1 +amphost.tk, 1 +ampicillin.ga, 1 +ampicillin.ml, 1 +ampicillin24.com, 1 +ampicilliniv.tk, 1 +ampicillinonline.gq, 1 +amplead.com, 1 +ampledesigners.com, 1 +ampleinfographics.com, 1 +ampleitsolutions.com.au, 1 +ampleroads.com, 1 +amplifi.io, 1 +amplifiedit.com, 1 +amplifier-technics.tk, 1 +amplifire.com, 1 +ampparit.com, 1 +ampproject.com, 1 +ampproject.org, 1 +ampselectricsolar.com, 1 +ampullen.tk, 1 +amputated.tk, 1 +amputatedgenitals.tk, 1 +amr.de, 1 +amrealtypr.com, 1 +amref.org, 1 +amrita.club, 1 +amritps.com, 1 +amroelkhatib.fi, 1 +amroz.xyz, 1 +amrun-verlag.de, 1 +amruta.org, 1 +ams-web-qa.azurewebsites.net, 1 +ams.co.rs, 1 +amsconnectapp.com, 1 +amscrosscomp.nl, 1 +amsel305nc.ddnss.de, 1 +amsmart.hu, 1 +amst.io, 1 +amstat.org, 0 +amstelradio.tk, 1 +amstelveentje.nl, 1 +amsterdam.nl, 1 +amsterdam4u.tk, 1 +amsterdam5.nl, 1 +amsterdamian.com, 1 +amsterdamtype.nl, 1 +amsterdamtypography.nl, 1 +amstudiorecording.com, 1 +amsuisse.com, 0 +amt-taxfrance.com, 1 +amtheone.com, 1 +amtrakoig.gov, 1 +amule.cf, 1 +amumtomum.com, 1 +amunanalytics.eu, 1 +amundi-ca-assurances.com, 1 +amundi-ee.com, 1 +amundi-tc.com, 1 +amundsensports.com, 1 +amunoz.org, 1 +amuq.net, 1 +amur-photo.ml, 1 +amur.tk, 1 +amusa.cl, 1 +amuzante.com, 1 +amva.it, 1 +amvip9.com, 1 +amvisor.com, 1 +amvisualgraphics.com, 1 +amwake.com, 1 +amwine.ru, 1 +amxm.aero, 1 +amxpj888.com, 0 +amy-nichols.ga, 1 +amyapets.tk, 1 +amyfoundhermann.com, 1 +amymabel.com, 1 +amyred.net, 1 +amyria.jp, 1 +amyrussellhair.com, 1 +amytuarez.ga, 1 +amytuarez.gq, 1 +amytuarez.ml, 1 +amywinehouseaddicted.tk, 1 +amyyeung.com, 1 +amz-tas.ba, 1 +amzik.tk, 1 +amzinfotech.com, 0 +amzn.com, 1 +amzn.rocks, 1 +amznworks.com, 1 +an-alles-gedacht.de, 1 +an0ns.ru, 0 +an0ns.tk, 1 +an7hrax.se, 1 +anaal-nathrakh.tk, 1 +anaaldea.tk, 1 +anaalmeisjes.tk, 1 +anaalnathrakh.tk, 1 +anaalontmaagd.tk, 1 +anaar.ml, 1 +anabarata.tk, 1 +anabecoaj.org, 1 +anabijou.com.br, 1 +anabolic-stresser.ga, 1 +anabolic.co, 1 +anabolickdieta.ga, 1 +anabolics.tk, 1 +anabolika.ga, 1 +anabolika.gq, 1 +anabolika.ml, 1 +anachristinarodriguez.com, 1 +anachronaeon.tk, 1 +anachronis.gq, 1 +anacom.pt, 1 +anacondasc.co.uk, 1 +anacondaswimmingclub.org.uk, 1 +anacron.pl, 1 +anacruz.es, 1 +anadiuvo.fi, 1 +anadlelkheir.com, 1 +anaelog.com.au, 1 +anaethelion.fr, 1 +anafranil.cf, 1 +anafranil.ga, 1 +anagir.tk, 1 +anagramma.tk, 1 +anahitascribe.tk, 1 +anahtarfikir.com, 0 +anahwaftah.ga, 1 +anaiscoachpersonal.es, 1 +anaisfae.art, 1 +anak-pontianak.tk, 1 +anakart.tk, 1 +anakin.ca, 1 +anakliarmalam.ml, 1 +analbabsi.com, 1 +analebear.com, 1 +analfistula.com.sg, 1 +analgesia.ga, 1 +analgesia.net, 1 +analinsting.tk, 1 +analisi-grammaticale.biz, 1 +analisi-logica.it, 1 +analisi-periodo.it, 1 +analisi.roma.it, 1 +analitik.ml, 1 +analizator.tk, 1 +analizufa.ru, 1 +analogfreeers.ga, 1 +analogical.ga, 1 +analogist.net, 1 +analogman.com, 1 +analpantyhose.org, 1 +analpics.com, 1 +analyser-mon-site.fr, 1 +analystexamers.ga, 1 +analysts.com, 1 +analytics-media.com, 1 +analyticscanvas.com, 1 +analyticsinmotion.com, 1 +analyticsinsight.net, 1 +analyticum.at, 1 +analyticum.com, 1 +analyticum.de, 1 +analyticum.eu, 1 +analyticum.net, 1 +analytik.news, 1 +analyzemyfriends.com, 1 +analyzepoker.com, 1 +anamelikian.com, 1 +anamterminal.tk, 1 +ananas.gq, 1 +ananasposter.ru, 1 +anangeix.tk, 1 +anankecosmetics.com, 1 +anantshri.info, 1 +ananyagupta.tk, 1 +anaprieto.com, 1 +anapsi.tk, 1 +anar.biz, 1 +anarajaoui.ma, 1 +anarcasmetalicos.tk, 1 +anarchapulco.com, 1 +anarchie-in-lippe.tk, 1 +anarchie.tk, 1 +anarchista.top, 1 +anarchistfederation.net, 1 +anarchistischefoderation.de, 1 +anarchistos.tk, 1 +anarchotv.tk, 1 +anarchy.eu.org, 1 +anarchyhax.ml, 1 +anarchyrp.life, 1 +anarchyweb.tk, 1 +anarhia.tk, 1 +anarhija.tk, 1 +anarhist.net, 1 +anarhist.org, 1 +anaricompras.com, 1 +anarka.org, 1 +anarkhe.net, 1 +anarky.tk, 1 +anarshist.tk, 1 +anarticle.gq, 1 +anasaci.com, 1 +anasahr.be, 1 +anassiriphotography.com, 0 +anastasiaweb.tk, 1 +anastasis.studio, 1 +anastasiyasivayeva.ru, 1 +anastore.com, 1 +anatoliarles.com, 1 +anatoly.tk, 1 +anatomized.tk, 1 +anatoray.com, 1 +anatorywap.gq, 1 +anaxios.ga, 1 +anaxvip-sp.gr, 1 +anayahuasca.com.br, 1 +anayarealm.com, 1 +anbaicreative.com, 1 +anbank.pl, 1 +anbigift.nl, 1 +anblife.com, 1 +anborn.tk, 1 +ancade.es, 1 +ancaebacia.pt, 1 +ancarda.net, 1 +ancardukids.tk, 1 +anccg.ca, 1 +ance.lv, 0 +ancentury.com, 1 +ancestral.beer, 1 +ancestramil.fr, 1 +ancestry.ca, 1 +ancestry.co.uk, 1 +ancestry.com, 1 +ancestry.com.au, 1 +ancestry.de, 1 +ancestry.fr, 1 +ancestry.mx, 1 +ancestry.se, 1 +ancestrycdn.com, 1 +ancestryinstitution.com, 1 +anchev.net, 1 +anchorbvfs.com, 1 +anchorit.gov, 1 +anchoritsg.com, 1 +anchovy.nz, 0 +anchr.io, 1 +anciennes-automobiles.fr, 1 +anciens.org, 1 +ancient-gates.de, 1 +ancientnorth.com, 1 +ancientnorth.nl, 1 +anclarma.fr, 1 +ancolies-andre.com, 0 +anconatoday.it, 1 +ancroma.ro, 1 +ancuong.com, 1 +and-stuff.nl, 1 +and-tax.jp, 1 +andain.com, 1 +andalosse.tk, 1 +andalucia.com, 1 +andaluciaboard.tk, 1 +andalusiaal.gov, 1 +andamancapitalpartners.com, 1 +andantepiano.studio, 1 +andefang.com, 1 +andel.info, 0 +anderbelt.com.br, 1 +anders.hamburg, 1 +anderskp.dk, 0 +andersoncountytn.gov, 1 +andersonenergy.com.au, 1 +andersonlegal.co, 1 +andersonmanufacturing.com, 1 +andersonpowerservices.com, 1 +andersonshatch.com, 1 +andersontownshipoh.gov, 1 +andersraagaard.dk, 1 +anderstoneel.tk, 1 +anderstornkvist.se, 1 +andesnevadotours.com, 1 +andesoftconsulting.com, 1 +andeticaret.com, 1 +andfaraway.tk, 1 +andfrankly.com, 1 +andhrawishesh.com, 1 +andibo.net, 1 +andinapets.pe, 1 +andiplusben.com, 1 +andisadhdspot.com, 1 +andiscyber.space, 1 +andnet.tk, 1 +andoaingo-gaztetxea.tk, 1 +andobil.com, 1 +andoms.fi, 1 +andonivr.com, 1 +andonix.com, 1 +andorraimperial.tk, 1 +andorrainsiders.com, 1 +andos.tk, 1 +andouillette-thierry.fr, 1 +andoyasuyuki.com, 1 +andr-mobile.tk, 1 +andradealbuquerque.pt, 1 +andragon.tk, 1 +andrasnagy.com, 1 +andrasnagy.eu, 1 +andrasnagy.net, 1 +andrazaharia.com, 1 +andre-ballensiefen.de, 1 +andre-baum.com, 1 +andre-otto.com, 1 +andre-schlichting.de, 1 +andrea-kiaora.de, 1 +andrea-m.me, 1 +andrea-wirthensohn.at, 0 +andreaalloway.com, 1 +andreaassenti.it, 1 +andreaboero.it, 0 +andreacarreno.com, 1 +andreadraghetti.it, 1 +andreae.nl, 1 +andreafranceschini.org, 1 +andreafruggi.it, 1 +andreagiusti.tk, 1 +andreagobetti.com, 1 +andreagourmet.it, 1 +andrealand.sk, 1 +andreamcnett.com, 1 +andreapalermo.tk, 1 +andreapavone.com, 1 +andreas-hildebrandt.com, 1 +andreas-kluge.eu, 1 +andreas-kurtz.de, 1 +andreaseracleous.com, 0 +andreasfeusi.ch, 1 +andreashartmann.net, 1 +andreashellkvist.tk, 1 +andreasjanker.de, 1 +andreaskluge.eu, 1 +andreaskrasa.com, 1 +andreaslicht.nl, 1 +andreasolsson.se, 1 +andreasr.com, 1 +andreaswirth.com, 1 +andreasxp.me, 1 +andreatedeschi.it, 1 +andrecanuto.com.br, 1 +andrecarvalho.net.br, 1 +andredaus.com, 1 +andree.cloud, 1 +andreeapasat.ro, 1 +andreferreira.website, 1 +andrehartensveld.tk, 1 +andrehazeswinactie.nl, 1 +andreichira.ro, 1 +andreihodorog.com, 1 +andreina-atencio.com, 1 +andrejbenz.com, 1 +andrejstefanovski.com, 1 +andremaciel.pt, 1 +andrematosband.tk, 1 +andreoliveira.io, 1 +andreotti-furniture.com, 1 +andrepicard.de, 1 +andresbandb.tk, 1 +andrescuartas.tk, 1 +andresgarciapersonal.com, 1 +andresgarciapersonal.es, 1 +andresgarzon.net, 1 +andresguiarealtor.com, 1 +andrespaz.com, 1 +andrespr.es, 1 +andresrios.nl, 1 +andressaflores.com.br, 1 +andresvillanueva.mx, 1 +andreundnina.de, 1 +andrew-lazarev.com, 1 +andrew.fi, 1 +andrewbennett.ltd, 1 +andrewcountymo.gov, 1 +andrewdaws.co, 1 +andrewdaws.info, 1 +andrewdaws.io, 1 +andrewdaws.me, 1 +andrewdaws.tv, 1 +andrewensley.com, 1 +andrewfergusonbooks.com, 1 +andrewglucas.com, 1 +andrewglucas.net, 1 +andrewhowden.com, 0 +andrewimeson.com, 1 +andrewin.ru, 1 +andrewjphotography.com, 1 +andrewmcfarlane.tk, 1 +andrewmichaelsmith.com, 1 +andrewmichaud.me, 1 +andrewnet.net, 1 +andrewpeng.net, 1 +andrewpucci.com, 0 +andrewrdaws.com, 1 +andrewreaganm.com, 1 +andrewrgoss.com, 1 +andrewryno.com, 1 +andrews-waste.co.uk, 0 +andrewsandford.com, 1 +andrewsfasteners.uk, 1 +andrewsfss.marketing, 1 +andrewsnc.gov, 1 +andrewsoutar.com, 1 +andrewsun.com, 1 +andrewtasso.com, 1 +andrewtaylor.eu, 1 +andrewtran.xyz, 1 +andrewwiggins.ca, 1 +andrey.red, 1 +andrey1p.ru, 1 +andreyborisov.cf, 1 +andreyjuravlev.ga, 1 +andreypopp.com, 1 +andreysmirnov.tk, 1 +andrian.ga, 1 +andrian.io, 1 +andrian.tk, 1 +andriano.net, 1 +andrianova.ml, 1 +andriekus.tk, 1 +andrienko.tk, 1 +andrija-i-andjelka.com, 1 +andro4all.com, 1 +androgain.in, 1 +android, 1 +android-10-inch-tablets.tk, 1 +android-center.tk, 1 +android-club.cf, 1 +android-gamers.tk, 1 +android-hit.ml, 1 +android-it.cf, 1 +android-soft.gq, 1 +android-tv.3utilities.com, 1 +android-tv.ml, 1 +android.com.pl, 1 +android.re, 1 +android1.co.id, 1 +androidcrunch.com, 1 +androide.com, 1 +androidfactory.io, 1 +androidfinal.com, 1 +androidgadgematic.com, 1 +androidgaming.tk, 1 +androidhack.tk, 1 +androidhry.cz, 1 +androidinfotech.com, 1 +androidioswindows18378.ml, 1 +androidkatalog.cz, 1 +androidlab.tk, 1 +androidmafia.ru, 1 +androidmarket.gq, 1 +androidmarketturkiye.tk, 1 +androidmax.tk, 1 +androidnovinky.cz, 1 +androidphones.ga, 1 +androidplanet.nl, 1 +androidplay.tk, 1 +androidru.ml, 1 +androidservicetool.com, 1 +androidtamer.com, 1 +androidtcpdump.com, 1 +androidtelefony.cz, 1 +androidtools.gq, 1 +androidtorrent.info, 1 +androidtotal.ml, 1 +androidwale.ga, 1 +androidwedakarayo.com, 1 +androidweekly.net, 1 +androidzone.me, 1 +androlab.tk, 1 +andromeda.se, 1 +andropia-online.fr, 1 +androscoggincountyema.gov, 1 +androtics.com, 1 +androtix.com, 1 +andrush.eu, 1 +andschwa.com, 1 +andsecure.ch, 0 +andsoul.nl, 1 +andthisismyodyssey.tk, 1 +anduril.de, 1 +anduril.eu, 1 +andy-hagans.tk, 1 +andyante.cz, 1 +andyattorney.com, 1 +andybrett.com, 1 +andycatteceur.tk, 1 +andyclark.io, 0 +andyconcreting.com.au, 1 +andycraftz.eu, 1 +andycrockett.io, 1 +andykenward.com, 1 +andymoore.info, 0 +andyscubepage.tk, 1 +andyseducation.com, 1 +andysmith.tk, 1 +andyson.at, 1 +andysroom.dynu.net, 1 +andysroom.net, 1 +andyt.eu, 1 +andythomasonline.tk, 1 +andythomsonbooks.ca, 1 +andytownsendphotography.com, 1 +andytsoi.nyc, 1 +andyvandermeyde.tk, 1 +andywalkeronline.tk, 1 +andywilliamsonline.tk, 1 +andzia.art.pl, 1 +aneclab.cz, 1 +anecuni-club.com, 1 +anecuni-rec.com, 1 +anedot-sandbox.com, 1 +anedot.com, 1 +anedot.space, 1 +anedot.xyz, 1 +aneducationuto.tk, 1 +anefi.com.ec, 0 +anegabawa.com, 0 +anehost.com, 1 +anehtaconseil.com, 1 +aneirin.net, 1 +anekdot-pr.tk, 1 +anekdotik.tk, 1 +anekdotiki.tk, 1 +anelik.tk, 1 +anelki.net, 1 +aneslix.com, 0 +anesmebeli.com, 1 +anessex.wedding, 1 +anesterov.xyz, 1 +anetaben.nl, 1 +anetofwellness.com, 1 +anetteolzon.tk, 1 +anewperspectiveconstruction.com, 1 +anex.us, 1 +anexperimentedblog.tk, 1 +anextraordinaryday.net, 1 +anfadern.com, 1 +anfalas.ddnss.de, 1 +anfarabic.com, 1 +anfei.com, 1 +anfieldbc.co.uk, 1 +anfloors.ru, 0 +anfr.fr, 1 +angablade.com, 1 +angazajamii.com, 1 +ange-de-bonheur444.com, 1 +angeben.com, 1 +angel-body.com, 1 +angel-jrk.com, 1 +angel-wing.jp, 1 +angel163.ru, 0 +angela.baby, 1 +angeladietrich.com, 1 +angelaheck.com, 1 +angelalombardo.it, 1 +angelarellano.tk, 1 +angelbulldog.tk, 1 +angelcastellanos.tk, 1 +angelcorpus.tk, 1 +angelcreations.tk, 1 +angeldjmix.tk, 1 +angelefloramendy.org, 1 +angelesdelabismo.com, 1 +angelesydemonios.es, 1 +angelfood.org, 1 +angelhaken.com, 1 +angelhammer.tk, 1 +angelic.icu, 1 +angelic47.com, 1 +angelicapanganibansite.tk, 1 +angelicare.co.uk, 1 +angelicsphynx.tk, 1 +angelikaclothing.com, 1 +angelinadevil.tk, 1 +angelinafilipski.tk, 1 +angelineroguel.com, 1 +angeliquewoudenberg.tk, 1 +angeljmadrid.com, 1 +angelkeepers.net, 1 +angelnumber.faith, 1 +angelnumber.one, 1 +angelo4ek.tk, 1 +angeloangioi.tk, 1 +angelok.ru, 1 +angeloroelen.tk, 1 +angelpowwow.com, 1 +angelremigene.com, 0 +angelsanctum.tk, 1 +angelsandairwaves.tk, 1 +angelsandfriends.com, 1 +angelschlesser.tk, 1 +angelsdecay.tk, 1 +angelsgirl.eu.org, 1 +angelsmile.tk, 1 +angelsmithphotography.com, 1 +angelspabeauty.co.uk, 1 +angelswar.ga, 1 +angeltorri.tk, 1 +angelvisionary.com, 1 +angem.gq, 1 +angem.tk, 1 +angepsychedelices.tk, 1 +angeredmoon.tk, 1 +angermanalvorna.tk, 1 +angesehen.com, 1 +angestoepselt.de, 1 +angie-webdesign.ch, 0 +angiejones.com, 1 +angielynx.net, 1 +angiesite.tk, 1 +angiewickes.com, 1 +anginf.de, 1 +angiolinikids.it, 1 +angione.ca, 1 +angione.se, 1 +angisonline.cz, 1 +angkapaito.net, 1 +angkasa.net.id, 1 +anglais-angouleme.com, 1 +anglarsports.com, 1 +angleline.cn, 1 +anglersconservation.net, 1 +anglertanke.de, 1 +anglesya.win, 1 +anglictina-sojcak.cz, 1 +anglictinasojcak.cz, 1 +anglingactive.co.uk, 0 +anglingnewfoundlandlabrador.com, 1 +anglirl.eu.org, 1 +anglogoldashanti.com, 1 +anglopoltransport.pl, 1 +angolo.com, 1 +angolo.ga, 1 +angop.ao, 1 +angora.id, 1 +angorarabbitsaspets.com, 1 +angristan.fr, 1 +angristan.xyz, 1 +angry-monk.com, 1 +angry.im, 1 +angryaf.com, 1 +angrybear.tk, 1 +angrybug.com, 1 +angrydragonproductions.com, 1 +angrymoulinex.tk, 1 +angrysnarl.com, 1 +angryteeth.net, 0 +angstakademie.com, 1 +angstrommold.com, 1 +angular-js.ga, 1 +anguloconsulting.com, 1 +angusandperthpgl.tk, 1 +angusbarn.com, 1 +anh-dv.com, 1 +anhaffen.lu, 0 +anhangabau.com, 1 +anhdvboot.com, 1 +anhdvshop.com, 1 +anhembi.br, 1 +anhqv.es, 1 +ani-man.de, 1 +aniababan.com, 1 +aniabuduje.pl, 1 +aniaimichal.eu, 1 +anian.ch, 0 +aniblizzard.tk, 1 +anichief.com, 1 +anicloud.com.br, 1 +anievo.id, 1 +aniforprez.net, 1 +anightmareonelmstreet.tk, 1 +anihilated.tk, 1 +anihonetwallpaper.com, 1 +anikabyaabi.com, 1 +anikaras.ga, 1 +anikschwall.com, 1 +anilom.tk, 1 +anim.ee, 1 +anima.digital, 1 +anima.nz, 1 +animaalternative.it, 1 +animacionclub.tk, 1 +animadoc.cl, 1 +animaeducacao.com.br, 1 +animaemundi.be, 0 +animal-clothing.com, 1 +animal-liberation.com, 1 +animal-paris.fr, 1 +animal-rights.com, 1 +animal-world.cf, 1 +animal-world.tk, 1 +animalarkvets.co.uk, 1 +animalcenterunomas.tk, 1 +animalcrossingwiki.de, 1 +animalkingdom.cl, 1 +animalliberation.tk, 1 +animallog.tk, 1 +animalnutritionwizard.org, 1 +animalpetblog.ml, 1 +animalpetgroup.ml, 1 +animalpix.ch, 0 +animalplace.tk, 1 +animalratingsers.ga, 1 +animalratingsest.ga, 1 +animals-world.tk, 1 +animalshelter.tk, 1 +animalsphoto.tk, 1 +animalstropic.com, 1 +animaltesting.fr, 1 +animalworld.gq, 1 +animalz.ga, 1 +animalz.ml, 1 +animalz.tk, 1 +animamega.tk, 1 +animan.ca, 1 +animanganetwork.tk, 1 +animaproduksiyon.com.tr, 1 +animari.at, 1 +animari.ch, 1 +animari.de, 1 +animari.eu, 1 +animasencia.tk, 1 +animashka.tk, 1 +animataz.ga, 1 +animate.de, 1 +animatedtimes.com, 1 +animazul.tk, 1 +anime-and-manga-news.tk, 1 +anime-best.tk, 1 +anime-cafe.tk, 1 +anime-dragoon.tk, 1 +anime-drift.tk, 1 +anime-list.ga, 1 +anime-news.tk, 1 +anime-rg.com, 1 +anime-tip.com, 1 +anime-tv.tk, 1 +anime.my, 0 +anime1.me, 1 +anime1.moe, 1 +anime1.pw, 1 +anime74.ru, 1 +animeai.com, 1 +animebits.moe, 1 +animecasepremium.id, 1 +animecreed.ga, 1 +animeday.ml, 1 +animeday.tk, 1 +animedescarga.ml, 1 +animedesuga.com, 1 +animedon.tk, 1 +animeelite.tk, 1 +animefire.net, 0 +animefluxxx.com, 1 +animefun.cf, 1 +animegroup.tk, 1 +animeheaven.ml, 1 +animehomeworld.tk, 1 +animeinsights.net, 1 +animekun.tk, 1 +animelandia.tk, 1 +animelatino.tk, 1 +animelesson.ga, 1 +animelily.com, 1 +animelime.ru, 1 +animelolipop.com, 1 +animemotivation.com, 1 +animeonsen.xyz, 1 +animeplus1.tk, 1 +animepower.gq, 1 +animepower.tk, 1 +animequest.tk, 1 +animeronews.tk, 1 +animeru.org, 1 +animes-portal.info, 1 +animesbrasil.tk, 1 +animesconsteemplee.tk, 1 +animesekken.tk, 1 +animesharp.com, 1 +animeshka.tk, 1 +animeslayer.ga, 1 +animeslayer.ml, 1 +animesoftcream.com, 1 +animestash.tk, 1 +animestreamingfr.fr, 1 +animesun.tk, 1 +animetosho.org, 1 +animetriad.com, 1 +animeuknews.net, 1 +animewallpapers.tk, 1 +animixplays.net, 1 +animmouse.com, 1 +animofluteandpiano.co.uk, 1 +animonda.de, 1 +animotica.com, 1 +animoxavilorza.tk, 1 +aninews.tk, 1 +anip.icu, 1 +anipassion.com, 0 +aniplus.cf, 1 +aniplus.gq, 1 +anishnayak.com, 1 +anisiaclinic.ro, 1 +anisimov.ml, 1 +anisotomatikkapi.com, 1 +anitaalbersen.nl, 1 +anitahebe.com, 1 +anitalk.dk, 1 +anitaxcph.dk, 1 +anitklib.ml, 1 +anitop.ga, 1 +anitop.tk, 1 +anitube-nocookie.ch, 1 +aniviasport.store, 1 +anivision.tk, 1 +aniwatch.me, 1 +aniwhen.com, 1 +aniya.moe, 1 +anja-vastgoed.nl, 1 +anjadethurah.dk, 1 +anjaliandthekid.com, 1 +anjanbiswas.in, 1 +anjara.eu, 1 +anjiurine.top, 1 +anjocerdena.com, 1 +anjoola.com, 1 +anjtransportsolutions.com.au, 1 +ankalash.com, 1 +ankam.com, 1 +ankane.org, 1 +ankanetworks.net, 1 +ankaraarabakiralama.com.tr, 1 +ankaraarabakiralama.name.tr, 1 +ankaraarackiralama.name.tr, 1 +ankarabolcahindi.com.tr, 1 +ankaraciftkabin.com, 1 +ankaracikma.com.tr, 1 +ankaracikmaparca.com.tr, 1 +ankaradaozelders.tk, 1 +ankaraevdenevenakliyat.name.tr, 1 +ankarafiziktedavimerkezi.com.tr, 1 +ankarahavaalaniarackiralama.com.tr, 1 +ankarahavalimaniarackiralama.com.tr, 1 +ankarajeneratorkiralama.com.tr, 1 +ankarakurumsalwebtasarim.com, 1 +ankaramotosikletyedekparca.com, 1 +ankaraotocikmaparca.com.tr, 1 +ankaraotokiralama.name.tr, 1 +ankaraotokiralama.tk, 1 +ankaraotomobilcikmaparca.com, 1 +ankaraotomobilcikmaparca.com.tr, 1 +ankaraotomobilyedekparca.com, 1 +ankaraotomobilyedekparca.com.tr, 1 +ankaraotoparca.com.tr, 1 +ankararentacar.name.tr, 1 +ankaraseo.name.tr, 1 +ankarasoket.com.tr, 1 +ankarasondajkuyusutemizleme.com, 1 +ankarauzmanlarnakliyat.com, 0 +ankaravinckiralama.com.tr, 1 +ankarawebtasarim.name.tr, 1 +ankarawebtasarim.tk, 1 +ankarayedek.com.tr, 1 +ankastremerkezi.com, 1 +anker-wladyslawowo.pl, 1 +anketlekazan.net, 1 +ankitha.in, 1 +ankitpati.in, 1 +ankiuser.net, 1 +ankiweb.net, 1 +ankos.cf, 1 +ankya9.com, 1 +anleitung-deutsch-lernen.de, 1 +anleitung-zum-flechten.de, 1 +anleitung-zum-haekeln.de, 1 +anleitung-zum-schreiben.de, 1 +anleitung-zum-schweissen.de, 1 +anleitung-zum-toepfern.de, 1 +anlikdoviz.co, 1 +anlikhaber.tk, 1 +anliting.com, 1 +anmelden.io, 1 +anmriers.ga, 1 +anna-beauty.ga, 1 +anna-beauty.gq, 1 +anna-center.tk, 1 +anna-dance.ru, 1 +anna-mai.net, 1 +anna.info, 1 +annaaurora.eu, 1 +annabelcinemas.com, 1 +annabelmassina.net, 1 +annabet.com, 1 +annadebrux.cf, 1 +annadebrux.ga, 1 +annadebrux.gq, 1 +annadebrux.ml, 1 +annaenemma.nl, 1 +annafiore.com.br, 1 +annainstitute.org, 1 +annalaudel.gallery, 1 +annaleon.tk, 1 +annalisefashion.ga, 1 +annalitvinova.pro, 1 +annalouise.tk, 1 +annaluizaferreira.com.br, 1 +annandaleonline.net, 1 +annandaleonline.org, 1 +annangela.cn, 1 +annangela.moe, 0 +annarborplasticsurgery.com, 1 +annarokina.com, 1 +annat.cf, 1 +annat.tk, 1 +annavissi.tk, 1 +annawagner.pl, 1 +annaweb.tk, 1 +annazweglinska.pl, 1 +anne-gb.ch, 1 +anne-marie.tk, 1 +annedaniels.co.uk, 1 +anneeden-porn.com, 1 +anneeden.com, 1 +annefit.ro, 1 +annefrank.org, 1 +annefried-hahn.de, 1 +annejan.com, 1 +annekleinert.de, 1 +annelida.com, 1 +annelies-monsere.tk, 1 +anneliesvanhoof.tk, 1 +annelisetouya.com, 1 +annema.biz, 1 +annemakeslovelycandles.co.uk, 1 +annemarielaponder.com, 1 +annesfotografie.de, 1 +annetardif.ca, 1 +annetta.com, 1 +annetta.net, 1 +annettewindlin.ch, 1 +annevankesteren.nl, 1 +annevankesteren.org, 1 +anney-life.com, 1 +anniangel-porn.com, 1 +annicascakes.nl, 1 +anniecloth.com, 1 +anniegagnonphotographie.com, 1 +anniesdollhouse.com, 1 +annihilation-squad.tk, 1 +annikarose-porn.com, 1 +annitrinity.com, 1 +annitrinity.net, 1 +anniversaryforumers.ga, 1 +annonasoftware.com, 1 +annoncer.ga, 1 +annonces-immobilier.tk, 1 +annonces-moto.org, 1 +annonces-vacances.info, 1 +annonces34.tk, 1 +annonseringonline.se, 1 +announcement.tk, 1 +annoyinggui.de, 1 +annoyingguide.de, 1 +annrusnak.com, 1 +anns.eu, 1 +annthegran.com, 1 +annu.tk, 1 +annuaire-auto-ecole.com, 1 +annuaire-express.tk, 1 +annual.ga, 1 +annuire.org, 1 +annuitycommunity.com, 1 +annuityequityers.ga, 1 +annulleret.tk, 1 +annunciationbvmchurch.org, 1 +annuncisesso.tk, 1 +annyaurora.net, 1 +annygraces.com, 1 +anodas.lt, 1 +anohana.org, 1 +anokacountybuys.gov, 1 +anol.loan, 1 +anomalous.eu, 1 +anomaly.tk, 1 +anon-gap.tk, 1 +anon-net.tk, 1 +anon-next.de, 1 +anon-tipz.tk, 1 +anon-ways.tk, 1 +anonaddy.com, 1 +anonaddy.me, 1 +anonase.com, 1 +anoncrypto.org, 1 +anoneko.com, 1 +anongoth.pl, 0 +anonhq.com, 1 +anonicloud.ch, 1 +anoniem-domein.nl, 1 +anonimizers.tk, 1 +anonmega.tk, 1 +anonofficial.tk, 1 +anonrea.ch, 1 +anons.fr, 0 +anonser.tk, 1 +anontekno.com, 1 +anonwonders.tk, 1 +anonybus.com, 1 +anonym-surfen.de, 0 +anonym-surfen.online, 1 +anonyme-spieler.at, 1 +anonymous.com.pt, 1 +anonymousbitcoinexchange.org, 1 +anonymousemail.me, 1 +anonymshare.com, 1 +anoopcnair.com, 1 +anopan.tk, 1 +anora.ai, 1 +anoracdn.net, 1 +anorak.tech, 1 +anordinaryhousewife.com, 1 +anorexia-nervosa.tk, 1 +another.ch, 1 +anotherfatgeek.net, 1 +anotherinvest.pl, 1 +anothermilan.net, 1 +anothermusic.tk, 1 +anotheronedead.tk, 1 +anothersupersite.com, 1 +anothersupersociety.com, 1 +anothervps.com, 1 +anoual-lycee.tk, 1 +anoujaa.com, 1 +anouncer.ga, 1 +anova.com, 1 +anowicki.pl, 1 +anoxinon.de, 1 +anoxinon.media, 1 +anpaju.gq, 1 +anpigabon.ga, 1 +anquankongjian.com, 1 +anquanssl.com, 1 +ans-ge.ch, 0 +ans-solutions.com, 1 +ansas.net, 0 +ansdell.net, 1 +ansellchallenge.azurewebsites.net, 1 +anseo.ninja, 1 +ansermet.net, 0 +ansgar-sonntag.de, 1 +ansgar.tk, 1 +ansgarsonntag.de, 1 +anshar.eu, 1 +anshlag.co.il, 1 +ansibeast.net, 1 +ansichtssache.at, 1 +ansogning-sg.dk, 1 +anson.ru, 1 +ansoncountync.gov, 1 +ansperformance.eu, 1 +anstaskforce.gov, 1 +anster.org, 1 +anstorino.tk, 1 +answerbookstore.tk, 1 +answerconnect.co.uk, 1 +answerconnect.com, 1 +answerforce.com, 1 +answering365.com, 0 +answernow.cf, 1 +answers-online.ru, 1 +answersincme.com, 1 +antabuse.ga, 1 +antabuse500mg.ga, 1 +antabuskaufen1.gq, 1 +antagning-vn.se, 1 +antagning.se, 1 +antagonist1.tk, 1 +antalya-taxi.cf, 1 +antalya-turkey.tk, 1 +antalya-yesim.cf, 1 +antalyaduvarkagidi.com.tr, 1 +antalyaescmagazin.tk, 1 +antalyaescortyaren.tk, 1 +antalyahomes.com, 1 +antalyamasajsalonu.gq, 1 +antama.eu, 1 +antama.nl, 1 +antanavagefarbiarz.com, 1 +antani.cloud, 1 +antarcti.co, 1 +antarctida.tk, 1 +antaresmedia.com.py, 1 +antarktida.ru, 1 +antarktida.tk, 1 +antarlina.com, 1 +antavo.com, 1 +antcas.com, 0 +antechrista.tk, 1 +antecim.fr, 1 +antecipa.com, 1 +antelope.ai, 1 +antena.ga, 1 +antenaplay.ro, 1 +antenasmundosat.com, 1 +antenasmundosat.com.br, 1 +antenaweb.tk, 1 +antenna-lyubertsy.cf, 1 +antennajunkies.com, 1 +antennaweb.tk, 1 +antennekaart.nl, 1 +antennista.bari.it, 1 +antennista.catania.it, 1 +antennista.it, 1 +antennista.milano.it, 1 +antennista.pavia.it, 1 +antennista.roma.it, 1 +antennista.tv, 1 +antennistaroma.it, 1 +antennisti.milano.it, 1 +antennisti.palermo.it, 1 +antennisti.roma.it, 1 +anteny.ml, 1 +antephaber.tk, 1 +anteros.shop, 0 +antfarm.cf, 1 +anthes.is, 1 +anthiago.com, 1 +anthisis.tv, 1 +anthisnes.org, 1 +anthony-bardon.eu, 1 +anthonychampagne.me, 1 +anthonydegrande.tk, 1 +anthonyellis.com, 1 +anthonyfontanez.com, 1 +anthonylaberge.tk, 1 +anthonyloop.com, 1 +anthonymineo.com, 0 +anthonytimbers.com, 1 +anthonytutorials.tk, 1 +anthonyvadala.me, 1 +anthrene-traitement.fr, 1 +anthro.asia, 1 +anthro.icu, 1 +anthrocon.com, 1 +anthrocon.net, 1 +anthrocon.org, 1 +anthroper.com, 1 +anthropoid.ca, 1 +anti-akw-ac.de, 1 +anti-civilisation.tk, 1 +anti-ddos.group, 1 +anti-depressants.tk, 1 +anti-doping.tk, 1 +anti-eniologia.ml, 1 +anti-eniologiya.ml, 1 +anti-gololed.ga, 1 +anti-iupac.tk, 1 +anti-lohotron.tk, 1 +anti-nsa.tk, 1 +anti-radar.org, 1 +anti-spy.net, 0 +anti-stop.cf, 1 +antiage.ml, 1 +antianti.nl, 1 +antiaz.com, 1 +antibanner.tk, 1 +antibioticaugmentin.cf, 1 +antibioticaugmentin.ml, 1 +antibioticaugmentin.tk, 1 +antibioticsadvice.cf, 1 +anticapitalist.party, 1 +anticensorship-russia.tk, 1 +antichat.tk, 1 +antichatresources.ga, 1 +anticipating.tk, 1 +anticonceptieportaal.nl, 1 +anticopyright.com, 1 +anticorruption.tk, 1 +antics.tk, 1 +antidayton.com, 1 +antidepressants.tk, 1 +antidopamine.com, 1 +antidope.tk, 1 +antidoping.tk, 1 +antidott.fr, 1 +antiekboerderijgraafland.nl, 1 +antielectoral.tk, 1 +antifa-bernau.tk, 1 +antifa.sh, 0 +antifabus.tk, 1 +antifake-funko.fr, 1 +antifaschistisch-reisen.tk, 1 +antifaschistische-linke.tk, 1 +antifaschistischeaktioncelle.tk, 1 +antifilter.network, 1 +antifraud.cf, 1 +antifraudcentre-centreantifraude.ca, 1 +antifurti.roma.it, 1 +antigravity.cf, 1 +antihelp-tomsk.tk, 1 +antihistaminico.com, 1 +antihistory.cf, 1 +antihistory.ga, 1 +antihistory.gq, 1 +antihistory.ml, 1 +antihype.space, 1 +antijob.tk, 1 +antik-trodelmarkt.de, 1 +antikeo.com, 1 +antikfloors.ga, 1 +antikfloors.gq, 1 +antikfloors.ml, 1 +antikpest.hu, 0 +antikskupka.ru, 1 +antikvar-i-ya.tk, 1 +antikvar-net.tk, 1 +antikvariat22.cz, 1 +antikvarshop.tk, 1 +antilaserpriority.com, 1 +antiled.by, 1 +antimateri.com, 1 +antimaterie.tk, 1 +antimine.me, 1 +antiminutemen5.tk, 1 +antinatalism.com, 1 +antinatalists.com, 1 +antinazi.org, 1 +antincendio.it, 1 +antincendio.roma.it, 1 +antiochtechnologies.com, 1 +antipa.ch, 1 +antipodi.ga, 1 +antipolygraph.org, 1 +antiquario.roma.it, 1 +antique-pedalcars.ch, 1 +antiquecenter.gq, 1 +antiquefirearms.tk, 1 +antiquemotorcycle.org, 1 +antiquesinvestorsest.ga, 1 +antireklams.tk, 1 +antirepressionbayarea.com, 1 +antiseptik.me, 1 +antishell.ru, 1 +antisocialist.tk, 1 +antispamcloud.dk, 1 +antispeciesism.com, 1 +antispeciesist.com, 1 +antistarenie.tk, 1 +antistate.ch, 1 +antistatik.tk, 1 +antisystem.tk, 1 +antitabak.tk, 1 +antiuser.tk, 1 +antivandal.tk, 1 +antivigilancia.tk, 1 +antivirus.com, 1 +antivirus.cz, 1 +antivirusnet.tk, 1 +antivirusnik.tk, 1 +antiwarsongs.org, 1 +antize.tk, 1 +antizon.net, 1 +antlerprojects.com, 1 +antnetwork.tk, 1 +antocom.com, 1 +antoga.eu, 1 +antoinat.fr, 1 +antoine-data.tk, 1 +antoine-soscouverture.fr, 1 +antoined.fr, 0 +antoinedeschenes.com, 1 +antoinelounis.com, 1 +antoinelounis.xyz, 1 +antoineschaller.ch, 0 +anton-media.tk, 1 +anton-nb.com, 1 +antonchen.com, 1 +antonellabb.eu, 1 +antoni.xyz, 1 +antoniamaria.tk, 1 +antonianolocura.tk, 1 +antonimos.com.br, 1 +antonin.one, 1 +antoninocardillo.com, 1 +antonio-gartenbau.de, 0 +antonioantunesefilhos.pt, 1 +antonioffernandez.com, 1 +antoniojr.adv.br, 1 +antoniolatimore.com, 1 +antoniomarques.eu, 0 +antoniorodriguesadv.com.br, 1 +antonios.ch, 1 +antonioso.ng, 1 +antonioucabinets.com.au, 1 +antonis.cy, 1 +antonis.org, 1 +antonjuulnaber.dk, 1 +antonoff.tk, 1 +antonok.com, 1 +antonovka.ga, 1 +antonygeorge.tk, 1 +antonyraz.de, 1 +antopie.org, 1 +antoshka-net.tk, 1 +antota.lt, 1 +antr.me, 1 +antragsgruen.de, 1 +antraxx.ee, 1 +antrimnh.gov, 1 +antrodiulisse.eu, 0 +antropico.com, 1 +antroposboutique.it, 1 +antroposofica.com.br, 1 +ants-and-me.ml, 1 +ants-carte-grise.fr, 1 +antsa.duckdns.org, 1 +antstoolbox.com, 1 +antti.codes, 1 +antts.uk, 1 +antts.xyz, 1 +anturis.com, 1 +antwire.net, 1 +antyblokada.pl, 1 +antyware.pl, 1 +anubandarage.com, 1 +anubislinux.tk, 1 +anubisz.tk, 1 +anubixx.com, 1 +anujag.tk, 1 +anukaweb.com, 1 +anuke.eu.org, 1 +anulowano.pl, 1 +anunciosclasificados.co, 1 +anuntulmeu.tk, 1 +anunturitv.ro, 1 +anvilmetal.tk, 1 +anvilsales.tk, 1 +anvilsecure.com, 1 +anvish.in, 1 +anwalt-website.de, 1 +anwalt.us, 1 +anwarulislam.tk, 1 +anwarverdict.ml, 1 +anweshpatel.tk, 1 +anxietydisorderexplained.com, 1 +anxietyspace.com, 1 +anxiolytics.com, 1 +anxtlevel.nl, 1 +any-download.cf, 1 +any-download.ga, 1 +any-download.gq, 1 +any-download.ml, 1 +any-download.tk, 1 +any-id.be, 1 +any-id.eu, 1 +any-id.nl, 1 +any-id.online, 1 +any-id.store, 1 +any-link-page.de, 1 +any6.com, 1 +anya-carter.com, 1 +anya.moe, 1 +anyad.at, 1 +anyboat.com.au, 1 +anybus.com, 0 +anycoindirect.eu, 1 +anydaytour.cf, 1 +anyduchildren.tk, 1 +anyebooks.cf, 1 +anyebooks.ga, 1 +anyebooks.gq, 1 +anyebooks.ml, 1 +anyfood.fi, 1 +anyhobby.ga, 1 +anyi.in, 1 +anyid.be, 1 +anyid.uk, 1 +anyid.us, 1 +anyilin.cn, 1 +anyma.it, 1 +anymatch.ai, 1 +anyone.cf, 1 +anypeer.net, 1 +anyplant.ga, 1 +anyprime.net, 1 +anyquestions.govt.nz, 1 +anyradio.ga, 1 +anyrisk.ru, 1 +anyrose.ga, 1 +anysale.ga, 1 +anyshapemusic.com, 1 +anyshow.ga, 1 +anystack.xyz, 1 +anythingforsports.com, 1 +anytimefitness.co.in, 1 +anytimefitness.co.uk, 1 +anytimefitness.nl, 1 +anytimefundingers.ga, 1 +anytimefundingest.ga, 1 +anytimeicon.io, 1 +anytimeoffices.ga, 1 +anytimesewerrepair.com, 1 +anytots.com, 1 +anyuta-mebel.tk, 1 +anywayanyday.com, 1 +anywhereworks.com, 1 +anz.co.nz, 1 +anzalikala.com, 1 +anzeiger.ag, 1 +anztb.org, 1 +ao-vivo.net, 1 +ao2.it, 1 +ao27.net, 1 +ao2law.com, 1 +ao6.works, 1 +aoa.gov, 1 +aoa2.ch, 1 +aoadatacommunity.us, 1 +aoaprograms.net, 1 +aobogo.com, 1 +aocai.com, 1 +aoconsultoria.com, 1 +aod-tech.com, 1 +aodisco.co.uk, 1 +aodnovel.com, 0 +aoe9.com, 1 +aoeuaoeu.com, 1 +aofusa.me, 1 +aofusa.net, 1 +aohao.com, 1 +aoicprobationil.gov, 1 +aoil.gr, 1 +aojf.fr, 1 +aok-bv.de, 0 +aokae.com, 1 +aoku3d.com, 0 +aolcollege.com, 1 +aomar-mohammedi.tk, 1 +aomi.com, 1 +aonedatasolution.com, 1 +aonhewitt.com.cy, 1 +aonhewitt.gr, 1 +aonsolutions.com.cy, 1 +aonsolutions.gr, 1 +aooobo.com, 1 +aopa.org, 1 +aopedeure.nl, 1 +aorangi-debt.co.nz, 1 +aorhan.com, 1 +aori.com, 1 +aorui.com, 1 +aosc.kz, 1 +aosclan.tk, 1 +aoshiya.com, 1 +aosika.com, 1 +aospa.co, 1 +aostacarnavals.it, 1 +aosus.org, 1 +aotearoa.maori.nz, 1 +aotearoafreepress.com, 1 +aotearoaleaks.org, 1 +aotopo.com, 1 +aotuo.com, 1 +aova.loan, 1 +aoyagi-farm.jp, 1 +aoyamacc.co.jp, 1 +aozora.moe, 1 +ap-auto-rege.com, 1 +ap-auto.pl, 1 +ap-bg.eu, 1 +ap.icu, 1 +apa-canal.ro, 1 +apac-fxcm.com, 1 +apache-portal.com, 1 +apachecountyaz.gov, 1 +apachehaus.de, 0 +apachelounge.com, 1 +apachetoday.com, 1 +apadmi.com, 0 +apadrinaunolivo.org, 1 +apadvantage.com, 1 +apaesthetics.com, 1 +apambiente.pt, 1 +apaniwebsite.xyz, 1 +apannpyaymedia.com, 1 +apapinspection.ca, 1 +aparaatti.org, 1 +aparistravel.com, 0 +apart-hotel-weimar.de, 1 +apartamentoslostejos.tk, 1 +apartamentscalpatoi.cat, 1 +apartamentsvituri.com, 1 +apartment-in-rijeka.com, 1 +apartment-market.ml, 1 +apartment.loans, 1 +apartmentkroatien.at, 1 +apartmentregister.com.au, 1 +apartments-promajna.tk, 1 +apartments.co.nz, 1 +apartrentrotterdam.nl, 1 +apartyakamoz.com, 1 +apasaja.tech, 1 +apassodarte.com, 1 +apatransport.com, 1 +apbassettsolicitors.co.uk, 1 +apbforum.tk, 1 +apbio.org, 1 +apbox.de, 1 +apcassistant.com, 1 +apcdistri.com, 1 +apcmc.pt, 1 +apcube.com, 1 +apcw.org, 1 +apdfawl.com, 0 +apdtalents.org.tw, 1 +apdx.com, 1 +apea.com, 1 +apeasternpower.com, 1 +apecsustain.com, 1 +apedreira.com, 1 +apef.ch, 0 +apefrog.tk, 1 +apeiri.de, 1 +apeironassets.com, 1 +apelcinchik.ru, 1 +apelsin.ml, 1 +apem.com, 1 +aperature.com, 1 +apercloud.es, 1 +aperioadvice.ga, 1 +aperiomoney.ga, 1 +aperiotaxation.ga, 1 +apert.be, 1 +aperta.ro, 1 +aperta.shop, 1 +apertis.org, 0 +aperto-nota.eu, 0 +aperto.de, 1 +apertura.tk, 1 +aperture-science.net, 1 +aperture.gr, 1 +apertureimaging.com, 1 +aperturelabs.tk, 1 +aperturescience.cf, 1 +aperturesciencelabs.de, 1 +apertvre.tk, 1 +apex-parts.com, 1 +apex-promotion.com, 1 +apex-writers.com, 1 +apex.ac, 1 +apex.aw, 1 +apexchain-dev.com, 1 +apexchimneyrepairs.com, 1 +apexconsulting.io, 1 +apexfacades.com.au, 1 +apexitsolutions.ca, 1 +apexnc.gov, 1 +apexperformancegym.com, 1 +apexpreciousmetals.com, 1 +apexsupplies.com.sa, 1 +apextrailers.co.za, 1 +apfhaiti.org, 1 +apfm.fr, 1 +apfnxg.com, 1 +apfulfilment.com, 1 +apgw.jp, 1 +aphantasiac.com, 1 +aphelionband.ga, 1 +aphelionentertainment.com, 1 +aphelis.net, 1 +aphorismen-archiv.de, 1 +api-agri.ga, 1 +api-bitrefill.com, 1 +api-hany.cf, 1 +api.biz.tr, 1 +api.lookout.com, 1 +api.recurly.com, 1 +api42.ch, 1 +api64.com, 1 +apiary.shop, 1 +apiary.supplies, 1 +apiary.supply, 1 +apicep.com, 1 +apico-fish.ru, 1 +apiculture.net, 1 +apido.de, 1 +apienergisahomol.com, 1 +apigb.com, 1 +apiinfotech.com, 1 +apil.org.uk, 1 +apila.care, 1 +apiled.io, 1 +apilicens.nu, 1 +apimon.de, 1 +apimoveisorocaba.com.br, 1 +apinat.de, 1 +apination.com, 1 +apio.systems, 1 +apiora.ru, 1 +apiordie.com, 1 +apiplus.fr, 1 +apipsandiego.ga, 1 +apipsandiego.gq, 1 +apipsandiego.ml, 1 +apirie.uk, 1 +apiris.fr, 1 +apis.blue, 1 +apis.google.com, 1 +apit-kovrov.ru, 1 +apitodemestre.com.br, 1 +apiu.me, 1 +apix.se, 1 +apix.uz, 1 +apixmessaging.com, 1 +apixplatform.com, 1 +apk-world.cf, 1 +apk.li, 1 +apk4fun.com, 1 +apkclup.com, 1 +apkcunk.com, 1 +apkdv.com, 0 +apkfame.com, 1 +apkfree.com, 1 +apkfuse.com, 1 +apkindirsene.com, 1 +apkmaze.com, 1 +apkmint.co, 1 +apkmodders.com, 0 +apkmody.io, 1 +apknut.com, 1 +apkoc.com, 1 +apkpokemongo.ga, 1 +apkpokemongo.gq, 1 +apkpokemongo.tk, 1 +apktechy.com, 1 +apkteen.com, 1 +apkxi.com, 1 +aplaceforpops.com, 1 +aplausse.tk, 1 +aplazame.com, 0 +aplcare.com, 1 +aplibrary.org, 1 +aplicaciones.ai, 1 +aplis-online.de, 0 +aplpackaging.co.uk, 1 +aplteam.tk, 1 +aplu.fr, 1 +aplus.mn, 1 +aplusdownload.com, 1 +aplusteachingresources.com.au, 1 +aplusz.nl, 1 +apm.com.tw, 1 +apn-dz.org, 1 +apn-einstellungen.de, 1 +apnagujarkhan.tk, 1 +apnakhattak.tk, 1 +apnanaudero.tk, 1 +apnee-sommeil.ml, 1 +apnews.com, 1 +apnic.network, 1 +apnisites.tk, 1 +apobot.de, 1 +apocalipsisdot.tk, 1 +apocalypseboard.tk, 1 +apocalypseclan.tk, 1 +apocalypsje.ga, 1 +apod.com.au, 1 +apod.ml, 1 +apodis.pro, 1 +apogaea.com, 1 +apogeephoto.com, 1 +apoia.se, 1 +apoiocoletivo.com, 1 +apokalipsis.tk, 1 +apolitical.co, 1 +apollodiet.com, 1 +apollogames.cz, 1 +apolloheatingandair.com, 1 +apollointeractive.com, 1 +apollomobile.ga, 1 +apollomobile.gq, 1 +apollonas.tk, 1 +apollonia.tk, 1 +apollowallet.org, 1 +apollux.ro, 1 +apollyon.work, 1 +apoly.de, 1 +aponkral.com, 1 +aponkral.com.tr, 1 +aponkral.dev, 1 +aponkral.net, 1 +aponkral.net.tr, 1 +aponkral.org, 1 +aponkral.org.tr, 1 +aponte-systems.com, 1 +apopka.gov, 1 +apopov.tk, 1 +apordi.fr, 1 +aposan.de, 1 +aposke.com, 1 +aposke.net, 1 +aposke.org, 1 +apostalegal.com, 1 +apostalegal.pt, 1 +apostascomvalor.com, 1 +apostasdesportivas.tv, 1 +apostasolida.com, 1 +apostasonline.guru, 1 +apostillelondon.com, 1 +apothecarydouglasville.com, 1 +apotheek-ict.nl, 1 +apotheke.social, 1 +apothekeonline.tk, 1 +apotom.tk, 1 +apoyoentareas.tk, 1 +apozitivenergiasport.hu, 1 +app, 1 +app-alp-cp-boost-model.azurewebsites.net, 1 +app-at.work, 1 +app-capacitymanager-v1-pro-crd-hd.azurewebsites.net, 1 +app-cinveninfostream-qa.azurewebsites.net, 1 +app-colissimo.fr, 1 +app-control-fcu.de, 1 +app-finanzas-services-v1-pro-ol.azurewebsites.net, 1 +app-internalapps-v1-uat-crd-hd.azurewebsites.net, 1 +app-online.cloud, 1 +app-scantech.com, 1 +app-scope.com, 1 +app-sharepoint-v1-pro-crd-hd.azurewebsites.net, 1 +app-uks-stg-projectb-website.azurewebsites.net, 1 +app.do, 1 +app.gp, 1 +app.lookout.com, 1 +app.ps, 1 +app.recurly.com, 1 +app.yinxiang.com, 0 +app00228.com, 1 +app11018.com, 1 +app2get.de, 1 +app3w.nl, 1 +app666365.com, 0 +app77018.com, 1 +appac.com.tr, 1 +appac.ltd, 1 +appagility.co.nz, 1 +apparatrechose.tk, 1 +apparatus.ga, 1 +apparelfashionwiki.com, 1 +apparelmusic.com, 1 +appartamento.tk, 1 +appartement-andrea.at, 1 +appartement-evolene.net, 0 +appartement-oostduinkerke.tk, 1 +appartementhaus-am-uke.de, 1 +appartementmarsum.nl, 1 +appartementspanje.tk, 1 +appartementvlissingen.tk, 1 +appartenfrance.com, 1 +appbet43.com, 1 +appbot.co, 1 +appbydl.com, 1 +appcoins.io, 1 +appcraver.com, 1 +appdividend.com, 1 +appdrinks.com, 1 +appearinsequel.tk, 1 +appel-aide.ch, 1 +appelboom.com, 1 +appelboomdefilm.nl, 1 +appelerintrt.tk, 1 +appelhof.com, 1 +appemployees.tk, 1 +appen.com.cn, 1 +appengine.google.com, 1 +appetiser.com.au, 1 +appetitesanonymous.com, 1 +appfollow.io, 1 +appgeek.com.br, 1 +appgrowth.com, 1 +appgurus.com.au, 1 +apphr.io, 1 +appian-cdn-gov.com, 1 +appian-cdn.com, 1 +appiancloud-dynamic.com, 1 +appiancloud-static.com, 1 +appiancloud.com, 1 +appify.org, 1 +appimlab.it, 1 +appingrove.com.au, 1 +appinplace.com.au, 1 +appinvalley.com.au, 1 +appisoftsas.com, 1 +appjobs.com, 1 +applaus-kornwestheim.de, 1 +apple-droid.com, 1 +apple-droid.ru, 1 +apple-watch-zubehoer.de, 1 +apple.ax, 1 +apple.markets, 1 +apple.tf, 1 +apple.wf, 1 +apple77.net, 1 +applebee1558.com, 1 +applecare.cz, 1 +appledestek.net, 1 +appledroid.ru, 1 +appleedu.com, 1 +appleexterminating.com, 1 +applefeel.com, 1 +appleglasscompany.com, 1 +applegun.com, 1 +appleii-box.de, 1 +applejacks-bouncy-castles.co.uk, 1 +applelp.com, 1 +applemaclover.tk, 1 +applemon.com, 1 +applemon.net, 1 +applemon.org, 1 +appleoosa.com, 1 +appleric.tk, 1 +applesaph.nl, 1 +applesencia.com, 1 +appleslayer.cf, 1 +applet.cyou, 1 +appletonmn.gov, 1 +appletonwi.gov, 1 +appletoy.com, 1 +appletree.is, 1 +appletreelanewm.com, 0 +appletreemedicalgroup.com, 1 +applevalleyca.gov, 1 +applewatch.co.nz, 1 +applian.com, 1 +appliancedoctorofwestmichigan.com, 1 +appliancepronwi.com, 1 +appliancerepairtime.com, 1 +appliances-for-home.tk, 1 +appliancist.com, 1 +applicablesecurity.net, 1 +application-travel.us.com, 1 +applicationmanager.gov, 1 +applicationtracker.com, 1 +applied-privacy.net, 1 +appliedbehavioranalysisedu.org, 1 +appliedbiomath.com, 1 +appliedmaths.lk, 1 +appliedtesting.com, 1 +applingcounty.gov, 1 +applique.co.jp, 0 +appliquette.com.au, 1 +appllio.com, 1 +apply-esta.us.com, 1 +apply-eta.org, 1 +apply-visa.us.com, 1 +apply.eu, 1 +apply55gx.com, 1 +applybe.com, 1 +applydirect.org, 1 +applythis.net, 1 +applytofaceblog.com, 1 +appmania.cf, 1 +appmania.gq, 1 +appmedia.tk, 1 +appmeucredito.com.br, 1 +appmobile.io, 1 +appninjas.com, 1 +appo.nl, 1 +appodeal.com, 1 +appoggiature.fr, 1 +appointible.com, 1 +appointment.ga, 1 +apponic.com, 1 +apponline.com, 1 +appopay.com, 1 +apppage.net, 1 +appperformance.com.br, 1 +appraf.com, 1 +appraisalroomest.ga, 1 +apprank.in, 1 +apprendre-le-russe-avec-ania.fr, 1 +apprenticedocs.com.au, 1 +apprenticeship.gov, 1 +apprenticeships.gov, 1 +apprentimillionnaire.com, 1 +approbo.com, 1 +approval-workflow.com, 1 +approve.me, 1 +approvedcashmax.com, 1 +approvedlawyersers.ga, 1 +approveme.com, 1 +apps.facebook.com, 0 +apps.fedoraproject.org, 1 +apps.stg.fedoraproject.org, 1 +apps4all.sytes.net, 1 +apps4inter.net, 0 +appsafrica.com, 1 +appsbaladyg.org, 1 +appsbd.com, 1 +appsbud.com, 1 +appscan360.com, 1 +appscan360.net, 1 +appscan360.org, 1 +appscem.mx, 1 +appscloudplus.com, 1 +appsdock.de, 1 +appsecmonkey.com, 0 +appservice.ru, 1 +appshuttle.com, 1 +appsimplex.pt, 1 +appsmith.com, 1 +appsoda.net, 1 +appson.co.uk, 1 +appspcwiki.com, 1 +appsren.com, 1 +appstory.co.kr, 1 +appt.ch, 0 +appt.to, 1 +apptesters.com, 1 +apptio.com, 1 +apptoutou.com, 1 +appuals.com, 1 +appub.co.jp, 1 +appugo.tk, 1 +appui-de-fenetre.fr, 1 +appuntidallarete.com, 1 +appunwrapped.com, 1 +appveyor.com, 1 +appwardbeta.com, 1 +appworld.ga, 1 +appy.us, 1 +appypie.com, 1 +appzoojoo.be, 1 +aprazivel.com.br, 1 +aprendadesign.com, 1 +aprendaingles123.com, 1 +aprendaviaweb.com.br, 1 +aprende-a-programar.com, 1 +aprende.com, 1 +aprendejainternet.tk, 1 +aprenderexcel.com.br, 1 +aprenderjuntos.cl, 1 +aprendiendoforexhoy.com, 1 +apresski-pictures.tk, 1 +apresskistuntteam.tk, 1 +apretatuercas.es, 1 +apriadirect.com, 1 +apricavia.com, 1 +apricaviabranding.com, 1 +apricotactuaries.com.au, 1 +aprilagentur.de, 1 +aprileporte.it, 1 +aprilspecialsest.ga, 1 +aprimatic.msk.ru, 1 +aprofunda.art.br, 1 +apropotv.ro, 1 +apropotv.tk, 1 +aprovatotal.com.br, 1 +aprpullmanportermuseum.org, 0 +aprsdroid.org, 1 +apruvd.com, 1 +aprz.de, 1 +apsa.paris, 1 +apsb.cz, 1 +apsbengdubi.org, 1 +apse.ga, 1 +apsistemas.info, 1 +apsl.sk, 1 +apsnewcastle.com, 0 +apspayroll.com, 1 +apsportseditors.org, 1 +apsprofessions.gov.au, 1 +apsreform.gov.au, 0 +apsreview.gov.au, 1 +apssb.in, 1 +apssolucoesfinanceiras.online, 1 +apstats.tk, 1 +apstudynotes.org, 1 +apstylebook.com, 1 +apsua.tk, 1 +apt-one.com, 1 +aptcaust.com.au, 1 +aptechka.ga, 1 +apteka-evalar.ru, 1 +apteka38.com, 1 +aptekaevalar.ru, 1 +aptekakolska.pl, 1 +aptekas.tk, 1 +aptern.pt, 1 +apthesys.com, 1 +aptient.com, 1 +aptinjectiontraining.com, 1 +aptitudetests.org, 1 +aptos.com, 1 +apu-board.de, 1 +apuestaes.tv, 1 +apuestalegal.com, 1 +apuestalegal.mx, 1 +apuestalegal.pe, 1 +apuestalegalchile.com, 1 +apunkt.dk, 1 +apur.org, 1 +apuraytravel.com, 1 +apuvalinetekniikka.fi, 1 +apuyou.io, 0 +apv-ollon.ch, 1 +apviz.io, 1 +apw-dortmund.de, 1 +aqarategypt.com, 1 +aqarbab.com, 1 +aqdance.com.sg, 1 +aqdlt.tv, 1 +aqdun.com, 0 +aqenglish.pk, 1 +aqlivia.com, 1 +aqqrate.com, 1 +aqsiq.net, 1 +aqu.com, 1 +aqua-academy.at, 1 +aqua-accelerator.com, 1 +aqua-dom33.ru, 1 +aqua-ferra.co.uk, 1 +aqua-fitness-nacht.de, 1 +aqua-fm.tk, 1 +aqua-fotowelt.de, 1 +aqua-minsk.tk, 1 +aqua-print.com.ua, 1 +aqua-richtig.de, 1 +aquababy.at, 1 +aquabio.ch, 0 +aquabiodesign.tk, 1 +aquablue.tk, 1 +aquabotanic.tk, 1 +aquabyte.co.uk, 1 +aquacapsule.cf, 1 +aquacitylands.com, 1 +aquaconcepts.be, 1 +aquadarts.tk, 1 +aquadecor.cf, 1 +aquadrom.cz, 1 +aquaexpo.com.ec, 1 +aquafc.com, 1 +aquafilm.cf, 1 +aquafirm.com, 1 +aquagino.nl, 1 +aquahill.net, 1 +aquaholic.tk, 1 +aquaist.com, 1 +aqualantic.de, 1 +aqualife.cf, 1 +aqualift.uk.com, 1 +aqualogis.co.uk, 1 +aqualysis.nl, 0 +aquamarin.icu, 1 +aquamart.tk, 1 +aquantia.com, 1 +aquapets.tk, 1 +aquaphor.com, 1 +aquaphor.ru, 1 +aquaplaning.tk, 1 +aquaplays.net, 1 +aquapoint.kiev.ua, 1 +aquaponics.ga, 1 +aquapool.es, 1 +aquapraat.tk, 1 +aquarel-games.tk, 1 +aquarel.tk, 1 +aquarelleren.tk, 1 +aquarillon.fr, 1 +aquariu.ms, 1 +aquarium-supplement.net, 1 +aquariumhobby.tk, 1 +aquariumhome.tk, 1 +aquariymist.tk, 1 +aquaron.tk, 1 +aquasaur.tk, 1 +aquascaping.tk, 1 +aquaselect.eu, 1 +aquasplash.ae, 1 +aquastudios.games, 1 +aquasun.pl, 1 +aquatherm72.ru, 1 +aquatiq.com, 1 +aquato.com.ua, 1 +aquatropical.tk, 1 +aquaviaspa.es, 1 +aquaworld.tk, 1 +aquedim.com, 1 +aqueducttech.com, 1 +aquienguate.com, 1 +aquila.co.uk, 1 +aquila.earth, 1 +aquimisa.com, 1 +aquiparoxetina.gq, 1 +aquivardenafilo.gq, 1 +aqwire.io, 1 +aqworlds.cf, 1 +ar-1xbet.com, 1 +ar-android.com, 1 +ar-informatique.ch, 0 +ar-oma.tk, 1 +ar-vernet.fr, 1 +ar.al, 1 +araadvocats.net, 1 +arab-romance.tk, 1 +arab1info.cf, 1 +arab2cam.com, 1 +arabafenicespa.com, 1 +arabakiralama.name.tr, 1 +arabam.com, 1 +arabapps.org, 1 +arabbook.ga, 1 +arabearthcommunity.ml, 1 +arabedia.tk, 1 +arabeyes.com, 1 +arabi-news.ml, 1 +arabi-online.net, 1 +arabia-news.gq, 1 +arabia.fi, 1 +arabian-gulf.tk, 1 +arabic-for-nerds.com, 1 +arabic-shirts.com, 1 +arabicbayan.tk, 1 +arabicdress.com, 1 +arabicpost.live, 1 +arabictranslation.tk, 1 +arabicxz.com, 1 +arabigolestan.tk, 1 +arabmusic.tk, 1 +arabschools.edu.sa, 1 +arabseed.cf, 1 +arabska.tk, 1 +arabskills.tk, 1 +arabstar.ml, 1 +arabstar.tk, 1 +arabstreamsystem.tk, 1 +arabtones.tk, 1 +arabwomen.ml, 1 +aracbul.com, 1 +arachnid.tk, 1 +arachnida.ml, 1 +arackiralama.name.tr, 1 +aradiantlife.org, 1 +aradiantlyhealthylife.com, 1 +arados.de, 1 +aradpulse.tk, 1 +aragotownshipmn.gov, 1 +arai21.net, 1 +arainfo.org, 1 +arais.com, 1 +arakanis.tk, 1 +arakomputer.com, 1 +aral.ml, 1 +araluenvalleyhotel.ga, 1 +aralun.net, 1 +aralys.com, 1 +aram-designs.com, 1 +aramido.de, 1 +aramloebmd.com, 1 +aramsco.com, 1 +aramyayinevi.com, 1 +aranchhomes.com, 1 +arandinacf.tk, 1 +arandomsite.tk, 1 +aranel.me, 1 +aranycsillag.net, 1 +aranykornyp.hu, 1 +arapahoeco.gov, 1 +arapahoesheriff.gov, 1 +arapahoevotes.gov, 1 +araqnid.org, 1 +ararat-rp.tk, 1 +araratour.com, 1 +arargo.cf, 1 +araro.ch, 0 +ararrl.com, 1 +ararrl.net, 1 +ararrl.org, 1 +arasozgun.net, 1 +aravitor.com, 1 +aravo.com, 1 +arawaza.info, 1 +araxis.com, 1 +araya.ga, 1 +arbaiten.tk, 1 +arbaswedan.id, 1 +arbat.media, 1 +arbautocare.com, 1 +arbavere.ee, 1 +arbeidsplassen.no, 1 +arbeiten.ga, 1 +arbeiterkammer.at, 1 +arbeitskraft.de, 1 +arbeitskreis-asyl-eningen.de, 1 +arbeitslosenverwaltung.de, 1 +arbejdsdag.dk, 1 +arbitrarion.com, 1 +arbitrary.ch, 1 +arbitrations.tk, 1 +arbitrazh.tk, 1 +arbobille.es, 1 +arboleda-hurtado.com, 1 +arbolesdenavidad.info, 1 +arbolesdenavidad.site, 1 +arbologic.nl, 1 +arborio.com.ua, 1 +arboristadvice.com, 1 +arboristic.de, 1 +arbounie.nl, 1 +arbousier.com, 1 +arbradio.com, 1 +arbschg.com, 1 +arbu.eu, 0 +arbucks.io, 1 +arc-relight.com, 1 +arc.run, 1 +arca.am, 1 +arca.info.ro, 1 +arca.live, 1 +arcada-company.com, 1 +arcadami.gov, 1 +arcadegame.ga, 1 +arcadegames.com, 1 +arcadia.com.ph, 1 +arcadiaca.gov, 1 +arcadiaeng.com, 1 +arcaik.net, 1 +arcana-noctis.tk, 1 +arcandadults.org, 1 +arcane.no, 1 +arcanefrost.de, 1 +arcanehardware.com, 1 +arcanetides.com, 1 +arcanoid.com, 1 +arcantel.ch, 1 +arcbouncycastles.co.uk, 1 +arcdesantmarti.net, 1 +arcenergy.co.uk, 1 +arcese.com, 1 +arch-design.com, 1 +archaeoadventures.com, 1 +archaeology.lk, 1 +archambault.paris, 1 +archangelbio.com, 1 +archbishop.ga, 1 +archdetal.com.ua, 1 +archeologicatoscana.it, 1 +archerconsulting.llc, 1 +archerlong.com, 1 +archerlongx.com, 1 +archerxlong.com, 1 +archery.land, 1 +archerytaghuren.be, 1 +archeton.ga, 1 +archframe.net, 1 +archi.ve.it, 1 +archibuilt.net.au, 1 +archief-ocmwgent.be, 1 +archina.ir, 1 +archined.nl, 1 +archion.ro, 1 +archipelagoperfarecasa.it, 1 +archispace.com.cn, 1 +archistart.net, 1 +archit.in, 1 +architect-cassiman.be, 1 +architectphd.tk, 1 +architectryan.com, 1 +architecturaldesignschool.com, 1 +architecture-colleges.com, 1 +architectureblog.ml, 1 +architectus.ga, 1 +architekt-website.de, 1 +architekt.tk, 1 +architekten.tk, 1 +architektur.ga, 1 +architektur.tk, 1 +architekturwiki.tk, 1 +archival-services.gov.ge, 1 +archive.gov.ge, 1 +archivero.es, 1 +archives.cf, 1 +archives.gov, 1 +archivesdelavieordinaire.ch, 1 +archivesfoundation.org, 1 +archivestesting.tk, 1 +archivi.ddns.net, 1 +archivistas.tk, 1 +archivium.biz, 1 +archivosmercury.com, 1 +archivosstl.com, 1 +archiweb.pl, 0 +archlinux.de, 1 +archlinux.org, 1 +archlinuxcn.org, 1 +archmacro.ga, 1 +archmirror.it, 1 +archoit.org, 0 +archphila.org, 1 +archsec.info, 1 +archtekton.com.ve, 1 +arcinapoli.it, 1 +arcj.es, 1 +arclookup.com, 1 +arcloud.com.tw, 1 +arcmarine.eu, 1 +arco.lu, 1 +arcobalabs.ca, 1 +arcogb.co, 1 +arcoidaho.gov, 1 +arcoiriscastellon.tk, 1 +arcolapdtx.gov, 1 +arcolasecurities.com, 1 +arcolatexas.gov, 1 +arcopay.io, 1 +arcosa.com, 1 +arcosdelallana.tk, 1 +arcosdequejana.com, 1 +arcourts1st.gov, 1 +arcourts6th.gov, 1 +arcovix.com, 1 +arcproject.org.uk, 1 +arcsar.eu, 1 +arcserv.com, 1 +arcskoru.com, 1 +arcthelad.com, 1 +arctic-charge.tk, 1 +arctic.ca, 1 +arctica.io, 0 +arcticfiber.net, 0 +arcticfox.email, 0 +arcticfoxes.net, 1 +arcticpolitics.com, 1 +arcticvillage.gov, 1 +arcticwolf.com, 1 +arctus-security.com, 1 +arcueil-cachan.fr, 0 +arcza.com, 1 +arcza.net, 0 +ardabil.tk, 1 +ardacar.com, 1 +ardadanal.com, 1 +ardakannews.tk, 1 +ardania.de, 1 +ardennes.com, 1 +ardenwolfsky.com, 1 +arditech.ml, 1 +ardmoreok.gov, 1 +ardo.tk, 1 +ardor.noip.me, 1 +ardtrade.ru, 1 +arduino.cc, 1 +are-you-experienced.tk, 1 +area.ge, 1 +area21.ga, 1 +area3.org, 1 +area4pro.com, 1 +area51.dyndns1.de, 1 +area51.social, 1 +area51bit.com, 1 +area51bit.it, 1 +areacinquentaeum.tk, 1 +areallyneatwebsite.com, 1 +arealsultan.ga, 1 +areanet.tk, 1 +areata.tk, 1 +areatrend.com, 1 +areavoipers.ga, 1 +areavoipest.ga, 1 +areeb.live, 1 +areege.tk, 1 +arefidgetspinnersgay.com, 1 +arefly.com, 1 +aregus.tk, 1 +areins.com, 1 +areinsmuseum.com, 1 +arekatieandchrisgettingmarried.com, 1 +arekatieandchrisgettingmarried.today, 1 +arekatieandchrismarriedyet.com, 1 +arekkusu.net, 1 +arelektribuneriske.lv, 1 +arellak.de, 1 +areminder.co, 1 +arena-news.tk, 1 +arenaalbionu.pl, 1 +arenadagon.tk, 1 +arenaforum.ru, 1 +arenatennis.ga, 1 +arenda-auto.com, 0 +arenda-bez-agenta.ml, 1 +arenda247.by, 0 +arendabotov.tk, 1 +arendadoma.tk, 1 +arendakemper.by, 1 +arendakrana.tk, 1 +arendaskuterov.cf, 1 +arendburgers.nl, 1 +arenlor.com, 1 +arenlor.info, 1 +arenns.com, 1 +arenzana.org, 1 +arenzanaphotography.com, 1 +areproduktioqn.tk, 1 +areqgaming.com, 1 +ares.systems, 1 +ares.watch, 1 +aresico.cz, 1 +aresproject.org, 1 +arest.web.id, 1 +aresztowany.pl, 1 +aresztsledczy.pl, 1 +aret.eu.org, 1 +arete.net, 1 +areteaudit.pl, 1 +aretemusic.tk, 1 +areteortho.com.sg, 1 +arezzonotizie.it, 1 +arforingenieria.com, 1 +arfulus.com, 1 +arfycat.com, 1 +arg.zone, 1 +argama-nature.com, 1 +arganaddict.com, 1 +arganaddict.net, 1 +arganaderm.ch, 0 +argb.de, 1 +argekultur.at, 1 +argentinachat.tk, 1 +argentinatrabaja.org, 1 +argentinaxp.com, 1 +argentinetownship.gov, 1 +argentumonline.tk, 1 +argico.com, 1 +argilo.net, 1 +argo-vision.com, 1 +argo-vision.it, 1 +argo.vision, 1 +argocasino.com, 1 +argon2.online, 1 +argonmail.com, 1 +argonnewi.gov, 1 +argos.co.uk, 1 +argosasist.co.uk, 1 +argosrisk.com, 1 +argotplan.com, 1 +argovpay.com, 1 +argovpn.com, 1 +argrafiche.it, 1 +argumentative-essay.gq, 1 +argumentplus.ru, 1 +argus01.bg, 1 +argxentakato.me, 1 +argyrouminas.digital, 1 +argyrouminas.eu, 1 +arheh.com, 1 +arhgrille.com, 1 +arhipka.tk, 1 +arhivpalanka.rs, 1 +ari.beauty, 1 +ari.gg, 1 +ari.lt, 1 +aria-best.ru, 1 +aria-best.su, 1 +aria-sante.org, 1 +aria2.cf, 1 +ariaartgallery.com, 1 +ariacreations.net, 1 +ariacres.ca, 1 +ariadermspa.com, 1 +ariag.tk, 1 +ariajourney.com, 0 +ariamag.com, 0 +ariaman.tk, 1 +arian.io, 1 +ariana.wtf, 1 +ariashii.tk, 1 +ariba.info, 1 +aribicara.tk, 1 +aric-assurances.fr, 1 +aricabus.tk, 1 +aricaluchalibre.tk, 1 +aridhia.com, 1 +aridhia.io, 1 +arielasher.cf, 1 +arielhr.ca, 1 +arielpereira.tk, 1 +ariens.com, 1 +ariensco.com, 1 +ariensco.uk, 1 +arienscohospitality.com, 1 +arienscompany.com, 1 +arienscompanydealer.com, 1 +ariensconordiccenter.com, 1 +arienscorp.com, 1 +ariensfamilyfoundation.org, 1 +ariensfoundation.org, 1 +ariensmuseum.com, 1 +ariensnordiccenter.com, 1 +arienssnotek.com, 1 +ariensstore.com, 1 +aries.it, 1 +ariesclark.com, 0 +arieswdd.com, 1 +arifarma.com, 1 +arifburhan.online, 1 +arifer.tk, 1 +arifp.me, 1 +arifrachmanhakim.tk, 1 +arigato-java.download, 1 +arihantabode.com, 1 +arihantarden.com, 1 +arihantbuildcon.com, 1 +arihantone.com, 1 +arihantone.in, 1 +arihantsouthwinds.com, 1 +arihunt.com.au, 1 +arij.net, 1 +arilto.com, 1 +arima.co.ke, 1 +arima.tk, 1 +arimarie.com, 1 +arina.is, 1 +arina.moscow, 0 +arinahashimoto.com, 1 +arinde.ee, 1 +arinflatablefun.co.uk, 1 +arionta.com, 1 +arious.uk, 1 +aripiprazolee.gq, 1 +arirabinowitz.com, 1 +arirex.me, 1 +aris.io, 1 +arisaka.tk, 1 +ariseconference.org.nz, 1 +arisevendor.net, 1 +arishastyle.tk, 1 +arissait.com, 1 +aristidebouix.cloud, 1 +aristocrates.co, 1 +aristokratia.tk, 1 +ariston-center.gq, 1 +aristotle.tk, 1 +aritec-la.com, 1 +arithmetic.ga, 1 +arithmetica.at, 1 +aritmetic.com, 1 +aritworld.tk, 1 +arivo.com.br, 1 +arizona-fake.tk, 1 +arizonaautomobileclub.com, 1 +arizonabondedtitle.com, 1 +arizonaonlinedivorce.com, 0 +arizonatech.tk, 1 +arjan.nl, 1 +arjandejong.eu, 1 +arjanenthijs.nl, 1 +arjansteevels.nl, 1 +arjanvaartjes.net, 1 +arjen-robben.tk, 1 +arjunasdaughter.pub, 0 +arjweb.co.uk, 1 +arkaan.tk, 1 +arkadaslik.tk, 1 +arkadelphia.gov, 1 +arkadiahill.tk, 1 +arkadian.tk, 1 +arkadien.com, 1 +arkadium.com.br, 1 +arkadiyt.com, 1 +arkagis.com, 1 +arkagt.ir, 1 +arkaic.dyndns.org, 1 +arkantos.agency, 1 +arkenstone.ml, 1 +arkforum.de, 1 +arkfoundationrepair.com, 1 +arkhamasylum.tk, 1 +arkhangelsk.cf, 1 +arkhangelsk.gq, 1 +arkhangelsk.tk, 1 +arkholmevillage.ml, 1 +arkhvoid.xyz, 1 +arklow.io, 0 +arkm6.gq, 1 +arknights.work, 0 +arknodejs.com, 1 +arkomaok.gov, 1 +arkontechnologies.com, 1 +arkrowd.eu.com, 1 +arks.cards, 1 +arksan.com.tr, 1 +arkulagunak.com, 0 +arkutinofamilyresort.com, 1 +arlatools.com, 1 +arle.moe, 1 +arlenarmageddon.com, 1 +arlenitas.com, 1 +arleo.eu, 1 +arlingtonmn.gov, 1 +arlingtonva.gov, 1 +arlingtonwine.net, 1 +arllab.co.nz, 1 +arlon.com, 1 +arm.gov, 1 +arma3.com, 1 +armacom.tk, 1 +armadale.au, 1 +armadale.wa.gov.au, 1 +armadalelearningpathways.co.uk, 1 +armadaquadrat.com, 1 +armadateam.tk, 1 +armadilloscubatx.com, 1 +armadix.net, 1 +armado.tk, 1 +armageddonclan.tk, 1 +armahackers.tk, 1 +armamentevolved.com, 1 +armand-colin.com, 1 +armanddesign.com, 1 +armanddesign.nl, 1 +armandmusic.nl, 1 +armando.info, 1 +armandocorazones.tk, 1 +armandsdiscount.com, 1 +armanozak.com, 1 +armansazehradis.com, 1 +armaplatform.com, 1 +armarinhovirtual.com.br, 1 +armaselektronik.com, 1 +armateursderhum.fr, 1 +armatura.kiev.ua, 1 +armazemdaminiatura.com.br, 1 +armazemdeminasmg.com.br, 1 +armazone.tk, 1 +armbrust.me, 1 +armcar.ga, 1 +armchairwarlord.com, 1 +armchess.tk, 1 +armculturaltv.cf, 1 +armdirectoryers.ga, 1 +armdirectoryest.ga, 1 +armenia.cf, 1 +armeniaweb.tk, 1 +armeo.top, 1 +armeria.roma.it, 1 +armfilm.co, 1 +armhistory.tk, 1 +armiantichesanmarino.eu, 1 +armida.tk, 1 +armil.it, 1 +arminc.tk, 1 +arminpech.de, 1 +arminreiter.com, 1 +arminsure.com, 1 +armleads.com, 0 +armo.re, 1 +armo.sk, 1 +armoedebeleidgent.be, 1 +armond.tk, 1 +armorsoft.fr, 1 +armour.ventures, 1 +armourroofcolorado.com, 1 +armourroofinc.com, 1 +armsco.fr, 1 +armstrong.com.mx, 1 +armstrongremovals.com.au, 1 +armstrongsengineering.com, 1 +armtopnews.tk, 1 +army.ca, 1 +army.gov.lb, 1 +armyburza.cz, 1 +armycyberchallenge.xyz, 1 +armyholidays.com.au, 1 +armyofflyingmonkeys.com, 1 +armyrtf.com.au, 1 +armyuniversity.edu, 1 +armywear.ga, 1 +arn0.cc, 1 +arnados.tk, 1 +arnamur.be, 1 +arnaqueoufiable.com, 1 +arnaudb.net, 1 +arnaudlanna.com, 1 +arnaudligny.fr, 1 +arnaudmarketing.fr, 1 +arnaudminable.net, 1 +arne-gammelby.dk, 1 +arne.cool, 1 +arneheise.com, 1 +arnesegers.be, 1 +arnested.dk, 1 +arnevankauter.com, 0 +arnews.nl, 1 +arniescastles.co.uk, 1 +arno-klein.com, 1 +arno-klein.de, 1 +arno-klein.eu, 1 +arno-klein.fr, 1 +arno-klein.it, 1 +arno-klein.net, 1 +arno.digital, 0 +arno.pm, 1 +arnoklein.eu, 1 +arnoklein.fr, 1 +arnoklein.it, 1 +arnold-schwarzenegger.tk, 1 +arnoldkontz-occasions.lu, 0 +arnonerba.com, 1 +arnor.org, 0 +arnottindustries.ga, 1 +arnoudraeven.nl, 1 +arnove.fr, 1 +arnove.net, 1 +arnoweterings.nl, 1 +arnstein.it, 1 +arny.ru, 1 +aroablog.tk, 1 +arobaz-informatique.org, 1 +arockets.ru, 1 +arod.tk, 1 +arofabric.com, 1 +arogov.com, 1 +arokha.com, 1 +aroma-therapy.tk, 1 +aroma-wave.com, 1 +aroma24.ml, 1 +aromachat.eu, 1 +aromacoffee.bg, 1 +aromacos.ch, 1 +aromacraft.uk, 1 +aromaduft.at, 1 +aromaecocandles.ca, 1 +aromahookah.gr, 0 +aromaimportado.com.br, 1 +aromaonlinestore-korat.com, 1 +aromateque.com.ua, 1 +aromatherapy.cf, 1 +aromatlas.com, 1 +aromatraining.com, 1 +aromex.ml, 1 +aroncull.de, 1 +aronsonrosenthal.com, 1 +aroofing.net, 1 +aroonchande.com, 0 +arooshi.website, 1 +aros.pl, 1 +arose.io, 1 +arounddeal.com, 1 +arouparia.com, 1 +arouzing.xyz, 1 +arowsoft.tk, 1 +arox.eu, 1 +aroya.io, 1 +arp-arena.ml, 1 +arp-mb.de, 1 +arpa-h.gov, 1 +arpagian.com, 1 +arpah.gov, 1 +arpamip.org, 1 +arpasix.com, 1 +arpasix.email, 1 +arpasix.eu, 1 +arpasix.net, 1 +arpasix.org, 1 +arphotography.tk, 1 +arpnet.co.jp, 1 +arpnet.net, 1 +arpnet.us, 1 +arpsel.de, 1 +arpsel.ws, 1 +arpteamdiabolo.tk, 1 +arpuff.eu, 1 +arqpericial.es, 1 +arqueo-ecuatoriana.ec, 1 +arquipielago.tk, 1 +arquitectura-ilimitada.tk, 1 +arquitet.com.br, 1 +arr.icu, 1 +arrakis.se, 1 +arrangeme.com, 1 +arraudi.be, 1 +arraudi.eu, 1 +array.io, 1 +arrazane.com.br, 1 +arrazola.org, 1 +arrestageinternational.com, 1 +arrival.com, 1 +arrive.by, 0 +arrivedconsulting.com, 1 +arrmaforum.com, 1 +arroba.digital, 1 +arrotatore.roma.it, 1 +arrow-api.nl, 1 +arrowad.com, 1 +arrowduty.ml, 1 +arrowfastener.com, 1 +arrowgrove.com, 0 +arrowsmithil.gov, 1 +arrowwebprojects.nl, 1 +arrt.xyz, 1 +ars-online.pl, 1 +arsake.cf, 1 +arsalba.com, 1 +arsalbania.tk, 1 +arschkrebs.org, 1 +arselvarol.com.tr, 1 +arsenal-of-wisdom.org, 1 +arsenal-trans.tk, 1 +arsenalestate.tk, 1 +arsenalperu.tk, 1 +arsenideas.ga, 1 +arsenyan.cf, 1 +arset.net, 1 +arshdeepsingh.tk, 1 +arshia.cf, 1 +arshidazarine.tk, 1 +arshina.su, 1 +arshispana.com, 1 +arsigroup.com, 1 +arsindecor.com, 1 +arsk1.com, 1 +arslankaynakmetal.com, 1 +arslonga.ovh, 1 +arsmagazine.tk, 1 +arsmedika.ru, 1 +arsmundi.de, 1 +arsmuseum.com, 1 +arsrenacer.com, 1 +arstudentloanhelp.com, 1 +art-athens.com, 1 +art-auction.jp, 1 +art-boeden.ch, 1 +art-creative.tk, 1 +art-design.tk, 1 +art-dolls.com.ua, 1 +art-et-psyche.com, 1 +art-et-tonneaux.fr, 1 +art-illustration.tk, 1 +art-khotyn.tk, 1 +art-kuchni.tk, 1 +art-news.tk, 1 +art-okno.com, 1 +art-online.tk, 1 +art-pix.de, 1 +art-pix.net, 1 +art-polynesien.com, 1 +art-rca.cf, 1 +art-school.tk, 1 +art-shinbi.com, 1 +art-voronov.tk, 1 +art.art, 1 +art21tv-armenian.tk, 1 +art30.ro, 1 +art93.com, 1 +artabrian.com, 1 +artadagroup.com, 1 +artakids.tk, 1 +artane.gq, 1 +artaurium.com, 1 +artbalsam.com, 1 +artbees.co.uk, 1 +artboja.com, 1 +artbygarr.com, 1 +artc.at, 1 +artcartels.com, 1 +artcenter.tk, 1 +artclasscontent.com, 1 +artcoefficient.com, 1 +artcommunity.tk, 1 +artcravers.in, 1 +artdeco-photo.com, 0 +artdecoration.tk, 1 +artdigital.tk, 1 +artdigitalmedia.co.uk, 1 +arte-actual.tk, 1 +artea.ga, 1 +arteaga.co.uk, 1 +arteaga.eu, 1 +arteaga.me, 1 +arteaga.tech, 1 +arteaga.uk, 1 +artebel.com.br, 1 +artecat.ch, 1 +artechip.net, 1 +artededition.tk, 1 +artedellavetrina.it, 1 +artedmachado.tk, 1 +artedona.com, 1 +artefeitaessencias.com.br, 1 +arteinstudio.it, 1 +artel.od.ua, 1 +artelignum.tk, 1 +artelista.com, 1 +artem.se, 1 +artembusiness.tk, 1 +artemida-dot.tk, 1 +artemis-fowl.tk, 1 +artemisgroup.ga, 1 +artemislena.eu, 1 +artemiy-plus.com.ua, 1 +artemiz.tk, 1 +artemoon.ml, 1 +artemweb.tk, 1 +artepinas.tk, 1 +arteproducciones.tk, 1 +arteq.ga, 1 +artera.spb.ru, 1 +arteriamagazine.tk, 1 +arterienundvenen.ch, 1 +arterydb.ru, 1 +artesacraloreto.it, 1 +artesaniafenix.cl, 1 +artesaniascym.com.ar, 1 +artesaniastonalaytlaquepaque.com, 1 +arteseideias.com.pt, 1 +arteshesorkh.tk, 1 +artesial.com, 1 +artesoft.gr, 1 +artestetica.tk, 1 +artetbalade.tk, 1 +artetculture.tk, 1 +arteventinews.it, 1 +artevos.com, 1 +artevos.de, 1 +artex.com.br, 1 +artexhibition.jp, 1 +artextasia.com, 1 +arteya.net, 1 +artfabrics.com, 1 +artfullyelegant.com, 1 +artgaragecrewe.com, 1 +artgorod.tk, 1 +artgranit.tk, 1 +arthritisgrouppa.com, 1 +arthritisrheumaticdiseases.com, 1 +arthrosis.ml, 1 +arthur.cn, 1 +arthurdejong.org, 1 +arthurdev.cf, 1 +arthurhoefer.com, 1 +arthurlaw.ca, 1 +arthurlewis.me, 1 +arthuro.ca, 1 +arthuryidi.com, 1 +arti-group.ml, 1 +arti-islam.tk, 1 +artibirteknikbilisim.com, 1 +articaexports.com, 1 +articlebyte.ga, 1 +articlefr.cf, 1 +articlepub.ga, 1 +articlesplanet.tk, 1 +articlestack.tk, 1 +articlesutiles.cf, 1 +articu.no, 1 +articulo19.org, 1 +artifact.center, 1 +artifact.spb.ru, 1 +artifacthub.io, 1 +artifactsblog.com, 1 +artifex.com, 1 +artifex21.fr, 1 +artifexnet.com, 1 +artifice.tk, 1 +artificethefilm.com, 1 +artificial.army, 1 +artificiala.gq, 1 +artificialaxis.com, 1 +artificialdiffusion.com, 1 +artificialplants.tk, 1 +artificialpoetry.com, 1 +artifort.com, 1 +artifuse.ch, 1 +artigianociao.jp, 1 +artigoagency.com, 1 +artikel5ev.de, 1 +artikel9.com, 1 +artilect.studio, 1 +artinfo.ge, 0 +artinfo.tk, 1 +artintend.com, 0 +artioml.net, 1 +artionet.ch, 1 +artis-game.net, 1 +artisan-cheminees-poeles-design.fr, 0 +artisan-emmanuel.fr, 1 +artisan-ravalement-facade.fr, 1 +artisan.tk, 1 +artisanat2france.fr, 1 +artisanhd.com, 1 +artisanportrait.com, 1 +artisansbottega.com.au, 1 +artisansofstone.com, 1 +artisansoftaste.com, 1 +artisavotins.com, 1 +artishevski.com, 1 +artismist.com, 1 +artiso.pl, 1 +artistagenda.com, 1 +artistcorporation.com, 1 +artistedeparis.fr, 1 +artistieq.com, 1 +artistiquementvotre.tk, 1 +artistiqueweddingphotography.com.au, 1 +artistmovieers.ga, 1 +artistrunwebsite.com, 1 +artiwear.com.tw, 1 +artizlibranza.com, 1 +artj.jp, 1 +artk-co.ir, 1 +artlab.tk, 1 +artlantis.nl, 1 +artleading.ru, 1 +artlifeisgood.com, 1 +artlinestix.com.au, 1 +artlogo.biz, 1 +artlogo.cz, 1 +artlogo.sk, 1 +artmaker.kiev.ua, 1 +artmark.ro, 1 +artmarketingnews.com, 1 +artmaterials.com.ua, 1 +artmaxi.eu, 1 +artmo.com, 1 +artnazar.org.ua, 1 +arto.group, 1 +artofcode.co.uk, 1 +artofeyes.nl, 1 +artofhappyliving.com, 1 +artoflinesmd.ca, 1 +artofmonitoring.com, 0 +artofstonegardening.com, 1 +artofwhere.com, 1 +artofzoo.com, 1 +artomalu.tk, 1 +artomili.com, 1 +artouch.com, 1 +artozoul.fr, 1 +artplaneta-leto.by, 1 +artprojectsforkids.org, 1 +artpsd.com, 1 +artransparency.gov, 1 +artrapid.com, 1 +artratio.co.uk, 1 +artrick.ch, 1 +artrofisio.com.br, 1 +artroom-design.com, 1 +artroot.jp, 1 +artroscopiaperlosport.it, 1 +artru.tk, 1 +arts-polynesiens.com, 1 +arts.gov, 1 +artsalon.tk, 1 +artsautomotive.com, 1 +artschmidtoptical.com, 1 +artsguide.ca, 0 +artslife.com, 1 +artsmagazine.com, 1 +artsmeet.com, 1 +artspac.es, 0 +artspark.tk, 1 +artstudioweb.tk, 1 +artsy.cloud, 1 +artsygrl.ca, 1 +artteacheredu.org, 1 +arttel-media.ru, 1 +arttill.com, 1 +artucation.eu, 1 +artup.company, 1 +artup.gallery, 1 +arturgaweda.de, 1 +arturkraak.duckdns.org, 1 +arturoemilio.tk, 1 +arturojimenez.es, 1 +arturrossa.de, 1 +arturszalak.com, 1 +arturweb.tk, 1 +artushak.ru, 1 +artuu.me, 1 +artuu.pl, 1 +artvaastu.ru, 1 +artvertising.tk, 1 +artvinhaberleri.tk, 1 +artwar.tk, 1 +artweby.cz, 1 +artwhale.ph, 1 +artwhoredistro.tk, 1 +artworkpath.com, 1 +artworks.gd, 1 +artworksthatlookgood.com, 0 +arty.name, 1 +artycoz.fr, 1 +artyengine.com, 1 +artyhouse.be, 0 +aru.fi, 1 +aruanaseguradora.com.br, 1 +arubasunsetbeach.com, 1 +arul.io, 1 +arunchullikkal.tk, 1 +arunjoshua.com, 1 +arunmor.net, 1 +arunsunner.tk, 1 +aruntech.cloud, 1 +arunyaresidenceklnorth.com, 1 +aruo.net, 1 +aruson.tk, 1 +arvadaco.gov, 1 +arvadafireco.gov, 1 +arveex.eu, 1 +arviamedspa.com, 1 +arviksa.co.uk, 1 +arvindhariharan.com, 1 +arvindhariharan.me, 1 +arvinovoyage.com, 1 +arvutiladu.ee, 1 +arvyncerezo.com, 1 +arw-bw.de, 1 +arw.me, 1 +arwensiberian.tk, 1 +arweth.com, 1 +arx-libertatis.org, 1 +arx.vg, 1 +arxarios.tk, 1 +aryalaroca.de, 1 +aryan-nation.com, 1 +aryani-fitriana.tk, 1 +aryasenna.net, 1 +aryescommercial.com, 1 +aryesgroup.net, 1 +arysports.ml, 1 +arytmicznie.pl, 1 +arz-florian.tk, 1 +arz-online.ml, 1 +arzid.com, 1 +arzinfo.pw, 1 +arzmercury.tk, 1 +arztpraxis-kubalok.de, 1 +arzua.gal, 1 +as-evalar.ru, 1 +as.roma.it, 1 +as0.it, 1 +as136964.com, 1 +as136964.net, 1 +as198768.eu.org, 1 +as200351.net, 1 +as202413.net, 1 +as203145.com, 1 +as204982.net, 1 +as205794.net, 1 +as207618.net, 1 +as207960.net, 1 +as211960.net, 1 +as212993.net, 1 +as216318.net, 1 +as400566.com, 1 +as400566.net, 1 +as41073.net, 1 +as41405.net, 1 +as6369.com, 1 +as6369.net, 1 +as8423.net, 1 +asabacortoscaseros.tk, 1 +asadatec.de, 1 +asaduddinowaisi.tk, 1 +asafaweb.com, 1 +asafilm.co, 1 +asafomba.com, 0 +asahi-tax.or.jp, 1 +asak.xyz, 1 +asakoh.co.jp, 1 +asal.tk, 1 +asana.biz, 1 +asana.com, 1 +asana.plus, 1 +asananutrition.co.uk, 1 +asancharge.tk, 1 +asandu.eu, 1 +asankomara.tk, 1 +asansol.tk, 1 +asantosdev.com, 1 +asanuma-clinic.jp, 1 +asap-advice.com.au, 1 +asap.gov, 1 +asapboardshop.com, 1 +asaphomeinspect.com, 1 +asapstory.com, 1 +asara.tk, 1 +asart.bg, 1 +asas-tn.org, 1 +asasesoria.cl, 1 +asatahvieh.com, 1 +asato-jewelry.com, 1 +asatys-partners.com, 1 +asb.edu.my, 1 +asba2023.jp, 1 +asbaces.com, 1 +asbestos-awareness.cf, 1 +asbestos-awareness.ga, 1 +asbestos-awareness.gq, 1 +asbestos-awareness.ml, 1 +asbestosthedarkarts.com, 1 +asbf-rambouillet.fr, 1 +asbito.de, 1 +asburyparkreporter.com, 1 +asbweb.org, 1 +asc.es, 1 +ascamo.tk, 1 +ascannes-non-officiel.tk, 1 +ascar.us, 1 +ascard.net, 1 +ascauctions.com, 1 +ascc.sg, 1 +ascend.com.sa, 1 +ascenderhcm.com, 1 +ascendix.com, 1 +ascension.run, 1 +ascensiongt.com, 1 +ascensionnyc.org, 1 +ascensionparishla.gov, 1 +ascensori.biz, 1 +ascentlogistics.com, 1 +ascgathering.com, 1 +aschaefer.net, 0 +aschc.co.uk, 1 +aschismatic.com, 1 +aschool.kiev.ua, 1 +asciitable.tips, 1 +ascirno.com, 1 +ascl.org.uk, 1 +asco.com.mx, 0 +ascolibasi.tk, 1 +ascolympia.nl, 0 +ascom.vi.it, 1 +ascon-profi.ru, 1 +ascormovies.com, 1 +ascpaphilatelie.eu, 1 +ascultaonlineradio.ml, 1 +asd.gov.au, 0 +asdchieti.tk, 1 +asdetrifolium.com, 1 +asdf.one, 1 +asdfqwerty.duckdns.org, 1 +asdwfwqd.com, 1 +asdyx.de, 1 +asec01.net, 1 +asecla.com, 1 +asecus.ch, 1 +asegem.es, 1 +aseglobal.com, 1 +aseint.com.co, 1 +aseith.com, 1 +aseityresearch.com, 1 +aselectionoffice.gov, 1 +aselo.org, 1 +asenaru.id, 1 +asennemedia.fi, 1 +asennestudio.fi, 1 +asenno.com, 1 +aseoblog.com, 1 +aserbx.ga, 1 +asersagua.es, 1 +aserver.eu, 1 +asesecours.com, 1 +asesinosdeltarot.tk, 1 +asesor.live, 1 +asesorialigorred.es, 1 +asessiglo21.es, 1 +asexualitat.cat, 1 +asfaleianet.gr, 1 +asfalteros.cz, 1 +asfalti.it, 1 +asfberbagi.org, 1 +asfono.gov, 1 +asg-egy.com, 1 +asgard-engineering.com, 1 +asgeirolafs.com, 1 +asgrep.com, 1 +ashastalent.com, 0 +ashburnconsulting.com, 1 +ashburnr.com, 1 +ashbusters.net, 1 +ashbyhq.com, 1 +ashbymail.com, 1 +ashbyprd.com, 1 +ashbystg.com, 1 +ashcombe.surrey.sch.uk, 1 +ashd1.goip.de, 1 +ashd2.goip.de, 1 +ashd3.goip.de, 1 +ashdodisrael.com, 1 +ashenc.gov, 1 +ashenm.ml, 1 +asher.tools, 1 +asherosborne.com, 1 +asheroto.com, 1 +ashesheriff.gov, 1 +ashesi.edu.gh, 1 +ashevillemenshealth.com, 1 +ashfak.tk, 1 +ashfordcastle.com, 1 +ashgroveclinic.com.au, 1 +ashiba-kagu.com, 1 +ashikajewellers.com.au, 1 +ashimwe.com, 1 +ashisharma.tk, 1 +ashishchamoli.com, 1 +ashlandcountywi.gov, 1 +ashlee-club.tk, 1 +ashley.net.in, 1 +ashleyadum.com, 1 +ashleyanderson.co.uk, 1 +ashleykaryl.com, 1 +ashleymadison.com, 1 +ashleynicholsboudoir.com, 1 +ashleythouret.com, 1 +ashlingonline.com, 1 +ashmportfolio.com, 1 +ashotofadrenaline.net, 1 +ashraful-islam.ml, 1 +ashtabulacountyprosecutoroh.gov, 1 +ashtar.tk, 1 +ashtech.tk, 1 +ashtonbromleyceramics.co.uk, 1 +ashtonc.ca, 1 +ashtoncityid.gov, 1 +ashtonid.gov, 1 +ashtonwealth.com, 1 +ashtronaut.space, 1 +ashucg.com, 1 +ashutoshmishra.org, 1 +ashutov.rocks, 0 +ashwainfo.in, 1 +ashwaubenon.gov, 1 +asia-fhjt.com, 1 +asia-fuhui.com, 1 +asiacan.com, 1 +asiaceo.com, 1 +asiadirect.co.th, 1 +asiafaninfo.net, 1 +asiafood-curator.com, 1 +asiagate.ga, 1 +asiagps.com, 1 +asiahabit.com, 1 +asiakartu.tk, 1 +asialeonding.at, 1 +asialivenewscafe.gq, 1 +asian-goku.tk, 1 +asian-industry.eu, 1 +asian-sexfree.com, 1 +asian-sirens.net, 1 +asian.school, 1 +asianbeautywholesale.com, 1 +asianbusinesscards.com, 1 +asiancolor.com, 1 +asiandickfor.me, 1 +asiandubfoundation.tk, 1 +asianet.tk, 1 +asianetbroadband.in, 1 +asianfuckables.com, 1 +asiangroceronline.com.au, 1 +asianinside.tk, 1 +asianmoney.biz, 1 +asianpavilion.com, 1 +asianray.com, 1 +asianshop.com.pe, 1 +asiansnus.com, 1 +asiansongs.tk, 1 +asianspa.co.uk, 1 +asiantube.tv, 1 +asianwebcams.webcam, 1 +asiaproductsdirect.tk, 1 +asiashop.com.br, 1 +asiasmi.tk, 1 +asiaticas.cf, 1 +asiaview.ml, 1 +asiaview.tk, 1 +asiaviews.com, 1 +asiayuan.com, 1 +asiba.com.au, 1 +asier.tk, 1 +asifinclusives.tk, 1 +asiiro.com, 1 +asikoo.com, 1 +asikoo.xyz, 1 +asikpasagazetesi.tk, 1 +asile-colis.fr, 1 +asilo.roma.it, 1 +asilomar.com, 1 +asinat.by, 1 +asinetasima.com, 1 +asisee.co.il, 1 +asistencialegal.tk, 1 +asistentecx.com, 1 +asitanc.com, 1 +asitanc.cz, 1 +asitt.nl, 1 +asiyasia.tk, 1 +ask-thenutritionist.com, 1 +ask.fi, 1 +ask.stg.fedoraproject.org, 1 +ask1.org, 1 +askapkmod.com, 1 +askaret.cz, 1 +askart.com, 1 +askartza.com, 1 +askatechnicalquestion.com, 1 +askatechnicalquestion.eu, 1 +askatrans.tk, 1 +askbill.org.uk, 1 +askcaisse.com, 1 +askcascade.com, 0 +askdeliver.tk, 1 +asker-massasje.no, 1 +askerweb.cf, 1 +askeverythingonline.com, 1 +askeygeek.com, 1 +askgamblers.com, 1 +askhow.co.il, 1 +askimsin.com, 1 +askindia.tk, 1 +askjan.org, 1 +askkaren.gov, 1 +asklyrics.com, 1 +askmagicconch.com, 0 +askme-events.vip, 0 +askme-fast.tk, 1 +askme24.de, 1 +askmetutoring.com, 1 +askmetutoring.org, 1 +asko-nabytek.cz, 1 +asko-nabytok.sk, 1 +askollelectric.bg, 1 +askpam.ai, 1 +asktanzania.com, 1 +askvg.com, 1 +askwhy.cz, 1 +askwhy.eu, 1 +asla.info, 1 +aslanadam.com, 1 +aslansigorta.net, 1 +aslinfinity.com, 1 +asm.io, 1 +asm802.com, 1 +asm802.es, 1 +asmbsurvey.com, 1 +asmdz.com, 1 +asmeets.nl, 1 +asmess.com, 1 +asmgroup.rs, 1 +asmm.cc, 0 +asmobox.ga, 1 +asmood.net, 1 +asmpt.com, 1 +asmr-100.com, 1 +asmr-200.com, 1 +asmr-300.com, 1 +asmr.one, 1 +asmrbuluo.com, 0 +asmui.ml, 1 +asmuncandle.com, 1 +asna.host, 1 +aso.com, 1 +asoagroca.com, 1 +asoccu.ga, 1 +asocedune.com, 1 +asociacionatlas.tk, 1 +asociaciones.tk, 1 +asociacionlarueda.tk, 1 +asokan.org, 1 +asonaderi2002.tk, 1 +asoul.tw, 1 +asoziales-netzwerk.net, 1 +asp-progress.tk, 1 +asp.net, 1 +aspec-md.de, 1 +aspectcontext.com, 1 +aspen.gov, 1 +aspencat.tk, 1 +aspenhillsdesign.com, 1 +aspenvocational.com, 1 +asperatechnology.com, 1 +asperatechnology.cz, 1 +asperatechnology.de, 1 +aspernallee.at, 1 +asperti.com, 1 +aspet.org, 1 +aspews.org, 1 +asphaltfruehling.de, 1 +asphaltsolutionsnc.com, 1 +asphyxia.su, 1 +aspi.cz, 1 +aspiechattr.me, 1 +aspietechygamer.tk, 1 +aspiracloud.com, 1 +aspirantum.com, 1 +aspirateur-anti-pollution.fr, 1 +aspirateur-univers.com, 1 +aspiration.marketing, 1 +aspire-dev2.com, 1 +aspirecig.bg, 1 +aspirevc-prod.com, 1 +aspirevc.com, 1 +aspisdata.com, 1 +aspjvm.com, 1 +asportnoy.com, 1 +aspr.gov, 1 +asprion.org, 1 +asprivacy.com, 1 +asprobet.com, 1 +asproni.it, 1 +asps.biz, 1 +aspviress.gq, 1 +asr.cloud, 1 +asr.li, 1 +asr.rocks, 1 +asr.solar, 1 +asr9k.de, 1 +asra.gr, 1 +asral7.com, 1 +asremanoto.tk, 1 +asri.org, 1 +asriyatno.tk, 1 +asrob.eu, 0 +asrtechnology.tk, 1 +assaabloy-partnerportal.com, 1 +assaabloygaragedoors.ca, 1 +assafashowroom.com, 1 +assai.com.br, 1 +assamtenders.gov.in, 1 +assanti.com, 1 +assassinasian.tk, 1 +assdecoeur.org, 1 +assecuro.com.ua, 1 +assedo.tk, 1 +asseenontvonline.ru, 1 +assegaimedia.com, 1 +asselin.fr, 1 +assemblage.gq, 1 +assemblee-copropriete.fr, 1 +assemblyai.com, 0 +assemblywithoutthewalls.org, 1 +assendelft.com, 1 +assens.dk, 1 +assentfitness.com, 1 +assentis.ch, 1 +assentis.com, 1 +assentis.de, 1 +assentis.net, 1 +assentooriginal.com.br, 1 +assertion.de, 1 +assertstack.com, 1 +assessmentpractitioner.co.za, 1 +assessments.careers, 1 +assessoriati.com.br, 1 +assessorindie.tk, 1 +asset-metrix.com, 1 +assetbacked.capital, 0 +asseti.co, 1 +assetinvesting.com, 1 +assets.schwarz, 1 +assetsec.io, 1 +assetsman-assetsvalue.com, 1 +assettocorsa.tk, 1 +assguidesporrentruy.ch, 0 +assicurare.it, 1 +assid.com, 1 +assignacii.ml, 1 +assignmenthelper.org, 1 +assignmenthelponline.co.uk, 1 +assignmenthelpservices.com, 1 +assignments4u.com, 1 +assikerujked.tk, 1 +assinare.com, 1 +assinare.eu, 1 +assinare.pt, 1 +assiplan.it, 1 +assis.partners, 1 +assist-team.co.il, 1 +assistance-personnes-agees.ch, 1 +assistanceinparadise.com, 1 +assistantdemocraticleader.gov, 1 +assistel.com, 1 +assistentesanitario.it, 1 +assistenzaferrodastiro.org, 1 +assistenzafrigorifero.org, 1 +assistenzamicroonde.org, 1 +assistere-a-casa.it, 1 +assistere-a-domicilio.it, 1 +assistere-in-famiglia.it, 1 +assistivebathing.co.uk, 1 +assistouest.fr, 1 +assistouest.net, 1 +assistouest.shop, 1 +assmb.ly, 1 +assmgp.com, 1 +asso.com.ua, 1 +associatedgamer.com, 1 +associationguillaume.com, 1 +associationhorizon.tk, 1 +associazionerimborsi.it, 1 +associazioneterra.it, 1 +assoft.co, 1 +assomydesk.fr, 1 +assoservicesweb.org, 1 +asspoop.com, 1 +assr-online.com, 1 +assta.ga, 1 +assumptionla.gov, 1 +assumptionoep-la.gov, 1 +assurance-emprunteur.bzh, 1 +assurances-brg.com, 1 +assured.se, 0 +assuredspc.com, 1 +assyriatwpmi.gov, 1 +ast-nabytek.cz, 1 +asta-bar.de, 0 +astacreative.nl, 0 +astal.rs, 1 +astana.cf, 1 +astanainform.tk, 1 +astanakz.tk, 1 +astaninki.com, 1 +astano.com, 1 +astano.tk, 1 +astaoffshore.com.au, 1 +astaraday.com, 1 +astarforu.com, 1 +astarfrommosul.cf, 1 +astarfrommosul.ga, 1 +astarfrommosul.ml, 1 +astarmathsandphysics.com, 1 +astateoftrance.tk, 1 +asteelflash.com, 1 +astekbet.com, 1 +astellaria.ee, 1 +astengox.com, 1 +astenotarili.online, 0 +astenretail.com, 1 +astera-led.com, 1 +astera.com, 1 +asterhu.com, 1 +asterix-obelix.ga, 1 +asterobot.net, 1 +asteronline.com, 1 +astettner.de, 1 +asthamishra.com, 1 +asthma-explained.com, 1 +asthowen.com, 1 +asthowen.fr, 1 +asthrdp.com, 1 +astiamministrazioni.it, 1 +asticon.de, 1 +asticonnectedservices.com, 1 +astifan.online, 1 +astigmatic.gq, 1 +astilleroslagos.es, 1 +astleyplumbing.com, 1 +astmatiki.ru, 1 +astolfo.cool, 1 +astonbysqli.com, 1 +astonishing.tk, 1 +astore.co.uk, 1 +astorfoodservice.com, 1 +astorhospitality.com, 1 +astormueble.tk, 1 +astorship.com, 1 +astour.ee, 1 +astqx.com, 1 +astra.software, 1 +astraalivankila.net, 0 +astrakhan-gorod.ga, 1 +astrakhan.cf, 1 +astrakhan.ga, 1 +astrakhan.gq, 1 +astrakhan.ml, 1 +astrakhan.tk, 1 +astral-imperium.com, 1 +astral-prime.com, 1 +astral.com.ar, 1 +astral.gq, 1 +astral.org.pl, 1 +astralrank.com, 1 +astralriders.tk, 1 +astralus.com, 1 +astralus.de, 1 +astramundo.com, 1 +astrategicedgecoaching.com, 1 +astrath.net, 1 +astrati.com.br, 1 +astrawebhost.com, 1 +astrea-voetbal-groningen.nl, 1 +astrid-stolz.de, 1 +astro-com.co.uk, 1 +astro-libre.fr, 1 +astro22.com, 1 +astro4u.tk, 1 +astroalloys.com.au, 0 +astroanaliz.com, 1 +astrociencia.tk, 1 +astrogate.tk, 1 +astrogift.cf, 1 +astrogift.ga, 1 +astrogift.gq, 1 +astrogift.ml, 1 +astrogift.tk, 1 +astrograph.io, 1 +astrojunkies.com, 1 +astrolab.tk, 1 +astroloeches.tk, 1 +astrologeminesolakoglu.com, 1 +astrologerumesh.com, 1 +astrologic.cf, 1 +astrologics.in, 1 +astrologie12.tk, 1 +astrologify.com, 1 +astrology-for-beginners.com, 1 +astrology42.com, 1 +astrolojiyorumcusu.com, 1 +astroluna.cz, 1 +astroluxe.io, 1 +astrong.pl, 1 +astronomiadecolombia.tk, 1 +astronomija.cf, 1 +astronomija.tk, 1 +astronomygcse.cf, 1 +astropackgulf.com, 1 +astropar.tk, 1 +astroscopy.ch, 0 +astrosnail.pt.eu.org, 1 +astrosoc.ml, 1 +astrosociety.org, 1 +astrosofa.com, 1 +astrostart.tk, 1 +astroteam.tk, 1 +astrovandalistas.cc, 1 +astroze.it, 1 +astrumadvies.nl, 1 +astsummer.tk, 1 +astucas.com, 1 +astucedirecte.tk, 1 +astucewebmaster.com, 1 +astuna.de, 1 +astur.school, 1 +asturhackers.es, 1 +astutetm.com, 1 +astutikhonda.com, 1 +astutr.co, 1 +astyork.com, 1 +astypic.fr, 1 +asual.com, 1 +asuamaytinh.com, 1 +asuclassfinder.com, 1 +asucrews.com, 1 +asufte.com, 1 +asugsvsummit.com, 1 +asuikit.com, 1 +asukalangley.tk, 1 +asun.co, 1 +asuntospropios.com, 1 +asura.in.th, 1 +asurbernardo.com, 1 +asurgiant.ca, 1 +asuro.de, 1 +asustor.com, 1 +asustreiber.de, 1 +asvsa.ch, 0 +aswakbladi.com, 1 +asweetsmile.com, 1 +aswish.com, 1 +asws.nl, 1 +asyadexpress.com, 1 +asyaturk.org, 1 +asyikbelanja.com, 1 +asylbarn.no, 1 +asylinfo.no, 1 +asylumguild.tk, 1 +asynchrono.cf, 1 +asyotec.es, 1 +asystent-dzierzawy.pl, 1 +asztrologus.eu, 1 +aszurkolassport.com, 1 +at-consulting.pl, 1 +at.search.yahoo.com, 0 +at.vg, 1 +at2-architecten.be, 1 +at5.nl, 1 +at7s.me, 1 +atabekkoleji.k12.tr, 1 +ataber.pw, 1 +atabor.tk, 1 +atacado.com.vc, 1 +atacadocervejeiro.com.br, 1 +atacadoclube.com.br, 1 +atacadodesandalias.com.br, 1 +atacul.ro, 1 +atadawul.com, 1 +atafu-village.tk, 1 +atahualpa.com, 1 +atakac.com, 1 +atakac.net, 1 +atalandportal.com, 1 +atalantapsicologia.es, 1 +atallo.es, 1 +atam-academy.com, 1 +atanas.ch, 1 +atanet.it, 1 +atapindonesia.com, 1 +atarinew.tk, 1 +atary.tk, 1 +ataton.ch, 0 +atayia.com, 1 +atc-fr.com, 1 +atc.cuneo.it, 1 +atc.io, 0 +atcg.cc, 0 +atchisonkspolice.gov, 1 +atchleyjazz.com, 1 +atchleyjazz.org, 1 +atchleylab.org, 1 +atclan.tk, 1 +atcreform.gov, 1 +atcstl.org, 1 +atcworldaviation.com, 1 +atds.ch, 0 +ateamsport.dk, 1 +atease-salon.jp, 1 +ateasesystems.net, 1 +atebaa.ga, 1 +atec.pt, 1 +ateli.com, 1 +atelier-aleph.fr, 0 +atelier-lebreton.fr, 1 +atelier-naruby.cz, 1 +atelier-rk.com, 1 +atelier-viennois-cannes.fr, 1 +atelier20.ch, 1 +atelieraphelion.com, 1 +atelierbw.com, 1 +atelierdelacreation.com, 1 +atelierdelarobotique.fr, 1 +atelierdeloulou.fr, 1 +atelierdesflammesnoires.fr, 1 +atelierfantazie.sk, 1 +atelierferro.be, 1 +atelierhsn.com, 1 +atelierjs.com, 1 +atelierkuni.jp, 1 +atelierlk.art, 1 +ateliernaruby.cz, 1 +ateliernox.com, 1 +atelierquersin.fr, 1 +atelierssud.swiss, 1 +atelierverbeelding.nl, 1 +atenasconservadora.com.br, 1 +atencionbimbo.com, 0 +ateneumontbui.tk, 1 +ateneupalafrugell.tk, 1 +atenolol25mg.ga, 1 +atenolol50mg.ga, 1 +atentadocumbiero.tk, 1 +aterlectric.com, 1 +ateus.net, 1 +atev.tk, 1 +atf.gov, 1 +atfonline.gov, 1 +atfstudios.tk, 1 +atgmaildotcom.ca, 1 +atgnet.com, 1 +atgoetschel.ch, 0 +atgresultat.com, 1 +atgseed.co.uk, 1 +atgseed.uk, 1 +atgweb.es, 0 +ath0.org, 0 +atheatac.com, 1 +atheism.org, 1 +atheist-refugees.com, 1 +atheistfoundation.org.au, 1 +atheistfrontier.com, 1 +athekiu.com, 1 +athelstanewiclerk.gov, 1 +athemis.de, 1 +athena-security.net, 1 +athenadynamics.com, 1 +athenainvestmentsystems.com, 1 +athenainvsys.com, 1 +athenainvsys.net, 1 +athenaspark.com, 1 +athenasystems.com, 1 +athenasystems.net, 1 +atheneum-partners.cn, 1 +athenrymusicschool.net, 1 +athensdrunktour.com, 1 +athensil.gov, 1 +athenstn.gov, 1 +athensvantours.gr, 1 +athensvillageny.gov, 1 +athensvintagetours.com, 1 +athensvt.gov, 1 +atherosense.ga, 1 +athicart.com, 1 +athleticstore.bg, 1 +athlin.de, 1 +athome-nextcloud.ddns.net, 1 +athomedeco.fr, 1 +athorcis.ovh, 1 +athoris.net, 1 +athritisexplained.com, 1 +atide.cf, 1 +atigerseye.com, 1 +atik.kr, 0 +atiku2007.tk, 1 +atila.io, 1 +atilo.sh, 1 +atimba.com, 1 +atimevis.com, 1 +atimo.dj, 1 +atinylittle.space, 1 +atiparts.com.tr, 1 +atis-ars.ru, 0 +atis.net, 1 +atishchenko.com, 1 +atisoft.biz.tr, 1 +atisoft.com.tr, 1 +atisoft.name.tr, 1 +atisoft.net, 1 +atisoft.net.tr, 1 +atisoft.web.tr, 1 +atisoftbarkodetiket.com.tr, 1 +atisoftseo.com, 1 +atisoftwebtasarim.com, 1 +atisoftwebyazilim.com, 1 +ativaplayfitness.com.br, 1 +ativapsicologia.com.br, 1 +atix.tk, 1 +atizanvip.com, 1 +atk-huolto.com, 1 +atk-nexus.tech, 1 +atk.me, 1 +atkinshealthcenter.com.au, 1 +atkstore.com, 1 +atl-paas.net, 0 +atlacademy.org, 1 +atlan.digital, 1 +atlan.nl, 1 +atlantacustomfab.com, 1 +atlantahealthcare.tk, 1 +atlantajewishconnector.com, 1 +atlantajewishlifefestival.com, 1 +atlantareroof.com, 1 +atlantatai.org, 1 +atlantclinical.com, 1 +atlantica.tk, 1 +atlanticbeachacademy.com, 1 +atlanticcitycasino.news, 1 +atlanticcitycasinonews.com, 1 +atlanticcityweekly.com, 1 +atlanticdatastream.ca, 1 +atlanticfcu.com, 1 +atlantichearingcare.com, 1 +atlantichomes.com.au, 1 +atlanticmarina.com, 1 +atlanticpediatricortho.com, 1 +atlanticradio.fr, 1 +atlanticwatches.ch, 1 +atlantida-amber.org, 1 +atlantik.ml, 1 +atlantik.tk, 1 +atlantikwall.ga, 1 +atlantischild.hu, 1 +atlantishop.si, 1 +atlantismd.com, 1 +atlantiswaterproofing.com, 0 +atlantium.tk, 1 +atlarytm1x.com, 1 +atlas-5.site, 1 +atlas-multimedia.de, 1 +atlas-sat.tk, 1 +atlas-staging.ml, 1 +atlas.computer, 1 +atlas.net.co, 1 +atlasams.com, 1 +atlasauthority.com, 1 +atlasbridge.com, 1 +atlasbrown.com, 1 +atlasbus.by, 1 +atlasbus.pl, 1 +atlasbus.ru, 1 +atlascloud.cn, 1 +atlascoffeeclub.com, 1 +atlascultural.com, 1 +atlasdev.io, 1 +atlasdog.org, 1 +atlasescorts.com, 1 +atlasgaming.ma, 0 +atlasleeuwen.tk, 1 +atlasminertool.com, 1 +atlaso.cz, 1 +atlasone.us, 1 +atlasrealestates.com, 1 +atlasreclame.nl, 1 +atlassen.com, 1 +atlassian.net, 1 +atlassignsandplaques.com, 1 +atlastax.ga, 1 +atlastaxi.eu, 1 +atlastravelvic.com.au, 1 +atlastube.com, 1 +atlasuno.com, 1 +atlaswu.com, 1 +atlcoaters.com, 1 +atlcranetrucks.com.au, 1 +atletico-guacuano.tk, 1 +atleticocearense.com.br, 1 +atletika.hu, 1 +atletismomacotera.tk, 1 +atlon-nn.ru, 0 +atm-erasmus.com, 1 +atm.net, 1 +atmalta.com, 1 +atmelook.com, 1 +atmetalwork.com, 1 +atmi-zo.gr, 1 +atmilanomoda.com, 1 +atmind.nl, 1 +atmmantenimiento.co, 1 +atmmasterplan.eu, 1 +atmocdn.com, 0 +atmondigital.com, 0 +atmos.tk, 1 +atmosferno.cf, 1 +atmospheremarketingwy.com, 1 +atmox.eu, 1 +atmoz.tk, 1 +atmseminar.org, 1 +atmydesk.tech, 1 +atnis.com, 1 +atnteam.tk, 1 +atobtransfer.com, 1 +atolm.net, 1 +atom-china.org, 1 +atom86.net, 1 +atombase.org, 1 +atomeus.nl, 1 +atomic-bounce.com, 1 +atomic-corals.de, 1 +atomic.radio, 1 +atomicanet.tk, 1 +atomicbounce.co.uk, 1 +atomicecho.com, 1 +atomicheart.tk, 1 +atomichomehealth.com, 1 +atomickitteninternational.tk, 1 +atomictag.com, 1 +atomik.biz, 1 +atomism.com, 1 +aton-ensemble.tk, 1 +atonibai.com, 1 +atope.art, 1 +atopy-sendai.com, 1 +atorcidabrasileira.com.br, 1 +atovelin.gq, 1 +atovelin.tk, 1 +atoz-gc.com, 1 +atozeventrentalsofpa.com, 1 +atp-autoteile.de, 1 +atplonline.co, 1 +atproducts.xyz, 1 +atpx.com, 1 +atraining.ru, 1 +atrands.com, 1 +atresclick.com, 0 +atrevillot.com, 1 +atrexservices.com, 1 +atriaresort.ro, 1 +atrias.net, 1 +atriballi.com.br, 1 +atrinik.org, 1 +atris-qa.media, 1 +atris.media, 1 +atriumschool.gr, 1 +atrogi.com, 1 +atrs2023kobe.com, 1 +ats.net, 1 +atspeeds.com, 1 +att-lda.pt, 1 +attac.us, 0 +attanasioluigi.tk, 1 +attatroll.de, 1 +attawauganfirect.gov, 1 +attcleaning.com, 1 +atte.fi, 1 +attechnical.co.uk, 1 +attekaleva.fi, 1 +attendanceondemand.com, 1 +attendantdesign.com, 1 +attendhealth.com, 1 +attendu.cz, 0 +attengo.ga, 1 +attention.horse, 1 +attentionpleats.com.tw, 1 +attesawp.com, 1 +atthehelmins.com, 1 +attic-design.com, 1 +atticlightstudio.net, 1 +atticusblog.com, 1 +attilavandervelde.nl, 1 +attiliospagnolo.it, 1 +attinderdhillon.com, 1 +attireaccessories.com, 1 +attiremr.tk, 1 +attitudefraiche.com, 1 +attitudes-bureaux.fr, 1 +attivazioneveloce.it, 1 +attlane.fr, 1 +attly.cn, 1 +attoch.org, 1 +attogtech.com, 1 +attorneybiographies.ga, 1 +attorneybiographiesest.ga, 1 +attorneyrebeccawhittington.com, 1 +attosoft.tk, 1 +attractant.com, 1 +attractieparken.tk, 1 +atttrainings.com, 1 +attuned.se, 1 +attwood.org, 1 +attyhub.com, 1 +atuallemoveis.ind.br, 1 +atuendomr.com, 1 +atugan.com, 1 +atunel.tk, 1 +atvirtual.at, 1 +atvlifesaver.net, 1 +atvsafety.gov, 1 +atwatermn.gov, 1 +atwel.de, 1 +atwey.fr, 1 +atwk.io, 1 +atwonline.org, 1 +atworktechnology.com.au, 1 +atxchirocoverage.com, 1 +atyourleisureculinary.com, 1 +atyourprice.net, 1 +atyourscreen.com, 1 +atyourscreen.events, 1 +atypicom.es, 1 +atypicom.it, 1 +atypicom.pt, 1 +atyuan.me, 1 +atyuan.one, 1 +atyum.com, 1 +atzenchefin.de, 1 +atzeneta.tk, 1 +atzzz.com, 1 +au-be.net, 1 +au-inter.net, 1 +au.by, 1 +au.search.yahoo.com, 0 +au.zj.cn, 1 +au2pb.net, 1 +au2pb.org, 1 +aubassadeurs-airfly.fr, 1 +aubassadeurs.fr, 1 +aubay.it, 1 +aubcon.com, 1 +aubepine-restaurant.com, 1 +aubergegilly.ch, 0 +aubio.org, 1 +auburn-housekeeper.com, 1 +auburnma.gov, 1 +auburnmi.gov, 1 +auburnpub.com, 1 +auc.ch, 1 +aucarresainteloi.com, 1 +aucc.org.nz, 1 +aucem.com, 1 +auchan.fr, 1 +aucielrose.com, 1 +auckland-lawyer.co.nz, 1 +auckland-painter.co.nz, 1 +aucklandadventurejet.co.nz, 0 +aucklandcastles.co.uk, 1 +aucoindubloc.com, 1 +aucoindufruit.fr, 1 +auction.com, 1 +auctionbv.tk, 1 +audacityland.com, 1 +audatopaz.com, 1 +audazsolucoes.com.br, 1 +aude-mdb-hypnose.fr, 1 +audencia.com, 0 +audian.com, 1 +audible, 1 +audiclubbahrain.com, 1 +audifs.com, 1 +audilio.it, 1 +audio-extractor.net, 1 +audio-joiner.com, 1 +audio.servemp3.com, 1 +audiobit.es, 1 +audioblackmagic.com, 1 +audiobone.com, 1 +audiobookstudio.com, 1 +audioboom.com, 1 +audioboomers.ga, 1 +audiocards.ru, 1 +audiocd.tk, 1 +audiocinemateca.com, 1 +audioconspiracy.tk, 1 +audiofrases.com, 1 +audiohub.com, 1 +audiohub.de, 1 +audiohub.fr, 1 +audiokinetic.com, 1 +audiolegendsny.com, 1 +audiolibri.org, 1 +audiologistdirectory.com, 1 +audiolot.com, 1 +audiomedica.com, 1 +audiomind.tk, 1 +audiomir.tk, 1 +audion.cc, 1 +audionamix.com, 1 +audionpack.de, 1 +audioonly.stream, 1 +audioplugin.deals, 1 +audiorental.net, 1 +audios.tk, 1 +audioscenic.co.uk, 1 +audioscenic.uk, 1 +audioschoolonline.com, 1 +audiosciencereview.com, 1 +audioslave.tk, 1 +audiotools.in, 1 +audiotrace.tk, 1 +audiovegas.com, 1 +audiovisualmurciano.tk, 1 +audisto.com, 1 +audit.one, 1 +audit.ovh, 1 +auditeorganum.cz, 1 +auditingfirm.tk, 1 +audition-radio.tk, 1 +auditiontapes.co.uk, 1 +auditmatrix.com, 1 +auditore-host.tk, 1 +auditorwashingtoncountyohio.gov, 1 +auditos.com, 1 +auditsquare.com, 1 +audleyconstruction.tk, 1 +audreyhossepian.fr, 0 +audreyjudson.com, 1 +audumakrasas.lv, 1 +auenhof-agrar.de, 1 +auerbach-verlag.de, 1 +auf-feindgebiet.de, 1 +aufeergroup.eu, 1 +aufeerjob.cz, 1 +aufildemesidees.fr, 1 +aufmerksamkeitsstudie.com, 1 +aufprise.de, 1 +aufschieben.com, 1 +aufwachzeit.at, 1 +aufwachzeit.com, 1 +aufwecken.dynu.net, 1 +augendre.info, 1 +augenklappe.com, 1 +augenlaser-chemnitz.de, 1 +augenlaser-dresden.de, 1 +augenlasercenter-dresden.de, 1 +augenlaserzentrum-dresden.com, 1 +augenlaserzentrum-dresden.de, 1 +augenlaserzentrum-dresden.eu, 1 +augeo.pt, 1 +augesen.tk, 1 +augix.net, 1 +augmedia.com, 1 +augmedix.com, 1 +augmentable.de, 0 +augmentin.ga, 1 +augmentin.gq, 1 +augmentines600.ga, 1 +augredutemps.ca, 1 +augur.us, 1 +auguri-shop.ro, 1 +august-hoegn.tk, 1 +august.me, 1 +augusta-apotheke.nrw, 1 +augustaky.gov, 1 +augustanews.tk, 1 +augustian-life.cz, 1 +augustiner-kantorei-erfurt.de, 1 +augustiner-kantorei.de, 1 +augustus.lt, 1 +auk.hopto.org, 1 +aukanaw.tk, 1 +aukaraoke.su, 1 +aukcioon-domenov.cf, 1 +aukcioon-domenov.gq, 1 +aukcioon-domenov.ml, 1 +aukhygiene.com, 1 +auksnest.ca, 1 +aulacaribemar.com, 1 +auladerepaso.com, 0 +aulaschrank.gq, 1 +aulasprofdanilo.com.br, 1 +aulialaundry.cf, 1 +aulica-conseil.com, 1 +aulio.fi, 1 +aultcolorado.gov, 1 +aum.edu.kw, 1 +aumigona.com, 1 +aumilieudumonde.gf, 1 +aunali1.com, 1 +auntiesnorkel.com, 1 +auntmia.com, 1 +aunto.xyz, 1 +aupadenis.com, 1 +aupair.com, 1 +aupapa.com, 1 +aupaysdesanes.com, 1 +auplidespages.fr, 1 +auqi.com, 1 +aur.rocks, 1 +aura.moe, 1 +aura7chakr.com, 1 +aurabasketball.com, 1 +aurabasketball.fr, 1 +aurabeautyhub.com, 1 +aurac.org.nz, 1 +aurahiemis.tk, 1 +auralia.cloud, 1 +auralia.net, 1 +auraliafirst.com, 1 +auraliamusic.com, 1 +auralinna.blog, 1 +aurantis.it, 1 +aurbrowser.tk, 1 +aurelharmoniebeaute.fr, 1 +aureliavelvet.org, 1 +aurelie-valognes.com, 1 +aurelieburn.fr, 1 +aurelien-duchene.fr, 1 +aurelienaltarriba.fr, 1 +aurelvoica.ro, 1 +aureshotels.com, 1 +aureusinvest.eu, 1 +auribus.io, 1 +auricblue.com, 1 +auricom.tk, 1 +auriga.com, 1 +aurigaapp.org, 1 +aurigadebtadvice.org.uk, 1 +aurigafuel.co.uk, 1 +aurigaservicesapp.co.uk, 1 +aurika.ag, 1 +auriko-games.de, 1 +auristelasaavedra.tk, 1 +aurnik.com, 1 +aurobindodash.tk, 1 +auronfencing.com.au, 1 +aurora-nexus.org, 1 +aurora.net.au, 0 +aurora403.com, 1 +aurora911.net, 1 +auroracloud.com.au, 1 +auroramarionvillepd-mo.gov, 1 +auroranianoxx.net, 1 +auroraofficefurniture.com.au, 1 +aurorarecordings.com, 1 +auroravtc.com, 1 +aurory.io, 1 +auroz.video, 1 +aurtho.com, 1 +aurumkoins.tk, 1 +ausat.net, 1 +ausbildung-rbg.de, 1 +ausbildungsmesse-digital.de, 1 +ausbrightfacilities.com.au, 1 +auscanalliancecorp.com, 1 +auscert.org.au, 1 +auscube.tk, 1 +auscultador.com, 1 +auscultador.net, 1 +auscultador.org, 1 +auscultadores.net, 1 +auscultadores.org, 1 +auseal.au, 1 +ausec.ch, 0 +auservicedeschiens.com, 1 +ausfin.com, 1 +ausfinex.com, 1 +ausgesprochen.com, 1 +ausielogistics.com.au, 1 +auskast.com, 1 +auskate.tk, 1 +auskunftsbegehren.at, 1 +ausmwoid.de, 1 +ausncp.gov.au, 1 +auspicacious.org, 1 +ausruestungen.com, 1 +aussagen.com, 1 +ausschreibungen-suedtirol.it, 1 +ausset.me, 1 +aussiebum.com, 1 +aussiefinances.com.au, 1 +aussiefunadvisor.com, 0 +aussiemilfs.com, 1 +aussieofficefitout.com.au, 1 +aussieofficefurniture.com, 1 +aussieservicedown.com, 1 +aussiesmostlifted.com.au, 1 +aussiesnus.com, 1 +aussiestoresonline.com, 0 +austcm.com.au, 1 +austenplumbing.com, 1 +austercita.tk, 1 +austin-dumpsters.com, 1 +austin-pearce.com, 1 +austin-security-cameras.com, 1 +austinbestdjs.com, 1 +austincardiac.com, 1 +austincosmetic.com, 1 +austinhartzheim.me, 1 +austinlaw.co.uk, 1 +austinonline.tk, 1 +austinoverheaddoorcompany.com, 1 +austinsutphin.com, 1 +austinuniversityhouse.com, 1 +australiabusinessblog.com, 1 +australiadaily.ga, 1 +australiaday.com.au, 1 +australiainvest.info, 1 +australiajetcharter.com, 1 +australian.tk, 1 +australianairbrushedtattoos.com, 1 +australianairbrushedtattoos.com.au, 1 +australianattractions.com.au, 1 +australiancattle.dog, 1 +australiancurriculum.edu.au, 1 +australianhimalayanfoundation.org.au, 1 +australianhomemade.com, 1 +australianimmigrationadvisors.com.au, 1 +australianjewishnews.com, 1 +australianonlineappliances.ga, 1 +australianpropertyanalytics.ga, 1 +australiantales.com, 0 +australiantemporarytattoos.com, 1 +australiantemporarytattoos.com.au, 1 +australien-tipps.info, 1 +austriablog.de, 0 +austriaguide.tk, 1 +austriahikingtours.tk, 1 +austriantekken.tk, 1 +austriatravel.tk, 1 +austromorph.space, 1 +auszeit-lanzarote.com, 1 +auszeit-walsrode.de, 1 +auszeit.bio, 1 +autantic.fr, 1 +auteldesbrumes.com, 1 +autenti.com, 1 +autenticismo.tk, 1 +autenticoperfumes.com.br, 1 +autereband.tk, 1 +auth.adult, 1 +auth.mail.ru, 1 +authanet.ga, 1 +authcom.ca, 1 +authcom.com, 1 +authenteak.com, 1 +authenticate.be, 1 +authenticate.computer, 1 +authentication.directory, 1 +authentick.online, 1 +authentick.systems, 1 +authic.io, 1 +authinfo-bestellen.de, 1 +authinity.com, 0 +authland.com, 1 +author-it.com, 1 +author.cn, 1 +author24.info, 1 +authorise.computer, 1 +authorise.network, 1 +authoritysolutions.com, 1 +authorize.computer, 1 +authorize.network, 1 +authorwise.com, 1 +authress.io, 1 +authsrv.nl.eu.org, 1 +autism-explained.com, 1 +autisme-france.fr, 1 +autismewoerden.nl, 1 +autismspectrum.shop, 1 +autista.roma.it, 1 +autisten.club, 1 +autistici.org, 1 +auto-albrecht.de, 1 +auto-anleitung.de, 1 +auto-arsenal.tk, 1 +auto-borse.tk, 1 +auto-dealership-news.com, 1 +auto-delchev.com, 1 +auto-ecole-remparts.fr, 1 +auto-help.tk, 1 +auto-i-dat.ch, 1 +auto-market.tk, 1 +auto-none.com, 1 +auto-parts-store.tk, 1 +auto-plus.tn, 1 +auto-profy.com.ua, 1 +auto-quote.ga, 1 +auto-rahbari.de, 1 +auto-reklame.tk, 1 +auto-res.ru, 1 +auto-skills.ru, 1 +auto-specifikacio.hu, 1 +auto1.fi, 1 +auto10dacte.com, 1 +auto2019.net, 1 +auto365haiphong.com, 1 +autoallys.com, 1 +autoambulanza.it, 1 +autoamor.com.br, 1 +autoangels.ga, 1 +autoankaufen.com, 1 +autoapk.com, 1 +autoarena.fr, 1 +autoauctionsarizona.com, 1 +autoauctionsohio.com, 1 +autoauctionsvirginia.com, 1 +autoaudio.pt, 0 +autobarn.co.nz, 1 +autobazarcentrum.cz, 1 +autobedrijfgarant.nl, 1 +autobella-hurtownia.pl, 1 +autobelle.it, 1 +autobelt.com, 1 +autobiz.tk, 1 +autoblog-de.com, 1 +autoblogs.ml, 1 +autobot.com.ua, 1 +autobourcier.com, 1 +autobraga.ru, 1 +autobus.roma.it, 1 +autobuseros4ever.tk, 1 +autobusesonline.tk, 1 +autobusiness.ml, 1 +autocadperfmon.azurewebsites.net, 1 +autocardesign.org, 1 +autocartruck.com, 1 +autocashmachine.tk, 1 +autocenters.ca, 1 +autocheck.co.nz, 1 +autocirkel.tk, 1 +autoclassics.com, 1 +autocmall.com, 1 +autocoder.chat, 1 +autoconcept.ga, 1 +autoconcept.tk, 1 +autocorner.com, 1 +autocross.tk, 1 +autocrossfoto.tk, 1 +autocrossonline.tk, 1 +autocrossteam-martens.tk, 1 +autocrossteam-monein.tk, 1 +autocrossteam.tk, 1 +autocrypt.org, 1 +autodach.com, 1 +autodalas.com, 1 +autodeal.com.ph, 1 +autodekor.com, 1 +autodemolizioni.roma.it, 1 +autodidactic.ai, 1 +autodidacticstudios.com, 1 +autodidacticstudios.net, 1 +autodidacticstudios.org, 1 +autodocument.tk, 1 +autodynamics.tk, 1 +autoecoledumontblanc.com, 1 +autoeet.cz, 1 +autoelettricaperbambini.com, 1 +autoentrepreneurinfo.com, 1 +autoepc.ro, 1 +autoescolapontual.com.br, 1 +autoeshop.eu, 1 +autoexprez.com, 1 +autofficina.roma.it, 1 +autofinancing.ga, 1 +autofornal.pl, 1 +autofresh.tk, 1 +autogalerie-bader.ch, 1 +autogarag.ru, 1 +autogard.cz, 1 +autogear.ga, 1 +autogenai.com, 1 +autoglascenter.com, 1 +autoglass.com.my, 1 +autoglasskobra.bg, 1 +autohaus-brueggemann.de, 1 +autohausmf-nord.de, 1 +autohaussued.de, 0 +autohaussued.gmbh, 1 +autohero.com.au, 1 +autohit.ro, 1 +autohomehub.com, 1 +autohunt.ga, 1 +autohut.ca, 1 +autohuttruckcenter.ca, 1 +autoi.ch, 1 +autoidc.com, 1 +autoinfa.tk, 1 +autoinkoop.tk, 1 +autoinsurancehavasu.com, 1 +autojur.com.br, 1 +autokasko.tk, 1 +autokino-sachsen.de, 1 +autoklub.cz, 1 +autoknife.cf, 1 +autokontinent.ml, 1 +autokovrik-diskont.ru, 1 +autokredit.org, 1 +autolackierung-sadiki.de, 1 +autolatex.cf, 1 +autolawetawroclaw.pl, 1 +autoleaders.gr, 1 +autoledky.sk, 1 +autolet.tk, 1 +autologix.io, 1 +automaatic.com, 1 +automacro.com, 1 +automagischeberegening.nl, 1 +automasrl.it, 1 +automastercastlerock.com, 1 +automatecodes.com, 1 +automatentest.de, 1 +automaticmsp.com, 1 +automation-tools.stream, 1 +automationpro.me, 1 +automationstore.ga, 1 +automatyczna-identyfikacja.pl, 1 +automaxcovington.com, 1 +automechanicschooledu.org, 1 +automeeting.com, 1 +automekano.com, 0 +automekbromma.se, 1 +automiata.de, 1 +automir.online, 1 +automobile-detail.com, 1 +automobile-gadgets.ru, 1 +automobile-propre.com, 1 +automobile.fr, 1 +automobileescrowers.ga, 1 +automobileescrowest.ga, 1 +automobiliteit.nl, 1 +automods.com.au, 1 +automotive.org.ua, 1 +automotiveabundant.ga, 1 +automotiveadaptive.ga, 1 +automotiveagenda.ga, 1 +automotiveamazing.ga, 1 +automotiveanchor.ga, 1 +automotiveappeal.ga, 1 +automotivearrow.ga, 1 +automotiveatlantic.ga, 1 +automotiveavatar.ga, 1 +automotivebad.ga, 1 +automotiveblaster.ga, 1 +automotiveboulevard.ga, 1 +automotivebounce.ga, 1 +automotivebrands.tk, 1 +automotivebrowse.ga, 1 +automotivebuller.ga, 1 +automotivecarnival.ga, 1 +automotivecaster.ga, 1 +automotivecharm.ga, 1 +automotivecheapest.ga, 1 +automotivecircus.ga, 1 +automotivecity.tk, 1 +automotiveclassy.ga, 1 +automotiveclearance.ga, 1 +automotiveclient.ga, 1 +automotivecommission.ga, 1 +automotiveconnect.tk, 1 +automotivecorporation.ga, 1 +automotivecrawler.ga, 1 +automotivecrunch.ga, 1 +automotivecurious.ga, 1 +automotivedelta.ga, 1 +automotivedepot.ga, 1 +automotivedesigning.ga, 1 +automotivedestination.ga, 1 +automotivedodge.ga, 1 +automotivedollar.ga, 1 +automotiveduck.ga, 1 +automotiveeagle.ga, 1 +automotiveeastside.ga, 1 +automotiveepic.ga, 1 +automotiveexcel.ga, 1 +automotivefame.ga, 1 +automotivefeature.ga, 1 +automotiveflag.ga, 1 +automotiveflower.ga, 1 +automotivegang.ga, 1 +automotivegecko.ga, 1 +automotivegeo.ga, 1 +automotiveglory.ga, 1 +automotivego.tk, 1 +automotivegoddess.ga, 1 +automotivegorilla.ga, 1 +automotivegrace.ga, 1 +automotivegratis.ga, 1 +automotivegroove.ga, 1 +automotivegroup-usedcars.be, 1 +automotivegun.ga, 1 +automotivehands.ga, 1 +automotivehard.ga, 1 +automotivehotrod.ga, 1 +automotiveinfo.tk, 1 +automotiveintergrity.ga, 1 +automotivejackpot.ga, 1 +automotivejewel.ga, 1 +automotivejoker.ga, 1 +automotiveknight.ga, 1 +automotiveletter.ga, 1 +automotivelightning.ga, 1 +automotiveloco.ga, 1 +automotivelucky.ga, 1 +automotivemain.ga, 1 +automotivemanagementnetwork.com, 1 +automotivemarks.ga, 1 +automotivemeasure.ga, 1 +automotivemechanic.org, 0 +automotivemessenger.ga, 1 +automotivemeta.ga, 1 +automotivemetric.ga, 1 +automotivemillions.ga, 1 +automotivenano.ga, 1 +automotivenatural.ga, 1 +automotivenature.ga, 1 +automotivenetwork.tk, 1 +automotivenight.ga, 1 +automotivenobel.ga, 1 +automotivenormal.ga, 1 +automotiveocity.ga, 1 +automotiveoffline.ga, 1 +automotiveomatic.ga, 1 +automotiveonline.tk, 1 +automotiveopedia.ga, 1 +automotiveopplis.ga, 1 +automotiveoriginal.ga, 1 +automotiveouter.ga, 1 +automotivephase.ga, 1 +automotivepirates.ga, 1 +automotiveplatinum.ga, 1 +automotivepositive.ga, 1 +automotiveprecision.ga, 1 +automotivepremium.ga, 1 +automotivepriority.ga, 1 +automotivepronto.ga, 1 +automotivepure.ga, 1 +automotiverainforest.ga, 1 +automotiverapid.ga, 1 +automotiverater.ga, 1 +automotiverates.ga, 1 +automotiveraven.ga, 1 +automotivereadset.ga, 1 +automotivereps.ga, 1 +automotiverex.ga, 1 +automotiverings.ga, 1 +automotiveroom.tk, 1 +automotiverunners.ga, 1 +automotivescapes.ga, 1 +automotivescribe.ga, 1 +automotivesedona.ga, 1 +automotivesession.ga, 1 +automotiveshake.ga, 1 +automotiveshuffle.ga, 1 +automotivesleuth.ga, 1 +automotivesource.tk, 1 +automotivesouthbeach.ga, 1 +automotivespicy.ga, 1 +automotivesplash.ga, 1 +automotivesprint.ga, 1 +automotivestick.ga, 1 +automotivestore.tk, 1 +automotivestreaming.ga, 1 +automotivestyle.tk, 1 +automotivesugar.ga, 1 +automotivesunflower.ga, 1 +automotivesurprise.ga, 1 +automotivesustain.ga, 1 +automotivethunder.ga, 1 +automotivetimes.tk, 1 +automotivetreat.ga, 1 +automotiveturbo.ga, 1 +automotiveuk.tk, 1 +automotiveultra.ga, 1 +automotiveurban.ga, 1 +automotivevariety.ga, 1 +automotivevector.ga, 1 +automotivevisual.ga, 1 +automotivewidget.ga, 1 +automotivewish.ga, 1 +automotiveworth.ga, 1 +automotiveyankee.ga, 1 +automoto-tom.net, 1 +automuovifix.fi, 1 +automuse.com, 1 +autonewsreview.com, 1 +autonewssite.com, 1 +autonoleggio.milano.it, 1 +autonome-netze.de, 1 +autonome-treinen.tk, 1 +autoofficina.it, 1 +autoopravarjunior.cz, 1 +autopacking.com, 1 +autopapo.com.br, 1 +autopark-ost-fichtner.de, 1 +autoparts-for-foreigncars.tk, 1 +autoparts-russia.ru, 1 +autoparts.im, 1 +autoparts.sh, 1 +autoparts.wf, 1 +autopartso.com, 1 +autopartsprime.com, 1 +autopartsu.com, 1 +autopaulito.pt, 1 +autopilotapp.com, 1 +autopistadelitata.cl, 1 +autopneusdacovilha.pt, 1 +autopocket.co, 1 +autopod.com, 1 +autoporn.com, 1 +autoportal.tk, 1 +autopril.com, 1 +autoprogconsortium.ga, 1 +autopsy.com, 1 +autopsyhouston.com, 1 +autorabit.com, 1 +autorai.nl, 1 +autorama.cf, 1 +autorecoveryandtowing.com, 1 +autorefuellings.com, 1 +autorefuellings.ru, 1 +autoreinigung-noack.de, 1 +autorepguide.com, 1 +autorepmans.com, 1 +autoresponderilimitado.tk, 1 +autoreview.ml, 1 +autorijschooljohanbos.nl, 1 +autorijschoolrichardschut.nl, 1 +autorisweb.com, 1 +autorizaciones.com, 1 +autos-mertens.com, 1 +autos-motos.fr, 1 +autosalesmachine.net, 1 +autosalone.roma.it, 1 +autosan-vykup.ru, 1 +autosbodyest.ga, 1 +autoschade-mosman.nl, 1 +autoschadeschreuder.nl, 1 +autoschadevdberg.tk, 1 +autoschool.ga, 1 +autoscoops.tk, 1 +autoscreens.com.au, 1 +autoscuola.roma.it, 1 +autosdsg.ca, 1 +autosecurityfinance.com, 1 +autoshopsolutions.com, 0 +autosiero.nl, 1 +autoskolaplzen.cz, 1 +autosneed.com, 1 +autosoftdms.com, 1 +autosolution.tk, 1 +autospadetail.sk, 1 +autosprint.tk, 1 +autospurghi.milano.it, 1 +autospurgo.com, 1 +autospurgo.it, 1 +autospurgo.milano.it, 1 +autospurgo.name, 1 +autosrivada.com, 0 +autostationsest.ga, 1 +autostodulky.cz, 1 +autostop-occasions.be, 1 +autostrady.tk, 1 +autostramites.com, 1 +autostramites.com.ar, 1 +autosupirkimas.tk, 1 +autoteplo.org, 1 +autoterminus-used.be, 0 +autotimez.com, 1 +autotitleloansnu.ga, 1 +autoto.hr, 1 +autotonic.tk, 1 +autotrac.com.br, 1 +autotransportquoteservices.com, 1 +autotras.com, 1 +autotriumph.ru, 1 +autouncle.at, 1 +autouncle.co.uk, 1 +autouncle.com, 1 +autouncle.de, 1 +autouncle.dk, 1 +autouncle.fi, 1 +autouncle.fr, 1 +autouncle.it, 1 +autouncle.pl, 1 +autouncle.pt, 1 +autouncle.ro, 1 +autouncle.se, 1 +autovalepinturas.com.br, 1 +autoverhuur-tilburg.nl, 0 +autovesti.cf, 1 +autovesti.tk, 1 +autoviral.cf, 1 +autoviral.ga, 1 +autoviral.gq, 1 +autoviral.ml, 1 +autoviral.tk, 1 +autowallpapers.tk, 1 +autowatch.tk, 1 +autoweek.nl, 1 +autowerkstatt-puchheim.de, 1 +autozaz.ml, 1 +autozuki.com, 1 +autres-talents.fr, 1 +autumnhungary.tk, 1 +autumnmanor.com, 1 +autya.ga, 1 +auverdrift.ovh, 1 +auvernet.org, 1 +auversum.com, 1 +auvicom.nl, 1 +auvidos.ru, 1 +auviewpoint.tk, 1 +aux-arts-de-la-table.com, 1 +aux-scape.tk, 1 +auxbrinstresses.fr, 1 +auxessenceselfiques.fr, 1 +auxiliame.com, 1 +auxilius.be, 1 +auxmode.com, 1 +auzpro.au, 1 +av-dnepr.com.ua, 1 +av-planet.si, 0 +av-th.net, 1 +av-yummy.com, 1 +av01.tv, 1 +av0ndale.de, 1 +av163.cc, 1 +ava-creative.de, 0 +ava-sky.ga, 1 +ava-software.at, 1 +avaamo.com, 1 +avaaz.org, 1 +avacariu.me, 1 +avacatossiu.tk, 1 +avaclub.ga, 1 +avacourcelles.com, 1 +avaemr-development-environment.ca, 1 +avaeon.com, 1 +avagroup.ga, 1 +avai.la, 1 +available.direct, 1 +availablecastles.com, 1 +availablereportsest.ga, 1 +avakore.com, 0 +avalancha.tk, 1 +avaland.tk, 1 +avalaunchmedia.com, 1 +avalon-ami.tk, 1 +avalon-rpg.com, 1 +avalon-studios.de, 1 +avalonaccess.com, 1 +avalonartstudio.com, 1 +avalonbelltown.com, 0 +avalondevelopment.tk, 1 +avalontechsv.com, 1 +avalyuan.com, 1 +avamax.cz, 1 +avaminoo.com, 1 +avamix.com, 1 +avanad.biz, 1 +avanad.com, 1 +avanade-consulting.com, 1 +avanade.biz, 1 +avanade.ca, 1 +avanade.cm, 1 +avanade.co.in, 1 +avanade.com.br, 1 +avanade.com.es, 1 +avanade.com.sg, 1 +avanade.consulting, 1 +avanade.in, 1 +avanade.info, 1 +avanade.jobs, 1 +avanade.name, 1 +avanade.net, 1 +avanade.org, 1 +avanadeblog.com, 1 +avanadeconsulting.com, 1 +avanadeonline.com, 1 +avancen.com, 1 +avangard-bg.com, 1 +avangard-tovar.tk, 1 +avangard.tk, 1 +avangardmobile.ru, 1 +avanguardia.tk, 1 +avangvpn.ga, 1 +avanovum.de, 1 +avanse.com, 1 +avansyourself.nl, 1 +avantagetaxi.ru, 1 +avantcoequipment.com, 1 +avantcoice.com, 1 +avantcorefrigeration.com, 1 +avanteinversiones.es, 1 +avantikachair.com, 1 +avanza.ps, 0 +avanzagrupo.com, 1 +avanzbanc.com, 1 +avaralar.tk, 1 +avarcom.tk, 1 +avarie.ru, 1 +avariya.tk, 1 +avarom.ir, 1 +avarty.com, 1 +avastantivirus.ro, 1 +avasu.com, 1 +avatarka.tk, 1 +avatedu.com, 1 +avaxprices.com, 1 +avay.vn, 1 +avcipets.com, 1 +avclub.com, 1 +avcone.co.uk, 1 +avdagic.net, 1 +avday.tv, 1 +ave.zone, 1 +aveamcorp.com, 1 +aveapps.com, 0 +aveclunettesoleil.fr, 1 +avedesk.org, 0 +avelecollege.edu.ws, 1 +avelengo.org, 1 +avelinodiaz.gal, 1 +avellinotoday.it, 1 +aveloair.com, 1 +avelon.cloud, 1 +avelux.ru, 1 +avenad.com, 1 +avenad.net, 1 +avenade.com, 1 +avenade.net, 1 +avenade.org, 1 +avengehub.com, 1 +avengepet.eu.org, 1 +avengersonline.ml, 1 +avengersonlinemovie.ga, 1 +avenida7.com, 1 +avenir-now.at, 1 +avenir-now.ch, 1 +avenir-now.com, 1 +avenir-now.de, 1 +avensure.com, 1 +aventure-chasse-peche.com, 1 +avenue5.com, 1 +avenuedesbebes.com, 1 +avepoint.com, 1 +avepol.cz, 1 +avepol.eu, 1 +averageinspired.com, 1 +averen.co.uk, 1 +averge.co.za, 1 +avernis.de, 1 +avertoni.ru, 1 +avery.com, 1 +aves.asso.fr, 1 +avestagames.tk, 1 +avevad.com, 1 +avexon.com, 1 +avexongroup.com, 1 +avexonsecurity.com, 1 +avg.club, 1 +avg7.de, 1 +avgindiantech.com, 1 +avi-web.com, 1 +avi12.com, 0 +avi9526.pp.ua, 1 +avia-krasnoyarsk.ru, 0 +avia-ufa.ru, 0 +aviabilet.tk, 1 +avianbrands.com, 1 +aviandirectory.uk, 1 +avianotravel.com, 1 +aviaphoto.tk, 1 +aviapic.com, 1 +aviapic.eu, 1 +aviapic.fr, 1 +aviapic.info, 1 +aviapic.net, 1 +aviapic.org, 1 +aviareis.tk, 1 +aviarycourthotel.co.uk, 1 +aviasales.gq, 1 +aviasalon.spb.ru, 1 +aviasg.com, 1 +aviaskan.ru, 1 +aviationcareerpal.com, 1 +aviationlearning.aero, 1 +aviationlearning.lu, 1 +aviationmilitaire.tk, 1 +aviationonline.tk, 1 +aviations-engineering.tk, 1 +aviationsafetywiki.org, 1 +aviationstrategies.aero, 1 +aviationstrategy.aero, 1 +aviationweather.gov, 1 +aviationzone.tk, 1 +aviciibook.ru, 1 +aviconverter.tk, 1 +avidmode-dev.com, 1 +avidmode-staging.com, 1 +avidmode.com, 1 +avidtv.ie, 1 +avie.de, 1 +avilas-style.com, 1 +avilauto.com.es, 1 +avilauto.net, 1 +avincouture.de, 1 +avinguard.com, 1 +avinilo.com, 1 +avintivmedia.com, 1 +avio.rest, 1 +aviodrome.nl, 1 +aviokarte.rs, 1 +avionicbooks.tk, 1 +avions.ga, 1 +aviprime.by, 1 +aviraantivirusreviews.com, 1 +aviruptribedi.com, 1 +avisbabes.com, 1 +avishanx.com, 1 +avishwebsoft.com, 1 +avisodeprivacidad.info, 1 +avisofi-credit-immobilier.fr, 1 +avisoshuaraz.tk, 1 +avisoversigten.dk, 1 +avispl.com, 1 +avitahealth.org, 1 +avitus.hu, 1 +aviv-group.at, 1 +avivanuestroscorazones.com, 1 +avivaplasticsurgery.com, 1 +aviweisfogelinfo.org, 1 +avlasov.tk, 1 +avlhostel.com, 1 +avlover.com, 1 +avm-multimedia.com, 1 +avm99963.com, 1 +avmemo.com, 1 +avmtn.net, 1 +avmup.com, 1 +avn-buses.tk, 1 +avnet.ws, 1 +avninternational.tk, 1 +avo.lt, 0 +avoandco.com, 1 +avocad.studio, 1 +avocadooo.stream, 1 +avocadopress.ru, 0 +avocadostore.at, 1 +avocadostore.de, 1 +avocat-alina-szilaghi.ro, 1 +avocat-bourgogne.fr, 1 +avocat-divort-constanta.ro, 1 +avocat-droit-du-travail.org, 1 +avocat-karsenti.fr, 1 +avocatcivil.net, 1 +avocatpenal.net, 1 +avocatro.net, 1 +avodart.ml, 1 +avogel-company.ch, 1 +avogel.ca, 1 +avogel.ch, 1 +avogel.co.uk, 1 +avogel.de, 1 +avogel.gr, 1 +avogel.ie, 1 +avogel.nl, 1 +avogel.pt, 1 +avogel.si, 1 +avogelusa.com, 1 +avoids-troops.gq, 1 +avoinna24.fi, 1 +avondaleestatesga.gov, 1 +avonindiana.gov, 1 +avonlearningcampus.com, 1 +avontuurlijk-natuurlijk.be, 1 +avonvets.co.uk, 1 +avoonix.com, 1 +avounossoupes.be, 1 +avp-emobility.de, 1 +avpres.net, 0 +avqueen.cn, 0 +avrilhouse.tk, 1 +avrilshine.tk, 1 +avris.it, 1 +avrora-nov.ru, 1 +avroramine.tk, 1 +avrrom.com, 1 +avstack.io, 1 +avt-ukraine.com, 1 +avtecmedia.com, 0 +avtek.pl, 1 +avthelsinki.fi, 1 +avto-bazar.tk, 1 +avto-signal.cf, 1 +avto-signal.ga, 1 +avto-signal.gq, 1 +avto-signal.ml, 1 +avtochip.tk, 1 +avtodoki.tk, 1 +avtodot.tk, 1 +avtoforex.ru, 1 +avtogara-isperih.com, 1 +avtojurist.ml, 1 +avtojurist.tk, 1 +avtomaniya.ml, 1 +avtomaniya.tk, 1 +avtomarket.ru, 1 +avtoobzor.tk, 1 +avtoritet78.ru, 1 +avtorspb.ru, 1 +avtoshini.md, 1 +avtostolica.tk, 1 +avtoucheba.tk, 1 +avtours.gr, 1 +avtoveles.by, 1 +avtovikup.ml, 1 +avtovokzaly.ru, 1 +avtoyurist.cf, 1 +avtoyurist.ga, 1 +avtoyurist.gq, 1 +avtoyurist.ml, 1 +avtoyurist.tk, 1 +avus-automobile.com, 1 +avv.li, 1 +avvaterra.ch, 1 +avvnicolaurbani.ch, 1 +avvocato.bologna.it, 1 +avvocatoinlinea.it, 1 +avvoka.com, 1 +avweb.tk, 1 +aw.gov.pl, 1 +aw.net, 1 +awac.com, 1 +awakenaija.com, 1 +awakengr.com, 0 +awakening-guild.com, 1 +awakenplace.tk, 1 +awakenplace.top, 1 +awakenwow.ga, 1 +awakinn.co.in, 1 +awangardaszkola.pl, 1 +awanteverde.tk, 1 +award.ga, 1 +aware.org.sg, 0 +awaremi-tai.com, 1 +awarenessadvisor.ga, 1 +awarenessadvisorest.ga, 1 +awaresec.com, 1 +awaresec.no, 1 +awareservices.com, 0 +awarify.io, 1 +awarify.me, 1 +awarity.be, 1 +awarner.co.uk, 1 +awaro.net, 1 +awaua.nl, 0 +awawa.cf, 1 +awaybot.com, 1 +awaygroundguide.com, 1 +awayword.cf, 1 +awconsulting.com.sg, 1 +awe130.com, 1 +awebsome.fr, 1 +awei.pub, 1 +awena.me, 1 +awena.xyz, 1 +awersomecreatorfromrussia.tk, 1 +awesome-coconut-software.fr, 1 +awesomebible.de, 1 +awesomelifedeals.today, 1 +awesomenamegenerator.com, 1 +awesomeperfumes.com, 1 +awesomesheep48.ca, 1 +awesomesit.es, 0 +awf0.xyz, 1 +awfulsport-news.tk, 1 +awh.ink, 1 +awk.tw, 1 +awksolutions.com, 1 +awlonline.tk, 1 +awmb.uk, 1 +awningcleaningchicago.com, 1 +awningpressurewashing.com, 1 +awningsaboveus.com, 1 +awo-bremen.de, 1 +awo-sh.de, 1 +awoau.com.au, 1 +awomansplacenj.com, 1 +awrd.cz, 1 +awsbs.de, 1 +awscloudrecipes.com, 1 +awsl.blog, 1 +awsl.tech, 0 +awsnuke.com, 1 +awsome-books.co.uk, 1 +awsumchan.org, 1 +awtogid.com, 1 +awwwcats.com, 1 +awxg.com, 1 +awxg.email, 1 +awxg.eu.org, 1 +awxg.net, 1 +awxg.org, 1 +awxg.zone, 1 +ax.mk, 1 +ax25.org, 1 +ax4health.nl, 1 +axa.ch, 1 +axa.de, 1 +axavalon.tk, 1 +axchap.ir, 1 +axcient.com, 1 +axe-formation.com, 1 +axe.io, 1 +axeapi.au, 1 +axel-faure.eu, 1 +axel-fischer.net, 0 +axel-fischer.science, 1 +axel-stettner.de, 1 +axel-voss.eu, 0 +axel.red, 1 +axelcalle.com, 1 +axeldavid.fr, 1 +axeligence.com, 1 +axelname.ru, 1 +axelr.me, 1 +axeltheune.de, 1 +axelvoss.eu, 0 +axenhus.com, 1 +axeonline.tk, 1 +axessgroup.com, 1 +axesslab.com, 1 +axesslab.se, 1 +axfr.se, 1 +axg.io, 1 +axialhouse.cf, 1 +axiam-pc.co.uk, 1 +axiams.co.uk, 1 +axidocepabid.tk, 1 +axin888.vip, 1 +axiniteguitars.ca, 1 +axiniteguitars.com, 1 +axioinvest.com, 1 +axiom-networks.org, 1 +axiom4.net, 1 +axiomecpa.com, 1 +axiomtechnologies.tk, 1 +axios.tk, 1 +axiosint.com, 1 +axis-of-evil.tk, 1 +axis-stralis.co.uk, 1 +axis.kiev.ua, 1 +axis2ofevil.com, 1 +axiscapital.com, 0 +axisdesignarchitects.co.uk, 1 +axisdesignarchitects.com, 1 +axishw.com, 1 +axisinteriors.net, 1 +axislinx.com, 1 +axisortho.com.sg, 1 +axist.com.co, 1 +axisunderwriting.com.au, 1 +axl.net, 1 +axmedmessi.tk, 1 +axoftglobal.com, 1 +axoftglobal.ru, 1 +axolotagencia.com, 1 +axomatic.com, 1 +axomatic.it, 1 +axon-toumpa.gr, 1 +axon.link, 1 +axoncoho.tk, 1 +axone-computers.fr, 0 +axonholdingse.eu, 1 +axre.de, 1 +axrec.de, 1 +axstet.de, 1 +axton.ink, 0 +axtra.digital, 1 +axtux.tk, 1 +axx.ax, 1 +axxemble.nl, 0 +axxeptinq.tk, 1 +axxess-marine.com, 1 +axxial.tk, 1 +axyl.cloud, 1 +axzq.com, 1 +ay-net.jp, 1 +ayahya.me, 0 +ayakatenshi.tk, 1 +ayamchikchik.com, 1 +ayanomimi.com, 1 +ayatosuzuki.com, 1 +aycacankurt.com, 1 +aycasac.com, 1 +aycomba.de, 1 +aydacosmetics.com, 1 +aydesignco.com, 1 +aydinescmagazin.tk, 1 +aydinhaberleri.tk, 1 +aye.sh, 1 +ayersanaheim.com, 1 +ayerscoronaeast.com, 1 +ayersgroup.net, 1 +ayershawthorne.com, 1 +ayershotelsealbeach.com, 1 +ayerslagunawoods.com, 1 +ayersorange.com, 1 +ayerssuites.com, 1 +ayerssuitesmillsmall.com, 1 +ayesh.win, 1 +ayhankaraman.com, 1 +ayj.solutions, 1 +aykiri.com.tr, 1 +aykutcevik.com, 1 +aykyamultifest.com, 1 +aylak.com, 1 +aylesburycastlehire.co.uk, 1 +aylett.co.uk, 1 +ayltoninacio.com.br, 1 +aymerick-dupouey.fr, 1 +aymericlagier.com, 1 +aymhome.top, 0 +ayoa.com, 1 +ayomi.com, 1 +ayon-games.tk, 1 +ayothemes.com, 1 +ayovaksindinkeskdi.id, 1 +ayresalpine.com, 1 +ayresanaheim.com, 1 +ayresapline.com, 1 +ayresbarstow.com, 1 +ayresboutiquesuites.com, 1 +ayrescalabasas.com, 1 +ayrescares.com, 1 +ayreschinohills.com, 1 +ayreschulavista.com, 1 +ayrescommercial.com, 1 +ayresconstructioncompany.com, 1 +ayrescoronaeast.com, 1 +ayrescoronawest.com, 1 +ayrescostamesa.com, 1 +ayresdevelopment.com, 1 +ayresdiamondbar.com, 1 +ayresfountainvalley.com, 1 +ayresgroup.net, 1 +ayreshawthorne.com, 1 +ayreshotel.com, 1 +ayreshotelanaheim.com, 1 +ayreshotelbarstow.com, 1 +ayreshotelchulavista.com, 1 +ayreshotelgroup.com, 1 +ayreshotellagunawoods.com, 1 +ayreshotelmanhattanbeach.com, 1 +ayreshotelmillenia.com, 1 +ayreshotelmorenovalley.com, 1 +ayreshotelorange.com, 1 +ayreshotelrialto.com, 1 +ayreshotels.com, 1 +ayreshotelsealbeach.com, 1 +ayreshotelvista.com, 1 +ayreshr.com, 1 +ayresinnorange.com, 1 +ayreslagunawoods.com, 1 +ayreslodgealpine.com, 1 +ayresmillenia.com, 1 +ayresmillsmall.com, 1 +ayresmissionviejo.com, 1 +ayresmissionviejospa.com, 1 +ayresmorenovalley.com, 1 +ayresolympiclodge.com, 1 +ayresontario.com, 1 +ayresontarioairport.com, 1 +ayresontariomillsmall.com, 1 +ayresorange.com, 1 +ayrespasorobles.com, 1 +ayresredlands.com, 1 +ayresresortandvineyard.com, 1 +ayresrialto.com, 1 +ayressealbeach.com, 1 +ayresselfstorage.com, 1 +ayresspamorenovalley.com, 1 +ayressuites.com, 1 +ayressuitescoronawest.com, 1 +ayressuitescostamesa.com, 1 +ayressuitesdiamondbar.com, 1 +ayressuitesmissionviejo.com, 1 +ayressuitesmorenovalley.com, 1 +ayressuitesontario.com, 1 +ayressuitesontarioairport.com, 1 +ayressuitesyorbalinda.com, 1 +ayressupport.com, 1 +ayresvista.com, 1 +ayresyorbalinda.com, 1 +ayrohq.com, 1 +ayrom.io, 1 +ayrshirebouncycastlehire.co.uk, 1 +ayruu.com, 1 +ayselonia.onl, 1 +ayshaflix.com.br, 1 +aysima.com, 1 +ayubesportes.com.br, 1 +ayudacloud.com, 1 +ayudaconmibanco.gov, 1 +ayudalabs.com, 1 +ayudamineduc.cl, 1 +ayudamutua.red, 1 +ayudapreview.com, 1 +ayudaprogramacion.net, 1 +ayudasocialmex.com, 1 +ayumi.network, 1 +ayumindev.net, 1 +ayumix3.xyz, 1 +ayuntamientoarenoso.gob.do, 1 +ayuntamientoazua.gob.do, 1 +ayuntamientobocachica.gob.do, 1 +ayur-veda.tk, 1 +ayurveda-france.com, 0 +ayuwidodari.my.id, 1 +ayvalikgezgini.com, 1 +ayyildizgrup.com, 1 +ayyz66.cc, 1 +az-flag.com, 1 +az-forum.ga, 1 +az-moga.bg, 1 +az-raven.com, 1 +az-vinyl-boden.de, 1 +az.net.au, 1 +az.search.yahoo.com, 0 +az.st, 1 +az.support, 1 +az11018.com, 1 +azadblog.tk, 1 +azadliq.info, 1 +azadliq.online, 1 +azairline.com, 1 +azaleos.com, 1 +azaleos.net, 1 +azallon.com.br, 1 +azami.com, 1 +azaria.blog, 1 +azarkepic.com, 1 +azartmania.ga, 1 +azartmania.tk, 1 +azarus.ch, 1 +azarweb.tk, 1 +azbuka-bp.ru, 1 +azcensus2020.gov, 1 +azcontech.com, 1 +azdailysun.com, 1 +azdevsmartviewwebportal.azurewebsites.net, 1 +aze.dk, 1 +azehosting.net, 1 +azemardstephanie.com, 1 +azenot.com, 0 +azeo.com, 1 +azeo.fr, 1 +azerbelarbi.tk, 1 +azerigenocide.tk, 1 +azeriinfo.tk, 1 +azeriland.tk, 1 +azerinews.ga, 1 +azerinews.tk, 1 +azeronline.tk, 1 +azertyjobs.com, 1 +azfreaks.tk, 1 +azh-kunden.de, 1 +azhamevents.com, 1 +azhapasa.com, 1 +azhappytails.com, 1 +azhibo18.com, 1 +azia.info, 0 +azianpride.tk, 1 +aziatki.tk, 1 +azicostar.com, 1 +azienda-tv.tk, 1 +aziendaagricolapagano.it, 1 +azimech.net, 1 +azimut.fr, 1 +azimuth-ast.ru, 1 +azingostar.tk, 1 +azinmadaar.com, 1 +azinmahab.com, 1 +azirevpn.com, 1 +azithromycin.ga, 1 +azithromycinbuy.ga, 1 +azithromycine.gq, 1 +azitromicina.gq, 1 +azizfirat.com, 0 +azizidevelopments.com, 1 +azjlbc.gov, 1 +azkunazentroa.eus, 1 +azl-app.be, 1 +azl.ink, 1 +azlink.tk, 1 +azlk-team.ru, 1 +azmt.de, 1 +azmun.com, 1 +aznaetelivy.ru, 1 +azoang.com, 1 +azoft.com, 1 +azon.gr, 1 +azonicinfotech.com, 1 +azoogi.com.au, 1 +azora.cf, 1 +azorin.tk, 1 +azort.com, 1 +azotobacter.nl, 1 +azoulaygroup.org, 1 +azplayersclub.com, 1 +azpogomap.com, 1 +azquality.com, 1 +azrangers.gov, 1 +azrazalea.net, 1 +azreal.com, 1 +azredistricting.gov, 1 +azrevolutionizingckd.com, 1 +azrhymes.com, 1 +azs-nw.ru, 1 +azsalud.gov, 1 +azsec.biz, 1 +azso.pro, 1 +azsoriginal.pw, 0 +azsupport.com, 1 +azsupport.host, 1 +azsupport.org, 1 +aztecahome.com, 1 +aztekium.com, 1 +aztestsmartviewwebapp.azurewebsites.net, 1 +azton.tk, 1 +aztraslochi.it, 1 +aztrix.me, 1 +aztummytuck.com, 1 +azu-l.com, 0 +azu-l.jp, 0 +azudream.tk, 1 +azuki.cloud, 1 +azul-elijah.tk, 1 +azula.tk, 1 +azulimparcial.pt, 1 +azulweb.tk, 1 +azur.ovh, 1 +azure, 1 +azure-informatique.cloud, 1 +azurecraft.ga, 1 +azurecrimson.com, 1 +azurecup.cz, 1 +azurecup.online, 1 +azurefabric.com, 1 +azurenorth.com.ph, 1 +azuriasky.com, 1 +azuriasky.net, 1 +azuriom.com, 1 +azurlane.cool, 1 +azurpedia.cf, 1 +azuxul.fr, 1 +azvirtualschool.com, 0 +azvpn.tk, 1 +azzurrapelletterie.it, 1 +b-angel.info, 1 +b-b-law.com, 1 +b-coal.com, 0 +b-cyclesshop.ch, 0 +b-designer.tk, 1 +b-digital.cf, 1 +b-digital.ga, 1 +b-digital.gq, 1 +b-entropy.com, 1 +b-freerobux.ga, 1 +b-honey.gr, 1 +b-institute.ml, 1 +b-landia.net, 1 +b-root-force.de, 1 +b-services.net, 0 +b-swiss.com, 1 +b-ticket.ch, 1 +b-tje.nl, 1 +b-tree.be, 1 +b-utstore.com, 1 +b-wartburg.de, 1 +b.ee, 1 +b.wtf, 1 +b00de.ga, 1 +b03aa.com, 0 +b03cc.com, 0 +b0hr.ai, 1 +b0k.org, 1 +b0r.ch, 1 +b0rk.com, 1 +b1.work, 1 +b1031.com, 1 +b11p.com, 1 +b131000.com, 0 +b17turkiye.com, 1 +b1c1l1.com, 1 +b1drivers.com, 1 +b1ggi.ovh, 1 +b1nzy-pinged.me, 1 +b1r0d4l0m.com, 1 +b1rd.tk, 1 +b24.pt, 1 +b2b-leads.nl, 1 +b2b-nestle.com.br, 1 +b2bchiemihara.com, 1 +b2bhint.com, 1 +b2binpay.com, 1 +b2bleadhub.com, 1 +b2bmail.ga, 1 +b2bmuzikbank.com, 1 +b2bpoke.com, 1 +b2btaz.com, 1 +b2c-engineering.com, 1 +b2markt.de, 1 +b2music.asia, 1 +b3.nu, 1 +b3103.com, 0 +b31aa.com, 0 +b31cc.com, 0 +b31dd.com, 0 +b31ee.com, 0 +b31ff.com, 0 +b3390.com, 0 +b33app.com, 0 +b36512.com, 0 +b3b4.com, 1 +b3bra.win, 1 +b3pacific.com, 1 +b3tec.fr, 1 +b422edu.com, 1 +b4bouncycastles.co.uk, 1 +b4ckbone.de, 1 +b4ifund.it, 1 +b4lint.hu, 1 +b4r7.de, 1 +b4z.eu, 1 +b5189.com, 0 +b5197.co, 1 +b5901.com, 0 +b5902.com, 1 +b5903.com, 0 +b5904.com, 0 +b5906.com, 1 +b5907.com, 1 +b5908.com, 0 +b5909.com, 1 +b5910.com, 0 +b5dev.com, 1 +b5i.net, 1 +b61688.com, 1 +b62aa.com, 1 +b62b.com, 1 +b62bb.com, 1 +b62cc.com, 1 +b62d.com, 1 +b62dd.com, 1 +b62ee.com, 1 +b6701.com, 1 +b6703.com, 1 +b6704.com, 1 +b6705.com, 1 +b6729.co, 1 +b67701.com, 1 +b67702.com, 1 +b67703.com, 1 +b67704.com, 1 +b67705.com, 1 +b67801.com, 1 +b67802.com, 1 +b67803.com, 1 +b67805.com, 1 +b67901.com, 0 +b67902.com, 0 +b67903.com, 0 +b67904.com, 0 +b67905.com, 0 +b6957.co, 1 +b70301.com, 1 +b70302.com, 1 +b70305.com, 1 +b70661.com, 1 +b70663.com, 1 +b70664.com, 1 +b70884.com, 1 +b70885.com, 1 +b70991.com, 1 +b70992.com, 1 +b70993.com, 1 +b70994.com, 1 +b70995.com, 1 +b72.com, 1 +b72.net, 1 +b7306.com, 0 +b73bb.com, 0 +b73dd.com, 0 +b767.net, 1 +b8-e.de, 1 +b82365.com, 1 +b86255.com, 1 +b8831.com, 0 +b88vip1.com, 1 +b88vip10.com, 1 +b88vip2.com, 1 +b88vip3.com, 1 +b88vip4.com, 1 +b88vip5.com, 1 +b88vip6.com, 1 +b88vip7.com, 1 +b88vip8.com, 1 +b88vip9.com, 1 +b89gg.com, 0 +b89hh.com, 1 +b8a.me, 1 +b9168.com, 1 +b9297.co, 1 +b9498.com, 1 +b9586.net, 1 +b9588.net, 1 +b95888.net, 1 +b9589.net, 1 +b96899.com, 1 +b9728.co, 1 +b979365.com, 0 +b979666.com, 1 +b9883.net, 1 +b9884.net, 1 +b9885.net, 1 +b9886.com, 1 +b9886.net, 1 +b9887.net, 1 +b9888.net, 0 +b98886.com, 1 +b9889.net, 1 +b99011.com, 0 +b99022.com, 1 +b99033.com, 1 +b9904.com, 0 +b99044.com, 1 +b9905.com, 0 +b99055.com, 1 +b99066.com, 1 +b99077.com, 1 +b99088.com, 1 +b99099.com, 1 +b99118.com, 0 +b9912.com, 0 +b99218.com, 0 +b9930.com, 1 +b99318.com, 1 +b99418.com, 1 +b9951.com, 0 +b99518.com, 0 +b9954.com, 1 +b9957.com, 0 +b9961.com, 0 +b99618.com, 0 +b9962.com, 0 +b9970.com, 0 +b99718.com, 1 +b9973.com, 0 +b9976.com, 0 +b99818.com, 0 +b99881.com, 1 +b99882.com, 1 +b99883.com, 1 +b99885.com, 1 +b99886.com, 1 +b99918.com, 0 +b9999ff.com, 0 +b9999hh.com, 0 +b9999ii.com, 0 +b9999jj.com, 0 +b9999ll.com, 0 +b9999mm.com, 0 +b9999nn.com, 0 +b9999oo.com, 1 +b9999pp.com, 1 +b9999qq.com, 0 +b9999tt.com, 1 +b9999vv.com, 1 +b9999ww.com, 0 +b9999yy.com, 1 +b9999zz.com, 0 +b99iosapp.com, 0 +b9winner.com, 1 +ba7jcm.live, 1 +ba7jcm.top, 1 +ba7rain.tk, 1 +baaam.se, 1 +baac-dewellmed.com, 1 +baaiai.com, 1 +baalajimaestro.me, 1 +baams.tk, 1 +baaradvies.nl, 1 +baas-becking.biology.utah.edu, 1 +baas-sabiogroup.com, 1 +baas.agency, 1 +baatar.idv.hk, 1 +baazee.de, 1 +baba.wiki, 1 +babacloud.ddns.net, 1 +babacsalogato.hu, 0 +babacuhocica.tk, 1 +babadag.tk, 1 +babaei.net, 1 +babaei.org, 1 +babaganousha.net, 1 +babai.ru, 1 +babakhanalia.tk, 1 +babakortane.ga, 1 +babakshaabani.tk, 1 +babamamatermek.hu, 1 +babaog.com, 1 +babarkata.com, 1 +babaroxi4j2.com, 0 +babaseo.ml, 1 +babavan.ga, 1 +babayaga-bg.ga, 1 +babb.is, 1 +babbel.tk, 1 +babbelchat.tk, 1 +babblefeed.tk, 1 +babeeclothingandoutfits.com, 1 +babehunt.tk, 1 +babekids.tk, 1 +babel.es, 1 +babeleo.com, 1 +babelfisch.eu, 1 +babelfish.money, 1 +babes.com, 1 +babesnetwork.com, 1 +babet365.com, 1 +babetta.tk, 1 +babettelandmesser.de, 0 +babevr.com, 1 +babia.to, 1 +babibonami.tk, 1 +babichsteriliser.com.au, 1 +babico.name.tr, 1 +babindo.com, 1 +babineaux.zone, 1 +babitaji.tk, 1 +babki-mgnovenno.ga, 1 +babki-mgnovenno.ml, 1 +babkitut.ga, 1 +bablodel.biz, 1 +bablodel.com, 1 +babo.ooo, 1 +babo.tk, 1 +babolsar.tk, 1 +baboo.com.br, 1 +babsbibs.com, 1 +babuccu.com, 1 +baburhat.tk, 1 +babursahvizeofisi.com, 1 +babushkin-mir.tk, 1 +baby-doll.tk, 1 +baby-massage.tk, 1 +baby-skin-care.ga, 1 +baby-tester.tk, 1 +babyandchild.ae, 1 +babyandmoms.tk, 1 +babyappear.com, 1 +babybed.tk, 1 +babyboom.pl, 1 +babyboomer.org, 1 +babyboomer.ro, 1 +babybuddah.ga, 1 +babybunnypictures.tk, 1 +babycaring.com, 1 +babycat.tk, 1 +babycezi.ro, 1 +babychou.me, 1 +babycr.net, 1 +babyfights.tk, 1 +babyfotograf-schweiz.ch, 1 +babygearlab.com, 1 +babygirlholidaydresses.tk, 1 +babyinthehouse.com.br, 1 +babykappy.com, 1 +babylonclub.cf, 1 +babymall.hk, 1 +babymasaze.cz, 1 +babymozg.ga, 1 +babynamen.nl, 1 +babynames.net, 1 +babynoise.tk, 1 +babynow.org, 1 +babypaparadise.com, 0 +babypharm.ga, 1 +babyphototime.com, 1 +babypibu.com, 1 +babypoppen.tk, 1 +babyportal.net, 1 +babyprice.fr, 0 +babysafety.tk, 1 +babysdishes-bowls.tk, 1 +babysface.com, 1 +babyshopsupport.com.au, 1 +babyshower.cf, 1 +babystrollers.ml, 1 +babyvillagegt.com, 1 +babyz.tk, 1 +babyzen.tk, 1 +babyzoet.com, 1 +bac-fiches.tk, 1 +bacamanga.id, 1 +bacanal-intruder.tk, 1 +bacanaskincare.com, 1 +bacaneriahlg.com, 1 +bacanora.tk, 1 +bacanovel.id, 1 +bacardi.cf, 1 +bacardicola.tk, 1 +baccarat.tk, 1 +bacchus.report, 1 +baccredomatic.voyage, 1 +bacgp.com, 1 +bacgroup.digital, 1 +bacgroupdigital.com, 1 +bacgroupinc.com, 1 +bacgrouppublishing.com, 1 +bach-frederiksen.dk, 1 +bachata.berlin, 1 +bachata.info, 1 +bache-barre.fr, 1 +bache-bulle.fr, 1 +bache-de-piscine.fr, 1 +bache-ete-piscine.com, 1 +bache-hiver-piscine.com, 1 +bache-hivernage.com, 1 +bachelorampel.de, 1 +bachelornation.com, 1 +baches-piscines.com, 1 +bachlongbeach.com, 1 +bachlongmobile.com, 1 +bachmannyachts.com, 1 +bachmatt-baar.ch, 1 +bachokiro.com, 1 +bachoodesign.com, 1 +bachweid-baar.ch, 1 +baciu.ch, 0 +back-links.ga, 1 +back-stage.tk, 1 +back-streets.tk, 1 +back-yard.tk, 1 +backd00red.org, 1 +backenmachtgluecklich.de, 0 +backfront.com, 1 +background-checks-systems.com, 1 +background-checks.asia, 1 +background-checks.biz, 1 +background-checks.mobi, 1 +backgroundscreenersofamerica.com, 1 +backgroundz.net, 1 +backingtrackbrasil.com, 1 +backinstockalerts.com, 1 +backjump.tk, 1 +backlashband.tk, 1 +backlink-builder.tk, 1 +backlink.gd, 1 +backlinkboss.com, 1 +backlinktr.tk, 1 +backlog.jp, 1 +backlogapp.io, 1 +backlogs.org, 1 +backmark.tk, 1 +backmigo.com, 1 +backmitra.com, 1 +backmitra.mx, 1 +backmitra.nl, 1 +backpacken.org, 1 +backpackinglight.com, 1 +backpackingtours.com, 1 +backpacktour.ru, 1 +backpagegals.com, 1 +backporchartists.com, 1 +backrestored.gq, 1 +backrip.tk, 1 +backscattering.de, 0 +backschues.com, 1 +backschues.de, 1 +backschues.net, 1 +backseatbandits.com, 1 +backslash-n.com, 1 +backsliderz.uk, 1 +backspace.dev, 1 +backspace.rocks, 1 +backstage.click, 1 +backstienkboys.tk, 1 +backstreetbrasil.tk, 1 +backstreets-corner.tk, 1 +backterris.com, 1 +backtest.org, 1 +backtheeffup.com, 1 +backtobed.com, 1 +backup-kurumsal.com, 1 +backupassist.de, 1 +backupauthentication.com, 1 +backwardsalphabet.tk, 1 +backwpup.com, 1 +backyardaddict.com, 1 +backyardbella.com, 1 +backyardchickens.com, 1 +backyardtaco.com, 1 +backzoneterapi.dk, 1 +baclofen.ga, 1 +baclofen.gq, 1 +bacom1.com, 1 +bacon-monitoring.org, 1 +baconismagic.ca, 0 +baconsultores.co, 1 +bacoux.com, 1 +bacq.pro, 1 +bacri.eu, 1 +bacsmegye.hu, 1 +bacteri.com, 1 +bacteriakit.com, 1 +bactrim-antibiotic.gq, 1 +bactrim-antibiotic.ml, 1 +bactrim-ds.ga, 1 +bactrim-medicine.ml, 1 +bactrim.ga, 1 +bactrim.gq, 1 +bactrimds.cf, 1 +bactrimprice.tk, 1 +bacula.jp, 1 +bacus.ga, 1 +bad-homburg.tk, 1 +bad-influence.rocks, 1 +bad.horse, 1 +bad.pet, 1 +bad.spdns.de, 1 +badaa.info, 1 +badante.it, 1 +badanteinfamiglia.it, 1 +badaparda.com, 1 +badass-women.club, 1 +badassdallascondo.com, 1 +badassfantastico.tk, 1 +badasslistings.com, 1 +badbee.cc, 1 +badbird.tk, 1 +badblock.fr, 1 +badboy-club.tk, 1 +badboyz.org, 1 +badboyzclub.de, 1 +badcarma.tk, 1 +badcomputer.tk, 1 +badcyber.com, 1 +baddrones.llc, 1 +badeand.net, 1 +badekappen.com, 1 +baderscott.com, 1 +badeurlaub.tk, 1 +badf00d.de, 1 +badge.rs, 1 +badges.fedoraproject.org, 1 +badges.stg.fedoraproject.org, 1 +badgirlfoto.ga, 1 +badgirlsbible.com, 1 +badhabits.tk, 1 +badhusky.com, 0 +badkamerconcurrent.be, 1 +badkamerconcurrent.nl, 1 +badkamermarkt.be, 1 +badkamermarkt.com, 1 +badkamermarkt.net, 1 +badkamermarkt.nl, 1 +badkeys.info, 1 +badmania.fr, 1 +badmessage.tk, 1 +badmice.tk, 1 +badminton-forum.tk, 1 +badmintonargentina.tk, 1 +badmintonbeersheva.co.il, 1 +badmintonclubwaarschoot.tk, 1 +badmintondk.cz, 1 +badmintonoverdag.tk, 1 +badmintonracketreview.com, 1 +badmonkey.fr, 1 +badmood.tk, 1 +badmusic.tk, 1 +badnails.tk, 1 +badnat.tk, 1 +badnjar.rs, 1 +badodds.ga, 1 +badoinkvr.com, 1 +badoo.com, 1 +badoo.com.ar, 1 +badoo.de, 1 +badoo.eu, 1 +badoo.us, 1 +badpc.net, 1 +badpinguin.gq, 1 +badpreachers.tk, 1 +badrap.io, 1 +badreichenhall.tk, 1 +badreligion.tk, 1 +badrequest.me, 1 +badri-taxi-vtc.com, 1 +badrock.tk, 1 +badseacoffee.com, 1 +badsl.nl, 1 +badstar.tk, 1 +badudeal.lk, 1 +badules.tk, 1 +badwi.com, 1 +badwolf.tk, 1 +bae.st, 1 +baecker-know-how.de, 1 +baeconhills.tk, 1 +baeder-luboss.de, 1 +baederlacke.eu, 0 +baehost.com, 1 +baells.tk, 1 +baer-concepts.de, 1 +baer-holger.de, 1 +baer.com, 1 +baer.space, 1 +baerkarrer.ch, 1 +baesystems-she.com, 1 +baeten.com, 1 +baevserver.ddns.net, 1 +bafito.com, 1 +baframedya.tk, 1 +bafus.ru, 1 +bag.bg, 1 +bagdagul.tk, 1 +bagelbrands.com, 1 +bagelsbakery.com, 0 +baggy.me.uk, 1 +bagheera.me.uk, 1 +baghtelecom.net, 1 +baginfo.com, 1 +bagiobella.com, 1 +bagirahome.bg, 1 +bagleytownshipmi.gov, 1 +bagmutskiy.com, 1 +bagni-chimici.roma.it, 1 +bagnichimici.milano.it, 1 +bagnichimici.roma.it, 1 +bagnichimici.veneto.it, 1 +bagol.tk, 1 +bags.bg, 1 +bagsbanny.de, 1 +bagshop.ua, 1 +bagso.bg, 1 +bagsofbounce.co.uk, 1 +bagspecialist.nl, 1 +bagssale.ga, 1 +bagtobag.com.gr, 1 +bagu.biz, 1 +bagu.fr, 1 +bagui.com, 1 +bagwrap.com, 1 +bah.im, 0 +bahadirh.ml, 1 +bahaiprayers.io, 1 +bahami.com, 1 +bahana.net, 1 +baharmusic24.tk, 1 +bahcehavuz.com, 1 +bahena.be, 0 +bahisbonus.work, 1 +bahnenimbild.de, 1 +bahnenimbild.eu, 1 +bahnhelden.de, 1 +bahninrotweissrot.at, 1 +bahnmagazine.de, 1 +bahrain.gq, 1 +bahraincredit.com.bh, 1 +bahrainmarina.bh, 1 +bahrainonline.tk, 1 +bahrep.com, 1 +bahri.sa, 1 +bai-bao.fr, 1 +baiask.com, 1 +baichi.cf, 1 +baichi.ml, 1 +baidu-s.com, 0 +baiduo.com, 1 +baier-michels.com, 1 +baif.hr, 1 +baifubao.com, 1 +baikal.cf, 1 +baikalfond.ml, 1 +baikalppk.tk, 1 +baiki.ch, 1 +baildonbouncycastles.co.uk, 1 +baildonhottubs.co.uk, 1 +baileebee.com, 1 +baileyh.xyz, 1 +baileyladders.com.au, 1 +baileysafetyconsultants.com, 1 +baileysharborwi.gov, 1 +bailiang.com, 1 +bailleux.be, 1 +bailodromo.tk, 1 +bailong.kr.ua, 1 +bailonga.com, 1 +baimail.com, 1 +baimed.com.au, 1 +bainba.com, 1 +baindayman.com, 1 +baindetoile.fr, 1 +baipay.com, 1 +baircentral.com, 1 +bairuo.net, 0 +bairuo.top, 0 +bairwell.com, 1 +baise.cf, 1 +baise.ml, 1 +baise3x.com, 1 +baishitie.com, 1 +bait55.ru, 0 +baitable.ml, 1 +baitapsgk.com, 1 +baithuti.com, 1 +baitnaservices.com, 1 +baitulongbaycruises.com, 1 +baixadordemusica.tk, 1 +baixarbluray.tk, 1 +baixarvideosgratis.com.br, 1 +baiyangliu.com, 0 +bajacalifornia.tk, 1 +bajajplasticsurgery.com, 1 +bajalotodo.tk, 1 +bajanowski-fotografie.de, 0 +bajaprogramas.tk, 1 +bajarjuegos.com, 1 +bajic.ch, 1 +bajiotec.com, 1 +bajj.de, 1 +bajofondoradio.tk, 1 +bajominimos.tk, 1 +bajune.tk, 1 +bak.my.id, 0 +baka-gamer.net, 1 +baka.ms, 1 +baka.network, 1 +baka.org.cn, 1 +baka.red, 1 +bakabt.info, 1 +bakanin.ru, 1 +bakaproxy.moe, 1 +bakbi.tk, 1 +bakchich.biz, 1 +bakcor.com, 1 +baker-street.tk, 1 +bakerandfarmer.com.au, 1 +bakerbasements.com, 1 +bakercity.gov, 1 +bakercitypd.gov, 1 +bakercosheriffor.gov, 1 +bakercounty911or.gov, 1 +bakercountyor.gov, 1 +bakercountysheriffor.gov, 1 +bakersafari.co, 1 +bakersfieldhomeoffer.com, 1 +bakerviewdentalcentre.com, 1 +bakerymazowsze.co.uk, 1 +bakesy.shop, 1 +bakeup.be, 1 +bakibal.com, 1 +bakira.eu, 1 +bakivaxti.az, 1 +bakj.com, 1 +bakkerij-janschrieks.nl, 1 +bakkerinjebuurt.be, 1 +bakkerpanden.nl, 1 +bakkersmolen.tk, 1 +bakkerstraatfeesten.tk, 1 +bakkt.com, 1 +bakkus.tk, 1 +bakla.ml, 1 +baklavabg.com, 1 +bakoma.pl, 1 +bakongcondo.com, 1 +bakrypt.io, 1 +baks.cf, 1 +baksclub.cf, 1 +baksclub.gq, 1 +baku-club.tk, 1 +baku.news, 1 +bakubest.tk, 1 +bakupka.de, 1 +bakuze.net, 1 +bakxnet.com, 0 +balaam-black.tk, 1 +balabarsakhtemani.com, 1 +balade-commune.ch, 0 +baladecommune.ch, 0 +balador.io, 1 +balafon.cloud, 1 +balaga.pl, 1 +balaganlimited.cf, 1 +balaganoff.tk, 1 +balagne-corsica.com, 1 +balaisnomad.com, 0 +balakovo-news.tk, 1 +balala.com, 1 +balancascia.com.br, 1 +balance.courses, 1 +balance.education, 1 +balance.equipment, 1 +balance.technology, 1 +balanceadosmendoza.com, 1 +balancecreamers.ga, 1 +balancecreamest.ga, 1 +balancedbrawl.net, 1 +balancehairrestoration.com, 1 +balancehits.com.br, 1 +balancenaturalhealthclinic.ca, 1 +balancer.gq, 1 +balancingbird.net, 1 +balancingbirthbaby.com, 1 +balanda.ga, 1 +balashiha-podmoskovie.ml, 1 +balasingandaru.cf, 1 +balaskas.gr, 1 +balatarin.com, 1 +balatonlelleapartman.tk, 1 +balboa.io, 1 +balboa.org.uk, 1 +balboacapital.com, 1 +balbus.tk, 1 +balca.ga, 1 +balcaonet.com.br, 1 +balconnr.com, 1 +balconsverdun.com, 0 +balcony.cf, 1 +baldinger.tk, 1 +baldolinitraslochiroma.it, 1 +baldpreventioners.ga, 1 +baldvinringsted.com, 1 +baldwin-mania.tk, 1 +baleen.us, 1 +baleinesendirect.org, 1 +balelabs.id, 1 +balerma.tk, 1 +balesetvedelem.hu, 1 +balester.com, 1 +balezovolley.fr, 1 +balhamrm.co.uk, 1 +balia.de, 1 +balicekzdravi.cz, 0 +balicyclingtours.id, 1 +balikesireftotoekspertiz.com, 1 +balikesirhaberleri.tk, 1 +baliklar.tk, 1 +balikturleri.com, 1 +balilingo.ooo, 0 +balimoves.com, 1 +balingwiredirect.com, 1 +balintjanvari.com, 1 +balirentalku.com, 1 +balist.es, 1 +balivacationhomes.com, 1 +balivakantiewoning.nl, 1 +balivillassanur.com, 0 +baliwebsitedesign.info, 1 +balkan-observatory.net, 1 +balkannightlife.ga, 1 +balkanpharmstore.com, 1 +balkenbushmechanical.com, 1 +balkoni.gq, 1 +balkonien.org, 1 +balkonov.com.ua, 1 +ball-bizarr.com, 1 +ball-bizarr.de, 1 +ball3d.es, 1 +ball4training.com, 1 +ballajuraafc.com, 1 +ballamor.com, 1 +ballarin.cc, 1 +ballast.tk, 1 +ballbusting-cbt.com, 1 +ballcancan.tk, 1 +ballejaune.com, 1 +ballensiefen.net, 1 +ballerkneipe.com, 1 +ballettstudio-ost.de, 1 +ballinw.com, 1 +ballisticbrass.tk, 1 +ballitolocksmith.com, 1 +ballmusikband.de, 1 +ballonnenopdakpannen.tk, 1 +balloon.gq, 1 +ballotapi.com, 1 +ballparkbuns.com, 0 +ballpythonsaspets.com, 1 +ballroompages.com, 1 +balluncar.tk, 1 +balneariodearchena.com, 1 +baloch-intelligence.tk, 1 +balochism.tk, 1 +balogkrisztian.hu, 1 +baloncestoarqueros.tk, 1 +baloncestolliria.tk, 1 +balonsiparis.com, 1 +balopal.tk, 1 +balsamaiso.es, 1 +balsara.com, 1 +balski.com, 1 +balslev.io, 1 +balt.net, 1 +balter.com, 1 +baltialcoholicos.tk, 1 +baltimorecashflow.com, 1 +baltimorecitybnmd.gov, 1 +baltimorecolonrectal.com, 1 +baltimorejetcharter.com, 1 +baltimoreroofingservices.com, 1 +baltlex.de, 1 +baltoe.com, 0 +baluarte.com, 1 +bam.com.gt, 1 +bamaland.org, 1 +bamberger-maelzerei.de, 1 +bambergerdatenschutz.de, 1 +bamboehof.nl, 1 +bamboo-team.online, 1 +bambooagile.eu, 1 +bambooforest.nl, 1 +bamboohr.co.uk, 1 +bamboohr.com, 1 +bambooplywood.com, 1 +bamboorose.com, 1 +bamboostage.com, 1 +bambrick.com.au, 0 +bambuitalia.it, 1 +bambukshop.ml, 1 +bambulab.com, 1 +bambumania.com.br, 1 +bambusushibar.com, 0 +bamfacts.tk, 1 +bamifm.tk, 1 +bamily.rocks, 1 +baming.com, 1 +bammatta.ch, 1 +bampers.tk, 1 +ban-list.gq, 1 +banabarka.tk, 1 +banajanitorialservices.com, 1 +bananabeer.xyz, 1 +banananet.work, 1 +bananathrash.tk, 1 +bananatreenews.today, 1 +bananatrunkingprotocol.com, 1 +bananavapes.com, 1 +bananenbr0t.de, 1 +bananice.moe, 1 +banatearab.tk, 1 +banbaog.com, 1 +bancacrs.it, 1 +bancamiga.com, 1 +bancastato.ch, 1 +bancatransilvania.ro, 1 +banch.io, 1 +banchungcu.com, 1 +bancoagricola.com, 1 +bancobai.ao, 0 +bancobica.com.ar, 1 +bancobpm.it, 1 +bancoctt.pt, 1 +bancodeloja.fin.ec, 1 +bancontinental.com.py, 1 +bancosdominicanos.net, 1 +bancoserfinanza.com, 1 +bancosol.com.bo, 1 +band.us, 1 +banda-car-service.com, 1 +bandaancha.eu, 1 +bandademusicacarrion.tk, 1 +bandadestino.tk, 1 +bandally.net, 1 +bandamirandadeebro.tk, 1 +bandarifamily.com, 1 +bandaronline.ml, 1 +bandarqonline.ga, 1 +bandarqonline.ml, 1 +bandaumnikov.ru, 1 +bandbattle.tk, 1 +bandbelievo.tk, 1 +bandbwestport.com, 1 +bandeaux.com, 1 +bandeira1.com.br, 1 +bandeiraimoveisitu.com.br, 1 +bandeirasnacionais.com, 1 +banderas-mundo.es, 1 +banderasdelmundo.xyz, 1 +banderatx.gov, 1 +banderol.tk, 1 +bandhanbank.com, 1 +bandidosmc.com, 1 +bandiere-mondo.it, 1 +bandiga.it, 1 +bandirmaevdenevenakliyat.tk, 1 +bandmentor.com, 1 +bandnames.tk, 1 +bando.de, 1 +bandolino-bewind.nl, 1 +bandoom.tk, 1 +bandtcollections.com.au, 1 +bandures.tk, 1 +bandvideos.tk, 1 +bandwagon.tk, 1 +bandwagonok.tk, 1 +bandwh.com, 1 +bandymasarna.tk, 1 +baneh-academic.com, 1 +banerka.tk, 1 +banes.ch, 1 +banffcanmorespeedskating.ca, 1 +banfieldentertowin.com, 0 +banfieldtravel.it, 1 +banfun.org, 1 +bang.com.au, 1 +bangabandhu.tk, 1 +bangaichi.no-ip.org, 0 +bangandscrew.com, 1 +bangbangboys.tk, 1 +bangberlin.tk, 1 +bangdaiviet.tk, 1 +bangkok-thailand.org, 1 +bangkokcookingclass.com, 1 +bangkokflightservices.com, 1 +bangkoklife.com, 1 +bangku.tk, 1 +bangladesimagi.tk, 1 +banglahotstory.tk, 1 +banglargolpo.tk, 1 +banglatec.tk, 1 +banglatypography.com, 1 +banglets.com, 1 +bangsparks.com, 1 +bangujero.tk, 1 +bangyu.wang, 1 +banh.am, 1 +banham.co.uk, 0 +banham.com, 1 +banhphongtomquangtran.com, 1 +bani-hashem.tk, 1 +banimarket.by, 0 +baniuliuukis.lt, 1 +banja-kulasi.ga, 1 +banjonelson.tk, 1 +bank, 1 +bank-credit.org, 1 +bank-laan.dk, 1 +bank-yahav.co.il, 1 +bank34.ua, 1 +banka.space, 0 +bankanswers.gov, 1 +bankassafa.com, 1 +bankasubeleri.tk, 1 +bankbranchlocator.com, 1 +bankcardoffer.com, 1 +bankcustomer.gov, 1 +bankcustomerassistance.gov, 1 +bankeasternct.com, 1 +bankee.us, 1 +banker.vn, 1 +bankera.com, 1 +banket-furshet-spb.ru, 1 +banketbesteld.nl, 1 +bankffin.kz, 0 +bankfreeoffers.com, 1 +bankheadvegetables.com, 1 +bankhelp.gov, 1 +banki-finance-credit.ru, 1 +bankid.com, 1 +bankimsk.cf, 1 +banking-services.tk, 1 +bankingheralders.ga, 1 +bankinter.pt, 1 +bankiros.ru, 1 +bankislami.com.pk, 1 +bankitt.network, 1 +bankja.net, 1 +bankmno.ga, 1 +bankmoney.cf, 1 +banknet.gov, 1 +banknews.ga, 1 +banknn.ru, 1 +banknottakip.com, 1 +bankofguilin.com, 1 +bankofharbin.com, 1 +bankofireland.com, 1 +bankofrealty.review, 1 +bankofshaanxi.com, 1 +bankpolicies.com, 1 +bankrbk.kz, 1 +bankruptcy.ky, 1 +banksite.ga, 1 +banksmalaysia.com, 1 +banksouthern.com, 0 +banksulselbar.co.id, 1 +banktatigebon.cf, 1 +banktender.ga, 1 +banktool.com, 1 +bankvanbreda.be, 1 +bankwithfidelity.com, 1 +banland.net, 1 +banlinhdanong.com, 0 +banmapvn.com, 1 +banned-bitches.tk, 1 +banner-design.tk, 1 +banner.ga, 1 +bannerbangbang.com.au, 1 +bannercountyne.gov, 1 +bannerexchange.tk, 1 +bannermarquees.ie, 1 +bannerpagina.tk, 1 +bannerrealty.com, 1 +bannervaners.ga, 1 +bannerworld.co.uk, 1 +banning.gq, 1 +banningca.gov, 1 +banninglibraryca.gov, 1 +bannisbierblog.de, 1 +bannockcounty.gov, 1 +bannockcountyidaho.gov, 1 +bannsecurity.com, 1 +banquevanbreda.be, 1 +banri.me, 1 +bans.info, 1 +bantaihost.com, 1 +bantchev.com, 1 +bantchev.net, 1 +bantenmien.tk, 1 +banter.city, 1 +bantik.by, 1 +bantiki.ga, 1 +bantoa.com, 1 +bantuanteknis.id, 1 +banuakodi.com, 1 +banyan-advantech.com, 1 +banyarukami.ru, 1 +banzay.ml, 1 +banzhuti.com, 1 +bao-in.net, 1 +baobabgroup.com, 1 +baobaoquming.net, 0 +baobiao.com, 1 +baocheng.tech, 1 +baofuzhuan.com, 1 +baogao.store, 1 +baoge55.com, 1 +baogiathicongnoithat.com, 1 +baogougou.com, 0 +baokhangfood.com, 1 +baoqiang.com, 1 +baoshun.com, 1 +baoxue5.com, 0 +bapco.com, 1 +bapeel.tk, 1 +bapha.be, 1 +baptiste-peugnez.fr, 1 +baptistecabrera.com, 1 +baptisteplanckaert.tk, 1 +baptistesale.tk, 1 +bar-event.tk, 1 +bar-rique.de, 1 +bar-valhalla.tk, 1 +bar38.tk, 1 +baraboowi.gov, 1 +barabrume.fr, 1 +baracca.es, 1 +barakayu.com, 1 +baraklava.com, 1 +baran-shop.ga, 1 +baransys.com, 1 +baranyavar.hu, 1 +barao.tk, 1 +barataeletrica.tk, 1 +baratzegrowshop.com, 1 +baravalle.com, 1 +baraxolka.ga, 1 +baraxolka.ml, 1 +barbaderespeito.com.br, 1 +barbara-bertagnolli.co.uk, 1 +barbara-fuchs-gruene-fuerth.de, 1 +barbarabowersrealty.com, 1 +barbarabryce.com, 1 +barbaraedanielsantos.ga, 1 +barbarafabbri.com, 1 +barbarafeldman.com, 1 +barbaramoorman.tk, 1 +barbarareynoldsphotography.com, 1 +barbarasymmons.com, 1 +barbarianbear.art, 1 +barbarians.com, 0 +barbaros.info, 1 +barbate.fr, 1 +barberscorner.tk, 1 +barbershop-harmony.org, 0 +barbershopbabo.com, 1 +barbiecollectorjapan.cf, 1 +barbiecollectorjapan.ga, 1 +barbiecollectorjapan.gq, 1 +barbieforteza.tk, 1 +barbinlaw.com, 1 +barbonnetje.nl, 1 +barborakucerova.cz, 1 +barbosha.ru, 1 +barbourcountyal.gov, 1 +barbourcountyhdwv.gov, 1 +barbu.family, 1 +barburas.com, 1 +barca-movie.jp, 1 +barcamp.koeln, 1 +barcelonapremium.es, 1 +barcelonapremiummini.es, 1 +barcelonatours.net, 1 +barcelonawinewalk.com, 1 +barchetta.org, 1 +barcicuvele.tk, 1 +barcitizen.eu, 1 +barclaybonitaranch.com, 1 +barclays.net, 1 +barcodelookup.com, 1 +barcoder.tk, 1 +barcodewiz.com, 1 +bard-college.com, 1 +bard-college.net, 1 +bardak.ga, 1 +bardcollege.net, 1 +bardcollege.org, 1 +bardes.org, 1 +bardfarm.org, 1 +bardian.net, 1 +bardian.org, 1 +bardiharborow.com, 1 +bardtech.com, 1 +barduschinamusic.org, 1 +barefoodinrome.it, 1 +barelias.tk, 1 +barentsz.co, 1 +barer.me, 1 +barexam.jp, 1 +bargaindentistsers.ga, 1 +bargaindentistsest.ga, 1 +bargainsettelement.com, 1 +bargainusa.tk, 1 +barganhanaweb.ml, 1 +bargenarenji.com, 1 +bargerveen.tk, 1 +bargfeldt.de, 1 +bargrill.ga, 1 +bargroup.ga, 1 +barhan-sarykum.ru, 1 +barichara.com, 1 +barihandin.tk, 1 +barikell.be, 1 +barinasknot.tk, 1 +barinov.ga, 1 +barinov.ml, 1 +barinov.tk, 1 +baripedia.org, 0 +baris-sagdic.com, 1 +bariseau-mottrie.be, 1 +barisi.me, 1 +baristabetter.com, 1 +baristador.com, 1 +baritoday.it, 1 +barke-schaltanlagen.de, 1 +barkerandstonehouse.co.uk, 1 +barkerjr.xyz, 1 +barkingspidersaspets.com, 1 +barkio.com, 1 +barklanepets.com, 0 +barkstop.net, 1 +barkysupplies.com, 1 +barlettaviva.it, 1 +barlex.pl, 1 +barleyandbirch.com, 1 +barlijst.net, 1 +barlotta.net, 1 +barlow-media.club, 1 +barmenteros.com, 1 +barmusic.tk, 1 +barnabasgolf.org, 1 +barnabycolby.io, 1 +barnacional.com.au, 1 +barnaul-altai.tk, 1 +barnesvilleohio.gov, 1 +barneveldcentrum.nl, 1 +barney-media.com, 1 +barneydavey.com, 1 +barnflix.net, 1 +barnhomega.com, 1 +barnumiidev.com, 1 +barnunnwy.gov, 1 +barnvaensveitarfelog.is, 1 +barnvets.co.uk, 1 +barnwellcountysc.gov, 1 +barobax.tk, 1 +baroccofashion.it, 1 +baroclean.fr, 1 +barok.tk, 1 +baroloboys.de, 1 +baron14.be, 1 +baronbunny.cn, 1 +baronet.cf, 1 +baronspices.com, 1 +baroquemath.net, 1 +baroqueworksstudio.com, 1 +barpodsosnami.pl, 1 +barprive.com, 1 +barqo.co, 1 +barr.com.au, 1 +barrack.cf, 1 +barrack.ga, 1 +barrack.gq, 1 +barrack.tk, 1 +barracuda.blog, 1 +barracuda.com.tr, 0 +barracudaswimmingclub.tk, 1 +barrahome.org, 1 +barrancos.tk, 1 +barrankest.ga, 1 +barranquillero.tk, 1 +barraqueirotransportes.pt, 1 +barreiroappraisals.com, 1 +barrencountyky.gov, 1 +barrenwuffett.com, 1 +barricader.com, 1 +barricader.network, 1 +barrierefreie-medien.info, 1 +barrierpestservices.com, 1 +barrikade.tk, 1 +barro.ga, 1 +barruntos.tk, 1 +barrydenicola.com, 1 +barrymarkus.tk, 1 +barrytownshipmn.gov, 1 +barsashop.com.br, 1 +barsgroup.com, 1 +barsleaks.com, 1 +barsopen.ga, 1 +barsukas.net, 1 +bart-f.com, 1 +bart-f.net, 1 +bart1ebee.com, 1 +barta.me, 1 +bartavi.nl, 1 +bartbania.com, 1 +bartcoppens.be, 1 +bartdaelman.tk, 1 +bartdesign.tk, 1 +bartekbv.be, 1 +bartel.ws, 1 +bartelt.name, 1 +barter.me, 1 +barter.vg, 1 +bartershift.com, 1 +bartg95.nl, 1 +bartgroeneveld.nl, 1 +barth-herzberger.de, 1 +barth.services, 1 +bartholf.nu, 1 +bartlamboo.nl, 1 +bartlettil.gov, 1 +bartoliconsulting.com, 1 +bartolomebellido.com, 1 +bartonmohealth.gov, 1 +bartowcountyga.gov, 1 +bartula.de, 1 +bartvandamme.tk, 1 +baruch.me, 1 +barwaldesigns.com, 1 +barwave.com, 1 +barzallof.com, 1 +barzza.tk, 1 +bas.bio, 1 +bas.codes, 1 +bas.coffee, 1 +bas.surf, 1 +bas.work, 1 +basar-horrheim.de, 1 +basauristudios.com, 1 +basaveshwaraborewells.tk, 1 +basculasconfiables.com, 1 +basdferty.cf, 1 +base-autonome-durable.com, 0 +base-people.ml, 1 +base-radio.cf, 1 +base27.eu, 0 +base2face.tk, 1 +base48.systems, 1 +basebalance.net, 1 +baseballcrank.com, 1 +baseballjapan.org, 1 +baseballpitchingmachine.tk, 1 +baseballsapka.hu, 1 +baseballsavings.com, 1 +basebyte.nl, 1 +basecamp.cf, 1 +basecampstudios.com, 1 +basechat.com, 1 +basechat.jp, 1 +baseconvert.com, 1 +basecore.co, 1 +based.gr, 1 +basedonline.nl, 1 +basedriver.com, 1 +baseerapp.com, 1 +basel-gynaecology.com, 1 +basel-gynaekologie.ch, 1 +basel-onlinemarketing.de, 1 +baselang.com, 1 +baselnazifrei.info, 0 +basement961.co.nz, 1 +basementdefender.net, 1 +basementdoctorwestvirginia.com, 1 +basementfinishingohio.com, 1 +basementwaterproofingasheville.com, 1 +basementwaterproofingdesmoines.com, 1 +basementwaterproofingknoxvilletn.com, 1 +basementwaterproofingsaintlouis.com, 1 +basementwaterproofingwi.com, 1 +basenio.de, 1 +baserverz.ga, 1 +basetherm.com, 1 +basetruck.cn, 1 +baseweb.design, 1 +basf-vcar.com, 1 +bash.news, 1 +bashari.tk, 1 +bashc.at, 0 +bashhack.cf, 1 +bashkimi.com, 1 +bashkiri.cf, 1 +bashkiria.cf, 1 +bashkiria.ga, 1 +bashkiria.ml, 1 +bashkirlife.tk, 1 +bashoutter.link, 1 +bashsoftware.tk, 1 +bashstreetband.co.uk, 1 +bashtel.tk, 1 +bashyconsulting.se, 1 +basic.is, 1 +basic.space, 1 +basicapparel.de, 1 +basicattentiontoken.org, 1 +basicguitarlessons.com, 1 +basicknowledge101.com, 1 +basiclimits.tk, 1 +basicports.com, 1 +basicports.eu, 1 +basicports.net, 1 +basicports.org, 1 +basics.domains, 1 +basics.net, 1 +basicskillstest.co.uk, 1 +basictools.tk, 1 +basicwallpapers.tk, 1 +basilicaknights.org, 1 +basilicproduction.fr, 1 +basilm.co, 1 +basilsys.com, 1 +basis-online.eu, 1 +basisbedarf.de, 1 +basisofcare.com, 1 +basisonline.nl, 1 +basisonlinefiles.nl, 1 +basisschoolhundelgem.be, 1 +basisvaardigheden.nl, 1 +basitplan.com, 1 +basket-ballworld.fr, 1 +basket-malaunay.fr, 1 +basket-sint-truiden.tk, 1 +basketball-malavan.tk, 1 +basketballnewz.tk, 1 +basketforex.com, 1 +basketsandmore.bg, 1 +baskibu.com, 0 +baskideposu.com.tr, 1 +baskingalkin.tk, 1 +basllp.co.uk, 1 +basmacioglu.com, 1 +basmp.ml, 1 +basnachtegaal.tk, 1 +basnoslovno.ru, 1 +basonlinemarketing.nl, 0 +basradio.tk, 1 +bass-pro.ru, 1 +bassanova.tk, 1 +bassbase.tk, 1 +bassblog.net, 1 +bassculture.tk, 1 +bassdentistry.com, 1 +basse-chaine.info, 1 +bassethound.tk, 1 +bassguy.tk, 1 +bassislandline.com.au, 1 +basskickers.tk, 1 +bassment.org, 1 +bassment.ph, 1 +bassotto.it, 1 +bassresource.com, 1 +bassrhymeposse.tk, 1 +bassrider.eu, 1 +bassstraitmaritimecentre.com.au, 1 +bassys.com.co, 1 +bastakka.eu, 0 +bastanet.tk, 1 +bastardator.tk, 1 +bastelstu.be, 1 +basteltips.tk, 1 +bastelwelt.ch, 1 +bastelzauberwelt.de, 1 +bastionadvokat.ml, 1 +bastionentifo.tk, 1 +bastolino.de, 1 +bastotrekking.pt, 1 +bastter.com, 1 +bastun.com, 1 +basuramarina.com, 1 +baswetter.photography, 1 +basyrova.ml, 1 +basysconsulting.com, 1 +basyspro.net, 1 +bata.co.zm, 1 +batacas.com, 1 +batailleros.tk, 1 +bataminnovationhub.com, 1 +bataviail.gov, 1 +bataviaoh.gov, 1 +batca.ca, 1 +batcave.tech, 1 +batch.com, 0 +batdongsancongnghiep.vn, 0 +bateaux-sans-permis.com, 0 +batelco.com, 1 +baterias.com, 1 +baterioverolety.cz, 1 +batescountymo.gov, 1 +batesvillearkansas.gov, 1 +batextiles.tk, 1 +bath.limited, 1 +bath.ltd.uk, 1 +bath.men, 1 +bathbodyshop.tk, 1 +bathcountyva.gov, 1 +bathok.tk, 1 +bathost.net, 1 +bathrobes.tk, 1 +bathroomremodelinggeorgia.com, 1 +bathroomsinkcabinet.tk, 1 +bathscobensraker.ga, 1 +bati-alu.fr, 1 +batiburrillo.net, 1 +batiim.co.il, 1 +batipiscine.com, 1 +batipresta.ch, 0 +batitrakya.org, 1 +batiweb.tv, 1 +batiwebgroup.com, 0 +batka-stealer.tk, 1 +batkhonjon.com, 1 +batkonjon.com, 1 +batmanvsupermanfullmovie.ga, 1 +batmod.com, 1 +batoit.gq, 1 +batonchik.tk, 1 +batonger.com, 1 +bats.gov, 1 +batten-family.uk, 1 +batten.eu.org, 1 +batterie-au-top.com, 1 +batterman.ch, 1 +battery-center.fr, 1 +batteryboys.ca, 1 +batteryboys.com, 1 +batterymax.org, 1 +batteryreconditioning.ml, 1 +batterystaple.pw, 1 +battle-arena.tk, 1 +battle-game.com, 1 +battlefield1942.tk, 1 +battleforkhashuri.tk, 1 +battlefrontoldschool.cf, 1 +battleguard.net, 1 +battleofthegridiron.com, 1 +battlerealms.cc, 1 +battlerite.tk, 1 +battletech.tk, 1 +battreil.tk, 1 +batualam88.id, 1 +batualam88.online, 1 +batucadastore.nl, 1 +batucilegon.com, 1 +batukhan.tk, 1 +batulicin.tk, 1 +batwatt.com, 1 +bau.ua, 1 +baubau.bg, 1 +bauchtanz.tk, 1 +bauer-plus.de, 1 +bauer-reininghorses.com, 1 +bauer.network, 0 +bauernhof-koch-edingen.de, 1 +bauernhof-lercher.at, 1 +bauernmarkt-fernitz.at, 1 +baufi-express.ag, 1 +baufi-express.biz, 1 +baufi-express.com, 1 +baufi-express.de, 1 +baufi-express.eu, 1 +baufi-express.info, 1 +baufi-express.net, 1 +baufi-express.org, 1 +baufi24.de, 0 +baufiexpress.ag, 1 +baufiexpress.biz, 1 +baufiexpress.com, 1 +baufiexpress.de, 1 +baufiexpress.eu, 1 +baufiexpress.info, 1 +baufiexpress.net, 1 +baufiexpress.org, 1 +baugelitt.eu, 1 +baugemeinschaftbernstein.de, 1 +baugeshite.de, 1 +bauhaus.cz, 1 +bauhaus.sk, 1 +baukebies.nl, 1 +baukelek.tk, 1 +baumannfabrice.com, 1 +baumansound.com, 1 +baumbet.ro, 1 +baumfreund.ch, 1 +baumkletterschule.de, 1 +baumkuchen-aus-dresden.de, 0 +baummer.com.br, 1 +baur.de, 1 +bausep.de, 1 +bausparkassen.tk, 1 +baustils.com, 1 +bauthier-occasions.be, 0 +bautizodelucia.com, 1 +bav.com, 1 +bavaria-feuerloeschershop.de, 1 +bavaropuntacanahotels.com, 1 +bavarovillage.com, 1 +bavartec.de, 1 +bavi.tk, 1 +bavoogi.com, 1 +bawag.at, 1 +bawbby.com, 1 +bawsiebezpiecznie.pl, 1 +baxir.fr, 1 +baxleyga.gov, 1 +baxomilowa.tk, 1 +baxtercountyar.gov, 1 +baxterstorey.online, 1 +baxterstoreyirelandonline.com, 1 +baxx.eu.org, 1 +bayanbennett.com, 1 +bayanradio.tk, 1 +bayarea.ga, 1 +bayarea.gq, 1 +bayarea.ml, 1 +bayarea.tk, 1 +bayareagynecology.com, 1 +bayareamustangs.tk, 1 +bayareaplasticsurgery.com, 1 +bayashi.net, 1 +bayburtgazetecilercemiyeti.org.tr, 1 +bayburtmanset.com, 1 +baycialis.net, 1 +baycitymi.gov, 1 +baycountyfltax.gov, 1 +bayden.com, 1 +baydreamer.tk, 1 +bayer-stefan.com, 1 +bayer-stefan.de, 1 +bayer-stefan.eu, 1 +bayer.earth, 1 +bayerhazard.de, 1 +bayernwaage.de, 1 +bayerstefan.com, 1 +bayerstefan.de, 1 +bayerstefan.eu, 1 +bayfly.net, 1 +bayhauling.net, 1 +bayherbalist.com, 1 +bayilelakiku.com, 1 +bayliss.aero, 1 +bayliss.co.uk, 1 +bayliss.uk, 1 +bayly.eu, 1 +baymard.com, 1 +baymark.com, 1 +bayofseo.com, 1 +bayou.energy, 1 +bayraklar.info, 1 +bayramov.tk, 1 +bayrampasa.bel.tr, 1 +bayrisch-fuer-anfaenger.de, 1 +bayscollisionrepairs.co.nz, 1 +bayshore.ca, 1 +baysidefamilydentist.com.au, 1 +baysidemedicalgroup.net, 1 +baysidephotography.ga, 1 +bayt.com, 1 +baytobayaircon.com.au, 1 +baytv.it, 1 +bayvotesfl.gov, 1 +baywatbemacom.cf, 1 +baywatch.io, 1 +bayyanainmuebles.com, 1 +baz.nl, 1 +baza-gai.com.ua, 1 +bazaarbhaav.com, 1 +bazaarcompass.com, 1 +bazaart.me, 1 +bazaclub.ru, 0 +bazaleev.ru, 1 +bazar-online.tk, 1 +bazar-pc.tk, 1 +bazar.bg, 0 +bazardunet.tk, 1 +bazarfds.com.br, 1 +bazari.com.pl, 1 +bazarmag.ir, 1 +bazarotehijos.com, 1 +bazdell.com, 0 +bazdidaval.ir, 1 +baze.cz, 1 +bazel.build, 1 +bazhan.wang, 1 +bazinga-events.nl, 1 +bazos.at, 1 +bazos.cz, 1 +bazos.pl, 1 +bazos.sk, 1 +bazziergraphik.com, 1 +bb-aroundtheworld.se, 1 +bb.church, 1 +bb00228.com, 0 +bb057.com, 0 +bb087.com, 0 +bb168.cc, 0 +bb2-group.com, 1 +bb37roma.it, 1 +bb5197.co, 1 +bb6729.co, 1 +bb6729.com, 1 +bb6957.co, 1 +bb9297.co, 1 +bb9728.co, 1 +bbaccademia.it, 1 +bbalposticino.it, 1 +bbamsch.com, 0 +bbb1991.me, 0 +bbbb.loan, 1 +bbbff.net, 1 +bbc.co.uk, 0 +bbc.com, 0 +bbc67.fr, 1 +bbcastles.com, 1 +bbcincorp.com, 1 +bbclyra.tk, 1 +bbcomcdn.com, 1 +bbcsuk.co.uk, 1 +bbcustomremodeling.com, 1 +bbfandom.com, 1 +bbfxtraders.com, 1 +bbg.org, 1 +bbgeschenke.ch, 0 +bbh-kreislauf.de, 1 +bbhsolutions.com, 1 +bbimarketing.com, 1 +bbinsure.com, 0 +bbiny.edu, 1 +bbk365m.com, 1 +bbk365t.com, 1 +bbk365zz.com, 1 +bbka.co.uk, 1 +bbka.org.uk, 1 +bbkanews.co.uk, 1 +bbkanews.com, 1 +bbkanews.org, 1 +bbkanews.uk, 1 +bbkworldwide.jp, 1 +bblsa.ch, 0 +bbmagnagrecia.it, 0 +bbmak.tk, 1 +bbmsarauniteam.com, 1 +bbnx.net, 1 +bbp.ng, 1 +bbpnas.win, 1 +bbqs-algarve.com, 1 +bbrassart.fr, 1 +bbrigittae.hu, 1 +bbrmonza.it, 1 +bbrp.org, 1 +bbs-buchholz.com, 1 +bbs-buchholz.eu, 1 +bbschat.tk, 1 +bbsec.xyz, 1 +bbtk.com, 1 +bbunits.de, 1 +bbusa.tk, 1 +bbw-wrestling.com, 1 +bbwanalsex.com, 1 +bbwhale.org, 1 +bbwmellon.com, 1 +bbwmovies.com, 1 +bbwpictures.com, 1 +bbwpornpics.com, 1 +bbwpussytube.com, 1 +bbwsexclips.com, 1 +bbwteens.org, 1 +bbx.bike, 1 +bbxin9.net, 1 +bbxy.buzz, 1 +bc-bd.org, 0 +bc-cdc.org, 1 +bc-diffusion.com, 1 +bcabs.com, 1 +bcaf.uk, 1 +bcakuwait.com, 1 +bcalabsokc.com, 1 +bcalles.dk, 1 +bcalles.eu, 1 +bcallesen.dk, 1 +bcallesen.eu, 1 +bcansw.com.au, 1 +bcarpentrypro.com, 1 +bcbsfepvision.com, 1 +bcbudonline.com, 1 +bcccremeno.it, 1 +bccx.eu.org, 1 +bccxo.com, 1 +bcdiesel.ca, 1 +bcdn.me, 1 +bcdonadio.com, 1 +bcdonadio.com.br, 1 +bcdonadio.org, 1 +bceaf.org, 1 +bcfp.gov, 1 +bcgefatap.com, 1 +bchep.com, 1 +bcis.co.uk, 0 +bck-koethen.de, 1 +bck-lelystad.nl, 1 +bckl.me, 1 +bclserver.se, 1 +bcmguide.com, 1 +bcmhire.co.uk, 1 +bcn.cv, 1 +bcnation.com, 1 +bcnet.com.hk, 1 +bcoffices.com.mx, 1 +bcomm.com.au, 1 +bconcept.be, 1 +bcoverart.com, 1 +bcpc-ccgpfcheminots.com, 1 +bcrnews.tk, 1 +bcrook.com, 1 +bcrypt.online, 1 +bcs-talk.com, 1 +bcschool.cn, 1 +bcsnygroup.com, 1 +bcsytv.com, 0 +bctraducciones.org, 1 +bcu.ac.uk, 1 +bcubeanalytics.com, 1 +bcutah.gov, 1 +bcvps.com, 1 +bcyw56.live, 0 +bcyw56.top, 1 +bcz.ca, 1 +bczeeland.tk, 1 +bd-friend.com, 1 +bd-media.tk, 1 +bd.foundation, 1 +bd4d.org, 1 +bda-boulevarddesairs.com, 0 +bdasites.in, 1 +bdbe.ga, 1 +bdbxml.net, 1 +bdcdev.in, 1 +bdd.fi, 1 +bddam.fr, 1 +bddam.one, 1 +bdeducator.com, 1 +bdeep.org, 1 +bdew.net, 1 +bdfriends.tk, 1 +bdgroup-lab.com, 1 +bdix.link, 1 +bdli.de, 1 +bdmusic25.us, 1 +bdo-tools.jp, 1 +bdocfurniture.com, 1 +bdpachicago.tech, 1 +bdpestsolutionsstlouis.com, 1 +bdpn.ru, 1 +bdragon.com, 1 +bdrmedia.rs, 1 +bdsdonghanh.com, 1 +bdsmbibliothek.net, 1 +bdsmcontrol.com, 1 +bdsmdating.tk, 1 +bdsmwiki.hu, 1 +bdsu-connect.de, 1 +bdsu-kongress.de, 1 +bdsu.de, 1 +bdtc.com.bd, 1 +bdtd.nl, 1 +bdtechnews.tk, 1 +be-bellence.com, 1 +be-craft.de, 1 +be-free.gq, 1 +be-nice.digital, 1 +be-real.life, 0 +be-sigsol.fr, 1 +be-up-developpement.com, 1 +be-wear.ch, 1 +be-webdesign.com, 1 +be.ax, 1 +be.search.yahoo.com, 0 +be.st, 1 +be2cloud.de, 1 +be9418.com, 1 +be9418.info, 1 +be9418.net, 1 +be9418.org, 1 +be9458.net, 0 +be9458.org, 0 +be958.info, 1 +be958.org, 1 +be9966.com, 1 +bea.expert, 0 +bea.gov, 1 +beabadoartesanato.com.br, 1 +beable.com, 1 +beacham.online, 1 +beachcitiestaxandaccounting.com, 1 +beachcitybody.com, 1 +beachcitycastles.com, 1 +beachcruisers.tk, 1 +beachlife4life.cf, 1 +beachmonster.tk, 1 +beachpoint.tk, 1 +beachsmile.com, 1 +beachsoccer.tk, 1 +beachvolley.tk, 1 +beachvolleyball.tk, 1 +beachworldchampion.tk, 1 +beacinsight.com, 1 +beaconcart.com, 1 +beaconfed.org, 1 +beaconhealthoptions.com, 1 +beaconhouse.org.uk, 1 +beaconny.gov, 1 +beaconstac.com, 1 +beadaptive.ca, 1 +beadare.com, 1 +beadare.nl, 1 +beadedcouture.tk, 1 +beadings.tk, 1 +beadseh.ca, 1 +beadsxbeans.com, 1 +beager.ga, 1 +beagles.tk, 1 +beaglesaspets.com, 1 +beaglesecurity.com, 1 +beagstudio.ie, 1 +beakbirds.com, 1 +beaker.coffee, 1 +beal.edu, 1 +bealefss.marketing, 1 +bealeslandscaping.co.uk, 1 +bealpha.pl, 1 +beam-life.tk, 1 +beam-to.me, 1 +beama.org, 1 +beambdi.com, 1 +beamitaly.tk, 1 +beamitapp.com, 1 +beamy-lake.com, 1 +bean-jam.jp, 1 +beanbot.party, 1 +beanboygames.com, 1 +beancount.io, 1 +beanilla.com, 1 +beanjuice.me, 1 +beansgalore.com.au, 1 +beaoriflame.hu, 1 +beapieceofart.com, 1 +beaquarium.com, 1 +bearblinds.com.au, 1 +bearbonesenterprises.com, 1 +bearcosports.com.br, 1 +bearcreekcubschildcare.com, 1 +bearcreektownshipmi.gov, 1 +beard.se, 1 +beardboys.co.za, 1 +bearded.sexy, 1 +bearden.io, 1 +beardic.cn, 0 +beardsome.me, 1 +beardsorcery.com, 1 +bearfactory.tk, 1 +bearfarm.tk, 1 +beargarden.club, 1 +beargorilla.com, 1 +bearings.tk, 1 +bearingworks.com, 1 +bearlakelife.com, 1 +bearrecords.tk, 1 +bearrun.com, 1 +bearslakeinn.com, 1 +bearsunderland.com, 1 +bearzoutdoor.com, 1 +beasel.biz, 1 +beast-books.com, 1 +beast.rent, 1 +beastiejob.com, 1 +beastlog.tk, 1 +beastnet.works, 1 +beastnet.xyz, 1 +beastowner.com, 1 +beastowner.li, 1 +beatachoroszynska.pl, 1 +beatbreaker.tk, 1 +beatfeld.de, 1 +beatfreaks.tk, 1 +beatle.tk, 1 +beatmaker.ml, 1 +beatmalaria.org, 1 +beaton.tk, 1 +beatquantum.com, 1 +beatrice-nightscout.herokuapp.com, 1 +beatrice-raws.org, 1 +beatricedailysun.com, 1 +beatriz-urbano-vega.tk, 1 +beatrizaebischer.ch, 0 +beatrizmartinez.tk, 1 +beatsaberchampionship.eu, 1 +beatsdope.com, 1 +beatsearch.net, 0 +beatsnbits.nl, 1 +beatsta.tk, 1 +beatthebastards.tk, 1 +beatuprobot.net, 1 +beatzone.tk, 1 +beau.cat, 1 +beaufortcastawaycharter.com, 1 +beaufortcountync.gov, 1 +beauhilton.com, 1 +beaulieu.ch, 1 +beaumontcabusiness.gov, 1 +beaute-eternelle.ch, 0 +beautiful-lingerie.tk, 1 +beautiful.ai, 1 +beautifulart.ml, 1 +beautifulplaces.tk, 1 +beautifulreflectionsmedspa.com, 1 +beautifulrussianwomen.cf, 1 +beautifulsouth.tk, 1 +beauty-blog.gq, 1 +beauty-form.ir, 1 +beauty-haircare.tk, 1 +beauty-salon-lino.com, 1 +beauty-stories.tk, 1 +beauty-style.ml, 1 +beauty-town.tk, 1 +beauty-woman.tk, 1 +beauty-yan-enterprise.com, 1 +beauty.moe, 0 +beauty24.de, 1 +beauty2home.net, 1 +beauty77.ch, 1 +beautyandboutique.tk, 1 +beautyandfashionadvice.com, 1 +beautyandthebeast.tk, 1 +beautyanna.ga, 1 +beautyanna.gq, 1 +beautyarticles.tk, 1 +beautybism.com, 1 +beautybox.ro, 1 +beautyboxes.net, 1 +beautyby.tv, 1 +beautycarepack.com.ng, 1 +beautycom.club, 1 +beautycon.ir, 1 +beautyeyewear.ga, 1 +beautyforce.bg, 1 +beautyforceacademy.bg, 1 +beautyindistress.tk, 1 +beautyinweb.net, 1 +beautyisfine.tk, 1 +beautykiss.com, 1 +beautylookz.nl, 1 +beautyoverture.com, 1 +beautyschool.od.ua, 1 +beautyseasons.ru, 1 +beautyspaceshop.com, 1 +beautyspacestore.com, 1 +beautyspot.tk, 1 +beautytechpro.ro, 1 +beaver-creek.ga, 1 +beaver.com.br, 1 +beaverdamautos.com, 1 +beaverheadcountymt.gov, 1 +beavertales.ca, 1 +beavillabea.it, 1 +beavivo.de, 0 +bebaspedia.com, 1 +bebbiboni.tk, 1 +bebe2luxe.fr, 1 +bebeautiful.business, 1 +bebebebra.bid, 1 +bebecar.com, 1 +bebechegou.com, 1 +bebechegou.com.br, 1 +bebef.de, 1 +bebefofuxo.com.br, 1 +bebemamae.com, 1 +bebes.uno, 1 +bebesreborns.com, 1 +bebest.gov, 1 +bebetrotteur.com, 1 +bebidasrd.com, 1 +bebodywise.com, 1 +beboldpr.com, 1 +bebout.domains, 1 +bebout.pw, 1 +bebr.loan, 1 +bebra.ai, 1 +bebra.loan, 1 +bebrenok.trade, 1 +bebrev.trade, 1 +bebrik.men, 1 +bebrina.date, 1 +bebro.loan, 1 +bebrochka.loan, 1 +becallgroup.com, 1 +because.co.il, 1 +becausecapitalism.org, 1 +beccaanne.photography, 1 +beccajoshwedding.com, 1 +bech32.net, 1 +beck.pl, 1 +beckdesign.tk, 1 +becker-annika.de, 1 +becker.wales, 1 +beckerpumps.com, 1 +becklove.cn, 1 +beckmandxapps.com, 1 +beckylicious.tk, 1 +beclan.tk, 1 +becleverwithyourcash.com, 1 +becli.com, 1 +beclick.co.il, 1 +becoairandheat.com, 1 +becollective.com, 1 +become-a-bounty-hunter.com, 1 +become-lucky.com, 1 +becomeaparalegal.org, 1 +becomebravehorsemanship.nl, 1 +becomewebdeveloper.tk, 1 +beconnect.cf, 1 +beconstructive.com, 1 +becquerelgroup.com, 1 +becs.ch, 0 +becubed.co, 0 +becydog.cz, 1 +bed-and-breakfast-elz.de, 1 +bedamedia.com, 1 +bedandbreakfast.dk, 1 +bedandbreakfasteuropa.com, 1 +bedandbreakfasthoekvanholland.com, 1 +bedavainternet.club, 1 +bedavakodlar.com, 1 +bedavaoyunkod.com, 1 +beddingexperts.com, 1 +bede.fr, 1 +bedeiah.tk, 1 +bedels.nl, 1 +bedenica.hr, 1 +bedford-hotel.co.uk, 1 +bedford911.com, 1 +bedfordnissanparts.com, 1 +bedful.com, 1 +bedienungsanleitung24.de, 1 +bedinfo.com, 1 +bedlingtonterrier.com.br, 1 +bedofcorpses.tk, 1 +bedouille.com, 1 +bedpage.com, 1 +bedrijfs-feesten.nl, 1 +bedrijfsfeesten.tk, 1 +bedrijfsfotoreportages.nl, 1 +bedrijfswasmachine.nl, 1 +bedrockcommunity.ml, 1 +bedrocklinux.org, 1 +bedrukt.nl, 1 +bedstecasinobonusser.dk, 1 +bedtimeflirt.com, 1 +bedum-blues.tk, 1 +bedwettingyoungsters.tk, 1 +bee-creative.nl, 1 +bee-line.org.uk, 1 +bee-removal-dublin.com, 1 +bee.tools, 1 +beebeads.ga, 1 +beebruh.bid, 1 +beebuy.online, 1 +beebuy.restaurant, 1 +beecambio.com.br, 1 +beecare.ch, 1 +beechwoodindustrial.com, 1 +beechwoodmetalworks.com, 1 +beedsolyjas.tk, 1 +beeebraa.download, 1 +beefclan.tk, 1 +beeg.hu, 1 +beegarage.com, 1 +beehive.govt.nz, 1 +beehive.systems, 1 +beehive42.com, 1 +beehive42.eu, 1 +beehive42.net, 1 +beehive42.nl, 1 +beehive42.org, 1 +beekbier.nl, 1 +beekeeper.supply, 1 +beekeeper.tools, 1 +beekeepingfiji.com, 1 +beekman-relatietherapie.nl, 1 +beeksnetwork.nl, 1 +beeldbankgent.be, 1 +beeliarspirit.org, 1 +beelikeus.pl, 1 +beeline.am, 1 +beelit.com, 0 +beeming.co.za, 1 +beeming.com.au, 1 +beeming.net, 1 +beeming.org, 1 +beemprimelogistics.com, 1 +beeone.nl, 1 +beepcar.ru, 1 +beeportfolio.com, 1 +beer-sheva.city, 1 +beer9.com, 1 +beerbruhs.com, 1 +beercast.co.uk, 1 +beeremovaljohannesburg.co.za, 1 +beeremovalpretoria.co.za, 1 +beeremovalspretoria.co.za, 1 +beergifts.tk, 1 +beerglasses.tk, 1 +beerhouse.tk, 1 +beerians.com, 1 +beerians.info, 1 +beerjet.bg, 1 +beerloga.tk, 1 +beernews.ga, 1 +beerradar.no, 1 +beerradar.party, 1 +beerre.com, 1 +beersandco.ch, 1 +beersconf.com, 1 +beersheba.co.il, 1 +beersheva.city, 1 +beersheva.co.il, 1 +beerview.ga, 1 +beerwallpa.com, 1 +beerxa.cz, 1 +beescloud.com, 1 +beesco.us, 1 +beesex.xyz, 1 +beesnoosa.com, 1 +beestar.it, 1 +beestation13.com, 1 +beestech.fr, 0 +beeswarmrehoming.com.au, 1 +beesweethoney.co.za, 1 +beet-und-balkonpflanze-des-jahres.de, 1 +beetech.global, 1 +beetgroup.id, 1 +beethoveninlove.com, 1 +beetsforyou.xyz, 1 +beeutifulparties.co.uk, 1 +beeweighed.co.uk, 1 +beezkneezcastles.co.uk, 1 +beeznest.com, 1 +befantasy.tk, 1 +befoodsafe.gov, 1 +beforeafter.gq, 1 +beforethedawn.tk, 1 +beforeyoueatoc.com, 1 +befreewifi.info, 1 +befunddolmetscher.de, 1 +befundonline.de, 1 +befunky.in, 1 +bega-dc.gov, 1 +begabungsfoerderung.info, 1 +begemoth.tk, 1 +begethost.cf, 1 +begin-motorcycling.co.uk, 1 +beginnercampingguide.top, 1 +beginwp.tips, 1 +begleitung-zuhause.at, 1 +begonias.tk, 1 +begoth.boutique, 1 +begovel.shop, 1 +begravningsbyranhumana.se, 1 +begundal.tk, 1 +behamepresrdce.sk, 1 +behamzdarma.cz, 1 +behappyonlinetanfolyam.hu, 1 +behar-selimi.tk, 1 +behatech.tk, 1 +behavenet.com, 1 +behavhealth.ml, 1 +behaving.tk, 1 +behaviorchangeimpact.org, 1 +behead.de, 1 +behealthandrehab.com, 1 +behealthoncologia.com, 1 +behealthyeveryday.eu, 1 +behemoth.cf, 1 +beherit.pl, 1 +behinam.co.il, 1 +behind-the-mask.tk, 1 +behindenemyminds.be, 1 +behindenemyminds.eu, 1 +behindertenagentur.de, 1 +behindsong.com, 1 +behindthedesk.tk, 1 +behindthemars.de, 1 +behleem.tk, 1 +behoerden-online-dienste.de, 1 +behold.gq, 1 +behomewithlove.com.br, 1 +behoreal.cz, 1 +behotelmalta.com, 1 +behrami.com, 1 +behrer.se, 1 +beiduofu.com, 1 +beiersdorf-svz.ch, 1 +beijing.bj, 1 +beijinglug.club, 1 +beijiquan.com, 1 +beikeil.de, 1 +beimchristoph.de, 1 +beinad.com, 1 +beinghuman.tk, 1 +beinghumanpsychotherapy.com.au, 1 +beingmad.org, 1 +beinsports.pro, 1 +beinsured.cloud, 0 +beinteractive.pl, 1 +beiqilai.com, 1 +beira.pt, 1 +beiramar.tk, 1 +beirasumos.pt, 1 +beirel.ru, 1 +beitmidrashrambam.com, 1 +beizsoft.co.uk, 1 +bejago.com, 1 +bejarano.io, 1 +bejbi.net, 1 +bejo.be, 0 +bejo.bg, 0 +bejo.by, 0 +bejo.cl, 0 +bejo.cn, 0 +bejo.com, 0 +bejo.com.au, 0 +bejo.com.br, 0 +bejo.com.mx, 0 +bejo.cz, 0 +bejo.es, 0 +bejo.hr, 0 +bejo.jp, 0 +bejo.kz, 0 +bejo.ma, 0 +bejo.nl, 0 +bejo.pl, 0 +bejo.pt, 0 +bejo.ro, 0 +bejo.ru, 0 +bejo.sk, 0 +bejo.ua, 0 +bejo.vn, 0 +bejoandes.cl, 0 +bejogt.com, 0 +bejoindia.in, 0 +bejoindonesia.com, 0 +bejoitalia.it, 0 +bejosamen.de, 0 +bejoseeds.com, 0 +bekabazar.cz, 1 +bekeltetes.hu, 1 +beklenengazete.com, 1 +bekmekci.tk, 1 +beko.co.uk, 1 +beko.ie, 1 +bekolite.com, 1 +bekoplc.com, 1 +bel-air1998.com, 1 +bel-assainissement-service.fr, 1 +bel-snegirek.ru, 0 +belacapa.com.br, 1 +belacine.com, 1 +belafonte.co, 1 +belajarcarabelajar.com, 1 +belajarpsikology.tk, 1 +belak.se, 1 +belanews.tk, 1 +belani.eu, 1 +belanja.express, 1 +belaradio.tk, 1 +belarbykora.tk, 1 +belardoinstrumentos.tk, 1 +belarto.es, 1 +belarto.pl, 1 +belarus-mtz.gq, 1 +belarus.tk, 1 +belarusmemorials.com, 1 +belarustoday.tk, 1 +belarustravel.tk, 1 +belastingmiddeling.nl, 1 +belayarus.tk, 1 +belcanto.cz, 1 +beleadsteam.com, 1 +belebey.city, 1 +beleefheemstede.nl, 1 +beleggingspanden-financiering.nl, 0 +belegit.org, 1 +belevingsboerderijdekoolberg.nl, 1 +belezadateresa.com.br, 1 +belezashopping.com.br, 1 +belf.ml, 1 +belfastbounce.co.uk, 1 +belfastjujitsu.tk, 1 +belfastlocks.com, 1 +belfasttechservices.co.uk, 1 +belfix.be, 1 +belfor-probleme.de, 1 +belga.tk, 1 +belge.rs, 1 +belger.tk, 1 +belgers.com, 1 +belgia.tk, 1 +belgian-investor.be, 1 +belgian-naturists.tk, 1 +belgian-swimmers-united.tk, 1 +belgianbirdalerts.be, 1 +belgianfilipinolovers.be, 1 +belgiantennis.tk, 1 +belgianwaffleironstore.com, 1 +belgianwesthoekclassic.tk, 1 +belgicaservices.be, 1 +belgie-postcodes.be, 1 +belgischekeizer.nl, 1 +belgischerijpony.tk, 1 +belgiumwi.gov, 1 +belgive.by, 1 +belgorod-host.cf, 1 +belgorod.ml, 1 +belgrademt.gov, 1 +belgradestatebank.com, 1 +belgraver.email, 1 +belgraver.eu, 1 +belgraver.xyz, 1 +belic.net, 1 +belichtungswert.de, 1 +belics.com, 1 +belidi.tk, 1 +belidzs.hu, 0 +belieber.tk, 1 +belien-tweedehandswagens.be, 1 +believablebook.com, 0 +believeinyourmind.com, 1 +beliishko.tk, 1 +belindaweb.tk, 1 +belinks.tk, 1 +belinsky.tk, 1 +beliyo.tk, 1 +belizemap.tk, 1 +belk.io, 1 +belka.online, 1 +belki.tk, 1 +belknapcounty.gov, 1 +belkys.net, 0 +bell-meet.de, 1 +bell.id.au, 1 +bella-abyssinia.tk, 1 +bella-klein.org, 1 +bella.network, 1 +bellaaroma.com.tw, 1 +bellacasarealtyaz.com, 1 +belladeluxxe.net, 1 +bellafashion.tk, 1 +bellaireroofinginc.com, 1 +bellamama.biz, 1 +bellamodeling.com, 1 +bellamy.cloud, 1 +bellamy.md, 1 +bellanews.tk, 1 +bellaslokal.de, 1 +bellassubsandpizza.com, 1 +bellastate.ca, 1 +bellatight.com, 1 +bellavistaoutdoor.com, 1 +bellcarrington.com, 1 +bellcomp.co.uk, 1 +belle-bete.ca, 1 +belle-epoque-toys.com, 1 +belle-lingerie.co.uk, 0 +bellebakes.blog, 1 +bellebaum.eu, 1 +bellecarmen.tk, 1 +bellehorizon.co.za, 1 +bellenews.com, 1 +bellenundballern.de, 1 +belleplaineiowa.gov, 1 +belleplainemn.gov, 1 +bellesetrebelles.tk, 1 +bellevilleboot.com, 1 +bellevueduilawyers.com, 1 +bellezanatural.life, 1 +bellezon-shop.com, 1 +bellezzasenzalimiti.it, 1 +bellflowerlactation.com, 1 +bellhowell.net, 1 +bellisima.com.co, 1 +bellissime.tk, 1 +bellmeadtx.gov, 1 +belloo.date, 1 +bellop.top, 1 +belloweb.tk, 1 +bellowsafs.marketing, 1 +belloy.net, 0 +bellpi.com, 0 +bellreguard.tk, 1 +bellsweets.com, 1 +bellthrogh.com, 1 +belltownfarms.com, 1 +belltownpower.com, 1 +bellware.io, 0 +bellyaccessoriesest.ga, 1 +belmontgoessolar.org, 1 +belmontnh.gov, 1 +belmontsheriffohio.gov, 1 +belmount.com.br, 1 +belmundo.org, 1 +belocallyseo.com, 1 +beloevino.ml, 1 +belos.at, 1 +belouga.org, 1 +belovedbumps.sg, 1 +belowaverage.tk, 1 +belowzero.tk, 1 +belquant.cf, 1 +belrosstrakh.tk, 1 +belrybalka.cf, 1 +bels-lijntje.nl, 1 +belsilos.com, 1 +belt.black, 1 +beltanelabrosse.tk, 1 +beltar.nl, 1 +beltbuckle.pw, 1 +beltman-shipping.tk, 1 +beltramifashion.be, 1 +beltsystemu.com, 1 +belug.de, 1 +belugadev.ml, 1 +belveb24.by, 1 +belvidereil.gov, 1 +belviderepoliceil.gov, 1 +belvideretownshipmi.gov, 1 +belvitajoreggelt.hu, 1 +belvo.com, 1 +belvoc.be, 1 +belvoirbouncycastles.co.uk, 1 +belwederczykow.eu, 1 +belzlongroup.com, 1 +bembee.tk, 1 +bemcorp.de, 1 +bemergroup.com, 1 +bemindly.com, 1 +bempensadoconsul.com.br, 1 +bemsoft.pl, 1 +bemvindoaolar.com.br, 1 +ben-deneme.gq, 1 +ben-energy.com, 0 +ben-escort-hh.com, 1 +ben-stock.de, 1 +ben.ge, 1 +ben.org.uk, 1 +ben2.co.il, 1 +benabbott.nz, 1 +benabrams.it, 1 +benadryl.ml, 1 +benadryld.tk, 1 +benaldirma.net, 1 +benary.org, 1 +benas.tk, 1 +benatarfanclub.com, 1 +benatherton.com, 1 +benatskezrkadla.sk, 1 +benazir-reaction.tk, 1 +benbalter.com, 1 +benbenben.loan, 1 +benbozsa.ca, 1 +benc.io, 1 +benceskorka.com, 1 +bencheetham.me.uk, 1 +benchling.com, 1 +benchmark-dental.com, 1 +benchmark-ip.com, 1 +benchmarkmonument.com, 1 +benclarkphotography.com.au, 1 +bencrump.com, 1 +bendechrai.com, 0 +bendemaree.com, 1 +bender.ga, 1 +benderssportsandspirits.com, 0 +bendingtheending.com, 1 +bendjadid.com, 1 +bendminding.com, 1 +bendwebs.com, 1 +bendyworks.com, 1 +beneathvt.com, 1 +beneazy.cf, 1 +benedetti.ca, 1 +benedict-system.eu, 1 +benedict-system.hu, 1 +benedict.systems, 1 +benedict.tk, 1 +benedicthanshenwang.com, 1 +benedictoaguilar.tech, 1 +benedikto.tk, 1 +benee-awraham.nl, 1 +benefeds.com, 1 +benefitboys.com, 1 +benefits.gov, 1 +benefitsbookcase.com, 1 +benefitsystems.ro, 1 +benefitz.cf, 1 +benefitz.ga, 1 +benefitz.gq, 1 +benefitz.ml, 1 +benekill.tk, 1 +benemortasia.com, 1 +benemortasia.eu, 1 +benemortasia.nl, 1 +benemortasia.us, 1 +benepla.com, 1 +benetcasablancas.tk, 1 +benevisim.com, 1 +benevita.bio, 1 +benevita.life, 1 +benevita.live, 1 +benevita.organic, 1 +benewahcountyid.gov, 1 +bengalcat.tk, 1 +bengalcatscare.com, 1 +bengaldisom.tk, 1 +bengalen.tk, 1 +bengalifake.tk, 1 +bengaltourism.ml, 1 +bengalurugifts.com, 1 +bengaratei.com, 1 +bengcao.com, 1 +bengisureklam.com, 1 +bengkelkeramik.tk, 1 +bengou.tk, 1 +bengt.org, 1 +benhammoutex.com, 1 +benhamplateau.tk, 1 +benhaney.com, 1 +benhartmann.de, 0 +benhavenarchives.org, 1 +benhocking.com, 1 +benhoeg.com, 0 +benia.cz, 1 +beniajan.tk, 1 +benicee.com, 1 +benidormcd.tk, 1 +benify.com, 1 +benify.se, 1 +benimhedefim.net, 1 +benimseom.com, 1 +benimsetin.com, 1 +benimsetin.org, 1 +beninca.link, 1 +beniskala.com, 1 +benjamin-horvath.com, 1 +benjamin-suess.de, 1 +benjamin-thomsen.de, 1 +benjaminbedard.com, 1 +benjaminblack.net, 1 +benjamindietrich.com, 1 +benjamindietrich.de, 1 +benjaminfox.net, 1 +benjaminjurke.com, 1 +benjaminkopelke.com, 1 +benjaminleupold.com, 1 +benjaminpiquet.fr, 0 +benjaminprevot.fr, 1 +benjaminrancourt.ca, 1 +benjaminvasel.de, 1 +benjamorphism.com, 1 +benjii.me, 1 +benjijaldoner.nl, 1 +benjilopez.com, 1 +benjonline.tk, 1 +benkelmed.com, 1 +benken.tk, 1 +benleb.de, 1 +benleemd.com, 1 +benleggiero.me, 1 +benmack.net, 1 +benmarron.co.uk, 1 +benmatthews.com.au, 1 +benmedia.nl, 1 +bennet.org, 0 +bennettsbouncycastlehire.co.uk, 1 +bennettshire.co.uk, 1 +benni1.eu, 1 +bennie.com, 1 +bennierobinson.com, 1 +benningtonne.gov, 1 +benningtontownshipmi.gov, 1 +bennink.me, 1 +benno.frl, 1 +bennygommers.nl, 1 +bennythink.com, 1 +benobi.one, 0 +benoit.jp.net, 1 +benoitchantre.com, 1 +benprisby.com, 1 +benpro.fr, 1 +benq.com, 1 +benq.eu, 1 +benrogers.tk, 1 +bensbouncycastles.co.uk, 1 +benschnarr.com, 1 +benscobie.com, 1 +benshoof.org, 1 +bensinflatables.co.uk, 1 +bensjamtracks.com, 1 +bensokol.com, 1 +bensonvermont.gov, 1 +benstevinson.com, 1 +bensvpn.com, 1 +bensvriend.tk, 1 +bent-nails.com, 1 +bentallgreenoak.com, 0 +bentaylorforcroydonsouth.online, 1 +bentcreekfarm.us, 1 +bentebogholder.dk, 1 +bentek.fr, 1 +bentertain.de, 0 +benthanhtourist.com, 1 +bentina.com, 1 +bentley.blog, 1 +bentley.link, 1 +bentleyks.gov, 1 +bento-kurumaya.co.jp, 1 +bentoncountyia.gov, 1 +bentoncountyor.gov, 1 +bentoncountywa.gov, 1 +bentongroup.co.uk, 1 +bentonweatherstone.co.uk, 1 +bentonwi.gov, 1 +bentpunk.tk, 1 +bentrask.com, 1 +benu.cz, 1 +benu.rs, 1 +benulekaren.sk, 1 +benunapredpis.cz, 1 +benward.physio, 1 +benwoo.org, 1 +benz-hikaku.com, 1 +benzblog.tk, 1 +benzi.io, 1 +benzieco.gov, 1 +benzin.tk, 1 +benzonestore.tk, 1 +benzou-space.com, 1 +beonas.ddns.net, 1 +beonline.ml, 1 +beornish.com, 1 +beospain.tk, 1 +bep.gov, 1 +bepayd.com, 1 +bephoenix.org.uk, 0 +bepick.blog, 1 +bepiratedo.gay, 1 +bepositive.ml, 1 +beptutotnhat.com, 1 +bepzi.com, 1 +beq.cc, 1 +bequ1ck.com, 1 +bequiia.com, 1 +berakal.com, 1 +beran.tk, 1 +berandalcorp.tk, 1 +beranovi.com, 1 +beraru.tk, 1 +berasavocate.com, 1 +beraten-entwickeln-steuern.de, 1 +beratungswelt.dvag, 1 +berbatov.ga, 1 +berbervandenberg.tk, 1 +berchtesgaden-hilft.de, 1 +berdan.tk, 1 +berdu.id, 1 +bereaplumber.co.za, 1 +bereelcorporation.com, 1 +bereginy.com.ua, 1 +bereginya-lada.ru, 1 +beregite-zdorovje.ru, 1 +beregusha.com, 1 +bereikbaargent.be, 1 +berekenen.nl, 1 +berekenhet.nl, 1 +berend.tk, 1 +bereregisdental.co.uk, 1 +beresbalazs.tk, 1 +berete.de, 1 +beretinec.hr, 1 +berg-tal.com, 1 +berg.social, 1 +berge.tk, 1 +bergelevrad.tk, 1 +bergencountyclerk.gov, 1 +bergenfieldnj.gov, 1 +bergerandgreen.com, 1 +bergevoet-fa.nl, 0 +bergfex.at, 1 +bergfex.ch, 1 +bergfex.com, 1 +bergfex.de, 1 +bergfex.it, 1 +berggeit.tk, 1 +berghof-foundation.org, 1 +berghuus.ch, 1 +berglust-pur.de, 1 +bergmanbeachproperties.com, 1 +bergside.pl, 1 +bergsjomannen.tk, 1 +bergstation.eu, 1 +bergstoneware.com, 1 +bergvallsmassage.se, 1 +bergwandercamp.de, 1 +bergwandercamp.eu, 1 +bergwandercamp.info, 1 +berhampore-gateway.tk, 1 +berichtsheft-vorlage.de, 1 +berighthere.com, 1 +berightthere.eu, 1 +berikod.ru, 1 +beris.us, 1 +beritalaptop.com, 1 +beritamotor.tk, 1 +beritanow.tk, 1 +beritatopbanten.com, 0 +beritavirall.com, 1 +berjadagar.is, 1 +berjou.me, 1 +berk.tk, 1 +berkadia.com, 1 +berkat-luqs.ddns.net, 1 +berkbrands.com, 1 +berkeleyca.gov, 1 +berkeleypolitical.review, 1 +berkhills.com, 1 +berksabstract.com, 1 +berksestateplanning.com, 1 +berkshire.com, 1 +berkshireesupply.com, 0 +berkspa.gov, 1 +berkswatertech.com, 1 +berkvensgm.nl, 1 +berlin-cuisine.com, 1 +berlin-flirt.de, 1 +berlin-hotel.tk, 1 +berlin-starlight-orchestra.de, 1 +berlinal.gov, 1 +berlincreators.de, 1 +berlinct.gov, 1 +berlindecouverte.fr, 1 +berlingeriresort.it, 1 +berlinnhpd.gov, 1 +berlintwpioniami.gov, 1 +berlintwpmi.gov, 1 +berlinvt.gov, 1 +berluga.com, 1 +berluskoni.tk, 1 +bermatrix.hu, 1 +bermeitinger.eu, 0 +bermellar.tk, 1 +bermos.net, 1 +bermudabathtub-retard.cf, 1 +bermytraq.bm, 1 +bern.bz, 1 +berna.fr, 1 +bernack.ga, 1 +bernadette.tk, 1 +bernadetteanderes.ch, 0 +bernadettehermsen.nl, 1 +bernama.com.my, 1 +bernar.do, 1 +bernard.fr, 1 +bernardbeneito.com, 1 +bernardcontainers.be, 0 +bernardez-photo.com, 1 +bernarditadiaz.tk, 1 +bernardocoelho.com.br, 1 +bernardsville.gov, 1 +bernardwatch.com, 1 +bernat.ch, 1 +bernat.im, 1 +bernayslab.com, 1 +bernbrucher.com, 0 +bernbrucher.de, 0 +berncoclerk.gov, 1 +bernd-leitner-fotodesign.com, 1 +bernd-leitner-fotodesign.de, 1 +bernd-leitner.de, 1 +bernd-schnitter.de, 1 +bernd-ungerer.com, 0 +berndartmueller.com, 0 +berndtgen.org, 1 +bernerland.cf, 1 +bernerland.tk, 1 +bernersennen.tk, 1 +bernhard-eicher.ch, 1 +bernhard-seidenspinner.de, 1 +bernhardluginbuehl.ch, 1 +bernhardluginbuehl.com, 1 +bernie.lol, 1 +bernie.pics, 1 +bernieware.de, 1 +bernius.eu, 1 +bernius.xyz, 1 +bernmail.ch, 1 +bernoldi.com.ar, 1 +berntmuurling.nl, 1 +bernyweb.net, 1 +beroepenhuis.gent, 1 +berr.yt, 1 +berra.se, 0 +berria.fi, 1 +berriabot.com, 1 +berriabot.fi, 1 +berriacast.com, 1 +berriacast.fi, 1 +berriainfo.com, 1 +berriainfo.fi, 1 +berriencountyga.gov, 1 +berries.com, 1 +berrnd.net, 1 +berrus.com, 1 +berry.cat, 1 +berrycheapers.ga, 1 +berryevent.es, 0 +berryvillear.gov, 1 +bersatu.com.my, 1 +berserk.gq, 1 +berserk.tk, 1 +bersier.net, 1 +bersierservices.ch, 0 +berst.cz, 1 +bert-dijkink.tk, 1 +bert.org, 1 +bertaudarthur.fr, 1 +bertbrockham.org.uk, 1 +bertgroup.com, 1 +berthabailey.com, 1 +berthaphil.com, 1 +berthaundcarlbenzpreis.de, 1 +berthelier.me, 1 +berthoudeconomicdevelopment.com, 1 +bertlight.com, 1 +bertold.org, 1 +bertoliniodontoiatria.it, 1 +bertr.am, 1 +bertrand.bio, 0 +bertrandkeller.info, 0 +bertrell.com, 1 +bertsmithvwparts.com, 1 +bertusengelbrecht.com, 1 +berwickpa.gov, 1 +berz.one, 1 +berzkalne.co.uk, 1 +besanowsky.de, 1 +besarfe.com, 0 +besb66.club, 1 +besb66.me, 1 +besb66.ninja, 1 +besb66.rocks, 1 +besb66.us, 1 +bescoutednow.com, 1 +bescover.com, 1 +besdev.uk, 1 +besedovichi.tk, 1 +besensi.com, 1 +besiconstruct.be, 1 +besidemetal.tk, 1 +besikta.se, 1 +besiktasmtsk.com, 1 +besir.com, 1 +beskiden.com, 1 +besnard.me, 1 +besnik.de, 0 +besnik.tk, 1 +besola.de, 1 +besolov.tk, 1 +besonderheit.com, 1 +besonders-s.at, 1 +besox.be, 1 +bespaarbazaar.nl, 1 +bespaarenergie.click, 1 +bespaarnu.click, 1 +bespoiled.nl, 1 +bespokebathrooms.com.au, 1 +bespokespeaker.uk, 1 +bespredel.tk, 1 +bessels.tk, 1 +bessems.com, 1 +bessems.eu, 1 +besser-beissen.de, 1 +besser-golfen.tk, 1 +besslavnye-ublyudki.tk, 1 +bessmertie.ml, 1 +best-accounting-schools.com, 1 +best-art-colleges.com, 1 +best-book.gq, 1 +best-business-colleges.com, 1 +best-cat.tk, 1 +best-cats.tk, 1 +best-chiter.tk, 1 +best-community-colleges.com, 1 +best-education-schools.com, 1 +best-engineering-colleges.com, 1 +best-essay-service.com, 1 +best-games.cf, 1 +best-graduate-programs.com, 1 +best-hvac-schools.com, 1 +best-lutheran-colleges.com, 1 +best-management-schools.com, 1 +best-marketing-schools.com, 1 +best-mum.fr, 1 +best-nursing-colleges.com, 1 +best-of-bounce.co.uk, 1 +best-party.ru, 1 +best-pdf.com, 1 +best-photobooth.ro, 1 +best-seminar.gq, 1 +best-seminar.ml, 1 +best-software.tk, 1 +best-stroy.ru, 1 +best-ticket.it, 1 +best-tickets.co.uk, 1 +best-tickets.com.au, 1 +best-trucking-schools.com, 1 +best-wedding-quotes.com, 1 +best10resumewriters.com, 1 +best66.me, 1 +besta.tk, 1 +bestaction.tk, 1 +bestafricaradio.tk, 1 +bestallgame.co, 1 +bestallid06.se, 1 +bestarts.tk, 1 +bestasquadradas.org, 1 +bestatos.com, 1 +bestatter.de, 1 +bestattungen-kammerer.de, 1 +bestattungshaus-kammerer.de, 0 +bestaucasinosites.com, 1 +bestaustraliancasinosites.com, 1 +bestautoinsurance.com, 1 +bestbatteriesonline.com, 1 +bestbefore.com, 1 +bestbestbitcoin.com, 1 +bestbonuses.co.uk, 1 +bestbookmark.cf, 1 +bestbookmark.gq, 1 +bestbookmark.ml, 1 +bestboot.cf, 1 +bestbox.be, 1 +bestbrakes.com, 1 +bestbudseedbank.com, 1 +bestbureau.fr, 1 +bestbuyzone.com, 1 +bestcamshow.tk, 1 +bestcanvaswallart.com, 1 +bestcarscyprus.com, 1 +bestcash2020.com, 1 +bestcasinositesonline.com, 1 +bestchoicehomeinspections.com, 1 +bestclassifiedsusa.com, 1 +bestclix.ml, 1 +bestcms.tk, 1 +bestcollegeaid.com, 1 +bestcreditcards.biz, 1 +bestcreditcards.me, 1 +bestcreditcards.news, 1 +bestcreditcards.tv, 1 +bestcreditcards.xyz, 1 +bestcriminallawyerinsingapore.com, 1 +bestcrossbowguide.com, 1 +bestdatingsite.ml, 1 +bestdatingsite.tk, 1 +bestdeal-umzug.de, 1 +bestdeal.co.in, 1 +bestdealstrips.com, 1 +bestdiabeteshealth.com, 1 +bestdlsites2.tk, 1 +bestdownloadscenter.com, 1 +bestdslrcameras.tk, 1 +bestecbdolie.com, 1 +bestech.de, 1 +bestechgadgets.tk, 1 +besteckliste.com, 1 +bestedeal.nl, 1 +besteenergieleverancier.com, 1 +bestehen.com, 1 +bestehostingproviders.nl, 1 +bestelhetmaar.nl, 1 +bestellipticalmachinereview.info, 1 +bestelsportprijzen.nl, 1 +bestemailmarketingsoftware.org, 1 +bestenlogin.com, 1 +bestertagderwelt.de, 1 +bestesb.net, 1 +bestescortmallorca.com, 1 +bestescortsdirectory.com, 1 +bestessayhelp.com, 1 +bestestquote.com, 1 +bestethereumcasinos.io, 1 +besteto.cz, 1 +besteto.sk, 1 +besteuitvaartverzekering.com, 1 +bestfacts.ru, 1 +bestfewo.de, 1 +bestfitnesswatchreview.info, 1 +bestfornutrition.com, 1 +bestfotostudio.com, 1 +bestfriend.ga, 1 +bestfriendsequality.org, 1 +bestgardener.info, 1 +bestgiftever.ca, 1 +bestgolftrips.ca, 1 +bestgriefbooks.com, 1 +besthemes.tk, 1 +besthobi.com, 1 +besthorsebedding.com, 0 +besthost.cz, 1 +besthouse.co.il, 1 +besthumorsite.tk, 1 +besti.it, 1 +bestiahosting.com, 1 +besties4life.ml, 1 +bestincservices.com, 1 +bestinductioncooktop.us, 1 +bestinsider.net, 0 +bestinsulatedwaterbottle.tk, 1 +bestinver.es, 0 +bestitwork.tk, 1 +bestjigsawreview.net, 1 +bestjumptrampolines.be, 1 +bestkbeauty.com, 1 +bestkenmoredentists.com, 1 +bestkeys.ga, 1 +bestladyshaver.co.uk, 0 +bestlawabundant.tk, 1 +bestlawafter.tk, 1 +bestlawamazing.tk, 1 +bestlawanchor.tk, 1 +bestlawarrow.tk, 1 +bestlawatlantic.tk, 1 +bestlawavatar.tk, 1 +bestlawbattle.tk, 1 +bestlawblaster.tk, 1 +bestlawblod.tk, 1 +bestlawbody.tk, 1 +bestlawbounce.tk, 1 +bestlawbrite.tk, 1 +bestlawbrowse.tk, 1 +bestlawbrowser.tk, 1 +bestlawbuddies.tk, 1 +bestlawbuller.tk, 1 +bestlawbunny.tk, 1 +bestlawcache.tk, 1 +bestlawcalculator.tk, 1 +bestlawcamel.tk, 1 +bestlawcaptive.tk, 1 +bestlawcarnival.tk, 1 +bestlawcatch.tk, 1 +bestlawcatcher.tk, 1 +bestlawcellar.tk, 1 +bestlawcharm.tk, 1 +bestlawcharte.tk, 1 +bestlawcharts.tk, 1 +bestlawcheaper.tk, 1 +bestlawconstruct.tk, 1 +bestlawcorporation.tk, 1 +bestlawcounty.tk, 1 +bestlawcreativity.tk, 1 +bestlawcrunch.tk, 1 +bestlawcrystal.tk, 1 +bestlawctktom.tk, 1 +bestlawcupid.tk, 1 +bestlawcuriotk.tk, 1 +bestlawdepot.tk, 1 +bestlawdesigning.tk, 1 +bestlawdestination.tk, 1 +bestlawdivine.tk, 1 +bestlawdodge.tk, 1 +bestlawdollars.tk, 1 +bestlawdowntown.tk, 1 +bestlawduck.tk, 1 +bestlaweagle.tk, 1 +bestlawebony.tk, 1 +bestlawecho.tk, 1 +bestlawecono.tk, 1 +bestlawelectra.tk, 1 +bestlawenvy.tk, 1 +bestlawepic.tk, 1 +bestlawfalcon.tk, 1 +bestlawfame.tk, 1 +bestlawfighter.tk, 1 +bestlawflavor.tk, 1 +bestlawfolder.tk, 1 +bestlawgang.tk, 1 +bestlawgecko.tk, 1 +bestlawgeo.tk, 1 +bestlawglamour.tk, 1 +bestlawglory.tk, 1 +bestlawgoddess.tk, 1 +bestlawgorilla.tk, 1 +bestlawgrab.tk, 1 +bestlawgrabber.tk, 1 +bestlawgrace.tk, 1 +bestlawgram.tk, 1 +bestlawgratis.tk, 1 +bestlawgroove.tk, 1 +bestlawgrow.tk, 1 +bestlawguerilla.tk, 1 +bestlawguerrilla.tk, 1 +bestlawgun.tk, 1 +bestlawhands.tk, 1 +bestlawhandsome.tk, 1 +bestlawhandy.tk, 1 +bestlawhard.tk, 1 +bestlawhotrod.tk, 1 +bestlawhtkky.tk, 1 +bestlawice.tk, 1 +bestlawimagine.tk, 1 +bestlawintergrity.tk, 1 +bestlawiron.tk, 1 +bestlawjackpot.tk, 1 +bestlawjewel.tk, 1 +bestlawjoker.tk, 1 +bestlawjtkt.tk, 1 +bestlawkayak.tk, 1 +bestlawkiss.tk, 1 +bestlawknight.tk, 1 +bestlawlast.tk, 1 +bestlawlastminute.tk, 1 +bestlawlegacy.tk, 1 +bestlawless.tk, 1 +bestlawlightning.tk, 1 +bestlawlimited.tk, 1 +bestlawlion.tk, 1 +bestlawlittle.tk, 1 +bestlawloco.tk, 1 +bestlawlowprice.tk, 1 +bestlawlucky.tk, 1 +bestlawmain.tk, 1 +bestlawmarks.tk, 1 +bestlawmatche.tk, 1 +bestlawmeasure.tk, 1 +bestlawmember.tk, 1 +bestlawmessenger.tk, 1 +bestlawmeta.tk, 1 +bestlawmetric.tk, 1 +bestlawmillions.tk, 1 +bestlawminer.tk, 1 +bestlawmtkcle.tk, 1 +bestlawmystical.tk, 1 +bestlawnano.tk, 1 +bestlawnational.tk, 1 +bestlawnations.tk, 1 +bestlawnatural.tk, 1 +bestlawnight.tk, 1 +bestlawnobel.tk, 1 +bestlawnormal.tk, 1 +bestlawnorthamerican.tk, 1 +bestlawnumber.tk, 1 +bestlawocity.tk, 1 +bestlawoffline.tk, 1 +bestlawoftheday.tk, 1 +bestlawomatic.tk, 1 +bestlawomega.tk, 1 +bestlawoneday.tk, 1 +bestlawopedia.tk, 1 +bestlawopplis.tk, 1 +bestlaworama.tk, 1 +bestlaworiginal.tk, 1 +bestlawother.tk, 1 +bestlawouter.tk, 1 +bestlawover.tk, 1 +bestlawyernear.com, 1 +bestleftwild.com, 1 +bestliege.be, 1 +bestlifek9training.com, 1 +bestlyrics.tk, 1 +bestmasterofscienceinnursing.com, 1 +bestmastersinpsychology.com, 1 +bestmattressabout.com, 1 +bestmattresses.tk, 1 +bestmaturepics.com, 1 +bestmedsmmj.com, 1 +bestmicro.fr, 1 +bestmodels.ua, 1 +bestmotherfucking.website, 1 +bestmotorcyclehelmets.net, 1 +bestnetentcasino.info, 1 +bestnetflowanalyzer.com, 1 +bestnewsmag.com, 1 +bestnovelbooks.ga, 1 +bestnursingdegree.com, 1 +bestnursingmasters.com, 1 +besto.cf, 1 +besto.ga, 1 +besto.tk, 1 +bestofbooks.gq, 1 +bestofdate.com, 1 +bestofjazz.org, 1 +bestofnuevovallarta.com, 1 +bestofrooftop.com, 1 +bestoldmusic.tk, 1 +bestoliveoils.com, 1 +bestomania.tk, 1 +bestonlinestuffs.com, 1 +bestparking.com, 1 +bestpartyhire.com, 1 +bestpig.fr, 1 +bestplus.ml, 1 +bestplus.tk, 1 +bestpneu.cz, 1 +bestporn.pics, 1 +bestporn2022.com, 1 +bestpornclip.com, 1 +bestporngirls.com, 1 +bestpornpictures.com, 1 +bestportablegeneratorratings.com, 1 +bestpost.org, 1 +bestpressurewashingchicago.com, 1 +bestpsychologydegrees.com, 1 +bestpsychologydegrees.org, 1 +bestreleases.tk, 1 +bestremote.io, 1 +bestroofinginkansascity.com, 1 +bestroutes.net, 1 +bestsatoshifaucet.ga, 1 +bestschools.io, 1 +bestseo4u.co.uk, 1 +bestsextoys.com, 1 +bestshoesmix.com, 1 +bestshopping.ga, 1 +bestshops.ga, 1 +bestsidelka.ru, 1 +bestsingingbowls.com, 1 +bestsiteporn.com, 1 +bestsolution.at, 1 +beststock.kr, 1 +beststudio.ru, 1 +besttechnews.ml, 1 +besttipsntricks.tk, 1 +besttrade.tk, 1 +besttrannytube.com, 1 +besttraveluk.ga, 1 +bestvape.ie, 1 +bestvpns.co.uk, 0 +bestvpnsoftware.org, 1 +bestwebcams.ga, 1 +bestwebcams.ml, 1 +bestwebsite.gallery, 1 +bestweleenbeetje.nl, 0 +bestwigs.ga, 1 +bestwirelessdoorbell.ml, 1 +bestwriterjobs.tk, 1 +bestzoo.tk, 1 +besured.nl, 1 +besv.com, 1 +beszerzokozpont.hu, 1 +bet-platform.com, 1 +bet031.com, 0 +bet03vip.com, 0 +bet064.com, 0 +bet06vip.com, 1 +bet074.com, 0 +bet08vip.com, 1 +bet166111.com, 1 +bet166333.com, 1 +bet166444.com, 1 +bet166555.com, 1 +bet166888.com, 1 +bet1668888.com, 1 +bet166999.com, 1 +bet166b.com, 1 +bet166c.com, 1 +bet166uu.com, 1 +bet166ww.com, 1 +bet166yy.com, 1 +bet1x-th.com, 1 +bet1x-thai.com, 1 +bet1x-thailand.com, 1 +bet333111.com, 1 +bet333123.com, 1 +bet333222.com, 1 +bet333321.com, 0 +bet333345.com, 0 +bet333432.com, 0 +bet333444.com, 1 +bet333456.com, 1 +bet333567.com, 1 +bet333666.com, 1 +bet333678.com, 1 +bet333789.com, 0 +bet333h.com, 1 +bet333k.com, 0 +bet333l.com, 1 +bet333m.com, 1 +bet333n.com, 1 +bet333o.com, 1 +bet333p.com, 0 +bet333q.com, 1 +bet333r.com, 0 +bet333s.com, 1 +bet333t.com, 1 +bet333w.com, 0 +bet333x.com, 1 +bet333y.com, 1 +bet333z.com, 1 +bet338c.com, 1 +bet3639.com, 0 +bet365-fixed-matches.com, 1 +bet365bc.net, 1 +bet365bet2020.com, 1 +bet365cn-casino.com, 1 +bet365cn-game.com, 1 +bet365cn-keno.com, 1 +bet365cn-livecasino.com, 1 +bet365cn-poker.com, 1 +bet365cn-sports.com, 1 +bet365cn-vegas.com, 1 +bet365cnq.com, 1 +bet365cnr.com, 1 +bet365cnt.com, 1 +bet365cnu.com, 1 +bet365cnv.com, 1 +bet365cnw.com, 1 +bet365cnx.com, 1 +bet365cny.com, 1 +bet365cnz.com, 1 +bet365g8.com, 1 +bet365n1.com, 1 +bet365n2.com, 1 +bet365n6.com, 1 +bet365n8.com, 1 +bet365n9.com, 1 +bet365q0.com, 1 +bet365q6.com, 1 +bet365q8.com, 1 +bet365q9.com, 1 +bet365r8.com, 1 +bet365vip1.com, 0 +bet365vip2.com, 1 +bet365vip2020.com, 0 +bet365vip7.com, 1 +bet365x0.com, 1 +bet365x1.com, 1 +bet365x2.com, 1 +bet365x3.com, 1 +bet365x6.com, 1 +bet365x9.com, 1 +bet391.com, 0 +bet392.com, 0 +bet397.com, 0 +bet3xx.com, 1 +bet3zz.com, 1 +bet43app.com, 1 +bet44410.com, 1 +bet444403.com, 0 +bet444424.com, 0 +bet444425.com, 0 +bet444426.com, 0 +bet444429.com, 0 +bet444430.com, 1 +bet5119.com, 1 +bet5234.com, 1 +bet531.com, 0 +bet5757.com, 1 +bet600.co.uk, 1 +bet631.com, 0 +bet66.com, 1 +bet66669999.com, 1 +bet666888.vip, 1 +bet7234.com, 1 +bet819.com, 0 +bet86ah.com, 1 +bet86am.com, 1 +bet86cq.com, 1 +bet86fj.com, 1 +bet86gs.com, 1 +bet86gx.com, 1 +bet86gz.com, 1 +bet86hlj.com, 1 +bet86hn.com, 1 +bet86jl.com, 1 +bet86js.com, 1 +bet86jx.com, 1 +bet86ln.com, 1 +bet86nmg.com, 1 +bet86nx.com, 1 +bet86qh.com, 1 +bet86sc.com, 1 +bet86sd.com, 1 +bet86sh.com, 1 +bet86sx.com, 1 +bet86tj.com, 1 +bet86tw.com, 1 +bet86xj.com, 1 +bet86xz.com, 1 +bet86yn.com, 1 +bet86zj.com, 1 +bet909.com, 1 +beta-cell.com, 1 +beta-site-staging.azurewebsites.net, 1 +beta.pw, 0 +betaa0.com, 1 +betaa2.com, 1 +betaa3.com, 1 +betaa5.com, 1 +betaa6.com, 1 +betaa8.com, 1 +betaa9.com, 1 +betaal.my, 1 +betaams.net, 1 +betabar.dk, 1 +betacalc.com, 1 +betaclouds.net, 1 +betacommand.tk, 1 +betadelivery.co.uk, 1 +betahyp.de, 1 +betalingsservice.dk, 1 +betandslots.com, 1 +betandyou.com, 1 +betandyou.mobi, 1 +betandyou1.com, 1 +betanoapp.com, 1 +betaoptimize.com, 1 +betaprofiles.com, 1 +betasozluk.com, 1 +betata.tk, 1 +betatester.ml, 1 +betawi.com, 1 +betaworx.de, 1 +betaworx.eu, 1 +betb33.com, 0 +betb73.com, 0 +betbed.ml, 1 +betbravo.et, 1 +betc.com, 1 +betcn-mart.com, 1 +betecnet.de, 1 +betel.tk, 1 +betelgeus.com, 1 +betelnatural.com, 1 +betemyja.tk, 1 +betenemy.com, 1 +beteroud.nl, 1 +betexperts.tk, 1 +betfair.com.co, 1 +betformular.com, 1 +bethanyhome.org, 1 +bethanymo.com, 1 +bethanytownshipmi.gov, 1 +bethatkinson.tk, 1 +bethelparkpa.gov, 1 +bethelparkpapolice.gov, 1 +betheltwplebanon.gov, 1 +bethematch.org, 1 +bethematchclinical.org, 1 +betheredge.us, 1 +bethlehemnj.gov, 1 +bethlehempa.org, 1 +bethlehemwv.gov, 1 +bethpage.net, 1 +bethphageanimalclinic.com, 1 +bethulietourism.co.za, 1 +bethzone.tk, 1 +beticaret.com, 1 +betingsite.com, 1 +betish.tk, 1 +betkorea1.com, 1 +betleakbot.com, 1 +betmobilenigeria.com, 1 +betobaccofree.gov, 1 +betolerant.fr, 1 +beton-vloer.nl, 1 +beton.ie, 1 +betonbewerkingsmachines.be, 1 +betondrew.com, 1 +betongereedschap.be, 1 +betoniera.org, 1 +betonline.bz, 1 +betonmachines.be, 1 +betonmarkets.info, 1 +betonperkasa.com, 1 +betonsport.ga, 1 +betonvloerpolijsten.com, 1 +betop-lab.com, 1 +betor.cz, 1 +betor.sk, 1 +betordertr.com, 1 +betoskip.tk, 1 +betpokies.com, 1 +betreut.at, 1 +betreut.de, 1 +betrifft-mich-dsgvo.ch, 1 +betrimus.xyz, 1 +betrisey.net, 1 +betrouwbarewifi.nl, 1 +bets.de, 1 +betsafe.lt, 1 +betseven.pt, 1 +betseybuckheit.com, 1 +betsfortoday.com, 1 +betsharpangles.com, 1 +betshoot.com, 1 +betsonlinefree.com.au, 1 +betspin.com, 1 +betstop.gov.au, 1 +betsys.de, 1 +bett1.at, 1 +bett1.ch, 1 +bett1.de, 1 +bett1.fr, 1 +bett1.pl, 1 +bettaline.com.au, 1 +bettashoerepairs.com.au, 1 +bettendorf.gov, 1 +better.com, 0 +better.fyi, 1 +betterbaseball.com, 1 +betterbedding.com, 1 +betterbladders.com, 1 +betterboards.net, 1 +betterbuiltbasements.com, 1 +betterbuiltkitchensandbathrooms.com, 1 +bettercallsully.com, 1 +bettercareclinic.co.uk, 1 +bettercleaningcompany.co.uk, 1 +bettercommunication.org.uk, 1 +bettercrypto.org, 1 +betterdecoratingbible.com, 1 +betterhealthatworkaward.org.uk, 1 +betterhelp.com, 1 +betterhelp.com.au, 1 +betterhelporg.com, 1 +betterhelpteens.com, 1 +betterhome.ml, 1 +betterjapanese.blog, 1 +betterjapanese.org, 1 +betterjapanese.xyz, 1 +betterlifekidsclub.com, 1 +betterlovestore.com, 1 +betterna.me, 1 +betternews.eu, 1 +betteroffed.com, 1 +betterplace.restaurant, 1 +betterscience.org, 1 +bettersecurity.co, 1 +bettersocialmedia.co.uk, 1 +betterteam.com, 1 +bettertech.pt, 1 +bettertechsoftware.com, 1 +bettertest.it, 1 +bettertime.jetzt, 1 +betterviewrentals.com, 1 +betterworlded.org, 1 +bettflaschen.ch, 1 +bettie.tk, 1 +betting-magic.com, 1 +bettingbangladesh.online, 1 +bettingbasket.com, 1 +bettingbusiness.ru, 1 +bettingmalaysia.online, 1 +bettingonaverage.com, 1 +bettingphilippines.online, 1 +bettolinokitchen.com, 1 +betty-baloo.com, 1 +bettyblue.tk, 1 +bettysseafoodshack.com, 1 +betulashop.ch, 1 +betus.tk, 1 +betvisa.com, 1 +betweenthehills.be, 1 +betweenthesheets.tk, 1 +betwin9.net, 0 +betwinner-india.com, 1 +betwinner-ua.com, 1 +betwinner-zerkalo.ru, 1 +betwinner.cm, 1 +betwinner.co.it, 1 +betwinner.co.ug, 1 +betwinner.co.zm, 1 +betwinner.com.gh, 1 +betwinner.de.com, 1 +betwinner.ng, 1 +betwinner1.com, 1 +betwinner2.com, 1 +betwinner5.mobi, 1 +betwinnerbahis.net, 1 +betwinnerfrance.net, 1 +betwinnerkenya.com, 1 +betwinnerlive.com, 1 +betwinnermobileapp.com, 1 +betwinnernigeria.com, 1 +betwinnerperu.com, 1 +betwinnerportugal.com, 1 +betwinnerpromocode.net, 1 +betwinners.in, 1 +betwinnertanzania.com, 1 +betwinneruganda.com, 1 +betxx1.com, 1 +betxx2.com, 1 +betza.online, 1 +betzgmbh.de, 1 +betzwhite.com, 1 +beudelbingers.nl, 1 +beugelbekkie.tk, 1 +beulahparks.com, 1 +beulen.email, 1 +beulen.link, 1 +beulen.pro, 1 +beurettes-en-chaleur.tk, 1 +beursbever.be, 1 +beurteilt.com, 1 +beus.ink, 1 +beusefulbook.ru, 1 +beuteugeu.com, 1 +beutner.de, 1 +beuty-flowers.tk, 1 +bevallarta.com, 1 +bevcrushesit.ca, 1 +bevedo.cz, 1 +bevedo.sk, 1 +beveiligingscamerawestland.nl, 1 +bevelbeer.com, 1 +bevelpix.com, 1 +beveragemobileest.ga, 1 +beverb.org, 1 +beverhof.nl, 1 +beverley.tk, 1 +beverleycounselling.co.uk, 1 +beverleymoneyman.com, 1 +beverly.tk, 1 +beverlydrive.tk, 1 +beverlyhillstx.gov, 1 +beverlyhospital.org, 1 +beverlyinternational.com, 1 +bevestor.de, 1 +bevhost.com, 1 +bevif.com, 1 +bevinco2020.com, 1 +bevinsco.org, 1 +beviu.com, 1 +bevmoir.com, 1 +bevnut.com, 1 +bewaredevapi.azurewebsites.net, 1 +bewegigsruum.ch, 1 +bewegtes-lagern.at, 1 +bewegtes-lagern.ch, 1 +bewegtes-lagern.com, 1 +bewegtes-lagern.de, 1 +bewegteslagern.ch, 1 +bewegteslagern.com, 1 +bewegteslagern.de, 1 +bewegungsfluss.com, 0 +bewerbung.net, 1 +bewerbungsfibel.de, 1 +bewerbungsfoto-deinfoto.ch, 1 +bewildered.gq, 1 +beworksite.com, 1 +bewustwinkelen.nl, 1 +bexit-hosting.nl, 1 +bexit-security.eu, 1 +bexit-security.nl, 1 +bexit.nl, 1 +bexithosting.nl, 1 +bexleycastles.co.uk, 1 +bey.io, 1 +beybiz.com, 1 +beybladesource.tk, 1 +beyerautomation.com, 1 +beyerm.de, 1 +beyers.io, 0 +beylkin.tk, 1 +beyond-destiny.tk, 1 +beyond-infinity.org, 0 +beyond-rational.com, 1 +beyond.com.br, 0 +beyond3dview.com, 1 +beyond3dviews.com, 1 +beyondalderaan.net, 1 +beyondauth.io, 1 +beyondbounce.co.uk, 1 +beyondfrosting.com, 1 +beyondgameplay.com, 1 +beyondinfinite.com, 1 +beyondmydoor.com, 1 +beyonds.fr, 1 +beyondthecode.io, 1 +beyondthecreek.com, 1 +beyondthefive.org, 0 +beyondthemoments.com, 1 +beyondthepitch.net, 1 +beyondtherealm.tk, 1 +beyondthisrealm.com.au, 1 +beyondtrust.com, 1 +beyondtv.ga, 1 +beyondweb.net, 1 +beyondzeroacademy-reservations.fr, 1 +beyonsolutions.com, 1 +bezagentstva.cf, 1 +bezahlbare-praemien.ch, 1 +bezbik.tk, 1 +bezdech.tk, 1 +bezdomny.tk, 1 +bezin.ga, 1 +bezoek-benidorm.tk, 1 +bezoomnyville.com, 1 +bezopasna-rabota.tk, 1 +bezpaliuk.com, 1 +bezpecnostsiti.cf, 1 +bezpieczny.pl, 1 +bezpiecznyiphone.pl, 1 +bezpiecznykierowca.info, 1 +bezposrednio.net.pl, 1 +bezpredel.tk, 1 +bf-foto.eu, 1 +bf2statistics.eu, 1 +bfam.tv, 1 +bfas237blog.com, 1 +bfbet365.com, 1 +bfbs.com, 1 +bfc-expertcomptable.com, 1 +bfcgermania88.de, 1 +bfelob.gov, 1 +bfem.gov, 1 +bferal.cl, 1 +bffr.wtf, 1 +bfh.science, 1 +bfharrison.com, 1 +bfi.is, 1 +bfkcloud.ddns.net, 1 +bflix.tv, 0 +bflw.pl, 1 +bfly.tech, 1 +bfob.gg, 1 +bfoliver.com, 1 +bforb.sk, 1 +bforben.uk, 1 +bfp-mail.de, 1 +bfpg.org, 1 +bfrailwayclub.cf, 1 +bfsasia.com, 1 +bft-media.com, 0 +bfw-online.de, 1 +bg-1xbet.com, 1 +bg-sexologia.com, 1 +bg2kuj.com, 1 +bgbaby.net, 1 +bgbet365.com, 1 +bgbhsf.top, 1 +bgd-info.tk, 1 +bgdesign.de, 0 +bgemi.net, 1 +bgeo.io, 1 +bget.org.uk, 1 +bgetfuel.co.uk, 1 +bgfashion.net, 1 +bggcapital.com, 1 +bgh.sh, 1 +bghddevelopment.com, 1 +bghope.com, 1 +bghost.xyz, 1 +bgjargon.com, 1 +bgkoleda.bg, 1 +bglsingles.de, 1 +bgm.bg, 1 +bgmall.tk, 1 +bgmedia.tk, 1 +bgmn.me, 1 +bgmontaggi.com, 1 +bgmsquad.com, 1 +bgp.co, 1 +bgr34.cz, 1 +bgs-game.com, 1 +bgtraffic.tk, 1 +bh-oberland.de, 1 +bh.sb, 1 +bhacit.com, 0 +bhaiben.com, 1 +bhameshwarigraphics.com, 1 +bhanaphotography.co.nz, 1 +bharat-media.tk, 1 +bharatanatyam-dancer.tk, 1 +bharath-g.in, 1 +bharatskills.gov.in, 1 +bhat.vn, 1 +bhatia.at, 1 +bhavansvidyamandir.tk, 1 +bhaweshkumar.com, 1 +bhbet365.com, 1 +bhcarroll.edu, 1 +bhf.im, 1 +bhfseo.com, 1 +bhi.consulting, 1 +bhiglu.com, 1 +bhitnews.tk, 1 +bhitti.in, 1 +bhodisoft.com, 1 +bhogavati.tk, 1 +bhosted.nl, 1 +bhpropco.com, 1 +bhrenovations.com, 1 +bhserralheria.com.br, 1 +bhsooq.com, 1 +bhtechconnection.com, 0 +bhtelecom.ba, 1 +bhub.tk, 1 +bhuntr.com, 1 +bhuvanreddy.space, 1 +bhvapers.com, 1 +bhxch.moe, 1 +bi-fazlasi.com, 1 +bi-in-beeld.nl, 1 +bi-jenny.net, 1 +bi-medien.de, 1 +bi.search.yahoo.com, 0 +bi1gif.radio, 1 +bi3e.ma, 1 +bi4sb.com, 1 +bi8cku.club, 1 +bi8cku.tech, 1 +bia.gov, 1 +bia3consultores.es, 1 +biaform.be, 1 +biagiowineandspirits.com, 1 +biahposter.com, 1 +bialamydlarnia.pl, 0 +biancadark.tk, 1 +biancapulizie.it, 1 +biancasalgueiro.tk, 1 +biancavandenberg.nl, 1 +biancazapatka.com, 1 +bianco-band.tk, 1 +bianinapiccanovias.com, 1 +biano-ai.com, 1 +biantai.cf, 1 +biantai.ml, 1 +biantti.md, 1 +bianyanan.xyz, 1 +biaoxiong.com, 1 +biaozi.cf, 1 +biaozi.ml, 1 +biarritzboys.tk, 1 +biaservice.cz, 1 +biasmath.es, 1 +biathloncup.ru, 1 +biaxin.cf, 1 +biaxin.ml, 1 +bibanks.com, 1 +biber-bike.de, 1 +biberonshop.bg, 1 +bibet365.com, 1 +bibi-xxx.com, 1 +bibica.net, 1 +bibimanga.com, 1 +bibit.id, 1 +bibitbunga.com, 1 +bible-maroc.com, 1 +bible4u.net, 1 +biblebrainhealth.com, 1 +bibleforchildren.ru, 1 +bibleinsiderest.ga, 1 +biblereadlist.com, 1 +biblesearch.tw, 1 +biblesignposts.com, 1 +bibleversesfordailyliving.com, 1 +biblia.es, 1 +bibliaon.com, 1 +bibliatodo.com, 1 +biblicalbeliefs.org, 1 +biblicalcounseling.com, 1 +biblicaudio.org, 1 +biblico.tk, 1 +biblicom.org, 1 +biblinfo.com, 1 +bibliobaldur.tk, 1 +biblioblog.fr, 1 +bibliobus.ch, 1 +bibliomarkt.ch, 1 +biblionaut.net, 1 +biblionix.com, 1 +biblionix.info, 1 +biblionix.net, 1 +biblionix.org, 1 +biblionix.us, 1 +biblioporn.com, 1 +bibliotecadeseguranca.com.br, 1 +bibliotecaguate.ml, 1 +bibliotecasantaoliva.tk, 1 +bibliotecaumana.it, 1 +biblioteka-online.tk, 1 +biblioteka17.tk, 1 +bibliotekarien.se, 1 +bibliotekasnow.org, 1 +bibliotekha.org, 1 +bibliotheka.tk, 1 +bibloteka.com, 1 +biblura.com, 1 +biboran.ga, 1 +bibra.bid, 1 +bibuch.com, 1 +bibun.gq, 1 +bicaraviral.com, 1 +bicecontracting.com, 1 +bicestore.cl, 1 +bicha.net, 1 +bichonfrise.com.br, 1 +bichonmaltes.com.br, 1 +bicicletassym.com, 1 +bicignet.ga, 1 +bicommarketing.com, 1 +bicranial.io, 0 +bicromoestudio.com, 1 +bicstone.me, 1 +bicubic.tk, 1 +bicycle-events.com, 1 +bicyclesoftheworld.com, 1 +bidaah.tk, 1 +bidadari.my, 1 +bidc.ltd, 1 +biddl.com, 1 +biddle.co, 1 +biddr.com, 1 +biddulphinbloom.org.uk, 1 +bidenstopdeportations.com, 1 +bidlab.org, 1 +bidmachine.io, 1 +bidman.cz, 1 +bidman.eu, 1 +bidoluindirim.com, 1 +bidonline.tk, 1 +bidviewmarketing.com, 1 +bie.edu, 1 +bieg.tk, 1 +biegal.ski, 1 +biegi.tk, 1 +biegner-technik.de, 1 +biehlsoft.info, 1 +biekos.com, 1 +bielefailed.de, 1 +bielemenklen.tk, 1 +bielik.io, 1 +biempire.com, 1 +bien-etre-beaute.fr, 1 +bien-etre-sante.info, 1 +bienbailao.com, 1 +biene.rocks, 1 +bienenfreunde.tk, 1 +bienestarinmobiliarioyaliadas.com, 1 +bienhacerlimpiezas.es, 1 +bienici.com, 1 +bienoubien.org, 1 +biensenvue.com, 1 +bienstar.tv, 1 +biensup.com, 1 +biensur.ch, 1 +bienvenidoamerica.com, 1 +bienvenue.tk, 1 +bier-brothers.tk, 1 +bier.law, 1 +bier.legal, 1 +bierbaumer.net, 1 +bierbringer.at, 1 +bierbrouwerijderoos.nl, 1 +bieresamanger.fr, 1 +bierlegal.com, 1 +bierochs.org, 1 +bierrunde.de, 1 +bierwebshop.be, 1 +bieser.ch, 1 +biester.pro, 1 +bietigheim-digital.tk, 1 +bietinidesign.be, 1 +bieville-beuville.fr, 1 +biewen.me, 0 +biffo.com, 1 +biflosgknm.tk, 1 +bifrost.cz, 1 +bifrostwallet.com, 1 +biftin.net, 1 +big-black.de, 1 +big-books.gq, 1 +big-brother.ga, 1 +big-daishowa.co.jp, 1 +big-daishowa.com, 1 +big-file.tk, 1 +big-music.tk, 1 +big-office.lviv.ua, 1 +big-orange.com.ua, 1 +big-papa.tk, 1 +big-tits-video.ru, 1 +big-travel.tk, 1 +big.ua, 1 +big.wtf, 1 +big80s.tk, 1 +bigalba.ga, 1 +bigambitions.co.za, 1 +bigart.tk, 1 +bigassmonster.com, 1 +bigasstubes.com, 1 +bigband-a.com, 1 +bigband.tk, 1 +bigbarbe.com, 1 +bigbearkh.com, 0 +bigbearlakecoins.com, 1 +bigbeats.tk, 1 +bigbeautysecrets.tk, 1 +bigbendcoffeeroasters.com, 0 +bigbendguide.com, 1 +bigbendsentinel.com, 1 +bigbenny.tk, 1 +bigbit.tk, 1 +bigblockmotors.ru, 1 +bigblue.co.il, 1 +bigbluecomputers.tk, 1 +bigbluedoor.net, 1 +bigboard.tk, 1 +bigboobporn.com, 1 +bigbooty.tv, 1 +bigbootytube.net, 1 +bigboris.tk, 1 +bigbouncebouncycastles.co.uk, 1 +bigbouncetheory.co.uk, 1 +bigbounceuk.com, 1 +bigboyhub.com, 1 +bigbroeyes.com, 1 +bigbuild.vic.gov.au, 1 +bigbunce.ru, 0 +bigbyte.com.np, 1 +bigcakes.dk, 1 +bigchance.tk, 1 +bigchris.tk, 1 +bigcitylife.fr, 1 +bigclassaction.com, 1 +bigcomputerchair.gq, 1 +bigcorestintas.com.br, 1 +bigcountry.com.br, 1 +bigdaddyslash.tk, 1 +bigdatatop.cf, 1 +bigdayproductions.biz, 1 +bigdesiresolutions.co.za, 1 +bigdiff.co.uk, 1 +bigdinosaur.org, 1 +bigdiscounts.tk, 1 +bigeaglesacademy.gq, 1 +bigeasyfences.com, 1 +bigeasygrille.com, 0 +bigfreebet.com, 1 +bigfreebielist.tk, 1 +biggernews.gq, 1 +biggerpicture.agency, 1 +biggerpockets.com, 1 +biggive.org, 1 +biggles.io, 1 +biggsconstruction.com, 1 +biggy.kiev.ua, 1 +bighappy.com, 1 +bighome.ml, 1 +bighorn.co.jp, 1 +bighugbotanicals.com, 1 +bigid.com, 1 +bigideachallenge.org, 1 +bigio.com.br, 1 +bigland.com, 1 +biglapa.ru, 1 +biglistofporn.com, 1 +biglu.eu.org, 1 +bigmoney.nu, 1 +bigmonsters.tk, 1 +bigmountainmail.com, 1 +bigmuff.duckdns.org, 1 +bignaturals.com, 1 +bignet.bid, 0 +bigone.com, 1 +bigopr.com, 1 +bigorangelab.com, 1 +bigpage.tk, 1 +bigpanparties.co.uk, 1 +bigphilsrubbishremoval.com, 1 +bigpicturerecords.com, 1 +bigprintinglasvegas.com, 1 +bigpurse.tk, 1 +bigrapidstownshipmi.gov, 1 +bigrender.tk, 1 +bigrivercn.com, 1 +bigriverintl.com, 1 +bigriverjp.com, 1 +bigriverservs.com, 1 +bigsam.us, 1 +bigseo.ml, 1 +bigseo.tk, 1 +bigshare.ga, 1 +bigshopper.com, 1 +bigshort.org, 1 +bigsister.tk, 1 +bigskyhomebuyers.com, 1 +bigskylifestylerealestate.com, 1 +bigskymontanalandforsale.com, 1 +bigsmallhosting.com, 1 +bigsolar.com, 1 +bigspark.it, 1 +bigstonecounty.gov, 1 +bigstr.com, 1 +bigthree.ga, 1 +bigthunder.ca, 1 +bigtimeiq.com, 1 +bigtitsmilf.com, 1 +bigtix.io, 0 +bigtown.tk, 1 +bigtstexasbbq.com, 1 +bigudi.ee, 1 +bigudi.eu, 1 +biguz.net, 1 +bigwaterut.gov, 1 +bigwicks.co.uk, 1 +bigzoo.com.br, 1 +biigtigconsulting.ca, 1 +biip.lt, 1 +bij-juud.nl, 1 +bijlesbart.nl, 1 +bijlesportal.nl, 1 +bijloke.gent, 1 +bijlokesite.be, 1 +bijlokesite.gent, 1 +bijou.be, 1 +bijoux-fantaisies.eu, 1 +bijoux.com.br, 1 +bijouxbrasil.com.br, 1 +bijouxcherie.com, 1 +bijuteria-venetia.ro, 1 +bijuteriavenetia.ro, 1 +bijzonderekoorprojecten.nl, 1 +bike-kurse.ch, 1 +bike-liptov.tk, 1 +bike-shack.com, 1 +bike-style.tk, 1 +bikebay.it, 1 +bikebristol.com, 1 +bikeclub.tk, 1 +bikehistory.org, 1 +bikemaniacs.tk, 1 +bikemi.com, 1 +bikemod.de, 1 +bikerawardsers.ga, 1 +bikerawardsest.ga, 1 +bikerebel.com, 1 +bikerestart.com, 1 +bikersclub.tk, 1 +bikersmadrid.es, 1 +bikerteeshop.com, 1 +bikesandbits.tk, 1 +bikeshopitalia.com, 1 +bikesquadron.com, 1 +bikestream.tk, 1 +bikesupermarket.it, 1 +biketalk.ga, 1 +biketrainer.tk, 1 +bikhof.com, 1 +biki.com, 1 +bikini-shop.tk, 1 +bikini.tk, 1 +bikinibich.tk, 1 +bikinis.ga, 1 +bikinis.tk, 1 +bikkelbroeders.com, 0 +bikkelbroeders.nl, 0 +biknet.tk, 1 +bikyaku.fun, 1 +bilalozdemir.me, 1 +bilanca.com.hr, 1 +bilar.tk, 1 +bilbao.tk, 1 +bilbud.tk, 1 +bilder-designs.de, 1 +bilderload.com, 1 +bildermachr.de, 1 +bilderrahmen-baer.de, 1 +bilderrahmen-schluechtern-sinntal.de, 1 +bildiri.ci, 1 +bildkomponist.de, 1 +bildschirmflackern.de, 1 +bildung-mv.de, 0 +bilecikhaberleri.tk, 1 +biletkesfet.com, 1 +biletru.net, 1 +biletturk.tk, 1 +biletvkrym.ga, 1 +biletyplus.by, 1 +biletyplus.com, 1 +biletyplus.ru, 1 +biletyplus.ua, 1 +bilgehan.net, 1 +bilgiliksel.com, 1 +bilgireis.com, 1 +bilgisayarkursu.tk, 1 +bilgo.com, 1 +bilhos.com.tr, 1 +bilibili.link, 1 +bilibili.party, 1 +bilimal.kz, 1 +bilimoe.com, 1 +bilingualunit.tk, 1 +bilirrubina.com, 1 +bilisimdanismani.com, 1 +biliwind.com, 1 +biljettmonster.se, 1 +bilke.org, 1 +bilkovita.bg, 1 +bilkovitinkturi.bg, 1 +billaltermatt.com, 1 +billarpool.cl, 1 +billaud.eu, 1 +billaud.eu.org, 1 +billboard-panama.ml, 1 +billbuddy.co.uk, 1 +billchen.win, 0 +billcompare.ga, 1 +billcomparison.ga, 1 +billetes.gov, 1 +billets-avion.tk, 1 +billetto.co.uk, 1 +billetto.dk, 1 +billetto.eu, 1 +billetto.it, 1 +billetto.se, 1 +billfazz.com, 1 +billgatos.tk, 1 +billgoldstein.name, 1 +billgradywebdesign.com, 1 +billhartzer.com, 1 +billiardmaster.com.ua, 1 +billiebikes.com, 1 +billigastehemsidan.se, 1 +billiger-mietwagen.de, 1 +billigerfinder.de, 1 +billigesommerhuse.nu, 1 +billigflug.tk, 1 +billigpoker.dk, 1 +billigtech.tk, 1 +billingsgazette.com, 1 +billingsgroup.com, 0 +billingsmtpublicworks.gov, 1 +billionaire.ml, 1 +billionaire365.com, 1 +billionkiaparts.com, 1 +billkochman.com, 1 +billo.life, 1 +billogram.com, 1 +billpay.com, 1 +billpro.com.au, 1 +billrobinson.io, 1 +billusherwood.com, 1 +billview.com.au, 1 +billwebb.com.au, 1 +billy.pictures, 1 +billybluerecords.com, 1 +billybob.tk, 1 +billyjamrecords.com, 1 +billykwok.me, 1 +billyoh.com, 1 +billywig.stream, 1 +biloxihistoricalsociety.org, 0 +biloxisportfishing.com, 1 +bilsho.com, 1 +biltullen.com, 1 +bim.finance, 1 +bim.physio, 1 +bim0s.com, 1 +bimacitizen.com, 1 +bimatoprostrx.com, 1 +bimbingan.tk, 1 +bimbobakeriesusa.com, 0 +bimedis.com, 1 +bimhomes.vn, 1 +bimibroccoli.co.uk, 1 +bimibroccoli.com, 1 +bimibroccoli.dk, 1 +bimibroccoli.it, 1 +bimibroccoli.nl, 1 +bimibroccoli.se, 1 +bimibrocoli.es, 1 +bimibrocoli.fr, 1 +bimibrokkoli.de, 1 +bimigroup.org, 1 +bimmerlabs.com, 1 +bimoge.tk, 1 +bimsynergistics.com, 1 +bimtec.jp, 1 +bin-laden.org, 1 +bin95.com, 1 +bina.az, 1 +binaa.co.il, 1 +binairy.com, 1 +binairy.nl, 1 +binam.center, 0 +binans.com, 1 +binans.com.tr, 1 +binans.io, 1 +binans.net, 1 +binaries.fr, 1 +binaries.tk, 1 +binarization.net, 1 +binary.house, 1 +binary.ninja, 1 +binaryabstraction.com, 1 +binaryappdev.com, 1 +binarycom.ch, 1 +binarycreations.scot, 1 +binaryevolved.com, 1 +binarypuzzle.nl, 1 +binarystud.io, 1 +binaryvision.tk, 1 +binbaz.org.sa, 1 +binbin9.com, 1 +binbo.cz, 1 +binbo.sk, 1 +bind.ch, 1 +bindb.com, 1 +binding-problem.com, 1 +bindingspines.com, 1 +binds.co, 1 +bindsolutions.com, 1 +binezalohar.tk, 1 +binf.tk, 1 +bing, 1 +bing-cdn.com, 1 +bing-cdn.xyz, 1 +bing.com, 1 +bingcheung.com, 1 +bingchunmoli.com, 1 +bingebooks.com, 1 +binggun.com, 1 +binghamcountyid.gov, 1 +binghamid.gov, 1 +bingning.com, 1 +bingo-wear.com, 1 +bingo9.net, 1 +bingobank.org, 1 +bingoblue.com, 1 +bingoclub.ga, 1 +bingocounterers.ga, 1 +bingoela.com, 1 +bingofriends.com, 1 +bingohalls.ca, 1 +bingoporno.com, 1 +bingospelen.tk, 1 +bingothemesers.ga, 1 +bingothemesest.ga, 1 +bingyou.com, 1 +binhdang.me, 0 +binhex.net, 1 +binhminhpc.com, 1 +binimo.com, 1 +biniou.net, 1 +binkanhada.biz, 1 +binkconsulting.be, 1 +binkert-treuhand.ch, 1 +binnacle.mx, 1 +binnen-buten.de, 1 +binnenmeer.de, 1 +binoculars.ga, 1 +binoqlo.com, 1 +binoro.de, 1 +binpress.com, 1 +binson-museum.tk, 1 +binsp.net, 1 +bintach.com, 1 +bintanglautplatinum.com, 1 +bintangtop.com, 1 +bintelligence.cl, 1 +bintelligence.info, 1 +bintelligence.nl, 1 +bintra.directory, 1 +bintube.com, 1 +bio-disinfestazione.it, 1 +bio-dolt-aveyron.fr, 1 +bio-farma.net, 1 +bio-feed.org, 1 +bio-kertem.hu, 1 +bio-place.com, 1 +bio-plus.cz, 1 +bio-verzeichnis.de, 1 +bio24.si, 0 +bioadva.com, 1 +bioarc.com.au, 1 +bioarchlinux.org, 1 +bioatrium.com, 1 +bioaufvorrat.de, 1 +bioblog.tk, 1 +biobone.net, 1 +biobuttons.ch, 1 +biocal.eu, 1 +biocal.nl, 1 +biocarbonregistry.com, 1 +biocentricinc.com, 1 +biochart.ga, 1 +biocheminee.com, 1 +bioclaudia.it, 1 +biocrafting.net, 0 +biodaan.com, 1 +biodieselbr.com, 1 +biodieseldata.com, 1 +biodieselpumps.com, 1 +biodit.com, 0 +biodobavki.tk, 1 +biodots.at, 1 +biodots.eu, 1 +biodots.info, 1 +biodots.it, 1 +bioedilizia.roma.it, 1 +bioemsan.cz, 0 +bioenergie-eferding.at, 1 +bioenergy-solutions.eco, 1 +bioequivalence.design, 1 +bioetco.ch, 1 +bioexistencialismo.tk, 1 +bioexploratorium.pl, 1 +biofattorietoscane.it, 1 +biofeedback-luzern.ch, 1 +biofizpribor.ru, 1 +bioforce.tk, 1 +biogaspuxin.es, 1 +biogecho.ch, 0 +biogeist.de, 1 +biogenius.ca, 0 +biogiardinaggio.it, 1 +biographyseriesers.ga, 1 +biographyseriesest.ga, 1 +biohappiness.com, 1 +bioharmony.ca, 1 +biohazardland.tk, 1 +biohazardonline.tk, 1 +biohazardous.tk, 1 +bioinfo-diag.fr, 1 +bioinformaticsweb.tk, 1 +biointelligence-explosion.com, 1 +biokal-labsystems.eu, 1 +biokal-labsystems.nl, 1 +biokal.com, 1 +biokal.eu, 1 +biokal.nl, 1 +biokemonline.com, 1 +bioknowme.com, 1 +biokoxomodding.tk, 1 +biol.moscow, 1 +biol.spb.ru, 1 +biolack.cf, 1 +biolact.tk, 1 +bioleev.sklep.pl, 1 +biolegsanonims.tk, 1 +bioligo.ch, 0 +biolika.ua, 1 +biolingzhipro.my.id, 1 +biolink.vn, 1 +biolinky.co, 0 +biolmarket.ru, 1 +biologiaygeologia.tk, 1 +biologie-seite.de, 1 +biologis.ch, 1 +biologo.club, 1 +biology-colleges.com, 1 +biologymusicvideos.com, 1 +biologynest.com, 1 +biologyoftrauma.com, 1 +biomarket24.pl, 1 +biomasscore.com, 1 +biomassinfo.jp, 1 +biomathalliance.org, 1 +biomax-mep.com.br, 1 +biomechanics.tk, 1 +biomechanoid.tk, 1 +biomed-hospital.ch, 1 +biomed-sparepart.com, 1 +biomed.ch, 1 +biomedsciinstrum.org, 1 +biomedyczne.pl, 1 +biometriccoe.gov, 1 +biometrics.gov, 1 +biometservices.com, 1 +biomin.co.uk, 1 +biomod.tk, 1 +biomodra.cz, 1 +bionic-karnage.tk, 1 +bionicman.name, 1 +bionovanaturalpools.com, 1 +biontech24.pl, 1 +biontechworld.com, 1 +biopreferred.gov, 1 +biopro-st.com, 1 +biopsychiatry.com, 1 +bioreference.com, 1 +bioresonanz-ibiza.com, 1 +biosafe.ch, 0 +biosalts.it, 1 +biosbits.org, 1 +bioscience.co.uk, 1 +biosearch.tk, 1 +bioseguridad.gob.pa, 1 +bioselect.com.cy, 1 +bioshine.com.sg, 1 +bioshome.de, 1 +biosignalanalytics.com, 1 +biosky.tk, 1 +biospw.com, 1 +biostaffic.com, 1 +biostar.com.tw, 1 +biosuit.ga, 1 +biosupplyalliance.com, 1 +biot.tk, 1 +biotal.ua, 1 +biotanquesbts.com, 1 +biotec.tk, 1 +biotecommunity.com, 1 +bioteebook.com, 1 +biotin.ch, 1 +biotin24.cf, 1 +biotorrents.de, 1 +biotraxx.com, 1 +biouhli.com, 1 +biouhli.cz, 1 +biouhli.sk, 1 +bioweingut-baumann.de, 1 +biowtage.cf, 1 +biowtage.gq, 1 +bip-online.tk, 1 +bip.gov.sa, 0 +bipart.eu, 1 +bipartisanreport.com, 1 +bipedecurieux.com, 1 +bipolardisorderexplained.com, 1 +bipolargeek.com, 1 +bipolargeek.net, 1 +bipolargeek.org, 1 +bipolarworld.us, 1 +bippassistant.com, 1 +birahugo.tk, 1 +birchbarkfurniture.ch, 1 +birchbarkfurniture.com, 0 +birchbarkfurniture.fr, 0 +birchtree.me, 1 +bird-tech.co.uk, 1 +bird.engineer, 1 +birdbox.party, 1 +birdbrowser.com, 1 +birdbutt.com, 1 +birdgifs.nz, 1 +birdiehosting.nl, 1 +birdist.com, 1 +birdrave.com, 1 +birdsite.ga, 1 +birdslabel.com, 1 +birdsnow.com, 1 +birdwatchireland.ie, 1 +birdymanbestreviews.com, 1 +birebirvilla.com, 1 +birenbaum.se, 1 +birgit-rydlewski.de, 1 +birgitandmerlin.com, 1 +birjdid.tk, 1 +birkanpusa.com.tr, 1 +birkengarten.ch, 1 +birkenstab.de, 1 +birkhoff.me, 0 +birkilise.com, 1 +birkilise.net, 1 +birkilise.org, 1 +birkman.com, 0 +birlikdayanisma.com, 1 +birman.tk, 1 +birminghamairportparking24.co.uk, 1 +birminghamal911.gov, 1 +birminghammoneyman.com, 1 +birminghamorthospine.com, 1 +birminghamsunset.com, 1 +birnenhain.de, 1 +birobidjan.tk, 1 +birone.tk, 1 +bironthemes.com, 1 +birosuli.hu, 1 +birouldeimagine.ro, 1 +birpufnoktasi.com, 1 +birra.tk, 1 +birrapenombra.tk, 1 +birtamode.tk, 1 +birtebrorson.dk, 1 +birthday-to-you.com, 1 +birthdayapp.io, 1 +birthdayapp.today, 1 +birthdaybuzz.org, 1 +birthdayinsiderest.ga, 1 +birthlight-austria.com, 1 +birthright.host, 1 +birtles.blog, 1 +birulevo.tk, 1 +birwa.tk, 1 +birzan.org, 1 +birzman.ga, 1 +bis-jeddah.com, 1 +bis.gov, 1 +bisa-sis.net, 1 +bischoff-mathey.family, 1 +biscuit.town, 1 +biscuitcute.com.br, 1 +biscuitflatsopenhouse.com, 1 +biscuits-rec.com, 1 +biscuits-shop.com, 1 +biser-borisov.eu, 1 +biser.online, 1 +biserica-antiohia.ro, 1 +bishopjordan.com, 1 +bishopscourt-hawarden.co.uk, 1 +bishopston.net, 1 +bishoptx.com, 1 +bisigorta.com, 1 +bisik.ml, 1 +bisix.tk, 1 +bismantova.tk, 1 +bismarck-tb.de, 1 +bismarcktribune.com, 1 +bismi.solutions, 0 +bismuth.it, 1 +bisnis.com, 1 +bisnisesteen.tk, 1 +bisnisfmcg.com, 1 +bisnisinternetgratis.tk, 1 +bisnismuda.id, 1 +bisnisonlinecerdas.tk, 1 +biso.ga, 1 +bisoga.ga, 1 +bisq.chat, 1 +bisq.community, 1 +bisq.markets, 1 +bisq.ninja, 1 +bisq.services, 1 +bisq.wiki, 1 +bisrockloverclan.tk, 1 +bisrockonline.tk, 1 +bissalama.org, 1 +bisschopssteeg.nl, 1 +bissokush.cf, 1 +bistro-dengi.ml, 1 +bistrocean.com, 0 +bistrodeminas.com, 1 +bistrozaim.ml, 1 +bit-cloud.de, 1 +bit-flex.com, 1 +bit-rapid.com, 0 +bit-saar.de, 1 +bit-sentinel.com, 1 +bit.cloud, 1 +bit.li, 1 +bit8.com, 0 +bitaccelerate.com, 1 +bitace.com, 0 +bitazza.com, 1 +bitbank.cc, 1 +bitbank.cf, 1 +bitbincomputers.com, 1 +bitbonus.cf, 1 +bitbonusss.tk, 1 +bitbotster.com, 1 +bitbox.me, 1 +bitbroker.exchange, 1 +bitbucket.com, 1 +bitbucket.io, 1 +bitbucket.org, 1 +bitburner.de, 1 +bitcalt.eu.org, 1 +bitcalt.ga, 1 +bitchesabroad.com, 1 +bitchyjana.com, 1 +bitclusive.de, 1 +bitcoin-2go.de, 1 +bitcoin-about.tk, 1 +bitcoin-casino-no-deposit-bonus.com, 1 +bitcoin-casino.monster, 1 +bitcoin-class.com, 1 +bitcoin-daijin.com, 1 +bitcoin-exchange.ga, 1 +bitcoin-fauset.cf, 1 +bitcoin-india.net, 1 +bitcoin-india.org, 1 +bitcoin-news.info, 1 +bitcoin-newsbiz.com, 1 +bitcoin-now.ga, 1 +bitcoin-only.com, 1 +bitcoin-wizards.com, 1 +bitcoin-youtube.net, 1 +bitcoin.asia, 1 +bitcoin.ch, 1 +bitcoin.co.nz, 1 +bitcoin.de, 1 +bitcoin.foundation, 1 +bitcoin.im, 1 +bitcoin.info, 1 +bitcoin.ninja, 1 +bitcoin.org, 1 +bitcoin.us, 1 +bitcoinapi.de, 1 +bitcoinbitcoin.com, 1 +bitcoinbot.cf, 1 +bitcoinbot.ga, 1 +bitcoinbot.tk, 1 +bitcoincasino.link, 1 +bitcoincasino.monster, 1 +bitcoincasino.tech, 1 +bitcoincasino.today, 1 +bitcoincasinos.pro, 1 +bitcoincore.org, 1 +bitcoineffect.ml, 1 +bitcoinfaucet.tech, 1 +bitcoinfax.net, 1 +bitcoinfees.net, 1 +bitcoinforthe.lol, 1 +bitcoinforthe.world, 1 +bitcoinfy.net, 1 +bitcoingambling.pro, 1 +bitcoingames.world, 1 +bitcoingroup.ga, 1 +bitcoinheaders.net, 1 +bitcoinheaders.org, 1 +bitcoinindy.com, 1 +bitcoinissafe.com, 1 +bitcoinjpn.com, 1 +bitcoinkaufen.me, 1 +bitcoinkaufen.news, 1 +bitcoinku.sh, 1 +bitcoinkurs.news, 1 +bitcoinkurs.world, 1 +bitcoinnews.digital, 1 +bitcoinnews.guru, 1 +bitcoinnews.world, 1 +bitcoinprice.buzz, 1 +bitcoinprice.international, 1 +bitcoinprice.news, 1 +bitcoinprice.pizza, 1 +bitcoinprice.rocks, 1 +bitcoinprice.world, 1 +bitcoinreserve.com, 1 +bitcoinseed.net, 1 +bitcoinset.pl, 1 +bitcoinskoers.nl, 1 +bitcoinslots.info, 1 +bitcoinstandard.jp, 1 +bitcoinstock.ga, 1 +bitcointask.net, 1 +bitcointech.ga, 1 +bitcointransfer.tk, 1 +bitcointv.com, 1 +bitcoinwalletscript.tk, 1 +bitcoinwarszawa.pl, 1 +bitcoinx.ro, 1 +bitcork.io, 1 +bitcrazy.org, 1 +bitdefender.de, 1 +bitdelta.com, 1 +bitdizzle.xyz, 1 +bitdocs.xyz, 1 +bitdynamics.au, 1 +bitech-ec.com, 1 +bitedu.pt, 1 +bitehazard.cz, 1 +bitenose.com, 1 +bitenose.org, 1 +bitewinggames.com, 1 +bitex.la, 1 +bitfarm-archiv.com, 1 +bitfarm-archiv.de, 1 +bitfasching.de, 0 +bitfashion.pt, 1 +bitfehler.net, 1 +bitfinder.nl, 1 +bitforge.tk, 1 +bitforming.com, 1 +bitfortune.fund, 1 +bitfuse.net, 1 +bitga.in, 1 +bitgarant.tk, 1 +bitgo.com, 1 +bithosting.pt, 1 +bititrain.com, 1 +bitix.tk, 1 +bitjunkiehosting.com, 1 +bitkan.com, 1 +bitkiselreyonum.com, 1 +bitkub-app.com, 1 +bitkub-int.com, 1 +bitlair.nl, 1 +bitlaunch.io, 1 +bitlink.id, 1 +bitljettnu.gq, 1 +bitlo.com, 1 +bitlo.com.tr, 1 +bitlo.io, 1 +bitlo.org, 1 +bitloco.net, 1 +bitmag.ml, 1 +bitmaincare.com.ua, 1 +bitmaincare.ru, 1 +bitmainwarranty.com.ua, 1 +bitmainwarranty.ru, 1 +bitmarket.net, 1 +bitmart.com, 1 +bitmart.cool, 1 +bitmessage.ch, 1 +bitmexin.com, 1 +bitmidi.com, 1 +bitmine.gq, 1 +bitmix.biz, 1 +bitmoe.com, 1 +bitmoji.com, 1 +bitms.tk, 1 +bitname.it, 1 +bitnoder.com, 1 +bitnoise.nl, 1 +bitnovo.com, 1 +bito3d.com.br, 1 +bitovayatehn.tk, 1 +bitpod.de, 1 +bitpumpe.net, 1 +bitradius.com, 1 +bitrate.tk, 1 +bitredirixe.top, 1 +bitref.com, 1 +bitrefill.com, 1 +bitrefill.info, 1 +bitrefill.me, 1 +bitrush.nl, 1 +bits-chips.nl, 1 +bits-hr.de, 0 +bitsafe.com.my, 1 +bitsalt.com, 1 +bitsellx.com, 1 +bitseo.ga, 1 +bitseo.tk, 1 +bitshaker.net, 1 +bitsight.net, 1 +bitsimnow.com, 1 +bitsimnow.se, 1 +bitsinex.com, 1 +bitsite.com, 1 +bitski.com, 1 +bitsler.ie, 1 +bitso.com, 1 +bitsoffreedom.nl, 1 +bitspaceonline.ml, 1 +bitstack.nz, 1 +bitstage.uk, 1 +bitstorm.nl, 1 +bitstorm.org, 1 +bitsync.nl, 1 +bitten.pw, 1 +bittentechsolutions.in, 1 +bitterley.org.uk, 1 +bitterspringscabins.com.au, 1 +bittersweetcandybowl.com, 1 +bittervault.xyz, 1 +bittimaatti.fi, 1 +bittiraha.fi, 1 +bitton.com.au, 1 +bittounsi.com, 1 +bittrend.ga, 1 +bittrust.com, 1 +bittylicious.com, 1 +bitunit.tk, 1 +bitvest.io, 1 +bitvise.com, 1 +bitwarden.com, 1 +bitwardit.com, 1 +bitwards.io, 1 +bitwardsdev.com, 1 +bitwoci.pt, 1 +bitwolk.nl, 1 +bitwrought.net, 1 +bitxel.com.co, 1 +bityes.org, 1 +biupay.com.br, 1 +biurokarier.edu.pl, 1 +biuropulawy.pl, 1 +bivg.ru, 1 +bivvy.com, 1 +bixbasement.com, 1 +bixbydevelopers.com, 1 +bixservice.com, 1 +biysk.ml, 1 +biz-academy.it, 1 +biz-pak.ml, 1 +biz-secrety.cf, 1 +biz-secrety.ga, 1 +biz-secrety.gq, 1 +biz-secrety.ml, 1 +biz-seecrets.gq, 1 +biz4solutions.com, 1 +biz4x.com, 0 +bizapps.lv, 1 +bizarrefuture.cf, 1 +bizbelarus.tk, 1 +bizboatest.ga, 1 +bizcalcs.com, 1 +bizcatalyst360.com, 1 +bizcope.com, 1 +bizdemevcut.com.tr, 1 +bizdir.tk, 1 +bizeau.ch, 1 +bizedge.co.nz, 1 +bizequals.com, 1 +bizfavor.ml, 1 +bizgo.nl, 1 +bizify.co.uk, 1 +bizlatinhub.com, 1 +bizleal.com, 1 +bizmax.ltd, 1 +bizmonthly.com, 1 +biznes-bum.tk, 1 +biznes-sekrety.gq, 1 +biznes-sekrety.tk, 1 +biznes.cf, 1 +biznes4you.ml, 1 +biznesone.ga, 1 +biznesonline.info, 1 +biznesowe.pl, 1 +biznet.tk, 1 +bizniskatalog.mk, 1 +biznotes.ru, 1 +biznpro.ru, 1 +bizoneplan.com, 1 +bizontrip.com, 1 +bizophub.com, 1 +bizopia.com, 1 +bizor.tk, 1 +bizpay.su, 1 +bizprom.ga, 1 +bizstart.ga, 1 +bizstarter.cz, 1 +bizsugar.ga, 1 +bizteam.ga, 1 +biztera.com, 1 +biztok.eu, 1 +biztositok.com, 1 +biztouch.work, 1 +biztrend.ru, 1 +bizuteria-laoni.tk, 1 +bizuteria-naprezent-szczecin.ml, 1 +bizval.co, 1 +bizzdesign.com, 1 +bizzix.tk, 1 +bizzseo.tk, 1 +bizzvisor.site, 0 +bizzybee.buzz, 1 +bizzysites.gr, 1 +bj-caffe.tk, 1 +bja.gov, 1 +bjargradakerfi.is, 1 +bjarnerest.de, 0 +bjarno.xyz, 1 +bjbybbs.com, 1 +bjc.hu, 1 +bjcw.com, 1 +bjecard.buzz, 1 +bjelimici.com, 1 +bjerregaard.me, 1 +bjfuli.com, 1 +bjgwyj.com, 1 +bjjmississauga.com, 1 +bjl688.cc, 1 +bjm-gembas.be, 1 +bjmgeek.science, 1 +bjoern-thoroe.de, 1 +bjolanta.pl, 1 +bjordanov.com, 1 +bjorknet.com, 1 +bjornerastrefelling.no, 1 +bjornhelmersson.se, 1 +bjornjohansen.no, 1 +bjs.com.au, 1 +bjs.gov, 1 +bjsbouncycastles.com, 1 +bjshare.com, 1 +bjsms.de, 1 +bjtxl.cn, 1 +bjugard.io, 1 +bjut.photos, 1 +bjxx.com, 1 +bk-art.ru, 1 +bk-info.lt, 1 +bk1x.mobi, 1 +bk1xbet.mobi, 1 +bk27.ru, 1 +bk622.com, 1 +bk725.com, 1 +bka.li, 1 +bkentertainments.co.uk, 1 +bkfplaner.com, 1 +bkgatl.com, 1 +bkhonnun.is, 1 +bkhpilates.co.uk, 1 +bkin-15340.space, 1 +bkin-15451.space, 1 +bkin-15530.website, 1 +bkin-15777.website, 1 +bkin-16490.space, 1 +bkin-16543.website, 1 +bkin-16836.space, 1 +bkin-17242.website, 1 +bkin-18126.website, 1 +bkin-18399.space, 1 +bkin-18734.top, 1 +bkin-18822.space, 1 +bkin-18825.space, 1 +bkin-18888.space, 1 +bkin-19138.website, 1 +bkin-19335.website, 1 +bkin-19342.space, 1 +bkin-19827.space, 1 +bkin-20245.space, 1 +bkin-20467.website, 1 +bkin-20855.space, 1 +bkin-21332.website, 1 +bkin-21703.space, 1 +bkin-21882.website, 1 +bkin-22350.website, 1 +bkin-22808.website, 1 +bkin-22962.space, 1 +bkin-23261.website, 1 +bkin-23612.space, 1 +bkin-23658.website, 1 +bkin-23906.website, 1 +bkin-24119.space, 1 +bkin-24239.space, 1 +bkin-24456.space, 1 +bkin-25297.space, 1 +bkin-25798.website, 1 +bkin-25982.xyz, 1 +bkin-26191.top, 1 +bkin-26470.xyz, 1 +bkin-27135.xyz, 1 +bkin-27185.xyz, 1 +bkin-27262.xyz, 1 +bkin-27733.top, 1 +bkin-27825.space, 1 +bkin-28035.xyz, 1 +bkin-28589.xyz, 1 +bkin-28659.xyz, 1 +bkin-28749.xyz, 1 +bkin-28767.space, 1 +bkin-28946.xyz, 1 +bkin-29253.xyz, 1 +bkin-29349.xyz, 1 +bkin-29531.xyz, 1 +bkin-29696.xyz, 1 +bkin-29957.space, 1 +bkin-29993.xyz, 1 +bkin-30246.xyz, 1 +bkin-30429.xyz, 1 +bkin-30668.xyz, 1 +bkin-30794.xyz, 1 +bkin-30845.xyz, 1 +bkin-30862.xyz, 1 +bkin-30883.xyz, 1 +bkin-31087.website, 1 +bkin-31170.xyz, 1 +bkin-31436.xyz, 1 +bkin-31447.xyz, 1 +bkin-31656.xyz, 1 +bkin-31789.xyz, 1 +bkin-31972.xyz, 1 +bkin-32482.xyz, 1 +bkin-32486.xyz, 1 +bkin-32744.xyz, 1 +bkin-32863.xyz, 1 +bkin-33383.xyz, 1 +bkin-33544.xyz, 1 +bkin-33740.xyz, 1 +bkin-33813.xyz, 1 +bkin-33970.xyz, 1 +bkin-34233.xyz, 1 +bkin-34299.xyz, 1 +bkin-34456.xyz, 1 +bkin-34797.xyz, 1 +bkin-35189.xyz, 1 +bkin-35365.xyz, 1 +bkin-35372.xyz, 1 +bkin-35499.xyz, 1 +bkin-35692.xyz, 1 +bkin-36700.xyz, 1 +bkin-36749.xyz, 1 +bkin-37699.xyz, 1 +bkin-37873.xyz, 1 +bkin-37968.xyz, 1 +bkin-38134.xyz, 1 +bkin-38325.xyz, 1 +bkin-38877.xyz, 1 +bkin-39139.xyz, 1 +bkin-39933.xyz, 1 +bkin-40545.xyz, 1 +bkin-41419.xyz, 1 +bkin-41934.xyz, 1 +bkin-41976.xyz, 1 +bkin-42525.xyz, 1 +bkin-42740.xyz, 1 +bkin-43450.xyz, 1 +bkin-46680.xyz, 1 +bkk24.de, 1 +bkkposn.com, 1 +bklaindia.com, 1 +bkmexpress.com.tr, 1 +bkms-system.com, 1 +bkositspartytime.co.uk, 1 +bkphcoop.com, 1 +bkpm.tj, 1 +bksites.tk, 1 +bkt.to, 1 +bl-builder.tk, 1 +bl0ck.org, 1 +bl4ckb0x.biz, 1 +bl4ckb0x.com, 1 +bl4ckb0x.de, 1 +bl4ckb0x.eu, 1 +bl4ckb0x.info, 1 +bl4ckb0x.net, 1 +bl4ckb0x.org, 1 +blaa-arme.tk, 1 +blaarmeersen.be, 1 +blaasmuziek-laarbeek.nl, 1 +blaauwgeers.pro, 1 +blaauwgeers.wiki, 1 +blabber.im, 1 +blabla.rocks, 0 +blablacar.co.uk, 1 +blablacar.com, 1 +blablacar.com.br, 1 +blablacar.com.tr, 1 +blablacar.com.ua, 1 +blablacar.cz, 1 +blablacar.de, 1 +blablacar.es, 1 +blablacar.fr, 1 +blablacar.hr, 1 +blablacar.hu, 1 +blablacar.in, 1 +blablacar.it, 1 +blablacar.mx, 1 +blablacar.nl, 1 +blablacar.pl, 1 +blablacar.pt, 1 +blablacar.ro, 1 +blablacar.rs, 1 +black-air-rpg.com, 1 +black-diamonds.cf, 1 +black-flirt.de, 1 +black-friday.org.il, 1 +black-ghost.tk, 1 +black-goldautokozmetika.hu, 1 +black-hair-extension.tk, 1 +black-holes.org, 1 +black-magic-love-spells.com, 1 +black-mail.nl, 1 +black-market.ga, 1 +black-pool.net, 1 +black-rider-studio.eu, 1 +black-rosella.tk, 1 +black-side.tk, 1 +blackandblond.tk, 1 +blackandwhite.tk, 1 +blackapron.com.br, 1 +blackarch.org, 1 +blackarts.co.za, 1 +blackashstudio.com, 1 +blackassassins.tk, 1 +blackbag.nl, 1 +blackbam.at, 1 +blackbbwvideos.com, 1 +blackbean.tk, 1 +blackbird-whitebird.com, 1 +blackbirdproperties.tk, 1 +blackbox.earth, 1 +blackboxcity.tk, 1 +blackbrookwi.gov, 1 +blackbyrne.com, 1 +blackbyte.it, 1 +blackcastle.tk, 1 +blackcat.ca, 1 +blackcatcard.com, 1 +blackcatinformatics.ca, 1 +blackcatinformatics.com, 1 +blackcatwanderlust.com, 1 +blackchristmas.tk, 1 +blackchrome.com.au, 1 +blackcicada.com, 1 +blackco.ga, 1 +blackcountrymusicband.co.uk, 1 +blackdiam.net, 1 +blackdoordc.com, 1 +blackdown.de, 1 +blackdragoninc.org, 1 +blackeaglenet.tk, 1 +blackedbyte.com, 1 +blackenedsoil.com, 1 +blackestdespondency.tk, 1 +blackeyes.gq, 1 +blackeyes.tk, 1 +blackfeather.in, 1 +blackfire.io, 1 +blackfirecrew.tk, 1 +blackfold.ca, 1 +blackforeststheoriginal.cf, 1 +blackforeststheoriginal.ga, 1 +blackforeststheoriginal.ml, 1 +blackforlife.me, 1 +blackfriday-sales.co.uk, 1 +blackfridaynew.com, 1 +blackgamelp.de, 1 +blackgoat.tk, 1 +blackhail.tk, 1 +blackhat.dk, 1 +blackhat.nz, 1 +blackhawk.io, 1 +blackheads.tk, 1 +blackheartbar.com, 1 +blackhelicopters.net, 1 +blackhillsinfosec.com, 1 +blackhistorymonth.gov, 1 +blackidfound.org, 1 +blackisbetter.com, 1 +blackjackballroomcasino.info, 1 +blackjackprogramest.ga, 1 +blackjaguar.tk, 1 +blackjaxamity.com, 1 +blackkeg.ca, 1 +blackl.net, 1 +blacklane.com, 1 +blacklava.tk, 1 +blacklightparty.be, 1 +blacklist.support, 1 +blacklodge.tk, 1 +blacklotusaudio.com, 1 +blackmagick-candles.com, 1 +blackmagickwitch.com, 1 +blackmagicshaman.com, 1 +blackmaleme.com, 1 +blackmark.me, 1 +blackmarlinship.com, 1 +blackmaskpro.gq, 1 +blackmesa.com, 1 +blackmetalencyclopedia.tk, 1 +blackmetalist.tk, 1 +blackmetaller.tk, 1 +blackmilftube.com, 1 +blackminds.tk, 1 +blackmistery.tk, 1 +blackmodelsusa.tk, 1 +blackoutzone.tk, 1 +blackpapermoon.de, 1 +blackpayment.ru, 1 +blackphantom.de, 1 +blackphoenix.de, 1 +blackpi.dedyn.io, 1 +blackpooltransport.com, 1 +blackportal.tk, 1 +blackpurl.com, 1 +blackriverfalls.tk, 1 +blackriverfallswi.gov, 1 +blackrockvet.ie, 1 +blackroses.tk, 1 +blacksamantha.tk, 1 +blackscytheconsulting.com, 1 +blackseals.net, 1 +blacksega.ga, 1 +blacksentry.io, 1 +blackshark.cf, 1 +blackslots.club, 1 +blacksniffer.tk, 1 +blackspark.tk, 1 +blackspider.tk, 1 +blacksport.ru, 1 +blacksprut.com, 1 +blackstoneone.net, 1 +blackstonepress.tk, 1 +blackstonetubrefinishers.ca, 1 +blackstrapsecurity.com, 1 +blackstudio.fr, 1 +blackstump.xyz, 1 +blacksuitmedia.com, 0 +blacksvets.co.uk, 1 +blackswan.tk, 1 +blackswancompany.com, 1 +blackswirl.com, 1 +blackteam.org, 1 +blacktemplars.tk, 1 +blacktown.eu, 1 +blacktownbuildingsupplies.com.au, 1 +blacktube.tv, 1 +blacktubes.cf, 1 +blacktubes.ga, 1 +blacktubes.ml, 1 +blacktype.bet, 1 +blackvinegarcollection.com, 0 +blackwaterlounge.com, 1 +blackwaterutilities.tk, 1 +blackwellsupport.com, 1 +blackwidow.tk, 1 +blackwire.tk, 1 +blackwoodrugby.tk, 1 +blackwoodseventcenter.com, 1 +blackwoodsprotector.co.nz, 1 +blackworld.ga, 1 +blackwot.ru, 0 +blackyau.cc, 0 +blackys-chamber.de, 0 +blackzebra.audio, 1 +blade-online.tk, 1 +bladencountync.gov, 1 +blaetter.de, 1 +blaeu.com, 1 +blagger.tk, 1 +blaggo.com, 1 +blago-sostoyanie.ga, 1 +blago-sostoyanie.gq, 1 +blago-sostoyanie.ml, 1 +blago.tk, 1 +blagomed.by, 1 +blagosvet.ml, 1 +blague.tk, 1 +blahaj.eu, 1 +blaindalefarms.com, 1 +blainecosheriff-ok.gov, 1 +blairmitchelmore.com, 1 +blairtalbotmotors.com, 1 +blairtownshipmi.gov, 1 +blaise.io, 1 +blaizer.tk, 1 +blake-thickbroom.co.uk, 1 +blakecoin.org, 1 +blakecommagere.com, 1 +blakekhan.com, 1 +blakeminer.com, 1 +blakenichols.com, 1 +blakescrepes.com, 1 +blakezone.com, 1 +blako-squad.tk, 1 +blakylle.de, 1 +blan.tk, 1 +blanboom.org, 1 +blancamartinez.com, 1 +blanchardandcalhoun.com, 1 +blanchardinstitute.org, 1 +blanchardla.gov, 1 +blanchardvillewi.gov, 1 +blanchescornwall.co.uk, 1 +blancmeteore.com, 1 +blancoltd.co.uk, 1 +blanickymanifest.eu, 1 +blankersfamily.com, 1 +blanket.technology, 1 +blanketsofhopepa.org, 1 +blankhang.com, 1 +blankpage.link, 1 +blanksreload.com, 1 +blankstore.com.pe, 1 +blankstyle.com, 1 +blantik.net, 1 +blantr.com, 1 +blanx.de, 1 +blanzastore.com.br, 1 +blasdelamo.es, 1 +blaser.com, 1 +blasflittchen.net, 1 +blasorchester-runkel.de, 1 +blastentertainment.co.nz, 1 +blastentertainment.com.au, 1 +blastersklan.com, 1 +blastoffbuisness.in, 1 +blastofftherapy.com, 1 +blastoise186.co.uk, 1 +blasunafotocadadia.com, 1 +blathinwheatens.tk, 1 +blatino.com, 1 +blatnic.eu, 1 +blatnice.cf, 1 +blatnice.fun, 1 +blatnice.ga, 1 +blatnice.gq, 1 +blatnice.ml, 1 +blatnice.online, 1 +blatnice.tk, 1 +blau-weiss-aachen.de, 1 +blau-weiss-stolberg.de, 1 +blaudev.es, 1 +blauesschwarz.de, 0 +blauglockenbaum.de, 1 +blaumedia.com, 1 +blautiefe.de, 1 +blauwereigercoaching.nl, 1 +blauwgras.nl, 1 +blauwwit.be, 1 +blavandbike.de, 1 +blavandbike.dk, 1 +blavaty.tk, 1 +blayne.me, 0 +blayneallan.com, 0 +blazebd.com, 1 +blazeeria.com, 1 +blazefire.tk, 1 +blazeweb.ml, 1 +blazing.cz, 1 +blazingsaddles.ga, 1 +blazingsuns.tk, 1 +blazor.nl, 1 +blbet365.com, 1 +blblblblbl.fr, 0 +blc.net.au, 1 +blcandleco.com, 1 +bleachbattalion.tk, 1 +bleaching-tipps.de, 1 +bleaklyrics.tk, 1 +bleatingsheep.org, 1 +bleche-onlineshop.at, 1 +bleche-onlineshop.de, 1 +blechschmidt.saarland, 1 +bledina.com, 1 +bleedingcool.com, 1 +bleedmoneyest.ga, 1 +bleekerenbleeker.nl, 1 +bleep.zone, 1 +blegalservicespty.com, 1 +blekingeopen.tk, 1 +blend.works, 1 +blender.io, 1 +blenderinsider.com, 1 +blenderrecipereviews.com, 1 +blendessencial.com, 1 +blending.kr, 1 +blendle.nl, 1 +blenneros.net, 0 +blero.tk, 1 +blessedgeeks.org, 1 +blessedgeeks.social, 1 +blessedguy.com, 1 +blessings24x7.com, 1 +blessingtransportbromoijen.com, 1 +blessrank.com, 1 +bleta.io, 1 +bleuwire.com, 1 +blevinstirepros.com, 1 +blewebprojects.com, 1 +bleyershoes.com, 1 +blheritage-tours.com, 0 +blic-zajm.gq, 1 +blichmann.eu, 1 +blicy.net, 1 +blideobames.com, 1 +blids.nl, 1 +blidz.com, 0 +blieque.co.uk, 1 +bliesener.com, 1 +blijfbij.com, 1 +blijfbij.eu, 1 +bliker.ga, 1 +blikund.swedbank.se, 1 +blinblin.la, 1 +blind-iq.at, 1 +blind-iq.com, 1 +blind-iq.cz, 1 +blind-iq.de, 1 +blind-iq.dk, 1 +blind-iq.es, 1 +blind-iq.eu, 1 +blind-iq.fr, 1 +blind-iq.it, 1 +blind-iq.nl, 1 +blind-iq.pl, 1 +blind-iq.se, 1 +blind-iq.sk, 1 +blindaryproduction.tk, 1 +blindenfreizeiten.de, 1 +blindfold.cf, 1 +blindfold.ga, 1 +blindler.net, 1 +blindpigandtheacorn.com, 1 +blindscribblings.com, 1 +blindsjoburg.com, 1 +blindspotstg.wpenginepowered.com, 1 +blingbusinessest.ga, 1 +blingsparkleshine.com, 1 +blink-security.com, 1 +blink.mortgage, 1 +blinkdir.tk, 1 +blinkdrivex.com, 1 +blinken.co, 1 +blinkenlight.com.au, 1 +blinking.life, 1 +blinking.ml, 1 +blinkspeed.eu, 1 +blinniza.tk, 1 +blinq.me, 1 +blio.tk, 1 +blippr.com, 1 +blissbox.com, 1 +blissdrive.com, 1 +blissfulsmile.com, 1 +blissplan.com, 1 +blissso.com, 1 +blissway.tk, 1 +blissy.com.br, 1 +blist.xyz, 1 +blisterreview.com, 1 +blistertrackandtrace.com, 1 +blitz-idee24.de, 1 +blitzarena.io, 1 +blitzga.me, 1 +blitzkrieg.tk, 1 +blitzlotto.tk, 1 +blitzpaintball.net, 1 +blitztesting.com, 1 +blitzvendor.com, 1 +blivawesome.dk, 1 +blivdj.dk, 1 +blivvektor.dk, 1 +blix.tk, 1 +blixpage.tk, 1 +blixtv.com, 1 +blizhost.com, 1 +blizhost.com.br, 1 +blizko.tk, 1 +blk-intern.ch, 1 +blk-kriens.ch, 1 +blkbx.eu, 1 +blkj.com, 1 +bllb.ru, 0 +bllmnn.de, 1 +bllmnn.eu, 1 +bllmnn.net, 1 +blm.gov, 1 +blm36.cc, 1 +blm69.cc, 1 +blnc.gov, 1 +blnsoftware.com, 1 +blo-melchiorshausen.de, 1 +blobby.com, 1 +blobemoji.com, 1 +blobfolio.com, 1 +blobfox.coffee, 1 +blobs.gg, 1 +bloch.sh, 1 +block-planet.xyz, 1 +block-this.com, 1 +block.xyz, 1 +block65.com, 1 +blockchain.com, 1 +blockchain.info, 1 +blockchain.poker, 1 +blockchainbulteni.com.tr, 1 +blockchainreporter.net, 1 +blockchaintech.ga, 1 +blockcheck.network, 1 +blockcreams.com, 1 +blocked.fun, 1 +blocked.icu, 1 +blockedservers.com, 1 +blockedyourcar.com, 1 +blockedyourcar.net, 1 +blockedyourcar.org, 1 +blockhost.net, 1 +blockified.io, 1 +blockinx.com, 1 +blockmetry.com, 1 +blockmomsest.ga, 1 +blocksettle.com, 1 +blockshopauto.com, 1 +blockstream.com, 1 +blockstream.info, 1 +blockstrom.com, 1 +blockstudio.it, 1 +blocktab.io, 1 +blockthis.xyz, 1 +blockvideo.live, 1 +blockwatch.cc, 0 +blockxit.de, 1 +blockyflare.com, 1 +blodeuyn.com, 1 +bloemenbesteld.nl, 1 +bloemendaalsamen.nl, 1 +bloemendal.me, 1 +blog-investimenti.it, 1 +blog-ludmily.ml, 1 +blog-page.tk, 1 +blog-preview.ml, 1 +blog-sat.com, 1 +blog-story.tk, 1 +blog-trawnikowy.pl, 1 +blog.fo, 1 +blog.gov.uk, 1 +blog.gparent.org, 1 +blog.gt, 1 +blog.je, 1 +blog.torproject.org, 0 +blog.vu, 1 +blogabout.ru, 1 +blogabouthealthy.tk, 1 +blogabr.it, 1 +blogaid.net, 1 +bloganchoi.com, 1 +blogaram.tk, 1 +blogarts.net, 1 +blogbegin.xyz, 1 +blogbookcassiopee.fr, 1 +blogbooker.com, 1 +blogbrew.org, 1 +blogbuz.org, 1 +blogcast.com, 0 +blogclouds.com, 1 +blogcosmeticsurgeon.ga, 1 +blogcrimesnews.tk, 1 +blogcuaviet.com, 1 +blogdelgloton.com, 1 +blogdelosjuguetes.com, 1 +blogdeyugioh.com, 1 +blogdieconomia.it, 1 +blogdimoda.com, 1 +blogdimotori.it, 1 +blogdiva.org, 1 +blogdosimoveis.com.br, 1 +blogexpress.org, 1 +blogext.com, 1 +blogfeng.tk, 1 +blogforprofit.tk, 1 +bloggermobile.tk, 1 +bloggermoney.ml, 1 +bloggermumofthreeboys.com, 1 +bloggerse.com, 1 +bloggersonlinetrainings.tk, 1 +bloggervent.com, 1 +bloggerzarausa.ga, 1 +blogging-life.com, 1 +bloggingfusion.com, 1 +bloggingkits.org, 1 +bloggingqna.com, 1 +bloggingtriggers.com, 1 +bloggingwithchildren.com, 1 +blogguitar.tk, 1 +bloggyaani.com, 1 +bloggymoms.com, 1 +bloggytalky.com, 1 +bloghogger.tk, 1 +blogidol.tk, 1 +bloginformatique.ml, 1 +blogit.fi, 1 +blogke.cn, 1 +bloglogistics.com, 1 +blogman.com, 1 +blognews.cf, 1 +blognik.pl, 1 +blognone.com, 1 +blogofapps.com, 1 +blogom.at, 1 +blogotomia.tk, 1 +blogpark.tk, 1 +blogpress.co.il, 1 +blogpronto.com.br, 1 +blogpsy.net, 1 +blogreen.org, 1 +blogsnote.xyz, 1 +blogspasest.ga, 1 +blogssl.com, 0 +blogstar.tk, 1 +blogtechnologiczny.pl, 1 +blogthedata.com, 1 +blogtienao.com, 1 +blogtroterzy.pl, 1 +bloguerrilla.it, 1 +blogvadim.ga, 1 +blogworm.eu, 1 +blokada.org, 1 +blokino.org, 0 +blokmap.be, 1 +blokuhaka.fr, 1 +blomberg.name, 1 +blomberguk.com, 1 +bloms.de, 1 +blonde-hexe.net, 1 +blondish.net, 0 +bloobasket.com, 1 +blood-kirsche.tk, 1 +blood4pets.tk, 1 +bloodandbones.tk, 1 +bloodandhonourcentral.tk, 1 +bloodhaven.tk, 1 +bloodhunt.eu, 1 +bloodmeter.com, 1 +bloodmine.ga, 1 +bloodmissionsest.ga, 1 +bloodpop.tk, 1 +bloodsports.org, 1 +bloodteam.tk, 1 +bloody-hosting.tk, 1 +bloody.pw, 1 +bloodybiz-news.tk, 1 +bloodycraft.ml, 1 +bloodyhawks.tk, 1 +bloom.sh, 1 +bloom.study, 1 +bloomberg.com, 0 +bloombergadria.com, 1 +bloomberglp.com, 0 +bloombergtv.mn, 1 +bloomfield-investment.com, 1 +bloomfire.com, 1 +bloomingpink.in, 1 +bloomingtonelectionsil.gov, 1 +bloomingtonil.gov, 1 +bloomingwoods.tk, 1 +bloomnail.net, 1 +bloomppm.com, 1 +bloomscape.com, 1 +blopezabogado.es, 1 +blorbo.link, 1 +bloscheck.com, 1 +bloscheck.de, 1 +bloscheck.eu, 1 +bloscheck.net, 1 +bloscheck.org, 1 +blossomtexas.gov, 1 +blountsherifftn.gov, 1 +blounttn.gov, 1 +blowingrock.gov, 1 +bloxtimes.com, 1 +blrjmt.com, 1 +blsattestation.com, 1 +blsgermanyvisa.com, 1 +blsindiavisa-uae.com, 1 +blt-avocat-nantes.fr, 1 +bltc.co.uk, 1 +bltc.com, 1 +bltc.net, 1 +bltc.org, 1 +bltc.org.uk, 1 +bltdirect.com, 1 +bluavido.ml, 1 +blubop.fr, 1 +blubracket.com, 1 +blubux.tk, 1 +blucoat.com, 1 +bluconductor.com, 1 +blucouriers.com.au, 1 +bludiode.com, 1 +bludnykoren.ml, 1 +blue-gmbh-erfahrungen.de, 1 +blue-gmbh.de, 1 +blue-olive.co.za, 1 +blue-pool.de, 1 +blue-python.tk, 1 +blue2purple.com, 1 +blue3investimentos.com.br, 1 +blueangel.org.tw, 1 +bluebahari.gq, 1 +bluebird.com, 1 +bluebirdservice.us, 1 +bluebnc.com, 1 +blueboybernie.com, 1 +bluecam.com, 1 +bluecanvas.io, 1 +bluecat.tk, 1 +bluecatnetworks.com, 1 +bluecherry.tk, 1 +bluecoastelectric.com, 1 +bluecoatnetflowsupport.com, 1 +bluecollarfetishwear.com, 1 +bluecosmetics.tk, 1 +bluecrossmn.com, 1 +blued.moe, 1 +bluedeck.org, 1 +bluedivision.tk, 1 +bluedog-security.com, 1 +blueenergy.tk, 1 +blueeyesworld.tk, 1 +bluefieldwv.gov, 1 +bluefieldwvpd.gov, 1 +blueflare.org, 1 +blueflow.pl, 1 +bluefrontier.co.uk, 1 +bluefuzz.nl, 1 +bluegifts.ro, 1 +bluegoat.jp, 1 +bluegolf.com, 1 +bluegorilla.es, 1 +bluegrassprizes.com, 1 +bluehillme.gov, 1 +bluehr.ph, 1 +blueimp.net, 1 +blueinc.com.au, 1 +blueisafety.com, 1 +bluejeans.com, 1 +blueknights6.eu, 1 +bluekrypt.com, 1 +bluelighter.tk, 1 +bluelily.ga, 1 +bluelime.it, 1 +bluelockchapters.com, 0 +bluemagnetinteractive.com, 1 +bluemail24.com, 0 +bluemango-studios.com, 1 +bluemodus.com, 1 +bluemonte.com, 0 +bluemoonrescue.org, 1 +bluemosh.com, 1 +bluemoundtexas.gov, 1 +bluemountain-ms.gov, 1 +bluemtnrentalmanagement.ca, 1 +bluenetworks.xyz, 1 +blueneuron.tk, 1 +blueoakart.com, 1 +blueoceanbrain.com, 1 +blueparrotpainting.com, 1 +bluepearl.tk, 1 +blueperil.de, 1 +blueplanet.social, 1 +blueport.com, 0 +bluepostbox.de, 1 +blueprintrealtytn.com, 1 +blueprintsdogstudio.com, 1 +blueprotocol-cn.com, 1 +bluerange.io, 1 +blueride.se, 1 +blueridge.social, 1 +blueridgemachinery.com, 1 +blueridgeplans.com, 1 +bluerootsmarketing.com, 1 +blues-and-pictures.com, 1 +blues.at, 1 +bluesbarn.tk, 1 +bluesbuyers.com, 1 +bluescape.com, 1 +bluescape.io, 1 +blueshouse.ro, 1 +blueskiesmassage.com, 1 +bluesky-it.uk, 1 +blueskybrokerage.tk, 1 +blueskycantina.com, 1 +blueskycoverage.com, 1 +blueskyinsure.com, 1 +blueskywebdesign.net, 1 +bluesnews.tk, 1 +bluesoap.com.au, 1 +bluespace.ng, 1 +bluespirit.com, 1 +bluestarbus.co.uk, 1 +bluestardiabetes.com, 1 +bluestoneconstruction.com, 1 +bluestrigger.tk, 1 +bluesunhotels.com, 1 +blueswandaily.com, 1 +bluesystem.tk, 1 +bluetape.com, 1 +bluetape.tk, 1 +bluetexservice.com, 1 +bluetime.com, 1 +bluetoothlasersers.ga, 1 +bluetoothspecialist.ga, 1 +bluetrout.nl, 0 +bluewire.ca, 1 +bluewizardart.net, 1 +bluex.im, 1 +bluex.info, 1 +bluex.net, 1 +bluex.org, 1 +blueyonder.com, 1 +bluffcitytn.gov, 1 +bluffplumber.co.za, 1 +bluffsbyowner.com, 1 +bluheron.ca, 1 +blui.co, 1 +blui.ml, 0 +bluiandaj.ml, 1 +bluicraft.tk, 1 +bluimedia.com, 1 +bluinsights.aws, 1 +blumagine.de, 1 +blumando.de, 1 +blumen-garage.de, 1 +blumen-pusch.de, 1 +blumenbasteln.ml, 1 +blumenfeldart.com, 1 +blumenversand.tk, 1 +blumiges-fischbachtal.de, 0 +blummedia.de, 1 +blundell.wedding, 1 +bluntandsnakes.com, 1 +bluntpark.com, 1 +bluprintoncology.com, 1 +bluproducts.com.es, 1 +blur.io, 1 +blurbhack.com, 1 +blurringexistence.net, 1 +blurt.cf, 1 +blushbymounika.com, 1 +blushingweb.tk, 1 +blusmurf.net, 1 +blutooth.ga, 1 +blutspende.de, 1 +bluware.com, 1 +bluxus.com, 1 +bluzone.io, 1 +blv38.fr, 1 +blw-eschwege.de, 1 +blw.moe, 0 +blyat.science, 1 +blyth.me.uk, 1 +blythwood.com, 1 +bm-academy.fr, 1 +bm-dataprotect.ch, 1 +bm-i.ch, 0 +bm-pc.ddns.net, 1 +bm-trading.nl, 1 +bm1.nl, 1 +bmac.cloud, 1 +bmak.me, 1 +bmak.xyz, 1 +bmbfiltration.com, 1 +bmblawfirm.com, 1 +bmelecevolution.com, 1 +bmhglobal.com.au, 1 +bmipestcontrol.com, 1 +bmjphotography.tk, 1 +bmk-kramsach.at, 1 +bmm.com.co, 1 +bmoattachments.org, 1 +bmoe.eu.org, 1 +bmone.net, 1 +bmotorsports.com, 1 +bmr.ar, 1 +bmriv.com, 1 +bmros.com.ar, 1 +bms-cleaning.ro, 1 +bmskibaru.com, 1 +bmsupermercados.es, 1 +bmw-motorradclub-seefeld.de, 1 +bmwcolors.com, 1 +bmwhocking.com, 1 +bmwhocking.nz, 1 +bmwpartsdeal.com, 1 +bmyjacks.cn, 0 +bmzm.nl, 0 +bn9.com.br, 1 +bnb-buddy.nl, 1 +bnbhome.com, 1 +bnboy.cn, 1 +bnbsinflatablehire.co.uk, 1 +bnc.sh, 1 +bnct.us, 1 +bnd.house, 1 +bnews.vn, 1 +bnext.tech, 1 +bngdigital.com, 1 +bngs.pl, 1 +bngsecure.com, 1 +bnin.org, 1 +bnjscastles.co.uk, 1 +bnkconsulting.info, 1 +bnnuy.com, 1 +bnpl.kz, 1 +bnpparibas-am.com, 0 +bnpparibas.be, 1 +bnpparibas.bg, 1 +bnpparibas.co.uk, 1 +bnpparibas.com.hk, 1 +bnpparibas.de, 1 +bnpparibas.es, 1 +bnpparibas.it, 1 +bnpparibas.lu, 1 +bnpparibas.no, 1 +bnpparibas.pt, 1 +bnpparibas.ru, 0 +bnpparibascardif.com.ar, 1 +bnrailstories.com, 1 +bnssigns.com, 1 +bnstree.com, 0 +bnty.net, 1 +bnwrdil.gov, 1 +bo-1xbet.com, 1 +bo-rad.de, 1 +bo.ke, 1 +bo1689.com, 0 +bo4tracker.com, 1 +boa.rw, 1 +boam.nu, 1 +boanastudio.com, 1 +board-portal.org, 1 +board-room.ca, 1 +boardcloud.org, 1 +boardfree.tk, 1 +boardgameforces.com, 1 +boardgamegeeks.de, 1 +boardgameshots.com, 1 +boardingschoolreview.com, 1 +boardlinks.gov.au, 1 +boardroommind.com, 1 +boards.ie, 1 +boardsoftware.net, 1 +boardspot.com, 1 +boardusersers.ga, 1 +boat-engines.eu, 1 +boatandsailboat.com, 1 +boathut.com.au, 1 +boats.com, 0 +boatsandoats.com, 1 +boatsdonated.com, 1 +boatseller.org, 1 +boatsforveterans.org, 1 +boattour.ru, 1 +boattrader.com.au, 1 +boatyardx.com, 1 +boauganda.com, 0 +boazwi.gov, 1 +bob-dylan.tk, 1 +bob-fuchs.de, 1 +bob.nl, 1 +bob.pe, 1 +bobaly.es, 0 +bobancoamigo.com, 1 +bobandbrians.com.au, 1 +bobandducky.com, 0 +bobaobei.net, 1 +bobaobei.org, 1 +bobasy.pl, 1 +bobbyfischer.tk, 1 +bobbyhensley.com, 1 +bobbyoriginal.tk, 1 +bobbyrobinson.tk, 1 +bobcat.com, 1 +bobcoffee.com.br, 1 +bobcopeland.com, 1 +bobek.cz, 1 +bobep.ru, 1 +bobet.it, 1 +bobfilm.ml, 1 +bobigames.com, 1 +bobiji.com, 0 +bobijoel.ml, 1 +bobkidbob.com, 1 +boblog.tk, 1 +boboboboboaji.xyz, 1 +bobobox.net, 1 +bobotie.ga, 1 +bobra.bid, 1 +bobruysk.tk, 1 +bobseven.com, 1 +bobsfhairstyles.ga, 1 +bobstenancycleaning.co.uk, 1 +bobstikkers.be, 1 +bobstronomie.fr, 1 +bobvincent.com, 1 +bocaaboca.ml, 1 +bocabeats.tk, 1 +bocada.com, 1 +bocahkampus.com, 1 +bocal.cf, 1 +bocamo.it, 1 +bocawa.es, 1 +bocbot.tk, 1 +boccabell.com, 0 +bocciatitanium.com, 1 +bochs.info, 1 +bocloud.eu, 1 +boctok.space, 1 +bocusedormauritius.com, 1 +bodas.com.mx, 1 +bodas.net, 1 +bodascartagena.com, 1 +bodclansite.tk, 1 +boddunan.com, 1 +bodegademuebles.com, 1 +bodegagarces.tk, 1 +bodemplaten4x4.nl, 1 +boden.co.uk, 1 +boden.com, 1 +boden.eu, 1 +boden.fr, 1 +bodenclothing.com.au, 1 +bodendirect.at, 1 +bodendirect.de, 1 +bodenpreview.co.uk, 1 +bodenpreview.com, 1 +bodenpreview.de, 1 +bodenusa.com, 1 +bodesi.com, 1 +bodhi.fedoraproject.org, 1 +bodhionline.com, 1 +bodin.cz, 1 +bodivo.vn, 1 +bodixite.com, 1 +bodlsc.com, 1 +bodrumescmagazin.tk, 1 +bodrumfarm.com, 1 +bodrus.com, 1 +bodsch.com, 1 +bodusod.bg, 1 +body-demo.tk, 1 +bodyblockarcade.com, 1 +bodyblog.nl, 1 +bodybuilding.com, 0 +bodybuilding.events, 1 +bodybuilding.nl, 1 +bodybuildingstyle.tk, 1 +bodybuildingsupplementsexplained.com, 1 +bodybuildingworld.com, 1 +bodycare.cn, 1 +bodyecology.com, 1 +bodygearguide.com, 1 +bodyhealthcare.tk, 1 +bodymassage.cf, 1 +bodymfr.com, 1 +bodymod.tk, 1 +bodymusclejournal.com, 1 +bodypad.com, 1 +bodypainting.waw.pl, 1 +bodyshaping.ml, 1 +bodyshopnews.net, 1 +bodytechautomotive.com.au, 1 +bodyweb.com.br, 1 +bodyweightsolution.com, 1 +boealpinelounge.it, 1 +boegli.tk, 1 +boehm.sh, 1 +boehs.org, 1 +boeing747.tk, 1 +boeleo.ru, 1 +boelsen.net, 1 +boem.gov, 1 +boensite.tk, 1 +boenyc.gov, 1 +boerandolphcountyga.gov, 1 +boerderijspel.nl, 1 +boeren.de, 0 +boerger.com, 1 +boesckens.de, 1 +boese.one, 1 +boevik.ml, 1 +boew.de, 1 +bof.fo, 1 +bofashion.site, 1 +boffin.tk, 1 +bofn.com.tr, 1 +bofoxdesign.com, 0 +bogatyizhenih.tk, 1 +bogdanbiris.com, 1 +bogdancornianu.com, 1 +bogdanepureanu.ro, 1 +bogdanov.ga, 1 +bogdanow.tk, 1 +bogdatrend.ml, 1 +bogenexten.com, 1 +bogner.sh, 1 +bogolyandras.com, 1 +bogosity.tv, 1 +bogoslov.tk, 1 +bogozi.com, 1 +bogs.de, 1 +bogtom.tk, 1 +bogus.ltd, 1 +bogwitch.tk, 1 +bohaishibei.com, 1 +bohemiantooers.ga, 1 +bohoprime.com, 1 +bohramt.de, 1 +bohyn.cz, 1 +boikhor.com, 1 +boilermechhr.com, 1 +boilesen.com, 0 +boiliai.lt, 1 +boilingpoint.net, 1 +boimmobilier.ch, 0 +boingboing.net, 1 +boingo00.wtf, 1 +bointon.com, 1 +boip.in, 1 +boira.tk, 1 +boisebirthdoula.com, 1 +boisehomeoffers.com, 1 +boizeau.fr, 1 +bojan.tk, 1 +bojanowskiszkolka.pl, 1 +bojiu99.cc, 1 +bojoproductions.tk, 1 +bokaldo.com, 1 +bokatas.tk, 1 +boke112.com, 1 +bokehandbows.ca, 1 +bokentau-company.kz, 1 +bokhaldari.is, 1 +bokhylle.eu, 1 +bokkeriders.com, 1 +bokkun.jp, 1 +bokov.gq, 1 +boksburgplumbing.co.za, 1 +bokutake.com, 1 +bol.io, 1 +bolalocobrews.co.uk, 1 +bolaodarico.com.br, 1 +bolbilisim.com, 1 +bolcaparca.com.tr, 1 +boldandbra.sh, 1 +boldare.com, 1 +boldbeau.pt, 1 +bolderly.com, 1 +boldhaus.de, 1 +boldinsight.com, 0 +boldium.com, 1 +boldogsagadni.hu, 1 +boldorion.com, 1 +boldsmartlock.com, 0 +bolehvpn.net, 1 +bolektro.de, 1 +bolele.org, 1 +boleleboyz.org, 1 +boleros.tk, 1 +boletosdeavionbaratos.tk, 1 +boleyn.su, 1 +bolgarnyelv.hu, 1 +bolgarus.ru, 0 +bolha.one, 1 +bolicforum.com, 1 +bolid.tk, 1 +bolivar-circuit-clerk.ms, 1 +bolivar80.com, 0 +bolivarchurch.tk, 1 +bolivarfm.com.ve, 1 +boliviaverde.tk, 1 +bolivin.ga, 1 +bollardstreet.com, 1 +bollervilla.de, 1 +bolli.tech, 1 +bollymarket.com, 1 +bollywoodacapellas4djs.tk, 1 +bollywoodfans.tk, 1 +bollywoodgk.tk, 1 +bollywoodhdsongs.tk, 1 +bollywoodstrot.tk, 1 +bologna-disinfestazioni.it, 1 +bolognatoday.it, 1 +bolognatsrmpstrp.it, 0 +bologoe.tk, 1 +bololo.fun, 1 +bolonapps.com, 1 +bolos.tk, 1 +bolosbatiente.tk, 1 +bolsa.tk, 1 +bolsasbellagio.com.br, 1 +bolshevik.tk, 1 +bolshoi.tk, 1 +bolshoy.tk, 1 +bolt.cm, 0 +bolt.com, 1 +bolte.org, 1 +boltmobile.ca, 1 +bolton-consulting.org, 1 +boltonct.gov, 1 +boltreplassen.no, 1 +boluhaberleri.tk, 1 +bolur.is, 1 +boluwebtasarim.cf, 1 +bolverin.tk, 1 +bolzano-bozen.it, 1 +bolzanoavvocati.it, 1 +bolzanoinfo.it, 1 +boma.ml, 1 +bomanufacture.com, 1 +bombard.ga, 1 +bombe-lacrymogene.fr, 1 +bomberosceuta.tk, 1 +bomberus.de, 1 +bombgame.tk, 1 +bombgirls.cf, 1 +bombgirls.ga, 1 +bombgirls.gq, 1 +bombgirls.ml, 1 +bombiaturkiye.cf, 1 +bombo.xyz, 1 +bomboniere.roma.it, 1 +bomenzoeker.nl, 1 +bomhard.de, 1 +bomhard.net, 1 +bomhard.org, 1 +bomnegocioveiculosrs.com.br, 1 +bomnet.tk, 1 +bompus.com, 1 +bon-appetit-wesel.de, 1 +bonaccordpestcontrol.co.uk, 1 +bonaccorso.eu, 1 +bonaemi.ga, 1 +bonami.cz, 1 +bonami.hr, 1 +bonami.hu, 1 +bonami.lt, 1 +bonami.lv, 1 +bonami.pl, 1 +bonami.ro, 1 +bonami.si, 1 +bonami.sk, 1 +bonami.tech, 1 +bonamihome.ro, 1 +bonanzateam.tk, 1 +bonaparte.com.co, 1 +bonapati.tk, 1 +bonapeti.ml, 1 +bonapp.restaurant, 0 +bonaselect.lv, 1 +bonawehouse.co.uk, 1 +bonbonka.best, 1 +bonbonmania.com, 1 +bonbonshop.ro, 1 +bonchaboncha.com.tw, 1 +bondagefetishstore.com, 1 +bondarenko.dn.ua, 1 +bondarenko.tk, 1 +bondcountyil.gov, 1 +bondcountysa.gov, 1 +bondcouponers.ga, 1 +bondingwithbaby.ca, 1 +bondlink.com, 1 +bondmaster.tk, 1 +bondpro.gov, 1 +bondscript.tk, 1 +bondvigilantes.com, 1 +boneanu.tk, 1 +bonebreakers.tk, 1 +bonebunny.de, 1 +boneinlayinteriorfurniture.com, 1 +boneros.tk, 1 +bonesserver.com, 1 +bonexio.tk, 1 +bonfi.net, 1 +bonfire.co.uk, 1 +bonfireleads.com, 0 +bong--brothers.tk, 1 +bongbong-irl.com, 1 +bongbongirl.com, 1 +bongbongmarcos.com, 1 +bonghuyn.com, 1 +bongit.de, 1 +bongjukim.com, 1 +bongloy.com, 1 +bongo.cat, 1 +bongocams.webcam, 1 +bongoland.tk, 1 +bongoo.fr, 1 +bonic.tk, 1 +bonifatius-friedrich.de, 1 +bonify.de, 1 +bonita.com.br, 1 +bonitadesax.com, 1 +bonitamacas.tk, 1 +bonitaslecturas.ml, 1 +bonitasoft.com, 1 +bonitech.co.uk, 1 +bonito.pl, 1 +bonjour.cm, 1 +bonjourimmo.tv, 1 +bonjourmademoiselle.fr, 1 +bonk.pw, 1 +bonkleagues.ml, 1 +bonkotsua.net, 1 +bonn.digital, 1 +bonneannee.tk, 1 +bonnepart.fr, 1 +bonnetmoda.com, 1 +bonnevillecountyidaho.gov, 1 +bonniecoloring.com, 1 +bonniedraw.com, 1 +bonniekitchen.com, 1 +bonnieradvocaten.nl, 1 +bonniestylez.net, 1 +bonnsustainabilityportal.de, 1 +bonnydevil.com, 1 +bono3.ir, 1 +bonobo.cz, 1 +bonprix.co.uk, 1 +bonsai-uk.cf, 1 +bonsaiclubkengai.tk, 1 +bonsaiclubsanvi.tk, 1 +bonsaicrm.com, 1 +bonsaimedia.nl, 1 +bonsaitree.tv, 1 +bonsaj.tk, 1 +bonte.tk, 1 +bonukset.cf, 1 +bonukset.tk, 1 +bonus-club.gq, 1 +bonus-kran.tk, 1 +bonus.ca, 1 +bonus.net.nz, 1 +bonus7.ro, 1 +bonusdigital.id, 1 +bonusov.tk, 1 +bonusup.tk, 1 +bonviveur.com, 1 +bonvorur.is, 1 +bonwari.com, 1 +boo, 1 +boobsgirls.com, 1 +boodmo.com, 1 +boof.com, 0 +boogiedown.tk, 1 +booglobal.com, 1 +boogschutters-perk.tk, 1 +boojiboysbasement.tk, 1 +book-excursion.com, 1 +book-in-hotel.com, 1 +book-online.tk, 1 +book-sites.cf, 1 +book24.ru, 1 +bookameeting.se, 1 +bookb.com, 1 +bookbazar.co.in, 1 +bookcheapairline.com, 1 +bookchums.com, 1 +bookcreator.com, 1 +bookfirm.com, 1 +bookgeek.ga, 1 +bookginawest.com, 1 +bookingdjparis.fr, 1 +bookinghealth.com, 1 +bookingplacecostarica.com, 1 +bookingpressplugin.com, 1 +bookingready.com, 1 +bookingslog.com, 1 +bookingsrit.tk, 1 +bookingtool.com, 1 +bookingtool.net, 1 +bookingworldspeakers.com, 1 +bookitlive.net, 1 +bookmaker.expert, 1 +bookmark.gq, 1 +bookmarkblog.tk, 1 +bookmarkclub.ga, 1 +bookmarkclub.gq, 1 +bookmarkclub.tk, 1 +bookmarked.cf, 1 +bookmarking.ml, 1 +bookmarkingyourbusiness.ga, 1 +bookmarklive.cf, 1 +bookmarklive.tk, 1 +bookmarkseo.gq, 1 +bookmarkseo.tk, 1 +bookmarkup.gq, 1 +bookmarkup.ml, 1 +bookmarkup.tk, 1 +bookmysplash.com, 1 +booknooktutor.com, 1 +bookourdjs.com, 1 +bookposh.com, 1 +bookreport.ga, 1 +books-dowload.tk, 1 +books-ru.tk, 1 +books.co.ua, 1 +booksales.tk, 1 +booksandcoffee.ml, 1 +bookshopofindia.com, 1 +booksinthefridge.at, 1 +booksky.com, 1 +bookslibrarybooks.gq, 1 +booksoncamping.com, 1 +bookstores.gq, 1 +bookstrap.ga, 1 +booksy.com, 1 +booktruestorys.com, 1 +bookvuz.tk, 1 +bookwear.com, 1 +bookwhen.com, 1 +bookworld.gr, 1 +bookwormstory.social, 1 +bookwritingbureau.com, 1 +bookyourdata.com, 1 +bookzaga.com, 1 +bool.be, 1 +booldamm.llc, 1 +boolypan.com, 1 +boom2.network, 1 +boombangcreditos.tk, 1 +boomboomboat.com, 1 +boomcloud.net, 0 +boomerangwater.com, 1 +boomersurf.com, 1 +boomfestival.org, 1 +boomfinity.xyz, 1 +boomingnewtech.com, 1 +boomingofthings.com, 1 +boomshadow.net, 1 +boomshine.de, 1 +boomsocial.com, 1 +boomstyle.com, 1 +boomsual.com, 1 +boomtheme.com, 1 +boomtownevents.com, 1 +boomvm.pw, 1 +boonecountyfpdmo.gov, 1 +boonecountyil.gov, 1 +boonecountyne.gov, 1 +boonecountywv.gov, 1 +boonecsdia.gov, 1 +booneiowa.gov, 1 +boonemo.gov, 1 +boonshoft.com, 1 +booox.biz, 1 +booox.cc, 1 +booox.net, 1 +booox.org, 1 +booox.pw, 1 +boop.gq, 1 +boop.icu, 1 +booq.org, 1 +booquiz.com, 1 +booshka.ga, 1 +boosinflatablegames.co.uk, 1 +boosman.nu, 1 +boosmanpoolservice.com, 1 +boost-collective.com, 0 +boost.ink, 1 +boostdesign.tk, 1 +boostermachine.com, 1 +boostertonbusiness.com, 1 +boostgame.win, 1 +boostitco.com, 1 +boostplm.com, 1 +boostport.com, 1 +boostport.com.au, 1 +boostroom.com, 1 +boostup.com.tr, 1 +booths.cyou, 1 +bootlesshacker.com, 1 +boots-shop.tk, 1 +bootsa.ga, 1 +bootsa.tk, 1 +bootswinter.tk, 1 +bootsy.org, 1 +bootytube.net, 1 +boozinyan.com, 1 +bopiweb.com, 1 +bopyx.com, 0 +boraarat.com, 1 +boraboraphotos.com, 0 +boracay.tk, 1 +boraclub.com, 1 +boraescolher.com.br, 1 +borafalardeguito.com, 1 +borahan.net, 0 +boranco.tk, 1 +borasol.tk, 1 +borba-umov.tk, 1 +borche-imm.eu, 1 +borchers-media.de, 1 +borchers.ninja, 1 +bordadoenpedreria.com, 1 +borde.network, 1 +bordeiu.ro, 1 +bordelique.tk, 1 +bordercolli.tk, 1 +bordercollie.tk, 1 +bordercolliesworkingdogs.tk, 1 +bordercrossingux.com, 1 +borderfever.cf, 1 +borderfever.ga, 1 +borderfever.ml, 1 +borderlens.com, 1 +borderless.ro, 1 +borderless360.com, 0 +borderpatroledu.org, 1 +bordersbuses.co.uk, 1 +borderzoo.tk, 1 +bordes.me, 1 +bordo.com.au, 1 +bordoeurope.com, 1 +bordonisport.com, 1 +borduurcadeau.tk, 1 +borduurpatronen.tk, 1 +borduurshophengelo.nl, 1 +bore.lt, 1 +borealis.gg, 1 +borealis.su, 1 +boredhackers.com, 1 +boredhoard.com, 1 +boredhousewifeconfessions.cf, 1 +boredhousewifeconfessions.ga, 1 +boredhousewifeconfessions.ml, 1 +borein.cf, 1 +boreo.si, 1 +boresmail.ru, 1 +borfin.com, 1 +borgcube.com, 1 +borgmann-krankenfahrten.de, 1 +borgmestervangen.xyz, 1 +borgoaureo.com, 1 +borgodigatteraia.it, 1 +borgshof.tk, 1 +borhunter.pl, 0 +boringnews.tk, 1 +boringpoll.com, 1 +boringsmith.com, 1 +borisenko-alexander.com, 1 +borisenko.by, 1 +borislam.tk, 1 +borisof.tk, 1 +borja.io, 1 +borjaacost.com, 1 +borjalucero.es, 1 +borlangefk.tk, 1 +borman.biz, 1 +born2bounce.co.uk, 1 +born2dance.tk, 1 +bornandgrazed.com, 1 +borneodictionary.com, 1 +bornfiber.dk, 1 +bornhack.dk, 1 +bornreality.tk, 1 +borntobetogether.eu, 1 +borntocover.pl, 1 +borntoraid.com, 1 +boros.tk, 1 +borowski.pw, 1 +borraxeiros.tk, 1 +borriquillacuenca.tk, 1 +borsa2k.com.tr, 1 +borsodsakk.hu, 1 +bortebest.no, 1 +bortoto.asia, 1 +bortoto.fans, 1 +bortoto.net, 1 +bortoto.org, 1 +borygoai.org, 1 +borysek.net, 1 +borysenko.se, 1 +borzamalta.com.mt, 1 +borzaresearch.com, 1 +borzov.tk, 1 +bosabosa.org, 0 +bosanski-forum.com, 1 +bosanskinovi.tk, 1 +bosattondskap.tk, 1 +bosbandarq.cc, 1 +bosbandarq.info, 1 +bosbandarq.net, 1 +bosbandarq.org, 1 +bosburyhistoryresource.org.uk, 1 +boscawennh.gov, 1 +boschee.net, 1 +boschhirtshals.dk, 1 +boschveldtuin.nl, 1 +boscobelwi.gov, 1 +bosconation.tk, 1 +boscq.fr, 1 +bosdubica.tk, 1 +bosekarmelitky.cz, 1 +bosengineering.be, 1 +bosiquanao.vn, 1 +boskant.tk, 1 +bosnia-online.tk, 1 +bosniaks.com, 1 +bosonogka.tk, 1 +bospiraat.tk, 1 +bospor.tk, 1 +bosquedelasimagenes.tk, 1 +boss.az, 1 +bossefors.tk, 1 +bossurl.tk, 1 +bostan.com, 1 +boston-molly.tk, 1 +boston-sailing.com, 1 +bostonadvisors.com, 0 +bostonaoii.com, 1 +bostonblockchainassociation.org, 1 +bostonews.tk, 1 +bostonfast.com, 1 +bostonivy.co, 1 +bostonmedicalgroup.com, 1 +bostonsportsmedicinemd.com, 1 +bosun.io, 1 +boswellboropd-pa.gov, 1 +bot-manager.pl, 1 +botanical-design.nl, 1 +botanical.house, 1 +botanicoved.com, 1 +botanischkunstenaarsnederland.nl, 1 +botarticle.ga, 1 +botbrother.ml, 1 +botdiril.com, 1 +botealis.ch, 0 +botelegram.tk, 1 +botguard.net, 1 +bothive.io, 1 +boticadiservicio.com, 1 +botija.tk, 1 +botika.online, 1 +botikadiservisio.com, 1 +botipedia.tk, 1 +botmaker.tk, 1 +botmanager.pl, 1 +botmedia.cf, 1 +botnam.com, 1 +botoes-primor.pt, 1 +botoks.tk, 1 +botox.bz, 1 +botpago.cl, 1 +botsa.com, 1 +botschaften-an-das-volk-gottes.de, 0 +botserver.de, 1 +botsindiscord.me, 1 +botstack.host, 1 +botticelli.tk, 1 +bottinquebec.com, 1 +bottke.berlin, 1 +bottle.li, 1 +bottlecapsbev.com, 1 +bottlerockshuttles.com, 1 +bottly.in, 1 +bottom9clothing.com, 1 +bottomfeedings.tk, 1 +bou.cloud, 1 +bou.ke, 1 +bouah.net, 0 +bouallaoui.tk, 1 +boubyranol-biere.com, 1 +bouchard-mathieux.com, 1 +boucherie-charcuterie.ca, 1 +boucherie-restaurant-les-provinces.fr, 1 +bouchonville-knifemaker.com, 1 +bouckaert-usedcars.be, 0 +bouckaert.co, 1 +boudah.pl, 1 +bouffartigue.fr, 1 +bougeer.gent, 1 +bougepourtoi.tk, 1 +bougeret.fr, 1 +bougerpourmasante.com, 1 +bougharios.com, 1 +boughariosbros.com, 1 +bouldercounty.gov, 1 +bouldercountyassessor.gov, 1 +bouldercountydronepilot.com, 1 +bouldercountyhhs.gov, 1 +bouldercountynavigatingdisaster.gov, 1 +bouldercountyrecovery.gov, 1 +bouldercountytreasurer.gov, 1 +bouldercountyvotes.gov, 1 +boulderdowntown.com, 1 +boulderodm.gov, 1 +bouldersheriff.gov, 1 +boulderswap.com, 1 +boulderwagonroad.org, 1 +boulebar.duckdns.org, 1 +boulevard-ruijschenbergh.nl, 1 +boulstory.ru, 1 +boulzicourt.fr, 1 +boumstudio.com, 1 +bounce-a-roo.co.uk, 1 +bounce-abouts.com, 1 +bounce-n-go.co.uk, 1 +bounce-on.co.uk, 1 +bounce-r-us.co.uk, 1 +bounce-xtreme.co.uk, 1 +bounce4fun.co.uk, 1 +bounce4kidz.com, 1 +bounce4less.ie, 1 +bouncea-bout.com, 1 +bounceaboutnewark.co.uk, 1 +bounceaboutsussex.co.uk, 1 +bouncealotnorthwest.co.uk, 1 +bounceapp.com, 1 +bouncearoundinflatable.com, 1 +bouncearoundsheffield.co.uk, 1 +bounceawaycastles.com, 1 +bouncebackcastles.co.uk, 1 +bouncebookings.com.au, 1 +bouncecrazy.ie, 1 +bouncemaniaevents.co.uk, 1 +bouncemaniainflatables.co.uk, 1 +bouncenortheast.co.uk, 1 +bouncenpaint.co.uk, 1 +bounceroos-bouncycastles.co.uk, 1 +bounceroosevents.co.uk, 1 +bouncers-bouncycastlehire.co.uk, 1 +bouncesquad.co.uk, 1 +bouncetasticuk.co.uk, 1 +bouncetheparty.co.uk, 1 +bouncetothebeat.tk, 1 +bounceunlimited.co.uk, 1 +bouncewithbovells.com, 0 +bouncincastles.co.uk, 1 +bouncing4joy.co.uk, 1 +bouncingbuzzybees.co.uk, 1 +bouncinghigher.co.uk, 1 +bouncingscotland.com, 1 +bouncourseplanner.net, 1 +bouncy-castles-surrey.co.uk, 1 +bouncy-tots.co.uk, 1 +bouncybaileys.co.uk, 1 +bouncyball.eu, 1 +bouncyballs.org, 1 +bouncybouncyboocastlehire.co.uk, 1 +bouncycastle.net.au, 1 +bouncycastlehire-norwich.com, 1 +bouncycastlehire.co.uk, 1 +bouncycastlehireauckland.co.nz, 1 +bouncycastlehirebexley.co.uk, 1 +bouncycastlehirechelmsford.org.uk, 1 +bouncycastlehirehull.co.uk, 1 +bouncycastlehirelouth.co.uk, 1 +bouncycastlehiremalvern.co.uk, 1 +bouncycastlehiresurrey.co.uk, 1 +bouncycastlehirewinchester.co.uk, 1 +bouncycastleman.co.uk, 1 +bouncycastleparade.com, 1 +bouncycastlesgalway.com, 1 +bouncycastleshire.co.uk, 1 +bouncycastlesin.co.uk, 1 +bouncycastlesinderby.co.uk, 1 +bouncycastlesisleofwight.co.uk, 1 +bouncycastlesmonaghan.com, 1 +bouncycastlesperth.net, 1 +bouncycastlessheerness.co.uk, 1 +bouncydays.co.uk, 1 +bouncygiggles.com.au, 1 +bouncyhigher.co.uk, 1 +bouncykingdom.co.uk, 1 +bouncykings.co.uk, 1 +bouncykingsnortheast.co.uk, 1 +bouncykingsofleicester.co.uk, 1 +bouncymacs.co.uk, 1 +bouncyrainbows.co.uk, 1 +bouncytime.co.uk, 1 +bound2bounce.co.uk, 1 +boundaryford.com, 1 +boundaryvets.co.uk, 1 +boundladies.ga, 1 +boundless-designs.com, 1 +boundlessmediausa.com, 1 +bounouh.tk, 1 +bountiful.ag, 1 +bountiful.gov, 1 +bounty.fund, 1 +bounty.software, 1 +bountyfactory.io, 0 +bountyhunter.tk, 1 +bountyhunteredu.org, 1 +bountyhuntermetaldetector.tk, 1 +bourangstudios.com, 1 +bourasse.fr, 1 +bourbo.net, 1 +bourbonridgeretreat.com, 1 +bourestonmedia.com, 1 +bourgeoisdoor.com, 1 +bourgeoisdoorco.com, 1 +bourhis.info, 1 +bourne-ma.gov, 1 +bournefun.co.uk, 1 +bourrasque-info.org, 1 +bourrelier.be, 1 +bourse-aux-jouets.org, 0 +bourse-aux-vetements.org, 0 +bourse-puericulture.org, 0 +bourseauxservices.com, 1 +bourtalm.fr, 1 +boutibag.com, 1 +boutique-pcland.fr, 1 +boutique.be, 1 +boutiquecoureurdesbois.ca, 1 +boutiquedecanetas.com.br, 1 +boutiquedelhogar.cl, 1 +boutiquedoartista.com.br, 1 +boutiqueguenaelleverdin.com, 1 +boutiqueinove.com.br, 1 +boutiquesette.bg, 1 +boutoncoupdepoing.fr, 1 +bouvier-des-flanders.com, 1 +bouville.fr, 0 +bouw.live, 1 +bouwbedrijfdesmet.be, 1 +bouwbedrijfjstam.nl, 1 +bouwbedrijfkorstanje.nl, 1 +bouwma.nl, 1 +bouwplaatscheckin.nl, 1 +bouwstenen.com, 1 +bouzouada.com, 1 +bouzouks.net, 1 +bovender.de, 1 +bovenwebdesign.nl, 1 +bovileva.com.ua, 1 +bovworkplacepensions.com, 1 +bowdens.me, 1 +bowdoinmaine.gov, 1 +bowelcontroltherapy.com, 1 +bowhill.me, 1 +bowhunter-ahorn.de, 0 +bowlcake.fr, 1 +bowldirectoryest.ga, 1 +bowlidex.com, 1 +bowling.com, 1 +bowmanwilliams.com, 0 +bowmar.gov, 1 +bownhpd.gov, 1 +bowntycdn.net, 1 +bowwowinsurance.com.au, 1 +box.bz, 1 +box.lol, 1 +box2.cz, 1 +boxalouer78.fr, 1 +boxbuttecountyne.gov, 1 +boxclaw.com, 1 +boxclub-marburg.de, 1 +boxcritters.wiki, 1 +boxcryptor.com, 0 +boxdevigneron.fr, 1 +boxdroplacrosse.com, 1 +boxeomexicano.tk, 1 +boxer-shorts.net, 1 +boxerdogdiaries.com, 1 +boxerdogsaspets.com, 1 +boxfly.com, 1 +boxhall.co.uk, 1 +boxhostserver.com, 1 +boxing-kangaroo.ga, 1 +boxing-videos.com, 1 +boxing247.com, 1 +boxingclubduval.com, 1 +boxingnews.co, 1 +boxingnews24.com, 1 +boxingrankings.co, 1 +boxingschedule.co, 1 +boxintense.com, 0 +boxiruem.ru, 1 +boxlegal.es, 1 +boxmail.cn, 1 +boxmania.tk, 1 +boxofficebengal.tk, 1 +boxofficefunding.com, 1 +boxofninjas.ca, 1 +boxoptions.com, 1 +boxpark.co.uk, 1 +boxpirates.to, 0 +boxsite.ga, 1 +boxtub.com, 1 +boxturtlesaspets.com, 1 +boxview.com, 1 +boyard.tk, 1 +boycewire.com, 1 +boydcorp.com, 1 +boydstree.com, 1 +boydwi.gov, 1 +boygirl.tk, 1 +boyhost.cn, 1 +boyinglanguage.com, 1 +boykovo.tk, 1 +boylecountyky.gov, 1 +boyo.cloud, 1 +boyscoutcampcars.cf, 1 +boyscouts.tk, 1 +boyscoutschile.tk, 1 +boyson.tech, 1 +boysontech.com, 1 +boysorebro.tk, 1 +boywife.space, 1 +bozdech.eu, 1 +bozenadusseau.tk, 1 +bozhok.tk, 1 +bozit.com.au, 1 +bp-app.de, 1 +bp-systems.ovh, 1 +bpa.gov, 1 +bpadvisors.eu, 1 +bparlay.com, 1 +bpastudies.org, 1 +bpbdpadangsidimpuan.id, 1 +bpconsulting.kz, 1 +bpd.nl, 1 +bphostels.com, 1 +bpinvest.ch, 1 +bpisites.eu, 1 +bplan.tk, 1 +bpo.or.jp, 1 +bpo.ovh, 1 +bpol-forum.de, 1 +bpreguica.com.br, 1 +bpsdev.org.uk, 1 +bpsis.fr, 1 +bpvgoncalves.com, 1 +bpvr.ddns.net, 1 +bpvr.nl, 1 +bqcp.net, 1 +bqp.io, 0 +bqr.ch, 0 +bqtoolbox.com, 1 +br-1xbet.com, 1 +br-hq.net, 1 +br-miyamoto.spdns.org, 1 +br.search.yahoo.com, 0 +br.to, 1 +br1334shop.com.br, 1 +br3in.nl, 0 +br7.ru, 1 +br8.pl, 1 +bra-horapparat.se, 1 +bra360.com, 1 +braathe.no, 1 +brabantia.com, 1 +braccialini.tk, 1 +bracebridgechiro.com, 1 +bracelet-chakras.com, 1 +braces-supports.tk, 1 +bracesbyberry.com, 1 +bracesjourney.com, 1 +brachotelborak.com, 1 +bracken.jp, 1 +bracket.land, 1 +bracketofficial.com, 1 +brackets-salad.com, 1 +brackettvilletx.gov, 1 +bracknellvets.co.uk, 1 +bractwogothica.ml, 1 +brad.fi, 1 +bradeales.com, 1 +bradentonfl.gov, 1 +bradfordcountypa.gov, 1 +bradfordhottubhire.co.uk, 1 +bradfordwoods.gov, 1 +bradler.net, 0 +bradleybeeming.com, 1 +bradturveyofficial.tk, 1 +bradyosborne.com, 1 +bradypatterson.com, 1 +braemer-it-consulting.de, 1 +bragasoft.com.br, 0 +bragaweb.com.br, 1 +braggalabel.cf, 1 +bragis.nl, 1 +brahammn.gov, 1 +brahma.world, 1 +brahmins.com, 1 +braiampeguero.xyz, 1 +braidice.ga, 1 +brailsford.xyz, 1 +brain-club.info, 1 +brain-e.co, 1 +brain-force.ch, 1 +brain-storm.ml, 1 +brain.gov, 1 +brainatwork.it, 1 +brainball.fr, 0 +brainbashers.com, 1 +brainboxai.com, 1 +brainburger101.tk, 1 +brainbus.com, 1 +braincandy.com, 1 +brainchasm.com, 1 +braincorebismarck.com, 1 +brainefive.com, 1 +brainfeed.nl, 1 +brainfirm.com, 1 +brainguru.co.in, 1 +brainguru.in, 1 +brainhealth.gov, 1 +brainhub.nl, 1 +brainit.at, 1 +brainjuice.tk, 1 +brainmade.tk, 1 +brainmanager.io, 1 +brainobeat.com, 1 +brainotony.com, 1 +brainoutlevel.com, 1 +brainporteindhoven.com, 1 +brainps.org, 1 +brainrush.ga, 1 +brainserve.ch, 0 +brainserve.com, 0 +brainserve.swiss, 0 +brainshare.tk, 1 +brainshit.fr, 1 +brainsik.net, 1 +brainsoftict.nl, 1 +brainspawn.tk, 1 +brainstache.com, 1 +brainstew.tk, 1 +brainstormproductions.tk, 1 +braintensive.com, 1 +braintonus.tk, 1 +braintree.gov.uk, 1 +braintreevt.gov, 1 +brainup-clinic.com, 1 +brainvation.de, 1 +brainware-india.com, 1 +brakebills.org, 1 +brakemanpro.com, 1 +brakesystemu.com, 1 +brakomecov.tk, 1 +brallog.tk, 1 +bralnik.com, 1 +bramberheights.com, 1 +brambevers.tk, 1 +bramblerealestate.com, 1 +brambles.com, 1 +brambleski.com, 1 +bramburek.net, 1 +bramfri.dk, 1 +bramhallsamusements.com, 1 +bramhopetails.uk, 1 +bramois.tk, 1 +bramptonaikikai.tk, 1 +bramptonscrapcarremoval.com, 1 +bramsikkens.be, 1 +bramstaps.nl, 1 +bramvanaken.be, 1 +bramygrozy.pl, 1 +bran.cool, 1 +bran.land, 1 +bran.pw, 1 +bran.soy, 1 +bran.to, 1 +branaher.cz, 1 +branch-bookkeeper.com, 1 +branch.ga, 1 +branchchristianschool.org.uk, 1 +branchenbuch-potsdam.com, 1 +branchrvparktexas.com, 1 +branchtobox.com, 1 +branchtrack.com, 1 +brand-design.studio, 1 +brandabaski.tk, 1 +brandand.co.uk, 1 +brandarkitekt.com, 1 +brandathon.be, 1 +brandathon.nl, 1 +brandbags.gr, 1 +brandbastion.com, 1 +brandbook.io, 1 +brandcodestyle.com, 0 +brandeps.com, 1 +brandfactory.ml, 1 +brandfeatured.com, 1 +brandfolder.com, 1 +brandfoto.com, 1 +brandhost.tk, 1 +brandhout-b-tree.be, 1 +brandingclick.com, 1 +brandingcoapps.com, 1 +brandingforthepeople.com, 1 +brandinspiration.fr, 1 +brandjapan.com, 1 +brandketers.com, 1 +brandmixer.ru, 1 +brandmovers.co, 1 +brandnous.ca, 1 +brandnucreations.com, 1 +brando753.xyz, 1 +brandon-manilow.tk, 1 +brandon.so, 0 +brandonbonine.com, 1 +brandoncricket.tk, 1 +brandondivorcelawyer.com, 1 +brandongevallen.tk, 1 +brandongomez.me, 1 +brandonhaynesmd.com, 1 +brandonhubbard.com, 1 +brandonjacksonphoto.com, 1 +brandonlin.me, 1 +brandonlui.com, 1 +brandonlui.ml, 1 +brandons.site, 1 +brandontaylor-black.com, 1 +brandonwalker.me, 1 +brandosvault111.ca, 1 +brandrocket.dk, 1 +brands-clothings.tk, 1 +brands-polo.cf, 1 +brands-polo.gq, 1 +brands-sports.com, 1 +brandsafe.io, 1 +brandsclub.tk, 1 +brandstead.com, 1 +brandstof-prijzen.nl, 1 +brandt.tech, 1 +brandtechdesign.co.uk, 1 +brandtrapselfie.nl, 1 +brandweer-almelo.tk, 1 +brandweer-sgravendeel.tk, 1 +brandweerbarboek.nl, 1 +brandweercapcodes.tk, 1 +brandweeredam.tk, 1 +brandweerfraneker.nl, 1 +brandweergent.be, 1 +brandweergrijpskerk.tk, 1 +brandweerhalsteren.tk, 1 +brandweermodelbouw.tk, 1 +brandweerpuch.tk, 1 +brandweerrooster.nl, 1 +brandweertrainingen.nl, 1 +brandweeruitgeest.nl, 1 +brandweerweb.tk, 1 +brandwizo.com, 1 +branefive.com, 1 +branemusic.com, 1 +braniebananie.nl, 1 +brank.as, 1 +brankor.net, 1 +brankor.rs, 1 +branobratoz.tk, 1 +bransive.com.au, 1 +bransonwestmo.gov, 1 +brantleycounty-ga.gov, 1 +branw.xyz, 0 +brard.it, 1 +brasas.ec, 1 +brasco.tk, 1 +brasdir.com, 1 +brashear.me, 1 +brasil66.tk, 1 +brasilandia.tk, 1 +brasilcheats.tk, 1 +brasilduino.tk, 1 +brasiliademinasnet.tk, 1 +brasilianskbikini.se, 1 +brasillifeoficial.tk, 1 +brasilmatamata.ml, 1 +brasilmedia.com, 1 +brasilmobi.cf, 1 +brasiltopnews.tk, 1 +brasilwear.biz, 1 +brasilweb.tk, 1 +braslet-bianshi.tk, 1 +braspetdf.com.br, 1 +brasrede.com.br, 1 +brass.host, 1 +brassbandwarmond.tk, 1 +brasseursdubois.com, 1 +brasshow.com.br, 1 +brasspipedreams.org, 1 +bratan.ga, 1 +bratkartoffelking.de, 1 +bratstvo.tk, 1 +bratt.tk, 1 +bratteng.com, 0 +bratteng.me, 1 +bratteng.solutions, 1 +brattleboro.gov, 1 +bratunaconline.tk, 1 +brau-ingenieur.de, 1 +braudoktor.de, 1 +brauer-augenoptik.de, 1 +brauingenieur.de, 1 +braun-russia.ru, 1 +braunbergerfreelance.com, 1 +braunsteinpc.com, 1 +braunwarth.info, 0 +brausch.co.nz, 1 +brauschtrucking.co.nz, 1 +brausestube.de, 1 +brave-foods.ch, 0 +brave-foods.com, 0 +brave.com, 1 +braveagency.com.au, 1 +bravebaby.com.au, 1 +bravebiz-news.tk, 1 +bravegk.com.ua, 1 +bravelittlesquirrel.com, 1 +bravelocation.com, 1 +bravelychoc.com, 1 +bravenboer.tk, 1 +bravewiki.tk, 1 +bravga.com, 1 +bravica.tk, 1 +bravo.bi, 1 +bravoasociados.com, 1 +bravobet.et, 1 +bravodeal.com, 1 +bravodescuento.es, 1 +bravogutschein.at, 1 +bravogutschein.de, 1 +bravokorting.nl, 1 +bravokupony.pl, 1 +bravopromo.be, 1 +bravopromo.fr, 1 +bravosconto.it, 1 +bravovoucher.co.uk, 1 +bravurabusinessconsulting.com, 1 +bravurasolutions.com, 1 +brawin.cf, 1 +brawlstarsitalia.com, 1 +braxtoncountywv.gov, 1 +braxtonehle.com, 1 +braychappell.com, 1 +brayden.gq, 1 +braynblog.ml, 1 +brazenfol.io, 1 +brazilh2.com.br, 1 +brazilian-human-hair-extension.tk, 1 +brazilianbikinishop.com, 1 +braziliantop.com, 1 +braziliaskincare.com, 1 +brazillens.com, 1 +brazoriacountyclerktx.gov, 1 +brazzers.com, 1 +brazzersnetwork.com, 1 +brazzersvod.com, 1 +brb.city, 1 +brba.nl, 1 +brbt.eu, 1 +brbt.net, 1 +brc.fj.cn, 1 +brck.nl, 1 +brcshipsupply.com, 1 +breachdata.io, 1 +breachlock.com, 1 +breachmedia.ca, 0 +bread.fish, 1 +breadandlife.org, 0 +breadheads.net, 1 +breadmash.tk, 1 +breadpirates.chat, 1 +breakberlin.tk, 1 +breakcraft.tk, 1 +breakdancer.tk, 1 +breakerlink.com, 1 +breakeven.tk, 1 +breakfastcafe.tk, 1 +breakfree.tk, 1 +breakingdeal.fr, 1 +breakingnewskenya.tk, 1 +breakingthesilence.org.il, 1 +breakinoutpr.com, 1 +breakmaps.net, 1 +breakofdawn.tk, 1 +breakpoint.at, 1 +breaksome.tech, 1 +breakthroughenergy.org, 1 +breakwall.ml, 1 +breaky.de, 1 +breard.tf, 1 +breastaugmentationky.com, 1 +breastbuysers.ga, 1 +breastbuysest.ga, 1 +breastdensitynj.com, 1 +breastenlargement.gq, 1 +breathe-easy.tk, 1 +breathedreamgo.com, 0 +breathingblanket.com, 0 +breathingsound.ml, 1 +breathlesssheranda.tk, 1 +brechadigital.tk, 1 +brecht.ch, 1 +breckle.com.ua, 1 +brecknell.biz, 1 +brecknell.com, 1 +brecknell.info, 1 +brecknell.name, 1 +brecknell.net, 1 +brecknell.org, 1 +breda.computer, 1 +bredabeds.com, 1 +bredahooligans.tk, 1 +bredband.fi, 1 +breechdepot.com, 1 +breederpodcast.com, 1 +breederworld.dog, 1 +breen.com.br, 1 +breezyapp.hu, 1 +breezypointmn.gov, 1 +breffa.pl, 1 +brefy.com, 1 +brege.org, 1 +bregmanfance.com, 1 +bregnedal.dk, 1 +bregnedalsystems.dk, 1 +bregroup.com, 1 +brehoni.cz, 0 +breinify.ai, 1 +breinify.com, 1 +breitband.bz.it, 1 +breizh.pm, 1 +breizhetho.com, 1 +breizhpuffy.org, 1 +breket.ml, 1 +brelin.tk, 1 +brellich.eu, 1 +breloque.com, 1 +bremen-restaurants.de, 1 +bremerfriedensforum.de, 1 +breml.com, 1 +bremsscheiben.com, 1 +brenbarnes.com, 1 +brenbarnes.com.au, 0 +brendabecker.com, 1 +brendanbatliner.com, 1 +brendancroker.tk, 1 +brendanfarmer.ga, 1 +brendanreev.es, 1 +brendanscherer.com, 1 +brendasartstudio.com, 1 +brentalbright.tk, 1 +brentfieldschools.cf, 1 +brentnewbury.com, 1 +brentonico.com, 1 +brentsoslibraries.org.uk, 1 +bresciatoday.it, 1 +breshka.be, 1 +bressem.com, 0 +bresslerriskblog.com, 1 +brest-bel.tk, 1 +brest-biz-belarus.tk, 1 +brest-brest.tk, 1 +brest-master.tk, 1 +brest-news.tk, 1 +brest-region.tk, 1 +brest.fr, 0 +brest24.tk, 1 +brestnews.tk, 1 +brestradio.tk, 1 +brestshop.tk, 1 +bretcarmichael.com, 1 +breteuilcommerceartisanat.com, 1 +breton.pm, 1 +bretonhouse.ca, 1 +bretonstripe.com, 1 +brett.ml, 1 +brettabel.com, 1 +brettcornwall.com, 1 +bretti.net, 1 +brettlawyer.com, 1 +brettlfohra.tk, 1 +brettpostin.com, 1 +brettw.xyz, 1 +bretzner.fr, 0 +brevboxar.se, 1 +breve-tufvassons.ru, 1 +brevent.sh, 1 +brew.fi, 1 +brew.sh, 1 +brewcentralny.com, 1 +brewin.ml, 1 +brewit.online, 1 +brewmovers.com, 1 +brewsouth.com, 1 +brewspark.co, 0 +brex.money, 1 +brex.pw, 1 +brexit.tk, 1 +breyerslakeshoreresort.com, 1 +breyerslakesideresort.com, 1 +breyersresort.com, 1 +brezani.tk, 1 +breznet.com, 0 +brf-tradgarden.se, 1 +brferramentas.com.br, 1 +brfvh24.se, 1 +brg.to, 1 +brgins.com, 1 +brgsmartcity.com, 1 +brguk.com, 1 +brhanhaki.org, 1 +bri.fyi, 1 +bri.net.br, 1 +brian-ormond.tk, 1 +brian-wee.com, 1 +brian.gq, 0 +brianalaway.com, 1 +brianalawayconsulting.com, 1 +briandwells.com, 0 +brianfanzo.com, 1 +brianfoshee.com, 1 +briangarcia.ga, 1 +brianjohnson.co.za, 1 +brianjosephdavis.tk, 1 +briankanode.com, 1 +briankavanaugh.com, 1 +brianlachapelle.tk, 1 +brianlanders.us, 1 +brianleejackson.com, 1 +brianleemarketing.com, 1 +brianm.com, 1 +brianmwaters.net, 1 +brianna.tk, 1 +brianoost.com, 1 +brianpagan.net, 1 +brianregan.com, 0 +brianroadifer.com, 1 +briansemrau.com, 1 +briansmith.org, 1 +briantafoya.com, 1 +brianum.de, 1 +brianum.net, 1 +brianvalente.tk, 1 +brianwesaala.com, 0 +brianwilson.tk, 1 +briarcliffmanor.gov, 1 +briarpatchfrenchiesandpugs.com, 1 +briarproject.org, 1 +bribriescolawfirm.com, 1 +brickadia.com, 1 +brickell.com, 1 +brickfilmfestival.tk, 1 +brickftp.com, 1 +brickland.tk, 1 +bricks-clicks.com, 1 +bricks4kidzelearn.com, 1 +bricksandmotor.co.uk, 1 +brickstreettrio.com, 1 +brickvortex.com, 1 +brickweb.co.uk, 1 +brickwerks.io, 1 +bricmon.tk, 1 +bricolajeux.ch, 0 +bricomag-media.com, 1 +bricomium.com, 1 +brid.gy, 0 +bridal.tk, 1 +bridalfabrics.ru, 1 +bridalgallerysalem.com, 1 +bridalreflections.com, 1 +bridalshoes.com, 1 +bridalweddingshow.ga, 1 +bride.vn, 1 +bridebook.com, 1 +bridesbouquet.ml, 1 +bridestarco.com, 1 +bridge-online.cloud, 1 +bridge-to-knowledge.nl, 1 +bridge-xs.com, 1 +bridge.nl, 1 +bridgecitytx.gov, 1 +bridgecon.com.au, 1 +bridgedigest.cf, 1 +bridgedigest.tk, 1 +bridgedigestest.ga, 1 +bridgedirectoutreach.com, 1 +bridgefield.de, 1 +bridgeforcefinancial.com, 1 +bridgeitsolutions.com.au, 1 +bridgemanualest.ga, 1 +bridgement.com, 1 +bridgeout.com, 1 +bridgepayday.ph, 1 +bridgeportlaboratory.tk, 1 +bridgeportne.gov, 1 +bridgeportwv.gov, 1 +bridgercanyonfiremt.gov, 1 +bridges.ml, 1 +bridgesinbelize.org, 1 +bridgethailand28chidlom.com, 1 +bridgetmcauliffe.ie, 1 +bridgetonmo.gov, 1 +bridgetownrecords.tk, 1 +bridgetroll.org, 1 +bridgewaterma.gov, 1 +bridholm.se, 1 +bridozia.com, 1 +briefassistant.com, 1 +briefbiz-news.tk, 1 +briefly.ru, 1 +briefs.in.th, 1 +briefvorlagen-papierformat.de, 1 +briellenj.gov, 1 +briffoud.fr, 1 +brigadasazules.tk, 1 +brigady.tk, 1 +brigantinebeach.org, 1 +briggsandlittle.com, 1 +briggsleroux.com, 1 +brighouse-leisure.co.uk, 1 +bright-s.net, 1 +brightback.com, 1 +brightbiz-news.tk, 1 +brightblue.cf, 1 +brightbock.co.uk, 1 +brightbock.com, 1 +brightbock.net, 1 +brightbock.org, 1 +brightbock.tw, 1 +brightbock.uk, 1 +brightday.bz, 1 +brightendofleasecleaning.com.au, 0 +brighterimagelab.com, 1 +brightfuturemadebyme.com, 1 +brightgk.com, 1 +brightideaspromotional.co.uk, 1 +brightmachines.com, 1 +brightmls.com, 1 +brightmovers.com, 1 +brighton-canoes.co.uk, 1 +brightonbank.com, 1 +brightonbouncycastles.net, 1 +brightonchilli.org.uk, 1 +brightonfc.tk, 1 +brightongrowlights.ga, 1 +brightonncmachine.com, 1 +brightonvt.gov, 1 +brightonvt.org, 1 +brightpool-markets.com, 1 +brightside.com, 1 +brightsparks.com.sg, 1 +brightsport-news.tk, 1 +brighttax.com, 1 +brighttomorrowproductions.com, 1 +brightvalley.com.au, 1 +brightview.net.cn, 1 +brightwakeintranet.co.uk, 1 +brightzonecleaning.com.au, 1 +brightzoneofficecleaning.com.au, 1 +brigidaarie.com, 1 +brigittaseasons.com, 1 +brigittaspromise.org, 1 +brigittebutt.tk, 1 +brigittefontaine.tk, 1 +brignier.com, 1 +brilalux.pe, 1 +brileytownshipmi.gov, 1 +briliant.tk, 1 +brilliancesecuritymagazine.com, 1 +brilliant-minds.tk, 1 +brilliantbouncyfun.co.uk, 1 +brilliantproductions.co.nz, 1 +brillie.tk, 1 +brillio.com, 1 +brillionwi.gov, 1 +brillionworks.com, 1 +brimspark.com, 1 +brimspark.systems, 1 +brindabantheatre.tk, 1 +brindesgrafica.com.br, 1 +brindisireport.it, 1 +brindocorp.tk, 1 +bring-heaven.com, 1 +bringfido.com, 1 +bringform.ml, 1 +bringonbusiness.com, 1 +brinker.com, 1 +brinkhu.is, 1 +brinksurl.com, 1 +brinokidzonline.tk, 1 +brio-shop.ch, 1 +brio-ukraine.store, 1 +brio.news, 1 +briograce.com.mx, 1 +brioukraine.store, 1 +brisamar8.de, 1 +brisbanecashforcars.com.au, 1 +brisbanelogistics.com.au, 1 +brisbanerecordbar.com.au, 1 +brisbine.cloud, 1 +brisceremony.com, 1 +brisignshop.com.au, 1 +brisp.nl, 1 +brisq.design, 1 +bristebein.com, 1 +bristolandwestonsuperbounce.com, 1 +bristolctwatersewer.gov, 1 +bristolmoneyman.com, 1 +bristowpoliceok.gov, 1 +brit-thoracic.org.uk, 1 +britania.tk, 1 +britanicasalud.com.ar, 1 +britannia-jewellery.co.uk, 1 +britannia.no, 1 +britanniapandi.com, 1 +britanniawellness.com, 1 +britelocate.com, 1 +british-assessment.co.uk, 1 +britishairlinesflights.com, 1 +britishantiquefurniture.co.uk, 1 +britishbee.org.uk, 1 +britishbee.uk, 1 +britishbeef.com, 1 +britishbeekeepers.com, 1 +britishbeekeepers.net, 1 +britishbeekeepers.org, 1 +britishbeekeepers.org.uk, 1 +britishbeekeepers.uk, 1 +britishbeekeepersassociation.org.uk, 1 +britishbookmakers.co.uk, 1 +britishbullshitfoundation.cf, 1 +britishbullshitfoundation.ga, 1 +britishbullshitfoundation.ml, 1 +britishchronicles.com, 1 +britishgeneralelection.cf, 1 +britishgeneralelection.ga, 1 +britishgeneralelection.ml, 1 +britishgroupsg.com, 1 +britishmeat.com, 1 +britishpearl.com, 1 +britishpropoliss.my.id, 1 +britishrafting.com, 1 +britishsfaward.org, 1 +britishsnoring.co.uk, 1 +britney-galaxy.com, 1 +britneyclause.com, 1 +britneymanias.tk, 1 +britneyuniverse.com, 1 +britofootball.com, 1 +britsoc.co.uk, 1 +brittainconsulting.ca, 1 +brittany.com.ph, 1 +brittanyferriesnewsroom.com, 1 +brittas-world.tk, 1 +brivawn.com, 1 +brix-central.tk, 1 +brixxonline.nl, 0 +brizawen.com, 1 +brizz.com.co, 1 +brizzo.net, 1 +brk-t.com, 1 +brk-t.org, 1 +brk.dk, 1 +brk.st, 1 +brkt.cc, 1 +brkt.church, 1 +brktkiliseleri.com, 1 +brktkiliseleri.org, 1 +brlcontracting.com.au, 1 +brmascots.com, 1 +brmnn.de, 1 +brmsalescommunity.com, 1 +brn.by, 1 +brn.is, 0 +brnogame.com, 1 +brnogame.cz, 1 +brnogame.online, 1 +brnohra.com, 1 +brnohra.cz, 1 +brnohra.online, 1 +brnojebozi.cz, 1 +brnr.link, 1 +brnrx.com, 1 +broadax.ml, 1 +broadbandchoices.co.uk, 1 +broadbandexposed.co.uk, 1 +broadbandmap.gov, 1 +broadbiz-news.tk, 1 +broadcastlistingers.ga, 1 +broadcastlistingest.ga, 1 +broadcastrealtimeest.ga, 1 +broadcasttowerers.ga, 1 +broadfoundation.org, 1 +broadjournalest.ga, 1 +broadleft.org, 1 +broadsheet.com.au, 1 +broadstreetalerts.com, 1 +broadwayfamilydentalpc.com, 1 +broadwaytravel.com, 1 +broadwayva.gov, 1 +broadwayvets.co.uk, 1 +broansunited.tk, 1 +broca.dk, 1 +broca.io, 0 +brock.guide, 1 +brockenhurstguide.com, 1 +brockenhurstonline.com, 1 +brockwayministorage.com, 1 +brockwaytwpmn.gov, 1 +brocos.io, 1 +brodahose.com.au, 0 +brodowski.cc, 1 +brody.digital, 1 +brody.ninja, 1 +broe.ie, 1 +broedersvanliefde.be, 1 +broemp.de, 1 +broerbv.nl, 0 +broerendasbouwbedrijf.nl, 1 +broersma.com, 1 +broerweb.nl, 1 +broeselei.at, 0 +broilertrade.com, 1 +brojagraphics.de, 1 +broke.network, 1 +brokeinkorea.tk, 1 +brokenbiz-news.tk, 1 +brokenbowokpd.gov, 1 +brokencityllc.ga, 1 +brokendollsmuseum.com, 1 +brokenhands.io, 1 +brokenminds.tk, 1 +brokenneckgang.com, 1 +brokenrevolution.com, 1 +brokenships.com, 1 +brokensword.tk, 1 +brokentoaster.tk, 1 +broker.id, 1 +broker.vn, 1 +broker4u.com, 1 +brokerdecredite.ro, 1 +brokerlink.ca, 1 +brokernews.com.au, 1 +brokernotes.co, 1 +brokerpro.com, 1 +brokerstalk.com, 1 +brokeryouers.ga, 1 +brokeryouest.ga, 1 +brokfolio.com, 1 +brokgency.com, 1 +brollopsfotografkalmar.com, 1 +brols.eu, 1 +bromfietsman.tk, 1 +bromideas.ga, 1 +bromo.com, 1 +bromonetwork.com, 1 +brompton-cocktail.com, 1 +bronco-atodogalope.tk, 1 +bronevichok.ru, 1 +brontech.com, 1 +bronwynlewis.com, 1 +bronx-ny-dentist.com, 1 +bronya.moe, 1 +broochwithme.com, 1 +broodbesteld.nl, 1 +broodingblogger.com, 1 +brookecountywv.gov, 1 +brookfordnc.gov, 1 +brookframework.org, 1 +brooklakeevents.com, 1 +brooklinenh.gov, 1 +brooklynboyblues.cf, 1 +brooklynboyblues.ga, 1 +brooklynboyblues.ml, 1 +brooklyncentermn.gov, 1 +brooklyndecker.tk, 1 +brooklynentdoc.com, 1 +brooklynparkmn.gov, 1 +brooklynrealestateblog.com, 1 +brooklyntheborough.com, 1 +brooklyntownwashburnwi.gov, 1 +brooklynveinandvascular.com, 1 +brookscountyga.gov, 1 +brookshirebrothers.com, 1 +brooksideas.ga, 1 +brookskolb.com, 1 +brooksrents.com, 1 +brookstonelc.com, 1 +brookstowingoregon.com, 1 +brookvillepoliceny.gov, 1 +brookz.nl, 1 +broomcastle.com, 1 +broomcastle.eu, 1 +broomcastle.net, 1 +broomcastle.org, 1 +broomcastle.social, 1 +broomecountyny.gov, 1 +broomorchard.com, 1 +brosay-legko.ml, 1 +brossman.it, 1 +brossmanit.com, 1 +brotaufstriche.com, 1 +brother.com.hk, 1 +brothersinbeetles.tk, 1 +brottsfiltret.tk, 1 +brotwurz.de, 1 +brou.com.uy, 1 +brouillard.ch, 0 +brouskat.be, 1 +brouwer-greonterp.nl, 1 +brouwerijdeblauweijsbeer.nl, 0 +brovelton.com, 0 +browardvotes.gov, 1 +browfai.casa, 1 +brown-bros.ca, 1 +brownacres.nz, 1 +brownandjoseph.com, 1 +brownavto-news.tk, 1 +brownbagdinner.org, 1 +browncoil.gov, 1 +browncountyne.gov, 1 +browncountytx.gov, 1 +browndeerwi.gov, 1 +brownforces.desi, 1 +brownforces.org, 1 +brownie.plus, 1 +brownpipe.app.br, 1 +brownstownmi.gov, 1 +brownsville360.org, 1 +brownsvillewi.gov, 1 +browntiger.tk, 1 +browntowncountryclub.com, 1 +brownwolfstudio.com, 0 +brownwoodnews.cf, 1 +browsbybecca.ca, 1 +browse-china.com, 1 +browse-tutorials.com, 1 +browselog.com, 1 +browsemycity.com, 1 +browser.style, 1 +browserleaks.com, 1 +brpmanuals.com, 1 +brq.com, 1 +brr.fyi, 1 +brrr.fr, 1 +brsvcs.in, 1 +brtve.tk, 1 +bru6.de, 1 +brubaker.ac, 1 +brubaker.cc, 1 +brubakerairconditioningrepair.com, 1 +brubankv1-staging.azurewebsites.net, 1 +bruce-springsteen.tk, 1 +brucebenes.com, 1 +bruceleeitems.com, 1 +brucemillerauto.com, 1 +brucemines.ca, 1 +bruckner.li, 1 +brudevelopments.ca, 1 +brudkista.nu, 1 +brudkista.se, 1 +brudkistan.nu, 1 +brudkistan.se, 1 +brueche-rechner.de, 1 +bruechner.net, 1 +brueggers.com, 1 +brueggi.tk, 1 +brueser-gmbh.de, 1 +brugerklub.info, 1 +brugia.com, 1 +brugpensioen.tk, 1 +bruh.ltd, 1 +bruhcontent.ru, 1 +bruidstaarten.tk, 1 +bruitparif.fr, 1 +bruk2fa.no, 1 +brukalai.lt, 1 +brulewi.gov, 1 +brun-despagne.com, 1 +brun.rocks, 1 +bruna-cdn.nl, 1 +brunamarquezine.tk, 1 +brunanet.tk, 1 +brunchandmatch.be, 1 +bruneaufamily.digital, 1 +brunella.tk, 1 +brunetderochebrune.com, 0 +brunettipesco.com, 1 +brunhild.com, 1 +brunhilde.ml, 1 +brunner.ninja, 1 +bruno-pelletier.tk, 1 +brunoamaral.eu, 1 +brunobattaglia.tk, 1 +brunobeauvoir.com, 1 +brunocesarlima.com.br, 1 +brunodomingos.com, 1 +brunofontes.net, 1 +brunohenc.from.hr, 1 +brunolt.nl, 1 +brunoperetti.com.br, 1 +brunoramos.com, 0 +brunoreno.be, 1 +brunoriguzzi.io, 1 +brunorogerioadvocacia.com.br, 1 +brunosampaioblog.com, 1 +brunroom.tk, 1 +brunswick.com, 0 +brunswickcove.com, 1 +brunswickncsheriff.gov, 1 +brush.ninja, 1 +brushcreekyachts.com, 1 +brushscene.de, 1 +brushyourideas.com, 1 +brusselsairlines.com, 1 +brusselsbe.tk, 1 +brusselsexpolive.ga, 1 +brusselsexpoloft.ga, 1 +brusselsexpostudio.ga, 1 +brusselslouisepenthouse.ga, 1 +brusselslouisestudio.ga, 1 +brusselsmidiapartment.ga, 1 +brusselsmidistudio.ga, 1 +brusselspackagesers.ga, 1 +brusselspackagesest.ga, 1 +brusselswestapartment.ga, 1 +brust-zentrum.ch, 1 +brutal.systems, 1 +brutalica.tk, 1 +brutality.cf, 1 +brutdecom.fr, 1 +brutecloud.com, 1 +brutosanetos.com, 1 +brutosshopping.com, 1 +brutus2.ga, 0 +bruun.co, 1 +bruxserv.net, 1 +bruyerre.eu, 1 +brw-shop.by, 1 +brweb.tk, 1 +brwebsolutions.tk, 1 +brwn.loan, 1 +brws.to, 1 +bryanarmijomd.com, 1 +bryancastillo.site, 1 +bryancountyga.gov, 1 +bryandesrosiers.com, 1 +bryandrakedrivingschool.co.nz, 1 +bryandunnewald.com, 1 +bryanfalchuk.com, 1 +bryankaplan.com, 1 +bryanley.com, 1 +bryanquigley.com, 1 +bryanski.tk, 1 +bryantluk.com, 1 +bryantx.gov, 1 +bryceml.us, 1 +bryggebladet.dk, 1 +bryte-rp.tk, 1 +brzc.st, 1 +brztec.com, 1 +bs-facilityservice.ch, 0 +bs-network.net, 1 +bs-security.com, 1 +bs.sb, 1 +bs.to, 1 +bs09.de, 1 +bs2k.me, 1 +bsa-dom.ru, 1 +bsa157.org, 1 +bsaab.se, 1 +bsaft.ml, 1 +bsale.com.au, 1 +bsalyzer.com, 1 +bsapack564.org, 1 +bsatroop1003.com, 1 +bsatroop3.com, 1 +bsatroop794.org, 1 +bsawiberg.com, 1 +bsbet365.com, 1 +bsbnet.nl, 1 +bsc-rietz.at, 1 +bsc01.dyndns.org, 1 +bscc.support, 1 +bscquimicos.com.br, 1 +bscyb.ch, 1 +bsd-box.net, 1 +bsd-sec.com, 1 +bsd-unix.org, 1 +bsd.com.ro, 1 +bsd.gay, 1 +bsdbox.de, 1 +bsdex.de, 1 +bsdfreak.dk, 0 +bsdguru.net, 1 +bsdly.net, 1 +bsdracing.ca, 1 +bsdug.org, 1 +bsdunix.xyz, 1 +bsee.gov, 1 +bserved.de, 0 +bseuc.eu, 1 +bsf-knowledgecity.com, 1 +bsg.ro, 1 +bsgamanet.ro, 1 +bsgcredit.com, 1 +bsgcredit.ro, 1 +bsgexchange.ro, 1 +bsidesf.com, 1 +bsidesf.org, 1 +bsidessf.com, 1 +bskhq.tk, 1 +bsktweetup.info, 1 +bslim-e-boutique.com, 1 +bslinguistics.co.uk, 1 +bslnow.co.uk, 1 +bsmsl.com, 1 +bsmsummit.com, 1 +bsn.cloud, 1 +bsnedu.org, 1 +bsociabl.com, 1 +bsod.me, 1 +bsolut.com, 1 +bsolut.de, 1 +bsolut.org, 1 +bsp-southpool.com, 1 +bspecialfx.nl, 1 +bsq1492.com, 1 +bsrueti.ch, 1 +bss-solutions.net, 1 +bss-systems.net, 1 +bss.com.ph, 1 +bss.net.ph, 1 +bss.solutions, 1 +bss.systems, 1 +bss01.de, 1 +bsskorcz.pl, 1 +bssolvfagen-pre-storeswa-wap.azurewebsites.net, 1 +bsstainless.com, 1 +bst-brandschutz.at, 1 +bsteele.tk, 1 +bstoked.net, 1 +bsuess.de, 1 +bsurfcr.com, 1 +bsuru.xyz, 1 +bsw-solution.de, 1 +bswears.com, 1 +bt-kc.de, 1 +bt121.com, 0 +bt123.xyz, 1 +bt3655.com, 0 +bt3657.com, 0 +bt3658.com, 0 +bt780.com, 1 +bt85.cn, 0 +bt9.cc, 0 +btarts.com.br, 1 +btbb.net, 1 +btc-alpha.com, 1 +btc-doge.ga, 1 +btc-wallet.tk, 1 +btcanalyse.com, 1 +btcarg.com.ar, 1 +btcarmory.com, 1 +btclients.tk, 1 +btcp.space, 1 +btcpop.co, 1 +btcrit.com, 1 +btcwip.com, 1 +btcx.com, 1 +btddd.com, 1 +btdirect.uk, 1 +btdproductions.tk, 1 +btea.online, 1 +btec.ae, 1 +bth.dance, 1 +bth.wtf, 1 +bticoin3king.cf, 1 +btid.tk, 1 +btine.tk, 1 +btleasing.md, 1 +btleasing.ro, 1 +btln.cloud, 1 +btln.de, 1 +btmic.ro, 1 +btnissanparts.com, 1 +btool.eu.org, 1 +btorrent.xyz, 1 +btrade.io, 1 +btrans.by, 1 +btraviswright.com, 1 +btraviswrightmps.com, 1 +btraviswrightmps.org, 1 +btrb.ml, 1 +btrfs.no, 1 +btsapem.com, 1 +btsline.co.id, 1 +btsoft.eu, 1 +btsou.org, 1 +btsource.tk, 1 +btsous.org, 1 +btsresearch.com, 1 +btssiou.xyz, 1 +btssl.com, 1 +btsybt.com, 0 +btt-39.com, 1 +btt-59.com, 1 +btt882.com, 1 +btta13.com, 1 +btta16.com, 1 +btth.live, 1 +btth.pl, 1 +bttorj45.com, 1 +bttrade.com, 1 +bturboo.com, 1 +btvw.de, 1 +btwj.com, 1 +btwsa.tk, 1 +btxchange.io, 1 +bu-e.com, 1 +buai.cf, 1 +buai.gq, 1 +buai.ml, 1 +buai.tk, 1 +buatcvonline.com, 1 +buayacorp.com, 1 +bubalova.com, 1 +bubba.cc, 1 +bubbelwafel.nl, 1 +bubblebuttpics.com, 1 +bubbleclips.com, 1 +bubbleclips.net, 1 +bubbleclips.org, 1 +bubbleclipsnetwork.com, 1 +bubblegumblog.com, 1 +bubblelist.tk, 1 +bubblemedia.com, 1 +bubblesco.tk, 1 +bubblespetspa.com, 1 +bubblin.io, 1 +bubhub.io, 1 +bubnovsky.org, 1 +bubok.com.ar, 1 +bubok.es, 1 +bubra.stream, 1 +bubsngrubs.com.au, 1 +bubty.com, 1 +bubu1.eu, 1 +bubulazi.com, 0 +bubulazy.com, 0 +bucapositano.it, 1 +bucek.cz, 1 +buch-angucken.de, 1 +buchanancountyvirginia.gov, 1 +buchananga.gov, 1 +buchanantwpmi.gov, 1 +buchangroupinc.com, 1 +bucharestbachelorparty.com, 1 +buchdata.it, 1 +buchelstore.com.br, 0 +buchhaltung-muehelos.de, 1 +buchhammer.tk, 1 +buchholz-coaching.de, 1 +buchkatalog.de, 1 +buchwegweiser.com, 1 +buck-hydro.de, 1 +buck.com, 1 +buckenmaier.xyz, 1 +bucket.tk, 1 +buckethead.tk, 1 +buckfast.tk, 1 +buckglobal.com, 1 +bucklinmo.gov, 1 +buckmans.com, 1 +buckscounty.gov, 1 +bucksfund.com, 1 +buckthorn.ml, 1 +buckypaper.com, 1 +buda.com, 1 +budapestairport.tk, 1 +budapestgraphics.hu, 1 +budapestjazzclub.hu, 1 +budapesttaxi.de, 0 +budapesttaxi.fr, 0 +budapesttaxi.nl, 0 +budapesttaxi.uk, 1 +budatx.gov, 1 +budbringerne.tk, 1 +buddhas.tk, 1 +buddhism.cf, 1 +buddhismedia.com, 1 +buddhistische-weisheiten.org, 1 +buddie5.com, 1 +buddiescomputers.com.au, 1 +buddingoptimist.com, 1 +buddlycrafts.com, 1 +buddobot.com, 1 +buddy-acceptance-authentication-frontend.azurewebsites.net, 1 +buddy-acceptance-backoffice-frontend.azurewebsites.net, 1 +buddy-acceptance-web-frontend.azurewebsites.net, 1 +buddy-development-backoffice-webapp.azurewebsites.net, 1 +buddy-development-rabodirectconnect-api.azurewebsites.net, 1 +buddy-locator.com, 1 +buddy.net, 1 +buddyme.me, 1 +budeanu.com, 1 +buderus-family.be, 1 +budget-box.com, 1 +budget-cuts.tk, 1 +budget.gouv.fr, 1 +budget.gov, 1 +budget.ie, 1 +budget.ovh, 1 +budgetfitter.com, 1 +budgetimize.com, 1 +budgetlob.gov, 1 +budgetlovers.nl, 1 +budgetrf.tk, 1 +budgow.com, 1 +budhimaan.com, 1 +budidayatani.com, 1 +budilnik.ml, 1 +budofjoy.com, 1 +budolangnau.ch, 1 +budolfs.de, 1 +budomalsch.de, 1 +budpolimer.com, 0 +budpop.com, 1 +budscope.com, 1 +budtraffic.net, 1 +budulanradu.ro, 1 +buehler.rocks, 1 +bueltge.de, 1 +buena.me, 1 +buenavistawinery.com, 1 +buenosairesconnect.com, 1 +buenosproductos.net, 1 +buentaller.com, 1 +bueny.com, 1 +bueny.net, 1 +buergerwehr-ettlingen.de, 1 +buerliag.ch, 1 +buero13-design.de, 1 +buerstaedter-zeitung.de, 1 +buesiforquo.cf, 1 +buettgens.net, 1 +buetzer.ch, 1 +bufete.tk, 1 +bufeteesquire.com, 1 +buff-buff.tk, 1 +buff360.xyz, 1 +buffalo-ny-gay-chat.com, 1 +buffaloautomation.com, 1 +buffalobakeriesers.ga, 1 +buffalobakeriesest.ga, 1 +buffalobill.idv.tw, 1 +buffalocountywi.gov, 1 +buffalodrycleanerers.ga, 1 +buffalodrycleanerest.ga, 1 +buffalogaptx.gov, 1 +buffalohomerepairs.com, 1 +buffalojewishfederation.org, 1 +buffalonews.com, 1 +buffaloskillgames.com, 1 +buffaloturf.com.au, 0 +buffandtan.com, 1 +buffbarbell.com, 1 +buffetbouc.com, 1 +buffl.co, 1 +buffup.media, 1 +buffus.cz, 1 +bufla.net, 1 +bufo.tk, 1 +bug.blue, 1 +bug.ee, 1 +bug321.com, 1 +bugalert.org, 1 +bugbounty.ch, 1 +bugbountytip.tech, 1 +bugcrowd.com, 0 +bugfender.com, 1 +bugfuzz.com, 1 +buggiano.com, 1 +buggy777.me, 1 +buggymaven.com, 1 +buggywonderland.tk, 1 +bugprove.com, 1 +bugraseyhan.tk, 1 +bugrayildiz.av.tr, 1 +bugreader.com, 1 +bugs.chromium.org, 1 +bugwie.com, 1 +bugzilla.mozilla.org, 1 +buharkeyf1.com, 1 +buharlikoltukyikama.com.tr, 1 +buharlikoltukyikama.org, 1 +buhayprincipal.com, 1 +buhsantoandre.vip, 1 +buhunov.tk, 1 +buicha.social, 1 +buick1958.tk, 1 +build-marrakech.org, 1 +build-up.tk, 1 +build.chromium.org, 1 +build.gov, 1 +buildbackbetter.gov, 1 +buildbytes.com, 1 +buildconcierge.ga, 1 +buildcor.com.au, 1 +builddesygner.xyz, 1 +buildersdiscount.net, 1 +buildersofthesilentcities.tk, 1 +buildfood.com, 1 +buildgp.com, 1 +buildherers.ga, 1 +buildherest.ga, 1 +building-cost-estimators.com, 1 +building-materials.tk, 1 +buildingbitcoin.org, 1 +buildingchemistry.tk, 1 +buildingcleaningchicago.com, 1 +buildingcostestimators.co.uk, 1 +buildingdesign.tk, 1 +buildinginspectionmandurah.ga, 1 +buildingmaterials.tk, 1 +buildingpassport.com, 1 +buildingpoint.pt, 1 +buildingpointne.com, 1 +buildingprojectsswanseama.gov, 1 +buildingqueries.com, 1 +buildingresiliency.org, 1 +buildkite.com, 1 +buildmate.ml, 1 +buildmorebuslanes.com, 1 +buildnews.tk, 1 +buildplease.com, 1 +builds.gg, 1 +buildstaging.com, 1 +buildwealth.uk, 1 +buileo.com, 1 +builterra2.azurewebsites.net, 1 +builtin.com, 1 +builtinaustin.com, 1 +builtinboston.com, 1 +builtinchicago.org, 1 +builtincolorado.com, 1 +builtingym.com, 1 +builtinla.com, 1 +builtinnyc.com, 1 +builtinseattle.com, 1 +builtinsf.com, 1 +builtinvacuum.com, 1 +builtory.my, 1 +builttosell.com, 1 +builtvisible.com, 1 +builtwith.com, 1 +buissonchardin.fr, 1 +buitenposter.nl, 1 +buitex.lt, 1 +buitrong.net, 1 +buka.jp, 1 +buketnevesti.cf, 1 +bukiko.net, 1 +bukinist.tk, 1 +bukiskola.hu, 1 +bukkenfan.jp, 1 +bukn.uk, 1 +bukowski.se, 1 +bukowski.tk, 1 +bukpcszerviz.hu, 1 +buksu.edu.ph, 1 +bukularis.ga, 1 +bul3seas.eu, 1 +bulabanews.com.ng, 1 +bulario.com, 1 +bulario.net, 1 +bularmas.com, 1 +bulatlat.com, 1 +bulatlat.org, 1 +bulavki.tk, 1 +bulba.download, 1 +bulbagram.ml, 1 +bulbcompare.com, 1 +bulbidea.com, 1 +bulbonidos.tk, 1 +bulbuly.tk, 1 +buldogueingles.com.br, 1 +bulentcirakli.tk, 1 +bulevard-residence.com, 1 +bulgakov.ga, 1 +bulgakov.ml, 1 +bulgakov.tk, 1 +bulgariablog.tk, 1 +bulgarianhouse.tk, 1 +bulgarianmale.com, 1 +bulgarianproperties.com, 1 +bulgariya.cf, 1 +bulhost.com, 1 +bulindir.tk, 1 +bulkowespacerkowo.nl, 1 +bull.id.au, 0 +bulldog-buss.tk, 1 +bulldog-hosting.de, 0 +bulldogdriveways.com, 1 +bulldogfrances.tk, 1 +bulldogkennel.tk, 1 +bulldogmarketinggroup.com, 1 +bulldogs-sipoo.tk, 1 +bulledair-savons.ch, 0 +bulledart.ga, 1 +bullesdeculture.com, 1 +bullesdelaube.com, 1 +bulletbabu.com, 0 +bulletfrog.tk, 1 +bulletpoint.cz, 1 +bullettags.com, 1 +bullfitta.tk, 1 +bullfrogpooltilecleaning.com, 1 +bulli.tk, 1 +bullionexus.com, 1 +bullish.com, 1 +bullmarketing.nl, 1 +bullockcountyal.gov, 1 +bullpendaily.com, 1 +bullseyecleaning.com.au, 1 +bullshithost.nl, 1 +bullshitmail.nl, 1 +bullterrierspain.tk, 1 +bullvalleyil.gov, 1 +bullyprotection.ml, 1 +bulmanat.tk, 1 +bulmastife.com.br, 1 +bultdatabasen.se, 1 +bulten.com, 1 +bultink.tk, 1 +bulutkey.com, 1 +bulvar.tk, 1 +bumble.com, 1 +bumblebee.cf, 1 +bumblebee.co.za, 1 +bumblebeekids.uk, 1 +bumenn.is, 1 +bumirc.tk, 1 +bummelwelt.ch, 1 +bummelwelt.com, 1 +bummelwelt.de, 1 +bumpi.gq, 1 +bumsbesuch.com, 1 +bumsbuero.com, 1 +bumsbus.com, 1 +bunadarbankinn.is, 1 +bunaken.tk, 1 +bunbun.be, 1 +bunburydad.tk, 1 +bunchful.com, 1 +buncombecounty.org, 1 +buncranacarndonaghgreenway.ie, 1 +bundesamtsozialesicherung.de, 1 +bundesanzeieger.com, 1 +bundespolizei-forum.de, 1 +bundesrepublikneu.land, 1 +bundesverband-krisenintervention.de, 1 +bundesverbandkrisenintervention.de, 1 +bundesvvehr.de, 1 +bundle.tools, 1 +bundlejs.com, 1 +bune.city, 1 +bungalowseljardin.com, 0 +bungeeireland.tk, 1 +bungotai.ga, 1 +buniq.com.br, 1 +bunix.de, 0 +bunker307.tk, 1 +bunkerhilltx.gov, 1 +bunkyo-life.com, 1 +bunlarateist.space, 1 +bunny-rabbits.com, 1 +bunny.tk, 1 +bunnybloythost.com, 1 +bunnycarenotes.com, 1 +bunnydiamond.de, 1 +bunnymaxim.com, 1 +bunnymud.com, 1 +bunnyvishal.com, 1 +bunnyworld.xyz, 1 +bunq.love, 1 +buns.cc, 1 +bunsnbagels.com, 1 +bunto-import.tk, 1 +buongiornolatina.it, 1 +buonventosbt.eu, 1 +bupa.com.au, 1 +bupamedical.com.au, 1 +bupamedicalvisaservices.com.au, 1 +bupamvs.com.au, 1 +buphachat.com, 1 +bupropion.com, 1 +bupropionhclsr.ga, 1 +buqi.cc, 1 +buquesdeguerra.tk, 1 +buraksercanercin.co, 1 +burakuckun.com, 1 +burakurer.com, 1 +buralteria.tk, 1 +burasicanakkale.com, 1 +buratino.tk, 1 +buratiya.tk, 1 +burb.social, 1 +burbaguena.tk, 1 +burbankdental.com, 1 +burberry-outlet.cf, 1 +burberry-outlets.ca, 1 +burcevo.info, 1 +burchfabrics.com, 0 +burdurhaber.tk, 1 +burdursondakika.tk, 1 +bureau-store.fr, 1 +bureaubolster.nl, 0 +bureaubraam.nl, 0 +bureaudirectoryers.ga, 1 +bureaunouveau.eu, 1 +bureauzelfstandigenfryslan.nl, 1 +burenservice.nl, 1 +burenvoorburen.gent, 1 +burevestnik.tk, 1 +burewala.com, 1 +burewala.tk, 1 +burewalanews.tk, 1 +burg-esslingen.de, 1 +burg-hohnstein.com, 0 +burg-hohnstein.info, 0 +burgas.bg, 1 +burgawnc.gov, 1 +burger.eu.org, 1 +burger.fitness, 1 +burgerbudget.gent, 1 +burgerking.eu.org, 1 +burgernet.nl, 0 +burgers.io, 1 +burgesspetcare.com, 1 +burghardt-neumann.de, 1 +burghardt.pl, 1 +burghtstam.tk, 1 +burgoslacrosse.tk, 1 +burguesinhas.com.br, 1 +burhan-autosattlerei.de, 1 +burhanionlinestore.com, 1 +buricloud.fr, 1 +burienergy.com, 1 +burina.net, 1 +buriramradio.com, 1 +burke.services, 1 +burkebarclaylawoffice.com, 1 +burkhardt.at, 0 +burkitech.com, 1 +burkoff.tk, 1 +burkow.ru, 1 +burlaka.net, 1 +burlapsac.ca, 1 +burlesonconstructioninc.com, 1 +burlesontx.gov, 1 +burling.cz, 1 +burma-we-care.tk, 1 +burmalin.ml, 1 +burmania.tk, 1 +burmeister-gmbh.de, 1 +burmesecatscare.com, 1 +burmesepythonpet.com, 1 +burncorp.org, 1 +burndyt3.com, 1 +burnedyouers.ga, 1 +burnedyouest.ga, 1 +burner.gay, 1 +burnerfitness.com, 1 +burnettcountywi.gov, 1 +burnimage.co.uk, 1 +burning-team.tk, 1 +burning-wheels.tk, 1 +burningbase.com, 0 +burningbooks.org, 1 +burningducks.com, 1 +burningflame.tk, 1 +burningflipside.com, 0 +burningseries.co, 1 +burningseries.cx, 1 +burningseries.sx, 1 +burnit.tk, 1 +burnsland.com, 1 +burntfish.com, 1 +burnus.net, 1 +burnworks.com, 0 +buro86.be, 1 +buronducouderc.fr, 1 +buronewsmobilya.com, 1 +buronwater.com, 1 +buroviz.nl, 1 +burr.is, 1 +burree.xyz, 1 +burreli.tk, 1 +burritosalsa.com, 1 +burritosband.tk, 1 +burroughsid.com, 1 +bursamusik.tk, 1 +bursapartner.tk, 1 +burstequity.com, 1 +burstequity.net, 1 +burstequity.org, 1 +burstsocial.com, 1 +burstsocial.net, 1 +burstsocial.org, 1 +burtai.com, 1 +burtcheboyganmi.gov, 1 +burtcountyne.gov, 1 +burtrum.family, 1 +burtrum.me, 1 +burtrum.name, 1 +burtrum.org, 1 +burtsbees.ca, 1 +burttownshipcheboyganmi.gov, 1 +burunucu.ga, 1 +buryat-mongol.cf, 1 +buryatia.tk, 1 +burybox.co.uk, 1 +burz.eu.com, 1 +burz.net, 1 +burz.one, 1 +burz.ro, 1 +burzcast.com, 1 +burzcast.media, 1 +burzgroup.com, 1 +burzmali.com, 1 +burzmedia.ro, 1 +burzstudios.com, 1 +burzum.ch, 1 +bus-hit.me, 1 +bus2talent.eu, 1 +busanhs.bid, 1 +buscaaviena.com, 1 +buscacpf.se, 1 +buscaebooks.tk, 1 +buscagenealogia.tk, 1 +buscahost.com, 1 +buscalotodo.com, 1 +buscandolosmejores.com, 1 +buscatea.com, 1 +buscatodo.tk, 1 +buschavdar.tk, 1 +buscolu.tk, 1 +buselefante.tk, 1 +buserror.cn, 1 +buses.co.uk, 1 +busesurbanoschile.tk, 1 +busflag.tk, 1 +bush41library.gov, 1 +bushbaby.com, 1 +bushbeats.com, 1 +bushcraftfriends.com, 1 +bushfirerecovery.gov.au, 1 +bushingsandbars.com, 1 +bushland.tk, 1 +busindre.com, 1 +business-creators.ru, 1 +business-events.org.uk, 1 +business-explosion-fortune.tk, 1 +business-garden.com, 1 +business-institute.sk, 1 +business-network.or.jp, 1 +business-secreti.cf, 1 +business-secreti.ga, 1 +business-secreti.gq, 1 +business-secreti.tk, 1 +business-swiss.ch, 0 +business.facebook.com, 0 +business.gov, 0 +business.medbank.com.mt, 1 +business.vic.gov.au, 1 +business4all.gr, 1 +business4beginners.co.uk, 1 +business808.com, 1 +businessactivities.tk, 1 +businessadaptive.ga, 1 +businessadvance.tk, 1 +businessafter.ga, 1 +businessamongus.com, 1 +businessanalyst.ml, 1 +businessarrow.ga, 1 +businessbad.ga, 1 +businessbasecamp.eu, 1 +businessbetter.tk, 1 +businessblod.ga, 1 +businessbody.ga, 1 +businessbrite.ga, 1 +businessbrowse.ga, 1 +businessbuller.ga, 1 +businessbunny.ga, 1 +businesscards4free.tk, 1 +businesscaster.ga, 1 +businesscellar.ga, 1 +businesscharm.ga, 1 +businesscharts.ga, 1 +businesscircus.ga, 1 +businesscisco.tk, 1 +businesscloud.co.uk, 1 +businesscollect.ga, 1 +businesscollections.ga, 1 +businesscolor.ga, 1 +businesscommission.ga, 1 +businessconnect.ml, 1 +businesscorp.tk, 1 +businesscorporation.ga, 1 +businesscourier.ga, 1 +businesscrafter.ga, 1 +businesscupcake.ga, 1 +businesscupid.ga, 1 +businesscurious.ga, 1 +businesscutter.com, 1 +businessdelta.ga, 1 +businessdevelopmentagency.tk, 1 +businessdevelopmentarea.tk, 1 +businessdevelopmentasia.tk, 1 +businessdevelopmentinfo.tk, 1 +businessdevelopmentnews.tk, 1 +businessdevelopmentsystem.tk, 1 +businessdirect.ml, 1 +businessdodge.ga, 1 +businessdollar.ga, 1 +businessdollars.ga, 1 +businessdragon.ga, 1 +businessdrive.biz, 1 +businessduck.ga, 1 +businesseagle.ga, 1 +businesseastside.ga, 1 +businessecho.ga, 1 +businesselectra.ga, 1 +businessenterpriseteam.com, 1 +businessepic.ga, 1 +businessethics.ml, 1 +businessetmarketing.com, 1 +businessexcel.ga, 1 +businessfactors.de, 1 +businessfalcon.ga, 1 +businessfame.ga, 1 +businessfeature.ga, 1 +businessfeedback.ga, 1 +businessfiesta.ga, 1 +businessfighter.ga, 1 +businessflag.ga, 1 +businessfleet.ga, 1 +businessflower.ga, 1 +businessfurs.info, 1 +businessgang.ga, 1 +businessgoddess.ga, 1 +businessgold.no, 1 +businessgrace.ga, 1 +businessgroove.ga, 1 +businessgrowth.ga, 1 +businessgrowthleaders.com, 1 +businessguide.co.ke, 1 +businessgun.ga, 1 +businesshandsome.ga, 1 +businesshome.ml, 1 +businesshosting.nl, 0 +businesshotrod.ga, 1 +businesshub.cz, 0 +businessideaarea.tk, 1 +businessideaasia.tk, 1 +businessideacompany.tk, 1 +businessideadevelopment.tk, 1 +businessideainfo.tk, 1 +businessideainfonews.tk, 1 +businessideainsurancenews.tk, 1 +businessideal.tk, 1 +businessimmigration-eu.com, 1 +businessimmigration-eu.ru, 1 +businessinaustin.ga, 1 +businessinboston.ga, 1 +businessinchicago.ga, 1 +businessinchicago.tk, 1 +businessincolumbus.ga, 1 +businessincolumbus.tk, 1 +businessindallas.ga, 1 +businessindallas.tk, 1 +businessindenver.ga, 1 +businessindenver.tk, 1 +businessindetroit.ga, 1 +businessindetroit.tk, 1 +businessindia.tk, 1 +businessinelpaso.ga, 1 +businessinelpaso.tk, 1 +businessinfonews.tk, 1 +businessinfortworth.ga, 1 +businessinfortworth.tk, 1 +businessinhouston.ga, 1 +businessinindianapolis.ga, 1 +businessinjacksonville.ga, 1 +businessinjacksonville.tk, 1 +businessinlosangeles.tk, 1 +businessinmemphis.ga, 1 +businessinmemphis.tk, 1 +businessinnashville.ga, 1 +businessinnashville.tk, 1 +businessinnewyork.ga, 1 +businessinphiladelphia.ga, 1 +businessinphoenix.ga, 1 +businessinsanantonio.ga, 1 +businessinsandiego.ga, 1 +businessinsandiego.tk, 1 +businessinsanfrancisco.ga, 1 +businessinsanfrancisco.tk, 1 +businessinsanjose.ga, 1 +businessinseattle.ga, 1 +businessinside.ml, 1 +businessinsurancemanagement.tk, 1 +businessinvest.cf, 1 +businessinvestment.tk, 1 +businessinwashington.ga, 1 +businessk.ml, 1 +businesskanada.tk, 1 +businesskayak.ga, 1 +businesskiss.ga, 1 +businessknight.ga, 1 +businesslabs.space, 1 +businesslead.tk, 1 +businessleadsworld.com, 1 +businesslegacy.ga, 1 +businessless.ga, 1 +businesslion.ga, 1 +businesslite.pl, 1 +businessloanconnection.org, 0 +businessloco.ga, 1 +businesslondon.tk, 1 +businesslowprice.ga, 1 +businessmarks.ga, 1 +businessmetric.ga, 1 +businessmind.ml, 1 +businessmystical.ga, 1 +businessnames.ga, 1 +businessnations.ga, 1 +businessnatural.ga, 1 +businessnet.cf, 1 +businessnetworks.tk, 1 +businessnews-nigeria.com, 1 +businessnewsera.tk, 1 +businessnight.ga, 1 +businessoftheday.ga, 1 +businessomatic.ga, 1 +businessomega.ga, 1 +businessoneday.ga, 1 +businessones.tk, 1 +businessopedia.ga, 1 +businessopplis.ga, 1 +businessother.ga, 1 +businessouter.ga, 1 +businessparis.tk, 1 +businesspart.ga, 1 +businesspartner.tk, 1 +businesspassport.ga, 1 +businesspatch.ga, 1 +businesspeace.ga, 1 +businesspearl.ga, 1 +businesspersonal.ga, 1 +businessphase.ga, 1 +businesspicker.ga, 1 +businesspipe.ga, 1 +businessplanidea.tk, 1 +businessplus.ie, 1 +businessportal.tk, 1 +businesspremium.ga, 1 +businesspride.ga, 1 +businesspure.ga, 1 +businessquality.ml, 1 +businessrainforest.ga, 1 +businessraven.ga, 1 +businessreborn.tk, 1 +businessremarkable.ga, 1 +businessreps.ga, 1 +businessrequest.ga, 1 +businessrex.ga, 1 +businessrhino.ga, 1 +businessroll.ga, 1 +businessrunners.ga, 1 +businesssalzburg.tk, 1 +businessscaler.co.uk, 1 +businessscapes.ga, 1 +businesssend.ga, 1 +businessshoot.ga, 1 +businessslide.ga, 1 +businesssonic.ga, 1 +businesssouthbeach.ga, 1 +businesssparkle.ga, 1 +businessspicy.ga, 1 +businesssplash.ga, 1 +businessstamp.ga, 1 +businessstudent.com, 1 +businesssupportbywilma.nl, 1 +businesssurreal.ga, 1 +businesstalking.tk, 1 +businesstexas.tk, 1 +businessthunder.ga, 1 +businesstimes.ga, 1 +businesstool.no, 1 +businesstravelmelbourne.ga, 1 +businesstrip.ml, 1 +businessunder.ga, 1 +businessup.tk, 1 +businessuprise.com, 1 +businessusa.gov, 1 +businessusa.tk, 1 +businessvalue.com, 1 +businessvisual.ga, 1 +businesswaterfront.ga, 1 +businesswebadmin.com, 1 +businesswish.ga, 1 +businessworth.ga, 1 +businessx.in, 1 +businesszachod.pl, 1 +businka.tk, 1 +busit.be, 1 +busiteyiengelle.com, 1 +buskompass.de, 1 +busmaster.com.ua, 1 +busned.tk, 1 +busnews.tk, 1 +buspark.com, 1 +buspark.cz, 1 +buspatrol.com, 1 +busphotos.tk, 1 +busqnet.com, 1 +bussi.at, 1 +bussinesconsulting.tk, 1 +bussinesinsurance.tk, 1 +bussinesman.tk, 1 +bussinesnews.tk, 1 +bussinessofware.tk, 1 +bussinessupport.tk, 1 +busstation.tk, 1 +bustany.org, 1 +bustaura.lt, 1 +bustepaga.it, 1 +buster.me.uk, 1 +bustickets.ph, 1 +bustillodeloro.tk, 1 +bustimes.org, 1 +bustmold.com, 1 +bustmovesest.ga, 1 +busty-milf.net, 1 +bustyarchive.com, 1 +bustymilftube.com, 1 +bustypassion.com, 1 +bustypics.com, 1 +bustyrack.com, 1 +busuan.com, 1 +busuttil.org.uk, 1 +buswiki.ml, 1 +busybee.nl, 1 +busyon.cloud, 1 +but-it-actually.work, 1 +but-its-not-your.business, 1 +butarque.es, 1 +butcherboymarket.com, 1 +butcherpaxtattoo.com, 1 +butenhofbomster.com, 1 +buter-petersen.dk, 1 +butfirstkoffee.in, 1 +butik-mechty.tk, 1 +butikk-nesoddkatten.no, 1 +butikvip.ru, 1 +butl.nl, 1 +butlaroo.com, 1 +butlercountyne.gov, 1 +butlerdisposal.com, 1 +butlerfm.dk, 1 +butlins.com, 1 +butongshidai.com, 1 +butorkatalog.hu, 1 +butorvasarlas.hu, 1 +butowka.tk, 1 +butsa.tk, 1 +butserdocumentary.tk, 1 +butt.repair, 0 +buttedesmortssd1wi.gov, 1 +butter.horse, 1 +butter.ml, 1 +butterhost.ga, 1 +buttermilk.cf, 1 +butternutbox.com, 1 +buttertea.shop, 1 +buttertrick.com, 1 +buttgun-tattoo.de, 1 +buttonizer.pro, 1 +buttonline.ch, 1 +buttonsmashers.tk, 1 +butts-are.cool, 1 +butttexters.ga, 1 +butunoyunlar.net, 1 +butyric.com, 1 +butz.cloud, 1 +butzies.ddnss.org, 1 +buumibar.fi, 1 +buurtbusboskoop.nl, 1 +buurtgenotencollectief.nl, 1 +buurtkeukens.nl, 1 +buurtpreventiefraneker.nl, 1 +buurtschapdemarkt.tk, 1 +buvik.gov.in, 1 +buviva.com, 1 +buvocastings.nl, 1 +buxru.tk, 1 +buxum-communication.ch, 0 +buy-aleve.gq, 1 +buy-amitriptyline.tk, 1 +buy-amoxil.ml, 1 +buy-an-essay.gq, 1 +buy-apartment.tk, 1 +buy-avodart.ga, 1 +buy-camera-cases.ga, 1 +buy-cozaar.tk, 1 +buy-decadron.tk, 1 +buy-deltasone.tk, 1 +buy-essay-online.ga, 1 +buy-express-vpn.asia, 1 +buy-human-hair-extension.tk, 1 +buy-indocin.cf, 1 +buy-invertor.shop, 1 +buy-jeansbiz.tk, 1 +buy-lasix-without-a-doctor-s-prescription.ga, 1 +buy-lingerie.tk, 1 +buy-lipitor.tk, 1 +buy-prednisolone.ga, 1 +buy-premarin.ml, 1 +buy-robaxin.gq, 1 +buy-rumalaya.gq, 1 +buy-seroquel.tk, 1 +buy-skelaxin.ml, 1 +buy-stuffed-toys.tk, 1 +buy-terramycin.gq, 1 +buy-topamax.tk, 1 +buy-zimulti.ga, 1 +buy-zofran.ga, 1 +buyaccessible.gov, 1 +buyaccutane.gq, 1 +buyacompliaonline.ga, 1 +buyalbendazole.cf, 1 +buyalbuterolonline.ga, 1 +buyallopurinol.tk, 1 +buyamerican.gov, 1 +buyamoxicillin875mg.tk, 1 +buyamoxil.ml, 1 +buyantabuse.gq, 1 +buyasheep.tw, 1 +buyatarax.gq, 1 +buyazithromycin.gq, 1 +buybaclofen.ga, 1 +buybitmain.com, 1 +buybuspar.ga, 1 +buybutton.store, 1 +buycafergot.ml, 1 +buycbd.store, 1 +buycheapandlow.tk, 1 +buychristmastoys.com, 1 +buycialissmx.tk, 1 +buycitalopram.ga, 1 +buyclaritin.ml, 1 +buycook.shop, 1 +buycostarica.tk, 1 +buycultureboxesers.ga, 1 +buydataonline.tk, 1 +buydeltasone.ga, 1 +buydeltasone.ml, 1 +buydiamox.cf, 1 +buydiflucan.ga, 1 +buydiflucan.ml, 1 +buydissertations.com, 1 +buyeba.xyz, 1 +buyebooks.tk, 1 +buyeffexor.tk, 1 +buyer.pro, 1 +buyessay.org, 1 +buyessays.net, 1 +buyessayscheap.com, 1 +buyfluoxetineonline.gq, 1 +buyharpoon.com, 1 +buyhydrochlorothiazide.ml, 1 +buyingstatus.com, 1 +buyingtvsers.ga, 1 +buyingtvsest.ga, 1 +buyiptv.tech, 1 +buyitmalta.online, 1 +buyjewel.shop, 1 +buylasix.ml, 1 +buylevaquin.tk, 1 +buymetforminonline.tk, 1 +buymobic.ml, 1 +buymyvoip.com, 1 +buynairobi.com, 1 +buyneurontin.ml, 1 +buyonmov.online, 1 +buyornot.tk, 1 +buyorsellcampers.com, 1 +buypal.com.pe, 1 +buypapercheap.net, 1 +buypersonalproxy.com, 1 +buyplore.com, 1 +buyplussize.shop, 1 +buyprednisolone24h.ml, 1 +buyprednisoloneonline.ga, 1 +buyprilosec.tk, 1 +buyprofessional.shop, 1 +buyproiptv.store, 1 +buypropecia.cf, 1 +buyproperty.az, 1 +buyproscaronlinecanada.ga, 1 +buyprovera.tk, 1 +buyprozac.cf, 1 +buypurenature.ga, 1 +buyr.com, 1 +buyretinamicro.cf, 1 +buyrimonabant.cf, 1 +buyrogaine.ga, 1 +buyru.net, 1 +buyselldonothing.com, 1 +buyshine.com, 1 +buyshoe.org, 1 +buysildenafil.ml, 1 +buystromectol.cf, 1 +buystromectol.ml, 1 +buysuisse.shop, 1 +buytermpaper.com, 1 +buytetracycline.cf, 1 +buytramadol.ga, 1 +buytramadol.ml, 1 +buyucoin.com, 1 +buyusa.gov, 1 +buyventolin.cf, 1 +buyventolininhaler.ga, 1 +buywellbutrinonline.gq, 1 +buywifi.tk, 1 +buywood.shop, 1 +buyzithromax.ga, 1 +buyzithromaxonline.ml, 1 +buyzofranonline.tk, 1 +buyzoloft.cf, 1 +buziaczki.pl, 1 +buzinessmarket.ml, 1 +buzko.pl, 1 +buzt.cn, 0 +buzzage.fr, 1 +buzzard.org, 1 +buzzclub.com.br, 1 +buzzconcert.com, 1 +buzzcontent.com, 1 +buzzeditora.com.br, 1 +buzzenginegroup.com, 1 +buzzfeast.com, 1 +buzzhub.tk, 1 +buzzman.ga, 1 +buzzpost.tk, 1 +buzzprint.it, 1 +buzzsmithmusic.com, 1 +buzzspace.net, 1 +buzztalk.tk, 1 +buzzthemuddypyrador.com, 1 +buzztrending.tk, 1 +buzzword24.de, 1 +buzzworld.tk, 1 +buzzworthy.biz, 1 +buzzybites.com, 1 +bv-driver.tk, 1 +bv-ferreiradozezere.pt, 1 +bvb.moe, 0 +bvblaboratory.hu, 1 +bvbmedia.nl, 1 +bvdp-saturn-prod.appspot.com, 1 +bvexplained.co.uk, 1 +bvfz.pt, 1 +bvgg.eu, 1 +bvgt.org, 1 +bvionline.eu, 1 +bviphotovideo.com, 1 +bvlos.com.pl, 1 +bvlp.com, 1 +bvng.nl, 1 +bvonesource.com, 1 +bvop.org, 1 +bvr-nsn.gov, 1 +bvrd.com.do, 1 +bvrlodge.com, 1 +bvrlodge.ro, 1 +bvrpd-pa.gov, 1 +bvv-europe.eu, 1 +bvwphotography.com, 1 +bw.codes, 1 +bwa.wroc.pl, 1 +bwanglab.com, 1 +bwashing.tk, 1 +bwasoimoveis.net, 1 +bwcscorecard.org, 1 +bweston.ga, 1 +bwf11.com, 1 +bwf55.com, 1 +bwf6.com, 0 +bwf77.com, 1 +bwf99.com, 1 +bwfc.nl, 1 +bwgjms.com, 1 +bwgjms.net, 1 +bwgjms.org, 1 +bwh1.net, 0 +bwhbwh.net, 1 +bwigroup.com.au, 1 +bwilkinson.co.uk, 1 +bwin18.cc, 0 +bwin2288.com, 1 +bwin369.cc, 1 +bwin58.cc, 1 +bwinvestments.com.au, 1 +bwired.ca, 1 +bwl-earth.club, 1 +bwmcnc.com, 1 +bwmlaser.com, 1 +bwmovies.tk, 1 +bws16.de, 1 +bwsolar.com.au, 1 +bx-n.de, 1 +bx.ee, 1 +bx49.cc, 1 +bxctrust.com, 1 +bxdj3.com, 1 +bxin.de, 1 +bxp40.at, 1 +by-g.ch, 1 +by-pixcl.com, 1 +by-robyn.nl, 1 +by-the-sword.com, 1 +by-yesilbag.com, 1 +by.city, 1 +by.cx, 0 +by.place, 1 +by1u.com, 1 +byalexia.gr, 1 +byanabelen.com, 1 +byange.pro, 1 +byanjushka.com, 0 +byatte.com, 1 +byblog.tk, 1 +bybym.ml, 1 +bycafeonline.com, 1 +bycatch.com, 1 +bycialis.com, 1 +bycorefi.com, 1 +bydik.com, 1 +bydisk.com, 0 +bydoora.com, 1 +byedzhang.tk, 1 +byemediaers.ga, 1 +byemediaest.ga, 1 +byemedsers.ga, 1 +byeskille.no, 1 +byfare.com, 1 +byfeldt.dk, 1 +byggindrustrin.ga, 1 +byggonline.ga, 1 +bygningsregistrering.dk, 1 +bygogmiljoe.dk, 1 +bygonegames.com, 1 +bygoselink.nl, 1 +byhenryvera.com, 1 +byhoag.com, 1 +byjamesrush.com, 1 +byji.com, 1 +byjudasarrieta.tk, 1 +byjus.com, 1 +byjuschennai.com, 1 +byken.cn, 1 +byll.de, 1 +byluthier.com, 1 +bylz.me, 1 +bymike.co, 1 +bymogarna.se, 1 +bynder.com, 1 +bynono.pt, 1 +bynumlaw.net, 1 +byootify.com, 1 +bypass-link.ga, 1 +bypass.kr, 1 +bypassgfw.tk, 1 +bypetula.cz, 1 +byraje.com, 1 +byrddogpaving.com, 1 +byredo.com, 1 +byrest.com, 1 +byrko.sk, 1 +byronkg.us, 1 +byrtz.de, 1 +byrut.org, 1 +byrutor.org, 1 +bysb.net, 0 +byshep.com, 1 +byshop.tk, 1 +byskafasi.com, 1 +byst.by, 1 +bystryj-zajm.gq, 1 +bystryj-zajm.tk, 1 +byte-lab.tk, 1 +byte.nl, 1 +byte.surf, 1 +byte128.com, 0 +bytebiter.io, 1 +bytebodega.com, 1 +bytebolt.at, 1 +bytebucket.org, 1 +byteflick.org, 1 +bytelink.pro, 1 +bytema.cz, 1 +bytema.eu, 1 +bytema.re, 1 +bytema.sk, 1 +bytemethod.ca, 1 +bytemix.cloud, 1 +bytenews.org, 1 +byteofdev.com, 1 +bytepen.com, 1 +bytes.co, 1 +bytes.fyi, 1 +bytesec.net, 1 +byteshift.ca, 1 +bytesign.de, 1 +bytesizedalex.com, 1 +bytesofcode.de, 1 +bytesoftech.ml, 1 +bytespace.co.uk, 1 +bytesund.biz, 1 +byteswave.cl, 1 +bytesystems.com, 1 +bytetechy.com, 1 +bytetime.net, 0 +byteultra.com, 1 +bytexd.com, 1 +bytez.tk, 1 +bytheglass.gr, 1 +bythen.cn, 0 +bytheswordinc.com, 1 +bytrain.net, 1 +byuro.org, 1 +byw.cymru, 1 +bywencke.nl, 1 +byzhihuo.com, 1 +bzbet365.com, 1 +bzfit.ru, 1 +bzh.tf, 1 +bzhserv.ovh, 1 +bzhub.bid, 1 +bziaks.xyz, 1 +bzik.cf, 1 +bzkj.de, 1 +bzsparks.com, 0 +bztech.com.br, 1 +bztech.ru, 1 +bztraveler.com, 1 +bztraveler.net, 1 +bzv-fr.eu, 1 +c-137.me, 1 +c-14.de, 1 +c-3po.fr, 1 +c-aeroconsult.com, 1 +c-c-europeen.org, 1 +c-chaud.com, 1 +c-data.nl, 0 +c-dome.com, 1 +c-g-h.net, 1 +c-ma-copro.com, 1 +c-ovidiu.tk, 1 +c-resource.tech, 0 +c-rpg.eu, 1 +c-rtx.com, 1 +c-sagaseru.com, 1 +c-shock.org, 1 +c-solarcity.com, 1 +c-style.net, 0 +c-three.jp, 1 +c-world.co.uk, 1 +c.cc, 1 +c.im, 1 +c.lu, 1 +c.sl, 1 +c.wtf, 1 +c00ke.com, 1 +c057cl7.com, 1 +c0mplicated.tk, 1 +c0nfigurati0n.com, 0 +c0rn3j.com, 1 +c10.cz, 1 +c16t.uk, 0 +c19adoption.com, 1 +c19aspirin.com, 1 +c19bromhexine.com, 1 +c19budesonide.com, 1 +c19colchicine.com, 1 +c19curcumin.com, 1 +c19early.com, 1 +c19early.org, 1 +c19favipiravir.com, 1 +c19fluvoxamine.com, 1 +c19hcq.com, 1 +c19hcq.org, 1 +c19ic.com, 1 +c19ivermectin.com, 1 +c19ivermectin.org, 1 +c19ivm.org, 1 +c19legacy.com, 1 +c19ly.com, 1 +c19melatonin.com, 1 +c19mp.com, 1 +c19nitazoxanide.com, 1 +c19ns.com, 1 +c19probiotics.com, 1 +c19proxalutamide.com, 1 +c19pvpi.com, 1 +c19quercetin.com, 1 +c19regn.com, 1 +c19rmd.com, 1 +c19study.com, 1 +c19sv.com, 1 +c19vitaminc.com, 1 +c19vitamind.com, 1 +c19zinc.com, 1 +c1cdn.com, 1 +c21first.co.il, 1 +c2athletics.com, 1 +c2cdn.xyz, 1 +c2lab.net, 1 +c2o2.xyz, 1 +c3.io, 1 +c3.pm, 1 +c35.design, 1 +c36533.com, 1 +c3boc.com, 1 +c3hv.cn, 1 +c3sinc.com, 1 +c3soc.de, 1 +c3speak.com, 1 +c3speak.de, 1 +c3stream.de, 1 +c3vo.de, 0 +c3w.at, 1 +c3wien.at, 1 +c4164.com, 1 +c41ee55a-da20-4cff-8075-24afd0f22aac.com, 1 +c4539.com, 1 +c4b.tools, 1 +c4k3.net, 1 +c4me.online, 1 +c5197.co, 1 +c5h8no4na.net, 1 +c5y.moe, 1 +c6729.co, 1 +c6729.com, 0 +c6957.co, 1 +c7dn.com, 1 +c7n.ch, 1 +c7ra.com, 1 +c82365.com, 1 +c86255.com, 1 +c899365.com, 0 +c9297.co, 1 +c9728.co, 1 +c9n.xyz, 1 +ca-canovelles.tk, 1 +ca-els.com, 1 +ca-immobilier.fr, 1 +ca-key.de, 1 +ca-saintdie.fr, 1 +ca.gparent.org, 1 +ca.search.yahoo.com, 0 +ca3ahhet.tk, 1 +ca5.de, 1 +caa.ca, 1 +caalmn.org, 1 +caarecord.org, 1 +caasd.org, 1 +caasda.tk, 1 +caasz.com, 1 +cabaladada.org, 0 +cabale.fr, 1 +cabalistic.tk, 1 +caball.com, 1 +caballeroalba.cf, 1 +caballerosdeltablero.tk, 1 +cabanactf.com, 1 +cabaretadanowskyfan.tk, 1 +cabazon-tu.com, 1 +cabbage.software, 1 +cabcard.services, 1 +cabeceirasdebasto.pt, 0 +cabecera-descendimiento.tk, 1 +cabelgrano.tk, 1 +cabenoap.com.br, 1 +cabezadeframontanos.tk, 1 +cabezadelcaballo.tk, 1 +cabina-photobooth.ro, 1 +cabincrewcareercenter.com, 1 +cabineritten.nl, 1 +cabinet-bedin.com, 0 +cabinet-life.fr, 0 +cabinet-voyance-orca.tk, 1 +cabinetlm.com, 1 +cabinetm.com, 1 +cabinetmtc.com, 1 +cabinetoumaima.tk, 1 +cabinetselect.com, 1 +cable.ru, 1 +cableatierra.tk, 1 +cablefibreoptique.fr, 1 +cablehighspeed.net, 1 +cableiran.com, 1 +cablemadrid.tk, 1 +cablemod.com, 1 +cables-pro.com, 1 +cablesandkits.com, 1 +cablogrammes.fr, 1 +cabodream.ml, 1 +caboleisurerealestate.com, 1 +cabooneconstruction.com, 1 +cabosaferide.com, 1 +cabotagem.com, 1 +caboverde.tk, 1 +cabphysio.ch, 1 +cabr.al, 1 +cabrachicagritona.tk, 1 +cabrils.com, 1 +cabvertising.it, 1 +cac-hc.org, 1 +cac-ua.com, 1 +cacao-besos.com, 1 +cacao-chocolate.com, 1 +cacao-gang.ml, 1 +cacao.supply, 1 +cacaobesos.bg, 1 +cacaobesos.ro, 1 +cacaolalina.com, 1 +cacareerzone.org, 1 +cacaumidade.com.br, 1 +caccc.com, 1 +cachacasantaterezinha.com.br, 1 +cachaceros.tk, 1 +cache-checker.com, 1 +cachecounty.gov, 1 +cachesheriff.gov, 1 +cachetur.no, 1 +cachorrosboss.com, 1 +caciquecigars.com.br, 1 +cackette.com, 0 +cackl.io, 1 +cacko.tk, 1 +cacnverslavingszorg.nl, 1 +cacombos.com, 1 +cacommenceavecmoi.ca, 1 +cacoriccionline.tk, 1 +cacr.pw, 1 +cacrm.com, 1 +cactus-search.com, 1 +cactusarium.tk, 1 +cactusdentrepair.com, 1 +cactusgreen.com.br, 1 +cactuspedia.cf, 1 +cactuspedia.ga, 1 +cactuspedia.gq, 1 +cactuspedia.ml, 1 +cactusplumbingandair.com, 1 +cad-noerdlingen.de, 1 +cadafalso.tk, 1 +cadams.io, 0 +cadastroloteamento.com.br, 1 +cadaunoescomoes.tk, 1 +cadaver.tk, 1 +cadavre-exquis-musical.tk, 1 +cadconcrete.ca, 1 +cadcrowd.com, 1 +caddo.gov, 1 +caddr.org, 1 +caddyfashionshop.com, 1 +cadeaux-anniversaires.net, 1 +cadeauxfolies.fr, 1 +cadecobots.com, 1 +cadeengineering.com, 1 +cadeirasparaescritorio.ind.br, 1 +cadenadereferidos.tk, 1 +cadencescience.com, 1 +cadetsge.ch, 0 +cadflow.pt, 1 +cadiar.tk, 1 +cadici.ga, 1 +cadifit.ga, 1 +cadillacfairview.com, 1 +cadillacitalia.it, 1 +cadiskitchen.ca, 1 +cadmail.nl, 1 +cadman.pw, 1 +cadman.uk, 1 +cadmechanic.com, 1 +cadonau.net, 1 +cadonet.tk, 1 +cadooz.com, 1 +cadovod.tk, 1 +cadra.nl, 1 +cadre.com, 1 +cadreok.com, 1 +cadsys.net, 1 +caduceuslane.com, 1 +cadusilva.com, 1 +caduta-capelli.tk, 1 +cadvending.ch, 1 +cadwalk.de, 1 +cady-jennifer.tk, 1 +cadynce.com, 1 +caenergyprograms.com, 1 +caerostris.com, 1 +caesar.today, 1 +caesarkabalan.com, 1 +caetanobenet.es, 1 +caetanoflotas.es, 1 +caetanoformula.es, 1 +caetanoformulacadiz.es, 1 +caetanoformulagalicia.es, 1 +caetanomotorsmalaga.es, 1 +caetanoreicomsa.es, 1 +caetanoretail.pt, 1 +caetanotec.pt, 1 +caeterra.com, 1 +caf.ma, 1 +cafe-bg.com, 1 +cafe-cliche.tk, 1 +cafe-georges.cf, 1 +cafe-hamlet.fr, 1 +cafe-musica.org, 1 +cafe-pauline.de, 1 +cafe-service.ru, 0 +cafead.de, 1 +cafeamazon.tk, 1 +cafebab.com, 1 +cafebeauty.com, 1 +cafebeirut.tk, 1 +cafecentraal.tk, 1 +cafecentral.tk, 1 +cafechesscourt.com, 1 +cafechroma.tk, 1 +cafecobus.tk, 1 +cafedelcielo.co, 1 +cafedesignbooks.com, 1 +cafedospescadores.tk, 1 +cafedupont.be, 1 +cafedupont.co.uk, 1 +cafedupont.de, 1 +cafedupont.nl, 1 +cafefacil.com.br, 1 +cafehaventje.tk, 1 +cafeimsueden.de, 1 +cafeitalia.tk, 1 +cafekleuskens.tk, 1 +cafelandia.net, 1 +cafelegenda.cz, 1 +cafemadrid.tk, 1 +cafemandala.hu, 0 +cafemodi.cz, 0 +cafenix.tk, 1 +cafenoorderzon.tk, 1 +cafeobscura.nl, 1 +cafeplacedumarche.ch, 1 +cafepress.com.au, 1 +cafesforonda.com, 1 +cafetaste.com, 1 +cafeterya.tk, 1 +cafethevibes.com, 1 +cafethrive.co.uk, 1 +cafevelo.org, 1 +caffe.ga, 1 +caffein.cf, 1 +caffeinate.co.uk, 1 +caffeineandconcrete.com, 1 +caffeinebookly.com, 1 +caffeinefiend.org, 1 +caffelatte.tk, 1 +cafferata.tk, 1 +caffeservice.hu, 1 +caffewasyl.pl, 1 +cafled.org, 1 +caflou.com, 1 +caflou.cz, 1 +cafpatronato.it, 1 +caftan.tk, 1 +cag.legal, 1 +cagalogluhamami.com.tr, 1 +cagao.com, 1 +cagbuzau.ro, 1 +cageworld.tk, 1 +cagir.eu, 1 +cagivaclub.tk, 1 +caglarcakici.com, 1 +cagranollers.tk, 1 +cagrierdogdu.com, 1 +cagrimerkezinumarasi.com, 1 +cahabadigital.com, 1 +cahfee.com, 1 +cahn-achn.ca, 1 +cahuilla-nsn.gov, 1 +cai-ti.com.tw, 1 +caian.com, 1 +caiben.org, 1 +caibi.io, 1 +caic.com.sg, 1 +caidao.com, 1 +caifan.com, 1 +caihuan.com, 1 +caijunyi.net, 0 +caikuai.com, 1 +caillou.eu, 1 +cailoli.com, 1 +caimin.com, 1 +caindelhi.in, 1 +cainesjannif.com, 1 +cainiao.moe, 1 +caio.moe, 1 +caipai.fm, 1 +caipiao.com.cn, 1 +caipsnotes.com, 1 +caiqu.com, 1 +caiqueparrot.com, 1 +cairan.com, 1 +cairnterrier.com.br, 1 +cairohost.ml, 1 +cairokebab.com, 1 +cairui.com, 1 +cais.de, 1 +caise.tk, 1 +caissefrancaisedefinancementlocal.fr, 1 +caivps.com, 1 +caiwenjian.xyz, 1 +caixiange.com, 1 +caixideal-serralharia.pt, 1 +caiyi.com, 1 +caiyou.com, 1 +caizx.com, 0 +caj-eichstaett.de, 1 +caja-pdf.es, 0 +cajadecoloreshome.com, 1 +cajadelparque.tk, 1 +cajamarca.blog, 1 +cajaregionalserrana.com.mx, 1 +cajas.zone, 1 +cajio.ru, 1 +cak.nl, 1 +cakalnedobe.si, 1 +cakaveterinerklinigi.com, 1 +cake-n-go.com, 1 +cakearific.com, 1 +cakedeliver.com, 1 +cakedeveloperers.ga, 1 +cakedeveloperest.ga, 1 +cakelaces.com, 1 +cakeoffencesact.uk, 1 +cakes.ga, 1 +cakes.tk, 1 +cakesbyzoey.com, 1 +cakeshop.xyz, 1 +cakesoverseas.com, 1 +cakessl.com, 1 +cakestandscarriers.tk, 1 +caketoindia.com, 1 +cakeup.in.ua, 1 +cakir.info.tr, 1 +cakko.ml, 1 +caknowledge.com, 1 +cal-pacpainting.com, 1 +cal.goip.de, 1 +cal9000.com, 1 +calaad.net, 1 +calabasaselectric.com, 1 +calabasaselectrical.com, 1 +calabasaselectrician.com, 1 +calabasasexteriorlighting.com, 1 +calabasaslandscapelighting.com, 1 +calabasaslighting.com, 1 +calabasasoutdoorlighting.com, 1 +calaborlawnews.com, 1 +calabozo.tk, 1 +caladan.tk, 1 +calaficirecords.cf, 1 +calaix.click, 1 +calamidad.tk, 1 +calamp.com, 1 +calancamassages.ch, 0 +calandrahosting.tk, 1 +calantonieta.tk, 1 +calasiaoplantcoop.com.ph, 1 +calaverascounty.gov, 1 +calaverasmedicalcannabis.com, 1 +calc.center, 1 +calcasieu.gov, 1 +calcasieuclerk.gov, 1 +calcasieuparish.gov, 1 +calcasieusheriff.gov, 1 +calcedge.com, 1 +calcettomania.com, 1 +calcinacci.com, 1 +calcinacci.roma.it, 1 +calcionews24.com, 1 +calcioragusa.tk, 1 +calcioweb.eu, 1 +calconcontractors.com, 1 +calcoolator.pl, 1 +calcsoft.tk, 1 +calcsub.net, 1 +calculadora-de-derivadas.com, 1 +calculadora-de-integrales.com, 1 +calculadoraconversor.com, 1 +calcularis.ch, 1 +calculaseguros.com.br, 1 +calculate.co.kr, 1 +calculateaspectratio.com, 1 +calculates.org, 1 +calculatetoday.com, 1 +calculator-app.com, 1 +calculator-imt.com, 1 +calculator.aws, 1 +calculator.tf, 1 +calculatorspace.com, 1 +calculatortvers.ga, 1 +calculatortvest.ga, 1 +calcworkshop.com, 1 +caldaia.roma.it, 1 +caldaro.de, 1 +caldaro.org, 1 +caldecotevillagehall.co.uk, 1 +calderagallery.com, 1 +calderasgranada.cf, 1 +caldercenter.org, 1 +caldervets.co.uk, 1 +caldoletto.com, 1 +caldwell.com, 1 +caleaders.cf, 1 +caleatoxic.org, 1 +caledoniaoh.gov, 1 +caledonie.tech, 1 +calefones-electricos.com, 1 +calendar.cf, 0 +calendar.google.com, 1 +calendarinspiration.com, 1 +calendariodecorrida.com.br, 1 +calendarpensers.ga, 1 +calendarpensest.ga, 1 +calendarr.com, 1 +calendarsnow.com, 1 +calendly.com, 1 +calendriergn.ch, 1 +calendriergratuit.fr, 1 +caletka.cz, 1 +caletka.nl, 1 +calgarydermatologisters.ga, 1 +calhoun.tk, 1 +calhouncityms.gov, 1 +calhouncountyfl.gov, 1 +calhouncountyflsheriff.gov, 1 +calhouncountyil.gov, 1 +calhounfalls.gov, 1 +calhounmi911.gov, 1 +caliber.to, 1 +calibermind.com, 1 +calibrationrecall.com, 1 +calibreapp.com, 1 +calibso.net, 1 +calidadbio.com, 1 +calidoinvierno.com, 1 +californiabalsamic.com, 1 +californiabudgetfinance.tk, 1 +californiabuilding.ma, 1 +californiahairmd.com, 0 +californiahealth.tk, 1 +californiahumanrights.tk, 1 +californiakingsnakepet.com, 1 +californialemonlaw-lawyers.com, 1 +californiamusicacademy.com, 1 +californianet.tk, 1 +californiaonlinedivorce.com, 0 +californiapa.gov, 1 +californiavalues.cf, 1 +calim.com.ar, 1 +calimero.tk, 1 +calindairy.com, 1 +calinetworks.com, 1 +caliph.one, 1 +calisteniaperu.ga, 1 +calisthenicroutines.com, 1 +calitateavietii-ardeal.ro, 1 +call.me, 1 +call2counter.com, 0 +calla.pl, 1 +callabs.net, 1 +callahancountytx.gov, 1 +callamnow.com, 0 +callan.com, 1 +callanenglish.tk, 1 +callanetica.ru, 1 +callanjg.co.uk, 1 +callantonia.com, 1 +callawaymn.gov, 1 +callawayracing.se, 0 +callaworker.ml, 1 +callbackform.tk, 1 +callbell.eu, 1 +callcenterdeluxecalls.nl, 1 +callcriteria.com, 1 +callear.org, 1 +callerid4u.com, 1 +callerstrom.se, 1 +calleveryday.com, 1 +callflex.com.br, 1 +callfordataspeakers.com, 1 +callforkunst.de, 0 +callfunc.com, 1 +callhappyhive.com, 1 +callhippo.com, 1 +callhome.link, 1 +callhub.io, 1 +calliesalls.com, 1 +calligraph.gq, 1 +calligraphychic.com, 1 +callisabel.fr, 1 +callmebetty.com, 1 +callmewhatever.com, 1 +callmewhatever.de, 1 +callmewhatever.net, 1 +calloway.us, 1 +callowaycountyky.gov, 1 +callrail.com, 0 +callsign.com, 0 +callsigns.ca, 1 +calltoar.ms, 1 +callum.au, 1 +callummoore.au, 1 +callumsilcock.me, 1 +calluro.hr, 1 +callvip.tk, 1 +callwork.tk, 1 +cally.tk, 1 +callychat.tk, 1 +calmaririshmusicfestival.tk, 1 +calmer-cloud.de, 1 +calminteractive.fr, 1 +calomel.org, 1 +calonmahasiswa.com, 1 +calotte-academy.com, 1 +calpaterson.com, 1 +calposa.ml, 1 +calref.ca, 1 +calsense.net, 1 +calu.me, 1 +calucon.de, 1 +caluette.com, 1 +calumcrawford.com, 1 +calumetcounty.gov, 1 +calvario.tk, 1 +calvaryhospital.org, 1 +calverleyparish.church, 1 +calvertcityky.gov, 1 +calverttx.gov, 1 +calvin.my, 1 +calvusconsultancy.nl, 1 +calystral.com, 1 +calyxinstitute.org, 1 +calzadonline1.com, 1 +camago.dk, 1 +camanoislandpilates.com, 1 +camaradecomerciosiguatepeque.hn, 1 +camaras.uno, 1 +camarilla.tk, 1 +camarilloelectric.com, 1 +camarilloelectrical.com, 1 +camarilloexteriorlighting.com, 1 +camarillolandscapelighting.com, 1 +camarillolighting.com, 1 +camarillooutdoorlighting.com, 1 +camaronazo.com, 1 +camarzanadetera.tk, 1 +camashop.de, 1 +camastowncar.com, 1 +cambados.tk, 1 +cambait.tk, 1 +camberford.com, 1 +cambiamenti-climatici.it, 1 +cambiamos.tk, 1 +cambiata.io, 1 +cambier.org, 1 +cambioeuro.es, 1 +cambioeuro.it, 1 +cambiowatch.ch, 0 +cambodiainfo.tk, 1 +cambopost.tk, 1 +cambramanresa.cat, 1 +cambridge-security.com, 1 +cambridgeanalytica.cz, 1 +cambridgeanalytica.net, 1 +cambridgemoneyman.com, 1 +cambridgesecuritygroup.org, 1 +cambridgetutors.com, 1 +cambuslangharriers.org, 1 +camcelebs.com, 1 +camconn.cc, 0 +camcookies.com, 1 +camdenhistory.com, 1 +camdennj.gov, 1 +camdenny.gov, 1 +camdenpaws.com.au, 1 +camdesign.pl, 1 +camel2243.com, 1 +camelcrush.cf, 1 +camelflight.tk, 1 +camelforensics.com, 1 +camelia-poezii.tk, 1 +camelia.bg, 1 +camelion.tk, 1 +camella.com.ph, 1 +camelotestatehomes.com, 1 +camelservers.com, 1 +camenisch.ws, 1 +cameo-membership.uk, 0 +cameo.ee, 1 +cameos.bo, 1 +camera-podvod.tk, 1 +camerahire.com.au, 1 +cameraman.tk, 1 +cameramark.nl, 1 +camerashot.tk, 1 +cameraslyphotography.tk, 1 +camerata.com, 1 +cameraviva.com.br, 1 +camerawisata.com, 1 +cameria.tk, 1 +cameriere.it, 1 +cameroncountytx.gov, 1 +cameronherold.com, 1 +cameronphotographyok.com, 1 +cameronsiguenza.com, 1 +cameronstar.tk, 1 +cameronwince.com, 1 +cameronwv.gov, 1 +cameroonlounge.com, 1 +camerweb.es, 1 +camfire.family, 1 +camfire.school, 1 +camfire.team, 1 +camgirl-info.net, 1 +camgirl.ga, 1 +camgirldata.com, 1 +camgo.org, 1 +camhavuz.com, 1 +camilamoreno.tk, 1 +camilaporto.tk, 1 +camilat.tk, 1 +camileonline.tk, 1 +camilia.io, 1 +caminoneocatecumenal.tk, 1 +caminopicoseuropa.com, 1 +caminosalavida.com, 1 +caminreal.tk, 1 +camionerosdecoslada.tk, 1 +camionesdesegundamano.net, 1 +camipress.ga, 1 +camisado.tk, 1 +camisantiago.tk, 1 +camisetas-bones.com.br, 1 +camisetas4fun.com.br, 1 +camisetasbichopreguica.com.br, 1 +camisetasmalwee.com.br, 1 +camisetasparatodos.tk, 1 +camit.tk, 1 +camixo.tk, 1 +camjackson.net, 0 +cammamam.gq, 1 +camnews.tk, 1 +camolist.com, 1 +camon.si, 1 +camouflaged.tk, 1 +camp-pleinsoleil.ch, 0 +camp.zone, 1 +campaign-ad.com, 1 +campaign-center.net, 1 +campaign.gov.scot, 1 +campaign.gov.uk, 1 +campaigner.gq, 1 +campaignlake.com, 1 +campaignwiki.org, 1 +campaignzee.com, 1 +campalhilal.org, 1 +campamentos.info, 1 +campamerika.de, 1 +campanhamamypoko.com.br, 1 +campbellcountywy.gov, 1 +campcambodia.org, 1 +campcar-location.com, 1 +campdesante.com, 1 +campdetarragona.tk, 1 +campeonatoalemao.com.br, 1 +camperdays.de, 1 +camperdirectoryers.ga, 1 +camperdirectoryest.ga, 1 +camperlist.com, 1 +campermanaustralia.com, 1 +campertrailerfinance.com.au, 1 +camperverzekerd.nl, 1 +campfire.moe, 1 +campfiretails.org, 1 +campfourpaws.com, 0 +campguaikinima.com, 1 +camping-aupigeonnier.fr, 1 +camping-chantemerle.com, 1 +camping-dulac-dordogne.com, 1 +camping-everywhere.fun, 1 +camping-le-pasquier.com, 1 +camping-seilershof.de, 1 +camping-trentino.it, 1 +camping.it, 1 +campingbuffs.com, 1 +campingcarlovers.com, 1 +campingdebergboer.tk, 1 +campingdekoolberg.nl, 1 +campingdewatermolen.nl, 1 +campingfontanelle.it, 1 +campinggadgetest.ga, 1 +campinghuntingshooting.com, 1 +campingpasseiermeran.com, 1 +campingprofessionalsest.ga, 1 +campingshop.pl, 1 +campingwatchest.ga, 1 +campistry.net, 1 +camplaza.tk, 1 +campmackinaw.com, 1 +campo-salado.com, 1 +campofant.com, 1 +campogrande.ms, 1 +campograndenews.com.br, 1 +campolivillagebakery.com, 1 +campona.hu, 1 +camposolillo.tk, 1 +camppisos.com.br, 1 +camprunamutt.dog, 1 +campsite-explorer.top, 1 +campsoulfestival.com, 1 +campstuffs.com, 1 +camptonnh.gov, 1 +camptuk.org, 1 +campula.cz, 1 +campus-finance.com, 1 +campuscom.jp, 1 +campuscore.eu, 1 +campusdrugprevention.gov, 1 +campuskota.com, 1 +campuspodsers.ga, 1 +campuspodsest.ga, 1 +campvana.com, 1 +camrecord.ml, 1 +camreviews.org, 1 +camrosewebservices.com, 1 +camsangels.com, 1 +camsexia.com, 1 +camsexia.net, 1 +camsexia.org, 1 +camshort.com, 1 +camshowhub.com, 1 +camsky.de, 0 +camslurp.com, 1 +camslurp.net, 1 +camslurp.org, 1 +camsupplier.ml, 1 +camsupplierers.ga, 1 +camtor.ml, 1 +camtu.com, 1 +camuri.com, 1 +camview.nz, 1 +camworld.com, 1 +camzroofing.ca, 0 +can-amchains.com, 1 +can-fleet.com, 1 +can-tran.com, 1 +canabeinternacional.com, 1 +canada-tourisme.ch, 0 +canadaabroad.com, 0 +canadacloudpharmacy.com, 1 +canadaclub.tk, 1 +canadacommunity.org, 1 +canadacouncil.ca, 1 +canadafactcheck.ca, 0 +canadagoosejacketscanada.ca, 1 +canadahustle.com, 0 +canadalife.de, 1 +canadamails.tk, 1 +canadapet.club, 1 +canadapets.club, 1 +canadapost-postescanada.ca, 1 +canadapropertyexpert.ca, 1 +canadianatheists.ca, 1 +canadianatheists.com, 1 +canadianbusiness.com, 1 +canadianfraudlaw.com, 1 +canadianfriendsofyadsarah.com, 1 +canadianlandscapeart.ca, 1 +canadianlawyermag.com, 1 +canadianmetalworking.com, 1 +canadianmilitaryspouse.tk, 1 +canadianoutdoorequipment.com, 1 +canadianpharmacyonline.com, 1 +canadianpointerclub.tk, 1 +canadiansinternet.com, 1 +canadiansrit.tk, 1 +canadiantouristboard.com, 1 +canae.org, 1 +canajoana.eu, 1 +canal-onanismo.org, 1 +canal4.com.ni, 1 +canalbpv.com, 1 +canalconfidencial.com.br, 1 +canaldeintegridade.com.br, 1 +canaldelaespartera.tk, 1 +canalecontracting.com, 1 +canalescape.tk, 1 +canalinterativo.cf, 1 +canalinterativo.ml, 1 +canalinterativo.tk, 1 +canalpatriotas.tk, 1 +canalrivertrust.org.uk, 1 +canalspa.cl, 1 +canamo-solidario.tk, 1 +canarabankcsis.in, 1 +canaresidences.com, 1 +canaria.ga, 1 +canariasport.com, 0 +canariculturacolor.com, 1 +canaryaspets.com, 1 +canarymod.net, 1 +canarypower.tk, 1 +canarys.cf, 1 +canastasderegalointernacionales.com, 1 +canavilage.com, 1 +canavillage.net, 1 +canavillagepuntacana.com, 1 +canavillageresidences.com, 1 +canberraoutletcentre.com.au, 1 +canberrarunners.org.au, 1 +cancan.ml, 1 +cancer-info.org, 1 +cancer.gov, 1 +canceraid.coach, 1 +canceraid.com, 1 +canceraid.com.au, 1 +canceraid.io, 1 +cancerdata.nhs.uk, 1 +cancersintomas.com, 1 +cancertherapy.tk, 1 +cancomputers.hn, 1 +cancunhealthers.ga, 1 +cancunvacationexperts.com, 1 +candaceplayforth.com, 1 +candas.tk, 1 +candelaguatemala.tk, 1 +candex.com, 1 +candicecity.com, 0 +candidasa.com, 1 +candidateexperiencemarketing.nl, 1 +candidatlibre.net, 1 +candidcard.ga, 1 +candidcarders.ga, 1 +candidcardest.ga, 1 +candinya.com, 1 +candinya.me, 1 +candlcastles.co.uk, 1 +candlelightchallenge.tk, 1 +candlelightediting.com, 1 +candlemakingexplained.com, 1 +candlepro.cf, 1 +candlevn.com, 1 +cando.eu, 1 +candogiveguide.org, 1 +candorhealthed.org, 1 +candy-pop.tk, 1 +candyalexa.net, 1 +candyboulevard.tk, 1 +candybouquet.tk, 1 +candybygrant.com, 1 +candydol.xyz, 1 +candydoll11.com, 1 +candydoll12.com, 1 +candydoll13.com, 1 +candydoll14.com, 1 +candydoll15.com, 1 +candydoll3.com, 1 +candydoll7.com, 1 +candydoll8.com, 1 +candydoll9.com, 1 +candyflavor.com, 1 +candykidsentertainment.co.uk, 1 +candykurs.ru, 1 +candylion.rocks, 1 +candypalace.tk, 1 +candysailing.ml, 1 +candysamira.org, 1 +candytip.ru, 1 +candyxs.org, 1 +canecorsodogguide.com, 1 +canek.es, 0 +canelaimobiliaria.com.br, 1 +canellayachts.com, 1 +canetelareal.tk, 1 +canfazz.com, 1 +canfield.gov, 1 +canfleet.ca, 1 +canfleet.com, 1 +canfleet.info, 1 +canfleetglobal.com, 1 +canfleetlogistics.com, 1 +cangku.in, 1 +cangurin.com, 1 +canhas.report, 1 +canhazip.com, 1 +canhq.tk, 1 +canhtuaone.com, 0 +cani-compostelle.fr, 1 +canibrowse.net, 1 +canidelite-toulouse.fr, 1 +canihavesome.coffee, 0 +canile.it, 1 +caninecompilation.com, 1 +caninejournal.com, 1 +caniuse.email, 1 +canjo.gov, 1 +cankado.com, 1 +canker.org, 1 +cankhon.tk, 1 +cankirihaber.tk, 1 +cankutahya.com.tr, 1 +canlidiziizlesene.org, 1 +canliradyodinle.fm, 1 +canlitelefonhatti.ga, 1 +canlom.tk, 1 +canmipai.com, 1 +cannabis-marijuana.com, 1 +cannabisdiscounter.ca, 1 +cannabishouseyeg.com, 1 +cannabislegality.info, 1 +cannabisoffers.net, 1 +cannabisreports.org, 1 +cannabistraininguniversity.com, 1 +cannabiz.tk, 1 +cannabytes.net, 1 +cannacards.ca, 1 +cannagoals.com, 1 +cannamaca.com, 1 +cannamx.online, 1 +cannaseedsonline.com, 1 +cannature.eu, 1 +cannedcyberlabs.org, 1 +cannellecitron86-biomonde.fr, 1 +canningcityfc.org.au, 1 +canningpartners.com.au, 1 +cannoli.london, 1 +cannon.org.cn, 1 +cannoncountytn.gov, 1 +cannonriverwatershedmn.gov, 1 +cannonsforsale.com, 1 +canntinas.com, 0 +cannyfoxx.me, 1 +canobag.es, 1 +canondrivers-support.com, 1 +canondrivers.org, 1 +canonisti.fi, 1 +canoonic.se, 1 +canopy.ninja, 1 +canopycleaning.com.au, 1 +canopycleaningmelbourne.com.au, 1 +canopyservicing.com, 0 +canopytax.com, 1 +canossagardens.org.au, 0 +canossahospital.org.au, 1 +canovamedical.co.uk, 1 +canovamedical.com, 1 +canperclinicaveterinaria.com, 1 +canrarantra.tk, 1 +canstar.co.nz, 1 +canstar.com.au, 1 +canstarblue.co.nz, 1 +canstarblue.com.au, 1 +cantaloupe.ga, 1 +cantalupo.tk, 1 +cantando.nl, 1 +cantarefacile.com, 1 +cantarella.tk, 1 +cantatio.ch, 0 +cantautores.tk, 1 +cantdecidename.com, 1 +canterbury.ws, 1 +canterburycrest.org, 1 +canterburynh.gov, 1 +canters.tk, 1 +cantinhodabia.com, 1 +cantongroup.com, 1 +cantonmi.gov, 1 +cantonmopolice.gov, 1 +cantonms.gov, 1 +cantoo.fr, 1 +cantor.cloud, 1 +cantosdisidentes.tk, 1 +cantrack.com, 1 +cantstopart.com, 1 +canukseeds.com, 1 +canuluduz.tk, 1 +canv4s.com, 1 +canva-dev.com, 1 +canva-staging.cn, 1 +canva-staging.com, 1 +canva.cn, 1 +canva.com, 1 +canvas-art.tk, 1 +canvaspersonalized.com, 1 +canveganseat.com, 1 +canyoncreekjeep.com, 1 +canyonisd.net, 1 +canyonshoa.com, 1 +canyontx.gov, 1 +canyou.ai, 1 +canyou.com.au, 1 +canyoupwn.me, 1 +cao.bi, 1 +cao.gov, 1 +cao.la, 1 +caocao.cf, 1 +caodecristachines.com.br, 0 +caodesantohumberto.com.br, 1 +caos.ch, 0 +caoshanhu.com, 1 +caoshe.com, 1 +caostura.com, 1 +caoyao.com, 1 +caozuo.com, 1 +cap-study.com, 1 +cap21-lrc.fr, 1 +cap73.fr, 1 +cap75.com, 1 +capa.digital, 1 +capacityproject.org, 1 +capari.co, 1 +caparicasurfing.com, 1 +caparis.nl, 1 +capeannpediatrics.com, 1 +capebretonpiper.com, 1 +capecanaveral.gov, 1 +capecod.gov, 1 +capecoral.gov, 1 +capecycles.co.za, 1 +capehipandknee.co.za, 1 +capekeen.com, 1 +capellan.pe, 1 +capellen.tk, 1 +capeprivacy.com, 0 +capetown.travel, 1 +capetownelite.co.za, 1 +caph.info, 1 +caphane.com, 1 +caphapupolas.ga, 1 +caphapupolas.ml, 1 +caphefin.com, 1 +capicibera.tk, 1 +capike.cf, 1 +capillary.io, 1 +capimlimaoflores.com.br, 1 +capitainebaggy.ch, 0 +capitains.tk, 1 +capital-electronics.ml, 1 +capital-match.com, 1 +capitalcap.com, 1 +capitalcollections.org.uk, 1 +capitalcounselor.com, 1 +capitalendurancegroup.com, 1 +capitalibre.com, 1 +capitalindustrygroup.com.au, 1 +capitalise.ai, 1 +capitalism.party, 1 +capitalism.rip, 1 +capitalist.cf, 1 +capitalmarkets.online, 1 +capitalmatters.cf, 1 +capitalmatters.ga, 1 +capitalmatters.gq, 1 +capitalmatters.ml, 1 +capitalmediaventures.co.uk, 1 +capitalmedicals.co.nz, 1 +capitalnativenations.org, 1 +capitaloneshopping.com, 1 +capitalontap.com, 1 +capitalp.jp, 1 +capitalpay.ml, 1 +capitalpipeline.tech, 1 +capitalquadatv.org.nz, 1 +capitalrooms.ga, 1 +capitalroomsers.ga, 1 +capitalscum.tk, 1 +capitalsejours.fr, 1 +capitalspiderers.ga, 1 +capitalstakepool.info, 1 +capitaltruepartner.hk, 1 +capitaltruepartnertechnology.cn, 1 +capitalwin.com, 1 +capitan.ml, 1 +capitanbeilinson.tk, 1 +capitapeskanova.tk, 1 +capitein.tk, 1 +capitolavenue62.co.in, 1 +capitolnational.com, 1 +capitolpathways.org, 1 +capitolrisk.tk, 1 +capitoltrades.com, 1 +capitone.fr, 1 +caplinbouncycastles.co.uk, 1 +caponestudiolegale.it, 1 +caponte.io, 1 +caporalmktdigital.com.br, 1 +capota.tk, 1 +capper.de, 1 +cappp.cz, 1 +capradip.in, 0 +caprell.com, 1 +capriccio.to, 1 +caprichosdevicky.com, 1 +caprigo.ru, 1 +capris.cr, 0 +capro.global, 1 +caps-hats.tk, 1 +caps.equipment, 1 +caps.is, 1 +caps.solutions, 1 +caps.systems, 1 +capsdelhi.com, 1 +capseo.id, 1 +capsicle.tk, 1 +capslock.ch, 1 +capsogusto.com, 1 +capstansecurity.co.uk, 1 +capstansecurity.com, 1 +capstonehcm.com, 1 +capsuladigital.tk, 1 +capsulafinanciera.com, 1 +capsule.org, 0 +capsulekitchen.co, 1 +capsulezone.tk, 1 +captain-dandelion.com, 1 +captain-droid.com, 1 +captainark.net, 1 +captainclaw.tk, 1 +captaincontributor.com, 1 +captainjanks.tk, 1 +captainratnesh.tk, 1 +captainsavage.lt, 1 +captainscarlet.tk, 1 +captainsinn.com, 1 +captainsonic.com, 1 +captainsunshine.tk, 1 +captalize.com, 1 +captchafox.com, 1 +captify.ca, 1 +captivationscience.com, 1 +captivationtheory.com, 1 +capturebilling.com, 1 +captured-symphonies.com, 1 +capturelead.tk, 1 +capturis.com, 1 +capuchinox.com, 1 +caputo.com, 1 +capybaraowner.com, 1 +car-alarm.tk, 1 +car-clean-nord.de, 1 +car-diagnose.com, 1 +car-dismantling.tk, 1 +car-expresso.com, 1 +car-hire-lisbon.com, 1 +car-keys.tk, 1 +car-market.tk, 1 +car-seats-store.ga, 1 +car-speed.tk, 1 +car-touch.tk, 1 +car.info, 1 +car24portal.de, 1 +car3d.gq, 1 +car4rent.fr, 1 +cara-bisnis.tk, 1 +cara-mudah-hidup-sehat.tk, 1 +carabin.cf, 1 +caraccidentlawyersaltlake.com, 1 +caraccidentslawyer.tk, 1 +caraccio.li, 1 +caracterizacion.tk, 1 +caradaftarakun.ga, 1 +caragame.id, 1 +carajas.tk, 1 +caralarm.cf, 1 +caralarm.tk, 1 +caraliadeluxe.net, 1 +caralina.com, 1 +caramelldansen.com, 1 +caramellespinell.tk, 1 +caramplifier.com, 1 +caratennison.net, 1 +carauctionnetwork.com, 1 +carauctionsalabama.com, 1 +carauctionscarolina.com, 1 +carauctionsgeorgia.com, 1 +carauctionsillinois.com, 1 +carauctionsnewyork.com, 1 +caraudiostore.tk, 1 +caravaca.tk, 1 +caravansciences.tk, 1 +caravelairclub.tk, 1 +caraz.tk, 1 +carballeira.tk, 1 +carbaza.ru, 1 +carberra.io, 1 +carberra.xyz, 1 +carbeso.co.network, 1 +carbeso.site, 1 +carbgrent.com, 1 +carbon-project.org, 1 +carbon.coop, 1 +carbon12.org, 1 +carbon12.software, 1 +carbonadvantage.tk, 1 +carbonaphta.com, 1 +carboncountypa.gov, 1 +carboncountywy.gov, 1 +carbondix.com, 1 +carboneventsupport.be, 1 +carboneventsupport.lu, 1 +carbonholic.org, 1 +carbonkiller.org, 1 +carbonlib.com, 0 +carbonmapper.org, 1 +carbonmonoxidelawyer.net, 1 +carbonnel.me, 0 +carbono.uy, 1 +carbonopuro.es, 0 +carbonswap.exchange, 1 +carbonswap.finance, 1 +carbontv.com, 1 +carbonvision.cn, 0 +carcare.net.au, 1 +carcatron.org, 1 +carceloinfierno.tk, 1 +carcheck123.com, 1 +carck.co.uk, 1 +carcleannord.de, 1 +carcloud.ch, 1 +carcluesest.ga, 1 +carcrushe.rs, 1 +carcrushers.cc, 1 +cardanalysisers.ga, 1 +cardano.eco, 1 +cardbouns.tk, 1 +cardcaptorsakura.jp, 1 +cardcollectors.ch, 1 +carddelivery.com, 1 +cardexaminerers.ga, 1 +cardexaminerest.ga, 1 +cardiagnose.nl, 1 +cardiagnostics.tk, 1 +cardiffmoneyman.com, 1 +cardijn-athus.be, 1 +cardinauto.fr, 1 +cardington.tk, 1 +cardinus.com, 1 +cardioagainstcancer.nl, 1 +cardiology.academy, 1 +cardiology.gq, 1 +cardios.srv.br, 1 +cardiosportsilvinadelgado.com, 0 +cardiothinklab.com, 1 +cardity.de, 1 +cardliquidatorsers.ga, 1 +cardloan-center.jp, 1 +cardloan-manual.net, 1 +cardmarketersers.ga, 1 +cardmarketersest.ga, 1 +cardmart.tk, 1 +cardmates.com.br, 1 +cardmates.net, 1 +cardmates.org, 1 +cardmates.ru, 1 +cardmates.ua, 1 +cardmetricsers.ga, 1 +cardmetricsest.ga, 1 +cardoni.net, 1 +cardozovargas.com, 1 +cardozovargas.com.br, 1 +cardozovargas.me, 1 +cardpaymentoptions.com, 1 +cardprinter.co.il, 1 +cardpyramiders.ga, 1 +cardranking.jp, 1 +cardrecovery.fr, 1 +cards4jobs.com, 1 +cardschat.com, 1 +cardsite.ca, 1 +cardsolutionsbh.com.br, 1 +cardstesting.tk, 1 +cardstream.com, 1 +cardswith.love, 1 +cardtrekers.ga, 1 +cardtrekest.ga, 1 +cardtronics.com, 1 +cardwar.tk, 1 +cardwars.hu, 1 +care-pack.eu, 1 +care-q.net, 1 +care.com, 1 +care4all.com, 1 +care4homecare.nl, 1 +careapp.com.au, 1 +carear.com, 1 +carecm.de, 1 +career-conduct.jp, 1 +career-guidance.com, 1 +career-log.jp, 1 +careerandjobsearch.tk, 1 +careercapital.co.za, 1 +careerdiary.co.uk, 1 +careergigo.com, 1 +careerminds.com, 1 +careernet.in, 1 +careeroptionscoach.com, 1 +careerpower.co.in, 1 +careersinpsychology.org, 1 +careerslevel.com, 1 +careertransformed.com, 1 +carefix.pro, 1 +carefree-creative.com, 1 +carefu.link, 1 +carefy.ph, 1 +caregoportal.com, 1 +carehomejob.co.uk, 1 +careium.co.uk, 1 +carekleen.com.au, 1 +carelancerportfolio.ga, 1 +careloco.tk, 1 +caremad.io, 1 +caremobi-prod.herokuapp.com, 1 +carepan.ga, 1 +carepassport.com, 1 +caresco.nl, 1 +careshields.sg, 1 +carespot.com, 1 +carespottravelmedicine.mobi, 1 +caretaker.com, 1 +carethehealth.com, 1 +caretoyou.com, 1 +caretta.co.uk, 1 +carevan.org, 1 +carevic.eu, 1 +carevo.id, 1 +careyohio.gov, 1 +careyolsen.com, 1 +carezza.net, 1 +carfamily.com, 1 +carfashion.com.mx, 1 +carfax.ca, 1 +carfaxcanadaappgateway.azurewebsites.net, 1 +carfinancehelp.com, 1 +carfinans.ru, 1 +carforme.gr, 1 +carfraemill.co.uk, 1 +cargo.build, 1 +cargobas.com, 1 +cargobay.net, 1 +cargoio.com, 1 +cargomaps.com, 1 +cargorestraintsystems.com.au, 1 +cargosapiens.com.br, 1 +cargotariff.ml, 1 +cargotransinfo.ru, 1 +carhunters.cz, 1 +caribank.org, 1 +caribbeancinemas.com, 1 +caribbeansolutionslab.com, 1 +caribeeficiente.com.co, 1 +caribuku.tk, 1 +caricature.fr, 1 +caricatureavenue.com, 1 +carien.eu, 1 +carif-idf.net, 0 +carigami.fr, 1 +cariki.gq, 1 +carikiv.gq, 1 +carillon.tk, 1 +carinaklijn.nl, 1 +carine.ml, 1 +caringkitsforkids.org.uk, 1 +caringmedicine.ga, 1 +caringpups.com, 1 +carinsuranceliveest.ga, 1 +carinthia.eu, 1 +carioca-romania.ro, 1 +cariproperti.com, 1 +carisenda.com, 1 +carium.com, 1 +carkeysanantonio.com, 1 +carkeysystem.com, 1 +carl-blum-haus.tk, 1 +carl-otto.it, 1 +carl-topham.com, 0 +carl.land, 1 +carlansell.co.uk, 1 +carlapoggioli.com, 1 +carlaschiavone.tk, 1 +carlasecrets.com, 1 +carlcsaposs.com, 1 +carlelo.com, 1 +carlesribot.tk, 1 +carleycounselingservices.com, 1 +carlgo11.com, 1 +carlicahn.com, 1 +carlife-at.jp, 1 +carlijnottens.nl, 1 +carlili.fr, 0 +carlingfordapartments.com.au, 1 +carlingforddental.com.au, 1 +carlinmack.com, 1 +carlislebrass.com, 1 +carlislecounty.gov, 1 +carlite.at, 1 +carlitoxxpro.com, 1 +carlmjohnson.net, 0 +carloancalculator.tk, 1 +carlobiagi.de, 1 +carlocksmith--dallas.com, 1 +carlocksmithbaltimore.com, 1 +carlocksmithcarrollton.com, 1 +carlocksmithellicottcity.com, 1 +carlocksmithfallbrook.com, 1 +carlocksmithkey.com, 1 +carlocksmithlewisville.com, 1 +carlocksmithmesquite.com, 1 +carlocksmithsjohannesburg.co.za, 1 +carlocksmithtucson.com, 1 +carloelectrical.com, 1 +carlolacana.tk, 1 +carlolander.se, 1 +carlons.cf, 1 +carlos-moreira.com, 1 +carlosabarbamd.com, 1 +carlosbronze.com.br, 1 +carloscar.art, 1 +carloscar.co, 1 +carloscar.com, 1 +carloscar.se, 1 +carloscolina.com, 1 +carlosfelic.io, 1 +carlosgago.tk, 1 +carlosguadian.tk, 1 +carloshbcabral.com, 1 +carloshmm.com, 1 +carloshmm.stream, 1 +carloshmoreira.com, 1 +carlosjeurissen.com, 1 +carlosjeurissen.nl, 1 +carlospiga.fr, 1 +carlosvelezmarketing.com, 1 +carlot-j.com, 1 +carls-fallout-4-guide.com, 1 +carlsbadluxuryhotels.ga, 1 +carlshamnbageri.com, 1 +carlshamnbageri.se, 1 +carlshamnmejeri.com, 1 +carlshamnmejeri.se, 1 +carlshamnsvaxtrike.se, 1 +carlshamnvaxtrike.se, 1 +carlsonfonder.se, 1 +carlsonfund.de, 1 +carlsonfunds.com, 1 +carlsonsw.com, 1 +carltoncountymn.gov, 1 +carltonelitetravel.ga, 1 +carltontownfc.tk, 1 +carlvanderlaan.com, 1 +carlysgarden.net, 1 +carmageddon.tk, 1 +carmarthenradiocontrolledcarclub.tk, 1 +carmela.tk, 1 +carmelrise.co.uk, 1 +carmelss.edu.hk, 1 +carmeltownship-mi.gov, 1 +carmen1996.com, 1 +carmengrayfanclub.tk, 1 +carmeni.tk, 1 +carmeny.org, 1 +carminemastropierro.com, 1 +carna.tk, 1 +carnageheart.tk, 1 +carnagevisors.tk, 1 +carnaticalifornia.com, 1 +carnavaldeltoro.tk, 1 +carnavales.tk, 1 +carnavalinrothem.tk, 1 +carnedelmercado.com, 1 +carnell.com, 1 +carnet-du-voyageur.com, 1 +carnetdeconducir.club, 1 +carni.tk, 1 +carnica.tk, 1 +carniceriaserrador.es, 1 +carnildo.com, 1 +carnivalcostumes.tk, 1 +carnivalkingsupplies.com, 1 +carnivorediet.gr, 1 +carnivorousplants.co.uk, 1 +carobme.de, 1 +carocream.org, 1 +caroffer.ch, 1 +carohq.com, 1 +caroinstitute.cf, 1 +carol-lambert.com, 1 +carolcestas.com, 1 +caroli.biz, 1 +caroli.com, 1 +caroli.info, 1 +caroli.name, 1 +caroli.net, 1 +carolicious.tk, 1 +carolina.cz, 1 +carolinaharboe.baby, 1 +carolinaharboe.com, 1 +carolinaoliveira.tk, 1 +carolinarice.com, 1 +carolinasaddictionfellows.com, 1 +carolinashoe.com, 1 +carolinavarletaarriagada.tk, 1 +carolineball.com, 1 +carolinebazin.fr, 1 +carolineeball.com, 1 +carolinegirvan.com, 1 +carolinehanania.com, 1 +carolinehoule.com, 1 +carolinelanglois.fr, 1 +carolineovercash.com, 1 +carolinepleuvret.fr, 1 +carolmolinari.tk, 1 +carontetourist.hr, 1 +carontetouristisoleminori.it, 1 +carottage-beton.com, 1 +carousel.ga, 1 +carouselbuses.co.uk, 1 +carouselinsights.com, 1 +carp-world.tk, 1 +carp-zeeland.tk, 1 +carp4life.tk, 1 +carparo.net, 0 +carpeleo.com, 1 +carpeleo.mobi, 1 +carpeleo.se, 1 +carpentersvilleil.gov, 1 +carpet24.gr, 1 +carpetandhardwoodflooringpros.com, 1 +carpetcleanerswilmington.com, 1 +carpetcleaning-cypress.com, 1 +carpetcleaningtomball.com, 1 +carpetcobblers.ga, 1 +carpio.tk, 1 +carplus.es, 1 +carplus.net, 1 +carportus.com, 1 +carpostal.com, 1 +carprice.auction, 1 +carprice.ru, 1 +carproof.com, 1 +carpticon.tk, 1 +carpuya.ga, 1 +carrabiners.tk, 1 +carraboucrafts.com, 1 +carre-jardin.com, 1 +carre-lutz.com, 1 +carre.nl, 1 +carrelageetmosaique.fr, 1 +carreraspopularescalendario.com, 1 +carrgroup.co.nz, 1 +carrgroup.com.au, 1 +carriage.fun, 1 +carriedin.com, 1 +carrier.tools, 1 +carrieunderwood.tk, 1 +carrion.tk, 1 +carrmachines.co.nz, 1 +carrmachines.com.au, 1 +carrnorthamerica.com, 1 +carroattrezzi.it, 1 +carroattrezzi.lazio.it, 1 +carroattrezzimilanodaluiso.it, 1 +carroceriascarluis.com, 1 +carrolcountyohioelections.gov, 1 +carrollcotne911.gov, 1 +carrollcountyil.gov, 1 +carrollcountyiowa.gov, 1 +carrollcountynh.gov, 1 +carrollcountynhdeeds.gov, 1 +carrolltontx.gov, 1 +carroseletricosbh.com.br, 1 +carrosserie-delaval.be, 1 +carrouselcompany.fr, 1 +carrozzeria.roma.it, 1 +carrozziere.roma.it, 1 +carrumhealth.com, 1 +carry.luxe, 1 +carryvanbruggen.tk, 1 +cars-project.ru, 1 +cars4salecy.com, 1 +carsandstars.com.au, 1 +carseatchecks.ca, 1 +carshippingcarriers.com, 1 +carsinsuranceis.com, 1 +carsmate.com, 1 +carsoft.tk, 1 +carson-matthews.co.uk, 1 +carsonca.gov, 1 +carsonkoziol.com, 1 +carsonmorrow.com, 1 +carsoug.com, 1 +carspicture.tk, 1 +carspneu.cz, 1 +carsreborn.com, 1 +carstar.com.ua, 1 +carstub.com, 1 +carsurance.net, 1 +carsworld.cf, 1 +cartadeviajes.cl, 1 +cartadeviajes.co, 1 +cartadeviajes.com, 1 +cartadeviajes.com.ar, 1 +cartadeviajes.com.ve, 1 +cartadeviajes.de, 1 +cartadeviajes.ec, 1 +cartadeviajes.es, 1 +cartadeviajes.fr, 1 +cartadeviajes.mx, 1 +cartadeviajes.pe, 1 +cartadeviajes.uk, 1 +cartago.co.cr, 1 +cartaisapre.com, 1 +carte-resident.ci, 1 +cartegrise.com, 1 +cartegrise.xyz, 1 +carteles.tk, 1 +cartelloni.roma.it, 1 +carteltec.com, 1 +cartercountymo.gov, 1 +carterdan.net, 1 +carterjonas.co.uk, 1 +carterkosturos.com, 1 +carterstad.se, 1 +cartertonscouts.org.nz, 1 +cartes-voyance.fr, 1 +cartesfrance.fr, 1 +cartesy.de, 1 +cartfilm.tk, 1 +cartft.com, 1 +carthagecement.com.tn, 1 +carthedral.com, 1 +cartierplan.ga, 0 +cartomancieperso.tk, 1 +cartongesso.roma.it, 1 +cartons-cheap.tk, 1 +cartooncastles.ie, 1 +cartooncollections.com, 1 +cartoonlists.com, 1 +cartoonstock.com, 1 +cartoontube69.com, 1 +cartoonvibe.com, 1 +cartoonwap.tk, 1 +cartoradio.fr, 1 +cartorio4oficiojuazeiro.com.br, 1 +cartorios.tk, 1 +cartoservice.tk, 1 +cartouche24.eu, 1 +cartridge.bg, 1 +cartridge.gq, 1 +cartridgereviewers.ga, 1 +cartridgereviewsers.ga, 1 +cartridgereviewsest.ga, 1 +cartridgesave.co.uk, 1 +cartturbo.com, 1 +cartucce24.it, 1 +cartuchoonline.com.br, 1 +cartunings.tk, 1 +cartwrightrealestate.com, 1 +carty.bg, 1 +carun.us, 0 +carunion.nl, 1 +carver.tk, 1 +carvercountymn.gov, 1 +carvoeiro-car-hire.com, 1 +carwashdruten.nl, 1 +carwashkampen.nl, 1 +carwreckcowboy.com, 1 +caryl.fr, 1 +carymedicalgroup.com, 1 +caryvilletn.gov, 1 +cas-chauxdefonds.ch, 0 +cas-ebbers.nl, 1 +casa-app.de, 0 +casa-brel.ml, 1 +casa-carla.it, 1 +casa-due-pur.com, 1 +casa-due-pur.de, 1 +casa-due.com, 1 +casa-familia.com, 0 +casa-indigo.com, 1 +casa-laguna.net, 1 +casa-lunch-break.de, 1 +casa-lunchbreak.de, 1 +casa-mea-inteligenta.ro, 1 +casa-mitica.com, 1 +casa-prince.tk, 1 +casaasia.cat, 1 +casaasia.es, 1 +casaasia.eu, 1 +casabella.com.tw, 1 +casacampolima.com, 1 +casacapalbio.com, 1 +casacazoleiro.com, 1 +casachameleonhotels.com, 1 +casachronicles.com, 1 +casacochecurro.com, 1 +casacoleccionistagaldar.tk, 1 +casacolosseo.com, 1 +casacomcharme.com.br, 1 +casacoscolo.tk, 1 +casadasmolas.tk, 1 +casadedios.tk, 1 +casadegomes.com, 1 +casadelasvinas.com, 1 +casadetiteres.tk, 1 +casadoarbitro.com.br, 1 +casadomarketingdigital.com.br, 1 +casadopulpo.com, 1 +casaessencias.com.br, 1 +casafina.tk, 1 +casagami.ga, 1 +casagyn.com.br, 1 +casajeannine.tk, 1 +casalacabra.com, 1 +casalborgo.it, 1 +casalcrevillent.tk, 1 +casaledibuccole.it, 1 +casalinghedisperate.ga, 1 +casalopez.tk, 1 +casalor.ro, 1 +casalunchbreak.de, 1 +casamariano.es, 1 +casamentos.com.br, 1 +casamentos.pt, 1 +casamiento.com.uy, 1 +casamientos.com.ar, 1 +casandraemge.tk, 1 +casanuova.tk, 1 +casaoggidomani.it, 1 +casapalla.com.br, 1 +casapedra.tk, 1 +casaplorer.com, 1 +casaruralsantamaria.tk, 1 +casasbandeirantes.com.br, 1 +casascomdesign.com, 1 +casashops.com, 1 +casasparaperross.com, 1 +casasuara.com, 1 +casasuleletrodomesticos.com.br, 1 +casatendeiro.tk, 1 +casavacanze.estate, 1 +casavaleria.tk, 1 +casavlas.ro, 1 +casbia.info, 0 +casbuijs.nl, 1 +casburggraaf.com, 0 +casc.cz, 1 +casca.tk, 1 +cascadenos.tk, 1 +cascadewindows.com, 1 +cascadinglounge.tk, 1 +cascavelle.fr, 1 +cascavelle.nl, 1 +cascd.pt, 1 +case-vacanza-salento.com, 1 +case4you.bg, 1 +case4you.ro, 1 +casecandy.in, 1 +casecurity.org, 1 +caseform.de, 1 +caseificio.roma.it, 1 +caselemnbarat.ro, 1 +casemaka.com, 1 +caseof.fr, 1 +casepariurionline.ro, 1 +caseplus-daem.de, 1 +casertanews.it, 1 +cases.lu, 1 +casetech.com, 1 +casewarecloud.com, 1 +caseycapitalpartners.com, 1 +caseykeith.me, 1 +casgp.com, 0 +cash-bot.tk, 1 +cash-generator.tk, 1 +cash-pos.com, 1 +cash.app, 1 +cash.me, 1 +cash.nyc, 1 +cashamerican.tk, 1 +cashati.com, 1 +cashbackcow.us, 1 +cashbacksummit.com, 1 +cashblog.ga, 1 +cashbook.co.tz, 1 +cashbot.sk, 1 +cashbuild.co.za, 1 +cashcode.ga, 1 +cashcoin.tk, 1 +cashconverters.co.uk, 1 +cashconverters.com, 1 +cashconverters.com.au, 1 +cashdo.co.il, 1 +cashdrop.ga, 1 +cashenvoy.com, 1 +cashewmanufacturers.com, 1 +cashflowstrategist.com, 0 +cashforcarremovalsipswich.com.au, 1 +cashfortulsahouses.com, 1 +cashjankari.com, 1 +cashline.tk, 1 +cashlink.de, 0 +cashlogic.ch, 0 +cashmanagerbg.com, 1 +cashmaxtexas.com, 1 +cashortrade.org, 1 +cashper.de, 1 +cashplk.com, 1 +cashregistry.tk, 1 +cashsector.ga, 1 +cashservices.com.au, 1 +cashwave.com, 1 +cashworks.ga, 1 +cashworks.tk, 1 +cashyourcar.sydney, 1 +casian.ir, 1 +casillasdecoria.tk, 1 +casino-apps.dk, 1 +casino-cash-flow.com.ru, 1 +casino-cash-flow.info, 1 +casino-cash-flow.pro, 1 +casino-cash-flow.ru, 1 +casino-cash-flow.su, 1 +casino-cashflow.ru, 1 +casino-hero.de, 0 +casino-online.info, 1 +casino-r.com, 1 +casino-spelletjes.com, 1 +casino-trio.com, 1 +casino-z-top.ru, 1 +casino.guide, 1 +casino.org, 1 +casinobonus360.de, 1 +casinobonuscodes365.com, 1 +casinobuyersguide.com, 1 +casinocashflow.ru, 1 +casinocashflow.su, 1 +casinochecking.com, 0 +casinocity.africa, 1 +casinocity.ag, 1 +casinocity.al, 1 +casinocity.am, 1 +casinocity.ar, 1 +casinocity.asia, 1 +casinocity.ax, 1 +casinocity.ba, 1 +casinocity.bg, 1 +casinocity.bi, 1 +casinocity.bj, 1 +casinocity.bz, 1 +casinocity.ci, 1 +casinocity.cl, 1 +casinocity.cm, 1 +casinocity.co, 1 +casinocity.co.at, 1 +casinocity.co.bw, 1 +casinocity.co.hu, 1 +casinocity.co.il, 1 +casinocity.co.im, 1 +casinocity.co.na, 1 +casinocity.co.nl, 1 +casinocity.co.tz, 1 +casinocity.com.au, 1 +casinocity.com.br, 1 +casinocity.com.by, 1 +casinocity.com.de, 1 +casinocity.com.gr, 1 +casinocity.com.jm, 1 +casinocity.com.ng, 1 +casinocity.com.ni, 1 +casinocity.com.pa, 1 +casinocity.com.pr, 1 +casinocity.com.ru, 1 +casinocity.com.tt, 1 +casinocity.com.ve, 1 +casinocity.cr, 1 +casinocity.cy, 1 +casinocity.cz, 1 +casinocity.dj, 1 +casinocity.do, 1 +casinocity.ee, 1 +casinocity.es, 1 +casinocity.eu, 1 +casinocity.fi, 1 +casinocity.fr, 1 +casinocity.gd, 1 +casinocity.ge, 1 +casinocity.gp, 1 +casinocity.gs, 1 +casinocity.gt, 1 +casinocity.gy, 1 +casinocity.hk, 1 +casinocity.hn, 1 +casinocity.hr, 1 +casinocity.ie, 1 +casinocity.im, 1 +casinocity.in, 1 +casinocity.it, 1 +casinocity.jp, 1 +casinocity.ke, 1 +casinocity.kr, 1 +casinocity.la, 1 +casinocity.lc, 1 +casinocity.li, 1 +casinocity.lk, 1 +casinocity.lt, 1 +casinocity.ltd.uk, 1 +casinocity.lu, 1 +casinocity.lv, 1 +casinocity.ma, 1 +casinocity.md, 1 +casinocity.me, 1 +casinocity.mk, 1 +casinocity.ms, 1 +casinocity.mt, 1 +casinocity.mu, 1 +casinocity.mw, 1 +casinocity.mx, 1 +casinocity.no, 1 +casinocity.nz, 1 +casinocity.ph, 1 +casinocity.pl, 1 +casinocity.pt, 1 +casinocity.re, 1 +casinocity.ro, 1 +casinocity.rs, 1 +casinocity.sb, 1 +casinocity.sc, 1 +casinocity.se, 1 +casinocity.sg, 1 +casinocity.si, 1 +casinocity.sk, 1 +casinocity.sl, 1 +casinocity.sn, 1 +casinocity.st, 1 +casinocity.sx, 1 +casinocity.tg, 1 +casinocity.tv, 1 +casinocity.ug, 1 +casinocity.uy, 1 +casinocity.vc, 1 +casinocity.vn, 1 +casinocity.vu, 1 +casinocity.web.za, 1 +casinocity.ws, 1 +casinocitytimes.com, 1 +casinocosmopol.se, 1 +casinocrit.com, 1 +casinofollower.com, 1 +casinoindex.io, 1 +casinoleader.com, 1 +casinolistings.com, 1 +casinologinaustralia.com, 1 +casinomucho.com, 1 +casinomucho.org, 1 +casinomucho.se, 1 +casinonieuws.nl, 1 +casinoonline39.com, 1 +casinoonlineprova.com, 1 +casinoportugal.pt, 1 +casinopromote.com, 1 +casinoreal.com, 1 +casinorewards.info, 1 +casinorobots.com, 1 +casinosanalyzer.com, 1 +casinosblockchain.io, 1 +casinoscout.ca, 1 +casinoscout.nl, 1 +casinoscryptos.com, 1 +casinoslotsww.com, 1 +casinosnederland.com, 1 +casinospesialisten.net, 1 +casinotokelau.tk, 1 +casinotop10.net, 1 +casinotopplistan.com, 1 +casinotopplisten.com, 1 +casinotopsonline.com, 1 +casinoua.club, 1 +casinovendors.com, 1 +casio-caisses-enregistreuses.fr, 1 +casio.bg, 0 +casitawn.cf, 1 +casjay.cloud, 0 +casjay.com, 0 +casjay.info, 0 +casjenprome.cz, 1 +casko-insurance.tk, 1 +casman.tk, 1 +casnoviatownshipmi.gov, 1 +caso.co.jp, 1 +casovi.cf, 1 +casperfect.com, 1 +casperpanel.com, 1 +caspi.org.il, 1 +caspianrentcar.com, 1 +caspicards.com, 1 +casscoroadmi.gov, 1 +casscountyia.gov, 1 +casscountyil.gov, 1 +casscountymn.gov, 1 +casscountyne.gov, 1 +cassembly.fr, 1 +cassia.gov, 1 +cassies.com.au, 1 +cassilandianoticias.com.br, 1 +cassimo.com, 0 +cassini.ro, 1 +casso.ml, 1 +casso.tk, 1 +cassvilletwpwi.gov, 1 +cassvillevlgwi.gov, 1 +cast-london.co.uk, 1 +castagnino.net, 1 +castagnola.tk, 1 +castagnonavocats.com, 1 +castalie.tk, 1 +castaneatownshippa.gov, 1 +castaneda.tk, 1 +castedart.com, 1 +castelflowers.it, 1 +castella.tk, 1 +castellet.tk, 1 +castelletto.tk, 1 +castelli-media.de, 1 +casteloinformatica.com.br, 1 +castelsardo.tk, 1 +casterleyrock.com, 1 +castglobal-china.biz, 1 +casthull.co.uk, 1 +castiana.xyz, 1 +castible.de, 1 +castiel.cf, 1 +castilla-comunera.tk, 1 +castillo.club, 1 +castillosohail.es, 1 +casting-vote.tk, 1 +castingallaitaliana.com, 1 +castingfrancais.com, 1 +castingnetworks.com, 1 +castings.tk, 1 +castit.biz, 1 +castlabs.com, 0 +castle-emarketing.com, 1 +castle-engine.io, 1 +castlebuilder.com, 1 +castlecapers.com.au, 1 +castlehack.ga, 1 +castlekingdomstockport.co.uk, 1 +castlekingkent.co.uk, 1 +castlemania.tk, 1 +castleoblivion.tk, 1 +castles-in-the-sky.co.uk, 1 +castleswa.com.au, 1 +castlevaniaspain.tk, 1 +castorio.tk, 1 +castrillodelavalduerna.tk, 1 +castrillodelavega.tk, 1 +castrillodevillavega.tk, 1 +castroverde.tk, 1 +castrovirreyna.tk, 1 +casualclubdating.ml, 1 +casualiswebs.com, 1 +casuallab.com, 1 +casuallyblue.xyz, 1 +casualtime.ga, 1 +casusgrillcaribbean.com, 1 +cat-encyclopedia.ml, 1 +cat-problems.ml, 1 +cat.casa, 1 +cat.fo, 1 +cat.ne, 1 +cat.net, 1 +cataclysmal.org, 1 +catalog-bookinist.tk, 1 +catalog-clothing.tk, 1 +catalog-lingerie.tk, 1 +catalog-lingeries.tk, 1 +catalog-serverov.ml, 1 +catalog-serverov.tk, 1 +catalog-underwear.tk, 1 +catalogador.ml, 1 +catalogcomputerhardware.tk, 1 +catalogingpro.com, 1 +catalogobiblioteca.com, 1 +catalogobiblioteca.net, 1 +catalogosvirtualesonline.com, 1 +catalogueau.com, 0 +catalojic.tk, 1 +catalonia.tk, 1 +catalyseurs-territoriaux.org, 1 +catalyst-ecommerce.com, 1 +catalystapp.co, 1 +catandmoonalchemy.com.au, 1 +cataniatoday.it, 1 +catanzarotoday.it, 1 +catapa.com, 1 +catapultgroup.ca, 1 +catarrhalfuns.tk, 1 +catartofsweden.se, 1 +catastrofy.tk, 1 +catatau.tk, 1 +catawiki.com, 1 +catawiki.de, 1 +catawiki.net, 1 +catawiki.nl, 1 +catb.on.ca, 1 +catbat.rocks, 1 +catbeautifulanimal.tk, 1 +catbold.space, 1 +catbop.com, 1 +catbox.moe, 1 +catbull.com, 1 +catcafe.gg, 1 +catcat.cc, 1 +catcatnya.com, 1 +catchall.tw, 1 +catchers.cc, 1 +catchhimandkeephim.com, 1 +catchief.com, 1 +catchteamca.gov, 1 +catchup-enschede.tk, 1 +catcontent.cloud, 1 +catcoxx.com, 1 +catech.au, 1 +catechese-ressources.com, 1 +catedraderechonotarial.es, 1 +catedraloscura.tk, 1 +catedralsantodomingo.org, 1 +catego.info, 1 +catenacondos.com, 1 +caterbing.com, 1 +catering-fantasia.tk, 1 +catering-xanadu.cz, 1 +catfish.gq, 1 +catfishworld.tk, 1 +catflap.org, 1 +catfood.cf, 1 +catfood.ga, 1 +catfoto.cf, 1 +catfun-foto.de, 1 +catgarden.tk, 1 +catgirl.center, 0 +catgirl.cloud, 1 +catharinalingeries.com.br, 1 +catharinaparkieten.tk, 1 +catharinaziekenhuis.nl, 1 +cathcartandwinn.com, 1 +cathcartconsulting.com.au, 1 +cathedralappointments.co.uk, 1 +cathedralofsatan.tk, 1 +cathelp.cf, 1 +cathelp.cn, 1 +cathelp.xyz, 1 +catherinejf.com, 1 +catherinesarasin.com, 1 +catherinesofpartick.co.uk, 0 +catholic8964.org, 1 +catholicjobs.com, 1 +catholicprayers.tk, 1 +catholicteuchtar.cf, 1 +catholicteuchtar.ga, 1 +catholicteuchtar.ml, 1 +cathosa.nl, 1 +cathosting.org, 1 +cathouse.me, 1 +cathrine.tk, 1 +cathy.best, 1 +cathy.guru, 1 +cathy.legal, 1 +cathy.lgbt, 1 +cathy.link, 1 +cathy.website, 1 +cathyfitzpatrick.com, 1 +cathyjf.ca, 1 +cathyjf.com, 1 +cathyjf.net, 1 +cathyjf.org, 1 +cathyjfitzpatrick.com, 1 +cathylean.tk, 1 +cathymcquaid.co.uk, 1 +catio.network, 1 +cativa.net, 1 +catl.st, 1 +catland.club, 1 +catlettsburgky.gov, 1 +catlicking.com, 1 +catlive.com, 1 +catlovingcare.com, 1 +catlowe.com, 1 +catmash.tk, 0 +catmatchers.org, 1 +catme.org, 1 +catmonad.xyz, 1 +catmoose.ca, 1 +catmoz.fr, 1 +catnetworks.co.jp, 1 +catnmeow.com, 1 +catnsofa.com, 1 +catphysics.com, 1 +catpic.xyz, 1 +catplay.tk, 1 +catprincess.com.tw, 1 +catprint.com, 1 +catram.org, 1 +catransportation.net, 1 +catrinasporelmundo.com, 1 +catrins-kunst.de, 1 +cats-dom.ru, 1 +catsarch.com, 1 +catscreativecakes.ga, 1 +catskillselfstorage.com, 1 +catsmagic.pp.ua, 1 +catsnow.com, 1 +catsofcapetown.com, 1 +catsoft.me, 1 +catstv.tk, 1 +cattellar.tk, 1 +cattery-mundilfari.tk, 1 +cattery.work, 1 +catterydelmoria.tk, 1 +catterydumagasin.tk, 1 +cattiau.com, 1 +cattleplay.gq, 1 +catto.win, 1 +cattsgym.co.uk, 1 +catu-bikes.se, 1 +catus.moe, 1 +catvibers.me, 1 +catvsmice.com, 1 +catwilliford.com, 1 +catylist.com, 1 +catz-productions.tk, 1 +caucasusandmercury.com, 1 +caucus.fr, 1 +caueteam.tk, 1 +caughtredhanded.co.nz, 1 +caulacbonuochoa.tk, 1 +caulfieldeastapartments.com.au, 1 +caulkingexperts.com, 1 +caulong-ao.net, 1 +caumont-normandie.fr, 0 +cauquenes.tk, 1 +cavac.at, 1 +cavalassur.com, 1 +cavaleirocity.com.br, 1 +cavaliernd.gov, 1 +cavallochiropractic.com, 1 +cavalryscout.com, 1 +cave-reynard.ch, 1 +cave-vet-specialists.co.uk, 1 +cavecreekaz.gov, 1 +cavediverharry.com, 1 +cavemax.com, 1 +caviarmultimedia.com, 1 +cavinesswealth.com, 1 +cavisson.com, 1 +cavistenancy.fr, 1 +cavzodiaco.com.br, 1 +caw.be, 1 +cawagiras.ga, 1 +caxaa.mx, 1 +caycehouse.com, 1 +caymart.com, 1 +cazadordebuenaonda.com, 1 +cazaviajes.es, 1 +cazes.info, 1 +cazfire.gov, 1 +cazinoz.ru, 1 +cazizi.com, 1 +cazoo-dev.co.uk, 1 +cazoo-dev.com, 1 +cazoo-test.co.uk, 1 +cazoo-test.com, 1 +cazoo.co.uk, 1 +cazoo.com, 1 +cb1388.com, 1 +cb1588.com, 1 +cb96net.ru, 1 +cba.gov.pl, 1 +cbaamaga.com, 1 +cbbio.fr, 1 +cbc-hire.co.uk, 1 +cbca.gov, 1 +cbcembalagens.com.br, 1 +cbcentelles.tk, 1 +cbcf.info, 1 +cbcnet.co.za, 1 +cbcnet.info, 1 +cbd-natural.de, 1 +cbd-world-online.com, 1 +cbd.supply, 1 +cbd181.com, 1 +cbd2050.com, 1 +cbdbflo.com, 1 +cbdcontact.eu, 1 +cbdcontact.pl, 1 +cbdd.eu.org, 1 +cbddo.gov.tr, 1 +cbdecoshop.lt, 1 +cbdev.de, 1 +cbdication.com, 1 +cbdlession.com, 1 +cbdoilcures.co, 1 +cbdtelegram.com, 1 +cbeal-fumeirodetrancoso.pt, 1 +cbeal.pt, 1 +cbecrft.net, 1 +cbet.lt, 1 +cbflleida.cat, 1 +cbh.org, 1 +cbhcfl.gov, 1 +cbhq.net, 1 +cbi-epa.gov, 1 +cbin168.com, 1 +cbintermountainrealty.com, 1 +cbk.kg, 1 +cbl.express, 1 +cbl.sk, 1 +cblocallocksmiths.co.uk, 1 +cbmc.store, 1 +cbmusa.com, 1 +cbnegocial.com.br, 1 +cboard.ml, 1 +cboard.net, 1 +cboost.nl, 1 +cboss.xyz, 1 +cbpay.com, 1 +cbplus.tn, 1 +cbpridecenter.org, 1 +cbr-rcb.ca, 1 +cbr-xml-daily.ru, 1 +cbrbuildingrepairs.com.au, 1 +cbrtrainer.com, 1 +cbs-engineering.com, 1 +cbs-engineering.it, 1 +cbs.nl, 1 +cbs3design.it, 1 +cbsr.ru, 1 +cbt.quest, 1 +cbt.tj, 1 +cbtest.de, 1 +cbw.sh, 1 +cbxp.in, 1 +cby.im, 0 +cc-customer.de, 1 +cc.ag, 1 +cc.hn, 1 +cc00228.com, 0 +cc5197.co, 1 +cc6729.co, 1 +cc6729.com, 0 +cc6957.co, 1 +cc8822.cc, 1 +cc8833.cc, 1 +cc9297.co, 1 +cc9728.co, 1 +cc98.eu.org, 1 +cca.com.br, 1 +cca.ky, 1 +ccaa.gg, 1 +ccaag.link, 1 +ccaag.me, 1 +ccaag.mx, 1 +ccaag.net, 1 +ccaag.us, 0 +ccac.gov, 1 +ccaguavivadonaciones.org, 1 +ccaj.io, 1 +ccak.training, 1 +ccarps.com, 1 +ccatpracticetest.com, 1 +ccatpracticetests.com, 1 +ccattestprep.com, 1 +ccautomobil.de, 1 +ccayearbook.com, 1 +ccb.gov, 1 +ccbin.tk, 1 +ccc-ch.ch, 1 +ccc-checker.cn, 1 +ccc-cloud.de, 1 +ccc-ffm.de, 1 +ccc.eu, 1 +ccc.gov, 1 +ccc.org, 1 +ccc.xxx, 1 +cccc.loan, 1 +cccleaner.tk, 1 +cccp-o.tk, 1 +cccpublishing.com, 1 +cccwien.at, 1 +ccdcoe.org, 0 +ccddos.club, 1 +ccdgaia.pt, 0 +ccdiscussion.com, 1 +ccdlab.ooo, 1 +ccdnederland.org, 1 +ccdohnj.gov, 1 +cceifame.com, 1 +ccelectricaldrafting.ca, 1 +cceputnam360.com, 1 +ccestaque.tk, 1 +ccgx.de, 1 +cchat.de, 1 +cchim.ca, 1 +cciiblog.tk, 1 +cciofficial.com, 1 +cck-law.com, 1 +ccl776o.tk, 0 +cclasabana.com.co, 1 +ccli.com, 1 +ccmg.com, 1 +ccnadesdecero.com, 1 +ccnbikes.com, 1 +ccnda.net, 1 +ccnda.org, 0 +ccnexus.global, 1 +ccnm.cc, 1 +ccoo.cat, 1 +ccorca.org, 1 +ccover.ru, 1 +ccpaas.net, 1 +ccparishwilmington.org, 1 +ccpdata.org, 1 +ccpe.net, 1 +ccpgmpo.gov, 1 +ccpinturas.com, 1 +ccpinvestments.com, 1 +ccplot.org, 1 +ccprwebsite.org, 1 +ccrun.tk, 1 +ccsaposs.com, 1 +ccshire.ga, 1 +ccsk.training, 1 +ccskills.org.uk, 1 +ccslt.org.nz, 1 +ccsrv.eu, 1 +ccsys.com, 1 +cctld.com, 1 +ccts-cprst.ca, 1 +cctv-camera.cf, 1 +cctv-supraveghere.ro, 1 +cctv-systems.tk, 1 +cctvlaw.ga, 1 +cctvsecurityjohannesburg.co.za, 1 +cctvview.info, 0 +ccu.plus, 1 +ccuanj.gov, 1 +ccv-deutschland.de, 0 +ccv.eu, 0 +ccv.nl, 0 +ccvr6smarthome.de, 1 +ccwallet.io, 1 +ccwebdevelopment.com, 1 +ccxperience.com, 1 +cd-shopware.de, 1 +cd-sport.com, 1 +cd.net.tr, 1 +cd.search.yahoo.com, 0 +cd89.com, 1 +cda-aigle.ch, 0 +cdaid.gov, 1 +cdaldeano.tk, 1 +cdasiaonline.com, 0 +cdasphalt.com, 1 +cdavis.xyz, 1 +cdawoerden.org, 1 +cdbp.pro, 1 +cdbtech.com, 1 +cdc-security.com, 1 +cdc.cx, 1 +cdc.gov, 1 +cdcflix.xyz, 1 +cdconnect.net, 1 +cdcpartners.gov, 1 +cdd.go.th, 0 +cdda.ch, 0 +cdeeply.com, 1 +cdf.fyi, 1 +cdf.wiki, 1 +cdfnature2019.fr, 1 +cdg30.fr, 1 +cdga.org, 1 +cdhb.health.nz, 1 +cdhome.ga, 1 +cdhqt.com, 1 +cdigitale.com, 1 +cdirectory.tk, 1 +cdkeyprices.com, 1 +cdkpatterns.com, 1 +cdkrot.me, 1 +cdlandb1.com, 1 +cdlaserena.tk, 1 +cdlinares.tk, 1 +cdm.guru, 1 +cdmdisinfestazioni.it, 1 +cdmhp.org.nz, 1 +cdmon.tech, 1 +cdn-reichelt.de, 1 +cdn.ampproject.org, 1 +cdn.ink, 1 +cdn.lk, 1 +cdn1.com.br, 1 +cdnaval.tk, 1 +cdncompanies.com, 1 +cdndepo.com, 1 +cdnjs.com, 1 +cdnpkg.com, 1 +cdnrecords.com, 1 +cdnsys.net, 1 +cdny.de, 1 +cdnya.com, 1 +cdo.gov, 1 +cdocs.ml, 1 +cdom.de, 1 +cdp-poznan.pl, 1 +cdpn.io, 1 +cdrom.ch, 1 +cds-infra.de, 1 +cds-inquirer.tk, 1 +cdscsuc.gq, 1 +cdseditora.com.br, 1 +cdsf.tk, 1 +cdsfinancial.ca, 1 +cdshining.com, 0 +cdsportal.uk, 1 +cdt.cz, 1 +cdt.org, 0 +cdusapps.eu.org, 1 +cduspages.eu.org, 1 +cdvl.org, 1 +ce-agentur.de, 0 +ce-design.eu, 1 +ce-na.ru, 1 +ce-tuifrance.com, 1 +ce-webdesign.de, 1 +cea.ru, 1 +ceafinney.com, 1 +ceannard.net, 1 +cearaagora.com.br, 1 +cearaleste.com.br, 1 +cearl.cc, 1 +ceatheneum.com, 1 +ceaunulbunicii.ro, 1 +ceba-cuec.ca, 1 +cebolinha-imaginaria.com, 1 +cebrita.tk, 1 +cec.org.es, 1 +cec.org.pt, 1 +cecalivo.tk, 1 +cecame.ch, 1 +cecamericas.com, 1 +cecilandlou.com, 1 +ceciledekock.tk, 1 +cecilga.gov, 1 +cecilia-online.nl, 1 +ceciliacolombara.com, 1 +cecilsheriffmd.gov, 1 +cecilstatesattorneymd.gov, 1 +cecilwalker.com.au, 1 +cecipu.gob.cl, 1 +ceco.cf, 1 +ced-services.nl, 1 +ceda-fi.tk, 1 +cedarcitydining.com, 1 +cedarcityut.gov, 1 +cedarcountyne.gov, 1 +cedarcoveassistedliving.com, 1 +cedarmanagementgroup.com, 1 +cedarrockalliance.com, 1 +cedric-garcia.tk, 1 +cedricbonhomme.org, 1 +cedriccassimo.ch, 0 +cedriccassimo.com, 0 +cedricpim.com, 1 +cedsp.fr, 1 +cee3.net, 1 +ceebee.com, 1 +ceecosmetic.com.br, 1 +ceefaastresources.com, 1 +ceenic.ltd, 1 +ceet.biz, 1 +ceetzie.net, 1 +ceew.in, 1 +cefaction.pt, 1 +cefi.work, 1 +cefonline.com, 1 +cegfw.com, 1 +ceiba.com.co, 1 +ceicer.eu, 1 +ceidf-vie-cooperative.fr, 1 +ceiexam.sg, 1 +ceifx.com, 1 +ceilimoss.tk, 1 +ceilingpac.org, 1 +ceinorme.it, 1 +ceiphr.com, 1 +cejgsd.org, 1 +cejhon.cz, 0 +cejky.cz, 1 +cekabajio.com, 1 +cekgacor.com, 1 +cekgacor.net, 1 +celadas.tk, 1 +celarsports.fr, 1 +celayix.com, 1 +celcelulares.com, 1 +celcomhomefibre.com.my, 1 +cele.bi, 1 +celebavirus.com, 1 +celebcritics.com, 1 +celebdaily.ga, 1 +celebi-forest.tk, 1 +celebjacket.com, 1 +celebjury.com, 1 +celebmasta.com, 1 +celebrasianconference.com, 1 +celebrate-creativity.com, 1 +celebratesportsnetwork.com, 1 +celebratingloveministry.com, 1 +celebratoday.com, 0 +celebraze.tk, 1 +celebrex.ga, 1 +celebrex100mg.cf, 1 +celebritiesblog.tk, 1 +celebritydailynews.ml, 1 +celebrityfakes.tk, 1 +celebrityguard.co, 1 +celebritynakeds.com, 1 +celebritypic.tk, 1 +celebritypics.club, 1 +celebrityscope.net, 1 +celebritysrit.tk, 1 +celebritytoob.com, 1 +celebritytopnews.tk, 1 +celebrityviralbug.com, 1 +celebxx.com, 1 +celectro-pro.com, 1 +celendo.ga, 1 +celeraindustries.tk, 1 +celesco.eu, 1 +celeste-energie.fr, 1 +celestia.tk, 1 +celestialdental.com, 1 +celestialenergies.com.au, 1 +celestialmusic.tk, 1 +celex-machinery.tk, 1 +celexa365.tk, 1 +celiac.com, 1 +celinaohiopd.gov, 1 +celine-patisserie.fr, 1 +celineitalia.tk, 1 +celinepsychotherapie.com, 1 +celinesrecipes.com, 1 +cell-wellbeing.com.br, 1 +cellboost.cf, 1 +cellebrite.com, 1 +cellecci.com, 1 +cellgames.com, 1 +celliberate.co.uk, 1 +cellmart.ru, 1 +cellnatsci.com, 1 +cellopasorobles.com, 1 +cellrg.org, 1 +cellsheet.me, 1 +cellsites.nz, 1 +celltek-server.de, 1 +celltick.com, 1 +celltraders.ga, 1 +cellufit.ga, 1 +cellul19.com, 1 +cellulare.tk, 1 +cellulit.tk, 1 +celluliteorangeskin.com, 1 +celluliteremovaldiet.com, 1 +cellulitetreatment.tk, 1 +cellypso.com, 1 +celseven.com, 1 +celsoazevedo.com, 1 +celtacad.tk, 1 +celti.ie.eu.org, 1 +celti.name, 1 +celticangel.org, 1 +celticconnections.com, 1 +celticdream.tk, 1 +celtigafutbolclub.com, 1 +celulares.com, 1 +celuliteonline.com, 1 +cemac.int, 1 +cemada.cz, 1 +cemarks.com, 1 +cemcerkez.com, 1 +cementplas.es, 0 +cementscience.com, 1 +cemetary.tk, 1 +ceml.ch, 1 +cemporcentocliente.com.br, 1 +cemregulveren.com, 1 +cenatorium.pl, 1 +cendata.co.uk, 1 +cendi.gov, 1 +cendis.cz, 1 +cennelley.com, 1 +cennelly.com, 1 +cennetfm.tk, 1 +cennetforum.tk, 1 +censamatil.net, 1 +censeo-financial.com, 1 +censored.ml, 1 +censurfridns.dk, 1 +censurfridns.nu, 1 +centariuss.ga, 1 +centella.tw, 1 +centenariodeuncampeon.tk, 1 +centenera.tk, 1 +centennialrewards.com, 1 +center-elite.ml, 1 +center-mts.ru, 1 +center-strategy.ru, 1 +centeragro.com.br, 1 +centerforamericangreatness.com, 1 +centerforcreativeconsciousness.com, 1 +centergate.se, 0 +centerhancockin.gov, 1 +centerharbornh.gov, 1 +centermk.ru, 1 +centeronhunger.org, 1 +centerpoint.ovh, 1 +centerpointwest.com, 1 +centerpointwestapartments.com, 1 +centervilleutah.gov, 1 +centio.bg, 1 +centipedegraphics.com, 1 +centolos.tk, 1 +centos.pub, 1 +centr.dn.ua, 1 +central-apartman.tk, 1 +central4.me, 1 +centralbank.ae, 1 +centralbank.ie, 0 +centralbetsers.ga, 1 +centralbetsest.ga, 1 +centralcityjuniorkindergarten.com, 1 +centralclinic.science, 1 +centralcoasthomeloans.com.au, 1 +centralconvergence.com, 1 +centralcountiesservices.org, 0 +centraldegovernanca.com.br, 1 +centraldeseguro.com.br, 1 +centraldoencanador.com.br, 1 +centrale-vapeur.pro, 1 +centralebigmat.eu, 1 +centralegedimat.eu, 1 +centralesnucleaires.fr, 1 +centralex.io, 1 +centralfor.me, 1 +centralhome.com, 1 +centralhq.tk, 1 +centralisgroup.com, 1 +centralitasbaratas.es, 1 +centralkladno.cz, 1 +centrallaketownshipmi.gov, 1 +centrallead.net, 1 +centrallondonaesthetics.co.uk, 0 +centralmarket.com, 1 +centralmissourifoundationrepair.com, 1 +centralnic.com, 1 +centralnicregistry.com, 1 +centralpaellera.com, 1 +centralpinesnc.gov, 1 +centralsite.tk, 1 +centralsoft.tk, 1 +centralspyers.ga, 1 +centralstatecu.org, 1 +centralstor.ga, 1 +centraltime.com, 1 +centraltoken.io, 1 +centralvalleyharness.org, 1 +centralvoice.org, 1 +centrationgame.com, 1 +centre-commercial.fr, 1 +centre-equestre.net, 1 +centre-maiakovski.fr, 1 +centreagree.com, 1 +centreal.gov, 1 +centrecountyvotes.gov, 1 +centreimageriedunord.com, 1 +centremanagement.eu, 1 +centrenationaldulivre.fr, 1 +centrepointorguk-dev.azurewebsites.net, 1 +centrepresseaveyron.fr, 1 +centretownshipin.gov, 1 +centricagency.co.uk, 1 +centricient.com, 1 +centrmebeli.by, 0 +centroavant.com, 1 +centroculturalostuncalco.tk, 1 +centrodavida.com.br, 1 +centrodeeportesbarco.tk, 1 +centrodefisioterapia.com.br, 1 +centrodemediacionconcepcion.cl, 1 +centrodememoriahistorica.gov.co, 1 +centrodemioma.com.br, 1 +centroecuestrecastellar.com, 1 +centrofotostudija.lt, 1 +centrokiri.cl, 1 +centrolavoro.org, 1 +centromedico.tk, 1 +centromotion.com, 1 +centropagina.it, 1 +centros.ml, 1 +centros.tk, 1 +centrosocialferrel.pt, 1 +centrselstroy.ru, 1 +centrum-bz.it, 1 +centrum-edukacji.tk, 1 +centrum.church, 1 +centrumgarten.de, 1 +centrumhodinek.cz, 1 +centrumkulturyslowianskiej.pl, 1 +centrumpieknairelaksu.pl, 1 +centrumpodpora.pl, 1 +centruvechisv.ro, 1 +centsay.info, 1 +centsay.io, 0 +centsay.net, 1 +centsay.org, 1 +centsi.io, 1 +centsiwallet.com, 1 +centura.de, 1 +centuria.co.nz, 1 +centuria.com.au, 1 +centurialeonina.com, 1 +centurion-consulting-cie.eu, 1 +centurion-consulting.eu, 1 +centurion-consulting.net, 1 +centurion-consulting.tech, 1 +centurion-it.site, 1 +centurion-meet.site, 1 +centurion.ovh, 1 +centurioninfosec.com, 0 +centurionlaboratories.com.ua, 1 +centurionunderground.com, 1 +century-properties.com, 1 +century21.es, 1 +century21.pt, 1 +centuryfighters.tk, 1 +centuryforum.tk, 1 +centurykiaparts.com, 1 +centurylink.cf, 1 +centurystudios.com, 1 +ceo-consulting.eu, 1 +ceomonthlyest.ga, 1 +ceopedia.org, 1 +cephalexin.ga, 1 +cephalexincapsules.ml, 1 +cephalexincapsules.tk, 1 +cephalexine.gq, 1 +cepheid.com, 0 +cephx.com, 1 +cepmarket.com.tr, 0 +ceprenomnexistepas.ovh, 1 +cepsychologie.com, 1 +cepxuo.tk, 1 +ceramahit.ru, 1 +ceramic-glazes.com, 1 +ceramica.roma.it, 1 +ceramiche.roma.it, 1 +ceramicoatingspecialists.com, 1 +cerammind.com, 1 +ceranity.au, 1 +cerastar.com, 1 +cerber.re, 1 +cerberusecurity.com, 1 +cerberusftp.com, 1 +cerbos.cloud, 1 +cerbottana.duckdns.org, 1 +cercanos.co, 1 +cerchio.com, 1 +cercidiana.pt, 0 +cercle-duclos.fr, 1 +cercle-helvetia.ch, 0 +cercrid.fr, 1 +cerda-avocats.com, 1 +cerebelo.info, 1 +cerebrosano.gov, 1 +cerecup.com, 0 +ceredowv.gov, 1 +ceremonial-magic.com, 1 +ceremonialcastings.tk, 1 +ceremonialvirtualphd.com, 1 +ceremonybydesign.com.au, 1 +cerena-silver.ru, 0 +ceres-corp.org, 1 +cerezacomunicacion.com, 1 +cerfid.com.pe, 1 +cerivo.co.uk, 1 +cermak.photos, 1 +cernac.cz, 1 +cernakova.eu, 1 +cernalistina.eu, 1 +cernko.de, 1 +cerok.cl, 1 +ceroresiduo.com, 0 +cerovica.tk, 1 +cerpus-course.com, 1 +cerquitamio.com, 1 +cerrajeriaamericadelquindio.com, 1 +cerrajeriaenvillavicencio.com, 1 +cerritosca.gov, 1 +cerstve-korenie.sk, 1 +cerstvekorenie.sk, 1 +cert.ee, 0 +cert.govt.nz, 1 +cert.je, 1 +cert.or.id, 1 +cert.se, 1 +certain.com, 0 +certainbiz-news.tk, 1 +certaintelligence.com, 1 +certaireland.ie, 1 +certasenergy.co.uk, 1 +certbus.com, 1 +certcenter.com, 0 +certevia.com, 1 +certfa.com, 1 +certfica4u.com, 1 +certidao-nascimento-pt.org, 1 +certidaonc.com.br, 1 +certificadodigitalpari.com.br, 1 +certificados.edu.do, 1 +certificatedetails.com, 1 +certificateoflogistics.ga, 1 +certificateofpurchasing.ga, 1 +certificatespending.com, 1 +certificatetools.com, 0 +certificationacademy.com, 1 +certificationmap.com, 1 +certificato-prevenzione-incendi.it, 1 +certificazione.it, 1 +certificazioni-energetiche.it, 0 +certified-parts.com, 1 +certifiedbb.com, 1 +certifiedfieldassociate.com, 1 +certifiedmerchandiseest.ga, 1 +certifiednurses.org, 1 +certifix.eu, 1 +certifycrm.com, 1 +certifylogin.com, 1 +certiquali.fr, 1 +certivac.ch, 1 +certly.co, 1 +certnazionale.it, 1 +certo-escrow.com, 1 +certprep.fr, 0 +certpro.uk, 1 +certready.tk, 1 +certreg.eu, 1 +certsign.fr, 1 +certspotter.com, 1 +certspotter.org, 1 +certum.cn, 1 +certum.shop, 1 +certusquartz.com, 1 +certyhukil.ga, 1 +cervejista.com, 1 +cervek.me, 1 +cervellomorto.tk, 1 +cerveny.ch, 1 +cervenyjezek.eu, 1 +cervera.com.br, 1 +ces-ltd.co.uk, 0 +cesar-hector.tk, 1 +cesarecirugiaplastica.com, 1 +cesarfotos.com.br, 1 +cesarparedespacora.com, 1 +cesarpinto.com, 1 +cesarteixeiraimoveis.com.br, 1 +cesboard.com, 1 +cesc.shop, 1 +cescfortuny.tk, 1 +cesclam.org, 1 +cesdb.com, 1 +cesenatoday.it, 1 +cesibo.com, 1 +cesipagano.com, 1 +cesium.ml, 1 +cesjo.pl, 1 +ceska-polygraficka.cz, 1 +ceska-polygraficka.eu, 1 +ceskaexpedice.org, 1 +ceskasit.cz, 1 +ceskepivnesety.sk, 1 +ceskepivnisety.cz, 1 +cesobaly.cz, 1 +cesonia.io, 1 +cespedes.fr, 1 +cesservices.net, 1 +cestasdepresente.com.br, 1 +cestasedelicias.com.br, 1 +cestaswmonline.com.br, 1 +cestlaviegeorgia.com, 1 +cestpasviolent.com, 1 +cestujnamiru.cz, 1 +cestujtenamiru.cz, 1 +cestunamiru.cz, 1 +cesurteknikservis.com, 1 +cesusc.edu.br, 1 +cetak.com.my, 1 +cetamol.com, 1 +cetelon.tk, 1 +ceti.ga, 1 +cetong.se, 1 +cetorebe.tk, 1 +ceu.edu, 0 +ceu.edu.ph, 1 +ceuniverse.com, 1 +ceva-dsp.com, 1 +cevaplari.net, 1 +ceverett.io, 0 +cevin.at, 1 +cevo.com.hr, 1 +cevpu.com, 1 +cevrimicidiyet.com, 1 +cevt.ar, 1 +cewek.ml, 1 +cewood.xyz, 1 +cexplorer.io, 1 +ceyizlikelisleri.com, 1 +ceylondigital.co.uk, 1 +ceylontea.org, 1 +cezdent.com, 1 +cf-connect.nl, 1 +cf-ide.de, 1 +cf-tm.net, 1 +cf.nl.eu.org, 1 +cf11.de, 0 +cfa.gov, 1 +cfaimpact.com, 1 +cfan.space, 1 +cfar.org, 1 +cfasync.ga, 1 +cfbenchmarks.com, 1 +cfc-swc.gc.ca, 1 +cfcbigideas.com, 1 +cfchiropractic.com, 1 +cfcpestcontrol.com, 1 +cfcproperties.com, 1 +cfda.gov, 1 +cfdata.lol, 1 +cfdcre5.org, 1 +cfdtrading.com, 1 +cfenns.ath.cx, 1 +cfent.xyz, 1 +cfgllc.us, 1 +cfh.com, 1 +cfigura.com, 1 +cflblaw.com, 1 +cfnibelize.com, 1 +cfnmpics.com, 1 +cfno.org, 0 +cfo.gov, 1 +cfotech.asia, 1 +cfotech.co.nz, 1 +cfotech.com.au, 1 +cfpa-formation.fr, 1 +cfpa.gov, 1 +cfpb.gov, 1 +cfr-culturism.tk, 1 +cfrench.cc, 1 +cfse.biz, 1 +cfsh.tk, 1 +cfsrportal.org, 1 +cfst.eu.org, 1 +cftc.gov, 1 +cftcarouge.com, 0 +cfurl.cf, 1 +cfxdesign.com, 1 +cg-consult.fr, 1 +cg-design.tk, 1 +cg-n.fr, 1 +cg.al, 1 +cg.search.yahoo.com, 0 +cgal.org, 1 +cgan.de, 1 +cgan.pw, 1 +cgarchives.com, 1 +cgbassurances.ch, 0 +cgbf.org, 1 +cgbh3.gq, 1 +cgbproduction.tk, 1 +cgbunch.com, 1 +cgconsulting.digital, 1 +cgdct.moe, 1 +cgdquizzes.com, 1 +cgelves.com, 1 +cges.xyz, 1 +cgestiona.com, 1 +cgha.us, 1 +cgilfirenze.it, 1 +cgionline.tk, 1 +cgiq.ca, 1 +cgise.com, 1 +cgknieuwpoort.nl, 1 +cglib.xyz, 1 +cgmbacklot.com, 1 +cgminc.net, 1 +cgmllc.net, 1 +cgmote.com, 1 +cgo-it.de, 1 +cgp.moe, 1 +cgpa-de.org, 1 +cgpcollective.com, 1 +cgplumbing.com, 1 +cgpn.fr, 1 +cgps.ch, 1 +cgsmart.com, 1 +cgsmotors.com, 1 +cgstprayagraj.gov.in, 1 +cgt-univ-nantes.fr, 1 +cgtcaixabank.es, 1 +cgtips.org, 1 +cgtsoft.com, 1 +cgtv.ml, 1 +cgtx.us, 1 +cgu-ingenieria.tk, 1 +cgunited.com, 1 +ch-ariege-couserans.fr, 1 +ch-axlesthermes.fr, 1 +ch-investor.tk, 1 +ch-laborit.fr, 1 +ch-poitiers.fr, 1 +ch-stjunien.fr, 1 +ch.bzh, 1 +ch.search.yahoo.com, 0 +ch225.com, 1 +ch341.com, 1 +ch47f.com, 1 +ch4bb.org, 1 +cha-ta.com, 1 +chaacantik.tk, 1 +chaacker.tk, 1 +chaanddavid.ca, 1 +chabliscadillac.com, 1 +chaboisseau.net, 1 +chacoonline.com.py, 1 +chacraexperimental.com.py, 1 +chad-online.tk, 1 +chad.ch, 1 +chadis.com, 1 +chadlenz.ca, 1 +chadpugsley.com, 1 +chadslive.com, 1 +chadstoneapartments.com.au, 1 +chadtaljaardt.com, 1 +chagahq.com, 0 +chaghi.tk, 1 +chaghionline.tk, 1 +chagrindads.com, 1 +chahal.blog, 1 +chaidu.com, 1 +chaifeng.com, 1 +chaikaclub.tk, 1 +chaikinanalytics.com, 1 +chain-reaction.org.au, 1 +chainataun.ru, 1 +chainedunion.info, 1 +chainels.com, 0 +chainex.io, 1 +chainge-re.com, 1 +chaingpt.org, 1 +chainlinkfencestlouis.com, 1 +chainmail.cc, 1 +chainwhy.com, 0 +chainz.tk, 1 +chaip.org, 1 +chairtech-yellowpages.ga, 1 +chaisystems.net, 1 +chaitanyapandit.com, 1 +chaizhikang.com, 1 +chakanaherb.be, 1 +chalanbiltv.net, 1 +chaldal.com, 1 +chalet-gerard.com, 1 +chalet-maubuisson.tk, 1 +chaletapartmentrentals.com, 1 +chaletdemontagne.org, 1 +chaletmanager.com, 1 +chaletpierrot.ch, 0 +chaletsusi.it, 1 +chaletverzekeringen.nl, 1 +challenge-magazine.org, 1 +challenge.gov, 1 +challengerinvestors.tk, 1 +challenges.gov, 1 +challengeskins.com, 1 +chalons-agglo.fr, 1 +chalonsenchampagne.fr, 1 +chalov.ml, 1 +chamartin.tk, 1 +chamath.co.uk, 1 +chamath.eu, 1 +chamath.ie, 1 +chamath.link, 1 +chamath.lk, 1 +chamath.no, 1 +chamath.uk, 1 +chamathinfotech.com, 1 +chamathj.com, 1 +chambas.com.mx, 1 +chamber.sa, 1 +chamberlinfoundation.org, 1 +chamberscountytx.gov, 1 +chameleon-ents.co.uk, 1 +chameleon.io, 1 +chameth.com, 1 +chamicro.com, 1 +chaminadeonline.org, 1 +chamonixcamera.cn, 1 +champagne-guilleminot.fr, 1 +champagneandcoconuts.com, 1 +champagneandcoffeestains.com, 0 +champaigncountyclerkil.gov, 1 +champaigncountyil.gov, 1 +champdogs.co.uk, 1 +champdogs.com, 1 +championbet.ug, 1 +championcastles.ie, 1 +championnat-romand-cuisiniers-amateurs.ch, 1 +champions.co, 1 +championsofpowerfulliving.com, 0 +championsofregnum.com, 1 +championweb.co.nz, 0 +championweb.com, 0 +championweb.com.au, 0 +championweb.com.sg, 0 +championweb.nz, 0 +championweb.sg, 0 +champsglobal.org, 1 +champslearning.co.uk, 1 +champw.com, 1 +chamsocdidong.com, 1 +chamsocial.com, 1 +chamudi.lk, 1 +chamudi.net, 1 +chamurliyski.com, 1 +chanakyanewz.com, 1 +chanchi.idv.hk, 1 +chanddriving.co.uk, 1 +chanderson.com.au, 1 +chandlerazpd.gov, 1 +chandlersales.ca, 1 +chandr1000.ga, 1 +chandracenter.com, 1 +chandradeepdey.com, 1 +chandramani.tk, 1 +change10000lives.com.ph, 1 +changeactivation.com, 1 +changeanalytics.us, 1 +changecopyright.ru, 1 +changeforfuture.cf, 1 +changemywifipassword.com, 1 +changenow.io, 1 +changeplan.co, 1 +changesfor.life, 1 +changethislater.com, 1 +changetowellness.com, 1 +changeupinc.com, 1 +changing-cities.org, 1 +chanhassenmn.gov, 1 +chankin.tk, 1 +channalinflatables.com, 1 +channel, 1 +channel-7.net, 1 +channelingranny.com, 1 +channelist.tk, 1 +channellife.asia, 1 +channellife.co.nz, 1 +channellife.com.au, 1 +channelpro.es, 1 +channingmotorsport.tk, 1 +chantage.tk, 1 +chantellbeauty.co.uk, 1 +chantuong.org, 1 +chanz.com, 1 +chaos-darmstadt.de, 1 +chaos-wg.net, 1 +chaos.run, 1 +chaos.stream, 1 +chaoschemnitz.de, 1 +chaoscommunication.camp, 1 +chaoscycle.tk, 1 +chaosdorf.de, 1 +chaosfield.at, 1 +chaosme.su, 1 +chaospott.de, 1 +chaosprocess.com, 1 +chaoticevil.tk, 1 +chaoticgamers.net, 1 +chaotichive.com, 1 +chaoticlab.io, 1 +chaoticonline.tk, 1 +chaouby.com, 0 +chaowan.cf, 1 +chaoxi.io, 1 +chaoxi.link, 1 +chaoyansuo.com, 1 +chaparral.com.au, 1 +chapek9.com, 1 +chapel.tk, 1 +chapelaria.tf, 1 +chapelfordbouncers.co.uk, 1 +chapelhillobgyn.com, 1 +chapelhousevet.co.uk, 1 +chapelle.co.uk, 1 +chapellerie-traclet.com, 1 +chapiteauxduleman.fr, 1 +chapleau.ca, 1 +chapmanstreeservice.com, 1 +chapnews.id, 1 +chapstick.life, 1 +chaqueteros.tk, 1 +char.press, 1 +character-count.com, 1 +charbonnel.eu, 1 +charcoal-se.org, 1 +charcoalvenice.com, 1 +chardik.tk, 1 +charge.ga, 1 +charge.gq, 1 +chargebacks911.com, 1 +chargeover.com, 1 +chargifi.com, 1 +chargify.com, 1 +chariots.tk, 1 +charisma.ai, 1 +charismadesign.ie, 1 +charisse.id, 1 +charity.cz, 1 +chariz.com, 1 +charl.eu, 1 +charlageneral.tk, 1 +charleliphile.tk, 1 +charlenevondell.com, 1 +charleroi-duty-free.com, 1 +charles-darwin.com, 1 +charles-migaud.fr, 1 +charlesbordet.com, 1 +charlesbwise.com, 1 +charlescwcooke.com, 1 +charlesdickens.tk, 1 +charlesmarsan.com, 1 +charlesperkinsacademy.com.au, 1 +charlesrogers.co.uk, 1 +charlestonfacialplastic.com, 1 +charlestonpersonalinjurylawyer.com, 1 +charlestonsecuritysystems.net, 1 +charlevoixtownship.gov, 1 +charley.tk, 1 +charlie-liveshow.com, 0 +charlie.im, 1 +charlie2alpha.org, 1 +charlie4change.com, 1 +charlieblog.tk, 1 +charliedillon.com, 1 +charliegarrod.com, 1 +charlieharbourtattoos.tk, 1 +charliehr.com, 1 +charliejonas.co.uk, 1 +charliejonas.com, 1 +charlientoi.fr, 1 +charlierogers.co.uk, 1 +charlierogers.com, 1 +charliescomputerservice.com, 1 +charliez0.cf, 1 +charliez0.ga, 1 +charliez0.gq, 1 +charliez0.ml, 1 +charliez0.tk, 1 +charliez0sp.cf, 1 +charliez0sp.ga, 1 +charliez0sp.gq, 1 +charliez0sp.ml, 1 +charliez0sp.tk, 1 +charlotte-touati.ch, 1 +charlotteanne.tk, 1 +charlottecountyva.gov, 1 +charlottejulienne.com, 1 +charlottemi.gov, 1 +charlottesvillegolfcommunities.com, 1 +charlottesvillehorsefarms.com, 1 +charlotteswimmingpoolbuilder.com, 1 +charlubermensch.com, 1 +charlws.com, 1 +charlylou.de, 1 +charmander.me, 1 +charmanterelefant.at, 0 +charmcitytech.com, 1 +charming-powers.tk, 1 +charmingarsehole.tk, 1 +charmingsaul.com, 1 +charmpets.ru, 1 +charnego.tk, 1 +charon.tk, 1 +charonsecurity.com, 1 +charpy.cc, 1 +charqawi.tk, 1 +charset.org, 1 +chartafzar.com, 1 +chartbox.tk, 1 +charteredsurveyorinlondon.co.uk, 1 +charteroak.org, 1 +charthop.com, 1 +chartkick.com, 1 +chartlands.org, 1 +chartmogul.com, 1 +chartpixel.com, 1 +chartsy.de, 1 +charuga.com.au, 1 +charuni.ru, 1 +charuru.moe, 1 +chasalin.nl, 1 +chascrazycreations.com, 1 +chase.co.nz, 1 +chaseandzoey.de, 1 +chasecorp.com, 1 +chasecountyne.gov, 1 +chasetrails.co.uk, 1 +chaskafire.gov, 1 +chaskamn.gov, 1 +chaskapolice.gov, 1 +chasoslov.tk, 1 +chasse-au-tresor.eu, 1 +chasse-maree.com, 1 +chasseurdetruites.com, 1 +chastitybelts.tk, 1 +chat-buddy.com, 1 +chat-cam.tk, 1 +chat-edu.org.uk, 1 +chat-libera.com, 1 +chat-porc.eu, 1 +chat.cz, 1 +chat2.cf, 1 +chat36.ga, 1 +chat40.net, 1 +chat4me.tk, 1 +chataberan.cz, 1 +chatacademies.org.uk, 1 +chatagoralskalipowa.pl, 1 +chataynazz.ga, 1 +chatbarran.tk, 1 +chatbelgie.eu, 1 +chatbizsol.com, 1 +chatbo.de, 1 +chatbot.one, 1 +chatbotclic.com, 1 +chatbotclick.com, 1 +chatbots.email, 1 +chatbots.systems, 1 +chatcentral.tk, 1 +chatcontrol.se, 1 +chatcuck.com, 1 +chatdoguaxinim.tk, 1 +chatdrop.org, 1 +chateau-belvoir.com, 1 +chateau-de-fresnois.com, 1 +chateau-de-fresnois.fr, 1 +chateau-dela-salle.fr, 1 +chateau-patris.com, 1 +chateaudelachaize.fr, 1 +chateauderoncourt.fr, 1 +chateaudestrainchamps.com, 0 +chateaulabrede.com, 1 +chateaulacordeliere.fr, 1 +chatedit.org.uk, 1 +chatelaine.com, 1 +chateroids.com, 1 +chatforskning.no, 1 +chatfreespeech.com, 1 +chatgayitalia.it, 1 +chatgen.ai, 1 +chatgptv.net, 1 +chatgptwith.me, 1 +chatgratis40.it, 1 +chatgtd.net, 1 +chathamcountync.gov, 1 +chathamil.gov, 1 +chathund.de, 1 +chatify.com, 1 +chatinsieme.it, 1 +chatkisskiss.tk, 1 +chatkitty.com, 1 +chatline.cf, 1 +chatline.ga, 1 +chatline.ml, 1 +chatlol.org, 1 +chatloupe.org, 1 +chatmaus.ml, 1 +chatnaweb.cz, 1 +chatnederland.eu, 1 +chatomg.com, 1 +chatons.org, 1 +chatopia.tk, 1 +chatounerie.com, 1 +chatovod.tk, 1 +chatphp.com, 1 +chatplanet.com, 1 +chatpoint.tk, 1 +chatreplay.stream, 1 +chatroomfans.tk, 1 +chatshort.com, 1 +chatsupport.co, 1 +chatsworthil.gov, 1 +chattahoocheefl.gov, 1 +chattergallery.com, 1 +chatteron.io, 1 +chatticketsers.ga, 1 +chattogether.tk, 1 +chattomania.it, 1 +chatu.io, 1 +chatu.me, 1 +chatucomputers.com, 1 +chatup.cf, 1 +chaturbate.com, 1 +chaturbate.eu, 1 +chaturbate.global, 1 +chaturbates.org, 1 +chaturfier.com, 1 +chatvizor.tk, 1 +chatweb.online, 1 +chatzimanolis.com, 0 +chatzimanolis.gr, 1 +chaudierecogeneration.com, 1 +chauffage-budget.fr, 1 +chauffeurandbeyond.com, 1 +chaumiere.ddns.net, 0 +chaurocks.com, 1 +chaussenot.net, 1 +chaussurerunning.fr, 1 +chautauquacountyks.gov, 1 +chaveirogrimaldi.com, 1 +chaverde.org, 1 +chazalet.fr, 0 +chbs.me, 1 +chcblog.tk, 1 +chcemradost.sk, 1 +chch.it, 1 +chcheaptech.nz, 1 +chcisezeptat.cz, 1 +chckr.co, 1 +chcoc.gov, 1 +chcuscojungle.com, 1 +chda.fr, 1 +chdauk.co.uk, 1 +chdg.gq, 1 +chdg.tk, 1 +chdgaming.xyz, 1 +cheap-airtickets.ru, 1 +cheap-colleges.com, 1 +cheap-mattresses.co.uk, 1 +cheapacyclovir.ml, 1 +cheapairfarefrom.com, 1 +cheapairfaresdeals.com, 1 +cheapairfaresticket.com, 1 +cheapairlinesuk.com, 1 +cheapairplaneticket.biz, 1 +cheapalarmparts.com.au, 0 +cheapandbesthosting.com, 1 +cheapautoinsuranceblog.com, 1 +cheapbloggingers.ga, 1 +cheapchiaplotting.com, 1 +cheapessay.net, 1 +cheapestdirectdebit.co.uk, 1 +cheapestgamecards.com, 1 +cheapestwaytofly.com, 1 +cheapexpenseers.ga, 1 +cheapexpenseest.ga, 1 +cheapfareto.com, 1 +cheapflightatlanta.com, 1 +cheapflightla.com, 1 +cheapflightmexico.com, 1 +cheapflightsengland.com, 1 +cheapflightsticketstoindia.com, 1 +cheapflightsunitedstates.com, 1 +cheapgeekts.com, 0 +cheapiesystems.com, 1 +cheapinternationalair.com, 1 +cheaplasix.tk, 1 +cheaplookers.ga, 1 +cheaplookest.ga, 1 +cheapmessengersers.ga, 1 +cheapmessengersest.cf, 1 +cheapmessengersest.ga, 1 +cheapmixesers.ga, 1 +cheapnolvadex.ml, 1 +cheapsmall.tk, 1 +cheapspecialistsers.ga, 1 +cheapspecialistsest.ga, 1 +cheapsshop.tk, 1 +cheapsslsecurity.com, 1 +cheapsslsecurity.com.au, 1 +cheapsslsecurity.com.ph, 1 +cheapsyrupers.ga, 1 +cheaptadalafil.tk, 1 +cheapticket.in, 1 +cheapticketsfrom.com, 1 +cheaptucsoners.ga, 1 +cheaptucsonest.ga, 1 +cheapvaltrex.ml, 1 +cheapwarrantsers.ga, 1 +cheapwebcallsers.ga, 1 +cheapwebcallsest.ga, 1 +cheapwipesest.ga, 1 +cheapwritinghelp.com, 1 +cheapwritingservice.com, 1 +cheat-files.ml, 1 +cheatengine.ml, 1 +cheatengine.pro, 1 +cheaterbios.ga, 1 +cheatersanonymousers.ga, 1 +cheathamcountyclerk.gov, 1 +cheathax.com, 1 +cheatmasters.tk, 1 +cheatomania.tk, 1 +cheatraiders.tk, 1 +cheats.is, 1 +cheatsupreme.com, 1 +cheazey.co, 1 +cheazey.net, 1 +cheazey.org, 1 +chebotarevkk.tk, 1 +chebwebb.com, 1 +checalaweb.com, 1 +chechencity.tk, 1 +check-redirect.com, 1 +check.gd, 1 +check.torproject.org, 0 +checkandreportlive.com, 1 +checkblau.de, 1 +checkbot.ml, 1 +checkccnumber.tk, 1 +checkchina.org, 1 +checkda.be, 1 +checkdithuis.nl, 1 +checkecert.nl, 1 +checkercab.tk, 1 +checkfreescore.com, 1 +checkfresh.com, 1 +checkiday.com, 1 +checkissuing.com, 1 +checkjehuis.be, 1 +checkjehuis.gent, 1 +checkjelinkje.nl, 1 +checklistbuilder.herokuapp.com, 1 +checklytics.com, 1 +checkmack.cf, 1 +checkmack.ga, 1 +checkmack.gq, 1 +checkmarket.com, 1 +checkmarx.com, 1 +checkme.gq, 1 +checkme.ml, 1 +checkmedia.org, 1 +checkmin.cf, 1 +checkmk.com, 1 +checkmyhttps.net, 1 +checkmypsoriasis.com, 1 +checknetworks.com.au, 1 +checkngo.com, 0 +checkout.google.com, 1 +checkr.com, 0 +checkra.in, 1 +checkras.tk, 1 +checkrente.nl, 1 +checkreview.in, 1 +checkrz.com, 1 +checkspf.net, 1 +checktls.nl, 0 +checktype.com, 1 +checkui.com, 1 +checkurinsurance.com, 1 +checkusernames.com, 1 +checkyourmath.com, 1 +checkyourprivilege.org, 1 +checkyourreps.org, 1 +checookies.com, 1 +cheddarpayments.com, 1 +cheekboss.com, 1 +cheekycharliessoftplay.co.uk, 1 +cheela.org, 1 +cheem.co.uk, 1 +cheems.rip, 1 +cheers.bio, 1 +cheese-storeroom.tk, 1 +cheeseemergency.co.uk, 1 +cheesefusion.com, 1 +cheeseginie.com, 1 +cheeth.am, 1 +cheetham.me.uk, 1 +cheetham.social, 1 +cheez.systems, 1 +cheezflix.uk, 1 +chefaa.com, 1 +chefcuisto.com, 1 +chefdehome.com, 1 +chefdondari.com, 1 +chefforaday.it, 1 +chefkoch.de, 1 +cheflindseyfarr.com, 1 +chefnardulli.com, 1 +chefpablito.tk, 1 +chefscraftgourmet.com, 0 +chefshooba.com, 1 +chefsuccess.com, 1 +cheftasy.com, 1 +cheguevaraclub.tk, 1 +chehalemgroup.com, 1 +cheholchik.tk, 1 +cheibegaudi.ch, 1 +cheiloplasty.tk, 1 +chekaonline.com, 1 +chekhov.gq, 1 +chel.ga, 1 +cheladmin.ru, 1 +chelema.xyz, 1 +chellame.fr, 1 +chellescourt.tk, 1 +chelmsz.ml, 1 +chelpogoda.tk, 1 +chelsea98.com, 1 +chelseafs.co.uk, 1 +chelseagroton.com, 1 +chelseahgaul.com, 1 +chelseaok.gov, 1 +cheltenhambouncycastles.co.uk, 1 +cheltenhampa.gov, 1 +cheltik.ru, 1 +chelyaba.tk, 1 +chema.ga, 1 +chemapool.bg, 1 +chemaxon.com, 1 +chemgenes.com, 1 +chemical-shark.de, 1 +chemicalcrux.org, 1 +chemicalguys-ruhrpott.de, 1 +chemicalpharm.com, 1 +chemicalromance.tk, 1 +chemie-schule.de, 0 +cheminsderando.fr, 0 +chemiphys.com, 0 +chemistry-schools.com, 1 +chemolak.pl, 1 +chenangocountyny.gov, 1 +chenapartment.com, 1 +chenbo.tk, 1 +chendhurcollections.com, 1 +chendhurcollections.in, 1 +chenequawi.gov, 1 +cheneypartners.com, 1 +cheng.pet, 1 +chengfayun.com, 1 +chenghao360.top, 1 +chengl.com, 1 +chengmach.com, 1 +chengren.cf, 1 +chengren.ml, 1 +chengta-money.com.tw, 1 +chengxindong.com, 1 +chengyutrading.com, 1 +chenky.com, 1 +chenna.me, 1 +chennai.nic.in, 1 +chennaimetrorail.org, 1 +chennaiskills.cf, 1 +chennien.com, 1 +chennuo.xyz, 1 +chenpei.org, 1 +chenqiang.com, 1 +chentianyi.cn, 1 +chenui.design, 1 +chenx221.cyou, 0 +chenx221.ml, 1 +chenx221.xyz, 1 +chenx2210.xyz, 1 +chenyin.work, 1 +chenzhi.idv.hk, 1 +chenzhipeng.com.cn, 1 +cheque-transitionactive.fr, 1 +chequeo.de, 1 +chequeraccounting.com.au, 1 +cheratocono.tk, 1 +cherbourg.website, 1 +cherevoiture.com, 0 +cherhenri.com, 1 +cherie-belle.com, 1 +cherie-eyelash.com, 1 +cherienoir.net, 1 +cheriny.com, 1 +cherkasskiy.ml, 1 +cherkassy.ml, 1 +cherkes.tk, 1 +cherkess.tk, 1 +chernikova.tk, 1 +chernogoriya.tk, 1 +chernyak.id.au, 1 +cherokee.net.br, 1 +cherokeecountyga.gov, 1 +cherrett.digital, 0 +cherry-green.ch, 1 +cherry-handmade.ml, 1 +cherryband.space, 1 +cherrybread.net, 1 +cherrycountyne.gov, 1 +cherrycredits.com, 1 +cherrycreeknorth.com, 1 +cherryjimbo.sucks, 1 +cherryonit.com, 0 +cherryq.com.my, 1 +cherubicsoft.com, 1 +cheryforum.net, 1 +cheryls.com, 1 +cheryltweedy.tk, 1 +cherysunzhang.com, 1 +chesapeakecluttercontrol.com, 1 +chesapeakeopticallab.com, 1 +chesapeakewv.gov, 1 +chescommessa.it, 1 +cheshirex.com, 0 +chess.katowice.pl, 1 +chesslovin.com, 1 +chessmatesny.com, 1 +chesspoint.ch, 1 +chessresult.ru, 1 +chesstempo.com, 1 +chessustron.pl, 1 +chessveterinary.co.uk, 1 +chesswiki.org, 1 +chesterbennington.tk, 1 +chestercountypediatrics.com, 1 +chestercountysc.gov, 1 +chesterfieldmayfair.com, 1 +chesterultimatefrisbee.tk, 1 +chestnut.cf, 1 +chetin-orlov.ga, 1 +cheto.io, 1 +chetori.tk, 1 +chetu.com, 1 +chetwood.se, 1 +cheviron.org, 1 +chevius.tk, 1 +chevroletitalia.com, 1 +chevychaseviewmd.gov, 1 +chewey.de, 1 +chewey.org, 1 +chewinggumremovalchicago.com, 1 +cheyannism.tk, 1 +chez-gaillard.fr, 1 +chez-janine.de, 1 +chez-merlin.com, 1 +chez-oim.org, 1 +chezbernard.tk, 1 +cheztitine.tk, 1 +chfr.search.yahoo.com, 0 +chg.codes, 1 +chhlayban.tk, 1 +chhory.com, 1 +chhy.at, 1 +chialab.eu, 1 +chialab.info, 1 +chialab.io, 1 +chialab.it, 1 +chialab.net, 1 +chialab.srl, 1 +chiamami.online, 1 +chiamatehot.com, 1 +chiangdao.com, 1 +chiangli.ml, 1 +chiangmaimontessori.com, 1 +chianti2002.jp, 1 +chiapasfutbol.com, 1 +chiara.net.au, 1 +chiaraiuola.com, 0 +chiasang.tk, 1 +chiaseek.com, 1 +chiavistello.it, 1 +chiba-shika.jp, 1 +chiboard.co, 1 +chiboost.net, 1 +chibr.eu, 1 +chic-leather.com, 1 +chicago-mold.com, 1 +chicagobasementblog.com, 1 +chicagobreastaugdrs.com, 1 +chicagoconcretecleaning.com, 1 +chicagoemergencyclosings.com, 1 +chicagoillinois.gq, 1 +chicagopowercleaning.com, 1 +chicagopowerwashing.net, 1 +chicagopowerwashingservices.com, 1 +chicagopressurewashing.net, 1 +chicagopressurewashingservices.com, 1 +chicagoprivatejets.com, 1 +chicagostudentactivists.org, 1 +chicaman.tk, 1 +chicas.tk, 1 +chicasgo.ga, 1 +chicasloca.com, 1 +chichi-cats.com, 1 +chichijane.com, 1 +chichoverboard.online, 1 +chicinttim.gq, 1 +chicjrajeevalochana.com, 1 +chick-goo-ewe-farm.com, 1 +chickencentral.tk, 1 +chickencoop.ml, 1 +chickenfarms.tk, 1 +chickensaladchick.com, 1 +chicki.tk, 1 +chickteam.tk, 1 +chicofc.tk, 1 +chicorec.gov, 1 +chicospanico.tk, 1 +chicurrichi.com, 1 +chief.tools, 1 +chieffamilyofficer.info, 1 +chiefworks.com, 1 +chielonline.tk, 1 +chiemgauflirt.de, 1 +chienluoc.tk, 1 +chiesanuova.nl, 1 +chietitoday.it, 1 +chifeng.com.tw, 1 +chiffer.nu, 1 +chiffrer.info, 1 +chifumi.net, 1 +chihuahuaalinstante.com, 1 +chijb.cc, 1 +chikahaku1001vr.jp, 1 +chikakei.com, 1 +chikan-beacon.net, 1 +chikenweb.jp, 1 +chiki.tk, 1 +chikory.com, 1 +chilapaweb.tk, 1 +chilbert.co, 1 +child-theater-bs.co.il, 1 +childcare.gov, 1 +childcarealgoma.ca, 1 +childcaremanagementcompany.ga, 1 +childcaresolutionscny.org, 1 +childchaos.cf, 1 +childchaos.ga, 1 +childchaos.ml, 1 +childchaos.tk, 1 +childcounseling.org, 1 +childish.wtf, 1 +childno.de, 1 +children-toys.tk, 1 +children1st.jp, 1 +childrenandmedia.org.au, 1 +childrenfirstalways.org, 1 +childreninadversity.gov, 1 +childrenoftheshadow.org, 1 +childrens-museum.org, 1 +childrens-room.com, 1 +childrensdentalranch.com, 1 +childrensentertainmentleicester.co.uk, 1 +childrensfurniture.co.uk, 1 +childrensheartfoundation.org, 1 +childrensmentalhealthcampaign.org, 1 +childrensrecipes.tk, 1 +childstats.gov, 1 +childswear.tk, 1 +childtaxcredit.gov, 1 +childwelfare.gov, 1 +chile.tk, 1 +chileprevencion.cl, 1 +chiletrenes.tk, 1 +chilhowieva.gov, 1 +chili.ml, 1 +chilian.de, 1 +chilihosting.eu, 1 +chilikin.pro, 1 +chilimathwords.com, 1 +chilio.net, 1 +chilipy.ga, 1 +chilis.com, 1 +chill-house.ga, 1 +chill.bet, 1 +chillcicada.com, 1 +chillebever.nl, 1 +chillhop.com, 1 +chillipadi.tk, 1 +chilliwackchurchofgod.com, 1 +chillpay.co, 1 +chillplanet.nl, 1 +chillybin.co, 1 +chillybin.com.sg, 1 +chiloesinpuente.tk, 1 +chiltanfm88.tk, 1 +chilternfarming.com, 1 +chiltonwi.gov, 1 +chimaeraconsulting.eu, 1 +chimaira.tk, 1 +chimcanhcut.tk, 1 +chime.com, 1 +chimebank.com, 1 +chimera.sh, 1 +chimeratool.com, 1 +chimerity.com, 1 +chimm.cc, 1 +chimneytec.se, 1 +chimpanzee.cf, 1 +chimpanzee.net, 1 +chimpmatic.com, 1 +china-midas.net, 1 +china-online-news.tk, 1 +chinabank.ph, 1 +chinabelt.com, 1 +chinablows.com, 1 +chinacbd.com, 1 +chinacdn.org, 1 +chinacheers.com, 1 +chinaclone.com, 1 +chinadiy.com, 1 +chinadream404.com, 1 +chinadrilling.com, 1 +chinafree.online, 1 +chinafree.site, 1 +chinaglobalsecurities.cn, 1 +chinahd.com, 1 +chinahealthcareblog.cf, 1 +chinahitech.com, 1 +chinaicpower.org, 0 +chinaindexfund.cn, 1 +chinajingkun.com, 1 +chinalike.com, 1 +chinalosers.com, 1 +chinamediaproject.org, 1 +chinaneed.com, 1 +chinanurse.com, 1 +chinaoptionsfund.cn, 1 +chinaoptionsfund.com, 1 +chinaprices.com, 1 +chinaprofit.com, 1 +chinapsych.com, 1 +chinaqueue.com, 1 +chinasay.com, 1 +chinasearch.tk, 1 +chinaspa.com, 1 +chinastory.tk, 1 +chinasucksass.com, 1 +chinati.org, 1 +chinava.com, 1 +chinavegan.com, 1 +chinawatchinstitute.org, 1 +chinawhale.com, 1 +chinawicker.com, 1 +chinchillas.tk, 1 +chinees.restaurant, 1 +chinefrancophonie.fr, 1 +chinen-hs41.com, 1 +chinese-fuhui.com, 1 +chinese-fxcm.com, 1 +chinese.sc, 1 +chinesebrides.ml, 1 +chinesedishes.tk, 1 +chinesefu.com, 1 +chinesepen.org, 1 +chinesephones.tk, 1 +chineseplease.moe, 1 +chinfolk.tk, 1 +ching.tv, 1 +chiniiki.com, 1 +chinohills.gov, 1 +chinookmt.gov, 1 +chinookwebdesign.ca, 1 +chinovalleyaz.gov, 1 +chinplugins.com, 1 +chinplugins.net, 1 +chinplugins.xyz, 1 +chintaparthi.tk, 1 +chintaparthihome.tk, 1 +chinteni.com, 1 +chinwag.im, 1 +chip.icu, 1 +chipdig.com, 1 +chipollinko.com.ua, 1 +chippewa.com, 1 +chippewacountywi.gov, 1 +chippy.ch, 0 +chiprender.com, 1 +chips-scheduler.de, 1 +chips.gov, 1 +chipset.no, 1 +chipsfuck.fish, 1 +chiquian.tk, 1 +chirality.de, 1 +chiralsoftware.com, 1 +chireiden.me, 1 +chiriri.top, 1 +chirkunov.tk, 1 +chiro-doctor.com, 1 +chiro-merksplas.tk, 1 +chiro.org, 1 +chiroharbalorifa.tk, 1 +chiroherne.tk, 1 +chirointellect.com, 0 +chirojap.tk, 1 +chirolokalenfonteintjekoersel.be, 1 +chiromeisjes-boxberg.tk, 1 +chiron.care, 0 +chiropractic.gr, 1 +chiropracticwpb.com, 0 +chiropractorlongmontgpa.com, 1 +chiropraktik-riemann.de, 1 +chiropraktik-wildner.de, 0 +chirotestelt.tk, 1 +chirototem.tk, 1 +chirowij.tk, 1 +chirpset.com, 1 +chiru.no, 1 +chirurgoplastico.roma.it, 1 +chisagocountymn.gov, 1 +chiselgems.com, 1 +chispita.tk, 1 +chistesdesebas.tk, 1 +chistim.info, 1 +chit.search.yahoo.com, 0 +chita.cf, 1 +chita.tk, 1 +chitaem.tk, 1 +chitashop.ml, 1 +chitchok.com, 1 +chitinfo.tk, 1 +chitlar.ml, 1 +chitraltune.tk, 1 +chittagongtextile.tk, 1 +chiucainlaw.co.nz, 1 +chiusa-klausen.com, 1 +chiva-ariege.fr, 1 +chizouworld.tk, 1 +chizra.com, 1 +chk-ccs.com, 1 +chkmkt.com, 1 +chkserv.com, 0 +chksite.com, 1 +chl.la, 1 +chliine.ch, 1 +chlo-products.biz, 1 +chlo-products.net, 1 +chloehorler.com, 1 +chloes.gr, 1 +chloescastles.co.uk, 1 +chloeting.com, 1 +chlopes.com, 1 +chlorca.es, 1 +chlth.com, 1 +chmfin.com, 1 +chmielarz.it, 1 +chmsoft.com.ua, 1 +chmsoft.ru, 1 +chmurakotori.ml, 1 +chndrb.in, 1 +chngold.com, 1 +chnj.gov, 1 +chnlib.com, 1 +chobble.com, 1 +chobitool.com, 1 +choccychox.com, 1 +chochos.tk, 1 +choco-championship.jp, 1 +choco.run, 1 +chocoband.cf, 1 +chocodecor.com.br, 1 +chocolat-lp2.com, 1 +chocolat-suisse.ch, 0 +chocolat.work, 1 +chocolate-express.co.uk, 1 +chocolate.wiki, 1 +chocolatesandhealth.com, 1 +chocolateslim.gq, 1 +chocolatesonline.com, 1 +chocolatier-tristan.ch, 0 +chocolatier.co.uk, 0 +chocolatos.tk, 1 +chocolay.gov, 1 +chocolytech.info, 1 +chocope-peru.tk, 1 +chocudan.tk, 1 +chodaczek.pl, 1 +choe.fi, 1 +choesfirm.tk, 1 +chofan.tk, 1 +choice-design.com.tw, 1 +choiceautoloan.com, 1 +choiceuniontown.org, 1 +choirofbeirut.cf, 1 +choisirmoneau.blog, 1 +chokladfantasi.net, 1 +cholleria.es, 1 +chollima.pro, 1 +chollospain.cf, 1 +choloforo.tk, 1 +chonghe.org, 1 +chonglang.cfd, 1 +chongming.tk, 1 +chongthamsika.tk, 1 +chongwukong.com, 1 +choochooworld.com, 0 +choootto.net, 1 +choosealicense.com, 1 +choosemypc.net, 1 +chooserealleather.cn, 1 +choosetech.com.br, 1 +choosevalley.co.uk, 1 +chooseyourdesinty.tk, 1 +chopnotch.com, 1 +chopper-parts.ru, 1 +chopperdesign.com, 1 +chopperforums.com, 1 +chopradionet.tk, 1 +chordify.net, 1 +chordmag.com, 1 +chordpage.com, 1 +choreographytogo.com, 1 +chorkley.co.uk, 1 +chorkley.com, 1 +chorkley.me, 1 +chorkley.uk, 1 +chorleycaninesolutions.co.uk, 1 +chornobyl.tk, 1 +chorpinkpoemps.de, 1 +choruru.jp, 1 +choruscall.com, 1 +chorverband-region-kocher.de, 1 +chosenofstarclan.com, 1 +chosenos.tk, 1 +chosenplaintext.org, 1 +choservices.com, 1 +chosting.dk, 1 +chou-chinois.com, 1 +chouchouweb.com, 1 +chovancova.sk, 1 +chowchowugo.com, 1 +chowtime.chat, 1 +choylifut.tk, 1 +choyri.com, 1 +chpa.org, 1 +chpwmedicare.org, 1 +chr0me.sh, 1 +chrawrizard.org, 1 +chrestos.de, 1 +chrg-server.de, 1 +chris-edwards.net, 1 +chris-siedler.at, 1 +chris.land, 1 +chrisahrweileryoga.com, 1 +chrisaitch.com, 1 +chrisandian.com, 1 +chrisb.me, 0 +chrisb.xyz, 0 +chrisbrockdiving.com, 1 +chrisbrowntherapies.co.uk, 1 +chrisbryant.me.uk, 1 +chrisburnell.com, 1 +chriscarey.com, 1 +chriscelkins.com, 1 +chriscutts.uk, 1 +chrisdasie.com, 1 +chriseldon.com, 1 +chrisfinazzo.com, 0 +chrisgieger.com, 1 +chrisirwin.ca, 1 +chrisjean.com, 1 +chriskthomas.com, 1 +chrislane.com, 1 +chrislauderback.com, 1 +chrislauderback.net, 1 +chrislauderback.org, 1 +chrisliebaer.de, 1 +chrisluen.com, 1 +chrismax89.com, 1 +chrismcclendon.com, 1 +chrismckee.co.uk, 1 +chrismiller.xyz, 1 +chrismorgan.info, 1 +chrismurray.co.uk, 1 +chrismurrayfilm.com, 1 +chrisnekarda.com, 1 +chrisogedengbe.org, 1 +chrispaul.ml, 1 +chrispontius.tk, 1 +chrisrude.com, 1 +chrisshort.me, 1 +chrisshort.net, 1 +chrisspencercreative.com, 1 +chrisspencermusic.com, 1 +chrissx.de, 1 +chrissx.eu, 1 +chrissx.ga, 1 +chrissytechaira.tk, 1 +christ.cm, 1 +christadelphians.eu, 1 +christcostum.tk, 1 +christec.net, 1 +christengroei.tk, 1 +christensenplace.us, 1 +christerwaren.com, 1 +christerwaren.fi, 1 +christiaanconover.com, 1 +christian-folini.ch, 1 +christian-gredig.de, 1 +christian-laubender.de, 1 +christian-liebel.com, 1 +christian-oette.de, 1 +christian-stadelmann.de, 1 +christianadventurecamps.org, 1 +christianaknudsen.com, 1 +christianbecker.name, 1 +christianblog.ml, 1 +christianbro.gq, 1 +christianbsl.com, 1 +christianchat.ml, 1 +christiancleva.com, 1 +christiancoleman.info, 1 +christianconcepts.cf, 1 +christianconcepts.ga, 1 +christianconcepts.gq, 1 +christiancountyil.gov, 1 +christiandiorsneakers.shop, 1 +christiandiscourse.net, 1 +christianfilms.net, 1 +christiangaro.com, 1 +christiangaro.email, 1 +christiangaro.info, 1 +christiangaro.me, 1 +christiangaro.us, 1 +christiangehring.org, 1 +christianhaugen.tk, 1 +christianhoffmann.info, 0 +christianimweb.tk, 1 +christianitas.ga, 1 +christianitas.gq, 1 +christianitas.tk, 1 +christianjens.com, 1 +christianjoachim.de, 1 +christianleedunn.tk, 1 +christianliebel.com, 1 +christianlis.org.uk, 1 +christianlis.uk, 1 +christianmoore.me, 1 +christianmorales.tk, 1 +christianoliff.com, 1 +christianotero.co, 1 +christianplumbingservices.com, 1 +christianr.me, 1 +christianrasch.de, 1 +christianreimold.de, 1 +christiansayswords.com, 1 +christiansburgva.gov, 1 +christiansciencevancouverwa.org, 1 +christiansrit.tk, 1 +christianwenz.de, 1 +christianwitts.tech, 1 +christiehawkes.com, 1 +christinabjoern-nilsson.dk, 1 +christinacrawford.cf, 1 +christinacrawford.ga, 1 +christinacrawford.gq, 1 +christinacrawford.ml, 1 +christinarosenvinge.tk, 1 +christinasattler.com, 1 +christine-kraemer.de, 0 +christineandcie.fr, 1 +christineblachford.com, 1 +christinecloma.com, 1 +christineglaeser.de, 1 +christineprayon.de, 1 +christmasinelmhurst.org, 1 +christmasloansvet.com, 1 +christmaspages.tk, 1 +christmaspartyhire.co.uk, 1 +christmasrecipe.tk, 1 +christo.ga, 1 +christoph.media, 1 +christophbartschat.com, 1 +christophe-dubois.tk, 1 +christophebarbezat.ch, 1 +christophedavid.tk, 1 +christopher-simon.de, 0 +christopher-wright.com, 1 +christopher-zentgraf.de, 1 +christopher.sh, 0 +christopherbillo.com, 1 +christopherburg.com, 1 +christophercolumbusfoundation.gov, 1 +christopherd.me, 1 +christophergowerjohnson.com, 1 +christopherjferguson.com, 1 +christopherkardas.me, 1 +christopherkennelly.com, 1 +christopherpritchard.co.uk, 1 +christopherterryweddings.co.uk, 1 +christophertruncer.com, 1 +christopherzoukis.com, 1 +christophfink.com, 1 +christophheich.me, 1 +christophkranebitter.at, 1 +christophkreileder.com, 1 +christophsackl.de, 1 +christreformedchurchdfw.org, 1 +christthegoodshepherd.org, 1 +christthekingparish.net, 1 +christtheredeemer.us, 1 +christtheshepherdvineland.org, 1 +christwaycounseling.com, 1 +christysstampingspot.com, 1 +chrisupjohn.xyz, 1 +chrisvannooten.tk, 1 +chriswald.com, 1 +chriswarbo.tk, 1 +chriswarrick.com, 1 +chriswbarry.com, 0 +chriswells.io, 1 +chriswiggin.cf, 1 +chriswiggin.ga, 1 +chriswiggin.gq, 1 +chriswiggin.ml, 1 +chriswilding.co.uk, 1 +chriswservers.com, 1 +chrisx.xyz, 1 +chriszarb.tk, 1 +chrixonline.tk, 1 +chromaitaly.com, 1 +chromamastering.com, 1 +chromaphile.tk, 1 +chromarea.fr, 1 +chromaryu.net, 0 +chromcraft-revington.com, 1 +chrome, 1 +chrome-devtools-frontend.appspot.com, 1 +chrome-stats.com, 1 +chrome.com, 1 +chrome.google.com, 1 +chrome.pt, 1 +chromebookchart.com, 1 +chromebookcompare.com, 1 +chromebooksforwork.com, 1 +chromereporting-pa.googleapis.com, 1 +chromestatus.com, 1 +chromiumbugs.appspot.com, 1 +chromiumcodereview.appspot.com, 1 +chromopho.be, 1 +chronic101.xyz, 1 +chronicals.de, 1 +chronicbuilt.com, 1 +chronicled.tk, 1 +chronicles.tk, 1 +chroniclesofgeorge.com, 1 +chronik-kramsach.at, 1 +chronoc.de, 1 +chronocarpe.com, 1 +chronocolis.ml, 1 +chronodelivery.com, 1 +chronology.no, 1 +chronometre-en-ligne.com, 1 +chronoshop.cz, 1 +chronotech.fr, 1 +chronusgov.com, 1 +chrony.tk, 1 +chroot.co.uk, 1 +chrpaul.de, 0 +chrsmtc.com, 1 +chrstn.eu, 1 +chrstngr.cm, 1 +chrt-tcdp.gc.ca, 1 +chrudim-city.cz, 1 +chrxw.com, 1 +chrysanthos.net, 1 +chryslerbuilding.tk, 1 +chrystajewelry.com, 1 +chrystofer.com, 0 +chrystus.pl, 1 +chsamuel.net, 1 +chsh.moe, 0 +chshealthcare.co.uk, 1 +chshouyu.com, 1 +chsmedical.com, 1 +chsterz.de, 1 +chstrategies.com.au, 1 +chsvotes.gov, 1 +chtj.uk, 1 +chtodelat.ga, 1 +chtsi.uk, 1 +chtyvo.tk, 1 +chuangyi.com, 1 +chuanxinlian.com, 1 +chubbygirlpics.com, 1 +chubr.cf, 1 +chubuhokenservice.com, 1 +chuckame.fr, 1 +chuckecheese.com, 1 +chuckval.tk, 1 +chudnov.tk, 1 +chuhe.xyz, 1 +chukardin.tk, 1 +chukcha.ru, 1 +chukotka.ml, 1 +chukou.cf, 1 +chukou.ga, 1 +chukou.gq, 1 +chukou.ml, 1 +chukou.tk, 1 +chukwunyere-chambers.org, 1 +chulinkuei.org.tw, 1 +chun.pro, 1 +chunabhatti.tk, 1 +chundelac.com, 1 +chunga.tk, 1 +chungachyan.ga, 1 +chunghwamc.com, 1 +chungnguyenblog.tk, 1 +chungsir.com.pa, 1 +chunk.science, 1 +chunkeat.cyou, 1 +chunkeat.me, 1 +chunkeat.ml, 1 +chuongle.com, 1 +chupacabra-drift.pl, 1 +chupadelfrasco.com, 1 +chupanhcotrang.com, 1 +chuppa.com.au, 1 +chur-arosa-bahn.de, 1 +chur-arosa-bahn.nl, 1 +churakov.tk, 1 +church360.co.ke, 1 +churchaid.ml, 1 +churchforeveryone.info, 1 +churchforum.tk, 1 +churchhouse.io, 1 +churchill.co.za, 1 +churchillcountynv.gov, 1 +churchlinkpro.com, 1 +churchlw.tk, 1 +churchm.ag, 1 +churchofchrist.tk, 1 +churchofcyprus.org.cy, 1 +churchofsaintbenedict.com, 1 +churchofsmyrna.com, 1 +churchofsmyrna.org, 1 +churchplaza.com, 1 +churchssja.org, 1 +churchsuite.com, 1 +churchthemes.com, 1 +churchwebcanada.ca, 1 +churchwebsupport.com, 1 +churnfree.com, 1 +churrascariacampogrande.com.br, 1 +chuskocity.tk, 1 +chuspace.com, 1 +chutingstar.com, 1 +chutisant.tk, 1 +chutoriaru.com, 1 +chuvash-republic.tk, 1 +chuvash.tk, 1 +chuvashia.tk, 1 +chuvashiya.tk, 1 +chuyentien247.com.vn, 1 +chwempower.com, 1 +chwilrank.pl, 1 +chytraauta.cz, 1 +chytris.cf, 1 +chytris.cz, 1 +chziq.com, 1 +ci-fo.org, 1 +ci-suite.com, 1 +ci.com.br, 1 +cia-gaming.de, 1 +cia-landlords.co.uk, 1 +cia.gov, 1 +ciaagentedu.org, 1 +ciadocultivo.com.br, 1 +ciagutek.pl, 1 +ciahalim.tk, 1 +ciai.cf, 1 +ciai.ga, 1 +ciai.gq, 1 +ciai.ml, 1 +ciai.tk, 1 +cialde.it, 1 +cialis-trial.gq, 1 +cialisfreetrial.ga, 1 +cialismarketim.net, 1 +cialismarketing.net, 1 +cialisonlinee.com, 0 +cialisusapills.com, 1 +cialisvtr.com, 1 +cialisworld.net, 1 +cialisworld.org, 1 +ciallo.work, 1 +cianmawhinney.me, 1 +cianmawhinney.xyz, 1 +ciao.ro, 1 +ciaracode.com, 1 +ciaran.tk, 1 +ciasa.se, 1 +ciasademunt.com, 0 +ciat.no, 0 +cibcclearygull.com, 1 +cibdol.com, 1 +cibdol.nl, 1 +cibercat.tk, 1 +cibercheck.com, 1 +cibernicola.es, 1 +cible-recrutement.ma, 1 +cibopdx.com, 0 +cica.es, 1 +cicavkleci.cz, 1 +ciceksohbet.com, 1 +ciceron.cloud, 1 +cicerony.gov, 1 +ciceronypd.gov, 1 +cicery.com, 1 +cichol.com, 1 +ciclimattio.com, 1 +ciclismoyrendimiento.com, 1 +ciclista.roma.it, 1 +ciclodekrebs.com, 1 +ciclodelcarbono.com, 1 +ciclohidrologico.com, 1 +ciclopico.it, 1 +cidcca.com, 1 +cideaassociation.com, 1 +cidersus.com.ec, 1 +cidgomes.com.br, 1 +cidikit.tk, 1 +cidones.tk, 1 +cie-theatre-montfaucon.ch, 0 +ciekawi.com, 1 +ciekwestronki.cf, 1 +ciekwestronki.ga, 1 +ciekwestronki.gq, 1 +ciekwestronki.ml, 1 +ciel.coffee, 1 +ciel.luxe, 1 +ciel.pro, 1 +ciel.si, 1 +ciele.com, 1 +cielo-thefilm.com, 1 +cienciasempresariais.pt, 1 +cienegaspa.com, 1 +cierreperimetral.com, 1 +cifop-numerique.fr, 1 +ciftkabincikmaparca.com.tr, 1 +ciftkabinyedekparca.com.tr, 1 +ciftlikesintisi.com, 1 +cigar-cartel.com, 1 +cigarafterten.com, 1 +cigarette-electronique.tk, 1 +cigarettes-electronik.fr, 1 +cigarren-colleg.de, 1 +cigarterminal.com, 0 +cigdelivery.com, 1 +cign.nl, 1 +cigniti.com, 1 +cignium.com, 1 +cigotracker.com, 1 +cigrowthhack.com, 0 +cihanmedya.ga, 1 +cihar.com, 1 +cihr-irsc.gc.ca, 1 +cihucm.com, 1 +ciicutini.ro, 1 +cilacapnews.ml, 1 +cile.cf, 1 +cile.tk, 1 +cilipa.com, 1 +cilkamail.cloud, 1 +cilkanet.cloud, 1 +cilt.tk, 1 +ciltskillnet.ie, 0 +cim.se, 1 +cima-alfa.com, 1 +cima-idf.fr, 1 +cimaroom.com, 1 +cimbalino.org, 1 +cimballa.com, 1 +cimfax.com, 1 +cimice.it, 1 +cimtools.net, 1 +cin.net.au, 1 +cinafilm.com, 1 +cinay.pw, 1 +cinccapital.com, 1 +cincinnati.gov, 1 +cincinnaticasinonight.com, 1 +cincinnatijapanesechurch.com, 1 +cincosf.com, 1 +cincy.gov, 1 +cincydeckandpatio.com, 1 +cindey.io, 1 +cindy.cn, 1 +cine-music.de, 1 +cine-passion16.fr, 1 +cine.to, 1 +cinecat.de, 1 +cinedarkwolf.tk, 1 +cinefilia.tk, 1 +cineforge.com, 1 +cinefun.net, 1 +cinegore.tk, 1 +cinejoia.tv, 1 +cinelandia.tk, 1 +cinema-rulem.tk, 1 +cinemaclub.co, 1 +cinemadoma.tk, 1 +cinemafrix.cf, 1 +cinemaperto.tk, 1 +cinemarxism.com, 1 +cinemaschool.by, 1 +cinemasetfree.com, 1 +cinematherapy.org, 1 +cinematic.asia, 1 +cinematriz.cl, 1 +cinemaz.to, 1 +cinemaza.tk, 1 +cinemotion.by, 1 +cinemysticism.com, 1 +cinenote.link, 1 +cineping.com, 1 +cineplex.my, 1 +cineramen.gr, 1 +cinet.jp, 1 +cineterror.tk, 1 +cineworld.co.in, 1 +cinexilio.tk, 1 +cinicloud.com, 1 +cinicostudio.com, 1 +cinicsystems.tk, 1 +ciniticket.com, 1 +ciniticket.in, 1 +cink.hu, 1 +cinkciarz.pl, 1 +cinn.ml, 1 +cinnagar.tk, 1 +cinnamon.bot, 1 +cinnamon.gq, 1 +cinnamonsnail.com, 1 +cinnamonspiceandeverythingnice.com, 1 +cinq-elements.com, 0 +cinq-elements.net, 1 +cinquecentoclubholland.tk, 1 +cinqueportsvets.co.uk, 1 +cins.rs, 1 +cinsels.com, 1 +cinshine.nl, 1 +cint.com, 1 +cintactimber.com, 1 +cintamanilingerie.co.uk, 1 +cintapersonalizada.es, 1 +cintaraso.es, 1 +cinteo.com, 1 +cinthia.tk, 1 +cio-spirit.de, 1 +cio.gov, 1 +ciochina.com, 1 +cionir.fr, 1 +cioscloud.com, 1 +cioudways.pro, 1 +cioxhealth.com, 1 +cip.md, 1 +cipa.com.co, 0 +cipartyhire.co.uk, 1 +cipf.ca, 0 +ciph.zone, 1 +cipher.team, 1 +cipherboy.com, 1 +cipherli.st, 0 +ciphermail.com, 1 +ciphersuite.info, 1 +ciphertech.com.tw, 1 +ciplerli.st, 1 +cippus.tk, 1 +cipri.com, 1 +cipri.net, 1 +cipri.nl, 1 +cipri.org, 1 +cipria.no, 1 +ciproantibiotic.gq, 1 +ciprofloxacin.cf, 1 +ciprofloxacin.ga, 1 +ciprogeneric.gq, 1 +cipy.com, 1 +cir.is, 1 +cira.email, 1 +cirasul.com, 1 +cirasync.com, 1 +circady.com, 1 +circara.com, 1 +circle-people.com, 1 +circlebox.rocks, 1 +circleci.com, 1 +circlelytics.com, 1 +circleofhealthlongmont.com, 1 +circlepluscircle.me, 1 +circlevilleoh.gov, 1 +circu.ml, 0 +circues.com, 1 +circuit.co.uk, 1 +circuitcityelectricaladelaide.com.au, 1 +circuitclerkmarioncountyms.gov, 1 +circuitdesertmaroc.com, 1 +circular.fashion, 1 +circularity.id, 1 +circulosocial77.com, 1 +circumstances.ir, 1 +circus-maximus.de, 1 +circusdays.tk, 1 +circuses.tk, 1 +cirdcil.gov, 1 +cirfi.com, 1 +cirocunato.tk, 1 +cirriton.de, 1 +cirro.io, 1 +cirroenergy.com, 1 +cirruslab.ch, 0 +cirruslabs.ch, 0 +cirurgicagervasio.com.br, 1 +cirurgicalucena.com.br, 1 +cirurgicasaopaulo.com.br, 1 +cirurgicavirtual.com.br, 1 +cisa.gov, 1 +cisabroad.com, 0 +cisco-training.net, 1 +ciscoasanetflow.com, 1 +ciscobrewers.com, 1 +ciscocyberthreatdefense.com, 1 +ciscodude.net, 0 +ciscom.tk, 1 +cisconetflowleader.com, 1 +cisconetflowpartners.com, 1 +cisconetflowreporting.com, 1 +cisconetflowsupport.com, 1 +cisi.org, 1 +cisin.com, 1 +cisincometax.ca, 1 +cisindia.tk, 1 +cision.one, 1 +ciso.social, 1 +cisoaid.com, 1 +cisofy.com, 1 +cisopoland.org, 1 +cisowianki.tk, 1 +cisprague.org, 1 +ciss.ltd, 1 +cissofitness.com, 1 +cistenikoberculiberec.net, 1 +cistit.tk, 1 +cistoaracnoide.org, 1 +cisum-cycling.com, 1 +cisylik.gq, 1 +citacatastro.es, 1 +citace.com, 1 +citacepro.com, 1 +citadelpark.be, 1 +citadni.online, 1 +citae.ga, 1 +citafogasa.es, 1 +citafun.tk, 1 +citakon.cz, 1 +citalopram-20-mg.ml, 1 +citalopram20.ga, 1 +citalopramgeneric.ga, 1 +citalopramhbr.ga, 1 +citans.tk, 1 +citap.gov, 1 +citaprevia-medico.es, 1 +citas-adultas.com, 1 +citationgurus.com, 1 +citations.tk, 1 +citazioni.tk, 1 +citfin.cz, 1 +citharas.org, 1 +citidirect.com, 1 +cities.cl, 1 +citiledger.ga, 1 +citimarinestore.com, 0 +citiswich.com.au, 1 +citius.gal, 1 +citizen428.net, 1 +citizenewatch.tk, 1 +citizenkevin.com, 0 +citizens.pt, 1 +citizensbank.net, 1 +citizensbankal.com, 1 +citizenscience.gov, 1 +citizensgbr.org, 1 +citizenside.fr, 1 +citizenslasvegas.com, 1 +citizensleague.org, 1 +citizentruth.org, 1 +citizing.org, 1 +citos.ga, 1 +citoyen.eu, 1 +citroner.blog, 1 +citrusbocc.gov, 1 +citruscounty.gov, 1 +citruspi.com, 1 +citruspi.io, 1 +citsc.de, 1 +citti.de, 1 +cittinfo.com, 1 +citto.ru, 1 +city-adm.lviv.ua, 1 +city-glas.com, 1 +city-home.tk, 1 +city-nn.com, 1 +city-online.tk, 1 +city-walks.info, 1 +city.kharkov.ua, 1 +cityapparels.com, 1 +citybusexpress.com, 0 +citycalculator.ml, 1 +citycardgand.com, 1 +citycardgante.com, 1 +citycardgent.be, 1 +citycardgent.com, 1 +citycardghent.com, 1 +citycarremovals.com.au, 1 +citycell.ml, 1 +cityconsultants.tk, 1 +citycreek.studio, 1 +citycricket.tk, 1 +cityfacialplastics.com, 1 +cityhide.tk, 1 +cityhotel.tk, 1 +cityjam.tk, 1 +citylift.com.ua, 1 +citylocal.cf, 1 +citymagazine.si, 1 +citymeats.com, 1 +cityofadelga.gov, 1 +cityofallisonia.gov, 1 +cityofaltonil.gov, 1 +cityofamoryms.gov, 1 +cityofarcolatx.gov, 1 +cityofaudubonmn.gov, 1 +cityofbambergsc.gov, 1 +cityofbathmaine.gov, 1 +cityofbayardnm.gov, 1 +cityofbaylakefl.gov, 1 +cityofbayminetteal.gov, 1 +cityofbinghamton.gov, 1 +cityofblairwi.gov, 1 +cityofblancotx.gov, 1 +cityofboydtx.gov, 1 +cityofbridgetonnj.gov, 1 +cityofbristowok.gov, 1 +cityofbrodheadwi.gov, 1 +cityofbrookings-sd.gov, 1 +cityofbrookwoodal.gov, 1 +cityofburnsor.gov, 1 +cityofcarsonca.gov, 1 +cityofcharlottetn.gov, 1 +cityofchinagrovetx.gov, 1 +cityofclare.gov, 1 +cityofclintoniowa.gov, 1 +cityofconroe.gov, 1 +cityofcottonwoodmn.gov, 1 +cityofcrandonwi.gov, 1 +cityofdelafieldwi.gov, 1 +cityofdelcity.gov, 1 +cityofdixonca.gov, 1 +cityofeastpointemi.gov, 1 +cityofeatonrapids.gov, 1 +cityofellisks.gov, 1 +cityofelynv.gov, 1 +cityoferintn.gov, 1 +cityofeuporams.gov, 1 +cityoffergusonky.gov, 1 +cityofflorencesc.gov, 1 +cityofgibraltarmi.gov, 1 +cityofgigharborwa.gov, 1 +cityofgirardoh.gov, 1 +cityofglasgowcollege.ac.uk, 1 +cityofglendora.gov, 1 +cityofgolden.gov, 1 +cityofgrandblancmi.gov, 1 +cityofgrossepointemi.gov, 1 +cityofguttenbergia.gov, 1 +cityofhackensackmn.gov, 1 +cityofherculaneum.gov, 1 +cityofhughsonca.gov, 1 +cityofioneoregon.gov, 1 +cityofirvineca.gov, 1 +cityofithacany.gov, 1 +cityofjuneauwi.gov, 1 +cityofkandiyohimn.gov, 1 +cityofkasaanak.gov, 1 +cityofkewauneewi.gov, 1 +cityoflakebuenavistafl.gov, 1 +cityoflakegeneva.gov, 1 +cityoflancasterca.gov, 1 +cityoflancasterpa.gov, 1 +cityoflfp.gov, 1 +cityoflodiwi.gov, 1 +cityoflompoc.gov, 1 +cityoflorettotn.gov, 1 +cityoflouisvillems.gov, 1 +cityofmadera.gov, 1 +cityofmanchestertn.gov, 1 +cityofmargaretalabama.gov, 1 +cityofmarionia.gov, 1 +cityofmaysvilleky.gov, 1 +cityofmaywoodparkor.gov, 1 +cityofmebanenc.gov, 1 +cityofmerced.gov, 1 +cityofminatarene.gov, 1 +cityofmitchellsd.gov, 1 +cityofmonroewi.gov, 1 +cityofmorgantonga.gov, 1 +cityofmte.gov, 1 +cityofmusic.be, 1 +cityofnewbuffalomi.gov, 1 +cityofnewkirkok.gov, 1 +cityofnewman.gov, 1 +cityofnichollsga.gov, 1 +cityofnovi.gov, 1 +cityofocontowi.gov, 1 +cityofpagedalemo.gov, 1 +cityofpalmdaleca.gov, 1 +cityofpearidgear.gov, 1 +cityofpeople.gent, 1 +cityofperris.gov, 1 +cityofpetersburgwv.gov, 1 +cityofpevelymo.gov, 1 +cityofpinconningmi.gov, 1 +cityofpinebluff-ar.gov, 1 +cityoframseymn.gov, 1 +cityofredding.gov, 1 +cityofrobertsidaho.gov, 1 +cityofroncevertewv.gov, 1 +cityofroyaltonmn.gov, 1 +cityofsacramento.gov, 1 +cityofsalemky.gov, 1 +cityofsanmateoca.gov, 1 +cityofsantamariaca.gov, 1 +cityofsebastopol.gov, 1 +cityofsenatobiams.gov, 1 +cityofsourlake.gov, 1 +cityofspoonerwi.gov, 1 +cityofthorp.gov, 1 +cityoftitans.com, 1 +cityoftulsa.gov, 1 +cityoftybee.gov, 1 +cityofvacaville.gov, 1 +cityofvermilionohio.gov, 1 +cityofwadley-ga.gov, 1 +cityofwakefieldmi.gov, 1 +cityofwashburnwi.gov, 1 +cityofwasilla.gov, 1 +cityofwaterfordca.gov, 1 +cityofwauchula.gov, 1 +cityofwhitneytx.gov, 1 +cityofwinonamo.gov, 1 +cityofwoodland.gov, 1 +cityofwoodward-ok.gov, 1 +cityonfire.com, 1 +citypress.cf, 1 +citypress.ga, 1 +citypress.gq, 1 +citypro.tk, 1 +cityradiusmaps.com, 1 +cityscapeinsurance.com, 1 +cityseeker.com, 1 +citysmartdmc.com, 1 +citysmile.ro, 1 +cityspin.org, 1 +citysportapp.com, 0 +citysquarenews.tk, 1 +citysteambrewery.com, 1 +citytaxiandtours.ga, 1 +citytel.ga, 1 +citytireservice.com, 1 +citytoday.it, 1 +citytourgirls.com, 1 +cityuproject.com, 1 +cityutilities.com, 1 +cityvets.co.uk, 1 +cityview.tk, 1 +cityvision.co.nz, 1 +cityvision.net.nz, 1 +cityvision.nz, 1 +cityvision.org.nz, 1 +citywalkr.com, 1 +citywidealarms.com, 1 +citywisdom.tk, 1 +cityworksonline.com, 1 +ciubotaru.tk, 1 +ciuci.us, 1 +ciuciucadou.ro, 1 +ciucobirbone.it, 1 +ciudadanosbo.com, 1 +ciudadrealtrabaja.com, 1 +ciulea.ro, 1 +civ.social, 1 +civey.com, 1 +civfund.org, 1 +civic-europe.eu, 1 +civicamente.cl, 1 +civicconnectiongroup.com, 1 +civicforum.pl, 1 +civicphotos.com, 1 +civics.us, 1 +civics.world, 1 +civictech.ngo, 1 +civicunicorn.com, 1 +civicunicorn.us, 1 +civil-works-sri.com, 1 +civilbikes.com, 1 +civilconcretellc.com, 1 +civilengineeringhandbook.tk, 1 +civilhost.tk, 1 +civillines.nl, 1 +civilsociety.su, 1 +civiltoday.com, 1 +civilunfold.com, 1 +civilvirus.tk, 1 +civmob.com, 1 +cizgikod.ga, 1 +cizz.uk, 1 +cj-espace-vert.fr, 1 +cj-jackson.com, 1 +cj26.club, 1 +cj8.de, 1 +cjc.gob.es, 1 +cjc.org.es, 1 +cjcanarias.es, 1 +cjcanarias.eu, 1 +cjcanarias.net, 1 +cjcanarias.org, 1 +cjdby.net, 1 +cjdpenterprises.com, 1 +cjdpenterprises.com.au, 1 +cjean.fr, 0 +cjenni.ch, 1 +cjey.me, 1 +cjfinance.fr, 1 +cjhzp.net, 1 +cjimmobilier.com, 1 +cjis.gov, 1 +cjr.host, 1 +cjri.uk, 1 +cjs8866.cc, 1 +cjsm.net, 1 +cjswoodworking.com, 1 +cjwagner.net, 1 +ck-energy.info, 1 +ck-la.tk, 1 +ck-pms.com, 1 +ck.cx, 1 +ck0.eu, 1 +ck1020.cc, 1 +ck12.org, 1 +ckbc.com.sg, 1 +ckcameron.net, 1 +ckcg.tk, 1 +ckdb.de, 1 +ckeke.com, 1 +ckenel.com, 1 +ckenell.com, 1 +ckenelley.com, 1 +ckenelly.com, 1 +ckenely.com, 1 +ckennel.com, 1 +ckenneley.com, 1 +ckennell.com, 1 +ckennelley.com, 1 +ckennelly.com, 1 +ckennely.com, 1 +ckgr.me, 1 +cklie.de, 1 +ckliemann.com, 1 +ckliemann.net, 1 +ckna.ca, 1 +ckostecki.de, 1 +ckp.ie, 1 +ckpl.io, 1 +ckpl.us, 1 +ckprofessionalbookkeeping.ca, 1 +ckrobotics.tk, 1 +cktennis.com, 1 +ckyalliancefinland.tk, 1 +cl-1xbet.com, 1 +cl-automotive.com, 1 +cl-cloud.spdns.org, 1 +cl.search.yahoo.com, 0 +cl0ud.hopto.org, 1 +cl0ud.space, 0 +claarycherry.com, 1 +clacetandil.com.ar, 1 +clactonfencingsupplies.co.uk, 1 +clad.cf, 1 +clague.moe, 1 +claibornecountyms.gov, 1 +claibornecountytn.gov, 1 +claim-justice.com, 1 +claimconnect.us, 1 +claimflights.at, 1 +claimflights.co.uk, 0 +claimflights.com, 0 +claimflights.de, 0 +claimflights.it, 0 +claimflights.pl, 0 +claimflights.ro, 0 +claimfreemusic.com, 1 +claimit.ml, 1 +claimitar.gov, 1 +claimittexas.gov, 1 +claimmosaic.com, 1 +claimnote.com, 1 +claimpilot.com, 1 +claims-bot-webchat-itest.azurewebsites.net, 1 +claimspharmacy.services, 1 +claimyourvoicenow.com, 1 +clairebabai.nl, 1 +clairegold.com, 1 +clairelefort-architectes.com, 1 +clairescastles.co.uk, 1 +clairette-de-die-lantheaume.fr, 1 +clairevoyance.tk, 1 +claitec.com, 1 +clak.io, 1 +clalbit-checknet.co.il, 1 +clallamcountywa.gov, 1 +clamatohalloffame.com, 1 +clan-afa.tk, 1 +clan-behh.tk, 1 +clan-destin.tk, 1 +clan-doom.tk, 1 +clan-finaldestination.tk, 1 +clan-hosting.tk, 1 +clan-ogm.tk, 1 +clan-ready4war.tk, 1 +clan-wars.ml, 1 +clan-ww.com, 1 +clan-zone.dk, 1 +clancrazy.tk, 1 +clandarkworld.tk, 1 +clanebouncycastles.com, 1 +claneros.tk, 1 +clankron.tk, 1 +clanlaw.tk, 1 +clanlegends.tk, 1 +clanmacbran.tk, 1 +clanrose.org.uk, 1 +clansty.com, 1 +clantemplates.tk, 1 +clanto.shop, 1 +clantonal.gov, 1 +clanwarz.com, 1 +clanwub.dk, 1 +clapbacks.com, 1 +clapcafe.com, 1 +clapping-rhymes.com, 1 +claptrap.tk, 1 +clara-solis.eu, 1 +clara.de, 1 +claraanalytics.com, 1 +clarachampbell.com, 1 +clarasegura.tk, 1 +clare3dx.com, 1 +claremontyachtclub.org.au, 1 +clarendon.network, 1 +clarendonvt.gov, 1 +claresderibota.tk, 1 +claretandbluearmy.tk, 1 +clarilog.com, 1 +clarinet.ga, 1 +clarinexonline.gq, 1 +clario.co, 1 +clarionpolicepa.gov, 1 +clarisights.com, 0 +clarisonicmiareview.tk, 1 +clarissalund.com, 1 +clariti-health.com, 1 +claritician.com, 1 +claritin.gq, 1 +claritin.ml, 1 +clarity-c2ced.appspot.com, 1 +claritydesignworks.com, 1 +clarityskin.com, 1 +clark.de, 1 +clarkassociatesinc.biz, 1 +clarkbuildersllc.com, 1 +clarkcoky.gov, 1 +clarkcommagere.com, 1 +clarkcountyar.gov, 1 +clarkcountynv.gov, 1 +clarkcountywi.gov, 1 +clarkecoenergy.com, 1 +clarkelectricalservices.com.au, 1 +clarkfoodserviceequipment.biz, 1 +clarkhowell.com, 1 +clarkinc.biz, 1 +clarkltl.com, 1 +clarkmerrick.com, 1 +clarknationalaccounts.com, 1 +clarkpro.biz, 1 +clarksburgma.gov, 1 +clarksgreenhouse.com, 1 +clarkstatecontract.com, 1 +clarkstown.gov, 1 +clarksvilletn.gov, 1 +clarkturnkey.com, 1 +clarktwpmi.gov, 1 +clarkwinkelmann.com, 1 +clarotvpromocao.com.br, 1 +claroty.com, 1 +clarr.tk, 1 +claryssabarbosa.com.br, 1 +clasa-mea.tk, 1 +clase3.tk, 1 +clash-movies.de, 1 +clashclans.pl, 1 +clashersrepublic.com, 1 +clashoflights.ga, 1 +clashpost.com, 1 +class-zone.tk, 1 +class.com.au, 1 +class66.tk, 1 +classbasic.com, 1 +classcreator.io, 1 +classdesignhome.com, 1 +classdojo.com, 1 +classentials.com, 1 +classic-diva.cf, 1 +classic-diva.ga, 1 +classic-diva.ml, 1 +classicalchaos.tk, 1 +classicalpilates.ca, 1 +classicbakes.com, 1 +classiccrew.tk, 1 +classiccrewhaiti.tk, 1 +classiccutstupelo.com, 1 +classicdriver.com, 1 +classicfg.com.au, 1 +classichits.tk, 1 +classichorrormovie.tk, 1 +classichorrornetwork.tk, 1 +classichost.gq, 1 +classicmagazine.ml, 1 +classicnova.com, 1 +classicnovaandperformance.com, 1 +classics.io, 1 +classicstories.tk, 1 +classictheatrecumbria.co.uk, 1 +classificadostodaoferta.tk, 1 +classifiedspoint.tk, 1 +classiques-garnier.com, 1 +classlastsforever.co.nz, 1 +classpoint.cz, 1 +classroom.google.com, 1 +classroomconductor.com, 1 +classsitterers.ga, 1 +classsitterest.ga, 1 +classx.tk, 1 +classyng.com, 1 +claster.it, 1 +clatsopcounty.gov, 1 +claude.me, 1 +claude.photo, 1 +claudeleveille.com, 0 +claudia-halfter.de, 1 +claudia-makeup.com, 1 +claudiahalfter.de, 1 +claudiasnederlandsehangoordwergjes.tk, 1 +claudiney.eti.br, 1 +claudiney.id, 1 +claudiney.info, 1 +claudiohdz.com, 1 +claumarservice.com, 1 +claunchdesign.com, 1 +claus-bahr.de, 1 +claus-cremer.tk, 1 +clausematch.com, 1 +clauseriksen.net, 0 +clausewitz-gesellschaft.de, 1 +claustrofobia.tk, 1 +clautopieces.fr, 1 +clav1d.com, 1 +clavit4.zone, 1 +clawe.de, 1 +clawedfrogs.tk, 1 +claycountyne.gov, 1 +clayelections.gov, 1 +claygregory.com, 1 +claypenblanks.com, 1 +claytonca.gov, 1 +claytoncapolice.gov, 1 +claytoncondon.com, 1 +claytonjunior.tk, 1 +claytwpmi.gov, 1 +clb.org.hk, 1 +clbmconsultancy.com, 1 +clco.fr, 1 +clcv-brest.fr, 1 +cldejessey.com, 1 +cldfile.com, 1 +cldinc.com, 1 +cldly.com, 1 +clean-cubes.com, 1 +clean-mailbox.com, 1 +clean-servicee.com, 1 +clean-water-and-sanitation.tk, 1 +cleanclearwater.co.uk, 1 +cleandetroit.org, 1 +cleandrains.com.au, 1 +cleanenergy.gov, 1 +cleanenergywire.org, 1 +cleanequip.com.au, 1 +cleaner-en.com, 1 +cleaner.tk, 1 +cleanertoday.com, 1 +cleanertool.co.uk, 1 +cleanfacesest.ga, 1 +cleanforce.ca, 1 +cleanhortihigienizados.com.br, 1 +cleaningbyrosie.com, 0 +cleaningcarpet.ga, 1 +cleaningservicejulai.com, 1 +cleaningsolutioncorp.com, 1 +cleaningwarehouse.ie, 1 +cleankey.jp, 0 +cleanmycurtains.ie, 1 +cleanmyfloor.ie, 1 +cleanmymattress.ie, 1 +cleanmyupholstery.ie, 1 +cleanrun.com, 1 +cleansheetsaz.com, 1 +cleanshield99.com, 1 +cleanslate.sh, 1 +cleanspeak.com, 1 +cleansweepaa.com, 1 +cleanuri.com, 1 +cleanway.dk, 1 +cleanweb.solutions, 1 +cleanzer.id, 1 +clear-eyes.se, 1 +clearbit.com, 1 +clearbooks.co.uk, 1 +clearbookscdn.uk, 1 +clearbrand.com, 1 +clearbreezesecuritydoors.com.au, 1 +clearchatsandbox.com, 1 +clearcreekcountyco.gov, 1 +clearcreekcountydronepilot.com, 1 +cleared.io, 1 +clearer.cloud, 1 +clearfieldcountypa.gov, 1 +clearfieldpa.gov, 1 +cleargage.com, 1 +cleargoals.com, 1 +cleargrain.com.au, 1 +cleargrowshine.com, 1 +clearhumor.tk, 1 +clearip.com, 1 +clearlakechildrenscenter.com, 1 +clearlawinstitute.com, 1 +clearmatics.com, 1 +clearpay.co.uk, 1 +clearsafetalk.com, 1 +clearsailingproperties.com, 1 +clearsoftcomputacion.com, 1 +clearspringinsurance.com, 1 +clearstep.health, 1 +clearstoneip.com, 1 +cleartheear.co.uk, 1 +clearview-creative.com, 1 +clearviewok.gov, 1 +clearviewwealthprojector.com.au, 1 +clearvoice.com, 1 +clearvoice.org, 0 +clearvoice1.com, 1 +clearvoiceu.com, 0 +clearwateragency.com.au, 1 +clearwaterbidets.com, 1 +clearwatercountyid.gov, 1 +clearwatercountymn.gov, 1 +clearwaterseries.tk, 1 +clearwatersexhealth.com, 1 +cleary.xyz, 1 +cleelandspecialists.com.au, 1 +cleelum.gov, 1 +clegc-gckey.gc.ca, 1 +clemdesign.eu, 1 +clemenceroofing.co.uk, 1 +clemency.com, 1 +clemens-bartz.de, 1 +clemensbartz.de, 1 +clemenscompanies.com, 1 +clemenshermanns.de, 1 +clement-gruin.fr, 1 +clementavenue.co.uk, 1 +clementfevrier.fr, 1 +clementlodge.co.uk, 1 +clementluck.com, 1 +clementsfamily.co, 1 +clendeninwv.gov, 1 +cleo.com, 1 +cleocinonline.gq, 1 +cleova.com, 1 +cles-asso.fr, 1 +cles.jp, 1 +clevelandheights.gov, 1 +clevelandokla.com, 1 +clever-datenschutz.de, 1 +clever-invest.cf, 1 +clever-invest.ga, 1 +clever-invest.gq, 1 +clever-reisen.tk, 1 +cleverbots.ru, 1 +cleverbowling.com, 1 +clevercoaching.nl, 1 +cleverdarts.com, 1 +cleverdeal.tk, 1 +cleverlance.de, 1 +cleverlance.es, 1 +cleverlance.sk, 1 +clevermemo.com, 1 +clevermo.gov, 1 +cleveroad.com, 1 +cleveronmobility.com, 1 +cleverskateboard.com, 1 +clevertarget.ru, 1 +cleververmarkten.com, 1 +cleververmarkten.de, 1 +clevisto.com, 1 +clevon.com, 1 +clevon.us, 1 +clevoninvestors.com, 1 +clevvi.com.au, 0 +clevyr.ai, 1 +clevyr.biz, 1 +clevyr.careers, 1 +clevyr.co, 1 +clevyr.com, 1 +clevyr.email, 1 +clevyr.expert, 1 +clevyr.info, 1 +clevyr.me, 1 +clevyr.mobi, 1 +clevyr.ninja, 1 +clevyr.org, 1 +clevyr.shop, 1 +clevyr.store, 1 +clevyr.us, 1 +clevyr.work, 1 +clevyrapps.com, 1 +clevyrcares.com, 1 +clevyrcreative.com, 1 +clevyrgames.com, 1 +clevyrhosting.com, 1 +clevyrhub.com, 1 +clevyrlabs.com, 1 +clevyrnode.com, 1 +clevyrnodejs.com, 1 +clevyrstream.com, 1 +clevyrstreamjs.com, 1 +clevyrstudios.com, 1 +clevyrvr.com, 1 +cleysense.com, 0 +clic-music.com, 1 +clic29.fr, 1 +clica.net, 1 +click-7979.com, 1 +click-cat.tk, 1 +click-generator.com, 1 +click2affiliate.xyz, 1 +click4click.ga, 1 +clickandclaim.me, 1 +clickapro.com, 1 +clickbasin.co.uk, 1 +clickcell.tk, 1 +clickclickfish.com, 1 +clickclickmalware.com, 1 +clickclickphish.com, 1 +clickclickvirus.com, 1 +clickclock.cc, 1 +clickcollect.boutique, 1 +clickdebateest.ga, 1 +clickdefense.io, 1 +clickdocs.ca, 1 +clickedu.net, 1 +clickenergy.com.au, 1 +clickfinger.net, 1 +clickforum.cf, 1 +clickfreescore.com, 1 +clickhelp.com, 1 +clickheretobegin.tk, 1 +clickhost.com.au, 1 +clickhouse.tech, 1 +clickinfo.tk, 1 +clickingmad.com, 1 +clickipo.com, 1 +clickkon.ml, 1 +clickmeeting.com, 1 +clickpeak.digital, 1 +clickphobia.ga, 1 +clickpress.tk, 1 +clickrecados.tk, 1 +clickrising.com, 1 +clicks24.cf, 1 +clicksacolas.com, 1 +clickseek.in, 1 +clicksengage.com, 1 +clickspeedtest.net, 1 +clickstart.ml, 1 +clicktenisdemesa.com.br, 0 +clicktest.cf, 1 +clicktheright.top, 0 +clicktodiscount.com, 1 +clicktolinkb.gq, 1 +clicktrans.com, 1 +clicktrans.de, 1 +clicktrans.es, 1 +clicktrans.it, 1 +clicktrans.pl, 1 +clickzone.ga, 1 +clicoclick.com, 1 +clien.net, 1 +client.coach, 0 +client.photos, 1 +client24.tk, 1 +clientboss.com, 1 +clientcms.co.uk, 1 +clientify.com, 1 +clientpay.com, 0 +clientportal.com, 1 +clientportal.photo, 1 +cliff-rilly-website.tk, 1 +cliffbreak.de, 1 +cliffburton.tk, 1 +clifflu.net, 1 +cliftonaz.gov, 1 +clik.ga, 1 +clima.vip, 1 +climaencusco.com, 1 +climaffaires.com, 1 +climamulti.com.br, 1 +climate.biz, 1 +climatecrafters.com, 1 +climatejustice.nyc, 1 +climatetax.com, 1 +climatgate.tk, 1 +climaticequipment.tk, 1 +climatizzatore.it, 0 +climatizzatore.roma.it, 1 +climatizzatoriprezzi.it, 1 +climaventa.net, 1 +climaverde.gr, 1 +climb4achild.org, 1 +climbernews.com, 1 +climbing.tk, 1 +climbinggear.info, 1 +climbinghouse.com, 1 +climbsoill.com, 1 +climeradar.com, 1 +clinchcountyga.gov, 1 +clindamycin-150mg.ga, 1 +clindamycin-phosphate.ga, 1 +clindamycin.gq, 1 +clindamycinantibiotic.cf, 1 +clindamycinantibiotic.ga, 1 +clindamycinantibiotic.gq, 1 +clindamycinantibiotic.tk, 1 +clindamycinprice.tk, 1 +clindoeilmontagne.com, 0 +clingout.com, 1 +clinic-manager.academy, 1 +clinic-narcom.ru, 1 +clinica.zapto.org, 1 +clinicaarques.es, 1 +clinicadeesteticacontagem.com.br, 1 +clinicadentalados.com, 1 +clinicadentalayomunoz.com, 1 +clinicadentalhome.com, 1 +clinicadoctormit.ro, 1 +clinicaeiger.cl, 1 +clinicaeliana.com, 1 +clinicaesteticabhprime.com.br, 1 +clinicaferrusbratos.com, 0 +clinicalrehabilitation.info, 1 +clinicalstats.ga, 1 +clinicaltrialpodcast.com, 1 +clinicaltrials.gov, 1 +clinicamagdalena.com.co, 1 +clinicarayanelacerda.com.br, 1 +clinicaresplandecer.com.br, 1 +clinicasantodomingo.cl, 1 +clinicaschirmer.com, 1 +clinicasesteticas.com.br, 1 +clinicasmedicas.com.br, 1 +clinicasveterinarias.info, 1 +clinicatorino.com.br, 1 +clinicortinascali.com, 1 +clinicos.cl, 1 +cliniko.com, 1 +clinique-ser.ca, 1 +cliniquecomplementaire.com, 1 +cliniquedacupuncturelajeunesse.com, 1 +cliniquevethuy.be, 1 +clinlife.com, 1 +clinlife.de, 1 +clinlife.us, 1 +clinpharm.vn, 1 +clinsoftcsd.com, 1 +clinstatdevice.com, 1 +clintburnett.com, 1 +clinthorne.com, 1 +clintonbloodworth.com, 1 +clintoncomo.gov, 1 +clintoncountyin.gov, 1 +clintoncountyny.gov, 1 +clintoncountypa.gov, 1 +clintonlibrary.gov, 1 +clintonoh.gov, 1 +clintonohfire.gov, 1 +clintonsavings.com, 1 +clintontwpnj.gov, 1 +clintonvillewi.gov, 1 +clio-dev2.com, 1 +cliomi.gov, 1 +clip-hair.net, 1 +clip.cafe, 1 +clipchamp.com, 1 +clipclip.com, 1 +clips.ga, 1 +cliqit.com.au, 1 +cliquetis.ddns.net, 1 +cliqz.com, 1 +clirnet.com, 1 +clive.io, 1 +cliveptr.cc, 1 +clkbw.com, 1 +clkdmg.site, 1 +clmbr.ch, 0 +clmde.de, 1 +clmz.nl, 1 +clnc.to, 1 +clnlboard.co.uk, 1 +clnnet.ch, 1 +clnshrk.club, 0 +cloaked.ch, 0 +clochix.net, 1 +clock3.com, 1 +clockcaster.com, 1 +clockka.com, 1 +clockka.it, 1 +clocklab.design, 1 +clocklink.com, 1 +clockster.com, 0 +clodo.it, 1 +clodoteam.ga, 1 +cloeri.com, 1 +clojurefactory.io, 1 +clojurescript.ru, 1 +clokdways.com, 1 +clomid100mg.ga, 1 +clomid50mg.cf, 1 +clomid50mg.ml, 1 +clomidformen.tk, 1 +clomidonline.tk, 1 +clomiphene.gq, 1 +clonekicks.nu, 1 +cloneprint.com, 1 +cloneuniverse.com, 1 +cloneuniverse.de, 1 +clonidine-hydrochloride.ga, 1 +clonix.tk, 1 +clonoe.tk, 1 +clonyitaly.tk, 1 +clooi.tk, 1 +cloppenburg-autmobil.com, 1 +cloppenburg-automobil.com, 1 +cloppenburg-gruppe.de, 1 +clorinda.tk, 1 +clorophilla.net, 1 +cloroxpro.com, 1 +closecross.com, 1 +closeli.cn, 1 +closeli.com, 1 +closelinksecurity.co.uk, 1 +closelinksecurity.com, 1 +closernow.tk, 1 +closetedsoul.com, 1 +closets-cheap.tk, 1 +closingholding.com, 1 +closingthegap.gov.au, 1 +closrr.cloud, 1 +closrr.com, 1 +clothes-for-school.tk, 1 +clothilde-wattelier.fr, 1 +clothing-2010.tk, 1 +clothing-for-women.tk, 1 +clothingforcamping.com, 1 +clothingjeans.tk, 1 +clothoff.io, 1 +cloturefrost.net, 1 +cloud-glaeser.dedyn.io, 1 +cloud-hair.jp, 1 +cloud-lines.ml, 1 +cloud-screen.com, 1 +cloud-world.tk, 1 +cloud.bugatti, 1 +cloud.fail, 1 +cloud.google.com, 1 +cloud.gov, 1 +cloud1.nl, 1 +cloud10.io, 1 +cloud10solutions.technology, 1 +cloud24.kz, 1 +cloud24x7.us, 1 +cloud255.com, 1 +cloud42.ch, 0 +cloud4c.com, 1 +cloud9bouncycastlehire.com, 1 +cloud9vets.co.uk, 1 +cloudads.ga, 1 +cloudads.ml, 1 +cloudalice.com, 1 +cloudalice.net, 1 +cloudapps.digital, 1 +cloudatabases.com, 1 +cloudatedge.com, 1 +cloudav.pt, 1 +cloudbees.ai, 1 +cloudbees.com, 1 +cloudbees.io, 1 +cloudberlin.goip.de, 1 +cloudbleed.info, 1 +cloudboard.fr, 1 +cloudbook.wiki, 1 +cloudbool.com, 1 +cloudbreaker.net, 1 +cloudbrothers.info, 0 +cloudbytesconnect.com, 1 +cloudcaprice.net, 1 +cloudcastles.xyz, 1 +cloudcert.org, 1 +cloudchart.site, 1 +cloudcloudcloud.cloud, 1 +cloudcomputingtechnologies.com, 1 +cloudcraftmc.de, 1 +cloudcybersecure.com, 1 +clouddark.xyz, 1 +clouddaten.de, 1 +clouddesk.co.uk, 1 +clouddog.com.br, 1 +clouddomain.tk, 1 +clouddownloader.net, 1 +cloudeezy.com, 1 +cloudengage.com, 1 +cloudera.com, 1 +cloudevolutionforum.com.br, 1 +cloudey.net, 1 +cloudfast.cf, 1 +cloudfilecomputer.ga, 1 +cloudfiles.at, 1 +cloudfinders.cf, 1 +cloudfit.tech, 1 +cloudflare-dns.com, 1 +cloudflare.com, 1 +cloudflare.irish, 1 +cloudflareonazure.com, 1 +cloudforce.com, 1 +cloudfree.shop, 1 +cloudfree.top, 1 +cloudfudge.com, 1 +cloudhero.ai, 1 +cloudia.org, 1 +cloudily.com, 1 +cloudimproved.com, 1 +cloudimprovedtest.com, 1 +cloudindex.io, 1 +cloudinfinit.com, 1 +cloudinnovation.design, 1 +cloudit.co, 1 +cloudix.cf, 1 +cloudlandmark.com, 1 +cloudlessdreams.com, 0 +cloudlfront.net, 1 +cloudlight.biz, 1 +cloudmanagedbuilding.com, 1 +cloudmanagedbuildings.com, 1 +cloudmarathi.work, 1 +cloudmarket.com.br, 0 +cloudmax.es, 1 +cloudmigrator365.com, 1 +cloudmoney.tk, 1 +cloudmyhome.site, 1 +cloudmyhome.top, 1 +cloudnexusit.com, 1 +cloudnote.cc, 1 +cloudnovi.com, 1 +cloudns.net, 1 +cloudofertas.com.br, 1 +cloudoptimizedsmb.com, 1 +cloudoptimus.com, 1 +cloudpagesforwork.com, 1 +cloudpengu.in, 1 +cloudplan.nl, 1 +cloudpole.de, 1 +cloudpublic.pro, 1 +cloudrive.cf, 1 +cloudscribe.com, 1 +cloudse.co.uk, 1 +cloudsec.tk, 1 +cloudsecurityalliance-europe.org, 1 +cloudsecurityalliance.ai, 1 +cloudsecurityalliance.ca, 1 +cloudsecurityalliance.cloud, 1 +cloudsecurityalliance.cn, 1 +cloudsecurityalliance.com, 1 +cloudsecurityalliance.events, 1 +cloudsecurityalliance.net, 1 +cloudsecurityalliance.org, 1 +cloudsecurityalliance.training, 1 +cloudsecurityalliancelabs.com, 1 +cloudsecuritycommunity.org, 1 +cloudsecuritycongress.net, 1 +cloudsecuritycongress.org, 1 +cloudseptam.fr, 1 +cloudsharp.io, 1 +cloudshiftgroup.co.uk, 1 +cloudsign.jp, 1 +cloudskill.in, 1 +cloudsmart.tech, 1 +cloudsmith.com, 0 +cloudsms.com, 1 +cloudspace-analytics.com, 1 +cloudspeedy.net, 1 +cloudspire.net, 1 +cloudstoragecompare.com, 1 +cloudstored.nl, 1 +cloudstress.ga, 1 +cloudsweeper.com, 1 +cloudsweeper.de, 1 +cloudsys.dnsalias.net, 1 +cloudteam.de, 1 +cloudtelemanagement.com, 1 +cloudtocloud.ddns.net, 0 +cloudtocloud.tk, 1 +cloudtropia.de, 1 +cloudtskr.com, 1 +cloudturing.chat, 1 +cloudturing.com, 1 +cloudu.de, 1 +cloudup.com, 1 +cloudvoor.eu, 1 +cloudvoor.net, 1 +cloudvoor.nl, 1 +cloudwajs.com, 1 +cloudwalk.io, 0 +cloudwave.fr, 1 +cloudwayc.com, 1 +cloudwayds.com, 1 +cloudwayq.com, 1 +cloudways.cm, 1 +cloudwebservices.nl, 1 +cloudwellmarketing.com, 1 +cloudwithlightning.net, 1 +cloudyun.top, 1 +cloudzentechnologies.com, 1 +clouglobal.com, 0 +cloutcloset.ga, 1 +clouvways.com, 1 +clouwways.com, 1 +clouz.de, 1 +clover-sendai.com, 1 +cloverleafmoving.com, 1 +cloversonoma.com, 1 +clovertwo.com, 1 +clovisoncology.com, 1 +clovisplumbingservices.com, 1 +clovorin.gq, 1 +clowd.haus, 1 +clowd.ovh, 1 +clown-clan.tk, 1 +clown-workshop.de, 1 +clown-zappo.de, 1 +clownish.co.il, 1 +cloxy.com, 1 +cloydnco.com, 1 +cloydnco.com.jm, 1 +cloydncojamaica.com.jm, 1 +cloyes.com, 1 +cloze.com, 1 +clpoule.nl, 1 +clr3.com, 1 +cls.im, 1 +clsimage.com, 1 +clsmalta.eu, 1 +clsoft.ch, 1 +clu-in.org, 1 +cluadmin.de, 1 +club-adulti.ro, 1 +club-creole.com, 1 +club-dieta.ru, 1 +club-dresses.cf, 1 +club-duomo.com, 1 +club-eclipse.tk, 1 +club-ed.com, 1 +club-leondehuanuco.tk, 1 +club-nautique-sainte-maxime.fr, 1 +club-night.tk, 1 +club-no4.de, 1 +club-oz.tk, 1 +club-premiere.com, 1 +club-reduc.com, 1 +club-slow.jp, 1 +club-soul.tk, 1 +club-transformation-digitale.com, 1 +club.zj.cn, 1 +club10x.com, 1 +clubanimal.cl, 1 +clubapk.com, 1 +clubarbuz.ru, 1 +clubatleticonacionalpotosi.tk, 1 +clubauto.guru, 1 +clubbers-comtois.tk, 1 +clubcollinssquare.com.au, 1 +clubcompetition.co.uk, 1 +clubcorolla.cf, 1 +clubcorsavenezuela.com, 0 +clubcupido.com.br, 1 +clubdeportivocieza.tk, 1 +clubdeslecteurs.net, 1 +clubduvieuxmanoir.fr, 1 +clubeamizade.com, 1 +clubeamizade.com.pt, 1 +clubeamizade.pt, 1 +clubedalutashop.com, 1 +clubedaquimica.tk, 1 +clubedegeografia.tk, 1 +clubedoberloque.com.br, 1 +clubedohardware.com.br, 1 +clubedores.com.br, 1 +clubeflor.com.br, 1 +clubegls.com, 1 +clubegls.com.pt, 1 +clubegolfpt.com, 1 +clubeighteen.tk, 1 +clubempleos.com, 1 +clubeohara.com, 1 +cluberiks.cf, 1 +cluberiks.ga, 1 +cluberiks.gq, 1 +clubetravel.biz, 1 +clubetravel.com, 1 +clubetravel.com.br, 1 +clubetravel.com.pt, 1 +clubetravel.net, 1 +clubetravel.org, 1 +clubexpress.com, 1 +clubfactory.ml, 1 +clubfailed.tk, 1 +clubfamily.de, 1 +clubforce.com, 1 +clubfunday.ga, 1 +clubgalileo.com.ec, 1 +clubgenesis.tk, 1 +clubgls.com, 1 +clubhouseohio.org, 1 +clubhousetownhomes.com, 0 +clubic.com, 1 +clubinhodobaby.com.br, 1 +clubkalinka.tk, 1 +clubkuzmich.ru, 1 +clublevelsports.com, 1 +clublibertad.tk, 1 +clublime.com.au, 1 +clubmagellan.tk, 1 +clubmahindra.com, 1 +clubmania.tk, 1 +clubmarina.store, 1 +clubmate.rocks, 1 +clubmini.jp, 1 +clubminimansiones.tk, 1 +clubnature.tk, 1 +clubni.tk, 1 +clubnoetig-ink2g.de, 1 +cluboc.site, 1 +clubon.space, 1 +clubpes.tk, 1 +clubpeugeot405.tk, 1 +clubserveers.ga, 1 +clubsuccessjapan.com, 1 +clubtamarugal.tk, 1 +clubtecknocore.tk, 1 +clubtraining.com.au, 1 +clubtravel.com.pt, 1 +clubtur.dk, 1 +clubvodoley.ru, 1 +clubvttlesloupsdemaixe.tk, 1 +clubvwgolf.com, 1 +clubzap.org, 1 +clubzero.co, 1 +clubzul.com, 1 +cluedosenvivo.com, 1 +cluefluest.ga, 1 +clueless.ga, 1 +clueless.tk, 1 +cluelesscraft.com, 1 +cluin.org, 1 +cluj.apartments, 1 +cluj.help, 1 +clush.pw, 1 +cluster.biz.tr, 1 +cluster446.fr, 1 +clusterfuck.nz, 1 +clustermaze.net, 1 +clutch.ua, 1 +clvr.sh, 1 +clvs7.com, 0 +clweb.ch, 1 +clwrota.com, 1 +clycat.ru, 1 +clyde-tx.gov, 1 +clydewi.gov, 1 +cm-agueda.pt, 1 +cm-funchal.pt, 1 +cm-law.eu, 1 +cm-loures.pt, 1 +cm-penalvadocastelo.pt, 1 +cm-pombal.pt, 1 +cm-portimao.pt, 1 +cm-ribeiragrande.pt, 1 +cm-terrasdebouro.pt, 0 +cm-valenca.pt, 0 +cm-viladobispo.pt, 1 +cm-vizela.pt, 1 +cm-vpaguiar.pt, 1 +cm1xbet.com, 1 +cm3.pw, 0 +cmaa.it, 1 +cmadeangelis.it, 1 +cmalet-avocat.fr, 1 +cmavs.com, 1 +cmbeautiful.com, 1 +cmbs.loans, 1 +cmc.pt, 0 +cmcbank.co.in, 1 +cmcc.network, 1 +cmcjanuary.in, 1 +cmcressy.ch, 1 +cmd2021acm.com, 1 +cme-colleg.de, 1 +cmetana.tk, 1 +cmf.qc.ca, 1 +cmfaccounting.com, 0 +cmfcuro.com, 1 +cmftech.com, 1 +cmfuchs.de, 1 +cmi.no, 1 +cmillrehab.com, 1 +cmkr.at, 1 +cmlachapelle.ch, 1 +cmlcpa.ca, 1 +cmlex.com, 1 +cmlignon.ch, 1 +cmmcinfo.org, 1 +cmn-group.com, 0 +cmn-groupe.com, 0 +cmngroup.com, 0 +cmngroupe.com, 0 +cmonlien.fr, 1 +cmperalta.tk, 1 +cmplainpalais.ch, 1 +cmprecisiontech.com, 1 +cmrconstructions.com.au, 1 +cmrlink.org, 1 +cmrnw.com, 1 +cms-mania.tk, 1 +cms-service24.de, 1 +cms-weble.jp, 1 +cms-world.co.jp, 1 +cmsasia.co, 1 +cmscompany.de, 1 +cmsdca.gov, 1 +cmserviscz.cz, 0 +cmskeyholding.co.uk, 1 +cmskeyholding.com, 1 +cmskh.co.uk, 1 +cmsnl.com, 1 +cmsonline.com, 1 +cmsua.ca, 1 +cmtportal.co.uk, 1 +cmtso.com, 1 +cmv.gr, 1 +cmweb.xyz, 1 +cn.search.yahoo.com, 0 +cn2euportugal.com, 1 +cn8522.com, 1 +cna-ecuador.com, 1 +cna.com.br, 1 +cnabogota.tk, 1 +cnairgroupstore.com, 1 +cnam-idf.fr, 1 +cnatraining.network, 1 +cnb.ie, 1 +cnb1901.com, 1 +cnbs.ch, 1 +cnc-lehrgang.de, 1 +cncexplorer.com, 1 +cncfraises.fr, 1 +cncn3.cn, 1 +cncollege.tk, 1 +cncr.ga, 1 +cncs.gov.pt, 1 +cnetw.xyz, 1 +cnews.ru, 1 +cnexchange.com, 1 +cnfei.com, 1 +cnfree.xyz, 1 +cngf.com, 1 +cngvp.org, 1 +cni-certing.it, 1 +cni.net.id, 1 +cniec.com, 1 +cnil.fr, 1 +cnipv6.com, 1 +cnitdog.com, 1 +cnki.com, 1 +cnlic.com, 1 +cnlongtex.com, 1 +cnmi.gov, 1 +cnmilaw.gov, 1 +cnnet.in, 1 +cnnumerique.fr, 1 +cnocsp.com, 1 +cnopera.com, 1 +cnp.ovh, 1 +cnpkg.org, 1 +cnpy.gdn, 1 +cnslub.ru, 1 +cnss.gob.do, 1 +cntraveller.com, 1 +cnvt.fr, 1 +cnxiangxian.com, 1 +co-construisonsdemain.org, 1 +co-founder-stuttgart.de, 1 +co-store.com, 1 +co-yutaka.com, 1 +co.fo, 1 +co.lu, 1 +co.search.yahoo.com, 0 +co.td, 1 +co2eco.cn, 0 +co2fr.ee, 0 +co3app.com, 1 +coa.gov.ph, 1 +coach-enligne.fr, 1 +coach-hpe.ch, 0 +coach.org.uk, 1 +coachablebyabel.nl, 1 +coachbakery.com, 1 +coaches-website.de, 1 +coachinfopreneur.com, 1 +coaching-aus-leidenschaft.com, 1 +coaching-harmonique.fr, 1 +coaching-impulse.ch, 0 +coaching-in-veenendaal.nl, 1 +coaching-oberhavel.de, 1 +coachingausbildungde.com, 1 +coachingforleaders.com, 1 +coachingmillenium.com, 1 +coachingsantcugat.cat, 1 +coachjehond.nl, 1 +coachment.dk, 1 +coactive.ai, 1 +coag.gov.au, 1 +coagclinic.com, 1 +coalitieduurzamedigitalisering.nl, 1 +coalition.tk, 1 +coalmen.ga, 1 +coalpointcottage.com, 1 +coalvillebasketball.tk, 1 +coaojarlos.tk, 1 +coasa.me, 1 +coassessment.com, 1 +coast.tk, 1 +coastalmotorcoach.com, 1 +coastalpayroll.net, 1 +coastalphysie.com, 1 +coastalpointe.com, 1 +coastalsignsplus.com, 1 +coastline.net.au, 1 +coastnews.cf, 1 +coathangastrangla.com, 1 +coathangastrangler.com, 1 +coathangerstrangla.com, 1 +coathangerstrangler.com, 1 +coating-equipment.com, 1 +coats-and-jackets.tk, 1 +coatsandcocktails.org, 1 +cobaka.tk, 1 +cobaltia.org, 1 +cobbcountygeorgia.ml, 1 +coberturaplus.com, 1 +cobitis.net, 1 +cobiz.nl, 1 +coboxviagens.com.br, 1 +cobracastles.co.uk, 1 +cobralelie.nl, 1 +cobranzasimg.com, 1 +coc.de, 1 +cocaine.ninja, 1 +cocaine.wiki, 1 +cocalc.com, 1 +cocareonline.com, 1 +coccinellaskitchen.com, 1 +coccinellaskitchen.de, 1 +coccinellaskitchen.it, 1 +coccinellepratas.com.br, 1 +coccolebenessere.it, 1 +cochem-zell-online.de, 1 +cochem-zell.de, 1 +cocheriagori.com.ar, 1 +cochesaescala.tk, 1 +cochesteledirigidos.net, 1 +cochin-brahma.tk, 1 +cochise.gov, 1 +cochranwriting.com, 1 +cocina.guru, 1 +cocinaconalegria.shop, 1 +cocinandoenelsalnes.com, 1 +cocinasazahara.tk, 1 +cocinoyo.com, 1 +cock.lt, 1 +cockedey.in, 1 +cockerspanielamericano.com.br, 1 +cockerspanielingles.com.br, 1 +cockfile.com, 1 +cockmonkey.tk, 1 +cocktail.network, 1 +cocktailwebbook.com, 1 +cockybot.com, 1 +coco-01.gq, 1 +coco-apo.de, 1 +coco-cool.fr, 1 +coco-line.ch, 1 +coco.one, 1 +cocoa-job.jp, 1 +cocoafl.gov, 1 +cocoamexico.com, 1 +cocobollo-sallanches.com, 1 +cocobrother.ddnss.de, 1 +cocodroid.com, 0 +cocogoat.work, 1 +cocogolfcarts.com, 1 +cocokmobi.ga, 1 +cocolink.jp, 1 +cocomelody.com, 0 +cocomelody.jp, 1 +coconutguy.gq, 1 +coconutoil.ml, 1 +coconuts-fashion.gr, 1 +cocopah.gov, 1 +cocopipeline-br-development.herokuapp.com, 1 +cocoscastles.co.uk, 1 +cocosunbeds.co.uk, 1 +cocounty.org, 1 +cocowine.com, 1 +cocresa.tk, 1 +cocula.net, 1 +cocyou.ooo, 1 +cocytus.services, 1 +cod-ggw.ml, 1 +cod4mw.fr, 1 +cod88.cc, 1 +coda-erfurt.de, 1 +coda.io, 1 +coda.world, 1 +coda18.gov, 1 +coda23.gov, 1 +codabix.com, 1 +codabix.de, 1 +codandn.com, 1 +code-35.com, 0 +code-in-plate.tk, 1 +code-judge.tk, 1 +code-maze.com, 1 +code-poets.co.uk, 1 +code-server.host, 1 +code-vikings.de, 1 +code-well.com, 1 +code.cool, 1 +code.facebook.com, 0 +code.fm, 1 +code.google.com, 1 +code.gov, 1 +code4.hk, 1 +code9000.be, 1 +codeandpeace.com, 1 +codeandsupply.co, 1 +codeberg.org, 1 +codebot.tk, 1 +codebrahma.com, 0 +codebrasileiro.tk, 1 +codebreak.tk, 1 +codebreakers.it, 1 +codecatalyst.aws, 1 +codeclouds.com, 1 +codeclub.gq, 1 +codecolliders.com, 1 +codecommunity.io, 1 +codecool.com, 1 +codecrew.us, 1 +codectron.com, 1 +codedbyjim.nl, 1 +codedelarouteenligne.fr, 1 +codedo.info, 0 +codedump.net, 1 +codeeclipse.com, 1 +codefaq.org, 1 +codefather.ml, 1 +codeferm.com, 1 +codefionn.eu, 1 +codefive.co.uk, 1 +codefordus.de, 1 +codefordus.nrw, 1 +codefoundry.it, 0 +codegen.ca, 1 +codegirl.tk, 1 +codeguided.com, 1 +codehangar.io, 1 +codehelper.ml, 1 +codeheroes.fr, 1 +codehupy.org.py, 1 +codehz.one, 1 +codeidea.ga, 1 +codeine.co.uk, 1 +codeit.guru, 1 +codeit.pro, 1 +codeit.us, 1 +codejumper.ml, 1 +codekk.com, 1 +codelinchpin.com, 1 +codeloop.pw, 1 +codemahrt.com, 1 +codemanbd.com, 1 +codemperium.com, 1 +codename-infinity.de, 1 +codename-infinity.org, 1 +codename24.tk, 1 +codenamelungo.tk, 1 +codenetwork.com, 1 +codeninja.me, 1 +codenlife.kr, 1 +codenlife.xyz, 1 +codenode.io, 1 +codeofhonor.tech, 1 +codeparva.com, 1 +codepen.com, 1 +codepen.io, 1 +codepoint.ml, 1 +codepoints.net, 1 +codepref.com, 1 +codeprotocols.com, 1 +codeproxy.net, 1 +codepwn.win, 1 +codercross.com, 1 +codered.sh, 1 +codereduction.promo, 1 +coderema.de, 1 +coderema.eu, 1 +coderescue.com, 1 +codereview.appspot.com, 1 +codereview.chromium.org, 1 +coderhangout.com, 1 +coderjesus.com, 1 +coderme.com, 1 +codero.com, 1 +coderoute-enligne.com, 1 +coderpad.io, 1 +codersatlas.co, 1 +codersatlas.xyz, 1 +codersharing.com, 1 +coderus.com, 1 +codes.pk, 1 +codesgroup.tk, 1 +codeslaw.com, 1 +codesplain.in, 1 +codesport.io, 1 +codesquad.com.au, 1 +codessale.com, 1 +codestats.net, 1 +codestudies.net, 1 +codetahiche.com, 1 +codetheweb.blog, 1 +codetheworld.com, 1 +codetrack.se, 1 +codetricked.com, 1 +codetripping.net, 1 +codeupstudios.com, 1 +codeux.com, 1 +codeux.info, 1 +codeux.net, 1 +codev.com.tr, 1 +codevat.com, 1 +codewaifu.com, 1 +codewild.de, 1 +codewitchbella.com, 0 +codewithalisha.ga, 1 +codewithlove.blog, 1 +codewrecks.com, 1 +codex.online, 1 +codezenith.com, 1 +codezeno.com.au, 1 +codicicer.it, 1 +codifi.com, 1 +codific.com, 1 +codifique.tk, 1 +codigodelbonusbet365.com, 1 +codigoexactodearea.com, 1 +codigojose.com, 1 +codigomusical.tk, 1 +coding-aloud.nz, 1 +coding-basic.tk, 1 +coding-treff.de, 1 +coding.lv, 1 +coding.net, 1 +codingale.com, 1 +codingame.com, 1 +codingame.eu, 1 +codingblog.org, 1 +codingforspeed.com, 1 +codingfromhell.net, 1 +codinginfinity.me, 1 +codingissimple.com, 1 +codingnbb.com, 1 +codish.ml, 1 +codista.com, 1 +cododigital.co.uk, 1 +codowned.com, 1 +coduca88.com, 1 +codulrutier.tk, 1 +coduzion.com, 1 +cody.sh, 1 +codydostal.com, 1 +codywy.gov, 1 +coeburnva.gov, 1 +coecho.net, 1 +coedpictures.com, 1 +coefficient.com.au, 1 +coeminna.edu.ng, 0 +coenjutte.tk, 1 +coens.me.uk, 1 +coentropic.com, 1 +coenzima.com, 1 +coequals.tk, 1 +cofense.at, 1 +cofetaria-narcisa.ro, 1 +coffee-break.cc, 1 +coffee-like.com, 1 +coffee-webstore.com, 1 +coffee.co.uk, 1 +coffeebean.cf, 1 +coffeebeanstudios.tk, 1 +coffeebiz.co.nz, 1 +coffeebreak.bg, 1 +coffeechi.ir, 1 +coffeeciel.com, 1 +coffeeciel.com.tr, 1 +coffeeholic.tk, 1 +coffeehousewriters.com, 1 +coffeemoment.nl, 1 +coffeeplazahamburg.com, 1 +coffeeruta.ru, 1 +coffeestain.ltd, 1 +coffeestory.in.ua, 1 +coffeetom.de, 1 +coffeist.com, 1 +coffstotalroofing.com.au, 1 +cofidis-group.com, 1 +cofidur.com, 1 +cofigs.com, 1 +cofinco.nl, 1 +cofob.ru, 1 +cofradiaqueimada.tk, 1 +cogent.cc, 1 +cogetop.com.br, 1 +coggeshall.io, 1 +coggeshall.us, 1 +coggin.church, 1 +coggle.it, 1 +coginti.tk, 1 +cogknockers.com, 1 +cogknockers.net, 1 +cognac-oenologie.com, 1 +cognac-tasting-tour.com, 0 +cognigennetwork.tk, 1 +cognitiveapplications.net, 1 +cognitivehealthintl.com, 1 +cognitohq.com, 0 +cognixia.us, 1 +cognosweb.net, 1 +cogolloelegante.com, 1 +cogsquad.house, 1 +cogstate.com, 1 +cogumelosmagicos.org, 1 +coharushika.com, 1 +cohassetfirema.gov, 1 +cohassetma.gov, 1 +cohassetpolicema.gov, 1 +cohenandcohen.net, 1 +cohere.io, 1 +cohob.de, 1 +coiffbot.fr, 1 +coiffeurschnittstelle.ch, 1 +coiffure-website.de, 1 +coil.gov, 1 +coimmvest.com, 1 +coin-exchange.cz, 1 +coin-miners.info, 1 +coin-money.tk, 1 +coin.dance, 1 +coin.space, 1 +coinamount.com, 0 +coinauctionshelp.com, 1 +coinbase.com, 1 +coinbit.trade, 0 +coinbrain.com, 1 +coincabin.io, 1 +coincalc.tk, 1 +coinchapter.com, 1 +coincircle.com, 1 +coincity.ga, 1 +coinclickz.fun, 1 +coincoele.com.br, 1 +coincoin.eu.org, 1 +coinf.it, 1 +coinflux.com, 1 +coinfundit.com, 1 +coingate.com, 1 +coinjar-sandbox.com, 1 +coinjar.com, 1 +coinlend.org, 1 +coinliq.com, 1 +coinloan.io, 1 +coinmarketturkiye.com, 1 +coinmotion.com, 1 +coinnector.com, 1 +coinnewspulse.com, 1 +coinpaprika.com, 1 +coinpedia.org, 1 +coinplay.com, 1 +coinroom.com, 1 +coins2001.ru, 1 +coinsales.net, 1 +coinscatalog.net, 1 +coinsconnect.co.uk, 1 +coinsmat.com, 1 +coinsuggest.com, 1 +cointosh.jp, 1 +coinwind.vip, 1 +coinx.pro, 1 +coiracom.net, 1 +cojam.ru, 1 +cojo.eu, 1 +cok.hu, 1 +cokebar.info, 0 +coker.com.au, 1 +cokestudiosongs.tk, 1 +cokisiregar.com, 1 +cokomi.com, 1 +col.la, 0 +cola-host.tk, 1 +colaborame.tk, 1 +colaborativa.tv, 1 +colaboratorija.lt, 1 +colabore.com, 1 +colabug.com, 1 +colafoodcritic.com, 1 +colah.com.au, 1 +colapsys.net, 1 +colarelli.ch, 1 +colarose.tk, 1 +colazxk.xyz, 1 +colbert.ml, 1 +colburnadamswi.gov, 1 +colchesterglobal.co.nz, 1 +colchesterglobal.com, 1 +colchesterglobal.com.au, 1 +colcomm.com, 1 +cold.world, 1 +coldcardwallet.com, 1 +coldcaserecords.gov, 1 +coldecan.edu.co, 1 +colder.one, 1 +coldfff.com, 1 +coldfusion.co.jp, 1 +coldhak.ca, 0 +coldice.tk, 1 +coldjetconnect.com, 1 +coldlasers.org, 1 +coldpaste.com, 1 +coldspegll.gq, 1 +coldspringsrancheria.gov, 1 +coldsteelsolutions.com, 1 +coldstreamcreekfarm.com, 1 +coldtomato.ga, 1 +coldtomatoest.ga, 1 +coldwater.tk, 1 +coldwateraustin.com, 1 +colearning.world, 1 +colecountymo.gov, 1 +colectivaradio.tk, 1 +colectivo.tk, 1 +colectivomackandal.tk, 1 +colectivovictorjara.tk, 1 +coleg.gov, 1 +colegiocuauhtzin.com.mx, 1 +colegiojaimebalmes.es, 1 +colegiorecanto.com, 1 +colegios.net, 1 +colegiosantaursula.com.br, 1 +colegiotalenti.com, 1 +colegiotavera.tk, 1 +colemak.com, 1 +colengo.com, 1 +colerainemn.gov, 1 +coletrain.com, 1 +colfaxcountyne.gov, 1 +colfaxia.gov, 1 +colibri.jp, 1 +colibriexpress.tk, 1 +coligo.fr, 1 +colinasdog.com.br, 1 +colincogle.name, 1 +colinespinas.com, 0 +colinhouston.com, 1 +colink.fi, 1 +colinobrien.online, 1 +colinsnaith.co.uk, 1 +colinstark.ca, 1 +colinyoung.scot, 1 +colis-collecte.re, 1 +colisfrais.com, 0 +colivevalues.com, 1 +collab.ddnss.org, 1 +collabora-office.com, 1 +collabora.ca, 0 +collabora.co.kr, 1 +collabora.co.uk, 1 +collabora.com, 1 +collabora.kr, 1 +collabora.ninja, 0 +collabora.social, 0 +collabora.uk, 0 +collaboracloudsuite.com, 0 +collaboraoffice.co.uk, 1 +collaboraoffice.com, 1 +collaboration.cafe, 1 +collaborativedrug.com, 0 +collabornation.net, 1 +collacott.org, 1 +collaction.hk, 1 +collada.org, 1 +collage.me, 1 +collagecrafting.com, 1 +collagepartners.com, 1 +collalloc.com, 1 +collapsed.de, 1 +collar.place, 1 +collard.tk, 1 +collare.com.mx, 1 +collare.mx, 1 +collarslab.com, 1 +collateral360.com, 1 +collateralmurder.com, 1 +collbox.co, 0 +colleadimari.com, 1 +collectaction.com, 1 +collectdocs.com, 1 +collecter.tk, 1 +collectfood.com, 1 +collectiblebeans.com, 1 +collectibles.tk, 1 +collectif-laicite-yallah.be, 1 +collectif85.com, 1 +collectifpinceoreilles.com, 1 +collectionru.com, 1 +collective-incubator.de, 1 +collectivedg.com, 1 +collectiverecyclers.com, 1 +collectivesupply.com, 1 +collector.cf, 1 +collectorknives.net, 1 +collectorscorner.com, 1 +collectorsystems.com, 1 +college-chagall.tk, 1 +collegeeducation.ml, 1 +collegegirlhd.com, 1 +collegeinlouisiana.com, 1 +collegeinoklahoma.com, 1 +collegeinoregon.com, 1 +collegeinpennsylvania.com, 1 +collegematchmaking.org, 1 +collegemate.eu, 1 +collegemoccassin.com, 1 +collegenavigator.gov, 1 +collegepaperworld.com, 1 +collegephysicsanswers.com, 1 +collegeprospectsofcentralindiana.com, 1 +collegereligionandphilosophy.com, 1 +collegesecretary.cn, 1 +collegesecretary.com, 1 +collegesexvid.com, 1 +collegesidekick.com, 1 +collegesrit.tk, 1 +collegestationhomes.com, 1 +collegetimes.co, 1 +collegetownstudios.tk, 1 +collepietra.it, 1 +collerosso.com, 1 +collettando.it, 1 +colley.tk, 1 +collezione.it, 1 +collideascope.co, 1 +collierlunaire.fr, 1 +colliervotes.gov, 1 +collin.us, 1 +collin.xyz, 1 +collinel-hossari.com, 1 +collinelhossari.com, 1 +collinklippel.com, 0 +collinlove.ca, 1 +collinlove.ch, 1 +collinlove.co.uk, 1 +collinlove.com, 1 +collinlove.de, 1 +collinlove.net, 1 +collinlove.nl, 1 +collinlove.org, 1 +collinlove.se, 1 +collinlove.uk, 1 +collinlove.us, 1 +collinlove.xyz, 1 +collinmbarrett.com, 1 +collins.kg, 1 +collins4mayor.co.nz, 1 +collins4mayor.nz, 1 +collins4mayor.org, 1 +collins4mayor.org.nz, 1 +collinsdictionary.com, 1 +collinssquare.com.au, 1 +collinssquarecatering.com.au, 1 +collinswyatt.com, 1 +collobrieres.restaurant, 1 +colloquio.tk, 1 +colloquy.mobi, 1 +colmena.biz, 1 +colo-tech.com, 1 +colocolochile.tk, 1 +coloffmedia.com, 1 +cololi.moe, 1 +colombiajobstoday.com, 1 +colombian.cam, 1 +colombianas.webcam, 1 +colombianbride.net, 1 +colombyinai.ga, 1 +coloniae.de, 1 +colonialbeachva.gov, 1 +colonialfilings.com, 1 +colonialfurniturestripping.com, 1 +colonize.africa, 1 +coloquiocentrooeste.mat.br, 1 +color-mixer.tk, 1 +color01.net, 1 +colorado-locksmith.com, 1 +coloradobluebook.gov, 1 +coloradochildrep.gov, 1 +coloradoer.tk, 1 +coloradofamli.gov, 1 +coloradolottery.com, 1 +coloradorangers.gov, 1 +coloradoseodesign.com, 1 +coloradosos.gov, 1 +colorblindfilms.com, 1 +colorblindprogramming.com, 1 +colorbrightongreen.org, 1 +colorcodedlyrics.com, 1 +colorcomm.com, 1 +colorfularchive.eu.org, 1 +colorfulcloud.eu.org, 1 +colorfuldots.com, 0 +colorfulworld.ru, 1 +colorguni.com, 1 +colorhexa.com, 1 +colorideas.net, 1 +coloringbooknook.org, 1 +coloristcafe.com, 1 +colorjungle.co.za, 1 +colorlib.com, 0 +colorline.com.br, 1 +colorpalette.org, 1 +colorpicker.fr, 1 +colorsbycarin.com, 1 +colortronic.tk, 1 +colorunhas.com.br, 1 +colorwow.cf, 1 +colorwow.ga, 1 +colossean.com, 1 +colosseumticket.cz, 1 +colostral.com, 1 +colotimes.com, 1 +colourblast.com.au, 1 +colourfulcastles.co.uk, 1 +colourmanagementpro.com, 1 +colourmeren.com, 1 +colourtohtml.tk, 1 +colpatriaws.azurewebsites.net, 1 +colposcopy.com.sg, 1 +colquittcountyga.gov, 1 +colquittga.gov, 1 +colson-occasions.be, 0 +coltellisurvival.com, 1 +coltonrb.com, 1 +columbiacountyor.gov, 1 +columbiacountywi.gov, 1 +columbiail.gov, 1 +columbialawreview.org, 1 +columbiamemorialhealth.org, 1 +columbiamspd.gov, 1 +columbiaproemergencymovers.com, 1 +columbiascaffolding.com, 1 +columbiathreadneedle.com, 1 +columbiatwpmi.gov, 1 +columbuscoffeefest.com, 1 +columbuscomedyfest.com, 1 +columbushydroxide.com, 1 +columbushydroxide.net, 1 +columbushydroxide.org, 1 +columbusks.gov, 1 +columbustelegram.com, 1 +columbusunderground.com, 1 +columbuswi.gov, 1 +colwichks.gov, 1 +colwyn.me, 1 +colwynfm.com, 1 +colyakoomusic.com, 1 +com-b.vn, 1 +com-news.io, 1 +com-tic.africa, 1 +com.cc, 1 +com.com.tr, 1 +com.fo, 1 +com4.no, 0 +comactor.com, 1 +comactor.fr, 1 +comagexinvoice.com, 1 +comalia.com, 1 +comanchecountyks.gov, 1 +comanchenationpolice.gov, 1 +comanchetexas.gov, 1 +comanis.fr, 1 +comaporter.com, 1 +comarcadelaranda.tk, 1 +comarch.com, 1 +comarch.es, 1 +comarch.pl, 1 +comarch.ru, 1 +comarkinstruments.cloud, 1 +comarkinstruments.net, 1 +comasystem.dk, 1 +combatix.io, 1 +combattrecellulite.com, 1 +combidarlehen.de, 1 +combineconquer.com, 1 +combineid.com, 1 +combines.world, 1 +combloux.com, 1 +combos-2020.tk, 1 +combron.be, 1 +combron.co.uk, 1 +combron.com, 1 +combron.nl, 1 +combustion.tk, 1 +comcenter.com, 1 +comchezmeme.com, 1 +comcol.nl, 1 +comdirect.de, 1 +comdmedias.fr, 1 +comdotgame.com, 1 +comdurav.com, 1 +come.ga, 1 +come2cook.com, 1 +comealong.org, 1 +comeals.com, 1 +comebookmark.cf, 1 +comebookmark.ga, 1 +comebookmark.ml, 1 +comedimagrire.it, 1 +comedonchisciotte.org, 1 +comedy.co.uk, 1 +comedybox.ro, 1 +comedyhuis.nl, 1 +comedyillusions.com, 1 +comefareper.online, 1 +comelibro.org, 1 +comenc.ddns.net, 1 +comengpt.com, 1 +comenityremediation.com, 1 +comeoishii.com, 1 +comeoneileen.tk, 1 +comeratope.com, 1 +comercialcolombia.tk, 1 +comercialmattos.com, 1 +comercialroxana.com, 1 +comercialtrading.eu, 1 +comeros.be, 1 +comestoarra.com, 1 +comet-pct.com, 1 +comet-xray.com, 1 +comet.eu.org, 1 +comet.tech, 1 +cometbot.cf, 1 +cometcache.com, 1 +comete-electricite.fr, 1 +cometer.co, 1 +cometer.io, 1 +cometonovascotia.ca, 1 +comevius.com, 1 +comevius.org, 1 +comevius.xyz, 1 +comfandivirtual.com.co, 1 +comff.net, 1 +comfintouch.com, 0 +comfis.nl, 1 +comfitsweets.co.uk, 1 +comflores.com.br, 1 +comfort-light.ru, 1 +comfortablelife.tk, 1 +comfriesland.tk, 1 +comfun.net, 1 +comfuzztible.tk, 1 +comfy-court.com, 1 +comfy.cafe, 0 +comfyliving.net, 1 +comhack.com, 1 +comical.ml, 1 +comicbooktreasury.com, 1 +comicborgs.com, 1 +comiccrusaders.com, 1 +comicsans.tk, 0 +comicsanshouse.ddns.net, 1 +comicslate.org, 1 +comicspornos.com, 1 +comicspornow.com, 1 +comicspornoxxx.com, 1 +comicsymanga.com, 0 +comicwiki.dk, 1 +comidasaludablehoy.com, 1 +comidasperuanas.net, 0 +comidina.com, 1 +comingto.icu, 1 +comiq.io, 1 +comistar.ee, 1 +comita.ru, 1 +comita.su, 1 +comitedal974.re, 1 +comiteexpertes.gc.ca, 1 +comitesaustria.at, 0 +comlipa.gq, 1 +comm-works.com, 1 +comm.cx, 1 +commagere.com, 1 +command53.fr, 1 +commandeleven.com, 0 +commander-seo.com, 1 +commanderone.net, 1 +commanderx.cf, 1 +commanderx.ml, 1 +commanderx.tk, 1 +commania.co.kr, 1 +commbox.io, 1 +commboxtest.com, 1 +commco.nl, 1 +commencepayments.com, 1 +commentgagnerdelargentsurlenet.com, 1 +commentjaichangedevie.fr, 1 +comments.app, 1 +commentutiliser.com, 1 +commerce.gov, 1 +commercega.gov, 1 +commercegurus.com, 1 +commercepartnerhub.com, 1 +commercetwpmi.gov, 1 +commercia.srl, 1 +commercial.lviv.ua, 1 +commercialfinancepartners.com, 1 +commercialfundinggroupllc.us, 1 +commercialkitchensusa.com, 1 +commercialstainless.com, 1 +commercialzone.cf, 1 +commercialzone.ga, 1 +commercialzone.ml, 1 +commeunamour.com, 1 +commeunefleche.com, 1 +commfortchat.tk, 1 +commhealthcollab.com, 1 +commissaris-vraagbaak.nl, 1 +commissionagenda.com, 1 +commissionaires.ca, 1 +commissioner.tk, 1 +commitsandrebases.com, 1 +commlabindia.com, 0 +commloan.com, 1 +commonapp.org, 1 +commoncode.com.au, 0 +commoncode.io, 0 +commoncog.com, 1 +commoncore4kids.com, 1 +commongoodit.com, 1 +commongrave.tk, 1 +commoninf.com, 1 +commons-mayflower.tk, 1 +commonsenseamericanpolitics.com, 1 +commonsensedivorce.ca, 0 +commonsenseinactie.nl, 1 +commonstock.com, 1 +commonsubdoc.com, 1 +commonsubdoc.io, 1 +commonvoice.tk, 1 +commonwarest.ga, 1 +commonwealthsl.com, 1 +communalconsulting.org, 1 +communebouteille.org, 1 +communi.biz, 1 +communic.tk, 1 +communicate2lead.com, 1 +communication-services.tk, 1 +communications-major.com, 1 +communiquons.org, 1 +communist-party.tk, 1 +community-mall.com, 1 +community-pro.de, 1 +community-pro.net, 1 +community-services.cz, 0 +communityaligned.com, 1 +communitybangladesh.tk, 1 +communitybridgesaz.org, 1 +communitycodeofconduct.com, 1 +communitycollegereview.com, 1 +communitydirectory.tk, 1 +communitydriving.com, 1 +communityflow.info, 1 +communityfunded.com, 1 +communitylivingalgoma.org, 1 +communityparentsinc.com, 1 +communitypowernh.gov, 1 +communitypreventionpartnership.org, 1 +communote.net, 1 +commuty.net, 1 +commvnion.com, 1 +comnaviosaka.com, 1 +como-se-escribe.com, 1 +comoaliviareldolor.de, 1 +comocomprarumcarro.tk, 1 +comoculosdesol.pt, 1 +comodio.com, 0 +comodo.nl, 1 +comodosslstore.com, 1 +comoentrenarperros.tk, 1 +comogene.com, 0 +comohacerblog.net, 1 +comohacerpara.com, 1 +comoimportar.net, 1 +comomoraremportugal.ga, 1 +comomurio.info, 1 +comoperdonar.tk, 1 +comoreconquistaroex.com, 1 +comorecuperaratumujerpdf.com, 1 +comosecarabarriga.com, 1 +comosediceesto.com, 1 +comoseduzir.net, 1 +comosefazisto.com.br, 1 +comosehace.online, 1 +comovenderpelowhatsapp.com.br, 1 +comoviajarcontumascota.com, 1 +comp4u.de, 1 +compact.pt, 0 +compactador-vendetta.tk, 1 +compagnidimerenda.tk, 1 +compagniecoupable.fr, 1 +compagniedesateliers.com, 1 +compagniedesvoyageurs.com, 1 +compagniemartin.com, 0 +compalliance.com, 1 +companion-web.net, 1 +company-bike.com, 1 +company-info-plugins.nl, 1 +companyaneksta.tk, 1 +companycam.com, 1 +companycleaninghome.com, 1 +comparai.com.br, 1 +comparatif-moto.fr, 1 +compare-energie.fr, 1 +compareairfaredeals.com, 1 +compareandrecycle.co.uk, 0 +compareceleb.com, 1 +compareer.com, 1 +compareleasedlines.co.uk, 1 +comparemymobile.com, 1 +comparendossimit.com, 0 +compareshow.com, 1 +comparesoft.com, 1 +comparetheproject.com, 1 +comparewatch.com, 1 +compareweddinginsurance.org.uk, 1 +comparexcloudcenter.com, 1 +comparic.pl, 1 +compartirtrenmesaave.com, 1 +compassbest.com, 1 +compassdirectportal.com, 1 +compassfinance.com, 1 +compassintladv.com, 1 +compassionandchoices.org, 0 +compassionate-biology.com, 1 +compasslos.com, 1 +compassregroup.com, 1 +compdermcenter.com, 1 +compdev.ru, 1 +compelloid-staging-client-b2c.azurewebsites.net, 1 +compensadosbello.com.br, 1 +compeon.de, 1 +competencyassessment.ca, 1 +competis.cf, 1 +competitor.com, 1 +compeuphoria.com, 1 +compibus.fr, 1 +compilenix.org, 0 +complaint.tk, 1 +complang.se, 1 +complasplasticos.com.br, 1 +compleet.com, 1 +complete-concrete-concise.com, 1 +complete-privacy.tk, 1 +completeanon.tk, 1 +completecareair.com, 1 +completecase.com, 1 +completecomps.au, 1 +completecontrol.tk, 1 +completed.com, 1 +completehub.com, 1 +completeonlinepharmacy.com, 1 +completeprivacy.tk, 1 +completesecurityessex.co.uk, 1 +completesecurityessex.com, 1 +completewordsest.ga, 1 +complex-kaspiy.tk, 1 +complex-news.com, 1 +complex-organization.com, 1 +complexart.ro, 1 +complexcoral.ro, 1 +complexorganization.com, 1 +complexsystems.fail, 1 +compliance-risk.com, 1 +compliance-systeme.de, 1 +compliancebox.co, 1 +compliancedictionary.com, 1 +complianceinsight.ca, 1 +compliancerisksoftware.co.uk, 1 +complianz.io, 1 +compliment.cf, 1 +complt.xyz, 1 +complyadvantage.com, 1 +complycheck.co, 1 +complyportal.uk, 1 +componentcore.com, 1 +composersforum.org, 1 +composite-isfahan.ir, 1 +compositedevtec.tk, 1 +compostelle-bouddha.fr, 1 +compoundc.eu, 1 +compra-deuna.com, 1 +compraapartamentomoema.com.br, 1 +comprachida.com, 1 +compraenpijama.com, 1 +comprafasil.com, 1 +comprajuguete.com, 1 +comprando.tk, 1 +compraporinternet.online, 1 +comprar.club, 1 +comprarefiereygana.com, 1 +comprarpapelhigienico.online, 1 +comprascuba.online, 1 +comprauncelular.com, 1 +comprax.nl, 1 +comprebrindes.com.br, 1 +compree.com, 1 +comprehensiveihc.com, 1 +compressor.io, 1 +comprising.de, 1 +comprofacil.es, 1 +compromis-promesse-vente.fr, 1 +compservice.in.ua, 1 +comptoir-hardware.com, 1 +comptoirducycle.com, 1 +comptonslespetitescroix.tk, 1 +comptrollerofthecurrency.gov, 1 +comptu.com, 1 +compu-ofertas.tk, 1 +compubench.com, 1 +compucastell.ch, 1 +compucorner.mx, 1 +compucorner.tk, 1 +compudoc.tk, 1 +compunet.biz, 1 +compunetics.com, 1 +compunetix.com, 1 +compusrit.tk, 1 +compustore.pe, 1 +compustuff.tk, 1 +computec.ch, 1 +computechcorp.com, 1 +computel.nl, 0 +computer-acquisti.com, 1 +computer-forensics-recruiter.com, 1 +computer-kleinmachnow.de, 1 +computer-menschen.de, 1 +computer-science-schools.com, 1 +computer-service-24.de, 1 +computer-service.ch, 1 +computer-world.pro, 1 +computer-worlds.tk, 1 +computer4me.tk, 1 +computeradvance.tk, 1 +computerandaccessories.com, 1 +computerbas.nl, 1 +computerbase.de, 1 +computerforum.tk, 1 +computerforums.net, 1 +computerhelpbutton.com, 1 +computerhilfe-feucht.de, 1 +computerinfobits.com, 1 +computerjet.ru, 1 +computernerd.es, 1 +computernetwerkwestland.nl, 1 +computernetwork.be, 1 +computerpackages.com, 1 +computerpoint.net, 0 +computerscience.guide, 1 +computersforlearning.gov, 1 +computersneversleep.art, 1 +computersoftware.tk, 1 +computersolutions.cn, 1 +computersystems.guru, 0 +computertechreviews.com, 1 +computerthings.net, 1 +computertips.tk, 1 +computerwerk.org, 1 +computexrio.com, 1 +computime.com, 1 +computing.land, 1 +computingaustralia.com.au, 1 +computingaustralia.group, 1 +computingessentials.tk, 1 +computingsociety.co.uk, 1 +computingwarehouse.com, 1 +computop.com, 1 +computron.ga, 1 +compuvate.com, 1 +comquadro.com.br, 1 +comquestmed.com, 1 +comradesofmight.tk, 1 +comsoli.com.br, 1 +comsolibrasil.com.br, 1 +comswp.com, 1 +comtex.com.au, 1 +comtois.hk, 1 +comumlab.org, 1 +comunal.co, 1 +comunate.com, 1 +comune.palermo.it, 1 +comunic.io, 1 +comunicat.global, 1 +comunicazionenellaristorazione.it, 1 +comunidadmontepinar.es, 1 +comunidadreparando.com, 1 +comunidadvegetariana.com, 1 +comuniondelucia.com, 1 +comunismo.tk, 1 +comunistas.tk, 1 +comunitas.com, 1 +comunitateonline.tk, 1 +comunityflashgame.cf, 1 +comvert.com, 1 +comw.cc, 1 +comwwwcomcom.com, 1 +comyuno.com, 0 +con-ca.jp, 1 +con-con.nl, 1 +con-vivencia.es, 1 +conall.io, 1 +conalpedis.tk, 1 +conbida.co, 1 +conbrio.tk, 1 +concealoutfitters.com, 1 +concellodoparamo.tk, 1 +concepcion-futbol-club.tk, 1 +concept-web.ch, 0 +concept4photography.com, 1 +concept5.co.il, 1 +conceptatelier.de, 1 +conceptec.de, 1 +conceptfoundation.org, 1 +conceptground.com, 1 +conceptual.ga, 1 +concern.cloud, 1 +concert.ga, 1 +concertcrushers.ga, 1 +concertparkingest.ga, 1 +concerts-metal.ch, 0 +concertsenboite.fr, 1 +concertsponent.tk, 1 +concertsto.com, 1 +conciencianimal.tk, 1 +concierge.diet, 1 +conciertoscolombia.tk, 1 +concilioderivendel.tk, 1 +conciliumnotaire.ca, 1 +conclave.gq, 1 +conclave.rocks, 1 +conclave.tk, 1 +conclude.ga, 1 +conclusion.nl, 0 +conclusive.co.za, 1 +concor.ne.jp, 1 +concord.sh, 1 +concordance.bible, 1 +concrefy.com, 1 +concretedreamsoftexas.com, 1 +concretehermit.com, 0 +concretemachines.be, 1 +concretepressurewashing.com, 1 +concreterepairatlanta.com, 1 +concreterepairconcreteleveling.com, 1 +concreterepairconcreteraising.com, 1 +concreteworksohio.com, 1 +concreteworksplus.com, 1 +concurseirosdeplantao.com.br, 1 +concursocultural.com.br, 0 +concursos.com.br, 1 +concursosabertos.com.br, 1 +concursuri.biz, 0 +condemnity.net, 1 +condenast.co.uk, 1 +condensacion.com, 1 +condictor.pl, 1 +condignum.com, 1 +condit.cf, 1 +condit.gq, 1 +condit.ml, 1 +conditionyellowacademy.com, 1 +condizionatore.roma.it, 1 +condo.do, 1 +condolencemessages.net, 1 +condominiosi.it, 1 +condominioweb.com, 1 +condonescadistas.tk, 1 +condonline.app.br, 1 +condosforcash.com, 1 +condroz-motors.be, 0 +coneall.com, 1 +conectada.tk, 1 +conectadev.com, 1 +conectens.com, 1 +conectumfinanse.pl, 1 +conejicos.tk, 1 +conejovalleyelectrical.com, 1 +conejovalleyelectrician.com, 1 +conejovalleyexteriorlighting.com, 1 +conejovalleylandscapelighting.com, 1 +conejovalleylighting.com, 1 +conejovalleyoutdoorlighting.com, 1 +coneo.eu, 1 +coneser2gl.com, 1 +conesin.com, 1 +conews.ml, 1 +conexionok.com, 1 +conexiontransporte.com, 1 +conexionvegana.com, 1 +conexresearch.com, 1 +coney.tk, 1 +conf.tn, 1 +confer.ch, 1 +conference-expert.eu, 1 +conference.cafe, 1 +conference.dnsfor.me, 1 +conferencemanager.ch, 1 +conferencemanager.co.uk, 1 +conferencemanager.de, 1 +conferencemanager.dk, 1 +conferencemanager.es, 1 +conferencemanager.fr, 1 +conferencemanager.lt, 1 +conferencemanager.lv, 1 +conferencemanager.nl, 1 +conferencemanager.se, 1 +conferencemanager.uk, 1 +conferencemanager.us, 1 +conferencemanagerpro.com, 1 +conferencemonkey.org, 1 +conferenciaepiscopal.es, 1 +confettidogs.com, 1 +confia.co.cr, 1 +confianza.pe, 1 +confidentielsn.com, 1 +confidentliving.gq, 1 +confidentliving.tk, 1 +config.schokokeks.org, 1 +configcat.com, 1 +configpoint.group, 1 +configserverfirewall.com, 1 +configurat.cf, 1 +configurat.tk, 1 +configwizard.xyz, 1 +confio.gmbh, 0 +confio.pt, 1 +confirmit.ca, 1 +confirmit.com.au, 1 +confirmit.de, 1 +confiscate.ga, 1 +confiscation.tk, 1 +confiwall.de, 1 +conflictspecialist.com, 1 +conflidentliving.cf, 1 +confluent.cloud, 1 +conformal.group, 1 +conformat.com, 1 +conformax.com.br, 1 +conformist.jp, 1 +conformitykills.tk, 1 +confort-bebe.fr, 1 +confort-sante.com, 1 +conftree.com, 1 +confucio.cl, 1 +confused.com, 1 +confusion-band.ch, 1 +confygo.com, 1 +congafasdesol.com, 1 +congdongnhatviet.com, 0 +congelado.tk, 1 +congelationpunaisedelit.com, 1 +congenio.com, 0 +congenio.de, 0 +congineer.com, 1 +congnghe.so, 1 +congoproject.tk, 1 +congregacionmitacol.org, 0 +congresistas-ap.tk, 1 +congresodermatologia2019.com, 1 +congressmankirk.com, 1 +congresso.tk, 1 +congye.com, 1 +coniectoinvestments.com, 1 +coniglione.tk, 1 +conju.cat, 0 +conjugacao.com.br, 1 +conjunctions.com, 1 +conjurer.tk, 1 +conjurosamarresytrabajosespirituales.com, 1 +conjurosyhechizosfuertes.com, 1 +conkret.ch, 1 +conkret.co.uk, 1 +conkret.eu, 1 +conkret.mobi, 1 +conmatic.tk, 1 +connect-ed.network, 1 +connect-me.com, 1 +connect.facebook.net, 1 +connect.gov, 1 +connect.net.pk, 1 +connecta.store, 1 +connectaimpianti.it, 1 +connectall.tk, 1 +connectavid.com, 1 +connectedbynexus.com, 1 +connectedinvestors.com, 1 +connectedmind.me, 1 +connectfss.com, 1 +connecticare.com, 1 +connecticutnet.tk, 1 +connectika.io, 1 +connecting-software.com, 1 +connectingcultures.dk, 1 +connectingrentals.com, 1 +connectingup.org, 1 +connection-sggz.nl, 1 +connectionplanet.nl, 1 +connectionstrings.com, 1 +connective.com.au, 1 +connectivia.it, 0 +connectivityinnovationnetwork.com, 1 +connectivityparty.tk, 1 +connectmath.com, 1 +connectme.com.mx, 1 +connectmy.car, 1 +connectnow.nl, 1 +connecto.group, 1 +connectthedoc.com, 1 +connectto.com, 1 +connectum.eu, 1 +connectusa.com, 0 +connelink.fr, 1 +connell.co.nz, 1 +conner.work, 1 +conneropticals.ga, 1 +connexas.eu, 1 +connexio.digital, 1 +connext.de, 1 +connictro.de, 1 +connies-diner.de, 1 +conniesacademy.com, 1 +connor.nl, 1 +connorhatch.com, 1 +connorjc.io, 1 +connorlim.net, 1 +connornoddin.com, 1 +conntrack.com, 1 +connyandthecrazydogs.com, 1 +connyduck.art, 0 +connyduck.at, 1 +conocchialidasole.it, 1 +conocedordigital.com, 1 +conoha.vip, 1 +conorboyd.info, 1 +conorjwryan.com, 1 +conory.com, 1 +conotoxia.com, 1 +conova.com, 1 +conpins.nl, 1 +conpsy.ro, 1 +conpulpademanzana.es, 1 +conpunk.tk, 1 +conqi.net, 1 +conque.sk, 1 +conquistar30dias.com.br, 1 +conrad-kostecki.de, 1 +conrad.am, 1 +conradcartagena.com, 1 +conradkostecki.de, 1 +conradkroencke.com, 1 +conrads.it, 1 +conrail.blue, 1 +conrasd.tk, 1 +conrazon.me, 1 +consagracionamariasantisima.org, 1 +conscia.com, 1 +consciente.ch, 1 +consciente.ngo, 1 +consciente.ong, 1 +conscientia.com.mx, 1 +consegnafioridomicilio.net, 1 +consegne.it, 1 +conseildesarts.ca, 1 +conseils-immo.fr, 1 +consejoescolardecanarias.org, 1 +conselljoventutillesbalears.org, 1 +consens.us.org, 1 +consensoprivacy.it, 1 +consertodeeletrodomesticosembh.com, 1 +conservadoraembh.com.br, 1 +conservaschato.com, 1 +conservationfreedivers.com, 1 +conservationgeography.com, 1 +conserviengenharia.com.br, 1 +consiglidisalute.com, 1 +consilio.com, 1 +consilium-ifa.co.uk, 1 +consilium-vitae.ch, 1 +consiliumvitae.ch, 1 +consill.com, 1 +consoe.com, 1 +console.rest, 1 +consolemania.com, 1 +consoletech.tk, 1 +consoleuniverse.tk, 1 +consolezone.tk, 1 +consommation-locale.fr, 1 +consonare.de, 1 +consoom.soy, 1 +consorcionacionalideal.com.br, 1 +consortium.chat, 1 +consortiumhealthplans.com, 1 +consorzio.org, 1 +conspiracionweb.tk, 1 +conspiracy.gq, 1 +conspiracytheorypal.com, 1 +conssales.com, 1 +constablevilleny.gov, 1 +constant-rough.de, 1 +constant.ga, 1 +constantinocontabilidade.com, 1 +constantinschreiber.me, 1 +constcorrect.com, 1 +constellatio.com, 1 +constellationinternational.ml, 1 +constellations.ga, 1 +constern.de, 1 +consteval.org, 1 +constexpr.org, 1 +constinit.org, 1 +constipationrecords.tk, 1 +constitution.website, 0 +constru-vegas.com.mx, 1 +construccionesceyve.com, 1 +construct.net, 1 +constructexpres.ro, 1 +construction-colleges.com, 1 +construction-digitale.fr, 0 +construction-group.ga, 1 +constructionstudent.uk, 1 +constructive.men, 1 +constructoraisaba.com, 1 +construguia.co, 1 +construred.tk, 1 +construyetuempresa.com, 1 +consul-coton.ru, 1 +consul-novocherkassk.ml, 1 +consul.io, 0 +consuldat.com, 1 +consulenteambientale.it, 1 +consulentedellavoro.it, 1 +consulenza.pro, 1 +consulplan.net, 1 +consult-altius.co.uk, 1 +consultadepsicoterapia.com, 1 +consultancyistanbul.com, 1 +consultation.ai, 1 +consultation.biz.tr, 1 +consultimator.com, 1 +consultimedia.de, 1 +consulting-brokerage.tk, 1 +consultinghero.es, 1 +consultinghouse.tk, 1 +consultinghousenet.tk, 1 +consultingnurseest.ga, 1 +consultor.marketing, 1 +consultoresrey.cl, 1 +consultoriaandrade.com.br, 1 +consultoriadeseguranca.com.br, 1 +consultoriadigital.pt, 1 +consultoriosodontologicos.com.br, 1 +consultorseobr.com.br, 1 +consultpetkov.com, 1 +consultum.com, 1 +consulvation.com, 1 +consumer.ee, 1 +consumer.gov, 1 +consumer.gov.au, 1 +consumer.gq, 1 +consumer.org.nz, 1 +consumeraction.gov, 1 +consumerattorneys.com, 1 +consumerbureau.gov, 1 +consumerdatastandards.gov.au, 1 +consumerfiles.com, 1 +consumerfinance.gov, 1 +consumerfinancial.gov, 1 +consumerfinancialbureau.gov, 1 +consumerfinancialprotectionbureau.gov, 1 +consumerindex.ga, 1 +consumerlaw.gov.au, 1 +consumerprotection.gov, 1 +consumerprotectionbureau.gov, 1 +consumersentinel.gov, 1 +consumertesting.com, 1 +consumidor.gov, 1 +consumptionjunction.com, 1 +consuwijzer.nl, 1 +consyltec.de, 1 +contabilidadebhpampulha.com.br, 1 +contabilidadebrooklin.com.br, 1 +contabilidademassarelli.com.br, 1 +contact-checker.tk, 1 +contact.inc, 1 +contact.xyz, 1 +contactaffix.com, 1 +contactangle.com, 1 +contactbadger.com, 1 +contactelus88.fr, 1 +contactlimo.com, 1 +contactmcr.com, 0 +contactme.cards, 1 +contactsrl.it, 1 +contadorespublicos.co, 1 +contagiousaf.com, 1 +contailor.de, 1 +contalbi.pt, 1 +contaminatie.nl, 1 +contango.xyz, 1 +contato.vip, 1 +contemplativeeducation.org, 1 +contemptevoke.com, 1 +contenedoresdereciclaje.online, 1 +contenized.com, 0 +contentmaaksters.nl, 1 +contentmarathon.com, 1 +contentq.nl, 1 +contents.ga, 1 +contermis.com, 1 +contessa32experience.com, 0 +contestreviewest.ga, 1 +contextolog.cf, 1 +conti-profitlink.co.uk, 1 +continental-landscapes.co.uk, 1 +continuernom.tk, 1 +continuousinksupplysystem.com.au, 1 +continuum.memorial, 0 +continuum.sbs, 1 +continuumdesign.net, 1 +continuumm-tech.com, 1 +contiprint.com.ec, 0 +contortion.tk, 1 +contos.cz, 1 +contotudo.online, 1 +contrabass.net, 1 +contracostacr.gov, 1 +contracostacre.gov, 1 +contracostavote.gov, 1 +contractalerters.ga, 1 +contractdigital.co.uk, 0 +contractdirectory.gov, 1 +contractormountain.com, 1 +contractorswestga.com, 1 +contractstore.com, 1 +contractwriters.com, 1 +contrafactos.tk, 1 +contralaespeculacioninmobiliaria.tk, 1 +contrarianoutlook.com, 1 +contrarreforma.tk, 1 +contraspin.co.nz, 1 +contrastchecker.online, 1 +contrastecolombia.com, 1 +contrastly.com, 1 +contrastsecurity.com, 1 +contratderatisation.com, 1 +contratti.it, 1 +contrebande-metz.fr, 1 +contreraslandscaping.com, 1 +contributopia.org, 1 +contributor.google.com, 1 +contro.cf, 1 +contro.ga, 1 +contro.gq, 1 +contro.ml, 1 +contro.tk, 1 +controlautocom.com.br, 1 +controlbooth.com, 1 +controld.com, 1 +controle-exportations.fr, 1 +controle-technique-ales.fr, 1 +controlecelular.com.br, 1 +controleer-maar-een-ander.nl, 1 +controleert.nl, 1 +controlewiki.be, 1 +controlit.eu, 1 +controllertech.com, 1 +controlpad.com, 1 +controlpro.mx, 1 +controlshiftlabs.com, 1 +controltvpodcast.tk, 1 +controlup.com, 1 +controlvisitas.com.mx, 1 +controsoffitti.milano.it, 1 +controversialrisks.com, 1 +controversialrisks.se, 1 +contucara.tk, 1 +contuestilo.tk, 1 +contunda.de, 0 +conv2pdf.com, 1 +convecteurs.net, 1 +convent-mensing.de, 1 +convergence.fi, 1 +convergencela.com, 1 +convergent.tn, 1 +convergnce.com, 1 +conversationexchange.com, 1 +conversatis.cf, 1 +conversechucktaylor.us, 1 +converser.tk, 1 +conversionsciences.com, 1 +convert.im, 1 +convert.io, 1 +convert2sql.com, 1 +converter.ml, 1 +convertire-documenti.it, 1 +convertkit.com, 1 +convertr.io, 1 +convexic.com, 1 +conveyance.pro, 1 +convicted-driver-insurance.com, 1 +conviction.org.uk, 1 +convierteenabudancia.com, 1 +convocatoriafundacionpepsicomexico.org, 0 +convoluted.solutions, 1 +convoyin.com, 1 +conwaymedicalcenter.com, 1 +conwaymi.gov, 1 +conwaypdnh.gov, 1 +conwayregional.org, 0 +conwaysc.gov, 1 +conwood.best, 1 +conxcon.de, 1 +cooalliance.com, 1 +coochiehacks.io, 1 +coocook.org, 1 +cooferro.tk, 1 +cooink.net, 0 +cook-maestro.com, 1 +cook.gg, 1 +cookcountyclerkil.gov, 1 +cookcountysheriffil.gov, 1 +cookescastles.co.uk, 1 +cookgem.com, 1 +cookicons.co, 1 +cookie-directive.cf, 1 +cookie4.com, 1 +cookieandkate.com, 1 +cookiecorner.com, 1 +cookiecrook.com, 1 +cookiedatabase.org, 1 +cookielaw.org, 1 +cookiepedia.co.uk, 1 +cookiepro.com, 1 +cookiesmoquirida.com.br, 1 +cookiesoft.de, 1 +cookiestudies.cf, 1 +cooking-food.cf, 1 +cookingandme.com, 1 +cookingbooks.es, 1 +cookingcrusade.com, 1 +cookingiseasy.tk, 1 +cookingperfected.com, 1 +cookingperformancegroup.com, 1 +cookingreporter.com, 1 +cookinsumos.com, 1 +cooko.at, 1 +cooks.house, 1 +cooksite.tk, 1 +cooktoprepairaustin.com, 1 +cookwithmanali.com, 1 +cool-parties.co.uk, 1 +cool-wallpapers.jp, 1 +cool110.tk, 1 +cool110.xyz, 1 +coolabaroo.com.au, 1 +coolagent-dokumenty.cz, 1 +coolansplanet.com, 1 +coolattractions.co.uk, 1 +coolblockschool.org, 1 +coolboys.ga, 1 +coolcamping.com, 1 +coolcloud.tk, 1 +coolcomputers.info, 1 +cooldan.com, 1 +cooldomains.tk, 1 +cooldown.club, 1 +coole-fete.de, 1 +coolefehler.de, 1 +coolerssr.space, 1 +coolexpo.com, 1 +coolfilm.cf, 1 +coolgeography.co.uk, 1 +coolgifs.de, 1 +coolink.pub, 1 +cooljs.me, 1 +cooljv.com, 1 +coolkidsbouncycastles.co.uk, 1 +coolkidsparty.nl, 1 +coolleader.com, 1 +coolmath.cf, 1 +coolpi.nl, 1 +coolplus.com, 1 +coolprylar.se, 1 +cools.tech, 1 +coolsculptingmanhattanbeach.com, 1 +coolshirt.tk, 1 +coolsochi.ru, 1 +coolsoftware.tk, 1 +coolspeak.com, 1 +cooltang.ooo, 1 +coolulder.net, 1 +coolutils.com, 1 +coolvox.com, 1 +coolweirdfacts.ga, 1 +coombsinc.com, 1 +coomer.su, 1 +coomonte.tk, 1 +coonelnel.net, 1 +coonlink.fun, 1 +coop-land.ru, 1 +coop.com.py, 1 +coopal.jp, 1 +coopcityinfo.com, 1 +coopcoa.pt, 1 +coopemep.live, 0 +cooperativecogohio.gov, 1 +coopercity.gov, 1 +coopercityfl.gov, 1 +coopermais.tk, 1 +coopsoc.com.au, 1 +coor.info, 1 +coordonnees-gps.fr, 1 +coore.jp, 1 +coorpacademy.com, 1 +coosbayor.gov, 1 +cooznacza.pl, 1 +copa.cf, 1 +copabarena.tk, 1 +copacabanafc.tk, 1 +copadata.be, 1 +copasulassessoria.com.br, 1 +copdfoundation.org, 1 +copdrop.ga, 1 +cope.finance, 1 +copedeportes.tk, 1 +cophumouraustralia.com, 1 +copiermarket.com, 1 +copiisiparinti.ro, 1 +copilotgps.com, 1 +copilotpro.com, 1 +coppelmansmakelaardij.nl, 1 +copper.co, 1 +copperart.ca, 1 +copperexports.tk, 1 +copperheados.com, 1 +copperlantern.tk, 1 +coppermein.co.za, 1 +coppermine-kickers.tk, 1 +copperplate.tk, 1 +coppidesentupidora.com.br, 1 +coproduzindo.com.br, 1 +coprotag.com, 1 +coprotag.fr, 1 +coptkm.cz, 1 +copurhoca.com, 1 +copybysophie.com.au, 1 +copycats.tk, 1 +copycaught.co, 1 +copycaught.xyz, 1 +copycenter.cf, 1 +copycrafter.net, 1 +copyfast.cf, 1 +copygeneral.pl, 1 +copyhandler.com, 1 +copymundo.cr, 1 +copypoison.com, 1 +copyright-watch.org, 1 +copyright.gov, 1 +copyrightclaimsboard.gov, 1 +copyrightcoins.com, 1 +copyrightcoins.help, 1 +copyrighted.com, 0 +copyrighter.tk, 1 +copyrightforabout.tk, 1 +copyrightservice.co.uk, 1 +copyshrug.ca, 1 +copysyncest.ga, 1 +copytext.ml, 1 +copywriting-on-demand.tk, 1 +coral-study.eu, 1 +coral.tech, 1 +coralenergy.gr, 1 +coralpress.com, 1 +coralreef.blue, 1 +coralreef.tk, 1 +coralsprings.gov, 1 +coralspringsfl.gov, 1 +coramdeoclassical.com, 1 +corarain.me, 1 +coratxa.tk, 1 +corazoncaliente.tk, 1 +corazondemelon.es, 1 +corbax.com, 1 +corbettparadise.com, 1 +corbi.net.au, 1 +corbuloacademyofmilitaryscience.com, 1 +corbusier.gq, 1 +corcoranmn.gov, 1 +cord-blood.tk, 1 +cordeirosolutions.ga, 1 +cordejong.nl, 0 +cordelia.tk, 1 +cordemar.info, 1 +corder.tech, 1 +corderosa.tk, 1 +corderoscleaning.com, 0 +cordeydesign.ch, 0 +cordis.io, 1 +cordlessdog.com, 1 +corduroyproducts-velvetjackets.tk, 1 +core-concepts.de, 0 +core-networks.de, 1 +core.md, 1 +core.mx, 1 +core.org.pt, 1 +core300.org, 1 +core3k.biz, 1 +core3k.com, 1 +core3k.info, 1 +core3k.mobi, 1 +core3k.net, 1 +core3k.org, 1 +core3k.us, 1 +coreapm.com, 1 +coreapm.org, 1 +corebit.nl, 1 +corecapital.cz, 1 +corecdn.org, 1 +corecore.com, 1 +cored.al, 1 +coredna.com, 1 +coredns.rocks, 1 +coredrive.com, 1 +coredroid.com, 1 +corefy.com, 1 +coreg.tk, 1 +corehealthberks.com, 1 +corehealthcare.com.au, 1 +corelationinc.com, 1 +coreless-initiative.net, 1 +coremcnetwork.ml, 1 +coremicro.com, 1 +coremove.tk, 1 +corentin-et-rosalie.fr, 1 +corepacks.tk, 1 +corepartners.com.ua, 1 +corephysicians.org, 1 +corerad.net, 1 +corescientific.com, 1 +coresos.com, 1 +corestack.io, 1 +coresystems.hu, 1 +coretechnology.ie, 1 +coretema.eu, 1 +coreum.ca, 1 +coreup.de, 1 +corevetconnect.co.uk, 1 +corexpert.com, 1 +coreyjmahler.com, 1 +coreylmartin.com, 1 +corfuny.gov, 1 +corgal.com, 1 +corgi.party, 1 +corgiaspets.com, 1 +corgiclub.art, 1 +corgspace.com, 1 +corhellemons.tk, 1 +cori.tk, 1 +coribi.com, 1 +corima.it, 1 +corinastefan.ro, 1 +corinnanese.de, 1 +corinsamsterdam.com, 1 +corintech.net, 1 +corinthfilms.com, 1 +coriolis.ch, 1 +corisu.co, 1 +corkcityfc.tk, 1 +corkedwinebar.com, 1 +corky.tk, 1 +corleoncatering.com, 1 +corlija.com, 1 +corlinde.nl, 1 +cormed-heverlee.tk, 1 +corn.az, 1 +cornday.org, 1 +cornel1801.com, 1 +cornelia-kaufmann.tk, 1 +corner-cabinets.tk, 1 +corner-marburg.de, 1 +corneranimal.com, 1 +cornercafe.tk, 1 +cornercircle.co.uk, 1 +cornergarage.coop, 0 +cornerperk.com, 1 +cornerstone.network, 1 +cornerstone.photography, 1 +cornerstone.rocks, 1 +cornerstoneefree.org, 1 +cornerstonefoundationrepairllc.com, 1 +cornerstonenorthwest.com, 1 +cornertoyshop.ga, 1 +corniche.com, 1 +corningcu.org, 1 +cornips.nl, 1 +cornitek.tk, 1 +cornmachine.com, 1 +cornodo.com, 1 +cornut.fr, 1 +cornwallct.gov, 1 +cornwallda.co.uk, 1 +coroas10.tk, 1 +coroimagen.tk, 1 +corona-data.eu, 1 +corona-renderer.cloud, 1 +corona-renderer.com, 1 +corona-stats.online, 0 +coronacheck.nl, 1 +coronasafe.network, 1 +coronastationphotography.com, 1 +coronatestalmere.nl, 1 +coronavaccinatiedatum.nl, 1 +coronavirus-19.es, 1 +coronavirus-journal.fr, 1 +coronavirus.de, 1 +coronavirus.gov, 1 +coronavirusfortbend.gov, 1 +coronavirustesting.gov, 1 +coronersconnect.co.uk, 1 +cororocierodebelen.tk, 1 +corovan.com, 1 +corp.goog, 1 +corpfin.net, 1 +corpheuss.ga, 1 +corpio.nl, 1 +corplex.com, 1 +corpoflow.nl, 1 +corpomotriztokio.com, 1 +corpora.ga, 1 +corpora.tk, 1 +corporate-advisory.com, 1 +corporate-electric.ky, 1 +corporateclash.net, 1 +corporateclubaustralia.com.au, 1 +corporatecompany.cz, 1 +corporatecomputingsolutions.com, 1 +corporategift.com, 1 +corporatehitech.com.au, 1 +corporateinbound.com, 1 +corporatevisions.com, 1 +corporativoarval.info, 1 +corposeditora.tk, 1 +corpsepaint.life, 1 +corpulant.coffee, 1 +corpulantcoffee.com, 1 +corpulent.coffee, 1 +corpulentcoffee.com, 1 +corpus-hermeticum.pl, 1 +corpuschristisouthriver.org, 1 +corpuschristitx.gov, 1 +corpusslayer.com, 1 +corr-met.pl, 1 +corrales-sanchez.tk, 1 +correct.cf, 1 +correctconstructions.com.au, 1 +correcthorse.cf, 1 +correcthorse.pw, 1 +correctionalofficer.org, 1 +correctionalofficeredu.org, 1 +correctiv.org, 1 +correctlydesign.com, 1 +corrector.com.ua, 1 +corredorampr.com, 1 +correo-e.mx, 1 +correo.club, 1 +correotemporal.org, 1 +correspond.gq, 1 +correspondent.ga, 1 +corrick.io, 1 +corride.at, 1 +corridorsands.com.au, 1 +corriere.roma.it, 1 +corrieresalentino.it, 1 +corrigan.xyz, 1 +corrupt-republicans.com, 1 +corruptcatz.com, 1 +corruptos.tk, 1 +corry-new.cloud, 1 +cors-proxy.cf, 1 +corsa-b.uk, 1 +corsac.nl, 1 +corsectra.com, 1 +corsepro.com, 1 +corservsolutions.com, 1 +corsetacademy.tk, 1 +corsi.tk, 1 +corsica.ovh, 1 +corsicalaw.com, 1 +corsicanatx.gov, 1 +corsihaccpsicurezzalavoro.it, 1 +corsisicurezza.it, 1 +corso.cf, 1 +corsohaccp.roma.it, 1 +corsorspp.roma.it, 1 +cortadoradeplasma.online, 1 +cortadorplasma.com, 1 +cortapelos.site, 1 +corte.tk, 1 +cortealcastello.it, 1 +cortege.cf, 1 +cortemadera.gov, 1 +cortep.fr, 1 +cortestesisat.net, 1 +cortex-development.de, 1 +cortezco.gov, 1 +cortezsanitation.gov, 1 +corthouts.pl, 1 +cortino.ga, 1 +cortis-consulting.ch, 1 +cortizo.com.ar, 1 +cortizocampillo.com.mx, 1 +cortlandcountyny.gov, 1 +cortlandreview.com, 1 +cortlandvoice.com, 1 +cortonaeranieri.com.br, 1 +corum.fr, 1 +corus-xuam.eu, 1 +corus.lt, 1 +corvaglia.com, 1 +corvax.kiev.ua, 1 +corvetto.tk, 1 +corvus.eu.org, 1 +corvuscorax.info, 1 +coryadum.com, 1 +coryellcountytx.gov, 1 +corykoz.com, 1 +coryluba.com, 1 +corytennison.net, 1 +cos.rent, 1 +cosasnuevas.tk, 1 +cosasque.com, 1 +cosavederein1giorno.it, 1 +cosavederein5giorni.it, 1 +cosec.cn, 0 +coshima.cf, 1 +coshima.ga, 1 +coshima.gq, 1 +coshima.tk, 1 +cosirex.com, 1 +coskun.tk, 1 +coslinker.com, 0 +cosmasiakraft.tk, 1 +cosmatic.it, 1 +cosmeagardens.com, 1 +cosmekaitori.jp, 0 +cosmetic-pack.com, 1 +cosmetic-surgery-prices.co.uk, 1 +cosmeticasimple.com, 1 +cosmeticenter.com.br, 1 +cosmeticosdelivery.com.br, 1 +cosmeticosfuerth.de, 1 +cosmeticosnet.com.br, 1 +cosmeticosprofissionais.com.br, 1 +cosmeticsurgeon.ga, 1 +cosmetify.com, 1 +cosmetiq.tk, 1 +cosmetix-ndsf.fr, 1 +cosmiatria.pe, 1 +cosmic-relations.co.jp, 1 +cosmic-service.com, 1 +cosmicdrifters.com, 1 +cosmichpc.com, 1 +cosmichpc.systems, 1 +cosmick9.net, 1 +cosmicnetworks.cf, 1 +cosmictourist.de, 1 +cosmicworlds.mobi, 1 +cosmocode.de, 1 +cosmodacollection.com, 1 +cosmohit.ua, 1 +cosmohost.info, 0 +cosmohosting.site, 1 +cosmoiler.com, 1 +cosmonaut.tk, 1 +cosmos-indirekt.de, 1 +cosmos-ink.net, 1 +cosmos-software.tk, 1 +cosmoschaos.net, 1 +cosmosdogbakery.com, 1 +cosmosearch-azerbaijan.tk, 1 +cosmosenalerta.tk, 1 +cosmosmkt.com.mx, 1 +cosmoz.ga, 1 +cosms.com, 1 +cosmundi.de, 1 +cosmv.org, 1 +cosni.co, 1 +cosos.gov, 1 +cosplayer.com, 1 +cosplaygif.com, 1 +cospol.ch, 0 +cosset.com.tw, 1 +costa-ballena.tk, 1 +costablancavoorjou.com, 1 +costalinux.tk, 1 +costarellos.com, 1 +costaricanvillas.com, 1 +costazulinmobiliaria.com, 1 +costco.co.jp, 1 +costco.co.kr, 1 +costco.co.nz, 1 +costco.co.uk, 1 +costco.com.au, 1 +costco.com.mx, 1 +costco.com.tw, 1 +costco.is, 1 +costcoinsider.com, 1 +costel.tk, 1 +costelino.tk, 1 +costellofc.co.uk, 0 +costflow.ga, 1 +costi.cf, 1 +costi.eu, 1 +costinesti.tk, 1 +costoflipitor.gq, 1 +costplusdrugs.com, 1 +costravel.ru, 1 +costreportdata.com, 0 +costruzioni.milano.it, 1 +costum-for-men.tk, 1 +costumestylesers.ga, 1 +cosude.org.pe, 1 +cosumnescsd.gov, 1 +cosuno.com, 1 +cosy-interior.com, 1 +cosyden.tk, 1 +cotak.gov, 1 +cotandoseguro.com, 1 +coteax.com, 1 +coteax.nl, 1 +cotehy.com, 1 +cotejardin.gent, 1 +cotennis.net, 1 +coteouestmedia.com, 1 +coth.ml, 1 +cothurnes.fr, 1 +cotofoto.tk, 1 +coton.tk, 1 +cotonni.tk, 1 +cotrugli.social, 1 +cotswoldgrangehotel.co.uk, 1 +cotsworth.com, 1 +cotta.dk, 1 +cottagegroveor.gov, 1 +cottagelife.com, 1 +cottagessw.co.uk, 1 +cottier-angeli.swiss, 1 +cottonage.tk, 1 +cottonwoodcountymn.gov, 1 +cottonwoodimprovement.gov, 1 +cotwe-ge.ch, 0 +coubron-escrime.fr, 1 +couchidiomas.com, 1 +couchscreen.de, 1 +cougar-bordeaux.fr, 1 +cougargrades.io, 1 +cougarlyon.fr, 1 +coughlan.de, 1 +could.jp, 1 +couleur-lavande.com, 1 +couleursorgue.tk, 1 +coun.be, 1 +counseling4students.com, 1 +counselingforstudents.com, 1 +counsellingtime.co.uk, 1 +counsellingtime.com, 1 +counsellink.net, 1 +counstellor.com, 0 +counter-strike.net.cn, 1 +countercloud.com, 1 +counterenlol.com, 1 +counterespionage.com, 1 +countermats.net, 1 +countermentors.com, 1 +counterstrikeonline.org, 1 +countertopapothecary.com, 1 +countertrade.com, 0 +countexact.com, 1 +countingdues.com, 1 +countingup.com, 1 +countrify.net, 1 +country-candles.co.uk, 1 +country-creativ.de, 1 +country-dancers.tk, 1 +country-games.tk, 1 +country-house.ga, 1 +country-muziek.nl, 1 +countrybrewer.com.au, 1 +countrylife.cz, 1 +countrymountaininn.com, 1 +countryoutlaws.ca, 1 +countrysaloon.tk, 1 +countryshopradio.tk, 1 +countrysidebar.tk, 1 +countrysidemarquees.co.uk, 1 +countrysmile.org, 0 +county10.com, 1 +countybankdel.com, 1 +countyjailinmatesearch.com, 1 +countyofbarton.gov, 1 +countyofkingsca.gov, 1 +countyofmonterey.gov, 1 +countyofmontereyca.gov, 1 +coup-dun-soir.ch, 1 +coupa.com, 1 +coupedevils.tk, 1 +coupestanley.com, 1 +couplay.org, 1 +couplesapp.co, 1 +couponarea.com, 1 +couponava.com, 1 +couponchief.com, 0 +couponcodefind.com, 1 +couponcodesme.com, 1 +couponfollow.co.uk, 1 +couponsale.tk, 1 +couponzil.com, 1 +cour4g3.me, 1 +courage-sachsen.org, 1 +courage.cf, 1 +couraqe.tk, 1 +courier.lk, 1 +couriergrey.com, 1 +couriersrs.com, 1 +couriertrackers.com, 1 +coursables.com, 1 +coursdejaponais.com, 1 +course5i.com, 0 +courseconfidence.com, 1 +coursehero.com, 1 +coursehero.ph, 1 +coursehunter.net, 1 +courselore.org, 1 +courseorbit.com, 1 +coursera.org, 1 +coursereleases.com, 1 +courses.nl, 1 +coursesanswer.com, 1 +coursesidekick.com, 1 +coursesweb.net, 1 +courseworkbank.info, 1 +coursingweb.tk, 1 +coursocean.co, 1 +courstoujours.be, 1 +court1tickets.co.uk, 1 +court1tickets.com, 1 +court23taylormi.gov, 1 +courthousedirect.com, 1 +courtlandtwpmi.gov, 1 +courtonetickets.co.uk, 1 +courtonetickets.com, 1 +courtreporteredu.org, 1 +courttranscriptontario.ca, 1 +courvix.com, 1 +couscous.recipes, 1 +cousine.tk, 1 +cousins.tk, 1 +couteauxsurvie.fr, 1 +couverture-barre.fr, 1 +couverture-saint-nazaire.fr, 1 +couvreur-hinault.fr, 1 +covar.com.co, 1 +covbounce.co.uk, 1 +cove.chat, 1 +covechat.xyz, 1 +covenantbattle.net, 1 +covenco.com, 1 +coventry.com, 1 +coventrycollege.ac.uk, 1 +coventryfdri.gov, 1 +coventrymoneyman.com, 1 +coventryuk.tk, 1 +cover-fashion.de, 1 +coverage-db.org, 1 +coveragecareservices.co.uk, 1 +coveragent.de, 1 +covercrust.com, 1 +covercupboard.co.uk, 1 +coveredinspiders.com, 1 +covering.com.py, 1 +covermusik-band.de, 1 +covermytrip.com.au, 1 +covers.com, 1 +covershousing.nl, 1 +covert.sh, 1 +covery.ai, 1 +coveteur.com, 1 +coviacorp.com, 1 +covid-19.nhs.uk, 1 +covid-19advice.com, 1 +covid.gov, 1 +covid19-tracing.ch, 1 +covid19.gov.ph, 1 +covid19.melbourne, 1 +covid19.nhs.uk, 1 +covid19dataportal.si, 1 +covid19details.com, 1 +covid19resilience.org, 1 +covid19responsepod.com, 1 +covid19scotland.co.uk, 0 +covid19statstracker.com, 1 +covidactnow.org, 1 +covidcoldfacts.com, 1 +coviddiary.live, 1 +coviddrawings.org.uk, 1 +covidfreeathome.org, 1 +covidinfo.com.br, 1 +covidlive.com.au, 1 +covidmodel.net, 1 +covidpppstore.co.za, 1 +covidservicepoint.de, 1 +covidstats.gr, 1 +covidtest.gov, 1 +covidtesthonolulu.org, 1 +covidtests.gov, 1 +covidtracker.fr, 1 +covisa.cl, 1 +covisian.com, 1 +covybrat.cz, 1 +cow-ims.herokuapp.com, 1 +cowbird.org, 1 +cowcreek-nsn.gov, 1 +cowleycountyks.gov, 1 +cowleysexeter.co.uk, 1 +cowlitzwa.gov, 1 +coworkanywhere.ch, 1 +coworking-luzern.ch, 1 +coworking-space.tk, 1 +coxcapitalmanagement.com, 1 +coxhealthfoundation.com, 1 +coxxs.me, 1 +coxxs.moe, 1 +coya.tw, 1 +coyo.tl, 1 +coyocloud.com, 1 +coyote.cf, 1 +coyote105.com, 1 +coz-artistic.net, 1 +cozanne.fr, 1 +coze.zone, 1 +cozinharaz.com, 1 +cozmoapp.com, 1 +cozmoyachts.com, 1 +cozo.me, 1 +coztacukrzyca.pl, 1 +cozumelairlines.com, 1 +cozumelflight.com, 1 +cozumelisparadise.com, 1 +cozy.town, 1 +cozyeggdesigns.com, 1 +cozynergy.com, 1 +cozzack.com, 1 +cp-st-martin.be, 1 +cp061.com, 0 +cpacharge.com, 1 +cpadollar.cf, 1 +cpagray.com, 0 +cpan.org, 1 +cpanels.us, 1 +cpaneltips.com, 1 +cpap.com, 1 +cpaporttraining.org, 0 +cpars.gov, 1 +cparta.pro, 1 +cpaspecialisters.ga, 1 +cpasperdu.com, 1 +cpatoday.club, 1 +cpbanq.com, 1 +cpcbegin.tk, 1 +cpchur.ch, 0 +cpd-education.co.uk, 1 +cpd.org.au, 1 +cpe-colleg.de, 1 +cpe-registry.com, 1 +cpe-registry.org, 1 +cpegypt.tk, 1 +cpeip.cl, 1 +cpelighting.tk, 1 +cperegistry.com, 1 +cperegistry.net, 1 +cperegistry.org, 1 +cpfpa.com, 1 +cpfrancophonie.org, 1 +cpfs-group.com, 1 +cpfurni.com, 0 +cpg.de, 1 +cpgiiaragon.es, 1 +cphollywoodproduct.ml, 1 +cphpvb.net, 1 +cpifilters.com, 1 +cpish.id.au, 1 +cplconsult.com, 1 +cpls.me, 1 +cplsearch.com, 1 +cpm-steuerberater.de, 1 +cpm-steuerberater.pro, 1 +cpm-steuerberater.support, 1 +cpme-industrial.com, 1 +cpost.com.tr, 1 +cppaste.org, 1 +cppressinc.com, 1 +cpro.pt, 1 +cprportal.com, 1 +cps-ecobati.com, 1 +cps-sante.ml, 1 +cpsa.co.uk, 1 +cpsc.gov, 1 +cpsecureapp.com, 1 +cpsq.fr, 1 +cpstest.live, 1 +cpstest.org, 1 +cpsurvey.com, 1 +cptoon.com, 1 +cptvl.de, 1 +cpu.biz.tr, 1 +cpu.wiki, 1 +cpucheu.com, 1 +cpufanshop.ga, 1 +cpws.gov, 1 +cpxz.nl, 1 +cpy.pt, 1 +cqep.com, 1 +cqfuchen.com, 1 +cqoicebordel.tk, 1 +cqradio.tk, 1 +cqre.business, 1 +cqswxx.com, 1 +cqvradio.ddns.net, 0 +cr.search.yahoo.com, 0 +cr05.fr, 1 +cr3zyblog.com, 1 +cr8haven.com, 1 +cr9499.com, 1 +cra-bank.com, 1 +cra-search.net, 1 +cra-zy.tk, 1 +crabfactory.com.my, 1 +crabgrasslawn.com, 1 +crabo3d.de, 1 +crabrave.space, 1 +crabtreestore.nl, 1 +cracedkey.com, 1 +crackajack.cf, 1 +crackbros.com, 1 +crackcat.de, 1 +crackedlink.com, 1 +crackedsoftware.cf, 1 +cracker.in.th, 1 +crackerjohn.tk, 1 +crackheros.site, 1 +crackhomes.com, 1 +cracklab.tk, 1 +crackle.io, 1 +crackpfer.de, 1 +cracksarkariexam.com, 1 +cracksarkarinaukri.com, 1 +crackserialkey.co, 1 +cracksnet.tk, 1 +crackspro.co, 1 +crackstation.net, 1 +cracky-chan.com, 1 +cracky.art, 1 +cracky.win, 1 +crackychan.cc, 1 +crackychan.net, 1 +crackychan.org, 1 +crackyhouse.com, 1 +crackypedia.uk, 1 +crackzoom.com, 1 +cradio.tk, 1 +cradleaccounting.com, 1 +cradleofaviation.org, 1 +cradletocareer.org.uk, 1 +craft-beer.life, 1 +craft-me-in.com, 1 +craft.eu.org, 1 +craftandbuild.de, 1 +craftbyhand.com, 1 +craftcms.com, 1 +crafted.cat, 1 +crafterbase.de, 1 +crafters.co.jp, 1 +craftfocus.com, 1 +craftgalore.com.au, 1 +craftgate.io, 1 +crafthead.net, 1 +craftination.net, 1 +craftinghand.com, 0 +craftist.de, 1 +craftmachinec.com, 1 +craftmenu.ru, 1 +craftmeow.com, 1 +craftmeow.support, 1 +craftngo.hu, 1 +craftottawa.ca, 1 +craftshiponline.tk, 1 +craftsmandruggets.com, 1 +craftsmany.net, 1 +craftsofcleo.com, 1 +crafttalk.tk, 1 +craftutor.com, 1 +craftwarehouse.com, 1 +craftwmcp.xyz, 1 +craftydev.design, 1 +craftyguy.net, 0 +craftyphotons.net, 1 +craftyun.cn, 1 +craig-mullins.com, 1 +craigary.net, 0 +craigbates.co.uk, 0 +craigdavis.ga, 1 +craigfrancis.co.uk, 1 +craigheadcountyar.gov, 1 +craigleclaireteam.com, 1 +craignewmarkphilanthropies.org, 0 +craigphillips-work.cf, 1 +craigrouse.com, 1 +craigsaper.com, 1 +craigwfox.com, 0 +cramersoft.com, 1 +cran-automobiles.fr, 1 +cranems.com.ua, 1 +cranenburgh.nl, 1 +cranenburgh.tk, 1 +cranepedia.com, 1 +cranes.ga, 1 +cranforddental.com, 1 +crangasi.tk, 1 +cranioo.nl, 1 +crankshaft.space, 1 +cranstonri.gov, 1 +craphound.com, 1 +crapitalism.biz, 1 +crapmail.tk, 1 +crapouill.es, 1 +crash-de-1929-et-grande-depression.tk, 1 +crash.net, 1 +crashbolsa.com, 1 +crashcomputer.tk, 1 +crashcoursecenter.com, 1 +crashcrafter.de, 1 +crashday.tk, 1 +crashdummy.tk, 1 +crashedata.tk, 1 +crashgambler.io, 1 +crashpaint.cf, 1 +cratedb-dev.cloud, 1 +cratedb.cloud, 1 +cratedb.net, 1 +crates-io.cn, 1 +cratexcalgary.com, 1 +cratexedm.com, 1 +cratexind.com, 1 +cratitadelicioasa.ro, 1 +cratss.co.uk, 1 +cravatar.cn, 0 +cravecraftonline.com, 1 +crawcial.de, 1 +crawdadrepublic.com, 1 +crawford.cloud, 1 +crawfordcountyin.gov, 1 +crawfordcountyohioboe.gov, 1 +crawfordcountytcc.org, 1 +crawfordcountywi.gov, 1 +crawfordtx.gov, 1 +crawler.ninja, 1 +crax.tube, 1 +craxpro.io, 1 +crayon.co, 1 +craytos.jp, 1 +crazedknitters.com, 1 +crazilyeverafter.com, 1 +crazy-cake.tk, 1 +crazy-coders.com, 1 +crazy-fox.cf, 1 +crazy-project.ml, 1 +crazyachmed.de, 1 +crazybear-underground.tk, 1 +crazycastles.ie, 1 +crazycen.com, 0 +crazychicken.tk, 1 +crazycouple.ml, 1 +crazycube.fr, 1 +crazycube.tk, 1 +crazydrivers.tk, 1 +crazydude.tk, 1 +crazyfly.tk, 1 +crazyfrog.biz, 1 +crazyfrog.com, 1 +crazygifts.cf, 1 +crazyhost.ga, 1 +crazyhost.tk, 1 +crazymadness.tk, 1 +crazymarvin.com, 1 +crazymeeshu.com, 1 +crazymonkey.gq, 1 +crazynetwork.it, 1 +crazypaul.com, 1 +crazypellas.tk, 1 +crazypete.ga, 1 +crazypong.tk, 1 +crazypotato.tk, 1 +crazysavings.ga, 1 +crazysexpics.com, 1 +crazystories.tk, 1 +crazytunaaz.com, 1 +crbug.com, 1 +crc-bank.com, 1 +crc-online.nl, 1 +crc-search.com, 1 +crc.net.br, 1 +crc32.online, 1 +crca911co.gov, 1 +crcdatatech.com, 1 +crcncc.org, 1 +crcr.pw, 0 +cre8iveco.com, 1 +cre8ivedeals.com, 1 +cre8studios.net, 1 +crea-etc.net, 0 +crea-shops.ch, 0 +crea-that.fr, 1 +crea.bg, 1 +crea.me, 1 +creacioneslri.com, 1 +creacode.tech, 1 +creactivatecomfandi.com, 1 +creadoc.fr, 1 +creadordenoticias.com, 1 +creadstudy.com, 1 +creafitchile.cl, 1 +creaintel.net, 1 +creaketing.com, 1 +crealabs.it, 1 +crealogix-online.com, 1 +creamcastles.co.uk, 1 +creamfields.com, 1 +creamless.com, 1 +creampiepornvids.com, 1 +creampiepussytube.com, 1 +creamsoft.com, 1 +creamyfox.com, 1 +creandoydesarrollando.com, 1 +crear-webs-baratas.com, 0 +creared.edu.co, 1 +crearesiteweb.tk, 1 +creareup.com, 1 +creartcol.tk, 1 +creartsynergy.org, 1 +creasetheband.tk, 1 +creastic.com, 1 +create-it.cz, 1 +create-ls.jp, 1 +create-website.ga, 1 +create2.be, 1 +createbeauty.tk, 1 +createbeing.com, 1 +createbot.ml, 1 +createcode.pt, 1 +createconline.de, 1 +createcpanama.com, 1 +creategyx.ga, 1 +creately.com, 1 +createme.com.pl, 1 +createmvp.com, 1 +createstudios.com.au, 0 +createuniforms.co.za, 1 +createwithcynthia.com, 1 +creati.me, 1 +creatiefcoaching.nl, 1 +creatieven.com, 1 +creation-photos.com, 1 +creationfox.gq, 1 +creations-edita.com, 1 +creationsgate.com, 1 +creative-wave.fr, 1 +creative2.ru, 1 +creativeangles.in, 1 +creativeartifice.com, 0 +creativebaccha.ga, 1 +creativebathroomsandinteriors.com.au, 1 +creativebenefits.ca, 1 +creativebitsandpieces.com, 1 +creativebloq.tk, 1 +creativechili.com, 1 +creativecityofmusic.be, 1 +creativecommons.gr, 1 +creativecommonscatpictures.com, 1 +creativeconceptsvernon.com, 1 +creativeconsult.com, 1 +creativedijital.com.tr, 1 +creativeeducation.tk, 1 +creativeexpertdesigner.com, 1 +creativefocus.com, 1 +creativegraphix.com, 1 +creativeground.com, 1 +creativeground.com.au, 1 +creativeideasagency.com, 1 +creativeink.de, 1 +creativekitchens.co.nz, 1 +creativekkids.com, 1 +creativelaw.eu, 1 +creativeliquid.com, 1 +creativelysustainable.com, 1 +creativemarket.com, 1 +creativematters.ch, 0 +creativemindslms.tk, 1 +creativenz.govt.nz, 1 +creativepatterns.io, 1 +creativephs.com, 1 +creativephysics.ml, 1 +creativeqc.com, 1 +creativeradiance.com, 1 +creativescastle.com, 1 +creativescorpio.tk, 1 +creativesectors.tk, 1 +creativestories.me, 1 +creativevietnam.com.vn, 1 +creativeweb.biz, 1 +creativewolf.net, 1 +creativeworks.com.hk, 1 +creativika.it, 1 +creativityalliance.com, 1 +creativlabor.ch, 1 +creatix.tk, 1 +creatixx-network.de, 0 +creatormetrics.io, 1 +creators-design.com, 1 +creators.direct, 1 +creatorswave.com, 1 +creattic.tk, 1 +creatuasociacion.es, 1 +creayes.com, 1 +crebita.de, 1 +crecips.com, 1 +crecman.fr, 1 +crecycle.eco, 1 +credello.com, 1 +credentsys.cloud, 0 +credex.bg, 1 +credify.tech, 1 +credigo.io, 1 +credimax.com.bh, 1 +credin.com.tr, 1 +credit-10.com, 1 +credit-default-swaps.tk, 1 +credit-mgmt.biz, 1 +credit.in.th, 1 +creditcard.run, 1 +creditcardgenerator.money, 1 +crediteurope.ru, 1 +credithelpinfo.com, 1 +creditif.tk, 1 +creditjunkie.com, 1 +creditkarma.ca, 1 +creditkarma.com, 1 +creditkarma.pro, 1 +creditoconsolidado.pt, 1 +creditopessoal.pt, 1 +creditor.ga, 1 +creditor.tk, 1 +creditorapido.pt, 1 +creditos-rapidos.com, 1 +creditozen.es, 0 +creditozen.mx, 0 +creditreport.tk, 1 +creditriskmonitor.com, 1 +creditscoresmart.com, 1 +creditshanghai.com, 1 +creditshop.com, 1 +creditsummerevent.eu, 1 +creditxpert.com, 1 +crednox.com, 1 +credot.ru, 1 +creekie.me, 1 +creeks-coworking.com, 1 +creeksidebiblechurch.org, 1 +creeksidecentre.org.uk, 1 +creeksideduluth.com, 1 +creelandgow.com, 1 +creep.tk, 1 +creepnt.stream, 1 +creepycraft.nl, 1 +creepypastas.com, 1 +creepystories.tk, 1 +creer-mon-business-plan.fr, 1 +creer-une-boutique-en-ligne.com, 1 +creermonsite-wp.com, 1 +creerunblog.net, 1 +cremalleradenuria.tk, 1 +crematory.tk, 1 +cremedigital.com, 1 +cremicro.com, 0 +crena.ch, 1 +crepa.ch, 0 +crepusculofansmexico.tk, 1 +crescendo.ai, 1 +crescendo.ventures, 1 +crescent-moon.tk, 1 +crescentchc.org, 1 +cresoweb.it, 1 +cresserons.fr, 1 +cressetcapital.com, 1 +crest.com, 1 +crestalepropiedades.com.ar, 1 +crestaproject.com, 1 +crestasantos.com, 1 +crestataustin.com.my, 1 +crestaurant.com.au, 1 +crestdatasys.com, 1 +crestoncottage.com, 0 +crestor20mg.ml, 1 +crestorgeneric.ml, 1 +crestresearch.ac.uk, 1 +crestrockadvisors.com, 1 +crestron.com, 1 +crestwoodky.gov, 1 +cretdupuy.com, 0 +creteangle.com, 1 +cretica.no, 1 +creusalp.ch, 0 +crew.moe, 1 +crewextension.com, 1 +crewnetwork.com, 1 +crewresourcesinternational.group, 1 +crewsing.tk, 1 +crewvision.pt, 1 +crex24.com, 1 +crfcap.org, 0 +crgalvin.com, 1 +crgm.net, 1 +crh.org, 0 +cria.jp, 1 +criandosites.com.br, 1 +crianma.com, 0 +criaraposta.com.br, 1 +crias.fr, 1 +criativedesign.com.br, 1 +cribboker.net, 1 +cribcore.com, 1 +cric-grenoble.info, 1 +cricheroes.in, 1 +cricket-betting-online.in, 1 +cricketarena.ml, 1 +cricketnmore.com, 1 +cricketwatch.org, 1 +crickey.eu, 1 +crickits.co.uk, 1 +cricklewood.condos, 1 +cricmela.com, 1 +cricpa.com, 1 +crictechs.com, 1 +cridem.org, 1 +cridigital.net, 1 +criena.com, 1 +criena.net, 1 +crigler-najjar.fr, 1 +criglernajjarday.com, 1 +criktrik.com, 1 +crimalelov.gq, 1 +crimeadsers.ga, 1 +crimeadsest.ga, 1 +crimeainspire.com, 1 +crimeamet.ml, 1 +crimean-wines.tk, 1 +crimeandwar.com, 1 +crimefreeliving.com, 1 +crimemuseum.org, 1 +crimes.media, 1 +crimesceneinvestigatoredu.org, 1 +crimethincx.tk, 1 +crimewatch.net, 1 +crimewatchfl.com, 1 +crimewatchpa.com, 1 +crimewatchus.com, 1 +criminal-attorney.ru, 1 +criminal-market.ml, 1 +criminal-news.tk, 1 +criminal.enterprises, 1 +criminalcasecheats.ml, 1 +criminaljusticeprograms.com, 1 +criminaljusticeprogramsonline.com, 1 +criminallawyerjobdescription.ga, 1 +criminallawyerjobdescription.gq, 1 +criminallawyerjobdescription.ml, 1 +criminallawyersingapore.com, 1 +criminalminds.tk, 1 +criminalnote.tk, 1 +criminalskin.tk, 1 +criminologia.or.cr, 1 +crimsh.com, 0 +crimson.no, 0 +crimsonconnect.co.uk, 1 +crimsoncoward.com, 1 +crimsondragoncosplay.tk, 1 +crimsoninators.ga, 1 +crimsonlettersmusic.com, 1 +crimsonmedia.co.uk, 1 +crimtan.com, 1 +crinesdanzantes.be, 1 +crioestaminal.pt, 1 +crip-usk.ba, 1 +criptex.tk, 1 +criptocert.com, 1 +criptofy.com, 1 +criptoinvest.pt, 1 +criptomonedas365.com, 1 +criptomonedasworld.com, 1 +criptomonedaz.com, 1 +criptomoneylite.tk, 1 +criptozoologia.tk, 1 +cris.org.in, 1 +cris2006.com, 1 +crisantacademy.com, 1 +crisisactual.com, 1 +crisisclubers.ga, 1 +crisisdelos40.tk, 1 +crisisnextdoor.gov, 1 +crismar-flora.tk, 1 +crismatthews.com, 1 +crisp.chat, 1 +crisp.email, 1 +crisp.help, 1 +crisp.im, 1 +crisp.nl, 1 +crisp.watch, 1 +crispinplasticsurgery.com, 1 +crispinusphotography.com, 1 +crispybacon.ml, 1 +crisssmanmix.tk, 1 +cristaleslitios.com.mx, 1 +cristalgema.ga, 1 +cristalid.com, 1 +cristals.ga, 1 +cristaltercos.com.br, 1 +cristau.org, 1 +cristenberens.tk, 1 +cristiaen.nl, 1 +cristian-alexander.tk, 1 +cristiandumitru.tk, 1 +cristianhares.com, 1 +cristianonascimento.ml, 1 +cristiengoller.ga, 1 +cristiengoller.gq, 1 +cristina.tk, 1 +cristinafigueroa.tk, 1 +cristnasar.tk, 1 +cristomisina.tk, 1 +cristomoradocusco.tk, 1 +critcola.com, 1 +criteriaproducciones.tk, 1 +criterion.ga, 1 +criterionsystems.co.uk, 1 +critfc.org, 1 +critical-scientists.net, 1 +critical.software, 1 +criticalculture.cf, 1 +criticalculture.gq, 1 +criticalculture.ml, 1 +criticalgenesis.tk, 1 +criticalmention.com, 1 +criticalmetalscorp.com, 1 +criticalminerals.gov, 1 +criticalrace.org, 1 +criticalsurveys.co.uk, 1 +criticcoos.tk, 1 +criticizetheworld.tk, 1 +critiker.com, 1 +critiquejeu.info, 1 +critiquejeu.org, 1 +critterculture.com, 1 +crivitz.gov, 1 +crix.ro, 1 +crixto.io, 1 +crl-autos.com, 1 +crlna.com, 1 +crm-dialog.com, 1 +crm-dialog.de, 1 +crm-gestion-relation-client.com, 1 +crm.onlime.ch, 0 +crm114d.com, 1 +crm911.com, 1 +crmall.com, 1 +crmdumariage.com, 1 +crmforce.mil, 1 +crmot.com, 1 +crmplace.com, 1 +crmtaxi.ml, 1 +crmzz.com, 1 +crnajobsite.com, 1 +crobeauty.com, 1 +croceverdevb.it, 1 +crocheclube.com, 1 +crocheteursdefrance.fr, 1 +crochetkim.com, 1 +crocia.com, 1 +crockettdoodles.com, 0 +crockettmyers.com, 1 +crocky.tk, 1 +crocop.tk, 1 +crocuscoaching.co.uk, 1 +croeder.net, 1 +croftsvetsurgery.co.uk, 1 +croissant.casa, 1 +cromavista.tk, 1 +cromefire.de, 1 +cromefire.myds.me, 1 +cromosceltavigo.tk, 1 +cromosomax.com, 1 +cromwell-intl.com, 1 +cromwellarc.co.uk, 1 +cromwellvets.co.uk, 1 +cron.com, 1 +cron.uz, 1 +cronberg.ch, 1 +croncron.io, 1 +cronenberg.cc, 1 +cronicademuro.tk, 1 +cronicanet.com.br, 1 +cronix.cc, 1 +cronjob.de, 1 +cronobox.one, 1 +cronologie.de, 1 +cronometer.com, 1 +cronoscentral.be, 1 +crookcountyor.gov, 1 +crookedcru.tk, 1 +crookedtower.com, 1 +crooklibraryor.gov, 1 +crookpublichealthor.gov, 1 +croonix.one, 1 +croonix.tech, 1 +crop-alert.com, 1 +cropdiagnosis.com, 1 +cropme.net, 1 +cropwizarders.ga, 1 +croquementbon.fr, 1 +croquetgolf.tk, 1 +croquis.tk, 1 +crosbug.com, 1 +cross-culture.tk, 1 +cross-games.tk, 1 +cross-led-sign.com, 1 +cross-x.com, 1 +crossair.tk, 1 +crosschq.com, 1 +crosscom.ch, 1 +crossconnected.co.uk, 1 +crossdresscontest.com, 1 +crossedwires.net, 1 +crossfiremovies.tk, 1 +crossfitbesafe.com, 1 +crossformer.com, 1 +crossfunctional.com, 1 +crosslaketech.com, 1 +crosslifenutrition.co.uk, 0 +crosslimit.ga, 1 +crosslink.ae, 1 +crossmediahouse.nl, 1 +crossorange.jp, 1 +crossover.tk, 1 +crossoverit.com, 1 +crosspeakoms.com, 1 +crossplainstn.gov, 1 +crosspointmn.org, 1 +crossriver.com, 0 +crossroads-gmbh.ch, 1 +crossroadsdentalgroup.org, 1 +crosstitch.com, 1 +crossuniverse.net, 1 +crossway.nl, 1 +crosswayz.tk, 1 +crosswordarchive.org, 1 +crosty.tk, 1 +crotchrockets.tk, 1 +croviz.com, 1 +crow.tw, 1 +crowcloud.com, 1 +crowdamp.live, 1 +crowdbank.jp, 1 +crowdbox.net, 1 +crowdcloud.be, 1 +crowdfavorite.com, 1 +crowdfiber.com, 1 +crowdfundingdream.com, 1 +crowdfundinggent.be, 1 +crowdpress.it, 1 +crowdsim3d.com, 1 +crowdstack.com, 1 +crowdstack.io, 1 +crowdsupply.com, 1 +crowleybrynn.com, 1 +crown-beverage.com, 1 +crown-building.com, 1 +crown-trading.ru, 1 +crownaffairs.ch, 1 +crowncastles.co.uk, 1 +crownchessclub.com, 1 +crownedhijab.com, 1 +crownednetwork.com, 1 +crownmarqueehire.co.uk, 1 +crownpoint.com, 0 +crownsterling.io, 1 +crowter.li, 1 +crowwing.gov, 1 +croxu.com, 1 +croydonapartments.com.au, 1 +croydonbouncycastles.co.uk, 1 +crpcentroradiologico.com.br, 1 +crrapi.cf, 1 +crrapi.xyz, 1 +crrev.com, 1 +crrow777radio.com, 1 +crsngthsswthy.com, 1 +crsoresina.it, 1 +crsserviceogkloak.dk, 1 +crstat.ru, 1 +crt.cloud, 1 +crt.sh, 1 +crt2014-2024review.gov, 1 +crtalleres.com, 1 +crti.dz, 1 +crti.tech, 1 +crtified.me, 1 +crucerosplus.com, 1 +crucial.com, 1 +crucial.de, 1 +crucial.es, 1 +crucial.fr, 1 +crucial.in, 1 +crucial.jp, 1 +crucial.tw, 1 +cruelalice.net, 1 +cruelcarbon.tk, 1 +cruelgirls.tk, 1 +crufad.org, 0 +cruicky.co.uk, 1 +cruicky.uk, 1 +cruiseamerica.com, 1 +cruisecheap.com, 1 +cruisecontrolnovels.com, 1 +cruisefashion.tk, 1 +cruiseguy.com, 1 +cruiselookout.com, 1 +cruisemoab.com, 1 +cruisemongers.com, 1 +cruisequotes.com, 1 +cruises.tk, 1 +cruisezoom.com, 1 +crumbcontrol.com, 1 +crumbscorkscrews.com, 1 +crumobr.com, 1 +crunchopedia.com, 1 +crunchr.com, 1 +crunchrapps.com, 1 +crunchreviews.com, 1 +crunchy.rocks, 1 +crunchybetty.com, 1 +crunchybridge.com, 1 +crushthelsatexam.com, 1 +crushthepmexam.com, 1 +crushxp.tk, 1 +crustytoothpaste.net, 1 +crute.me, 1 +crutic.gq, 1 +cruzadamorada.tk, 1 +crvegas.com, 1 +crvenikrst.tk, 1 +cry-sys.de, 0 +cryne.me, 1 +cryo-fit.com, 1 +cryoflesh.com, 1 +cryogeni.fr, 1 +cryosite.com, 1 +cryothanasia.com, 1 +cryovex.com, 1 +cryozenic.com, 1 +cryp.no, 1 +crypt-app.net, 1 +crypt0cloud.ddns.net, 0 +cryptcex.com, 0 +cryptcheck.fr, 1 +cryptearth.de, 1 +crypted.chat, 0 +crypteianetworks.com, 1 +cryptenet.com, 1 +crypterium.com.br, 1 +cryptex.net, 1 +crypticdeath.tk, 1 +crypticface.tk, 1 +crypticonseattle.com, 1 +crypticstench.tk, 1 +cryptii.com, 0 +cryptin-it.com, 1 +cryptingup.com, 1 +cryptitan.live, 1 +cryptme.in, 1 +crypto-ads.ga, 1 +crypto-clix.xyz, 1 +crypto-gambling.tv, 1 +crypto-gaming.tk, 1 +crypto-trade.org, 1 +crypto-unveil.com, 0 +crypto-wiki.tk, 1 +crypto.cat, 1 +crypto.graphics, 1 +crypto.is, 0 +cryptoafternoon.com, 1 +cryptoanarchist.tk, 1 +cryptoarabsolar.tk, 1 +cryptobells.com, 0 +cryptobet.guru, 1 +cryptobin.co, 1 +cryptobonus.ga, 1 +cryptobonus.tk, 1 +cryptobot.dk, 1 +cryptoclix.website, 1 +cryptocon.org, 1 +cryptocurrencylatestnews.today, 1 +cryptocurrencynews.today, 1 +cryptocurrencyservices.com, 1 +cryptodogsnft.com, 1 +cryptodore.com, 1 +cryptodredge.org, 1 +cryptoearnblog.xyz, 1 +cryptoeighty.com, 1 +cryptofacilities.co.uk, 1 +cryptofacilities.com, 1 +cryptofan.org, 1 +cryptofinance.ai, 1 +cryptofomo.capital, 1 +cryptofomocapital.com, 1 +cryptoforo.com, 1 +cryptofox.nl, 1 +cryptogazette.com, 1 +cryptography.blue, 1 +cryptography.ch, 1 +cryptography.io, 1 +cryptoguidemap.com, 1 +cryptohinge.com, 1 +cryptoinvoke.com, 1 +cryptoisnotacrime.org, 1 +cryptojacks.io, 1 +cryptoki.fr, 1 +cryptolab.tk, 1 +cryptoleed.com, 1 +cryptolinchpin.com, 1 +cryptolocalatm.com, 1 +cryptology.ch, 1 +cryptolot.ru, 1 +cryptomail.nl, 1 +cryptomaniaks.com, 1 +cryptomarketrade.com, 1 +cryptomining.mobi, 1 +cryptomixer.io, 0 +cryptomkt.com, 1 +cryptomonnaies.io, 1 +crypton.academy, 1 +crypton.help, 1 +crypton.info, 1 +crypton.vercel.app, 1 +crypton.wiki, 1 +crypton.xyz, 1 +cryptonaire.ga, 1 +cryptonit.cf, 1 +cryptonom.org, 1 +cryptonym.com, 1 +cryptool.org, 1 +cryptop.ml, 1 +cryptoparty.at, 1 +cryptoparty.dk, 1 +cryptoparty.in, 1 +cryptoparty.tv, 1 +cryptopartynewcastle.org, 1 +cryptopartyutah.org, 1 +cryptopaste.org, 1 +cryptophobia.nl, 1 +cryptopuppers.co, 1 +cryptorival.com, 1 +cryptoruay.com, 1 +cryptoscope.io, 1 +cryptoseb.pw, 1 +cryptosender.io, 1 +cryptoshot.pw, 1 +cryptosolicitations.com, 1 +cryptostarz.online, 1 +cryptostorm.is, 1 +cryptotabworks.ml, 1 +cryptotoken.site, 1 +cryptotrendclub.com, 1 +cryptoviet.com, 1 +cryptowat.ch, 1 +cryptowhitelists.com, 1 +cryptoya.io, 1 +cryptozoologyguide.com, 1 +cryptpad.cz, 1 +cryptsetup.com, 1 +cryptulo.com, 1 +crys.cloud, 1 +crys.email, 1 +crys.hu, 1 +crys.me, 1 +crys.ovh, 1 +crys.pw, 1 +crys.tv, 1 +crystal-media.tk, 1 +crystal-zone.com, 1 +crystal.com.co, 1 +crystalapp.ca, 1 +crystalball.photo, 1 +crystalblockchain.com, 1 +crystalcave.nl, 0 +crystalcaves.tk, 1 +crystalchandelierservices.com, 1 +crystalcherryonline.tk, 1 +crystalcleaningservicing.com, 1 +crystalcube.tk, 1 +crystaldesign.tk, 1 +crystaldown.de, 0 +crystalglass.ml, 1 +crystallake.tk, 1 +crystalprinting.com.au, 1 +crystalsdollz.tk, 1 +crystalsky.tk, 1 +crystalspringsms.gov, 1 +crystone.me, 1 +cryz.ru, 1 +cs-algeria.tk, 1 +cs-bot.tk, 1 +cs-colorscreed-betongulve.dk, 1 +cs-escom.tk, 1 +cs-ice.tk, 1 +cs-lite.tk, 1 +cs-mania.tk, 1 +cs-master.tk, 1 +cs-nri.com, 1 +cs-powa.tk, 1 +cs-top.tk, 1 +cs-tops.tk, 1 +cs-unlimited.tk, 1 +cs-westside.tk, 1 +cs.money, 1 +cs2.ac.cn, 1 +cs2.chat, 1 +cs2.net.cn, 1 +cs2.org.cn, 1 +cs2.pub, 1 +cs2.ren, 1 +csa-clan.tk, 1 +csa-library.org, 1 +csa.co.za, 1 +csa.support, 1 +csaapac.com, 1 +csaapac.org, 1 +csab.nic.in, 1 +csabg.org, 1 +csabinext.dyndns.org, 1 +csachapter.io, 1 +csacloudbytes.com, 1 +csacloudtrustsummit.com, 1 +csacongress.com, 1 +csacongress.org, 1 +csacongress.us, 1 +csadc.org, 1 +csaemeacongress.com, 1 +csaemeasummit.com, 1 +csaerotherm.com, 1 +csafederalsummit.com, 1 +csale.co.il, 1 +csapa.com, 1 +csaposs.com, 1 +csasummit.net, 1 +csasummit.org, 1 +csatestdomain.com, 1 +csaurl.org, 1 +csb-consultancy.com, 1 +csbs.org, 1 +csbya.com, 1 +csc-muenchen.de, 1 +cscau.com, 0 +cscholz.io, 1 +cschreiber.llc, 1 +cschristmas.com.au, 1 +csci571.com, 1 +cscmotors.com, 1 +cscred.online, 1 +csd-sevnica.si, 1 +csd-slovenije.si, 1 +csdacadcv.ga, 1 +csdcab.ca, 1 +csdcareerday.com, 1 +csdisco.com, 1 +csds.md, 1 +csdurant.com, 1 +cse-sna78.fr, 1 +cse-uniserve.com.au, 1 +csedsp.fr, 1 +csedu.com, 1 +csehnyelv.hu, 1 +cselzer.com, 1 +csengle.de, 1 +csevolution.tk, 1 +csexy.ml, 1 +csfcloud.com, 1 +csfd.cz, 1 +csfd.sk, 1 +csfm.com, 1 +csgbusiness.co.uk, 1 +csghomedesignbuild.com, 1 +csgo-roulette.ru, 1 +csgo.ac.cn, 1 +csgo.help, 1 +csgo.net, 1 +csgo.su, 1 +csgoba.cn, 1 +csgodb.net, 1 +csgoempire.com, 1 +csgoempire.gg, 1 +csgofile.tk, 1 +csgofinder.eu, 1 +csgomtr.com, 1 +csgostash.com, 1 +csgoswap.com, 1 +csgotwister.com, 1 +csgoyournal.com, 1 +csharp.love, 1 +csharpfactory.io, 1 +csharpmarc.net, 1 +cshe.de, 1 +cshive-img.com, 1 +cshive-static.com, 1 +cshm-schm.ca, 1 +cshostorg.tk, 1 +cshs.edu, 1 +csilies.de, 1 +csillagoszpumi.se, 1 +csirt.ee, 0 +csitarz.com, 1 +cskentertainment.co.uk, 1 +cskt.gov, 1 +cslbbs.net, 1 +cslbuild.com, 1 +csmainframe.com, 1 +csn3366.ga, 1 +csnet.live, 1 +csodaorszagovoda.hu, 1 +csokolozos-jatekok.tk, 1 +csolar.com, 1 +csorncss.ca, 1 +csosa.gov, 1 +csowt.gq, 1 +csp-tohoku.co.jp, 1 +csper.io, 1 +cspeti.hu, 1 +cspvalidator.org, 1 +csreturn.com.au, 1 +csrichter.com, 1 +csroot.cf, 1 +csrtci.com, 1 +csrtech.com, 1 +csrtech.support, 0 +csru.net, 1 +css-krebs.ch, 1 +css-tricks.com, 1 +css-tricks.tk, 1 +css.direct, 1 +cssai.eu, 1 +cssbmb.gov, 1 +csspsverify.com, 1 +csspublic.tk, 1 +csssr.com, 1 +csszamotuly.pl, 1 +cst-vbg.ru, 0 +cst188.cc, 1 +cstanley.net, 1 +cstevens.cc, 1 +cstg.com, 1 +cstmadrid.tk, 1 +cstmo.org, 1 +cstoredecisions.com, 1 +cstp-marketing.com, 1 +cstromblad.com, 1 +csty.ltd, 1 +csu.st, 1 +csub.edu, 1 +csuchen.com, 1 +csulb-cmp-eir.com, 1 +csumathtutor.com, 1 +csupe.hu, 1 +csusop.gov, 1 +csuw.net, 1 +csvalpha.nl, 1 +csvlombardia.it, 1 +csvplot.com, 1 +cswapps.com, 1 +cswatch.org, 1 +cswrld.com, 1 +csx.co.za, 1 +csy.hu, 1 +csyxy.fi, 1 +ct-static.com, 1 +ct-watches.dk, 0 +ct.search.yahoo.com, 0 +ctafo.com, 0 +ctauditors.gov, 1 +ctbirding.org, 1 +ctcloud.ml, 1 +ctcom-peru.com, 1 +ctcp.pt, 1 +ctd.to, 1 +ctdi.pl, 1 +ctech.cf, 1 +ctes.cz, 1 +ctet.nic.in, 1 +ctf-albstadt.de, 1 +ctf-archive.com, 0 +ctf.link, 1 +cthomas.work, 1 +cthulhuden.com, 1 +ctir.gov.br, 1 +ctj.im, 1 +ctjk.com, 1 +ctknight.me, 1 +ctkwwri.org, 1 +ctl.fi, 1 +ctliu.com, 1 +ctm.community, 1 +ctmlightning.co.uk, 1 +ctmportal.co.uk, 1 +ctmrepository.com, 1 +ctnguyen.de, 1 +ctnguyen.net, 1 +ctns.de, 0 +ctoin.tw, 1 +ctonovenkogo.tk, 1 +ctoresms.com, 1 +ctpe.info, 1 +ctpe.net, 1 +ctpro.net, 1 +ctr-sante.eu, 1 +ctrl.blog, 1 +ctrl.gr, 0 +ctrlaltstream.com, 1 +ctrlcvz.tk, 1 +cts-companies.com, 1 +ctsu.org, 1 +cttso.gov, 1 +ctu.cz, 1 +ctyrisinkneri.cz, 1 +cu247secure.ie, 1 +cua911.gov, 1 +cuarentagrados.tk, 1 +cuaresmaysemanasanta.tk, 1 +cuartaraiz.com, 1 +cuartetocontinental.tk, 1 +cuartob.tk, 1 +cuasotinhyeu.vn, 1 +cuatroporcuatro.tk, 1 +cuatroymedia.com, 1 +cuban.wiki, 1 +cubanchino.tk, 1 +cubanda.de, 1 +cubatel.com, 1 +cubatravel.cu, 1 +cubazineers.ga, 1 +cubazineest.ga, 1 +cube-cloud.com, 1 +cube-filing.com, 1 +cube.builders, 1 +cube.guide, 1 +cube.scot, 1 +cube64128.xyz, 1 +cubebik.com, 1 +cubebuilders.net, 1 +cubecraft.net, 1 +cubecraftcdn.com, 1 +cubecraftstore.net, 1 +cubefreak.tk, 1 +cubegame.tk, 1 +cubeinfo.tk, 1 +cubekrowd.net, 1 +cubela.tech, 1 +cubelify.com, 1 +cubepasses.com, 1 +cubeperformancecentre.com.au, 1 +cubestudio.website, 1 +cubetech.co.jp, 1 +cubflaica.it, 1 +cubia.com, 1 +cubia4.com, 1 +cubic-lynx.com, 1 +cubicempire.com, 1 +cubicle.tk, 1 +cubiest.com, 1 +cubigames.tk, 1 +cubikus.fr, 1 +cubile.xyz, 1 +cubilo.fi, 1 +cubing.net, 1 +cubistmediagroup.com, 1 +cubitt.cz, 1 +cublick.com, 1 +cubminnesota.org, 1 +cubocell.com, 1 +cubotabacaria.com.br, 1 +cuboxmovies.ga, 1 +cubrebocas.tk, 1 +cubsbestteaminbaseball.com, 1 +cubsradio.tk, 1 +cubyhome.com, 1 +cubyn.com, 1 +cuc-cayman.com, 1 +cucabot.tk, 1 +cucaracha.tk, 1 +cuchichi.es, 1 +cuckoo.ee, 1 +cuckoohallacademy.org.uk, 1 +cucumber.io, 1 +cuddlecat.io, 1 +cuddlecomfort.com, 1 +cuddlingyaks.com, 1 +cuddlybeardaycare.org, 1 +cudesa.gq, 1 +cudesyb.tk, 1 +cudoo.de, 1 +cueca.com.br, 1 +cuecasonline.com.br, 1 +cuegee.com, 1 +cuentadias.cl, 1 +cuentamecomopaso.es, 1 +cuentas-gratis.ga, 1 +cuentasmutualamr.org.ar, 1 +cues.org.uk, 1 +cuesplus.com, 1 +cuestiondetiempo.tk, 1 +cuetoems.com, 1 +cuevafelina.tk, 1 +cufe.com.au, 1 +cufoon.com, 1 +cugetliber.ro, 1 +cuhadardokuma.com, 1 +cuhawaii.com, 1 +cuidade.fr, 1 +cuio.net, 1 +cuir-lipari.fr, 1 +cuisine-ultime.fr, 1 +cuitrau.tk, 1 +cujanovic.com, 1 +cujo.com, 1 +cukrinelape.com, 1 +cukurbag.ml, 1 +culan.dk, 0 +culetto.at, 1 +culha.net, 1 +culinary.ga, 1 +culpoilu.tk, 1 +cult.games, 1 +cultivariable.com, 1 +cultofperf.org.uk, 1 +cultrix.co.uk, 1 +cultrixdigital.co.uk, 1 +culturaanarquista.tk, 1 +culturaarabe.tk, 1 +culturabrasilia.tk, 1 +culturaeuropea.tk, 1 +culturagenial.com, 1 +culturahack.tk, 1 +culturaldistrict.org, 1 +culturaldiversity.tk, 1 +culturalmaninhos.tk, 1 +culturalparadiso.tk, 1 +culturalsabotage.cf, 1 +culturama.tk, 1 +cultureetsoft.tk, 1 +cultureforward.online, 1 +culturehatti.com, 1 +culturelivresque.fr, 1 +culturerain.com, 1 +culturesgames.tk, 1 +cultureshift.co, 1 +culturesouthwest.org.uk, 1 +culturestraveled.com, 1 +culturevision.com, 1 +culturism.ml, 1 +cultuur.gent, 1 +cultuurinonderwijs.be, 1 +cumberlandcoil.gov, 1 +cumberlandcountyhealthnj.gov, 1 +cumberlandcountyme.gov, 1 +cumberlandcountync.gov, 1 +cumberlandcountynj.gov, 1 +cumberlandcountypa.gov, 1 +cumberlandrivertales.com, 1 +cumberlink.com, 1 +cumbiaperuana.tk, 1 +cumbreamazonica.tk, 1 +cumfiesta.com, 1 +cuminas.com, 1 +cumingcountyne.gov, 1 +cumlaudegent.be, 1 +cumman.life, 1 +cummiesin.me, 1 +cumnock.name, 1 +cumnock.org, 1 +cumplegenial.com, 1 +cumseface.eu, 1 +cumsext.me, 1 +cumshots-video.ru, 1 +cumtd.com, 1 +cumulogranite.fr, 1 +cumulonembo.com, 1 +cumulus.photo, 1 +cungnhauhoctap.tk, 1 +cunha.be, 1 +cunninghamfs.ie, 1 +cunova.cf, 1 +cunova.tk, 1 +cuo.net, 1 +cuoc.org.uk, 1 +cuongthach.com, 1 +cuongthach.net, 1 +cuongtran.xyz, 1 +cuoredesigns.tk, 1 +cuorineri.tk, 1 +cupabonita.com, 1 +cupcake.com, 0 +cupcake.io, 1 +cupcake.pt, 1 +cupcakestatus.com, 1 +cupcakestatus.net, 1 +cupcao.gov, 1 +cupclub.com, 0 +cupdunarea.ro, 1 +cupertino.gov, 1 +cupid789.co, 1 +cupie.tk, 1 +cupoane-reducere.net, 1 +cupom.net, 1 +cupomia.com.br, 1 +cuponesmasdescuentos.tk, 1 +cuppen.de, 1 +cuppen.marketing, 1 +cuppen.me, 1 +cuppen.pro, 1 +cuppen.support, 1 +cuppycakes.fi, 1 +cur.by, 1 +curacao.tk, 1 +curacaodiveguide.com, 1 +curamail.co.uk, 1 +curamcare.ml, 1 +curaprox.co.th, 1 +curareldolordeespalda.com, 1 +curatednews.xyz, 1 +curatednow.ca, 1 +curationsblog.com, 1 +curbsoftware.com, 1 +curbza.com, 1 +cureatr.com, 1 +cureine.com, 1 +cureyou.com.tw, 1 +curieux.digital, 0 +curinline.com, 1 +curio-shiki.com, 1 +curio.lk, 1 +curio.nl, 1 +curiocity.com, 1 +curiocity.tk, 1 +curiosidadeanimal.cf, 1 +curiosity-driven.org, 1 +curiositytrained.com, 1 +curiosoando.com, 1 +curious.host, 1 +curiouscast.ca, 1 +curiousduck.com, 1 +curiousspoonfoods.com, 1 +curioustea.com, 1 +curiozitate.com, 1 +curis-health.com, 1 +curl.tw, 0 +curlie.tk, 1 +curlify.com, 1 +curlingbelgium.tk, 1 +curlingclass.com, 1 +curlingclubpwa.tk, 1 +curly-hair-extentions.tk, 1 +curlybracket.co.uk, 1 +curlyhumanhairextensions.tk, 1 +currency-one.com, 1 +currency-strength.com, 1 +currency-toolkit.com, 1 +currencyfreaks.com, 1 +currencyreader.gov, 1 +currencyreaderapplication.gov, 1 +current-ip.com, 1 +current.com, 0 +currentbitcoin.news, 1 +currentchaos.tk, 1 +currentcryptocurrency.news, 1 +currentcryptocurrencynews.com, 1 +currenthaus.com, 1 +currentlystreaming.com, 1 +currentos.foundation, 1 +currycountynm.gov, 1 +currycountyor.gov, 1 +currynissanmaparts.com, 1 +currytech.cn, 1 +cursedpine.studio, 1 +curseus.com, 1 +cursillosdezaragoza.tk, 1 +cursoalia.com, 0 +cursoandroid.com, 1 +cursocatolico.com, 1 +cursocomunicacionnoverbal.com, 1 +cursodehipnosis.tk, 1 +cursodememorizacao.ml, 1 +cursointeractivo.com, 1 +cursomente.online, 1 +cursorcam.tk, 1 +cursos-trabajadores.net, 1 +cursos.com, 1 +cursosemmaus.es, 1 +cursosforex.com, 1 +cursosgratuitos.pe, 1 +cursosingles.com, 1 +cursosprogramacion.online, 1 +cursossena.co, 1 +cursosypostgrados.com, 1 +curtacircuitos.com.br, 0 +curtis-ne.gov, 1 +curtis-smith.me.uk, 1 +curtis-smith.uk, 1 +curtisint.com, 0 +curtisleejones.tk, 1 +curtispope.com, 0 +curtissmith.me.uk, 1 +curtissmith.uk, 1 +curts-showcars.com, 1 +curva.co, 0 +curvaverde02.tk, 1 +curvemedia.co, 1 +curveprotect.cz, 1 +curvissa.co.uk, 1 +curvyjessi.com, 1 +curvysarah.com, 1 +cuscoloko.com.br, 1 +cusfit.com, 1 +cusgpwoerden.nl, 1 +cushlaofgullion.com, 1 +cushytushiediapers.com, 1 +custer.tk, 1 +custercounty-co.gov, 1 +custercountymt.gov, 1 +custercountymttransit.gov, 1 +custercountyne.gov, 1 +custify.com, 1 +custodiamobili.roma.it, 1 +custodian.nl, 1 +custodyxchange.com, 1 +custom-wear.ua, 1 +customanarchy.tk, 1 +custombps.com, 1 +custombrokers.com.au, 1 +custombuttonco.com, 1 +customcircuitsltd.co.uk, 1 +customcraft.tk, 1 +customdissertation.com, 1 +customeessay.com, 1 +customer2you.com, 1 +customerfocus.co.za, 1 +customerservicemanager.com, 1 +customerservicepal.com, 1 +customerware.com.au, 0 +customessaystation.gq, 1 +customfiberglasscoaches.com, 1 +customfoodtruckgraphics.com, 1 +customhealthplans.com, 1 +customhomerealty.com, 1 +customisable.net, 0 +customizedcelebrations.co.uk, 1 +customleads.net, 1 +customlogoit.com, 1 +custommadecasino.com, 1 +custommadegolfevents.com, 1 +custompainted.ca, 1 +custompapers.com, 1 +custompoolsbydesign.com, 1 +customradio.tk, 1 +customromlist.com, 1 +customsandals.tk, 1 +customshort.link, 1 +customsportsocks.com, 1 +customtel.com.au, 1 +customwebsitesplus.com, 1 +customwritings.com, 1 +customwritingservice.com, 1 +customwritten.com, 1 +custosd.com, 1 +custosd.io, 1 +custosd.net, 1 +custosd.org, 1 +cut-piehler.de, 1 +cutads.ml, 1 +cutaneon.com, 1 +cutaquigusa.com, 1 +cute-urls.ml, 1 +cute2u.com, 1 +cuteboibutt.ml, 1 +cutehost.ga, 1 +cutemodel.ml, 1 +cutephil.com, 1 +cuthe.re, 1 +cutie-viewty.tk, 1 +cuties.chat, 1 +cutimbo.ovh, 1 +cutlinks.ml, 1 +cutme.fr, 1 +cutmylink.gq, 1 +cutner.co, 1 +cutout.ml, 1 +cutpasteprofit.tk, 1 +cutter.li, 1 +cuttingedgedoorandtrim.com, 1 +cuttingedgeoptronics.com, 0 +cuttingedgeperiodontist.com, 1 +cuttingedges.tk, 1 +cuubconsultancy.com, 1 +cuvantul.tk, 1 +cuve-ibc.be, 1 +cuvva.co, 1 +cuvva.co.uk, 1 +cuvva.com, 1 +cuvva.eu, 1 +cuvva.insure, 1 +cuvva.io, 1 +cuvva.it, 1 +cuvva.me, 1 +cuvva.net, 1 +cuvva.org, 1 +cuvva.uk, 1 +cuvva.us, 1 +cuwcd.gov, 1 +cuxpool.club, 1 +cuxpool.net, 1 +cuyahogacommunitycollege.tk, 1 +cuyahogacountyvotesoh.gov, 1 +cuzmall.com, 1 +cvalda.tk, 1 +cvazquez.es, 1 +cvbp.nl, 1 +cvc.digital, 1 +cvdeexpo.com, 1 +cvdesignr.com, 1 +cve-le-carrousel.ch, 0 +cvec.org, 1 +cvedetails.com, 1 +cvetpodokonnik.tk, 1 +cvglobal.cf, 1 +cvgt.com.au, 1 +cvhunter.hu, 1 +cvj.me, 1 +cvjd.me, 0 +cvlibrary.co.uk, 1 +cvlid.com, 1 +cvmatch.me, 1 +cvmu.jp, 1 +cvninja.pl, 1 +cvpartner.com, 1 +cvps.top, 0 +cvrn.cc, 1 +cvsec.org, 1 +cvsmash.io, 1 +cvtemplatemaster.com, 1 +cvtenerife.tk, 1 +cvv.cn, 1 +cvwdwater.gov, 1 +cvwizard.com, 1 +cvwrfut.gov, 1 +cw-bw.de, 0 +cw.center, 1 +cw3.fr, 1 +cwa-online.nl, 1 +cwaclub.tk, 1 +cwage.com, 0 +cwalla.com, 1 +cwallpapersheb.tk, 1 +cwaurora.top, 1 +cwbc-bearing.com, 1 +cwbrtrust.ca, 1 +cwc.gov, 1 +cwchristerw.com, 1 +cwchristerw.fi, 1 +cwcloudtest.com, 1 +cweagans.net, 1 +cwebdesign.tk, 1 +cwgallery.de, 0 +cwgaming.co.uk, 1 +cwglass.pl, 1 +cwgpllc.com, 1 +cwi.fi, 1 +cwinfo.eu, 1 +cwinfo.fi, 1 +cwinfo.net, 1 +cwinfo.org, 1 +cwmart.in, 1 +cwmcpe.tk, 1 +cwo.fi, 1 +cwp.com.sg, 1 +cwr.gov, 1 +cwrau.com, 1 +cwrau.de, 1 +cwrau.info, 1 +cwrau.io, 1 +cwrau.rocks, 1 +cwtsamplecenter.com, 1 +cwwise.com, 1 +cx100.io, 1 +cxbmystore.com, 1 +cxcarepro.com, 1 +cxense.com, 1 +cxfund.com.cn, 1 +cxologic.com, 1 +cxologic.io, 1 +cxologic.net, 1 +cxologic.org, 1 +cxorisks.com, 1 +cxotrustsummit.com, 1 +cy.ax, 1 +cy.technology, 1 +cyanhexagon.com, 1 +cybbh.space, 1 +cybeautiful.com.br, 1 +cybelesoft.com, 1 +cyber-anon.tk, 1 +cyber-article.tk, 1 +cyber-computer.club, 1 +cyber-core.co.uk, 1 +cyber-links.tk, 1 +cyber-m.net, 1 +cyber-mech.tk, 1 +cyber-party.tk, 1 +cyber-resear.ch, 1 +cyber-shield.de, 0 +cyber-swiat.pl, 1 +cyber-travel.com, 1 +cyber-world.tk, 1 +cyber-yaroslavl.tk, 1 +cyber.cl, 1 +cyber.gov, 1 +cyber.info, 1 +cyber.je, 1 +cyber72.com, 1 +cyberab.org, 1 +cyberalternance.com, 1 +cyberark.com, 1 +cyberarmy.cc, 1 +cyberassurance.run, 1 +cyberattackincidentresponse.com, 1 +cyberautomobile.tk, 1 +cyberbangla.com, 1 +cyberblog.cn, 1 +cyberbook.ml, 1 +cyberbotx.com, 1 +cyberboy.tk, 1 +cyberburek.tk, 1 +cybercareers.gov, 1 +cybercat-tver.tk, 1 +cybercic.com, 1 +cyberclaw.tk, 1 +cybercloud.cc, 0 +cybercrew.cc, 1 +cybercrew.rocks, 1 +cybercrime-forschung.de, 1 +cybercrime.gov, 1 +cybercustodian.com, 1 +cyberdean.fr, 1 +cyberdevelopment.es, 1 +cyberdiscoverycommunity.uk, 1 +cyberdns.com, 1 +cyberdog.ch, 1 +cyberdragon.tk, 1 +cyberduck.io, 1 +cyberdyne.ie, 1 +cyberdyne.llc, 1 +cyberexplained.info, 1 +cyberfebrio.tk, 1 +cyberfla.me, 1 +cyberforensics.com, 1 +cyberforge.ml, 1 +cyberfruit.tk, 1 +cybergame-host.tk, 1 +cybergordon.com, 1 +cybergroup.cf, 1 +cyberhaus.ch, 1 +cyberhelden.nl, 1 +cyberhipsters.nl, 1 +cyberhost.uk, 1 +cyberianhusky.com, 0 +cyberis.com, 1 +cyberislam.tk, 1 +cyberium-planet.cf, 1 +cyberjake.xyz, 1 +cyberknife-sigulda.com, 1 +cyberkov.com, 1 +cyberlab.team, 1 +cyberlin.org, 1 +cyberlinchpin.com, 1 +cyberlocos.tk, 1 +cyberlounge.ga, 1 +cyberlux.cz, 1 +cybermall.ga, 1 +cybermaniac.tk, 1 +cybermaretique.fr, 1 +cybermatrixone.tk, 1 +cyberme.sh, 1 +cybermeldpunt.nl, 1 +cybermonday.org.il, 1 +cybermotives.com, 1 +cybern.tk, 1 +cybernews.com, 1 +cybernode.host, 1 +cyberogism.com, 1 +cyberon.it, 1 +cyberoptic.de, 1 +cyberoptions.ca, 1 +cyberpanel.cf, 1 +cyberpanelsetup.com, 1 +cyberpathogen.me, 1 +cyberpcforum.com, 1 +cyberpedia.wiki, 1 +cyberphoenix.tk, 1 +cyberplus.net.id, 1 +cyberpoint.az, 1 +cyberpro.club, 1 +cyberproducciones.tk, 1 +cyberprogramming.tk, 1 +cyberpuerta.mx, 1 +cyberpunk.guru, 1 +cyberquest.cf, 1 +cyberregister.nl, 1 +cyberregister.org, 1 +cyberrepair.de, 1 +cyberresilience.io, 1 +cyberry.eu, 1 +cybersafesolutions.com, 0 +cybersafetn.gov, 1 +cybersails.co.za, 1 +cybersamurai.tk, 1 +cyberscan.io, 1 +cyberschmiede.at, 1 +cyberschmiede.com, 1 +cyberschmiede.de, 1 +cybersec.help, 1 +cybersecurite-info.fr, 1 +cybersecurity.gov, 1 +cybersecurity.gr, 1 +cybersecurity.nz, 1 +cybersecurity.run, 1 +cybersecuritychallenge.be, 0 +cybersecuritydefence.co.uk, 1 +cybersecuritydegreeguide.com, 1 +cybersecurityeducationguides.org, 1 +cybersecurityforum.com.br, 1 +cybersecurityguide.in, 1 +cybersecurityincidentresponse.com, 1 +cybersecuritywerkt.nl, 1 +cybershark.space, 1 +cybershot.tk, 1 +cybersins.com, 1 +cyberskyline.com, 1 +cybersmart.co.uk, 1 +cybersmartdefence.com, 1 +cybersolution.tk, 1 +cybersound.tk, 1 +cyberspace.community, 1 +cyberspect.com, 1 +cyberspect.io, 1 +cyberspot-ci.net, 1 +cyberstatus.de, 1 +cybertalents.com, 1 +cyberteam.info, 1 +cybertinus.nl, 1 +cybertn.gov, 1 +cybertorsk.org, 1 +cybertrinity.co.uk, 1 +cybertron.cf, 1 +cybertronics.tk, 1 +cybertu.be, 1 +cyberwandelendetakjes.tk, 1 +cyberwarhq.com, 1 +cyberwars.dk, 1 +cyberwebeyeos.com, 1 +cyberweightloss.com, 1 +cyberwire.nl, 1 +cyberworldexpert.tk, 1 +cyberxpert.nl, 1 +cyberzone.ml, 1 +cyberzones.gq, 1 +cybiko123.com, 1 +cyborgtheory.tk, 1 +cybozu.cn, 1 +cybozu.com, 1 +cybrient.com, 1 +cybrix.io, 1 +cybrossec.com, 1 +cybsafe.com, 1 +cyburbia.org, 1 +cycc.cloud, 1 +cyclamen.tk, 1 +cyclecoach.co.za, 1 +cycledownunder.com, 1 +cyclehackluxembourgcity.lu, 1 +cyclemasters.com, 1 +cycleshop.com.ua, 1 +cycleterrace.jp, 1 +cycling74.com, 1 +cyclingmonthlyest.ga, 1 +cyclisjumper.gallery, 1 +cyclize.cf, 1 +cyclonedesign.ca, 1 +cyclonemetals.com, 1 +cyclos.org, 1 +cycomm.ro, 1 +cyconet.org, 1 +cydetec.com, 1 +cydogbrowser.com, 1 +cyelint.com, 1 +cyesec.com, 1 +cyfly.org, 1 +cygnaltech.com, 1 +cygnan.com, 1 +cygnatus.com, 1 +cygnius.net, 1 +cyjm.com, 1 +cykelbanor.se, 1 +cyklistika24.cz, 1 +cylex-italia.it, 1 +cylex.noip.me, 1 +cyllos.me, 1 +cynchealth.org, 1 +cynetco.com, 1 +cynicaloptimist.me, 1 +cynology.ga, 1 +cynop.me, 1 +cynrgie.fr, 1 +cynthiacherry.com, 1 +cyon.ch, 1 +cyoubook.com, 1 +cype.dedyn.io, 1 +cyph.com, 1 +cyph.healthcare, 1 +cyph.ws, 1 +cyphar.com, 1 +cypherbot.org, 1 +cypherpunk.observer, 1 +cypherpunk.ws, 1 +cypressca.gov, 1 +cypressinheritancesaga.com, 1 +cypresslegacy.com, 1 +cyprus-company-for.gr, 1 +cyprus-company-service.com, 1 +cyptechost.co.ke, 1 +cyqual.com, 1 +cyraco.com, 1 +cyrenianhouse.com, 1 +cyrex.tech, 0 +cyril-leytsihovich.ml, 1 +cyriletsophie.fr, 1 +cyrilmurphy.com, 1 +cyrilstoll.ch, 1 +cyrix-systems.tk, 1 +cyroco.fr, 1 +cyrokx.com, 1 +cyrozap.com, 1 +cyrusdaily.tk, 1 +cysecure.co, 1 +cysi.in, 1 +cyson.tech, 1 +cyspro.ch, 1 +cystotech.com, 1 +cytat.tk, 1 +cytegic-update-packages.com, 1 +cytn.xyz, 1 +cytophil.com, 1 +cyumus.com, 1 +cyvault.io, 1 +cyware.com, 1 +cz.ma, 1 +cz.nl, 1 +czakey.net, 1 +czarni-czarne.tk, 1 +czaw.org, 1 +czbix.com, 1 +czbtm.com, 1 +czc.cz, 1 +czdoll2.com, 1 +czdoll4.com, 1 +czdoll5.com, 1 +czdoll6.com, 1 +czdoll7.com, 1 +czdoll8.com, 1 +czdoll9.com, 1 +czebox.cz, 1 +czech.is, 1 +czechcrystals.co.uk, 1 +czechglaskralen.nl, 1 +czechhunter.com, 1 +czechpoint.cz, 1 +czechps.cz, 1 +czechvirus.cz, 1 +czeh.us, 1 +czewo-data.de, 1 +czihak.at, 0 +czirnich.org, 1 +czk.mk, 1 +czl.net, 0 +czlx.co, 0 +cznburak.co.uk, 1 +czprothz.tk, 1 +czqu.cc, 1 +czqu.net, 1 +czqu.xyz, 1 +czteryporyroku.edu.pl, 1 +czwartybrat.pl, 1 +czymamdzisimieniny.pl, 1 +czzs.org, 1 +d-20.fr, 1 +d-consultant.ru, 1 +d-cuba.com, 1 +d-day.tk, 1 +d-diabetiki.ru, 1 +d-eisenbahn.com, 1 +d-influencers.com, 1 +d-ku.de, 1 +d-macindustries.com, 1 +d-mind.de, 1 +d-shed.tk, 1 +d-soft.tk, 1 +d-solutions.com.au, 1 +d-systems.tk, 1 +d-tousei.co.jp, 1 +d-toys.com.ua, 1 +d-training.de, 1 +d-uhlig.de, 1 +d-va.cf, 1 +d-vision-create.com, 1 +d.ac, 1 +d.nf, 1 +d.nr, 1 +d00228.com, 0 +d00d.de, 1 +d0g.cc, 1 +d0xq.net, 1 +d10ses.com, 1 +d166.net, 1 +d1b2k93bahaw3s.cloudfront.net, 1 +d1gital.org, 1 +d1iwhdc6scsqsn.cloudfront.net, 1 +d1pbyafuxn3mkm.cloudfront.net, 1 +d1pyhxxwnnp9rt.cloudfront.net, 1 +d1qvlbepn0kduz.cloudfront.net, 1 +d1v7neu4o1h4vp.cloudfront.net, 1 +d2.gg, 1 +d21laxujm54z8h.cloudfront.net, 1 +d24zgh0u05bzjw.cloudfront.net, 1 +d25sxbgdpzj1st.cloudfront.net, 1 +d2evs.net, 1 +d2m3-uat.azurewebsites.net, 1 +d2ph.com, 1 +d2toledo.com, 1 +d2trade.tk, 1 +d2woj1dt0tk6sn.cloudfront.net, 1 +d36533.com, 1 +d36594.com, 1 +d39rl9amo4q27v.cloudfront.net, 1 +d3d3.tk, 1 +d3dev.cf, 1 +d3lab.net, 1 +d3scene.org, 1 +d3x.pw, 1 +d3xt3r01.tk, 1 +d4done.com, 1 +d4fx.de, 1 +d4h.live, 1 +d4insight.com, 1 +d4wson.com, 1 +d4x.de, 1 +d500world.tk, 1 +d5197.co, 1 +d58beu28.com, 1 +d5k.one, 1 +d64.nl, 1 +d6729.co, 1 +d6729.com, 0 +d6957.co, 1 +d6c5yfulmsbv6.cloudfront.net, 1 +d8.io, 1 +d8181.com, 1 +d82365.com, 1 +d88.ag, 1 +d88.cc, 0 +d88.cn.com, 1 +d88118.com, 1 +d8812.com, 1 +d8814.com, 1 +d8816.com, 1 +d8819.com, 1 +d8834.com, 1 +d883vip.com, 1 +d8845.com, 1 +d8846.com, 1 +d8847.com, 1 +d884vip.com, 1 +d8859.com, 1 +d885vip.com, 1 +d886vip.com, 1 +d8870.net, 1 +d8874.com, 1 +d8878.com, 1 +d887vip.com, 1 +d88818.com, 1 +d8886.net, 1 +d88869.com, 1 +d8891.net, 1 +d88agent.com, 1 +d88siteintro.com, 1 +d898.app, 1 +d899365.com, 0 +d8studio.net, 1 +d9297.co, 1 +d9397.com, 1 +d9728.co, 1 +d9and10sports.com, 1 +da-schaewel.de, 1 +da-tex.com.ua, 1 +da-tixe.ml, 1 +da-tixe.tk, 1 +da42foripad.com, 1 +da4colorado.gov, 1 +daadn.cn, 0 +daaje-und-andre.de, 1 +daallexx.eu, 1 +daanbanaan.tk, 1 +daanial.tk, 1 +daann-wch.com.tw, 1 +daaxit.com, 1 +dabai.cf, 1 +dabai.ga, 1 +dabai.ml, 1 +dabai.photo, 1 +dabaixiong.com, 1 +dabasstacija.lv, 1 +dabbagam.tk, 1 +dabhand.studio, 1 +dabi.tk, 1 +dabrecords.co.uk, 1 +dabro.tk, 1 +dabuzz.tk, 1 +dacada-porn.com, 1 +dacangku.com, 1 +daceurope.co.uk, 1 +dacgroup.com, 1 +dacha-letom.ml, 1 +dacha.today, 0 +dachb0den.net, 1 +dachdecker-ranzenberger.de, 1 +dachdeckerei-hagen.de, 0 +dachdeckermeister-egon-weiss.de, 1 +dachdeckermeister-moeller.de, 1 +dachet.com, 1 +dachlaeufer.com, 1 +dachnie-reshenia.ru, 1 +dachnyvopros.info, 1 +dachshundsaspets.com, 1 +dachshundtalk.com, 1 +daciaforum.nl, 1 +daciamodellen.nl, 1 +daconsult.uk, 1 +dacsanchatviet.com, 1 +dacsansach.com, 1 +dad, 1 +dad256.tk, 1 +dada.is, 0 +dadafterforty.be, 1 +dadcentral.ca, 1 +daddarios.tk, 1 +daddybio.com, 1 +daddyfinger.me, 1 +daddyhax.ml, 1 +daddylive.link, 1 +daddylonglegs.tk, 1 +daddyschickenshack.com, 1 +daddysfranchising.com, 1 +daddysluder.net, 1 +dadecityfl.gov, 1 +dadecountymo911.gov, 1 +dado.cloud, 1 +dado.fr, 1 +dado.me, 1 +dado.virtual.museum, 1 +dadoilustrado.pt, 1 +dadons-laserdiscs.com, 1 +dadoresanguepsiria.pt, 1 +dadosch.de, 0 +dadrian.io, 1 +dadsarmy.tk, 1 +daduke.org, 1 +daedalusdesigns.co, 1 +daemen.org, 1 +daemon-hentai.tk, 1 +daemon.xin, 1 +daemons.ml, 1 +daemonslayer.net, 1 +daemwool.ch, 1 +daer.cloud, 1 +daevel.com, 1 +daevel.fr, 1 +daevel.net, 1 +dafassl.com, 1 +dafater.sa, 1 +dafe2021.ee, 1 +dafengche.com, 1 +dafengding.com, 1 +daffodilusa.org, 1 +dafmeyda.com, 1 +dafong.com, 1 +dafont.com, 1 +dafunda.com, 1 +dafuq.xyz, 1 +dafyddcrosby.com, 1 +dag-berlin.tk, 1 +dag-konsult.com, 1 +dag-ogni.tk, 1 +dagallemaal.be, 1 +daganghalal.com, 1 +daganzo.tk, 1 +dagbestedingwarrie.nl, 1 +dagensannonser.se, 1 +dagestan-guide.ru, 1 +dagestan.cf, 1 +dagestanci.tk, 1 +dagestanec.tk, 1 +daggas.life, 1 +daggastest.com, 1 +dagirl.uno, 1 +dagjetreinen.nl, 1 +daglar-domany.tk, 1 +dagmar2018.cz, 1 +dagmarhamalova.cz, 1 +dagrands.com, 1 +dagrs.se, 1 +dagsell.ga, 1 +daha.net, 1 +dahaboffers.tk, 1 +dahag-status.de, 1 +dahl-pind.dk, 1 +dahlberg.cologne, 1 +dahlem.info, 1 +dahobo.tk, 1 +dai.top, 0 +daidogei.com, 1 +daidothi.vn, 1 +daidr.me, 1 +daie-inc.com, 1 +daijin.com, 1 +daikokuyajp.com, 1 +daikonsystems.com, 1 +daikoz.com, 1 +daili.eu, 1 +daily-puzzle.tk, 1 +daily-solution.pro, 0 +daily-sudoku.tk, 1 +daily.it, 1 +dailyalerts.ga, 1 +dailybihar.com, 1 +dailybits.be, 1 +dailyblocks.com, 1 +dailyblogged.com, 1 +dailybusiness.tk, 1 +dailycricnews.tk, 1 +dailydealika.com, 1 +dailydodge.com, 1 +dailydote.com, 1 +dailydoze.com, 1 +dailyfictive.com, 1 +dailyfish.ru, 1 +dailygamemoments.com, 1 +dailyhealthylife.ml, 1 +dailyhealthylife.tk, 1 +dailyhomestore.cl, 1 +dailyjigsawpuzzles.net, 1 +dailyjoy.com, 1 +dailykos.com, 1 +dailykosbeta.com, 1 +dailylime.kr, 1 +dailylviv.com, 1 +dailymedicalinfo.com, 1 +dailymotion.com, 1 +dailynewsclubs.ga, 1 +dailynewsfrommedjugorje.ml, 1 +dailyotovinfast.com.vn, 1 +dailyphototips.com, 0 +dailypop.ru, 1 +dailyporncams.com, 1 +dailypost.ng, 1 +dailyprogress.com, 1 +dailyreels.ga, 1 +dailyrenewblog.com, 1 +dailyroverr.com, 1 +dailysomething.site, 1 +dailysportfan.com, 1 +dailysuperheroes.com, 1 +dailytrip.de, 1 +dailyusbusiness.tk, 1 +dailywarteg.com, 1 +dailywealth.com, 1 +dailywork.ga, 1 +dailyxenang.com, 1 +daimonikos.com, 1 +dairikab.go.id, 1 +daisidaniels.co.uk, 1 +daisuki.pw, 1 +daisy-peanut.com, 1 +daisydevbi.net, 1 +daisydollyandme-dev.com, 1 +daisydollyandme.com, 1 +daisyindia.org, 1 +daisypeanut.com, 1 +daisypeel.com, 1 +daisyscars.cf, 1 +daja.ml, 1 +dajaks.tk, 1 +dajaskincare.nl, 1 +daji.ba, 1 +dajiale.org, 1 +dajjal.org, 1 +dak.org, 1 +dakartmarket.com, 1 +dakcess.net, 1 +daken.hu, 1 +daki-host.tk, 1 +dakin.nyc, 1 +dakindesign.com, 1 +daknam.tk, 1 +daknob.net, 1 +dakota-fanning.tk, 1 +dakota-spain.tk, 1 +dakota911mn.gov, 1 +dakotacil.org, 1 +dakotas.com, 1 +dakotavalleyrecyclingmn.gov, 1 +dal-loop.xyz, 1 +dal.net.sa, 1 +dalagore.com, 1 +dalaran.city, 1 +dalb.in, 1 +dalbar.com, 1 +dalbarsqm.com, 1 +dalbitresb.com, 1 +daldropsbb.com, 1 +daleanddollops.com, 1 +dalecountyal.gov, 1 +dalek.co.nz, 1 +dalevuelta.tk, 1 +daleworley.com, 1 +dalfsennet.nl, 1 +dali-boli.me, 1 +dalianbbq.com, 1 +dalil.tk, 1 +dalingk.com, 1 +dalkhola-city.tk, 1 +dalkhola.tk, 1 +dalkholaphotos.tk, 1 +dallapartedeltorto.tk, 1 +dallas.gov, 1 +dallas.lu, 1 +dallascaraccidentlawyers.net, 1 +dallascowboys.tk, 1 +dallasfire.gov, 1 +dallaslife.org, 1 +dallaslu.com, 1 +dallaslu.eu.org, 1 +dallasobgynpa.com, 1 +dallasor.biz, 1 +dallaspolice.gov, 1 +dallastexas.ml, 1 +dallaswater.gov, 1 +dallaswestinternational.ga, 1 +dallatana.tk, 1 +dallatur.com.br, 1 +dallemon.dk, 1 +dalliard.ch, 1 +dallinbryce.com, 1 +dallincooper.com, 1 +dalliope.com, 1 +dallmeier.net, 0 +dallydushigrill.com, 0 +dalmatians.tk, 1 +dalsin.ir, 1 +daltoncraven.com, 1 +daltonohio.gov, 1 +daltons.tk, 1 +dalux.com, 1 +dalycity.gov, 1 +damadam.pk, 1 +damades.com, 1 +damag.net, 1 +damaged.org, 1 +damanlu.com, 1 +damanlv.com, 1 +damarsarkilar.tk, 1 +damasgonzalezabogados.com, 1 +damassimo.bg, 1 +dambachpeacebuilderfellowships.org, 1 +dambo.tk, 1 +dame.cf, 1 +damedrogy.cz, 1 +dameeq.cf, 1 +dameisports.com, 0 +damgoodmedia.com, 1 +damianmalrechauffe.tk, 1 +damianus.hr, 1 +damibaby.com.br, 1 +damicris.ro, 1 +damienchicotphotographe.fr, 1 +damienduhamel.tk, 1 +damiengobron.com, 1 +damienoreilly.org, 1 +damifph.com, 1 +damirsystems.com, 1 +damjanovic.work, 1 +dammekens.be, 1 +dammu.tk, 1 +damnation.tk, 1 +damnednation.tk, 1 +damngoodpepper.com, 0 +damnkid.ml, 1 +damnmodz.com, 1 +damonline.dk, 1 +dampedia.com, 1 +dampfbahn-leverkusen.com, 1 +dampfbahn-leverkusen.de, 1 +dampferchef.ch, 1 +dampoo.com, 1 +damsafety.co.nz, 1 +damscheid.de, 1 +damuhan.tk, 1 +damvdolg.gq, 1 +dan-bureau.com, 1 +dan-informacijske-varnosti.si, 1 +dan-maskiner.tk, 1 +dan-saba.com, 1 +dan.me.uk, 1 +dan124.com, 1 +dana-hilliot.tk, 1 +danaandnathan.com, 1 +danadameson.tk, 1 +danads.com, 1 +danalpay.com, 1 +danalytics.com.pe, 1 +danamica.dk, 1 +danandkatiegetmarried.com, 1 +danandrum.com, 1 +danangcitytours.com, 1 +danarozmarin.com, 1 +danashamsters.tk, 1 +danasweed.com, 1 +danbailey.com, 1 +danbaldwinart.com, 1 +danbao.com, 1 +danbarrett.com.au, 0 +danbergen.com, 1 +danbolig.dk, 1 +danca.com, 1 +dance-colleges.com, 1 +dance-school.tk, 1 +dancechart.tk, 1 +dancefm.tk, 1 +dancehome.com, 1 +dancehubsa.com.au, 1 +danceonline.fi, 1 +danceordienet.tk, 1 +danceproducciones.com, 1 +dancerzone.tk, 1 +danceworld.tk, 1 +danchen.org, 1 +danchestertonphoto.co.uk, 1 +dancingangels.tk, 1 +dancingcubs.co.uk, 1 +danclassroom.com, 1 +dandan101.com, 1 +danddy.eu, 1 +dandelikaliadventure.com, 1 +dandelion-seeds.com, 1 +dandelionjunkqueens.tk, 1 +dandenongroadapartments.com.au, 1 +danderco.in, 1 +dandia.ro, 1 +dandie.tk, 1 +dandsplumbers.com, 1 +danduran.me, 1 +dandymodz.tk, 1 +dandymrsb.com, 1 +danecounty.gov, 1 +danejones.com, 1 +danelska.pl, 1 +danelski.pl, 1 +danesara.com, 1 +daneshtools.tk, 1 +danfromit.co.uk, 1 +danfromit.com, 1 +dangeredwolf.com, 1 +dangerscience.com, 1 +dangmai.tk, 1 +dangr.zone, 0 +danhalliday.com, 1 +danhotels.co.il, 1 +danhotels.com, 1 +dania.gq, 1 +dania.ml, 1 +danibooks.de, 1 +daniel-ayala.tk, 1 +daniel-baumann.ch, 1 +daniel-beilharz.com, 1 +daniel-beilharz.de, 1 +daniel-cholewa.de, 1 +daniel-leblanc.tk, 1 +daniel-milnes.co.uk, 1 +daniel-milnes.uk, 1 +daniel-monaghan.co.uk, 1 +daniel-ruf.de, 1 +daniel-san.de, 1 +daniel-stahl.net, 1 +daniel-topalov.ga, 1 +daniel.priv.no, 1 +daniel.sb, 1 +danielacocco.it, 1 +danielacorahansson.com, 1 +danieladentista.com, 1 +danielaeichberger.com, 1 +danielaferpe.tk, 1 +danielalvarez.net, 1 +danielaswish.org, 1 +danielbankhead.com, 1 +danielbarros.com.br, 1 +danielbeilharz.com, 1 +danielbeilharz.de, 1 +danielbeltejar.es, 1 +danielcardoso.net, 1 +danielcolquitt.com, 1 +danieldavies.co.uk, 1 +danielderidderfansite.tk, 1 +danieldevine.tk, 1 +danielduran.tk, 1 +daniele.tech, 1 +danielehniss.de, 0 +danieleluttazzi.tk, 1 +danieleoneta.it, 0 +danielepestilli.com, 0 +danielg0.co.uk, 1 +danielg0.com, 1 +danielgil.pt, 1 +danielgorr.de, 1 +danielgray.email, 1 +danielgray.me, 1 +danielgraziano.ca, 1 +danielhammond.tk, 1 +danielheal.net, 0 +danielhinterlechner.eu, 1 +danielhurley.com, 1 +danielhurley.eu, 1 +danielhurley.ie, 1 +danielhurley.info, 1 +danielhurley.org, 1 +danielittlewood.xyz, 1 +danielj.tk, 1 +danieljamesscott.org, 1 +danielkanchev.com, 1 +danielkoster.nl, 1 +daniellecavazos.com, 1 +danielleskosky.com, 1 +daniellespringer.tk, 1 +daniellesteel.com, 1 +danielluisrodriguezs.com, 1 +danielmartin.de, 1 +danielmicay.ca, 1 +danielmicay.com, 1 +danielmoch.com, 1 +danielmorales917.com, 1 +danielmorell.com, 1 +danielnaaman.com, 1 +danielnaaman.org, 1 +danielnet.co, 1 +danielparker.com.au, 1 +danielpeukert.cz, 1 +danielportfolio.es, 1 +danielran.com, 1 +danielroelsontwerp.nl, 1 +danielrozenberg.com, 1 +danielruiz.tk, 1 +danielsblog.org, 1 +danielshaw.co.nz, 1 +danielshealth.com.au, 1 +danielstach.cz, 1 +danielstiner.me, 1 +danielt.co.uk, 0 +danielthompson.info, 1 +danieltollot.de, 0 +danielvaduva.tk, 1 +danielve.ga, 1 +danielverlaan.nl, 1 +danielwayman.co.uk, 1 +danielwelty.com, 1 +danielwildhaber.ch, 1 +danielzuzevich.com, 1 +danifabi.eu, 1 +danilapisarev.com, 1 +danilov-abrosimov.org.ua, 1 +danish.cf, 1 +danish.events, 1 +danishbytes.club, 1 +danishiqbal.tk, 1 +danispage.tk, 1 +danituuu7.tk, 1 +daniweb.com, 1 +daniya.tk, 1 +danjesensky.com, 1 +dankburritofranchise.com, 1 +danke.moe, 1 +dankeroni.de, 1 +dankevich.ru, 1 +dankie.com.br, 1 +dankim.de, 0 +dankojunasevic.tk, 1 +dankrpg.xyz, 1 +danla.nl, 1 +danlockton.tk, 1 +danloona.nl, 1 +danmaby.com, 1 +danmarksbedstefredagsbar.dk, 1 +danmassarano.com, 1 +danminkevitch.com, 0 +danmoldovan.tk, 1 +danndorf.com, 0 +dannemora.tk, 1 +dannhanks.com, 1 +dannicholas.net, 1 +danniellealbrechtdesigns.com, 1 +dannon.com, 1 +danny-rohde.de, 1 +danny.fm, 1 +dannycairns.com, 0 +dannycavanagh.tk, 1 +dannydiamondsconcrete.com, 1 +dannygaidateraelgar.com, 1 +dannyhoekstra.tk, 1 +dannyhorne.com, 1 +dannyjota.tk, 1 +dannymoran.com, 1 +dannyoficial.tk, 1 +dannyroh.de, 1 +dannyrohde.de, 1 +dannyscloud.tk, 1 +dannystevens.co.uk, 1 +dannytemming.tk, 1 +dannyvanwamelen.tk, 1 +danoji.cf, 1 +danone.es, 1 +danonenorthamerica.com, 0 +danotage.tv, 1 +danovamix.com.br, 1 +danpiel.net, 1 +danportik.com, 1 +danq.me, 1 +danramer.tk, 1 +dansage.co, 0 +dansasphaltmaintenance.com, 1 +dansaunders.me, 1 +dansedesalonsaintave.fr, 1 +danselibre.net, 1 +danselibre.org, 1 +dansemacabre.tk, 1 +danseressen.nl, 1 +dansk8bit.dk, 1 +danske.events, 1 +danskemedier.dk, 1 +danskoya.com, 1 +danslan.org, 1 +danslavieyadescactus.ch, 1 +danstillman.com, 1 +danstoncu.be, 1 +dantana.de, 1 +dante.ms, 1 +dantesinferno.tk, 1 +danthecloudman.com, 1 +dantikap.tk, 1 +danux.co.uk, 1 +danvillein.gov, 1 +danvillevt.gov, 1 +danw.io, 1 +danwaibel.com, 1 +danwelty.co, 1 +danwelty.me, 1 +danwelty.net, 1 +danwelty.org, 1 +danwillenberg.com, 1 +danwin.de, 1 +danwin1210.de, 1 +danwise.online, 1 +danwolff.se, 1 +danya.ml, 1 +danyabanya.com, 1 +danyasa.com, 1 +danzavila.com, 1 +danzenyogadaycare.com, 1 +danzka.tk, 1 +dao.spb.su, 1 +daofficers.com, 1 +daojian.com, 1 +daole.com, 1 +daomo.com, 1 +daoplattunhien.com.vn, 1 +daoro.net, 0 +daoudi.it, 1 +dapasten.com, 1 +daphne.informatik.uni-freiburg.de, 1 +daphnedietz.com, 1 +dapoxetinagenerico.cf, 1 +dapoxetine.gq, 1 +dapperdom.net, 1 +dapps.earth, 1 +dappui.com, 1 +daprint.tk, 1 +dapss-ut.gov, 1 +dapursolo.tk, 1 +daqq.com, 1 +daracokorilo.com, 1 +darador.net, 0 +darajambili.com, 1 +daramad-telegram.ga, 1 +daravk.ch, 1 +darbi.org, 1 +darc-mak.de, 1 +darci.tech, 1 +darcyinspired.com, 1 +darcymarshall.com, 1 +dare.deals, 1 +darean.ml, 1 +daredorm.com, 1 +dareechayhome.com.pk, 1 +darenc.gov, 1 +darenet.org, 1 +daresay.games, 1 +daresay.studio, 1 +daresaygames.com, 1 +daretogain.com, 1 +darf.nl, 1 +darfurwall.org, 1 +dari.wiki, 1 +daricaun.com, 1 +dariela.tk, 1 +darientownwi.gov, 1 +darienvillagewi.gov, 1 +dario.gq, 1 +dariosirangelo.me, 1 +darioturchetti.me, 1 +darioush.com, 0 +dariusheghbali.tk, 1 +darix.tk, 1 +dark-ages.tk, 1 +dark-crystal.tk, 1 +dark-dreams.tk, 1 +dark-infection.de, 1 +dark-lake.com, 1 +dark-legion.tk, 1 +dark-nova.me, 1 +dark-nova.tk, 1 +dark-programs.com, 1 +dark-vision.cz, 1 +dark-wolf.tk, 1 +dark.direct, 1 +dark.fail, 1 +darkag.ovh, 1 +darkartstudios.tk, 1 +darkbeam.com, 1 +darkbit.gr, 1 +darkboysmedia.com, 1 +darkbyte.com, 1 +darkcelebration.tk, 1 +darkcodes.icu, 1 +darkcores.net, 1 +darkct.com, 1 +darkcure.tk, 1 +darkdestiny.ch, 1 +darkengine.io, 1 +darkengine.net, 1 +darkenluster.space, 1 +darkerlystormy.com, 0 +darkerstormy.com, 0 +darkestproductions.net, 1 +darkfeeling.tk, 1 +darkfilm.tk, 1 +darkfire.ch, 1 +darkfirestudios.tk, 1 +darkforceofhappiness.tk, 1 +darkgames.cf, 1 +darkgrid.eu, 1 +darkhall.tk, 1 +darkhuntersworld.tk, 1 +darkinvasion.tk, 1 +darkishgreen.com, 1 +darkkeepers.tk, 1 +darklang.com, 1 +darklaunch.com, 1 +darkleia.com, 1 +darklite.ml, 1 +darklybasic.com, 1 +darkmail.cf, 1 +darkmanthra.tk, 1 +darkmattertechnology.com, 1 +darkmattertechnology.net, 1 +darkmemo.com, 1 +darkmilknyeremeny.hu, 1 +darkness-and-light.tk, 1 +darkness.sk, 1 +darknessflickers.com, 0 +darknessinme.tk, 1 +darknight.blog, 1 +darkoctoberseance.com, 1 +darkoff.tk, 1 +darkotip.tk, 1 +darkovepredmety.cz, 1 +darkpassionsite.tk, 1 +darkperu.tk, 1 +darkphantom.tk, 1 +darkprince.tk, 1 +darkrain.nl, 1 +darkrisks.com, 1 +darkscience.tk, 1 +darksecret.dk, 1 +darkserver.fedoraproject.org, 1 +darkserver.stg.fedoraproject.org, 1 +darksideprod.tk, 1 +darksignsgame.tk, 1 +darkskymap.com, 1 +darksoilcbd.com, 1 +darksonic.tk, 1 +darkspacelab.com, 1 +darkspike.tk, 1 +darkstar-digital.com, 1 +darksystems.tk, 1 +darktechnology.tk, 1 +darktide.tk, 1 +darktime.ru, 1 +darkwater.info, 1 +darkwater.tk, 1 +darkweb.wtf, 1 +darkwebkittens.xyz, 0 +darkwoods.tk, 1 +darkx.me, 1 +darkxxxtube.com, 1 +darlehen-ratgeber.de, 1 +darlen.com, 1 +darlene.hu, 1 +darlenenbocek.com, 1 +darlingdownscoffee.com.au, 1 +darlington.tk, 1 +darlingtonia.nl, 1 +darlingtonwi.gov, 1 +darmowy-tarot.pl, 1 +darnashop.fr, 1 +darom.jp, 1 +darosen.eu, 1 +darpa.mil, 1 +darrenflemingphotography.co.uk, 1 +darrenlines.uk, 1 +darrenm.net, 1 +darrouzettisd.gov, 1 +darshanalytics.com, 1 +dart-tanke.com, 1 +dart-tanke.de, 1 +dartagnan.com, 1 +dartbeginners.tk, 1 +dartcarrousel.tk, 1 +dartcode.org, 0 +dartdriving.com, 1 +dartergroup.com, 1 +darthbraden.com, 1 +dartmold.com, 1 +dartmouth-health.org, 1 +dartmouth-hitchcock.org, 1 +dartnallministorage.com, 1 +dartstart.tk, 1 +dartydiscount.fr, 1 +darululum.ga, 1 +darwinkel.net, 1 +darwinpark.tk, 1 +darwinport.com.au, 1 +darwinsearch.org, 1 +darxx.com, 1 +darya.tk, 1 +daryl-wilcher.tk, 1 +daryl.moe, 1 +darylcumbo.net, 1 +darylwilcher.tk, 1 +darysvet.ru, 1 +das-clanpage.tk, 1 +das-efx.tk, 1 +das-forum24.de, 1 +das-maennermagazin.com, 1 +das-mediale-haus.de, 1 +das-pna.ao, 1 +das-sommercamp.de, 1 +das.nl, 1 +dasabomobil.de, 1 +dasble.com, 1 +dascan.com.br, 1 +dasdanny.de, 1 +daseinsfreu.de, 1 +daservajesus.com, 1 +daservajesus.net, 1 +dasfest.com, 1 +dasgeestig.nl, 1 +dash.com.co, 1 +dashboard.gov.ph, 1 +dashboard.run, 1 +dashboardph.com, 1 +dashboardphilippines.com, 1 +dashdoc.eu, 1 +dashdrive.net, 1 +dasher.co.za, 1 +dashice.com, 1 +dashipping.com, 1 +dashlane.com, 1 +dashofmedia.com, 1 +dashofting.com, 1 +dashwebconsulting.com, 1 +dasignsource.com, 1 +dasinternetluegt.at, 1 +daskirschhaus.com, 1 +dasler.eu, 1 +dasmailarchiv.ch, 1 +dasolindustrialpark.tk, 1 +dastchin.live, 1 +dastchin.shop, 1 +dasteichwerk.at, 0 +dastelefonbuch.de, 1 +dastomize.com, 1 +dasug.de, 1 +data-access-point.com, 1 +data-analyse.nl, 1 +data-detox.de, 1 +data-exchange.tk, 1 +data-jt.de, 1 +data-loader.com, 1 +data-mail.tk, 1 +data-mining.co.uk, 1 +data-privacy.tk, 1 +data-reader.de, 1 +data-replicator.cloud, 1 +data-replicator.com, 1 +data-servers.com, 1 +data-wing.ga, 0 +data.gov, 1 +data.govt.nz, 1 +data.haus, 1 +data.world, 1 +data18.com, 1 +data3w.nl, 1 +dataadvantage.se, 1 +database-excel-integration.com, 1 +database-word-integration.com, 1 +database.com, 1 +databasedrivers.cloud, 1 +databasez.net, 1 +databeam.de, 0 +databiz.ga, 1 +datablender.nl, 1 +databutlr.com, 1 +databutlr.net, 1 +datacalle.com, 1 +datacandy.com, 0 +datacaptive.com, 1 +datacave.is, 1 +datacenterbrasil.ga, 1 +datacenternews.asia, 1 +datacenternews.co.nz, 1 +datacenternews.us, 1 +datacenterunited.com, 1 +datacentrenews.eu, 1 +datacentresupport.com, 1 +datacloud.gq, 1 +datacomm.com, 1 +datacommissioner.gov.au, 0 +datacool.tk, 1 +datadefendersforum.com, 1 +datadoghq.com, 1 +datadorf.de, 1 +datadraugen.no, 1 +datadyne.technology, 1 +dataentry.top, 1 +datafarms.com, 1 +datafloq.com, 1 +dataformers.at, 0 +datagate.com.br, 1 +datagir.ir, 0 +datagrail.io, 1 +datagrid.ga, 1 +dataguidance.com, 1 +dataguru.lv, 1 +dataharvest.at, 1 +datahaus.construction, 1 +datahoarder.xyz, 1 +datahove.no, 1 +datainvest.pl, 1 +datakick.org, 1 +datakl.com, 1 +datalich.com, 1 +datalife.gr, 1 +datalift.io, 0 +dataloft.tk, 1 +datalogistics.lt, 1 +datalok.de, 0 +datalysis.ch, 0 +dataman.ml, 1 +datamationgroup.com, 1 +datamish.com, 1 +datapathadmin.com, 1 +datapiped.com, 1 +dataprivacyframework.gov, 1 +dataprivacysolution.com, 1 +dataproject.com, 1 +datapun.ch, 1 +datarails.com, 1 +dataregister.info, 1 +datarobot.com, 1 +dataroom-online.org, 1 +datarooms-advisor.org, 1 +datarooms.com, 1 +datasat.solutions, 1 +datascience.cafe, 1 +datasciencedojo.com, 1 +datasciocean.tech, 1 +datashock.com, 1 +datasite.com, 1 +dataskydd.net, 1 +datasourcenj.org, 1 +dataspace.pl, 1 +datastack.design, 1 +datastar.net, 1 +datastream.org, 1 +datastream.re, 0 +datastudio.google.com, 1 +datasubject.com, 1 +datasubjects.com, 1 +datasunrise.com, 1 +datasupporthub.com, 1 +dataswamp.org, 1 +datateknologsektionen.se, 0 +datatips.cl, 1 +datatree.nl, 1 +datatrics.com, 0 +datatruckers.com, 1 +datatruckers.email, 1 +datatruckers.eu, 1 +datatruckers.net, 1 +datatruckers.nl, 1 +datatruckers.org, 1 +datatruckers.social, 1 +datatube.tk, 1 +datatypes.net, 1 +datavitec.com, 1 +datavizable.org, 1 +datavoiceoptions.com, 1 +datawar.tk, 1 +datax-cloud.de, 1 +dataxl.net, 1 +datazoo.asia, 1 +datazoo.com, 1 +datdt.com, 1 +date-hijri.net, 1 +dateien.at, 1 +dateierweiterung.com, 1 +datelligent.com, 1 +datema.no, 1 +datememe.com, 1 +datenbitch.org, 0 +datengrab.ws, 1 +datengrab.xyz, 1 +datenightmovies.com, 1 +datenkeks.de, 1 +dateno1.com, 1 +datenreiter.cf, 1 +datenreiter.gq, 1 +datenretter.tk, 1 +datenrettung360.at, 1 +datenrettung360.de, 1 +datensalat.info, 1 +datenschutz-consult.de, 1 +datenschutz-gruenwald.de, 1 +datenschutz-individuell.de, 1 +datenschutz-isny.de, 1 +datenschutz-leutkirch.de, 1 +datenschutz-luebbecke.de, 1 +datenschutz-oberschwaben.de, 1 +datenschutz-ravensburg.de, 1 +datenschutz-recht-medizin.de, 1 +datenschutz-wangen.de, 1 +datenschutz-weingarten.de, 1 +datenschutzgrundverordnung.de, 1 +datenschutztag.org, 1 +datenschutzzentrum.de, 1 +datenwerkstatt.net, 1 +datessrit.tk, 1 +dating.wedding, 1 +datingadvice.gq, 1 +datingbedrog.tk, 1 +datingblog.tk, 1 +datingfakecheck.com, 1 +datinglocalgirls.com, 1 +datingonlinecheck.com, 1 +datingopportunitiesest.ga, 1 +datingru.ml, 1 +datingru.tk, 1 +datingsite.ml, 1 +datingsrit.tk, 1 +datingswagger.ga, 1 +datingticino.ch, 0 +datingwebsitesforteenagers.cf, 1 +datingyourmate.ga, 1 +datj.net, 1 +datmancrm.com, 1 +datnenhamiltongarden.com, 1 +datomize.com, 1 +datorb.com, 1 +datorhjalp-stockholm.se, 1 +datorhjalpen.link, 1 +datorhjalptaby.se, 1 +datos-quimsaitw.es, 1 +datosfreak.tk, 1 +datovy-portal.cz, 1 +datovy-portal.sk, 1 +datovyaudit.cz, 1 +datovyportal.cz, 1 +datovyportal.sk, 1 +dattelking.com, 1 +dattelking.de, 1 +datumplus.co.uk, 1 +datumstudio.jp, 1 +datumvandaag.eu, 1 +dature.cloud, 1 +datustribe.tk, 1 +datutoday.tk, 1 +datutorials.tk, 1 +datzen.com, 1 +daubecity.de, 1 +daubehosting.de, 1 +dauenhauer.de, 1 +daughertyplasticsurgery.com, 1 +daughtridgeenergy.com, 1 +daugoitot.com, 1 +daum-group.de, 1 +daunatotala.ro, 1 +daunt.link, 1 +dauphincounty.gov, 1 +dausendschoen.de, 1 +davalochki.tk, 1 +davar1.co.il, 1 +davd.cf, 1 +dave-pearce.com, 1 +daveaglick.com, 0 +daveaustin.xyz, 1 +davebelton.com, 1 +davebodnar.tk, 1 +davebuis.tk, 1 +davecardwell.com, 1 +daveedave.de, 0 +davelucia.com, 1 +davemusic.tk, 1 +davenportok.gov, 1 +daveoc64.co.uk, 1 +davepearce.com, 1 +davepermen.net, 1 +davepullig.co.uk, 1 +daveredfern.com, 1 +daveroverts.nl, 0 +davesharpe.com, 1 +davesplace.tk, 1 +davetempleton.com, 1 +davewardle.com, 1 +daveyconstructions.com, 1 +davichete.me, 1 +david-almeida.co.uk, 1 +david-andrawos.fr, 1 +david-beckham-online.tk, 1 +david-clarke.id.au, 1 +david-corry.com, 1 +david-edu.com, 1 +david-jeffery.co.uk, 1 +david-merkel.de, 1 +david-nextcloud.ddns.net, 1 +david-osipov.me, 1 +david-osipov.vision, 1 +david-pearce.com, 1 +david-reess.de, 1 +david-schiffmann.de, 1 +david.kitchen, 1 +davidadrian.org, 1 +davidalbert.me, 1 +davidandersson.se, 1 +davidbach.com, 1 +davidband.com.au, 1 +davidbranco.me, 1 +davidbrito.tech, 1 +davidbrookes.me, 0 +davidbyrne.tk, 1 +davidcityne.gov, 1 +davidcraft.de, 1 +davidcrousehouse.com, 1 +davidczihak.at, 0 +daviddesberg.com, 1 +daviddietrich.com, 1 +davidebaraglia.it, 1 +davidebasile.tk, 1 +davidelstob.com, 1 +davideonlain.tk, 1 +davidepalma.it, 1 +davidereinato.tk, 1 +davidetmagali.fr, 1 +davidfarland.com, 1 +davidfindlay.org, 1 +davidforward.net, 1 +davidfuentes.es, 1 +davidgarza.email, 1 +davidgarza.me, 1 +davidgouveia.net, 1 +davidgreig.uk, 1 +davidgroup.co.id, 1 +davidgroup.id, 1 +davidgrudl.com, 1 +davidhanle.com, 1 +davidinteriors.tk, 1 +davidje13.com, 1 +davidjktofan.com, 1 +davidjusto.com, 1 +davidkatz.tk, 1 +davidkeane.com, 1 +davidkennardphotography.com, 1 +davidking.xyz, 1 +davidknoll.me.uk, 1 +davidkyburz.ch, 1 +davidlamprea.com, 1 +davidlamprea.eu, 1 +davidlane.io, 0 +davidlemler.me, 1 +davidlillo.com, 1 +davidlindekilde.dk, 1 +davidlouisedelman.com, 1 +davidlyness.com, 1 +davidmanouchehri.com, 1 +davidmcevoy.org.uk, 1 +davidmessenger.co.uk, 1 +davidmgarvin.com, 1 +davidmlujan.com, 1 +davidmocq.com, 1 +davidn.cz, 1 +davidnadaski.com, 1 +davidnoren.com, 0 +davidops.com, 0 +davidorsot.com, 1 +davidovskakreu.tk, 1 +davidpatrickwilson.us, 1 +davidpearce.com, 1 +davidpearce.org, 1 +davidpescarolo.it, 1 +davidrichardson.com, 1 +davidritchie.tk, 1 +davidrteixeira.com, 1 +davids.online, 1 +davidsanker.com, 1 +davidschadlich.com, 1 +davidscherzer.at, 1 +davidsdika.com, 1 +davidsimner.me.uk, 1 +davidson-berquist.com, 1 +davidsonberquist.com, 1 +davidsopas.com, 0 +davidstark.name, 1 +davidstrickler.net, 1 +davidstuff.net, 1 +davidsun.info, 1 +davidsun.name, 1 +davidtiffany.com, 1 +davidtorres4congress.com, 1 +davidvilla.tk, 1 +davidzarza.tk, 1 +davidzeegers.nl, 1 +davidzimmerman3.com, 1 +davie3.com, 1 +daviesscountyin.gov, 1 +daviesscountyinsheriff.gov, 1 +davimun.org, 1 +davinamccall.tk, 1 +davinciwaldorfschool.org, 1 +davisboroga.gov, 1 +daviscannabisco.com, 1 +daviscountyelectionsutah.gov, 1 +daviscountyiowa.gov, 1 +davisdieselandautorepair.com, 1 +davisgrana.tk, 1 +davison.tech, 1 +davisontwp-mi.gov, 1 +davisvision.com, 1 +davmimer-mercerie.ro, 1 +davorin.cf, 1 +davosalestax.com, 1 +davros.eu, 1 +davros.ru, 1 +davulcuyuz.com, 1 +davy-server.com, 1 +davyatletiek.tk, 1 +davyjonesatacado.com.br, 1 +davypropper.com, 1 +dawaai.pk, 1 +daware.io, 1 +dawg.eu, 1 +dawgs.ga, 1 +dawidpotocki.com, 1 +dawidwrobel.com, 1 +dawnbringer.eu, 1 +dawnbringer.net, 1 +dawnbyte.ch, 1 +dawnlydialnyc.com, 1 +dawnofhope.tk, 1 +dawnson.is, 1 +dawnzine.com, 1 +dawonelectron.com, 1 +dawonmedax.com, 1 +dawprogram.org, 1 +dawrimiz.com, 1 +dawson-floridavilla.co.uk, 1 +dawsoncountyga.gov, 1 +dawsoncountyne.gov, 1 +dawsonmt.gov, 1 +dax.do, 1 +dax.guide, 1 +daxenexpress.com, 1 +daxis.io, 1 +daxisweb.net, 1 +daxo.io, 1 +daxoptimizer.com, 1 +daxos.tk, 1 +daxpatterns.com, 1 +daxperience.eu, 1 +daxrunbase.com, 1 +day, 1 +day-of-battlecats.blog, 1 +day.marketing, 1 +dayachts.com, 1 +daybreaklearning.com.au, 1 +daybuy.tw, 1 +daycomtech.com, 1 +daycontactlens.com, 1 +daycubrem.com, 1 +daydream.team, 1 +dayekelly.com, 1 +dayesh.tk, 1 +daygametraining.com, 1 +daylafit.com, 1 +daylightpirates.org, 1 +daymail.io, 1 +dayman.net, 1 +daymarksi.com, 1 +daymi.co, 1 +daymprove.life, 1 +daynia.net, 1 +daynightdrugs.com, 1 +dayoadetiloye.com, 1 +dayofdays.be, 1 +dayofthegirl.gc.ca, 1 +dayslater.tk, 1 +daysnews.tk, 1 +daysoftheyear.com, 1 +dayswithnostabbings.ca, 1 +daytonahealthsolutions.com, 1 +daytonaparadise.tk, 1 +daytonpcrepair.com, 1 +dayuse-hotels.it, 1 +dayuse.co.uk, 1 +dayuse.com, 1 +dayuse.com.hk, 1 +dayuse.cz, 1 +dayuse.de, 1 +dayuse.es, 1 +dayuse.fr, 1 +dayuse.se, 1 +dayvillefire.gov, 1 +daywind.com, 1 +daywindmusicgroup.com, 1 +daywindrecordingstudio.com, 1 +daywindrecords.com, 1 +daywindworship.com, 1 +dayz.com, 1 +daz8activator.com, 1 +dazenelevator.ph, 1 +dazz.it, 1 +dazzit.ca, 1 +dazzit.com, 1 +dazzit.io, 1 +dazzit.net, 1 +dazzit.org, 1 +dazzit.xyz, 1 +dazzledrive.tk, 1 +dazzlepulse.tk, 1 +dazzlestart.com, 1 +dazzleworks.tk, 1 +db-sanity.com, 1 +db-works.nl, 1 +db.ci, 1 +dba-support.nl, 1 +dbapress.org, 1 +dbaron.org, 1 +dbas.cz, 1 +dbase.cf, 1 +dbasolucoesadministrativas.com.br, 1 +dbautoservice.nl, 1 +dbb.wtf, 1 +dbcartography.com, 1 +dbdisco.co.uk, 1 +dbeilharz.com, 1 +dbeilharz.de, 1 +dbeilharz.eu, 1 +dbentertainment.co.uk, 1 +dbfopraga-pn.waw.pl, 1 +dbgames.info, 1 +dbhome.org, 1 +dbhouse.tk, 1 +dbic.ro, 1 +dbildungscloud.de, 1 +dbinderbilling.com, 1 +dbjc.tk, 1 +dbjg.com, 1 +dblabsite.net, 1 +dblcastles.co.uk, 1 +dbldub.net, 1 +dblsuretybonds.com, 1 +dbmiller.org, 1 +dbmnet.be, 1 +dbnext.de, 1 +dboptical.com, 1 +dbox.ga, 1 +dbpkg.com, 0 +dbplanview.com, 1 +dbq.com, 1 +dbradley771.com, 1 +dbrand.com, 0 +dbrgn.ch, 1 +dbs.cl, 0 +dbsalon.beauty, 1 +dbsbeautystore.cl, 1 +dbsinergy.tk, 1 +dbsinternational.org, 1 +dbt3ch.com, 1 +dbtechreviews.com, 1 +dbtest5.com, 1 +dbtotalnet.tk, 1 +dbtsai.com, 0 +dbtunder.tk, 1 +dbushell.com, 1 +dbw678.com, 1 +dbxtopstconverter.org, 1 +dc-acupuncture.com, 0 +dc-design.tk, 1 +dc-elektro.com, 1 +dc-elektro.de, 1 +dc-elektro.eu, 1 +dc-forum.tk, 1 +dc-occasies.be, 1 +dc-service.by, 1 +dc-solutions.at, 1 +dc-texas.com, 1 +dc-zone.com, 1 +dc7342.im, 1 +dcain.me, 1 +dcampusbd.com, 1 +dcards.in.th, 1 +dcareer.tk, 1 +dcave.net, 1 +dcboe.org, 1 +dcbouncycastles.co.uk, 1 +dcc.cat, 1 +dcc.moe, 1 +dcc.name, 1 +dccdurgor1nbl.cloudfront.net, 1 +dccode.gov, 1 +dccomputerrepair.com, 1 +dccpropane.com, 1 +dccwiki.com, 0 +dcdestetica.it, 1 +dcgprecisionpainters.co.nz, 1 +dchatelain.ch, 0 +dchauriga.com, 0 +dchest.org, 1 +dci.com.br, 1 +dcimpianti.it, 1 +dckd.nl, 1 +dcklvr.fr, 1 +dcl.re, 1 +dclaisse.fr, 1 +dclm.org, 1 +dclmwp.com, 1 +dcm.com, 1 +dcmarvelunited.com, 1 +dcmcleanair.com, 1 +dcmediahosting.com, 1 +dcmeventmanagement.com, 1 +dcmt.co, 1 +dcnews.jp, 1 +dcnews.ro, 1 +dco.sg, 1 +dcomedieta.it, 1 +dcoremassagechairs.com, 1 +dcparts.com.br, 1 +dcpl.bt, 1 +dcpower.eu, 1 +dcpro.pt, 1 +dcpudwa.gov, 1 +dcrdev.com, 1 +dcs.pp.ua, 1 +dcso.de, 1 +dcsoky.gov, 1 +dctrl.ch, 1 +dcustody.xyz, 1 +dcvc.com, 1 +dcw.io, 1 +dcyph.de, 1 +dd-groupinc.com, 1 +dd.art.pl, 1 +dd.center, 1 +dd00228.com, 0 +dd11d.net, 1 +dd202d.com, 1 +dd207d.com, 1 +dd214.gov, 1 +dd215d.com, 1 +dd23project.com, 1 +dd33d.net, 1 +dd3ah.de, 1 +dd5197.co, 1 +dd6729.co, 1 +dd6729.com, 0 +dd6957.co, 1 +dd9297.co, 1 +dd9728.co, 1 +dda.gov.ae, 1 +ddatsh.com, 1 +ddays2008.org, 1 +ddcakedeliveryservice.co.uk, 1 +dddd.loan, 1 +dddmelbourne.com, 1 +ddeaejwa.ml, 1 +ddel.de, 1 +dden.ca, 0 +dden.website, 1 +ddf.net, 1 +ddhlawyers.com, 1 +ddhosted.com, 0 +ddi.one, 1 +ddiaz.tk, 1 +ddinox.be, 1 +ddjia.com, 0 +ddjlawtampa.com, 1 +ddk.dn.ua, 1 +ddkdoradztwo.pl, 1 +ddkkitchens.com, 1 +ddma.nl, 1 +ddmail.se, 1 +ddmeportal.com, 1 +ddns-anbieter.de, 1 +ddns-test.de, 1 +ddnsip.cn, 1 +ddnsweb.com, 0 +ddog-gov.com, 1 +ddos-mitigation.co.uk, 1 +ddos-mitigation.info, 1 +ddosguard.cf, 1 +ddosolitary.org, 1 +ddproxy.cf, 1 +ddracepro.net, 1 +ddraum.de, 1 +ddsdiscounts.com, 1 +ddy.tw, 1 +de-basiliek.tk, 1 +de-ella.com, 1 +de-google-ify.org, 1 +de-groot.it, 1 +de-haas.dk, 1 +de-kramers.nl, 1 +de-lucadesigns.com.au, 1 +de-medici.nl, 1 +de-mossadeq.tk, 1 +de-ooyevaar.be, 1 +de-ooyevaar.com, 1 +de-ooyevaar.de, 1 +de-ooyevaar.nl, 1 +de-osopanda.com, 1 +de-penaranda.be, 1 +de-rwa.de, 1 +de-servers.de, 1 +de-spil.be, 1 +de.gt, 1 +de.ls, 1 +de.md, 1 +de.search.yahoo.com, 0 +de.vg, 1 +dea.gov, 1 +dead-letter.email, 1 +dead-parrot.de, 1 +deadbeef.ninja, 1 +deadboyskilling.tk, 1 +deadbybeats.tk, 1 +deadc0de.re, 1 +deadcode.ca, 1 +deadcoderssociety.tk, 1 +deadescape.tk, 1 +deadhead.tk, 1 +deadlift.tk, 1 +deadlockcoaching.com, 1 +deadpixel.tk, 1 +deadpoolonline.ga, 1 +deadpulse.com, 1 +deadpvp.eu, 1 +deadroot.tk, 1 +deadsamaritan.tk, 1 +deadsea.tk, 1 +deadshortaudio.com, 1 +deadspin.com, 1 +deadvoltage.com, 1 +deaecom.gov, 1 +deaf.eu.org, 1 +deafsound.tk, 1 +deaktualisierung.org, 0 +deal-runners.cf, 1 +deal45.ga, 1 +dealandgo.co.il, 1 +dealapp.nl, 1 +dealbanana.no, 1 +dealchip.tk, 1 +dealcoupons.in, 1 +dealcruiser.nl, 1 +dealdump.nl, 1 +dealerselectric.com, 1 +dealerwriter.com, 1 +dealinflatables.co.uk, 1 +dealjumbo.com, 1 +deallix.com, 1 +dealnxt.com, 1 +dealogic.com, 1 +dealpost.it, 1 +dealproject.org.au, 1 +dealroom.co, 1 +dealschief.com, 1 +dealsfinders.blog, 1 +dealsfromheaven.com, 1 +dealsinaz.com, 1 +dealsmagnet.com, 1 +dealsomart.com, 1 +dealsoncart.com, 1 +dealsonhealth.net, 1 +dealstreet.fr, 1 +dealzme.com, 1 +deamonmail.tk, 1 +deamsterdam.ml, 1 +deanandnatalia.co.za, 1 +deanbank.com, 1 +deanconsultancy.co.uk, 1 +deane.li, 1 +deano-s.co.uk, 1 +deanvending.com, 1 +dear-children.ga, 1 +dear-olivia.com, 1 +dearborn.gov, 1 +dearbornheightsmi.gov, 1 +dearburma.com, 1 +dearktiel.nl, 1 +deasserstadsloop.nl, 1 +deasy-store.com, 1 +deasyvow.com, 1 +death.social, 1 +deathberry.ddns.net, 1 +deathclub.eu, 1 +deathcult.fun, 1 +deathlords.tk, 1 +deathmarch.tk, 1 +deathofspring.com, 0 +deathrockstar.tk, 1 +deathsdomain.com, 1 +deathwar.tk, 1 +deathwarrior.tk, 1 +deathy.ro, 1 +deavel.com, 1 +deavel.fr, 1 +deavel.net, 1 +deavon.tk, 1 +debacker.biz, 1 +debarbas.com, 1 +debarkader34.tk, 1 +debarras-diogene.paris, 1 +debarrasantony.com, 1 +debarrasasnieressurseine.com, 1 +debarrasboulognebillancourt.com, 1 +debarrasclichy.com, 1 +debarrascolombes.com, 1 +debarrasnanterre.com, 1 +debashishsahu.com, 1 +debateisland.com, 1 +debats.tk, 1 +debattinnlegg.no, 1 +debatyun.jp, 0 +debauchery.ml, 1 +debbiesblog.nl, 1 +debbiessieraden.tk, 1 +debedstedanskecasinoer.dk, 1 +debeer.tech, 1 +debelareabogados.es, 1 +debelicd.tk, 1 +debesiukas.lt, 1 +debesteaedwinkel.nl, 1 +debesteehbodoos.nl, 1 +debewaker.tk, 1 +debian.link, 1 +debianizzati.org, 1 +debigare.com, 1 +debijloke.be, 1 +debijloke.gent, 1 +debitcloud.com, 1 +debitterballetjes.tk, 1 +deblender.be, 1 +deblender.shop, 1 +deblier.dynv6.net, 1 +deblocking.ga, 1 +deboekaniers.be, 1 +debofnight.com, 1 +deboo.info, 1 +debora-singkreis.de, 1 +deborahkaty.tk, 1 +deborahmarinelli.eu, 1 +debostero.tk, 1 +deboutpourlemali.ml, 1 +debraj.in, 1 +debraj.xyz, 0 +debraydesign.com.au, 1 +debricked.com, 1 +debrunet.nl, 1 +debruns.ie, 1 +debt-consolidation-reviews.org, 1 +debtdandy.com, 1 +debtmetricest.ga, 1 +debtpaypro.com, 1 +debtrecycling.com.au, 1 +debtsolution.cf, 1 +debtsolution.tk, 1 +debtsupportcentre.co.uk, 1 +debtsy.com, 1 +debuemon.com, 1 +debugging.tk, 1 +deburen.tk, 1 +debut-mebel.ru, 1 +debutaredead.tk, 1 +debuyer.com, 1 +debyte.com, 1 +debzsh.tk, 1 +dec-ced.gc.ca, 1 +dec6.gc.ca, 1 +decadentdvices.com, 1 +decal-times.com, 1 +decalquai.ch, 0 +decamidea.it, 1 +decarrouseloss.nl, 1 +decathlon.ca, 1 +decathlon.co.il, 1 +decathlon.com.co, 1 +decathlon.in, 1 +decathlon.lt, 1 +decathlon.lv, 1 +decathlon.my, 1 +decathlon.ph, 1 +decathlon.vn, 1 +decathlonag2r.com, 1 +decaturcountyiowa.gov, 1 +decaturcountytn.gov, 1 +decaturhistory.com, 1 +decaturish.com, 1 +deceasedonline.com, 1 +decentrala.org, 1 +dechan.com, 1 +dechat.nl, 1 +decherdtn.gov, 1 +dechetor.fr, 1 +dechow.ddns.net, 1 +decibelnewmusic.com, 1 +decide.hopto.org, 1 +decidetreatment.org, 1 +decima.bg, 1 +decimatechnologies.eu, 1 +decimation.tk, 1 +decipe.com, 1 +decis.fr, 1 +decisif-pacifique.com, 1 +decisionssometimes.ml, 1 +decisiontime.online, 0 +decisivetactics.com, 1 +deciso.eu, 1 +decisora.com, 1 +deckerville-mi.gov, 1 +deckfix.co.nz, 1 +deckshop.pro, 1 +deckzone.fr, 1 +declarando.es, 1 +declarativ.ga, 1 +declivitas.com, 1 +declutteringmymess.com, 1 +deco-parisienne.fr, 1 +decoating.pl, 1 +decock-usedcars.be, 1 +decode.ga, 1 +decodeanddestroy.com, 1 +decofire.pl, 0 +decokeuken.nl, 1 +decologisticsgh.com, 1 +decompression.tk, 1 +decompressneuroma.com, 1 +deconstructind.ro, 1 +decontentmaaksters.nl, 1 +decopros.fr, 1 +decor-anna.com, 1 +decor-essentials.com, 0 +decor-live.ru, 1 +decor-prazdnik.ru, 1 +decorahia.gov, 1 +decoral.org, 1 +decorarei.com, 1 +decoratingadvice.co.uk, 1 +decorations-elmotamaiz.com, 1 +decoratiunidulci.ro, 1 +decorativeconcretewa.com.au, 1 +decorativecosmetics.tk, 1 +decorator.uk, 1 +decoratore.roma.it, 1 +decorestilo.com.br, 1 +decorlux.bg, 1 +decorluxmuebles.com, 1 +decormiernissanparts.com, 1 +decorno.tk, 1 +decorpol-renovation.fr, 1 +decorsolucionesgraficas.es, 1 +decorumcomics.com, 1 +decosoftware.com, 1 +decotax.com, 1 +decotonic.com, 1 +decotrend.ro, 1 +decoyoctopus.tk, 1 +decrousaz-ceramique.ch, 0 +decrypt.co, 1 +decrypto.net, 1 +decs.es, 1 +decstasy.de, 1 +decsys.work, 1 +decubex.com, 1 +dedal.store, 0 +dedede.ro, 1 +dedektor.com, 1 +dedelta.net, 1 +dedeo.tk, 1 +dedg3.com, 1 +dedge.org, 1 +dedicatedservers.cf, 1 +dedmoroz.ga, 1 +dedmoroz.gq, 1 +dedmorozrzn.ru, 0 +dedns.com, 1 +dedoho.pw, 1 +dedoles.at, 1 +dedoles.com, 1 +dedoles.cz, 1 +dedoles.de, 1 +dedoles.hu, 1 +dedoles.pl, 1 +dedoles.ro, 1 +dedoles.sk, 1 +deduijventil.nl, 1 +dedurpsidioten.tk, 1 +dedyk.gq, 1 +dee.pe, 1 +dee.su, 1 +deechtebakkers.nl, 1 +deedixservice.com, 1 +deedoo.com, 1 +deedyinc.com, 1 +deeezy.com, 1 +deegeeinflatables.co.uk, 1 +deejayladen.de, 1 +deejayz.tk, 1 +deelmee.nl, 1 +deelmijnreis.nl, 1 +deelodge.art, 0 +deemasfashion.co.uk, 1 +deemasfashion.com, 1 +deemasfashion.us, 1 +deenergiecentrale.be, 1 +deenergiecentrale.gent, 1 +deeonix.eu, 1 +deep-core.tk, 1 +deep-labs.com, 1 +deep-wave-hair-extensions.tk, 1 +deep6.ai, 1 +deepaero.com, 1 +deeparamaraj.com, 1 +deepbluecrafting.co.uk, 1 +deepblueemail.com, 1 +deepbuy.tech, 1 +deepcreampie.com, 1 +deepgame.tk, 1 +deephill.com, 1 +deephustlellc.com, 1 +deepid.com, 1 +deepinnov.com, 1 +deepinsight.io, 1 +deepl.com, 1 +deeplink-medical.com, 1 +deepmountains.tk, 1 +deepnote.com, 1 +deeps.cat, 1 +deepserve.info, 1 +deepset.ai, 1 +deepset.com, 1 +deepsingh.tk, 1 +deepsky.tk, 1 +deepsoulutions.cf, 1 +deepsoulutions.ga, 1 +deepsoulutions.gq, 1 +deepsoulutions.ml, 1 +deepspace.dedyn.io, 1 +deepu-mathew.tk, 1 +deepumathew.tk, 1 +deepvalley.tech, 1 +deepwoodshop.com, 1 +deerfieldknoll.com, 1 +deeringnh.gov, 1 +deerlycke.tk, 1 +deesse-gaia.fr, 1 +def-pos.ru, 1 +defamiliehagen.com, 1 +defaultisafault.com, 1 +defcon.org, 1 +defcon.social, 1 +defcongame.tk, 1 +defcongroups.org, 1 +defectivebydesign.org, 1 +defeestboek.nl, 1 +defeestridders.tk, 1 +defelo.de, 1 +defelo.ml, 1 +defence.pk, 1 +defencemilcis2022.com.au, 1 +defend2.org, 1 +defendanimals.com, 1 +defender-pro.com, 1 +defendinnovation.org, 1 +defendtheweb.co.uk, 1 +defendtheweb.net, 1 +defenestrazionedipra.ga, 1 +defensefrontit.com, 1 +defenseweapon.tk, 1 +defensie.tk, 1 +defensivefirearmsinstruction.org, 1 +defensoresunidos.tk, 1 +defero.io, 1 +defesa.gov.br, 1 +defesaaereanaval.com.br, 1 +deffo.com.au, 0 +defi-metier.com, 0 +defi-metier.fr, 0 +defi-metier.org, 0 +defi-metiers.com, 0 +defi-metiers.org, 0 +defiant.com, 1 +defichain.com, 1 +defietsambassade.be, 1 +defietsambassade.gent, 1 +defietsambassadegent.be, 1 +defifa.ga, 1 +defile.ml, 1 +defiler.tk, 1 +defimetier.fr, 0 +defimetier.org, 0 +defimetiers.com, 0 +defimetiers.fr, 0 +define-atheism.com, 1 +define-atheist.com, 1 +defineatheism.com, 1 +defineatheist.com, 1 +definethenoise.tk, 1 +definingterms.com, 1 +definitely.cn, 0 +definitions360.com, 1 +definitivepressurewashing.com, 1 +defiscalisation.ml, 1 +defiscan.live, 0 +defisolutions.ch, 0 +defkey.com, 1 +deflumeri.com, 1 +deflumeriker.com, 1 +defme.eu, 1 +defont.nl, 1 +defreitas.no, 1 +defriesezaak.nl, 1 +deftek.com, 1 +defterikebir.tk, 1 +deftig-und-fein.de, 1 +defunct-engineers.ml, 1 +defuse.ca, 1 +degala.tk, 1 +degasten.tk, 1 +dege.me, 1 +degeberg.com, 1 +degeberg.dk, 1 +degeeks.xyz, 1 +degen-elektrotechnik.de, 1 +degenerativediscdiseaseexplained.com, 1 +degens.io, 1 +degentseflikkenzoekenu.be, 1 +degeo.cf, 1 +degeo.ml, 1 +degestamptepot.nl, 1 +degewonegezondemeid.nl, 1 +degilde.tk, 1 +degirmenkasi.tk, 1 +degit.de, 1 +dego.biz.id, 0 +degoeiewebsite.cf, 1 +degooglisons-internet.com, 1 +degooglisons-internet.fr, 1 +degooglisons-internet.org, 1 +degooglisons.org, 1 +degooglisonsinternet.org, 1 +degooglize.org, 1 +degoulet.net, 1 +degraafschapdierenartsen.nl, 1 +degracetechnologie.com, 1 +degradarium.com, 1 +degraissagehotte.fr, 1 +degrasboom.org, 1 +degravel.net, 1 +degreecollege.tk, 1 +degreeducation.tk, 1 +degreequalified.com, 1 +degreesofcomfort.com, 1 +degreesonline.com, 1 +degressif.com, 1 +degroetenvanrosaline.nl, 1 +degrootenslot.nl, 0 +degrootsteshop.nl, 1 +degustuju.cz, 1 +dehaagsehogeschool.nl, 1 +dehaanadvocatenkantoor.nl, 1 +dehaancaravans.nl, 1 +dehippeouder.nl, 1 +dehkade3.ml, 1 +dehoga-reisen.de, 1 +dehop.re, 1 +dehopre.com, 1 +dehumanizer.com, 1 +deiaprint.com, 1 +deidee.nl, 1 +deimos.gq, 1 +dein-baumdienst.de, 1 +dein-trueffel.de, 1 +dein.mx, 1 +deinballon.de, 1 +deindeal.ch, 1 +deineagentur.de, 1 +deinelakaien.tk, 1 +deinewebsite.de, 1 +deinhardt.com, 1 +deinjoghurt.de, 1 +deinsparen24.de, 1 +deionized.ga, 1 +deisedigital.com, 1 +deitec-global.com, 1 +deitti.net, 1 +deja-lu.de, 1 +dejandayoff.com, 1 +dejaren80.tk, 1 +dejavu.ml, 1 +dejected.ga, 1 +dejfcold.cz, 1 +dejie.com, 1 +dejiren.com, 1 +dejmidarek.cz, 1 +dejon-whirlpools.de, 1 +dejongonline.eu, 1 +dejorisenkeesshow.tk, 1 +dejoylandschools.com, 1 +dejure.org, 0 +dejuzconsults.com, 1 +dekalbcountyclerkil.gov, 1 +dekalbcountymo.gov, 1 +dekampioenen.tk, 1 +dekasegi-kansai.com, 1 +dekasegifuzoku.com, 1 +dekasseguiempregos.com, 1 +dekel.co.il, 1 +dekeurslagers.nl, 1 +dekhanyalcalde.com, 1 +dekinai.moe, 1 +dekko.io, 1 +dekleinezeppos.be, 0 +dekonijnenburcht.tk, 1 +dekorasyonu.net, 1 +dekoration.cf, 1 +dekoration.gq, 1 +dekoration.ml, 1 +dekoration.tk, 1 +dekordiyon.com, 1 +dekulk.nl, 0 +del-ex.de, 1 +delahrzolder.nl, 1 +delam.site, 1 +delamoreretirement.com.au, 1 +delanomn.gov, 1 +delaquila.com.co, 1 +delartouducocon.com, 1 +delasamericas.tk, 1 +delavega.ua, 1 +delavska-hranilnica.si, 1 +delavska.si, 1 +delawarehealth.tk, 1 +delawarenation-nsn.gov, 1 +delawaretwpmi.gov, 1 +delay-dengi.cf, 1 +delaydengy.tk, 1 +delaysoft.tk, 1 +delcan.ga, 1 +delcan.gq, 1 +delcan.ml, 1 +delcity.gov, 1 +delcopa.gov, 1 +delcopalandbank.gov, 1 +deldadegan.tk, 1 +delduca.casa, 1 +deleesanghers.tk, 1 +delegao.moe, 1 +deleidscheflesch.nl, 1 +delete.cf, 1 +deletebin.com, 1 +deletebin.org, 1 +delfi.ee, 1 +delfi.lt, 1 +delfi.net, 1 +delfic.org, 1 +delfinus.tk, 1 +delftstudy.nl, 1 +delhi-escorts.in, 1 +delhi.edu, 1 +delhicleanairforum.tk, 1 +delhitourism.gov.in, 1 +delhitownshipmi.gov, 1 +deli-fuzoku.jp, 1 +deliacreates.com, 1 +deliandiver.org, 1 +delicaclubphils.tk, 1 +delicadosonico.tk, 1 +delicale.com.br, 1 +delicatewonders.com, 1 +delici.art.br, 1 +deliciascomercial.com, 1 +deliciaskitchen.com, 1 +delicious-audio.com, 1 +delicious.gq, 1 +deliciousmedia.co.uk, 1 +deliciousmedia.net, 1 +delicioustable.com, 1 +delicon.jp, 1 +delijan24.ir, 1 +delika.io, 1 +delikom.de, 1 +delio.tk, 1 +delirio.tk, 1 +delisoft.ca, 1 +delistudio.cf, 1 +delitefully.com, 1 +delitto.top, 1 +deliuksta.lt, 1 +deliverability.guru, 1 +delivereasy.tk, 1 +delivery.it, 1 +deliveryman.site, 1 +delivr.com, 1 +deljeconiah.com, 1 +delker.com, 1 +delkomrockdrill.com, 1 +dellacasapizzasemassas.com.br, 1 +dellamorte.tk, 1 +dellasano.com, 1 +dellie.com, 1 +dellipaoli.com, 1 +dellirium.tk, 1 +delmarsumter.nl, 0 +delofderonvolmaaktheid.tk, 1 +delogo.nl, 1 +delontewest.tk, 1 +delorenzi.dk, 1 +deloretta.com, 1 +delosgaia.nl, 1 +delpark.de, 1 +delphia.ai, 1 +delphia.com, 1 +delphibasics.tk, 1 +delphij.net, 1 +delphinarabic.tk, 1 +delphine.dance, 1 +delphinewong.com, 1 +delprete.me, 1 +delpuertohealth.gov, 1 +delrayengineering.ca, 1 +delsfranchise.com, 1 +delsolphotography.com, 1 +delta-data.ch, 1 +delta-electric.net, 1 +delta-games.tk, 1 +delta-hawks.tk, 1 +delta-host.ml, 1 +delta-market.ru, 1 +delta.ai, 1 +delta.ru, 1 +delta24.ml, 1 +deltacity.net, 1 +deltacomputer.com, 1 +deltacomputer.de, 1 +deltacountyco.gov, 1 +deltacountymi.gov, 1 +deltacountymi.org, 1 +deltadentalmo.com, 1 +deltadentalsc.com, 1 +deltafm.tk, 1 +deltaloja.com.br, 1 +deltamusik.tk, 1 +deltamvcd.gov, 1 +deltanio.nl, 0 +deltaonlineguards.com, 1 +deltaphiepsilon.tk, 1 +deltaprise-events.de, 1 +deltarisk.com, 0 +deltaserat.tk, 1 +deltaservers.blog.br, 1 +deltaservers.com.br, 1 +deltasigmachi.org, 1 +deltasigmaxi1971.tk, 1 +deltasul.com.br, 1 +deltasuprimentos.com.br, 1 +deltav.ml, 1 +deltava.org, 1 +deltawolf.net, 1 +deltaworkssecurity.com, 1 +deltaworkssecurity.nl, 1 +delugarnenhum.com, 1 +delugerpg.com, 1 +delunee.co, 1 +deluxe-bot.tk, 1 +deluxe-dubai.com, 1 +deluxeblogtips.com, 1 +deluxecar.fr, 1 +delvemagazine.ca, 1 +delvinoadegas.com.br, 1 +delycate.com, 1 +delycate.fr, 1 +delzottolink.com, 1 +demaison.pro, 1 +demandbase.com, 1 +demander.tk, 1 +demandmatrix.com, 1 +demannen.tk, 1 +demarestnj.gov, 1 +demarit.fi, 1 +demascotas.es, 0 +demcra.com, 1 +demedx.at, 1 +demenagement-chalon.fr, 1 +demenagement-sfd.fr, 1 +demenagementagb.com, 1 +dementiacaring.com.au, 1 +dementiafactsexplained.com, 1 +dementiapraecox.de, 1 +dementieva-pennetta.tk, 1 +dementievriendelijk.gent, 1 +dementievriendelijkgent.be, 1 +demes.tk, 1 +demesos.tk, 1 +demetra-site.com.ua, 1 +demeubelmakelaar.nl, 1 +demeyere-usedcars.be, 1 +demfloro.ru, 1 +demicon.biz, 1 +demijn.nl, 1 +demilletech.net, 1 +demilovatomexico.tk, 1 +demine.freeboxos.fr, 1 +deminglaw.com, 1 +deminormaastricht.tk, 1 +demirdokum.tk, 1 +demisch-tim.de, 1 +demischtim.de, 1 +demish.tk, 1 +demmakina.com, 1 +demmarket.ru, 1 +demmer.one, 1 +demo-awl.com, 1 +demo-ferma.ga, 1 +demo.com.my, 1 +demo.sb, 1 +demo.swedbank.se, 1 +demobiliteitfinancier.nl, 1 +democracy-news.tk, 1 +democracy.cf, 1 +democracychronicles.com, 1 +democracydirect.com, 1 +democracyineurope.eu, 1 +democratherald.com, 1 +democratie.tk, 1 +democraziaineuropa.eu, 1 +demografia.tk, 1 +demohubglobal.com, 1 +demokisisel.tk, 1 +demokrasi.tk, 1 +demolandia.net, 1 +demolitetuto.fr, 1 +demomanca.com, 1 +demonbuster.tk, 1 +demondms.com, 1 +demonforums.tk, 1 +demoniak.ch, 1 +demonicademorte.tk, 1 +demonicresurrection.tk, 1 +demonics.tk, 1 +demonized.tk, 1 +demonmassacre.tk, 1 +demonoid.is, 1 +demonstrably.live, 1 +demontage.tk, 1 +demonwav.com, 1 +demonwithin.tk, 1 +demonwolfdev.com, 1 +demopanel.tk, 1 +demorgen.be, 1 +demostweb.ga, 1 +demotivatorbi.ru, 1 +demotrjct.online, 1 +demoussage-drone.fr, 1 +dempe.tk, 1 +dempsters.ca, 0 +demsh.org, 1 +demuzere.be, 1 +demuzere.eu, 1 +demuzere.net, 1 +demuzere.nl, 1 +demuzere.org, 1 +demxausa.com, 1 +den-fi.com, 1 +den.vc, 1 +dena.pro, 1 +denabot.pw, 1 +denachtegaalferwert.tk, 1 +denaehula.com, 1 +denali.net, 1 +denalisculpture.com, 1 +denarium.com, 1 +denatured.tk, 1 +denbar.org, 1 +dencel.lv, 1 +denchik.tk, 1 +dendi.tk, 1 +dendibanget.tk, 1 +dendra.io, 1 +dendrite.fail, 1 +denegka-mgnovenno.cf, 1 +denegmnogo.tk, 1 +denejki.tk, 1 +denet.pro, 0 +denformlab.lt, 1 +dengg.name, 1 +dengidoma24.ml, 1 +dengisrazu.tk, 1 +dengivdolg.ml, 1 +dengivdolg.tk, 1 +dengivdom.tk, 1 +dengjunhui.cn, 1 +dengyt.net, 1 +denhartogracing.com, 1 +denhotels.com, 1 +denied.gr, 1 +denieuwenederlandsevlag.tk, 1 +denimtoday.com, 1 +denince.net, 1 +denisaadolfova.com, 1 +denisadinu.com, 1 +denisdftnewyorklife.com, 1 +denisdimoski.tk, 1 +deniseeisenhauer.de, 1 +denisewakeman.com, 1 +denisglobal.com, 1 +denisgrandverger.de, 1 +denismusic.ga, 1 +denisontx.gov, 1 +denispiknjac.com, 1 +denissalignat.fr, 1 +denissealatinsoul.com, 1 +denistruffaut.fr, 0 +denisyakovlev.ga, 1 +denisyakovlev.ml, 1 +denisyan.ml, 1 +deniszczuk.pl, 1 +deniz.uk, 1 +denizdesign.co.uk, 1 +denizkutan.com, 1 +denizlicilingir.org, 1 +denizlihaber.tk, 1 +denizlihaberleri.tk, 1 +denizlisohbet.tk, 1 +denizuydur.nl, 1 +denk-it.be, 1 +denkeandersblog.de, 1 +denker.tk, 1 +denkerstube.net, 1 +denkit.com, 1 +denkmalagentur.ch, 1 +denkmalsetzung.at, 1 +denknowles.com, 1 +denkorolev.ga, 1 +denkubator.de, 1 +denner.ch, 1 +denninger.jp, 1 +denningny.gov, 1 +dennis-carpenter.com, 1 +dennisang.com, 1 +denniscsl.com, 1 +dennishenrique.com.br, 1 +dennishzg.com, 1 +denniskoot.nl, 1 +dennislicht.tk, 1 +dennismurphy.biz, 1 +dennisrubin.tk, 1 +dennisswiers.tk, 1 +dennistyfus.tk, 1 +dennisvandenbos.nl, 1 +dennmart.me, 1 +dennogumi.org, 1 +deno.com, 1 +denous.nl, 1 +denovo.energy, 1 +denovocorp.com, 1 +denrei.com, 1 +denshub.com, 1 +densocean.net, 1 +dent-academ.ru, 1 +dent.uy, 1 +denta-ua.com, 1 +dentad.com.ua, 1 +dentadir.com, 0 +dental-cloud.eu, 1 +dental-colleges.com, 1 +dental-fitness.co.jp, 1 +dental.gq, 1 +dentalcareerfinder.com, 1 +dentalcareersedu.org, 1 +dentalcolleges.tk, 1 +dentalimplantscost.com.au, 1 +dentalmonitoring.com, 1 +dentalnasser.com, 0 +dentaloptimizer.com, 1 +dentalqore.com, 1 +dentalqoretemp.com, 1 +dentalreklamlari.tk, 1 +dentals.cf, 1 +dentalsupportuk.com, 1 +dentalturism.com, 1 +dentalunion.ru, 1 +dentcountyhealth.gov, 1 +dentdelion-plugin.com, 1 +dented.gq, 1 +dentelegan.com, 1 +dentisalut.com, 1 +dentislabor.lt, 1 +dentist-profi.ga, 1 +dentistaaroma.com, 1 +dentistabarbarajaqueline.com.br, 1 +dentistalagoasanta.com.br, 1 +dentistesdarveauetrioux.com, 1 +dentistree.in.ua, 1 +dentistsgainesvillega.com, 1 +dentistslilburnga.com, 1 +dentoncounty.gov, 1 +dentoncountysheriffjobs.gov, 1 +dentonolab.lt, 1 +dentrassi.de, 1 +dentsugrantgroup.com, 1 +dentystabirmingham.co.uk, 1 +denuevestore.com, 1 +denugka-vezde.gq, 1 +denugka-vezde.tk, 1 +denunzieren.tk, 1 +denver-design.cf, 1 +denver.show, 1 +denver.tk, 1 +denver7.com, 1 +denverautoinsurancecompany.com, 1 +denverclassifieds.net, 1 +denverescorts.net, 1 +denverilluminations.com, 1 +denvernews.ml, 1 +denverroot.com, 1 +denvillenj.gov, 1 +denvillepolice.gov, 1 +denydarko.tk, 1 +deobandi.tk, 1 +deobandimazhab.tk, 1 +deonlineadvocaat.nl, 1 +deonlineassistente.nl, 1 +deonlinedrogist.nl, 1 +deontology.com, 1 +deoostfrees.com, 1 +deooyevaar.be, 1 +deooyevaar.com, 1 +deooyevaar.de, 1 +deooyevaar.es, 1 +deooyevaar.fr, 1 +deooyevaar.nl, 0 +deoremann.com, 0 +deoxy.org, 1 +depaco.com, 1 +depak.de, 1 +depannage-traceur.fr, 1 +depapboeren.tk, 1 +deparis.me, 1 +departamentosenventaen.com, 1 +departamentosenventaentulum.com, 1 +departamentoslosolivos.tk, 1 +departmentofdefense.tk, 1 +departmentofoncology.com, 1 +departureboard.io, 1 +depaulmanorestate.com.au, 1 +depcoa.date, 1 +depcompower.com, 1 +depd.rocks, 1 +depdesign.com, 1 +depeche.ga, 1 +depechemode-live.com, 1 +depechemode.de, 1 +deped.blog, 0 +deped.io, 1 +depedcommons.com, 1 +depedcommons.org, 1 +depedept.com, 0 +depedsurigaodelnorte.com, 1 +depedtambayan.blog, 0 +depedtambayan.net, 1 +depedtayo.ph, 1 +depelos.co, 1 +depelteau.com, 1 +dependonplus.com, 1 +dependopolis.com, 1 +deperewi.gov, 1 +dephoro.com, 1 +depicus.com, 1 +depijl-mz.nl, 0 +depijp.tk, 1 +depilazione.roma.it, 1 +depilestil.es, 1 +depiratas.com.es, 0 +depistage-bejune.ch, 0 +depleteduranium.tk, 1 +deplis.fr, 0 +deplorablesdaily.com, 1 +depokcity.tk, 1 +depolauncher.cf, 1 +depone.net, 0 +depop.com, 1 +deported.ml, 1 +deportes.in, 1 +deportescr.net, 1 +deportestalcahuano.tk, 1 +deportivo-pasto.tk, 1 +depositart.com, 1 +depositomerci.it, 1 +depositomobili.it, 1 +depository.ml, 1 +depotaraf.com.tr, 1 +depotchronicle.com, 1 +depotly.io, 1 +depotronik.com, 1 +depotsquarekerrville.com, 1 +depotter-usedcars.be, 1 +deprecate.de, 1 +depressionadvice.gq, 1 +deprobe.pro, 1 +deprofundis.tk, 1 +deps.com.br, 1 +depthsofdepravity.tk, 1 +depuberteit.tk, 1 +depuratore.it, 1 +dequency.io, 1 +der-bank-blog.de, 1 +der-beste-schumpeter-vortrag.de, 1 +der-elite.blog, 1 +der-gardinenmann.de, 1 +der-lan.de, 1 +derailer.org, 1 +derakkers.tk, 1 +derango.tk, 1 +deratisation-prix.fr, 1 +deratisation.maison, 1 +deratisation.paris, 1 +derattizzare.it, 1 +derattizzazione.name, 1 +derattizzazioni.biz, 1 +derattizzazioni.it, 1 +derattizzazioni.milano.it, 1 +derattizzazioni.org, 1 +derbuntering.de, 1 +derby.ge, 1 +derbybouncycastles.com, 1 +derbylegalassistance.com, 1 +derbymoneyman.com, 1 +derbyshire-language-scheme.co.uk, 1 +derbysound.com, 1 +derbyware.com, 1 +derchris.me, 1 +derdevel.de, 1 +derdewereldrommelmarkt.nl, 1 +derechosanimales.tk, 1 +dereddingsklos.nl, 1 +dereferenced.net, 1 +derejilla.online, 1 +derekbarnes.consulting, 1 +derekgendron.com, 1 +derekheld.com, 1 +derekkent.com, 1 +dereklow.co, 1 +derekseaman.com, 1 +derekseaman.studio, 1 +deremeavocats.be, 1 +derewonko.com, 1 +derf.fr, 1 +derfritz.at, 1 +dergon.club, 1 +derguns.town, 1 +derhaeuptling.de, 1 +derhil.de, 1 +derinsular.tk, 1 +derivative-calculator.net, 1 +derivativeshub.pro, 1 +derive.cc, 0 +derive.cf, 1 +derkach.io, 1 +derkarl.tk, 1 +derkbarten.nl, 1 +derkuki.de, 1 +derlux.tk, 1 +dermacarecomplex.com, 1 +dermafeelstudio.com, 1 +dermaldistinction.com, 1 +dermalenzburg.ch, 1 +dermapaz.net, 1 +dermaprocollagen.com, 1 +dermapuur.nl, 1 +dermarollerbest.com, 1 +dermato.floripa.br, 1 +dermatolog-ivanova.com, 1 +dermatologie-morges.ch, 0 +dermatologistmumbai.com, 1 +dermatologyandlasergroup.com, 1 +dermax.tk, 1 +dermedia.tk, 1 +dermediq.nl, 1 +dermko.cz, 1 +dermnet.ai, 1 +dermody.ga, 1 +dermopigmentista.it, 1 +dermot.org.uk, 1 +dermscc.com, 1 +dermsf.com, 1 +dermu.ai, 1 +deroo.org, 1 +deroo.tk, 1 +derou.com, 1 +derp.army, 1 +derp.chat, 1 +derpibooru.org, 1 +derpicdn.net, 1 +derpy.pp.ua, 1 +derre.fr, 1 +derreichesack.com, 1 +derricofinancialservices.com, 1 +derrigimlaghtokylemoregreenway.ie, 1 +derrybasketball.tk, 1 +dersimizmatematik.cf, 1 +dersoundhunter.de, 1 +derssonu.com, 1 +derstulle.de, 1 +derventzis.gr, 1 +derw.pw, 1 +derwaldschrat.net, 1 +derze.cloud, 1 +des-hommes-et-des-clous.com, 1 +desacanggu.id, 1 +desafiomovilidadsustentable.com, 1 +desagaz.com, 1 +desakatorock.tk, 1 +desalas.org, 1 +desant.com, 1 +desapego.com.br, 1 +desarrollamosweb.com, 1 +descargapormega.ml, 1 +descargar-apk.org, 1 +descobrim.com, 1 +desconfiats.tk, 1 +descopera.ro, 1 +descubre.ml, 1 +descuentomi.es, 1 +desec.io, 1 +desecsecurity.com, 1 +deseneonline.tk, 1 +desensitized.tk, 1 +desentupidorakazumi.com.br, 1 +desenvolvimentolocalvfa.com.br, 1 +deseosvip.tk, 1 +desergo.com, 0 +desert.cf, 1 +desertbloomplasticsurgery.com, 0 +desertbloomskincare.com, 1 +desertbluffs.com, 1 +desertdogtechnology.com, 1 +desertfiredesigns.com, 1 +desertfury.tk, 1 +desertgrove.com, 1 +desertheroesteam.com, 1 +deserti.tk, 1 +desertlinealuminium.com, 1 +desertlinegroup.com, 1 +desertmarocsafari.com, 1 +desertmedaesthetics.com, 1 +desertnaturals.me, 1 +desertofoldies.tk, 1 +desertsounds.org, 1 +desgenst.ch, 1 +desguacesbarcelonacat.com, 1 +desguacesdecamiones.es, 1 +deshalb.de, 1 +deshevle-net.com, 1 +deshobi.cloud, 1 +desic-sl.com, 1 +desiderantes.tk, 1 +desideriushogeschool.be, 1 +design-in-bad.eu, 1 +design-n-art.tk, 1 +design-production.jp, 1 +design-tooning.de, 1 +design-tricks.gq, 1 +design-your-life.info, 1 +design2u.eu, 1 +designacademy.ru, 1 +designanyware.com.br, 1 +designarea.tk, 1 +designartepublicidad.com, 1 +designbro.com, 1 +designburners.com, 1 +designbymargot.com, 1 +designbymargot.fr, 1 +designbymargot.pro, 1 +designcanada.com, 1 +designdecoration.info, 1 +designdecorativ.ro, 1 +designdept.com.au, 1 +designdirective.ca, 1 +designengineering.com, 1 +designer-drug.com, 1 +designerjoe.gq, 1 +designerrateest.ga, 1 +designeus.ga, 1 +designeus.gq, 1 +designeus.tk, 1 +designforchangetaiwan.org, 1 +designformanufacturability.net, 1 +designgraphic.fr, 1 +designgurus.org, 0 +designhill.com, 1 +designhoheit.de, 1 +designhuddle.com, 1 +designmodernideas.tk, 1 +designnprint.nl, 1 +designpro.tk, 1 +designrhome.com, 1 +designsbyjanith.com, 1 +designsbyscott.ca, 1 +designsite.tk, 1 +designsociety.tk, 1 +designstripe.com, 1 +designsystem.gov.scot, 1 +designtagebuch.com, 1 +designtrc.com, 1 +designville.cz, 1 +designville.sk, 1 +desimpelaere.eu, 1 +desinfectantemanos.org, 1 +desinfection-gale.fr, 1 +desinfectionfrance.com, 1 +desingslash.tk, 1 +desinsectisation-punaise-de-lit.com, 1 +desinsectisation.ma, 1 +desinsectisation.paris, 1 +desiplex.tk, 1 +desire-host.tk, 1 +desirememory.cf, 1 +desirenet.ro, 1 +desish.cf, 1 +desitorrents.tv, 1 +desiunderground.com, 1 +desivideos.tk, 1 +desize.com, 1 +deskaservices.com, 1 +deskdesign.nl, 1 +deskeen.fr, 1 +desktopcentral.ath.cx, 1 +desktopd.eu.org, 0 +desktopfibra.com, 1 +desktopfx.net, 0 +desktopia.tk, 1 +desktopsolos.tk, 1 +deskture.com, 1 +deskvip.com, 1 +desmo.gg, 1 +desmon.blog, 1 +desmu.fr, 1 +desna.tk, 1 +desonnemannen.tk, 1 +desormiers.com, 1 +despachomariscal.com, 1 +desperate.solutions, 1 +desperatesailors.com, 1 +despertarparavida.org, 1 +desplainesil.gov, 1 +despoina-vandi.tk, 1 +despondentrock.tk, 1 +despora.de, 1 +desportvriendenoverijse.tk, 1 +despotika.de, 1 +desserteagleselvenar.tk, 1 +dessinemoilademocratie.ch, 0 +dest-gottskar-nidingen.se, 1 +destcyr.com, 1 +destech.nl, 1 +desteniiprocess.com, 1 +desteptarea.com, 1 +desterman.ru, 1 +desterproducts.nl, 1 +desterrada.tk, 1 +destguides.com, 1 +destileria.net.br, 1 +destilteomarmd.be, 1 +destinattorneyjohngreene.com, 1 +destinomistico.com, 1 +destinopiriapolis.com, 0 +destinotecnologico.ml, 1 +destinyofthephoenix.me, 0 +destinypedia.com, 1 +destinytemplates.tk, 1 +destock-poitou.fr, 1 +destom.be, 1 +destreekboer.ml, 1 +destroyed.ga, 1 +destroyed.tk, 1 +destroysilence.cf, 1 +destroysilence.ga, 1 +destroysilence.gq, 1 +destroysilence.ml, 1 +destruction-frelon-asiatique.com, 1 +destructive-revolution.tk, 1 +destructoradepapel.com.es, 1 +destudio.org.ua, 1 +destuurmanskolk.nl, 1 +destyntek.com, 1 +desu.ne.jp, 1 +desuchan.eu, 1 +desuchan.org, 1 +desucla.com, 1 +desvan.tk, 1 +deswaffelaars.tk, 1 +desy.tk, 1 +desyatnichenko.ml, 1 +desygner.com, 1 +desynced.rocks, 1 +det-blev-ingen-cd.se, 1 +det-te.ch, 1 +detailedimage.com, 1 +detailingsp.com, 1 +detakhukum.com, 1 +detalika.ru, 1 +detao.org, 1 +detc.tk, 1 +detceptam.com, 1 +detdom-48.ru, 1 +detdom.tk, 1 +detecte-fuite.ch, 0 +detecte.ch, 0 +detectefuite.ch, 0 +detectify.com, 1 +detectivedesk.com.au, 1 +detectiveedu.org, 1 +detectro.cc, 1 +deteken.be, 1 +detekenmuze.nl, 1 +detektywtd24.pl, 0 +determapp.de, 1 +determinatie.tk, 1 +detfagligehus.dk, 1 +dethemium.com, 1 +deti-online.com, 1 +deti.ga, 1 +detiklife.com, 1 +detiks.cf, 1 +detishki.ga, 1 +detki.cf, 1 +detki24.ru, 0 +detodojuegos.com, 1 +detoxic.vn, 1 +detoxtorehab.com, 1 +detrapdoor.com, 1 +detrazioni.it, 1 +detreannamaria.tk, 1 +detrimental.tk, 1 +detroit-english.de, 1 +detroit.gov, 1 +detroitcrackteam.com, 1 +detroitfastest.org, 1 +detroitlocksmiths.net, 1 +detroitnews.tk, 1 +detroitzoo.org, 1 +detsad.ml, 1 +detsad.tk, 1 +detska-boticka.cz, 1 +detski.center, 1 +detskie-avto-kresla.tk, 1 +detskysad.com, 1 +detuinmuze.nl, 1 +detusmascotas.com, 1 +detweedekans.tk, 1 +detyamobuv.tk, 1 +detyobuv.tk, 1 +detype.nl, 1 +deu.sh, 1 +deuchnord.fr, 1 +deude.de, 1 +deuelcountyne.gov, 1 +deunanube.com, 1 +deurenfabriek.nl, 1 +deuro.net, 1 +deurwaarderhelmond.nl, 1 +deustech-media.tk, 1 +deustech.tk, 1 +deutsche-finanzagentur.de, 1 +deutsche-tageszeitungen.de, 1 +deutschebusiness.com, 0 +deutscheibank.com, 1 +deutscher-bericht.de, 1 +deutscherquidditchbund.de, 1 +deutscheshoponline.com, 0 +deutschland-dsl.de, 1 +deutschlandreport.com, 1 +deux.solutions, 1 +deuxfleurs.fr, 1 +deuxsol.co, 1 +deuxsol.com, 1 +dev, 1 +dev-advancedservicesportal.com, 1 +dev-brandywineglobal.com, 1 +dev-digibtw.nl, 1 +dev-gutools.co.uk, 1 +dev-lab.net.pl, 1 +dev-mail.net, 1 +dev-pmcc.net, 1 +dev-soft.pl, 1 +dev-tek.de, 1 +dev-test.nl, 1 +dev-vip.com, 1 +dev-woenenn-node-server.herokuapp.com, 1 +dev-ylinternal.com, 1 +dev.moe, 1 +dev.tw, 1 +dev.vu, 1 +devafterdark.com, 1 +devagency.fr, 1 +devahi.gq, 1 +devalbert.com, 1 +devalkincentives.nl, 1 +devalps.eu, 1 +devanstavern.tk, 1 +devapi.pro, 1 +devastacion.tk, 1 +devbay.cc, 1 +devcf.com, 1 +devcftc.gov, 1 +devchuli.ml, 1 +devcontainer.com, 1 +devcourseweb.com, 1 +devdeb.com, 1 +devdesco.com, 1 +devdiggers.com, 1 +devdomain.cf, 1 +devdoodle.net, 1 +deve.software, 1 +develify.co, 1 +develmaster.tk, 1 +develooper.com, 1 +develope.cz, 1 +developedbygayuh.my.id, 1 +developer.android.com, 1 +developer.moe, 1 +developer.mydigipass.com, 0 +developerdan.com, 1 +developerinsider.co, 1 +developers.facebook.com, 0 +developmentsites.melbourne, 1 +developnorthportfl.gov, 1 +developpeur-freelance.io, 1 +developpeur-web.tech, 0 +developpeur-web2.com, 1 +develops.co.il, 1 +develoself.ga, 1 +develotica.com, 1 +develoupe.com, 1 +develux.net, 1 +devendradox.ml, 1 +devendrameena.tk, 1 +devenirconseillerbienetre.com, 1 +devensys.com, 1 +devenv.ml, 1 +devet-slunci.cz, 1 +devflop.fr, 1 +devgo.ca, 1 +devh.de, 1 +devh.net, 1 +devhjz.com, 0 +deviant.email, 1 +deviante.com, 1 +devianthardcore.com, 1 +deviation.tk, 1 +devicebattle.ai, 1 +devicenow.com, 1 +devicom.mx, 1 +devignstudios.co.uk, 1 +devil-may-cry.tk, 1 +devil-radio.tk, 1 +devil.wtf, 1 +devilbyte.tk, 1 +devildog.tk, 1 +devillers-occasions.be, 0 +devilmaycry.ga, 1 +devilmaycry.tk, 1 +devilrecords.tk, 1 +devils-co.tk, 1 +devils-point.de, 1 +devilshakerz.com, 1 +devilsophie.net, 1 +devindavid.com, 1 +devinfo.net, 0 +devinite.com, 1 +devinlasarre.com, 1 +devinslick.com, 1 +devirc.net, 1 +devise-host.com, 1 +devisnow.fr, 1 +devkid.net, 1 +devksingh.com, 1 +devlabroid.com, 1 +devlist.tk, 1 +devlogr.com, 1 +devloope.com, 1 +devmanagersest.ga, 1 +devmode.fm, 1 +devnet.ma, 1 +devnet.tk, 1 +devnull.team, 1 +devnull.win, 1 +devnull.zone, 1 +devoc.net, 1 +devochki.ga, 1 +devolution.ws, 1 +devoncycles.co.uk, 1 +devonport.tas.gov.au, 1 +devonportairport.com.au, 1 +devonsawatzky.ca, 1 +devonvintagechina.co.uk, 1 +devoo.tn, 1 +devopedia.org, 1 +devopers.com.br, 1 +devops-playtest.net, 1 +devops.co.za, 1 +devopsish.com, 1 +devos.ml, 1 +devoted-atheist.tk, 1 +devoteschlampe.net, 1 +devotional.tk, 1 +devpage.lv, 1 +devpost.com, 1 +devpp.com.br, 1 +devpsy.info, 1 +devragu.com, 1 +devrekarti.com, 1 +devrekgazetesi.com, 0 +devries.frl, 1 +devries.one, 1 +devrijejansenist.nl, 1 +devrim.io, 1 +devs-from.asia, 1 +devs.men, 1 +devs4.com, 1 +devsectools.com, 1 +devsjournal.com, 1 +devskyport.com, 1 +devslash.net, 1 +devsrvr.ru, 1 +devstarops.com, 1 +devstores.io, 1 +devstroke.io, 1 +devsurveyorcloud.com, 1 +devswag.io, 1 +devtambayan.com, 1 +devtea.cz, 1 +devtechgroup.com, 1 +devtestfan1.gov, 1 +devtoys.ru, 1 +devtty.org, 1 +devuan.org, 0 +devurandom.tk, 1 +devushki.cf, 1 +devvg.co.uk, 1 +devyanijayakar.com, 1 +devz.life, 0 +devzero.io, 0 +dewalch.net, 1 +dewapress.com, 1 +dewberry.com, 0 +dewblog.ml, 1 +dewereldvankina.be, 1 +dewereldwerktthuis.com, 1 +dewereldwerktthuis.eu, 1 +dewereldwerktthuis.net, 1 +dewereldwerktthuis.nl, 1 +dewereldwerktthuis.org, 1 +dewerveling.tk, 1 +deweybeachpolice.gov, 1 +dewijkpraktijk.nl, 1 +dewijnclubonline.nl, 1 +dewingerdfreinet.be, 1 +dewittcountyil.gov, 1 +dewittmi.gov, 1 +dewka.tk, 1 +dewolden.nl, 0 +dexalo.de, 1 +dexauto.fr, 1 +dexcellentesidees.tk, 1 +dexerto.com, 1 +dexerto.es, 1 +dexerto.fr, 1 +dexhost.nl, 1 +dexie.space, 1 +dexign.ro, 1 +dexigner.com, 1 +dexlex.nl, 1 +dexon.ws, 1 +dexonservicedeskws.azurewebsites.net, 1 +dextermarket.com, 1 +dextra.tk, 1 +dextrahedelmallisyysklinikka.fi, 1 +deyute.com, 1 +dezea.net, 1 +dezeregio.nl, 1 +dezet-ev.de, 1 +dezevenster.com, 1 +dezinsekcija.online, 1 +dezshop.com.ua, 1 +dezzoroofing.co.za, 1 +df-clan.tk, 1 +df-team.tk, 1 +df1nif.de, 1 +df1paw.de, 1 +df3313.com, 1 +df3314.com, 1 +df3315.com, 1 +df3316.com, 1 +df3317.com, 1 +df3318.com, 1 +df3319.com, 1 +df5.se, 1 +df5104.com, 1 +df5aa.com, 1 +df5bb.com, 1 +df5cc.com, 1 +df5dd.com, 1 +df63.cc, 0 +dfafacts.gov, 1 +dfagent.com, 0 +dfc.gov, 1 +dfc52.com, 0 +dfctaiwan.org, 1 +dfg.re, 1 +dfilip.click, 1 +dflcares.com, 1 +dfm.ae, 0 +dfmn.berlin, 1 +dfmvf.org, 1 +dfpblog.com, 1 +dfranke.com, 1 +dfspdfl.gov, 1 +dfstoryteller.com, 1 +dfwfasthomebuyers.com, 1 +dfwm.vote, 1 +dfwmv.com, 1 +dfwmv.org, 1 +dfwmv.us, 1 +dfwmv.vote, 1 +dfwork.lt, 1 +dfwrvroofmasters.com, 1 +dfwwp.com, 1 +dfzone.tk, 1 +dg-1.jp, 1 +dg-hyp.ag, 1 +dg-hyp.biz, 1 +dg-hyp.com, 1 +dg-hyp.eu, 1 +dg-hyp.info, 1 +dg-hyp.net, 1 +dg-hyp.org, 1 +dg-komm.com, 1 +dg-pic.tk, 1 +dg1-test.com, 1 +dg1.com, 1 +dg1.services, 1 +dg1298.com, 0 +dg1jp-test.com, 1 +dg68.cc, 0 +dgangsta.net, 1 +dgap.org, 1 +dggb.co.in, 1 +dghyp-immobrief.de, 1 +dghyp-info.de, 1 +dghyp-kiel.de, 1 +dghyp-press.de, 1 +dghyp.ag, 1 +dghyp.at, 1 +dghyp.biz, 1 +dghyp.com.tw, 1 +dghyp.in, 1 +dghyp.info, 1 +dghyp.net.cn, 1 +dgli.org, 1 +dgmedia.tk, 1 +dgmenergy.com, 1 +dgmutual.co.uk, 1 +dgn.de, 1 +dgo.co.il, 1 +dgou.de, 1 +dgpot.com, 1 +dgpro.click, 1 +dgr-wpg.de, 1 +dgries.de, 1 +dgroups.org, 1 +dgschell.com, 1 +dgt-portal.de, 1 +dgtakano.co.jp, 0 +dgtcitaprevia.es, 1 +dgtl.hosting, 1 +dgtl.tools, 1 +dgtl.work, 1 +dgund.com, 1 +dh-leasing.si, 1 +dh.si, 1 +dh26a.com, 0 +dh6729.com, 1 +dh75975.com, 0 +dh9397.com, 1 +dh9721.com, 1 +dha.gov.ae, 1 +dhakabankltd.com, 1 +dhamdhamaanchalikcollege.tk, 1 +dhammacitta.org, 1 +dhanushtechno.in, 1 +dharma-clinic.com, 1 +dharveydev.com, 1 +dhautefeuille.eu, 1 +dhauwer.nl, 1 +dhavalvira.com, 1 +dhaynes.xyz, 1 +dhconcept.ch, 0 +dhde.de, 1 +dhdmdkd.com, 1 +dheart.net, 1 +dhelixnet.de, 1 +dhemant.de, 1 +dhhs.gov, 1 +dhirendrayadav.com, 1 +dhit.pl, 1 +dhl-smart.ch, 1 +dhlcotizadorexpo-qa.azurewebsites.net, 1 +dhlinux.org, 1 +dhlkh.com, 1 +dhlparcel.nl, 1 +dhome.at, 1 +dhrupad.tk, 1 +dhruv.nz, 1 +dhtr.pw, 1 +dhuboeuf.be, 1 +dhurbabaral.com.np, 1 +dhuy.net, 1 +dhwx.de, 1 +dhxxls.com, 1 +di-basketballscouting.com, 1 +di2pra.com, 0 +di2pra.fr, 0 +dia-de.com, 1 +dia.com.br, 1 +diaakademi.com, 1 +diabetessucks.net, 1 +diableros.tk, 1 +diables-noirs.tk, 1 +diablescastell.tk, 1 +diabline.tk, 1 +diablocarpet.com, 1 +diablos-obon.tk, 1 +diabolic.chat, 1 +diabolique.pt, 1 +diacritical.net, 1 +diadiemdangsong.com, 1 +diadorafitness.es, 1 +diadorafitness.it, 1 +diagilev.ml, 1 +diagno.cl, 1 +diagnocentro.cl, 1 +diagnoseo.com, 1 +diagnoseo.se, 1 +diagnosingfiction.com, 1 +diagnost-auto.com, 1 +diagnostics.stream, 1 +diagnostix.org, 1 +diai.cf, 1 +diai.gq, 1 +diai.ml, 1 +diai.tk, 1 +diaiai.com, 1 +diakonie-michaelshoven.de, 1 +dial.directory, 1 +dialadigger.net.au, 1 +dialectic-og.com, 1 +dialoegue.com, 1 +dialog.co, 1 +dialogue.co, 1 +dialoguecorp.com, 1 +dialoguecorp.eu, 1 +dialradio24.tk, 1 +dialybiendong.tk, 1 +diamant.family, 1 +diamant.nyc, 1 +diamante.ro, 1 +diamantiques.com, 1 +diamantovaburza.cz, 1 +diamgroup.pl, 1 +diamond-cutting.kiev.ua, 1 +diamond-hairstyle.dk, 1 +diamondblueair.com, 1 +diamondbluffwi.gov, 1 +diamondcargotrailers.org, 1 +diamondforms.net, 1 +diamondgoldmarkcity.cf, 1 +diamondgrid.ga, 1 +diamondiscaudio.com, 1 +diamondit.com.au, 1 +diamondsystem.ro, 1 +diamondyacca.co.uk, 1 +diamorphine.com, 1 +diamwall.com, 1 +dian7la.space, 1 +diana-und-aaron.de, 1 +dianaconsultancy.com, 1 +dianaconta.pt, 1 +dianadeluxe.net, 1 +dianadrive.com, 0 +dianafaraj.de, 0 +dianakaarina.tk, 1 +diananeves.pt, 0 +dianaqueeny.tk, 1 +dianas.sk, 1 +dianaundaaron.de, 1 +dianavanderplas.tk, 1 +dianchoi.vn, 1 +diane-marstboom.tk, 1 +dianefriedli.ch, 0 +diankou.cn, 1 +diankou.com, 1 +diankou.com.cn, 1 +diankpi.com, 1 +diankpi.ws, 1 +dianoxofficiel.tk, 1 +dianshangyi.net, 1 +dianshuju.com, 1 +diansung.com, 1 +diaoyu8.com, 1 +diapazon.kz, 1 +diapuls.ru, 1 +diare-na-miru.cz, 1 +diario-egipto.com, 1 +diariocibao.com, 1 +diariodearaxa.com.br, 1 +diariodebalsas.com.br, 1 +diariodicucina.it, 1 +diarionet.tk, 1 +diarionoticia.pe, 1 +diariopergaminoaustral.tk, 1 +diariosurnoticias.com, 1 +diaroma.it, 1 +diaryspace.tk, 1 +diasdasemana.com, 1 +diasporan.cf, 1 +diasporan.ga, 1 +diasporan.gq, 1 +diasporan.ml, 1 +diaspordc.com, 1 +diatechusa.com, 1 +diatr.us, 1 +diatrofi-ygeia.gr, 1 +diaweb.nl, 1 +diazpubli.tk, 1 +diba.org.cn, 1 +dibacode.com, 1 +dibal.ua, 1 +dibiphp.com, 1 +dibo-ambasador.pl, 1 +dic.ae, 1 +dicaprio.tk, 1 +dicasgostosas.com, 1 +diccionarioabierto.com, 1 +diccionariodedudas.com, 1 +diccionariomexico.com, 1 +diccionarioperu.com, 1 +diccionarqui.com, 1 +dice.ml, 1 +dice.tokyo, 1 +dicelab-rhul.org, 1 +dicelab.co.uk, 1 +dicemer.com, 1 +dicesites.com, 1 +dicgaming.net, 1 +dichvuchuyentien247.com, 1 +dichvudangkygiayphep.com, 1 +dicio.com.br, 1 +dicionario.org, 1 +dicionariodegirias.com.br, 1 +dicionariodelatim.com.br, 1 +dicionariodenomesproprios.com.br, 1 +dicionariodesimbolos.com.br, 1 +dicionarioetimologico.com.br, 1 +dicionariofinanceiro.com, 1 +dicionariopopular.com, 1 +dicionarios.cc, 1 +dicipa.com.mx, 1 +dick.red, 1 +dickord.cloud, 1 +dickp.it, 1 +dickpics.ru, 1 +dicksakowicz.com, 1 +diclofenac-75mg.ga, 1 +diclofenacgel.cf, 1 +diclofenacgel.ml, 1 +diclofenacgel1.tk, 1 +diclofenaconline.gq, 1 +diclofenactopical.ga, 1 +diclofenactopical.tk, 1 +dico-charentais.tk, 1 +dicoado.org, 1 +dicoeste.com, 1 +dicomed.tk, 1 +dicomsoftware.com, 1 +diconium.biz, 1 +diconium.com, 0 +diconium.de, 1 +diconium.jobs, 1 +diconium.org, 1 +diconium.pt, 1 +diconium.wtf, 1 +diconium42.com, 1 +diconium42.de, 1 +dictators-encyclopedia.tk, 1 +dictatronics.com, 1 +dictatube.com, 1 +dictionarybook.org, 1 +dictionaryofsydney.org, 1 +dictionarypro.net, 1 +dictum-gardentools.com, 1 +dictum-gartenwerkzeug.de, 1 +dictzone.com, 1 +dida.xin, 1 +didactic.ml, 1 +didaktik4you.de, 1 +didc.cz, 1 +didche.net, 0 +diddens.de, 1 +diddlworld.tk, 1 +dideeducacion.com, 1 +didefamilia.com, 1 +didelikarpiai.lt, 1 +didesalud.com, 1 +didi-online.tk, 1 +dididiamond.net, 1 +didier-equipereussite.com, 1 +didierfle-decibel.fr, 1 +didierfle-latelier.fr, 1 +didierfle.com, 1 +didierghez.com, 0 +didierlaumen.be, 1 +didigotoffer.com, 1 +didiwinata.com, 1 +didiwinata.my.id, 1 +didonshop.tn, 1 +didtrumpopengovernmentyet.com, 1 +didtweb.com, 1 +die-bergfuehrer.de, 1 +die-besten-weisheiten.de, 1 +die-borts.ch, 1 +die-cms-manufaktur.de, 1 +die-gruenen-teufel.de, 1 +die-herrenschneider.com, 1 +die-machons.de, 1 +die-partei-reutlingen.de, 1 +die-pizzabaeckerei.de, 1 +die-seide.de, 1 +die-seiler.de, 1 +die-sinlosen.de, 1 +die-speisekammer-reutlingen.de, 1 +die-sputniks.de, 1 +die.de, 1 +die.one, 1 +diebasis-partei.de, 1 +diebesban.de, 1 +diecieventi.com, 1 +diecke.nu, 1 +diecourier.co.za, 1 +diedenhofen.tk, 1 +diedesigntante.de, 1 +diedrich.co, 1 +dieecpd.org, 1 +dieetfabels.tk, 1 +dieffe.tech, 1 +diefotogruppe.de, 1 +dieg.info, 1 +diegelernten.de, 1 +diegentlemenbittenzurkasse.tk, 1 +diegerbers.de, 1 +diegobarrosmaia.com.br, 1 +diegocastagna.com, 1 +diegodelaprada.com, 1 +diegoforlan.tk, 1 +diegogelin.com, 0 +diegogranada.tk, 1 +diegoisla.ga, 1 +diegomeza.tk, 1 +diegosalgado.tk, 1 +diegott.ddns.net, 1 +diegovasconcelos.com.br, 1 +diegovisual.tk, 1 +diehildebrands.de, 1 +diehumanisten.de, 1 +diekleinekartenfabrik.de, 1 +diekperaiwseis.gr, 1 +dielinke-igb.de, 1 +diem25.org, 1 +diemattels.at, 1 +diemperu.com, 1 +dienaturbinderei.at, 1 +dienchaninstitute.com, 1 +diengiolachoa.com, 1 +dienkenijboer.nl, 1 +dienmattroichonthanh.com, 1 +dienna.nl, 1 +diennhienshop.com, 1 +diennobi.com, 1 +dienstplan.cc, 1 +dierabenmutti.de, 1 +dieradvies.nl, 1 +dierenartsdeconinck.be, 1 +dierenpagina.tk, 1 +dierenrijk.nl, 1 +dierenschilderijen.tk, 1 +dierenwiki.nl, 1 +diesdasananas.spdns.de, 1 +dieselanimals.lt, 1 +dieselfiltersonline.com, 1 +dieselndust.com, 1 +dieselor.bg, 1 +dieselor.com, 1 +diesicheremail.de, 1 +dieslowhtx.com, 1 +diesse.nl, 0 +diet-hack.bg, 1 +dieta-figura.tk, 1 +dieta-vita.com, 1 +dietandexercises.tk, 1 +dietaryguidelines.gov, 1 +dietbrand.eu, 1 +dieter.one, 1 +dieterglas.de, 1 +dietfordiabetics.tk, 1 +dietherapie.tirol, 1 +diethood.com, 1 +dieti-natura.com, 1 +dieti.ga, 1 +dieti.gq, 1 +dieti.net, 1 +dietitianmeetsmom.com, 1 +dietitiansidehustle.com, 1 +dietlein.tech, 1 +dietlist.ga, 1 +dietmoikiensinh.tk, 1 +dietolog.gq, 1 +dietpi.com, 1 +dietrich-bonhoeffer.net, 1 +dietrich.cx, 1 +dieumfrage.com, 1 +dievozodis.lt, 1 +dievturi.lv, 1 +difc.ae, 0 +diferenca.com, 1 +diferenciador.com, 1 +differentgirleveryday.ml, 1 +differenziare.it, 1 +differt.be, 1 +difficulty.ga, 1 +diffnow.com, 1 +diflora.it, 1 +diflucangeneric.ml, 1 +diflucanonline.tk, 1 +diflucanpill.ga, 1 +difon.tk, 1 +difusionesnocomerciales.tk, 1 +difusionmetalera.tk, 1 +difuzevox.com, 0 +dig.cat, 1 +digaloahidigital.com, 1 +digar.ee, 1 +digbin.com.br, 1 +digchip.com, 1 +digchip.info, 1 +digchip.net, 1 +digchip.org, 1 +digchips.com, 1 +digdata.de, 1 +diggerlandusa.com, 1 +digginsmo.gov, 1 +dighans.com, 1 +digi-typ.fi, 1 +digi-typa.fi, 1 +digiaika.com, 1 +digiaika.fi, 1 +digiarc.net, 1 +digibean.com.au, 0 +digibild.ch, 1 +digiboxx.com, 1 +digibtw.nl, 1 +digibull.email, 1 +digibull.gmbh, 1 +digibull.link, 1 +digicamchart.com, 1 +digicelidgy.com, 1 +digicert-support.com, 1 +digicert.com.ru, 1 +digicert.nl, 0 +digichefs.com, 1 +digicode.hu, 1 +digicomtel.com.br, 1 +digicy.cloud, 1 +digidaigaku.com, 1 +digidroom.be, 1 +digifloat.io, 1 +digijoy.com, 1 +digilabs.fr, 1 +digiland.tk, 1 +digilicious.com, 1 +digilirapay.com, 1 +digilock.com, 1 +digimaat.agency, 1 +digimagical.com, 1 +digimedia.cd, 0 +digimen.cn, 1 +digimen.icu, 1 +digimen.love, 1 +digimen.store, 1 +digimen.top, 1 +digimen.xyz, 1 +digimind-evolution.com, 1 +digimobee.info, 1 +digimoncard.io, 1 +digimortals.nl, 1 +digino.jp, 1 +digino.us, 1 +digino.xyz, 1 +digiparse.com, 1 +digipartindex.ch, 1 +digipeak.org, 1 +digipitch.com, 1 +digipolis.gent, 1 +digipost.no, 1 +digirechnung.de, 1 +digirence.org, 1 +digiriik.ee, 1 +digiscrap.nl, 1 +digiscrap.plus, 0 +digiscrap.shop, 1 +digisecmalta.com, 1 +digisfil.fr, 1 +digisign.tk, 1 +digit.ec, 1 +digitaal-atelier.tk, 1 +digitaaltalent.be, 1 +digitador.tk, 1 +digitai.net, 1 +digital-agency360.com, 1 +digital-compounds.com, 1 +digital-cs.tk, 1 +digital-e-library.tk, 1 +digital-eastside.de, 1 +digital-echo.io, 1 +digital-garden.us, 1 +digital-home.tk, 1 +digital-insurance-engine.com, 1 +digital-insurance-engine.de, 1 +digital-insurance-platform.com, 1 +digital-insurance-platform.de, 1 +digital-insure.fr, 1 +digital-liberal.ch, 1 +digital-mu.tk, 1 +digital-park.de, 1 +digital-rainbow-dolls.tk, 1 +digital-sculpture.org, 1 +digital-sky.it, 1 +digital-vorwaerts.de, 1 +digital-watchdog.com, 1 +digital.democrat, 1 +digital.gov, 1 +digital.govt.nz, 1 +digital1st.co.uk, 1 +digital4starazagora.com, 1 +digitaladl.com.au, 1 +digitalagencynetwork.com, 1 +digitalakatsuki.com, 1 +digitalalektioner.se, 1 +digitalallies.co.uk, 1 +digitalandsocialmediaacademy.com, 1 +digitalarchitecture.com, 1 +digitalbang.gr, 1 +digitalbd.tk, 1 +digitalbeachbrasil.com.br, 1 +digitalbitbox.com, 1 +digitalblood.eu, 1 +digitalbox.jp, 0 +digitalbuero.eu, 1 +digitalcanvas.com.br, 0 +digitalcarbide.com, 1 +digitalcash.cf, 1 +digitalcashpalace.com, 1 +digitalch.ng, 1 +digitalchurch.ng, 1 +digitalcitizen.life, 1 +digitalcoffeepodcast.com, 1 +digitalcomponents.de, 1 +digitalconcrete.co.uk, 1 +digitalcourage.de, 1 +digitalcraftmarketing.co.uk, 1 +digitalcrisis.com, 1 +digitalcrisis.us, 1 +digitaldashboard.gov, 1 +digitaldeli.com, 1 +digitaldeli.org, 1 +digitaldeli.tv, 1 +digitaldeli.us, 1 +digitaldeliarchive.com, 1 +digitaldem.it, 1 +digitaldesign.ga, 1 +digitaldisaster.tk, 1 +digitaldoor.com.au, 1 +digitaldruck.info, 1 +digitale-afvalscheiding.nl, 1 +digitale-ausleihe.de, 1 +digitale-bibliothek.tk, 1 +digitale-oekonomie.ch, 1 +digitaleducationarea.tk, 1 +digitaleducationpro.tk, 1 +digitalehandtekeningen.nl, 1 +digitaleplus.fr, 1 +digitalerror.net, 1 +digitaletanker.com, 1 +digitaletelevisie.tk, 1 +digitalewelten.de, 1 +digitalexpertsdirectory.com.au, 1 +digitalezukunft-hagen.de, 1 +digitalezukunft.nrw, 1 +digitalfoodbook.com, 1 +digitalforensicsdubai.com, 1 +digitalfortress.tech, 1 +digitalfoster.org, 1 +digitalfury.co.uk, 1 +digitalgeckos.com, 1 +digitalgeek.social, 1 +digitalgenius.com, 0 +digitalgov.gov, 1 +digitalgyan.org, 1 +digitalgymnastics.tk, 1 +digitalhabitat.io, 1 +digitalhack.ro, 1 +digitalhands.tk, 1 +digitalhealth.gov.au, 1 +digitalheart.tk, 1 +digitalhurricane.io, 0 +digitaliandm.com, 1 +digitalid-sandbox.com, 1 +digitalid.com, 1 +digitalid.com.au, 1 +digitalillusion.pt, 1 +digitalimpactlab.org, 1 +digitalindiatalent.com, 1 +digitalis.fr, 1 +digitalistan.tk, 1 +digitalizer.my.id, 1 +digitalizzazioneverona.it, 0 +digitalkashmir.ml, 1 +digitalkey.pro, 1 +digitalkoran.com, 1 +digitalks.com.br, 1 +digitallife.tk, 1 +digitallink.be, 1 +digitalliteracy.gov, 1 +digitallolitayume.tk, 1 +digitalmahleracademy.com, 1 +digitalmanager.guru, 1 +digitalmaniac.co.uk, 1 +digitalmarketingindallas.com, 1 +digitalmarketingnetic.com, 1 +digitalmind.su, 1 +digitalmove.co.uk, 1 +digitalninja.tk, 1 +digitalnomadsunderground.com, 1 +digitalphone.tk, 1 +digitalphoto.group, 1 +digitalphoto.tech, 1 +digitalpilipinas.ph, 1 +digitalpiloten.org, 1 +digitalplayground.com, 1 +digitalplaygroundnetwork.com, 1 +digitalplaymakers.co.uk, 1 +digitalpocketpedometer.tk, 1 +digitalposition.com, 1 +digitalproduct.ga, 1 +digitalproductivity.online, 1 +digitalprojects.com.au, 1 +digitalradio.ie, 1 +digitalrealitybbs.com, 1 +digitalreborn.com, 1 +digitalredshirts.com, 0 +digitalrhino.eu, 1 +digitalrights.center, 1 +digitalroma.tk, 1 +digitalsearchgroup.ie, 1 +digitalsearchlab.com, 1 +digitalservices.lk, 1 +digitalside.com.br, 1 +digitalsignagedisplay.com, 1 +digitalskillswap.com, 1 +digitalsolutionsonline.co.uk, 1 +digitalsphere.tk, 1 +digitalsuply.com.br, 1 +digitalsupporter.ml, 1 +digitalsurge.io, 1 +digitaltbyra.no, 1 +digitaltcertifikat.dk, 1 +digitaltech.vip, 1 +digitaltechupdates.com, 1 +digitaltechviews.com, 1 +digitaltry.tk, 1 +digitalupcoming.tk, 1 +digitalutilities.net, 1 +digitalvag.tk, 1 +digitalwasteland.net, 1 +digitalworkplaceforum.com.br, 1 +digitalzenworks.com, 1 +digitalzylinder-shop.com, 1 +digite.com, 1 +digitec.ch, 1 +digitecgalaxus.ch, 1 +digitechseo.com, 1 +digitecno.com, 1 +digitese.pt, 1 +digithub.tk, 1 +digitise.io, 0 +digitium.fr, 1 +digitizer.co.il, 1 +digitkon.com, 1 +digitogy.com, 1 +digitoimistopipeline.fi, 1 +digitoucan.com, 1 +digitra.com, 1 +digitreads.com, 1 +digityp.fi, 1 +digitypa.fi, 1 +digivan.ml, 1 +digminecraft.com, 1 +dignilog.com, 1 +dignited.com, 1 +dignity.tk, 1 +digpubdev.org, 1 +digpubprd.org, 1 +digpubqa.org, 1 +digsys.bg, 1 +digwiz.biz, 0 +digwp.com, 1 +dih-technology.com, 1 +dih-technology.info, 1 +dih-technology.net, 1 +dih-technology.org, 1 +dih.email, 1 +dihinternational.com, 1 +dihinternational.info, 1 +dihinternational.net, 1 +dihinternational.org, 1 +dihmedical.info, 1 +dihmedical.net, 1 +dihmedical.org, 1 +dihydrotestosteron.pl, 1 +diipoo.com, 1 +diirekt.de, 1 +diis.plus, 1 +dijispin.com, 1 +dijitaller.com, 1 +dijitalsaray.com, 1 +dijitalzade.com, 1 +dijks.com, 1 +dijks.nl, 1 +dijoncter.info, 1 +dik-manusch.tk, 1 +dikerastore.com, 1 +dikkevettescania.tk, 1 +diktatur.tk, 1 +dilation.party, 1 +dild.loan, 1 +dildoexperten.se, 1 +dilfed.com, 1 +dilibel.be, 1 +diligence.cloud, 1 +diligo.ch, 0 +dillewijnzwapak.nl, 1 +dillon-mcnamara.com, 1 +dillonco.gov, 1 +dillonm.io, 1 +dillynbarber.com, 0 +dilmahtea.com, 1 +dilmahtea.me, 1 +dilmarames.com, 1 +dima.pm, 0 +dimagrimentoincorso.it, 1 +dimamergel.com, 1 +dimanss47.net, 1 +dimaweb.tk, 1 +dimdata.com, 1 +dime-staging.com, 1 +dimension-pc.com, 1 +dimensiondigital.net, 1 +dimensionjapon.tk, 1 +dimensions-ohs.com, 1 +dimensionweb.tk, 1 +dimeponline.com.br, 1 +dimesanmedical.com, 1 +dimeven.tk, 1 +dimez.ru, 1 +dimiro.co.tz, 1 +dimiskovska.de, 1 +dimism.eu, 1 +dimitri-davies.com, 1 +dimitri-papadimitriou.com, 1 +dimitri-papadimitriou.eu, 1 +dimitri-papadimitriou.gr, 1 +dimitris.tk, 1 +dimitrovi.tk, 1 +dimmak.com, 0 +dimmersagourahills.com, 1 +dimmerscalabasas.com, 1 +dimmersdosvientos.com, 1 +dimmershiddenhills.com, 1 +dimmerslakesherwood.com, 1 +dimmersnewburypark.com, 1 +dimmersoakpark.com, 1 +dimmersthousandoaks.com, 1 +dimmerswestlakevillage.com, 1 +dimo-analytics.fr, 1 +dimo-crm.fr, 1 +dimo-dematerialisation.com, 1 +dimo-tresorerie.fr, 1 +dimomaint.com, 1 +dimomaint.de, 1 +dimomaint.es, 1 +dimonz.com, 1 +dimosoftware.fr, 1 +dimseklubben.dk, 1 +dimspith.com, 1 +dinamikarosta.ml, 1 +dinamofilms.cl, 1 +dinarys.com, 1 +dincemlakmerkez.ga, 1 +dind.one, 1 +dinda.tk, 1 +dindarkocer.tk, 1 +dindludovic.design, 0 +dineniagara.ca, 1 +dinepont.fr, 1 +dinerolibre.tk, 1 +dinerroboticurology.com, 1 +diners.mk, 1 +dinevigroup.bg, 1 +ding.com.co, 1 +ding.gent, 1 +dingcc.com, 1 +dingcc.me, 1 +dingdong-shop.ru, 1 +dingelbob-schuhcreme.gq, 1 +dingeldein-messtechnik.de, 1 +dinghuo.com, 1 +dinglecottage.co.uk, 1 +dinglishuzi.com, 1 +dingos.tk, 1 +dingsbums.shop, 1 +dingss.com, 1 +dinheirolucrar.com, 1 +dinimizislam.tk, 1 +dinira-bg.com, 1 +dinitabir.tk, 1 +dinkoreskolesilkeborg.dk, 0 +dinkoreskoleviborg.dk, 1 +dinmtb.dk, 1 +dinnerandmurder.com, 1 +dinnerclub.tk, 1 +dinocarrozzeria.com, 1 +dinos-mag.tk, 1 +dinotv.at, 1 +dintrafic.net, 1 +diodo.me, 1 +dioesfoto.com, 1 +diogbatech.tk, 1 +diogenenettoyage.com, 1 +diogeneshoy.com, 1 +diogof.pt, 1 +diogofmedeiros.com, 1 +dionera.com, 1 +dionmirrors.nl, 1 +dionysos-ios.gr, 1 +dioris.net, 1 +dios.ga, 1 +diospersonal.tk, 1 +diouf.tk, 1 +dioxido.com.ar, 1 +diozoid.com, 1 +dip.digital, 1 +dipakgajjar.com, 1 +dipalma.me, 1 +dipanshuparashar.ml, 1 +dipietro.id.au, 1 +dipling.de, 1 +diplom-ru.tk, 1 +diplomatcruises.co.uk, 1 +diplomatiegabon.ga, 1 +dipnot.tv, 1 +dipro.id, 1 +dipsytroller.com, 1 +dipuma.com, 1 +dir2epub.com, 1 +dir2epub.org, 1 +dirch.tk, 1 +dirdet.co.uk, 1 +dirdur.cf, 1 +direc-tory.tk, 1 +direct-aesthetics.com, 1 +direct-sel.com, 1 +direct.cz, 0 +direct2trade.co.nz, 1 +direct365.es, 1 +directadmin.com, 1 +directairlineflights.com, 1 +directb2b.ca, 1 +directcouriers.com.au, 1 +directelectricalltd.co.uk, 1 +directfinance.cz, 1 +directfitnesssolutions.com, 1 +directholidaysuae.com, 1 +directhomeremodelinginc.com, 1 +directinspectionskc.com, 1 +directions.ee, 1 +directlendingsolutions.com, 1 +directlook.tk, 1 +directly.ga, 1 +directmailctr.com, 1 +directmedica.fr, 1 +directnews.be, 1 +directnic.com, 1 +directories.cf, 1 +directoriodemedios.com, 1 +directorioempresarial.com.co, 1 +directoriomedico.com.co, 1 +directorios.tk, 1 +directorioweb.co, 1 +directorwebseo.tk, 1 +directory-aldo.tk, 1 +directory-ecco.tk, 1 +directory-sunglasses.tk, 1 +directorydashboard.ga, 1 +directorydisc.cf, 1 +directorydisc.ga, 1 +directoryworld.tk, 1 +directpaydayloansonline.ga, 1 +directright.ca, 1 +directright.com, 1 +directright.net, 1 +directrightcartage.com, 1 +directstreet.tk, 1 +directtwo.solutions, 1 +directtwosolutions.org, 0 +directvacations.com, 1 +directverify.in, 1 +directview.ddns.net, 1 +direitonovo.com, 0 +direitoproacademy.com.br, 1 +direj.tk, 1 +direktundonline.de, 1 +direktvermarktung-schmitzberger.at, 1 +diretonoponto.gq, 1 +direwolfsoftware.ca, 1 +dirhami.com, 1 +dirk-dogs.tk, 1 +dirk-weise.de, 1 +dirkdavid.org, 1 +dirki.tk, 1 +dirkjonker.nl, 1 +dirkkok.nl, 1 +dirkmurschall.de, 1 +dirko.net, 0 +dirkwolf.de, 0 +dirot7.co.il, 1 +dirt-street.tk, 1 +dirtcraft.ca, 1 +dirtinmyshoes.com, 1 +dirty-tina.net, 1 +dirtyboyreviews.com, 1 +dirtycat.ru, 1 +dirtycode.tk, 1 +dirtycosplay.com, 1 +dirtygeek.ovh, 1 +dirtygirl.ml, 1 +dirtyherri.de, 1 +dirtymusic.tk, 1 +dirtyporno.tk, 1 +dirtypretties.cf, 1 +dirtypretties.ga, 1 +dirtypretties.gq, 1 +dirtypretties.ml, 1 +dirtyprettyartwear.com, 1 +dirtypriscilla.com, 1 +dirtyscout.com, 1 +dirtysindy.com, 1 +dirtytiles.xyz, 1 +dirtywoman.tk, 1 +dirtywork.net, 1 +dirunreddy.tk, 1 +disability-card.com, 1 +disability.gov, 1 +disabilitydischarge.com, 1 +disabilityscoop.com, 1 +disabled-world.com, 1 +disabled.gay, 1 +disableipv4.se, 1 +disabuse.cf, 1 +disadattamentolavorativo.it, 1 +disain.tk, 1 +disassemble.website, 1 +disasterrific.tk, 1 +disastertalkest.ga, 1 +disavowfile.com, 1 +disboard.org, 1 +disbug.io, 1 +disc.uz, 1 +discarica.bari.it, 1 +discarica.bologna.it, 1 +discarica.firenze.it, 1 +discarica.it, 1 +discarica.milano.it, 1 +discarica.napoli.it, 1 +discarica.roma.it, 1 +discarsl.com, 1 +discdash.ga, 1 +discdash.tk, 1 +discgolf.com, 1 +disch.com.de, 1 +disciples.io, 1 +disciplescloud.com, 1 +disciplesmakingdisciples.ca, 1 +disco-crazy-world.de, 1 +discodoener.de, 1 +discofitta.com, 1 +discohook.org, 1 +disconformity.net, 1 +disconnect.tk, 1 +disconter.tk, 1 +discord-chan.net, 1 +discord.com, 1 +discord.do, 1 +discord.gg, 1 +discord.gift, 1 +discord.me, 1 +discord4j.com, 1 +discordapp.com, 1 +discordapp.gay, 1 +discordbee.com, 1 +discordextremelist.xyz, 1 +discordghost.space, 1 +discordhome.com, 1 +discordjs-japan.org, 1 +discordservers.com, 1 +discordsworld.tk, 1 +discotek.club, 1 +discotheque.tk, 1 +discount-course.com, 1 +discountdimmers.com, 1 +discountforelectronics.tk, 1 +discountisolatie.nl, 1 +discounto.de, 1 +discountoffice.be, 1 +discountoffice.nl, 1 +discountpark.fr, 1 +discountpowertx.com, 1 +discountravel.tk, 1 +discover-mercure.com, 1 +discover-shaken.com, 1 +discoverapp.com, 1 +discoveraustralia.tk, 1 +discoverbrampton.co.uk, 1 +discoverchinanow.cf, 1 +discoverchinanow.ga, 1 +discoverchinanow.gq, 1 +discoverchinanow.ml, 1 +discoverfloridasprings.com, 1 +discoverglo.com, 1 +discovergy.com, 1 +discoverhealthage.com, 0 +discoveringdocker.com, 1 +discoverkeesler.com, 1 +discoverkeesler.marketing, 1 +discoverlutruwita.com, 1 +discovermodus.com, 1 +discovernavajo.com, 1 +discoverradiance.com, 1 +discoverthetech.com, 1 +discoverthreejs.com, 1 +discoverucg.co.uk, 1 +discoveryaima.com, 1 +discoveryballoon.org, 1 +discoverybehavioralhealth.com, 1 +discoveryottawa.ca, 1 +discrede.tk, 1 +discrypt.ca, 1 +discshop.co.nz, 1 +disctranulis.gq, 1 +discus-communications.dk, 1 +discuss-data.net, 1 +discuzturkiye.tk, 1 +disengaged.tk, 1 +disenialia.com, 1 +disenian.com, 1 +disenosyestructurasdelbajio.com.mx, 1 +disenowebakus.net, 1 +disenowebgalicia.tk, 1 +disenowebseoolmisur.com, 1 +disepho.cl, 1 +diseworth.uk, 1 +disfigured.tk, 1 +disgruntledcode.com, 1 +disguise.cf, 1 +dishcrawl.com, 0 +dishwashermagic.tk, 1 +dishwasherrepair-austin.com, 1 +disidencia.tk, 1 +disinclined.org, 1 +disinfectingassociation.com, 1 +disinfectingassociation.org, 1 +disinfectingdoctor.com, 1 +disinfectingdoctors.com, 1 +disinfectiondoctor.com, 1 +disinfectiondoctors.com, 1 +disinfesta.it, 1 +disinfestando.info, 1 +disinfestare.it, 1 +disinfestatore.roma.it, 1 +disinfestatori.com, 1 +disinfestazione-roma.org, 1 +disinfestazione.brescia.it, 1 +disinfestazione.napoli.it, 1 +disinfestazione.roma.it, 1 +disinfestazione.torino.it, 1 +disinfestazione.venezia.it, 1 +disinfestazione.verona.it, 1 +disinfestazione24.it, 1 +disinfestazioneblatte.it, 1 +disinfestazionecimici.napoli.it, 1 +disinfestazionecimici.roma.it, 1 +disinfestazionemilano.it, 1 +disinfestazionezanzare.it, 1 +disinfestazioni-sardegna.org, 1 +disinfestazioni-umbria.it, 1 +disinfestazioni.bari.it, 1 +disinfestazioni.bergamo.it, 1 +disinfestazioni.cagliari.it, 1 +disinfestazioni.caserta.it, 1 +disinfestazioni.catania.it, 1 +disinfestazioni.co, 1 +disinfestazioni.firenze.it, 1 +disinfestazioni.genova.it, 1 +disinfestazioni.gorizia.it, 1 +disinfestazioni.info, 1 +disinfestazioni.it, 1 +disinfestazioni.milano.it, 1 +disinfestazioni.modena.it, 1 +disinfestazioni.napoli.it, 1 +disinfestazioni.net, 1 +disinfestazioni.padova.it, 1 +disinfestazioni.rimini.it, 1 +disinfestazioni.roma.it, 1 +disinfestazioni.torino.it, 1 +disinfestazioni.treviso.it, 1 +disinfestazioni.udine.it, 1 +disinfestazioni.venezia.it, 1 +disinfestazioni.verona.it, 1 +disinfestazioni.viterbo.it, 1 +disinfestazioni24.it, 1 +disinfestazionivespe.milano.it, 1 +disinfestazionizanzare.milano.it, 1 +disinfestazionizanzare.roma.it, 1 +disinisharing.com, 1 +disisto-schiesser.com, 1 +disisto.de, 1 +disisto.nl, 1 +diskbit.com, 1 +diskbit.nl, 1 +diskdoctors.tk, 1 +disketa.cf, 1 +disketteetikette.tk, 1 +diskgem.info, 1 +disking.co.uk, 1 +diskonsepatu.ga, 1 +diskotekflashback.dk, 0 +diskusi.cf, 1 +diskusi.tk, 1 +diskussionsbereich.de, 1 +dislepsia.tk, 1 +dismail.de, 1 +dismed.fr, 1 +disney-stitch.com, 1 +disneywallpapers.tk, 1 +disobey.net, 1 +disoluto.tk, 1 +disostruzioni.it, 1 +disougstroy.com.ua, 1 +disparada.com.br, 1 +dispatched.tk, 1 +dispel-photo.com, 1 +dispensarygta.com, 1 +displayrd.com, 1 +displaysandholders.com, 1 +disposable.link, 1 +dispur.nic.in, 1 +disroot.org, 1 +disrupters.ch, 0 +disruptglobal.com, 1 +disruption.tk, 1 +dissensionclub.net, 1 +dissertation-editor.com, 1 +dissertationhelp.com, 1 +dissidence.ovh, 1 +dissident.host, 1 +dissieux.com, 1 +dissolution-sci.com, 1 +dist-it.com, 1 +dist.torproject.org, 0 +distance-learning-courses.co.uk, 1 +distancelove.cf, 1 +distancelove.ml, 1 +distancelove.tk, 1 +distancionno.com, 1 +distant.land, 1 +distekinc.com, 1 +distelbentelo.nl, 1 +distempered.tk, 1 +disti.com, 1 +distiduffer.org, 1 +distilleren.tk, 1 +distinctdesign2009.com, 1 +distinguishedlegal.com, 1 +distinguishedprisoner.com, 1 +disto.tk, 1 +distopias.tk, 1 +distortionx.tk, 1 +distract09.be, 1 +distract09.gent, 1 +distracteddriving.gov, 1 +distraction.gov, 1 +distraction.tk, 1 +distractors.tk, 1 +distratus.com, 1 +distri.com.ua, 1 +distribucionmayorista.online, 1 +distribucionstunel.es, 1 +distribuidora-online.com, 1 +distribuidoracristal.com.br, 1 +distribuidoradecierres.com, 1 +distribuidoraplus.com, 1 +distribuidorguarani.com.br, 1 +distribuidormaster.com.br, 1 +distribute.gov.sg, 1 +distributed.cafe, 1 +distributedsource.com, 1 +distributedsystems.science, 1 +distributordd.com, 1 +distributore.it, 1 +distributori.roma.it, 1 +district08cnca.org, 1 +district09.be, 1 +district09.gent, 1 +districtcourtislamabad.tk, 1 +districttownship.org, 1 +distrigenosa.tk, 1 +distrikia.com.co, 0 +distrilogservices.com, 1 +distrim.pt, 1 +distrim2.pt, 1 +distritoae.com, 1 +distritotres.tk, 1 +distritoxic.tk, 1 +distro.fr, 1 +distro.re, 0 +distrophy-grind.tk, 1 +distrust.co, 1 +disturbedwarriors.tk, 1 +disturbmenot.co, 1 +dit.moe, 1 +ditaconsultora.com, 1 +ditdot.hr, 1 +ditec.sk, 1 +diterzafra.tk, 1 +ditex.ddns.net, 1 +dities.tk, 1 +ditissaskia.nl, 1 +dittvertshus.no, 1 +div.energy, 1 +div12.org, 1 +divacresent.tk, 1 +divanogiusto.it, 1 +divari.nl, 1 +divas.joburg, 1 +divatri.tk, 1 +divcoder.com, 1 +dive-japan.com, 1 +divedigital.id, 1 +divegearexpress.com, 1 +divegearexpress.net, 1 +diveidc.com, 1 +diveleasia.tk, 1 +divelement.ro, 1 +divelyon.fr, 1 +diveplan.org, 1 +diver-equipment.eu, 1 +divergences.eu.org, 1 +divernet.com, 1 +diverscott.com, 1 +diversificarte.com, 1 +diversify.cf, 1 +diversify.ga, 1 +diversity-otherwise.tk, 1 +diversityflags.com.au, 1 +diversityflags.nz, 1 +diversitywatch.asia, 0 +diversitywatch.co.nz, 1 +diversovariable.tk, 1 +diversual.com, 1 +divertidores.tk, 1 +divestos.org, 1 +divewithfrank.com, 1 +divicar.com.br, 1 +divided.si, 1 +dividedstates.tk, 1 +dividendosfiis.com.br, 1 +dividendz.net, 1 +divider.tk, 1 +divienna.nl, 1 +diviflash.com, 1 +divigear.com, 1 +divihosting.nl, 1 +divinaoracion.com, 0 +divinasaiamodas.com.br, 1 +divineangel.tk, 1 +divinedecay.tk, 1 +divinefeminineyoga.com, 1 +divinegames.studio, 1 +divinemercyparishvld.com, 1 +divinemercyparishvlds.com, 1 +divineprovidenceorphanage.org, 1 +divinerooms.com, 1 +divinglive.ru, 1 +divinho.com.br, 1 +divinitas.tk, 1 +divinoafeto.com.br, 1 +divinoaffetto.com.br, 1 +divisuite.com, 1 +diviworx.com, 1 +divizja.tk, 1 +divjak.at, 1 +divo-remont.tk, 1 +divorce.com, 1 +divorceattorneyschicago.com, 1 +divorceattorneyshouston.com, 1 +divorceformsfiller.com, 1 +divorcelawyer365.com, 1 +divorceonline.com, 1 +divort.org, 1 +divstack.io, 1 +divviup.org, 1 +divvy.tk, 1 +divxonline.ro, 1 +dixa.tech, 1 +dixeo.fr, 1 +dixibox.com, 1 +dixiepest.com, 1 +dixieweld.com, 1 +dixifuar.com, 1 +dixoncountyne.gov, 1 +dixonfireca.gov, 1 +dixonmo.gov, 1 +dixonpoliceca.gov, 1 +dixuant.com, 1 +diy-business-marketing.co.za, 1 +diy-kitchens.com, 1 +diyadinnet.com, 1 +diyanetruya.tk, 1 +diyarbakirescmagazin.tk, 1 +diycc.org, 1 +diycraft.ga, 1 +diycrafts.ml, 1 +diyeat.com, 1 +diyeta.cf, 1 +diyetlife.com, 1 +diyeventhire.co.nz, 1 +diygeek.com, 1 +diymediahome.org, 1 +diysec.tk, 1 +diysonline.com, 1 +diyzealot.com, 1 +dizainkyhni.ml, 1 +dizayn-cheloveka.ru, 1 +dizayner.tk, 1 +dizaynspor.com, 1 +dizhome.net, 1 +dizihastasi.com, 1 +dizirix.net, 1 +dizkartes.nl, 1 +dizkofloor.com, 1 +dizlexiqa.tk, 1 +dizmatt.tk, 1 +dizzidecalz.com.au, 1 +dizzie.org, 1 +dizzyskills.tk, 1 +dizzythewizard.co.uk, 1 +dj-damm.tk, 1 +dj-dfo.tk, 1 +dj-eran.tk, 1 +dj-guillaume.tk, 1 +dj-iliri.tk, 1 +dj-jackson.tk, 1 +dj-kupidon.gq, 1 +dj-leszwolle.nl, 1 +dj-morfu.tk, 1 +dj-ocean.tk, 1 +dj-phil.fr, 1 +dj-wout.tk, 1 +dj-x.info, 1 +dj16888a.com, 1 +dj16888b.com, 1 +dj16888c.com, 1 +dj16888d.com, 1 +dj62.tk, 1 +djaad.tk, 1 +djabad.tk, 1 +djafe.tk, 1 +djakil.tk, 1 +djakuza.tk, 1 +djalberto.tk, 1 +djalessandrobrain.tk, 1 +djamelkokene.com, 1 +djamiroquai.tk, 1 +djang.tk, 1 +django.baby, 1 +django.city, 1 +django.cyou, 1 +djangobirthday.com, 0 +djangogolf.com, 1 +djangoproject.com, 1 +djangoproject.tk, 1 +djangosnippets.org, 1 +djangowebstudio.com, 1 +djanneli.tk, 1 +djarman.tk, 1 +djattack.com, 1 +djav.org, 1 +djawabna.ga, 1 +djax.tk, 1 +djazair.ml, 1 +djazair.tk, 1 +djazim.tk, 1 +djbardhi.tk, 1 +djbell.tk, 1 +djbessi.tk, 1 +djbobbytables.com, 1 +djboi.tk, 1 +djboomarang.tk, 1 +djboris.com, 1 +djbrixx.tk, 1 +djcaz.tk, 1 +djcezar.tk, 1 +djcheka.tk, 1 +djcirce.tk, 1 +djconde.tk, 1 +djconker.tk, 1 +djcontact.tk, 1 +djcritikal.tk, 1 +djcursuszwolle.nl, 1 +djdan.tk, 1 +djdarkz.tk, 1 +djdavid98.art, 1 +djddt.tk, 1 +djdebayanofficial.ga, 1 +djdennis.tk, 1 +djdiego.tk, 1 +djduckie.tk, 1 +djefsane.tk, 1 +djembeforum.tk, 1 +djerba-tunisie.tk, 1 +djfafafa.com, 1 +djfantum.com, 1 +djfaruk.tk, 1 +djfed.tk, 1 +djfede.tk, 1 +djfelix.tk, 1 +djfilms.tk, 1 +djfrenchy.com, 1 +djfunkyju.de, 1 +djgarcia.tk, 1 +djh-nordmark.de, 1 +djharun.tk, 1 +djhooligan.tk, 1 +djhouse.tk, 1 +djhozby.tk, 1 +djhypnoticstate.tk, 1 +djichtus.tk, 1 +djieno.com, 1 +djinstinct.tk, 1 +djjacs.tk, 1 +djjck.com, 1 +djjck.net, 1 +djjonimix.tk, 1 +djkemal.tk, 1 +djkhalid.tk, 1 +djkonor.tk, 1 +djl188.cc, 1 +djl63.com, 1 +djl63001.com, 1 +djleon.net, 1 +djlifemusic.tk, 1 +djlinux.cz, 1 +djlive.ga, 1 +djlmk.tk, 1 +djlogic.tk, 1 +djlove.tk, 1 +djluca.tk, 1 +djmafia.tk, 1 +djmania.es, 1 +djmanikbd.gq, 1 +djmathew.tk, 1 +djmetrix.tk, 1 +djmilad.tk, 1 +djmissynthia.tk, 1 +djmullet.tk, 1 +djmus.tk, 1 +djnandoalmenara.tk, 1 +djnash.tk, 1 +djnefret.tk, 1 +djnext.tk, 1 +djogani.tk, 1 +djoiasoficial.com.br, 1 +djoos.de, 1 +djosu.tk, 1 +djoszee.tk, 1 +djovanov.tk, 1 +djpatrik.tk, 1 +djpiere.tk, 1 +djpippoalpar.tk, 1 +djpromo.tk, 1 +djpump-diaphragmpump.com, 1 +djpyerr.tk, 1 +djramage.tk, 1 +djrider.tk, 1 +djrizwan.tk, 1 +djrofex.tk, 1 +djroynomden.nl, 1 +djrunaway.tk, 1 +djrush134.tk, 1 +djsamurai.tk, 1 +djsciencecollege.tk, 1 +djsearch.tk, 1 +djselo.tk, 1 +djsetitalia.tk, 1 +djshivbabu.tk, 1 +djshox.tk, 1 +djsina.tk, 1 +djsk.nl, 1 +djskippy.tk, 1 +djslash.tk, 1 +djsm.ga, 1 +djspacies.com, 1 +djt-vom-chausseehaus.de, 1 +djtavo.tk, 1 +djthibodeau.com, 1 +djtiago.tk, 1 +djtime.fr, 1 +djtourist.tk, 1 +djurensvanner.tk, 1 +djurklinikenangelholm.se, 1 +djursland-psykologen.dk, 1 +djvampire.tk, 1 +djviks-rap.tk, 1 +djvintagevinyl.com, 1 +djvintagevinyl.de, 1 +djvintagevinyl.nl, 1 +djvirus.tk, 1 +djwaynepryke.com, 1 +djwilson.tk, 1 +djyaman.tk, 1 +djyoungcruse.tk, 1 +dk-kromeriz.cz, 1 +dk.com, 1 +dk.search.yahoo.com, 0 +dk1818.cc, 1 +dkay.me, 1 +dkbilliards.com, 1 +dkcoks.gov, 1 +dkcomputers.com.au, 1 +dkdigital.tk, 1 +dkds.us, 1 +dkec2.space, 1 +dkgamers.tk, 1 +dkhf.ir, 1 +dkim-validator.com, 1 +dkk-gaming.de, 1 +dknoops.xyz, 1 +dko-steiermark.ml, 1 +dkonline.tk, 1 +dkos10.com, 1 +dkos2.com, 1 +dkos3.com, 1 +dkos4.com, 1 +dkos5.com, 1 +dkos6.com, 1 +dkos7.com, 1 +dkos8.com, 1 +dkos9.com, 1 +dkproducts.nl, 1 +dkravchenko.su, 0 +dksh.com, 1 +dksinger.tk, 1 +dksoft-2130.ddns.net, 1 +dksoft.online, 1 +dkstage.com, 1 +dkweb.ml, 1 +dkweb.tk, 1 +dkwedding.gr, 1 +dl-navigator.by, 1 +dl-protect.tk, 1 +dl.google.com, 1 +dl444.net, 1 +dlaces.it, 1 +dlagos.com, 1 +dlagoss.com, 1 +dlandroid24.com, 1 +dlatego.com, 1 +dlazmyslow.pl, 1 +dlbouncers.co.uk, 1 +dlcompare.co.uk, 1 +dlcompare.com, 1 +dlcompare.de, 1 +dlcompare.fr, 1 +dlcompare.it, 1 +dlcompare.pt, 1 +dlcompare.ru, 1 +dlcwilson.com, 1 +dlde.ru, 1 +dleet.com, 1 +dleger.space, 1 +dler.at, 1 +dlevans.com, 1 +dlf.exchange, 1 +dlfsymposium.nl, 1 +dlg.im, 1 +dlgf.com, 1 +dlitz.net, 1 +dll4free.com, 1 +dlld.biz, 1 +dlld.com, 1 +dlld.org, 1 +dlld.us, 1 +dllsearch.net, 1 +dlmarket.jp, 1 +dlmeto.com, 1 +dlmixcloud.com, 1 +dlouwrink.nl, 0 +dlp-demo.com, 1 +dlrg-cux-ohz.de, 0 +dlscomputers.com.au, 1 +dlslab.com, 1 +dlslab.org, 1 +dlsmdportal.com, 1 +dlsolutions-inc.com, 1 +dlt.green, 1 +dlttrading.com, 1 +dluxelab.com, 1 +dlv-registry.com, 1 +dlv-registry.net, 1 +dlyabega.tk, 1 +dlyaribalki.tk, 1 +dlyatepla.ml, 1 +dlyl888.com, 1 +dm-0.com, 1 +dm-918kiss.com, 1 +dm-drogeriemarkt.at, 1 +dm-drogeriemarkt.ba, 1 +dm-drogeriemarkt.bg, 1 +dm-drogeriemarkt.cz, 1 +dm-drogeriemarkt.de, 1 +dm-drogeriemarkt.hr, 1 +dm-drogeriemarkt.hu, 1 +dm-drogeriemarkt.it, 1 +dm-drogeriemarkt.mk, 1 +dm-drogeriemarkt.ro, 1 +dm-drogeriemarkt.rs, 1 +dm-drogeriemarkt.si, 1 +dm-drogeriemarkt.sk, 1 +dm-poepperl.de, 1 +dm-ppp.jp, 1 +dm-tools.co.uk, 1 +dm.at, 1 +dm.cw, 1 +dm.cz, 1 +dm.de, 1 +dm.gov.ae, 1 +dm.hr, 1 +dm.hu, 1 +dm.mk, 1 +dm.pl, 1 +dm.ro, 1 +dm.rs, 1 +dm.si, 1 +dm1.in, 1 +dm4productions.com, 1 +dm6.co, 1 +dm7ds.de, 1 +dm8.link, 1 +dmaglobal.com, 1 +dmarc-hd.org, 1 +dmarc.dk, 1 +dmarc.io, 1 +dmarcexperts.com, 1 +dmarcian.com, 1 +dmarcpal.com, 1 +dmartpreneur.com, 1 +dmautomek.no, 1 +dmc-cc.de, 1 +dmc-commerce-consultants.de, 1 +dmc.ae, 1 +dmc.cc, 1 +dmc030.de, 1 +dmccommerceconsultants.de, 1 +dmclix.com, 1 +dmcw.de, 1 +dmd.lv, 1 +dmdata.jp, 1 +dmdc.mil, 1 +dmdd.org.uk, 1 +dmdiamonds.tk, 1 +dme.net, 1 +dme.web.id, 1 +dmehub.com, 1 +dmesg.sk, 1 +dmfd.net, 1 +dmfj.io, 1 +dmforcesupport.com, 1 +dmforcesupport.marketing, 1 +dmfss.com, 1 +dmfss.tv, 1 +dmg.st, 1 +dmhomedesign.pl, 1 +dmhoteles.pe, 1 +dmhy.com, 1 +dmi.es, 1 +dmi.gov.lb, 1 +dmiapis.id, 1 +dmilb.org, 1 +dmillerlaw.com, 1 +dmitryg.name, 1 +dmitrysnotes.ru, 1 +dmitrysyrov.com, 1 +dmix.ca, 1 +dmlaser.nl, 1 +dmlive.wiki, 1 +dmma.be, 1 +dmmedya.com, 1 +dmmkenya.co.ke, 0 +dmn.sh, 1 +dmni.my, 1 +dmoj.ca, 1 +dmosk.ru, 1 +dmparish.com, 1 +dmr446.fr, 1 +dmrhub.cloud, 1 +dmrhub.net, 1 +dmrhub.network, 1 +dmrhub.org, 1 +dms-technik.de, 1 +dmshynk.com, 1 +dmslog.com, 1 +dmslog.com.br, 1 +dmstechnology.com, 1 +dmtcustoms.co.za, 1 +dmu.ac.ae, 1 +dmvape.us, 1 +dmvhomesgroup.com, 1 +dmvivienda.pe, 1 +dmwall.cn, 1 +dmwaste.com, 0 +dmwclan.tk, 1 +dmx.xyz, 1 +dmxclan.tk, 1 +dmz.rs, 1 +dmze.tk, 1 +dmzlab.se, 1 +dmzr.be, 1 +dn3s.me, 1 +dn42.us, 1 +dna-technology.ua, 1 +dna.li, 0 +dnabler.eu, 1 +dnadk.com, 1 +dnalounge.com, 1 +dnapagamentos.com.br, 1 +dnapizza.com, 1 +dnash.tk, 1 +dnastaffinginc.com, 1 +dnb.co.in, 1 +dnb.dk, 1 +dnb.no, 1 +dnb.se, 1 +dnbalpha.com, 1 +dnbbedrift.no, 1 +dnbeiendom.no, 1 +dnbfeed.no, 1 +dnbfinans.se, 1 +dnbfonder.se, 1 +dnbgroup.lu, 1 +dnbnor.co.uk, 1 +dnbnor.com, 1 +dnbnor.com.cn, 1 +dnbnor.no, 1 +dnbnor.se, 1 +dnbnorbedrift.no, 1 +dnbnord.com, 1 +dnbnorfinance.eu, 1 +dnbnorfinans.com, 1 +dnbnorfinans.eu, 1 +dnbnorfinans.no, 1 +dnbnorfond.no, 1 +dnbnorkort.no, 1 +dnbnorprivat.no, 1 +dnbprivat.no, 1 +dnbung.no, 1 +dnc.org.nz, 1 +dndblog.tk, 1 +dnddobbelstenen.nl, 1 +dndtools.net, 1 +dnel.me, 1 +dneprfilm.top, 1 +dnepropetrovck.tk, 1 +dneprovski.tk, 1 +dnestr.tk, 1 +dnevnichok.club, 1 +dnfc.rocks, 1 +dnfsb.gov, 1 +dngrexplorer.cf, 1 +dngsnl.com, 1 +dnhome.net, 0 +dnjwpa.com.pl, 1 +dnk.company, 1 +dnmlab.it, 1 +dnns.no, 1 +dnplegal.com, 1 +dnpprogramstudies.com, 1 +dnratthee.me, 1 +dnrt-esports.nl, 1 +dns-check.nl, 0 +dns-control.eu, 1 +dns-free.link, 1 +dns-swiss.ch, 1 +dns.expert, 1 +dns.google.com, 1 +dns.gov, 1 +dns.sb, 1 +dns.sh, 1 +dns0.eu, 1 +dnsaio.com, 1 +dnsbird.org, 1 +dnsbl-servers.org, 1 +dnscaa.com, 1 +dnscrawler.com, 1 +dnscrypt-blacklist.tk, 1 +dnscrypt.info, 1 +dnscrypt.nl, 1 +dnscurve.io, 1 +dnsdns.today, 1 +dnsecho.net, 1 +dnsecho.org, 1 +dnshallinta.fi, 1 +dnshelper.com, 1 +dnshotel.dk, 1 +dnsinfo.ml, 1 +dnsipv6.srv.br, 0 +dnskeep.com, 1 +dnskeeper.com, 1 +dnslog.com, 1 +dnslow.me, 1 +dnslytics.com, 1 +dnsman.se, 1 +dnsmate.net, 1 +dnsmonitor.com, 1 +dnsnox.com, 1 +dnspod.ml, 1 +dnspropagation.net, 1 +dnsrate.com, 1 +dnsrevolve.com, 1 +dnsscience.org, 1 +dnssecandipv6.se, 1 +dnssecunsigned.com, 1 +dnssex.com, 1 +dnsspeed.com, 1 +dnstwister.report, 1 +dnsvrfy.com, 1 +dnsvrfy.eu, 1 +dnsvrfy.net, 1 +dnsvrfy.org, 1 +dnswarden.com, 0 +dnt1egh97ehxx.cloudfront.net, 1 +dnvod.ml, 1 +do-do.tk, 1 +do-it-service.de, 1 +do-not.click, 1 +do-prod.com, 0 +do.gd, 1 +do.ne, 1 +do.search.yahoo.com, 0 +do13.net, 1 +do67.de, 1 +do67.net, 1 +doanhai.tk, 1 +doanhnhankhanhhoa.vn, 0 +dob46.mazowsze.pl, 1 +dobavki.club, 1 +dobbshvac.com, 1 +dobledemichaeljackson.tk, 1 +doblejewel.shop, 1 +dobleseo.pro, 1 +dobookmark.ml, 1 +doboszynski.com, 1 +dobramagia.pl, 1 +dobraprace.cz, 0 +dobrekupony.cz, 1 +dobrekupony.pl, 1 +dobrekupony.sk, 1 +dobreoknaszczecin.pl, 1 +dobrev.family, 1 +dobrinya.tk, 1 +dobrisan.ro, 1 +dobrisan.uk, 1 +dobro.ml, 1 +dobrodar.tk, 1 +dobrodruzi.tk, 1 +dobrynyastyle.ru, 1 +dobryprezident.sk, 1 +doc-baza.tk, 1 +doc.ai, 1 +doc.new, 1 +doc.python.org, 1 +doc8643.com, 1 +docabo.ch, 1 +docbox.ch, 1 +docbrown.dk, 1 +doccafe.com, 1 +docdoc.tel, 1 +docedic.com, 1 +docemeldoces.com, 1 +docesmartini.com.br, 1 +docfusioncloud.com, 1 +docguide.com, 1 +docha.tk, 1 +dochimera.com, 1 +dochub.com, 1 +dock-bar.com, 1 +dock.tech, 1 +dock23.de, 1 +dockerbook.com, 0 +dockerm.com, 1 +dockerup.net, 1 +dockeryarmory.com, 1 +dockflow.com, 1 +dockmastersonline.com, 1 +dockstarter.com, 1 +dockysearch.com, 1 +doclassworks.com, 1 +docline.gov, 1 +docloudu.info, 1 +doclures.com, 1 +docmartinchiropractic.com, 1 +docmbs.com, 1 +docmode.org, 1 +docogo.ga, 1 +docplexus.com, 1 +docpost.ml, 1 +docs-kelis.fr, 1 +docs.google.com, 1 +docs.moe, 1 +docs.python.org, 1 +docs.tw, 1 +docsend.com, 1 +docsity.com, 1 +docsunited.net, 1 +docswallet.com, 1 +doctabaila.com, 1 +doctaforum-diferidos.com, 1 +doctaforum-events.org, 1 +doctaforum-test.com, 1 +docteur-delorme.fr, 1 +doctoblog.fr, 1 +doctor-locks.co.uk, 1 +doctorako.com, 1 +doctorbini.com, 1 +doctorcalefon.com, 1 +doctordabbah.com, 1 +doctordangond.com, 1 +doctorebonie.com, 1 +doctorfox.co.uk, 1 +doctoriko.tk, 1 +doctoripfix.com, 1 +doctorkaraca.com, 1 +doctorlab.am, 1 +doctormahamudul.tk, 1 +doctormartinclavo.tk, 1 +doctormit.ro, 1 +doctornaima.ml, 1 +doctornet.ml, 1 +doctorofnursingpracticednp.org, 1 +doctorpage.info, 1 +doctorperu.com, 1 +doctorpower.ga, 1 +doctorpup.com, 1 +doctorradio.tk, 1 +doctorsarfarazdo.ga, 1 +doctorsexplain.net, 1 +doctorshealthfund.com.au, 1 +doctorsinternet.com, 1 +doctorswithoutborders.org, 1 +doctorwho.cz, 1 +doctour.eu, 1 +doctour.fr, 1 +doctrine.fr, 1 +docu.io, 1 +docubox.info, 1 +docucopies.com, 1 +docufiel.com, 0 +docugate.cloud, 1 +docugatetest.cloud, 1 +documaniatv.com, 1 +document-translation-nationwide.com, 1 +documentalista.cat, 1 +documentat.ga, 1 +documentations-sociales.com, 1 +documentationsite.net, 1 +documentforce.com, 1 +documentnode.io, 1 +documods.com, 1 +docupaymentuat.xyz, 1 +docupub.com, 1 +docusearch.com, 1 +docusend.biz, 1 +docusign.ca, 1 +docusign.co.uk, 1 +docusign.com, 1 +docusign.com.au, 1 +docusign.com.br, 1 +docusign.com.es, 1 +docusign.de, 1 +docusign.fr, 1 +docusign.in, 1 +docusign.jp, 1 +docusign.mx, 1 +docusign.nl, 1 +docutayho.com, 1 +docxtemplater.com, 1 +doczlo.tk, 1 +doda.space, 1 +dodabrothers.com, 1 +dodacommunity.tk, 1 +dodalf.com, 1 +dodard.link, 1 +doddridgecountywv.gov, 1 +dodds.cc, 1 +doddy.tk, 1 +dodecaedro.tk, 1 +dodelf.com, 1 +dodgecountymn.gov, 1 +dodgecountyne.gov, 1 +dodgevillewi.gov, 1 +dodi-alhelo.tk, 1 +dodi-repacks.site, 1 +dodiedods.fr, 1 +dodikod.tk, 1 +dodolle.co.uk, 1 +dodotool.ru, 1 +dodylesmana.com, 1 +doedelzakken-jsh.tk, 1 +doegirls.com, 1 +doehle-group.com, 1 +doeleman.nl, 1 +doencadobeijo.com, 1 +doener-curator.com, 1 +doenets.lk, 1 +doenjoylife.com, 1 +doeprojects.com, 1 +doerz.com, 1 +doesburg-comp.nl, 1 +doesinfotech.com, 1 +doesmycodehavebugs.today, 1 +doetwat.nl, 1 +dof.gov.ph, 1 +dofashion.tk, 1 +dofedex.com, 1 +dofrancais.com, 1 +dofus-aide.tk, 1 +dofus.market, 1 +dofux.org, 1 +dog-likeeyes.tk, 1 +doga-osusume.jp, 1 +doga.tk, 1 +dogadostuambalaj.com, 1 +dogaicincal.com, 1 +dogalsoyamumu.com, 1 +dogan.ch, 0 +doganoglu.net, 1 +dogcat.vn, 1 +dogcratereview.info, 1 +dogday.tk, 1 +dogdayafternoons.biz, 1 +doge-fa.tk, 1 +dogear.ch, 0 +dogecdn.wtf, 1 +dogecoinnews.net, 1 +dogecoinnews.org, 1 +dogespeed.gq, 1 +dogespeed.ml, 1 +dogfights.tk, 1 +dogforum.de, 1 +dogfriendly.co.uk, 1 +dogfriendlyplaces.eu, 1 +dogft.com, 1 +doggingclub.tk, 1 +doggo-staging.herokuapp.com, 1 +doggo.cloud, 1 +doggo.email, 1 +doggroomingcourse.com, 0 +doghandling.tk, 1 +doghousedigital.com, 1 +doginaflat.com, 1 +dogingtonpost.com, 1 +dogite.org, 1 +doglifejacket.tk, 1 +doglist.ga, 1 +doglog.com, 1 +dogma.it, 1 +dogma2000.tk, 1 +dogmagic.tk, 1 +dogmap.jp, 1 +dogmazic.net, 1 +dogodki.today, 1 +dogofwar.tk, 1 +dogoo.com, 1 +dogpawstudio.com, 1 +dogprograms.net, 1 +dogrupara.com, 1 +dogscare.tk, 1 +dogsforfun.tk, 1 +dogsite.tk, 1 +dogsnaturallymagazine.com, 1 +dogsnow.com, 1 +dogsport.org, 1 +dogsunderstood.shop, 1 +dogtowneastpowell.com, 1 +dogtrack.tk, 1 +dogtrainingnaples.com, 1 +dogualp.com, 1 +dogvolution.com, 1 +dogwoodceramics.com, 1 +dogworld.com.br, 1 +doh.pub, 1 +doh.sb, 1 +dohanews.co, 1 +dohertyconsulting.tk, 1 +doi.org, 1 +doihavetoputonpants.com, 1 +doinaruscior.eu, 1 +doineedanmdm.com, 1 +doinwp.com, 1 +doioig.gov, 1 +doist.com, 1 +doit-intl.com, 1 +doit.com, 1 +doitauto.de, 1 +doj.gov.in, 1 +doja-cat.ru, 1 +dojah.io, 1 +dojifish.space, 1 +dojihomes.vn, 1 +dojin.nagoya, 1 +dojki.cf, 1 +dojki.ga, 1 +dojki.gq, 1 +dojmt.gov, 1 +dojocasts.com, 1 +dojodigital.co.uk, 1 +dojozendebourges.fr, 1 +dokanline.com, 1 +dokcar.com.br, 1 +dokee.cn, 1 +dokelio-idf.fr, 1 +dokipy.no, 1 +doklinik.com, 1 +dokonline.tk, 1 +dokspot.cf, 1 +dokspot.ga, 1 +doktererectie.com, 1 +doktorplyusheva.ml, 1 +doku-gilde.de, 1 +dokuboard.com, 1 +dokuev.ga, 1 +dokument.tk, 1 +dokuraum.de, 1 +dokutech.fr, 1 +dolbyatmosmusiclist.com, 1 +dolce-vita-mia.tk, 1 +dolcesalatoweb.it, 1 +dolceuvita.com, 1 +dolchhut.tk, 1 +dolci-delizie.de, 1 +dolciariasimonini.com, 1 +dolciterapie.com, 1 +doldersumenzoon.tk, 1 +doleta.gov, 1 +dolezalpartners.com, 1 +dolfotransport.com, 1 +dolg.cf, 1 +dolg.ga, 1 +dolg.gq, 1 +dolg.ml, 1 +dolg.tk, 1 +dolgopolova.ga, 1 +dolgorukovo.cf, 1 +dolice.net, 1 +dolinathome.com, 1 +dolkfm.tk, 1 +doll.gq, 1 +doll.ml, 1 +dollarads.cf, 1 +dollarads.ga, 1 +dollareast.tk, 1 +dollarhero.ga, 1 +dollarprofit.tk, 1 +dollarrp.pl, 1 +dollarweb.cf, 1 +dolle-shop.com.ua, 1 +dolledout.co.ke, 1 +dollemore.com, 1 +dollestieren.tk, 1 +dolliesmaker.tk, 1 +dolly.ga, 1 +dollylox.tk, 1 +dollz-world.tk, 1 +dollz.tk, 1 +dolmencleanroom.com, 1 +dolmenejecutores.com, 1 +dolmeningenieria.com, 1 +dolmentree.tk, 1 +dolnolinevo.tk, 1 +dolo.tk, 1 +dolomititour.com, 1 +dolonki.beauty, 1 +dolorism.com, 1 +dolph.de, 1 +dolphin-cloud.com, 1 +dolphin-hosting.com, 1 +dolphin-it.de, 1 +dolphinbraces.com, 1 +dolphins.tk, 1 +dolphyserver.tk, 1 +dolys.fr, 1 +dom-byt.tk, 1 +dom-desertov.tk, 1 +dom-riviere.tk, 1 +dom.blog, 1 +dom2news.gq, 1 +dom2news.tk, 1 +dom2seychelles.tk, 1 +dom2tnt.tk, 1 +doma.in, 1 +domacikavarna.cz, 1 +domadillo.com, 1 +domagovic.tk, 1 +domain-comparison.com, 1 +domain-ermittlung.de, 1 +domain-skachat.cf, 1 +domain-speicher.com, 0 +domain-swiss.ch, 1 +domain.ch, 1 +domaine-aigoual-cevennes.com, 1 +domaine-de-garbelle.com, 1 +domaine-de-vermoise.fr, 1 +domainedebichery.com, 1 +domainedemanville.fr, 1 +domainevanina.fr, 1 +domainexpress.de, 0 +domainforfree.gq, 1 +domainhostingcompany.tk, 1 +domainics.ml, 1 +domainify.ca, 1 +domainlions.com, 1 +domainmonitor.net, 1 +domainoo.com, 0 +domainoo.fr, 1 +domainops.gov, 1 +domainproactive.com, 1 +domainregistry.ie, 1 +domainresidential.com.au, 1 +domains-hoarden-ist-ein-ernstes-problem-suchen-sie-sich-hilfe.jetzt, 1 +domains.google.com, 1 +domains.lt, 1 +domainsearchindia.com, 1 +domainservice.cf, 1 +domainsetup.email, 1 +domainsilk.com, 1 +domainstaff.com, 1 +domaintm.in, 1 +domainvoider.cf, 1 +domakidis.com, 1 +domarkperu.com, 1 +domashnij-pk.ru, 1 +domashnijpk.ru, 1 +domashniy-server.tk, 1 +domaxpoker.com, 1 +domaza.gq, 1 +domaza.ml, 1 +domcc.tel, 1 +domeconseil.fr, 1 +domein-direct.com, 1 +domein-direct.nl, 1 +domeindns.nl, 1 +domeinhub.nl, 1 +domeinquarantaine.nl, 1 +domekklimkowka.com, 1 +domen-reg.ru, 1 +domenaru.ga, 1 +domenic.me, 1 +domenick-lieneweg.de, 1 +domenico.lviv.ua, 1 +domenicods.tk, 1 +domhaase.me, 1 +domharmonia.bg, 1 +domhos.tk, 1 +domialt.de, 1 +domian.cz, 1 +dominanta-law.com, 1 +dominateyourmarket247.com, 1 +dominationgame.co.uk, 1 +dominatorauckland.co.nz, 1 +dominctheroofguy.com, 1 +dominguezchiropractic.com, 1 +dominicana-lux.cf, 1 +dominicandfelixroco.tk, 1 +dominicanisimo.tk, 1 +dominicanosenpr.com, 1 +dominichoward.tk, 1 +dominicinc.com, 1 +dominicjackson.cf, 1 +dominicjackson.ga, 1 +dominicjackson.gq, 1 +dominicself.co.uk, 1 +dominicself.com, 1 +dominicself.uk, 1 +dominictaylor.co.uk, 1 +dominik-bergmann.de, 1 +dominik-steiner.at, 1 +dominik.st, 1 +dominikaner-vechta.de, 1 +dominikconrads.de, 1 +dominikriedig.de, 1 +dominioanimal.com.br, 1 +dominionlending.ca, 1 +dominionpayroll.net, 1 +dominiopruebados.ml, 1 +dominiostk.tk, 1 +dominique-haas.fr, 0 +domino.com.ge, 1 +domino99.ml, 1 +domino99.tk, 1 +dominobot.ir, 1 +dominobreaker.ml, 1 +dominoknihy.cz, 0 +dominolessons.ga, 1 +dominomatrix.com, 1 +dominoqq.asia, 1 +dominoz.tk, 1 +domitori.tk, 1 +domix.fun, 1 +domizx.de, 1 +domjh.com, 1 +domkiwgrodku.pl, 1 +domlist.tk, 1 +dommaster.info, 1 +dommistrza.pl, 1 +dommod.tk, 1 +domnaslonecznej.pl, 1 +domob.eu, 1 +domodeco.fr, 1 +domofon.io, 0 +domokode.ru, 1 +domop.org, 1 +domoplus.ca, 1 +domostroiy.tk, 1 +domostroydon.ru, 1 +domostroynn.ru, 1 +domostroyrf.ru, 1 +domotek.pl, 1 +domotics101.com, 1 +domovik-magz.tk, 1 +domovitae.io, 1 +domowe-potrawy.pl, 1 +domowejroboty.pl, 1 +domowezrodlozdrowia.pl, 1 +domp.pl, 1 +domparts.com.au, 1 +dompetdhuafa.org, 1 +domprojects.com, 1 +domps.fr, 1 +domreg.lt, 1 +domsamogona.ru, 1 +domscripting.com, 1 +domt.com, 1 +domu.ro, 1 +domucmayintainha.com.vn, 1 +domus-global.com, 1 +domus-global.cz, 1 +domus-rely.com, 1 +domyassignments.com, 1 +domycasestudy.com, 1 +domycoding.com, 1 +domycoursework.com, 1 +domycreativewritings.com, 1 +domydissertations.com, 1 +domyessay.net, 1 +domyhomework123.com, 1 +domyiadaptacje.pl, 1 +domynetwork.com, 1 +domypapers.com, 1 +domyresearchpaper.com, 1 +domyreview.net, 1 +domyspeech.com, 1 +domytermpaper.com, 1 +domythesis.net, 1 +domyzitrka.cz, 1 +domznak.ru, 1 +don-news.tk, 1 +donabeneko.jp, 1 +donacarlota.net.br, 1 +donacije.rs, 1 +donaciondeorganos.gov, 1 +donalblaney.cf, 1 +donalblaney.ga, 1 +donalblaney.gq, 1 +donaldduck.nl, 1 +donaldtrump.ga, 1 +donaldwarner.com, 1 +donamflor.com, 1 +donarmany.online, 1 +donat.cloud, 1 +donate-streamer.com, 1 +donate.lol, 1 +donateabox.org, 1 +donateaday.net, 1 +donateers.org, 1 +donateforcharity.com, 1 +donatellapratas.com.br, 1 +donation.ph, 1 +donationexecutor.com, 1 +donazione.it, 1 +doncastermoneyman.com, 1 +dondiabolo.com, 1 +donec.tk, 1 +donegalhistory.ie, 1 +doneinteriorerp.com, 1 +donera.tk, 1 +donerite.us, 1 +donewhen.email, 1 +donewhen.eu, 1 +donewhen.net, 1 +donewhen.nl, 1 +donewhen.org, 1 +donfelino.tk, 0 +donga.tk, 1 +dongbd.com, 1 +dongcdn.com, 1 +dongchenyue.art, 1 +donge.fr, 1 +dongha.org, 1 +donghochinhhang.store, 1 +donghua-europe.com, 1 +donghuapiandaquan.com, 1 +dongjian.com, 1 +dongkepu.com, 1 +dongor.tk, 1 +donhoward.org, 0 +doninformatico.ga, 1 +doniramdoni.tk, 1 +donislawdev.com, 1 +donkerslootjes.nl, 1 +donkeytrekkingkefalonia.com, 1 +donnaandscottmcelweerealestate.com, 1 +donnabotanica.com.br, 1 +donnabrothers.com, 1 +donnacha.blog, 1 +donnachie.net, 1 +donnahay.com.au, 1 +donnapepe.tk, 1 +donnerhollenconstruction.com, 1 +donnerwetter.tk, 1 +donngle.com, 1 +donnons.org, 0 +donnoval.ru, 0 +donorscape.com, 1 +donostiweb.tk, 1 +donotcall.gov, 1 +donotdepart.com, 1 +donpanda.cz, 1 +donpi.it, 1 +donpietraos.tk, 1 +donplafon.ru, 1 +donpomodoro.com.co, 1 +donquix.nl, 1 +donsgroupattire.com, 1 +donsremovals.com.au, 1 +dont.re, 1 +dont.watch, 1 +dontarriva.org.uk, 1 +dontasktoask.com, 1 +dontbeevil.com, 1 +dontbreakme.com, 1 +dontbubble.me, 1 +dontcageus.org, 1 +donteaetcrayons.tk, 1 +donteffwithmyvote.com, 1 +donteffwithmyvote.org, 1 +donteffwithmyvote.us, 1 +dontefwithmyvote.com, 1 +dontefwithmyvote.org, 1 +dontefwithmyvote.us, 1 +dontenedor.com, 1 +dontfuckwithmy.vote, 1 +dontfuckwithmyvote.com, 1 +dontfuckwithmyvote.net, 1 +dontfuckwithmyvote.org, 1 +dontfuckwithmyvote.us, 1 +dontfwithmy.vote, 1 +dontfwithmyvote.com, 1 +dontfwithmyvote.net, 1 +dontfwithmyvote.org, 1 +dontfwithmyvote.us, 1 +donthedragonwilson.com, 1 +dontkeylog.me, 1 +dontkillspike.tk, 1 +dontpayfull.com, 1 +dontstopcoffee.com, 1 +dontvisit.me, 1 +dontwastethewood.com, 1 +donumanimo.pl, 1 +donutcompany.co.jp, 1 +donwhen.com, 1 +donwhen.email, 1 +donwhen.eu, 1 +donwhen.net, 1 +donwhen.nl, 1 +donwhen.org, 1 +donwilkssculptor.com, 1 +doo.is, 1 +dooby.fr, 1 +doodle.com, 1 +doodlecorn.com, 1 +doodlegames.tk, 1 +doodletips.com, 1 +doogej.nl, 1 +doolac.com, 1 +dooleylabs.com, 1 +doomsdaymag.tk, 1 +doomsworld.com, 1 +doomtech.net, 1 +doonvalleytrail.co.uk, 1 +doooooops.com, 1 +doop.im, 1 +doorchaser.tk, 1 +doordash.com, 1 +doordash.news, 1 +doordash.red, 1 +doordecor.bg, 1 +doorframe.com, 1 +doorin.tk, 1 +doorlinekktc.tk, 1 +doornmore.com, 1 +doors-and-windows.tk, 1 +doorservice.ml, 1 +doorsystemsweden.se, 1 +doortodoor.ml, 1 +doottrucks.com.au, 1 +dopamine.tk, 1 +dopefile.cf, 1 +dopefile.tk, 1 +dopei.com, 1 +dopeillustrators.com, 1 +dopesoft.de, 1 +dopewars.tk, 1 +dopfer-fenstertechnik.de, 1 +dopiatku.pl, 1 +doppeleinhorn.de, 1 +doppenpost.nl, 1 +doppler-manufaktur.com, 1 +doppler.com, 1 +doppler.team, 1 +dopplerschirme.com, 1 +dor-tak.com, 1 +dor-tak.ru, 1 +dora.cat, 1 +dora.moe, 1 +dorados.tk, 1 +doradoscampeon.tk, 1 +doraemonchile.tk, 1 +dorama.gq, 1 +doramamusic.gq, 1 +doramiru.com, 1 +doranobi-fansub.id, 1 +dorcelvision.com, 1 +dorco.be, 1 +dordtpas.nl, 1 +doremy.be, 1 +dorfbrunnen.eu, 0 +dorfkultur.net, 1 +dorfpark-falkenburg.de, 1 +dorfzittig.de, 1 +doriangardes.fr, 1 +doriangirod.ch, 0 +dorianharmans.nl, 1 +dorianmuthig.com, 1 +doridian.com, 1 +doridian.de, 1 +doridian.net, 1 +doridian.org, 1 +dorier-digiplace.com, 1 +dorisdeluxe.com, 1 +dorizonline.tk, 1 +dorkface.tk, 1 +dormi.hu, 1 +dormilaine.fr, 1 +dorminyeremenyjatek.hu, 1 +dormirmucho.com, 0 +dormitengernyikaland.hu, 1 +dormiu.com, 1 +dormiu.com.br, 1 +dormkitty.com, 1 +dorogaminina.tk, 1 +dorotaorlowska.pl, 1 +dorpshuis-dwarsgracht.nl, 1 +dorpsoverlegboskoop.nl, 1 +dorpsparade.tk, 1 +dorquelle.com, 1 +dorrtownshipmi.gov, 1 +dorsavi.com, 1 +dorsaycreative.com, 1 +dorsethouselyme.com, 1 +dorsetthotels.com, 1 +dorth.nl, 1 +dortmund.de, 1 +dortmund.directory, 1 +dorys.ga, 1 +dos-team.tk, 1 +dos.lol, 1 +dosavor.com, 1 +dosbox.tk, 1 +dosdiasenlavida.es, 1 +dosei.net, 1 +dosenkiwi.at, 1 +dosenpendidikan.co.id, 1 +dosenpintar.com, 1 +dosensosiologi.com, 1 +doserres.tk, 1 +dosevue.com, 1 +dosgame.club, 1 +dosgratus.tk, 1 +dosimabag.com, 1 +dosimapress.com, 1 +dosite.gq, 1 +dosje.org, 1 +doska.by, 1 +doska.cf, 1 +doska.ru, 1 +doskapozora.tk, 1 +dosomeworks.biz, 1 +dosorbonne.com, 1 +dossierbaudet.nl, 1 +dossierweb.tk, 1 +dostal.co, 0 +dostalsecurity.com, 1 +dostat.de, 1 +dostav.tk, 1 +dostavkakurierom.ru, 1 +dostips.com, 1 +dostkuijper.nl, 1 +dosug.gq, 1 +dosug.so, 1 +dosugru.gq, 1 +dosvientoselectric.com, 1 +dosvientoselectrical.com, 1 +dosvientoselectrician.com, 1 +dosvientosexteriorlighting.com, 1 +dosvientoslandscapelighting.com, 1 +dosvientoslighting.com, 1 +dosvientosoutdoorlighting.com, 1 +doswap.com, 1 +doswo-design.at, 1 +dosyaa.tk, 1 +dosyakurtarma.com, 1 +dosyanet.cf, 1 +dosyanet.tk, 1 +doszkocs-zsuzsa.hu, 1 +dot.sb, 1 +dota2expert.ru, 0 +dota2free.tk, 1 +dotadotaman.tk, 1 +dotatic.com, 1 +dotbox.org, 1 +dotcircle.co, 1 +dotcomdesigns.biz, 1 +dotcompetentdigital.com, 1 +dotcomtest02-single.azurewebsites.net, 1 +dotconnor.com, 0 +dotfile.tk, 1 +dotgov.gov, 1 +dothaneagle.com, 1 +dotheevolution.tk, 1 +dothegangnamstyle.tk, 1 +dotjesper.com, 1 +dotjesper.dk, 1 +dotjesper.net, 1 +dotjs.party, 1 +dotker.com, 1 +dotkniseandroida.cz, 1 +dotkod.pl, 1 +dotlab.net, 1 +dotlab.nl, 1 +dotlakevillagecouncil-nsn.gov, 1 +dotlaw.co, 1 +dotless.tk, 1 +dotlight.ga, 1 +dotlimino.tk, 1 +dotneko.net, 1 +dotnetdocs.ir, 1 +dotnetfoundation.org, 0 +dotnetsandbox.ca, 1 +dotnext.co.za, 1 +dotovh.ovh, 1 +dotphoto.com, 1 +dotplex.com, 1 +dotpoint.ga, 1 +dotprime.by, 1 +dotrel.com, 0 +dotridmeto.cz, 1 +dotrox.net, 1 +dotsbuy.com, 1 +dotshule.ug, 1 +dotsiam.co.th, 1 +dotsiam.com, 1 +dotsiam.in.th, 1 +dotsmesh.com, 1 +dottore.roma.it, 1 +dottormarc.it, 1 +dotweb.com, 1 +dotxyz.lol, 1 +dotya.ml, 1 +dotyk-snov.tk, 1 +dotyk.me, 1 +dotzauer-stb.de, 1 +douai.me, 1 +douban.city, 1 +double20.gg, 1 +doublearm.in, 1 +doubleaste.com, 0 +doublebass-solo.com, 1 +doubled.ml, 1 +doubledranch.tk, 1 +doublefun.net, 1 +doublejack.online, 1 +doubleness.gq, 1 +doublespeak.chat, 1 +doublestat.me, 1 +doubletex.de, 1 +doubleup.com.au, 1 +doubleupgaming.tk, 1 +doublewide.tk, 1 +doublewood.tk, 1 +doubllexchange.com, 1 +doubllexchange.site, 1 +doubllexchange.website, 1 +doubloin.com, 1 +doubly.tk, 1 +doubtaboutwill.org, 1 +doucebnice.cz, 1 +douceurcarlet.com, 1 +doucheba.gs, 0 +doucheoftheweek.com, 1 +doughseeker.com, 1 +doughstory.cf, 1 +douglas-ma.gov, 1 +douglascounty-oregon.gov, 1 +douglascountybar.com, 1 +douglascountycolorado.gov, 1 +douglascountyga.gov, 1 +douglascountyil.gov, 1 +douglascountymn.gov, 1 +douglascountyor.gov, 1 +douglascovotes.gov, 1 +douglascuddletoy.com, 1 +douglascustodio.com.br, 1 +douglasgreenberg.org, 1 +douglasmi.gov, 1 +douglasresende.tk, 1 +douglassimons.com, 1 +douglegomovie.tk, 1 +dougley.com, 1 +dougsnugs.love, 1 +doujin-domain.cz, 1 +doujin.nagoya, 1 +doujinrepublic.com, 1 +doujinshi.info, 1 +doujinspot.com, 1 +douzer.de, 1 +douzer.earth, 1 +douzer.industries, 1 +dovebuttare.it, 1 +doveconviene.it, 1 +dovecraft.com.ua, 1 +doveholesband.co.uk, 1 +dovemoe.com, 1 +dovenzorgmalawi.nl, 1 +doverfcu.com, 1 +doveriestom.com, 1 +doverma.gov, 1 +dovermotion.com, 1 +doverye.tk, 1 +doveskyger.site, 1 +doveskyger.tk, 1 +dovetail.com, 1 +dovetailapp.com, 1 +doveweekend.com, 1 +dovizborsa.com, 1 +dovolena-ihned.cz, 1 +dowdscatfishandbbq.com, 1 +dowell.media, 1 +dowhatmakegood.de, 1 +dowhatyoucannow.com, 1 +dowina.com, 1 +dowling.nz, 1 +dowling.tk, 1 +down-load.dynu.net, 1 +down.pm, 1 +downalarm.cz, 1 +downalarm.sk, 1 +downandouts.tk, 1 +downbook.org, 1 +downestan.ga, 1 +downfall-records.tk, 1 +downfreak.tk, 1 +downgratis.tk, 1 +download-image.ga, 1 +download-knigi.gq, 1 +download-lagu-mp3.com, 1 +downloadabc.cf, 1 +downloadapkpokemongo.ga, 1 +downloadapkpure.tk, 1 +downloadasik.com, 1 +downloadcounter-strike16.com, 1 +downloadfestival.co.uk, 1 +downloadfiles.cf, 1 +downloadforum.ml, 1 +downloadforum.tk, 1 +downloadhindimovie.net, 1 +downloadhindimovies.net, 1 +downloadmoremousepad.ml, 1 +downloads.zdnet.com, 1 +downloadsoftwaregratisan.com, 1 +downloadvipgames.tk, 1 +downset.tk, 1 +downthebayoucharters.com, 1 +downtoagony.tk, 1 +downtoearthjewelry.com, 1 +downtownafrica.com, 1 +downtownboise.org, 1 +downtowncharm.is, 1 +downtownindy.org, 1 +downtownla.com, 1 +downtownmesa.com, 1 +downtownpdx.dog, 1 +downtownraleigh.org, 1 +downtownsuiteliving.com, 1 +downtowntucson.org, 1 +downtownvernon.com, 1 +downunderporn.com, 1 +downwithchina.com, 1 +dowow.tv, 1 +dox-box.eu, 1 +doxa.tk, 1 +doxal.ro, 1 +doxepin1.gq, 1 +doxepinonline.gq, 1 +doxyciclin.ga, 1 +doxyciclin.gq, 1 +doxyciclin.tk, 1 +doxycyclin.gq, 1 +doxycycline-online.cf, 1 +doxycycline1.gq, 1 +doxycyclinehyclate100mgcap.cf, 1 +doxycyclineprices.cf, 1 +doyarki.ga, 1 +doylesalewski.ca, 1 +doylestownborough.net, 1 +doyo.email, 1 +doyo.tech, 1 +doyogawithlina.com, 1 +doyoucheck.com, 0 +doyoulyft.com, 1 +doyoutax.com, 0 +doypacky.cz, 1 +doze-cloud.tech, 1 +dozecloud.com, 1 +dozor.ga, 1 +dozor.gq, 1 +dozor.tk, 1 +dp-clan.tk, 1 +dp-films.de, 1 +dp.cx, 1 +dp7.ro, 1 +dpangerl.de, 0 +dpanosian.com, 1 +dpasn-afpa.fr, 1 +dpath.com, 1 +dpatyk.com, 1 +dpc-pca.org, 1 +dpc-software.de, 1 +dpc.ae, 1 +dpcp.fr, 1 +dpcs.xyz, 0 +dpcyourhome.com, 1 +dpd.com.pl, 1 +dpecuador.com, 1 +dpereira.net, 1 +dperson.net, 1 +dpeter.me, 1 +dpfsolutionsfl.com, 1 +dpg.no, 1 +dphipartner.com, 1 +dpi-design.de, 1 +dpim.org.my, 1 +dpinse.com, 1 +dpisecuretests.com, 1 +dpjuse.tk, 1 +dpk.es, 1 +dpkk.ph, 1 +dplpmtud.com, 1 +dpmr446.fr, 1 +dpoairport.au, 1 +dpoairport.com.au, 1 +dpomax.com.br, 1 +dponapratica.com.br, 1 +dpower.tk, 1 +dppstar.com, 1 +dprb.biz, 1 +dpress24.it, 1 +dprmp.org, 1 +dps.srl, 1 +dpsengineers.com.au, 1 +dpsg-hohenlinden.de, 1 +dpsmassage.nl, 1 +dpucarriersma.gov, 1 +dpwsweeps.co.uk, 1 +dqfilesonline.com, 1 +dr-amar.tk, 1 +dr-beyer.de, 1 +dr-dedet.com, 1 +dr-detailing.com, 1 +dr-diffusion.fr, 1 +dr-ermilov.com, 1 +dr-feldman.com, 1 +dr-it.co.uk, 0 +dr-karagenska.com, 1 +dr-kissler.de, 1 +dr-maike-juergens.de, 1 +dr-mgeorgieva.com, 1 +dr-nope.de, 1 +dr-nosrat.tk, 1 +dr-notemann.de, 1 +dr-schlamminger.de, 1 +dr-schuessler.de, 1 +dr-vlasak.cz, 1 +dr-www.de, 1 +dr.mg, 1 +dr2dr.ca, 1 +draabe-nyt.dk, 1 +draadloos-besturen.nl, 1 +draadloze-noodstop.nl, 1 +draagmerriecentrale.nl, 1 +draakjefosfor.be, 1 +drabbin.com, 1 +drabim.org, 1 +drace.biz, 1 +drach.xyz, 1 +dracheisolation.tk, 1 +drachenchronik.com, 1 +drachenleder.de, 1 +dracisvet.cz, 1 +dracoon.team, 1 +dracox.com, 0 +dracula.city, 1 +drafatimagarcia.com, 1 +draftguru.com.au, 1 +drafton.com, 1 +draftposts.com, 1 +dragcave.net, 1 +dragdroplearning.com, 1 +dragfiles.com, 1 +draghive.asia, 1 +draghive.ca, 1 +draghive.co.uk, 1 +draghive.com, 1 +draghive.net, 0 +draghive.org, 1 +draghive.tv, 1 +dragon-aspect.com, 1 +dragon-ballz.tk, 1 +dragon-chem.eu, 1 +dragon-craft.tk, 1 +dragon-hearts.co.uk, 1 +dragon-hearts.com, 1 +dragon-hearts.net, 1 +dragon-team.tk, 1 +dragon.nu, 1 +dragon00.com, 1 +dragon26.com, 1 +dragon95.com, 1 +dragon98.com, 1 +dragonballzfigures.com, 1 +dragonballzstore.com, 1 +dragonbike.by, 1 +dragonboatfestival.tk, 1 +dragonbox.de, 1 +dragoncave.me, 1 +dragoncityhack.tips, 1 +dragonclean.gr, 1 +dragonclicker.ml, 1 +dragonesymazmorras.tk, 1 +dragonfly.co.uk, 0 +dragonflycms.cf, 1 +dragonfosfor.be, 1 +dragonheartsrpg.com, 1 +dragonhill.tk, 1 +dragonkin.net, 1 +dragonlord.tk, 1 +dragonmoviesz.ga, 1 +dragonoid.tk, 1 +dragonpi.ga, 1 +dragonprogrammer.com, 1 +dragonqueen.fi, 1 +dragonradar.tk, 1 +dragonraja.tk, 1 +dragonreal.estate, 1 +dragonroost.tk, 1 +dragonscale.tk, 1 +dragonsgate.ml, 1 +dragonshare.tk, 1 +dragonsorcerers.tk, 1 +dragonsunited.at, 1 +dragonsunited.be, 1 +dragonsunited.ch, 1 +dragonsunited.de, 1 +dragonsunited.eu, 1 +dragonsunited.info, 1 +dragonsunited.li, 1 +dragonsunited.lu, 1 +dragonsunited.net, 1 +dragonsunited.org, 1 +dragontail.tk, 1 +dragonwolfpackaquaria.com, 1 +dragonwork.me, 1 +dragowebdesign.com, 0 +drahcro.uk, 1 +drainagedirect.com, 1 +drainwllc.com, 1 +drak.tk, 1 +drake.partners, 1 +drakecommercial.com, 1 +drakencan.gq, 1 +drakenprospero.com, 0 +drakenson.de, 1 +drakfot.se, 1 +drakia.com, 1 +drakiada.tk, 1 +drakkarbilbao.com, 1 +draknet.eu, 1 +draliabadi.com, 0 +draljarallah.com, 1 +dralucilavolasco.com.br, 1 +drama-live.tv, 1 +drama.tk, 1 +dramacooltv.org, 1 +dramakorea.tk, 1 +dramaquarter.com, 1 +dramaqueer.ch, 1 +dramaslayer.ga, 1 +dramatherapie.tk, 1 +dramaticpeople.com, 1 +drambikarathi.com, 1 +dramyalderman.com, 1 +dranderle.com, 1 +drandrewarnold.com, 1 +drandrewlofman.com, 1 +dranik.ga, 1 +dranik.ml, 1 +drankenweb.tk, 1 +drankkoning.nl, 1 +drantonov.bg, 1 +drap-pa.org, 1 +drapeauxdespays.fr, 1 +draper.wtf, 1 +draperutah.gov, 1 +dras.hu, 1 +drasocalzado.com, 1 +drasoclothes.com, 1 +drastik.cz, 1 +drasyl.org, 0 +drata.com, 1 +drathaisdentista.com.br, 1 +dratini0.hu, 1 +draughts64.org, 1 +draugr.de, 1 +draup.com, 1 +draussen.tk, 1 +draw-bonus.ml, 1 +draw.uy, 1 +drawbridgeconnect.com, 1 +drawchan.org, 1 +drawesome.uy, 1 +drawguess.fun, 1 +drawing.tk, 1 +drawingcode.net, 1 +drawtwo.gg, 1 +drawvesly.ovh, 1 +drawxp.com, 1 +drawzit.com, 1 +draycotthotel.com, 0 +drbadnick.tk, 1 +drbanerjeecures.in, 1 +drbarnabus.com, 0 +drbaxter.com, 1 +drbenbarry.com, 1 +drbet.it, 1 +drblend.com, 1 +drblog.tk, 1 +drbonine.com, 1 +drbooks-accounting.com, 1 +drbresnick.com, 1 +drcardiofit.com, 1 +drcarolynquist.com, 1 +drcbxlpundw8t.cloudfront.net, 1 +drchapin.com, 1 +drchrislivingston.com, 1 +drchristaengelbrecht.com, 1 +drchrono.com, 1 +drclub.tk, 1 +drcommodore.it, 1 +drcorderocirujanoplastico.com, 1 +drdca.gov, 1 +drdeath.tk, 1 +drdegenhart.de, 1 +drdenisvincenzi.com.br, 1 +drdibbus.nl, 1 +drdipilla.com, 1 +drdispatch.com, 1 +drdripplumbingsydney.com.au, 1 +drduru.com, 1 +dreadd.org, 1 +dreadfully.cf, 1 +dreadfulsanity.com, 1 +dreadlocks.tk, 1 +dreadlord.tk, 1 +dreadnews.ga, 1 +dream-design.tk, 1 +dream-domain.tk, 1 +dream-factory.tk, 1 +dream-pools.cf, 1 +dreamaholic.club, 1 +dreamawake.tk, 1 +dreambbs.tk, 1 +dreambed.com, 1 +dreamboxpro.com, 1 +dreamcartransport.be, 1 +dreamcast-world.tk, 1 +dreamcatchers-events.com, 1 +dreamcrack.tk, 1 +dreamcraft.su, 1 +dreamdale-fans.net, 1 +dreamdale.info, 1 +dreamdeity.com, 1 +dreamdivers.com, 1 +dreamelegant.ml, 1 +dreamersgiftshopec.com, 1 +dreamfm.gr, 1 +dreamhostremixer.com, 1 +dreamimd.com, 1 +dreaminformatique.tk, 1 +dreaming.solutions, 1 +dreaminjewelz.tk, 1 +dreamkids-bysiska.com, 1 +dreamlab.co.jp, 1 +dreamlandsdesign.com, 1 +dreamlifeproperty.cf, 1 +dreamlight.cloud, 1 +dreamlinks.tk, 1 +dreamlordpress.it, 1 +dreamlux.cz, 1 +dreamlux.sk, 1 +dreamms.gg, 1 +dreamofice.cn, 1 +dreamoza.com, 1 +dreampages.tk, 1 +dreampointech.com, 1 +dreamqueen.tk, 1 +dreamrae.net, 1 +dreamreality.tk, 1 +dreams-2-reality.com, 1 +dreamsbythelake.com, 0 +dreamsea.tk, 1 +dreamsindigital.tk, 1 +dreamsjob.cf, 1 +dreamsofalostsoul.tk, 1 +dreamsolution.nl, 1 +dreamsphere.tk, 1 +dreamstarter.ml, 1 +dreamstudio.com, 1 +dreamstudios.tk, 1 +dreamsubmitting.tk, 1 +dreamswelcome.com, 1 +dreamsxxl.com, 1 +dreamsystems.tk, 1 +dreamtapestry.ga, 1 +dreamtechie.com, 1 +dreamweavers.live, 1 +dreamwork.financial, 1 +dreamworldstudio.tk, 1 +dreamy-flat-lyon.fr, 1 +dreamytheatre.com, 1 +dreamz-staging.zone, 1 +dreamz.com, 1 +dreatho.com, 1 +dreax.win, 1 +drechsel.xyz, 1 +drechsler-forum.de, 1 +dredwerkz.tk, 1 +dreemurr.com, 1 +drehabkhalifa.com, 1 +drehpartner-werden.net, 1 +drei01.com, 1 +drei01.de, 1 +drei01.technology, 1 +dreibock.com, 1 +dreid.org, 1 +dreieich.schule, 1 +dreifaltigkeitsgemeinde-leipzig.de, 1 +dreifaltigkeitskirchgemeinde-leipzig.de, 1 +dreifaltigkeitskirchgemeinde.de, 1 +dreigold.de, 1 +dreischneidiger.de, 1 +dreiskemoving.com, 1 +dreizwosechs.de, 0 +drema.tk, 1 +drendermobilyaservisi.com, 1 +drenergysaveror.com, 1 +drenergysaverpdx.com, 1 +drenergysaverpnw.com, 1 +dresden-kaffee-24.de, 1 +dresden-kaffeeroesterei.de, 1 +dresdens-pfefferkuchenprinzessin.de, 0 +dresdner-christstollen-von-reimann.de, 1 +dresdner-kaffeeroesterei.de, 1 +dresdner-mandelstollen.de, 0 +dresdner-stollen.shop, 0 +dress-cons.com, 1 +dressabelle.tk, 1 +dresscodeny.com, 1 +dressesbal.tk, 1 +dressestore.tk, 1 +dresstique.in, 1 +dreumesshakira.tk, 1 +drevoline.com.ua, 1 +drew.beer, 1 +drew.ga, 1 +drewapianostudio.com, 1 +drewfuller.tk, 1 +drewsilcock.co.uk, 1 +drewtransportllc.com, 1 +drewuniverse.net, 1 +drewzar.com, 1 +drexelwood.com, 1 +dreyfussplasticsurgery.com, 1 +drezzy.it, 1 +drfirst.com, 1 +drfranciscofonseca.com.br, 1 +drfrey.ch, 0 +drfuhrman.com, 1 +drgabrielschmitt.com, 1 +drgeadsdavinci.com, 1 +drghomi.com, 1 +drgn.li, 1 +drgn.no, 1 +drguyfacialplastics.com, 1 +drhathazi.hu, 1 +drheibel.com, 1 +drherndonent.com, 1 +drhildebrand.net, 1 +drhopeson.com, 1 +drhosting.com, 1 +drhowardaubert.com, 1 +drhyler.com, 1 +drianpublishing.tk, 1 +drica.tk, 1 +dricka.tk, 1 +driesjtuver.nl, 1 +driessoftsec.tk, 1 +driestwegkerk.nl, 1 +driftdude.nl, 1 +drifter.tk, 1 +driftingruby.com, 1 +driftkikker.tk, 1 +driftsjournal.dk, 1 +drikaartesanato.com, 1 +drikuansvarligt.dk, 1 +drill.st, 1 +drillcalendar.ga, 1 +drillingsupply.info, 1 +drillingsupplystore.com, 1 +drillion.net, 1 +drillshackresort.com, 1 +drillster.ai, 1 +drillster.be, 1 +drillster.biz, 1 +drillster.cn, 1 +drillster.co, 1 +drillster.co.in, 1 +drillster.co.za, 1 +drillster.com, 1 +drillster.com.br, 1 +drillster.de, 1 +drillster.es, 1 +drillster.eu, 1 +drillster.fr, 1 +drillster.info, 1 +drillster.it, 1 +drillster.mobi, 1 +drillster.net, 1 +drillster.nl, 1 +drillster.org, 1 +drillster.ro, 1 +drillster.se, 1 +drillster.us, 1 +drilster.com, 1 +drilster.nl, 1 +dring.tf, 1 +drink-team.tk, 1 +drinkablegifts.com, 1 +drinkcontrolapp.com, 1 +drinkgo.vn, 1 +drinking.tk, 1 +drinklife.tk, 1 +drinkplanet.eu, 1 +drinks.my, 1 +drinksontap.co.uk, 1 +drinkvhemp.com, 1 +dripflow.co, 1 +dripnaija.com, 1 +dripshop.live, 1 +drishtibeats.com, 1 +drishtiias.com, 1 +drison.com, 1 +drissner.me, 0 +driv.io, 1 +drive.google.com, 1 +driveandpark.com, 1 +driveandpark.de, 1 +driveandpark.nl, 1 +drivebespokelab.media, 1 +drivebolt.co.uk, 1 +drivechat.com.au, 1 +drivecrestwood.com, 1 +drivedannyherman.com, 1 +drivedavis.com, 1 +drivedmbowman.com, 1 +drivedvv.ru, 1 +driveelectric.gov, 1 +driveexport.com, 1 +driveforadtransport.com, 1 +driveforartur.com, 1 +driveincleveland.com, 1 +drivemorganvanlines.com, 1 +driven2shine.eu, 1 +drivencollision.com, 1 +drivenes.net, 1 +driventheatre.com, 1 +driventoday.com, 1 +driveoakleytransport.com, 1 +drivepaultransportation.com, 1 +driver.ru, 1 +driveral.com, 1 +driveral.hu, 1 +driverhome.com, 1 +driverinthebox.it, 1 +drivermerkezi.tk, 1 +driversandsoftware.com, 1 +driverscollection.com, 1 +drivestarfreight.com, 1 +drivetonortheast.com, 1 +drivewaygateopener.com, 1 +drivewaymaintenance.repair, 1 +driveyouradblockcounterup.com, 1 +driving-lessons.co.uk, 1 +drivingacademy.tk, 1 +drivingcalculator.ga, 1 +drivinginstruction.tk, 1 +drivingschoolnearmelbourne.com.au, 1 +drivio.co.uk, 1 +drivio.uk, 1 +drivya.be, 1 +drivya.ch, 1 +drivya.com, 1 +drivya.nl, 1 +driwch.tk, 1 +drixn.com, 0 +drixn.info, 1 +drixn.net, 1 +drizz.com.br, 0 +drjacquesmalan.com, 1 +drjaensch.de, 1 +drjaisejoy.com, 1 +drjart.com, 0 +drjoaquimserraodecastro.com.br, 1 +drjoe.ca, 1 +drjosebarrera.com, 1 +drjulianneil.com, 1 +drjungspine.com, 1 +drk-blutspende.de, 1 +drk-oberhausen-rheinhausen.de, 1 +drkashany.ir, 1 +drkazim.com, 1 +drkbri.ru, 1 +drkhsh.at, 1 +drksachsen.de, 1 +drlarakiortho.com, 1 +drleoplasticsurgery.com, 1 +drlevi.cf, 1 +drlevi.ga, 1 +drlinkcheck.com, 1 +drloizides.com, 1 +drlp.link, 1 +drlynnehinkle.com, 1 +drmartindentistry.com, 1 +drmarwanbaroud.com, 1 +drmcdaniel.com, 1 +drmiltenbergermd.com, 1 +drminev.com, 1 +drms.us, 1 +drmtransit.com, 1 +drmvl.org, 1 +drnatura.fr, 1 +drnjewels.com, 1 +drobina.top, 1 +drogaleste.com.br, 1 +drogariasnovafarma.com.br, 1 +drogoz.moe, 1 +drohnen-camp.de, 1 +droid101.com, 1 +droidafrica.net, 0 +droidandy.com, 1 +droidapp.nl, 1 +droidchart.com, 1 +droidguide.ga, 1 +droidhere.com, 1 +droidific.com, 1 +droidtrix.ga, 1 +droidwars.tk, 1 +droidwiki.de, 1 +droitalecole.org, 1 +droitdunet.fr, 1 +dromax.hu, 1 +dromotique.com, 1 +dronalti.fr, 1 +drone-it.net, 0 +drone-laws.com, 1 +drone-mapping.expert, 1 +drone-traveller.com, 1 +drone33.fr, 1 +dronebase.cf, 1 +dronebl.org, 1 +dronedeploy.com, 1 +droneland.nl, 1 +dronepanorama.net, 1 +dronepanorama.nl, 1 +dronepilotgeorgia.com, 1 +dronepit.dk, 1 +droneservices.com.fj, 1 +droneshield.com.br, 1 +droneson.com.br, 1 +dronesquadcoptersales.ga, 1 +droneup.pl, 1 +droneways.tech, 1 +dronix.tk, 1 +dronografia.es, 1 +droom.in, 1 +droomhuis-in-zuid-holland-kopen.nl, 1 +drop-zone.tk, 1 +drop.com, 1 +dropbox.com, 1 +dropboxer.net, 1 +dropchat.cf, 1 +dropchat.ga, 1 +dropchat.ml, 1 +dropcop.com, 1 +dropden.com, 1 +droperplus.com, 1 +dropeverythingrecords.com, 1 +droply.host, 1 +dropmb.com, 1 +droppia.io, 1 +dropq.nl, 1 +dropscloud.spdns.de, 1 +dropsdesign.tk, 1 +dropshell.net, 1 +dropshipp.site, 1 +dropshippers.gq, 1 +dropsite.com.au, 1 +droso.dk, 1 +drosophila.tk, 1 +drost.la, 1 +drought.gov, 1 +drowz.ee, 1 +drpetervoigt.ddns.net, 1 +drpetervoigt.de, 1 +drpico.com.au, 1 +drpil.nl, 1 +drponciano.com, 1 +drpure.top, 1 +drpush.ru, 1 +drrachellemeaux.com, 1 +drradin.com, 1 +drricardofretes.com, 1 +drros.ru, 1 +drrr.chat, 1 +drrr.com, 1 +drrr.wiki, 1 +drryanstanton.com, 1 +drsajjadian.com, 1 +drsamkelojiyana.co.za, 1 +drsamuelkoo.com, 1 +drschusterman.com, 1 +drsejf.cz, 1 +drshadankabiri.com, 1 +drshefalibatra.com, 1 +drsimonematousek.com, 1 +drsiv.com, 1 +drsoul.band, 1 +drspiro.com, 1 +drsports.bet, 1 +drstephanieteotia.com, 1 +drsteveart.com, 1 +drstevenwarnock.com, 1 +drsturgeonfreitas.com, 1 +drt.org.nz, 1 +drtanyaescobedo.com, 1 +drthalhammer.at, 1 +drthiagopinheiro.com.br, 1 +drthiagorighetto.com.br, 1 +drtimmarch.com, 1 +drtimothysteel.com.au, 1 +drtimothysteeljournal.com, 1 +drtimothysteelnetwork.com, 1 +drtimothysteelresults.com, 1 +drtimothysteelscholarship.com.au, 1 +drtimothysteelvideos.com, 1 +drtragency.com, 1 +drtsaiclinic.com, 1 +drtti.io, 1 +drturner.com.au, 1 +drubn.de, 1 +druckerei-huesgen.de, 1 +druckereiclassen.de, 1 +druckerfehlermeldungen.de, 1 +drugenforcementedu.org, 1 +drugfreeworkplaces.com, 1 +drugpromosers.ga, 1 +drugrehabjohannesburg.co.za, 1 +drugs.com, 1 +drugsindustry.tk, 1 +drugstore.bg, 1 +drugtestingcourses.com, 1 +drugwars.tk, 1 +drugzone.tk, 1 +druides.tk, 1 +druidry.org, 1 +druids.site, 1 +druidwebdesign.com, 1 +druko.cf, 1 +druko.ga, 1 +druko.gq, 1 +drum-majo-ijsselstrand.tk, 1 +drum.tk, 1 +drumbe.at, 1 +drummachines.ga, 1 +drummer.cf, 1 +drummondframing.com, 1 +drumnbass.tk, 1 +drunkcalc.com, 1 +drunkendropkes.tk, 1 +drupal.org, 1 +drupalfr.be, 1 +drusantia.net, 1 +drusillas.co.uk, 1 +druwe.net, 1 +druznek.rocks, 1 +druznek.xyz, 1 +druzya.store, 1 +drvanessaphua.com, 1 +drwang.group, 0 +drweissbrot.com, 1 +drweissbrot.de, 1 +drweissbrot.net, 1 +drwilfredbrown.com, 1 +drwongsuni.com.sg, 1 +drwoods.com, 1 +dry-cleaning.tk, 1 +dryashplasticsurgery.com, 1 +dryasinakgul.com, 1 +drybjed.net, 1 +drybysuperior.com, 1 +drycreekphoto.com, 1 +drydensfairfax.com, 1 +dryerrepairaustin.com, 1 +dryerventcleaningarlington.com, 1 +dryerventcleaningcarrollton.com, 1 +drymx.cn, 1 +dryskin.cf, 1 +dryskin.ga, 1 +dryskin.gq, 1 +dryskin.ml, 1 +dryskin.tk, 1 +dryusdan.space, 1 +drywall.com.co, 1 +drywallresponse.gov, 1 +dryzgov.tk, 1 +drzhnn.com, 1 +drziyayavuz.com, 1 +ds-networks.at, 1 +ds-networks.eu, 1 +ds-srv.net, 1 +ds-statistik.de, 1 +ds-ultimate.de, 1 +ds.lol, 1 +ds.me, 1 +ds1.io, 1 +ds138.cc, 1 +ds28s.com, 1 +ds388.cc, 1 +ds67.de, 1 +ds915.com, 1 +dsa.cy, 1 +dsac.gov, 1 +dsad209.ml, 1 +dsaengineering.com, 1 +dsanborndesign.com, 1 +dsar.info, 1 +dsbc.tk, 1 +dsblog.biz, 1 +dscharrer.com, 1 +dschwarzachtaler.de, 1 +dscsigncert.com, 1 +dsdlove.com, 1 +dsdomains.com, 1 +dsds-ltd.com, 0 +dse-assessments.co.uk, 0 +dsebastien.net, 1 +dsecure.me, 1 +dseg.org, 1 +dsektionen.se, 0 +dsfc.net, 1 +dsfzsq.com, 1 +dsg.ac.cn, 1 +dsg.gd.cn, 1 +dsg.lol, 1 +dsgnet.hu, 1 +dsgnwrld.com, 1 +dsgv.de, 1 +dsgvo-addon.eu, 1 +dsgvo-analyse.de, 1 +dsgvo.name, 1 +dsh.io, 1 +dshield.org, 1 +dsimonitor.online, 1 +dsiteam.in, 1 +dsjbvba.be, 1 +dskbank.bg, 1 +dskrecords.tk, 1 +dslz.tk, 1 +dsm5.com, 1 +dsmjs.com, 1 +dsmnet.org, 1 +dsn-it.com, 1 +dsn-k.com, 1 +dso-izlake.si, 1 +dsobook.club, 1 +dsol.hu, 1 +dsorter.com.ng, 1 +dsosbelasek.cz, 1 +dsouzamusic.com, 1 +dsp-audiovisueel.nl, 1 +dsp-wiki.com, 1 +dspace.pl, 1 +dspbz.ro, 1 +dspnor.com, 1 +dspretoria.co.za, 1 +dspropertyservicesltd.co.uk, 1 +dsreal.de, 1 +dssresearch.com, 1 +dsswise.org, 1 +dstamou.de, 1 +dsteiner.at, 1 +dstnct.co, 1 +dstnutec.in, 1 +dstvnearme.co.za, 1 +dsu4.ru, 1 +dsuinnovation.com, 1 +dsv-gruppe.de, 1 +dsv-salesmanager.de, 1 +dsy4567.cf, 1 +dsysav.com, 1 +dsysav.lol, 1 +dsysav.xyz, 1 +dsysav01.com, 1 +dsysav02.com, 1 +dsyunmall.com, 1 +dt-privacyportal-ui.azurewebsites.net, 1 +dt2rmc.pt, 1 +dtbouncycastles.co.uk, 1 +dtbw.eu, 1 +dtbw.net, 1 +dtbw.org, 1 +dtconsoles.tk, 1 +dtdi.com, 1 +dtdsh.com, 1 +dte.vn, 1 +dtf.digital, 1 +dtg-fonds.com, 1 +dtg-fonds.de, 1 +dtg-fonds.net, 1 +dtgmns.com, 1 +dtguide.ga, 1 +dths.dk, 1 +dtinel.org, 1 +dtk-vom-chausseehaus.de, 1 +dtleague.eu, 1 +dtmbnl.com, 1 +dtmbx.com, 1 +dtmbx.email, 1 +dtmbx.eu, 1 +dtmbx.net, 1 +dtmbx.nl, 1 +dtmbx.org, 1 +dtmedia.se, 1 +dtmf.io, 1 +dtmlnp.com, 1 +dtngny.com, 1 +dtnx.email, 1 +dtnx.eu, 1 +dtnx.net, 1 +dtnx.org, 1 +dtnx.social, 1 +dtnxny.com, 1 +dtrifonov.cf, 1 +dtto.com, 1 +dtuaarsfest.dk, 1 +dtune.me, 1 +dtx.sk, 1 +dual-aspect.com, 1 +dual-universe.ga, 1 +dual.cat, 1 +dual.pw, 0 +dualascent.com, 1 +dualbix.com, 1 +dualcore.tk, 1 +dualexistence.xyz, 1 +dualias.xyz, 0 +dualize.io, 1 +dualsimadapter.com, 1 +dualuniverse.game, 1 +duama.top, 1 +duan-dky.me, 1 +duanemorrisinstitute.com, 1 +duanre.tk, 1 +duanyong.com, 1 +duarteeleiteconsultoria.com.br, 1 +dubai-fashions.com, 1 +dubai-realestate.space, 1 +dubaiaerospace.com, 1 +dubaiaward.link, 1 +dubaibliss.com, 1 +dubaicourses.com, 0 +dubaifitnesschallenge.com, 1 +dubaigrandsale.com, 1 +dubaiprivatejetcharter.com, 1 +dubairanking.com, 1 +dubairun.com, 1 +dubaisc.ae, 1 +dubaistudiocity.ae, 1 +dubaitourism.gov.ae, 1 +dubaivisa.net, 1 +dubaizone.cf, 1 +dubawa.org, 1 +dubboskills.com.au, 1 +dubcowa.tk, 1 +dubex.de, 1 +dubious-website.com, 1 +dubl.tk, 1 +dublinguide.ie, 1 +dublinrail.tk, 1 +dublinseocompany.ie, 1 +duboeuf.com, 1 +duboisinternational.com, 1 +duboisinvestissements.com, 1 +dubolom.tk, 1 +dubrava.tk, 1 +dubreuilville.ca, 1 +dubridgeweb.be, 1 +dubrovnik.tours, 1 +dubrovnikfoodtours.com, 1 +dubrovskiy.cf, 1 +dubrovskiy.net, 1 +dubrovskiy.pro, 1 +dubslow.tk, 1 +dubstep.fr, 1 +dubtrack.fm, 1 +dubuquecountyiowa.gov, 1 +dubyou.tw, 1 +ducadu.com, 0 +ducalendars.com, 1 +duch.cloud, 1 +duchyoffeann.com, 1 +ducite.ga, 1 +ducius.net, 1 +duckbase.com, 1 +duckblade.com, 1 +duckcorp.org, 1 +duckduckstart.com, 1 +duckeight.win, 1 +duckerings.com, 1 +duckeringstransport.biz, 1 +duckeringstransport.com, 1 +duckfam.us, 1 +duckfx.tk, 1 +duckhub.io, 1 +duckinc.net, 0 +duckman.tk, 1 +duckmapr.com, 1 +duckonthepond.com, 1 +duckside.tk, 1 +ducksify.com, 1 +ducksoft.fi, 1 +duckstad.net, 1 +duckyubuntu.com, 1 +duckyubuntu.tk, 1 +ductcare.com, 1 +dudedood.tk, 1 +dudeexpert.cf, 1 +dudesunderwear.com.br, 0 +dudleypolicema.gov, 1 +dudushu.com, 1 +due-diligence-security.com, 1 +duediligencedataroom.com, 1 +duelhost.dk, 1 +duelingaces.com, 1 +duellin.tv, 1 +duelsow.eu, 1 +duenas.cat, 1 +duepuntozero.tk, 1 +duerlund-falkenberg.dk, 1 +duerlundfalkenberg.dk, 1 +duerme.net, 1 +dues-eckert.com, 1 +duesee.org, 1 +duesseldorf.tk, 1 +duesseldorferheineburschenschaft.tk, 1 +duesterhus.eu, 1 +duewestsc.gov, 1 +duffau.net, 1 +duffdignity.tk, 1 +duffel.com, 1 +dufortassociates.com, 1 +dufrei.com, 1 +dug.net.pl, 1 +dugehstonline.de, 1 +duggtec.com, 1 +dugle80.com, 1 +dugnet.io, 0 +dugnet.net, 0 +dugnet.tech, 0 +dugongo.tk, 1 +dugoutsports.com, 1 +dugunedavet.com, 1 +duh.se, 1 +duhanic.com, 1 +duhanic.de, 1 +duhivip.ml, 1 +duhurensohn.de, 1 +duhy.sk, 1 +duijf.info, 1 +duijf.io, 1 +duijfathome.nl, 1 +duiker101.tk, 1 +duitse-herders.tk, 1 +duizhangs.tk, 1 +duka.bg, 1 +duka.com.gr, 1 +duka.com.ro, 1 +dukaj.org, 1 +dukaj.tk, 1 +dukan-recepty.ru, 1 +duke-nukem.tk, 1 +dukeandduchessdrivingschool.co.uk, 1 +dukefox.com, 0 +dukegat.de, 0 +dukeipai.org, 0 +dukeofmetal.tk, 1 +dukers-baelemans.nl, 0 +dukes-london.com, 1 +dukes.ca, 1 +dukin.tk, 1 +dukkanacmak.com, 1 +dukun.de, 1 +dulanic.com, 1 +dulce-reverie.ro, 1 +dulcehome.ch, 1 +dulceysalado.tk, 1 +dulcinea.eu.org, 1 +dulcinea.tk, 1 +dulei.si, 1 +duleos.com.br, 1 +duloxetinbestellen.gq, 1 +duloxetine.gq, 1 +dulse.fr, 1 +dulurtekno.co.id, 1 +dulux.co.nz, 1 +dulux.com.au, 1 +dum.moe, 1 +dum.tw, 1 +dumax.fr, 1 +dumb-laws.net.ru, 1 +dumbcryptopunks.com, 1 +dumbdrinker.com, 1 +dumbeartech.com, 1 +dumberger-bau.de, 1 +dumbfunded.co.uk, 1 +dumbmeta.com, 1 +dumek.com, 1 +dumek.it, 1 +dumeng.org, 1 +dummo.tk, 1 +dumnezeu.tk, 1 +dumping.tk, 1 +dumpper.ch, 1 +dumpper.com, 1 +dumpsterdudez.com, 1 +dumspiro.ch, 1 +dunamiscommunity.com, 1 +dunangel.com, 1 +dunassyn.com, 1 +dunatos.tk, 1 +dunbarboropa.gov, 1 +dunbarmoving.com, 1 +dunberghof.tk, 1 +duncancmt.com, 1 +duncanfamilytrust.org, 1 +duncanwinfrey.com, 1 +dunce.cf, 1 +duncm.com, 1 +dundalk.ie, 0 +dundalkdonnie.com, 1 +dundalkskillnet.ie, 1 +dundeeutility.tk, 1 +dunedot.tk, 1 +dunesadventure.net, 1 +dunescorporation.tk, 1 +dungbui.co, 0 +dungbui.net, 1 +dungchata.com, 1 +dungeon-bbs.de, 1 +dungeoncity.com, 1 +dungeonedraghi.it, 1 +dungeonfire.tk, 1 +dungeonline.com, 1 +dunia-news.tk, 1 +dunkelmann.eu, 1 +dunkerhosting.nl, 1 +dunkirkin.gov, 1 +dunklau.fr, 1 +dunkle-seite.org, 1 +dunlaptn.gov, 1 +dunmanelectric.com, 1 +dunmanpoolandspa.com, 1 +dunningtonaudio.co.uk, 1 +dunwellgroup.info, 1 +dunyahalleri.com, 1 +duo-tauceti.com, 1 +duo.com, 1 +duobus.nl, 1 +duocircle.com, 0 +duodeno.tk, 1 +duoduocha.com, 1 +duoduodazhe.com, 1 +duohao.xyz, 0 +duolife.us, 1 +duoluodeyu.com, 1 +duonganhtuan.com, 1 +duoqichina.cn, 1 +duoqichina.com, 1 +duoquadragintien.fr, 1 +duoyin.com, 1 +dupagecounty.gov, 1 +dupagecourts.gov, 1 +dupageresults.gov, 1 +dupfx.com, 1 +duplicazionechiavi.it, 1 +duplika.com, 1 +dupontdentistry.com, 1 +dupuis.xyz, 1 +duquess.com.br, 1 +duquoinil.gov, 1 +dura.si, 1 +durabletravailler.tk, 1 +durad.in.rs, 1 +durad.xyz, 1 +duraes.pt, 0 +durakinesis.tk, 1 +duramaximportaciones.com, 1 +duranceofhate.com, 1 +durand.com.br, 1 +durand.tf, 1 +durand.tk, 1 +durandeau.org, 1 +durandwi.gov, 1 +durangoaldezaharra.tk, 1 +durangoenergyllc.com, 1 +durantchamber.org, 1 +durastudio.com, 1 +durcal.tk, 1 +durchblick-shop.de, 1 +durcoin.org, 1 +duredo.com, 1 +dureuil.info, 1 +durexwinkel.nl, 1 +durfteparticiperen.nl, 1 +durganews.com, 1 +durhammaine.gov, 1 +durhammoneyman.com, 1 +durhamnh.gov, 1 +duria.de, 1 +duriandelivery.net, 1 +durianexpressdelivery.com.sg, 1 +duriantech.net, 1 +duriemas.com, 1 +duroterm.ro, 1 +durtk.com, 1 +durvalpereira.com.br, 0 +durys.be, 1 +dusablemuseum.org, 1 +duschfiltershop.de, 1 +dushu.cat, 1 +duskraven.tk, 1 +dusmomente.com, 1 +dusnan.com, 1 +dust.tk, 1 +dust4you.tk, 1 +dustbox.tk, 1 +dustinbrett.com, 1 +dustindecker.com, 1 +dustman.tk, 1 +dustpla.net, 1 +dustplanet.de, 1 +dustri.org, 1 +dustshop.tk, 1 +dusty.gr, 1 +dustycloth.com, 1 +dustygroove.com, 1 +dustyro.se, 1 +dustyspokesbnb.ca, 1 +dusupov.gq, 1 +dutabisniz.com, 0 +dutch-alliance.tk, 1 +dutch-physiotherapy.com, 1 +dutch.desi, 1 +dutch1.nl, 1 +dutchassistancedogs.nl, 1 +dutchavifauna.nl, 1 +dutchbeautyacademy.nl, 1 +dutchbeercollective.nl, 1 +dutchbird.tk, 1 +dutchbirdalerts.nl, 1 +dutchbirding.nl, 1 +dutchbodybuilding.com, 1 +dutchcariblaw.nl, 0 +dutchcichlidplanet.tk, 1 +dutchconcreations.com, 1 +dutchdungeon.tk, 1 +dutchessuganda.com, 1 +dutchfoodie.nl, 1 +dutchforkrunners.com, 1 +dutchglover.tk, 1 +dutchie.info, 1 +dutchmobilityinnovations.com, 1 +dutchpentathlon.nl, 1 +dutchperformanceproducts.nl, 1 +dutchplayers.com, 1 +dutchrocksite.tk, 1 +dutchsailors.com, 1 +dutchwanderers.nl, 1 +dutify.com, 1 +dutkoteam.com, 1 +dutrac.co.id, 1 +dutt.ch, 1 +dutton.uk, 1 +duttonmt.gov, 1 +dutyfreeperfumes.tk, 1 +duurzaamgww.nl, 1 +duurzaamheidskaart.nl, 1 +duv.al, 1 +duval.info, 1 +duval.li, 1 +duval.ovh, 1 +duval.paris, 1 +duval.pm, 1 +duval.re, 1 +duvalelections.gov, 1 +duvalo.eu, 1 +duvalo.info, 1 +duvalo.net, 1 +duvalo.org, 1 +duvalo.sk, 1 +duvessa.tk, 1 +duwitmu.com, 1 +duxbow.de, 1 +duxbury-ma.gov, 1 +duxi-s-feromonami.ga, 1 +duysondang.name.vn, 1 +duzavo.cz, 1 +duzcehaberleri.tk, 1 +duzcesondakika.tk, 1 +dv-project.ru, 1 +dv.cn, 1 +dvbris.co.uk, 1 +dvbris.com, 1 +dvbtmap.eu, 1 +dvclub.tk, 1 +dvd.wtf, 1 +dvdassistanceers.ga, 1 +dvdforum.ga, 1 +dvdinmotion.com, 1 +dvdland.com.au, 1 +dvdmania.ga, 1 +dvdmusic.ga, 1 +dvdrein.net, 1 +dvds.casa, 1 +dveretti.com, 1 +dveri-lugansk.tk, 1 +dvgsites.com, 1 +dvhosting.be, 1 +dvipadmin.com, 1 +dvkg.de, 1 +dvminsight.com, 1 +dvn.pt, 1 +dvnatura.ch, 0 +dvor.ml, 1 +dvorek-karlin.cz, 1 +dvorekkarlin.cz, 1 +dvoretsvramoni.ru, 1 +dvorupotocnych.sk, 1 +dvotx.org, 1 +dvpc.net, 1 +dvprogram.us, 1 +dvu.com.tr, 1 +dvwc.org, 1 +dvx.cloud, 1 +dw-connect.org, 1 +dw-loewe.de, 0 +dw-software.de, 1 +dw6.cn, 1 +dwarf.com.tw, 1 +dweb.link, 1 +dweilorkest-frederikshaven.tk, 1 +dwgeneralcontractors.com, 1 +dwgf.xyz, 1 +dwienzek.de, 1 +dwightd.com, 1 +dwightgunning.com, 1 +dwihn.org, 1 +dwiminneapolislawyer.com, 1 +dwnld.me, 1 +dwood.store, 1 +dworzak.ch, 1 +dwservice.net, 1 +dwt-inc.com, 1 +dwt-onderwijsencoaching.nl, 1 +dwtonline.com, 0 +dwu21.net, 1 +dww.hu, 1 +dwwt.eu, 1 +dwwt.net, 1 +dwwt.nl, 1 +dwwt.org, 1 +dwz-solutions.com, 1 +dwz-solutions.de, 0 +dwz-solutions.eu, 0 +dwz-solutions.net, 0 +dwz.wtf, 1 +dx-revision.com, 1 +dxa.io, 0 +dxcv.net, 1 +dxfootball.tk, 1 +dxgl.info, 1 +dxgl.org, 1 +dxm.no-ip.biz, 1 +dxrating.net, 1 +dxsigner.com, 1 +dxzl.org, 1 +dxzsj.cn, 1 +dy.express, 1 +dy.me, 0 +dy1d.com, 1 +dyachenko.ml, 1 +dyarakotijobs.com, 1 +dybuster.at, 1 +dybuster.ch, 1 +dybuster.com, 1 +dybuster.de, 1 +dybuster.es, 1 +dybuster.it, 1 +dybuster.se, 1 +dycoa.com, 1 +dydesign.space, 1 +dyeager.org, 1 +dyedurhamterrain.com, 1 +dyingflame.tk, 1 +dykebaby.tk, 1 +dyktig.as, 1 +dylan-motorcross.tk, 1 +dylancl.cf, 1 +dylancl.fr, 1 +dylandeconinck.cf, 1 +dylandulaney.com, 1 +dylanhansch.net, 1 +dylankatz.com, 1 +dylanknoll.ca, 1 +dylanlogan.xyz, 1 +dylansevier.com, 1 +dylanspcrepairs.com, 1 +dylantjb.com, 1 +dylanuwr.pl, 1 +dylanwise.net, 1 +dylanwolff.com, 1 +dylmye.me, 1 +dylnuge.com, 1 +dym.asia, 1 +dym2012.com, 1 +dym2013.com, 1 +dym2014.com, 1 +dym2017.com, 1 +dyma.fr, 1 +dymdajce.ovh, 1 +dymension-uat.co.uk, 1 +dymension.co.uk, 1 +dymfbbs.com, 1 +dymmo.tk, 1 +dymmovie.com, 1 +dymond.net, 1 +dymov.tk, 1 +dymovskiy.ru, 1 +dymowski.de, 0 +dyn-dnhensel.de, 1 +dyn-nserve.net, 1 +dyn.net, 1 +dynabob.tk, 1 +dynacast.com, 1 +dynacrop.space, 1 +dynadns.de, 1 +dynah.net, 1 +dynalab.pl, 1 +dynaloop.net, 0 +dynamic-movie.com, 1 +dynamic-networks.be, 1 +dynamicalsystem.work, 1 +dynamicasoft.com, 1 +dynamicathletes.ga, 1 +dynamicbusinessconsultants.ga, 1 +dynamicdesignuk.com, 1 +dynamicdiesupply.com, 1 +dynamicenergy.co, 1 +dynamicini.org, 1 +dynamiclogodesigns.com, 1 +dynamicmart.pk, 1 +dynamicpl.us, 1 +dynamicplus.it, 1 +dynamicquantum.net, 1 +dynamicsdays.info, 1 +dynamicservers.co.uk, 1 +dynamicsnetwork.net, 1 +dynamicsretailnotes.com, 1 +dynamictesting.co.uk, 1 +dynamictostatic.com, 1 +dynamicyou.co.uk, 1 +dynamis.tk, 1 +dynamitejobs.com, 1 +dynamix-tec.com, 1 +dynamixsolutions.com, 1 +dynamofanforum.de, 1 +dynasend.com, 1 +dynasoft.co.ke, 1 +dynastic.co, 1 +dynasty-warriors.net, 1 +dynastyredzone.com, 1 +dynatos-cloud.com, 1 +dyncdn.me, 1 +dyncdn2.com, 1 +dyneco.io, 1 +dynet.ru, 1 +dynn.be, 0 +dynorphin.com, 1 +dynorphins.com, 1 +dynsoundmax.tk, 1 +dynts.pro, 1 +dynx.pl, 1 +dypromed.com, 1 +dyregrave.dk, 1 +dyremyhr.no, 1 +dyrenesverden.no, 1 +dyreplassen.no, 1 +dyrkar.se, 1 +dyrkshop.com, 1 +dysautonomia-postsyndrome.com, 1 +dyscalculia-blog.com, 1 +dysco.tk, 1 +dysgucymraeg.cymru, 1 +dyslexicfish.com, 1 +dyslexicfish.net, 1 +dysthymia.com, 1 +dyuimovochka.tk, 1 +dyve.me, 1 +dyykkarit.tk, 1 +dyyn.de, 1 +dyz.pw, 1 +dz-hyp.ag, 1 +dz-hyp.com, 1 +dz-hyp.de, 1 +dz6729.com, 1 +dz68.cc, 1 +dz6957.com, 1 +dz7337.com, 1 +dzar.nsupdate.info, 1 +dzet.de, 1 +dzhyp.ag, 1 +dziaduch.pl, 1 +dziecismoka.pl, 1 +dziekonski.com, 1 +dzimchuk.net, 1 +dzingel-personaldienst.de, 1 +dziscover.com, 1 +dziura.email, 0 +dziurdzia.pl, 1 +dziv.net, 1 +dzivniekubriviba.lv, 0 +dzmonarchie.tk, 1 +dzndk.com, 1 +dzndk.net, 1 +dzndk.org, 1 +dzogchentoday.org, 1 +dzomo.org, 0 +dzpc3.site, 1 +dzsi.bi, 0 +dzsibi.com, 1 +dzsula.hu, 1 +dzu.fund, 1 +dzu.life, 1 +dzuka.sk, 1 +dzus.tk, 1 +dzworld.com, 1 +dzyabchenko.com, 0 +dzyszla.pl, 1 +e-account.by, 0 +e-alink.com, 1 +e-antikvar.tk, 1 +e-arteria.pl, 1 +e-bags.tk, 1 +e-balloons.tk, 1 +e-bap.net, 1 +e-baraxolka.ru, 1 +e-belgia.tk, 1 +e-bikesdirect.co.uk, 1 +e-bill.ovh, 1 +e-blueprint.co.uk, 1 +e-bodybuilding.tk, 1 +e-boekhouden.nl, 1 +e-bookshelf.de, 1 +e-borneoshop.com, 1 +e-boss.tk, 1 +e-branchekoden.dk, 1 +e-buro.tk, 1 +e-classroom.tk, 1 +e-coduct.eu, 1 +e-coexist.com, 1 +e-colle.info, 1 +e-copys.com, 1 +e-cottage.com.br, 1 +e-dechet.com, 1 +e-dengi.tk, 1 +e-diabolo.tk, 1 +e-diapers.tk, 1 +e-diasporan.cf, 1 +e-diasporan.ga, 1 +e-diasporan.gq, 1 +e-diasporan.ml, 1 +e-dnevnik.hr, 1 +e-driver.fr, 1 +e-dv.eu, 1 +e-e.icu, 1 +e-emploi.be, 1 +e-enterprise.gov, 1 +e-estonia.com, 0 +e-estonians.ee, 1 +e-facture.net, 1 +e-farm.com, 1 +e-fireplaces.tk, 1 +e-fishing.tk, 1 +e-fitnes.tk, 1 +e-flotila.cz, 1 +e-frontier.systems, 1 +e-games-board.tk, 1 +e-gc.de, 1 +e-generator.tk, 1 +e-geologia.tk, 1 +e-goi.com, 1 +e-gso.com, 1 +e-guestbooks.com, 1 +e-guvence.com, 1 +e-hair.tk, 1 +e-havenotime.tk, 1 +e-homebiz.tk, 1 +e-house.tk, 1 +e-id.ee, 1 +e-ideamagazine.ga, 1 +e-informatyk.tk, 1 +e-insportline.pl, 1 +e-instalator.pl, 1 +e-interactivenet.tk, 1 +e-interview.tk, 1 +e-islam.tk, 1 +e-jackets.tk, 1 +e-jasiecki.pl, 1 +e-jewelrys.tk, 1 +e-kartinki.tk, 1 +e-klempir.cz, 1 +e-knitting.tk, 1 +e-knitwear.tk, 1 +e-kultura.tk, 1 +e-lambre.com, 1 +e-lamp.tk, 1 +e-latvenergo.lv, 1 +e-launch.nl, 1 +e-learningbs.com, 1 +e-lexia.com, 1 +e-lifetechnology.com, 1 +e-loshadka.tk, 1 +e-loukidis.gr, 1 +e-lupo.pl, 1 +e-mak.eu, 1 +e-massage.tk, 1 +e-matras.ua, 1 +e-medicines.tk, 1 +e-mieszkania.org.pl, 1 +e-migration.ch, 0 +e-nail.tk, 1 +e-name.tk, 1 +e-nanum.kr, 1 +e-nature.tk, 1 +e-networks.jp, 1 +e-node.ru, 1 +e-ops.bg, 1 +e-otdyx.tk, 1 +e-peeling.tk, 1 +e-peets.tk, 1 +e-petition-petitions.net, 1 +e-petition-support-us.net, 1 +e-petition.net, 1 +e-petitions.by, 1 +e-placement.tk, 1 +e-planshet.tk, 1 +e-plus-m.de, 1 +e-pns.com, 1 +e-pokupki.eu, 1 +e-polygraphy.tk, 1 +e-privat.info, 1 +e-promotion.tk, 1 +e-ptn.com, 1 +e-quip.cz, 1 +e-random.com, 1 +e-receta.cl, 1 +e-recruitment.tk, 1 +e-redes.pt, 1 +e-referendum.cz, 1 +e-repairs.tk, 1 +e-resident.gov.ee, 1 +e-resident.me, 1 +e-rest.tk, 1 +e-rober.tk, 1 +e-sauna.tk, 1 +e-scraper.com, 1 +e-sell.tk, 1 +e-sell.today, 1 +e-servicerms.com, 1 +e-shobai.com, 1 +e-shonai.com, 1 +e-sisyu.com, 0 +e-sklep.biz, 1 +e-slots.tk, 1 +e-smile.tk, 1 +e-sneakers.tk, 1 +e-standardstore.org, 1 +e-streams.tv, 1 +e-student.tk, 1 +e-styling.tk, 1 +e-sweaters.tk, 1 +e-tables.tk, 1 +e-tablets.tk, 1 +e-tarotlasky.cz, 1 +e-teacher.pl, 1 +e-tech-solution.com, 1 +e-tech-solution.net, 1 +e-technology.tk, 1 +e-techsolution.com, 1 +e-techsolutions.net, 1 +e-ticaret.site, 1 +e-tires.tk, 1 +e-tmf.org, 0 +e-top.uz, 1 +e-traceur-france.fr, 1 +e-transformer.tk, 1 +e-trucking.tk, 1 +e-typ.eu, 1 +e-umbrellas.tk, 1 +e-underwear.tk, 1 +e-uteplitel.ru, 1 +e-vau.de, 0 +e-verify.gov, 1 +e-virtus.blog, 1 +e-virtus.com, 1 +e-vykladkaret.cz, 1 +e-walks.tk, 1 +e-wish.tk, 1 +e-wishlist.net, 1 +e-worksmedia.com, 0 +e-yachts.tk, 1 +e-zine.tk, 1 +e.gg, 1 +e.mail.ru, 1 +e00228.com, 0 +e02.cn, 1 +e15r.co, 1 +e1e0.net, 0 +e27.co, 1 +e2b.com.au, 1 +e2ebrindes.com.br, 1 +e2ee-meet.de, 1 +e2epartners.org, 1 +e2essentialelements.com, 0 +e2feed.com, 1 +e2save.com, 1 +e30.ee, 1 +e30gruppe.com, 1 +e34club.com.ua, 1 +e365.vip, 1 +e36533.com, 1 +e3lan.net, 1 +e4.chat, 1 +e42.org, 0 +e4a.org, 1 +e4mc.link, 1 +e4work.com.br, 1 +e5197.co, 1 +e5tv.hu, 1 +e5xbps.com, 1 +e621.download, 1 +e6729.co, 1 +e6729.com, 1 +e6957.co, 1 +e6e.io, 1 +e7180.com, 1 +e7d.io, 1 +e7fun.net, 1 +e82365.com, 1 +e899365.com, 0 +e8bet.net, 1 +e8space.co.nz, 1 +e8space.com, 1 +e8space.nz, 1 +e901.com, 0 +e9297.co, 1 +e9582.com, 1 +e9728.co, 1 +ea-lateleassistance.com, 1 +ea-ru.org, 1 +ea2drocks.com, 1 +eaa-online.org, 1 +eaanderson.com, 1 +eac.gov, 1 +eac0935.com, 1 +eac555.com, 1 +each.tk, 1 +ead-italia.it, 1 +eadea.net, 1 +eaganmn.gov, 1 +eagar.com.au, 1 +eagenda.com.br, 1 +eagle-yard.de, 1 +eaglecounty.gov, 1 +eaglecountyco.gov, 1 +eaglecrest.us, 1 +eaglecustomapparel.com, 1 +eaglefireid.gov, 1 +eaglegrove.gov, 1 +eaglehaslended.com, 1 +eaglelakefl.gov, 1 +eagleled.us, 1 +eaglemoe.com, 1 +eaglemtn.com, 0 +eaglenation.net, 1 +eaglenusa.my.id, 1 +eaglepasstx.gov, 1 +eagleplanners.agency, 1 +eagler.tk, 1 +eagleriverwi.gov, 1 +eagleseven.com, 1 +eaglesightproperties.tech, 1 +eagletechz.com.br, 1 +eaglevilletn.gov, 1 +eaglewreck.info, 1 +eagleyecs.com, 1 +eahea.org, 1 +eaimty.com, 1 +eaip.aero, 1 +eajmail.com, 1 +eakes.com, 1 +eaktarim.com, 1 +ealadel.com, 0 +ealarm-safemode.ch, 1 +ealc.aero, 1 +ealc.lu, 1 +ealekseyev.ml, 1 +ealev.de, 1 +eali.com.ph, 1 +eamadit.com, 1 +eames-clayton.us, 1 +eamigo.com, 1 +eamproperties.com, 1 +eamu.fun, 1 +eandata.com, 1 +eanraig.top, 1 +eaofarlington.com, 1 +eaofaustin.com, 1 +eaofcarrollton.com, 1 +eaofdallas.com, 1 +eaofdfw.com, 1 +eaoffrisco.com, 1 +eaofhouston.com, 1 +eaofirving.com, 1 +eaoftarrantcounty.com, 1 +earfolds.com, 1 +earl-plak.de, 1 +earlsttech.ca, 1 +early-etudes.com, 1 +earlychildhoodteacher.org, 1 +earlytime.com, 1 +earlyvoting.cf, 1 +earlyvoting.gq, 1 +earlyvoting.ml, 1 +earlyyearshub.com, 1 +earmarks.gov, 1 +earnet.tk, 1 +earni.fi, 1 +earningsgames.tk, 1 +earningthatis.tk, 1 +earnosethroat.co.za, 1 +earpconsult.co.uk, 1 +earth-quake.tk, 1 +earthbound.tk, 1 +earthbox.com, 1 +earthcam.com, 1 +earthcam.net, 1 +earthcore.com, 1 +earthcorporation.cf, 1 +eartheld.tk, 1 +earthiq.news, 1 +earthjustice.org, 1 +earthlink.net, 1 +earthpixz.com, 1 +earthpoints.org, 1 +earthshotprize.org, 1 +earthsocialism.org, 1 +earthsolidarity.org, 1 +earthsystemprediction.gov, 1 +earthvoice.ru, 1 +earthwatch.org, 1 +earthytales.in, 1 +eas.ee, 0 +easaccounting.com, 1 +ease.io, 0 +easew.com, 1 +easez.net, 1 +eashwar.com, 1 +easierexams.com, 1 +easiest-way.de, 1 +easlerlaw.com, 1 +easol.com, 1 +east-line.su, 1 +east-westlogistics.com, 1 +east.baby, 1 +eastafricafeed.ga, 1 +eastarm.net, 1 +eastblue.org, 1 +eastcairo-egypt.com, 1 +eastchesternyfd.gov, 1 +eastcoastbubbleandbounce.co.uk, 1 +eastcoastexports.tk, 1 +eastcobbhoa.com, 1 +eastcottvets.co.uk, 1 +eastdream.tk, 1 +eastendonline.tk, 1 +eastendtastemagazine.com, 1 +easternbreezes.com, 1 +easternmontanafair.gov, 1 +easternskatesupply.com, 1 +eastfordct.gov, 1 +eastgreenwichnews.com, 1 +eastgrmi.gov, 1 +easthaddamct.gov, 1 +easthamptonctha.gov, 1 +easthaven-ct.gov, 1 +eastheaven.ml, 1 +eastlandcountytexas.gov, 1 +eastleigh.online, 1 +eastlothianbouncycastles.co.uk, 1 +eastmaintech.com, 1 +eastman.com, 1 +eastmedo.pl, 1 +eastnatfoods.com, 1 +eastnorschool.co.uk, 1 +easton.ga, 1 +eastpeoria-il.gov, 1 +eastpershingdental.com, 1 +eastping.com, 1 +eastplan.co.kr, 1 +eastportcorp.tk, 1 +eastprovidenceri.gov, 1 +eastridgeresidence.com, 1 +easts.in, 1 +eastshare.ml, 1 +eastshore.xyz, 1 +eastside.tk, 1 +eastsidecottages.co.uk, 1 +eastspace.org.uk, 1 +eastspencer.gov, 1 +eaststudios.net, 1 +easttamakiauto.co.nz, 1 +easttea.com, 1 +easttowereg.com, 1 +eastvalleyendo.com, 1 +eastvalleywater.gov, 1 +eastwashingtonpa.gov, 1 +eastwindsorhistory.tk, 1 +eastyorkshirebuses.co.uk, 1 +easukasbestos.co.uk, 1 +easy-affiliations.tk, 1 +easy-company.tk, 1 +easy-design.tk, 1 +easy-drop.co, 1 +easy-factures.fr, 1 +easy-feedback.com, 1 +easy-feedback.de, 1 +easy-katka.ga, 1 +easy-pornvideos.com, 1 +easy-rpg.org, 1 +easy2bathe.co.uk, 1 +easy4ssl.com, 1 +easyaddress.io, 1 +easyadsnbanners.tk, 0 +easybank.at, 1 +easybaufi.com, 1 +easybill.de, 1 +easybiztech.co.za, 1 +easybom.com, 1 +easybot.tk, 1 +easybranches.com, 1 +easybrazilianrecipes.com, 1 +easycater.com, 1 +easycoding.org, 1 +easycom.tk, 1 +easyconstat.com, 1 +easycontentplan.com, 1 +easycrochet.tk, 1 +easydmarc.am, 1 +easydonate.tk, 1 +easydrawingguides.com, 1 +easydumpsterrental.com, 0 +easyenrollment.net, 1 +easyescortwebsites.com, 1 +easyfiles.ch, 1 +easyfiles.gq, 1 +easyfoto.tk, 1 +easygenerator.com, 1 +easygrow.tk, 1 +easyhacks.net, 1 +easyhome.org, 1 +easyhomebiz.tk, 1 +easyhousing.dk, 1 +easyhtml.tk, 1 +easyishare.com, 1 +easyit.ga, 1 +easyit.tk, 1 +easyjumping.tk, 1 +easykash.net, 1 +easykitchens.co.in, 1 +easykonto.de, 0 +easylinker.tk, 1 +easylogics.tk, 1 +easymarketing.uk, 1 +easymeditation.tk, 1 +easymotionskin-japan.jp, 1 +easymun.com, 1 +easynm.cn, 1 +easynotary.ch, 1 +easyocm.hu, 1 +easyonlinetest.tk, 1 +easypay.bg, 1 +easypayment.cf, 1 +easypaymentnow.com, 1 +easypayments.pro, 1 +easypets.fr, 0 +easypost.com, 1 +easypricebook.com, 1 +easypv.ch, 1 +easyqr.codes, 0 +easyradio.gq, 1 +easyreal.ru, 1 +easyretro.io, 1 +easyrpg.org, 1 +easyshare.gq, 1 +easysignup.com, 1 +easyska.tk, 1 +easyslide.be, 1 +easysoft.tk, 1 +easysubmit.tk, 1 +easytamil.tk, 1 +easytap.sv, 1 +easytechguides.com, 1 +easytestonline.tk, 1 +easytext.ga, 1 +easytfa.com, 1 +easytokill.tk, 1 +easytrackghana.com, 1 +easytube.ga, 1 +easywebhosting.tk, 1 +easyweenies.com, 1 +easywin.ml, 1 +easywio.com, 1 +easywrite.com.tw, 1 +eat, 1 +eat-sleep-code.com, 1 +eat-that.tk, 1 +eat-the-world.ch, 1 +eat-vegan.rocks, 0 +eatandsleep.jp, 1 +eatdrinktalk.net, 1 +eatechled.com, 1 +eatery.co.il, 1 +eatfitoutlet.com.br, 1 +eatingasturias.com, 1 +eatinglinks.tk, 1 +eatmebudapest.hu, 1 +eatmportal.eu, 1 +eaton-daitron.jp, 1 +eaton-works.com, 1 +eatonbrowncountywi.gov, 1 +eatry.io, 1 +eats.soy, 1 +eatsleeprepeat.net, 1 +eatson.com, 1 +eatwith.com, 1 +eauclairecounty.gov, 1 +eaucube.com, 1 +eaugenethomas.cf, 1 +eauto-cash.de, 1 +eautocash.de, 1 +eautocollision.com, 1 +eautolease.com, 1 +eauxdevienne.fr, 1 +eava.ga, 1 +eazy.gr, 1 +eazyfreight.co.uk, 1 +eazyg.tk, 1 +eazyinvoice.tk, 1 +eazyproject.net, 1 +eazytailors.ga, 1 +eazzy.tk, 1 +eb-net.de, 1 +eb66.com, 1 +eb7.jp, 1 +eba.com.au, 1 +eba.com.ua, 1 +ebag-solar.com.tr, 1 +ebagroup.tk, 1 +ebakery.de, 1 +eban.bzh, 1 +ebanca.com, 1 +ebanking.indovinabank.com.vn, 1 +ebanking.raiffeisen.ch, 1 +ebankingabersicher.ch, 1 +ebankingbutsecure.ch, 1 +ebankingentoutesecurite.ch, 1 +ebankingmasicuro.ch, 1 +ebarer.com, 1 +ebas.ch, 1 +ebashim.tk, 1 +ebassradiante.cl, 1 +ebataw.com, 1 +ebatech-energiemanagement.nl, 1 +ebatech.be, 1 +ebatech.eu, 1 +ebatech.net, 1 +ebatech.nl, 1 +ebatech.org, 1 +ebatechenergiedisplay.nl, 1 +ebatechenergiemanagement.nl, 1 +ebayinc.com, 1 +ebcfx.com, 1 +ebci-nsn.gov, 1 +ebcired-nsn.gov, 1 +ebdaa-business.com, 1 +eben18.net, 1 +ebenda.org, 1 +ebenisterie-de-villenouvelle.fr, 1 +ebenvloedaanleggen.nl, 1 +eberharter-steine.at, 1 +eberspacher-rus.ru, 1 +ebertlang.com, 0 +eberwe.in, 1 +ebest.co.jp, 1 +ebetbananom.tk, 1 +ebics.cz, 1 +ebics.hu, 1 +ebics.sk, 1 +ebikeanswers.com, 1 +ebikemod.de, 1 +ebilanzplus.de, 1 +ebino.pl, 1 +ebiografia.com, 1 +ebiografias.com.br, 1 +ebis.cloud, 1 +ebis.info, 1 +ebisee.com, 1 +ebizarts.com, 1 +ebiznespro.pl, 1 +ebjork.se, 1 +ebki-nsn.gov, 1 +eblan.gq, 1 +eblandscaping.com.au, 1 +eblog.cf, 1 +eblog.ink, 1 +eboardsolutions.com, 1 +ebola-hosting.cz, 1 +ebola.cz, 1 +ebolacharts.ga, 1 +ebolavirus.tk, 1 +ebony.social, 1 +ebonyfantasies.com, 1 +ebonylog.com, 1 +ebonymgp.com, 1 +ebonymilftube.com, 1 +ebonyriddle.com, 1 +ebonytube.tv, 1 +eboocker.de, 1 +ebookabc.tk, 1 +ebookdep.com, 1 +ebookdrive.tk, 1 +ebooki.eu.org, 1 +ebooknetworking.net, 1 +ebookpdf.com, 1 +ebooks-pdf.cf, 1 +ebooks4all.tk, 1 +ebooks4gate.tk, 1 +ebooksgratis.tk, 1 +ebooksgratuits.org, 1 +ebooksinfocus.com, 1 +ebookspy.tk, 1 +ebookweb.gq, 1 +ebop.ch, 1 +eboxgroup.tk, 1 +eboxtenders.com, 1 +ebpc.com.au, 1 +ebpgateway.com, 1 +ebrahimhadimarket.com, 1 +ebrdbusinessguide.com, 1 +ebrea.ch, 1 +ebrnd.de, 1 +ebrofoods.es, 0 +ebrows.md, 1 +ebru-gundes.tk, 1 +ebrununkasnagi.com, 1 +ebs.to, 1 +ebscomedical.com, 1 +ebuha.ga, 1 +ebuku.tk, 1 +eburg.ml, 1 +ec-baran.de, 1 +ec-current.com, 1 +ec.ath.cx, 1 +ec.mine.nu, 1 +ec2software.com, 1 +eca.nb.ca, 1 +ecamisetas.com.br, 1 +ecampusontario.ca, 1 +ecard.ml, 1 +ecardoo.com, 1 +ecardoo.de, 1 +ecardoo.net, 1 +ecardoo.org, 1 +ecargo.co.nz, 1 +ecarscash.com, 1 +ecat.ua, 1 +ecaterina.tk, 1 +ecbt.co.il, 1 +ecchidreams.com, 1 +eccma.org, 1 +ecco-verde.at, 1 +ecco-verde.com, 1 +ecco-verde.de, 1 +ecco-verde.it, 1 +eccoholiday.com, 1 +eccoilmenu.it, 1 +eccologic.net, 1 +eccoplastic.com, 1 +eccouncil.org, 1 +eccu.edu, 1 +ecdn.cz, 1 +ece-inc.net, 1 +ecelembrou.ovh, 1 +ecemella.com, 1 +ecency.com, 1 +ecenglishlive.com, 0 +ecenter.bg, 1 +ecetechsol.com, 1 +ecetiner.com, 1 +ecfunstalls.com, 1 +ecgclic.fr, 1 +echarity.ae, 1 +echbay.com, 1 +echi.pw, 1 +echidna-usa.com, 1 +echidna.com.au, 1 +echidnalock.com.au, 1 +echima.ca, 1 +echinus.solutions, 1 +echo-in.info, 1 +echo-n.nz, 0 +echo-online.de, 1 +echo-security.co, 1 +echo.cc, 1 +echoanalytics.com, 1 +echobridgepartners.com, 1 +echocolate.xyz, 1 +echodio.com, 1 +echoeshq.com, 0 +echofoxtrot.co, 1 +echoit.net, 1 +echoit.net.au, 1 +echoit.services, 1 +echomail.org, 1 +echopaper.com, 1 +echorecovery.org, 1 +echosdg.com, 1 +echosearch.co, 1 +echoserver.org, 1 +echoship.com, 1 +echosixmonkey.com, 1 +echosystem.fr, 1 +echotango.fr, 1 +echoteam.eu.org, 1 +echoteam.gq, 1 +echoteam.ml, 1 +echotone.tk, 1 +echovintage.com.br, 1 +echowave.io, 1 +echt.ga, 1 +echtcache.ga, 1 +echtebbq.nl, 1 +echternach-immobilien.de, 1 +echtes-hutzelbrot.de, 1 +ecirtam.net, 0 +eciso.io, 1 +ecity.hu, 1 +eck.cologne, 1 +eckel-edv.de, 1 +eckel-kieser-gbr.de, 1 +eckel.co, 1 +eckerl.org, 1 +eckerle-gruppe.com, 1 +eckfordtownshipmi.gov, 1 +eckindustries.com, 1 +eckler.ca, 1 +eckotech.fr, 1 +eckstein.tech, 1 +eclectic-al.gov, 1 +eclecticbeaver.com, 1 +eclectiv.com, 1 +eclipse-cross.info, 1 +eclipse4academia-startups.com, 1 +eclipseforum.tk, 1 +eclipsegame.tk, 1 +eclipseide.org, 1 +eclipseinspectionservices.co.uk, 1 +ecn.ir, 1 +ecnetworker.com, 1 +eco-derattizzazione.it, 1 +eco-doors.co.uk, 1 +eco-price.ru, 1 +eco-rubber.ru, 1 +eco-solu.co.jp, 1 +eco-web.com, 1 +eco-wiki.com, 1 +eco-work.it, 1 +eco2u.ru, 1 +eco69.com, 1 +eco69.eu, 1 +eco69.pl, 1 +ecobalispa.com, 1 +ecobunker.co.uk, 1 +ecobunkerusa.com, 1 +ecocanada.jobs, 1 +ecoceutics.com, 1 +ecochannel-ve.com, 1 +ecochiccottages.com, 1 +ecoconut.org, 1 +ecocoolrooms.co.uk, 1 +ecocreativity.org, 1 +ecocuisinedesign.com, 1 +ecodedi.com, 1 +ecodepur.co.ao, 1 +ecodepur.fr, 1 +ecodesign-labo.jp, 1 +ecodesigns.nl, 1 +ecoeat.ru, 1 +ecoefficience.com, 1 +ecoelectricsandiego.com, 1 +ecoeuropa.cf, 1 +ecofinancing.com, 1 +ecofoolad.com, 1 +ecoformeurope.com, 1 +ecofriendlytravels.com, 1 +ecogarden.design, 1 +ecogen.com.au, 1 +ecogen.net.au, 1 +ecohaus-pinklao-salaya.com, 0 +ecoheatcool.co.uk, 1 +ecohimdv.tk, 1 +ecohomebuild.org, 1 +ecohostingservices.uk, 1 +ecoindia.tk, 1 +ecojob.ga, 1 +ecolala.my, 1 +ecolan37.ru, 1 +ecole-attalens.ch, 0 +ecole-du-digital.com, 1 +ecole-eac.com, 1 +ecole-iaf.fr, 0 +ecole-parfum.com, 1 +ecole-saint-yves-rennes.fr, 1 +ecoledusabbat.org, 0 +ecolelacime.be, 1 +ecolenotredame.tk, 1 +ecolequebec.com, 1 +ecoles-conde.com, 1 +ecolive.pl, 1 +ecolodgedebosuil.nl, 1 +ecologeek.tk, 1 +ecologiahoy.com, 1 +ecologiapolitica.info, 1 +ecologic-france.com, 1 +ecologica.it, 1 +ecologistasenaccion.org, 1 +ecologiya.tk, 1 +ecologs.ie, 1 +ecoloriptv.tk, 1 +ecombustibil.ro, 0 +ecometal.bg, 1 +ecometalsrl.com, 1 +ecomia.dk, 1 +ecommerce-bikinsistem.tk, 1 +ecommerce-optimizer.com, 1 +ecommercedb.com, 1 +ecommercenews.asia, 1 +ecommercenews.co.nz, 1 +ecommercenews.com.au, 1 +ecommerceuropa.eu, 1 +ecompen.co.za, 1 +ecomuuu.com, 1 +ecomweb.ro, 1 +ecomycie.com, 1 +econativa.pt, 1 +econfia.cf, 1 +econmarketingdigital.com, 1 +economia.cl, 1 +economias.pt, 1 +economic-sanctions.com, 1 +economicnews.ga, 1 +economics-colleges.com, 1 +economie.gouv.fr, 1 +economie2.alsace, 1 +economie2.fr, 1 +economiefidu.ch, 0 +economies.ch, 0 +economixportal.tk, 1 +economycarrentalscyprus.com, 1 +economydiva.com, 1 +economyroofingco.com, 1 +econsorzio.com, 1 +econstitution.bg, 1 +econsumer.gov, 1 +ecoo.top, 1 +ecoon.net, 1 +ecopak.org, 1 +ecopark.asia, 1 +ecopark.co, 1 +ecopark.tv, 1 +ecopiscines.fr, 1 +ecopowerenginewash.com, 1 +ecopy.ir, 1 +ecorak.de, 1 +ecored.pl, 1 +ecoresina.com, 1 +ecorp-australia.tk, 1 +ecos-ev.de, 1 +ecosas.org, 1 +ecoscanapp.eu, 1 +ecosdesociedad.tk, 1 +ecosfti.tk, 1 +ecoshare.info, 1 +ecosial.org, 1 +ecoskif.ru, 1 +ecosoftconsult.com, 0 +ecostarfoam.com, 1 +ecostroika.ru, 1 +ecostruxureit.com, 1 +ecosuds.co.uk, 1 +ecosuds.uk, 1 +ecosystem.atlassian.net, 1 +ecosystemmanager-uat1.azurewebsites.net, 1 +ecotecelevator.com, 1 +ecotrade-disinfestazioni.it, 1 +ecotsa.com, 1 +ecotur.org, 1 +ecoturismo.tk, 1 +ecounselling.nic.in, 1 +ecoupakovka.ga, 1 +ecourbano.tk, 1 +ecoute.tv, 1 +ecowater.com, 1 +ecowoman-armenian.tk, 1 +ecowoman-bengalian.tk, 1 +ecowoman-indonezian.tk, 1 +ecowoman-turkey.tk, 1 +ecowoman-ukraine.tk, 1 +ecozip.it, 1 +ecozona.tk, 1 +ecpa-eg.com, 1 +ecpc.org, 1 +ecpic.gov, 1 +ecpl.ru, 1 +ecr-test-partnapp.azurewebsites.net, 1 +ecrangamer.fr, 1 +ecredits-dev-app-backoffice01.azurewebsites.net, 1 +ecredits-dev-app-partner01.azurewebsites.net, 1 +ecrehabandwellness.com, 1 +ecrehou.com, 1 +ecrequipamientos.com, 1 +ecriminalrecords.com, 1 +ecrownoffire.com, 1 +ecrums.gov, 1 +ecsafety.com, 1 +ecscoutgroup.cf, 1 +ecstaticentertainment.com, 1 +ecsupplyinc.com, 1 +ect-cpg.com, 1 +ect-telecoms.com, 1 +ectfsaz.com, 1 +ectora.com, 1 +ectpro.co.th, 1 +ecttaz.com, 1 +ecuadorbienesraices.com, 1 +ecuadorlibrered.tk, 1 +ecuadorwillana.com, 1 +ecuashop.ec, 1 +ecubr.com, 1 +ecup.mx, 1 +ecupcafe.com, 0 +ecv.fr, 1 +ecvma.fr, 1 +ecvtd.gov, 1 +ecxforum.com, 1 +ecyy.net, 1 +eczacionline.com, 1 +ed-medications.ml, 1 +ed-studios.tk, 1 +ed.gs, 1 +ed394jed.fr, 1 +eda-ah.com, 1 +eda.cooking, 0 +eda.gov, 1 +eda72.com, 1 +edacsoft.com, 1 +edalat.tk, 1 +edanalytics.org, 1 +edapt.org.uk, 1 +edas.info, 0 +edatech.com, 1 +edb.cz, 1 +edb.eu, 1 +edb.gov.sg, 1 +edcaptain.com, 1 +edcdn.net, 1 +edd-miles.com, 1 +eddesign.ch, 1 +eddi.org.au, 1 +eddie.website, 1 +eddmil.es, 1 +eddokloosterman.com, 1 +eddriesen.tk, 1 +eddsworld.tk, 1 +eddyn.net, 0 +eddysystem.tk, 1 +eddyworld.tk, 1 +edeals.co.com, 1 +edeals.com.co, 1 +edeca.net, 1 +ededdeddy.tk, 1 +edegembicycleclub.tk, 1 +edegulkoyu.tk, 1 +edehsa.com, 1 +edeka-peper.de, 1 +edel-suff.de, 1 +edelveiys.tk, 1 +edelvivesdigital.com, 1 +edelvivesdigitalplus.com, 1 +edelweiskapel.tk, 1 +edelweiss-pinzolo.com, 1 +edelweiss-service.ru, 1 +edelweissalternatives.com, 1 +eden-project-insight.tk, 1 +eden.bz, 1 +eden.co.uk, 1 +edenaya.com, 0 +edencollie.com, 1 +edenfactory.tk, 1 +edenming.info, 1 +edennc.gov, 1 +edenprairiemn.gov, 1 +edenpureheater.tk, 1 +edenredbenefits.com, 1 +edenvaleplumber24-7.co.za, 1 +edenverses.com, 1 +eder-steiner.at, 1 +ederasrl.it, 1 +edesseglabor.hu, 1 +edevletkapisi.org, 1 +edfdentalcenter.tk, 1 +edgar.mx, 1 +edgarcountyillinois.gov, 1 +edgarpierre.fr, 1 +edgarsmission.org.au, 1 +edgarsonderwaterwereld.tk, 1 +edgartamarit.com, 1 +edgarwi.gov, 1 +edgarz.tk, 1 +edgebilisim.com, 1 +edgecase.ru, 1 +edgeconnectnj.net, 1 +edgecustomersportal.com, 1 +edgedynasty.com, 1 +edgeimpulse.com, 1 +edgeless.pp.ua, 0 +edgelogs.com, 1 +edgemagazine.net, 1 +edgemasterspaint.com, 1 +edgeofnoservers.com, 1 +edgerton.us, 1 +edgeservices.co.uk, 1 +edgetalk.net, 1 +edgetechig.co.uk, 0 +edgewaterco.gov, 1 +edging.tech, 1 +edh.email, 1 +edholm.pub, 1 +edi-gate.com, 1 +edi-gate.de, 1 +edibarcode.com, 1 +ediberto.tk, 1 +edibleforest.co, 1 +edicct.com, 1 +edicionescrimentales.tk, 1 +edihair.com, 1 +edik.tk, 1 +edikacomptabilite.com, 1 +edilane.com, 1 +edilane.de, 1 +edilians-group.com, 1 +ediliovo.com, 1 +edilondon.com, 1 +edilservizivco.it, 1 +edinburghcastle.scot, 1 +edinburghcyclehire.co.uk, 1 +edinburghcyclehire.com, 1 +edinburghopenworkshop.co.uk, 1 +edirnehaber.tk, 1 +edirnehaberleri.tk, 1 +edison.moe, 1 +edisonchee.com, 1 +edisongroup.ru, 1 +edisonlee55.com, 1 +edisonluiz.com, 1 +edisonnj.gov, 1 +edisonstreet.com, 1 +edist.ro, 1 +edit.co.uk, 1 +edit.org, 1 +edit.yahoo.com, 0 +edited.at, 1 +edited.be, 1 +edited.ch, 1 +edited.cz, 1 +edited.de, 1 +edited.nl, 1 +edited.pl, 1 +edithlouw.tk, 1 +edition-sonblom.de, 0 +editions-campanile.fr, 1 +editionsnoiretrouge.com, 1 +editionsz.com, 1 +editorakanope.com.br, 1 +editorialexpress.com, 1 +editorsguild.com, 1 +editspace.tk, 1 +editus.it, 1 +edityeet.com, 1 +edje.com, 1 +edjo.us, 1 +edl.com.ph, 1 +edlinger.at, 1 +edlinger.mobi, 1 +edman007.com, 1 +edmates.com, 1 +edmedications.tk, 1 +edmedsonline.tk, 1 +edmilia.tk, 1 +edmoncu.com, 1 +edmondok.gov, 1 +edmontonwellness.ca, 1 +edmundcelis.com, 1 +edmundy.tk, 1 +edmwaves.org, 1 +ednarstore.com, 1 +edocperso.fr, 1 +edocr.com, 1 +edok.com.br, 1 +edopomoga.gov.ua, 1 +edoss.co.za, 0 +edp.com, 1 +edpgassu.pt, 1 +edpnc.com, 1 +edpr.com, 1 +edpubs.gov, 1 +edr-d.expert, 1 +edragneainpuscarie.ro, 1 +edremith.com, 1 +edremitweb.site, 1 +edrepay.com, 1 +edrgroup.nl, 1 +edri.org, 1 +edrosd.cf, 1 +edrost.tk, 1 +edrtravel.com, 1 +edsby.com, 0 +edscha.com, 1 +edscolors.com, 1 +edservicing.com, 1 +edshogg.co.uk, 1 +edsm.net, 1 +edstem.org, 1 +edstep.com, 1 +edsys.com.au, 1 +edtech-hub.com, 1 +edtech.ee, 1 +edtechwebb.com, 1 +edtravel.ga, 1 +edu-kingdom.com, 1 +edu3w.at, 1 +edu6.cloud, 1 +eduanimal.tk, 1 +eduard-dopler.de, 1 +eduardbaas.com, 1 +eduardnikolenko.com, 1 +eduardochang.tk, 1 +eduardofranco-luthier.tk, 1 +eduardomaio.net, 1 +eduardosuarez.tk, 1 +eduart.tk, 1 +eduba.se, 1 +edubase.link, 1 +edubase.net, 1 +edubirdie.com, 1 +edublognews.tk, 1 +educa-cao.pt, 1 +educa2.es, 1 +educabis.tk, 1 +educacionit.com, 1 +educacionnm.ml, 1 +educacionvirtual.com.ar, 1 +educaestado.com, 1 +educanada.in, 1 +educard.co.at, 1 +educasis.tk, 1 +educatek.es, 1 +educatie.tk, 1 +education-colleges.com, 1 +education-info.cf, 1 +education4paper.tk, 1 +educationarea.tk, 1 +educationboard.ml, 1 +educationconnect.tk, 1 +educationdepartment.ml, 1 +educationet.tk, 1 +educationfirst.ml, 1 +educationgov.tk, 1 +educationhighquality.ml, 1 +educationism.tk, 1 +educationmalaysia.co.uk, 1 +educationone.ml, 1 +educationportal.ga, 1 +educationportal.tk, 1 +educationstandards.nsw.edu.au, 1 +educationstatistic.tk, 1 +educationstudent.tk, 1 +educationsupport.org.uk, 0 +educationtopics.tk, 1 +educationtree.tk, 1 +educationtrust.tk, 1 +educationweek.tk, 1 +educative.io, 1 +educator-one.com, 1 +educatorretirementsolutions.com, 1 +educators.co.nz, 1 +educatoys.com.br, 1 +educbook.ga, 1 +educheck.tech, 1 +educlove.com, 1 +educourse.nl, 1 +edudip-next.com, 1 +edudip.com, 1 +edudip.de, 1 +edufever.com, 1 +edufever.in, 1 +eduflow.at, 1 +edugeton.com, 1 +edugram.com, 1 +eduhub.lol, 1 +eduhub.ml, 1 +eduhublisbon.com, 1 +eduid.se, 1 +eduif.nl, 0 +eduium.io, 1 +eduki.com, 1 +edukle.com, 0 +edularidea.com, 1 +edularism.com, 1 +edulayer.net, 1 +edulinks.ml, 1 +edumanage.tk, 1 +edumaritime.net, 1 +edumerson.com, 1 +edunaut.com.au, 1 +edunet.gq, 1 +edunet.training, 1 +edunian.com, 1 +edunoor.tk, 1 +eduoneschool.tk, 1 +edupay.co.at, 1 +edupesa.com, 1 +eduproject.tk, 1 +eduproquality.tk, 1 +eduqfix.com, 1 +eduradiadores.com.br, 1 +eduresultbd.com, 1 +eduroam.no, 1 +eduroam.uy, 1 +edusanjal.com, 1 +eduschool.ml, 1 +edusektor.de, 0 +edusercontent.com, 1 +eduson.pl, 1 +eduspot.co.uk, 1 +edusson.com, 1 +edusuite.at, 1 +edutech.group, 1 +edutour.ml, 1 +edutrum.com, 1 +eduxon.in, 1 +eduxpro.com, 1 +eduzaurus.com, 1 +edv-biela.de, 1 +edv-lehrgang.de, 1 +edv-ringhofer.de, 1 +edv-schmittner.de, 1 +edvan.com.br, 1 +edvestinu.com, 1 +edvgarbe.de, 1 +edvision.ga, 1 +edvmesstec.de, 1 +edward-tagle.tk, 1 +edwardbrowninvestment.tk, 1 +edwardcastrillon.com, 1 +edwarddekker.nl, 1 +edwardkong.top, 1 +edwards.me.uk, 1 +edwardscommercialcleaning.com, 1 +edwardsgrounds.co.uk, 1 +edwardwall.me, 1 +edware.ga, 1 +edweb.tk, 1 +edwellbrook.com, 1 +edwinlinda.tk, 1 +edwinlugo.gq, 1 +edwinmattiacci.com, 1 +edwinroelvink.tk, 1 +edxg.de, 0 +edxn.de, 1 +edyhenry.tk, 1 +edyou.org, 0 +edytabania.com, 1 +edzo.dk, 1 +edzo.fr, 1 +ee-terminals.com, 1 +ee00228.com, 0 +ee362.com, 0 +ee367.com, 0 +ee372.com, 0 +ee396.com, 0 +ee397.com, 0 +ee5197.co, 1 +ee6729.co, 1 +ee6729.com, 0 +ee6957.co, 1 +ee9297.co, 1 +ee951.com, 0 +ee9728.co, 1 +ee973.com, 0 +eebt.hu, 1 +eeeb.loan, 1 +eeeeeeeeee.de, 1 +eeehh.com, 1 +eeetrust.org, 1 +eegaming.org, 1 +eegaming.tk, 1 +eehitus.ee, 1 +eeia.com, 1 +eeiletudiant.com, 1 +eekelen.net, 1 +eelabs.eu, 1 +eelcapone.nl, 1 +eellak.gr, 1 +eelsden.net, 1 +eelzak.nl, 1 +eemcevn.com, 1 +een-eenvoudige-test-voor-de-maximum-lengte-van-een-nederlandse.nl, 1 +een.com, 1 +eenfotowaard.nl, 1 +eenmailsturen.nl, 0 +eennieuwepc.nl, 1 +eentweevijf.be, 1 +eenvren.com, 1 +eenvxing.com, 1 +eeqj.com, 1 +eer.io, 1 +eeri.org, 1 +eerstemaanlanding.tk, 1 +eery.de, 1 +eesti.id, 1 +eet.nu, 1 +eetestingcenter.com, 1 +eetimestv.com, 1 +eevie.io, 1 +eevpn.com, 1 +eewna.org, 1 +eeyo.uk, 1 +eez.ee, 0 +eezepc.com, 1 +ef.gy, 1 +efaas.nl, 1 +efag.com, 1 +efcpharma.com, 1 +efcross.com, 1 +efectococuyo.com, 0 +efeel.info, 1 +efeen.nl, 1 +efeindonesia.com, 1 +efektfoto.cz, 1 +efektyvnist.pro, 1 +eferro.ca, 1 +efeso.co.nz, 1 +efeso.nz, 1 +efeso.org.nz, 1 +efeso4mayor.co.nz, 1 +efeso4mayor.nz, 1 +efeso4mayor.org, 1 +efeso4mayor.org.nz, 1 +efesocollins.org, 1 +efesocollins.org.nz, 1 +efesoformayor.co.nz, 1 +efesoformayor.nz, 1 +efesoformayor.org, 1 +efesoformayor.org.nz, 1 +eff.org, 1 +effdocs.com, 1 +effe.ch, 0 +effecotto.it, 1 +effective-altruist.com, 1 +effectivecommunication.tk, 1 +effectiveconsulting.ca, 1 +effectivelist.com, 1 +effectivepapers.com, 1 +effectory.com, 1 +effectpointphotography.cf, 1 +effectualness.co.za, 1 +effectualness.web.za, 1 +effelzburgfilms.com, 1 +effer.me, 1 +effex.ru, 1 +effexorgeneric.ml, 1 +effiasoft.com, 0 +effic.es, 1 +efficientip.com, 0 +efficientsolutions.tk, 1 +effigos.com, 1 +effigos.de, 1 +effinfun.com, 1 +effinghamcountyil.gov, 1 +efflam.net, 1 +effmio.de, 1 +effortlesshr.com, 1 +effortlesshr.net, 1 +effra.pl, 1 +efi.com, 0 +eficsolar.com, 1 +efiglobal.com, 1 +efiledcsuperiorcourt.gov, 1 +efirma.com, 1 +eflorashop.be, 1 +eflorashop.ch, 1 +eflorashop.co.uk, 1 +eflorashop.com, 1 +eflorashop.de, 1 +eflorashop.es, 1 +eflorashop.fr, 1 +eflorashop.it, 1 +eflorashop.mx, 1 +eflorashop.net, 1 +eflorashop.us, 1 +efmcredentialing.org, 1 +efmo.de, 1 +efoood.org, 1 +efootball4u.es, 1 +eformost.ca, 1 +eforw.com, 1 +efp.nl, 1 +efran-eliyev.gq, 1 +efsanesi.tk, 1 +eft.boutique, 1 +eftcorp.biz, 1 +eftelingcraft.net, 1 +efterfest.tk, 1 +eftotoekspertizbalikesir.com, 1 +efutbol.tk, 1 +eg-dev.net, 1 +eg22.com, 1 +eg7.co.jp, 1 +eg7.jp, 1 +egablo.black, 1 +egabroaventuras.tk, 1 +egais.ml, 1 +egal24.de, 1 +egarden.it, 1 +egb.at, 0 +egbeautybar.nl, 1 +egbert.net, 1 +egbertsen.tk, 1 +egc.ink, 1 +egdsk.ru, 1 +egegesh.ru, 1 +egekbb.org, 1 +egeozcan.com, 0 +egestor.com.br, 1 +egevpare.tk, 1 +egfl.org.uk, 1 +egg-ortho.ch, 1 +eggblast.com, 1 +eggc.at, 1 +egge.com, 0 +eggel.ch, 1 +eggen.dk, 1 +eggendorfer.at, 1 +eggendorfer.be, 1 +eggendorfer.biz, 1 +eggendorfer.ch, 1 +eggendorfer.co.uk, 1 +eggendorfer.de, 1 +eggendorfer.info, 1 +eggendorfer.it, 1 +eggendorfer.li, 1 +eggendorfer.name, 1 +eggendorfer.net, 1 +eggendorfer.online, 1 +eggendorfer.org, 1 +eggendorfer.pro, 1 +eggendorfer.rocks, 1 +eggendorfer.tv, 1 +eggendorfer.uk, 1 +eggendorfer.us, 1 +eggendorfer.wine, 1 +eggertsvillefiredistrict.gov, 1 +egglestonyouthcenter.org, 1 +eggman.tk, 1 +eggplantsoftware.com, 1 +eggqvq.com, 1 +eggrolls.ml, 1 +eggy.com.au, 0 +eggzr.com, 1 +egh.ir, 1 +egiftcards.be, 1 +egilopaseryh.tk, 1 +egins.tk, 1 +egipet-tiz.tk, 1 +egiptwakacje.tk, 1 +egitim.academy, 1 +egitimpusulam.com, 1 +egito.pl, 1 +egittophilia.tk, 1 +eglantier.eu, 1 +egles.eu, 1 +eglinlife.net, 1 +eglise-crc.be, 1 +egliseclichy92.fr, 1 +eglisedenantes.fr, 1 +egm-sakura.com, 1 +ego4u.com, 1 +ego4u.de, 1 +egoclan.tk, 1 +egold-keeper.com, 1 +egomania.tk, 1 +egomaniaque.tk, 1 +egonews.ga, 1 +egophobia.tk, 1 +egorazarkevich.ga, 1 +egorka.ml, 1 +egoroskope.tk, 1 +egos-online.com, 1 +egoscolumn.tk, 1 +egotickets.com, 1 +egotripproductions.org, 1 +egov.digital, 1 +egov4.ch, 1 +egproduction.com, 1 +egreensvape.com, 1 +egregius.be, 0 +egres.xyz, 1 +egretail.no, 0 +egrojsoft.info, 1 +egrouen.net, 1 +egroupware.org, 1 +egrow.io, 1 +egt-bg.com, 1 +egt-digital.com, 1 +egt.ee, 0 +eguchi-dc.com, 1 +egvilparks.gov, 1 +egw-ceramica.de, 1 +egy-boy.tk, 1 +egypt-tourism.ga, 1 +egypt-tours.tk, 1 +egypt-turism.ru, 1 +egyptcrops.com, 1 +egypte.tk, 1 +egyptenet.tk, 1 +egypteweb.tk, 1 +egyptexposed.tk, 1 +egypthomemaintenance.com, 1 +egyptian.gq, 1 +egyptianeuphoria.com, 1 +egyptianhak.tk, 1 +egytimes.tk, 1 +egzekucija.tk, 1 +egzotique.com, 1 +eh-huebner-stiftung.de, 1 +ehaccp.it, 1 +ehazi.hu, 1 +ehbsecuritydavy.be, 1 +ehcommerce.com, 1 +ehdata.net, 1 +ehealth.gov.au, 1 +ehealth.kg, 1 +eheartspecialist.com, 1 +eheliche-disziplin.schule, 1 +eheya.net, 1 +ehipaa.com, 1 +ehlers-net.de, 1 +ehlersdanlos.dk, 1 +ehlersdanlos.tk, 1 +ehliyetsinavsorulari.org, 1 +ehmsen.nu, 1 +ehmtheblueline.com, 1 +ehne.de, 1 +ehome.im, 1 +ehometools.com, 1 +ehomusicgear.com, 1 +ehorizon.jp, 1 +ehpad-ariege.fr, 1 +ehr.bg, 1 +ehr.gov, 1 +ehrby.se, 1 +ehrdata.com, 1 +ehrenburg.info, 1 +ehrlichesbier.de, 1 +ehsehk.com.ph, 1 +ehtgov.org, 1 +ehtp.pt, 1 +ehtu.tk, 1 +ehub.cz, 1 +ehub.hu, 1 +ehub.pl, 1 +ehub.sk, 1 +ehuber.info, 1 +ei-bo.org, 1 +eiacampoguamal.com, 1 +eiao.me, 1 +eiber.net, 1 +eibich.de, 1 +eichel.eu, 1 +eichendorffschule.online, 1 +eichenrund.de, 1 +eichinger-stelzl.com, 1 +eichinger-stelzl.de, 1 +eichler.work, 1 +eickhof.co, 1 +eickhof.us, 1 +eickhofcolumbaria.com, 1 +eidelpes.info, 1 +eientei.org, 1 +eifach.top, 1 +eifel.website, 1 +eifelstuebchen.de, 1 +eiffage.com, 1 +eiga.com, 1 +eigenaardig.tk, 1 +eigenbubi.de, 1 +eigenetiket.tk, 1 +eigenpul.se, 1 +eigenpulse.com, 1 +eigentech.com, 1 +eigenvector.space, 1 +eigenvector.systems, 1 +eightballde.luxe, 1 +eightvirtues.tk, 1 +eighty-aid.com, 1 +eightyfour.ca, 1 +eightysoft.de, 1 +eigpropertyauctions.co.uk, 1 +eihaikyo.com, 1 +eihei.net, 1 +eiji.fr, 1 +eikenskaden.tk, 1 +eikentafels.nl, 1 +eiklandenergy.com, 1 +eiko-dch.ac.jp, 1 +eikoh.nsw.edu.au, 1 +eikones.tk, 1 +eikounoayumi.jp, 1 +eileen.ml, 1 +eilhan.com, 1 +eim.one, 1 +eimacs.com, 1 +eimeko.ch, 1 +eimmigration.com, 1 +ein-itin.com, 1 +einarkallevig.tk, 1 +einaros.is, 1 +eindex.me, 1 +eine-andere-welt.org, 1 +einfach-fitz.at, 1 +einfachkiss.at, 1 +einheizpreis.de, 1 +einhorn.space, 1 +einmonolog.de, 1 +einreiseanmeldung.de, 1 +einrichtenonline.com, 1 +einsatzstiefel.info, 1 +einstein-themanandhismind.net, 1 +einsteinathome.org, 1 +einsteinbros.com, 1 +einsteinium.fr, 1 +einsteinmishra.com, 1 +einsteins.tk, 1 +einstokbeer.com, 1 +eintageinzug.de, 1 +eintoepfe-bruchsal.de, 1 +eintracht-rodde.de, 1 +einvestment.com, 1 +einwie.com, 1 +eipione.com, 1 +eirastudios.co.uk, 1 +eirb.fr, 1 +eirgroup.com.au, 1 +eirik.eu, 1 +eirikyrolae.tk, 1 +eis.org.uk, 1 +eisaev.ru, 1 +eisblau.org, 1 +eisei-iinkai.com, 1 +eisen-biomed.ch, 1 +eisenbahnfreunde-lengerich.de, 1 +eisenberg.co.za, 1 +eisenhowerlibrary.gov, 1 +eisenhut.family, 1 +eisenstark.de, 1 +eisenzelt.de, 1 +eisernes-kreuz.tk, 1 +eiskratzer-bedrucken.de, 0 +eit-solutions.com.au, 1 +eit-web.de, 0 +eitbtaldea.eus, 1 +eitt.pl, 1 +eivanec.com, 1 +eiyoushi-shigoto.com, 1 +ej.gov, 1 +ej.uz, 1 +ejabi-infosec.com, 1 +ejbelectrical.com, 1 +ejcabinets.com, 1 +ejderrapgott.de, 1 +ejdv-anmeldung.de, 1 +ejelectrical-qld.com.au, 1 +ejerciciosmemoria.com, 1 +ejit.eu, 1 +ejkathome.nl, 1 +ejkatwork.nl, 1 +ejkenergie.nl, 1 +ejkgemist.nl, 1 +ejkgroep.nl, 1 +ejkholding.nl, 1 +ejkhosting.nl, 1 +ejkinternet.nl, 1 +ejkitservices.nl, 1 +ejkmedia.nl, 1 +ejkmuseum.nl, 1 +ejknet.nl, 1 +ejknieuws.nl, 1 +ejkproducties.nl, 1 +ejkradio.nl, 1 +ejkrail.nl, 1 +ejkrailshop.nl, 1 +ejksport.nl, 1 +ejktelecom.nl, 1 +ejktv.nl, 1 +ejkuniversiteit.nl, 1 +ejkweb.nl, 1 +ejkwebdesign.nl, 1 +ejsc.co.jp, 1 +ek-networks.de, 0 +ekadry.info, 1 +ekalisch.de, 1 +ekamfoundationmumbai.org, 1 +ekamus.tk, 1 +ekatalendra.com, 1 +ekatavirghost.com, 1 +ekati.ru, 1 +ekawaiishop.com, 1 +ekb-avia.ru, 0 +ekcomp.com, 1 +ekcrags.ru, 1 +ekd.de, 1 +ekdoseis.gr, 1 +ekeblock.com, 1 +ekedc.com, 1 +ekedp.com, 1 +ekf.ee, 1 +ekfgroup.com, 1 +ekgh.dk, 1 +ekhabar.ml, 1 +ekho.tk, 1 +ekimaeseitai.com, 1 +ekimma.com, 1 +ekimturkgurme.com, 1 +ekinyalincak.com, 1 +ekiphost.com, 1 +eklepka.com, 1 +eklitzke.org, 1 +ekmanager.tk, 1 +eko69.pl, 1 +ekobudisantoso.net, 1 +ekocleaningllc.com, 1 +ekoclin.com, 1 +ekocyber.com, 1 +ekogroszekpieklo.pl, 1 +ekokpandm.tk, 1 +ekol-2001.tk, 1 +ekologie.tk, 1 +ekologija.tk, 1 +ekonbenefits.com, 1 +ekonomika.tk, 1 +ekonomipolitik.tk, 1 +ekonomival.se, 1 +ekonomska.tk, 1 +ekophone.bg, 1 +ekoport.ru, 1 +ekopromet.com, 1 +ekosaltis.lt, 1 +ekosf.ru, 1 +ekospajzka.cz, 1 +ekostecki.de, 1 +ekouniejow.pl, 1 +ekowibowo.com, 1 +ekozercy.pl, 1 +ekpj.jp, 1 +ekranoplan-lun.ru, 1 +ekranos.me, 1 +ekransystem.com, 1 +ekre.club, 1 +ekron.at, 1 +eks.news, 1 +eksibition.org, 1 +eksik.com, 0 +eksisozluk.com, 0 +eksperiments.lv, 1 +ekspert.tk, 1 +ekspertemerytalny.pl, 1 +eksploraz.com, 1 +ekspress.ee, 1 +ektefa.sa, 1 +ekvastra.in, 1 +ekwador.com, 1 +ekyu.moe, 1 +ekzcrosstour.ch, 1 +ekzotika.tk, 1 +el-cell.com, 1 +el-hossari.com, 1 +el-masri.bg, 1 +el-mass.com, 1 +el-mundo.tk, 1 +el-tatwer.tk, 1 +ela-n.de, 1 +elaax.de, 0 +elabib.com, 1 +elaboratefiction.com, 1 +elad.wtf, 1 +eladalfassa.com, 1 +eladerezo.com, 1 +eladgames.com, 1 +elahejalilvand.com, 1 +elaheze.com, 0 +elahuehuete.art, 1 +elainerock.com, 1 +elakiri.cf, 1 +elalmibar.com, 1 +elana.lt, 1 +elandador.com.mx, 0 +elanterna.ro, 1 +elanusparts.com, 1 +elaon.de, 0 +elar.tk, 1 +elarcoreu.com, 0 +elariannews.ml, 1 +elartedelaguerra.tk, 1 +elartedelapaz.org, 1 +elarvee.xyz, 1 +elasten.eu, 1 +elastiekschieten.tk, 1 +elatinoamericano.tk, 1 +elauricielo.tk, 1 +elaxy-online.de, 1 +elayog.bt, 1 +elazafran.com, 1 +elazighaber.tk, 1 +elb500ttl.nl, 1 +elba-elba.tk, 1 +elba-hotel.tk, 1 +elbaal.gov, 1 +elbersdometechniek.tk, 1 +elbetech.net, 1 +elbiaadmin.sk, 1 +elbiahosting.sk, 1 +elbir.tk, 1 +elbitsystems.com, 1 +elblogdezoe.es, 1 +elbrus360.ru, 1 +elbrutoconeloso.tk, 1 +elburnfire.gov, 1 +elbvision.de, 1 +elbwiese.de, 1 +elcactus.tk, 1 +elcajon.gov, 1 +elcambioavanza.co, 1 +elcanonjusto.tk, 1 +elcarajo.tk, 1 +elchamandelaprosperidad.org, 1 +elcheapoflags.com, 1 +elcient.com, 1 +elcigaro.bg, 1 +elcin.tk, 1 +elcirculo.mx, 1 +elcontadorsac.com, 1 +elcontenido.news, 1 +elcontrol.tk, 1 +elcosmos.tk, 1 +elcosteno.tk, 1 +elcozinante.com, 1 +elcuadernodefilosofia.tk, 1 +eldarom.ro, 1 +eldeneleokuldaneveoyun.com, 1 +eldercare.gov, 1 +eldercare.net.au, 1 +elderdevelopmentgroup.com, 1 +elderindex.org, 1 +elderjustice.gov, 1 +elderplan.org, 1 +elderreviews.gq, 1 +elderscrolls.tk, 1 +eldevo.com, 1 +eldhestar.is, 1 +eldiedesign.com, 1 +eldisagjapi.de, 1 +eldoradocylinders.com, 1 +eldoradoil.gov, 1 +eldoradotechnical.com, 1 +eldrid.ge, 1 +ele-sm.com, 1 +eleanorleightrio.com, 1 +elearningi.pl, 1 +elearningpilot.com, 1 +eleather.it, 1 +elecbuz.com, 0 +eleconomista.com.ar, 1 +electerious.com, 1 +electicofficial.com, 0 +electionpresidentiellegabon2009.ga, 1 +electionrunners.com, 1 +elections.ca, 1 +elections.nz, 1 +electionsbycounty.com, 1 +electionsdatabase.com, 1 +electionsshelbytn.gov, 1 +electmikewaters.com, 1 +electr0sheep.com, 1 +electra.co.nz, 1 +electragirl.com, 1 +electras.cf, 1 +electrastart.nz, 1 +electric-clippers.tk, 1 +electric-samara.tk, 1 +electric-vault.co.uk, 1 +electricagoura.com, 1 +electricagourahills.com, 1 +electrical-schools.com, 1 +electrical.cn, 1 +electricalagoura.com, 1 +electricalagourahills.com, 1 +electricalandelectronicsengineerinformation.ga, 1 +electricalcalabasas.com, 1 +electricalcamarillo.com, 1 +electricalconejovalley.com, 1 +electricaldosvientos.com, 1 +electricalengineers.tk, 1 +electricalhiddenhills.com, 1 +electricallakesherwood.com, 1 +electricalmalibu.com, 1 +electricalmoorpark.com, 1 +electricalnewburypark.com, 1 +electricaloakpark.com, 1 +electricalpacificpalisades.com, 1 +electricalsimivalley.com, 1 +electricalthousandoaks.com, 1 +electricalwestlakevillage.com, 1 +electricannihilation.tk, 1 +electricbeast.co, 1 +electriccalabasas.com, 1 +electriccamarillo.com, 1 +electriccitysf.com, 1 +electriccoin.co, 1 +electricconejovalley.com, 1 +electricdosvientos.com, 1 +electricdreams.xyz, 1 +electricfencingpinetown.co.za, 1 +electricfireplaces.tk, 1 +electricgatemotoralberton.co.za, 1 +electricgatemotorboksburg.co.za, 1 +electricgatemotorgermiston.co.za, 1 +electricgatemotorshillcrest.co.za, 1 +electricgatemotorsroodepoort.co.za, 1 +electricgypsies.nl, 1 +electrichiddenhills.com, 1 +electrichome.fr, 0 +electricianagoura.com, 1 +electricianagourahills.com, 1 +electriciancalabasas.com, 1 +electriciancamarillo.com, 1 +electricianconejovalley.com, 1 +electriciandosvientos.com, 1 +electricianforum.co.uk, 1 +electricianhiddenhills.com, 1 +electricianlakesherwood.com, 1 +electricianmalibu.com, 1 +electricianmoorpark.com, 1 +electriciannewburypark.com, 1 +electricianoakpark.com, 1 +electricianpacificpalisades.com, 1 +electricianpretoria24-7.co.za, 1 +electricians-roodepoort.co.za, 1 +electricianschooledu.org, 1 +electriciansimivalley.com, 1 +electricianthousandoaks.com, 1 +electricianwestlakevillage.com, 1 +electricienasnieres.fr, 1 +electricimagination.co.uk, 1 +electricity.tk, 1 +electricityplans.com, 1 +electriclakesherwood.com, 1 +electricmalibu.com, 1 +electricmoorpark.com, 1 +electricnewburypark.com, 1 +electrico.tk, 1 +electricoakpark.com, 1 +electricpower.tk, 1 +electricsimivalley.com, 1 +electricthousandoaks.com, 1 +electricwestlakevillage.com, 1 +electricwokstore.com, 1 +electriczone.tk, 1 +electrobraid.com, 1 +electrocity.ie, 0 +electrocomplect.com.ua, 1 +electrocuted.com, 1 +electrodomesticos.tk, 1 +electrodomesticosmiro.com, 1 +electroforum.tk, 1 +electrofreakz.tk, 1 +electrogenic.co.uk, 1 +electrohelp.ga, 1 +electrolandia.tk, 1 +electrolivefest.spb.ru, 1 +electromagnetichealth.org, 1 +electromagnetism.gq, 1 +electromec.biz, 1 +electromec.eu, 1 +electromec.info, 1 +electromec.net, 1 +electromec.org, 1 +electromenager.tk, 1 +electrominati.com, 1 +electromotor.tk, 1 +electronic-ignition-system.com, 1 +electronicafacil.net, 1 +electronicaripol.es, 1 +electronicfasteners.com, 0 +electronicssrit.tk, 1 +electronictucuman.com, 1 +electroniko.cf, 1 +electronis.ru, 1 +electronmag.tk, 1 +electronsweatshop.com, 1 +electroschematics.com, 1 +electrosoftcloud.com, 0 +electrostatics.com, 1 +electrostore.com.ec, 1 +electrotainment.com, 1 +electrotounes.tn, 1 +electroyclima.es, 1 +electrum.org, 1 +eled.io, 1 +elefanten-cup.de, 1 +elefsisport.gr, 0 +elegance-lingerie.com, 1 +elegance-sm.com, 1 +elegance96.tk, 1 +elegancecement.com, 1 +elegansia-piscine.fr, 1 +elegant-design.tk, 1 +elegant-techno.com, 1 +eleganta.ga, 1 +elegantanal.com, 1 +elegantbrows.com, 1 +elegantfamilyhotelsandresorts.com, 1 +elegantlatex.tk, 1 +elegantly-clean.co.uk, 1 +eleganza.ga, 1 +elegro.cz, 1 +eleicoes2018.com, 1 +elejordemarketingconsultancy.com, 1 +eleken.jp, 1 +elekner.tk, 1 +elektiriklidireksiyontamiri.com, 1 +elektiriktasarruf.tk, 1 +elektriker-notdienst-zentrale.de, 1 +elektrikumraniye.com, 1 +elektrikvesukesintileri.com, 1 +elektrilevi.com, 1 +elektrilevi.ee, 1 +elektrilevi.eu, 1 +elektro-adam.de, 1 +elektro-diehm.de, 1 +elektro-doerr.com, 1 +elektro-feichtner.at, 1 +elektro-hammes.net, 1 +elektro-hofmann-gmbh.de, 1 +elektro-hornetz.de, 1 +elektro-koehl.de, 1 +elektro-liebeskind.de, 1 +elektro-metz.de, 1 +elektro-pfeiffer.de, 1 +elektro-praha10.cz, 1 +elektro-reibsch.de, 1 +elektro-stock.de, 1 +elektro-wandelt.de, 1 +elektro-woerdehoff.de, 1 +elektrobusch.com, 1 +elektroclauberg.de, 1 +elektroclub.tk, 1 +elektroepilation-stuttgart.de, 1 +elektrofinke.de, 1 +elektroistrument.tk, 1 +elektrokarges.de, 1 +elektrolety.com, 1 +elektrolety.cz, 1 +elektromet.com.pl, 1 +elektromet.pl, 1 +elektrometz.de, 1 +elektromobil-zubehoer.de, 1 +elektromosev.cz, 1 +elektromotor.tk, 1 +elektron-elektrotechnik.de, 1 +elektronickakancelar.cz, 1 +elektroniksigarasehri1.com, 1 +elektronische-post.org, 1 +elektronix.tk, 1 +elektronomi.com, 1 +elektropartner.nu, 1 +elektropost.org, 1 +elektroprom.tk, 1 +elektrosety.com.ua, 1 +elektrotango.tk, 1 +elektrotechnik-heisel.de, 1 +elektrotechnik-kaetzel.de, 1 +elektrotechnik-schreck.de, 1 +elektrotechniker-beck.de, 1 +elektrownie-tanio.net, 1 +elektryczka.pl, 1 +elelenin.cf, 1 +elemanpersonelalimi.com, 1 +elemenik.com, 1 +elemenop.tk, 1 +element.hr, 1 +element.io, 1 +elemental.software, 1 +elementalengine.com, 1 +elementalengine.org, 1 +elementalengines.com, 1 +elementalengines.org, 1 +elementalrobotics.com, 1 +elementalsoftware.net, 1 +elementalsoftware.org, 1 +elementarewatson.it, 1 +elementarium.cf, 1 +elementarium.ga, 1 +elementarywave.com, 1 +elementblend.com, 1 +elementbookings.com, 1 +elementedigitale.ro, 1 +elementmea.com, 1 +elementorfa.ir, 1 +elements-space-time.com, 1 +elements.guide, 1 +elementshop.co.uk, 1 +elementsoftware.tk, 1 +elemistlarp.com, 1 +elena-paparizou.tk, 1 +elena-risteska.tk, 1 +elena-soset.cf, 1 +elena-soset.ga, 1 +elena-soset.ml, 1 +elena-soset.tk, 1 +elenagherta.ga, 1 +elenapulizieroma.it, 1 +elenaristeska.tk, 1 +elenaristeskaweb.tk, 1 +elenashilko.ga, 1 +elenaskincarespa.com, 1 +elenatranslations.nl, 0 +elenatroncone.tk, 1 +elenavoce.cf, 1 +elenayulkina.ru, 1 +elencantotecate.com, 1 +elencinar.tk, 1 +eleni.no, 1 +elenorsmadness.org, 1 +elenta.lt, 1 +eleonardo.tk, 1 +eleonora.gay, 1 +eleonoraanzini.tk, 1 +eleonoramazzola.com, 1 +eleonorapapallo.tk, 1 +eleonorengland.com, 1 +eleonrp.tk, 1 +elephant-orchestra.com, 1 +elephant-orchestra.cz, 1 +elephantartonline.com, 1 +elephantbasslab.tk, 1 +elephantia.cf, 1 +elephantorchestra.cz, 1 +elephants.net, 1 +elephants.tk, 1 +eleplant.fi, 1 +elepover.com, 1 +elesconditedelola.com, 1 +eletminosegert.ro, 1 +eletom.pl, 1 +eletor.com, 1 +eletor.pl, 1 +eletrati.com, 1 +eletromaxautopecas.com.br, 1 +eletroquipsp.com.br, 1 +eletrotel.com, 1 +elettrauto.roma.it, 1 +elettricista-roma.it, 1 +elettricista-roma.org, 1 +elettricista.roma.it, 1 +elettricisti.roma.it, 1 +elettrodomestici.roma.it, 1 +elettrolinkimpianti.it, 1 +elettronew.com, 1 +eleusis-zur-verschwiegenheit.de, 1 +elev8fashion.ca, 1 +elevacionesrama.com, 1 +elevanhairdressing.co.uk, 1 +elevatewebdesigns.com, 1 +elevationcreative.net, 1 +elevationplumbingandheating.com, 1 +elevationxstudios.com, 1 +elevator.ee, 1 +elevatoraptitudetest.com, 1 +elevaweb.cl, 1 +elevelo.eu, 1 +elevenbeta.tk, 1 +elevenensemble.tk, 1 +elevenpaths.com, 1 +eleventhhouraltar.com, 1 +eleventhhourwatch.com, 1 +elexel.ru, 1 +elexon.co.uk, 1 +elexprimidor.com, 1 +elfe.de, 1 +elfejoyeux.com, 1 +elfi.com, 1 +elfix.sk, 1 +elforat.tk, 1 +elforno.gr, 1 +elforo.tk, 1 +elfranco.tk, 1 +elfrancotirador.tk, 1 +elfring.eu, 1 +elfussports.com, 1 +elgancho.tk, 1 +elgargajo.tk, 1 +elgenero.com, 1 +elgin.ga, 1 +elgin.tk, 1 +elgintexas.gov, 1 +elgoog.im, 1 +elgraffo.tk, 1 +elgrecohotel.gr, 1 +elguillatun.cl, 1 +elgustdecreixer.cat, 1 +elgustodecrecer.es, 1 +elhall.pro, 0 +elhamadimi.com, 1 +elhim-iskra.com, 1 +elhombrepez.tk, 1 +elhorizontal.com, 1 +elhossari.com, 1 +elhuesero.com, 1 +eliamakingmemories.co.nz, 1 +eliamakingmemories.com, 1 +eliang.tk, 1 +elias-erdmann.tk, 1 +eliasfgabriel.com, 1 +eliasfox.com, 1 +eliasfranklinn.tk, 1 +eliasojala.me, 1 +eliasong.com, 0 +eliaswendt.com, 0 +eliaustvarjaspomine.si, 1 +eliav.tk, 1 +elibidore.ml, 1 +elicdn.com, 1 +elie.net, 0 +elielaloum.com, 1 +elifelabs.com, 1 +elifesciences.org, 1 +elifo.com.cn, 1 +eligasht.com, 1 +eligibilis.com, 1 +eligibility.com, 1 +eligibleapi.com, 1 +eligrey.com, 1 +eliis.eu, 1 +elijahbrown.tk, 1 +elijahgrey.com, 1 +elikers.ml, 1 +elimidrol.com, 1 +eliminations.tk, 1 +eliminercellulite.com, 1 +elimit.eu, 1 +elimitecreamforsale.ga, 1 +elimperiolatino.com, 1 +elina.pp.ua, 1 +elinaflower.com, 1 +eline168.com, 1 +elinevanhaaften.nl, 1 +elinformatico.tk, 1 +elink.io, 1 +elinks.tk, 1 +elinspector.tk, 1 +elinternadolagunanegra.tk, 1 +eliolita.com, 1 +eliotchs.org, 1 +eliott.cc, 1 +eliottlavier.com, 1 +elisa.ee, 1 +elisabeth-kostecki.de, 1 +elisabeth-raendel.de, 1 +elisabeth-strunz.de, 1 +elisabethbegle.at, 1 +elisabethborgermans.com, 1 +elisabethcasanova.ch, 1 +elisabethkostecki.de, 1 +elisabethrene.com, 1 +eliseadams.com.au, 1 +eliseshivamber.com, 1 +elisetriestocook.com, 1 +elisity.com, 1 +eliskamyskova.cz, 1 +elit-fitnes.tk, 1 +elit-host.tk, 1 +elit-logistic.ru, 1 +elit.ro, 1 +elitatasehirescort.com, 1 +elitav.be, 1 +elite-design.tk, 1 +elite-enc.tk, 1 +elite-forums.tk, 1 +elite-fuite.fr, 1 +elite-magazin.de, 1 +elite-nakhodka.tk, 1 +elite-porno.ru, 1 +elite-tools.tk, 1 +elite-units.tk, 1 +elite.memorial, 1 +elitebike.com.co, 1 +elitecleaningservices.com.cy, 1 +eliteco.tk, 1 +elitecontentmarketer.com, 1 +elitedns.info, 1 +elitedns.org, 1 +elitefintechglobal.com, 1 +elitegameservers.net, 1 +elitegaragedoors247.com, 1 +eliteholidaylights.com, 1 +elitehouse.tk, 1 +eliteimsolutions.com, 1 +elitelandscapedesigns.ca, 1 +elitemdsupply.com, 1 +elitemud.tk, 1 +elitenovice.tk, 1 +elitephysiotherapy.com.au, 1 +eliteprofit.fr, 1 +elitepsychiatryandwellness.com, 1 +elitepumps.net, 1 +eliterequestboard.tk, 1 +elitesim.ga, 1 +elitesquadmodz.tk, 1 +elitetopic.com, 1 +elitetoy.com.br, 1 +elitewealth.in, 1 +elitexcomputing.com, 1 +elitexxx.com, 1 +elithayat.com, 1 +elithus.se, 1 +elitrahealth.com, 1 +elitsa.gr, 1 +elivenet.com, 1 +elixi.re, 1 +elixir.bzh, 1 +elixirfactory.io, 1 +elizabethcitync.gov, 1 +elizabethgeren.com, 1 +elizabethgreenfield.com, 1 +elizabethhospeech.com, 1 +elizabethrominski.com, 1 +elizabethtaderera.me, 1 +elizabethtown-ny.gov, 1 +elizafranklin.com, 1 +elizaminami.com.br, 1 +eljay.cc, 1 +eljef.me, 1 +elk.moe, 1 +elka-piter.ga, 1 +elkampeuzo-musique.tk, 1 +elkarizan.com, 1 +elkgroveil.gov, 1 +elkhaus.de, 1 +elki-musik.ch, 1 +elkim.cz, 1 +elkmontal.gov, 1 +elkmotel.at, 1 +elkodaily.com, 1 +elkonsults.com, 1 +elkovplus.cz, 1 +elkvalley-nsn.gov, 1 +ell-net.tokyo, 1 +ella-kwikmed.com, 0 +ellanurse.co.il, 1 +ellas-haarshop.nl, 1 +ellasbubbles.com, 1 +ellatotal.com, 1 +elle-fanning.info, 1 +elle-weine.de, 1 +elle.se, 1 +elledecor.tk, 1 +ellegaard.dk, 1 +ellemental.me, 1 +ellencorddry.com, 1 +ellendalend.gov, 1 +ellenkesters.be, 1 +ellenpage.tk, 1 +ellensburgwa.gov, 1 +ellesoft-freeware.tk, 1 +ellevate.com, 1 +ellhofen-peccioli.de, 1 +elliboettcher.de, 1 +ellierider.com, 1 +elligre.tk, 1 +ellinaras.tk, 1 +ellingworth.co.uk, 1 +elliot.cat, 1 +elliotbrandwein.com, 1 +elliotlewisms.com, 1 +elliottbernstein.com, 1 +elliottgaming.ga, 1 +elliottinsuranceservices.com, 1 +elliottwoodworking.com, 1 +ellipsoid.cf, 1 +ellipticalmachine.tk, 1 +elliquiy.com, 1 +ellisamusements.co.uk, 1 +elliscoscanner.com, 1 +ellisleisure.co.uk, 1 +ellisvanlaarhoven.tk, 1 +elliteshop.vn, 1 +elliyoung.com, 1 +elloadingjr.ga, 1 +ellty.com, 1 +ellyscakes.com, 1 +elm-dental.com, 1 +elmaci.net, 1 +elmagdclean.com, 1 +elmahost.net, 1 +elmandria.com, 1 +elmarchive.ir, 1 +elmejorcortapelos.com, 1 +elmejordance.tk, 1 +elmenreich.tk, 1 +elmerboroughnj.gov, 1 +elmermx.ch, 1 +elmeson.tk, 1 +elmetodofuncional.com, 1 +elmion.cloud, 1 +elmolar.tk, 1 +elmolist.tk, 1 +elmoro.mx, 1 +elmresan.ir, 1 +elmundodeloso.tk, 1 +elmwoodmi.gov, 1 +elnan.do, 1 +elnegocioperfecto.tk, 1 +elnodiacademy.com, 1 +elo-forum.org, 1 +elo-rocket.com, 1 +elobservador.tk, 1 +eloca.ls, 1 +elocals.me, 1 +elodees.com, 1 +elodieclerc.ch, 1 +elodrias.de, 1 +elog.tokyo, 1 +eloge.se, 1 +elohellp.com, 0 +eloiseponnau.com, 1 +elok.eu.org, 1 +elon.gov, 1 +elona-wvw.de, 1 +elonaspitze.de, 1 +elonbase.com, 1 +elonma.gov, 1 +elontime.de, 1 +elorbe.com, 1 +elorrieta.eus, 1 +elosoavila.tk, 1 +elosrah.com, 0 +elovip.com.br, 1 +eloxt.com, 1 +elpac.info, 1 +elpactest.com, 1 +elpactest.eu, 1 +elpactest.info, 1 +elpactest.org, 1 +elpandemonio.tk, 1 +elpcnc.com, 1 +elpellejodelabreva.tk, 1 +elperdigon.tk, 1 +elphnt.io, 1 +elpincho.tk, 1 +elpitazo.net, 1 +elplugins.xyz, 1 +elpo.net, 1 +elposconflicto.org, 1 +elpreciosostud.com, 1 +elprincipevegeta.tk, 1 +elprofeshows.com, 1 +elpromaucae.tk, 1 +elpueblo.com.do, 1 +elquintoas.tk, 1 +elradiobuffet.tk, 1 +elradix.be, 1 +elradix.eu, 1 +elranchofeliz.org, 1 +elrebollar.tk, 1 +elrenook.gov, 1 +elreportero.tk, 1 +elri.blog, 1 +elrincondelasplacas.com, 1 +elrincondelotaku.tk, 1 +elrinconderovica.com, 1 +elron.ee, 0 +elrubio.tk, 1 +elsadonaire.tk, 1 +elsas.tk, 1 +elsbouslanostraaficio.tk, 1 +elsector7.tk, 1 +elsemanariodesalamanca.tk, 1 +elsenzhafen.de, 1 +elsg.co.uk, 1 +elshop1eu.com, 1 +elshou.com, 1 +elstravato.com, 1 +elsuccionador.com, 1 +elsvanderlugt.nl, 1 +elsvanmerhaeghe.be, 1 +elsweb.net, 1 +elsword.moe, 0 +elsylist.com, 1 +elta.com.ua, 1 +eltair.com, 1 +eltar.pl, 1 +eltconsultants.com.mx, 1 +eltec.es, 1 +eltern-verein.ch, 1 +elternbeiratswahl.online, 1 +elternverein-utzenstorf.ch, 1 +elternzimmer.de, 1 +eltip.click, 1 +eltjon.duckdns.org, 1 +eltlaw.com, 1 +elto.ch, 0 +eltohsurgery.com.sg, 1 +eltonpastilha.me, 1 +eltormo.tk, 1 +eltoroweakly.com, 1 +eltransportquevolem.org, 1 +eltrompomedia.com, 1 +eltron.com.ua, 1 +eltuito.tk, 1 +eluancm.net, 1 +elucron.com, 1 +eluhome.de, 1 +elusivetranslations.com, 1 +eluvade.com, 1 +eluvio.com, 1 +elvac.eu, 1 +elvalordelsaliments.cat, 1 +elvcino.com, 0 +elverdaderoamor.tk, 1 +elvikom.co.uk, 1 +elviraszabo.com, 1 +elvis-atouchofgold.com, 0 +elvis-presley.tk, 1 +elvismania.tk, 1 +elvispresley.net, 1 +elvisvrconnect.co.uk, 1 +elvonet.hr, 1 +elvorti.bg, 1 +elvorti.com, 1 +elvtr.com, 1 +elwave.org, 1 +elweronete.tk, 1 +elwix.com, 1 +elyazmusic.com, 1 +elycoin.io, 0 +elysiandigital.co, 1 +elysiria.fr, 1 +elysium-team.tk, 1 +elysium.coop, 1 +elysiumware.com, 1 +em-biotek.cz, 0 +em-racing.com, 1 +em-racing.de, 1 +em888.vip, 0 +emabot.tk, 1 +emacitylife.com, 1 +emad7.tk, 1 +emagazine.com, 1 +emaging-productions.fr, 1 +emaging.fr, 1 +email-pipeline.xyz, 1 +email-verifier.tk, 1 +email.repair, 0 +email24.cf, 1 +email4u.at, 1 +emailable.com, 1 +emailablev.com, 1 +emailalaperformance.fr, 1 +emailalias.nl, 1 +emailbusters.tk, 1 +emailconfiguration.com, 1 +emailexpress.ga, 1 +emailfreeshop.tk, 1 +emailgonderim.tk, 1 +emailhunter.co, 1 +emailing.alsace, 1 +emailing.ga, 1 +emaillagebaingenial.ca, 1 +emailmasker.nl, 1 +emailmeform.com, 1 +emailprivacytester.com, 1 +emailprocessorpro.gq, 1 +emailpursuits.com, 1 +emailroundup.com, 1 +emailservers.tk, 1 +emailspedia.com, 1 +emailtemporal.org, 0 +emakicms.com, 1 +emaks.tk, 1 +emalm.com, 1 +emamiltd.in, 1 +emanaclinic.com, 0 +emancipator.com, 1 +emanol.co.uk, 1 +emanuel.photography, 1 +emanuela-gabriela.co.uk, 0 +emanuelachiriaco.tk, 1 +emanuelduss.ch, 1 +emanuelemazzotta.com, 1 +emaps.tk, 1 +emaratalyoum.com, 1 +emarhotel.bg, 1 +emarketingmatters.com, 1 +emas-beja.pt, 1 +emater.com, 1 +emavending.club, 1 +emavok.eu, 1 +emaygroup.co, 1 +emazrin.tk, 1 +emazzanti.net, 1 +embarcados.com.br, 1 +embark.studio, 1 +embawood.az, 1 +embedded.com, 1 +embelgium.org, 1 +embelize.com, 1 +embellir-aroma.com, 1 +embellir-kyujin.com, 1 +embellishop.com, 1 +ember-is.gay, 1 +ember.co, 1 +emberit.com, 1 +emberlife.com, 1 +embien.co, 1 +embodiaacademy.com, 1 +embodiaapp.com, 1 +embodied.vision, 1 +embonus.dk, 1 +emboque.tk, 1 +embouts-et-bouchons.fr, 1 +embox.net, 1 +embracecontext.com, 1 +embracer.com, 1 +embracethedarkness.co.uk, 1 +embracezine.tk, 1 +embraco.com, 0 +embryologist.info, 1 +embryooptions.com, 1 +embuscadasintonia.com, 1 +emby.cloud, 1 +emby.live, 1 +emccglobal.org, 1 +emceemanic.tk, 1 +emcentrix-com-site-mvc.azurewebsites.net, 1 +emcloud.io, 1 +emcspotlight.com, 1 +emdad-persian.ir, 1 +emdadkhodrokaraj.ir, 1 +emdadulislam.tk, 1 +emdbonlinehelp.tk, 1 +emdep.com, 1 +emdesigns.tk, 1 +emdrupholm.dk, 1 +emdvcorasia.com, 1 +emdynint.io, 1 +emed.com, 0 +emeetattd.ddns.net, 1 +emeklifinans.com, 1 +emeliecrystal.net, 1 +emeliefalk.se, 1 +emeliemai.com, 1 +emelies-inspiration.tk, 1 +ememsei.com, 1 +emenaspa.com, 1 +emenshop.cf, 1 +emenshop.ga, 1 +emenshop.ml, 1 +emenshop.tk, 1 +emeralda.tk, 1 +emeraldcbdshop.com, 0 +emeraldcoastrideshare.com, 1 +emeraldcoasturgentcare.com, 1 +emeraldheights.tk, 1 +emeraldshield.com, 1 +emeres.tk, 1 +emergency-broadcast-system.tk, 1 +emergency-federal-register.gov, 1 +emergencycommand.us, 1 +emergencymanagementedu.org, 1 +emergencyportal.tk, 1 +emergenzaduepuntozero.it, 1 +emergingafricagroup.com, 0 +emergingindustryprofessionals.com, 1 +emeria.in, 1 +emero.de, 0 +emersoncanada.ca, 1 +emersonreview.tk, 1 +emersya.com, 1 +emex.ro, 1 +emffren.com.tr, 1 +emi.im, 1 +emielraaijmakers.nl, 1 +emigrantes.tk, 1 +emigratieplanner.com, 1 +emil-dein-baecker.com, 1 +emil-dein-baecker.de, 1 +emil-reimann.com, 1 +emil-reimann.de, 1 +emil.click, 0 +emil.one, 0 +emilecourriel.com, 1 +emileon.gr, 1 +emilianojeff.com, 1 +emilianomaccaferri.com, 1 +emiliaperkkola.fi, 1 +emiliaromagnaeconomy.it, 1 +emiliederavinspain.tk, 1 +emiliehouse.net, 1 +emiliendevos.be, 1 +emilieporte.fr, 1 +emilio.media, 1 +emilioadani.com, 1 +emiliopj.es, 1 +emiliops.com, 1 +emilong.com, 1 +emilreimann.de, 1 +emils-1910.de, 1 +emils-chemnitz.de, 1 +emils1910.de, 1 +emilsleker.no, 1 +emilstahl.com, 1 +emilstahl.de, 1 +emilstahl.dk, 1 +emilstahl.eu, 1 +emilstahl.se, 1 +emilvanderwal.tk, 1 +emilvarga.com, 1 +emily-website.tk, 1 +emily.moe, 1 +emilybellydance.com.au, 1 +emilymarques.ga, 1 +emilypennock.co.uk, 1 +emilypennock.com, 1 +emilysweet.com, 1 +emilywufaith.tk, 1 +emina-arapovic.tk, 1 +eminafans.tk, 1 +emindweb.com, 1 +eminem.kim, 1 +eminem50cent.com, 1 +eminencepools.com, 1 +emirates247.com, 1 +emiratesairline.co.uk, 1 +emirefek.net, 1 +emirichardson.com, 1 +emisia.com, 1 +emisoralavozdedios.tk, 1 +emissionsgroup.com, 1 +emissionssafe.org, 1 +emita.ee, 1 +emivauthey.com, 0 +emkan-furniture.com, 1 +emkanrecords.com, 0 +emkode.pl, 1 +emla.info, 1 +emlakforum.com.tr, 1 +emlcloud.com, 1 +emls.fr, 1 +emma-central.tk, 1 +emma-o.com, 1 +emma-secret.com, 1 +emma-und-felix-heiraten.de, 1 +emmababy420.com, 1 +emmadreams.net, 1 +emmagarland.com, 1 +emmajayne.tk, 1 +emmalegalnurse.com, 1 +emmaliddell.com, 0 +emmanuelle-et-julien.ch, 1 +emmanuelorocker.com, 1 +emmaowl.com, 1 +emmastarr.net, 1 +emmaste.edu.ee, 1 +emmastree.com, 1 +emmauspa.gov, 1 +emmawatsonking.tk, 1 +emmawatsononline.tk, 1 +emmdy.com, 0 +emmedicom.ml, 1 +emmedicom.tk, 1 +emmepole.tk, 1 +emmerdale.me.uk, 1 +emmetcountyia.gov, 1 +emmilein.com, 1 +emmiwelentain.com, 1 +emmynet.de, 1 +emo-poris.com, 1 +emo.ie, 1 +emocionado.com, 1 +emocionestlp.com, 1 +emocionypensamiento.com, 1 +emocje.com, 1 +emoforum.tk, 1 +emoji-meaning.org, 1 +emoji-symbols.org, 1 +emoji.web.tr, 1 +emoji.wf, 1 +emojikeyboard.top, 1 +emojiteka.pl, 1 +emojiterra.com, 1 +emolafarm.com, 1 +emolar.com, 1 +emond-usedcars.net, 0 +emoneycircle.com, 1 +emonovo.com, 1 +emonsarkar.tk, 1 +emopics.com, 1 +emotality.com, 1 +emote.bot, 1 +emotebank.com, 1 +emotebot.com, 1 +emotionalonlinestorytelling.com, 1 +emotionsanonymous.org, 1 +emotionsgroup.kz, 1 +emotive.productions, 1 +emoxie.com, 0 +empathhouse.com, 1 +empathogen.com, 1 +empathogens.com, 1 +empathy.ca, 1 +empathyband.tk, 1 +empatify.com, 1 +empatify.pl, 1 +empatos.cf, 1 +empeltd.com, 1 +emperola.com, 1 +emperor-penguin.com, 1 +emperor-penguins.com, 1 +emperoranimeindo.tk, 1 +emperors.net, 1 +empfrm.com, 1 +empherino.net, 1 +empietraining.com, 1 +empire-events.nl, 1 +empire-forum.tk, 1 +empire-group.co.nz, 1 +empire-univ.com, 1 +empire24.co, 1 +empireauto-2000.com, 1 +empiredenham.ga, 1 +empirehall.com.ua, 1 +empireking.us, 1 +empirelevel.eu, 1 +empireliverfoundation.org, 1 +empirestatejazzcafe.com, 1 +emplifi.io, 1 +emploi-collectivites.fr, 0 +emploi-international.net, 1 +emploi-saintefoytarentaise.fr, 1 +employeeexpress.gov, 1 +employeemanual.com.au, 1 +employer.gov, 1 +employer411.com, 1 +employeradmin.com, 1 +employersolutionsgroup.com, 1 +employersupport.co.uk, 1 +employflorida.com, 1 +employmax.co.za, 1 +employmaxcampus.co.za, 1 +employmaxetd.co.za, 1 +employment-applicant.com, 1 +employment-solutions.ca, 1 +employment.uk.com, 1 +employmentguide.com, 1 +employmenttracking.ga, 1 +emporiaks.gov, 1 +emporikonathenshotel.com, 1 +emporioarchitect.com, 1 +emporiodosperfumes.com.br, 1 +emporioguarani.com.br, 1 +emporiohortinatura.com.br, 1 +emporioonline.com.br, 1 +emporiopurochile.com.br, 1 +emporium-italy.com, 1 +emporiumbeverages.com, 1 +empoweraces.com, 1 +empowerdb.com, 1 +empowered-decision.com.au, 1 +empoweren.com, 1 +empoweringdifferences.com, 1 +empowernation.org, 1 +empowersimcoe.ca, 1 +empoweryou.ca, 1 +emprechtinger.com, 1 +empregosrj.com, 1 +empreinte.ca, 1 +emprendecausa.com, 1 +emprendeconchrisfx.com, 1 +emprendedoresdesevilla.es, 1 +emprendimientoweb.co, 1 +emprendimientoyformacion.com, 1 +empresa365.com, 1 +empresautil.tk, 1 +emprestimodedinheiro.com, 1 +emprestimosemcomprovar.com, 1 +emprunterlivre.ci, 1 +empsi-sup.com, 1 +emptiness.cf, 1 +empty.host, 1 +emptybox.org, 1 +emptypath.com, 1 +emptysmile.tk, 1 +empyreanrule.com, 1 +emq.io, 1 +emrah.io, 1 +emrawi.org, 1 +emreaydinfan.tk, 1 +emrecicekmuhendislik.com, 1 +emresaglam.com, 1 +emrgnc.co.uk, 1 +emrullahsahin.com, 1 +ems.gov, 1 +emsa-casm.ca, 0 +emsd.tw, 1 +emsdinghies.com, 1 +emse.fr, 1 +emsliespharmacy.com.au, 1 +emsnow.com, 1 +emsrealfood.nl, 0 +emta.ee, 0 +emtex.at, 1 +emtex.co.jp, 1 +emtofis.com, 1 +emtpigging.com, 1 +emtpigging.my, 1 +emtradingacademy.com, 1 +emtreview.com, 1 +emu.dk, 1 +emu.land, 1 +emulation-archive.org, 1 +emulationking.com, 1 +emulator.ml, 1 +emulator.wtf, 1 +emulatronic.tk, 1 +emulefans.com, 1 +emulovers.com, 1 +emulsifier.ga, 1 +emunet.net, 1 +emurom.net, 1 +emuser.tk, 1 +emusicuz.tk, 1 +emvoiceapp.com, 1 +emw3.com, 1 +emxvn.co.za, 1 +emyr.net, 1 +emyself.org, 1 +emystars.tk, 1 +emzi0767.com, 1 +emzy.de, 1 +en-crypt.me, 1 +en-maktoob.search.yahoo.com, 0 +en-pc.jp, 1 +en-wp.com, 1 +en-wp.org, 1 +en0.io, 1 +en4rab.co.uk, 1 +en4u.org, 1 +enaah.de, 1 +enable-javascript.com, 1 +enableyourlife.com, 1 +enabling.ga, 1 +enablingcommunities.com.au, 1 +enactor.co, 1 +enactusteesside.org, 1 +enago.com, 1 +enagramm.com, 1 +enalean.com, 1 +enam.gov.in, 1 +enamae.net, 1 +enamelpin.club, 1 +enaminestore.com, 1 +enamonada.com, 1 +enattendantpauline.ca, 1 +enaturelive.com, 1 +enbecom.net, 1 +enboarder.com, 1 +enbulleiugnen.com, 1 +enby.army, 1 +encd.life, 1 +ence.es, 1 +encelaya.com.mx, 0 +encenna.com.br, 1 +encfs.win, 1 +enchantedcode.co.uk, 1 +enchantedcottage.tk, 1 +enchong.com, 1 +encinitastrainer.com, 1 +encirca.com, 1 +encircleapp.com, 1 +encode.host, 1 +encodecloud.net, 1 +encontra-me.org, 1 +encontreumagp.com, 1 +encontro.online, 1 +encontroespiritadeinverno.com.br, 1 +encore.tech, 1 +encoreglobal.com, 1 +encoro.org, 1 +encorp.com.my, 1 +encotentin.fr, 1 +encountercss.com, 1 +encouragemarketing.com, 1 +encredible.de, 0 +encredible.org, 0 +encres-nelly.fr, 1 +encretplomb.ch, 0 +encryp.ch, 1 +encrypt.cf, 1 +encrypt.my.id, 1 +encrypted.at, 1 +encrypted.google.com, 1 +encryptedaudience.com, 1 +encryptedconnection.net, 1 +encryptionweb.tk, 1 +encryptmy.site, 1 +encryptmycard.com, 1 +encryptographs.com, 1 +encuentra-todo.tk, 1 +encuentra.tk, 1 +encuentraapoyo.gov, 1 +encuestaspagadas.com.mx, 1 +encuestaspagadas.org, 1 +encurta.ml, 1 +encycarpedia.com, 1 +end.tf, 1 +endangeredwatch.com, 1 +endavantstap9b.tk, 1 +endbegins.tk, 1 +endbox.email, 1 +endcottagevets.co.uk, 1 +ende-x.com, 1 +endeal.nl, 1 +endean.com, 1 +endeavourbiz.com, 1 +endee.de, 1 +endeksa.com, 1 +endener.com, 1 +ender.co.at, 1 +ender.fr, 1 +ender.moe, 1 +ender3.info, 1 +enderandrew.com, 1 +enderbycamping.com, 0 +enderdrachelp.ddns.net, 1 +enderhost.tk, 1 +enderle.cloud, 1 +enderman.eu, 1 +enderszone.com, 0 +endiana.cf, 1 +endiana.ga, 1 +endiana.gq, 1 +endiana.ml, 1 +endingthedocumentgame.gov, 1 +endless.pet, 1 +endlessdiy.ca, 1 +endlessfashion.tk, 1 +endlessgrind.com, 1 +endlesshorizons.info, 1 +endlessvideo.com, 1 +endlesswebsite.tk, 1 +endofevolution.com, 1 +endofinternet.goip.de, 1 +endoflife.date, 1 +endofodo.goip.de, 1 +endoftenancycleaninglondon.co.uk, 1 +endohaus.us, 1 +endometriu.ml, 1 +endondehay.com, 1 +endoscope.bg, 1 +endpipe.com, 1 +endplasticwaste.org, 1 +endpointclinical.com, 1 +endrinas.com, 1 +endrust.com.au, 1 +endspamwith.us, 1 +enduranceseries.ca, 1 +enduroxtrem.tk, 1 +endustriyelfirinlar.com, 1 +endviolence.gc.ca, 1 +enecivilela.com, 1 +enefit.com, 1 +enefitgreen.ee, 1 +enefitvolt.com, 1 +eneko.com, 1 +enekogarrido.com, 0 +enel.com, 1 +enelgreenpower.com, 1 +enemybase.tk, 1 +enemyofman.com, 1 +enemyterritory.tk, 1 +enercon.co.il, 1 +enercontechltd.com, 1 +energaia.de, 1 +energetic-root-medicine.net, 1 +energetic.cc, 1 +energetica.ga, 1 +energeticafemenina.com, 1 +energetikasmantojums.lv, 1 +energetikasmuzejs.lv, 1 +energialibre.tk, 1 +energianuclear.tk, 1 +energiatalgud.ee, 1 +energiaurbana.tk, 1 +energicertifikat.fi, 1 +energie-sante.ch, 0 +energiecentrale.gent, 1 +energieconsultonline.nl, 1 +energiekeurplus.nl, 1 +energielabelbinneneenweek.nl, 1 +energiemines.ma, 1 +energiewende.com.br, 1 +energikompetens.se, 1 +energizer.eu, 1 +energoproff.com, 1 +energoset-spb.ru, 1 +energozrouti.cz, 0 +energy-drink-magazin.de, 1 +energy-fm.tk, 1 +energy-healings.com, 1 +energy-in-balance.eu, 0 +energy-robotics.com, 1 +energy.eu, 1 +energyatlas.com, 1 +energyaupair.dk, 1 +energyaupair.nl, 1 +energyaupair.no, 1 +energyaupair.se, 1 +energybooster.ml, 1 +energybooster.tk, 1 +energycodes.gov, 1 +energycommunities.gov, 1 +energyconsultonline.nl, 1 +energycrewing.com, 1 +energydrinkblog.de, 1 +energyefficientservices.com, 1 +energyelephant.com, 1 +energyforum.tk, 1 +energygenie.com.au, 1 +energygroup.gq, 1 +energygroup.tk, 1 +energyguru.tk, 1 +energyhomeservice.ca, 1 +energyhybrid.ga, 1 +energylink.com, 1 +energylocal.com.au, 1 +energylocals.au, 1 +energylocals.com, 1 +energylocals.com.au, 1 +energylocals.org, 1 +energymedia.tk, 1 +energysaveroregon.com, 1 +energysite.tk, 1 +energystar.gov, 1 +energysystems.com, 1 +energytrust.tk, 1 +energyuse.net, 1 +energywisdom.tk, 1 +enerity.eu, 1 +enerity.io, 1 +enerot.com, 1 +eneroths.se, 1 +enerpac.com, 1 +enersaveapp.org, 1 +enerte.ru, 1 +enerypa.tk, 1 +enescrackmerkezi.tk, 1 +enet-navigator.de, 1 +enet.eu, 1 +enett.team, 1 +enewspapers.tk, 1 +enfant.tk, 1 +enfants-terribles.tk, 1 +enfantsdelarue.ch, 1 +enfasyperfumarias.com, 1 +enfermedaddelbeso.com, 1 +enfermeira.pt, 1 +enfieldheightsacademy.org.uk, 1 +enflow.nl, 1 +enforcement-trends-dev.azurewebsites.net, 1 +enforcement-trends-test.azurewebsites.net, 1 +enforcement-trends.azurewebsites.net, 1 +eng-erlangen.de, 1 +eng3corp.com, 1 +eng4arab.tk, 1 +engageapp.net, 1 +engagelogic.com, 1 +engagewarnerrobinsga.gov, 1 +engagewell.com, 1 +engagingmuscles.com, 1 +engagio.com, 1 +engalego.tk, 1 +enganchesevilla.es, 1 +engbers.com, 1 +engelandautohuur.nl, 1 +engeldasein.at, 1 +engeldasein.com, 1 +engelk.de, 1 +engelmann.com, 0 +engelorchester.de, 1 +engelsism.tk, 1 +engelundlicht.ch, 1 +engelzicht.com, 1 +engen.co.za, 0 +engg.ca, 1 +enggar.tk, 1 +enghero.com, 1 +engie-laadpalen.nl, 1 +engima.nl, 1 +engineer-kobe.ga, 1 +engineer-route.com, 1 +engineer.org.my, 1 +engineeringclicks.com, 1 +engineeringidea.ga, 1 +engineertaplin.co.uk, 1 +enginefirefighter.com, 1 +enginemoves.com, 1 +engineowning.com, 1 +enginepit.com, 1 +enginsight.com, 1 +enginx.net, 1 +enginytech.com, 1 +engione.com, 1 +engl-amps.com, 1 +engl-amps.net, 1 +engl-customshop.com, 1 +engl-customshop.de, 1 +engl-customshop.net, 1 +engl-distribution.com, 1 +engl-distribution.de, 1 +engl-distribution.net, 1 +engl-server.de, 1 +engl-systems.de, 1 +england-fixed-matches.com, 1 +englandairportcars.com, 1 +englandbeach.com, 1 +englandlearn.com, 1 +englandschool.tk, 1 +englesh.org, 1 +english-e-reader.net, 1 +english-to-russian-translation.tk, 1 +english-training.tk, 1 +english.events, 1 +englishbulgaria.net, 1 +englishcast.com.br, 1 +englishclassworksheets.com, 1 +englishclub.com, 1 +englishcompany-mobile.jp, 1 +englishcompany.jp, 1 +englishdirectory.de, 1 +englishfamilyzone.tk, 1 +englishit.io, 1 +englishll.com, 1 +englishlol.com, 1 +englishouse.tk, 1 +englishprovence.com, 1 +englishschoolforkids.com.ua, 1 +englishteacheredu.org, 1 +englishtofrench.eu, 1 +englishvit.com, 1 +engodnat.dk, 1 +engraffo.com, 1 +engrama.tk, 1 +engrepair.com, 1 +engrish.ml, 1 +engso-education.eu, 1 +engso.com, 1 +engso.eu, 1 +engsoyouth.eu, 1 +engsubjav.com, 1 +engution.biz, 0 +engvid.com, 1 +engweld.co.uk, 1 +engym.com.tw, 1 +engz.icu, 1 +enhanced-mail.tk, 1 +enhancemedia.co.uk, 1 +enia.com, 1 +enigheten.tk, 1 +enigma.swiss, 0 +enigmacpt.com, 0 +enigmamusic.tk, 1 +enigmatry-website-test.azurewebsites.net, 1 +enigmatry.com, 1 +enigmavault.io, 1 +enip2.ru, 1 +enitso.de, 1 +enity.tk, 1 +eniwa-eye.com, 1 +enixgaming.com, 0 +eniyicrmprogramlari.tk, 1 +enizioshop.com, 1 +enji-sendai.com, 1 +enjieding.com, 1 +enjin.io, 1 +enjin.zone, 1 +enjincoin.io, 1 +enjinwallet.io, 1 +enjoy-drive.com, 1 +enjoyangels.com, 1 +enjoybeer.dk, 1 +enjoytransferitalia.com, 1 +enka-works.com, 1 +enka-works.jp, 1 +enka-works.net, 1 +enkelanmalan.se, 1 +enkelpaamelding.no, 1 +enker.tk, 1 +enkolaysertifika.com, 1 +enkrypt.com, 1 +enky.be, 1 +enlacemedik.com, 1 +enlacesgranotas.tk, 1 +enlamochiladeadri.com, 1 +enlasnubes.tk, 1 +enlaztravel.com, 1 +enlightenspeech.com, 1 +enlightio.com, 1 +enlightsec.se, 1 +enlnf.link, 1 +enloestatebank.com, 1 +enlr.ru, 1 +enlyft.com, 0 +enmieux.be, 1 +enmowe.co.ke, 1 +enmowe.tech, 1 +ennd.com, 1 +enno.mom, 0 +ennori.jp, 1 +ennova.com, 0 +enoahinc.com, 1 +enodais.gr, 1 +enoenergy.com, 1 +enofmusic.com, 1 +enoisdaturma.tk, 1 +enolalingerie.com, 1 +enomada.net, 1 +enoou.com, 1 +enosiseurotrade.com, 1 +enosistrade.com, 1 +enot32.ru, 1 +enotar.ch, 1 +enoteca.do, 1 +enoteca.roma.it, 1 +enotecabortone.it, 1 +enotecastore.it, 1 +enotefile.com, 1 +enotovil.ru, 1 +enotrosmundos.tk, 1 +enpalmademallorca.info, 1 +enpasenerji.com.tr, 1 +enputu.tk, 1 +enquetebeteiligung.de, 1 +enquos.com, 1 +enrack.tk, 1 +enrega.com, 1 +enrich.email, 1 +enrichdata.ai, 1 +enriched.news, 1 +enrique-monroy.tk, 1 +enrique.wtf, 1 +enriqueamaro.com, 1 +enriqueferreira.com, 1 +enriquezdomenech.ninja, 1 +enroll2control.com, 1 +enrollapp.com, 1 +enroo-tech.com, 1 +enrouleur-bache.fr, 1 +enroutedeliveryservice.com, 1 +ensage.io, 1 +ensaladasvinagreta.com, 1 +ensap.gouv.fr, 1 +ensayistas.org, 1 +ensemble-conseils-et-services.fr, 1 +ensemble-rubato.de, 1 +enshin-karate.tk, 1 +ensightpharma.com, 1 +ensightsolutions.us, 1 +ensilencio.tk, 1 +ensingpodotherapie.nl, 1 +enskat.de, 1 +enslavedplantationclub.com, 1 +ensley.tech, 1 +ensma.fr, 1 +ensons.de, 1 +ensonyan.com, 1 +enstep.ru, 1 +enstroga.at, 1 +ensured.com, 1 +ensured.nl, 1 +ensurtec.com, 1 +ensy.cz, 1 +ent.cat, 1 +entabe.com, 1 +entabe.jp, 1 +entactogen.com, 1 +entactogens.com, 1 +entasyonline.com, 1 +entdeckertouren.com, 1 +enteente.com, 1 +entegrations.io, 1 +enter.co, 1 +enter.eco, 1 +enteratesoria.tk, 1 +enterclaim.com, 1 +enterdev.co, 1 +enterdown.com, 1 +enteronline.tk, 1 +enterprise-hr.com, 1 +enterprisenetworksecurity.net, 1 +enterpriseoregon.gov, 1 +enterpriset.cf, 1 +enterprisey.enterprises, 1 +entersoftsecurity.com, 1 +entersynapse.com, 1 +entertaiment-news.tk, 1 +entertainerzone.tk, 1 +entertainmentblog.tk, 1 +entertainmentmesh.com, 1 +entertainmentsrit.tk, 1 +enterthehollow.com, 1 +enteweb.tk, 1 +enthasso.gr, 1 +entheo-worldeyes.org, 1 +entheogens.com, 1 +entheorie.net, 1 +enthrallinggumption.com, 1 +enticingai.com, 1 +entityelevation.com, 1 +entityfiling.com, 1 +entomologia.it, 1 +entorangecounty.com, 1 +entouchgo.com, 1 +entpe.fr, 1 +entradacaminitorey.com, 1 +entradasrealmadrid.com, 1 +entrainchat.it, 1 +entrainr.com, 1 +entranceinfo.tk, 1 +entranz.nl, 1 +entreamigos.tk, 1 +entregarapida.cf, 1 +entremass.com, 1 +entrenossocialinfo.com, 1 +entreprenet.gq, 1 +entrepreneuretlibre.com, 1 +entrepreneurialopensource.org, 1 +entrepreneurnight.com, 1 +entreprise-innovante.fr, 1 +entreprises.gouv.fr, 1 +entreterse.com.br, 1 +entretien-roche.fr, 1 +entretien-vmc-professionnel.com, 1 +entretiendevmc.net, 1 +entretienvmc.com, 1 +entreutilidades.com.br, 1 +entrevistadesucesso.ga, 1 +entrezdansladanse.fr, 1 +entronica.co.th, 1 +entropy.su, 1 +entropyofdelicatewonders.com, 1 +entropytcg.com, 1 +entruempelung-berlin.de, 1 +entrup.io, 1 +entryboss.cc, 1 +entryscape.at, 1 +entryscape.ch, 1 +entryscape.com, 1 +entryscape.de, 1 +entryscape.net, 1 +entryscape.se, 1 +entserv.eu, 0 +entwickler.land, 1 +entwicklung.center, 1 +entzoneplan.com, 1 +enuchi.com, 1 +enuchi.jp, 1 +enumasecurity.com, 1 +enuygun.com, 1 +enuygunaucakbileti.com, 1 +envaldemoro.com, 1 +envant.co.uk, 1 +envelope.co.nz, 1 +envelopeartisans.com, 1 +envelopegroup.com, 1 +enveloppenopmaat.nl, 1 +enverid.com, 1 +envescent.com, 1 +envia.com.gt, 1 +enviam.de, 1 +enviarcurriculumvitae.com, 0 +enviartucurriculumvitae.com, 1 +enviatufoto.com, 0 +envide.no, 1 +enviesdeville.fr, 1 +enviodedinero.online, 1 +enviosnegocios.tk, 1 +envir.ee, 0 +envirhom.com, 1 +enviro-clear.co.uk, 1 +enviroli.ch, 1 +enviroli.co.nz, 1 +enviroli.co.uk, 1 +enviroli.cz, 1 +enviroli.dk, 1 +enviroli.eu, 1 +enviroli.li, 1 +enviroli.org.uk, 1 +enviroli.pl, 1 +enviroli.ro, 1 +enviroli.se, 1 +enviroli.uk, 1 +environcom.co.uk, 1 +environment.ai, 1 +environmental-colleges.com, 1 +environmentaljustice.gov, 1 +environmentalscience.org, 1 +envirotecstructures.com.au, 1 +envirotivity.com, 1 +envisionmedicalgroup.com, 0 +envisionsproperty.com, 1 +envisolarvind.tk, 1 +envistacu.com, 1 +enviyatar.tk, 1 +envoie.moi, 1 +envoyair.com, 1 +envoybrain.com, 1 +envoyez.moi, 1 +envoyglobal.com, 1 +envoypresents.com, 1 +envydesigns.tk, 1 +envygeeks.io, 1 +enweb.ml, 1 +enwikipedia.tk, 1 +enwillyado.tk, 1 +enwo.co, 1 +enwo.io, 1 +enxadahost.com, 1 +enzedonline.com, 1 +enzofardone.ga, 1 +enzosoares.com, 1 +enzyme-sensor.net, 1 +eo-literaturo.tk, 1 +eoa.live, 1 +eocka.com, 1 +eocservices.co.uk, 1 +eod.su, 1 +eohima.org, 0 +eol-team.tk, 1 +eola.co, 1 +eoliennedetoit.com, 1 +eomnneo.cz, 1 +eon.tech, 1 +eonclub.tk, 1 +eongame.tk, 1 +eonhive.com, 1 +eons.io, 1 +eonwavesstudio.com, 1 +eooe.me, 1 +eoonglobalresources.jp, 1 +eopac.net, 1 +eoperth.com.au, 1 +eos-croatia.com, 0 +eos-utvalget.no, 0 +eosagonline.ru, 1 +eoscryptocurrency.com, 1 +eosguru.ru, 1 +eosinofilos.com, 1 +eosol.de, 1 +eosol.net, 1 +eosol.services, 1 +eov2.com, 1 +ep-cortex.com, 1 +ep-plus.jp, 1 +epa.com.es, 1 +epagos.com.ar, 1 +epal.pt, 1 +epaoig.gov, 1 +epasar.my, 0 +epaslaugos.lt, 1 +epavape.eu, 1 +epave.paris, 1 +epawnatl.com, 1 +epay.bg, 1 +epaygateway.net, 1 +epcomputacion.com.ar, 1 +epcreation.nl, 1 +epcwd-ca.gov, 1 +epdemo.selfip.com, 1 +epdeveloperchallenge.com, 1 +epdiekirch.tk, 1 +epdigital.biz, 1 +ephemia.com, 1 +ephesusbreeze.com, 1 +epi.one, 0 +epic-semiconductors.com, 1 +epic-vistas.com, 1 +epic-vistas.de, 1 +epic.ca, 1 +epic.gl, 1 +epic.org, 1 +epica.tk, 1 +epicapos.cz, 1 +epicawesomemods.com, 1 +epicdesign1.tk, 1 +epicdesign2.tk, 1 +epicdowney.com, 1 +epicentar.mk, 1 +epicenter.ga, 1 +epicenter.work, 1 +epicentre-amsterdam.tk, 1 +epicentre.works, 1 +epicerie-raccourci.com, 1 +epiceriedici.ch, 1 +epicfail.be, 1 +epicforums.tk, 1 +epicginger.fi, 1 +epichouse.net, 0 +epicinflatables.co.uk, 1 +epiclawnpro.com, 1 +epiclegends.ml, 1 +epicmoney.tk, 1 +epicmusicradio.ml, 1 +epicpages.com, 1 +epicridesbahamas.com, 1 +epicsecure.de, 1 +epicserver.ru, 1 +epicsoft.de, 1 +epicteam.tk, 1 +epicteller.com, 0 +epicvideofactory.com, 1 +epicvistas.com, 1 +epicvistas.de, 1 +epidastudio.com, 1 +epidauros.be, 1 +epieos.com, 1 +epigrafes-led-farmakeia.gr, 1 +epikchat.com, 1 +epilis.gr, 1 +epinesdeparadis.com, 1 +epiphaniusmacar.com, 1 +epiphanyofourlordchurch.com, 1 +episails.com, 1 +episkevh-plaketas.gr, 1 +episode.tk, 1 +epistas.com, 1 +epistas.de, 1 +epistula.com, 1 +epitafija.ru, 1 +epitelial.com, 1 +epitesti.ro, 1 +epitesz.co, 1 +epiteugma.com, 1 +epizentrum.work, 1 +epizentrum.works, 1 +epl.ee, 1 +eplayer.cz, 1 +eplayer.sk, 1 +eplenet.tk, 1 +epliar.com, 1 +eplus.group, 1 +epluse.com, 1 +epm-bg.com, 1 +epmcentroitalia.it, 1 +epmonthly.com, 1 +epoch-film.ml, 1 +epochcg.pt, 1 +epolitiker.com, 1 +epos.az, 1 +eposbirmingham.co.uk, 1 +eposbrighton.co.uk, 1 +eposbristol.co.uk, 1 +eposcardiff.co.uk, 1 +eposig.net, 1 +eposkent.co.uk, 1 +eposleeds.co.uk, 1 +eposleicester.co.uk, 1 +eposliverpool.co.uk, 1 +eposlondon.co.uk, 1 +eposmidlands.co.uk, 1 +eposnottingham.co.uk, 1 +eposreading.co.uk, 1 +epossheffield.co.uk, 1 +epossussex.co.uk, 1 +eposswansea.co.uk, 1 +epost.pub, 1 +epost.tw, 1 +epostplus.li, 1 +eposyork.co.uk, 1 +eposzilos.nl, 1 +epoxyfloor.com.my, 1 +epoxyflooringperth.com.au, 1 +eppelblei.lu, 0 +eppelduerferjugend.lu, 0 +eppelpress.lu, 0 +eprdco.gov, 1 +epreskripce.cz, 1 +eprezto.com, 1 +eprimego.com, 1 +eprint-grimsby.co.uk, 1 +eprom.cf, 1 +eprosto.cf, 1 +eprzybornik.pl, 1 +epsamsg.com, 1 +epsi.io, 1 +epsilogix.com, 1 +epsilontel.com, 1 +epsmil.it, 1 +epsomnhpolice.gov, 1 +epson.ru, 1 +epsonstore.ae, 1 +epspolymer.com, 1 +eptirgotajs.lv, 1 +epublibre.org, 1 +epvd.tk, 1 +epyonsuniverse.net, 1 +eq-serve.com, 1 +eqassociates.com, 1 +eqbal.org, 1 +eqibank.com, 1 +eqlplayground.io, 1 +eqrx.net, 1 +eqs.com, 1 +equalifica.com.br, 1 +equalone.co.jp, 1 +equals.com.br, 1 +equalscollective.com, 1 +equans-kaelte.de, 1 +equasea.com, 0 +equate.net.au, 1 +equatetechnologies.com.au, 0 +equeim.ru, 0 +equestrianvaulting.co.uk, 1 +equi.ac, 1 +equiac.com, 1 +equicom.com, 1 +equidam.com, 1 +equifaxobjection.com, 1 +equilibratura.roma.it, 1 +equilibrium.med.br, 1 +equilibriumx.com, 0 +equine-dentistry-endoscope.com, 1 +equine-dentistry-scope.com, 1 +equinenow.com, 1 +equinetherapy.ca, 1 +equinox.io, 1 +equinoxe.de, 1 +equip.cz, 1 +equipamentosparapostos.com.br, 1 +equipandoloja.net.br, 1 +equipecarriere.ca, 1 +equipedefrance.tv, 0 +equipedefrente.tk, 1 +equipeferramentas.com.br, 1 +equipment-pool.tk, 1 +equipomorado.tk, 1 +equipoweb.info, 1 +equippers.de, 1 +equipsys.net, 1 +equisa-verpackung.com, 1 +equisecu.com, 1 +equitable-igwm.com, 1 +equitablehealthycities.org, 1 +equitazionepertutti.it, 1 +equity.today, 1 +equitybank.com, 1 +equityelevate.com, 1 +equityloupe.ru, 1 +equityyes.org, 1 +equivid.ga, 1 +equmeniakyrkanhallunda.se, 1 +equt.cloud, 1 +er-mgmt.com, 1 +er-music.com, 1 +er.pl, 1 +er.tl, 1 +era.fi, 1 +eradoom.net, 1 +erafat.com, 1 +eraiescrow.com, 1 +erandymoreira.cf, 1 +erandymoreira.ga, 1 +erandymoreira.gq, 1 +erandymoreira.ml, 1 +erapotensia.com, 1 +erasmo.info, 1 +erasmusantoine.tk, 1 +erasmusbari.tk, 1 +erasmusplusrooms.com, 1 +erasure.tk, 1 +erasyou.com, 1 +erate.fi, 1 +eraterm.com, 1 +eravurnet.tk, 1 +erb.org, 1 +erboristeria.milano.it, 1 +erboristeria.roma.it, 1 +erbt.tk, 1 +ercio.com, 1 +erciyesspor.tk, 1 +erclab.kr, 1 +erclaim.com, 1 +erctra.com, 1 +erda.gov, 1 +erdekesseg.com, 1 +erdethamburgeronsdag.no, 1 +ereader.uno, 1 +erebuildings.com, 1 +erechimimoveis.com.br, 1 +erectiepillenwinkel.nl, 1 +erector.cf, 1 +erector.tk, 1 +eredmenye.xyz, 1 +erefredag.se, 1 +eregma.tk, 1 +erektion1.gq, 1 +eremex.ru, 1 +erenvakfi.org, 1 +erethon.com, 1 +erfgoedeisden.tk, 1 +erfolgsmaschine.ch, 0 +ergaomnes.cz, 1 +ergaran.tk, 1 +ergobaby.com, 1 +ergobyte.eu, 1 +ergobyte.gr, 1 +ergodark.com, 1 +ergometrics.org, 1 +ergonomic-products.com, 0 +ergoseo.com, 1 +ergotopia.de, 1 +ergovita.com.br, 1 +erhvervsposten.dk, 1 +erhydro.com, 1 +eriandevan.com, 1 +eric-huber.de, 1 +eric-kolelas.tk, 1 +eric-masters.tk, 1 +eric.gg, 1 +eric1932.tk, 1 +ericabrahamsen.net, 1 +ericacastano.com, 1 +ericaftereric.top, 1 +ericairwin.com, 1 +ericccheng.com, 1 +ericdiao.com, 1 +ericdobson.com, 1 +ericfm.tk, 1 +ericfo.cf, 1 +ericfra.nz, 1 +erich-lessing-theater.tk, 1 +erichoekstra.com, 1 +erichoekstra.nl, 1 +erichorstmanshof.nl, 1 +erichuber.de, 1 +erichware.tk, 1 +ericisaweso.me, 0 +ericjohnltd.com, 1 +erick.blog, 1 +ericksonvasquez.com, 1 +ericksonvilleta.com, 1 +ericktello.tk, 1 +ericleuthardt.com, 1 +ericleuthardtphotography.club, 1 +ericloud.tk, 1 +erico-hm.com, 1 +ericoc.com, 1 +erics.email, 1 +erics.site, 1 +ericsaadeonline.tk, 1 +ericseankennedy.com, 1 +ericsilva.me, 1 +ericsilva.org, 1 +ericspeidel.de, 1 +ericvantijn.tk, 1 +ericwie.se, 0 +eridan.me, 1 +eridanus.uk, 1 +eridas.ml, 1 +erider.bg, 1 +eriecountyohioboe.gov, 1 +erigrid.eu, 1 +eriix.org, 1 +erik-stomp.de, 1 +erik.dedyn.io, 1 +erik1erik1.com, 1 +erikaepedro.ga, 1 +erikdslater.com, 1 +erikheemskerk.nl, 1 +erikhubers.nl, 1 +erikkruithof.nl, 1 +erikrji.me, 1 +eriksen.com, 1 +eriksen.im, 1 +erikserver2.tk, 1 +erikswan.com, 1 +erinaceinae.com, 1 +erinalinks.org, 1 +erinandken.net, 1 +erincarmody.cf, 1 +erindesu.cz, 1 +eriner.me, 1 +eringmaguire.com, 1 +erinias.net, 1 +erinmyers.us, 1 +eris-bj.com, 1 +erisa.uk, 1 +erisinfo.com, 1 +eristajanmutka.com, 1 +erisws.com, 1 +erisys.net, 1 +erito.com, 1 +eritonetwork.com, 1 +eritropoyetina.com, 1 +erium.fr, 1 +erkaelderbarenaaben.dk, 1 +erkeklersoruyor.com, 1 +erkemeij.com, 1 +erkenntniswen.de, 1 +erkiss.club, 1 +erkiss.live, 1 +erkiss12.com, 1 +erkkiaronen.fi, 1 +erlebe-salsa.de, 1 +erlebnisarchaeologie-bayern.de, 1 +erli.pl, 1 +ermak.tk, 1 +erman.ga, 1 +ermeglio.com, 1 +ermitano.cf, 1 +ernal.net, 1 +ernelit.com.br, 1 +ernest.ly, 1 +ernestchemists.com, 1 +ernotek.se, 1 +ernst-fuchs.tk, 1 +ero-like.online, 1 +ero-video.net, 1 +ero.ink, 0 +erodvd.com, 0 +erogen.org, 1 +erogen.su, 1 +eroimatome.com, 1 +erokat.ga, 1 +erol.se, 1 +erolib.ga, 1 +erolmobilya.com, 1 +eromanga.com, 1 +eromasajes.com, 1 +eron.info, 1 +eropics.to, 1 +erosbeautyandwellness.com, 1 +eroscomixitalia.tk, 1 +erosofia.tk, 1 +erosveneziani.cz, 1 +eroticjuggs.com, 1 +eroticmassagevegas.com, 1 +eroticom.hr, 1 +eroticspice.com, 1 +erotiksexgeschichten.net, 1 +erotikstahrtseite.cf, 1 +erotikstahrtseite.ga, 1 +erotikstahrtseite.gq, 1 +erotikstahrtseite.tk, 1 +erotismo.co, 1 +erozine.jp, 1 +erp-band.ru, 1 +erp-systems.ovh, 1 +erp.band, 1 +erpband.ru, 1 +erpcargo.com, 0 +erpcloud.systems, 1 +erpelstolz.at, 1 +erperium.com, 1 +erperium.nl, 1 +erpid.info, 1 +erpollo.com, 1 +erpsolutionsmart.com, 1 +erraen.org.ua, 1 +erreguete.gal, 1 +errekaweb.tk, 1 +errietta.me, 1 +errlytics.com, 1 +errolmarkland.com, 1 +errolstambler.com, 1 +erronort.com, 1 +error.fail, 1 +error.org, 1 +error418.nl, 1 +errror.org, 1 +ersa-shop.com, 1 +ersankaucuk.com, 1 +ersdfaredsaeem.tk, 1 +ersei.net, 1 +erseni.net, 1 +ershiwo.com, 1 +ersinbiltekin.tk, 1 +ersinerce.com, 0 +erspro.net, 1 +erste-hilfe-sbh.de, 1 +erste.guru, 1 +erstehilfeprodukte.at, 1 +erstiwiki.de, 1 +ert.ovh, 1 +ertekmakina.com.tr, 1 +ertel.xyz, 0 +erthisa.tk, 1 +ertvag.no, 1 +eru.cz, 1 +eru.im, 1 +erudicia.com, 1 +erudicia.de, 1 +erudicia.es, 1 +erudicia.fr, 1 +erudicia.it, 1 +erudicia.nl, 1 +erudicia.se, 1 +erudicia.uk, 1 +erudikum.cz, 1 +erudio-usluge.hr, 1 +erulezz.nl, 1 +eruzione.us, 1 +ervirmaison.tk, 1 +erwannlaflute.tk, 1 +erwerbslosenforum.de, 1 +erwin.saarland, 1 +erwinmi.gov, 1 +erwinonline.tk, 1 +erwinpaal.nl, 1 +erwinschmaeh.ch, 1 +erwinsite.tk, 1 +erwinwensveen.nl, 1 +erythromycinonline.gq, 1 +erythroxylum-coca.com, 1 +eryxmail.de, 1 +erzaehlwerkstatt-heilbronn.de, 1 +erzbistum-bamberg.de, 1 +es-geenen.de, 1 +es-ostan.tk, 1 +es-ramonage.fr, 1 +es-sharing.eu, 1 +es-sicherheit.ch, 1 +es-standart.com.ua, 1 +es-tools.at, 1 +es-tools.com, 1 +es-tools.de, 1 +es-vps.eu, 1 +es.ax, 1 +es.search.yahoo.com, 0 +es8888.net, 1 +es888999.com, 1 +esaborit.ddns.net, 0 +esadnext.cloud, 1 +esagente.com, 1 +esajokinen.net, 1 +esale.co, 1 +esalesclub.com, 1 +esame-di-professione-cinestetica.ch, 1 +esamsur.tk, 1 +esasafe.com, 1 +esasite.com, 1 +esatn.gov, 1 +esautotech.com.au, 1 +esb-platte.de, 1 +esb1314.net, 1 +esb1668.com, 1 +esb16888.com, 1 +esb369.com, 0 +esb518.com, 1 +esb556.com, 1 +esb5889.com, 1 +esb688.com, 1 +esb68888.com, 1 +esb777.me, 1 +esb777.us, 1 +esb888.net, 1 +esb8886.com, 1 +esb999.com, 1 +esb999.info, 1 +esb999.us, 1 +esba11.cc, 1 +esba11.com, 1 +esba11.in, 1 +esball.in, 0 +esball.online, 1 +esbuilders.co.nz, 0 +esc-romania.tk, 1 +esc-turkey.tk, 1 +esc18.net, 1 +esc3.net, 1 +esc9.net, 1 +escae.ml, 1 +escael.org, 1 +escalando.tk, 1 +escale-communication.bzh, 0 +escale33bienetre.fr, 1 +escalesensorielle.com, 1 +escambiacountyal.gov, 1 +escanabatownshipmi.gov, 1 +escancia.tk, 1 +escandell.cat, 1 +escaparate.tk, 1 +escape-house.be, 1 +escapeforyou.com, 1 +escapejunk.com, 1 +escapely.com, 1 +escapeplaza.de, 1 +escaperoomla.com, 1 +escaperoompsl.com, 1 +escapio.com, 1 +escarpe.com, 1 +escavador.com, 1 +escg.digital, 1 +escif.com, 1 +esclinux.tk, 1 +escmatrix.com, 1 +escobarservice7000.com, 1 +escobeira.pt, 1 +escoben.tk, 1 +escoffier.mu, 1 +escogitasrls.com, 1 +escoladejudo.com.br, 1 +escoladepilota.tk, 1 +escolamais.com.br, 1 +escolanacionaldejudo.com.br, 1 +escolatop.com.br, 1 +escolibri.com, 1 +escondido.gov, 1 +escondidoca.gov, 1 +escontact.ch, 0 +escordilla.tk, 1 +escort-fashion.com, 1 +escort.it, 1 +escortaccess.net, 1 +escortbee.com, 1 +escortcreampie.com, 1 +escortdelhi.net, 1 +escortdisplay.com, 1 +escortes.xyz, 1 +escortjessy.tk, 1 +escortlistings.ca, 1 +escortlistings.eu, 1 +escortlistings.fr, 1 +escortlistings.ph, 1 +escortlistingsuk.co.uk, 1 +escorts.works, 1 +escortslittleblackbook.com, 1 +escortz.gq, 1 +escoteiros.tk, 1 +escovator-records.tk, 1 +escritoresdelcomahue.tk, 1 +escritoriohs.com.br, 1 +escriva.org, 1 +escrocratie.tk, 1 +escrowalliance.com, 1 +escspain.tk, 1 +escuelabiblica.com, 1 +escuelacaninalatejera.es, 1 +escueladego.tk, 1 +escueladelsabor.com, 1 +escueladeministerioytecnologia.com, 1 +escuelagobierno.org, 1 +escuelakaesport.es, 1 +escuelaparapapas.tk, 1 +escuelasargento.tk, 1 +escuelitasansebastian.cl, 1 +escuelotika-online.tk, 1 +escursione.it, 1 +escyr.top, 0 +esdacademy.eu, 1 +esdarat.ml, 1 +esden.com, 1 +esdenera.com, 1 +esdiscuss.org, 1 +esdrasluna.com, 1 +esds.com.br, 1 +eseances.ch, 1 +esecuredata.com, 1 +esemtia.com, 1 +esenaskincare.com, 1 +eservices-greece.com, 1 +eset.ml, 1 +esexchange.ga, 1 +esferipol.pt, 1 +esfiledecrypter.com, 1 +esg-abi2001.de, 1 +esgen.org, 1 +esgforum.com.br, 1 +esginside.com.br, 1 +esgr.in, 1 +esgresearch.pro, 1 +esh.ink, 1 +esher.ac.uk, 1 +eshoeft.com, 1 +eshop-prices.com, 1 +eshop-ptz.ru, 1 +eshopriver.com, 1 +eshoprzd.ru, 1 +eshotsaatleri.com, 1 +eshtapay.com, 1 +esicia.rw, 1 +esideshop.com, 1 +esignandpay.net, 1 +esignering.se, 1 +esignprod.herokuapp.com, 1 +esigtorg.ru, 0 +esiliati.org, 1 +esilva.me, 1 +esite.ch, 1 +esj.org, 1 +eskapi.fr, 1 +eskdale.net, 1 +eskiceviri.cf, 1 +eskiegaming.com, 1 +eskimosboards.ga, 1 +eskimuzikatolyesi.org, 1 +eskisehirhaberleri.tk, 1 +esko.bar, 1 +eskriett.com, 0 +eskritt.ca, 1 +eskurye.com, 1 +eskypartners.com, 1 +eslamahmed.tk, 1 +eslbuzz.com, 1 +esleme.com, 1 +eslgrammar.org, 1 +eslightinghire.co.uk, 1 +eslint.org, 0 +eslove.jp, 1 +eslteacheredu.org, 1 +eslutt.cc, 1 +esm.run, 1 +esmalglass-itaca.com, 0 +esmart.ro, 1 +esmejor.tk, 1 +esmincg2t1.com, 1 +esmoker.bg, 1 +esmtp-mx.com, 1 +esmuefektivs.lv, 1 +esnekkaucuk.com, 1 +esnlpr.fi, 1 +eso-database.com, 1 +eso-skillfactory.com, 1 +eso3.eu.org, 1 +esoa.net, 1 +esocite.la, 1 +esoko.eu, 1 +esolcourses.com, 1 +esolitos.com, 1 +esomeprazole1.gq, 1 +eson.eu, 1 +esono.de, 1 +esopticallabs.com, 1 +esormestt.fr, 1 +esote.net, 1 +esoteric.website, 1 +esoterik.link, 1 +esoterikerforum.de, 1 +espace-caen.fr, 0 +espace-gestion.fr, 1 +espace-habitat-francais.fr, 1 +espace-orenda.ch, 0 +espace-vet.fr, 1 +espace.network, 1 +espacefragil.be, 1 +espacejabugo.com, 0 +espacepiscine51.fr, 1 +espaceroseauteinturiers.fr, 0 +espacetendance.fr, 1 +espacetheosophie.fr, 1 +espachavo.tk, 1 +espacioantiguo.com, 1 +espacioseideas.mx, 1 +espacioweb.tk, 1 +espacoalimentoesaude.com.br, 1 +espacoentreletras.com.br, 0 +espacosaudesuplementos.com.br, 1 +espaiblancandorra.ga, 1 +espaiblancandorra.gq, 1 +espaiblancandorra.ml, 1 +espaider.com.br, 1 +espairecer.pt, 1 +espanol.search.yahoo.com, 0 +espanyoldebarna.tk, 1 +espass.gq, 1 +espci.fr, 1 +especials.co.za, 1 +especificosba.com.ar, 1 +espectro.tk, 1 +espectrometria.com, 1 +espejo.tk, 1 +espejocofrade.tk, 1 +espeleogel.tk, 1 +espen.cz, 1 +espenandersen.no, 1 +espeo.eu, 1 +esperantio.tk, 1 +esperanto.co, 1 +espgg.org, 1 +espigol.org, 1 +espiragen.com, 1 +espiritismo.gay, 1 +espiritismo.lgbt, 1 +espiritismo.tk, 1 +espirituracer.com, 1 +espiv.net, 1 +espivblogs.net, 1 +esplendorecosmeticos.com.br, 1 +espocada.com, 1 +espoonkumi.fi, 0 +esport-agency.fr, 1 +esporters.it, 1 +esporters.today, 1 +esportsbattles.ga, 1 +espower.com.sg, 1 +espressonews.gr, 1 +espressoservicesplus.com.au, 1 +esprihealth.com, 1 +espub.org, 1 +esq, 1 +esquelario.tk, 1 +esquirebrotherhood.tk, 1 +esquirelaw.com, 1 +esquirelawfirm.com, 1 +esquirelawservices.com, 1 +esra.gq, 1 +esrarengizkasabahd.tk, 1 +esrhd.com, 1 +esrinfo.com, 1 +esrs.gov, 1 +ess-ecologica.cat, 1 +essaandmore.com.au, 1 +essay-writing-topics-fce.tk, 1 +essayads.com, 1 +essaybrand.com, 1 +essaychat.com, 1 +essaycoupons.com, 1 +essaydirectory.com, 0 +essayforsale.net, 1 +essayforum.com, 1 +essayhave.com, 1 +essayjob.com, 1 +essaykeeper.com, 1 +essaylib.com, 1 +essaymaker.gq, 1 +essaynews.com, 1 +essaypro.net, 1 +essayscam.org, 1 +essayservices.org, 1 +essayshark.com, 1 +essaytalk.com, 1 +essaywebsite.com, 1 +essecharlie.com, 1 +essenah.com, 1 +essencesdeprana.org, 1 +essencespresso.es, 0 +essenciasparis.com.br, 1 +essente.pl, 1 +essentialfoods.pt, 1 +essentialinteriors.ga, 1 +essentialliving.co.uk, 1 +essentialoils.co.za, 1 +essentialoils.nl, 1 +essentialsource.net, 1 +essentiapura.com, 1 +essentiate.com, 1 +essentiel-du-mariage.com, 1 +essentiel-physique.com, 1 +essentry.com, 1 +essentta.com, 1 +essenttamarketplace-essenttamarketplaceqa.azurewebsites.net, 1 +esseriumani.com, 1 +essex.cc, 1 +essexcountyvermont.gov, 1 +essexelectricaltraining.co.uk, 1 +essexgardenstudios.co.uk, 1 +essexhighways.org, 1 +essexmoneyman.com, 1 +essexregionalnj.gov, 1 +essextimbercraft.co.uk, 1 +essilorpse.com, 1 +essite.net, 1 +essjayericsson.com, 1 +esslm.sk, 1 +esslym.com, 1 +essnet.co.jp, 1 +essoduke.org, 1 +essplusmed.org, 1 +essr.org.uk, 1 +essteebee.ch, 0 +esswp.com, 1 +est-it.de, 1 +est8.ai, 1 +establo.pro, 1 +estacion3d.ar, 1 +estada.ch, 1 +estadoreclamos.com, 1 +estafallando.es, 1 +estafallando.mx, 1 +estahl.dk, 1 +estallidodigital.cl, 1 +estampascriativas.com.br, 1 +estampille-paris.fr, 1 +estanciasgauchas.com.br, 1 +estate360.co.tz, 1 +estatebud.com, 1 +estateczech-eu.ru, 1 +estateways.com, 1 +estcequemonordinateurestallume.fr, 1 +estcequemontelephoneestallume.fr, 1 +estcequonmetenprodaujourdhui.info, 1 +esteban-abadahs.tk, 1 +estebanborges.com, 1 +estebanoria.net, 1 +estedafah.com, 1 +esteladigital.com, 1 +estelarix.com, 1 +estellaequipment.com, 1 +estenio.com.mx, 1 +esteniomexico.com, 1 +esteria.eu, 0 +esteriliza-me.org, 1 +esterilizacion-perros.es, 1 +estespr.com, 0 +estet.tk, 1 +estetica-bilbao.com, 1 +estetica.host, 1 +esteticamicali.com.ar, 1 +esteticanorte.com.br, 1 +esteticaprofana.it, 1 +estetici.com, 1 +esteticka-chirurgie-nohy.cz, 1 +estetista.net, 1 +esthe-zukan.com, 1 +esthergoh.com, 1 +estherlew.is, 1 +esthesoleil.jp, 1 +estheticianedu.org, 1 +esthetiqueboissiere.fr, 1 +estila.co, 1 +estiloelevadores.com.br, 1 +estilopack-loja.com.br, 1 +estimateone.com, 1 +estintori.roma.it, 1 +estiv-ales.fr, 1 +estlat.eu, 0 +estoense.com, 1 +estomp.de, 1 +estonia.ee, 0 +estonia.net, 1 +estoniananonymous.tk, 1 +estoniantrade.ee, 1 +estonoentraenelexamen.com, 1 +estopero.tk, 1 +estopwatch.net, 1 +estradatech.org, 1 +estradiolbestellen.gq, 1 +estrasol.com.mx, 1 +estrategiasfm.net, 1 +estreetshuffle.com, 1 +estrella.tk, 1 +estrietoit.com, 0 +estrogenonline.gq, 1 +estrogens.gq, 1 +estruendo.tk, 1 +estuarystudent.tv, 1 +estudantetorcedor.com.br, 1 +estudiarparaser.com, 1 +estudiaryaprenderingles.com, 1 +estudiemosvirtualmente.com, 1 +estudio21pattern.com, 0 +estudioaany.com.br, 1 +estudiogarcia-rada.com, 1 +estudiomantis.tk, 1 +estudionale.com, 1 +estudios-biblicos.tk, 1 +estudiosalmogavares.tk, 1 +estudiosmart.com, 1 +estudosnacionais.com, 1 +esu.dog, 1 +esu.moe, 1 +esu.wiki, 1 +esu.zone, 1 +esunapena.tk, 1 +esunenin.tk, 1 +esuretynew.azurewebsites.net, 1 +esurveynordic.com, 1 +esv.se, 1 +esvaco.cf, 1 +esw.com, 1 +esy.nl, 1 +esyno.nl, 1 +esyoil.com, 1 +esys.ga, 1 +esystems.tk, 1 +eszkola.pl, 1 +et-inf.de, 1 +et.al, 1 +et420nrw.tk, 1 +etablissement.com, 1 +etaconic.com, 1 +etaes.eu, 1 +etajerka-spb.ru, 1 +etajerka.spb.ru, 1 +etaldelune.fr, 1 +etalent.net, 1 +etalentos.com.br, 1 +etalktome.com, 1 +etanol.tk, 1 +etarskaikozmetickaulja.rs, 1 +etath.com, 1 +etaxigraz.com, 1 +etccooperative.org, 0 +etch.co, 1 +etch44.com, 1 +etcivil.com, 1 +etctop.tk, 1 +etdcampus.com, 1 +etdp.co.za, 1 +etech-solution.com, 1 +etech-solution.net, 1 +etech-solutions.com, 1 +etech.com.my, 1 +etechsolution.net, 1 +eteradia.dynv6.net, 1 +eternal-chaos.tk, 1 +eternal-con.de, 1 +eternal-dementia.tk, 1 +eternal-warriors.de, 1 +eternalabyss.int.eu.org, 1 +eternalaugust.com, 1 +eternalflame.cn, 1 +eternalflame.info, 1 +eternalguild.tk, 1 +eternalmountains.tk, 1 +eternalparking.com, 1 +eternalparking.eu, 1 +eternalparking.net, 1 +eternalparking.org, 1 +eternalsymbols.com, 1 +eternegy.co, 1 +eternit.roma.it, 1 +eternitdesio.it, 1 +eternl.io, 1 +etestyonline.tk, 1 +etf.nu, 1 +etf2l.org, 1 +etfacta.com, 0 +etfcentral.com, 1 +etflife.com, 1 +eth-news.info, 1 +eth-services.de, 1 +eth0.nl, 0 +etha.nz, 1 +ethaligan.fr, 1 +ethan-hanlon.xyz, 1 +ethan.pm, 1 +ethanjones.me, 1 +ethanlew.is, 1 +ethanopp.com, 0 +ethanrjones.name, 1 +ethansailant.com, 1 +ethanyoo.com, 1 +ethelbrooks.es, 1 +ether.school, 1 +etherandir.com, 1 +etherapeut.de, 1 +ethercalc.net, 1 +etherderbies.com, 1 +etherdream.com, 1 +ethereal-skies.tk, 1 +ethereal.games, 1 +etherealcollapse.tk, 1 +ethereum-news.info, 1 +ethereumnews.best, 1 +ethereumnews.digital, 1 +ethereumnews.io, 1 +ethereumnews.live, 1 +ethereumnews.news, 1 +ethereumnews.site, 1 +ethereumnews.xyz, 1 +ethergeist.de, 1 +etheria-software.tk, 1 +etherium.design, 1 +ethermine.org, 1 +ethernium.fun, 1 +etheron.com, 1 +etherpad.nl, 1 +etherpoap.xyz, 1 +ethers.news, 1 +ethiack.com, 1 +ethical-home.co.uk, 1 +ethical.quest, 1 +ethicalconsumer.org, 1 +ethicaldata.co.uk, 1 +ethicalescorts.com, 1 +ethicallogistics.com, 1 +ethicalpolitics.org, 1 +ethicaltek.com, 0 +ethics.org, 1 +ethicsburg.gov, 1 +ethicsfirst.org, 1 +ethicsforhumans.org, 1 +ethika.com, 1 +ethil-faer.fr, 1 +ethioconsulate-la.org, 1 +ethiqueadvisory.com, 1 +ethitter.com, 1 +ethnews.today, 1 +ethniki-antistasi-dse.gr, 1 +ethnopsychoanalyse.tk, 1 +ethosinfo.com, 1 +ethotupala.tk, 1 +ethpool.org, 1 +eticket.cr, 1 +etienne.cc, 1 +etiennes.work, 1 +etigold.com, 1 +etiketten.tk, 1 +etikus-hacker.hu, 1 +etil.wtf, 1 +etil2jz.lol, 1 +etincelle.ml, 1 +etincelle.tk, 1 +etindustries.com, 1 +etiqa.tk, 1 +etisrl.net, 1 +etkarle.de, 1 +etlaq.com, 1 +etmtobik.eu, 1 +etnis.id, 1 +etnoforum.tk, 1 +etnoria.com, 1 +etoile-rc.jp, 1 +etoile-usedcars.com, 0 +etopa.de, 1 +etopedia.com, 1 +etoro-openbook.tk, 1 +etororeviews.com, 1 +etos.tk, 1 +etowahwaterga.gov, 1 +etrades.tk, 1 +etre-belle.tk, 1 +etre-vivant.fr, 0 +etrecosmeticderm.com, 1 +etresmant.es, 1 +etrolleybizstore.com, 1 +ets-etos.azurewebsites.net, 1 +ets-software.de, 1 +etsduova.dedyn.io, 1 +etselquemenges.cat, 1 +etsmarconi.be, 0 +etspuka.de, 1 +etsradio.org, 1 +etsu.edu, 1 +ettbattreinternet.se, 1 +etterforsker1.no, 1 +etterretningstjenesten.no, 1 +ettgottliv.com, 1 +ettip.com, 1 +ettlinger-tor.de, 1 +ettoday.org, 1 +ettoremirarchifilms.it, 1 +ettyproject.org, 1 +etudepresse.tk, 1 +etudes.ru, 1 +etudesbibliques.fr, 0 +etudesbibliques.net, 0 +etudesbibliques.org, 0 +etula.ga, 1 +etulasin.tk, 1 +etury.online, 1 +etutsplus.com, 1 +etv.cx, 1 +etyd.org, 1 +etyka.cz, 1 +eu-darlehen-finanzierung.de, 1 +eu-datenbank.de, 1 +eu-election.eu, 1 +eu-gamers.com, 1 +eu-prodaja.com, 1 +eu-secured.com, 1 +eu-stellenangebot.de, 1 +eu.ax, 1 +eu4ua.org, 1 +euaaaio.ru, 1 +euanbarrett.com, 1 +euassisti.com.br, 1 +euc.world, 1 +euchance.hu, 1 +euchre.us, 1 +eucimen.com, 0 +euclidian.com, 1 +euclidinnovations.com, 1 +eucollegetours.com, 1 +eucustody.com, 1 +eucybernet.eu, 0 +eudiakok.hu, 1 +eudore.org, 1 +eufair.com, 1 +euflight.info, 1 +eufraimidis.com, 1 +eugenegamelan.org, 1 +eugenekay.com, 0 +eugeneorourke.com, 1 +eugenesia.org, 1 +eugeneyeosurgery.sg, 1 +eugenics.org, 1 +eugeniocorso.com, 1 +eugenioperez.tk, 1 +eugostodefilmesbrasileiros.tk, 1 +eugster.se, 1 +eujobs.hu, 1 +eujobsgmbh.de, 1 +eujobshrgroup.com, 1 +eujobshrgroup.hu, 1 +eujuicers.bg, 1 +eujuicers.com, 1 +eujuicers.com.hr, 1 +eujuicers.com.tr, 1 +eujuicers.com.ua, 1 +eujuicers.cz, 1 +eujuicers.de, 1 +eujuicers.es, 1 +eujuicers.fr, 1 +eujuicers.hu, 1 +eujuicers.it, 1 +eujuicers.pl, 1 +eujuicers.pt, 1 +eujuicers.ro, 1 +eujuicers.rs, 1 +eujuicers.ru, 1 +eujuicers.si, 1 +eujuicers.sk, 1 +euklems.eu, 1 +eule82.de, 1 +eulen.com, 1 +eulenberg.com, 1 +eulenschmiede.de, 1 +euleres.tk, 1 +eulessplumbers.com, 1 +euman.ml, 1 +eumananc.ro, 1 +eumk6.ml, 1 +eung.ga, 1 +eunicetan.com, 1 +eunomy.io, 1 +eunow.com, 1 +eupay.de, 1 +euphoriaonline.tk, 1 +eupm.org, 1 +euporos.ch, 0 +euprapeace.org, 1 +eurasierwelpen.tk, 1 +eurazeo.com, 1 +eurban.life, 1 +eurbanos.tk, 1 +eurekaca.gov, 1 +eurekagames.tk, 1 +eurekanetwork.org, 1 +eurekatech.eti.br, 1 +eurekatownshipmi.gov, 1 +eurelectric.org, 1 +euren.se, 1 +eurmarketing.com, 1 +euro-cdm.org, 1 +euro-construction.co.uk, 1 +euro-issues.tk, 1 +euro-servers.de, 1 +euro.se, 1 +euroairport.com, 1 +euroalter.com, 1 +euroasia-tm.com, 1 +eurobattle.tk, 1 +eurobeaute.be, 1 +eurobilltracker.tk, 1 +eurocertificazione.it, 1 +eurocleanfrance.fr, 1 +eurococos.com.ua, 1 +eurocom.bg, 1 +eurocomcompany.cz, 1 +euroconti.com, 1 +eurocontrol.aero, 1 +eurocontrol.eu, 1 +eurocontrol.in, 1 +eurocontrol.lu, 1 +eurocontrol.me, 1 +eurocontrol.xxx, 1 +eurocure.com, 1 +eurodanceperu.tk, 1 +eurodentaire.com, 1 +eurodesk.eu, 1 +eurodontic.co.uk, 0 +euroecho.com, 1 +euroenergy.tk, 1 +euroestetica.ec, 1 +eurofinance.com, 1 +eurofire.tk, 1 +euroflora.com, 1 +euroflora.mobi, 1 +euroflorist.cf, 1 +euroflorist.ga, 1 +euroflorist.tk, 1 +eurofoods.gr, 1 +eurofoot.cf, 1 +eurofrank.eu, 1 +eurofunk.at, 1 +eurofunk.com, 1 +eurogarden-parts.de, 1 +eurogarden.be, 1 +eurogarden.com, 1 +eurogarden.nl, 1 +eurohell-design.com, 1 +eurohell-design.de, 1 +euroherp.com, 1 +eurohouse.tk, 1 +eurokid.com, 1 +eurokiss.com, 1 +eurolink.tk, 1 +eurolocarno.es, 1 +eurologix.com, 1 +euromalha.com.br, 1 +euroman.ga, 1 +euromas.com, 1 +euromexde.com, 1 +euromuseumcoins.com, 1 +euronic.fi, 1 +eurookna.tk, 1 +europa-passage.de, 1 +europabio.org, 1 +europack.kiev.ua, 1 +europainchemnitz.de, 1 +europapier.net, 1 +europarts-sd.com, 1 +europastudien-chemnitz.de, 1 +europastudien.de, 1 +europatour2005.tk, 1 +europatrans.com.tr, 1 +europavilion.com, 1 +european-accreditation.org, 1 +european-agency.org, 1 +european-alternatives.eu, 1 +european-hospital.ga, 1 +european-hospital.ml, 1 +european-hospital.tk, 1 +european-silk-road.eu, 1 +european-village.com, 1 +europeananomalouswave.tk, 1 +europeancuisine.tk, 1 +europeancupinline.eu, 1 +europeangaming.eu, 1 +europeanpolice.net, 1 +europeanpreppers.com, 1 +europeanstudies-chemnitz.de, 1 +europeantransportmanagement.com, 1 +europeluxuryweddings.com, 1 +europeonline.tk, 1 +europeontrack.org, 1 +europesearbeiders.be, 1 +europesrit.tk, 1 +europetraveler.tk, 1 +europetravelservice.co.uk, 1 +europop.com, 1 +europrise.ie, 0 +euroregister.com, 1 +euroroad17.dk, 1 +euroscot.de, 1 +euroshop.or.at, 1 +euroshop.tk, 1 +eurosight.com, 1 +euroskano.nl, 1 +euroskulpa.de, 1 +eurosnap.com, 1 +eurosos.com, 1 +eurospecautowerks.com, 1 +eurosquad.tk, 1 +eurostoc.ro, 1 +eurostrategy.vn.ua, 1 +eurosun.tk, 1 +euroswapper.tk, 1 +euroteam.tk, 1 +eurotechme.com, 1 +eurotechnology-group.com, 1 +eurotecvfs.com, 1 +eurotest.tk, 1 +eurotoerist.nl, 1 +eurotop.net.pl, 1 +eurotour.tk, 1 +eurotracs.com, 1 +eurotramp.com, 0 +eurousa.us, 1 +eurovision-romania.tk, 1 +eurovision.ie, 1 +eurowave.com, 1 +eurowijskids.nl, 0 +eurowish.com, 1 +eurozhartleys.com, 1 +eurseo.com, 1 +euruni.edu, 1 +eusalesman.hu, 1 +eusarse.tk, 1 +eusebiu.com, 1 +euskalstakepool.win, 1 +euskaltzaleak.tk, 1 +eusou.ml, 1 +eustaquio.tk, 1 +eustomamc.net, 1 +eusv.net, 1 +eusystemic.com, 1 +eutawal.gov, 1 +euterpiaradio.ch, 1 +eutotal.com, 1 +euvo.tk, 0 +euwid.de, 1 +euzissima.com.br, 1 +ev-zertifikate.de, 1 +eva-briegel-fanpage.tk, 1 +eva.cz, 1 +eva24h.tk, 1 +eva42.com, 1 +evaali.fi, 1 +evaalordiah.tk, 1 +evaberg.net, 1 +evacs.net, 1 +evacs.org, 1 +evacuumstore.com, 1 +evadi.ca, 1 +evafernandez.tk, 1 +evafojtova.cz, 1 +evaisanta-mariaalmudever.tk, 1 +evaisanta.tk, 1 +evaks.az, 1 +evakuator-kharkov.kh.ua, 1 +evakuator-tut.by, 1 +evakuator.ltd, 1 +evalar-apteka.ru, 1 +evalarapteka.ru, 1 +evalarmarket.ru, 1 +evalcom.co, 1 +evalcorp.com, 1 +evalesc.com, 1 +evalinux.com, 1 +evalopezzz.org, 1 +evaluasi.com, 1 +evaluation.gov, 1 +evalueit.eu, 1 +evaluer2.pl, 1 +evamachkova.cz, 0 +evamathil.de, 1 +evamlakar.si, 1 +evananderi.com, 1 +evanbaker.xyz, 1 +evanescenceisfallen.tk, 1 +evanescencenorge.tk, 1 +evanescenceturkey.tk, 1 +evanfiddes.com, 1 +evang.at, 1 +evangelicalmagazine.com, 1 +evangelicalplatform.com, 1 +evangelietuin.tk, 1 +evangelionmagi.tk, 1 +evangelise.asia, 1 +evangersdogfood.com, 1 +evanreev.es, 1 +evansfmm.org, 1 +evansfox.com, 1 +evanspoliceny.gov, 1 +evanstonnow.com, 0 +evansville-wy.gov, 1 +evansvillewi.gov, 1 +evantageglobal.com, 1 +evanwang0.com, 1 +evaolson.se, 1 +evar2.com, 1 +evaria-network.fr, 1 +evasioncreole.com, 1 +evasionteam.tk, 1 +evasovova.cz, 1 +evatantricmassagelondon.uk, 1 +evavolfova.cz, 1 +evbox.com, 1 +evdenevenakliyatankara.name.tr, 1 +evdenevenakliyatistanbul.gen.tr, 1 +evdeneyapilir.com, 1 +eve-online-com.ru, 1 +eve-ua.com, 1 +eve.tax, 1 +eve0s.com, 1 +eveandi.health, 1 +eveapk.com, 1 +eveaz.com, 1 +eveco-mebel.ga, 1 +evedanjailbreak.com, 1 +eveetcie.com, 1 +evehryday.com, 1 +eveil-et-savoirs.com, 1 +evelethpd.gov, 1 +evelienstormzangcoach.nl, 1 +evelienuitvaartverzorging.nl, 1 +evelienzorgt.nl, 1 +evelin.tk, 1 +evelyn.com, 1 +evenbijproaten.online, 1 +evendesign.com, 1 +evendesign.gq, 1 +evenementenpartner.nl, 1 +evenimenteromania.tk, 1 +eveningstar.tk, 1 +eveningtaxservices.com, 1 +evenstar-gaming.com, 1 +evenstargames.com, 1 +event-blick.de, 1 +event-fullyyours.com, 1 +event-register.jp, 1 +event-reisen.tk, 1 +event-trac.com, 1 +event-tyrlig.no, 1 +event1teamstore.com, 0 +event4fun.no, 1 +event64.ru, 1 +eventact.com, 0 +eventaro.com, 1 +eventblog2017.tk, 1 +eventcore.tk, 1 +eventdata.co.uk, 1 +eventdata.uk, 1 +eventdays.tk, 1 +eventex-rentals.com, 1 +eventfoto.com, 1 +eventfun.tk, 1 +eventide.space, 1 +eventive.org, 0 +eventlista.no, 1 +eventlocation2.de, 1 +eventmake.es, 1 +eventnexus.co.uk, 1 +eventosbgp.com, 1 +eventosdeluchalibre.tk, 1 +eventosenmendoza.com.ar, 1 +eventosformativos.tk, 1 +eventospremium.es, 0 +eventpark.cz, 1 +eventpay.jp, 1 +eventplanner.be, 1 +eventplanner.co.uk, 1 +eventplanner.de, 1 +eventplanner.es, 1 +eventplanner.fr, 1 +eventplanner.ie, 1 +eventplanner.lu, 1 +eventplanner.net, 1 +eventplanner.nl, 1 +eventprazdnik.ru, 1 +events.bt, 1 +events1.co.il, 1 +eventsbytma.com, 1 +eventseeker.com, 1 +eventservicestockholm.se, 1 +eventsforyou.fr, 1 +eventsframe.com, 1 +eventtech.com, 0 +eventticketscenter.com, 1 +eveonline.com, 1 +ever.sale, 0 +ever4cats.de, 1 +everaerts.eu, 1 +everain.me, 1 +everand.com, 1 +everberg.tk, 1 +evercheck.com, 1 +everdivemarine.com, 1 +everestbankltd.com, 1 +everettduiattorneys.com, 1 +everettsautorepair.com, 0 +everfine.com.tw, 1 +everfreecoloring.com, 1 +evergarden.cn, 1 +evergladesfarmequipment.com, 1 +everglow.co.jp, 1 +evergreenal.gov, 1 +evergreenilder.tk, 1 +evergreenlangladewi.gov, 1 +evergreentlc.com, 1 +evergreenweedshop.com, 1 +evergrowthdc.com, 1 +everhome.cloud, 1 +everhome.de, 1 +everichspice.com, 1 +everifile.com, 1 +everify.gov, 1 +everisland.com, 1 +everitoken.io, 1 +everling.lu, 1 +everlong.org, 1 +everly.market, 1 +evermade.fi, 1 +evermed.au, 1 +evermed.com.au, 1 +evernaut.com, 1 +everpcpc.com, 1 +everready.tk, 1 +everride.com, 1 +everseo.tk, 1 +eversightwealth.com, 1 +evertonarentwe.com, 1 +evertradeelectronics.com, 1 +evertz.com, 1 +evervitjuice.com, 1 +everwaking.com, 0 +everwinter.tk, 1 +every-day-life.com, 0 +everyarti.st, 1 +everycorneroftheworld.cf, 1 +everycorneroftheworld.de, 1 +everycorneroftheworld.ml, 1 +everycorneroftheworld.tk, 1 +everyday.eu.org, 1 +everydaycaitfitness.com, 1 +everydaydishes.com, 0 +everydaygary.com, 1 +everydaylifeinsurance.com, 1 +everydaypower.com, 1 +everydaypsychology.org, 1 +everydaytherich.com, 1 +everydaywot.com, 1 +everyex.com, 1 +everyeye.it, 1 +everyfad.com, 1 +everyhq.com, 1 +everykidoutdoors.gov, 1 +everymail.me, 1 +everymanandhisdogvineyard.com, 1 +everyoneadmins.tk, 1 +everyonefit.com, 1 +everysaving.ae, 1 +everysaving.ca, 1 +everysaving.co.uk, 1 +everysaving.com, 1 +everysaving.com.au, 1 +everysaving.ie, 1 +everysaving.sg, 1 +everystudent.bg, 1 +everystudent.com.tw, 1 +everysync.co.jp, 1 +everything-as-code.com, 1 +everything-everywhere.com, 1 +everything-mdaemon.com, 1 +everythingaccess.com, 1 +everythingcovid-19.com, 1 +everythingfree.tk, 1 +everythinginoneblog.gq, 1 +everythinglidia.com, 1 +everythinq.com, 1 +everytrycounts.gov, 1 +everyveterancountsohio.gov, 1 +eveshaiwu.com, 1 +eveshamglass.co.uk, 1 +eveswell.com, 1 +evetdermisin.com, 1 +evetech.net, 1 +evezqurbanli.tk, 1 +evga.com, 1 +evhoeft.com, 1 +eviction.cf, 1 +evidecor.com.br, 1 +evidencebased.net, 1 +evidencija.ba, 1 +evidenze.com, 1 +evies.tk, 1 +evil-empire.tk, 1 +evilbeasts.ru, 1 +evilbrood.tk, 1 +evilcodes.tk, 1 +evildarkness.tk, 1 +evilduck.tk, 1 +evilla.ru, 0 +evilmartians.com, 1 +evilmoisture.tk, 1 +evilnolo.tk, 1 +evilofsociety.tk, 1 +evilolive.tk, 1 +evilsay.com, 0 +evilscience.tk, 1 +evilsite.cf, 1 +eviltricks.tk, 1 +evilways.tk, 1 +evin.ml, 1 +evin.tk, 1 +evisa.us.com, 1 +evisky.com, 1 +evisos.cl, 1 +evisos.com, 1 +evisos.com.ar, 1 +evisos.com.mx, 1 +evisos.es, 1 +evitacion.com, 1 +eviz.co, 1 +evkitdigital.com.br, 1 +evl.one, 1 +evlilikilan.com, 1 +evlqa1sp1tzb05zo-reoo0vhj9a1t5pousfudnkg.com, 0 +evntage.com, 1 +evobox.store, 1 +evocate.com.au, 1 +evoco.vc, 1 +evodation.com, 1 +evodation.org, 1 +evoffer.com, 1 +evojska.tk, 1 +evoke.ie, 1 +evokeearlylearning.com.au, 1 +evolucioneducativa.com.ec, 1 +evolucionestudios.com.bo, 1 +evolucionradio.tk, 1 +evolusis.fr, 1 +evolutiespirituala.ro, 1 +evolution-gaming.tk, 1 +evolution-host.ga, 1 +evolution-x.org, 1 +evolutionbiote.com, 1 +evolutioninflatables.co.uk, 1 +evolutionosteopathy.co.uk, 1 +evolutive-records.tk, 1 +evoluxion.co, 1 +evoluzione.fr, 0 +evolve-mma.com, 1 +evolve-university.com, 1 +evolve-vacation.com, 1 +evolve.com, 0 +evolvedevlabs.de, 1 +evolvetechnologies.co.uk, 1 +evolvicity.org, 1 +evolvingseo.com, 1 +evolvingthoughts.net, 1 +evonet.co.za, 1 +evony.eu, 1 +evonys.com, 1 +evopack.net, 1 +evoplay.gq, 1 +evoqion.se, 1 +evosyn.com, 1 +evote-ch.ch, 1 +evotec.pl, 1 +evoting-test.ch, 1 +evoting.ch, 1 +evri.com, 1 +evrial.com, 1 +evromandie.ch, 1 +evronews.ga, 1 +evropaedu.ru, 1 +evscicats.com, 1 +evscstudentwifi.com, 1 +evsinemasistemleri.tk, 1 +evstatus.com, 1 +evtasima.name.tr, 1 +evthing.se, 0 +evtripping.com, 1 +evu-pe.tk, 1 +evulka.eu, 1 +evv.ee, 1 +evxp.it, 1 +evyn.eu, 1 +evz.ro, 1 +ewa-hayward.co.uk, 1 +ewacforum.tk, 1 +ewaf.club, 1 +ewaipiotr.pl, 1 +ewananga.ac.nz, 1 +ewanm89.co.uk, 1 +ewanm89.com, 1 +ewanm89.uk, 1 +ewansinclair.tk, 1 +ewanto.de, 1 +ewaroeng.com, 1 +ewatchers.org, 1 +ewddlacity.com, 1 +ewebcreative.com, 1 +ewelinagrochowina.pl, 1 +ewen-bara.com, 1 +ewesparky.com, 1 +ewgri.gov, 1 +ewhitehat.com, 1 +ewhowell.com, 1 +ewie.name, 1 +ewigetrauringe.de, 1 +ewighost.com, 1 +ewinstore.com, 1 +ewizja.info, 1 +ewizmo.com, 1 +ewon.biz, 0 +eworkflow.ca, 1 +eworksmedia.com, 0 +eworldmedia.ml, 1 +eworldmedia.tk, 1 +ewoutpool.tk, 1 +ewritingservice.com, 1 +ewsfeed.com, 1 +ewtl.es, 1 +ewuchuan.com, 1 +ewycena.pl, 1 +ex-deli.jp, 1 +ex-links.net, 1 +ex.co, 1 +ex2technology.com, 1 +ex78.com, 1 +exabike.com, 1 +exablue.de, 1 +exact-distribution.com, 1 +exact-online-apps-by-invantive.com, 1 +exact.realty, 1 +exactlibris.com, 1 +exactlyinfinite.com, 1 +exactphilosophy.net, 1 +exactrealty.co.uk, 1 +exactrealty.no, 1 +exactrealty.us, 1 +exactverify.com, 1 +exadime.net, 1 +exaduosport.fr, 1 +exagoni.com, 1 +exagoni.com.au, 1 +exagoni.com.my, 1 +exalthost.com, 1 +exam4.us, 1 +exambot.cf, 1 +exambot.ga, 1 +exambot.gq, 1 +exambot.tk, 1 +examedge.com, 1 +examesrush.com, 0 +examesrush.com.br, 0 +examhq.net, 1 +examika.ru, 1 +examity.com, 1 +examly.io, 1 +examone.com, 1 +exampaperarchive.com, 1 +example.li, 1 +exampleessays.com, 1 +examroll.fr, 1 +examroo.nl, 0 +examsite.tk, 1 +examsmate.in, 1 +examsoft.com, 1 +examsplanner.in, 1 +examticket.tk, 1 +exaplac.com, 1 +exarcheia.com, 1 +exarcheia.link, 1 +exarcheia.online, 1 +exarcheia.ru, 1 +exarius.org, 1 +exasapiens.com, 1 +exashop.tn, 1 +exatmiseis.net, 0 +exatom.io, 1 +excaliburmatrix.tk, 1 +excaliburtitle.com, 0 +excavation.ga, 1 +exceed-clan.tk, 1 +exceed.global, 1 +excel-mechanical.com, 1 +excelbroadcast.com, 1 +excelcenter.org, 1 +exceldatapro.com, 1 +exceldor.ca, 1 +exceldor.com, 1 +exceldorcooperative.ca, 1 +exceldorcooperative.com, 1 +excelenteawards.com, 1 +exceleron.in, 1 +excelgum.ca, 1 +excelindonesia.com, 1 +excelindonesia.id, 1 +excelkursdirekt.eu, 1 +excellarate.com, 1 +excellence-eventos.com, 1 +excellence-redefined.org, 1 +excellence.corsica, 1 +excellenceandcreativity.com, 1 +excellenceriviera.com, 1 +excellentrencontrer.tk, 1 +excellentsurferers.ga, 1 +excellentsurferest.ga, 1 +excellentweb.site, 1 +excelnutritional.com.br, 1 +excelsiorcomics.com.br, 0 +excelsis.rs, 1 +exceltechoman.com, 1 +exceltobarcode.com, 1 +excentos.com, 1 +exceptionalfirm.com, 1 +exceptionalservices.us, 1 +exceptionalstack.com, 1 +exceptionnotfound.net, 1 +excess-baggage.com, 1 +excessive-software.tk, 1 +exchangedobem.com, 1 +exchangemarketplace.com, 1 +exchanger.ml, 1 +exchanger.tk, 1 +exchangeratingest.ga, 1 +exchangesolutions.com, 1 +exchangetrading.tk, 1 +exchangeview.ga, 1 +exchangevisits.tk, 1 +exchaser.com, 1 +excimerlaser.com, 1 +excite.co.id, 1 +exciters.tk, 1 +excitingbulgaria.com, 0 +excitoninteractive.com, 1 +exclaimer.com, 1 +exclusivacademy.com, 1 +exclusive-okno.ru, 1 +exclusive-world.tk, 1 +exclusivedesignz.com, 1 +exclusivelyuk.co.uk, 1 +exclusivemilf.com, 1 +exclusiveresorts.com, 1 +excluzive.ml, 1 +excoins.biz, 1 +excontinuum.de, 1 +excursiones.tk, 1 +exdomo.com, 1 +exe-boss.tech, 1 +execbar.com, 1 +exechip.com, 1 +execom68.tk, 1 +execupharm.jp, 1 +execution.biz.tr, 1 +executivemarketing.co.za, 1 +executiveseatsers.ga, 1 +executivoshotel.com.br, 1 +exedo.nl, 1 +exeest.com, 1 +exegese.ch, 0 +exegol.co.uk, 1 +exehack.net, 1 +exeintel.com, 1 +exemplarypainting.com, 1 +exemples-de-stands.com, 1 +exentio.sexy, 1 +exentrify.com, 1 +exer.fr, 1 +exercisekingers.ga, 1 +exercisekingest.ga, 1 +exerforge.net, 1 +exerph.com, 1 +exerpm.tk, 1 +exescan.net, 1 +exesoft.ml, 1 +exeterfit.com, 1 +exeunt.tk, 1 +exexcarriers.com, 1 +exeypanteleev.com, 1 +exforo.tk, 1 +exfuga.com, 1 +exhalewell.com, 1 +exhibitionsupplies.net.au, 1 +exhumationindia.tk, 1 +exiahost.com, 1 +exiled.land, 1 +exiled.world, 1 +exiletattoo.net, 1 +exiletower.tk, 1 +eximbank.gov.tr, 1 +exip.ga, 1 +exipure.com, 1 +exira.com, 1 +exitooutdoor.com, 1 +exitoseguro.tk, 1 +exitreality.tk, 1 +exizent.com, 1 +exizent.tk, 1 +exline.pro, 1 +exmart.ng, 1 +exmoe.com, 1 +exo-chanyeol.tk, 1 +exodiac.ph, 1 +exodium.tk, 1 +exodus-net.pl, 1 +exodus.com, 1 +exodus.io, 1 +exogenous.ga, 1 +exomind.cf, 1 +exomind.gq, 1 +exon.io, 1 +exonip.de, 1 +exonovov.tk, 1 +exordiumconcepts.com, 1 +exosama.com, 1 +exoscale.ch, 1 +exoscale.com, 1 +exoten-spezialist.de, 1 +exotic-animals.tk, 1 +exotic-bengal-cattery.ml, 1 +exotic.report, 1 +exoticads.com, 1 +exotical.tk, 1 +exoticaz.to, 1 +exotictravel.tk, 1 +exousiakaidunamis.pw, 1 +exousiamg.com, 1 +exoweb.ca, 1 +exowellness.com, 1 +exp.gg, 1 +exp4all.com, 1 +expancio.com, 0 +expanda.org, 0 +expandabil.cf, 1 +expanddigital.media, 1 +expandor.cz, 1 +expansehost.de, 1 +expansion-lidl.es, 1 +expansive.info, 1 +expart.com, 1 +expatfinancial.com.hk, 1 +expatinpoland.com, 1 +expatmortgage.uk, 1 +expatriate.pl, 0 +expatwealthatwork.com, 1 +expe.voyage, 1 +expectful.com, 0 +expecting.com.br, 1 +expediteplus-asia.com, 1 +expediteplus.biz, 1 +expediteplus.ca, 1 +expediteplus.com, 1 +expediteplus.com.mx, 1 +expediteplus.info, 1 +expediteplus.mobi, 1 +expediteplus.mx, 1 +expediteplus.net, 1 +expediteplus.org, 1 +expediteplus.pro, 1 +expediteplus.us, 1 +expeditiegrensland.nl, 0 +expedition247.com.au, 1 +expelliarmus.tk, 1 +expensify.com, 1 +expensivejewelsest.ga, 1 +exper.gr, 1 +experiencealula.com, 1 +experienceoutdoors.org.uk, 1 +experienceoz.com.au, 1 +experiment-626.tk, 1 +experimentalguruji.cf, 1 +experimentaltheatreclub.tk, 1 +experimentator.cz, 1 +experimentoscongaseosa.tk, 1 +experimentrak.com, 1 +experiments.lv, 1 +experimentworld.io, 1 +experimetrix.com, 1 +experise.fr, 1 +experpento.tk, 1 +expert-batiment-rouen.fr, 1 +expert-comptable-vichy-moulins-allier.fr, 1 +expert-korovin.ru, 1 +expert-market.com, 1 +expert-voronezh.tk, 1 +expert.cz, 1 +expert96.cf, 1 +expertclub.tk, 1 +expertcomics.ca, 1 +experteasy.com.au, 1 +expertembeleza.com, 1 +expertembeleza.com.br, 1 +expertestate.org, 1 +experthive.co.za, 1 +expertmarketer.ro, 1 +expertmarktrg.com, 1 +expertofficefitouts.com.au, 1 +expertowears.com, 1 +expertpaintersvt.com, 1 +expertpanel.gc.ca, 1 +expertpensions.co.uk, 1 +expertplumbingandsolarservicesbathurst.com.au, 1 +experts-united.tk, 1 +expertvagabond.com, 1 +expertviolinteacher.com, 1 +expicare.com, 1 +expii.com, 1 +expireddomains.net, 1 +expis.tk, 1 +explane.org, 1 +explode.tk, 1 +explodie.org, 1 +exploit-db.com, 1 +exploit.cz, 0 +exploit.party, 1 +exploit.ph, 1 +exploited.cz, 1 +exploithe.net, 1 +exploitit.com.au, 1 +exploodo.rocks, 1 +explorance.com, 1 +exploraturuta.com, 1 +exploravacations.in, 1 +explore-being-human.org, 1 +explore-malaysia.ga, 1 +explore-visions.com, 1 +explore.beer, 1 +explorea1a.com, 1 +explorebigideas.com, 1 +explorecrack.com, 1 +exploreeurope.de, 1 +exploregulf.ga, 1 +exploreit.online, 1 +explorerdispatch.com, 1 +exploretock.com, 1 +exploretravellife.com, 1 +exploretsp.gov, 1 +exploring-memory.org, 1 +exploringmorocco.tours, 1 +exploristics.com, 1 +explorium.tk, 1 +explosion-cs.tk, 1 +explosionstereo.tk, 1 +expo58.tk, 1 +expoavanza.com, 1 +expobeds.com, 1 +expocom.online, 1 +expodat.com, 1 +expodom.hu, 1 +expodom.ro, 1 +expodom.sk, 1 +expodum.cz, 1 +expoesiavisual.tk, 1 +expoexports.tk, 1 +expomac.tk, 1 +exponential.fi, 1 +exponentialnews.net, 1 +exponentialsoft.cf, 1 +exponentialsoft.ga, 1 +exponentialsoft.gq, 1 +exponline.ga, 1 +exponline.tk, 1 +expoort.co.uk, 1 +expoort.com, 1 +expoort.com.br, 1 +expoort.es, 1 +expopodium.com, 1 +expoprime.tk, 1 +expopro24.ru, 1 +exporta.cz, 1 +exposedcasting.com, 1 +exposethetruth.tk, 1 +exposurecompensation.co.uk, 1 +exposurethrash.tk, 1 +expouniverse.tk, 1 +expoxl.nl, 1 +express-delivery.co.il, 1 +express-hosting.org, 1 +express-shina.ru, 1 +express-shop.tk, 1 +express-vpn.com, 1 +express1040.com, 1 +expressarte.tk, 1 +expressdebanat.ro, 1 +expressemotion.net, 1 +expressglobal.co.kr, 1 +expresshosting.org, 1 +expresshsp.com, 1 +expressinfo.cz, 1 +expressinfo.sk, 1 +expressionexpress.net, 1 +expressionfunerals.co.nz, 1 +expressivee.com, 1 +expressmarket.ru, 1 +expressodasilhas.cv, 1 +expresspak.co.nz, 1 +expressramps.com, 1 +expressstairliftssw.co.uk, 1 +expressstore.ga, 1 +expressvpn.com, 1 +expressvpn.net, 1 +expressvpn.works, 1 +expressvpn.xyz, 1 +expresvpn-private-analytics.net, 1 +exprimo.tk, 1 +expungement.law, 1 +expxkcd.com, 1 +exquisique.tk, 1 +exquisito.tk, 1 +exs.lv, 1 +exside.com, 1 +exstirpo.com, 1 +extact.com, 1 +extelicast.com, 1 +extendedteam.co, 1 +extendedteam.net, 1 +extendet.tk, 1 +extendgroup.com, 1 +extendresources.com, 0 +extendwings.com, 1 +extenselizzembalagens.com.br, 1 +extensia.it, 1 +extensibility.biz.tr, 1 +extensibleweb.org, 1 +extensiblewebmanifesto.org, 1 +extensiblewebsummit.org, 1 +extensionciglia.roma.it, 1 +extensions-chrome.ru, 1 +extensionschallenge.com, 1 +extensionworkshop.com, 1 +exteriorlightingagoura.com, 1 +exteriorlightingagourahills.com, 1 +exteriorlightingcalabasas.com, 1 +exteriorlightingcamarillo.com, 1 +exteriorlightingconejovalley.com, 1 +exteriorlightingdosvientos.com, 1 +exteriorlightinghiddenhills.com, 1 +exteriorlightinglakesherwood.com, 1 +exteriorlightingmoorpark.com, 1 +exteriorlightingnewburypark.com, 1 +exteriorlightingoakpark.com, 1 +exteriorlightingsimivalley.com, 1 +exteriorlightingthousandoaks.com, 1 +exteriorlightingwestlakevillage.com, 1 +exteriorroofwindowguttercleaning.com, 1 +exteriorservices.io, 1 +exterminateur-punaise-de-lit.fr, 1 +exterminateur-quebec.ca, 1 +exterminator.com.ua, 1 +external-share.com, 1 +externalapps.com, 1 +externalfb.com, 1 +externer-datenschutzbeauftragter-bochum.de, 0 +externeverslaggeving.nl, 1 +externevoorzitter.nl, 1 +extienso.com, 1 +extinctionrebellion.de, 1 +extirosli.ga, 1 +extmatrix.com, 0 +extra.ie, 1 +extrabits.pt, 0 +extrabusiness.tk, 1 +extract.me, 1 +extracting.tk, 1 +extradiely.sk, 1 +extradivers-worldwide.com, 1 +extraeasycash.com, 1 +extraefficiency.tk, 1 +extraefficient.tk, 1 +extrafrei.at, 1 +extrafuerdich.tk, 1 +extrainsiderest.ga, 1 +extraligamasters.cz, 1 +extraloud.tk, 1 +extrapagetab.com, 1 +extraspaces.co.uk, 1 +extratext.at, 1 +extratv.com, 1 +extraupdate.com, 1 +extreemhost.nl, 1 +extreme-addicts.tk, 1 +extreme-gaming.de, 1 +extreme-gaming.us, 1 +extreme.co.th, 1 +extremebaking.com, 1 +extremeforces.tk, 1 +extremelawsers.ga, 1 +extremelawsest.ga, 1 +extremeleadprogram.com, 1 +extremelycorporate.ca, 0 +extrememusclepump.com, 1 +extremepeptides.com, 1 +extremeprojects.tk, 1 +extremeservicesandrestoration.com, 1 +extremesports.tk, 1 +extremetreeandlandscape.com, 1 +extremetunedcars.tk, 1 +extremfrank.tk, 1 +extrolife.ml, 1 +extromail.de, 1 +extstore.com, 1 +extua.pw, 1 +exudestudios.tk, 1 +exum.tk, 1 +exusi.ai, 1 +exvisits.tk, 1 +exvs.org, 1 +exwaiti.com, 1 +exway.com, 1 +exxoncannabis.com, 1 +exxpozed-image.de, 1 +exxpozed.ch, 1 +exxpozed.co.uk, 1 +exxpozed.com, 1 +exxpozed.de, 1 +exxpozed.eu, 1 +exzibit.net, 1 +eyasc.nl, 1 +eye-move.nl, 1 +eye.do, 1 +eye.security, 1 +eyeandfire.com, 1 +eyebagdoctor.com.sg, 1 +eyeball.ml, 1 +eyebrowsmicroblading.co.uk, 1 +eyecandy.gr, 1 +eyecon.gr, 1 +eyedea.ga, 1 +eyedesignuniversity.com, 1 +eyeglasses.com, 0 +eyelash-mc.com, 1 +eyelash-navi.com, 1 +eyelash.tk, 1 +eyelashconcept.com, 1 +eyelashextensions.tk, 1 +eyelidsphoenix.com, 1 +eyemagic.net, 1 +eyemedica.de, 0 +eyeniyasam.com, 1 +eyenote.gov, 1 +eyeonid.com, 0 +eyep.me, 0 +eyeratereviews.com, 1 +eyes-berg.com, 0 +eyesandearsrescue.org, 1 +eyesaveopticalinc.com, 1 +eyescratch.tk, 1 +eyesee.fr, 1 +eyesfans.com, 1 +eyeshield-informatique.tech, 1 +eyesome.com, 1 +eyespecialistsofla.com, 1 +eyestrainexplained.com, 1 +eyesurgery.tk, 1 +eyetooth.ga, 1 +eyfari.com, 1 +eyktasarim.tk, 1 +eylea.us, 1 +eylog.co.uk, 1 +eylulsohbet.net, 1 +eynio.com, 1 +eyona.com, 1 +eyps.net, 1 +eytosh.net, 1 +eyy.co, 1 +eyyit.com, 0 +eyyubyilmaz.com, 1 +ezabalium.tk, 1 +ezakazivanje.rs, 1 +ezalba.com, 0 +ezcater.com, 1 +ezcater.io, 1 +ezcesspoollongisland.com, 1 +ezcourseonline.com, 1 +ezdog.press, 1 +ezec.com.tw, 1 +ezee-fix.co.uk, 1 +ezekia.com, 1 +ezercommerce.com, 1 +ezeviral.com, 1 +ezgif.com, 1 +ezhub.de, 1 +ezidox.com, 1 +ezifin.com, 1 +ezik-ido.tk, 1 +ezinezone.tk, 1 +ezinternet.com.au, 1 +ezitech.com, 1 +ezmob.com, 1 +ezmoddingz.tk, 1 +ezochat.com, 1 +ezorgportaal.nl, 1 +ezoterizm.info, 1 +ezpb.com, 1 +ezprints.com, 0 +ezpublish-france.fr, 1 +ezrent.tk, 1 +ezsavers.ga, 1 +ezsaversers.ga, 1 +ezsaversest.ga, 1 +ezscrapbooksest.ga, 1 +ezshopper.co.uk, 1 +ezsun.co, 1 +ezvolt.com.br, 1 +ezwebsearch.com, 1 +ezybook.co.nz, 1 +ezybook.net, 1 +ezyfitdoors.com.au, 1 +ezygentechnology.com, 1 +ezz-drops.tk, 1 +ezzarware.nl, 1 +ezzhole.net, 1 +f-401.com, 1 +f-centre.ru, 1 +f-csc.org, 1 +f-droid.org, 0 +f-hd.net, 1 +f-mebel-na-zakaz.ru, 1 +f-sulzmann.de, 1 +f-thie.de, 1 +f-u-c-k.wien, 1 +f00228.com, 1 +f00f.org, 1 +f0x.es, 1 +f1-onlineliga.com, 1 +f1318.net, 1 +f1bigpicture.com, 1 +f1classement.com, 0 +f1collection.com, 1 +f1distribution.com, 1 +f1ex.org, 1 +f1fever.co.uk, 1 +f1fever.net, 1 +f1grandprix.tk, 1 +f1ltr0.com, 1 +f1minute.com, 1 +f1nal-lap.be, 1 +f1nalboss.de, 1 +f1nn.space, 1 +f1pr.com, 1 +f1report.net, 1 +f1rstparking.co.uk, 1 +f1sh.de, 1 +f1simulator.tk, 1 +f1solutionslb.com, 1 +f1sport.tk, 1 +f1worldwide.tk, 1 +f2h.io, 1 +f2pool.com, 1 +f36533.com, 1 +f3m.pt, 1 +f3r.xyz, 1 +f42.net, 1 +f43.me, 1 +f45challenge.com, 1 +f45training.com, 1 +f4bkv.net, 1 +f4jsl.fr, 1 +f5.hk, 1 +f51365.com, 0 +f5197.co, 1 +f6729.co, 1 +f6729.com, 0 +f6957.co, 1 +f6queer.org, 1 +f82365.com, 1 +f88288.com, 1 +f8842.com, 1 +f88fine.com, 1 +f88good.com, 1 +f88ll.com, 1 +f88qin.com, 1 +f88vip1.com, 1 +f88vip101.com, 1 +f88vip102.cc, 1 +f88vip107.com, 1 +f88vip108.com, 1 +f88vip29.com, 1 +f88vip8.com, 1 +f88vip804.com, 1 +f88vip851.com, 1 +f88vip878.com, 1 +f88vip895.com, 1 +f88yule111.com, 1 +f88yule122.com, 1 +f88yule7.com, 1 +f88yule9.com, 1 +f8906.com, 1 +f8908.com, 1 +f8921.com, 1 +f899365.com, 0 +f8cp1.com, 0 +f8cp2.com, 0 +f8cp3.com, 0 +f8cp5.com, 0 +f8cp6.com, 0 +f8cp7.com, 0 +f8cp8.com, 0 +f8s.co, 1 +f9297.co, 1 +f9728.co, 1 +f9852.com, 0 +f9883.com, 0 +f9884.com, 1 +f9885.com, 0 +fa-fa.tk, 1 +faac-sloupy.cz, 1 +faac-zavory.cz, 1 +faaog.com, 1 +faapart107certifiedpilot.com, 1 +faaq.ru, 1 +faasviddy.nl, 1 +faavem.org, 1 +faazadvocatenkantoor.nl, 1 +faazmusic.com, 1 +fabao.in, 1 +fabarm.fr, 1 +fabbro-roma.org, 1 +fabbro.roma.it, 1 +fabconvert.com, 1 +fabelturen.tk, 1 +faber.org.ru, 0 +faberoclub.tk, 1 +fabfrenchinsurance.com, 1 +fabian-fingerle.de, 1 +fabian-ising.de, 1 +fabian-klose.com, 1 +fabian-klose.de, 1 +fabian-klose.net, 1 +fabian-kluge.de, 1 +fabian-praschl.de, 1 +fabian-zoske.de, 1 +fabian.gq, 1 +fabianackle.ch, 1 +fabianbeiner.com, 0 +fabianbeiner.de, 0 +fabianegli.ch, 1 +fabianfranke.de, 1 +fabiankoeppen.com, 1 +fabianni.tk, 1 +fabickcat.com, 1 +fabien-eigenmann.ch, 1 +fabien-hebuterne.fr, 0 +fabienbaker.com, 1 +fabienne-roux.org, 1 +fabil.id, 1 +fabilnatural.co.id, 1 +fabilpages.com, 1 +fabim.de, 1 +fabio.gg, 1 +fabiobier.com, 1 +fabiokrug.de, 1 +fabiolamolinastore.com, 1 +fabiooliveirapr.com.br, 1 +fabiopaiva.pt, 1 +fabledsolutions.com, 1 +fableforge.nl, 1 +fableheartmedia.com, 1 +fabpilot.com, 1 +fabricademonstros.com.br, 1 +fabricadesolados.com.br, 1 +fabricalaser.com.br, 1 +fabricandoclientes.com.br, 1 +fabriceleroux.com, 0 +fabricemannuelphotography.fr, 1 +fabricio.adv.br, 1 +fabricio.eti.br, 1 +fabriciokleinadvocacia.com.br, 1 +fabriciomoreira.ga, 1 +fabrik.de, 1 +fabrika-himchistki.ru, 1 +fabrika-jaluzi.ru, 1 +fabrikafilmes.com.br, 1 +fabriknet.de, 1 +fabrilec.tk, 1 +fabrinet.co.th, 1 +fabriziofaniello.tk, 1 +fabriziorocca.it, 1 +fabriziorocca.tk, 1 +fabrykazabawy1.pl, 1 +fabse.net, 1 +fabseal.de, 1 +fabslabour.uk, 1 +fabtechexpo.com, 1 +fabulosa.com.br, 0 +fabulous.com, 1 +fabulouseventsmiami.com, 1 +fabulousfarmgirl.com, 1 +fabulouslyyouthfulskin.com, 1 +fabulouslyyouthfulskineyeserum.com, 1 +fabuye.cf, 1 +fabuye.ga, 1 +fabuye.gq, 1 +fabuye.ml, 1 +fabuye.tk, 1 +fac.fi, 1 +fac.gov, 1 +faca.gov, 1 +facaca.com, 1 +facadatabase.gov, 1 +facan-godollo.hu, 1 +facanabota.com, 1 +facanabota.com.br, 1 +facarospauls.com, 1 +facchinaggio.it, 1 +facchinaggio.milano.it, 1 +facchinaggio.roma.it, 1 +facchinetti.cloud, 1 +facchino.it, 1 +face-art.tk, 1 +face-fashion.de, 1 +face.yoga, 1 +face2faith-vechta.de, 1 +facealacrise.fr, 0 +facebeautyhq.com, 1 +facebook-atom.appspot.com, 1 +facebook-program.com, 1 +facebook.ax, 1 +facebook.com, 0 +facebookcareers.com, 1 +facebookenterprise.com, 1 +facebookmail.com, 1 +facebookrecruiting.com, 1 +faceboom.tk, 1 +facebylouise.co.uk, 1 +facedaily.tk, 1 +facedeplook.tk, 1 +faceegypt.tk, 1 +faceitsalon.com, 1 +facekhande.tk, 1 +facelimousin.fr, 1 +facemaze.io, 1 +facenews.ml, 1 +facepainting.gr, 1 +facepalmsecurity.com, 1 +faces4watch.com, 1 +facescertification.com, 1 +facesdr.com, 1 +faceside.com, 1 +facesnf.com, 1 +facevietpro.tk, 1 +facevitalityers.ga, 1 +fach-journalist.de, 1 +fachcar.ma, 1 +fachfusspflege-exner.de, 1 +fachim.tk, 1 +fachinformatiker.com, 1 +fachiri.tk, 1 +fachschaften.org, 0 +fachschaftslisten.at, 1 +fachschaftslisten.org, 1 +fachversand-hennes.de, 1 +facialcare.tk, 1 +facialexercising.com, 1 +facialparalysisnetwork.ga, 1 +facialplasticsurgeryofaustin.com, 1 +facil.services, 0 +facilecommebonjour.com, 1 +facilit-info.fr, 1 +facilitate.tech, 1 +facilities.fr, 1 +facilitiessurvey.org, 1 +facilitrak.com, 1 +facilitron.com, 1 +facility-service-muenchen.de, 1 +fackovcova.cz, 1 +fackovcova.eu, 1 +fackovcova.fun, 1 +fackovcova.online, 1 +fackovcova.sk, 1 +fackovec.cz, 1 +fackovec.eu, 1 +fackovec.fun, 1 +fackovec.online, 1 +fackovec.sk, 1 +facorne.com, 1 +fact.cat, 1 +factbros.com, 0 +factbusterers.ga, 1 +factbusterest.ga, 1 +factbytefactbox.com, 1 +facteurcheval.com, 1 +factis.com, 1 +factor.cc, 0 +factorchave.com, 1 +factoriadifacil.com, 1 +factorio.tools, 1 +factoriobin.com, 1 +factoriotools.com, 1 +factoriotools.net, 1 +factoriotools.org, 1 +factorit.fr, 1 +factorway.com, 1 +factory-f.net, 1 +factory-fan.com, 1 +factoryalimentos.com.br, 1 +factorypark.com, 1 +factorypartsdirect.com, 1 +factozia.tk, 1 +facts-about-bees.ml, 1 +factslider.tk, 1 +factsvision.sr, 1 +factua.nl, 1 +factum-info.net, 1 +facturama.pt, 1 +facturare.online, 1 +factureenlinea.com, 0 +factuur.pro, 1 +factuursturen.be, 1 +factuursturen.nl, 1 +facty.com, 1 +factys.do, 1 +factys.es, 1 +facucosta.com.ar, 1 +facvest.com, 1 +fadaex.org, 1 +fadaru.ml, 1 +fadecloud.com, 1 +fadedave.com, 1 +fadednet.com, 0 +fademusic.tk, 1 +fadergs.edu.br, 1 +faderweb.de, 1 +fads-center.online, 1 +fae.watch, 1 +faedefencesociety.com, 1 +faedefensesociety.com, 1 +faehler.de, 1 +faehling.space, 1 +faelix.ch, 1 +faelix.eu, 1 +faelix.fr, 1 +faelix.im, 1 +faelix.net, 1 +faelix.uk, 1 +faerb.it, 1 +faeriebabe.com, 1 +faeriecakes.be, 1 +faeservice.eu, 1 +faeton.tk, 1 +fafarishoptrading.com, 1 +fafers.tk, 1 +fafscloud.com, 0 +fagdag.dk, 1 +faggut.gg, 1 +fagor.com, 1 +fagott.pw, 1 +fagus.hopto.org, 1 +fagyottvilag.hu, 1 +fahadbook.com, 1 +fahnamporn.com, 1 +fahrenwal.de, 1 +fahrenwalde.de, 1 +fahrradreisen-wanderreisen.de, 1 +fahrschule-laux.de, 1 +fahrservice-herrmann.de, 1 +fahrwerk.io, 1 +fahrzeug-talk.de, 1 +fai.gov, 1 +faidanoi.it, 1 +faidatefacile.it, 1 +faieurope.it, 1 +fail.cf, 1 +failed-banks.com, 1 +failforward.tech, 1 +failover.de, 1 +failover.eu, 1 +failoverplan.it, 1 +failstats.net, 0 +faimdevoyages.com, 1 +faimmobiliare.it, 1 +fainlogistics.com, 1 +fairbairnrealty.com, 1 +fairbill.com, 1 +fairbot.cf, 1 +fairbot.gq, 1 +fairbot.ml, 1 +fairbot.tk, 1 +fairbroker.com, 1 +fairchildband.tk, 1 +fairchildfun.com, 0 +fairchildfun.marketing, 1 +fairchildfun.tv, 1 +fairchildstx.gov, 1 +fairdata.ga, 1 +fairedeseconomies.info, 1 +fairelements.net, 1 +faireum.win, 1 +fairewindenergie-sh.de, 1 +fairfaxcountypartners.gov, 1 +fairfaxsc.gov, 1 +fairfield-me.gov, 1 +fairfieldcountyohioworkforcecenter.gov, 1 +fairfieldmt.gov, 1 +fairfieldschool.tk, 1 +fairfieldtexas.gov, 1 +fairfieldtwplenaweemi.gov, 1 +fairfly.com, 1 +fairgaming.ml, 1 +fairgaming.tk, 1 +fairgolfteams.com, 1 +fairhavenvt.gov, 1 +fairleevt.gov, 1 +fairlesslaw.com, 1 +fairline.com, 1 +fairmates.tk, 1 +fairmontnc.gov, 1 +fairmonttamarak.cf, 1 +fairmonttamarak.ga, 1 +fairmonttamarak.ml, 1 +fairmountfireco.gov, 1 +fairplanner.net, 1 +fairplay-trading.com, 1 +fairplay.im, 1 +fairprice.com.sg, 1 +fairtrade010.nl, 1 +fairtradegemeentegent.be, 1 +fairviewcounseling.org, 1 +fairviewevents.ca, 0 +fairviewfarmacy.com, 1 +fairviewfcss.com, 0 +fairviewheightsil.gov, 1 +fairviewmotel-simcoe.com, 1 +fairwayhomebuyers.com, 1 +fairwork.gov.au, 1 +fairyballet.ga, 1 +fairydust.space, 1 +fairyth.tk, 1 +faisia.tk, 1 +faithadvisorers.ga, 1 +faithadvisorest.ga, 1 +faithbulletin.tk, 1 +faithcentercogop.net, 1 +faithfuladvisor.com, 1 +faithfulcounseling.com, 1 +faithfulfaye.nl, 1 +faithfully.tk, 1 +faithfulroad.org, 1 +faithleaks.org, 0 +faixaazul.com, 1 +faizan.net, 1 +faizanullah.com, 0 +fajarafriansh.cf, 1 +fajarilahi.sch.id, 1 +fajasreductoras.top, 1 +fajita.party, 1 +fajn-shop.cz, 1 +fajnshop.sk, 1 +fajode.net, 1 +fakat.tk, 1 +fake-show.ga, 1 +fake.creditcard, 1 +fakeaddress.net, 1 +fakeapple.nl, 1 +fakeballon.shop, 1 +fakebusters.club, 1 +fakecheck.com, 1 +faked.org, 1 +fakeemergency.com, 1 +fakeframes.ga, 1 +fakeframesers.ga, 1 +fakeframesest.ga, 1 +fakehostel.com, 1 +fakehouse.tk, 1 +fakehub.com, 1 +fakel.ga, 1 +fakemoney.ga, 1 +fakeroses.tk, 1 +fakes-ru.tk, 1 +fakescreen.org, 1 +faketaxi.com, 1 +fakhrudin.tk, 1 +fakinga.tk, 1 +fakir-show.nl, 1 +fakt.tk, 1 +faktenfaktenfakten.tk, 1 +faktotum.tech, 1 +fakturi.com, 1 +faktury.co, 0 +fal.moe, 1 +falaeapp.org, 1 +falastin.tk, 1 +falbros.com, 1 +falcatus-dalmatians.hu, 1 +falce.in, 1 +falcema.com, 1 +falchion.tk, 1 +falck.dk, 1 +falcn.io, 1 +falconcrest-lippert.com, 1 +falconerny.gov, 1 +falconfrag.com, 1 +falconi.com, 1 +falconicapital.com, 1 +falconieri.it, 1 +falconinsurance.com.hk, 1 +falconstap.tk, 1 +falconvintners.com, 0 +falcoz.net, 1 +faldoria.de, 1 +fale.io, 1 +falegname-roma.it, 1 +falegname.roma.it, 1 +falegnameria.milano.it, 1 +falixnodes.net, 1 +falkenbergthomsen.dk, 1 +falkenthal.org, 1 +falkentyre.com, 1 +falkus.net, 1 +fall.ga, 1 +fallen-evolution.com, 1 +fallenangeldrinks.co.uk, 1 +fallenangeldrinks.com, 0 +fallenangeldrinks.eu, 1 +fallenangelspirits.co.uk, 1 +fallenangelspirits.com, 1 +fallenlondon.wiki, 1 +fallenmoons.nl, 1 +fallens-home.de, 1 +fallenspirits.co.uk, 1 +fallfishtenkara.com, 0 +falling.se, 1 +fallingbrick.co.uk, 1 +fallofthecitadel.com, 1 +fallonarrocho.tk, 1 +fallout-craft.ru, 1 +fallout-tattoo.de, 1 +fallout4london.com, 1 +fallriverbiblechapel.tk, 1 +fallriverma.gov, 1 +fallspa.gov, 1 +fallvegermdfharder.gq, 1 +falmouthpublicsafetyma.gov, 1 +falmouthretirementma.gov, 1 +falscher-kellner.de, 1 +false.in.net, 1 +falsepattern.com, 1 +falsesecurity.org, 1 +falsterhus.de, 1 +falsterhus.dk, 1 +falstoneshow.com, 1 +falsum.net, 1 +fam-borsch.de, 1 +fam-kreibich.de, 1 +fam-roos.com, 1 +fam-stemmer.de, 0 +famacweb.no, 1 +famcloud.de, 1 +famdouma.nl, 1 +fameng.nl, 1 +famep.gov, 1 +fameska.com, 1 +fameslook.tk, 1 +fameus.fr, 1 +fameuxhosting.co.uk, 1 +famgdigital.com, 1 +famigliafiorini.it, 1 +familialchercher.tk, 1 +familiaperez.net, 0 +familie-keil.de, 1 +familie-kruithof.nl, 1 +familie-kupschke.de, 1 +familie-mischak.de, 1 +familie-monka.de, 1 +familie-mueller.com.de, 1 +familie-oberlander.de, 1 +familie-poeppinghaus.de, 1 +familie-remke.de, 1 +familie-sprink.de, 0 +familie-witzik.eu, 1 +familiearchivaris.nl, 1 +familiebaehr.eu, 1 +familiebies.nl, 1 +familiedelwicheferrari.tk, 1 +familiekiekjes.nl, 1 +familiekusch.de, 1 +familienoase-koenigstein.de, 1 +familienportal.de, 1 +familienrat.com, 1 +familienzone.at, 1 +familiereimann.com, 0 +familieretshuset.dk, 1 +familietandarts.nl, 1 +familievisscher.tk, 1 +familjenm.se, 1 +familjenosterlund.se, 1 +familleenfete.fr, 1 +familleseux.net, 1 +familleshilton.com, 1 +family-clinic.tk, 1 +familyclinicstl.com, 1 +familyconventioners.ga, 1 +familyd-c.com, 1 +familydoctor.ru, 1 +familyframeworks.com, 1 +familyhookups.com, 1 +familyparties.co.uk, 1 +familyrecipe.co.uk, 1 +familysinners.com, 1 +familystockexchangeers.ga, 1 +familytreehq.com, 1 +familytrees.net, 1 +familytreewebinars.com, 1 +familyworld.gr, 0 +familyzone.ga, 1 +famion.eu, 1 +famlefeber.nl, 1 +famonitor.com, 1 +famosas.cf, 1 +famous-models.tk, 1 +famousandfaded.com, 1 +famousbirthdays.com, 1 +famousit.nl, 1 +famousmodels.tk, 1 +famouspdf.gq, 1 +famre.de, 1 +famreijnen.nl, 1 +famschaefer.ddns.net, 1 +famvsomeren.nl, 1 +fan-sport.com, 1 +fan-sport25.com, 1 +fan.gov, 1 +fan4all.de, 1 +fanart.ru, 1 +fanaticamandafans.tk, 1 +fanaticosdehectorlavoeenperu.tk, 1 +fanatka.tk, 1 +fanbike.de, 1 +fanboi.ch, 1 +fanbooster.com, 1 +fancars.ru, 1 +fancentro.com, 1 +fanclubblackhills.tk, 1 +fanclubmariaciobanu.tk, 1 +fanclubs.tk, 1 +fancy-bridge.com, 1 +fancy.org.uk, 1 +fancygaming.dk, 1 +fancypanty.cf, 1 +fancywow.com, 1 +fandars.com, 1 +fandeev.tk, 1 +fander.it, 1 +fandt.me, 1 +fanera.tk, 1 +fanescu.ro, 1 +faneuil.com, 1 +fanfareokselaar.tk, 1 +fanfareunion.ch, 0 +fanfiction.tk, 1 +fanflix.co, 1 +fang-den-sommer.de, 1 +fangan.com, 1 +fangbing.me, 1 +fangd.net, 1 +fangjingdian.com, 1 +fangkehou.tk, 1 +fangshu.com, 1 +fanidrakopoulou.tk, 1 +fanjingbo.com, 1 +fanmerchstore.com, 1 +fanniemaeloans.tk, 1 +fanning.tk, 1 +fannyips.tk, 1 +fanohus.de, 1 +fanohus.dk, 1 +fanorama.tk, 1 +fanosak.tk, 1 +fanqia.ng, 1 +fans-darkangel.tk, 1 +fans-lily-allen.tk, 1 +fansale.de, 1 +fansdefoot.fr, 1 +fanshenzhiyi.com, 1 +fansport.space, 1 +fansta.jp, 1 +fanstuff.ru, 1 +fantacast.it, 1 +fantasiatravel.hr, 1 +fantasmma.tk, 1 +fantasticcleaners.com.au, 1 +fantasticcleanersbristol.co.uk, 1 +fantasticgrassers.ga, 1 +fantasticgrassest.ga, 1 +fantastichandymanmelbourne.com.au, 1 +fantastici.de, 1 +fantasticservices.com, 1 +fantasticservicesgroup.com.au, 1 +fantastictricks.gq, 1 +fantastictricks.tk, 1 +fantasy-football.org, 1 +fantasy-judo.com, 1 +fantasyadventures.tk, 1 +fantasybarsers.ga, 1 +fantasybarsest.ga, 1 +fantasybet.co, 1 +fantasycastles.co.uk, 1 +fantasycdn.com, 1 +fantasychronicleonline.com, 1 +fantasydreams.tk, 1 +fantasyempires.net, 1 +fantasyempires.nl, 1 +fantasyescortsbirmingham.co.uk, 1 +fantasyfoot.gq, 1 +fantasyfoot.tk, 1 +fantasyforever.tk, 1 +fantasymina.de, 1 +fantasypartyhire.com.au, 1 +fantasypartyrental.com, 1 +fantasyprojections.com, 1 +fantasyspectrum.com, 1 +fantasysports.tk, 1 +fantasysportsnews.org, 1 +fantgames.com, 1 +fantinisfantasy.cf, 1 +fantinishop.com, 1 +fantraxhq.com, 1 +fanty-online.com, 0 +fanyue123.tk, 1 +fanz.pro, 1 +fanzade.com, 1 +fanzapers.ga, 1 +fanzhuang.com, 1 +fanzine-nimbus.tk, 1 +fanzlive.com, 1 +fap.link, 1 +fap.no, 1 +fapcoholic.com, 1 +fapdrop.com, 1 +fapiis.gov, 1 +fapplejuice.com, 1 +fapplepie.com, 1 +fapplesauce.com, 1 +fapzone.tk, 1 +faq.ie, 1 +faqbite.com, 1 +faqexchangeest.ga, 1 +faqin-hr.info, 1 +faqiteam.tk, 1 +far-east.tk, 1 +far3link.tk, 1 +fara.gov, 1 +faradji.nu, 1 +faradome.ws, 1 +faradrive.ir, 1 +farafaratodonuevoleon.com, 1 +farallonesrentacar.com, 1 +faraloda.tk, 1 +faraonplay5.com, 1 +faraonplay7.com, 1 +faraonplay8.com, 1 +faraslot8.com, 1 +faraslot8.net, 1 +faraso.org, 1 +farb-tabelle.de, 1 +farberplasticsurgery.com, 1 +farbyin10.com, 1 +farcecrew.de, 0 +farcon.com, 1 +farda.gov, 1 +fardinarafat.tk, 0 +fareast.cf, 1 +fareast.ga, 1 +fareast.gq, 1 +fareast.tk, 1 +fareinternational.com, 1 +farenheit.net, 1 +faresair.com, 1 +farescan.com, 1 +faresfrom.com, 1 +fareto.com, 1 +faretravel.co.uk, 1 +fareuntrasloco.it, 1 +farexpress.it, 0 +farfallapets.com.br, 1 +farfor.tk, 1 +farhadexchange.com, 1 +farhamaghdasi.ir, 1 +farhandanish.tk, 1 +farian.tk, 1 +faribanx-porn.com, 1 +faribanx-xxx.com, 1 +faridathaimassage.com.au, 1 +farikaporselen.com, 1 +farisre.com, 1 +farizhan.com, 1 +farizizhan.com, 0 +farizstore.tk, 1 +farkas.ws, 1 +farleybrass.com.au, 1 +farleymetals.com.au, 1 +farlitesolutions.com, 1 +farm-catalog.ga, 1 +farm-dogecoin.tk, 1 +farm-vacations.com, 1 +farm24.co.uk, 1 +farmaceuticainternazionale.it, 1 +farmacia.pt, 1 +farmaciacomunalelacchiarella.it, 1 +farmaciadejaime.es, 1 +farmacologiaonline.com, 1 +farmacovigilancia-exeltis.com.mx, 0 +farmako.net, 1 +farmakon.tk, 1 +farmasimahaganesha.ac.id, 1 +farmaspeed.it, 1 +farmauna.com, 1 +farmaweb.be, 1 +farmbureauinsurance-mi.com, 1 +farmcloud.fr, 1 +farmer-miniaturen.tk, 1 +farmerfairness.gov, 1 +farmers.gov, 1 +farmersfridge.com, 0 +farmersgirlkitchen.co.uk, 1 +farming.co.uk, 1 +farmingtonlaxwi.gov, 1 +farmkazuto.com, 1 +farmmaximizer.com, 1 +farmocracy.in, 1 +farmqa.com, 1 +farmscbdoil.com, 1 +farmtogether.com, 1 +farmvilleva.gov, 1 +farnboroughairshow.com, 1 +faro-car-hire.co.uk, 1 +faro.com, 1 +farodistribuidora.com.br, 1 +faroes.net, 1 +faroes.org, 1 +faroit.tk, 1 +faroitalia.it, 1 +farol.cz, 1 +faros-studio.gr, 1 +faroutsolutions.com, 0 +farrel-f.cf, 1 +farrel-f.id, 1 +farrel-f.tk, 1 +farrelf.blog, 1 +farrelly.nz, 1 +farringtonfoundation.org, 1 +farringtongurneyvillagehall.org, 1 +farsiight.com, 1 +farsil.eu, 1 +fart.cafe, 1 +fartoclose.tk, 1 +fartypants.com, 1 +faryaz.tk, 1 +fasab-portcenter.se, 1 +fasad.eu, 1 +fasam.edu.br, 1 +fascat.com, 1 +fashion-buttons.tk, 1 +fashion-family.cf, 1 +fashion-hunters.pl, 1 +fashion-swimwear.tk, 1 +fashion-world.tk, 1 +fashion.bg, 1 +fashionactivation.com, 1 +fashionadvice.tk, 1 +fashionagent.tk, 1 +fashionblogs.tk, 1 +fashioncatalogues.tk, 1 +fashionchanel.tk, 1 +fashioncourses.tk, 1 +fashiondaily.tk, 1 +fashiondays.bg, 1 +fashiondays.hu, 1 +fashiondays.ro, 1 +fashiondesign.ml, 1 +fashiondistrict.org, 1 +fashiondock.de, 0 +fashiondot.ga, 1 +fashioneditor.gr, 1 +fashionflavorph.com, 1 +fashionforward.tk, 1 +fashionforyou.ga, 1 +fashionfreaks.tk, 1 +fashionfuture.tk, 1 +fashionhome.tk, 1 +fashioninitaly.tk, 1 +fashionlink.tk, 1 +fashionlistify.tk, 1 +fashionmagazine.com, 1 +fashionmagz.tk, 1 +fashionmasala.tk, 1 +fashionmovie.tk, 1 +fashionone.tk, 1 +fashionopenstudio.com, 1 +fashionoutlets.tk, 1 +fashionplus.ml, 1 +fashionrecovery.co.nz, 1 +fashionreview.ml, 1 +fashionstylenews.tk, 1 +fashionsuits.tk, 1 +fashionsummer.tk, 1 +fashiontrendsetter.com, 1 +fashionunited.at, 1 +fashionunited.be, 1 +fashionunited.ch, 1 +fashionunited.cl, 1 +fashionunited.cn, 1 +fashionunited.co, 1 +fashionunited.co.uk, 1 +fashionunited.com, 1 +fashionunited.com.ar, 1 +fashionunited.com.br, 1 +fashionunited.com.pe, 1 +fashionunited.de, 1 +fashionunited.es, 1 +fashionunited.fi, 1 +fashionunited.fr, 1 +fashionunited.hk, 1 +fashionunited.hu, 1 +fashionunited.ie, 1 +fashionunited.in, 1 +fashionunited.info, 1 +fashionunited.it, 1 +fashionunited.jp, 1 +fashionunited.lu, 1 +fashionunited.mx, 1 +fashionunited.nl, 1 +fashionunited.no, 1 +fashionunited.nz, 1 +fashionunited.pl, 1 +fashionunited.pt, 1 +fashionunited.ru, 1 +fashionunited.se, 1 +fashionunited.uk, 1 +fashionusa.gq, 1 +fashionweb.ml, 1 +fashionweek.tk, 1 +fashionweekweb.com, 1 +fashionworlds.ml, 1 +fashionxmas.gq, 1 +fasigbrooks.com, 1 +fasmaritime.com, 1 +faspirits.co.uk, 1 +faspirits.com, 1 +faspsych.com, 1 +fasqu.com, 1 +fassaden-selleng.de, 1 +fassadenverkleidung24.de, 1 +fassi-sport.it, 1 +fassiportugal.pt, 1 +fast-cargo.ml, 1 +fast-drops.cf, 1 +fast-events.eu, 1 +fast-growth.fr, 1 +fast-host.gq, 1 +fast-host.net, 1 +fast-mobile.tk, 1 +fast-pro.co.jp, 1 +fast-rabbit.tw, 1 +fast-silver.tk, 1 +fast4ever.tk, 1 +fastaim.de, 1 +fastamundi.com, 1 +fastandtuning.tk, 1 +fastbackmbg.be, 1 +fastbackmbm.be, 1 +fastbet.it, 1 +fastblit.com, 1 +fastblob.com, 1 +fastbob.cf, 1 +fastbob.ga, 1 +fastbob.gq, 1 +fastbob.ml, 1 +fastbob.tk, 1 +fastbuilder.pro, 1 +fastcash.com.br, 1 +fastcast.ga, 1 +fastcats.tk, 1 +fastcdn.info, 1 +fastcloud.ge, 1 +fastcommerce.org, 1 +fastconfirm.com, 1 +fastcp.top, 1 +fastcup.net, 1 +fastcustomboxes.com, 1 +fastdronespro.com, 1 +fastener.tk, 1 +fastensorozo.hu, 1 +faster-disinfestazioni.it, 1 +faster.cz, 1 +fasterblogsers.ga, 1 +fasterblogsest.ga, 1 +fasterci.com, 1 +fasterfront.com, 1 +fasterfront.com.br, 1 +fasternie.tk, 1 +fastestknowntime.com, 1 +fastfast.click, 1 +fastfix.nl, 1 +fastfloorscreed.ie, 1 +fastforwardsociety.nl, 1 +fastforwardthemes.com, 1 +fastfox.tk, 1 +fastfwd.co.za, 1 +fastgamingro.tk, 1 +fasthost.com.br, 1 +fastighetsekonomi.com, 0 +fastknighki.ga, 1 +fastknigi.ml, 1 +fastlaneimportautorepair.com, 1 +fastmail.com, 0 +fastme.co, 1 +fastmeet.tk, 1 +fastmetrics.com, 1 +fastonline.ro, 1 +fastopen.ml, 1 +fastos.com, 1 +fastos.de, 1 +fastpaper.gq, 1 +fastpeoplesearch.com, 1 +fastphox.com, 1 +fastpresence.com, 1 +fastproxycat.ml, 1 +fastproxyforfree.gq, 1 +fastrocket.pl, 1 +fastscanapp.com, 1 +fastserv.pl, 1 +fastshop.com.pl, 1 +faststage.ch, 1 +fasttracconsulting.com, 1 +fasturl.ml, 1 +fastvanya.com, 1 +fastvelocityers.ga, 1 +fastvelocityest.ga, 1 +fastvisit.tk, 1 +fastvistorias.com.br, 1 +fastworx.com, 1 +faszination-fankurve.de, 1 +fatal-beauty.tk, 1 +fatal.ga, 1 +fatalchat.tk, 1 +fatalerrorcoded.eu, 1 +fatalityimmortals.ga, 1 +fatalsunrise.com, 1 +fatassbooty.com, 1 +fatcat.tk, 1 +fate-srd.com, 0 +fatecdevday.com.br, 1 +fatemaalhabsi.com, 1 +fates.online, 1 +fatetx.gov, 1 +fatfueled.com, 1 +fatherhood.gov, 1 +fatidique.com, 1 +fatig.com, 1 +fatiguesyndrome.com, 1 +fatihingemisi.com, 1 +fatimamoldes.com.br, 1 +fatlabwebsupport.com, 1 +fatmixx.com, 1 +fator25.com.br, 1 +fatowltees.com, 1 +fatpussytube.com, 1 +fattailcall.com, 0 +fattoriabio.jp, 1 +fattorino.it, 1 +fatturegeko.eu, 1 +fattyburgers.com, 1 +fattyink.com, 1 +fatumagro.bg, 1 +fatvalley.at, 1 +fatzebra.com.au, 1 +fau-bremen.tk, 1 +fau8.ml, 1 +fauceton.cf, 1 +fauceton.tk, 1 +faucetslist.tk, 1 +faulhaber.com, 1 +faulkner2020.com, 1 +faulknercountyar.gov, 1 +faultyserver.com, 1 +faunahotel.cl, 1 +faunathreads.com, 1 +faunatrek.com, 1 +faure.link, 1 +fautchen.eu, 1 +fauteuil-bebe.fr, 1 +fauvettes.be, 1 +fauwater.com, 1 +fauxcams.com, 1 +fauxil.shop, 1 +fauxreal.com, 1 +fav-hosting.online, 1 +favalart.com, 1 +favarica.com, 1 +favicone.com, 1 +favirei.com, 1 +favor-group.ru, 1 +favorai.com, 1 +favorislotgiris.com, 1 +favorit-stroy-snab.ru, 1 +favoritenewspaperers.ga, 1 +favoritenewspaperest.ga, 1 +favoritestudent.ml, 1 +favoritestudenters.ga, 1 +favoritestudentest.ga, 1 +favoritetechers.ga, 1 +favouritequotations.ca, 1 +favourperfect.com.au, 1 +favro.com, 1 +favrotest.com, 1 +faw-club.cf, 1 +fawong.com, 1 +fawter.online, 1 +fawx.news, 1 +faxfarmers.ga, 1 +faxfarmest.ga, 1 +faxreader.net, 1 +faxvorlagen-druckvorlagen.de, 1 +fayalove.com, 1 +fayamovies.tk, 1 +fayettecountyillinois.gov, 1 +fayettecountyoh.gov, 1 +fayettecountytn.gov, 1 +fayettecountywv.gov, 1 +fayettemopd.gov, 1 +fayettevilleflyer.com, 1 +fayettevillewv.gov, 1 +fayffersons.com, 1 +fayfilms.com, 1 +fayntic.com, 1 +faysalabdi.fi, 1 +fazal.tv, 1 +fazet.tk, 1 +fazhion.tk, 1 +fazo.gq, 1 +fazrin.tk, 1 +fazz.fun, 1 +fazz.id, 1 +fb.audio, 1 +fb.gg, 1 +fb.me, 1 +fb.watch, 1 +fbaun.dk, 1 +fbausch.de, 1 +fbcdn.net, 1 +fbcfairburn.com, 1 +fbcopy.com, 1 +fbctx.gov, 1 +fbe.to, 1 +fbf.gov, 1 +fbfwd.email, 1 +fbi.gov, 1 +fbiagentedu.org, 1 +fbigame.com, 1 +fbihr.gov, 1 +fbiic.gov, 1 +fbijobs.gov, 1 +fbilab.gov, 1 +fbk.moe, 1 +fbmedia-ckl.com, 1 +fbo.gov, 1 +fbo.network, 1 +fboerman.nl, 1 +fbrief.org, 1 +fbsbx.com, 1 +fbscontenttest.com, 1 +fbthirdpartypixel.com, 1 +fburl.com, 1 +fbwat.ch, 1 +fbwifi.com, 1 +fc-corvinul.tk, 1 +fc-rostov.ru, 1 +fc8882.net, 1 +fca-tools.com, 1 +fcapartsdb.com, 1 +fcapollo.tk, 1 +fcarrascosa.es, 1 +fcbarcelona.cz, 1 +fcbasel.info, 1 +fcblueboys.be, 1 +fcbrasov.tk, 1 +fccaracciolo-solution.tk, 1 +fccarbon.com, 0 +fcd.im, 1 +fcdauwendaele-dames.tk, 1 +fcdekampioenen.tk, 1 +fcdemuis.tk, 1 +fcdenhaag-holi.tk, 1 +fcdg.com.br, 1 +fcdordrecht.tk, 1 +fcforum.net, 1 +fcg.fyi, 1 +fcgmd.gov, 1 +fcht.fr, 1 +fcic.gov, 1 +fcijobportalodisha.com, 1 +fcingolstadt.de, 0 +fcitasc.com, 1 +fcm.org.co, 1 +fcmoorsel.tk, 1 +fcode.tk, 1 +fcosinus.com, 1 +fcporto.ws, 1 +fcprovadia.com, 1 +fcrrijswijk.nl, 1 +fcs-embedded.com, 1 +fcsarajevo.tk, 1 +fcsic.gov, 1 +fcsm.gov, 1 +fcts.ml, 1 +fd-telecom.ru, 1 +fd.gov, 1 +fdalawboston.com, 1 +fdaregs.com, 1 +fdereplace.tk, 1 +fdevs.ch, 1 +fdfz.edu.cn, 1 +fdg-98.de, 1 +fdic.exposed, 1 +fdicig.gov, 1 +fdicoig.gov, 1 +fdimmo24.com, 1 +fdis.net.cn, 1 +fdj.fr, 1 +fdkm.eu, 1 +fdlibre.eu, 1 +fdlp.gov, 1 +fdlpl.org, 1 +fdltcc.edu, 1 +fdmg.nl, 1 +fdms.gov, 1 +fdnsc.net, 1 +fdp-alsdorf.de, 1 +fdp-heinsberg.de, 1 +fdpbrig.ch, 1 +fdresearch.ca, 1 +fdsys.gov, 1 +fdx-insurance.com, 1 +feac.us, 1 +feaden.me, 1 +feandc.com, 1 +fear-crowd.tk, 1 +fearedcreation.tk, 1 +fearfactory.tk, 1 +fearghus.org, 1 +fearlessmusic.tk, 1 +fearnley.uk, 1 +fearstyle.tk, 1 +fearunknown.tk, 1 +feast-day.tk, 1 +feast.info, 1 +feastofplants.com, 1 +feastr-dev.de, 1 +feastr.de, 1 +feastr.io, 1 +feastshare.com, 1 +feat.agency, 1 +feath.net, 1 +featherfan.io, 1 +feathermc.com, 1 +feathersbtq.com, 1 +featherweightlabs.com, 1 +feature-branch.nl, 1 +featured.tk, 1 +featuredcarders.ga, 1 +featuredmen.com, 1 +feb.gov, 1 +febeditora.com.br, 1 +febooti.com, 1 +fed-shashek.spb.ru, 1 +fed51.com, 1 +fedbizopps.gov, 1 +fedcenter.gov, 1 +fedefutbol.tk, 1 +fedel.tk, 1 +fedema.com, 1 +federacaoanarquista.com.br, 1 +federacaofutebolmesa.pt, 1 +federacaomatraquilhos.pt, 1 +federacaoportuguesafutebolmesa.pt, 1 +federaciocatalanapipaclubs.tk, 1 +federacionanarquista.net, 1 +federalbus.ga, 1 +federalbusers.ga, 1 +federalbusest.ga, 1 +federalcalendarest.ga, 1 +federalcriminaldefenseattorney.com, 1 +federalinvestments.gov, 1 +federaljob.net, 1 +federaljobs.gov, 1 +federallawenforcement.org, 1 +federalprisonforums.com, 1 +federalregister.gov, 1 +federalreserve.gov, 1 +federalreserveconsumerhelp.gov, 1 +federalsignal.com, 1 +federasco.ga, 1 +federation.gov.au, 1 +federica.tk, 1 +federico.ro, 1 +federicomigliavacca.it, 1 +fedextrackingservices.com, 1 +fedidcard.gov, 1 +fedifeed.net, 1 +fedinvest.gov, 0 +fedistatus.com, 1 +fedistatus.eu, 1 +fedistatus.net, 1 +fedistatus.org, 1 +fedistatus.social, 1 +fediver.city, 1 +fediver.com, 1 +fediver.eu, 1 +fediver.net, 1 +fediver.org, 1 +fediver.social, 1 +fedivercity.com, 1 +fedivercity.eu, 1 +fedivercity.net, 1 +fedivercity.org, 1 +fedivercity.social, 1 +fediverse.observer, 1 +fedjobs.gov, 1 +fedlocatorers.ga, 1 +fedlocatorest.ga, 1 +fedn.it, 1 +fednat.com, 1 +fedorahosted.org, 1 +fedoralinux.or.kr, 1 +fedoranews.org, 1 +fedorapeople.org, 1 +fedoraproject.org, 1 +fedorblog.tk, 1 +fedpartnership.gov, 1 +fedramp.gov, 1 +fedres.gov, 1 +fedrigoni.com, 1 +fedrooms.gov, 1 +fedrtc.org, 1 +fedshat.space, 1 +fedshirevets.gov, 1 +feeblebridges.nl, 1 +feecotec.com, 1 +feed-back.com, 1 +feedback-project.eu, 1 +feedbackproduction.tk, 1 +feedbin.com, 0 +feedetailsers.ga, 1 +feedetailsest.ga, 1 +feedfall.com, 1 +feedhq.org, 1 +feedinghouse.tk, 1 +feedingmethodsers.ga, 1 +feedingmethodsest.ga, 1 +feedingmynewbaby.com, 1 +feedkovacs.hu, 1 +feedmail.org, 1 +feedough.com, 1 +feedstringer.com, 1 +feedthefood.com, 1 +feedthefuture.gov, 1 +feedthegreek.tk, 1 +feedtube.com, 1 +feedvisor.com, 1 +feeg-wage.gc.ca, 1 +feegg.com.br, 1 +feehla.com, 1 +feek.org, 1 +feel-events.com, 1 +feel.aero, 1 +feelamazing.com.au, 1 +feelbycubanas.com, 1 +feeld.cloud, 1 +feelerfolg.com, 1 +feelgood-workouts.de, 1 +feelgood.com.tw, 1 +feelgoodcasino.com, 1 +feeling.com.mx, 1 +feelingdesperate.net, 1 +feelingdesperate.org, 1 +feelmingo.com, 1 +feelnet.top, 1 +feelnice.com.br, 1 +feeltennis.net, 1 +feelya.com, 1 +feen.us, 1 +feepod.com, 1 +feeriedesign-event.com, 1 +feest.com, 1 +feestbierfusten.nl, 1 +feestfactory.tk, 1 +feestgids.nl, 1 +feetek.net, 1 +feetnesclub.tk, 1 +feetpa.ws, 1 +feezmodo.com, 1 +fef.moe, 1 +fefacaram.com.br, 1 +fefelovalex.ru, 1 +feg-wge.gc.ca, 1 +fegame.eu, 1 +fegame.mobi, 1 +fegame.net, 1 +fegame.nl, 1 +fegc-wgec.gc.ca, 1 +fegli.gov, 1 +fehlerqultur.net, 1 +fehngarten.de, 1 +fehr-online.eu, 1 +fehrm.gov, 1 +feibiaowang.com, 0 +feigling.net, 0 +feignandfolly.tk, 1 +feiki.tk, 1 +feikuai.tv, 1 +feildel.fr, 1 +feilen.de, 1 +feilestrokestown.com, 1 +feinform.com, 1 +feip.co, 1 +feirlane.org, 0 +feiromo.com, 1 +feistore.com.tw, 1 +feistyduck.com, 1 +feisworld.com, 0 +feitam.es, 1 +feittinf.org.br, 1 +feixiang.eu.org, 1 +feixiang.pp.ua, 1 +feiya.ng, 1 +fejervar.hu, 1 +fejo.dk, 1 +fekepp.net, 1 +fekir.info, 1 +felcas.com.co, 1 +felcraperak.com.my, 1 +feld.saarland, 1 +feldbogenclub-hamburg.de, 1 +feldgut.de, 1 +feldkirchen.tk, 1 +feldmangallery.com, 1 +feldmaraesthetics.com, 1 +felett.es, 1 +felger-times.fr, 1 +felgitscher.xyz, 1 +felicifia.org, 1 +felid.gay, 1 +felidas.net, 1 +felin.es, 1 +feline.ro, 1 +felinefriend.co.uk, 1 +felinepc.com, 1 +felipesexto.tk, 1 +felipesuri.com, 0 +feliratok.eu, 1 +felis.com.mx, 1 +feliscatus.tk, 1 +felistirnavia.sk, 1 +felix-amez.tk, 1 +felix-hirner.de, 1 +felixbarta.de, 1 +felixbrand.de, 1 +felixbroekhuizen.tk, 1 +felixc.at, 1 +felixcabrol.com, 1 +felixcrux.com, 1 +felixgerschau.com, 1 +felixharo.es, 0 +felixhollitzer.de, 1 +felixkauer.de, 1 +felixklenner.de, 1 +felixlatscha.ch, 1 +felixmendez.com, 1 +felixsanchez.tk, 1 +felixschuermeyer.de, 1 +felixseele.de, 1 +felixsworld.tk, 1 +felixturgeon.ca, 1 +felixvelarde.com, 1 +felixweb.tk, 1 +feliz.tk, 1 +felko-tech.de, 1 +fellas.com.tr, 1 +fellpony.org, 0 +felmodrj.com, 1 +felonymath.com, 1 +felonymath.net, 1 +felonymath.org, 1 +felsare3.com, 1 +felsefe.tk, 1 +felsenheimer.tk, 1 +feltencie.com, 1 +feltons.me, 0 +feluck.de, 1 +female-costumes.tk, 1 +femalecare.tk, 1 +femalefoodie.com, 1 +femalehumorers.ga, 1 +femalehumorest.ga, 1 +femaleteamest.ga, 1 +femastudios.com, 1 +femboy.clothing, 1 +femboy.fan, 1 +femboys.pics, 1 +femcompany.nl, 1 +femik.net, 1 +femina.se, 1 +feminina.eu, 1 +feminina.pt, 1 +feminique.tk, 1 +feministreview.cf, 1 +feministreview.ga, 1 +feministreview.gq, 1 +feministreview.ml, 1 +feministspectrum.org, 1 +feminteligencia.com, 1 +femiwiki.com, 1 +femme.fitness, 1 +femmes-women.gc.ca, 1 +femmes.gc.ca, 1 +femmesaupluriel.com, 1 +femtomind.com, 1 +fena.jp, 1 +fenagav.ga, 1 +fenatrigo.com.br, 1 +fence-stlouis.com, 1 +fencebutlers.com, 1 +fencekirkwood.com, 1 +fencestlouis.co, 1 +fencestlouis.com, 1 +fencethisyard.com, 1 +fenciblelaw.co.nz, 1 +fencingmarters.ga, 1 +fencingmartest.ga, 1 +feng.si, 1 +feng18.vip, 0 +feng88.vip, 0 +fengchuiyudaqu.ml, 1 +fenghuangcheng.tk, 1 +fengmar.com, 1 +fengrui.me, 0 +fengshuimeta.com, 1 +fengyadi.com, 1 +fengyi.tel, 1 +fengying.co, 1 +fenhl.net, 1 +fenichelar.com, 1 +fenitriatnica.tk, 1 +fenix-site.tk, 1 +fenix-zone.tk, 1 +fenixcorporative.tk, 1 +fenixmetal.tk, 1 +fenixonlinevirtual.com.br, 1 +fenj.nl, 1 +fenn.moe, 1 +fennec.wtf, 1 +fenns.co.za, 1 +fennville.gov, 1 +fennydewit.nl, 1 +fenom.ga, 1 +fenotipo.com, 1 +fenris.ovh, 1 +fenritec.eu, 1 +fenritec.fr, 1 +fense.cf, 1 +fense.ml, 1 +fenster-bank.at, 1 +fenster-bank.de, 1 +fensterbau-mutscheller.de, 1 +fenwickisland-de.gov, 1 +fenzas.com, 1 +feodosiya.cf, 1 +feodosiya.tk, 1 +fepun.com, 1 +ferad.net, 1 +feras-alhajjaji.com, 1 +feraz.com.mx, 1 +ferc.gov, 1 +ferca.pt, 1 +ferchup.com, 1 +ferdi-is.gay, 1 +ferenczi.ch, 1 +ferestre-bucuresti.ro, 1 +fereum.com, 1 +ferfer.ga, 1 +fergtm.com, 1 +fergusfallsmn.gov, 1 +fergusonroofing.com, 1 +ferhatsurer.com, 1 +feria-ales.fr, 1 +feriadelvellon.tk, 1 +feribotlines.com, 1 +feridun.tk, 1 +feriehus-danmark.no, 1 +ferien-haus-mittelpunkt.de, 1 +ferien-netzwerk.de, 1 +ferien-zweibruecken.tk, 1 +ferienhaeuser-krummin.de, 1 +ferienhaus-danemark-hund.de, 1 +ferienhaus-danemark-privat.de, 1 +ferienhaus-laesoe.de, 1 +ferienhaus-montenegro.tk, 1 +ferienhaus-polchow-ruegen.de, 0 +ferienhaus-urlaub-danemark.de, 1 +ferienhausprovence.ch, 1 +ferienwohnung-hafeninsel-stralsund.de, 1 +ferienwohnung-ruegen.tk, 1 +ferienwohnung-wiesengrund.eu, 1 +ferienwohnung-wilmersdorf.de, 1 +ferienwohnungen-lastminute.de, 1 +ferienwohnungen-willingen.de, 1 +ferienwohnunglanger.de, 1 +ferieservice.dk, 1 +ferio-fuu.tk, 1 +ferlc.org, 1 +ferluxilluminazione.it, 1 +fermabel.com.br, 1 +fermanacuratampaparts.com, 1 +fermanaghomagh.com, 1 +fermani.ar, 1 +fermani.com.ar, 1 +fermastore.cf, 1 +fermastore.tk, 1 +fermateh.com.ua, 1 +fermemarineau.com, 1 +fermentcerealesbio.fr, 1 +fermenteana.com, 1 +fermier-mag.ro, 1 +fernandes.org, 1 +fernandezvilar.es, 1 +fernandoalonso.tk, 1 +fernandob.com, 1 +fernandobarata.pt, 1 +fernandobarillas.com, 1 +fernandolucas.info, 1 +fernandomiguel.net, 1 +fernandomorientes-zone.tk, 1 +fernandosuarez.cf, 1 +fernatura.tk, 1 +ferngas.de, 1 +fernheim.com.py, 1 +fernhowe.co.uk, 0 +fernland.com.au, 1 +fernvenue.com, 1 +fernweh.tk, 1 +ferociousmass.tk, 1 +feross.net, 1 +feross.org, 1 +ferozes.com.br, 1 +ferrada.org, 0 +ferrari.com, 1 +ferrariadvisor.it, 1 +ferrariale.tk, 1 +ferrarichat.fr, 1 +ferreh.com, 1 +ferreira.ovh, 1 +ferreirabordinhao.adv.br, 1 +ferreteriaferreiro.com, 1 +ferrets.tk, 1 +ferretslife.com, 1 +ferriday.gov, 1 +ferrikomm.de, 1 +ferrin.tk, 1 +ferrisfox.me, 1 +ferriswheelofficial.us, 1 +ferro-design.tk, 1 +ferrodata.de, 1 +ferrousmoon.com, 1 +ferrovial.com, 1 +ferrumformat.com, 1 +ferrybig.me, 1 +fersedo.mk, 1 +fersumalin.cf, 1 +fersumalin.ga, 1 +fersumalin.gq, 1 +fersumalin.ml, 1 +fersumalin.tk, 1 +ferticare.pt, 1 +fertile.fund, 1 +fertilityquick.ga, 1 +fertilityquickers.ga, 1 +fertilityquickest.ga, 1 +fertilityspace.io, 1 +fertilitytreatmentcenter.com, 1 +fertilizers.tk, 1 +ferwor.studio, 1 +ferydoonzandi.tk, 1 +fes.at, 1 +fescuesodsouthernindiana.com, 1 +feseev.ml, 1 +fesne.com, 1 +festaprylar.se, 1 +festar.tk, 1 +festasdosenhordocalvario.pt, 1 +festesuniversitaries.tk, 1 +festfabriken.se, 1 +festin.tk, 1 +festival-tipps.com, 1 +festival365.ml, 1 +festivalcarpark.com.au, 1 +festivaldays.tk, 1 +festivaldecinedemallorca.tk, 1 +festivaldelumieresgand.be, 1 +festivaldelumieresgand.com, 1 +festivaldimouamaroussiou.gr, 1 +festivalfumo.tk, 1 +festivalgourmet.com, 1 +festivaljapon.com, 1 +festivalplaza.com.au, 1 +festivalpopayan.tk, 1 +festivalsalmondeoro.tk, 1 +festivalsquare.com.au, 1 +festivalsrit.tk, 1 +festivaltower.au, 1 +festivaltower.com.au, 1 +festmaniastore.com.br, 1 +festo.net, 1 +festo.online, 1 +festrentcar.pl, 1 +festusmo.gov, 1 +festx.co.za, 1 +fetanbus.com, 1 +fetawerelddans.tk, 1 +fetchease.com, 1 +fetchmag.com, 1 +fetchmonitors.com, 1 +fetclips.se, 1 +fethtv.com, 1 +fetichedecaramelo.tk, 1 +fetih1453.tk, 1 +fetish-x.com, 1 +fetishbazar.cz, 1 +fetishblend.com, 1 +fetishvips.com, 1 +fetishzone.org, 1 +fetlife.com, 1 +fetlinks.ga, 1 +fettbrot.tk, 1 +fettings.com, 1 +feudalisten.de, 1 +feudaltactics.com, 1 +feuerhuhn.de, 1 +feuerloescher-test.de, 1 +feuerwehr-dachaufsetzer.de, 1 +feuerwehr-e-learning.de, 1 +feuerwehr-gebirge.de, 1 +feuerwehr-heiligenberg.de, 1 +feuerwehr-mehring.de, 1 +feuerwehr-offenbach-bieber.de, 0 +feuerwehr-solms.de, 1 +feuerwehr-vechta.de, 1 +feuerwerksmanufaktur.de, 1 +feuerwolke.spdns.de, 1 +feuetgloire.com, 0 +feurich.tk, 1 +fever.ch, 1 +fevo.us, 1 +fevolden.com, 1 +fewo-groden.de, 1 +fewo-hafeninsel-stralsund.de, 1 +fewo-thueringer-wald.de, 1 +fewo-wildrosenpfad.de, 1 +fewo.plus, 1 +fewo.reise, 1 +fewo32.de, 1 +fexopay.com, 1 +fey-web.tk, 1 +feyenoordrotterdam.tk, 1 +feyenoordsite.tk, 1 +feyenoordvakz.tk, 1 +fezbet.net, 1 +fezlee.com, 1 +ff-bg.xyz, 1 +ff-koenigstein-opf.de, 1 +ff-obersunzing-niedersunzing.de, 1 +ff-tostedt.de, 1 +ff15.ddns.net, 1 +ff326.com, 0 +ff5197.co, 1 +ff5g.com, 1 +ff6729.co, 1 +ff6729.com, 1 +ff6957.co, 1 +ff9297.co, 1 +ff9397.com, 1 +ff9728.co, 1 +ff976.com, 0 +ffaaa00.com, 1 +ffaaa11.com, 1 +ffaaa22.com, 1 +ffaaa33.com, 1 +ffaaa44.com, 1 +ffaaa55.com, 1 +ffaaa66.com, 1 +ffaaa77.com, 1 +ffaaa88.com, 1 +ffaaa99.com, 1 +ffamranteatime.com, 1 +ffb.gov, 1 +ffbans.org, 1 +ffbbb00.com, 1 +ffbbb11.com, 1 +ffbbb22.com, 1 +ffbbb33.com, 1 +ffbbb44.com, 1 +ffbbb55.com, 1 +ffbbb66.com, 1 +ffbbb77.com, 1 +ffbbb88.com, 1 +ffbbb99.com, 1 +ffbsee.net, 0 +ffc-gerlingen.de, 1 +ffccc00.com, 1 +ffccc11.com, 1 +ffccc22.com, 1 +ffccc33.com, 1 +ffccc44.com, 1 +ffccc55.com, 1 +ffccc66.com, 1 +ffccc88.com, 1 +ffccc99.com, 1 +ffddd00.com, 1 +ffddd11.com, 1 +ffddd22.com, 1 +ffddd33.com, 1 +ffddd44.com, 1 +ffddd55.com, 1 +ffddd66.com, 1 +ffddd77.com, 1 +ffddd88.com, 1 +ffddd99.com, 1 +ffeee00.com, 1 +ffeee11.com, 1 +ffeee22.com, 1 +ffeee33.com, 1 +ffeee44.com, 1 +ffeee55.com, 1 +ffeee66.com, 1 +ffeee77.com, 1 +ffeee88.com, 1 +ffeee99.com, 1 +fff-du.de, 1 +fff-musique.fr, 1 +fffaa00.com, 1 +fffaa11.com, 1 +fffaa22.com, 1 +fffaa33.com, 1 +fffaa44.com, 1 +fffaa55.com, 1 +fffaa66.com, 1 +fffaa77.com, 1 +fffaa88.com, 1 +fffaa99.com, 1 +fffbb00.com, 1 +fffbb11.com, 1 +fffbb22.com, 1 +fffbb33.com, 1 +fffbb44.com, 1 +fffbb55.com, 1 +fffbb66.com, 1 +fffbb77.com, 1 +fffbb88.com, 1 +fffbb99.com, 1 +fffbhv.de, 1 +fffcc00.com, 1 +fffcc11.com, 1 +fffcc22.com, 1 +fffcc33.com, 1 +fffcc44.com, 1 +fffcc55.com, 1 +fffcc66.com, 1 +fffcc77.com, 1 +fffcc88.com, 1 +fffcc99.com, 1 +fffdd00.com, 1 +fffdd11.com, 1 +fffdd22.com, 1 +fffdd33.com, 1 +fffdd44.com, 1 +fffdd55.com, 1 +fffdd66.com, 1 +fffdd77.com, 1 +fffdd88.com, 1 +fffdd99.com, 1 +fffdm.com, 1 +fffee00.com, 1 +fffee11.com, 1 +fffee22.com, 1 +fffee33.com, 1 +fffee44.com, 1 +fffee55.com, 1 +fffee66.com, 1 +fffee77.com, 1 +fffee88.com, 1 +fffee99.com, 1 +fffgg00.com, 1 +fffgg11.com, 1 +fffgg22.com, 1 +fffgg33.com, 1 +fffgg44.com, 1 +fffgg55.com, 1 +fffgg66.com, 1 +fffgg77.com, 1 +fffgg88.com, 1 +fffgg99.com, 1 +fffhh00.com, 1 +fffhh11.com, 1 +fffhh22.com, 1 +fffhh33.com, 1 +fffhh44.com, 1 +fffhh55.com, 1 +fffhh66.com, 1 +fffhh77.com, 1 +fffhh88.com, 1 +fffhh99.com, 1 +fffii00.com, 1 +fffii11.com, 1 +fffii22.com, 1 +fffii33.com, 1 +fffii44.com, 1 +fffii55.com, 1 +fffii66.com, 1 +fffii77.com, 1 +fffii88.com, 1 +fffii99.com, 1 +fffjj00.com, 1 +fffjj11.com, 1 +fffjj22.com, 1 +fffjj33.com, 1 +fffjj44.com, 1 +fffjj55.com, 1 +fffjj66.com, 1 +fffjj77.com, 1 +fffjj88.com, 1 +fffjj99.com, 1 +fffkk00.com, 1 +fffkk11.com, 1 +fffkk22.com, 1 +fffkk33.com, 1 +fffkk44.com, 1 +fffkk55.com, 1 +fffkk66.com, 1 +fffkk77.com, 1 +fffkk88.com, 1 +fffkk99.com, 1 +fffll00.com, 1 +fffll11.com, 1 +fffll22.com, 1 +fffll33.com, 1 +fffll44.com, 1 +fffll55.com, 1 +fffll66.com, 1 +fffll77.com, 1 +fffll88.com, 1 +fffll99.com, 1 +fffmm00.com, 1 +fffmm11.com, 1 +fffmm22.com, 1 +fffmm33.com, 1 +fffmm44.com, 1 +fffmm55.com, 1 +ffiec.gov, 1 +ffis.me, 0 +ffl123.com, 1 +fflone.com, 1 +ffmradio.de, 1 +ffmv.de, 1 +ffn-connect.de, 1 +ffnm.org, 1 +ffp-survey.com, 1 +ffprofile.com, 1 +ffrev.de, 1 +ffsociety.nl, 1 +fftech.se, 1 +fftechnology.pt, 0 +ffty2.com, 1 +ffw-zeven.de, 1 +ffwd-it.nl, 1 +ffxiv-eureka.com, 1 +ffxiv-tools.jp, 1 +ffzeven.de, 1 +fgdc.gov, 1 +fgeiger.dnshome.de, 1 +fggpay.com, 1 +fgidu.com, 1 +fgtsolutions.com, 1 +fgui.de, 1 +fh-apac.com, 1 +fh-chinese.com, 1 +fh-chn.com, 1 +fh-jituan.com, 1 +fh-photographie.art, 1 +fh-wechat.com, 1 +fh-x.de, 1 +fh-zh.com, 1 +fh.spb.ru, 1 +fh169.cc, 1 +fh6lfwyn.com, 1 +fh70.com, 0 +fhappcp.com, 1 +fhar.be, 1 +fharbe.com, 1 +fharbe.de, 1 +fharbe.net, 1 +fhasiacorp.com, 1 +fhasiacorporate.com, 1 +fhba.com.au, 1 +fhcdn.xyz, 1 +fhdhelp.de, 0 +fhdhilft.de, 0 +fhersoberanes.tk, 1 +fhfaoig.gov, 1 +fhfuhui.com, 1 +fhglobal-zh.com, 1 +fhglobal-zhs.com, 1 +fhglobalcn.com, 1 +fhgroup-chn.com, 1 +fhgroup-cn.com, 1 +fhgroup-zh.com, 1 +fhgroup-zhs.com, 1 +fhgroupcn.com, 1 +fhgroupzhs.com, 1 +fhi.nl, 1 +fhinds.co.uk, 1 +fhjituan-cn.com, 1 +fhjituan-zh.com, 1 +fhjituan-zhs.com, 1 +fhjituancn.com, 1 +fhjituanzhs.com, 1 +fhjt-apac.com, 1 +fhjt-zh.com, 1 +fhjtapac.com, 1 +fhjtchn.com, 1 +fhjtcn.com, 1 +fhjtglobal.com, 1 +fhjtzh.com, 1 +fhjtzhs.com, 1 +fhm.duckdns.org, 1 +fhmarkets.com, 1 +fhmkh.cn, 1 +fhome.ch, 1 +fhope.org, 1 +fhsseniormens.club, 1 +fhstation.com, 1 +fhstatus-chinese.com, 1 +fhtrader.com, 1 +fhv-waldhausen.de, 1 +fhwechat.com, 1 +fhzhs.com, 1 +fi.google.com, 1 +fi.se, 1 +fi.search.yahoo.com, 0 +fiam.me, 1 +fiamtorino.eu, 1 +fianna.tk, 1 +fianoromano.news, 1 +fiasgo.dk, 1 +fiataldivat.hu, 1 +fibank.bg, 1 +fiberoptikz.tk, 1 +fiberxl.com, 1 +fibery.io, 1 +fibo-forex.org, 1 +fibogroup.com, 1 +fibrasynormasdecolombia.com, 1 +fibraworks.com, 1 +fibrefly.co.uk, 1 +fibrenttech.co.za, 1 +fibretv.co.nz, 1 +fibretv.tv, 1 +fibroarrendacaseton.mx, 0 +fibromuebles.com, 1 +fibu.email, 1 +fibune.com, 1 +fibutest.de, 1 +fic.is, 1 +fichajes.com, 1 +fichier-pdf.fr, 0 +fickfreundinnen.net, 1 +fickweiler.nl, 1 +ficlab.com, 1 +fico.com, 1 +ficor.gov, 1 +fictionaltruths.com, 1 +ficus.io, 0 +fid-elite.ch, 0 +fidanza.eu, 1 +fiddle.to, 1 +fiddlesaw.com, 1 +fiddlestickstoys.com.au, 1 +fidelapp.com, 1 +fidelis-it.ch, 1 +fidelis-it.net, 1 +fidelitybank.com.gh, 1 +fidelityhomestead.com, 1 +fidelitysound.es, 1 +fidell.com.ua, 1 +fides.ch, 1 +fideschile.tk, 1 +fidesic.com, 0 +fidgetbox.co.uk, 1 +fidhouriet.ch, 1 +fidlar.com, 1 +fidmmuseum.org, 1 +fidoo.com, 1 +fiduciaire-ratio.ch, 0 +fiducoldex.com.co, 1 +fiedelaks-landbarf.de, 1 +fieggen.eu, 1 +fieggen.net, 1 +fieggen.social, 1 +fiekeoffringa.nl, 1 +fieldcrafts.com, 1 +fieldeffect.com, 1 +fieldsgynroboticsurgery.com, 1 +fieldworkbrewing.com, 1 +fiemmeimpianti.it, 1 +fienaliri.tk, 1 +fierman.eu, 0 +fierman.net, 0 +fierman.us, 0 +fierscleaning.nl, 1 +fiery.me, 0 +fieryaura.eu, 1 +fierykitchen.pl, 1 +fiesta-mk5-limited-edition.nl, 1 +fiestasalquezar.tk, 1 +fiet.cat, 1 +fietsambassade.be, 1 +fietsambassade.gent, 1 +fietsambassadegent.be, 1 +fietsennaarbarcelona.tk, 1 +fietsherstel.gent, 1 +fietsvakman.nl, 1 +fietsvierdaagsen.nl, 1 +fifaaddict.com, 1 +fifacup.ga, 1 +fifadimensions.tk, 1 +fifafans.tk, 1 +fifastars.tk, 1 +fifatournament.tk, 1 +fifaultimatemod.tk, 1 +fifauteam.com, 1 +fifehg.org.uk, 1 +fifemedicalgroup.co.uk, 1 +fiff.de, 0 +fifi.club, 1 +fifr.nl, 1 +fifthwall.com, 1 +fiftynorth.eu, 1 +fiftyseven.media, 1 +fiftyshadesofgreyfullmovie.ga, 1 +fiftyshadesofluca.ml, 1 +fig.ms, 1 +figaroparrucchiere.it, 1 +figbert.com, 1 +figbytes.biz, 1 +figbytes.com, 1 +fighribali.tk, 1 +fightape.cf, 1 +fightape.ga, 1 +fightape.gq, 1 +fightape.ml, 1 +fighter-planes.tk, 1 +fighting-turtle.tk, 1 +fightingshit.tk, 1 +fightingtigerbet888.com, 1 +fightsupplies.co.uk, 1 +figibi.com, 1 +figl.net, 1 +figliasons.com, 1 +figma.com, 1 +figmalover.com, 1 +figshare.com, 1 +figsrugbyleague.com.au, 1 +figura.cz, 1 +figuras.tk, 1 +figurasdelinguagem.com.br, 1 +figure.com, 1 +figure.nz, 1 +figuro.la, 0 +figuurzagers.nl, 0 +fihatest.ml, 1 +fiilr.com, 1 +fiix.io, 1 +fija.org, 1 +fijibutterflyfishcount.com, 1 +fijimarinas.com, 1 +fijiresortforsale.com, 1 +fijisharkcount.com, 1 +fijnefeestdageneneengelukkignieuwjaar.nl, 1 +fijnewoensdag.nl, 1 +fiken.no, 1 +fikirblog.net, 1 +fikirtasarim.net, 1 +fikong.com, 1 +fikrinet.tk, 1 +fikriwildannugraha.com, 1 +fiksem-it.nl, 1 +fil-tec-rixen.com, 1 +fil.fi, 0 +filamentia.nl, 1 +filanthropystar.org, 1 +filantropikum.com, 1 +filapanel.com, 1 +filaretihairlove.gr, 1 +filcosplay.tk, 1 +file-cloud.eu, 1 +file-recovery-mac.com, 1 +file.ac, 1 +file.doctor, 1 +file24.tk, 1 +filebox.one, 1 +filecopa.com, 1 +filedesc.com, 1 +filedoom.ml, 1 +filehash.de, 1 +filehippo.com, 1 +filehippo.jp, 1 +filehorsefile.com, 1 +fileio.io, 1 +filejo.com, 1 +filek.ga, 1 +fileon.com, 1 +fileplanet.com, 1 +fileport.io, 1 +filequit.xyz, 1 +files.com, 0 +files.from-me.org, 1 +files.to, 1 +filesense.com, 1 +fileservicios.com.ar, 1 +fileshare.party, 1 +filesharingshop.com, 1 +filesoup.io, 1 +filestar.io, 1 +filestartest.io, 1 +filetransfer.one, 1 +filezilla-project.org, 1 +filhodohomem.com, 1 +filhomes.ph, 1 +fili.com, 1 +filidorwiese.nl, 1 +filigrana.tk, 1 +filiio.com, 1 +filiotech.com, 1 +filiotech.pl, 1 +filip-prochazka.com, 0 +filipadamczak.com, 1 +filipi.no, 1 +filipinasdailynews.tk, 1 +filipinochinese.tk, 1 +filipinostaff.uk, 1 +filipn.cz, 1 +filippo.io, 1 +filippoberio.co.uk, 1 +filippodanesi.it, 0 +filipstaffa.net, 1 +filizaker.tk, 1 +filleritemsindia.com, 1 +fillmorecountyne.gov, 1 +fillmysuitca.se, 1 +fillo.com.tr, 1 +film-colleges.com, 1 +film-op-tv.nl, 1 +film-storyboards.com, 0 +film-storyboards.fr, 0 +film-tutorial.com, 1 +film.ru, 1 +filmarchiv-sachsen.de, 0 +filmatiporno.xxx, 1 +filmbabasi.net, 1 +filmbasar.com, 1 +filmbest.tk, 1 +filmcorner.tk, 1 +filmdates.co.uk, 1 +filme-onlines.com, 1 +filmedonstage.com, 1 +filmezzunk.hu, 1 +filmfestivalflix.com, 1 +filmfog.cf, 1 +filmfog.ga, 1 +filmimpact.com, 1 +filmisfun.com, 1 +filmisfun.net, 1 +filmizleindir.tk, 1 +filmkode.com, 1 +filmnet.pl, 1 +filmnetz.tk, 1 +filmoffice.pl, 1 +filmosliw.cf, 1 +filmotekaplus.pl, 1 +filmovka.pl, 1 +filmowanie-dronem.com.pl, 1 +filmphotograph.com, 1 +filmpornofrancais.fr, 1 +filmpronet.in, 1 +filmsearch.tk, 1 +filmserver.de, 1 +filmsidan.tk, 1 +filmsite-studio.com, 1 +filmsleague.com, 1 +filmtheaternieuwegein.tk, 1 +filmwallpapers.ml, 1 +filmyporno.net, 1 +filmzwesela.online, 1 +filobot.xyz, 1 +filokiralama.name.tr, 1 +filosofare.tk, 1 +filosofia.tk, 1 +filosofiskaeleonora.se, 1 +filpromer.com, 1 +filstop.com, 1 +filter-kiev.com, 1 +filterlists.com, 1 +filtershekanha.com, 1 +filthyapartmenters.ga, 1 +filthyapartmentest.ga, 1 +filtr.me, 1 +filworx.com, 1 +fimc-biodiversityportal.org, 1 +fimfiction.net, 1 +fimozin.ga, 1 +fimp.pt, 1 +fimsquad.com, 1 +fin-ware.ru, 1 +fin.ddns.net, 1 +fin.ee, 0 +fina-foxy.com, 1 +finagosolo.com, 1 +finaktiv.tk, 1 +final-expense-quotes.com, 1 +final-rest.co.uk, 1 +final-x.com, 1 +final.ac, 1 +finalashes.tk, 1 +finalesuperuser.com, 1 +finalfate.tk, 1 +finalfoursteam.tk, 1 +finalfourstream.tk, 1 +finalgambit.band, 1 +finalleopard.tk, 1 +finalmenteazul.pt, 1 +finalonline.tk, 1 +finalrewind.org, 1 +finaltouchmusic.net, 1 +finalweapon.net, 1 +finalworkdriesstef.tk, 1 +finalx.nl, 1 +finanalysis.com, 1 +finance-colleges.com, 1 +finance-consulting.ga, 1 +finance-devils.com, 1 +finance-equation.co.uk, 1 +finance-news.ga, 1 +financeaffiliateprograms.com, 1 +financecontrol.tk, 1 +financedepth.com, 1 +financedraft.com, 1 +financeforafrica.com, 1 +financeguest.com, 1 +financehindi.com, 1 +financeinterface.tk, 1 +financejobs.ch, 1 +financelong.com, 1 +financemagnates.com, 1 +financemain.com, 1 +financenews.tk, 1 +financepen.com, 1 +financeplush.com, 1 +financepre.com, 1 +financestead.com, 1 +financethrive.com, 1 +financetwenty.com, 1 +financewhile.com, 1 +financewithcromulent.com, 1 +financial-law.tk, 1 +financial-standby.de, 1 +financialfreedomaus.com, 1 +financialfrolicker.com, 1 +financialhost.org, 1 +financialmoveers.ga, 1 +financialmoveest.ga, 1 +financialnews.today, 1 +financialopticshq.com, 0 +financialplannerworld.com, 1 +financniexperti.sk, 1 +finansified.com, 1 +finansinspektionen.se, 1 +finanstilsynet.dk, 1 +finansy.tk, 1 +finanz-planer.net, 1 +finanzasydinero.com, 1 +finanzconsult.org, 1 +finanzen-az.com, 1 +finanzen-weblog.de, 1 +finanzierung-sofortzusage.de, 1 +finanztime.com, 1 +finanzwende-recherche.de, 1 +finaster.com.br, 1 +finax.eu, 1 +finbio.cf, 1 +fincabank.kg, 1 +fincafresh.is, 1 +fincarebank.com, 0 +fincas-ruiz.com, 1 +fincent.xyz, 1 +finch.am, 1 +finch.ga, 1 +finchkeeper.com, 1 +finchnest.co.uk, 1 +finchtechie.com, 1 +fincities.tk, 1 +find-mba.com, 1 +findahero.com.au, 1 +findairconditioningers.ga, 1 +findairconditioningest.ga, 1 +findallgames.com, 1 +findanengineer.com, 1 +findapinball.com, 1 +findautoloan.ml, 1 +findbalancedliving.com, 1 +findcanary.com, 1 +findcbdoilnearme.com, 1 +findcep.com, 0 +finddecisionsest.ga, 1 +findedeinencoach.net, 1 +findelahistoria.com, 1 +finder.bike, 1 +findete.tk, 1 +findeth.io, 1 +findheim.at, 0 +findhow.org, 1 +findingawesome.com, 1 +findinggenius.com, 1 +findingimagesers.ga, 1 +findingimagesest.ga, 1 +findingkorea.com, 0 +findingneverlandthemusical.com, 1 +findings.co, 1 +findingtheuniverse.com, 1 +findingturkeyers.ga, 1 +finditez.com, 1 +findlayohio.gov, 1 +findlimitsers.ga, 1 +findlocalproduce.co.uk, 1 +findmail.ga, 1 +findmassmoney.gov, 1 +findme.partners, 1 +findmentalhealth.co.uk, 1 +findmespot.com, 1 +findmybottleshop.com.au, 1 +findmycare.ca, 1 +findmyfamily.org, 1 +findmytricks.com, 0 +findnhmoney.gov, 1 +findolino.at, 1 +findoon.de, 1 +findoutlyrics.com, 1 +findprivateinvestor.com, 1 +findrejsepartner.dk, 1 +findsalmonest.ga, 1 +findscan.me, 1 +findschool.ge, 1 +findsingledating.ml, 1 +findstorenearme.ca, 1 +findstorenearme.co.uk, 1 +findstorenearme.us, 1 +findsupport.gov, 1 +findthatnude.com, 1 +findthere.net, 1 +findtrain.tk, 1 +findtreatment.gov, 1 +findwell.be, 1 +findyour.diet, 1 +findyourdreams.tk, 1 +findyouridealpartner.com, 1 +findyourstores.com, 1 +findyourvoice.ca, 1 +fine-services.paris, 1 +fineartbead.de, 1 +fineartbyjames.co.uk, 1 +fineartofguitar.com, 1 +finecocoin.io, 1 +finecraft.cc, 1 +finefriends.nl, 1 +finefriendsapp.com, 1 +finehealth.ru, 0 +finehomesource.com, 1 +finelineaestheticstx.com, 0 +finenet.com.tw, 1 +fineshare.tk, 1 +finesio.sk, 1 +finesoon.net, 1 +finessedentalrancho.com, 1 +finestblingers.ga, 1 +finestblingest.ga, 1 +finestrabatalera.tk, 1 +finestreview.cf, 1 +finet.se, 1 +finex.by, 1 +finexity.com, 1 +finexo.ch, 1 +finfleet.id, 1 +finfocus.today, 1 +finform.ch, 1 +finfowe.com, 1 +fingerlakesgaming.com, 1 +fingerprint.com, 0 +fingerprintjs.com, 1 +fingerscrossed.style, 1 +fingertight.ga, 1 +finhelp.ga, 1 +fini-de-jouer.ch, 0 +finicity.com, 1 +finilaviolence.gc.ca, 1 +finion.com, 1 +finishingpasteers.ga, 1 +finishingpasteest.ga, 1 +finishmaster.com, 1 +finisron.in, 1 +finkelstein.fr, 1 +finlandcook.online, 1 +finlandcook.top, 1 +finlaylloyd.com, 1 +finlib.in, 1 +finlito.tk, 1 +finliz.com, 1 +finmozg.ru, 1 +finn-svoboda.cf, 1 +finn-thorben.me, 1 +finn.io, 1 +finnclass.cz, 1 +finndel.no, 1 +finnhjelpemidler.no, 1 +finnishclothing.tk, 1 +finnishconsulting.com, 1 +finnjumping.tk, 1 +finnkupongkoder.no, 1 +finnwea.com, 0 +finom.co, 1 +finovate.com, 1 +finpomosh.gq, 1 +finprison.net, 1 +finpt.com, 0 +finqk.nl, 1 +finqueslaromanica.com, 1 +finr.fr, 1 +fins.money, 1 +finscan.com, 1 +finsecurity.eu, 1 +finsight.com, 1 +finsprings.org, 1 +finst.com, 1 +finstererlebnis.de, 1 +fintechaccelerate.com, 1 +finteo.de, 1 +fintracker.ca, 1 +fintry.ca, 0 +finturio.de, 1 +finvantage.com, 1 +finvantive.com, 1 +finvantive.nl, 1 +finverse.com, 1 +finwarriors.tk, 1 +finwe.info, 1 +finzy.com, 1 +fionahengartner.ch, 1 +fionamcbride.com, 1 +fionna.io, 1 +fiore31.fr, 1 +fiorellaweddings.com, 1 +fiorenzaperfumhome.com.br, 1 +fioriepiante.info, 1 +fioristionline.it, 1 +fioristionline.net, 1 +fiosgenomics.com, 1 +fioulmarket.fr, 1 +fipackaging.com, 1 +fiphfp.fr, 1 +fipo.life, 1 +fipq.tk, 1 +fir.ch, 1 +firatcakir.com.tr, 1 +firatnews.com, 1 +firatofm.tk, 1 +firaun.tk, 1 +firc.de, 1 +fire, 1 +fire-eyes.tk, 1 +fire-places.tk, 1 +fire-schools.com, 1 +fire-science-schools.com, 1 +firealarms.gq, 1 +fireballsteven.tk, 1 +firebaseio.com, 1 +firebirdrangecookers.com, 1 +firebounty.com, 1 +fireboxfood.com, 1 +firebrandchurch.com, 1 +firecask.com, 1 +firechip.cc, 1 +firecity.tk, 1 +firecore.com, 1 +firecry.org, 1 +firedemons.tk, 1 +firedo.de, 1 +firedup4success.com, 1 +fireeye.tk, 1 +firefart.at, 0 +firefense.com, 1 +firefightergarage.com, 1 +fireflygatlinburg.com, 1 +fireglow.de, 1 +fireinthedeep.com, 1 +fireintheholevideos.tk, 1 +fireleadership.gov, 1 +firelinkshrine.xyz, 1 +firemail.de, 1 +firemaker.tk, 1 +firenews.cf, 1 +firenza.org, 1 +firenzetoday.it, 1 +fireoakstrategies.com, 1 +fireperformerstoronto.com, 1 +fireplacerepairlasvegas.com, 1 +fireplex.co.uk, 1 +fireportal.cz, 1 +fireportal.sk, 1 +fireradio.tk, 1 +firerain.me, 1 +fireservicerota.co.uk, 1 +fireshellsecurity.team, 1 +firesofheaven.org, 1 +firesolutionsinc.com, 1 +firestart.tk, 1 +firestarter.fi, 1 +firestickhacks.com, 1 +firestuff.org, 1 +firetotheprisons.org, 1 +firetrunk.com, 1 +fireurboss.tk, 1 +firevap.org, 1 +firewall.net.za, 1 +firewallremoval.cf, 1 +firewallremovalers.ga, 1 +fireware.tk, 1 +fireworksshowvr.com, 1 +firexarxa.de, 1 +firexfly.com, 1 +firexp.tk, 1 +firingsquad.tk, 1 +firma-cerny.cz, 1 +firma-offshore.com, 1 +firmador.cloud, 1 +firmador.online, 1 +firmaet.com, 1 +firmajulegaver.dk, 1 +firmale.com, 1 +firmament.space, 1 +firmament.tk, 1 +firmanali.com, 1 +firmant.me, 1 +firmapi.com, 1 +firmennie-crossovki.tk, 1 +firmenwerbung-vermarktung.de, 1 +firmfoundationsconsulting.com, 0 +firmkernel.tk, 1 +firmware.science, 1 +firobe.fr, 1 +firouz.tk, 1 +firsov.gq, 1 +first-aid-kit.net, 0 +first-house.no, 1 +first-hyp.de, 1 +first-legion.eu, 1 +first-money.tk, 1 +first-ns.com, 0 +first-time-offender.com, 1 +first-wishes.com, 1 +first.org, 1 +first4it.com, 1 +firstbankkansas.com, 1 +firstbaptistchurchofchrist.org, 1 +firstbooks.ml, 1 +firstbus.co.uk, 1 +firstcallnc.com, 1 +firstcapitalfcu.com, 1 +firstcentralsavings.com, 1 +firstchoicebouncycastlehire.co.uk, 1 +firstchoicefriseur.at, 1 +firstchoicejunkservice.com, 1 +firstchurchmn.org, 1 +firstcitizensbank.com, 1 +firstclass.com.kh, 1 +firstclasscastles.com, 1 +firstclassleisure.co.uk, 1 +firstclassnuisance.tk, 1 +firstclinic.tk, 1 +firstcoastsir.com, 1 +firstcoastteaco.com, 1 +firstcolonyengraving.com, 1 +firstcommunity.com, 1 +firstcontact.cf, 1 +firstdent.ro, 1 +firstdry.com.br, 1 +firstechpayments.com, 0 +firstfinanceit.com, 1 +firstfinca.de, 1 +firstgov.gov, 1 +firstgradeframeofmind.com, 1 +firstimpressionsecuritydoors.com, 1 +firstlab.com, 1 +firstlayout.net, 1 +firstlegal.group, 1 +firstlightfusion.com, 1 +firstlightinspirations.tk, 1 +firstload.tk, 1 +firstmall.de, 1 +firstmarket.tech, 1 +firstname.tk, 1 +firstnet.gov, 1 +firstnetwork.cf, 1 +firstnetworksouth.com, 1 +firstorion.com, 1 +firstperformance.ro, 1 +firstphilec.com, 1 +firstplace.ga, 1 +firstq.xyz, 1 +firstqa.com, 1 +firstresponder.gov, 1 +firstserviceplumbing.com, 1 +firstshowing.net, 1 +firstsiteguide.tk, 1 +firsttimer.tk, 1 +firsttimeround.tk, 1 +firsttimeshopperers.ga, 1 +firsttimeshopperest.ga, 1 +firstup.io, 1 +firstversionist.com, 1 +firstwebring.tk, 1 +firstwordpharma.com, 1 +firthidaho.gov, 1 +firtreetechnology.co.uk, 1 +fis.io, 1 +fisa.net.za, 1 +fiscalidadresiduos.org, 1 +fiscalitatresidus.org, 1 +fischbacher-reisebuero.de, 1 +fischer-group.com, 1 +fischer-immoteam.de, 1 +fischer-its.com, 0 +fischer-kundendienst.de, 1 +fischer-programmierung.ch, 0 +fischer-wasels-medizin.de, 1 +fischerfutureheat.de, 1 +fischerp.net, 1 +fischers.srv.br, 1 +fischersports.com, 1 +fisciences.com, 1 +fiscoeconti.it, 1 +fish-hook.ru, 1 +fish-n-chips.uk, 1 +fish.lgbt, 1 +fish2.me, 1 +fish24.bg, 1 +fishbattle.io, 1 +fishbattle.net, 1 +fishbrain.com, 1 +fishcorp.dk, 1 +fishergo.ml, 1 +fishergo.tk, 1 +fishermailbox.net, 1 +fisherman-union.ml, 1 +fishermansbend.apartments, 1 +fishermansbendcorporation.com.au, 1 +fishermansbendtownhouses.com.au, 1 +fishersin.gov, 1 +fishfive.top, 1 +fishgen.no, 1 +fishingworld.tk, 1 +fishingzone.bg, 1 +fishlanestudios.com, 1 +fishman.idv.tw, 1 +fishoftheday.tv, 1 +fishoilsafety.com, 1 +fishport.cloud, 1 +fishserver.net, 1 +fishtacos.blog, 1 +fishtank.ga, 1 +fishycam.com, 1 +fishygames.ml, 1 +fishyscans.tk, 1 +fishystuff.cf, 1 +fisinfomanagerdr.com, 1 +fisio-clinics.com, 1 +fisiobox.eu, 1 +fisiodomiciliargoiania.com.br, 1 +fisionutri.com.br, 1 +fisioterapia-online.com, 1 +fisioterapiaalquimia.com, 1 +fisioterapialanchares.com, 1 +fisioterapista.roma.it, 1 +fisiotohome.com, 1 +fiskelures.se, 1 +fission.moe, 1 +fistingtogether.com, 1 +fisvo.org, 0 +fit-4u.ch, 0 +fit-mit-nina.com, 1 +fit-mit-system.eu, 1 +fit-portal.ru, 1 +fit365.jp, 0 +fit81.com, 1 +fit81.it, 1 +fitandfightrijswijk.nl, 1 +fitanu.com, 1 +fitas.store, 1 +fitasdobonfim.com, 1 +fitawakening.co.uk, 1 +fitbase.cf, 1 +fitbase.fitness, 1 +fitbizcpa.org, 1 +fitbodyestetica.com.br, 1 +fitbylo.com, 1 +fitcamp.fitness, 1 +fitch.group, 1 +fitchannel.com, 1 +fitchconnect-stg.com, 1 +fitchconnect.com, 1 +fitchpeople.nl, 1 +fitcoachion.com, 1 +fitcrewhn.com, 1 +fitculator.com, 1 +fite.family, 0 +fitecleaningservices.com, 1 +fitekin.com, 1 +fitequilibrio.com.br, 1 +fiteveryday.co.uk, 1 +fitflaop.ga, 1 +fitfocusau.com.au, 1 +fitfoodfab.nl, 1 +fitfoodrecipe.com, 1 +fitikafo.com, 1 +fitint.ro, 1 +fitlinewellnesscoach.com, 1 +fitmommyinheels.com, 1 +fitmybike.eu, 0 +fitness-challenge.co.uk, 1 +fitness-world.ga, 1 +fitness.edu.au, 1 +fitness.gov, 1 +fitnessbenefit.com, 1 +fitnessbest.com, 1 +fitnessbond.com, 1 +fitnessfoodguide.com, 1 +fitnesshaber.com, 1 +fitnessimage.com.au, 1 +fitnesskarate.club, 1 +fitnessmaus.com, 1 +fitnessplanet.best, 1 +fitnessstudio-website.de, 1 +fitnesstotal.com.br, 1 +fitnesstrainer-website.de, 1 +fitnessunder50.com, 1 +fitnessup.fr, 1 +fitnessupay.com, 1 +fitnessupreme.com, 1 +fitnessvocab.com, 1 +fitnessvolt.com, 1 +fitnetion.com, 1 +fitnhot.com, 1 +fitnur.com, 1 +fitnutkatie.com, 1 +fitnutricode.pt, 1 +fito.tk, 1 +fitodifesa.it, 1 +fitotovar.ru, 1 +fitpass.co.in, 1 +fitrecepty.info, 1 +fitspo.net, 1 +fitspring.com, 1 +fittelo.cz, 1 +fittherapy.biz, 0 +fitxxxsandy.net, 1 +fitzsim.org, 1 +fiu.ee, 0 +fius.de, 1 +five.sh, 1 +fiveboosts.xyz, 1 +fivecrm.com, 1 +fivefortheroad.com, 1 +fivegraces.com, 1 +fiveminute.tk, 1 +fivemm.shop, 1 +fivemods.io, 1 +fivepb.me, 1 +fivepedia.tk, 1 +fiveslice.pizza, 1 +fivestar.et, 1 +fivestartrader.com, 1 +fivetecnologia.com, 1 +fivethirtyeight.com, 1 +fiveyearsahead.com, 1 +fix-boredom.ml, 1 +fix-css.com, 1 +fix-ru.ga, 1 +fix-the-timeline.com, 1 +fix-the-timeline.org, 1 +fix.mk, 1 +fixedfeeplacements.co.uk, 1 +fixedgear.tk, 1 +fixedmatch.bet, 1 +fixedtoday.com.au, 1 +fixerra.tech, 1 +fixfd.com, 1 +fixfix.ch, 1 +fixfm.tk, 1 +fixforce.nl, 1 +fixi.dk, 1 +fiximage.net, 1 +fixingscrews.co.uk, 1 +fixmobile.online, 1 +fixmyalarmpanel.co.uk, 1 +fixmyglitch.com, 1 +fixodent-fr-fr-swapper.azurewebsites.net, 1 +fixodent.fr, 1 +fixorg.ru, 1 +fixpart.de, 1 +fixpart.nl, 1 +fixpix.gq, 1 +fixplusflex.de, 1 +fixpoint.co.at, 1 +fixpoint.systems, 1 +fixthetimeline.com, 1 +fixthetimeline.org, 1 +fixturemundial.com, 1 +fixupx.com, 1 +fixverkaufen.de, 1 +fixville.co, 1 +fiyatgrafik.com, 1 +fiyatinedir.net, 1 +fizadvocaten.nl, 1 +fizeau.com, 1 +fiziktedavi.name.tr, 1 +fizjo-strefa.com, 1 +fizjonell.pl, 1 +fizjoterapia.uk, 1 +fizjourogeek.pl, 1 +fizmiks.lv, 1 +fizmix.lv, 1 +fizyonetistanbul.com, 1 +fizyoterapi.name.tr, 1 +fizz.buzz, 1 +fizz.cloud, 1 +fizz.space, 1 +fizz.studio, 1 +fizz.systems, 1 +fizz.team, 1 +fizz.technology, 1 +fizz.tools, 1 +fizz.zone, 1 +fizzcharts.com, 1 +fizzcompetitions.com, 1 +fizzcoronationstreetdied.cf, 1 +fizzcreativemedia.com, 1 +fizzpopmedia.com, 1 +fizzstudio.org, 1 +fj.je, 1 +fj.search.yahoo.com, 0 +fjallbackacamping.se, 1 +fjallconnections.com, 1 +fjant.tk, 1 +fjco.alsace, 1 +fjerhammer.dk, 1 +fjharcu.com, 1 +fjkl.uk, 1 +fjnuacm.top, 1 +fjordboge.dk, 1 +fjordenpaard.tk, 1 +fjordtorsk.se, 1 +fjsb.com, 1 +fjugstad.com, 1 +fjzone.org, 1 +fkaoi.net, 1 +fkbae.to, 1 +fkcdn.de, 1 +fkfev.de, 1 +fkgfw.men, 1 +fklegal.com, 1 +fkmt-server.net, 1 +fkosquad.moe, 1 +fktpm.ru, 1 +fl-ad.com, 1 +fl-catering.ru, 1 +fl.ru, 1 +fl3xx.com, 1 +flabacinov.ga, 1 +flabutelov.tk, 1 +flacandmp3.ml, 1 +flacon.tk, 1 +flacsoandes.edu.ec, 1 +fladnag.net, 1 +flaeskeklubben.dk, 1 +flaeskeklubben.eu, 1 +flagburningworld.com, 1 +flagcdn.com, 1 +flagfox.net, 1 +flaggorvarlden.se, 1 +flaggrimsby.co.uk, 1 +flagi-panstw.pl, 1 +flagipanstw.info.pl, 1 +flagipanstw.pl, 1 +flagistrany.ru, 1 +flaglercounty.gov, 1 +flaglerelections.gov, 1 +flaglermosquito.gov, 1 +flagma-no.com, 1 +flagma.biz.tr, 1 +flagma.by, 1 +flagma.de, 1 +flagma.es, 1 +flagma.hu, 1 +flagma.pl, 1 +flagma.ua, 1 +flagma.uz, 1 +flagpedia.asia, 1 +flagpedia.net, 1 +flagriculture.gov, 1 +flagspot.net, 0 +flagstone-magazin.ro, 0 +flagthis.com, 1 +flagyl-500-mg.ga, 1 +flair.nl, 1 +flaite.com, 1 +flakytest.com, 1 +flam.studio, 1 +flaman-h7a.fr, 1 +flamehaze.tk, 1 +flamencoexplained.com, 0 +flamencoshoes.tk, 1 +flamengopi.tk, 1 +flamentecnic.tk, 1 +flameofthoughts.tk, 1 +flameport.com, 1 +flamer-scene.com, 0 +flamet.eu, 0 +flameviper.tk, 1 +flamingcow.tv, 1 +flaminggorgefireandems.gov, 1 +flamingkeys.com, 1 +flamingogroup.vn, 1 +flamingoroute.tk, 1 +flamingowomenspavilion.com, 1 +flamme-von-anor.de, 1 +flammy.tk, 1 +flamoes.be, 1 +flamtky.de, 1 +flana.com, 1 +flanadot.com, 1 +flanagan.tk, 1 +flanderslaw.com, 1 +flandersmake.be, 1 +flanga.io, 0 +flanigan.tk, 1 +flapoverspeed.com, 1 +flapperistic.tk, 1 +flare.cloud, 1 +flareian.com, 1 +flaretechnologies.io, 1 +flarewalker.com, 1 +flarewalker.eu, 1 +flarewalker.net, 1 +flarewalker.org, 1 +flareweb.it, 1 +flart.studio, 1 +flart.tk, 1 +flarumtr.com, 1 +flasaki.gr, 1 +flash-games.tk, 1 +flash.homes, 1 +flashback.org, 1 +flashbackband.tk, 1 +flashbeat.tk, 1 +flashcardsmobile.com, 1 +flashcover.com.br, 1 +flasheschile.tk, 1 +flashgamedev.tk, 1 +flashgamesplayer.com, 1 +flashgot.net, 1 +flashigra.tk, 1 +flashingblinkylights.com, 1 +flashissue.com, 1 +flashkeysers.ga, 1 +flashlearners.com, 1 +flashlightchart.com, 1 +flashpegasus.com.br, 1 +flashscores.tk, 1 +flashset.tk, 1 +flashuk.com, 1 +flassetlocators.com, 1 +flaszka.com, 1 +flat-cdn.com, 1 +flat-embed.com, 1 +flat-tire.biz, 1 +flat.io, 1 +flatart.pl, 1 +flatbellyreview.com, 1 +flatbook.one, 1 +flatcast.tk, 1 +flatcoated.tk, 1 +flatheadelectric.com, 1 +flathome.co.jp, 1 +flaticons.net, 1 +flatlandchurch.com, 0 +flatmail.net, 1 +flatmail.pl, 1 +flatmatehub.com.au, 1 +flatpackmates.co.uk, 1 +flatplanet.tk, 1 +flatrate.com, 0 +flatreviews.co.nz, 1 +flatrooms-chiemgau.de, 1 +flatsomestudio.ir, 1 +flatsurfers.eu, 1 +flattie.cz, 1 +flatwoodsky.gov, 1 +flauschig.net, 1 +flavelappliances.com, 1 +flaviao.com, 1 +flavinha.tk, 1 +flavinus.fr, 1 +flaviu.co.uk, 1 +flavo.io, 1 +flavorblogers.ga, 1 +flavorblogest.ga, 1 +flawed.world, 1 +flawedworld.com, 1 +flawless-gaming.tk, 1 +flawlesscowboy.xyz, 1 +flawlessly.tk, 1 +flawlessweddings.nl, 1 +flayla.tk, 1 +flblog.top, 0 +flcatering.com, 1 +flcgil.it, 1 +flcma.gov, 1 +flcourts.gov, 1 +flcttn.com, 1 +fldjj.gov, 1 +fldsmdfr.nl, 1 +flealab.it, 1 +flechatec.net.br, 0 +fleche-ardennaise.be, 1 +flect.net, 1 +fleeb.xyz, 1 +fleep.io, 1 +fleeps.co, 0 +fleesty.dynv6.net, 1 +fleet-group.com, 1 +fleet-search.com, 1 +fleet.gov, 1 +fleetcomplete.com, 1 +fleetcor.at, 1 +fleetcor.ch, 1 +fleetcor.cz, 1 +fleetcor.de, 1 +fleetcor.fr, 1 +fleetcor.hu, 1 +fleetcor.lu, 1 +fleetcor.nl, 1 +fleetcor.pl, 1 +fleetcor.sk, 1 +fleetcorcards.be, 1 +fleetlinkatlascopco.com, 1 +fleetofhope.tk, 1 +fleetsmith.com, 1 +fleetssl.com, 1 +fleettools.tk, 1 +fleetyards.net, 1 +flehm.de, 1 +fleisch.club, 1 +fleischkaes.de, 1 +fleki.hu, 1 +flemberg.com, 1 +fleming.de, 1 +flemingmccullagh.com, 1 +flemingtonaudiparts.com, 1 +flemishopelclub.tk, 1 +flens.dance, 1 +flensburg-hilft-flensburg.de, 1 +flerstourisme.fr, 1 +fleshtone.tk, 1 +fleshwound.tk, 1 +fletcherdigital.com, 1 +fletcherdoescrime.com, 1 +fletchmusic.tk, 1 +fletchto99.com, 1 +fletesymudanzasbaratas.com, 1 +flets-ms.com, 1 +fleurdelune.it, 1 +fleurenplume.fr, 1 +fleurette.me, 1 +fleuriste-cannes.fr, 1 +fleuromance.ga, 1 +fleursdesoleil.fr, 0 +fleursdujour.ph, 1 +fleuryfleury.com, 1 +flevoland.nl, 1 +flex-one.fr, 1 +flex1solutions.com, 1 +flexalert.org, 1 +flexapplications.se, 1 +flexartsocial.com, 1 +flexbpo.com.br, 1 +flexcube.ch, 1 +flexdesign.fr, 1 +flexdrukker.nl, 1 +flexforcemonkey.com, 1 +flexgs.ca, 1 +flexgs.net, 1 +flexhyp.de, 1 +flexi-dance.pl, 1 +flexiblenetflow.com, 1 +flexibsd.com, 1 +flexicano.nl, 1 +flexicurity.tk, 1 +fleximus.org, 0 +flexingpro.com, 1 +flexinsurance.com.au, 1 +flexinvesting.fi, 0 +flexirobes.com.au, 1 +flexitanq.es, 0 +flexman.tk, 1 +flexmedia.tk, 1 +flexopus.com, 1 +flexphonesest.ga, 1 +flexpoint.com.br, 1 +flexport.com, 1 +flexsocialbox.com, 1 +flexsuplementos.com.br, 1 +flextrades.com, 1 +flextribly.xyz, 1 +flextudo.com, 1 +flextyp.com, 1 +flextypes.com, 1 +flexundfix.de, 1 +flexve.com, 1 +flexworkhero.de, 1 +flfl.de, 1 +flgaming.gov, 1 +flhealthcharts.gov, 1 +fliacuello.com.ar, 1 +flibanserina.com, 1 +flicerdowneh.cf, 1 +flickcritter.com, 1 +flickdirect.com, 1 +flicke.red, 1 +flickingercenter.com, 1 +flickor.tk, 1 +flicks2click.com, 1 +flie.co.jp, 1 +flieger-funk-runde.de, 1 +fliesen-waldschmidt.de, 1 +flight.school, 1 +flightacademy-memmingen.com, 1 +flightairport.com, 1 +flightcheapfares.com, 1 +flightdiary.cf, 1 +flightdiary.ga, 1 +flightdiary.gq, 1 +flightfrankfurt.com, 1 +flighthonolulu.com, 1 +flightjackets.tk, 1 +flightrights.gov, 1 +flightscarhire.com, 1 +flightschoolbooking.com, 1 +flightschoolcandidates.gov, 1 +flightschoolxxi.com, 1 +flightstimes.com, 1 +flightstoheathrow.com, 1 +flightti.com, 1 +flightticketsto.com, 1 +flightzero.cf, 1 +fliino.com, 1 +fliino.eu, 1 +fliino.info, 1 +fliino.net, 1 +fliino.org, 1 +flikmsg.co, 1 +flimnet.tk, 1 +flinch.io, 1 +fling.dating, 1 +flingflong.com, 1 +flinny.org, 1 +flintavenue.com, 1 +flintstones.tk, 1 +flip-flop.tk, 1 +flip.kim, 1 +flip.lease, 1 +flipflop.rs, 1 +flipin.ga, 1 +flipmusic.tk, 1 +flipneus.net, 1 +flipnhotdeals.com, 1 +flipos.be, 0 +flipperkast.tk, 1 +flippers-leuven.be, 1 +flipphotography.ga, 1 +flipping.land, 0 +flipsidevr.com, 1 +flipsnack.com, 1 +fliptable.org, 1 +flipthescripts.org, 1 +flipweb.tk, 1 +flirt-norden.de, 1 +flirtbox.tk, 1 +flirtee.net, 1 +flirtitup.com, 1 +flirtline.tk, 1 +flirtlu.com, 1 +flirtlu.net, 0 +flirtlu.org, 1 +flirtportalcheck24.de, 1 +flirty.tk, 1 +flixcheck.com, 1 +flixcheck.de, 1 +flixcost.com, 1 +flixed.io, 1 +flixflex.tk, 1 +flixone.com, 1 +flixpatrol.com, 1 +flixports.com, 1 +flixstats.com, 1 +flmedicaidmanagedcare.com, 1 +floart.tk, 1 +floatapp.com, 1 +floatationlocations.com, 1 +floaternet.com, 1 +floatifnghotel.cf, 1 +floatifnghotel.ga, 1 +floatifnghotel.tk, 1 +flockbox.club, 1 +flocktofedora.org, 1 +floersheimer-openair.de, 1 +floffi.media, 1 +flofr.gov, 1 +floify.com, 1 +floir.gov, 1 +floj.tech, 1 +flokinet.is, 1 +flokinet.social, 1 +flokinet.to, 1 +flokkr.com, 1 +floline.fr, 1 +flom.fi, 1 +flomax385.tk, 1 +flomedia.pl, 1 +flomeyer.de, 1 +floneo.fr, 1 +flonharmonymassage.space, 1 +floobits.com, 1 +floodboss.ml, 1 +flooddoctorva.com, 1 +floodguypro.com, 1 +floodheroessaltlakecity.com, 1 +floodsmart.gov, 1 +floogulinc.com, 1 +flooood.tk, 1 +floor3.co.uk, 1 +floorballphilippines.tk, 1 +floorhoursers.ga, 1 +floorhoursest.ga, 1 +flooringbidest.ga, 1 +flooringnightmares.com, 1 +flooringsourcetx.com, 1 +floors4lessbay.com, 1 +floort.net, 1 +floosak.co, 1 +flooz.trade, 0 +flop.tk, 1 +floppa.com.br, 1 +floppomoppo.ml, 1 +floppy.tk, 1 +flora-nova.tk, 1 +floraclick.net, 1 +florademurcia.tk, 1 +floraexpress.it, 1 +florafaunafavourites.co.uk, 1 +floragarden.tk, 1 +florahospitality.com, 1 +floralin.se, 1 +floralworkshopsers.ga, 1 +floranext.com, 1 +florante.com, 1 +florasite.tk, 1 +florausa.net, 0 +floravan.com, 1 +floravino.de, 1 +florealatelier.com, 1 +florebrasil.com.br, 1 +floreg.com, 1 +florence.com.tr, 1 +florencecountywi.gov, 1 +florenceutilitieswi.gov, 1 +florencewi.gov, 1 +florenciaextrema.tk, 1 +florenciasabio.com, 1 +florent-tatard.fr, 1 +floresastrid.tk, 1 +floresdocesfloricultura.com.br, 1 +floresgioiellishop.com, 1 +floresvilleedc.org, 0 +florevit.com, 1 +florhamparknj.gov, 1 +floria.online, 1 +florian-bachelet.fr, 1 +florian-knorn.com, 1 +florian-puschmann.de, 1 +florian-thie.de, 1 +florian2833z.de, 1 +florianartisans.com, 1 +florianbecker.it, 1 +florianbouchet.fr, 1 +floriankarmen.com, 1 +florianmitrea.uk, 1 +florianschmitt.ca, 1 +florianschmitt.tech, 1 +florianstroeger.com, 1 +florianstroeger.tk, 1 +floriantanner.ch, 1 +florianysantiago.com, 1 +floricultura24h.com.br, 1 +florida-estetica.com, 1 +florida-online.tk, 1 +florida-prep.org, 1 +floridaagriculture.gov, 1 +floridabrightfutures.gov, 1 +floridaconsumerhelp.gov, 1 +floridados.gov, 1 +floridaethics.gov, 1 +floridafabrication.net, 1 +floridafieros.org, 1 +floridafx.gov, 1 +floridahealthcareconnections.gov, 1 +floridaimigracao.com, 1 +floridaindependent.com, 1 +floridalegion.org, 1 +floridaplasticsurgery.com, 1 +floridapowermanagement.com, 1 +floridarrc.com, 1 +floridasexhealth.com, 1 +floridastadium.ga, 1 +floridastadiumers.ga, 1 +floridastadiumest.ga, 1 +floridastatefair.com, 1 +floridastatefair.net, 1 +floridastatefairag.com, 1 +floridastatefairauthority.com, 1 +floridasturnpike.com, 1 +floridaweightlossdoctors.com, 1 +floriebriand.com, 0 +floriimorii.tk, 1 +floris.tk, 1 +florisbrunet.com, 1 +florismouwen.com, 1 +florismouwen.nl, 1 +floristavirtual.com.br, 1 +floristeriayasmina.com, 1 +florisvdk.net, 1 +florix.tk, 1 +florlola.com, 1 +florp.social, 1 +flortal.de, 1 +floseed.fr, 1 +flossexanten.de, 1 +flosuretechnologies.com, 1 +floth.at, 1 +flothost.com, 1 +flothow.com, 1 +flourishdx.com, 1 +flourishgrazingevents.co.uk, 1 +flourishtogether.com, 1 +flow-serv.com, 1 +flow.su, 1 +flowair24.ru, 1 +flowalizer.com, 1 +flowalyzer.com, 1 +flowauditor.com, 1 +flowbuk.me, 1 +flowbyjonascaldeira.com, 1 +flowcount.xyz, 1 +flowcrypt.com, 1 +flowdise.com, 1 +flower5.org, 1 +flowercare.tk, 1 +flowercityflavor.com, 0 +flowerdelivery.tk, 1 +flowerdesign.tk, 1 +flowerhub.com.au, 1 +flowermound.gov, 1 +flowerpassword.com, 1 +flowerpictures.tk, 1 +flowers-city.com.ua, 0 +flowers-shops.tk, 1 +flowers.sumy.ua, 1 +flowers2moscow.com, 1 +flowersbylegacy.com, 1 +flowerscaffe.com, 1 +flowersquito.com, 1 +flowerstateest.ga, 1 +flowerstopetersburg.com, 1 +flowerstoukraine.com, 1 +flowerstver.ru, 1 +flowerwholesale.com, 1 +flowfest.com, 1 +flowgate.net, 1 +flowgo.tk, 1 +flowhcm.com, 1 +flowheater.net, 1 +flowhopper.com, 1 +flowinformer.com, 1 +flowingdata.com, 1 +flowinity.com, 1 +flowinity.eu.org, 1 +flowinity.host, 1 +flowinvoice.com, 1 +flowio.cz, 1 +flowith.io, 1 +flowlytics.host, 1 +flowmagazine.com, 1 +flowmagazine.nl, 1 +flownonfiction.com, 1 +flownty.com, 1 +flowoodpolice.gov, 1 +flowreplicator.com, 1 +flowsave-staging.nl, 1 +flowsave.nl, 1 +flowscale.com, 1 +flowstars.tk, 1 +flowstateyoga.com.au, 1 +flowstudios.com, 1 +flowtex.tk, 1 +floydcountyga.gov, 1 +floydcova.gov, 1 +floydsofleadville.com, 1 +floyt.com, 1 +flp-pushkar.info, 1 +flpd.gov, 1 +flpd6.gov, 1 +flra.gov, 1 +flsa6.gov, 1 +flsbanners.com, 1 +flslawyer.com, 1 +flst.link, 1 +flstaging.cloud, 1 +flubio.de, 1 +flubiostudios.com, 1 +flubiostudios.de, 1 +fluconazole.gq, 1 +fluencytech.com, 1 +fluentos.com, 1 +fluessiggas.de, 1 +fluff.im, 1 +fluffycat.ga, 1 +fluffycloud.de, 1 +fluggesellschaft.de, 1 +flughafenairport.com, 1 +fluglektuere.com, 1 +flugplatz-edvc.de, 1 +flugplatzmanager.de, 1 +flugrueckerstattung.de, 1 +flugsimulatorfrankfurt.com, 1 +fluidattacks.co, 1 +fluidattacks.com, 1 +fluidbb.co.uk, 1 +fluidpicturesinc.com, 1 +fluids.ac.uk, 1 +fluidsignal.com, 1 +fluig.com, 1 +fluitbeurt.nl, 1 +flukestar.tk, 1 +flumble.nl, 1 +flunschi.goip.de, 1 +fluoxetin.ga, 1 +fluoxetin.gq, 1 +fluoxetin.tk, 1 +fluoxetine.ml, 1 +fluoxetine.net, 1 +fluoxetine2.ru, 1 +flushlife.com, 1 +flusszs.tk, 1 +fluteandpianoteaching.co.uk, 1 +flutterappdev.com, 1 +flutterfactory.io, 1 +fluxforge.com, 1 +fluxi.fi, 1 +fluxnet.tk, 1 +fluxo.space, 1 +fluxoid.com, 1 +flvs.net, 0 +flvyingeagle.ga, 1 +flws.cl, 1 +fly, 1 +fly-fjends.dk, 1 +fly.moe, 1 +flyantvirtual.tk, 1 +flyavantar.com, 1 +flyawayart.tk, 1 +flyawaybirds.ga, 1 +flybar.tk, 1 +flybis.net, 1 +flyboarder.tk, 1 +flyboyfpv.com, 1 +flybyjunkhaulers.com, 0 +flydoc.org, 1 +flyer-homes.com, 1 +flyer.tools, 1 +flyer1stg.wpenginepowered.com, 1 +flyerdatabase.tk, 1 +flyerim.com, 1 +flyfifer.co.uk, 1 +flyforpoints.com, 1 +flyforsinkelse.dk, 1 +flyforsinkelser.no, 1 +flygexpo.tk, 1 +flygforsening.se, 1 +flygon.pink, 1 +flygplanering.se, 1 +flyhealthy.gov, 1 +flying-angels.tk, 1 +flying-dudes.de, 1 +flying-press.com, 1 +flyingangels.cf, 1 +flyingbasicsest.ga, 1 +flyingcolours.tk, 1 +flyingdoggy.net, 1 +flyingdreamers.com, 1 +flyingdutchman.tk, 1 +flyinghelpline.com, 1 +flyinghigh.tk, 1 +flyinglions.tk, 1 +flyingmonkeys.tk, 1 +flyingpackets.net, 1 +flyingpotatoes.tk, 1 +flyingspaghettimonsterdonationsfund.nl, 1 +flyingtutorsers.ga, 1 +flylcpa.gov, 1 +flylvia.com, 1 +flymns.fr, 1 +flymsy.com, 1 +flyn43.com, 1 +flynn.io, 1 +flynnhub.com, 1 +flynowpaylater.com, 1 +flyp.me, 1 +flypenge.dk, 1 +flyplay.com, 1 +flypuntoazul.gq, 1 +flyserver.co.il, 1 +flyspace.ga, 1 +flyspace.ml, 1 +flyssh.net, 1 +flyswoop.com, 1 +flyt.online, 1 +flytedek.com, 1 +flythecopter.tk, 1 +flytoadventures.com, 1 +flytrap.in, 1 +flyupture.com, 1 +flywind.ml, 1 +flyxll.com, 1 +flyzold.com, 1 +flyzone.tk, 1 +flyzoomattzir.com, 1 +fm-digitize.de, 1 +fm-online.tk, 1 +fm-panel.tk, 1 +fm.ie, 1 +fmamfg.org, 1 +fmanet.org, 1 +fmarchal.fr, 1 +fmbfirefl.gov, 1 +fmbilder.se, 1 +fmbonline.com, 1 +fmc.gov, 1 +fmc.hk, 1 +fmcs.gov, 1 +fmcsa.fr, 1 +fmfp.eu, 1 +fmi.gov, 1 +fminsight.net, 1 +fmjansen.com, 1 +fmjd64.com, 1 +fmjd64.org, 1 +fmlife.tk, 1 +fmm-creative.com, 1 +fmn.nl, 1 +fmo.ca, 0 +fmorales.com, 0 +fmorales.com.ni, 0 +fmpilot2.com, 1 +fmportal.biz, 1 +fmpuertomadero.cf, 1 +fmsforestry.com, 1 +fmslovakia.com, 1 +fmstr.ml, 0 +fmt-live.de, 1 +fmussatmd.com, 1 +fnacdarty.com, 1 +fnbava.com, 1 +fnbofks.com, 1 +fnbot.shop, 1 +fnckfashion.com, 1 +fndho.ca, 1 +fndout.com, 1 +fneon.eu, 1 +fnerk.org, 1 +fnet.gr, 1 +fnet.org, 1 +fnews.tk, 1 +fnfmods.net, 1 +fnka.de, 1 +fnkr.net, 1 +fnlcontent.nl, 1 +fno.cz, 1 +fnof.ch, 1 +fnordserver.eu, 1 +fnpro.eu, 1 +fnpvenues.com, 1 +fnrs.nl, 1 +fnscatania.tk, 1 +fnwiki.com, 1 +fnz.com, 1 +foair.me, 0 +foamfortress.tk, 1 +foard.biz, 1 +foard.us, 1 +fob-china-moscow.ru, 1 +fob-china.ru, 1 +fob-india.ru, 1 +fob-iran.ru, 1 +focalforest.com, 1 +focalpoint.tk, 1 +focanamoda.com.br, 1 +focanocliente.com.br, 1 +focored.com, 1 +focus2career.com, 0 +focus2move.com, 1 +focusbet-api.com, 1 +focusbet.cc, 1 +focusbet.io, 1 +focuscomic.com, 1 +focusdemolition.com.au, 1 +focusgroup.tk, 1 +focushm.com, 1 +focusministries1.org, 1 +focusnews.in, 1 +focusoptimization.com, 1 +focusphotobooths.com, 1 +focusphotography.net, 1 +focusproductions.tk, 1 +focustec.tk, 1 +focusti.com.br, 1 +focustuningclub.tk, 1 +focuswales.com, 1 +fodder.ga, 1 +foehl.de, 1 +foej-aktiv.de, 1 +foej.net, 1 +foepwned.com, 1 +foerderverein-horrheim.de, 1 +foerderverein-rimsg.de, 1 +fof-clan.tk, 1 +foggi.cf, 1 +foggi.ml, 1 +foggiatoday.it, 1 +fognini-depablo.eu, 1 +fogu.com, 1 +foguest.com.br, 1 +fogway.net, 1 +fogworldn.com, 1 +foi.se, 1 +foiaonline.gov, 1 +foilhat.tk, 1 +foixet.com, 1 +fojing.com, 1 +fojt.cz, 1 +fojtova.cz, 1 +fojtovi.cz, 1 +fok.nl, 1 +fokan.be, 1 +fokan.ch, 1 +fokep.no, 1 +fokos.de, 0 +fokus.ag, 1 +fol.tf, 1 +folar.ga, 1 +folclore.tk, 1 +foldcle.com, 1 +foldertips.com, 1 +foldnfly.com, 1 +folf.codes, 1 +foliencenter24.com, 1 +folife.nl, 1 +folio.no, 1 +foljeton.dk, 0 +folk.as, 1 +folk.tk, 1 +folkdance.tk, 1 +folkfests.org, 1 +folkmusicworld.com, 1 +folkofolk.se, 1 +folkperu.tk, 1 +folkrace.tk, 1 +folktalerecords.tk, 1 +folktellers.tk, 1 +folkweb.net, 1 +follandviolins.com, 1 +follow-the-leader.tk, 1 +follower98.ir, 1 +followgrown.com, 1 +followlearning.com, 1 +followme.com, 1 +followmystaff.com, 1 +followpharma.com, 1 +followsbuy.com, 1 +followthatpage.com, 1 +followthecult.de, 1 +followtheevidence.me, 1 +followthepin.com, 1 +follygardens.com, 1 +folszyb.pl, 1 +foluomeng.net, 1 +folwark.krakow.pl, 1 +folwia.pl, 1 +folxhealth.com, 1 +foma.ru, 1 +foma.tk, 1 +fomo.af, 1 +fomo.exposed, 1 +fomo.trading, 1 +fomobremen.info, 1 +fomopop.com, 1 +foncorbeta.com, 1 +fondation-afnic.fr, 1 +fondation-vinci.com, 1 +fondationdesterritoires.org, 1 +fondationgus.com, 1 +fondationo2.ch, 0 +fondationwiggli.ch, 1 +fondbaikal.ml, 1 +fonds-dieter.be, 1 +fondy.ua, 1 +fondzee.cz, 1 +foneapk.com, 1 +fonga.ch, 1 +fonix.tk, 1 +fonkongres.cz, 1 +fonline.tk, 1 +fono.jp, 0 +fonrouge.tk, 1 +fonseguin.ca, 1 +fontainebleau.tk, 1 +fontanaca.gov, 1 +fontawesome.com, 1 +fonte-trading.com, 1 +fontein.de, 1 +fontela.es, 1 +fontenelegroup.com, 1 +fontnegar.ir, 1 +fontocean.com, 1 +fontplus.jp, 1 +fonts4free.net, 1 +fontsinuse.com, 1 +fontstand.com, 1 +fonzone.it, 0 +foo, 1 +foo.fo, 1 +foo.hamburg, 1 +food4healthybones.com, 1 +food4me.in, 1 +foodadaptive.ga, 1 +foodafter.ga, 1 +foodagenda.ga, 1 +foodanchor.ga, 1 +foodandseeds.com, 1 +foodarrow.ga, 1 +foodatlantic.ga, 1 +foodattitude.ch, 0 +foodauthority.ga, 1 +foodavatar.ga, 1 +foodbad.ga, 1 +foodbeast.ga, 1 +foodblod.ga, 1 +foodbody.ga, 1 +foodbounce.ga, 1 +foodboy.com, 1 +foodbrowse.ga, 1 +foodbrowser.ga, 1 +foodbuddies.ga, 1 +foodbuller.ga, 1 +foodcamel.ga, 1 +foodcaster.ga, 1 +foodcheaper.ga, 1 +foodcheapest.ga, 1 +foodclearance.ga, 1 +foodclient.ga, 1 +foodclub.lv, 1 +foodcollections.ga, 1 +foodcollector.ga, 1 +foodcorporation.ga, 1 +foodcourier.ga, 1 +foodcowgirls.com, 1 +foodcrafter.ga, 1 +foodcreativity.ga, 1 +foodcrystal.ga, 1 +foodculinaryusa.tk, 1 +foodcupcake.ga, 1 +foodcurious.ga, 1 +fooddeliverypartners.cz, 1 +fooddeliverypartners.online, 1 +fooddivine.ga, 1 +fooddodge.ga, 1 +fooddollar.ga, 1 +fooddollars.ga, 1 +fooddowntown.ga, 1 +foodeastbay.ga, 1 +foodecono.ga, 1 +foodepic.ga, 1 +foodescrow.ga, 1 +foodev.de, 1 +foodexcel.ga, 1 +foodfalcon.ga, 1 +foodfeature.ga, 1 +foodfirefriends.com, 1 +foodflower.ga, 1 +foodfriek.nl, 1 +foodgecko.ga, 1 +foodglamour.ga, 1 +foodglory.ga, 1 +foodgoddess.ga, 1 +foodgratis.ga, 1 +foodgroove.ga, 1 +foodgrow.ga, 1 +foodguerilla.ga, 1 +foodguerrilla.ga, 1 +foodhandy.ga, 1 +foodhotrod.ga, 1 +foodhusky.ga, 1 +foodieso.com, 1 +foodintergrity.ga, 1 +foodiron.ga, 1 +foodiron.tk, 1 +foodjoker.ga, 1 +foodkayak.ga, 1 +foodlast.ga, 1 +foodless.ga, 1 +foodlicious.ml, 1 +foodlightning.ga, 1 +foodlimited.ga, 1 +foodlist.net, 1 +foodloader.net, 1 +foodlobers.com, 1 +foodloco.ga, 1 +foodlover.restaurant, 1 +foodlucky.ga, 1 +foodmatche.ga, 1 +foodmeasure.ga, 1 +foodmillions.ga, 1 +foodminer.ga, 1 +foodnachos.com, 1 +foodnations.ga, 1 +foodnature.ga, 1 +foodnature.tk, 1 +foodnight.ga, 1 +foodo.cz, 1 +foodoffline.ga, 1 +foodomega.ga, 1 +foodonbook.com, 1 +foodoneday.ga, 1 +foodopplis.ga, 1 +foodoriginal.ga, 1 +foodother.ga, 1 +foodouter.ga, 1 +foodovernight.ga, 1 +foodpart.ga, 1 +foodpearl.ga, 1 +foodpermanent.ga, 1 +foodplatinum.ga, 1 +foodplum.ga, 1 +foodpresident.ga, 1 +foodprestige.ga, 1 +foodpronto.ga, 1 +foodquantum.ga, 1 +foodrainforest.ga, 1 +foodrapid.ga, 1 +foodrates.ga, 1 +foodremarkable.ga, 1 +foodrex.ga, 1 +foodrhino.ga, 1 +foodrings.ga, 1 +foodrips.com, 1 +foods.pe, 1 +foodsafety.gov, 1 +foodsafetyjobs.gov, 1 +foodsafetyworkinggroup.gov, 1 +foodsavers.gent, 1 +foodsaversgent.be, 1 +foodsedona.ga, 1 +foodseurope.com, 1 +foodshuffle.ga, 1 +foodsignature.ga, 1 +foodsilk.ga, 1 +foodsleuth.ga, 1 +foodsoldier.ga, 1 +foodsonic.ga, 1 +foodsoul.pro, 1 +foodsparkle.ga, 1 +foodsplash.ga, 1 +foodspring.co.uk, 1 +foodspring.de, 1 +foodspring.es, 1 +foodspring.fr, 1 +foodspring.it, 1 +foodsreborn.com, 1 +foodsunflower.ga, 1 +foodsuperhero.ga, 1 +foodsupplyiq.com, 1 +foodsurprise.ga, 1 +foodsurreal.ga, 1 +foodsustain.ga, 1 +foodtable.at, 1 +foodtimeline.org, 1 +foodtrekker.tk, 1 +foodtruck.ai, 1 +foodtruckconnections.com, 1 +foodtrucksnorthwest.com, 1 +foodtummy.com, 1 +foodurban.ga, 1 +foodusa.cf, 1 +foodusa.ga, 1 +foodusa.gq, 1 +foodverde.ga, 1 +foodwaterfront.ga, 1 +foodwidget.ga, 1 +foodwish.ga, 1 +foodyankee.ga, 1 +foodzpace.com, 1 +foogle.cf, 1 +fooishbar.org, 0 +fool.im, 1 +fooladi.tk, 1 +foolip.org, 1 +foolproofcomics.tk, 1 +foonly.fi, 1 +foorack.com, 1 +fooster.io, 1 +foot-direct.com, 1 +foot.fr, 1 +foot2rue.tk, 1 +foot4live.com, 1 +footasse.com, 1 +football-news.gq, 1 +football-world.tk, 1 +footballcelebrationsers.ga, 1 +footballexpress.co.uk, 1 +footballforum.de, 1 +footballfoundation.org.uk, 1 +footballmessi.tk, 1 +footballnews.net, 1 +footballrussia.cf, 1 +footballscores.ga, 1 +footballsrit.tk, 1 +footballtips.tk, 1 +footbolka.tk, 1 +footbolki.ml, 1 +footchronique.tk, 1 +footdoctorpodiatristnyc.com, 1 +footloose.co.uk, 1 +footmercato.net, 1 +footparisien.com, 1 +footstepsinthegambia.com, 1 +foottube.com, 1 +footvillewi.gov, 1 +footwear-catalogue.tk, 1 +footytalk.tk, 1 +for-testing.tk, 1 +for.care, 1 +for.gd, 1 +forabrokenrobot.tk, 1 +forallgifts.com, 1 +forat.tk, 1 +foray-jero.me, 1 +foraz.tk, 1 +forberedt.no, 1 +forbes.com, 1 +forbeser.com, 1 +forbiddenhistory.info, 1 +forbiddenshelf.com, 1 +forbole.com, 1 +forcamp.ga, 1 +force-shadow.tk, 1 +force-unleashed.com, 1 +force-unleashed.de, 1 +force-user-content.com, 1 +force.com, 1 +force4racing.co.uk, 1 +force4racing.com, 1 +forcebasements.com, 1 +forcecompanies.com, 1 +forcelink.eu, 1 +forcelink.nl, 1 +forcelinkamerica.com, 1 +forcelinkamerica.nl, 1 +forcemasonry.net, 1 +forcemasonryinc.com, 1 +forcemat.fr, 0 +forcenet.gov.au, 1 +forces.army, 1 +forceusercontent.com, 1 +forcewaterproofing.com, 1 +forchildren.tk, 1 +ford-mustang.tk, 1 +ford-shop.by, 1 +fordeetv.com, 1 +fordlibrarymuseum.gov, 1 +fordpartsgiant.com, 1 +fordpartsprime.com, 1 +fordsbranch.church, 1 +fordservicetraining.com, 1 +fordshop.by, 0 +fordtrac.com.br, 1 +foreammatti.fi, 1 +forecastapp.net, 1 +forecastcity.com, 1 +foreclosurecitiesers.ga, 1 +foredata.fi, 1 +forefront.dental, 1 +forefrontcloud.com, 1 +foreign-language-colleges.com, 1 +foreignaffairsmotorsports.com, 1 +foreignassistance.gov, 1 +foremail.tk, 1 +foreningssparbanken.se, 1 +forenschmiede.tk, 1 +forensic-system.com, 0 +forensicpsychologyedu.org, 1 +forensicpsychologyonline.com, 1 +forensicsciencecentral.tk, 1 +forensicsinfo.ga, 1 +forensicsinfoest.ga, 1 +forensischepsychiatrie.tk, 1 +forers.com, 1 +foresdon.jp, 1 +foresightbusinessservices.co.uk, 1 +foresite.com, 1 +forest-cl.com, 1 +forest-remote-control.com, 1 +forest-soft.xyz, 1 +forestairllc.com, 1 +forestcermegresik.com, 1 +forestcountypa.gov, 1 +forestdeclaration.org, 1 +forestersfriendlysociety.co.uk, 1 +foresthaven.tk, 1 +forestparkga.gov, 1 +forestraven.net, 1 +forestsprings.com.au, 1 +forestsystems.com, 1 +foresttownrcwi.gov, 1 +forestvets.com, 1 +forever.gq, 1 +foreverbreak.com, 1 +forevercollage.com, 1 +foreverpontiac.com, 1 +foreverreem.com, 1 +foreverssl.com, 1 +forevertoday.nl, 1 +foreverydream.com, 1 +forewordreviews.com, 1 +forex-arabia.tk, 1 +forex-trading-tutorial.tk, 1 +forex-up.cf, 1 +forex.ee, 1 +forexbrokerinspect.com, 1 +forexchef.de, 1 +forexcity.cf, 1 +forexcomreview.co, 1 +forexee.com, 1 +forexexchange.tk, 1 +forexhistorydata.com, 1 +forexinthai.com, 0 +forexlive.com, 1 +forexmarketsm.tk, 1 +forexnew.org, 1 +forexpattern.tk, 1 +forexplay.com, 1 +forextickler.com, 1 +forexwine.com, 1 +forexworld.cf, 1 +forfeit.ga, 1 +forfeiture.gov, 1 +forfortcollins.com, 1 +forfunssake.co.uk, 1 +forge.cn, 1 +forge.my.id, 1 +forgeary.com, 1 +forgemedia.io, 1 +forgetfulmomma.com, 1 +forgetme.ga, 1 +forgetme.gq, 1 +forgetme.tk, 1 +forgetmenot.care, 1 +forgetwp.com, 1 +forgive.com.tw, 1 +forgivemefather.com, 1 +forgottenho.me, 1 +forgottenrealms.tk, 1 +forgottenworld.it, 1 +forhealth.org, 1 +forhims.co.uk, 1 +forhosting.nl, 1 +forix.agency, 1 +forixcommerce.com, 1 +forixecommerce.com, 1 +forixseo.com, 1 +fork-portal.ml, 1 +forkfeeds.com, 1 +forkknifeswoon.com, 1 +forklift.name.tr, 1 +forklifttire.com, 1 +forksales.com, 1 +forkurd.ml, 1 +forlitoday.it, 1 +form100.de, 1 +formador.tk, 1 +formafantasma.com, 1 +formalgrammar.tk, 1 +formalistgallery.com, 1 +formality.de, 1 +formality.one, 0 +forman.store, 1 +formand.ru, 1 +formapi.io, 1 +formassembly.com, 1 +format-paysage.ch, 0 +format.ua, 1 +formation-assureur.com, 1 +formation-astro.com, 1 +formation-colmar.tk, 1 +formation-commissaire-justice.fr, 1 +formation-cqp-ssiap-paris.fr, 1 +formation-iade.tk, 1 +formation-intergeneration.com, 1 +formation-russe-paris.com, 1 +formation.ai, 1 +formation.tech, 1 +formationaumagnetisme.fr, 1 +formatmydoc.co.nz, 1 +formforger.com, 1 +formhub.ru, 1 +formi9.com, 1 +formidium.com, 1 +formingequipment.tk, 1 +formini.dz, 1 +formio.nl, 1 +formodernkids.com, 1 +formommiesbymommy.com, 1 +formopinionest.ga, 1 +formotherrussia.tk, 1 +forms.gov, 1 +formsbyair.com, 1 +formsite.com, 1 +formsmarts.com, 1 +formsmarts.net, 1 +formue.com, 1 +formula-busines.ru, 1 +formula-ot.ru, 1 +formula.cf, 1 +formulacionquimica.com, 1 +formulasguimaraes.com, 1 +formulastudent.de, 1 +formulaveevictoria.com.au, 1 +formup.com.pl, 1 +formworkcontractorssydney.com, 1 +fornarisandres.com, 1 +fornata.it, 1 +fornaxmall.com, 1 +fornoreason.net.au, 1 +foro-coopfuture.tk, 1 +foro.io, 0 +foroaranda.com, 1 +forocachacero.tk, 1 +forocbmollet.tk, 1 +forocio.tk, 1 +forocoches.com, 1 +forocristiano.tk, 1 +forodebanfield.tk, 1 +forodieta.com, 0 +foroenguera.tk, 1 +forojovensanfernando.tk, 1 +forologikidilosi.com.gr, 1 +foromasters.tk, 1 +foropl.com, 0 +forosdelmisterio.tk, 1 +forourselves.com, 1 +forowarhammer.tk, 1 +forrestheller.com, 1 +forrestwalkbarbershop.com.au, 1 +forrettabarinn.is, 1 +forro.berlin, 1 +forro.info, 1 +forsaken.tk, 1 +forsakenplanet.tk, 1 +forsakenstoners.tk, 1 +forsakringsarkivet.se, 1 +forsaleacameras.tk, 1 +forsaleelectronics.tk, 1 +forsaleinedmonton.ca, 1 +forsat.ga, 1 +forsbenin.org, 1 +forschbach-janssen.de, 1 +forsetinncafe.is, 1 +forsi.xyz, 0 +forskolin.gq, 1 +forstbetrieb-hennecke.de, 1 +forstprodukte.de, 1 +forsure.tk, 1 +forsvarsmakten.se, 1 +forsyth.cc, 1 +forsythco.com, 1 +forsythcountync.gov, 1 +forsythmo.gov, 1 +forsyththeatre.com, 1 +fort.eu, 1 +fortabletoys.com, 1 +fortatkinsonia.gov, 1 +fortatkinsonwi.gov, 1 +fortawesome.org, 1 +fortbendisd.gov, 1 +fortcommunity.com, 1 +fortdeposital.gov, 1 +fortdodgeradio.com, 1 +fortebet.rw, 1 +fortebet.ug, 1 +fortepiano.tk, 1 +fortesanshop.it, 1 +forthenrycustomknives.com, 1 +forthvalleykeswick.co.uk, 1 +fortifydiy.com, 1 +fortigate.es, 1 +fortipartner.co.uk, 1 +fortipartner.com, 1 +fortipartner.dk, 1 +fortipartner.net, 1 +fortipartner.nl, 1 +fortipartner.pl, 1 +fortipartner.se, 1 +fortipartner.uk, 1 +fortisadhesives.com.au, 1 +fortknoxster.com, 1 +fortlauderdaleaircharter.com, 1 +fortmatic.com, 1 +fortnet.online, 1 +fortnightlyofeugene.org, 1 +fortnitedb.com, 1 +fortnitemagic.ga, 1 +fortoglethorpega.gov, 1 +fortress.no, 1 +fortress.sk, 1 +fortresslinux.com, 1 +fortresslinux.nl, 1 +fortresslinux.org, 1 +fortricks.in, 1 +fortuna-apotheke-lahnstein.de, 1 +fortuna-loessnitz.de, 1 +fortuna-s.com, 1 +fortunabuilders.tk, 1 +fortunacigarettes.tk, 1 +fortunahamburg.tk, 1 +fortune-healing.com, 1 +fortunebazar.tk, 1 +fortuneinvestments.ga, 1 +fortunenames.ga, 1 +fortunenamesers.ga, 1 +fortunenamesest.ga, 1 +fortunetireusa.com, 1 +fortwinn.gov, 1 +forty-two.ml, 1 +forty.sh, 1 +forty8creates.com, 1 +fortycreekwhisky.com, 1 +fortygordy.com, 1 +fortytwo.cloud, 1 +fortytwo.tk, 1 +forum-4.de, 1 +forum-batteries.com, 1 +forum-egypte.tk, 1 +forum-expert.tk, 1 +forum-gilee.cf, 1 +forum-goszakaz.ru, 1 +forum-kinozal-tv.appspot.com, 1 +forum-mercury.tk, 1 +forum-noginska.tk, 1 +forum-reklamowe.cf, 1 +forum-tutorapide.ml, 1 +forum-tw.tk, 1 +forum-washington.tk, 1 +forum24.ml, 1 +forumblanes.tk, 1 +forumblockchain.com.br, 1 +forumcarriocity.tk, 1 +forumchiase.com, 1 +forumcondominio.it, 1 +forumconstruire.com, 1 +forumdabeleza.com.br, 1 +forumderelacionamento.com.br, 1 +forumdimo.fr, 1 +forumfeeers.ga, 1 +forumfi.com, 1 +forumhsbm.tk, 1 +forumhub.org, 1 +forumirc.net, 1 +forumistudentore.tk, 1 +forumix.tk, 1 +forummobile.com.br, 1 +forumoff.com, 1 +forumofld.in, 1 +forumotion.cf, 1 +forumotomobil.com, 0 +forumpakistan.tk, 1 +forumpenaguru.com, 1 +forumrowerowe.org, 1 +forums4everyone.tk, 1 +forumsampdoria.tk, 1 +forumsaudedigital.com.br, 1 +forumsearch.tk, 1 +forumsig.net, 1 +forumsrussia.ga, 1 +forumtruthest.ga, 1 +forumtv.pro, 1 +forumvardbyggnad.se, 1 +forve.cf, 1 +forward-fly-fishing.ch, 0 +forward-proxy.email, 1 +forward.lc, 1 +forwardemail.net, 1 +forwardfever.tk, 1 +forwardfinancingest.ga, 1 +forwardkredit.de, 1 +forwardtogether.org, 1 +foryoumer.com, 1 +foryourhealthybody.com, 1 +forza-milan.tk, 1 +forzasette.tk, 1 +fos-apps.org, 1 +foscamcanada.com, 1 +fosdem.org, 1 +foselectro.ru, 1 +fosgreece.com, 1 +foshanshequ.com, 0 +fossagarrafoni.tk, 1 +fossbots.org, 1 +fossboxen.com, 1 +fossboxen.net, 1 +fossboxen.org, 1 +fossewayflowers.co.uk, 1 +fossewayflowers.com, 1 +fossildlp.com, 1 +foster.ga, 1 +fosteringconsultant.com, 1 +fosters.ky, 1 +fosterwiki.com, 1 +fotbal-dubina.tk, 1 +fotbalclubcaracal.tk, 1 +foter.tk, 1 +fotikpro.ru, 1 +foto-bilder.ch, 1 +foto-forum.tk, 1 +foto-gallery.tk, 1 +foto-huwi.ch, 1 +foto-janvanaefst.nl, 1 +foto-leitner.com, 1 +foto-leitner.de, 1 +foto-na-doc.ru, 1 +foto-robitsch.at, 1 +foto-roma.ru, 1 +foto-verslui.lt, 1 +foto-znakomstva.ml, 1 +foto.by, 1 +foto.com, 1 +fotoallerlei.com, 1 +fotoatis.biz, 1 +fotoballon.com, 1 +fotoblog.nrw, 1 +fotobodyart.nl, 1 +fotobrinke.de, 1 +fotochip.tk, 1 +fotocoach.pl, 1 +fotocopiatrici.roma.it, 1 +fotofaerie.net, 1 +fotofast.tk, 1 +fotoflits.net, 1 +fotofofftein.de, 0 +fotofon.tk, 1 +fotofreunde-telegram.eu, 1 +fotograf-mario.de, 1 +fotograf-website.de, 1 +fotografechristha.nl, 1 +fotografessa.pl, 1 +fotografiadellalucerossa.com, 1 +fotografiamakro.pl, 1 +fotografiarte.com.es, 1 +fotografies.tk, 1 +fotografija.tk, 1 +fotografoivanalmeida.com.br, 1 +fotografy-help.de, 1 +fotohiking.com, 1 +fotohome.dk, 1 +fotokorner.com, 1 +fotokurskalmar.se, 1 +fotolectura.tk, 1 +fotoleitner.com, 1 +fotoleitner.de, 1 +fotomodel.cf, 1 +fotomodels.tk, 1 +fotomonza.com, 1 +fotontechnik.pl, 1 +fotonza.ru, 1 +fotoobraznaplatne.sk, 1 +fotopalacedigitalstudio.tk, 1 +fotopro.tk, 1 +fotorecull.tk, 1 +fotoshoot.org, 1 +fotosquares.com, 1 +fotostravestisbr.com, 1 +fotostrobo.ch, 1 +fotostudio-leitner.com, 1 +fotostudio-leitner.de, 1 +fotostudio-schweiz.ch, 1 +fotostudiobasic.tk, 1 +fotosubmarina.tk, 1 +fotosyeventos.es, 1 +fototjansterkalmar.se, 1 +fototutorial.tk, 1 +fotovsibiri.ml, 1 +fotowand.ml, 1 +fotowettbewerb.co, 0 +fotowolfy.com, 1 +fotozakazka.cz, 1 +fotozone.tk, 1 +fotp.com, 1 +fotrino.com, 1 +foucheplumbers.com, 1 +foudufafa.de, 0 +fougereettralala.fr, 1 +fougner.co, 1 +foulabook.com, 1 +found.com, 1 +found.website, 1 +foundationassure.com, 1 +foundationdevices.com, 1 +foundationmaintenance.com, 1 +foundationprogramme.nhs.uk, 1 +foundationrepairannarbor.com, 0 +foundationrepairasheville.com, 1 +foundationrepairbasementwaterproofingtn.com, 1 +foundationrepairchicagoil.com, 1 +foundationrepairnebraska.com, 1 +foundationspecialisteast.com, 1 +foundationspecialistmi.com, 1 +foundchurch.co.uk, 1 +founded.ml, 1 +founderinvestors.tk, 1 +founderio.net, 1 +foundland.com, 1 +foundrehotels.com, 1 +foundries.io, 1 +foundsounds.me, 1 +fountainco.gov, 1 +fountainvalley.gov, 1 +fourashesgolfcentre.uk, 1 +fourbrothers.tk, 1 +fourcask.com, 1 +fourchetteverte.ch, 1 +fourcornerscb.com, 1 +fourdesignstudio.com, 1 +fourfivecbd.co.za, 1 +fourfri.es, 1 +fouriemc.com, 1 +fourmidabel.tk, 1 +fourmies.fr, 1 +fournarisopenday.com, 1 +fournisseur-des-collectivites.com, 1 +fourpeaks.com, 1 +fourscore.ga, 1 +foursight.io, 0 +fourstrategy.de, 1 +fourwaysplumber24-7.co.za, 1 +fousekis.tk, 1 +fousetmoney.tk, 1 +foutras.com, 1 +foutrelis.com, 1 +fovndry.com, 1 +fowesolutions.net, 1 +foweyretreat.co.uk, 1 +fowlmanor.tk, 1 +fowlsmurf.net, 1 +fowos.de, 1 +fox-zulu.de, 1 +fox.my, 0 +fox13now.com, 1 +fox17online.com, 1 +fox47news.com, 1 +fox4now.com, 1 +foxandfish.be, 1 +foxart.com.tr, 1 +foxbenjaminfox.com, 1 +foxbnc.uk, 1 +foxcav.es, 1 +foxcloud.tk, 1 +foxcon.tk, 1 +foxdemos.ml, 1 +foxdev.co, 1 +foxdirectory.tk, 1 +foxes.no, 1 +foxeworks.net, 1 +foxghoul.com, 1 +foxgirl.land, 1 +foxholehq.net, 1 +foxing.club, 1 +foxite.me, 1 +foxlanesportsclub.co.uk, 1 +foxlawfresno.com, 1 +foxly.de, 1 +foxmailer.ml, 1 +foxmay.co.uk, 1 +foxo.blue, 0 +foxontheinter.net, 1 +foxpad.tk, 1 +foxpia.no, 1 +foxpointwi.gov, 1 +foxquill.com, 0 +foxscribbler.com, 1 +foxstreetcomms.co.za, 0 +foxstyle.gq, 1 +foxtransportables.com.au, 1 +foxtravelnews.com, 1 +foxtrials.com, 1 +foxtrotcharlie.ovh, 1 +foxtrotfm.tk, 1 +foxtwomodels.com, 1 +foxus.lt, 1 +foxxylove.net, 1 +foxycredit.com, 1 +foxygf.com, 1 +foxytubes.com, 1 +foyale.io, 1 +foylelegal.com, 1 +fozzie.co.uk, 1 +fozzie.space, 1 +fpalzira.es, 1 +fpasca.com, 1 +fpc.gov, 1 +fpcdn.io, 1 +fpds.gov, 1 +fpersona.com, 1 +fpf.org, 1 +fpgamania.com, 1 +fpjscdn.net, 1 +fpki.sh, 1 +fpline.jp, 1 +fpnet.tk, 1 +fpnpmcdn.net, 1 +fprinnovaciones.es, 1 +fprl39.ru, 1 +fprojects.lv, 1 +fps.ac.cn, 1 +fps168.com, 1 +fps73.ru, 1 +fpsclasico.de, 1 +fpsclasico.eu, 1 +fpsclassico.com, 1 +fpsjp.org, 1 +fpstest.org, 1 +fpsturk.net, 1 +fpsv.de, 1 +fpt.icu, 1 +fptbb.com, 1 +fpu.sk, 1 +fpy.cz, 1 +fqcstandard.com.tr, 1 +fr-fotopage.tk, 1 +fr.search.yahoo.com, 0 +fr33tux.org, 1 +fr3qradio.tk, 1 +fra.bg, 1 +fraai.agency, 1 +fracasados.tk, 1 +frack.nl, 0 +fracreazioni.it, 1 +fractieplanner.nl, 1 +fraction-calculations.com, 1 +fractionalciso.com, 1 +fractionalseo.net, 1 +fracturedfx.com, 1 +fracturedperspective.com, 1 +fraeuleinmeerbackt.de, 1 +fragara.com, 1 +fragbite.se, 1 +fragclub.tk, 1 +fragdenstaat.de, 1 +frageboegen-martini-klinik.de, 1 +fragilesolar.cf, 1 +fragmanhotel.com, 1 +fragment.com, 1 +fragmentation.ml, 1 +fragments.ga, 1 +fragmentspuren.de, 1 +fragmentus.tk, 1 +fragnation.tk, 1 +fragnet.net, 1 +fragolabs.com, 1 +fragstore.net, 1 +fragzona.tk, 1 +fraho.eu, 1 +frahub.com, 1 +frail.gq, 1 +fralef.me, 0 +fralippolippi.tk, 1 +frama.link, 1 +frama.site, 1 +frama.wiki, 1 +framabag.org, 1 +framabee.org, 1 +framabin.org, 1 +framablog.org, 1 +framaboard.org, 1 +framabook.org, 1 +framabookin.org, 1 +framacalc.org, 1 +framacarte.org, 1 +framaclic.org, 1 +framacolibri.org, 1 +framadate.org, 1 +framadrive.org, 1 +framadrop.org, 1 +framadvd.org, 1 +framadventure.no, 1 +framaestro.org, 1 +framaform.org, 1 +framaforms.org, 1 +framagames.org, 1 +framagenda.org, 1 +framagit.org, 1 +framago.de, 1 +framakey.org, 1 +framalab.org, 1 +framalang.org, 1 +framalibre.org, 1 +framalistes.org, 1 +framandroid.org, 1 +framanews.org, 1 +framanote.org, 1 +framanotes.org, 1 +framapack.org, 1 +framapad.org, 1 +framapiaf.org, 1 +framapic.org, 1 +framasite.org, 1 +framasites.org, 1 +framaslides.org, 1 +framasoft.net, 1 +framasoft.org, 1 +framasphere.org, 1 +framastart.org, 1 +framastats.org, 1 +framastory.org, 1 +framatalk.org, 1 +framateam.org, 1 +framatube.org, 1 +framavectoriel.org, 1 +framavox.org, 1 +framawiki.org, 1 +framazic.org, 1 +framboise314.fr, 1 +framedog.tk, 1 +framedpaws.com, 1 +framemo.org, 1 +framer.ai, 1 +framer.com, 1 +framer.live, 1 +framer.website, 1 +framerjs.com, 1 +frames-eyelash.com, 1 +frames-hair-design.com, 1 +framesi.cz, 1 +framindmap.org, 1 +framinetest.org, 1 +framinghampd.gov, 1 +frammenti.tk, 1 +fran.cr, 1 +francabellarsi.tk, 1 +francaispornofilm.com, 1 +france-cartouches.fr, 1 +france-cyber-maritime.eu, 1 +france-hotellerie-restauration.com, 1 +france-news.cf, 1 +france-orchidees.org, 1 +france-serres.com, 1 +france-volontaires.org, 1 +franceactivetravel.cf, 1 +franceactivetravel.ml, 1 +francebattery.com, 1 +francelight.fr, 1 +francenum.gouv.fr, 1 +francepandi.fr, 0 +francerent.com, 1 +frances8.com, 1 +francesca-and-lucas.com, 1 +francescazambon.it, 0 +francescocozza.it, 1 +francescopalazzo.com, 1 +francescopandolfibalbi.it, 1 +francescorandazzo.tk, 1 +francescorenna.tk, 1 +francescosbistro.com, 1 +francescosiciliano.tk, 1 +francesfluente.cf, 1 +franceskivillas.tk, 1 +francetraceur.fr, 1 +franchini.email, 1 +franchini.engineer, 1 +franchisebarrelhousepub.com, 1 +franchisechaodoi-cambodia.com, 1 +franchiseguide.ga, 1 +franchisehive.com, 1 +franchiseportal.de, 1 +franchisesports.co.uk, 1 +francinebelanger.network, 1 +francis.ph, 1 +franciscadelasllagasvirtual.com, 1 +franciscoeduardocruz.tk, 1 +franciscolapa.eu, 1 +francisgoethals.be, 1 +francishouserecovery.org, 1 +francisplaza.com, 1 +franckgirard.net, 1 +francocasimirri.tk, 1 +francodev.com, 1 +francodev.com.br, 1 +francoexpeditionperu.com, 1 +francofunghi.tk, 1 +francois-occasions.be, 1 +francoisbelangerboisclair.com, 1 +francoiscarrier.com, 1 +francoise-janssens.be, 1 +francoise-paviot.com, 1 +francoisharvey.ca, 1 +francoislaude.fr, 1 +francoislepage.com, 0 +franconia.space, 1 +francosuaga.es, 1 +francotecnologia.com, 1 +francotecnologia.com.br, 1 +francovital.com, 1 +francoz.me, 1 +francs-tireurs.tk, 1 +frand.tk, 1 +frandor.co.uk, 1 +frandroid.com, 1 +frandymvp.tk, 1 +franekerweer.tk, 1 +franfoto.com, 0 +frangallegodorado.es, 1 +frangipane.tk, 1 +frank-america.com, 1 +frank-gcc.com, 1 +frank-lastia.tk, 1 +frank-vincent.nl, 0 +frank-wendy.tk, 1 +frank.fyi, 1 +frankbellamy.co.uk, 1 +frankdufaux.com, 1 +franke-chemie.de, 1 +frankellawfirm.com, 1 +frankelod.com, 1 +frankenfresh.de, 1 +frankenlehrmittel.de, 1 +frankenweb.tk, 1 +frankeschenfelder.de, 1 +frankeurope.com, 1 +frankferrari.tk, 1 +frankfu.ltd, 0 +frankfurtergirl.net, 1 +frankhaarlem.tk, 1 +frankieburkeactor.tk, 1 +frankierfachmann.de, 1 +frankierprofi.de, 1 +frankierstar.de, 1 +frankieylosmatadores.tk, 1 +frankland.tk, 1 +franklin-townshipohio.gov, 1 +franklincountyflorida.gov, 1 +franklincountyia.gov, 1 +franklincountyms.gov, 1 +franklincountync.gov, 1 +franklincountyne.gov, 1 +franklincountyny.gov, 1 +franklincountywa.gov, 1 +franklinct.gov, 1 +franklindelco-ny.gov, 1 +franklinhua.com, 1 +franklinmo.gov, 1 +franklintonnc.gov, 1 +franklintownshipcarbonpa.gov, 1 +franklintwpbeavercopa.gov, 1 +franklinvillagemi.gov, 1 +frankmungoattorney.com, 1 +franksgreatoutdoors.com, 0 +franksiler.com, 1 +frankslaughterinsurance.com, 0 +frankthetank.biz, 1 +frankvision.se, 1 +frankwei.xyz, 0 +frankyan.com, 1 +frankychen.net, 1 +frankydo.com, 1 +franmerino.tk, 1 +franqois.id, 1 +franqois.my.id, 1 +franquiadia.com.br, 1 +franquiadickeys.com.br, 1 +fransebulldog-cadeaushop.tk, 1 +franta.biz, 1 +franta.email, 1 +frantajaros.cz, 1 +frantic1048.com, 1 +frantorregrosa.me, 1 +franz-vatter.de, 1 +franz.beer, 1 +franzen.tk, 1 +franziska-pascal.de, 1 +franziskaherbert.de, 1 +franzknoll.de, 1 +franzoni.eu, 1 +franzt.ovh, 1 +franzters.tk, 1 +frappant.cc, 1 +frappant.net, 1 +frappe.cloud, 1 +frappe.io, 1 +frappecloud.com, 1 +frappeframework.com, 1 +frarossi.tk, 1 +fraselab.ru, 1 +fraserengineco.com, 1 +fraserleonardart.com, 1 +frasermurray.scot, 1 +fraservalleyhotdog.com, 1 +frasesconemocion.com, 1 +frasesdodia.com, 1 +frasesdodia.net, 0 +frasesparaface.com.br, 1 +frasestop.com, 1 +frasestop.com.br, 1 +frasesytarjetas.com, 1 +frasicelebri.it, 1 +fratellisbt.it, 1 +fratelliscarrone.com, 1 +fratellistomboli.it, 1 +fraterbolivia.tk, 1 +fraternityfriendsest.ga, 1 +fraternitynetworkest.ga, 1 +fraternityphotosers.ga, 1 +fraternityphotosest.ga, 1 +fratia.com, 1 +fratiicazanoi.ro, 1 +fratreunioners.ga, 1 +fratreunionest.ga, 1 +frattaroli.org, 1 +frau-pusteblu.me, 1 +frau-sucht-bauer.de, 1 +frau.gq, 1 +fraudpoders.ga, 1 +fraudpodest.ga, 1 +fraudswatch.tk, 1 +fraudtoken.com, 1 +frauen-etappenrennen.de, 1 +frauenaerztin-wedel.de, 1 +frauenarztin-wedel.de, 1 +frauenlob.rocks, 0 +fraulen.ru, 1 +fraurichter.net, 1 +frax.finance, 1 +fraye.net, 1 +frazell.net, 1 +frazeysburg.gov, 1 +frazi.tk, 1 +frbracch.it, 1 +frc.gov, 1 +frc.gov.au, 1 +frc.us.com, 1 +frccsgo.tk, 1 +frcdr.org, 1 +freak-show.tk, 1 +freak-team.tk, 1 +freak-waves.de, 1 +freak-zone.tk, 1 +freakguitars.tk, 1 +freakinstream.com, 1 +freaksites.dk, 0 +freaksports.com.au, 0 +freakyawesome.agency, 1 +freakyawesome.art, 1 +freakyawesome.band, 1 +freakyawesome.business, 1 +freakyawesome.ca, 1 +freakyawesome.co, 1 +freakyawesome.co.uk, 1 +freakyawesome.design, 1 +freakyawesome.fm, 1 +freakyawesome.in, 1 +freakyawesome.lgbt, 1 +freakyawesome.net, 1 +freakyawesome.org, 1 +freakyawesome.solutions, 1 +freakyawesome.world, 1 +freakyawesome.yoga, 1 +freakyhappenings.tk, 1 +freakymatesers.ga, 1 +freakymatesest.ga, 1 +freave.co, 0 +frebi.org, 1 +frebib.co.uk, 1 +frebib.com, 1 +frebib.me, 1 +frebib.net, 1 +freckles.bg, 1 +fred-dresken.nl, 1 +fred26.fr, 1 +fredbarboo.cf, 1 +fredbarboo.ga, 1 +fredbarboo.gq, 1 +fredbarboo.ml, 1 +freddieleeman.nl, 1 +freddieonfire.tk, 0 +freddo.tk, 1 +freddyhasderyk.tk, 1 +freddyhirsch.com.ng, 1 +freddyjs.com, 1 +freddythechick.net, 1 +freddyvasquez.com, 1 +freddyxvasquez.com, 1 +fredericdenis.fr, 1 +fredericfrancois.com, 1 +frederickearlstein.com, 1 +frederickmd.gov, 1 +fredericksburg.com, 1 +frederictonrealestate.com, 1 +frederieknelissen.nl, 1 +frederikbethkeviolins.com, 1 +frederikugarte.tk, 1 +frederikvig.com, 1 +fredhook.tk, 1 +fredjanssen.tk, 1 +fredloya.com, 1 +frednet.tk, 1 +fredoniaaz.gov, 1 +fredoniaiowa.gov, 1 +fredoniawi.gov, 1 +fredoum.fr, 1 +fredriksslaktforskning.se, 1 +fredriksslekt.se, 1 +freds4buildings.com, 1 +fredtec.ru, 1 +fredz.eu, 1 +free-apply.com, 1 +free-barcode-generator.net, 1 +free-bitco.ml, 1 +free-cms.tk, 1 +free-generate.tk, 1 +free-lancer.ml, 1 +free-nation.tk, 1 +free-obmen.ml, 1 +free-ppp.jp, 1 +free-printablehq.com, 1 +free-printablemap.com, 1 +free-quotes.info, 1 +free-rein.net, 1 +free-seo.ml, 1 +free-seo.tk, 1 +free-sql-query-tool.com, 1 +free-ss.site, 1 +free-tarot.net, 1 +free-watching.ga, 1 +free-webtv.tk, 1 +free.com.tw, 1 +free4allsw.com, 1 +free6to12yo.gq, 1 +free8.xyz, 1 +freeadvertisingexchange.com, 1 +freeaf.gq, 1 +freeagent.tk, 1 +freeartico.ga, 1 +freeassange.net, 1 +freeasyshop.com, 1 +freeauction.tk, 1 +freeauroraoperations.tk, 1 +freebacklinksforyoudirectory.tk, 1 +freebasics.com, 1 +freebcard.com, 1 +freebegames.tk, 1 +freebetoffers.co.uk, 1 +freebetonthegrandnational.com, 1 +freebettingreviews.com, 1 +freebiofuels.ga, 1 +freebiofuelsers.ga, 1 +freebirdairlines.com, 1 +freebit.ch, 1 +freebitcoinfaucet.org, 1 +freebookdomain.tk, 1 +freebookslibrary.gq, 1 +freebornfinancial.ca, 1 +freeboson.org, 1 +freebsd.la, 1 +freebsd.me, 1 +freebsdbrasil.com.br, 1 +freebus.org, 1 +freebusinessideas.net, 1 +freecam-sex.com, 1 +freecam2cam.site, 1 +freecatz.pe.kr, 1 +freechatlines.com, 1 +freecloud.at, 1 +freeclubpenguin.tk, 1 +freecn.xyz, 1 +freecodenew.com, 1 +freecorner.tk, 1 +freecottage.fr, 1 +freecoursepage.net, 1 +freecourseweb.com, 1 +freecrypt.ga, 1 +freedatesite.ml, 1 +freedatesites.cf, 1 +freedatingonline.ml, 1 +freedeals4u.ga, 1 +freedev.cz, 1 +freedgb.com, 1 +freediomatiq.com, 0 +freedirectory.tk, 1 +freedogecrypt.tk, 1 +freedom-substitute.fr, 1 +freedom.nl, 1 +freedom.press, 1 +freedom35.org, 0 +freedomains4all.tk, 1 +freedomdujour.com, 1 +freedomfinanceuat.azurewebsites.net, 1 +freedomflotilla.org, 1 +freedomfrontier.tk, 1 +freedomhk.info, 1 +freedomhkg.info, 1 +freedomhouse.org, 1 +freedomisslavery.tk, 1 +freedomkiaparts.com, 1 +freedomonline.bg, 1 +freedomonthenet.org, 1 +freedomperception.com, 1 +freedomsaukwi.gov, 1 +freedomscam.com, 1 +freedomtoolkit.com, 1 +freedomvote.nl, 1 +freedomwill.tk, 1 +freedomworldoutreach.com, 1 +freeebooksblog.com, 1 +freeenglishhelp.com, 1 +freeexampapers.com, 1 +freefallproductions.tk, 1 +freefilesync.org, 1 +freefincal.com, 1 +freeflightstoitaly.ngo, 1 +freefonts.ga, 1 +freeform4u.de, 1 +freefuckvids.com, 1 +freegame-mugen.jp, 1 +freegutters.com, 1 +freehdporn.tv, 1 +freehorseracingtv.com, 1 +freehotline.ru, 1 +freehouse.video, 1 +freehqporno.com, 1 +freeiconspng.com, 0 +freeimage.host, 1 +freeimageclub.com, 1 +freeinet.cf, 1 +freeinet.tk, 1 +freeinfos.fr, 1 +freeinoutboard.com, 1 +freekdevries.nl, 1 +freelance-webdesign.co.uk, 1 +freelance.barcelona, 1 +freelance.boutique, 1 +freelance.nl, 1 +freelanceessaywriters.com, 1 +freelancehunt.com, 1 +freelancemw.com, 0 +freelancerim.ml, 1 +freelanceunited.co.uk, 1 +freelancewebprogrammer.com, 1 +freeliferp.de, 1 +freeloadfinance.com, 1 +freemagi.ga, 1 +freeman-online.tk, 1 +freemania.nl, 1 +freemanlogistics.com, 1 +freemans.com, 1 +freemanwealth.com, 0 +freemason.pt, 1 +freemazes.tk, 1 +freemchosting.tk, 1 +freeme.gq, 1 +freemilf.org, 1 +freemilfpics.com, 1 +freeminecraftmaps.tk, 1 +freeministryresources.org, 1 +freemomhugs.org, 1 +freemor.ca, 1 +freemotion.tk, 1 +freemovieonline.ga, 1 +freend.me, 0 +freenet.com.ng, 1 +freenetflow.com, 1 +freenetproject.org, 1 +freenft.com, 1 +freenome.com, 1 +freenome.net, 1 +freenomyoulilb.tk, 1 +freeo.cf, 1 +freeonlinearticles.tk, 1 +freeonlinegames.gq, 1 +freeonplate.com, 1 +freeparks.co.uk, 1 +freepastlife.com, 1 +freepatternsarea.com, 1 +freepedia.cf, 1 +freepeopledirectory.com, 1 +freephonefinder.cf, 1 +freeplace.tk, 1 +freepluginoffer.com, 1 +freepoints.us, 1 +freepornhunt.com, 1 +freepornomovies.info, 1 +freepornovideos.me, 1 +freepornpics.net, 1 +freepornvideos.life, 1 +freepornxxxvids.com, 1 +freeportbakery.com, 1 +freeporttx.gov, 1 +freeprintabletm.com, 1 +freepro.com, 1 +freepro.fr, 1 +freepron.xyz, 1 +freeradical.zone, 1 +freereal.ml, 1 +freerealincest.com, 1 +freergform.org, 1 +freeride-dragobrat.com, 1 +freeroughporn.com, 1 +freerun.cn, 0 +freesat.cn, 1 +freeschool.cf, 1 +freescorefast.com, 1 +freesexvideo.pro, 1 +freesexvidz.com, 1 +freeshell.de, 1 +freeshipping.com, 1 +freeskateparks.com, 1 +freeslots.guru, 0 +freesmile.tk, 1 +freesms-online.de, 1 +freesocialbookmarkingsites.tk, 1 +freesoft-board.to, 1 +freesoftlab.com, 1 +freesolitaire.win, 1 +freesourcestl.org, 1 +freespace.info, 1 +freespanlift.com, 1 +freespeech.org, 1 +freesports.ml, 1 +freesteam.net, 1 +freesteam.org, 1 +freestylemartialarts.tk, 1 +freesunday.tk, 1 +freetagboards.tk, 1 +freetamco.com, 1 +freetaxusa.com, 1 +freetelegraph.ga, 1 +freetelegraphers.ga, 1 +freetext.org, 1 +freethecape.org.za, 1 +freethetv.ie, 1 +freethinker.org, 1 +freethinkers.org, 1 +freethought.org, 1 +freetimefun.tk, 1 +freetokill.tk, 1 +freetranslations.org, 1 +freetrung.tk, 1 +freetsa.org, 1 +freeunitconverter.online, 1 +freeuseporn.org, 1 +freevideoproxy.com, 1 +freeview.in, 1 +freevisits.tk, 1 +freevstplugins.net, 1 +freewarez.org, 1 +freewaywarehouse.com, 1 +freewebh0st.tk, 1 +freewoman.club, 1 +freewoodfactory.com, 1 +freexmovie.com, 1 +freexxxmovies.biz, 1 +freeyourmusic.com, 1 +freeza.cf, 1 +freeza.tk, 1 +freezander.tk, 1 +freezemea.com, 1 +freezerrepairaustin.com, 1 +freezion.com, 1 +freezoneplan.com, 1 +freezvon.ru, 1 +freibesetzt.tk, 1 +freiboth.ddns.net, 1 +freie-software.net, 1 +freifahrt.de, 1 +freifall.tk, 1 +freifunk-burgaltendorf.de, 1 +freifunk-duesseldorf.de, 1 +freifunk-lindlar.net, 1 +freifunk-luenen.de, 1 +freifunk-myk.de, 1 +freifunk-remscheid.de, 1 +freight-broker.ru, 1 +freight-news.ru, 1 +freightcenter.com, 1 +freightinsightservice.com, 1 +freinetmiddenschool.gent, 1 +freitas.org, 1 +freitasm.com, 1 +freitasul.com.br, 1 +freitasul.io, 1 +freiwurst.net, 1 +freizeitpark.tk, 1 +freizeitplaza.de, 1 +frejasdal.dk, 1 +frekans.tk, 1 +frekat.tk, 1 +fremdlymarketing.com, 0 +fremontcountyco.gov, 1 +fremontcountyia.gov, 1 +fremontcountyid.gov, 1 +fremontfire.gov, 1 +fremonthills.gov, 1 +fremontmi.gov, 1 +fremontsmilesdentistry.com, 1 +fremonttribune.com, 1 +frences.tk, 1 +french.tk, 1 +frenchbluecottage.com, 1 +frenchcreekcog.org, 1 +frenchcreekroofing.com, 1 +frenchdays.fr, 1 +frenchieskingdom.com, 1 +frenchmac.com, 1 +frenchtownmi.gov, 1 +frenchvandal.com, 0 +frendamos-roleplay.ml, 1 +frendle.tech, 1 +frenetic.lv, 1 +frenger.co.uk, 1 +frenger.com.au, 1 +frente-popular.tk, 1 +frenzel.dk, 1 +frequence-turf.fr, 1 +frequencymc.cc, 1 +frequentlyaskedquestions.cf, 1 +frequenttraveller.com.au, 1 +freres-marchand.fr, 1 +fresar-engineering.nl, 1 +frescafit.com, 1 +frescamezcla.tk, 1 +fresco.ph, 1 +frescobol.tk, 1 +frescocooks.com, 1 +fresh-hotel.org, 1 +fresh-info.cf, 1 +fresh-info.gq, 1 +fresh-info.tk, 1 +fresh-networks.net, 1 +fresh.co.il, 1 +fresh4.co.uk, 1 +fresh4trash.io, 1 +freshbean.club, 1 +freshbooks.com, 0 +freshcode.nl, 1 +freshdesk-apps-by-invantive.com, 1 +fresheetmusic.com, 1 +freshempire.gov, 1 +freshersworld.ml, 1 +fresherwalkins.tk, 1 +freshfinder.com.au, 0 +freshfishdelivery.com, 1 +freshgreenhouse.net, 1 +freshhosting.tk, 1 +freshinsport.fr, 1 +freshjoomlatemplates.com, 1 +freshmail.com, 0 +freshmail.pl, 0 +freshman.tech, 1 +freshmans-pizza.de, 1 +freshmusicsheets.com, 1 +freshpatio.com, 1 +freshplus62.com, 0 +freshporno.net, 1 +freshpounds.com, 1 +freshproducemusic.tk, 1 +freshsexpics.com, 1 +freshsheetmusic.com, 1 +freshtest.tk, 1 +freshuk.co.il, 1 +freshwave.gr, 1 +fresno.tk, 1 +fresnofloodcontrol.gov, 1 +fresnois.com, 1 +freso.dk, 1 +fretboardforever.com, 1 +fretpal.online, 1 +fretscha.com, 1 +frettboard.com, 1 +frettennet.tk, 1 +frettirnar.is, 1 +freundeskreis-tarjan.de, 1 +freundinnen-ausflug.de, 0 +freundinnen-kurzurlaub.de, 0 +freundinnen-urlaub.de, 0 +freundinnenausflug.de, 0 +frfghtr.com, 1 +frfi.io, 1 +fribourgviking.net, 1 +fricassea.com, 1 +frickelboxx.de, 1 +frickelmeister.de, 1 +frickenate.com, 1 +frida.se, 1 +fridakahlofans.com, 1 +fridaybot.tk, 1 +fridaybridge.tk, 1 +fridayfoucoud.ma, 1 +fridaynightskate.tk, 1 +fridaysforfuture-bremen.de, 1 +fridge.dk, 1 +fridgesearchest.ga, 1 +fridolinka.cz, 1 +fried.tk, 1 +friedberg2020.de, 1 +friedbergdirectfx.ca, 1 +friederes.lu, 0 +friederloch.de, 1 +friedhelm-wolf.de, 1 +friedli.info, 1 +friedrich-foto-art.de, 1 +friedrichshafen.tk, 1 +friedsamphotography.com, 1 +friedstechnology.com, 1 +friedstechnology.nl, 1 +friedstechnology.online, 1 +friedzombie.nl, 1 +friedzombie.online, 1 +friendbot.ml, 1 +friendick.jp, 1 +friendindeed.com, 1 +friendku.tk, 1 +friendly.pe, 1 +friendlybearlabs.com, 1 +friendlydabs.com, 1 +friendofpaws.com, 1 +friendofthehoneybee.co.uk, 1 +friendofthehoneybee.org, 1 +friendofthehoneybee.org.uk, 1 +friendowment.us, 1 +friends-online.tk, 1 +friends.cafe, 1 +friendscapital.co.uk, 1 +friendsforeverrecords.tk, 1 +friendshipismagicsquad.com, 1 +friendsnew.com, 1 +friendsnomore.tk, 1 +friendsofgfwpc.org, 1 +friendsofmagnacarta.tk, 1 +friendsofoldstthomas.org, 1 +friendsofthehoneybee.co.uk, 1 +friendsofthehoneybee.com, 1 +friendsofthehoneybee.org, 1 +friendsofthehoneybee.org.uk, 1 +friendsofthehoneybee.uk, 1 +friendsoftheriverfront.org, 1 +friendsonline.com, 1 +friendsonline.tk, 1 +friendspoint.tk, 1 +friendsvilletn.gov, 1 +friendswoodtx.gov, 1 +friendtech.tk, 1 +friesvredesplatform.tk, 1 +friet.org, 1 +frietbesteld.nl, 1 +frietzombie.nl, 1 +friezy.ru, 1 +frightmare.tk, 1 +frigi.ch, 0 +frign.de, 1 +frigochaco.com.py, 1 +frigolit.net, 1 +frikandellenmoord.nl, 1 +frikandelmoord.nl, 1 +friker.tk, 1 +frikilinks.tk, 1 +frikimasters.es, 1 +frikipedia.tk, 1 +frikiteca.tk, 1 +frikizone.tk, 1 +frikotv.tk, 1 +frilima.com.br, 1 +friller.com.au, 1 +frillip.com, 0 +fringeintravel.com, 1 +frinkiac.com, 1 +frino.de, 1 +friplay.host, 1 +fripoune.fr, 1 +fripper.tk, 1 +frisaga.com, 1 +frisaga.me, 1 +frisaga.net, 1 +frisaga.org, 1 +frisaga.travel, 1 +friseur-foerder.de, 1 +friseur.website, 1 +friseure-website.de, 1 +friseurlinds.de, 1 +frisil.pt, 1 +friss.com, 0 +frissenootjes.tk, 1 +frisuren.tk, 1 +fritravelapp.com, 1 +fritteli.ch, 1 +fritz-koehne-schule.de, 1 +fritzbox-forum.tk, 1 +friv-2018.ga, 1 +frizo.com, 1 +frlcnews.com, 1 +frlt.one, 1 +frmbike.net, 1 +fro.ge, 1 +frodriguez.xyz, 1 +froehliche-hessen.de, 1 +frog.industries, 1 +frogatto.com, 1 +frogeducation.com, 1 +frogeye.fr, 1 +froggitt.com, 1 +froginfra.net, 1 +froglms.net, 1 +frogos.net, 1 +frogplay.net, 1 +frogsonamission.de, 1 +frogstage.com, 1 +frogtest.co.uk, 1 +frogtown.capital, 1 +froh-s.com, 1 +froh.co.jp, 1 +froicorp.com, 1 +frokenblomma.se, 1 +frolova.org, 1 +from-the-net.com, 1 +from.network, 0 +from.tk, 1 +fromager.net, 1 +fromageriedepeisey.com, 1 +fromages-freres-marchand.com, 1 +fromages-freres-marchand.fr, 1 +fromages-marchand.com, 1 +fromages-marchand.fr, 1 +fromix.de, 1 +fromlemaytoz.com, 1 +fromlifephoto.com, 1 +fromm-projects.de, 1 +frommars.tk, 1 +frommyhands.tk, 1 +fromoldbooks.org, 1 +fromrestaurants.tk, 1 +fromscratch.rocks, 1 +fromthecave.tk, 1 +fromthecountsplace.tk, 1 +fromthemonks.com, 1 +fromthesoutherncross.com, 1 +fromthetopsalonnh.com, 1 +fromwithin.tk, 1 +fronhadeseda.com.br, 1 +front.com, 1 +frontbaydevices.tk, 1 +frontconcept.com.my, 1 +fronteers.nl, 0 +fronteimoveis.com.br, 1 +fronterasblog.tk, 1 +frontier.bet, 1 +frontierbrasil.tk, 1 +frontierclimate.com, 0 +frontiernav.net, 1 +frontiernetworks.co.uk, 1 +frontiers.nl, 1 +frontiersinflight.com, 1 +frontigate.com, 1 +frontline.cloud, 1 +frontline6.com, 0 +frontlinepolicies.com, 1 +frontrouge.fr, 1 +frontrunneragency.com, 1 +froogo.co.uk, 1 +frosinonetoday.it, 1 +frosoku.com, 1 +frostedgame.xyz, 1 +frostexpert.ru, 1 +frostfire.tk, 1 +frostplatform.com, 1 +frostprotection.co.uk, 1 +frostwarning.com, 1 +frostwolf.tk, 1 +frosty-gaming.xyz, 1 +frosty.sk, 1 +frosty.style, 1 +frostymr.com, 1 +frostysummers.com, 1 +frothy285.com, 1 +froufe.com, 0 +frowin-base.de, 1 +frowin-stemmer.de, 0 +frown.town, 1 +frownonline.co.uk, 1 +frowresource.org.uk, 1 +froyomio.com, 1 +frozen-gaming.tk, 1 +frozen-geek.net, 1 +frozen-solid.net, 1 +frozencuisine.ga, 1 +frozencuisineers.ga, 1 +frozencuisineest.ga, 1 +frozendurian.club, 1 +frozenpennies.com, 1 +frp-roleplay.de, 1 +frpg.gov, 1 +frprn.com, 1 +frprn.es, 1 +frprn.xxx, 1 +frrfb.org.au, 1 +frsecure.com, 1 +frshminds.com, 1 +frsnpwr.net, 1 +frsra.ml, 1 +frtib.gov, 1 +frtn.com, 1 +frtr.gov, 1 +fruchtikus.net, 1 +frugaldateest.ga, 1 +frugalfamily.co.uk, 1 +frugalfamilyhome.com, 1 +frugalfarmwife.com, 1 +frugalmatic.com, 1 +frugro.be, 1 +fruit-farm.tk, 1 +fruit.ga, 1 +fruit.ml, 1 +fruitbouquets.com, 1 +fruitdiva.com, 1 +fruitfits.com, 1 +fruitfulenglish.com, 1 +fruition.co.jp, 1 +fruitjuicetab.ch, 1 +fruitlandmi.gov, 1 +fruitlawers.ga, 1 +fruitmoose.com, 1 +fruitscale.com, 1 +fruitsexpressdelivery.com.sg, 1 +fruitsfromchile.com, 1 +fruitybeauty.tk, 1 +fruitycasinos.com, 1 +fruityloop.tk, 1 +fruityten.co.uk, 1 +frutasyvejetales.com, 1 +frutidump.tk, 1 +frutuozo.com.br, 1 +fruturaproduce.com, 1 +fruxh.moe, 1 +fruxnux.net, 1 +frwmb.gov, 1 +fry.at, 1 +frydrychit.cz, 1 +fryfiredistrictaz.gov, 1 +fs-d.org, 1 +fs-fitness.eu, 1 +fs-g.org, 1 +fs-m.org, 1 +fs-maistadt.de, 1 +fs-rozmarija.tk, 1 +fs-w.org, 1 +fs-world.org, 1 +fs1.hopto.org, 1 +fs22a.de, 1 +fsalmeron.tk, 1 +fsapubs.gov, 0 +fsavc.org.uk, 1 +fsbn.eu, 1 +fsbpaintrock.com, 1 +fsch2009.com, 1 +fsck.cz, 1 +fsck.jp, 0 +fsconline.info, 1 +fscott.de, 1 +fsd.gov, 1 +fselka.is, 1 +fseo.tk, 1 +fsfi.is, 1 +fsg.one, 1 +fsgeek.ca, 1 +fsharpfactory.io, 1 +fsinf.at, 1 +fsinsight.com, 1 +fsk.fo, 0 +fsky.info, 1 +fsma.pl, 1 +fsmi.in, 1 +fsnb.com, 1 +fspk.pro, 1 +fsps.ch, 1 +fsrs.gov, 1 +fsscms.com, 1 +fssolutions.com, 1 +fssp-bordeaux.fr, 1 +fsst-nsn.gov, 1 +fstatic.io, 1 +fstm.tk, 1 +fstpn.at, 1 +fstpn.blog, 1 +fstpn.ch, 1 +fstpn.cloud, 1 +fstpn.de, 1 +fstpn.es, 1 +fstpn.eu, 1 +fstpn.info, 1 +fstpn.io, 1 +fstpn.it, 1 +fstpn.link, 1 +fstpn.media, 1 +fstpn.net, 1 +fstpn.network, 1 +fstpn.org, 1 +fstpn.pt, 1 +fstpn.shop, 1 +fstpn.si, 1 +fstpn.uk, 1 +fsty.uk, 1 +fsub.de, 1 +fsvoboda.cz, 1 +fsvt.ch, 0 +fsxxi.com, 1 +ft.com, 0 +ftang.de, 1 +ftapi.com, 0 +ftc.gov, 1 +ftccomplaintassistant.gov, 1 +ftcefile.gov, 1 +ftcscout.org, 1 +ftfgroup.us, 1 +ftg-ru.ga, 1 +ftgeufyihreufheriofeuozirgrgd.tk, 1 +ftgho.com, 1 +fthat.link, 1 +ftl-gaming.tk, 1 +ftl-ltl-china.ru, 1 +ftl13.com, 1 +ftlparksprojects.com, 1 +ftm.wiki, 1 +ftmc.tk, 1 +ftmwiki.com, 1 +ftmwiki.net, 1 +ftmwiki.org, 1 +ftmyersdogtraining.com, 1 +ftng.se, 1 +ftpmovement.tk, 1 +ftpporto.com, 0 +ftptest.net, 1 +ftrac.com.br, 1 +ftrfnd.me, 1 +ftth.eu.org, 0 +ftv.re, 1 +ftworthhousekeeper.com, 1 +ftx.io, 1 +ftx.tech, 1 +ftxtr.com, 0 +fu110.de, 1 +fu666.de, 1 +fu898.top, 1 +fuantaishenhaimuli.net, 1 +fuas.cl, 1 +fucajz.cz, 1 +fuchs-informatik.de, 1 +fuchsy.com, 1 +fuciam.com.co, 1 +fuck-your-false-positive.de, 1 +fuckar.ch, 1 +fuckcf.cf, 1 +fuckedintraffic.com, 1 +fuckimm.com, 1 +fucknazis.cf, 1 +fucknazis.tk, 1 +fuckobr.com, 1 +fuckobr.net, 1 +fuckobr.org, 1 +fuckobr.su, 1 +fucksc.cf, 1 +fuckssl.com, 1 +fucktory.tk, 1 +fuckup.dk, 1 +fuckwhatyouthink.tk, 1 +fuckxiaozhan.com, 0 +fuckxichina.com, 1 +fuckyou.monster, 1 +fuckyoupaypal.me, 1 +fuckz.net, 1 +fudaoyuan.com, 1 +fuddittu.tk, 1 +fudgeapps.co.uk, 1 +fudgeapps.uk, 1 +fudie.net, 1 +fudsend.com, 1 +fuego.tech, 1 +fuegocruzado.tk, 1 +fuegoenlasangre.tk, 1 +fuegosalsapower.tk, 1 +fueko.net, 1 +fuelbyte.sg, 1 +fuelcycle.com, 1 +fuelgalicia.tk, 1 +fuelingfilms.com, 1 +fuelpumpu.com, 1 +fuembellida.tk, 1 +fuenf-sterne.de, 1 +fuenferrada.tk, 1 +fuentesdeenergia.org, 1 +fuentesdeleon.tk, 1 +fuer-gerechte-steuern.at, 1 +fuerzaazul.tk, 1 +fufu.dance, 1 +fugaku.cloud, 1 +fuge-specialisten.dk, 1 +fuglar.tk, 1 +fugle.de, 1 +fuglede.dk, 1 +fugu.lol, 1 +fuhe-psy.com, 1 +fuhui-apac.com, 1 +fuhui-asia.com, 1 +fuhui-baike.com, 1 +fuhui-chinese.com, 1 +fuhui-chn.com, 1 +fuhui-fxcm.com, 1 +fuhui-global.com, 1 +fuhui-status.com, 1 +fuhui-web.com, 1 +fuhui-zhs.com, 1 +fuhuiapps.com, 1 +fuhuicorporate.com, 1 +fuhuifinance.com, 1 +fuhuigupiao.com, 1 +fuhuihub.com, 1 +fuhuijt.com, 1 +fuhuilab.com, 1 +fuhuimarket.com, 1 +fuhuimarkets.com, 1 +fuhuimobile.com, 1 +fuhuionline.com, 1 +fuhuiso.com, 1 +fuhuistation.com, 1 +fuhuistocks.com, 1 +fuhuitoutiao.com, 1 +fuhuitouzi.com, 1 +fuhuitrade.com, 1 +fuhuitrader.com, 1 +fuhuitrading.com, 1 +fuhuiwechat.com, 1 +fuhuizh.com, 1 +fuhuizhihu.com, 1 +fuinhas.tk, 1 +fuite.ch, 0 +fuitedeau.ch, 0 +fuites-eau-charente.com, 1 +fuites.ch, 0 +fuiveningent.be, 1 +fujianshipbuilding.com, 1 +fujieb.com, 1 +fujifilm-connect.com, 1 +fujijin.co.jp, 1 +fujikatu.tk, 1 +fujikochan.tk, 1 +fujimurado.com, 1 +fujiwarashinzo.com, 1 +fujiyakimono.com, 1 +fukabori-kaidora.com, 1 +fukase-seed.com, 1 +fukikaeru.com, 1 +fukn.jp, 1 +fuku-fashion.nl, 1 +fukuiedu.com, 1 +fukuko.biz, 1 +fukuko.xyz, 1 +fukushima-fun.com, 1 +fukushimacoffee.com, 1 +fulcrumanalytics.com, 1 +fulcrumdigital.com, 1 +fulda.tk, 1 +fulfil.io, 1 +fulfillmentcostsers.ga, 1 +fulfillmentcostsest.ga, 1 +fulfilmentcrowd.com, 1 +fulfyld.com, 1 +fulgentoncology.com, 1 +fulgenzis.com, 1 +fulisex.com, 1 +fuliwang.info, 1 +full-hd.info, 1 +full-stack.ninja, 1 +full.eu.org, 1 +fullautomotivo.com.br, 1 +fullaw.in, 1 +fullblast.tk, 1 +fullbulla.tk, 1 +fullbundle.com, 1 +fullcirclestudio.nl, 1 +fullcolors7.com, 1 +fulldw.com, 1 +fullerlife.org.uk, 1 +fullertonne.gov, 1 +fullfilez.com, 1 +fullfillery.com, 1 +fullhost.com, 1 +fullhotfilm.co, 1 +fullhouseresorts.com, 1 +fullhub.ru, 1 +fullinsiderers.ga, 1 +fullinsiderest.ga, 1 +fullintel.com, 1 +fullmetalconsulting.tk, 1 +fullmoondesignhouse.tk, 1 +fullmoonhentai.tk, 1 +fullpaisa.com, 1 +fullsize.ml, 1 +fullsizefordclub.tk, 1 +fullstackway.com, 1 +fulltextarchive.com, 1 +fulltxt.ml, 1 +fully-covered.tk, 1 +fully-hair.tk, 1 +fullzest.com, 1 +fultoncountyar.gov, 1 +fultoncountyil.gov, 1 +fultoncountyilelections.gov, 1 +fultoncountyky.gov, 1 +fultondaleal.gov, 1 +fulup.com, 1 +fulyayurdumetin.com, 1 +fumblers.ca, 1 +fumerx.com, 1 +fumify.tk, 1 +fumilink.com, 1 +fumotousa.com, 1 +fun-baby.ru, 1 +fun-bounce.co.uk, 1 +fun-day.tk, 1 +fun-life.com.tw, 0 +fun-tasia.co.uk, 1 +fun4ubouncycastles.co.uk, 1 +funadiq.com, 1 +funadvisor.ca, 0 +funadvisorfrance.com, 1 +funaiwhistle.com, 1 +funandfriends.tk, 1 +funandlearning.es, 1 +funatic.nl, 1 +funatic.tk, 1 +funboards.cz, 1 +funboat.tk, 1 +funbuynet.com.br, 1 +funchal.cf, 1 +funchal.ga, 1 +funchal.gq, 1 +funchal.pt, 1 +functions-online.com, 1 +functionx.io, 1 +functori.com, 1 +funcustomshirts.com, 1 +fundacaoeveris.com.br, 1 +fundacion.in, 1 +fundacionfade.org, 1 +fundacionfranciscofiasco.org, 1 +fundacionindigo.tk, 1 +fundacionlaboral.org, 1 +fundacionminutodigital.org, 1 +fundacionsiempreadelante.org, 1 +fundacionsilverina.org, 1 +fundacjamatkiewy.pl, 1 +fundaekhaya.co.za, 1 +fundamentt.com, 1 +fundatiacomunitaragalati.ro, 1 +fundayltd.com, 1 +fundedschools.ml, 1 +fundelva.com, 1 +fundex.id, 1 +fundhawk.com, 1 +fundiggitydog.co.nz, 1 +funding-zone.com, 1 +fundingoptions.com, 1 +fundingpartner.dk, 1 +fundingpartner.no, 1 +fundingpartner.se, 1 +fundkyapp.com, 1 +fundmylegalclaim.co.uk, 1 +fundort.ch, 1 +fundpress.org, 0 +funds.ddns.net, 1 +fundwave.com, 1 +funenhobby.nl, 1 +funeral-doom.tk, 1 +funeralforafriend.tk, 1 +funeralshowers.ga, 1 +funeralshowest.ga, 1 +funerare-cazacu.com, 1 +funerare24.ro, 1 +funerariaalarcon.cl, 1 +funfactorleeds.co.uk, 1 +funfacts.cz, 1 +funfm.tk, 1 +fungalforager.com, 1 +fungame.eu, 1 +fungame.fr, 1 +fungit.org, 0 +fungomoscow.cf, 1 +fungosdemexico.tk, 1 +funguana.com, 1 +funhiking.tk, 1 +funhotdate.com, 1 +funhouse-inflatables.co.uk, 1 +funhunt.es, 1 +funideas.org, 1 +funidelia-tr.com, 1 +funidelia.at, 1 +funidelia.be, 1 +funidelia.bg, 1 +funidelia.ca, 1 +funidelia.ch, 1 +funidelia.cl, 1 +funidelia.co, 1 +funidelia.co.il, 1 +funidelia.co.nz, 1 +funidelia.co.uk, 1 +funidelia.com, 1 +funidelia.com.ar, 1 +funidelia.com.au, 1 +funidelia.com.br, 1 +funidelia.com.ua, 1 +funidelia.cz, 1 +funidelia.de, 1 +funidelia.dk, 1 +funidelia.ee, 1 +funidelia.es, 1 +funidelia.fi, 1 +funidelia.fr, 1 +funidelia.gr, 1 +funidelia.hk, 1 +funidelia.hr, 1 +funidelia.hu, 1 +funidelia.id, 1 +funidelia.ie, 1 +funidelia.in, 1 +funidelia.is, 1 +funidelia.it, 1 +funidelia.kr, 1 +funidelia.lt, 1 +funidelia.lu, 1 +funidelia.lv, 1 +funidelia.mx, 1 +funidelia.my, 1 +funidelia.nl, 1 +funidelia.no, 1 +funidelia.ph, 1 +funidelia.pt, 1 +funidelia.ro, 1 +funidelia.rs, 1 +funidelia.ru, 1 +funidelia.se, 1 +funidelia.sg, 1 +funidelia.si, 1 +funidelia.sk, 1 +funidos.tk, 1 +funinfo.tk, 1 +funinthesunboating.com, 1 +funio.com, 1 +funkazoid-radio.com, 1 +funken-networks.de, 1 +funkfernbedienung-industrie.de, 1 +funkimforst.de, 1 +funknotaus.de, 1 +funkogames.com, 1 +funkshop.tk, 1 +funksteckdosen24.de, 0 +funkstyles.tk, 1 +funktdesign.eu, 1 +funktionel.co, 1 +funktionevents.co.uk, 1 +funky-emulation.net, 1 +funkydealz.no, 1 +funkyflo.tk, 1 +funkysims.tk, 1 +funline.tk, 1 +funlook.ga, 1 +funlook.tk, 1 +funmobiles.tk, 1 +funmountaincanyon.com, 1 +funnelsforbricks.io, 1 +funnelw3b.com, 1 +funniestclip.com, 1 +funny-boy.tk, 1 +funny-rates.tk, 1 +funny-wedding.ga, 1 +funnyanimalvideos.ml, 1 +funnybee.tk, 1 +funnybubu.ro, 1 +funnychristianjokes.tk, 1 +funnycommercials.ga, 1 +funnylinks.cf, 1 +funnymedia.tk, 1 +funnymetals.com, 1 +funnypicz.cf, 1 +funnyprankvideo.ga, 1 +funnypromotions.tk, 1 +funnytimes.cf, 1 +funnyvideoclips.cf, 1 +funnyvideoclips.tk, 1 +funoverip.net, 1 +funpakistan.tk, 1 +funpartytips.com, 1 +funphone.tk, 1 +funplaza.tk, 1 +funprode.org, 1 +funprogramming.tk, 1 +funreaktor.com, 1 +funshemale.com, 1 +funshirts.tk, 1 +funsite.tk, 1 +funsmsmailing.tk, 1 +funsoup.tk, 1 +funtastic-basketball.de, 1 +funtastic.ie, 1 +funtime-inflatables.co.uk, 1 +funtime.com.ua, 1 +funtime.kiev.ua, 1 +funtimesbouncycastles.co.uk, 1 +funtimeusabiloxi.com, 1 +funtimez.cf, 1 +funtimez.ga, 1 +funtimez.gq, 1 +funto.tk, 1 +funtonez.tk, 1 +funwithbells.com, 1 +funy.eu.org, 1 +funyirotraktor.hu, 1 +funzack.cf, 1 +fur-shop.tk, 1 +fur.city, 1 +fur.mt, 1 +fur.red, 1 +furaffrate.net, 1 +furbooru.org, 1 +furca.ca, 1 +furcdn.net, 1 +furcity.me, 1 +fureais.com, 1 +furgetmeknot.co.za, 1 +furgetmeknot.org, 1 +furgetmeknot.org.za, 1 +furgo.love, 1 +furi.ga, 1 +furiacelesteiquique.tk, 1 +furiaot.com, 1 +furik.me, 1 +furisode-sendai.com, 1 +furisode-yamaguchiya.com, 1 +furiya.tk, 1 +furkanahsap.com, 1 +furkankose.ml, 1 +furkanmudanyali.com, 1 +furkot.com, 1 +furkot.de, 1 +furkot.es, 1 +furkot.fi, 1 +furkot.fr, 1 +furkot.it, 1 +furkot.pl, 1 +furkot.ro, 1 +furlan.co, 0 +furlan.tk, 1 +furlog.it, 1 +furmap.fr, 1 +furnace-zero.tk, 1 +furnfurs.com, 1 +furnishedproperty.com.au, 1 +furniteco.com, 1 +furniture-for-home.tk, 1 +furniture-warehouse.co.za, 1 +furnitureconcept.co.uk, 1 +furniturefashion.com, 1 +furnitureforlife.com, 1 +furnitureforlifeboulder.com, 1 +furniturefromthebarn.com, 1 +furnitureproduction.tk, 1 +furnituresolutions.tk, 1 +furniturestrends.com, 1 +furnu.org, 1 +furorcanario.tk, 1 +furoretferrum.tk, 1 +furosemide-lasix.tk, 1 +furosemide.gq, 1 +furries.id, 1 +furry.codes, 1 +furry.cool, 1 +furry.dk, 1 +furry.gay, 1 +furrybot.co, 1 +furrycdn.org, 1 +furrycraft.ga, 1 +furrytech.network, 1 +furs.town, 1 +fursandfur.tk, 1 +furseo.co, 1 +fursho.ws, 1 +furshows.org, 1 +furtodo.at, 1 +furtodo.com, 1 +furtodo.cz, 1 +furtodo.de, 1 +furtodo.eu, 1 +furtodo.hu, 1 +furtodo.pl, 1 +furtodo.sk, 1 +furtodobox.com, 1 +furtodobox.cz, 1 +furtodobox.eu, 1 +furtodobox.sk, 1 +furtodoit.com, 1 +furu-sato.com, 1 +furukawabenn.com, 1 +furuse-shika.com, 1 +furuy.com, 0 +furuyadc.com, 1 +furworks.de, 1 +furyalexmichaelides.com, 1 +fusacity.tk, 1 +fusacovi.cf, 1 +fuselight.nl, 1 +fuseos.net, 1 +fuseyahoken.com, 1 +fushee.com, 1 +fusi.tk, 1 +fusico.be, 1 +fusico.com, 1 +fusico.digital, 1 +fusion-lamps.com, 1 +fusionapps.com, 1 +fusionapps.net, 1 +fusionarmenia.tk, 1 +fusionas.tk, 1 +fusionauth.io, 1 +fusionbd.net, 1 +fusionespeluqueria.es, 1 +fusionfacades.co.uk, 1 +fusionfactory.tk, 1 +fusiongaming.de, 1 +fusionpatrol.com, 0 +fusionplatter.eu, 1 +fusions.co.jp, 1 +fusionstudios.tk, 1 +fusionvr.in, 1 +fuso.com.py, 1 +fuso.net, 1 +fussball-xxl.de, 1 +fussballmanager.de, 1 +fussballpiraten.com, 1 +fussballtransfers.com, 1 +fussboden-manufaktur.de, 0 +fussbodenmanufaktur.de, 0 +fussell.io, 1 +fussfetisch.tk, 1 +fussy.ee, 1 +fussycats.com, 1 +fussycats.uk, 1 +fusu.re, 1 +fuszara.eu, 1 +fut21gen.com, 1 +futa.agency, 1 +futa.wiki, 1 +futaba-works.com, 1 +futacockinside.me, 1 +futarara.ga, 1 +futaritomo.tk, 1 +futaroulette.com, 1 +futbito.com, 1 +futbol-tv.tk, 1 +futbolcba.com, 1 +futbolistasveteranas.com, 1 +futbolmodesto.tk, 1 +futbolus.tk, 1 +futbomb.com, 1 +futebolatualizado.tk, 1 +futebolbrasileirosnes.tk, 1 +futeboleapostasonline.com, 1 +futhark24.com, 1 +futhark24.eu, 1 +futhark24.net, 1 +futhark24.org, 1 +futharkhorde.tk, 1 +futieltextiel.be, 1 +futo.biz, 1 +futone.com.br, 1 +futos.de, 1 +futrou.com, 0 +futsalnews24.com, 1 +futunk.be, 1 +futunk.com, 1 +futunk.eu, 1 +futunk.net, 1 +futunk.nl, 1 +futurageindia.com, 1 +futurains.com, 1 +futurama-il.tk, 1 +futurama-latino.org, 1 +future-dance.tk, 1 +future-telecom.com, 1 +futureappin.com.au, 1 +futureaudiographics.com, 0 +futurecharcoal.com, 1 +futurefive.asia, 1 +futurefive.co.nz, 1 +futurefive.com.au, 1 +futureforward.coop, 1 +futurefuels.com.au, 1 +futurefund.com, 1 +futurefund.gov.au, 1 +futurefundapp.com, 1 +futuregamereleases.com, 1 +futuregaming.io, 1 +futuregrowthva.com, 1 +futureimmigration.net, 1 +futurenda.com, 1 +futurenewsforyou.com, 1 +futureofyoucdc.sg, 1 +futureplan.de, 1 +futureplanet.tk, 1 +futuresinmarketing.co.uk, 1 +futuresonline.com, 0 +futuresound.tk, 1 +futurestyletiling.com.au, 1 +futuretechtrends.co.uk, 1 +futurethinkers.org, 1 +futureville.city, 1 +futurewithoutfear.com, 1 +futurewithoutfear.org, 1 +futurewithoutfear.us, 1 +futureyouhealth.com, 1 +futurezone.at, 1 +futuristicarchitectures.tk, 1 +futuristicjobs.sk, 1 +futurity.ml, 1 +futurygames.com, 1 +fuulle.com, 1 +fuvelis.com, 1 +fuwafuwa.moe, 1 +fuwafuwatime.moe, 1 +fuwashima.moe, 1 +fuxgames.com, 1 +fuyu.moe, 1 +fuzenet.net, 1 +fuzigames.com, 1 +fuzion.co.th, 1 +fuzoku-sodan.com, 1 +fuzoku.jp, 1 +fuzzbucket.tk, 1 +fuzzi.es, 1 +fuzzing-project.org, 1 +fuzzlemann.de, 1 +fuzzy.domains, 1 +fuzzylogic.tk, 1 +fvap.gov, 1 +fvb.world, 1 +fvdm.com, 1 +fveevaete.com, 1 +fvformation.fr, 0 +fvg.io, 1 +fw-einsatz.de, 1 +fwaux.de, 1 +fwba.hopto.org, 1 +fwdx.net, 1 +fwest.ovh, 1 +fwest98.nl, 1 +fwest98.ovh, 1 +fwg.sk, 1 +fwkart.de, 1 +fwo.gov.au, 1 +fwpda.gov, 1 +fwr.cz, 1 +fws.gov, 1 +fwt99.com, 1 +fwt999.com, 1 +fwtapp.com, 1 +fwtewm.com, 1 +fwtpic.com, 1 +fwup.org, 1 +fwupd.org, 1 +fx-rating.com, 1 +fxbrokerreview.org, 1 +fxcg-education.com, 1 +fxcm-arabic.com, 1 +fxcm-asia.com, 1 +fxcm-chn.com, 1 +fxcm-global.com, 1 +fxcm-id.com, 1 +fxcm-markets.com, 1 +fxcm-online.com, 1 +fxcm.com.tw, 1 +fxcm.com.vn, 1 +fxcm.eu, 1 +fxcm.my, 1 +fxcm.vn, 1 +fxcmaffiliates.com, 1 +fxcmapps-asia.com, 1 +fxcmapps.com, 1 +fxcmbullion.com, 1 +fxcmchn.com, 1 +fxcmglobal.com, 1 +fxcmhub.com, 1 +fxcmidn.com, 1 +fxcmmkt.com, 1 +fxcmportal.com, 1 +fxcmtrader.com, 1 +fxcmvn.com, 1 +fxcmzh.com, 1 +fxcopierpro.com, 1 +fxeuropa.com, 1 +fxexplained.co.uk, 1 +fxgame.online, 1 +fxiaoke.com, 1 +fxislamic.com, 1 +fxnotch.com, 1 +fxopen.co.uk, 1 +fxopen.com, 1 +fxopen.com.au, 1 +fxopen.com.br, 1 +fxopen.com.mx, 1 +fxopen.my, 1 +fxopen.ru, 1 +fxp.at, 1 +fxp.co.il, 1 +fxperk.com, 1 +fxpig-ib.com, 1 +fxpunch.com, 1 +fxrates.com, 1 +fxstatus-chinese.com, 1 +fxstock.eu, 1 +fxstrategics.com, 1 +fxtalk.cn, 0 +fxtrade-lab.com, 1 +fxtwitter.com, 1 +fxwebstudio.com.au, 0 +fydjbsd.cn, 1 +fyfywka.com, 1 +fyllehack.se, 1 +fyllingen-elinst.no, 1 +fylm.ai, 1 +fyn.nl, 1 +fyn.software, 1 +fynbo.io, 1 +fyndiq.se, 1 +fyol.pw, 1 +fyou.co, 1 +fyp-aiman.com, 1 +fyphb.com, 1 +fyptt.to, 1 +fyrebox.guru, 1 +fyrehost.net, 0 +fyrfalkcontent.se, 1 +fyroeo.fr, 0 +fysio-ict.nl, 1 +fysiotherapie-ict.nl, 1 +fysiotherapie.tk, 1 +fysiotherapieapeldoornzuid.nl, 1 +fysiotherapiesimons.nl, 1 +fyss.ga, 1 +fysuite.com, 1 +fytorio-pasxalis.gr, 1 +fyziotonka.sk, 1 +fzoske.de, 1 +fzx750.ru, 1 +fzxx.eu.org, 1 +fzxx.xyz, 1 +g-c-z.cc, 1 +g-center.tk, 1 +g-dart.com, 1 +g-ds.de, 1 +g-electricity.ml, 1 +g-fruit.gr, 1 +g-lab.xyz, 1 +g-m-w.eu, 1 +g-p-design.com, 1 +g-printec.com, 1 +g-rom.net, 1 +g-sp.azurewebsites.net, 1 +g-tea.ml, 1 +g.co, 0 +g00228.com, 1 +g01.in.ua, 1 +g0158.com, 1 +g0881.com, 1 +g0man.com, 1 +g1.ie, 1 +g10e.ch, 1 +g15ubezpieczenia.pl, 1 +g1reeds.com, 1 +g2-inc.com, 1 +g2fdistribuidora.com.br, 1 +g2jp.uk, 1 +g2links.com, 0 +g2llc.com, 1 +g2pla.net, 1 +g2soft.net, 0 +g36533.com, 1 +g36594.com, 1 +g3circuit.com, 1 +g3d.ro, 1 +g3hardcore.tk, 1 +g3homefoods.com, 1 +g47.web.id, 1 +g4v.in, 1 +g4w.co, 1 +g5.gov, 1 +g51365.com, 1 +g5197.co, 1 +g5yss.uk, 1 +g6666g.tk, 1 +g6729.co, 1 +g6957.co, 1 +g6957.com, 0 +g72020.gov, 1 +g7campdavid.gov, 1 +g7liveseafood.com.sg, 1 +g7usa.gov, 1 +g82365.com, 1 +g8energysolutions.co.uk, 1 +g9297.co, 1 +g9728.co, 1 +ga-digitazion.com, 1 +ga-part.ru, 1 +gaaog.com, 1 +gaasuper6.com, 1 +gabaldon.eu, 1 +gabaldon.nl, 1 +gabapentin.gq, 1 +gabare-loire.com, 1 +gabbeh.jp, 1 +gabby-online.tk, 1 +gabby.vn, 0 +gabbyer.ga, 1 +gabbyer.gq, 1 +gabbyer.ml, 1 +gabe.download, 1 +gabe.house, 1 +gabe.pics, 1 +gabe.watch, 1 +gabe565.com, 1 +gabecook.com, 1 +gabelli.com, 1 +gabethebabetv.com, 1 +gabigold.net, 1 +gabijazava.com, 1 +gabinet-okulistyczny.tk, 1 +gabiocs.com, 1 +gabiz.tk, 1 +gablermade.com, 1 +gablesplasticsurgery.com, 1 +gablesportsga.com, 0 +gablesvets.co.uk, 1 +gably.net, 1 +gabnotes.org, 1 +gabodesign.tk, 1 +gabonflash.com, 0 +gaborg.hu, 1 +gabraham.tk, 1 +gabriel.to, 1 +gabrielaebruno.cf, 1 +gabrielafriasfanclub.tk, 1 +gabrielcury.tk, 1 +gabriele-kluge.de, 1 +gabrielemarino.tk, 1 +gabrielflores.tk, 1 +gabrielg.es, 1 +gabrielgn.com.br, 0 +gabriella.cf, 1 +gabriellabastos.tk, 1 +gabriellearruda.com, 1 +gabrielrm.dynu.net, 1 +gabrielsimonet.ch, 1 +gabrielsteens.nl, 1 +gabrielyin.com, 0 +gabryjeluk.tk, 1 +gabskent.de, 1 +gabtitui.gov.au, 1 +gabucho.tk, 1 +gabyclark.com, 1 +gabyminneboo.tk, 1 +gabysoft.tk, 1 +gabz.net, 1 +gachea.cl, 1 +gachimuchi.ru, 1 +gachiyase.com, 1 +gachter.name, 0 +gaci88play.com, 1 +gacirenin.cf, 1 +gacirenin.tk, 1 +gackowski.tk, 1 +gadabit.pl, 1 +gadaj.eu, 1 +gadalkindom.ru, 1 +gadanie.cf, 1 +gadanie.ml, 1 +gadatel.ml, 1 +gaddiblog.com, 1 +gaddini.it, 1 +gadecs.com, 1 +gadget-freak.cf, 1 +gadget-hat.tk, 1 +gadget-tips.com, 1 +gadgetflashers.ga, 1 +gadgetflip.com, 1 +gadgetfreak.cf, 1 +gadgetgalaxy.ro, 1 +gadgetgi.ga, 1 +gadgetguideonline.com, 1 +gadgethacks.com, 1 +gadgetick.com, 1 +gadgetinfo.ga, 1 +gadgetized.net, 1 +gadgetmaker.tk, 1 +gadgetmaniac.tk, 1 +gadgets-cars.com.es, 1 +gadgets-mall.com, 1 +gadgetsandwearables.com, 1 +gadgetsgigabytesandgoodwill.com, 1 +gadgetshome.ml, 1 +gadgetslab.tk, 1 +gadingpromosindo.tk, 1 +gadkiy-farm.tk, 1 +gadsdensoefl.gov, 1 +gadse.games, 1 +gadzilla.tk, 1 +gaeldst.dk, 1 +gaelico.tk, 1 +gaemsofyesterday.com, 1 +gaengler.com, 1 +gaestehaus-leipzig.de, 1 +gaestehaus-monika.com, 1 +gaetanosonline.com, 1 +gafachi.com, 1 +gafan.cf, 1 +gaff-rig.co.uk, 1 +gaflooring.com, 1 +gag101.com, 1 +gaganenterprises.in, 1 +gagarin.ga, 1 +gagecountyne.gov, 1 +gagekroljic.com, 1 +gagesmith.tk, 1 +gagne.tk, 1 +gagnerenfant.tk, 1 +gagor.pl, 0 +gagramore.cf, 1 +gagygnole.ch, 0 +gaheztexab.com, 1 +gaiafood.co, 1 +gaijin.network, 1 +gailfellowsphotography.com, 1 +gaines-sodiamex.fr, 0 +gainesborotn.gov, 1 +gainesvillega.gov, 1 +gainingadvantage.com, 1 +gainnet.ru, 1 +gaio-automobiles.fr, 1 +gaireg.de, 1 +gais.tk, 1 +gaitandmobility.com, 1 +gaitasenlavereda.tk, 1 +gaite.me, 0 +gaitrehabilitation.com, 1 +gaitresearch.com, 1 +gajabhindi.cf, 1 +gajabhindi.tk, 1 +gajas18.com, 1 +gajda.cz, 1 +gajowniczek.eu, 1 +gajqc.gov, 1 +gakkainavi-epsilon.net, 1 +gakki.photos, 1 +gaku-architect.com, 1 +gaku-nkc.net, 1 +gala.im, 1 +gala.kiev.ua, 0 +galabands.info, 1 +galact.tk, 1 +galaksidot.tk, 1 +galaktika-znakomstv.tk, 1 +galaltosalento.it, 1 +galama.tk, 1 +galamusik-band.de, 1 +galamusikband.de, 1 +galanight.cz, 1 +galapagos.cx, 1 +galapagosbig15.com, 1 +galardica.com, 1 +galasin.cf, 1 +galasin.ga, 1 +galatabazaar.com, 1 +galavanmoskou.tk, 1 +galaw.gov, 1 +galax.tech, 1 +galax.us, 1 +galaxieblog.com.my, 0 +galaxit.ch, 1 +galaxus.at, 1 +galaxus.ch, 1 +galaxus.com, 1 +galaxus.de, 1 +galaxus.eu, 1 +galaxus.fr, 1 +galaxy.edu.pe, 1 +galaxyaudiobook.com, 1 +galaxyeuropemusic.com, 1 +galaxymedia.tk, 1 +galaxyofebooks.com, 1 +galaxyplex.tk, 1 +galaxyscientific.com, 1 +galaxystaking.space, 1 +galaxysweeper.com, 1 +galaxytracker.tk, 1 +galearquitetura.com.br, 1 +galecommercial.com, 1 +galefacialplastics.com, 1 +galenguyer.com, 1 +galenreasoner.com, 1 +galenzoski.com, 1 +galepaal.tk, 1 +galeria-reisen.de, 1 +galeria42.com, 1 +galeriabunkers.tk, 1 +galeriakobylarz.pl, 1 +galeriarr.pl, 1 +galerias-xamoralarte.cf, 1 +galerias-xamoralarte.ga, 1 +galerie-claudia-walz-nagold.tk, 1 +galerie-com.com, 1 +galerie-saintgermain.fr, 1 +galeries.photo, 0 +galeriesimple.fr, 1 +galexlee.com, 1 +galfar.jp, 1 +galfarma.cl, 1 +galgamer.eu.org, 1 +galgamer.moe, 1 +galganoboutique.com, 1 +galgoafegao.com.br, 1 +galgoingles.com.br, 1 +galgopersa.com.br, 1 +galhristova.com, 1 +galia.bg, 1 +galiciamaxica.eu, 0 +galiciasensual.tk, 1 +galickidigital.ie, 1 +galilahiskye.com, 1 +galilei.tk, 1 +galileicompara.com, 1 +galileo.io, 1 +galileohealth.com, 1 +galim.org.il, 1 +galina.ga, 1 +galinas-blog.de, 1 +galinkltd.com, 1 +galinos.gr, 1 +galip.nl, 1 +galiuzvejoti.org, 1 +galive.ga, 1 +galizae-sports.tk, 1 +galj.info, 1 +gallagherperformance.com, 1 +gallaghertownshippa.gov, 1 +gallant.tk, 1 +gallatinhousecleaning.com, 1 +galle.cz, 1 +galleonwaymedical.com.au, 1 +galleriacontinua.com, 1 +gallerify.eu, 1 +gallery-easysolution.tk, 1 +gallery-kaze.jp, 1 +galleryinfo.ga, 1 +gallerywestframeplant.com, 1 +gallesproperties.com, 1 +gallest.cf, 1 +gallest.ga, 1 +galleyfoods.com, 1 +gallifordtry.co.uk, 1 +gallifreyan-koala.tech, 1 +gallifreyapp.co.uk, 1 +gallifreypermaculture.com.au, 1 +gallivare.se, 1 +gallmeyer-consulting.com, 1 +gallopingkylin.com, 1 +gallun-shop.com, 1 +galoforo.it, 1 +galoserver.org, 1 +galpsafetytalks-portal-preprod.azurewebsites.net, 1 +galpsafetytalks-portal-production.azurewebsites.net, 1 +galtelligence.com, 1 +galton.sk, 1 +galtonbrands.com, 1 +galtonbrands.es, 1 +galtondev.com, 1 +galvincdn.com, 1 +galvingao.com, 1 +galvinism.ink, 1 +galwaytooughterardgreenway.ie, 1 +galwew.ga, 1 +gamadomesticos.com, 1 +gamagam.gq, 1 +gamalawadforum.tk, 1 +gamalhamza.tk, 1 +gamanlu.com, 1 +gambarian.com, 1 +gamberorosso.menu, 1 +gamberorotto.com, 1 +gambetti.fr, 1 +gambiafishing.tk, 1 +gambiapagina.tk, 1 +gambinotrasporti.it, 1 +gambisti.de, 1 +gambit.pro, 1 +gambitnash.co.uk, 1 +gambitnash.com, 1 +gambitprint.com, 1 +gamblersgaming.eu, 1 +gamblerspick.com, 1 +gambling-business.club, 1 +gamblingaffiliatevoice.com, 1 +gamblingconsulting.expert, 1 +gamburger.tk, 1 +gamcore.com, 1 +game-club.me, 1 +game-designers.net, 1 +game-developers.org, 1 +game-dominion.tk, 1 +game-files.net, 0 +game-gentle.com, 1 +game-net.ml, 1 +game-repack.site, 1 +game.es, 1 +game.gal, 1 +game4less.com, 1 +game818play.com, 1 +game88play.com, 1 +gameanalytics.com, 1 +gameapexlegends.com, 1 +gamebase.tk, 1 +gamebillingcentre.com, 1 +gamebits.net, 0 +gameblabla.nl, 1 +gameboyarchive.com, 1 +gamebrott.com, 1 +gamecarddelivery.com, 1 +gamecdn.com, 0 +gameclimax.cf, 1 +gameclimax.tk, 1 +gameclue.jp, 1 +gamecollector.be, 1 +gameconservation.org.uk, 1 +gameconsole.co.nz, 1 +gamecs.tk, 1 +gamecss.ml, 1 +gamedaim.com, 1 +gameday.org.uk, 1 +gamedealsnow.com, 1 +gamedna.studio, 1 +gamedware.com, 1 +gameexpress.tk, 1 +gamefarm.ru, 1 +gamefear.ga, 1 +gamefear.tk, 1 +gameflip.com, 1 +gamefoster.com, 1 +gamefreek.tk, 1 +gamegainlx.cf, 1 +gamegear.club, 0 +gamegix.com, 1 +gamegoddess.cf, 1 +gamegoddess.tk, 1 +gamegoone.tk, 1 +gamegrad.tk, 1 +gameharbor.eu, 1 +gamehighquality.tk, 1 +gameimani.ga, 1 +gameindustry.eu, 1 +gameisbest.jp, 1 +gamejobs.co, 1 +gamekaitori.jp, 0 +gamekb.gq, 1 +gamekeepers.cz, 1 +gamekeybox.tk, 1 +gamekiller.ga, 1 +gamelarix.com, 1 +gamelink.com, 1 +gameloft.ga, 1 +gamelok.ga, 1 +gamemakers.tk, 1 +gamenerd.net, 1 +gamenew.tk, 1 +gameofbooks.de, 1 +gameonespirit.tk, 1 +gameoveronline.tk, 1 +gamepad.com.br, 1 +gameplaysforkids.com, 1 +gameplus.win, 1 +gamepokies.ml, 1 +gameportalmoz.tk, 1 +gamepower.tk, 1 +gamepres.org, 0 +gamepunel.cf, 1 +gamepunel.tk, 1 +gamepunelita.cf, 1 +gamepunelita.tk, 1 +gamepuzzleinfo.tk, 1 +gamer-vip.com, 1 +gameracinginfo.tk, 1 +gamerankings.com, 1 +gamerant.com, 1 +gamercredo.com, 1 +gamereactor.asia, 1 +gamereactor.cn, 1 +gamereactor.de, 1 +gamereactor.dk, 1 +gamereactor.es, 1 +gamereactor.eu, 1 +gamereactor.fi, 1 +gamereactor.fr, 1 +gamereactor.it, 1 +gamereactor.no, 1 +gamereactor.pt, 1 +gamereactor.se, 1 +gamerepository.ga, 1 +gamerepublic.hu, 0 +gameres.com, 1 +gamering.cf, 1 +gamerkings.tk, 1 +gamers-community.tk, 1 +gamers-paradise.tk, 1 +gamersedge.tk, 1 +gamersflix.com, 0 +gamersgrill.com, 1 +gamersheaven.tk, 1 +gamersplace.tk, 1 +gamerspost.ga, 1 +gamerstudiozinc.tk, 1 +gamersuniverse.tk, 1 +gamersweb.ga, 1 +gamertelligence.com, 1 +gamertrashers.ga, 1 +gamerturk.tk, 1 +gamerwelfare.com, 1 +gamerzdot.com, 1 +games-rt.ru, 1 +games-station.tk, 1 +games2kids.net, 1 +games4theworld.org, 1 +gamesandcasino.com, 1 +gamesaviour.com, 1 +gamesbap.com, 1 +gamescore.tk, 1 +gamescum.ru, 1 +gamesdepartment.co.uk, 0 +gamesector.tk, 1 +gameserver-admin.ga, 1 +gameserver-sponsor.me, 1 +gameserver.fun, 1 +gamesgalaxy.it, 1 +gamesgate.tk, 1 +gameshack.io, 1 +gameship.ga, 1 +gameshopsrbija.com, 1 +gameshowchallenge.ie, 1 +gamesmagic.tk, 1 +gamesone.tk, 1 +gamespark.ga, 1 +gamespark.tk, 1 +gamespider.tk, 1 +gamesplanet.com, 1 +gamesplanet.tk, 1 +gamesputnik.ru, 1 +gamestand.net, 1 +gamester.tv, 1 +gamesunited.tk, 1 +gamesweek.melbourne, 1 +gametainment.net, 1 +gametilt.com, 1 +gametium.com, 1 +gametium.es, 1 +gametowndev.tk, 1 +gametube.website, 1 +gameview.tk, 1 +gamewarden.org, 1 +gamewardenedu.org, 1 +gamewayz.online, 1 +gamewinninggoal.com, 1 +gameworldcdr.tk, 1 +gamezero.nl, 1 +gamezon.ga, 1 +gamezon.tk, 1 +gamezsmack.com, 1 +gamhealth.net, 1 +gamifi.co.uk, 1 +gamilab.no, 1 +gamindustri.fr, 1 +gaming-club.tk, 1 +gaming-dice.tk, 1 +gaming-life.tk, 1 +gaming-news.tk, 1 +gaming-online.tk, 1 +gamingaktier.com, 1 +gamingblogx.com, 1 +gamingboard.eu, 1 +gamingdirectory.com, 1 +gamingdose.com, 1 +gamingerox.com, 1 +gamingexodus.com, 1 +gamingexperts.ga, 1 +gamingforecast.com, 1 +gaminggear.bg, 1 +gaminghost.ml, 1 +gaminglaptop.deals, 1 +gaminglessonest.ga, 1 +gamingmeets.com, 1 +gamingmonitortest.com, 1 +gamingph.com, 1 +gamingregulation.com, 1 +gamingtech.es, 1 +gamingterritory.com, 1 +gamingtilltheend.cf, 1 +gamingtoday.ga, 1 +gamingtopbox.ga, 1 +gamingwesters.ga, 1 +gamingwithcromulent.com, 1 +gamingx.tk, 1 +gamingzoneservers.com, 1 +gamishijabsyari.com, 1 +gamishou.fr, 1 +gamivo.com, 1 +gamize.com, 1 +gamma-travel.fr, 1 +gammabeyond.com, 1 +gammaboxtech.com, 1 +gammabrossfrance.fr, 1 +gammaknife.com, 1 +gammaphibeta.tk, 1 +gammonvillage.com, 1 +gamrenovation.ca, 1 +gamv.eu, 1 +gan.wtf, 1 +ganado.org, 0 +ganaha.org, 1 +ganardinerillo.tk, 1 +ganasoku.net, 1 +gancedo.com.es, 1 +gandalfcz.tk, 1 +gandalfservice.com, 1 +gandalfthefeline.com, 1 +gandmfamilydental.com, 1 +gandmltd.co.uk, 1 +gangbangs.tk, 1 +gangbangteen.net, 1 +ganggalbichler.at, 1 +ganglioslinfaticos.com, 1 +gangnamcool.com, 1 +gangnamoffices.com, 1 +gangrulz.tk, 1 +gangstafier.tk, 1 +gangstaflow.tk, 1 +gangsterz.tk, 1 +ganintegrity.com, 0 +gankel.nl, 1 +ganneff.de, 1 +gannett-cdn.com, 1 +gannettinnovation.com, 1 +ganodermatiendaonline.com, 1 +gant.tk, 1 +gantt-chart.com, 1 +ganyouxuan.com, 1 +gao.rocks, 1 +gao4.pw, 1 +gaodebo.com, 1 +gaoice.run, 1 +gaoice.top, 1 +gaoinnovation.gov, 1 +gaoinnovationlab.gov, 1 +gaoinnovations.gov, 1 +gaojianli.me, 1 +gaojianli.tk, 1 +gaojue.art, 1 +gaon.network, 1 +gaoqirun.com, 1 +gaos.org, 1 +gap150.jp, 1 +gapfa.ro, 1 +gaphag.ddns.net, 1 +gaponov.tk, 1 +garage-leone.com, 1 +garage.click, 1 +garage042.bg, 1 +garage15.com.ua, 1 +garagechief.com, 1 +garagedejan.ch, 1 +garagedoorrepaircedarhilltx.com, 1 +garageenginuity.com, 1 +garagemhermetica.org, 1 +garagen-crew.de, 1 +garagenet.com, 1 +garageportcenter.se, 1 +garagerogge.be, 1 +garanteasy.com, 1 +garantieabschluss.de, 1 +garantplus.kz, 1 +gararin.com, 1 +garaventa.com, 1 +garbage-juice.com, 1 +garbarinocatalogo.com, 1 +garbuszus.de, 1 +garbuz.ga, 1 +garcia-leplus.com, 1 +garciacarrion.com, 0 +garciaconstruction.com, 1 +garcialeplus.com, 1 +garciam.gt, 1 +garciaortiz.com, 1 +garco.co, 1 +garda-see.mobi, 1 +gardarika.tk, 1 +garden-land.ga, 1 +garden-life.org, 1 +garden-view.com, 1 +garden4less.co.uk, 1 +gardenblog.tk, 1 +gardencentreshopping.co.uk, 1 +gardencityal.gov, 1 +gardengameshireuk.com, 1 +gardeninggroot.com, 1 +gardenofads.com, 1 +gardenplantslife.com, 1 +gardenroomsdirect.co.uk, 1 +gardenstatecakes.com, 1 +gardensuperstore.com.au, 1 +garder.me, 1 +gardikagigih.com, 1 +gardinenzubehoer.tk, 1 +gardinia.ae, 1 +gardinpets.com, 1 +gardis.ua, 1 +gardnerlawyers.com, 1 +gardonslecap-covid19.ch, 1 +garduri-electrice-animale.ro, 1 +gardurialuminiuiasi.ro, 1 +garethbowker.com, 1 +garethbowker.uk, 1 +garethkirk.com, 1 +garethkirkreviews.com, 1 +garethrhugh.es, 1 +garfieldairlines.net, 1 +garfieldairlines.tk, 1 +garfieldcountyne.gov, 1 +garfieldcountywa.gov, 1 +gargantuan.tk, 1 +gargantuan.wang, 1 +gargas.ml, 1 +gargazon.net, 1 +gargola.tk, 1 +garibaldi.gov, 1 +gariganshi.ml, 1 +garip.me, 1 +garito3pa.tk, 1 +garlandcountyar.gov, 1 +garmonia.ml, 1 +garmonia.tk, 1 +garnerseo.co.uk, 1 +garnetnv.com, 1 +garnix-openair.de, 1 +garnuch-immo.de, 1 +garnuchbau.de, 1 +garo.email, 1 +garo.legal, 1 +garo.ninja, 1 +garochristian.us, 1 +garona.ru, 1 +garonna.com.ua, 1 +garotadeestilo.tk, 1 +garotastop10.tk, 1 +garotos.gq, 1 +garotos.tk, 1 +garp.org, 1 +garrafastermicas.net.br, 1 +garrardcountyky.gov, 1 +garrettcornwell.tk, 1 +garrettcountymd.gov, 1 +garrettmotion.com, 1 +garrettpopcorn.com, 1 +garrettrasel.com, 1 +garrigan.info, 1 +garrigan.nyc, 1 +garriganenterprises.com, 1 +garriganenterprises.net, 1 +garriganenterprisesinc.com, 1 +garriganenterprisesinc.net, 1 +garron.net, 1 +garrow.se, 1 +garrowdigitalmedia.com, 1 +garrowmediallc.com, 1 +garryserver.de, 1 +garsio.com, 1 +garstonvets.co.uk, 1 +gartanien.de, 1 +garten-diy.de, 1 +gartenbaur.de, 1 +gartengutachter.org, 1 +gartenplanung-brendes.de, 1 +gartmaninsurance.net, 1 +garudam.info, 1 +gary.gov, 1 +garycarmell.com, 1 +garyjones.co.uk, 1 +garyrh.com, 1 +garystallman.com, 1 +garywhittington.com, 0 +gas-boilers.tk, 1 +gas-proekt.tk, 1 +gasar.com, 1 +gasbarkenora.com, 1 +gasenergy.kz, 1 +gasesdelaguajira.com, 1 +gasfitermaipu.cl, 1 +gashalot.com, 1 +gasherde.tk, 1 +gasinstallationsjohannesburg.co.za, 1 +gasmar.cl, 1 +gasometria.com, 1 +gaspard-ulliel.tk, 1 +gasparesganga.com, 1 +gasscc.id, 1 +gassero.com, 0 +gasslerorourke.com, 0 +gassouthkenticoqa.azurewebsites.net, 1 +gassycat.be, 1 +gassycat.co.uk, 1 +gassycat.eu, 1 +gassycat.uk, 1 +gassyukumenkyoguide.com, 1 +gastarbajter.tk, 1 +gastepress.com, 1 +gasthausbauernhof.ch, 1 +gasthaustalacher.ch, 1 +gastonvietto.tk, 1 +gastouderbureausnoesje.nl, 1 +gastoudererenda.nl, 1 +gastro-dino.de, 1 +gastroalianza.es, 1 +gastroboom.kz, 1 +gastroboss.cz, 1 +gastrodino.com, 1 +gastrodino.de, 1 +gastroenterologen.no, 1 +gastrolab.tk, 1 +gastromedicalcenter.com.br, 1 +gastronom.ga, 1 +gastronomias.com.pt, 1 +gastrosfera.info, 1 +gastrotiger.at, 1 +gastrotiger.de, 1 +gatachic.com.br, 1 +gatapro.net, 0 +gate.sc, 1 +gate2home.com, 1 +gate4you.com, 1 +gatehub.net, 1 +gatekiller.co.uk, 1 +gatemaster.ga, 1 +gatemotorsbedfordview.co.za, 1 +gatemotorskyalami.co.za, 1 +gatemoves.com, 1 +gatenz-panel.com, 1 +gates-of-olympus-app.com, 1 +gatesstlouis.com, 1 +gatestoaesgaard.tk, 1 +gateway-cart.com, 1 +gatewaybridal.com, 1 +gatewayfurniture.com, 1 +gatewayp.com, 1 +gatewaytire.com, 1 +gatewaytrial.com, 1 +gatewaytrust.org.uk, 1 +gathegi.ga, 1 +gatherling.com, 1 +gatherup.com, 1 +gathu.co.ke, 1 +gatilagata.com.br, 1 +gatilhoarmas.com.br, 1 +gatlink.tk, 1 +gatoland.es, 1 +gatolovers.es, 1 +gatomix.net, 1 +gator34.com, 1 +gatoslivres.org, 1 +gattomatto.tk, 1 +gatturkey.com, 1 +gauche.com, 1 +gaudeamus-folklor.cz, 1 +gaudeamuschoir.tk, 1 +gaudere.co.jp, 1 +gaudi-renove.com, 1 +gaumenverfuehrer.de, 1 +gaurl.ga, 1 +gautam-iiith.tk, 1 +gautam-k.tk, 1 +gautengplumber24-7.co.za, 1 +gauthier.dk, 1 +gauthier.tel, 1 +gauting.de, 1 +gavarny.be, 1 +gavaskee.com, 1 +gavilanz.ddnsfree.com, 1 +gavin.sh, 1 +gavinbrown.ca, 1 +gavingreer.com, 1 +gavinnewsom.com, 1 +gavins.stream, 1 +gavintang.me, 1 +gavlix.se, 1 +gavr.space, 1 +gaw.sh, 1 +gay-chat.it, 1 +gay-jays.com, 1 +gay-personal-ads.com, 1 +gay.systems, 1 +gayanalysing.co.uk, 1 +gayauthors.org, 1 +gaycafe.lt, 1 +gaychatrooms.tk, 1 +gaycock4u.com, 1 +gaycum.de, 0 +gayfeedr.com, 1 +gayfr.online, 1 +gayfr.social, 1 +gayga.gov, 1 +gaygay.pro, 1 +gaygeeks.de, 1 +gayglobaltravel.com, 0 +gayhotmovies.com, 1 +gaymen.pictures, 1 +gaymer.network, 1 +gaymerx.org, 1 +gaynight.tk, 1 +gayonly.ch, 1 +gaypornvideos.xxx, 1 +gayreppc.com, 1 +gaysexpositions.guide, 1 +gaytor.rent, 1 +gaytorrent.ru, 1 +gaytubec.com, 1 +gayuhtri.my.id, 1 +gayukai.net, 1 +gazapos.ga, 1 +gazaryan.tk, 1 +gazbonicacidmc.ga, 1 +gazeta-n1.ru, 1 +gazete.org, 1 +gazetefutbol.de, 1 +gazette.govt.nz, 1 +gazettengr.com, 1 +gazi.edu.tr, 1 +gazik.com.ua, 1 +gazizov.tk, 1 +gazobeton-don.ru, 1 +gazor.tk, 1 +gazoz.ga, 1 +gazst.ru, 1 +gazza.tk, 1 +gb-bilder.com, 1 +gb-repair.com, 1 +gba.ge, 1 +gba.gob.ar, 1 +gbatroid.com, 1 +gbcdigitalmarketing.com, 1 +gbcomm.tk, 1 +gbcsummercamps.com, 1 +gbdavisplasticsurgery.com, 1 +gbes.com, 1 +gbfoundation.org, 1 +gbhem.org, 1 +gbi-etalon.ru, 1 +gbika.org, 1 +gbinsta.com, 1 +gbiotech.tk, 1 +gbisigma.com, 1 +gbk-host.de, 1 +gbk-teamplan.de, 1 +gbkom.de, 1 +gbl.selfip.net, 0 +gboys.net, 0 +gbp.com.ph, 1 +gbpayments.io, 1 +gbpicshd.com, 1 +gbquotes.com, 1 +gbrand.com.au, 1 +gbs.com.ua, 1 +gbsapri.it, 1 +gbscience.com, 1 +gbsvelasco.com, 1 +gbusercontent.com, 1 +gbwhats.cc, 1 +gc-event-manager.com, 1 +gc-hartberg.tk, 1 +gc-mc.de, 1 +gc-pfalz.de, 1 +gc.ru.net, 1 +gc22.xyz, 1 +gc4hr.org, 1 +gcabrasives.co.uk, 1 +gcaresolutions.com, 1 +gcautodeals.com, 1 +gcb.com.my, 1 +gcbit.dk, 1 +gcc-globalclimatechange.com, 0 +gccfoodstuff.com, 0 +gcdamp.gov, 1 +gcfadvisors.com, 1 +gcgeeks.com.au, 1 +gcgroup.io, 1 +gchp.ie, 0 +gchq.lol, 1 +gchq.wtf, 1 +gclegal.com.au, 1 +gclpower.com, 1 +gcmsnotes.com, 1 +gcode.space, 1 +gcoded.de, 1 +gcolomboart.com, 1 +gconcept.tk, 1 +gconstruction.org, 1 +gcoption.pro, 1 +gcorevape.ca, 1 +gcqd.fr, 1 +gcrm.jp, 1 +gcs-ventures.com, 1 +gcschool.tk, 1 +gcsepod.com, 1 +gcsm-qc.ca, 1 +gcso.gov, 1 +gcstechnologies.com, 1 +gctdtx.gov, 1 +gcuf.edu.pk, 1 +gcustom.email, 1 +gcwatx.gov, 1 +gcwcid1tx.gov, 1 +gcwholistic.com, 1 +gd-ots.com, 1 +gd1214b.icu, 0 +gda.gov.lb, 1 +gdacs.org, 1 +gdax.com, 1 +gdb.re, 1 +gddzqg.com, 1 +gdedoma.ru, 1 +gdesemena.ru, 1 +gdhzcgs.com, 1 +gdiary.net, 1 +gdit.com, 1 +gdkn0.gq, 1 +gdm.cl, 1 +gdngs.de, 1 +gdoce.es, 0 +gdomusicaeventi.tk, 1 +gdpr-pohotovost.cz, 1 +gdpr.fr, 1 +gdretrofunk.cf, 1 +gdtd.info, 1 +gdufe.top, 1 +gdv.me, 0 +gdwservices.com, 1 +gdz.tv, 1 +gdz4you.com, 1 +ge1.me, 0 +ge3k.net, 1 +gea-waldviertler.at, 1 +geafworks.tk, 1 +geaiai.com, 1 +gealot.com, 1 +geansunter.com, 1 +gear-acquisition-syndrome.community, 1 +gear4music.ch, 1 +gear4music.com, 1 +gear4music.de, 1 +gear4music.dk, 1 +gear4music.es, 1 +gear4music.fr, 1 +gear4music.ie, 1 +gear4music.it, 1 +gear4music.nl, 1 +gear4music.no, 1 +gear4music.se, 1 +gearallnews.com, 1 +gearbot.rocks, 1 +gearboxhero.com, 1 +gearev.net, 1 +gearfinder.nl, 1 +gearnews.tk, 1 +gearset.com, 1 +gearsupply.com, 0 +geaskb.nl, 0 +geass.xyz, 1 +geauxdns.com, 1 +geba-online.de, 1 +gebaeude-braun.de, 1 +gebaeudebilanzierung.de, 1 +gebaeudeklima-schweiz.ch, 1 +gebeliktakibim.com, 1 +geben.digital, 1 +gebhardtinsurancegroup.com, 1 +gebiert.de, 1 +gebn.co.uk, 1 +gebn.uk, 1 +geborgen-wachsen.de, 1 +gebpow.com, 1 +gebruikershandleiding.com, 1 +gebrvoit.de, 1 +gebzehaliyikama.net, 1 +gecbunlari.com, 1 +gecem.org, 1 +gechr.io, 1 +geckler-ee.de, 0 +geckos-geocaching.de, 1 +geckosurfschool.com, 1 +gecosan.com, 1 +gedachtekaarsje.nl, 1 +gedankenworks.com, 0 +geder.at, 1 +gedichtensite.tk, 1 +gediga.net, 1 +gedlingcastlehire.co.uk, 1 +gedlingtherapy.co.uk, 1 +geecrat.com, 1 +geek-hub.de, 1 +geek-rooms.tk, 1 +geek.ch, 1 +geek.com.tr, 1 +geek1.de, 1 +geekabit.nl, 1 +geekanatomy.com, 1 +geekandi.com, 1 +geekariom.com, 0 +geekashell.tk, 1 +geekattitude.org, 1 +geekbundle.org, 1 +geekcore.tk, 1 +geekcq.com, 1 +geekcreations.co.uk, 1 +geekdocs.de, 0 +geekdoit.com, 1 +geekedin.ga, 1 +geekflare.com, 1 +geekgear.tk, 1 +geekgirltech.com, 1 +geekhelpline.com.au, 1 +geekium.me, 1 +geeklair.net, 1 +geeklan.co.uk, 1 +geekles.net, 1 +geekmagazine.com.br, 1 +geeknik.com, 1 +geekofeminin.com, 1 +geekowl.com, 1 +geekpad.com, 1 +geekplay.fr, 1 +geekport.net, 1 +geekpost.net, 1 +geeks.berlin, 1 +geeks.lgbt, 0 +geeks.one, 0 +geeksforrent.com, 1 +geekshirts.cz, 1 +geeksontap.com.au, 1 +geekspace.gq, 1 +geeksquadforums.tk, 1 +geekstreet.fr, 1 +geekstuff.tk, 1 +geektarven.com, 1 +geektechsolutions.com.au, 1 +geektechypro.tk, 1 +geektopia.es, 1 +geekurl.cf, 1 +geekwhack.org, 1 +geekwithabudget.com, 1 +geekwu.org, 1 +geekyboi.co.uk, 1 +geekymansion.com, 1 +geekynutritionist.com, 1 +geekystudios.us, 1 +geekz.sk, 1 +geekzone.co.nz, 1 +geekzone.fr, 1 +geekzuprepairs.com, 1 +geelaeden.de, 1 +geele.co.th, 1 +geemprestimos.com, 1 +geenspam.net, 1 +geentsefeesten.be, 1 +geeq.ch, 1 +geerdsen.net, 1 +geertdegraaf.nl, 1 +geertjanvanhest.nl, 1 +geertswei.nl, 1 +geestelijkgezondgent.be, 1 +geesthof.de, 1 +gefinances.com, 1 +gefolge.org, 1 +gegeco.ch, 0 +gegevensdelen.nl, 1 +geh.li, 1 +gehirn.co.jp, 1 +gehirn.jp, 1 +gehirnapis.jp, 1 +gehirnstatus.jp, 1 +gehopft.de, 1 +gehrdencarre.de, 1 +gehrke.cloud, 1 +gehrke.in, 1 +gehrke.nrw, 1 +gehsicht.de, 1 +geico.com, 1 +geigr.de, 1 +geilefrauen.pics, 1 +geileverhalen.tk, 1 +geiser-family.ch, 1 +geishamika.com, 1 +geisten.net, 1 +geitenijs.com, 1 +gekko.tk, 1 +gekkoldprom.com, 1 +gekleurdverleden.be, 1 +geko.cf, 1 +gelaendermanufaktur.de, 1 +gelan.nl, 1 +gelanc.ml, 1 +gelaterista.de, 1 +gelb-computer.de, 1 +gelcocktail.fr, 1 +geld-im-blick.de, 1 +geld-magazin.info, 1 +geldimblick.de, 1 +geldmaat.nl, 1 +geldoderleben.tk, 1 +geldspelletjes.net, 1 +geldteveel.eu, 1 +geldvoorelkaar.nl, 1 +geleenbeekdal.nl, 1 +geleia-real.com, 1 +geli-graphics.com, 1 +gelijk.cf, 1 +gelisimakademi.com.tr, 1 +gellis12.com, 1 +gelmostop.tk, 1 +geloft.cf, 1 +geloft.gq, 1 +gelog-software.de, 0 +gelonghui.com, 1 +geloofindemocratie.nl, 1 +geloven-enzo.nl, 1 +gelsey.com, 1 +geluidsstudio.com, 1 +geluidstechniek.tk, 1 +geluidsverwachting.nl, 1 +gelukkigehonden.nl, 1 +geluleminceur.fr, 1 +gelvetika.cf, 1 +gem-forex.org, 1 +gem-forex.pro, 1 +gem-info.fr, 0 +gemahui.su, 1 +gemails.eu, 1 +gemaskeerd.nl, 1 +gemawardian.com, 1 +gemax-online.de, 1 +gembet99.com, 1 +gemeentehub.nl, 1 +gemeentestein.nl, 1 +gemeinde-luederitz.de, 1 +gemeinde-sonnen.de, 1 +gemeinderatswahl2020.de, 1 +gemeinfreie-lieder.de, 1 +gemelen.net, 1 +gemforex.pro, 1 +gemforex.top, 1 +gemgroups.in, 1 +gemik.com, 1 +gemini.com, 1 +geminicorp.be, 0 +geminifm.tk, 1 +gemmproductions.com, 1 +gemmy.cf, 1 +gemonite.com, 1 +gempak.com, 1 +gempool.ie, 1 +gemquery.com, 1 +gemstn.com, 1 +gemstones.com, 1 +gemwerx.com, 1 +gen.cn.eu.org, 1 +gen.net.eu.org, 1 +gen53.org, 1 +genbars.jp, 1 +genbrugge.tk, 1 +genchev.io, 0 +genclikdunyasi.com, 1 +genclikotobusu.com, 1 +gencnet.tk, 1 +gend.moe, 1 +gend.work, 1 +gender-summit.com, 1 +gendergp.com, 1 +genderidentiteit.nl, 1 +genderrevealshop.nl, 1 +gendrin.com, 1 +gendundrupa.ch, 0 +gene-drive.com, 1 +gene-drives.com, 1 +geneacdn.net, 1 +genealog.fr, 1 +genealog.ong.br, 1 +genealogiegazet.nl, 1 +genealogieonline.nl, 1 +genealogiewerkbalk.nl, 1 +genealogy-beyers.tk, 1 +genealorand.com, 1 +geneanet.org, 1 +geneastar.org, 1 +geneau.net, 1 +geneawiki.com, 1 +geneeskrachtig.com, 1 +genehightower.com, 1 +genehome.com.au, 1 +genejournal.blog, 1 +genelhaberler.tk, 1 +genemesservwparts.com, 1 +genemon.at, 1 +genen.ga, 1 +generace-id.org, 1 +generacionmoderatto.tk, 1 +generador-electrico.com, 1 +generadorminecraft.tk, 1 +general-anaesthesia.com, 1 +general-anaesthetics.com, 1 +general-anesthesia.com, 1 +general-directorate-of-administration.gov.lb, 1 +general-insurance.tk, 1 +generalautocheck.com, 1 +generalcustomshop.com.br, 1 +generali-investments-portal.cz, 1 +generali-worldwide.com, 1 +generalinsuranceagencies.com.au, 1 +generalinsuranceservices.com, 1 +generalliabilityinsure.com, 1 +generalpsych.cf, 1 +generalshale.com, 1 +generalsync.com, 1 +generaltitlewebui-stage.azurewebsites.net, 1 +generaly.ga, 1 +generateurdapplis.fr, 1 +generateurdesmiley.tk, 1 +generatevelocity.com, 1 +generation-clic.net, 1 +generation-free.org, 1 +generation247.nl, 1 +generationgoat.com, 1 +generationnext.pl, 0 +generationr.nl, 1 +generationsweldom.com, 1 +generator-energy.ru, 1 +generatorcountry.com, 1 +generatorkodowkreskowych.pl, 1 +generatormusic.tk, 1 +generatorreview.pro, 1 +generators-pro.ru, 1 +generic-noroxin.ml, 1 +generic-plavix.ga, 1 +generic-sildenafil-citrate.cf, 1 +generic-tadalafil.cf, 1 +generic-tenormin.gq, 1 +genericabana.gq, 1 +genericaccutaneonline.ml, 1 +genericaceon.tk, 1 +genericacomplia.ga, 1 +genericadvaironline.ml, 1 +genericanticipation.com, 1 +genericazithromycin.tk, 1 +genericazulfidine.gq, 1 +genericcalan.gq, 1 +genericcelebrex.tk, 1 +genericclaritin.ga, 1 +genericcolchicine.ml, 1 +genericdevelopment.nl, 1 +genericdutasteride.cf, 1 +genericflagyl.ga, 1 +genericforavodartmedication.tk, 1 +genericforflagyl.cf, 1 +genericlevaquin.tk, 1 +genericlexaprocost.cf, 1 +genericlexaprocost.tk, 1 +generico.in, 0 +genericprevacidlansoprazole.tk, 1 +genericrhinocort.ga, 1 +genericuroxatral.gq, 1 +genericvytorin.ml, 1 +generix.biz, 1 +generujdata.cz, 1 +geneseecountymi.gov, 1 +geneseetwpmi.gov, 1 +genesis-a-fresh-translation-from-hebrew-to-english.com, 1 +genesisblock.com, 1 +genesiscoding.net, 1 +genesiseureka.com, 1 +genesisgold.com, 1 +genesisgrade.com, 1 +genesismachina.ca, 1 +genesisplay.tk, 1 +genesistoday.org, 1 +genesys-uk.com, 1 +genetargetsolutions.com.au, 1 +genetidyne.com, 1 +genetworx.com, 1 +geneuse.ai, 1 +genevaal.gov, 1 +genevablogers.ga, 1 +genevablogest.ga, 1 +genevachauffeur.com, 1 +genevacountyal.gov, 1 +genevalunch.com, 1 +geneve.guide, 1 +genfaerd.dk, 1 +gengcerita.tk, 1 +genghan.com, 1 +genia-life.de, 1 +genial.ly, 1 +genie.tk, 1 +genieall.com, 1 +geninspira.com, 1 +geniodonna.it, 1 +geniofinanciero.org, 1 +genioideal.com, 1 +geniosport.com, 1 +genious.co, 1 +genious.world, 1 +genioyfigura.tk, 1 +geniusclan.tk, 1 +geniuses.gq, 1 +geniussis.com, 1 +geniusteacher.in, 1 +geniuswin.it, 1 +geniuszone.biz, 1 +genkihub.com, 1 +genlack.com, 0 +genmab.co.jp, 1 +gennaroabete.duckdns.org, 1 +gennerator.com, 1 +gennet.com, 1 +geno-hyp.de, 1 +geno-hypo.de, 1 +geno4links.ml, 1 +genocidediary.org, 1 +genocideofua.org, 1 +genodeftest.de, 1 +genohyp.com, 1 +genohyp.de, 1 +genohyp.net, 1 +genohypo.de, 1 +genom.by, 1 +genome-reform.com, 1 +genome.eu, 1 +genome.gov, 0 +genomedia.jp, 1 +genomelink.io, 1 +genomequestlive.com, 1 +genomesoft.systems, 1 +genometrik.de, 1 +genomicsinc.com, 1 +genomicslab.in, 1 +genomicsplc.com, 0 +genoog.com, 1 +genophore.com, 1 +genoplot.com, 1 +genorma.com, 1 +genossen.ru, 1 +genossenwiese.ch, 1 +genotix.eu, 1 +genotix.nl, 1 +genovatoday.it, 1 +genoveve.de, 1 +gensenwedding.jp, 1 +genshiken-itb.org, 1 +gensicke.de, 1 +gensleiten.de, 1 +genslerapps.com, 1 +genslerwisp.com, 1 +gensokyo.cafe, 1 +gensokyo.chat, 0 +gensokyo.re, 1 +gensolarenergy.com, 1 +gensonline.eu, 1 +gentapps.com, 1 +gentas.se, 1 +gentbereikbaar.be, 1 +gentblogt.be, 1 +gentbrugsemeersen.be, 1 +gentcdn.com, 1 +gentcityofmusic.be, 1 +gentcongres.be, 1 +gentcongres.com, 1 +gentcongres.eu, 1 +gentcongres.org, 1 +gentcreativecityofmusic.be, 1 +gentec.cz, 1 +gentengarde.be, 1 +gentevenement.be, 1 +gentfietst.be, 1 +gentgezondestad.be, 1 +gentgreenkey.be, 1 +gentholidayland.be, 1 +gentholidayland.com, 1 +gentianes.ch, 0 +gentinvest.be, 1 +gentklimaatstad.be, 1 +gentlecollies.tk, 1 +gentledance.ch, 1 +gentledance.net, 1 +gentledentalcaregroup.co.uk, 1 +gentleentuit.be, 1 +gentlemanwithin.com, 1 +gentlent.biz, 1 +gentlent.blog, 1 +gentlent.cn, 1 +gentlent.co, 1 +gentlent.com, 1 +gentlent.eu, 1 +gentlent.group, 1 +gentlent.help, 1 +gentlent.info, 1 +gentlent.io, 1 +gentlent.net, 1 +gentlent.org, 1 +gentlent.tech, 1 +gentlent.uk, 1 +gentlent.us, 1 +gentlent.xyz, 1 +gentlentapis.com, 1 +gentlentgroup.com, 1 +gentlentssl.com, 1 +gentlichtfestival.be, 1 +gentlichtfestival.com, 1 +gentlivinglab.be, 1 +gentmuziekstad.be, 1 +gentoo-blog.de, 0 +gentooblog.de, 1 +gentoocn.org, 1 +gentryarkansaspd.gov, 1 +gentrydeng.cn, 1 +gentrydeng.com, 1 +gentse-ondernemersdagen.be, 1 +gentsefeesten.be, 1 +gentsefeesten.gent, 1 +gentseondernemersdagen.be, 1 +gentsklimaatverbond.be, 1 +gentslimopweg.be, 1 +genttegenarmoede.be, 1 +gentverwent.be, 1 +genuineppe.co.uk, 1 +genuinetech.pk, 1 +genunlimited.ga, 1 +genunlimited.tk, 1 +genusbag.com, 1 +genutax.ca, 1 +genuxtsg.com, 1 +genxreviewest.ga, 1 +genzdx.xyz, 1 +genzia.ga, 1 +geo-files.tk, 1 +geo-industrie.fr, 1 +geo-portale.it, 1 +geoactivism.org, 1 +geoapps.nl, 1 +geoarchive.tk, 1 +geocaching.hu, 1 +geocar.com, 1 +geocell.website, 1 +geocod.tk, 1 +geocoin2016.dk, 1 +geocommunicator.gov, 1 +geocompass.at, 1 +geoconcretsa.com, 1 +geoconsultant.eu, 1 +geoconvention.ga, 1 +geodatasource.com, 1 +geodesic-tents.com, 1 +geodesign.tk, 1 +geoenvironconsult.ga, 1 +geofabrika.ru, 1 +geoffanderinmyers.com, 1 +geoffmyers.com, 1 +geoffreymmoore.pw, 1 +geoffreyrichard.com, 1 +geoffsec.org, 1 +geofit.ru, 1 +geoflowerstudio.com, 1 +geoforex.ro, 1 +geofox.eu, 1 +geofox.org, 1 +geogas.com.au, 1 +geografia-peru.tk, 1 +geographique.tk, 1 +geography-schools.com, 1 +geohashing.site, 1 +geoip-js.com, 1 +geoip.fedoraproject.org, 1 +geoip.stg.fedoraproject.org, 1 +geojs.io, 1 +geokeys.cf, 1 +geolex.tk, 1 +geolite.info, 1 +geologist.tk, 1 +geology-schools.com, 1 +geolonia.com, 1 +geomac.gov, 1 +geomadrid.ga, 1 +geomagne.tk, 1 +geoman.tk, 1 +geomancy.net, 1 +geomatic.tk, 1 +geometra.roma.it, 1 +geometra24.it, 1 +geometri.tk, 1 +geometrie-rechner.de, 1 +geometriya-dash.online, 1 +geometry-calculators.com, 1 +geon.nl, 1 +geoned.bg, 1 +geonice.ga, 1 +geonot.es, 1 +geophysicsjournal.com, 1 +geopixeles.cl, 1 +geopoetico.tk, 1 +geoponika.gr, 1 +georadar-algerie.com, 1 +georg-ledermann.de, 1 +george-brighton.co.uk, 1 +george-orwell.com, 1 +george.black, 1 +george.com.tw, 1 +george.id.au, 1 +george.ooo, 1 +georgebeverlysheamemorial.org, 1 +georgeblack.me, 1 +georgebrighton.co.uk, 1 +georgeclaghorn.com, 1 +georgeclooney.tk, 1 +georgecolgrove.com, 1 +georgedesign.ch, 1 +georgegachara.tk, 1 +georgehotz.tk, 1 +georgekaraoglanis.tk, 1 +georgelucas.tk, 1 +georgemudie.com, 1 +georgenad.duckdns.org, 1 +georgepancescu.ro, 1 +georges-sadeler.com, 1 +georges.nu, 1 +georgesand.be, 1 +georgeshobeika.cf, 1 +georgeslasaucisse.fr, 1 +georgetownohio.gov, 1 +georgetowntexas.gov, 1 +georgewatson.me, 1 +georgewbushlibrary.gov, 1 +georgiaaccess.gov, 1 +georgiaautoglass.net, 1 +georgiacriminaldefense.com, 1 +georgiaglassrepair.com, 1 +georgiainfo.ga, 1 +georgiajetcharter.com, 1 +georgian.io, 1 +georgianews.ml, 1 +georgiangames.gq, 1 +georgianhistory.tk, 1 +georgiaparks.org, 1 +georgiastuartyoga.co.uk, 0 +georgiawrestling.tk, 1 +georgie.cc, 1 +georgiebailey.com, 1 +georgiedann.ga, 1 +georgiedann.gq, 1 +georgiedann.ml, 1 +georginabouzova.tk, 1 +georginikolov.com, 1 +georgioskontaxis.com, 1 +georgioskontaxis.net, 1 +georgioskontaxis.org, 1 +georgiosnetworks.com, 1 +georglauterbach.com, 1 +georglauterbach.de, 1 +georgmayer.eu, 1 +geosales.tk, 1 +geoscout.uk, 1 +geoserves.com, 1 +geosever.cz, 1 +geosno.com, 1 +geospecialsers.ga, 1 +geostems.com, 1 +geoswohnen.de, 1 +geotabgov.us, 1 +geotec-weilrod.de, 1 +geotech.tk, 1 +geotextil.ec, 1 +geothermalproducts.info, 1 +geotrust.com.ru, 1 +geotruth.net, 1 +geourl.me, 1 +geowest.tk, 1 +gep.ch, 1 +gepassociati.cloud, 1 +gepe.ch, 1 +gepgroup.gr, 1 +gepps.de, 1 +geppy.im, 1 +gera-haushaltsaufloesung.de, 1 +gerainano.com, 1 +geraintwhite.co.uk, 1 +gerald-zojer.com, 1 +geranium.dk, 1 +gerard-klooster.net, 1 +gerardinden.nl, 1 +gerardmccabe.com.au, 1 +gerardozamudio.mx, 1 +gerards-abenteuer.de, 1 +gerbang-singkolo.ga, 1 +gerber-construction.com, 1 +gerbil.tk, 1 +gerbils.tk, 1 +gerbyte.co.uk, 1 +gerbyte.com, 1 +gerbyte.uk, 1 +gerd-frank.com, 1 +gereedschapmuseumdehobbyzolder.tk, 1 +gerenciaconsultor.com, 1 +gerencial.com.br, 1 +geret.cl, 1 +gergoladi.me, 1 +geriartriya.ru, 1 +gerimileva.com, 1 +gerinet.pl, 1 +gerkevangarderen.nl, 1 +germain.cc, 1 +germaintechnologies.com, 1 +german242.com, 1 +germanclarkoh.gov, 1 +germancoding.com, 1 +germancoding.de, 1 +germancorbo.com, 1 +germancraft.net, 1 +germandarknes.net, 1 +germanicvs.tk, 1 +germaniumsoft.com, 1 +germanmasterpainters.nz, 1 +germanophobia.tk, 1 +germanpavilion.com, 1 +germanpay.com, 1 +germanrojas.ga, 1 +germansoldiers.net, 1 +germanssky.de, 1 +germantolobis.lt, 1 +germantownpolicewi.gov, 1 +germantownwi.gov, 1 +germantrip.tk, 1 +germanymade.com, 1 +germanypay.com, 1 +germanytravel.ga, 1 +germanytravelguide.ml, 1 +germanzero-nv.de, 1 +germfr.ee, 1 +germinalekeren.tk, 1 +germistry.com, 1 +gernert-server.de, 1 +gero.io, 1 +geroiplavska.tk, 1 +geropa.it, 1 +gerris.tk, 1 +gerrit078.nl, 1 +gerritcodereview.com, 1 +gers-authentique.com, 1 +gerstbauer.tk, 1 +gerstner.it, 1 +gertjan-tamerus.tk, 1 +gertrudeco.com, 1 +gertrudentor.de, 1 +gerum.dynv6.net, 0 +gerwinvanderkamp.nl, 1 +gesamenvat.nl, 1 +gesath.co, 1 +gesath.com, 1 +geschenkkoerbeversand.de, 1 +geschenkkorb-ideen.de, 1 +geschenkly.de, 1 +geschichtscheck.de, 1 +geschichtswerkstatt.tk, 1 +geschmackspiloten.de, 0 +geschwinder.net, 1 +geseduc.cl, 1 +gesentorno.tk, 1 +gesetz.tk, 1 +gesica.cloud, 1 +gesmav-trier.de, 1 +gesnerfigueiredo.com.br, 1 +gesnex.com, 1 +gessettirotti.it, 1 +gessosaoluiz.com, 1 +gestaoclub.com.br, 1 +gestcoelho.com, 1 +gestion-de-contact.fr, 1 +gestionadministrativevirtuelle.ca, 1 +gestionadministrativevirtuelle.ch, 1 +gestione-certificazioni.it, 1 +gestioninfosolutions.com, 1 +gestionth.com, 1 +gestorehotel.com, 1 +gestorestecnologicos.com, 1 +gestus.tk, 1 +gesuiti.it, 1 +gesundessen.at, 1 +gesundessen.ch, 1 +gesundessen.de, 1 +gesundheit-ifg-muenchen.de, 1 +gesundheitmassage.com, 1 +gesundheitswelt24.de, 1 +gesundimmund.de, 1 +get-a-wingman.com, 1 +get-asterisk.ru, 1 +get-baaam.com, 1 +get-erp.ru, 1 +get-express-vpn.com, 1 +get-maurice.com, 1 +get-my-report.com, 1 +get-quick-bits-fast-2018.pw, 1 +get-refer.com, 1 +get-x-web-link2.com, 1 +get-your-business.tk, 1 +get.design, 1 +get.gov, 1 +get.how, 1 +getabear.com, 1 +getacrane.co.uk, 1 +getahearing.com, 1 +getaldea.com, 1 +getalink.ga, 1 +getalitools.ru, 1 +getanresources.com, 1 +getanswer.ga, 1 +getar.tk, 1 +getaskoll.at, 1 +getawaycab.tk, 1 +getawayline.com, 1 +getback.ch, 1 +getbellhop.co, 1 +getbodysmart.com, 1 +getboomerangwater.com, 1 +getbootstrap.com, 1 +getboubou.com, 1 +getbox.me, 1 +getbrain.tk, 1 +getbreadcrumbs.com, 1 +getbrowink.com, 1 +getbutterfly.com, 1 +getbuya.com, 1 +getcabal.com, 1 +getcare.com, 1 +getcarina.com, 1 +getchip.cc, 1 +getcloak.com, 1 +getclubsoda.com, 1 +getcodelove.com, 1 +getcolq.com, 1 +getcontact.com, 1 +getcookie.ml, 1 +getcyber.me, 1 +getcyber.org, 1 +getdash.io, 1 +getdeclutter.com, 1 +getdinghy.com, 1 +getdirectcredit.com, 1 +getdishnow.tk, 1 +getdoc.com.br, 1 +getdoges.tk, 1 +getdownon.it, 1 +getdumpsterdash.com, 1 +getecoins.shop, 1 +geteducation.tk, 1 +geteduroam.no, 1 +getelectronics.tk, 1 +geterp.ru, 1 +getescrowest.ga, 1 +getestudio.com, 1 +getevidenceers.ga, 1 +getexipure.com, 1 +getfastanswer.com, 1 +getfedora.org, 1 +getfit.md, 1 +getfitbee.com, 1 +getfitwithkip.com, 1 +getflip.com, 0 +getflorence.co.uk, 0 +getfreeelectricity.tk, 1 +getfreeltc.ml, 1 +getgeek.dk, 1 +getgeek.ee, 1 +getgeek.es, 1 +getgeek.fr, 1 +getgeek.io, 1 +getgeek.no, 1 +getgeek.nu, 1 +getgeek.pl, 1 +getgeek.se, 1 +getgreencarpetct.com, 1 +gethere.gq, 1 +gethotspotshield.com, 1 +gethow.org, 1 +gethttpsforfree.com, 1 +gethvac.pro, 1 +gethyas.com, 1 +geti2p.com, 1 +getidee.com, 1 +getidee.de, 1 +getidmcc.com, 1 +getinfoleads.tk, 1 +getinshape.today, 1 +getinsuranceanywhere.com, 1 +getinternet.gov, 1 +getintra.org, 1 +getitpeople.com, 1 +getjadedlocal.com, 1 +getjms.com, 1 +getlaminas.org, 1 +getlantern.org, 0 +getlawnbuddy.com, 1 +getlawyered.com.au, 1 +getleanflorida.gov, 1 +getlessgivemore.com, 1 +getlibrary.com, 1 +getmango.com, 1 +getmarksvoice.com, 1 +getmdl.io, 1 +getme.cf, 1 +getmello.org, 1 +getmeloan.org, 1 +getmerch.eu, 1 +getmetech.com, 0 +getmimo.com, 0 +getmonero.cz, 1 +getmybosslife.com, 1 +getnetset.com, 1 +getnew.tk, 1 +getnews360.com, 1 +getnib.com, 1 +getnikola.com, 1 +getontop.club, 1 +getonyx.com, 1 +getoxley.com, 1 +getpagespeed.com, 1 +getpaidclub.tk, 1 +getpaidtocode.com, 1 +getpaidtodesign.com, 1 +getpaidtodev.com, 1 +getpanelapp.com, 1 +getpavedmidmichigan.com, 1 +getpdf.in, 1 +getpet.lt, 1 +getplus.com.au, 1 +getpro.plumbing, 1 +getprohealth.com, 1 +getpromo.cf, 1 +getpublii.com, 1 +getready2dance.tk, 1 +getreadyforever.tk, 1 +getrelish.com, 1 +getresilience.org, 1 +getresults.co.za, 1 +getriebeservice-gse.de, 1 +getroman.com, 1 +getsamegoal.com, 1 +getscif.com, 1 +getsecure.nl, 1 +getserm.com, 1 +getserum.xyz, 1 +getsession.org, 1 +getsetbounce.co.uk, 1 +getsilknow.com, 1 +getsimone.online, 1 +getsmartlife.in, 1 +getsocreative.com, 1 +getspaces.com, 1 +getstark.co, 1 +getstat.net, 1 +getstream.io, 1 +getsubs.net, 1 +getswadeshi.com, 1 +getsweep.com, 1 +getteamninja.com, 1 +gettext.tk, 1 +getthefriendsyouwant.com, 1 +getthejobicanhelp.com, 1 +gettheworldmoving.com, 1 +getticker.com, 1 +gettingtvers.ga, 1 +gettodoing.com, 1 +gettonline.com, 1 +gettopquality.com, 1 +gettravelista.com, 1 +gettrust.com, 1 +getts.ro, 1 +getts.shop, 1 +gettwo.ml, 1 +getupandbounce.co.uk, 1 +getupdat.es, 1 +getupwakeclub.com, 1 +getvalidate.com, 1 +getvdownloader.com, 1 +getveer.io, 1 +getwemap.com, 1 +getwokegobroke.xyz, 1 +getword.com, 1 +getwork.tk, 1 +getwsodo.com, 1 +getyou.onl, 0 +getyour.nz, 1 +getyoureuro.tk, 1 +getyourlifestraight.com, 1 +getyournurse.de, 1 +getyourphix.tk, 1 +geulis.tk, 1 +geus-okna.eu, 1 +gevara.cz, 1 +gevelreinigingtiel.nl, 1 +gevme.com, 1 +gevo.gg, 1 +gew.is, 1 +gewasteelt.ga, 1 +gewel.io, 1 +gewerbe-fix.ag, 1 +gewerbe-fix.at, 1 +gewerbe-fix.ch, 1 +gewerbe-fix.com, 1 +gewerbe-fix.de, 1 +gewerbe-fix.eu, 1 +gewerbe-fix.info, 1 +gewerbe-fix.net, 1 +gewerbe-fix.org, 1 +gewerbefix.ag, 1 +gewerbefix.at, 1 +gewerbefix.biz, 1 +gewerbefix.ch, 1 +gewerbefix.com, 1 +gewerbefix.de, 1 +gewerbefix.eu, 1 +gewerbefix.info, 1 +gewerbefix.net, 1 +gewerbefix.org, 1 +gewinn.tk, 1 +gewis.nl, 1 +gexobiz.tk, 1 +geyduschek.be, 0 +geytabir.cf, 1 +gezakekazeg.tk, 1 +gezginsolar.com, 1 +gezinnenhilton.com, 1 +gezondetips.nl, 0 +gezondheidsfondsenvoorrookvrij.nl, 1 +gezondheidszorg-ict.nl, 1 +gezondheidszorg-it.nl, 1 +gf-franken.de, 1 +gf0.ltd, 1 +gf5fcalc.com, 1 +gfac.ru, 1 +gfahnen.de, 1 +gfast.ru, 1 +gfc.scot, 1 +gfcleisure.co.uk, 1 +gfcnieuws.com, 1 +gfcorp.jp, 1 +gfe.link, 1 +gfedating.com, 1 +gfestival.fo, 1 +gfetechs.com, 1 +gfgmmarketing.com, 1 +gfishbone.com, 1 +gfk-kunststoff-luebben.de, 1 +gfleaks.com, 1 +gfmp.com.pl, 1 +gfms.ru, 1 +gfnetfun.cf, 1 +gforce.ninja, 1 +gforex.pro, 1 +gforex.top, 1 +gfoss.gr, 1 +gfourmis.co, 1 +gfournier.ca, 1 +gfox.hu, 1 +gfpress.it, 1 +gfrevenge.com, 1 +gfronline.tk, 1 +gfsolucoesdigitais.com, 1 +gfsolucoesdigitais.com.br, 1 +gfx.cards, 1 +gfxbench.com, 1 +gfxviet.net, 1 +gfxworld.tk, 1 +gfycat.com, 1 +gg.ax, 1 +gg.co.uk, 1 +gg.world, 1 +gg5197.co, 1 +gg6729.co, 1 +gg6729.com, 1 +gg6957.co, 1 +gg9297.co, 1 +gg9397.com, 1 +gg9728.co, 1 +ggb.world, 1 +ggcp.com, 1 +ggdcpt.com, 1 +ggdghorkennisnet.nl, 1 +ggdrop.com, 1 +ggdrop.top, 1 +gge16.ru, 1 +ggg.re, 1 +gggg.loan, 1 +gginin.today, 1 +ggiveilig.nl, 1 +ggld.net, 1 +gglks.com, 1 +ggmmontascale.it, 1 +ggobbo.com, 1 +ggs-marschallstrasse.de, 1 +ggs.jp, 1 +ggservers.com, 1 +ggss.cf, 1 +ggworld.ga, 1 +gh-sandanski.com, 1 +gh16.com.ar, 1 +gha.st, 1 +ghada.blog, 1 +ghafatzayed.com, 1 +ghanaculture.tk, 1 +ghanapremiumconsultant.com, 1 +ghanitechnologies.com, 1 +gharbala.com, 1 +ghayegh.org, 1 +ghazals.tk, 1 +ghazi.im, 1 +ghbtns.com, 1 +ghcci.com, 1 +ghcoaching.mx, 1 +gheestore.in, 0 +ghentcityofmusic.be, 1 +ghentcreativecityofmusic.be, 1 +ghentfilmoffice.be, 1 +ghentholidayland.be, 1 +ghentlichtfestival.be, 1 +ghentlichtfestival.com, 1 +ghentlightfestival.be, 1 +ghentlightfestival.com, 1 +ghentlivinglab.be, 1 +gheorghe-sarcov.ga, 1 +gheorghesarcov.ga, 1 +gheorghesarcov.tk, 1 +ghereben.xyz, 1 +ghettonetflix.de, 1 +ghgkhalsaschool.com, 1 +ghi.gov, 1 +ghil.de, 1 +ghimaging.com, 1 +ghini.com, 1 +ghiro.tk, 1 +ghlinks.com.gh, 1 +ghll.org.uk, 1 +ghllc.com, 1 +ghn.vn, 1 +ghnewslive.com, 1 +ghobcars.com, 1 +ghobot.ai, 1 +ghobusers.com, 1 +ghostarmy.tk, 1 +ghostarrow.com, 1 +ghostbusters.tk, 1 +ghostbustersuk.tk, 1 +ghostcarve.ml, 1 +ghostcir.com, 0 +ghostdesign.tk, 1 +ghostdog.ga, 1 +ghostdragon.tk, 1 +ghostfam.com, 1 +ghostfam.win, 1 +ghostfiregaming.com, 1 +ghostgimbals.com, 1 +ghostinbox.pl, 1 +ghostlight.tk, 1 +ghostmarket.io, 1 +ghostnight.ga, 1 +ghostpi.pro, 1 +ghostpin.ga, 1 +ghostplanet.tk, 1 +ghostrealms.tk, 1 +ghostridersclan.tk, 1 +ghostruler.com, 1 +ghosts-to-you.tk, 1 +ghostsnote.tk, 1 +ghostsquad.tk, 1 +ghostutils.tk, 1 +ghostwritershigh.com, 1 +ghotokbaba.com, 1 +ghou.me, 1 +ghowell.io, 1 +ghpastor.com, 1 +ghprinter.com.br, 1 +ghprinting.net, 1 +ghsix.com.br, 1 +ghwconline.org, 1 +ghyvelde.fr, 1 +gi-plant.shop, 1 +giac.net, 1 +giac.org, 1 +giacomodebidda.com, 1 +giacomopelagatti.it, 1 +giacomosecchi.com, 1 +giakki.eu, 1 +gialai.gov.vn, 1 +gialupa.tk, 1 +giamcanhieuqua.vn, 1 +giancarlomarino.com, 1 +giangma.tk, 1 +giannakis.tk, 1 +gianproperties.com, 1 +giant-panda.com, 1 +giant-tortoise.com, 1 +giantratesers.ga, 1 +giantratesest.ga, 1 +giantrooster.de, 1 +giantroostergames.de, 1 +giantslipandslide.co.uk, 1 +giantsquid.cf, 1 +giantsquid.ga, 1 +giantsquid.gq, 1 +giantsquid.tk, 1 +gianttree.de, 1 +gianturl.net, 1 +giaohangtietkiem.vn, 1 +giardinaggio.milano.it, 1 +giardinaggio.napoli.it, 1 +giardinaggio.roma.it, 1 +giardiniblog.it, 1 +giardiniere.bologna.it, 1 +giardiniere.milano.it, 1 +giardiniere.roma.it, 1 +giardinoperfetto.com, 1 +giatrakos.com, 1 +giaydepvnn.com, 1 +gibberfish.org, 1 +gibbon.tk, 1 +gibbonedu.org, 1 +gibkoesteklo.ml, 1 +gibraltar-jobs.com, 1 +gibraltarwi.gov, 1 +gibranhernandez.tk, 1 +gibsonmemorial.ca, 1 +gibsonsecurity.co.uk, 1 +gicasport.it, 1 +gichigamigames.com, 1 +gickelskerb.de, 1 +gidapgs.cf, 1 +giddsmedia.com, 1 +giddyaunt.net, 1 +gideonbot.com, 1 +gidive.com, 1 +gidro-dom.ru, 1 +gidro.tech, 1 +gidroponica.ml, 1 +giebel.it, 1 +giedrioukis.lt, 1 +gielectrical.com.au, 0 +giemsa.com, 1 +gierds.de, 1 +gieschke.de, 1 +gietvloergarant.nl, 1 +gif-avatars.com, 1 +gif.tips, 0 +giff.com.mx, 1 +giffard.com, 1 +gifhelittlestars.co.uk, 1 +giford.com, 1 +gifsonline.tk, 1 +gift4ever.tk, 1 +giftbaskets.ru, 1 +giftbasketsoverseas.com, 1 +giftbit.com, 1 +giftcard.net, 1 +giftedconsortium.com, 1 +giftedmodels.com, 1 +giftex.cz, 1 +giftexperts.com, 1 +giftfavorite.tk, 1 +giftfocus.com, 1 +giftlist.guru, 1 +giftnix.com, 1 +giftofsquare.net, 1 +giftofsquare.org, 1 +giftpoint.io, 1 +gifts.best, 1 +giftscop.com, 1 +giftsenda.com, 1 +giftsforaspecialoccasion.com, 1 +giftsholidays.tk, 1 +giftsofsquare.com, 1 +giftsofsquare.net, 1 +giftsofsquare.org, 1 +gifudodo.com, 1 +gifuxuk.tk, 1 +gifzilla.net, 0 +gig.com, 1 +gig.ru, 0 +gig40.com, 1 +giga.nl, 1 +gigabitz.pw, 1 +gigachad.net, 1 +gigacloud.org, 1 +gigacloud.ua, 0 +gigacomputer.cz, 1 +gigagroup.cf, 1 +gigahertz.de, 1 +gigalink.me, 1 +giganet.tk, 1 +gigantar.com, 1 +gigantino.net, 1 +gigantism.com, 1 +gigantron.com, 1 +gigaone.pl, 1 +gigarange.org, 1 +gigarange.xyz, 1 +gigasoft.tk, 1 +gigatags.tk, 1 +gigatop.ga, 1 +gigatron.tk, 1 +gigawa.lt, 1 +gigawattz.com, 1 +gigaway.com, 1 +giggear.com.au, 1 +gigharborwa.gov, 1 +gigindia.in, 1 +gigis-pizzeria.de, 1 +gigiscloud.servebeer.com, 1 +giglink.club, 1 +gigloog.tk, 1 +gigpam.com, 1 +gigs.com, 1 +gigseekr.com, 1 +gijonshiro.tk, 1 +gikovatelojavirtual.com.br, 1 +gil.gg, 1 +gil.re, 1 +gilandrad.tk, 1 +gilangcp.com, 1 +gilbert-schmalriede.de, 1 +gilbertosimoni.tk, 1 +gilbertsvilleny.gov, 1 +gildenhost.de, 1 +gileadpac.com, 1 +gilescountytn.gov, 1 +gilewis.net, 1 +gilfed.com, 1 +gilion.tk, 1 +gill-cote-bistro.fr, 1 +gill-swerts.tk, 1 +gill-temptation.tk, 1 +gillesmorelle.com, 0 +gillespetrotey.com, 1 +gillettepromociones.com, 1 +gillfamily.de, 1 +gillmanandsoame.co.uk, 1 +gillsco.com, 1 +gilly.berlin, 0 +gilmanwi.gov, 1 +gilmasocial.ga, 1 +gilme.net, 1 +gilnet.be, 0 +gilpincountydronepilot.com, 1 +gilsanchez2009.com, 1 +gilsum-nh.gov, 1 +giltedge.travel, 1 +gim-app.tk, 1 +gim.ac.in, 1 +gimahhot.com, 1 +gimbal.ca, 1 +gimme.money, 1 +gimmickbots.com, 1 +gimmickmedia.de, 1 +gimnazija-skofjaloka.si, 1 +gimnazija.tk, 1 +gimnazijapg.me, 1 +gimnaziya.ga, 1 +gimnaziya.tk, 1 +gimnazjum-miloslaw.tk, 1 +gimpware.tk, 1 +gina-architektur.design, 1 +ginabaum.com, 1 +ginatony.com, 1 +ginecomastiatratamento.com.br, 1 +ginen.xyz, 0 +ginepolice.gov, 1 +ginev.tk, 1 +gingersutton.com, 1 +gingerxumd.com, 1 +ginionusedcars.be, 0 +ginitaly.it, 1 +ginnegappen.nl, 1 +ginniemae.gov, 1 +ginnungagap.space, 1 +ginosfiredup.ca, 1 +gintaresdental.lt, 1 +gintian.com, 1 +gintonic.tk, 1 +ginx.tv, 1 +ginza-viola.com, 1 +ginzago.ru, 1 +ginzaj.com, 1 +gio-abbigliamento.it, 1 +giochistars.it, 1 +giochistem.it, 1 +giocolive.com, 1 +gioielleriamolena.com, 1 +gion-ent.co.jp, 1 +gion.io, 1 +giopiu.it, 1 +giordan.com, 1 +giordano.com, 1 +giordanomultiservice.it, 1 +giorgia.tk, 1 +giorgiosite.tk, 1 +giornalisportivi.online, 1 +giovannarossi.tk, 1 +giovannibattistadagnino.eu, 1 +giovannisantini.tk, 1 +giovinco.tk, 1 +gip-carif-idf.net, 1 +gip-carif-idf.org, 1 +gipelpsb.fr, 1 +giper.ga, 1 +giperfast.tk, 1 +gipernn.ru, 1 +gipl.tk, 1 +gipsic.com, 1 +gipsplitka.ru, 1 +gipuzkoabasket.tk, 1 +giradiscos.com, 1 +giraffeduck.com, 1 +giraffenland.de, 1 +giraffes.org, 1 +gircimediterranee.fr, 1 +giresunhaberleri.tk, 1 +giri.co, 1 +girisbetturka.com, 1 +girishkumar.tk, 1 +girl.click, 1 +girl.science, 1 +girlan.net, 1 +girlandhermoon.com, 0 +girlbaito.jp, 1 +girlboss.ceo, 1 +girlcock.ceo, 1 +girldevelopit.com, 1 +girldick.gay, 1 +girlfriend.gq, 1 +girlgrind.com, 1 +girliciousbeauty.com, 1 +girlie.tk, 1 +girlingsdiamond.co.uk, 1 +girlinthetiara.com, 1 +girlisme.com, 1 +girljacket.com, 1 +girls-heaven.com, 1 +girlsaloudcity.tk, 1 +girlsbar-navi.jp, 1 +girlschandigarh.in, 1 +girlsfucked.com, 1 +girlsgenerationgoods.com, 1 +girlsgetpied.com, 1 +girlsglimpse.cf, 1 +girlsglimpse.ga, 1 +girlsglimpse.gq, 1 +girlshealth.gov, 1 +girlshere.tk, 1 +girlsnet.work, 1 +girlswhonerd.com, 1 +girlunfinished.com, 1 +girlz.jp, 1 +gironde-tourisme.fr, 1 +gironiforum.fr, 1 +giroskuter.ga, 1 +girsedesign.de, 1 +girvas.ru, 1 +gis.ee, 1 +gisa.gv.at, 1 +gisac.org, 1 +gisauto.ru, 1 +gisbornecabs.com.au, 1 +gisellapiano.tk, 1 +gisher.news, 1 +gisher.org, 1 +gisher.video, 1 +gishiko.net, 1 +gishpo.tk, 1 +gisma.tk, 1 +gistr.io, 1 +giswi.com, 1 +git-stuff.tk, 1 +git-top-repos.net, 1 +git.ac.cn, 1 +git.co, 1 +git.market, 1 +git.nl.eu.org, 1 +git.org.il, 0 +git.sb, 1 +git.tt, 0 +gitarist.tk, 1 +gitarren-akademie-online.de, 1 +gitch.xyz, 1 +gite-ambleteuse.tk, 1 +gite-bouvines.fr, 1 +gite-le-pascaud.fr, 1 +gitecolombedesbois.com, 1 +gitelermitage.be, 1 +gites-melaual.fr, 1 +gitgaattreaty.ca, 1 +github.blog, 1 +github.com, 1 +github.partners, 1 +githubapp.com, 1 +githubengineering.com, 1 +githubindia.com, 1 +githubnext.com, 1 +giti.com.sg, 1 +gitlab-apps.com, 1 +gitns.com, 1 +gitns.dev, 1 +gitns.io, 1 +gitns.net, 1 +gitns.nl, 1 +gitns.org, 1 +gitstuff.tk, 1 +gittigidiyor.com, 1 +gittr.ch, 1 +gitvibe.com, 1 +giuem.com, 1 +giuliabonati.com, 1 +giuliano.design, 1 +giuliawylde.com, 1 +giulliamodas.com.br, 1 +giunchi.net, 1 +giuristifriburgo.ch, 1 +giuseppebuccheri.it, 1 +giuseppemacario.it, 1 +giuseppemacario.men, 1 +giusyesabatino.it, 1 +give.net, 1 +give2charity.co, 1 +give2charityapp.com, 1 +giveasquare.com, 1 +giveasquare.net, 1 +giveasquare.org, 1 +givecfc.org, 1 +givelab.com, 1 +givemeaverse.com, 1 +givemebeer.tk, 1 +givemeyour.cc, 1 +givemylife.cf, 1 +givemylife.ga, 1 +givemylife.gq, 1 +givemylife.ml, 1 +given2.blog, 1 +given2.com, 1 +given2.me, 1 +given2.us, 1 +given4.it, 1 +givepenny.com, 1 +givery.cz, 1 +givery.sk, 1 +givesunlight.com, 1 +giveuselife.org, 1 +giving.com, 1 +givingnexus.org, 0 +givingpledge.org, 1 +givingtools.com, 1 +givip.eu, 1 +gix.net.pl, 1 +gixtools.co.uk, 1 +gixtools.com, 1 +gixtools.net, 1 +gixtools.uk, 1 +gizemlibilgi.com, 1 +gizitalk.com, 1 +gizlicekim.tk, 1 +gizmo.ovh, 1 +gizmocrazed.com, 1 +gizmodo.com, 1 +gizmodo.es, 1 +gizmodo.in, 1 +gizmogrind.com, 1 +gj-bochum.de, 1 +gj-cham.tk, 1 +gj6.top, 0 +gjan.in, 1 +gjan.info, 1 +gjan.io, 1 +gjanaconstruction.com, 1 +gjcampbell.co.uk, 1 +gjengset.com, 1 +gjnoonan.co.uk, 1 +gjung.com, 1 +gk-it.ru, 1 +gkb2.ru, 1 +gkbm.com, 1 +gkconsultancy.tk, 1 +gkdforum.eu.org, 1 +gkdk.se, 1 +gkdworld.com, 1 +gkdworld.eu.org, 1 +gkepm.com, 1 +gkhull.com, 1 +gklparis.fr, 1 +gkmusicindia.tk, 1 +gknews.tk, 1 +gkoenig-innenausbau.de, 1 +gkq.co.in, 1 +gkralik.eu, 1 +gkrru4v.xyz, 1 +gkstyle.net, 0 +gku-winterling.de, 1 +gkv-gorinchem.nl, 1 +gkvharidwar.org, 1 +gkvsc.de, 1 +gkzmengineering.com, 1 +gl-operacion.com.mx, 1 +gl.search.yahoo.com, 0 +glabiatoren-kst.de, 1 +glacialexperience.is, 1 +glaciercountymt.gov, 1 +glacierviewfire.gov, 1 +glad.com, 1 +gladala.tk, 1 +gladiac.duckdns.org, 1 +gladiator.tf, 1 +gladiators-clan.tk, 1 +gladiatorshop.nl, 1 +gladiium.store, 1 +gladosdan.com, 1 +gladstonemi.gov, 1 +gladwellentertainments.co.uk, 1 +gladwork.tk, 1 +gladysstrickland.com, 1 +glahcks.com, 1 +glamadelaide.com.au, 1 +glamcambabes.com, 1 +glamdaldyreklinikk.no, 1 +glami.com.tr, 1 +glaminati.com, 1 +glamlivesex.com, 1 +glamorousgoat.nl, 1 +glamorously-built.tk, 1 +glamour4you.de, 1 +glamourandgains.com, 1 +glamourdaze.com, 1 +glamourhair.tk, 1 +glamourmagazine.co.uk, 1 +glamourtime.tk, 1 +glamur-video.com, 1 +glance.gr, 1 +glanz-dienste.de, 1 +glanzodergarnicht.com, 1 +glas-systeme.eu, 1 +glasdon.com, 1 +glase.shop, 1 +glaserceramics.com, 1 +glasfaser-im-hanseviertel.de, 1 +glasgestaltung.biz, 1 +glasgowfilm.org, 0 +glasgowlife.org.uk, 1 +glashandelverbo.nl, 1 +glashandelwolf.nl, 0 +glasiko.tk, 1 +glass-blaster.com, 1 +glass.google.com, 1 +glass.photo, 1 +glasschmuck-millefiori.de, 1 +glassellparkschool.org, 1 +glassemployees.com, 1 +glassfoxowo.com, 1 +glasshouseretreat.co.uk, 1 +glassicasino.in, 1 +glasslikes.com, 1 +glassnebula.com, 1 +glassner.org, 1 +glassochchoklad.se, 1 +glassofdirt.tk, 1 +glassofgrape.com, 1 +glassportpapd.gov, 1 +glassrainbowtrust.org.je, 1 +glassrepairsperth.com.au, 1 +glassrom.org, 1 +glassrom.pw, 1 +glasssculpture.org, 1 +glasstechnics.be, 1 +glasswall.com, 1 +glassweb.com.mx, 1 +glassworld.tk, 1 +glastenbury.com, 1 +glaston.com, 1 +glaswerk-mellenbach.de, 1 +glaswolsite.tk, 1 +glatfelter.com, 1 +glauca.digital, 1 +glauca.space, 1 +glaucoma.uk, 1 +glavfundament.ru, 0 +glavny-yurist.ru, 1 +glavred.info, 0 +glazedmag.fr, 1 +glazenschuifwandenoutlet.nl, 1 +glazkova.ga, 1 +glbaumaulwurf.de, 1 +glbins.com, 1 +glbth.com, 1 +glcastlekings.co.uk, 1 +gld.re, 1 +gle, 1 +gleam.tk, 1 +gleanview.com, 1 +glebov.tk, 1 +gleeband.com, 1 +gleentech.com, 1 +gleesongs.tk, 1 +gleich-aluminium-shop.de, 1 +gleisner.io, 1 +gleisner.legal, 1 +gleki.com, 1 +glemtpassord.dep.no, 1 +glenatlasmd.com, 1 +glenavy.tk, 1 +glenbeulahwi.gov, 1 +glencambria.com, 1 +glencarbonil.gov, 1 +glencoveny.gov, 1 +glendalewv.gov, 1 +glendarraghbouncycastles.co.uk, 1 +glenderan.com, 1 +glendivemt.gov, 1 +glenhuntlyapartments.com.au, 1 +glenmarieproperties.com, 0 +glenmarkpharma.sk, 1 +glenmorewisconsin.gov, 1 +glennfitzpatrick.com, 1 +glennhamers.nl, 1 +glennvillega.gov, 1 +glennwilson.co.uk, 1 +glenshere.com, 1 +glenwhitememorial.com, 1 +glenwoodpark.com, 1 +glesbymarks.com, 1 +glevolution.com, 1 +glexia.com, 1 +glgclan.tk, 1 +gli.sh, 1 +gliagrumi.it, 1 +glibmarket.in, 1 +glickman-consulting.com, 1 +glidestep.com, 1 +glidingshop.cz, 1 +glidingshop.de, 1 +glidingshop.eu, 1 +glieroidelcalcio.com, 1 +gliihc.net, 1 +glimhome.com, 1 +glimpses.tk, 1 +glini.net, 1 +glit.sh, 1 +glitchcomic.tk, 1 +glitched.online, 1 +glitery.com, 1 +glitter-graphics.com, 1 +glitterblast.uk, 1 +glitteringmariah.tk, 1 +glittersjabloon.nl, 1 +glitzerstuecke.de, 1 +glitzybingo.co.uk, 1 +glixee.com, 1 +glk.academy, 1 +glloq.org, 0 +glm.io, 1 +glnpo.gov, 1 +global-adult-webcams.com, 1 +global-business-solutions.cf, 1 +global-carbonsolutions.com, 1 +global-content.net, 1 +global-electronic-music.tk, 1 +global-factory.co.jp, 1 +global-fh.com, 1 +global-free-classified-ads.com, 1 +global-monitoring.com, 1 +global-motherboard.com, 1 +global-qanoon.gq, 1 +global-scg.org, 1 +global-share.org, 1 +global-topsecret.tk, 1 +global-trance.tk, 1 +global-village.koeln, 1 +global-wire.eu, 1 +global-wire.fi, 1 +global-wire.net, 1 +global.my.id, 1 +global1.gg, 1 +globalacademicgroup.com, 1 +globalaccountservice.com, 1 +globalamend.com, 1 +globalawakening.com, 1 +globalbix.com, 1 +globalbridge-japan.com, 1 +globalbroadcastsolutions.com, 1 +globalbusiness.tk, 1 +globalbusinessinfoaccomodation.tk, 1 +globalbusinessinfoasia.tk, 1 +globalbusinessinfoera.tk, 1 +globalbusinessinfographic.tk, 1 +globalbusinessinfoinsurance.tk, 1 +globalbusinessinfonews.tk, 1 +globalbusinessinfouk.tk, 1 +globalbusinessinfousa.tk, 1 +globalbusinessnews.tk, 1 +globalbusinessrisk.com, 1 +globalcancer.tk, 1 +globalchemlab.ga, 1 +globalconsultant.tk, 1 +globalconsulting.ml, 1 +globaldataline.ml, 1 +globaldefensa.tk, 1 +globaldestruction.tk, 1 +globaled.org.uk, 1 +globalenergyinterconnection.com, 0 +globalentertainment.ga, 1 +globalenv.online, 1 +globalepsilon.com, 1 +globalflavorjourney.com, 1 +globalformat.de, 1 +globalfuhui.com, 1 +globalgate.cc, 1 +globalgivingtime.com, 1 +globalgovernancewatch.org, 1 +globalgrowth.group, 1 +globalhealth.gov, 1 +globalhealthstrategiesnetwork.com, 1 +globalhealthstrategiesnetwork.info, 1 +globalhealthstrategiesnetwork.net, 1 +globalhealthstrategiesnetwork.org, 1 +globalhomeautomation.ca, 1 +globalhomicideers.ga, 1 +globalhorses.de, 1 +globalimmigrationvisa.com, 1 +globalink.tk, 1 +globalipaction.ch, 1 +globalisierung-fakten.de, 1 +globalitac.com, 1 +globalizationpedia.com, 1 +globalkwizz.tk, 1 +globalmarketrade.com, 1 +globalmasonryers.ga, 1 +globalmasonryest.ga, 1 +globalmaster.com.mx, 1 +globalmed.tk, 1 +globalmethane.org, 1 +globalmetropolis.tk, 1 +globalmobilityjourneys.com, 1 +globalnewsdaily.cf, 1 +globalnewsdaily.tk, 1 +globalnewsnetwork.tk, 1 +globalnewssystems.tk, 1 +globalno.me, 1 +globalnomadvintage.com, 1 +globalobuv.tk, 1 +globalopsgame.tk, 1 +globalpandemictools.com, 1 +globalpediatriciansest.ga, 1 +globalperspectivescanada.com, 1 +globalpolarbear.com, 1 +globalproduction.ga, 1 +globalprojetores.com.br, 1 +globalradio.tk, 1 +globalreachgroup.com, 1 +globalroad.ma, 1 +globalrussia.tk, 1 +globalsecuritydatabase.com, 1 +globalsecuritydatabase.io, 1 +globalsecuritydatabase.net, 1 +globalsecuritydatabase.org, 1 +globalsens.com, 1 +globalsensationsers.ga, 1 +globalsensationsest.ga, 1 +globalseo.ga, 1 +globalseo.ml, 1 +globalseostrategy.com, 1 +globalshippinglimited.ga, 1 +globalsign.com.ru, 1 +globalspeed.tk, 1 +globalstar.com, 1 +globalstrike.tk, 1 +globalthermoforming.com, 1 +globaltiendat.com, 1 +globaltravel.cf, 1 +globaltravel.ga, 1 +globaltravel.tk, 1 +globaltrucking.uk, 1 +globalventil.com, 0 +globalvision.co, 1 +globalvisions-events.ch, 1 +globalvisions-events.com, 1 +globalvoice.ga, 1 +globalwarmingis.science, 1 +globalwidemedia.com, 1 +globalwire.fi, 1 +globalwitness.org, 0 +globalzone.tk, 1 +globaz.ch, 1 +globe-brasil.tk, 1 +globe.gov, 1 +globedx.exchange, 1 +globegazette.com, 1 +globeinform.com, 1 +globelink-group.com, 1 +globemilk.nl, 1 +globemusic.es, 1 +globeprotocol.be, 1 +globeprotocol.com, 1 +globeprotocol.de, 1 +globeprotocol.es, 1 +globeprotocol.eu, 1 +globeprotocol.fr, 1 +globeprotocol.io, 1 +globeprotocol.it, 1 +globeprotocol.nl, 1 +globeprotocolecosystem.nl, 1 +globereservationsest.ga, 1 +globetalent.nl, 1 +globetrotting.com.au, 1 +globevision.ca, 1 +globologic.com, 1 +globotech.be, 1 +globotur.de, 1 +globowood.ml, 1 +globuli-info.de, 1 +globus-plus.ml, 1 +globustrust.tk, 1 +glocesterri.gov, 1 +glocken-apotheke.info, 1 +glockenturm.digital, 1 +gloeckle-gruppe.de, 1 +glofox.com, 1 +glonee.live, 1 +gloning.name, 1 +glont.net, 1 +gloomy.tk, 1 +glorenza.org, 1 +gloria-home.co.uk, 1 +gloria-mundi.eu, 1 +gloria.tv, 1 +gloriousbride.com, 1 +gloriousfoods.co.uk, 1 +glorycambodia.com, 1 +glorycamrealty.com, 1 +gloryhealthcarellc.com, 1 +gloryholefucking.com, 1 +glorymark.com, 1 +gloryofloveband.tk, 1 +gloryofmusic.tk, 1 +gloryrise.tk, 1 +glorystar.ml, 1 +glosiko.cn, 1 +glosiko.com.cn, 1 +glosiko.net, 1 +glosiko.org, 1 +glossar.tk, 1 +glossowiki.ml, 1 +glossyfied.com, 1 +glotechrepairs.co.uk, 1 +glotte-trotters.fr, 1 +glotter.com, 1 +gloucesterva.gov, 1 +glovementor.com, 1 +glowfic.com, 1 +glowmedspaencino.com, 1 +glowskins.my.id, 1 +glpreparation.com, 1 +glsauto.com, 1 +glucometros.net, 1 +glue.tk, 1 +gluechapter.ga, 1 +glueck-im-norden.de, 1 +gluecksgriff-taschen.de, 1 +glueckskindter.de, 1 +gluecksmomente.boutique, 1 +gluglu.jp, 1 +gluit.de, 1 +glumac.com, 1 +glutenfreefoods.net, 1 +glutenfreehomemaker.com, 1 +glutenfreelife.co.nz, 1 +glutenfreeonashoestring.com, 0 +glutenfreevr.com, 1 +gluto.tk, 1 +gluware.com, 1 +gluwee.com, 1 +glxnet.com, 1 +glyam.nl, 1 +glyburidemetformin.tk, 1 +glykofridis.nl, 1 +glyph.ws, 1 +glyphosat.com, 1 +glyptodon.com, 1 +glz.ca, 1 +gm-assicurazioni.it, 1 +gm-net.jp, 1 +gm.search.yahoo.com, 0 +gm207.com, 0 +gm5.com.br, 1 +gmaetk.com, 1 +gmail, 1 +gmail.com, 0 +gman.bot, 1 +gmanlabs.com, 1 +gmanukyan.com, 1 +gmao.com, 1 +gmasil.de, 1 +gmavsg.org, 1 +gmbh-kiekin.de, 1 +gmc-mca.org, 1 +gmc-roma.it, 1 +gmc.uy, 1 +gmcbm.net, 1 +gmcd.co, 1 +gmdu.net, 1 +gmfumaria.com, 1 +gmgard.com, 1 +gmgcyouth.org, 1 +gmhdrivingschool.co.uk, 1 +gmhostingservices.co.uk, 1 +gmimarkets.com, 1 +gmind.ovh, 1 +gmit.com.ar, 1 +gmkdetailing.cz, 1 +gml4d2.ml, 1 +gmo-cybersecurity.com, 1 +gmod.de, 1 +gmopconsortium.org, 1 +gmpark.dk, 1 +gmpartsdb.com, 1 +gmpartsgiant.com, 1 +gmpartsprime.com, 1 +gms-marine.com, 1 +gmslaw.com, 1 +gmslparking.co.uk, 1 +gmsociety.tk, 1 +gmsurveyingms.com, 1 +gmta.gov, 1 +gmta.nl, 1 +gmtelectrical.com.au, 1 +gmtm.com, 1 +gmtplus.co.za, 1 +gmuh.fr, 0 +gmundner.africa, 1 +gmw-hannover.de, 1 +gmw-ingenieurbuero.de, 1 +gmx.at, 1 +gmx.ch, 1 +gmx.co.uk, 1 +gmx.com, 1 +gmx.de, 1 +gmx.es, 1 +gmx.fr, 1 +gmx.net, 1 +gmz.cx, 1 +gn00.com, 1 +gnagismen.tk, 1 +gnaptracker.tk, 1 +gnawa-diffusion.tk, 1 +gnax.jp, 0 +gncbilgi.com, 1 +gnetwork.eu, 1 +gnezdo.tk, 1 +gnfb.be, 1 +gnfrazier.me, 1 +gnhub.org, 1 +gnida.tk, 1 +gnihm.ac.in, 1 +gnilebein.de, 1 +gnk.io, 1 +gnmlive.com, 1 +gnom.me, 1 +gnomania.ml, 1 +gnomen.tk, 1 +gnomon-transport.com.ng, 1 +gnrinfo.tk, 1 +gns.gov.pt, 1 +gnu.style, 1 +gnuand.me, 1 +gnucashtoqif.us, 1 +gnuher.de, 1 +gnulinux.gq, 1 +gnulinuxforum.tk, 1 +gnupi.tk, 1 +gnuplus.me, 1 +gnush.cf, 1 +gnush.ga, 1 +gnush.gq, 1 +gnusocial.jp, 1 +gnuworldorder.ml, 1 +gnylf.com, 1 +gnzsnz.com, 1 +go-away.xyz, 1 +go-cqhttp.org, 1 +go-dove.com, 1 +go-down.tk, 1 +go-embedded.de, 1 +go-go.link, 1 +go-hijra.com, 1 +go-kuwait.tk, 1 +go-life.com.tw, 1 +go-mail.me, 1 +go-propiedades.cl, 1 +go-site.co.uk, 1 +go-sprout.de, 1 +go-srx.tk, 1 +go-zh.org, 1 +go.exchange, 1 +go.microsoft.com, 1 +go.ne, 1 +go2archive.nl, 1 +go2biz.com, 1 +go2mob.tk, 1 +go2sh.de, 1 +go2store.com, 1 +go2ubl.nl, 1 +go4games.ro, 1 +go4golfreizen.nl, 1 +go4it.ro, 1 +go4rest.de, 1 +go6.si, 1 +go6lab.si, 0 +go889w.com, 1 +goabase.com, 1 +goabase.net, 1 +goaddress.co.ke, 1 +goaheadireland.ie, 1 +goalac.org, 1 +goalbookapp.com, 1 +goalgrass.com, 1 +goalie1998.duckdns.org, 1 +goalup.com.br, 1 +goanalyse.co.uk, 1 +goapunks.net, 0 +goarnlms.org, 1 +goatbot.xyz, 1 +goathub.io, 0 +goatlord.tk, 1 +goatstore.ca, 1 +goavio.rest, 1 +gobarrelroll.com, 1 +gobebra.com, 1 +gobeline.com, 1 +gobetweenfilms.com, 1 +gobi.tk, 1 +gobiernousa.gov, 1 +goblackwood.co.uk, 1 +goblintears.com, 1 +gobouncy.co.uk, 1 +gobouncy.com, 1 +gobugfree.com, 1 +gobytedesign.uk, 1 +gocardless.com, 1 +gocareserv.com, 1 +gocct.com, 1 +gociicii.com, 1 +gockelsee.de, 1 +gockhuatsuky.tk, 1 +goclark.at, 1 +gocleanandsafe.nz, 1 +goclinic.com.br, 1 +goclix.ml, 1 +goconow.com, 1 +goconstruct.org, 1 +gocornwallbus.co.uk, 1 +gocpa.space, 1 +gocphongthuy.net, 1 +god-clan.hu, 1 +godalivetpalandet.tk, 1 +godall.tk, 1 +godan.tech, 1 +godanriver.com, 1 +godark.uk, 1 +godating.tk, 1 +godattributes.com, 1 +godaxen.tv, 1 +godblessus.com, 1 +godbo9.com, 0 +godclan.hu, 1 +goddamnwinnebago.com, 1 +goddess.name, 1 +goddesslena.com, 1 +godesigner.ru, 1 +godestination-morocco.com, 1 +godfilm.tk, 1 +godiscovers.com, 1 +godisgreat.africa, 1 +godish.com, 1 +godles.pl, 1 +godloveme.com, 1 +godmusicapp.com, 1 +godns.ru, 1 +godofredo.ninja, 1 +godoter.cn, 1 +godoza.tk, 1 +godrealms.com, 1 +godrive.ga, 1 +godsofhell.com, 1 +godsofhell.de, 1 +godsowncountry.tk, 1 +godsrollercoaster.co.uk, 1 +godstoghosts.com, 1 +godsunchained.com, 1 +godswila.be, 1 +godswill.tk, 1 +godwithusalinaitwefoundation-ugandalimited.com, 1 +godyo.com, 1 +godzillaencastellano.tk, 1 +goecart.net, 1 +goecomp.com, 1 +goeddesoundandlight.com, 1 +goedeke.ml, 1 +goedekers.com, 1 +goedekortingscodes.be, 1 +goedekortingscodes.nl, 1 +goedkoopparkeren.nl, 1 +goedkoopstecartridges.nl, 1 +goedkope-bestelautoverzekeringen.nl, 1 +goedkope-scooterverzekeringen.nl, 1 +goedkopecartridgeskopen.nl, 1 +goedkopeonesies.nl, 1 +goedkopetaxiservice.nl, 1 +goedkopetonerkopen.nl, 1 +goehler-baumpflege.de, 1 +goeikan.life, 1 +goenea.com, 1 +goenova.com, 1 +goerdeler-alumni-club.de, 1 +goergetown.tk, 1 +goerlitz-zgorzelec.org, 1 +goerres2014.de, 1 +goetec.ac.uk, 1 +goetemp.de, 1 +goetheschule-giessen.de, 1 +goetic.space, 1 +goetteesbarbershop.com, 1 +goettinger-katzenschutz.de, 1 +goetzinger-web.de, 1 +gofabcnc.com, 1 +goffrie.com, 1 +gofigure.fr, 0 +gofile.io, 1 +gofile.link, 1 +goflix.cf, 1 +goflo.net, 1 +gofobo.com, 1 +gofoiayourself.org, 1 +gofoodieonline.com, 1 +gofoodservice.com, 1 +goforcex.top, 0 +gofriends.cf, 1 +gofront.com, 1 +gofundhourly.tk, 1 +gofundme.com, 1 +goge.ml, 1 +gogebic.gov, 1 +gogeeks.com.au, 1 +gogem.in, 1 +gogetssl.com, 0 +gogle-analytics-srv2456.com, 1 +gogle-analytics.com, 1 +gogleapis.com, 1 +gogo.mn, 1 +gogocarto.fr, 1 +gogocharters.com, 1 +gogogirl.vip, 1 +gogolino.tk, 1 +gogomail.ga, 1 +gogonano.com, 1 +gograbit.com, 1 +gogracego.com, 0 +gogreece.dk, 1 +gogroopie.com, 1 +gogs.ca, 1 +gogsat.com, 1 +gogu.ma, 1 +goguarded.com, 1 +gohanrecords.tk, 1 +gohelixit.com, 1 +gohhaksu.sg, 1 +gohon.org, 1 +gohost.kz, 1 +gohvac.pro, 1 +gohyer.com, 1 +going-dutch.tk, 1 +going.com, 1 +goingawesomeplaces.com, 1 +goinggreenshow.gq, 1 +goingreen.com.au, 1 +goiymua.com, 1 +goizalde.tk, 1 +gojoebean.com, 1 +gokazakhstan.com, 1 +gokgids.nl, 1 +gokhankesici.com, 1 +gokmenguresci.com, 1 +gokoururi.com, 1 +goksu.in, 1 +goktoday.com, 1 +gokturkfindik.com, 1 +gokyrgyzstan.com, 1 +golan.ml, 1 +golang.org, 1 +golaw.ua, 1 +golayamadam.tk, 1 +gold-bird.tk, 1 +gold-diamondltd.tk, 1 +gold-fm.ml, 1 +gold9999.com, 1 +goldankauf1875.at, 1 +goldband.tk, 1 +goldbar.com.hk, 1 +goldbio.com, 1 +goldbug.ga, 1 +goldcard.cz, 1 +goldchip.com, 1 +goldclubcasino.com, 1 +goldcoast-plumbing.com.au, 1 +goldcoastasian.com, 1 +goldcoastit.com.au, 1 +goldcoastphotographycourses.com, 1 +goldcoastplumbingcompany.com.au, 1 +goldcreek.tk, 1 +golddeer.com, 1 +golden-beef.fr, 1 +golden-kamuy.com, 1 +golden-sea.tk, 1 +goldenage.tk, 1 +goldenagefoundation.tk, 1 +goldenbadger.de, 0 +goldenberg.tk, 1 +goldencircle.ga, 1 +goldenclub.ga, 1 +goldencoil.pl, 1 +goldendawnapersonalaffair.com, 1 +goldendogs.tk, 1 +goldeneggs.club, 1 +goldeneyesantafe.com, 1 +goldenfawz.com, 1 +goldenglow.fans, 1 +goldenhillsoftware.com, 1 +goldenhost.ca, 1 +goldenhouse.ga, 1 +goldeninvestmentbarcelona.com, 1 +goldenjoy.com, 1 +goldenkeys.io, 1 +goldenmunchbakeshop.com, 1 +goldenoaksgolfclub.com, 1 +goldenpi.com, 1 +goldenplate.com.sg, 1 +goldenravengifts.com, 1 +goldenretrieverspets.com, 1 +goldenruleemail.com, 1 +goldenshiny.com, 1 +goldensunmfg.com, 1 +goldentech.ca, 1 +goldentechelectronics.net, 1 +goldentip.cf, 1 +goldentriangletourindia.com, 1 +goldenwolrd.tk, 1 +goldenworldec.com, 1 +goldenyacca.co.uk, 1 +goldenyacca.net, 1 +goldenyacca.org, 1 +goldequipment.com.br, 1 +goldex.tk, 1 +goldfavela.com, 1 +goldfingermusic.tk, 1 +goldfm1031.tk, 1 +goldfmromania.ro, 1 +goldhabour.com, 1 +goldhill.ml, 1 +goldkid.com, 1 +goldloeckchen159.net, 1 +goldmanpropertygroup.com, 1 +goldminer.ga, 1 +goldpreisfinder.at, 1 +goldround.com, 1 +goldrushenergy.com, 1 +goldschmiede-suessenguth.de, 1 +goldsilver.org.ua, 1 +goldsmithwest.com, 1 +goldspace.tk, 1 +goldstandardtrust.tk, 1 +goldstartransport.co.uk, 1 +goldstein.rs, 1 +goldstein.tel, 1 +goldtits.com, 1 +goldwater.gov, 1 +goldwaterfoundation.gov, 1 +goldwaterscholarship.gov, 1 +goldwish.com, 1 +goldysoptic.bg, 1 +goldytechspecialists.com, 1 +goldzilla.eu, 1 +gole.ms, 1 +golearn.gov, 1 +golestanehali.ir, 1 +golezi.com, 1 +golf-alto-adige.com, 1 +golf-supplies.tk, 1 +golfandfashion.dk, 1 +golfbeautyers.ga, 1 +golfbeautyest.ga, 1 +golfbettingsystem.co.uk, 1 +golfbroadcasterers.ga, 1 +golfbroadcasterest.ga, 1 +golfburn.com, 1 +golfbyzipers.ga, 1 +golfbyzipest.ga, 1 +golfcabrio.de, 1 +golfcarttips.com, 1 +golfcleanerers.ga, 1 +golfcleanerest.ga, 1 +golfcleanersers.ga, 1 +golfcleanersest.ga, 1 +golfdeviceers.ga, 1 +golfedumorbihan56.com, 1 +golfhausmallorca.com, 1 +golfinbritishcolumbia.com, 1 +golfinclusiveers.ga, 1 +golfingbeters.ga, 1 +golfingbetest.ga, 1 +golfinginjuriesers.ga, 1 +golfkulur.is, 1 +golfmagic.com, 1 +golfplus.fr, 1 +golfrange-ffm.de, 1 +golfscape.com, 1 +golfshirtsjohannesburg.co.za, 1 +golfshirtwholesalejohannesburg.co.za, 1 +golftournamentgifts.tk, 1 +goliamo-vranovo.com, 1 +golikes.ml, 1 +golink.co, 0 +golnet.hu, 1 +goloa.fr, 1 +goloaninsurance.tk, 1 +goloborodko.net, 1 +golocksmithhonolulu.com, 1 +golootlo.pk, 1 +golosbots.tk, 1 +golosok.ml, 1 +golosovanye4you.tk, 1 +golser-schuh.at, 1 +golser.info, 1 +gomakemovie.com, 0 +gomarket33.com, 1 +gomasa.net, 1 +gomasy.jp, 1 +gomasy.net, 1 +gomdl.com, 1 +gomega.vn, 1 +gomel.chat, 1 +gomel.city, 1 +gomelagromashplus.by, 1 +gomelchat.com, 1 +gomelphoto.com, 1 +gomer.tk, 1 +gometa.link, 1 +gomeya.com, 1 +gomezhvac.com, 1 +gomezites.tk, 1 +gomicrophone.ml, 1 +gomine.tk, 1 +gomiso.com, 1 +gommista.roma.it, 1 +gomods.link, 1 +gomoon.com, 1 +gomorrabeach.tk, 1 +gomovein.com, 1 +gomtz.gq, 1 +gon.nl, 1 +gon45.com, 1 +gonadotropina.com, 1 +gonalops.gq, 1 +goncalofontoura.tk, 1 +goncalves-admredes.cf, 1 +gonce.io, 1 +goncharov.cf, 1 +goncharov.ml, 1 +goncharov.tk, 1 +gondawa.com, 1 +gondon.tk, 1 +gonebald.tk, 1 +gonenli.com, 1 +gonepal.com, 1 +gonerogue.ml, 1 +gongik.info, 1 +gongjianwei.com, 1 +gongjuhao.com, 1 +gonintendo.com, 1 +gonitro.com, 1 +gonortheast.co.uk, 1 +gonorthwest.co.uk, 1 +gontagro.com.ua, 1 +gonumber.ga, 1 +gonx.dk, 0 +gonz0.com.ar, 1 +gonzalesca.gov, 1 +goo.gl, 1 +goo4it.nl, 1 +gooch.io, 1 +good-cd.ml, 1 +good-course.ga, 1 +good-know.gq, 1 +good-linux.cf, 1 +good-luck3500.ga, 1 +good-wishes-4-u.ga, 1 +gooday.life, 1 +goodbargin.com, 1 +goodbenefit.com, 1 +goodbits.tech, 1 +goodbody.ie, 0 +goodbriar.com, 1 +goodcas.ca, 1 +goodcas.com, 1 +goodchoiceflowers.com, 1 +goodcoat.com, 1 +goodcollection.com, 1 +goodcotton.com, 1 +gooddatingsites.ml, 1 +goodday.finance, 1 +gooddayatwork.co.uk, 1 +gooddomainna.me, 1 +goodearth.com.tw, 1 +goodeditor.com, 1 +goodenglish.ga, 1 +goodenvironment.com, 1 +goodesign.su, 1 +goodface.com, 1 +goodfame.com, 1 +goodfarm.com, 1 +goodfarms.com, 1 +goodfeels.net, 1 +goodfoodrussia.com, 1 +goodfundsgateway.com, 1 +goodfundslending.com, 1 +goodhealthgateway.com, 1 +goodhopemedical.com, 1 +goodhotel.co, 1 +goodhuecountymn.gov, 1 +goodiesnet.ca, 0 +goodiesoft.hu, 0 +goodiespub.fr, 1 +goodingcountyid.gov, 1 +goodjobs.gov, 1 +goodkino.ga, 1 +goodlandks.gov, 1 +goodlink.ml, 1 +goodlosersest.ga, 1 +goodmailing.tk, 1 +goodmanwi.gov, 1 +goodmedia.solutions, 1 +goodmood.co.uk, 1 +goodmood.fr, 1 +goodmoodsocken.de, 1 +goodmorningapril.com, 1 +goodok.eu, 1 +goodopportunity.ga, 1 +goodpeople.tk, 1 +goodproof.com, 1 +goodryb.top, 1 +goodschain.com, 1 +goodseed.nl, 1 +goodsex4all.com.br, 1 +goodsey.com, 1 +goodshepherdmv.com, 1 +goodshuffle.com, 1 +goodsite.ga, 1 +goodspeaker.tk, 1 +goodsrepublic.com, 1 +goodstorage.com.br, 1 +goodsync.com, 1 +goodteach.com, 1 +goodth.ink, 1 +goodthing2.com, 1 +goodtrader.tk, 1 +goodtrip.kr, 1 +goodvibesblog.com, 1 +goodway.tv, 1 +goodwhois.com, 1 +goodwillbusiness.org, 1 +goodwillindy.org, 1 +goodwillnfp.org, 1 +goodwin43.ru, 0 +goodyearsotn.co.uk, 1 +goodyphotography.com, 1 +goofy.gr, 1 +google, 1 +google-analytics.com, 1 +google-and.tk, 1 +google-lunettes.fr, 1 +google.ax, 1 +google0.ca, 1 +googleadvies.nl, 1 +googleandroid.cz, 1 +googlecom.gq, 1 +googlehits.com, 1 +googlekun.tk, 1 +googlemail.com, 0 +googleplaypartnerportal.com, 1 +googleplex.com, 1 +googlerecetas.com, 1 +googleseo.pw, 1 +googleshortcuts.org, 1 +googlesource.com, 1 +goola.it, 1 +goolnk.com, 1 +goombi.fr, 1 +goondocks.io, 1 +goonersworld.co.uk, 1 +goonfleet.com, 1 +goontu.be, 1 +gooodnews.ga, 1 +goooo.info, 1 +goosecreeksc.gov, 1 +goosementor.com, 1 +goosip.tk, 1 +gootax.pro, 0 +gooty.ru, 1 +gooutdoorskansas.com, 1 +gopass-dev.com, 1 +gopass.health, 1 +gopher.tk, 1 +gophoto.it, 1 +gopigment.com, 1 +gopkg.link, 1 +gopnikman.cf, 1 +gopornovideo.com, 1 +goppold.net, 1 +gopri.tk, 1 +gopro-qa.com, 1 +gopro-staging.com, 1 +gopro.com, 1 +goproallaccess.com, 1 +gopronow.ga, 1 +gopuntaisla.com, 1 +gopwhip.gov, 1 +goquiq.com, 1 +goquiqstatus.com, 1 +gorakhpurclassifieds.tk, 1 +goranrango.ch, 1 +gorazde.tk, 1 +gorbatschow.tk, 1 +gorbilet.com, 1 +gorbov.tk, 1 +gorby.tk, 1 +gorce.com, 1 +gorchakov.org, 1 +gordas.cf, 1 +gordeijnsbouw.nl, 1 +gordianbla.de, 0 +gordillo.legal, 1 +gordion.tk, 1 +gordon-reid.com, 1 +gordonbeeming.com, 1 +gordonbeeming.com.au, 1 +gordonbeeming.xyz, 1 +gordoncountyga.gov, 1 +gordonhamilton.com, 1 +gordonquarter.org.au, 1 +gordontrading.co.nz, 1 +gordvorets.tk, 1 +gordyf.com, 1 +gordyforty.com, 1 +gorebayairport.ca, 1 +gorebayairport.com, 1 +gorenje-ru.ru, 1 +gorepriest.tk, 1 +gorf.club, 1 +gorgeousb.com, 1 +gorgeouslyflawed.com, 1 +gorgeouspizza.co.nz, 1 +gorgias.me, 1 +goriki.tk, 1 +goringdogsitting.co.uk, 1 +gorki.tk, 1 +gorky.media, 1 +gorlani.com, 1 +gorlani.net, 1 +gormanprojects.com, 1 +gorn.ch, 1 +goroboted.com, 0 +gorodabakan.cf, 1 +gorodabakan.ga, 1 +gorodabakan.gq, 1 +gorodabakan.ml, 1 +gorodabakan.tk, 1 +gorodivanovo.tk, 1 +gorodrabot.by, 1 +gorodrabot.kz, 1 +gorodrabot.ru, 1 +gorodrostov.tk, 1 +gorodruza.tk, 1 +gorodyaroslavl.tk, 1 +goroscop.ga, 1 +goroscop.ml, 1 +goroscop.tk, 1 +goroscope2011.tk, 1 +goroskop-sovmestimosti-znakov.tk, 1 +goroskop-sovmestimosti.ml, 1 +goroskop.gq, 1 +goroskopnew.tk, 1 +gorschenin.com, 1 +gorstom.ml, 1 +gortaniza.tk, 1 +gorymoon.se, 1 +gosaavd.tk, 1 +gosarh.tk, 1 +gosarhiv.tk, 1 +goscg.com, 1 +gosch.de, 1 +goshawkdb.io, 1 +goshin-group.co.jp, 1 +goshop.pl, 1 +goshopnow.co.za, 1 +gosia-banaszkiewicz.com, 1 +gosiberia.ru, 1 +gosimpler.com, 1 +goskills.com, 1 +gosling-gov.tk, 1 +gosling-mod.tk, 1 +goslot.com, 1 +gosnipe.com, 1 +gosolockpicks.com, 1 +gospeldesign.tk, 1 +gospelidea.com, 1 +gospellifewc.com, 1 +gospelmusic.io, 1 +gospelnarrative.com, 0 +gospelsmusic.uk, 1 +gospelstreamingsermons.com, 1 +gospelunited.tk, 1 +gospelvestcination.de, 1 +gospelzone.ga, 1 +gospence.com, 1 +gospercountyne.gov, 1 +gospiritus.com, 1 +gosq.co, 1 +gosq.com, 1 +gossiptimes.tk, 1 +gossr.pw, 1 +gost-energo.ru, 1 +gostargazing.co.uk, 1 +gostartkit.com, 1 +gostatera.com, 1 +gosti-dom.ga, 1 +gostica.com, 1 +gostomaisdecarrosdoquechocolates.com, 1 +gostudy.net, 1 +gosu.pro, 1 +gosupps.com, 1 +goswak.com, 1 +goszakupki.tk, 1 +got-tty.de, 1 +gotabflow.com, 1 +gotajikistan.com, 1 +gotchaphotos.net.au, 1 +gotcounterers.ga, 1 +gotcounterest.ga, 1 +goteamproclean.com, 1 +goteleport.com, 1 +gotepisodes.tk, 1 +gotforumers.ga, 1 +gotgeeks.nl, 1 +gotgenes.com, 0 +gothailand.cf, 1 +gothamcateringnyc.com, 1 +gothamcity.ch, 1 +gothamcity.fr, 1 +gothic-world.tk, 1 +gothiclandscape.com, 1 +gothicmarketing.tk, 1 +gothicsite.tk, 1 +gotikadesaldos.tk, 1 +gotirupati.com, 0 +gotit.com.tw, 1 +gotmilk.ml, 1 +gotmuebles.com, 1 +gotnet.tk, 1 +goto.google.com, 1 +goto.world, 1 +goto10.se, 1 +gotobooks.ml, 1 +gotobrno.cz, 1 +gotoexam.tk, 1 +gotohomerepair.com, 1 +gotolinux.ru, 1 +gotomap.com, 1 +gotomi.info, 0 +gotomojo.com, 1 +gotonet.tk, 1 +gotonline.ml, 1 +gotonline.tk, 1 +gotorussia.tk, 1 +gotovilekovi.tk, 1 +gotovka.ga, 1 +gotovka.tk, 1 +gotowebstore.com, 1 +gotoxy.at, 1 +gotrail.fr, 1 +gotransferdr.com, 1 +gotravel.blog, 1 +gotravel.hu, 1 +gotravel.us, 1 +gotravelmexico.com.mx, 1 +gotrek.com.au, 1 +gotreksperu.com, 1 +gotrendier.com.co, 1 +gotrendier.mx, 1 +gotriage.tk, 1 +gotstreamingers.ga, 1 +gotstubs.com, 1 +gott-it.dk, 1 +gottagohack.fr, 0 +gottasketchemall.com, 1 +gottcar.com, 1 +gottfridsberg.org, 1 +gottika.com, 1 +goturkmenistan.com, 1 +gotvax.us, 1 +gotver.tk, 1 +gotzg.de, 1 +goudenharynck.be, 1 +goudenlaantje.nl, 1 +goudronblanc.com, 1 +goudsbloemonline.nl, 1 +goudt.nl, 1 +gouforit.com, 1 +goug0.com, 1 +gougeaway.tk, 1 +gougeul.org, 1 +goukon.ru, 1 +gouplinkit.com, 1 +gourgouli.com, 1 +gourmet-safran.de, 1 +gourmetfestival.de, 1 +gourmetsditalie.com, 1 +gourmetspalencia.com, 1 +gourmetvitamins.ga, 1 +goushuang.com, 1 +goutsmits-tegelwerken.nl, 1 +gouwdata.nl, 1 +gouwen.com, 1 +gov.exposed, 1 +gov.md, 1 +gov.tc, 1 +gov.uk, 0 +govape.tk, 1 +govecountyks.gov, 1 +governikus.de, 1 +governmentjob.gq, 1 +governmentjobs.gov, 1 +governmentphoneservice.com, 1 +governorhub.com, 1 +govindagiri.tk, 1 +goviralnow.ml, 1 +govloans.gov, 1 +govmi.gov, 1 +govno-site.tk, 1 +govnohosting.cf, 1 +govnosite.tk, 1 +govotecolorado.gov, 1 +govotetn.gov, 1 +govquarter.gq, 1 +govsales.gov, 1 +govtjobs.blog, 1 +govtnaukrinews.com, 1 +govtrack.us, 1 +govvacationrewards.com, 1 +govype.com, 1 +gow220.ru, 1 +gowager.co.uk, 1 +gowaianapanapa.com, 1 +gowancommunications.com, 1 +gowatermarkdesign.com, 1 +gowe.wang, 0 +goweraesthetics.co.uk, 1 +gowervets.co.uk, 1 +gowikings.dk, 1 +gowildrodeo.co.uk, 1 +gowin.ae, 1 +gowinit.de, 1 +gowithflo.de, 1 +gowlingwlg.com, 1 +goworld.gq, 1 +gowpcare.com, 1 +goxyshuk.duckdns.org, 0 +goyahkles-spirit-to.tk, 1 +goyoyo.com, 1 +goyumoilexpeller.com, 1 +gozadera.es, 1 +gozenhost.com, 1 +gozenhosting.com, 1 +gp-lightstone.de, 1 +gpalabs.com, 1 +gpatrading.com, 1 +gpbdev.ru, 1 +gpccp.cc, 1 +gpcmicro.com, 1 +gpcp.org, 1 +gpcs.ml, 1 +gpcsolutions.fr, 1 +gpdp.it, 1 +gpfclan.de, 1 +gpforum.tk, 1 +gpga.cf, 1 +gpgscoins.com, 1 +gphalt.com, 1 +gphalt.de, 1 +gpio.gq, 1 +gpl25.ml, 1 +gplans.us, 1 +gplintegratedit.com, 1 +gpltimes.club, 1 +gpltimes.com, 0 +gpltimes.org, 1 +gplvilla.com, 1 +gpnotebook.com, 0 +gpo.gov, 0 +gpodev.gov, 1 +gpolanco.com, 1 +gpony.fr, 1 +gppro.com, 0 +gpr.ge, 1 +gpremium.cl, 1 +gps-fleettracking.ga, 1 +gps-track-sys.info, 1 +gps.com.br, 1 +gps4net.com, 1 +gps4net.eu, 1 +gpsarena.ro, 1 +gpsbag.com, 1 +gpsblackbox.com, 1 +gpsfix.cz, 1 +gpskoordinaten.de, 1 +gpsmith.tech, 1 +gpsnavigator.tk, 1 +gpsolarpanels.com, 1 +gpspolis.nl, 1 +gpsroomers.ga, 1 +gpstrackersaustralia.com, 1 +gpsvideocanada.com, 1 +gpswebsoft.ml, 1 +gptunnel.kz, 1 +gptunnel.ru, 1 +gpu.nu, 1 +gpwaconference.com, 1 +gpwatimes.org, 1 +gpwih.com, 1 +gpwmd-portal.org, 1 +gpz500s.tk, 1 +gq-magazine.co.uk, 1 +gqms.com, 1 +gqyyingshi.com, 0 +gr.search.yahoo.com, 0 +gra-gcc.com, 1 +gra2.com, 1 +graasp.net, 0 +grabacabpa.com, 1 +grabadolasermonterrey.com, 1 +graberbooks.gq, 1 +grabi.ga, 1 +grabnews.ga, 1 +grabnews.tk, 1 +grabowski.ovh, 1 +grabrfi.com, 1 +grabyourfreeleadshere.tk, 1 +grace-wan.com, 1 +gracealexwatch.org, 1 +gracebaking.com, 0 +graceclinic.com.tw, 1 +gracecommunity.school, 1 +gracecounselingcos.com, 1 +gracedaycorea.com, 1 +gracedays.org, 1 +gracedonors.co.uk, 1 +gracedonors.co.za, 1 +gracedonors.com, 1 +graceharborapps.net, 1 +gracelawoffice.com, 1 +graceradio.tk, 1 +gracereminder.com, 1 +gracethrufaith.com, 1 +gracetini.com, 1 +grachten.museum, 1 +gracia-club.tk, 1 +graciasmarvin.tk, 1 +gracodesign.eu, 1 +gradedblue.com, 1 +gradelink.com, 1 +gradenotify.com, 1 +gradgreenhouse.com, 1 +gradienthosting.co.uk, 1 +gradients.com, 1 +gradientthemes.com, 1 +gradinacufluturi.ro, 1 +gradingcontractornc.com, 1 +gradinitasamariteanulcluj.ro, 1 +gradintel.com, 1 +gradity.eu, 1 +gradle.com, 1 +gradle.org, 1 +grads360.org, 1 +graduados.tk, 1 +gradualgram.com, 1 +graduatenursingedu.org, 1 +graduatewriter.com, 1 +graecum.org, 1 +graeskmad.dk, 1 +graetgossip.com, 1 +graetintelligence.com, 1 +graetnew.com, 1 +graetnewsnetwork.com, 1 +graetreport.com, 1 +graf-igor.ch, 1 +graf.re, 1 +grafana.com, 1 +grafcaps.com, 1 +grafenberg.tk, 1 +graffiti-street-art-ebook.tk, 1 +graffitinetwerk.nl, 1 +graffitiwall.tk, 1 +graffprint.pl, 1 +grafia.ink, 1 +graficagesa.com.br, 1 +graficanocera.com, 1 +graficasantana.com.br, 1 +graficoywebvalencia.tk, 1 +grafik.gq, 1 +grafimagenpublicidad.com, 1 +grafittikontroll.cf, 1 +grafmag.pl, 1 +grafmark.art, 1 +grafmurr.de, 1 +grafnet.com.br, 1 +grafologia.tk, 1 +grafos.ml, 1 +grafoterapia.tk, 1 +grafphoto.com, 1 +graft.community, 1 +graft.spb.ru, 1 +graftoncountynh.gov, 1 +graftonglobe.cf, 1 +graftonglobe.tk, 1 +graftonnd.gov, 1 +graftworld.pw, 1 +grafuroam.com, 1 +grahambaggett.com, 1 +grahambaker.ca, 1 +grahamcarruthers.co.za, 1 +grahamcluley.com, 0 +grahamedgecombe.com, 1 +grahamleeonline.com, 1 +grahamsmith.tech, 1 +grailians.com, 1 +grailify.com, 1 +grain-feature-branch.co, 1 +grain-staging.co, 1 +grain.com, 1 +graine-de-cafe.com, 1 +graingert.co.uk, 1 +graliv.net, 0 +grallersdegegants.tk, 1 +gramati.com.br, 1 +grammar.co.id, 1 +grammar.hu, 1 +grammarhouse.me, 0 +grammofono.gr, 0 +grammysgrid.com, 1 +gramtarang.org.in, 1 +gran-hermano.tk, 1 +granalacant.tk, 1 +granary-demo.appspot.com, 0 +granaturov.mk.ua, 1 +granby404.eu, 1 +grancargo.com.br, 0 +grancellconsulting.com, 1 +grancordobahoy.com.ar, 1 +grand-assistance.co.jp, 1 +grand-books.cf, 1 +grand-certification.kz, 1 +grand-challenge.org, 1 +grand-design.tk, 1 +grand-hotel-de-france.com, 1 +grand-house.gq, 1 +grand-knighki.gq, 1 +grand-sity.ru, 1 +grandalfa.co.nz, 1 +grandblanctwpmi.gov, 1 +grandcabin.md, 1 +grandcafeatpark.nl, 1 +grandcanyon.tk, 1 +grandcanyonmore.com, 1 +grandcanyonmoretours.com, 1 +grandcapital.cn, 1 +grandcapital.id, 1 +grandcapital.net, 1 +grandcapital.ru, 1 +grandchene.ch, 0 +grandchutewi.gov, 1 +grandcountydronepilot.com, 1 +grande-rock.tk, 1 +grande.coffee, 1 +grande.wiki, 1 +grandepresion.com, 1 +grandesign.pt, 1 +grandesmaisons.fr, 1 +grandeurgifts.in, 1 +grandfallscamp.com, 1 +grandfieldok.gov, 1 +grandfoodandcateringservices.com.au, 0 +grandfootball.tk, 1 +grandhomemx.com, 1 +grandi-books.gq, 1 +grandisco.tk, 1 +grandiscontionline.com, 1 +grandislandne.gov, 1 +grandmasfridge.org, 0 +grandmass.com, 1 +grandmasternetwork.com, 1 +grandmusiccentral.com.au, 1 +grandpachy.tk, 1 +grandpad.biz, 1 +grandpad.net, 1 +grandpadusercontent.com, 1 +grandpcd.com, 1 +grandrapidsmn.gov, 1 +grandrapidswi.gov, 1 +grandstarcourier.ml, 1 +grandtiresers.ga, 1 +grandviewgynecology.ca, 1 +grandviewheights.gov, 1 +grandwailea.com, 1 +grandwill.com, 1 +grandworldnghiduong.com, 0 +grandx86.pl, 1 +granfort.es, 0 +granfutbol.com, 1 +grangecon.tk, 1 +grangette.eu, 1 +grani.gq, 1 +granian.pro, 1 +granica.tk, 1 +granigroup.ru, 1 +granishe.com, 1 +granit-capital.ga, 1 +graniteedvance.org, 1 +graniteescrow.com, 1 +granitehillcapital.com, 1 +graniteind.com, 1 +granitestateproductions.tk, 1 +granitko.ru, 1 +grannynude.tv, 1 +grannypussy.net, 1 +grannypussy.tv, 1 +grannypussypics.com, 1 +grannys-stats.com, 1 +grannytitty.com, 1 +grannytube.net, 1 +grannytube.tv, 1 +grannytubes.com, 1 +granool.ga, 1 +granotamaniacos.tk, 1 +granpoder-islacristina.tk, 1 +gransfors354.com, 1 +granstoqueatacadista.com.br, 1 +granstor.com, 0 +granstrom.tk, 1 +grantashqg.com, 1 +grantcountyne.gov, 1 +grantdb.ca, 1 +granthamnh.gov, 1 +grantmorrison.net, 1 +grantsmasters.com, 1 +grantsolutions.gov, 1 +granttwpstclairmi.gov, 1 +granulate.io, 1 +graonatural.com.br, 0 +grapee.jp, 1 +grapeintentions.com, 1 +grapevine.is, 1 +graph.org, 1 +graphe.gq, 1 +graphene.software, 1 +graphenecompany.com, 1 +grapheneenergy.com, 1 +grapheneengine.com, 1 +grapheneos.ca, 1 +grapheneos.com, 1 +grapheneos.info, 1 +grapheneos.net, 1 +grapheneos.org, 1 +grapheneos.ovh, 1 +grapheneos.social, 1 +graphenepower.com, 1 +graphic-schools.com, 1 +graphic-shot.com, 1 +graphicbuffet.co.th, 1 +graphicdesignresources.net, 1 +graphicdream.tk, 1 +graphicinfo.com, 1 +graphicnab.com, 1 +graphicps.com, 1 +graphicspace.tk, 1 +graphicz.ml, 1 +graphiste-freelance-rouen.fr, 1 +graphite.org.uk, 1 +graphiteconnect.com, 1 +grapholio.net, 1 +graphpaper.studio, 1 +graphviewer.tk, 1 +grapixo.com, 1 +grapplinginsider.com, 1 +grasboom35plus.nl, 1 +grasdealer.com, 1 +grasengroenkunstgras.nl, 1 +grasmark.com, 1 +grasp24.pl, 1 +grasrijk.tk, 1 +grassau.com, 1 +grasscity.com, 0 +grassenberg.de, 1 +grasshoppervape.com, 1 +grasski.net, 1 +grassreinforcement.com.au, 1 +grast.jp, 1 +graszoden.tk, 1 +gratelin.ga, 1 +gratis-hosting.cf, 1 +gratis.market, 1 +gratis4u.tk, 1 +gratisfotos.nl, 1 +gratisfullalbum.tk, 1 +gratishandy.tk, 1 +gratisliste.de, 1 +gratismuziek.tk, 1 +gratisonlinespel.tk, 1 +gratisparati.tk, 1 +gratitudeabundancepassion.com, 1 +gratius.tk, 1 +gratiz.nl, 1 +grattan.co.uk, 1 +grattecenne.com, 1 +gratuitweb.tk, 1 +graumeier.de, 1 +grauwasser-blog.de, 1 +gravedad-zero.tk, 1 +gravedigger.tk, 1 +gravelshooters.com, 1 +gravelshooters.net, 1 +gravelshooters.org, 1 +gravely-dealers.com, 1 +gravely.com, 1 +gravelylawn.com, 1 +gravelymower.com, 1 +gravensteengent.be, 1 +gravescountyky.gov, 1 +gravilink.com, 1 +gravira.ru, 1 +gravirovshik.ru, 1 +gravitascreative.net, 1 +gravitational.co, 1 +gravitational.com, 1 +gravitational.io, 1 +gravitco.com, 1 +gravitechthai.com, 1 +gravitlauncher.ml, 1 +graviton.work, 1 +gravity-bonanza.org, 1 +gravity-inc.net, 1 +gravityformspdfextended.com, 1 +gravityinvestments.com, 1 +gravitypdf.com, 1 +gravityresearchgroup.cf, 1 +gravityresearchgroup.ga, 1 +gravityresearchgroup.gq, 1 +gravityresearchgroup.tk, 1 +gravytrain.tk, 1 +grawe-blog.at, 1 +gray.network, 1 +grayarrow.com, 1 +graybroughton.com, 1 +graycat.ml, 1 +grayhatter.com, 1 +graymuzzlesociety.org, 1 +grayowlworks.com, 1 +grayphics.com, 1 +grayrectangle.com, 1 +grayslakeadvisors.com, 1 +grayson.sh, 1 +graysonsmith.co.uk, 1 +graysquare.com, 1 +grayville-il.gov, 1 +grazetech.com, 1 +grazhdanskij-advokat.tk, 1 +grbrt.com, 1 +grc.com, 0 +grd.cx, 1 +grday.com, 1 +grdnlife.site, 1 +great-ajax.tk, 1 +great-mom.tk, 1 +great.nagoya, 1 +greatagain.gov, 1 +greataltrock.tk, 1 +greatamericaneu.com, 1 +greatamericanuk.com, 1 +greatbarrierisland.nz, 1 +greatbeginningsmi.com, 1 +greatdane.com, 1 +greatdanegrp.com, 1 +greatdanemowers.com, 1 +greatepier.tk, 1 +greatergood.com, 0 +greatergoods.com, 1 +greaterzion.com, 1 +greatestcampsest.ga, 1 +greatestwallsest.ga, 1 +greatfallsmt.gov, 1 +greatfire.org, 1 +greatgooglymoogly.tk, 1 +greathairtransplants.com, 1 +greathillpartners.com, 1 +greatlakesden.net, 1 +greatlakesendurance.com, 1 +greatlakesintegrativemed.com, 1 +greatlakestechdiving.com, 1 +greatlifeinsurancegroup.com, 1 +greatlms.com, 1 +greatnetsolutions.com, 1 +greatnews.ro, 1 +greatoceanroadbrewhouse.com.au, 1 +greatplains.io, 1 +greatplainsaustralia.com.au, 1 +greatrenumbering.tk, 1 +greatrichmond.com, 1 +greatsankeypc.org.uk, 1 +greatscholars.tk, 1 +greatscience.tk, 1 +greatsittersers.ga, 1 +greatsittersest.ga, 1 +greatsurfersers.ga, 1 +greatsurfersest.ga, 1 +greatvacation.tk, 1 +greatwebdesign.uk, 1 +grechutaszkolenia.pl, 1 +greciahora.com, 1 +greeblehaus.com, 1 +greedy-it.de, 1 +greek-islands-hotels.tk, 1 +greeklish.gr, 1 +greekmusic.academy, 1 +greeknewspapers.tk, 1 +greeks.tk, 1 +greekweb.tk, 1 +greeleycountyne.gov, 1 +green-adn.com, 1 +green-anarchy.tk, 1 +green-attitude.be, 1 +green-aura.ru, 0 +green-clean.at, 1 +green-factory.gq, 1 +green-factory.ml, 1 +green-finance.fr, 1 +green-gardens.fr, 1 +green-laser.ga, 1 +green-laser.ml, 1 +green-light.cf, 1 +green-light.co.nz, 0 +green-light.ga, 1 +green-light.gq, 1 +green-light.ml, 1 +green-paradise.tk, 1 +green-smart.com, 1 +green-smart.work, 1 +green-snake.com, 1 +green-version.com, 1 +green-wood.com, 1 +green.com.do, 1 +greenacrescannabisgroup.com, 1 +greenaddress.it, 1 +greenangels.com.ua, 1 +greenapproach.ca, 1 +greenartistsswiss.ch, 1 +greenassembly.fr, 1 +greenbat57.fr, 1 +greenbeauty.in, 1 +greenbuildingsystemsllc.com, 1 +greenburghny.gov, 1 +greencapital.gent, 1 +greencbd.com, 1 +greencircleplantnursery.com.au, 1 +greencircleplantnursery.net.au, 1 +greenclouddefense.com, 1 +greencocktail.ga, 1 +greencoconutresort.cf, 1 +greencoconutresort.ga, 1 +greencoconutresort.gq, 1 +greencoconutresort.ml, 1 +greencross.cf, 1 +greencyprus.com, 1 +greendaylivecrew.tk, 1 +greendesserters.ga, 1 +greendessertest.ga, 1 +greendiscussionsers.ga, 1 +greendotcc.com, 1 +greendotcredit.com, 1 +greendragonsearch.tk, 1 +greendrive.tk, 1 +greendvorik.com.ua, 1 +greenearthlawns.com, 0 +greenecountyny.gov, 1 +greenecountyohio.gov, 1 +greenecountytn.gov, 1 +greenecountytnsheriffsdept.gov, 1 +greenetwpclintonpa.gov, 1 +greenews.ga, 1 +greenex.pro, 1 +greenfever.pl, 1 +greenfieldlaxwi.gov, 1 +greenfieldwi.gov, 1 +greenflashforensics.com, 1 +greenforum.tk, 1 +greenfoxadventures.com, 1 +greenfunder.co.uk, 1 +greengarden.tk, 1 +greengates.co.uk, 1 +greengoblindev.com, 1 +greengorych.io, 1 +greengorych.ru, 1 +greengov.gov, 1 +greengrocery.tk, 1 +greenhandy.com, 1 +greenhats.de, 1 +greenhillhosting.com, 1 +greenholiday.tk, 1 +greenhollowbowmen.tk, 1 +greenhous-technology.tk, 1 +greenice.net, 1 +greeningsremovalsandstorage.co.uk, 1 +greenislandgroupny.com, 1 +greenit.eco, 1 +greenkey.gent, 1 +greenkitchen.tk, 1 +greenlakecountywi.gov, 1 +greenland-estate.tk, 1 +greenleft.org.au, 0 +greenlifecannabis.com, 1 +greenlifetour.tk, 1 +greenlighttreeservices.com, 1 +greenline.financial, 1 +greenliquidsystem.com, 1 +greenliv.pl, 1 +greenmesg.org, 1 +greenmind.tk, 1 +greenminegroup.com, 1 +greenmoon.tk, 1 +greenmountainenergy.com, 1 +greenopedia.com, 1 +greenopeningsers.ga, 1 +greenopeningsest.ga, 1 +greenpal.jp, 1 +greenpanda.de, 1 +greenpartyofnewmilford.org, 1 +greenpaws.ee, 1 +greenpeace.community, 1 +greenplanet.tk, 1 +greenplanetgrass.com.au, 1 +greenridgemo.gov, 1 +greenroach.ru, 1 +greenroom.tk, 1 +greenrushdaily.com, 1 +greensad36.ru, 1 +greensboro.com, 1 +greensborosecuritycameras.com, 1 +greensborovt.gov, 1 +greensidevetpractice.co.uk, 1 +greensilllatam.com, 1 +greensmartplanet.com.my, 1 +greensmartplanet.my, 1 +greensph.tk, 1 +greensquare.tk, 1 +greenstation.no, 1 +greensurpriseers.ga, 1 +greensurpriseest.ga, 1 +greenswimmingers.ga, 1 +greenswimmingest.ga, 1 +greentea.gq, 1 +greentea.ml, 1 +greentea.tk, 1 +greenteamtwente.nl, 1 +greentechhvac.in, 1 +greenthought.tk, 1 +greentop.tk, 1 +greenupchdky.gov, 1 +greenux.cloud, 1 +greenux.cz, 1 +greenville.k12.sc.us, 1 +greenware.tk, 1 +greenway-moskva.ru, 1 +greenwaylog.net, 1 +greenwhitearmy.tk, 1 +greenwichbiosciences-influence-beta.azurewebsites.net, 1 +greenwiki.ca, 1 +greenwithdecor.com, 1 +greenwood-it.co.uk, 1 +greenwoodne.gov, 1 +greenwoodny.gov, 1 +greenwoodtwpcrawfordpa.gov, 1 +greenytimes.com, 1 +greenyway.com, 1 +greenzved.tk, 1 +greer.ru, 1 +greetabl.com, 1 +greetingcdsers.ga, 1 +greetingcdsest.ga, 1 +greffe-de-cheveux-turquie.com, 1 +greg.red, 1 +gregbrimble.com, 1 +gregdf.com, 1 +greger.me, 1 +greghouse.tk, 1 +gregmartyn.com, 1 +gregmarziomedia.co.za, 1 +gregmarziomedia.com, 1 +gregmc.ru, 1 +gregmckeown.com, 1 +gregmilton.com, 1 +gregmilton.org, 1 +gregmote.com, 1 +grego.pt, 1 +gregoirow.be, 1 +gregorians.org, 1 +gregorkofler.com, 1 +gregory-kramer.fr, 1 +gregory-thibault.com, 1 +gregorydorrifourt.fr, 1 +gregoryhammond.ca, 1 +gregorykelleher.com, 1 +gregoryrealestategroup.com, 1 +gregorywiest.com, 1 +gregproffit.com, 1 +gregscloud.com, 1 +greizer.tk, 1 +grekiskagudar.tk, 1 +grekos.com.pl, 1 +gremagol.xyz, 1 +gremlinsmountain.tk, 1 +grenadaco-opbank.com, 1 +grenade.ga, 1 +grenadiercorps-kaarst.de, 1 +grenadiere-kaarst.de, 1 +grenadierkorps-kaarst.de, 1 +grenadierkorps.de, 1 +grend.gq, 1 +grenfell.org.au, 1 +grenfellinternetcentre.com.au, 1 +grengine.ch, 1 +grenlan.com, 1 +grenoblepartners.com, 1 +grepable.com, 1 +grepular.com, 1 +gresak.io, 0 +gresik.info, 1 +gresrewop.ca, 1 +gresrewop.com, 1 +greta-birkner.de, 1 +greta-fischer-schule.de, 1 +gretalfoodproducts.com, 1 +gretathemes.com, 1 +gretch.space, 1 +gretchensbridalgallery.com, 1 +gretel.ai, 1 +greuel.online, 1 +greutmann.net, 1 +grevenagreece.gr, 1 +grevesgarten.de, 1 +grexx.today, 1 +grey-cat.tk, 1 +greybullwy.gov, 1 +greycentre.com, 1 +greycrane.net, 1 +greydesign.tk, 1 +greyhackcentral.gq, 1 +greyhash.se, 1 +greyheads.cat, 1 +greyline.tk, 1 +greymatteroffline.tk, 1 +greymuzzlemanor.org, 1 +greypanel.com, 1 +greyrectangle.com, 1 +greyskymedia.com, 1 +greysolonballroom.com, 1 +greystonesmovement.com, 1 +greystonesscouts.tk, 1 +greywalker.tk, 1 +greywolf.cz, 1 +grfinefoods.co.uk, 1 +grfnhousing.org, 1 +grg.de, 1 +grh.am, 0 +grhhosting.com, 1 +griassdi-reseller.de, 1 +gricargo.com, 1 +grickle.org, 1 +grid.is, 1 +gridcatalyst.org, 1 +gridcodestudio.com, 1 +gridfuse.com, 1 +gridgain.com, 1 +gridgames.tk, 1 +gridgroup.com.tr, 1 +gridironelitetraining.com, 1 +gridlab.de, 1 +gridly.nl, 1 +gridspace.ca, 1 +gridtennis.net, 1 +gridvis.cloud, 1 +griechische-pfoetchen.de, 1 +griefheart.com, 1 +grieg-gaarden.no, 1 +grieg.net, 1 +grieg.no, 1 +grieg.org, 1 +grieglogistics.no, 1 +griegshipbrokers.no, 1 +griendencollege.tk, 1 +grienenberger.eu, 1 +griesser2.de, 1 +griffin.com, 1 +griffinmuseum.org, 1 +griffinsrfc.tk, 1 +griffithobs.org, 1 +griffithobservatory.org, 1 +griffophotography.tk, 1 +grifomarchetti.com, 1 +grifone.tk, 1 +griftersnet.com, 1 +grigo.ga, 1 +grigo.tk, 1 +grigorev.tk, 1 +grijalba.tk, 1 +grijpskerk500.tk, 1 +grillboxtaxi.de, 1 +grillen-darf-nicht-gesund-sein.de, 1 +grillfocused.com, 1 +grillidellostretto.tk, 1 +grilllness.com, 1 +grilltanksplus.com, 1 +grimdarkterrain.com, 1 +grimetoshinecleaners.co.uk, 1 +grimm.cz, 1 +grimmhome.com, 1 +grimmonolith.tk, 1 +grimorium.tk, 1 +grimsby.ac.uk, 1 +grimsbydns.com, 1 +grimsbymoneyman.com, 1 +grinday.tk, 1 +grindgore.tk, 1 +grinmore.com, 1 +grinned.tk, 1 +grinnellksroots.com, 1 +grinnellplanes.com, 1 +grinnellplans.com, 1 +grinpis.tk, 1 +gripcoat.jp, 1 +gripeffect.nl, 1 +gripeh1n1.com, 1 +gripencrossfit.cf, 1 +gripencrossfit.gq, 1 +gripnijmegen.rip, 1 +gripopit.nl, 1 +gripvol.nl, 1 +gripwenab.cf, 1 +grishavirus.cf, 1 +grissianerhof.com, 1 +griswoldia.gov, 1 +grit3.com, 1 +gritsany.hopto.org, 1 +griyadenature.tk, 1 +griyo.online, 1 +grizz.gdn, 1 +grizzenergygum.com, 1 +grizzlys.com, 0 +grizzlys.tk, 1 +grm.com.co, 1 +grnbank.com, 1 +groaccess.com, 1 +groben-itsolutions.de, 1 +grockradio.ga, 1 +grocock.me.uk, 1 +groenaquasolutions.nl, 1 +groenemoskeeen.nl, 0 +groeneoldtimer.nl, 1 +groenlinks.nl, 1 +groentebesteld.nl, 1 +groenteclub.nl, 1 +groentefruitzeep.com, 1 +groentefruitzeep.nl, 1 +groepjam-usedcars.be, 1 +groepper-it.de, 1 +groestlcoin.org, 1 +groetzner.net, 1 +grog.pw, 1 +grokker.com, 1 +groklearning.com, 1 +grolimur.ch, 0 +grolleau.fr, 1 +gromasikov.tk, 1 +gromovphotography.tk, 1 +gronau-it-cloud-computing.de, 1 +grondius.com, 1 +grondwerkencooreman.be, 1 +groningerkustvaart.tk, 1 +groomershop.ru, 0 +groomlake.tk, 1 +groomscroft.co.uk, 1 +groomscroft.com, 1 +grooove.pl, 1 +groothagenbeek.nl, 1 +grootinadvies.nl, 1 +groots.com, 1 +groove3.com, 1 +grooveguard.tk, 1 +groover.com.br, 1 +groovie.tk, 1 +groovyboove.co.uk, 1 +groovydiscountsers.ga, 1 +groovydiscountsest.ga, 1 +groovydisk.com, 1 +groovygoldfish.org, 1 +groovyrelocation.com, 1 +gropar.ch, 1 +gropar.com, 1 +gropp.org, 1 +grosirfashion.online, 1 +gross.business, 1 +grossaci.cz, 1 +grossberger-ge.org, 0 +grosser.io, 1 +grossiste-en-ligne.com, 1 +grossmisconduct.news, 1 +grossorders.com, 1 +groszek.pl, 1 +grotesk.tk, 1 +groth.im, 1 +groth.xyz, 1 +grothem.cf, 1 +grothem.gq, 1 +grothoff.org, 1 +grottalchemica.it, 1 +grottenthaler.eu, 1 +grouchysysadmin.com, 1 +ground-control.de, 1 +groundball.tk, 1 +groundfm.tk, 1 +groundmc.net, 1 +groundsdirect.com, 1 +groundspan.com, 1 +groundthumpingmotors.com, 1 +groundthumpingmotors.net, 1 +groundthumpinmotors.com, 1 +groundthumpinmotors.net, 1 +group-digitcom.com, 1 +group-galore.com, 1 +group-project.xyz, 1 +group4layers.net, 1 +groupama.hu, 1 +groupama.sk, 1 +groupamadirekt.hu, 1 +groupdcc.com, 1 +groupe-accedia.org, 1 +groupe-cassous.com, 1 +groupe-erige.com, 1 +groupe-goddi.com, 1 +groupe-neurologique-nord.lu, 0 +groupeaccedia.biz, 1 +groupeaccedia.com, 1 +groupeaccedia.fr, 1 +groupeaccedia.info, 1 +groupeaccedia.net, 1 +groupeaccedia.org, 1 +groupeconseilera.com, 1 +groupekabowd.com, 1 +groupeleven.com, 1 +groupeonepoint.com, 1 +groupeperrier.com, 1 +grouperacinecotedesbar.fr, 1 +groupescr.fr, 0 +groupghistelinck-cars.be, 1 +groupkoufopoulou.gr, 1 +groupleavingcards.com, 1 +groupmallers.ga, 1 +groupmallest.ga, 1 +groupme.com, 1 +groupouts.com, 1 +grouppassers.ga, 1 +groups.google.com, 1 +groupsgyani.com, 1 +groupsh.ca, 1 +groupsite.blue, 1 +groupx.tk, 1 +groutandseal.co.nz, 1 +grove-archiv.de, 1 +grovecity.cf, 1 +grovecity.ga, 1 +grovecity.gq, 1 +grovecity.ml, 1 +grovecrypto.com, 1 +grovefinancialgroup.com.au, 1 +groveland.place, 1 +grovelandmi.gov, 1 +grovesales.co.uk, 1 +growatiopex.com, 1 +growblocks.com, 1 +growbydata.com, 1 +growbyrabbit.com, 1 +growebmarketing.com, 0 +growers.social, 1 +growery.com, 1 +growery.net, 1 +growery.org, 1 +growidentity.com, 1 +growingallthings.co.uk, 1 +growinghumankindness.com, 1 +growingsearch.com, 1 +growitsecure.com, 1 +growledlamp.fr, 1 +growledlamp.it, 0 +growme.gq, 1 +growth-rocket.com, 1 +growth.design, 1 +growthagent.com, 1 +growthandrenewal.ca, 1 +growthinbusiness.com, 1 +growthlab.com.my, 1 +growthlytics.co.uk, 1 +growthoutpatient.com, 1 +growthseedconsulting.com, 1 +growthservicesinc.com, 1 +growthsimulationest.ga, 1 +growthtoysers.ga, 1 +growthtoysest.ga, 1 +growy.ch, 0 +grozdanov.tk, 1 +grozter.se, 1 +grpformations.cloud, 1 +grplusbd.cf, 1 +grsecurity.net, 1 +grsglaciere13.asso.fr, 1 +grtc.today, 1 +grthomes.com, 1 +grtmmail.com, 1 +grtp02.com, 1 +gruaskmsa.cl, 1 +gruasllanos.cl, 1 +gruber-software.com, 0 +gruble.de, 1 +gruca.com.br, 1 +gruebebraeu.ch, 1 +grueberstein.de, 1 +gruelang.org, 1 +gruenderlehrstuhl.de, 1 +gruene-im-rvr.de, 1 +gruene-linde-schwimmen.tk, 1 +gruene-wattenscheid.de, 1 +gruener-salon-bochum.de, 1 +gruenerpass.co.at, 1 +gruenes-wp.de, 1 +gruenhagenlaw.com, 1 +gruenprint.de, 1 +gruenwedels-restaurant.de, 1 +gruenwedels.de, 1 +gruhn.email, 1 +grummittgroundworks.co.uk, 1 +grumpie.tk, 1 +grumpy.fr, 1 +grumpygamers.com, 1 +grumpyguy.ga, 1 +grundig.co.uk, 1 +grundlage.fi, 1 +grundschulratgeber.de, 1 +grundskoleboken.ga, 1 +grundskoleboken.gq, 1 +grundskoleboken.tk, 1 +grundycountyil.gov, 1 +grundycountyiowa.gov, 1 +grunion.tk, 1 +grunlab.net, 1 +grunttoziemia.pl, 1 +grunwaldzki.center, 1 +grunwasser.fr, 1 +grupatvogzivota.tk, 1 +grupdedansa.tk, 1 +gruphepsi.tk, 1 +grupo-famia.tk, 1 +grupo-zoom.com, 1 +grupoalv.com, 1 +grupoandrey.com.mx, 1 +grupoauxteclic.com, 1 +grupobit.net, 1 +grupocata.com, 1 +grupocb.com.br, 1 +grupodcasa.tk, 1 +grupodecoroinhaspnsa.tk, 1 +grupodepasajeros.tk, 1 +grupodes.com.br, 1 +grupoeitb.eus, 1 +grupoellatu.tk, 1 +grupoenelcolombia.com, 1 +grupoenergiabogota.com, 1 +grupoentregas.com, 1 +grupoeurodesign.com, 1 +grupofarmavip.pt, 1 +grupoharbour.com, 1 +grupoice.com, 1 +grupoimb.pt, 1 +grupoiwana.tk, 1 +grupolegalsgf.com, 1 +grupomacroex.com, 1 +grupomanquecura.tk, 1 +grupomedlegal.com, 1 +grupomonti.com.ar, 1 +grupomwr.com, 1 +grupoparco.com, 1 +grupoproabienesraices.com.mx, 1 +grupos.cf, 1 +gruposanjose.tk, 1 +gruposiit.com.mx, 1 +gruposousa.pt, 1 +grupovendap.com, 1 +grupovisabeira.com, 0 +gruppa.ml, 1 +gruppa.net, 1 +gruppakolibri.ml, 1 +gruppe-casablanca.tk, 1 +grupposanmarco.eu, 1 +grupposiciliaviola.tk, 1 +gruppotac.com, 1 +grurez.com, 1 +gruta.website, 1 +gruveo.com, 1 +gruver.de, 1 +gruwa.net, 1 +gruz0.ru, 1 +gruzchiki.ml, 1 +gruzchiki74.tk, 1 +gruzinfo.tk, 1 +gruzmt.ru, 1 +gruzoperevozki.ml, 1 +gruzoperevozki.tk, 1 +grwebdesigns.gr, 1 +gryffin.ga, 1 +gryffin.ml, 1 +gryffin.tk, 1 +gryphzia.cf, 1 +gryte.tk, 1 +grytics.com, 1 +grzegorzchomutowski.pl, 1 +grzesiak.com, 1 +gs-pflege.de, 1 +gs-schlossberg.de, 1 +gs93.de, 1 +gsa-online.de, 1 +gsa.gov, 1 +gsaadvantage.gov, 1 +gsaauctions.gov, 1 +gsafleet.gov, 1 +gsaj114.net, 1 +gsatest2.gov, 1 +gsaxcess.gov, 1 +gscgh.com, 1 +gscloud.xyz, 1 +gscpaudit.org.uk, 1 +gsd.id, 1 +gsded.com, 1 +gse.space, 1 +gservera.com, 1 +gsfreak.pt, 1 +gshoes.bg, 1 +gsilva.org, 1 +gsimagebank.co.uk, 1 +gsiw.be, 1 +gsiw.gent, 1 +gslabnet.org, 1 +gslate.com, 0 +gsm-info.tk, 1 +gsmbrick.com, 1 +gsmkungen.com, 1 +gsmmedia.tk, 1 +gsmpreview.com, 1 +gsmsale.nl, 1 +gsmtool.tk, 1 +gsmvermist.tk, 1 +gsp.com, 1 +gspcreations.com, 1 +gspilar.tk, 1 +gsrc.io, 1 +gst.name, 1 +gst.priv.at, 1 +gstackrankers.com, 1 +gstehlik.com, 1 +gstrans.bg, 1 +gt-himmel.com, 1 +gta-arabs.com, 1 +gta5redux.com, 1 +gtacoop.com, 1 +gtacty.co, 1 +gtaforum.nl, 1 +gtagames.nl, 1 +gtalenders.ca, 1 +gtanalytics.com, 1 +gtapg.net, 1 +gtb-nsn.gov, 1 +gtbeyes.com, 1 +gtbgames.com, 1 +gtbprivacy.com, 1 +gtc.com.gt, 0 +gtcountymi.gov, 1 +gtcprojects.com, 1 +gtd.cloud, 1 +gtdnordic.fi, 1 +gtek.com.br, 1 +gtgcloudservices.com, 1 +gti.cx, 1 +gtk-tim.ru, 1 +gtlaun.ch, 0 +gtlcenter.org, 1 +gtld.fyi, 1 +gtm-server.com, 1 +gtmetrix.com, 1 +gtmhub.com, 1 +gtn-pravda.ru, 1 +gtonline.ml, 1 +gtopala.com, 1 +gtopala.net, 1 +gtreasury.com, 1 +gtrwebdesign.nl, 0 +gts-tradgard.se, 1 +gts-varmepumpar.se, 1 +gtsb.io, 1 +gtsoftware.gr, 1 +gtupgrade.eu, 1 +gtx970settlement.com, 1 +gtxmail.de, 1 +gtxthere.tk, 1 +gtzq.com, 1 +gu153gx.uk, 1 +guadagnare.info, 1 +guadagnosicuro.tk, 1 +guadalinfoconlaroja.tk, 1 +guadaluperoses.co, 1 +guadalupetx.gov, 1 +guajars.cl, 1 +guamcourts.gov, 1 +guanggaonet.com, 1 +guangjiangk.com, 1 +guannan.net.cn, 0 +guanzhong.ca, 1 +guapcoinswap.finance, 1 +guapi.ml, 1 +guaranteedexchangeers.ga, 1 +guaranteedexchangeest.ga, 1 +guaranteedfitdanceshoes.com, 1 +guaranteedfittangoshoes.com, 1 +guardando.tk, 1 +guardedbox.com, 1 +guardedbox.es, 1 +guarderiajackson.tk, 1 +guardiabermellon.tk, 1 +guardian-codex.tk, 1 +guardian-heliotrope.tk, 1 +guardian360.nl, 1 +guardianangelportraits.com, 1 +guardiancodewebservices.com, 1 +guardianerm.net, 1 +guardiapretoriana.tk, 1 +guarever.tk, 1 +guarrato.tk, 1 +guategmala.ga, 1 +guateradio.tk, 1 +guatzessen.at, 1 +guayaquil-consort.tk, 1 +gubagoo.com, 1 +gubagoo.io, 1 +gubea.org, 0 +gubernia37.ml, 1 +gubka.ga, 1 +gudaman.com, 1 +gudangpangan.id, 1 +gudbrand.no, 1 +guddaff.de, 1 +gudini.net, 1 +gudostudio.tk, 1 +gudrun.ml, 1 +gudrun.tk, 1 +gudrunsleiter.it, 1 +gueckgueck.tk, 1 +guegan.de, 1 +guejarsierra.tk, 1 +guelo.ch, 1 +guelphhydropool.com, 1 +guendra.dedyn.io, 1 +guenstiger-it-support.ch, 1 +guenstigparken.de, 1 +guenther-freitag.tk, 1 +guenthereder.at, 1 +guerard.info, 1 +guercioarchitecture.com, 1 +guerillastocktrading.com, 1 +guernica1913.tk, 1 +guernseycounty.gov, 1 +guerra-civil.tk, 1 +guerra24.net, 1 +guerracivilencaceres.tk, 1 +guerrasgalacticas.tk, 1 +guerrilla-marketing.cf, 1 +guerrillaradio.tk, 1 +guerrillas.tk, 1 +guesclin.com, 1 +guessmatch.com, 1 +guestandmore.de, 1 +guestby.tk, 1 +guesthouse-namaste.com, 1 +guesthouse.tk, 1 +guestnetscript.tk, 1 +guestofhonor.tk, 1 +gueules-cassees.asso.fr, 1 +guevener.de, 1 +gufen.ga, 1 +gufen.gq, 1 +guffr.it, 1 +gufolev.tk, 1 +gugaalves.net, 1 +gugaltika-ipb.org, 0 +gugcstudentguild.com.au, 0 +guge.ch, 1 +gugert.net, 1 +gugli3d.com, 1 +gugs.tk, 1 +gugu-game.tk, 1 +gugucnn.tk, 1 +gugumu.com, 1 +guhei.net, 1 +guhenry3.tk, 1 +guiabroker.com, 1 +guiacg.com, 0 +guiaextra.com, 1 +guiahotelera.com.co, 1 +guiajunqueiropolis.com.br, 1 +guialegal.co, 1 +guiaminhasaude.net, 1 +guiaprofesional.co, 1 +guiarestobar.com.co, 1 +guiascliente.com, 1 +guiasdemexico.tk, 1 +guiasescapate.tk, 1 +guiasuteis.com.br, 1 +guiatelefone.com, 1 +guiaturismovallarta.com, 1 +guiaturisticanuevayork.com, 1 +guid2steamid.com, 1 +guid2steamid.pw, 1 +guidaditalia.com, 1 +guiddy.fr, 1 +guide-ecole.ch, 1 +guide-peche-cantal.com, 0 +guide-voyage.ga, 1 +guidebook.co.tz, 1 +guidecbd.fr, 1 +guidechecking.com, 1 +guidedchoice.com, 1 +guidedesventes.fr, 1 +guidedogs.org.uk, 1 +guidedselling.net, 1 +guidedsteps.com, 0 +guidegr.com, 1 +guidehouseinsights.com, 1 +guideline-pro.com, 1 +guideline.com, 1 +guideline.gov, 1 +guideline.io, 1 +guidelines.gov, 1 +guidemaroc.tk, 1 +guideo.ch, 0 +guidepointsecurity.com, 1 +guideposts.org, 0 +guides-peche64.com, 1 +guidesacademe.com, 1 +guidesiracusa.tk, 1 +guidesorbetiere.com, 1 +guidethailande.tk, 1 +guidetourism.tk, 1 +guidoclub.fr, 1 +guidopedia.ga, 1 +guikemarijwielhandel.nl, 1 +guild.xyz, 1 +guilded.gg, 1 +guildgearscore.cf, 1 +guildnet.tk, 1 +guilfordct.gov, 1 +guilfordvt.gov, 1 +guillaume-briand.fr, 1 +guillaumecote.me, 1 +guillaumematheron.fr, 1 +guillaumesworld.com, 1 +guille.tk, 1 +guillemagullo.tk, 1 +guillembosch.es, 1 +guillen.tk, 1 +guillouf.com, 1 +guillouxinformatique.fr, 1 +guiltyfox.ca, 1 +guiltyfox.com, 1 +guim.co.uk, 1 +guinaliu.tk, 1 +guineapig101.com, 1 +guineapigmustach.es, 1 +guinel-johnson.fr, 1 +guinguetteclovis.com, 1 +guirossler.com.br, 1 +guise.tk, 1 +guitar-strings-online.tk, 1 +guitarangel.tk, 1 +guitards.tk, 1 +guitare-rumba-congolaise-school.com, 1 +guitarefacile.tk, 1 +guitarfreak.tk, 1 +guitarraclasica.tk, 1 +guitarreria.tk, 1 +guitarristaluisquintero.com, 1 +guitarristas.info, 1 +guitartrader.international, 1 +gujarat.tk, 1 +gujinfo.com, 1 +gujun-sky.com, 1 +guki.me, 1 +gulabovski.ga, 1 +gulchuk.com, 1 +gulcinulutuna.com, 1 +guldhaug.org, 1 +guldkorn.dk, 1 +gule.loan, 1 +gulenbase.no, 1 +gulfcoastwaterauthoritytx.gov, 1 +gulfstream.ru, 0 +gulfvestors.com, 1 +gulizaroztemel.av.tr, 1 +gulkhannasir.tk, 1 +gulliversfun.co.uk, 1 +gulliwer.tk, 1 +gulllakeview.com, 1 +gulphora.tk, 1 +gulsot.tk, 1 +guma.cf, 1 +guma.ml, 1 +gumag.tk, 1 +gumbles.tk, 1 +gumbo-millennium.nl, 1 +gumbo.gq, 1 +gumbo.nu, 1 +gumeyamall.jp, 1 +gumi.ca, 1 +gummibande.noip.me, 0 +gummientchen.net, 1 +gumtree.ie, 1 +gumtreecs.com.au, 1 +gun-room.com, 1 +gunarchive.com, 1 +gunauc.net, 1 +gunbot.com, 1 +gunbrig.com, 0 +gundemguncel.tk, 1 +gunerds.com.br, 1 +gunfighterj.com, 1 +gunhunter.com, 1 +guninstructionsers.ga, 1 +guninstructionsest.ga, 1 +gunisifiyatlari.com, 1 +gunlaketribe-nsn.gov, 1 +gunlube.science, 1 +gunners.cf, 1 +gunnlawfirm.com, 1 +gunstatus.net, 1 +gunturnovizal.tk, 1 +gununsesi.info, 1 +gununsesi.org, 1 +gununsesiaz.info, 1 +gunvaluesboard.com, 1 +gunwatch.co.uk, 1 +gunworld.com.au, 1 +gunz.net, 1 +gunziefolleto.tk, 1 +gunzreplays.com, 1 +guochang.fun, 1 +guochanren.com, 1 +guoda.art, 1 +guogetv.com, 1 +guoke.com, 1 +guolaoban.xyz, 1 +guolaw.ca, 1 +guomai.com, 1 +guozeyu.com, 1 +gura.moe, 1 +gurbetilan.com, 1 +gurges.xyz, 1 +guri.ml, 1 +gurl.eu.org, 1 +gurleyal.gov, 1 +gurmel.ru, 1 +gurselcetin.com, 1 +gurty.tk, 1 +guru-naradi.cz, 1 +guruakuntansi.co.id, 1 +guruarchive.com, 1 +gurucomi.com, 1 +gurufox.ai, 1 +gurugamer.com, 1 +gurumobile.tk, 1 +gurunanakdarvar.tk, 1 +gurunanakhospitals.com, 1 +gurunpa.com, 1 +gururi.com, 1 +gurutraveltraining.com, 1 +guruworld.tk, 1 +gus.moe, 1 +gusar.by, 1 +gusli.net, 1 +guso.gq, 1 +gust.edu.kw, 0 +gust.org.pl, 1 +gustaff.de, 1 +gustarfsberg.cf, 1 +gustarfsberg.ga, 1 +gustarfsberg.gq, 1 +gustarfsberg.tk, 1 +gustavapp.com, 1 +gustaveeiffel-arruda.pt, 1 +gustavo-lima.ml, 1 +gustavoleiloeiro.lel.br, 1 +gustavomolina.com, 1 +gustavopalitos.com.br, 0 +gustavovelasco.ml, 1 +gustavscelmins.tk, 1 +gustaw.net.pl, 1 +gusted.xyz, 1 +gustiaux.com, 0 +gustimaulan.com, 1 +gusto.com, 1 +gustom.io, 0 +gusuraman.tk, 1 +gutegutscheine.at, 1 +gutegutscheine.ch, 1 +gutegutscheine.de, 1 +gutenburger-marburg.de, 1 +gutendag.ga, 1 +gutetexte.tk, 1 +guthabenkarten-billiger.de, 1 +gutieli.com, 1 +gutierrezvidal.tk, 1 +gutmeister.ch, 1 +gutools.co.uk, 1 +guts.moe, 1 +gutscasino.ml, 1 +gutschein-spezialist.de, 1 +gutscheineplus.de, 1 +gutscheingeiz.de, 1 +gutscheinpony.de, 1 +gutstein.ch, 1 +gutterbus.com, 1 +gutterdogs.com, 1 +gutterguardcharlotte.com, 1 +gutterguardsystems.com, 1 +guttergurugeelong.com.au, 1 +guttermaster.co.uk, 1 +gutterpupper.com, 1 +guttershutter.biz, 1 +guttertex.com, 1 +gutuia.blue, 1 +guug.ml, 1 +guus-thijssen.nl, 1 +guvernalternativa.ro, 1 +guwowo.com, 1 +guyeskens.be, 1 +guykokken.tk, 1 +guymenje.com, 1 +guypearce.co.uk, 1 +guyretreaters.ga, 1 +guyretreatest.ga, 1 +guys-reviews.ml, 1 +guysauto.com, 1 +guysroulette.com, 1 +guytarrant.co.uk, 1 +guzdek.co, 1 +guzelforum.tk, 1 +guzelkadinlar.tk, 1 +guzellikmerkezleri.tk, 1 +guzelresim.tk, 1 +guzelsozlerim.tk, 1 +guzelvideo.tk, 1 +guzemarkets.com, 1 +guzey.me, 1 +guzgu.me, 1 +guzlewski.pl, 1 +guzmansgreenhouse.com, 1 +gv-kirchberg.ch, 1 +gv-neumann.de, 1 +gv-salto.nl, 1 +gvaa.nl, 1 +gvatas.in, 1 +gvc-it.tk, 1 +gvchannel.xyz, 1 +gvdn.cz, 1 +gveh.de, 1 +gvenglish.com, 1 +gvh.hu, 1 +gvip.xyz, 0 +gvitebsk.cf, 1 +gvobgyn.ca, 1 +gvoetbaldagenalcides.nl, 1 +gvoh-ny.gov, 1 +gvt2.com, 1 +gvt3.com, 1 +gvvsicilia.tk, 1 +gvwgroup.cloud, 1 +gvwgroup.com, 1 +gvwparts.com, 1 +gw-uks-app-test-coreapi-02.azurewebsites.net, 1 +gw.fi, 1 +gw.lu, 1 +gw2.me, 1 +gw2efficiency.com, 1 +gw2treasures.com, 1 +gw66.cc, 0 +gwbet99.cc, 1 +gwennyeeckels.com, 1 +gwenolakaigre.tk, 1 +gwerder.net, 1 +gwg-march.ch, 1 +gwiazdowapark.pl, 1 +gwinnettcounty.gov, 1 +gwinteriors.com.au, 1 +gwmean.tk, 1 +gwnmarketing.com, 1 +gwo24.pl, 1 +gworld.cf, 1 +gwrr.com, 1 +gwrtech.com, 1 +gwy15.com, 1 +gwynfryncottages.com, 1 +gxdesign.tk, 1 +gxgx.org, 1 +gxm5.com, 1 +gxmyqy.net, 1 +gyaanprasaar.tk, 1 +gyanchowk.com, 1 +gyannews.ga, 1 +gyas.nl, 1 +gybagardlin.tk, 1 +gycis.me, 1 +gyefund.com, 1 +gyefund.org, 1 +gyertyalang.hu, 1 +gyjbyev.ga, 1 +gyllander.tk, 1 +gylly.net, 1 +gyllyngvase.com, 1 +gymagine.ch, 1 +gymbase.ml, 1 +gymbunny.de, 1 +gymguyzclearwater.com, 1 +gymguyzstpete.com, 1 +gymguyztampa.com, 1 +gymhero.me, 1 +gymjokesers.ga, 1 +gymjokesest.ga, 1 +gymkirchenfeld.ch, 1 +gymnaserenens.ch, 0 +gymnasium-farmsen.de, 1 +gymnasium-hittfeld.de, 1 +gymnasium56.tk, 1 +gymnastic.cf, 1 +gymnastic.ga, 1 +gymnastic.gq, 1 +gymnastic.ml, 1 +gymnastic.tk, 1 +gymnasticbodies.com, 1 +gymnastikfitness.se, 1 +gymnchod.cz, 1 +gymonlondon.com, 1 +gympap.de, 1 +gympass.com, 1 +gymvilla.nl, 1 +gynaecology.co, 1 +gynaeinfertility.com.sg, 1 +gynaemd.com.sg, 1 +gynaemdclementi.com.sg, 1 +gynaeovariancyst.com.sg, 1 +gynas.co.uk, 1 +gyongyosi.ga, 1 +gyoriedes.hu, 1 +gyoza.beer, 1 +gypsiebylouise.com, 1 +gypso-sendai.com, 1 +gypsybloom.co.uk, 1 +gypsymama.cz, 1 +gypsyreel.com, 1 +gyre.ch, 0 +gyrenens.ch, 0 +gyroscopicinvesting.com, 1 +gyrusclinic.com, 0 +gyu-raku.jp, 1 +gyx.one, 1 +gyy.me, 1 +gz-architekten.de, 1 +gz-benz.com, 1 +gz-bmw.com, 1 +gzitech.com, 1 +gzitech.net, 1 +gzitech.org, 1 +gzlivre.org, 1 +gzom.ru, 1 +gzonemu.ga, 1 +gztelli.ch, 1 +h-advisors.global, 1 +h-e-a-t.com, 1 +h-gac.gov, 1 +h-gen.to, 1 +h-jo.net, 1 +h-maxton.de, 1 +h-node.org, 1 +h-server.myfirewall.org, 1 +h-var.com, 1 +h.fo, 1 +h001.ru, 0 +h07.cn, 1 +h09.eu, 1 +h0r.st, 1 +h0stb3rry.org, 1 +h0u5er.com, 1 +h10l.com, 1 +h10s.net, 1 +h11.io, 1 +h11.moe, 1 +h1b.tech, 1 +h1ctf.com, 1 +h1z1swap.com, 1 +h2.com.sg, 1 +h2020faros.eu, 1 +h24.org, 1 +h2b.cz, 1 +h2cclipboard.com, 1 +h2cdn.cloud, 1 +h2gonc.gov, 1 +h2hc.email, 1 +h2ole.com, 1 +h2omusic.tk, 1 +h2ox.io, 1 +h2rul.eu, 1 +h2u.tv, 1 +h36533.com, 1 +h3artbl33d.nl, 1 +h3x.jp, 0 +h3z.jp, 1 +h51365.com, 1 +h5197.co, 1 +h5q.net, 1 +h6729.co, 1 +h6729.com, 1 +h6957.co, 1 +h6p.de, 1 +h82365.com, 1 +h8p.de, 1 +h9297.co, 1 +h9728.co, 1 +h9j.com.br, 1 +ha-kunamatata.de, 1 +ha.com, 1 +ha2hva1n.com, 1 +ha3.eu, 1 +ha34.com, 1 +ha6.ru, 1 +haagsebubbel.tk, 1 +haakonbecker.de, 1 +haakonhaug.com, 1 +haaldesignpro.com, 1 +haancommunity.cf, 1 +haaog.com, 1 +haar-trifft-medizin.de, 1 +haar.gq, 1 +haarbosch.net, 1 +haarigerrattenarsch.com, 1 +haarlemsesaxofoonschool.nl, 1 +haartrifftmedizin.de, 1 +haas.co.uk, 1 +haasonline.tk, 1 +haavard.me, 1 +hab.dynu.net, 1 +habahaba.tk, 1 +habarimail.com, 1 +habarisoft.com, 1 +habarovsk.ml, 1 +habbixed.tk, 1 +habbocore.tk, 1 +habboinside.tk, 1 +habbolibres.tk, 1 +habbstars.org, 1 +habbzohotel.tk, 1 +habedieeh.re, 1 +habeeba.tk, 1 +habenafilm.cz, 1 +habercininyeri.com, 1 +haberer.me, 1 +haberizma.com, 1 +haberlandconsulting.com, 1 +haberlanddesign.com, 1 +haberlanddigital.com, 1 +haberlandgroup.com, 1 +haberlandpartners.com, 1 +haberlandpodcasts.com, 1 +haberledik.com, 1 +habermatik.net, 1 +habermatik.tk, 1 +habernet.tk, 1 +habersitesikur.tk, 1 +haberton.com, 1 +habesha.bet, 1 +habibi-fit.com, 1 +habibifit.com, 1 +habilcondominios.com.br, 1 +habitable.ga, 1 +habitat-domotique.fr, 1 +habitatberks.org, 1 +habitiss.be, 1 +hable.kr, 1 +hablemosdenutricion.com, 1 +habnubis.es, 1 +habr.ee, 1 +habra-adm.ru, 1 +habrastorage.org, 1 +habsmack.tk, 1 +habtium.es, 1 +hac2er.net, 1 +hacc.top, 1 +haccp.bergamo.it, 1 +haccp.milano.it, 1 +haccp.roma.it, 1 +hacertest.com, 1 +hachette-collections.com, 1 +hachettepartworks.com, 1 +hachimijiogan.info, 1 +hachre.de, 0 +hacifadilogullari.com.tr, 1 +hacihusrevyikim.tk, 1 +hack-bang.com, 1 +hack-forum.ml, 1 +hack-net.gq, 1 +hack.fi, 1 +hackablestuff.cf, 1 +hackadena.com, 1 +hackamac.tk, 1 +hackathonjr.tw, 1 +hackathontwjr.ml, 0 +hackatruck.com.br, 1 +hackattack.com, 1 +hackbarth.guru, 1 +hackbeil.name, 1 +hackbubble.me, 1 +hackcess.net, 1 +hackclubmauritius.nl, 1 +hackcraft.net, 1 +hackdown.eu.org, 1 +hackdown.tech, 1 +hackdra.com, 1 +hackdra.io, 1 +hackeado.tk, 1 +hacked.com, 1 +hackedaf.com, 1 +hackedthe.net, 1 +hackendoz.com, 1 +hackengine.ga, 1 +hackenkunjeleren.nl, 1 +hackenturet.dk, 1 +hacker.deals, 1 +hacker.holiday, 1 +hacker.im, 1 +hacker.one, 1 +hacker1.com, 1 +hacker101.com, 1 +hacker8.cn, 0 +hackercommunity.org, 1 +hackerfa.tk, 1 +hackerflare.com, 1 +hackerforums.tk, 1 +hackergateway.com, 1 +hackerhotel.nl, 1 +hackerinfo.ml, 1 +hackerman.nu, 1 +hackernews.ddns.net, 1 +hackernewsuk.cf, 1 +hackernoon.com, 0 +hackerone-ext-content.com, 1 +hackerone-user-content.com, 1 +hackerone.at, 1 +hackerone.blog, 1 +hackerone.com, 1 +hackerone.events, 1 +hackerone.live, 1 +hackerone.net, 1 +hackerone.org, 1 +hackeronte.tk, 1 +hackers-networks.tk, 1 +hackersclothing.com, 1 +hackerspace.rocks, 1 +hackerstory.tk, 1 +hackersw0rld.tk, 1 +hackerzbug.tk, 1 +hackettrecipes.com, 1 +hackforgood.com, 1 +hackgunny.tk, 1 +hackhouse.sh, 1 +hackingand.coffee, 0 +hackingdh.com, 1 +hackingdumpdrive.org, 1 +hackingfever.tk, 1 +hackingondemand.com, 1 +hackingwithswift.com, 1 +hackintosh.eu, 1 +hackintosh.social, 1 +hackmd.io, 1 +hackmeifyoucan.site, 1 +hacknet-bar.cn, 1 +hackney.tk, 1 +hackops.tk, 1 +hackreone.com, 1 +hackrepreneur.com, 1 +hackrigs.com, 1 +hacksecu.re, 1 +hacksoc.co.uk, 1 +hackthat.tk, 1 +hackthehacker.ml, 1 +hackthissite.org, 1 +hacktivis.me, 1 +hacktivitycon.com, 1 +hacktober.dk, 1 +hackworx.com, 0 +hackyourfaceoff.com, 1 +hackzogtum-coburg.de, 1 +hacp.gov, 1 +hadaly.fr, 1 +hadassah.moscow, 1 +haddos.tk, 1 +haderecker.me, 1 +hadesblack.com, 1 +hadetlachapelle.com, 1 +hadibut.fr, 1 +hadika.tk, 1 +hadin.tk, 1 +hadleyluker.com, 1 +hadoora.hu, 1 +hadopi.fr, 1 +hadotifpc.in, 1 +hadouk.in, 1 +hadouken.tk, 1 +hadoverde.com, 1 +hadrons.org, 1 +hadudonura.tk, 1 +hady.boutique, 1 +hady.fr, 1 +haefligermedia.ch, 1 +haegele.consulting, 1 +haehnel.xyz, 1 +haehnlein.at, 1 +haemka.de, 1 +haemmerle.net, 1 +haemonetics.com, 1 +haens.li, 1 +haerwu.biz, 1 +hafcareclinic.com, 1 +haferman.net, 1 +haferman.org, 1 +haffen.com, 1 +hafizkadir.tk, 1 +hafling.net, 1 +haflingers.tk, 1 +hafniatimes.com, 1 +hag27.com, 1 +hagalaz-design.de, 1 +hagbergmedia.se, 1 +hagen-bauer.de, 0 +hagenkleinert.de, 1 +haggisofnorway.tk, 1 +hagiati.gr, 1 +hagix.tk, 1 +hagleitner.com, 1 +hagoyvivo.com, 1 +hagskold.se, 1 +hagtingius.nl, 1 +haguichi.net, 1 +haha-raku.com, 1 +haha.moe, 1 +haha.nl, 0 +hahahahaha.cf, 1 +hahapo.com, 1 +hahn-trafo.com, 1 +haiawan.de, 1 +haiboxu.com, 1 +haichuang.com, 1 +haiduc.tk, 1 +haifaworld.tk, 1 +haifengz.com, 0 +haigle.com, 1 +haileyuantoy.com, 0 +hails.info, 1 +hailstorm.nl, 1 +hailstormproject.tk, 1 +haimablog.ooo, 1 +hainanstar.cc, 1 +haineshilton.com, 1 +hair-care-guide.com, 1 +hair-carekit.tk, 1 +hair-dressing.tk, 1 +hair-extension.tk, 1 +hair-extensions.tk, 1 +hairbrushes.tk, 1 +haircareblog.tk, 1 +haircarebrazil.com, 1 +haircareology.com, 1 +haircode.gr, 1 +hairconventioners.ga, 1 +hairconventionest.ga, 1 +haircrazy.com, 1 +haircutideas.gq, 1 +hairdrezzersonfire.com, 1 +hairextensionjakarta.com, 1 +hairextensionsaustralia.tk, 1 +hairextensionshop.tk, 1 +hairextensionstore.tk, 1 +hairextensionsuk.tk, 1 +hairfitwolvega.nl, 1 +hairgrowth.cf, 1 +hairgrowth.gq, 1 +hairgrowth.ml, 1 +hairhardstyle.tk, 1 +hairhumanextensions.tk, 1 +hairlossadvice.tk, 1 +hairlossandscalpclinic.co.uk, 1 +hairmitage.pl, 0 +hairphoto.tk, 1 +hairpins.tk, 1 +hairsalon-wish.com, 1 +hairstyles-salon.tk, 1 +hairyfilm.com, 1 +hairymilfpics.com, 1 +hairypussyvideos.net, 1 +hairyteenpics.com, 1 +hairytouch.com, 1 +hairytube.tv, 1 +hairywomen.tv, 1 +hairywomenpics.com, 1 +haislipcorp.com, 1 +haitaka.cc, 1 +haitang.com, 1 +haitangsoshu.com, 1 +haitangsoushu.com, 1 +haititan.com, 1 +haititransfert.com, 1 +haitou.tk, 1 +haitrieu.com, 1 +haixihui.cn, 1 +haixingyun.com, 1 +haizs.com, 1 +haizs.net, 1 +haizum.pro, 1 +hajekdavid.cz, 1 +hajekj.cz, 1 +hajnzic.at, 1 +hak-lab.com, 1 +hak-zona.tk, 1 +hak.edu.ee, 1 +haka.se, 1 +hakama-sendai.com, 1 +hakanpeker.tk, 1 +hakaru.org, 1 +hakase.pw, 1 +hakasia.tk, 1 +hakatemia.fi, 0 +hake.me, 1 +haker24.tk, 1 +hakerzona.tk, 1 +hakiminvestment.com, 1 +hakimova.tk, 1 +hakkarihaberi.tk, 1 +hakkarihaberleri.tk, 1 +hakkariradyo.tk, 1 +hakkasan.com, 1 +hakkasannightclub.com, 1 +hakon.lol, 1 +haku.vn, 1 +hakugin.me, 1 +hakurei.ga, 1 +hakurei.win, 1 +hal-9th.space, 1 +halacs.hu, 1 +halagroup.ml, 1 +halalbooking.com, 1 +halatik.com.ua, 1 +halbbit.eu, 1 +halberstadt.tk, 1 +halbich.design, 1 +halcraft.tk, 1 +halcyon-scion.com, 1 +halcyonsbastion.com, 1 +haleluyah-asuubabi.ga, 1 +halepetdoorsofaz.com, 1 +halescornerswi.gov, 1 +haleyandlucas.tk, 1 +half-logic.eu.org, 1 +half.ga, 1 +half.host, 1 +half.in.th, 1 +halfbeasters.ga, 1 +halfbeastest.ga, 1 +halfhosting.de, 1 +halfmba.com, 1 +halfords.com, 1 +halfords.ie, 0 +halfreal.tk, 1 +halgap.ga, 1 +haliava.tk, 1 +halic.tk, 1 +halifaxboropdpa.gov, 1 +halifaxma.gov, 1 +halifaxmoneyman.com, 1 +halifaxsailingclub.org.uk, 1 +halilova.ga, 1 +halilova.ml, 1 +halilova.tk, 1 +halilweb.tk, 1 +halilyagcioglu.tk, 1 +halimjr.com, 0 +halkakoop.com, 1 +halkbank.mk, 1 +halkegitimkurs.com, 1 +halkoyu.org, 1 +halkyon.net, 1 +hall1c.com, 1 +hallanalysis.com, 1 +hallcopainting.com, 1 +hallelujahsoftware.com, 1 +hallettxn.com, 1 +halli.tk, 1 +halliday.work, 1 +halligan.tk, 1 +hallighof.de, 1 +halligladen.de, 1 +hallmanmemorials.net, 1 +hallmarkbusiness.com, 1 +hallmarkestates.ca, 1 +halloffameapartments.com, 1 +hallofoddities.tk, 1 +hallofworlds.online, 1 +hallopstyling.com, 1 +halloway.tk, 1 +halloweencostumesideas101.com, 1 +halloweenmusic.org, 1 +hallspumpandwellservice.net, 1 +halltrends.tk, 1 +hallucineer.com, 1 +hallucinogen.com, 1 +hallucinogens.org, 1 +hallways.tk, 1 +halneff.ga, 1 +halo.fr, 1 +halocredit.pl, 0 +halogen.vip, 1 +halogenos.org, 1 +halongbaybackpackertour.com, 1 +haloobaloo.com, 1 +halopedia.org, 1 +haloperidol.cf, 1 +haloscenter.com, 1 +halovanic.org, 1 +halpin.tk, 1 +halseyor.gov, 1 +halt.org, 1 +halterner-tc.de, 1 +halukaka.net, 1 +halv.me, 1 +halvalla.tk, 1 +halyul.com, 1 +ham.community, 1 +hamacho-kyudo.com, 1 +hamali.bg, 1 +hamarimarriage.tk, 1 +hamartrophy.cf, 1 +hamasu.com, 1 +hamave.nl, 1 +hamburg40grad.de, 1 +hamburgcode.com, 1 +hamburgerbesteld.nl, 1 +hamburgerland.tk, 1 +hamburgobgyn.com, 1 +hamdenct.gov, 1 +hamdiscussions.com, 1 +hamedfans.tk, 1 +hamelneinfachonline.de, 0 +hamelnpsychotherapie.de, 1 +hamerslag.tk, 1 +hamgamweb.com, 1 +hamha.tk, 1 +hamibot.cn, 1 +hamibot.com, 1 +hamiltonatlnj.gov, 1 +hamiltoncountyil.gov, 1 +hamiltoncountyne.gov, 1 +hamiltone-clearance.co.uk, 1 +hamiltone.co.uk, 1 +hamiltonil.gov, 1 +hamiltonpdnj.gov, 1 +hamiltonsalestraining.com, 1 +hamiltonvotesfl.gov, 1 +hamiltonweather.ca, 1 +hamiltonzinelibrary.cf, 1 +hamiltonzinelibrary.ga, 1 +hamiltonzinelibrary.gq, 1 +hamiltonzinelibrary.ml, 1 +hamking.tk, 1 +hamkorbank.uz, 1 +hamletstudio.tk, 1 +hammacklawfirm.com, 1 +hammann-services.de, 1 +hammed.tk, 1 +hammer-schnaps.com, 1 +hammer-sms.com, 1 +hammercast.fm, 1 +hammered.tk, 1 +hammerhead.tk, 1 +hammernews.tk, 1 +hammerofdamnation.tk, 1 +hammerofthor-india.com, 1 +hammerstorm.ga, 1 +hamminga.nl, 1 +hammondwi.gov, 1 +hamoominim.tk, 1 +hamoup.com, 1 +hampelmd.com, 1 +hampl.tv, 1 +hampshiretechservices.co.uk, 1 +hamptonandrhodes.com, 1 +hamptonrhodes.com, 1 +hamptonroads.gov, 1 +hampus.lol, 1 +hampuskraft.com, 1 +hamsaranjavan.tk, 1 +hamsokhan.tk, 1 +hamsterchines.tk, 1 +hamsteriousgift.com, 1 +hamsternetwork.com, 1 +hamstersenanos.tk, 1 +hamsterworld.tk, 1 +hamsystems.eu, 1 +hamtwpfcoh.gov, 1 +hamwan.nl, 0 +hamzahamry.ga, 1 +han-nas.com, 1 +hana-groupsac.com, 1 +hana.ondemand.com, 1 +hanabi.fan, 0 +hanacademy.us, 1 +hanakaru.tk, 1 +hanako-health.com, 1 +hanako-health.de, 1 +hanakohealth.com, 1 +hanakohealth.de, 1 +hanakovydny.cz, 1 +hanan.cz, 1 +hanatan.net, 1 +hanazono.tokyo, 1 +hanbing.it, 1 +hancevillewateral.gov, 1 +hancockcountyia.gov, 1 +hancockcountyky.gov, 1 +hancockcountymaine.gov, 1 +hancockcountyohioelections.gov, 1 +hancockcountywv.gov, 1 +hancockin.gov, 1 +hancocklawfl.com, 1 +hand-made24.de, 1 +hand.community, 1 +hand2h.com, 1 +handballinside.de, 1 +handballmania.tk, 1 +handbrake.fr, 1 +handcity.com, 1 +handelsbanken.co.uk, 1 +handelsbanken.com, 1 +handelsbanken.dk, 1 +handelsbanken.fi, 1 +handelsbanken.no, 1 +handelsbanken.se, 1 +handheldsound.com, 1 +handhockeyers.ga, 1 +handhockeyest.ga, 1 +handicap-job.com, 1 +handicappingsportsers.ga, 1 +handicappingsportsest.ga, 1 +handicapzero.org, 1 +handicraftsman.tk, 1 +handicraftsmarble.com, 1 +handigehannie.nl, 1 +handleidingkwijt.com, 1 +handlekrypto.com, 1 +handles.tech, 1 +handlingcosters.ga, 1 +handlingcostest.ga, 1 +handlungsleitfaden.de, 1 +handmade-club.tk, 1 +handmade-workshop.de, 1 +handmadehechoamano.com, 1 +handmadeselling.com, 1 +handmadetutorials.ro, 1 +handphones.tk, 1 +handpiece.com, 1 +handpresso.com, 1 +hands.net, 1 +handsaccounting.com, 1 +handsender-express.com, 1 +handsome-samurai.jp, 1 +handsomeabel.tk, 1 +handsonscience.com.au, 1 +handstandstudio.ga, 1 +handsup.dance, 1 +handwerk-digital-steinfurt.de, 1 +handwerker4u.de, 1 +handwerkwebseiten.de, 0 +handy-fun.tk, 1 +handy-page.tk, 1 +handy.lc, 1 +handymanbibleers.ga, 1 +handymanbibleest.ga, 1 +handymanbypolli.com, 1 +handymanlondonplease.co.uk, 1 +handynummer-info.ch, 1 +handyoutdoorgoods.com, 1 +handyschaft.de, 1 +handysex.live, 1 +handyticket.de, 1 +hanfoot.tk, 1 +hanfox.co.uk, 0 +hanfverband-erfurt.de, 1 +hang333.moe, 1 +hangar4.es, 1 +hangarbox.de, 1 +hangardasaves.com.br, 1 +hangargeek.ml, 1 +hangcapnach.com, 1 +hangkei.com, 1 +hangout, 1 +hangouts.google.com, 1 +hangryum.com, 1 +hangtenseo.com, 1 +hangw.xyz, 1 +hanhardt.org, 1 +hanhtrinhxanh.org, 1 +haniasitek.com, 1 +haniha.com, 1 +hanisirfan.cf, 1 +hanjl.com, 0 +hanjuapp.com, 1 +hanke.se, 1 +hankoreas.com, 1 +hankr.com, 1 +hanksservice.com, 1 +hanky2.com, 1 +hanlonconcrete.com, 1 +hanmandalu.com, 1 +hanmandao.com, 1 +hanmandaohang.com, 1 +hanmangu.com, 1 +hanmanlou.com, 1 +hanmanshijie.com, 1 +hanmanxia.com, 1 +hanming.li, 1 +hanmofu.life, 0 +hannaandersson.com, 1 +hannagroup.ca, 1 +hannah.link, 1 +hannahbarrettyoga.com, 1 +hannaljungberg.tk, 1 +hannehovi.fi, 1 +hannekroencke.com, 1 +hannes.paris, 1 +hannit.de, 1 +hannoluteijn.nl, 1 +hannover-96.tk, 1 +hannover-reisen.tk, 1 +hannywbarek.com, 1 +hanoibuffet.com, 1 +hanoicapital-tanvn.tk, 1 +hanomag-tractors.tk, 1 +hanpenblog.com, 1 +hanrobado.com, 1 +hansa-flex.com.ua, 1 +hansa.org.ru, 1 +hansahome.ddns.net, 1 +hansanders.nl, 1 +hansashop.eu, 0 +hansashop.fi, 0 +hansbruis.tk, 1 +hanschventures.com, 1 +hansee.com, 1 +hansen-kronshagen.de, 1 +hansen.hn, 1 +hansgoes.it, 1 +hansgoes.nl, 1 +hansgoesit.nl, 1 +hanshosting.nl, 1 +hanshow.com, 1 +hansinternational.com.au, 1 +hansklok.tk, 1 +hansminten.com, 1 +hansmund.com, 1 +hansmunt.nl, 1 +hansolrella.com, 1 +hansonian.com, 1 +hanspaulske-cteni.tk, 1 +hanspetersteiger.ch, 1 +hansvaneijsden.com, 1 +hansvaneijsden.nl, 1 +hant.se, 1 +hantera.fi, 1 +hantse.com, 0 +hanwhalife.com, 1 +hanxv.pw, 1 +hanys.xyz, 1 +hanzcollection.online, 1 +hanzubon.jp, 1 +hao-zhang.com, 1 +haofeng.com, 1 +haoke.com, 1 +haoming.com, 1 +haorenka.co, 1 +haoz.tk, 1 +haozhexie.com, 1 +haozi.me, 1 +hapfox.de, 1 +hapiao.com, 1 +hapijs.cn, 1 +hapissl.com, 1 +hapivm.com, 1 +hapless.tk, 1 +happeopleindonesia.id, 1 +happiestoutdoors.ca, 1 +happii.dk, 1 +happiness.solutions, 1 +happist.com, 1 +happity.co.uk, 1 +happu-dinero.tk, 1 +happy-end-shukatsu.com, 1 +happy-face.tk, 1 +happy-family.tk, 1 +happy-finance.tk, 1 +happy-space.tk, 1 +happy-wans.com, 1 +happy-watches.com, 1 +happy2hub.eu, 1 +happyagain.de, 1 +happyagain.se, 1 +happyandrelaxeddogs.com, 1 +happyanimalsshop.com, 1 +happybabyhappymama.nl, 1 +happybeerdaytome.com, 1 +happybirthdaywisher.com, 1 +happybounce.co.uk, 1 +happychat.io, 1 +happychungus.tk, 1 +happychurch.com, 1 +happycoder.net, 0 +happycoders.eu, 1 +happycolors.us, 1 +happycompany.fi, 1 +happycore.ml, 1 +happycrashers.ga, 1 +happycrashest.ga, 1 +happycustomer360.pt, 1 +happydad.tk, 1 +happydays.cat, 1 +happydoghosting.net, 1 +happydoq.ch, 0 +happydota.ga, 1 +happydreamsz.com, 1 +happyexwife.ga, 1 +happyfoolss.com, 1 +happyfun.tk, 1 +happyfuture.tk, 1 +happygadget.me, 1 +happygardencenter.com.br, 1 +happygreats.ml, 1 +happygreats.tk, 1 +happyhabitzone.com, 1 +happyhumans.com, 1 +happyindia.ml, 1 +happyjapan.co.jp, 1 +happykidsforkids.com, 1 +happylearning.com, 1 +happylifestyle.com, 1 +happymine.nl, 1 +happymonday.ua, 1 +happymondayclub.com, 1 +happymoney.com, 1 +happymothersday.tk, 1 +happynight.tk, 1 +happypets.pe, 1 +happyplantparent.com, 1 +happyretail.ai, 1 +happyrunning.tk, 1 +happyschnapper.com, 1 +happyscore.nl, 1 +happyscubadiving.tk, 1 +happyteamlabs.com, 1 +happytestings.com, 1 +happytime.gq, 1 +happytopup.com, 1 +happytours.cf, 1 +happytoys.com.br, 1 +happytugs.com, 1 +happyukgo.com, 1 +happywater.my, 1 +happyweekend.ga, 1 +happywheels1.online, 1 +hapronailz.tk, 1 +haproxy.tech, 1 +hapsana.nl, 1 +hapsfordmill.co.uk, 1 +haptemic.com, 1 +hapticmedia.com, 1 +hapticmedia.io, 1 +hapvm.com, 1 +haqrpatrol.com, 1 +har5.com, 1 +harabar.ga, 1 +harabar.gq, 1 +harabar.ml, 1 +harabe.ga, 1 +harahanla.gov, 1 +harajiplastic.ir, 1 +harald-d.dyndns.org, 1 +harald-nyborg.dk, 1 +harald-pfeiffer.de, 1 +harambo.cf, 1 +harapanrakyat.com, 1 +harapecorita.com, 1 +harapjunk.hu, 1 +harasov.tk, 1 +harbecke.cloud, 1 +harbecke.me, 1 +harbecke.net, 1 +harbecke.org, 1 +harbecke.xyz, 1 +harbor.com, 1 +harborhillsdaycamp.com, 1 +harboursport.co.nz, 1 +hard-drive-recovery-blog.tk, 1 +hard.email, 1 +hardatack.tk, 1 +hardcore-hooligans.tk, 1 +hardcore-toys.com, 1 +hardcoreincest.net, 1 +hardcorejokeers.ga, 1 +hardcorejokeest.ga, 1 +hardcorekings.com, 1 +hardcorepost.com, 1 +hardeecountyfl.gov, 1 +hardeeflvotes.gov, 1 +hardeman.nu, 1 +hardenburghny.gov, 1 +hardenize.com, 1 +hardergayporn.com, 1 +hardesec.com, 1 +hardfalcon.net, 1 +hardfloorcleaninglondon.co.uk, 1 +hardforum.com, 1 +hardfought.org, 1 +hardgame.tk, 1 +hardgospelcafe.tk, 1 +hardh.at, 0 +hardhat.io, 1 +hardhatengineer.com, 1 +hardies.nl, 1 +hardinal.com, 1 +hardincountyil.gov, 1 +hardincountyky.gov, 1 +hardincountyohio.gov, 1 +hardjump.tk, 1 +hardmetal.tk, 1 +hardmine.ru, 1 +hardnet.cz, 1 +hardnode.org, 1 +hardnoiser.tk, 1 +hardpay.com, 1 +hardrain980.com, 1 +hardrock.tk, 1 +hardrocksportsbook.com, 1 +hardscience.games, 1 +hardscience.io, 1 +hardstation.tk, 1 +hardstyleclothes.tk, 1 +hardtailrecon.com, 1 +hardtec.tk, 1 +hardtfrieden.de, 1 +hardtime.tk, 1 +hardtimeszine.tk, 1 +hardwake.tk, 1 +hardwareforum.ga, 1 +hardwarelog.in, 1 +hardwarelogin.com, 1 +hardwarelogin.rocks, 1 +hardwareschotte.de, 1 +hardwick-ma.gov, 1 +hardwickvt.gov, 1 +hardworm.tk, 1 +hardy.bz, 1 +hardyhaberland.com, 1 +hardzone.es, 1 +harem.tk, 1 +harery.com, 1 +harfordpark.org, 1 +harfordvotes.gov, 1 +hargaindo.com, 1 +hargamobilmu.com, 0 +harghita.com, 1 +hargita.com, 1 +hari-katha.tk, 1 +hari-tech.com, 1 +harianjogja.com, 1 +haribilalic.com, 1 +harigovind.org, 1 +hariharnagar.tk, 1 +hariji.tk, 1 +haringtwpmi.gov, 1 +harishgoyal.tk, 1 +harithsankalpa.com, 1 +haritsa.co.id, 1 +hariz.ga, 1 +harlan.cc, 1 +harlem-mt.gov, 1 +harlemeverafter.com, 1 +harleyclassifieds.com, 1 +harleysvillegroup.com, 1 +harlim.tk, 1 +harlingentx.gov, 1 +harlor.de, 1 +harmfarm.nl, 1 +harmim.cz, 1 +harmlesspeopleers.ga, 1 +harmlesspeopleest.ga, 1 +harmoney.com, 1 +harmoniaatlanta.org, 1 +harmonicasireland.com, 1 +harmonizely.com, 0 +harmony-labradoodles.nl, 1 +harmony.co.id, 1 +harmonyeg.net, 1 +harmonyhomeaidservices.co.uk, 1 +harmonylife.ro, 1 +harmonyroomspa.com, 1 +harmreductionwa.org, 1 +harms.io, 1 +harmsboone.org, 1 +harnettcountync.gov, 1 +harneycountyor.gov, 1 +harno.ee, 0 +harnoisfamily.net, 1 +harnov.dk, 0 +harodeportivo.tk, 1 +haroldkip.nl, 1 +haroldkramer.tk, 1 +haroldsharpe.com, 1 +harp.gov, 1 +harpen.de, 1 +harpersvilleal.gov, 1 +harplingemark.se, 1 +harpoonlarsen.tk, 1 +harpreetrakhra.ca, 1 +harputlugil.com, 1 +harrachovskyapartman.cz, 1 +harray.tk, 1 +harrcostl.com, 1 +harriedrecords.tk, 1 +harrietjohnston.tk, 1 +harrimantn.gov, 1 +harringtonca.com, 1 +harrisandharris.com.au, 1 +harrisconsulting.ie, 1 +harrisexteriors.com, 1 +harrisonar.gov, 1 +harrisonassessments.asia, 1 +harrisonassessments.co.id, 1 +harrisonassessments.co.in, 1 +harrisonassessments.co.uk, 1 +harrisonassessments.com.au, 1 +harrisonassessments.com.hk, 1 +harrisonassessments.com.tw, 1 +harrisonassessments.de, 1 +harrisonassessments.eu, 1 +harrisoncareerguide.com, 1 +harrisoncountymo.gov, 1 +harrisoncountyms.gov, 1 +harrisoncountymschanceryclerk.gov, 1 +harrisonsdirect.co.uk, 1 +harrisontownshipmi.gov, 1 +harrisrealestate.com, 1 +harrogatemoneyman.com, 1 +harry-baker.com, 1 +harry-hk.tk, 1 +harryagustiana.tk, 1 +harryanddavid.com, 1 +harryandharrison.com, 1 +harrychristensen.tk, 1 +harrymcgee.tk, 1 +harrymclaren.co.uk, 1 +harryosborn.tk, 1 +harrypotterclan.tk, 1 +harrypottereditor.com, 1 +harrypottereditor.net, 1 +harrypottervenezuela.tk, 1 +harrysmallbones.co.uk, 1 +harryvapoteur.com, 1 +harryvrancken.nl, 1 +harryxxjohnson.ga, 1 +harryyy.me, 0 +harshani.ga, 1 +harshee.ml, 1 +hartan.to, 1 +hartdesign.co.nz, 1 +hartfordct.gov, 1 +hartfordschools.org, 0 +hartfordtwpwipd.gov, 1 +hartie95.de, 1 +hartleighclyde.com.au, 1 +hartlep.email, 1 +hartleycountytx.gov, 1 +hartlieb.me, 1 +hartmancpa.com, 1 +hartmann-hartmann.eu, 1 +hartmannindustries.com, 1 +hartpsychologen.nl, 1 +hartsfieldrock.tk, 1 +hartslagnu.nl, 1 +hartstart.info, 1 +hartvannike.tk, 1 +hartwellga.gov, 1 +hartwickny.gov, 1 +hartzer.com, 1 +haru-restaurant.tk, 1 +haruhi.org.ua, 1 +harukakikuchi.com, 1 +harukawa.moe, 1 +harumi-cl.jp, 1 +harunafilez.tk, 1 +harvard-ma.gov, 1 +harvardil.gov, 1 +harvardpartners.com, 1 +harvestapp.com, 1 +harvester.fr, 1 +harvestfellowshipchurch.net, 1 +harvestgospelministries.org, 1 +harvestmoon.ga, 1 +harvestmoon.ml, 1 +harveyauzorst.com, 1 +harveyplum.com, 1 +harveysautoservice.net, 1 +harveysproducts.co.nz, 1 +harwoeck.group, 1 +haryana.gov.in, 1 +harz.cloud, 0 +harzin.tk, 1 +harzlaender.de, 1 +has-no-email-set.de, 1 +has.gy, 1 +has.report, 1 +has.work, 1 +hasabig.wang, 1 +hasalittle.wang, 1 +hasandeniz.uk, 1 +hasandurmus.com, 1 +hasanmtech.com, 1 +hasansaribas.com, 1 +hasanyildiz.com, 1 +hasas-automatizari.ro, 1 +hasas-cnc.ro, 1 +hasbara.tk, 1 +haschrebellen.de, 1 +hasdf.de, 1 +hasecuritysolutions.com, 1 +hasel.news, 1 +haselsteiner.me, 1 +hasenmueller.de, 1 +hasgeek.com, 1 +hash.works, 1 +hashcat.net, 1 +hashedin.com, 1 +hashemian.com, 1 +hashes.com, 1 +hashes.org, 1 +hashi.dk, 0 +hashi.icu, 1 +hashi.sbs, 1 +hashiconf.com, 0 +hashicorp.com, 0 +hashimah.ca, 1 +hashimoto-jimusho.com, 1 +hashinteractive.com, 0 +hashish.net, 1 +hashiura.jp, 1 +hashmart.io, 1 +hashnode.com, 0 +hashplex.com, 1 +hashru.nl, 1 +hashsters.com, 1 +hashsters.io, 1 +hashulchan.co.il, 1 +hashworks.net, 1 +hashxp.org, 1 +hasilkeluaransgp.com, 1 +hasilocke.de, 1 +hasjob.co, 1 +haskellcountytx.gov, 1 +haskovec.com, 1 +hasmoralsers.ga, 1 +hasmoralsest.ga, 1 +hass-server.pp.ua, 1 +hassan-kuordish.tk, 1 +hassanhardware.com, 1 +hassans.tk, 1 +hassclan.tk, 1 +hasselbach-dellwig.de, 1 +hassellunden.ga, 1 +hassiba-abderaouf.tk, 1 +hassra.org.uk, 1 +hasstopped.com, 1 +hastadoktor.com, 1 +hastaneurunleri.com.tr, 1 +hastati.tk, 1 +hastingsapplianceservice.com.au, 1 +hastingsdirect.com, 1 +hastingsmi.gov, 1 +hastingsne.gov, 1 +hastmassage.tk, 1 +hastyllc.com, 1 +hasx.me, 1 +hasznosithato.tk, 1 +haszon.hu, 1 +hatake.tk, 1 +hatakekaigi.com, 1 +hataonline.tk, 1 +hatarisecurity.co.ke, 1 +hatcher.cloud, 1 +hatchutah.gov, 1 +hate.ga, 1 +hate.tk, 1 +hatemarga.tk, 1 +hatematerial.tk, 1 +hatethe.uk, 1 +hathai.org, 1 +hathawaydinwiddie.com, 1 +hatierchinois.fr, 1 +hatinyhouse.com, 1 +hatori.tk, 1 +hatpakha.com, 1 +hatraters.ga, 1 +hatratest.ga, 1 +hats-land.com, 1 +hatsnet.io, 1 +hatsthings.com, 1 +hatsuharu.tk, 1 +hatsukoi-seikotsu.com, 1 +hatter.in, 1 +hatter.ink, 1 +hatter.me, 1 +hatterjiang.com, 1 +hatterjiang.org, 1 +hattori-hanzo.tk, 1 +hattricksites.tk, 1 +hatul.info, 1 +haucke.xyz, 1 +haughtonla.gov, 1 +hauller.ch, 1 +haulpackaging.com, 1 +hauntedcastle.tk, 1 +hauntedhouserecords.co.uk, 1 +hauntedtruth.tk, 1 +hauora.fyi, 1 +hauora.tech, 1 +haus-garten-test.de, 1 +haus-henne.de, 1 +haus-maritchen.at, 1 +haus-mittelpunkt.de, 1 +haus-momo.ch, 1 +haus.bio, 1 +hausarzt-nw.de, 1 +hausarzt-nw.info, 1 +hausdorf.ru, 1 +hausfoto.cz, 1 +hausfrauficken.com, 1 +haushaltsaufloesung-vor-ort.de, 1 +haushaltsaufloesung-zentrum.de, 1 +haushenne.de, 1 +haushub.org, 1 +hausmann-versorgungstechnik.de, 1 +hausmeister-website.de, 1 +hauspie.fr, 1 +hausresidential.com.au, 1 +haust.tk, 1 +haustechnik-breu.de, 1 +hausundhaus.de, 1 +hausverbrauch.de, 1 +hausverwaltung-motsch.de, 1 +hautarztzentrum.ch, 1 +hautehorlogerie.org, 1 +hautemontagne.com, 1 +hautescimesone.ch, 1 +hautsache-friesoythe.de, 1 +hautsdefrance.fr, 1 +havaci.tk, 1 +havaguncel.com, 1 +havana-club.com, 1 +havanaheritage.org, 1 +havarijna-sluzba-bratislava.sk, 1 +havasuinsurance.com, 1 +havasuopenhouse.com, 1 +havasutacohacienda.com, 1 +havator.fi, 1 +have-it.tk, 1 +have.jp, 1 +haveabounce.co.uk, 1 +havedicewillsave.com, 1 +haveforeningen-enghaven.dk, 1 +havefunbiking.com, 1 +haveg.ru, 1 +haveibeenpwned.be, 1 +haveibeenpwned.com, 1 +havellab.de, 1 +havells.com, 1 +haven-staging.cloud, 1 +havencyber.com, 1 +havenstar.com, 1 +havenstudios.com, 1 +haverford.com, 1 +havernbenefits.com, 1 +haverplastics.co.uk, 1 +havetherelationshipyouwant.com, 1 +havi-engel.de, 1 +havivdriver.co.il, 1 +havohravo.com, 1 +havuzkapinda.com, 1 +hawaiiafro.tk, 1 +hawaiianchoice.com, 1 +hawaiianlion.cf, 1 +hawaiianlion.ga, 1 +hawaiianlion.gq, 1 +hawaiifamilydental.com, 1 +hawaiiforbernie.com, 1 +hawaiinet.tk, 1 +hawaiipolice.gov, 1 +hawaindustrial.com, 1 +hawat.cz, 1 +hawawa.kr, 1 +hawickvets.co.uk, 1 +hawit-steuerberatung.de, 1 +hawit-steuerberatung.support, 1 +hawk-la.com, 1 +hawk.pl, 1 +hawkargentina.com, 1 +hawkbiosystems.com, 0 +hawkeyeia.gov, 1 +hawkeyeinsight.com, 1 +hawkins.plus, 1 +hawkinsonkiaparts.com, 1 +hawkofgeorgia.com, 1 +hawkon.dk, 1 +hawkrovers.tk, 1 +hawksguild.com, 0 +hawle-service.at, 1 +hawler.tk, 1 +hawo.academy, 1 +hawrerahimi.nl, 0 +hax.to, 1 +haxland.tk, 1 +haxor.one, 1 +haxx.hu, 1 +hay.email, 1 +hayai.space, 1 +hayalgucu.net, 1 +hayalmeyal.com, 1 +hayashi-rin.net, 1 +hayatmurat.tk, 1 +haydenal.gov, 1 +haydenbleasel.com, 0 +haydenfranklin.com, 1 +haydenjames.io, 1 +hayestwpclaremi.gov, 1 +hayestwpotsegomi.gov, 1 +hayfordoleary.com, 1 +hayl.me.uk, 1 +hayleywestenra.tk, 1 +hayobethlehem.nl, 1 +hayonik.com, 1 +hayrivertownship.gov, 1 +haysc.tech, 1 +hayssuperclean.com, 1 +haystack.tk, 1 +haystackrenovation.com.au, 1 +hayvanlar.net, 1 +hayvid.com, 1 +hayvid.net, 1 +hayward.uk.com, 1 +haywoodtn.gov, 1 +hazalturesan.tk, 1 +hazana.ovh, 1 +hazara-online.tk, 1 +hazaristan.asia, 1 +haze-productions.com, 1 +haze.productions, 1 +hazeldeanfamilydentalcentre.com, 1 +hazelhof.nl, 1 +hazelkid.tk, 1 +hazelwood.co.uk, 1 +hazeover.com, 1 +hazhistoria.net, 1 +hazimdesign.tk, 1 +hazit.co.il, 1 +hazlocheaters.com, 1 +hazloconlapix.com, 1 +hazyhosting.tk, 1 +hazytales.com, 1 +hazza.net, 1 +hb.by, 1 +hb5197.com, 0 +hb6729.com, 1 +hb8522.com, 1 +hb9397.com, 1 +hba1crechner.de, 1 +hbaa.ml, 1 +hbag.org, 1 +hbauer.net, 0 +hbbet.com, 1 +hbcm70.fr, 1 +hbcu-colleges.com, 1 +hbfisioeesthetic.com.br, 1 +hbgshop.cf, 1 +hbh.sh, 1 +hbility.eu, 0 +hbl-stahl.de, 1 +hblwrk.de, 1 +hbo-center.com, 1 +hboeck.de, 1 +hbomaxaustralia.com, 1 +hbpro.pt, 1 +hbr.link, 1 +hbs-it-gmbh.de, 1 +hbsslaw.co.uk, 1 +hbsslaw.com, 1 +hbsvzos.nl, 1 +hbudd.com, 0 +hbussmann.com, 1 +hbvip.com, 1 +hbweb.io, 1 +hbxianghang.com, 0 +hby.cx, 1 +hc-sc.gc.ca, 0 +hcahealthcare.co.uk, 1 +hcamag.com, 1 +hcaptcha.com, 1 +hcasino.it, 1 +hcaz.io, 1 +hcc-s.de, 1 +hcc-server.de, 1 +hccnet.org, 1 +hcdatn.gov, 1 +hcdonbass.com, 1 +hceu-performance.com, 1 +hcfeye.com.au, 1 +hcfl.gov, 1 +hcfoodpantry.org, 1 +hcg24.com, 1 +hcgallia.tk, 1 +hcie.pl, 0 +hclsw.at, 0 +hclsw.ch, 0 +hclsw.de, 0 +hclu.co, 1 +hcmuehlethurnen.ch, 1 +hcnh.gov, 1 +hco4.com, 1 +hcqmeta.com, 1 +hcr.io, 0 +hcs.land, 1 +hcscrusaders.com, 1 +hcsoffshore.com, 1 +hctegelhandel.tk, 1 +hctr002.tk, 1 +hcv.cz, 1 +hcv.ind.in, 1 +hcvp.com.pt, 1 +hcwels.at, 1 +hd-offensive.at, 0 +hd-olimpo.club, 1 +hd-only.org, 1 +hd-outillage.com, 1 +hd4arab.tk, 1 +hd6729.com, 1 +hd6957.com, 1 +hd9397.com, 1 +hd9721.com, 1 +hdaccess.info, 1 +hdatraining.ma, 1 +hdbigass.com, 1 +hdbits.org, 1 +hdblackporn.com, 1 +hdbooty.com, 1 +hdc.sg, 1 +hdcoupler.com.au, 1 +hddrecovery.net.au, 1 +hdeaves.uk, 1 +hdert.com, 1 +hdevent.net, 1 +hdfreeizle.com, 1 +hdfreex.com, 1 +hdgrannytube.com, 1 +hdguru.com, 1 +hdhoang.space, 1 +hdhomelift.com, 1 +hdlooks.tk, 1 +hdm-bogensport.at, 1 +hdmatureporn.com, 1 +hdmaturetube.com, 1 +hdmaturetube.tv, 1 +hdmilfporn.com, 1 +hdmixfilim.com, 1 +hdml.kr, 1 +hdmomtube.com, 1 +hdnakedgirls.com, 1 +hdnastudio.com, 1 +hdporno.tv, 1 +hdpornose.com, 1 +hdpornpics.com, 1 +hdpornpicture.com, 1 +hdrams.com, 1 +hdrcomercio.com.br, 1 +hdrezka2018.tk, 1 +hdrip.info, 1 +hdrtranscon.com, 0 +hds-lan.de, 1 +hdscheduleers.ga, 1 +hdscheduleest.ga, 1 +hdsengine.ml, 1 +hdsexxx.net, 1 +hdsinemax.com, 1 +hdtvblogsers.ga, 1 +hdtvblogsest.ga, 1 +hdtvboarders.ga, 1 +hdtvboardest.ga, 1 +hdv.paris, 1 +hdv12.horse, 1 +hdview.co.uk, 1 +hdwallpapers.net, 1 +hdwetpussy.com, 1 +hdxvideosporns.com, 1 +hdxxxpics.net, 1 +hdy.nz, 1 +hdz.org, 1 +hdzineers.ga, 1 +hdzineest.ga, 1 +he-sb.cf, 1 +he-sb.eu.org, 1 +he-sb.top, 1 +he.kg, 1 +heaaart.com, 1 +head-hunters.tk, 1 +head.org, 1 +head.ru, 1 +headachemigraine.org, 1 +heade.cf, 1 +headed2.com, 1 +headforcloud.com, 1 +headhuntercolombia.com, 1 +heading2australia.ga, 1 +headinsider.net, 0 +headlight.tech, 1 +headlineclub.gr, 1 +headlinepublishing.be, 1 +headofhair.pl, 1 +headphonesinear.tk, 1 +headshotharp.de, 1 +headsmackskatepark.tk, 1 +headstartkernow.org.uk, 1 +headstogether.org.uk, 1 +headstrong.de, 1 +headsuphealth.com, 1 +headwall-hosting.com, 1 +headwayapp.co, 1 +healdsburg.gov, 1 +healinfoods.com, 1 +healingfoundation.org.au, 1 +healingriverscounseling.net, 1 +healingthenaturalway.cf, 1 +healingthenaturalway.ga, 1 +healingthenaturalway.gq, 1 +healingwell.com, 1 +healingwithvibrationsummit.com, 1 +healinlife.com, 1 +healmyhearttoday.ga, 1 +healmynation.com, 1 +healtbeautyturkey.tk, 1 +health-and-beauty-news.net, 1 +health-ashlandcounty-oh.gov, 1 +health-e.org.za, 1 +health-ecore.com, 1 +health-in-mind.org.uk, 1 +health-match.com.au, 1 +health-plan-news.com, 1 +health-road.ga, 1 +health-toolbox.com, 1 +health-tourism.com, 1 +health.gd, 1 +health.gov, 1 +health.graphics, 1 +health.mil, 1 +health24.ml, 1 +health24world.ml, 1 +health360.bh, 1 +health4all.tk, 1 +health4food.com, 1 +health4life.tk, 1 +healthabundant.ga, 1 +healthactive.co, 0 +healthadaptive.ga, 1 +healthalbuquerque.tk, 1 +healthalternativemedicine.tk, 1 +healthamazing.ga, 1 +healthand.ml, 1 +healthandfitnessover40.co.uk, 1 +healthandglow.tk, 1 +healthandskinbeauty.com, 1 +healtharlington.tk, 1 +healtharrow.ga, 1 +healthasociation.tk, 1 +healthatlanta.tk, 1 +healthatlantic.ga, 1 +healthatlantic.tk, 1 +healthawareness.cf, 1 +healthbanfield.tk, 1 +healthbank.io, 1 +healthbeltsville.tk, 1 +healthbinghamton.tk, 1 +healthbit.com.br, 1 +healthblender.ga, 1 +healthblod.ga, 1 +healthbolton.tk, 1 +healthbordelonville.tk, 1 +healthboston.tk, 1 +healthboulevard.ga, 1 +healthbounce.ga, 1 +healthbrisbane.tk, 1 +healthbrite.ga, 1 +healthbrochures.info, 1 +healthbunny.ga, 1 +healthcalculator.site, 1 +healthcanal.ga, 1 +healthcaptive.ga, 1 +healthcare.gov, 0 +healthcare4ppl.com, 1 +healthcareadministrationedu.org, 1 +healthcareagency.tk, 1 +healthcareareainfo.tk, 1 +healthcareconnexion.com, 1 +healthcarediversion.org, 1 +healthcaredrugs.tk, 1 +healthcareera.tk, 1 +healthcareinfonews.tk, 1 +healthcaremedicine.tk, 1 +healthcarenutrition.tk, 1 +healthcarepathway.com, 1 +healthcareresearch.tk, 1 +healthcarereviews.tk, 1 +healthcarerevopt.com, 1 +healthcarestaffingacademy.com, 1 +healthcaresystemcareersedu.org, 1 +healthcatch.ga, 1 +healthcentralasia.tk, 1 +healthcentralmedicine.tk, 1 +healthcentralnews.tk, 1 +healthcentralstore.tk, 1 +healthcentraltreatment.tk, 1 +healthcharte.ga, 1 +healthchecks.io, 1 +healthchillicothe.tk, 1 +healthchoice.tk, 1 +healthcise.com, 1 +healthclassy.ga, 1 +healthclearance.ga, 1 +healthclyman.tk, 1 +healthcode.cf, 1 +healthcollect.ga, 1 +healthcolumbia.tk, 1 +healthcolumbus.tk, 1 +healthcommission.ga, 1 +healthcompany.tk, 1 +healthconfluence.tk, 1 +healthconstruct.ga, 1 +healthcostinstitute.org, 0 +healthcounty.ga, 1 +healthcourier.ga, 1 +healthcrafter.ga, 1 +healthcrawler.ga, 1 +healthcrown.cf, 1 +healthcrown.ga, 1 +healthcrystal.ga, 1 +healthculloden.tk, 1 +healthcultureexpo.com, 1 +healthcupid.ga, 1 +healthcurious.ga, 1 +healthdaily.cf, 1 +healthdaily.ga, 1 +healthdallas.tk, 1 +healthdata.gov, 1 +healthdelta.ga, 1 +healthdenver.tk, 1 +healthdesigning.ga, 1 +healthdestination.ga, 1 +healthdetroit.tk, 1 +healthdigitalstore.tk, 1 +healthdodge.ga, 1 +healthdowntown.ga, 1 +healthdraw.ga, 1 +healtheagle.ga, 1 +healtheffectsofasbestos.com, 1 +healthekids.tk, 1 +healthemden.tk, 1 +healthessence.ga, 1 +healthfalcon.ga, 1 +healthfame.ga, 1 +healthfiesta.ga, 1 +healthfinder.gov, 1 +healthfitapp.com, 1 +healthfitstore.com, 1 +healthflavor.ga, 1 +healthfleet.ga, 1 +healthfortwaltonbeach.tk, 1 +healthfortworth.tk, 1 +healthfrederick.tk, 1 +healthfreeport.tk, 1 +healthful.eu.org, 1 +healthglamour.ga, 1 +healthgoddess.ga, 1 +healthgrace.ga, 1 +healthgrad.com, 1 +healthgrandrapids.tk, 1 +healthguerilla.ga, 1 +healthguerrilla.ga, 1 +healthhair.ru, 1 +healthhard.ga, 1 +healthharrisburg.tk, 1 +healthhelena.tk, 1 +healthhendersonville.tk, 1 +healthhosts.com, 1 +healthhuntsville.tk, 1 +healthhusky.ga, 1 +healthi.ch, 1 +healthierweight.co.uk, 1 +healthimagine.ga, 1 +healthintergrity.ga, 1 +healthiraq.ga, 1 +healthiron.ga, 1 +healthit.gov, 1 +healthjackpot.ga, 1 +healthjarrettsville.tk, 1 +healthjoker.ga, 1 +healthkaro.tk, 1 +healthkaty.tk, 1 +healthkayak.ga, 1 +healthknight.ga, 1 +healthlable.com, 1 +healthlabs.com, 1 +healthlar.com, 1 +healthleadsusa.org, 1 +healthlesson.tk, 1 +healthlifeforyou.tk, 1 +healthlightning.ga, 1 +healthlincoln.tk, 1 +healthloco.ga, 1 +healthlongwood.tk, 1 +healthlowprice.ga, 1 +healthlucky.ga, 1 +healthmagazines.tk, 1 +healthmanager.ml, 1 +healthmanchester.tk, 1 +healthmatchapp.com, 1 +healthmeasure.ga, 1 +healthmedcost.com, 1 +healthmedicalcenter.it, 1 +healthmedicineasia.tk, 1 +healthmedicinebiology.tk, 1 +healthmedicinedrug.tk, 1 +healthmedicinestore.tk, 1 +healthmedicineus.tk, 1 +healthmedicineworld.tk, 1 +healthmeta.ga, 1 +healthmetric.ga, 1 +healthmiami.tk, 1 +healthmillions.ga, 1 +healthmilwaukee.tk, 1 +healthmilwaukie.tk, 1 +healthmotivation.ml, 1 +healthmountolive.tk, 1 +healthmuscle.ga, 1 +healthmuscle.tk, 1 +healthmystical.ga, 1 +healthnano.ga, 1 +healthnational.ga, 1 +healthnobel.ga, 1 +healthnorman.tk, 1 +healthnorthamerican.ga, 1 +healthnorthgreenbush.tk, 1 +healthnutrition.tk, 1 +healthnutritionfood.tk, 1 +healthnutritiongrowth.tk, 1 +healthnutritioninfo.tk, 1 +healthnutritioninfonews.tk, 1 +healthnutritioninjury.tk, 1 +healthnutritionpregnancy.tk, 1 +healthnutritionpublic.tk, 1 +healthnutritionusa.tk, 1 +healthnweight.tk, 1 +healthoakland.tk, 1 +healthocity.ga, 1 +healthoffline.ga, 1 +healthoneday.ga, 1 +healthonplanet.com, 1 +healthoptions.tk, 1 +healthpaducah.tk, 1 +healthpeace.ga, 1 +healthpeach.ga, 1 +healthpersonal.ga, 1 +healthpert.com, 1 +healthphase.ga, 1 +healthpickup.ga, 1 +healthpirates.ga, 1 +healthplansamerica.org, 1 +healthplatinum.ga, 1 +healthpremier.ga, 1 +healthprestige.ga, 1 +healthpriority.ml, 1 +healthproconsulting.com, 1 +healthquality.tk, 1 +healthquantum.ga, 1 +healthquest.com.au, 1 +healthrail.ga, 1 +healthrangely.tk, 1 +healthrapid.ga, 1 +healthraven.ga, 1 +healthreadset.ga, 1 +healthremarkable.ga, 1 +healthreno.tk, 1 +healthrequest.ga, 1 +healthrish.com, 1 +healthrivergrove.tk, 1 +healthrule.ga, 1 +healthrunners.ga, 1 +healths-tips.ml, 1 +healthsacramento.tk, 1 +healthsalvage.ga, 1 +healthsample.ga, 1 +healthsanantonio.tk, 1 +healthsanjose.tk, 1 +healthsanluisobispo.tk, 1 +healthsantaana.tk, 1 +healthsantaclara.tk, 1 +healthscience.tk, 1 +healthseason.ga, 1 +healthseattle.tk, 1 +healthservicediscounts.com, 1 +healthsession.ga, 1 +healthshadow.ga, 1 +healthsleuth.ga, 1 +healthslide.ga, 1 +healthsomerset.tk, 1 +healthsone.com, 1 +healthsouthfield.tk, 1 +healthsparkle.ga, 1 +healthspencer.tk, 1 +healthspringfield.tk, 1 +healthstar-dev.io, 1 +healthstar.io, 1 +healthstrick.ga, 1 +healthstudy.tk, 1 +healthstyletips.ml, 1 +healthsunflower.ga, 1 +healthsustain.ga, 1 +healthsyndrome.tk, 1 +healthtacoma.tk, 1 +healthtimes.ga, 1 +healthtips4you.ml, 1 +healthtoledo.tk, 1 +healthtreats.ga, 1 +healthtrio.com, 1 +healthtrust.tk, 1 +healthturbo.ga, 1 +healthultra.ga, 1 +healthunique.ga, 1 +healthurban.ga, 1 +healthvacancies.tk, 1 +healthvariety.ga, 1 +healthvariety.tk, 1 +healthveedersburg.tk, 1 +healthvision.ml, 1 +healthwarior.tk, 1 +healthwausau.tk, 1 +healthwealthtime.org, 1 +healthwichita.tk, 1 +healthy-map.com, 1 +healthy-shoko.com, 1 +healthy.io, 1 +healthy.works, 1 +healthyaging-digital.com, 1 +healthyalabama.tk, 1 +healthyalaska.tk, 1 +healthyankee.ga, 1 +healthyarizona.tk, 1 +healthyarkansas.tk, 1 +healthybeauty365bn.com, 1 +healthyburn.tk, 1 +healthychoices.tk, 1 +healthyclinic.tk, 1 +healthycolorado.tk, 1 +healthyfeet.gr, 1 +healthyfitfood.com, 1 +healthyflorida.tk, 1 +healthyfoodanddrink.tk, 1 +healthygeorgia.tk, 1 +healthyhomesofmichigan.com, 0 +healthyhomeventilation.com.au, 1 +healthyhours.tk, 1 +healthyindiana.tk, 1 +healthykansas.tk, 1 +healthykitchen101.com, 1 +healthymaine.tk, 1 +healthymen.ml, 1 +healthyminnesota.tk, 1 +healthymississippi.tk, 1 +healthynewjersey.tk, 1 +healthynutritionguide.info, 1 +healthyoregon.tk, 1 +healthypennsylvania.tk, 1 +healthypeople.gov, 1 +healthyrecipes101.com, 1 +healthyrun.tk, 1 +healthysanfrancisco.org, 1 +healthyschoolsnewcastle.org.uk, 1 +healthysouthdakota.tk, 1 +healthyspirituality.org, 1 +healthystore.my.id, 1 +healthystyle.tk, 1 +healthysuperhuman.com, 1 +healthyteame.com, 1 +healthytipsdiet.tk, 1 +healthyweblife.tk, 1 +healthywyoming.tk, 1 +healthyyou.ml, 1 +healtmainwp.tk, 1 +healtyersworld.tk, 1 +heap.zone, 1 +heapsofheaven.com, 1 +heardcountyathletics.com, 1 +hearfool.cc, 1 +hearingbydesign.co.nz, 1 +hearingshofar.com, 1 +hearkener.com, 1 +heart-cartoons.tk, 1 +heart-valve-surgery.com, 1 +heartbeat24.de, 1 +heartbomb.co.jp, 1 +heartbound.wiki, 1 +heartcard.tk, 1 +heartchating.tk, 1 +heartcomms.com.au, 1 +heartgames.pl, 1 +hearthealing.ca, 1 +hearthstonehungary.hu, 1 +hearthustlebrands.com, 1 +heartlandbiomed.com, 1 +heartlandbraidedrugs.com, 1 +heartlandcocacola.com, 1 +heartlandrentals.com, 1 +heartlandtownandcountry.tk, 1 +heartofenglandfirstaidtraining.com, 1 +heartofgod.tk, 1 +heartofthepeace.com, 0 +heartonmysleevegreetings.com, 1 +heartsintrueharmony.com, 1 +heartsucker.com, 0 +hearttruth.gov, 1 +heartview.com.br, 1 +heartway.online, 1 +heartwoodart.com, 1 +heartwoodrefuge.org, 0 +hearty.biz, 1 +hearty.blog, 1 +hearty.eu.org, 0 +hearty.ga, 1 +hearty.gift, 1 +hearty.gq, 1 +hearty.ink, 1 +hearty.me, 1 +hearty.ml, 1 +hearty.ooo, 1 +hearty.org.tw, 1 +hearty.sg, 1 +hearty.taipei, 1 +hearty.tech, 1 +hearty.tw, 1 +heartyapp.com, 1 +heartyapp.tw, 1 +heartymail.com, 1 +hearusa.com, 1 +heaslip-aluminium-smelter-engineering.com, 1 +heat-press.com.au, 1 +heat-ua.pt, 1 +heat.gov, 1 +heatcheck.security, 1 +heatcleanerers.ga, 1 +heatcleanerest.ga, 1 +heatershop.co.uk, 1 +heatgeek.com, 1 +heathaze.xyz, 1 +heatherbells.tk, 1 +heathercutler.ca, 0 +heatherleysephotography.com, 1 +heathersmithcommercial.com, 1 +heathersnotes.com, 1 +heathrowairportparking24.co.uk, 1 +heatingequipment.tk, 1 +heaven-boutique.de, 0 +heavenlybeauty.tk, 1 +heavenlylanka.com.au, 1 +heavenlynails.pl, 1 +heavenlyseals.com, 1 +heavenlysmokenc.com, 1 +heavennewsers.ga, 1 +heavennewsest.ga, 1 +heavensattic.co.uk, 1 +heavensolutions.com.br, 1 +heaventurizm.com.tr, 1 +heavycaliber.com, 1 +heavycoupleers.ga, 1 +heavycoupleest.ga, 1 +heavyequipments.org, 0 +heavyhymnal.com, 1 +heavylord.tk, 1 +heavysounds.tk, 1 +hebamme-cranio.ch, 1 +hebamme-ebersberg.de, 1 +hebamme-sabine.eu, 1 +hebbelabi.tk, 1 +hebe.stream, 1 +heber.tk, 1 +hebersprings.gov, 1 +heberut.gov, 1 +hebikhiv.nl, 1 +hebin.cf, 1 +hebmexico.tk, 1 +hebrew.ga, 1 +hebronnh.gov, 1 +hec-espace-entreprise.ch, 0 +hec.global, 1 +hecco.io, 1 +heccubus.tk, 1 +hechaocheng.ga, 1 +hechaocheng.ml, 1 +hechaocheng.tk, 1 +hechizosymagianegra.es, 1 +hechno.com, 1 +heckelektro.de, 1 +heckhome.com, 1 +hecking.tk, 1 +heckmann.photos, 1 +hectorama.tk, 1 +hectorfiorini.com.ar, 0 +hectorlima.tk, 1 +hedd.audio, 1 +heddoun.com, 1 +hedefhalk.com, 1 +hedefkompresor.com, 1 +hedenskrig.tk, 1 +hederaconsulting.com, 1 +hederawinkel.nl, 0 +hedge.fi, 1 +hedgedoc.net, 1 +hedgedoc.org, 1 +hedgehogs.tk, 1 +hedgesafeers.ga, 1 +hedgesafeest.ga, 1 +hedgeschool.ie, 1 +hedgetube.ga, 1 +hedinghamandchambers.co.uk, 1 +hedman.tk, 1 +hedonics.org, 1 +hedonism.org, 1 +hedonistai.org, 1 +hedonistic-imperative.com, 1 +hedonistic.org, 1 +hedonisticimperative.com, 1 +hedonium.com, 1 +hedoujia.tw, 1 +hedronarchive.com, 1 +hedweb.co.uk, 1 +hedweb.com, 1 +hedweb.net, 1 +hedweb.org, 1 +hedweb.uk, 1 +hedys.de, 1 +hee.ink, 1 +heeftmijnwebsitehttpsnodig.nl, 1 +heeler.red, 1 +heello.es, 1 +heerenveenlokaal.nl, 1 +heesenyachts.com, 0 +heethealthcare.com, 1 +hefengautoparts.com, 1 +heficed.com, 1 +heftfilme.com, 1 +hefty.cloud, 1 +heg.ge, 1 +hegdahl.tk, 1 +hegdahl.xyz, 1 +hegebo.de, 1 +hegocre.com, 1 +heh.ee, 1 +heha.co, 0 +hehecams.com, 1 +hehechat.com, 1 +heheparty.com, 1 +heheparty.net, 1 +heheparty.org, 1 +hehome.xyz, 0 +heiaheia.com, 1 +heibel.tk, 1 +heibobo.cf, 1 +heibobo.com, 1 +heibobo.ga, 1 +heibobo.gq, 1 +heibobo.ml, 1 +heibobo.tk, 1 +heic.nz, 1 +heictoany.com, 1 +heid.ws, 1 +heidarilawgroup.com, 1 +heidegg.ch, 1 +heidelbergengineering.com, 1 +heiden-wir-helfen.de, 1 +heidifuller.com, 1 +heidihills.com, 1 +heidinousiainen.com, 1 +heidirange.tk, 1 +heidisheroes.org, 1 +heidns.cn, 0 +heighton.com.au, 1 +heightselectrical.com.au, 1 +heigl-care.de, 1 +heihaha.com, 1 +heihei.cf, 1 +heijblok.com, 1 +heijdel.nl, 1 +heijmans.blog, 1 +heijmans.io, 1 +heijmans.org, 1 +heijmans.pm, 1 +heijmans.tech, 1 +heikal.tk, 1 +heikegastmann.com, 1 +heikki-mikkola.tk, 1 +heiko-zimmermann.com, 1 +heiko.ph, 1 +heikomauel.de, 1 +heikoopminiaturen.nl, 1 +heiland.io, 1 +heilbronn.tk, 1 +heiliao.in, 1 +heiligebirmanen.tk, 1 +heiliger-gral.info, 1 +heilpflanzenmagie.de, 1 +heilpraktiker-maxdorf.de, 1 +heimatverein-eitensheim.de, 1 +heimdallsensors.com, 1 +heimnetze.org, 0 +heimonen.eu, 1 +heimstaden.dk, 1 +heina.net, 1 +heineken.co.za, 1 +heino-peters.de, 1 +heinonen.cc, 1 +heinrich1.de, 1 +heinrich5991.de, 1 +heinvanhemert.nl, 1 +heinzdekat.tk, 1 +heinzencastellano.tk, 1 +heiraten-gardasee.de, 1 +heiraten-venedig.de, 1 +heise.cf, 1 +heise.ml, 1 +heisenberg.co, 1 +heishop.com.br, 1 +heishop.mx, 1 +heist-clan.tk, 1 +heistheguy.com, 1 +heitepriem.info, 1 +heiwa-valve.co.jp, 1 +hejazultra.org, 1 +heka.ai, 1 +hekat.sk, 1 +hekate.com.mx, 1 +hekatija.com, 1 +hekeki.com, 1 +hekoro.ml, 1 +hektenkairez.com, 1 +hekwerken.tk, 1 +helabet.com, 1 +helabet.ng, 1 +heladospipos.ga, 1 +helagotaland.ga, 1 +helagotaland.gq, 1 +helali.me, 1 +helbreath.tk, 1 +helcim.com, 1 +helco.xyz, 1 +helden-spielen.de, 1 +heldenhalde.de, 1 +heldmayer.com, 1 +heldtech.services, 1 +heldundsexgott.de, 1 +helebce.tk, 1 +heleendebruyne.be, 1 +helemduruth.com, 1 +helena-loos.de, 1 +helenair.com, 1 +helenakmiec.pl, 1 +helenapaparizouspainfanclub.tk, 1 +helenatownshipmi.gov, 1 +helendoe.uk, 1 +helendoron.fr, 1 +helene-conway.com, 1 +helenekurtz.com, 1 +helenelefauconnier.com, 1 +helenevanwunnik.tk, 1 +helenkellersimulator.org, 1 +helenlim.pw, 1 +helenmarie.ie, 1 +helenmcguinness.online, 1 +helensmithpr.co.uk, 1 +helenssjoholm.cf, 1 +helenssjoholm.ga, 1 +helenvalsj.tk, 1 +helenwade.tk, 1 +heleus.it, 1 +helfordriversc.co.uk, 1 +helga-fest.tk, 1 +helgaschultz.de, 1 +helgeklein.com, 1 +helhetsframtradande.se, 1 +heli-iq.at, 1 +heli-iq.com, 1 +heli-iq.cz, 1 +heli-iq.de, 1 +heli-iq.dk, 1 +heli-iq.es, 1 +heli-iq.fi, 1 +heli-iq.fr, 1 +heli-iq.it, 1 +heli-iq.nl, 1 +heli-iq.sk, 1 +helia.com.au, 1 +helibella.com, 1 +helichat.de, 1 +heliconservices.com, 1 +heligrandcanyon.com, 1 +helijobs.net, 1 +helikopter.ml, 1 +helikopterman.tk, 1 +helikopters.tk, 1 +helioanodyne.eu, 1 +heliobil.fr, 1 +heliocentrism.jp, 1 +helion.ch, 0 +helioring.com, 1 +helios4.com, 1 +heliosbot.net, 1 +heliosnet.com, 1 +heliosvoting.org, 0 +heliport-moscow.ru, 1 +helisimmer.com, 1 +heliumtech.tk, 1 +helix.am, 1 +helixagencyservices.com, 0 +helkyn.eu, 1 +helkyn.fr, 1 +helkyn.org, 1 +hell-o.net, 1 +hell.rodeo, 1 +hell.sh, 1 +hellband.tk, 1 +hellblade.tk, 1 +hellblast.tk, 1 +hellboundhackers.org, 1 +hellendumanrealty.com, 1 +hellenicagora.co.uk, 1 +hellenicmusicacademy.com, 1 +hellerarko.de, 1 +hellfreak.tk, 1 +hellhammer.tk, 1 +hellhavens.tk, 1 +hello-aioi.com, 1 +hello-papaye.com, 1 +hello-products.com, 1 +helloacm.com, 1 +helloafrica.ga, 1 +helloalpha.com, 1 +helloappservices.com, 1 +hellobarestore.com, 1 +hellobee.com, 1 +hellobetter.de, 1 +hellobrian.me, 1 +hellocash.business, 1 +hellocat.cf, 1 +hellocentral.ga, 1 +hellocoding.de, 1 +hellodesign.tk, 1 +hellodollface.com, 1 +helloemailers.ga, 1 +helloemailest.ga, 1 +helloexit.com, 1 +helloheadsup.com, 1 +helloindia.tk, 1 +hellokashmir.tk, 1 +hellolove.sg, 1 +hellomookie.com, 1 +hellomouse.cf, 1 +hellomouse.net, 1 +hellomouse.tk, 1 +hellomunnar.in, 1 +hellomyword.tk, 1 +hellonews.cf, 1 +hellonews.ga, 1 +helloo.com.br, 1 +hellopandaphoto.com, 1 +hellopowerserg.com, 1 +hellorory.com, 1 +hellorussia.ga, 1 +hellosalmon.com, 1 +hellosayge.com, 1 +hellosells.com, 1 +hellosixpackabs.com, 1 +helloskip.com, 0 +hellosmoove.com, 1 +hellotandem.com, 1 +hellotars.com, 1 +helloteen.tk, 1 +hellothematic.com, 1 +hellothought.net, 1 +hellotwist.com, 1 +hellov.in, 1 +helloverify.com, 1 +hellovillam.com, 1 +helloworldhost.com, 0 +hellpc.net, 1 +hellpizza.nz, 1 +hellraid.com, 1 +hellseeker.tk, 1 +hellsinkivampires.tk, 1 +hellsoldiers.tk, 1 +hellven.net, 1 +hellvis.tk, 1 +hellyeahbeer.tk, 1 +helm-pokale.de, 1 +helmethouse.com, 1 +helminger-lrs.at, 1 +helmondautoschade.nl, 1 +helmscapital.co.uk, 1 +helochic.com, 1 +heloisamarra.com, 1 +helorobo.com, 1 +help-me.today, 1 +help207.me, 1 +help24.be, 0 +help911.com, 1 +helpamericavote.gov, 1 +helpatmyhome.com, 1 +helpc.eu, 1 +helpcalculator.tk, 1 +helpcapital.ru, 1 +helpcomp.tk, 1 +helpconnect.com.au, 1 +helpcrm.co.uk, 1 +helpekwendenihospital.com, 1 +helpfulcash.com, 1 +helpinghandspartners.org, 1 +helpkoil.com, 1 +helplightning.com, 1 +helpline.com.ua, 1 +helplisted.com, 1 +helpmecovid.com, 1 +helpmij.cf, 1 +helpnet.ro, 1 +helpout.us, 1 +helpowl.com, 1 +helppc.com.ua, 1 +helprb.ru, 1 +helpscoutdocs.com, 1 +helptasker.com, 1 +helptasker.net, 1 +helptasker.org, 1 +helptasker.ru, 1 +helpticket.ml, 1 +helpticket.tk, 1 +helpwaarbenik.nl, 1 +helpwiki.nl, 1 +helpwise.io, 1 +helpwithadoption.com, 1 +helpwithinreach.com, 1 +helpwithmybank.gov, 1 +helpwithmycheckingaccount.gov, 1 +helpwithmycreditcard.gov, 1 +helpwithmycreditcardbank.gov, 1 +helpwithmymortgage.gov, 1 +helpwithmymortgagebank.gov, 1 +helsenorge.no, 1 +helsi.me, 1 +helsingfors.guide, 1 +helsinginlaakariyhdistys.fi, 1 +helsinki-systems.de, 1 +helst.org, 1 +heluna.tk, 1 +helvatech.ch, 1 +helvetic.finance, 1 +hemagon.com, 1 +hemanklerehab.com, 1 +hemaroids.tk, 1 +hemdal.se, 0 +hemdian.com, 1 +hemmens.eu, 1 +hemmersbach.com, 1 +hemnet.se, 1 +hemorroi.ga, 1 +hemp.com, 1 +hemphopper.eu, 1 +hempoffset.com, 1 +hempsteadcitytx.gov, 1 +hemrin.com, 1 +hems.si, 1 +hemtest.com, 1 +hen.ee, 1 +hen.ne.ke, 1 +hendersoncountyil.gov, 1 +hendersonky.gov, 1 +hendersonvalleyautomotive.co.nz, 1 +hendersonwomenscare.com, 1 +henderz.tk, 1 +hendrickx.be, 1 +hendrik.li, 1 +hendrinortier.nl, 1 +hendrix.com.ng, 1 +hendrix.tk, 1 +hendryelections.gov, 1 +hengelsportjansenlommel.tk, 1 +hengstumone.com, 1 +henhenlu.com, 0 +henkboelman.com, 1 +henke-home.eu, 1 +henker.net, 1 +henkibeer.com, 1 +henko-consulting.com, 1 +henkpille.tk, 1 +henkverlinde.com, 0 +henley-computer-repairs.co.uk, 1 +henleybouncycastles.co.uk, 1 +henlich.de, 1 +hennecke-forstbetrieb.de, 1 +henneke.me, 1 +hennepincounty.gov, 1 +hennepintheatretrust.org, 1 +hennes-haan.de, 1 +hennes-pokalshop.de, 1 +hennes-shop.de, 1 +henneshaan.de, 1 +hennessey.com, 1 +hennesshop.de, 1 +hennessy.tk, 1 +hennies.org, 1 +hennikernh.gov, 1 +henningkerstan.de, 1 +henningkerstan.org, 1 +henradplumbing.co.uk, 1 +henri-feuillade.tk, 1 +henri.moe, 1 +henrichaussade.fr, 1 +henrico.gov, 1 +henrieta-nagyova.tk, 1 +henriettatownshipmi.gov, 1 +henrik-sachse.de, 1 +henrikjosefsson.net, 1 +henrikjuvonen.fi, 1 +henriknoerr.com, 1 +henriksachse.com, 1 +henriksachse.de, 1 +henriksoderlund.com, 1 +henrikwelk.de, 1 +henrilammers.nl, 1 +henrri.net, 1 +henry.gg, 1 +henryalanbrown.com, 1 +henrybelk.com, 1 +henrybrown0.com, 1 +henryclub.tk, 1 +henryco911tn.gov, 1 +henrycountyga.gov, 1 +henrycountyohio.gov, 1 +henrycountysheriffga.gov, 1 +henryctyil.gov, 1 +henryford.tk, 1 +henryhouse.wales, 1 +henryhugo.tk, 1 +henryishax.com, 1 +henryluker.com, 1 +henrymercado.tk, 1 +henrymintzberg.nl, 1 +henryocallaghan.com, 1 +hentai-paradise.fr, 1 +hentai.it, 1 +hentaigogo.com, 1 +hentaimaster.net, 1 +hentaipornography.com, 1 +hentaipros.com, 1 +hentaiprosnetwork.com, 1 +hentairead.com, 1 +hentairoulette.com, 1 +hentaishit.com, 1 +hentaiworld.cc, 0 +hentaizm.cf, 1 +hentamanga.tk, 1 +hentavfall.no, 1 +hentschke-bau.de, 1 +hentschke-betonfertigteilwerk.de, 1 +hentschke-invest.de, 1 +henzenhoning.nl, 1 +henzy.cloud, 1 +hepfree.nyc, 1 +hepha.ch, 1 +hephzibahga.gov, 1 +heppler.net, 1 +heptafrogs.de, 1 +heptagonsystems.com, 1 +heptner24.de, 1 +hepuer.com, 1 +hepworthwakefield.org, 1 +her-life.ru, 1 +her.porn, 1 +her123.win, 1 +heraa.top, 1 +heracasinos.com, 1 +herald-review.com, 1 +herald.ga, 1 +heraldcourier.com, 1 +heraldik-wiki.de, 1 +heraldmakassar.com, 1 +herasoft.com, 1 +heratnews.tk, 1 +herba-belgie.be, 1 +herbacom.ro, 1 +herbalcart.com, 1 +herbalhouse.tk, 1 +herbalife.ru, 1 +herbalifereport.tk, 1 +herbalkanker.tk, 1 +herbalmusings.net, 1 +herbalproducts.com, 1 +herbarex.bg, 1 +herbarium.cf, 1 +herberichfamily.com, 1 +herbers.tk, 1 +herbertjanvandinther.nl, 1 +herbertmouwen.nl, 1 +herbiez.com, 1 +herbigass.com, 1 +herbisan.pl, 1 +herbnal.com, 1 +herbreathonglass.tk, 1 +herbsociety.org, 1 +herbsupplements.co.uk, 1 +herbweb.net, 1 +herbweb.org, 1 +herbymiast.waw.pl, 1 +herculesca.gov, 1 +herculex.fi, 1 +herderradio.ml, 1 +herdingcatshere.com, 1 +herdwilliam.ml, 1 +herdwilliam.tk, 1 +herealways.tk, 1 +herecafe.com, 1 +heredapoxetine.gq, 1 +herefordlighthouse.org, 0 +heren.fashion, 1 +herenstraatvoorburg.tk, 1 +hereplus.me, 1 +hereporn.com, 1 +heretic-guild.com, 1 +hereticle.com, 1 +hereticmaniacs.tk, 1 +hereticofficial.com, 1 +hereticpreist.tk, 1 +herez.fr, 1 +hergaenergy.com, 1 +hergeandtintin.tk, 1 +herila.ml, 1 +heringer.tk, 1 +heritagehandicraft.com, 1 +heritageinvestigativegroup.com, 1 +heritagereformed.tk, 1 +heritagetea.tk, 1 +heritagetechnologies.net, 1 +herizon.cf, 1 +herjj.com, 1 +herkam.pl, 1 +herkel.email, 1 +herkel.media, 1 +herkelmedia.com, 1 +herkelmedia.de, 1 +herkimercountyny.gov, 1 +herlimit.com, 1 +hermanbrouwer.nl, 1 +hermandevries.com, 1 +hermann-hesse-kolleg.de, 1 +hermann.in, 1 +hermanoscarrera.tk, 1 +hermes-net.de, 1 +hermes-onlinehandel.de, 1 +hermes-servizi.it, 1 +hermessenger.fr, 1 +hermetas.org, 1 +hermetien.tk, 1 +hermietkreeft.site, 0 +herminghaus24.de, 1 +hermiston.gov, 1 +hermitant.fr, 1 +hermiu.com, 1 +hermodesign.com, 1 +hermonmaine.gov, 1 +hermosaseagirt.com, 1 +hernandovotes.gov, 1 +hernanygerman.tk, 1 +herndl.org, 1 +herne-kupony.sk, 1 +herni-kupony.cz, 1 +herniaclinic.com.sg, 1 +hernikgames.tk, 1 +hernn.com, 1 +heroblog.info, 1 +herocentral.de, 1 +heroco.xyz, 1 +herod.tk, 1 +heroes3stat.tk, 1 +heroesofthenorth.com, 1 +heroesoftomorrow.nl, 1 +heroesorchestra.com, 1 +herofil.es, 1 +herogaming.net, 1 +herohealth.com, 1 +heroiclove.com, 1 +heroicpixel.com, 1 +herold.me, 1 +herold.space, 1 +heromlabs.tk, 1 +heromuster.com, 1 +heronhallacademy.org.uk, 1 +heroofkings.com, 1 +heroplusgroup.com, 0 +heroway.com, 1 +heroxin.com, 1 +herp.careers, 1 +herp.top, 1 +herpderpderpderp.com, 1 +herpes-no.com, 1 +herr-webdesign.de, 1 +herrald-skeeleren.tk, 1 +herramientasbazarot.com, 1 +herrderzeit.de, 1 +herregruppa.no, 1 +herrenblut.tk, 1 +herrenmuehle-wein.de, 1 +herreriamauricio.com.ar, 1 +herreriaorozco.com, 1 +herrfirm.com, 1 +herriman.gov, 1 +herriman.net, 1 +herringadvancemachine.com, 1 +herringboneeats.com, 1 +herringsresidence.be, 1 +herritage.ga, 1 +herrkal.eu, 1 +herrman.tk, 1 +herrns.cloud, 1 +herrschaftlich-durch-dresden.de, 1 +herrsmith.com, 1 +herrtxbias.net, 1 +herrtxbias.org, 1 +hersdorf-eifel.de, 1 +hersheyfeis.com, 1 +hersmartchoice.com, 1 +herthaloewen.tk, 1 +hertie.de, 1 +hertsbouncycastles.com, 1 +heru.tk, 1 +herumixer.ga, 1 +herus.net.pl, 1 +hervegranger.fr, 1 +hervia.com, 1 +hervormdweeshuiszwolle.nl, 1 +herwz.com, 1 +herychreality.cz, 1 +herza.id, 1 +herzberg.site, 1 +herzfuersoziales.at, 1 +herzig.cc, 1 +herzpfa.de, 1 +herzwacht.de, 1 +herzzuherz.de, 1 +hes.com.cy, 1 +hesabcenter.com, 1 +hesama.tk, 1 +hesaplama.net, 1 +hesbayefrost.be, 1 +hesbenergie.be, 1 +hescos.tk, 1 +heshamelsawah.clinic, 1 +heshamselim.tk, 1 +hessabras.ir, 1 +hessen-liebe.de, 1 +hessen.de, 1 +hessen.social, 1 +hessenheim.tk, 1 +hessentoday.de, 1 +hessherrera.com, 1 +hessis.xyz, 1 +hessischer-landtag.de, 1 +hesslag.com, 1 +hestaheimur.is, 1 +hestegrovvaren.dk, 1 +hestervanderheijden.nl, 1 +hestia-systeme.be, 1 +hestia-systeme.com, 1 +hestia-systeme.eu, 1 +hestia-systeme.fr, 1 +hestonlawfirm.com, 1 +hesyifei.com, 1 +het-klaverblad.nl, 1 +hetchie.com, 1 +hetcoronalab.nl, 1 +hetdebat.tk, 1 +hetene.nl, 1 +hetfundament.team, 1 +hetgetouw.be, 1 +hethely.ch, 1 +hetkomtnooitmeergoed.nl, 1 +hetmanrecovery.com, 1 +hetmedialab.nl, 1 +hetmeisjeachterpauw.nl, 1 +hetmer.cz, 1 +hetoefenpunt.be, 1 +hetushu.com, 1 +hetveurtheater.nl, 1 +hetvezercsarda.hu, 1 +hetwalhalla.nl, 1 +hetwebsitebedrijf.nl, 1 +heureetka.fr, 1 +heureka.fi, 1 +heureka2.com, 1 +heute-kaufen.de, 1 +heute.training, 1 +heutger.de, 1 +heutger.net, 1 +hev.edu.ee, 1 +hevenerfeld.de, 1 +hevenkin.cn, 1 +hevertonfreitas.com.br, 1 +hevo.io, 1 +hevoapp.com, 1 +hevodata.com, 1 +hevoiq.com, 1 +hevrishut.cf, 1 +hewavitharanamv.tk, 1 +hewlettbayparkny.gov, 1 +hewlettharbor.gov, 1 +hex.nl, 1 +hexagon-e.com, 1 +hexagonengg.com, 1 +hexalinq.com, 1 +hexane.cf, 1 +hexapt.com, 1 +hexashore.tn, 1 +hexasoft.com.my, 1 +hexatech.gq, 1 +hexatech.tk, 1 +hexaware.com, 1 +hexaweb.tk, 1 +hexcel.com, 1 +hexcode.in, 1 +hexhu.com, 1 +hexhu.net, 1 +hexiaohu.cn, 0 +hexid.me, 0 +hexieshe.com, 1 +hexo.ink, 0 +hexo.io, 0 +hexobind.com, 1 +hexoff.com, 1 +hexony.com, 1 +hexr.org, 1 +hexsafe.io, 1 +hexstream.expert, 1 +hexstream.net, 1 +hexstream.xyz, 1 +hexstreamsoft.com, 1 +hexure.com, 1 +hexxagon.com, 1 +hey-staging.com, 1 +hey.com, 1 +hey.pw, 1 +heyblogging.com, 0 +heybookmark.ga, 1 +heybookmark.gq, 1 +heybritney.tk, 1 +heybyrdie.com, 1 +heydorff.duckdns.org, 1 +heyfiesta.com, 1 +heyghost.io, 1 +heyitgirl.com, 1 +heyitsfree.net, 1 +heyjobs.co, 1 +heyjoecoffee.com, 1 +heyjoflyer.win, 1 +heyjournal.com, 1 +heylink.asia, 1 +heyomg.com, 1 +heyplay.eu.org, 1 +heysora.net, 1 +heytrade.com, 1 +heyvilleers.ga, 1 +heyvilleest.ga, 1 +heywise.com, 1 +heywood.cloud, 1 +hezzit.net, 1 +hf-rpg.ml, 1 +hf51-domeinen.nl, 1 +hf51.nl, 1 +hfa3.org, 1 +hfholidays.co.uk, 1 +hfikq8.cf, 1 +hflsdev.org, 0 +hfox.org, 1 +hfsa.org, 1 +hfsctx.gov, 1 +hfsg-habicht.at, 1 +hfvuejq.pro, 1 +hfx405.de, 1 +hg.eu, 1 +hg.python.org, 1 +hg0086.la, 0 +hg71839.com, 1 +hgb.club, 1 +hgc.solutions, 1 +hgc369.com, 1 +hgcityca.gov, 1 +hgfa.fi, 1 +hghanbarimd.com, 1 +hgmaranatha.nl, 1 +hgpowerglue.nl, 1 +hgseo.me, 1 +hgseo.net, 1 +hgtwa.com.au, 1 +hguandl.com, 1 +hgvnet.de, 1 +hgyo.me, 1 +hgyoseo.com, 1 +hgzw.com, 0 +hh-host.de, 1 +hh-massage.de, 1 +hh-medic.com, 1 +hh-ri.com, 1 +hh-wolke.dedyn.io, 1 +hh5197.co, 1 +hh6729.co, 1 +hh6729.com, 0 +hh6957.co, 1 +hh9297.co, 1 +hh9397.com, 1 +hh9728.co, 1 +hhalic.com, 1 +hhank.com, 1 +hhdelfland.nl, 1 +hhdy3.com, 1 +hhhdb.com, 1 +hhristov.tk, 1 +hhs.gov, 1 +hhsrocketry.tk, 1 +hhxiaozhan.ml, 1 +hi-million.ga, 1 +hi-million.ml, 1 +hi-newspaper.ml, 1 +hi-res.cloud, 1 +hi-res.com.cn, 1 +hi-res.vip, 1 +hi-techcrimes.net, 1 +hialatv.com, 1 +hiatoconteudodigital.com.br, 1 +hibanaworld.com, 1 +hibbingmn.gov, 1 +hibin.tk, 1 +hibiscuscoastfinancialservices.com.au, 1 +hibrid-turf.com, 1 +hiccupsandjuice.co.uk, 1 +hickmancountytn.gov, 1 +hickoryrecord.com, 1 +hickorywinecellar.com, 1 +hicksvilleohio.gov, 1 +hicl.org, 1 +hicoria.com, 1 +hicts.nl, 1 +hiczp.com, 1 +hidalgoad.org, 1 +hidashin.co.jp, 1 +hidayatullah.com, 1 +hidbo.de, 1 +hidden-audio.de, 1 +hidden.gq, 1 +hidden.nyc, 1 +hiddenbyleaves.tk, 1 +hiddencafebcn.com, 0 +hiddendragon.ml, 1 +hiddenempire.tk, 1 +hiddenhand.finance, 1 +hiddenhillselectric.com, 1 +hiddenhillselectrical.com, 1 +hiddenhillselectrician.com, 1 +hiddenhillsexteriorlighting.com, 1 +hiddenhillslandscapelighting.com, 1 +hiddenhillslighting.com, 1 +hiddenhillsoutdoorlighting.com, 1 +hiddenimage.ml, 1 +hiddenmalta.net, 1 +hiddenpalms.tk, 1 +hiddenredknights.tk, 1 +hiddenrefuge.eu.org, 1 +hiddens.tk, 1 +hiddenvalley.com, 1 +hiddout.com, 1 +hide-in.cloud, 1 +hide.me, 1 +hideallip.com, 1 +hideandseek.org, 1 +hidedd.com, 1 +hidelinkz.com, 1 +hideo54.com, 1 +hideouswebsite.com, 1 +hidetagu2021.net, 1 +hideuri.com, 1 +hidon.hu, 1 +hidra.tk, 1 +hidrasecurity.com, 1 +hidrolimpiadora.com.es, 1 +hidrolimpiadorasprofesionales.org, 1 +hidroshoping.com.br, 1 +hidupbisadiatur.com, 1 +hieisuki.ga, 1 +hielscher.com, 1 +hien.cf, 1 +hierden-bosch.nl, 1 +hierdenbosch.nl, 1 +hierer.com, 1 +hietbrink.tk, 1 +hietegerrekes.tk, 1 +hieucd.com, 1 +hif.red, 1 +hif88.com, 1 +hifala.de, 1 +hifast.cc, 1 +hiffen.tk, 1 +hiffo.de, 1 +hifiaudio.sk, 1 +hifiphile.com, 1 +hifly.aero, 1 +hifly.com.tw, 1 +hifrds.com, 1 +hifrnds.in, 1 +hig.gov, 1 +higeniqcleaning.com.au, 1 +higentexpo.com, 1 +higginsroofing.com.au, 1 +higgsboson.tk, 1 +high-flying.co.uk, 1 +high-ground.org, 1 +high-heels.se, 1 +high-school-atka.ga, 1 +high-solar.com, 1 +high-tech.tk, 1 +high-way.me, 1 +highaltitudearchery.com, 0 +highburycorp.com, 1 +highcalorierecipes.com, 1 +highcbdoildrops.com, 1 +highchair.tk, 1 +highdaseo.ml, 1 +highdefinitionnetworksers.ga, 1 +highdefinitionnetworksest.ga, 1 +highdensityheadache.tk, 1 +highdeserttinyhomes.com, 1 +highdonate.tk, 1 +higheducation.ml, 1 +highenergy.tk, 1 +higherairspace.eu, 1 +higherpress.org, 1 +highftp.tk, 1 +highgravityconsulting.com, 1 +highground.com, 1 +highheeltamia.com, 1 +highintegrity.tk, 1 +highinthemid80s.com, 1 +highkick.jp, 1 +highland-webcams.com, 1 +highlanddancing.tk, 1 +highlandheights-ky.gov, 1 +highlandparkcog.org, 1 +highlandpublicschool.co.in, 1 +highlandsclerkfl.gov, 1 +highlandsfl.gov, 1 +highlandsmode.nl, 1 +highlatitudestravel.com, 0 +highlevelwoodlands.com, 1 +highlightsfootball.com, 1 +highlightsfootball.net, 1 +highlnk.com, 1 +highnation.ml, 1 +highperfection.com, 1 +highperformance.ie, 1 +highplainssiding.com, 1 +highpressuretech.com, 1 +highproject.site, 1 +highproxies.com, 1 +highqappliance.com, 1 +highrank.cf, 1 +highrank.ga, 1 +highrank.tk, 1 +highship-industries.com, 1 +highsightroofing.com, 1 +highskilled.tk, 1 +highsky.ir, 1 +highspeed-arnsberg.de, 1 +highspeedinternetservices.ca, 1 +highspenfc.tk, 1 +highsprings.gov, 1 +highstage.com, 1 +highstakesdb.com, 1 +hightech.construction, 1 +hightechbrain.net, 1 +hightechone.cf, 1 +hightechreviews.ga, 1 +hightechsystems.nl, 1 +highthcahempflower.com, 1 +hightimes.com, 1 +hightop.com, 0 +highway11north.tk, 1 +highway54.tk, 1 +highway71autoparts.com, 1 +highwaytohoell.de, 1 +highwayzen.org, 1 +highworldnet.ga, 1 +higilimpmaringa.com.br, 1 +higilopocht.li, 1 +higsegeirl.com, 1 +higueras.tk, 1 +hii.or.th, 1 +hiig.edu.ee, 1 +hiitrepublic.com.au, 1 +hiiumeretuulepark.ee, 1 +hiiw.cloud, 1 +hiiw.de, 1 +hijabfashion.shop, 1 +hijyen-belgesi.com, 1 +hik-cloud.com, 1 +hikagestudios.com, 1 +hikarinet.tk, 1 +hikawa.top, 1 +hike.pics, 1 +hikeinrio.com, 1 +hiker.cool, 1 +hikerone.com, 1 +hiking-site.nl, 1 +hikingmonthlyers.ga, 1 +hikingmonthlyest.ga, 1 +hikka.ru, 1 +hikyu.it, 0 +hilahdih.cz, 1 +hilalnews.ga, 1 +hilaolu.com, 1 +hilarious.ga, 1 +hilaryhutler.com, 0 +hilarymundial.tk, 1 +hilbertwi.gov, 1 +hilde.link, 1 +hiledge.com, 1 +hilelipc.com, 0 +hilfe-bei-krebs-vechta.de, 1 +hilfikers.com, 1 +hilinecreators.tk, 1 +hill.selfip.net, 1 +hillcottagessuffolk.co.uk, 1 +hillcountryoralsurgery.com, 1 +hillcrestplumber.co.za, 1 +hillenbrand.com, 1 +hillexplorer.com, 1 +hillhiker.com, 1 +hillier-swift.co.uk, 1 +hilllodgingcompany.com, 1 +hillner.eu, 1 +hillroadgarage.tk, 1 +hills-selfstorage.co.uk, 1 +hillsandsaunders.com, 1 +hillsboroccpa.org, 1 +hillsboroughchristian.org, 1 +hillsclerk.com, 1 +hillsdalecounty.gov, 1 +hillsfarmstays.co.uk, 1 +hillshandymate.com, 1 +hillsidecustom.com, 1 +hillsphotosoc.tk, 1 +hillstohome.com, 1 +hillstrak.com.au, 1 +hillstrakwpg.com.au, 1 +hilltopcellar.com, 1 +hilltopsurgicalhospital.ga, 1 +hilnu.com, 1 +hilomrm.com, 1 +hiltonfoundation.org, 1 +hiltonhylandluxurycondos.com, 1 +hilunetan.tk, 1 +himalaja-kender.hu, 1 +himalaya-masala.at, 1 +himarijuana.tk, 1 +himawari-scanlator.tk, 1 +himawari-shika.org, 1 +himbamcky.com, 1 +himcy.ga, 1 +himens.com, 0 +himg.eu, 1 +himic.ru, 0 +himiku.com, 1 +himj.de, 1 +himmi.ru, 1 +himnosycanticos.org, 1 +himpler.com, 0 +himprom.com, 1 +hin10.com, 1 +hinaryazan.com, 1 +hinasense.jp, 1 +hinata-hidetoshi.com, 1 +hinatayamagolf.jp, 1 +hindenburgring.com, 1 +hindenburgring.de, 1 +hindibaba.tk, 1 +hindigalaxy.com, 1 +hindikibindi.tk, 1 +hindimeinjankari.com, 1 +hindimeseekhe.tk, 1 +hindimoviedownload.net, 1 +hindu-temple.tk, 1 +hinduradio.tk, 1 +hindustantimes.ml, 1 +hinduworld.tk, 1 +hindweb.tk, 1 +hingehealth.com, 0 +hingle.me, 1 +hinhanhykhoa.com, 1 +hinit.no, 1 +hinkel.tk, 1 +hinketsujyoshi-no-torisetsu.com, 1 +hinotify.io, 1 +hinsdaledental.com, 1 +hintergedanken.com, 0 +hinterposemuckel.de, 1 +hinto.com.au, 1 +hintss.pw, 0 +hinyari.net, 1 +hiob.fr, 0 +hiorth.tk, 1 +hiparish.org, 1 +hipcircles.tk, 1 +hipecompany.tk, 1 +hipeople.com.br, 1 +hiper-humor.tk, 1 +hipercultura.com, 1 +hipermenu.com, 1 +hipersuli.hu, 1 +hiphop.ren, 1 +hiphopall.tk, 1 +hiphopbolivia.tk, 1 +hiphopdates.de, 1 +hiphopfashion.tk, 1 +hipkneeortho.com.sg, 1 +hipnos.net, 1 +hipnosecriciuma.com.br, 1 +hipnosisypsicoterapia.com, 1 +hipnotista.tk, 1 +hipo.pt, 1 +hipocampo.org, 1 +hipodromcasusu.tk, 1 +hippiekiller.net, 1 +hippies.com.br, 1 +hippogriffhaven.com, 1 +hippogriffhaven.net, 1 +hippolini-herold.de, 1 +hippomovers.com, 1 +hippopotamuses.org, 1 +hips.com, 1 +hipstermamaproductions.com, 1 +hipsterpixel.co, 1 +hiptwist.tk, 1 +hipuranyhou.cz, 1 +hiq.co.za, 1 +hiq.sh, 1 +hirake55.com, 1 +hiramoto-ph.com, 1 +hiramvlgohio.gov, 1 +hirano-shikaclinic.com, 1 +hiranosayuri-piano.com, 1 +hiratake.xyz, 1 +hireabouncycastle.net, 1 +hirechrisfinazzo.com, 1 +hirecities.cf, 1 +hirecities.ml, 1 +hirecitiesers.ga, 1 +hirecitiesest.ga, 1 +hirecto.io, 1 +hireinsight.io, 1 +hirel.gq, 1 +hirepro.in, 1 +hireprofs.com, 1 +hirerecruiters.io, 1 +hireshield.com, 1 +hiresteve.ca, 1 +hirevets.gov, 1 +hirevo.eu, 1 +hirevue.com, 1 +hirewiz.tk, 1 +hirezzportal.com, 1 +hiring-process.org, 1 +hiringopps.com, 1 +hiringprocess.careers, 1 +hirisejanitorial.com, 0 +hirobbie.com, 1 +hiromi-dental.tokyo, 1 +hiromi.eu.org, 1 +hiromuogawa.com, 1 +hirorock.tk, 1 +hirosehp.jp, 1 +hiroshima-lpg-shien.jp, 1 +hirotaka.org, 1 +hirsch-lawyer.tk, 1 +hirschbergertal.de, 1 +hirschl.eu, 1 +hirtz.pm, 1 +hirtzfr.eu, 1 +hiru.top, 1 +hirumo.com, 1 +hirunet.ml, 1 +hiruthicsha.com, 1 +his.com, 1 +hisax.de, 1 +hisbrucker.net, 1 +hiseplast.com.br, 0 +hishirikka.com, 1 +hisoft.pk, 1 +hispadent.com.do, 1 +hispalazarus.tk, 1 +hispania-valencia.com, 1 +hispania.ml, 1 +hispanidad.tk, 1 +hispasat.es, 1 +hispashare.org, 1 +hispasonic.com, 1 +hispro.co, 1 +hisregistries.net, 1 +hisregistries.org, 1 +hisscentralen.se, 1 +hisscraft.se, 1 +hissgruppen.com, 1 +histalek.de, 0 +histhist.ru, 1 +histicle.com, 1 +histkult.ml, 1 +histkult.tk, 1 +histogames.com, 1 +histoire-cite.ch, 0 +histoires.tk, 1 +historia-arte.com, 1 +historiadebagua.tk, 1 +historiaeculturaguarani.org, 1 +historiarte.tk, 1 +historiasdepueblo.es, 1 +historiasyrelatos.tk, 1 +historiasztuki.tk, 1 +historicengland.org.uk, 1 +historichousesghent.be, 1 +historicizam.tk, 1 +historischehuizengent.be, 1 +history-schools.com, 1 +history-vision.tk, 1 +history.google.com, 1 +history.gov, 1 +history.pe, 1 +historymuseumsb.org, 1 +historytree.net, 1 +hit-electronics.com, 1 +hit.moe, 1 +hitchcockcountyne.gov, 1 +hitchen.net, 1 +hitchens.tk, 1 +hitchpin.com, 1 +hitchunion.org, 1 +hitech-news.ml, 1 +hitech-zone.com, 0 +hitekcomputing.net, 1 +hitekmechanical.com, 1 +hitel.tk, 1 +hiteshchandwani.com, 1 +hitflow.fr, 1 +hitflow.net, 1 +hitfm.ml, 1 +hitfm.tk, 1 +hithai.net, 1 +hitham.tk, 1 +hithouse.tk, 1 +hitiles.tk, 1 +hitimewine.net, 1 +hititgunesi-tr.com, 1 +hititleers.ga, 1 +hititleest.ga, 1 +hitkey.tk, 1 +hitleap.com, 1 +hitmaker.ga, 1 +hitmaker.tk, 1 +hitmanstat.us, 1 +hitmen.tk, 1 +hitmix.tk, 1 +hitmyheart.tk, 1 +hitn.at, 1 +hitocom.net.br, 1 +hitokoto-mania.com, 1 +hitokoto.cn, 1 +hitomecha.com, 1 +hitori-inc.com, 1 +hitpatrolers.ga, 1 +hitpatrolest.ga, 1 +hitpointer.tk, 1 +hitpt.com, 0 +hitrecord.org, 1 +hitrek.ml, 1 +hitrow-move.ga, 1 +hitrueauthentic.com, 1 +hitsk.in, 1 +hitter-lauzon.com, 1 +hitter.family, 1 +hitterfamily.com, 1 +hittop.tk, 1 +hittra.eu, 1 +hiv-symptome.de, 1 +hiv.com.tw, 1 +hiv.gov, 1 +hivaids.tk, 1 +hivatal-info.hu, 1 +hivault.cf, 1 +hive.gov, 1 +hive101.info, 1 +hivekey.eu, 1 +hivekey.io, 1 +hivelocity.net, 1 +hivemind.org, 1 +hivemindsystems.com, 1 +hiveopolis.eu, 1 +hiverlune.net, 0 +hivesigner.com, 1 +hiwannz.com, 1 +hiwebsite.tk, 1 +hiwiki.tk, 1 +hix.fi, 1 +hiyacar.co.uk, 1 +hiyuki2578.net, 1 +hizakura.nl, 1 +hizhina-hagrida.ru, 1 +hizliresim.com, 1 +hj-mosaiques.be, 1 +hj.rs, 1 +hj111777.com, 0 +hj2375.com, 0 +hj3586.com, 0 +hj3639.com, 0 +hj5386.com, 0 +hj555.cc, 1 +hj556.cc, 1 +hj6298.com, 0 +hj6929.com, 0 +hj9379.com, 1 +hj99111.com, 1 +hj99333.com, 0 +hjallboscoutkar.se, 1 +hjaltespizza.dk, 1 +hjartasmarta.se, 1 +hjbw-sterken.nl, 1 +hjdiaz.com, 1 +hjelmqvist-it.se, 1 +hjelpemiddeldatabasen.no, 1 +hjes.com.ve, 1 +hjkbm.cn, 1 +hjmag.com, 0 +hjorslev.com, 1 +hjort-froik.com, 1 +hjort.land, 1 +hjosh.com, 1 +hjoworld.tk, 1 +hjphoto.co.uk, 1 +hjtky.cn, 1 +hjyl.org, 1 +hjyl.xn--fiqs8s, 0 +hjyl1999.com, 0 +hjyl2828.com, 0 +hjyl299.com, 0 +hjyl699.com, 0 +hjyl7999.com, 0 +hjyl9898.com, 0 +hk-shuttle.net, 1 +hk.search.yahoo.com, 0 +hk130.com, 1 +hkamran.com, 1 +hkas.org.hk, 1 +hkconcept.lu, 1 +hkgix.net, 1 +hkl-gruppe.de, 1 +hkmap.co, 1 +hkmap.com, 1 +hkmap.live, 1 +hkmap.net, 1 +hkmusz.cn, 0 +hkno.it, 1 +hkoreatv.gq, 1 +hkp-usa.com, 1 +hkr.at, 1 +hks.pw, 1 +hkskhf.dk, 1 +hkspeed.com, 1 +hktech.link, 1 +hktkl.com, 1 +hktss.pp.ua, 1 +hkustmbajp.com, 1 +hkvi.nl, 1 +hl-design.co.kr, 1 +hl8id.club, 1 +hl8id.vip, 1 +hl8th.vip, 1 +hlavacek.us, 1 +hlavi.hu, 1 +hlebopekarna.com, 1 +hledejlevne.cz, 1 +hledejpravnika.cz, 1 +hlfh.space, 1 +hlg88.cc, 1 +hlidani-tornado.cz, 1 +hlinformatics.nl, 1 +hllr.xyz, 1 +hlm.wtf, 1 +hln.be, 1 +hloe0xff.ru, 1 +hlopokshop.ru, 1 +hlp.group, 1 +hlpublicidad.com, 1 +hls-tutorial.tk, 1 +hlsblog.com, 1 +hlsjgw.com, 1 +hlsmandarincentre.com, 1 +hlsquality.com, 1 +hlstory.tk, 1 +hltdos.com, 1 +hltk.fi, 1 +hltv.org.cn, 1 +hlucas.de, 1 +hlx66.cc, 1 +hlx86.cc, 1 +hly0928.com, 1 +hlz.mn, 1 +hm-notes.ru, 1 +hm.ee, 0 +hm1ch.com, 1 +hm1ch.ovh, 1 +hmarchat.tk, 1 +hmbana.org, 1 +hmcdj.cn, 1 +hmcreations.us, 1 +hme360.com, 1 +hmgym.ru, 1 +hmka.com, 0 +hmlpoc.com.br, 1 +hmnd.io, 1 +hmodapk.com, 1 +hmp.sc, 1 +hms-networks.com, 0 +hms-zentrum.de, 1 +hmshost.com, 1 +hmsotel.com, 1 +hmsplatform.tk, 1 +hmtransfer.ir, 1 +hmv.com, 1 +hn.search.yahoo.com, 0 +hn122.cc, 1 +hndmd.com, 1 +hnfertilizermachine.com, 1 +hnmd9.gq, 1 +hnn.net.br, 1 +hno-arzt-thomitzek.de, 1 +hno-norderstedt.de, 1 +hnojik.cz, 1 +hnsseed.com, 1 +hntuin.nl, 1 +hny.co, 1 +hnyp.hu, 1 +hoaas.no, 1 +hoahau.org, 1 +hoahop.tk, 1 +hoanghaiauto.vn, 1 +hoangvangioi.com, 1 +hoaphathomes.com, 1 +hoardit.ml, 1 +hoathienthao.com, 1 +hoathienthao.vn, 1 +hobartok.gov, 1 +hobbiesworld.tk, 1 +hobby-drechselei.de, 1 +hobby-lover.com, 1 +hobby4geek.com, 1 +hobbybrauer.de, 1 +hobbydo.cf, 1 +hobbydo.ga, 1 +hobbydo.gq, 1 +hobbyhorseslovakia.com, 1 +hobbyvogue.com, 1 +hobbyweeklyers.ga, 1 +hobbyweeklyest.ga, 1 +hoberg.ch, 1 +hobiliga.mk, 1 +hobindesign.com, 1 +hobo.video, 1 +hoboken.tk, 1 +hobokenpdnj.gov, 1 +hobokenrecords.tk, 1 +hobonline.tk, 1 +hobroefterskole.dk, 1 +hoc-bv.nl, 1 +hoccovua.vn, 1 +hochatown.gov, 1 +hochhaus.us, 1 +hochheimer-zeitung.de, 1 +hochimins.org, 1 +hochland.pl, 1 +hochoukikikiraku.com, 1 +hochuvrotik.cf, 1 +hochyi.com, 0 +hochzeit-ap.de, 1 +hochzeit-cm.at, 1 +hochzeit-dana-laurens.de, 1 +hochzeit-saufzeichnungen.tk, 1 +hochzeitsplaner-rodgau.de, 1 +hochzeitsplanerin-hamburg.de, 1 +hochzeitsregion.at, 1 +hochzeitstypen.de, 1 +hockey.academy, 1 +hockeyalertest.ga, 1 +hockeyapp.ch, 1 +hockeymotion.ch, 0 +hockingfamily.net, 1 +hockingfamily.nz, 1 +hockinghills.com, 1 +hockinghillscabins.com, 1 +hocoma.com.mx, 1 +hocoma.eu, 1 +hocoma.net, 1 +hocoma.org, 1 +hoctienganhgiaotiep.ga, 1 +hodeis.ga, 1 +hodes.tk, 1 +hodgeman.gov, 1 +hodgephotography.com, 1 +hodi.dk, 1 +hodi.host, 1 +hoe.re, 1 +hoegl.com, 0 +hoeheterobenjij.nl, 1 +hoejetaastrupprovsti.dk, 1 +hoelty.network, 1 +hoerbuecher-und-hoerspiele.de, 1 +hoeren.club, 1 +hoerspielbox.de, 1 +hoesnelwasik.nl, 1 +hoest.it, 1 +hoeveiligismijn.nl, 1 +hoewler.ch, 0 +hof-imbiss-lieske.de, 1 +hof-mulin.ch, 1 +hofapp.de, 1 +hofbraeu-muenchen.de, 1 +hoferdach.de, 1 +hoffmancorporation.com, 1 +hoffmanig.com, 1 +hoffmannresearch.ca, 1 +hoffmanns-ballonshop.de, 1 +hoffmeyer.me, 1 +hoffnungdeutschland.de, 1 +hofgut.net, 1 +hofiprojekt.cz, 1 +hofmannenhofmann.nl, 1 +hofmeisterkink.com, 1 +hofor.dk, 1 +hofpleinlijn.nl, 1 +hofstaetter.io, 1 +hoga.fr, 1 +hogamail.fr, 1 +hogar.gt, 1 +hoge.se, 1 +hogepad.com, 0 +hogerduinen.tk, 1 +hogeslagolst.nl, 1 +hogl.dk, 1 +hogrebe.de, 0 +hogren.cf, 1 +hogren.ga, 1 +hogren.gq, 1 +hogvorts.tk, 1 +hogwarts.io, 1 +hogwartshome.org.ua, 1 +hoh.com.sg, 1 +hohenleimbach.de, 1 +hohenpoelz.de, 1 +hohlhupe.de, 1 +hohlhupen.de, 1 +hohm.in, 1 +hohma.tk, 1 +hohnet.com, 0 +hohny.gov, 1 +hoikin.tk, 1 +hoiku-map.tokyo, 0 +hoiku-navi.com, 0 +hoing.io, 1 +hoistsdirect.com, 1 +hojalatero.tk, 1 +hojat.tk, 1 +hojoworks.com, 1 +hoka.com, 1 +hoken-okazaki.com, 1 +hoken-wakaru.jp, 1 +hokende.com, 1 +hokenselect.jp, 1 +hokioisecurity.com, 1 +hokkaido.tk, 1 +hokko.de, 1 +hokqbet88.co, 1 +hokuin.co.jp, 1 +hokung.xyz, 1 +holacannx.com, 1 +holacbdoils.com, 1 +holad.de, 1 +holadinero.es, 0 +holadinero.mx, 0 +holainternet.tk, 1 +holbrookaz.gov, 1 +holdengreene.com, 1 +holdenmaine.gov, 1 +holdenmo.gov, 1 +holderbekebvba.be, 1 +holdiers.tk, 1 +holdingcelebrations.tk, 1 +holdinghandsbrazil.com, 1 +holdmybeer.io, 0 +holdmymeme.com, 1 +holdperson.tk, 1 +holebedeljek.hu, 1 +holeboom.com, 1 +holgapanama.tk, 1 +holger-schwarze.de, 1 +holgergruenhagen.com, 1 +holgerlehner.com, 1 +holgr.com, 1 +holi-coresdaindia.com.br, 1 +holiday-home-baer.de, 1 +holidayacademy.co.uk, 1 +holidayair.net, 1 +holidaycity.org, 1 +holidayclub.tk, 1 +holidayformula.ru, 1 +holidayhomestrust.info, 1 +holidayincotswolds.co.uk, 1 +holidayland.gent, 1 +holidaylocal.ga, 1 +holidaylocalers.ga, 1 +holidaylocalest.ga, 1 +holidays-info.com, 1 +holidaytable.tk, 1 +holidaytours.tk, 1 +holine.studio, 1 +holini.com, 0 +holisticacupuncture.com.au, 1 +holisticdevelopmentagency.ml, 1 +holistichealer.in, 1 +holisticon.de, 1 +holisticwebsolutions.co.uk, 1 +holiy.jp, 1 +hollabanken.cf, 1 +holladayut.gov, 1 +holland-sailing.de, 1 +hollandco.com, 1 +hollanderclub.tk, 1 +hollandersleepproducts.com, 1 +hollandhouse.info, 1 +hollandsewolken.nl, 1 +hollandskroon.nl, 1 +hollandsweb.com, 1 +hollandwi.gov, 1 +hollermann.eu, 1 +hollingsworthpaul.com, 1 +hollinsbookstore.com, 1 +hollistermo.gov, 1 +hollisters.servepics.com, 1 +hollmann.international, 1 +hollomanfss.marketing, 1 +hollowman.ml, 1 +hollowrap.com, 1 +hollowwinds.xyz, 1 +holly.lgbt, 1 +hollybanks.net, 1 +hollybonnerdesigns.com, 1 +hollyforrest.ca, 1 +hollyforrestphotography.ca, 1 +hollyloless.com, 1 +hollyloless.net, 1 +hollyloless.org, 1 +hollyspringsfarmnac.com, 1 +hollyspringsms.gov, 1 +hollywoodbios.com, 1 +hollywoodsmilesfl.com, 1 +hollywoodstars.tk, 1 +hollyworks.com, 1 +holmenwi.gov, 1 +holmes.ie, 0 +holmeselectionsfl.gov, 1 +holmesian.org, 1 +holmeslaw.ie, 1 +holmesworkholding.co.uk, 1 +holmium-laser.ru, 0 +holmq.dk, 1 +holmqvist.tk, 1 +holo.host, 1 +holo.ovh, 1 +holocron.one, 1 +holod-servis777.tk, 1 +holofox.ru, 1 +holori.com, 1 +holostyak.tk, 1 +holowaty.me, 1 +holoxplor.space, 1 +holstein.tk, 1 +holstphoto.com, 1 +holtcountyne.gov, 1 +holtkampfinancieeladvies.nl, 0 +holtslander.ca, 1 +holtwick.de, 1 +holtwick.it, 1 +holubowski.com, 1 +holundersberg.de, 1 +holvonix.com, 1 +holychaos.tk, 1 +holycrosscatholics.org, 1 +holycrossphl.org, 1 +holycrossrockporttx.org, 1 +holycrossverobeach.org, 1 +holydevils.tk, 1 +holydragoon.jp, 1 +holydumplings.net, 1 +holyfamilyrussell.org, 1 +holyghost-church.org, 1 +holygrove.tk, 1 +holyhiphopdatabase.com, 1 +holymartyrschurch.org, 1 +holyoake.org.au, 1 +holyriders.cf, 1 +holyrosary.com.au, 1 +holyscriptur.es, 1 +holyspiritpalmyra.com, 1 +holyspiritweb.org, 1 +holyszko.com, 1 +holytransaction.com, 1 +holyubofficial.net, 1 +holywhite.com, 1 +holywr.it, 1 +holzbau-lepski.de, 1 +holzed.com, 1 +holzschutz-holzbearbeitung.de, 1 +holzspielzeug-shop.ch, 1 +holzstueckwerk.de, 1 +holzundgarten.de, 1 +homa.website, 0 +homake.cf, 1 +homatism.com, 1 +homd.xyz, 1 +home-design.bg, 1 +home-hunts.com, 1 +home-insurance-quotes.tk, 1 +home-iq.at, 1 +home-iq.cz, 1 +home-iq.fr, 1 +home-iq.it, 1 +home-iq.pl, 1 +home-iq.se, 1 +home-iq.sk, 1 +home-manicure.tk, 1 +home-ncj.com, 1 +home-page.xyz, 1 +home-portal.tk, 1 +home-remedies.tk, 1 +home-sagita.tk, 1 +home.saxo, 1 +home24bank.com, 1 +homeable.io, 1 +homeadore.com, 1 +homeadvice.ga, 1 +homeadvice.tk, 1 +homeandliving.it, 1 +homebank.kg, 1 +homebar.ml, 1 +homebasedbusinessopportunity.tk, 1 +homebattle.ga, 1 +homeblaster.ga, 1 +homebrew.tk, 1 +homebrewshop.be, 1 +homebrewworm.tk, 1 +homebuilder.tk, 1 +homebutton.tk, 1 +homecache.ga, 1 +homecareassociatespa.com, 1 +homecaring.com.au, 1 +homecaster.ga, 1 +homecatch.ga, 1 +homecharte.ga, 1 +homechase.ga, 1 +homechase.tk, 1 +homecheck.gr, 1 +homecinema-fr.com, 1 +homeclient.ga, 1 +homecollections.ga, 1 +homecoming.city, 1 +homecompost.in, 1 +homecpr.com.au, 1 +homecrawler.ga, 1 +homecreatives.net, 1 +homedecorclassic.tk, 1 +homedecorspecialists.com, 1 +homedesignabilene.tk, 1 +homedesignakron.tk, 1 +homedesignalbuquerque.tk, 1 +homedesignamarillo.tk, 1 +homedesignanaconda.tk, 1 +homedesignanchorage.tk, 1 +homedesignarlington.tk, 1 +homedesignarvada.tk, 1 +homedesignathens.tk, 1 +homedesignatlanta.tk, 1 +homedesignaugusta.tk, 1 +homedesignaustin.tk, 1 +homedesignbabbitt.tk, 1 +homedesignbakersfield.tk, 1 +homedesignbatonrouge.tk, 1 +homedesignbirmingham.tk, 1 +homedesignboise.tk, 1 +homedesignboston.tk, 1 +homedesignbouldercity.tk, 1 +homedesignbuckeye.tk, 1 +homedesignbuffalo.tk, 1 +homedesigncaliforniacity.tk, 1 +homedesigncapecoral.tk, 1 +homedesigncary.tk, 1 +homedesigncasagrande.tk, 1 +homedesignchandler.tk, 1 +homedesignchattanooga.tk, 1 +homedesignchesapeake.tk, 1 +homedesignchicago.tk, 1 +homedesigncincinnati.tk, 1 +homedesigncleveland.tk, 1 +homedesignclinton.tk, 1 +homedesignclovis.tk, 1 +homedesigncolorado.tk, 1 +homedesigncolumbus.tk, 1 +homedesigncompany.co.nz, 1 +homedesigncorona.tk, 1 +homedesigncorpuschristi.tk, 1 +homedesigncusseta.tk, 1 +homedesigndayton.tk, 1 +homedesigndesmoines.tk, 1 +homedesigndetroit.tk, 1 +homedesigndowney.tk, 1 +homedesigndurham.tk, 1 +homedesignedison.tk, 1 +homedesignedmond.tk, 1 +homedesignellsworth.tk, 1 +homedesignelpaso.tk, 1 +homedesignelreno.tk, 1 +homedesignera.tk, 1 +homedesigneugene.tk, 1 +homedesignfayetteville.tk, 1 +homedesignfontana.tk, 1 +homedesignfresno.tk, 1 +homedesignfrisco.tk, 1 +homedesigngarland.tk, 1 +homedesigngeorgetown.tk, 1 +homedesigngilbert.tk, 1 +homedesignhartford.tk, 1 +homedesignhartsville.tk, 1 +homedesignhayward.tk, 1 +homedesignirvine.tk, 1 +homedesignjacksonville.tk, 1 +homedesignjonesboro.tk, 1 +homedesignjuneau.tk, 1 +homedesignknoxville.tk, 1 +homedesignlasvegas.tk, 1 +homedesignlexington.tk, 1 +homedesignlincoln.tk, 1 +homedesignlubbock.tk, 1 +homedesignlynchburg.tk, 1 +homedesignmacon.tk, 1 +homedesignmadison.tk, 1 +homedesignmesa.tk, 1 +homedesignmiami.tk, 1 +homedesignmidland.tk, 1 +homedesignmilwaukee.tk, 1 +homedesignmobile.tk, 1 +homedesignmontgomery.tk, 1 +homedesignnews.tk, 1 +homedesignnewyork.tk, 1 +homedesignnewyorkcity.tk, 1 +homedesignnightmute.tk, 1 +homedesignnorman.tk, 1 +homedesignoakland.tk, 1 +homedesignohio.tk, 1 +homedesignomaha.tk, 1 +homedesignontario.tk, 1 +homedesignorlando.tk, 1 +homedesignoxnard.tk, 1 +homedesignpaterson.tk, 1 +homedesignpeoria.tk, 1 +homedesignphoenix.tk, 1 +homedesignplano.tk, 1 +homedesignportland.tk, 1 +homedesignraleigh.tk, 1 +homedesignrichmond.tk, 1 +homedesignsandiego.tk, 1 +homedesignsanfrancisco.tk, 1 +homedesignsantaana.tk, 1 +homedesignseattle.tk, 1 +homedesignstamford.tk, 1 +homedesigntacoma.tk, 1 +homedesigntampa.tk, 1 +homedesigntoledo.tk, 1 +homedesigntucson.tk, 1 +homedesigntulsa.tk, 1 +homedesignventura.tk, 1 +homedesignwashington.tk, 1 +homedev.cf, 1 +homedeveloper.cf, 1 +homedeveloper.ga, 1 +homedeveloper.gq, 1 +homedeveloper.ml, 1 +homedeveloper.tk, 1 +homedirectory.ml, 1 +homedizz.top, 1 +homedollar.ga, 1 +homedollars.ga, 1 +homeduck.ga, 1 +homeeagle.ga, 1 +homeehome.com, 1 +homeer.com, 1 +homeexperience.tk, 1 +homefacialpro.com, 0 +homefarmhealesville.com.au, 1 +homeflag.ga, 1 +homefolder.ga, 1 +homeforeveryone.tk, 1 +homeforfamily.tk, 1 +homeformula.ga, 1 +homeforum.tk, 1 +homegang.ga, 1 +homegardendecoration.tk, 1 +homegardengift.com, 1 +homegardeningforum.com, 1 +homegardenresort.nl, 1 +homegeo.ga, 1 +homegreenmark.com, 1 +homegreens.eu, 1 +homegrounds.co, 1 +homegrowncannabisco.com, 1 +homegun.ga, 1 +homeideasanddesigns.tk, 1 +homeimagician.com.au, 1 +homeimprovement.ga, 1 +homeimprovementinfo.tk, 1 +homeimprovementnews.tk, 1 +homeindiainfratech.com, 1 +homeinet.tk, 1 +homeinformation.tk, 1 +homeinformationpackages.com, 1 +homeinspired.tk, 1 +homeinteriorasia.tk, 1 +homeinteriorcanada.tk, 1 +homeinteriorebuild.tk, 1 +homeinterioritaly.tk, 1 +homeinteriorremodel.tk, 1 +homeinterioruk.tk, 1 +homeinteriorusa.tk, 1 +homeinvasion.tk, 1 +homeinvention.tk, 1 +homejapanese.ml, 1 +homekiss.ga, 1 +homelab.farm, 1 +homelabquotes.com, 1 +homeland.ie, 1 +homelandsecurity.gov, 1 +homelandsecurityedu.org, 1 +homeletter.ga, 1 +homelib.cf, 1 +homelion.ga, 1 +homelove.tk, 1 +homelovehome.tk, 1 +homemadetips.ga, 1 +homemadetipsers.ga, 1 +homemadetipsest.ga, 1 +homemarks.ga, 1 +homemaster-chita.ru, 1 +homematicblog.de, 1 +homemediadb.org, 1 +homemember.ga, 1 +homemessenger.ga, 1 +homen.in, 1 +homenature.tk, 1 +homenetworksecurity.eu, 1 +homenewsdesign.tk, 1 +homeniano.com, 1 +homenight.ga, 1 +homensdeouro.com.br, 1 +homenumber.ga, 1 +homeodynamics.com, 1 +homeoesp.org, 1 +homeofbeer.nl, 1 +homeofceline.tk, 1 +homeofjones.net, 1 +homeologyla.com, 1 +homeomatic.ga, 1 +homeopathie.tk, 1 +homeopathieridderspoor.nl, 1 +homeoperator.net, 1 +homeopplis.ga, 1 +homeorama.ga, 1 +homeostase.pt, 1 +homeover.ga, 1 +homeownersinsurancenv.com, 1 +homepage-nach-preis.de, 1 +homepal.cf, 1 +homepal.ga, 1 +homepal.gq, 1 +homepassport.ga, 1 +homepatch.ga, 1 +homephonelookup.tk, 1 +homeprivate.de, 1 +homeprivate.net, 1 +homepropertyera.tk, 1 +homepropertyinfo.tk, 1 +homepropertynews.tk, 1 +homepropertyunique.tk, 1 +homepropertyworld.tk, 1 +homeprotech.com, 1 +homequality.tk, 1 +homerail.ga, 1 +homerally.ga, 1 +homerecording.com, 1 +homerepairsideas.tk, 1 +homerequest.ga, 1 +homerex.ga, 1 +homero.tk, 1 +homesbyayres.com, 1 +homeschoolinkorea.tk, 1 +homesconnect.com, 1 +homeseguridad.com, 1 +homeseller.com, 1 +homeserve.es, 1 +homeserver-kp.de, 1 +homesforaustralia.ga, 1 +homesfordinner.ca, 1 +homeshow.ml, 1 +homeshowoff.com, 1 +homesonic.ga, 1 +homesport.es, 1 +homespunhouse.tk, 1 +homespure.com, 1 +homestamp.ga, 1 +homestead-honey.com, 1 +homesteadfarm.org, 1 +homesteadserver.cloud, 1 +homesteadtwpmi.gov, 1 +homestick.ga, 1 +homestreaming.ga, 1 +homestuck.ml, 1 +homesugar.ga, 1 +homesuite.tk, 1 +homesweethouse.tk, 1 +hometeenorgy.com, 1 +hometown.ml, 1 +hometrust.ca, 0 +hometunnel.de, 0 +homeunder.ga, 1 +homeunion.tk, 1 +homeview.ga, 1 +homevisual.ga, 1 +homewatt.co.uk, 1 +homewebnews.tk, 1 +homewidget.ga, 1 +homewinner.ga, 1 +homewish.ga, 1 +homewood.com, 1 +homeworkacers.com, 1 +homeworksuite.com, 1 +homeworld.ga, 1 +homeyou.com, 1 +homeyx.cf, 1 +homezlog.com, 1 +homitov.tk, 1 +hommecontemporain.org, 1 +homnest.fr, 0 +homo.ga, 1 +homofo.tk, 1 +homoglyph.net, 1 +homointerneticus.tk, 1 +homokfuvo.com, 1 +homoo.social, 1 +homophobia.tk, 1 +homophones.ml, 1 +homowank.com, 1 +hompimpaa.id, 1 +hompus.nl, 0 +homs.design, 1 +homunyan.com, 1 +homyak.gq, 1 +homyhomee.com, 1 +homyremedies.com, 1 +honaragah.com, 1 +honbin.tw, 1 +honda2wheelersindia.com, 1 +honda2wheelersindia.in, 1 +hondaactivindia.com, 1 +hondaarabia.com, 1 +hondacustomerserviceexperience.com, 1 +hondadigitalevent.com, 1 +hondago-bikerental.jp, 1 +hondainamerica.com, 1 +hondaindiafoundation.org, 1 +hondapartsnow.com, 1 +hondapowerproducts.ph, 1 +hondasancarlos.com, 1 +hondaswap.com, 1 +hondengedragscentrumfriesland.nl, 1 +hondensnacks.shop, 1 +hondudiario.tk, 1 +honest.ga, 1 +honestblogers.ga, 1 +honestblogest.ga, 1 +honestworknmoney.tk, 1 +honesty.com.pl, 1 +honey-whale.com, 1 +honey.beer, 1 +honeybhealthyliving.com, 1 +honeybrooklibrary.org, 1 +honeycomb.io, 1 +honeycombcreative.com, 1 +honeycome-recruit.com, 0 +honeycreeper.com, 1 +honeycrypt.com, 1 +honeyfact.com, 1 +honeygirl.tk, 1 +honeyspot.de, 1 +honeysucklewhite.com, 1 +honeytracks.com, 1 +honeyuniversity.net, 1 +honeyxlips.com, 1 +hong.com.br, 1 +hong.io, 1 +hongbomiao.com, 1 +honghan.tw, 1 +hongjun.li, 1 +hongki.tk, 1 +hongkongliberate.com, 1 +hongkongwillwin.com, 1 +hongnguyen.tk, 1 +hongo-ganka.com, 1 +hongocha.tk, 1 +hongorw.tk, 1 +hongosdemexico.tk, 1 +honguyensy.tk, 1 +hongyun-rent.com, 1 +honigconte.com, 1 +honigkuchenpferdeher.de, 1 +honkai.sr, 1 +honkhonk.net, 1 +honkion.net, 1 +honnedechuju.com, 1 +honoka-seitai.jp, 1 +honolulubws.gov, 1 +honovere.de, 1 +hontint.com, 1 +hontoir.eu, 1 +honzakulig.com, 1 +hoo.lt, 1 +hooapp.lt, 1 +hood-epc.xyz, 1 +hoodiessouthafrica.com, 1 +hoodoo.io, 1 +hoodoo.tech, 1 +hoodrivercounty.gov, 1 +hoodsite.com, 1 +hoofdredacteuren.nl, 1 +hoofexplorer.com, 1 +hoofexplorer.de, 1 +hoogdam.tk, 1 +hoogeveen.nl, 0 +hooghiemstrazelf.nl, 1 +hoogstraatseschaakclub.tk, 1 +hoogveen.tk, 1 +hookagency.com, 1 +hookah-uae.com, 1 +hookahfoil.ru, 1 +hookandloom.com, 1 +hookbin.com, 1 +hookedoncraftswaterford.ie, 1 +hookercountyne.gov, 1 +hookshotdesign.com, 1 +hoolibit.com, 1 +hooliganka.tk, 1 +hooliganz.tk, 1 +hoon.tk, 1 +hoooc.com, 1 +hoop.la, 1 +hooperlabs.xyz, 1 +hoopertechnicalsolutions.com, 1 +hooprelief.tk, 1 +hoopweb.org, 1 +hooray.beer, 1 +hoorig.de, 1 +hoorr.com, 1 +hoos.cf, 1 +hoosa.de, 1 +hooshop.lt, 1 +hootv.lt, 1 +hootworld.net, 0 +hoovism.com, 1 +hop-ict.nl, 1 +hop.exchange, 1 +hope.com, 1 +hopeandhealing.cz, 1 +hopeforlorn.tk, 1 +hopefultexas.com, 1 +hopeland.com.br, 1 +hopemeet.info, 1 +hopemeet.me, 1 +hopepartnershipproject.com, 1 +hopesanddreams.org.uk, 1 +hopeworld.pro, 1 +hopf.de, 1 +hopglass.eu, 1 +hopglass.net, 1 +hopi.com.tr, 1 +hopict.nl, 1 +hopital-tarascon09.fr, 1 +hopitaux-ariege.fr, 1 +hopkintonpolice-ri.gov, 1 +hopkintonri.gov, 1 +hoplongtech.com, 1 +hopo.design, 1 +hoponmedia.de, 1 +hops-and-ashes.de, 1 +hopscotch.cz, 1 +hopscotchmodel.com, 1 +hor.rent, 1 +hor.website, 1 +horablanquiazul.tk, 1 +horaceli.com, 1 +horaciolopez.pro, 1 +horackova.info, 1 +horaenpunto.com, 1 +horairetrain.ch, 1 +horairetrain.fr, 1 +horairetrain.lu, 1 +horairetrain.nl, 1 +horamesianica.tk, 1 +horcajadadelatorre.tk, 1 +horclan.tk, 1 +hord.ca, 1 +horde-entertainment.tk, 1 +horecatiger.eu, 1 +horeco.com, 1 +horgenberg.com, 1 +horiconwi.gov, 1 +horikawa-cement.co.jp, 1 +horionimoveis.com.br, 1 +horizon.ne.jp, 1 +horizonlawncare.tk, 1 +horizonmail.ga, 1 +horizonpainting.ca, 1 +horizonshypnosis.ca, 0 +horizonsmilestx.com, 1 +horizonsocial.media, 1 +horizontalsystems.io, 1 +horizonveterinaryservices.com, 1 +horkel.cf, 1 +horkel.tk, 1 +hormet.tk, 1 +hormigonimpreso.biz, 1 +hormonetrackerers.ga, 1 +hormonetrackerest.ga, 1 +horn.co, 1 +hornbach-holding.de, 1 +hornblower.tk, 1 +hornburg.io, 1 +horne.com, 1 +hornet.pl, 1 +hornetsecurity.com, 1 +horneytownbrewing.com, 1 +horngyihyangped.com.tw, 1 +horntec.at, 1 +hornwiesen-grundschule.de, 1 +horny-gay-dragons.com, 1 +hornyaf.com, 1 +hornybank.com, 1 +hornyforhanzo.com, 1 +hornyhostel.com, 1 +horoca.net, 1 +horochx.org, 0 +horodance.dk, 1 +horoscope-sound-healing.com, 1 +horoscopimages.tk, 1 +horoscopist.com, 1 +horoscopo.ml, 1 +horotoday.tk, 1 +horovod.im, 1 +horozo.com, 1 +horrell.ca, 1 +horrendous-servers.com, 1 +horror-forum.de, 1 +horrordor.eu.org, 1 +horrordor.tk, 1 +horrorfreaks.tk, 1 +horrormovies.gr, 1 +horrorserv.com, 1 +horrycountysc.gov, 1 +hors.coffee, 1 +horsa.cc, 1 +horsa.io, 1 +horsa.xyz, 1 +horsebreeding.cf, 1 +horsebreeding.ga, 1 +horsebreeding.gq, 1 +horsebreeding.tk, 1 +horsegateway.com, 1 +horsehead.tk, 1 +horsehunter.co.uk, 1 +horsellscouts.org.uk, 1 +horsellscoutsandguides.com, 1 +horsemanshipdentistry.com, 1 +horsemanshipdentistryschool.com, 1 +horseplanet.tk, 1 +horsewithnoname.com, 1 +horsgroup.com, 1 +horsky.me, 1 +horstfuchs.tk, 1 +horstmanshof.eu, 1 +horstmanshof.nl, 1 +hortencollection.com, 1 +hortico.rs, 1 +horton-brasses.com, 1 +horus.com.br, 1 +horusrc.com, 1 +horvat.tk, 1 +horvath.ooo, 1 +horvathd.eu, 1 +horvatia.tk, 1 +horvatnyelvkonyv.hu, 1 +hory.me, 1 +horza.org, 1 +hosch.co.nz, 1 +hose.ga, 1 +hosentaschenblog.org, 1 +hoshi-sr.com, 1 +hoshimaq.com.br, 1 +hoshimaquinas.com.br, 1 +hoshinplan.com, 1 +hosiery.tk, 1 +hosieryexpoers.ga, 1 +hosieryexpoest.ga, 1 +hosifuri.net, 1 +hosimiyasio.com, 0 +hosoi-tax.com, 1 +hospiceandcommunitycare.com, 1 +hospiceandcommunitycare.net, 1 +hospiceandcommunitycare.org, 1 +hospicecommunity.net, 1 +hospicecommunity.org, 1 +hospiceconnect.org, 1 +hospicelights.org, 1 +hospiceoflancaster.com, 1 +hospiceoflancaster.org, 1 +hospicepathofremembrance.org, 1 +hospiceprofessional.org, 1 +hospicespringfling.org, 1 +hospicewebsite.org, 1 +hospicewise.org, 1 +hospimedia.fr, 1 +hospitalcmq.com, 1 +hospitalcruzvermelha.pt, 1 +hospitaldaluz.pt, 1 +hospitaldebarcelona.cat, 1 +hospitaldelaconcepcion.com, 1 +hospitality-colleges.com, 1 +hospitalsanjuandedios.es, 1 +hospitalsineachstate.com, 1 +hospitalviladaserra.com.br, 1 +hossi.pro, 0 +hossien.tk, 1 +host-heberg.com, 1 +host-morezar.ml, 1 +host-stage.net, 1 +host.ax, 1 +host.com.tw, 1 +host1oc.eu.org, 1 +host24.com.pk, 1 +hostadvice.com, 1 +hostalk.net, 1 +hostalsanmarcos.tk, 1 +hostarea51.com, 1 +hostathome.fr, 1 +hostaz.net, 1 +hostbility.com, 1 +hostboxonline.com, 1 +hostcloud.ml, 1 +hostcoz.com, 1 +hostcsr.com, 1 +hostdaddyhn.com, 1 +hostdns.com, 1 +hosteasy.nl, 0 +hosted-power.com, 1 +hostedcomments.com, 1 +hosteddatabase.in, 1 +hostedghost.eu, 1 +hostedghost.net, 1 +hostedghost.nl, 1 +hostedghost.org, 1 +hostedtalkgadget.google.com, 1 +hostelacion.com, 1 +hostelaciones.com, 1 +hosteleriauno.es, 1 +hostelio.com, 1 +hostelxaxid.si, 1 +hosteons.com, 1 +hostesstrainingers.ga, 1 +hostesstrainingest.ga, 1 +hostfact.nl, 1 +hostfission.com, 1 +hostfree12.tk, 1 +hostgreet.com, 1 +hosthum.com, 1 +hostiberi.com, 1 +hostidn.com, 1 +hostido.net.pl, 1 +hostiko.com.ua, 1 +hosting-fast.com, 1 +hosting-rus.tk, 1 +hosting-swiss.ch, 1 +hosting.co.jp, 1 +hostingactive.it, 0 +hostingalternative.com, 0 +hostingdesignweb.com, 0 +hostingdiario.com, 1 +hostingdirect.nl, 1 +hostingdirectory.ga, 1 +hostingedominio.com, 1 +hostingelite.tk, 1 +hostingfirst.nl, 1 +hostingforyou.online, 1 +hostinghaus.tk, 1 +hostinghelp.guru, 1 +hostinginnederland.nl, 1 +hostingmedia.cl, 1 +hostingorservers.com, 1 +hostingphp.ch, 1 +hostingsolutions.cz, 1 +hostingsupremo.com, 1 +hostingsvizzera.com, 1 +hostingtg.com, 1 +hostingtipps.eu, 1 +hostingweb.pe, 1 +hostinkos.com, 1 +hostinvest.tk, 1 +hostitforcheap.com, 1 +hostix.de, 1 +hostixo.com, 1 +hostker.com, 1 +hostker.net, 1 +hostlev.com, 1 +hostma.ma, 1 +hostmijnpagina.nl, 1 +hostmodern.com.au, 1 +hostmore.com.br, 1 +hostonssd.ga, 1 +hostpoint-static.ch, 1 +hostpoint.ch, 1 +hostprior.ro, 1 +hostreputation.com, 1 +hostripples.com, 1 +hostripples.in, 1 +hosts.cf, 0 +hostsall.com, 1 +hostup.se, 0 +hostux.network, 1 +hostwella.com, 1 +hostwinds.com, 1 +hosuronline.com, 1 +hosuto.nl, 1 +hot-and-new.gr, 1 +hot-games.gq, 1 +hot-models.tk, 1 +hot-sex-photos.com, 1 +hot-spa.ch, 0 +hot.in.th, 1 +hot101fm.tk, 1 +hotaircoldlove.tk, 1 +hotaru.tk, 1 +hotbabe.ml, 1 +hotbabesplus.com, 1 +hotbeats.tk, 1 +hotbella.net, 1 +hotblondepussy.com, 1 +hotbox.fun, 1 +hotbustymoms.com, 1 +hotcamsreview.com, 1 +hotcandlestick.com, 1 +hotcars.com, 1 +hotchillibox.co.za, 1 +hotchillibox.com, 1 +hotcoder.tk, 1 +hotcursosrio.com.br, 1 +hotdates18.dk, 1 +hotdates18.fi, 1 +hotdishes.tk, 1 +hotdoc.com.au, 1 +hotdogscoolcats.net, 1 +hotdogwheel.tk, 1 +hotdresses.ga, 1 +hote-inox.ro, 1 +hotearth.de, 1 +hotebonytube.com, 1 +hotel-4-stelle.it, 1 +hotel-altabadia.com, 1 +hotel-arabba.net, 1 +hotel-aubrac.fr, 1 +hotel-bella-muerte.tk, 1 +hotel-bolzano.org, 1 +hotel-bruneck.net, 1 +hotel-brunico.net, 1 +hotel-du-parc-allevard.fr, 1 +hotel-fleuralp.it, 1 +hotel-garni-letizia.it, 1 +hotel-gruenwald.it, 1 +hotel-kontorhaus.de, 1 +hotel-kornwestheim.de, 1 +hotel-kronjuwel.de, 1 +hotel-kyiv.com.ua, 1 +hotel-le-vaisseau.ch, 0 +hotel-leda.com, 1 +hotel-navis.hr, 1 +hotel-promyk.pl, 1 +hotel-rosner.at, 1 +hotel-rosskopf.it, 1 +hotel-selva-gardena.net, 1 +hotel-valgardena.net, 1 +hotel-vipiteno.net, 1 +hotel-vivendi.de, 1 +hotel-waldheim.eu, 1 +hotel-wartburg-stuttgart.de, 1 +hotelalpino.com, 1 +hotelandplace.com, 1 +hotelarevalo.com, 1 +hotelastor.com, 1 +hotelbird.com, 1 +hotelbiz.cf, 1 +hotelbiz.ga, 1 +hotelbiz.gq, 1 +hotelbretagne.dk, 1 +hotelconsulado.com.br, 1 +hotelcorporate.codes, 1 +hotelcorporatecodes.com, 1 +hoteldahu.it, 1 +hoteldel.com, 1 +hoteldimorae.it, 1 +hoteldvorik.ml, 1 +hotelelaphusabrac.com, 1 +hoteleldhestar.is, 1 +hotelesterobeach.com, 1 +hotelfloresta.tk, 1 +hotelfloridachaco.com, 1 +hotelflow.com.br, 1 +hotelgodisa.com, 1 +hotelident.de, 1 +hoteliers.com, 1 +hotelitalia.tk, 1 +hotelite.tk, 1 +hotelkeihan.co.jp, 1 +hotellalucciola.net, 1 +hotellamm.it, 1 +hotellaserenella.it, 1 +hotelmap.com, 1 +hotelmariasas.it, 1 +hotelmarinaadria.com, 1 +hotelmelograno.eu, 1 +hotelmonal.in, 1 +hotelnagarkotparadise.tk, 1 +hotelplazataranto.com, 1 +hotelponcowinatan.com, 1 +hotelpromo.codes, 1 +hotelreis.com.br, 1 +hotelriviera.co.uk, 1 +hotels-insolites.com, 1 +hotels-resorts-in-crimea.tk, 1 +hotels3d.com, 1 +hotels4teams.com, 1 +hotelsalzberg.ga, 1 +hotelsalzberg.gq, 1 +hotelsalzberg.ml, 1 +hotelsantalibera.tk, 1 +hotelsfares.com, 1 +hotelsinbuxton.com, 1 +hotelsinformer.com, 1 +hotelsingaporeairport.com, 1 +hotelsinncoventry.com, 1 +hotelsonline.tk, 1 +hotelsrejber.cz, 1 +hotelsrit.tk, 1 +hotelsthisweekend.com, 1 +hotelsvetaekaterina.com, 1 +hotelv.com, 1 +hotelvalena.com, 1 +hotelvisegrad.hu, 1 +hotelzapse-aurora.tk, 1 +hotesb.net, 1 +hotfiesta.ml, 1 +hotgirl.tv, 1 +hotglue.me, 1 +hothag.com, 1 +hothardware.com, 1 +hothbricks.com, 0 +hotheart.ru, 1 +hothub.net, 1 +hotiii.ga, 1 +hotiks.tk, 1 +hotjasmingirls.com, 1 +hotlinenum.com, 1 +hotlinetohell.cf, 1 +hotlog.tk, 1 +hotmail, 1 +hotmango.tk, 1 +hotmann.de, 1 +hotmart.com, 1 +hotmilfphotos.com, 1 +hotmom.tv, 1 +hotmomsvideos.com, 1 +hotmovies.com, 1 +hotmoviesforher.com, 1 +hotnews-today.com, 1 +hotnewsnl.tk, 1 +hotnow.live, 1 +hotnudeteen.com, 1 +hoto.us, 1 +hoton.in, 1 +hotornot.com, 1 +hotperiscope.tk, 1 +hotpinkbraces.com, 1 +hotplate.co.nz, 1 +hotpmo.com, 1 +hotpopky.cf, 1 +hotpornfilms.com, 1 +hotporngirl.com, 1 +hotporntubes.com, 1 +hotpornvideos.tv, 1 +hotproxy.gq, 1 +hotpussypics.com, 1 +hotpussytube.com, 1 +hotrender.com, 1 +hotroviettel.vn, 1 +hotrowordpress.com, 0 +hotschneckchen.net, 1 +hotscripting.tk, 1 +hotsex.tv, 1 +hotsexvids.net, 1 +hotsexxxcams.com, 1 +hotshira.com, 1 +hotshotsleeves.com, 1 +hotsmi.cf, 1 +hotsoft.com.br, 1 +hotsolarsolutions.com, 1 +hotspot.cl, 1 +hotspotshield.com, 1 +hotspringsar.gov, 1 +hotsvenja.com, 1 +hottaro.com, 1 +hottchic.com, 1 +hottestguyoftech.com, 1 +hottestwebcamgirls.org, 1 +hottheme.net, 1 +hottie.at, 1 +hotting.nl, 1 +hottoys.tk, 1 +hotvehs.com, 1 +hotwaterspecialist.com.au, 1 +hotwifer.com, 1 +hotyoyo.ga, 1 +hotzheipoe.com, 1 +houdah.com, 1 +houdenvanhonden.nl, 1 +houhuayuan.com, 1 +houlang.ac.cn, 1 +houldsworthmill.com, 1 +hourai.gg, 1 +houraiteahouse.net, 1 +hourlyearning.tk, 1 +hourlyringtonesers.ga, 1 +hourlyringtonesest.ga, 1 +hoursofoperation.biz, 1 +hourspent.com, 1 +house-cleaning-howtos.com, 1 +house-sparrow.com, 1 +houseandgarden.co.uk, 1 +houseareacanada.tk, 1 +houseareaitaly.tk, 1 +housebar.tk, 1 +housecarty.com, 1 +housedesigninfo.tk, 1 +housedesignnews.tk, 1 +houseepropiedadraiz.com, 1 +houseforce.biz, 1 +household-appliances.tk, 1 +householdheroes.com.au, 1 +householdjournalers.ga, 1 +householdjournalest.ga, 1 +householdofmercy.org, 1 +houseinfonews.tk, 1 +housekeep.com, 1 +housekeeperlondon.co.uk, 1 +houselocal.co.uk, 1 +housemart.company, 1 +housemates.uk.com, 1 +housemouse.tk, 1 +houseofaceonline.com, 1 +houseofhipsters.com, 1 +houseofmusic.co.uk, 1 +houseofpertijs.com, 1 +houseofpheromones.com, 1 +houseoftutors.co.uk, 1 +houseofyee.com, 1 +houseplant.tk, 1 +houser.lu, 1 +houseracko.com, 1 +houseremodels.tk, 1 +houseroxrecords.com, 1 +housese.at, 1 +houseshop.biz, 1 +housesmartdecore.tk, 1 +housesumo.com, 1 +housetories.com, 1 +housevertising.nl, 1 +housing.com, 1 +housingauctions.net, 1 +housingcenter.com, 1 +housinglincolncountyor.gov, 1 +housingloan.jp, 1 +housingokc.gov, 1 +housten.com, 1 +houston-building-maintenance.com, 1 +houston-probate-law.com, 1 +houstonaudubon.org, 1 +houstonauthorizedrepair.com, 1 +houstonbestmaidservice.com, 1 +houstoncenterforvaluedliving.com, 1 +houstoncosoal.gov, 1 +houstoncountyal.gov, 1 +houstongaragedoorsrepair.com, 1 +houstonhomerevival.com, 1 +houstonhughes.tk, 1 +houstonjetcharter.com, 1 +houstonlake.gov, 1 +houstonlockout.com, 1 +houstonmethodist.org, 1 +houstonproperties.com, 1 +houtar.eu.org, 1 +houthandelbunskoek.nl, 1 +houthandeljacobs.nl, 1 +houtinee.com, 1 +hovala.tk, 1 +hovelaar.nl, 1 +hoverboardbarato.com, 1 +hovia.com, 1 +hovset.net, 1 +how-to-build-computer.tk, 1 +how-to-simply.com, 1 +how-to-write-a-book.cf, 1 +how-to-write-a-book.ga, 1 +how-to-write-a-book.gq, 1 +how-to-write-a-book.ml, 1 +how2dev.tools, 1 +how2smart.com, 1 +howa-n.net, 0 +howandroidhelp.com, 1 +howandwhys.com, 1 +howardchippewawi.gov, 1 +howardcounty-mo.gov, 1 +howardcountyne.gov, 1 +howardcountysheriffmo.gov, 1 +howardhannava.com, 1 +howardkaplanbooks.com, 1 +howardscholars.org, 1 +howardsgrovewi.gov, 1 +howardshaw.com, 1 +howarh.com, 0 +howdo.nl, 1 +howdoesmycode.work, 1 +howdoyousaythis.com, 1 +howdybikes.com, 1 +howellaccounts.co.uk, 1 +howellcountymo911.gov, 1 +howellpolicenj.gov, 1 +howesky.com, 1 +howgoodwasmysex.com, 1 +howieisawesome.com, 1 +howlers.tk, 1 +howlinhawk.tk, 1 +howlonghaswilliambeenwaitingforhislicence.uk, 1 +howmanymilesfrom.com, 1 +howmanypeoplearethereinthe.world, 1 +howmanypeoplearethereintheworld.com, 0 +howmuch.cf, 1 +howmuch.ga, 1 +howoldisjava8.today, 1 +howoldistheinter.net, 1 +howonce.cn, 1 +howonce.com.cn, 1 +howonce.net, 1 +howonce.org, 1 +howopen.net, 1 +howpchub.com, 1 +howsecureismypassword.net, 1 +howsmyssl.com, 1 +howsmytls.com, 1 +howto-connect.com, 1 +howto-outlook.com, 1 +howtobehealthy.tk, 1 +howtoboy.com, 1 +howtodesignwebsite.com, 1 +howtofixwindows.com, 1 +howtofreelance.com, 1 +howtogeek.com, 1 +howtogeekpro.com, 1 +howtogosolar.org, 0 +howtohomepage.tk, 1 +howtohow.org, 1 +howtoinstall.co, 1 +howtomakefriends.tk, 1 +howtomanagedevices.com, 1 +howtomediacenter.com, 1 +howtomovetheneedle.com, 1 +howtoplayguitarlikeapro.com, 1 +howtopreventvulnerabilities.com, 1 +howtorunfasterandlonger.com, 1 +howtoslapsomeonethroughtheinternet.com, 1 +howtostopsnoring.tk, 1 +howtoteachviolin.com, 1 +howtotech.com, 1 +howtotech.de, 1 +howtrainyourdog.ml, 1 +howtutu.click, 1 +howtutu.com, 1 +howtutu.email, 1 +howtutu.eu, 1 +howtutu.info, 1 +howtutu.link, 1 +howtutu.net, 1 +howtutu.org, 1 +howtutu.social, 1 +howudoin.tk, 1 +howunadeydoam.ng, 1 +howwhy.tw, 1 +hoxo.fr, 1 +hoychivilcoy.tk, 1 +hoyenapple.com, 1 +hoyerfamilysaffron.com, 1 +hoyosdelespino.tk, 1 +hoz-pack.com.ua, 1 +hozana.si, 0 +hozinga.de, 1 +hozio.com, 1 +hozio.net, 1 +hozkomurcu.com, 1 +hozonshoku.com, 1 +hp-67.com, 1 +hp-lexicon.org, 1 +hp42.de, 1 +hpac-portal.com, 1 +hpage.com, 1 +hpbn.co, 1 +hpc.mil, 1 +hpccsystems.com, 0 +hpeditor.tk, 1 +hpfxd.com, 1 +hphp.ga, 1 +hpic.net, 1 +hpisavageforum.com, 1 +hpk.edu.ee, 1 +hpkp-faq.de, 1 +hplace.com.br, 1 +hpm.pt, 1 +hpneo-conseil.com, 1 +hpruehl.de, 1 +hpsdigital.hu, 1 +hpsldc.com, 1 +hpsq.io, 1 +hpv-info.ee, 1 +hpvtimmerwerken.nl, 1 +hq.marketing, 1 +hq77.ru, 1 +hqblog.cn, 0 +hqproductreviews.com, 1 +hqsy.net, 1 +hqteas.com, 1 +hqtrannytube.com, 1 +hqwebhosting.tk, 0 +hqy.moe, 1 +hqy2000.com, 1 +hr-automation.eu, 1 +hr-books.shop, 1 +hr-clan.tk, 1 +hr-nielsen.tk, 1 +hr-praemien-santander.de, 1 +hr-tech.shop, 1 +hr-toys.shop, 1 +hr98.tk, 1 +hrabogados.com, 1 +hraesvelg.net, 1 +hrafnkellbaldurs.com, 1 +hrafnsholl.is, 1 +hrajhry.sk, 1 +hrajme.tk, 1 +hranicka.cz, 1 +hravatar.com, 1 +hrbanen.nl, 1 +hrbatypes.cz, 1 +hrblnrdx.org.cn, 1 +hrbrt.co, 1 +hrbrt.nl, 0 +hrcdn.net, 1 +hrcigroup.com, 1 +hrcrew.com.au, 1 +hrd-sec.com, 1 +hrd.pl, 1 +hrdns.de, 1 +hreflang.info, 1 +hrejterzy.com, 1 +hrgt.eu, 1 +hristijanspirovski.tk, 1 +hristos.com, 1 +hriveralaw.com, 1 +hrjfeedstock.org, 1 +hrjob.ml, 1 +hrjob.tk, 1 +hrk.aero, 1 +hrka.cc, 0 +hrkfamilylaw.com, 1 +hrknuddel.de, 1 +hrlab.de, 1 +hrlive.ga, 1 +hrmafia.ga, 1 +hrmcms.com, 1 +hrmg.agency, 1 +hrmny.sh, 1 +hrndz.io, 1 +hrnk.org, 1 +hro.to, 1 +hrobert.hu, 1 +hroc.co.uk, 1 +hrodna.life, 1 +hroling.nl, 1 +hromaticworld.tk, 1 +hroschyk.cz, 1 +hrpage.ml, 1 +hrprofessionals.tk, 1 +hrreporter.com, 1 +hrsa.gov, 1 +hrseoservice.com, 1 +hrsourav.info, 1 +hrstapps-dev.com, 1 +hrtechnologypro.cf, 1 +hrtpova.gov, 1 +hru.gov, 1 +hrumka.net, 1 +hrw66.cc, 1 +hrwsba.gov, 1 +hrxkauppa.fi, 1 +hryniewski.net, 1 +hryx.net, 1 +hrzblt.eu, 1 +hs-flensburg.de, 1 +hs-group.net, 1 +hs-hire.co.uk, 1 +hs7imports.com.br, 1 +hsappstatic.net, 1 +hsasearch.com, 1 +hsbc-zertifikate.de, 1 +hsbs.com.sg, 1 +hsbuild.com, 1 +hsc.com.vn, 1 +hsc.gd.cn, 1 +hschen.top, 0 +hscomposites.co.nz, 1 +hse-dev.com, 1 +hse-online.com, 1 +hse-reglementaire.com, 1 +hselectricalservices.com, 1 +hsex.tv, 0 +hsg-lumdatal.de, 1 +hsgms.de, 1 +hshnetwork.net, 1 +hsi.health, 1 +hsivonen.com, 1 +hsivonen.fi, 1 +hsivonen.iki.fi, 1 +hsjdzaragoza.es, 1 +hskernel.com, 1 +hskin.top, 1 +hskprep.com, 1 +hsm-eldesafio.tk, 1 +hsmithsmithfield.co.uk, 1 +hsmr.cc, 1 +hsn-tsn.com, 1 +hsn.com, 1 +hsog.tk, 1 +hsprotection.net, 1 +hsr.gov, 1 +hsreformas.es, 1 +hsselite.com, 1 +hst.tc, 1 +hstoyanov.com, 1 +hsts-preload-test.xyz, 1 +hsts.eu, 1 +hsts.eu.org, 1 +hsts.me, 1 +hsts.ovh, 1 +hstsbadnosniff.com, 1 +hstspreload.appspot.com, 1 +hstspreload.com, 1 +hstspreload.de, 1 +hstspreload.me, 1 +hstspreload.org, 1 +hstudio.tk, 1 +hsturan.com, 1 +hsutilitiesms.gov, 1 +hszemi.de, 1 +ht.mk, 1 +htaccessbook.com, 1 +htaps.com, 1 +htb-email.co, 1 +htb-email.com, 1 +htb-email.uk.com, 1 +htb.click, 1 +htb.co.uk, 1 +htbap.net, 1 +htbemail.co, 1 +htbemail.co.uk, 1 +htbemail.com, 1 +htbemail.net, 1 +htbemail.org, 1 +htbplc.co.uk, 1 +htcclan.tk, 1 +htdcomputer.vn, 1 +hte.ovh, 1 +hti.digital, 1 +htikeagkyaw.com, 1 +htl-anmeldung.at, 1 +htl.wiki, 1 +htlball.at, 1 +htljobs.at, 1 +htm-partners.com, 1 +htmag.co.il, 1 +htmanager.fr, 1 +htmdom.com, 1 +html-builder.tk, 1 +html-code-generator.com, 1 +html-css.tk, 1 +html5.org, 1 +htmlacademy.ru, 1 +htmlandcss.tk, 1 +htmlcssphp.ga, 1 +htmlcssphp.gq, 1 +htmlcssphp.ml, 1 +htmlcssphp.tk, 1 +htmlnet.tk, 1 +htmltemplated.com, 1 +htmlvalidator.com, 1 +htmlweb.ml, 1 +htmlyse.com, 1 +htmue.org, 1 +htp2.top, 1 +htt.pe, 1 +http.codes, 1 +http.dog, 1 +http.garden, 1 +http.gs, 1 +http.pizza, 1 +http2.com.cn, 1 +http2.eu, 1 +http2.pro, 1 +http3-hosting.de, 1 +http3.ch, 1 +http3.info, 1 +http3.pro, 1 +http418.org, 1 +httpcats.com, 1 +httpd.gq, 1 +httpducks.com, 1 +httpgoats.com, 1 +httpguides.com, 1 +https-rulesets.org, 1 +https.com.tw, 1 +https.dk, 1 +https.gs, 1 +https.jetzt, 1 +httpsalarm.com, 1 +httpsarnemergan.ml, 1 +httpsecured.net, 1 +httpsecurityreport.com, 1 +httpsiseasy.com, 1 +httpsispisseasy.com, 1 +httpsnow.com, 1 +httpsnow.org, 1 +httpstaak.tk, 1 +httpstest.eu, 1 +httpstest.nl, 1 +httpswatch.ca, 1 +httpswatch.eu, 1 +httpswatch.nl, 1 +htvoutlet.com, 1 +htxnet.biz, 1 +htzopremasrbija.co.rs, 1 +hu-1xbet.com, 1 +hu-a-u.com, 1 +hu.search.yahoo.com, 0 +hua-in.net, 1 +huabianwa.com, 0 +huachuang.com, 1 +huagati.com, 1 +huang.nu, 1 +huangban.org.cn, 1 +huangguancq.com, 1 +huangh.com, 1 +huangjia71.com, 1 +huangjia72.com, 1 +huangjia73.com, 1 +huangjia74.com, 1 +huangjia75.com, 1 +huangjia76.com, 1 +huangjia777.com, 1 +huangjia78.com, 1 +huangjia79.com, 1 +huangjiaint.com, 1 +huangjingjing.com, 1 +huangkevin.com, 1 +huangqifu.com, 1 +huangshuo.net, 1 +huangzenghao.cn, 0 +huangzenghao.com, 1 +huangzjnet.gq, 1 +huanqiu1988.com, 1 +huanta.tk, 1 +huanvm.com, 1 +huanwei.com, 1 +huanyu.com, 1 +huapood.com, 1 +huaqian.art, 1 +huashan.co.uk, 1 +huashang.tk, 1 +huawenyy.com, 1 +huaxueba.com, 1 +hub24.com.au, 1 +hub385.com, 1 +hubanero.cz, 1 +hubapi.com, 1 +hubbardhouseugrrmuseum.org, 1 +hubbaworld.tk, 1 +hubbell.com, 1 +hubblogging.com, 1 +hubchain.com, 1 +hubchain.com.br, 1 +hubchain.fr, 1 +hubchain.io, 1 +hubchain.org, 1 +huber-informatik.de, 1 +hublaagram.ml, 1 +hubnet.fr, 1 +hubok.net, 1 +huboo.co.uk, 1 +huboo.com, 1 +hubovra.nl, 1 +hubrecht.at, 1 +hubsaveers.ga, 1 +hubsaveest.ga, 1 +hubspot.com, 1 +hubspot.de, 1 +hubspot.es, 1 +hubspot.fr, 1 +hubspot.jp, 1 +hubux.tk, 1 +hubx.co, 1 +huchet.me, 0 +hucklebucks.com, 1 +huckletree.com, 0 +hudaa.us, 1 +hudbugcomics.com, 1 +huddlecamhd.com, 1 +hudebnibazarmixer.cz, 1 +hudeem-vmeste.ml, 1 +hudhaifahgoga.co.za, 1 +hudhomestore.gov, 1 +hudobniny.net, 1 +hudognik.com, 1 +hudrydum.cz, 1 +hudsonlifting.co.uk, 1 +hudsonregional.gov, 1 +hudsonsolutions.com, 1 +hudsonwi.gov, 1 +hudu.com, 1 +huduser.gov, 1 +huecomundo.tk, 1 +huehnerartikel.de, 1 +huelgajusticiaextremadura.tk, 1 +huellasfestival.com, 1 +huelvatrabaja.com, 1 +huemanpesolutions.com, 1 +huemeyraophelia.com, 1 +huemul.studio, 1 +huengsberg.com, 1 +huepfburggiessen.de, 1 +huertoydesamparados.tk, 1 +hues-in-lee.de, 1 +huesers.de, 1 +huesitos.tk, 1 +hueterecruiters.com, 1 +hufelare.tk, 1 +huffduffer.com, 1 +huffingtonwire.com, 1 +huffsinsurance.com, 1 +hug0.cz, 1 +hugebeasters.ga, 1 +hugebeastest.ga, 1 +hugetits.tv, 1 +huggies.com.au, 1 +huggy.moe, 1 +hughfitzgerald.com, 1 +hugi.is, 1 +huglen.info, 1 +hugobarral.me, 1 +hugochilemme.com, 1 +hugocurado.info, 1 +hugogarra.com, 1 +hugolegrand.fr, 1 +hugolynx.fr, 0 +hugomilano.ga, 1 +hugonote.cf, 1 +hugonote.ga, 1 +hugonote.gq, 1 +hugonote.ml, 1 +hugonote.ovh, 1 +hugonote.tk, 1 +hugotech.vn, 1 +hugovr.nl, 1 +hugoyugou.com, 1 +hugs.ua, 1 +huhao.tk, 1 +huhu.cf, 1 +huibrotladen.com, 1 +huicui.com, 1 +huiguniang.com, 1 +huiketang.com, 1 +huimin.com, 1 +huimou.com, 1 +huininga.com, 1 +huininga.nl, 1 +huininga.org, 1 +huirongis.me, 1 +huis-en-tuin.be, 1 +huisaandecosta.nl, 1 +huisartsen-ict.nl, 1 +huisartsenpraktijkheemraadssingel.nl, 1 +huisartsenpraktijksonmezer.nl, 1 +huisartsenpraktijkzonnehoed.nl, 1 +huisartsenpraktijkzwalm.be, 1 +huisdierinfopunt.tk, 1 +huiser.nl, 1 +huisjeboompje-baby.nl, 1 +huislaw.com, 1 +huislijn.nl, 1 +huissier-vosges.com, 1 +huit.re, 1 +huitaodang.com, 1 +huk-autoservice.de, 1 +hukkatavara.com, 1 +hukuhauchi.com, 1 +hulaginswoodworking.com, 1 +hulet.tech, 1 +hulii.com, 1 +hulii.com.au, 1 +hulkbay.tk, 1 +hulkweb.tk, 1 +hullmoneyman.com, 1 +hullscp.co.uk, 1 +hullseals.space, 1 +huloveyou.com, 1 +hulpbijmarketing.nl, 1 +hulpertechsite.tk, 1 +hulpmiddelenshop.nl, 1 +hulpverleningszonecentrum.be, 1 +hulsoft.co.uk, 1 +hultrid.hopto.org, 1 +hululkitab.co, 1 +huma-auto.club, 0 +human-centricity.com, 1 +human-clone.com, 1 +human-dev.io, 1 +human-parasites.tk, 1 +human-shinri.com, 1 +humana-medicaresupplement.com, 1 +humanamente.tk, 1 +humanbeing.tk, 1 +humanenrich.com, 1 +humanesdemadrid.tk, 1 +humanewolf.com, 1 +humanexperiments.com, 1 +humanhairgo.tk, 1 +humanhealth.pl, 1 +humanidad.tk, 1 +humaninterest.com, 1 +humanistgruppen.tk, 1 +humanit.com.au, 1 +humanitiesacademicpublishers.com, 0 +humanity.com, 1 +humanize.security, 1 +humanlocation.net, 1 +humanresources.gq, 1 +humanresourcesedu.org, 1 +humanresourcesmanager.de, 1 +humanrights.gov.au, 1 +humanrights.tk, 1 +humansense.nl, 1 +humanservicesedu.org, 1 +humanshiftpaper.com, 1 +humantouchmassagechairs.com, 1 +humanvidas.com.br, 1 +humanzee.com, 1 +humara.tk, 1 +humass.nl, 1 +humbaur.com, 1 +humbble.fr, 1 +humblebee.at, 1 +humblebee.be, 1 +humblebee.bg, 1 +humblebee.ch, 1 +humblebee.co.uk, 1 +humblebee.cz, 1 +humblebee.dk, 1 +humblebee.es, 1 +humblebee.eu, 1 +humblebee.foundation, 1 +humblebee.fr, 1 +humblebee.gr, 1 +humblebee.hu, 1 +humblebee.ie, 1 +humblebee.it, 1 +humblebee.nz, 1 +humblebee.pl, 1 +humblebee.us, 1 +humblebeeshop.ca, 1 +humblebeeshop.com.au, 1 +humblecraft.tk, 1 +humbledot.com, 0 +humblenano.africa, 1 +humblenano.io, 1 +humboldt-wi.gov, 1 +humboldtcavotes.gov, 1 +humboldtcountyca.gov, 1 +humboldtcountynv.gov, 1 +humboldtcsi.com, 1 +humboldthomeguide.com, 1 +humboldtmfg.com, 1 +humdata.org, 1 +humdruma-recordingz.tk, 1 +humer-it.com, 0 +humexe.com, 1 +humeydi.tk, 1 +humi.ca, 1 +humio.com, 1 +humm90.com, 1 +hummel.tk, 1 +hummingbird.co, 0 +hummy.tk, 1 +hummy.tv, 1 +humo.be, 1 +humor-life.tk, 1 +humor-web.tk, 1 +humor.cf, 1 +humor.ga, 1 +humorbest.tk, 1 +humorcheck.ga, 1 +humorcheckers.ga, 1 +humorcheckest.ga, 1 +humored.gq, 1 +humorojo.com, 1 +humpen.se, 1 +humphreyscountytn.gov, 1 +humpydumpy.tk, 1 +humuluslupulus.de, 1 +humus.tk, 1 +hunanbank.com, 1 +hund.io, 1 +hund.ml, 1 +hundamosantena3.tk, 1 +hundedekken.tk, 1 +hundeschule.tk, 1 +hundestudios.tk, 1 +hundhausen.de, 1 +hundimiento.com, 1 +hundlee.tk, 1 +hundter.com, 1 +hundur.tk, 1 +hunedoara.tk, 1 +hungarian-united-church.tk, 1 +hungarianeducationagency.com, 1 +hungaryz.ml, 1 +hungnm.me, 1 +hungryas.tk, 1 +hungryginie.com, 1 +hungryhealthyhappy.com, 1 +hunhold.at, 1 +hunhold.biz, 1 +hunhold.ch, 1 +hunhold.com, 1 +hunhold.de, 1 +hunhold.eu, 1 +hunhold.it, 1 +hunhold.net, 1 +hunhold.org, 1 +huniverse.co, 1 +hunngard.com, 1 +hunqz.com, 1 +hunstoncanoeclub.co.uk, 1 +hunter-read.com, 1 +hunter.io, 1 +hunter32.ru, 1 +hunterjohnson.io, 1 +huntersandprops.tk, 1 +hunterscreekapartments.net, 1 +hunterscrolls.tk, 1 +huntertrade.com.br, 1 +huntexpired.com, 0 +huntflow.ai, 1 +hunting.ml, 1 +huntingdonlifesciences.com, 1 +huntingdonsmithfieldpa.gov, 1 +huntingnewfoundlandlabrador.com, 1 +huntingtonestateproperties.com, 1 +huntingtonnow.com, 1 +huntingtonwv.gov, 1 +huntreminder.com, 1 +huntsvillealtransit.gov, 1 +huntsvillecottage.ca, 1 +huntvac.com, 1 +huny.eu.org, 1 +hunzai.tk, 1 +huoduan.com, 1 +huohu-sports.com, 1 +huohuo.cf, 1 +huohuo.ml, 1 +huon.fyi, 1 +huonit.com.au, 0 +huoqibaike.club, 1 +huoyankan.com, 1 +huoyou.com, 1 +huozhen.com, 1 +hup.hu, 0 +hupeng.me, 1 +hupoyunlar.com, 1 +hurbascooter.com, 1 +hurbo.com, 1 +hurdafiyatlari.site, 1 +hurinkazan2020.com, 1 +hurleyhomestead.com, 1 +huron.tk, 1 +huronsd.gov, 1 +hurra-blog.tk, 1 +hurricanecarroll.com, 1 +hurricanelabs.com, 0 +hurricaneplaneers.ga, 1 +hurricaneplaneest.ga, 1 +hurricanewv.gov, 1 +hurricanewvpd.gov, 1 +hurriyetseriilan.tk, 1 +hurstbourneacresky.gov, 1 +hurstiharrell.tk, 1 +hurtigrabat.dk, 1 +hurtigtinternet.dk, 1 +husakbau.at, 1 +hushbabysleep.com, 1 +hushfile.it, 1 +hushpuppiesobuv.ru, 1 +husic.net, 0 +husky-in-nood.tk, 1 +huskyeye.de, 1 +huskygifts.com, 1 +huskyinc.us, 0 +husmann.tech, 1 +husqvarnamoped.se, 1 +hussam.eu.org, 1 +hussehrana.com, 1 +hustlerstate.tk, 1 +hutavaterstetten.de, 1 +hutchinsonmn.gov, 1 +huthacks.com, 1 +huto.ml, 1 +huttotxedc.gov, 1 +huurwoordenaar.nl, 1 +huuto.tk, 1 +huutonauru.net, 1 +huwcbjones.uk, 1 +huwjones.me, 1 +huwshepheard.com, 1 +huxcoconstruction.com, 1 +huxixs.com, 1 +huxley.net, 1 +huynhviet.com, 1 +huyvu.nl, 1 +huzurmetal.net, 1 +huzurpansiyonfirtinavadisi.com, 1 +hv-2020.de, 1 +hv-2020.online, 1 +hv-anmeldung.de, 1 +hv-huset.no, 1 +hv-portal.de, 1 +hv.se, 1 +hva.cl, 1 +hvac-distributing.com, 1 +hvac-distributing.xyz, 1 +hvacschool.org, 1 +hvanmeldung.de, 1 +hvanmeldung.online, 1 +hvcoksvote.gov, 1 +hvdbox.de, 0 +hvenetworks.cf, 1 +hveradistributions.com, 1 +hverdagogkink.no, 1 +hvh.no, 1 +hvhdct.gov, 1 +hvhercules.tk, 1 +hvhindia.in, 1 +hvllucinvtion.tk, 1 +hvorschool.tk, 1 +hvr.co.il, 1 +hvrint.de, 1 +hvtuananh.com, 1 +hvvmg.com, 1 +hvylya.net, 1 +hw8.eu, 1 +hwag-pb.de, 1 +hwasung.com.vn, 1 +hwe.nz, 1 +hwholdsworth.com.au, 1 +hwinfo.tk, 1 +hwjkk.com, 1 +hwnd.io, 1 +hwsw.io, 1 +hwvv.nl, 1 +hwx8.com, 0 +hx-sun.com, 1 +hx36.net, 0 +hx53.de, 1 +hx678.cc, 1 +hx77.cc, 0 +hxit.cn, 1 +hxkvm.com, 1 +hxkvm.net, 1 +hxp.io, 1 +hxr404.cf, 1 +hxsrz.eu.org, 1 +hxtival.com, 1 +hxtival.nl, 1 +hy1.com, 1 +hyacinthus.tk, 1 +hyatt.com, 1 +hyb7.com, 1 +hybrd.is, 1 +hybrid-crescent.tk, 1 +hybriden.cf, 1 +hybriden.tk, 1 +hybridiyhdistys.fi, 1 +hybridklubben.fi, 1 +hybridragon.net, 1 +hybridscript.tk, 1 +hybridsounds.tk, 1 +hybridworld.tk, 1 +hybridworx.com, 1 +hybridworx.de, 1 +hybridworx.eu, 1 +hybridworx.net, 1 +hybridworx.org, 1 +hybrydowe-samochody.pl, 1 +hybula.com, 1 +hycken.com, 1 +hyckenberg.com, 1 +hyderabaddccb.org, 1 +hyderabadonlinegifts.com, 1 +hydra-interactive.com, 1 +hydra.az, 1 +hydrabit.nl, 1 +hydrante.ch, 0 +hydras.tk, 1 +hydrazin.pw, 1 +hydro17.com, 1 +hydroagro.pl, 1 +hydroaralen.com, 1 +hydrochlorothiazide.gq, 1 +hydrochlorothiazide125.ga, 1 +hydrocloud.net, 1 +hydrocontrolsystems-janssenwaterproofing.com, 1 +hydrocontrolsystems.com, 1 +hydrogel.tk, 1 +hydrogenplatform.com, 1 +hydrographicsocietybenelux.eu, 1 +hydroid.tk, 1 +hydrolifehottubs.co.uk, 1 +hydrolyze.tk, 1 +hydromech.com.au, 1 +hydrometrixtechnologies.com, 1 +hydronicheatingaustralia.com.au, 1 +hydronium.cf, 1 +hydronium.ga, 1 +hydronium.ml, 1 +hydronium.tk, 1 +hydronix-bg.com, 1 +hydroposev.com, 1 +hydrosaat.ch, 1 +hydrosight.com, 1 +hydrosila.com, 0 +hydroturbine.info, 0 +hydrozen.io, 1 +hydrozone.fr, 1 +hyds.com, 1 +hyec.jp, 1 +hyex.com.au, 1 +hygieneproclean.co.nz, 1 +hygienet.be, 1 +hygo.com, 1 +hygraph.com, 1 +hyk.me, 1 +hyland.com, 1 +hylark.com, 1 +hylians.com, 1 +hyllie.net, 1 +hymn.com, 1 +hymnal.net, 1 +hymnsandverses.com, 1 +hync.io, 1 +hyncice.com, 1 +hyndax.com.ar, 0 +hynek.me, 1 +hyodyntamaton.site, 0 +hyoi.de, 1 +hypar.io, 1 +hyparia.fr, 1 +hyparia.org, 1 +hypehub.tech, 1 +hypelifemagazine.com, 1 +hypemgmt.com, 1 +hyper-fit.nl, 1 +hyper-matrix.org, 1 +hyper-network.de, 1 +hyper-spirit.com, 1 +hyper-text.org, 0 +hyper.ai, 1 +hyper.lol, 1 +hyperalgesia.com, 1 +hyperautomotive.com.au, 1 +hyperblast-universe.tk, 1 +hyperbolecomics.com, 1 +hyperbolic-mayonnaise-interceptor.ovh, 1 +hyperc.club, 1 +hypercdn.de, 1 +hypercritical.co, 1 +hyperd.sh, 1 +hyperdesign.com, 1 +hyperemesis.ie, 1 +hyperhidrose.tk, 1 +hyperion-project.org, 1 +hyperion.gmbh, 0 +hyperion.io, 1 +hyperionms.com, 1 +hyperjewel.com, 1 +hyperjit.com, 1 +hyperlocal.co.za, 1 +hypermonkey.tk, 1 +hypernode.com, 1 +hyperonline.tk, 1 +hyperplanning.fr, 1 +hyperreal.chat, 1 +hyperreal.info, 1 +hypersequent.com, 1 +hypershell.tk, 1 +hypersomnia.com, 1 +hyperspace.tk, 1 +hyperstack.org, 1 +hypertaut.com, 1 +hypertensionexplained.com, 1 +hypertesto.me, 1 +hyperthymia.com, 1 +hypervsn.com, 1 +hypetrix.com, 1 +hypexstore.tk, 1 +hyphen.co.za, 1 +hyphenpda.co.za, 1 +hypixelstudios.com, 1 +hypno-thera.fr, 1 +hypnobb.com, 1 +hypnos.hu, 1 +hypnose-hennigsdorf.de, 1 +hypnose-nimes.fr, 1 +hypnoseduction.tk, 1 +hypnoside.tk, 1 +hypnosis.edu, 1 +hypnotistanbul.com, 1 +hypnotizedgirls.ml, 1 +hypnovir.us, 1 +hypo-fix.com, 1 +hypo-fix.de, 1 +hypo-light.de, 1 +hypo-x.de, 1 +hypo4u.de, 1 +hypocretins.com, 1 +hypocrites.tk, 1 +hypofax.de, 1 +hypofix-web.de, 1 +hypofix.com, 1 +hypofix.de, 1 +hypofixweb.de, 1 +hypofixx.de, 1 +hypofux.de, 1 +hypokalkulacka.sk, 1 +hypolife.de, 1 +hypolineweb.de, 1 +hyposoft.de, 1 +hypotheca.ca, 1 +hypotheekbond.nl, 1 +hypothekenbank.ag, 1 +hypotheques24.ch, 1 +hypothermia.tk, 1 +hypothes.is, 1 +hypothyroidmom.com, 1 +hypowelt.com, 1 +hypr.ee, 1 +hyr.mn, 0 +hyra.tk, 1 +hyrin.tk, 1 +hyrius.net, 1 +hyrulekingdom.tk, 1 +hys-te-ria.tk, 1 +hyser.com.ua, 1 +hysh.jp, 1 +hysh.net, 1 +hysh.org, 1 +hystats.net, 1 +hysupchile.cl, 1 +hytale.com, 1 +hytzongxuan.com, 1 +hytzongxuan.top, 1 +hyunbridge.com, 1 +hyundaifinance.de, 0 +hyundaipartsdeal.com, 1 +hyundaisrilanka.lk, 1 +hyunjoonkim.net, 1 +hyvinvointineuvoja.fi, 1 +hyy.ch, 1 +hyy.chat, 1 +hyychat.com, 1 +hyyen.com, 1 +hyyperchat.com, 1 +hyze.fr, 1 +hyzy.fr, 1 +hz601.org, 1 +hzbk.org, 0 +hzmpower.com, 1 +hzsx.com, 1 +hztgzz.com, 1 +i--b.com, 1 +i-0v0.in, 1 +i-3c.co.jp, 1 +i-am-cjc.tech, 1 +i-am-seo.co.uk, 1 +i-cite.es, 1 +i-connect.ie, 0 +i-cyber.gov.ua, 1 +i-experts.nl, 1 +i-fastnet.net, 1 +i-forum.ga, 1 +i-house.gq, 1 +i-hoz.ru, 1 +i-lab.ml, 1 +i-li.com, 1 +i-like-hits.tk, 1 +i-liren.com, 1 +i-logic.co.jp, 1 +i-logic.net, 1 +i-make-love.tk, 1 +i-make.com, 1 +i-make.fr, 1 +i-med.com.au, 1 +i-model.org, 1 +i-motor.nl, 1 +i-office.com.vn, 1 +i-on.by, 1 +i-panic.com, 1 +i-pinged-everyone.today, 1 +i-port-voice.com, 1 +i-prince.tk, 1 +i-proswiss.com, 0 +i-r-a.tk, 1 +i-readycentral.com, 1 +i-red.info, 1 +i-scream.space, 1 +i-sports.cz, 1 +i-stream2watch.com, 1 +i-telligence.de, 0 +i-tm.com.tw, 1 +i-tools.ru, 1 +i-verbi.it, 1 +i-vignette.com, 1 +i-volve.net, 1 +i-voting.pl, 1 +i.hosting, 1 +i00.eu, 1 +i00228.com, 1 +i0856.com, 0 +i0day.com, 1 +i10z.com, 1 +i1430.com, 0 +i24.host, 1 +i2capmark.com, 1 +i2education.com, 1 +i2itherapy.com, 1 +i2pgit.org, 0 +i36533.com, 1 +i365365.com, 1 +i36588.com, 1 +i3o.me, 1 +i49.net, 1 +i4cu.uk, 1 +i4net.eu, 1 +i4ware.fi, 1 +i51365.com, 0 +i5197.co, 1 +i5y.co.uk, 1 +i5y.org, 1 +i6729.co, 1 +i6729.com, 0 +i6957.co, 1 +i7.io, 1 +i7sas.tk, 1 +i82365.com, 1 +i879.com, 1 +i88i.gq, 1 +i8cp.com, 1 +i9297.co, 1 +i9728.co, 1 +i9assessoria.net.br, 1 +i9s.in, 1 +ia.ca, 1 +ia.net, 1 +ia1000.com, 1 +iaa.ee, 1 +iaata.info, 1 +iab-diva.ru, 1 +iabot.tk, 1 +iacee.org, 1 +iacitywebdesigner.com, 1 +iaco.li, 1 +iacono.com.br, 0 +iactu.info, 1 +iadb.org, 1 +iadminify.com, 1 +iadore.tk, 1 +iadttaveras.com, 1 +iae.one, 1 +iaeste.or.jp, 1 +iaf.gov, 1 +iaf.nu, 1 +iafd.com, 1 +iaforum.com.br, 1 +iafss2023.com, 1 +iain.tech, 1 +iainsimms.co.uk, 1 +iainsimms.com, 1 +iainsimms.me, 1 +ialternatywne.pl, 1 +iam.lc, 0 +iam.soy, 1 +iamafricacampaign.com, 1 +iamafricacampaign.org, 1 +iamaileen.com, 1 +iamanewme.com, 1 +iambhatti.tk, 1 +iamcloud.de, 1 +iamconnected.eu, 1 +iamhealthystore.com, 1 +iaminashittymood.today, 1 +iamjoshellis.com, 1 +iamkate.com, 1 +iamlearning.co.uk, 1 +iamlegend.ml, 1 +iamlife.com, 1 +iamlzh.com, 0 +iamokay.nl, 1 +iamovement.org, 1 +iamsadmax.ga, 1 +iamsainknight.tk, 1 +iamsamaskom.tk, 1 +iamtheib.me, 1 +iamthelife.io, 1 +iamthesweetspot.com, 1 +iamtonyarthur.com, 1 +iamtp.com, 1 +iamtrainsafe.co.uk, 1 +iamusingtheinter.net, 0 +iamyourpillow.com, 1 +ian-barker.co.uk, 1 +ian.sh, 0 +ian678.com, 1 +ian678.tk, 1 +ianasheu.com, 1 +ianbrault.com, 1 +iancu.me, 1 +iandouglasscott.com, 1 +iane-ccs.com, 1 +ianix.com, 1 +ianklug.com, 1 +iankmusic.com, 1 +ianmooreis.me, 1 +ianmoriarty.com.au, 1 +ianonavy.com, 1 +ians.lu, 1 +iansyst.co.uk, 1 +ianthompsonbooks.com, 1 +ianwalsh.org, 0 +iaofirearms.com, 1 +iapro.com, 1 +iapws.com, 0 +ias-gruppe.net, 1 +ias.ua, 1 +iassess.eu, 1 +iaswc.org, 1 +iatfei.com, 1 +iatrikos-exoplismos.gr, 1 +iaudited.com, 1 +iav.com, 1 +iav.de, 1 +iawx.net, 1 +iaxx.eu, 1 +ib-kreindl.at, 1 +ib-wedler.de, 1 +ib-zentrale.de, 1 +iba.community, 1 +iba.gov.au, 1 +ibacktraced.it, 1 +ibadboy.net, 1 +iban.com, 1 +ibaoger.com, 1 +ibavaro.com, 1 +ibb.co, 1 +ibb.co.com, 1 +ibb.istanbul, 1 +ibbit.ro, 1 +ibc-container.be, 1 +ibc.com, 1 +ibcl.us, 1 +ibcmed.com, 1 +ibcmed.net, 1 +ibcmed.org, 1 +ibe.de, 1 +ibeep.com, 0 +ibei.ru, 1 +ibemember3.com, 1 +ibericaderedes.es, 1 +ibericarbenet.es, 1 +ibericarcuzco.es, 1 +ibericarcuzcomini.es, 1 +ibericarformula.es, 1 +ibericargestoso.es, 1 +ibericarmotors.es, 1 +ibericarmotorsmalaga.es, 1 +ibericarmovilcentro.es, 1 +ibericarmovilsur.es, 1 +ibericarreicomsa.es, 1 +ibericartechnik.es, 1 +ibetora.com, 1 +ibex.co, 1 +ibexmultiday.com, 1 +ibexpackaging.com, 1 +ibexrepair.co.uk, 0 +ibhgospel.com, 1 +ibi.mt, 1 +ibidyoupeace.com, 1 +ibiki-boushi-makura.net, 1 +ibilog.net, 1 +ibin.co, 1 +ibinex.news, 1 +ibiu.xyz, 0 +ibiz.mk, 1 +ibizads.tk, 1 +ibizaluxuryachts.com, 1 +ibk.at, 1 +iblog.pk, 1 +iblowdry.com, 1 +iblsoft.com, 1 +ibm.gov.in, 1 +ibm3.com, 1 +ibmaspera.com, 1 +ibmix.de, 1 +ibo-chemnitz.de, 1 +iboat.eu, 1 +ibodyiq.com, 1 +ibon.org, 1 +iboy1069.com, 0 +iboysoft.com, 1 +ibpegasus.tk, 1 +ibpsrecruitment.co.in, 1 +ibq.life, 1 +ibra.org.uk, 1 +ibrainmedicine.org, 1 +ibraphotography.com, 1 +ibrom.eu, 1 +ibron.co, 0 +ibroshop.com, 1 +ibsasport.org, 1 +ibsglobal.co.za, 1 +ibsis.org, 1 +ibstyle.tk, 1 +ibu.ca, 1 +ibug.io, 1 +ibuildings.com, 1 +ibuildings.nl, 1 +ibuki.run, 1 +ibuprofens.gq, 1 +iburgs.com, 1 +ibuzz.tk, 1 +ibwc.gov, 1 +ibykos.com, 1 +ibz.be, 1 +ic3.gov, 1 +icafecash.com, 1 +icagency.it, 1 +icams-portal.gov, 1 +icanhazpass.com, 1 +icanseeyou.tk, 1 +icap.my, 1 +icardistry.com, 1 +icaremoving.com, 1 +icareofficesolutions.com, 1 +icarlos.net, 1 +icas-nsn.gov, 1 +icasas.mx, 1 +icasnetwork.com, 1 +icastgo.ca, 0 +icastgo.com, 0 +icasture.top, 1 +icatt.nl, 1 +icbemp.gov, 0 +icca-chem.org, 1 +iccorporateinteriors.com.au, 1 +iccupplatoon.tk, 1 +iccxx.cn, 1 +icd-codes.org, 1 +icddd.pl, 1 +icdisinfection.com.au, 1 +icdp.org.ua, 1 +icebat.dyndns.org, 1 +iceberg.academy, 0 +iceberg.cyou, 1 +iceberg.ddns.me, 1 +icebike.org, 1 +icebook.co.uk, 1 +icebound.cc, 1 +icebound.win, 1 +iceboxstudio.tk, 1 +icecars.net, 0 +icecodenew.tk, 1 +icecontrol.ro, 1 +icecreamandclara.co.uk, 1 +icecreamika.tk, 1 +icecutethings.com, 1 +icedev.pl, 1 +icedox.ga, 1 +icedre.am, 1 +icedream.tech, 0 +icedterminal.com, 1 +icedterminal.me, 1 +icedude.tk, 1 +iceewind.com, 1 +iceflow.tk, 1 +icefoxtee.com, 1 +iceheart.tk, 1 +icehost.cf, 1 +icekiller.ga, 1 +icelandic.cf, 1 +icelook.tk, 1 +icemakerrepairaustin.com, 1 +icemedia.com.au, 0 +icemoto.tk, 1 +icemyworld.tk, 1 +icenter.ee, 1 +icentury.ca, 1 +icepharmaceuticals.com, 1 +icerinkwarehouse.com, 1 +icerockproperties.com, 1 +iceshadow.tk, 1 +icetechworld.com, 1 +icetiger.eu, 1 +icetravellers.com, 0 +icewood-bois.com, 1 +ich-finde-wikipedia-toll.tk, 1 +ich-hab-die-schnauze-voll-von-der-suche-nach-ner-kurzen-domain.de, 1 +ich-tanke.de, 1 +icharme.fr, 1 +ichasco.com, 1 +ichbinein.org, 1 +ichbinhuebi.de, 1 +ichbinkeinfreier.com, 1 +ichbinkeinreh.de, 1 +ichfahre.at, 1 +ichglaubesbackt.de, 1 +ichibanfansub.com.br, 1 +ichibot.trade, 1 +ichibot.vip, 1 +ichigo.university, 1 +ichigoproduction.co.kr, 1 +ichigoproduction.kr, 1 +ichijoh.co.jp, 1 +ichisound.ml, 1 +ichitaka.tk, 1 +ichitaso.com, 1 +ichtroje.tk, 1 +ichuck.rocks, 1 +ici-freewares.tk, 1 +ici.ac.nz, 1 +ici.ms, 1 +ici.net.au, 1 +icie.info, 1 +icieducation.ca, 1 +icieducation.co.uk, 1 +icieducation.ie, 1 +icims.ca, 1 +icims.com, 1 +icims.eu, 1 +icims.io, 1 +icims.us, 1 +icisontdesdragons.fr, 1 +ickerseashop.com, 1 +icl82.systems, 1 +iclart.com, 1 +iclb.be, 1 +iclg.com, 1 +iclinic-mrt.ru, 1 +iclinic.ua, 1 +icloud.com, 1 +icloud.st, 1 +icloudlogin.com, 1 +icmarket.com, 1 +icmtx.com, 1 +icnc.ga, 1 +icnsk.ru, 1 +icnsoft.org, 1 +icodeconnect.com, 1 +icojapan.tokyo, 1 +icollezionisti.com, 1 +icolorpalette.com, 1 +icomputeconsulting.com, 1 +icomuk.co.uk, 1 +icon-programming.tk, 1 +icone-one.fr, 1 +iconexperience.com, 1 +iconintegration.com.au, 1 +iconique-menuiserie.be, 1 +iconmale.com, 1 +iconmalenetwork.com, 1 +iconoarte.tk, 1 +iconomi.net, 1 +iconparkingsystems.com, 1 +iconpropertyrescue.com, 1 +icons4free.tk, 1 +iconsiam.com, 1 +iconsuppstore.com, 1 +iconworld.ml, 1 +iconx.ml, 1 +iconz.tk, 1 +icounseling.com, 1 +icountnm.gov, 1 +icowhitepapers.co, 1 +icpb.com.my, 1 +icpc2016.in.th, 1 +icpcorp.com, 1 +icpe.nl, 1 +icq-project.net, 1 +icq-world.tk, 1 +icq.com, 1 +icr-box.ddns.net, 1 +icraft.bg, 1 +icrat.org, 1 +icrc.org, 1 +icreative.nl, 1 +icruise.com, 1 +ics-blitz.me, 1 +icsolutions.nl, 1 +icst.tk, 1 +icsti.org, 1 +ict-concept.nl, 1 +ict-oldehove.nl, 1 +ict-radar.com, 0 +ict-radar.nl, 0 +ict.govt.nz, 1 +ictbaneninnederland.nl, 1 +ictcareer.ch, 1 +ictergezocht.nl, 1 +ictfreak.nl, 1 +ictinforensics.org, 1 +ictkaisha.be, 1 +ictl.eu, 1 +ictoniolopisa.it, 1 +ictradar.com, 0 +icts.gov, 1 +icttindia.org, 0 +icusignature.com, 1 +icustomboxes.com, 1 +icy.aq, 1 +icyapril.com, 1 +icycanada.com, 1 +icydestiny.com, 0 +icyeurope.com, 1 +icyhealth.com, 0 +icyheroes.com, 1 +icyrock.com, 1 +icytales.com, 0 +icywhiz.com, 1 +iczc.cz, 1 +icze4r.co, 1 +icze4r.com, 1 +icze4r.net, 1 +icze4r.online, 1 +icze4r.org, 1 +iczelion.tk, 1 +iczer.one, 1 +iczer.org, 1 +id-blog.ch, 0 +id-fxcm.com, 1 +id.atlassian.com, 0 +id.fedoraproject.org, 0 +id.mayfirst.org, 0 +id.search.yahoo.com, 0 +id.wine, 1 +id0.gr, 1 +id3global.com, 1 +id5-sync.com, 1 +idaeus.eu, 1 +idahoansforliberty.net, 1 +idahofalls.gov, 1 +idahohealth.tk, 1 +idahomushroomclub.org, 1 +idanie.cf, 1 +idaspis.com, 1 +idatalabs.com, 0 +idatownshipmi.gov, 1 +idawallen.com, 1 +idblab.tk, 1 +idbm.ch, 1 +idbs.com, 1 +idc-business.be, 0 +idc.yn.cn, 1 +idc95.com, 0 +idcat.cat, 1 +idcrawl.com, 1 +idcrushermachine.ga, 1 +idcwr.com, 1 +iddaatahmin11.com, 1 +iddaatahmin6.com, 1 +iddaatahminleri.com.tr, 1 +iddconnect.com, 1 +iddconnect.org, 1 +iddportugal.pt, 1 +idea.ws, 1 +ideadozz.hu, 1 +ideageek.net, 1 +ideagenpentana.com, 1 +ideahub.tk, 1 +ideahubnepal.org, 1 +ideaklinik.com, 1 +ideaklinikbursa.com, 1 +ideaktiv.com, 1 +ideal-reality.com, 1 +ideal-social.com, 1 +ideal.shop, 1 +idealabs.tk, 1 +idealadvogadosbh.com.br, 1 +idealbet.it, 1 +idealbody.cf, 1 +idealbody.gq, 1 +idealcontabilidade.net, 0 +idealdedetizadorabh.com.br, 1 +idealimobiliariabh.com.br, 1 +idealize.ml, 1 +idealmature.com, 1 +idealmilf.com, 1 +idealnastrona.pl, 1 +idealni-hypoteka.cz, 1 +idealog.id, 1 +idealresponse.co.uk, 1 +idealsegurancaeletronica.com.br, 1 +idealserralheriabh.com.br, 1 +idealtruss.com, 1 +idealtruss.com.tw, 1 +idealucedifilippi.it, 1 +idealwhite.space, 1 +idealwifes.com, 1 +ideaplex.ca, 1 +ideas.com, 0 +ideasdigitales2025.es, 1 +ideasenfoto.com, 0 +ideashop.com, 1 +ideasinlab.com, 1 +ideau.pl, 1 +ideaweb.de, 1 +ideaweblab.com, 0 +idec.com, 1 +idee-geschenk.eu, 1 +idee-lq.at, 1 +idee-lq.ch, 1 +idee-lq.com, 1 +idee-lq.de, 1 +idee-lq.net, 1 +ideefactory.de, 1 +ideericette.it, 1 +ideesrecettes.net, 1 +idehvector.com, 1 +ideiasefinancas.com.br, 1 +ideice.gob.do, 1 +idemo.in, 1 +iden-tt.com, 1 +iden-tt.net, 1 +iden-tt.org, 1 +idenamaislami.com, 1 +idensys.nl, 1 +ident-clinic.be, 1 +identa.io, 1 +identassist.com, 1 +identeco.de, 1 +identifyme.net, 1 +identifytag.com, 1 +identigraf.center, 1 +identity-hash.online, 1 +identity-inspector.com, 0 +identity-project.com, 1 +identity.aero, 1 +identity.plus, 1 +identityexperts.co.uk, 1 +identityflashmob.com, 1 +identitykrisis.com, 1 +identitysandbox.gov, 1 +identityswapers.ga, 1 +identityswapest.ga, 1 +identitytheft.gov, 1 +ideologiaycultura-ap.tk, 1 +ideorealm.tk, 1 +idered.net, 1 +ides.co.jp, 1 +idesign.tk, 1 +idesoft.cloud, 1 +idesoft.com, 1 +idesoft.eu, 1 +idesoft.info, 1 +idesoft.net, 1 +idesoftinnovacion.com, 1 +idesoftinnovacion.es, 1 +idev-hub.com, 1 +idev.games, 1 +idevicesinc.com, 1 +idexxpublicationportal.com, 1 +idf64.com, 1 +idf64.org, 1 +idfc.gov, 1 +idgr.de, 1 +idhl.fr, 1 +idhosts.co.id, 1 +idigovs.com, 0 +idinby.dk, 1 +idiomasdelmundo.tk, 1 +idiomasdominados.tk, 1 +idioteque.tk, 1 +idjnow.com, 1 +idkidknow.com, 1 +idleleo.com, 1 +idlemon.net, 1 +idlethoughtsandramblings.com, 1 +idlewildflowers.com, 1 +idlxb.com, 1 +idmanagement.gov, 1 +idmaster.ml, 1 +idmmovers.com, 1 +idmobile.co.uk, 1 +idmod.org, 1 +idn.gov.pt, 0 +idndomain.tk, 1 +idndx.com, 1 +idnic.net, 1 +idoctoril.com, 1 +idohost.tk, 1 +idol-bikes.ru, 1 +idolf.dk, 1 +idolfap.com, 1 +idolish7.fun, 0 +idoljp.com, 1 +idonthaveawebsite.tk, 1 +idontplaydarts.com, 1 +idoparadoxon.hu, 1 +idoxus.de, 1 +idp.onl, 1 +idraetsmusik.dk, 1 +idratherbequilting.com, 1 +idraulico-roma.it, 1 +idraulico.roma.it, 1 +idream-solutions.co.uk, 0 +idrissi.eu, 1 +idroot.us, 1 +idropulsoredentale.shop, 1 +idsafe.co.za, 1 +idsc.com.tw, 1 +idsconsulting.co.nz, 1 +idstudio.tk, 1 +idta.com.au, 1 +idtechnowizard.com, 1 +idtheft.gov, 1 +idtrkarnal.com, 1 +iduntownshipmn.gov, 1 +idvchile.cl, 1 +idventure.de, 1 +idvl.de, 1 +idwaste.com, 1 +idweblog.com, 1 +idwebsitehosting.com, 1 +idwebtools.tk, 1 +idxforza.com, 1 +idyl.fr, 1 +idysse.com, 1 +ie.edu, 1 +ie.search.yahoo.com, 0 +ieeesb.nl, 1 +ieeesbe.nl, 1 +ieeespmb.org, 1 +iegat.com, 1 +iegatpracticetest.com, 1 +ieiscccuba.tk, 1 +ieji.de, 1 +iemail.eu.org, 1 +iemb.cf, 1 +iemc.pt, 1 +iemsamex.com, 1 +ienakacs.jp, 1 +ienakanote.com, 0 +ienekolife.net, 1 +ienergizer.com, 1 +ieomidi.com, 1 +iepaiement.fr, 1 +iepanywhere.com, 1 +ieros.it, 1 +ies-italia.it, 0 +iesledzkarjeru.lv, 1 +iesonline.co.in, 1 +iesucreipi.edu.co, 1 +iet.co.za, 1 +ieti.eu, 1 +ieval.ro, 1 +ievgenialehner.com, 1 +iewar.com, 1 +iexaminer.org, 1 +iexpats.com, 1 +if-sikkerhet.no, 1 +if0.ru, 1 +ifacservice.be, 1 +ifadian.club, 1 +ifailed.tk, 1 +ifailedlife.tk, 1 +ifaisalmukhtar.tk, 1 +ifam-erfurt.de, 1 +ifan.ch, 0 +ifan.ws, 1 +ifangpei.cn, 1 +ifangpei.com.cn, 1 +ifasfest2022.com, 1 +ifbagro.in, 1 +ifcfg.jp, 1 +ifconfig.tk, 1 +ifdb.org, 1 +ifdif.com, 1 +ifederalland.com, 1 +ifelse.io, 1 +ifengge.cn, 1 +iffk.in, 1 +ifgcdn.com, 1 +ifh.cc, 1 +ifibe.com, 1 +ifisher.xyz, 1 +ifleurs.com, 1 +iflixtv.ga, 1 +iflscience.com, 1 +ifmilitaria.tk, 1 +ifmsa-lahore.tk, 1 +ifnet.fr, 1 +ifnulltrue.com, 1 +ifoa.it, 1 +ifohancroft.com, 1 +ifok.de, 1 +ifolder.ga, 1 +iforced.net, 1 +ifort.fr, 1 +ifosep.fr, 0 +ifoss.me, 1 +ifpe.edu.br, 1 +ifrabb.fr, 1 +iframefinancement.be, 1 +ifreemax.ml, 1 +ifreetion.cn, 1 +ifreetion.com, 1 +ifriend.tk, 1 +ifsaalemi.tk, 1 +ifsac.org, 1 +ifsh.me, 1 +ift.cx, 1 +iftarsaati.org, 1 +iftcentre.com, 1 +iftrue.de, 0 +ifur.ga, 1 +ifwhenhow.org, 1 +ifworlddesignguide.com, 1 +ifxd.bid, 1 +ifxnet.com, 1 +ifylofd.xyz, 1 +ifyou.live, 1 +ig-plastik.tk, 1 +ig.com, 1 +ig.me, 1 +ig.solutions, 1 +iga-semi.jp, 1 +igad.int, 1 +igame.ml, 1 +igamingaffiliateprograms.com, 1 +igamingdirectory.com, 1 +igamingnews.com, 1 +igamingnyheder.dk, 1 +igamingpocketdirectory.com, 1 +igamingsuppliers.com, 1 +igarage.nl, 0 +igc.in.th, 1 +igdb.com, 1 +igenuinebeauty.co.jp, 1 +igforum.tk, 1 +igfwd.email, 1 +iggies.tk, 1 +igglabs.com, 1 +iggprivate.com, 1 +iggsoft.com, 1 +iggsoftware.com, 1 +igi-2.com, 1 +igi.codes, 0 +igiftcards.de, 1 +igiftcards.nl, 1 +igimusic.com, 0 +igiugig.gov, 1 +igiveyouthisday.com, 1 +igk.nz, 0 +igkabel.cf, 1 +igkabel.ga, 1 +igkabel.gq, 1 +igkabel.ml, 1 +igkabel.tk, 1 +iglesiabelen.tk, 1 +iglesiaquecamina.tk, 1 +igln.fr, 1 +igloballaw.com, 1 +iglobus.cz, 0 +igloocommunities.com, 1 +igloodigitalworkplace.ca, 1 +igloodigitalworkplace.com, 1 +igloodigitalworkplaces.ca, 1 +igloopartnerportal.com, 1 +igloopreview.ca, 1 +igloosandbox.com, 1 +iglosujemy.pl, 1 +igmedia.ir, 1 +igmus.org, 1 +ign-proprete.fr, 1 +ignace72.eu, 1 +ignaciolacruz.com, 1 +ignacjanskiednimlodziezy.pl, 1 +ignat-mag.com, 1 +ignat-torcov.tk, 1 +ignat.by, 1 +ignatij.tk, 1 +ignatovich.by, 1 +ignatovich.me, 1 +ignet.gov, 1 +ignite-reading.com, 1 +ignite.cz, 1 +ignitedmindz.in, 1 +igniteenergy.co.uk, 1 +igniteheatcool.com.au, 1 +ignytebrands.com, 1 +igocarwraps.com, 1 +igor-hristenko.tk, 1 +igor-usov.tk, 1 +igorandandre.com, 1 +igorlink.com, 1 +igormiranda.com.br, 1 +igorrealestate.com, 1 +igorshishkin.com, 1 +igorshishkin.ru, 1 +igorskyflyer.me, 1 +igorville.gov, 1 +igorvisi.com, 1 +igorvlasov.tk, 1 +igorvracar.com, 1 +igorw.org, 1 +igotoffer.com, 0 +igpwned.com, 1 +igra-prestol.tk, 1 +igra3k.tk, 1 +igram.io, 1 +igramming.com, 1 +igranit.md, 1 +igraonicalara.tk, 1 +igrarium.com.ua, 0 +igrek.co.jp, 1 +igrivi.com, 1 +igrodrom-kvest.tk, 1 +igromasikov.tk, 1 +igrovoi-klub.tk, 1 +igrun.com, 1 +igrun80.com, 1 +igrun88.com, 1 +igrunplay.com, 1 +igry-onlayn.ru, 1 +igryalawar.tk, 1 +igshop.ir, 1 +igsmgmt.com, 1 +igsoc.org, 1 +igt.com, 1 +igualdaton.org, 1 +iguanacruda.tk, 1 +iguru.gr, 1 +igust4u-archive.ga, 1 +igva.or.kr, 1 +ih8sn0w.com, 1 +iha6.com, 1 +ihacares.com, 1 +ihackear.com, 1 +ihacker.ai, 1 +ihakkitekin.com, 1 +ihatethissh.it, 1 +ihc.im, 1 +ihcprofile.com, 1 +ihdev.party, 1 +ihe-europe.net, 1 +iheartguys.com, 1 +iheartguys.net, 0 +iheartguys.org, 1 +iheatwithoil.com, 1 +ihempz.cz, 0 +ihersua.es, 1 +ihk-onlinewahl2021.de, 1 +ihkk.net, 1 +ihls.world, 0 +ihmc.us, 1 +ihmmarketing.com, 1 +ihmphila.org, 1 +ihmsp.org, 1 +ihonk.com, 1 +ihoofs.com, 1 +ihorizon.jp, 1 +ihorvorotnov.com, 1 +ihost.md, 1 +ihostup.net, 1 +ihouseu.com, 1 +ihr-finanzcockpit.de, 1 +ihr-hausarzt-kleinmachnow.de, 1 +ihre-ernaehrung.de, 1 +ihre-pflege-sachsen.de, 1 +ihrhost.com, 1 +ihri.ca, 1 +ihsangans.my.id, 1 +ihwanburhan.com, 1 +ii-vi.com, 1 +ii.cx, 1 +ii5197.co, 1 +ii6729.co, 1 +ii6729.com, 0 +ii6957.co, 1 +ii9297.co, 1 +ii9728.co, 1 +iia.no, 1 +iibarizona.com, 1 +iid.sg, 1 +iidb.org, 1 +iideaz.org, 1 +iiet.pl, 1 +iig-order.com, 1 +iii-coalition.us, 1 +iiii.gq, 1 +iiii.loan, 1 +iiii.ml, 1 +iiij.ml, 1 +iiinhoj.com, 1 +iiit.pl, 1 +iimarckus.org, 1 +iinehp.com, 1 +iinf.in, 1 +iinfin.org, 1 +iinix.com, 1 +iino-iina.co.jp, 1 +iiong.com, 1 +iipaynationofsantaysabel-nsn.gov, 1 +iipvapi.com, 1 +iipython.cf, 1 +iir.com, 1 +iis.net, 1 +iisjy.cn, 1 +iispeed.com, 1 +iisuss.gq, 1 +iitneetprep.com, 1 +iitowns.ir, 1 +iitranslation.com, 1 +iitrust.lk, 1 +ij.rs, 1 +ijemin.com, 1 +ijianli.cn, 1 +ijm.com, 1 +ijmondlijn.nl, 1 +ijmuiderstrand.tk, 1 +ijnokmpl.cf, 1 +ijohan.nl, 1 +ijpmediagroup.com, 1 +ijsbaanwitten.nl, 1 +ijsblokjesvormen.nl, 1 +ijsclubtilburg.nl, 1 +ijsselglas.nl, 1 +ijubt.cf, 1 +ijunohana.jp, 1 +ijustwanttomeetmyheroes.com, 1 +ijzerwarenhandel.nu, 1 +ika.monster, 1 +ikachalife.com, 1 +ikall.com, 1 +ikama.cz, 1 +ikara.social, 1 +ikari-san.tk, 1 +ikaros.tk, 1 +ikarus-itkurs.de, 1 +ikasgela.com, 1 +ikazumitsu.tk, 1 +ikbenrichie.nl, 1 +ikeacareers.co.uk, 1 +ikebuku.ro, 1 +ikedaquotes.org, 1 +ikenmeyer.com, 1 +ikenmeyer.eu, 1 +ikerepc.tk, 1 +ikeyless.com, 1 +ikfloreer.nu, 1 +ikhwanfillah.com, 1 +ikikiv.com, 1 +ikiler.com, 1 +ikimo9.com, 1 +ikinokori-marketing.com, 1 +ikisser.de, 1 +ikiteker.org.tr, 1 +ikk-classic.de, 0 +ikk.me, 1 +ikkakujuku.work, 0 +ikkatsu-satei.jp, 1 +ikke-coach.nl, 1 +ikkev.de, 0 +ikkoku.de, 1 +iklan-baris.gq, 1 +iklan.tk, 1 +iklanbaris.tk, 1 +ikmx.net, 1 +iknowd.org, 1 +iknowthatgirl.com, 1 +ikoreg.nl, 1 +ikra24.in.ua, 1 +ikrab.club, 1 +iks.moe, 1 +iksi.cc, 1 +iksi.me, 1 +iksworld.kr, 1 +iktisatbank.com, 0 +ikuda.net, 1 +ikudo.top, 1 +ikumi.us, 1 +ikutin.id, 1 +ikvts.de, 1 +ikwildjworden.com, 1 +ikwileendomein.tk, 1 +ikwilscheiden.nl, 1 +ikx.me, 1 +ikzoekeengoedkopeauto.nl, 1 +ikzoektim.nl, 1 +il12thcourt.gov, 1 +il2eu.com, 1 +ila.tw, 1 +ilab.health, 1 +ilac101.com, 1 +ilacrehberi.com, 1 +ilag.gov, 1 +ilamparas.at, 1 +ilamparas.co.uk, 1 +ilamparas.com, 1 +ilamparas.com.co, 1 +ilamparas.com.ve, 1 +ilamparas.mx, 1 +ilard.fr, 1 +ilasoft.net, 1 +ilaunch.co.za, 1 +ilawgix.com, 1 +ilazycat.com, 1 +ilbiglietto24.eu, 1 +ilbiscottificiodipamparato.it, 1 +ilc552.com, 1 +ilc553.com, 1 +ilchaos.com, 1 +ilconiglioblu.it, 1 +ilcorrieredellacitta.com, 1 +ilcourthelp.gov, 1 +ilctucson.com, 1 +ildepu.tk, 1 +ildigitale.it, 1 +ildisagio.tk, 1 +ildomani.it, 1 +ile-kalorii.pl, 1 +ile-sapporo.jp, 1 +ilearned.eu, 0 +ilearningengines.com, 0 +ileat.com, 1 +ileci.de, 1 +ileduguesclin.fr, 1 +ilektronika-farmakeia-online.gr, 1 +ilemonrain.com, 1 +ileonidze.tk, 1 +ilericikadinlar.org, 1 +iletisimmakinesi.com, 1 +iletiyonetimi.com, 1 +iletmen.com, 1 +ilformichiere.com, 1 +ilfumoshop.ru, 1 +ilg.ink, 1 +ilgazhaliyikama.com, 1 +ilgisaglik.com, 1 +ilhan.name, 1 +ilhansubasi.com, 1 +ilhombek.ml, 1 +iliad78.net, 1 +iliamna.media, 1 +iliastsi.net, 1 +ilienonline.com, 1 +ilife.bg, 1 +iligang.cn, 1 +iligang.com, 1 +iligang.com.cn, 1 +iligang.link, 1 +iligang.net, 1 +iligang.xin, 1 +ilikepenguins.tk, 1 +ilikezo.tk, 1 +ilimar.tk, 1 +ilimitar.tk, 1 +ilin.dk, 1 +ilin.xyz, 1 +iliny.hu, 1 +ilionsky.com, 1 +iljadr.be, 1 +illaadventure.com, 1 +illadrodimerendine.it, 1 +illafuture.com, 1 +illambias.ch, 0 +illange.info, 1 +illative.net, 1 +illavobuempliz.ch, 1 +illegalpornography.com, 1 +illegalpornography.me, 1 +illerzell.de, 1 +illicitart.ca, 1 +illicopresto.net, 1 +illimitmail.com, 1 +illinitechservice.com, 0 +illinoiscaselaw.com, 1 +illinoiscourtscommission.gov, 1 +illinoiseagle.com, 0 +illinoisequipmentdistributors.com, 1 +illinoishealth.tk, 1 +illjinx.info, 1 +illnation.tk, 1 +illogical-gaming.at, 1 +illorenese.fr, 1 +illsley.org, 1 +illu.ee, 1 +illubel.com, 1 +illumed.net, 1 +illumepgh.com, 1 +illuminated-security.com, 1 +illuminatelife.tk, 1 +illuminaten.tk, 1 +illuminatisocietyworldwide.org, 1 +illuminatiwatcher.com, 1 +illumini.io, 1 +illumis.com, 0 +illusia.tk, 1 +illusionephemere.com, 0 +illusionsdoptique.com, 1 +illusionsix.com, 1 +illusiveshop.com, 1 +illustrate.biz, 1 +illuxat.com, 1 +ilmaestro.net, 1 +ilmainensanakirja.fi, 1 +ilmanifesto.it, 0 +ilmcorp.com, 1 +ilmiogiardiniere.it, 1 +ilmubahasainggris.com, 1 +iloft.xyz, 1 +iloli.name, 1 +ilona-france.tk, 1 +ilondres.es, 1 +ilonewolfs.com, 1 +ilonpolku.fi, 1 +ilouis.cn, 0 +ilove.fish, 1 +iloveasiancams.com, 1 +iloveawardcams.com, 1 +iloveboycams.com, 1 +ilovecomputering.com, 1 +ilovefanyi.win, 1 +ilovefun.tk, 1 +ilovegrowingmarijuana.com, 1 +iloveherb.ru, 1 +ilovejoycams.com, 1 +ilovelivecams.com, 1 +ilovelwy.com, 1 +ilovematurecams.com, 1 +ilovemycams.com, 1 +iloveporn.ml, 1 +iloveprivatecams.com, 1 +ilovesamara.tk, 1 +ilovesnow.ml, 1 +ilovestickers.gr, 1 +ilovethiscampsite.com, 1 +ilovetranniescams.com, 1 +ilovewallpaper.tk, 1 +iloveyoutoo.tk, 1 +ilovias-farm.fr, 1 +ilpapaverodermohn.it, 1 +ilpescara.it, 1 +ilpiacenza.it, 1 +ilpuntosano.it, 1 +ilrg.com, 1 +ils-savaient.fr, 1 +ils.lt, 1 +ilsalvagente.it, 1 +ilsaperedelgusto.it, 1 +ilsedelangeforum.tk, 1 +iltec.ru, 1 +iltis.live, 1 +iltis.rocks, 1 +iltombolo.tk, 1 +iltuogiardino.org, 1 +iltuomedicodifamiglia.it, 1 +ilug-ktm.tk, 1 +iluman.tk, 1 +ilumantio.tk, 1 +ilunion.tk, 1 +ilusionesopticas.net, 1 +ilusionistas.tk, 1 +ilusionphoto.com, 1 +ilusoesopticas.com, 1 +ilustradanuvem.pt, 1 +ilya-potemin-domain.tk, 1 +ilya.pp.ua, 1 +ilyabakhlin.com, 1 +ilyatsykunov.com, 1 +im-a.cricket, 1 +im-alter-daheim.ch, 0 +im-c-shop.com, 1 +im-haus-sonnenschein.de, 1 +im-in.space, 1 +im-internet-geld-verdienen.tk, 1 +im-razmakh.ru, 1 +im-s.net, 1 +im4h.de, 1 +im4h.eu, 1 +im4h.info, 1 +im66.net, 1 +ima-solutions.fr, 1 +imadalin.ro, 1 +image-cdn.co.uk, 1 +image-drive.de, 1 +image.hosting, 1 +image.ie, 1 +image.tf, 1 +image4arab.tk, 1 +imagealbums.tk, 1 +imagebin.ca, 1 +imagecom.tk, 1 +imagecurl.com, 1 +imagefu.com, 1 +imagen891.tk, 1 +imagenesdedibujosalapizfacilesdehacer.com, 1 +imageproductions.ga, 1 +imagequix.com, 1 +imagerecall.tk, 1 +imagerestorationcenter.com, 1 +imagerive.ch, 0 +imageshare.web.id, 1 +imagetostl.com, 1 +imagevillage.ir, 1 +imageworld.tk, 1 +imagex.graphics, 1 +imaginair.es, 1 +imaginarium.tk, 1 +imaginary.ca, 1 +imaginary.stream, 1 +imaginarymakings.me, 1 +imaginationpathway.com, 1 +imagine-programming.com, 1 +imagineata.ro, 1 +imaginebelfast.com, 1 +imaginefamilychiropractic.com, 1 +imaginelab.club, 1 +imagineokla.gov, 1 +imaginescape.tk, 1 +imaginethatevent.com, 1 +imaginethefloor.tk, 1 +imaginetricks.com, 1 +imagingstudio.co.uk, 0 +imagisphe.re, 1 +imajavm.com, 1 +imajjeans.com, 1 +imakash.gq, 1 +imakeyougreatagain.com, 1 +imakin.nl, 1 +imamenu.com, 1 +imamiyadental.jp, 1 +imanageproducts.co.uk, 1 +imanageproducts.com, 1 +imanageproducts.uk, 1 +imanolbarba.net, 1 +imanoles.ddns.net, 1 +imap.support, 1 +imap2imap.de, 1 +imaple.net, 1 +imaple.org, 1 +imara-reiki.de, 1 +imaret.com.tr, 1 +imarkethost.co.uk, 1 +imarketing.pe, 1 +imask.ml, 1 +imask.tk, 1 +imatraelekter.ee, 1 +imawasn-consulting.com, 1 +imaya.tk, 1 +imbd-pro.net, 1 +imbdagency.com, 1 +imbianchino.roma.it, 1 +imbit.tk, 1 +imboom.tk, 1 +imbrian.org, 1 +imbunatatiri-logan.tk, 1 +imbushuo.net, 1 +imck.ml, 1 +imcsi.cn, 1 +imdaadapp.com, 1 +imdb, 1 +imdb-pro.com, 1 +imdb-pro.net, 1 +imdb.com, 1 +imdb.me, 1 +imdb.pro, 1 +imdbpro.com, 1 +imdbresume.com, 1 +imdcc.net, 1 +ime-a-tolerancia-eredmenye.club, 1 +ime.moe, 1 +imed.com.pt, 1 +imed.pt, 1 +imedi.it, 1 +imediabay.com, 1 +imediafly.com, 1 +imediato.pt, 1 +imediatoonline.com, 1 +imedikament.de, 1 +imeria.tk, 1 +imerys-mineraux-decoratifs.com, 1 +imesh-light.tk, 1 +imex-dtp.com, 1 +imexm.mx, 1 +imexmed.com.gt, 1 +imfacademy.com, 1 +imfblog.com, 1 +imforza.com, 1 +img.cm, 1 +img.mg, 1 +img.ovh, 1 +img.ren, 1 +imgaa.com, 1 +imgbb.com, 1 +imgen.top, 1 +imgencrypt.com, 1 +imgg.es, 1 +imgmodels.com, 1 +imgo.ga, 1 +imgo.tk, 1 +imgup.co, 1 +imguploaden.nl, 1 +imhua.com, 1 +imi-rhapsody.eu, 0 +imibo.com, 1 +imicroscope.tk, 1 +imidge.com.ua, 1 +imigrasilampung.co.id, 1 +imigrate.me, 1 +imin.co, 1 +imine.ru, 1 +iminshell.com, 0 +imirhil.fr, 1 +imis.com.br, 1 +imisa.com.mx, 1 +imisto.net, 1 +imitationjewelry.tk, 1 +imitza.com, 0 +imjo.in, 1 +imjustcreative.com, 1 +imkan.tours, 1 +imkero.net, 1 +imkerverein-moenchswald.de, 1 +imkindofabigdeal.com, 1 +imksk.com, 1 +imlbp.com, 1 +imlbp.eu.org, 1 +imlec.net, 1 +imlhx.com, 1 +imlinan.cn, 1 +imlinan.info, 1 +imlinan.net, 1 +imlloyd.yt, 1 +imlonghao.com, 1 +imls.gov, 1 +immanuellutheranmedia.org, 1 +immarypoppinsyall.tk, 1 +immaterium.de, 1 +immbruxelles.com, 1 +immedia.net, 1 +immedicohospitalario.es, 1 +immense.ly, 1 +immersa.co.uk, 1 +immersionclub.tk, 1 +immersionwealth.com, 1 +immersivewebportal.com, 1 +immi.shop, 1 +immiboards.com, 1 +immigrantdad.com, 1 +immigration-lawyers.co.nz, 1 +immigrationdirect.com.au, 1 +immijobs.co.uk, 1 +immo-agentur.com, 1 +immo-aval.org, 1 +immo-express.ag, 1 +immo-express.biz, 1 +immo-express.info, 1 +immo-express.org, 1 +immo-israel.ltd, 1 +immo-les-allees.com, 1 +immo-ment.eu, 1 +immo-passion.net, 0 +immo-spezial.com, 1 +immo-spezial.eu, 1 +immo-spezial.org, 1 +immoaval.de, 1 +immoaval.mobi, 1 +immobilien-badlippspringe.de, 1 +immobilien-in-istanbul.de, 1 +immobilien-schrammek.de, 1 +immobilien-suedtirol.bz.it, 1 +immobilien-uster.ch, 1 +immobilien-wallat.de, 1 +immobilien-zirm.de, 1 +immobiliengutachter-holland.de, 1 +immobilienkredit.de, 1 +immobilienmakler-berlin-biesdorf.de, 1 +immobilienmakler-berlin-kaulsdorf.de, 1 +immobilienmakler-berlin-mahlsdorf.de, 1 +immobiliensachverstaendiger-ludwigsburg.de, 1 +immobiliensachverstaendiger-waiblingen.de, 1 +immobilienservice-website.de, 1 +immobilier-realiste.fr, 1 +immobilier-swiss.ch, 1 +immobilier.org.il, 1 +immobilier92.net, 1 +immobilierlibourne.com, 1 +immobilo.de, 1 +immocompar.com, 1 +immoel101.com, 1 +immoexpress.org, 1 +immoisrael.agency, 1 +immoisrael.be, 1 +immoisrael.ch, 1 +immoisrael.co.il, 1 +immoisrael.com, 0 +immoisrael.de, 1 +immoisrael.eu, 1 +immoisrael.fr, 1 +immoisrael.ltd, 1 +immoisrael.lu, 1 +immoisrael.net, 1 +immoisrael.nl, 1 +immoisrael.org, 1 +immoisrael.org.il, 1 +immomydesk.fr, 1 +immoponteq.com, 1 +immoraldoctors.tk, 1 +immortal-it.tk, 1 +immortal.org.in, 1 +immortal.run, 1 +immortalcorporation.tech, 1 +immortallove.tk, 1 +immortec.com, 1 +immortol.tech, 1 +immortuos.live, 1 +immospezial.info, 1 +immovisual.be, 1 +immtel.co, 1 +immtel.com, 1 +immune.cf, 1 +immunoboost.be, 1 +immutable.com, 1 +imnabrasive.com, 1 +imoads.com, 1 +imobile3.com, 1 +imobiliare.tk, 1 +imobiliariaemblumenau.com.br, 1 +imobiliariamax.com.br, 1 +imobiliariamoema.com.br, 1 +imobiliariaprofit.com.br, 1 +imobiliariarealdream.com.br, 1 +imobilien.tk, 1 +imoe.fun, 0 +imokuri123.com, 1 +imolights.com, 1 +imolights.net, 1 +imolog.cl, 1 +imoner.com, 1 +imoner.ga, 1 +imoneynet.com, 1 +imorano.it, 1 +imosthailand.com, 1 +imoter.it, 1 +imouto.ru, 1 +imouyang.com, 0 +imoveisavenda.rio.br, 1 +impact-lyon.fr, 1 +impact-visual.tk, 1 +impact.com, 1 +impact.health.nz, 1 +impactartstudy.com, 1 +impactcomics.com.au, 1 +impactdepth.com, 1 +impacter.eu, 1 +impactovenezuela.com, 1 +impactparcels.co.uk, 1 +impactparcels.com, 1 +impactpub.ch, 0 +impactyou-academy.nl, 1 +impactyou.nl, 1 +impakho.com, 1 +impalaparts.com, 1 +imparat.de, 0 +imparostobene.it, 1 +impartner.com, 1 +impas.se, 1 +impec-cable.com, 1 +impeka.in, 1 +impelup.com, 1 +impendulo.org, 1 +imperator-janssens.tk, 1 +imperdin.com, 1 +imperdintechnologies.com, 1 +imperial-legrand.com, 1 +imperialcounty.org, 1 +imperialearth.com, 1 +imperialfenceinc.com, 1 +imperialfencestlouis.com, 1 +imperialism.rip, 1 +imperialmetalproducts.com, 1 +imperialne.gov, 1 +imperials.family, 1 +imperialteam.tk, 1 +imperialwrestling.tk, 1 +imperiodamodamiranda.com.br, 1 +imperiodeleones.cl, 1 +imperiodigital.online, 1 +imperiodosvinhos.com.br, 1 +imperioth.com, 1 +imperiumnova.info, 1 +imperivm-romanvm.com, 1 +imperiyashop.tk, 1 +impermeabilisationqc.com, 1 +impex.com.bd, 1 +impexul.de, 1 +impf.site, 1 +impfung.cf, 1 +impfung.site, 1 +imphotep.net, 1 +impianti.it, 1 +impiantistica.org, 1 +impiantofotovoltaico.roma.it, 1 +impiricus.com, 1 +implantologiadentalgt.com, 1 +implicitsuccess.com, 1 +implosion.tk, 1 +implude.com, 0 +impns.org, 1 +imponet.com.ar, 1 +import-shopping.de, 1 +importanteducation.tk, 1 +importsagt.com, 1 +importsem.com, 1 +importsign.com, 1 +imposingoods.com, 1 +impossible.org, 1 +impossiblechoisir.tk, 1 +impossiblehq.com, 1 +impossiblenutrition.com, 1 +impossiblex.com, 1 +impotsimple.ca, 1 +imppac-schmuck.de, 1 +imppac.de, 1 +impreg-group.com, 1 +imprenditore.it, 1 +imprendo.co, 1 +imprendo.pro, 1 +imprensaglobal.com.br, 1 +imprensaglobal.org, 1 +imprenta-es.com, 1 +imprenta.bg, 1 +imprentamanonelles.com, 1 +impresa-di-pulizie.milano.it, 1 +impresa-di-pulizie.org, 1 +impresa-pulizie.it, 1 +impresadipulizia.milano.it, 1 +impresadipulizia.roma.it, 1 +impresadipulizie.roma.it, 1 +impresadipulizie.verona.it, 1 +impresaedile.roma.it, 1 +impresaitalia.info, 1 +impresapulizia.milano.it, 1 +impresapuliziacleanproject.it, 1 +impresapulizie.firenze.it, 1 +impresapulizie.it, 1 +impresapulizie.milano.it, 1 +impresapulizie.roma.it, 1 +impresapuliziebergamo.it, 1 +impress-app.com, 1 +impressao3d.ml, 1 +impressivebison.eu, 0 +impressivetitle.tk, 1 +imprezer.tk, 1 +imprezzor.com, 1 +imprimante-3d-store.fr, 1 +improbo-group.com, 1 +improd.works, 1 +improfestival.ee, 1 +improv.ee, 1 +improvebusinessonline.info, 1 +improved-madness.de, 1 +improvenerg.com, 1 +improvetoyourself.ga, 1 +improveyourvision.tk, 1 +improvingsleepnaturally.com, 1 +imprumutdeurgenta.ro, 1 +impudence.tk, 1 +impuls.tk, 1 +impulse-clan.de, 1 +impulsewebdesign.nl, 1 +impulsocristiano.com, 1 +imququ.com, 1 +imranc.ca, 1 +imranhossen.ml, 1 +imransarwar.com, 1 +imrbq.com, 1 +imreh.net, 1 +imro.ie, 1 +imrozrum.k12.tr, 1 +imrunner.com, 1 +imrunner.ru, 1 +ims-dc.com, 1 +ims-sargans.ch, 1 +imsace.tk, 1 +imstocker.com, 1 +imtec-rohr.de, 1 +imtikai.ml, 1 +imtikaib.ml, 1 +imtools.gq, 1 +imumed.cz, 1 +imunify360.com, 1 +imusionforum.tk, 1 +imwalking.de, 1 +imy.rs, 0 +imyjy.cn, 1 +imzhu.com, 1 +imzye.me, 1 +in-1xbet.com, 1 +in-bachelor.de, 1 +in-books.tk, 1 +in-crypto.tk, 1 +in-depth.wiki, 1 +in-depthoutdoors.com, 1 +in-flame-team.com, 1 +in-flames.com, 1 +in-line.ru, 1 +in-love.tk, 1 +in-star.com.ua, 1 +in-ua.com, 1 +in.search.yahoo.com, 0 +in.xero.com, 0 +in10tion.com, 0 +inaji.com, 1 +inakasoftware.com, 1 +inakipsikologoa.com, 1 +inalvittile.cf, 1 +inalvittile.ga, 1 +inalvittile.ml, 1 +inalvittile.tk, 1 +inanaji.ga, 1 +inanam.tk, 1 +inanan.cf, 1 +inandoutcarwashcharleston.com, 1 +inanec.gq, 1 +inaned.ga, 1 +inaproc.id, 1 +inara.cz, 1 +inares.org, 1 +inarizona.tk, 1 +inawisdom.com, 1 +inbetweenathome.nl, 1 +inbitcoin.it, 1 +inblank.tk, 1 +inbound.tk, 1 +inbounder.io, 0 +inbox.google.com, 1 +inbox.gq, 1 +inboxceo.com, 1 +inboxen.org, 1 +inboxsms.tk, 1 +inboxxme.com, 1 +incarceratedwombats.com, 1 +incarter.ga, 1 +incaweb10.es, 1 +ince.tools, 1 +inceif.edu.my, 1 +incels.is, 1 +incels.wiki, 1 +inceneritore.ga, 1 +incent-fit.co, 1 +incent-fit.com, 1 +incent.fit, 1 +incent.fitness, 1 +incentafit.co, 1 +incentea.com, 1 +incentefit.co, 1 +incentehealth.com, 1 +incentfitness.com, 1 +incentifit.co, 1 +incentihealth.com, 1 +incentivefit.com, 1 +incentivi.it, 1 +incentofit.com, 1 +inceptionband.tk, 1 +incert.cn, 1 +incertint.com, 1 +inchargeus.net, 1 +inchcape-fleet-autobid.co.uk, 1 +inchenaim.com, 1 +inchidi.id, 1 +incident.dk, 1 +incidentresponsesolution.com, 1 +incidentresponsesystem.com, 1 +includesubdomains.preloaded.test, 1 +includesubdomains2.preloaded.test, 1 +inclusio.shop, 1 +inclusion.tn, 1 +inclusionhcpa.org, 1 +inclusioproject.com, 1 +inclusiv.nl, 0 +incn.su, 1 +incnjp.com, 1 +incognito.org.uk, 1 +incoherent.ch, 1 +income-earnings.tk, 1 +incomeestatellc.com, 1 +incomeplus.tk, 1 +incometaxbengaluru.org, 1 +incometricks.tk, 1 +incomewithdraw.tk, 1 +incomfinance.tk, 1 +incommon.io, 1 +incompliance.de, 1 +inconkz.com, 1 +inconsciente.tk, 1 +incontactmetjezelf.nl, 1 +inconvietnam.vn, 1 +incore.com, 1 +incorp.asia, 1 +incorp.ph, 1 +incorporatedstyle.com, 1 +incowrimo.org, 1 +incpak.com, 1 +incredibilis.tk, 1 +incrediblenews.tk, 1 +incrediblez.tk, 1 +increment.com, 1 +incrementation.net, 0 +increso.it, 1 +increyble.com, 1 +incrom.com, 0 +inculate.tk, 1 +incurvy.de, 1 +ind.ie, 1 +indamail.hu, 1 +indata42.nl, 1 +indatable.com, 1 +indecente.tk, 1 +indeco.com.ec, 1 +indecomm.com, 1 +indeika.ml, 1 +indeksonline.tk, 1 +indemer.mc, 1 +indenturaswork.lt, 1 +independenceia.gov, 1 +independenceliveers.ga, 1 +independenceliveest.ga, 1 +independencerecovery.com, 1 +independent-bank.com, 1 +independent-operators.com, 1 +independent-photo.com, 1 +independentadvicefinancial.ga, 1 +independentbookshopers.ga, 1 +independentbookshopest.ga, 1 +independentfinancial.ga, 1 +independentmoneyadvice.ga, 1 +independentpartyofamerica.tk, 1 +independenttravelcats.com, 1 +independenttribune.com, 1 +independenza.tk, 1 +independesk.com, 1 +indevelopment.tk, 1 +index-education.com, 1 +index-education.net, 1 +index-games.com, 1 +indexbase.ru, 1 +indexcesmad.cz, 1 +indexhost.tk, 1 +indexmarket.ga, 1 +indexmarket.gq, 1 +indexmod.gq, 1 +indexpert.es, 1 +indexsalaire.be, 1 +india-1xbet.com, 1 +india-ennenga.ga, 1 +india-export.com.ua, 1 +indiaai.gov.in, 1 +indiada.ru, 1 +indiaexamresult.in, 1 +indiaexport.com.ua, 1 +indiaflowermall.com, 1 +indiafm.tk, 1 +indiaforums.com, 1 +indiainteriors.in, 1 +indiainvestments.wiki, 1 +indiamistress.tk, 1 +indian-elephant.com, 1 +indian-health-news.com, 1 +indianaberry.com, 0 +indianacareerconnect.com, 1 +indianaffairs.gov, 1 +indianahealth.tk, 1 +indianajail.gov, 1 +indianapolismet.org, 1 +indianapolisnews.ml, 1 +indianapolispsychologistsers.ga, 1 +indianapolispsychologistsest.ga, 1 +indianapolisrestorations.com, 1 +indianareflux.com, 1 +indianawaterdamagerepairpros.com, 1 +indianbank.in, 1 +indianbeauty.ml, 1 +indianbridalservices.com, 1 +indianbrides.cf, 1 +indiancreekvillagepdfl.gov, 1 +indianculture.gov.in, 1 +indiandramasonline.tk, 1 +indianengineer.tk, 1 +indianet.tk, 1 +indiangamingreport.com, 1 +indianhairextension.tk, 1 +indianheadcu.org, 1 +indianhelpline.in, 1 +indianhill.gov, 1 +indiankart.nl, 1 +indianlakepa.gov, 1 +indianmasala4u.tk, 1 +indianporn2.xxx, 1 +indianriver.gov, 1 +indiantechhunter.tk, 1 +indianvirginhumanhair.tk, 1 +indianwarriors.tk, 1 +indianwellsca.gov, 1 +indianwomen.cf, 1 +indiapostgdsonline.gov.in, 1 +indiatechblogger.cf, 1 +indiatourhelp.tk, 1 +indiatravel.ml, 1 +indiaviral.ga, 1 +indiavotekar.com, 1 +indiawise.co.uk, 1 +indiaworlddigital.tk, 1 +indicatifs.fr, 1 +indico.tk, 1 +indicodata.ai, 1 +indicure.com, 1 +indiecat.tk, 1 +indieethos.com, 0 +indiemovementers.ga, 1 +indiemovementest.ga, 1 +indiereview.tk, 1 +indievelopment.nl, 1 +indieweb-endpoints.cc, 1 +indieweb.rocks, 1 +indigartbeading.ca, 1 +indigartbeading.com, 1 +indigenous.gov.au, 1 +indigestiblesuppuration.tk, 1 +indignes-strasbourg.tk, 1 +indigo.pet, 1 +indigo.tk, 1 +indigobooks.gq, 1 +indigojewelers.com, 1 +indigopaints.be, 1 +indigosakura.com, 1 +indigterms.com, 1 +indihome.co.id, 1 +indika.pe, 1 +indilens.com, 1 +indimike.tk, 1 +indioca.gov, 1 +indir2017.tk, 1 +indirhadi.tk, 1 +indirimkuponumarketim.com, 1 +indironline.com, 1 +inditip.com, 1 +inditoot.com, 1 +indivicloud.me, 0 +individualobligation.com, 1 +individuals.tk, 1 +indiwebawards.tk, 1 +indiwtf.com, 1 +indiya-kino.gq, 1 +indiya-land.ru, 1 +indlish.ga, 1 +indnews.ga, 1 +indo-wiki.fr, 1 +indo4life.tk, 1 +indobo.com, 1 +indobrains.id, 1 +indochinatravel.tk, 1 +indodax.com, 1 +indoetis-surneli.ga, 1 +indoface.ga, 1 +indofountain.tk, 1 +indogenius.org, 1 +indogermantrade.de, 1 +indoglobenews.co.id, 1 +indoidnews.ga, 1 +indoittraining.com, 0 +indonesiatrip.tk, 1 +indonesiax.co.id, 1 +indoor-kletterwald.de, 1 +indoorlandmarks.com, 1 +indopress.tk, 1 +indorepack.com, 1 +indospot.ml, 1 +indospot.tk, 1 +indotravels.tk, 1 +indovinabank.com.vn, 1 +indovision.tk, 1 +indramas.tk, 1 +indramdhani.net, 0 +indranesia.tk, 1 +indraq.tk, 1 +indreams.me, 1 +indtwpmi.gov, 1 +induehorse.co.uk, 1 +indumar.com, 1 +indumentaria-arabe.tk, 1 +induoloog.nl, 1 +indusap.com, 1 +indusfastremit-us.com, 1 +indusfastremit.com, 1 +indust.me, 1 +industreiler.com.br, 1 +industriafranchini.com, 1 +industrial-remote-control.com, 1 +industrial-ventilation.eu, 1 +industrialalpinism.tk, 1 +industrialcalibration.co.uk, 1 +industrialcomputers.com, 1 +industrialcontainer.com, 1 +industrialgassprings.com, 1 +industrialprecisionmfg.com, 1 +industrilokal.com, 1 +industrydecarbonization.com, 1 +industryoutlaws.tk, 1 +industryskillsaustralia.org.au, 1 +indyandmeskincare.com.au, 1 +indybay.org, 1 +indyperio.com, 1 +indyroom.tk, 1 +indyscouts.tk, 1 +inebula.it, 1 +ineedmore.domains, 1 +ineffect.net, 1 +inefin.tk, 1 +ineight.com, 1 +inertianetworks.com, 1 +inery.io, 1 +inesfinc.es, 1 +inesnutricion.com, 1 +inessoftsec.be, 1 +inet.se, 1 +inetdesign.tk, 1 +inethost.eu, 1 +inetinfo.io, 1 +inetol.net, 1 +inetserver.eu, 1 +inetsoftware.de, 1 +inetuser.tk, 1 +inetworking.it, 1 +ineuron.ai, 1 +inevitavelbrasil.com.br, 1 +inevo.com, 1 +inevo.no, 1 +inews.bg, 1 +inewsten.com, 1 +inex.one, 0 +inexlog.fr, 1 +inexpensivecomputers.net, 1 +ineztheminiatureelephant.com, 1 +inf-fusion.ca, 1 +inf-it.com, 1 +inf0sec.nl, 1 +infalaw.com, 1 +infamousguild.tk, 1 +infans.be, 1 +infantry.org.ua, 1 +infarktniki.ru, 1 +infarmbureau.com, 1 +infcloud.com, 1 +infectedvoice.tk, 1 +infecyon.tk, 1 +infeedo.com, 1 +infelix.tk, 1 +infelko.ru, 1 +inference.biz.tr, 1 +inferencium.com, 1 +inferencium.net, 1 +inferiousbypasser.cf, 1 +infermiere.roma.it, 1 +inferse.com, 1 +infertilitycure.tk, 1 +inffin-portal.com, 1 +inffin-portal.de, 1 +infhosting.com.au, 1 +inficom.org, 1 +infidel.org, 1 +infidels.me, 1 +infidels.org, 1 +infidia.tk, 1 +infiernoalgecireno.tk, 1 +infihow.com, 1 +infinan.ru, 1 +infineon-bipolar.com, 1 +infinether.net, 1 +infinifit.store, 1 +infinipharm.com, 1 +infinite.com, 1 +infiniteautomation.com.au, 1 +infiniteid.com, 1 +infinitelightofbeing.org, 1 +infinitenews.cf, 1 +infinitenews.ml, 1 +infiniteserieslabs.com, 1 +infinitiofallentownparts.com, 1 +infinitiofaugustaparts.com, 1 +infinitioflynnwoodparts.com, 0 +infinitiofmarinparts.com, 1 +infinitipartsdeal.com, 1 +infinito.tk, 1 +infinitomarca.com, 1 +infinitoporciento.tk, 1 +infinity-computer-systems.com, 1 +infinitybas.com, 1 +infinitybc.se, 1 +infinitybooksindia.in, 1 +infinitybots.gg, 1 +infinityels.com, 1 +infinityengine.org, 1 +infinityepos.co.uk, 1 +infinityfaces.tk, 1 +infinityname.tk, 1 +infinityonce.ml, 1 +infinityready.com, 1 +infinityrecruitinggroup.com, 1 +infinityvr.net, 1 +infinityweb.com.au, 1 +infinoe.fr, 1 +infinum.com, 1 +infirmieredevie.ch, 0 +infirmiers-montpellier.fr, 1 +infla-tables.tk, 1 +inflammatory.tk, 1 +inflanev.com, 1 +inflatablehire-scotland.co.uk, 1 +inflatablesny.com, 1 +inflatamania.com, 1 +inflate-a-bubbles.co.uk, 1 +inflatiecalculator.nl, 1 +inflationstation.net, 1 +inflexa.com, 1 +inflexsys.com, 0 +infloat.de, 1 +influencemobile.services, 1 +influencestaging.services, 1 +influentsolutions.ch, 1 +influo.com, 1 +influxus.com, 0 +info-beamer.com, 1 +info-bolivia.tk, 1 +info-compusciencetech.tk, 1 +info-days.tk, 1 +info-eolien.fr, 1 +info-free.ml, 1 +info-it.tk, 1 +info-kiwi.tk, 1 +info-o-zbozi.cz, 1 +info-obzor.ga, 1 +info-obzor.ml, 1 +info-reason.cf, 1 +info-screen.me, 1 +info-sell.ml, 1 +info-sys.tk, 1 +info-tech.tk, 1 +info-thailand.ru, 1 +info-usaha.tk, 1 +info.go.th, 1 +info.gov, 1 +info2all.nl, 1 +info4camper.com, 1 +infoaboutlawyers.com, 1 +infoamin.com, 1 +infoapis.net, 1 +infobae.com, 1 +infobalkans.com, 1 +infobanglanet.tk, 1 +infobasquet.tk, 1 +infobiznes.cf, 1 +infobiznes.ga, 1 +infobiznes.tk, 1 +infoblogs.pl, 1 +infoblox.com, 0 +infobot.email, 1 +infobot.eu, 1 +infobot.nl, 1 +infobrain.net, 1 +infobrest.tk, 1 +infobusinessnews.tk, 1 +infocanada.tk, 1 +infocanicatti.tk, 1 +infocapsol.com, 1 +infocision.com, 1 +infocoin.es, 1 +infocommsociety.com, 0 +infocrypto.pl, 1 +infocus.company, 1 +infocusvr.net, 1 +infodesigners.eu, 1 +infodesk.at, 1 +infodis.com, 1 +infoduv.fr, 1 +infoeccos.com, 1 +infofamouspeople.com, 1 +infoflora.ch, 1 +infofp.tk, 1 +infogai.tk, 1 +infogamesports.tk, 1 +infogate.ga, 1 +infogram.com, 1 +infogress.tk, 1 +infogrfx.com, 1 +infogroups.ml, 1 +infogym.com, 1 +infohas.ma, 1 +infohunter.education, 1 +infoiinfo.tk, 1 +infoindia.tk, 1 +infoiptv.tk, 1 +infoislamharian.tk, 1 +infojeunes.fr, 1 +infojmp.com, 1 +infokesehatan.ga, 1 +infoland.ml, 1 +infolead.tk, 1 +infolibertaire.net, 1 +infomail-online.ml, 1 +infomalin.fr, 1 +infomarradi.it, 1 +infomatricula.pt, 1 +infomax.gr, 1 +infomeddnews.com, 1 +infomexico.tk, 1 +infomikulcice.cz, 1 +infomir.eu, 1 +infomir.store, 0 +infomoney.com.br, 1 +infonet.fr, 1 +infopaperiguatemi.com.br, 1 +infoparamigrantes.com, 1 +infopedia.tk, 1 +infopercept.com, 1 +infopreneur.blog, 1 +infoprofuse.com, 1 +infopulse.com, 1 +infopuntzorg.nl, 0 +inforabota.tk, 1 +inforata.com, 1 +inforegister.ee, 1 +inforeviews.ru, 1 +inforge.tk, 1 +inforges.es, 1 +inform.kz, 1 +informace-zbozi.cz, 1 +informaciondeciclismo.com, 1 +informacionsexual.com, 1 +informal.pk, 1 +informalflowers.com, 1 +informasidumay.gq, 1 +informassist10.fr, 1 +informat.ga, 1 +informaticapremium.com, 0 +informaticien.tk, 1 +informaticmousset.tk, 1 +informaticoalicante.tk, 1 +informaticolamancha.tk, 1 +informatiger.net, 1 +informatik-handwerk.de, 1 +informationdoor.ga, 1 +informationdoorers.ga, 1 +informationdoorest.ga, 1 +informationinhindi.tk, 1 +informationliteracy.gov, 1 +informationnetworkwebsite.com, 1 +informationntechnology.com, 1 +informationrx.org, 1 +informations-echafaudages.com, 1 +informations-reglementees-sfil.fr, 1 +informationsarchiv.net, 1 +informationsaveers.ga, 1 +informationsaveest.ga, 1 +informatique-13.com, 1 +informatiquefacile.fr, 1 +informatiquenevers.fr, 1 +informator.tk, 1 +informelles.tk, 1 +informnapalm.org, 1 +informspb.tk, 1 +inforok.tk, 1 +inforopub.tk, 1 +infortheride.com, 1 +infosactu.com, 1 +infoschool.ml, 1 +infosec-handbook.eu, 0 +infosec.exchange, 0 +infosec.md, 1 +infosec.mv, 1 +infosec.pizza, 1 +infosec.wiki, 1 +infoseccenter.ro, 1 +infosecchicago.com, 1 +infosecdecompress.com, 1 +infosecsw.ca, 1 +infosectek.io, 1 +infosectekniques.com, 1 +infosective.org, 1 +infosenior.ch, 0 +infoserp.net.pe, 1 +infoshield.sa, 1 +infosolution.biz, 1 +infosoph.org, 1 +infostor.com, 1 +infosubasta.es, 1 +infosystem.cf, 1 +infotabla.si, 1 +infotax24.com.pl, 1 +infotectsecurity.com, 1 +infoteka.cf, 1 +infotekno.co.id, 1 +infotics.es, 1 +infotune.nl, 1 +infotv.io, 1 +infotype.ga, 1 +infouspekh.ru, 1 +infovb.org, 1 +infoventas.store, 1 +infovision-france.com, 1 +infowaywebsolutions.com, 1 +infoweb.ee, 1 +infowheels.tk, 1 +infoworm.org, 1 +infra-group.eu, 1 +infra-se.com, 1 +infra-voice.hu, 1 +infra.beer, 1 +infra.land, 1 +infra.press, 1 +infraball.com, 1 +infrabeep.com, 1 +infrabeta.com, 1 +infrabind.com, 1 +infrabold.com, 1 +infrabond.com, 1 +infraboom.com, 1 +infrabox.nl, 1 +infraclass.com, 1 +infraclip.com, 1 +infracron.com, 1 +infradart.com, 1 +infradeep.com, 1 +infradio.am, 1 +infradisk.com, 1 +infradive.com, 1 +infradot.com, 1 +infradrop.com, 1 +infraedifice.com, 1 +infrafile.com, 1 +infrafind.com, 1 +infrafire.com, 1 +infraflip.com, 1 +infraflux.com, 1 +infrafuse.com, 1 +infrafusion.com, 1 +infraget.com, 1 +infralicht.nl, 0 +infralira.com, 1 +infralist.com, 1 +infraloon.com, 1 +inframake.com, 1 +inframeet.com, 1 +inframenu.com, 1 +inframetro.com, 1 +inframint.com, 1 +infraname.com, 1 +infranest.com, 1 +infranium.com, 1 +infranium.eu, 1 +infranium.info, 1 +infranium.net, 1 +infranium.org, 1 +infranotes.com, 1 +infranoto.com, 1 +infranox.com, 1 +infrapass.com, 1 +infrapedia.ch, 1 +infrapeer.com, 1 +infrapilot.com, 1 +infraping.com, 1 +infrapirtis.lt, 1 +infrapixel.com, 1 +infraplot.com, 1 +infraplushk.com, 1 +infrarank.com, 1 +infrarate.com, 1 +infrareader.com, 1 +infraredradiant.com, 1 +infras.fr, 1 +infrasend.com, 1 +infraspin.com, 1 +infrastat.com, 1 +infrastatic.com, 1 +infratank.com, 1 +infratask.com, 1 +infrathink.com, 1 +infratrip.com, 1 +infravibe.com, 1 +infravideo.com, 1 +infravoce.com, 1 +infravoice.com, 1 +infraware.com, 1 +infrazine.com, 1 +infruction.com, 1 +infstudios.nl, 1 +infuse-mn.gov, 1 +infusemedia.com, 1 +ing, 1 +ing-buero-junk.de, 1 +ing.dk, 1 +ingalabs.hu, 1 +ingatlanjogaszok.hu, 1 +ingatlanneked.hu, 1 +ingbusiness.pl, 1 +inge-deco.com, 1 +inge-r.nl, 1 +ingebroer.com, 1 +ingegnereambientale.tk, 1 +ingemmologie.com, 1 +ingenesis.com, 1 +ingeni.ink, 1 +ingenieriaclinica.org, 0 +ingenieure-website.de, 1 +ingenious-development.tk, 1 +ingenium.si, 1 +ingeniumsociety.tk, 1 +ingenius.ws, 1 +ingenuitycloudservices.com, 1 +ingerhy.com, 1 +ingermany.ml, 1 +ingersolltwpmi.gov, 1 +inges-kattehjem.dk, 1 +ingeseratlantica.es, 1 +ingestion.life, 1 +ingevorderd.nl, 1 +ingfreelancer.com, 1 +ingfss.ru, 1 +inghamcountymi.gov, 1 +ingilizceturkce.gen.tr, 1 +ingjobs.ch, 1 +inglebycakes.co.uk, 1 +inglesencanada.cf, 1 +inglesfoco.com.br, 1 +inglesideonthebaytx.gov, 1 +inglesnarede.com.br, 1 +inglessantacruz.tk, 1 +inglestotal.tk, 1 +ingo-schlueter.de, 1 +ingolfsskali.is, 1 +ingoschlueter.de, 1 +ingrain-ed.com, 1 +ingrammicrocloud.com, 1 +ingresatupedido.com, 1 +ingresosautomaticos.tk, 1 +ingresospasivosyafiliados.online, 1 +ingridbai.me, 1 +ingridvanderveen.com, 1 +ingticos.com, 1 +ingushetia.tk, 1 +ingwaz.org, 1 +inhabitgroup.com, 1 +inhale.it, 1 +inhaltsangabe.de, 1 +inhere.cf, 1 +inherfeet.ml, 1 +inhoff.eu, 1 +inhomedesign.ro, 1 +inhouseents.co.uk, 1 +inhousehr.nl, 1 +inia.ai, 1 +iniiter.com, 1 +iniitian.com, 1 +inilabs.xyz, 1 +inilahgorontalo.com, 1 +inilahkalsel.com, 1 +inilahkendari.com, 1 +inilahtv.com, 1 +inima.org, 1 +inimicalpart.com, 1 +inin.gq, 1 +init.blog, 1 +init.ink, 1 +init3.cn, 1 +initblogger.com, 1 +initiative20x20.org, 1 +initq.net, 1 +initramfs.io, 1 +initrandom.com, 1 +inizio.pe, 1 +injerry.com, 1 +injigo.com, 0 +injuryactive.com, 1 +injurylawyers.com, 1 +injurylawyersphoenixaz.com, 1 +injust.cf, 1 +injust.ga, 1 +injust.gq, 1 +injust.me, 1 +injust.ml, 1 +injust.tk, 1 +inkandtonerni.co.uk, 1 +inkbeau.com, 1 +inkblogdb.com, 1 +inkblot.art, 1 +inkbunny.net, 1 +inkburners.ga, 1 +inkburnest.ga, 1 +inkdawgz.com, 1 +inkdrop.co.za, 0 +inkedin.com, 1 +inkeliz.com, 1 +inkerotic.com, 1 +inkerz.com.br, 1 +inkforall.com, 1 +inkhor.se, 1 +inkhub.com.au, 1 +inkjets-inks.tk, 1 +inkliners.tk, 1 +inkognito.cf, 1 +inkognito.ga, 1 +inkognito.gq, 1 +inkognito.ml, 1 +inkomensafhankelijkehuurverhoging.nl, 1 +inkopers.org, 1 +inkor.tk, 1 +inkpay.com, 1 +inksay.com, 1 +inkteeshop.com, 1 +inkthedealseminars.com, 1 +inkthemes.com, 1 +inkthreadable.co.uk, 1 +inkubatori.tk, 1 +inkurz.de, 1 +inkvisual.tk, 1 +inlabo.de, 1 +inlights.io, 1 +inlimiters.ga, 1 +inlimitest.ga, 1 +inline-online.tk, 1 +inline-sport.cz, 1 +inlinea.ch, 1 +inlineskates.tk, 1 +inlink.ee, 1 +inlink.ltd, 1 +inlocon.de, 1 +inlt.com, 1 +inlumi.com, 1 +inmaaa.cf, 1 +inmamaskitchen.com, 1 +inmaps.xyz, 1 +inmatefinancial.com, 1 +inmateintake.com, 1 +inmedic.pl, 1 +inmemoria.tk, 1 +inmemorium.tk, 1 +inmemoryofdaniella.com, 1 +inmigracion-florida.com, 1 +inmobanking.com.gt, 1 +inmobiliaria-sanpablo.cl, 1 +inmobiliariamarino.com, 0 +inmobiliariaredimido.com, 1 +inmobillium.fr, 1 +inmonteblandinio.be, 1 +inmoodforsex.com, 1 +inmoterrenas.com, 1 +inmotionmktg.com, 1 +inmoveskates.com, 1 +inmucrom.com, 1 +inmucrom.es, 1 +inmuseworld.tk, 1 +inmusicfestival.com, 1 +inmyhead.tk, 1 +innainnaki.net, 1 +innatocol.com, 1 +inncoaching.nl, 1 +inner-vision.tk, 1 +innerdarkside.tk, 1 +innerfence.com, 1 +innerlife.company, 1 +innerlifeskills.com, 1 +innerlightcrystals.co.uk, 1 +innermarkerranch.com, 1 +innermindpsychology.com.au, 1 +innermostparts.org, 1 +innerpeace.tk, 1 +innersafe.com, 1 +innerspace.ae, 1 +innertrip.co.kr, 1 +innewsweekly.com, 1 +innico.cf, 1 +inniger.be, 1 +innio.com, 1 +innisfildental.com, 1 +inno.ch, 0 +inno2grid.com, 1 +innocence.org.cn, 0 +innocenceseekers.net, 1 +innogames.com, 1 +innogames.de, 1 +innohb.com, 1 +innolabfribourg.ch, 1 +innoloop.com, 0 +innopharmaeducation.com, 1 +innopharmatechnology.com, 1 +innosysdelft.com, 1 +innot.net, 1 +innotec.security, 1 +innoteil.com, 1 +innoteknology.com, 1 +innov.in, 1 +innova-online.at, 1 +innova-scape.info, 1 +innovacoachgroup.com, 1 +innovae.eu, 0 +innovairservices.ch, 0 +innovamag.com, 1 +innovaptor.at, 1 +innovaptor.com, 1 +innovasistemas.com, 1 +innovate-indonesia.com, 1 +innovateohio.gov, 1 +innovateohioplatform.gov, 1 +innovation-workshop.ro, 1 +innovation.gov, 1 +innovationbranding.ga, 1 +innovationbrandingers.ga, 1 +innovationbrandingest.ga, 1 +innovationcu.ca, 1 +innovationrealtygrp.com, 1 +innovative-trading.tk, 1 +innovativeactors.com, 1 +innovativebuildingsolutions.co.za, 1 +innovativefoodservices.com, 1 +innovativeglass.co.nz, 1 +innovativeideaz.org, 1 +innovativetrials.com, 1 +innovativeunderwriters.com, 1 +innoventity.in, 1 +innover.se, 1 +innoviahome.com, 0 +innovion.it, 1 +innovomuebles.com, 1 +innovum.cz, 1 +innowire.tk, 1 +innsaimonitor.com, 1 +innsalzachsingles.de, 1 +innvisiondesign.net, 1 +innwan.com, 1 +inoa8.com, 1 +inoapps.com, 1 +inocelda.com, 1 +inoio.de, 1 +inomics.com, 1 +inondation.ch, 0 +inorbit.io, 1 +inorden.se, 1 +inoreader.com, 1 +inorigo.com, 1 +inorigo.net, 1 +inoruhana.com, 1 +inosek.com, 1 +inostudio.com, 1 +inostudio.ru, 0 +inotecsoftware.com, 1 +inourtime.cn, 1 +inovalon.com, 1 +inovalon.global, 1 +inovasirumahku.tk, 1 +inovatec.ca, 1 +inovatec.com, 1 +inovatecapi.com, 1 +inovatecsystems.com, 1 +inovigo.ro, 1 +inovitec.ro, 1 +inox-deurtrekkers.be, 1 +inoxandco.com, 1 +inparkmagazine.com, 1 +inpas.co.uk, 1 +inpasa.com.br, 1 +inpdp.tk, 1 +inpector.de, 1 +inpresso.pl, 1 +inprode.com, 1 +inprosy.com, 1 +inpulsetech.io, 1 +input.sh, 1 +inputdriven.com, 1 +inputmodes.com, 1 +inqorp.ca, 1 +inquant.de, 1 +inquisicion.tk, 1 +inquisition.is, 1 +inrage.fr, 0 +inrilan.tk, 1 +ins-jpn.com, 1 +ins-kreativ.de, 1 +ins.to, 0 +ins1gn1a.com, 1 +insame.space, 1 +insanb.com, 1 +insancendekiams.sch.id, 1 +insane.zone, 1 +insaneair.co.uk, 1 +insanedevs.com, 1 +insanepyro.tk, 1 +insanity.zone, 1 +insblauehinein.nl, 1 +inschrijfformulier.com, 1 +inscom.events, 1 +inscribe.ai, 1 +inscribeinternal.com, 1 +inscribeusercontent.com, 1 +inscripcionessena.com, 1 +inscriu.ro, 1 +insecret.ua, 1 +insecure.org.je, 1 +insegne.roma.it, 1 +insemed.de, 1 +inserior.com, 1 +inserta.tk, 1 +insertcoins.net, 1 +insertcredit.com, 1 +insertface.com, 1 +inshapenutrition.com.br, 1 +inshared.nl, 1 +inshibackdrop.com, 1 +inshop.hu, 1 +insiberia.tk, 1 +inside-m2m.de, 1 +inside-the-outside.com, 1 +insideastronomy.tk, 1 +insideaudit.com, 1 +insidebeach.com.br, 1 +insidebedroom.com, 0 +insideevs.com, 1 +insideevs.com.ar, 1 +insideevs.com.tr, 1 +insideevs.de, 1 +insideevs.fr, 1 +insideevs.ru, 1 +insidegnss.com, 1 +insidehook.com, 1 +insideofgaming.de, 1 +insideperu.tk, 1 +insideprisonbreak.tk, 1 +insider-invest.tk, 1 +insiderateers.ga, 1 +insiderateest.ga, 1 +insidergazette.com, 1 +insiderpie.de, 1 +insiders.ga, 1 +insiderx.com, 1 +insidethefirewall.tk, 1 +insidetheigloo.com, 1 +insideview.com, 1 +insightfulpsychics.com, 1 +insighti.com, 1 +insights.plus, 1 +insightsoftware.com, 1 +insignificant.space, 1 +insindacabili.it, 1 +insinuator.net, 1 +insistel.com, 1 +insolent.ch, 1 +insolved.com, 1 +insomnia-isterica.tk, 1 +insomniac.pl, 1 +insomniac.ro, 1 +insomniachelp.com, 1 +insono.no, 1 +insouciant.org, 1 +inspektre.com, 0 +inspektre.io, 1 +inspirascholen.be, 1 +inspiration.gr, 1 +inspirationalstories.com, 1 +inspirationalstories.tk, 1 +inspire-av.com, 1 +inspire2rise.com, 1 +inspired-builds.co.uk, 1 +inspired-creations.co.za, 1 +inspired-lua.org, 1 +inspiredbyannefrank.com, 1 +inspiredelements.co.uk, 1 +inspiredentalwellness.com, 1 +inspiredhousewife.com, 1 +inspiredlife.fun, 1 +inspireplanner.com, 1 +inspiresurgery.com, 1 +inspirez-vous-sophro.com, 1 +inspiringtips.com, 1 +inspirithealth.ca, 1 +insportline.bg, 1 +insportline.cz, 1 +insportline.de, 1 +insportline.eu, 1 +insportline.hu, 1 +insportline.lt, 1 +insportline.si, 1 +insportline.sk, 1 +inspreeveryone.ga, 1 +insrt.uk, 0 +insside.net, 1 +insst.es, 1 +insta-viewer.ml, 1 +instaapk.net, 1 +instacart.careers, 1 +instacart.com, 1 +instachina.ru, 1 +instacredito.pt, 1 +instadapp.io, 1 +instafind.nl, 1 +instaforex.com.ng, 1 +instagc.com, 1 +instagrabber.ru, 1 +instagram-atom.appspot.com, 1 +instagram.com, 1 +instagramdeposu.com, 1 +instagrammernews.com, 1 +instagramtweet.com, 1 +instagraph.cn, 1 +instahub.net, 1 +instalamosyreformamos.es, 1 +installation-hotte-cuisine.com, 1 +installation-of-xenon.tk, 1 +installer-borne-electrique.fr, 1 +installgentoo.net, 1 +instances.social, 1 +instanse.nl, 1 +instant-clearance-sale.co.uk, 1 +instant-hack.com, 1 +instant-hack.io, 1 +instant-hack.to, 1 +instant-thinking.de, 0 +instant.io, 1 +instanteindeleble.com, 1 +instantessay.tk, 1 +instantfinishers.ga, 1 +instantfinishest.ga, 1 +instantinsightinc.com, 1 +instantintegrationers.ga, 1 +instantintegrationest.ga, 1 +instantkhabar.com, 1 +instantluxe.com, 1 +instantluxe.de, 1 +instantmoron.com, 1 +instantpage.tk, 1 +instantprint.co.uk, 1 +instantreplay.tk, 1 +instantsiteaudit.com, 1 +instava.cz, 1 +instawi.com, 1 +instawierszyki.pl, 1 +instead.com.au, 1 +insteagle.com, 1 +instelikes.com.br, 1 +instem.jp, 1 +instics.com, 1 +instinctive-archery.de, 0 +institutadios.com, 0 +institutchroma.fr, 1 +instituto18denoviembre.tk, 1 +institutoclaro.org.br, 1 +institutoconsulplan.org.br, 1 +institutodeoposiciones.com, 1 +institutodyn.com, 1 +institutoessencia.com, 1 +institutofacial.com, 1 +institutogiuseppe.com, 1 +institutogiuseppe.com.ar, 1 +institutoliderar.edu.co, 1 +institutomaritimocolombiano.com, 1 +institutovinton.com, 1 +institutulcultural.ro, 1 +instocktho.cc, 1 +instructorcarders.ga, 1 +instrukci.tk, 1 +instrumart.ru, 0 +instrumentalevening.tk, 1 +instrumentalverein-tueddern.de, 1 +instrumentodepaz.com, 1 +instylecollection.tk, 1 +instytut.tk, 1 +instytutwellsense.pl, 1 +insulationchicagoil.com, 1 +insulations.ga, 1 +insulectro.com, 1 +insult.es, 1 +insultband.tk, 1 +insultnik.ru, 1 +insultniki.ru, 1 +insurance, 1 +insurance-companies.tk, 1 +insurance24.online, 1 +insurancebloggingers.ga, 1 +insurancebloggingest.ga, 1 +insurancebonzer.ga, 1 +insurancebusinessmag.com, 1 +insuranceclassic.ga, 1 +insurancecompanylive.tk, 1 +insurancehotline.com, 1 +insuranceleep.ga, 1 +insurancenews.gq, 1 +insurancequotes.tk, 1 +insurancesaman.tk, 1 +insurancesquaders.ga, 1 +insurancesquadest.ga, 1 +insuranceweb.ga, 1 +insurebot.com.au, 1 +insurebuysers.ga, 1 +insurebuysest.ga, 1 +insured-event.tk, 1 +insuredcloud.ga, 1 +insuredcreativity.com, 1 +insuredonline.in, 1 +insuremycar.ru, 1 +insureon.com, 1 +insurethebox.tk, 1 +insurgent.tk, 1 +insurgo.cloud, 1 +insurrectosdelbosque.tk, 1 +insyde.cloud, 1 +insyde.com, 1 +insydesw.com, 1 +inszu.com, 0 +int-elektro.eu, 1 +int-ext-design.fr, 1 +int-refer.nhs.uk, 1 +int-web.site, 1 +int21h.jp, 1 +int64software.com, 1 +intab.io, 1 +intafe.co.jp, 1 +intajouna.com, 1 +intakesync.com, 1 +intakings.tk, 1 +intal.info, 1 +intalink.org.uk, 1 +intarweb.ca, 1 +intasky.cz, 1 +intasky.sk, 1 +intcn.online, 1 +intcn.ru, 1 +inte.ru, 1 +inteapuestas.com, 1 +intechdaybcp.com, 1 +inteforge.com, 1 +integ.jp, 1 +integra-belgium.be, 1 +integrafin.co.uk, 1 +integrahealth.com.mx, 1 +integral-calculator.com, 1 +integral-calculator.ru, 1 +integralblue.com, 1 +integralcare.org, 1 +integralinmobiliario.com, 1 +integralkk.com, 1 +integralrechner.de, 1 +integralschool.ru, 1 +integrammes.fr, 1 +integratedbms.co.za, 1 +integratedmedicalonline.com, 1 +integratedphysio.com.au, 1 +integratedtec.net, 1 +integration-mouvements-oculaires.com, 1 +integrativepsychiatry.co.il, 1 +integrator.io, 1 +integreatedmedia.com, 1 +integrisaviation.com, 1 +integritet.com.se, 1 +integritree.ca, 1 +integrity.gov, 1 +integritydetail.com, 1 +integrityfirstloans.com, 1 +integrityglobal.com, 1 +integrityhomecontractors.com, 1 +integritykrakow.pl, 1 +integrityline.com, 1 +integrityokc.com, 1 +integrityoklahoma.com, 1 +integromat.com, 1 +integroof.com, 1 +integsystem.com, 1 +intel.gov, 1 +intel.im, 1 +intel69.cf, 1 +intelalumni.org, 1 +intelcapital.com, 1 +intelekta.es, 1 +intelhost.com.br, 1 +intelics.com.au, 1 +intelius.cf, 1 +intellar.com, 1 +intellect-ls.com, 1 +intellecta.is, 1 +intellective.us, 1 +intellectmoney.ru, 1 +intelledox.com, 1 +intellego.de, 1 +intellek.io, 1 +intellektuaalomand.ee, 1 +intelliance.eu, 1 +intellicore.cl, 1 +intellicus.com, 1 +intelligence-explosion.com, 1 +intelligenceia.fr, 1 +intelligenetics.com, 0 +intelligentnegotiator.com, 1 +intelligentrics.com, 1 +intelligentwaves.com, 1 +intelligista.tk, 1 +intelligizedigital.com, 1 +intelligroup360.com, 1 +intellihr.io, 1 +intellimatica.se, 1 +intellimax.ir, 1 +intellinetixvibration.com, 1 +intellio.pl, 1 +intellior.ag, 1 +intellitonic.com, 1 +intellium.io, 0 +intelly.kr, 1 +intelly.nl, 1 +intelly365.nl, 1 +intelrealsense.com, 1 +inteltechniques.com, 1 +intelx.io, 1 +intencje.pl, 1 +intenirphoto.tk, 1 +intensify.pictures, 1 +intensiveintervention.org, 1 +intensivpflege-sachsen.de, 1 +intentin.com, 1 +inter-culinarium.com, 1 +inter-design.sk, 1 +inter-news.tk, 1 +interabbit.co, 1 +interabbit.com, 1 +interacademybrazil.com.br, 1 +interacthindu.tk, 1 +interactiveanddesign.com, 1 +interactivebrokersreview.co, 1 +interactivedigesters.ga, 1 +interactivedigestest.ga, 1 +interactiveliterature.org, 1 +interactivetheatrecollective.tk, 1 +interad.com, 1 +interaffairs.com, 1 +interagencystandingcommittee.org, 1 +interaktiva.fi, 1 +interallied.org, 1 +interbanco.com.gt, 1 +interbank.pe, 1 +interbase.org, 1 +interbec.com, 1 +interblink.tk, 1 +interc0der.tk, 1 +intercariforef.org, 1 +intercars.bg, 1 +interceptorproject.hr, 1 +interchangehq.com, 1 +interchanges.io, 1 +intercol.com.br, 1 +intercom-attachments-1.com, 1 +intercom-attachments-5.com, 1 +intercom-attachments-6.com, 1 +intercom-attachments-9.com, 1 +intercom-attachments.com, 1 +intercom-attachments.eu, 1 +intercom-language.training, 1 +intercom-mail.com, 1 +intercom-mail.eu, 1 +intercom-sheets.com, 1 +intercom.com, 1 +intercom.io, 1 +intercomcdn.com, 1 +intercomcdn.eu, 1 +intercomp-cbu.ru, 1 +intercomp.ru, 1 +intercomunicador.org, 1 +intercomunicadores.org, 1 +interconlarp.org, 1 +intercop.es, 1 +intercrosse.tk, 1 +interday.net, 1 +interdc.com, 1 +interdc.nl, 1 +interdescargas.tk, 1 +interdez.com.ua, 1 +interesnyimir.com, 1 +interessengemeinschaft-pregelstrasse.tk, 1 +interesting.ac.cn, 1 +interestingfacts.gq, 1 +interface-systems.de, 1 +interfloraservices.co.uk, 1 +interflores.com.br, 1 +interfug.de, 1 +intergenx.co.uk, 1 +intergenx.com, 1 +intergenx.org, 1 +intergenx.org.uk, 1 +intergermania.com, 1 +intergraphix.com.ar, 1 +interguard.net, 1 +interguardian.de, 1 +interhealthcare.com.au, 1 +interiery-waters.cz, 1 +interieursud.fr, 1 +interimnorge.no, 1 +interior-design-colleges.com, 1 +interior16.cf, 1 +interiorai.com, 1 +interiorcarpentryqatar.com, 1 +interiorcheapo.com, 1 +interiorcolors.tk, 1 +interiorsnmore.com, 1 +interisaudit.com, 1 +interitus.tk, 1 +interlapse.tk, 1 +interleasing.co.nz, 1 +interleasing.com.au, 1 +interlecwa.com, 0 +interlijn.nl, 1 +interlingvo.biz, 1 +interlink-jp.com, 1 +interlinked.us, 1 +interlogos.bg, 1 +intermac.nl, 1 +intermaquinas.es, 1 +intermarche.pt, 1 +intermezzo-emmerich.de, 1 +intermezzo-emmerich.nl, 1 +interminsk.tk, 1 +intern.tax, 1 +internacionalista.tk, 1 +internaldisfunction.tk, 1 +internalfb.com, 1 +internalframebackpack.tk, 1 +internalkmc.com, 1 +internally.ga, 1 +internalportal.net, 1 +international-books.org, 1 +international-business-world.com, 1 +international-friends.net, 1 +international-genealogy-services.com, 1 +international.cn.eu.org, 1 +international.expert, 1 +internationalairlinestickets.com, 1 +internationalbussines.tk, 1 +internationaldelight.com, 1 +internationaldesigncomp.com, 1 +internationalepolitik.de, 1 +internationalfashionjobs.com, 1 +internationalflightstickets.com, 1 +internationalfm.tk, 1 +internationalfrom.com, 1 +internationalgse.com, 1 +internationaljoustingleague.tk, 1 +internationalrelationsedu.org, 1 +internationalrugsdallas.com, 1 +internationalschool.it, 1 +internationaltalento.it, 1 +internationaltercumeburosu.com.tr, 1 +internationaltranslating.com, 1 +internationalweekly.tk, 1 +internect.co.za, 1 +internet-aukcion.info, 1 +internet-drive.tk, 1 +internet-gazeta.ga, 1 +internet-hypothekenbank.de, 1 +internet-israel.com, 1 +internet-tv4u.tk, 1 +internet.org, 1 +internet42.tk, 1 +internet4all.gov, 1 +internetauction.tk, 1 +internetbank.swedbank.se, 1 +internetbloger.tk, 1 +internetbugbounty.com, 1 +internetbugbounty.org, 1 +internetbusiness-howto.com, 1 +internetcom.jp, 1 +internetdagarna.se, 1 +internetface.tk, 1 +internetfonden.se, 1 +internetforall.gov, 1 +internethediyesi.com, 1 +internethypothekenbank.de, 1 +internetinhetbuitengebied.nl, 1 +internetional.nl, 1 +internetk.tk, 1 +internetkunskap.se, 1 +internetline.tk, 1 +internetmagaz.tk, 1 +internetmarketingprofitscenter.com, 1 +internetmarkets.net, 1 +internetmedia.si, 1 +internetmineers.ga, 1 +internetmineest.ga, 1 +internetmuseum.se, 1 +internetnz.nz, 1 +internetofdon.gs, 1 +internetoffensive.fail, 1 +internetofinsecurethings.com, 1 +internetoskol.tk, 1 +internetovehazardnihry.cz, 1 +internetowykantor.pl, 1 +internetpasoapaso.com, 1 +internetpoem.com, 1 +internetpro.me, 1 +internetprofitspro.com, 1 +internetslapfights.com, 1 +internetstaff.com, 1 +internetstatistik.se, 1 +internetstiftelsen.se, 1 +internetstones.com, 1 +internetsubsidie.tk, 1 +internetthreatcenter.com, 1 +internetthreatscenter.com, 1 +internettoday.ga, 1 +internettradie.com.au, 0 +internetwealthresource.com, 1 +internetzaim.tk, 1 +internetzentrale.net, 1 +internews24.com, 1 +interparcel.com, 1 +interphoto.by, 1 +interplex.com, 1 +interpol.gov, 1 +interpretacjawynikowbadan.info.pl, 1 +interprete.tk, 1 +intersectionconsultancy.co.uk, 1 +interseguro.pe, 1 +interseller.io, 1 +intersexualite.tk, 1 +intersitios.com, 1 +interslang.tk, 1 +intersolute.de, 1 +interspar.at, 1 +intersportks.com, 1 +interspot.nl, 1 +interssl.com, 1 +interstateremovalists.sydney, 1 +intersun.es, 1 +intersun.fr, 1 +intersun.pt, 1 +intersys.uy, 1 +interterranfed.org, 1 +intertime.services, 1 +intertrans.tk, 1 +interval-training-timer.ru, 1 +intervalzero.com, 1 +intervention.io, 1 +interverv.com, 1 +interview-suite.com, 0 +interview-test-taker.com, 1 +interviewme.pl, 1 +interviewpipeline.co.uk, 1 +interviewstarsers.ga, 1 +interviewstarsest.ga, 1 +intervista-rh.fr, 1 +interways.de, 1 +interwebz-cheats.com, 1 +interwebz.cloud, 1 +interwebz.nz, 1 +interwerk.de, 1 +intesis.com, 0 +intestclub.tk, 1 +inthechair.com, 1 +inthechileanwoods.tk, 1 +inthepicture.com, 1 +inthevip.com, 1 +inthouse.cloud, 1 +intifx.com, 1 +intigriti.com, 0 +intihalprogrami.com, 1 +intim-24.tk, 1 +intim-ru.tk, 1 +intimastoreatacado.com.br, 1 +intimatecollision.com, 1 +intimidad.tk, 1 +intimznakomstvo.tk, 1 +intmissioncenter.org, 0 +into-the-mountain.com, 1 +intomsk.tk, 1 +inton.biz, 1 +intoparking.fi, 1 +intor.fi, 1 +intosec.nl, 1 +intotraffic.nl, 1 +intouchgames.co.uk, 1 +intouchtablets.com, 1 +intoxicate.tk, 1 +intpb.com.au, 0 +intpforum.com, 1 +intr0.cf, 1 +intr0.com, 1 +intr0.tk, 1 +intracdf.net, 1 +intracellulartherapies.com, 1 +intrack.net.au, 1 +intracom.com, 0 +intradayseasonals.com, 1 +intrador.com, 1 +intrafi.com, 1 +intralan.nl, 1 +intranet.dvag, 1 +intranetcity.ch, 1 +intranetcrowd.com, 1 +intraobes.com, 1 +intraxia.com, 1 +intrdate.us, 1 +intrepidmedia.tk, 1 +intrepy.com, 1 +intrigue3d.com, 1 +intrixgroup.com, 1 +intro.management, 1 +intron.pw, 1 +intropickup.ru, 1 +intropika.tk, 1 +intrstd.in, 1 +intrum-credit-information-ws.ch, 1 +intstyle.com.ua, 1 +intsys.fi, 1 +intux.be, 0 +intvonline.com, 1 +intxt.net, 1 +inu.nl, 1 +inuevostiempos.es, 1 +inumcoeli.com.br, 1 +inusasha.de, 1 +inuyasha-petition.tk, 1 +invadecafe.tk, 1 +invaded.ga, 1 +invadelabs.com, 1 +invalida.ru, 1 +invantive-apps-for-dynamics-crm.com, 1 +invantive-apps-for-magento.com, 1 +invantive-apps-for-nmbrs.com, 1 +invantive-apps-for-salesforce.com, 1 +invantive-apps-for-stackoverflow.com, 1 +invantive-apps-voor-exact-online.nl, 1 +invantive-apps-voor-loket.nl, 1 +invantive-apps-voor-xml-auditfiles.nl, 1 +invantive.be, 1 +invantive.cloud, 1 +invantive.co.uk, 1 +invantive.com, 1 +invantive.de, 1 +invantive.es, 1 +invantive.eu, 1 +invantive.net, 1 +invantive.nl, 1 +invantive.org, 1 +invasion.com, 1 +invasivespeciesinfo.gov, 1 +invata-ma.ro, 1 +invenio.software, 1 +inventarioti.serveftp.net, 1 +inventati.org, 1 +inventify.com, 1 +inventionjudgeers.ga, 1 +inventionjudgeest.ga, 1 +inventions-home.tk, 1 +inventionsteps.com.au, 1 +inventix.nl, 1 +invento.tk, 1 +inventortesters.ga, 1 +inventortestest.ga, 1 +inventorybase.co.uk, 1 +inventorybase.com, 1 +inventoryimages.co.uk, 1 +inventorylab.com, 1 +inventos.tk, 1 +inventoseinventores.com, 1 +inventum.cloud, 1 +inveny.fr, 1 +inveris.de, 1 +inverness.gov, 1 +inversegravity.net, 1 +inverselink-user-content.com, 1 +inverselink.com, 1 +inversion.travel, 1 +inversionesgalindo.com, 1 +invertiaweb.com, 1 +invertir.gov, 1 +invespex.com, 1 +invest-stroj.tk, 1 +invest.gov, 1 +investa.ph, 1 +investactiv.tk, 1 +investarholding.nl, 1 +investasiku.tk, 1 +investasimudah.tk, 1 +investasipasti.tk, 1 +investbeneficios.com.br, 1 +investcorp.com, 1 +investelogo.com.br, 1 +investeringsgids.be, 1 +investgold.ml, 1 +investgold.tk, 1 +investgroop.ml, 1 +investia.ca, 1 +investigace.cz, 1 +investigatemalware.com, 1 +investigatingmalware.com, 1 +investigations-nbi.com, 1 +investigatore.it, 1 +investigatore.milano.it, 1 +investigatore.roma.it, 1 +investigatore.torino.it, 1 +investigazione.milano.it, 1 +investigazione.roma.it, 1 +investinamerica.gov, 1 +investinestonia.com, 0 +investingdiary.cn, 1 +investinginamerica.gov, 1 +investingnews.com, 1 +investingoal.com, 1 +investingoutlook.co, 1 +investingtrader.net, 1 +investintech.com, 1 +investion.cf, 1 +investir.ch, 0 +investirdanslancien.fr, 1 +investire.biz, 0 +investirenisrael.fr, 1 +investirfazbem.com.br, 1 +investirsolidaire.fr, 1 +investisiya.az, 1 +investisseur-nomade.fr, 1 +investisseur-or-matieres.com, 1 +investlatam.com, 1 +investment-adh.com, 1 +investment.com, 1 +investmentrankingsers.ga, 1 +investmentrankingsest.ga, 1 +investmonitor.tk, 1 +investnext.com, 1 +investnorthernontario.com, 1 +investonline.cf, 1 +investor-academy.jp, 1 +investor.com.tr, 1 +investor.gov, 1 +investorcom.com, 1 +investoren-beteiligung.de, 1 +investorforms.com, 1 +investorloanshub.com, 1 +investorplace.com, 1 +investorrightsnetwork.com, 1 +investors.pl, 1 +investpay.ru, 1 +investpsp.ca, 1 +investpsp.com, 1 +investresolve.com, 1 +investservis.eu, 1 +inviaworld.tk, 1 +invicta.fr, 1 +invicti.com, 1 +invictuscapital.com, 1 +invictuscustodia.com, 1 +invidious.rocks, 1 +invidis.de, 1 +invincia.com, 1 +invinoaustria.cz, 1 +invisia.com.br, 1 +invisible-college.com, 1 +invisible.io, 1 +invisibledrain.com, 1 +invisiblehat.ventures, 1 +invisiblejiujitsu.co.uk, 1 +invisibles.ch, 0 +invisiblesolutions.com, 1 +invisiblewindows.ca, 1 +invisionary.tech, 1 +invisionary.tk, 1 +invisionretail.nl, 1 +invisitone.com, 1 +invitation-factory.tk, 1 +invitationtrackerers.ga, 1 +invitationtrackerest.ga, 1 +invitebiz.tk, 1 +invitepeople.com, 1 +invitescafe.com, 1 +invitia.net, 1 +invito.tk, 1 +invoiced.com, 1 +invoicely.com, 1 +invokingspirits.tk, 1 +involic.com, 1 +involve.asia, 1 +invuite.com, 1 +invuite.com.au, 1 +inwebo.net, 1 +inwepo.co, 1 +inwit.tk, 1 +inwonderofit.com, 1 +inycia.com, 1 +inyo.gov, 1 +inyourowntime.zone, 1 +inyr.hu, 0 +inzdr.com, 1 +inzeitinteractive.tk, 1 +inzelabs.com, 1 +inzeni.pl, 1 +inzernettechnologies.com, 1 +inzestfreunde.de, 1 +inzichtmeditatie.nl, 1 +inzidenz.eu, 1 +inzite.com, 1 +io.kg, 1 +io.nl.eu.org, 1 +io88.win, 1 +ioactive.com, 1 +ioanamateas.ro, 1 +ioanavisan.tk, 1 +iobint.com, 1 +iocbc.com, 1 +iochen.com, 1 +iocorp.jp, 1 +iocp.org, 0 +ioctl.cc, 1 +iocurrents.com, 0 +iodb.ru, 1 +iodu.re, 1 +ioga.tk, 1 +iogm-official.id, 1 +iograficathemes.com, 1 +iolabs.io, 1 +ioliver.co.uk, 1 +iololi.com, 1 +iolpodcast.com, 1 +iomedia.ch, 0 +iompost.com, 1 +iomstamps.com, 1 +ionc.ca, 1 +ioncubedecode.xyz, 1 +iondrey.cf, 1 +iondrey.fr, 1 +iondrey.ga, 1 +iondrey.gq, 1 +iondrey.ml, 1 +iondrey.tk, 1 +ione.net.nz, 1 +iongroup.com, 1 +ionhowto.com, 1 +ionicframework.com, 1 +ionicshop.xyz, 1 +ionize.cloud, 1 +ionlabs.kr, 1 +ionline.ml, 1 +ionovia.de, 1 +ionspin.com, 0 +ionstudio.pe, 1 +ionutnica.ro, 1 +ionx.co.uk, 1 +iop.intuit.com, 1 +iopex.com, 1 +iopool.us, 1 +iorgroup.org, 1 +ioriogioielli.com, 1 +ios11018.com, 1 +iosartstudios.gr, 1 +iosco.org, 1 +iosecurity.co.za, 1 +iosgeekblog.com, 1 +iosjailbreakiphone.com, 0 +iosme.ga, 1 +iosolutions.cl, 1 +iosprivacy.com, 1 +iossearch.tk, 1 +iostream.by, 1 +iosxr.de, 1 +iot-alliances.com, 1 +iotac.xyz, 1 +iotanodes.org, 1 +iotbusinessforum.com.br, 1 +iotekha.tv, 1 +iotfen.com, 1 +iotjenik.eu, 1 +iotmu.com, 1 +iotportal.tk, 1 +iotrasloco.it, 1 +iotsms.io, 1 +ioville.com, 1 +iovo.consulting, 1 +iowa80.com, 1 +iowacolonytx.gov, 1 +iowacorncountry.com, 1 +iowadol.gov, 1 +iowaintex.gov, 1 +iowamissingpersons.gov, 1 +iowaneedsanewkim.com, 1 +iowarawmilk.net, 1 +iowaschoolofbeauty.com, 1 +iowasmokefreeair.gov, 1 +iowastem.gov, 1 +iowaworks.gov, 1 +iowaworksforveterans.gov, 1 +iowawx.com, 1 +iowxy.com, 1 +iox.is, 1 +ioxio-dataspace.com, 1 +ioxio-showroom.com, 1 +ip-addr.es, 1 +ip-audio.org, 1 +ip-cam-pro-cz.com, 1 +ip-generation.de, 1 +ip-hahn.de, 0 +ip-kameri.com, 1 +ip-life.net, 1 +ip-tanz.com, 1 +ip.dog, 1 +ip.gt, 1 +ip.or.at, 1 +ip.sb, 1 +ip3.world, 1 +ip3office.com, 0 +ip40.com, 1 +ip4unlocked.tk, 1 +ip6.li, 1 +ipaddress.my, 1 +ipaddressreputation.com, 1 +ipadizate.com, 1 +ipadizate.es, 1 +ipadkaitori.jp, 0 +ipadr.is, 1 +ipal.im, 1 +ipal.name, 1 +ipal.tel, 1 +ipanchev.com, 1 +iparenda.tk, 1 +iparkki.com, 1 +ipcc-wg3.gov, 1 +ipcim.com, 1 +ipclabs.tk, 1 +ipcmali.ml, 1 +ipcom.com.br, 0 +ipconsulting.se, 1 +ipcontolsite.ga, 1 +ipcontolsite.tk, 1 +ipcstore.com, 1 +ipdental.tk, 1 +ipdfreedom.me, 1 +ipdgroup.com.au, 1 +ipdistrimart.com, 1 +ipemcomodoro.com.ar, 1 +iperconnessi.it, 1 +iperon.ru, 1 +ipetecperu.org, 1 +ipetitions.by, 1 +ipfire.org, 1 +ipfirebox.de, 1 +ipfixcalculator.com, 1 +ipfixcollector.com, 1 +ipfixifies.com, 1 +ipfixify.com, 1 +ipfixinator.com, 1 +ipfixreplicator.com, 1 +ipflu.com, 1 +ipfs.io, 1 +ipgeolocation.io, 1 +ipggroup.com, 1 +ipgrabbed.rip, 1 +iphone.fashion, 1 +iphone6.ro, 1 +iphonebatarya.net, 1 +iphonechina.net, 0 +iphoned.nl, 1 +iphonekaitori.tokyo, 0 +iphonemobile.ro, 1 +iphonerepairbolton.co.uk, 1 +iphonesoft.fr, 1 +iphoneunlock.nu, 1 +iphostreputation.com, 1 +ipid.me, 1 +ipidkun.com, 1 +ipigri.tk, 1 +ipinfo.tw, 1 +ipioneer.ga, 1 +ipirangaparafusos.com.br, 1 +ipl.pt, 1 +iplabs.de, 0 +iplaycraft.ru, 1 +iplayradio.net, 0 +ipleak.net, 1 +ipledgeonline.org, 0 +iplog.info, 0 +iplookup.tk, 1 +ipmatic.ga, 1 +ipmotion.ca, 1 +ipmscorp.com, 1 +ipmscoutek.com, 0 +ipnoze.com, 1 +ipnrt.net, 1 +ipoac.be, 1 +ipoac.nl, 1 +ipokabu.net, 1 +ipomue.com, 1 +ipon.hu, 1 +ipon.ro, 1 +iposm.net, 0 +ipoteka.az, 1 +ipow.tk, 1 +ipperde.tk, 1 +ipplans.com, 1 +ippo-juku.com, 1 +ippo.org.uk, 1 +iprcenter.gov, 1 +iprep.it, 0 +ipresent.com, 1 +iprice.co.id, 1 +iprice.hk, 1 +iprice.my, 1 +iprice.ph, 1 +iprice.sg, 1 +iprice.vn, 1 +ipricethailand.com, 1 +iprisk.info, 1 +ipro.sbs, 1 +iproducemusic.com, 1 +iproductrepair.com, 1 +iproskills.com, 1 +iprpetitiondenied.com, 1 +ips-consult.nl, 1 +ips-sachsen.de, 1 +ips.com.my, 1 +ipschool.spb.ru, 1 +ipsculemborg.nl, 1 +ipsecurelink.com, 1 +ipsilon-project.org, 1 +ipso.paris, 1 +ipssl.li, 1 +ipstoragesolutions.com, 1 +ipsubscription.store, 1 +ipsum.dk, 1 +ipswitch.com.tw, 1 +iptechnology.tk, 1 +iptoasn.com, 1 +iptops.com, 1 +iptv.ge, 1 +iptvfriend.ga, 1 +iptvzoom.xyz, 1 +ipty.de, 1 +ipuservicedesign.com, 1 +ipushmail.tk, 1 +ipv4.cf, 1 +ipv4.cy, 1 +ipv4.gr, 1 +ipv4.party, 1 +ipv4.rip, 1 +ipv6-adresse.dk, 1 +ipv6-handbuch.de, 1 +ipv6.bible, 1 +ipv6.cool, 1 +ipv6.cy, 1 +ipv6.gr, 1 +ipv6.jetzt, 0 +ipv6.pictures, 1 +ipv64.net, 0 +ipv6ioffentligsektor.se, 1 +ipv6vpn.net, 1 +ipvbook.com, 0 +ipview.tk, 1 +ipwho.site, 1 +iqcybersolutions.com, 1 +iqmarketing.nl, 1 +iqor.com, 1 +iqos.ml, 1 +iqphone.cf, 1 +iqphone.ga, 1 +iqr2.com, 1 +iqraskolan.se, 1 +iqreview.ru, 1 +iqsecurity.eu, 1 +iqtechportal.com, 1 +iqtek.solutions, 1 +iqwst.com, 1 +ir.to, 1 +iraanswersers.ga, 1 +iraanswersest.ga, 1 +iraf.de, 1 +iragoldreview.com, 1 +irajsingh.tk, 1 +irakturkleri.org, 1 +iramellor.com, 1 +iran-best.cf, 1 +iran-efshagari.com, 1 +iran-oil.tk, 1 +iran-speedex.tk, 1 +iranactua.tk, 1 +irancenter.tk, 1 +iranconnect.tk, 1 +irandex.ga, 1 +irandex.gq, 1 +irando.co.id, 1 +irandroid.ml, 1 +iranettelecom.com.br, 1 +iranfilmcity.tk, 1 +iranfreshfruit.cf, 1 +irangeodesy.tk, 1 +iranian.lgbt, 1 +iranjeunesse.com, 1 +iranjob.tk, 1 +iranlinks.tk, 1 +iranonline.tk, 1 +iranophiles.com, 1 +iranophiles.net, 1 +iranophiles.org, 1 +iranpedia.tk, 1 +iranrebate.com, 1 +iranturkey.info, 1 +iranwiki.ovh, 1 +irap.org, 1 +iraq2u.tk, 1 +iraq4u.tk, 1 +iraqinews.ga, 1 +iraqmartialarts.tk, 1 +iraqtop.tk, 1 +irareturners.ga, 1 +irasandi.com, 1 +irasingh.tk, 1 +iratechwatch.com, 1 +iratten.de, 1 +irayo.net, 1 +irbot.com.br, 1 +irchat.cn, 1 +ircica.org, 1 +ircmett.de, 1 +ircnet.de, 1 +ircnow.org, 0 +ircoholik.ml, 1 +ircom.com.ar, 1 +ircpad.com, 1 +ircsapiklari.tk, 1 +ircstats.org, 1 +irdll.com, 1 +ireaco.com, 1 +iready.ro, 1 +irealisatie.nl, 1 +iredellcountync.gov, 1 +iregister.al, 1 +ireiguam.org, 1 +ireis.fr, 1 +ireland.gq, 1 +irelandforukraine.ie, 1 +irelandinternetstuffs4u.tk, 1 +irelandondemand.ie, 1 +irelandremembers.com, 1 +irelandremembers.ie, 1 +irelandremembers.org, 1 +irelandstats.com, 1 +iren.gov, 1 +irenefellner.com, 1 +irenekauer.com, 1 +irenelove.com, 1 +ireneskralen.tk, 1 +irenictherapy.com, 1 +irentcar.com.tw, 1 +ireps.gov.in, 1 +iresineworld.tk, 1 +irf2.pl, 1 +irfanweb.cf, 1 +irfs.org, 1 +irgit.pl, 1 +iricky.art, 1 +iridescentsun.com, 1 +iridiumbrowser.de, 1 +irina-beauty.de, 1 +irinaf.tk, 1 +irioka.be, 1 +irion-edm.com, 1 +iris-design.info, 1 +iris-elements-development.co.uk, 1 +iris-elements-development.com, 1 +iris-elements-staging.co.uk, 1 +iris-elements-staging.com, 1 +iris-elements-testing.co.uk, 1 +iris-elements-testing.com, 1 +iris-elements.co.uk, 1 +iris-elements.com, 1 +iris-insa.com, 1 +iris.co.uk, 1 +irische-segenswuensche.info, 1 +irisdesideratum.com, 1 +irisdesign.com, 1 +irisfansite.tk, 1 +irish.radio, 1 +irishdancing.tk, 1 +irishdenetwork.org, 1 +irishlifehealth.ie, 1 +irishmusic.nu, 0 +irishradioplayer.radio, 1 +irishub.co.uk, 1 +irishwool.ru, 1 +irisinclusiva.pt, 0 +irisinfo.net, 1 +irismq.fr, 1 +irisopenspace.co.uk, 1 +irisws-development.co.uk, 1 +irisws-staging.co.uk, 1 +irisws-testing.co.uk, 1 +iritual.ru, 1 +irkutsk-studygood.ga, 1 +irkutsk38.tk, 1 +irland-firma.com, 1 +irlfp.com, 1 +irlpack.pl, 1 +irlprable.tk, 1 +irma-gadalka.tk, 1 +irmag.ru, 1 +irmakprefabrik.com, 1 +irmgard-woelfle.de, 1 +irmgardkoch.com, 1 +irmo.hr, 1 +irmonline.tk, 1 +irob.co.jp, 1 +iroiroaruyo.net, 1 +iroise.ch, 1 +iroisedh.fr, 1 +iron-infos.cf, 1 +iron.io, 1 +ironarch.net, 1 +ironbarnyc.com, 1 +ironbelly.pro, 1 +ironbow.com, 0 +ironbowhealthcare.com, 0 +ironcage.tk, 1 +ironcladapp.com, 1 +ironcross.tk, 1 +irondequoit.gov, 1 +ironfistdesign.com, 1 +ironfittings.com.br, 1 +irongym.tk, 1 +ironitekstil.com, 1 +ironmagma.tk, 1 +ironmaidenbootleghub.tk, 1 +ironmongery.cf, 1 +ironmongery.ga, 1 +ironmongeryexperts.co.uk, 1 +ironpeak.be, 1 +ironraven.ch, 1 +ironraven.ml, 1 +ironridgewi.gov, 1 +ironscales.com, 0 +ironstar.tk, 1 +irontigers.ga, 1 +irontigers.gq, 1 +irontigers.ml, 1 +ironwaytransport.com, 1 +ironwind.ga, 1 +ironwolftechnology.com, 1 +ironwoodmi.gov, 1 +ironycats.net, 1 +iroomz.co.uk, 1 +iroquoiscountyil.gov, 1 +irpadafrique.ml, 1 +irr52.ru, 0 +irr59.ru, 1 +irrational.net, 1 +irrewilse.se, 1 +irrigation.zone, 1 +irscouponsers.ga, 1 +irscouponsest.ga, 1 +iruarts.ch, 1 +iruca.co, 1 +iruniruten.tk, 1 +iruoy.com, 1 +irvetclinic.com, 1 +irvinekentucky.gov, 1 +irvingtonnj.gov, 1 +irvingtonva.gov, 1 +irvingtx.gov, 1 +irweb.io, 1 +irwincounty-ga.gov, 1 +irwinvalera.com, 1 +iryodatumoguide.com, 1 +irzumshafiq.tk, 1 +is-a-furry.org, 1 +is-and.com, 1 +is-in-hyper.space, 1 +is-news.today, 1 +is-real.xyz, 1 +is-rocket.science, 1 +is-socket.tk, 1 +isa357.com, 1 +isa4310.com, 1 +isa5417.com, 1 +isaaccomputerscience.org, 1 +isaaccs.org, 1 +isaacdgoodman.com, 1 +isaacgolding.com, 1 +isaackabel.cf, 1 +isaackabel.ga, 1 +isaackabel.gq, 1 +isaackabel.ml, 1 +isaackabel.tk, 1 +isaackhor.com, 1 +isaacman.tech, 1 +isaacmorneau.com, 1 +isaacperez.tk, 1 +isaacphysics.org, 1 +isaaczais.com, 1 +isaaya.com, 1 +isab.run, 1 +isabelaflores.com, 1 +isabelcaviedes.com, 1 +isabellahoopsentertainment.com, 1 +isabellainlove.com, 1 +isabellamelodia.com, 1 +isabellavandijk.nl, 1 +isabelle-delpech.com, 0 +isabellehogarth.co.uk, 1 +isabellzaloof.ga, 1 +isabellzaloof.gq, 1 +isabelmurillo-ordonez.com, 0 +isabelvalfer.com, 1 +isacyberinsure.com, 1 +isacybersecurity.com, 1 +isadamlari.tk, 1 +isaeus.nl, 1 +isakow.cf, 1 +isakow.gq, 1 +isamay.es, 1 +isamiok.com, 1 +isantv.com, 1 +isara.com, 1 +isaropiping.fr, 1 +isastylish.com, 1 +isavanderbrugge.nl, 1 +isavings.com, 1 +isbagla.com, 1 +isbase.de, 1 +isbaseballstillon.com, 1 +isbk.de, 0 +isbndirect.com, 0 +isbpanel.com, 1 +isc.org, 1 +isc2.org, 0 +isc2estoniachapter.ee, 1 +iscert.org, 1 +ischia2.it, 1 +ischool.co.jp, 1 +iscontrol.com.mx, 1 +iscrizioniexpofelina.it, 1 +iscultas.pp.ua, 1 +isdecolaop.nl, 1 +isdn.jp, 1 +isdown.cz, 1 +isecrets.se, 1 +iseecure.be, 1 +isekaimaid.xyz, 1 +isense.tw, 1 +isentek.com, 1 +iseriemandopkantoor.nl, 1 +isering.com, 1 +isernogiemandopkantoor.nl, 1 +iservicio.mx, 1 +iseulde.com, 1 +isexu.ga, 1 +isg-one.com, 0 +isg-tech.com, 1 +isgp-studies.com, 1 +ishadow.com, 1 +ishamf.com, 1 +ishet.al, 1 +ishigurodo.com, 1 +ishiharaken.com, 1 +ishii.blog, 1 +ishimen.co.jp, 1 +ishiro.me, 1 +ishland.com, 1 +ishopforpowerserg.com, 1 +ishtyl.com, 1 +isidore.uk, 1 +isidrocamachodiaz.es, 1 +isikdolls.com, 1 +isiklitabela.tk, 1 +isil.fi, 1 +isimonbrown.co.uk, 1 +isimonline.tk, 1 +isincheck.com, 1 +ising.pl, 1 +isiponline.ca, 1 +isis.cloud, 1 +isiso.com.tr, 1 +isistomie.com, 0 +isitan.com, 0 +isitchristmas.com, 1 +isitcoffeetime.com, 1 +isitdoneyet.gov, 1 +isitef.com, 1 +isitmed.com, 1 +isitnuclearwaryet.com, 1 +isitpatchtuesday.com, 1 +isitrest.info, 1 +iska.plus, 0 +iskanderbroere.nl, 1 +iskaron.de, 1 +iskaz.rs, 1 +iskconbd.org, 1 +iskconperth.com, 1 +iskin.xyz, 0 +iskkk.com, 1 +iskkk.net, 1 +iskorka.tk, 1 +iskra.world, 0 +iskurturkiye.cf, 1 +iskurturkiye.ga, 1 +iskurturkiye.gq, 1 +islam-2day.tk, 1 +islam-azeri.tk, 1 +islam-doc.tk, 1 +islam-net.tk, 1 +islam.az, 1 +islam.si, 1 +islam4all.tk, 1 +islam4congo.tk, 1 +islamabadcourt.tk, 1 +islamantarih.tk, 1 +islambolivia.tk, 1 +islamdersi.tk, 1 +islamdin.com, 1 +islamerkantho.com, 0 +islamfirst.ml, 1 +islamicacademy.tk, 1 +islamicarchitecturalheritage.com, 1 +islamicnews.tk, 1 +islamicsolution.tk, 1 +islaminbremen.de, 0 +islamipages.tk, 1 +islamisgreat.tk, 1 +islamiyet.gen.tr, 0 +islamiyet.tk, 1 +islamnews.ga, 1 +islamnewss.tk, 1 +islamo.tk, 1 +islamonline.net, 1 +islamparafriendsclub.ml, 1 +islamqa.info, 1 +islamspread.tk, 1 +islamvictory.com, 1 +islamvictory.net, 1 +islamvictory.org, 1 +island-cruises.tk, 1 +island-line.net, 1 +island-line.nl, 1 +island.is, 1 +islandbuses.info, 1 +islandchillfiji.com.my, 1 +islandcityoregon.gov, 1 +islandheightsborough.gov, 1 +islandhosting.com, 1 +islandinthenet.com, 1 +islandlakeil.gov, 1 +islandmenshealth.com, 1 +islandpumpandtank.com, 0 +islandsbanki.is, 1 +islandsofgreenturtles.tk, 1 +islasvirgenes.org, 1 +islatortuga.eu, 1 +islcustomsbrokers.com, 1 +islekyapi.com, 1 +islensktlambakjot.is, 1 +isleofman.tk, 1 +isletmenlikkursuankara.tk, 1 +isliada.org, 1 +islide-powerpoint.com, 1 +islief.com, 1 +islightdown.today, 1 +islikimas.lt, 1 +islipny.gov, 1 +islykaithecutest.cf, 1 +islykaithecutest.ml, 1 +ismail-biber.tk, 1 +ismailtoraman.com, 1 +ismailtoraman.com.tr, 1 +ismat.com, 0 +ismekkurs.com, 1 +ismena.bg, 1 +isminc.com, 1 +ismywebsitepenalized.com, 1 +isn.cz, 1 +isn.education, 1 +isnot.ai, 1 +iso.fr, 1 +iso27001.dk, 1 +iso27032.com, 1 +isobook.ml, 1 +isofartak.com, 1 +isogg.org, 1 +isognattori.com, 1 +isoip.org, 1 +isolatiehal.nl, 1 +isolation-exterieur-94.fr, 1 +isolation-exterieure-thermique.fr, 1 +isolation-thermique-exterieure.fr, 1 +isolation-thermique.maison, 1 +isolde.com, 1 +isole-lofoten.it, 1 +isolta.com, 1 +isolta.de, 1 +isolta.ee, 1 +isolta.fi, 1 +isolta.lv, 1 +isolta.se, 1 +isopres.de, 1 +isopro.info, 1 +isoroc-nidzica.pl, 1 +isosat.net, 1 +isotope.gov, 1 +isovideo.com, 1 +isowebtech.com, 1 +ispactivo.com, 1 +ispanika.tk, 1 +ispaniola.ga, 1 +ispanskijshuanom.ru, 1 +ispanyadahayat.com, 1 +ispartahaber.cf, 1 +ispartahaber.gq, 1 +ispartahaber.tk, 1 +ispc-synergies.org, 1 +ispfontela.es, 1 +ispmedipv6.se, 1 +isportsfab.com, 1 +ispro-ng.com, 1 +ispsoft.pro, 1 +isputinstillpresident.com, 1 +ispymissions.ga, 1 +isra-mag.com, 1 +israel-alma.org, 1 +israel-in-color.com, 1 +israel-nadlan.com, 1 +israel-real.estate, 1 +israel-web.com, 1 +israel21c.org, 1 +israelandantisemitism.com, 1 +israelandhome.com, 1 +israelbiblicalstudies.com, 1 +israelcareersers.ga, 1 +israelcareersest.ga, 1 +israelflorist.com, 1 +israelitas.tk, 1 +israelitopbox.ga, 1 +israelmesianico.tk, 1 +israelnewswire.tk, 1 +israelpalestinenews.org, 1 +israelportalk.cf, 1 +israelportalk.ga, 1 +israelportalk.gq, 1 +israelportalk.ml, 1 +israelportalk.tk, 1 +israkurort.com, 1 +isramedia.tk, 1 +isreedyinthe.uk, 1 +isreedyinthe.us, 1 +isreedyintheuk.com, 1 +isrib.com, 1 +issa.eu.org, 1 +issaias.net, 0 +issaquah.cam, 1 +issasfrissa.se, 1 +isscouncil.com, 1 +issea.wiki, 1 +issforum.org, 1 +issho.jp, 1 +issio.net, 1 +isslshop.com, 1 +issnet.cf, 1 +issnet.ga, 1 +issnet.gq, 1 +issuerconsulting.com, 1 +issues.email, 1 +issuetrak.com, 1 +issundries.com, 1 +ist-analys.com, 1 +ist-analyse.com, 1 +ist-intim.de, 1 +ist-toll.xyz, 1 +ista-vdm.at, 1 +istagb.ga, 1 +istanbul.systems, 1 +istanbulblog.tk, 1 +istanbulbogazicienstitu.com, 1 +istanbuleskort.tk, 1 +istanbulhaberleri.tk, 1 +istanbulhomes.com, 1 +istanbulmasajsalonu.tk, 1 +istanbulweb.gen.tr, 1 +istdas.lol, 1 +istec.com.ua, 1 +istech.com.tr, 1 +istekparcam.com, 1 +istekparcam.com.tr, 1 +isterfaslur.com, 1 +isthatarabic.com, 1 +istheapplestoredown.com, 1 +istheapplestoredown.de, 1 +isthedoorlocked.com, 1 +isthefieldcontrolsystemdown.com, 1 +istheinternetonfire.com, 1 +istherrienstillcoach.com, 1 +istheservicedown.co.uk, 1 +istheservicedown.com, 1 +istheservicedowncanada.com, 1 +isthisarabic.com, 1 +isthisus.org, 1 +isthnew.com, 1 +istimdead.today, 1 +istitutoimballaggio.org, 1 +istitutoricci.com, 1 +istitutoricci.it, 1 +istitutovivaldi.it, 1 +istkurznochkanzler.at, 1 +istmiregal.nl, 1 +istogether.com, 1 +istories.media, 1 +istorija-balkana.tk, 1 +istormsolutions.co.uk, 1 +istorrent.is, 1 +istratov.tk, 1 +istrosec.com, 1 +istrosec.org, 1 +istschonsolangeinrente.de, 1 +istsi.org, 1 +istudentpro.ml, 1 +istudio.one, 1 +isuggi.com, 1 +isultov.tk, 1 +isutils.com, 1 +isv.online, 1 +isvbscriptdead.com, 1 +isvsecwatch.org, 1 +isvstar.com, 1 +isvw.nl, 0 +iswag.se, 1 +iswapgh.com, 1 +isystem.cf, 1 +isystem.ga, 1 +isystem.gq, 1 +isystem.tk, 1 +isyu.xyz, 1 +iszy.cc, 1 +iszy.xyz, 1 +it-academy.sk, 1 +it-actual.ru, 1 +it-actually.work, 1 +it-altstadt.de, 1 +it-biznes.com, 1 +it-blog.cf, 1 +it-boss.ro, 1 +it-com.ga, 1 +it-connect.fr, 1 +it-cooking.com, 1 +it-ebook.ml, 1 +it-enthusiasts.tech, 1 +it-expert.tk, 1 +it-inside.ch, 1 +it-ip-rudnick.de, 1 +it-jobbank.dk, 1 +it-lobster.com, 1 +it-maker.eu, 1 +it-ngo.com, 1 +it-novosti.tk, 1 +it-perm.tk, 1 +it-rotter.de, 1 +it-seems-to.work, 1 +it-service24.com, 1 +it-stack.de, 1 +it-stek.ru, 1 +it-support-stockholm.se, 1 +it-tainment.de, 1 +it-tekniker.nu, 1 +it-ti.me, 1 +it-volgograd.tk, 1 +it-wars.com, 1 +it-web-entwicklung.de, 1 +it-world.eu, 0 +it-xperts.be, 1 +it-zt.at, 1 +it.com.eg, 0 +it.search.yahoo.com, 0 +it1b.com, 1 +it4sure.nl, 1 +it76.tk, 1 +it82.com, 1 +ita2a.it, 1 +itabenar.tk, 1 +itactiq.com, 1 +itactiq.info, 1 +itad.top, 1 +itaiferber.net, 1 +itaindustrial.com.br, 1 +itaja.com, 1 +itakunai-shika.com, 1 +italbavaro.com, 1 +italdesign.it, 1 +italentado.ml, 1 +italia-facile.ru, 1 +italiaeconomy.it, 1 +italiale.tk, 1 +italian-shoes.tk, 1 +italiana-lacrima.tk, 1 +italiancarservice.nl, 1 +italianerd.com, 1 +italianerd.it, 1 +italianettepizza.com, 1 +italianfoodonlinestores.com, 1 +italianforkids.com.au, 1 +italianhelper.com, 1 +italianluxuryinter.cf, 1 +italianluxuryinter.ga, 1 +italianluxuryinter.gq, 1 +italiano-bello.com, 1 +italianpillow.com, 1 +italianracingteam.tk, 1 +italiansrent.com, 1 +italiansrit.tk, 1 +italianweddingmusicians.com, 1 +italianweddingvideographers.com, 1 +italiasera.it, 1 +italiataxi.ru, 1 +italiatopnews.tk, 1 +italiensk-tolk.dk, 1 +italik.co.uk, 1 +italjet-tuning.tk, 1 +italk.ml, 1 +italserrande.it, 1 +italyinspires.com, 1 +italyisbeautiful.com, 1 +italyspecialty.coffee, 1 +itamservices.nl, 1 +itap.gov, 1 +itape.com, 0 +itaro.bot, 1 +itaro.ee, 1 +itaro.eu, 1 +itascacountymn.gov, 1 +itasis.com.br, 1 +itasolution.it, 1 +itb-online.co.uk, 1 +itbog.org, 1 +itbolagmedipv6.se, 1 +itbrief.asia, 1 +itbrief.co.nz, 1 +itbrief.com.au, 1 +itbrouwerij.be, 1 +itc-lucke.com, 1 +itcamefromtheunderground.tk, 1 +itcbuerobedarf.de, 1 +itcentroamerica.com, 1 +itchy.nl, 1 +itchybrainscentral.com, 1 +itcinfotech.com, 1 +itcloud.ca, 1 +itclub.me, 1 +itclubonline.tk, 1 +itcommodities.club, 1 +itcompanies.net, 1 +itconsulting-wolfinger.de, 1 +itcoolie.in, 1 +itcreative.ro, 1 +itcs.services, 1 +itcyber.pl, 1 +itcybersecurity.gr, 1 +itdashboard.gov, 1 +itdata.tk, 1 +itdoneproperly.com, 1 +itds-consulting.com, 1 +itds-consulting.eu, 1 +itdutchie.com, 1 +itechbrand.com, 1 +itechfast.tk, 1 +itechpros.com.au, 1 +itecor.net, 0 +iteecafe.hu, 1 +itefix.net, 1 +itefix.no, 1 +iteha.de, 1 +iteke.ml, 1 +iteke.tk, 1 +iteks.fr, 1 +iteksys.ru, 1 +item.no, 1 +itemcreator.tk, 1 +itemmc.com, 1 +itempathy.com, 1 +iteon.pl, 1 +itepechi.me, 1 +iteracy.com, 1 +iternova.net, 1 +itero.eu, 1 +iterror.co, 1 +itexpert12.tk, 1 +itexplaineders.ga, 1 +itexplainedest.ga, 1 +itezu.ml, 1 +itfall.tk, 1 +itfh.eu, 0 +itfirmaet.dk, 1 +itfix.org.uk, 1 +itgeeks.nl, 1 +itgoesup.com, 1 +itgoesupent.com, 1 +itgoesupentertainment.com, 1 +ithakama.com, 1 +ithakama.cz, 1 +ithenrik.com, 1 +ithillel.ua, 1 +ithinc.net, 1 +ithjalpforetag.se, 1 +ithmaarbank.com, 1 +ithriveedinburgh.org.uk, 1 +ithuthuat.vn, 1 +itidying.com, 1 +itikon.com, 1 +itilo.de, 0 +itinerance.ca, 1 +itinero.xyz, 1 +itioc10.tk, 1 +itis.gov, 1 +itis4u.ch, 1 +itisjustnot.cricket, 1 +itisyourmoney.co.uk, 1 +itiweb.tk, 1 +itk.se, 1 +itleaked.gq, 1 +itlg.ru, 1 +itlife.tk, 1 +itlitera.com, 1 +itlog.tk, 1 +itlogic.com.au, 1 +itludens.com, 1 +itmastersupport.tk, 1 +itmatournai.tk, 1 +itmax.ua, 1 +itmedicinai.lt, 1 +itmindscape.com, 1 +itmustbee.com, 1 +itmx.cc, 0 +itnet.com.ua, 1 +itninja.one, 1 +itnota.com, 1 +itnow.ng, 1 +itnsusa.com, 1 +itoady.com, 1 +itochan.jp, 1 +itoezichtprotocol.nl, 1 +itoma.tech, 1 +itondersteuning.eu, 1 +itotalaccess.net, 1 +itouriria.com, 1 +itoxic.tk, 1 +itpanda.pl, 1 +itparty.tk, 1 +itpaukku.tk, 1 +itpedia.nl, 1 +itperm.tk, 1 +itplace.bg, 1 +itpol.dk, 1 +itpress.fi, 1 +itpro.ua, 1 +itprotect.pl, 1 +itradeit.in, 1 +itradenetwork.com, 1 +itraffic.cf, 1 +itraffic.tk, 1 +itraincalisthenic.com, 1 +itraveille.fr, 1 +itravelbg.com, 1 +itraveller.net, 1 +itreboot.co.nz, 1 +itrendbuzz.com, 1 +itrew.ru, 1 +itrezzo.com, 1 +itrio.pet, 1 +itrodeo.com, 1 +itrollskogens.tk, 1 +itruss.com.tw, 1 +itruth.tk, 1 +its-aeth.tk, 1 +its-em.ma, 1 +its-gutachten.de, 1 +its-not-your.business, 1 +its-schindler.de, 1 +its-taxi.nl, 1 +its-v.de, 1 +its.gov, 1 +its420somewhere.com, 1 +its4living.com, 1 +its5oclock.eu, 1 +itsabouncything.com, 1 +itsacheckmate.com, 1 +itsakerhetspodden.se, 1 +itsalan.tk, 1 +itsallmath.org, 1 +itsanicedoor.co.uk, 1 +itsaw.de, 1 +itsayardlife.com, 1 +itsbananas.life, 1 +itsbrightly.com, 1 +itsburning.nl, 1 +itscalculator.com, 1 +itscc.kr, 1 +itsch-itsche.com, 1 +itsdcdn.com, 1 +itsec.link, 1 +itsecblog.de, 1 +itsecboecker.de, 1 +itsecrnd.com, 1 +itsecuritycoach.com, 1 +itseeze.com, 1 +itservis.org, 1 +itsevann.com, 1 +itsevident.com, 1 +itsforu.de, 1 +itsgottabedark.com, 1 +itsgreener.com, 1 +itshamradio.com, 1 +itshka.rv.ua, 1 +itsig-faq.de, 1 +itsloution.tk, 1 +itsm.tools, 1 +itsmeaxel.ovh, 1 +itsmycode.com, 1 +itsmyparty.ie, 1 +itsnotnot.tk, 1 +itsnotquitethehilton.com, 0 +itsnudi.com.br, 1 +itsoft.ru, 1 +itsok.de, 1 +itsok.link, 1 +itsoluciones.com.co, 1 +itspartytimeonline.co.uk, 1 +itspartytimesweetinflations.com, 1 +itspersonalizeders.ga, 1 +itspersonalizedest.ga, 1 +itspersonaltraining.nl, 1 +itsquiet.org, 1 +itsrana.com, 1 +itssolidest.ga, 1 +itsstefan.eu, 1 +itstartswithme.ca, 1 +itstatic.tech, 1 +itstimetravel.com, 1 +itsuitsyou.co.za, 1 +itsuka-world.com, 1 +itsundef.in, 0 +itsupport24.tk, 1 +itsupportguys.com, 1 +itswincer.com, 1 +itsybitsytrees.com, 1 +itsynergy.co.uk, 1 +itt-shop.bg, 1 +itt-shop.com, 1 +itt-us.com, 1 +ittgame.tk, 1 +ittreservations.com, 1 +ittykins.com, 1 +itunesgiftcard.in.th, 1 +itur.co.il, 1 +itvaatlik.ee, 1 +itvia.email, 1 +itvia.eu, 1 +itvia.net, 1 +itvia.org, 1 +itviec.com, 1 +itvirtual.tk, 1 +itw.com, 1 +itweak.tk, 1 +itwebentwicklung.de, 1 +itwell.cz, 1 +itwofm.com, 1 +itwolfcl.tk, 1 +itworks.nyc, 1 +itwozi.com, 0 +itx.no, 1 +itxartu.tk, 1 +itxlatam.com, 1 +itxn.cn, 0 +itxnorge.no, 1 +itxuc.com, 1 +ityug247.com, 1 +itzahammer.tk, 1 +itzamnaxelahomestay.tk, 1 +itzap.com.au, 1 +itzer.de, 1 +itzine.ru, 1 +itzkavin.tk, 1 +itzlive.tk, 1 +iubuniversity.tk, 1 +iurisnovagestion.es, 0 +iusedtobelieve.com, 1 +iuspenal.com, 1 +iv-vr.com, 1 +iv-well.com, 1 +iv.pl, 0 +iv4kiso.com, 1 +ivahbbiz.tk, 1 +ivan-maliy.tk, 1 +ivan-popov.tk, 1 +ivan-tadej.tk, 1 +ivan-varga.tk, 1 +ivan1874.cf, 1 +ivan1874.dynu.net, 1 +ivan770.me, 1 +ivana-models-escortservice.de, 0 +ivanaleksandrov.com, 1 +ivanbenito.com, 1 +ivancacic.com, 0 +ivandafish.net, 1 +ivanderevianko.com, 1 +ivanesalud.com, 1 +ivanilla.org, 1 +ivanime.com, 1 +ivankuchin.tk, 1 +ivanmeade.com, 1 +ivanov.icu, 1 +ivanovka.ga, 1 +ivanovocity.tk, 1 +ivanovolive.ru, 1 +ivanpolchenko.com, 1 +ivantedesco.tk, 1 +ivanwolf.ga, 1 +ivanya.tk, 1 +ivanzorin.cf, 1 +ivdnt.org, 1 +ivelop.me, 0 +ivendi.com, 1 +iventishirts.com, 1 +ivermectin.gq, 1 +ivermectinc19.com, 1 +ivertubani.com, 1 +ivetazivot.cz, 1 +ivetebolos.com.br, 1 +ivfausland.de, 1 +ivi.cx, 1 +ivifashion.tk, 1 +ivioschool.nl, 1 +ivisa.ga, 1 +ivisitkorea.com, 1 +ivisitorinsurance.com, 1 +ivixor.ru, 1 +ivjose.com, 0 +ivkom.com, 1 +ivkymppi.fi, 1 +ivmmeta.com, 1 +ivmstatus.com, 1 +ivn555.tk, 1 +ivn777.tk, 1 +ivn888.tk, 1 +ivn999.com, 0 +ivnext.org, 1 +ivo-ouwerkerk.nl, 1 +ivo.co.za, 1 +ivocopro.com, 1 +ivocotec.com, 1 +ivoid.cf, 1 +ivopetkov.com, 1 +ivor.io, 1 +ivor.is, 1 +ivorvanhese.com, 1 +ivorvanhese.nl, 1 +ivory.com, 1 +ivory.de, 1 +ivoryandgrace.com, 1 +ivoryhomes.com, 1 +ivoryonsunset.com, 1 +ivotemahdi.com, 1 +ivoucher-kuwait.com, 1 +ivpark.fr, 1 +ivpbot.tk, 1 +ivpn.net, 1 +ivr.fi, 0 +ivre.rocks, 1 +ivrn.net, 1 +ivs-tech.ru, 1 +ivsign.net, 1 +ivtherapyclinic.ru, 1 +ivy-league-colleges.com, 1 +ivyandrose.co, 1 +ivyhelpers.com, 1 +ivypanda.com, 1 +ivyseeds.cf, 1 +iwalton.com, 1 +iwant.cz, 1 +iwantexchange.com, 1 +iwantpayments.com, 1 +iwanttrack.com, 1 +iwantyoutocomment.tk, 1 +iwascoding.com, 1 +iwascoding.de, 1 +iwasfit.com, 1 +iwashealthy.com, 1 +iwatchcops.com, 1 +iwatchcops.org, 1 +iwatchla.net, 1 +iwate-shien-r5.com, 1 +iwate-tabipro-ver4.jp, 1 +iwatt.sk, 1 +iwch.tk, 1 +iwd.gc.ca, 1 +iwebdna.com, 1 +iwebing.tk, 1 +iweblab.it, 1 +iwebolutions.com, 1 +iwebsolution.tk, 1 +iwec.pk, 1 +iwex.swiss, 1 +iwf.sport, 1 +iwhite.tk, 1 +iwiki.net, 1 +iwismer.ca, 1 +iwmf.ir, 1 +iwonder.tw, 1 +iwp.ch, 1 +iwtsd.gov, 1 +iww.me, 1 +iww.mx, 1 +iww.org.au, 1 +iww.org.nz, 1 +ix.run, 1 +ix8.ru, 0 +ixiaqu.com, 0 +ixir.gen.tr, 1 +ixit.cz, 1 +ixn.com, 1 +ixoso.com, 1 +ixplayer.com, 1 +ixquick-proxy.com, 1 +ixquick.co.uk, 1 +ixquick.com, 1 +ixquick.de, 1 +ixquick.eu, 1 +ixquick.fr, 1 +ixquick.info, 1 +ixquick.nl, 1 +ixtan.ga, 1 +ixware.de, 1 +ixxat.com, 0 +ixypsilon.net, 1 +iy.uy, 1 +iyadalkassab.com, 1 +iyan.es, 1 +iyanmv.com, 1 +iyassu.com, 1 +iyc.web.tr, 1 +iyiarastir.com, 1 +iyibul.net, 1 +iyinolaashafa.com, 1 +iyn.me, 1 +iyouewo.com, 1 +iyoumu.top, 1 +iyspanel.com, 1 +iyume.top, 1 +iz8mbw.net, 1 +izabava.tk, 1 +izabel.tk, 1 +izamulhakeem.tk, 1 +izana.com.br, 1 +izanagi52.ddns.net, 1 +izapi4.fr, 1 +izavel.com, 1 +izb.se, 1 +izbirateli.com, 1 +izecubz.me, 1 +izedge.com, 1 +izi-agency.com, 1 +izipik.gq, 1 +izkustvo.com, 1 +izleorg2.org, 1 +izm.ovh, 1 +izmail-invertor.com.ua, 1 +izmailovo.tk, 1 +izmir-media.cf, 1 +izmir-media.ga, 1 +izmir-media.gq, 1 +izmir-organizasyon.tk, 1 +izmirarabakiralama.name.tr, 1 +izmirarackiralama.name.tr, 1 +izmirescort.tk, 1 +izmireskortlari.tk, 1 +izmirgideracma.com, 1 +izmirotokiralama.name.tr, 1 +izmirprotestan.org, 1 +izmirrentacar.name.tr, 1 +izmirtemizlik.tk, 1 +izodiacsigns.com, 1 +izs.me, 1 +izttech.com, 1 +izuba.info, 0 +izumi-hirodental.com, 1 +izumi-ryokan.com, 1 +izumrudniy.tk, 1 +izvorul-bucovinei.ro, 1 +izxxs.com, 1 +izxxs.net, 1 +izxzw.net, 1 +izzardink.com, 1 +izzqz.me, 1 +izzy.is, 1 +izzy.kiwi, 1 +izzycat.net, 1 +izzymendosa.net, 1 +izzyontour.tk, 1 +j-annonce.co.il, 1 +j-harrison-media.co.uk, 1 +j-harrison.co.uk, 1 +j-library.com, 1 +j-maxton.de, 1 +j-ph.ovh, 1 +j-robertson.com, 1 +j00228.com, 1 +j05.cn, 1 +j0bs.org, 1 +j0e.com, 1 +j0hn.net, 0 +j0hndball.com, 1 +j0m.de, 1 +j0s.eu, 1 +j15h.nu, 1 +j1visahealthinsurance.com, 1 +j2ee.cz, 1 +j2h.de, 1 +j3.cn, 1 +j32663.com, 1 +j32665.com, 1 +j32773.com, 1 +j32774.com, 1 +j32b.com, 1 +j365.me, 1 +j36533.com, 1 +j3dpd.com, 1 +j3e.de, 1 +j4m.xyz, 1 +j5197.co, 1 +j5lx.de, 1 +j5lx.eu, 1 +j5lx.io, 1 +j5s7.de, 1 +j5y.de, 1 +j605.tk, 1 +j6729.co, 1 +j6729.com, 1 +j6957.co, 1 +j6957.com, 0 +j70111.com, 0 +j70222.com, 0 +j70333.com, 0 +j70444.com, 0 +j70555.com, 0 +j82365.com, 1 +j8jp.com, 0 +j9.ag, 0 +j9297.co, 1 +j9507.com, 0 +j9508.com, 0 +j9514.com, 0 +j95app.com, 0 +j95bb.com, 0 +j95cc.com, 0 +j95dd.com, 0 +j95ee.com, 0 +j95ios.com, 0 +j95ss.com, 0 +j95xx.com, 0 +j95zz.com, 0 +j9728.co, 1 +ja-jirei-ienohikari.com, 1 +ja-no-me.ru, 1 +ja-sobstvennik.tk, 1 +ja-tay.sr, 1 +ja-youth.jp, 1 +ja-zur-gs.de, 1 +ja1deijssel.tk, 1 +jaago-pakistan.tk, 1 +jaajko.com, 1 +jaajko.eu, 1 +jaajko.fi, 1 +jaajko.me.uk, 1 +jaajko.site, 1 +jaajko.xyz, 1 +jaakkohannikainen.fi, 1 +jaalits.com, 1 +jaamaa.com, 1 +jaanikese.edu.ee, 1 +jaarverslagveere.nl, 1 +jaaxypro.com, 1 +jab-graphics.com, 1 +jaba.hosting, 1 +jababu.cz, 1 +jabagly.com, 1 +jabal-aqel-albab.tk, 1 +jabba.homelinux.org, 1 +jabbari.io, 1 +jabbas.eu, 1 +jabber.at, 1 +jabber.uk, 1 +jabberd.org, 1 +jabberdog.tk, 1 +jabberfr.org, 1 +jabbers.one, 1 +jabberster.tk, 1 +jabboworld.tk, 1 +jaberg-rutschi.ch, 1 +jabergrutschi.ch, 1 +jabjab.de, 1 +jabou.co.uk, 1 +jabramson.com, 1 +jabramson.net, 1 +jabsolutions.tk, 1 +jacaranda-deutschland.org, 1 +jaccblog.com, 1 +jacek.pro, 1 +jacekowski.org, 1 +jachtbouw.eu, 1 +jachtypruszynski.pl, 1 +jacik.cz, 1 +jack-daw.com, 1 +jack-p2.tech, 1 +jack.fr.eu.org, 1 +jack2celebrities.com, 1 +jackafur.net, 1 +jackal-cogito.tk, 1 +jackandrascals.com, 1 +jackarmail.eu, 1 +jackass-as.com, 1 +jackassofalltrades.org, 1 +jackbauer.tk, 1 +jackblues.tk, 1 +jackdanielssauces.com, 1 +jackdawphoto.co.uk, 1 +jacket-coat.tk, 1 +jackets-coats.tk, 1 +jackets-coatsplus.tk, 1 +jackets-for-men.tk, 1 +jackf.me, 1 +jackgames.net, 1 +jackgreiner.ca, 1 +jackhammerinteractive.com, 1 +jackhoodtransportation.com, 1 +jackienguyen.dk, 1 +jackiestp.com, 1 +jackingramnissanparts.com, 1 +jackinmybox.com, 1 +jackjack.ga, 1 +jackmail.tk, 1 +jackmcgregor.uk, 1 +jackmechanic.com, 1 +jackob.tk, 1 +jackops.com, 1 +jackpothappy.com, 1 +jackripper.tk, 1 +jackrussel.tk, 1 +jackrusselterrier.com.br, 1 +jacksanalytics.com, 1 +jacksball.com, 1 +jacksfeestverhuur.nl, 1 +jackson-quon.com, 1 +jacksonchen666.com, 1 +jacksoncountyfl.gov, 1 +jacksoncountyor.gov, 1 +jacksoncountytn.gov, 1 +jacksoncountywi.gov, 1 +jacksonfdwi.gov, 1 +jacksongoo.de, 1 +jacksonportwi.gov, 1 +jacksonsykes.com, 1 +jacksontwpclermontoh.gov, 1 +jacksontwpfranklinoh.gov, 1 +jacksontwpmcpa.gov, 1 +jacksonville.gov, 1 +jacksonvilleal.gov, 1 +jacksonvillebeach.gov, 1 +jacksorrell.com, 1 +jackspub.net, 1 +jackstone.tk, 1 +jacksutton.info, 1 +jacktor.com, 1 +jackvaley.com, 1 +jackwarren.info, 1 +jackwu.net, 1 +jackylawless.net, 1 +jackyliao.me, 1 +jackyliao123.tk, 1 +jackyyf.com, 0 +jaco.by, 0 +jacobenjogchum.tk, 1 +jacobey.net, 1 +jacobi-server.de, 1 +jacobian.org, 1 +jacobjangles.com, 1 +jacobo.tk, 1 +jacobsenarquitetura.com, 1 +jacobsmeubels.nl, 1 +jacobspctuneup.tk, 1 +jacobtamassiaadvocacia.adv.br, 1 +jacobtaylor.id.au, 1 +jacool.tk, 1 +jacopo.tk, 1 +jacopomolina.me, 1 +jacquant.be, 1 +jacquelinebellefontaine.co.uk, 1 +jacquelinesdream.tk, 1 +jacquesdedixmude.eu, 1 +jacquesfrantz.com, 1 +jaculus.eu, 0 +jad.so, 1 +jadara.info, 1 +jadchaar.me, 1 +jadedmonkey.tk, 1 +jadehairstyle.nl, 1 +jadelsbach.de, 1 +jadesong.cn, 1 +jadesong.net, 1 +jadid-alwadifa.com, 1 +jadidgroup.com, 1 +jadiercms.cf, 1 +jadopado.com, 1 +jadox.com, 1 +jaduniv.cf, 1 +jae.su, 1 +jae.zone, 1 +jaeger.link, 1 +jaehyeon.it, 1 +jaenparaisointerior.es, 1 +jaepinformatica.com, 1 +jaetech.org, 1 +jafarmehdipor.ga, 1 +jag-meccar.tk, 1 +jaga-me.com, 1 +jagad.id, 1 +jagadhatrionline.co.in, 1 +jagaimo.works, 1 +jagan.be, 1 +jagar.com.pl, 1 +jagatreview.com, 1 +jagbouncycastles.co.uk, 1 +jagerkin.tk, 1 +jagerman.com, 1 +jagogame.tk, 1 +jags.tk, 1 +jagspecialisters.ga, 1 +jagspecialistest.ga, 1 +jagsttalschule.de, 1 +jaguar-network.com, 1 +jaguarkuda.com, 1 +jaguarlandrover-asse.be, 1 +jaguarlandrover-occasions.be, 1 +jahanaisamu.com, 1 +jahidhasanmurad.tk, 1 +jahimees.ee, 1 +jahit.tk, 1 +jahner.xyz, 1 +jahubar.tk, 1 +jaialdi.tk, 1 +jaiho-zeetoz1server.ga, 1 +jailbait.ml, 1 +jailbreakingisnotacrime.org, 1 +jailfood.ga, 1 +jailfooders.ga, 1 +jailfoodest.ga, 1 +jailstorm.ml, 1 +jaimechanaga.com, 1 +jainmantras.com, 1 +jaion.tech, 1 +jaion.xyz, 1 +jaipurescort.club, 1 +jaipurescortagency.com, 1 +jairoenfrancien.tk, 1 +jaisiam.co.th, 1 +jaisin.com, 1 +jaispirit.com, 1 +jaiyen.com, 1 +jaiyun.tk, 1 +jajce.tk, 1 +jajojababy.com, 1 +jajycycojota.cf, 1 +jakabszallas.hu, 1 +jakarta-tourism.go.id, 1 +jakarta.ee, 1 +jakartaone.org, 1 +jakartaurbanhosting.com, 1 +jakdelatseo.cz, 1 +jake.eu.org, 1 +jake.ml, 1 +jake.nom.za, 1 +jake.rodeo, 1 +jakegyllenhaal.ga, 1 +jakemansfield.com, 1 +jakereynolds.co, 1 +jakeross.me, 1 +jakerullman.com, 0 +jakeslab.tech, 1 +jakewales.com, 1 +jakincode.army, 1 +jakincode.com, 1 +jako.tk, 1 +jakob-bleek.de, 1 +jakob-server.tk, 1 +jakobczyk.org, 1 +jakobejitblokaci.cz, 1 +jakobhildebrand.de, 1 +jakobkrigovsky.com, 1 +jakobs.systems, 1 +jakobssystems.net, 1 +jakpost.net, 1 +jakpremyslet.cz, 1 +jakse.fr, 1 +jaksi.io, 1 +jaktang.com, 1 +jakub-boucek.cz, 1 +jakubarbet.eu, 1 +jakubboucek.cz, 1 +jakubklimek.com, 1 +jakubmeysner.com, 1 +jakubsindelar.cz, 1 +jakubvrba.cz, 1 +jakumammy.pl, 1 +jakzostacmilionerem.biz, 1 +jal-ja.com, 1 +jala.tech, 0 +jalebiyat.tk, 1 +jaleesa.sa, 1 +jaleo.cn, 1 +jaliscolindo.tk, 1 +jall.com.br, 1 +jallatte.fr, 1 +jallenfabric.com, 1 +jaloozone.ml, 1 +jalopnik.com, 1 +jaluzelemoderne.ro, 1 +jaluziperde.tk, 1 +jamaat.hk, 1 +jamaica.gq, 1 +jamaicabeachtx.gov, 1 +jamally.co.za, 1 +jambapp.org, 1 +jambb.nu, 1 +jamberry.com.mx, 1 +jambihackerlink.tk, 1 +jambing.cn, 1 +jamboree.online, 1 +jambox.ca, 1 +jambox.pl, 1 +jamcyberinc.com, 1 +jamdro.id, 1 +jamelhammoud.com, 1 +james-bell.co.uk, 1 +james-parker.com, 0 +james.cyou, 1 +james.je, 1 +james.pub, 1 +jamesachambers.com, 1 +jamesaimonetti.com, 1 +jamesandeverett.com, 1 +jamesbillingham.com, 1 +jamesbromberger.com, 1 +jamesbrown.cn, 1 +jamesbrown.us, 1 +jameschorlton.co.uk, 1 +jamesconroyfinn.com, 0 +jamesdorf.com, 1 +jamesedition.com, 1 +jamesevans.is, 1 +jamesgarrigan.info, 1 +jamesgarrigan.nyc, 1 +jamesgreenfield.com, 1 +jameshawk.pl, 1 +jamesheald.com, 1 +jameshenderson.online, 1 +jameshost.net, 1 +jameside.com, 1 +jamesj.me, 0 +jamesjboyer.com, 1 +jamesjj.net, 1 +jamesknd.uk, 0 +jamesl.tk, 1 +jameslahey.com, 1 +jamesmarsh.net, 1 +jamesmcnee.co.uk, 1 +jamesmcnee.com, 1 +jamesmorrison.me, 1 +jamesmurphy.tk, 1 +jamesplumbingcompanypasadenatx.com, 1 +jamespreade.xyz, 1 +jamesredmond.tk, 1 +jamesrobertson.net, 1 +jamesrobertson.sh, 1 +jamesross.name, 1 +jamesrtyrrell.com, 1 +jamessliu.com, 1 +jamessmith.me.uk, 1 +jamestgh.com, 1 +jamestilburg.nl, 1 +jamestmart.in, 1 +jamestown.de, 0 +jamestowncando-nc.gov, 1 +jamesturnerstickley.com, 1 +jameswarp.com, 1 +jameswhite.tech, 1 +jamesxu.com, 1 +jameszero.net, 1 +jamfm.tk, 1 +jamhost.org, 1 +jamie-read-photography.com, 1 +jamie.cymru, 1 +jamie.wales, 1 +jamieb.org, 1 +jamiehansonyoga.com, 1 +jamiehenrybrown.co.uk, 1 +jamiejones.cymru, 1 +jamiejones.wales, 1 +jamielinux.com, 1 +jamiemagee.co.uk, 1 +jamiemagee.dk, 1 +jamiematthews.ml, 1 +jamiepleasants.com, 1 +jamiesnape.io, 1 +jamieweb.net, 1 +jamiiforums.com, 1 +jaminidesign.com, 1 +jamiviz.com, 1 +jamjestsimon.pl, 1 +jamloop.com, 1 +jammucake.com, 1 +jammy4312.me, 1 +jammysplodgers.co.uk, 1 +jamonesrute.com, 1 +jamonsilva.com, 1 +jamstack.icu, 1 +jamstallt.se, 1 +jamstatic.fr, 0 +jamukmod.com, 1 +jamusa.tk, 1 +jamyeprice.com, 0 +jan-and-maaret.de, 1 +jan-becker.com, 1 +jan-bretschneider.de, 1 +jan-bucher.ch, 1 +jan-daniels.de, 1 +jan-graca.tk, 1 +jan-hill.com, 1 +jan-melcher.de, 1 +jan-reiss.de, 1 +jan-rieger.de, 1 +jan-roenspies.de, 1 +jan-von.de, 1 +jan.gl, 1 +jana-rambusch.net, 1 +janada.cz, 1 +janaundgeorgsagenja.eu, 1 +janavish.tk, 1 +janbanach.com.pl, 1 +janbennink.com, 1 +janbilek.cz, 1 +janbretschneider.de, 1 +janbruckner.de, 1 +jancosales.com, 1 +jandenhertog.nl, 1 +jandenul.com, 1 +jandesign.at, 1 +jandev.de, 1 +jandj.yachts, 0 +jandonkers.com, 1 +jandroegehoff.de, 1 +janduchene.ch, 1 +janelauhomes.com, 1 +janelle-jamer.tk, 1 +janellequintana.tk, 1 +janenwouter.tk, 1 +janes.com, 0 +janesaddiction.org, 1 +janetandjohns.tk, 1 +janetedkins.com, 1 +janeweeber.com, 1 +janey.cf, 1 +janeymac.com, 1 +janfennell.tk, 1 +jangl.com, 1 +janheidler.dynv6.net, 1 +janhermann.cz, 1 +janhuelsmann.com, 1 +jani.media, 1 +janik.cz, 1 +janikrabe.com, 1 +janilowski.pl, 1 +janime.top, 1 +janine-und-johannes.de, 1 +janjoris.nl, 1 +jankamp.com, 1 +janker.me, 1 +janklokman.tk, 1 +janmischo.it, 1 +jann.is, 1 +jannehonkonen.tk, 1 +jannes-althoff.de, 1 +jannesmeyer.com, 0 +jannetaflorist.com, 1 +jannhaber.de, 1 +jannis-goeing.de, 1 +jannisfink.de, 1 +janokacer.sk, 1 +janome.club, 1 +janome.com.ua, 1 +janonis.com, 1 +janoshida.hu, 1 +janostheil.de, 1 +janphilip-bernius.de, 1 +janroossien.nl, 1 +jans.cloud, 1 +janschaumann.de, 1 +jansendermatografie.nl, 1 +janservfl.com, 1 +janslab.pl, 1 +janssen.fm, 1 +janterpstra.eu, 1 +jantinaboelens.nl, 1 +january.com, 1 +janujani.com, 1 +janulkowedomki.pl, 1 +janus-it.pl, 1 +janv.it, 1 +janvanmechelen.tk, 1 +janvari.com, 1 +janvaribalint.com, 1 +janvidresearch.com, 1 +janw.me, 1 +janw.xyz, 1 +janwern.com, 1 +janwillhaus.de, 1 +jao-collection.com, 1 +jaot.info, 1 +jaotusvork.ee, 1 +japan-forum.nl, 1 +japan-tent.com, 1 +japan-xxxtube.com, 1 +japan.sh, 1 +japanasonic.ru, 1 +japanchiropractic.com.br, 1 +japanduhoc.com, 1 +japanese-cuisine.com, 1 +japanese-dominatrix.com, 1 +japanese-imperialism971.tk, 1 +japanese-tantra-escort.com, 1 +japaneseacupuncture.london, 1 +japaneseemoticons.org, 0 +japanesekeyboard.net, 1 +japanesemusic.tk, 1 +japanesephotosite.tk, 1 +japanesque.ru, 1 +japaniac.de, 1 +japanknives.tk, 1 +japannext.co.jp, 1 +japanphilosophy.com, 0 +japanporns.pro, 1 +japanroll.cf, 1 +japansepuzzel.tk, 1 +japantravel.tk, 1 +japanwatches.xyz, 1 +japanwowsex.com, 1 +jape.today, 1 +japico.or.jp, 1 +japlin.io, 1 +japlin.tk, 1 +japonskonamiru.cz, 1 +japonyol.net, 1 +japornpics-video.com, 1 +japornpics.com, 1 +jappleng.com, 1 +jaquelin.tk, 1 +jaquishbiomedical.com, 1 +jar.cool, 1 +jaraizaboli.tk, 1 +jaramilloconstrucciones.pe, 1 +jardelatacadao.com.br, 1 +jardigital.com.au, 1 +jardinderline.ch, 1 +jardineras.online, 1 +jardinesimperiales.com, 1 +jaredfernandez.com, 1 +jaredkunz.com, 1 +jaredonline.tk, 1 +jaredratcliff.com, 1 +jaredstevenson.com, 1 +jaresourcehub.org, 1 +jarett-lee.com, 1 +jarigvandaag.nl, 1 +jaris.fi, 1 +jarkkorahkonen.fi, 1 +jarl.ninja, 1 +jarlette.com, 1 +jarlstrom.com, 1 +jarmandental.com, 1 +jarmatys.pl, 1 +jarmix.fi, 1 +jarniashop.se, 1 +jarno.rocks, 1 +jarnobogaert.xyz, 1 +jarnskog.tk, 1 +jarodg.fr, 1 +jarods.org, 0 +jarofthread.com, 1 +jarondl.net, 1 +jaroslavc.eu, 1 +jarovske-udoli.cz, 1 +jarovskeudoli.cz, 1 +jarquedelaval.tk, 1 +jarrettgraham.com, 1 +jarritos.com.sg, 1 +jarritos.es, 1 +jarritosaustralia.com.au, 1 +jarritoseurope.eu, 1 +jarritosfrance.com, 1 +jarroba.com, 1 +jarrods.tech, 1 +jarry.io, 1 +jarsater.com, 0 +jarski.eu, 1 +jarvisairfoil.com, 1 +jas-ac.com, 1 +jas-team.net, 1 +jasasewaspg.com, 1 +jasch.tk, 1 +jaschaa.de, 1 +jasco.gov, 1 +jaseng.ga, 1 +jasewhite.com, 1 +jashinchan.cn, 1 +jasik.xyz, 1 +jasl.works, 1 +jasm1nii.xyz, 1 +jasminedirectory.com, 1 +jasminefields.net, 1 +jasminka.cz, 1 +jasminlive.cam, 1 +jasminsangels.com, 1 +jasminslife.com, 1 +jasminum.uk, 1 +jasmyn.tk, 1 +jasomill.at, 1 +jason-isaacs.tk, 1 +jason.red, 1 +jasonamorrow.com, 0 +jasonchampagne.fr, 1 +jasoncoopermd.com, 1 +jasoncosper.com, 1 +jasoncs.eu.org, 1 +jasongreenwell.com, 1 +jasonhardin.me, 1 +jasonisclever.com, 1 +jasonmili.online, 1 +jasonreadinglandscapes.com.au, 1 +jasonricketts.me, 1 +jasonsansone.com, 1 +jasonsplecoscichlids.com, 1 +jasonthai.me, 0 +jasonvillein.gov, 1 +jasonwei.nctu.me, 1 +jasonwongwr.com, 1 +jasper.link, 1 +jasper.pt, 1 +jasperhammink.com, 0 +jasperhugo.com, 1 +jasperhuttenmedia.com, 1 +jaspernbrouwer.nl, 1 +jasperpatterson.com, 1 +jasperpatterson.me, 1 +jasperpatterson.net, 1 +jaspersreef.com, 1 +jaspertn.gov, 1 +jasperyang.cn, 1 +jaspven.net, 1 +jaspyrbooks.com, 1 +jassecharlie.com, 1 +jastrow.me, 1 +jaszbereny-vechta.eu, 1 +jatekjatek.hu, 1 +jatekvasarlas.hu, 1 +jateng.press, 1 +jatiwahidfurniture.com, 0 +jatransportadora.com, 1 +jaumepons.net, 1 +jav.st, 1 +java-fan.tk, 1 +java-for-minecraft.com, 1 +java-tracking.gq, 1 +javaanalysisers.ga, 1 +javaanalysisest.ga, 1 +javabahia.tk, 1 +javabc.com, 1 +javabot.ml, 1 +javacakegames.com, 1 +javachinna.com, 1 +javaexpert.tk, 1 +javafactory.io, 1 +javafiles.tk, 1 +javafluers.ga, 1 +javafluest.ga, 1 +javan.de, 1 +javanguiano.mx, 0 +javapost.tk, 1 +javasaranamitrasejati.com, 1 +javascriptlab.fr, 1 +javaweb.site, 1 +javaxxz.com, 1 +javedali.tk, 1 +javedhasrat.com, 1 +javfree.me, 1 +javi-soleil.tk, 1 +javierbalvin.com, 1 +javierbarrio.com, 1 +javierfalcon.tk, 1 +javierflorescastillero.es, 1 +javiergddw.com, 1 +javierguandalini.com, 1 +javierjurado.tk, 1 +javiermascherano.tk, 1 +javiersanchez.tk, 1 +javiscoffee.com, 1 +javitron.tk, 1 +javleech.com, 1 +javorina.tk, 1 +javsod.top, 1 +jawharati.tk, 1 +jawo2008.pl, 1 +jaxfstk.com, 1 +jaxxnet.co.uk, 1 +jaxxnet.org, 1 +jay4.is, 1 +jay6.tech, 1 +jayanthreddy.ml, 1 +jayantkageri.in, 1 +jaybeez.tk, 1 +jaybrokers.com, 1 +jayf.de, 1 +jayfreestone.com, 1 +jayharkess.uk, 1 +jayharris.ca, 1 +jayhost.cf, 1 +jayhost.tk, 1 +jayjardine.cf, 1 +jayjardine.ga, 1 +jayjardine.gq, 1 +jayjardine.ml, 1 +jaykuhns.com, 1 +jaylewis.us, 1 +jaylineko.com, 1 +jaymecd.rocks, 1 +jaypandit.me, 1 +jaypark.gq, 1 +jaypeeaman.in, 1 +jaypeeonline.tk, 1 +jayrl.com, 1 +jaysanart.com, 0 +jaysaw.me, 1 +jayschulman.com, 1 +jayspage.tk, 1 +jaytauron.xyz, 1 +jaytx.com, 1 +jayveel.nl, 1 +jayxon.com, 1 +jayxu.com, 1 +jazerxx.com, 1 +jazminguaramato.com, 1 +jazz-alliance.com, 1 +jazz-alliance.org, 1 +jazzab-online.tk, 1 +jazzanet.com, 1 +jazzapart.tk, 1 +jazzband.tk, 1 +jazzfeet.co.uk, 1 +jazzindeck.com, 1 +jazzman.tk, 1 +jazzy-feet.com, 1 +jazzy.id.au, 1 +jazzy.pro, 1 +jazzysumi.com, 1 +jazzyvsart.com, 1 +jb-pixel.tk, 1 +jb0.de, 1 +jb138.cc, 1 +jballelectronics.com, 1 +jbayetsecretariat.be, 1 +jbbd.fr, 1 +jbbdev.com, 1 +jbc88.cc, 1 +jbcharleston.com, 1 +jbcharlestonfss.tv, 1 +jbctransport.ca, 1 +jbdesignfoundations.com, 1 +jbdillon.com, 1 +jberlife.marketing, 1 +jbeta.is, 1 +jbidigital.co.uk, 1 +jblackweb.com, 1 +jblan.ca, 1 +jbloomphotography.com, 1 +jbmechanics.com, 1 +jbnetwork.org, 1 +jboats.com, 1 +jboho.com, 1 +jbond.tk, 1 +jbootsma.com, 1 +jbradaric.me, 1 +jbridal.com.au, 1 +jbs-jardins.ch, 0 +jbs.com.br, 1 +jbsinternational.com, 1 +jbsoftware.ca, 1 +jbspeakr.cc, 1 +jbt-stl.com, 1 +jc6.xyz, 1 +jc666.xyz, 1 +jcadg.com, 1 +jcaicedo.com, 1 +jcaicedo.tk, 1 +jcb.com, 1 +jcbaterias.com.br, 1 +jcbgolfandcountryclub.com, 1 +jcblagri.in, 1 +jccars-occasions.be, 1 +jcchen.art, 1 +jcchouinard.com, 1 +jcdenast.tk, 1 +jcelectronics.com.au, 1 +jcf-office.com, 1 +jchn.be, 1 +jci.bio, 1 +jci.care, 1 +jci.cc, 1 +jci.charity, 1 +jci.chat, 1 +jci.coach, 1 +jci.community, 1 +jci.contact, 1 +jci.direct, 1 +jci.domains, 1 +jci.education, 1 +jci.exchange, 1 +jci.fail, 1 +jci.fyi, 1 +jci.gallery, 1 +jci.gives, 1 +jci.graphics, 1 +jci.group, 1 +jci.guide, 1 +jci.how, 1 +jci.institute, 1 +jci.life, 1 +jci.live, 1 +jci.marketing, 1 +jci.me.uk, 1 +jci.media, 1 +jci.mobi, 1 +jci.name, 1 +jci.ooo, 1 +jci.org.uk, 1 +jci.photography, 1 +jci.pictures, 1 +jci.place, 1 +jci.productions, 1 +jci.promo, 1 +jci.pub, 1 +jci.studio, 1 +jci.systems, 1 +jci.tips, 1 +jci.university, 1 +jci.watch, 1 +jci.wiki, 1 +jci.works, 1 +jci.zone, 1 +jcinet.cc, 1 +jcinet.net, 1 +jcit.xyz, 1 +jclayton.com, 1 +jcleon.tk, 1 +jclp.cf, 1 +jclynne.com, 1 +jcm.cz, 1 +jcmo.gov, 1 +jcmunz.com, 1 +jcode.gov, 1 +jcontspoord.nl, 1 +jcor.me, 0 +jcoscia.com, 1 +jcphotography.dk, 1 +jcra.net, 1 +jcrhcdwy.gov, 1 +jcrobin56.fr, 1 +jcrooke.net, 1 +jcsava.gov, 1 +jcsolutions.tk, 1 +jcus.co, 1 +jcvignoli.com, 1 +jcwebtechnologies.com, 1 +jcwodan.nl, 1 +jd-group.co.uk, 0 +jd-trust.com, 1 +jd1.de, 1 +jd777.vip, 1 +jdc.io, 1 +jdcdirectsales.com, 1 +jdcdirectsales.com.ph, 1 +jdd888.cc, 1 +jdecommastermind.com, 1 +jdefreitas.com, 1 +jdelgado.fr, 1 +jdhigh.com, 1 +jdhouse.com.br, 1 +jdjamescorp.com, 1 +jdjohnsonmedia.com, 1 +jdjohnsonwaterproofing.com, 1 +jdlt.co.uk, 1 +jdm.elk.pl, 1 +jdm.pl, 1 +jdmgarage.com.au, 1 +jdoi.pw, 1 +jdpleisure.co.uk, 1 +jdscastlehire.co.uk, 1 +jdsecurity.com.au, 1 +jdsoft.eu, 1 +jdtangney.com, 1 +jdtic.com, 1 +jdtrust.net, 1 +jdtrust.one, 1 +jduarte.xyz, 1 +je-vends.fr, 0 +je-voyage.net, 1 +je.net.cn, 1 +je2050.de, 1 +jealousy.tk, 1 +jean-luc.org, 1 +jean-remy.ch, 1 +jeancafe.ddns.net, 1 +jeancampa.com, 1 +jeancardeno.com, 1 +jeancarlos.tk, 1 +jeanclaudegolvin.com, 1 +jeandanielfaessler.ch, 1 +jeanettevanrookhuizen.nl, 1 +jeangalea.com, 1 +jeangarcia.tk, 1 +jeaninformatico.tk, 1 +jeankygourmet.com, 1 +jeanmarieayer.ch, 1 +jeanmichelaudet.com, 1 +jeanmusic.tk, 1 +jeannecalment.com, 1 +jeannedekkers.tk, 1 +jeannekunst.tk, 1 +jeannelucienne.fr, 1 +jeannette-py.fr, 1 +jeanniegraefe.tk, 1 +jeannotbel.tk, 1 +jeannotjeux.fr, 1 +jeanphilippe.io, 1 +jeans-butik.tk, 1 +jeans-moda.tk, 1 +jeans-shopping.tk, 1 +jeans-stores.tk, 1 +jeansbutik.tk, 1 +jeansdemodacol.com, 1 +jeanslee.tk, 1 +jeansmoda.tk, 1 +jeansstyle.tk, 1 +jeanstastytreats.co.za, 1 +jeayalar.com, 1 +jec-dekrone.be, 1 +jecho.cn, 1 +jecjacshop.com, 1 +jecnetwork.gq, 1 +jed.site, 1 +jeda.ch, 1 +jeda.im, 1 +jedatw.com, 1 +jedayoshi.me, 1 +jedayoshi.tk, 1 +jedcg.com, 1 +jeddahlyn.nl, 1 +jedepannetonordi.ch, 0 +jedepannetonordi.com, 0 +jedepannetonordi.fr, 0 +jedi-master.tk, 1 +jedi-online.tk, 1 +jedicouncil.tk, 1 +jedilukmas.tk, 1 +jedora.com, 0 +jeek.jp, 0 +jeemain.org, 1 +jeep-diagnost.ml, 1 +jeep4ik.com, 1 +jeepeg.com, 1 +jeepspares.com.au, 1 +jeeptourpocos.com.br, 1 +jeeran.com, 1 +jeeranservices.com, 1 +jeetwin.com, 1 +jeevanmag.tk, 1 +jeevanpaul.in, 0 +jef.yt, 1 +jefaisducafe.mywire.org, 1 +jefcorlabs.com, 1 +jeff-dom.ovh, 1 +jeff.win, 1 +jeffcasavant.com, 0 +jeffcloninger.net, 1 +jeffcom911co.gov, 1 +jeffdaviscountyga.gov, 1 +jeffersoncountyks.gov, 1 +jeffersoncountyne.gov, 1 +jeffersoncountyny.gov, 1 +jeffersoncountyor.gov, 1 +jeffersoncountypa.gov, 1 +jeffersonknoxohio.gov, 1 +jeffersonkyattorney.gov, 1 +jeffersonohio.gov, 1 +jeffersonregan.co.uk, 1 +jeffersonregan.com, 1 +jeffersonregan.net, 1 +jeffersonregan.org, 1 +jeffersonsbourbon.com, 1 +jeffersonvillepdin.gov, 1 +jeffhoy.us, 1 +jeffhoyphotography.com, 1 +jeffhuxley.com, 1 +jeffok.com, 1 +jeffpenchoff.com, 1 +jeffreyhaferman.com, 1 +jeffri.me, 1 +jeffsanders.com, 1 +jeflix.stream, 1 +jefrydco.id, 1 +jefsweden.eu, 1 +jegkorongszovetseg.hu, 1 +jegos.tk, 1 +jehende.fr, 1 +jehjf.com, 1 +jehovahsays.net, 1 +jej.cz, 1 +jej.sk, 1 +jekadvantage.com, 1 +jekhar.com, 1 +jel-tech.com, 0 +jelena-adeli.com, 1 +jelena-karleusa.tk, 1 +jelenkovic.rs, 1 +jell.ie, 1 +jellebo.dk, 1 +jellekaufmann.nl, 1 +jelleluteijn.com, 1 +jelleluteijn.eu, 1 +jelleluteijn.net, 1 +jelleluteijn.nl, 1 +jelleluteijn.pro, 1 +jelleraaijmakers.nl, 1 +jellybeanpress.com, 1 +jellyfin.spdns.eu, 1 +jellyfish.co, 1 +jellyfishlivewire.co.uk, 1 +jellynails.tk, 1 +jellypepper.com, 1 +jellysquid.me, 1 +jelmer.co.uk, 1 +jelmer.uk, 1 +jelmoli-shop.ch, 1 +jelmyto.com, 0 +jelo.tk, 1 +jelobox.tk, 1 +jelocalise.fr, 1 +jem.gov, 1 +jem.style, 1 +jembatankarir.com, 1 +jemezdravo.eu, 1 +jemezsprings-nm.gov, 1 +jemnezymy.com, 1 +jemoreng.tk, 1 +jemputan-karyawan.site, 1 +jems-il.gov, 1 +jemshoes.com, 1 +jemyzdrowo.pl, 1 +jena-fans-aurich.tk, 1 +jena.de, 1 +jena.space, 0 +jencshiny-org.tk, 1 +jendela360.com, 1 +jendialmeditation.com, 1 +jendies.com, 1 +jenelle.ml, 1 +jeneratorkiralama.name.tr, 1 +jenever.amsterdam, 1 +jeney.eu, 1 +jenin.ml, 1 +jenkinscountyga.gov, 1 +jenkinsry.fi, 1 +jenn-pro-graphics.com, 1 +jennahunt.net, 1 +jenne.com, 1 +jennethaarfotografie.nl, 1 +jennette.tk, 1 +jennierobinson.com, 1 +jenniferbuslerinteriors.com, 1 +jenniferchan.id.au, 1 +jenniferehle.tk, 1 +jenniferengerwingaantrouwen.nl, 1 +jenniferfontaine.fr, 1 +jenniferhudsonshow.com, 1 +jenniferjoos.de, 1 +jenniferlucia.com, 1 +jennifermason.eu, 1 +jennifermorrisonart.com, 1 +jennifersauer.nl, 1 +jenniferschmidt.com.au, 1 +jennifertilly.tk, 1 +jenniwiltz.com, 1 +jennyjones.tk, 1 +jennymovies.com, 1 +jennysarl.ch, 0 +jennysbakery.com.au, 1 +jennysource.tk, 1 +jennystella.net, 1 +jennythebaker.com, 1 +jeno.cf, 1 +jenolson.net, 1 +jens-prangenberg.de, 1 +jens.hk, 1 +jensales.com, 1 +jensdesmeyter.be, 1 +jenskliewer.de, 1 +jensrex.dk, 1 +jents.ro, 1 +jenyak.com, 1 +jeoffrey-sanchez.ovh, 1 +jeon.cf, 0 +jepa.si, 1 +jepcraft.ddns.net, 1 +jeproteste.info, 1 +jeps.fi, 1 +jeremiahbenes.com, 1 +jeremiahlee.com, 1 +jeremiebt.com, 1 +jeremy-chen.org, 1 +jeremy-gautier.com, 1 +jeremy.hu, 1 +jeremyatwoodlaw.com, 1 +jeremybentham.com, 1 +jeremybloomfield.co.uk, 1 +jeremyc.ca, 0 +jeremycantu.com, 1 +jeremycrews.com, 1 +jeremyfaton.me, 1 +jeremyharnois.com, 1 +jeremyhodges.uk, 1 +jeremynally.com, 1 +jeremyness.com, 1 +jeremyrobinlyons.com, 1 +jeremysermersheim.com, 1 +jeremywinn.com, 1 +jeremywinn.xyz, 1 +jerichoproject.org, 1 +jerisandoval.tk, 1 +jermann.biz, 1 +jeroendeneef.com, 1 +jeroened.be, 1 +jeroenensanne.wedding, 1 +jeroenstekelenburg.nl, 1 +jerome-r.tk, 1 +jerome.to, 1 +jeromecountyid.gov, 1 +jeromequezel.fr, 1 +jerometejano.tk, 1 +jerret.de, 1 +jerridoswell.tk, 1 +jerryabrams.com, 0 +jerrybustillo.tk, 1 +jerrychacon.com, 1 +jerrysretailstores.com, 1 +jerryweb.org, 1 +jerryyu.ca, 1 +jersec.com, 1 +jerseybikehire.co.uk, 1 +jerseycounty-il.gov, 1 +jerseycountyclerk-il.gov, 1 +jerseyink.net, 1 +jerseyjumpingbeans.co.uk, 1 +jerseylvi2013.org, 1 +jerseywater.je, 1 +jerusalem.estate, 1 +jerusalempersonals.ml, 1 +jerusalempersonalsers.ga, 1 +jerusalempersonalsest.ga, 1 +jerusalemplus.tv, 1 +jesec.cn, 1 +jesec.io, 1 +jesen.org, 1 +jesiensredniowiecza.pl, 1 +jesmatboutique.com, 1 +jesmh.de, 1 +jesolo.tk, 1 +jesperandersson.tk, 1 +jespersen.tk, 1 +jessacharlie.com, 1 +jesscharlie.com, 1 +jesseblum.com, 1 +jessebollinger.com, 1 +jessecharley.com, 1 +jessecharli.com, 1 +jessecharlie.com, 1 +jessecharlie.info, 1 +jessecharlie.net, 1 +jessecharlie.org, 1 +jessecharlienaser.com, 1 +jessekaufman.com, 1 +jesseklaver.nl, 1 +jessem.fr, 1 +jessenaser.com, 1 +jessenaser.net, 1 +jessenaser.org, 1 +jesseonline.tk, 1 +jessesjumpingcastles.co.uk, 1 +jessetorrenga.nl, 1 +jessetrebil.com, 1 +jessetrebilfoundationsystems.com, 1 +jessevictors.com, 1 +jessica-weller.de, 1 +jessicabarends.nl, 1 +jessicabenedictus.nl, 0 +jessicaevrard.com, 1 +jessicahrehor.com, 1 +jessicasmith3d.com, 1 +jessicharlie.com, 1 +jessieabraham.tk, 1 +jessiecharlie.com, 1 +jessihod.com, 1 +jessika-atelier.nl, 1 +jesslynfietje.com, 1 +jesspryles.com, 1 +jessycharlie.com, 1 +jesters-court.net, 1 +jestre.org, 1 +jestyc.com, 1 +jesucristo.ga, 1 +jesuisadmin.fr, 1 +jesuisunpapageek.fr, 1 +jesuiszen.fr, 1 +jesus-rock.tk, 1 +jesuscapitan.tk, 1 +jesuscnasistente.com, 1 +jesusda.tk, 1 +jesusdenazaret.com, 1 +jesusnazarenobaena.tk, 1 +jesusplusnothing.com, 1 +jesusthegoodshepherd.org, 1 +jesusvasquez.tk, 1 +jet-lend.ru, 1 +jet.su, 1 +jetable.org, 1 +jetapi.org, 1 +jetbbs.com, 1 +jetcard.co.uk, 1 +jetchartercanada.com, 1 +jetchartereurope.com, 1 +jetcost.com, 1 +jetcraft.tk, 1 +jetdrywallinteriors.com, 1 +jetfirenetworks.com, 1 +jetflex.de, 1 +jethash.io, 1 +jetkittens.co.uk, 1 +jetmirshatri.com, 0 +jetmusic.tk, 1 +jetpack.com.ar, 1 +jetsadabetchoke77.com, 0 +jetsetretiree.com, 1 +jetshare.co.nz, 1 +jetsieswerda.nl, 1 +jetskerijneveld.nl, 1 +jetsome.co, 0 +jetson.tk, 1 +jetstudio.ch, 0 +jettenbommelaer.nl, 1 +jettenjachtbouw.eu, 1 +jettlarue.com, 1 +jettshome.org, 1 +jetular.com, 1 +jetular.net, 1 +jetwhiz.com, 1 +jetzt-elektromobil.de, 1 +jeugdbrandweerbladel.tk, 1 +jeugdclubjia.tk, 1 +jeugdharmonie-geluwe.tk, 1 +jeugdkans.nl, 1 +jeugdraad.gent, 1 +jeurissen.co, 1 +jeuxerotiques.net, 1 +jevalide.ca, 1 +jevel-mag.tk, 1 +jeveuxchoisir.fr, 1 +jevisite.ca, 1 +jewadianmitra.co.id, 1 +jewadvert.ml, 1 +jewaedv.de, 1 +jeweet.net, 0 +jewelcaddesigns.com, 1 +jewellerynet.com, 1 +jewelleryoutlook.com, 1 +jewelry-directories.tk, 1 +jewelrycoverers.ga, 1 +jewishboston.com, 1 +jewishboyscouts.com, 1 +jewishfed.org, 1 +jewishjourneys.org, 1 +jewishmusic.tk, 1 +jewishphilanthropies.org, 1 +jewishphoenix.com, 1 +jewishquotations.com, 1 +jexler.net, 1 +jey-line.de, 1 +jez.nl, 1 +jezebelsromance.com, 1 +jezero.tk, 1 +jezura.cz, 1 +jezzicat.org, 1 +jf-beco.pt, 1 +jf-fotos.de, 1 +jf-igrejanovadosobral.pt, 1 +jf-madalena.tk, 1 +jf886.cc, 1 +jfbst.net, 1 +jfcare.dk, 1 +jfgselbitztal.tk, 1 +jfhr.de, 1 +jfhr.me, 1 +jfjtransport.com, 1 +jfklibrary.gov, 1 +jflmsan.pt, 1 +jfmdevelopment.ml, 1 +jforums.org, 1 +jfr.im, 1 +jfreitag.de, 1 +jfroyalelogistics.com.ng, 1 +jftn.nl, 1 +jftw.org, 1 +jfuturist.com, 1 +jfvaccountants.nl, 1 +jfy.is, 1 +jfy.jp, 1 +jg-cdn.com, 1 +jg-skid.me, 1 +jg-tc.com, 1 +jg078.com, 1 +jgambard.me, 1 +jgc.li, 1 +jgeverest.com, 1 +jgid.de, 1 +jgke.fi, 1 +jgmenterprises.ca, 1 +jgoldbergmd.com, 1 +jgoldgroup.com, 1 +jgomezweb.es, 1 +jgpeterson.com, 1 +jgregory.co.uk, 1 +jgregory.uk, 1 +jgsbrickwork.co.uk, 1 +jgwb.de, 1 +jgwb.eu, 1 +jh-group.net, 1 +jh4.eu, 1 +jhandke.de, 1 +jharnois.com, 1 +jharnois.net, 1 +jhatpatjobs.com, 1 +jhaudio.com, 1 +jhaveri.net, 1 +jhbgroup.nl, 1 +jhburton.co.uk, 1 +jhcommunitysports.co.uk, 1 +jhe.li, 1 +jhenwei.com.tw, 1 +jhfunerals.com.au, 1 +jhill.de, 1 +jhj.jp, 1 +jhmrcm.com, 1 +jhonesmarcos.tk, 1 +jhonmurillo.ml, 1 +jhonnyjose.com.ar, 1 +jhost.gq, 1 +jhuang.me, 1 +jhw3d.com, 1 +jiacl.com, 1 +jiahao.codes, 1 +jiai.cf, 1 +jiai.gq, 1 +jiai.ml, 1 +jiai.tk, 1 +jialiangkang.com, 1 +jiami.dog, 0 +jianbin.wang, 1 +jiangmei.ml, 1 +jiangmen.tk, 1 +jiangshiart.com, 1 +jiangwu.eu, 1 +jianhuo.cf, 1 +jianhuo.ml, 1 +jianny.me, 1 +jianren.cf, 1 +jianren.ml, 1 +jianshebingtuan.com, 1 +jianwei.wang, 1 +jianyu.io, 1 +jianyuan.art, 1 +jianyuan.pro, 1 +jianzhan.com, 1 +jiaoliuben.com, 1 +jiaoyu8.cn, 1 +jiaqiang.vip, 1 +jiatingtrading.com, 1 +jiaty.com, 1 +jiaxitian.com, 1 +jiayi.eu.org, 1 +jiayi.life, 1 +jiazhao.ga, 0 +jibe.com, 1 +jibeapply.com, 1 +jibecdn.com, 1 +jibungoto.jp, 1 +jicaivvip.com, 1 +jichi.io, 1 +jichi.nz, 1 +jiehun.com.cn, 1 +jieshangwei.com, 1 +jieyang2016.com, 1 +jif.gc.ca, 1 +jigidi.com, 1 +jigsawinsurance.com, 1 +jigsawplanet.com, 1 +jiguang.com, 1 +jigyoushoukei.co.jp, 1 +jiheng.tk, 1 +jiid.ga, 1 +jiji.co.ci, 1 +jiji.co.ke, 1 +jiji.co.ma, 1 +jiji.co.rw, 1 +jiji.co.tz, 1 +jiji.com.bd, 1 +jiji.com.et, 1 +jiji.com.gh, 1 +jiji.ke, 1 +jiji.lk, 1 +jiji.ng, 1 +jiji.sn, 1 +jiji.ug, 1 +jijistatic.com, 1 +jikegu.com, 1 +jikei-reha.com, 1 +jikken.de, 0 +jilaninteraktif.tk, 1 +jilking.ga, 1 +jillamy.com, 1 +jillvirus.tk, 1 +jilworldwide.org, 1 +jimautoservice.pl, 1 +jimbeam-welcomesessions.at, 1 +jimbiproducts.com, 1 +jimbosprint.com, 1 +jimbrown.org, 1 +jimbutlerkiaparts.com, 1 +jimcoggeshall.com, 1 +jimconacher.pro, 1 +jimdorf.com, 1 +jime-hlavou.cz, 1 +jimeaton.com, 1 +jimezdrave.cz, 1 +jimfranke.com, 1 +jimfranke.nl, 1 +jimgarrigan.info, 1 +jimgarrigan.nyc, 1 +jiminny.com, 0 +jimisfanvan.nl, 1 +jimizhou.xyz, 1 +jimjh.com, 1 +jimkanabar.fr, 1 +jimkimmel.com, 1 +jimmiestore.com, 1 +jimmycai.com, 1 +jimmycarterlibrary.gov, 1 +jimmycn.com, 1 +jimmydomingo.tk, 1 +jimmykey.com, 0 +jimmynelson.com, 1 +jimmyrickenbacker.com, 1 +jimobbs.tk, 1 +jimpl.com, 1 +jimsheatandcool.com, 1 +jimslop.nl, 1 +jimucho.online, 1 +jimvophotography.tk, 1 +jimwhitesell.com, 1 +jimwoodrealty.com, 1 +jimwoodrealty.help, 1 +jin-design.si, 1 +jinancy.fr, 1 +jinanshen.com, 1 +jinbbq.com, 1 +jinbijin.nl, 1 +jinbo123.com, 0 +jinbowiki.org, 1 +jinbuguo.com, 1 +jinduoduo369.com, 1 +jinduoduo666.com, 1 +jinduoduo888.com, 1 +jinfbmanagement.com, 1 +jing-in.net, 1 +jingbo.fan, 1 +jinglebugs.co.nz, 1 +jingmi.com.tw, 1 +jinhaagency.com, 1 +jinhaagency1.com, 1 +jinja.ai, 1 +jinjafx.io, 1 +jinkou.cf, 1 +jinkou.ga, 1 +jinkou.gq, 1 +jinkou.ml, 1 +jinliming.ml, 1 +jinng.org, 1 +jino.gq, 1 +jinshabu.net, 1 +jintaiyang123.org, 1 +jiogo.com, 1 +jip2011.jp, 1 +jipsnel.nl, 1 +jira.com, 1 +jirehlov.cn, 1 +jirehlov.com, 1 +jiretvariedades.com, 1 +jiri-vincour.cz, 1 +jiriholy.cz, 1 +jirkanch-ayollar.ga, 1 +jirkanch-ayollar.ml, 1 +jisai.net.cn, 1 +jisaudavel.com.br, 1 +jischool.org, 1 +jiserack.com, 1 +jisnashville.gov, 1 +jitendrapatro.me, 1 +jitprod.com, 1 +jitsipatapoe.ddns.net, 0 +jittruckparts.com, 1 +jiudao.com, 1 +jiveinvestments.com, 1 +jix.im, 1 +jixing.one, 1 +jixun.eu, 1 +jixun.moe, 1 +jixun.uk, 1 +jiyou.pw, 0 +jiyuu-ni.com, 1 +jiyuu-ni.net, 1 +jizzoh.com, 1 +jizzoh.net, 1 +jizzoh.org, 1 +jj5197.co, 1 +jj6729.co, 1 +jj6729.com, 0 +jj6957.co, 1 +jj9297.co, 1 +jj9728.co, 1 +jjfxz.com, 1 +jjjj.loan, 1 +jjlandscapedesign.com, 1 +jjlvk.nl, 1 +jjonaws.com, 1 +jjphotographyia.com, 1 +jjsguitarpickups.com, 1 +jjsmaccountants.com, 1 +jjspartyhire.co.uk, 1 +jjsummerboatparty.co.uk, 1 +jjzmaj.tk, 1 +jk-forensics.de, 1 +jk-regeltechnik.de, 1 +jk-rjevka.gq, 1 +jkarteaga.tk, 1 +jkbfabrics.com, 0 +jkessen.de, 1 +jkest.cc, 1 +jkfasham.com.au, 1 +jkg.tw, 1 +jkinteriorspa.com, 1 +jkloli.tk, 1 +jkmoving.com, 0 +jkng.eu, 1 +jkpg-kontoret.se, 1 +jkrippen.com, 1 +jkts.tk, 1 +jktu.cc, 1 +jkuu.org, 1 +jkv-media.cloud, 1 +jkws2.nl, 1 +jkyuan.tk, 1 +jl-dns.eu, 1 +jl-dns.nl, 1 +jl-exchange.nl, 1 +jl-k.com, 1 +jl-mail.nl, 1 +jl-picard.tk, 1 +jlbleakley.com, 1 +jld.paris, 1 +jldrenergysaver.com, 0 +jliu.xyz, 1 +jlkhosting.com, 1 +jlmintegrated.com.au, 1 +jlmirall.es, 1 +jlmunn.com, 1 +jloh.co, 1 +jloh.codes, 1 +jlot.org, 1 +jlpn.eu, 1 +jlpn.nl, 1 +jlponsetto.com, 1 +jlqwer.com, 1 +jlr-luxembourg.com, 1 +jls.idv.tw, 1 +jltcsecuritygroup.com, 1 +jltctech.com, 1 +jlulug.org, 1 +jlwagner.net, 1 +jm73umh.pw, 1 +jm9.co, 1 +jmanalansan.com, 1 +jmango360.com, 1 +jmap.support, 1 +jmarciniak.it, 1 +jmarineau.com, 1 +jmb-jetshades.com, 1 +jmb.lc, 1 +jmbproject.ga, 1 +jmcataffo.com, 1 +jmce.eu, 1 +jmcleaning.services, 1 +jmdekker.it, 1 +jmedesign.tk, 1 +jmedved.com, 1 +jmeno.eu, 1 +jmentertainment.co.uk, 1 +jmf-clan.tk, 1 +jmg3.dynu.net, 1 +jmha.live, 1 +jmisern.com, 1 +jmk.hu, 1 +jmlegrand.com, 1 +jmm.io, 1 +jmn.pl, 1 +jmob.loan, 1 +jmonagas-portfolio.ml, 1 +jmorahan.net, 1 +jmp.chat, 1 +jmpb.hu, 1 +jms8.net, 1 +jmservices.pro, 1 +jmsjms.cc, 1 +jmsjms.me, 1 +jmsjms.org, 1 +jmsjms.xyz, 1 +jmsmarcelo.tk, 1 +jmsolodesigns.com, 1 +jmsquall.tk, 1 +jmssg.jp, 1 +jmstfv.com, 1 +jmsystems.sk, 1 +jmtk.co, 1 +jmtrv.com.co, 1 +jmwsquared.com, 1 +jmy.fyi, 1 +jmzo.nl, 0 +jn1.me, 1 +jncie.eu, 1 +jnewhook.ca, 1 +jng.pt, 1 +jnjdj.com, 1 +jnjpolymer.com, 1 +jnktn.tv, 1 +jnm-art.com, 1 +jnmpainting.co, 1 +jnmusicgroup.com, 1 +jnr-industry.tk, 1 +jns.org, 1 +jnssnfotografie.nl, 1 +jnsz.hu, 1 +jnx.dk, 1 +jo-2016.tk, 1 +jo-jo-koi.tk, 1 +jo3-w3b-d3v.com, 1 +joa-ebert.com, 1 +joa.fr, 1 +joachimvanrossenberg.com, 1 +joanmoreira.tk, 1 +joannechtler.com, 1 +joannekemarchal.nl, 1 +joanofarcmtcarmel.org, 1 +joansoy.com, 1 +joaobautista.com, 0 +joaojunior.com, 1 +joaoorvalho.com, 1 +joaosampaio.com, 1 +joaosampaio.com.br, 1 +joaquimfialfotografia.com, 1 +job-acasa.tk, 1 +job-chocolat.jp, 1 +job-goo.com, 1 +job-jobs.pl, 1 +job-promotion.jp, 1 +job-uber.com, 1 +job.biz.tr, 1 +job2day.com.ua, 1 +jobadx.com, 1 +jobalicious.nl, 1 +jobanzeigen.de, 1 +jobassadeurs.fr, 1 +jobbkk.com, 1 +jobbnorge.no, 1 +jobbsafari.no, 0 +jobbsafari.se, 1 +jobcenter.tk, 1 +jobcie.com, 1 +jobcorps.gov, 1 +jobcorpsy2y.com, 0 +jobers.co.zw, 1 +jobflyapp.com, 0 +jobfresh.ga, 1 +jobfury.com, 1 +jobgenic.com, 1 +jobhouse.jp, 1 +jobie.tk, 1 +jobig.co.il, 1 +jobin.care, 1 +jobindex.dk, 1 +jobit.gr, 1 +joblife.co.za, 1 +joblover.ml, 1 +jobmarkt21.com, 1 +jobnas.com, 1 +joboutlook.gov.au, 1 +jobrus.ga, 1 +jobrus.ml, 1 +jobs-in-the-middle-east.tk, 1 +jobs-it.tk, 1 +jobs.gov.scot, 1 +jobs.schwarz, 1 +jobs.su, 1 +jobs.ua, 1 +jobs4sales.ch, 1 +jobsboard24.com, 1 +jobscan.co, 1 +jobsconnected.com, 1 +jobscore.com, 1 +jobscout24.ch, 1 +jobseeker.com, 1 +jobseekeritalia.it, 1 +jobsindemedia.nl, 1 +jobsineachstate.com, 1 +jobsisbrown.com, 1 +jobsjj.com, 1 +jobskilled.co.za, 1 +jobsknowlgee.tk, 1 +jobsmali.ml, 1 +jobsmarthasvineyard.com, 1 +jobsmnc.co.id, 1 +jobsnearme.london, 1 +jobsoid.com, 1 +jobsportalbookmarking.tk, 1 +jobsuchmaschine.ch, 1 +jobtools.tk, 1 +jobtread.com, 1 +jobulk.com, 1 +joburgplumbing.co.za, 1 +jobwinner.ch, 1 +jobynet.tk, 1 +jobzcorner.tk, 1 +jocafil.com, 1 +jocata.com, 1 +jocelynjenkins.com, 1 +jochem.cc, 1 +jochem.sh, 1 +jock2go.eu, 1 +jockbusuttil.co.uk, 1 +jockbusuttil.com, 1 +jockbusuttil.uk, 1 +jocomo.gov, 1 +jocuri-noi.tk, 1 +jocurionline.eu, 1 +jodaniels.photography, 1 +jodaviesscountyil.gov, 1 +jodlajodla.si, 1 +jodyboucher.com, 0 +joe-st.de, 1 +joe262.com, 1 +joearodriguez.com, 1 +joecod.es, 1 +joed.tk, 1 +joedavison.me, 1 +joedeblasio.com, 1 +joedight.net, 1 +joedoyle.us, 1 +joedroll.com, 1 +joefixit.co, 1 +joefixit.co.uk, 1 +joehenry.co.uk, 1 +joejacobs.me, 1 +joel-mayer.de, 1 +joel.coffee, 1 +joelandersen.me, 1 +joelbodmer.com, 1 +joelengel.com, 1 +joelfries.com, 1 +joelgugler.com, 1 +joelito.tk, 1 +joelj.org, 1 +joelkoen.com, 1 +joelle.me, 1 +joelleandpeter.co.uk, 1 +joelleisthatbitch.tk, 1 +joellev.nl, 1 +joellimberg.com, 1 +joellombardo.com, 0 +joelmunch.com, 1 +joelving.dk, 0 +joeon.systems, 1 +joepitt.co.uk, 0 +joerg-wellpott.de, 1 +joergschneider.com, 1 +joerss.at, 1 +joeseago.com, 0 +joeshare.info, 1 +joeshimkus.com, 1 +joeskup.com, 1 +joesmotorpool.fr, 1 +joesniderman.com, 1 +joesniderman.net, 1 +joesniderman.org, 1 +joespaintingpgh.com, 1 +joeteach.us, 1 +joettecalabrese.com, 1 +joetyson.io, 1 +joetyson.me, 1 +joeyfelix.com, 1 +joeyhoer.com, 1 +joeysglassbaytown.com, 1 +joeysmith.com, 0 +joeyvanvenrooij.nl, 1 +joeyvilaro.com, 1 +jofel-kinderkleding.tk, 1 +jofogas.hu, 1 +jogg.nl, 1 +joggers.tk, 1 +joggingtips.ga, 1 +jogi-server.de, 1 +jogjacar.com, 1 +jogjakarta.tk, 1 +joglopark.com, 1 +jogorama.com.br, 0 +jogosdeanimais.org, 1 +jogosecodes.com, 0 +jogosfutebolhoje.pt, 1 +jogoshoje.com, 1 +jogoshoje.io, 0 +jogwitz.de, 1 +johan-koffeman.tk, 1 +johanaskalova.cz, 1 +johand.io, 1 +johanlog.com, 1 +johann.tk, 1 +johanna-besmier.fr, 1 +johanna.gallery, 1 +johannabest.com, 1 +johannaojanen.com, 1 +johannavarmala.fi, 1 +johannes-bauer.com, 1 +johannes-schaefer.de, 1 +johannes-sprink.de, 0 +johannes-zinke.de, 1 +johannes.io, 1 +johannes.wtf, 1 +johannesen.tv, 1 +johannfritsche.de, 1 +johanpeeters.com, 1 +johansf.tech, 0 +johego.org, 1 +johlmike.com, 1 +john2point0.com, 1 +johnabraham.net, 1 +johnangellgrant.com, 1 +johnathanhasty.com, 1 +johnball.co, 1 +johnbeerens.com, 1 +johnbeil.com, 1 +johnblackbourn.com, 1 +johnblotsky.tk, 1 +johncam.tk, 1 +johncleary.me, 1 +johncook.co.uk, 1 +johncook.ltd.uk, 1 +johndball.co, 1 +johndball.com, 1 +johndball.info, 1 +johndball.net, 1 +johndball.org, 1 +johndeisher.com, 1 +johndonmoyer.com, 1 +johnex.se, 1 +johnfulgenzi.com, 1 +johngmchenrymd.com, 1 +johngreatwood.com, 1 +johnhenderson-god.com, 1 +johniii.co, 1 +johninwood.com, 1 +johnjayro.com, 1 +johnjohnsons.tk, 1 +johnkastler.net, 1 +johnkraal.com, 1 +johnlewis.com, 1 +johnload.tk, 1 +johnmac.cn, 1 +johnmalloneemd.com, 0 +johnmcc.net, 1 +johnmcintosh.pro, 1 +johnmellison.com, 1 +johnmichel.org, 1 +johnmillerdesign.com, 0 +johnmirenda.com, 1 +johnno.be, 1 +johnnybegood.tk, 1 +johnnybet.com, 1 +johnnybsecure.com, 1 +johnnydoe.tk, 1 +johnnyofans.com, 1 +johnnysandaire.com, 1 +johnocallaghan.tk, 1 +johnocera.com, 1 +johnopdenakker.com, 1 +johnroberts.me, 1 +johnrockefeller.net, 1 +johnrosen.xyz, 1 +johnrosen1.com, 1 +johnrosewicz.com, 1 +johnscottcbe.com, 1 +johnshopkinssolutions.com, 1 +johnsoncowy.gov, 1 +johnsongenealogy.net, 1 +johnsonho.net, 1 +johnsonroofingltd.co.nz, 1 +johnsons.tk, 1 +johnsonsca.com, 1 +johnsonsuk.com, 1 +johnspion.tk, 1 +johnstownpa.gov, 1 +johnstownrockcowi.gov, 1 +johnswarbrick.com, 1 +johnthenerd.com, 1 +johntomasowa.com, 1 +johntrujillomd.com, 1 +johnvanhese.nl, 1 +johnwinter.tk, 1 +johny.tv, 1 +johnyytb.be, 1 +johutha.ch, 1 +joi-dhl.ch, 0 +join-aomori.jp, 1 +join.com, 1 +joinamericacorps.gov, 1 +joinamericorps.gov, 1 +joincahoot.com, 1 +joinclyde.com, 1 +joindiaspora.com, 1 +joinentre.com, 1 +joinet.com, 1 +joinfear.tk, 1 +joingy.com, 1 +joingy.net, 1 +joingy.org, 1 +joinmobilizon.org, 1 +joinpeertube.org, 1 +jointherlworld.com, 1 +jointheunseen.com, 1 +jointotem.com, 1 +jointsache.com, 1 +joinus-outfits.nl, 1 +joj.sk, 1 +jojo-kiss.com, 1 +jojo-pieism.tk, 1 +jokateszunk.hu, 1 +jokedalderup.nl, 1 +jokerme.com, 1 +jokersro.tk, 1 +jokertv.ovh, 1 +jokesbykids.com, 1 +jokewignand.nl, 1 +joksara.tk, 1 +jolette-hernandez.tk, 1 +joletteperu.tk, 1 +jolienoir.net, 1 +joliet.gov, 1 +joliettech.com, 1 +jolihi.de, 1 +joline.me, 1 +jolinebrussel.nl, 1 +jollausers.de, 1 +jolle.io, 1 +jollyfun.tk, 1 +jollygoodspudz.ca, 1 +jollykidswobbleworld.co.uk, 1 +jollytotschildminder.com, 1 +jollytur.com, 1 +jolo.software, 1 +jolokia.ch, 1 +jomactransport.com, 1 +jomagus.de, 1 +jomibe.de, 1 +jomjohor.my, 1 +jomla.ae, 1 +jomo.tv, 1 +jomsolat.tk, 1 +jonadamich.tk, 1 +jonaharagon.com, 1 +jonahburke.com, 1 +jonahperez.com, 1 +jonahtheprophet.tk, 1 +jonandnoraswedding.com, 1 +jonark.co, 1 +jonas-thelemann.de, 1 +jonas.me, 0 +jonasberger.com, 1 +jonasbrothers-la-jonaticas.tk, 1 +jonasdiego.tk, 1 +jonasgregersen.com, 1 +jonasgroth.se, 0 +jonasherkel.de, 1 +jonaskarlssonfoto.se, 1 +jonaskjodt.com, 1 +jonaskoeritz.de, 1 +jonaskruckenberg.de, 0 +jonaslovatouniverse.tk, 1 +jonasvdc.info, 1 +jonasvildmark.com, 1 +jonaswitmer.ch, 1 +jonatan.gq, 1 +jonathan-apps.com, 1 +jonathan-himmelreich.de, 1 +jonathancarter.org, 1 +jonathandaleswindle.com, 1 +jonathandowning.uk, 0 +jonathanisaac.com, 1 +jonathanlara.com, 1 +jonathanmassacand.ch, 1 +jonathanrobichaud.ca, 1 +jonathanrys.com, 1 +jonathansanchez.pro, 1 +jonathansomoza.it, 1 +jonathanwisdom.com, 1 +jonba.tk, 1 +jonbarron.cf, 1 +jonblankenship.com, 1 +jondarby.com, 1 +jondevin.com, 1 +jondowdle.com, 0 +jonesborostatebank.com, 0 +jonescountyiowa.gov, 1 +jonescountyiowaelections.gov, 1 +jonescreektx.gov, 1 +jonesfor.men, 1 +joneslymma.com, 1 +jonesopolis.xyz, 1 +jonestowntx.gov, 1 +jonestrading.com, 1 +jonferwerda.net, 1 +jonfor.net, 1 +jong030.nl, 1 +jongbloed.nl, 1 +jongcaxent.tk, 1 +jongenstromp.tk, 1 +jongenwijs.gent, 1 +jongerenkring.tk, 1 +jongpay.com, 1 +jongtonghapkido.tk, 1 +jonilar.com, 1 +jonin.tk, 1 +jonin2.tk, 1 +jonincharacter.com, 1 +jonipuhakka.fi, 1 +jonizatorywody24.pl, 1 +jonkerkamman.tk, 1 +jonkermedia.nl, 0 +jonkpl.com, 1 +jonlabelle.com, 1 +jonlu.ca, 1 +jonnasbeauty.com, 1 +jonnichols.info, 1 +jonny5.ru, 1 +jonnybarnes.uk, 1 +jonnyflash.tk, 1 +jonnygreenwood.tk, 1 +jonoalderson.com, 1 +jonohewitt.com, 1 +jonola.com, 1 +jonpavelich.com, 1 +jons.org, 1 +jonscaife.com, 1 +jonsey.co, 1 +jonshelton.com, 1 +jonslife.tk, 1 +jonssheds.com, 1 +jonstar.tk, 1 +jony.tk, 1 +joo.ru, 1 +joodari.fi, 1 +joogle.at, 1 +jooksuratas.ee, 1 +jooli.tk, 1 +joom.com, 1 +joomag.com, 1 +joomanji.fr, 1 +joomearaweb.tk, 1 +joomla-leipzig.com, 1 +joomladeveloper.ru, 1 +joomlaguru.pl, 1 +joompress.biz, 1 +joona.pw, 1 +joonstudios.com, 1 +joopzy.com, 1 +joorshin.ir, 1 +joostdeheer.nl, 1 +joostmaglev.nl, 1 +joostvanderlaan.nl, 1 +jootshop.ga, 1 +joovy.com, 1 +jopestkil.com, 0 +jophson.tk, 1 +joqi4.gq, 1 +joran.org, 1 +jorcus.com, 1 +jordan-armstrong.tk, 1 +jordan-collector.tk, 1 +jordan-jungk.de, 1 +jordancards.com, 1 +jordandevelopment.com, 1 +jordanhamilton.me, 1 +jordanlys.com, 1 +jordanmetal.tk, 1 +jordanmlu.nl, 1 +jordannight.net, 1 +jordanp.engineer, 1 +jordanpark.com, 0 +jordanprice.ml, 1 +jordanprogrammer.tk, 1 +jordans.co.uk, 1 +jordanscorporatelaw.com, 1 +jordansfiles.tk, 1 +jordansmovies.tk, 1 +jordansrequests.tk, 1 +jordanstrustcompany.com, 1 +jordhy.com, 1 +jordibelgraver.email, 1 +jordibelgraver.eu, 1 +jordibelgraver.xyz, 1 +jordioller.com, 1 +jordjord.com, 1 +jorexenterprise.com, 1 +jorgelopezorquesta.tk, 1 +jorgemarquez.es, 1 +jorgenegrete.tk, 1 +jorgenson-peninsula.com, 1 +jorisdalderup.nl, 1 +joriz.tk, 1 +jormulti.tk, 1 +jornadahypera.com.br, 1 +jornalalerta.com.br, 1 +jornalaquidf.com.br, 1 +jornalero.tk, 1 +jornes.com, 0 +jorsev.com, 1 +jos-verstappen-fan.tk, 1 +josaa.nic.in, 1 +josannedesign.tk, 1 +josc.com.au, 1 +joscares.com, 1 +jose-alexand.re, 1 +jose-latino.tk, 1 +jose-lesson.com, 1 +jose-manuel-benito-alvarez.tk, 1 +josebernabe.ch, 1 +joseenriquegonzalez.tk, 1 +joseetesser.nl, 1 +josef-lotz.de, 1 +josefernandomorilloardila.tk, 1 +josefinagrau.tk, 1 +josefjanosec.com, 1 +joseflegal.com, 1 +josefottosson.se, 1 +josefranca.pt, 0 +josejorques.tk, 1 +joseluisberrocal.tk, 1 +josemariavazquez.com, 1 +josenastrid.tk, 1 +josepbel.com, 1 +josephalexander.media, 1 +josephanthony.tk, 1 +josephbleroy.com, 1 +josephcz.com, 1 +josephcz.win, 0 +josephcz.xyz, 1 +josephmarino.net, 1 +josephpinder.com, 1 +josephsniderman.com, 1 +josephsniderman.net, 1 +josephsniderman.org, 1 +josephv.website, 1 +josephwright.co.uk, 1 +josephziegler.com, 0 +joserafaelsosa.tk, 1 +joserecetas.com, 1 +josericaurte.com, 1 +josestiller.de, 1 +joseventos.com, 1 +josh-goodrich.com, 1 +josh.life, 1 +joshanders.com, 1 +joshbyrne.com.au, 1 +joshcaluette.com, 1 +joshdiamant.com, 1 +joshfoley.co.uk, 1 +joshgroban.tk, 1 +joshharmon.me, 1 +joshhoffer.com, 1 +joshimedical.com, 1 +joshking.com, 1 +joshlovephotography.co.uk, 1 +joshparker.blog, 1 +joshparker.uk, 1 +joshrickert.com, 1 +joshruppe.com, 1 +joshs.domains, 1 +joshs.guide, 1 +joshs.photos, 1 +joshschmelzle.com, 1 +joshspage.ltd, 1 +joshspage.ltd.uk, 1 +joshspage.uk, 1 +joshthewanderer.com, 1 +joshu.am, 1 +joshua-kuepper.de, 1 +joshua.law, 1 +joshuadiamant.com, 1 +joshuagoss.com, 1 +joshuajohnson.ca, 1 +joshuamessick.com, 1 +joshuanishimura.xyz, 1 +joshuaschmitt.us, 1 +joshuastock.net, 1 +joshygeo.tk, 1 +josiekellys.com, 1 +josiemccoy.co.uk, 1 +josien.fr, 1 +josien.net, 1 +josineto.art, 1 +josipovicstevo.tk, 1 +josisummer.net, 1 +josmith.co.za, 1 +joso.tk, 1 +josoansi.de, 1 +josprox.ovh, 0 +jostle.us, 1 +josuekula.com, 1 +josueteconecta.mx, 1 +josvir.sytes.net, 1 +jot.works, 1 +jotbe.io, 1 +jotes-creations.de, 1 +jotoho.de, 1 +jotoma.de, 1 +joubinkhorsandmd.com, 1 +jouetspetitechanson.com, 1 +jouleperformance.ch, 0 +jouleperformance.de, 0 +jouonline.nl, 1 +jouons-aux-echecs.be, 1 +jourbook.cf, 1 +jourdain.pro, 1 +jourdespa.fr, 1 +journaldesvoisins.com, 0 +journaldufumeur.ch, 1 +journales.com, 1 +journalgameers.ga, 1 +journalgameest.ga, 1 +journalism-schools.com, 1 +journalism.org, 1 +journaliste.tk, 1 +journalisticapp.com, 1 +journalnow.com, 1 +journals.ru, 1 +journalstar.com, 1 +journaltimes.com, 1 +journaway.com, 1 +journeedesfilles.gc.ca, 1 +journey.study, 1 +journeyfriday.rocks, 1 +journeying.ca, 1 +journeyofmymothersson.com, 1 +journeyrent.com, 1 +journeytofi.com, 1 +journeytomastery.net, 1 +joustsec.com, 1 +jouw-job.nl, 1 +jouwbuis.nl, 1 +jouwpaardenbak.nl, 1 +jouwsongteksten.tk, 1 +jouwzorgjob.be, 1 +jovanmarkovic.ga, 1 +jovenescontraelaburrimiento.tk, 1 +jovic.hamburg, 1 +jovisa.com.tw, 1 +joweb.co, 1 +jowm-jo.com, 1 +joworld.net, 0 +joy-ride.yokohama, 1 +joyas.gt, 0 +joybuggy.com, 1 +joyce.tk, 1 +joycejamiewedding.com, 1 +joycemachine.com, 1 +joychetry.com, 1 +joycosmetics.ch, 1 +joydivision.tk, 1 +joydream.tk, 1 +joyfulevents.tk, 1 +joyfulhealthyeats.com, 1 +joyinteractive.tk, 1 +joyinverse.com, 1 +joyjohnston.ca, 0 +joymaxiptv.com, 1 +joymepass.com, 1 +joyouscare.co.uk, 1 +joyousisle.com, 1 +joyqi.com, 1 +joysinventingblog.com, 1 +joystickblog.tk, 1 +jozefjabczun.com, 1 +jozefkvasnica.tk, 1 +jozefmichalmintal.com, 1 +jozefmutis.com, 1 +jozefmutis.sk, 1 +jp.kg, 1 +jp.md, 1 +jp404.com, 1 +jpan007.com, 1 +jpanetta.tk, 1 +jparts.su, 1 +jpaudio.org, 1 +jpbe-network.de, 1 +jpbe.de, 1 +jpc-design.com, 1 +jpcases.com.au, 1 +jpcorriganlaw.com, 1 +jpcrochetapparel.com, 1 +jpdineroasi.com, 1 +jpeg.io, 1 +jpegd.io, 1 +jpekkala.com, 1 +jperformance.nl, 1 +jpg.am, 1 +jpg.fr, 1 +jpgangbang.com, 1 +jpgtopdfc.com, 1 +jphev.de, 1 +jphost.ml, 1 +jpilan.com, 1 +jpinfo.tk, 1 +jpixta.com, 1 +jplennard.com, 1 +jpmelos.com, 1 +jpmelos.com.br, 1 +jpmguitarshop.com.br, 1 +jpngamerswiki.com, 1 +jpope.org, 1 +jppc.net, 1 +jppcadvertising.com, 1 +jpph.org, 0 +jpr.io, 1 +jpralves.net, 1 +jpram.net, 1 +jproducts.nl, 1 +jproxx.com, 1 +jps-selection.co.uk, 1 +jps-selection.com, 1 +jps-selection.eu, 1 +jpshop.ru, 1 +jpsinflatables.co.uk, 1 +jpst.it, 1 +jpvermogensregie.com, 1 +jpvfinanceira.net, 1 +jpvisual.com, 1 +jqlin.com, 1 +jqlsql.com, 1 +jqpowerwash.com, 1 +jqrecycling.com, 1 +jquery.wtf, 1 +jr-signalisation.fr, 1 +jr5devdoug.xyz, 1 +jr5devdouglas.xyz, 1 +jr5proxdoug.xyz, 1 +jrabasco.me, 1 +jrbv.nl, 1 +jrc.cz, 1 +jrc9.ca, 0 +jrchaseify.xyz, 1 +jreb.nl, 1 +jredmond.io, 1 +jreiff.de, 1 +jreinert.com, 1 +jrflorian.com, 1 +jrfortune.com, 1 +jrjuristen.nl, 0 +jrlopezoficial.com, 1 +jrmora.com, 0 +jrnlz.me, 1 +jrock.tk, 1 +jrock.us, 1 +jross.me, 1 +jrroofinglancs.co.uk, 1 +jrrw.de, 1 +jrstehlik.com, 1 +jrstehlik.cz, 1 +jrt.ovh, 1 +jrtapsell.co.uk, 1 +jrtransportedemotos.com.br, 1 +jrucomsoc.tk, 1 +jrulka.ru, 1 +jrwebb.co.nz, 1 +jrwu.win, 1 +jrxpress.com, 1 +jrzapis.com, 1 +jrzhong.com, 1 +jrzid.com, 1 +jrzly.com, 1 +js-web.eu, 1 +js-webcoding.de, 1 +js5203344.com, 1 +js6868.cc, 1 +js86.de, 0 +js889.com, 1 +js93029.com, 1 +jsautomation.co.za, 1 +jsbentertainment.nl, 1 +jsberrylaw.com, 1 +jsbevents.nl, 1 +jsblights.nl, 1 +jsc.mx, 1 +jschumacher.info, 1 +jscsshtml.com, 1 +jsd-aach.de, 1 +jsd-cog.org, 1 +jsdelivr.com, 1 +jsdelivr.net, 1 +jsdesign.mx, 1 +jsdt.ca, 1 +jselby.net, 1 +jsem.fun, 1 +jsemonjr.tech, 1 +jsfloydlaw.com, 0 +jsg.hk, 1 +jsgr.ca, 1 +jsh918.com, 1 +jsidefox.de, 1 +jsjfact.com, 1 +jsjohnsononline.com, 1 +jsjs.net, 1 +jsk26.ru, 1 +jskier.com, 1 +jslots.dk, 1 +jsme.cz, 1 +jsme.fun, 1 +jsn.one, 1 +jsnfwlr.com, 0 +jsnfwlr.io, 0 +jso-crescendo.ch, 1 +json.download, 1 +json.id, 0 +jsonsinc.com, 1 +jsonvalidator.tk, 1 +jsourcery.com, 1 +jsp-cloud.de, 1 +jspartnersinc.com, 1 +jsphys.org.cn, 1 +jspp2023.jp, 1 +jsproxy.tk, 0 +jsre-kinki.jp, 1 +jss6868.cc, 1 +jstanleyasphaltpaving.com, 1 +jstarlab.com, 1 +jsteward.moe, 1 +jstore.ch, 1 +jsvr.tk, 0 +jswebbdevelopment.com, 1 +jswn9945.xyz, 1 +jsx.jp, 1 +jsxc.ch, 1 +jt-evolution.tk, 1 +jtafla.com, 1 +jtcat.com, 1 +jtconsultancy.sg, 1 +jtech.com.br, 1 +jtfew.co.uk, 1 +jtkconstructiongroup.com, 1 +jtl-connect.de, 1 +jtl-connector.de, 1 +jtl-fulfillment.com, 1 +jtl-pos.com, 1 +jtl-software.com, 1 +jtl-software.de, 1 +jtl-url.de, 1 +jtmagen.com, 0 +jtownacademy.com, 1 +jtp.id, 1 +jtrocinski.com, 1 +jtrojanowska.pl, 1 +jts3servermod.com, 1 +jttech.se, 1 +jtxdev.my.id, 1 +jtxmail.org, 1 +jtxserver.xyz, 1 +ju-edu.tk, 1 +ju-rex.eu, 1 +juabcounty.gov, 1 +jualkambing.tk, 1 +juancadc.es, 1 +juancamos.com, 1 +juancarlosflores.tk, 1 +juancarlosgalvez.tk, 1 +juancarlosllaque.com, 1 +juancatalangomez.es, 1 +juanfrancisco.tech, 1 +juanherranz.com, 1 +juanhub.com, 1 +juanitia.com, 1 +juanitofatas.com, 1 +juanjomontecinos.tk, 1 +juanmanuel.tk, 1 +juanmapauso.tk, 1 +juanmasuarez.tk, 1 +juanmazzetti.com, 1 +juanmoreno.tk, 1 +juanpena.tk, 1 +juanrodriguezofficial.tk, 1 +juansebastianveron.tk, 1 +juanxt.ddns.net, 1 +jub0bs.com, 1 +jubelmart.ga, 1 +jubileum.online, 0 +jucca-nautica.si, 1 +jucelo.de, 1 +jucktehkeinen.de, 1 +jucocauca.tk, 1 +jucyhotel.com.au, 1 +jucyhotels.com.au, 1 +judc-ge.ch, 1 +jude.eu.org, 1 +judge.ga, 1 +judge.tk, 1 +judge2020.com, 1 +judgeball.com, 1 +judi-online.ga, 1 +judi.ga, 1 +judi.tk, 1 +judiciary.gov.ph, 1 +judidominokiukiu.ga, 1 +judidominokiukiu.ml, 1 +judithsargentini.nl, 1 +judo2point0.com, 1 +judobasicsers.ga, 1 +judobasicsest.ga, 1 +judobreda.nl, 1 +judochaters.ga, 1 +judochatest.ga, 1 +judoprodeti.cz, 1 +judosaintdenis.fr, 1 +judybai.me, 1 +judykatura.pl, 1 +juegosycodigos.mx, 1 +juejin.com, 1 +juergaperu.tk, 1 +juergen.tk, 1 +juergenklieber.de, 1 +juergenspecht.com, 1 +juergenspecht.de, 1 +juergmeier.ch, 1 +jufem.tk, 1 +jugendfeuerwehr-vechta.de, 1 +jugendforum-schaafheim.de, 1 +jugendhackt.org, 1 +jugendpresse-hessen.de, 1 +jugendpresse.de, 1 +jugendsuenden.info, 1 +jugh.de, 1 +jugoncalv.es, 1 +jugwallonie.be, 1 +juhakoho.com, 1 +juhanihakala.fi, 1 +juhosaastamoinen.com, 1 +juhosaastamoinen.fi, 1 +juhosaastamoinen.net, 1 +juice.cf, 1 +juice.codes, 1 +juicebox.com.au, 1 +juicipattiesfranchising.com, 1 +juicycrones.org.uk, 1 +juicydesigns.co.za, 1 +juicyforum.com, 1 +jujutsuoulu.fi, 1 +jujuygrafico.com.ar, 1 +jukebox-manuals.tk, 1 +jukkakivi.fi, 1 +jukkakivimaki.fi, 1 +jukovka.tk, 1 +juku-wing.jp, 1 +julb.de, 1 +julditec.com, 1 +jule-spil.dk, 1 +julenetxaniz.eus, 1 +julenlanda.com, 0 +julesfrans.be, 1 +julesmiddleton.art, 1 +julesroovers.nl, 1 +julia-clarete.tk, 1 +julia-jones.org, 1 +julia-spriggs.fr, 1 +julia.school, 1 +juliahub.com, 1 +juliajuice.net, 1 +juliakieser.de, 1 +julian-miller.de, 1 +julian-post.de, 0 +julian-uphoff.de, 1 +julian-weigle.de, 1 +julian.tech, 1 +julianaedouglas.ga, 1 +julianatoma.com.br, 1 +julianbarske.de, 1 +julianbh.com, 1 +julianbroadway.com, 1 +julianestrada.es, 1 +juliangonggrijp.com, 1 +juliangramajo.tk, 1 +julianickel.de, 1 +juliankraemer.de, 1 +julianmathis.de, 1 +julianmeyer.de, 1 +julianmontague.io, 1 +julianozucare.tk, 1 +juliansimioni.com, 1 +julianskitchen.ch, 0 +julianvmodesto.com, 1 +julianwallmeroth.de, 1 +julianweigle.de, 1 +julianxhokaxhiu.com, 1 +juliaoantiguidades.com.br, 1 +julias.zone, 1 +juliasugar.net, 1 +juliawebber.co.za, 1 +juliazeengardendesign.co.uk, 1 +julibear.com, 1 +julie-and-stevens-wedding.com, 1 +juliedecubber.com, 1 +juliekoubova.com, 1 +juliekoubova.cz, 1 +juliekoubova.name, 1 +juliekoubova.net, 1 +juliekproperties.com, 1 +juliemaurel.fr, 1 +julien-demare.com, 1 +julien-noyelle.com, 1 +julien.expert, 1 +julienc.io, 1 +juliendoco.com, 1 +julienmotheron.tk, 1 +julienpaterne.com, 0 +juliens.tk, 1 +julienschmidt.com, 1 +julienstalder.ch, 0 +julientartarin.com, 1 +juliepetit.com, 1 +julier.com.br, 1 +julieskitchensf.com, 1 +julieskyhigh.net, 1 +juliet-squad.tk, 1 +julietous.be, 1 +julietta-sanchez.org, 1 +juliettesinteriors.co.uk, 1 +julio.jamil.nom.br, 1 +juliofreitas.com, 1 +juliohernandezgt.com, 1 +juliusklein.tk, 1 +jullensgroningen.com, 1 +julm.de, 1 +julmer.tk, 1 +juls.cloud, 0 +jult.net, 0 +jultube.de, 1 +july52.ru, 1 +jumardotaekwondo.tk, 1 +jumbo-air.de, 1 +jumbopan.net, 1 +jumbopeters.tk, 1 +jumbster.com, 0 +jumeirashoes.com, 1 +jumelagevezin-vezins.tk, 1 +jumellesvision.fr, 1 +jumibow.com, 1 +jumio.com, 1 +jummedia.com.au, 1 +jump4funinflatables.co.uk, 1 +jumpalitan.tk, 1 +jumpandbounce.co.uk, 1 +jumpandjivechildrensparties.co.uk, 1 +jumparoundbouncycastles.co.uk, 1 +jumparty.co.uk, 1 +jumpbuttonnorth.com, 1 +jumpeasy.com.au, 1 +jumperke.be, 1 +jumperweb.tk, 1 +jumping4all.com, 1 +jumping4all.info, 1 +jumping4all.nl, 1 +jumpingcastlesonline.com.au, 1 +jumpingdeliege-vip.be, 1 +jumpingforall.com, 1 +jumpingforall.nl, 1 +jumpingjacksbouncycastles.co.uk, 1 +jumpintogreenerpastures.com, 1 +jumpman-iphone-design.de, 1 +jumpnplay.co.uk, 1 +jumpnplay.com.au, 1 +jumprun.com, 1 +jumpseller.cl, 1 +jumpseller.com, 1 +jumpstartuat.co.za, 1 +jun-e-jay.com, 1 +junbread.win, 1 +junco.nl, 1 +junctioncitywisconsin.gov, 1 +jundongwu.com, 0 +juneau.gov, 1 +juneaucountywi.gov, 1 +junebo.net, 1 +junebo.nu, 1 +junebo.se, 1 +juneereccentre.com.au, 1 +junefolkhogskola.se, 1 +juneis.dog, 1 +junethack.net, 1 +junfk.shop, 1 +junge-linke.tk, 1 +jungefreiheit.de, 1 +jungelinke.tk, 1 +junger-chor-marienburg.de, 1 +junggesellmuc.de, 1 +junglaurbana.tk, 1 +jungle-forums.tk, 1 +jungleducks.ca, 0 +junglejackscastles.co.uk, 1 +junglelab.io, 1 +junglememories.co.uk, 1 +jungleworks.com, 1 +junglist.org, 1 +jungschuetzen.tk, 1 +jungundwild-design.de, 1 +jungyonghwa.tk, 1 +juniet.net, 1 +juniku.tk, 1 +juniorchamber.international, 1 +juniorhandball.com, 0 +juniornasim.cf, 1 +juniorsambo.tk, 1 +juniorsbook.com, 1 +juniorsplanet.in, 1 +juniperroots.ca, 1 +junix.systems, 1 +junjie.pro, 1 +junjun-web.net, 0 +junk-bear.com, 1 +junkcarbin.com, 1 +junkcarboys.ca, 1 +junkdrome.org, 0 +junkersparadise.tk, 1 +junkfoodcafe.com, 1 +junkguy.tk, 1 +junkiedownload.tk, 1 +junkracing.tk, 1 +junksleep.com, 1 +junktojewels.com.au, 1 +junkyardtuning.tk, 1 +junlyu.org, 1 +junomessenger.cf, 1 +junshinkai.ed.jp, 1 +junte.tk, 1 +juntos.gov, 1 +juntosfmc.com.br, 1 +junyan.ga, 1 +junyangz.com, 1 +junyu33.me, 1 +juozasveza.lt, 1 +jupiteram.com, 1 +jupiterfy.com, 1 +juppy.tk, 1 +jura-reiseschutz.de, 1 +jura-versicherungen.de, 1 +juragan.ga, 1 +juraganhp.com, 1 +juragantembakau.com, 1 +jurancic.com, 1 +jurassicbarkharrogate.co.uk, 1 +jurassicworldfilmen.cf, 1 +jurat.online, 1 +jurcic-prpic.hr, 1 +jurena.sk, 1 +jurex-cup.cz, 1 +jurex.cz, 1 +jurexcup.cz, 1 +jurgenfranse.nl, 1 +jurgens.tk, 1 +jurgis.tk, 1 +jurislex.tk, 1 +jurisprudentacedo.com, 1 +jurist-website.de, 1 +jurist.gq, 1 +juristech.io, 1 +juristique.fr, 1 +juristique.info, 1 +juristique.org, 1 +juristique.us, 1 +jurjendevries.com, 0 +jurkomp.ru, 1 +jurnalfm.md, 1 +jurnalilmiah.com, 1 +jurposluga.tk, 1 +jurquestion.tk, 1 +jurriaan.ninja, 1 +jusfitness.com.au, 1 +jusha.cz, 1 +juspay.in, 1 +jusquauxdents.tk, 1 +just-a-clanpage.de, 1 +just-bees.de, 1 +just-heberg.fr, 1 +just-keep-swimming.tk, 1 +just-muh.de, 1 +just-pools.co.za, 1 +just-vet-and-drive.fr, 1 +just-webdesign-berlin.de, 1 +just.nl, 1 +just3preety.com, 1 +just6f.com, 1 +justacoupleofclarkes.co.uk, 1 +justacrazygirl.com, 1 +justanorganizedhome.com, 1 +justanothercompany.name, 1 +justanotherday.tk, 1 +justasdelish.com, 1 +justbelieverecoverypa.com, 1 +justbooktransfers.com, 0 +justboom.co, 1 +justbraces.com.sg, 1 +justbydesign.com, 1 +justcall.io, 1 +justcalm.tk, 1 +justcams.tv, 1 +justchunks.net, 1 +justement.ch, 1 +justf.tk, 1 +justfencingcheshire.co.uk, 1 +justfoodfordogs.com, 1 +justformen.org, 1 +justforschools.co.uk, 1 +justforsunn.com, 1 +justfresh.com, 1 +justfunerals.co.nz, 1 +justgalak.com, 1 +justgalak.org, 1 +justgamblers.com, 1 +justgardenoffices.co.uk, 1 +justgayvideo.com, 1 +justgiving.co.uk, 1 +justgiving.com, 1 +justgiving.io, 1 +justgiving.nl, 1 +justgiving.services, 1 +justice-rains-from-above.tk, 1 +justice.gc.ca, 1 +justice.gov, 1 +justice4amy.org, 1 +justice4chris.org, 1 +justiceforjameela.org, 1 +justifinetwork.com, 1 +justifyloans.com, 1 +justin-p.me, 1 +justin-tech.com, 1 +justin3d.nl, 1 +justindianporn.me, 1 +justinellingwood.com, 1 +justinfreid.com, 1 +justinho.com, 1 +justinmanders.nl, 1 +justinritter.de, 1 +justinsinkula.com, 1 +justinstago.com, 1 +justinstandring.com, 1 +justkidsdental.com, 1 +justknigi.gq, 1 +justlovecoffeefranchise.com, 1 +justmade.com.br, 1 +justmensgloves.com, 1 +justmyblog.net, 1 +justmysocks.xyz, 1 +justnajoua.tk, 1 +justneworleans.com, 1 +justninja.com, 1 +justnu.se, 0 +justor.ru, 1 +justpass.co.uk, 1 +justpass.uk, 1 +justpaste.it, 1 +justpdf.cf, 1 +justpractice.ca, 1 +justquoteme.ga, 1 +justrighthsc.com, 1 +justsa.co.za, 1 +justsandro.tk, 1 +justsellmycar.com, 1 +justshare.tk, 1 +justt-watch-now.xyz, 1 +justupdate.me, 1 +justwannalearn.com, 1 +justweather.org, 1 +justwizards.me, 1 +justyy.com, 1 +justzz.xyz, 1 +juszczak.io, 1 +juszkiewicz.com.pl, 1 +jutella.de, 0 +jutlander-netbank.dk, 1 +jutrainingdiet.fr, 1 +juttaheitland.com, 1 +juul-iversen.dk, 1 +juul.xyz, 0 +juurussuo.tk, 1 +juusujanar.eu, 0 +juvenile-studios.de, 1 +juventudevareira.tk, 1 +juventusmania1897.com, 1 +juventusnews24.com, 1 +juweldot.tk, 1 +juwelier-schmuck.de, 1 +juwelierstoopman.nl, 0 +juweliervanwillegen.nl, 1 +juzgadocaldas.com, 1 +juzz.io, 1 +jv-projects.be, 1 +jvanerp.nl, 1 +jvbouncycastlehire.co.uk, 1 +jvdham.nl, 1 +jvdz.nl, 1 +jvega.me, 1 +jvianes.ddns.net, 1 +jvlfinance.cz, 1 +jvmcomunicacao.com.br, 1 +jvphotoboothhire.co.uk, 1 +jvspin.com, 1 +jvspin13135.top, 1 +jvspinapp.com, 1 +jw-services-stg.org, 1 +jw-services.org, 1 +jw.fail, 1 +jw1.ca, 1 +jwala.diamonds, 1 +jwatt.org, 1 +jwatt.uk, 1 +jwb.red, 1 +jwbrown.com, 1 +jwbrown.nl, 1 +jwbrown.ru, 1 +jwchords.org, 1 +jwds.blog, 1 +jwe.nl, 1 +jweditions.co.uk, 1 +jwhite.network, 1 +jwilsson.com, 0 +jwjwjw.com, 1 +jwmmarketing.com, 1 +jwod.gov, 1 +jwolt-lx.com, 1 +jwplay.ml, 1 +jwpoore.com, 1 +jwr.me, 1 +jwroberts.com, 1 +jwschuepfheim.ch, 1 +jwz.org, 1 +jxcad.com.cn, 1 +jxdsp.com, 1 +jxir.de, 1 +jxltom.com, 1 +jxm.in, 1 +jxs.ch, 1 +jxsmodafeminina.com.br, 1 +jybrid.com, 1 +jydemarked.dk, 1 +jyllandsakvariet.dk, 1 +jyoba.co.jp, 1 +jyoti-fairworks.org, 0 +jysecurity.com, 1 +jyvaskylantykkimies.fi, 1 +jz.lc, 1 +jzagorulko.com, 1 +jzbk.org, 0 +jzeb.co, 1 +jzminimalist.com, 1 +jztkft.hu, 1 +jzwebdesign.ie, 1 +jzz.cool, 1 +k-45.ru, 1 +k-amenix.co.jp, 1 +k-bone.com, 1 +k-collab.com, 1 +k-designstudio.com, 1 +k-h-c.ru, 1 +k-homes.net, 1 +k-labs.be, 1 +k-linkcarecenter.com, 1 +k-matsudaclinic.com, 1 +k-moto.sk, 1 +k-netz.de, 1 +k-pan.com, 1 +k-s-edition.ru, 0 +k-sails.com, 1 +k-scr.me, 1 +k-so.de, 1 +k-system.de, 1 +k-tube.com, 0 +k-will.tk, 1 +k.tt, 1 +k1024.org, 1 +k123123.com, 1 +k1chn.com, 0 +k2.works, 1 +k234234.com, 1 +k258059.net, 1 +k29.ee, 1 +k2industrial.com, 1 +k2velosi.com, 1 +k36533.com, 1 +k38.cc, 1 +k3a.me, 1 +k3concert.nl, 1 +k3nny.fr, 1 +k3t.net, 1 +k4law.com, 1 +k4nzi.duckdns.org, 1 +k507.com, 0 +k51365.com, 1 +k5197.co, 1 +k55655.com, 1 +k583.com, 0 +k60d.com, 1 +k66.ag, 1 +k665.vip, 1 +k6729.co, 1 +k6729.com, 1 +k6957.co, 1 +k6957.com, 0 +k7add.com, 1 +k7azx.com, 1 +k7cl.com, 1 +k8.com, 1 +k80608.com, 1 +k82.org, 1 +k82365.com, 1 +k85.app, 0 +k86.app, 1 +k86681.com, 1 +k86690.com, 0 +k86853.com, 1 +k869.co, 0 +k86921.com, 0 +k86929.com, 0 +k86930.com, 1 +k86967.com, 0 +k87.app, 1 +k87073.com, 0 +k87074.com, 0 +k87075.com, 0 +k87076.com, 0 +k87077.com, 0 +k87079.com, 0 +k87080.com, 0 +k87119.com, 0 +k87121.com, 0 +k87126.com, 0 +k87131.com, 0 +k87133.com, 0 +k87136.com, 0 +k87210.com, 1 +k873.co, 0 +k875.co, 0 +k88107.com, 1 +k88110.com, 0 +k88116.com, 0 +k88127.com, 0 +k88172.com, 1 +k88256.com, 1 +k88257.com, 1 +k88259.com, 1 +k88302.com, 0 +k88306.com, 1 +k88312.com, 0 +k88313.com, 1 +k88327.com, 1 +k886.co, 1 +k88670.com, 0 +k88672.com, 0 +k889.co, 1 +k8892.com, 1 +k89.app, 1 +k8dalao.com, 1 +k8didi.com, 1 +k8gege.com, 1 +k8jiejie.com, 1 +k8laosiji.com, 1 +k8meimei.com, 1 +k8meinv.com, 1 +k8n.de, 1 +k8r.eu, 1 +k8v27.com, 0 +k8vn.com, 0 +k9297.co, 1 +k9728.co, 1 +k9bhh.net, 1 +k9erp.com, 1 +k9lady.ml, 1 +k9life.cf, 1 +k9life.gq, 1 +k9life.ml, 1 +k9swx.com, 1 +ka-kousin.co.jp, 1 +ka4aka.tk, 1 +ka4ka-ru.tk, 1 +ka4ka.cf, 1 +ka4ka.ml, 1 +kaalberry.com, 0 +kaamoscreations.com, 1 +kaamosmail.com, 1 +kaandorpfietsen.nl, 1 +kaanhaa.com, 0 +kaaniche.xyz, 1 +kaany.io, 1 +kaartje.shop, 1 +kaasbesteld.nl, 1 +kaatha-kamrater.se, 0 +kaatsen.tk, 1 +kab-s.de, 1 +kabachok.tk, 1 +kabal.tk, 1 +kabardinka.ga, 1 +kabardino-balkariya.ml, 1 +kabel.cf, 1 +kabel.ga, 1 +kabel.gq, 1 +kabel.ml, 1 +kabeldiertje.nl, 1 +kabellegger.nl, 1 +kabeltv.co.nz, 1 +kabeuchi.com, 1 +kabide.net, 1 +kabinett.cz, 1 +kabir.cf, 1 +kabir.tk, 1 +kablo.tk, 1 +kabluchek.tk, 1 +kabluchok.tk, 1 +kabodo.com, 1 +kaboommagazine.ga, 1 +kaboommagazine.gq, 1 +kaboommagazine.ml, 1 +kabos.art, 1 +kabu-abc.com, 1 +kabuka.jp.net, 1 +kabuki-inc.co.jp, 1 +kabukpsikoloji.com, 1 +kabulboy.tk, 1 +kabulpress.org, 1 +kabushiki.jp, 1 +kabyle.com, 1 +kacanews.com, 1 +kacang-bali.com, 1 +kacgal.com, 1 +kachaem-knigi.gq, 1 +kachat.io, 1 +kachelfm.nl, 1 +kachka.cf, 1 +kachlikova2.cz, 1 +kack.website, 1 +kackyreloaded.com, 1 +kacy-kisha.com, 1 +kada.lk, 1 +kadalove.net, 1 +kaddex.xyz, 1 +kaddify.de, 1 +kadeatwood.com, 1 +kadenafss.com, 1 +kadenba.ch, 1 +kadence.tk, 1 +kadenlegion.com, 1 +kadeshcdc.org, 1 +kadet.net.ru, 1 +kadett-c-club-limburg.tk, 1 +kadhal-kirukkan.tk, 1 +kadidak.com, 0 +kadifeli.com, 1 +kadinbonesulsel.id, 1 +kadinhaber.tk, 1 +kadinhayati.com, 1 +kadinisci.org, 1 +kadinsaglikhaber.tk, 1 +kadinvesaglik.tk, 1 +kadix.com.br, 0 +kado-ya.jp, 1 +kadolis.com, 1 +kadro.com.pl, 1 +kadvi.tk, 1 +kadykchanskiy.ml, 1 +kaeme.com, 1 +kaeptns-sechser.de, 1 +kaeru-seitai.com, 1 +kaese-journal.ch, 1 +kaesehagen.nl, 1 +kafel-ufa.tk, 1 +kafeline.com, 1 +kaffad.site, 1 +kaffeekrone.de, 1 +kaffeepflanze-pflege.de, 1 +kaffeeringe.de, 1 +kaffeesud.org, 1 +kaffeklubben.tk, 1 +kaffeluckan.se, 1 +kafgoldenbearsbor.tk, 1 +kafoom.de, 1 +kagami.tk, 1 +kagata-kids.com, 1 +kagebyvyre.tk, 1 +kagel.ch, 1 +kagelmacher.ch, 1 +kages.at, 1 +kaggle.com, 1 +kagi.com, 1 +kagicomb.org, 1 +kagl.me, 1 +kagomesashi.tk, 1 +kaguramea.fr, 1 +kaha.co.id, 1 +kahane.org, 1 +kahmad.in, 1 +kahoot.it, 1 +kahvakiekkotalkoot.fi, 1 +kai-i.com, 1 +kai-justin.de, 1 +kai-ratzeburg.de, 1 +kai-ruecker.tk, 1 +kaiahealth.com, 1 +kaibaunderwear.com.ar, 1 +kaibinyang.com, 1 +kaibinyang.tk, 1 +kaibo.cz, 1 +kaibo.eu, 1 +kaiche.com, 1 +kaida-rybak.ru, 1 +kaidoblogi.eu, 1 +kaifischer.tv, 1 +kaigojj.com, 1 +kaihipay.jp, 1 +kaijo-physics-club.work, 1 +kaik.io, 1 +kaika-facilitymanagement.de, 1 +kaikei7.com, 1 +kaikrups.com, 1 +kaileymslusser.com, 0 +kaimassagechairs.com, 1 +kaimi.io, 1 +kaimonojyoz.jp, 1 +kainelaw.com, 1 +kainetsoft.com, 1 +kainsanders.com, 1 +kainz.be, 1 +kaiod.tk, 1 +kaioken.bar, 1 +kaion.vn, 1 +kaipel.de, 1 +kairion.de, 0 +kairuitan.com, 0 +kais08.com, 1 +kaisanord.org, 1 +kaiser.ga, 1 +kaiser.wf, 1 +kaiseraerospace.tk, 1 +kaiserinformativo.com, 1 +kaisev.net, 1 +kaishi009.com, 1 +kaishi555.com, 1 +kaisto.net, 0 +kaisyo.co.jp, 1 +kaitol.click, 1 +kaitseministeerium.ee, 0 +kaity-sun.com, 1 +kaiu-sport.de, 1 +kaiusaltd.com, 0 +kaiva.cl, 1 +kaiwritings.com, 1 +kaiwu.xyz, 1 +kaiy.moe, 1 +kaizencraft.ga, 1 +kaizendigitalstudios.live, 1 +kaizenjuku.org, 1 +kaizenreporting.com, 1 +kaizeronion.com, 1 +kaizoku-dmc.com, 1 +kajak.land, 1 +kajalkumar.tk, 1 +kajasafe.fi, 1 +kajirakuda.com, 1 +kajlovo.cz, 1 +kajzonnebeke.tk, 1 +kak-pohudet-legko.ml, 1 +kaka.farm, 0 +kakabo.vn, 1 +kakacon.nz, 1 +kakan.ml, 1 +kakaravaara.fi, 1 +kakatu.ru, 1 +kakazai.com, 1 +kakdolgonline.cf, 1 +kakdoma-23.ru, 1 +kakeru.cf, 1 +kaketang.com, 0 +kakkerlakken.tk, 1 +kakofotmitzaim.cf, 1 +kakofotmitzaim.ga, 1 +kakofotmitzaim.gq, 1 +kakofotmitzaim.ml, 1 +kakofotmitzaim.tk, 1 +kakoo-media.nl, 1 +kakoomedia.nl, 1 +kakpoluchitzaim.cf, 1 +kakpoluchitzaim.ga, 1 +kakpoluchitzaim.gq, 1 +kakpoluchitzaim.ml, 1 +kakpoluchitzaim.tk, 1 +kaksdelatpotolok.ru, 1 +kaktus-tour.cf, 1 +kaktuskola.se, 1 +kakuch.com, 0 +kakvzyatdolg.ga, 1 +kakvzyatdolg.ml, 1 +kakvzyatzaim.cf, 1 +kakvzyatzaim.gq, 1 +kakvzyatzaim.tk, 1 +kal05.tk, 1 +kalababy.bg, 1 +kalabhavashricreations.com, 1 +kaladarb.com, 0 +kalaharifeis.com, 1 +kalakarclub.com, 1 +kalambur.gq, 1 +kalambur.ml, 1 +kalami.nl, 1 +kalamos-psychiatrie.be, 1 +kalamos.tk, 1 +kalamotownship-mi.gov, 1 +kalapatec.id, 1 +kalashnikov.ml, 1 +kalaskvintetten.tk, 1 +kalaspuffar.se, 1 +kalastus.com, 1 +kaldewei.com, 1 +kaleidoscope.co.uk, 1 +kalek.eu, 1 +kalendarabiturienta.tk, 1 +kalender.com, 1 +kalender.goip.de, 1 +kalerne.tk, 1 +kalhufvudet.se, 1 +kaliaa.fi, 1 +kalian.cz, 1 +kaliboairport.tk, 1 +kaliboys.com, 1 +kaliforniya.tk, 1 +kalimantan.tk, 1 +kalimari.tk, 1 +kalimat.gq, 1 +kalimba-hangszerbolt.hu, 1 +kalina.ml, 1 +kaliningrad.gq, 1 +kaliningrad.ml, 1 +kalinka-shop.tk, 1 +kaliocommerce.com, 1 +kalisch.eu, 1 +kalisilat.tk, 1 +kalk-shop.nl, 1 +kalkaskavillagemi.gov, 1 +kalkulacka-havarijni.cz, 1 +kalleanka.tk, 1 +kalligo.ga, 1 +kalligraf.tk, 1 +kallisto.io, 1 +kallosmedicalaesthetics.com, 1 +kalmarbilder.se, 1 +kalmbach.com, 1 +kalmservices.ca, 1 +kalmykia.cf, 1 +kalmykia.tk, 1 +kalogeropoulos-st.com, 1 +kalohan.tk, 1 +kaloix.de, 1 +kalolina.com, 1 +kalombo.ru, 1 +kalompaturi.com, 1 +kalpavriksh.org, 1 +kalsa.ga, 1 +kalsbouncies.com, 1 +kaltenbrunner.it, 1 +kalterersee.ch, 1 +kaltoft.net, 0 +kaluga.cf, 1 +kaluga.gq, 1 +kalugadeti.ru, 1 +kalugin.tk, 1 +kaluja.fi, 1 +kalwak.cr, 1 +kalwestelectric.com, 1 +kalyandevelopers.com, 1 +kalyangupta.ml, 1 +kalyanmatka.guru, 1 +kalyazin-online.tk, 1 +kam-serwis.pl, 1 +kamalame.co, 1 +kamandula.tk, 1 +kamanja.io, 1 +kamareddine.tk, 1 +kamasutra-training.gq, 1 +kamata-saisyuusyou.com, 1 +kamata-shinkyu-seikotsu.jp, 1 +kamataryo.com, 1 +kamatoycleaner.com, 1 +kamazuri.art, 1 +kambistories.com, 1 +kamchatkatravel.tk, 1 +kamchatkawinter.tk, 1 +kamcolorectal.com, 1 +kamel.social, 1 +kameldesign.com, 1 +kameliya.tk, 1 +kamen-master.ru, 1 +kamennyj-pisatel.tk, 1 +kameno-news.tk, 1 +kamer.nl, 1 +kamera.org.tr, 1 +kamerpower.com, 0 +kamery.top, 1 +kameryzababku.sk, 1 +kamey-steuerberatung.de, 1 +kameya.bg, 1 +kami-riha.com, 1 +kamien-ogrodowy.tk, 1 +kamienie-migdalkowe.pl, 1 +kamikami.eu, 1 +kamikatse.net, 1 +kamikatzerl.net, 1 +kamikazeweb.tk, 1 +kamildrozd.tk, 1 +kamilla.ml, 1 +kamilmagdziak.pl, 1 +kamilsevi.com, 0 +kamin-island.ru, 1 +kaminbau-laub.de, 1 +kaminholz.eu, 1 +kaminoke.info, 0 +kaminoweb.com, 1 +kaminy-msk.ru, 0 +kamio.co.uk, 1 +kamisato-ent.com, 1 +kamistik.com, 1 +kamitech.ch, 1 +kamiyo.tk, 1 +kamlunglelystad.tk, 1 +kamnob.com, 1 +kamp-kisten.nl, 1 +kampanyaradar.com, 1 +kampffische.tk, 1 +kampfsportschule-einherjar.de, 1 +kampova.sk, 1 +kamppailusali.fi, 1 +kampungcyber.tk, 1 +kampunginggris-ue.com, 1 +kampusku.tk, 1 +kamrad.tk, 1 +kamranmirhazar.com, 1 +kamu.org, 1 +kamui.co.uk, 1 +kamumisafirhaneleri.com.tr, 1 +kamuniang.org, 1 +kan-ken.fr, 1 +kan.bi, 1 +kan3.de, 1 +kana-mono.biz, 1 +kana.me, 1 +kanabun.top, 1 +kanaete-uranai.com, 1 +kanag.pl, 1 +kanakdharaenterprise.com, 1 +kanal-c.net, 1 +kanal-schaefer.de, 1 +kanal-tv-haensch.de, 0 +kanalasal.id, 0 +kanalbutikken.no, 1 +kanali.info, 1 +kanapa.gq, 1 +kanariesite.tk, 1 +kanatsuki.tk, 1 +kanava.tk, 1 +kancelaria-prawna.pl, 1 +kancelyaria.com.ua, 1 +kancolle.me, 1 +kanctovary.tk, 1 +kandalife.com, 1 +kandelaberi.tk, 1 +kanden-com-reform.com, 1 +kandhamal.org, 1 +kandianshang.com, 1 +kandkforwarding.com, 1 +kandofu.com, 1 +kandr.net, 1 +kandra.com.br, 1 +kandrahechiceravudu.com, 1 +kandrive.gov, 1 +kanduit.live, 1 +kandycoated.com, 1 +kanecastles.com, 1 +kanecountyhospitalut.gov, 1 +kanecountyil.gov, 1 +kanehisa.xyz, 1 +kanehusky.com, 0 +kanetix.ca, 1 +kanganer.com, 1 +kangaroo-bouncycastle.co.uk, 1 +kangarooislandholidayaccommodation.com.au, 1 +kangaroojacks.co.uk, 1 +kangaroos.org, 1 +kangaroosgardencentre.ca, 1 +kangavar.tk, 1 +kangbo.com, 1 +kangdaniel.cn, 1 +kangkai.me, 1 +kangkang.net, 1 +kangkang.org, 1 +kangliortho.com, 1 +kangoeroeteam.tk, 1 +kangouroo.ch, 1 +kangutingo.com, 1 +kangzaber.com, 1 +kaninchenartikel.de, 1 +kanis.ag, 1 +kanitha.sk, 1 +kankakeecountyclerk.gov, 1 +kankerpannekoek.nl, 1 +kankfn.com, 1 +kankimaru.com, 1 +kanna.cf, 1 +kannabia.com, 1 +kannata.ml, 1 +kanneldiamond.com, 1 +kano.fan, 0 +kano.tk, 1 +kanootours.com, 1 +kanosuki.com, 0 +kanotijd.nl, 1 +kanoumokuzai.co.jp, 1 +kanpian369.com, 1 +kanru-clinic.com.tw, 1 +kansai-ramen-derby.com, 1 +kansascityzoo.org, 0 +kansasconstruction.ga, 1 +kansashealth.tk, 1 +kansashighwaypatrol.gov, 1 +kansasnet.tk, 1 +kansasvaccine.gov, 1 +kansasvoterinfo.gov, 1 +kanshutan.com, 1 +kantankye.nl, 1 +kantoorartikelen.nl, 1 +kantoorboel.nl, 1 +kantoormeubilair.nl, 1 +kantora-plovdiv.com, 1 +kantorad.io, 1 +kantorosobisty.pl, 1 +kantrok.com, 1 +kantube.tk, 1 +kanui.ml, 1 +kanuking.de, 1 +kanuvu.de, 1 +kanvasbaski.tk, 1 +kanz.jp, 1 +kanzashi.com, 1 +kanzlei-sixt.de, 1 +kanzshop.com, 1 +kaohongshu.blog, 1 +kaora.cz, 1 +kaosintesta.tk, 1 +kap-kirche.de, 1 +kap.pe, 1 +kapaci.com, 1 +kapanlagi.gq, 1 +kapelya.gq, 1 +kapilarya.com, 1 +kapiorr.duckdns.org, 1 +kapital-kredit.cf, 1 +kapitalsprung.com, 1 +kapitany.tk, 1 +kapiteintje.tk, 1 +kaplan.se, 1 +kaplanco.com, 1 +kaplanprofessional.edu.au, 1 +kaplatzis.com, 1 +kapparhokappa.tk, 1 +kappenstein.org, 0 +kappharn.com, 1 +kappit.dk, 1 +kappow.co.uk, 1 +kapri.dn.ua, 1 +kaproseo.com, 1 +kapsalonlinds.nl, 1 +kapseli.net, 1 +kapsouro-ksimeromata.eu, 1 +kaptadata.com, 1 +kaptamedia.com, 1 +kapui.net, 1 +kapukoaldizkaria.tk, 1 +kapulakennel.tk, 1 +kapunet.tk, 1 +kaputt.com, 1 +kaputtendorf.tk, 1 +kaputtzich.duckdns.org, 1 +kara-fabian.com, 1 +kara-fabian.de, 1 +karabah.cf, 1 +karabah.tk, 1 +karabas.com, 1 +karabukhaber.tk, 1 +karachay.tk, 1 +karacommagere.com, 1 +karada.live, 1 +karadenizhaberleri.tk, 1 +karajonline.tk, 1 +karakafa.net, 1 +karakurt.me, 1 +karamanev.me, 1 +karamel69.ru, 1 +karamomo.net, 1 +karand.me, 1 +karanjthakkar.com, 1 +karanlyons.com, 1 +karantyn.pro, 1 +karaoglanis-info.tk, 1 +karaoglanis.tk, 1 +karaokerentalcalgary.com, 1 +karaokerentaledmonton.com, 1 +karaokerentalmontreal.com, 1 +karaokerentalottawa.com, 1 +karaokerentaltoronto.com, 1 +karaokeyboards.tk, 1 +karapatan.org, 1 +karapuzz.tk, 1 +karasev-stroy.ru, 1 +karasevm.ru, 1 +karasik.by, 1 +karatecabes.tk, 1 +karateclub-waregem.tk, 1 +karatepunkslaroca.tk, 1 +karatesamurai.tk, 1 +karawane.tk, 1 +karayollarimisafirhanesi.com, 1 +karaz.ps, 1 +karbox.de, 1 +kardac.com, 1 +kardia-bordeauxdoggen.tk, 1 +kardize24.pl, 1 +kardjali.bg, 1 +kardla.edu.ee, 1 +kareenaworld.tk, 1 +karel-dingeldey.de, 1 +karel-it.be, 1 +karelgol.tk, 1 +karelia.cf, 1 +karelia.ga, 1 +karelia.ml, 1 +karelin.tk, 1 +kareltrans.tk, 1 +karelvanhecke.com, 1 +karemfouad.com, 1 +karen-homestay.tk, 1 +karencatering.com, 1 +karenerdos.com.au, 1 +karenofarcola.com, 1 +karenvien.ga, 1 +karewan.ovh, 1 +kargas.cf, 1 +kargl.net, 1 +kargotakip.co, 1 +kargotakip.me, 1 +karhukamera.com, 1 +karikatur.cf, 1 +karikatur.ga, 1 +karikatur.ml, 1 +karikatur.tk, 1 +karimova.tk, 1 +karimsaadati.tk, 1 +karimunsejahtera.com, 1 +karina.gd, 1 +karinagallagher.com, 1 +karinahh.net, 1 +karinheinenmaassen.nl, 1 +karinov.co.id, 1 +karinwerner.com, 1 +karit.nz, 1 +kariyermemur.com, 1 +karkey.in, 1 +karkkilandemarit.fi, 1 +karlbowden.com, 1 +karlic.net, 1 +karliekloss.tk, 1 +karlin.run, 1 +karlis-kavacis.id.lv, 1 +karlis.tk, 1 +karlislab.com, 1 +karlloch.de, 1 +karlogavric.com, 1 +karloluiten.nl, 1 +karloskontana.tk, 1 +karlov.tk, 1 +karlproctor.co.uk, 1 +karlskronajk.tk, 1 +karlsmithmn.org, 1 +karlson.gq, 1 +karlswift.com, 0 +karlzotter.com, 1 +karmaassurance.ca, 1 +karmaflux.com, 1 +karmaful.de, 1 +karmagroup.com, 1 +karmainsurance.ca, 1 +karmalighting.com, 1 +karmatrend.cf, 1 +karmelava.tk, 1 +karmil.tk, 1 +karn.nu, 1 +karnage.eu, 1 +karneid.info, 1 +karniz.ml, 1 +karo.pc.pl, 1 +karoche.ga, 1 +karodos.pl, 1 +karolak.fr, 0 +karolaschinkel.de, 1 +karolbiskup.pl, 1 +karolinamed.ru, 1 +karopapier.de, 1 +karopc.pl, 1 +karorally.tk, 1 +karoverwaltung.de, 1 +karpanhellas.com, 0 +karperontspanning.tk, 1 +karperpagina.tk, 1 +karpets.gq, 1 +karpo.tk, 1 +karppaamo.fi, 1 +karr.ga, 1 +karramba.tk, 1 +karriharju.tk, 1 +karrot.world, 1 +karryfishing.com, 1 +karsiyakacilingir.biz.tr, 1 +karsofsystems.com, 1 +karstenhelmbold.de, 1 +karstjewellery.co.uk, 1 +karstransport.tk, 1 +karta-baikala.ml, 1 +karta-mira.com, 1 +karta-paliwowa.pl, 1 +kartacha.com, 1 +kartalvincisletmeciligi.com, 1 +kartar.net, 0 +kartec.com, 1 +kartenmarie.de, 1 +kartenplanet.ch, 1 +kartikmohta.com, 1 +karting-normandie.fr, 1 +kartoffel-stampfer.com, 1 +kartoffel-tobi.de, 1 +kartonki.tk, 1 +kartonmodellbau.org, 1 +kartpower.tk, 1 +karudomizile.de, 1 +karula.org, 0 +karupp-did.net, 1 +karussell.com.tr, 0 +kas.ie, 1 +kasad.com, 1 +kasamatsu-sogo-hoken.com, 1 +kasanikares.com, 1 +kasasaprotect.com, 1 +kasaysayan.tk, 1 +kasei.im, 1 +kasettilamerit.fi, 1 +kaseyhopkins.com, 1 +kashbet.net, 1 +kashbontravels.com, 1 +kashflowcoupon.co.uk, 1 +kashflowpromocode.co.uk, 1 +kashifmajid.tk, 1 +kashifshah.tk, 1 +kashinavi.com, 1 +kashis.com.au, 1 +kashmash.com, 1 +kashmirartquest.tk, 1 +kashousing.tk, 1 +kashta-svgeorgi.com, 1 +kasiafricagroup.org, 1 +kasinobonus.com, 1 +kasinoilmanrekisteroitymista.io, 1 +kasinonetti.com, 1 +kasinopartio.com, 1 +kasis.nl, 1 +kaskadee.eu, 1 +kaskocdn.com, 1 +kaskocloud.com, 1 +kaskodev.com, 1 +kaskojs.com, 1 +kaskoqa.com, 1 +kasparovru.ml, 1 +kasparovru.tk, 1 +kasper-team.tk, 1 +kasperstad.dk, 1 +kass-media.com, 1 +kassa.at, 1 +kassa.com, 1 +kassa.expert, 1 +kassa24.kz, 1 +kasse.at, 1 +kasse.pro, 1 +kassemmal.at, 1 +kassen-zero.net, 1 +kassianoff.fr, 1 +kassola.tk, 1 +kastamonuhaberleri.tk, 1 +kastankaoffice.cz, 1 +kastas.com, 1 +kastas.com.tr, 1 +kastelruth.biz, 1 +kastemperaturen.ga, 1 +kastgroup.com, 1 +kastmedia.com, 1 +kastorsky.ru, 0 +kastrup.is, 1 +kastrupvinduet.dk, 1 +kastuvas-tau.lt, 1 +kasu.ga, 1 +kasvall.com, 1 +kasyna-internetowe.com, 1 +kasynoanalyzer.com, 1 +kat.cat, 1 +kat4at.tk, 1 +katachistore.com, 1 +katagena.com, 1 +kataiszilveszter.hu, 0 +katalog-parfyum.tk, 1 +katalog-serverof.ml, 1 +katalog-serverov.cf, 1 +katalog-serverov.ga, 1 +katalog-serverov.tk, 1 +katalog-tovarov.tk, 1 +katalogbutikker.dk, 1 +katalogharga.cf, 1 +katalogkapsli.pl, 1 +katan-stroi.tk, 1 +katapult-impuls.com, 1 +katapult.es, 0 +katapult.tk, 1 +katarios.tk, 1 +katarpilar.com, 1 +katarsis.lt, 1 +katarsisuib.no, 1 +katartika.tk, 1 +katazuketai.net, 1 +katc.com, 1 +kate-beckinsale.tk, 1 +kate-hurst.com, 1 +katedra.de, 1 +kateduggan.com, 1 +kateduggan.net, 1 +katekligys.com, 1 +katemihalikova.cz, 1 +katenka.tk, 1 +katerinaverbovskaya.com, 1 +katerman.cf, 1 +katerman.ga, 1 +katerman.gq, 1 +katerman.ml, 1 +kateryan.tk, 1 +kateryantv.tk, 1 +katestudio.dk, 1 +katesymmans.co.nz, 1 +katewrightmba.com, 1 +katex.org, 1 +kateysagal.tk, 1 +katfitness.co.uk, 1 +kathakkachakkar.com, 1 +kathardt.de, 1 +katherineandkegan.love, 1 +katherineswynford.tk, 1 +kathleendeisher.com, 1 +kathmandupost.com, 1 +kathrin-maren-enders.de, 1 +kathrynbernardo.tk, 1 +kathy.best, 1 +kathy.lgbt, 1 +kathy.link, 1 +kathyekaan.com, 1 +kathyschlitzer.com, 1 +kati-raumplaner.de, 1 +kati0.com, 1 +katiebenson.tk, 1 +katiechai.xyz, 1 +katiemadethat.shop, 1 +katiepears.net, 1 +katieriker.com, 1 +katieskandy.co.uk, 1 +katieskastles.co.uk, 1 +katio.net, 1 +katiusha.tk, 1 +kativa.it, 1 +katja-nikolic-design.de, 1 +katjapratschke.de, 1 +katka.info, 1 +katmccormick.com, 1 +katnunn.co.uk, 1 +kato-yane.com, 1 +katoikos.world, 1 +katolickaseznamka.cz, 1 +katom.com, 1 +katowice2021.eu, 1 +katrelleonline.tk, 1 +katretter.de, 1 +katrin.tk, 1 +katrinakaifphotos.tk, 1 +katrinasevilla.com, 1 +katrinjanke.de, 0 +katscastles.co.uk, 1 +katsiavarasorthopedics.gr, 1 +katsunet.com, 1 +katsushikacity-cashless.jp, 1 +kattelans.de, 1 +kattelans.eu, 1 +kattelus.tk, 1 +kattens.tk, 1 +katushka.cf, 1 +katushka.ga, 1 +katycollection.com, 0 +katyl.info, 0 +katyusha.net, 1 +katzei.fr, 1 +katzenbrunnen-test.de, 1 +katzensklave.me, 1 +katzrkool.xyz, 1 +kau-boys.com, 1 +kau-boys.de, 1 +kaufberatung.community, 1 +kaufhausdesaffen.com, 1 +kaufkraftkiel.de, 1 +kaufleute-sbh.de, 1 +kaukauna.gov, 1 +kauper.de, 1 +kauperwood.ovh, 1 +kaushal.tk, 1 +kausharach.tk, 1 +kausta.me, 1 +kaustubhk.com, 1 +kavalasite.gr, 1 +kavaplius.lt, 1 +kavatasygarety.tk, 1 +kaveh24.com, 1 +kavelruilonline.nl, 1 +kaverti.com, 1 +kavik.no, 1 +kavin.rocks, 0 +kavinchauhan.in, 1 +kavitech.vn, 1 +kavithai.tk, 1 +kavkaz-info.tk, 1 +kavkaz.cf, 1 +kavli-express.gr, 1 +kavovary-kava.cz, 1 +kavshipping.com, 1 +kawabeest.tk, 1 +kawadoart.com, 1 +kawaii-dollies.tk, 1 +kawaii.su, 1 +kawaiicon.org, 1 +kawaiii.link, 1 +kawaiiku.com, 1 +kawaiiku.de, 1 +kawaiilo.li, 1 +kawamura-inc.jp, 1 +kawandegroup.com, 1 +kawasakipartsonline.co.uk, 1 +kawayii.com, 1 +kawigraphics.com, 1 +kawnation.gov, 1 +kawuk.com, 1 +kay.la, 1 +kay.moe, 1 +kayakaventura.tk, 1 +kayakcastro.tk, 1 +kayakpolouniversidades.tk, 1 +kayashkina.com, 1 +kaydan.io, 1 +kayipkiliseler.com, 1 +kayisir.com, 1 +kayit.co.uk, 1 +kayleen.net, 1 +kaylielaw.com, 1 +kayne.com, 1 +kayon.cf, 1 +kayscs.com, 1 +kayseri.bel.tr, 1 +kayserihaberleri.tk, 1 +kaysville.gov, 1 +kaysvillechurch.com, 1 +kayteedidquiltsandmore.com, 1 +kazakov.lt, 1 +kazan-tury.ml, 1 +kazanasolutions.de, 1 +kazand.lt, 1 +kazandaemon.ru, 1 +kazangoforums.tk, 1 +kazanusadba.cf, 1 +kazap.co.uk, 1 +kazard.co.za, 1 +kazarmy.tk, 1 +kazeso.kz, 1 +kazigk.me, 1 +kazino5.tk, 1 +kazna.ml, 1 +kaznice.art, 1 +kaznur.tk, 1 +kazoohr.com, 1 +kaztest.tk, 1 +kazu-techlab.com, 1 +kazu.click, 1 +kazuhirohigashi.com, 1 +kazumi-clinic.com, 1 +kazumi.ooo, 1 +kazumi.ro, 1 +kazuno-jc.or.jp, 1 +kazvel.com, 1 +kazvet.ru, 1 +kazwolfe.io, 1 +kazy111.info, 1 +kb-psy.fr, 1 +kb096.com, 1 +kb1000.de, 1 +kb1313.com, 1 +kb2121.com, 1 +kb283.com, 1 +kb35.net, 1 +kb38.net, 1 +kb481.com, 0 +kb5050.com, 1 +kb5151.com, 1 +kb5757.com, 1 +kb7070.com, 1 +kb82.net, 1 +kb88dc05.com, 1 +kb88dc12.com, 1 +kb88dc15.com, 1 +kb88dc16.com, 1 +kb88dc17.com, 1 +kb88dc26.com, 1 +kb930.com, 1 +kb9797.com, 1 +kb9988.com, 1 +kba-online.de, 1 +kbb-ev.de, 1 +kbbouncycastlehire.co.uk, 1 +kbc.be, 0 +kbcjiolotterywinners.com, 1 +kbco.net, 1 +kbcr.gov, 1 +kbet168.com, 1 +kbhfuge.dk, 1 +kbit.dk, 1 +kbkstudio.cz, 1 +kbleventhire.co.uk, 1 +kbmhawaii.com, 1 +kboosting.com, 1 +kbsinflatablekingdom.co.uk, 1 +kbst.se, 0 +kbtairmont.com, 1 +kbtit.jp, 1 +kbz.fr, 1 +kc-holzfaeller.de, 1 +kc-hrubeho.cz, 1 +kc-leeuwarden.tk, 1 +kc1hbk.com, 1 +kc3.moe, 1 +kc5mpk.com, 1 +kcc8.com, 1 +kcfiradio.com, 1 +kchanews.com, 1 +kcire.me, 1 +kck-online.tk, 1 +kckarchitects.com, 1 +kcmak.net, 1 +kcmicapital.com, 1 +kcnawatch.org, 1 +kcnexp.eu.org, 1 +kcnwallet.com, 1 +kcnxp.com, 1 +kcomi.com, 1 +kcor.org, 1 +kcpredict.com, 1 +kcptun.com, 1 +kcsconstructioncompany.com, 1 +kcsh.men, 1 +kcsonline.biz, 1 +kcsordparticipation.org, 1 +kcsprayfoam.com, 1 +kcucs.com, 1 +kd-23.ru, 1 +kd-event.de, 1 +kd.net.nz, 1 +kdarawandekar.tk, 1 +kdb.uz, 1 +kdcinfo.com, 1 +kdcompany.ru, 1 +kde-je-skladem.cz, 1 +kdgd.de, 1 +kdiender.nl, 1 +kdistech.nz, 1 +kdizain.ru, 1 +kdjsa.com, 1 +kdk.com.my, 1 +kdl-group.pl, 1 +kdo-ma-dnes-svatek.cz, 1 +kdo-vola.cz, 1 +kdonkers.com, 1 +kdoslavi.cz, 1 +kdpmgi.com, 1 +kdproduction.cz, 1 +kdrama.cc, 1 +kdramaholic.com, 1 +kdrive.tk, 1 +kduggan.net, 1 +kdw.cloud, 1 +kdyby.org, 0 +ke.fo, 1 +ke.ke, 1 +ke8gtp-vf.herokuapp.com, 1 +kea.dk, 1 +keaipublishing.com, 1 +keala.services, 1 +keane.space, 1 +keaneokelley.com, 1 +kearney.io, 1 +kearneycountyne.gov, 1 +kearneyhub.com, 1 +kearnyaz.gov, 1 +keatsandchapman.ie, 1 +keaysmillwork.com, 1 +keb.com.au, 1 +keb.net.au, 1 +kebab.bg, 1 +kebabbesteld.nl, 1 +kebabbruce.com, 0 +kebhanamyanmar.com, 1 +kebo.xyz, 1 +keca.ca, 1 +kech-immobilier.com, 1 +kecht.at, 1 +kecrily.me, 1 +kedarastudios.com, 1 +kedero.com, 1 +kedi.tk, 1 +kedinox.com, 1 +kediri.win, 1 +keditor.biz, 1 +kedungombo.tk, 1 +kedv.es, 1 +kee.fi, 1 +kee.pm, 1 +keeb.supplies, 1 +keeb.supply, 1 +keechain.io, 1 +keeckee.ml, 1 +keeforcecloud.com, 1 +keekmix.nl, 1 +keelandlong.com, 1 +keeleandfinchdentaloffice.com, 1 +keeley.net, 1 +keeleysam.com, 1 +keelove.net, 1 +keemail.me, 1 +keematdekho.com, 1 +keenenh.gov, 1 +keengamer.com, 1 +keep-smiling.tk, 1 +keep.id, 1 +keep.moe, 1 +keepa.com, 1 +keepagree.gq, 1 +keepclean.me, 0 +keeperapp.com, 1 +keeperklan.com, 0 +keepersecurity.com, 1 +keepersecurity.com.au, 1 +keepersecurity.eu, 1 +keepersecurity.jp, 1 +keepersecurity.us, 1 +keepiteasy.eu, 1 +keepitsecure24.com, 1 +keepitsimplebitcoin.com, 1 +keepitweedy.com, 1 +keepleft.gr, 1 +keepsakedna.com, 1 +keepsight.org.au, 1 +keepsolid.com, 1 +keesmartens.tk, 1 +keesslop.nl, 1 +keestalkstech.com, 1 +keetfm.tk, 1 +keevault.pm, 1 +keeweb.info, 1 +keez.cf, 1 +keezin.ga, 1 +kefucha.de, 1 +kegan.lol, 1 +keganthorrez.com, 1 +kegelschiene.net, 1 +kehlenbach.net, 1 +kehrle.xyz, 1 +keian.tk, 1 +keibablood.com, 1 +keiebijters.nl, 1 +keifel.de, 1 +keigakusha.co.jp, 1 +keiji0501.com, 1 +keiju.ee, 1 +keiju.fi, 1 +keijuriini.fi, 1 +keikadreamland.fun, 1 +keil-web.de, 1 +keilycosmetics.com, 1 +kein-fidget-spinner-werden.de, 1 +kein-hindernis.de, 1 +kein-vergessen.tk, 1 +keinanung.nl, 1 +keinefilterblase.de, 1 +keio-bizplaza.jp, 1 +keio-formula.com, 1 +keioni.com, 1 +keiralewis.co.uk, 1 +keirna.com, 1 +keisaku.org, 1 +keishi.co.jp, 1 +keishiando.com, 1 +keishicho-mirai-method.jp, 1 +keisinger.name, 1 +keitaro.io, 1 +keith.pro, 1 +keithazzopardi.tk, 1 +keithmcmillen.com, 1 +keiths.ml, 1 +keithstaxis.co.uk, 1 +keithws.net, 1 +keiyuki.com, 1 +keizeror.gov, 1 +kejar.id, 0 +kejpop.pl, 1 +kekaoxing.com, 1 +kekarimi.com, 1 +keke-shop.ch, 1 +kekku.li, 0 +kekoskee.gov, 1 +keks.loan, 1 +keksi.io, 0 +kelamanproduction.tk, 1 +kelamb.com, 1 +kelantan.tk, 1 +kelantanmudah.com, 0 +kelax.tk, 1 +kelcible.fr, 1 +kelcotool.com, 1 +keldan.fo, 1 +kelder.tk, 1 +kelderro.nl, 1 +kelinda.tk, 1 +kelio.io, 1 +kelis.fr, 1 +kell.tk, 1 +kell3r.ch, 1 +kellansite.com, 1 +keller-aarau.ch, 1 +keller-sports.at, 1 +keller-sports.be, 1 +keller-sports.ch, 1 +keller-sports.co.uk, 1 +keller-sports.com, 1 +keller-sports.de, 1 +keller-sports.dk, 1 +keller-sports.es, 1 +keller-sports.fr, 1 +keller-sports.it, 1 +keller-sports.nl, 1 +keller-x.at, 1 +keller-x.ch, 1 +keller-x.com, 1 +keller-x.de, 1 +keller-x.fr, 1 +keller-x.nl, 1 +keller-x.se, 1 +kellercore.tk, 1 +kellerencompass.com, 1 +kellerlan.org, 0 +kelleylatino.tk, 1 +kelleymcchesney.us, 1 +kellimacconnell.com, 1 +kellyandantony.com, 1 +kellygrenard.com, 1 +kellyosbourne.tk, 1 +kellyskastles.co.uk, 1 +kellyswordshop.com, 1 +kellyvoice.tk, 1 +kellywebcam.tk, 1 +kelm.me, 1 +kelme.com, 1 +keln.net, 1 +kelp.agency, 0 +kelsa.io, 0 +kelsall39.com, 1 +kelteks.com, 1 +kelts.tk, 1 +kelvinchung.tk, 1 +kelvinfichter.com, 0 +kelyan.fr, 1 +kelyon.info, 1 +kemahtx.gov, 1 +kemanai.akita.jp, 1 +kemand.com, 1 +kemba.com, 1 +kembla.com, 1 +kemeha.tk, 1 +kemerovo.gq, 1 +kemerovo.ml, 1 +kemerovo.tk, 1 +kemerovo42.tk, 1 +kemet.co.uk, 1 +kemhan.go.id, 1 +kemian.de, 1 +kemmerer-net.de, 0 +kemono.su, 1 +kempkens.io, 1 +kempnertx.gov, 1 +kemptechnologies.com, 0 +kemptonparkplumbing.co.za, 1 +kemptown.co.uk, 1 +kemptown.com, 1 +kemptown.net, 1 +kemsa.ga, 1 +kemsamnhatban.cf, 1 +kemsamnhatban.ga, 1 +kemsamnhatban.gq, 1 +kemsamnhatban.ml, 1 +kemsamnhatban.tk, 1 +ken-electric.com.br, 1 +ken.fm, 1 +kenbillionsyuan.tk, 1 +kenbonny.net, 0 +kendall.productions, 1 +kendallcountyil.gov, 1 +kendallvillein.gov, 1 +kendermore.it, 1 +kendernet.com, 1 +kendev.com, 1 +kendigawards.com, 1 +kendle.tk, 1 +kendrick.tk, 1 +kendu.si, 0 +kenduct.net, 1 +kenedytx.gov, 1 +kenedytxedc.gov, 1 +kenforeman.com, 1 +kengcoder.com, 1 +kengjoo.store, 1 +kenhhomestay.com, 1 +keniasfamilychildcare.com, 1 +keniff.gq, 1 +kenlewis.com, 1 +kenmo.org, 1 +kennebec.gov, 1 +kennedy.cf, 1 +kennedy.ie, 1 +kennedycorrentes18k.com.br, 1 +kennedyinsurancesolutions.com, 1 +kenners.org, 0 +kennethaasan.no, 1 +kennethandersen.com, 1 +kennethlim.me, 1 +kennethsentillas.com, 1 +kennewell.tk, 1 +kennfixx.com, 1 +kennfixx.de, 1 +kennis.ga, 1 +kennisnetwerkparkeren.nl, 1 +kenny-peck.com, 1 +kenny.technology, 1 +kennychan.xyz, 1 +kennynet.co.uk, 1 +keno.im, 1 +keno.tk, 1 +kenockeetownshipmi.gov, 1 +kenokallinger.at, 1 +kenoschwalb.com, 1 +kenpobolivia.tk, 1 +kenpotalca.tk, 1 +kenrick95.org, 1 +kens.pics, 0 +kensbouncycastles.co.uk, 1 +kensewerdoctor.com, 1 +kenshingakuen.or.jp, 1 +kensho-everyday.com, 1 +kensingtonsqca.com, 1 +kentcountyde.gov, 1 +kentdalevets.co.uk, 1 +kentec.net, 0 +kenteipay.jp, 1 +kenterlis.gr, 1 +kentlove.com, 1 +kento.nl, 1 +kentradioaeromodelers.com, 1 +kentut.xyz, 1 +kenvix.com, 0 +kenw.ca, 1 +kenwood-electronics.co.uk, 1 +kenwood.de, 1 +kenwood.eu, 1 +kenx5.eu.org, 1 +kenyachildrencentres.com, 1 +kenyonleblanc.com, 1 +kenyons.info, 1 +kenzelmann.eu, 1 +kenzelmann.name, 1 +kenzie.com.br, 1 +keops-spine.fr, 1 +keos.ga, 1 +keos.tk, 1 +kep-sbt.hu, 1 +kepak.tk, 1 +kepinski.ch, 0 +kepkonyvtar.hu, 1 +kepleruniklinikum.at, 1 +keponews.com, 1 +kepoper.com, 1 +keppler.tk, 1 +kepppi.com, 1 +kepsbt.hu, 1 +keralamurals.in, 1 +keramed.ga, 1 +keramed.gq, 1 +keramikaopava.cz, 1 +kerautretvian.fr, 1 +kerb-grossauheim.de, 1 +kerb.com, 1 +kerbin.org, 1 +kercovaparty.tk, 1 +kerdry.com, 1 +kerebro.com, 1 +keridos.de, 1 +keritial.eu.org, 1 +kerkdienststream.nl, 1 +kerkeslager.com, 1 +kerkukkitapcisi.com, 1 +kerkukvakfi.org, 1 +kermadec.com, 1 +kermadec.net, 1 +kermisgeluiden.nl, 1 +kermispagina.tk, 1 +kernel-error.com, 1 +kernel-error.de, 1 +kernel-panik.me, 1 +kernel-video-sharing.com, 1 +kernel.nz, 1 +kernelone.com, 1 +kernelpanics.nl, 1 +kernelprogrammer.com, 0 +kernet.com.ar, 1 +kernkompas.nl, 1 +kerocristais.pt, 0 +kerozenn.net, 1 +kerp.se, 0 +kerpen-renovieren.de, 1 +kerrcountytx.gov, 1 +kerrnel.com, 1 +kerroscale.in, 1 +kerryconsulting.com, 1 +kerrydavisguitars.tk, 1 +kersmexico.com, 1 +kerstboomkantenklaar.nl, 1 +kerstpagina.tk, 1 +kersvers.agency, 1 +kertis.tk, 1 +kerus.net, 1 +kervive.com, 1 +kescher.at, 1 +kescher.gay, 1 +kescher.site, 1 +keschi.at, 1 +kesef.org.il, 1 +kesen.news, 1 +kesen.wang, 1 +keshankang.com, 1 +keshankang.org, 1 +keshausconsulting.com, 1 +keshav.cc, 1 +keshavnet.com, 1 +kesifasya.com, 1 +kesinidulu.com, 1 +keskikorpimotorsport.fi, 1 +keskkonnaamet.ee, 0 +keskraamatukogu.ee, 1 +kessa.com, 1 +kesse.ru, 1 +kessel-runners.com, 1 +kesselrun.goip.de, 1 +kesslerandsons.com, 1 +kesteren.org, 1 +ketamine.co.uk, 1 +ketamine.uk, 1 +ketchcdn.com, 1 +ketchikan.gov, 1 +ketemulagi.com, 1 +ketgioisu.tk, 1 +ketoanvietnam.tk, 1 +ketocanine.ca, 1 +ketoconazole.gq, 1 +ketoliv.dk, 1 +ketotadka.com, 1 +kets.ru, 1 +kett.email, 1 +kettererholmes.tk, 1 +kettinggeleider.be, 1 +kettlemetalbbq.com, 1 +kettmail.com, 1 +kettsy.com, 1 +ketty-voyance.com, 0 +ketulgpatel.tk, 1 +ketzer.tk, 1 +keukenhof.nl, 1 +keukenstudio.tk, 1 +keurigbestprice.tk, 1 +keuvelaar.nl, 1 +keuze.nl, 1 +kevansizemore.com, 1 +kevay.nl, 1 +kevchia.com, 1 +kevertje.net, 1 +kevhosting.com, 1 +kevin-darmor.eu, 1 +kevin-emo.com, 1 +kevin-neirynck.tk, 1 +kevin-ta.com, 1 +kevin.tw, 0 +kevinackford.uk, 1 +kevinapease.com, 1 +kevinaud.io, 1 +kevinbardot.alwaysdata.net, 1 +kevinbauer.ca, 1 +kevinbowers.me, 1 +kevinchang.me, 1 +kevincox.ca, 1 +kevincoynepage.tk, 1 +kevincramer.net, 1 +kevinfigueroamusic.tk, 1 +kevinfoley.org, 1 +kevinfumbles.com, 1 +kevingsky.com, 1 +kevinhill.nl, 1 +kevinhq.com, 1 +kevinji.com, 1 +kevinkla.es, 1 +kevinlocke.name, 1 +kevinloganelectrical.co.nz, 1 +kevinmathiesen.tk, 1 +kevinmeijer.nl, 1 +kevinmo.com, 0 +kevinmoreland.com, 1 +kevinmorssink.nl, 1 +kevinn.nl, 1 +kevinpirnie.com, 1 +kevinrandles.com, 0 +kevinrousseeuw.be, 1 +kevinschoenmakers.tk, 1 +kevinscolaro.com, 1 +kevinvanderperren.tk, 1 +kevinvermassen.be, 1 +kevyn.lu, 1 +kewauneeco.gov, 1 +kexingqing.com, 1 +kexino.com, 1 +key-content.com, 1 +key-tracker.de, 1 +key.sa, 1 +key1111.com, 1 +key4.com.ua, 1 +keybase.io, 1 +keyblock.ga, 1 +keyblock.gq, 1 +keyblock.tk, 1 +keyboard-monkeys.net, 1 +keybored.co, 1 +keycat.de, 1 +keycdn.com, 1 +keycdn.xyz, 1 +keycodingjohannesburg.co.za, 1 +keycontainers.co.za, 1 +keydelay.tk, 1 +keyerror.com, 1 +keyesrobot.cn, 1 +keyfortech.com, 1 +keygen.sh, 1 +keyhani.tk, 1 +keyholdingservices.co.uk, 1 +keyhomechecker.com, 1 +keyihao.cn, 1 +keyinfo.io, 1 +keykong.io, 1 +keylength.com, 1 +keymaster.lookout.com, 0 +keymicrosystems.com, 1 +keynes.id.au, 1 +keyoxide.org, 1 +keyphotojs.cf, 1 +keypoint.edu.au, 1 +keypublishing.com, 1 +keyroot.tech, 1 +keys.fedoraproject.org, 1 +keyscore.me, 1 +keyscouts.com, 1 +keyserver.sexy, 0 +keysigma.co.uk, 1 +keysix.com, 1 +keysmedspa.com, 1 +keysofart.com, 1 +keysso.net, 1 +keystoimagination.com, 1 +keystone-europe.com, 1 +keytoenergy.com, 1 +keytomyq.com, 1 +keyua.org, 1 +keyworth-meadow.tk, 1 +keyyek.com, 0 +keziah.de, 1 +kezmanweb.tk, 1 +kezrenbeeming.com, 1 +kf-slot.com, 1 +kf005.com, 0 +kf199.com, 0 +kf2525.com, 1 +kf6636.com, 1 +kf66888.com, 0 +kf6820.com, 1 +kf688.com, 1 +kf7676.com, 0 +kf88666.com, 1 +kf8954.com, 0 +kf8955.com, 0 +kf8956.com, 0 +kf8957.com, 0 +kfassessment.eu, 1 +kfbl.cc, 1 +kfc.bike, 1 +kfgleasing.pl, 1 +kfh.com, 1 +kfirba.me, 1 +kfjgyb.com, 1 +kfk.haus, 1 +kfm.ink, 0 +kfmhf.ca, 1 +kfoundation.org, 1 +kfsys.cc, 1 +kfv-kiel.de, 1 +kfvullnetari-uck.tk, 1 +kfz-hantschel.de, 1 +kfz-sachverstand.de, 1 +kfz-service-wachtmann.de, 1 +kfz.nl, 1 +kfzjeugd.nl, 1 +kg7.pl, 1 +kgdev.fr, 1 +kgk-cgc.ch, 1 +kgk.gov.tr, 1 +kgky.cc, 1 +kgm-irm.be, 1 +kgmediafactory.com, 1 +kgnk.ru, 0 +kgs-neviges.de, 1 +kgt10.ru, 1 +kgun9.com, 1 +kgunion.com, 1 +kgv-zappendorf.tk, 1 +kh.pub.sa, 1 +khab03.ru, 1 +khabar24.tk, 1 +khachhangvietnam.tk, 1 +khadishalatina.com, 1 +khakasiya.ml, 1 +khakasiya.tk, 1 +khakassia.cf, 1 +khakassia.ga, 1 +khakassia.gq, 1 +khakassia.tk, 1 +khaki.ga, 1 +khakiblossom.com, 1 +khakim.gq, 1 +khakim.tk, 1 +khaledalsabt.com, 1 +khaledkhan.ml, 1 +khaleesi.tk, 1 +khalidalnajjar.com, 1 +khalidmail.tk, 1 +khaliinfo.tk, 1 +khalti.com, 1 +khampha.vn, 0 +khanacademy.org, 1 +khanh.sh, 1 +khankandi.tk, 1 +khanovaskola.cz, 1 +khaotipthai.se, 1 +kharatinoil.ml, 1 +kharkiv.tk, 1 +kharkov.tk, 1 +khas.co.uk, 1 +khatoco.com, 1 +khayal-3d.com, 1 +khda.gov.ae, 1 +khdestiny.tk, 1 +khebranet.tk, 1 +khepri.uk, 1 +kheshtar.pl, 1 +khetzal.info, 1 +khey-tv.fr, 1 +khg-orchester.de, 1 +khimno.com, 1 +khipu.com, 1 +khm.v.ua, 1 +khmb.ru, 0 +khmerios.tk, 1 +khmerlive.cf, 1 +khmrynok.com.ua, 1 +khoasweb.tk, 1 +khodromedic.com, 1 +khojhealth.com, 1 +khonaka.com, 1 +khorne.me, 1 +khoteyev.tk, 1 +khouloud.de, 1 +khoury-dulla.ch, 0 +khouryalexandre.com, 0 +khoxuongchothuegiare.vn, 1 +khramtsov.org, 1 +khristov.com, 1 +khronos.org, 1 +khs1994.com, 1 +khslaw.com, 1 +khste-ceciliamoorsel.tk, 1 +khudothiswanpark.vn, 1 +khukhrain.tk, 1 +khusal.tk, 1 +khwezifinancialservices.co.za, 1 +khwiki.com, 1 +ki-management.ch, 1 +ki.ki, 1 +ki6rbv.com, 1 +kiacatherine.sg, 1 +kiadoapartman.hu, 1 +kiahalchemy.com, 1 +kialo-edu.com, 1 +kialo-pro.com, 1 +kialo.com, 1 +kiamehr.tk, 1 +kiano.net, 0 +kiapartsnow.com, 1 +kiapps.ovh, 1 +kiarayoga.com, 1 +kiarey.net, 1 +kiasarnews.tk, 1 +kiasystems.com, 1 +kibea.net, 1 +kibibit.net, 1 +kibickas.lt, 1 +kibizoid.tk, 1 +kibonnu.com, 1 +kichemalamut.tk, 1 +kick-in.nl, 1 +kickasscanadians.ca, 1 +kickasspoker.com, 1 +kickback-studios.com, 1 +kickedmycat.com, 1 +kickex.com, 1 +kickico.com, 1 +kickitfootball.com.au, 1 +kicksecure.com, 1 +kickshack.tk, 1 +kicktipp.at, 1 +kicktipp.ch, 1 +kicktipp.co.uk, 1 +kicktipp.com, 1 +kicktipp.com.br, 1 +kicktipp.de, 1 +kicktipp.es, 1 +kicktipp.it, 1 +kicktipp.nl, 1 +kicktipp.pl, 1 +kicktipp.pt, 1 +kickzy.nl, 1 +kicou.info, 1 +kiczeklaw.com, 1 +kiczela.eu, 1 +kidalt.tk, 1 +kidaptive.com, 1 +kidbacker.com, 1 +kidcentraltn.com, 1 +kidderminster.ac.uk, 1 +kiddies.tk, 1 +kiddieskingdom.tk, 1 +kiddocom.org, 1 +kiddoscape.eu, 1 +kiddyboom.ua, 1 +kiddyland.co.jp, 1 +kidfitseries.com.au, 1 +kidis.lt, 1 +kidisov.tk, 1 +kidm4k.com, 1 +kidnappedbyhamas.ca, 1 +kidney.ca, 1 +kidneydonation.com, 1 +kidneyst.one, 1 +kido-dc.jp, 1 +kidonng.me, 1 +kids-castles.com, 1 +kids-ok.com, 1 +kids-world.dk, 1 +kids.gov, 1 +kids2day.in, 1 +kids360pediatrics.com, 1 +kidsblock.cc, 1 +kidsclub.photos, 1 +kidsdaysout.co.uk, 1 +kidsdinefree.com, 1 +kidsdj.co.uk, 1 +kidsforsavingearth.org, 1 +kidsgoga.ga, 1 +kidsinwoods-interfacesouth.org, 1 +kidslearners.com, 1 +kidsmark.net, 1 +kidsneversleep.com, 0 +kidsontheyard.com, 1 +kidspaper.nl, 1 +kidsplace.tk, 1 +kidsplaybouncycastles.co.uk, 1 +kidstraysers.ga, 1 +kidstraysest.ga, 1 +kidswear.ml, 1 +kidswear.tk, 1 +kidswithguns.tk, 1 +kidtoyshop.ru, 1 +kidwater4ut.gov, 1 +kidz.school.nz, 1 +kidzonet.io, 1 +kidzpartiesllp.co.uk, 1 +kidzsmile.co.uk, 1 +kiebel.de, 1 +kiedys.net, 1 +kiefnersoftware.com, 1 +kiehost.tk, 1 +kiekin.org, 1 +kiekko.pro, 1 +kielux.de, 1 +kielwi.gov, 1 +kienlen.org, 1 +kientrucphunguyen.com, 1 +kienviethung.com, 1 +kieran-mcguire.uk, 1 +kieran.de, 1 +kieranjones.uk, 1 +kieranpotts.com, 1 +kieranweightman.me, 1 +kierlandgolf.com, 0 +kierweb.co.uk, 1 +kiesjeplek.nl, 1 +kiesmedia.com, 0 +kiesuwarbeidsrechtadvocaat.nl, 1 +kiesuwkerstkaart.nl, 1 +kietblog.tk, 1 +kieutruong.com, 1 +kiev-live.tk, 1 +kievanrus.tk, 1 +kievholod.in.ua, 1 +kievkiralikotel.com, 1 +kievlove.tk, 1 +kiewit.com, 1 +kiezlerovi.cz, 1 +kif.rocks, 0 +kiffmarks.com, 1 +kifid.nl, 1 +kigurumi-party.ru, 1 +kihi.news, 1 +kiinanharjakoirat.tk, 1 +kiinteistot-lidl.fi, 1 +kiiteyo.net, 1 +kijkmeaanwanneerik.com, 1 +kik-info.com, 1 +kik-textilien.sk, 1 +kik.at, 1 +kik.cz, 1 +kik.de, 1 +kik.ee, 0 +kik.es, 1 +kik.eu, 1 +kik.hr, 1 +kik.hu, 1 +kik.nl, 1 +kik.pl, 1 +kik.pt, 1 +kik.ro, 1 +kik.si, 1 +kikbb.com, 1 +kiki-voice.jp, 1 +kikikanri.biz, 1 +kikivega.net, 1 +kikki.io, 1 +kiku.pw, 1 +kilian-sommer.de, 1 +kilian.gallery, 1 +kiliansommer.de, 1 +kilianvalkhof.com, 1 +kiliflix.de, 1 +kiliframework.org, 1 +kilimstyle.com, 1 +kilkennyaccountingservices.ie, 1 +kilkimzaibu.tk, 1 +kill.trade, 1 +killallsudoers.cloud, 1 +killaraapartments.com.au, 1 +killarnee.org, 1 +killborn.tk, 1 +killdeer.com, 1 +killedbynlp.com, 1 +killeenhardware.co.uk, 1 +killenny45.hopto.org, 1 +killer-fashion.tk, 1 +killergreen.tk, 1 +killerrabb.it, 1 +killerrobots.com, 1 +killerwebsites.com.au, 1 +killharmonic.tk, 1 +killme.rocks, 1 +killmebaby.ml, 1 +killmenow.tk, 1 +killtv.me, 1 +killua-website.tk, 1 +killymoonbouncycastles.com, 1 +kilo-files.tk, 1 +kilobyte22.de, 1 +kilogram.nl, 1 +kilomberosugar.co.tz, 1 +kilometertje.nl, 1 +kiloton.tk, 1 +kilpiapp.com, 1 +kilte.tk, 1 +kim-coiffure.fr, 1 +kimai.cloud, 1 +kimama-protein.jp, 1 +kimbal.co.uk, 1 +kimballcountyne.gov, 1 +kimballwi.gov, 1 +kimballwv.gov, 1 +kimberleythomson.tk, 1 +kimberlitewaxmelts.co.uk, 1 +kimberlyal.gov, 1 +kimberlycaprice.com, 1 +kimbunlar.tk, 1 +kimdotcom.tk, 1 +kimdumaine.com, 1 +kimerald.tk, 1 +kimgirard.com, 1 +kimherala.xyz, 1 +kimicar.de, 1 +kimino-school.com, 1 +kimiris.com, 0 +kimis.gr, 1 +kimisia.net, 1 +kimitang.com, 1 +kimmel.com, 0 +kimmel.in, 0 +kimmientje.tk, 1 +kimochi.info, 1 +kimono-furuya.com, 1 +kimono-hishiya.jp, 1 +kimono-yamaguchiya.com, 1 +kimonoplatform.com, 1 +kimoo.co, 1 +kimotodental.com, 1 +kimphattai.vn, 1 +kimsesizlereumutol.tk, 1 +kimsufi-jordi.tk, 1 +kimtran.kim, 1 +kimtstore.com, 1 +kimverly.no, 1 +kimxxx.org, 1 +kin-mail.at, 1 +kin-mail.de, 1 +kin-mail.net, 1 +kinaesthetics-begleitung-zuhause.at, 1 +kinaesthetics-forschung.net, 1 +kinaesthetics-net.at, 1 +kinaesthetics-net.ch, 1 +kinaesthetics-net.de, 1 +kinaesthetics-net.eu, 1 +kinaesthetics-net.it, 1 +kinaesthetics-verein.de, 1 +kinaesthetics.at, 1 +kinaesthetics.ba, 1 +kinaesthetics.by, 1 +kinaesthetics.ch, 1 +kinaesthetics.de, 1 +kinaesthetics.dk, 1 +kinaesthetics.es, 1 +kinaesthetics.ge, 1 +kinaesthetics.hr, 1 +kinaesthetics.it, 1 +kinaesthetics.li, 1 +kinaesthetics.net, 1 +kinaesthetics.pl, 1 +kinaesthetics.ro, 1 +kinaesthetics.ru, 1 +kinaesthetik-verein.de, 1 +kinamedia.se, 1 +kinanart.com, 1 +kinanbudotenero.tk, 1 +kinandcarta.com, 1 +kinautas.com, 1 +kincai.de, 1 +kindan.net, 1 +kindapoth.com, 1 +kinde.com, 1 +kinden-giankyou.jp, 1 +kinden-kizuna.com, 1 +kinder-garten.tk, 1 +kinderarzt-berlin-zia.de, 1 +kinderarzt-traunstein.de, 1 +kinderballett-frankfurt.de, 1 +kinderbasar-luhe.de, 1 +kinderbuecher-kostenlos.de, 1 +kinderchirurgie-muenchen.de, 1 +kinderchor-bayreuth.de, 1 +kinderevents-sehnde.de, 1 +kindergarten.vic.gov.au, 1 +kinderhaus-kunterbunt-priestewitz.de, 1 +kinderhilfe-nepal-mitterfels.de, 1 +kinderjugendfreizeitverein.de, 1 +kinderkleding.news, 1 +kindermarket.bg, 1 +kindernothilfe.de, 1 +kinderopvang.gent, 1 +kinderopvangthuis.nl, 1 +kinderosteopathie-osteopathie.de, 1 +kinderpneumologie.ch, 1 +kindertagespflege-rasselbande-halle.de, 1 +kinderzorg.tk, 1 +kindesfreude.ch, 1 +kindfotografie.nl, 1 +kindle, 1 +kindler-design.ch, 1 +kindler.xyz, 1 +kindlezs.com, 1 +kindredcode.com, 1 +kindredcode.net, 1 +kindredcode.org, 1 +kindredspirits.tk, 1 +kindspace.ca, 1 +kine-duthil.fr, 1 +kinebamps.be, 1 +kinebioquimica.com, 1 +kinecenter.ec, 1 +kinecle.com, 1 +kinencoin-tv.com, 1 +kinepolis-studio.ga, 1 +kinerehabqro.com, 1 +kinescopecdn.net, 1 +kinesiologie.tk, 1 +kinesiologikerteminde.dk, 1 +kinesiologiodense.dk, 1 +kinesiologiskolen-syd.dk, 1 +kinesiologiuddannelsen.dk, 1 +kineticsdrive.com, 1 +kinetikos.com.au, 1 +kinetiq.com, 1 +kinfule.tk, 1 +king-of-the-castles.com, 1 +kingandmcgaw.com, 1 +kingant.net, 1 +kinganywhere.eu, 1 +kingautodetailing.id, 1 +kingbot.tk, 1 +kingchess.vip, 1 +kingclass.cn, 1 +kingcourriel.fr, 1 +kingdirectionaldrilling.com, 1 +kingdomcitymo.gov, 1 +kingdomcrawlers.tk, 1 +kingdominnergy.com, 1 +kingdoms.gg, 1 +kingdomshow.mx, 1 +kingedwardvii.co.uk, 1 +kingfast.cc, 1 +kingfast.eu.org, 1 +kingfin.com, 1 +kingfisherhallacademy.org.uk, 1 +kingiescastles.co.uk, 1 +kingjamesbibleonline.org, 1 +kingkongxo.com, 1 +kinglandclearing.com, 1 +kinglier.ga, 1 +kingliey.ga, 1 +kingmakers.academy, 1 +kingofshooting.com, 1 +kingofthecastlecoventry.co.uk, 1 +kingofthecastlesentertainments.co.uk, 1 +kingofthecastlesouthwales.co.uk, 1 +kingofthecastlesrhyl.co.uk, 1 +kingpay.com, 1 +kingpincages.com, 1 +kingsaft.net, 1 +kingsblueblue.com, 0 +kingsburybc.uk, 1 +kingsfoot.com, 1 +kingsfordmi.gov, 1 +kingshome.gr, 1 +kingsley.cc, 1 +kingsolomoncages.com, 1 +kingsound.tk, 1 +kingstake.network, 1 +kingston-fear.com, 1 +kingstonga.gov, 1 +kingstonma.gov, 1 +kingsvilletexas.com, 1 +kingtech8.tk, 1 +kingtreeexperts.com, 1 +kingyo-bowl.com, 1 +kini24.ru, 1 +kinison.com, 1 +kinja.com, 1 +kinjerboerebroelof.tk, 1 +kinkenonline.com, 1 +kinklist.me, 0 +kinksecrets.ga, 1 +kinkvr.com, 1 +kinky-books.com, 1 +kinkyinlaws.com, 1 +kinkyspa.com, 1 +kinnerfisch.cn, 1 +kinnettmemorial.org, 1 +kinnikinnick.com, 0 +kino-boom.tk, 1 +kino-dom.tk, 1 +kino-doma.tk, 1 +kino-room.ga, 1 +kino-zavr.tk, 1 +kinobag.tk, 1 +kinobarashka.ga, 1 +kinoblik.tk, 1 +kinocheck.com, 1 +kinocheck.de, 1 +kinodrom.kiev.ua, 1 +kinodrom.tk, 1 +kinofest.tk, 1 +kinofile.tk, 1 +kinofilmionline.tk, 1 +kinogold.tk, 1 +kinograd.tk, 1 +kinohi.tk, 1 +kinoks.fr, 1 +kinokub.tk, 1 +kinolex.ml, 1 +kinology.tk, 1 +kinomagia.cf, 1 +kinomangas.ml, 1 +kinomangas.tk, 1 +kinomaniac.tk, 1 +kinomoto.ovh, 0 +kinoplex.com.br, 1 +kinoprostor.tv, 1 +kinos.nl, 0 +kinoscope.tk, 1 +kinoserver.ml, 1 +kinosha.tk, 1 +kinoshkahd.tk, 1 +kinoshki.ga, 1 +kinovam.tk, 1 +kinovsem.ml, 1 +kinowork.tk, 1 +kinozone.tk, 1 +kinschots.eu, 1 +kinsei.jp, 1 +kinshipnd.com, 1 +kintawifi.com, 1 +kinter.media, 1 +kinto.pro, 1 +kintone.com, 1 +kintore.tv, 1 +kintsu.com.br, 1 +kintsugi-beauty.com, 0 +kintsugispace.com, 1 +kinualive.com, 1 +kinugasa.or.jp, 1 +kinvault.com, 1 +kinyued.store, 1 +kiocloud.com, 0 +kiokoman.eu.org, 0 +kiomara.com, 1 +kiomoda.com, 1 +kionetworks.com, 0 +kionetworks.es, 1 +kioskcomedy.org, 1 +kiosque-famille.net, 1 +kiosquefamille.fr, 1 +kiot.eu, 1 +kiousis.me, 1 +kiow.com, 1 +kip-ribbetjes-bestellen.be, 1 +kipa.at, 1 +kiparchive.org, 1 +kipcrepair.com, 1 +kipi.si, 1 +kipiradio.com, 1 +kiplelive.com, 1 +kippenbart.gq, 1 +kipriakipita.gr, 1 +kiprinform.com, 1 +kiprotect.com, 1 +kiprusoffsummers.tk, 1 +kiraboshi.xyz, 1 +kiragameforum.net, 1 +kirahvi.me, 1 +kirainmoe.com, 1 +kirakorosi.tk, 1 +kiraku.co, 1 +kiralikjeneratorankara.tk, 1 +kirana.studio, 1 +kiraqueen.net, 1 +kirarie-kusatsu.com, 1 +kirbear.com, 1 +kirbyvt.gov, 1 +kirche-bamberg.de, 1 +kirchen-im-web.de, 0 +kirchenchor-oedsbach.de, 1 +kirchenchor-olzheim.de, 1 +kirchengemeinde-markt-erlbach.de, 1 +kirchner.social, 1 +kircp.com, 1 +kirei.se, 1 +kiret.tk, 1 +kirgistan.tk, 1 +kiriani.me, 1 +kirie-photos.tk, 1 +kirikira.moe, 1 +kirill.ws, 1 +kirillaristov.com, 1 +kirina.nl, 1 +kirinas.com, 1 +kirka.ga, 1 +kirkae.com, 1 +kirkforcongress.com, 1 +kirkforsenate.com, 1 +kirkify.com, 1 +kirkintillochbc.co.uk, 1 +kirkkonummenavhkerho.net, 1 +kirkovsky.com, 1 +kirkwood-smith.com, 1 +kirkwoodfencing.com, 1 +kirkwoodoutdoors.com, 1 +kirmizipill.com, 1 +kiropraktoristockholm.se, 1 +kirov.ml, 1 +kirovcity.tk, 1 +kirovgrad.tk, 1 +kirrie.pe.kr, 1 +kirs.is, 1 +kirsch-gestaltung.de, 1 +kirschbaum.cloud, 1 +kirsehir.tk, 1 +kirsehirhaber.tk, 1 +kirstenbos.ca, 1 +kirstengillibrand.com, 1 +kirstycouture.co.uk, 1 +kirstygreenwoodartist.ga, 1 +kirus.de, 1 +kirwandigital.com, 1 +kisakazan.ml, 1 +kisallatorvos.hu, 1 +kisaragi.fund, 1 +kisaragi.works, 1 +kisaragihayato.com, 1 +kisbridgingloans.co.uk, 1 +kiseimarriage.com, 1 +kisel.org, 1 +kish-takhfif.com, 1 +kishcar.co, 1 +kishenya.ua, 1 +kisiselveri.com, 1 +kiskeedeesailing.com, 1 +kislovodsk-zamok.tk, 1 +kisma.de, 1 +kismy.ga, 1 +kismy.tk, 1 +kismyder.tk, 1 +kissanime.moe, 1 +kisser.name, 1 +kissesb.net, 1 +kissgyms.com, 1 +kissima-gakou.ml, 1 +kissimmee.gov, 1 +kissmateszabolcs.hu, 1 +kissmycreative.com, 1 +kissoft.ro, 1 +kisspeptin.com, 1 +kistenmacher.net, 1 +kistipro.tk, 1 +kisulki.tk, 1 +kisumuterraceapartments.tk, 1 +kisvasut.tk, 1 +kita-bicibici.de, 1 +kita-freie-schule.de, 1 +kita-mfg.com, 1 +kita-nimmersatt-bundorf.de, 1 +kita-sun.com, 1 +kita.moe, 1 +kitabgaul.com, 0 +kitabnamabayi.com, 1 +kitacoffee.com, 1 +kitagawa-internal-medicine-clinic.com, 1 +kitaharima-ikiiki.com, 1 +kitchen-design.cf, 1 +kitchen-design.tk, 1 +kitchenguides.org, 1 +kitchenkettle.com, 1 +kitchenlove.tk, 1 +kitchenpad.biz, 1 +kitchenpad.co.uk, 1 +kitchenpad.info, 1 +kitchenpad.net, 1 +kitchenpad.org, 1 +kitchenpad.us, 1 +kitchenpadtimer.com, 1 +kitchenvile.com, 1 +kitchenware.ml, 1 +kitchenware.tk, 1 +kitchenwarehouseltd.com, 1 +kitchenwarestore.xyz, 1 +kitchfurnit.tk, 1 +kitconcept.com, 1 +kitconcept.de, 1 +kitdealoevera.com, 1 +kite-surf.tk, 1 +kite-surfen.tk, 1 +kiteboard-selbstbau.tk, 1 +kitebowl.ru, 1 +kitenation.com, 1 +kiteschoolamsterdam.nl, 1 +kiteschooledam.nl, 1 +kiteschoolnoordwijk.nl, 1 +kiteschoolofkenpo.co.uk, 1 +kitesurfen.tk, 1 +kitevalley.tk, 1 +kitgratos.tk, 1 +kitke.de, 1 +kitkit.cf, 1 +kitkit.tk, 1 +kitpara.shop, 1 +kits-graphiques-shop.tk, 1 +kits-graphiques.tk, 1 +kitsap.gov, 1 +kitscan.com, 1 +kitseliit.ee, 1 +kitspersonal.tk, 1 +kitsplumbingandheating.com, 1 +kitsquid.de, 1 +kitsuna.eu, 1 +kitta.tk, 1 +kittatinny5.org, 1 +kitten-advice-forum.cf, 1 +kittenexchangeers.ga, 1 +kittenexchangeest.ga, 1 +kittentoob.com, 1 +kittitascounty.gov, 1 +kittleapps.com, 1 +kittmedia.com, 0 +kittnerbg.com, 1 +kittpress.com, 0 +kitty-core.org, 1 +kittyblair.org, 1 +kittygalore.nl, 1 +kittyhacker101.tk, 0 +kittyknickers.com.au, 1 +kittymagician.com, 0 +kittypryde.tk, 1 +kittystar.com, 1 +kittywilder.com, 1 +kivacontainer.com, 1 +kivitelezesbiztositas.hu, 1 +kivitv.com, 1 +kiwee.eu, 1 +kiweeagentur.de, 1 +kiwi.com, 1 +kiwi.global, 1 +kiwi.ki, 1 +kiwibird.tokyo, 1 +kiwicoworking.com, 1 +kiwideo.ro, 1 +kiwiflowershop.com.ua, 1 +kiwilove.es, 1 +kiwing.ddns.net, 1 +kiwipayment.com, 1 +kiwipedia.sk, 1 +kiwiplace.com, 0 +kiwisouvenirs.com, 1 +kiwitastic.com, 1 +kiwiz.co.uk, 1 +kix.moe, 1 +kizetroniko.tk, 1 +kizkulesi.tk, 1 +kizomba.info, 1 +kiztarafi.net, 1 +kizunaai.eu.org, 1 +kizzedbykelz.com, 1 +kizzycode.de, 1 +kj1396.net, 1 +kjaer.io, 1 +kjall.me, 1 +kjarni.cc, 1 +kjarrval.is, 1 +kjccradio.tk, 1 +kjcdaily.xyz, 1 +kjchernov.info, 1 +kjellner.com, 1 +kjellvn.net, 1 +kjfaudio.com, 1 +kjg-dossenheim.org, 1 +kjkesklinna.edu.ee, 1 +kjkmail.de, 1 +kjmedia.dk, 1 +kjnotes.com, 1 +kjrh.com, 1 +kjv.fan, 1 +kk-bs.de, 1 +kk-gruppe.net, 1 +kk.gt, 1 +kk.in.th, 1 +kk.sb, 0 +kk5197.co, 1 +kk575757.com, 1 +kk6729.co, 1 +kk6729.com, 0 +kk6957.co, 1 +kk9297.co, 1 +kk9721.com, 1 +kk9728.co, 1 +kka.vc, 1 +kkangeli.tk, 1 +kkaramela.eu, 1 +kkc.com, 1 +kkcinemas.in, 1 +kkcomcon.com, 1 +kkdesignsco.com, 1 +kke8tt.top, 1 +kkforwarding.com, 1 +kkgn.nl, 1 +kki.org, 1 +kkiskra.tk, 1 +kkk0011.com, 0 +kkk101.com, 0 +kkk102.com, 0 +kkk104.com, 0 +kkk106.com, 0 +kkk109.com, 0 +kkk201.com, 0 +kkk202.com, 0 +kkk203.com, 0 +kkk204.com, 0 +kkk208.com, 0 +kkk209.com, 0 +kkkkk.click, 1 +kklb.de, 1 +kknapredak-rubin.tk, 1 +kkpig.cn, 0 +kkpp.ga, 1 +kkr-bridal.net, 1 +kkren.me, 0 +kks.ch, 1 +kksg-sulzbach.de, 1 +kksg.com, 0 +kksshop.com, 1 +kkws.co, 1 +kkyy.me, 1 +kkzxak47.com, 1 +kl008888.com, 1 +klaasvantornout.tk, 1 +klabnik.cz, 1 +klabnikova.cz, 1 +klacki.de, 1 +klackingtownshipmi.gov, 1 +klad.tk, 1 +kladionice.tv, 1 +kladson.com, 1 +kladzdor.ga, 1 +kladzdor.tk, 1 +klamathrestoration.gov, 1 +klamathtribalhealth.gov, 1 +klanggut.at, 1 +klankenkast.nl, 1 +klanklichaam.be, 1 +klapib.ee, 1 +klapsinakis.gr, 1 +klapty.com, 1 +klares-licht.de, 1 +klarheit.at, 1 +klarika.com, 1 +klarmobil-empfehlen.de, 1 +klart.se, 1 +klaspas.be, 1 +klassen.tk, 1 +klassenfahrt-tirol.at, 1 +klassiekballet.tk, 1 +klassika.cf, 1 +klassika.tk, 1 +klatschreime.de, 1 +klaudialeszczynska.pl, 1 +klauke-enterprises.com, 0 +klaukegear.eu, 1 +klaus-pforte.de, 1 +klausapp.com, 0 +klausbrinch.dk, 1 +klausen.dk, 1 +klausfischer.info, 1 +klausfoerster.tk, 1 +klauspforte.de, 1 +klauswissmann.com, 1 +klautshop.com, 1 +klavarog.tk, 1 +klaver.it, 1 +klaverjassen.tk, 1 +klavierhaus-klavins.de, 1 +klavierwunsch.de, 1 +klaviskripta.com, 1 +klaxon.ml, 1 +klaymemez.com, 1 +kle.cz, 1 +klea.tk, 1 +kleaning.by, 1 +kleebauerhof.com, 1 +kleen.tk, 1 +kleenkraftservices.com, 1 +kleidertauschpartys.de, 1 +kleim.fr, 1 +kleinblogje.nl, 0 +kleine-dingen.nl, 1 +kleine-strandburg-heringsdorf.de, 0 +kleine-strandburg.com, 0 +kleine-strolche-lich.de, 1 +kleine-viecherei.de, 1 +kleineanfragen.de, 1 +kleineserver.nl, 1 +kleinestrandburg-heringsdorf.de, 0 +kleinestrandburg-usedom.de, 0 +kleinfein.co, 1 +kleinhamilton.co.uk, 1 +kleinhaneveld.tk, 1 +kleinhapl.com, 1 +kleinhelena.dynv6.net, 1 +kleinreich.de, 1 +kleins-hutorok.de, 1 +kleinserienproduktion.com, 1 +kleinsys.com, 1 +kleintransporte.net, 0 +kleinwenner.eu, 1 +kleise.gr, 1 +kleki.com, 1 +klementijgerta.tk, 1 +klemkow.net, 1 +klemkow.org, 1 +klempin.co.uk, 1 +klempin.me, 1 +klempin.net, 1 +klempin.org, 1 +klempin.se, 1 +klempin.uk, 1 +klen.ua, 1 +klenc.eu, 1 +kleor.com, 1 +kleteckova.cz, 1 +kletsenenproeven.nl, 1 +kletskoek.com, 1 +kleurbkennen.nl, 1 +kleuro.nl, 1 +klev.tk, 1 +klever.com.mk, 1 +kleverltd.ru, 1 +kli.is, 1 +klickinvite.com, 1 +klickstdu.com, 1 +kliemann.me, 1 +klik3.nl, 0 +klikacc.com, 0 +klikarnia.pl, 1 +kliki.tk, 1 +klikket.dk, 1 +kliklinks.tk, 1 +klikmanga.id, 1 +klikmarket.tk, 1 +klikweb.id, 1 +klima.com, 1 +klimaanlage-fehler.net, 1 +klimaatkids.be, 1 +klimaatstad.gent, 1 +klimacamp-sterkraderwald.de, 1 +klimafakten.de, 1 +klimakamp.nu, 1 +klimakomplekt.com, 1 +klimalaan.no, 1 +klimalan.no, 1 +klimaloven.no, 1 +klimapartner.de, 0 +klimapartner.net, 1 +klimaplattform-milch.de, 1 +klimatt.com, 1 +klimchuk.by, 0 +klimeck.com, 1 +klinesignals.com, 1 +klingeletest.de, 1 +klingenundmesser.com, 1 +klinik-fuer-aesthetische-zahnheilkunde.de, 1 +klinikac.co.id, 0 +klinikasoyuz.ru, 1 +klinikatlantis.com, 1 +klinikum-oberberg.de, 1 +klinikum-oldenburg.de, 1 +klinkenberg.ws, 1 +klinkenbergschoenen.nl, 1 +klinkersnab.ru, 1 +klinknetz.de, 1 +klinkov.tk, 1 +klinlab.cz, 1 +klipa.tk, 1 +klishyn.com, 1 +klitmoeller.de, 1 +klitmoeller.dk, 1 +klitoris.com.tr, 1 +kliu.io, 0 +klj-beveren.tk, 1 +klj-kruibeke.tk, 1 +klj-walshoutem.tk, 1 +kll.li, 1 +klm-huisjes.nl, 1 +klmgewinnspiel.de, 1 +klmhouses.com, 1 +klocast.com, 1 +klocksnack.se, 0 +kloclabs.com, 1 +klogeschichten.net, 1 +kloia.com, 1 +klokhuis.nl, 1 +klokkenluidersvg.nl, 1 +kloop.kg, 1 +klop.info, 1 +klose.family, 1 +klosko.net, 1 +kloudstack.me, 0 +klover-avantages.fr, 1 +klover-cse.fr, 1 +kloza.tk, 1 +kls-desk.com, 1 +kls-platform.com, 1 +klssn.com, 1 +klu.io, 1 +klub-zajmov.ga, 1 +klub.tk, 1 +klubcajovna.cz, 1 +kluberphoto.hu, 1 +klubfitness.pl, 1 +klubgerlach.sk, 1 +klubwsl.tk, 1 +kluck.me, 1 +kludge.eu, 1 +klugemedia.de, 1 +klumba.org, 1 +klusbedrijfdupau.nl, 1 +klushka.cf, 1 +klushnikova.tk, 1 +klustermedia.com, 1 +klusweb-merenwijk.nl, 1 +klutchcard.com, 1 +klute.spdns.de, 1 +kluzza.nl, 1 +klva.cz, 1 +km8.co, 1 +kma.ua, 1 +kmap-state-ks.us, 1 +kmartgifted.com.au, 1 +kmb-chat.de, 1 +kmch.com, 1 +kmdarkmaster.tk, 1 +kmdevelop.com, 1 +kmecnc.com, 1 +kmeditour.net, 1 +kmhesaplama.com, 1 +kmk.hu, 1 +kmkz.jp, 1 +kmoes.ch, 1 +kmov.cc, 1 +kmpropertyfunds.com, 1 +kmpropertyfunds.com.au, 1 +kmrgroup.com, 1 +kmsk.tk, 1 +kmsm.com.au, 1 +kmzs123.cn, 1 +kn007.net, 1 +kn40la.com, 1 +kn4ivj.com, 1 +kn4ola.com, 1 +kn6olc.org, 1 +knabden.co.za, 1 +knabstrup-autoophug.dk, 1 +knallfrosch.ddnss.de, 1 +knapenzutendaal.tk, 1 +knapp.noip.me, 1 +knapp.pro, 1 +knapp.servehttp.com, 1 +knarcraft.net, 1 +knarkkorven.tk, 1 +knarzkopf.de, 1 +knashaug.com, 1 +knauf.com, 1 +knautiluz.net, 0 +knbbw-frnab.tk, 1 +knblog.jp, 1 +kncg.pw, 1 +kndrd.io, 1 +kneblesauto.com, 1 +knecht.ca, 1 +knechtology.com, 1 +kneerux.de, 1 +kneginec.hr, 1 +knegten-agilis.com, 1 +kneli.co.il, 1 +knep.me, 0 +kneppe.me, 1 +knetterbak.nl, 1 +kngk-transavto.ru, 1 +kngkng.com, 1 +knhchula.com, 1 +kniga-ru.tk, 1 +kniga.market, 0 +knigareceptov.cf, 1 +knigareceptov.tk, 1 +knighki-knighki.ml, 1 +knighkidoma.tk, 1 +knightsblog.de, 1 +knightsbridge.net, 1 +knightsfs.ie, 1 +knightsweep.com, 0 +knighulki.cf, 1 +knigi-free.cf, 1 +knigi-market.ml, 1 +knigi-na-dom.cf, 1 +knigi-zdes.gq, 1 +knigifast.ga, 1 +knigiunass.tk, 1 +knihovnajablonne.cz, 1 +knirps.com, 1 +knirps.de, 1 +knirps.fr, 1 +knirps.nl, 1 +knispelonline.de, 1 +knitfarious.com, 1 +knitted-hats.tk, 1 +knitted-things.tk, 1 +knitting-lace.tk, 1 +knitting.cz, 1 +knittingmallers.ga, 1 +knittingmallest.ga, 1 +knittingstory.cf, 1 +knivesandblades.co.uk, 1 +kniwweler.com, 1 +knize.tech, 1 +knizhniy.com, 1 +knjazevac.tk, 1 +knjizevic.at, 0 +knkv.nl, 1 +knmv.nl, 1 +knnet.ch, 1 +knoffyoga.com, 1 +knop.info, 0 +knorrnet.de, 1 +knotenpunkt-nbg.de, 1 +knottcountyky.gov, 1 +know.cf, 1 +know2protect.gov, 1 +knowbook.org, 1 +knowledge-base.info, 0 +knowledgeforce.com, 1 +knowledgehook.com, 1 +knowledgematters.com, 1 +knowledgesuccess.org, 1 +knowlevillagecc.co.uk, 1 +knowmoreplatform.com, 1 +knownsec.cf, 1 +knowrentalsers.ga, 1 +knowrentalsest.ga, 1 +knowthebus.cf, 1 +knowthebus.ga, 1 +knowthebus.gq, 1 +knowuproxy.com, 1 +knowyourday.ai, 1 +knowyourteam.com, 1 +knoxcountyil.gov, 1 +knoxcountyne.gov, 1 +knoxcountytn.gov, 1 +knoxvilleautosalesers.ga, 1 +knoxvilleautosalesest.ga, 1 +knoxvilleimplants.com, 1 +knoxvilletnpolice.gov, 1 +knrt.de, 1 +knrt.eu, 1 +knsrv.ml, 1 +knthost.com, 0 +kntt.lt, 1 +kntxt7.de, 0 +knuckles.tk, 1 +knulla.me, 1 +knulle.me, 1 +knurps.de, 1 +knuterikskare.no, 1 +knuthildebrandt.de, 0 +knuwiki.tk, 1 +knxstore.cz, 1 +knyawningrenovation.com, 1 +knygos.lt, 1 +knzb.nl, 1 +ko80.com, 1 +koaa.com, 1 +koala-pension.de, 1 +koala.one, 0 +koalapress.fr, 0 +koalarong.com, 1 +koalas.org, 1 +koanga.com.au, 1 +koba.jp, 1 +kobalux.com, 1 +kobb.tk, 1 +kobejet.com, 1 +koberl.com, 1 +kobet.tk, 1 +kobezda.net, 1 +kobieta.guru, 1 +kobietydokodu.pl, 1 +kobikian.com, 1 +kobil.com, 1 +kobly.com, 1 +kobofarm.com, 1 +koboldcraft.ch, 1 +koboldmalade.fr, 1 +kobovec.tk, 1 +kobrin.tk, 1 +kobtsev.tk, 1 +kobudo49.fr, 1 +koc.hu, 1 +kocaelihaber.tk, 1 +kocaeliyiseyret.com, 1 +koccoo.ga, 1 +koch-wro.pl, 1 +koch.com.au, 1 +kochadaiyaan.tk, 1 +kochbar.de, 1 +kochcommunity.com, 1 +kochdigital.dk, 1 +kocherev.org, 1 +kochereva.com, 1 +kocheshkov.cf, 1 +kochhar.net, 1 +kochi-death.ml, 1 +kochinke.com, 1 +kochinke.us, 1 +kochrezepte.tk, 1 +kochura.tk, 1 +kocka.cf, 1 +kockanakocko.si, 1 +kocovi.cz, 0 +kod13.com, 1 +kod5.com, 1 +kodak-ism.com, 1 +kodama-dorayaki.co.jp, 1 +kodambroker.com, 1 +kodar.tk, 1 +kodden.com.br, 1 +kode-it.de, 1 +kode.ch, 0 +kodeholic.me, 1 +kodes.com.tr, 1 +kodexplorer.ml, 1 +kodifirestick.info, 1 +kodify.net, 1 +kodigo.me, 1 +kodineuerleben.eu, 1 +kodioso.com, 1 +kodkollen.com, 1 +kodkollen.se, 1 +kodnistudio.com, 1 +koe.dk, 1 +koe.hn, 1 +koe.kr, 0 +koebbes.de, 1 +koeeusa.org, 1 +koef.nl, 1 +koehlhoff.de, 1 +koehn-consulting.com, 1 +koehn.com, 1 +koelbli.ch, 1 +koeldezomerdoor.nl, 1 +koelnerkarneval.de, 1 +koelnmafia.de, 1 +koelschs.de, 1 +koenberkhout.nl, 1 +koenig-pflueger.de, 1 +koenigsbrunner-tafel.de, 1 +koenleemans.nl, 1 +koenrh.com, 1 +koenrh.net, 1 +koenrh.nl, 1 +koenzk.nl, 1 +koerperkult.ch, 1 +koertner-muth.com, 1 +koertner-muth.de, 1 +koethen-markt.de, 1 +koetjesenkanker.nl, 1 +koez-mangal.ch, 1 +koffie-enzo.com, 1 +koffiekoeken.tk, 1 +koffiekompaan.nl, 1 +koffiezine.nl, 1 +kofler.info, 1 +kogak.ninja, 1 +kogax.com, 0 +kogi.fr, 1 +kogotok.gq, 1 +kogotok.ml, 1 +kogudesi.com, 1 +kohaku.love, 1 +kohama-obgy.jp, 1 +kohana.fi, 1 +kohlchan.net, 1 +kohlchan.top, 1 +kohlmajer.de, 1 +kohlpharma.com, 1 +kohparadise.com, 1 +koi-lexikon.de, 1 +koidulag.edu.ee, 1 +koifish.org, 1 +koing.de, 1 +koirala.email, 1 +koiro.fi, 1 +koishi.pro, 1 +koj.co, 1 +koji-tsujitani.net, 1 +kojiishikawa.com, 1 +kojipkgs.fedoraproject.org, 1 +koka-shop.de, 1 +kokakiwi.net, 1 +kokankart.com, 1 +koketteriet.se, 1 +kokk.loan, 1 +koko.news, 1 +kokoiroworks.com, 1 +kokomo.com.au, 1 +kokomoislandfiji.com, 1 +kokomoprivateisland.com, 1 +kokomoresorts.com, 1 +kokona.ch, 1 +kokona.link, 1 +kokoroheart.cf, 1 +kokoronomori.jp, 1 +kokos.pl, 1 +kokteili.tk, 1 +koktelparty.tk, 1 +kokumoto.com, 1 +kokuryu.ch, 1 +kokuyocamlin.com, 1 +kokwatersport.nl, 1 +kokyu-caba.com, 1 +kol7sry.news, 1 +kolabtree.com, 1 +kolaci.tech, 1 +kolaczek.cz, 1 +koladeogunleye.com, 1 +kolakamal.tk, 1 +kolania.com, 1 +kolania.de, 1 +kolania.net, 1 +kolaprestaurant.com, 0 +kolas.in, 1 +kolbeck.tk, 1 +kolbeinsson.se, 1 +kolcsey.eu, 1 +kolfan.tk, 1 +kolhozik.ml, 1 +kolibri.dk, 1 +kolibrikapp.com, 1 +kolibrisolutions.nl, 1 +kolin.org, 1 +kolizaskrap.bg, 1 +kolja-engelmann.de, 1 +kolkataflowermall.com, 1 +kolkatamatrimandir.tk, 1 +kolkinn.no, 1 +kollandsrud.tk, 1 +kollawat.me, 1 +kollega.it, 1 +kollegamenti.it, 1 +kollner.com, 1 +kollross.io, 1 +kolmann.at, 1 +kolmann.eu, 1 +kolmeya.com.br, 1 +kolodec-pod-kluch.ru, 1 +kolonie-am-stadtpark.de, 1 +kolonie.turystyka.pl, 1 +kolorado.tk, 1 +koloradskij-zhuk.tk, 1 +kolorkids.pt, 1 +kolorwell.tk, 1 +kolotsainaskoto.tk, 1 +kolpingsfamilie-vechta-maria-frieden.de, 1 +kolrami.com, 1 +kolsandpeers.com, 1 +koltozzbe.hu, 1 +kolue.com, 1 +koluke.co, 1 +koluke.com, 1 +kolukylaselts.ee, 1 +kolyapetrov.tk, 1 +kom.pe, 1 +komalgandhi.tk, 1 +komall.net, 1 +komarex.pl, 1 +komarh.tk, 1 +komasan.net, 1 +komatsuforklift.com, 1 +kombikredit.de, 1 +komehyo.co.jp, 1 +komelin.com, 0 +kometia.com, 1 +komfort-doma.by, 1 +komfort.kh.ua, 1 +komichcapital.com, 1 +komicloud.com, 1 +komidoc.com, 1 +komikstation.co, 1 +kominfo.go.id, 0 +kominki-sauny.pl, 1 +komintek.ru, 1 +komintern43.tk, 1 +komischkeszeug.de, 1 +komitur.tk, 1 +komlangs.nl, 1 +kommaer.dk, 1 +komment.ml, 1 +kommerciya.cf, 1 +kommerciya.ml, 1 +kommotiv.nl, 0 +kommunalkredit.de, 1 +kommunermeddnssec.se, 1 +kommunermedipv6.se, 1 +kommunikation-czw.de, 1 +kommunistienliitto.tk, 1 +kommx.de, 1 +komodolabs.com, 1 +komoju.com, 1 +komok.co.uk, 1 +komoraoze.cz, 1 +komornikmroczek.pl, 1 +komp-plus.tk, 1 +komp247.pl, 1 +kompanen.nl, 1 +kompaniya-vasya.tk, 1 +kompetenzkurs.de, 1 +kompiwin.com, 1 +komplekt.gq, 1 +komplet.sk, 1 +komplexlysimple.com, 0 +kompliant.nu, 1 +kompotik.tk, 1 +komputer-net.tk, 1 +komsija.tk, 1 +komsomolka.works, 1 +komun.me, 1 +kon-sil.de, 1 +kon.cat, 1 +konaki.net, 1 +konata.tech, 1 +konbantsan.com.tr, 1 +koncertbooking.com, 1 +koncertit.com, 1 +koncertomania.pl, 1 +kondakov.link, 1 +kondakovgorin.us, 1 +kondakovvg.com, 1 +kondi-flex.biz, 1 +kondi-flex.de, 1 +kondi-flex.net, 1 +kondi-flex.org, 1 +kondi-save.biz, 1 +kondi-save.de, 1 +kondiflex.de, 1 +kondiflex.eu, 1 +kondisave.biz, 1 +kondo-kougei.co.jp, 1 +konducars.nl, 1 +konectbus.co.uk, 1 +konetsu.tk, 1 +konf.ga, 1 +konfekcjonowanie.com, 1 +konference.tech, 1 +konfiskator.online, 1 +konflikthaus.de, 1 +konfliktklaerer.de, 1 +konfrontation.tk, 1 +kong.ink, 1 +kongar.org, 1 +kongjie.cf, 1 +kongjie.ml, 1 +kongress-hostessen.de, 1 +koniecfica.sk, 0 +konijnen-knaagdieren.tk, 1 +koningerik.nl, 1 +konings.it, 0 +koningsdag-arnhem.nl, 1 +koningslust.tk, 1 +koninkrijk.net, 1 +konjunktion.tk, 1 +konkai.store, 1 +konkanitv.ga, 1 +konkasidiaris.com, 1 +konklone.com, 1 +konkurs.ba, 1 +konnai.jp, 1 +konnex-it.de, 1 +konnitanaka.com, 1 +konoex.com, 1 +konoka.top, 1 +kononenko.ml, 1 +konopizza.at, 1 +konpyuta.nl, 1 +konser.co.uk, 1 +konsertoversikt.no, 1 +konservy.tk, 1 +konskowola.info.pl, 1 +konsol.pro, 1 +konst.se, 1 +konstanz.tk, 1 +konstitucia.com, 1 +konstructdigital.com, 1 +konsul.ga, 1 +konsul.tk, 1 +konsultacii-buhgaltera.ga, 1 +konsultaciya-astrologa.cf, 1 +konsultaciya-astrologa.ga, 1 +konsultaciya-astrologa.gq, 1 +konsultaciya-astrologa.ml, 1 +konsultaciya-astrologa.tk, 1 +konsultacje-elektryczne.pl, 1 +konsultation.nu, 1 +konsultermedipv6.se, 1 +konta-swiss.ch, 1 +kontabilitet.tk, 1 +kontaxis.org, 1 +kontenido.net, 1 +kontent.ai, 1 +kontikifinance.com, 0 +kontikiindustries.tk, 1 +kontist.com, 1 +kontorhaus-stralsund.de, 1 +kontracrew.tk, 1 +kontrapolis.info, 1 +kontrastonline.tk, 1 +kontrolapovinnosti.cz, 1 +kontur-buh.ru, 1 +kontur.tk, 1 +konturalco.ru, 1 +konus.tk, 1 +konventa.net, 1 +konwerter-online.pl, 1 +konyadireksiyonservisi.com, 1 +konyadireksiyontamiri.com, 1 +konyahaber.tk, 1 +konyalian.com, 1 +konyhaelektronika.hu, 1 +konzaross.tk, 1 +konzepttreu.de, 1 +konzertheld.de, 1 +kood13.com, 1 +koodaklife.com, 1 +koodimasin.ee, 1 +koodimasin.eu, 1 +kooer.org, 1 +koof.win, 1 +kooibeds.com, 0 +kooky.org, 1 +koolauwomenshealthcare.com, 1 +koole.eu, 1 +kooli.ee, 1 +koolikatsed.ee, 1 +koolisw.tk, 1 +koolitee.ee, 1 +kooliveeb.ee, 1 +koolkool.tk, 1 +koomaldreaming.com.au, 0 +kooner.io, 1 +koood13.com, 1 +koopdomeinnaam.nl, 1 +koophost.nl, 1 +kooplokaal.gent, 1 +koopmansamenwerking.nl, 1 +koopraoulu.ddns.net, 1 +koora-lives.tv, 1 +kooranaps.wa.edu.au, 1 +kooratalk.ga, 1 +koot.nl, 1 +koowde.nl, 1 +kooxdiving.com, 1 +koozal.de, 1 +kopany.tk, 1 +kopatych.tk, 1 +kopecode.com, 1 +kopeechka.ml, 1 +koperry.com, 1 +kopeyka.cf, 1 +kopfgeld.tk, 1 +kopfkrieg.org, 0 +kopfsalat.eu, 0 +kopfschaschlik.de, 1 +kopieid.be, 1 +kopijosari.com, 1 +kopipasta.cf, 1 +kopisee.tk, 1 +kopitekno.com, 1 +kopjethee.nl, 0 +koplancpa.com, 1 +koplax-online.com, 1 +koppbilling.com, 1 +koppelvlak.net, 1 +kopretka.cz, 1 +koproskylos.gr, 1 +kopsinc.com, 1 +koptev.ru, 1 +kopteva.ru, 1 +kopular.com, 1 +kopyandsonslandscaping.com, 1 +kopykatz.org, 0 +kor.ovh, 1 +kor1xbet.com, 1 +kora-go.tk, 1 +korabi.tk, 1 +korablino.tk, 1 +korancode.tk, 1 +koranseruya.com, 1 +korbel-loziska.cz, 1 +korben.info, 1 +kordamed.ee, 1 +kordamentha.com, 1 +kordamentha.com.au, 1 +kordut.tk, 1 +korea-1xbet.com, 1 +korea-dpr.org, 1 +korea-onlinecasino.com, 1 +korea1x-bet.com, 1 +koreabestood.ga, 1 +koreaboo.com, 1 +koreanfashion.tk, 1 +koreanhouse.tk, 1 +koreankiosk.ru, 1 +koreanland.ml, 1 +koreanpearls.tk, 1 +koreanrandom.com, 1 +koreanrandom.ru, 1 +koreantextil.com.br, 1 +koreanure.tk, 1 +koreashop24.com, 1 +koredia.com, 1 +koreisai.tech, 1 +koresageart.com, 1 +korespondent.tk, 1 +koretech.nl, 1 +korfbal.nl, 1 +korfballeague.nl, 1 +korfezemlak.com, 1 +korhonen.cc, 1 +korhonen.social, 1 +korikart.com, 1 +korikart.net, 1 +korjoin.com, 1 +korkortet.tk, 1 +korkortonline.se, 1 +korn-klan.tk, 1 +korofilms.com, 1 +koroleva.ml, 1 +korolevstvo-movie.ml, 1 +koroli.tk, 1 +korona-m.bg, 1 +korona-m.eu, 1 +korona-serial.net, 1 +koroshkabir.tk, 1 +korrelzout.nl, 1 +korsordsvar.com, 1 +korst.tk, 1 +korstanjebouw.nl, 1 +korstanjetimmerwerken.nl, 1 +kortarsmagyarfesto.tk, 1 +kortgebyr.dk, 1 +korund.tk, 1 +kos4all.com, 1 +kos9078.com, 1 +kosaki.moe, 1 +kosara.bg, 1 +koscielniak-nieruchomosci.pl, 1 +kose.edu.ee, 1 +koseven.ga, 1 +kosgebkredisi.com, 1 +koshakovo.ga, 1 +koshaq.net, 1 +koshechka.tk, 1 +koshercutleryers.ga, 1 +koshercutleryest.ga, 1 +koshereducationers.ga, 1 +koshereducationest.ga, 1 +kosherfoodreviews.com, 1 +kosherjava.com, 1 +kosherlunchers.ga, 1 +kosherlunchest.ga, 1 +koshkonongwi.gov, 1 +koshturada.by, 1 +koshvolt.com, 1 +kosinc.org, 1 +kosmetykifm.pl, 1 +kosmiq-it.com, 1 +kosmonavt.tk, 1 +kosmopoisk-orel.tk, 1 +kosmoprolet.tk, 1 +kosmosfestival.tk, 1 +kosmosjournal.org, 1 +kosmosol.it, 1 +kosmosradio.tk, 1 +koso.me, 1 +kosovitolinks.tk, 1 +kosovo.gq, 1 +kost-magazin.de, 1 +kostarikanamiru.cz, 1 +kostavro.eu, 1 +kostecka.org, 1 +kostecki.com, 1 +kostecki.org, 1 +kostecki.tel, 1 +kostenloses-forum.tk, 1 +kosterenpartners.com, 1 +kostlyn.com, 1 +kostroma-city.tk, 1 +kostroma.cf, 1 +kostroma.gq, 1 +kostroma.ml, 1 +kostroma.tk, 1 +kostube.tk, 1 +kostya.ws, 1 +kostyumi.tk, 1 +kosupayoi.com, 1 +kosuzu.moe, 1 +koszmetics.com, 1 +kotaartsklan.com, 1 +kotaev.tk, 1 +kotajakarta.info, 1 +kotak.us, 1 +kotakanimeid.com, 1 +kotakonkrit.my, 1 +kotakoo.id, 1 +kotaku.com, 1 +kotaraanglican.org.au, 1 +kotatgent.be, 1 +kother.org, 1 +kotilinkki.fi, 1 +kotisivukone.fi, 1 +kotka.ml, 1 +kotlinfactory.io, 1 +kotly-marten.com.ua, 1 +kotmale.com, 1 +kotobox.net, 1 +kotobuki-healing.com, 1 +kotoishihear.tk, 1 +kotok.tk, 1 +kotomei.moe, 1 +kotonoha.cafe, 1 +kotonozaka.xyz, 1 +kotoopros.tk, 1 +kotori.love, 1 +kotori.style, 1 +kotorimusic.ga, 1 +kotrak.com, 1 +kottbulle.net, 1 +kotthaus-bs.de, 1 +kottur.is, 1 +kotuwa.tk, 1 +kotydomowe.com, 1 +kouberacing.com.br, 1 +koubova.net, 1 +kougeihin.jp, 1 +koujiao.ml, 1 +koujiao.net, 1 +koujo-soukohonpo.com, 1 +koumakan.cc, 1 +kourin.cf, 1 +koushinjo.org, 1 +kouwenhoven.xyz, 1 +kov.space, 1 +kovachica.tk, 1 +kovacia.com, 1 +koval.io, 1 +kovaldo.ru, 1 +kovered.net, 1 +kovnsk.net, 1 +kovrik-tm.com.ua, 1 +kovroedov.ru, 0 +kovspace.com, 1 +kovu.es, 1 +kovuthehusky.com, 1 +kowalmik.tk, 1 +kowalski7.cc, 1 +kowalski7cc.xyz, 1 +kowalstwo.com.pl, 1 +kowarschick.de, 1 +kowas.net, 1 +kowu.ru, 1 +koyaanisqatsi.tk, 1 +koyo.kr, 1 +koyou-nara.com, 1 +kozackibazar.pl, 1 +kozak.cloud, 1 +kozakmateusz.ovh, 1 +kozamac.com, 1 +kozansa.net, 1 +kozarac.tk, 1 +kozbox.com, 1 +kozentic.com, 1 +kozgi.com, 1 +kozhzamenitely.tk, 1 +koziknet.com, 1 +kozitsyn.name, 1 +kozlekedes.info, 1 +kozlov.cf, 1 +kozmetikatrend.hu, 1 +kozmetikus.tk, 1 +kozuch.biz, 1 +kozuna.it, 1 +kozune.com, 1 +kp-opt.ru, 1 +kp-walsh.com, 1 +kp0808.cc, 1 +kp0809.com, 1 +kp45.ru, 1 +kpfanworld.com, 1 +kpinterface.com, 1 +kpinvest.eu, 1 +kpizlog.rs, 1 +kplastics.in, 1 +kplasticsurgery.com, 1 +kplnet.net, 1 +kpmgccc.co.nz, 0 +kpmgclientcollab.co.nz, 0 +kpntdolive.nl, 1 +kpnthings.com, 1 +kpo.fi, 1 +kpop.re, 1 +kpop.ro, 1 +kpopsource.com, 1 +kppnmataram.com, 1 +kprem.com, 1 +kprf-school74.tk, 1 +kproferm.com, 1 +kpumuk.info, 1 +kpx1.de, 1 +kqh.me, 1 +kqrm.co.jp, 1 +kr-beratungscoach.de, 1 +kr-labs.com.ua, 1 +kr.cm, 1 +kr.search.yahoo.com, 0 +kr0n.dk, 1 +kra.ee, 0 +kra2laiz.eu, 1 +kraakgeluiden.tk, 1 +kraavi.com, 1 +krabathor.tk, 1 +krabbelsisters.tk, 1 +krabbit.tw, 1 +krachbumm.de, 1 +krachtinverbinding.nl, 1 +kraemerlaw.com, 1 +krafciarka.pl, 1 +kraft.blog, 1 +kraft.im, 1 +kraft.lol, 1 +kraftek.cf, 1 +kraftfahrtversicherungen24.de, 1 +kraftway.ru, 1 +kraftzeiten.de, 1 +krag.be, 1 +kraga.sk, 1 +krakato.tk, 1 +kraken-ttt.com, 1 +kraken.com, 1 +kraken.io, 0 +krakenfutures.com, 1 +krakenrobotik.de, 1 +krakenventures.com, 1 +krakozyabra.ga, 1 +krakozyabra.gq, 1 +krakozyabra.tk, 1 +kralenparadijs.tk, 1 +kralik.io, 1 +kralovskapradelna.cz, 1 +kram.nz, 1 +kram.tec.br, 1 +kramer-edelstahl.de, 1 +kramersworld.tk, 1 +kramesondemand.com, 1 +kramsj.uk, 1 +kran.ga, 1 +krang.org.uk, 1 +kranjnakolo.ml, 1 +krankenpflege-haushaltshilfe.de, 1 +krankenpflege.ch, 1 +kranservice-alzey.tk, 1 +krapiva.tk, 1 +krasa.at, 1 +krasa.au, 1 +krasa.com.au, 1 +krasa.tk, 1 +krasavchik.by, 1 +kraski.tk, 1 +krasnaya-nit.ga, 1 +krasnodar-pravoved.ru, 1 +krasnodar.one, 1 +krasnodar24.tk, 1 +krasnodarkrai.tk, 1 +krasnoyarsk-24.tk, 1 +krasnoyarsk24.tk, 1 +krasotkafirm.tk, 1 +krasotki.ml, 1 +kratochvilovi.net, 1 +krause-outlet.de, 1 +krauseent.com, 0 +krausekauft.de, 1 +krautomat.com, 1 +kraynik.com, 1 +kraz.tk, 1 +krazykastles.co.uk, 1 +krazykoolkastles.com, 1 +krazyphotobooths.co.uk, 1 +krbzh.ch, 1 +krc.link, 1 +krch.tk, 1 +krd93.ru, 1 +kreanoid-clientportal-aus-dev.azurewebsites.net, 1 +kreanoredact-portal-aus-dev.azurewebsites.net, 1 +kreasim32.co.id, 1 +kreationnext.com, 1 +kreativbande.com, 1 +kreativelabs.ch, 0 +kreativenerds.com.ng, 1 +kreativklinik.at, 1 +kreativoweb.tk, 1 +kreativstrecke.de, 1 +kreatura.tk, 1 +kreatywni.co, 1 +kredi-hesaplama.com, 1 +kredibanka.net, 1 +kredigram.com, 1 +kredit-abzocke.com, 1 +kredit-galerie.de, 1 +kredit-kenntnis.de, 1 +kredit-mit-negativer-schufa.com, 1 +kredit-negative-schufa.de, 1 +kredit-ohne-schufa.de, 1 +kredit-schule.de, 1 +kredit24.de, 1 +kredita.dk, 1 +kreditkarta.ml, 1 +kreditkarten-forum.de, 1 +kreditkoll.nu, 1 +kredito.pt, 1 +kreditonline.ml, 1 +kreditor.gq, 1 +kreditovnet.tk, 1 +kreditsystem.net, 1 +kreditvergleich.org, 1 +kreditzirkus.de, 1 +krednal.ru, 1 +kredytzen.pl, 0 +kreen.org, 1 +krefindo.de, 1 +kreft.tk, 1 +kreftprzewieda.pl, 1 +krehak.com, 1 +kreideseetaucher.de, 1 +kreidl.org, 0 +kreidlernet.tk, 1 +kreiglaw.com, 1 +kreisau.com, 1 +krelln.net, 1 +kremalicious.com, 1 +kremer-sonnenschutzsysteme.de, 1 +kremi.org, 0 +kreno.tech, 1 +krenstetter.at, 1 +kreolis.net, 1 +krepmarket.ru, 1 +kresimir-blazevic.tk, 1 +kreslomeshok.by, 1 +krestanskydarek.cz, 1 +kretaforum.dk, 1 +kretschmann.consulting, 1 +kretschmann.it, 1 +kreuzbergflieger.de, 1 +kreuzpfadfinder.de, 1 +kreuzwortraetsellosungen.com, 1 +kreweofneptune.org, 1 +krey.is, 1 +kreyolgym.fr, 1 +krezimizik.com, 1 +krfoodsng.com, 1 +kridtvejsplanter.dk, 1 +kriechel.de, 1 +kriegserinnerungen.tk, 1 +kriegskindernothilfe.de, 1 +kriener.photography, 1 +kriis.ee, 0 +krik.rs, 1 +kriko.io, 1 +krillz.se, 1 +krilotek.com, 1 +krilov.tk, 1 +krimikiosk.de, 1 +krimisound.com, 1 +krimisound.it, 1 +krimmebel.ru, 1 +krimzeta.com, 1 +krinetzki.de, 0 +kringla.xyz, 1 +kringloopwinkels.tk, 1 +krinnovations.ie, 1 +kripa.tk, 1 +kriptodede.com, 1 +kriptokereso.com, 0 +kriptokoin.com, 1 +kriptomat.io, 1 +kriptopod.com, 1 +kriptopodgon.tk, 1 +kriptosec.com, 1 +krisboeckmans.tk, 1 +krise-chance.ch, 1 +krisenintervention-deutschland.de, 1 +kriseninterventiondeutschland.de, 1 +krisftp.fr, 1 +krishin.tk, 1 +krishnakalisaha.com, 1 +krishnendu.com, 1 +krishnenduayur.org, 1 +krishofer.com, 1 +kriskonaturopathic.com, 1 +kriskras99.nl, 1 +krismurray.co.uk, 1 +krisp.ai, 1 +krispeinture.be, 1 +krispymods.com, 1 +krisstarkey.co.uk, 1 +krist.club, 1 +kristall-energie.at, 0 +kristall.tk, 1 +kristall.xyz, 1 +kristenpaigejohnson.com, 1 +kristina-lari.ru, 1 +kristineskitchenblog.com, 1 +kristjanrang.eu, 0 +kristofba.ch, 1 +kristoffer.is, 1 +kriston.tk, 1 +kristv.com, 1 +kristymiley.com, 1 +kristyvonkashyyyk.net, 1 +kriswauters.tk, 1 +kritatechnosolutions.com, 1 +kritik.com.br, 1 +kritisch-links.de, 1 +kriyayoga.fr, 1 +kriyayoga.mx, 1 +krizevci.info, 1 +krizialim.tk, 1 +krk-gaming.de, 0 +krmela.com, 1 +krmeni.cz, 0 +kroati.de, 1 +kroczynski.net, 1 +kroell.net, 1 +kroenland.at, 1 +kroenland.com, 1 +kroenland.design, 1 +kroglice.si, 1 +krok.gq, 1 +krokedil.se, 1 +kroldata.com, 1 +kroliczki.tk, 1 +kroll.tk, 1 +kromamoveis.com.br, 1 +kromati.co, 1 +kromberg.tk, 1 +kromciri.gq, 1 +krome.sg, 1 +kromonos.net, 1 +kromozottrud.hu, 1 +kroms.org, 1 +krona.ddns.net, 1 +kronanshopping.se, 1 +kroneaustralia.com.au, 1 +kronengruppe.de, 1 +kronofogden.se, 1 +kronosnxs.com, 1 +kronosproject.tk, 1 +kronospsi.es, 1 +krony.de, 1 +kronych.cz, 1 +kroo.com, 1 +kroon.email, 1 +kroonika.ee, 1 +kropkait.pl, 1 +krosovki-nike.tk, 1 +krossakorven.tk, 1 +krossvordy.com, 1 +krouzkyliduska.cz, 0 +krovat.ru, 1 +krovatka.tk, 1 +krovlya911.ru, 1 +krozilla.tk, 1 +krpaforum.org, 1 +krs.cloud, 1 +krsaustralia.com.au, 1 +krsvrs.nl, 1 +krti.com.ua, 1 +krtl.eu.org, 1 +krtl.top, 1 +krubik.tk, 1 +kruchefssensors.azurewebsites.net, 0 +kruchheartbeatdev.azurewebsites.net, 1 +kruchsensorsdev.azurewebsites.net, 0 +krudel.tk, 1 +kruemelundkruemel.de, 1 +krug-munroe.wedding, 1 +krugerengelbrecht.co.za, 1 +krugermillions.org, 1 +krugernationalpark.org.za, 1 +krugersdorpplumber24-7.co.za, 1 +krugoval.hr, 0 +krugson.net, 1 +kruidenboeket.be, 1 +kruin.net, 1 +kruindy.com, 1 +kruis.tk, 1 +kruisselbrink.com, 1 +kruk.co, 1 +krukaze.tk, 1 +krumovgrad.eu, 1 +krumpf.de, 0 +kruno.ooo, 1 +krup.com.ua, 1 +krupa.net.pl, 0 +krusesec.com, 1 +krusic22.com, 1 +krustyland.net, 1 +krutilka.ga, 1 +krutka.cz, 1 +kruu.de, 1 +kruvesh.tk, 1 +krvtz.net, 1 +krx1bet.com, 1 +kry.no, 1 +kry.se, 1 +kryddveitingahus.is, 1 +krymp.no, 1 +kryolansaudi.com, 1 +krypmonet.com, 1 +krypsys.com, 1 +krypt.com, 1 +kryptera.se, 1 +krypterz.com, 1 +kryptix.eu, 1 +kryptix.net, 1 +krypto-webdesign.de, 1 +kryptoforce.com, 1 +kryptologie.tk, 1 +kryptomech.com, 1 +kryptomodkingz.com, 1 +kryptonowosci.pl, 1 +kryptorebels.com, 1 +kryptosekken.no, 1 +kryptowale.com, 1 +kryptux.xyz, 1 +kryshodel.ml, 1 +krystal-framework.ml, 1 +krystalrsimpson.com, 0 +krytykawszystkiego.com, 1 +krytykawszystkiego.pl, 1 +kryx.de, 1 +krzeslaonline.pl, 1 +ks-19.com, 1 +ks-39.com, 1 +ks-59.com, 1 +ks-79.com, 1 +ks-89.com, 1 +ks-niceman.tk, 1 +ks-watch.de, 1 +ks.kr.ua, 1 +ks0098.com, 1 +ks015.com, 1 +ks017.com, 1 +ks0318.com, 1 +ks038.com, 1 +ks058.com, 1 +ks0618.com, 1 +ks0660.com, 1 +ks068.com, 0 +ks0877.com, 1 +ks0886.com, 1 +ks0888.com, 1 +ks0977.com, 1 +ks0990.com, 1 +ks16.net, 1 +ks168158.net, 1 +ks17.net, 1 +ks18.cc, 0 +ks182.com, 1 +ks1athome.co.uk, 1 +ks202.com, 1 +ks2020.vip, 1 +ks206.com, 1 +ks208.com, 1 +ks2235.com, 1 +ks2888.com, 1 +ks298.com, 1 +ks299.net, 0 +ks330.com, 1 +ks335.com, 1 +ks337.com, 1 +ks337.net, 1 +ks339.com, 1 +ks35.cc, 0 +ks3533.com, 1 +ks3536.com, 1 +ks3636.com, 1 +ks3737.com, 1 +ks380.com, 1 +ks381.com, 1 +ks386.com, 1 +ks3888.com, 1 +ks5000.com, 1 +ks515.com, 1 +ks516.com, 1 +ks549.com, 1 +ks5525.com, 1 +ks5528.com, 1 +ks5529.com, 1 +ks5531.com, 1 +ks5532.com, 1 +ks5822.com, 1 +ks5888.com, 1 +ks5888.net, 1 +ks597.com, 1 +ks6225.com, 1 +ks637.com, 1 +ks6522.com, 1 +ks6535.com, 1 +ks657.com, 1 +ks6600.com, 1 +ks668.com, 1 +ks6687.com, 1 +ks680.com, 1 +ks6887.com, 1 +ks79.app, 1 +ks8.net, 1 +ks8112.com, 1 +ks8113.com, 1 +ks8115.com, 0 +ks8128.com, 1 +ks8129.com, 1 +ks8135.com, 1 +ks8152.com, 1 +ks8176.com, 1 +ks8177.com, 1 +ks8211.com, 1 +ks8218.com, 1 +ks8225.com, 1 +ks8265.com, 1 +ks8266.com, 1 +ks8278.com, 1 +ks8802.com, 1 +ks8805.com, 1 +ks8831.com, 1 +ks8836.com, 1 +ks8862.com, 1 +ks8883.com, 0 +ks8886.com, 1 +ks8915.com, 1 +ks9.app, 1 +ks9122.com, 1 +ks920.com, 0 +ks960.com, 1 +ks9696.com, 1 +ks9888.com, 0 +ks99.app, 1 +ksa-lawfirm.com, 1 +ksa.mx, 1 +ksa511.com, 1 +ksabconline.gov, 1 +ksamaps.com, 1 +ksar.tk, 1 +ksato.fr, 0 +ksauhs-med.com, 1 +ksbkrasnodar.ru, 1 +kscarlett.com, 1 +kscds.gov, 1 +kschool.co.in, 1 +ksdot.gov, 1 +kselenia.ee, 1 +kselien.gov, 1 +ksem.tk, 1 +kseniya.tk, 1 +kseniyakoroleva.tk, 1 +ksenomorf.tk, 1 +ksero.center, 1 +ksero.com.pl, 1 +ksero.info, 1 +ksero.wroclaw.pl, 0 +kserownia.eu, 1 +ksexec.gov, 1 +ksg.edu.ee, 1 +ksgamerz.ga, 1 +kshb.com, 1 +kshlm.in, 1 +kshop.gr, 1 +kshpage.in, 1 +ksiegarniabk.pl, 1 +ksiegowosc.pro, 1 +ksk-raduga.tk, 1 +ksm.co.in, 1 +ksnl.net, 1 +ksoc.com, 0 +ksoftware.tk, 1 +ksopp.si, 1 +kspndanautoba.id, 1 +ksrevenue.gov, 1 +ksrv.jp, 1 +kss.com.au, 1 +ksst.by, 1 +ksstille.de, 1 +kst-dlvr.tk, 1 +kst-service.tk, 1 +kstdlvr.by, 1 +kstitleers.ga, 1 +kstitleest.ga, 1 +kstr.us, 1 +kstservice.by, 1 +ksu.kz, 1 +ksuu.loan, 1 +ksv-friesland.nl, 1 +ksvehicles.gov, 1 +ksvip02.com, 1 +ksvip09.com, 1 +ksvoterinfo.gov, 1 +ksw.hr, 1 +kswebtags.gov, 1 +kswork.life, 1 +kt-events.de, 1 +kt-motors.com, 1 +kt.tc, 1 +kt3i.com, 1 +ktateeb.com, 1 +ktbuniversity.com, 1 +kteatras.tk, 1 +ktgy.com, 1 +kthnxbai.xyz, 1 +ktk-pc.de, 1 +ktm-troxler.de, 1 +ktnv.com, 1 +ktty.net, 1 +ktube.yt, 1 +ktuluweb.tk, 1 +ktupad.web.id, 1 +ktw.lv, 0 +ku-7.club, 1 +ku-niederwinkling.de, 1 +ku.ag, 1 +kua.com, 1 +kuaforumden.com, 0 +kuai-ssl.com, 1 +kuairead.com, 0 +kuaishou.cf, 1 +kuaitiyu.org, 1 +kuaiyaojing.com, 1 +kuaiyun.com, 1 +kualo.co.uk, 1 +kualo.com, 1 +kualo.in, 1 +kuba-erlebnisreisen.de, 1 +kuba-orlik.name, 1 +kubabrussel.be, 1 +kubalok.de, 1 +kubanitoscali.com, 1 +kubeofficebooth.com, 1 +kuberkaitseliit.ee, 1 +kuberm.com, 1 +kubern.at, 1 +kubevocalbooth.com, 1 +kubica.ch, 1 +kubierecki.pl, 1 +kubik-rubik.de, 1 +kubit.ai, 1 +kubit.co, 1 +kubit.us, 1 +kublis.ch, 1 +kubmeta.com, 1 +kubnews.ru, 1 +kubo.pw, 1 +kubopro.com, 1 +kubopro.cyou, 1 +kubota.co.nz, 1 +kubota.com.au, 1 +kubotapower.com.au, 1 +kubotek3d.com, 1 +kubrakov.ml, 1 +kubrick.tk, 1 +kubritalk.com, 1 +kubusadvocaten.nl, 1 +kuchen-am-stiel.de, 1 +kuchugury.ru, 1 +kucnibudzet.com, 1 +kucukayvaz.com, 0 +kucukcekmececilingir.gen.tr, 1 +kucukkaymakli.tk, 1 +kudelskisecurity.com, 1 +kudetours.co.za, 1 +kudinilam.tk, 1 +kuditel.net, 1 +kudofoto.com, 1 +kudoran.tk, 1 +kudoway.com, 1 +kuechler.info, 1 +kuehndel.org, 1 +kuehnel-online.eu, 1 +kuemmling.eu, 1 +kuenstler-website.de, 1 +kuepper.tk, 1 +kueri.tech, 1 +kuestensiegel.de, 1 +kufry.cz, 1 +kugelblitz.co, 1 +kuhakukawa.ml, 1 +kuhio.net, 1 +kuhlecloud.co.za, 1 +kuhn-elektrotechnik.de, 1 +kuhne-electronic.de, 1 +kuhnerts.eu, 1 +kuinin.tk, 1 +kuisus.com, 1 +kuitunenguthrie.tk, 1 +kujalichildrenscentre.or.ke, 1 +kukaidh.com, 0 +kukal.cz, 1 +kukeri-karlovo.tk, 1 +kuketz-blog.de, 1 +kuketz-security.de, 1 +kukiulpindo.com, 1 +kukla.club, 1 +kukla.io, 1 +kuko-crews.org, 1 +kukuku.fun, 1 +kukuma.tk, 1 +kukutza.tk, 1 +kul.ee, 0 +kulakov.cf, 1 +kulakov.tk, 1 +kulde.net, 1 +kuldeepg.tk, 1 +kuliahbahasainggris.com, 1 +kuliahwisatahati.com, 1 +kulikov.tk, 1 +kulinarika.net, 1 +kulinaristi.fi, 1 +kulinariya.tk, 1 +kulivps.com, 1 +kulshe.com, 1 +kultamuseo.net, 1 +kultham.ml, 1 +kulthist.tk, 1 +kultmobil.se, 1 +kultur-werkstatt-wulfen.tk, 1 +kultur1.se, 1 +kulturbanause.de, 1 +kulturbiljetter.se, 1 +kulturistika.tk, 1 +kulturmel.ch, 1 +kultus-mv.de, 1 +kuma-it.de, 1 +kumacdn.club, 1 +kumalog.com, 1 +kumanovo.tk, 1 +kumaraguruparan.tk, 1 +kumi.website, 1 +kumidia.jp, 1 +kumilasvegas.com, 1 +kumina.nl, 1 +kumiskiri.com, 1 +kumo.tk, 1 +kumoricon.org, 1 +kumpali.com, 1 +kumpula.tk, 1 +kumu.live, 1 +kumuwiki.de, 1 +kunadomowa.pl, 1 +kunaki.com, 1 +kunalchakate.tk, 1 +kunaldesai.blog, 1 +kunanji.com, 0 +kunashir.tk, 1 +kundenerreichen.com, 1 +kundenerreichen.de, 1 +kundenvertrag.de, 1 +kundesjekk.no, 1 +kundo.se, 1 +kungfudirect.com, 1 +kungsangen.com, 0 +kunitomo.jp, 1 +kunnen.tech, 1 +kunri.tk, 1 +kunsanfss.com, 1 +kunst-im-kokon.de, 1 +kunst-na-arbeid.tk, 1 +kunstcentraal.nl, 0 +kunstdrucke-textildruck.de, 1 +kunsten.be, 1 +kunstenkracht1919.tk, 1 +kunsthandel-augustus-rex.de, 1 +kunstmuseum-moritzburg.de, 1 +kunststoffzaun-berlin.de, 1 +kunstundkulturradioschoepfwerk.tk, 1 +kunstundunrat.de, 1 +kunugi-inc.com, 1 +kunze-medien.de, 0 +kuoruan.com, 1 +kuotiva.com, 1 +kup-sluzbu.cz, 1 +kupaa.ink, 1 +kupferschmids.ch, 1 +kupferstichshop.com, 1 +kupi-ceresit.ru, 1 +kupid.com, 1 +kupidon-rt.ru, 1 +kupil.ru, 1 +kupinska.pl, 1 +kupipled.cf, 1 +kupislivki.tk, 1 +kupitmtz.gq, 1 +kupitnedorogo.com, 0 +kupitraktor.gq, 1 +kupittraktormtz.gq, 1 +kupka.tech, 1 +kupkabn.de, 1 +kupleno.com, 1 +kuplukover.by, 1 +kupoholik.rs, 1 +kupon-proxy6.ru, 1 +kupone.com.br, 1 +kuponigo.com, 1 +kuponmail.tk, 1 +kuponydoher.cz, 1 +kuppingercole.com, 1 +kupriy-coach.ru, 1 +kupschke.net, 1 +kupsluzbu.cz, 1 +kupu.maori.nz, 1 +kupujemprodajem.com, 1 +kura.gg, 1 +kurafuto.homeip.net, 1 +kuralink.se, 1 +kuralreklam.com, 1 +kurani.tk, 1 +kuraraynoritake.eu, 1 +kurashino-mall.com, 1 +kurd-yogurt.tk, 1 +kurdigrafya.com, 1 +kurdinfo.tk, 1 +kurdishcommunityofottawa.tk, 1 +kurdishphotography.tk, 1 +kurdjokes.tk, 1 +kurenivka.tk, 1 +kurer-sreda.ru, 1 +kuretru.com, 1 +kurgan-city.tk, 1 +kurgan.cf, 1 +kurgancity.cf, 1 +kurido-anime.tk, 1 +kurierwilenski.lt, 1 +kurirplus.tk, 1 +kuritsa.tk, 1 +kurnia.tk, 1 +kurniadwin.to, 1 +kuroha.co.uk, 1 +kuroinu.jp, 1 +kuroisalva.xyz, 0 +kuroit.com, 1 +kurona.ga, 1 +kuronarupolyphenol.jp, 1 +kuronekogaro.com, 1 +kuropatina.tk, 1 +kurosawa-yakkyoku.com, 1 +kurrende.nrw, 0 +kurs-dron.pl, 1 +kurs-elektryka.pl, 1 +kurs-fotowoltaika.pl, 1 +kurserne.dk, 1 +kursk-otoplenie.ru, 1 +kursk.cf, 1 +kurssertifikasi.com, 1 +kurswahl-online.de, 1 +kursy-sep.com.pl, 1 +kursyjezykowelublin.pl, 1 +kursypolska.pl, 1 +kurszielnull.de, 1 +kurt-und-herma-roemer-stiftung.de, 1 +kurtdeutscher.com, 1 +kurtisfranklin.com, 1 +kurtki-moda.tk, 1 +kurtlarvadisi-pusu-1.tk, 1 +kurtmclester.com, 0 +kurtneuweiler.com, 1 +kurtosys.com, 1 +kurtschlatzer.com, 1 +kurtschleinbeck.com, 1 +kurumsalseo.com.tr, 1 +kurungkurawal.id, 1 +kuruppa.xyz, 1 +kuruwi.net, 1 +kurz.pw, 1 +kurzly.de, 1 +kurztrip-fuer-verliebte.de, 0 +kurzurlaub.tk, 1 +kusadasiescmagazin.tk, 1 +kusadasihaber.ga, 1 +kusadasihaber.tk, 1 +kusasa.biz, 1 +kuscheln.com, 1 +kuschku.de, 1 +kuscu.de, 1 +kushner-cpa.co.il, 1 +kushwanthreddy.in, 1 +kuslink.tk, 1 +kusmuhendisi.com, 1 +kusochi.eu, 1 +kustarnik.tk, 1 +kustod.io, 1 +kustom-kitchens.com, 1 +kustomcorner.com.au, 1 +kustomer.com, 1 +kustosija.tk, 1 +kustus.com.br, 1 +kustvissen.tk, 1 +kusunokitomori.com, 1 +kutahyaciniyapitasarim.com.tr, 1 +kutaisi.it, 1 +kutalek.cz, 1 +kutalin.com, 1 +kutekeiki.com, 1 +kuti.hu, 1 +kutinsoft.com, 1 +kutombawewe.net, 1 +kutsankaplan.com, 1 +kuttler.eu, 1 +kutvonen.net, 1 +kutyabarathelyek.hu, 1 +kutyamacskashop.hu, 1 +kuudere.moe, 1 +kuukkanen.net, 1 +kuunlamaailm.ee, 1 +kuwago.io, 1 +kuwichitagastro.com, 1 +kuwichitaim.com, 1 +kuzbass-pwl.ru, 1 +kuzelky-cb.cz, 1 +kuzeyegehaber.com, 1 +kuzh.me, 1 +kuzh.tk, 1 +kuzik.tk, 1 +kuzinea.tk, 1 +kuzmik.net, 1 +kuzmik.org, 1 +kuzmiks.com, 1 +kuznica.tk, 1 +kuzov-plus.tk, 1 +kuzovkin.ml, 1 +kv-genebos.tk, 1 +kvadratnimeter.si, 1 +kvadru.cz, 1 +kvalhe.im, 1 +kvalita-1a.cz, 0 +kvalitetsaktiepodden.se, 1 +kvalitetskatalog.tk, 1 +kvarta.tk, 1 +kvartira-grad.tk, 1 +kvartiragrad.tk, 1 +kvasnytskyi.net, 1 +kvasta.se, 1 +kvdb.io, 1 +kvdekolk.tk, 1 +kvest-v-moskve.ga, 1 +kvestiks.ru, 1 +kvetinymilt.cz, 1 +kvetinyumarkety.cz, 1 +kvetuvplotu.cz, 1 +kvhile.com, 1 +kvhv-brussel.be, 1 +kvilt.dk, 1 +kviskoteka.tk, 1 +kvitlyr.tk, 1 +kvmcloud.net, 0 +kvn.tf, 1 +kvnsport.ru, 1 +kvrapi.com, 1 +kvrwines.com, 1 +kvs-demo.com, 1 +kvso.tk, 1 +kvspannum.tk, 1 +kvsplayer.com, 1 +kvsrot.cz, 1 +kvt.berlin, 0 +kw.gt, 1 +kwadraadtevredenheid.nl, 1 +kwakkelglas.nl, 0 +kwalifikacje.gov.pl, 1 +kwc.gov, 1 +kwcolville.com, 1 +kweb.ml, 1 +kwedo.com, 1 +kwench.com, 1 +kwieben.com, 1 +kwikmed.eu, 0 +kwjx2.ga, 1 +kwl.com.au, 1 +kwm.group, 1 +kwnet.info, 1 +kwoll.de, 0 +kwonghei.net, 1 +kwonjiyong.cn, 1 +kwork-garand.tk, 1 +kwx.gg, 1 +kwyxz.org, 1 +kxah35.com, 1 +kxbot.ru, 1 +kxc.email, 1 +kxc.inc, 1 +kxc.sh, 1 +kxc.tools, 1 +kxnrl.com, 1 +kxxv.com, 1 +ky.rs, 1 +ky188.io, 1 +ky89.cc, 1 +ky99.io, 1 +kyaba-kura.jp, 1 +kyahimt.gov, 1 +kyango.com, 1 +kyanjames.com, 1 +kyaru.net, 1 +kyau.net, 1 +kyaulabs.com, 1 +kybalion.info.pl, 1 +kyberna.xyz, 1 +kybi.sk, 1 +kycisrael.com, 1 +kydara.com, 1 +kyj250.com, 1 +kyj322.com, 1 +kyj33.com, 1 +kyj4.com, 1 +kyj44.com, 1 +kyj511.com, 1 +kyj522.com, 1 +kyj544.com, 1 +kyj55.com, 1 +kyj56.com, 1 +kyj57.com, 1 +kyj577.com, 1 +kyj59.com, 1 +kyj599.com, 1 +kyj622.com, 1 +kyj633.com, 1 +kyj644.com, 1 +kyj65.com, 1 +kyj655.com, 1 +kyj67.com, 1 +kyj677.com, 1 +kyj76.com, 1 +kyke.tech, 1 +kylacoin.com, 1 +kylacoin.eu.org, 1 +kylby.com, 1 +kyle-s.com, 1 +kyle.place, 0 +kylebaldw.in, 0 +kyledgoodwin.com, 1 +kyleggiero.me, 1 +kylegislature.gov, 1 +kylegough.co.uk, 1 +kylegutschow.com, 1 +kylehaka.la, 1 +kylehakala.com, 1 +kylelaker.com, 1 +kylelovell.com, 1 +kylepet.co, 1 +kylewentworth.com, 1 +kylianvermeulen.com, 0 +kylianvermeulen.nl, 1 +kylie-pomada.tk, 1 +kylinj.com, 0 +kylinseating.in, 1 +kylsgl.com, 1 +kylvaja.fi, 1 +kymcojp.com, 1 +kymta.com, 1 +kyn.be, 1 +kynaston.org.uk, 1 +kynastonwedding.co.uk, 1 +kyncostyle.com, 1 +kynd.com.au, 0 +kyne.cn, 1 +kyne.wang, 1 +kynect.gov, 1 +kynjatshai.com, 1 +kyobostory-events.com, 1 +kyobusiness.com, 1 +kyochon.fr, 1 +kyoki-railway.co.jp, 1 +kyoox.ch, 1 +kyoox.io, 1 +kyorei.or.jp, 1 +kyosaku.org, 1 +kyoto-sake.net, 1 +kyoto-sowa.co.jp, 1 +kyoto-tomoshibi.jp, 1 +kyrabanx.org, 1 +kyrgizion.tk, 1 +kyrjy.com, 1 +kyrtopoulos.com, 1 +kyrylych.tk, 1 +kysepticservice.com, 1 +kysil.org, 1 +kytkintienautomaalaamo.fi, 1 +kyujin-office.net, 1 +kyunyuki.com, 1 +kyusyu.org, 1 +kyvosinsights.com, 1 +kyzyl-senir.ml, 1 +kz.search.yahoo.com, 0 +kzar.co.uk, 1 +kzforce.tk, 1 +kzsdabas.hu, 1 +kztv10.com, 1 +l-a-b-a.com, 1 +l-a-b-a.ru, 1 +l-atelier-c.com, 1 +l-i-r.tk, 1 +l-ink.eu.org, 1 +l-lab.org, 1 +l-poya.ch, 1 +l.td, 1 +l.tt, 1 +l0re.com, 1 +l17r.eu, 1 +l2.ai, 1 +l214.com, 1 +l2aviation.com, 1 +l2dragonland.tk, 1 +l2guru.ru, 1 +l2kl.com, 1 +l2news.ga, 1 +l2relax.ml, 1 +l2support.tk, 1 +l33roy.com, 1 +l33te.net, 1 +l36533.com, 1 +l4s.me, 1 +l51365.com, 0 +l5197.co, 1 +l6729.co, 1 +l6729.com, 1 +l6957.co, 1 +l7plumbing.com.au, 1 +l7world.com, 1 +l82365.com, 1 +l8x.tech, 1 +l9.fr, 1 +l9297.co, 1 +l9728.co, 1 +la-baldosa.fr, 0 +la-bonne-cuisine.fr, 1 +la-boutique-langlois.fr, 1 +la-casa.tk, 1 +la-com.org, 1 +la-compagnie-des-elfes.fr, 1 +la-fenice-neheim.de, 1 +la-france-ressuscitee.fr, 1 +la-grande-jaugue.fr, 1 +la-kaz-a-velo.fr, 1 +la-laitonnerie.com, 1 +la-maison-neuve.com, 1 +la-paco.tk, 1 +la-petite-entreprise.com, 1 +la-petite-epicerie.fr, 1 +la-ruche.net, 1 +la-sc.com, 1 +la-tourmaline.ch, 1 +la-verite.tk, 1 +la-ville-aux-dames-auto-ecole.com, 1 +la-vraie-histoire.fr, 1 +laa.gov.ly, 1 +laab.gv.at, 1 +laac.io, 1 +laagenciaespacial.com, 1 +laakevahinko.fi, 1 +laanius.dk, 1 +laarroceriacolombiana.com, 1 +laassari.me, 0 +laatikko.io, 1 +laatjeniethackmaken.nl, 1 +lab-advancedservicesportal.com, 1 +lab-oborud.com, 1 +lab-recherche-environnement.org, 1 +laba.ua, 1 +labacanisima.tk, 1 +labadusa.com, 1 +labambi.pl, 1 +labandadeases.es, 1 +labandadelamente.tk, 1 +labandadelexpreso.tk, 1 +labande-annonce.fr, 1 +labanochjonas.se, 1 +labanskoller.se, 1 +labanskollermark.se, 1 +labarcadelperegrino.com, 1 +labassist.lt, 1 +labaugmbh.de, 1 +labayru.eus, 1 +labcenter.com, 1 +labcoat.jp, 1 +labdistill.com, 1 +label-octopus.org, 1 +labeled.vn, 1 +labelfactory.nl, 1 +labels.co.ke, 1 +labequipvn.com, 1 +laberkosmos.tk, 1 +labianstore.com, 1 +labiblioafronebrulepas.com, 0 +labin.tk, 1 +labina.com.tr, 1 +labinator.com, 1 +labinsights.com, 1 +labirint.cf, 1 +lablaser.tk, 1 +lablic-beta.work, 1 +lablnet.tk, 1 +lablue.ch, 1 +lablue.de, 1 +labmakelaar.com, 1 +labmakelaar.eu, 1 +labms.com.au, 1 +labobooks.com, 1 +labodeguitamigueltorres.cl, 1 +labogue.info, 1 +laboiteafred.fr, 1 +laboiteanem.fr, 1 +laboiteare.fr, 0 +laboiteasous.com, 1 +laboma.cz, 1 +laboni.design, 1 +labor-augsburg-mvz.de, 1 +laboratoirehubertcurien.fr, 1 +laboratoria.pro, 1 +laboratoriodelmisterio.co.uk, 1 +laboratoriodemarketingb3.com, 1 +laboratoriomolina.tk, 1 +laborbluesers.ga, 1 +laborbluesest.ga, 1 +labordayauction.org, 1 +labordude.com, 1 +laborriquita.tk, 1 +labortogether.com, 1 +labostark.fr, 1 +labottegafinedistillates.it, 1 +labouncycastlehire.co.uk, 1 +labourmarketinsights.gov.au, 1 +laboutiquedejuliette.com, 1 +laboutiquedeluminia.fr, 1 +laboutiquemarocaineduconvoyeur.com, 1 +laboutiquemarocaineduconvoyeur.ma, 1 +labrat.mobi, 1 +labroma.tk, 1 +labs-is.com, 1 +labs.directory, 1 +labs.lgbt, 1 +labs.ro, 1 +labsector.com, 1 +labsitserviss.lv, 1 +labsys.xyz, 1 +labtalleraudiovisual.tk, 1 +labtechsupplyco.com, 0 +labussola.site, 1 +labworking.lt, 1 +labworks.org, 1 +laby.link, 1 +labyrinthinetool.de, 1 +labyrinthus.tk, 1 +lacaey.se, 1 +lacahsa.gov, 1 +lacalderera.tk, 1 +lacallas.tk, 1 +lacantine.xyz, 1 +lacapsule.org, 1 +lacargo.az, 1 +lacarniceria.tk, 1 +lacarreradelagua.es, 1 +lacarretica.cr, 1 +lacasadelmaniqui.net, 1 +lacasadelours.fr, 1 +lacaserita.org, 1 +lacasseroy.com, 1 +lacavedesergio.fr, 1 +lacaveducinquantenaire.com, 1 +lacazadora.tk, 1 +lacebeauty.it, 1 +laceleste.it, 1 +lacellbedding.com, 1 +lacentral.com, 0 +lacera.gov, 1 +lacetsroses.ch, 1 +laceysfarm.ie, 1 +lacfm.cf, 1 +lachain.io, 1 +lachainedesentrepreneurs.fr, 1 +lachaussettedebrasparts.fr, 1 +lachlan-harris.com, 1 +lachlan.com, 1 +lachlanallison.com, 0 +lachlanb.me, 1 +lachyoga-schwieberdingen.de, 1 +laciana.tk, 1 +lacicloud.net, 1 +lacienciadelpanico.tk, 1 +lacity.gov, 1 +lackan.tk, 1 +lackawannanypolicecorruption.org, 1 +lackfer.tk, 1 +lackierereischmitt.de, 1 +laclaque.ch, 0 +lacledelareussite.com, 0 +lacledeslan.com, 1 +lacledeslan.org, 1 +lacledor.ch, 0 +lacnesidlo.sk, 1 +lacoast.gov, 1 +lacochinacounselor.com, 1 +lacoe.edu, 1 +laconcepcion.tk, 1 +laconiapdnh.gov, 1 +lacontrevoie.fr, 1 +lacoquette.gr, 1 +lacorteimoveis.com.br, 1 +lacoste.net, 1 +lacragamerpanel.ml, 1 +lacrimosa.tk, 1 +lacrinum.com, 1 +lacrosselocatorers.ga, 1 +lacrosselocatorest.ga, 1 +lacrossemortgageers.ga, 1 +lacrossemortgageest.ga, 1 +lacrossetribune.com, 1 +lacrossewi.gov, 1 +lacroy.com.br, 1 +lactatiekundigemanouk.nl, 1 +lacuartaorden.tk, 1 +lacuerba.com, 1 +lacuisine.tk, 1 +lacuna-vermoegen.de, 1 +lacyc3.eu, 1 +lacylynn.net, 1 +lad-china.com, 0 +lada-granta.tk, 1 +lada-plus.tk, 1 +ladadate.com, 1 +ladakhtrip.tours, 1 +ladanivabelgium.tk, 1 +ladanmokhtari.tk, 1 +ladbroke.net, 1 +ladder.sport, 1 +ladeboks.dk, 1 +ladedu.com, 1 +ladelicateparenthese.com, 1 +ladenzeile.at, 1 +ladenzeile.de, 1 +ladepeche.fr, 1 +ladies-shoes.tk, 1 +ladiescode.tk, 1 +ladiesrapide.tk, 1 +ladinvestment.ml, 1 +ladisko.tk, 1 +ladislav-antos.cz, 1 +ladislavbrezovnik.com, 0 +lado.ltd, 1 +lado.site, 1 +ladobe.com.mx, 1 +ladocdn.com, 1 +ladocs.tk, 1 +ladocu.cf, 1 +ladotech.cn, 1 +ladotech.com, 1 +ladraiglaan.com, 1 +ladrones.tk, 1 +laduephoto.com, 1 +ladurbo.tk, 1 +lady-blog.ga, 1 +lady-len.com, 1 +lady-sadieann.co.uk, 1 +lady-wishlist.my.id, 1 +lady007.com.tw, 1 +ladyangelina.org, 1 +ladyanja.org, 1 +ladybanana.co.uk, 1 +ladybird.tk, 1 +ladybirdeducation.co.uk, 1 +ladyblack.tk, 1 +ladyblackdiamoond.com, 1 +ladyboy.tv, 1 +ladyboyfiles.com, 1 +ladyboyreports.com, 1 +ladyboytube.tv, 1 +ladybugjam.com, 1 +ladybugjunction.com, 1 +ladyestelle.org, 1 +ladyisabell666.com, 1 +ladykarame.org, 1 +ladylakefl.gov, 1 +ladylatoria.net, 1 +ladylucks.co.uk, 1 +ladymadd.fr, 1 +ladymakeup.com.ua, 1 +ladymayonline.tk, 1 +ladymeli.org, 1 +ladyofhopeparish.org, 1 +ladyofsongstv.com, 1 +ladyoxytocin.com, 1 +ladysecrets.cf, 1 +ladysecrets.ga, 1 +ladysybella.net, 1 +ladytron.tk, 1 +ladyvampira.com, 1 +ladyvictoriavalente.com, 1 +ladywishlist.my.id, 1 +laecosmetic.com, 1 +laecosmetics.es, 1 +laedia.com, 1 +laegemiddelstyrelsen.dk, 1 +laembajadamexico.com, 1 +laemiliafutbol.tk, 1 +laempresa.tk, 1 +laencina.tk, 1 +laer.ai, 1 +laerdal.com, 1 +laerepenger.no, 1 +laerted.ga, 1 +laeryn.com, 0 +laesisvefurinn.is, 1 +laetitia-hypnocoach.fr, 1 +laettnercamps.com, 1 +laetusinpraesens.org, 1 +laeva.edu.ee, 1 +laextra.mx, 1 +lafansite.tk, 1 +lafantasticatravel.com, 1 +lafattoriabiologica.com, 1 +lafattoriadiclotilde.it, 1 +lafayette-rushford.com, 1 +lafayettechippewawi.gov, 1 +lafayetteco.gov, 1 +lafayettecountymo.gov, 1 +lafayettemalleg.com, 1 +lafayettetnfd.gov, 1 +lafayettewcwi.gov, 1 +lafcoar.gov, 1 +lafeemam.fr, 1 +lafeepraline.fr, 1 +lafermegourmande.fr, 1 +laffer.tk, 1 +laffgaff.com, 1 +lafika.ddns.net, 1 +lafillepolyvalente.ca, 1 +lafillepolyvalente.com, 1 +lafka.org, 1 +laflanelle.fr, 1 +laflash.com, 1 +lafleur-salon.tk, 1 +laforgia.xyz, 1 +lafr4nc3.xyz, 1 +lafraia.com, 1 +lafraia.com.br, 1 +lafsc.co.uk, 1 +lafuentespain.com, 1 +lafuriadelguardiancelta.tk, 1 +lag-fan.tk, 1 +lag-gbr.gq, 1 +lagaleria-ag.com, 1 +lagalerieduchanvre.fr, 1 +lagence.ch, 1 +lagencerie.fr, 1 +lagendijk.org, 1 +lagerauftrag.info, 1 +laget.se, 1 +laghiinitalia.com, 1 +lagier.xyz, 1 +lagin.cz, 1 +laginghanda.gov.ph, 1 +lagit.in, 0 +laglab.org, 0 +lagloriadehuampani.com, 1 +lagodny.eu, 1 +lagom.org.pl, 1 +lagoonrealty.com, 1 +lagos-car-hire.com, 1 +lagoscooperativecollege.com, 1 +lagotto.tk, 1 +lagout.org, 1 +lagovistatexas.gov, 1 +lagracia.com.br, 1 +lagrangiandesign.com, 1 +lagriffeduservice.fr, 1 +lagriot.com, 1 +lagrollabz.it, 1 +lagrotta.pizza, 1 +lagrottabergenopzoom.nl, 1 +lagroza.tk, 1 +lagsoftware.com, 0 +laguiadeliman.com.ar, 1 +laguiadelpapa.com, 1 +laguiainmobiliaria.com.co, 1 +laguinguette.fr, 0 +lagunadiosdalmatians.tk, 1 +lagunakitchenandbath.com, 1 +lagunaklub.tk, 1 +laguscei.com, 1 +laguterbaru.gq, 1 +lahabra.gov, 1 +lahacker.net, 1 +lahaine.org, 1 +lahalleternative.fr, 1 +lahalte-buvette.fr, 1 +lahermandad.tk, 1 +lahirusblog.tk, 1 +lahmer.ma, 1 +lahoguera.tk, 1 +lahoratunante.tk, 1 +lai.is, 1 +lailabanx.org, 1 +lailai.link, 1 +lain.at, 1 +lain.la, 1 +lain.wiki, 1 +laindonleisure.co.uk, 1 +lainoa.eus, 1 +laipert.com, 1 +lairdutemps-bbe.fr, 1 +laisk.ru, 1 +laity.gq, 1 +laiweiyi.com, 1 +lajarana.tk, 1 +lajauria.tk, 1 +lajessaofrancisco.com.br, 1 +lajetlingerie.nl, 1 +laji.fi, 1 +lajijonencadebarbera.com, 1 +lajme-shqip.gq, 1 +lajornadafilipina.com, 1 +lajusta.tk, 1 +lak-berlin.de, 0 +lak.li, 1 +lakabina.tk, 1 +lakatos.tk, 1 +lakatrop.com, 1 +lake-baikal.ml, 1 +lakeandriverrestoration.com, 1 +lakearthurnm.gov, 1 +lakecity-obgyn.com, 1 +lakeclerkfl.gov, 1 +lakecookexteriors.com, 1 +lakecountyclerkfl.gov, 1 +lakecountyco.gov, 1 +lakecountytn.gov, 1 +lakedeltonwi.gov, 1 +lakeee.com, 1 +lakegenevanews.net, 1 +lakehavasuhouserentals.com, 1 +lakeheadfreight.biz, 1 +lakeheadlions.com, 1 +lakelafayettemo.gov, 1 +lakelandbank.com, 1 +lakemary-doctor.com, 1 +lakemillsiowa.gov, 1 +lakenheathfss.com, 1 +lakenheathfss.marketing, 1 +lakenheathfss.support, 1 +lakepoint.gov, 1 +lakerfreight.ca, 1 +lakerfreight.com, 1 +lakersview.com, 1 +lakesaintlouismo.gov, 1 +lakesherwoodelectric.com, 1 +lakesherwoodelectrical.com, 1 +lakesherwoodelectrician.com, 1 +lakesherwoodexteriorlighting.com, 1 +lakesherwoodlandscapelighting.com, 1 +lakesherwoodlighting.com, 1 +lakesherwoodoutdoorlighting.com, 1 +lakeshiremo.gov, 1 +lakesideweb.design, 1 +lakestreetministorage.com, 1 +lakesviewrobina.com.au, 1 +laketanglewoodtx.gov, 1 +laketontwpmi.gov, 1 +laketownmn.gov, 1 +lakeview.photography, 1 +lakevotes.gov, 1 +lakewaccamawnc.gov, 1 +lakewinnipegdatastream.ca, 1 +lakewoodco.gov, 1 +lakewoodcomputerservices.com, 1 +lakewoodcourtoh.gov, 1 +lakewoodoh.gov, 1 +lakichat.fi, 1 +lakkt.de, 1 +lakle.com, 1 +lakonia.com.br, 1 +lakorona.tk, 1 +lakru.one, 1 +laksa.life, 1 +lakupaavi.tk, 1 +lalagunachalate.tk, 1 +lalaloe.be, 1 +lalaog.com, 1 +lalarosas.com, 1 +lalaserniagara.ca, 1 +lalaya.fr, 1 +laled.ch, 0 +laleggepertutti.it, 1 +lalegria.tk, 1 +lalelal.me, 1 +laleli.biz, 1 +lalerou.com, 1 +lalettrepatriote.com, 0 +lalokura.tk, 1 +lalouviere.fr, 1 +lalucepulsata.it, 1 +lalucha.tk, 1 +lalucioledigitale.com, 1 +lalunedangkor.com, 0 +lalyre-corcelles.ch, 0 +lamafioso.com, 1 +lamai-crochets.fr, 1 +lamaisondufort.fr, 1 +lamaisonfantastique.fr, 1 +lamakat.de, 1 +lamalapalabra.tk, 1 +lamaletademano.com, 1 +lamaline.tk, 1 +lamalleauxsaveurs-aubigny.com, 1 +lamanchelibre.fr, 1 +lamanzanamordida.net, 1 +lamarieealhonneur.com, 0 +lamasacre.tk, 1 +lamaskill.com, 1 +lamaturitadidaniele.ml, 1 +lambassadors.com, 1 +lambauer.com, 1 +lambda.sx, 1 +lambdajournal.com, 1 +lambdaof.xyz, 1 +lambertshealthcare.co.uk, 1 +lambertz.xyz, 1 +lamblogs.com, 1 +lamboo.be, 1 +lamborghi.ni, 1 +lamchannang.com, 1 +lamclam.site, 1 +lamcondaugia-khacdaugia.com, 1 +lamconnect.com, 1 +lamdav.com, 1 +lameco.com, 1 +lamed.cz, 1 +lamedog.tk, 1 +lamedubois-parquet.fr, 0 +lamei-group.com, 1 +lameilleurecette.fr, 1 +lamergameryt.xyz, 1 +lamet-kher.tk, 1 +lameusame.be, 1 +lamigoshevora.pt, 1 +laminaatdealer.nl, 1 +laminine.info, 1 +laminsaho.tk, 1 +lamisionband.tk, 1 +lamleybrothers.co.uk, 1 +lammersmarketing.com, 1 +lammertbies.com, 1 +lammertbies.nl, 1 +lamminhquang.com, 1 +lamnea.se, 1 +lamontre.ru, 1 +lamorera.tk, 1 +lamorralla.tk, 1 +lamp.re, 0 +lampandlight.eu, 1 +lamparassevilla.com, 1 +lampbooks.gq, 1 +lampco.com, 1 +lampeetlumiere.fr, 1 +lampenlicht.be, 1 +lampenlicht.nl, 1 +lampenundleuchten.de, 1 +lamper-design.nl, 1 +lampertheimer-zeitung.de, 1 +lamplightvideo.com, 1 +lampposthomeschool.com, 1 +lamppostpublishing.com, 1 +lampsh.ml, 1 +lampsi.ru, 1 +lampyiswiatlo.pl, 1 +lamsa.tk, 1 +lamudi.ga, 1 +lamuixeranga.tk, 1 +lan-der.de, 1 +lan-der.net, 1 +lan-divy.com, 1 +lan-divy.fr, 1 +lan-x.no, 1 +lan.biz.tr, 1 +lan.re, 1 +lanabello.com.br, 1 +lanaengel.com, 1 +lanagiselle.net, 1 +lanahallen.com, 1 +lanailsupplies.com, 1 +lanaturedaure.com, 1 +lanausea.tk, 1 +lanbroa.eu, 1 +lancashirebeekeepers.org.uk, 1 +lancashirecca.org.uk, 1 +lancastercountysc.gov, 1 +lancasterma.gov, 1 +lancastertableandseating.com, 1 +lancastervillageny.gov, 1 +lance.com.br, 1 +lancea.pl, 1 +lancejames.com, 1 +lancelafontaine.com, 1 +lancelhoff.com, 1 +lancelucido.tk, 1 +lancemanion.com, 1 +lancerm.com, 1 +lancertactical.eu, 1 +lanceyip.com, 1 +lanchong.tk, 1 +lanconstruct.be, 1 +lancyvbc.ch, 0 +land.nrw, 0 +landart.tk, 1 +landassessmentservices.com, 1 +landbouwpowers.tk, 1 +landc.com.ua, 1 +landchecker.com.au, 1 +landcomputer.hu, 1 +landegge.nl, 1 +landell.ml, 1 +landers.com.au, 1 +landeseiten-optimieren.de, 1 +landfinity.com, 1 +landflair-magazin.de, 1 +landflirt.de, 1 +landforsale.co.il, 1 +landfrauen-hermetschwil.ch, 1 +landgoeddorrebeek.be, 1 +landgorilla.com, 1 +landindex.io, 1 +landinfo.no, 1 +landingtransport.com, 1 +landkind.com, 1 +landkreis-augsburg.de, 1 +landless-city.net, 1 +landloperfm.tk, 1 +landlordy.com, 1 +landmatrix.org, 0 +landofelves.net, 0 +landofmerlin.tk, 1 +landofoz.dynu.net, 1 +landoftherisingson.com, 0 +landoftile.com, 1 +landolakeswi.gov, 1 +landoncreekapartments.com, 1 +landonkhull.ddns.net, 1 +landoverhillsmd.gov, 1 +landroverexpo.com.au, 1 +landroveruganda.club, 1 +landscape-photography.org, 1 +landscapelightingagoura.com, 1 +landscapelightingagourahills.com, 1 +landscapelightingcalabasas.com, 1 +landscapelightingcamarillo.com, 1 +landscapelightingconejovalley.com, 1 +landscapelightingdosvientos.com, 1 +landscapelightinghiddenhills.com, 1 +landscapelightinglakesherwood.com, 1 +landscapelightingmalibu.com, 1 +landscapelightingmoorpark.com, 1 +landscapelightingnewburypark.com, 1 +landscapelightingoakpark.com, 1 +landscapelightingpacificpalisades.com, 1 +landscapelightingsimivalley.com, 1 +landscapelightingthousandoaks.com, 1 +landscapelightingwestlakevillage.com, 1 +landscapeloaners.ga, 1 +landscapeloanest.ga, 1 +landscapephotography.org.au, 1 +landscapesmore.com, 1 +landscaping-montreal.com, 1 +landscaping.ga, 1 +landscaping.gq, 1 +landscapingrepairers.ga, 1 +landsearch.com, 1 +landsforsale.co.il, 1 +landshaftnic.ru, 1 +landslide.tk, 1 +landtrack.com.au, 1 +landverliebt.de, 1 +landware.cf, 1 +landzicht.tk, 1 +lane.computer, 1 +lanefinder.com, 1 +lanehealth.com, 0 +lanetix.com, 1 +lang-php.com, 1 +langadeduero.tk, 1 +langages-programmation.tk, 1 +langapi.com, 1 +langatang.com, 1 +langauto.hu, 1 +langbein.org, 1 +langcom.org, 1 +langenberg.tk, 1 +langenu.tk, 1 +langer-bauwerk.de, 1 +langgasse-baar.ch, 1 +langhun.me, 1 +langley.tk, 1 +langleyok.gov, 1 +langleyporter.com, 1 +langlois-chateau.fr, 1 +langly.fr, 1 +langrock.info, 1 +langthaler.cc, 1 +langtonsant.es, 1 +languageatplay.de, 1 +languagecert.org, 1 +languagecourse.net, 1 +languageeducation.ml, 1 +languageguesser.com, 1 +languagekeyboard.net, 1 +languages.services, 1 +languagesandnumbers.com, 1 +languageterminal.com, 1 +langworth.com, 0 +langzeit-reisen.com, 1 +langzijn.nl, 1 +lanhhuyet510.tk, 1 +lanhydrockap.co.uk, 1 +lanispa.com, 1 +lankana.tk, 1 +lankarkivet.tk, 1 +lankatongtravel.lk, 1 +lanlaog.com, 1 +lanmail.tk, 1 +lanna.io, 1 +lannainnovation.com, 1 +lannamontessori.com, 1 +lannatefl.com, 1 +lanny.ga, 1 +lannywolfetrio.com, 1 +lanodan.eu, 1 +lanomina.net, 1 +lanostrasalute.it, 1 +lanoticia.com, 0 +lanourotteguiry.fr, 1 +lanparty.si, 1 +lanroamer.de, 1 +lansdell.family, 1 +lanselot.com, 1 +lansenou.com, 1 +lansilesia.tf, 1 +lansingtwpmi.gov, 1 +lansingvotes.gov, 1 +lansink.it, 1 +lansociety.org, 1 +lansoft.site, 1 +lansoftware.eu, 1 +lanternalauth.com, 1 +lanternhealth.org, 1 +lantian.pub, 1 +lanturtle.com, 1 +lanuitshanghai.ca, 1 +lanuovariviera.it, 1 +lanx.com.br, 1 +lanyang.tk, 1 +lanyards.com.au, 1 +lanyardsfactory.com.au, 0 +lanyundev.com, 1 +lanzalex.com, 1 +lanzamientovirtual.es, 1 +lanzarote.com, 1 +lanzastil.com, 1 +lao.dog, 1 +laobayy.com, 1 +laoctavadireccion.tk, 1 +laodongkynghi.info, 1 +laohei.org, 0 +laolaweb.tk, 1 +laoliang.ml, 1 +laomoss.com, 0 +laonawatersewerwi.gov, 1 +laonawi.gov, 1 +laorquestadelamemoria.tk, 1 +laospage.com, 1 +laostiaradio.tk, 1 +laotravoz.tk, 1 +laowang.run, 1 +laoying.tv, 1 +laozhu.me, 1 +lapageamelkor.org, 1 +lapaginadejuanjo.tk, 1 +lapaksulawesi.tk, 1 +lapakus.com, 1 +laparcela.tk, 1 +laparoscopyhospital.com, 1 +lapasticcerianaturale.store, 1 +lapatiala.com, 1 +lapazsheriff.org, 1 +lapcameradongnai.com, 1 +lapcamerahochiminh.com, 1 +lapcoversers.ga, 1 +lapcoversest.ga, 1 +lapdance.tk, 1 +lapeercountymi.gov, 1 +laperfumista.es, 1 +laperla-chemnitz.de, 1 +laperladelduero.tk, 1 +laperreraflamenca.tk, 1 +lapesbaldai.lt, 1 +lapetitefontaine.restaurant, 1 +lapicena.eu, 1 +lapina.tk, 1 +lapinas.com, 1 +lapinator.net, 1 +lapinmalin.tk, 1 +lapismagico.com, 1 +lapix.com.co, 1 +laplace.chat, 1 +laplace.live, 0 +laplace.network, 1 +lapland.shop, 1 +laplanquedujoueur.com, 1 +laplasadalsol.tk, 1 +laplazita.tk, 1 +lapluma.tk, 1 +lapolvora.ga, 1 +lapoly.ga, 1 +laponder.online, 1 +laponders.com, 1 +laporantercepat.com, 1 +laportedufutur.org, 1 +lapositiva.com.pe, 1 +lappari.com, 1 +lappersfort.tk, 1 +lapps.es, 1 +laprairiewi.gov, 1 +laprensadelasagradafamilia.org, 1 +lapseofsanity.net, 1 +lapshore.com, 1 +laptop-sewamurah.com, 1 +laptophub.net, 1 +laptopnaive.com, 1 +laptopnewbie.eu.org, 1 +laptoppowerjackinc.com, 1 +laptopsperu.com, 0 +laptopuri.tk, 1 +laptopvideo2go.com, 1 +laptopworld.dk, 1 +lapublicpress.org, 1 +lapulgaflamenco.com, 1 +laqira.io, 1 +laquestionviterepondue.com, 1 +lara-eu.org, 1 +larabergmann.de, 1 +larabouillere.fr, 1 +laracode.eu, 1 +laracumkitten.org, 1 +laradiorespuestas.tk, 1 +laraemarcos.ga, 1 +laraeph.com, 1 +larafabian.tk, 1 +larafoxx.org, 1 +laralove.org, 1 +laramewa.tk, 1 +laramiecountywy.gov, 1 +laramuredesmots.fr, 1 +laranjada.org, 1 +larasm.tk, 1 +laravel.software, 1 +laravelcommunity.asia, 1 +larawoodarts.com, 1 +larax.tk, 1 +larbertbaptist.org, 1 +larcaenviro.com, 1 +larch.gq, 1 +larche.org.pl, 1 +larchmontbuzz.com, 1 +larchmontny.gov, 1 +larcs.co.uk, 1 +lareclame.fr, 1 +lared-vps.ovh, 1 +lareduction.be, 1 +lareduction.ch, 1 +lareduction.fr, 1 +lareineboudoir.com, 1 +larepenger.no, 1 +larepublicacultural.es, 1 +larete.ch, 1 +large-print.ru, 1 +largerpweor.uk, 1 +largescaleforums.com, 1 +largest-soldiers.cf, 1 +largeviewer.com, 1 +laricameche.com, 0 +larifari.ch, 1 +larigami.de, 1 +larimarhomes.ca, 1 +larimer.gov, 1 +larimercolorado.gq, 1 +lariscus.eu, 1 +larkbury.com, 1 +larkenshine.com, 1 +larkeydesign.com, 1 +larkinkerluke.cf, 1 +larkleclear.com, 1 +larmenta.tk, 1 +laro.tk, 1 +larobba.ddns.net, 1 +laromlab.tk, 1 +larondenet.tk, 1 +larondinedisinfestazione.com, 1 +larosadelosvientos.tk, 1 +larotative.info, 1 +larousse-edu.fr, 1 +larpkalender.ch, 1 +larptreff.de, 1 +larry.buzz, 1 +larryandprisca.it, 1 +larryli.cn, 1 +larrysalibra.com, 1 +lars-kusch.de, 1 +lars-mense.de, 1 +lars-mielke.de, 0 +lars.cloud, 1 +lars.moi, 1 +lars.software, 1 +larsartmann.com, 1 +larsberglund.tk, 1 +larsentransfer.com, 1 +larser.tk, 1 +larseriksson.es, 1 +larsi.org, 1 +larsklene.nl, 1 +larsklint.com, 1 +larsm.org, 1 +larsnittve.tk, 1 +larsvontrier.tk, 1 +lartduportrait.fr, 1 +laruecountyky.gov, 1 +laruralevolution.gov, 1 +larver.tk, 1 +larvps.com, 1 +las-chichis.tk, 1 +las.so, 1 +las7verticales.tk, 1 +lasabina.it, 1 +lasalle.org.co, 1 +lasallecountyil.gov, 1 +lasandwicheriamedellin.com, 1 +lasanious.com, 1 +lasarmas.com, 1 +lasavonnerieducroisic.fr, 1 +lascana.co.uk, 1 +laschimeneas.com, 1 +laschoolpolice.gov, 1 +lascruces.gov, 1 +lasdelgadas.tk, 1 +lasept.com.ua, 1 +laser-toners.tk, 1 +lasercareestetica.com.br, 1 +lasercentral.com.au, 1 +lasercloud.ml, 1 +laserena.tk, 1 +lasereyess.net, 1 +laserhealthsolutions.com, 1 +laserplaza.de, 1 +laserplaza.net, 1 +laserpunch.tk, 1 +lasersolutions.tk, 1 +lasfolladoras.com, 1 +lasik-safely.com, 1 +lasinfusiones.com, 0 +lasiodora.tk, 1 +lasittellecosmetiques.com, 1 +lasix-medication.cf, 1 +lasix-medication.gq, 1 +lasix-medication.tk, 1 +lask.in, 1 +laslilas.tk, 1 +laslo-hauschild.eu, 1 +lasmallbizonline.gov, 1 +lasmesas.tk, 1 +lasmoarquitectos.com, 1 +lasmorfianapoletana.com, 1 +lasofertas.tk, 1 +lasourisglobe-trotteuse.tk, 1 +laspalmerasdelnorte.tk, 1 +laspeligrosas.tk, 1 +laspeludas.tk, 1 +laspequenassemillas.com, 1 +laspirale.tk, 1 +laspoesias.com, 1 +lasrecetasdeguada.com, 1 +lasse-boberg.tk, 1 +lasse-it.dk, 0 +lasseaktiv.art, 1 +lasseaktiv.com, 1 +lasseaktiv.es, 1 +lasseleegaard.com, 1 +lasseleegaard.dk, 1 +lasseleegaard.net, 1 +lasseleegaard.org, 1 +lassencanyonnursery.com, 1 +lassencoe.gov, 1 +lassesworld.com, 1 +lassesworld.se, 1 +lassiutriainen.fi, 1 +lassovideos.com, 1 +lasst-uns-beten.de, 1 +last-strike.org, 1 +lastallaexotics.com, 1 +lastation.ca, 1 +lastbooks.gq, 1 +lastcast.bg, 1 +lastenrad-gifhorn.de, 1 +lastingmarksers.ga, 1 +lastingmarksest.ga, 1 +lastingsmiles.org, 1 +lastkaj14.tk, 1 +lastlowtest.tk, 1 +lastmile.ml, 1 +lastminutehealthcare.com, 1 +lastmohicans.tk, 1 +lastorder.icu, 1 +lastorderguild.tk, 1 +lastorders.tk, 1 +lastoriadellecose.tk, 1 +lastpass.com, 0 +lastrada.tk, 1 +lastrik.ch, 1 +lastsunset.tk, 1 +lasttokengaming.com, 1 +lasttootinaws.com, 1 +lasttweetinaws.com, 1 +lastville.com, 1 +lastwill.ie, 1 +lasvegascasinonews.com, 1 +lasvegasdiscountattractions.com, 1 +lasvegasfit.org, 1 +lasvegasnevada.gov, 1 +laszlo.sh, 1 +laszloinstitute.com, 1 +laszlotamas.hu, 1 +lat.sk, 1 +lata.my, 1 +latabledebry.be, 1 +latahcountyid.gov, 1 +latakuta.com, 1 +latanadelpolpo.it, 1 +latardeurbana.cf, 1 +latardeurbana.ga, 1 +latardeurbana.gq, 1 +latardeurbana.ml, 1 +latardeurbana.tk, 1 +latchplus.com, 1 +late.am, 0 +lateams.ml, 1 +latecnosfera.com, 1 +latedeals.co.uk, 1 +latedecisioners.ga, 1 +latedecisionest.ga, 1 +latefeeking.com, 1 +latefeeking.net, 1 +latefeeking.org, 1 +latelatetoyshow.ie, 1 +lateliercantaldeco.fr, 1 +lateliercreationbougie.fr, 1 +latemarch.com, 1 +laten.tk, 1 +latenitefilms.com, 0 +latentviewanalytics.com, 1 +lateral.dog, 1 +lateralsecurity.com, 0 +lateraltrust.com, 1 +laterremotodealcorcon.tk, 1 +latestbitcoinnews.io, 1 +latestbitcoinnews.org, 1 +latestcoin.tk, 1 +latestimmigrationnews.today, 1 +latestjobhub.in, 1 +latestmobiles.tk, 1 +latestnewsonworld.tk, 1 +latestnewstelugu.com, 1 +latestpornvideos.com, 1 +latestsonglyrics.ml, 1 +latetrain.cn, 1 +latexmattress.com, 1 +latexspuitenspecialist.nl, 1 +lathamlabs.com, 1 +lathamlabs.net, 1 +lathamlabs.org, 1 +lathamwatkinsplatform.com, 1 +latherjacket.com, 1 +latia.tk, 1 +latiamona.com, 1 +latiendawapa.com, 1 +latifolia.com, 1 +latinacon.com, 1 +latinapress.it, 1 +latinatoday.it, 1 +latinmusiccollection.tk, 1 +latinoguysporn.com, 1 +latintoy.com, 0 +latinwomen.tk, 1 +latitudesign.com, 0 +latka.tk, 1 +latnetwork.com, 1 +latoken.com, 1 +latos.tk, 1 +latour-managedcare.ch, 1 +latourist.com, 1 +latremebunda.com, 1 +latrobefinancial.com.cn, 1 +latrynchera.tk, 1 +latticepointconsulting.com, 1 +lattyware.co.uk, 1 +lattyware.com, 1 +latuadro.ga, 1 +latvenergo.lv, 1 +latviaonline.tk, 1 +latvijasvejaparki.lv, 1 +latymer.co.uk, 1 +laubacher.io, 1 +laube-school.com, 1 +laubo.tk, 1 +lauchundei.at, 1 +laud.io, 1 +laudableapps.com, 1 +laudablesites.com, 1 +laudlab.de, 1 +laudon.nl, 1 +laudwein.fr, 1 +laufpix.de, 1 +lauftreff-himmelgeist.de, 0 +laugarvatn.com, 1 +laughinggrapepublishing.com, 1 +laughingloon.com, 1 +laughlinfss.com, 1 +laughlinfss.marketing, 1 +laukstein.com, 1 +laultimaestacion.tk, 1 +launchfinderers.ga, 1 +launchfinderest.ga, 1 +launchgroup.com.au, 1 +launchindonesia.com, 1 +launchpad-app2.com, 1 +launchpadder2.com, 1 +laundrylessonsers.ga, 1 +laundrylessonsest.ga, 1 +laundryshoplocator.com, 1 +laupapk.edu.ee, 1 +laura.network, 1 +lauraandwill.wedding, 0 +laurable.com, 1 +lauradavis.net, 1 +lauraenvoyage.fr, 1 +laurahausmann.de, 1 +laurainnes.tk, 1 +laurakashiwase.com, 1 +laurakentowski.com, 1 +lauralaurant.tk, 1 +lauralinde.de, 1 +lauraohagan.com, 1 +laurasplacefamilysupport.org.au, 1 +laurateen.net, 1 +lauravaindumentaria.com, 1 +laureadesigns.com, 1 +laureaty.tk, 1 +laurelcountycorrectionsky.gov, 1 +laurelcountysheriff.gov, 1 +laurelmd.gov, 1 +lauren.gq, 1 +laurenball.com, 1 +laurencball.com, 1 +laurenceandumehltd.com, 1 +laurencesmits.com, 0 +laurenell.com, 1 +laurenleesmith.tk, 1 +laurenlobue.com, 1 +laurenslatest.com, 1 +laurensvanderblom.nl, 1 +laurentfinance.com, 1 +laurentianlanes.com, 1 +lauresta.lt, 1 +lauresta.lv, 1 +lauretta.io, 1 +lauriane-garcia.avocat.fr, 1 +laurikari.net, 1 +laurindale.tk, 1 +laurineprice.com, 1 +laurinhaepaulo.ga, 1 +lauriuc.sk, 1 +lausannedentiste.ch, 0 +lausannelovers.ch, 0 +laut.digital, 1 +lautremode.com, 0 +lauxincost.cf, 1 +lauzon-hitter.com, 1 +lava.moe, 1 +lavabit.com, 1 +lavabit.no, 1 +lavaggio.it, 1 +lavaggista.it, 1 +lavaldostana.es, 1 +lavalledelgusto.it, 1 +lavalon.tk, 1 +lavamine.tk, 1 +lavamob.com, 1 +lavamobiles.com, 1 +lavanderia.it, 1 +lavanderia.roma.it, 1 +lavarex.co.jp, 1 +lavasing.eu.org, 1 +lavavetri.it, 1 +lavdiazofficial.tk, 1 +laveg.edu.ee, 1 +lavenderx.org, 1 +laventura.tk, 1 +lavhire.tk, 1 +laviaregia.com, 1 +laviedalex.ovh, 1 +lavinaec.com, 1 +lavinya.net, 1 +laviro.tk, 1 +lavish.co.id, 1 +lavita.de, 1 +lavitagarden.tk, 1 +lavka.cf, 1 +lavkafreida.ru, 1 +lavki.tk, 1 +lavndor.net, 1 +lavocedelviolino.it, 1 +lavochka.tk, 1 +lavoieducoeur.be, 1 +lavoiepharmd.com, 1 +lavoixdesmigraineux.fr, 1 +lavoniaga.gov, 1 +lavontx.gov, 1 +lavote.gov, 1 +lavozdelamusicachilena.tk, 1 +lavozderanquil.tk, 1 +lavril.fr, 1 +law-ag.com, 1 +law-colleges.com, 1 +law-moshkovich.co.il, 1 +law-peters.de, 1 +law-profile.com, 1 +law-zur.co.il, 1 +law.co.il, 1 +law.kg, 1 +law22.com, 1 +lawabidingcactus.com, 1 +lawandtheworkplace.com, 1 +lawcancer.cf, 1 +lawcer.com, 1 +lawcover.com.au, 1 +lawda.ml, 1 +lawdepot.ca, 1 +lawebdeljose.tk, 1 +lawebnobasta.tk, 1 +lawebstar.it, 1 +lawenforcementedu.net, 1 +lawfirmyashajustice.co.id, 1 +lawflaws.com, 1 +lawguidesingapore.com, 1 +lawhery.com, 1 +lawinorder.com, 1 +lawinorder.com.au, 1 +lawlessenglish.com, 1 +lawlessfrench.com, 1 +lawlessitalian.com, 1 +lawlessspanish.com, 1 +lawluxury.com, 1 +lawma.one, 1 +lawmint.com, 1 +lawn-seeds.com, 1 +lawnandordercs.com, 1 +lawnenvyva.com, 1 +lawnkitsers.ga, 1 +lawnkitsest.ga, 1 +lawnlessonsers.ga, 1 +lawnlessonsest.ga, 1 +lawnsearchers.ga, 1 +lawnsearchest.ga, 1 +lawnuk.com, 1 +lawpay.com, 1 +lawportal.com.ua, 1 +lawrad.com, 1 +lawrenca.com, 1 +lawrence-institute.com, 1 +lawrence.one, 1 +lawrencebaker.me, 1 +lawrenceberg.nl, 1 +lawrenceclarkemd.com, 1 +lawrencecountyboe-ohio.gov, 1 +lawrencecountyky.gov, 1 +lawrencecountymo.gov, 1 +lawrencecountymo911.gov, 1 +lawrencecountypa.gov, 1 +lawrencecountysd.gov, 1 +lawrencemurgatroyd.com, 1 +lawrencewhiteside.com, 1 +lawrencewi.gov, 1 +lawsoner.tk, 1 +lawsuit.tk, 1 +lawsuitconsultanters.ga, 1 +lawsuitconsultantest.ga, 1 +lawtimesnews.com, 1 +lawton-is.com, 1 +lawvize.com, 1 +lawyer.cf, 1 +lawyerboksburg.co.za, 1 +lawyerdigital.co.bw, 1 +lawyeredu.org, 1 +lawyermidrand.co.za, 1 +lawyerscredentialsers.ga, 1 +lawyerscredentialsest.ga, 1 +lawyerscreenerers.ga, 1 +lawyerscreenerest.ga, 1 +lawyersofmissouri.com, 1 +lawzakon.tk, 1 +lawzana.com, 1 +lawzava.com, 1 +laxaf.com, 1 +laxxl.com, 1 +layan-luxurylighting.com, 1 +layazc.com, 1 +laycock.org.uk, 1 +layer.it, 1 +layermesh.net, 1 +layers.media, 1 +layflamso.tk, 1 +laylo.io, 1 +laylo.nl, 1 +laymans911.info, 1 +layoutsatzunddruck.de, 1 +layt.org, 1 +laythetable.com, 1 +layxw.com, 1 +lazarus.es, 1 +lazarusalliance.com, 1 +lazell.de, 1 +lazell.uk, 1 +lazer.cf, 1 +lazerepilasyonankara.tk, 1 +lazerinitiative.org, 1 +lazerus.net, 1 +lazerus.pw, 1 +lazibeach.tk, 1 +lazionews24.com, 1 +lazisbaiturrahman.org, 1 +lazismuprovgorontalo.or.id, 0 +lazistance.com, 1 +lazo.futbol, 1 +lazonacartagena.tk, 1 +lazonita.tk, 1 +lazorgun.com, 1 +lazosamericaunida.org, 1 +lazosargentina.tk, 1 +lazoscollection.com, 1 +lazowik.pl, 1 +lazownik.pl, 1 +lazudi.com, 1 +lazulu.com, 1 +lazurit.com, 0 +lazyboston.com, 1 +lazyhelp.com, 1 +lazynap.com, 1 +lazysoftware.fr, 1 +lazytapir.com, 1 +lazytux.org, 1 +lazywaves.tk, 1 +lazzo.ml, 1 +lazzzy.com, 1 +lb-music.tk, 1 +lb-toner.de, 1 +lb366.cc, 1 +lba-rpg.tk, 1 +lbarrios.es, 1 +lbayer.com, 1 +lbbw-markets.de, 1 +lbc-podcast.tk, 1 +lbc.gr, 1 +lbda.net, 1 +lbhpartners.com, 1 +lbi-pg.fr, 1 +lbihrhelpdesk.com, 1 +lbio.nl, 1 +lbj.tw, 1 +lbjlibrary.gov, 1 +lbk.vn, 1 +lbls.me, 0 +lbofrance.com, 1 +lbpc.pro, 0 +lbrlh.tk, 1 +lbrli.tk, 1 +lbrls.tk, 1 +lbsg.be, 1 +lbsgroup.co.uk, 1 +lbshoes.bg, 1 +lbwl.com, 1 +lc-cs.com, 0 +lc-promiss.de, 1 +lc-suites.gr, 1 +lc040.com, 1 +lc08080.com, 1 +lc18.vip, 1 +lc3720.com, 0 +lc3736.com, 1 +lc3744.com, 1 +lc3745.com, 1 +lc3759.com, 1 +lc50000.com, 0 +lc58588.com, 0 +lc6601.com, 1 +lc6603.com, 1 +lc6607.com, 1 +lc6632.com, 1 +lc6656.com, 1 +lc6659.com, 1 +lc6665.com, 1 +lc6686.com, 1 +lc7.fun, 1 +lc8005.com, 1 +lc80802.com, 1 +lc80805.com, 1 +lc80806.com, 1 +lc80807.com, 1 +lc80810.com, 1 +lc80811.com, 1 +lc80812.com, 1 +lc80814.com, 1 +lc80815.com, 1 +lc80816.com, 1 +lc80817.com, 1 +lc80820.com, 1 +lc859.com, 0 +lc862.com, 1 +lc863.com, 1 +lc869.com, 1 +lc871.com, 0 +lc873.com, 0 +lc875.com, 0 +lc879.com, 0 +lc8812.com, 1 +lc8820.com, 0 +lc8839.com, 1 +lc8841.com, 1 +lc8881.com, 0 +lc8885.com, 0 +lc8887.com, 0 +lc891.com, 0 +lc897.com, 1 +lc8c.com, 1 +lc8guidance.com, 1 +lc9108.com, 1 +lc9256.com, 0 +lc98.net, 1 +lc9852.com, 1 +lc9862.com, 1 +lc9899.com, 1 +lc9900.com, 1 +lc9910.com, 1 +lc9920.com, 1 +lc9930.com, 1 +lc9940.com, 1 +lc9950.com, 1 +lca.gov, 1 +lcacommons.gov, 1 +lcaonline.tk, 1 +lccwillcounty.gov, 1 +lcdchart.com, 1 +lcdf.education, 1 +lce-events.com, 1 +lcemsami.gov, 1 +lcfwasa.gov, 1 +lcgaj.com, 1 +lcgyfj.com, 1 +lchardingplumbing.com.au, 1 +lcht.ch, 0 +lchtraf.com, 1 +lcistit.ru, 1 +lcl-cargo.ru, 1 +lclarkpdx.com, 1 +lclnet.de, 1 +lcnwallet.com, 1 +lcnxp.com, 1 +lcr94.org, 1 +lcrehlingen.de, 1 +lcrmscp.gov, 1 +lcs.wiki, 1 +lcsoftware.tk, 1 +lcsomo.gov, 1 +lcti.biz, 1 +lcv-psi.com, 1 +lcv-psi.com.br, 1 +lcv.bio, 1 +lcv.email, 1 +lcv.gay, 1 +lcv.lgbt, 1 +lcv.one, 1 +lcv.psc.br, 1 +lcv.rio.br, 1 +lcvip5.com, 1 +lcvip6.com, 1 +lcvip8.com, 1 +lcvleo.net, 1 +lcvmail.com, 1 +lcvmasker.com, 1 +lcvpsi.com.br, 1 +lcvtech.net, 1 +lcwater.com.tw, 1 +lcwc911pa.gov, 1 +lcwebsite.cn, 1 +lcx.cc, 1 +lcy.cat, 1 +lcy.moe, 1 +ld-begunjscica.si, 1 +ldcraft.pw, 1 +lddr.io, 1 +ldemb.com, 1 +ldesignweb.com, 1 +ldgardenservices.co.uk, 1 +ldiesel.ca, 1 +ldjb.jp, 1 +ldlcorrentes.com.br, 1 +ldlorangecountylocksmith.com, 1 +ldm2468.com, 1 +ldsvoicesoftherestoration.com, 1 +ldtborovina.cz, 1 +ldts.es, 1 +ldts.us, 1 +ldtv.top, 1 +ldvsoft.net, 0 +ldwiki.ml, 1 +le-13.fr, 1 +le-bar.org, 1 +le-caprice.co.uk, 1 +le-clos-st-loup.fr, 1 +le-club.co, 1 +le-controle-parental.fr, 1 +le-creux-du-van.ch, 0 +le-drive-de-just-vet.fr, 1 +le-forum.tk, 1 +le-fumoir.com, 1 +le-h.de, 1 +le-marais.be, 1 +le-page.info, 0 +le-palantir.com, 1 +le-parrain-boursorama.fr, 1 +le-reso.com, 1 +le-romien.tk, 1 +le-stroke-of-genius.com, 1 +le-tempo.com, 1 +le-therapeute.com, 1 +le-upfitter.com, 1 +le-vario.net, 1 +le0n.ddns.net, 1 +le0yn.ml, 1 +le130rb.com, 1 +le20dinant.be, 1 +le42mars.fr, 1 +lea.pet, 0 +lead2022.academy, 1 +leadbook.ru, 1 +leadbox.cz, 1 +leadcalyx.com, 1 +leadcricket.com, 1 +leadercreative.ga, 1 +leaderfreight.tk, 1 +leadergamer.com.tr, 1 +leaderinnetflow.com, 1 +leaderoftheresistance.com, 0 +leaderoftheresistance.net, 0 +leadersaudit.ga, 1 +leadership-insight.nz, 1 +leadgem.co.uk, 1 +leadgenie.me, 1 +leadinforce.com, 1 +leadmusic.nl, 1 +leadnxt.co.in, 1 +leadnxt.com, 1 +leadonvale-stemcell.co.uk, 1 +leadplus.com.au, 1 +leadplusdev.com.au, 1 +leadquest.nl, 1 +leadsformoney.tk, 1 +leadsonline.com, 1 +leadvales.com, 1 +leaf-nail.com, 1 +leafandseed.co.uk, 1 +leafans.tk, 0 +leafbodhi.com, 1 +leafinote.com, 1 +leafinote.net, 1 +leafland.co.nz, 1 +leafletdistributionmanchester.com, 1 +leafos.org, 1 +leaftracker.org, 1 +leafurban.com, 1 +leaguecitytexas.gov, 1 +leak.media, 1 +leakbrasil.tk, 1 +leakcontroltherapy.com, 1 +leakedbabes.tv, 1 +leakedminecraft.net, 1 +leakfix.nl, 1 +leaknet.tk, 1 +leales.org, 1 +lealove.net, 1 +lealuestern.com, 1 +lean-consulting.cf, 1 +leandoo.com, 1 +leandre.cn, 1 +leandrebergeron.com, 1 +leandri-campana-avocat.fr, 1 +leandromarcolino.tk, 1 +leandromoreno.co, 1 +leanheat.fi, 1 +leanovent.cloud, 1 +leanovent.de, 1 +leanrtech.com, 1 +leansixsigmadefinition.com, 1 +leaodarodesia.com.br, 1 +leap-mission.com, 1 +leapandjump.co.uk, 1 +leapday.us, 1 +leapworks.io, 1 +leapxx.pro, 1 +lear.com.br, 1 +lear.com.ua, 1 +leardev.de, 1 +learn-everything.info, 1 +learn-freely.com, 1 +learn-smart.uk, 1 +learn-this.tk, 1 +learn2fly.training, 1 +learnapp.com, 1 +learnatf.gov, 1 +learnattack.de, 1 +learncoding.tk, 1 +learncrypto.live, 1 +learncrypto.show, 1 +learndoj.gov, 1 +learnedhacker.com, 1 +learnerdriving.com, 1 +learnforestry.com, 1 +learnhowtoplayguitar.tk, 1 +learning-id.com, 1 +learningaboutcarinsurance.com, 1 +learningis1.st, 1 +learningisprogress.com, 1 +learningladderacademy.net, 1 +learninglaw.com, 1 +learningman.top, 1 +learningsolution.tk, 1 +learnjapanesedaily.com, 1 +learnk12.org, 1 +learnlux.com, 1 +learnosity.com, 1 +learnoutlive.com, 1 +learnpedestal.com, 1 +learnpianogreece.com, 1 +learnpine.com, 0 +learnplayground.com, 1 +learnpythonthehardway.org, 1 +learnsafe.com, 1 +learnspace.co.za, 1 +learntamil.tk, 1 +learnthetruth.tk, 1 +learntobeonline.com, 1 +learntofly.tk, 1 +learntosurfcaparica.com, 1 +learntosurflisbon.com, 1 +learntotradethemarket.com, 1 +learntube.cz, 0 +learnupon.com, 1 +learnwelsh.cymru, 1 +learnwithcorne.com, 1 +leasecar.uk, 1 +leaseit24.com, 1 +leaselink.pl, 1 +leasenow.tk, 1 +leaseourthings.com, 1 +leaseplanbank.de, 1 +leaseplanbank.nl, 1 +leasing.my, 1 +leasing.sos.pl, 1 +leasit.de, 1 +leastsignificantbit.de, 1 +leather-underwear.tk, 1 +leather.io, 0 +leathercollection.co.uk, 1 +leathercollection.de, 1 +leathercollection.es, 1 +leathercollection.fr, 1 +leatherfur.tk, 1 +leatherfurnitureexpo.com, 1 +leathergoods.tk, 1 +leathersofacleaning.co.uk, 1 +leatherstreet.tk, 1 +leatherwill.com.ua, 1 +leauda.fr, 1 +leavealink.tk, 1 +leavenworthcounty.gov, 1 +leaving.africa, 1 +lebabyfoot.fr, 1 +lebal.se, 1 +lebanesearmy.gov.lb, 1 +lebaneseastronomygroup.tk, 1 +lebanoncountypa.gov, 1 +lebanondodgewi.gov, 1 +lebanonfireoregon.gov, 1 +lebanonoregon.gov, 1 +lebanonscafe.com, 1 +lebarbatruc.com, 1 +lebarmode.fr, 1 +lebarmy.gov.lb, 1 +lebarmy.org, 1 +lebeachvillage.com, 1 +lebedovskiy.tk, 1 +leben-pflegen.ch, 1 +lebendige-heilkunst.de, 1 +lebenpflegen-march.ch, 1 +lebenpflegen.ch, 1 +lebens-fluss.at, 1 +lebenshilfe-hannover.de, 1 +lebensinselparaguay.tk, 1 +lebensmittelwarnung.de, 1 +lebesis.tk, 1 +lebihan.pl, 1 +lebkuchen-schmidt.com, 1 +leblanc.io, 0 +leblancq.ca, 1 +leblob.fr, 1 +leblogdumineur.fr, 1 +lebonheurdesgens.com, 1 +lebourgeo.is, 1 +lebozec.org, 1 +lebureau.tk, 1 +lebuys.ca, 1 +lebv.org, 1 +lecandide.info, 1 +lecannabis.at, 1 +lecannabiste.com, 1 +lecannabiste.fr, 1 +lecatal.ca, 1 +leccamilafi.ga, 1 +lecceprima.it, 1 +lecciculturadelvino.it, 1 +leccotoday.it, 1 +lecercleguimard.fr, 1 +lechateaurestaurant.com, 1 +lechaudrondupertuis.ch, 1 +lecheng.in, 1 +lecheng2.com, 1 +lecheng3.com, 1 +lecheng5288.com, 1 +lecheng7.com, 1 +lecheng88.com, 1 +lecheng88.net, 0 +lechenietravami.cf, 1 +lechim-prosto.ru, 1 +lechite.ga, 1 +lechocolatier.com, 1 +lechompenchaine.fr, 1 +lechrismaran.com, 1 +lecken.tk, 1 +leckererezepte.ch, 1 +leclaire.com.br, 1 +leclercbrico.fr, 1 +lecoinchocolat.com, 1 +lecoindufeuhabitat.com, 1 +leconnecteur-biarritz.fr, 1 +lecourriercauchois.fr, 1 +lecrayondemarz.com, 0 +lecreative.tk, 1 +lecteurs.com, 0 +lectormanga.top, 1 +lecturaweb.tk, 1 +lecul.site, 1 +led-sk.ru, 1 +led.xyz, 0 +ledburyvets.co.uk, 1 +leddeluxe.ml, 1 +leddingplasticsurgery.com, 1 +ledebergleeft.be, 1 +ledecologie.com.br, 1 +ledeguisement.com, 1 +ledensite.com, 1 +lederjackekaufen.tk, 1 +ledgerscope.net, 0 +ledigajobb.se, 1 +ledlampor365.se, 1 +ledlight.com, 1 +lednavi.de, 1 +ledpartyfloors.com, 1 +ledscontato.com.br, 1 +ledshop.mx, 1 +ledspadova.eu, 1 +leducq.eu, 1 +leducq.name, 1 +leduquwiki.cf, 1 +ledvalgustid.ee, 1 +ledwit.ru, 1 +lee.in, 1 +lee.net, 1 +lee.nl.eu.org, 1 +leeaaronsrealestate.com, 1 +leeapk.com, 1 +leebiblestudycenter.co.uk, 1 +leebiblestudycenter.com, 1 +leebiblestudycentre.com, 1 +leebiblestudycentre.org, 1 +leebladon.com, 1 +leebruce.tk, 1 +leech.ga, 1 +leech.tk, 1 +leeclemens.net, 0 +leecountyfl.gov, 1 +leecountyil.gov, 1 +leecountync.gov, 1 +leedsmoneyman.com, 1 +leee.eu.org, 1 +leee.nl.eu.org, 1 +leefbaargijzegem.be, 1 +leefbaarkrimpen.nl, 0 +leefgratis.tk, 1 +leefindlow.com, 1 +leefjongeren.nl, 1 +leefl.gov, 1 +leekimball.com, 1 +leekspin.ml, 1 +leekspin.tk, 1 +leelanautownshipmi.gov, 1 +leelaylay.com, 1 +leelou.wedding, 1 +leeman.nl, 1 +leen.io, 0 +leena.ai, 1 +leenaluhtanen.net, 1 +leendebroekertfonds.nl, 1 +leere.me, 1 +leerkotte.eu, 1 +leerliga.de, 1 +leerob.io, 1 +leerox.co, 1 +leertipp.de, 1 +leeryan.tk, 1 +leesilvey.com, 0 +leet2.com, 1 +leetbunny.tk, 1 +leetcode.com, 1 +leetcode.net, 1 +leetizia.net, 1 +leetsuliangkkproduction.tk, 1 +leevealdc.com, 1 +leeyoungaeph.tk, 1 +lefaivre-ferry.ca, 1 +lefarsankids.com.br, 1 +lefcoaching.nl, 1 +lefebvristes.com, 1 +lefebvristes.fr, 1 +lefevre-ec.fr, 1 +lefichier.net, 1 +lefilradio.fr, 1 +leflorecountyok.gov, 1 +leflox.cf, 1 +lefonddeloeil.com, 0 +lefreka.fr, 1 +lefroyee.com, 1 +left-baggage.co.uk, 1 +left.it, 1 +leftbrainsolutions.com.au, 1 +leftclick.cloud, 1 +leftcoasthauling.com, 1 +lefthandwater.gov, 1 +lefucine.com, 1 +lega-dental.com, 1 +legacktem.com, 1 +legacy.bank, 1 +legacydriving.co.za, 1 +legacyfarmstx.com, 1 +legacygame.ga, 1 +legacygame.gq, 1 +legacyofkain.tk, 1 +legacysoft.ml, 1 +legacyumc.org, 1 +legadental.com, 1 +legadosindumentaria.com.ar, 1 +legaillart.fr, 1 +legal-aid.tk, 1 +legal-eye.co.uk, 1 +legalagenda.ga, 1 +legalanchor.ga, 1 +legalatlanta.com, 1 +legalatlantic.ga, 1 +legalband.club, 1 +legalbeagle.com.hk, 1 +legalbeagles.info, 1 +legalbeast.ga, 1 +legalbetcanada.com, 1 +legalcalculator.ga, 1 +legalcanal.ga, 1 +legalcellar.ga, 1 +legalcircus.ga, 1 +legalclearance.ga, 1 +legalco.tk, 1 +legalcollector.ga, 1 +legalconnect.com, 1 +legalconstruct.ga, 1 +legalcorner.com, 1 +legalcorporation.ga, 1 +legalcrunch.ga, 1 +legalcrystal.ga, 1 +legalcustom.ga, 1 +legaldelta.ga, 1 +legaldish.ga, 1 +legaldodge.ga, 1 +legalebony.ga, 1 +legalecasinosnederland.nl, 1 +legalepic.ga, 1 +legaleus.co.uk, 1 +legalfalcon.ga, 1 +legalfighter.ga, 1 +legalflavor.ga, 1 +legalglamour.ga, 1 +legalglory.ga, 1 +legalgoddess.ga, 1 +legalgrace.ga, 1 +legalhandy.ga, 1 +legalhotrod.ga, 1 +legalhusky.ga, 1 +legalintergrity.ga, 1 +legalis.pl, 1 +legalisierung.tk, 1 +legalit.es, 1 +legaliz.ml, 1 +legalizeit.tk, 1 +legaljewel.ga, 1 +legaljoker.ga, 1 +legalloco.ga, 1 +legallowprice.ga, 1 +legalmatche.ga, 1 +legalmillions.ga, 1 +legalnations.ga, 1 +legalne-kasyna.com, 1 +legalnews.cf, 1 +legalnews.ml, 1 +legalnorthamerican.ga, 1 +legaloriginal.ga, 1 +legalphase.ga, 1 +legalpicker.ga, 1 +legalpickup.ga, 1 +legalplace.fr, 1 +legalplatinum.ga, 1 +legalpremier.ga, 1 +legalprestige.ga, 1 +legalpro.tk, 1 +legalpronto.ga, 1 +legalrapid.ga, 1 +legalrazor.ga, 1 +legalremarkable.ga, 1 +legalrobot-uat.com, 1 +legalrobot.com, 1 +legalrule.ga, 1 +legalsample.ga, 1 +legalsearch.nl, 1 +legalservicespanel.gov.au, 1 +legalsoldier.ga, 1 +legalsouthbeach.ga, 1 +legalsrit.tk, 1 +legalsustain.ga, 1 +legalthunder.ga, 1 +legaltings.com, 1 +legaltip.eu, 1 +legaltity.com, 1 +legaltreasure.ga, 1 +legalunique.ga, 1 +legalverde.ga, 1 +legalwaterfront.ga, 1 +legalyankee.ga, 1 +legamedamore.net, 1 +legato.marketing, 1 +legatofmrc.fr, 1 +legatrace.com, 1 +legba.in, 1 +legeaz.net, 1 +legen.sk, 1 +legend-of-pirates.tk, 1 +legendblogers.ga, 1 +legendblogest.ga, 1 +legendesdechine.ch, 0 +legendgrafix.tk, 1 +legendofdragoon.org, 1 +legendofkrystal.com, 1 +legendofmi.com, 1 +legends-game.ru, 0 +legendtourism.com, 1 +legendwiki.com, 1 +legentic.com, 1 +leger-voertuigen.tk, 1 +legere.info, 1 +leggyeggy.ga, 1 +legible.es, 1 +legilimens.de, 1 +legiofte.com, 1 +legioiedifrancy.com, 1 +legion.ge, 1 +legionisci.com, 1 +legioniv.org, 1 +legions.tk, 1 +legionwood.tk, 1 +legiscontabilidade.com.br, 1 +legislationupdateservice.co.uk, 1 +legit.nz, 1 +legitedelaguiole.com, 1 +legitedeprecy.com, 1 +legkie-recepty.tk, 1 +legko-pohudet.cf, 1 +legko-pohudet.ml, 1 +legko-pohudet.tk, 1 +legna.roma.it, 1 +legnami24.it, 1 +legoktm.com, 1 +legoutcheznous.com, 1 +legoutdesplantes.be, 1 +legow.tk, 1 +legowerewolf.net, 1 +legrand-ia.gov, 1 +legrandvtc.fr, 1 +legrimoiredessenteurs.fr, 1 +legro.tk, 1 +legrub.net, 1 +legtech.lu, 1 +legterm.cz, 1 +leguano-barfusspark.eu, 1 +legyenkianegykereked.hu, 1 +lehifibernetwork.gov, 1 +lehighcountypa.gov, 1 +lehighvalleypeds.com, 1 +lehmanns.de, 1 +lehmitz-weinstuben.de, 1 +lehnc.ddns.net, 1 +lehokolo.eu, 1 +lehollandaisvolant.net, 1 +lehrgang-zum-brandschutzhelfer.de, 1 +lehu.in, 1 +lehvyn.org, 0 +leia.cc, 1 +leibniz-gymnasium-altdorf.de, 1 +leibniz-trifft.de, 1 +leibniztrifft.de, 1 +leicabiosystems.com, 1 +leicester.bike, 1 +leicesterastronomicalsociety.co.uk, 1 +leicestermoneyman.com, 1 +leicestervt.gov, 1 +leidegoncalves.com, 0 +leideninternationalreview.com, 1 +leier.ml, 1 +leighneithardt.com, 1 +leignier.org, 1 +leilaelu.com.br, 1 +leilakaleva.fi, 1 +leilautourdumon.de, 1 +leilonorte.com, 1 +leiming.co, 1 +leipzig.photo, 1 +leipziger-triathlon.de, 1 +leism.com, 1 +leism.de, 1 +leism.eu, 1 +leism.net, 1 +leism.org, 1 +leismail.com, 1 +leismann.sbs, 1 +leismann.tel, 1 +leismann.uk, 1 +leisure-blog.com, 1 +leisure-supplies-show.co.uk, 1 +leisure.cf, 1 +leisure.ga, 1 +leisure.tk, 1 +leisurecooker.co.uk, 1 +leisurecooker.ie, 1 +leisurevip.com, 1 +leit.kr, 1 +leitz-cloud.com, 1 +leiyinan.com, 1 +lejardindesmesanges.fr, 1 +lejlax.com, 1 +lejournaldublog.com, 1 +lekarkabajkopisarka.pl, 1 +lekarz-wizyty.pl, 1 +lekasedgar.com, 1 +lekitable.fr, 1 +lekkergoings.nl, 1 +leko.tk, 1 +lekota.co.uk, 1 +leksi.si, 1 +lektier.cf, 1 +lel.lol, 1 +leladesign.it, 1 +lelehei.com, 1 +leleimports.store, 1 +leliekerk.nl, 1 +leliveld.nl, 1 +leliveld.org, 1 +lellek.at, 1 +lellikellyshop.bg, 1 +lellyboi.ml, 1 +lelo.com.pl, 1 +lelubre.info, 1 +lelulove.net, 1 +lelux.net, 1 +lelux.site, 1 +lem0n.eu.org, 1 +lemarcheelagrandeguerra.it, 1 +lemarquier.com, 1 +lemasdupalus.com, 1 +lemat.de, 1 +lemazol.fr, 1 +lemberg.ml, 1 +lemco.dk, 1 +lemedecin.fr, 1 +lemediajustice.fr, 1 +lemediateur-creditagricole-nord-est.com, 1 +lemefly.com, 1 +lemeridienchambers.com, 1 +lemgstudio.com, 1 +lemieuxproducts.com, 1 +leminhduong.com, 1 +lemitron.fr, 1 +lemitti.com, 1 +lemler.family, 1 +lemmamedia.com, 1 +lemmy.cafe, 1 +lemmy.name, 1 +lemmyfund.org, 1 +lemni.top, 1 +lemoine.at, 1 +lemon.nl.eu.org, 1 +lemonadefashion.com, 1 +lemonardo.ga, 1 +lemoncloud.eu.org, 1 +lemoniax.com, 0 +lemonpic.ga, 1 +lemonpool.com.tr, 1 +lemonrfx.com, 1 +lemonrockbiketours.com, 1 +lemonrotools.com, 1 +lemonsociety.cf, 1 +lemonsoftware.eu.org, 1 +lemontownshippa.gov, 1 +lemonwater.tk, 1 +lemr.fr, 1 +lemzarcapital.com, 0 +lena-klein.de, 1 +lena-klein.eu, 1 +lena-nitro.org, 1 +lenafonster.se, 1 +lenagroben.de, 1 +lenalio.fr, 1 +lenamorino.net, 1 +lenaneva.ru, 0 +lenardoips.tk, 1 +lenasophie.net, 1 +lence.net, 1 +lencia.ga, 1 +lenczewski.ddns.net, 1 +lendahandmissionteams.org, 1 +lendera.mx, 1 +lendingmate.ca, 1 +lendingpoint.com, 1 +lendinvest.com, 1 +lendme.com.au, 1 +lendme.dk, 1 +lenemes.tk, 1 +lenergietoutcompris.fr, 1 +lengby.com, 1 +lengoo.com, 1 +lengua-alemana.tk, 1 +lenguajecoloquial.com, 1 +lenguajecoloquial.es, 1 +lenguajedeprogramacion.com, 1 +lenguasgermanicas.tk, 1 +lengyelnyelvoktatas.hu, 1 +lengyelul.hu, 1 +lenhatthanh.com, 1 +lenhotec.pt, 1 +lenidh.de, 1 +lenifuchs.net, 1 +lenii.com, 1 +lenina72.tk, 1 +leninalbertop.com.ve, 1 +lenit.nl, 1 +lenkeran.tk, 1 +lenkunz.me, 1 +lenn-blaschke.com, 1 +lennard-indlekofer.de, 1 +lennard.tk, 1 +lennard0711.eu, 1 +lennartoldenburg.de, 1 +lennox.cf, 1 +lennoxsd.gov, 1 +lennusadam.eu, 1 +lennybruce.tk, 1 +lennyendewespen.tk, 1 +lennyobez.be, 1 +lennyrodriguez.com, 1 +lenoblpech.ru, 1 +lenoirnc.gov, 1 +lenord.fr, 1 +lenorefan.tk, 1 +lenostech.gr, 1 +lenou.nl, 1 +lenovovietnam.net, 1 +lenqiue.com, 0 +lenr-experiment.tk, 1 +lenr-forum.com, 1 +lens.google.com, 1 +lenseshop.tk, 1 +lenspirations.com, 1 +lenstamiri.com, 1 +lenstore.co.uk, 1 +lensual.space, 0 +lenta-ru.tk, 1 +lentanews.ml, 1 +lentesbrasil.com, 1 +lents.xyz, 1 +lentusaudio.nl, 1 +lenuagebauche.org, 1 +lenumerozero.info, 1 +lenyip.com, 1 +lenyip.works, 1 +leo-boutique.fr, 1 +leo-music.tk, 1 +leo-translate.com.ua, 1 +leo.gov, 1 +leoandpeto.com, 1 +leob.in, 0 +leoburnett.com, 1 +leocollo.com, 1 +leodraxler.at, 1 +leojweda.com, 1 +leokoo.com, 0 +leola.cz, 1 +leola.sk, 1 +leolabs.space, 1 +leolawi.gov, 1 +leomarcou.fr, 1 +leomax.ru, 1 +leominstercu.com, 0 +leomwilson.com, 0 +leon-16255.space, 1 +leon-tec.co.jp, 1 +leon-tech.com, 1 +leon.wtf, 1 +leonard.io, 0 +leonardaccessories.com, 1 +leonardcamacho.me, 1 +leonardcyber.com, 0 +leonardlorenz.de, 1 +leonardocontreras.com, 1 +leonardocremonesi.it, 1 +leonardoealessandra.com, 1 +leonardofavio.tk, 1 +leonardoferrera.com, 1 +leonardoneiva.com.br, 1 +leonardostart.tk, 1 +leonardtheologicalcollege.com, 1 +leonauto.de, 1 +leonbania.com, 1 +leonbuitendam.nl, 1 +leoncss.ml, 1 +leongalin.tk, 1 +leonhooijer.nl, 0 +leonidas-dovido.tk, 1 +leoniepur-porn.com, 1 +leonieroessler.com, 1 +leonieslonging.org, 1 +leonklingele.de, 1 +leonpa.gov, 1 +leonplast.tk, 1 +leontiekoetter.de, 1 +leontworzy.pl, 1 +leontyev.tk, 1 +leonvermunt.com, 1 +leonvermunt.nl, 1 +leonvotes.gov, 1 +leonyork.com, 1 +leopardstudio.tk, 1 +leopastel.net, 1 +leoseguin.fr, 1 +leoservicosetc.com, 1 +leoservicosetc.com.br, 1 +leoservicosetc.email, 1 +leoservicosetc.live, 1 +leoservicosetc.online, 1 +leoservicosetc.rio.br, 1 +leoservicosetc.store, 1 +leoservicosetc.world, 1 +leosopenmind.com, 1 +leosty.com, 1 +leovanna.co.uk, 1 +leowkahman.com, 1 +lep.gov, 1 +lepalierjuridique.com, 1 +lepallec.tv, 1 +lepartiecomemoracoes.com.br, 1 +lepat.es, 1 +lepatch.jp, 1 +lepblog.tk, 1 +lepenis.fr, 0 +leper.ga, 1 +lepetitendroit.fr, 1 +lepetitkids.com.br, 1 +lephilnet.tk, 1 +lepidum.jp, 1 +leping.com, 1 +lepka.tk, 1 +lepkov.ru, 1 +leplus.net, 1 +leplus.org, 1 +leporem.com.br, 1 +leportschools.com, 1 +leppis-it.de, 1 +lepraconsf.com, 1 +leprekon.tk, 1 +lepressoir-info.org, 1 +leps.fr, 1 +leptitbaltar.com, 1 +leptotrichia.tk, 1 +lepuyenvelay-tourisme.fr, 1 +lequerceagriturismo.com, 1 +lequest.dk, 1 +lequocthai.com, 1 +ler3.com, 1 +lerameau.fr, 1 +lerefuge.xyz, 1 +lerika.tk, 1 +lerks.blog, 1 +lerku.com, 1 +lernenamsee.ch, 1 +lernerspersonalinjury.ca, 0 +lernorteuropa.com, 1 +lernorteuropa.de, 1 +lernorteuropa.eu, 1 +lernpfad.ch, 1 +leros.bg, 1 +leroytwp-calhounmi.gov, 1 +lerryn.net, 1 +lertsiritravel.net, 1 +les-aides.fr, 1 +les-ateliers-de-melineo.be, 0 +les-epris.fr, 1 +les-explos.com, 1 +les-formations.fr, 1 +les-inoxydables.com, 1 +les-pipelettes-de-narbonne.com, 1 +les-pros-du-drone.com, 1 +les-universalistes.be, 1 +lesa-kiev.biz.ua, 1 +lesa.biz.ua, 1 +lesa.boutique, 1 +lesacredescouleurs.fr, 1 +lesalpinistes.com, 1 +lesamisdelaroumanie.com, 1 +lesamoureuxdangelique.ovh, 1 +lesargentinas.tk, 1 +lesartisanes.fr, 1 +lesas.tk, 1 +lesbea.com, 1 +lesbi-porno-video.ru, 1 +lesbianlovers.tk, 1 +lesbicas.com.pt, 1 +lesblogueuses.fr, 1 +lesbonzoms.alwaysdata.net, 1 +lesborgestv.cat, 1 +lesbrillantsdaristide.com, 1 +lescarnetsderoutedesophie.com, 1 +leschamoisduvercors.fr, 1 +lescommunes.com, 1 +lescomptoirsdepierrot.com, 1 +lesconcours.tk, 1 +lescoquetteriesdenais.fr, 1 +lescouturesdisa.fr, 1 +lescrieursduweb.com, 0 +lesdeuxfilles.be, 1 +lesdouceursdeliyana.com, 1 +leseditionsbraquage.com, 1 +lesershop24.de, 1 +lesformations.net, 0 +lesfouines.com, 1 +lesfurets.com, 1 +lesgarianes.com, 1 +lesgitesdusapey.fr, 0 +lesgoodnews.fr, 1 +leshetu.com, 0 +leshok.tk, 1 +leshop.ch, 1 +lesin.tk, 1 +lesitederencontre.fr, 1 +lesjardinsdemathieu.net, 0 +leskei.ru, 1 +leslhassadeluminia.fr, 1 +leslie.horse, 1 +lesmajuscules.fr, 1 +lesmatinesdheres.fr, 1 +lesmills-redirect-test.azurewebsites.net, 1 +lesmontagne.net, 1 +lesnet.co.uk, 1 +lesnoticiesdensergialarcon.site, 1 +lesours.in, 1 +lesparqueteurs.xyz, 1 +lespasseursdelivres.fr, 1 +lespatriotes.tk, 1 +lespecialiste-pradelexcellence.com, 1 +lesperlesdunet.tk, 1 +lespinasse.org, 1 +lesplatanes.ch, 0 +lesportmusic.tk, 1 +lesprofsplacotent.com, 1 +lesptitspasdelyne.fr, 1 +lesptitstutos.fr, 1 +lesquatredauphins.fr, 0 +lesrivesdegaronne.com, 1 +lessavonnables.fr, 1 +lesschwab-privacyportal-ui.azurewebsites.net, 1 +lessets-graphiques.com, 1 +lessiamia.net, 1 +lessing.consulting, 1 +lessis.moe, 1 +lessonsofacto.com, 1 +lesspass.com, 1 +lestanzedelgattopardo.it, 1 +lesterchan.net, 1 +lesterrassesdusoleil.ch, 0 +lestravauxduparticulier.fr, 1 +lestrokeofgenius.com, 1 +lestudiopecot.fr, 1 +lesummeira.is, 1 +lesvertsmaroc.tk, 1 +lesycr.cz, 1 +lesyndicat.info, 0 +leszonderstress.nl, 1 +letableaunoir.fr, 1 +letaman.tk, 1 +letao18.com, 0 +letchikleha.tk, 1 +letdownloads.tk, 1 +letec.be, 1 +leteckedarky.cz, 1 +letemps.ch, 1 +letempsdujasmin.fr, 1 +leter.io, 0 +leterroirdesvignobles.fr, 1 +letgodbetrue.com, 1 +lethalgaming.tk, 1 +lethalhardcore.com, 1 +lethosdesigns.co.uk, 1 +lethosdesigns.com, 1 +letic.fr, 1 +leticia.com.tw, 1 +leticia.ml, 1 +letiloulous.fr, 1 +letipweb.tk, 1 +letitfleet.io, 1 +letitfly.me, 1 +letiziamx.com, 0 +letmdesigncommercial.com, 1 +letmebet.de, 1 +letmepost.com, 1 +letnik.tk, 1 +leto12.xyz, 0 +letocar.com, 1 +letopise.com, 1 +letraba.com, 1 +letranif.net, 1 +letras.com, 1 +letras.mus.br, 1 +letras10.co, 1 +letraschile.com, 1 +lets-go-acoustic.de, 0 +lets.nu, 0 +letsbrand-holding.com, 1 +letsbrand-holding.nl, 1 +letsbrandholding.com, 1 +letsbrandholding.nl, 1 +letscahoot.net, 1 +letscrackit.ml, 1 +letsdebug.net, 1 +letsdevelop.com.br, 1 +letsdocode.com, 1 +letsdoeit.com, 1 +letsdothatagain.gq, 1 +letsdothatagain.ml, 1 +letsdothatagain.tk, 1 +letselhulpservice.nl, 1 +letsencrypt-for-cpanel.com, 1 +letsflyinto.space, 1 +letsgame.nl, 1 +letsgetintouch.com, 1 +letsgo.icu, 1 +letsgomaldives.com, 1 +letsgowhilewereyoung.com, 1 +letsknow.ga, 1 +letsknow.tk, 1 +letson.me, 1 +letsorganise.uk, 1 +letspartyrugby.co.uk, 1 +letsplayourgameagain.gq, 1 +letsrave.tk, 1 +letstalk.video, 1 +letstryanal.com, 1 +lette.tk, 1 +letterbox-online.de, 1 +letterrill.gq, 1 +lettersblogatory.com, 1 +lettings101.org, 0 +letto.ru, 1 +lettori.club, 1 +lettragetattoo.tk, 1 +lettrefrancophile.ga, 1 +lettres-motivation.net, 1 +lettucegeek.com, 1 +letturaveloce.tk, 1 +letusdothehomework.com, 1 +letustravel.tk, 1 +letvikar.dk, 1 +letweedoo.com, 1 +letyro.pl, 1 +letzi-immobilien.ch, 1 +leuchtmann.ch, 1 +leucothea.org, 1 +leuenhagen.com, 1 +leukert.org, 1 +leulu.com, 1 +leusemiamusic.tk, 1 +leuthardtfamily.com, 1 +leutransporteur.com, 1 +leuvensefilmclub.tk, 1 +lev103.com, 1 +levabilligt.com, 1 +levans.fr, 0 +levantage.tk, 1 +levante.net.nz, 1 +levaomat.com, 1 +levaquin750.ga, 1 +levati.name, 1 +leveeroadstudio.com, 1 +level33.com.sg, 1 +level37.tk, 1 +level4.parts, 1 +level5-drywall.com, 1 +level6.me, 1 +levelaccordingly.com, 1 +levelninehvac.com, 1 +levelrankings.com, 1 +levels.one, 1 +levelsoft.ml, 1 +levelum.com, 1 +levelupdisability.com.au, 1 +leveluplv.com, 1 +leveluprankings.com, 1 +levelx.team, 1 +levendwater.org, 1 +levensbron.nl, 1 +leventismotors.com.ng, 1 +leverj.io, 1 +levermann.eu, 1 +leviaan.nl, 1 +leviathan-studio.com, 1 +leviathanfan.tk, 1 +leviathanstory.tk, 1 +levico.tk, 1 +levida.ca, 1 +levidromelist.com, 1 +levineteamestates.com, 1 +levinus.de, 1 +levis.fun, 1 +levis.name, 1 +levischuck.com, 1 +levisenlaw.com, 1 +levitate.ro, 0 +levitatingx.com, 1 +levitation.tk, 1 +levlagom.com, 1 +levna-knihovna.cz, 1 +levolor.com, 1 +levonet.sk, 1 +levothyroxineonline.gq, 1 +levs.tk, 1 +levy.org, 1 +levyinstitute.com, 1 +levyinstitute.net, 1 +levyinstitute.org, 1 +levymultiplier.com, 1 +levymultiplier.org, 1 +levyntgard.tk, 1 +lew.im, 1 +lewdawson.com, 0 +lewdgamer.com, 1 +lewebdantoine.fr, 1 +leweslivingstreets.tk, 1 +lewiatan.opole.pl, 1 +lewig.net, 1 +lewis-sharp.com, 1 +lewiscollard.com, 1 +lewiscountyny.gov, 1 +lewiscountytn.gov, 1 +lewisdatasecurity.com, 0 +lewisjuggins.co.uk, 1 +lewismcyoutube.uk, 1 +lewistonutah.gov, 1 +lewt.me, 1 +lex-legal.com.ua, 1 +lex18.com, 1 +lexapro-price.ga, 1 +lexautoservice.nl, 1 +lexblogplatform.com, 1 +lexblogplatformthree.com, 1 +lexch.com, 1 +lexdavicont.ro, 1 +lexdigital.pl, 1 +lexe.club, 1 +lexeri.com, 1 +lexgo.be, 1 +lexgo.lu, 1 +lexic.co, 1 +lexico.pt, 1 +lexicography.online, 1 +lexicore.ga, 1 +lexifax.ga, 1 +lexikon24.tk, 1 +lexington-credit-repair.com, 1 +lexingtonil.gov, 1 +lexingtonok.gov, 1 +lexinter.net, 1 +lexiprof.com, 1 +lexis.ml, 1 +lexitthemovie.tk, 1 +lexjunkie.xyz, 1 +lexmedia.ro, 1 +lexmondcommunications.com, 1 +lexoh.com, 1 +lexpartsofac.com, 1 +lexpert.ca, 1 +lexreception.com, 1 +lexsc.gov, 1 +lextechsuite.com, 1 +lexum.com, 1 +lexuspartsnow.com, 1 +lexvademecum.com, 1 +lexway.pk, 1 +leyaonline.com, 1 +leybelsgarden.cf, 1 +leyendaluzrenacer.com, 1 +leyeslaboralesdecolorado.gov, 1 +leyfutmex.com, 1 +leyhorizontal.es, 1 +leylalips.org, 1 +leymaritima.com, 1 +leytron.tk, 1 +lez.gent, 1 +lez2020.be, 1 +lez2020.gent, 1 +lezbomovies.com, 1 +lezdombliss.com, 1 +lezdomsm.com, 1 +lezen.tk, 1 +lezgetreal.com, 1 +lezhang.top, 1 +leziblog.cn, 1 +lezzetyurdu.com.tr, 1 +lf-space.com, 1 +lfashion.eu, 1 +lfc.com.pl, 1 +lfcnsv.de, 1 +lff.club, 1 +lffweb.ga, 1 +lfg.com.ph, 1 +lfgss.com, 1 +lfi-mv.de, 0 +lfmosqueira.com.br, 1 +lfn.moe, 1 +lfnaturopathie.com, 1 +lforum.tk, 1 +lfrconseil.com, 1 +lfyhokk.tk, 1 +lg-obchod.cz, 1 +lg-store.sk, 1 +lg-world.cz, 1 +lg.gz.cn, 1 +lg0.site, 1 +lg2.com, 1 +lgam.com, 1 +lgbt-colleges.com, 1 +lgbt.io, 1 +lgbt.ventures, 1 +lgbtqtherapyspace.com, 1 +lgbtventures.com, 1 +lgbusiness.es, 0 +lgelectric.cz, 1 +lgelectric.eu, 1 +lgerman.de, 1 +lgesteticaautomotiva.com.br, 1 +lghfinancialstrategy.ch, 0 +lgiswa.com.au, 1 +lgmars.xyz, 1 +lgmotors.cz, 1 +lgnsh.fr, 1 +lgobchod.cz, 1 +lgp.go.th, 1 +lgrs.com.au, 1 +lgscripts.com.br, 1 +lgsg.us, 1 +lgstore.cz, 1 +lgstore.sk, 1 +lgsystem.cz, 1 +lgsystems.cz, 1 +lgtrees.co.uk, 1 +lgv-france.com, 1 +lgworld.cz, 1 +lhajn.cz, 1 +lhakustik.se, 1 +lhasaapso.com.br, 1 +lhconsult.tk, 0 +lheinrich.org, 1 +lhffinanceira.online, 1 +lhm.de, 1 +lhokseumawekota.go.id, 1 +lhost.su, 1 +lhp-creation.com, 1 +lhp-creation.fr, 1 +lhr.wiki, 1 +lhsj28.com, 1 +lhsj68.com, 1 +lhsj78.com, 1 +lhv.nl, 1 +li-de.tk, 1 +li-ke.co.jp, 1 +li-n.net, 1 +li-project.com, 1 +li.fi, 1 +li.gz.cn, 1 +li.search.yahoo.com, 0 +li1436-89.members.linode.com, 1 +li985.com, 0 +lia-fox.org, 1 +liaengel.com, 1 +liaiai.com, 1 +lialash.pro, 1 +lialeone.org, 1 +lialion.de, 1 +liam-is-a-nig.ga, 1 +liam-le-may.fr, 1 +liam-w.io, 1 +liam.bzh, 1 +liam.ovh, 1 +liambaron.com, 1 +liamelliott.me, 1 +liamlin.me, 1 +liamsteckler.com, 1 +lian-in.net, 1 +liana.site, 1 +lianand.com, 1 +liangbi.ml, 1 +liange.com, 1 +liangfaner.com, 1 +lianglongcredit.com, 1 +liangxingai.com, 1 +liangyichen.net, 1 +lianhe.art, 1 +lianid.com, 1 +lianka.eu, 1 +lianka.pl, 1 +lianka.uk, 1 +lianwen.kim, 1 +lianxin.com, 1 +liaozheqi.cn, 1 +liar.wiki, 1 +lib.pm, 1 +lib.rs, 1 +lib64.net, 1 +libanswers.com, 1 +libanswers.net, 1 +libapps.com, 0 +libapps.net, 1 +libart.so, 1 +libauth.com, 1 +libbitcoin.org, 1 +libble.eu, 1 +libcal.com, 1 +libcal.net, 1 +libchat.com, 1 +libchat.net, 1 +libcip.org, 1 +libcmodbus.org, 1 +libconnect.com, 1 +libconnect.net, 1 +libcrc.org, 1 +libcrm.com, 1 +libcrm.net, 1 +libelle.nl, 1 +libelulaweb.tk, 1 +liberad.fr, 1 +liberal.ru, 1 +liberalartsedu.org, 1 +liberale-demokraten.de, 1 +liberalis.tk, 1 +liberapay.com, 1 +liberategrace.com, 1 +liberation2020.com, 1 +liberationgroup.com, 1 +liberationtek.com, 0 +liberatupotencial.site, 1 +liberda.nl, 1 +liberdademg.com.br, 1 +liberecstehovani.cz, 1 +libermoto.fr, 1 +liberta-me.org, 1 +libertacao.tk, 1 +libertadgreen.tk, 1 +libertarian-party.com, 1 +libertas-tech.com, 1 +libertas.co.jp, 1 +liberte-toujours.tk, 1 +libertino.tk, 1 +libertis.ga, 1 +liberty-city.tk, 1 +liberty-host.tk, 1 +liberty-med.ru, 1 +liberty-univers.art, 1 +liberty-universe.art, 1 +liberty.co.uk, 1 +libertybaptistmn.org, 1 +libertycountyflsoe.gov, 1 +libertydentalplan.com, 1 +libertyga.tk, 1 +libertygrovewi.gov, 1 +libertyhillssewer.gov, 1 +libertylakewapd.gov, 1 +libertyland.tk, 1 +libertylondon.com, 1 +libertyreversemortgage.com, 1 +libertystation.com, 1 +libertytereconoce.com, 1 +libertytwpadamspa.gov, 1 +libertyvault.us, 1 +libertywines.co.uk, 0 +libertywines.ie, 0 +libertyxpress.tk, 1 +libfins.org, 1 +libgame.com, 1 +libget.com, 1 +libgraphe.me, 1 +libguides.com, 0 +libguides.net, 1 +libhttp.org, 1 +libinsight.com, 1 +libinsight.net, 1 +libivis.com, 1 +liblogo.com, 1 +libmpq.org, 1 +libnull.com, 1 +libot.eu.org, 1 +libpdf.org, 1 +libportal.cf, 1 +libractes.tk, 1 +libraideos.tk, 1 +librairiez.ca, 1 +librairiez.com, 1 +librairiezbookstore.com, 1 +libramedia.ru, 1 +libranet.eu, 1 +libraries.vic.gov.au, 1 +librarika.com, 1 +librarium.tk, 1 +library-quest.com, 1 +library.nhs.uk, 1 +libraryh3lp.com, 1 +libraryofcode.org, 1 +libraryofcode.us, 1 +librarytapes.tk, 1 +librarytools.com, 1 +libravatar.org, 1 +librazy.org, 1 +libre-innovation.org, 1 +libre-service.de, 1 +libre.cr, 1 +libre.university, 1 +libreai.nl.eu.org, 1 +libreboot.org, 1 +librebox.de, 1 +librechat.ai, 0 +libredns.eu, 1 +libreduca.com, 1 +libreexpresion.tk, 1 +libreho.st, 1 +librelamp.com, 1 +libremail.nl, 1 +librematrix.com, 1 +libremedia.video, 1 +librends.org, 1 +libreoffice.ee, 1 +libreofficefromcollabora.com, 1 +libreplanet.org, 1 +libreria-ouroboros.tk, 1 +libreriaelzocalo.cl, 1 +librervac.org, 1 +libresoft.ml, 1 +libressobooks.sk, 1 +libreview.com, 1 +libreview.ru, 1 +librisulibri.it, 1 +librosantimateria.com, 1 +librosdelasteroide.com, 1 +librosdescargas.club, 1 +librosgratisnet.tk, 1 +librosparareinventarse.es, 1 +libruis.com, 0 +libscpi.org, 1 +libskia.so, 1 +libslack.org, 1 +libsodium.org, 1 +libstaffer.com, 1 +libstaffer.net, 1 +libstick.org, 1 +libstock.si, 1 +libwizard.com, 1 +libwizard.net, 1 +libyanexpert.ml, 1 +lic39.ru, 1 +licence-registry.com, 1 +licencja-na-drona.pl, 1 +licencja-na-drony.pl, 1 +licensecrack.com, 1 +licensediscovery.io, 1 +licenseplates.cc, 1 +licenzacalcio.tk, 1 +liceoc9.tk, 1 +licesisters.com, 1 +lichess.org, 1 +lichnyj-astrolog.cf, 1 +lichnyj-astrolog.ga, 1 +lichnyj-astrolog.gq, 1 +lichnyj-astrolog.ml, 1 +lichnyj-astrolog.tk, 1 +lichtbild.nrw, 1 +lichtbildfotos.de, 1 +lichtcam.ddns.net, 0 +lichtfestival.be, 1 +lichtfestival.gent, 1 +lichtfestivalgent.be, 1 +lichtfestivalgent.com, 1 +lichtfestivalgent.tv, 1 +lichtfestivalghent.be, 1 +lichtfestivalghent.com, 1 +lichtjesavondkoedijk.nl, 1 +lichtmetzger.de, 0 +lichtplatformnsvv.nl, 1 +lichtschatten.tk, 1 +lichtsturm.net, 1 +lichttechnik-tumler.com, 1 +lichtval.tk, 1 +licia-music.com, 1 +lickd.co, 1 +lickingcounty.gov, 1 +licloud.homeip.net, 1 +licoreseugenioavila.com, 1 +licx.ml, 1 +licx.ru, 1 +lida-vets.co.uk, 1 +lidarwindtechnolog.cf, 1 +lidarwindtechnolog.ga, 1 +lidaumba.com, 1 +lidavidm.me, 1 +lidel.org, 1 +lidernaturascarlettbados.com, 1 +liderok.tk, 1 +lidkoping.se, 1 +lidl-gewinnspiel.de, 1 +lidl-holidays.com, 1 +lidl-immobilien.de, 1 +lidl-kochen.de, 1 +lidl-shop.be, 1 +lidl-shop.cz, 1 +lidl-shop.nl, 1 +lidl-shop.sk, 1 +lidl-sklep.pl, 1 +lidl-stikeez.si, 1 +lidl-vins.fr, 1 +lidl.at, 1 +lidl.be, 1 +lidl.de, 1 +lidl.es, 1 +lidlonline.es, 1 +lidlovajogurteka.si, 1 +lidodecor.com, 1 +lidogr.com, 1 +lidong.me, 1 +lidosparesort.com, 1 +lidtkemotors.com, 1 +liduan.net, 0 +lieba.ch, 1 +liebel.org, 1 +lieben.tk, 1 +lieberwirth.biz, 1 +liecomiribea.cf, 1 +lied8.eu, 1 +liegveld.nl, 1 +liehuojun.com, 0 +liella.me, 1 +liemen.net, 1 +liena.be, 0 +liendar-silver.com, 1 +lienhuyghebaert.tk, 1 +lier.link, 1 +lier.tk, 1 +lieren4x4.nl, 1 +lierohell.tk, 1 +liesbethkeijzer.nl, 1 +lieuu.com, 0 +lifamily.xyz, 1 +lifanov.com, 1 +lifars.com, 0 +lifco-industrie.com, 1 +life-emotions.pt, 1 +life-in-hell.tk, 1 +life-is-riddle.tk, 1 +life-mastery-tv.com, 1 +life-style.tk, 1 +life-tec.tk, 1 +life-time.nl, 1 +life24korea.com, 1 +life29.com, 1 +life360.com, 1 +life4net.tk, 1 +lifeandhealthtips.tk, 1 +lifeandhowtosurviveit.com, 1 +lifeartstudios.net, 1 +lifeasgame.tk, 1 +lifeatthemax.graphics, 1 +lifeatthemax.marketing, 1 +lifeatthemax.us, 1 +lifebymargot.co.uk, 1 +lifecare.org, 1 +lifecism.com, 1 +lifecoach.tw, 1 +lifecoachkatrien.be, 1 +lifeconnections.ro, 1 +lifecraft.cf, 1 +lifedrops.com.au, 1 +lifefaithtruth.com, 1 +lifefoto.de, 1 +lifegoesonsojustsmile.tk, 1 +lifehacker.com, 1 +lifeinheart.com, 1 +lifeinhellfansite.tk, 1 +lifeinhex.com, 1 +lifeinsurancepro.org, 1 +lifeintwentys.com, 1 +lifeisabug.com, 1 +lifeismmo.com, 1 +lifeispain.tk, 1 +lifeisqi.nl, 1 +lifekeycounsel.com, 1 +lifekirov.tk, 1 +lifekiss.ru, 1 +lifelessandcalm.com, 1 +lifelineanimal.org, 1 +lifelinespublishing.com, 1 +lifelinesupport.org, 1 +lifelinksystems.com, 1 +lifelock.ml, 1 +lifelovers.tk, 1 +lifemalayalam.com, 1 +lifematenutrition.com, 1 +lifemcserver.com, 1 +lifemstyle.com, 1 +lifenews24.tk, 1 +lifenexto.com, 1 +lifengoal.com, 1 +lifepathdoc.com, 1 +liferay.com, 1 +lifereset.it, 1 +lifesaverhindi.tk, 1 +lifeseatsers.ga, 1 +lifeseatsest.ga, 1 +lifeset.pp.ua, 1 +lifesettlements.com, 1 +lifeskills-education.co.uk, 0 +lifeslice.online, 1 +lifeslonglist.com, 1 +lifesoccer.tk, 1 +lifestorage.com, 0 +lifestyle.bg, 1 +lifestyle7788.com, 1 +lifestyledoctor.in, 1 +lifestylefoodies.com, 1 +lifestylehousing.in, 1 +lifestylexplocial.tk, 1 +lifetech.com.my, 1 +lifetimefitness.tk, 1 +lifetimemedsers.ga, 1 +lifetimemedsest.ga, 1 +lifetimetraining.co.uk, 1 +lifetoolscdc.com, 1 +lifetree.network, 1 +lifeupgame.fr, 1 +lifewithdyna.com, 1 +lifexpert.tk, 1 +lifi.digital, 1 +lifi.is, 1 +liftagacademy.com, 1 +liftedpixel.net, 1 +liftie.info, 1 +liftingchat.com, 1 +liftntake.com, 1 +liftyourgame.com, 1 +lig.ink, 0 +liga.ng, 1 +liga99.tk, 1 +ligacontrachetos.tk, 1 +ligadegamers.com, 1 +ligadelconsorcista.org, 1 +ligadosgames.com, 1 +ligare-fp.com, 1 +ligaro.nl, 1 +light.law, 1 +light.mail.ru, 1 +lightandvideo.com, 1 +lightbearer.tk, 1 +lightbluelearning.com, 1 +lightbox.co, 1 +lightcp.com, 1 +lightcraftmc.tk, 1 +lightdark.xyz, 1 +lightfestivalghent.be, 1 +lightfestivalghent.com, 1 +lightfoot.co.uk, 1 +lighthouse-rbg.de, 1 +lighthouseglobal.com, 1 +lighthouseguild.org, 1 +lighthouseinstruments.com, 1 +lighthousepointfl.gov, 1 +lightingagoura.com, 1 +lightingagourahills.com, 1 +lightingcalabasas.com, 1 +lightingconejovalley.com, 1 +lightingdosvientos.com, 1 +lightinghiddenhills.com, 1 +lightinglakesherwood.com, 1 +lightingmalibu.com, 1 +lightingmoorpark.com, 1 +lightingnewburypark.com, 1 +lightingoakpark.com, 1 +lightingpacificpalisades.com, 1 +lightingsimivalley.com, 1 +lightingthousandoaks.com, 1 +lightingwestlakevillage.com, 1 +lightme.us, 1 +lightmere.com, 1 +lightning.com, 1 +lightning.community, 1 +lightning.engineering, 1 +lightningcollectors.com, 1 +lightningpatrolers.ga, 1 +lightningpatrolest.ga, 1 +lightningprotocol.finance, 0 +lightnings.tk, 1 +lightningseed.net, 1 +lightningwirelabs.com, 1 +lightoflifehomoeopathyclinic.com, 1 +lightography.com, 1 +lightonelectrical.com.au, 1 +lightpod.com.au, 1 +lightquantum.moe, 1 +lightrun.com, 1 +lights0123.com, 1 +lightsfromspace.com, 0 +lightsheep.no, 0 +lightsouts.com, 1 +lightsoverlapland.com, 1 +lightsproject.com, 1 +lightstands.xyz, 1 +lighttp.com, 0 +lightupcollective.co.uk, 1 +lightupkapiti.nz, 1 +lightweighthr.com, 1 +lightwitch.org, 0 +lightworks.tk, 1 +lightyear.no, 1 +ligiptv.tk, 1 +ligmadrive.com, 1 +ligneclaire.tk, 1 +lignemalin.com, 1 +lignite.com, 1 +lignoma.com, 1 +ligonier.com, 1 +ligustinus.tk, 1 +lihi-home.co.il, 1 +lihj.eu.org, 1 +lihj.me, 1 +lihuenjardin.com, 1 +liikluslab.ee, 1 +liisauusitaloarola.fi, 1 +liivimeretuulepark.ee, 1 +lijana.rs, 1 +lijero.co, 1 +liji.ru, 1 +lijie.org, 1 +lijstbob.nl, 1 +lijstje.be, 1 +lijstje.nl, 1 +likans.tk, 1 +like-boss.ga, 1 +like-rabota.tk, 1 +likeablehub.com, 1 +likeageek.tk, 1 +likeany.com, 1 +likebee.gr, 1 +likebot.ml, 1 +likecrabwalkslowly.ml, 1 +likedobrasil.com, 1 +likefast.tk, 1 +likefluence.com, 1 +likegeeks.com, 1 +likehifi.de, 1 +likemovies.de, 1 +likenewhearing.com.au, 1 +likenosis.com, 1 +likere.com, 1 +likesec.net, 1 +likesec.se, 1 +likesforinsta.com, 1 +likesolidaria.com.co, 1 +likestudio.com.ua, 1 +likewatercs.com, 1 +likhner.com, 0 +likme.tv, 1 +likui.me, 1 +lilai107.com, 1 +lilai116.com, 0 +lilai18.ph, 1 +lilai2211.com, 1 +lilai3366.com, 1 +lilai5566.com, 0 +lilai634.com, 1 +lilai6616.com, 1 +lilai6677.com, 1 +lilai6688.com, 0 +lilai777.com, 1 +lilai838.com, 1 +lilai8866.com, 0 +lilai9966.com, 1 +lilaplus.com.tr, 1 +lilawadee.tk, 1 +lile.cl, 1 +lilianejuchli.ch, 1 +liliang.moe, 1 +lilicloth.com, 1 +lilidarcek.sk, 0 +lilie.fr, 1 +lilievabien.fr, 1 +lilighazaryan.tk, 1 +lilimusic.tk, 1 +lilisg.tk, 1 +lilith-magic-molds.com, 1 +lilith-magic.com, 1 +lilithfund.org, 1 +lilithqueisser.de, 1 +lilium.com, 1 +liliwarrior.com, 1 +liliweb.tk, 1 +lillalisa.tk, 1 +lillaparken.se, 1 +lille.ml, 1 +lillenordmann.no, 1 +lillieprivat.org, 1 +lilly-lil.net, 1 +lilly-lil.org, 1 +lillylove.net, 1 +lillywhitehotelgroup.com.au, 1 +lilola.de, 1 +lilou-sportswear.com, 1 +lilousportswear.com, 1 +lilpwny.com, 1 +lilstarry.com, 1 +liltv.media, 1 +lily-bearing.com, 0 +lily-inn.com, 1 +lily-luv.com, 1 +lily.flowers, 1 +lilyallenlife.ga, 1 +lilylasvegas.com, 1 +lilypad.gg, 1 +lilypadwikisecret.tk, 1 +lilysbouncycastles.com, 1 +lilyvet.com, 1 +lim-light.com, 1 +lim.gr, 1 +limanhaber.net, 1 +limaohio.gov, 1 +limap.ch, 1 +limatownshipmi.gov, 1 +limawi.io, 1 +limbaido.tk, 1 +limberg.me, 1 +limbo-online.tk, 1 +limbra.tk, 1 +limburg.nl, 1 +limc.me, 1 +lime-host.cf, 1 +lime-host.tk, 1 +limechain.tech, 1 +limecho.net, 1 +limehost.com, 1 +limehotel.tk, 1 +limelightnashville.cf, 1 +limelightnashville.ga, 1 +limelightnashville.gq, 1 +limenaria-beach.tk, 1 +limenotlemon.com, 1 +limepot.xyz, 1 +limescapes.com.au, 1 +limesparrow.cf, 1 +limestart.cn, 1 +limestonecleaningchicago.com, 1 +limestonemechanical.ca, 1 +limetee.cz, 1 +limetorrent.gq, 1 +limetw.eu.org, 1 +limewtea.com, 0 +limingtonmaine.gov, 1 +limitbreak.com, 1 +limitdropers.ga, 1 +limitdropest.ga, 1 +limitededitioncomputers.com, 1 +limitededitionsolutions.com, 1 +limitlex.com, 1 +limitshareers.ga, 1 +limitshareest.ga, 1 +limiturls.ga, 1 +limnt.cn, 1 +limo.pl, 0 +limo.sh, 1 +limoairporttoronto.net, 1 +limoforsale.com, 1 +limoshka.ru, 1 +limousine.milano.it, 1 +limousineservicezurich.com, 0 +limouzines.cf, 1 +limouzy-combi.com, 1 +limpiadordeporos.online, 1 +limpid.nl, 1 +limsia.co, 1 +limsia.com, 1 +limstash.com, 1 +limules.ch, 0 +limx.win, 1 +lin.fi, 1 +linafernandez.com.co, 1 +linaklein.de, 1 +linalove.net, 1 +linalynn.com, 1 +linan.info, 1 +linan.site, 1 +linaproclinic.com, 1 +linawinter.com, 1 +linawinter.net, 1 +lincasonline.tk, 1 +lincdavis.com, 1 +lince-bonares.tk, 1 +lincolnadamscountywi.gov, 1 +lincolnbrokerage.com, 1 +lincolncountyga.gov, 1 +lincolncountyid.gov, 1 +lincolncountymoclerk.gov, 1 +lincolncountync.gov, 1 +lincolncountyne.gov, 1 +lincolncountysd.gov, 1 +lincolncountysheriffok.gov, 1 +lincolncountytn.gov, 1 +lincolncountywy.gov, 1 +lincolnil.gov, 1 +lincolnimps.tk, 1 +lincolnmoneyman.com, 1 +lincolnparkpressurewashing.com, 1 +lincolnri.gov, 1 +lincolnshirefdil.gov, 1 +lincolnstreetband.tk, 1 +lincolntownshipnewaygocountymi.gov, 1 +lincolnzoo.org, 1 +lincore.ru, 1 +lind-bohanon.org, 1 +lindajahn.de, 1 +lindakloenreizen.nl, 1 +lindalap.fi, 1 +lindalush.net, 1 +lindamadu.com.br, 1 +lindanblog.com, 1 +lindaolsson.com, 1 +lindazi.com, 1 +lindbladcruises.com, 1 +lindeal.com, 0 +lindemontessori.cz, 1 +linden-nj.gov, 1 +linden.me, 0 +linden.tk, 1 +lindenfd-nj.gov, 1 +lindenlibrary-nj.gov, 1 +lindentx.gov, 1 +lindependant.fr, 1 +lindependant.ml, 1 +lindernational.com, 1 +lindeskar.se, 1 +lindgrenracing.tk, 1 +lindipendente.online, 1 +lindler.rocks, 1 +lindner-architektur.ruhr, 1 +lindner-edv.at, 1 +lindnerhof-taktik.de, 1 +lindnerhof.info, 1 +lindnerova.cz, 1 +lindo.ru, 1 +lindogdahl.dk, 1 +lindon.gov, 1 +lindon.pw, 1 +lindoors.tk, 1 +lindows.tk, 1 +lindquistnet.us, 1 +lindsay-lohan.tk, 1 +lindsaygorski.com, 1 +lindsborgks.gov, 1 +lindseyadelman.com, 1 +lindseyfansite.tk, 1 +lindskogen.se, 1 +lindung.pp.ua, 1 +line.biz, 1 +line.co.nz, 0 +line.me.uk, 1 +linea-nova.be, 1 +lineacreative.com, 1 +lineaesse5.it, 1 +lineageos.org, 1 +lineamortal.tk, 1 +linebet.com, 1 +linebet02489q.com, 1 +linebet17654d.com, 1 +linebooks.cf, 1 +linedance.tk, 1 +lineinchina-enterprise.tw, 1 +linejuby.dk, 1 +lineman.edu, 1 +lineru.com, 1 +lineshop.ml, 1 +linestep.jp, 1 +lineto.com, 1 +linext.cn, 0 +linfadenopatia.com, 1 +linfamilygc.com, 1 +linge-ma.ro, 1 +lingerie.com.br, 1 +lingeriecollect.ga, 1 +lingeriesilhouette.com, 1 +lingolia.com, 0 +lingros-test.tk, 1 +lingshan.tk, 1 +lingua-arabica.org, 1 +lingua.tk, 1 +lingualeo.com, 1 +linguamilla.com, 1 +linguarama.com, 1 +linguaromanica.tk, 1 +linguatrip.com, 1 +linguword.com, 1 +lingvist.com, 1 +linhaoyi.com, 0 +linherest.tk, 1 +linhim.de, 1 +linhua.org, 1 +linjerry.tk, 1 +link-group.tk, 1 +link-knighki.cf, 1 +link-list.tk, 1 +link-live.com, 1 +link-man.net, 1 +link-medital.com, 1 +link-net.ga, 1 +link-sanitizer.com, 1 +link.co.uk, 1 +link.com, 1 +link24.tk, 1 +link26.tk, 1 +link2link.tk, 1 +link2serve.com, 1 +link2u.tk, 1 +link9.net, 1 +linkagencia.co, 1 +linkare.be, 1 +linkare.com, 1 +linkare.eu, 1 +linkare.pt, 1 +linkat4.cz, 1 +linkatak.ga, 1 +linkbong.tk, 1 +linkbooks.ga, 1 +linkcat.tk, 1 +linkdesign.tk, 1 +linkdolar.tk, 1 +linkdr.uk, 1 +linke-kommunalpolitik.de, 1 +linked.fm, 1 +linkedpipes.com, 1 +linkenheil.org, 1 +linker-wenzel.com, 1 +linkersconnect.com, 1 +linkgiamgia.com, 1 +linkie.vn, 1 +linkinbooks.gq, 1 +linkindex.net, 1 +linking.ml, 1 +linkinpark4ever.tk, 1 +linkinparkoutpost.tk, 1 +linkla.ma, 1 +linklocker.co, 1 +linkmauve.fr, 1 +linkmycyber.training, 1 +linknaarlinux.tk, 1 +linknavigator.tk, 1 +linko-pomoika.tk, 1 +linkonaut.net, 1 +linkopia.com, 1 +linkportal.tk, 1 +linkposts.tk, 1 +linkrehberi.tk, 1 +linkriver.io, 1 +linkroll.cf, 1 +links22.com, 1 +linksafe.ga, 1 +linksanitizer.com, 1 +linksbridge.com, 1 +linkscloud.org, 1 +linksecure.nl, 1 +linksextremist.at, 1 +linksite.tk, 1 +linksmatrix.tk, 1 +linkspace.tk, 1 +linksphotograph.com, 1 +linkst.co, 0 +linkstagr.am, 1 +linkthis.me, 1 +linkthis.ml, 1 +linkthisstatus.ml, 1 +linkto.cf, 1 +linku.com, 1 +linkurio.us, 1 +linkurious.com, 1 +linkuva.tk, 1 +linkview.tk, 1 +linkware.it, 1 +linkwater.org, 1 +linkwheel.tk, 1 +linky.tk, 1 +linkycat.com, 1 +linmania.tk, 1 +linmarrdavao.com, 1 +linnaclinic.com, 1 +linnaeusgroup.co.uk, 1 +linncfs.top, 1 +linncosomo.gov, 1 +linncounty-ia.gov, 1 +linncountyelections-ia.gov, 1 +linncountyiowa.gov, 1 +linncountyor.gov, 1 +linngde.com, 1 +lino.cooking, 1 +linocolombo.tk, 1 +linocomm.com, 1 +linocomm.net, 1 +linocomm.nl, 1 +linomass.com, 1 +linomass.nl, 1 +linonin.tk, 1 +linoplan.be, 1 +linoplan.com, 1 +linoplan.dk, 1 +linoplan.eu, 1 +linoplan.fr, 1 +linoplan.info, 1 +linoplan.net, 1 +linoplan.nl, 1 +linoscan.com, 1 +linoscan.nl, 1 +linoskin.com, 1 +linoskin.nl, 1 +linostor.com, 1 +linostor.nl, 1 +linoszpadel.tk, 1 +linotrac.com, 1 +linotrac.nl, 1 +linotype.tk, 1 +linpx.com, 0 +linqhost.nl, 1 +linserto.it, 1 +linshiyouxiang.com, 1 +linss.com, 1 +lintmx.com, 1 +linu.gq, 1 +linuq.org, 1 +linusdrop.tips, 1 +linuslagerhjelm.se, 1 +linusruckstuhl.ch, 1 +linux-admin-california.com, 1 +linux-admin.tk, 1 +linux-audit.com, 1 +linux-florida.com, 1 +linux-help.org, 1 +linux-mint-czech.cz, 1 +linux-pc.ml, 1 +linux-share.tk, 1 +linux-taganrog.tk, 1 +linux-techie.com, 1 +linux-tips.us, 1 +linux-vme.org, 1 +linux.cn, 0 +linux.conf.au, 1 +linux.fi, 1 +linux.im, 1 +linux.pizza, 1 +linux3.org, 1 +linux4.de, 1 +linux4all.tk, 1 +linuxarequipa.tk, 1 +linuxbabe.com, 1 +linuxbg.eu, 1 +linuxbierwanderung.com, 0 +linuxbloc.tk, 1 +linuxbsd.tk, 1 +linuxcbt.com, 1 +linuxcommand.ru, 1 +linuxdashboard.com, 1 +linuxdays.cz, 1 +linuxdoc.org, 1 +linuxforu.tk, 1 +linuxforum.ch, 1 +linuxforwindows.com, 1 +linuxgiggle.com, 1 +linuxguru.tk, 1 +linuxhandbook.com, 1 +linuxhostingdelhi.com, 1 +linuxhostingindia.in, 1 +linuxhostsupport.com, 1 +linuxiac.com, 1 +linuxil.org, 1 +linuxincluded.com, 1 +linuxiuvat.de, 1 +linuxkompis.se, 1 +linuxlatbot.tk, 1 +linuxlounge.net, 1 +linuxmalta.tk, 1 +linuxnews.de, 1 +linuxonline.tk, 1 +linuxproject.net, 1 +linuxsecurity.expert, 1 +linuxtage.at, 1 +linuxwerkstatt.net, 1 +linuz.it, 1 +linvosges.com, 1 +linx.net, 1 +linxmind.eu, 1 +linxtter.com, 1 +linyunbin.com, 1 +linz.eu.org, 1 +linz.host, 1 +linzeliang.com, 1 +linzyjx.com, 1 +liodex.com, 1 +lion-king.ru, 1 +lion3star.store, 1 +lionchita.tk, 1 +lionessport.com, 0 +lionhosting.nl, 1 +lionkitchenremodel.com, 1 +lionland.tk, 1 +lionpa.ws, 1 +lions.gr.jp, 1 +lionsk.tk, 1 +lioraaja.com, 1 +liorggi.ga, 1 +lip.pt, 1 +lipacom.ga, 1 +lipartydepot.com, 1 +lipator.cf, 1 +lipeck.ga, 1 +lipeck.tk, 1 +lipetsk-centralniy.cf, 1 +lipetsk48.tk, 1 +lipex.com, 1 +lipighor.com, 1 +lipighor.xyz, 1 +lipnihezron.tk, 1 +lipo.lol, 1 +lipoabaltimore.org, 1 +lipovka.tk, 1 +lipowebsite.tk, 1 +lippu1.fi, 1 +lips.ne.jp, 1 +liptor.gq, 1 +lipturess.tk, 1 +liq.com.br, 1 +liqd.net, 1 +liqiang.com, 1 +liqiuyu.com, 1 +liqueur.wiki, 1 +liquid.cz, 1 +liquid.network, 1 +liquid.place, 1 +liquidation.tk, 1 +liquidbounce.tk, 1 +liquidcorp.fr, 1 +liquidflash.ml, 1 +liquidhost.co, 1 +liquidinternet.co, 1 +liquidradio.pro, 1 +liquidwarp.net, 1 +liquidweb.tk, 1 +liquipedia.net, 1 +liquiritia.tk, 1 +liquorice.co.za, 1 +lirc572.com, 1 +lirelesgens.com, 1 +liress.gq, 1 +liri.ie, 1 +lirico.ca, 1 +lirion.de, 1 +lirlandais.ch, 0 +lirnberger.com, 1 +lirui.nl.eu.org, 1 +lirui.org, 1 +lirui.tech, 1 +lis-na-plasty.cz, 1 +lis.koeln, 1 +lisa-mainz.tk, 1 +lisa.xyz, 1 +lisabel.ca, 1 +lisadelbo.tk, 1 +lisahh-jayne.com, 0 +lisahutson.co.uk, 1 +lisaloves.tk, 1 +lisamaffia.tk, 1 +lisanotes.com, 1 +lisanshizmetleri.com, 1 +lisapinder.com, 1 +lisapo.info, 1 +lisas.ml, 1 +lisasack.net, 1 +lisasc.gq, 1 +lisasworkshop.co.uk, 1 +lisavrobinson.tk, 1 +lisaweilandt.com, 1 +lisbon-pre-1755-earthquake.org, 1 +lisbonwi.gov, 1 +lisburnhottubnbounce.co.uk, 1 +lishayut-prav.cf, 1 +lishayut-prav.ga, 1 +lishayut-prav.gq, 1 +lishayut-prav.ml, 1 +lishayut-prav.tk, 1 +lishup.com, 1 +lisiano.eu, 1 +lisieuxarquitetura.com.br, 1 +lisinphotography.com, 1 +lisius.ga, 1 +liskgdt.net, 1 +lislan.org.uk, 1 +lisnail.gr, 1 +lisowski-development.com, 0 +lisowski-photography.com, 1 +lissabon.tk, 1 +lissabonsite.tk, 1 +lissajouss.tk, 1 +lissauer.com, 1 +lisslonglegs.com, 1 +lissongallery.com, 1 +list-gymnasium.de, 1 +list1.tk, 1 +listach.tk, 1 +listahu.org, 1 +listapp.uz, 1 +liste.net.tr, 1 +listekdo.fr, 1 +listen.dk, 1 +listener.ga, 1 +listening-skills.eu, 1 +listenkj.com, 1 +listenup.study, 1 +lister-kirchweg.de, 1 +listerplace.co.uk, 1 +listerventures.com, 0 +listiclepal.com, 1 +listim.com, 0 +listinfinity.net, 1 +listing.gq, 1 +listisima.com, 1 +listkeeper.io, 0 +listminut.be, 1 +listoffreeware.com, 1 +listratenkov.com, 1 +lists.fedoraproject.org, 1 +lists.mayfirst.org, 0 +lists.stg.fedoraproject.org, 1 +listsothebysrealtyhk.com, 1 +lit-verlag.de, 1 +litaphoenix.net, 1 +litarvan.com, 1 +litcc.com, 1 +litchfieldpark.gov, 1 +litchidova.nl, 1 +litcomphonors.com, 1 +lite-1x0801165.top, 1 +lite-1x132537.top, 1 +lite-1x378220.top, 1 +lite-1x389463.top, 1 +lite-1x4720786.top, 1 +lite-1x562968.top, 1 +lite-1x563355.top, 1 +lite-1x5942934.top, 1 +lite-1x605138.top, 1 +lite-1x6274108.top, 1 +lite-1x682393.top, 1 +lite-1x7814040.top, 1 +lite-1x8343697.top, 1 +lite-1x9264112.top, 1 +lite-1x9866970.top, 0 +lite-chat.tk, 1 +liteanalytics.com, 1 +litebit.de, 1 +litebit.eu, 1 +litebit.nl, 1 +litebitcdn.eu, 1 +litebits.com, 1 +litebooks.gq, 1 +litecache.de, 1 +litecloud.ml, 1 +litecoinnews.club, 1 +litehost24.tk, 1 +litemere.org, 1 +litemere.us, 0 +litemind.com, 0 +liteminer.cf, 1 +litepay.ch, 1 +literacychannel.ga, 1 +literapedia-bern.ch, 1 +literaria.tk, 1 +literatura-portal.cf, 1 +literaturaacessivel.com.br, 1 +literature-schools.com, 1 +literaturka.ga, 1 +literaturkreis-online.at, 1 +literaturkreis-online.ch, 1 +literaturkreis-online.de, 1 +literaturkreis.online, 1 +literaturpreis.online, 1 +literaturtage-recklinghausen.de, 1 +literie06.com, 1 +literoticavod.com, 1 +litespeed-webserver.de, 1 +litespeedanalytics.com, 1 +litespeedwebserver.de, 1 +litfest.ru, 1 +litfin.name, 1 +litfl.com, 1 +lithesalar.se, 1 +lithianissaneugeneparts.com, 1 +lithiumhosting.com, 0 +litiab.tk, 1 +litigatech.com, 1 +litkicks.com, 1 +litnis.com, 1 +litolin.tk, 1 +litorallimpo.com.br, 1 +litportal.gq, 1 +litteraturkanonen.se, 1 +litterfreeriversandstreams.eu, 1 +little-brother.eu, 1 +little-cake.com, 1 +little-luk.com, 1 +little-news.gq, 1 +little-shield.com, 1 +little.recipes, 1 +littlebar.tk, 1 +littlebestfriend.de, 1 +littlebig.co, 1 +littlebirds.cf, 1 +littlebites.co.nz, 1 +littleblackfish.se, 1 +littlebootshonduras.tk, 1 +littleboutiqueshop.co.uk, 1 +littleboutiqueshop.com, 1 +littleboutiqueshop.uk, 1 +littlecreatures.com.au, 1 +littlecreekhosting.com, 1 +littledev.nl, 0 +littleduck.eu.org, 1 +littleduck.xyz, 1 +littlefairy.no, 1 +littlefamilyadventure.com, 1 +littlefingersindia.com, 1 +littlefiredragon.tk, 1 +littlefool.de, 1 +littleforkmn.gov, 1 +littlegiants.edu.au, 1 +littlegianttraveler.com, 1 +littlegleemonster.com, 1 +littlehacker.tk, 1 +littlehide.gq, 1 +littlehoop.edu, 1 +littleireland.co.uk, 1 +littlelucifercafe.tk, 1 +littlemaple.tk, 1 +littlemaster.tk, 1 +littlenicky.org, 1 +littlenina.nz, 0 +littleorangecookbook.com, 1 +littleorchardpreschool.us, 1 +littlepigcreek.com.au, 1 +littlepincha.fr, 0 +littleqiu.net, 1 +littlericket.me, 1 +littleriverfreerange.ga, 1 +littlerose.ml, 1 +littlerphotographie.fr, 1 +littles.moe, 1 +littlescallywagsplay.co.uk, 1 +littleservice.cn, 1 +littlesk.in, 1 +littleskin.cn, 1 +littleson.com.br, 0 +littlesouls.ml, 1 +littlewatcher.com, 1 +littleyokohamakennel.tk, 1 +liturgical.net, 1 +liturkey.tk, 1 +litvideoserver.de, 1 +litz.ca, 1 +litzenberger.ca, 1 +liubliu.co.uk, 1 +liud.im, 1 +liudon.com, 1 +liuhecai.com, 1 +liujr.tk, 1 +liujunyang.com, 0 +liukang.com, 1 +liukang.tech, 1 +liul.in, 1 +liuliuya.com.tw, 1 +liulo.cf, 1 +liups.one, 1 +liuq.org, 1 +liuqiao.best, 1 +liuqiao.cf, 1 +liuqiao.eu.org, 1 +liuqiao.ga, 1 +liuqiao.gq, 1 +liuqiao.ml, 1 +liuqiao.pp.ua, 1 +liuqiao.tk, 1 +liuqiaolovecaonali.ml, 1 +liushuyu.tk, 1 +livadm.ml, 1 +livdesign.com.tw, 1 +live-home-cams.com, 1 +live-knigi.cf, 1 +live-news.gq, 1 +live-tv-channels.org, 1 +live-z-rejstejna.cz, 1 +live.ac.cn, 1 +live2play.ml, 1 +live2travelmore.us, 1 +live4k.media, 1 +live8811.com, 1 +live8899.cn, 1 +live8899.co, 1 +live8899.net, 1 +live9922.com, 1 +liveachievers.tk, 1 +liveandalucia.es, 1 +liveanimations.org, 1 +livebandphotos.com, 1 +livebarmenu.com, 1 +livebeachcam.net, 1 +livebestbooks.gq, 1 +livebookmark.ml, 1 +livebox-mag.fr, 1 +livebythesun.de, 1 +livecards.co.uk, 1 +livecards.es, 1 +livecards.it, 1 +livecast.com.tr, 1 +livecchi.cloud, 1 +livechads.com, 1 +livechads.org, 1 +liveciv.top, 1 +livecommande.fr, 1 +liveconcertvideo.tk, 1 +livedesign.at, 1 +livedomain.at, 1 +livedrawtogel.id, 1 +liveeventartist.ca, 1 +liveeventpainter.ca, 1 +liveevents.ee, 1 +liveflooring.com, 1 +livefoot.fr, 1 +liveforspeed.se, 1 +livefortheviews.com, 1 +liveinmelbourne.vic.gov.au, 1 +liveint.org, 1 +liveit.pt, 1 +liveita.com, 1 +liveitmerck.ca, 1 +livejasmin-online.com, 1 +livejasmin.dk, 1 +livejh.tk, 1 +livekaarten.be, 1 +livekaarten.nl, 1 +livekey.tk, 1 +livekooora.online, 1 +livekort.com, 1 +livekort.dk, 1 +livekort.no, 1 +livekort.se, 1 +livekortti.fi, 1 +livela.jp, 1 +livelexi.com, 1 +livelifewithintent.com, 1 +livelink.tk, 1 +livelondon.fr, 1 +livelong.tk, 1 +livelonglife.tk, 1 +livelovelaughlg.com, 1 +liveman.dk, 1 +livemomentum.ml, 1 +livemosspointe.com, 1 +livenewsrussia.tk, 1 +liveomadic.com, 1 +liveoutdoor.ga, 1 +livepainter.ca, 1 +livepaperhelp.com, 1 +liveperformersmeeting.net, 1 +livepix.gg, 1 +liveplaygo.com, 1 +livepodcast.ru, 1 +livepornguide.com, 1 +livequote.info, 1 +liveregistratie.nl, 1 +liverfoundation.org, 1 +liverider.co.jp, 1 +liverkids.tk, 1 +livermoreca.gov, 1 +livermorefireco.gov, 1 +livero.pl, 1 +liverobot8.com, 1 +liverobot888.com, 1 +liverpoolmoneyman.com, 1 +liversurgery.com, 1 +livescore-fixedmatches.com, 1 +livesexcalls.co.uk, 1 +liveskype.com, 1 +livesportts.ml, 1 +livestone.tk, 1 +livestrana.tk, 1 +livestreamtvbox.com, 1 +livesure.com, 1 +liveteachers.in, 1 +livetilesglobal.com, 1 +livetopknigi.gq, 1 +livetoride.co.za, 1 +liveutifree.com, 1 +livevacancies.co.uk, 1 +livewebtutor.com, 1 +liveweddingartist.ca, 1 +liveweddingpainter.ca, 1 +livewirecommunications.co.uk, 1 +livezrejstejna.cz, 1 +livfcshop.com, 1 +livi.co, 1 +livi.co.uk, 1 +livi.fr, 1 +living-legends.tk, 1 +living-space.co.nz, 1 +living-with-outlook-2010.com, 1 +living.video, 1 +living2000.com, 1 +livingafrugallife.com, 1 +livingbitsandthings.com, 1 +livingconfidently.com, 1 +livingdex.ca, 1 +livingdocs.io, 1 +livinghebrew.tk, 1 +livinginhimalone.com, 1 +livingislands.org, 1 +livingislands.tv, 1 +livinglab.be, 1 +livinglifesecurely.com, 1 +livinglink.be, 1 +livinglocalapp.com, 1 +livingoutdoors.ga, 1 +livingstonca.gov, 1 +livingtired.org, 1 +livingtohearsix.com, 1 +livingworduk.org, 1 +livinkitchen.tk, 1 +livive.com, 1 +livli.cz, 1 +livli.pl, 1 +livli.sk, 1 +livnev.me, 1 +livnev.xyz, 1 +livogeva.dk, 1 +livornonellarete.tk, 1 +livornotoday.it, 1 +livrariacoad.com.br, 1 +livrariaideak.com.br, 1 +livrariause.com, 1 +livres-et-stickers.com, 1 +livresetmanuscrits.com, 1 +livroseuniformes.com.br, 1 +livspace.com, 1 +livsta.ca, 1 +lixi.today, 1 +lixiaoyu.live, 1 +lixinnovations.com, 1 +lixis.com, 1 +lixtick.com, 1 +lixvapes.com, 1 +lixx.org, 1 +liyin.date, 1 +liying-sub.buzz, 1 +liyingcloud.org, 1 +liz-ate.com, 1 +liz-fry.com, 0 +liz.ee, 1 +liza.fashion, 1 +lizagalore.tk, 1 +lizaminnelli.tk, 1 +lizardsystems.com, 1 +lizardtech.top, 1 +lizcheney.com, 1 +lizeal.tk, 1 +lizheng.de, 1 +lizhi.io, 1 +lizhihezi.com, 1 +lizhuan.cn, 0 +lizlew.is, 1 +liznewton.com.au, 1 +liztattoo.se, 1 +lizteacher.com, 1 +lizufyr.eu, 1 +lizzandra.tk, 1 +lizzaran.io, 1 +lizzian.uk, 1 +lizzwood.com, 1 +lizzymcc.com, 1 +lizzysdoggrooming.com, 1 +lizzythepooch.com, 1 +lj-creation.com, 1 +ljason.cn, 1 +ljc.ro, 1 +ljekarne-plantak.hr, 1 +ljoonal.xyz, 1 +ljpc-hosting.nl, 1 +ljpc.nl, 1 +ljpc.solutions, 1 +ljs.io, 1 +ljskatt.com, 1 +ljskatt.no, 1 +ljsport.nl, 1 +ljubescica.hr, 1 +ljungabolet.se, 1 +ljusdal.se, 1 +ljw.me, 1 +lk-hardware.cz, 1 +lk1.bid, 1 +lkbk.uk, 1 +lkellar.org, 1 +lkff.nl, 1 +lkhrs.com, 1 +lklyrics.com, 1 +lkmt.us, 1 +lknw.de, 1 +lkp111138.me, 1 +lkqpickyourpart.com, 1 +lktvchannel.com, 1 +lkwmodellbau.at, 1 +ll.gr, 1 +ll5197.co, 1 +ll6729.co, 1 +ll6729.com, 0 +ll6957.co, 1 +ll9297.co, 1 +ll9728.co, 1 +llac.org, 1 +llanelli-radio-club.tk, 1 +llanowar.tk, 1 +llantasysuspensiones.shop, 1 +llanterascerca24.com.mx, 1 +llave.io, 1 +llccd.eu.org, 1 +llcgeek.com, 1 +llcig.com, 1 +llcigroup.com, 1 +lldigital.co.il, 1 +lleal.com, 1 +lleidanoticies.com, 1 +llemoz.com, 1 +llinck.fr, 1 +llinternational.tk, 1 +llm-guide.com, 1 +lloretparty.de, 1 +lloyd-day.me, 1 +lloydrogerspencer.com, 1 +llrpartners.com, 1 +llumar.com, 1 +llvm.us, 1 +llyncelyn.com, 1 +lm-architecture.com, 1 +lm-landscapes.co.uk, 1 +lm1628.com, 1 +lm228.cn, 1 +lm228.com, 1 +lm338.cn, 1 +lm338.com, 1 +lmasqueen.com, 1 +lmbyrne.co.uk, 1 +lmde.fr, 1 +lmh-style.com, 1 +lmi3d.com, 1 +lmintlcx.com, 1 +lmmks.com, 1 +lmmtfy.io, 1 +lmr.com, 1 +lmrcirurgiaplastica.pt, 1 +lmrcouncil.gov, 1 +lmsal.com, 1 +lmtls.me, 1 +lmtravis.com, 1 +lmvsci.gov, 1 +ln.io, 1 +lndb.me, 1 +lndrive.space, 1 +lnhydy.cn, 1 +lnk.bio, 1 +lnk.dk, 1 +lnoldan.com, 1 +lnovus.ru, 1 +lnsk.lt, 1 +lnsolucoesfinanceiras.com.br, 1 +lntpower.com, 0 +lnxy.eu, 1 +lnyltx.cn, 1 +lnzphoto.com, 1 +lo-zuromin.tk, 1 +lo.fail, 1 +loackerbusiness.it, 1 +load.pm, 0 +loader.to, 1 +loader.us.com, 1 +loadhourly.tk, 1 +loading.express, 1 +loading.se, 1 +loadlow.me, 1 +loadme.ml, 1 +loadninja.com, 1 +loadover.me, 1 +loadwallet.com, 1 +loafhead.me, 1 +loan-lenders.co.za, 1 +loanathome.com, 1 +loanfreeze.ga, 1 +loanpad.com, 1 +loanpost.com.au, 1 +loanreadycredit.com, 1 +loanscanada.ca, 1 +loansharkpro.com, 1 +loanstreet.nl, 1 +loantillpaydaydelaware.com, 1 +loavies.com, 1 +lob-assets-staging.com, 1 +lob-assets.com, 1 +lob-staging.com, 1 +lobao.eti.br, 1 +lobao.pro.br, 1 +lobbes.nl, 1 +lobbster.co, 1 +lobby.game, 1 +lobbylmb.nl, 1 +lobevert.com, 1 +lobiancocucina.com, 1 +lobin21.com, 1 +lobivia.de, 1 +lobmedya.com, 1 +lobocapoeira.tk, 1 +lobosdomain.ddns.net, 1 +lobosdomain.hopto.org, 1 +lobosdomain.no-ip.info, 1 +lobsangstudio.com, 1 +lobstr.co, 1 +loc-gauthier.fr, 1 +loca-voiture.fr, 1 +locabir.cf, 1 +locadoraequiloc.com.br, 1 +local-insight.com, 1 +local-shop.com, 1 +local360.net, 1 +localassocier.tk, 1 +localbandz.com, 1 +localbiketrader.com, 1 +localbitcoins.com, 1 +localblitz.com, 1 +localbouncycastle.com, 1 +localcdn.org, 1 +localcleann.uk, 1 +localcrew.nl, 1 +localcryptos.com, 1 +locald.at, 1 +localdating.ml, 1 +localdigitaldesign.com, 1 +localethereum.com, 1 +localexpert.realestate, 1 +localexpress.io, 1 +localhandyman.work, 1 +localhorst.duckdns.org, 0 +localisedseo.com, 1 +localize.live, 1 +localized.tk, 1 +localizejs.com, 1 +localizestaging.com, 1 +locall.cf, 1 +locallandscape.services, 1 +locallawfirms.com, 1 +locallhost.me, 1 +localmonero.co, 1 +localnetwork.nz, 1 +localnode.net, 1 +localops.co, 1 +localplumber-uk.com, 1 +localprideart.com, 1 +localprivatediary.com, 1 +localrvs.com, 1 +localsearch.homes, 1 +localseo.ltd, 1 +localseogurus.com, 1 +localseorepair.co, 1 +localseorepair.design, 1 +localseorepair.ltd, 1 +localseorepair.network, 1 +localseorepair.rocks, 1 +localseorepair.services, 1 +localseorepair.world, 1 +localserver.ca, 1 +localspot.pl, 1 +localstartupfest.id, 1 +localstudio.tk, 1 +localtownhouses.ga, 1 +locape.com.br, 1 +locapos.com, 1 +locas.me, 1 +locatecellphone.gq, 1 +locatemypain.com, 1 +location-appartement-dakar.com, 1 +location-fichier-email.com, 1 +location-vacances-campello.com, 1 +location-vacances-croatie.tk, 1 +location-vacances.biz, 1 +locationkaraokemontreal.com, 1 +locationkaraokeottawa.com, 1 +locationkaraokequebec.com, 1 +locationmarrakechvoiture.com, 1 +locations.tk, 1 +locationsiledyeu.fr, 1 +locationvoitureallemagne.com, 1 +locationvoitureangleterre.com, 1 +locationvoitureaustralie.com, 1 +locationvoitureautriche.com, 1 +locationvoiturebelgique.com, 1 +locationvoiturecorse.net, 1 +locationvoitureespagne.com, 1 +locationvoiturefinlande.com, 1 +locationvoitureislande.com, 1 +locationvoitureitalie.com, 1 +locationvoiturenorvege.com, 1 +locationvoiturepaysbas.com, 1 +locationvoitureportugal.com, 1 +locationvoituresuede.com, 1 +locatornet.ga, 1 +locatorplus.gov, 1 +locauxrama.fr, 1 +locchat.com, 1 +loceryl.cl, 1 +lochlans.com, 1 +lochloco.tk, 1 +lock-expert.de, 0 +lock.me, 1 +lock23.ca, 1 +lockaby.org, 1 +lockdownfm.live, 1 +lockemower.com, 1 +locker.plus, 1 +locker3.com, 1 +lockerroomstories.com, 1 +locketurf.com, 1 +lockings.uk, 1 +locklegal.com, 1 +lockless.tk, 1 +locklock.com.br, 1 +locklockbrasil.com.br, 1 +locknlock.com.br, 1 +locknlockbrasil.com.br, 1 +lockoutgroup.com, 1 +lockpick.nl, 1 +lockpicks.se, 1 +lockr.jp, 1 +locksmith-durbannorth.co.za, 1 +locksmithbalchsprings.com, 1 +locksmithdearborn.com, 1 +locksmithdriftwood.com, 1 +locksmithedenvale24-7.co.za, 1 +locksmithedmonds.com, 1 +locksmithforcarshoustontx.com, 1 +locksmithgarland-tx.com, 1 +locksmithglenvista.co.za, 1 +locksmithgrapevinetx.com, 1 +locksmithhillcrest.co.za, 1 +locksmithlakewaytx.com, 1 +locksmithlivoniami.com, 1 +locksmithmadisonheights.com, 1 +locksmithmesquitetexas.com, 1 +locksmithmidrand24-7.co.za, 1 +locksmithmissouricity.com, 1 +locksmithsammamishwa.com, 1 +locksmithsanantoniotexas.com, 1 +locksmithsbluff.com, 1 +locksmithsbuda.com, 1 +locksmithscottsdaleaz.com, 1 +locksmithservice-houston.com, 1 +locksmithsinsanantoniotx.com, 1 +locksmithspring.com, 1 +locksmithspringtx.com, 1 +locksmithssanmarcostx.com, 1 +locksmithstaffordtx.com, 1 +locksmiththewoodlands.com, 1 +locksoflove.org, 1 +locksport.org.nz, 1 +lockwoodchristmastreefarm.com, 1 +loco-concepts.nl, 1 +loco-socials.nl, 1 +loco.gg, 1 +locomotionds.com, 1 +locomotiv.tk, 1 +locomotive.ca, 1 +locomotiveworks.co.uk, 1 +locoroom.com, 1 +locoserver.net, 1 +locspec.com.au, 1 +locstars.com, 1 +locus-cell.com, 1 +locus-dashboard.com, 1 +locus.ml, 1 +locus.tk, 1 +locustvalleyvet.com, 1 +locutusvader.com, 1 +lodash.com, 0 +loddeke.eu, 1 +lode.li, 1 +lode.tk, 1 +lodela.ru, 1 +lodestarss.com, 1 +lodewijkict.nl, 1 +lodewillems.com, 1 +lodger.cf, 1 +lodki-pvh.com, 1 +lodni.site, 1 +lodongxu.com, 1 +lodosswar.tk, 1 +lodus.io, 1 +loekkoopmans.tk, 1 +loeklommers.nl, 1 +loekvormgeving.nl, 1 +loenshotel.de, 1 +loesje.nl, 1 +loew.de, 1 +lofirmo.com, 1 +loforo.com, 1 +loft.com.br, 1 +lofttravel.com, 1 +loftyideas.ml, 1 +loftymedia.ca, 1 +lofw.tk, 1 +log.moe, 1 +log.pw, 0 +log4shell.org, 1 +logactiond.org, 1 +logal.media, 1 +logalot.com, 1 +loganandmaria.com, 1 +logancapital.com, 1 +logancooper.jp, 1 +logancountyks.gov, 1 +logancountyky.gov, 1 +logancountyohio.gov, 1 +loganengineeroh.gov, 1 +loganhealthohio.gov, 1 +logankpaschke.com, 1 +loganmarchione.com, 1 +loganmarchione.rocks, 1 +loganparkneighborhood.org, 1 +loganscene.tk, 1 +logart.tk, 1 +logay.com.br, 1 +logbook.ch, 1 +logbot.info, 1 +logcat.info, 1 +logdoc.tk, 1 +loge.fr, 1 +logement.com, 1 +logement.tk, 1 +logevou-immobilier.tk, 1 +logexplorer.net, 1 +logfile.at, 1 +logfile.ch, 1 +logfinish.com, 1 +logfro.de, 1 +logheavenvt.com, 1 +logic8.ml, 1 +logical-invest.com, 1 +logicalgassolutions.co.uk, 1 +logicalperformance.com, 1 +logicchen.com, 1 +logicdream.tk, 1 +logicgate.com, 1 +logiciel-entreprise-seurann.fr, 1 +logicielscrm.fr, 1 +logicintel.com, 1 +logicio.ch, 0 +logicio.de, 0 +logicio.net, 0 +logicne-hise.si, 1 +logicnets.com, 1 +logico.ar, 1 +logicsale.com, 1 +logicsale.de, 1 +logicsale.fr, 1 +logicsale.it, 1 +logicz.top, 1 +logimap.cz, 1 +login.corp.google.com, 1 +login.gov, 1 +login.launchpad.net, 1 +login.ooo, 1 +login.raiffeisen.ch, 1 +login.sapo.pt, 1 +login.ubuntu.com, 1 +login.yahoo.com, 0 +logingate.hu, 1 +loginsecure.eu, 1 +loginvovchyk.ru, 1 +loginwithmc.com, 1 +logipdv.pt, 1 +logismarket.com, 1 +logismn.gov, 1 +logisparte.com, 1 +logitel.de, 1 +logitheque.tk, 1 +logitracgps.com, 1 +logitrack.tk, 1 +loglineargroup.com, 1 +logndetektor-test.no, 1 +lognetjobs.co.uk, 1 +logodestekhatti.net, 1 +logodevir.biz, 1 +logodevir.org, 1 +logoenvue.fr, 1 +logoesun.com, 1 +logofiyati.com, 1 +logoglo.com, 1 +logoku.com, 1 +logolabben.cf, 1 +logolando.tk, 1 +logomarket.jp, 1 +logon-int.com, 1 +logopaedie-millian.de, 1 +logopaedie-sandkrug.de, 1 +logopaediereinhard.de, 0 +logopedickyden.cz, 1 +logopedie-direct.nl, 1 +logopedietaalrijk.nl, 1 +logopedista.roma.it, 1 +logopedistalanni.it, 1 +logopoeia.com, 1 +logoprofi.tk, 1 +logosnet.com.br, 1 +logosradio.tk, 1 +logostock.jp, 1 +logowik.com, 1 +logram.io, 1 +lograr.me, 1 +logrhythm.com, 1 +logtalk.org, 1 +logtenberg.eu, 1 +logue.media, 1 +logue.tk, 1 +logwise.com, 1 +logydice.com, 1 +logze.nl, 1 +lohanaflores.com.br, 1 +loheprobado.com, 1 +lohkoketju.fi, 1 +lohmeyer.cc, 1 +lohnsteuerhilfe-essen.de, 1 +lohocla.org, 1 +lohr.me, 1 +loic-raymond.fr, 1 +loiit.ga, 1 +loire-en-bateau.fr, 1 +loirevalley.co, 1 +lois-bullion.com, 1 +lois.cf, 1 +loisircreatif.net, 0 +loja-meltech.com.br, 1 +lojaapi.com, 1 +lojaapoio.com.br, 1 +lojabeeways.com.br, 1 +lojadafloresta.pt, 1 +lojadamimo.com.br, 1 +lojadanidrea.com.br, 1 +lojadarenda.com.br, 1 +lojadelicatojatai.com.br, 1 +lojadesomautomotivo.com.br, 1 +lojadewhisky.com.br, 1 +lojadoarcomprimido.com.br, 1 +lojadoprazer.com.br, 1 +lojadosirmaos.com.br, 1 +lojadosomautomotivo.com.br, 1 +lojaestacaosaopedro.com.br, 1 +lojafilipaper.com.br, 1 +lojaflordelaranjeira.com.br, 1 +lojagravataria.com.br, 1 +lojahbk.com.br, 1 +lojahendel.com.br, 1 +lojahunamarcenaria.com.br, 1 +lojak2.com.br, 1 +lojal19.com.br, 1 +lojamagicalx.com, 1 +lojamultplick.com.br, 1 +lojaodo9.com.br, 1 +lojaprimemed.com.br, 1 +lojaprojetoagua.com.br, 1 +lojasoulstyle.com.br, 1 +lojasvictoria.com.br, 1 +lojasvirtuaisesites.com.br, 1 +lojatema.com.br, 1 +lojaterrazul.com.br, 1 +lojatudomi.com.br, 1 +lojausapel.com.br, 1 +lojavirtualdopsicopedagogo.com.br, 1 +lojavirtualinfopaper.com.br, 1 +lojavisamed.com.br, 1 +lojaxo.com.br, 1 +lojistaguarani.com.br, 1 +lojix.com, 0 +lojj.pt, 1 +lokace.eu, 1 +lokan.id, 1 +lokinet.org, 1 +lokjagruktafoundation.com, 1 +lokmon2.eu, 1 +lokomotivaplzen.cz, 1 +lokys.de, 1 +lola.by, 1 +lolacandy.com, 1 +lolalacita.net, 1 +lolalohse.com, 1 +lolas-vip.com, 1 +lolaseuropeancafe.com, 1 +lolbird.tk, 1 +lolcats.cat, 1 +lolchat.tk, 1 +lolcloud.ru, 1 +lolcorp.pl, 1 +lolcosplay.ga, 1 +lolcow.farm, 1 +loldudes.com, 1 +lolfinity.com, 1 +lolfunny.tk, 1 +loli.art, 1 +loli.cam, 1 +loli.com, 1 +loli.edu.kg, 1 +loli.gallery, 1 +loli.io, 1 +loli.net, 1 +loli.ovh, 1 +loli.pet, 1 +loli.win, 1 +loli.world, 1 +loliblogs.cf, 1 +loliblogs.ga, 1 +loliblogs.gq, 1 +loliblogs.ml, 1 +lolibrary.org, 1 +lolic.xyz, 1 +lolicon.eu, 1 +loliel.tk, 1 +lolifamilies.cf, 1 +lolifamilies.ga, 1 +lolifamilies.gq, 1 +lolifamilies.tk, 1 +lolifamily.cf, 1 +lolifamily.ga, 1 +lolifamily.gq, 1 +lolifamily.js.org, 1 +lolifamily.ml, 1 +lolifamily.tk, 1 +lolifox.cf, 1 +loliloli.moe, 1 +loliloli.net, 1 +loliloli.top, 1 +lolinfo.ga, 1 +lolinya.link, 1 +lolio.tw, 1 +loliotero.com, 1 +lolipops.ga, 1 +lolis.stream, 1 +lolitalechat.com, 1 +lolivpn.com, 1 +lolkot.ru, 1 +lolli8.com, 1 +lollipopo69.net, 1 +lollypop.tk, 1 +lollysmalls.com, 1 +lollyteam.tk, 1 +lolmania.tk, 1 +lolnet.tk, 1 +lolnews.cf, 1 +lolnews.ga, 1 +lolnews.tk, 1 +lolo17.com, 1 +lols.gg, 1 +lolware.net, 1 +lom.name, 0 +loma.ml, 1 +lomaster.tk, 1 +lomayko.ml, 1 +lombard.co.uk, 1 +lombard.ie, 1 +lombardiaeconomy.it, 1 +lomex.tk, 1 +lomgo.cf, 1 +lomgo.ga, 1 +lomgo.gq, 1 +lommeregneren.dk, 1 +lommers.org, 1 +lommyfleet.com, 1 +lomond.com.au, 1 +lomuarredi.com, 1 +lomza.tk, 1 +lon-so.com, 1 +lona.io, 1 +lonasdigital.com, 1 +lonavla.tk, 1 +loncarlyonjenkins.com, 1 +london-design.co.uk, 0 +london-electricians.com, 1 +london-mafia.tk, 1 +london-transfers.com, 1 +londoncarpetcleaningltd.co.uk, 1 +londonderrynh.gov, 1 +londonderrynhfire.gov, 1 +londonderrynhpd.gov, 1 +londonelects.org.uk, 1 +londongynaecologist.co, 1 +londonhealthcare.ga, 1 +londonhealthcare.tk, 1 +londonjob.tk, 1 +londonkan.jp, 1 +londonkeyholdingcompany.co.uk, 1 +londonmoneyman.com, 1 +londonnorthwesternrailway.co.uk, 1 +londonpropertymatch.com, 1 +londonschool.mx, 1 +londonseedcentre.co.uk, 1 +londonsoccer.tk, 1 +londontrivia.gq, 1 +londontwpmi.gov, 1 +londonvetspecialists.vet, 1 +londonwomensclinic.com, 1 +londrihost.com.br, 1 +londynelliot.com, 1 +lone-gunman.be, 1 +lone-wolf.tk, 1 +lonely.moe, 1 +lonelyhaoss.com, 1 +lonelyion.com, 1 +lonelypawn.com, 1 +lonelys.se, 1 +lonelytweets.com, 1 +lonelyworld.co.uk, 1 +lonelyworld.tk, 1 +loneronin.tk, 1 +lonerwolf.com, 0 +lonesomecosmonaut.com, 1 +lonestarpediatricdental.com, 1 +lonestarrott.com, 1 +lonewolftech.ga, 1 +long-8.com, 1 +long-9.com, 1 +long-journey.com, 1 +long008.com, 1 +long0310.com, 1 +long0311.com, 1 +long0317.com, 1 +long0318.com, 1 +long0355.com, 1 +long0377.com, 1 +long0398.com, 1 +long0536.com, 1 +long0538.com, 1 +long0539.com, 1 +long0555.com, 1 +long0556.com, 1 +long0728.com, 1 +long0776.com, 1 +long08.com, 1 +long0818.com, 1 +long0877.com, 1 +long0878.com, 1 +long0897.com, 1 +long0898.com, 1 +long0976.com, 1 +long0999.com, 1 +long100.vip, 1 +long113.com, 1 +long266.com, 1 +long68.net, 1 +long688.com, 0 +long8032.com, 1 +longbeachms.gov, 1 +longbeachroleplay.de, 1 +longboatlocal.com, 1 +longbridge.hk, 1 +longbsants.com, 1 +longchampgirls.tk, 1 +longcountyga.gov, 1 +longcovid.academy, 1 +longcovid.blog, 1 +longcovid.forum, 1 +longenyc.com, 1 +longest.tk, 1 +longevityfaq.com, 1 +longevitywi.com, 1 +longflexing.com, 1 +longfordlodge.tk, 1 +longhaircareforum.com, 1 +longhairworld.tk, 1 +longhorn-imports.com, 1 +longhorn.id.au, 1 +longiminus.tk, 1 +longislandbusiness.info, 1 +longislanddigestive.com, 1 +longislandsewerandwatermain.com, 1 +longlakeny.gov, 1 +longlanearchitects.co.uk, 1 +longlink.tk, 1 +longlivehongkong.com, 1 +longma.pw, 1 +longma168.cn, 1 +longma168.com, 1 +longmeadowma.gov, 1 +longmontnetworking.com, 1 +longmontwaterheaters.com, 1 +longoconsulting.us, 1 +longpaddock.qld.gov.au, 1 +longportpd.org, 1 +longstride.net, 1 +longtermcare.gov, 1 +longtermrentalsportugal.com, 1 +longviewnc.gov, 1 +longwoodwrestling.com, 1 +lonleymoon.tk, 1 +lonniec.com, 1 +lonniemason.net, 1 +lonokedistrictcourtar.gov, 1 +lonslai.com, 1 +lonza.ch, 1 +lonza.com, 1 +lonzagroup.net, 1 +loober.tk, 1 +look-books.tk, 1 +look-info.tk, 1 +look-like.tk, 1 +lookae.com, 0 +lookagain.co.uk, 1 +lookasik.eu, 1 +lookastic.com, 1 +lookastic.de, 1 +lookastic.es, 1 +lookastic.fr, 1 +lookastic.ru, 1 +lookathernow.com, 1 +lookatmysco.re, 1 +looker.wang, 0 +lookflyfares.com, 1 +lookie.ml, 1 +lookitdesign.com, 1 +lookscanned.io, 1 +lookshops.cn, 1 +lookshops.com, 1 +looksmax.org, 1 +lookup-dns.net, 1 +loomi.tv, 1 +loomis.center, 1 +loonbedrijfdenboer.nl, 1 +loonbedrijfwierda.nl, 1 +looneymooney.com, 1 +loonindex.be, 1 +loonylatke.com, 1 +loop.co.id, 1 +loopback.kr, 1 +loopcore.de, 1 +loopgolf.co, 0 +loophq.com, 1 +loopingtag.eu, 1 +loopingz.com, 1 +loopkey.com.br, 1 +loopool.tk, 1 +looseleafsecurity.com, 1 +lootdog.io, 1 +loothole.com, 1 +loots.eu, 1 +lootslot.com, 1 +lootstudios.com, 1 +loottitan.com, 1 +looxent.com, 1 +lopendvuurtje.tk, 1 +lopes.at, 1 +lophtalmo.cc, 1 +lopia.jp, 1 +loplovers.tk, 1 +loposchokk.com, 1 +lopp.net, 1 +loqu8.com, 1 +loquo.com, 1 +loqyu.co, 1 +lor.kharkov.ua, 1 +loraincountyohio.gov, 1 +loraincountyrecorder.gov, 1 +lorasong.com, 1 +loratadine10mg.gq, 1 +lorbooks.tk, 1 +lorcalive.co.uk, 0 +lorcamadrid.tk, 1 +lorcanaplayer.com, 1 +lord-design.tk, 1 +lord-of-forex.tk, 1 +lord-voldemort.tk, 1 +lordar.tk, 1 +lordbyron.tk, 1 +lordcaos.tk, 1 +lorddominion.tk, 1 +lordfutbol.tk, 1 +lordgandalf.nl, 1 +lordgrant.tk, 1 +lordkrishna.tk, 1 +lordlink.net, 1 +lordmusic.tk, 1 +lordofcbd.fr, 1 +lordofthecraft.tk, 1 +lordschimney.com, 1 +lordsesshoumaru.tk, 1 +lordshaokahn.tk, 1 +lordskate.tk, 1 +lordusa.com, 1 +lore.azurewebsites.net, 1 +loreedeslandes.com, 1 +loremipsum.info, 1 +lorena-salido.tk, 1 +lorenadumitrascu.ro, 1 +lorengraff.net, 1 +lorenstudioo.com, 1 +lorenz-hundler.co, 1 +lorenzgoossens.be, 1 +lorenzocampagna.myqnapcloud.com, 1 +lorenzodallaga.com, 1 +lorenzodeangelis.tk, 1 +lorenzoprinci.com, 1 +loreofthenorth.com, 1 +loreofthenorth.net, 1 +loreofthenorth.nl, 1 +loricozengeller.com, 1 +lorimar.bg, 1 +lorimullins.com, 1 +lorine.tk, 1 +lorisfnotary.com, 1 +loritaboegl.de, 1 +lorn.tk, 1 +lornabenes.com, 1 +lornategeorge.tk, 1 +lornosa.com, 1 +lorqui.tk, 1 +lorucreative.fi, 1 +los-diablos.tk, 1 +los11mandamientos.tk, 1 +losangelescarpetcleaning.com, 1 +losangelesduiattorney.com, 1 +losangelesprivatejets.com, 1 +losangelestown.com, 1 +losartesanos.cl, 1 +losaucas.tk, 1 +losbandidosdelahoya.tk, 1 +losblancosalbania.cf, 1 +losbunkerschile.tk, 1 +loscamaradasmc.net, 1 +loschilums.tk, 1 +loschuchos.tk, 1 +losconsoladores.com, 1 +losdelapobla.tk, 1 +losdelcyber.tk, 1 +losdelsotano.tk, 1 +losderover.be, 1 +losdeshollinadores.es, 1 +losdingos.tk, 1 +losdisidentes.tk, 1 +losdrogatones.tk, 1 +lose-weight-now.ml, 1 +losedata.tk, 1 +losemperadores.tk, 1 +loser.wtf, 1 +losespiritus.tk, 1 +loseweightbaby.tk, 1 +loseweightin5days.tk, 1 +losfiesteros.tk, 1 +losflamers.tk, 1 +losfugitivos.tk, 1 +losfuocos.tk, 1 +losgastricos.cl, 1 +losgringos.tk, 1 +loshalcones.tk, 1 +loshogares.mx, 1 +losinterrogantes.com, 1 +losjardines.tk, 1 +loslegendarios.tk, 1 +losless.fr, 1 +loslunesalrock.tk, 1 +losmaniatikos.tk, 1 +losmedicamentos.net, 0 +losmejoresgadgets.info, 1 +losmiserables.tk, 1 +losmolinos.tk, 1 +losnervios.tk, 1 +loson.cz, 1 +losopkos.tk, 1 +lospadrinosmagicos.tk, 1 +lospegotes.tk, 1 +lospozuelos.tk, 1 +losratonescoloraos.tk, 1 +losrosales.tk, 1 +losrso.tk, 1 +loss.no, 1 +lossaicos.tk, 1 +lossandthemourningafter.com, 0 +lost-bit.tk, 1 +lost-illusions.tk, 1 +lost-perdidos-hiatus.tk, 1 +lostandfound.mu, 1 +lostandfoundmember.com, 1 +lostandfoundsoftware.com, 1 +lostarkstats.com, 1 +lostarq.com, 1 +lostbubblegame.com, 1 +lostcork.com, 1 +lostcosmonaut.cc, 1 +lostfest.co.uk, 1 +lostfield.tk, 1 +lostfilm-tv.ru, 1 +lostgeek.de, 0 +losthighway.tk, 1 +lostinfilm.org.uk, 1 +lostinfood.co.uk, 1 +lostinlove.tk, 1 +lostinside.tk, 1 +lostinweb.eu, 0 +lostkeys.co.uk, 1 +lostluma.net, 1 +lostproperty.org, 1 +lostprophetschile.tk, 1 +lostsandal.com, 1 +lostserial.cf, 1 +lostserver.com, 1 +loststudios.net, 1 +losttv.tk, 1 +lostwithdan.com, 1 +lostwithiel.org.uk, 1 +lostwithielcommunitycentre.org.uk, 1 +lostwithielu3a.org.uk, 1 +lostwoods.tk, 1 +losviajesdequimyelena.com, 1 +losyandex.tk, 1 +loszucoz.tk, 1 +lotc.cc, 1 +loteamentoabertocapivari.com.br, 1 +lotekk.gq, 1 +lotereiki.tk, 1 +loteriasdominicana.com.do, 1 +lothai.re, 1 +lothlorien.ca, 0 +lotimena.com, 1 +lotl.ru, 1 +lotn.mobi, 1 +lotnonline.com, 1 +lotnonline.net, 1 +lotnonline.nl, 1 +loto-king.com, 1 +lotocash.com, 1 +lotoperu.com, 1 +lotoquine.io, 1 +lotos-ag.ch, 1 +lotro-wiki.com, 1 +lottarewards247.com, 1 +lottcarey.org, 1 +lotteo.com, 1 +lotteryking.net, 1 +lotto.com, 1 +lotto.gt, 1 +lotto.ht, 1 +lotto.monster, 1 +lottobazar.com, 1 +lottodatabase.com, 1 +lottohoy.com, 1 +lottolive24.com, 1 +lottologics.com, 1 +lottolooting.com, 1 +lottomat.com, 1 +lottomonks.com, 1 +lottonigeria.com, 1 +lottopark.com, 1 +lottos.com.au, 1 +lottosonline.com, 1 +lottothaipro.com, 1 +lottoxworld.com, 1 +lottozambia.com, 1 +lotusbook247.com, 1 +lotusdiving.net, 1 +lotuselise.tk, 1 +lotusweb.tk, 1 +lotuswebsolutions.tk, 1 +lotw.de, 1 +lou.ist, 1 +lou.lt, 1 +louange-reconvilier.ch, 0 +louboutin.tk, 1 +louboutinshoessale.tk, 1 +loud-dragon.tk, 1 +loudcloudhealth.com, 1 +louddesignstudios.com, 1 +louderfaster.co.uk, 1 +loudersent.ga, 1 +loudly.com, 1 +loudmouth.tk, 1 +loudontn911.gov, 1 +louerunhacker.fr, 1 +louest.ch, 1 +loueurmeublegestion.expert, 1 +louhiranta.fi, 1 +louhomeworkouts.com, 1 +louisa.tk, 1 +louisacounty.gov, 1 +louisacountyia.gov, 1 +louisapolicefoundation.com, 1 +louisapolicefoundation.org, 1 +louisdefunes.tk, 1 +louisefar.tk, 1 +louisemisellinteriors.co.uk, 1 +louiserutkowski.tk, 1 +louisianalifesciences.gov, 1 +louisianamo.gov, 1 +louisianamusicfactory.com, 1 +louisiananetzero.gov, 1 +louisianarural.gov, 1 +louisianassbci.gov, 1 +louisroyer.ovh, 1 +louisville.gov, 1 +louisvillecarguys.com, 1 +louisvilleconnections.ga, 1 +louisvillefilmfestival.org, 1 +louisvillene.gov, 1 +louisvilleohio.gov, 1 +louiza.tk, 1 +loujaxx.net, 1 +loukas-stoltz.fr, 1 +loukkos.ma, 1 +loune.net, 1 +lounge.guide, 1 +loungecafe.net, 1 +loungecafe.org, 1 +loungepass.com, 1 +loupcountyne.gov, 1 +lourdes.love, 1 +lourdesigns.tk, 1 +lourencolar.com, 1 +lourissa.tk, 1 +lourorestaurante.pt, 1 +loursaint.tk, 1 +lousingchaphu.com, 1 +lousoyolos.fr, 1 +loutro.tk, 1 +louwlemmer.com, 1 +louyu.cc, 1 +lov4affiliate.com, 1 +lovcasino.com, 1 +love-and-hate.cf, 1 +love-books.ga, 1 +love-navigator.tk, 1 +love-palestine.com, 1 +love-planeta.tk, 1 +love-sent.com, 1 +love-spells-tarot.com, 1 +love4musik.com, 1 +love4taylor.eu.org, 1 +love4taylor.xyz, 1 +loveai.org, 0 +loveamber.me, 1 +loveandloyalty.se, 1 +lovebeingsexy.co.uk, 1 +lovebigisland.com, 1 +lovebirdhut.tk, 1 +lovebo9.com, 1 +lovebo9.net, 1 +lovebombed.wtf, 1 +lovebug.beauty, 1 +lovechester.com, 1 +lovecrystal.co.uk, 1 +lovecsnov.tk, 1 +lovedaleschool.tk, 1 +lovedutch.tk, 1 +lovegpl.com, 1 +lovehairstyles.com, 1 +loveherass.com, 1 +loveholidays.com, 1 +loveinabox.pt, 1 +loveismore.de, 0 +loveismore.es, 0 +loveismore.eu, 0 +loveismore.fr, 0 +loveismore.it, 0 +loveismore.org, 0 +loveismore.pl, 0 +loveismore.ru, 0 +loveismore.sk, 0 +loveismystyle.tk, 1 +loveisourweapon.com, 1 +lovejms.com, 1 +lovejoymethodist.org, 1 +lovelandelec.com, 1 +lovelee.tk, 1 +lovelens.li, 0 +loveless.ml, 1 +lovelive-anime.jp, 1 +lovelive-anime.tk, 1 +lovelive.us, 1 +lovelivewiki.com, 1 +lovell.co.uk, 1 +lovellgov.com, 1 +lovelybook4u.gq, 1 +lovelyfamilymm.com, 1 +lovelylanguedoc.com, 1 +lovelytimes.net, 1 +lovemaker.se, 1 +lovemanagementaccounts.co.uk, 1 +lovemasjid.com, 1 +lovememories.cf, 1 +lovemen.cc, 1 +lovemiku.info, 1 +lovemoon.tk, 1 +lovemybubbles.com, 1 +lovenet.tk, 1 +loveni.me, 1 +lovenwishes.com, 1 +loveplanets.tk, 1 +lover-bg.com, 1 +lovereligion.tk, 1 +loverepublic.ru, 1 +loverngifts.com, 1 +loverussiangirls.tk, 1 +loveshop.pt, 1 +lovesmagical.com, 0 +lovesquirting.com.br, 1 +lovessentials.com, 1 +lovetablecloths.co.uk, 1 +lovetarot.jp, 1 +lovethatmakeup.tk, 1 +lovetheprint.co.za, 1 +lovetime.co.il, 1 +lovetowork.tk, 1 +loveuno.com, 1 +loveweddingphotosandfilm.co.uk, 0 +loveyouhome.ua, 1 +lovg.ren, 1 +lovi.at, 1 +lovin.ga, 1 +lovin.tk, 1 +loving-house.com, 1 +lovingbody.yoga, 1 +lovink.net, 1 +lovinoes.de, 1 +lovlyhorses.tk, 1 +lovlyluna.net, 1 +lovlyluna.org, 1 +lovstabanan.se, 1 +low-battery.tk, 1 +low-diets.com, 1 +lowcarbdietmealsmsk.ga, 1 +lowcarbspark.com, 1 +lowcosthost.cf, 1 +lowcostivf.net, 1 +lowcostwire.com.au, 1 +lowell85.com, 1 +lowendblog.com, 1 +loweporn.com, 1 +lower-level.tk, 1 +lower.nu, 1 +lowerchancefordtwppa.gov, 1 +lowercostcalls.com, 1 +lowermydrinking.com, 1 +lowerpricefinder.com, 1 +lowerthetone.com, 1 +lowesprotect.com, 1 +lowlab.io, 1 +lowlevelmusic.com, 1 +lowmagnitude.com, 1 +lowndes-al.gov, 1 +lowriderz.tk, 1 +lowsec.space, 1 +lowtempind.com, 1 +loyaleco.it, 1 +loyaliplaw.com, 1 +loyaltech.ch, 1 +loyaltech.tk, 1 +loyaltyreviewers.ga, 1 +loyisa.cn, 1 +loyloy.net, 1 +loyolahs.edu, 1 +loyverse.town, 1 +lozhka-mernaya.tk, 1 +lp-support.nl, 0 +lp177.fr, 1 +lpc.fun, 1 +lpcd-lafla.gov, 1 +lpcdops-lafla.gov, 1 +lpchemicalsolution.tk, 1 +lpcom.de, 1 +lpdp.photo, 1 +lpemprestimos.online, 1 +lpfan.tk, 1 +lph.saarland, 1 +lphispano.tk, 1 +lpiem.fr, 1 +lpkosovo.tk, 1 +lplbullets.com, 1 +lpmkonji.cf, 1 +lpnjobsite.com, 1 +lpnm.us, 1 +lps.in.ua, 1 +lpsolutions.com, 1 +lpt-nebreziny.cz, 1 +lpt-nebreziny.eu, 1 +lptami.gov, 1 +lqa.org.uk, 1 +lqd.plus, 1 +lqhi.cn, 1 +lqy.me, 1 +lr-expert.ru, 1 +lra-cloud.de, 1 +lrbm.com, 1 +lrc.cn, 1 +lrcr.ch, 0 +lrfix.com, 1 +lricountry.com, 1 +lriese.ch, 1 +lrn.com, 1 +lroc.com.au, 1 +lrp-autorecycling.de, 1 +lrq.icu, 1 +lrssystems.com, 1 +lrumeq.com, 1 +lrv-grobbendonk.tk, 1 +ls-alarm.de, 1 +lsbricks.com, 1 +lsbttiq.org, 1 +lsc-dillingen.de, 1 +lsc-mn.gov, 1 +lsc.ee, 1 +lsc.moe, 1 +lscache.de, 1 +lsd.cat, 1 +lsdev.biz, 1 +lsfnet.org, 1 +lsg2021acm.com, 1 +lshiy.com, 1 +lshydrogenmethane.cz, 1 +lskgreenacquisition.com, 1 +lskgreencomponent.com, 1 +lskgreendevelop.com, 1 +lskgreenenergy.com, 1 +lskgreengroup.cz, 1 +lslbc.gov, 1 +lspdonline.gq, 1 +lsquared.com, 1 +lsquo.com, 1 +lsscreens.de, 1 +lstlx.com, 1 +lstma.com, 1 +lstu.tk, 1 +lsupg.com, 1 +lsxteam.tk, 1 +lsy.cn, 1 +lsys.ac, 1 +lszj.com, 1 +lt.search.yahoo.com, 0 +lt27.de, 1 +ltaake.com, 1 +ltailshort.tk, 1 +ltba.org, 1 +ltcfeds.com, 1 +ltcwaterwijk.nl, 1 +ltdev.im, 1 +ltecode.com, 1 +ltgc.cc, 1 +lthcastings.com, 0 +ltheinrich.de, 1 +ltib.com.au, 1 +ltime.ml, 1 +ltlec.cn, 1 +ltlec.com, 0 +ltlec.net, 1 +ltlec.services, 1 +ltls.org, 1 +ltmw.xyz, 1 +ltn-tom-morel.fr, 1 +ltn.pw, 1 +lto.ru, 1 +ltonlinestore.in, 0 +ltransferts.com, 1 +ltservers.net, 1 +lty.best, 1 +lty.space, 1 +ltycode.org, 1 +lu-rp.es, 1 +lu.search.yahoo.com, 0 +lu0.org, 1 +lu2343.com, 1 +luacustica.tk, 1 +luademelsexshop.com, 1 +lual.tk, 1 +luanvancaohoc.com, 1 +luanxt.tk, 1 +luathungson.vn, 1 +lubar.me, 1 +lubosabo.tk, 1 +lubot.net, 1 +lubotodorov.com, 1 +lubrind.com, 1 +luc-nutrition.tk, 1 +luc-oberson.ch, 0 +luc.li, 1 +luca-app.de, 1 +luca-steeb.com, 1 +lucaconrads.de, 1 +lucade.ddns.net, 0 +lucafontana.net, 1 +lucafrancesca.me, 1 +lucakrebs.de, 1 +lucaplus.com, 1 +lucarautti.com, 1 +lucarelli.fr, 1 +lucas.pet, 1 +lucasartsclassics.com, 1 +lucasbastos.com, 1 +lucasbergen.ca, 1 +lucascantor.com, 1 +lucascaton.com.br, 1 +lucascosta-ido.ml, 1 +lucascountyohiovotes.gov, 1 +lucasdamasceno.com, 1 +lucasem.com, 1 +lucasferraz.com.br, 1 +lucasg.org, 1 +lucasgymnastics.com, 1 +lucasjag.com.br, 1 +lucaslarson.net, 1 +lucasmateus.ga, 1 +lucasmz.eu.org, 1 +lucasvieira.fr, 1 +lucciolachile.com, 1 +lucdethier.be, 1 +luce.life, 1 +lucentioluo.space, 1 +lucentt.co.nz, 1 +lucenttour.tk, 1 +lucerin.ga, 1 +lucesledsbaratas.shop, 1 +luchalibre.tk, 1 +luchandro.tk, 1 +luchshie-experty.top, 0 +luchthavenmaastricht.nl, 1 +luchtspoor.nl, 1 +lucia-art.cf, 1 +lucia-riemer.de, 1 +lucid-light.de, 1 +lucid-reality.ch, 1 +lucidea.com, 1 +lucidframeworks.com, 1 +lucidlabs.in, 1 +lucidlink.com, 1 +lucidoccult.com, 1 +lucidplumbing.com.au, 1 +lucidya.com, 1 +lucie-parizkova.cz, 1 +lucielavickova.com, 1 +luciferblog.tk, 1 +luciferianism.tk, 1 +lucifevesdaubrac.fr, 1 +lucille-thomas.fr, 1 +lucillewillemsen.tk, 1 +luciobarcellona.it, 1 +luciogelsi.com, 1 +lucishere.cz, 1 +luciusweb.es, 1 +luckblock.net, 1 +luckblock.site, 1 +luckeyproductions.com, 1 +luckibots.de, 1 +lucklesslovelocks.com, 1 +luckmoneymyth.com, 1 +lucko.me, 1 +luckperms.net, 1 +lucksh.ga, 1 +lucksh.gq, 1 +lucksh.tk, 1 +luckwi.gov, 1 +lucky-bul.tk, 1 +lucky-frog.co.uk, 1 +lucky-time.tk, 1 +lucky13strategies.com, 1 +luckyabonent.ml, 1 +luckybeantravel.com, 1 +luckyblockland.fr, 1 +luckycasino.se, 1 +luckycastles.co.uk, 1 +luckycloud.de, 1 +luckydag.com, 1 +luckydoglodge.net, 1 +luckyemail.ml, 1 +luckyfrog.hk, 1 +luckymice.ml, 1 +luckyrent.tk, 1 +luckystorevn.com, 1 +luckyxf.com, 1 +lucloud.top, 1 +luclu7.fr, 1 +lucorautopartes.com, 1 +lucrar.pt, 1 +lucschiltz.com, 1 +luctam.com, 1 +lucychan.tk, 1 +lucyhancock.tech, 1 +lucymontebello-arte.com, 1 +lucyparsonslabs.com, 1 +lucysan.net, 1 +lucz.co, 1 +luda.me, 1 +ludasmith.co.uk, 1 +lude.tk, 1 +ludek.biz, 1 +luden.tk, 1 +ludika.tk, 1 +ludikovsky.name, 1 +ludivine-viguie.com, 1 +ludmilla.tk, 1 +ludmillaewagner.ga, 1 +ludo-giuly.tk, 1 +ludofantasy.fr, 1 +ludogogy.co.uk, 1 +ludogue.net, 1 +ludolust.tk, 1 +ludomo.de, 1 +ludong365.com, 1 +ludotech.tk, 1 +ludovic-frank.fr, 1 +ludovic-muller.fr, 1 +ludovic.com.br, 1 +ludovicfernez.com, 1 +ludovicozitelli.it, 1 +ludum-polus.xyz, 1 +ludum.pl, 1 +ludunwayoo.com, 1 +ludwig.im, 1 +ludwiggrill.de, 1 +ludwigjohnson.se, 1 +ludwigpro.net, 1 +ludwigsburger-brauhaus.de, 1 +luedeke-bremen.eu, 1 +lueersen.homedns.org, 1 +luehne.de, 1 +luematecidos.com, 1 +luematecidos.com.br, 1 +luenwarneke.com, 1 +lufa.com, 1 +luffyhair.com, 1 +luftbild-siegerland.de, 1 +luftfilterbegehren.at, 1 +lufthansa.com, 1 +luftreiniger.biz, 1 +lugandbezel.com, 1 +lugaresturisticosdeguatemala.ga, 1 +lugaway.com, 1 +luggagecare.com, 1 +lugimax.com, 1 +luginbuehl.be, 1 +luginbuehl.eu, 1 +lugobama.tk, 1 +lugros.tk, 1 +lugui.in, 1 +lui.vn, 1 +luijten.it, 1 +luinonotizie.it, 1 +luis-portfolio.es, 1 +luis.ee, 1 +luis.fi, 1 +luisa-birkner.de, 1 +luisafernandapenuela.com, 1 +luisanalopilatogrecia.tk, 1 +luisaviles.tk, 1 +luisbacher.tk, 1 +luisbustamante.mx, 1 +luisfreire.ml, 1 +luisillo.tk, 1 +luisjosesaldana.com, 1 +luismiguelcolombia.tk, 1 +luisnavarrosl.tk, 1 +luisnet.tk, 1 +luisrubiqwe.ml, 1 +luisv.me, 1 +luisvmf.com, 1 +luisvmf.tk, 1 +luisyr.com, 1 +luiza-fashion.com, 1 +luiza.ga, 1 +luizafigueiredo.com.br, 1 +luje.net, 1 +luje.nl, 1 +lujin.ml, 1 +luk.earth, 1 +luk.photo, 1 +lukas-gorr.de, 1 +lukas-meixner.com, 1 +lukas-schauer.de, 1 +lukas-webdesign.tk, 1 +lukas.im, 1 +lukas2511.de, 1 +lukasapetra.com, 1 +lukasberan.com, 1 +lukasberan.cz, 1 +lukasbures.com, 1 +lukaschiu.com, 1 +lukasfelder.tk, 1 +lukasgimberis.com, 1 +lukaskollmer.de, 1 +lukasldc.com, 1 +lukasmatuska.cz, 0 +lukasrod.cz, 1 +lukasschauer.de, 1 +lukasunger.cz, 1 +lukasunger.net, 1 +lukasw.tk, 1 +lukaswiden.com, 1 +lukaszczyk.de, 1 +lukaszderlatka.pl, 1 +lukaszuk.pl, 1 +lukaszwojcik.com, 1 +lukaszwojcik.net, 1 +lukatz.de, 1 +luke.id, 1 +luke6887.me, 1 +lukeandjesse.wedding, 1 +lukeistschuld.de, 1 +lukekuza.com, 1 +lukekuza.me, 1 +lukem.eu, 1 +lukem.net, 1 +lukeplant.me.uk, 1 +luker.org, 1 +lukersallamericanstorage.com, 1 +lukersstorage.com, 1 +lukerstorage.com, 1 +lukertech.net, 1 +lukesbouncycastlehire.com, 1 +lukestert.com, 0 +lukesutton.info, 1 +lukeswiki.eu, 1 +luketscharke.com, 1 +lukezweb.tk, 1 +lukin.ga, 1 +lukka.tk, 1 +lukmanulhakim.id, 1 +lukolab.lt, 1 +lukonet.com, 1 +lukullpizza.de, 1 +lule-kendo.tk, 1 +lullugun.net, 1 +luls.tk, 1 +luluca.com.br, 1 +luludapomerania.com, 1 +lulugold.ba, 1 +lumacurve.com, 1 +lumaesthetic.co.uk, 1 +lumapr.com, 1 +lumbardhi.tk, 1 +lumbercartel.ca, 1 +lumberjackman.tk, 1 +lumbre-encendedores.com, 1 +lumchan.tk, 1 +lumenapp.com, 1 +lumenore.com, 0 +lumentell.us, 1 +lumer.tech, 1 +lumi.com, 1 +lumien.net, 1 +lumieredesoy.com, 1 +luminal-creation.com, 1 +luminalearning.com, 1 +luminaproject.ml, 1 +luminariagames.com, 1 +luminary.pl, 1 +lumindigital.com, 0 +lumineled.se, 1 +lumingze.eu.org, 1 +luminia-informatique.fr, 1 +lumitop.com, 1 +lumixtar.com, 1 +lummi-nsn.gov, 1 +lummihealth.gov, 1 +lumminary.com, 1 +lumoa.me, 1 +lumoria.eu, 1 +lumos.gallery, 1 +lumpenrock.tk, 1 +lumpov.com, 1 +lumpy.ga, 1 +lumsa.university, 1 +lumsdens.ga, 1 +lumus-grafikdesign.de, 1 +lumweb.tk, 1 +luna-corazon.net, 1 +luna-love.net, 1 +luna.ro, 1 +lunaballoonclub.com.au, 1 +lunaburner.ml, 1 +lunaclan.tk, 1 +lunacraft.ga, 1 +lunadea.tk, 1 +lunademiel.org, 1 +lunafag.ru, 1 +lunagiftables.com, 1 +lunagrill.com, 1 +lunalove.de, 1 +lunalovely.net, 1 +lunaluna.com, 1 +lunalya.de, 1 +lunanova.moe, 1 +lunaonline.tk, 1 +lunapps.com, 1 +lunar6.ch, 0 +lunares.pl, 1 +lunarflake.com, 1 +lunarhost.cf, 1 +lunaribes.ch, 1 +lunarlog.com, 1 +lunarsoft.net, 1 +lunartail.nl, 1 +lunarum.tk, 1 +lunascope.ru, 1 +lunasqu.ee, 1 +lunastrail.com, 1 +luncfreak.com, 1 +lunchcafe-inderoos.nl, 1 +lund.se, 1 +lundlist.net, 1 +lundscape.com, 1 +lune-indigo.ch, 0 +lune.gay, 1 +lunekes.com, 1 +lunenburg-gilmanvt.gov, 1 +lunenburgva.gov, 1 +lunepieters.co.za, 1 +lunextd.com, 1 +lungta.pro, 1 +lunguflorin.ro, 1 +lungvictorycarpet.com, 1 +luniak.net, 1 +lunight.ml, 1 +lunite.net, 1 +lunite.tk, 1 +lunivertdelyne.fr, 1 +lunix.io, 1 +lunk.it, 1 +lunlixiaozhan.icu, 1 +luntadila.ga, 1 +lunulanails.nl, 1 +luochunhui.com, 1 +luoe.me, 1 +luoh.cc, 1 +luoh.me, 1 +luohua.im, 1 +luojan.com, 1 +luoli.one, 1 +luoliguan10.com, 1 +luoliguan11.com, 1 +luoliguan12.com, 1 +luoliguan13.com, 1 +luoliguan14.com, 1 +luoliguan15.com, 1 +luoliguan17.com, 1 +luoliguan18.com, 1 +luoliguan4.com, 1 +luoliguan5.com, 1 +luoliguan6.com, 1 +luoliguan9.com, 1 +luonggia.tk, 1 +luongvu.com, 0 +luongyen.com, 1 +luoshifeng.com, 1 +luotianyi.online, 1 +luowu.cc, 1 +luoxingyu.ml, 1 +lupa.cz, 1 +lupa.mk, 1 +luparacoes.com.br, 1 +lupecode.com, 1 +lupinencyclopedia.com, 1 +lupnix.org, 1 +lupocattivoblog.com, 1 +luppa.loan, 1 +lupriflex.com, 1 +luqsus.pl, 1 +luripump.se, 1 +lurishop.com.br, 1 +lurkmirror.ml, 1 +lushclub.tk, 1 +lushersolutions.com, 1 +lushnikov-alex.ru, 1 +lushnja.tk, 1 +lusis.fr, 1 +lusitom.com, 1 +luso-livros.net, 1 +lusoft.cz, 1 +lusosider.pt, 1 +lusson.fr, 1 +lust.works, 1 +lustanslakejer.tk, 1 +lusteniny.cz, 1 +lustgarten.org, 1 +lustiger-kellner.de, 1 +lustigetweets.at, 1 +lustrecloud.art, 1 +lusynth.com, 0 +luteijn.biz, 1 +luteijn.cloud, 1 +luteijn.email, 1 +lutendo.com, 1 +lutesite.tk, 1 +lutherus.tk, 1 +lutify.me, 1 +lutoma.org, 1 +lutricia.tk, 1 +lutruwita.com, 1 +luukaslindsey.tk, 1 +luukdebruincv.nl, 0 +luukklene.nl, 1 +luukuton.fi, 1 +luulosairaus.com, 1 +luuppi.fi, 1 +luv-scent.com, 1 +luv.asn.au, 1 +luv2watchmycam.com, 1 +luvare.com, 1 +luvey.com, 1 +luvmihome.com, 1 +luvscent.com, 1 +lux-house.tk, 1 +luxanos.com, 1 +luxarchive.tk, 1 +luxaterra.com, 1 +luxcaravan.com, 0 +luxcraft.eng.br, 0 +luxden.com, 1 +luxe-in.gr, 1 +luxe.digital, 1 +luxebadkameraccessoires.nl, 1 +luxedentalfl.com, 1 +luxegram.co, 1 +luxehomecompany.com, 1 +luxelyhome.com, 1 +luxemburgsite.tk, 1 +luxeturf.com.au, 1 +luxfosdecoenterprise.com, 1 +luxhair.com.ua, 1 +luxhome.tk, 1 +luxinfine.su, 1 +luxinmo.com, 1 +luxmedia.co.in, 1 +luxonengineering.com, 1 +luxonmx.com, 1 +luxosemimos.com.br, 1 +luxoticlingerieandswimwear.com, 0 +luxplay.com.tw, 1 +luxsat.tk, 1 +luxsci.com, 1 +luxstil.ga, 1 +luxulyanvalley.co.uk, 1 +luxur.is, 1 +luxure.cl, 1 +luxury-tours.in, 1 +luxuryandexecutivetravel.co.uk, 1 +luxurydress.tk, 1 +luxuryfashion.hu, 1 +luxurygifts.tk, 1 +luxuryhome.co.id, 1 +luxuryhomeinfo.tk, 1 +luxuryhomenews.tk, 1 +luxuryhomepro.tk, 1 +luxuryhomerebuild.tk, 1 +luxuryhomeuk.tk, 1 +luxuryhomeusa.tk, 1 +luxuryhous.ru, 1 +luxuryislandtrips.com, 1 +luxurymedina.com, 1 +luxurynsight.net, 0 +luxuryoutbacktours.com.au, 1 +luxuryportal.net, 1 +luxuryspeed.tk, 1 +luxurystays.in, 1 +luxurythatlasts.com, 1 +luxurywatchesworldwide.com, 1 +luxuryweddingsindonesia.com, 1 +luxushair.com, 1 +luxusnivoucher.cz, 1 +luxusnyvoucher.sk, 1 +luxusy.pl, 1 +luxuszugreisen.info, 1 +luxvacuos.net, 1 +luxwatch.com, 1 +luyckx.net, 1 +luyungterd.com, 0 +luzfaltex.com, 1 +luzi-type.ch, 1 +luzica.tk, 1 +lv.lk, 1 +lv.search.yahoo.com, 0 +lv0.it, 0 +lv5.top, 1 +lvcshu.com, 1 +lvdgroup-innov8.com, 1 +lvdr.tech, 1 +lvee.org, 1 +lvfc.co, 1 +lvftw.com, 1 +lvg-heidelberg.info, 1 +lvg.cl, 1 +lvguitars.com, 1 +lvkasz.us, 1 +lvkaszus.pl, 1 +lvlv.cf, 1 +lvm.me, 1 +lvna.capital, 1 +lvnacapital.com, 1 +lvnya.top, 1 +lwb.pt, 1 +lwd-temp.top, 1 +lwems.co.uk, 1 +lwgwiki.com, 1 +lwis.me, 1 +lwisa.ma, 1 +lwl-foej-bewerbung.de, 1 +lwl.moe, 1 +lwnlh.com, 1 +lwqwq.com, 1 +lwsl.ink, 1 +lx-blog.cn, 1 +lx-is.lu, 1 +lxai.net, 1 +lxd.cc, 0 +lxd.tw, 1 +lxiii.eu, 1 +lxiv.eu, 1 +lxn.re, 1 +lxnchan.cn, 1 +lxshowcnc.com, 1 +lxx4380.com, 1 +lxx77.com, 1 +ly-nux.fr, 1 +lyam.fr, 1 +lyanaprintable.com, 1 +lyap-lyandiya.ga, 1 +lyax.be, 1 +lycan.me, 1 +lycaonsec.com, 1 +lychankiet.name.vn, 0 +lycly.me, 1 +lydianibley.com, 1 +lydiawebfans.tk, 1 +lydudlejning.net, 1 +lyfbits.com, 1 +lyfepyle.com, 1 +lyftrideestimate.com, 1 +lyftservice.se, 1 +lyklasmidur.is, 1 +lykope.com, 1 +lyla-pressing.com, 1 +lyme-regis-accommodation.co.uk, 1 +lymia.moe, 1 +lymiahugs.com, 1 +lyna.ml, 1 +lyncag.org, 1 +lyncoin.com, 1 +lyndhurstohio.gov, 1 +lyndo.ga, 1 +lyndontownshipmi.gov, 1 +lynero.dk, 1 +lyness.io, 1 +lyness.uk, 1 +lyngvaer.no, 1 +lynho.com.br, 1 +lynk.hopto.org, 1 +lynkmi.com, 1 +lynnbosten.nl, 1 +lynnco.com, 1 +lynndye.com, 1 +lynnejeancleaning.com, 1 +lynnellneri.com, 1 +lynnesbian.space, 1 +lynnfieldhigh97.com, 1 +lynnfieldma.gov, 1 +lynnlaytonnissanparts.com, 1 +lynnvartan.com, 1 +lynth.io, 1 +lynthium.com, 1 +lynwilliams.com, 1 +lynwoodca.gov, 1 +lynx-webservice.com, 0 +lynx.nl, 1 +lynxbroker.com, 1 +lynxbroker.cz, 1 +lynxbroker.pl, 1 +lynxbroker.sk, 1 +lynxriskmanager.com, 1 +lyodiet.it, 1 +lyon-interactive.com, 1 +lyon-synergie.com, 1 +lyonelkaufmann.ch, 0 +lyonliving.com, 1 +lyonsbytes.com, 1 +lyontwp-higginsmi.gov, 1 +lyradhealth.com, 0 +lyrae.de, 1 +lyrenhex.com, 1 +lyrex.net, 1 +lyric.co.uk, 1 +lyrica.systems, 1 +lyrical-nonsense.com, 1 +lyricfm.ie, 1 +lyricheaven.com, 1 +lyricsbase.com, 1 +lyricsforyou.gq, 1 +lyricsroll.com, 0 +lyricsupdater.tk, 1 +lyriksidan.ga, 1 +lyrique.ch, 1 +lys.ch, 0 +lysander-hans.com, 1 +lyscnd.com, 1 +lysel.net, 1 +lysergion.com, 1 +lysethcreation.com, 1 +lyst.co.uk, 1 +lyteclinic.com, 0 +lyubov-sovmestimost.cf, 1 +lyuda.tk, 1 +lyukaacom.ru, 1 +lyuks-parfyum.tk, 1 +lyuly.com, 1 +lyx.dk, 1 +lyxel-staging.tk, 1 +lz.lv, 1 +lz.sb, 1 +lz233.ac.cn, 1 +lzcreation.com, 1 +lzqii.cn, 1 +lzwc.nl, 1 +lzwwebsite.tk, 1 +lzzr.me, 1 +m-16.ml, 1 +m-22.com, 1 +m-ast.de, 1 +m-beshr.tk, 1 +m-cert.fr, 0 +m-ch.ml, 1 +m-chemical.com.hk, 1 +m-em.co.jp, 1 +m-enterprise.net, 1 +m-epigrafes.gr, 1 +m-exchange.ml, 1 +m-fashion.com.ua, 1 +m-gaming.tk, 1 +m-generator.com, 1 +m-h-b.fr, 1 +m-hydravlika.com.ua, 1 +m-i.si, 1 +m-idea.jp, 1 +m-mail.fr, 1 +m-monitor.pl, 1 +m-mts.ru, 1 +m-nasiri.com, 1 +m-net.de, 1 +m-o-v-i-e.tk, 1 +m-o-x.de, 1 +m-of-love.de, 1 +m-office.pl, 1 +m-producties.nl, 1 +m-ses.fr, 1 +m-team.cc, 1 +m-warrior.tk, 1 +m.ac, 1 +m.facebook.com, 1 +m.mail.ru, 1 +m.me, 1 +m.sb, 1 +m08.co, 1 +m0t0k1ch1.com, 1 +m1-garand-rifle.com, 1 +m132.eu, 1 +m134.eu, 1 +m1d1.black, 1 +m1gun.tk, 1 +m1hax.uk, 1 +m23cal.eu, 1 +m24o.net, 1 +m2designer.com.br, 1 +m2dleadership.com, 1 +m2epro.com, 1 +m2i-api.com, 1 +m2icondb.com, 1 +m2il.co, 1 +m2international.com, 1 +m2jest1c.ml, 1 +m2os.com, 1 +m2tm.fr, 1 +m3-software.com, 1 +m360.com.ph, 1 +m36533.com, 1 +m3ntor.tech, 1 +m3rck.ch, 1 +m42-gmbh.de, 1 +m426.ch, 1 +m4all.gr, 1 +m4g.ru, 1 +m4rcus.de, 1 +m5197.co, 1 +m5industries.com, 1 +m5wl5r.com, 1 +m6729.co, 1 +m6729.com, 0 +m6957.co, 1 +m6pub.fr, 0 +m7rxx.com, 1 +m82365.com, 1 +m8593.com, 1 +m9297.co, 1 +m9728.co, 1 +m9t.ch, 1 +ma-bimbo.com, 1 +ma-canne-a-peche.fr, 1 +ma-decheterie-du-domicile.fr, 1 +ma-eir.nl, 1 +ma-lex.ma, 1 +ma-ligne.co, 1 +ma-paroisse.ch, 1 +ma-queue.com, 1 +ma-subvention-electrique.com, 1 +ma-ze-linux.tk, 1 +ma109.org, 1 +ma110.org, 1 +ma162.org, 1 +ma2t.com, 1 +maa2.com, 1 +maaamet.ee, 0 +maadi.tk, 1 +maafushiscuba.com, 1 +maagdesigns.com.uy, 1 +maahchepen.tk, 1 +maaiai.com, 1 +maailm.tk, 1 +maaldrift.tk, 1 +maaleht.ee, 1 +maaret.de, 1 +maarivpn.com, 1 +maarja.edu.ee, 1 +maartenderaedemaeker.be, 1 +maartenvandekamp.nl, 1 +maasstaddinerexpres.nl, 1 +maat.pt, 1 +maatt.ch, 1 +maatt.fr, 0 +maatwerkopruimcoaching.nl, 1 +maatwerkzorgcoaching.nl, 1 +maavaishnowsewatrust.com, 1 +maaya.jp, 1 +mab.com, 1 +maba.tk, 1 +mabankonline.com, 1 +mabelmartinez.es, 1 +mable.com.au, 1 +mableton.gov, 1 +mabnn.org, 1 +mabnn.ru, 1 +mabnn.spb.ru, 1 +mabra.com, 1 +mabusalah.tk, 1 +mac-i-tea.ch, 0 +mac-iphone.com, 1 +mac-world.pl, 1 +mac.biz.tr, 1 +macabeo.bio, 1 +macallan-tls.com, 1 +macallantls.com, 1 +macangus-wainwright.com, 1 +macaos.com, 1 +macapflag.com, 1 +macappstudio.com, 1 +macappstudiobridge.com, 1 +macappstudioprojects.com, 1 +macaque.io, 0 +macarenagomezfan.tk, 1 +macaroons.tk, 1 +macaroonshindig.tk, 1 +macautocouture.ga, 1 +macautocouture.gq, 1 +macautocouture.ml, 1 +macaw.de, 1 +macaw.lt, 1 +macaw.net, 1 +macaws.org, 1 +macbo.de, 1 +maccabi-dent.com, 1 +macchinetedesche.it, 1 +macdj.tk, 1 +macdonaldplasticsurgery.ca, 1 +macedonian-hotels.com.mk, 1 +macedonian-hotels.mk, 1 +macegroup.com, 1 +macehead.tk, 1 +maceinturecuir.com, 1 +maces-net.de, 1 +macfieclansociety.org, 1 +macgeneral.de, 1 +macgenius.com, 1 +mach-it.com.ar, 1 +mach-it.com.uy, 1 +mach-politik.ch, 1 +mach.com.ar, 1 +macha.cloud, 1 +machaaltricks.tk, 1 +machbach.com, 1 +machbach.net, 0 +machbel.com, 1 +machelpnashville.com, 1 +machiavelli.tk, 1 +machikka.com, 0 +machin.email, 1 +machinatio.ga, 1 +machine.email, 1 +machinebazar.com, 1 +machineidle.com, 1 +machinerysafety101.com, 1 +machineseeker.com, 1 +machineseeker.es, 1 +machinio.com, 1 +machissenefre.ga, 1 +machled.com.ar, 1 +machmit.tk, 1 +machnho.com, 1 +macho-i-botan.tk, 1 +machon.biz, 1 +machosting.jp, 1 +machtweb.de, 1 +machupicchu.tk, 1 +machwasgeil.es, 1 +macil.tech, 1 +macinyasha.net, 1 +macioszektv.eu, 1 +mack-eng.com, 1 +mack.im, 1 +mack.space, 1 +mackanz.tk, 1 +mackenziedatastream.ca, 1 +macker.io, 1 +mackeysack.com, 1 +mackies.ga, 1 +mackinawil.gov, 1 +mackinvia.com, 1 +macksproductions.in, 1 +maclafferty.be, 1 +macleans.ca, 1 +maclemon.at, 1 +macleod.io, 1 +macley.nl, 1 +macmor.com, 1 +macna.com.sa, 1 +macnemo.de, 1 +macnetwork.eu, 0 +macnetwork.fr, 0 +macnetwork.net, 0 +macnews.org, 1 +macnugget.org, 1 +maco.org.uk, 1 +macon.de, 1 +maconcountymo.gov, 1 +maconnerie-dcs.ch, 1 +macosx86.ml, 1 +macoupinvotes.gov, 1 +macpaw.com, 1 +macpress.com.br, 1 +macreosolutions.com, 1 +macroeng.tk, 1 +macroestetica.com, 1 +macrogamer.com, 1 +macropremia.com.ar, 1 +macros.co.jp, 1 +macrosec.tech, 1 +macroseo.tk, 1 +macrotech.tk, 1 +macskorlari.net, 1 +macsoftware.org, 1 +macsonuclari.com.tr, 1 +macsonuclari.mobi, 1 +macstore.pe, 0 +macvcure.com, 1 +macvidcards.eu, 1 +mad-in-love.com, 1 +mad-rabbit.com, 1 +mad.es, 1 +mad2moi.com, 1 +madadmin.com, 1 +madae.nl, 1 +madamasr.com, 1 +madamcougar.com, 1 +madame-kosmetikstudio.de, 1 +madameblueimages.com, 1 +madamegarage.nl, 1 +madamemeringue.nl, 1 +madbicicletas.com, 1 +madbin.com, 1 +madbouncycastles.co.uk, 1 +madcloud.io, 1 +madcosao.gov, 1 +madcs.nl, 0 +maddi.biz, 1 +maddie.gay, 1 +maddin.ga, 1 +made-to-usb.com, 1 +made.md, 1 +made2coach.com, 1 +madebydusk.com, 1 +madebyesmel.com, 1 +madebyhand.art, 1 +madebyshore.com, 1 +madebythijmen.nl, 1 +madecenter.com.br, 1 +madechocolaterie.nl, 1 +madeforelle.shop, 1 +madeglobal.com, 1 +madeinabyss-manga-new.com, 1 +madeinamerica.gov, 1 +madeincana.com, 1 +madeincanarias.net, 1 +madeinchezmoi.net, 0 +madeinsport.com, 1 +madeinua.com, 1 +madeira.link, 1 +madeiraislandnews.com, 1 +madeiranuncios.pt, 1 +madeitstick.com, 1 +madelynn.me, 0 +mademoe.com, 1 +maden.com, 1 +madenco.nl, 1 +mader-logistik.de, 1 +mader.jp, 1 +maderasbrown.com, 1 +madetosave.org, 1 +madewithcollab.com, 1 +madewithopendata.org, 1 +madeyra.com, 1 +madge.tk, 1 +madhawaweb.tk, 1 +madhon.co.uk, 1 +madhon.com, 1 +madhyrecords.com, 1 +madian.tk, 1 +madinahtech360.com, 1 +madinatalzahra.org, 1 +madinatech360.com, 1 +madinina.tk, 1 +madintouch.com, 1 +madison.com, 1 +madisoncountyalema.gov, 1 +madisoncountyhelps.com, 1 +madisoncountyil.gov, 1 +madisoncountyky.gov, 1 +madisoncountyne.gov, 1 +madisonent-facialplasticsurgery.com, 1 +madisonhind.com, 1 +madisonmobilenotary.com, 1 +madisonpressurewashing.com, 1 +madisonprocaccini.tk, 1 +madisonsjewelersorlando.com, 1 +madisonsquarerealestate.com, 1 +madisontwpmi.gov, 1 +madkids.ga, 1 +madknight.tk, 1 +madlandezboard.tk, 1 +madlife.fr, 1 +madluging.tk, 1 +madmasters.tk, 1 +madmaxstore.it, 1 +madmoizelle.com, 1 +madnetwork.org, 1 +madobe.tk, 1 +madokami.net, 1 +madokami.pw, 1 +madonnadellafibra.gq, 1 +madonnamedia.tk, 1 +madorijewelry.com, 1 +madost.one, 1 +madou278.ru, 1 +madprod.tk, 1 +madpsy.uk, 1 +madrakmoadel.ir, 1 +madrasareforms.cf, 1 +madrasareforms.ga, 1 +madrasareforms.ml, 1 +madreacqua.org, 1 +madrecha.com, 0 +madreluna.it, 1 +madresdelacruz.tk, 1 +madrese.tk, 1 +madrespect.com, 1 +madride.tk, 1 +madridistas.com, 1 +madscientistwebdesign.com, 1 +madsihle.com, 1 +madskauts.tk, 1 +madskill.tk, 1 +madskills.tk, 1 +madsklitgaard.dk, 1 +madskristensen.dk, 1 +madspeed-performance.tk, 1 +madsstorm.dk, 0 +madteam.tk, 1 +madtown.tk, 1 +madu369.com, 1 +maduexclusive.com, 1 +maduracion.com, 1 +maduradas.info, 1 +maduradas.net, 1 +madviewer.tk, 1 +madvoxel.com, 1 +madwarlock.com, 1 +mae-berlinistanbul.com, 1 +maedacolo.com.br, 1 +maedchenflohmarkt.at, 1 +maedchenflohmarkt.de, 1 +maeitems.ca, 1 +maeko.fr, 1 +maeliacreation.fr, 1 +maeln.com, 1 +maelstrom-fury.eu, 1 +maelstrom.ninja, 1 +maeprototipi.it, 1 +maersktankers.com, 1 +maerzpa.de, 1 +maestrocabins.co.uk, 1 +maestrocasas.es, 1 +maestrocasas.pt, 1 +maestrocase.it, 1 +maestrochalet.fr, 1 +maestroholzbau.de, 1 +maestrotuinhuizen.nl, 1 +maeterlinck100.be, 1 +maev.si, 1 +maeva-beauty.com, 1 +maeva-beauty.fr, 1 +maeva.com, 1 +maevelyfotografia.com, 1 +maewongaming.tk, 1 +maff.co.uk, 1 +maff.scot, 1 +mafia-web.tk, 1 +mafiaclan.tk, 1 +mafiaclub.ml, 1 +mafiaforum.de, 1 +mafiagames.tk, 1 +mafiamohaa.tk, 1 +mafiasi.de, 1 +mafiatown.pl, 1 +mafondue.ch, 0 +mafworld.com, 1 +mafy.fi, 1 +magaconnection.com, 1 +magadan.ga, 1 +magadan.gq, 1 +magadan.ml, 1 +magaliff.net, 1 +magaria.ml, 1 +magasindejouets.com, 1 +magasinsalledebain.be, 1 +magasinsalledebain.fr, 1 +magasinsalledebains.be, 1 +magasinsalledebains.fr, 1 +magasinsenfrance.com, 1 +magaso.tk, 1 +magaviva.com, 1 +magazilla.ga, 1 +magazin4ik.ga, 1 +magazinecards.ga, 1 +magazinedabeleza.net, 1 +magazinedotreino.com.br, 1 +magazinhaberi.tk, 1 +magazone.cf, 1 +magazone.gq, 1 +magazone.ml, 1 +magazynauto.pl, 1 +magbt.net, 1 +magdahavas.com, 1 +magdakostyra.pl, 1 +magdalena-pulawska.pl, 1 +magdalenabus.tk, 1 +magdalenatransa.tk, 1 +magdeburg.directory, 1 +magdic.eu, 1 +magebit.com, 1 +magebrawl.com, 1 +magel.io, 1 +magellan-met.ru, 1 +magenbrot.net, 0 +magenda.sk, 1 +magenkompass.de, 0 +magentaize.net, 1 +magentazorg.nl, 1 +magento-ecommerce.co.za, 0 +magentodevelopment.co.uk, 1 +magentrix.com, 1 +magenx.com, 1 +magepro.fr, 1 +magescobd.com, 1 +magewell.nl, 1 +maggianos.com, 1 +maggie-shaw.co.uk, 0 +maggie.gy, 1 +maggiemcgee.tk, 1 +maggot.cf, 1 +maggsy.co.uk, 1 +magi-cake.com, 1 +magiamgiashopee.vn, 1 +magiamgiatot.tk, 1 +magic-3dprint.nl, 1 +magic-cakes.nl, 1 +magic-cards.info, 1 +magic-carpetcleaning.co.uk, 1 +magic-cheerleading.tk, 1 +magic-city.quest, 1 +magic-fly.de, 1 +magic-network.tk, 1 +magic-photo-events.fr, 1 +magic5.ro, 1 +magical-secrets.com, 0 +magical.rocks, 1 +magicalcodewit.ch, 1 +magicalvegas.it, 1 +magicalwishes.tk, 1 +magicamulet.me, 1 +magicball.co, 1 +magicball.ga, 1 +magicbar.tk, 1 +magicbeanschool.com, 1 +magicbroccoli.de, 1 +magiccards.info, 1 +magicdesktop.com, 1 +magicdlp.com, 1 +magicdust.com.au, 1 +magicflora.tk, 1 +magiciansofchaos.tk, 1 +magicitaca.com, 0 +magicjudges.org, 1 +magickmale.de, 1 +magiclen.org, 1 +magicline.com, 1 +magiclogix.com, 1 +magicnethosting.com, 1 +magicomotor.com, 1 +magicorama.com, 1 +magicorange.com, 1 +magicpaper.net, 1 +magicpill.com.au, 1 +magicpowertissue.com, 1 +magicsms.pl, 1 +magicspaceninjapirates.de, 1 +magicstay.com, 1 +magictable.com, 1 +magictallguy.tk, 1 +magicthecreation.tk, 1 +magicvalley.com, 1 +magicvaporizers.at, 0 +magicvaporizers.be, 0 +magicvaporizers.co.uk, 0 +magicvaporizers.com, 0 +magicvaporizers.cz, 0 +magicvaporizers.de, 0 +magicvaporizers.dk, 0 +magicvaporizers.ee, 0 +magicvaporizers.es, 0 +magicvaporizers.fi, 0 +magicvaporizers.fr, 0 +magicvaporizers.gr, 0 +magicvaporizers.hr, 0 +magicvaporizers.hu, 0 +magicvaporizers.ie, 0 +magicvaporizers.it, 0 +magicvaporizers.lu, 0 +magicvaporizers.nl, 0 +magicvaporizers.pl, 0 +magicvaporizers.pt, 0 +magicvaporizers.se, 0 +magicvaporizers.si, 0 +magicvaporizers.sk, 0 +magicvodi.at, 1 +magicvoordeel.nl, 1 +magieshop.nl, 1 +magija.ga, 1 +magikbyte.com, 1 +magique.tk, 1 +magiskmanager.com, 1 +magiskzip.com, 1 +magisterjuris.com, 1 +magisternegi.tk, 1 +magliner.com, 1 +magnacarebroker.com, 1 +magnacumlaude.co, 1 +magnamus.it, 1 +magnate.co, 1 +magnatechnology.com, 1 +magneetfolie.nl, 1 +magnes.priv.pl, 1 +magnesium-biomed.ch, 1 +magnesy-neodymowe.com.pl, 1 +magnesy-neodymowe.pl, 1 +magnesy-tanio.net, 1 +magnesy.de, 1 +magnesy.net.pl, 1 +magnesy.priv.pl, 1 +magnet.pub, 1 +magnetar.com, 1 +magnetgaming.com, 1 +magnetic-ink.dk, 1 +magnetic.su, 1 +magneticanvil.com, 1 +magneticarrow.com, 1 +magneticarrowdev.com, 1 +magneticattraction.com.au, 1 +magneticspringsoh.gov, 1 +magnetoai.com, 1 +magnetoscopio.tk, 1 +magnetoterapiapertutti.com, 1 +magnetpass.uk, 1 +magnets.jp, 1 +magnetsdb.com, 1 +magnetto.ga, 1 +magnettracker.com, 1 +magnetvpn.com, 1 +magniezetassocies.fr, 1 +magnifact.com, 1 +magnific.tk, 1 +magniflood.com, 1 +magnit-akciya.tk, 1 +magnitgang.ml, 1 +magnitola.ml, 1 +magnoliadoulas.com, 1 +magnoliastrong.com, 1 +magnoliawi.gov, 1 +magnosautos.ng, 1 +magnumresearch.com, 1 +magnunbaterias.com.br, 1 +magnusdemant.ch, 1 +magnusfulton.com, 1 +magnusj.net, 1 +magnuspro.cz, 1 +magnuspro.sk, 1 +magnuz.tk, 1 +magodasredes.com.br, 1 +magok.ru, 1 +magonote-nk.com, 1 +magornitho.org, 1 +magosmedellin.com, 1 +magraebela.com, 1 +magsdata.com, 1 +magu.kz, 1 +mague.org, 1 +maguire.email, 1 +maguire.tk, 1 +maguroalmare.com.br, 1 +maguspace.com, 0 +maguy-energies.com, 1 +magwin.co.uk, 1 +magyal.hu, 1 +magyarepitok.hu, 1 +mah-nig.ga, 1 +mahabharat.tk, 1 +mahadihasan.cf, 1 +mahadsunnah.com, 1 +mahalaraibanda.ro, 1 +mahali.tk, 1 +mahalux.com, 1 +mahalux.cz, 1 +mahalux.de, 1 +mahalux.eu, 1 +maharishikaa.org, 1 +mahaskacountyia.gov, 1 +mahatenders.gov.in, 1 +mahatmarice.com, 1 +mahatmayoga.org, 1 +mahavirmandirpatna.org, 1 +mahawi.sk, 1 +mahayana.tk, 1 +mahayogam.org, 1 +mahbobmax.tk, 1 +mahboobi.tk, 1 +mahdafweb.tk, 1 +mahealthsurveys.gov, 1 +maherhost.uk, 1 +maheshbabuphotography.tk, 1 +maheshpur.tk, 1 +maheshpurnews24.tk, 1 +maheshwaran.tk, 1 +mahgu.com, 1 +mahi.be, 1 +mahieu-wonen.nl, 1 +mahindrahomefinance.com, 1 +mahirakyildiz.com, 1 +mahjong-navi.com, 1 +mahjong.org, 1 +mahjonggames.tk, 1 +mahjongrush.com, 1 +mahler.io, 1 +mahmalci.net, 1 +mahmoodmehrabi.com, 1 +mahmoodmehrabi.ir, 1 +mahmoudeeb.com, 1 +mahnaz.tk, 1 +mahnwache-luetzerath.org, 1 +mahorka.tk, 1 +mahou-sanmiguel.com, 1 +mahtabichat.ml, 1 +mahtra.edu.ee, 1 +mahurivaishya.co.in, 1 +mahurivaishya.com, 1 +mai.ru, 1 +maiaimobiliare.ro, 1 +maialeechin.com, 1 +maiateam.pt, 1 +maib.tas.gov.au, 1 +maichun.info, 0 +maid.gg, 1 +maid.tk, 1 +maidalawfirm.com, 1 +maidenliput.fi, 1 +maidens.se, 1 +maidenworld.tk, 1 +maidoty.net, 1 +maie.ro, 1 +maiebanatulfruncea.com, 1 +maiet.net, 1 +maigesellschaft-lammersdorf.de, 1 +maijia800.com, 1 +maik-mahlow.de, 1 +maikendener.com, 1 +maikhuong.tk, 1 +maikoloc.com, 1 +mail-de.jp, 1 +mail-delivery.ga, 1 +mail-ink.com, 1 +mail-rotter.de, 1 +mail-routing.net, 1 +mail-settings.google.com, 1 +mail-signatures.com, 1 +mail.ch, 1 +mail.co.uk, 1 +mail.com, 1 +mail.cx, 1 +mail.de, 1 +mail.fr, 1 +mail.google.com, 1 +mail.storage, 1 +mail.td, 1 +mail.tm, 1 +mail.yahoo.com, 0 +mail180.com, 1 +mail4you.in, 1 +mailanyzer.com, 1 +mailbase.cf, 1 +mailbox.mg, 1 +mailbox.org, 1 +mailboy.ml, 1 +mailboy.tk, 1 +mailbywire.com, 1 +mailchaud.com, 1 +mailcubexs.tk, 1 +maildrops.tk, 1 +mailer-olivea.cz, 1 +mailer.me, 1 +mailex.cf, 1 +mailexpresso.tk, 1 +mailexx.ga, 1 +mailexx.gq, 1 +mailexx.ml, 1 +mailfence.com, 1 +mailflank.com, 0 +mailflex.my.id, 1 +mailgenius.com, 1 +mailgun.com, 1 +mailhardener.com, 1 +mailia.me, 1 +mailinabox.email, 1 +mailinabox.ml, 1 +mailinaitor.tk, 1 +mailingproduct.tk, 1 +mailinizer.com, 1 +mailinyzer.com, 1 +mailjet.com, 1 +mailjunkey.tk, 1 +maillotdefoot.tk, 1 +maillotfoot.tk, 1 +mailmaid.de, 1 +mailman.ml, 1 +mailmaster.tk, 1 +mailmerc.com, 1 +mailmum.io, 1 +mailnara.co.kr, 1 +mailnerds.de, 1 +mailomat.swiss, 1 +mailon.ga, 1 +mailosaur.com, 1 +mailpass.ml, 1 +mailplus.com.au, 1 +mailsac.com, 1 +mailsend.ml, 1 +mailstart.ga, 1 +mailstation.de, 1 +mailsupport.cz, 1 +mailtelligent.com, 1 +mailtobiz.tk, 1 +mailtracker.ml, 1 +mailum.org, 0 +mailwala.tk, 1 +mailway.io, 1 +mailxpress.ga, 1 +maimaiyeuem.tk, 1 +maimemostatus.com, 1 +main-bvxea6i-sw23ji6z2nxsu.us-4.platformsh.site, 1 +main-spitze.de, 1 +main1.host, 1 +maindrivekew.com.au, 1 +mainechiro.com, 1 +mainehousing.org, 0 +mainelosap.gov, 1 +mainframeserver.space, 1 +mainhattan-handwerker.de, 1 +mainhuyahan.tk, 1 +mainlined.org, 1 +mainone.net, 1 +mainserver.co.za, 1 +mainstaysafetywedge.com, 1 +mainstortho.com, 1 +maintainyourwebsite.help, 1 +maintenance-traceur-hp.fr, 1 +mainzbiomed.com, 1 +mainzelmaennchen.net, 1 +mainzer-allerlei.de, 1 +maiorapostas.com, 1 +maioresemelhores.com, 1 +mair.best, 1 +mairamerlotto.com.br, 1 +mairangiautomotive.co.nz, 1 +mairie-landry.com, 1 +mairie-sornay.fr, 1 +mairiedakieni.ga, 1 +mairiedemoncelsurseille.com, 1 +maisallianz.com, 1 +maisapanama.com, 1 +maiscuidar.com, 1 +maiscupoes.com, 1 +maisecom.com.br, 1 +maisempregonet.com, 1 +maisgasolina.com, 1 +maisie.nl, 1 +maison-auriat.fr, 1 +maison-coutin.com, 1 +maison-du-mineur.com, 1 +maison-du-savon-de-marseille.fr, 1 +maison-et-domotique.com, 1 +maison-haimard.fr, 1 +maisondelafigue.com, 1 +maisongabrielle.com.br, 1 +maisonkobe.fr, 1 +maisonmere.group, 1 +maisonpourtous.ca, 1 +maisonrouge-musee.fr, 1 +maisonsdenfrance-cls.fr, 1 +maisproduzida.com.br, 1 +maistempo.com.br, 1 +maitemerino.net, 1 +maitheme.com, 1 +maiti.info, 1 +maitlandcashforcars.com.au, 1 +maitrelucas.fr, 1 +maitrise-orthopedique.com, 1 +maitum.de, 1 +maizeks.gov, 1 +maizuru-ongaku-kan.com, 1 +maj.ac, 1 +majahoidja.ee, 1 +majalahka.com, 1 +majalahponsel.org, 1 +majalmirasol.com, 1 +majameer.com, 1 +majasballites.lv, 1 +majavucic.com, 1 +majaweb.cz, 1 +majelisriyadhah.com, 1 +majemedia.com, 1 +majesnix.org, 1 +majestas.tk, 1 +majestic-files.com, 1 +majestic-rp.ru, 1 +majestic.games, 0 +majestio.tk, 1 +majid.info, 1 +majisign.co.uk, 1 +majkassab.com, 1 +majkassab.net, 1 +majkassab.org, 1 +majkl.me, 1 +majkyto.cz, 1 +majlovesreg.one, 1 +majolka.com, 1 +majorcore.com, 1 +majorhifi.com, 1 +majorpaintingco.com, 1 +majorsanat.com, 1 +majusainsurance.com, 1 +makaleci.com, 1 +makalu.me, 1 +makanj.tk, 1 +makaradigital.com, 0 +makariza.com.co, 1 +makasetesan.com, 1 +make-a-difference-daily.com, 1 +make-my-link-longer.ml, 1 +make-my-link-longer.xyz, 1 +make.org, 1 +make50aday.tk, 1 +makeacrowd.eu, 1 +makeagif.com, 1 +makeaoffice.nl, 1 +makechanges.com.au, 1 +makedin.net, 1 +makedonija.net.mk, 1 +makeh2o.com, 1 +makeit-so.de, 0 +makeitpopadvertising.com, 1 +makeitshort.ml, 1 +makeitsimple.pt, 1 +makejusticework.org.uk, 1 +makelindazi.com, 1 +makellos-kosmetik.de, 1 +makemejob.com, 1 +makemillion.tk, 1 +makemoney-plan.tk, 1 +makemoney.ng, 1 +makemusic-asia.com, 1 +makemyassignmentbest.com, 1 +makemynewspaper.com, 1 +makemypost.com, 1 +makenaiyo-fx.com, 1 +makenprint.uk, 1 +makeovershop.ro, 1 +makepro.net, 1 +maker.systems, 1 +maker.to, 0 +makera.ga, 1 +makerdao.com, 1 +makermiles.com, 1 +makermiles.net, 1 +makermiles.org, 1 +makertown.jp, 1 +makesenseofdata.co.uk, 1 +maketheconnection.net, 1 +maketodiet.com, 1 +makeupartistedu.org, 1 +makeupevelinua.cf, 1 +makeupevelinua.ga, 1 +makeupillusion.com, 1 +makeuplove.nl, 1 +makeuppleasure.it, 1 +makeurbiz.com, 1 +makeurl.ml, 1 +makeus.tk, 1 +makewebbetter.com, 1 +makfra.com, 0 +makhmudov.net, 1 +makhzan.org, 1 +maki-chan.de, 1 +maki-it.de, 1 +makilingchallenge.tk, 1 +making-it.nl, 1 +makingbusinessmatter.co.uk, 1 +makingmemoney.cf, 1 +makingmemoney.ga, 1 +makingmemoney.gq, 1 +makingmemoney.ml, 1 +makingmoneyathome.tk, 1 +makingmoves.gq, 1 +makingmusichappen.com, 1 +makkiyaz.tk, 1 +makkusu.photo, 1 +maklerinfo.biz, 1 +makohu.tk, 1 +makomako.tk, 1 +makonet.com.au, 0 +makos.jp, 1 +makowitz.cz, 1 +makrama.shop, 1 +makromedikal.com.tr, 1 +maksa.ga, 1 +maksibetgiris.com, 1 +maksima.kh.ua, 1 +maksimmrvica.tk, 1 +maksimyugai.com, 1 +maksmedia.tk, 1 +maksnet.net, 0 +maksonshop.ga, 1 +maksoud-karim.net, 1 +maksport.ml, 1 +maksutov.tk, 1 +maktoob.search.yahoo.com, 0 +makuisa.fi, 1 +makulatura.cf, 1 +makuonline.tk, 1 +makuquina.tk, 1 +makura.fun, 1 +malabarismo.tk, 1 +malacat.com, 1 +malachiteauth.com, 1 +maladie-autoimmune.fr, 1 +malafidezoeker.nl, 1 +malagabaterias.com, 1 +malagarental.com, 1 +malagarental.es, 1 +malahov.tk, 1 +malamutedoalasca.com.br, 1 +malardalenvvs.se, 1 +malareal.com.br, 1 +malariaadvice.gq, 1 +malariabehaviorsurvey.org, 1 +malash.me, 1 +malatyahaberleri.tk, 1 +malavida.tk, 1 +malavirgen.tk, 1 +malayalamtalkies.tk, 1 +malaysia.cf, 1 +malaysia.search.yahoo.com, 0 +malaysiabrands.com.my, 1 +malaysiainternship.my, 1 +malaysianews.ga, 1 +malaysianews.gq, 1 +malaysianews.ml, 1 +malaysianews.tk, 1 +malaysianhairextensions.tk, 1 +malaysiasentral.com, 1 +malaysiatxt.com, 1 +malaysurveys.com, 1 +malcathatochen.co.il, 1 +malcolmellis.com, 1 +malcolmsterling.com, 1 +malcomterry.com, 1 +maldenvotes.com, 1 +maldives-showing.cf, 1 +maldives-showing.ga, 1 +maldives.cx, 1 +maldivestraveller.mv, 1 +male-cats-spray.ml, 1 +maleaccess.com, 1 +malebooks.ml, 1 +malechastityjournal.com, 1 +malecki.tk, 1 +malecondemusique.fr, 1 +maleevcues.com, 1 +malego.be, 1 +malekperiodontics.com, 1 +malenaamatomd.com, 1 +malenyflorist.com.au, 1 +malermeister-kessler.de, 1 +malermeister-tichnau.de, 1 +malerponge.de, 1 +malesoowki.blog, 1 +malestrippersmanchester.co.uk, 1 +malevus.com, 1 +maleyco.tk, 1 +maleylabapplications.org, 1 +malezan.com, 1 +malflutningsstofan.is, 1 +malfunction.tk, 1 +malhasgusmao.com.br, 1 +maliar.fr, 1 +malibaby.ga, 1 +malibu-electric.com, 1 +malibudread.fr, 1 +malibuexteriorlighting.com, 1 +malibulingerie.com, 1 +malibumodas.com.br, 1 +maliciousdeath.tk, 1 +malicis.com, 0 +malik.holdings, 1 +malik.id, 1 +malikcomputers.tk, 1 +malikdeenarislamicacademy.tk, 1 +maliksofts.com, 1 +malikussa.id, 1 +malikussaid.com, 1 +malimusavirler.tk, 1 +malinaclub.com, 1 +malinheadview.ie, 1 +malinmethod.com, 1 +malisheva-blog.cf, 1 +malisheva-blog.ga, 1 +maliweb.ml, 1 +malkaso.com.ua, 1 +malkingroup.com.au, 1 +malkiteribki.com, 1 +malkoun.com, 1 +malkovich.cf, 1 +malkovich.ga, 1 +mall.cz, 1 +mall.hr, 1 +mall.hu, 1 +mall.pl, 1 +mall.sk, 1 +mallach.net, 1 +mallasvita.com, 1 +malles.org, 1 +mallgastronomico.com.ar, 1 +mallhabana.com, 1 +mallofit.com, 1 +mallonline.com.br, 1 +mallorca.tk, 1 +mallorca2024.com, 1 +mallpass.ga, 1 +malltina.com, 0 +malmyzh.tk, 1 +malone.link, 0 +maloneyja.com, 1 +malorita.tk, 1 +malp.cc, 1 +malphisruul.de, 1 +malscan.com, 0 +malsignature.com, 1 +malta-firma.com, 1 +maltarugs.com, 1 +maltasite.tk, 1 +maltaultrastifo.tk, 1 +maltegegner.de, 0 +malu.style, 1 +malvinas-falklands.tk, 1 +malvy.kiev.ua, 1 +malwar.ee, 1 +malwar.eu, 1 +malware.watch, 1 +malwareincidentresponse.com, 1 +malwareinvestigator.gov, 1 +malwaretips.com, 1 +malwarewise.com, 1 +malwarez.xyz, 1 +malworld.me, 1 +malwr.ee, 1 +malypiesekzuzi.pl, 1 +mamabatataya.com, 1 +mamacasinos.com, 1 +mamacitaz.com, 1 +mamacoolinar.bg, 1 +mamadoma.com.ua, 1 +mamaisonsherby.ca, 1 +mamamoet.ru, 1 +maman-geek.com, 1 +mamanakormit.tk, 1 +mamanecesitaungintonic.com, 1 +mamanetplus.fr, 1 +mamanzari.com, 1 +mamanzaris.com, 1 +mamaplus.net, 1 +mamaruga.com, 1 +mamasorganizedchaos.com, 1 +mamastyle.store, 1 +mamaxi.org, 1 +mamaznaet.ml, 1 +mambas.cn, 1 +mambos.tk, 1 +mamburao.tk, 1 +mame.cl, 1 +mamiechacha.com, 1 +mamijaclean.tk, 1 +mamilitante.fr, 1 +mamilove.com, 1 +mamlaka.ml, 1 +mamlaka.tk, 1 +mammabelly.com.br, 1 +mammaklader.tk, 1 +mammal-taxonomy.tk, 1 +mammals.net, 1 +mammooc.org, 1 +mammothlakesmls.net, 1 +mammothpublishing.org, 1 +mamochka.org.ua, 0 +mamodsteam.tk, 1 +mamohe.de, 1 +mamoni.co, 1 +mamont.cloud, 1 +mamontov.tk, 1 +mamopracuj.pl, 1 +mamoris-net.jp, 1 +mamospienas.lt, 1 +mamot.fr, 1 +mamradost.sk, 1 +mamsds.com, 1 +mamtapark.tk, 1 +mamuko.nl, 1 +mamunlyric.tk, 1 +man-man.nl, 1 +man-stuff.co.uk, 1 +man3s.jp, 0 +mana.ee, 1 +mana.wiki, 1 +manab-it.com, 1 +manach.net, 1 +manaenergija.lv, 1 +manage.cm, 1 +manage.com, 0 +manageairlinesbooking.com, 1 +manageathome.co.uk, 1 +managed-it.africa, 1 +managed-it.co.za, 1 +managedcontractors.co.uk, 1 +managedhosting.de, 0 +managedserver.it, 1 +managedservicesraleighnc.com, 1 +managedwphosting.nl, 1 +managefile.tk, 1 +managefuhui.com, 1 +management-companie.ro, 1 +managementboek.nl, 1 +managementforstartups.com, 0 +manageprefs.com, 1 +manageprojects.com, 0 +manager.linode.com, 0 +managment.io, 1 +manalu.cz, 1 +manaonetrading.com, 1 +manasakcijas.lv, 1 +manaspaul.tk, 1 +manateepao.gov, 1 +manatees.com.au, 1 +manatees.net, 1 +manausagil.com, 1 +manavgabhawala.com, 1 +manawa.tech, 1 +manawill.jp, 1 +manawithtea.com, 1 +manbetx1998.live, 1 +manboy.tk, 1 +mancaverevolution.com, 1 +manchester.careers, 1 +manchesterairportparking24.co.uk, 1 +manchestermn.gov, 1 +manchestermoneyman.com, 1 +manchestertechservices.co.uk, 1 +manchesterwi.gov, 1 +manchopancho.de, 1 +mancrates.com, 1 +mandala-ausmalbilder.de, 1 +mandala-book.tk, 1 +mandalayogaspa.com, 1 +mandanudes.ae, 1 +mandaraequestrian.com, 1 +mandarinplay.tk, 1 +mandatkollen.se, 1 +mandaz.eu, 1 +mandcbouncycastlehire.co.uk, 1 +mandediary.com, 1 +mandefender.tk, 1 +mandela-effect-wiki.tk, 1 +mandelaeffect.tk, 1 +manderstam.com, 1 +mandiblackburnphoto.com, 1 +mandospersonalizados.es, 1 +manducoshop.com, 1 +mandynamic.gr, 1 +manegehenriet.tk, 1 +manegestalflicka.tk, 1 +maneggio.milano.it, 1 +manekin.cf, 1 +manekin.ga, 1 +manekin.gq, 1 +manekin.ml, 1 +manelbenlloch.com, 1 +manelli.fr, 1 +maneql.co.jp, 1 +maneql.info, 1 +manero.de, 1 +manesht.ir, 1 +manfiction.com, 1 +manforums.com, 1 +manfred-feiger.com, 1 +manfred-kostner.tk, 1 +manfredgruber.at, 1 +manfredi.io, 1 +manfredimatteo.com, 1 +manfredschafer.ch, 1 +manfree.tk, 1 +manga-life.info, 1 +manga-passion.de, 1 +manga-republic.com, 1 +manga.ax, 1 +manga1000.top, 1 +manga1001.top, 1 +manga168.com, 1 +mangabond.tk, 1 +mangaboxes.ml, 1 +mangacat.ga, 1 +mangadex.org, 1 +mangaesp.tk, 1 +mangafreak.tk, 1 +mangagaga.tk, 1 +mangahigh.com, 1 +mangajp.top, 0 +mangakita.net, 1 +manganimefan.tk, 1 +mangapoi.com, 1 +mangareactor.tk, 1 +mangas.eu.org, 1 +mangatafestas.com.br, 1 +mangaworld.gq, 1 +mangeur-de-cigogne.tk, 1 +mangfoldimai.no, 1 +mangga.cloud, 1 +mangio.co.uk, 1 +mangnhuapvc.com.vn, 1 +mango-zajm.gq, 1 +mango888.com, 1 +mangoservers.tk, 1 +mangotwoke.co.uk, 1 +manguyen.de, 0 +manhack.net, 1 +manhassetparkdistrictny.gov, 1 +manhattan.at, 1 +manhattanchoralensemble.org, 1 +manhattanda.org, 1 +manhattandermatologistsnyc.com, 1 +manhattanfruitier.com, 1 +manhattanks.gov, 1 +manhattanlife.com, 1 +manhuagui.com, 1 +manhwasco.net, 1 +mani.tw, 1 +maniacoland.com, 1 +maniadicane.com.br, 0 +maniaiti.nz, 1 +manial4d2.ml, 1 +maniasoft.pl, 1 +maniazul.tk, 1 +manicbouncycastles.co.uk, 1 +manicminers.tk, 1 +manicode.com, 1 +manicur-salon.tk, 1 +manicuradegel.es, 1 +manif-est.info, 1 +manikinuk.tk, 1 +manilacrawl.com, 1 +maniorpedi.com, 1 +maniosglass.gr, 1 +manipil.ch, 0 +manipurmatka.net, 1 +manisahaberleri.tk, 1 +manitaggarwal.com, 0 +manito.kr, 1 +manitoulinairport.ca, 1 +manitoulinairport.com, 1 +manitoulinglobalforwarding.ca, 1 +manitoulinglobalforwarding.co, 1 +manitoulinglobalforwarding.com, 1 +manitoulinglobalforwarding.mx, 1 +manitoulingolf.com, 1 +manitoulingroup.ca, 1 +manitoulingroup.co, 1 +manitoulingroup.com, 1 +manitoulinheavyhaul.ca, 1 +manitoulinheavyhaul.com, 1 +manitoulinlogistics.ca, 1 +manitoulinlogistics.com, 1 +manitoulintransport.ca, 1 +manitoulintransport.co, 1 +manitoulintransport.com, 1 +manitoulintransport.info, 1 +manitoulintransport.net, 1 +manitoulinusedequipment.ca, 1 +manitoulinusedequipment.com, 1 +manitoulinwarehousing.com, 1 +manitouspringsco.gov, 1 +manitowoccountywi.gov, 1 +manitowocwi.gov, 1 +manja-und-martin.de, 1 +manjalcouture.com, 1 +manjaro.ru, 1 +mankier.com, 1 +mankomarketing.com, 1 +manku.pl, 1 +manmatters.com, 1 +mann-und-maeuse.de, 1 +mannaelectric.com, 0 +mannafields.org, 1 +mannat-hallmumbra.com, 1 +manneguiden.no, 1 +mannenzang.tk, 1 +mannhaarkunst.com, 1 +mannheimbloggt.tk, 1 +mannigroup.com, 1 +manningtreetilesandflooring.co.uk, 1 +mannnen.nl, 1 +mannservrice.cf, 1 +manoek.dynu.net, 1 +manofmany.com, 1 +manofmanythings.com, 1 +manogara.tk, 1 +manoha-proservices.fr, 1 +manoila.co.uk, 1 +manoirdecontres.com, 1 +manojsharan.me, 1 +manolitodarts.tk, 1 +manologaribay.tk, 1 +manonandre-avocat.fr, 1 +manoro.de, 1 +manortx.gov, 1 +manova.cz, 1 +manowarus.com, 1 +manporn.xxx, 1 +manpro.systems, 1 +manrollo.com, 1 +mansarda-life.net, 1 +mansdell.net, 1 +mansfeld.pl, 1 +manshamita.com, 1 +manshatech.com, 1 +mansikka-sachi.com, 1 +mansionflip.com, 1 +manski.net, 1 +mansle.fr, 1 +mansoorkhan.tk, 1 +mansora.co, 1 +mansora.io, 1 +mansora.net, 1 +mansour.io, 1 +mansurov.tk, 1 +mantachiepharmacy.com, 1 +mantalak.com, 1 +mantaoilco.com, 1 +mantaro.site, 1 +manteca.gov, 1 +manteligencia.com, 1 +mantelligence.com, 1 +mantenimiento-zaragoza.com, 1 +mantenimientoimpresoras.com, 1 +mantenimientosenjardineriaypiscinasveracruz.com, 1 +mantex.ml, 1 +manti.by, 1 +mantor.org, 0 +mantra.pictures, 1 +mantraptownshipmn.gov, 1 +mantul.top, 0 +manual-directory.com, 1 +manual-pdf.com, 1 +manualdousuario.net, 0 +manuall.ae, 1 +manuall.co.uk, 1 +manuall.cz, 1 +manuall.de, 1 +manuall.dk, 1 +manuall.es, 1 +manuall.fi, 1 +manuall.fr, 1 +manuall.hu, 1 +manuall.info.tr, 1 +manuall.it, 1 +manuall.jp, 1 +manuall.kr, 1 +manuall.no, 1 +manuall.pl, 1 +manuall.pt, 1 +manuall.ro, 1 +manuall.se, 1 +manuall.sk, 1 +manualowl.com, 1 +manualscollection.com, 1 +manualsnet.com, 1 +manuel-herrmann.de, 1 +manuel-schefczyk.de, 1 +manuel7espejo.com, 1 +manuelahidalgo.org, 1 +manuelboelstler.tk, 1 +manuelcancelas.com, 1 +manueldelgadohomes.com, 1 +manueldossantos.tk, 1 +manuelefior.tk, 1 +manuelefysiotherapeut.nl, 1 +manueljirado.tk, 1 +manuelosorio.me, 1 +manuelperujo.ch, 1 +manuelraimo.cf, 1 +manuelrueger.de, 1 +manufacturedhomemoving.com, 1 +manufacturing.gov, 1 +manufacturingsupportgroup.co.uk, 1 +manufacturingusa.com, 1 +manulife.ca, 1 +manulization.com, 1 +manulization.ru, 1 +manumagnum.com, 1 +manuscript.com, 1 +manuscripteditorial.com, 1 +manuscriptlink.com, 1 +manusiasosial.tk, 1 +manusje-van-alles.nl, 1 +manutenzionecaldaie.it, 1 +manutenzionegiardini.it, 1 +manutenzionestabili.it, 1 +manuth.life, 1 +manutouch.com.cn, 1 +manwork.tk, 1 +manwv.gov, 1 +manychat.com, 1 +manyebook.com, 1 +manyetikboya.com, 1 +manyhotfiesta.ml, 1 +manylots.ru, 1 +manyo.jp, 1 +manypets.com, 1 +manyproservices.com, 1 +manytricks.com, 1 +manytubes.ga, 1 +manyzero.ml, 1 +manzanagroup.ru, 1 +manzanita-nsn.gov, 1 +maomihz.com, 1 +maone.net, 1 +maorilandfilm.co.nz, 1 +maorx.cn, 1 +maoshuai.bid, 1 +maoshuai.cc, 1 +maoshuai.club, 1 +maoshuai.cn, 0 +maoshuai.co, 1 +maoshuai.cx, 1 +maoshuai.fun, 1 +maoshuai.hk, 1 +maoshuai.in, 1 +maoshuai.ltd, 1 +maoshuai.me, 1 +maoshuai.net, 1 +maoshuai.online, 1 +maoshuai.org, 1 +maoshuai.pw, 1 +maoshuai.ren, 1 +maoshuai.site, 1 +maoshuai.store, 1 +maoshuai.tw, 1 +maoshuai.vip, 1 +maoshuai.wang, 1 +maoshuai.win, 1 +maoshuai.xyz, 1 +maowtm.org, 1 +maozedong.red, 1 +map-immo.fr, 1 +map.fund, 1 +map4erfurt.de, 1 +map4jena.de, 1 +mapa-airsoft-akci.cz, 1 +mapapeterie.ca, 1 +mapasmundi.com.br, 1 +mapausenaturelle.fr, 1 +mapblender.com, 1 +mapchange.org, 1 +mapduce.com, 1 +mapdump.com, 1 +mapi.eu.org, 1 +mapillary.com, 1 +maplebgm.cc, 1 +maplegrove.cf, 1 +maplegrovetownshipmi.gov, 1 +mapleholland.tk, 1 +maplehome.tk, 1 +maplehousehomeinvestors.com, 1 +maples.com, 1 +mapletime.com, 1 +mapletokyo.top, 1 +mapletonmn.gov, 1 +maplevalleytwpmi.gov, 1 +maplewood.tk, 1 +maplewoodnj.gov, 1 +mappingfutures.org, 1 +mappingspaceperu.com, 1 +mapresidentielle.fr, 1 +mapsindoors.com, 1 +mapsly.com, 1 +mapstack.org, 1 +maptician.com, 1 +mapuut.net, 1 +maqs.tk, 1 +maquena.org, 1 +maquetasdeaviones.tk, 1 +maquetting.com, 1 +maquiguarda.pt, 1 +maquinariahosteleriaocasion.com, 1 +maquinariaspesadas.org, 0 +maquinasperfectas.tk, 1 +maquinasquepiensan.tk, 1 +mar-eco.no, 1 +mar.pt, 1 +mara.paris, 1 +marabook.fr, 1 +marabumadrid.com, 1 +maracarlinicourses.com, 1 +maracit.tk, 1 +maraichere-gourmande.org, 1 +marajo.ml, 1 +marajo.tk, 1 +marakovits.net, 1 +maralclock.ir, 1 +maranathacarechildren.com, 1 +maranightmare.net, 1 +maransurology.com, 1 +maranza.org, 1 +marasma.tk, 1 +marathoncitywi.gov, 1 +marathons.tk, 1 +marauderos.tk, 1 +marazul.tk, 1 +marbellaoptic.ro, 1 +marbermedical.com, 1 +marble.com, 1 +marbleceramiccorp.com.au, 1 +marbleme.jp, 1 +marblenexus.de, 1 +marbogardenlidkoping.se, 1 +marbree.eu, 1 +marc-beninca.fr, 1 +marc-hammer.de, 1 +marc-hoffrichter.de, 1 +marc-schlagenhauf.de, 0 +marc.info, 1 +marcago.com, 1 +marcaixala.me, 1 +marcapollo.ml, 1 +marcbeije.com, 1 +marcberndtgen.de, 1 +marcceleiro.com, 1 +marcdietschi.com, 1 +marcel-preuss.de, 1 +marcel-waldvogel.ch, 1 +marcelabarrozo.tk, 1 +marcelheemels.org, 1 +marcelino.cf, 1 +marcelinofranchini.com, 1 +marcelinofranchini.eu, 1 +marcelinofranchini.info, 1 +marcelinofranchini.net, 1 +marcelinofranchini.org, 1 +marcelkooiman.com, 1 +marcell-jansen.tk, 1 +marcelmarnitz.com, 1 +marcelofernandez.tk, 1 +marcelois.me, 1 +marcelovasconcelos.com.br, 1 +marcelpreuss.de, 1 +marcelsiegert.com, 1 +marcelwaldvogel.ch, 1 +marcelwiedemeier.com, 1 +marcelwolf.coach, 1 +marcenariaembh.com.br, 1 +marcgoertz.de, 1 +march-consulting.jp, 1 +marcha.org.ar, 1 +marchagen.nl, 1 +marchellenevers.tk, 1 +marchenzen.nl, 1 +marchesini.com, 1 +marchesini.com.ua, 1 +marcheuparis.com, 1 +marchhappy.tech, 0 +marchinghatters.tk, 1 +marchingnorth.com, 1 +marchoffrichter.de, 1 +marchouben.nl, 1 +marchqualitymeats.com, 1 +marchukov.com, 1 +marcianoandtopazio.com, 1 +marcillacetfils.fr, 1 +marclange.net, 1 +marco-burmeister.de, 1 +marco-hegenberg.net, 1 +marco-reitmeier.de, 1 +marco-s.net, 1 +marcoaurelio.tk, 1 +marcocasoni.com, 1 +marcoececilia.it, 1 +marcoherten.com, 1 +marcoklomp.nl, 1 +marcolattanzio.tk, 1 +marcopiottante.tk, 1 +marcopolo-restaurant.com, 1 +marcoreitmeier.de, 1 +marcorubiol.com, 1 +marcositaliandeli.co.uk, 0 +marcossan.com, 1 +marcosteixeira.tk, 1 +marcotolk.com, 1 +marcovery.com, 1 +marcretzlaff.com, 1 +marcschlagenhauf.de, 0 +marcsello.com, 1 +marcsferraripage.tk, 1 +marcus-scheffler.com, 1 +marcus.pw, 0 +marcusburghardt.tk, 1 +marcusds.ca, 1 +marcuskoh.com, 1 +marcusporter.tk, 1 +marcusquinn.com, 1 +marcusstafford.com, 1 +marcypro.com, 1 +marczocher.de, 1 +mardelcupon.com, 1 +mardigrasnapkins.com, 1 +mardinhaberleri.tk, 1 +mardinsondakika.tk, 1 +mare-sylt.de, 1 +mare.org.mk, 1 +mare92.cz, 1 +marebca.xyz, 1 +marechal-company.com, 1 +mareforfa.com, 1 +maregionsud.fr, 1 +marei.ad, 1 +mareinitalia.com, 1 +marekkohn.tk, 1 +marekkorlak.com, 1 +mareklecian.cz, 1 +marelijah.org, 1 +marengomi.gov, 1 +maresencial.com, 1 +maresimone.com, 1 +marex.host, 1 +marfadelivery.tk, 1 +marga-marga.tk, 1 +margagriesser.de, 1 +margan.ch, 1 +margaret.land, 1 +margaretgel.com, 1 +margaridamendessilva.com, 1 +margaritafries.com, 1 +margatroid.com, 1 +margaux-perrin.com, 1 +margauxnennig.com, 1 +margays.de, 1 +margeriam.com, 1 +margherita.cl, 1 +margintoniks.fr, 1 +margo-co.ch, 0 +margo.ml, 1 +margolcia.com.pl, 1 +margolis.gq, 1 +margotbworldnews.tk, 1 +margotdesign.ovh, 1 +margots.biz, 1 +margots.tech, 1 +margriet.nl, 1 +margus.uk, 0 +marhamat.cf, 1 +marhobateren.tk, 1 +mari-ie.ro, 1 +maria-blanco.tk, 1 +maria-kirilenko.tk, 1 +maria-sharapova.tk, 1 +mariaalcazar.com, 1 +mariaangelamacario.com, 1 +mariadelcastillo.com, 1 +mariaelisaejunior.ga, 1 +mariafernanda.com.br, 1 +mariage-protestant.ch, 0 +mariage-reussi.fr, 1 +mariagealamontagne.com, 1 +mariages.net, 1 +mariahandnasty.com, 1 +mariahcareyvenezuela.tk, 1 +mariaisabel.tk, 1 +marialopez.tk, 1 +mariamenounos.tk, 1 +mariamia.org, 1 +mariamindbodyhealth.com, 1 +marianatherapy.com, 1 +marianelaisashi.com, 1 +marianhoenscheid.de, 1 +mariannethijssen.nl, 1 +marianneveenstra.tk, 1 +marianrivera.tk, 1 +mariansalzman.com, 1 +mariapanina.ru, 1 +mariapietropola.com, 1 +mariart.studio, 1 +mariasavchenko.com, 1 +mariasemarias.com.br, 1 +mariaterbildt.tk, 1 +mariavilleme.gov, 1 +mariberceritera.online, 1 +marie-pettenbeck-schule.de, 1 +marie-psy.fr, 1 +marie.club, 1 +mariealber.cz, 1 +mariearthur.fr, 1 +mariecurie.tk, 1 +mariejulien.com, 1 +mariella-sun.net, 1 +marielouise.tk, 1 +mariemccaig.co.uk, 1 +mariemiramont.fr, 1 +mariereichl.cz, 1 +mariescountymo.gov, 1 +marieskyler.net, 1 +marietrap.ch, 0 +marifilmines.com, 1 +marijang.id, 1 +marijuanajobscannabiscareers.com, 1 +marik.net.br, 1 +marikafranke.de, 1 +marikekinze.de, 1 +marillatownshipmi.gov, 1 +marilower.tk, 1 +marilsnijders.nl, 1 +marilynandsarah.org, 1 +marilynmonroy.com.ec, 1 +marin-dom.ru, 0 +marin-tullet.com, 0 +marina-group.tk, 1 +marina-tsvetaeva.ml, 1 +marinaborregoterapeuta.pt, 1 +marinadarje.com, 1 +marinamontana.net, 1 +marinapetruzio.it, 1 +marinapozzoli.tk, 1 +marinaquip.com, 1 +marinarinaldi.ml, 1 +marinasmad.com, 1 +marinat.de, 1 +marinat2012.de, 1 +marinazarza.es, 1 +marine.gov, 1 +marinecadastre.gov, 1 +marinedesign.tk, 1 +marineecologyfiji.com, 1 +marinekaplama.com, 1 +marinela.tk, 1 +marinelausa.com, 0 +marinella.tk, 1 +marinershousecalstock.com, 1 +marinettecountywi.gov, 1 +marinettewi.gov, 1 +mario-ancic.tk, 1 +mario-sarto.com, 1 +mario.com.ua, 1 +mario420.ga, 1 +marioabela.com, 1 +marioberluchi.by, 0 +mariogarcia.tk, 1 +mariogeckler.de, 0 +marioncounty911illinois.gov, 1 +marioncountyar.gov, 1 +marioncountyil.gov, 1 +marioncountyiowa.gov, 1 +marioncountyms.gov, 1 +marioncountyohio.gov, 1 +marioncountysheriffar.gov, 1 +marioncountytn.gov, 1 +marionflclerk.gov, 1 +mariontwpcvxmi.gov, 1 +marioserver.ml, 1 +mariospizzaoxford.co.uk, 1 +mariouniversalis.fr, 1 +mariowiki.com, 1 +mariposah.ch, 1 +marisamorby.com, 0 +marisasitaliankitchen.com, 1 +mariskavankasbergen.nl, 1 +mariskax.net, 1 +marismenos.tk, 1 +maritiemshertogenbosch.nl, 1 +maritime-mea.com, 1 +maritimehistory.org.uk, 1 +maritimeinstitute.sg, 1 +maritlarsen.ml, 1 +maritlarsen.tk, 1 +marius-schmalz.de, 1 +mariusschulz.com, 1 +marix.ro, 1 +marizaikonomi.tk, 1 +marj3.com, 1 +marjadeleeuw.nl, 1 +marjanne.tk, 1 +marjeta-gurtner.ch, 1 +marjoleindens.be, 1 +marjon.photography, 1 +marjonruns.nl, 1 +marjorie-wiki.de, 1 +marjoriebarretto.tk, 1 +marjoriecarvalho.com.br, 1 +mark-a-hydrant.com, 1 +mark-armstrong-gaming.com, 1 +mark-dietzer.de, 1 +mark-semmler.de, 1 +mark1998.com, 1 +markandrosalind.co.uk, 1 +markantalyamasajsalonu-bayanmasoz-cim.cf, 1 +markco.fi, 1 +markdain.net, 1 +markdixon.name, 1 +markecubanos.com, 1 +markedplassen.no, 1 +markellos-olive.gr, 1 +markenet.co, 1 +markentier.tech, 1 +market-garden.tk, 1 +market.android.com, 1 +marketadvisory.com.au, 0 +marketbasket.tk, 1 +marketcavalli.it, 1 +marketcrypto.id, 1 +marketerprofesional.com, 0 +marketespace.fr, 0 +marketfeed.news, 1 +marketforce.com, 1 +marketgarden.tk, 1 +marketgrid.ml, 1 +marketgrid.tk, 1 +marketia.ml, 1 +marketing-advertising.eu, 1 +marketing-schools.org, 1 +marketing1-0-1.com, 1 +marketing4trends.com, 1 +marketinganalytics.africa, 1 +marketingautomationplan.nl, 1 +marketingbab.com, 1 +marketingbrandingnews.com, 1 +marketingbrandingnews.net, 1 +marketingcareeredu.org, 1 +marketingco.nl, 1 +marketingconcafe.com, 1 +marketingdesignu.cz, 1 +marketingdigitalefisiente.com, 1 +marketingdominante.com.br, 1 +marketingforfood.com, 1 +marketingmd.com, 1 +marketingpalace.tk, 1 +marketingstrategy.gq, 1 +marketingtrendnews.com, 1 +marketingtutor.net, 1 +marketingwelt-lipp.de, 1 +marketingypublicidaddigital.com.mx, 1 +marketio.ai, 1 +marketizare.ro, 1 +marketking.ga, 1 +marketmotion.com.au, 1 +marketnews.com, 1 +marketone.com, 1 +marketplace.org, 1 +marketplace.tf, 1 +marketplacetue.nl, 1 +marketresearch.biz, 1 +marketsearch.ga, 1 +marketsnerd.com, 1 +marketsosyali.tk, 1 +markettailor.io, 0 +marketvalue.gq, 1 +marketvolume.com, 1 +marketyourcup.com, 1 +markfietje.eu, 1 +markfisher.photo, 1 +markhaehnel.de, 1 +markhedrick.com, 1 +markholden.guru, 1 +markhoodauthor.com, 1 +markhoodbooks.com, 1 +markhoodphoto.com, 1 +markhoodwrites.com, 1 +markhornsby.co.uk, 1 +markhornsby.uk, 1 +markido.com, 1 +markisa.ninja, 1 +markitanova-anna.tk, 1 +markitee.com, 0 +markitzeroday.com, 1 +markjansen.tk, 1 +markkirkforillinois.com, 1 +markkirkforsenate.com, 1 +markkusilvennoinen.fi, 1 +marklehane.com, 1 +markllego.com, 1 +markmet.fi, 1 +markmetcalfe.io, 1 +markmorris.com.au, 1 +markocloud.com, 1 +markoglou.com.gr, 1 +markoh.co.uk, 1 +markprof.ru, 1 +markpulido.net, 1 +markri.nl, 1 +markridgwell.co.uk, 1 +markridgwell.com, 1 +marks.sa, 1 +marksa.net, 1 +markshroyer.com, 1 +marksm.it, 1 +marksmanhomes.com, 1 +marksouthall.com, 1 +markstevenkirk.com, 1 +markstickley.co.uk, 1 +markt-heiligenstadt.de, 0 +markt8asten.nl, 1 +marktcontact.com, 1 +markterweele.nl, 1 +marktgemeinde-glonn.de, 1 +marktgorman.com, 1 +marktguru.at, 1 +marktguru.de, 1 +markthisforme.com, 1 +markup-ua.com, 1 +markus-blog.de, 1 +markus-enzweiler.de, 1 +markus-keppeler.de, 1 +markus-musiker.de, 1 +markus-ullmann.de, 1 +markus289.com, 1 +markusabraham.com, 1 +markusehrlicher.de, 1 +markusgran.de, 1 +markushof.it, 1 +markusjanzen.de, 1 +markuskeppeler.de, 1 +markuskeppeler.no-ip.biz, 1 +markuslintula.fi, 1 +markusmani.tk, 1 +markusribs.com, 1 +markusritzmann.ch, 0 +markusueberallassetmanagement.de, 1 +markusueberallconsulting.de, 1 +markusweimar.de, 1 +markuswirnsperger.com, 1 +marlboroughchamber.nz, 1 +marlboroughfarmersmarket.tk, 1 +marlen.cz, 1 +marlenefavela.tk, 1 +marlenekrasa.com, 1 +marliesfens.nl, 1 +marliesslomp.nl, 1 +marlonbellmann.de, 1 +marlonbellmann.eu, 1 +marlosoft.net, 1 +marmaluot.com, 1 +marmarahaberleri.tk, 1 +marmarahastanesi.com.tr, 1 +marmelab.com, 1 +marmelo.digital, 1 +marmista.roma.it, 1 +marmitethegreyhound.com, 1 +marmo.gallery, 1 +marmo.tk, 1 +marmotte.love, 1 +marmurmedical.com, 1 +marny.eu, 1 +marocmail.ma, 1 +marocnews.tk, 1 +marocweb.tk, 1 +maroebeni.tk, 1 +marolu.one, 1 +maroochydorecentre.com, 1 +maroochydorecitycenter.com, 1 +maroochydorecitycenter.com.au, 1 +maroochydorecitycentre.com, 1 +maroochydorecitycentre.com.au, 1 +maroochydorecitycentre.net.au, 1 +maroquineriepirlot.be, 0 +maroshionline.tk, 1 +maroussia.tk, 1 +marouviere.fr, 1 +marpa-wohnen.de, 1 +marplo.net, 1 +marqperso.ch, 1 +marqueandbrew.com, 1 +marqued.com, 1 +marquepersonnelle.ch, 1 +marqueswines.co.uk, 1 +marquimanagement.com, 1 +marquisepools.com, 1 +marrai.de, 1 +marrakech-camel-trips.com, 1 +marrakech-tours-in-morocco.com, 1 +marrakechairporttransfer.com, 1 +marrakechauxiliaire.com, 1 +marrakeche.com, 1 +marrakechtriptours.com, 1 +marredesefairebaladersurlenet.com, 1 +marretada.org, 1 +marriage-shrine.jp, 1 +marriageinchrist.com, 1 +marrickvilleapartments.com.au, 1 +marronniergate.com, 0 +marropax.com, 1 +marryfox.net, 1 +mars-infos.org, 1 +mars.army, 1 +mars.navy, 1 +marsafc.tk, 1 +marsanvet.com, 1 +marsatapp.com, 1 +marshaiargentina.com, 1 +marshall-allman.tk, 1 +marshallcoms.gov, 1 +marshallcountyillinois.gov, 1 +marshallcountywv.gov, 1 +marshallruskwi.gov, 1 +marshallscastles.com, 1 +marshallsheriffms.gov, 1 +marshallwilson.com, 1 +marshfieldvillagevt.gov, 1 +marshfieldvt.gov, 1 +marshmallow.co, 1 +marshmallow.com, 1 +marshmallowchallenge.com, 1 +marshop.tk, 1 +marsicano.tk, 1 +marsikelektro.cz, 1 +marsilioblack.tk, 1 +marsmediavideo.com, 1 +marta-chat.ga, 1 +marta.uz, 0 +martacooks.com, 1 +martapratsmakeup.com, 1 +martasibaja.com, 1 +martastandzoninteriors.com, 1 +martastroll.com, 1 +martdev.com, 1 +martec.dk, 1 +martel-innovate.com, 0 +martelange.ovh, 1 +martelliyaqub.co.nz, 1 +martellosecurity.com, 1 +martemeo-wetterau.de, 1 +martensson.io, 1 +martesanamilano.com, 1 +marthakenney.com, 1 +marthas.sale, 1 +marthasvillemo.gov, 1 +marti201.ga, 1 +martial-arts.tk, 1 +martialarts-wels.at, 1 +martialartsbrownsplains.ga, 1 +martialgym.tk, 1 +martian.community, 1 +martian.tk, 1 +martide.com, 1 +martijnschreuders.tk, 1 +martijnvanderzande.nl, 1 +martijnvdputten.tk, 1 +martin-burger.net, 1 +martin-caslavsky.tk, 1 +martin-loewer.de, 1 +martin-mattel.com, 1 +martin-prell.de, 1 +martin-smith.info, 1 +martin-weil.de, 1 +martin.vet, 0 +martinaachen.tk, 1 +martinalonsovega.tk, 1 +martinarnold.co.uk, 1 +martinassurfdepot.tk, 1 +martinbaileyphotography.com, 0 +martinbiely.com, 1 +martinboerhof.nl, 1 +martincernac.cz, 1 +martincornelissen.tk, 1 +martindales.ltd.uk, 1 +martine.nu, 1 +martinebot.com, 1 +martinelias.cz, 1 +martineric.tk, 1 +martineve.com, 0 +martinfresow.de, 1 +martinhal.cn, 1 +martinhal.com, 1 +martinhalfamilyblog.com, 1 +martinhalholiday.com, 1 +martinhalliving.com, 1 +martinhalpropertysales.com, 1 +martinhalresidences.com, 1 +martinhaunschmid.com, 0 +martinho.tk, 1 +martinishotpodcast.com, 1 +martinkunc.tk, 1 +martinkus.eu, 1 +martinlukes.cz, 1 +martinmawbycurtaintracks.co.uk, 1 +martinmaze.com, 1 +martinmuc.de, 1 +martino.ga, 1 +martinploug.dk, 1 +martinpohl.cz, 0 +martinreed.net, 1 +martins.im, 1 +martinschulze.org, 1 +martinschurdak.tk, 1 +martinsferryoh.gov, 1 +martinsouza.net, 1 +martinstepar.cz, 1 +martinsvillebulletin.com, 1 +martinus.cafe, 1 +martinverkerkonline.tk, 1 +martinvillalba.com, 1 +martinvillalba.com.ar, 1 +martinvillalba.info, 1 +martinvillalba.net, 1 +martinvillalba.org, 1 +martinvotes.gov, 1 +martinwhelton.uk, 1 +martnlab.com, 1 +martonveronika.tk, 1 +martstop.ir, 1 +martstroy.ru, 1 +marturet.com, 1 +marty.me.uk, 1 +martyrium.tk, 1 +marufmusic.tk, 1 +maruja.tk, 1 +marula-oel.de, 1 +marulaweb.com, 1 +marunouchi-hotel.co.jp, 1 +marustat.ru, 1 +marvaco.cf, 1 +marvaco.ga, 1 +marvaco.tk, 1 +marvelcargiveaways.co.uk, 1 +marveld.nl, 1 +marvelmoviemarathon.com, 1 +marvelo.cf, 1 +marvelouspainting.com, 1 +marvelweed.ru, 1 +marvin-elsen.com, 1 +marvin.is, 1 +marvin.rocks, 1 +marvinelsen.com, 1 +marvingazibaric.io, 1 +marvinkeller.de, 0 +marvinxyz.de, 1 +marvnet.cf, 1 +marvnet.design, 1 +marvnet.ga, 1 +marvnet.gq, 1 +marvnet.ml, 1 +marvnet.tk, 1 +marvnetdigital.cf, 1 +marvnetdigital.ga, 1 +marvnetdigital.gq, 1 +marvnetdigital.ml, 1 +marvnetdigital.tk, 1 +marvnetforum.cf, 1 +marvnetforum.ga, 1 +marvnetforum.gq, 1 +marvnetforum.ml, 1 +marvnetforum.tk, 1 +marvos.se, 1 +marw.org, 1 +marwadionline.com, 1 +marxist.party, 1 +marxists.org, 1 +marxmyths.org, 1 +marxpark.tk, 1 +mary-e-kay.tk, 1 +maryamghorbani.com, 1 +maryannhaircpa.com, 1 +marycliffpress.com, 1 +marycowanceramics.com, 1 +maryeileen90.party, 1 +maryeileenkelly.com, 1 +maryhaze.net, 1 +marykatrinaphotography.com, 1 +marykirsch.net, 1 +marylandbasementandcrawlspacewaterproofing.com, 1 +marylandcomptroller.gov, 1 +marylandtaxes.gov, 1 +marylandtraditions.org, 1 +maryleemacdonald.org, 1 +maryluzturismo.co, 1 +marymaloney.tk, 1 +marymount.edu.mx, 1 +marypierce.tk, 1 +maryrock.net, 1 +maryrose.org, 1 +marysvilleks.gov, 1 +marytetzstore.com.br, 1 +marywet.net, 1 +marzio.co.za, 1 +mas.be, 1 +mas.bg, 1 +masadaoffensive.com, 1 +masafarms.com, 1 +masajilanver.tk, 1 +masakanibu.ga, 1 +masakigarden.com, 1 +masalaband.tk, 1 +masaloku.com.tr, 1 +masanteadelavenir.fr, 1 +masanunciosimpresos.com, 1 +masarik.sh, 1 +masaze-hanka.cz, 1 +mascarablond.tk, 1 +mascarbo.tk, 1 +mascarillas.blog, 1 +mascenter.xyz, 1 +maschine.email, 1 +maschinen.email, 1 +maschinensucher.de, 1 +mascorazon.com, 1 +mascotarios.org, 1 +mascoteando.net, 1 +masdemariette.com, 1 +masdemexico.com, 1 +masduta.co, 1 +masdzub.com, 1 +masepps.pe, 1 +maservant.com, 1 +maservant.net, 1 +masfloss.net, 1 +mashairi.co.ke, 1 +masharphomecooking.com, 1 +mashek.net, 1 +mashin.al, 1 +mashina.world, 0 +mashinavremeni.ml, 1 +mashine-art.ru, 1 +mashinist.tk, 1 +mashonkavortu.tk, 1 +mashoom.co.uk, 1 +mashrmail.com, 1 +mashrmail.io, 1 +mashtibax.ga, 1 +masiavillalonga.com, 1 +masinaspalat.info, 1 +masiniunelte.store.ro, 1 +masinky.tk, 1 +masite.net, 1 +mask-skin.tk, 1 +maskamuse.com, 1 +masked.love, 1 +maskedemail.nl, 1 +maskedworld.tk, 1 +maskerking.com, 1 +maskim.fr, 1 +masking.my.id, 1 +maskinkultur.com, 1 +maskmail.co, 1 +maskmy.id, 1 +maskova.net, 1 +maskstyle.tk, 1 +maslenka.tk, 1 +maslin.io, 1 +maslow.tk, 1 +masmusica.tk, 1 +masmusicaradio.tk, 1 +maso-corto.com, 1 +masob.site, 1 +masoftware.ddns.net, 1 +masoncountyil.gov, 1 +masoncountywa.gov, 1 +masoncountywaelections.gov, 1 +masoncountywv.gov, 1 +masonkysheriff.gov, 1 +masqueless.org, 1 +masqueradecostumes.tk, 1 +masrilanguage.tk, 1 +masrud.com, 1 +masrur.org, 1 +mass-analytics.com, 1 +mass.pt, 1 +massaer.tk, 1 +massage-californien.tk, 1 +massage-colleges.com, 1 +massage-la-clusaz.com, 1 +massage-technique.tk, 1 +massage-vitalite.fr, 1 +massage-well.ch, 1 +massage4u.net, 0 +massageandwellbeing.com, 1 +massagecoolangatta.com.au, 1 +massagecupping.com, 1 +massagegunadvice.com, 1 +massagehabits.com, 1 +massagekartan.ga, 1 +massagepraktijkamyklappe.nl, 1 +massages-du-monde-charente.fr, 1 +massagespaindia.com, 1 +massagetable.shop, 1 +massagetherapylicense.org, 1 +massagetherapyschoolsinformation.com, 1 +massaggi.it, 1 +massaggio.it, 1 +massagik.ml, 1 +massanews.com, 1 +massapothecary.com, 1 +massauditor.gov, 1 +massazh.cf, 1 +massbank.eu, 1 +massconsultores.com, 1 +masse.org, 1 +massfone.com, 1 +masshost.tk, 1 +masshpc.gov, 1 +massive.tk, 1 +massiveanalyser.com, 1 +massiveassault.tk, 1 +masskick.ga, 1 +massmurder.tk, 1 +massmutualascend.com, 0 +massolutions.pro, 1 +masspingtool.com, 1 +masstercurssos.com, 1 +massvow.com, 1 +masta.me, 1 +mastah.fr, 1 +mastd.fr, 1 +mastd.me, 0 +mastd.onl, 1 +mastdatabase.co.uk, 1 +mastdi.eu, 1 +mastelic.net, 1 +mastellone.us, 1 +master-net.org, 1 +master-tmb.ru, 1 +master.shop, 1 +masteranimal.tk, 1 +mastercardpac.com, 1 +mastercareplus-demo.com, 1 +mastercareplus-staging.com, 1 +mastercareplus-uat.com, 1 +mastercareplus.com, 1 +mastercomfig.com, 1 +masterdan.net, 1 +masterdemolitioninc.com, 1 +masterdesingweb.tk, 1 +masterdigitale.com, 1 +masterdistillers.net, 1 +masterdrilling.com, 1 +mastere.tn, 1 +masterflitzer.xyz, 1 +masterglasses.ru, 1 +mastergrampartners.com, 1 +masterhelenaroma.com, 1 +masterimperia.com, 1 +masterin.it, 1 +masterinchess.com, 1 +masterise.tv, 1 +masterjuantex-projects.tk, 1 +masterkitchen.com.br, 1 +masternetix.ga, 1 +masternetltd.com, 1 +masterofallscience.com, 1 +masterofazoth.tk, 1 +masterofbytes.ch, 1 +masterpassword.org, 1 +masterplc.com, 1 +masterprophetlibrary.com, 1 +masterproseo.ru, 1 +masterpsylogos.ru, 1 +masterquest.tk, 1 +masters-burrell.co.uk, 1 +masters-education.com, 1 +masters-in-special-education.com, 1 +mastersadistancia.com, 1 +mastersindatascience.org, 1 +mastersinesl.org, 1 +mastersinlibraryscience.net, 1 +mastersofscale.com, 1 +mastersplace.tk, 1 +masterstation.net, 1 +mastersthesiswriting.com, 1 +masterstruckingacademy.com, 1 +masterstuff.de, 1 +mastertent.com, 1 +masterton.com.au, 1 +mastertutoriales.com, 0 +masterunblock.com, 0 +masterurist.ru, 1 +mastervision.tk, 1 +masterwank.com, 1 +masterwayhealth.com, 1 +mastiffingles.com.br, 1 +mastilenergy.us, 1 +mastips.cl, 1 +mastodon-poradnik.pl, 1 +mastodon.au, 1 +mastodon.blue, 0 +mastodon.com.pl, 1 +mastodon.cr, 1 +mastodon.ee, 1 +mastodon.fun, 1 +mastodon.org.uk, 1 +mastodon.pizza, 1 +mastodon.pl, 0 +mastodon.top, 1 +mastodon.uno, 1 +mastodont.tk, 1 +mastpartners.com, 1 +masuclub.jp, 1 +masuclub.net, 1 +masumitsu.jp, 1 +masumreza.tk, 1 +masun.org, 1 +maswali.com, 1 +mat-berenbostel.de, 1 +mat.co.th, 1 +mat.com.vn, 1 +mat.services, 1 +mat.tt, 1 +mat99.dk, 1 +mata-i-nautisme.fr, 1 +matador-group.eu, 1 +matafonov.tk, 1 +mataharitimoer.tk, 1 +matanz.de, 1 +matapacoin.org, 1 +matarbyte.se, 1 +matarees.com, 1 +matarrosabierzo.com, 1 +matatabimix.com, 1 +matatall.com, 1 +matc.net, 1 +match.audio, 1 +match.by, 1 +match2meet.io, 1 +matcha-iga.jp, 1 +matcha14.com, 1 +matchday.cz, 1 +matchflix.ch, 1 +matchimmo.fr, 1 +matchlive.ga, 1 +matchmeup.de, 1 +matchmove.com, 1 +matchpointusa.com, 1 +matco.ca, 0 +mate.academy, 1 +mate.software, 1 +matega.hu, 1 +mateiko.by, 1 +matej-oliva.cz, 1 +matejgroma.com, 1 +matejkosiarcik.com, 1 +matel.org, 1 +matematik-ozel-ders.tk, 1 +matematikformulleri.com, 1 +matematikkulubu.tk, 1 +matematyka.wiki, 1 +matemonsac.com, 0 +mateoconlechuga.com, 1 +matepro.pl, 1 +materasocial.live, 1 +materassi.roma.it, 1 +materassicatania.it, 1 +materi.co.id, 1 +materiaischiquinho.com.br, 1 +material-ui.com, 1 +material-world-fuyouhin.com, 1 +material.security, 1 +materialdeconstruccion.com.mx, 1 +materialism.com, 1 +materialyinzynierskie.pl, 1 +materiel-grand-format.fr, 1 +maternityfashion.in, 1 +maternoinfantile.online, 1 +maternum.com, 1 +mateslibres.com, 1 +matetineamoi.fr, 1 +mateuszchyla.pl, 1 +mateuszmajewski.com, 1 +mateuszpilszek.pl, 1 +matewanwv.gov, 1 +mateworks.hu, 1 +matglobal.tech, 1 +matgodt.no, 1 +math-coaching.com, 1 +math-colleges.com, 1 +math-drills.com, 1 +math-net.ru, 1 +math.hamburg, 1 +mathalexservice.info, 1 +mathavuzteknolojileri.com.tr, 1 +mathdf.com, 1 +matheball.de, 1 +mathebau.de, 1 +mathebibel.de, 1 +mathechor.de, 1 +mathematica.org, 1 +mathematik.rocks, 1 +matheo-schefczyk.de, 1 +mathers.ovh, 1 +mathes.berlin, 1 +matheusmacedo.ddns.net, 1 +mathewlane.com, 1 +mathhire.org, 1 +mathias.re, 0 +mathiasbynens.be, 1 +mathiasgarbe.de, 1 +mathiasheise.de, 1 +mathiaswagner.org, 1 +mathieu-marteau.fr, 0 +mathieuchollet.eu, 1 +mathieugrant.com, 1 +mathieuguimond.com, 1 +mathieui.net, 1 +mathijskingma.nl, 1 +mathiveri.tk, 1 +mathleaks.com, 1 +mathleaks.se, 1 +mathnet.ru, 1 +maths.network, 1 +mathschool.lt, 1 +mathsource.ga, 1 +mathspace.co, 1 +mathswithcorne.com, 1 +mathteacheredu.org, 1 +mathys.io, 1 +mati.gq, 1 +mati.lol, 1 +mati.tk, 1 +maticz.com, 1 +matijakolaric.com, 1 +matildeferreira.co.uk, 1 +matillat.ovh, 1 +matindustrial.com, 1 +matipl.pl, 1 +matis.rs, 1 +matiu.tk, 1 +matjaz.it, 1 +matkuling.com, 1 +matkuling.no, 1 +matlss.com, 1 +matnkat.com, 1 +matocmedia.com, 1 +matok.me.uk, 1 +matolab.lt, 1 +matomari.tk, 1 +matopu.tk, 1 +matoutepetiteboutique.com, 1 +matov.tk, 1 +matovaya-pomada.ml, 1 +matozone.com, 1 +matpools.com, 1 +matreon.nl, 1 +matrichelp.co.za, 1 +matrieux.dk, 1 +matrimonio.com, 1 +matrimonio.com.co, 1 +matrimonio.com.pe, 1 +matrimonios.cl, 1 +matrimoniosriviera.com, 1 +matrimonybest.com, 1 +matriterie-sdv.ro, 1 +matrix-pm.com, 1 +matrix-team.tk, 1 +matrix.org, 1 +matrix3dp.com, 1 +matrix40.com, 1 +matrixbricks.com, 1 +matrixengineered.com, 1 +matrixfm.tk, 1 +matrixglobalsms.com, 1 +matrixhealthcare.ca, 1 +matrixmedia.ro, 1 +matrixmold.com, 1 +matrixpost.net, 1 +matrixread.com, 0 +matrixreq.com, 0 +matroskin.ml, 1 +matsson.com, 1 +matsu.gov, 1 +matsushima-kosodate.com, 1 +matt-brooks.com, 1 +matt-royal.com.cy, 1 +matt.re, 1 +mattab.xyz, 1 +mattadams.info, 1 +mattajones.com, 1 +mattandreko.com, 1 +mattandyana.com, 1 +mattaponi.gov, 1 +mattari-app.com, 1 +mattatoio.eu, 1 +mattbailey.tech, 1 +mattberryman.org, 1 +mattbiscay.com, 1 +mattbray.com, 1 +mattbsg.xyz, 1 +mattchellew.net, 1 +mattcoles.io, 1 +mattconstruction.com, 1 +mattcorallo.com, 1 +mattcorp.com, 1 +mattdbarton.com, 1 +mattelek.com, 1 +mattelekharris.com, 1 +mattentaart.tk, 1 +matteobrenci.com, 1 +matteomarescotti.it, 1 +matteosaturn.com, 1 +matteozinnia.it, 1 +mattersource.com, 1 +mattessons.co.uk, 1 +mattferderer.com, 1 +mattfiore.com, 1 +mattga.ca, 1 +mattgemmell.com, 1 +mattgoddardphotography.co.uk, 1 +matthew-carson.info, 1 +matthew-cash.com, 1 +matthewaker.com, 1 +matthewberry.co.za, 1 +matthewburket.com, 1 +matthewcollins.me, 1 +matthewgallagher.co.uk, 1 +matthewgraybosch.com, 1 +matthewgrow.com, 1 +matthewhaeck.com, 1 +matthewimaniphotography.ga, 1 +matthewj.ca, 1 +matthewkairys.com, 1 +matthewkenny.co.uk, 1 +matthewkerley.com, 1 +matthewlankford.com, 1 +matthewljiang.com, 1 +matthewohare.com, 0 +matthewoliver.com, 1 +matthewoshea.tk, 1 +matthewprenger.com, 1 +matthewrochow.com, 1 +matthewsaeger.com, 1 +matthewsfuneralhome.com, 1 +matthewtester.com, 1 +matthewthode.com, 1 +matthewthode.net, 1 +matthewthode.org, 1 +matthey.nl, 1 +matthi.coffee, 1 +matthi3u.xyz, 1 +matthias-lohr.com, 1 +matthias-lohr.net, 1 +matthias-muenzner.de, 1 +matthias-wimmer.de, 1 +matthiasadler.info, 1 +matthiaserb.com, 1 +matthiaslohr.net, 1 +matthiasmueller.me, 1 +matthiasott.ch, 1 +matthiasott.com, 1 +matthiasschwab.de, 1 +matthiasweiler.de, 0 +matthiaswillemsen.me, 1 +matthieu-munoz.fr, 1 +matthieuchedidweb.tk, 1 +matthieuschlosser.fr, 1 +matthijssen.info, 1 +matthijsvos.com, 1 +matthijsvos.org, 1 +mattia98.org, 0 +mattiascibien.net, 0 +mattisclever.com, 1 +mattlaks.com, 1 +mattmarkel.com, 1 +mattmarkelmedia.com, 1 +mattmatters.io, 1 +mattmccutchen.net, 1 +mattmcshane.com, 1 +mattmoorcroft.com, 1 +mattmorrissound.co.uk, 1 +mattnetwork83.com, 1 +mattonline.me, 1 +mattpeterson.com, 1 +mattpippen.com, 1 +mattprice.eu, 1 +mattquintanilla.xyz, 1 +mattres.com, 1 +mattresscleaningcampsbay.co.za, 1 +mattresscleaningcapetown.co.za, 1 +mattresscleaningdurban.co.za, 1 +mattresscleaninghoutbay.co.za, 1 +mattresscleaningseapoint.co.za, 1 +mattresscleaningwesterncape.co.za, 1 +mattressdiscounters.com, 1 +mattressfirm.org, 1 +mattressfundraiser.net, 1 +mattressman.co.uk, 1 +mattressomni.ng, 1 +mattrubin.me, 1 +mattrude.com, 1 +matts.systems, 1 +matts.world, 1 +mattsavin.me, 1 +mattshi.com, 1 +mattslack.me, 1 +mattsmissionblog.com, 1 +mattsvensson.com, 1 +mattwill.be, 1 +matucloud.de, 1 +matuntu.ml, 1 +mature-lovers.com, 1 +mature-orgasm.com, 1 +matureasspics.com, 1 +maturebbwtube.com, 1 +maturebigass.com, 1 +maturecharm.com, 1 +maturefucktube.com, 1 +maturegrandtube.com, 1 +matureladiespics.com, 1 +matureporn-videos.com, 1 +matureporn.com, 1 +maturepornpics.com, 1 +maturepussypics.com, 1 +maturetube.tv, 1 +maturexthumbs.com, 1 +matuslab.net, 1 +matway.com, 1 +matway.net, 1 +matyldamost.cz, 1 +matze.co, 1 +matze.org, 0 +matzoos.com, 1 +mau.bot, 1 +mau.chat, 1 +mau.fi, 1 +mau.life, 1 +mau.lu, 1 +mau.photos, 1 +maubot.xyz, 1 +maudfourier.com, 0 +mauditeboisson.tk, 1 +maudok.gov, 1 +mauhalito.tk, 1 +mauicharm.com, 1 +mauldincookfence.com, 1 +mauletsmallorca.tk, 1 +maumovie.ml, 1 +maunium.net, 1 +mauracher.cc, 1 +maurice-walker.com, 0 +mauricechavez.tk, 1 +mauricedb.nl, 1 +mauriceje.ga, 1 +mauricespapens.tk, 1 +mauricio-ochmann.tk, 1 +mauriciog.com.ar, 0 +mauricioghiorzi.com.ar, 0 +mauricioquadradoconsultor.com.br, 1 +mauricioquadradocontador.com.br, 1 +mauriciosilva.tk, 1 +mauriciotoussaint.tk, 1 +mauriciotoussaintarte.tk, 1 +mauritsverelst.com, 1 +mauroalejandro.co, 1 +mauronovellas.es, 1 +maurovacca.com, 1 +maurrikone.com, 1 +maury-moteurs.com, 1 +mausmani.tk, 1 +mausoleum.ga, 1 +maut1.de, 1 +mauticamp.ng, 1 +mauto.md, 1 +mautwelt.de, 1 +maveeranpasupathi.tk, 1 +maven-cap.com, 1 +maven.ng, 0 +mavente.fr, 1 +maventrading.com, 1 +mavenvets.co.uk, 1 +mavericklabel.com, 1 +maverickmobilemechanics.com, 1 +maveris.com, 0 +maviepearl.net, 1 +mavrick.tk, 1 +mavro.cf, 1 +mavro.ga, 1 +mavro.gq, 1 +mawinguhost.co.ke, 1 +mawkebaljalal.com, 1 +mawo.olkusz.pl, 1 +mawrex.tech, 1 +max-anime.tk, 1 +max-apk.com, 0 +max-cafe.cz, 1 +max-moeglich.de, 1 +max-went.pl, 1 +max.gov, 1 +max00365.com, 1 +max11365.com, 0 +max1365.com, 0 +max22365.com, 0 +max2365.com, 0 +max33365.com, 0 +max3365.com, 0 +max4365.com, 0 +max44365.com, 0 +max5365.com, 0 +max55365.com, 0 +max6365.com, 0 +max66365.com, 0 +max77365.com, 0 +max8365.com, 0 +max88365.com, 0 +max9365.com, 0 +max96.de, 1 +maxalbanesi.it, 1 +maxaro.nl, 1 +maxb.fm, 1 +maxbike.tk, 1 +maxboobs.com, 1 +maxbruckner.de, 1 +maxbruckner.org, 1 +maxbuelk.de, 1 +maxbytes.nl, 0 +maxcash.com, 1 +maxchan.info, 1 +maxclean.ml, 1 +maxcleaning.be, 1 +maxconstructionmachinery.com, 1 +maxdargent.com, 1 +maxdata.pt, 1 +maxedgymequipment.com, 1 +maxgamez.tk, 1 +maxh.me.uk, 1 +maxh.name, 1 +maxhamon.ovh, 1 +maxhoechtl.at, 1 +maxhorvath.com, 1 +maxi-retail.ru, 1 +maxibanki.ovh, 1 +maxiclin.pt, 1 +maxico.tk, 1 +maxigiga.com, 1 +maxiglobal.net, 1 +maxihide.tk, 1 +maxihyp.de, 1 +maxim.live, 1 +maxima.at, 0 +maximababy.de, 1 +maximalsparen.com, 1 +maximanet.tk, 1 +maximbaz.com, 1 +maximdeboiserie.be, 1 +maximdens.be, 1 +maximeferon.fr, 1 +maximegagnon.io, 1 +maximemalfoy.com, 1 +maximemichaud.me, 1 +maximilian-graf.de, 1 +maximilian-greger.com, 1 +maximilian-staedtler.de, 1 +maximiliancole.tk, 1 +maximiliangaedig.com, 1 +maximiliankaul.de, 1 +maximiliankrieg.de, 1 +maximoguk.com, 1 +maximosilupu.tk, 1 +maximovie.eu, 1 +maxims-travel.com, 1 +maximumcontrol.nl, 1 +maximumphysiotherapy.com, 1 +maximusconstrutora.com.br, 1 +maximusrose.com, 1 +maxindo.net.id, 1 +maxinesbydennees.com, 1 +maxipcalls.com, 0 +maxipro.ru, 1 +maxiservak.ml, 1 +maxisito.it, 1 +maxivisor.ga, 1 +maxjacobs.com.au, 1 +maxkaul.de, 1 +maxlaumeister.com, 1 +maxley.yachts, 1 +maxmanus.ga, 1 +maxmarket.bg, 1 +maxmatthe.ws, 0 +maxmilton.com, 1 +maxmind-test.com, 1 +maxmuen.de, 1 +maxmusic.tk, 1 +maxmusical.ml, 1 +maxnac.tk, 1 +maxopen.cf, 1 +maxopolyworldnews.com, 1 +maxp.info, 0 +maxpl0it.com, 1 +maxpoint.it, 1 +maxportal.tk, 1 +maxprog.com, 1 +maxqda.com, 1 +maxqda.de, 1 +maxr1998.de, 0 +maxrandolph.com, 1 +maxrickettsuy.com, 1 +maxrider.tk, 1 +maxroganov.tk, 1 +maxs.com, 1 +maxschleiffer.com, 1 +maxtransport.az, 1 +maxtruxa.com, 1 +maxundlara.at, 1 +maxundlara.com, 1 +maxundlara.eu, 1 +maxundlara.org, 1 +maxuniverse.de, 1 +maxus.com.py, 1 +maxus.tk, 1 +maxvaluedeals.com, 1 +maxwaellenergie.de, 1 +maxweiss.io, 1 +maxwell-english.co.jp, 0 +maxwellblog.com, 1 +maxwellcity.cf, 1 +maxwellcity.ga, 1 +maxwellcity.ml, 1 +maxwellmoore.co.uk, 1 +maxwittfeld.tech, 1 +may24.tw, 1 +mayaimplant.com, 1 +mayamaibach.org, 1 +mayamarquez.co, 1 +mayamushrooms.co.uk, 1 +mayanaturopathy.co.uk, 1 +mayanet.tk, 1 +mayangateway.com, 1 +mayashoefke.tk, 1 +mayavi.co.in, 0 +maybeonline.de, 1 +maybeshewill.xyz, 1 +maybeul.com, 1 +mayblossom.net, 1 +maycarivero.com, 1 +maydaystrategies.com, 1 +maydex.info, 1 +mayerbrownllz.com, 1 +mayfieldheightsohio.gov, 1 +mayflowerbocawina.tk, 1 +mayflowercreative.com, 1 +mayflowerfairytales.com, 1 +mayiadvise.nl, 1 +mayito.tk, 1 +mayki.ga, 1 +maykitut.tk, 1 +maynails.com.br, 1 +maynardnetworks.com, 0 +maynesoftware.co.uk, 1 +mayomarquees.com, 1 +mayopartyhire.com, 1 +mayorcahill.com, 1 +mayre-idol.tk, 1 +mayrivermontessori.com, 1 +maysambotros.tk, 1 +mayslandingcornholeleague.com, 1 +maythai.eu, 1 +maythai.pl, 1 +maytretrungphuong.com, 1 +maywood-il.gov, 1 +mayx.eu.org, 1 +mazartdesign.tk, 1 +mazavto.ml, 1 +mazcue.com, 0 +mazda-mps.de, 1 +mazda-thermote.com, 1 +mazda626.net, 1 +mazdaofgermantown.com, 1 +mazdel.tk, 1 +maze.com.br, 1 +maze.fr, 0 +mazenitude.fr, 1 +mazepa.ml, 1 +mazet-machines-a-coudre.fr, 1 +mazhab.tk, 1 +mazik.tk, 1 +mazken.tk, 1 +mazternet.ru, 1 +mazurlabs.tk, 1 +mazury-invest.pl, 1 +mazzotta.me, 1 +mb-amenagements.be, 1 +mb-analytics.at, 1 +mb-demo.net, 1 +mb-is.info, 1 +mb-server.de, 1 +mb-t.net, 1 +mb300sd.com, 1 +mbaasy.com, 1 +mbaestlein.de, 1 +mbainflatables.co.uk, 1 +mbalaw.pl, 1 +mbanogmat.com, 1 +mbar.us, 1 +mbarbadun.es, 0 +mbardot.com, 0 +mbasic.facebook.com, 0 +mbcars.be, 0 +mbci.gov, 1 +mbcoaching40.fr, 1 +mbcom.de, 1 +mbd2021cm.com, 1 +mbda.gov, 1 +mbddash-staging.azurewebsites.net, 1 +mbdou50.ru, 1 +mbdrogenbos-usedcars.be, 1 +mbeach.fr, 1 +mbed.com, 1 +mbed.org, 1 +mbedcloud.com, 1 +mbedcloudintegration.net, 1 +mbfiles.tk, 1 +mbi.nl, 1 +mbilker.us, 1 +mbinf.de, 0 +mbinformatik.de, 0 +mbjeng.com, 0 +mbk.net.pl, 1 +mblankhorst.nl, 1 +mble.mg, 1 +mbmassageterapi.se, 1 +mbong.kr, 1 +mbpskill.co.id, 1 +mbr-net.de, 1 +mbr.moe, 1 +mbr.pw, 1 +mbrd.de, 1 +mbrental.fr, 1 +mbrjun.cn, 1 +mbsec.net, 1 +mbsunu.com, 1 +mbsync4supply.com, 1 +mbt-constructions.co.uk, 1 +mbtaadvisoryboard.gov, 1 +mbudy.in, 1 +mburaks.com, 1 +mburns.duckdns.org, 1 +mbvelden.nl, 1 +mbw.org.au, 1 +mbwemmel-usedcars.be, 1 +mbwsignup.com, 1 +mc-auth.com, 1 +mc-connect.net, 1 +mc-dos.ru, 1 +mc-jobs.net, 1 +mc-mods.org, 1 +mc-sin.ch, 1 +mc-teemocraft.tk, 1 +mc.ax, 1 +mc007.xyz, 1 +mc2informatique.fr, 1 +mc3dreal.de, 1 +mc4free.cc, 1 +mc5zvezd.ru, 0 +mcagon.tk, 1 +mcahm.eu.org, 1 +mcalert.in, 1 +mcaps-mn.gov, 1 +mcb-bank.com, 1 +mcbbs.wiki, 1 +mcbooks.vn, 0 +mccannhealth.com, 1 +mccannworldgroup.com, 1 +mccarthyprestige.com.au, 1 +mccarthystonefoundation.org, 0 +mccasa.com.br, 1 +mccinc.ca, 1 +mcclaincountyok.gov, 1 +mccn.pp.ua, 1 +mccommando.tk, 1 +mcconciergerie.com, 1 +mcconecountymt.gov, 1 +mccoolesredlioninn.com, 1 +mccordscvs.com, 1 +mccormicklaw.com.au, 1 +mccsquantico.marketing, 1 +mcculloughjchris.com, 0 +mcculloughsgolf.com, 1 +mccurtainems.gov, 1 +mcdanieldevelopmentservices.com, 1 +mcdean.com, 1 +mcdeed.net, 1 +mcdermottautomotive.com, 1 +mcdesigns68.co.uk, 1 +mcdgenclikkulubu.org, 1 +mcdona1d.me, 1 +mcdonaldcountymissouri.gov, 1 +mcdonalds.cloud, 1 +mcdonalds.co.il, 1 +mcdonalds.design, 1 +mcdowellcountyncboe.gov, 1 +mcdowellcountywv.gov, 1 +mcdowellnews.com, 1 +mcdreamcity.com, 1 +mcdsg.net, 1 +mcduff.ga, 1 +mce.eu, 1 +mce.nyc, 1 +mce55.eu, 1 +mcea-hld.jp, 1 +mceconferencecentre.eu, 1 +mcemyigit.com.tr, 1 +mcescher.com, 1 +mceyedol.tk, 1 +mcfallout.ru, 1 +mcfarlow.sk, 1 +mcfipvt.com, 1 +mcfreedom.eu, 1 +mcg4loans.com, 1 +mcgaccountancy.co.uk, 1 +mcgarrybair.com, 1 +mcgavocknissanwichitaparts.com, 1 +mcgillsbuses.co.uk, 1 +mcgovernance.com, 1 +mcgrand.shop, 1 +mcgregortx.gov, 1 +mch2022.org, 1 +mchaelkordomain.tk, 1 +mchan.us, 1 +mchel.net, 1 +mchenrycountyclerkil.gov, 1 +mchollet.eu, 1 +mchopkins.net, 1 +mchost.no, 1 +mchristopher.com, 1 +mchughisle.net, 1 +mci.gov.sg, 0 +mcideas.tk, 1 +mcintyredisplays.com, 1 +mcirculo.com.br, 1 +mcivor.me, 1 +mcjackk77.me, 1 +mcjars.com, 1 +mckay-bednar.net, 1 +mckeancountypa.gov, 1 +mckendry.com, 1 +mckendry.consulting, 1 +mckenna.academy, 0 +mckenney.xyz, 1 +mckenzielandscaping.ca, 1 +mckernan.in, 0 +mckhan.com, 1 +mckinley1.com, 1 +mckinleytk.com, 1 +mckinneyisdtx.gov, 1 +mckleenz.com, 1 +mckycraft.xyz, 1 +mcl.de, 1 +mcl.gg, 1 +mclanedirect.com, 1 +mclanexpress.com, 1 +mclast.de, 1 +mclear.in, 1 +mcleishandmatthews.com.au, 1 +mclennan.gov, 1 +mcleodcountymn.gov, 1 +mcleodgaming.com, 1 +mcleodoptical.com, 1 +mclinflatables.co.uk, 1 +mclmotors.co.uk, 1 +mcmillan.ski, 1 +mcmillanskiclub.com, 1 +mcmillanskiclub.com.au, 1 +mcmind.ddns.net, 1 +mcmk.in, 1 +mcnairinternational.com, 1 +mcnav.net, 1 +mcnet.care, 1 +mcnext.net, 1 +mcnoobs.pro, 1 +mcon.se, 1 +mconline.sg, 1 +mcos.nc, 1 +mcost.no, 1 +mcoutinho.pt, 0 +mcpa.top, 0 +mcpaoffice.com, 1 +mcpart.land, 1 +mcpat.com, 1 +mcpe.computer, 1 +mcpepc.com, 1 +mcpepc.me, 0 +mcplayman.de, 1 +mcprocdn.com, 1 +mcraft.ru, 1 +mcregex.com, 1 +mcrn.jp, 1 +mcrook.com, 1 +mcroyal.fr, 1 +mcs-nl.com, 1 +mcsa-usa.org, 1 +mcsdatum.co.uk, 1 +mcseboard.de, 1 +mcserverslisting.net, 1 +mcsfikirsanat.com, 1 +mcsidan.tk, 1 +mcsmart.ru, 1 +mcsnovatamabayan.com, 1 +mcsoneca.tk, 1 +mcsrvstat.us, 1 +mcstaralliance.com, 1 +mctea.tk, 1 +mctherealm.net, 1 +mctitan.net, 1 +mctools.org, 1 +mctwcloud.tk, 1 +mcubedigital.com, 1 +mcukhost.co.uk, 1 +mcuuid.net, 1 +mcversions.net, 1 +mcvs.net, 1 +mcwrapper.com, 1 +mcycbd.com.au, 1 +mcyukon.com, 1 +md-1xbet.com, 1 +md-clinica.com.ua, 1 +md-events.tk, 1 +md-mb.ro, 1 +md-progressistes.fr, 1 +md-service.net, 1 +md28.in, 1 +md5file.com, 1 +mdaemon.de, 1 +mdaemon.tips, 1 +mdangels.org, 1 +mdatc.gov, 1 +mdazo.net, 1 +mdbre.gov, 1 +mdbug.de, 1 +mdca-jp.org, 1 +mdcloudps.com, 1 +mdconnect.asia, 1 +mddetails.com, 1 +mddietclinic.com, 1 +mddistributorsstore.com, 1 +mdeep.ru, 0 +mdek.at, 1 +mdewendt.de, 1 +mdf-bis.com, 0 +mdf-nakladki.kiev.ua, 1 +mdgsocialmediasecurity.com, 1 +mdgx.com, 1 +mdinstituteplasticsurgery.com, 1 +mdinvest.nz, 1 +mdir.tk, 1 +mditsa.de, 1 +mdiv.pl, 1 +mdjobsite.com, 1 +mdl.co.ua, 1 +mdlayher.com, 1 +mdleom.com, 1 +mdma.net, 1 +mdmed.clinic, 1 +mdns.eu, 1 +mdosch.de, 1 +mdpp.com.br, 1 +mdpparish.com, 1 +mdrsp.de, 1 +mdrthmcs.io, 1 +mds-paris.com, 1 +mdsave.com, 1 +mdscomp.net, 1 +mdsglobal.com, 1 +mdtaxconnect.gov, 1 +mdtorelli.it, 1 +mdwedding168.com, 1 +mdwellness.ca, 1 +mdwftw.com, 1 +mdx.no, 1 +mdxdave.de, 0 +mdxn.org, 1 +me-groups.com, 1 +me-mainz.de, 1 +me-news.tk, 1 +me-soft.nl, 1 +me.com.br, 1 +me.net.nz, 0 +me.vu, 1 +me2md.com, 1 +me7878.com, 1 +mea-vota-uitvaart.nl, 1 +mea.com.lb, 1 +meadowfen.farm, 1 +meadowfenfarm.com, 1 +meadowviewfarms.org, 1 +meadvillems.gov, 1 +mealcast.ml, 1 +mealpedant.com, 1 +meals.lv, 1 +mealsnmemories.in, 1 +meamod.com, 0 +meandmyemotions.org, 1 +meanevo.com, 1 +meangreenjunk.com, 1 +meaningfulbits.io, 1 +meanit.ie, 1 +meanjstraininginstitute.com, 1 +meany.xyz, 1 +meao.market, 1 +meao.online, 1 +meao.pictures, 1 +meao.ru, 1 +meapbot.com, 1 +meapbot.net, 1 +meapbot.org, 1 +meapbot.pro, 1 +measiedu.org, 1 +measureaustralia.com.au, 1 +measurementsolutionsinc.com, 1 +measureyourpenis.today, 1 +meat-berry.ru, 1 +meat-education.com, 1 +meat.org.uk, 1 +meatfoods.com.br, 1 +meatfreecarnivore.com, 1 +meavagas.com, 1 +meazurelearning.com, 1 +mebehliyetsinavsorulari.com, 1 +mebel-dnr.ml, 1 +mebel-voronezh.cf, 1 +mebelconcept.tk, 1 +mebelipalitra.ru, 0 +mebelipetrov.com, 1 +mebeliside.bg, 1 +mebelisk.com.br, 1 +mebelizori.com, 1 +mebelnik.pro, 1 +mebeloffice.com.ua, 1 +mebelok.com, 1 +mebelradom.com, 1 +mebelshik.tk, 1 +mebinrobin.com, 1 +meblerymar.pl, 1 +mebtall.ru, 1 +mec.gub.uy, 1 +mec010.com, 1 +mec020.com, 1 +mec021.com, 1 +mec022.com, 1 +mec023.com, 1 +mec024.com, 1 +mec025.com, 1 +mec027.com, 1 +mec028.com, 1 +mec029.com, 1 +mec0310.com, 1 +mec0311.com, 1 +mec0312.com, 1 +mec0313.com, 1 +mec0314.com, 1 +mec0315.com, 1 +mec0316.com, 1 +mec0317.com, 1 +mec0318.com, 1 +mec0319.com, 1 +mec0335.com, 1 +mec0350.com, 1 +mec0351.com, 1 +mec0352.com, 1 +mec0353.com, 1 +mec0354.com, 1 +mec0355.com, 1 +mec0356.com, 1 +mec0357.com, 1 +mec0358.com, 1 +mec0359.com, 1 +mec0370.com, 1 +mec0371.com, 1 +mec0372.com, 1 +mec0373.com, 1 +mec0374.com, 1 +mec0375.com, 1 +mec0376.com, 1 +mec0377.com, 1 +mec0378.com, 1 +mec0379.com, 1 +mec0391.com, 1 +mec0392.com, 1 +mec0393.com, 1 +mec0394.com, 1 +mec0395.com, 1 +mec0396.com, 1 +mec0398.com, 1 +mec0410.com, 1 +mec0411.com, 1 +mec0412.com, 1 +mec0413.com, 1 +mec0414.com, 1 +mec0415.com, 1 +mec0416.com, 1 +mec0419.com, 1 +mec0421.com, 1 +mec0429.com, 1 +mec0431.com, 1 +mec0432.com, 1 +mec0433.com, 1 +mec0434.com, 1 +mec0435.com, 1 +mec0436.com, 1 +mec0437.com, 1 +mec0438.com, 1 +mec0439.com, 1 +mec0440.com, 1 +mec0450.com, 1 +mec0451.com, 1 +mec0452.com, 1 +mec0453.com, 1 +mec0454.com, 1 +mec0455.com, 1 +mec0456.com, 1 +mec0457.com, 1 +mec0458.com, 1 +mec0459.com, 1 +mec0470.com, 1 +mec0471.com, 1 +mec0472.com, 1 +mec0473.com, 1 +mec0474.com, 1 +mec0475.com, 1 +mec0476.com, 1 +mec0477.com, 1 +mec0478.com, 1 +mec0479.com, 1 +mec0482.com, 1 +mec0483.com, 1 +mec0510.com, 1 +mec0511.com, 1 +mec0512.com, 1 +mec0513.com, 1 +mec0514.com, 1 +mec0515.com, 1 +mec0516.com, 1 +mec0517.com, 1 +mec0518.com, 1 +mec0519.com, 1 +mec0523.com, 1 +mec0530.com, 1 +mec0531.com, 1 +mec0532.com, 1 +mec0533.com, 1 +mec0534.com, 1 +mec0535.com, 1 +mec0536.com, 1 +mec0537.com, 1 +mec0538.com, 1 +mec0539.com, 1 +mec0550.com, 1 +mec0551.com, 1 +mec0552.com, 1 +mec0553.com, 1 +mec0554.com, 1 +mec0555.com, 1 +mec0556.com, 1 +mec0557.com, 1 +mec0558.com, 1 +mec0559.com, 1 +mec0561.com, 1 +mec0562.com, 1 +mec0563.com, 1 +mec0564.com, 1 +mec0565.com, 1 +mec0566.com, 1 +mec0570.com, 1 +mec0571.com, 1 +mec0572.com, 1 +mec0573.com, 1 +mec0574.com, 1 +mec0575.com, 1 +mec0576.com, 1 +mec0577.com, 1 +mec0578.com, 1 +mec0579.com, 1 +mec0580.com, 1 +mec0591.com, 1 +mec0592.com, 1 +mec0593.com, 1 +mec0594.com, 1 +mec0595.com, 1 +mec0596.com, 1 +mec0597.com, 1 +mec0598.com, 1 +mec0599.com, 1 +mec0660.com, 1 +mec0661.com, 1 +mec0662.com, 1 +mec0663.com, 1 +mec0691.com, 1 +mec0692.com, 1 +mec0701.com, 1 +mec0710.com, 1 +mec0711.com, 1 +mec0712.com, 1 +mec0713.com, 1 +mec0714.com, 1 +mec0715.com, 1 +mec0716.com, 1 +mec0717.com, 1 +mec0718.com, 1 +mec0719.com, 1 +mec0722.com, 1 +mec0724.com, 1 +mec0728.com, 1 +mec0730.com, 1 +mec0731.com, 1 +mec0732.com, 1 +mec0733.com, 1 +mec0734.com, 1 +mec0735.com, 1 +mec0736.com, 1 +mec0737.com, 1 +mec0738.com, 1 +mec0739.com, 1 +mec0743.com, 1 +mec0744.com, 1 +mec0745.com, 1 +mec0746.com, 1 +mec0751.com, 1 +mec0752.com, 1 +mec0753.com, 1 +mec0754.com, 1 +mec0755.com, 1 +mec0756.com, 1 +mec0757.com, 1 +mec0758.com, 1 +mec0759.com, 1 +mec0760.com, 1 +mec0762.com, 1 +mec0763.com, 1 +mec0765.com, 1 +mec0766.com, 1 +mec0768.com, 1 +mec0769.com, 1 +mec0770.com, 1 +mec0771.com, 1 +mec0772.com, 1 +mec0773.com, 1 +mec0774.com, 1 +mec0775.com, 1 +mec0776.com, 1 +mec0777.com, 1 +mec0778.com, 1 +mec0779.com, 1 +mec0790.com, 1 +mec0791.com, 1 +mec0792.com, 1 +mec0793.com, 1 +mec0794.com, 1 +mec0795.com, 1 +mec0796.com, 1 +mec0797.com, 1 +mec0798.com, 1 +mec0799.com, 1 +mec0810.com, 1 +mec0811.com, 1 +mec0812.com, 1 +mec0813.com, 1 +mec0814.com, 1 +mec0816.com, 1 +mec0817.com, 1 +mec0818.com, 1 +mec0819.com, 1 +mec0826.com, 1 +mec0827.com, 1 +mec0830.com, 1 +mec0831.com, 1 +mec0832.com, 1 +mec0833.com, 1 +mec0834.com, 1 +mec0835.com, 1 +mec0836.com, 1 +mec0837.com, 1 +mec0838.com, 1 +mec0839.com, 1 +mec0840.com, 1 +mec0851.com, 1 +mec0852.com, 1 +mec0853.com, 1 +mec0854.com, 1 +mec0855.com, 1 +mec0856.com, 1 +mec0857.com, 1 +mec0858.com, 1 +mec0859.com, 1 +mec0870.com, 1 +mec0871.com, 1 +mec0872.com, 1 +mec0873.com, 1 +mec0874.com, 1 +mec0875.com, 1 +mec0876.com, 1 +mec0877.com, 1 +mec0878.com, 1 +mec0879.com, 1 +mec0881.com, 1 +mec0883.com, 1 +mec0886.com, 1 +mec0887.com, 1 +mec0888.com, 1 +mec0890.com, 1 +mec0891.com, 1 +mec0898.com, 1 +mec0899.com, 1 +mec0910.com, 1 +mec0911.com, 1 +mec0912.com, 1 +mec0913.com, 1 +mec0914.com, 1 +mec0915.com, 1 +mec0916.com, 1 +mec0917.com, 1 +mec0919.com, 1 +mec0930.com, 1 +mec0931.com, 1 +mec0932.com, 1 +mec0933.com, 1 +mec0934.com, 1 +mec0935.com, 1 +mec0936.com, 1 +mec0937.com, 1 +mec0938.com, 1 +mec0941.com, 1 +mec0943.com, 1 +mec0951.com, 1 +mec0952.com, 1 +mec0953.com, 1 +mec0954.com, 1 +mec0971.com, 1 +mec0972.com, 1 +mec0973.com, 1 +mec0974.com, 1 +mec0975.com, 1 +mec0976.com, 1 +mec0977.com, 1 +mec0991.com, 1 +mec111.com, 1 +mec111.net, 1 +mec222.com, 1 +mec222.net, 1 +mec333.com, 1 +mec333.net, 1 +mec539.com, 1 +mec555.com, 1 +mec555.net, 1 +mec666.net, 1 +mec760.com, 1 +mec777.net, 1 +mec825.com, 1 +mec888.com, 1 +mec888.net, 1 +mec999.com, 1 +mec999.net, 1 +mecalux.com, 1 +mecalux.es, 1 +mecanicoautomotriz.org, 0 +mecanique-casa.com, 1 +mecari.tk, 1 +meccanico.milano.it, 1 +meccano.srl, 1 +meccrcog-oh.gov, 1 +mecenat-cassous.com, 1 +mecenatfoot.fr, 1 +mechafightclub.com, 1 +mechanical.tk, 1 +mechanics-schools.com, 1 +mechanicweb.com, 1 +mechanus.io, 1 +mechasdepelo.com, 0 +mechaspartans6648.com, 1 +mechinfinity.tk, 1 +mechmk1.me, 1 +mechsoftgroup.com, 1 +mechta.gq, 1 +meciel.net, 1 +mecloudprinter.com, 1 +mecomed.com, 1 +mecp.de, 1 +med-banki.ru, 1 +med-colleges.com, 1 +med-flex.com, 1 +med-line.cf, 1 +med-metrix.com, 0 +med-nagoya-neurosurgery.jp, 1 +med-otzyv.ru, 1 +med-spravca.ml, 1 +med.aid.pl, 1 +meda.bg, 1 +medaboutme.ru, 1 +medalerthelp.org, 1 +medali21.tk, 1 +medaliturki.tk, 1 +medalofvalor.gov, 1 +medbankishop.ru, 1 +medbiocompany.com, 1 +medbiocompany.ml, 1 +medbreaker-friends.at, 1 +medbreaker.one, 0 +medcab.in, 1 +medcartoon.com, 1 +medcentr.online, 1 +medcentrnadezhda.ru, 1 +medcir.com.br, 1 +medcorfu.gr, 1 +medd.com.au, 1 +meddata.pp.ua, 1 +meddatix.com, 1 +meddiehub.com, 1 +meddin.com, 1 +mede-handover.azurewebsites.net, 1 +medebridge.com.au, 1 +medec.ec, 1 +medecinesalternatives-developpementspirituelcreatif.com, 1 +medefield.com, 1 +medeinos.lt, 0 +medelement.com, 1 +medellinencanciones.tk, 1 +medfind.link, 1 +medfordoregon.gov, 1 +medfordwi.gov, 1 +medguide-bg.com, 1 +medhatzaki.com, 1 +medhiwa.com, 1 +medhy.fr, 1 +medi-link.co.il, 0 +medi.com.br, 1 +media-cable-solutions.de, 1 +media-credit.eu, 1 +media-cube.com, 1 +media-fleet.fr, 1 +media-instance.ru, 1 +media-journalism.org, 1 +media-land.tk, 1 +media-library.co.uk, 1 +media-serwis.com, 1 +media-start.tk, 1 +media-store.ir, 1 +media-street.co.uk, 1 +media-valko.hu, 1 +media-webs5.com, 1 +media24.world, 1 +media4u.tk, 1 +mediaarea.net, 1 +mediaareplural.ca, 1 +mediabackoffice.co.jp, 1 +mediabeestjes.nl, 1 +mediablaster.com, 1 +mediabogen.net, 1 +mediabola.net, 1 +mediabookdb.de, 0 +mediabooks.ml, 1 +mediaboutique.nl, 1 +mediacenter.dynv6.net, 1 +mediacluster.de, 1 +mediacolor.fr, 1 +mediadex.be, 1 +mediafly.com, 1 +mediafocus.biz, 1 +mediaforkids.org, 1 +mediagetnews.tk, 1 +mediagrand.net, 1 +mediagus.com, 1 +mediahaus.de, 0 +mediajurnal.com, 1 +medialab.nrw, 1 +medialine.ag, 1 +medialine.com, 1 +medialinkz.ga, 1 +medialunaventura.com, 1 +medialys.ca, 1 +mediamarket42.tk, 1 +mediamarkt.pl, 1 +mediametrix.ru, 1 +mediamonitors.net, 1 +mediamora.nl, 1 +medianbases.ga, 1 +mediantechnologies.com, 1 +mediaoffice.ae, 1 +mediapark.uz, 1 +mediapart.fr, 1 +mediapath.gr, 0 +mediapost-publicite.fr, 1 +mediaprint-eco.com, 1 +mediarenegades.net, 1 +mediarithmics.com, 1 +mediarithmics.io, 1 +mediarquita.com, 1 +medias-presse.info, 1 +mediasagasocialseo.com, 1 +mediaserver7.com, 1 +mediasklep24.pl, 1 +mediaspike.com, 1 +mediassist.in, 1 +mediassistindia.com, 1 +mediassistindia.net, 1 +mediassisttpa.in, 1 +mediasst.com, 1 +mediastroke.com, 1 +mediataput.ga, 1 +mediathekview.de, 0 +mediation-mv.de, 1 +mediationculturelleclp.ch, 0 +mediatorzy.waw.pl, 1 +mediatrust.org, 1 +mediaukkies.nl, 0 +mediawax.be, 1 +mediaweb.com.ve, 1 +mediawijsheid.nl, 0 +mediawijzer.net, 0 +mediawiki.com, 1 +mediawiki.org, 1 +medibooker.com.au, 1 +medic-world.com, 1 +medic808.com, 1 +medicairsolutions.com, 1 +medical-assistant-colleges.com, 1 +medical-centr.tk, 1 +medical-contact.de, 1 +medical-hospital-beds.com, 1 +medical-instinct.de, 0 +medical-tiny.com, 1 +medical-tiny.de, 1 +medicalabroad.org, 0 +medicalaegis.com, 1 +medicalassistantadvice.com, 1 +medicalassistantschools.com, 1 +medicalauction.ga, 1 +medicalbillingcodingworld.com, 1 +medicalbillrights.gov, 1 +medicalbrace.net, 1 +medicalcountermeasures.gov, 1 +medicaldispute.tk, 1 +medicaleyetec.fr, 1 +medicalhelp.com.br, 1 +medicallicensing.com, 1 +medicalonliner.tk, 1 +medicalpeople.tk, 1 +medicalphysicistservices.com, 1 +medicalsite.tk, 1 +medicalsland.com, 1 +medicaltiny.com, 1 +medicaltiny.de, 1 +medicaltools.de, 1 +medicalys-tunisie.com, 0 +medicare-providers.net, 1 +medicareadvantage.com, 1 +medicareclinic.tk, 1 +medicarecompareusa.com, 1 +medicarecoveragefinder.com, 1 +medicareinfo.org, 1 +medicaremarket.com, 1 +medicaresupplement.com, 1 +medicasa-gmbh.de, 1 +medicel.com, 1 +medicenteritalia.it, 1 +medichat.ml, 1 +medicimaging.com, 1 +medicina-interventionala.ro, 1 +medicina-news.tk, 1 +medicinae.solutions, 1 +medicinaesolutions.com, 1 +medicinaesolutions.com.br, 1 +medicinalflora.com.br, 1 +medicinasportpadova.it, 1 +medicine.com, 1 +medicine.lv, 1 +medicinesfast.com, 0 +medicinia.com.br, 1 +medicininismetalas.lt, 1 +medicinskavranje.edu.rs, 1 +mediciventures.com, 1 +mediclinik.tk, 1 +medicm.jp, 1 +medicompany.tk, 1 +medicoresponde.com.br, 1 +medictools.de, 1 +medicus.ai, 1 +medidordehumedad.online, 1 +mediengestalter-website.de, 1 +medienhelden.de, 1 +medienweite.de, 1 +medievalexpert.com, 1 +medifab.online, 1 +medifit.si, 1 +medifoto.tk, 1 +medigap-quote.net, 1 +medihost.com.au, 1 +medihostsolutions.com.au, 1 +medikuma.com, 1 +medilogistics.co.za, 1 +medinacountyohio.gov, 1 +medinaelst.nl, 1 +medinc.tk, 1 +mediniti.com, 1 +medino.com, 1 +medinorte.es, 1 +medinside.ch, 0 +medinside.li, 0 +medinsider.ch, 0 +medinsider.li, 0 +mediolan.pl, 1 +medirota.com, 1 +medisense.tk, 1 +mediskin.ro, 1 +medisuv.ga, 1 +medisysintl.net, 1 +medisystempharmacy.com, 1 +meditacionesparasanar.club, 1 +meditadvisors.com, 1 +meditarenargentina.org, 1 +meditateinolympia.org, 1 +meditation-music.shop, 1 +meditation-rennes.org, 1 +meditationsydney.org.au, 1 +meditel.nl, 1 +meditez.ca, 1 +meditrak.ml, 1 +medium.com, 1 +mediums.cf, 1 +medivisionsc.com, 1 +medivox.tk, 1 +mediweed.tk, 1 +mediziner-goettingen.tk, 1 +medja.net, 1 +medklee.com, 1 +medkliniks.ru, 1 +medlemsraadgiveren.no, 1 +medlemsradgiveren.no, 1 +medlineplus.gov, 1 +medlink.pl, 1 +medmark.com, 1 +medmobil.ru, 1 +mednews.net.ua, 1 +medo64.com, 1 +medofis.com, 1 +medorand.gov, 1 +medosedu.in, 1 +medousaclinique.com, 1 +medovea.ru, 1 +medovoe.ml, 1 +medpeer.co.jp, 1 +medpeer.jp, 1 +medportalmd.tk, 1 +medpost.com, 1 +medprozone.com, 1 +medreich.com, 1 +medrol.cf, 1 +meds.ru, 1 +medsanuk.co.uk, 1 +medscangroup.ru, 1 +medschat.com, 1 +medschrome.com, 1 +medscope.com.au, 1 +medscope.tk, 1 +medservice.cz, 1 +medsi-online.tk, 1 +medsilset.com.br, 1 +medsister.tk, 1 +medsol.co.za, 0 +medsovet.tv, 1 +medspecial.tk, 1 +medstatix-dev.com, 1 +medstatix.co, 1 +medsync.nl, 1 +medtalents.ch, 1 +medtankers.management, 0 +medtech-jp.net, 1 +medtehnika.ua, 1 +medtronicpain.com, 1 +medullaortopedi.com, 1 +medunovi.com, 1 +medusa.wtf, 1 +meduza.io, 1 +medvedikorenka.cz, 1 +medvedivka.tk, 1 +medvedka-nasekomoe.tk, 1 +medvedkovo-hovrino.ru, 1 +medvesajt.hu, 1 +medvet.com.es, 1 +medvidi.com, 1 +medy-me.com, 1 +medyahabertv.com, 1 +medyaweb.net, 1 +medycznyangielski.pl, 1 +medyotan.ga, 1 +medyumzeyneleroglu.com, 1 +medza.ru, 1 +medzinenews.com, 0 +meedoennoordkop.nl, 0 +meek.ml, 1 +meekhak.com, 1 +meeko.cc, 1 +meekru.com, 1 +meektech.com, 1 +meenzen.net, 1 +meeo7.tk, 1 +meepbot.net, 1 +meepbot.org, 1 +meepbot.pro, 1 +meeque.de, 1 +meer-der-ideen.de, 1 +meeras.ga, 1 +meereskunst.de, 1 +meerman.nl, 0 +meerpadel.nl, 1 +meesenburg.ro, 1 +meesman.nl, 1 +meesteresmisty.nl, 1 +meet, 1 +meet.google.com, 1 +meetanshi.com, 1 +meetbeagle.com, 1 +meetbot.fedoraproject.org, 1 +meetcleo.com, 1 +meetfranz.com, 1 +meetfriends.tk, 1 +meeting-server.ml, 1 +meetingvotes.com, 1 +meetjeslandsetriathlon.tk, 1 +meetmaps.com, 1 +meetmarlo.com, 1 +meetmibaby.co.uk, 1 +meetmonarch.com, 1 +meetmygoods.com, 1 +meetmyown.ga, 1 +meetmyown.tk, 1 +meetsummer.org, 1 +meetthesinglessda.co.uk, 1 +meettheslavs.com, 1 +meetville.com, 1 +meetyou.me, 1 +meeusen-usedcars.be, 1 +meewan.fr, 1 +meeztech.com, 1 +meeztertom.nl, 1 +mefano.com, 1 +meffrepatrimoine.com, 1 +meg-a-bounce.co.uk, 1 +mega-aukcion.ru, 1 +mega-byte.nl, 0 +mega-feeling.de, 1 +mega-jeans.ru, 1 +mega-microstories.com, 1 +mega.co.nz, 1 +mega.io, 0 +mega.nz, 1 +megaar.tk, 1 +megabike.tk, 1 +megabook.ml, 1 +megabooker.hr, 1 +megabounce.co.uk, 1 +megabouncingcastles.com, 1 +megacellenerji.com, 1 +megadrol.com, 1 +megaelettrostimolatore.com, 1 +megafilez.tk, 1 +megaflix.nl, 1 +megaflowers.ru, 1 +megagame.zapto.org, 1 +megagifs.de, 1 +megahertzdesigns.pro, 1 +megaherz.tk, 1 +megahobby.jp, 1 +megahost.kz, 1 +megahostingbr.tk, 1 +megahouse.co.jp, 1 +megaimpressao3d.com.br, 1 +megainflatables.co.uk, 1 +megainformatyk.pl, 1 +megajackpot.ph, 1 +megajackpot.win, 1 +megajatek.hu, 1 +megakoncert90.cz, 1 +megalibportal.ga, 1 +megalibrarygirl.ml, 1 +megalogistic.ru, 1 +megalol.tk, 1 +megalonomia.ml, 1 +megam.host, 1 +megamarket-russia.ru, 1 +megamillions.tk, 1 +megamisja.pl, 1 +megamov.eu, 1 +megamov.fr, 1 +megamov.pro, 1 +meganandmarc.us, 1 +meganholliday.blog, 1 +meganmarston.cf, 1 +meganmarston.ga, 1 +meganruggiero.com, 0 +megaobzor.com, 1 +megaparadise.ml, 1 +megapari.com, 1 +megapixel.cz, 1 +megaplan.cz, 1 +megaplan.ru, 1 +megaportal.ga, 1 +megaportal.tk, 1 +megaprofi.tk, 1 +megarap.cf, 1 +megaron.at, 1 +megasesso.com, 1 +megasitesoficial.tk, 1 +megasunsunglasses.bg, 1 +megateam.tk, 1 +megatom.net.br, 1 +megatyumen.ru, 1 +megauction.tk, 1 +megavasoc.com.ar, 1 +megaviews.tk, 1 +megavoyages.ca, 1 +megawebsite.tk, 1 +megawhat.energy, 1 +megaxchange.cash, 1 +megayachts.world, 1 +megazigzag.com, 1 +megeve-tourisme.fr, 1 +megger-aktionen.de, 1 +megger.li, 1 +meggidesign.com, 1 +meggie.tk, 1 +megh.tv, 1 +megin.gq, 1 +megin.tk, 1 +meginajums1.space, 1 +megmaster.com, 1 +megnetix.tk, 1 +mego-tracer.de, 1 +mego.cloud, 1 +mego.gmbh, 1 +megotracer.de, 1 +megumico.net, 1 +megztosidejos.lt, 1 +meh.is, 1 +mehalick.com, 1 +meharossii.ru, 1 +mehdavia.tk, 1 +mehdi-lifestyle.com, 1 +mehdibouchema.be, 1 +mehdimassage.com, 1 +meherbaba.sk, 1 +mehhh.xyz, 1 +mehibo.tk, 1 +mehlogy.com, 1 +mehlvilletermiteandpestcontrolinc.com, 1 +mehmet.net, 1 +mehmetince.net, 1 +mehode.com, 1 +mehostdd.com, 0 +mehrabpurtimes.tk, 1 +mehrgarh.tk, 1 +mehrleben.at, 1 +mehrnevesht.com, 1 +mehrwert.de, 1 +meia.ir, 1 +meiaiai.com, 1 +meideas108.com, 1 +meidev.co, 0 +meierhofer.net, 1 +meiersmarkus.de, 1 +meifacil.com, 1 +meigetsuen1980.com, 1 +meijburg.com, 1 +meikampf.de, 1 +meikan.moe, 1 +meil.se, 1 +meiler.cf, 1 +meilink.eu, 0 +meilleur-casino-bitcoin.com, 1 +meilleur-casino-fiable.com, 1 +meilleursagents.com, 1 +meilleursavis.fr, 1 +meilleursjeuxporno.fr, 1 +meilleurstrucs.com, 1 +meima.cc, 1 +meimeistartup.com, 1 +mein-arabischkurs.de, 1 +mein-betriebsrat.digital, 1 +mein-domizil.at, 1 +mein-es1.de, 1 +mein-gehalt.at, 1 +mein-muehlhausen.bayern, 1 +mein-neuer-garten.de, 1 +mein-restaurant.digital, 1 +mein-webportal.de, 0 +meinadultportalcheck.com, 1 +meinbetriebsrat24.de, 1 +meincenter-meinemeinung.de, 1 +meincoach.at, 1 +meindm.at, 1 +meine-email-im.de, 1 +meine-email-im.net, 1 +meine-finanzanalyse.de, 1 +meine-immofinanzierung.de, 1 +meine-lebensenergie-staerken.de, 1 +meine-mav.digital, 1 +meine-mobile-reiseagentur.de, 1 +meineip.eu, 1 +meineit.dvag, 1 +meinerabatt.de, 1 +meinereiseangebote.de, 1 +meinevorlagen.com, 1 +meineweidegans.at, 1 +meinewolke.pw, 1 +meineziege.de, 1 +meinezuckerbaeckerei.de, 1 +meinflirtportalcheck.com, 1 +meinflirtportalcheck.de, 1 +meinforum.net, 1 +meinhard.com, 1 +meinpalestina.de, 1 +meinpflegedienst.net, 1 +meinstartinsleben.com, 1 +meinstartinsleben.de, 1 +meinstift.ch, 1 +meintragebaby.de, 1 +meinungsplatz.ch, 1 +meinungsplatz.de, 1 +meiqia.com, 0 +meirifuli6.com, 1 +meis.space, 1 +meise.cf, 1 +meise.ml, 1 +meistaramajas.lv, 1 +meister-stuecke.com, 1 +meister-texte.com, 1 +meister-wuttke.de, 1 +meisterlabs.com, 1 +meisternote.com, 1 +meisterplan.com, 1 +meisterplan.io, 1 +meisterprep.com, 1 +meistertask.com, 1 +meistronamai.lt, 1 +meitan.gz.cn, 1 +meitianyixiaobu.com, 1 +meiyi.ga, 1 +meiyouad.com, 1 +mejofi.com, 1 +mejofi.eu, 1 +mejofi.net, 1 +mejofi.nl, 1 +mejofi.org, 1 +mejor-broker.com, 1 +mejor-vpn.com, 1 +mejorator.net, 1 +mejorator.org, 1 +mejorespatineteselectricos.es, 1 +mejorfiltrodeagua.com, 1 +mejovonakowogov.gq, 1 +mejpbs.com, 1 +mekajen.com, 1 +mekaleskirit.tk, 1 +mekanika.com.my, 1 +mekanismo.tk, 1 +mekatro.tech, 1 +mekatronika.tk, 1 +mekatrotekno.com, 1 +mekawy.tk, 1 +mekegi.com, 1 +meken.com, 1 +mekhaodee.com, 1 +mekkaoui.cf, 1 +mekker.dk, 1 +meklon.net, 1 +mekomit.co.il, 1 +mekongmontessori.com, 1 +mel-bet.com, 1 +melagenina.tk, 1 +melanfengshui.com, 1 +melaniatrump.com, 0 +melanie-guy.fr, 1 +melanie-schwarze.de, 1 +melaniebernhardt.com, 1 +melaniec-thebest.tk, 1 +melaniefaucher.ca, 1 +melaniegowen.com, 0 +melaniegruber.de, 1 +melanieschweiger.com, 1 +melanin.cf, 1 +melanto.ro, 1 +melaodealmeirim.pt, 1 +melbar.com.au, 0 +melbet-sp.com, 1 +melbet.com, 1 +melbet.mobi, 1 +melbet27.com, 1 +melbet33011.com, 1 +melbetaffiliates.com, 1 +melbetapp.com, 1 +melbetua.com, 1 +melbourneapartments.website, 1 +melbournebushwalkers.org.au, 1 +melbournecivilcelebrant.tk, 1 +melbournefringe.com.au, 1 +melbournehookah.com.au, 1 +melbournehousesitters.com, 1 +melcher.it, 1 +melchizedek-forum.de, 1 +melda-agustin.tk, 1 +melda.ru, 1 +meldcode-assistent.nl, 1 +melderegister-auskunft.de, 1 +meldjeaan.be, 1 +meldknop.nl, 1 +meldpuntemma.nl, 1 +meldsluikstort.gent, 1 +mele.ro, 1 +melectronics-ostschweiz.ch, 1 +meledia.com, 0 +melenchatsmelenchiens.fr, 1 +melhorproduto.com.br, 1 +meli-deluxe.org, 1 +melicove.com, 1 +melideluxe.org, 1 +melihacar.com.tr, 1 +melikoff.es, 1 +melillimonartesania.com, 1 +melina-schefczyk.de, 1 +melinacurves.com, 1 +melinamay.net, 1 +melino.com.ua, 1 +meliowebweer.nl, 1 +melisica.tk, 1 +melissaadkins.com, 1 +melissaauclaire.com, 1 +melissadeluxe.com, 1 +melissageorge.tk, 1 +melissalb.tk, 1 +melissameuwszen.nl, 1 +meliyb.ga, 1 +melkboshigh.co.za, 1 +melkiran.tk, 1 +melkoghonning.no, 1 +mellenbergerathletics.com, 1 +mellika.ch, 1 +mellonexia.ml, 1 +mellonne.com, 1 +melnessgroup.com, 1 +melodee.de, 1 +melodict.com, 1 +melodija.tk, 1 +melodiouscode.co.uk, 1 +melodiouscode.com, 1 +melodiouscode.net, 1 +melodiouscode.uk, 1 +melody-lyrics.com, 1 +melody.my, 1 +melodycenter.de, 1 +melonhub.com, 1 +melonstudios.net, 1 +melopie.com, 1 +melpomene.me, 1 +melrosemichaels.net, 1 +melrosewi.gov, 1 +meltdownresearch.com, 1 +melted.me, 1 +meltina-hotel.com, 1 +meltybit.com, 1 +melusine.eu, 1 +melvillecity.com.au, 1 +melvinsfrance.tk, 1 +melvintemo.com, 1 +melyssamonroy.com, 1 +mema.recipes, 1 +memberbaz.ml, 1 +memberclicks.net, 1 +memberplushq.com, 1 +members-arbourlake.com, 1 +members-only-shopping.com, 1 +members.nearlyfreespeech.net, 0 +membershipservices.org.uk, 1 +membersolutions.com, 1 +memberstweets.com, 1 +memdoc.org, 1 +meme, 1 +meme.fi, 1 +meme.institute, 1 +memecentral.org, 1 +memecoin.org, 1 +mememan.org, 1 +memememememememe.me, 1 +memento-mori.cf, 1 +memetrash.co.uk, 1 +memez.download, 1 +memind.net, 1 +memiux.com, 1 +memnet.com.au, 1 +memo-linux.com, 1 +memo.ee, 1 +memoire-resistance-ariege.fr, 1 +memoireimplicite.com, 1 +memoirmedie.dk, 1 +memolestas.tk, 1 +memorablewords.org, 1 +memoriaacademy.com, 1 +memorial.com.tr, 1 +memoriaseternizadas.com.br, 1 +memories-factory.pt, 1 +memorind.com, 1 +memoryex.net, 1 +memoryjoggerlibrary.com, 1 +memorylines.ml, 1 +memoryofyou.eu, 1 +memoryplex.com, 1 +memphisrap.com, 1 +memphisthemusical.com, 1 +mempool.chat, 1 +mempool.de, 1 +mempool.ninja, 1 +mempool.space, 1 +memrise.com, 1 +memurvadisi.tk, 1 +men-costumes.tk, 1 +men.com, 1 +menanam.net, 1 +menandsny.gov, 1 +menaraannonces.com, 1 +menardcountyil.gov, 1 +menashawi.gov, 1 +menazimkhan.tk, 1 +menddie.com, 1 +mendekuitxua.tk, 1 +mendel.tk, 1 +menden.com, 1 +mendipbouncycastles.co.uk, 1 +mendix-apps.com, 1 +mendmybackprogram.com, 0 +mendocinocounty.gov, 1 +mendomaps.com, 1 +mendonca.co, 1 +mendonvt.gov, 1 +mendovoice.com, 1 +mendozagenevieve.com, 1 +mendrala.eu, 1 +mendrala.net, 1 +menerga.it, 1 +mengjianjiemeng.com, 1 +mengjiucai.com, 1 +mengliangyun.xyz, 1 +mengma.pub, 1 +mengqingzhong.cn, 1 +mengqingzhong.com, 1 +mengqingzhong.com.cn, 1 +mengyibai.com, 1 +menh.vn, 1 +menhera.org, 0 +menielias.com, 1 +menlo-partner1-admin.com, 1 +menlo-partner1.com, 1 +menlo-vmware.io, 1 +menlo.cloud, 1 +menlo.security, 1 +menlofire.gov, 1 +menlogov-admin.com, 1 +menlogov.com, 1 +menlosecurity.com, 1 +menlosecurity.jp, 1 +menlotraining.com, 1 +menlotraining.net, 1 +menlotraining.org, 1 +menn.tk, 1 +mennace.com, 1 +mennetwork.com, 1 +menno.cloud, 0 +menno.me, 1 +mennohouse.ca, 1 +menole.com, 1 +menole.de, 1 +menole.net, 1 +menomg.com, 1 +menomineecountymi.gov, 1 +menomineemi.gov, 1 +menotag.com, 1 +mens-qzin.jp, 1 +mens-v.com, 1 +mens-watch.tk, 1 +mensagemaniversario.com.br, 1 +mensagemdaluz.com, 1 +mensagensaniversario.com.br, 1 +mensagensdeconforto.com.br, 1 +mensagensperfeitas.com.br, 0 +mensaj.es, 1 +mensajeurbano.tk, 1 +mensajitos.tk, 1 +mensarena.gr, 1 +mensasifrovacka.cz, 1 +mensch-peter.me, 1 +menschocolat.jp, 1 +mensconvoy.tk, 1 +menselijkembryo.tk, 1 +menshaircuts.com, 0 +menshairstylestoday.com, 1 +menshealthcollective.au, 1 +menspeak.ga, 1 +menswear.tk, 1 +mental-check.jp, 1 +mentalcalculations.tk, 1 +mentalcraft.tk, 1 +mentalevolution.tk, 1 +mentalhealthcounselorlicense.com, 1 +mentalhealthmn.org, 1 +mentalhealthtimes.tk, 1 +mentalizes.tk, 1 +mentalpage.com, 1 +mentalproblems.tk, 1 +mentaltraining-fuer-musiker.ch, 1 +mentecuriosa.net, 1 +menteofficial.com, 1 +menterarchitects.com, 1 +mentes-inquietas.tk, 1 +mentesinquietas.tk, 1 +menthiere.fr, 1 +menti.com, 1 +mentimeter.com, 1 +mentiq.az, 1 +mentolo.tk, 1 +mentonein.gov, 1 +mentor.gov, 1 +mentoriademercadeo.com, 1 +mentoringauchan.es, 1 +mentrixpill.com, 1 +menuel.me, 1 +menufree.org, 1 +menuiserie-deumer.be, 1 +menupay.com, 1 +menureader.ml, 1 +menurutparaahli.com, 1 +menzel-motors.com, 0 +menzel4you.tk, 1 +menzietti.it, 1 +meo.cz, 1 +meo.de, 1 +meo.es, 1 +meoption.biz, 1 +meoteam.dk, 1 +meou.pictures, 1 +meow-games.com, 1 +meow.cloud, 0 +meow.enterprises, 1 +meow.plus, 1 +meower.org, 1 +meowstodon.net, 1 +meowtech.network, 1 +mepassport.com, 1 +mepau.com.au, 1 +mepc.jp, 1 +mepcoeng.ac.in, 1 +meperidina.com, 1 +mephedrone.org, 1 +mepresto.com, 1 +meps.net, 1 +mera.ddns.net, 1 +merabsurviladze.com, 1 +meraki.hu, 1 +meralda.eu, 1 +meralda.net, 1 +meralda.org, 1 +meraldamulder.com, 1 +meraldamulder.eu, 1 +meraldamulder.net, 1 +meraldamulder.org, 1 +meran.in, 1 +meransuedtirol.com, 1 +meravirsa.com, 1 +mercadobitcoin.com.br, 1 +mercadocampesino.com.co, 1 +mercadohype.tk, 1 +mercadoleal.com.br, 1 +mercadolibre.cl, 1 +mercadolibre.co.cr, 1 +mercadolibre.com.ar, 1 +mercadolibre.com.bo, 1 +mercadolibre.com.co, 1 +mercadolibre.com.do, 1 +mercadolibre.com.ec, 1 +mercadolibre.com.gt, 1 +mercadolibre.com.hn, 1 +mercadolibre.com.mx, 1 +mercadolibre.com.ni, 1 +mercadolibre.com.pa, 1 +mercadolibre.com.pe, 1 +mercadolibre.com.py, 1 +mercadolibre.com.sv, 1 +mercadolibre.com.uy, 1 +mercadolibre.com.ve, 1 +mercadolibrefz.tk, 1 +mercadolivre.com.br, 1 +mercadopago.cl, 0 +mercadopago.com, 1 +mercadopago.com.ar, 1 +mercadopago.com.br, 1 +mercadopago.com.co, 1 +mercadopago.com.ec, 1 +mercadopago.com.mx, 1 +mercadopago.com.pe, 1 +mercadopago.com.uy, 1 +mercadopago.com.ve, 1 +mercadoprop.la, 1 +mercanix.co.uk, 1 +mercatino-olomouc.cz, 1 +mercatinomusicale.com, 1 +mercatoitticosbt.it, 1 +mercedelectionsca.gov, 1 +mercedes-anciennes.fr, 1 +mercedes-benz-arena-stuttgart.de, 1 +mercedes-benz-kiev.com, 1 +mercedes-benz.art, 1 +mercedes-benz.com.py, 1 +mercelo.com, 1 +mercenaryvfx.com, 1 +mercercountyohio.gov, 1 +mercercountypa.gov, 1 +mercerisland.gov, 1 +merchant-portal.co.kr, 1 +merchantsbankofindiana.com, 0 +merchcity.com, 1 +merchentpro.biz, 1 +merchstudio.ru, 1 +merck-animal-health-usa.com, 1 +merco.com.au, 1 +mercode.eu.org, 1 +mercosuleditora.com.br, 1 +mercredifiction.io, 1 +mercure.dk, 1 +mercury-pool.com, 1 +mercury.com, 1 +mercury.foundation, 0 +mercury.photo, 1 +mercurycards.com, 1 +mercurysquad.tk, 1 +mercyseverity.tk, 1 +merelaager.ee, 1 +merelskleertjes.tk, 1 +merenbach.com, 1 +merenita.eu, 1 +merenita.net, 1 +merenita.nl, 1 +merezha.ua, 1 +mergegroup.com.au, 1 +mergellina.tk, 1 +meribook.com, 1 +meridanas.me, 1 +meridiangroup.ml, 1 +meridianmetals.com, 1 +meridianoshop.com.br, 1 +meridiansteel.co.uk, 1 +meridianstore.com.br, 1 +merikserver.tk, 1 +merionwest.com, 1 +merisia.ca, 1 +meritcb.eu, 1 +meritec.co.uk, 1 +meritsol.com, 1 +meritus.com.au, 1 +merkatal.com, 1 +merkattumaa.tk, 1 +merkchest.tk, 1 +merke.tk, 1 +merkel.me, 1 +merklin.gq, 1 +merlet.eu, 1 +merlin-memorial.de, 1 +merlin.dk, 1 +merlinnot.com, 1 +merlinsmagic.tk, 1 +merlinsoap.com, 1 +merloaded.rocks, 1 +mermakov.info, 1 +mernau.co, 1 +merojob.com, 1 +merpay.com, 1 +merrickcountyne.gov, 1 +merrillanwi.gov, 1 +merrimacwi.gov, 1 +merrison.uk, 1 +merrychristmas.ml, 1 +merryxmas2015.tk, 1 +mersa-co.ir, 1 +merson.org, 1 +merson.tv, 1 +merstham.cricket, 1 +mersthamcc.co.uk, 1 +mertak.cz, 1 +mertcangokgoz.com, 1 +mertuslu.com, 1 +meruhealth.com, 1 +mervart.co.uk, 1 +mervetekinmimarlikinsaat.com.tr, 1 +mervewear.com, 1 +merylholloway.com, 1 +merza.is, 1 +merzai.co.uk, 1 +mes-bouquins.fr, 1 +mes-courriers.fr, 1 +mes-finances.be, 1 +mes-vacances.tk, 1 +mes10doigts.ovh, 1 +mesaazpolice.gov, 1 +mesabi.ga, 1 +mesalancasterpa.gov, 1 +mesappros.com, 1 +mesasysillas.site, 1 +mesbonnesrecettes.com, 1 +mescadeaux.com, 1 +mescaline.com, 1 +mescaline.org, 1 +mescaline.uk, 1 +mescaline.wiki, 1 +mesdagh.be, 1 +mesec.cz, 1 +mesh.gov, 1 +meshachgt.com, 1 +meshdigital.io, 1 +meshekard.co.il, 1 +meshflow.be, 1 +meshflow.net, 1 +meshintranet.com, 1 +meshok.ru, 1 +meshotes.com, 1 +mesjumelles.fr, 1 +meskdeals.com, 1 +meskiukas.tk, 1 +meslekkursu.com, 1 +mesmer.tk, 1 +mesologie-soesterberg.nl, 1 +mesomeds.com, 1 +mesonandino.tk, 1 +mesondelcazador.com, 1 +mesos.cl, 1 +mesothelioma.com, 1 +mesotheliomacentre.tk, 1 +mesotheliomalawfirm-worldwide.tk, 1 +mesquitegcd.gov, 1 +mesquitelandscapeservices.com, 1 +messageclient.gq, 1 +messagely.com, 1 +messagescelestes-archives.ca, 1 +messagevortex.com, 1 +messagevortex.net, 1 +messaha.tk, 1 +messcoutsandguides.tk, 1 +messdorferfeld.de, 1 +messemakine.com, 1 +messen.tk, 1 +messenger.com, 0 +messengerkids.com, 1 +messengersofjoy.net, 1 +messengerupdate.com, 1 +messengerwebbrands.com, 1 +messengerwebdesign.com, 1 +messer24.ch, 1 +messerschmitt-kawasaki.de, 1 +messifan.tk, 1 +messinale.tk, 1 +messinatoday.it, 1 +messonline.tk, 1 +messure.ru, 1 +mestazitrka.cz, 1 +mestovpohybu.cz, 1 +mesuaferrea.com, 1 +mesutates.tk, 1 +mesvision.com, 1 +mesvt.com, 1 +meszlenyiattila.tk, 1 +meta-db.com, 1 +meta-word.com, 1 +meta.com, 1 +meta4.be, 1 +meta48.live, 1 +metaalshopper.nl, 1 +metablog.xyz, 1 +metabound.co.uk, 1 +metabox.io, 1 +metacareers.com, 1 +metachthonia.io, 1 +metaclays.io, 1 +metacoda.com, 1 +metacode.biz, 1 +metacompliance.com, 1 +metacortex.cf, 1 +metacred.com, 1 +metacritic.com, 1 +metadata.be, 1 +metadata.io, 1 +metadedi.net, 1 +metaether.net, 1 +metafiz.ml, 1 +metaformarketing.com, 1 +metagaming.tk, 1 +metaintro.net, 1 +metait.de, 1 +metaiverse.info, 1 +metakari.one, 1 +metal-madness.tk, 1 +metal-news.tk, 1 +metal-rock.tk, 1 +metalarea.ru, 1 +metalargentum.tk, 1 +metalbus.tk, 1 +metalcity.tk, 1 +metalcon.az, 1 +metalcorenews.ga, 1 +metalempire.tk, 1 +metaleonsociety.io, 0 +metalequipped.com, 1 +metalevolution.tk, 1 +metalgie.work, 1 +metalgoth.tk, 1 +metalhouse.tk, 1 +metaljournal.tk, 1 +metaljunkiez.com, 1 +metallbau-gehr.de, 1 +metallheads.tk, 1 +metallictrading.ga, 1 +metalliran.tk, 1 +metallization.tk, 1 +metallobaza.ml, 1 +metalloiskateli.com.ua, 1 +metallomania.it, 1 +metallosajding.ru, 1 +metallrecycling.org, 1 +metalmaniac.tk, 1 +metalmonocle.com, 0 +metalnight.tk, 1 +metalnivrati-iasenko.com, 1 +metalpesado.tk, 1 +metalsoviet.tk, 1 +metaltracks.tk, 1 +metalu.ch, 0 +metalunion.tk, 1 +metalwarrior.tk, 1 +metalweaverscreations.com, 1 +metalworkingexpo.com, 1 +metamorfosis.cf, 1 +metamorphouse.ch, 1 +metanoia8295.com, 1 +metanoiaphotography.com, 1 +metanomial.com, 1 +metanumbers.com, 1 +metapeen.nl, 1 +metaphilic.tk, 1 +metaprivatewealth.com, 0 +metapsychie.com, 1 +metapublic.com, 1 +metasearch.nl, 1 +metaskil.com, 1 +metasolutions.se, 1 +metasophi.com, 1 +metasquare.com.au, 1 +metasquare.nyc, 1 +metastasys.net, 1 +metasurfforecast.com, 1 +metasysteminfo.com, 1 +metaurl.io, 1 +metavr.ru, 1 +metaword.co.jp, 1 +metaword.com, 1 +metaword.net, 1 +metaword.org, 1 +metaximas-taverna.gr, 1 +metayou.gq, 1 +metcalfecountyky.gov, 1 +metebalci.com, 1 +meteo-parc.com, 1 +meteoabegondo.tk, 1 +meteobox.co, 1 +meteobox.com, 1 +meteobox.cz, 1 +meteobox.de, 1 +meteobox.es, 1 +meteobox.fr, 1 +meteobox.mx, 1 +meteobox.pl, 1 +meteobox.sk, 1 +meteobox.tk, 1 +meteocat.net, 1 +meteocuenca.tk, 1 +meteohuertamur.tk, 1 +meteonederbetuwe.nl, 1 +meteopievedicampo.ddns.net, 1 +meteoradar.ch, 1 +meteosat.tk, 1 +meteoweb.eu, 1 +meteowiki.tk, 1 +meter.md, 1 +meterhost.com, 1 +meterinsight.com, 1 +metex.exchange, 1 +metformin365.tk, 1 +methamphetamine.co.uk, 1 +method.com, 1 +methode.com, 1 +methodfactory.com, 1 +methodist.com.tr, 1 +methodprinting.com, 1 +methodsofcare.com, 1 +methotrexatee.gq, 1 +methotrexates.gq, 1 +methuen.gov, 1 +methusalem.tk, 1 +methwhore.date, 1 +methylone.com, 1 +metin2.community, 1 +metin2.download, 1 +metin2.top, 1 +metin2blog.de, 1 +metin2dev.org, 1 +metinarslanturk.com, 1 +metiz.site, 1 +metizsoft.com, 1 +metkos.pl, 1 +metkov.com.ua, 1 +metkovic-news.com, 1 +metmetfamily.fr, 1 +meto.eu.org, 0 +metodomontessoriano.com, 1 +metodosilvaniaderejuvenescimento.com, 1 +metop.de, 1 +metprint.hu, 1 +metradar.ch, 1 +metric.ai, 0 +metricmutt.com, 1 +metrika.ml, 1 +metriks.ru, 1 +metrix-money-ptc.com, 1 +metro-detroit.com, 1 +metro-vet.co.uk, 1 +metro-web.net, 1 +metroarchive.jp, 1 +metrobank.com.ph, 1 +metrobriefs.com, 0 +metrobus.co.uk, 1 +metrocraft2033.tk, 1 +metrodemaracaibo.tk, 1 +metrodemedellin.gov.co, 1 +metrofree.ga, 1 +metrohd.com, 1 +metroline.ml, 1 +metrolisboa.pt, 1 +metrolush.com, 1 +metromark.net, 1 +metron-eging.com, 1 +metron-networks.com, 1 +metron-online.com, 1 +metron.mv, 1 +metronidazolee.gq, 1 +metronik.it, 1 +metronome.ga, 1 +metroparks.net, 1 +metrophone.vn, 1 +metroplanorlando.gov, 1 +metroplex.me, 1 +metropole.com.au, 1 +metropolis.ga, 1 +metropolis5000.tk, 1 +metropolisdawn.de, 1 +metropolisdawn.net, 1 +metropolisil.gov, 1 +metroproductiongroup.com, 1 +metrorealestatepros.com, 0 +metrothessalonikis.tk, 1 +metroval.tk, 1 +metroymca.org, 1 +metrss.com, 1 +metrss.eu, 1 +metrss.net, 1 +metsasta.com, 1 +metsosivut.fi, 1 +metspoedbeschikbaar.nl, 1 +mettelenejohansson.dk, 1 +mettin.org, 1 +metu.social, 1 +metver.tk, 1 +metyweb.ga, 0 +metzgermark.com, 1 +meuautotrac.com.br, 1 +meubanco7.com.br, 1 +meubebepa.com.br, 1 +meublesrosa.be, 1 +meuemby.com, 1 +meugamer.com, 1 +meugibi.com, 1 +meulenerkes.tk, 1 +meulivro.biz, 1 +meulk.co.uk, 1 +meulocal.ml, 1 +meuneneoficial.com.br, 1 +meupatrocinio.com, 1 +meurisse.org, 1 +meusartis.ca, 1 +meuscabeloscacheados.com.br, 1 +meusextosentido.com, 1 +meusucesso.com, 1 +meutia.net, 1 +mevanshop.com, 1 +mevaturizm.com.tr, 1 +meveydesign.tk, 1 +mevissenpsychotrauma.nl, 1 +mevrouwtjepeper.nl, 0 +mevsalud.cl, 1 +mew.build, 1 +mew.vn, 1 +mex-it-up.com, 1 +mexaliu.ml, 1 +mexby.com, 1 +mexicankrill.com, 1 +mexico.rs, 1 +mexico.sh, 1 +mexicobeachfl.gov, 1 +mexicocsd.gov, 1 +mexicodental.co, 1 +mexicojetcharter.com, 1 +mexicom.org, 1 +mexicosrit.tk, 1 +mexior.nl, 1 +mexiquilanj.com, 1 +mexticket.com, 1 +meyafloors.com, 1 +meyateks.com, 1 +meydan.tv, 1 +meyer-horn.de, 1 +meyeraviation.com, 1 +meyersconstructionandconsulting.com, 1 +meypell.com, 1 +meyrawinkel.nl, 1 +meys.io, 1 +mezcal.amsterdam, 1 +mezedokamomata.tk, 1 +meziblog.cz, 1 +mezinfo.tk, 1 +mezio.pt, 1 +mezquetillas.tk, 1 +mezzanine.net, 1 +mezzehuis.be, 1 +mezzoettaro.it, 1 +mf-fischer.de, 1 +mf-natuurfotografie.nl, 1 +mf.me, 1 +mfa.tw, 1 +mfactory.ca, 1 +mfamonitor.com, 1 +mfatravaux.fr, 1 +mfavis.com, 1 +mfcentral.com, 1 +mfdy66.com, 1 +mfedderke.com, 0 +mfen.de, 1 +mfg-fx.com, 1 +mfgo.link, 1 +mfgusa.com, 1 +mfiles.pl, 1 +mfinanse.pl, 1 +mfischer-it.de, 0 +mfits.co.uk, 1 +mflodin.se, 1 +mfmarquesantos.pt, 1 +mfoda-eg.com, 1 +mforum.com.au, 1 +mfotel.pl, 1 +mfpccprod.com, 1 +mfr-lameignanne.fr, 1 +mfrepair.com, 1 +mft-license.com, 1 +mft.global, 1 +mfxbe.de, 0 +mfxer.com, 1 +mfxm.fr, 1 +mfyy123.com, 1 +mg-case.com, 1 +mgaconsulting.org.uk, 1 +mgae.com, 1 +mgaroz.pro, 1 +mgatreeservices.com, 1 +mgc.com.tr, 1 +mgclercoh.gov, 1 +mgcs.org, 1 +mgdigitalmarketing.com.au, 1 +mgf.mx, 1 +mgfashion.ae, 1 +mgfgroup.ca, 1 +mgfgroup.com, 1 +mgfgroup.mx, 1 +mgfgroup.us, 1 +mgfnow.com, 1 +mgfpatrimoine.com, 1 +mghiorzi.com.ar, 0 +mghw.ch, 1 +mgi.gov, 1 +mgic.com, 1 +mgientertainment.com, 1 +mgis.com, 1 +mgkl.ru, 1 +mgknet.com, 1 +mgldiffusion.fr, 1 +mglobalservices.com, 1 +mgmd.org, 1 +mgmeet.com, 1 +mgmpic.com, 1 +mgmultiservicessrl.it, 1 +mgo-ostenfelde.tk, 1 +mgonline.tk, 1 +mgousse.tk, 1 +mgr-dev.tech, 1 +mgrcred.online, 1 +mgriff.id.au, 1 +mgrossklaus.de, 0 +mgrt.net, 1 +mgsdb.com, 1 +mgsisk.com, 1 +mgtbaas.eu, 1 +mgvideo.com.au, 1 +mh-cdn.de, 1 +mh-hannover.de, 0 +mh.com.fj, 1 +mh2.in, 1 +mha.fi, 1 +mhabdullah.tk, 1 +mhadegree.org, 1 +mhadot.com, 1 +mhainfantandtoddler.com, 1 +mhalfter.de, 1 +mhammerbacher.me, 1 +mhand.org, 1 +mhasika.tk, 1 +mhastey.com, 1 +mhatlaw.com, 1 +mhcdesignstudio.com, 1 +mheistermann.de, 1 +mhermans.nl, 1 +mhf.gc.ca, 1 +mhg-platform.com, 1 +mhgeay.fr, 1 +mhginsurance.com, 1 +mhh.de, 0 +mhi.com, 1 +mhi.web.id, 1 +mhiler.com, 1 +mhilger.de, 1 +mhjuma.com, 1 +mhmfoundationrepair.com, 1 +mhonline.fr, 1 +mhtdesign.net, 1 +mhuig.top, 1 +mhurologytriad.org, 1 +mi-amigo.tk, 1 +mi-beratung.de, 1 +mi-ras.ru, 1 +mi.ras.ru, 1 +mi.sc, 1 +mi1k.cn, 1 +mi80.com, 1 +mia-manager.dk, 1 +mia.gent, 1 +mia.tw, 0 +mia3d.fr, 1 +miaadler.net, 1 +miaairportvillas.com, 1 +miability.com, 1 +miablow.net, 1 +miacuario.cl, 1 +miadennees.com, 1 +miagentemicasa.com, 1 +miagexport.com, 1 +miah.top, 1 +miaha.ch, 1 +mialma.live, 1 +miami.gov, 1 +miamibeachcommunitychurch.com, 1 +miamicountyohioauditor.gov, 1 +miamidadeclerk.gov, 1 +miamifl.casa, 1 +miamifl.homes, 1 +mianbao.ga, 1 +mianfei.us, 1 +miankamran.tk, 1 +mianra.ddns.net, 1 +miao.team, 1 +miaoft.com, 0 +miaovps.com, 0 +miaowo.org, 1 +miap.eu, 1 +miarecki.eu, 1 +miartwalk.com, 1 +miasarafina.de, 1 +miasegurado.com, 1 +miasma.tk, 1 +miasonne.com, 1 +miatabox.com, 1 +miatfactory.be, 1 +miatgent.be, 1 +miathepintzu.com, 1 +miavierra.org, 1 +miaw.ooo, 1 +mibaso.com, 1 +mibeneficio.cl, 1 +mibh.de, 1 +miboulot.com, 1 +mibuiin.com, 1 +mica-zeitz.de, 1 +mica.ml, 1 +micado-software.com, 1 +micah.soy, 1 +micamisetaestampada.com, 1 +micanetic.com, 1 +micareklamajansi.com, 1 +micasayestilo.com, 1 +micase.info, 1 +micatalogo.club, 1 +micay.ca, 1 +micbase.com, 1 +miccaldo.tk, 1 +miccgolf.com, 1 +miccomi.com, 1 +micdagostini.com, 1 +michadenheijer.com, 1 +michael-glaser.de, 1 +michael-hess.com, 1 +michael-r.ddns.net, 1 +michael-r.dynv6.net, 1 +michael-rigart.be, 1 +michael-schefczyk.de, 1 +michael-schilling.de, 0 +michael-simon.de, 1 +michael-steinhauer.eu, 1 +michael.band, 1 +michael.com, 1 +michael.ie.eu.org, 1 +michael.zone, 1 +michaelabbas.tk, 1 +michaelamead.com, 1 +michaelasawyer.com, 1 +michaelband.co, 1 +michaelband.com, 1 +michaelbeer.co.uk, 1 +michaelbondar.tk, 1 +michaelboogerd.tk, 1 +michaelcailloux.com, 1 +michaelcassar.com, 1 +michaelcrane.live, 1 +michaeldancot.com, 1 +michaeldjoseph.com, 1 +michaeleisen.org, 1 +michaelessek.com, 1 +michaelfoods.com, 1 +michaelglaser.de, 1 +michaelgroves.tk, 1 +michaelgwynn.tk, 1 +michaelhastrich.nl, 1 +michaelhayes.tk, 1 +michaelhebblethwaite.com, 1 +michaelholidaybooks.com, 1 +michaeliannetta.tk, 1 +michaeliscorporation.com, 1 +michaelismold.com, 1 +michaelizquierdo.com, 1 +michaeljames.com.au, 1 +michaeljdennis.com, 0 +michaeljohnsrestaurant.com, 1 +michaelkennedy.ie, 1 +michaelkiske.tk, 1 +michaelkleinert.de, 1 +michaelklos.nl, 1 +michaelkorsgill.tk, 1 +michaelkuehn.tk, 1 +michaell.io, 1 +michaelleibundgut.com, 1 +michaelliunsky.cn, 1 +michaelloveys.com, 1 +michaeln.net, 1 +michaelolson.blog, 1 +michaelpelletterie.it, 1 +michaelpfrommer.de, 1 +michaelpfrommer.pub, 1 +michaelpmullally.com, 1 +michaelrigart.be, 1 +michaelschmidt.ch, 1 +michaelschubert.com, 0 +michaelschule-rheine.de, 1 +michaelsnoeren.nl, 0 +michaelstoffer.com, 1 +michaeltaboada.me, 1 +michaeltittes.de, 1 +michaeltruskowski.com, 1 +michaelvician.me, 0 +michaelwermeester.com, 1 +michaelwmckinney.com, 1 +michaelworth.au, 1 +michal-klabnik.com, 1 +michal-klabnik.cz, 1 +michal-spacek.com, 1 +michal-spacek.cz, 1 +michalchomo.eu, 1 +michaldudek.it, 1 +michalinastrzyz.xyz, 1 +michalis.xyz, 1 +michalklabnik.com, 1 +michalklabnik.cz, 1 +michalkral.tk, 1 +michalkunicki.pl, 1 +michalmlozniak.com, 1 +michalpodraza.pl, 1 +michalspacek.com, 1 +michalspacek.cz, 1 +michalstepar.cz, 1 +michalszotkowski.cz, 1 +michalwiglasz.cz, 1 +michaonline.de, 1 +micharts.biz, 1 +michasfahrschule.com, 1 +michel-cloud.de, 1 +michel-kratochvil.tk, 1 +michel-pilaert.coach, 1 +michel-wein.de, 1 +micheladisavino.tk, 1 +michelangelo1978.com, 1 +michelangelofoundation.org, 1 +michelbenita.com, 1 +michelcoumes.com, 1 +micheldoultremont.com, 1 +michele.ga, 1 +michelegreenmd.com, 1 +michelgolfier.ml, 1 +michelinb2b.com, 1 +michelinmedia.com, 1 +michelkok.tk, 1 +michellavat.com, 1 +michelledonelan.co.uk, 0 +michellelowery.com, 1 +michelletmc.com, 1 +michelletrachtenberg.tk, 1 +michelskovbo.dk, 1 +micheltronchetti.fr, 1 +michelwolf.ch, 1 +michey.tk, 1 +michielbijland.nl, 1 +michielskleding.be, 1 +michielvanfastenhout.nl, 1 +michielwalrave.tk, 1 +michig.tk, 1 +michiganacousticneuroma.com, 1 +michiganautolaw.com, 1 +michiganearhearing.com, 1 +michiganhealth.tk, 1 +michiganrebates.com, 1 +michigantestingairbalancing.com, 1 +michilaw.com, 1 +michmexguides.com.mx, 1 +michu-it.com, 1 +michu.pl, 1 +mick.au, 1 +mickael.org, 1 +mickaelbonnard.fr, 1 +mickel.tk, 1 +mickelvaessen.com, 1 +mickey-krasilnikov.com, 1 +mickeyspizzalincolnpark.com, 1 +mickybottenberg.com, 1 +mickyfanclub.tk, 1 +micled.com, 1 +micled.net, 1 +micled.org, 1 +micluz.shop, 1 +micoff.tk, 1 +micolab.com, 1 +micompa.co, 1 +micon.ro, 1 +micospa.gq, 1 +micourt.gov, 1 +micr0lab.org, 1 +micra.org.uk, 1 +micrm.vn, 1 +micro-credit.tk, 1 +microbiologist.tk, 1 +microbiologyinfo.com, 1 +microbiota-insect-vectors.group, 1 +microbiote-insectes-vecteurs.group, 1 +microbird.club, 1 +microblink.com, 1 +microcert.cn, 1 +microchains.network, 1 +microcomploja.com.br, 1 +microcosm.com, 1 +microdata.es, 1 +microdesic.com, 1 +microdot.fr, 1 +microdots.de, 1 +microdrive.pt, 1 +microferma.site, 1 +microfinance-crimea.ru, 0 +microfusa.com, 1 +microgroove.jp, 1 +microhydrony.org, 1 +microjovem.pt, 1 +microl.ink, 1 +microland.one, 1 +microloan.pk, 1 +microlog-online.de, 1 +microlog.org, 1 +micromagic.fi, 1 +micromaid.cf, 1 +micromata.de, 1 +micromicro.cc, 1 +micronotfound.gq, 1 +micropigmentacaobh.com.br, 1 +micropigmentadordesucesso.com, 1 +micropigpets.com, 1 +microsoft, 1 +microsoftedgeinsider.com, 1 +microtel2notch.tk, 1 +microtube.tk, 1 +microvb.com, 1 +microwesen.de, 1 +microworkers.com, 1 +microzubr.com, 1 +micruity.com, 1 +mics-notrack.com, 1 +micsell.com, 1 +micsoft.gq, 1 +miculturaservicios.gob.do, 1 +micxel.com.au, 1 +midaero.co.uk, 1 +midair.io, 1 +midam.sk, 1 +midamericapiering.com, 1 +midasauctions.com, 1 +midasbay-free.ml, 1 +midcarolinaregionalairport.com, 1 +midcarolinaregionalairport.org, 1 +midcolumbiainsurance.com, 1 +middag.com.br, 1 +middelstaedt.com, 1 +middle-way.de, 1 +middleboroughma.gov, 1 +middleeasy.com, 1 +middlesbroughmoneyman.com, 1 +middlesexpolicenc.gov, 1 +middlesexwoodpigeonclub.co.uk, 1 +middletonshoppingcentre.co.uk, 1 +middletowndelcopa.gov, 1 +middletownny.gov, 1 +middletownri.gov, 1 +middleware.services, 1 +mide.gob.do, 1 +midea.kg, 1 +mideo.tk, 1 +midesa.eu, 1 +midesa.it, 1 +midgawash.com, 1 +midi-coquillages.com, 1 +midi-olympique.fr, 1 +midia.tk, 1 +midiaid.de, 0 +midial.cz, 1 +midiet.co.za, 1 +midilibre.fr, 1 +midislandrealty.com, 0 +midkam.ca, 1 +midlandcountymi.gov, 1 +midlandsfundays.co.uk, 1 +midlandslotus.co.uk, 1 +midlandsphotobooths.co.uk, 1 +midmichiganasphaltpaving.com, 1 +midnight-gaming-community.tk, 1 +midnightmango.co.uk, 1 +midnightmechanism.com, 1 +mido.ga, 1 +mido4link.tk, 1 +midohiowsd.gov, 1 +midos.house, 1 +midpss.lt, 1 +midrange.com, 1 +midress.club, 1 +midrra.com, 1 +midspace.co.uk, 1 +midspss.lt, 1 +midstatebasement.com, 1 +midterm.us, 1 +midtownflooring.ca, 1 +midtownsmilesdentalcare.com, 1 +midville-ga.gov, 1 +midwaycitysanitaryca.gov, 1 +midwayrecovery.com, 1 +midwest-hidta.gov, 1 +midwest737simulations.com, 1 +midwestbloggers.org, 1 +midwestdfe.com, 1 +midwestinjurylawyers.com, 1 +midwestragdolls.com, 1 +midwestrecyclingcorp.com, 1 +midwife360.com, 1 +midwifeschooling.com, 1 +midyatotantik.tk, 0 +midyefilesi.com.tr, 1 +miedge.net, 1 +miegl.com, 1 +miegl.cz, 1 +mielboreal.com, 0 +mieldemexico.us, 1 +mielelpinsapar.com, 0 +mielke-it.ch, 1 +miem.us, 1 +miembarcacion.com, 1 +miemus.eu, 1 +mieresabadus.ro, 1 +mierloiu.ro, 1 +miesmuschel.tk, 1 +mieszkania-wroclaw.tk, 1 +mieterschutzkartei.de, 1 +mietwohnungen-vermietung.com, 1 +mieuxgrandir.ch, 0 +mifacturabolivia.com, 1 +mifflincountypa.gov, 1 +miffy.me, 1 +mifirm.net, 0 +miftahulteknik.com, 1 +mig5.net, 1 +mig81.com, 1 +migg.it, 1 +miggy.org, 1 +mighit.ml, 1 +mightycause.com, 1 +mightyfive.tk, 1 +mightyjo.org, 1 +mightytext-ios.tk, 1 +mightytips.biz, 1 +mightytips.com.br, 1 +mightytips.hu, 1 +migliorailtuoambiente.it, 1 +miglioricasinoonline.info, 1 +migliorisitiincontri.it, 1 +mignet.io, 1 +mignonne.com, 1 +mignonneapi.com, 1 +migrafill.net, 1 +migraine-en-werk.nl, 1 +migrainereliefplan.com, 1 +migrantskillsregister.org.uk, 1 +migrantworker.gov, 1 +migraplus.ru, 1 +migratiolex.com, 1 +migrations.tk, 1 +migrinfo.fr, 1 +miguel-platteel.fr, 1 +miguel.pw, 1 +miguelalonso.tk, 1 +miguelangeljulvez.com, 1 +miguelcollections.com, 1 +miguelcolmenares.com, 1 +migueldemoura.com, 1 +migueldominguez.ch, 0 +miguelgfierro.com, 0 +miguelito.tk, 1 +miguelmenendez.pro, 1 +miguelmoura.com, 1 +migueloblitas.tk, 1 +miguelpallardo.tk, 1 +miguia.tv, 1 +mihaiordean.com, 1 +mihaiturcu.ninja, 1 +mihalgrameno.ml, 1 +mihalicka.com, 1 +mihanwebtest.tk, 1 +miharu.moe, 1 +mihaylov.tk, 1 +mihgroup.eu.org, 1 +mihgroup.net, 1 +mihir.ch, 1 +mihirsingh.com, 1 +mihnea.net, 1 +mihu233.com.cn, 1 +miih-kiosk.com, 1 +miimhort.com, 1 +miisy.com, 1 +miisy.eu, 1 +miisy.me, 1 +miit-informain.pt, 1 +mija-fotografie.de, 1 +mijam.xyz, 1 +mijlanduitvaartzorg.nl, 1 +mijn-maagband.tk, 1 +mijnafspraak.nl, 1 +mijnblog.nl, 1 +mijncloud.space, 1 +mijndiad.com, 1 +mijndiad.nl, 1 +mijnejk.nl, 1 +mijnenergiemissie.nl, 1 +mijnetz.nl, 1 +mijngeldcoach.nl, 1 +mijngent.be, 1 +mijnhosting.org, 0 +mijnkantoor.net, 1 +mijnkerstkaarten.be, 1 +mijnkwadraad.nl, 1 +mijnmedirisk.nl, 1 +mijnnaamdag.nl, 1 +mijnonesie.nl, 1 +mijnrecepten.be, 1 +mijnrecepten.com, 1 +mijnrecepten.eu, 1 +mijnrecepten.nl, 1 +mijnreisoverzicht.nl, 1 +mijnsite.ovh, 1 +mijnstembureau-aaenhunze.nl, 1 +mijnstembureau-almere.nl, 1 +mijnstembureau-alphen-chaam.nl, 1 +mijnstembureau-amersfoort.nl, 1 +mijnstembureau-amsterdam.nl, 1 +mijnstembureau-baarle-nassau.nl, 1 +mijnstembureau-beek.nl, 1 +mijnstembureau-beuningen.nl, 1 +mijnstembureau-boekel.nl, 1 +mijnstembureau-coevorden.nl, 1 +mijnstembureau-denhelder.nl, 1 +mijnstembureau-dijkenwaard.nl, 1 +mijnstembureau-enschede.nl, 1 +mijnstembureau-geldrop-mierlo.nl, 1 +mijnstembureau-gilzerijen.nl, 1 +mijnstembureau-goirle.nl, 1 +mijnstembureau-groningen.nl, 1 +mijnstembureau-haarlemmermeer.nl, 1 +mijnstembureau-harderwijk.nl, 1 +mijnstembureau-helmond.nl, 1 +mijnstembureau-hilvarenbeek.nl, 1 +mijnstembureau-hollandskroon.nl, 1 +mijnstembureau-kerkrade.nl, 1 +mijnstembureau-koggenland.nl, 1 +mijnstembureau-leiden.nl, 1 +mijnstembureau-leiderdorp.nl, 1 +mijnstembureau-loonopzand.nl, 1 +mijnstembureau-losser.nl, 1 +mijnstembureau-midden-groningen.nl, 1 +mijnstembureau-molenlanden.nl, 1 +mijnstembureau-oisterwijk.nl, 1 +mijnstembureau-oosterhout.nl, 1 +mijnstembureau-pekela.nl, 1 +mijnstembureau-rijssen-holten.nl, 1 +mijnstembureau-s-hertogenbosch.nl, 1 +mijnstembureau-schagen.nl, 1 +mijnstembureau-staphorst.nl, 1 +mijnstembureau-steenbergen.nl, 1 +mijnstembureau-tynaarlo.nl, 1 +mijnstembureau-utrecht.nl, 1 +mijnstembureau-veendam.nl, 1 +mijnstembureau-waadhoeke.nl, 1 +mijnstembureau-waalre.nl, 1 +mijnstembureau-weert.nl, 1 +mijnstembureau-westerwolde.nl, 1 +mijnstembureau-wierden.nl, 1 +mijnstembureau-woensdrecht.nl, 1 +mijnstembureau-zoetermeer.nl, 1 +mijnstembureau-zundert.nl, 1 +mijnstembureau-zwijndrecht.nl, 1 +mijnstembureau.nl, 1 +mijntelefoonboek.com, 1 +mijntransacties.nl, 0 +mijnvogaanvraag.nl, 1 +mijnwefact.nl, 1 +mika.moe, 1 +mikado-rybak.ru, 1 +mikadoe.nl, 1 +mikaelf.com, 0 +mikaeljansson.net, 1 +mikaelk.tk, 1 +mikaelkulig.com, 1 +mikaila.tk, 1 +mikakalathil.ca, 1 +mikakalevi.com, 1 +mikaknuutila.com, 1 +mikaknuutila.fi, 1 +mikaknuutila.photography, 1 +mikalikes.men, 1 +mikanakashima.com, 1 +mike-bland.com, 1 +mike-burns.com, 1 +mike-et-pascale-sanger.com, 1 +mikeandemily.duckdns.org, 1 +mikeblog.site, 1 +mikebolynnbuilders.com, 1 +mikeburns.tk, 1 +mikecapson.com, 0 +mikecb.org, 1 +mikechasejr.tk, 1 +mikegao.org, 1 +mikegerwitz.com, 1 +mikeguy.co.uk, 1 +mikehamburg.com, 1 +mikeklidjian.com, 1 +mikekreuzer.com, 1 +mikelawson.com, 1 +mikelpradera.tk, 1 +mikelundpainting.com, 1 +mikemcgeephotography.com, 1 +mikemooresales.com, 1 +mikeowens.us, 1 +mikeprocopio.com, 1 +mikerichards.email, 0 +mikerichards.gallery, 0 +mikerichards.photography, 0 +mikerichards.photos, 0 +mikerichards.pictures, 0 +mikerichardsphotography.com, 0 +mikeschaffnerphotography.com, 1 +mikesplumbingswfl.com, 0 +mikesystems.tk, 1 +miketabor.com, 1 +miketheuer.com, 1 +mikethiessen.net, 1 +mikevesch.com, 1 +mikewestonline.com, 1 +mikewieland.ch, 1 +mikewillia.ms, 1 +mikewrites.online, 1 +mikeybot.com, 1 +mikeylab.com, 1 +mikeyroxtravels.com, 1 +mikhail-youzhny.tk, 1 +mikhailkolesnikov.tk, 1 +mikhalt.tk, 1 +mikhirev.ru, 1 +mikhlevich.ru, 1 +miki-boras.de, 1 +miki.community, 1 +miki.it, 1 +mikiclinic-sendai.com, 1 +mikino.cf, 1 +mikino.ga, 1 +mikino.gq, 1 +mikino.ml, 1 +mikkei.space, 1 +mikkel.cc, 1 +mikkelladegaard.dk, 0 +mikkelscheike.com, 1 +mikkelvej.dk, 1 +mikkohuupponen.com, 1 +mikkonen.bio, 1 +mikkonen.com, 1 +miklcct.com, 1 +miklima.pl, 1 +mikodojo.tk, 1 +mikonmaa.fi, 1 +mikori.sk, 1 +mikorrhiza-gomba.hu, 1 +mikos.tk, 1 +mikoulloa.com, 1 +mikper.com, 1 +mikrokosmos.tk, 1 +mikropixel.de, 1 +mikrotech.co.za, 1 +mikrothink.com, 1 +mikrotike.tk, 1 +mikrozajmy-na-kartu.cf, 1 +miku-doujin.com, 1 +miku.cloud, 1 +miku.party, 1 +miku.tips, 1 +mikumiku.stream, 1 +mikunosworld.com, 1 +mikusa.xyz, 1 +mikysgrill.it, 1 +mil-spec.ch, 0 +mil.ee, 0 +mil0.com, 1 +milacronindia.com, 1 +milaelaine.net, 1 +milagrotequila.com, 1 +milahendri.com, 1 +milakirschner.de, 1 +milan-news.ml, 1 +milaneziadvocacia.com, 1 +milani.io, 1 +milania.de, 1 +milanm.org, 1 +milanmi.gov, 1 +milano-web.it, 1 +milanoclownfestival.tk, 1 +milanodigitalweek.com, 1 +milanotoday.it, 1 +milanow67.ml, 1 +milanpala.cz, 0 +milanstephan.de, 0 +milanvit.net, 1 +milanvreeken.nl, 1 +milapopovich.com, 1 +milasescmagazin.tk, 1 +milatlumaczenia.pl, 1 +milavica.tk, 1 +milavicca.tk, 1 +milbournequine.co.uk, 1 +milcahsmusings.com, 1 +milchweg.com, 1 +milcrofton.gov, 1 +mildridesua.com, 1 +mile6.com, 1 +milehighmedia.com, 1 +mileme.com, 1 +milenaria.es, 1 +mileonapp.com, 1 +miles-and-more-kreditkarte.com, 0 +milesaddict.com, 1 +milesapart.dating, 1 +milescitymt.gov, 1 +milesconsulting.io, 1 +milesdewitt.com, 1 +milestonehotel.com, 1 +milestonemachine.com, 1 +milestonephysicaltherapy.ca, 1 +miletic.net, 1 +mileyweasel.de, 1 +milfanaltube.com, 1 +milfbank.com, 1 +milfed.com, 1 +milfedin.com, 1 +milfgalleries.com, 1 +milfhunter.com, 1 +milfmoms.tv, 1 +milfordfiremi.gov, 1 +milfordtwpmi.gov, 1 +milfporn.tv, 1 +milfpornograph.com, 1 +milfsection.com, 1 +milhistwiki.tk, 1 +milhoazul.com.br, 1 +miliodemendralejo.tk, 1 +militaria.hu, 1 +military-equipment.tk, 1 +military-veteran.com, 1 +militaryaviationsafety.gov, 1 +militaryconsumer.gov, 1 +militaryfetish.tk, 1 +militaryonesource.mil, 1 +militarypumps.com, 1 +militarysrit.tk, 1 +miliumnet.tk, 1 +milivcounty.gov, 1 +milk.games, 1 +milkaalpesiutazas.hu, 1 +milkacat.com, 1 +milkagyengedseg.hu, 1 +milkaholic.ml, 1 +milkameglepetes.hu, 1 +milkbarncreamery.com, 1 +milkice.me, 1 +milkingit.net, 1 +milkingmachine.tk, 1 +milkmoovement.io, 1 +milkopet.com, 1 +milktea.info, 0 +milkteacant.com, 1 +milkwoodrestaurant.com, 0 +milkyperu.com, 1 +milkypond.org, 1 +milkywan.fr, 1 +milladeo.tk, 1 +millalex.com, 1 +millant.ovh, 1 +millasexshopoficial.com.br, 1 +millburyma.gov, 1 +millcreekut.gov, 1 +millcreekwa.gov, 1 +millefleurs.eu, 1 +millennialbella.net, 1 +millennium-thisiswhoweare.net, 1 +millenniumfalcon.org, 1 +millenniumhotels.com, 1 +millenniumweb.com, 0 +miller-alex.de, 1 +miller-shop.cf, 1 +milleralarms.co.uk, 1 +millerandzois.com, 1 +millercountyga.gov, 1 +millercountymo.gov, 1 +millerfabricationsolutions.com, 1 +millerfamilyfarmtx.com, 1 +millermotorswestbank.com, 1 +milleron.net, 1 +milleron.xyz, 1 +millesime-communication.fr, 1 +millettable.com, 1 +millhill.org.uk, 1 +millhousen.tech, 1 +milliarden-liste.de, 1 +millibirlik.tk, 1 +millibitcoin.jp, 1 +milliecdn.com, 1 +milliegrace.org, 1 +millikart.az, 1 +millionaireclub.tk, 1 +millionairemethodsacademy.tk, 1 +millionairessecrets.com, 1 +millioncloud.org, 1 +millioncombolist.tk, 1 +milliongrounds.com, 1 +millionlearn.org, 1 +millionmakers.com, 1 +millionseha.com, 1 +millistice.com, 1 +millistream.com, 1 +millix.com, 1 +millnet.cloud, 1 +millonario.tk, 1 +millscountyiowa.gov, 1 +millscountytx.gov, 1 +millsidecentre.org, 1 +milltime.se, 1 +millwooddentalcentre.com, 1 +millwoodwa.gov, 1 +milmesetas.com, 1 +milmiedos.tk, 1 +milmmed.ru, 1 +milnerga.gov, 1 +milodistradfallning.com, 1 +milomedia.net, 1 +milor.nl, 1 +milosguide.dk, 1 +milpitas.gov, 1 +milr.dk, 1 +miltau.de, 1 +miltonga.gov, 1 +miltontwpmi.gov, 1 +miltor.by, 1 +miltor.com.ua, 1 +miltor.ru, 1 +miluneetsens.fr, 1 +milvilla.com, 1 +milvus.com.br, 1 +milwaukee-webdesigner.com, 1 +milwaukeecreative.com, 1 +milwaukeeinternational.tk, 1 +milwaukeetool.eu, 1 +mim-standaard.nl, 1 +mim.am, 1 +mim.properties, 1 +mimamau.de, 1 +mimavision.ddns.net, 1 +mimemo.io, 1 +mimemoriadepez.com, 1 +mimeo.digital, 1 +mimercadillo.tk, 1 +mimgnj.com, 1 +mimikov.cz, 1 +mimithedog.com, 1 +mimm.gov, 1 +mimocad.io, 1 +mimoesthetic.com, 1 +mimonia.cf, 1 +mimonia.ga, 1 +mimonia.gq, 1 +mimorin.tk, 1 +mimovrste.com, 1 +mimoza.tk, 1 +mimscellaneous.com, 1 +mimumimu.net, 1 +mimundodxn.com, 1 +mimusic.cf, 1 +min-forsyning.dk, 1 +min.io, 1 +min.kiwi, 0 +min2.ru, 1 +minacssas.com, 1 +minademonic.org, 1 +minaio.tk, 1 +minakov.pro, 1 +minamassimo.org, 1 +minamisouma-furusato.jp, 1 +minamo.io, 1 +minantavla.se, 0 +minapan.ro, 1 +minapin.com, 1 +minaprine.com, 1 +minasfor.com.br, 1 +minatokucarpet.com, 1 +minced.cf, 1 +minclaw.com, 1 +mincom.ga, 1 +mind-books.gq, 1 +mind-box.ch, 0 +mind-drama.com, 1 +mind-farma.com, 1 +mind-hochschul-netzwerk.de, 1 +mind-media.com, 1 +mind-moves.es, 1 +mindandfull.ga, 1 +mindask.tk, 1 +mindblown.pl, 1 +mindbounce.com, 1 +mindbox.cat, 1 +mindbuild.com, 1 +mindcms.nl, 1 +mindcoding.ro, 1 +mindcraft.ga, 1 +minddistortion.tk, 1 +minddrive.cf, 1 +mindeasy.co.nz, 1 +mindenitt.ga, 1 +mindequityinternational.com, 1 +mindera.com, 0 +mindfab.de, 1 +mindfactory.de, 1 +mindflowmarketing.com, 1 +mindfulnessjourney.ca, 1 +mindhand.com, 1 +mindjee.tk, 1 +mindleaking.org, 1 +mindmax.fi, 1 +mindmeister.com, 1 +mindmusic.online, 1 +mindmynature.com, 1 +mindomo.com, 1 +mindonmymoney.nl, 1 +mindox.com.br, 1 +mindprod.com, 1 +mindrepair.net, 1 +mindresti.tk, 1 +mindrnd.com, 1 +mindscapephotos.de, 1 +mindset-energie.ch, 1 +mindsight.com.br, 1 +mindspliteffect.tk, 1 +mindstream.one, 1 +mindthe5.com, 1 +mindthe5.org, 1 +mindtherock.com, 1 +mindtickle.com, 1 +mindvsmind.tk, 1 +mindwork.space, 1 +mindywalker.co, 1 +mine-craftlife.com, 1 +mine-pixl.de, 1 +mine-temoin.fr, 1 +mine260309.me, 0 +minebbs.com, 1 +minebitcoin.tk, 1 +minecity.fun, 1 +minecraft-forum.eu, 1 +minecraft-game.ga, 1 +minecraft-server.eu, 1 +minecraft.buzz, 1 +minecraft.com.br, 1 +minecraft.social, 1 +minecraft.vip, 1 +minecraft.wiki, 1 +minecraftbestroyale.gq, 1 +minecraftdolarcube.gq, 1 +minecrafteasy.gq, 1 +minecraften.net, 0 +minecraftforever.tk, 1 +minecraftforum.de, 1 +minecraftforum.fun, 1 +minecraftforum.ovh, 1 +minecraftgoldwar.tk, 1 +minecraftgta5.ml, 1 +minecraftjustone.ga, 1 +minecraftnewserie.tk, 1 +minecraftonlinesfull.tk, 1 +minecraftrealgold.gq, 1 +minecraftrealgold.ml, 1 +minecraftruns.ml, 1 +minecrafts.gq, 1 +minecraftstal.com, 1 +minecraftwin.gq, 1 +minecraftx.ml, 1 +minefields.tk, 1 +minefort.com, 1 +minehash.tk, 1 +minehattan.de, 1 +minelands.ml, 1 +minelight.ml, 1 +minelucky.net, 1 +minenash.com, 1 +minepack.net, 1 +mineralnibani.bg, 1 +minered.org, 1 +minerstat.com, 1 +minersvillepa.gov, 1 +minerva2015.it, 1 +minervaaschools.com, 1 +minervabi.com, 1 +minervacars.com, 1 +mines-stetienne.fr, 1 +minesouls.fr, 1 +minestealth.xyz, 1 +minestory.cf, 1 +minesweepergame.de, 1 +minetracker.dk, 1 +mineturtle.de, 1 +minez-nightswatch.com, 0 +minf3-games.de, 1 +minfin.gov.ua, 1 +mingkai.me, 1 +mingle2.com, 1 +mingming.info, 0 +mingram.net, 1 +mingwah.ch, 0 +mingy.ddns.net, 1 +mingyannet.com, 1 +minh.at, 0 +minhanossasenhora.com.br, 1 +minhanwindow.vn, 1 +minhng99.cloud, 1 +minhng99.eu, 1 +minhtuongcomputer.com, 1 +minhyukpark.com, 1 +mini-igra.tk, 1 +mini-piraten.de, 1 +mini-rock-festival.de, 1 +mini-zoo.club, 1 +mini2.fi, 1 +minialbums.ga, 1 +miniatomium.tk, 1 +minibabi.site, 1 +minibackpackgirls.cf, 1 +minibaggerverleih-aulendorf.de, 1 +minibardelivery.com, 1 +minibikini.cf, 1 +minibomba.pro, 1 +minibrewery.cf, 1 +minibus-service.ru, 1 +minibusrent.ro, 1 +minicampingshalom.nl, 1 +minican.net, 1 +miniclip.com, 1 +minics.tk, 1 +minidrett.no, 1 +minifree.org, 1 +minigames.com, 1 +minigermanauto.com, 1 +minigolf-oase.com, 0 +minigolf-reisinger.com, 1 +minigolfandgames.co.uk, 1 +minikasinosblackandred.es, 1 +minikidz.es, 1 +minikin.tk, 1 +minikneet.com, 1 +minikneet.nl, 1 +miniliga.at, 1 +minimal-apps.de, 1 +minimal-nothing.ml, 1 +minimal-website.ch, 0 +minimalistbaker.com, 1 +minimalistmenu.com, 1 +minimaliston.com, 1 +minimalmx.io, 1 +minimayhemsoftplay.co.uk, 1 +minimegaarcade.com, 1 +minimonies.tk, 1 +minimotogp.tk, 1 +minin.tk, 1 +mining-club.tk, 1 +mining.diamonds, 1 +miningtronics.com, 0 +minintendo.tk, 1 +minipc.de, 1 +minipigscare.com, 1 +minir.ru, 1 +minirizhi.com, 1 +miniskylab.com, 1 +miniso.me, 1 +minisoft4u.ir, 1 +ministerioaguadevida.tk, 1 +ministeriodeeducacion.gob.do, 1 +ministory.tk, 1 +ministryofinternet.eu, 1 +ministryofvillas.com, 1 +ministudio.ml, 1 +minitaq.com, 1 +minitec.ro, 1 +minitruckin.net, 1 +minitrucktalk.com, 1 +minivaro.de, 1 +miniverse.social, 1 +minivideoadapterssales.tk, 1 +miniwallaby.com, 1 +minix.jp, 1 +minjusticia.gob.cl, 1 +mink-coat.tk, 1 +minka.net.bo, 1 +minkafighter.de, 1 +minkafighter.eu, 1 +minkatilmancoaching.nl, 1 +minkymoon.jp, 1 +minlly.com, 1 +minload.com, 1 +minly.com, 1 +minmaxgame.com, 1 +minna.tk, 1 +minnesota8.org, 1 +minnesotacitymn.gov, 1 +minnesotahealthcareconsortium.gov, 1 +minnesotalakemn.gov, 1 +minng.cc, 1 +minnisites.com, 1 +minnit.chat, 1 +minobar.com, 1 +minocyclinee.gq, 1 +minocyclinehere.gq, 1 +minocyclines.gq, 1 +minohtaurov.cf, 1 +minor.news, 1 +minorice.net, 1 +minorisa.tk, 1 +minoritywhip.gov, 1 +minotauro.com.ar, 1 +minotnd.gov, 1 +minoxbahia.com.br, 1 +minpingvin.dk, 1 +minpolit.com, 1 +minquipo.nl, 1 +minsk-city.tk, 1 +minsk-cops.tk, 1 +minsk-music.tk, 1 +minsub.jp, 1 +mint-frauen-bw.de, 0 +mintal.is, 1 +mintblau.com, 1 +mintclass.com, 1 +mintdsmile.com.au, 1 +mintea-noua.ro, 1 +mintea.pw, 1 +mintea.xyz, 1 +minternals.com, 1 +minterslab.com, 1 +mintersvault.com, 1 +mintert.net, 1 +mintfirsts.co.uk, 1 +mintfirsts.com, 1 +mintitafever.tk, 1 +minto.cc, 1 +mintogardens.org.au, 1 +minton.systems, 1 +mintosherbs.com, 1 +mintosoft.net, 1 +mintse.com, 0 +mintstar.net, 1 +minttang.cn, 0 +mintymoney.com, 1 +mintywhite.com, 1 +minu.link, 1 +minube.co.cr, 1 +minul.in, 1 +minungdomsbolig.dk, 1 +minutashop.ru, 1 +minuteflightdeals.com, 1 +minutemanplumbingtulsa.com, 1 +minuten-drogentests.de, 1 +minutepunchline.com, 1 +minuterice.com, 1 +minutocultural.com.br, 1 +minux.info, 1 +minweb.org, 1 +minxmine.eu.org, 1 +minzdravri.ru, 1 +mio-ip.ch, 1 +miobeach.nl, 1 +miodimleko.pl, 1 +miodziki.pl, 0 +miomiojoyeria.com, 1 +miorganics.ro, 1 +miottawavotes.gov, 1 +mipapo.de, 1 +mipediatra.tk, 1 +mipesa.cz, 1 +mipiaci.co.nz, 0 +mipiaci.com.au, 0 +miplanilla.com, 1 +mipnet.cl, 1 +mipromo.com, 1 +mipropertiesnorth.com, 1 +miproximopaso.org, 1 +miprudelafi.ga, 1 +mipueblito.tk, 1 +mipymesenlinea.com, 1 +mir-faktov.tk, 1 +mir-koji.tk, 1 +mir-multimedia.tk, 1 +mir-obshenia.tk, 1 +mir-pressy.ga, 1 +mir-tiktak.tk, 1 +mir-torgovli.tk, 1 +mir.do, 1 +mir.pe, 1 +mir24.tk, 1 +mira.fun, 1 +mira.systems, 1 +mira.vip, 1 +mirabella.tk, 1 +miraclesformya.org, 1 +mirades.es, 1 +mirador.co.uk, 1 +mirador.com, 1 +miradordelcondado.com, 1 +mirage-project.tk, 1 +miragenews.com, 1 +miragg.cf, 1 +miraggiostudio.com, 1 +miragrey-porn.com, 1 +miraheze.org, 1 +mirahezebots.org, 1 +mirai-coupon.com, 1 +miraizu-recruit.com, 1 +mirakl.com, 0 +miraldi.eu, 1 +miramanga.org, 1 +miramar-obgyn.com, 1 +miramar.ca, 1 +miramichireader.ca, 1 +mirandaberkhof.com, 1 +mirandakids.bg, 1 +miranza.es, 1 +mirasee.com, 1 +mirasmun.tk, 1 +miratechgroup.com, 1 +miraxe.cf, 1 +miraxe.ga, 1 +miraxe.gq, 1 +mirazonline.tk, 1 +mirazperu.tk, 1 +mircarfinder.ru, 1 +mircreditov.tk, 1 +mircsohbet.tk, 1 +mirdetaley.tk, 1 +mireiaseuba.com, 1 +mireillewendling.com.br, 1 +miremedio.cl, 1 +mirepublic.co.nz, 1 +mireservaonline.es, 1 +miriamgamburd.com, 1 +miriamharel.tk, 1 +mirinfonews.tk, 1 +mirjamderijk.nl, 1 +mirkino.tk, 1 +mirknighechek.tk, 1 +mirknighek.cf, 1 +mirknighek.gq, 1 +mirkofranz.de, 1 +mirkomainardi.com, 1 +mirkout.com, 1 +mirkvartir.tk, 1 +mirmax.ch, 1 +mirnesnet.tk, 1 +mirnews.ml, 1 +mirobuvi.com.ua, 1 +mirogrdnika.info, 1 +miroirbythalia.shop, 1 +mirokon.tk, 1 +mironet.cz, 1 +mironi.ml, 1 +mironized.com, 1 +mironov.tk, 1 +miroslavholec.cz, 1 +mirotakampus.com, 0 +mirprav.tk, 1 +mirri.net, 1 +mirrordream.net, 1 +mirrormirror.tk, 1 +mirrormirrorhairstyles.com, 1 +mirrorsedgearchive.de, 1 +mirrorsedgearchive.ga, 1 +mirrorwood.com, 1 +mirrorz.help, 1 +mirs.ky, 1 +mirshak.com, 0 +mirtazapine.gq, 1 +mirte-engelhard.com, 1 +mirte-engelhard.nl, 1 +mirtentov.ru, 1 +mirtes.cz, 1 +mirtouf.fr, 1 +mirumhongkong.com, 1 +mirvent.site, 1 +mirvolgograda.ml, 1 +mirwild.cf, 1 +mirwild.gq, 1 +miryam-martinez.tk, 1 +mirzetonline.tk, 1 +mis1042.com, 0 +mis1042.top, 1 +misa.org, 1 +misaka.me, 1 +misakacloud.net, 1 +misakaloli.com, 0 +misakastudio.com, 1 +misaki0.jp, 1 +misakiya.co.jp, 1 +misalacuna.cl, 1 +misanci.cz, 1 +mischolz.de, 1 +misclick.net, 1 +misclick.nl, 1 +misco.it, 1 +misconfigured.io, 1 +miscuadros.tk, 1 +miscursosdebelleza.com, 1 +misfit-media.com, 1 +mishamayfairart.com, 1 +mishaomar.tk, 1 +mishavayner.com, 1 +mishkinn.ru, 1 +mishpatim.tk, 1 +mishrahome.com, 1 +mishraurology.com, 1 +mishraweb.com, 1 +misiepluszowe.com, 1 +misinstrumentos.com, 1 +misiunas.eu, 1 +misjoyas.com.es, 0 +misk.com, 1 +miskara.com, 1 +miskatonic.org, 1 +misoji-resist.com, 1 +misol.kr, 1 +misooda.in, 1 +mispelis.tk, 1 +mispromo.com, 1 +misreflexiones.tk, 1 +misreports.in, 1 +miss-inventory.co.uk, 1 +miss.com.tw, 1 +missadrastea.org, 1 +missakari.com, 1 +missaocadastrobv.com.br, 1 +missapk.com, 1 +missbitcoin.nl, 1 +missblisshair.com.au, 1 +missdoertie.net, 1 +missdoggystyle.com, 1 +missdream.org, 1 +misseguf.dk, 1 +missevent.pl, 1 +missflora.se, 1 +missguidedus.com, 1 +missilovely.tk, 1 +missingchildreneurope.eu, 1 +missinglinks.tk, 1 +mission-gesundheit.online, 1 +mission-orange.de, 1 +missions.me, 1 +missionsgemeinde.de, 1 +missionskreis-kueps.de, 1 +mississaugaelite.com, 1 +misskappababy.com, 1 +misskey.art, 1 +misslollipop.fr, 1 +missmaid.co.uk, 1 +missmaid.com, 1 +missmeydan.com, 1 +misson.ovh, 1 +missoula.gov, 1 +missoulacountymt.gov, 1 +missoulian.com, 1 +missouri-sky.tk, 1 +missouriheatingcoolingadvice.com, 1 +missourivalleyhomes.com, 1 +missoy.me, 1 +misspoliticsaustralia.cf, 1 +misspoliticsaustralia.ga, 1 +misspoliticsaustralia.gq, 1 +misspoliticsaustralia.ml, 1 +missthetoro.tk, 1 +misstika-bijoux.com, 1 +misstress.cf, 1 +missualready.com, 1 +missuniverse.tk, 1 +missworldinfo.tk, 1 +missycosmeticos.com.br, 1 +missycraindance.com, 1 +missyjay.tk, 1 +missyou.link, 1 +mist79.ru, 1 +mistacms.com, 0 +mistades.ga, 1 +mistajsay.com, 1 +mister-auto.co.uk, 1 +mister-auto.com, 1 +mister-auto.de, 1 +mister-auto.es, 1 +mister-auto.it, 1 +mister-auto.nl, 1 +mister-matthew.de, 1 +misterbandb.com, 1 +misterboddy.com, 1 +misterd.ml, 1 +misterdomain.eu, 1 +mistergermany.tk, 1 +mistergout.com, 1 +misterkeltic.com, 1 +misterl.net, 1 +misterorion.com, 1 +mistertesi.it, 1 +misteryrip.tk, 1 +mistinecn.com, 0 +mistitservices.in, 1 +mistrasolutions.com, 1 +mistreaded.com, 1 +mistress-lucia.tk, 1 +mistressnadine.tk, 1 +mistressofbeads.tk, 1 +mistyoverlookranch.com, 1 +misupportit.dk, 1 +misura.re, 1 +misw.jp, 1 +miswonline.nl, 1 +mit-dem-rad-zur-arbeit.de, 0 +mit-dem-rad-zur-uni.de, 0 +mit-sexchat-geld-verdienen.com, 1 +mit-uns.org, 1 +mit.akita.jp, 1 +mit.dk, 1 +mit.edu.it, 1 +mit.gg, 0 +mita-beutel.tk, 1 +mita.me, 1 +mitarbeiterbefragungen.com, 1 +mitarbeitermotivation-anleitungen.de, 1 +mitarrangement.dk, 1 +mitchell.to, 1 +mitchellcountync.gov, 1 +mitchelmore.ca, 1 +mitchkalf.nl, 0 +mitchkiah.com, 1 +mitdip-mit-group-ch.azurewebsites.net, 1 +mite3.nl, 1 +mitechtrading.com, 1 +mitel.io, 1 +mitelec.es, 1 +miteltest.com, 1 +mitenloytaatoita.fi, 1 +mitenloytaatyota.fi, 1 +mitensaadatoita.fi, 1 +mitensaadatyota.fi, 1 +mitev.gq, 1 +mitevi.com, 1 +mitgrussen.de, 1 +mithgol.tk, 1 +mithril.email, 1 +mithypnoseweiter.de, 1 +mitiad.gq, 1 +mitico.at, 1 +miticobikes.at, 1 +miticobikes.com, 1 +mitiendademunecas.com, 1 +mitigant.io, 1 +mitigationcommission.gov, 1 +mitik974.me, 1 +mitikas.de, 1 +mitiko.xyz, 1 +mitindo.it, 1 +mitior.net, 1 +mitjavila.com, 1 +mito-meishi.shop, 1 +mitokashi.ml, 1 +mitranlogistik.com, 1 +mitraseo.tk, 1 +mitratech.com.br, 1 +mitrausahagoto.com, 1 +mitrausahatani.com, 1 +mitrax.com.br, 1 +mitre10.com.au, 0 +mitrecaasd.org, 1 +mitremai.org, 1 +mitrostudios.com, 1 +mitsign.com, 1 +mitsonnenbrillen.de, 1 +mitsov.eu, 1 +mitsu.com, 1 +mitsu.in, 1 +mitsubishi-motors.com.co, 0 +mitsubishi-stanok.ru, 1 +mitsubishielectric-rce.eu, 1 +mitsukisushi.com, 1 +mitt.ca, 1 +mittagonghomestead.com.au, 1 +mittarinvaihto.fi, 1 +mittdolcino.com, 1 +mittelalter-lexikon.de, 1 +mittelhessen.de, 1 +mittelunsachlich.de, 1 +mittendorff.tk, 1 +mittenofficesystems.com, 1 +mitterbach.org, 1 +mittid.dk, 1 +mittilmeld.dk, 1 +mittwoch-nacht.net, 1 +mitulv4u.tk, 1 +mitzpettel.com, 1 +miui-germany.de, 1 +miui.kr, 1 +miukimodafeminina.com, 1 +mivestuariolaboral.com, 1 +mividasecreta.tk, 1 +mivm.cn, 1 +mivne.co.il, 1 +mivo.es, 1 +mivzak.im, 1 +mivzakim.biz, 1 +mivzakim.cf, 1 +mivzakim.ga, 1 +mivzakim.gq, 1 +mivzakim.info, 1 +mivzakim.ml, 1 +mivzakim.mobi, 1 +mivzakim.net, 1 +mivzakim.org, 1 +mivzakim.tk, 1 +mivzakim.tv, 1 +mivzaklive.co.il, 0 +miweb.ec, 1 +miwebmadrid.es, 1 +mix-books.ga, 1 +mix-channel.ml, 1 +mix-master.fr, 1 +mix-recruit.jp, 1 +mix.my, 1 +mixandplay.tk, 1 +mixedanimals.com, 1 +mixedrecipe.com, 1 +mixerfestival.com.br, 1 +mixes.cloud, 1 +mixescloud.com, 1 +mixfix.com.br, 1 +mixgreen.de, 1 +mixify.ga, 1 +mixinglight.com, 1 +mixingnight.com, 1 +mixingnightaudio.com, 1 +mixizle.com, 1 +mixmastermitch.com, 1 +mixmastersdeejays.tk, 1 +mixmister.com, 1 +mixmix.tk, 1 +mixmovi.com, 1 +mixnix.tk, 1 +mixnmojo.com, 1 +mixom.net, 1 +mixon.tk, 1 +mixpanel.com, 1 +mixposure.com, 1 +mixtafrica.com, 1 +mixx.com.hk, 1 +miyagi-ctr.com, 1 +miyagi-r.com, 1 +miyajima-ken.jp, 1 +miyako-kyoto.jp, 1 +miyamane-room.com, 1 +miyanaga.tech, 1 +miyasyou.com, 1 +miyatakaikei.com, 1 +miyavru.com, 1 +miyazakian.com, 1 +miyohiro.net, 1 +miyoshi-kikaku.co.jp, 1 +miyoshi-kikaku.com, 0 +mizar.im, 0 +mizik.cz, 1 +miziklakay.com, 1 +mizipack.com, 0 +mizoey.se, 1 +mizon.com.pe, 1 +mizrahi-tefahot.co.il, 1 +mizternational.com, 1 +mizu.coffee, 1 +mizucoffee.net, 1 +mizuhobank.co.id, 1 +mizuhofutures.com, 1 +mizuiromoon.com, 1 +mizukoshika.jp, 1 +mizumax.me, 1 +mj-reit.com, 1 +mj420.com, 0 +mjacobson.net, 1 +mjanja.ch, 1 +mjasm.org, 1 +mjbeventspr.com, 0 +mjbtechtips.com, 1 +mjcstsul2022.tk, 1 +mjf.cz, 1 +mjhs.org, 1 +mjhsfoundation.org, 1 +mjjshow.eu.org, 1 +mjlwebdev.pl, 1 +mjmpartnerlink.com.au, 1 +mjniessen.com, 1 +mjollnir.fr, 1 +mjpromotions.nl, 1 +mjpronk.nl, 1 +mjrlegends.com, 1 +mjsacco-dwi.com, 1 +mjsports.bet, 1 +mjstudios.tech, 0 +mjstudios.tk, 1 +mjt.me.uk, 1 +mjuktvatten.nu, 1 +mjwadvisory.com.au, 1 +mjzdaman.tk, 1 +mk-builder.net, 1 +mk-translations.ua, 1 +mk.gov.tr, 1 +mk89.de, 1 +mkaciuba.com, 0 +mkakh.xyz, 1 +mkala.ru, 1 +mkalisch.de, 1 +mkbd.ru, 1 +mkbeindhoven.nl, 1 +mkbet.tk, 1 +mkbofficeshop.nl, 1 +mkbouncycastles.co.uk, 1 +mkbouncyhire.co.uk, 1 +mkboynton.org, 1 +mkcert.org, 1 +mkchandler.com, 1 +mkdevice.it, 1 +mkes.com, 1 +mkey-solution.at, 1 +mkey-solution.com, 1 +mkey-solution.de, 1 +mkey-solutions.at, 1 +mkey-solutions.com, 1 +mkey-solutions.de, 1 +mkey.solutions, 1 +mkeysolution.at, 1 +mkeysolution.com, 1 +mkeysolution.de, 1 +mkeysolutions.at, 1 +mkeysolutions.com, 1 +mkeysolutions.de, 1 +mkg-laposte.info, 1 +mkg-pch.com, 1 +mkg-wiebelskirchen.de, 1 +mkhsoft.eu, 1 +mki-igrushki.ru, 1 +mkie.cf, 1 +mkinfo.com.br, 1 +mkjl.ml, 0 +mkjoyeria.cl, 0 +mkk.de, 1 +mkkcrafts.com, 1 +mkkkrc.ru, 1 +mklenterprises.com, 0 +mklenterprisesacademy.com, 1 +mklenterprisescoaching.com, 1 +mklpedia.de, 1 +mklwork.lt, 1 +mkm.ee, 0 +mkm.szczecin.pl, 1 +mkmaster.tk, 1 +mkmedien.tk, 1 +mknowles.com.au, 1 +mkoppmann.at, 1 +mkpdeepclean.com, 1 +mkpeurope.org, 1 +mkplay.io, 1 +mkprensa.tk, 1 +mkrecek.cz, 1 +mkringel.de, 0 +mksac.co.uk, 1 +mksdarchitects.com, 1 +mkse.com, 1 +mkt.com, 1 +mkt7.de, 1 +mktcoral.com, 1 +mktemp.org, 1 +mkultraclean.com.au, 1 +mkw.st, 1 +mkws.sh, 1 +ml.tax, 1 +ml2d.com, 1 +mlada-moda.cz, 1 +mladamoda.sk, 1 +mladenovac.tk, 1 +mladinskislatna.si, 1 +mladiorl.cz, 1 +mladypodnikatel.cz, 1 +mlaschool.co.za, 1 +mlawfirm.com, 1 +mlcfinvest.in, 1 +mlclaw.com, 1 +mlcnfriends.com, 1 +mlcrosoftonlline.cz, 1 +mlcrosoftonlline.ml, 1 +mlelieveld.com, 1 +mleydier.fr, 1 +mlfilm.ml, 1 +mlgsmokers.tk, 1 +mli-interface-api-test.azurewebsites.net, 1 +mlii.net, 1 +mlirb.com, 1 +mlk.sd, 1 +mlkday.gov, 1 +mllz.com, 1 +mlm-hochzeit.de, 1 +mlmjam.com, 1 +mlmjunction.tk, 1 +mlmowing.com.au, 1 +mlnews.ml, 1 +mlo.no, 1 +mlohr.com, 1 +mlohr.net, 1 +mlonline.com.mx, 1 +mloska.tk, 1 +mlp.horse, 1 +mlpavimentosdehormigonimpreso.com, 1 +mlpk.cz, 1 +mlpvcdn.top, 1 +mlpvector.club, 1 +mlshhz.eu.org, 1 +mlsrv.de, 1 +mlstav.sk, 1 +mlsvallarta.com, 1 +mltrade.ml, 1 +mlukas.xyz, 1 +mlundberg.se, 1 +mluservices.com, 1 +mlv-psychosomatik.de, 1 +mlv.me, 1 +mlwr.ee, 1 +mlytics.com, 1 +mm-sol.com, 1 +mm13.at, 1 +mm5197.co, 1 +mm6729.co, 1 +mm6729.com, 0 +mm6957.co, 1 +mm9297.co, 1 +mm9728.co, 1 +mma-records.de, 1 +mmalisz.com, 1 +mmallardi.no-ip.biz, 1 +mmanews24.com, 1 +mmapiws.com, 1 +mmaps.ddns.net, 1 +mmaps.org, 1 +mmarising.com, 1 +mmarnitz.de, 1 +mmassemblyline.de, 1 +mmav.co, 1 +mmav.live, 1 +mmav.tv, 1 +mmbb.org, 0 +mmcalc.jp, 1 +mmcase.ml, 1 +mmgal.com, 1 +mmhome.fr, 1 +mmilog.hu, 1 +mminsco.com, 0 +mmkstudio-digital.com, 1 +mml.cx, 0 +mmlebanon.com, 1 +mmlstyliser.com, 1 +mmm-boxing.tk, 1 +mmm.lu, 1 +mmmarco.com, 1 +mmmaximaliselmeny.hu, 1 +mmmc.hk, 1 +mmmofnigeria.tk, 1 +mmmonk.net, 1 +mmmsancristobal.es, 1 +mmoe.moe, 1 +mmogah.com, 1 +mmoneko.com, 1 +mmonit.com, 1 +mmorpg-stat.eu, 1 +mmot.sk, 1 +mmpaymentsystem.com, 1 +mmphub.com, 1 +mmprojects.nl, 1 +mmr.ua, 1 +mmrepair.in, 1 +mms.is, 1 +mmsmotor.com.hk, 1 +mmstick.tk, 1 +mmstudio.tk, 1 +mmucha.de, 1 +mmuclassifieds.tk, 1 +mmulder.com, 1 +mmwb.nl, 1 +mmwtrademarks.com.au, 1 +mmxblog.com, 1 +mmxx-distribution.com, 1 +mmzztt.com, 1 +mn-hootsuite.herokuapp.com, 1 +mn.ax, 1 +mnatechnologies.com.au, 1 +mnbg.tk, 1 +mncalliedhealth.com, 1 +mncbank.co.id, 1 +mnccc.gov, 1 +mnciitbhu.me, 1 +mncloud.de, 1 +mncustom.com, 1 +mnd.sc, 1 +mndeveloper.com, 1 +mne.moe, 1 +mnec.io, 1 +mneeb.de, 1 +mnemonic.ninja, 1 +mnemonicninja.com, 1 +mneti.ru, 1 +mngfam.ddns.net, 1 +mnguyen.io, 1 +mnhc.gov, 1 +mnienamel.com, 1 +mniopenresearch.org, 1 +mnium.de, 1 +mnjg123.de, 1 +mnkysoft.com, 1 +mnml.art, 1 +mnml.blog, 1 +mnml.top, 1 +mnmt.no, 1 +mnnknz.de, 1 +mnnon.com, 1 +mnocea.eu, 1 +mnogoigrovka.ru, 1 +mnogoknighek.gq, 1 +mnogoknighek.ml, 1 +mnogoknighek.tk, 1 +mnogosofta.tk, 1 +mnogoznai.tk, 1 +mnotrioesdp.ml, 1 +mnprairie.gov, 1 +mnrloroli.tk, 1 +mnrtechsolutions.com, 1 +mnrv.trade, 1 +mns.co.jp, 1 +mnsaviation.com, 1 +mnsenate.gov, 1 +mnsure.org, 1 +mnsvu.org, 1 +mnt-tech.fr, 1 +mnt9.com, 0 +mnt9.de, 1 +mnvotes.gov, 1 +mo-en-karim.tk, 1 +mo-mochizuki.com, 1 +mo-vvs.dk, 1 +mo.nl, 1 +mo2021.de, 1 +moa.moe, 1 +moabpapier.de, 1 +moabygg.se, 1 +moahmo.com, 0 +moaicar.com, 1 +moas.design, 1 +moas.photos, 1 +moattitlesecurity.com, 1 +mob2con.com.br, 1 +mob889.com, 1 +moba-automation.com, 1 +moba-automation.com.br, 1 +moba-automation.de, 1 +mobal.com, 0 +mobclan.tk, 1 +mobcsp.work, 1 +mobeewash.com, 1 +mobeforlife.com, 0 +moberi.com.ua, 1 +mobex.biz, 1 +mobi-katalog.tk, 1 +mobidevtalk.com, 1 +mobifrance.com, 1 +mobigadget.tk, 1 +mobijo.tk, 1 +mobikasa.com, 1 +mobil-badwimpfen.de, 1 +mobil-bei-uns.de, 1 +mobil11.net, 1 +mobila-chisinau.md, 1 +mobilci.net, 1 +mobildeal.id, 1 +mobile-discothek.at, 1 +mobile-holzofenpizza.de, 1 +mobile-industrial-robots.com, 1 +mobile-ivr.tk, 1 +mobile-master.org, 1 +mobile-news.tk, 1 +mobile-pedia.com, 1 +mobile.de, 1 +mobile.eti.br, 1 +mobile.united.com, 0 +mobile.usaa.com, 0 +mobile360.ph, 1 +mobileague.ml, 1 +mobilebingoclub.co.uk, 1 +mobilebooster.tk, 1 +mobileciti.com.au, 1 +mobilecoin.com, 1 +mobilecraftingco.com, 1 +mobilefactory.io, 1 +mobilegoldcoastelectrical.ga, 1 +mobilehydraulics.com.au, 1 +mobileit.cz, 1 +mobilelaby.com, 1 +mobilelobbyers.ga, 1 +mobilemedics.com, 1 +mobilemondayaustin.com, 1 +mobileone.com.my, 1 +mobilepartner.tk, 1 +mobilephoneadvise.com, 1 +mobiler-handel.de, 1 +mobileread.com, 1 +mobileritelushi.com, 1 +mobilesafe.shop, 1 +mobilesector.de, 1 +mobilesettingers.ga, 1 +mobilesignalsolutions.co.uk, 1 +mobilesms.io, 1 +mobilesnewsworld.ga, 1 +mobilestories.se, 1 +mobilestuff.tk, 1 +mobiletechnews.tk, 1 +mobileteleconferenceers.ga, 1 +mobiletirer.tk, 1 +mobiletop.co.uk, 1 +mobiletraff.co, 1 +mobilewikiserver.com, 1 +mobilgaraj.com, 1 +mobilhaber.ga, 1 +mobilhondatangsel.com, 1 +mobilidadeurbana.ind.br, 1 +mobilificio.roma.it, 1 +mobilisation-generale.org, 0 +mobiliteit.gent, 1 +mobiliteitgent.be, 1 +mobiliteitsbedrijf-gent.be, 1 +mobiliteitsbedrijf.be, 1 +mobiliteitsbedrijfgent.be, 1 +mobiliteitsbedrijfstadgent.be, 1 +mobiliteitstadgent.be, 1 +mobility-events.ch, 1 +mobility-services.eu, 1 +mobilityworks.eu, 0 +mobilityworld.tk, 1 +mobilize.us, 1 +mobilizon.fr, 1 +mobilizon.org, 1 +mobilizone.com, 1 +mobilki.tk, 1 +mobilni.site, 1 +mobilo4ka.ru, 1 +mobilosoft.com, 1 +mobiltank.fr, 1 +mobiltune.tk, 1 +mobilux.lv, 1 +mobincube.com, 1 +mobincube.es, 1 +mobincube.mobi, 1 +mobinet.tk, 1 +mobinst.ml, 1 +mobio.net, 1 +mobiotics.com, 1 +mobiproj.com, 1 +mobiride.co, 1 +mobisaar-cloud.de, 1 +mobistartv.ml, 1 +mobitracker.co, 1 +mobius.network, 1 +mobizma.com, 1 +moblkar.com, 1 +mobmp4.info, 1 +mobobe.com, 1 +mobolight.ml, 1 +mobot.sg, 1 +mobox.health, 1 +mobshop.hu, 1 +mobsitin.tk, 1 +mobtop.ga, 1 +mobtop.ml, 1 +mobycoders.com, 1 +mobydog.net, 1 +mobygeek.com, 1 +mobylette.tk, 1 +moca-2081.com, 1 +moca-2082.com, 1 +moca-kinder.de, 1 +mocent.de, 1 +mochanstore.com, 1 +mochilerostailandia.com, 1 +mochiyuki.net, 1 +mochizuki.moe, 0 +mochoko.com, 1 +mockerel.com, 1 +mockers.tk, 1 +mocknen.net, 1 +mocksvillenc.org, 1 +mocomoco.jp, 1 +mod.af, 0 +mod.gov.lb, 1 +mod.io, 1 +moda-donna.cf, 1 +moda-line.ml, 1 +modacompleta.com.br, 1 +modafilmdmodafinil.com, 1 +modafinil.wiki, 1 +modafinilici.com, 1 +modafinilwizard.co, 1 +modafinilwizard.com, 1 +modafinilyes.com, 1 +modafo.com, 1 +modahaber.com, 1 +modalogi.com, 1 +modalrakyat.com, 1 +modaltraining.co.uk, 1 +modamia.pl, 1 +modamoom.com.br, 1 +modanacrho.tk, 1 +modanese.net, 1 +modanloftsortigashills.com, 1 +modapharma.org, 1 +modasexy.it, 1 +modav.org, 1 +modax.ua, 1 +modbom.com.tw, 1 +modcombo.com, 1 +modcover.com, 1 +modd.com.au, 1 +modded-minecraft-server-list.com, 1 +moddedphones.com, 1 +modderday.com, 1 +moddermore.net, 1 +modding-forum.com, 1 +modding-openmw.com, 0 +modding-welt.com, 1 +moddingworld.tk, 1 +moddiy.com, 1 +moddo.com, 1 +mode-individuell.de, 1 +mode-musthaves.com, 1 +modebest.co.uk, 1 +modecaso.com, 1 +modehaus-marionk.de, 1 +model-school.tk, 1 +model.earth, 1 +modelbase.org, 1 +modelclub-draveil.eu, 1 +modeldanielle.tk, 1 +modeldentalab.lt, 1 +modeldimension.com, 1 +modeldoll.tk, 1 +modelearth.org, 1 +modelfotografie.tk, 1 +modeli.tk, 1 +modelisme-rc.net, 1 +modell-lq.net, 1 +modellbahnshop.de, 1 +modellismo.roma.it, 1 +models-resource.com, 1 +modelspoor-projecten.nl, 1 +modelspoorprojecten.nl, 1 +modem.cf, 1 +modemaille.com, 0 +modemchild.net, 1 +modemguides.com, 1 +modenatoday.it, 1 +modenodf.ru, 1 +moderaterna.se, 1 +moderatoren.org, 1 +modern-family.tv, 1 +modern-gaming.ga, 1 +modernapprenticeships.org, 1 +modernautorepairs.com, 1 +moderncommercialrealestate.com, 1 +moderndayprepping.com, 1 +moderndeck.org, 1 +moderndukes.tk, 1 +moderneraplumbingandgas.com.au, 1 +moderngentlemen.net, 1 +moderniknihovna.cz, 1 +modernindia.ml, 1 +modernizr.com, 0 +modernliferoleplay.cf, 1 +modernmomarchy.com, 1 +modernsaas.net, 1 +modernsavage.coach, 1 +moderntech.dk, 1 +moderntld.net, 1 +moderntrainer.co.za, 1 +moderntreasury.com, 1 +modernwebz.com, 1 +modernworkplacelearning.co.za, 1 +modernx.de, 1 +modesalination.com, 1 +modestoca.gov, 1 +modetalente.com, 1 +modetrends.tk, 1 +modgamer.gq, 1 +modicollege.com, 1 +modifiedmind.com, 1 +modineaviation.com, 1 +modint.nl, 1 +modirhp.ir, 1 +modisarkar.tk, 1 +modistryusercontent.com, 1 +modlimit.cf, 1 +modpop.se, 1 +mods.fm, 1 +modscrew.com, 1 +modsecurity.net, 1 +modszombies.com, 1 +moduhygiene.com, 1 +modul21.eu, 1 +modul8infinity.co, 1 +modul8r.com, 1 +modulebaan.tk, 1 +moduleus.com, 1 +modulex-gmbh.de, 1 +modulkuhni.by, 1 +modulo.ee, 0 +moduloseltaladro.com, 1 +modum.by, 1 +modusawperandi.com, 1 +modusgames.com, 1 +modusit.co.za, 1 +modusmundi.com, 1 +modussystems.com, 1 +modvigilonlinerx.com, 1 +modxvm.com, 1 +modzcenter.com, 1 +modzcenter.es, 1 +moe-max.jp, 1 +moe.best, 0 +moe.blog, 1 +moe.ci, 1 +moe.gov.eg, 1 +moe.tools, 1 +moe4sale.in, 1 +moebeltaxi-berlin.com, 1 +moeblog.cn, 1 +moeblog.top, 1 +moec.top, 1 +moecater.com, 1 +moechel.com, 1 +moefactory.com, 1 +moefi.xyz, 1 +moegato.com, 1 +moegi.ml, 1 +moego.me, 1 +moego.pet, 1 +moehrke.cc, 1 +moekes.amsterdam, 1 +moeking.me, 1 +moeli.org, 1 +moellers.systems, 1 +moeloli.ac.cn, 1 +moelten.org, 1 +moemdom.info, 1 +moenew.top, 1 +moenew.us, 0 +moenjodaro.tk, 1 +moensnatuursteen.be, 1 +moepass.com, 1 +moesborg.dk, 1 +moescat.xyz, 0 +moeslinger-gehmayr.com, 1 +moeto-zdrave.com, 1 +moetrack.com, 1 +moewe.org, 1 +moeyy.tech, 1 +mofbinsurance.com, 1 +mofo.com, 1 +mofohome.dyndns.org, 1 +mofos.com, 1 +mofosnetwork.com, 1 +mogbox.net, 1 +mogica.tk, 1 +mogilev-forum.tk, 1 +moglie.xxx, 1 +mogomix.cf, 1 +mogradus.com, 1 +mogwailabs.de, 1 +mogyuchi.com, 1 +moha-swiss.com, 0 +mohaabobclan.tk, 1 +mohaanation.tk, 1 +mohabatein1.tk, 1 +mohalicity.info, 1 +mohamedalibenammarmaba.tk, 1 +mohamedfouad.tk, 1 +mohamedhamdy.tk, 1 +mohamedhosting.tk, 1 +mohamedsherif.ml, 1 +mohamedsherif.tk, 1 +mohammad-hamarsheh.com, 1 +mohammad-yarahmadi.tk, 1 +mohammadhamed.tk, 1 +mohammadreza-bakhtiari.tk, 1 +mohammed.ga, 1 +mohammedalrifai.tk, 1 +mohave.gov, 1 +mohela.com, 1 +mohelafederal.com, 1 +moheyuddin.tk, 1 +mohister.cn, 1 +mohitchahal.com, 1 +mohot.com.tw, 1 +mohot.fit, 1 +mohot.shop, 1 +mohr-maschinenservice.de, 1 +mohsen-pashootan.vercel.app, 1 +moi-sait.tk, 1 +moikolhoz.ml, 1 +moikolhoz.tk, 1 +moin.solar, 1 +moip.com.br, 1 +moipourtoit.ch, 0 +moipourtoit.com, 0 +moipourtoit.org, 0 +moirre.com, 1 +moisesbarrio.es, 1 +moisesbarrio.me, 1 +moitruongcrsvina.com, 1 +mojaapteka.pl, 1 +mojaczarnastrona.pl, 1 +mojadm.sk, 1 +mojaknjiznica.com, 0 +mojakursumlija.tk, 1 +mojama3dz.com, 1 +mojartech.ml, 1 +mojavenissanofbarstowparts.com, 1 +mojavibe.com, 1 +mojdom.ba, 1 +mojdrvar.tk, 1 +moje-communication.de, 1 +mojeco2.cz, 1 +mojedatovaschranka.cz, 1 +mojefilmy.xyz, 1 +mojetatuaze.pl, 1 +mojeurlopy.pl, 1 +mojilitygroup.com, 1 +mojitoparty-articlespara.website, 1 +mojizuri.cafe, 1 +mojizuri.com, 1 +mojizuri.jp, 1 +mojkragujevac.net, 1 +mojleksikon.com, 1 +mojnet.eu, 1 +mojnet.net, 1 +mojo.az, 1 +mojo.so, 1 +mojobrewband.com, 1 +mojoco.co.za, 1 +mojodentallaboratory.co.uk, 0 +mojomen.com, 1 +mojomen.net, 1 +mojomen.org, 1 +mojoshowers.ga, 1 +mojt.net, 1 +mojtabagol.tk, 1 +mojtest.site, 1 +mojzis.com, 1 +mojzis.cz, 1 +mojzisova.com, 1 +mokadev.com, 0 +mokaszinhaz.tk, 1 +mokeedev.com, 1 +mokeedev.review, 1 +mokhtarmial.com, 1 +mokrynskyi.com, 1 +moksha-movement.com, 1 +mokujinken.tokyo, 1 +mokum-organics.com, 0 +mokutovo.tk, 1 +moldinspectionslosangeles.com, 1 +moldova-online.ml, 1 +moldovanka.tk, 1 +moldovawall.tk, 1 +moldsearchers.ga, 1 +molecularbiosystems.org, 1 +moleestudio.com, 1 +molehill.it, 1 +molekula.hr, 1 +molenaagtekerke.tk, 1 +molenaar-ricardo.tk, 1 +moleskinestudio.com, 1 +molexces.com, 1 +molinillo.tk, 1 +moliporex.com, 1 +moliporex.pt, 1 +molise.store, 1 +molkerei-ammerland.com, 1 +molleron.net, 1 +molletjesveer.tk, 1 +mollie.com, 1 +mollie.nl, 1 +mollybears.org, 1 +mollyblooms.tk, 1 +mollyringworm.tk, 1 +mollysun.net, 1 +molodechno-mk.by, 1 +molodost.ga, 1 +molodost.gq, 1 +molodost.tk, 1 +molokaibreeze.com, 1 +molokov.tk, 1 +molot-tora.ml, 1 +molot-tora24.ga, 1 +molpay.com, 1 +molpek.com, 1 +moltapor.tk, 1 +molti.hu, 1 +molusk.ml, 1 +molwick.com, 1 +mom.life, 1 +moma.co.uk, 1 +moment-terroir.ch, 1 +momentalno.tk, 1 +momentmag.com, 1 +momentum.photos, 1 +momentumcoach.se, 1 +momentumcomfortgear.com, 1 +momentumdash.com, 1 +momentummarketers.ga, 1 +momi-chura.com, 1 +momimi.me, 1 +momistudio.com, 1 +momit.eu, 1 +momjoyas.com, 1 +mommoneymap.com, 1 +mommyapproveders.ga, 1 +mommyapprovedest.ga, 1 +mommydigest.ga, 1 +mommydigesters.ga, 1 +mommydigestest.ga, 1 +mommylessoners.ga, 1 +mommylessonest.ga, 1 +mommypantsest.ga, 1 +momo0v0.club, 1 +momobako.com, 1 +momochrome.online, 1 +momondersteuning.nl, 1 +momove.nl, 1 +moms.com, 1 +momsagainstcooties.com, 1 +momsays.co.za, 1 +momsbangteens.com, 1 +momslickteens.com, 1 +momspublictube.com, 1 +momstableonline.com, 1 +momtazz.net, 1 +momtits.com, 1 +momtubevideos.com, 1 +momy-genealogie.info, 1 +mon-a-lisa.com, 1 +mon-agenda.org, 0 +mon-agora.com, 1 +mon-assurance-deces.fr, 1 +mon-butin.fr, 1 +mon-cartable.fr, 1 +mon-code.net, 1 +mon-compte.bzh, 1 +mon-dolibarr.fr, 0 +mon-habitation.ca, 1 +mon-match.com, 1 +mon-partage.fr, 1 +mon-sac-italien.fr, 1 +mon-trafic.com, 1 +mon22.ch, 0 +monacannation.gov, 1 +monaco-automaten.de, 1 +monaco-info.tk, 1 +monacoexpress.tk, 1 +monad.io, 1 +monagenceentreprise-caap.fr, 1 +monarch.security, 1 +monarchcleanersnc.com, 1 +monarchelectric.com, 1 +monarcjuexpo.ch, 1 +monaroindustrial.com.au, 1 +monasteriumlab.com, 1 +monauralpress.com, 0 +monays.ga, 1 +monbebeautrement.fr, 1 +monbedou.net, 1 +monconcoursdgfip.fr, 1 +mondayaftersunday.com, 1 +mondaynightbrewing.com, 1 +monde-oriental.tk, 1 +monde.win, 1 +mondechenoafrance.tk, 1 +mondedie.fr, 1 +mondholz24.de, 1 +mondo-it.ch, 1 +mondo.rs, 1 +mondocellulari.tk, 1 +mondoffice.com, 1 +mondolila.tk, 1 +mondovisione.com, 1 +mondoviwi.gov, 1 +mondpo.pro, 1 +mondsee-psychotherapie.at, 1 +mondzorgparkzicht.nl, 1 +monechafaudage.com, 1 +moneni.com, 1 +moneoci.com.br, 1 +monerogamez.com, 1 +monese.com, 1 +moneshaq.fr, 1 +moneta-rossii.ru, 1 +monetenfuchs.de, 1 +monetize.ml, 1 +monetizer.co, 1 +monetizer.com, 1 +monetizzando.it, 1 +monetki.net, 1 +monettmo.gov, 1 +monex.ro, 1 +money-book.jp, 1 +money-earning.tk, 1 +money-fast.ga, 1 +money-finder.ml, 1 +money-loan-now.com, 1 +money-okey.tk, 1 +money-quick.cf, 1 +money-spell.com, 1 +money-tapuz.co.il, 1 +money-transfers.tk, 1 +money-trust.ru, 1 +money.bg, 1 +money4net.tk, 1 +moneybill.us, 1 +moneybird.com, 1 +moneybird.de, 1 +moneybird.nl, 1 +moneybirdstorage.com, 1 +moneyblo.com, 1 +moneychill.biz, 1 +moneyclick.tk, 1 +moneycredit.eu, 1 +moneydaily.tk, 1 +moneydecadadia.com, 1 +moneyextra.net, 1 +moneyfactory.gov, 1 +moneyformybeer.com, 1 +moneyfuxx.com, 1 +moneygo.se, 1 +moneygrup.tk, 1 +moneymania.tk, 1 +moneymart.ca, 1 +moneymet.ru, 1 +moneymint.com, 1 +moneyniti.com, 1 +moneyonchain.com, 1 +moneypot.com, 1 +moneyreal.tk, 1 +moneyreview.gr, 1 +moneysavingpro.com, 1 +moneysmart.gov.au, 1 +moneytalks.com, 1 +moneytech.tk, 1 +moneytoday.se, 1 +monfilm.tk, 1 +monforte.tk, 1 +mongla168.net, 1 +mongla88.net, 1 +mongolbox.tk, 1 +mongolito.tk, 1 +monhomecinema.fr, 0 +monibu.org, 1 +monicadurr.com, 1 +monicahq.com, 1 +monicamallampalli.com, 1 +monicanaranjo.tk, 1 +monicapotter.tk, 1 +monicz.pl, 1 +monidenum.fr, 1 +monific.com, 0 +monika.tk, 1 +monikadesign.uk, 1 +monin.net, 1 +moninformaticien.ovh, 0 +monique.io, 1 +moniquedekermadec.com, 1 +moniquevanhoutum.nl, 1 +monirtalk.ml, 1 +monirtalks.ml, 1 +moniteaucountymo.gov, 1 +monitman.solutions, 1 +monitor-mailtracker.com, 1 +monitor365.ch, 1 +monitorashop.com.br, 1 +monitorbandwidth.net, 1 +monitorbox.jp, 1 +monitord.at, 1 +monitordownloadsers.ga, 1 +monitorga.tk, 1 +monitoring-servers.tk, 1 +monitoring.kalisz.pl, 1 +monitoringanetwork.com, 1 +monitoringd.de, 1 +monitoringminecraft.ru, 1 +monitz.de, 1 +moniva.ru, 1 +monix.io, 1 +monjardin.tk, 1 +monjo.io, 1 +monjob.tk, 1 +monkey-donkey.es, 1 +monkey47.com, 1 +monkey47.events, 1 +monkey47shuffle.com, 1 +monkeybusiness.agency, 1 +monkeymills.ga, 1 +monkeys.pt, 1 +monkeysorce.tk, 1 +monkeytek.ca, 1 +monlissagebresilien.com, 1 +monloyer.quebec, 1 +monmouthcountynj.gov, 1 +monmouthmaine.gov, 1 +monmouthor.gov, 1 +monnai.com, 1 +monnaiecourante.tk, 1 +mono-money.com, 1 +mono0x.net, 1 +monobunt.at, 1 +monocircus.com, 1 +monocles.de, 1 +monocyte.host, 1 +monodejuegos.shop, 1 +monodrama.tk, 1 +monohost.ml, 1 +monokli.tk, 1 +monolithapps.com, 1 +monolithic.tk, 1 +monolithindustries.com, 1 +monolithon.net, 1 +monongaliasheriff.gov, 1 +monophy.com, 1 +monopoly.tk, 1 +monorail.cf, 1 +monorail.ga, 1 +monorail.gq, 1 +monordibogue.com, 1 +monorthopedagogue.ca, 1 +monospazzole.roma.it, 1 +monothesis.com, 1 +monoworks.co.jp, 1 +monoxoro.tk, 1 +monpanier-procter-et-gamble.fr, 1 +monplay.host, 1 +monrabais.fr, 1 +monrasp.ddns.net, 1 +monroecountymo.gov, 1 +monroecountyny-opi.gov, 1 +monroecountysheriff-ny.gov, 1 +monroecountywv.gov, 1 +monroect.gov, 1 +monroeoregon.gov, 1 +monroetn.gov, 1 +monsalvat.no, 1 +monshoppingcestcalais.fr, 1 +monsieurbureau.com, 1 +monsieursavon.ch, 0 +monsitemoncommerce.com, 1 +monsonshoney.com.au, 1 +monstahcapital.com, 1 +monster-ryot.com, 1 +monsterandfox.co.uk, 1 +monsterarmsest.ga, 1 +monstercurves.com, 1 +monstergovt.com, 1 +monsterlinkmarketing.com, 1 +monstermashentertainments.co.uk, 1 +monsterminigames.de, 1 +monsterminus.tk, 1 +monstermoney.tk, 1 +monsternet.pl, 1 +monsternotebook.com.tr, 1 +monstersuniversity.ga, 1 +monsterx.cn, 1 +monstl.com, 1 +monstresdesfetes.com, 1 +mont-thabor.fr, 1 +montack.de, 1 +montagetravel.com, 1 +montagnainitalia.com, 1 +montagne-experience.fr, 1 +montaguehotel.com, 1 +montala.com, 1 +montalvofarret.xyz, 1 +montanabiack.de, 1 +montanacreativitymovement.tk, 1 +montanaguard.gov, 1 +montanaonlinedivorce.com, 1 +montanasky.tv, 1 +montanatrouthunters.com, 1 +montanawi.gov, 1 +montanwerk.de, 1 +montarosa.tk, 1 +montas.io, 1 +montcalmcountymi.gov, 1 +montclairca.gov, 1 +montco.today, 1 +montebelloca.gov, 1 +montehermoso.tk, 1 +montelescope.fr, 1 +montenativo.de, 0 +montenegro-yacht.com, 1 +monterey.gov, 1 +montessori-oberhaching.de, 1 +monteurzimmerfrei.de, 1 +monteurzimmerking.deals, 1 +montevue.co.za, 1 +montgomeryboroughpa-police.gov, 1 +montgomerycountyal.gov, 1 +montgomerycountyar.gov, 1 +montgomerycountyclerkoh.gov, 1 +montgomerycountyhealthky.gov, 1 +montgomerycountyia.gov, 1 +montgomerycountyil.gov, 1 +montgomerycountync.gov, 1 +montgomerycountyoh.gov, 1 +montgomerycountypa.gov, 1 +montgomeryfirm.com, 1 +montgomerynj.gov, 1 +montgomeryohio.gov, 1 +montgomeryprobatecourtal.gov, 1 +montgomerysoccer.net, 1 +montgomeryvotesal.gov, 1 +monti.fi, 1 +montiallison.com, 1 +monticelloky.gov, 1 +montillafarm.com, 1 +montoneros.tk, 1 +montop.tk, 1 +montourcounty.gov, 1 +montourcountypa.gov, 1 +montrain.com, 1 +montrain.fr, 1 +montre-luxe-occasion.com, 1 +montrealcatadoptions.com, 1 +montrealwi.gov, 1 +montredeal.fr, 1 +montres-mh-besancon.fr, 1 +montsaintaignan.fr, 1 +montuan.com.br, 1 +montychristie.com, 1 +montyvlogs.com, 1 +monvalleyphotos.com, 1 +monvanityideal.com, 1 +monvoyagedentaire.com, 1 +monweb.tk, 1 +monzaradio.tk, 1 +monzatoday.it, 1 +monzo.me, 1 +monzo.tk, 1 +moocat.me, 1 +moodfabrics.com, 1 +moodfoods.com, 1 +moodforsex.com, 1 +moodgym.com.au, 1 +moodgym.de, 1 +moodifiers.com, 0 +moodle.gq, 1 +moodle.servebbs.com, 1 +moodsta.com, 1 +moodyfss.marketing, 1 +moodyfssrequest.com, 1 +mooglms.com, 1 +mooivoet.nl, 1 +moojp.co.jp, 1 +mooka.tk, 1 +moola.market, 1 +moolah.rocks, 1 +moom20101234567890.tk, 1 +moon.fish, 1 +moonagic.com, 1 +moonagic.io, 1 +moonbench.xyz, 1 +moonbooth.com, 1 +moonboxi.tk, 1 +moonboys.de, 1 +moonbyte.at, 1 +mooncharmshop.com, 1 +moonchart.co.uk, 1 +moondoor.tk, 1 +moondrop.org, 1 +moondsee.de, 1 +moonfist.eu, 1 +moonfreak.tk, 1 +moonhaa.com.br, 1 +mooninvoice.com, 1 +moonkin.eu, 1 +moonlabs.nl, 1 +moonlanders.nl, 0 +moonlight-pr.com, 1 +moonlight-show.tk, 1 +moonlightdesign.org, 1 +moonlightlovers.com, 1 +moonlightlovers.es, 1 +moonlightpicnic.tk, 1 +moonlights.tk, 1 +moonlighttheatre.tk, 1 +moonlit.cloud, 1 +moonlit.games, 1 +moonmelo.com, 1 +moonmoondomain.com, 1 +moonpay.com, 0 +moonpay.io, 1 +moonproject.io, 1 +moonracer.ga, 1 +moonraptor.co.uk, 0 +moonraptor.com, 0 +moonrhythm.info, 0 +moonrhythm.io, 1 +moonsalutations.com, 1 +moonsama.com, 1 +moonshadow.tk, 1 +moonshyne.org, 1 +moonsmanagement.be, 1 +moonspaceart.com, 1 +moonspell.com, 1 +moonssif.com, 1 +moonue.com, 0 +moonvpn.org, 1 +moonwolfwiccanschool.tk, 1 +moonzerotwo.tk, 1 +moopro.nl, 1 +mooreandsmalley.co.uk, 1 +mooreautoglass.com, 1 +moorelife.cn, 1 +mooremi.gov, 1 +mooremillerinvestmentgroup.ca, 1 +mooremoney.co, 1 +mooresvilletribune.com, 1 +mooretownrancheria-nsn.gov, 1 +moorfunevents.co.uk, 1 +moorheadmn.gov, 1 +moormiles.com, 1 +moorparkelectrical.com, 1 +moorparkelectrician.com, 1 +moorparkexteriorlighting.com, 1 +moorparklandscapelighting.com, 1 +moorparklighting.com, 1 +moorparkoutdoorlighting.com, 1 +moorstay.com, 1 +moort.be, 1 +moosic.co, 1 +moosikapp.ml, 1 +moosikapp.tk, 1 +moosmann-moehrle.de, 1 +moosmaus.tk, 1 +moot-info.co.za, 1 +moov.tk, 1 +moova.io, 1 +moove-it.com, 1 +moovemais.com.br, 1 +mopak.tk, 1 +moparcraft.com, 1 +moparcraft.net, 1 +moparcraft.org, 1 +moparinsiders.com, 1 +moparisthe.best, 1 +moparisthebest.com, 1 +moparisthebest.net, 1 +moparisthebest.org, 1 +moparpartsgiant.com, 1 +moparscape.net, 1 +moped-versichern.de, 1 +mopedpress.com, 1 +mopedreifen.de, 0 +mopie.de, 1 +moplay.org, 1 +mopliangxing.com, 1 +mopoclub.ru, 1 +moppeleinhorn.de, 1 +moppelito.tk, 1 +moppenfactory.tk, 1 +moquettes.roma.it, 1 +moquiridatabuaria.com.br, 1 +mor.estate, 0 +mora.pl, 1 +moracont.com, 1 +moradali.tk, 1 +moralcenter.cf, 1 +moralcompass.ga, 1 +moraldehornuez.tk, 1 +moraliswimwear.com, 1 +morandofora.com.br, 0 +moranyachts.com, 1 +morata.tk, 1 +moratilla.ml, 1 +moravostavdruzstvo.cz, 1 +morawiecki.pl, 1 +moraxyc.com, 1 +morbatex.com, 1 +morbitiles.org, 1 +morbius.cz, 1 +morbotron.com, 1 +morc.me, 1 +morchstore.com, 1 +mord-ost.de, 1 +mordamla.com, 1 +mordelles-altitude.fr, 1 +mordovia.cf, 1 +mordovia.ga, 1 +mordovia.gq, 1 +mordovia.tk, 1 +mordoviya.tk, 1 +more-hikkoshi.com, 1 +more-terrain.de, 1 +moreal.co, 1 +moreapp.co.uk, 1 +morebus.co.uk, 1 +morechance.de, 1 +morecigarettes.tk, 1 +morecreativelife.com, 1 +morediets.net, 1 +moreeducation.tk, 1 +morehertz.com, 1 +morehopefoundations.org.uk, 1 +morellilaw.com, 1 +moremindsbetter.com, 1 +morenadacentral.tk, 1 +morenci.ch, 1 +moreniche.com, 1 +moreno820.com.ar, 1 +moreoptimal.com, 1 +moreoptimal.world, 1 +morepablo.com, 1 +moreshop.pl, 1 +morespacestorage.co.uk, 1 +moresw.com, 1 +moretesting.tk, 1 +morethanautodealers.com, 1 +morethancode.be, 1 +morethandigital.info, 1 +moretti.camp, 1 +morevesi.cf, 1 +morewithcore.com, 1 +morfide.com, 1 +morgan-insurance.com, 1 +morgancounty-al.gov, 1 +morgancounty-il.gov, 1 +morgancountymo.gov, 1 +morgancountysheriffal.gov, 1 +morgancountyutah.gov, 1 +morgandesort.com, 1 +morganeb.be, 1 +morgansleisure.co.uk, 1 +morganton.com, 1 +morganwilder.com, 1 +morgengold.de, 1 +morghochak.com, 1 +morgner.com, 1 +mori-cdc.com, 1 +morindesrochersbeaulieu.ca, 1 +morinomiyako-a.co.jp, 1 +morioh.com, 1 +morisakimikiya.com, 1 +morishoji-english-school.com, 0 +moritoworks.com, 1 +moritz-baestlein.de, 1 +moritzkornher.de, 1 +moritztremmel.de, 1 +moriz.de, 1 +moriz.net, 1 +morke.tk, 1 +morleyeaglesteeball.org, 1 +morleygrainger.com, 1 +mormon-colleges.com, 1 +mormonleaks.io, 1 +mormonvoiceers.ga, 1 +mormonvoiceest.ga, 1 +mornatales.tk, 1 +morningbird.eu, 1 +morningcurve.com, 0 +morninggarden.com, 1 +morningstar.moe, 1 +morningstaruniversityonline.com, 1 +moro-gastro.de, 1 +moroccanews.tk, 1 +moroccofriendlytravel.com, 1 +moroccomiami.com, 1 +moroccotodaynews.ga, 1 +moroccotouristguide.com, 1 +moroccotravelingcars.com, 1 +moroccounfiltered.com, 1 +morocotacoin.news, 1 +morogoro.tk, 1 +morooi.cn, 1 +morosystems.cloud, 1 +morox.top, 1 +moroz.cx, 1 +morozko.gq, 1 +morozstudio.tk, 1 +morozyaka.tk, 1 +morph3d.tk, 1 +morphed.io, 1 +morpheusdata.com, 1 +morphisec-utp.com, 1 +morphitattachments.com.au, 1 +morphysm.co, 1 +morphysm.com, 1 +morphysm.de, 1 +morphysm.io, 1 +morphysm.org, 1 +morrellllc.com, 0 +morrharet.se, 1 +morris.computer, 1 +morrisvillemo.gov, 1 +morrisvillenc.gov, 1 +morrowga.gov, 1 +morrowind-finland.tk, 1 +morsang.net, 1 +morselife.org, 1 +morshedinterior.com, 1 +mortaltorment.tk, 1 +mortebrume.eu, 1 +mortengamstpedersen.tk, 1 +mortezaafri.tk, 1 +mortgagecalculator.biz, 1 +mortgageexpert.io, 1 +mortgagetranslations.gov, 1 +mortis.eu, 1 +mortonmspd.gov, 1 +morus.tk, 1 +morvo.mx, 1 +mos-camin.ru, 1 +mosa.guru, 1 +mosa.tk, 1 +mosaic-design.ru, 1 +mosaically.com, 1 +mosaicmarble.com, 1 +mosaicot.com, 1 +mosaique-lachenaie.fr, 1 +mosam.ru, 1 +mosautoshina.ru, 1 +mosboutique.it, 1 +moscardino.net, 1 +moscomes.com, 1 +moscow-moscow.tk, 1 +moscow-new.cf, 1 +moscow.tk, 1 +moscow001.com, 1 +moscowlove.tk, 1 +moscownews.ml, 1 +moscownights.org, 0 +moscowsex.tk, 1 +moscowtimes.tk, 1 +mosdosug.ml, 1 +mosdot.org.il, 1 +moseic.com, 1 +moselwi.gov, 1 +moserhof.it, 1 +moservice.id, 1 +mosfet.cz, 1 +mosfetkiller.de, 1 +mosharof-hossain.ml, 1 +moshaver-tahsili.com, 1 +moshavergroup.com, 1 +moshcore.tk, 1 +moshenniki.cc, 1 +moshiach.ru, 1 +moshiachtime.com, 1 +moshop.com.vn, 1 +moshwire.com, 1 +mosin.org, 1 +mosio.com, 1 +moskas.tk, 1 +moskeedieren.nl, 1 +moskva-city.cf, 1 +moskva-kamen.ru, 1 +moskvagruz.tk, 1 +moskvitch.org, 1 +mosmirmebeli.com, 1 +mosnews.tk, 1 +moso.io, 1 +mosobl.tk, 1 +mosquito-code.com, 1 +mosquito-sklep.pl, 1 +mosquitojoe.com, 1 +mossan.net, 1 +mosscade.com, 1 +mosselle.ro, 1 +mosshi.be, 1 +mossipanama.com, 1 +mossplants.ru, 1 +mossylog.tk, 1 +most.tk, 1 +mostafabanaei.cf, 1 +mostardela.pt, 0 +mostazaketchup.com, 1 +mostbet.com, 1 +mostbet2.com, 1 +mostbetr.com, 1 +mostdisturbingnews.com, 1 +mosternaut.com, 1 +mostfamousbirthdays.com, 1 +mostlyharmless.at, 1 +mostlyoverhead.com, 1 +mostmost.tk, 1 +mostqbalwatanalqahirah.com, 1 +mostquoted.com, 1 +mosttaza.com, 1 +mostware.nl, 0 +mosurist.tk, 1 +moswand.nl, 1 +motability.co.uk, 1 +motchirotchi.com, 1 +motd.ch, 1 +motekforce.link, 1 +motekforcelink.com, 1 +motekforcelink.eu, 1 +motekforcelink.net, 1 +motekforcelink.nl, 1 +motekmedical.com, 1 +motekmedical.eu, 1 +motekmedical.nl, 1 +motekrysen.com, 0 +moteksystems.com, 1 +moteksystems.net, 1 +motezazer.fr, 1 +moth.monster, 1 +motherboard.services, 1 +motherbrain.tk, 1 +motherearth.cf, 1 +mothereff.in, 0 +motherguru.ca, 0 +motherhood.se, 1 +motherhoodinblack.com, 1 +motherlondon.com, 1 +motherofsorrows.net, 1 +mothership.de, 1 +mothersmediaonline.ga, 1 +motichi.cf, 1 +motifstudio.com.ua, 1 +motion504.com, 1 +motional.com, 1 +motiondata-vector.at, 1 +motiondata-vector.com, 1 +motiondreamatix.de, 1 +motionglobeers.ga, 1 +motionory.com, 1 +motiv-rechts.tk, 1 +motiva.health, 1 +motivation.cc, 1 +motivational-babes.com, 1 +motivationalliance.com, 1 +motivness.com, 1 +motivo.nl, 0 +motiweb.fr, 1 +motlife.net, 0 +moto-texnika.tk, 1 +motoactionimola.it, 1 +motoblogism.com, 1 +motoboxbrasil.com.br, 1 +motobrasilferramentas.com.br, 1 +motochileneta.tk, 1 +motoclubentresemana.tk, 1 +motoclubrker.tk, 1 +motocrosssite.tk, 1 +motodb.co.uk, 1 +motodb.net, 1 +motodb.uk, 1 +motodeal.com.ph, 1 +motof.tk, 1 +motoforce.lt, 1 +motofoto.tk, 1 +motogb.net, 1 +motogrupblanes.tk, 1 +motohell.com, 1 +motojato.com.br, 1 +motokados.tk, 1 +motoland.ml, 1 +motolife.tk, 1 +motolinesupply.com, 1 +motomorgen.com, 1 +motonline.com.br, 1 +motor-agro.com, 1 +motor-agro.com.ua, 1 +motor-agro.ru, 1 +motor-cycles.tk, 1 +motor-forum.nl, 1 +motor1.com, 1 +motorbiketenerife.com, 1 +motorbiketourhanoi.com, 1 +motorcitycasino.com, 1 +motorcyclecentral.net, 1 +motordearranque.com.br, 1 +motoridiricerca.tk, 1 +motorinews24.com, 1 +motorkohler.es, 1 +motorline.ru, 1 +motorparts-images.nl, 1 +motorparts-online.com, 1 +motorring.ru, 1 +motorslopers.tk, 1 +motorspeed.de, 1 +motorsplus.com, 0 +motorsport-passion.com, 1 +motorst.dk, 1 +motortg.it, 1 +motortrend.com, 1 +motorways.tk, 1 +motorwrappen.nl, 1 +motoryachtclub-radolfzell.de, 1 +motorz.ca, 1 +motorzone.od.ua, 1 +motoscooter.eu, 1 +motoselfservices.fr, 1 +motospaya.com, 1 +motostyle.ua, 1 +mototax.ch, 1 +mototeam.tk, 1 +mototec.it, 1 +mototsi.com, 1 +mototuristas.tk, 1 +motovaruosad.ee, 1 +motovated.co.nz, 0 +motovio.de, 1 +motovrienden.tk, 1 +motowilliams.com, 1 +motoworld.biz, 1 +motransportinfo.com, 1 +motri-projekt.tk, 1 +motringeneric.tk, 1 +motshop.tk, 1 +motstats.co.uk, 1 +mott.pe, 1 +motte.tattoo, 1 +motto-iikoto.com, 1 +motum.no, 1 +motum.se, 1 +motumblekinge.se, 1 +motumport.se, 1 +motumskane.se, 1 +motun.ga, 1 +mou-pmr.tk, 1 +moube.fr, 1 +mouche.fr, 1 +moucloud.cn, 1 +mouff.li, 1 +mouldboard.ga, 1 +moulin-pomerol.com, 1 +moultonpdtx.gov, 1 +moultriecountyil.gov, 1 +mound.ga, 1 +moundvillewi.gov, 1 +mounimaharaj.tk, 1 +mouniresidences.com, 1 +mountain-retreat-center.com, 1 +mountain-rock.ru, 1 +mountainairandheating.com, 1 +mountainbatchers.de, 1 +mountainbell.net, 1 +mountainchalet.blue, 1 +mountaincitytx.gov, 1 +mountaindiscovery.org, 1 +mountaingrovemo.gov, 1 +mountainprotocol.com, 1 +mountainsandmist.com, 1 +mountainsmokes.com, 0 +mountainspiritinn.com, 1 +mountainspringsrentals.ca, 1 +mountainstage.org, 1 +mountaintree.net, 1 +mountainutilities.eu, 1 +mountairymd.gov, 1 +mountbatten.cz, 1 +mountbrowneguestcottage.ga, 1 +mountcarrollil.gov, 1 +mountclemens.gov, 1 +mountdora.gov, 1 +mountfield.co.nz, 1 +mountjoy.school, 1 +mountknowledge.nl, 1 +mountpost.tk, 1 +mountvernonin.gov, 1 +mountvictoryohio.gov, 1 +mountwashington-ma.gov, 1 +mountzdisposal.com, 1 +mouracloset.com.br, 1 +mourassiloun.com, 1 +mouse-ps.com, 1 +mouseflow.com, 1 +mousepotato.uk, 1 +moushed.tk, 1 +moussa-ibrahim.ml, 1 +moutiezhaller.com, 1 +mov, 1 +mova.club, 1 +movabletype.net, 1 +movacare.de, 1 +movaci.com, 1 +moval.gov, 1 +move-out-cleaning.co.uk, 1 +moveceara.com.br, 1 +movefi.com.br, 1 +moveissul.com.br, 1 +moveltix.net, 1 +movemais.com, 1 +movember.com, 0 +moveme.ca, 0 +movementhub.org, 1 +movementsodom.tk, 1 +moveon4.com, 1 +moveon4.de, 1 +moveonca.com, 1 +moveonfr.com, 1 +moveonlite.com, 1 +moveonru.com, 1 +movepin.com, 1 +movetonewcastle.com.au, 1 +movewellnesslab.com, 1 +movewithfiness.com, 1 +moveyourass.tk, 1 +movfun.ga, 1 +movie-download.cz, 1 +movie-infos.net, 1 +movie-sounds.org, 1 +movie1000.com, 1 +movieboost.nl, 1 +moviebox.com, 1 +movieeveningers.ga, 1 +movieeveningest.ga, 1 +moviefreeze.com, 1 +movieglot.ml, 1 +movieguys.org, 1 +moviejack.org, 0 +moviemadness.uk, 1 +movieoldiesest.ga, 1 +movieredeem.com, 1 +movies-diploma.fun, 1 +movies-fan.tk, 1 +movies1977.ga, 1 +movies4us.me, 1 +moviesetc.net, 1 +moviesrules.tk, 1 +moviestodownload.tk, 1 +movietopper.ml, 1 +movietradition.tk, 1 +moviewatchin.tk, 1 +movihut.com, 1 +moviko.nz, 1 +movil.uno, 1 +movilandroide.com, 1 +moviles.com, 1 +moviltronix.com, 1 +movimento-terra.it, 1 +movimentoterra.roma.it, 1 +moving-pixtures.de, 1 +movingjokesers.ga, 1 +movingjokesest.ga, 1 +movinglogistics.nl, 0 +movingoklahoma.org, 1 +movingservice-houston.com, 1 +movingtohttps.com, 1 +movio.ga, 1 +moviro.net, 1 +movlib.org, 1 +movnest.com, 1 +mowercountymn.gov, 1 +mowing-the-lawn.com, 1 +mowsey.org, 1 +mowster.com, 1 +mowster.net, 1 +moxfield.com, 1 +moxiegirlz.id, 1 +moy-biznes.tk, 1 +moy-gorod.od.ua, 0 +moy-ogorod.info, 1 +moy-urozhay.info, 1 +moy.cat, 1 +moybiznes.tk, 1 +moyer.pub, 0 +moylen.eu, 1 +moyminsk.tk, 1 +moyobi.com, 0 +moyogorod.info, 1 +moyu.host, 0 +moyufangge.com, 1 +moz.idv.tw, 1 +mozambiquetravel.com, 1 +mozartgroup.hu, 1 +mozektevidi.net, 1 +mozfr.org, 1 +mozgb.ru, 1 +mozgovoy.tk, 1 +mozilla-russia.org, 1 +mozilla.cz, 1 +mozo.com.au, 1 +mozzak.tk, 1 +mozzez.de, 1 +mozzi.online, 1 +mozzilla.cz, 1 +mp-bln.de, 1 +mp.gov.in, 1 +mp.org, 1 +mp3.tj, 1 +mp3cut.net, 1 +mp3gratuiti.com, 0 +mp3musicfind.ga, 1 +mp3noi.com, 1 +mp3skull.cf, 1 +mp3sort.biz, 0 +mpa-pro.fr, 1 +mpadegree.org, 1 +mpak.tk, 1 +mpamag.com, 1 +mpc-hc.org, 1 +mpc-view.net, 1 +mpcforum.pl, 1 +mpcmsa.org, 1 +mpdu.tk, 1 +mpebrasil.tk, 1 +mpetroff.net, 1 +mpfront.com, 1 +mpg.gg, 1 +mpg.ovh, 1 +mpgaming.pro, 1 +mpgu.tk, 1 +mphold.ru, 1 +mphprogram.com, 1 +mphprogramslist.com, 1 +mphq.de, 1 +mphwinkel.nl, 1 +mpi-sws.org, 1 +mpi.org, 1 +mpiac.com, 1 +mpk-chayka.org.ua, 1 +mpkrachtig.nl, 1 +mplanetphl.fr, 0 +mplant.io, 1 +mpodraza.eu, 1 +mpodraza.pl, 1 +mpool.eu.org, 1 +mpool.live, 1 +mpornoindir.tk, 1 +mpowr.com, 1 +mpps.it, 1 +mprep.info, 1 +mprsco.eu, 1 +mpsctriskelions.tk, 1 +mpserver12.org, 1 +mpsi1.fr, 1 +mpso.it, 1 +mpsoundcraft.com, 1 +mptdom.com, 1 +mptenders.gov.in, 1 +mptool.pt, 1 +mpu-ibbi.de, 1 +mpu-vorbereitung.com.de, 1 +mpy.ovh, 1 +mqacg.com, 1 +mqas.net, 1 +mqbeauty.com.tw, 1 +mqbx.nl, 1 +mr-7.ru, 1 +mr-a.de, 1 +mr-anderson.org, 0 +mr-bills.com, 1 +mr-brown.tk, 1 +mr-coffee.net, 1 +mr-englischkurse.de, 1 +mr-labo.jp, 1 +mr-moulding-knives.com, 0 +mr-plomberie.com, 0 +mr-wolf.nl, 0 +mr.bet, 1 +mr0.de, 1 +mr1310.com, 1 +mr1xbet.com, 1 +mr3.io, 1 +mr8.de, 1 +mraag.xyz, 1 +mrafrohead.com, 1 +mragroup.net, 1 +mrak.blog, 0 +mralonas.cf, 1 +mralonas.ga, 1 +mralonas.gq, 1 +mralonas.ml, 1 +mralonas.tk, 1 +mramor.ml, 1 +mrandmrsparrot.gr, 1 +mrandyyp.com, 1 +mranimal.tk, 1 +mrazek.biz, 1 +mrbeardcbd.es, 1 +mrbighungary.hu, 1 +mrbounce.com, 1 +mrbouncescrazycastles.co.uk, 1 +mrbouncycastle.com, 1 +mrbusiness360.com, 1 +mrc-productivity.com, 1 +mrca-sharp.com, 0 +mrcelulares.co, 1 +mrclutch.com, 1 +mrcog.tk, 1 +mrcomer.tk, 1 +mrcool.com, 1 +mrcool.store, 1 +mrcooldiy.ca, 1 +mrcooldiy.com, 1 +mrcoolevents.com, 1 +mrcoolfranchise.com, 1 +mrcoolfranchising.com, 1 +mrcooluniversal.ca, 1 +mrcooluniversal.com, 1 +mrcyberpixel.tk, 1 +mrd-rc.com, 1 +mrd-v.com, 1 +mrd.ninja, 1 +mrdatenschutz.de, 1 +mrdayman.com, 1 +mredsanders.net, 1 +mrenegades.com, 1 +mrephrase.com, 1 +mrevolution.eu, 1 +mrewards-production.herokuapp.com, 1 +mrewards-uat.herokuapp.com, 1 +mrfactors.com, 1 +mrfd.nl, 1 +mrfindfix.com, 1 +mrfinka.ml, 1 +mrformaltuxedos.com, 1 +mrfreshtruck.com, 1 +mrg-srv.ru, 1 +mrg-team.ru, 1 +mrgeek.ru, 1 +mrgstaticcdn.ru, 1 +mrgstaticcontent.ru, 1 +mrguider.org, 1 +mrgusercontent.ru, 1 +mrgutternj.com, 1 +mrhc.ru, 1 +mrhost.biz, 1 +mri.community, 1 +mrichard333.com, 1 +mricspatial.com, 1 +mrik.jp, 1 +mrinalpurohit.in, 1 +mrizzio.com, 1 +mrjbanksy.com, 1 +mrjo.sh, 1 +mrjunior.ga, 1 +mrjunior.ml, 1 +mrkapowski.com, 0 +mrknee.gr, 1 +mrkrabat.de, 1 +mrliu.me, 1 +mrlove.tk, 1 +mrmad.com.tw, 1 +mrmanson.tk, 1 +mrmarcie.com, 1 +mrmemory.co.uk, 1 +mrmeomeo.xyz, 1 +mrmn.nl, 1 +mrmoregame.de, 1 +mrmosier.tk, 1 +mrmostafaacademy.tk, 1 +mrnabetterlife.com.sg, 1 +mrnathanpowell.com, 1 +mrnh.tk, 1 +mrnice.ml, 1 +mrnonz.com, 1 +mrnordic.com, 1 +mrpanipiales.com, 1 +mrpcap.com, 1 +mrpetersen.de, 1 +mrplates.co.nz, 1 +mrplates.co.uk, 1 +mrplates.com.au, 1 +mrpluss.ml, 1 +mrpricegroup.com, 1 +mrrjva.gov, 1 +mrs-labo.jp, 1 +mrs-shop.com, 1 +mrsbairds.com, 0 +mrschristine.com, 1 +mrsejf.cz, 1 +mrshahin.cf, 1 +mrshang.tk, 1 +mrsheep.win, 1 +mrshish.com.au, 1 +mrsiding.net, 1 +mrsjinthelibrary.com, 1 +mrsk.me, 1 +mrssclaus.ca, 1 +mrstat.co.uk, 1 +mrston.ml, 1 +mrstuudio.ee, 1 +mrtg.com, 1 +mrtieungao.tk, 1 +mrtskidkispb.ru, 0 +mrtunnel.club, 1 +mru.org, 1 +mruczek.trade, 1 +mruczek.wiki, 1 +mruganiepodspacja.pl, 1 +mruniver.se, 1 +mrupert.com, 1 +mrux.io, 1 +mrux.pl, 1 +mrv.li, 1 +mrvl.net, 1 +mrvnt.co, 1 +mrwacky.com, 1 +mrwen.net, 1 +mrwindow.co.uk, 1 +mrwp.ru, 1 +mrwrestling.tk, 1 +mrxn.net, 1 +mrzonk.cf, 1 +ms-australia.de, 1 +ms-ch.ch, 1 +ms-fassmoebel.de, 1 +ms-wissenschaft.de, 0 +ms295.com, 0 +ms67pta.org, 1 +msa-aesch.ch, 1 +msa.bank, 1 +msahebhonar.com, 1 +msaludasuhogar.com, 1 +msar.eu, 1 +msbdocs.com, 1 +msc-corps.de, 1 +mscc.mu, 1 +mscc.org, 1 +msch.pw, 1 +mschuessler.org, 1 +msda23.gov, 1 +msdnicrosoft.cn, 0 +msdprojectclearmo.gov, 1 +msebera.cz, 1 +msedkiewicz.pl, 1 +mselectronique.tk, 1 +mserve.ddns.net, 1 +mservers.cz, 1 +msfishingcharter.com, 1 +msgallery.tk, 1 +msgauctions.com, 1 +msgr.com, 1 +msgroupitaly.com, 1 +msgs.ee, 1 +msgtrust.com, 1 +msh100.uk, 1 +msha.gov, 1 +mshastanddown.gov, 1 +mshemailmarketer.com.au, 1 +mshgame.ga, 1 +msi-zlin.cz, 1 +msiegmund.com, 1 +msieursvp.fr, 1 +msig-thai.com, 1 +msinc.ru, 1 +msisupplyinc.com, 1 +msize48.ch, 1 +msk-balkon.ru, 1 +msklawyer.com, 1 +msktc.org, 1 +mslivros.com.br, 1 +msm-data.com, 1 +msm.ai, 1 +msmails.de, 1 +msmeble.pl, 1 +msmetana.cz, 1 +msn.cn, 1 +msn.com, 1 +msnarzedzia.pl, 1 +msncash.cf, 1 +msnedu.org, 1 +msngr.com, 1 +msnhdd.info, 1 +msnr.net, 1 +msoc.gent, 1 +msoffice-inc.net, 1 +msoida.me, 1 +msoll.de, 1 +msoll.eu, 1 +msoutlook.info, 1 +msp.com.au, 1 +msp66.de, 0 +mspark.tk, 1 +mspatexas.com, 1 +mspcc.org, 1 +msphotographics.de, 0 +mspnocsupport.com, 1 +msprealestateinc.com, 1 +mspsocial.net, 1 +msquadrat.de, 0 +msquared.id.au, 1 +msr-schaltanlagen.de, 1 +msrf.de, 1 +msroot.de, 1 +msrumon.com, 1 +mss6.com, 1 +mssa.jp, 1 +msscholz.de, 1 +mssm-portal.com, 1 +mssora.com, 1 +mssys.de, 0 +mstazakka.com, 1 +mstdn.blue, 1 +mstdn.fm, 1 +mstdn.fr, 1 +mstdn.im, 1 +mstdn.in.th, 1 +mstdn.io, 1 +mstdn.party, 1 +mstever.com, 1 +mstr-f-dstrctn.de, 1 +mstridde.de, 1 +mstudio.tk, 1 +msu.edu.tr, 1 +msuess.me, 1 +msuna.net, 1 +msv-limpezas.pt, 1 +msvbeveiliging.nl, 1 +mswdtemplate.com, 1 +msx.org, 1 +msyndicate.com, 1 +msz-fotografie.de, 1 +mszavodumiru.cz, 1 +mt-bank.jp, 1 +mt-tech.fi, 1 +mt-west.org, 1 +mt.run, 0 +mt.search.yahoo.com, 0 +mt1016.com, 1 +mt1130.com, 1 +mt2414.com, 1 +mt2ofx.tk, 1 +mt4professional.com, 1 +mta-sts.email, 1 +mta-sts.eu, 1 +mta-sts.nl, 1 +mta.fail, 1 +mta.org.ua, 1 +mtabriz.de, 1 +mtane0412.com, 0 +mtangel.gov, 1 +mtap.in, 1 +mtasa.hu, 1 +mtasts.xyz, 1 +mtataes.gov.ma, 1 +mtauburnassociates.com, 1 +mtb.wtf, 1 +mtbfoodie.com, 1 +mtboutiques.com, 1 +mtcoks.gov, 1 +mtcq.jp, 1 +mtd.org, 1 +mtd.ovh, 1 +mtdnrc.gov, 1 +mte-online.com, 1 +mte.sk, 1 +mtechprecisioninc.com, 1 +mtehe-square.com, 1 +mtel.gr, 1 +mteleport.net, 1 +mtelizabeth.com, 1 +mtf.party, 1 +mtf.rip, 1 +mtf.wiki, 1 +mtfgnettoyage.fr, 1 +mtfwiki.com, 1 +mtfwiki.lgbt, 1 +mtfwiki.net, 1 +mtfwiki.org, 1 +mtfwiki.xyz, 1 +mtgoptex.com, 1 +mtgsuomi.fi, 1 +mthd.link, 1 +mthode.org, 1 +mthrbrd.com, 1 +mthrbrd.net, 1 +mths.be, 0 +mticareportal.com, 1 +mtinz.com, 1 +mtirc.co, 1 +mtjoytwppa.gov, 1 +mtkhs.com, 1 +mtlabs.jp, 1 +mtlconcerts.com, 1 +mtlebanonbaptist.church, 1 +mtlegnews.gov, 1 +mtltransport.com, 1 +mtludlow.co.uk, 1 +mtmedia.org, 1 +mtn-media.de, 1 +mtnc.nl, 1 +mtncoi-coe.com, 1 +mtnvalleyhospice.org, 1 +mtnwebwiz.com, 1 +mtoma.tk, 1 +mtouch.facebook.com, 0 +mtp-services.fr, 1 +mtpa.live, 1 +mtpleasant-tn.gov, 1 +mtr-croatia.tk, 1 +mtr.md, 1 +mtr123.cn, 0 +mtravelers.net, 1 +mtredistricting.gov, 1 +mtrx.tech, 1 +mts-energia.eu, 1 +mts-global.com, 1 +mtsafe.gov, 1 +mtsoftware.com.au, 1 +mtstandard.com, 1 +mtthwbrd.com, 1 +mttoubkaltrek.com, 1 +mtv.re, 1 +mtvernonlisbonpd-ia.gov, 1 +mtvroadies.tk, 1 +mtw.org, 1 +mtwolfpa.gov, 1 +mtz-bu.gq, 1 +mtz-info.gq, 1 +mtz-sng.gq, 1 +mtz80-mtz82.gq, 1 +mtzbelarus.gq, 1 +mtzfederico.com, 1 +mu-sigma.com, 1 +mu-thunder.online, 1 +mu-venezuela.tk, 1 +mu-wi.gov, 1 +mu.ax, 1 +mu.search.yahoo.com, 0 +mu00.org, 1 +mu105.cc, 1 +mu3e.com, 1 +mu3on.com, 1 +muabannhanh.com, 0 +muac-innolab.eu, 1 +muafakatmalaysia.ga, 1 +muafakatmalaysia.gq, 1 +muafakatmalaysia.ml, 1 +muanhamy.vn, 1 +muarstabyggmarknad.tk, 1 +mubase.dk, 1 +muble.tk, 1 +muc.space, 1 +muceniece.tk, 1 +muchamiel.nl, 1 +muchbetterthancash.com, 1 +muchisimos.com, 1 +muchohentai.com, 1 +muchoruidoacademy.com, 1 +muchotrolley.tk, 1 +muckingabout.eu, 1 +muclan.tk, 1 +mucmail.de, 1 +mucustoms.com, 1 +mudanzasjuniorh.com, 1 +mudanzaspacifico.com, 1 +mudanzasuiza.com.ec, 1 +mudanzasytransportesbh.com, 1 +mudaomundo.org, 1 +mudareganhar.pt, 0 +mudasobwa.tk, 1 +mudbenesov.cz, 1 +mudcomplex.ga, 1 +mudcomplexers.ga, 1 +mudcrab.us, 0 +muddy-bugs.co.uk, 1 +muddy-landrover.tk, 1 +mudey.pt, 1 +mudgezero.one, 1 +mudit.xyz, 0 +mudla.net, 1 +mudpiles.cat, 1 +mudramagik.com, 1 +mudrc.net, 1 +mudrex.com, 1 +mudrockrentals.com, 1 +muelhau.pt, 1 +muell-weg.de, 1 +muellapp.com, 0 +mueller-starck.de, 1 +mueller5.eu, 1 +muellerurology.com, 1 +muenchberger.com, 0 +muennich-coll.de, 1 +muenzen.tk, 1 +muenzenforum.tk, 1 +mufi.ga, 1 +mufibot.net, 1 +mufid.tk, 1 +muflon-linux.org, 1 +muga.space, 1 +muganworld.com, 1 +mugawe.com, 1 +mugdost.com, 1 +mugen.technology, 1 +mugfanatic.com, 1 +mugrabyhostel.tk, 1 +mugsstumpaward.com, 1 +muguayuan.com, 1 +muh.io, 1 +muhabarishaji.com, 0 +muhabbet.org, 1 +muhafazakarkiralikvilla.com, 1 +muhammadal-behairi.clinic, 1 +muhammadlukman.ml, 1 +muhammadmunif.ml, 1 +muhammed.tk, 1 +muhanov.net, 1 +muhanova.com, 1 +muhasebeci.org, 1 +muhasebekurslari.tk, 1 +muhcow.dk, 1 +muhibbulislam.tk, 1 +muhiminulhasan.me, 1 +muhlenbergtwppa.gov, 1 +muhrielle.org, 1 +mui.com, 1 +mui.fitness, 1 +mui.kitchen, 1 +mui.news, 1 +mui.pet, 1 +mui.today, 1 +muii.com.br, 1 +muilties.com, 1 +muir.eu.org, 1 +muir.fun, 1 +muir.pp.ua, 1 +muisoft.fi, 1 +muizenpagina.tk, 1 +muizenpuntje.tk, 1 +muj-sejf.eu, 1 +mujemail.ml, 1 +mujerescolombianas.tk, 1 +mujeresfemeninas.com, 1 +mujlinux.cz, 1 +mujoco.org, 1 +muk-kobetsu.com, 1 +mukli.hu, 1 +muku-flooring.com, 1 +mukwa.gov, 1 +mula.tk, 1 +mulaisehat.com, 1 +mulberryar.gov, 1 +mulberryfirear.gov, 1 +mulberrypolicear.gov, 1 +mulchexpressusa.com, 1 +mulder.social, 1 +mulderfamilie.tk, 1 +mulej.net, 1 +mulheres18.com, 1 +muling.lu, 1 +mulk.hopto.org, 1 +mullen.net.au, 1 +mullens-usedcars.be, 1 +mullerkappers.nl, 1 +mullett-townshipmi.gov, 1 +mullinsfarms.com, 1 +muloot.de, 1 +multerer.biz, 1 +multi-cryptex.gq, 1 +multi-fruit.tk, 1 +multi-pribor.ru, 1 +multi-soudures.fr, 1 +multi-tool.ml, 1 +multi-vpn.biz, 1 +multiagent.tk, 1 +multiasistencia.com, 1 +multibomasm.com.br, 1 +multichange.net, 1 +multiclinicacardio.com.br, 1 +multicoin.capital, 0 +multiconsumos.tk, 1 +multicore.cl, 1 +multicorpbra.com, 1 +multifamily.loans, 1 +multigamecard.com, 1 +multigeist.de, 1 +multigo.ru, 1 +multihobby.tk, 1 +multikalender.de, 0 +multilevelmarketing.cf, 1 +multiline.ge, 1 +multilingualpress.org, 1 +multilogik.com, 1 +multimalin.ovh, 1 +multimatte.com, 1 +multimedia-pool.com, 1 +multimedia.or.jp, 1 +multimediaworld.tk, 1 +multimediosmonti.com, 1 +multipassword.com, 1 +multipleapi.de, 1 +multiplex-rc.de, 1 +multiplex.tk, 1 +multiplexcy.com, 1 +multiplier-effect.org, 1 +multiplies.tk, 1 +multiply.co.za, 1 +multipotential-labo.com, 1 +multipuntos.ml, 1 +multirep.ch, 0 +multiroom-streaming.de, 1 +multischool.tk, 1 +multisite.ovh, 1 +multispaninc.com, 1 +multisportaustralia.com.au, 1 +multistas.tk, 1 +multitec.nl, 1 +multitek.no, 1 +multitenantlaravel.com, 1 +multiterm.org, 1 +multitheftauto.com, 1 +multitool.cf, 1 +multitraf.ga, 1 +multivideo.tk, 1 +multivpn.biz, 1 +multivpn.cn.com, 1 +multivpn.co.uk, 1 +multivpn.com.de, 1 +multivpn.com.ua, 1 +multivpn.fr, 1 +multivpn.su, 1 +multnomahvotes.gov, 1 +multsearch.eu.org, 1 +multymaq.com, 0 +mum.ceo, 1 +mum.lu, 1 +muma.cf, 1 +muma.ml, 1 +mumbaionlinegifts.com, 1 +mumbairoleplay.tk, 1 +mumble.be, 1 +muminkoykiran.com, 1 +mummatters.com.au, 1 +mummyandmephotography.com, 1 +mumolabs.com, 1 +mumszab.se, 1 +mumusofa.com.tw, 1 +muna.de, 1 +munakata-cl.jp, 1 +munch.me, 1 +munchcorp.com, 1 +mund-interdisziplinaer.com, 1 +mundo-otaku.tk, 1 +mundoalba.tk, 1 +mundoarabe.com.br, 1 +mundobizarro.tk, 1 +mundocompleto.tk, 1 +mundocristiano.tk, 1 +mundodalua.tk, 1 +mundodasmensagens.com, 1 +mundodastribos.com, 1 +mundodewill.com.br, 1 +mundodocurioso.com.br, 1 +mundodosagapornis.tk, 1 +mundoemalerta.com, 1 +mundofoto.tk, 1 +mundofriki.es, 1 +mundogamers.top, 1 +mundoinfrarrojo.com, 1 +mundojoven.tk, 1 +mundokia.com.co, 0 +mundokinderland.com.br, 1 +mundomagicotv.com, 1 +mundomovie.tk, 1 +mundonow.com, 1 +mundopatchwork.online, 1 +mundoperfecto.net, 1 +mundorealtv.tk, 1 +mundosat.com, 1 +mundoscrapbooking.online, 1 +mundoseth.tk, 1 +mundosteampunk.club, 1 +mundosuiri.ml, 1 +mundschenk.at, 1 +mundtec.com.br, 1 +munduberriak.com, 1 +munduch.cz, 1 +munduch.eu, 1 +muneni.co.za, 1 +munera.ca, 1 +munfordtn.gov, 1 +munialajuela.go.cr, 1 +munibilling.com, 1 +munich-eventlocations.de, 1 +municipioseducadores.es, 1 +munihei.de, 1 +muniplus.com.ar, 1 +munkeeboi.com, 1 +munki.org, 1 +munnezza.tk, 1 +munroads.com, 1 +muntajati-om.com, 0 +muntproever.nl, 1 +muntstuk.com, 1 +munwr.com, 0 +munzlocal10.org.nz, 1 +muoivancauhoivisao.com, 1 +mup-republicanos.tk, 1 +muqqabla.com, 1 +mur-parfait.com, 1 +mur-vegetal-interieur.fr, 1 +muradiyetemizlik.com, 1 +murakami-sah.com, 1 +muralart.ga, 1 +murasaki.co.uk, 1 +murasame.tech, 1 +murashun.jp, 1 +muratatifsayar.com.tr, 1 +muratbekgi.com, 1 +muratcileli.tk, 1 +muratec.tw, 1 +muratoff.pp.ua, 1 +muratore-roma.it, 1 +murciacobras.tk, 1 +murciaprocuradores.tk, 1 +murdercube.com, 1 +murena.io, 1 +murfreesboroar.gov, 1 +murfy.kiwi, 1 +murfy.nz, 1 +murgi.de, 1 +murksbreider.tk, 1 +murl.ml, 1 +murmansk.cf, 1 +murmanskforum24x7.tk, 1 +murmashi.com, 1 +murmashi.ru, 1 +murmures.net, 1 +murof.com.br, 1 +murphy-law.net.ru, 1 +murphydriverewards.com, 0 +murphysfire.gov, 1 +murray.xyz, 1 +murraya.cn, 1 +murraycountymn.gov, 1 +murraywaldren.com, 1 +murrietadogtrainers.com, 1 +murrsuit.eu, 1 +murrsuit.net, 1 +murrsuit.org, 1 +mursa.tk, 1 +mursatov.tk, 1 +murster.tw, 1 +mursu.directory, 1 +murtazamustafahirani.tk, 1 +murz.tv, 1 +murzallawfirm.com, 1 +murzik.space, 1 +musaccostore.com, 0 +musacomo.com, 1 +musafir-aceh.tk, 1 +musasionline.com, 1 +musaslush.com, 1 +musavat.com, 1 +musbizu.com.ng, 1 +muscatinecountyiowa.gov, 1 +muscatinejournal.com, 1 +muscle-home.fr, 1 +muscle-tg.com, 1 +muscleandrecovery.com, 1 +musclecarresearch.com, 1 +musclecarsillustrated.com, 1 +musclecarus.com, 1 +muscles.cf, 1 +muscolinomusic.com, 1 +muscularbabes.net, 1 +musculardystrophyuk.org, 1 +muscuolisq.cf, 1 +musearchengine.com, 1 +museclef.com, 1 +musecomunicazione.it, 1 +musedash.moe, 1 +museeducolombier.fr, 1 +museepab.fr, 1 +musehelix.com, 1 +museloveurania.com, 1 +museo.com.au, 1 +museodefutbol.online, 1 +museodeinsectos.tk, 1 +museodelistmo.tk, 1 +muserver.io, 1 +muses-success.info, 1 +musetti.tw, 1 +museumnachtgent.be, 1 +museumplantinmoretus.be, 1 +museumtravelalliance.com, 1 +museumwaalsdorp.nl, 1 +mush-room.co.jp, 1 +mushel.ddns.net, 1 +mushikabu.net, 1 +mushing.pl, 1 +mushino.com, 1 +mushka.ga, 1 +mushman.tk, 1 +mushroomcloud.moe, 1 +mushroomnetwork.co.za, 1 +mushroomtutor.com, 1 +music-is-my-life.de, 1 +music-privilege.fr, 1 +music-project.eu, 1 +music-store-download.com, 1 +music.amazon.com, 1 +musica.com, 1 +musicales.tk, 1 +musicall.com, 1 +musicalschwarzenburg.ch, 1 +musicandrelated.tk, 1 +musicapara.net, 1 +musicapopolareitaliana.net, 1 +musicaporbolivia.tk, 1 +musicare.com, 1 +musicasbr.com.br, 1 +musicbow.com, 0 +musicbox.party, 1 +musicchris.de, 1 +musicfactory.ml, 1 +musicflac4.tk, 1 +musicfor.us, 1 +musicfreakz.cf, 1 +musicfromgod.com, 1 +musicgamegalaxy.de, 1 +musicgeek.ga, 1 +musicgivesmelife.com, 1 +musichiphop.ga, 1 +musichome.tk, 1 +musicinsiderdigest.com, 1 +musickhouseleveling.com, 1 +musickorea.tk, 1 +musiclenta.tk, 1 +musiclite.tk, 1 +musicmasala.tk, 1 +musicnotesroom.com, 1 +musicompare.com, 1 +musicradar.co.il, 1 +musicradio.ga, 1 +musicradio.gq, 1 +musicradio.tk, 1 +musicrainbow.tk, 1 +musicrepublicmagazine.com, 1 +musicrooz.tk, 1 +musicschoolonline.com, 1 +musicsense.cf, 1 +musicsmoke.tk, 1 +musicsnippet.com, 1 +musicsrv.de, 1 +musicstudio.pro, 1 +musictech.com, 1 +musictools.tk, 1 +musictouch.ru, 1 +musicvideo.club, 1 +musicvietnam.tk, 1 +musicwear.cz, 0 +musigama.tk, 1 +musik-mentaltraining.ch, 1 +musik-reitemann.de, 1 +musik-vereinsbedarf.de, 0 +musikarti.com, 1 +musiker.tk, 1 +musikhaus-korn.de, 1 +musikholics.com, 1 +musikidersi.tk, 1 +musiktag2020.ch, 1 +musikverein-elten.de, 1 +musikverein-schuettorf.de, 1 +musikzentrale.net, 0 +musings.cloud, 1 +musings.tech, 1 +musiq-supreme.tk, 1 +musique2nuit.com, 1 +musiques-traditionnelles.ga, 1 +musition.cloud, 1 +musition.com, 1 +musition.net, 1 +musitioncloud.com, 1 +musitionfirst.com, 1 +muskegoncounty.gov, 1 +muskegontwpmi.gov, 1 +muskegowi.gov, 1 +musketiers.tk, 1 +muskuratimorning.tk, 1 +muslimah.boutique, 1 +muslimbanter.co.za, 1 +muslimmarriage.cf, 1 +muslimpocket.com, 1 +muslimsoul.cf, 1 +muslimsoul.ga, 1 +muslimsoul.gq, 1 +muslimsoul.ml, 1 +muslitocomics.tk, 1 +musmann.io, 1 +musopen.org, 1 +musoscorner.com.au, 1 +muspla.com.br, 1 +mussalains.com, 1 +musselsblog.com, 1 +mussonsppe.com, 1 +mussonstrading.com, 1 +musta.ch, 1 +mustangapparel.ca, 1 +mustard.llc, 1 +mustasj.no, 1 +mustat.com, 1 +muster-folien.de, 1 +muster-schablonen.de, 1 +musterihizmet.com, 1 +musterionsec.com, 1 +mustertexte-musterbewerbung.de, 1 +mustexist.tk, 1 +musthave.tk, 1 +musthavesforreal.com, 1 +musthinsider.com, 1 +mustika.cf, 1 +mustketing.com, 1 +musttest.com, 1 +musttest.email, 1 +musttest.eu, 1 +musttest.net, 1 +musttest.org, 1 +musubi-dev.net, 1 +musulmanesnuevos.tk, 1 +mususu.com, 1 +mutagen.io, 1 +mutahar.me, 1 +mutantmonkey.in, 1 +mutantmonkey.info, 1 +mutantmonkey.sexy, 1 +mutex.tech, 1 +mutfakyolu.com, 1 +muthai.in.th, 1 +mutiararentas.com.my, 1 +mutsumikai8989.com, 1 +mutua.es, 1 +mutua.it, 1 +mutual.ga, 1 +mutualcootradecun.com, 1 +mutualfunds.cf, 1 +mutualfunds.ml, 1 +mutualmoney.ml, 1 +mutualofomahamedicareplans.com, 1 +mutuals.cool, 1 +mutuelle.fr, 1 +muuglu.es, 1 +muunnin.net, 1 +muurari.tk, 1 +muusika.fun, 1 +muusikoiden.net, 1 +muv.co.uk, 1 +muwatenraqamy.org, 1 +muwi.tk, 1 +muxetv.com, 1 +muxup.com, 1 +muy.ooo, 1 +muydelgada.com, 1 +muyinternetsante.tk, 1 +muz-portal.com, 1 +muz2u.ru, 1 +muzcomedia.ru, 1 +muzenzacrianca.tk, 1 +muzetxe.com, 1 +muzeumkomiksu.eu, 0 +muzflix.net, 1 +muzi-tips.tk, 1 +muzi.cz, 1 +muzicamp3.org, 1 +muzicar.rs, 0 +muzicari.tk, 1 +muziekcentrumdebijloke.gent, 1 +muziekluisteren.eu, 1 +muziektermen.tk, 1 +muzikanews.tk, 1 +muzikantine.nl, 1 +muzike.tk, 1 +muzline.ua, 1 +muzmo.ga, 1 +muzotakt.pl, 1 +muzprosvet.tk, 1 +muzykanawesele.info, 1 +mv-schnuppertage.de, 0 +mv-spital.tk, 1 +mv-wohnen.de, 1 +mvandek.nl, 1 +mvarsamis.com, 1 +mvb-it.nl, 1 +mvbits.com, 0 +mvbstyling.nl, 1 +mvbug.com, 1 +mvccp.co.za, 1 +mvdmt.gov, 1 +mvelopes.com, 1 +mventix.com, 1 +mvib.net, 1 +mviess.de, 1 +mvisioncorp.com, 1 +mvistatic.com, 1 +mvmcorps.com, 1 +mvn.lu, 1 +mvno.io, 1 +mvorisek.com, 1 +mvorisek.cz, 1 +mvpinfo.ga, 1 +mvpower.pt, 1 +mvpzd.com, 1 +mvrcheck.com, 1 +mvrdrivingrecords.com, 1 +mvsp.ru, 1 +mvwdca.gov, 1 +mvwoensei.com, 1 +mvwoensei.xyz, 1 +mvwoensel.com, 1 +mvzstartpagina.tk, 1 +mw-power.ru, 1 +mw.search.yahoo.com, 0 +mwahyunz.id, 1 +mwai.edu.ph, 1 +mwamitours.com, 1 +mware-staging.azurewebsites.net, 1 +mwavuli.co.ke, 1 +mway.io, 1 +mwba.org, 1 +mwcwallet.com, 1 +mwd.world, 1 +mwdsls.gov, 1 +mwe.st, 1 +mwezi.org, 1 +mwhcp.org.au, 1 +mwicescholarship.com, 1 +mwinds.tk, 1 +mwmopd.gov, 1 +mwms.nl, 1 +mwnonline.net, 0 +mwohlfarth.de, 1 +mwork.tech, 1 +mwpromotion.fr, 1 +mwr.team, 1 +mwscouts.org, 1 +mwskwong.com, 1 +mwstrategicservices.com, 1 +mwtj.com, 1 +mwtown.gov, 1 +mwu.dk, 1 +mwv2wle.club, 1 +mww.moe, 1 +mx-moto.fr, 0 +mx-quad.fr, 0 +mx-solutions.net, 1 +mx.org.ua, 1 +mx.search.yahoo.com, 0 +mx310.jp, 1 +mx5international.com, 1 +mx86.eu, 1 +mxawei.cn, 1 +mxdanggui.org, 1 +mxdvl.com, 0 +mxes.net, 1 +mxgateway.eu, 1 +mxii.eu.org, 1 +mxin.ltd, 1 +mxn8.com, 1 +mxtm.de, 1 +mxtsoluciones.com.mx, 1 +my-aftershave-store.co.uk, 1 +my-azov.tk, 1 +my-best-wishes.com, 1 +my-bratsk.tk, 1 +my-calend.ru, 1 +my-carrent.de, 1 +my-cars.tk, 1 +my-clubpenguin.tk, 1 +my-contract.ch, 0 +my-contract.info, 0 +my-contract.net, 0 +my-coordinates.com, 1 +my-darkon.ru, 1 +my-demo.co, 1 +my-digital.fr, 1 +my-dns.co.il, 1 +my-documentforce.com, 1 +my-education.tk, 1 +my-finance.tk, 1 +my-force-user-content.com, 1 +my-fuhui.com, 1 +my-gps-tracker.co.uk, 1 +my-host.ovh, 1 +my-how-to-draw.com, 1 +my-hps.de, 1 +my-ifms.com, 1 +my-ip.work, 1 +my-itbk.de, 1 +my-kirov.tk, 1 +my-lightning-container.com, 1 +my-lightning.com, 1 +my-meal.nl, 1 +my-mediahome.ru, 1 +my-meteo.net, 1 +my-mobile-apps.com, 1 +my-montenegro.tk, 1 +my-nextcloud.at, 1 +my-optika.ru, 1 +my-pawnshop.com.ua, 0 +my-pharmacie.com, 1 +my-phone.tk, 1 +my-profile.org, 1 +my-road.de, 1 +my-salesforce-communities.com, 1 +my-salesforce-community-builder.com, 1 +my-salesforce-community-live-preview.com, 1 +my-salesforce-community-preview.com, 1 +my-salesforce-hub.com, 1 +my-salesforce-scrt.com, 1 +my-salesforce-sites.com, 1 +my-salesforce.com, 1 +my-salesforcescrt.com, 1 +my-sex-cam.com, 1 +my-static-demo-808795.c.cdn77.org, 1 +my-static-live-808795.c.cdn77.org, 1 +my-store.ch, 1 +my-stories.ml, 1 +my-story.ml, 1 +my-stuff-online.com, 1 +my-town.tk, 1 +my-tunisia.tk, 1 +my-visualforce.com, 1 +my-web.xyz, 1 +my-webcloud.at, 1 +my-website.top, 1 +my-woodcraft.com, 1 +my.cat, 1 +my.com.my, 1 +my.onlime.ch, 0 +my.urown.cloud, 1 +my.usa.gov, 1 +my1login.com, 1 +my4g.net, 1 +my4thtelco.com.sg, 1 +my4thtelco.sg, 1 +my630.org, 1 +my77.vip, 0 +myabakus.com, 1 +myaccount.google.com, 1 +myaccountview.net, 1 +myactivity.google.com, 1 +myafweb.com, 1 +myaggic.com, 1 +myairware.com, 1 +myakkatactical.com, 1 +myalliance.church, 1 +myalliancechurch.com, 1 +myalpine.shop, 1 +myalsadd.tk, 1 +myamend.com, 1 +myamihealth.com, 1 +myandre.tk, 1 +myandroidfriend.ml, 1 +myanimelist.net, 1 +myanimo.ml, 1 +myanmar-responsiblebusiness.org, 1 +myanmar.gov.mm, 1 +myapexcard.com, 1 +myappworx.com, 1 +myaquariumclub.com, 1 +myaquaterra.tk, 1 +myareaf2a.com, 1 +myarentcar.com, 1 +myarticlelibrary.cf, 1 +myarticles.io, 1 +myartsjournal.com, 1 +myasb.club, 1 +myathena.ai, 0 +myatipfile.com, 1 +myauto.ml, 1 +myayurvedicdiary.com, 1 +mybaby.bg, 1 +mybags.cf, 1 +mybakkupakku.com, 1 +mybank.com, 1 +mybaran.tk, 1 +mybarcelona.tk, 1 +mybathroom.tk, 1 +mybaticloud.com, 1 +mybb.com, 1 +mybb.de, 1 +mybbcode.tk, 1 +mybeancloud.co.za, 1 +mybeautyjobs.de, 1 +mybestbook.tk, 1 +mybestbooks.gq, 1 +mybestteam.tk, 1 +mybicc.org, 1 +mybieo.com, 1 +mybigplunge.com, 1 +mybillie.com, 1 +mybirds.tk, 1 +mybisnis.tk, 1 +mybizzmail.com, 1 +mybloggedlife.com, 1 +myblogwire.org, 1 +myblueprints.org, 1 +mybon.at, 0 +mybon.online, 1 +mybookbee.com, 1 +myboostport.com, 1 +myboothang.com, 1 +myborder.ru, 1 +mybotti.eu, 1 +myboxing.tk, 1 +mybpstar.com, 1 +mybrand.nl, 1 +mybrb.com, 1 +mybreakwatertower.com, 1 +mybritney.tk, 1 +mybro.tv, 1 +mybrokenheart.tk, 1 +mybsms.gr, 1 +mybts.fr, 1 +mybubbleteashop.com, 1 +mybuddytheplumberparkcity.com, 1 +mybudgetapp.com, 1 +mybuildingcertifier.com.au, 1 +mybupa.com.au, 1 +mycaelis.fr, 1 +mycalifornialemonlaw.com, 1 +mycam.gq, 1 +mycandylove.com, 1 +mycardplace.com, 1 +mycarecorner.net, 1 +mycarecrew.co, 1 +mycarinsurance123.com, 0 +mycarwashers.com, 1 +mycase.com.ua, 1 +mycats.tk, 1 +mycaviste.com, 1 +mycbils.uk, 1 +mychamberlain.co.nz, 0 +mychamberlain.com, 1 +mychamberlain.com.au, 0 +mychamberlain.eu, 0 +mychawinda.cf, 1 +mychemromance.tk, 1 +mychicken.info, 1 +mychicken.nl, 1 +mychildatschool.com, 1 +mycigna.com.hk, 1 +mycinema.pro, 1 +mycircleworks.com, 1 +myclang.com, 1 +myclasscam.com, 1 +myclgnotes.com, 1 +myclimate.com, 1 +myclinicalstudybuddy.com, 1 +myclon.tk, 1 +mycloud-system.com, 1 +mycloudbits.me, 1 +mycloudhome.site, 1 +mycloudhome.top, 1 +mycloudhome.xyz, 1 +mycloudkey.net, 1 +mycloudsaas.com, 1 +mycloudsoftware.com.br, 1 +mycodes.com.au, 1 +mycofairtrade.com, 0 +mycoins.gallery, 1 +mycoldjet.com, 1 +mycollegebag.in, 1 +mycolo.gq, 1 +mycolorado.gov, 1 +mycommerce.tk, 1 +mycompanion.cz, 1 +mycompanysite.host, 1 +myconan.net, 1 +myconan.tk, 1 +myconcorde.fr, 1 +myconf.com, 1 +myconf.es, 1 +myconf.uk, 1 +myconferencion.tk, 1 +myconnection.ie, 1 +myconradsiegel.com, 1 +myconsultingresources.com, 1 +mycontactacuvue.fr, 0 +mycontactopticien.fr, 0 +mycontrolmonitor.com, 1 +mycoordinates.xyz, 1 +mycopa.com, 1 +mycorbookkeeping.com, 1 +mycounterstrike.ru, 1 +mycr.eu, 1 +mycreditcardcenter.com, 1 +mycreditjunkie.com, 1 +mycreditunion.gov, 1 +mycredy.com, 1 +mycrm.coach, 0 +mycrowdstack.com, 1 +mycrypnet.io, 1 +mycts.org, 1 +mycues.gov, 1 +mycumortgage.com, 1 +mycyberspace.tech, 1 +mydabb.com, 1 +mydais.org, 1 +mydarkness.cf, 1 +mydarksite.tk, 1 +mydarkstar.net, 1 +mydarwin.co.uk, 1 +mydataprotected.com, 1 +mydating.be, 1 +mydaymark.com, 1 +mydaywebapp.com, 1 +mydeardreams.com, 1 +mydebian.in.ua, 1 +mydedicatedservice.ca, 1 +mydedicatedservice.com, 1 +mydegreeroute.com, 1 +mydentalplan.gr, 1 +mydentist.co.uk, 0 +mydenverhomesource.com, 1 +mydesignrules.com, 1 +mydestiny.tk, 1 +mydetailbox.com, 1 +mydigitalexperience.fr, 1 +mydigitalnation.com, 1 +mydirtyclub.com, 1 +mydirtyhobby.com, 1 +mydirtyhobby.de, 1 +mydirtysexstories.com, 1 +mydisabilitymatters.com, 1 +mydisabilitymatters.org.au, 1 +mydisco.tk, 1 +mydistance.tk, 1 +mydlonline.be, 1 +mydnshost.co.uk, 1 +mydoc.fr, 1 +mydocserve.com, 1 +mydoggyadvisor.com, 1 +mydogispolite.tk, 1 +mydogtrainingcollar.com, 1 +mydolls.ml, 1 +mydomen.ml, 1 +mydoxod.tk, 1 +mydreamlifelab.com, 1 +mydreamshaadi.in, 1 +mydrnetvpn.tk, 1 +mydroneservices.ca, 1 +mydroneservices.com, 1 +mydslwebstats.co.uk, 1 +mydsomanager.com, 1 +myduffyfamily.com, 1 +mydx.ru, 1 +myeasybooking.de, 1 +myebony.cam, 1 +myecms.com, 1 +myedcreview.cf, 1 +myeditclub.ml, 1 +myedu.ga, 1 +myedu.gq, 1 +myeducationhub.tk, 1 +myedumundo.com, 1 +myeisenbahn.de, 1 +myekon.com, 1 +myelebest.ga, 1 +myelka.tk, 1 +myelucidation.com, 1 +myemailadd.net, 1 +myemailsender.tk, 1 +myeml.net, 1 +myenemy.tk, 1 +myenglish.tk, 1 +myensolofts.com, 1 +myentspecialist.sg, 1 +myepass.bg, 1 +myepass.de, 1 +myeriri.com, 1 +myers.house, 1 +myersking.com, 1 +myessaydoc.com, 1 +myessaygeek.com, 1 +myetherwallet.com, 1 +myeventstation.com, 1 +myevive.com, 1 +myexams.nl, 1 +myf.cloud, 1 +myface.pt, 1 +myfae.eu, 1 +myfamilyancestry.tk, 1 +myfamilyfirsthc.com, 1 +myfancyurl.tk, 1 +myfantasysportstalk.com, 1 +myfavmessage.cf, 1 +myfavorite.com.tw, 1 +myfdic.gov, 1 +myfi24.ru, 1 +myfiladelfia.com, 1 +myfile.gq, 1 +myfinance.co.nz, 1 +myfinverse.com, 1 +myfinx.bh, 1 +myfinx.io, 1 +myfirenet.com, 0 +myfirstchessclub.com, 1 +myfishpalace.at, 1 +myfitnessbenefit.com, 1 +myfitnesscare.com, 1 +myflatfinders.com, 1 +myflightrefund.com, 1 +myfloridacfo.gov, 1 +myfloridadeferredcomp.com, 1 +myfloridahouse.gov, 1 +myfloridarealty.com, 1 +myfloridarx.gov, 1 +myformatconverter.com, 0 +myfortdodge.com, 1 +myforum.community, 1 +myfpvstore.com, 1 +myfreespiritpointscard.com, 1 +myfrenchtattoo.fr, 1 +myfsb.bank, 1 +myfuhui.com, 1 +myfunworld.de, 1 +myfursona.com, 1 +myfutanari.com, 1 +myfutureself.com.au, 1 +myfuturewebsite.co.uk, 1 +myfxbook.com, 1 +myfxcm.com, 1 +myg21.com, 1 +mygadgetguardian.lookout.com, 0 +mygallery.homelinux.net, 1 +mygameconsole.tk, 1 +mygaming.news, 1 +mygate.at, 0 +mygaypornstarlist.com, 1 +mygaysitges.com, 1 +mygd.org, 1 +mygear.live, 1 +mygedit.com, 1 +mygedit.info, 1 +mygedit.net, 1 +mygedit.org, 1 +mygeek.tk, 1 +mygeek911.com, 1 +mygeneral.org, 1 +mygeorgia.org, 1 +mygeotrip.com, 1 +mygermanuniversity.com, 1 +mygest.me, 1 +myggkungen.se, 1 +mygigabitnation.com, 1 +mygignation.com, 1 +mygilehery.tk, 1 +mygimp.tk, 1 +mygirlfriendshouse.com, 1 +myglobalopti.nl, 1 +mygnmr.com, 1 +mygobelin.tk, 1 +mygolod.com, 1 +mygomel.tk, 1 +mygov.scot, 1 +mygreatjob.eu, 1 +mygreatlakes.org, 1 +mygreatwebsite.co.uk, 1 +mygreencloset.com, 1 +mygreenrecipes.com, 1 +mygretchen.de, 1 +mygrodno.tk, 1 +mygtcup.co, 1 +mygymer.ch, 1 +myhabitshop.com, 1 +myhappiness.tk, 1 +myhealthchecked.com, 0 +myhealthcheckup.ca, 1 +myhealthcheckup.com, 1 +myhealthsquad.ca, 1 +myhealthyday.com, 1 +myhelcim.com, 1 +myhell-anonim.tk, 1 +myhelo.com, 1 +myhermes.co.uk, 1 +myhfstar.com, 1 +myhkweb.tk, 1 +myhmz.bid, 1 +myhollywoodnews.com, 1 +myhome-24.pl, 1 +myhoor.ga, 1 +myhostname.net, 1 +myhotel.sk, 1 +myhotgirls.ml, 1 +myhouse-ne.co.uk, 1 +myhouse.rocks, 1 +myhousestats.com, 1 +myhub.eu.org, 1 +myhurlburt.marketing, 1 +myhuthwaite.com, 1 +myibidder.com, 1 +myibp.ph, 1 +myicare.org, 1 +myid.be, 1 +myigetit.com, 1 +myimg.cn, 1 +myimmitracker.com, 1 +myinfoenter.tk, 1 +myinjuryattorney.com, 1 +myinsiderplus.com, 1 +myinstapy.ru, 0 +myinsurancesource.com, 1 +myintegrativehealthcenters.com, 1 +myinternist.com, 1 +myinvestinglife.com, 1 +myinvisibleknapsack.com, 1 +myip.com.tw, 1 +myip.solutions, 1 +myisolved.com, 1 +myjbn.org, 1 +myjobsearchengine.com, 1 +myjudo.net, 1 +myjumparoo.co.uk, 1 +myjumpsuit.de, 1 +myjuvelirika.ru, 1 +mykarelia.ga, 1 +mykarelia.tk, 1 +myke.website, 1 +mykelseyonline.com, 1 +mykill.pl, 1 +mykitchen.gq, 1 +mykolhoz.tk, 1 +mykonos-island.tk, 1 +mykontool.de, 1 +mykoreankitchen.com, 1 +mykukun.com, 1 +mykumedir.com, 1 +mykurgan.tk, 1 +mykursumlija.tk, 1 +mylabaih.com, 1 +mylacera.gov, 1 +mylastchapter.tk, 1 +mylatestnews.org, 1 +mylawer.ga, 1 +myld.be, 1 +mylearners.vic.gov.au, 1 +myled.ml, 1 +mylegacyvip.com, 1 +mylene-chandelier.me, 1 +mylever.com, 1 +mylfca.com, 1 +mylifeabundant.com, 1 +mylifeinbalance.be, 1 +mylifesphotograph.com, 1 +myliftmaster.eu, 0 +mylight.tk, 1 +myline.cf, 1 +mylisting.club, 1 +mylittlechat.ru, 1 +mylittleforum.ml, 1 +mylittlegrocer.co.uk, 1 +mylittlegrocer.com, 1 +mylittlewallpaper.com, 1 +mylittlewizard.fr, 1 +myliveupdates.com, 1 +myload.ch, 1 +myloan.hk, 1 +myloanmanager.com, 1 +mylobster.ml, 1 +mylocalairconditioning.com.au, 1 +mylocality.shop, 1 +mylocalmortgage.co.uk, 1 +mylocraft.tk, 1 +myloft.xyz, 1 +myloneworkers.com, 1 +mylotto.co.nz, 1 +mylover.be, 1 +mylrd.xyz, 1 +mylstrom.com, 1 +myltfilm.tk, 1 +myltivarka.ml, 1 +mymagic.ml, 1 +mymagnifi.org, 1 +mymailboxpro.cf, 1 +mymailspace.ml, 1 +mymaineconnection.gov, 1 +mymanagement.ml, 1 +mymartinbeckeropenhab.de, 1 +mymartinbeckeropenhab.eu, 1 +mymartinhalchiado.com, 1 +mymartinhalresidences.com, 1 +mymb.pm, 1 +mymcc.gift, 1 +mymdindia.com, 1 +mymdtaxes.gov, 1 +mymed.de, 1 +mymed.eu, 1 +mymedia.gotdns.com, 1 +mymediabox.com, 1 +mymerlin.co.nz, 0 +mymerlin.com.au, 0 +mymesra.com.my, 1 +mymixtapez.com, 1 +mymkphotography.com, 1 +mymo.in.th, 1 +mymommyworld.com, 1 +mymoneycoin.ml, 1 +mymonture.com, 1 +mymoretrip.com, 1 +mymotor.nl, 1 +mymovein.com, 1 +mymsr.de, 0 +mymun.com, 1 +mymun.net, 1 +mymusiclist.alwaysdata.net, 1 +mymusique.tk, 1 +mymx.lu, 0 +mynak.se, 1 +mynameistavis.com, 1 +mynametags.ae, 1 +mynametags.be, 1 +mynametags.com, 1 +mynametags.com.br, 1 +mynametags.fr, 1 +mynametags.ie, 1 +mynametags.it, 1 +mynametags.mt, 1 +mynametags.nl, 1 +mynametags.pt, 1 +mynas.ovh, 0 +mynaturalmood.es, 1 +mynaturebox.com, 0 +mynaughtyalbum.com, 1 +mynaui.com, 1 +mynavi-kaigo.jp, 1 +myndcommunication.com, 1 +myndighetermeddnssec.se, 1 +myndighetermedipv6.se, 1 +mynerva.io, 1 +mynetblog.com, 1 +mynetflow.com, 1 +mynetpay.be, 1 +mynetworkingbuddy.com, 1 +mynewhorizons.shop, 1 +mynewsfit.com, 1 +mynewsinc.org, 1 +mynext.events, 1 +mynextmove.org, 1 +mynic.my, 1 +mynimo.com, 1 +mynissan.ml, 1 +myniveshak.com, 1 +mynjhelps.gov, 1 +mynn.io, 0 +mynn.ml, 1 +mynook.info, 1 +mynr.ai, 1 +mynrg.gr, 1 +mynutrientcloud.com, 1 +mynxtcld.spdns.de, 1 +myocci.net, 1 +myoctocat.com, 1 +myoddlittleworld.com, 1 +myodysi.com, 1 +myofficeconnect.co.uk, 1 +myokaloosa.gov, 1 +myonline.store, 1 +myonlinemovies.ga, 1 +myonlinevehicleinsurance.com, 1 +myopd.in, 1 +myorder-pg.com, 1 +myorders.co, 1 +myoregon.gov, 1 +myosana.nl, 1 +myoueb.fr, 1 +myoukochou.com, 1 +myoutdooragent.com, 1 +myowncloud.ovh, 1 +myowncloud.pl, 1 +myownconference.com, 1 +myownconference.email, 1 +myowndisk.net, 1 +myowntutor.co.uk, 1 +mypaperdone.com, 1 +mypaperwriter.com, 1 +mypartnernews.com, 1 +mypathologos.gr, 1 +mypay.fr, 1 +mypaypac.com, 1 +mypcb.tk, 1 +mypeace.tk, 1 +mypenza.tk, 1 +mypeople.co.in, 1 +myperfecthome.ca, 1 +myperks.in, 1 +mypersonalpage.tk, 1 +mypetcloud.com, 1 +mypetitjob.fr, 1 +mypetsvetsltd.co.uk, 1 +mypharmjar.com, 1 +myphotogift.in, 1 +myphotonics.ml, 1 +myphotoprism.spdns.de, 1 +myphotos.ga, 1 +myphotoshopbrushes.com, 1 +myphx311.gov, 1 +myphysiocoach.ch, 1 +mypillcard.com, 1 +mypiloteis.com, 1 +mypinellasclerk.gov, 1 +mypivcard.com, 1 +myplaceonline.com, 1 +mypnu.net, 1 +mypogljad.tk, 1 +mypornsnap.top, 1 +myportal.ga, 1 +myposters.tk, 1 +mypowerserg.ca, 1 +mypowerserg.com, 1 +mypowersergca.ca, 1 +mypress.mx, 1 +myprintcard.de, 1 +myproblog.com, 1 +myprofitweb.com, 1 +mypromocode.com, 1 +mypropertal.com, 1 +myproteinpal.co.za, 1 +myprotime.eu, 1 +myproxy.eu.org, 0 +mypskov.tk, 1 +mypsy.online, 1 +mypsychicreadings.tk, 1 +mypvhc.com, 1 +myqrreview.com, 1 +myraboats.tk, 1 +myrandomtips.com, 1 +myrants.org, 1 +myrasp.eu, 1 +myrays.cloud, 1 +myraytech.net, 0 +myreadingmanga.info, 1 +myrealestateautomation.com, 1 +myrealestatemate.com.au, 1 +myred.net, 1 +myredserver.com, 1 +myref.net, 1 +myreferral.systems, 1 +myrekber.co.id, 1 +myremont.tk, 1 +myremotelogin.ddns.net, 1 +myrent.quebec, 1 +myrepubic.net, 1 +myrepubiic.net, 1 +myrepublc.net, 1 +myrepublic.asia, 1 +myrepublic.cf, 1 +myrepublic.cloud, 1 +myrepublic.com.cn, 1 +myrepublic.com.hk, 1 +myrepublic.com.kh, 1 +myrepublic.com.lk, 1 +myrepublic.com.my, 1 +myrepublic.com.ph, 1 +myrepublic.com.tw, 1 +myrepublic.eu.com, 1 +myrepublic.ga, 1 +myrepublic.gq, 1 +myrepublic.icu, 1 +myrepublic.in, 1 +myrepublic.limited, 1 +myrepublic.lk, 1 +myrepublic.ml, 1 +myrepublic.mobi, 1 +myrepublic.my, 1 +myrepublic.net, 1 +myrepublic.net.au, 1 +myrepublic.nz, 1 +myrepublic.ph, 1 +myrepublic.rocks, 1 +myrepublic.run, 1 +myrepublic.tk, 1 +myrepublic.tv, 1 +myrepublic.tw, 1 +myrepublic.us.com, 1 +myrepublic.xyz, 1 +myrepublicau.com, 1 +myrepublicaus.com, 1 +myrepublicbroadband.com.au, 1 +myrepublicfibre.com.au, 1 +myrepublicgroup.com, 1 +myrepublicinternet.com.au, 1 +myrepublicltd.com, 1 +myrepublicmy.com, 1 +myrepublicnz.com, 1 +myrepublicsg.com, 1 +myrepublictelecom.com, 1 +myrepubllc.net, 1 +myresearchapp.com, 1 +myresearchtoolbox.net, 1 +myresidence.de, 1 +myrevery.com, 1 +myreviews.ga, 1 +myrewardspoints.com, 1 +myria.com, 1 +myriad.com, 1 +myriadique.com, 1 +myriadlex.com.tw, 1 +myriadof.com, 1 +myrig.com, 1 +myrig.net, 1 +myrom.tk, 1 +myrotvorets.center, 1 +myrotvorets.news, 1 +myrp.co, 1 +myrtlebeachdogtrainers.com, 1 +myruststats.com, 1 +myrvog.net, 1 +myrvogna.net, 1 +myrxplans.com, 1 +mys.gov.sd, 1 +mysa.tk, 1 +mysafetygear.co.za, 1 +mysafeway.com, 1 +mysaldo.info, 1 +mysam.net, 1 +mysantanderpension.co.uk, 1 +mysavvastraining.com, 1 +mysavvywallet.com, 1 +mysaymk.tk, 1 +mysbaccoach.com, 1 +mysber.ru, 1 +mysbi.tk, 1 +myschool.edu.au, 1 +myschoolitaly.com, 1 +myschoolphoto.org, 1 +myschools.nyc, 1 +mysciencecloset.com, 1 +myseatime.com, 1 +mysecretstylist.ga, 1 +mysecurity.review, 1 +mysecurityevent.de, 1 +myseo.ga, 1 +myservicearl.com, 1 +myserviceportal.de, 1 +myservices.digital, 1 +myservik.ml, 1 +myseu.cn, 1 +mysexpedition.com, 1 +mysexvids.net, 1 +mysexycard.com, 1 +mysexydate24.com, 1 +myshenwang.tk, 1 +myshiftbid.com, 1 +myshikarpur.tk, 1 +myshowbiz.tk, 1 +mysidekick.io, 1 +mysignal.com, 1 +mysill.gr, 1 +mysilvershield.com, 1 +mysisterandi.co.za, 1 +mysitex.com, 1 +myslc.gov, 1 +mysmartloan.ca, 1 +mysmmstore.com, 1 +mysmmstore.in, 1 +mysmsapp.cn, 1 +mysociallinks.org, 1 +mysociety.ml, 1 +mysockfactory.ch, 1 +mysockfactory.com, 1 +mysoftbtrans.com, 1 +mysoftebelge.com, 1 +mysoftlonca.com, 1 +mysoundtalks.com, 0 +mysourceofhealth.com, 0 +myspa.vn, 1 +myspeedcash.com, 1 +myspicer.com, 1 +mysports.com, 1 +mysql-real-escape-string.xyz, 1 +mysqldump-secure.org, 1 +myssl.com, 1 +mystaffonline.com, 1 +mystagic.cloud, 1 +mysteriouscode.com, 1 +mysteriouscode.io, 1 +mysteriousmind.com.au, 1 +mystery-box.cf, 1 +mystery-science-theater-3000.de, 0 +mysterybeer.nl, 1 +mysteryboxes.co.uk, 1 +mysteryboxinc.com, 1 +mysteryfun.house, 1 +mysterymind.ch, 0 +mysteryshow.site, 1 +mystex.me, 1 +mystgames.tk, 1 +mystia.org, 1 +mystic-falls.tk, 1 +mystic-welten.de, 1 +mysticalroseschoolofcaloocan.com, 1 +mysticexperience.com, 1 +mysticgate.it, 1 +mysticmedia.net, 1 +mysticmine.shop, 1 +mysticrealm.tk, 1 +mystiko.eu, 1 +mystinkefinger.de, 1 +mystock911.com, 1 +mystoeckel.de, 1 +mystorage.work, 1 +mystore24.us, 1 +mystorydoctor.com, 1 +mystorymonster.com, 1 +mystown.org, 1 +mystream.com, 1 +mystreet.ga, 1 +mystrength.com, 1 +mystrix-esports.eu, 1 +mystudy.me, 1 +mystudycart.com, 1 +mystudymap.tk, 1 +mystyk.art, 1 +mystylion.com, 1 +mysupplements.ga, 1 +mysurfhostel.com, 0 +myswabi.tk, 1 +myswimmingclub.uk, 1 +myswitchelectric.com, 1 +myswooop.de, 1 +mytamarin.com, 1 +mytana.com, 1 +mytanningcompany.com, 1 +mytaratata.com, 1 +mytc.fr, 1 +myte.ch, 1 +mytea.life, 1 +mytecheg.com, 1 +mytefl.com, 1 +mytests.tk, 1 +mytfg.de, 1 +mythen-fonds.ch, 1 +mythenfonds.ch, 1 +mytherapist.com, 1 +mythicdelirium.com, 1 +mythiqueamerique.fr, 1 +mytime.fr, 1 +mytime.gl, 1 +mytimer.tk, 1 +myting.net, 1 +mytntware.com, 1 +mytoncityut.gov, 1 +mytraiteurs.com, 1 +mytraning.cf, 1 +mytransmissionexperts.com, 1 +mytravelblog.de, 1 +mytravelguide.tk, 1 +mytravelresearch.com, 1 +mytreasury.gov, 1 +mytrendiya.com, 1 +mytrialist.org, 1 +mytribus.com, 1 +mytrinity.com.ua, 1 +mytripcar.co.uk, 1 +mytroc.pro, 1 +mytruecare.org, 1 +mytrustadviser.com, 1 +mytty.net, 1 +mytuleap.com, 1 +mytun.com, 1 +myturf.com.au, 0 +mytuzla.tk, 1 +mytwilight.tk, 1 +myunitard.uk, 1 +myunitypoint.org, 1 +myunraid.ru, 1 +myupdatestudio.com, 1 +myupdatesystems.com, 1 +myupdateweb.com, 1 +myusagepayments.com, 1 +myvaccinefl.gov, 1 +myvacompany.com, 1 +myvalleymarketing.com, 1 +myvau.lt, 1 +myvawic.org, 1 +myvcc.ru, 1 +myvegasadvisor.com, 1 +myveronanj.com, 1 +myvet.ie, 1 +myviewboard.com, 1 +myvoipnews.com, 0 +myvologda.tk, 1 +myvotect.gov, 1 +myvpl.com, 1 +myvulcan-platinum.ru, 1 +mywalletcrypto.cf, 1 +mywapforum.ga, 1 +mywari.com, 1 +myweb360.de, 1 +mywebexperience.gq, 1 +mywebinar.com, 1 +mywebinar.io, 1 +mywebpanel.eu, 1 +mywebpanel.nl, 1 +mywebpharmacy.tk, 1 +mywebserver.ml, 1 +myweightlosstips.tk, 1 +mywestondental.com, 1 +mywifiext.net, 1 +mywihomes.com, 1 +mywikis.net, 1 +mywindscreen.my, 1 +mywish.co.il, 1 +mywonderland.co.nz, 1 +myworkboard.com, 1 +myworkfromhome.ml, 1 +myworkplaceperks.ca, 1 +myworkplaceperks.com, 1 +myworldbbs.tk, 1 +myworth.com.au, 1 +mywrecklawyer.com, 1 +myxnr.com, 1 +myxt.net, 1 +myxxxsite.tk, 1 +myyoutubepage.tk, 1 +myzarabot.tk, 1 +myzina.cz, 0 +myzoetrope.com, 1 +mz-mz.net, 1 +mza.com, 1 +mzademiryolu.com, 1 +mzcsgo.top, 1 +mzflirt.de, 1 +mzitu.com, 1 +mzlive.eu, 1 +mzlog.win, 1 +mzmtech.com, 1 +mzorn.photography, 0 +mzplumber.com, 1 +mzr.jp, 1 +mzri.ru, 1 +mzrme.top, 1 +mzstatic.cc, 1 +mztmzt.com, 1 +mzyxsl.top, 1 +n-cis.ru, 1 +n-design-service.de, 1 +n-design.de, 1 +n-doc.com, 1 +n-doc.de, 1 +n-gram.it, 1 +n-laboratory.jp, 0 +n-linear.org, 1 +n-m.lu, 1 +n-man.info, 1 +n-metz.de, 1 +n-pix.com, 0 +n-tennis.fr, 1 +n-un.de, 0 +n.ee, 1 +n.rich, 1 +n.tt, 1 +n0099.net, 1 +n03.top, 1 +n0paste.tk, 0 +n1.homes, 1 +n15.org, 1 +n16.co, 1 +n1co68.freeboxos.fr, 1 +n1mp.org, 1 +n26.com, 1 +n29.co, 0 +n2diving.net, 1 +n2o.io, 1 +n2oclub.com, 1 +n2z.net, 1 +n36533.com, 1 +n37.co, 1 +n3rd.eu, 1 +n3rd0rama.tk, 1 +n3t.ch, 1 +n4mullingartolongford.ie, 1 +n4zm.com, 1 +n5197.co, 1 +n61roscommon.ie, 1 +n6729.co, 1 +n6729.com, 0 +n6957.co, 1 +n7.education, 1 +n8.gay, 1 +n82365.com, 1 +n87pedia.tk, 1 +n888ok.com, 1 +n8ch.net, 1 +n8mgt.com, 1 +n8nvi.com, 1 +n8s.jp, 1 +n8solutions.biz, 1 +n8solutions.host, 1 +n8solutions.net, 1 +n8solutions.us, 1 +n8ta.com, 1 +n9297.co, 1 +n95.news, 1 +n95s.icu, 1 +n95s.tech, 1 +n9728.co, 1 +na-agency.com, 1 +na-kipre.tk, 1 +na-school.nl, 1 +na.nl, 1 +na1.nl, 1 +naacam.org.za, 1 +naahgluck.de, 1 +naamlint.nl, 1 +naano.org, 1 +naap.tk, 1 +naarenaa.tk, 1 +naaronstoe.nl, 1 +nab-services.ml, 1 +nabaleka.com, 1 +nabc.com.au, 1 +nabeer.ga, 1 +nabeez.cf, 1 +nabidka.net, 1 +nabidkydnes.cz, 1 +nabiev.tk, 1 +nabitrix.tk, 1 +nabokov.tk, 1 +naboplastic.com, 1 +nabosoft.tk, 1 +nabzgroup.com, 1 +nac-6.fr, 1 +nac.gov.pl, 1 +nacfit.com, 1 +nachalniku.cf, 1 +nachalniku.ga, 1 +nachalniku.gq, 1 +nachalniku.ml, 1 +nachalniku.tk, 1 +nachalosbog.bg, 1 +nachalova.tk, 1 +nachbar.chat, 1 +nachdenken-erlaubt.de, 1 +nachoblanco.tk, 1 +nachovni.org, 1 +nachsendeauftrag.net, 0 +nachsenden.info, 1 +nachtmuziek.info, 1 +nacin.com, 1 +nacionale.com, 1 +nacionaltelha.com.br, 1 +nackwallpapers.ml, 1 +nacnkabiltrim.cf, 1 +nacocu.cf, 1 +nacom.tk, 1 +nacoree.ga, 1 +nacres.tk, 1 +nacsonline.tk, 1 +nacu.com.np, 1 +nacua.org, 1 +nacudeck.com, 1 +nacyklo.cz, 1 +nad-r.com, 1 +nada.com, 1 +nada.org, 1 +nadabrahma-hangtalmasszazs.hu, 1 +nadache.info, 1 +nadacnifondacr.cz, 1 +nadaquenosepas.com, 1 +naddi.org, 1 +nadejeproninu.cz, 1 +nadeko.net, 1 +nadelholzkulturen.de, 1 +nadex.com, 1 +nadezhda.ml, 1 +nadiafourcade-photographie.fr, 1 +nadilo.com.br, 1 +nadine-birkner.de, 1 +nadine-chaudier.net, 1 +nadinecays.com, 1 +nadinethings.gq, 1 +nadir.tk, 1 +nadjabenaissa.tk, 1 +nadjasummer.com, 1 +nadlan.immo, 1 +nadlerdentistry.com, 1 +nadoba-msk.ru, 1 +nadomna-rabota.tk, 1 +nadoske.info, 1 +nadsandgams.com, 1 +naduvilathu.tk, 1 +nadyaolcer.fr, 1 +naec.ge, 1 +naeemsafdar.net, 1 +naehenfuerwahrekleinehelden.de, 1 +naehtalente.de, 1 +naemnuk.tk, 1 +naf-connect.com, 1 +nafco-online.com, 1 +nafconnexus.com, 1 +nafezly.com, 1 +nafhomes.com, 1 +nafhroaviano.com, 1 +nafilia.com, 1 +nafod.net, 1 +nafto.org, 1 +nag.org.au, 1 +naga-semi.com, 1 +naga-wedding.tk, 1 +naga.com, 1 +naga.gq, 1 +naga.im, 1 +nagaragem.com.br, 1 +nagashi.ma, 0 +nagato.tk, 1 +nagaya.biz, 1 +nagb.gov, 1 +nagb.org, 1 +nagel-dentaltechnik.de, 1 +nageler.org, 1 +nagelfam.com, 1 +nagelideeen.ml, 1 +naggie.net, 1 +nagoonline.com, 1 +nagoya.tk, 1 +nagpurinstar.tk, 1 +nagrad.tk, 1 +nagya.com, 1 +nagya.eu, 1 +nagya.net, 1 +nagyandras.com, 1 +nagyandras.eu, 1 +nagyandras.net, 1 +nagybotond.com, 0 +nah.nz, 1 +nah.re, 1 +naheulcraft.be, 1 +nahfe.xyz, 1 +nahman.tk, 1 +nahouw.net, 1 +nahrag.tk, 1 +nahrung.de, 1 +nahs-classof1972.com, 1 +nahtanoj.tk, 1 +nahttps.tk, 1 +nahue.ar, 1 +nahue.com.ar, 1 +nahura.com, 1 +nai-job.jp, 1 +naia.me, 1 +naide.ee, 1 +naidoc.org.au, 1 +naifix.com, 1 +naijabeat.com, 1 +naijapower.com, 1 +naijaretro.com, 0 +naijaxnet.com.ng, 1 +naijmobile.com, 1 +naika.clinic, 1 +nailartstudio.it, 1 +nailattitude.ch, 0 +nailchiodo.com, 1 +nailclub.tk, 1 +naildesignsjournal.com, 1 +nailmoscow.ru, 1 +nails-n-more.be, 1 +nailsart.roma.it, 1 +nailshop.gq, 1 +nailsmania.ua, 1 +nailspafinder.com, 1 +naim.tk, 1 +nairamine.org, 1 +nairobibusinessreview.com, 1 +nairus.com.br, 1 +nais.org, 1 +najany.de, 1 +najany.dk, 1 +najany.nl, 1 +najany.se, 1 +najarkadeh.com, 1 +najbezpieczniejsze.pl, 1 +najdou.cz, 1 +naji-astier.com, 1 +najprzepis.pl, 1 +najrecept.sk, 1 +naka.io, 1 +nakaci.de, 1 +nakacide.com, 1 +nakada-shika.com, 1 +nakada4610.com, 1 +nakagawa-d.co.jp, 1 +nakagawa-s.jp, 1 +nakahama-dental.com, 1 +nakajima-kawara.com, 1 +nakalabo.jp, 1 +nakama.tv, 1 +nakamastudios.com, 1 +nakamochi.io, 1 +nakanishi-paint.com, 1 +nakanocity-cashless.jp, 1 +nakayama.industries, 1 +nakayamaresearch.com, 1 +nakazanie.ga, 1 +naked.pics, 1 +nakedalarmclock.me, 1 +nakedbigdickmen.com, 1 +nakedfacts.co.uk, 0 +nakedgirls247.xxx, 1 +nakedinkas.com, 1 +nakedmaturepics.com, 1 +nakedpussypics.com, 1 +nakedpussyvideos.com, 1 +nakedtruth.in, 1 +nakedwomenpics.com, 1 +nakenmodell.tk, 1 +nakib4tech.com, 1 +nakim.cf, 1 +nakin.tk, 1 +nakisa.com, 1 +nakka.ch, 1 +nakkati.tk, 1 +nakliyat.name.tr, 1 +nakliye.name.tr, 1 +nakluky.cz, 1 +nako.blog, 1 +nako.kr, 1 +nako.no, 1 +naksquad.net, 1 +nakukata.com, 1 +nakupi.online, 1 +nakupnabytku.sk, 1 +nalanyinyun.top, 1 +naldydimpudus.com, 1 +nale-hosting.tk, 1 +nalepky-na-zed.cz, 1 +nalepte.cz, 1 +nalexandru.xyz, 1 +nalios.be, 1 +nalle.fi, 1 +nalles.net, 1 +nalresearch.com, 1 +naltrexon.gq, 1 +nalukfitness.com.br, 1 +nalwin.cc, 1 +namaanakperempuan.net, 1 +namabank.com.vn, 1 +namacindia.com, 1 +namalelaki.com, 1 +namamala.com, 1 +namaperempuan.com, 1 +namastehomecooking.com, 1 +namastenaturo.fr, 1 +namastewestland.nl, 1 +namazon.org, 1 +namazvakitleri.com.tr, 0 +namclear.com.na, 1 +name.am, 1 +name.ax, 1 +namecoin.info, 1 +namecoin.org, 1 +namedb.ru, 1 +namegen.jp, 1 +namegrep.com, 1 +nameid.org, 1 +namepros.com, 1 +nameproscdn.com, 1 +namereel.com, 1 +nameserver.tk, 1 +nameshield.com, 1 +nameshield.net, 1 +namesmaker.com, 0 +namesnack.com, 1 +namespacesquatting.com, 1 +namestudio.com, 1 +namestudioapi.com, 1 +nametalent.com, 1 +namethatporn.com, 1 +namethissymbol.com, 1 +nametiles.co, 1 +namevirus.com, 1 +namevirus.net, 1 +namevirus.org, 1 +nami.bo, 1 +nami.exchange, 1 +nami.trade, 1 +namikawatetsuji.jp, 1 +naminam.de, 1 +namlcftc.gov.ae, 1 +nammont.com, 1 +namoro.com.pt, 1 +namozagy.com, 1 +namrs.net, 1 +namsbaekur.is, 1 +namskra.is, 1 +namu.la, 1 +namu.live, 1 +namu.moe, 1 +namu.news, 1 +namu.wiki, 1 +nan0.cloud, 1 +nanafeed.com, 1 +nanaimo.ca, 1 +nanaimoneighbourhoods.ca, 1 +nanaka.love, 1 +nanaya.net, 1 +nanaya.pro, 1 +nanboya.com, 1 +nancecountyne.gov, 1 +nanch.com, 1 +nanco.co.jp, 1 +nanco.jp, 1 +nancytelford.com, 1 +nancytutors.com, 1 +nancyzone.tk, 1 +nandajorna.nl, 1 +nandakumar.co.in, 1 +nandakumar.org, 1 +nandapanithota.xyz, 1 +nandedam.com, 1 +nandedbazar.tk, 1 +nandemo.tk, 1 +nandertga.ddns.net, 1 +nandi.tech, 1 +nandito.tk, 1 +nanfangstone.com, 1 +nange.cn, 1 +nangluongxanhbinhphuoc.com, 1 +nangwizard.net, 1 +nanhuimed.com, 1 +nanhuitop.com, 0 +naninossoftware.tk, 1 +nanjie.com.tw, 1 +nanjiyy.com, 1 +nankiseamansclub.com, 1 +nanmu.me, 1 +nannatextiles.com, 1 +nannatextiles.de, 1 +nannyandhousekeeper.uk, 1 +nannytax.ca, 1 +nano.com.au, 1 +nano.voting, 1 +nanoavionics.com, 1 +nanodynelabs.com, 1 +nanofate.tk, 1 +nanofy.org, 1 +nanogi.ga, 1 +nanogramme.fr, 0 +nanohatsolution.tk, 1 +nanohostsolution.cf, 1 +nanointeractive.cn, 1 +nanolet.ga, 1 +nanollet.org, 1 +nanomicron.eu, 1 +nanomusic.co.kr, 1 +nanopixel.ch, 1 +nanoport.jp, 1 +nanoprogress.pl, 1 +nanosek.pro, 1 +nanosene.com, 1 +nanoshop.ml, 1 +nanospheres.tk, 1 +nanostetic.com, 1 +nanostix.com.my, 1 +nanotechnologist.com, 1 +nanotechnologysolutions.com.au, 1 +nanotechtorsion.com, 1 +nanotipbot.tk, 1 +nanotrasen.org, 0 +nanovolt.nl, 1 +nanowallet.io, 1 +nansa.ch, 1 +nanubo.com, 1 +nanubo.de, 1 +nanucchy.com, 1 +nanxin.xyz, 1 +nao.sh, 1 +naob.no, 1 +naocan.cf, 1 +naocan.ml, 1 +naotron.com, 1 +napavalleyregister.com, 1 +napcae.de, 1 +napervilleweather.com, 1 +naphex.rocks, 1 +napi.edu.ee, 1 +napidoktor.hu, 1 +napifilm.com, 1 +napikuponok.hu, 1 +napilol.ml, 1 +napisdata.us, 1 +napitok.tk, 1 +napituti.cf, 1 +napkins-wholesale.co.za, 1 +napkins-wholesale.com, 1 +napkins-wholesale.in, 1 +napkins-wholesale.nz, 1 +napkins-wholesale.uk, 1 +naplata.mk, 1 +naples.tk, 1 +naplestotalgarage.com, 1 +napnet.hu, 1 +napo.tk, 1 +napoleonoutlawed.tk, 1 +napolict.com, 1 +napolike.it, 1 +napolinissanctparts.com, 1 +napolitoday.it, 1 +napominanie.ml, 1 +napoveda.online, 1 +nappkassen.se, 1 +nappy.co, 1 +nappylaundry.ga, 1 +nappywashing.ga, 1 +naprapativast.se, 1 +naprawa-bazy-danych.pl, 1 +naprodukcji.xyz, 1 +napych.com, 1 +naql.om, 1 +naqrat.sa, 1 +naquebec.tk, 1 +nara.gov, 1 +naraboty.ga, 1 +narada.com.ua, 1 +naradiebosch.sk, 1 +naradiehusqvarna.sk, 1 +naradiemakita.sk, 1 +narafood.ro, 1 +naraku.cc, 1 +naranonsantabarbara.org, 1 +narardetval.se, 1 +narasi.tv, 1 +narayanahealth.org, 1 +narazaka.net, 1 +narcissism.tk, 1 +narcocheck.com, 1 +narcoticsanonymous.tk, 1 +narda-sts.com, 1 +nardamiteq.com, 1 +nardpedro.tk, 1 +narealcomadai.com.br, 1 +narec.org, 1 +narek.tk, 1 +narela.com.mx, 0 +narenderchopra.com, 1 +narevapromotions.com, 1 +narfation.org, 1 +nargileciden.com, 1 +nargileh.nl, 1 +naric.com, 1 +narin.cf, 1 +narindal.ca, 1 +narindal.ch, 1 +naringslivsala.se, 1 +nariohtools.com, 1 +naris-grc.com, 1 +narkasa.com, 1 +narko-stop.org, 1 +narkocenter116.ru, 1 +narmafzar.tk, 1 +narmos.ch, 1 +naro.se, 1 +narodnaya-medizina.tk, 1 +narodniki.com, 1 +narodnyi-potolok.by, 1 +narodowyspispowszechny.pl, 1 +narodserial.cf, 1 +naroph.jp, 1 +naroska.name, 1 +narrativasdigitais.pt, 0 +narrative.network, 1 +narrative.org, 1 +narrenverein-wolkenschieber.de, 1 +narrow.one, 1 +narthollis.net, 1 +nartkoc.com, 1 +nartlift.com, 1 +naruchnie-chasi.com, 1 +narushil-pdd.cf, 1 +narushil-pdd.ga, 1 +narushil-pdd.gq, 1 +narushil-pdd.ml, 1 +narushil-pdd.tk, 1 +naruto-best.tk, 1 +narutodelivery.com.br, 1 +narutolimits.tk, 1 +narutoshippuden.tk, 1 +narutoshow.tk, 1 +narutouzumaki.tk, 1 +narvizit.com, 1 +nary-software.com, 1 +narzedziownia.top, 1 +nas-redes-sociais.com, 1 +nas.gov.ua, 1 +nasaacronyms.com, 1 +nasacxhacxha.org, 1 +nasarawanewsonline.com, 1 +nasavelkaceskoslovenskasvadba.eu, 1 +nasbi.pl, 1 +nascentmaker.com, 1 +naschart.com, 1 +naschenweng.info, 1 +naschenweng.me, 1 +naschtastisch.de, 1 +nascloud.be, 1 +nasdarq.com, 1 +nasecasomira.cz, 1 +nasedluhy.cz, 1 +naseehah.ga, 1 +nasehyar.ir, 1 +nash-dom.tk, 1 +nash-megagid.tk, 1 +nash-server.tk, 1 +nash-shishtavec.tk, 1 +nash2008.com, 1 +nasha-kahovka.tk, 1 +nashareklama.tk, 1 +nashc.net, 1 +nashfm.tk, 1 +nashfutbol.tk, 1 +nashidetki.tk, 1 +nashira.cz, 1 +nashjurist.tk, 1 +nashkrai.ga, 1 +nashsovetik.info, 1 +nashuaradiology.com, 1 +nashuarpc.gov, 1 +nashvillebasements.com, 1 +nashvilledowntown.com, 1 +nashvillelidsurgery.com, 1 +nashvilleplasticsurgery.com, 1 +nashvillesheriff.gov, 1 +nashwaukmn.gov, 1 +nashzhou.me, 1 +nasic-japan.com, 1 +nasilbirsite.tk, 1 +nasimblog.tk, 1 +nasimsabz.com, 1 +nasirrezazi.tk, 1 +naslovi.net, 1 +nasme.tk, 1 +nasosvdom.com, 1 +nasosvdom.com.ua, 1 +nasr.mobi, 1 +nasrabady.tk, 1 +nasrullaganjnews.tk, 1 +nassaucountyfl.gov, 1 +nassautrafficny.gov, 1 +nassconorfolk.com, 1 +nassi.me, 1 +nast.ro, 1 +nast.tk, 1 +nastationztv.com, 1 +nastjenka.tk, 1 +nastunya.tk, 1 +nastyapetrovaflorist.ru, 1 +nastycomics.eu, 1 +nastysclaw.com, 1 +nasvyazi.ga, 1 +naszymzdaniem.pl, 1 +nat-neocron.tk, 1 +nat.ac, 1 +nataez.tk, 1 +nataldigital.com, 1 +natalia-in-quebec.tk, 1 +natalia-shablo.ru, 1 +natalia-venezuela.tk, 1 +nataliaanderson.com.br, 1 +nataliapearl.com, 1 +nataliealba.net, 1 +nataliehershlag.tk, 1 +natanaelys.com, 1 +nataniel-perissier.fr, 1 +natarius.tk, 1 +natariusadvokat.ga, 1 +natasa-theodoridou.tk, 1 +natasabekvalac.tk, 1 +natasasavija.tk, 1 +nataschaskraamzorg.nl, 1 +natashacampos.com.br, 1 +natashacampos.nl, 1 +natashavaz.nl, 1 +natashki.tk, 1 +natbomusic.com, 1 +natchezss.com, 1 +natcredit.ru, 1 +nate.sh, 1 +nateandxtina.wedding, 1 +natedoss.com, 1 +nategreen.org, 0 +natehobi.com, 1 +natelefon.tk, 1 +natenom.com, 1 +natenom.de, 1 +natenom.name, 1 +natenzia.fr, 1 +nateoster.com, 1 +natera.com, 1 +nates.tk, 1 +natesigal.com, 1 +natevolker.com, 1 +natflix.ch, 1 +natgo.xyz, 1 +nathalie-guillaumin.coach, 1 +nathaliedijkxhoorn.com, 1 +nathaliedijkxhoorn.nl, 1 +nathaliesadventure.eu, 1 +nathaliesavale.com, 1 +nathalieschaos.tk, 1 +nathan.ovh, 1 +nathan2055.com, 1 +nathanaeldawe.com, 1 +nathanbarry.com, 1 +nathancrank.com, 1 +nathancuendet.ch, 1 +nathanielknight.ca, 1 +nathanielparker.com, 0 +nathanielparker.de, 0 +nathanielparker.info, 0 +nathanielparker.org, 0 +nathanielsigal.com, 1 +nathankonopinski.com, 1 +nathanmfarrugia.com, 1 +nathanphoenix.com, 1 +nathansmetana.com, 1 +nathenmaxwell.tk, 1 +nathumarket.com.br, 1 +nation.net.pk, 1 +national-anime.com, 1 +national-shitposting.agency, 1 +nationalacademic.nl, 1 +nationalaustriabank.com, 1 +nationalbank.gov, 1 +nationalbankhelp.gov, 1 +nationalbanknet.gov, 1 +nationalcybersecuritysociety.org, 1 +nationalemployertraining.co.uk, 1 +nationaleyecenter.id, 1 +nationalfleetparts.com, 1 +nationalgangcenter.gov, 1 +nationalgridrenewables.com, 1 +nationalhomequotes.com, 1 +nationaljobservice.com, 1 +nationalmall.gov, 1 +nationalmap.gov, 0 +nationalmower.com, 1 +nationalopera.ml, 1 +nationalpriorities.org, 1 +nationalresourcedirectory.gov, 1 +nationalservice.gov, 1 +nationaltestingnetwork.com, 1 +nationaltrails.ru, 1 +nationandfreedom.tk, 1 +nationslending.com, 1 +nationsreportcard.gov, 1 +nationwide.com, 1 +nationwideadvisory.com, 1 +nationx.tk, 1 +nativalab.com, 1 +native2ascii.net, 1 +nativemeadowshoney.com, 1 +nativemusicrecords.cf, 1 +nativeonestop.gov, 1 +nativeproductions.ml, 1 +natives-team.ch, 0 +nativetitle.org.au, 1 +nativitychurchnj.org, 1 +nativitynj.org, 1 +natlec.ch, 1 +natlec.com, 1 +natmal.net, 1 +nato-stamps.tk, 1 +natreningu.net, 1 +natrespro.com, 1 +natronaincident.gov, 1 +natronasheriff.gov, 1 +natropie.pl, 1 +nats-flop.tk, 1 +natty.sh, 1 +natualsmoke.com, 1 +natuerlichabnehmen.ch, 1 +natunion.ga, 1 +natur-care.com, 1 +natur-plus.tk, 1 +natur-seele.de, 1 +natur-udvar.hu, 1 +natur-und-kultur.de, 1 +natur.com, 1 +natura-sense.com, 1 +natura2000.tk, 1 +naturabuy.fr, 1 +naturalbadbreathcures.com, 1 +naturalbladdercontrol.tk, 1 +naturalcosmetics.cf, 1 +naturaldisasters.tk, 1 +naturalflowerpower.com, 1 +naturalhealingguides.com, 1 +naturalkitchen.co.uk, 1 +naturallychildled.com, 1 +naturallygood4u.com, 1 +naturallyuncommon.com, 1 +naturalmentesinescuela.com, 1 +naturalprobiotica.com, 1 +naturalreaders.com, 1 +naturalresources.wales, 1 +naturalstyle.tk, 1 +naturalwellnesssolutions.org, 1 +naturana.news, 1 +naturaprint.fr, 1 +naturart.pt, 1 +nature-avenue.com, 1 +natureandculture.org, 0 +natureclaim.com, 1 +naturedao.hk, 1 +natureexplorer.is, 1 +natureisland.tk, 1 +naturel.tk, 1 +natureleafmarket.co.uk, 1 +naturelife.bg, 1 +naturelk.org, 1 +naturemeadows.in, 1 +naturesbest.co.uk, 1 +natureshealthandbody.com, 1 +naturesupply.eu, 1 +naturheilkunde-sabine-klein.de, 1 +naturheilpraxis-grauer.de, 1 +naturheilpraxis-oida.de, 1 +naturheilpraxis-p-grote.de, 1 +naturliga.tk, 1 +naturopath.tk, 1 +naturopatiasiddharta.com, 1 +naturparadies-rheinauen.de, 1 +naturschutz-holderbank.ch, 1 +naturvit.at, 1 +natusvita.com, 1 +natusvita.com.br, 1 +natuurinhuisheerenveen.tk, 1 +natuurkundegeflipt.nl, 1 +natuurlijk.tk, 1 +natuurlijkehaarkleuring.nl, 1 +natuurophaarmooist.nl, 1 +natviehealthcare.com, 1 +natwest.com, 1 +natwestbusinesshub.com, 1 +natwestgroup.com, 1 +natwestinternational.com, 1 +naucountry.com, 1 +naude.co, 1 +naufalpanjwani.com, 1 +naughty.audio, 1 +naughtydog.com, 1 +nauris.fi, 1 +nauseainthemorning.ml, 1 +nausicaahotel.it, 1 +naut.ca, 1 +nautholl.is, 1 +nautiboat.it, 1 +nauticlink.com, 1 +nautika.tk, 1 +nautiljon.com, 1 +nautiluslabs.com, 1 +nautilusoceanica.com, 1 +nautours.de, 1 +nautsch.de, 1 +nauz-art.com, 1 +nav.no, 1 +nava.org, 1 +navadebejar.tk, 1 +navajasdesupervivencia.es, 1 +navajocountysheriff.gov, 1 +navalarchitect.tk, 1 +navalkejigo.tk, 1 +navaneethnagesh.com, 1 +navarrete.tk, 1 +navasoft.com.tr, 1 +naveengranites.com, 1 +navegantesdelcosmos.ec, 1 +navegarea.tk, 1 +naveka.ga, 1 +navenlle.com, 1 +naviaddress.io, 1 +navidarian.tk, 1 +navienna.com, 1 +navient.com, 1 +navigo-inc.com, 1 +navigo.cc, 1 +navigo.global, 1 +navinka.com, 1 +navionhcs.com, 1 +navirefi.com, 1 +naviteq.eu, 1 +navkor.tk, 1 +navlnachekg.cz, 1 +navnet.ml, 1 +navoiyrapmafia.tk, 1 +navoto.com, 1 +navstevnik.sk, 1 +navycs.com, 1 +navyfederal.org, 1 +nawaf-blog.com, 1 +nawasyo.co.jp, 1 +nawdar.tk, 1 +nawir.de, 1 +nawroth.info, 1 +nawt.pl, 1 +nax.io, 0 +naxcivan.tk, 1 +naxe.lv, 1 +naxsnaps.co.uk, 1 +nayanaas.com, 1 +nayankasturi.eu.org, 1 +nayapakistan.tk, 1 +nayatel.com, 1 +nayefalebrahim.com, 1 +naymai.com, 1 +nayna.tk, 1 +nayr.us, 1 +naz-sciaves.eu, 1 +nazarenohuelva.tk, 1 +nazarenoviso.tk, 1 +nazbol.tk, 1 +nazevfirmy.cz, 1 +nazimogluinsaat.com, 1 +nazmulislam.cf, 1 +nazuna.blue, 1 +nb.mba, 1 +nb.zone, 1 +nb6.de, 1 +nba-2k.com, 1 +nba-croatia.com, 0 +nba.christmas, 1 +nba.com.de, 1 +nba.de.com, 1 +nba.download, 1 +nba.gd, 1 +nba.gs, 1 +nba.gy, 1 +nba.hosting, 1 +nba.im, 1 +nba.live, 1 +nba.lu, 1 +nba.moe, 1 +nba.trade, 1 +nba.vc, 1 +nba.vg, 1 +nba2.com, 1 +nba2k.blog, 1 +nba2k.cc, 1 +nba2k.co, 1 +nba2k.download, 1 +nba2k.live, 1 +nba2k.net, 1 +nba2k.tw, 1 +nba2kcn.com, 1 +nba2kmods.com, 1 +nba2kmt.com, 1 +nba2kmy.team, 1 +nba2kol.com, 1 +nba2konline.com, 1 +nba2konlinex.com, 1 +nba2kqq.com, 1 +nba2kx.com, 1 +nbaac.org, 1 +nbadancers.com, 1 +nbadao.com, 1 +nbade.com, 1 +nbafile.com, 1 +nbagirls.com, 1 +nbaim.com, 1 +nbaimg.com, 1 +nbalivecn.com, 1 +nbalivex.com, 1 +nbao.ca, 1 +nbaot.org, 1 +nbapc.org, 1 +nbapwned.com, 1 +nbari.com, 1 +nbask.com, 1 +nbasky.com, 1 +nbaspot.com, 1 +nbavc.com, 1 +nbavg.com, 1 +nbayouxi.com, 1 +nbc.com.tr, 1 +nbc26.com, 1 +nbf.ae, 1 +nbfl.gov, 1 +nbg.mobi, 1 +nbgrp.org, 1 +nbhwj.com, 1 +nbib.gov, 1 +nbios.net, 1 +nbis.gov, 1 +nbl-forklift.com, 1 +nbm.gov, 1 +nbotvinnik.com, 1 +nbr.uno, 1 +nbrain.de, 1 +nbriresearch.com, 1 +nbrown.us, 1 +nbtc.com, 1 +nbwp.uk, 1 +nbx.com, 1 +nc-beautypro.fr, 1 +nc-formation.fr, 1 +nc-network.io, 1 +nc3rs.org.uk, 1 +ncadc.org, 1 +ncalculators.com, 1 +ncamarquee.co.uk, 1 +ncarmine.com, 1 +ncascade.com, 1 +ncastillo.xyz, 1 +ncat.tokyo, 1 +ncauditor.gov, 1 +ncbham.be, 1 +ncbon.gov, 1 +ncc-efm.com, 1 +ncc-efm.org, 1 +ncc-qualityandsafety.org, 1 +nccauto.gov.in, 1 +ncceh.ca, 1 +nccemail.net, 1 +ncchd.go.jp, 1 +nccny.com, 1 +nccoe.org, 1 +nccpa.net, 1 +ncdc.pt, 1 +ncdpi.gov, 1 +ncdwlq.space, 1 +ncea.net.au, 1 +nceahelp.com, 1 +ncedcloud.gov, 1 +ncegs.sk, 1 +ncem.gov, 1 +ncfireca.gov, 1 +ncgaming.gov, 1 +nch.com, 1 +nchaf-dynamic.gov, 1 +nchaf-static.gov, 1 +nchaf.gov, 1 +nchangfong.com, 0 +nchomeownerassistance.gov, 1 +nchrd.org, 1 +nci.com.es, 1 +nci.systems, 1 +ncic.gg, 1 +ncig.com.au, 1 +ncionline.co.uk, 1 +ncjdigital.com, 1 +ncjrs.gov, 1 +ncksrv.com, 1 +ncksrv.email, 1 +ncksrv.eu, 1 +ncksrv.net, 1 +ncksrv.nl, 1 +ncksrv.org, 1 +nclea.gov, 1 +nclf.net, 0 +ncli-design.com, 1 +ncloud.freeddns.org, 1 +ncmc.me, 1 +ncmedicaidplan.gov, 1 +ncmedicaidplans.gov, 1 +ncmms.gov, 1 +ncncs.com, 1 +ncommenuptial.tk, 1 +ncosc.gov, 1 +ncpc.gov, 1 +ncpimd001.spdns.de, 1 +ncpublichealth.info, 1 +ncpw.gov, 1 +ncr.pub, 1 +ncrjobs.in, 1 +ncrpay.com, 1 +ncrypt.ai, 1 +ncrypt.at, 1 +ncs-cleaning.dk, 1 +ncsbadvisors.gov, 1 +ncsbe-apps.gov, 1 +ncsc.gov.uk, 1 +ncsccs.com, 1 +ncshp.gov, 1 +ncsis.gov, 1 +ncsparta.gov, 1 +ncswa-nm.org, 1 +ncswboard.gov, 1 +nctu.moe, 1 +nctx.co.uk, 1 +ncua.gov, 1 +ncuc.gov, 1 +ncvps.gov, 1 +ndaal.eu, 1 +ndaccount.com, 1 +ndarville.com, 1 +ndbilje.si, 0 +ndcpolipak.com, 1 +ndd.govt.nz, 1 +ndeb-bned.ca, 1 +ndev.tk, 1 +ndhhs.gov, 1 +ndhlink.com, 1 +ndiama.eu.org, 1 +ndigen.com, 1 +ndisreview.gov.au, 1 +ndlegis.gov, 1 +ndlegistest.gov, 1 +ndmath.club, 1 +ndns.ga, 1 +ndpbrn-research.org, 1 +ndpigskin.com, 1 +ndplumbingboard.gov, 1 +ndq.be, 1 +ndrew.me, 1 +nds-helicopter.de, 1 +nds-online.ru, 1 +ndscreening.com, 1 +ndtblog.com, 1 +ndum.ch, 1 +ndvlaw.com, 1 +ndvr.com, 1 +ndx.ee, 1 +ndxinfo.eti.br, 1 +ndy.sex, 1 +ne-on.org, 1 +ne.ax, 1 +nea.gov, 1 +nealvorusphd.com, 1 +neanderthalia.tk, 1 +neapi.com, 1 +nearbi.com.mx, 1 +nearby.in.th, 1 +nearestbusiness.com, 1 +nearlist.com, 1 +nearnorthcustoms.biz, 1 +nearnorthcustoms.co, 1 +nearnorthcustoms.com, 1 +nearnorthcustomsus.com, 1 +nearnorthmassage.com, 1 +nearnorthus.com, 1 +neartothesky.com, 1 +neasahourigan.com, 0 +neatful.eu.org, 1 +neath-afan-gymnastics.com, 1 +neatlife.co.uk, 1 +neatnestsdesign.com, 1 +neatnestsorganizing.com, 1 +neatous.cz, 1 +neatous.net, 1 +neatsvor.at, 1 +neatsvor.lt, 1 +neauviachannel.com, 1 +neave.tv, 1 +neawth.com, 1 +neaz.tk, 1 +neb.li, 1 +neba.io, 1 +nebeauty.it, 1 +nebebra.stream, 1 +nebelhauch.de, 1 +nebenan.de, 1 +nebenbeiblog.ch, 1 +nebix.tk, 1 +nebohost.tk, 1 +neboley.cf, 1 +nebra.io, 1 +nebraskadrypeas.gov, 1 +nebraskajudicial.gov, 1 +nebraskaresearch2.gov, 1 +nebraskawheat.gov, 1 +nebucadnezzer.tk, 1 +nebulae.co, 1 +nebulise.com, 1 +necd.me, 1 +necio.ca, 1 +neckbeard.xyz, 1 +necord.com, 1 +necretro.org, 1 +necromantia.tk, 1 +necronaut.tk, 1 +necronomusick.tk, 1 +necropolis-online.tk, 1 +necta.go.tz, 0 +nectere.ca, 1 +nectir-staging.com, 1 +nectir.co, 1 +necycvet.ru, 0 +nedapflux.com, 1 +nedcdata.org, 1 +nedcv-preview.nl, 1 +nedcv.nl, 1 +nedela.tk, 1 +nedemek.com.tr, 1 +nederbetuwe.nl, 0 +nederlandmobiel.nl, 1 +nederlands-vastgoedfonds.nl, 1 +nederlandse-modelspoor-database.nl, 1 +nederlandwereldwijd.nl, 1 +nedermisp.nl, 1 +nedhome.ml, 1 +nedim-accueil.fr, 1 +nedimon.gq, 1 +nedir.help, 1 +nednex.com, 1 +nedviga.gq, 1 +nedviga.tk, 1 +nedvizhimost.tk, 1 +nedvizhimostthailand.ml, 1 +nedvrf.ru, 1 +nedzadalibegovic.com, 1 +neecist.org, 1 +needfire.ga, 1 +needflare.com, 1 +needing.cf, 1 +needle-demo.azurewebsites.net, 1 +needle.net.nz, 1 +needle.nz, 1 +needme.com, 1 +needmytranscript.com, 1 +needrom.com, 1 +needsth.top, 1 +neeerd.org, 1 +neel.ch, 1 +neemo.nz, 1 +neenahwi.gov, 1 +neenan.com, 1 +neero.fr, 1 +nees.ga, 1 +neesoft.com, 1 +neesousunebonneetoile.ca, 1 +neet-investor.biz, 1 +neetflix.net, 1 +neetze-ferienwohnung.de, 1 +neev.tech, 0 +nefald.fr, 0 +nefertitis.cz, 0 +neff-pressen.de, 1 +nefit-bosch.nl, 1 +nefro-cme.de, 1 +nefthy.de, 1 +neftis.es, 1 +neg9.org, 0 +negabarit.tk, 1 +negai.moe, 0 +negativecrestinegratuite.tk, 1 +negativecurvature.net, 1 +negativeentropy.org, 1 +negativex.gq, 1 +neglected.space, 1 +neglecteddiseases.gov, 1 +negocieipanema.com.br, 1 +negociemos.com.co, 1 +negociequintoandar.com.br, 1 +negocios-imatore.com, 1 +negociosparaoptimistas.com, 1 +negociosurbanos.net, 1 +negoya-shokai.info, 1 +negozimoda.it, 1 +negoziointimo.com, 1 +negr.gay, 1 +negr.tv, 1 +negrete.tk, 1 +negril.com, 0 +neh.gov, 1 +nehalem.gov, 1 +neheim-huesten.de, 1 +nehmer.net, 1 +nehnutelnosti.io, 1 +nehoupat.cz, 1 +nehrp.gov, 1 +nehta.gov.au, 1 +nei.org, 1 +neide.ga, 1 +neighbor.co.il, 1 +neighborhood-threat.tk, 1 +neighborshop.de, 1 +neighborsunitedwilmington.org, 1 +neil-barrett.com, 1 +neil-barrett.uk, 1 +neila.tk, 1 +neilcaruana.com, 1 +neildaniels.com, 1 +neilfarrington.com, 1 +neilgaimanphilippines.tk, 1 +neilpatel.com, 1 +neilrooney.com, 1 +neilwynne.com, 1 +neilyanto.com, 1 +neimadtelliam.fr, 1 +neio.uk, 1 +neishe.net, 1 +neiu.edu, 1 +nej.dk, 0 +nejenpneu.cz, 1 +nejlevnejsi-parapety.cz, 1 +nejmaklerka.cz, 1 +nejrecept.cz, 1 +nejsvetla.cz, 1 +nekb.org, 1 +nekenieh.net, 1 +nekkit.xyz, 1 +nekljudov.ga, 1 +neko-city.tk, 1 +neko-network.tk, 1 +neko-nyan-nuko.com, 1 +neko-nyan.org, 1 +nekochan.blog, 1 +nekodex.net, 1 +nekohana-inuhana.com, 1 +nekoku.io, 1 +nekomanten.de, 1 +nekomata.tk, 1 +nekomimi.pl, 1 +nekomimirouter.com, 1 +nekomimix.net, 1 +nekomiya-sama.top, 1 +nekomoe.moe, 1 +nekondiciya.cf, 1 +nekonet.us, 1 +nekosc.com, 1 +nekox.ml, 1 +nekrasowsky.ml, 1 +nekretnine-lidl.hr, 1 +nekrylov.ee, 0 +nekrylov.org.ru, 0 +nekrylov.spb.ru, 0 +nekusoul.de, 1 +nelebaehre.de, 0 +nelefon.com, 1 +nelegal-edition.ml, 1 +nelegal-edition.tk, 1 +nelflex.com.br, 1 +nelhage.com, 1 +nelili.com, 1 +nelipak.com, 0 +nella-project.org, 1 +nellacms.org, 1 +nellafw.org, 1 +nellen.it, 1 +nellislife.marketing, 1 +nellydallois.fr, 1 +neln.jp, 1 +neln.net, 1 +nelnet.com, 1 +nelnet.net, 1 +nelnetbank.com, 1 +nelosculpteur.fr, 1 +nelson-marine.com, 0 +nelsoncountyky.gov, 1 +nelsonrecruitmentservices.co.uk, 1 +nelsonrodrigues.tk, 1 +nelsontwpoh.gov, 1 +nelsonworldwide.com, 1 +nelswong.com, 1 +nelty.be, 1 +nely.rocks, 1 +nema.gov.au, 1 +nemagiya.tk, 1 +nemahacountyne.gov, 1 +nemberone.com, 1 +nemcd.com, 1 +nemecisolutions.com, 1 +nemecl.eu, 1 +nemesisenterprises.de, 1 +nemesiz.tk, 1 +nemez.net, 1 +nemiroth.net, 1 +nemirow.tk, 1 +nemkoff.tk, 1 +nemnodes.org, 1 +nemo.run, 1 +nemo911.gov, 1 +nemokamas.tk, 1 +nemplex.com, 1 +nemplex.win, 0 +nemplex.xyz, 1 +nems.no, 0 +nemsurvey.dk, 1 +nemtilmeld.dk, 1 +nemumu.com, 1 +nemunai.re, 1 +nemyriv.tk, 1 +nemzetizaszlok.hu, 1 +nen-ga.jp, 1 +nenapu.tk, 1 +nenco.nl, 1 +nenderus.su, 1 +neneko.moe, 1 +nenkin-kikin.jp, 1 +neno.io, 1 +neo-facade.be, 1 +neo-novarion.com, 1 +neo-wave.ro, 1 +neo1.com, 1 +neo2k.dk, 0 +neo2shyalien.eu, 0 +neo4j.com, 1 +neobits.nl, 1 +neoblindados.com.br, 1 +neoblog.tk, 1 +neobt.ro, 1 +neocenter.org, 1 +neochan.net, 1 +neochan.ru, 1 +neocharge.net, 1 +neocities.org, 1 +neoclan.tk, 1 +neocyd.com, 1 +neodaedalus.com.au, 1 +neodigital.bg, 1 +neodrive.ch, 1 +neodruid.tk, 1 +neoedresources.org, 1 +neoeliteconsulting.com, 1 +neofinancial.com, 1 +neogenomics.com, 1 +neograftaustintx.com, 1 +neohu.com, 1 +neoinvestor.club, 1 +neojo.org, 1 +neoko.fr, 1 +neokobe.city, 1 +neokonmarketing.de, 1 +neolaudia.es, 1 +neolinfx.com, 1 +neolininvestment.com, 1 +neolink.com.br, 1 +neom-specificenergy.com, 1 +neom.directory, 1 +neonataleducationalresources.org, 1 +neonatalgoldenhours.org, 1 +neonbutik.com.tr, 1 +neoneuland.de, 1 +neonfestival.net, 1 +neonia.com.pl, 1 +neonigma.tk, 1 +neonknight.ch, 1 +neons.org, 1 +neontemple.net, 1 +neoone.art, 0 +neophilus.net, 1 +neopolis.gr, 1 +neopoly.com, 1 +neopoly.de, 1 +neoreflex.nz, 1 +neorsd.org, 1 +neos.co.jp, 1 +neosdesignstudio.co.uk, 1 +neosecurityteam.tk, 1 +neoshomo.gov, 1 +neosoft.hu, 1 +neosolution.ca, 1 +neossa.com, 1 +neostralis.com, 1 +neostralis.de, 1 +neostralis.net, 1 +neosys.com, 1 +neosys.eu, 1 +neot-shacked.com, 1 +neotech-solutions.com, 1 +neotiv.com, 1 +neotracker.io, 0 +neovapo.com, 1 +neoverify.com, 1 +neoverso.tk, 1 +neovote.com, 1 +neowa.tk, 1 +neowin.net, 1 +neoxcrf.com, 1 +neoz.com.br, 1 +neozeon.io, 1 +nepal-evolution.org, 0 +nepal.ga, 1 +nepalboxoffice.tk, 1 +nepalese.tk, 1 +nepali-fonts.tk, 1 +nepalsnews.tk, 1 +nepartypas.tk, 1 +nepezzano13.com, 1 +neph.social, 1 +nephelae.eu, 1 +nephelion.org, 1 +nephology.net.au, 1 +nephrogo.com, 1 +nephrogo.de, 1 +nephrogo.lt, 1 +nephrolog.lt, 1 +nephy.jp, 1 +neplatnasmlouva.cz, 1 +nepomuk-ev.de, 1 +nepovolenainternetovahazardnihra.cz, 1 +nepozitkova.cz, 1 +neppglobal.top, 1 +nepremicninar.com, 1 +nepremicnine-lidl.si, 1 +nepremicnine.click, 1 +neptun-rio.tk, 1 +neptune.lol, 1 +neptunosrefugio.tk, 1 +nepu.tk, 1 +nerba.net, 1 +nerd.gallery, 1 +nerdalert.dk, 1 +nerdaristocracy.com, 1 +nerdblog.eu, 1 +nerdbox.cc, 1 +nerdca.st, 1 +nerdgebastel.de, 1 +nerdgift.ml, 1 +nerdherd.fun, 1 +nerdherd.ovh, 1 +nerdhouse.io, 1 +nerdies24.de, 0 +nerdin.space, 1 +nerdinator.ddns.net, 1 +nerdjokes.de, 1 +nerdmind.de, 1 +nerdmovieproductions.it, 1 +nerdnet.goip.de, 1 +nerdoftheherd.com, 1 +nerdoutstudios.tv, 1 +nerdplusart.com, 1 +nerdpol.ch, 1 +nerdpol.org, 1 +nerdpress.net, 1 +nerdrush.com, 1 +nerds-gegen-stephan.de, 1 +nerds.company, 0 +nerdsin.space, 1 +nerdsonline.tk, 1 +nerdsuits.tk, 1 +nerdsweide.nl, 1 +nerdszondergrenzen.nl, 1 +nerdvault.one, 1 +nerdwallet.com, 1 +nerdydev.net, 1 +nerdyfam.tech, 1 +nerdygadgets.org, 1 +nerdyspace.net, 1 +nerfcity.tk, 1 +nerfroute.com, 1 +neri.it, 1 +nerion.tk, 1 +nerispa.it, 1 +neriumrx.com, 1 +nerja.es, 1 +nerloee.dk, 1 +neroli.bg, 1 +neroninvestment.org, 1 +neropiceno.tk, 1 +nerot.eu, 1 +neroteknik.com.tr, 1 +nerotv.live, 1 +nerpa-club.ru, 1 +nerss.ca, 1 +nertus.ua, 1 +nerull7.info, 1 +nerv.com.au, 1 +nerven.se, 1 +nervi.ga, 1 +nesabamedia.com, 1 +neseari.com, 1 +nesfb.com, 1 +nesheims.com, 1 +nesheimswaterrestoration.com, 1 +neshkorowi.gov, 1 +neshtata.bg, 1 +neskins.com, 1 +nesoddkatten.no, 1 +nesolabs.com, 1 +nesolabs.de, 1 +nespim.tk, 1 +nespresso.vn, 1 +ness.sh, 1 +nessaesthetics.com, 1 +nesscitycatholic.org, 1 +nesstormented.tk, 1 +nestas.eu, 1 +nestbynature.com, 1 +nesterov.pw, 1 +nestetic.com, 1 +nestforms.com, 1 +nestinvest.com, 1 +nestlanddesign.com, 1 +nestlein.de, 1 +nestone.ru, 1 +nestra.tk, 1 +nestreeo.com, 1 +neswblogs.com, 1 +neswec.org.uk, 1 +net-abuse.email, 1 +net-combo-ja.com, 1 +net-file.tk, 1 +net-news.gq, 1 +net-provider.cloud, 1 +net-safe.info, 1 +net-script.tk, 1 +net-service.cz, 1 +net.nl.eu.org, 1 +net2ftp.com, 1 +net4you.net, 1 +netaap.nl, 1 +netamia.com, 1 +netanin.tk, 1 +netape.nl, 1 +netapps.de, 1 +netba.net, 1 +netbank.com.au, 1 +netbasequid.com, 0 +netbeacon.de, 1 +netbears.com, 1 +netbears.ro, 1 +netbeyond.de, 1 +netbird.tk, 1 +netbit.com.br, 1 +netbows.com, 1 +netbows.es, 1 +netbox.org, 1 +netbrewventures.com, 1 +netbrief.ml, 1 +netbulls.io, 1 +netbuzz.ru, 1 +netcake.in, 1 +netcapital.com, 1 +netcd.tk, 1 +netcenteret.tk, 1 +netchameleon.com, 1 +netcitadel.com, 1 +netcitycheb.ru, 1 +netco-group.de, 1 +netco-privacy.de, 1 +netco-system.de, 1 +netcoolusers.org, 1 +netcoresmartech.com, 1 +netcost-security.fr, 1 +netcrew.de, 1 +netculturejokes.tk, 1 +netd.at, 1 +netdego.jp, 1 +netdex.co, 1 +netdiode.com, 1 +netdiode.eu, 1 +netdiode.net, 1 +netdiode.org, 1 +netdir.tk, 1 +netdisk.io, 1 +netdnstrace1.com, 1 +netdox.asia, 1 +netdox.de, 1 +netducks.com, 1 +netducks.space, 1 +netdude.tk, 1 +netelite.tk, 1 +netera.se, 1 +neteraser.de, 1 +neteye.ru, 1 +netfabb.com, 1 +netface.com.br, 1 +netferie.de, 1 +netferie.dk, 1 +netferie.no, 1 +netfiles.de, 1 +netfirmtextile.com, 1 +netflowanalysissolution.com, 1 +netflowanalysissolutions.com, 1 +netflowcalculator.com, 1 +netflowcollector.com, 1 +netflowknight.com, 1 +netflowknights.com, 1 +netflowreplicator.com, 1 +netflowsword.com, 1 +netflowtoday.com, 1 +netflowtrafficanalysis.net, 1 +netfog.de, 1 +netfolio.pt, 1 +netforall.tk, 1 +netfoundry.io, 1 +netfreedom.tk, 1 +netfs.pl, 1 +netfuture.ch, 1 +netgaming.de, 1 +netgenetiqs.de, 1 +netgroup.dk, 1 +netguide.co.nz, 1 +nethack.ninja, 1 +nethackwiki.com, 1 +nethask.ru, 1 +nethead.at, 1 +netheadsonair.com, 1 +nethealth.cf, 1 +nethealth.ga, 1 +nethealth.tk, 1 +netherite.gg, 1 +netherlandstypography.nl, 1 +netherlandsworldwide.nl, 1 +nethernet.nl.eu.org, 0 +nethorizon.pl, 1 +nethound.ga, 1 +nethouse.se, 1 +nethruster.com, 0 +nethui.nz, 1 +nethunter.top, 1 +netica.fr, 0 +netig.net, 1 +netim.pl, 1 +netipbox.com, 1 +netjobz.tk, 1 +netkappa.gr, 1 +netkigestioncomercial.com, 1 +netkimonos.com.br, 1 +netkolik.org, 1 +netla.tk, 1 +netlab.my.id, 1 +netleaf.ca, 1 +netlentes.com.br, 1 +netletic.com, 1 +netlevel.ga, 1 +netlify.com, 1 +netlocal.ru, 1 +netmaddy.com, 1 +netmagellan.com, 1 +netmagicas.com.br, 1 +netmajstor.eu, 1 +netmania.tk, 1 +netmedia.tk, 1 +netmedicaitalia.it, 1 +netmeister.org, 1 +netmouse.tk, 1 +netmt.de, 1 +netnea.com, 1 +netnl.eu, 1 +netoborona.tk, 1 +netobur.net, 1 +netolink.co.il, 1 +netolink.com, 1 +netor.ga, 1 +netpatient.dk, 1 +netpenge.tk, 1 +netpreneur.co.za, 1 +netprepare.com, 1 +netprofile.com.au, 0 +netrabota.tk, 1 +netracks.ga, 1 +netradyne.com, 1 +netraising.com, 1 +netrecruituk.co.uk, 1 +netreputation.com, 1 +netresec.com, 1 +netreviews.tk, 1 +netrewrite.com, 1 +netrino.be, 1 +netrino.info, 1 +netrino.io, 1 +netrix.de, 1 +netrogue.ninja, 1 +netronix.be, 1 +netrunner.xyz, 1 +nets.com.sg, 1 +netschool.tk, 1 +netsearch.ga, 1 +netsec.cloud, 1 +netsecma.com, 1 +netshopgarden.com.br, 1 +netsite.dk, 1 +netslum.tk, 1 +netsoftit.com, 1 +netsoins.org, 1 +netsparker.com.tr, 0 +netspeedia.net, 1 +netsphere.cloud, 1 +netsphere.cz, 1 +netstjernen.dk, 1 +netstrategy.it, 1 +netsyms.com, 1 +netsystems.pro, 1 +nettamente.com, 1 +nette.org, 1 +nettegeschenke.de, 1 +netter.co.id, 1 +nettgiro.no, 1 +nettia.fi, 0 +nettiger.tk, 1 +nettikasino.top, 1 +nettikasino247.com, 1 +nettiruletti.ga, 1 +nettiruletti.tk, 1 +nettletonms.gov, 1 +nettools.link, 1 +nettoptangida.com, 1 +nettoyage-apres-deces-crime.fr, 1 +nettoyage-hotte-restaurant.net, 1 +nettoyage-syndrome-de-diogene.fr, 1 +nettoyage.email, 1 +nettoyeurtombe.fr, 1 +nettruepro.com, 1 +nettunoguide.dk, 1 +nettx.co.uk, 1 +nettype.ca, 1 +netu.ro, 1 +netube.org, 1 +netunia.org, 1 +netvizura.co.uk, 1 +netvlies.nl, 0 +netvpn.ml, 1 +netvpn.net, 1 +netwarc.eu, 1 +netwarc.nl, 1 +netwatch.me, 1 +netwave.pl, 1 +netwerkgeneeskunde.nl, 1 +netwerkmediawijsheid.nl, 1 +netwerkstoom.nl, 1 +netwidow.com, 1 +netwire-solutions.com, 1 +netwire.tk, 1 +networg.cz, 1 +networg.pl, 1 +network-au-qa-api.azurewebsites.net, 1 +network-midlands.co.uk, 1 +network-midlands.uk, 1 +network-wr.tk, 1 +network.ae, 0 +network23.nl, 1 +networkarena.tk, 1 +networkcoverageplus.com, 1 +networkdiode.com, 1 +networkdiode.eu, 1 +networkdiode.net, 1 +networkdiode.org, 1 +networking-groups.co.uk, 1 +networking4all.com, 1 +networkingnexus.net, 1 +networkingwithfish.com, 1 +networkinternetmonitor.com, 1 +networklessons.com, 1 +networkmas.com, 1 +networkmidlands.co.uk, 1 +networkmidlands.uk, 1 +networkmon.net, 1 +networkperformancemonitoring.net, 1 +networkposting.com, 1 +networksec.info, 1 +networksecuritysolutions.info, 1 +networksolutionsconsultant.com, 1 +networkthreatdetection.com, 1 +networkthreatprotection.com, 1 +networktools.tk, 1 +networktrafficanalysis.net, 1 +networktrafficanalyzer.net, 1 +networktrafficmonitoring.net, 1 +networkuser.de, 1 +networld.to, 1 +networth.at, 1 +networthpal.com, 1 +networthtracker.xyz, 1 +networx-online.de, 1 +netz-noe.at, 1 +netz0.com, 1 +netzabfragen.de, 1 +netzagentur.at, 1 +netzen.tk, 1 +netzer.ml, 1 +netzfabrik.com, 1 +netzfrauen.org, 1 +netzona.org, 1 +netzpolitik.org, 1 +netzquelle.net, 1 +netzsv.website, 1 +netztest.at, 1 +netzvieh.de, 1 +netzwerk-kinderschutz-msh.de, 1 +netzwerk-kvp.de, 1 +netzwerk-lq.com, 1 +netzwerk-sozialliberal.de, 1 +netzwerkwerk.de, 1 +netzwolf.info, 1 +neuber-it.de, 1 +neuber.uno, 1 +neubr.de, 1 +neuca24.pl, 1 +neuch.info, 0 +neue-energien.tk, 1 +neuelandschaft-welzow.de, 1 +neuf-chateaux.com, 1 +neuhaus-city.de, 1 +neukoppel.de, 1 +neuland.technology, 1 +neumanncontractors.com.au, 1 +neumanndredging.com.au, 1 +neumannindustrialcoatings.com.au, 1 +neumarkcb.com, 1 +neumaticar.cl, 0 +neumond.de, 1 +neurabyte.com, 1 +neuraclix.com, 1 +neuralink.com, 1 +neuralkids.org, 1 +neureichenau.de, 1 +neurexcellence.com, 1 +neurido.net, 1 +neurobiology.com, 1 +neurochip.co.uk, 1 +neurochirurgie-hamborn.de, 1 +neurocny.cloud, 1 +neurococi.org, 1 +neurococi.ro, 1 +neurodiversum.space, 1 +neuroethics.com, 1 +neurogroove.info, 1 +neurohouse.com.br, 1 +neurojournal.ru, 1 +neurologia.tk, 1 +neurologie.tk, 1 +neurologysantamonica.com, 1 +neuron22.ru, 1 +neurontinprice.ga, 1 +neuronus.com.br, 1 +neuropharmacology.com, 1 +neurophysiotherapy.ga, 1 +neuropsychologisthouston.com, 1 +neurosurgeryinmexico.com, 1 +neuroticosanonimos.tk, 1 +neuroticpoets.com, 1 +neurotransmitter.net, 1 +neurozentrum-zentralschweiz.ch, 1 +neustadt-keller.de, 1 +neustadtguides.de, 1 +neuteleers.tk, 1 +neutrino.eu.org, 1 +neutron.ch, 1 +neutronfire.com, 1 +nev.si, 1 +neva-star.ml, 1 +neva.li, 1 +nevadacountyca.gov, 1 +nevadafiber.com, 1 +nevadafiber.net, 1 +nevadamentalhealth.com, 1 +nevam.cf, 1 +neve.in.ua, 1 +never-afk.de, 0 +never-mind.tk, 1 +never-more.tk, 1 +never.pet, 1 +neveraquemola.ml, 1 +neverasquemola.ml, 1 +neverendingrejection.tk, 1 +nevergirl.tk, 1 +nevergonnatouchit.tk, 1 +nevergreen.io, 1 +neverhood-tv.tk, 1 +neverland.link, 1 +neverlandindonesia.com, 1 +neverlant.com, 1 +neverlant.org, 1 +neverness.tk, 1 +nevers.fr, 1 +neversayretired.in, 0 +neverwasinparis.com, 1 +nevi.nl, 1 +nevida.ir, 1 +nevim-co-varit.cz, 1 +nevivur.net, 1 +nevntech.com, 1 +nevocloud.com, 1 +nevolution.me, 1 +nevoxo.com, 0 +nevrodiversitet.no, 1 +nevski.eu, 1 +nevychova.cz, 1 +new, 1 +new-1xbet.com, 1 +new-black-order.com, 1 +new-boiler-prices.co.uk, 1 +new-jersey-online-casinos.com, 1 +new-medic.com, 1 +new-mexico-sexcams.com, 1 +new-pornvideos.com, 1 +new-smile.cf, 1 +new-standart.tk, 1 +new-tuning.tk, 1 +new-vip.com, 1 +new-vip1.com, 1 +new-vvip.com, 1 +new-way.ml, 1 +new-web-studio.com, 1 +new-zone.tk, 1 +new10.com, 1 +newage.bg, 1 +newagehoops.com, 1 +newalbanyohio.gov, 1 +newalive.net, 1 +newamericanagent.com, 1 +newamericanfunding.com, 1 +newannual.com, 1 +newantiagingcreams.com, 1 +newapparatus.com, 0 +newarkca.gov, 1 +newarkohio.gov, 1 +newarkwi.gov, 1 +newasa.ga, 1 +newasianbistro.com, 1 +newaygo.gov, 1 +newaygocountymi.gov, 1 +newbabylon.tk, 1 +newbackup.ml, 1 +newbasemedia.us, 1 +newberlinwi.gov, 1 +newberrycounty.gov, 1 +newberryfl.gov, 1 +newbies.tk, 1 +newbietech.cn, 0 +newblogr.com, 1 +newboldwi.gov, 1 +newbownerton.xyz, 1 +newbraunfels.gov, 1 +newbrest.tk, 1 +newbrightonresidents.org.nz, 1 +newbronze.com.br, 1 +newbrunswick.today, 1 +newbrunswickonlinedivorce.com, 1 +newbrunswicktoday.com, 1 +newbss.co.uk, 1 +newbuilding.tk, 1 +newburybouncycastles.co.uk, 1 +newburyparkelectric.com, 1 +newburyparkelectrical.com, 1 +newburyparkelectrician.com, 1 +newburyparkexteriorlighting.com, 1 +newburyparklandscapelighting.com, 1 +newburyparkoutdoorlighting.com, 1 +newburyportma.gov, 1 +newcab.de, 0 +newcapitaldev.com, 1 +newcarlisleohio.gov, 1 +newcars.tk, 1 +newcasinos-au.com, 1 +newcasinos-ca.com, 1 +newcastlemoneyman.com, 1 +newcastleok.gov, 1 +newcc.gov, 1 +newchance.store, 1 +newchapter.com, 1 +newcharmed.tk, 1 +newchester.gov, 1 +newchoicesspb.ru, 1 +newcityinfo.ch, 0 +newcityinfo.info, 1 +newcitystudio.ch, 0 +newcoincasino.com, 1 +newcoly.com, 1 +newcombny.gov, 1 +newconcept.tk, 1 +newcontext.com, 1 +newcreamforface.com, 1 +newcreationperso.com.br, 1 +newcurve.tk, 1 +newday.host, 1 +newdaychristian.com, 1 +newdayproperties.com, 1 +newdayrecordlabel.com, 1 +newdecortrends.com, 1 +newdenversurvivors.tk, 1 +newdietandexercises.tk, 1 +newdimensioninterlock.com, 0 +newdirectionsolar.com.au, 1 +newdunite.com, 1 +newdurhamnh.gov, 1 +newedgeink.ca, 1 +newemage.com.mx, 1 +newendsoft.com, 0 +newengineer.com, 1 +newenglandradioforum.tk, 1 +newenglandworkinjury.com, 1 +newfacialbeautycream.com, 1 +newfairfieldct.gov, 1 +newfangledscoop.com, 1 +newfield-ext.co.jp, 1 +newfiepedia.ca, 1 +newflavor.design, 1 +newfld.com, 1 +newforex.ml, 1 +newforms.nl, 1 +newfoundland-labradorflora.ca, 1 +newfoundlandlabrador.com, 1 +newgarden.tk, 1 +newgardenfarms.org, 1 +newglarusvillagewi.gov, 1 +newgle.xyz, 1 +newgrowbook.com, 0 +newguidance.ch, 0 +newhamyoungbloods.co.uk, 1 +newhavenshiami.gov, 1 +newholland.tk, 1 +newhomedesign.tk, 1 +newhopeplacement.com, 1 +newhoperailroad.com, 1 +newillusion.tk, 1 +newind.info, 1 +newinf.at, 1 +newingtonnhpolice.gov, 1 +newinsane.info, 1 +newipswichnh.gov, 1 +newjerseyvideography.com, 1 +newkaliningrad.ru, 1 +newlands-fasteners.com.au, 1 +newlegalsteroid.com, 1 +newlifebathrooms.com.au, 1 +newlifefund.org, 1 +newlight.net.br, 1 +newlondonhospital.org, 1 +newlovers.ga, 1 +newlovers.gq, 1 +newlynamed.com, 1 +newlytricks.ml, 1 +newmadridcountymo.gov, 1 +newman.ga, 1 +newmansown.co.uk, 1 +newmap.nl.eu.org, 1 +newmarketbouncycastlehire.co.uk, 1 +newmatworld.com, 1 +newmed.com.br, 1 +newmedia.gotdns.com, 1 +newmediaone.net, 1 +newmeproducts.com, 1 +newmex.com.br, 1 +newmilfordct.gov, 1 +newmilfordnj.gov, 1 +newmusic.org, 1 +newmusicjackson.org, 1 +newmuslims.tk, 1 +newmuz.tk, 1 +newnorthfuels.ca, 1 +newnorthfuels.com, 1 +newodesign.com, 1 +newoho.com, 1 +newoldboughtsold.com, 1 +newoldstock.uk, 1 +newonlineroad.com, 1 +neworiflame.tk, 1 +newosis.life, 1 +newpad.de, 1 +newparadigmventures.net, 0 +newparrot.tk, 1 +newphysics.fi, 1 +newplxx.gotdns.com, 1 +newplxx.online, 1 +newpointeg.com, 1 +newportbus.co.uk, 1 +newporthomehealth.com, 1 +newportit.com, 1 +newportri.gov, 1 +newposts.ru, 1 +newpraguemn.gov, 1 +newpress24.tk, 1 +newquilters.com, 1 +newreleases.io, 1 +newrelic.com, 1 +newreop.com, 1 +news-and-blogs.tk, 1 +news-club.tk, 1 +news-novoros.cf, 1 +news-of-russia.gq, 1 +news-offerte.com, 1 +news-police.tk, 1 +news-srilanka.tk, 1 +news-sy.cf, 1 +news-technology.ml, 1 +news-zp.tk, 1 +news.bg, 1 +news123.ga, 1 +news12elite.tk, 1 +news17.tk, 1 +news24rus.tk, 1 +news29.tk, 1 +news53today.tk, 1 +news54.tk, 1 +news5cleveland.com, 1 +news60.tk, 1 +news89.cf, 1 +news89.ga, 1 +news89.gq, 1 +newsadvance.com, 1 +newsall.gr, 1 +newsarmenia.tk, 1 +newsarticle.ml, 1 +newsasia7.com, 1 +newsauto.tk, 1 +newsbali.tk, 1 +newsbay.gr, 1 +newsbeat.kiwi, 1 +newsbes.org, 1 +newsbomba.ml, 1 +newsbusiness.cf, 1 +newscenter.gr, 1 +newscheck.tk, 1 +newschool.ie, 1 +newsclue.org, 1 +newscultural.tk, 1 +newsdiff.eu, 1 +newsdiff.nl, 1 +newsdiffs.eu, 1 +newsdiva.org, 1 +newseon.org, 1 +newserfanekeihani.tk, 1 +newserumforskin.com, 1 +newseue.com, 1 +newsfiber.org, 1 +newsfinale.com, 1 +newsforum.ml, 1 +newsforyou.cf, 1 +newsgenix.org, 1 +newsgroups.io, 1 +newsguyz.com, 1 +newshell.it, 1 +newshome.tk, 1 +newshorehamri.gov, 1 +newshour.media, 1 +newsig.com, 1 +newsignature.com, 1 +newsinfilm.com, 1 +newsinformer.ga, 1 +newsinkansas.ml, 1 +newsinpenn.ml, 1 +newsinplanet.com, 1 +newsinpolitics.ga, 1 +newsireland.tk, 1 +newsiva.org, 1 +newskinlasercenter.com, 1 +newslanka.tk, 1 +newsletteralerts.com, 1 +newsletters.gq, 1 +newslia.org, 1 +newsliner.gq, 1 +newslookup.com, 1 +newsmacro.org, 1 +newsmotor.info, 1 +newsmyth.org, 1 +newsnfl.tk, 1 +newsoul.de, 1 +newspawn.net, 1 +newsportbox.ru, 1 +newspower.ir, 1 +newspriest.com, 1 +newsprix.com, 1 +newspsychology.com, 1 +newsquare.biz, 1 +newsreach.org, 1 +newsteadccc.com.au, 1 +newstel.tk, 1 +newsthai.ml, 1 +newsticker.tk, 1 +newstj.ml, 1 +newstone-tech.com, 1 +newstraveltoday.gq, 1 +newsuk.tk, 1 +newsupdatesdaily.ga, 1 +newsuzbekistan.tk, 1 +newsvideo.tk, 1 +newsvirginian.com, 1 +newsvoice.com, 1 +newswav.com, 1 +newsweekme.com, 1 +newswired.org, 1 +newsworld247.tk, 1 +newsxp.tk, 1 +newsyclub.tk, 1 +newtambov.gq, 1 +newtambov.tk, 1 +newtech.ro, 1 +newtekstil.ga, 1 +newterritorialclaims.tk, 1 +newtlgpacks.ml, 1 +newtodrones.com, 1 +newton-circus.jp, 1 +newtoncomputing.com, 1 +newtoncountymo.gov, 1 +newtonhaus.com, 1 +newtrackon.com, 1 +newtravelplans.com, 1 +newusatoday.ga, 1 +newvehicle.com, 1 +newvisionhealing.com, 1 +newwaterford-oh.gov, 1 +newwavelinen.com, 1 +newway.ie, 1 +newwind.tk, 1 +newwise.com, 1 +newworldnewlife.tk, 1 +newxit.tk, 1 +newyearsdishes.tk, 1 +newyorkcardiac.com, 1 +newyorkcoffeejobs.com, 1 +newyorkdiscountattractions.com, 1 +newyorkland.forsale, 1 +newyorknews.tk, 1 +newyorkrp.tk, 1 +newyorktoutsimplement.com, 1 +newyoushampoo.com, 1 +newz.to, 1 +newzashitnik.tk, 1 +newzealandadventure.tk, 1 +newzealandheatpumps.co.nz, 1 +newzen.fr, 1 +newzertainment.com, 1 +newzlight.com, 1 +newzlyup.com, 1 +newzvilla.ga, 1 +nex.io, 1 +nex.li, 1 +nexcoda.io, 1 +nexd.com, 1 +nexgeneration-solutions.com, 1 +nexgenwebdesign.co.uk, 1 +nexgi.com, 1 +nexhealth.info, 1 +nexicafiles.com, 1 +nexiodev.com, 1 +nexiodevopslocal.com, 1 +nexiopay.com, 1 +nexiopaydev.com, 1 +nexiopaydevopslocal.com, 1 +nexiopaysandbox.com, 1 +nexiopaystaging.com, 1 +nexiopaystg.com, 1 +nexiosandbox.com, 1 +nexiostaging.com, 1 +nexitdata.com, 1 +nexiumgeneric.tk, 1 +nexo.games, 1 +nexon.com.au, 1 +nexril.net, 0 +nexs.gg, 1 +nexscience.tk, 1 +next-geek.fr, 1 +next-idea.co, 1 +next-level-accounting.com, 1 +next-log.ru, 0 +next-tms.com, 1 +next.me, 1 +next24.io, 1 +nextads.ch, 1 +nextbike.tk, 1 +nextcairn.com, 1 +nextcloud-alpha.ddns.net, 1 +nextcloud-miyamoto.spdns.org, 1 +nextcloud-server.spdns.de, 0 +nextcloud.co.za, 1 +nextcloud.com, 1 +nextcloud.nerdpol.ovh, 1 +nextcloudcn.com, 1 +nextclouddarwinkel.nl, 1 +nextcom.digital, 1 +nextdayoff.com, 1 +nextdayvapes.co.uk, 1 +nextedgecloud.com, 1 +nextevolution.co.uk, 1 +nextfm.tk, 1 +nextg.gg, 1 +nextgen-life-insurance.com, 1 +nextgen-wealth.com, 1 +nextgen.com, 0 +nextgen.sk, 1 +nextgenerationaccessories.com, 1 +nextgenerationaccessories.online, 1 +nextgenerationaccessories.ru, 1 +nextgenerationaccessories.store, 1 +nextgenforbbm.com, 1 +nextgenmath.com, 1 +nextgensocialnetwork.com, 1 +nextgenthemes.com, 0 +nextgreatmess.com, 1 +nexthop.co.th, 0 +nextiot.de, 1 +nextitstep.com, 1 +nextiva.com, 1 +nextlegends.gov, 1 +nextlevel-forum.de, 1 +nextlevel-it.co.uk, 1 +nextlevelchess.blog, 1 +nextlevelforum.de, 1 +nextmarkets.com, 1 +nextme.se, 1 +nextnowagency.com, 0 +nextos.com, 1 +nextrader.guru, 0 +nextrasp.it, 1 +nextrec.site, 1 +nextright.tk, 1 +nextsound.tk, 1 +nextsource.com, 1 +nextstep-labs.gr, 1 +nextstepstudios.ga, 1 +nextsulting.com, 1 +nexttv.co.il, 1 +nextus.me, 1 +nextvibration.com, 1 +nextvision.pt, 1 +nextwab.com, 1 +nextworldcoding.ga, 1 +nextzen.com.bd, 1 +nexus, 1 +nexus-start.de, 1 +nexus-vienna.at, 1 +nexusbyte.de, 1 +nexusmedianews.com, 1 +nexussystems.tk, 1 +nexwebsites.com, 1 +nexxss.jp, 1 +nexxus-sistemas.net.br, 1 +nexzcore.com, 1 +nexzus.com, 1 +neyco.fr, 1 +neyer-lorenz.de, 1 +neyjens.com, 1 +nezis.tk, 1 +nezkakukec.si, 1 +nezrouge-est-vaudois.ch, 1 +nezsultan.tk, 1 +nf-tel.com, 1 +nf9q.com, 1 +nfam.de, 1 +nfb-ec.co.za, 1 +nfb-fsg.co.za, 1 +nfb.co.za, 1 +nfbam.co.za, 1 +nfbassetmanagement.co.za, 1 +nfbct.co.za, 1 +nfbec.co.za, 1 +nfbel.co.za, 1 +nfbfsg.co.za, 1 +nfbib.co.za, 1 +nfbpe.co.za, 1 +nfbplett.co.za, 1 +nfbpwm.co.za, 1 +nfbst.co.za, 1 +nfcweb.de, 1 +nfe-elektro.de, 1 +nffpm.ae, 1 +nffs.cf, 1 +nffsimples.com.br, 1 +nfgonlineuk.tk, 1 +nfitraining.nl, 1 +nfl.ddns.net, 1 +nfl.dedyn.io, 1 +nfl.duckdns.org, 1 +nfl.zapto.org, 1 +nflchan.org, 1 +nflo.pl, 1 +nfls.io, 1 +nflsic.org, 1 +nfluence.org, 1 +nfobar.com, 1 +nfoi.pk, 1 +nforto.com, 1 +nfpors.gov, 1 +nfpsa.lv, 1 +nframe.io, 1 +nfs.pub, 1 +nfsec.pl, 1 +nft-dagasi.com, 1 +nft-dev-web.azurewebsites.net, 1 +nft-qa-web.azurewebsites.net, 1 +nft.io, 1 +nftactually.com, 1 +nftdelegation.com, 1 +nftshowroom.com, 1 +ng-musique.com, 1 +ng.edu.ee, 1 +ngarate.com, 1 +ngatikuri.tk, 1 +ngawa-avocat-paris.fr, 1 +ngbilling.com.br, 1 +ngc.gov, 0 +ngclearing.com, 0 +ngecezt.ddns.net, 1 +ngefics.tk, 1 +ngegame.id, 1 +ngelag.com, 1 +ngergs.de, 1 +ngetik.id, 1 +nggukbo9lbfadcf5.gq, 1 +nghe.net, 1 +ngi.eu, 0 +ngiemboon.net, 1 +nginx.io, 1 +nginxtest.ml, 1 +nginxyii.tk, 1 +ngla.gov, 1 +ngmisr.com, 1 +ngmx.com, 1 +ngmx.eu, 1 +ngmx.net, 1 +ngmx.nl, 1 +ngmx.org, 1 +ngmx.social, 1 +ngndn.jp, 1 +ngns.cz, 1 +ngo-online.de, 1 +ngontinhtruyen.com.vn, 1 +ngoresan.tk, 1 +ngorod.tk, 1 +ngplus.name, 1 +ngribok.ru, 1 +ngroupllc.com, 1 +ngservers.com, 0 +ngsmedicare.com, 1 +nguoimuahangmy.com, 1 +nguru.net, 1 +nguyencucthanh.com, 1 +nguyenduythiem.com, 1 +nguyenfamily.cc, 1 +nguyenfamily.tk, 1 +nguyenslist.com, 1 +nguyensuu.tk, 1 +ngvf.de, 1 +ngvgamechanger.com, 1 +ngx.hk, 1 +ngx.im, 1 +ngxmetrics.com, 1 +ngxpkg.com, 1 +nh.ee, 1 +nhacthanhcavietnam.com, 1 +nhadat100.vn, 1 +nhadonghanh.com, 1 +nhai.gov.in, 1 +nhakinh.net, 1 +nhance.pl, 1 +nhanlucnhatban.com, 1 +nharper.org, 1 +nhathaugiare.com, 1 +nhatrang.tk, 1 +nhatrangbooks.com, 1 +nhbp-nsn.gov, 1 +nhbp.gov, 1 +nhccnews.org, 1 +nhcps.com, 1 +nhdecoration.fr, 1 +nhdsilentheroes.org, 1 +nhg.nl, 1 +nhjvillalmanzo.tk, 1 +nhk.jp, 1 +nhnieuws.nl, 1 +nho.do, 1 +nhome.ba, 1 +nhr.nl, 1 +nhscript.tk, 1 +nhsolutions.be, 0 +nhsuites.com, 1 +nhtsa.gov, 1 +nhv-vintagelemans.com, 1 +ni-dieu-ni-maitre.com, 1 +ni-mate.com, 1 +ni-s.de, 1 +ni.search.yahoo.com, 0 +niaa.gov.au, 1 +niadd.com, 1 +niagara.ru, 0 +niagaraconstruction.org, 1 +niagarafalls.ca, 1 +niagaraschoice.org, 1 +niallator.com, 1 +niawier-wetsens.tk, 1 +nibadesign.nl, 1 +nibblehole.com, 1 +nibbler.ai, 1 +nibert.fr, 1 +nibiru.com.uy, 1 +nibletllc.com, 1 +nibouw.nl, 1 +nic.ads, 1 +nic.android, 1 +nic.app, 1 +nic.bnpparibas, 1 +nic.bo, 1 +nic.boo, 1 +nic.cal, 1 +nic.channel, 1 +nic.chrome, 1 +nic.dad, 1 +nic.day, 1 +nic.dclk, 1 +nic.dev, 1 +nic.docs, 1 +nic.drive, 1 +nic.eat, 1 +nic.esq, 1 +nic.fly, 1 +nic.foo, 1 +nic.gbiz, 1 +nic.gle, 1 +nic.gmail, 1 +nic.goog, 1 +nic.google, 1 +nic.gov, 1 +nic.guge, 1 +nic.hangout, 1 +nic.here, 1 +nic.how, 1 +nic.ing, 1 +nic.meet, 1 +nic.meme, 1 +nic.mov, 1 +nic.new, 1 +nic.nexus, 1 +nic.page, 1 +nic.play, 1 +nic.prod, 1 +nic.prof, 1 +nic.rsvp, 1 +nic.soy, 1 +nic.xn--q9jyb4c, 1 +nic.youtube, 1 +nic.zip, 1 +nic199.ru, 1 +nicaieri.ro, 1 +nicanordic.com, 1 +nicastrosalvatore.tk, 1 +nicat.cf, 1 +nicava.com.mx, 1 +nice-autosurf.com, 1 +nice-germany.tk, 1 +nice-links.tk, 1 +nice-pay.com, 1 +nice-school.com.ua, 1 +nice.ch, 1 +nice.com, 0 +niceactimize.com, 0 +niceb5y.net, 0 +nicecockb.ro, 1 +niceguyit.biz, 1 +nicepussypics.com, 1 +nicerings.com, 1 +nicesco.re, 1 +nicestudio.co.il, 1 +nicesurf.tk, 1 +nicetits.pics, 1 +nicevillefl.gov, 1 +nicheosala.info, 1 +nicheosala.tk, 1 +nicher.tk, 1 +nichesite.gq, 1 +nichetest.tk, 1 +nichevideogalore.com, 0 +nichi.co, 1 +nichijou.com, 1 +nichijou.org, 1 +nicholasjohnson.ch, 1 +nicholaslazzerini.com, 1 +nicholasnassar.com, 1 +nicholasquigley.com, 1 +nicholaswilliams.net, 1 +nicholsonkring.tk, 1 +nicht-blau.de, 1 +nichteinschalten.de, 0 +nichthelfer.de, 1 +nichtkunst.tk, 1 +nichya.tk, 1 +nichyaforum.tk, 1 +nicic.gov, 1 +niciunde.ro, 1 +nick-black.com, 1 +nick-slowinski.de, 0 +nick-stone.com, 1 +nickcleans.co.uk, 1 +nickcraver.com, 1 +nickfoerster.io, 1 +nickfreeman.de, 1 +nickfrost.rocks, 1 +nickguyver.com, 1 +nickhawn.com, 0 +nickhitch.co.uk, 1 +nickhowell.co.uk, 0 +nickkallis.com, 1 +nicklock.ml, 1 +nickloose.de, 1 +nickmandler.tk, 1 +nickmazuk.com, 1 +nickmchardy.com, 1 +nickmiller.ie, 1 +nickmorri.com, 0 +nickmorris.name, 0 +nicknames.tk, 1 +nicknamez.tk, 1 +nickoticko.tk, 1 +nickplotnek.co.uk, 1 +nickrickard.co.uk, 1 +nickrickard.uk, 1 +nicks-autos.com, 1 +nickscomputers.nl, 1 +nickserv.eu, 1 +nickserv.org, 1 +nickserv.social, 1 +nickserve.com, 1 +nickserve.eu, 1 +nickserve.net, 1 +nickserve.nl, 1 +nickserve.org, 1 +nickserve.social, 1 +nickstories.de, 1 +nicktamin.de, 1 +nickwasused.cf, 1 +nickwasused.de, 1 +nickwasused.ga, 1 +nickwasused.gq, 1 +nickwasused.ml, 1 +nickwasused.tk, 1 +nickwatton.com, 0 +nickyfoxx.net, 1 +nicn.me, 1 +nico.st, 1 +nicochinese.com, 1 +nicoforconi.it, 1 +nicogrosser.de, 0 +nicoknibbe.nl, 1 +nicokroon.nl, 1 +nicoladixonrealestate.com, 1 +nicolaeiotcu.ro, 1 +nicolaiteglskov.dk, 1 +nicolajanedesigns.co.uk, 1 +nicolalapenta.com, 1 +nicolaleonardi.it, 1 +nicolaottomano.it, 1 +nicolas-benoit-immobilier.fr, 1 +nicolas-bouvier.tk, 1 +nicolas-dumermuth.com, 1 +nicolas-feuillatte.com, 1 +nicolas-hoizey.com, 1 +nicolas-hoizey.photo, 0 +nicolas-simond.ch, 1 +nicolas-simond.com, 1 +nicolaschelly.tk, 1 +nicolasfrebert.fr, 1 +nicolasfriedli.ch, 1 +nicolashervaud.com, 1 +nicolasiung.me, 0 +nicolaslogerot.com, 1 +nicolasprovost.tk, 1 +nicolaszambetti.ch, 1 +nicolaw.uk, 1 +nicole-richie.info, 1 +nicolebracy.com, 1 +nicoleisaacs.com, 1 +nicolemathew.com, 1 +nicoleta-prestescu.tk, 1 +nicolettajennings.com, 1 +nicolettapallotta.com, 1 +nicolettevandervalk.nl, 0 +niconico.ooo, 1 +nicoobank.com, 1 +nicopretzl.de, 1 +nicorevin.ru, 1 +nicosaveyn.be, 1 +nicovip.com, 1 +nicsezcheckfbi.gov, 1 +nicsys.de, 1 +nictiz.nl, 1 +nicul.in, 1 +nicwortel.nl, 1 +nidhoeggr.duckdns.org, 1 +nidialozano.com, 1 +nidosi.nu, 1 +nidosinu.com, 1 +nidsuber.ch, 1 +niduxcomercial.com, 1 +nie-wieder-muede.de, 1 +niebla.com.co, 1 +niederalt.com, 1 +niedermair.bz, 1 +niederohmig.de, 1 +niedersachsen.cloud, 1 +niedlaechelt.de, 1 +nieha.us, 1 +niels-modeltog.tk, 1 +nielsbohr.ai, 1 +nielsdesign.tk, 1 +nielsensaskiagaantrouwen.be, 1 +niemaler.de, 1 +niemandmussirgendwas.de, 1 +niemeyer.org.br, 1 +nien.cf, 1 +nien.co, 1 +nien.com, 1 +nien.eu.org, 1 +nien.gq, 1 +nien.org, 1 +nien.taipei, 1 +nien.tk, 1 +nienfun.com, 1 +nienkeslop.nl, 1 +nierenpraxis-dr-merkel.de, 1 +nierenpraxis-merkel.de, 1 +niers.land, 1 +nierstichting.nl, 1 +nieselregen.com, 1 +niesstar.com, 0 +nietmvwoensel.com, 1 +nietveel.tk, 1 +nietvolgensdeboekjes.nl, 1 +nietzsche.com, 1 +nieuwebroek.com, 1 +nieuwebroek.nl, 1 +nieuwpoort.tk, 1 +nieuwsbegrip.nl, 1 +nieuwsberichten.eu, 1 +nieuwsfiets.nu, 1 +nieuwslagmaat.nl, 1 +nifc.gov, 1 +niferry.co.uk, 1 +niffler.software, 1 +nifleim.net, 1 +niflheimr.es, 1 +niftiestsoftware.com, 1 +niftyninjamarketing.com, 1 +nifume.com, 1 +niga.tk, 1 +nigdeescort.tk, 1 +nigelpentland.co.uk, 1 +nigelvm.com, 1 +nigelwright.com, 1 +nigeriaimagefoundation.org, 1 +nigeriaportal.tk, 1 +nigglipads.com.br, 1 +niggo.eu, 0 +night-academy.pl, 1 +night2stay.cn, 1 +night2stay.de, 1 +night2stay.fr, 1 +night2stay.ru, 1 +nightandthecityofbrokenpromises.tk, 1 +nightblue.ml, 1 +nightblue.tk, 1 +nightbox.cf, 1 +nightbura.biz, 1 +nightcitynews.info, 1 +nightclassifieds.com, 1 +nightdreamer.me, 1 +nightfirecat.com, 1 +nightfoxtips.com, 1 +nighthawks.tk, 1 +nighthawkstrategies.com, 1 +nightingalebabyconcierge.com, 1 +nightkiss66.org, 1 +nightlife.gent, 1 +nightlight.gg, 1 +nightlive.tk, 1 +nightmail.net, 1 +nightmareabyss.top, 0 +nightmarejoker2.com, 1 +nightmoose.org, 1 +nightoutrecords.tk, 1 +nightpass.tk, 1 +nightscapes.tk, 1 +nightscout.host, 1 +nightsi.de, 1 +nightskyalerts.com, 1 +nightsnack.cf, 1 +nightstar-online.tk, 1 +nightstory.tk, 1 +nightvisionradio.tk, 1 +nightwinds.tk, 1 +nightwishchile.tk, 1 +nightwood.cf, 1 +nigmapictures.tk, 1 +nigt.cf, 1 +nih.ao, 1 +nihaarpstars.com, 1 +nihaoonline.tk, 1 +nihilistan.tk, 1 +nihilocomunidad.tk, 1 +nihon-rosoku.com, 1 +nihseniorhealth.gov, 0 +nihtek.in, 1 +nii2.org, 1 +niice.co, 1 +niinaratsula.com, 1 +niit-mts.com, 1 +niit.com, 1 +niitfoundation.org, 1 +niitnguru.com, 1 +niituniversity.in, 1 +niituva.ga, 1 +niiu.digital, 1 +niiucapital.com.sg, 1 +nijiero-ch.com, 0 +nijikata.com, 1 +nijimama-life.com, 1 +nijm.nl, 1 +nijniy-novgorod.tk, 1 +nijofotografie.de, 1 +nijzoon.nl, 0 +nik.io, 1 +nika-travel.ga, 1 +nikabazar.ir, 1 +nikahplus.com, 1 +nikahsekeri.tk, 1 +nikami.tk, 1 +nikandcara.com, 1 +nikant.tk, 1 +nikavandenbos.nl, 1 +nikavenus.com, 1 +nike-studio.com, 1 +nikeairjordan.cc, 1 +nikelunartw.net, 1 +nikesoccerbodotoutlet.ga, 1 +nikest.cf, 1 +nikest.tk, 1 +niket.site, 1 +nikeyichinese.com, 1 +nikhilnimiya.love, 1 +nikhilramakrishnan.tk, 1 +nikimix.com, 0 +nikitacartes.xyz, 0 +nikitagukov.ru, 1 +nikitenko.tk, 1 +nikitin.photo, 1 +nikitina.ml, 1 +nikka.systems, 1 +nikkasystems.com, 1 +nikkei225jp.com, 1 +nikkila.me, 1 +nikkotaytay.tk, 1 +nikksno.io, 1 +niklas.pw, 1 +niklasbabel.com, 1 +niklashagman.se, 1 +niklasstinkt.com, 1 +niko-mapping-studio.tk, 1 +niko-vfx.com, 0 +nikodev.es, 1 +nikoflix.site, 1 +nikolaev.ml, 1 +nikolahost.tk, 1 +nikolahristov.tech, 1 +nikolai-schmidt.tk, 1 +nikolaipribylski.tk, 1 +nikolaj-platoshkin.cf, 1 +nikolajmackowski.dk, 1 +nikolamilekic.com, 1 +nikolasbradshaw.com, 1 +nikon-photocontest.com, 1 +nikoniko-dental-premium.jp, 1 +nikonlibrary.co.uk, 1 +nikonnps.co.uk, 1 +nikonschool.co.uk, 1 +nikosoikonomopoulos.tk, 1 +nikosverths.tk, 1 +nikotiinipussit.com, 1 +nikscloud.eu, 1 +nikz.in, 1 +nil.com, 1 +nil.gs, 0 +nil.mx, 1 +niledevelopmentseg.com, 1 +nilefi.cf, 1 +niles-simmons.de, 1 +niles.xyz, 1 +nilesil.gov, 1 +nilianwo.com, 1 +nilmaraquintela.com.br, 1 +nilnasc.com, 1 +nilosoft.com, 1 +niloxy.com, 1 +nilpointer.com, 1 +nilrem.org, 0 +nils.ch, 1 +nils.moe, 1 +nilsbrisset.info, 1 +nilslandscaping.com.au, 1 +nilsnet.tk, 1 +nilsvital.de, 1 +nim.tw, 1 +nimbl.nz, 1 +nimble.com.br, 1 +nimblefins.co.uk, 1 +nimbo.com.au, 1 +nimbus-link.co.uk, 1 +nimbus-net.tk, 1 +nimbuslink.co.uk, 1 +nimbyte.com, 1 +nimeia.tk, 1 +nimes-ales.fr, 1 +nimfa.ml, 1 +nimfomanki.tk, 1 +nimiedad.com, 1 +nimiq.com, 1 +nimit.se, 1 +nimnadasl.tk, 1 +nimnordic.com, 1 +nimus.tk, 1 +nina-laaf.de, 1 +nina-woerz.tk, 1 +ninaafenehjelm.com, 1 +ninadeissler.de, 1 +ninadevil.org, 1 +ninakoenig.org, 1 +ninanice.net, 1 +ninaobermeier.com, 1 +ninarocha.ch, 1 +ninasky.tk, 1 +ninasofian.ro, 1 +ninaundandre.de, 1 +ninavegas.net, 1 +ninchat.com, 1 +ninebennink.com, 0 +ninedaysmore.tk, 1 +nineenergyservice.com, 1 +ninepints.co, 1 +ninespec.com, 1 +ninetailed.ninja, 1 +ninetaillabs.com, 1 +ninetaillabs.xyz, 1 +nineteensixtyone.co.uk, 1 +ninetyninestreet.co.nz, 1 +ninetyseven.tk, 1 +ninfora.com, 1 +ningrui.me, 0 +ningunlugarestalejos.com, 1 +ningwei.net, 1 +niniko.tk, 1 +ninja-corner.tk, 1 +ninjacomputing.com, 1 +ninjahub.net, 1 +ninjamagic.tk, 1 +ninjaseo.es, 1 +ninjasquad.fr, 1 +ninjaworld.co.uk, 1 +ninkt.com, 1 +ninmegam.gq, 1 +ninnen.com, 1 +ninofink.com, 1 +ninohaslach.ch, 1 +ninoo.nl, 1 +ninovayazilim.com, 1 +ninpang.com, 1 +ninrio.com, 1 +ninsin-akachan.com, 1 +nintendo424.com, 1 +nintendocarddelivery.com, 1 +nintendocollectionsystem.com, 1 +nintendoreporters.com, 1 +ninth.cat, 1 +ninth.moe, 1 +ninth.tw, 1 +ninthc.at, 1 +ninthfloor.org, 1 +ninure.tk, 1 +ninux.ch, 0 +ninverse.com, 1 +niourk.com, 1 +nipax.cz, 1 +nipe-systems.de, 1 +nipit.biz, 1 +nipn-nutrition-platforms.org, 1 +nippel.tk, 1 +nipplefucking.com, 1 +nippon-tour.tk, 1 +nippon.plus, 1 +nipponkempoph.tk, 1 +nipponkousei.com, 1 +nipponnews.tk, 1 +nipponsteelwelding-thai.co.th, 1 +nippynet.tk, 1 +nirada.info, 1 +nirex.as, 1 +nirex.cz, 1 +nirex.sk, 1 +nirhub.ru, 1 +nirjonmela.com, 1 +nirjonmela.net, 1 +nirma.co.in, 1 +nirmalroy.ml, 1 +niro.bio, 1 +nirudo.me, 1 +nirvana-esport.fr, 1 +nirvananirvana.tk, 1 +nirvanashop.com, 1 +nirvel-shop.com, 1 +niscemi.tk, 1 +nishikino-maki.com, 1 +nishimebistro.cz, 1 +nishisbma.com, 1 +nishiwaki-shonaifoods.com, 1 +nishiyama-shoten.com, 1 +nisomnia.com, 1 +nissanofbismarckparts.com, 1 +nissanpartsdeal.com, 1 +nisselist.tk, 1 +nisselrooij.nl, 1 +nissens.com, 1 +nist.tech, 1 +nit.school, 1 +nitaonline.org, 0 +nitecore.ga, 1 +nitendaytowing.ga, 1 +nitifilter.com, 1 +nitix.games, 1 +nitolab.com, 1 +nitoville.com, 1 +nitranoviny.sk, 1 +nitro.az, 1 +nitrocloud.ddns.net, 1 +nitrohorse.com, 0 +nitrokey.com, 1 +nitromaster.tk, 1 +nitromtb.org, 1 +nitropanel.com, 0 +nitropur.com, 1 +nitropur.de, 1 +nitroupload.com, 1 +nitschinger.at, 1 +nitter.hu, 0 +nitter.net, 1 +niu.edu.tw, 1 +niuco.com.br, 1 +niunaimilk.cn, 0 +niutennici.tk, 1 +nivaad.com, 1 +nivarussia.ml, 1 +niveau-klatsch.com, 1 +niveau-texter.de, 1 +nivel03.com, 1 +nivelo.io, 1 +nivoit.cf, 1 +nix-sender.com, 1 +nix-sender.ru, 0 +nix.org.ua, 0 +nix13.xyz, 1 +nixcore.gq, 1 +nixcp.com, 1 +nixie.fashion, 1 +nixonlibrary.gov, 1 +nixor.ee, 0 +nixorigin.one, 1 +nixpare.com, 1 +nixplus.tk, 1 +nixrepair.nl, 1 +nixsub.tk, 1 +nixtest.net, 1 +nixx-gel.cz, 1 +nixx.tk, 1 +nixxin.tk, 1 +niyawe.de, 1 +niyazpoyilan.com, 0 +niyen.com, 1 +niyen.eu, 1 +niyen.net, 1 +niyen.org, 1 +niyen.social, 1 +nizarvoiceover.tk, 1 +nizhaoheng.com, 1 +nizozemsku.nl, 1 +nizwassolutions.com, 1 +nja.id.au, 1 +njast.net, 1 +njbr.ml, 1 +njbr.tk, 1 +njcareers.org, 1 +njccpo.gov, 1 +njdcj.gov, 1 +njdge.gov, 1 +njeda.gov, 1 +njedge.net, 1 +njeri.codes, 1 +njfog.org, 1 +njgames.org, 1 +njhq.org, 1 +njilc.com, 1 +njintl.com, 1 +njleg.gov, 1 +njliner.me, 1 +njliner.net, 1 +njngroup.org, 1 +njpc.org, 1 +njpjanssen.nl, 1 +njpranksters.tk, 1 +njpropertysolutionsrealty.com, 1 +njsbf.org, 1 +njsda.gov, 1 +njshield.gov, 1 +njsp.gov, 1 +njtransfer.org, 1 +njuftp.com, 1 +njvcco.gov, 1 +nk-vision.com, 1 +nk1.de, 1 +nkapliev.org, 1 +nkbi.ru, 1 +nkbwnx.com, 1 +nkg-mosbach.de, 1 +nkg.com.au, 1 +nkghas.com, 1 +nkjwmn.com, 1 +nkjwrs.com, 1 +nkkr.hu, 1 +nklwhx.com, 1 +nko.org, 1 +nkontur.com, 1 +nkorolev.tk, 1 +nkp-media.de, 1 +nkrf.no, 1 +nkrupp.net, 1 +nksmart.ru, 0 +nkvd-farm.ru, 1 +nkx4sjyrk4tcv0sluhwajyc-n6icja9gchqxmhp.com, 0 +nkyrtl.org, 1 +nl-comunistas.tk, 1 +nl-ix.net, 1 +nl.search.yahoo.com, 0 +nl3ehv.nl, 1 +nla.no, 1 +nlap.ca, 0 +nlc-business.com, 1 +nlead.gov, 1 +nllboard.co.uk, 1 +nlm.gov, 1 +nlorganizing.com, 1 +nlponline.com.ua, 1 +nlpperformance.ma, 1 +nlrb.gov, 1 +nlyfeue.gq, 1 +nm.cx, 1 +nm.sl, 1 +nma.is, 1 +nmaedu.org, 1 +nmb.gov, 1 +nmbhgc.org, 1 +nmcep.net, 0 +nmd.so, 1 +nmegent.be, 1 +nmeoverbetuwe.nl, 1 +nmfinanciallaw.com, 1 +nmhp.com, 1 +nmijudiciary.gov, 1 +nmindepth.com, 1 +nmitaylor.com, 1 +nmjusticedata.gov, 1 +nmmlp.org, 1 +nmontag.com, 1 +nms-thoracic-surgery.com, 1 +nmugroup.com, 1 +nmx.de, 1 +nmx.moe, 1 +nn-com.co.jp, 1 +nn-vol.ga, 1 +nn0.net, 1 +nn01.cc, 1 +nn01.com, 1 +nn04.org, 1 +nn5197.co, 1 +nn6729.co, 1 +nn6729.com, 1 +nn6957.co, 1 +nn9297.co, 1 +nn9728.co, 1 +nna774.net, 1 +nnas.org.uk, 1 +nnc.cat, 1 +nnc.im, 1 +nndfn.com, 1 +nnet.ca, 1 +nnews.tk, 1 +nnkkserver02.ddns.net, 1 +nnlm.gov, 1 +nnnn.loan, 1 +nnnnn.click, 1 +nnnovel.com, 1 +nnrevolt.com, 1 +nnss.gov, 1 +no-andishan.ir, 1 +no-b.kiev.ua, 1 +no-bet.ru, 1 +no-cookies.net, 1 +no-data.tk, 1 +no-dev.de, 1 +no-eye-deer.tk, 1 +no-gods-no-masters.com, 1 +no-grey-area.com, 1 +no-ice.be, 1 +no-ice.nl, 1 +no-ip.cz, 1 +no-more-gray-hair.ga, 1 +no-more-gray-hair.gq, 1 +no-more-gray-hair.ml, 1 +no-n.at, 1 +no-nat.de, 1 +no-real.tk, 1 +no-reply.mx, 1 +no-terrorism.tk, 1 +no-war-on-iraq.tk, 1 +no-xice.com, 0 +no.search.yahoo.com, 0 +no112.org, 1 +no1universities.tk, 1 +no2bacoorcityhood.tk, 1 +no34infowey.co.uk, 1 +noaccess.tk, 1 +noacore.ch, 1 +noadi-pixels.tk, 1 +noagendahr.org, 1 +noah-shop.com, 1 +noah-witt.com, 1 +noahjacobson.com, 1 +noahmodas.com.br, 1 +noahs.com, 1 +noahsaso.com, 1 +noamweb.com, 1 +noangel.tk, 1 +noart.tk, 1 +noatec.eu, 1 +noawildschut.com, 1 +noawildschut.nl, 1 +nob.ro, 1 +nobackups.com, 1 +nobasico.com.br, 1 +nobellc.com, 1 +nober.tk, 1 +nobilefoods.com, 1 +nobitschek.de, 1 +noble-diagnostic.com, 1 +noblechemical.com, 1 +nobleco.gov, 1 +noblecountyprosecutoroh.gov, 1 +noblehearinginstitute.com, 1 +nobleparkapartments.com.au, 1 +nobleproducts.biz, 1 +noblesmart.com, 1 +nobletary.com, 1 +noblogs.org, 1 +nobori.cloud, 1 +nobori.ltd, 1 +nobori.me, 1 +nobounce.me, 0 +noboxo.ch, 1 +nobreaks.ca, 1 +nobs.no, 1 +nobsmc.com, 1 +nobunplease.com, 1 +nobutwhy.com, 1 +nobz.com.br, 0 +noc.best, 1 +noc.wang, 1 +nocapplugins.xyz, 1 +noccie.com, 1 +nocillaconchorizo.tk, 1 +nocit.dk, 1 +nocks.com, 1 +noclegiwchecinach.pl, 1 +nocloud.website, 1 +noco.nl, 1 +nocoastpunx.tk, 1 +nocodefactory.io, 1 +nocoffee.tech, 1 +nocoffeetech.de, 1 +nocommentsallowed.com, 1 +nocr.net, 1 +nocreyentes.org, 1 +nocrm.io, 1 +noctinus.tk, 1 +noctisphoto.tk, 1 +nocturnos.tk, 1 +nocturnus.tk, 1 +noctys.com, 1 +nocyclopedia.tk, 1 +nod32.com.pt, 1 +nodde.cf, 1 +nodecdn.net, 1 +nodecore.mine.nu, 1 +nodecraft.com, 1 +nodefoo.com, 1 +nodejs.org, 1 +nodelab-it.de, 1 +nodelia.com, 0 +nodepoet.com, 1 +noderunners.network, 1 +nodespin.com, 1 +nodestination.tk, 1 +nodi.at, 0 +nodi.cloud, 1 +nodie.ga, 1 +nodist.club, 1 +nodkimrecord.com, 1 +nodl.cloud, 1 +nodmarcrecord.com, 1 +noedidacticos.com, 1 +noefio-software.com, 1 +noel.wf, 1 +noel.yt, 1 +noelblog.ga, 1 +noellimpag.me, 0 +noemax.com, 1 +noeontheend.com, 1 +noexcusesc.gov, 1 +noexec.org, 1 +nofilter.gq, 1 +nofrillsdns.com, 1 +noga4you.de, 1 +nogema.net, 1 +nogerondier.eu, 1 +nogetime.com, 1 +nogfw.org, 1 +nogfw.pro, 1 +nogfwsite.com, 1 +nogger.nl, 1 +nogluten.com, 1 +nogmat.org, 1 +nogradhont.hu, 1 +nogre.com, 1 +nogyogyaszat.eu, 0 +nohatenj.gov, 1 +nohats.ca, 1 +nohomeinsurance.com, 1 +nohttps.org, 1 +nohungerfoodbank.org, 1 +nohup.se, 1 +nohup.xyz, 1 +noideas.tk, 1 +noidlikes.coffee, 1 +noiglosujemy.com.pl, 1 +noiglosujemy.pl, 1 +noincludesubdomains.preloaded.test, 0 +noirland.co.nz, 1 +noirmale.com, 1 +noirmalenetwork.com, 1 +noirpvp.com, 1 +noiseboyz.com, 1 +noisebridge.social, 1 +noisky.cn, 1 +noisyfox.cn, 1 +noisyfox.io, 1 +noisyspa.io, 1 +noithat78.com, 1 +noithatbachtin.com, 1 +noithatphangia.net, 1 +noiz.ro, 1 +noj.ac, 0 +nojihata.com, 1 +nojok.es, 1 +nojoumstudio.live, 1 +nojum.tk, 1 +nokarateinthepit.com, 1 +nokchon.tk, 1 +nokia.la, 1 +noknow.ovh, 0 +nokono.com, 1 +nokoshop.fr, 1 +noktadedektor.com, 1 +noktadetectors.com, 1 +noktadetectors.com.br, 1 +noktron.de, 1 +nokumbaya.com, 1 +nokya.tk, 1 +nokzedoc.tv, 1 +nolanpoe.me, 1 +nolanpowellisaho.com, 1 +nolanvilletx.gov, 1 +nolate.de, 1 +nolatepayments.com, 1 +nolaviz.org, 1 +noleggio-bagni-chimici.it, 1 +noleggiobagnichimici.perugia.it, 1 +noleggioimbarcazioni.it, 1 +noleggiolimousine.roma.it, 1 +noleggiovetture.it, 1 +nolimit.bike, 1 +nolinobaby.pl, 1 +nolovus.com, 1 +nolt.io, 1 +nolte-tver.ru, 1 +nolutut.ga, 1 +nomada.gt, 1 +nomadaregalos.com, 1 +nomadcasino.com, 1 +nomadichome.com, 1 +nomadichome.org, 1 +nomadichomes.com, 1 +nomadichomes.org, 1 +nomadiclifes.com, 1 +nomadicrootsco.com, 1 +nomadix.com, 1 +nomadlist.com, 1 +nomadproject.io, 0 +nomadtech.servehttp.com, 1 +nomadworld.net, 1 +nomasfraudecolorado.gov, 1 +nomaspicaduras.com, 1 +nomaster.cc, 1 +nomee6.xyz, 1 +nomerel.com, 1 +nomerodekors-esport.no, 1 +nomerodekors.no, 0 +nomesbiblicos.com, 1 +nomial.co.uk, 1 +nomifensine.com, 1 +nomik.xyz, 1 +nomo.com, 1 +nomore112.org, 1 +nomsing.tk, 1 +nomtechbytes.com, 1 +nomzamo.spdns.org, 1 +noname-ev.de, 0 +nonametheme.com, 1 +nonemail.ch, 1 +nonemu.ninja, 1 +nonnaloreta.it, 1 +nono.fi, 0 +nono303.net, 1 +nonobstant.cafe, 1 +nonpareilonline.com, 1 +nonprofit.info, 1 +nonsa.pl, 1 +nonslipdeckingco.uk, 1 +nonstopjob.ga, 1 +nontonfilem.ml, 1 +nonuplebroken.com, 1 +nonverbalcommunicationcertificate.com, 1 +nonx.pro, 1 +nonxsistent.tk, 1 +nonzero.io, 1 +noob-box.net, 1 +noob-rp.ru, 1 +nooben.com, 1 +noobit.org, 1 +noobow.me, 1 +noobs-in-action.com, 1 +noobsrus.co.uk, 1 +noobsunited.de, 0 +noobswhatelse.net, 1 +noobunbox.net, 1 +noodweer.be, 1 +noom.com, 1 +noon-entertainments.com, 1 +noonan.family, 1 +noonan.tech, 1 +nooneshere.co.uk, 1 +noop.ch, 1 +noop.com.au, 1 +noordbikers.tk, 1 +noorden.com, 1 +noordsee.de, 1 +noordwijk.nl, 1 +nooresunnat.tk, 1 +noorsolidarity.com, 0 +noorzaitribe.ga, 1 +noosebrigade.com, 1 +noosxe.com, 1 +nootropic.com, 1 +nootropicpedia.com, 1 +nootropil.cf, 1 +noovell.com, 1 +nopagefound.com, 1 +nopaincenter.ro, 0 +nopajam.tk, 1 +nopassword.ca, 1 +nopasswords.ca, 1 +nopaste.eu, 1 +nopaynocure.com, 1 +nophelet.com, 1 +nopiamanual.net, 1 +nopm.xyz, 1 +nopropaganda.tk, 1 +nopuedesdejarlopasar.es, 1 +nora-devot.com, 1 +noraahost.com, 1 +noracora.com, 1 +norad.sytes.net, 1 +noradevot.com, 1 +noradevot.org, 1 +noradrenalina.com, 1 +norala.tk, 1 +noralku.net, 1 +norazpublicservice.gov, 1 +norbert-wollheim-platz.tk, 1 +norbertorabinovichblog.com, 0 +norbit.de, 1 +norcalworkcomp.com, 1 +norcconcrete.com, 1 +norcopa.gov, 1 +nord-sud.be, 1 +nordaccount.com, 1 +nordbusinessaccount.com, 1 +nordcheckout.com, 1 +nordcity.ga, 1 +nordcom.io, 1 +norddevelopmentgroup.com, 1 +norden.eu.org, 1 +norden.social, 1 +norderney-zs.de, 1 +nordesttrasporti.it, 1 +nordex.ca, 1 +nordfinck.de, 1 +nordformstore.dk, 1 +nordgravite.fr, 1 +nordhealth.com, 1 +nordhealth.fi, 1 +nordicequities.com, 1 +nordicirc.com, 1 +nordico.club, 1 +nordicportalen.tk, 1 +nordicsemi.com, 1 +nordicsolutionsgroup.com, 1 +nordicsrit.tk, 1 +nordicway.dk, 1 +nordinfo.fi, 1 +nordiskhiss.se, 1 +nordiskhissvarmland.se, 1 +nordlandsbanken.no, 1 +nordlandverliebt.de, 1 +nordlayer.com, 1 +nordlichter-brv.de, 1 +nordlocker.com, 1 +nordmark-pharma.de, 1 +nordmoregatebilklubb.com, 1 +nordpass.asia, 1 +nordpass.com, 1 +nordsec.com, 1 +nordseeblicke.de, 1 +nordstarfossils.com, 1 +nordvestkysten.de, 1 +nordvestkysten.dk, 1 +nordvpn.com, 1 +nordwal.de, 1 +nordwaldzendo.de, 1 +norebase.com, 1 +noref.tk, 1 +noregrets.tk, 1 +noreply.mx, 1 +norestfortheweekend.com, 1 +norfipc.com, 1 +norfolkgardencare.co.uk, 1 +norgesenergi.no, 1 +norichanmama.com, 1 +noriel.ro, 1 +norikazumatsuno.tk, 1 +noripon.blog, 1 +noriskit.nl, 1 +noritakechina.com, 1 +noriva.com.mt, 1 +norlink.ca, 1 +normaculta.com.br, 1 +normalady.com, 1 +normalil.gov, 1 +normalinlinden.de, 1 +normalized.ga, 1 +normalizuj.me, 1 +normalporter.tk, 1 +normalsecurity.com, 1 +norman-legal.com, 1 +norman-preusser-gmbh.de, 1 +normanbauer.com, 1 +normandgascon.com, 1 +normandie-bienetre.com, 1 +normandiereiki.com, 1 +normandy.tk, 1 +normanhurstldc.nsw.edu.au, 1 +normco.re, 0 +normity.nl, 1 +norml.fr, 1 +noroutine.com, 1 +noroutine.me, 1 +norridgewock.gov, 1 +norrisautomotiveinc.com, 1 +norrishome.tk, 1 +norristn.gov, 1 +norrkemi.se, 1 +norrlandsbilverkstad.se, 1 +norrliden.de, 1 +norsewars.com, 1 +norskespilleautomater.com, 1 +norskpensjon.no, 1 +nortecompartidoexperience.es, 1 +nortecultural.tk, 1 +nortek.com, 1 +northafrican.tk, 1 +northamericantrack.com, 0 +northampton-vets.co.uk, 1 +northatlantalawgroup.com, 1 +northatlantalawgroup.net, 1 +northaugustasc.gov, 1 +northbannockfire.gov, 1 +northbayvillage-fl.gov, 1 +northbengaltourism.com, 1 +northboot.xyz, 0 +northbranch-md.com, 0 +northbranfordct.gov, 1 +northbranfordpdct.gov, 1 +northbrisbaneapartments.com.au, 1 +northcapitalb.com, 1 +northcarolinahealth.tk, 1 +northcharlestonsc.gov, 1 +northcoastlabs.com, 1 +northcoastpsychotherapy.com.au, 1 +northcountyfire.gov, 1 +northcountykiaparts.com, 1 +northcreekresort.com, 1 +northcreekresortblue.ca, 1 +northdallasendo.com, 1 +northdavisfireut.gov, 1 +northdevonbouncycastles.co.uk, 1 +northeastcdc.org, 1 +northeasternchimney.com, 1 +northeasternsportfishing.com, 1 +northebridge.com, 0 +northernflame.tk, 1 +northerngate.net, 1 +northernhamsterclub.com, 1 +northernlight.com, 1 +northernlitescourier.ca, 1 +northernpowertrain.com, 1 +northfayettepa.gov, 1 +northfayettepapolice.gov, 1 +northfieldmn.gov, 1 +northfieldnh.gov, 1 +northfinance.dk, 1 +northflightaeromed.org, 1 +northhampton-nh-pd.gov, 1 +northhudsonwi.gov, 1 +northiowatractorride.com, 1 +northkingstownri.gov, 1 +northkoreainsider.tk, 1 +northliner.tk, 1 +northlinkferries.com, 1 +northlinkferries.net, 1 +northmiamibeachfl.gov, 1 +northmountliquor.ca, 1 +northoaksmn.gov, 1 +northokanaganbookkeeping.com, 1 +northplainfield-nj.gov, 1 +northplainfieldnj.gov, 1 +northplattene.gov, 1 +northpointoutdoors.com, 1 +northpole.dance, 1 +northportfl.gov, 1 +northportpdfl.gov, 1 +northpost.is, 1 +northprairiepdwi.gov, 1 +northprairiewi.gov, 1 +northpublicidade.com.br, 1 +northrose.net, 1 +northshoremums.com.au, 1 +northshorevisitor.com, 1 +northstarcommunitytrust.org, 1 +northstarcommunitytrust.org.uk, 1 +northstaredit.org.uk, 1 +northstarmodular.com, 1 +northstartrust.co.uk, 1 +northstartrust.com, 1 +northstartrust.org, 1 +northstartrust.org.uk, 1 +northsummitfireut.gov, 1 +northtek.tk, 1 +northteksystems.com, 1 +northtex.com, 1 +northtexaspiano.org, 1 +northtexasvasectomy.com, 1 +northtints.store, 1 +northtopsailbeachnc.gov, 1 +northtowndental.ca, 1 +northumberlandcountypa.gov, 1 +northumbria.ac.uk, 1 +northwestimaging.com, 1 +northwilkesboronc.gov, 1 +northwoodoh.gov, 1 +northwoodstudios.org, 1 +northzone.ml, 1 +norveg.ru, 1 +norvelltwp-mi.gov, 1 +norwalkct.gov, 1 +norwalkps.org, 0 +norway.ml, 1 +norwayinternetstuffs4u.tk, 1 +norwegian.events, 1 +norwellma.gov, 1 +norwichzen.org.uk, 1 +norwoodma150.gov, 1 +norys-escape.de, 1 +norz.at, 1 +norzetto.com, 1 +nos-oignons.net, 1 +nosacheva.ru, 1 +nosandjayo.com, 1 +nosbenevolesontdutalent.com, 1 +noschairsfauteuils.fr, 1 +noscript.net, 1 +noseastumismo.com, 1 +nosecare.com, 1 +nosecrets.ch, 1 +nosedoctor.net, 1 +nosetup.tk, 1 +noseware-apps.de, 1 +nosfermiers.com, 1 +nosinmiperro.tk, 1 +nosite.co.za, 1 +noskov.org, 1 +nosleepforrobots.com, 1 +noslite.nl, 1 +nosmoke.cc, 1 +nosmoking.tk, 1 +nosoxo.com, 1 +nosproduitsdequalite.fr, 1 +nossaseguros.ao, 1 +nossasenhoradodesterro.com.br, 1 +nossasenhoradopranto.pt, 0 +nossorepresentante.com.br, 1 +nostalgicinfinity.tk, 1 +nostalgie.tk, 1 +nostalgift.ir, 1 +nostalgiktv.ml, 1 +nostalgimidi.se, 1 +nostalgische-attracties.nl, 1 +nostaljicicekcilik.com, 1 +nostar.fr, 1 +nostoautomaatti.fi, 1 +nostosh.eu.org, 1 +nostradansacornella.tk, 1 +nostraforma.com, 0 +nostring.io, 1 +nostrum.ee, 1 +nostrupload.com, 1 +nosuch.site, 1 +nosuch.website, 1 +nosurfinbrighton.tk, 1 +noswap.com, 1 +nosyu.pe.kr, 0 +not-a.link, 1 +not4me.ga, 1 +not4me.tk, 1 +nota-web.com, 1 +nota.moe, 1 +nota.place, 1 +notablepeeps.com, 1 +notabug.eu, 1 +notabug.org, 1 +notacooldomain.com, 1 +notactivelylooking.com, 1 +notadd.store, 1 +notallmine.net, 0 +notalone.gov, 1 +notamo.de, 1 +notar-glagowski.com, 1 +notar-glagowski.de, 1 +notar-peikert.com, 1 +notari.pro, 1 +notariatpublic.com, 1 +notaries-europe.com, 1 +notariosbcn.com, 1 +notarisdecatalunya.org, 1 +notariusz-bialystok.com, 1 +notariuszprzybylowicz.pl, 1 +notariuszsych.pl, 1 +notary-tx.com, 1 +notary24.ru, 1 +notarypublic.co.nz, 1 +notashamedministry.org, 1 +notbolaget.se, 1 +notbot.es, 1 +notby.net, 1 +notcompletelycorrect.com, 1 +notcurses.com, 1 +notdankmemer.lol, 1 +note.ms, 1 +note1024.tk, 1 +note7forever.com, 1 +notebin.xyz, 1 +notebleue.com, 1 +noteboat.net, 1 +notebooksbilliger.de, 1 +notebooksteurer.shop, 1 +notebrook.com, 1 +notecoffee.tw, 1 +noted.de, 1 +notedinstyle.co.uk, 1 +notenarchiv.eu, 1 +notepam.com, 1 +notequal.me, 1 +notesforpebble.com, 1 +noteskeeper.ru, 1 +notfunny.tk, 1 +notgerman.com, 1 +nothinfancy.ca, 1 +nothing.net.nz, 1 +nothing.org.uk, 1 +nothingbundtcakes.com, 1 +noti.tg, 1 +noticiaelmundo.com, 1 +noticias7.org, 1 +noticiasdeautos.site, 1 +noticiasdetv.com, 1 +noticiasdocambio.com.br, 1 +noticiashoy.online, 1 +noticiassonaqui.com, 1 +noticiasymas.cl, 1 +noticieropopular.tk, 1 +noticies.tk, 1 +notienegoyete.ga, 1 +notif-build-laposte.info, 1 +notif-colissimo-laposte.info, 1 +notif-laposte.info, 1 +notif-lidentitenumerique-laposte.info, 1 +notif-lpfr-laposte.info, 1 +notif-moncompte-laposte.info, 1 +notific.at, 1 +notificami.com, 1 +notify.gov, 1 +notifyed.com, 1 +notifymy.team, 1 +notime.tk, 1 +notinglife.com, 1 +notion.so, 1 +notionbackups.com, 1 +notipress.mx, 1 +notisec.hu, 1 +notisecit.hu, 1 +notisphererecalls.com, 1 +notiziarioweb.tk, 1 +notizie.ai, 1 +notliriklagu.com, 1 +notme.cf, 1 +notmyrealmail.com, 1 +notnewz.tk, 1 +notnize.net, 1 +notnl.com, 1 +notofilia.com, 1 +notokyc.com, 1 +notomalayan.tk, 1 +notonprem.com, 1 +notora.tech, 1 +notoriousdev.com, 1 +notre-planete.info, 1 +notrefuse.tk, 1 +notresiteduvercors.tk, 1 +notrid.com, 1 +notryden.com, 1 +notsafefor.work, 1 +notsoape.com, 1 +nottawatwpisabellami.gov, 1 +nottinghammoneyman.com, 1 +nottwo.ru, 1 +notube.cc, 1 +notube.io, 1 +notube.net, 1 +notube.site, 1 +nou9ta.tk, 1 +noudjalink.nl, 1 +nougat-anduze.fr, 1 +noumeet.com, 1 +nouragha.com, 1 +nourishandnestle.com, 1 +nourishbyfrida.com, 1 +noussommesluniversite.org, 1 +nousyukum.com, 1 +nouveau.nl, 1 +nouveauhosting.com.au, 1 +nouvelle.net.au, 1 +nova-dess.ch, 0 +nova-eq.com, 1 +nova-host.ml, 1 +nova-kultura.org, 1 +nova.live, 1 +novabench.com, 0 +novacal.ga, 1 +novacap.ca, 1 +novacoaching.nl, 1 +novacoast.com, 1 +novadir.com, 1 +novafreixo.pt, 1 +novageracao2021.pt, 1 +novaintegra.co, 1 +novaintegra.com, 1 +novak.cf, 1 +novakola.bg, 1 +novalevante.info, 1 +novalite.rs, 0 +novalnet.de, 1 +novanetwork.ml, 1 +novanice.net, 1 +novanta.pl, 1 +novantaphotonics.com, 1 +novaofcalifornia.com, 1 +novaquark.com, 1 +novaratoday.it, 1 +novarock.tk, 1 +novasdecadamanha.com.br, 1 +novashare.io, 1 +novasport.ru, 1 +novasprint.tk, 1 +novastore.com.br, 1 +novastores.co, 1 +novatelecom.cl, 0 +novavax.com, 0 +novaway.ca, 1 +novaya.media, 1 +novaya.no, 1 +novayagazeta.ee, 1 +novayagazeta.eu, 1 +novayagazeta.ru, 1 +novayazemlya.tk, 1 +nove.city, 1 +noveciti.com, 1 +novecity.cloud, 1 +novecity.com, 1 +novecity.info, 1 +novecity.it, 1 +novecity.org, 1 +novecitymail.com, 1 +novecore.pro, 1 +novel543.com, 1 +novelas.net.br, 1 +novelinglife.net, 0 +novelly.in, 1 +novelmic.com, 1 +noveltr.com, 1 +noveltydoorers.ga, 1 +noveltydoorest.ga, 1 +novelvyretraite.fr, 1 +novema.jp, 1 +novenopiso.tk, 1 +novezamky.tk, 1 +novgorod24.tk, 1 +novgorodinfo.tk, 1 +novi-marof.hr, 1 +novias.co.jp, 1 +noviceman.tk, 1 +novichek-plus.ml, 1 +novichok.ml, 1 +novickoe.ml, 1 +novilaw.com, 1 +novilidery.com, 1 +novilist.hr, 1 +novinkihd.tk, 1 +noviny.sk, 1 +novinykraje.cz, 1 +novip.tk, 1 +noviyan.com, 1 +novobi.com, 1 +novobudowa.pl, 1 +novocarrobr.com.br, 1 +novodiegomaia.com.br, 1 +novogimn.tk, 1 +novogradnje.si, 1 +novogrudok.tk, 1 +novojet.cl, 1 +novokurovka.tk, 1 +novokuznetsk.tk, 1 +novonegoc.io, 1 +novoodesabibl.tk, 1 +novoopus.com, 1 +novoresume.com, 1 +novorossiysk.tk, 1 +novorussiya.tk, 1 +novosad-kom.tk, 1 +novosel.ga, 1 +novoselie.ga, 1 +novosibavia.ru, 0 +novosleep.ca, 1 +novosti-novorossii.ml, 1 +novosti-novosibirsk.tk, 1 +novosti-online.tk, 1 +novosti-tv.tk, 1 +novostimira.gq, 1 +novostionline.tk, 1 +novostiz.tk, 1 +novostroyki.ml, 1 +novotoznanie.com, 1 +novparket.ru, 0 +novrazbb.com, 1 +novsti.cf, 1 +novu.com, 1 +novumclinic.pl, 1 +novumnet.com.br, 1 +novurania.com, 0 +novy.software, 1 +novy.vip, 1 +novychas.online, 1 +novye-kuhni.ml, 1 +novysvit.com.ua, 1 +novyzelandnamiru.cz, 1 +now.sh, 1 +now101atm.tk, 1 +nowaccy.info, 1 +nowaesthetic.com, 1 +nowaovivo.com.br, 1 +nowarning.cc, 1 +nowbb.tk, 1 +nowebsite.tk, 1 +nowecor.de, 1 +noweigh.co.uk, 1 +nowhairtime.com, 1 +nowhere.dk, 1 +nowinkijedynki.tk, 1 +nowitzki.network, 1 +nowlas.org, 0 +nowloading.co, 1 +nowloading.tk, 1 +nowoczesnysalon.ga, 1 +nowoe.ru, 1 +nowonline.biz, 1 +nowremindme.com, 1 +nowtime.cc, 1 +nowtips.gq, 1 +nowtricity.com, 1 +nowzad.com, 1 +nowzarimd.com, 1 +noxh.net, 1 +noxi.ga, 1 +noxiouspl.uk, 1 +noxomusic.com, 1 +noxx.global, 1 +noxx.solutions, 1 +noxx.uk, 1 +noy.asia, 1 +noy.cat, 1 +noyoga.at, 1 +noyweb.tools, 1 +nozaka-k.com, 1 +nozel.cf, 1 +nozel.ga, 1 +nozel.gq, 1 +nozesurvival.pl, 1 +nozom.tk, 1 +np-edv.at, 1 +np.search.yahoo.com, 0 +np39.de, 1 +npaf.org, 1 +npaihb.org, 1 +npass.us, 1 +npath.de, 1 +npbeta.com, 1 +npc-ts.org, 1 +npc.org.au, 1 +npclimited.co.uk, 1 +npcradio.tk, 1 +npdigital.com, 1 +npgcdn.net, 1 +nphrm.com, 1 +npjobsite.com, 1 +nplc.cc, 1 +nplindia.org, 1 +npm.li, 1 +npmcdn.com, 1 +npontu.com, 1 +npowerbusinesssolutions.com, 1 +nprb.org, 1 +npregion.org, 1 +npsas.org, 1 +nptelegraph.com, 1 +nptn.tk, 1 +npuer.life, 1 +npws.net, 1 +nqesh.blog, 1 +nqesh.net, 1 +nqesh.org, 1 +nqesh.ph, 1 +nqeshonline.com, 1 +nqeshreviewer.com, 1 +nqhomeinsurance.gov.au, 1 +nqwebdesign.com, 1 +nrac.or.jp, 1 +nrail.eu, 1 +nrbpublishing.com, 1 +nrbri.ru, 1 +nrc-gateway.gov, 1 +nrc.gov, 1 +nrchealth.com, 1 +nrd.gov, 1 +nrdstd.io, 1 +nreihofer.de, 1 +nrev.ch, 1 +nrj-plomberie.com, 1 +nrkn.fr, 1 +nrldc.in, 0 +nrm.co.nz, 1 +nrpyrenees.fr, 1 +nrsmart.com, 1 +nrsweb.org, 1 +nrthcdn.me, 1 +nrvc.net, 1 +nrvn.cc, 1 +nrvnastudios.com, 1 +nrw-stiftung-magazin.de, 1 +ns-frontier.com, 1 +ns-hook.dk, 1 +ns.gov, 1 +ns0.ca, 1 +ns230kvopenhouse.com, 1 +ns2servers.pw, 1 +nsa.ovh, 1 +nsacom.com, 1 +nsadns.uk, 1 +nsamail.uk, 1 +nsapb.bg, 1 +nsb.lk, 1 +nsbfalconacademy.org, 1 +nsbih.ba, 1 +nsboston.org, 1 +nsboutique.com, 1 +nsbufl.gov, 1 +nscai.gov, 1 +nscorporation.co.jp, 1 +nscresearchcenter.org, 1 +nsdcprayerforce.com, 1 +nsec.dk, 1 +nseindia.com, 1 +nsep.gov, 1 +nsepapa.com, 1 +nsfw-story.com, 1 +nsfw.dk, 1 +nshipster.cn, 1 +nshipster.co.kr, 1 +nshipster.com, 1 +nshipster.es, 1 +nshispeed.nl, 1 +nsics.co.jp, 1 +nsikakimoh.com, 1 +nsine.be, 1 +nsinternational.com, 1 +nsinternational.nl, 1 +nsjbio.com, 1 +nskarate.tk, 1 +nsl.co.nz, 1 +nslacandelaria.com, 1 +nsm.ee, 1 +nsmail.cn, 1 +nsmail.com, 1 +nsn.nl, 1 +nsncatalog.com, 1 +nso.ie, 1 +nso.li, 1 +nsoft.nu, 1 +nsoiran.tk, 1 +nsopr.gov, 1 +nsopw.gov, 1 +nsp-discount.com, 1 +nsp.com.ua, 1 +nsp.ua, 1 +nspeaks.com, 0 +nspireoutreach.org, 1 +nspoh.nl, 1 +nsradiology.net, 1 +nssfchile.tk, 1 +nssquad.tk, 1 +nst-maroc.com, 1 +nstatic.xyz, 1 +nstd.net, 1 +nsteck.com, 1 +nstnet.org, 1 +nsu.pw, 1 +nsv.ee, 1 +nswedu.link, 1 +nsworks.com, 0 +nszero.tk, 1 +nta-net.nl, 1 +ntags.org, 1 +ntcoss.org.au, 1 +ntcp.ph, 1 +ntcrmezon.ru, 1 +ntdf.co.uk, 1 +nte.email, 1 +ntecha.com, 1 +ntechp.com, 1 +ntgltema.ml, 1 +ntgvision.com, 1 +nth.sh, 0 +nti.de, 1 +ntia.gov, 1 +ntindependent.com.au, 1 +ntinet.com, 1 +ntinformatique.ca, 1 +ntj125app.com, 1 +ntk-institute.org, 1 +ntlabs.org, 1 +ntnlst.com, 1 +ntokens.com, 1 +ntokens.com.br, 1 +ntotten.com, 1 +ntppool.com, 1 +ntppool.net, 1 +ntppool.org, 1 +ntr.ac.cn, 1 +ntreizel.com, 1 +nts.com, 1 +ntsb.gov, 1 +ntsipl.com, 1 +ntsmcqs.com, 0 +ntsmetrics.com, 1 +ntsp.team, 1 +ntt-buses.com, 1 +ntu.edu.sg, 0 +ntuchinesesociety.com, 0 +ntvtelugu.com, 1 +ntx360grad-fallakte.de, 1 +ntxsolarandconstruction.com, 1 +ntz.im, 1 +nu-pogodi.net, 1 +nu.com.mx, 1 +nu.fi, 1 +nuacht.ie, 1 +nuage-libre.fr, 1 +nuage365.de, 0 +nuanda.es, 1 +nuansagoal.co, 1 +nub.so, 1 +nubank.com.br, 1 +nube.com.br, 1 +nubeaustral.ar, 1 +nubehogar.nsupdate.info, 1 +nubian.cf, 1 +nubian.tk, 1 +nubilum.noip.me, 1 +nubium.net, 1 +nubla.fr, 1 +nubla.io, 1 +nubnology.com, 1 +nubraza.com, 1 +nubu.at, 1 +nubunk.com.ng, 0 +nucciocondorelli.it, 1 +nuckollscountyne.gov, 1 +nuclea.site, 1 +nuclearcake.de, 1 +nuclearforum.tk, 1 +nuclearhell.tk, 1 +nuclearmed.org, 1 +nuclearnation.tk, 1 +nuclearsky.tk, 1 +nucleios.com, 1 +nucleomarketing.com.br, 1 +nucleosynth.space, 1 +nucleus-co.org, 1 +nucleuscore.org, 1 +nucleuspanel.com, 1 +nudaveritas.tk, 1 +nudeai.com, 1 +nudeandfresh.tk, 1 +nudegirlphotos.com, 1 +nudegirls.tv, 1 +nudel.ninja, 1 +nudes.ovh, 1 +nudetube.com, 1 +nudevotion.com, 1 +nudgesecurity.io, 1 +nudo.tk, 1 +nudoleaks.com, 1 +nuecescountytx.gov, 1 +nuel.cl, 1 +nuernberg-finanzen.de, 1 +nuernbergwillwandel.de, 1 +nuespacios.com, 0 +nuestrasdanzashn.tk, 1 +nuetel.com, 1 +nuevacombarbala.tk, 1 +nuevaimagenpublicidad.es, 1 +nuevapublicidad.tk, 1 +nuevaya.com.ni, 0 +nuffield.nl, 1 +nugdev.co, 0 +nuggit.ga, 1 +nugmanov.net, 1 +nugratis.nl, 1 +nugush.tk, 1 +nuhbeg.com, 1 +nuhil.tk, 1 +nuhs.edu.sg, 1 +nuhs.sg, 1 +nuitec.com.br, 1 +nuits-franciliennes.fr, 1 +nuke-masters.tk, 1 +nukeiso.ml, 1 +nukeportal.ml, 1 +nukeportal.tk, 1 +nukeshop.tk, 1 +nukleoti.de, 1 +nukute.com, 0 +nul20.nl, 1 +null-d.com, 1 +null-life.com, 0 +null48.net, 1 +nullbit.tk, 1 +nulldev.org, 1 +nulle-part.org, 1 +nulledme.ga, 1 +nulleds.tk, 1 +nullificatr.tk, 1 +nullonerror.org, 1 +nullop.tech, 1 +nullptr.zone, 1 +nullroute.com, 1 +nullroute.wtf, 1 +nullscripts.tk, 1 +nullsechs.tk, 1 +nullshare.tk, 1 +nulltime.net, 1 +nullvoid.me, 1 +nullxsec.net, 1 +nully.xyz, 1 +nulo.ar, 0 +nuls.io, 1 +nulsc.biz, 1 +numancia.tk, 1 +numarasorgulama.tel, 1 +number.me, 1 +numbercult.net, 1 +numberzero.org, 1 +numbots.com, 1 +numeezy.com, 1 +numerama.com, 1 +numericall.gq, 1 +numeriquoi.com, 1 +numeritelefonici.it, 1 +numerix.com, 1 +numerli.com, 1 +numero1.ch, 0 +numero1.tk, 1 +numerobis.tk, 1 +numerologist.com, 1 +numerosrojos.es, 1 +numerossanos.com.ar, 1 +numerouno.ml, 1 +numerspiral.pt, 1 +numismatix.de, 1 +numismed-seniorcare.de, 1 +nummer378.de, 1 +numo.co, 1 +numwave.nl, 1 +numxl.com, 1 +nunesgh.com, 1 +nunesgh.org, 1 +nunnenmacher.net, 0 +nunnun.jp, 1 +nuno-sarmento.com, 1 +nunoarruda.com, 1 +nunoefabia.tk, 1 +nunogand.com, 1 +nunoleiria.com, 1 +nunomoura.com, 1 +nunoprospero.com, 1 +nunsarean.tk, 1 +nuntiicaelo.in.ua, 1 +nunu.cf, 1 +nunu.ml, 1 +nuooly.com, 1 +nuos.org, 1 +nuovaelle.it, 1 +nuovaguardia.tk, 1 +nuovicasino.it, 1 +nupaybusiness.com.br, 1 +nupixemedia.com, 1 +nuquery.com, 1 +nur-test.de, 1 +nur.berlin, 1 +nuraling.com, 1 +nuranagi.rocks, 1 +nureg.club, 1 +nureg.net, 1 +nuria-fergo.tk, 1 +nuriaamat.com, 1 +nuriacamaras.com, 1 +nurkamol.com, 1 +nurlyn.com, 0 +nurmio.fi, 1 +nurnabi.ml, 1 +nurseactioners.ga, 1 +nurseactionest.ga, 1 +nursejj.com, 1 +nursemom.ca, 1 +nurserystory.co.uk, 1 +nurseslabs.com, 1 +nursetheticsbyliam.co.uk, 1 +nursing-school-degrees.com, 1 +nursing-school2.tk, 1 +nursingconsultant.ca, 1 +nursinghero.com, 1 +nursinglicensure.org, 1 +nursingschool.network, 1 +nursunity.ml, 1 +nurture-thrive.com, 1 +nusabarongmotormalang.com, 1 +nusaceningan.io, 1 +nusantaraku.tk, 1 +nusatrip-api.com, 1 +nussadoclub.org, 1 +nussschale.eu, 1 +nustay.com, 1 +nut.spb.ru, 1 +nutbot.co.uk, 1 +nutleyarchives.org, 1 +nutleyeducationalfoundation.org, 1 +nutleyef.org, 1 +nutmeg.com, 1 +nutra-creations.com, 1 +nutra.tk, 1 +nutralivbio.com, 1 +nutrashop.fr, 1 +nutriciametabolics-shop.de, 1 +nutricionistatulioalmeida.com, 1 +nutriciously.com, 1 +nutriclub.co.id, 1 +nutrifruiti.ca, 1 +nutrifyyourself.com, 1 +nutrijets.com, 1 +nutriment.co.uk, 1 +nutrineyfelipe.com, 1 +nutripedia.gr, 1 +nutripure.fr, 1 +nutrisidangym.com, 1 +nutrislice.com, 1 +nutristories.gr, 1 +nutrition.gov, 1 +nutritiondynamixrd.com, 1 +nutritioned.org, 1 +nutritionfitness.fr, 1 +nutritious.cf, 1 +nutrizionista.roma.it, 1 +nutroeffect.com, 1 +nutsandboltsfoundation.org, 1 +nutsforfruits.com.au, 1 +nutwgent.tk, 1 +nuus.hu, 1 +nuva.hu, 1 +nuvabridge.com, 1 +nuvasystem.com, 1 +nuvechtdal.nl, 1 +nuvini.com, 1 +nuvoagency.com, 1 +nuvolosicuro.io, 1 +nuvotheagency.com, 1 +nuwave.com, 0 +nux.jp, 1 +nuxer.fr, 1 +nuzhenkredit.ga, 1 +nuzhenkredit.gq, 1 +nuzhenkredit.ml, 1 +nuzhenkredit.tk, 1 +nv-art.ru, 1 +nvcmaine.gov, 1 +nvcogct.gov, 1 +nvd.nl, 1 +nvda-addons.org, 1 +nvda.es, 1 +nvdps.gov, 1 +nve-qatar.com, 1 +nvest.co.za, 1 +nvestel.co.za, 1 +nvestholdings.co.za, 1 +nvestholdings.com, 1 +nvestproperties.co.za, 1 +nvests.co.za, 1 +nvestsec.co.za, 1 +nvfh.co.za, 1 +nvfoundation.com, 1 +nvh.group, 1 +nvi-go.nl, 1 +nviewscareer.com, 1 +nvigate.gov, 1 +nvio.mx, 1 +nvkc.nl, 0 +nvl-game.tokyo, 1 +nvleg.gov, 1 +nvlifeinsurance.info, 1 +nvlop.xyz, 0 +nvme.xyz, 1 +nvmo.org, 1 +nvnv.cf, 1 +nvoip.com.br, 1 +nvq.nl, 1 +nvr.bz, 1 +nvrddma.gov, 1 +nvrk.edu.ee, 1 +nvsp.in, 1 +nvtc.gov, 1 +nvtpower.com, 1 +nvtz.nl, 1 +nvz-kennisnet.nl, 1 +nvzhlv.com, 1 +nw-glass.com, 1 +nw-risk.com, 1 +nwaafund.org, 1 +nwbc.gov, 0 +nwcc.bike, 1 +nwcouncil.gov, 1 +nwea.nl, 1 +nwfdaz.gov, 1 +nwfem.com, 1 +nwh.nz, 1 +nwimports.com, 1 +nwitt.us, 1 +nwmpcllc.com, 0 +nwn.fi, 1 +nwoordinances.tk, 1 +nwopage.tk, 1 +nwperformanceandoffroad.com, 1 +nwps.fi, 1 +nwra.com, 1 +nwradio.tk, 1 +nwrp.eu, 1 +nwshell.com, 1 +nwspecialists.com, 1 +nwtl.com, 1 +nwtparks.ca, 0 +nwtrb.gov, 1 +nwuss.okinawa, 1 +nwwnetwork.net, 1 +nx42.pw, 1 +nxcloud.ml, 1 +nxdomain.info, 1 +nxedge.com, 1 +nxf.li, 1 +nxit.ca, 1 +nxlogis.kr, 1 +nxnt.link, 1 +nxplinc.com, 1 +nxstudios.tk, 1 +nxth.io, 1 +nxtport.eu, 1 +nxxcloud.nl, 1 +ny-events.club, 1 +nya-cloud.com, 1 +nya.as, 1 +nya.autos, 1 +nya.chat, 1 +nya.codes, 1 +nya.one, 1 +nya.show, 1 +nya.work, 1 +nyaan.net, 1 +nyaan.org, 1 +nyac.at, 1 +nyadisk.net, 1 +nyahururu.tk, 1 +nyaken.tk, 1 +nyan.it, 0 +nyan.kim, 1 +nyan.stream, 1 +nyangasm.com, 0 +nyangasm.net, 0 +nyangasm.org, 0 +nyanor.cloud, 1 +nyansparkle.com, 1 +nyantec.com, 1 +nyap.org, 1 +nyatane.com, 1 +nyau.me, 1 +nyauth.com, 1 +nyawau.ch, 1 +nyawork.com, 1 +nybcreative.com, 1 +nycctp.com, 1 +nycdentalimplantscenter.com, 1 +nycestateest.ga, 1 +nycgastroenterologists.com, 1 +nych.com, 1 +nycoyote.org, 1 +nycpac.net, 0 +nycstyleboutique.com, 1 +nycu.moe, 1 +nydig.com, 0 +nydnxs.com, 0 +nyeclipse.com, 1 +nyecountynv.gov, 1 +nyerjakekszekkel.hu, 1 +nyerjazoreoval.hu, 1 +nyerjenaheraval.hu, 1 +nyfurnitureoutlets.com, 1 +nygbcomicguide.tk, 1 +nygbtourguide.tk, 1 +nyhaoyuan.net, 1 +nyhemsgarden.se, 1 +nyheter-sverige.ga, 1 +nyiaarhus.dk, 1 +nyiarlumar.tk, 1 +nyiooc.org, 0 +nyirc.gov, 1 +nylasercenter.com.pl, 1 +nylbdc.gov, 1 +nylevemusic.com, 1 +nylipa.gov, 1 +nyliveauctions.com, 1 +nyloc.de, 1 +nym.at, 1 +nynadynasir.co.id, 0 +nynadynasir.my.id, 1 +nyoka-flutter.com, 1 +nyoka-nodejs.com, 1 +nyoka-react.com, 1 +nyoka.io, 1 +nyoka.ru, 1 +nyoliveoil.com, 1 +nyorokko.com, 1 +nyphox.ovh, 1 +nyrany.online, 1 +nyronet.de, 0 +nysis.fr, 1 +nysis.net, 1 +nysis.org, 1 +nystrom.tk, 1 +nystrs.gov, 1 +nystudio107.com, 1 +nysusankitchen.com, 1 +nytrafficticket.com, 1 +nytvattat.tk, 1 +nyupoco.com, 1 +nyuware.pw, 1 +nyxapp.net, 1 +nyyu.tk, 1 +nyzed.com, 1 +nz.search.yahoo.com, 0 +nzb.su, 1 +nzbfinder.ws, 1 +nzbr.de, 1 +nzbstars.com, 1 +nzcorp.dk, 1 +nzdata.org, 1 +nzelaweb.com, 1 +nzfaponline.com, 1 +nzguns.co.nz, 1 +nzhistory.govt.nz, 1 +nzia.tk, 1 +nzmaths.co.nz, 1 +nzmca.org.nz, 1 +nzmomentum.co.nz, 1 +nzno.org.nz, 1 +nzpost.ga, 1 +nzroom.cf, 1 +nzsafety.co.nz, 1 +nzsafetyblackwoods.co.nz, 1 +nzstudy.ac.nz, 1 +nzt.capital, 1 +nzt.co, 1 +nzt.dev, 1 +nzt.foundation, 1 +nzt.holdings, 1 +nzt.io, 1 +nzt.one, 1 +nzt.productions, 1 +nzt.properties, 1 +nzt.services, 1 +nzt.team, 1 +nzt.technology, 1 +nzt.tools, 1 +nzt.ventures, 1 +nztcap.com, 1 +nztcap.de, 1 +nztcapital.com, 1 +nztcapital.de, 1 +nztcapital.net, 1 +nztfoundation.com, 1 +nztholdings.com, 1 +nztproperties.com, 1 +nztservices.com, 1 +nzttechnology.com, 1 +nzttools.com, 1 +nzttools.net, 1 +nztventures.com, 1 +nztventures.de, 1 +nztventures.net, 1 +nzws.me, 0 +o-bereg.ru, 1 +o-coeur-de-la-fleur.fr, 1 +o-dvor.tk, 1 +o-n-s.co.jp, 1 +o-results.ch, 1 +o-ta-su-ke.net, 1 +o.ee, 1 +o00.eu, 1 +o00228.com, 1 +o0c.cc, 1 +o11y.top, 1 +o15y.com, 1 +o2.tn, 1 +o2design.tk, 1 +o2fitnes.ru, 1 +o2solutions.ae, 1 +o2ss.com, 0 +o3.ua, 1 +o36533.com, 1 +o365info.com, 1 +o3c.com.br, 1 +o3ptitschats.fr, 1 +o3swap.com, 1 +o3wallet.com, 1 +o5.cx, 0 +o5.vc, 1 +o5197.co, 1 +o6729.co, 1 +o6729.com, 0 +o6957.co, 1 +o6asan.com, 1 +o6i.de, 1 +o7.nz, 1 +o82365.com, 1 +o9297.co, 1 +o9728.co, 1 +o98.net, 0 +o9solutions.com, 1 +oaaa.org, 1 +oabtherapy.com, 1 +oadeo.com, 1 +oahpmdata.net, 1 +oakbarnvets.com, 1 +oakbarnwellness.com, 1 +oakbottle.com, 1 +oakcreekwi.gov, 1 +oakdale.org, 0 +oakdaleca.gov, 1 +oakdalemn.gov, 1 +oaken.duckdns.org, 1 +oakesfam.net, 1 +oakface.com.au, 1 +oakharbor.gov, 1 +oakhillfl.gov, 1 +oakhillseniors.com, 1 +oakislandnc.gov, 1 +oaklandenrolls.org, 1 +oaklandfire6.com, 1 +oakparkelectrical.com, 1 +oakparkexteriorlighting.com, 1 +oakparklandscapelighting.com, 1 +oakparklighting.com, 1 +oakparkoutdoorlighting.com, 1 +oakrealty.ca, 1 +oakridgeclinic.ca, 1 +oakshield.nl, 1 +oakslim.com, 1 +oaktravel.nl, 1 +oaktree-realtors.com, 0 +oaktreecapital.com, 0 +oaktreelodge.org.uk, 1 +oakwood-park.tk, 1 +oanclothing.com, 1 +oandareview.co, 1 +oanow.com, 1 +oase-fuer-wohlbefinden.ch, 1 +oasegroen.nl, 1 +oasiristorantebagno.it, 1 +oasis-info.co.uk, 1 +oasis.in, 1 +oasisbodycare.jp, 1 +oasisgenetics.com, 1 +oasiskitchens.com, 1 +oasislab.id, 1 +oatmealdome.me, 1 +oatycloud.spdns.de, 1 +oauthaccountmanager.googleapis.com, 1 +oauthdb.com, 1 +obagg.com, 1 +obala.ga, 0 +obalawebsolutions.ml, 1 +obalky-obaly.sk, 1 +obamalibrary.gov, 1 +obamawhitehouse.gov, 1 +obandln.de, 1 +obarax.com, 1 +obatjantungrematik.tk, 1 +obbr.tk, 1 +obcevents.co.uk, 1 +obcfl.com, 1 +obclub.tk, 1 +obcom.tk, 1 +obdinvest.ru, 1 +obdolbacca.ru, 1 +obec-krakovany.cz, 1 +obecvinodol.tk, 1 +obed-doma.tk, 1 +obejor.com.ng, 1 +obelisco.tk, 1 +obelix05.duckdns.org, 1 +oberam.de, 1 +obereg.cf, 1 +obereg.ga, 1 +obereg.ml, 1 +oberg.co, 1 +oberg.us, 1 +oberhofdrinks.com, 1 +obermeiers.eu, 1 +oberoi.de, 1 +obery.com, 1 +obesidadenmallorca.com, 1 +obesidadlavega.com, 1 +obet901vip.com, 1 +obezma.com, 1 +obg-global.com, 1 +obg.ceo, 1 +obgalslancaster.com, 1 +obgynecologistnyc.com, 1 +obgynmaryland.com, 1 +obgynmiamifl.com, 1 +obgynqueensnyc.com, 1 +obi-betriebsrat.tk, 1 +obi-investissements.fr, 1 +obido.pl, 1 +obihoernchen.de, 1 +obioncountytn.gov, 1 +obioncountytn911.gov, 1 +obj.moe, 1 +object.earth, 1 +objectcache.pro, 1 +objectif-securite.ch, 1 +objectif-terre.ch, 0 +objectif-vancouver-2010.fr, 1 +objectifs-fitness.com, 1 +objectivefoodie.com, 1 +objectivity.co.uk, 1 +objectorientedsolutions.com, 1 +objekt-textil.ch, 0 +objetodestaque.com.br, 1 +obl.ong, 1 +oblak.host, 1 +oblak.studio, 1 +oblikdom.pro, 0 +oblinvest.org, 1 +oblitsov.ru, 1 +oblivious.ml, 1 +oblojka.tk, 1 +oblondata.io, 0 +obmen-viz.tk, 1 +obmen-vizitami.ml, 1 +obmenka.tk, 1 +obmennik.tk, 1 +obnalichka.cf, 1 +obnalichka.ga, 1 +obnalichka.gq, 1 +obnalichka.tk, 1 +obocat.tk, 1 +oboes.top, 1 +oboivam.ru, 1 +obomne.tk, 1 +obozrevatel.tk, 1 +obpr.gov.au, 1 +obrabotka-zakazow.tk, 1 +obraideal.com, 1 +obrasereformasbh.com.br, 1 +obrobka-zdjec.pl, 1 +obs.plus, 1 +obsceneeulogy.tk, 1 +obscur.tk, 1 +obscur.us, 1 +obscureware.xyz, 1 +obsd.me, 1 +observability.top, 1 +observatoire-des-partenariats.fr, 1 +observer.com, 1 +obsessedwithknives.ru, 1 +obsessivecompulsiveexplained.com, 1 +obsessivefacts.com, 1 +obsica.com, 1 +obsidianirc.net, 1 +obsproject.com, 1 +obss.com.tr, 1 +obss.tech, 1 +obstgarten.berlin, 1 +obsuzhday.com, 1 +obtima.org, 1 +obu4alka.ru, 1 +obuchowicz.pl, 1 +obuhov.ml, 1 +obuhov.tk, 1 +obuvgarmisch.cz, 1 +obuysya.tk, 1 +obxlistings.com, 1 +obyna3.pl, 1 +obyrai.org.ua, 1 +obyvateleceska.cz, 1 +obzor-znakomstv.tk, 1 +obzory-evgeny.tk, 1 +oc-minecraft.com, 1 +ocabj.net, 1 +ocacnews.net, 1 +ocalafl.gov, 1 +ocalaflwomenshealth.com, 1 +ocalapd.gov, 1 +ocalhukuk.com, 1 +ocapiarquitetura.com.br, 1 +ocarm.org, 1 +ocarupo.com, 0 +ocasio.es, 1 +ocassessor.gov, 1 +ocauditor.gov, 1 +ocb.gov, 1 +ocbc.com, 1 +occ.eu, 1 +occ.gov, 1 +occam-consulting.de, 1 +occasion.nc, 1 +occhelps.gov, 1 +occrp.org, 1 +occu.lt, 1 +occult-magick.ga, 1 +occult-magick.gq, 1 +occult-magick.ml, 1 +occulter.fr, 1 +occultism.tk, 1 +occultisme.tk, 1 +occultumproductions.tk, 1 +occupational-therapy-colleges.com, 1 +occupationaltherapylicense.org, 1 +occupations.org.ru, 1 +occupy4elephants.tk, 1 +occupybakersfield.tk, 1 +occupynightlife.com, 1 +occuspace.io, 1 +ocd2016.com, 1 +ocdadmin.com, 1 +ocdhub.co.za, 1 +ocealy.com, 1 +ocean-of-love.ml, 1 +ocean-sun.com, 1 +oceanaway.tk, 1 +oceanborn.ml, 1 +oceanborn.tk, 1 +oceanbreezehomes.com, 1 +oceancity.vin, 1 +oceancountynj.gov, 1 +oceancrew.org, 1 +oceandns.eu, 1 +oceandns.net, 1 +oceane.training, 1 +oceanearth.us, 1 +oceanfirst.com, 1 +oceaniahome.tk, 1 +oceaniaservergroup.com, 1 +oceanic.global, 1 +oceanings.com, 1 +oceanlogisticgroup.com, 1 +oceanlord.me, 1 +oceanofapk.com, 1 +oceanohost.com, 1 +oceanpark.vn, 1 +oceansedgecustompools.com, 1 +oceanshaman.cf, 1 +oceanshaman.ga, 1 +oceanshaman.gq, 1 +oceanshaman.ml, 1 +oceansidetour.tk, 1 +oceanspraymiami.com, 1 +oceanspringsarchives.net, 0 +oceansurplus.tk, 1 +oceanviewde.gov, 1 +oceanvisuals.com, 1 +ocenilla.ml, 1 +ocenilla.tk, 1 +ocenka-msfo.ru, 1 +ocenka-nedv.ml, 1 +ocenka.tk, 1 +ocennaswgoogle.pl, 1 +ocf.io, 1 +ocfelections.gov, 1 +ocg-card.com, 1 +ochaken.cf, 1 +ochatoosenbei.tk, 1 +ochemindessens.com, 1 +ochioneta.es, 1 +ochki-linzi.tk, 1 +ochobeatsmedia.net, 1 +ochotnicky.com, 1 +ochrepoint.com.au, 1 +ochsenfeld-design.de, 1 +ochsenfeld-fotografie.de, 1 +ochsenfeld.co, 1 +ochsundjunior.ch, 1 +ochsundjunior.swiss, 1 +ochutnejitalii.cz, 1 +ociaw.com, 1 +ocimumcdn.net, 1 +ockendenhemming.co.uk, 1 +oclausen.com, 1 +ocloudhost.com, 1 +oclube.online, 1 +ocmlng.com, 1 +ocmw.gent, 1 +ocmwgent.be, 1 +ocni-ambulance-most.cz, 1 +ocnjapartment.com, 1 +ocnjdaily.com, 1 +ocodo.ru, 1 +ocolere.ch, 1 +oconlakewi.gov, 1 +ocontocountywi.gov, 1 +ocotg.com, 1 +ocponj.gov, 1 +ocprintgraphics.gov, 1 +ocqueoctwpmi.gov, 1 +ocsamochodu.pl, 1 +ocsan.gov, 1 +ocsbl.at, 1 +ocsbl.blog, 1 +ocsbl.ch, 1 +ocsbl.cloud, 1 +ocsbl.co.uk, 1 +ocsbl.com, 1 +ocsbl.consulting, 1 +ocsbl.de, 1 +ocsbl.fr, 1 +ocsbl.group, 1 +ocsbl.info, 1 +ocsbl.link, 1 +ocsbl.media, 1 +ocsbl.net, 1 +ocsbl.network, 1 +ocsbl.nl, 1 +ocsbl.online, 1 +ocsbl.org, 1 +ocsbl.shop, 1 +ocsbl.social, 1 +ocsbl.tech, 1 +ocsbl.uk, 1 +ocsc.pro, 1 +ocsnet.com, 1 +octagon.institute, 1 +octal.es, 0 +octane.co, 1 +octane.net.au, 1 +octanio.com, 1 +octarine.cc, 1 +octarineparrot.com, 1 +octav-avocats.fr, 1 +octav.name, 1 +octavia.net, 1 +octaviorojas.tk, 1 +octaviosimon.com, 1 +octo.im, 1 +octobered.com, 0 +octocaptcha.com, 1 +octod.tk, 1 +octodex.ru, 1 +octoeverywhere.com, 1 +octofox.de, 1 +octohedralpvp.tk, 1 +octolopagon.games, 1 +octopoos.com, 1 +octopoos.org, 1 +octopub.tk, 1 +octopus-apps.be, 1 +octothorpe.club, 1 +octothorpe.ninja, 1 +octovpn.com, 1 +ocufekojip.ga, 1 +ocularsolution.com, 1 +oculta.ml, 1 +oculus.com, 1 +ocunclaimed.gov, 1 +ocuuc.org, 1 +ocvote.gov, 1 +ocwr.gov, 1 +ocydias.tk, 1 +odabilocal.com, 1 +odatakao.com, 1 +oday.org, 1 +odbierzspozywke.pl, 1 +odbtomsk.ru, 1 +odd17.org, 1 +oddfellowwellness.com, 1 +oddformrecords.tk, 1 +oddintely.com, 1 +oddity.tk, 1 +oddlama.org, 1 +oddmouse.com, 0 +oddmuse.org, 1 +oddnumber.ca, 1 +oddoo.net, 1 +oddsandevens.ca, 1 +oddsandevensbookkeeping.ca, 1 +oddscasino.top, 1 +oddsmoneyers.ga, 1 +oddsnet.com, 1 +oddsseeker.com, 1 +oddtime.net, 0 +oddtoes.com, 1 +ode.red, 0 +odedigitale.marketing, 1 +odegua.com, 1 +odejdamoda.tk, 1 +odeliabridal.com, 1 +odensc.com, 1 +odensc.me, 1 +odenvilleal.gov, 1 +odeonentertainment.co.uk, 1 +odesigning.com, 1 +odessalove.tk, 1 +odete.com.br, 1 +odezdaotto.tk, 1 +odhosc.ca, 1 +odiall.co, 1 +odiall.tk, 1 +odiamoselregeton.tk, 1 +odifi.com, 1 +odigitalmarketing.com.br, 1 +odij.nl, 1 +odijmond.nl, 1 +odinpl.com, 1 +odinraz.ga, 1 +odinseye.net, 1 +odinson.tk, 1 +odisealinux.com, 1 +odishainfo.tk, 1 +odishassc.in, 1 +odishatv.in, 1 +odisseo.io, 1 +odlicomul.ga, 1 +odnostranichnik.tk, 1 +odo-pro.ru, 1 +odo.online, 1 +odonata-editions.fr, 1 +odonti.com, 1 +odontoguia.co, 1 +odontologiawilliampizarro.com, 1 +odoo.co.th, 1 +odoppelto.de, 1 +odoranswers.com, 1 +odoru.ga, 1 +odorucinema.ga, 1 +odosblog.de, 1 +odpikedoslike.com, 1 +odsylvie.cz, 1 +odtu.lu, 1 +oducs.org, 1 +odvps.com, 0 +odxin.com, 1 +odysea.cat, 1 +odyso.org, 1 +odyssee-animation.tk, 1 +odyssey44.com, 1 +odysseyofthemind.eu, 1 +odzyskiwanie.biz, 1 +odzywianie.info.pl, 1 +oe-it.ru, 1 +oe.ink, 1 +oe0fcdncxjpdd05b.myfritz.net, 1 +oea.gov, 1 +oec-music.com, 0 +oecdpisaforschools.org, 1 +oecherrezepte.duckdns.org, 1 +oedeemboek.nl, 1 +oegd.at, 1 +oeh.ac.at, 1 +oeilpouroeilcreations.fr, 0 +oeko-bundesfreiwilligendienst-sh.de, 1 +oeko-bundesfreiwilligendienst.de, 1 +oeko-jahr-jubilaeum.de, 1 +oeko-jahr.de, 1 +oelbilder-oelmalerei.de, 1 +oelsner.net, 1 +oemdealsers.ga, 1 +oemparcacim.com, 1 +oemspace.net, 1 +oemwolf.com, 1 +oen.tw, 1 +oeno.link, 1 +oenolab-vidalies.com, 1 +oermen.com, 1 +oertle.tk, 1 +oessi.eu, 1 +oettig.de, 1 +oetzies-quiz.com, 0 +of-sound-mind.com, 1 +of2106.dnsalias.org, 1 +of2m.fr, 1 +ofa.org, 1 +ofallonil.gov, 1 +ofaqim.city, 1 +ofasoft.com, 1 +ofb.uz, 1 +ofcampuslausanne.ch, 0 +ofelia.tk, 1 +ofertasadsl.com, 1 +ofertastop.es, 1 +ofertino.es, 1 +ofertolino.fr, 1 +off-festival.pl, 1 +off-rabota.tk, 1 +off.net.mk, 1 +offbeat-music.com, 1 +offbeatbeats.com, 0 +offbeatbits.com, 0 +offbyinfinity.com, 1 +offcasesstore.com, 1 +offenekommune.de, 1 +offenes-deutschland.de, 1 +offensity.com, 1 +offentligsektormedmoln.se, 1 +offeo.com, 1 +offer-today.ml, 1 +offerhome.com, 1 +offermagnet.co, 0 +offermann-koeln.de, 1 +offers-daraghmehstores.com, 1 +offers.jp, 1 +offgamers.com, 1 +offgames.io, 1 +offgridauto.com, 1 +office, 1 +office-addins.com, 1 +office-aslabo.com, 1 +office-basilique.notaires.fr, 1 +office-de-tourisme.net, 0 +office-dolmetscher-scharnagl.de, 1 +office-furniture-direct.co.uk, 1 +office-house.tk, 1 +office-mizutani.jp, 1 +office-op.tk, 1 +office-ruru.com, 1 +office.urown.cloud, 1 +office2s.com, 1 +office365-apps.com, 1 +office365.us, 1 +officecode.co.uk, 1 +officedivvy.co, 1 +officedivvy.com, 1 +officedivvy.company, 1 +officeefficient.de, 1 +officeface.cf, 1 +officeforstudents.org.uk, 1 +officefundays.co.uk, 1 +officeguide.cz, 1 +officeinteriors.co.nz, 1 +officemaps.net, 1 +officemovepro.com, 1 +officepie.pro, 1 +officerjones.tk, 1 +officert.ga, 1 +official-sensitive.org, 1 +official.link, 1 +official.my, 1 +officialdubaidev.com, 1 +officialhazalturesan.tk, 1 +officialmc2.com, 1 +officialniledevelopments.com, 1 +officialpyramids.com, 1 +officialsunset.com, 1 +officialzzstore.com, 1 +officina.roma.it, 1 +officina.tk, 1 +officium.tech, 1 +offis.de, 0 +offlineauthentication.com, 1 +offpages.cf, 1 +offpages.gq, 1 +offpages.ml, 1 +offpageseopro.tk, 1 +offroadhoverboard.net, 1 +offshoot.rentals, 0 +offshoredaddy.com, 1 +offshoremoney.tk, 1 +offshoretravelsest.ga, 1 +offshorewfs.com, 1 +offshorewindwatchdog.com, 1 +offspringmexico.tk, 1 +offspringzero.tk, 1 +offtherails.ie, 1 +offtheshelf.com, 1 +offtopica.uk, 0 +offworld.com, 1 +ofggolf.com, 1 +oficinadanet.com.br, 1 +oficios.cl, 1 +oficoex.es, 1 +oficomercr.com, 0 +ofileo.fr, 1 +ofina.on.ca, 1 +ofis.tk, 1 +ofisas.cloud, 1 +ofisescort.ga, 1 +ofisescort.tk, 1 +ofkodasplace.nl, 1 +oflow.me, 0 +ofo.moe, 1 +ofo2.com, 0 +ofogh.co, 1 +oformi.net, 1 +oformit-zajm-kruglosutochno.ga, 1 +oformlaj.ga, 1 +ofpad.com, 1 +ofrion.lu, 1 +ofs-28.com, 1 +ofsetas.lt, 1 +oftamedic.com, 0 +oftn.org, 1 +ofuquemalitaestoy.tk, 1 +og-chemistry.ru, 1 +oga.fit, 0 +ogamerezine.tk, 1 +ogarkovo.ml, 1 +ogcloud.io, 1 +ogcurated.com, 1 +ogdensburgnj.gov, 1 +oge.ch, 0 +oge.gov, 1 +ogfarms.in, 1 +oggw.us, 1 +oggyp.com, 1 +ogilvy.com, 1 +ogis.gov, 1 +ogkw.de, 1 +oglebay.com, 1 +oglecountyil.gov, 1 +oglen.ca, 1 +oglesbyil.gov, 1 +oglix.com.br, 1 +ogmworld.tk, 1 +ognedoor.ru, 0 +ognemet.net, 1 +ognyan.tk, 1 +ogo-knigi.ml, 1 +ogogo-knigi.ml, 1 +ogolnotematyczny.pl, 1 +ogorod-money.tk, 1 +ogorodnik.guru, 1 +ogorodoved.info, 1 +ogot.org, 1 +ogoulems.com, 1 +ogrencimerkezi.org, 1 +ogrenciyurtlari.tk, 1 +ogretmenimsanat.com, 0 +ogui.de, 1 +ogunquit.gov, 1 +ogurishun.tk, 1 +ogurus.com, 1 +oguya.ch, 1 +ogyaa.jp, 0 +ogznet.com, 1 +oh-my-lash.nl, 1 +oh14.de, 0 +ohai.is, 1 +ohai.social, 1 +ohai.su, 1 +ohako-inc.jp, 1 +oharas.fr, 1 +ohartl.de, 1 +ohayosoro.me, 1 +ohbabybean.com, 1 +ohcanvas.com, 1 +ohchouette.com, 1 +ohcomassagechairs.com, 1 +oheila.com, 1 +ohentpay.com, 1 +ohglowup.nl, 1 +ohhappy.win, 1 +ohifonly.com, 0 +ohioag.gov, 1 +ohioago.gov, 1 +ohiobrewweek.com, 1 +ohiobusinesscentral.gov, 1 +ohioflockcote.com, 1 +ohiosos.gov, 1 +ohiostateparks.gov, 1 +ohiot21.gov, 1 +ohiotobacco21.gov, 1 +ohiowebtech.com, 1 +ohling.org, 1 +ohlmeier.com, 1 +ohm.sg, 1 +ohmanager.kr, 1 +ohmayonnaise.com, 1 +ohmy.ca, 1 +ohmydish.nl, 1 +ohmygeekettes.fr, 1 +ohmymalware.com, 1 +ohmyunix.com, 1 +ohne-name.de, 1 +ohnonotme.com, 0 +ohol.se, 1 +ohoreviews.com, 1 +ohrange-music.tk, 1 +ohreally.de, 1 +ohrus.mx, 1 +ohsohairy.co.uk, 1 +ohtoy.com, 1 +ohverynice.ml, 1 +ohwatch.co.za, 1 +ohydne.pl, 1 +ohyooo.com, 1 +ohype.ga, 1 +ohype.gq, 1 +oi-wiki.org, 1 +oiahe.org.uk, 1 +oiaposta.com, 1 +oidrava.tk, 1 +oiepoie.nl, 0 +oikontroloi.tk, 1 +oikosweb.com, 1 +oil-heaters.tk, 1 +oilfieldinjury.attorney, 1 +oilman.ml, 1 +oilpaintingsonly.com, 1 +oilsan.com, 1 +oilx.co.uk, 1 +oilyouneed.co.id, 1 +oimexico.tk, 1 +oinimod.com, 1 +oinky.ddns.net, 1 +oirealtor.com, 1 +oirnoir.gq, 1 +oirnoir.ml, 1 +ois.dk, 1 +oisabre.com, 1 +oisd.nl, 1 +oiseauxdesjardins.tk, 1 +oita-homes.com, 1 +oitaven.es, 1 +oiwe.info, 1 +ojapanesetea.ca, 1 +ojdip.net, 1 +ojee.nic.in, 1 +ojjdp.gov, 1 +ojk.ee, 0 +ojp.gov, 1 +ok-travel.tk, 1 +ok.ru, 1 +ok118.com, 1 +ok2a.org, 1 +ok3on.cz, 1 +okachimachi-naka-clinic.jp, 1 +okaidi.es, 1 +okaidi.fr, 1 +okaidi.ro, 1 +okaidi.si, 1 +okami-no-tochi.com, 1 +okanaybek.tk, 1 +okashi.me, 1 +okay.cf, 1 +okay.coffee, 1 +okayloser.com, 1 +okazoo.eu, 1 +okburrito.com, 1 +okcasino.ga, 1 +okchousebuyer.com, 1 +okeechobeecountyfl.gov, 1 +okeepixels.ru, 1 +okelections.gov, 1 +okemahok.gov, 1 +okeydeyim.com, 1 +okhanvatansever.tk, 1 +okhrana.agency, 1 +okib.ca, 1 +okiefrog.org, 1 +okinawa-mag.net, 1 +okinawa-seaside.com, 1 +okinawan-lyrics.com, 1 +okinext.com, 1 +okiram.net, 1 +okis.win, 1 +okkhor52.com, 1 +okkultemysterier.tk, 1 +okkur.community, 1 +okkur.dev, 1 +okkur.io, 1 +okkur.net, 1 +okkur.org, 1 +okkur.team, 1 +okkurlabs.com, 1 +oklahomaced3.gov, 1 +oklahomafibroids.com, 1 +oklahomamoversassociation.org, 1 +oklahomanotepro.com, 1 +oklahomasoftwaresolutions.com, 1 +oklahomaworkstogether.gov, 1 +okmaybe.ca, 1 +okmirror.net, 1 +okmulgeecounty.gov, 1 +okmx.cloud, 1 +okmx.de, 1 +okmzt.com, 1 +okna-tm.kz, 0 +okna-vek.com.ua, 1 +okna.ua, 1 +oknakz-astana.kz, 1 +oknavdom.tk, 1 +oknopvh.ml, 1 +okobojitech.com, 1 +okokorecepten.nl, 1 +okonto.com, 1 +okosg.kr, 1 +okotelecom.ml, 1 +okpo.tk, 1 +okqubit.net, 1 +okr.pub, 1 +okremarketing.com, 1 +okrodrigo.com, 1 +oksafe-t.org, 1 +oksanakazakova.tk, 1 +oksichemk.com, 1 +okskoleni.cz, 1 +oksystem.cz, 1 +oktava.tk, 1 +oktave.co, 1 +oktaybozaci.com, 1 +oktayincesuturizm.com, 1 +oktime.cz, 1 +oktober.tk, 1 +oktoplus.com.br, 1 +oktos.tk, 1 +oktour.ca, 1 +oktransportation.gov, 1 +okubo-shika.jp, 1 +okuguchihifuka-clinic.com, 1 +okukan.com.au, 1 +okulistiyoruz.tk, 1 +okurapictures.com, 1 +okusiassociates.com, 1 +okv.de, 1 +okviz.com, 1 +okwine.ua, 1 +okwu.cz, 1 +ola.finance, 1 +olacatlitter.com, 1 +olafnorge.de, 1 +olafvantol.nl, 1 +olafwalther.de, 1 +olamagri.com, 1 +olamgroup.com, 1 +olamiccutlery.com, 1 +olamisys.com, 1 +olamisys.email, 1 +olamisys.xyz, 1 +olaradio.tk, 1 +olasderisa.tk, 1 +olasouris.com, 0 +olastrafford.org, 1 +olatiferreira.com, 1 +olax.tk, 1 +olb.de, 1 +olbat.net, 1 +olcayanar.com, 1 +olcbrookhaven.org, 1 +old-computer-club.ml, 1 +old-times.ga, 1 +old-tomsk.tk, 1 +old-wheelers.tk, 1 +oldaine.tk, 1 +oldbkcom.tk, 1 +oldbones.tk, 1 +oldbrookinflatables.co.uk, 1 +oldbrookmarqueehire.co.uk, 1 +oldcars.tk, 1 +oldcastle.tk, 1 +oldcc.gov, 1 +oldcity.tk, 1 +oldcitysmokehouse.com, 1 +oldcold.co, 1 +olddisk.ml, 1 +olddragon.com.br, 1 +oldemilllandinghoa.com, 1 +oldenzaal.tk, 1 +older-racer.com, 1 +oldertarl.ddns.net, 1 +olderwomanpics.com, 1 +oldfarming.tk, 1 +oldfieldmusic.tk, 1 +oldfriends.tk, 1 +oldhouse.tk, 1 +oldhousetonewhome.net, 1 +oldiesmusicguide.tk, 1 +oldiesradio.tk, 1 +oldinnpub.tk, 1 +oldita.ru, 1 +oldliverpoolrailways.tk, 1 +oldonyosafaris.com, 1 +oldpc.com.ua, 1 +oldports.org, 1 +oldriver.tk, 1 +oldroadswhippets.tk, 1 +oldrun.is, 1 +oldrup.art, 1 +oldrup.dk, 1 +oldrup.net, 1 +oldscans.tk, 1 +oldschool-criminal.com, 1 +oldschool.wiki, 1 +oldshara.tk, 1 +oldskoolreviews.tk, 1 +oldspice.com, 1 +oldsql.tk, 1 +oldsticker.com, 1 +oldstmary.com, 1 +oldtacomamarine.com, 1 +oldtavern.tk, 1 +oldtimer.tk, 1 +oldtimerclub.tk, 1 +oldtimerparts.de, 0 +oldtimerreifen-moeller.de, 1 +oldtimers.tk, 1 +oldtimesecurity.tk, 1 +oldtowntownship-il.gov, 1 +oldtoystuff.com, 1 +oldvaliken.tk, 1 +oldvps.com, 0 +olea.pk, 1 +oleam.org, 1 +olecoin.io, 1 +oleg.loan, 1 +olegchursin.com, 0 +olegon.ru, 1 +oleksandr-petrusenko.com, 1 +oleksii.name, 0 +olemon.eu.org, 1 +olenergie.com, 1 +olenergie.fr, 1 +olenergies.com, 1 +olenergies.eu, 1 +olenergies.fr, 1 +olennolla.fi, 1 +olennolla.net, 1 +oleodecopayba.com.br, 1 +olepiraatti.fi, 1 +olerogas.xyz, 1 +oles-hundehaus.de, 1 +olesaradio.tk, 1 +olevoitalia.com, 1 +olffi.com, 1 +olfnewcastle.com, 1 +olfsecane.org, 1 +olgallery.tk, 1 +olgamalytcheva.com, 1 +olgamilosevic.edu.rs, 1 +olgapankova.art, 1 +olgaserebrennikova.tk, 1 +olgcc.net, 1 +olgui.net, 0 +olgun.eu, 1 +olhcparish.net, 1 +olibarcenas.es, 0 +olidetrim.com, 1 +oliebollenbakservice.nl, 1 +olifant.fr, 0 +oligenesi.it, 1 +olightstore.ro, 1 +olihar.com, 1 +olimpicmoradebre.tk, 1 +olimpikfit.com, 1 +olimpoao.tk, 1 +olinux.fr, 1 +oliode.tk, 1 +olisius.com, 1 +olitham.com, 1 +olive.my, 1 +oliveandcompany.com, 1 +olivedon.com, 1 +olivejs.com, 1 +oliveoil.bot, 1 +oliveoil.pro, 1 +oliveoilschool.org, 1 +oliveoilshop.com, 1 +oliveoiltest.com, 1 +oliveoiltimes.com, 1 +oliver-wenz.de, 1 +oliverclark.tk, 1 +oliverclausen.com, 1 +oliverdunk.com, 0 +olivereats.ca, 1 +oliverfaircliff.com, 1 +oliverflecke.me, 1 +oliverjoss.com, 1 +oliverlanguages.com, 1 +olivernaraki.com, 1 +oliverniebuhr.de, 1 +oliverspringer.eu, 1 +oliverswindles.com, 1 +oliverwenz.de, 1 +olives.my, 1 +olivetbgc.org, 1 +olivetchurch.org.uk, 0 +olivetownship-mi.gov, 1 +olivia.cf, 1 +olivialufkin.tk, 1 +olivier-giroud.tk, 1 +olivier-rochet.com, 1 +olivier-verbois.fr, 1 +olivierberardphotographe.com, 0 +oliviercreation.tk, 1 +olivierdurand.tk, 1 +olivierpieters.be, 1 +oliviervaillancourt.com, 1 +olivinehoney.com.au, 1 +olivlabs.com, 1 +oljyakatemia.fi, 1 +olk9mo.com, 1 +olkywade.com, 1 +ollerom.com, 1 +ollerom.nl, 1 +ollie.io, 1 +ollielloyd.tk, 1 +ollieowlsblog.com, 1 +ollies.cloud, 1 +ollies.cz, 1 +olliespage.com, 1 +olliespage.net, 1 +olliespage.uk, 1 +ollietoys.com, 1 +ollning.com, 1 +ollo.ga, 1 +olltechjob.com, 1 +olmari.fi, 1 +olmc-nutley.org, 1 +olmcjc.com, 1 +olmcnewark.com, 1 +olmecaaltos.com, 1 +olmet.pl, 1 +olmik.net, 1 +olmportal.com, 1 +olmsted.io, 1 +olmstedcounty.gov, 1 +olmstedtownshipohio.gov, 1 +oloadvid.tk, 1 +olofly.com, 1 +olofsson.cc, 1 +ololmke.org, 1 +olomercy.com, 1 +olopp.org, 1 +olphseaside.org, 1 +olqoa.org, 1 +olschurch.com, 1 +olsen-town.tk, 1 +olsenban.de, 1 +olshop.ai, 1 +olson25.org, 0 +olsonproperties.com, 1 +oluchiedmundmusic.com, 1 +oludeniz.tk, 1 +olustvere.edu.ee, 1 +olxa.tk, 1 +olxdir.tk, 1 +olydent.com, 0 +olyfed.com, 1 +olygazoo.com, 1 +olymp-arts.world, 1 +olympe-transport.fr, 1 +olymperfitness.com, 1 +olympia-blerick.tk, 1 +olympia-londerzeel.tk, 1 +olympiads.ca, 1 +olympiaduilawyers.com, 1 +olympiamanzanilla.tk, 1 +olympic-lodge.com, 1 +olympic-research.com, 1 +olympicfitness.com.mx, 1 +olympiclodge.com, 1 +olympiclodgebyayres.com, 1 +olymptrade.com, 1 +olympusx.co.za, 1 +om.yoga, 1 +oma-opa-enkel-urlaub.de, 0 +oma-opa-enkel.de, 0 +omaedu.ro, 1 +omag.gov, 1 +omaha.com, 1 +omaha.gov, 1 +omahachapterone.org, 1 +omahagutterandsiding.com, 1 +omaharoofpros.com, 1 +omahcoin.com, 1 +omal.info, 1 +omanair.com, 1 +omangrid.com, 1 +omanhr.cf, 1 +omanpost.om, 1 +omarans.com, 1 +omarflorist.com, 1 +omarh.net, 1 +omarhachach.com, 1 +omarhachach.net, 1 +omarhussien.tk, 1 +omarov.tk, 1 +omarpalos.com, 1 +omarsamarah.tk, 1 +omarsuniagamusic.ga, 1 +omart.org, 1 +omarzunic.com, 1 +omatoimi.fi, 1 +omatulevaisuus.fi, 1 +omaweetraad.nl, 1 +omaxe.tk, 1 +omayn.com, 1 +omb.gov, 1 +ombrazur.fr, 1 +ombregialle.it, 1 +omc-copiers.com, 1 +omedita.lt, 1 +omega-intranet.com, 1 +omegachess.tk, 1 +omegacode.pl, 1 +omegahosting.net, 1 +omegamc.ua, 1 +omegarazer.ca, 1 +omegathermoproducts.nl, 1 +omegleporn.to, 1 +omelectricnyc.com, 1 +omenprinting.com.au, 1 +omeopatiadinamica.it, 1 +omerdanismaz.com, 0 +omersalaj.com, 1 +omert.tk, 1 +omerta.tk, 1 +omertabeyond.com, 1 +omertabeyond.net, 1 +omestudios.tk, 1 +ometepeislandinfo.com, 1 +omexcables.com, 1 +omf.link, 1 +omfacialsurgery.com, 1 +omfmf.tk, 1 +omgbouncycastlehire.co.uk, 1 +omgit.works, 1 +omgpu.com, 1 +omgvaneyckwashere.be, 1 +omgvaneyckwashere.com, 1 +omgvaneyckwashere.eu, 1 +omgvaneyckwashere.gent, 1 +omhome.net, 1 +omicaorganics.com, 1 +omicawholesale.com, 1 +omicron3069.com, 1 +omid16b.com, 1 +omidfan.ir, 0 +omintmais.azurewebsites.net, 0 +omipicon.io, 1 +omira.pt, 1 +omitech.co.uk, 1 +omlpar.gov, 1 +ommam.com.br, 1 +ommcitalflex.com, 1 +omn.cc, 1 +omnama.it, 1 +omnel.ml, 1 +omngc.gov, 1 +omniaaerospace.com, 1 +omniaclubs.com, 1 +omniaintranet.com, 1 +omniaintranet.de, 1 +omniaintranet.dk, 1 +omniaintranet.se, 1 +omniarch.se, 0 +omniasl.com, 0 +omniatv.com, 1 +omniballot.us, 1 +omnibot.tv, 1 +omnicourt.jp, 1 +omnidiecasting.com, 1 +omnidigital.ae, 1 +omniflora.shop, 1 +omnifotoside.tk, 1 +omnifurgone.it, 1 +omniga.de, 0 +omnilert.net, 1 +omniscimus.net, 0 +omnisiens.se, 1 +omnisky.dk, 1 +omnissimmo.fr, 1 +omniteck.com, 1 +omnitrack.org, 1 +omnitrattore.it, 1 +omnits.pro, 1 +omny.info, 1 +omorashi.org, 1 +omoteura.com, 1 +omranic.com, 1 +omro-wi.gov, 1 +omroepbaarle.be, 1 +omroepvenray.nl, 1 +omronwellness.com, 1 +omshivalab.com, 1 +omsknews.tk, 1 +omskrock.com, 1 +omskweb.tk, 1 +omstars.com, 1 +omtcloud.jp, 1 +omundojornalismo.pt, 1 +omva.de, 1 +omveda.org, 1 +omxz8.com, 1 +on-air.today, 1 +on-find.com, 1 +on-networkers.cf, 1 +on-networkers.gq, 1 +on-networkers.ml, 1 +on-networkers.tk, 1 +on-running.com, 1 +on-state.com.ua, 1 +on-tandemdrive.com, 1 +on-tandemdrive.nl, 1 +on-targettrainingcourses.com, 1 +on-tech.co.uk, 1 +on-the-wave.com, 1 +on-tv.tk, 1 +on2it.net, 1 +on3.com, 1 +on3static.com, 1 +on5.co.id, 1 +on9.link, 1 +ona.io, 1 +onaboat.se, 1 +onaforums.com, 1 +onahonavi.com, 1 +onai.es, 1 +onair.ovh, 1 +onarto.com, 1 +onavstack.net, 1 +onbettertech.com, 1 +onbley.com.br, 1 +oncaagt.com, 1 +oncc.org, 1 +oncecocuklar.org.tr, 1 +oncemorearoundeternity.com, 1 +oncentive.io, 1 +onceuagain.tk, 1 +onceuponabow.org, 1 +onceuponachicken.com, 1 +onceuponarainbow.co.uk, 1 +oncf.asso.fr, 1 +onchclub.tk, 1 +onclouds.tech, 1 +oncore-eurofins.com, 1 +oncotarget.ru, 1 +ond-inc.com, 1 +ond-inc.jp, 1 +ondafc.es, 1 +ondajoven.tk, 1 +ondav.com, 1 +ondcp.gov, 1 +onde.xyz, 1 +ondeapostar.pt, 1 +ondemandassociate.com, 1 +onderka.com, 1 +onderwijscentrum.gent, 1 +onderwijscentrumgent.be, 1 +onderzoeksraad.nl, 1 +ondevamosjantar.com, 1 +ondiet.biz, 1 +ondoline.ch, 1 +ondoorgrond.tk, 1 +ondra05.cz, 1 +ondradoksy.com, 1 +ondrei.one, 1 +ondrej.org, 1 +ondrejhoralek.cz, 1 +ondrejsramek.cz, 1 +ondrejvasicek.cz, 1 +one-clue.com, 1 +one-cozmic.com, 1 +one-dot.de, 1 +one-host.ga, 1 +one-news.net, 0 +one-piece-fans.com, 1 +one-pixel.tk, 1 +one-resource.com, 1 +one-s.co.jp, 1 +one-tab.com, 1 +one24exp.com, 1 +one3oneapartments.com, 1 +one6688.com, 0 +oneaftac.gov, 1 +oneandfree.org.au, 1 +oneapi.io, 1 +oneartyminute.com, 1 +oneazcu.com, 0 +onebanc.ai, 1 +onebelo.tk, 1 +onebigcow.com, 1 +onebiz.tk, 1 +oneblinc.com, 1 +oneblock.fr, 1 +onebookstore.ml, 1 +onebreadcrumb.com, 1 +onebreadcrumb.com.au, 1 +onecarsource.com, 1 +onecharge.biz, 1 +onechoice.co.nz, 1 +onechronos.com, 1 +oneclick.accountant, 1 +oneclick2books.cf, 1 +oneclickbooks.gq, 1 +oneclickbooks.ml, 1 +oneclickjailbreak.com, 1 +oneclickmoney.cf, 1 +oneclickmoney.ml, 1 +oneclickmoney.tk, 1 +oneclub.ua, 1 +onedaygrandcanyonrafting.com, 1 +onedeal.com.ua, 1 +onedevonshireplace.co.uk, 1 +onediversified.com, 1 +onedoc.ch, 1 +onedot.nl, 1 +onedrive.com, 0 +onee3.org, 1 +oneearthsacredarts.com, 1 +oneem.tk, 1 +oneest.com, 1 +onefabday.com, 1 +onefamily.com, 1 +onefestivalplaza.com.au, 1 +onefestivaltower.au, 1 +onefestivaltower.com, 1 +onefestivaltower.com.au, 1 +onefile.tk, 1 +onefinitee.in, 1 +onefish.cc, 1 +onefocusapp.com, 1 +onefour.ga, 1 +onegeeks.org, 1 +onegroup.ua, 1 +onehealthbehaviors.org, 1 +oneheartbali.church, 0 +onehorizon.it, 1 +onehost.blue, 1 +onehost.kz, 0 +oneidacityny.gov, 1 +oneidacountywi.gov, 1 +oneindex.tk, 1 +oneiroi.co.uk, 1 +oneirosociety.tk, 1 +onekey.so, 1 +onekeycn.com, 1 +oneless.tk, 1 +onelifenutrition.co.uk, 1 +onelinkbpo.com, 1 +onemeter.com, 1 +onemindmedicinals.com, 1 +oneminute.io, 0 +onemix.me, 1 +onemodel.com.au, 1 +onemodel.us, 1 +onemonthcamera.tk, 1 +onemoonmedia.de, 1 +onenetcdn.com, 1 +onenetwork.com, 1 +onenetwork.io, 1 +oneoncology.com, 1 +oneone.moe, 1 +oneonemedia.tk, 1 +oneononeonone.de, 1 +oneononeonone.tv, 1 +onepeloton.ca, 1 +onepeloton.co.uk, 1 +onepeloton.com, 1 +onepersona.io, 1 +onepieceplayer.com, 1 +oneplaykh.com, 1 +onepluscamps.com, 0 +onepointsafeband.ca, 1 +onepointsafeband.com, 1 +onepointzero.com, 1 +onepotliving.com, 1 +oneprediction.com, 1 +onerivermedia.com, 1 +ones.buzz, 1 +onescience.tk, 1 +oneshotmediakc.com, 1 +oneso.win, 1 +onespan.com, 0 +onespiritinc.com, 1 +onesportslive.com, 1 +onestarclassics.com, 1 +onestasolar.com, 1 +onestepbooks.gq, 1 +onestepbooks.ml, 1 +onestopcastles.co.uk, 1 +onestopmedicalsupplies.com, 1 +onestopshop.ml, 1 +onestpasdesanges.fr, 1 +onet.co.jp, 1 +onetakeonehit.tk, 1 +onetap.com, 1 +onetcenter.org, 1 +onetcodeconnector.org, 1 +onetech.it, 1 +oneteg.com, 1 +onetestatatime.com, 1 +onetimegallery.com, 1 +onetly.com, 1 +onetonline.org, 1 +onetouchreveal.com, 1 +onetouchrevealplus.com, 1 +onetouchtour.com, 1 +onetown.gq, 1 +onetranslations.com.br, 1 +onetrust.com, 1 +onets.es, 1 +onetwentyseven001.com, 1 +onetwo-vermietung.de, 1 +onetwosweetatelier.com, 1 +oneupchocolatebars.com, 1 +oneurl.co, 1 +oneway.ga, 1 +oneweb.hu, 1 +onewebdesign.nl, 0 +onewebdev.info, 1 +onewhim.com, 1 +onewyo.gov, 1 +onex.bet, 1 +onezero24.net, 1 +onfaloc.tk, 1 +onfilm.tk, 1 +onfleet.com, 1 +onformative.net, 1 +ong.or.at, 1 +ongea.io, 1 +ongelukvandaag.nl, 1 +ongewenstretour.nl, 1 +ongiaenegogoa.com, 1 +onglobetrotter.com, 1 +ongoal.gr, 1 +onguardonline.gov, 1 +onhistory.co.uk, 1 +onhub1.com, 1 +oni.nl, 1 +onibolt.com, 1 +onice.ch, 1 +onicore.cf, 1 +onidesign.tk, 1 +onilacare.com, 1 +onimaodonto.com.br, 1 +oninpresento.ga, 1 +onionbot.ga, 1 +onionbot.me, 1 +onionflix.net, 1 +onionplay-network.stream, 1 +onionplay.co, 1 +onionplay.org, 1 +onionshare.org, 1 +onionsocial.com, 1 +onionyst.com, 1 +oniria.ch, 0 +oniriamultimedia.com, 1 +onirik-studio.com, 1 +oniuq.com, 1 +onix.eu.com, 1 +onixcco.com.br, 1 +onkfaktor.de, 1 +onkologiya.ga, 1 +onkyousa.com, 1 +onld.de, 1 +onlfait.ch, 0 +onlifehealth.com, 1 +online-audio-converter.com, 1 +online-bookmakers.ru, 1 +online-bouwmaterialen.nl, 1 +online-calculator.com, 1 +online-calculator.xyz, 1 +online-car-show.com, 1 +online-carhire.tk, 1 +online-casino.eu, 1 +online-clothing-store.tk, 1 +online-concepts.net, 1 +online-concepts.nl, 1 +online-consulting-corp.com, 1 +online-content.ru, 1 +online-diary.tk, 1 +online-divorce.co.za, 1 +online-eikaiwa-guide.com, 1 +online-english.tk, 1 +online-fix.me, 1 +online-health-insurance.com, 1 +online-heldin.de, 1 +online-jobs.cf, 1 +online-learning.bg, 1 +online-lernprogramme.de, 1 +online-mobile-phone-shop.tk, 1 +online-news-usa.tk, 1 +online-one-piece.com, 1 +online-pochta.ml, 1 +online-pr.at, 1 +online-series.ru, 1 +online-shop-equipment.tk, 1 +online-sql-editor.com, 1 +online-stopwatch.com, 1 +online-store-phones.tk, 1 +online-taxes.tk, 1 +online-tesis.com, 1 +online-textil.com, 1 +online-textil.cz, 1 +online-textil.sk, 1 +online-umwandeln.de, 1 +online-video-cutter.com, 1 +online-voice-recorder.com, 1 +online-wedding.site, 1 +online-wholesalers.com, 1 +online-xxxmovies.com, 1 +online.forum, 1 +online.marketing, 1 +online.net.gr, 1 +online.swedbank.se, 1 +online24.pt, 1 +online365.ga, 1 +onlineairlinesbooking.com, 1 +onlinebewerbungsserver.de, 1 +onlinebiller.com, 1 +onlinebillingform.com, 1 +onlinebookmarks.tk, 1 +onlinebrides.tk, 1 +onlinebs.tk, 1 +onlinebupropion.gq, 1 +onlinebusiness.law, 1 +onlinecannabiseducation.com, 1 +onlinecarstyling.nl, 1 +onlinecasinoerdk.com, 1 +onlinecasinoknowhow.com, 1 +onlinecasinokoning.com, 1 +onlinecasinos.vlaanderen, 1 +onlinecasinoselite.org, 1 +onlinecasinosportugal.pt, 1 +onlinecasinotrend.nl, 1 +onlinechallenge.nl, 1 +onlinecollegeessay.com, 1 +onlinecosmeticsstore.tk, 1 +onlinecounselingprograms.com, 1 +onlinecrafts.tk, 1 +onlinedapoxetina.gq, 1 +onlinedivorce.com, 1 +onlinedivorce.lawyer, 1 +onlinedoctors24.com, 1 +onlinefabricstore.com, 1 +onlinefashion.it, 1 +onlinefloridadivorce.com, 0 +onlinefurniture.us, 1 +onlinegallery.cf, 1 +onlinegames4free.tk, 1 +onlinegamesforgirls.tk, 1 +onlinegeeks.ru, 1 +onlineglassesreview.com, 1 +onlinehartha.com, 1 +onlinehashfollow.com, 1 +onlinehsa.com, 1 +onlinehypermarket.ru, 1 +onlineinfo.freesite.host, 1 +onlineinfographic.com, 1 +onlineinsurancetips.ga, 1 +onlinejobs.ga, 1 +onlinekansspel.cf, 1 +onlinekansspel.tk, 1 +onlinekasino.de, 1 +onlinekmc.com, 1 +onlineknighki.ga, 1 +onlinekocunuz.com, 1 +onlinekreditmitsofortzusage.com, 1 +onlinelegalmarketing.com, 1 +onlinelegalmedia.com, 1 +onlineloansnocreditcheck.tk, 1 +onlinemag24.com, 0 +onlinemagento.com, 1 +onlinemarketfinds.cf, 1 +onlinemarketingmuscle.com, 1 +onlinemarketingtraining.co.uk, 1 +onlinembapage.com, 1 +onlinemediamasters.com, 1 +onlinemedicalassistantprograms.net, 1 +onlinemphdegree.net, 1 +onlinemswprograms.com, 1 +onlinenewspaperclassifieds.com, 1 +onlineordersnow.com, 1 +onlineorto.com, 1 +onlinepay.tk, 1 +onlinepaydayloans365.tk, 1 +onlineplay.ml, 1 +onlinepokies.me, 1 +onlineporno.cc, 1 +onlineprogrammingbooks.com, 1 +onlinepsychologydegrees.com, 1 +onlineradio.com.pl, 1 +onlineradio.pp.ua, 1 +onlineradiobr.com, 1 +onlineradious.com, 1 +onlinescams.uk, 1 +onlineschipaanpak.nl, 1 +onlinesearningstips.ga, 1 +onlinesellingexperiment.com, 1 +onlineseminar.com, 1 +onlineseminar.es, 1 +onlineseminar.nl, 1 +onlineservisprogrami.com, 1 +onlineshop-helgoland.de, 1 +onlineshopsatkhira.tk, 1 +onlinesitereviews.com, 1 +onlinesorusor.cf, 1 +onlinespielcasino.de, 1 +onlinesports.cf, 1 +onlinesports.tk, 1 +onlinestatic.net, 0 +onlinestoresite.com.au, 1 +onlinesudoku.tk, 1 +onlinesurveys.ac.uk, 1 +onlinesystem.jp, 1 +onlinetadacip.gq, 1 +onlinetextil.cz, 1 +onlineth.com, 1 +onlinetntj.com, 1 +onlinevardenafil.gq, 1 +onlineveilingmeester.nl, 1 +onlineverdict.com, 1 +onlineverdienen.tk, 1 +onlinevergidanismani.com, 1 +onlineviewers.tk, 1 +onlinevisa.ru, 1 +onlinevoting.tk, 1 +onlinewallpapers.tk, 1 +onlineweblearning.com, 1 +onlineworkshops.tk, 1 +onlinewot.ru, 1 +onlinews.ml, 1 +onlinexl.nl, 1 +onlineyearbook.tk, 1 +onlineyos.ru, 1 +onlinezaim.ml, 1 +only.bible, 1 +only.lc, 1 +only3x.com, 1 +only4free.tk, 1 +onlybestporn.com, 1 +onlybooks.gq, 1 +onlycrumbsremain.com, 1 +onlyesb.net, 1 +onlyfans.com, 1 +onlyfans.love, 1 +onlyfitgear.com, 1 +onlyincentivesest.ga, 1 +onlyjedis.com, 1 +onlyjesus.net, 1 +onlylithiumhere.gq, 1 +onlylovastatin.gq, 1 +onlymammoths.com, 1 +onlymyenglish.com, 1 +onlysergio.com, 1 +onlysmoker.com, 1 +onlystars.news, 1 +onlystay.ga, 1 +onlyu.eu, 1 +onlyveg.tk, 1 +onlyvintagewatches.com, 1 +onmaps.de, 1 +onmaru.com, 1 +onmyside.com, 1 +onnatuurlijk.tk, 1 +onnee.ch, 1 +onodera.com.br, 1 +onoelixir.gr, 1 +onohawaiianbbq.com, 1 +onondaga.gov, 1 +ononoki.org, 1 +onoranze-funebri.biz, 1 +onore.org, 1 +onospancakehouse.com, 1 +onoticiado.com.br, 1 +onourwifi.com, 0 +onoweb.be, 1 +onpatient.com, 1 +onpaws.com, 1 +onpay.io, 1 +onpermit.net, 1 +onpointinsights.us, 0 +onpointplugins.com, 1 +onpopup.ga, 1 +onporn.fun, 1 +onrampwallet.com, 1 +onrealt.ru, 0 +onrr.gov, 1 +onsemediagroup.ml, 1 +onsenlaichelesdoigts.be, 1 +onsetupdates.com, 1 +onsinscrit.com, 1 +onsite4u.de, 1 +onsitespeedometer.com, 1 +onslaughtstreetboarding.tk, 1 +onslowsheriffnc.gov, 1 +onsoppad.nl, 1 +onspring.com, 1 +onstat.tk, 1 +onsudoku.com, 1 +onsweb.nl, 1 +ontargetsystem.ru, 1 +ontariocat.com, 1 +ontariocountyny.gov, 1 +ontariodog.com, 1 +ontariohearing.com, 1 +ontarioplace.com, 1 +ontariopropertybuyers.com, 1 +ontariostorage.com, 1 +ontdekhetzelf.nu, 1 +ontestpad.com, 1 +onthe.network, 1 +ontheballbuilding.com.au, 1 +onthecheap.store, 0 +onthegosystems.com, 1 +onthesocials.com.au, 1 +ontheten.org, 1 +onthewaypodcast.com, 1 +ontogenese.net, 1 +ontopoflove.nl, 1 +ontourmarketing.at, 1 +ontrio.cz, 1 +ontrip.dk, 1 +ontrip.kr, 1 +ontsnappingskamer.nl, 1 +ontwerpdenkers.nl, 0 +onul.works, 1 +onurdemirezen.com, 1 +onurer.net, 1 +onurerhan.com, 1 +onurozden.com.tr, 1 +onuruzunonline.com, 1 +onvey.io, 1 +onvisit.net, 1 +onvori.com, 1 +onvori.de, 1 +onvousment.fr, 1 +onwie.com, 1 +onwie.fr, 1 +onwing.ai, 1 +onx.dk, 1 +onysix.de, 1 +onysix.net, 1 +onyx-groups.com, 1 +onyxcts.com, 1 +onyxeg.estate, 1 +onyxfic.cc, 1 +onyxgen.duckdns.org, 1 +onzelievevrouw-veldegem.tk, 1 +onzerelaties.net, 1 +oo5197.co, 1 +oo6729.co, 1 +oo6729.com, 1 +oo6957.co, 1 +oo9297.co, 1 +oo9728.co, 1 +oodlessoftplay.co.uk, 1 +ooeste.com, 0 +oofishing.ru, 1 +oog-osaka.jp, 1 +oogami.name, 1 +oogartsennet.nl, 1 +oogent.be, 1 +ooharttemplates.com, 1 +ooii.net, 1 +oomepu.com, 1 +oomnitza.com, 1 +oomph-delikatessen.tk, 1 +oomuj.info, 1 +oonne.com, 1 +ooo-santal.ml, 1 +ooo.xxx, 1 +oooaltera.ru, 1 +oooh.events, 1 +ooonja.de, 1 +oooo.loan, 1 +ooooo.cz, 1 +ooove.ru, 1 +oopsis.com, 1 +oopure.com, 1 +oorbellen.nl, 1 +oortcast.com, 1 +oositk.tk, 1 +oosm.org, 1 +oosolutions.nl, 1 +oostendevooranker.be, 0 +oot.rs, 1 +op11.co.uk, 0 +op3racional.eu, 1 +opacity.au, 1 +opaco.tk, 1 +opadaily.com, 1 +opale-concept.com, 1 +opalesurfcasting.net, 1 +opalhunter.at, 1 +opalternative.tk, 1 +opap.jp, 1 +oparamo.tk, 1 +oparceirao.com.br, 1 +oparideal.com.br, 1 +oparl.org, 1 +opatowice.tk, 1 +opatut.de, 0 +opbedbugcanines.com, 1 +opcenter.de, 1 +opcionpublicitaria.com, 1 +opcod3.io, 1 +opcoes.net.br, 1 +opd.co.nz, 1 +opdera.org, 1 +opdi.aero, 1 +ope.ee, 1 +opel-focken.de, 1 +opelim.net, 1 +open-ai-chatgpt.ru, 1 +open-banking-access.uk, 1 +open-bs.com, 1 +open-bs.ru, 1 +open-ctp.com, 1 +open-ctp.net, 1 +open-ctp.org, 1 +open-data-apps.org, 1 +open-desk.org, 1 +open-domotics.info, 0 +open-fixture-library.org, 1 +open-future.info, 1 +open-gaming.net, 1 +open-greenenergy.com, 1 +open-infrastructure.net, 1 +open-letters.de, 1 +open-mesh.org, 1 +open-novel.work, 1 +open-procurement.com, 1 +open-sauce-recipes.co.uk, 1 +open-source.gr, 1 +open-to-repair.fr, 0 +open-trip.id, 1 +open-work.space, 1 +open-xchange.com, 1 +open.film, 1 +open.my.id, 1 +open.ru, 1 +openacte.ch, 0 +openaedmap.org, 1 +openagenda.com, 1 +openai.com, 1 +openai.community, 1 +openai.sb, 0 +openalt.org, 1 +openaq-staging.org, 1 +openarch.nl, 1 +openarchivaris.nl, 1 +openbayes.network, 1 +openbayesstatus.com, 1 +openbeecloud.com, 1 +openbet.it, 1 +openbible.com.au, 1 +openbiblebookstore.com.au, 1 +openbleam.com, 1 +openblox.org, 1 +openbriefing.org, 1 +openbsd.cz, 1 +openbsdhosting.com, 1 +openbusiness.tk, 1 +opencache.uk, 1 +opencagedata.com, 1 +opencartbot.com, 1 +opencartspecialist.com, 1 +openchronicles.net, 1 +opencircuit.nl, 1 +opencity.spb.ru, 1 +openclima.com, 1 +openclub24.ru, 1 +openconf.uk, 1 +openconnect.com.au, 1 +opencpes.com, 0 +opencpes.info, 1 +opencpes.io, 1 +opencpes.net, 1 +opencpes.org, 1 +opencrm.co.uk, 1 +openctp.com, 1 +openctp.net, 1 +openctp.org, 1 +opendata.cz, 1 +opendataincubator.eu, 1 +opendesk.cc, 0 +opendisdata.nl, 1 +opendolls.com, 1 +opendsp.ru, 1 +openendpoint.tools, 1 +openevic.info, 1 +openexec.com, 1 +openexec.net, 1 +openfin.co, 1 +openfir.st, 0 +openfitapi-falke.azurewebsites.net, 1 +openfpcdn.io, 1 +openfuture.digital, 1 +opengameart.org, 1 +opengovpartnership.de, 1 +openhandhelds.org, 1 +openhistory.de, 1 +openid.net.br, 1 +openinframap.org, 1 +openinsieme.com, 1 +openintel.com.br, 1 +openintl.com, 1 +openjsf.org, 1 +openjur.de, 1 +openkat.nl, 1 +openkim.org, 1 +openkvk.nl, 1 +openlink.com, 1 +openlitecache.com, 1 +openmail.ml, 1 +openmandriva.org, 1 +openmarkets.com.au, 0 +openmarkets.group, 0 +openmind.ga, 1 +openmindsec.com, 1 +openmindsec.de, 1 +openmined.org, 0 +openmirrors.cf, 1 +openmirrors.ml, 1 +openmtbmap.org, 1 +opennippon.com, 1 +opennippon.ru, 1 +openpictures.ch, 1 +openpowerfoundation.org, 1 +openproject.com, 1 +openproton.cf, 1 +openprovider.nl, 0 +openqnx.com, 1 +openquery.com.au, 1 +openrainbow.ae, 1 +openrainbow.com, 1 +openrainbow.health, 1 +openrainbow.net, 1 +openrainbow.org, 1 +openre.site, 1 +openrealestate.co, 1 +openreel.com, 0 +openremote.io, 1 +openresearch.amsterdam, 1 +openreview.net, 1 +openroademail.com, 1 +openrtm.org, 1 +openruhr.de, 1 +openscience.ml, 1 +opensecurity.in, 1 +opensecurity.pl, 1 +opensim.tk, 1 +openslava.tk, 1 +opensocial.at, 1 +opensocietyuniversitynetwork.org, 1 +opensource-cms.nl, 1 +opensource-training.de, 1 +opensource.fund, 1 +opensourcecombat.com, 1 +opensourcesoftware.rocks, 1 +opensourcesurvey.org, 1 +opensourcex.tk, 1 +openspot.tk, 1 +opensquares.org, 1 +opensrc.one, 1 +openssl.org, 0 +openstandia.jp, 1 +openstem.com.au, 1 +openstreetmap.is, 1 +openstreetmap.org, 1 +opentable.com, 1 +opentable.com.au, 1 +opentenders.tech, 1 +opentrack.info, 1 +opentrader.com.au, 0 +opentrash.org, 1 +openverse.com, 0 +openvision.tk, 1 +openvz.org, 1 +openwaveguide.de, 1 +openwebstandard.org, 1 +openwifi.gr, 1 +openwrt-dist.tk, 1 +openxcom.org, 1 +openyoga.nl, 1 +opera.im, 1 +operacdn.com, 1 +operacionlimpieza.com, 1 +operad.fr, 1 +operadotejo.org, 1 +operahedeland.dk, 1 +operanavigation.ro, 1 +operatic.gq, 1 +operationhomefront.org, 1 +operationkiwi.work, 1 +operationlifeline.ca, 1 +operationlifeline.org, 1 +operationturkey.tk, 1 +operationwarm.org, 1 +operator.tk, 1 +operatoresanitario.it, 1 +operaunica.tk, 1 +operd.gob.do, 1 +opexterminating.com, 1 +opfin.com, 1 +opforintel.com, 1 +opgani7.info, 1 +ophelia.ink, 0 +ophepartners.org, 1 +ophidian.tk, 1 +ophthalmologynotes.tk, 1 +opiates.ca, 1 +opic.gov, 1 +opid.my.id, 1 +opieoils.co.uk, 1 +opil.no, 1 +opimo3d.com.br, 1 +opin.me, 1 +opinie.pl, 1 +opinio.fr, 1 +opinionipannolini.it, 1 +opinioniprodotto.it, 1 +opinionitech.com, 1 +opinionmodel.it, 1 +opiniterupdate.com, 1 +opioidaffectedyouth.org, 1 +opioids.co.uk, 1 +opioids.com, 1 +opioids.gov, 1 +opioids.uk, 1 +opioids.wiki, 1 +opioneers.ga, 1 +opioneers.tk, 1 +opiskelijaradio.com, 1 +opiskelijaradio.fi, 1 +opisrael.tk, 1 +opito.com, 1 +opium.io, 0 +opix.fr, 1 +opl.bz, 1 +oplane.io, 1 +oplata-mvd.ga, 1 +oplata-vklike.tk, 1 +oplata.uz, 1 +oplop.appspot.com, 1 +opm.gov, 1 +opmaakonderscheidingen.nl, 1 +opnx.dk, 1 +opoderdaenergiafeminina.com.br, 1 +opomec.com, 1 +opop.cz, 1 +opopulechki.tk, 1 +oportunidadeganhos.tk, 1 +oportunidadinfinita.tk, 1 +opos.cf, 1 +oposicionescastillayleon.com, 1 +oposicionescorreos.es, 1 +oposicionesprofesores.tk, 1 +opp.moe, 1 +oppa888.com, 1 +oppa888.net, 1 +oppabet.com, 1 +oppada.com, 1 +oppejoud.ee, 1 +oppekepe.org, 0 +opploans.com, 1 +opportunity.de, 1 +opportunityfund.eu, 0 +opportunityliu.top, 1 +opportunitylouisiana.gov, 1 +opposer.me, 1 +oppositehq.com, 0 +oppositionsecurity.com, 1 +oppoweb.ml, 1 +oppress.life, 1 +oppressed.news, 1 +oppstartslos.no, 1 +oppwa.com, 1 +opq.pw, 1 +opraab.ga, 1 +opraser.cz, 1 +oprbox.com, 1 +oprekin.com, 1 +opreturn.org, 1 +opritten-en-terrassen.be, 1 +opritverklikker.nl, 1 +opromox.com, 1 +oprueba.com, 1 +opruimenwerkt.nl, 1 +opryshok.com, 1 +ops.ai, 1 +ops.com.pl, 1 +opsbase.com, 1 +opsecx.com, 1 +opskins.tk, 1 +opskiwi.work, 1 +opsmate.com, 0 +opsnotepad.com, 1 +opso.gov, 1 +opspedia.id, 1 +opstory.com, 1 +opstrengning.tk, 1 +opswill.com, 1 +opsystems.bg, 1 +opta-tv.com, 1 +opteam.pl, 1 +opteamax.de, 1 +opteamax.eu, 1 +optenhoefel.de, 1 +optgo.com.ua, 1 +opti-net.at, 1 +opti-net.solutions, 1 +optic-street.ru, 1 +optical-faking.tk, 1 +opticalprescriptionlab.com, 1 +opticaltest.com, 1 +opticamasvision.com, 1 +opticasocialvision.com, 1 +opticianedu.org, 1 +opticiansri.org, 1 +opticoolheadgear.com, 1 +opticsexplorer.com, 1 +opticstore.com.ua, 1 +optiekzien.nl, 0 +optifleet-evol.net, 1 +optifury.com, 1 +optigazelle.com, 1 +optigear.nl, 1 +optik-sehstern.de, 1 +optik-tamara.de, 1 +optik-trosdorff.de, 1 +optikflow.com, 1 +optikoscolombia.com, 1 +optilan.tk, 1 +optimakers.pl, 1 +optimale.co.uk, 1 +optimall.tk, 1 +optimalrehab.se, 1 +optimalruby.com, 1 +optimaner.pl, 1 +optimed.tk, 1 +optimised.cloud, 1 +optimised.io, 1 +optimisedlabs.co.uk, 1 +optimisedlabs.info, 1 +optimisedlabs.net, 1 +optimisedlabs.uk, 1 +optimist.bg, 1 +optimization-online.org, 1 +optimizationanalyticsest.ga, 1 +optimize-jpg.com, 1 +optimizedlabs.co.uk, 1 +optimizedlabs.info, 1 +optimizedlabs.net, 1 +optimizedlabs.uk, 1 +optimom.ca, 1 +optimon.io, 1 +optimumfmw.com, 1 +optimummanagement.net, 1 +optimummarinemanagement.net, 1 +optimummenhealth.com, 1 +optimumpacific.net, 1 +optimumship.net, 1 +optimumvikingsatcom.com, 1 +optimumwebdesigns.com, 1 +optimus.io, 1 +optimuscrime.net, 1 +optimuslearningschool.com, 1 +optimust.fi, 1 +options-today.com, 1 +optionsfund.cn, 1 +optionskredit.ag, 1 +optionskredit.biz, 1 +optionskredit.com, 1 +optionskredit.eu, 1 +optionskredit.info, 1 +optionskredit.net, 1 +optionskredit.org, 1 +optionsloop.com, 1 +optique-morice.com, 1 +optirank.co, 1 +optisell.ga, 1 +optmos.at, 1 +optogenics.com, 1 +optolamp.com.br, 1 +optomaeurope.com, 0 +optome.com, 1 +optoms.tk, 1 +optoutday.de, 1 +optoutpod.com, 1 +optru.eu.org, 1 +opture.ch, 1 +optykgill.pl, 1 +optymyze.com, 1 +opus-codium.fr, 1 +opus-labs.fr, 1 +opus-nail.com, 1 +opusdei.org, 1 +opuspremiumfilms.com, 1 +opussystems.com.au, 1 +opvakantie-noorwegen.nl, 1 +opvakantie-zweden.nl, 1 +opvoedingswinkelgent.be, 1 +opwaarts.tk, 1 +opwekking.tk, 1 +opzich.nl, 1 +oqevapimivud.tk, 1 +oqkd.eu, 1 +oqpo.ru, 1 +oqrqtn7ynmgc7qrgwd-ubhdvfiymfbjrh5ethdti8.com, 0 +oquedizabiblia.com.br, 1 +oqwebdesign.com, 1 +orablanket.co.nz, 1 +oracle-support.nl, 1 +oracleclown.com, 1 +oracolo.tk, 1 +oraculos.pt, 1 +oraculosiono.net, 0 +oraklinika.tk, 1 +oralb.com, 1 +oraldigital.com.br, 1 +oralemiraza.com, 1 +oralight.ml, 1 +orang-utans.com, 1 +orange.md, 1 +orangeacademy.cz, 1 +orangeappalam.com, 1 +orangecityfl.gov, 1 +orangecookie.com, 1 +orangefinanse.com.pl, 1 +orangehome.ga, 1 +orangejetpack.com, 1 +orangekey.tk, 1 +orangelandgaming.com, 1 +orangenj.gov, 1 +orangenuts.in, 1 +orangepages.ga, 1 +orangerock.tk, 1 +orangeshop.ee, 1 +orangesquash.org.uk, 0 +orangesquirrelevents.co.uk, 1 +orangetexas.gov, 1 +orangetown.com, 1 +orangtua.tk, 1 +oranjee.net, 0 +oranjerie.tk, 1 +orano.vn, 1 +oranous.tk, 1 +oranweb.tk, 1 +oraz.tk, 1 +orazen.it, 1 +orbassano5aele2021.tk, 1 +orbesurgeons.com.au, 1 +orbik.com, 1 +orbit.aero, 1 +orbit.church, 1 +orbita.zp.ua, 1 +orbitabaja.com, 1 +orbitaclub.cf, 1 +orbital3.com, 1 +orbitalcommerce.com.br, 0 +orbitcleaning.com.au, 1 +orbitdefence.co.uk, 1 +orbitfoods.ca, 1 +orbitforum.ga, 1 +orbitgoods.ca, 1 +orbitpro.co, 1 +orbitrock.xyz, 1 +orbits.ga, 1 +orbitum.fr, 1 +orbitum.space, 1 +orbu.net, 1 +orbussoftware.com, 0 +orcada.co, 1 +orcahq.com, 1 +orcamais.com.br, 1 +orcamarine.tk, 1 +orcas.tk, 1 +orcawiki.nl, 1 +orchardnh.org, 1 +orchestra-ppm.io, 1 +orchestra.tk, 1 +orchidcare.co.id, 1 +orchidee-mariage.com, 0 +orchidee-massage.tk, 1 +orchideemilano.it, 1 +orchidhousehotels.com, 1 +orchidinsurance.com, 1 +orchidlive.com, 1 +orchidplantscare.com, 1 +orchids.ua, 1 +orchidsforum.com, 1 +orcomsilver.tk, 1 +orcsnet.com, 1 +ord-airportparking.com, 1 +ordastoikennel.tk, 1 +ordbokpro.se, 1 +ordenmutantes.tk, 1 +order-a-laura.de, 1 +order-ftw.de, 1 +order-tools.io, 1 +order.catering, 1 +order.online, 1 +ordercipro.gq, 1 +orderdiflucan.ga, 1 +ordereze.com, 1 +ordermygear.com, 1 +ordernerd.com, 1 +orderomnicef.gq, 1 +orderpizza.tk, 1 +orderseason.digital, 1 +orderteethest.ga, 1 +ordervaltrexonlines.ga, 1 +ordevanoranjenassau.nl, 1 +ordfejd.se, 1 +ordilo.org, 1 +ordina.tk, 1 +ordinals.com, 1 +ordner.tk, 1 +ordoro.com, 1 +ordr.net, 1 +ordr.no, 1 +ordremk.fr, 1 +orduhaberleri.tk, 1 +ore.cool, 1 +oreber.com, 1 +oref-idf.com, 0 +oref-idf.net, 0 +oref-idf.org, 0 +orefice.roma.it, 1 +oregon2020census.gov, 1 +oregonatv.gov, 1 +oregoncoop.gov, 1 +oregonenergysaver.com, 1 +oregonmenshealth.com, 1 +oregonpasturenetwork.org, 1 +oregonstudentaid.gov, 1 +orel-city.ml, 1 +orel-sait.tk, 1 +orel.ga, 1 +orel.se, 1 +orelblog.tk, 1 +orelferm.ru, 1 +orelnet.tk, 1 +orem.gov, 1 +orenburg-life.tk, 1 +orendamebliv.com.ua, 1 +orendatattoo.bg, 1 +orenohatake.com, 1 +orensport.tk, 1 +oreo.rocks, 1 +oreomuhely.hu, 1 +oresama.studio, 1 +oreshinya.xyz, 1 +oreskylaw.com, 1 +orestadit.dk, 1 +oreto.de, 0 +orevan.net, 1 +orevan.org, 1 +orf-digitalsatkarte.at, 0 +orf-kartentausch.at, 0 +orfelios.com, 1 +orfeo-engineering.ch, 1 +orfininumeister.it, 1 +orfordvillewi.gov, 1 +org-css.tk, 1 +organaqsis.com, 1 +organdonor.gov, 1 +organic.pk, 1 +organicae.com, 1 +organicappraisalers.ga, 1 +organicaromas.com, 1 +organicindiausa.com, 1 +organicmachinery.net, 1 +organicossuliani.com.br, 1 +organicpoint.in, 1 +organicrootsfestival.tk, 1 +organicsearcher.com, 1 +organictanningest.ga, 1 +organisatieteam.nl, 1 +organisation-mariage.net, 1 +organizacasa.com.br, 1 +organizalpha.com, 1 +organizasyon.tk, 1 +organization-of-holidays.tk, 1 +organizedrhyme.tk, 1 +orgasmium.com, 1 +orged.de, 1 +orgoniteindonesia.com, 1 +orgsyn.in, 1 +orgtech.ga, 1 +orgyporngroup.com, 1 +orians.eu, 1 +oriatasi.tk, 1 +oribia.net, 1 +oricejoc.com, 0 +orido.org, 1 +oriental-events.net, 1 +orientalart.nl, 1 +orientalcollege.tk, 1 +orientalcuisine.tk, 1 +orientalgadgets.tk, 1 +orientaltrends.com.br, 1 +orientate.com.mx, 1 +orientir.tk, 1 +oriflamesamara.tk, 1 +oriflameszepsegkozpont.hu, 1 +orifonline.ro, 0 +origami.to, 1 +origamiii.me, 1 +origamiking.wiki, 1 +origemtemperos.com.br, 1 +origenarts.com, 1 +origent.com, 1 +originahl-scripts.com, 1 +original-christstollen.com, 1 +original-christstollen.de, 1 +originalabsinthe.com, 1 +originalbee.co.uk, 1 +originalblackfilms.ga, 1 +originalescaro.tk, 1 +originalmusicstream.tk, 1 +originalniknihy.cz, 0 +originalpharmacygrup.ml, 1 +originalreading.com, 1 +originalseconds.com, 0 +originaltee.uk, 1 +origingames.tk, 1 +originpc.com, 0 +origins-webdesign.fr, 1 +origintlsflexible.com, 1 +origintlsfull.com, 1 +origintlsstrict.com, 1 +origintunes.tk, 1 +orikos.tk, 1 +orikum.org, 0 +orilliacdc.com, 1 +orilon.fr, 1 +orimex-mebel.ru, 1 +orimono.ga, 1 +oriocdn.com, 1 +orion-rentals.tk, 1 +orion-universe.com, 1 +orioneclipse.com, 1 +orionelement.com, 1 +orionfcu.com, 1 +orionfinancialservices.com, 1 +oriongames.eu, 1 +orionlab.com.br, 1 +orionrisk.com, 1 +oris.edu.ee, 1 +oriveda.ch, 1 +oriveda.co.uk, 1 +oriveda.com, 1 +oriveda.nl, 1 +oriya-hrs.com, 1 +orizarja.tk, 1 +orkaev.cf, 1 +orkestar-krizevci.hr, 1 +orkiv.com, 0 +orkkikerho.tk, 1 +orland.tk, 1 +orlandgo.com, 1 +orlandhillspdil.gov, 1 +orlando-marijuana-doctor.com, 1 +orlandobalbas.com, 1 +orlandojetcharter.com, 1 +orlandooutdoor.com, 1 +orlandopooltech.com, 1 +orlandoprojects.com, 1 +orlandorentavilla.com, 1 +orleansiowa.gov, 1 +orleika.io, 1 +orleika.ml, 1 +ormanetrading.com, 1 +ormuratore.com, 1 +ornc.org, 1 +ornikar.com, 1 +ornithopter.tk, 1 +ornitina.com, 1 +ornsyn.no, 1 +ornua.com, 1 +ornz.net, 0 +oro.milano.it, 1 +oro.roma.it, 1 +orocojuco.com, 1 +oroconews.com.br, 1 +orodelsalento.com, 1 +orologeria.roma.it, 1 +orologi.roma.it, 1 +oronomn.gov, 1 +oroshikikin.jp, 1 +orovillelaw.com, 1 +orpf.ir, 1 +orphee-beaute.com, 0 +orpheus.network, 1 +orpheus2.com.ec, 1 +orquestas.tk, 1 +orrs.de, 1 +orsal.fr, 1 +orsgo.com, 1 +ortahisarsigorta.com, 1 +ortanatech.com, 1 +ortecapps-dev.com, 1 +ortecbdp.com, 1 +ortecdna.com, 1 +ortechealthtest.com, 1 +ortegaportfolio.com, 1 +ortegat.com, 1 +ortelius.com, 1 +ortelius.se, 1 +ortemis.host, 1 +orteo.co, 1 +ortho-graz.at, 1 +orthoatthevillage.com, 1 +orthocab.com, 1 +orthocop.cz, 1 +orthodealsers.ga, 1 +orthodontiste-geneve-docteur-rioux.com, 0 +orthodoxy.lt, 0 +orthograph.ch, 1 +orthomolecularproducts.com, 0 +orthopedic-shoes.tk, 1 +orthopedicsalon.tk, 1 +orthoprax.net, 1 +orthoquest.ca, 1 +orthotrafficest.ga, 1 +ortiatuttogas.it, 1 +ortigueira.ga, 1 +ortizmario.com, 1 +ortocraft.tk, 1 +ortoemangiato.it, 1 +ortografiacerta.com.br, 1 +ortoinnovapanama.com, 1 +ortop.ua, 1 +ortopedia.tk, 1 +ortopertutti.it, 1 +ortto.com, 0 +oruggt.is, 1 +orum.in, 1 +orviboperu.com.pe, 1 +orwell.tk, 1 +oryva.com, 1 +oryxlabs.com, 1 +oryxserver.ch, 1 +orzado.com, 1 +orzado.com.ua, 1 +orzechot.pl, 1 +os-s.de, 1 +os-s.net, 1 +os-t.de, 1 +os.web.tr, 1 +os24.cz, 1 +os33.com, 1 +os33.net, 1 +os76.xyz, 1 +osaamiskartoitus.fi, 1 +osac.gov, 1 +osacrypt.studio, 1 +osagecounty-ok.gov, 1 +osagenation-nsn.gov, 1 +osagokasko.ga, 1 +osaka-culture-art.com, 1 +osaka-hero-project.com, 0 +osakaevoce.com.br, 1 +osakagasaustralia.com.au, 1 +osakayuku.com, 1 +osakerekisteri.fi, 1 +osaketori.fi, 1 +osaki.fr, 1 +osallistuvavantaa.fi, 1 +osamabook.tk, 1 +osamakhalid.com, 1 +osamatoon.ml, 1 +osandp.com, 1 +osankj.tk, 1 +osano.com, 1 +osateam.tk, 1 +osawatomieks.org, 1 +osb-alliance.de, 1 +osbeck.com, 1 +osborn.io, 1 +osborne.tk, 1 +osbornecounty.gov, 1 +osborneinn.com, 0 +osbornepro.com, 1 +osburn.com, 1 +osc.gov, 1 +oscar.ms, 1 +oscarapp.net, 1 +oscarmartinez.tk, 1 +oscarr.nl, 1 +oscars-web.tk, 1 +oscarsalas.tk, 1 +oscarspatiobar.com, 1 +oscarvk.ch, 1 +osceolaar.gov, 1 +osceolacountyfl.gov, 1 +osceolacountyia.gov, 1 +osceolafdar.gov, 1 +osceolapdar.gov, 1 +osci.io, 1 +oscloud.com, 1 +oscom.tk, 1 +oscpi.com, 1 +oscreen.ru, 1 +osdeployment.com, 1 +osdeployments.com, 1 +osdls.gov, 1 +oseido.tk, 1 +osepideasthatwork.org, 1 +osereso.tn, 1 +oses.mobi, 0 +osetia.tk, 1 +osetinskie-pirogi.ga, 1 +osetiya.gq, 1 +osetiya.ml, 1 +osez-l-odyssee.fr, 1 +osgroup.tk, 1 +oshayr.com, 1 +oshea.cc, 1 +oshens.com, 1 +osholife.tk, 1 +oshrc.gov, 1 +osi-systems.com, 1 +osiedlemalownicze.wroc.pl, 1 +osimmo.fr, 1 +osindesejados.com.br, 1 +osipenko.ua, 1 +osiris-ai.co.uk, 1 +osirisrising.tk, 1 +osirisrp.online, 1 +osirium.com, 1 +osk-group.ru, 1 +oskety.com, 1 +oskrba.net, 1 +oskrba.online, 1 +oskuro.net, 1 +oslinux.net, 1 +oslo-kammerorkester.no, 1 +osm.is, 1 +osm.org, 1 +osmaniyehaber.tk, 1 +osmanlitakilari.tk, 1 +osmanlitorunu.com, 1 +osmarks.net, 1 +osmarks.tk, 1 +osmdroid.net, 1 +osmosebox.com, 1 +osmosis-inversa.online, 1 +osmre.gov, 1 +osmt.cc, 1 +osnova.cz, 1 +osobnyak.tk, 1 +osohq.com, 1 +osolutionscorp.com, 1 +osom.finance, 1 +osomagicmountain.com, 1 +osomjournal.org, 1 +osoo.kg, 1 +osorezone.com, 1 +osorio.io, 0 +ospis.pl, 1 +ospo-alliance.org, 1 +osrdmo.gov, 1 +osrs.wiki, 1 +osrsmap.net, 1 +osrsplugins.xyz, 1 +ossdiabolo.tk, 1 +osservatorionessuno.it, 1 +osservatorionessuno.org, 1 +ossigeno.tk, 1 +ossipee-nh.gov, 1 +ossrox.org, 1 +osszekotatermeszettel.hu, 1 +ostalb.social, 1 +ostan-collections.net, 1 +ostan-nku.tk, 1 +ostankino.tk, 1 +ostechnix.com, 1 +ostek.tk, 1 +ostendorf.com, 1 +osteolaclusaz.com, 0 +osteopathe-voisine.com, 1 +osteopathie-guggenberger.de, 1 +osteopatiaymasaje.com, 1 +osteriabellavista.ch, 0 +osteriadelponte.tk, 1 +osterkraenzchen.de, 1 +ostermcbride.com, 1 +ostern-osterfest.tk, 1 +ostgotakonst.se, 1 +osti.gov, 1 +ostimwebtasarim.name.tr, 1 +ostimyedekparca.com.tr, 1 +osto.us, 1 +ostp.gov, 1 +ostr.io, 1 +ostra.gg, 1 +ostra.me, 1 +ostrausercontent.com, 1 +ostravskypediatrickyden.cz, 1 +ostrov8.com, 1 +ostrovseocitra.cf, 1 +ostrovseocitra.ga, 1 +ostrovseocitra.gq, 1 +ostrovseocitra.ml, 1 +ostseebad-sellin.de, 1 +ostylelimo.com, 1 +osuarez3.com, 1 +osun.eu, 1 +osuszanie-krakow.pl, 1 +osuszanie-prinz.com.pl, 1 +osuszanie-radom.pl, 1 +osuszanie-warszawa.pl, 1 +osvaldocontreras.tk, 1 +osveld.com, 1 +osvhub.com, 1 +oswaldlabs.com, 1 +oswalds.co.uk, 1 +oswaldsmillaudio.com, 1 +oswegoil.gov, 1 +oswegony.gov, 1 +osworx.net, 1 +ot-honfleur.fr, 1 +ot-vinta.tk, 1 +otaikajang.org, 1 +otakaroltd.co.nz, 1 +otako.pl, 0 +otaku-treasure.com, 1 +otaku.fm, 1 +otakubox.de, 1 +otakucloud.net, 0 +otakuie.tk, 1 +otakurepublic.com, 1 +otakurumi.de, 1 +otakuzonefanzine.tk, 1 +otariarutiunian.com, 1 +otchecker.com, 1 +otd-dentalcare.com, 0 +otdel16.tk, 1 +otdelka56.ml, 1 +otdelka76.tk, 1 +otdelochnik.tk, 1 +otdih-krim.tk, 1 +otdyh-v-abhazii.tk, 1 +oteri.de, 1 +otg-drives.tk, 1 +otgadaika.tk, 1 +oth666.com, 0 +other98.com, 0 +othercdn.com, 1 +otherkinforum.com, 1 +otherlandlabs.com, 0 +otherwise.tk, 1 +othrys.net, 1 +oticasvisao.net.br, 1 +otimismoemrede.tk, 1 +otinane.eu, 1 +otipax.ru, 1 +otiumtech.com, 1 +otixz.com, 1 +otkm-stuttgart.tk, 1 +otmns.net, 1 +otng.us, 1 +otogeworks.com, 1 +otokiralama.name.tr, 1 +otoma.tk, 1 +otomania.tk, 1 +otomauto.com, 1 +otomekaito.xyz, 1 +otomny.fr, 1 +otomobilforumu.com, 1 +otomobilhaber.com, 1 +otonity.com, 1 +otoplastik.ml, 1 +otoplenie-ufa.ml, 1 +otorino.tk, 1 +otorium.gq, 1 +otorrino.pt, 0 +otosemi.com, 0 +otoy.com, 1 +otpbd.xyz, 1 +otpdvi.gov, 1 +otpgoldenfish.ro, 1 +otpnyugdij.hu, 1 +otpportalok.hu, 1 +otprema.hr, 1 +otpsmart.com.ua, 1 +otptikforum.cf, 1 +otr.ie, 1 +otrm.de, 1 +otrosidigo.tk, 1 +otrubah.com, 1 +ots.gov, 1 +otsfreestyle.jp, 1 +otsu.beer, 1 +ott-tv.org, 1 +ottawatribe.gov, 1 +ottens.tk, 1 +otterpops.tk, 1 +ottertailcounty.gov, 1 +ottertailcountymn.gov, 1 +otterupdate.com, 1 +ottervillemo.gov, 1 +otthonelektronika.hu, 1 +otticait.com, 1 +otticaturi.it, 1 +ottingergolf.com, 1 +ottmarliebert.tk, 1 +ottogroup.com, 1 +ottokrake.ba, 1 +ottomanbedsuk.tk, 1 +ottorinoferilli.com, 1 +ottoversand.at, 1 +otuts.eu, 1 +otvaracie-hodiny.sk, 1 +otya.me, 1 +otzyvy.cc, 1 +ouaibe.qc.ca, 1 +ouaie.be, 1 +ouaisetalors.fr, 1 +ouattara.ch, 1 +oudedokken.be, 1 +oudersvannu.nl, 1 +ouestacro.fr, 1 +ouestfrance-auto.pro, 1 +ouezzan.tk, 1 +ouglor.com, 1 +oui-mais-toscope.info, 1 +ouin.land, 1 +ouinex.com, 1 +ouinex.xyz, 1 +ouiouibunny.ch, 1 +ouiouibunny.fr, 1 +oujj.link, 1 +oukasou.moe, 1 +oukasou.xyz, 1 +ouldlamara.tk, 1 +oulunjujutsu.com, 1 +oumactive.com, 1 +ouminews.net, 1 +oumlaut.net, 1 +oumorienteering.com, 1 +oumpower.com, 1 +oumrace.com, 1 +oumsnatch.com, 1 +oumsport.com, 1 +ounage.de, 1 +ouowo.gq, 1 +our-box.de, 1 +our-box.net, 1 +our-little-secret.tk, 1 +our-store.ml, 1 +ourai.ws, 1 +ourayco.gov, 1 +ourchoice2016.com, 1 +ourcloud.at, 1 +ourcodinglives.com, 1 +ourcreolesoul.com, 1 +ourcrowd.com, 1 +ourcybercommunity.com, 1 +ourdocuments.gov, 1 +ourevents.net, 1 +ourfamilyworld.com, 1 +ourgame.ie, 1 +ourharvest.com, 1 +ourhr.club, 1 +ourindiana.gov, 1 +ourladymountcarmel.net, 1 +ourladymtcarmel.org, 0 +ourladyofcalvary.org, 1 +ourladyoftheassumptionchurch.org, 1 +ourladyqueenofmartyrs.org, 1 +ourlink.tk, 1 +ourmarket.live, 1 +ournewsindia.ga, 1 +ourocg.cn, 1 +ouroh2.com, 1 +ouronyx.com, 0 +ourpharmacynetwork.com, 1 +ourphonestoday.com, 1 +ourplanetary.com, 1 +ours.money, 1 +oursaintfrancis.org, 1 +oursibparksplan.com, 1 +oursportscentral.com, 1 +ourstory.rip, 1 +oursurplus.com, 1 +oursweb.com, 1 +oursweb.net, 1 +oursweb.org, 1 +ourtableforseven.com, 1 +ouruglyfood.com, 1 +ourvau.lt, 1 +ourwits.com, 1 +ourworldindata.org, 0 +ourworldspeaks.com, 1 +oust.ch, 0 +oustaou-connect.com, 1 +out-of-england.cf, 1 +out-of-england.ga, 1 +out-of-england.gq, 1 +out-of-england.ml, 1 +outagamie.gov, 1 +outandaboutpv.com, 1 +outbankapp.com, 1 +outbot.com, 1 +outbound.tk, 1 +outbreak.games, 1 +outcasts-guild.eu, 1 +outcomes10.com, 1 +outdoorfurniture.ie, 1 +outdoorgearlab.com, 1 +outdoorimagingportal.com, 1 +outdoorlearningmap.com, 1 +outdoorlightingagoura.com, 1 +outdoorlightingagourahills.com, 1 +outdoorlightingcalabasas.com, 1 +outdoorlightingconejovalley.com, 1 +outdoorlightingdosvientos.com, 1 +outdoorlightinghiddenhills.com, 1 +outdoorlightinglakesherwood.com, 1 +outdoorlightingmalibu.com, 1 +outdoorlightingmoorpark.com, 1 +outdoorlightingnewburypark.com, 1 +outdoorlightingoakpark.com, 1 +outdoorlightingsimivalley.com, 1 +outdoorlightingthousandoaks.com, 1 +outdoorlightingwestlakevillage.com, 1 +outdoormanufaktur.com, 1 +outdoorphoto.co.za, 1 +outdoorsytravel.com, 1 +outerface.net, 1 +outerheaven.pro, 1 +outerlimitsdigital.com, 1 +outernet.tk, 1 +outerspace.ga, 1 +outervision.com, 1 +outetc.com, 1 +outfaced-dancestudio.de, 1 +outfit-weimar.eu, 1 +outgress.com, 1 +outgrow.co, 1 +outhwaite.com, 1 +outincanberra.com.au, 1 +outinnationalsecurity.org, 1 +outka.xyz, 1 +outlaw-star.tk, 1 +outletcity.bg, 1 +outletstoresmalls.com, 1 +outline.ski, 1 +outline.vn, 1 +outlook.com, 1 +outlook.pl, 1 +outlookbythebay.com, 1 +outlookonthedesktop.com, 1 +outlooktransfer.com, 1 +outloudradio.uk, 1 +outnetic.com, 1 +outnow.ch, 1 +outoftheboxfitness.com, 1 +outofthefog.net, 1 +outofyourcomfortzone.net, 1 +outplnr.fr, 1 +output.com, 1 +outrank.co.uk, 1 +outrider.ai, 1 +outshinesolutions.nl, 1 +outsideconnections.com, 1 +outsidershairboutique.com, 1 +outsize.tk, 1 +outsourcify.net, 1 +outsourcingdenomina.co, 1 +outsourcingnominabogota.com, 1 +outstack.vote, 1 +outstanding.tk, 1 +outstandingpromotion.com, 1 +outtask.ai, 0 +outwoodz.co.uk, 1 +outworking.com, 1 +ouverture-coffre-fort.fr, 1 +ouvindo.com.br, 1 +ouwerling.tk, 1 +ov-chipkaart.nl, 1 +ovabastecedoraindustrial.com, 1 +ovalle.tk, 1 +ovallevirtual.tk, 1 +ovationhand.com, 1 +ovc.gov, 1 +ovcttac.gov, 1 +ovegi.co.id, 1 +ovelhaostra.com, 1 +ovelhosabio.com, 1 +ovelhosabio.com.br, 1 +oven.media, 1 +ovenapp.io, 1 +ovenrepairaustin.com, 1 +overa.net, 1 +overallmotivation.com, 1 +overallscanners.tk, 1 +overca.sh, 1 +overcached.com, 1 +overcame.cf, 1 +overcasthq.com, 1 +overclockers.ga, 1 +overclockers.ge, 1 +overcomers.tk, 1 +overdance.com.br, 1 +overdrive-usedcars.be, 0 +overener.biz, 1 +overener.cn, 1 +overener.co, 1 +overener.com, 1 +overener.tech, 1 +overener.us, 1 +overflow.io, 1 +overframe.gg, 1 +overgear.tk, 1 +overground.tk, 1 +overhead.com.pe, 1 +overheek.tk, 1 +overlevers.tk, 1 +overlevingsmessen.nl, 1 +overlook.tk, 1 +overlooklakeaustin.com, 1 +overlord.network, 1 +overmorgen.nl, 1 +overnetfaq.tk, 1 +overnetworld.tk, 1 +overnightglasses.com, 1 +overpb.gq, 1 +overprint-samara.ru, 1 +overps.cf, 1 +overrated.ga, 1 +overratedtech.com, 1 +overrun.tk, 1 +overs.jp, 1 +oversea.com.br, 1 +overseamusic.de, 1 +overseasstudenthealth.com, 1 +overside.ml, 1 +oversight.garden, 1 +oversight.gov, 1 +oversight.nz, 1 +oversightboard.com, 1 +overspace.cloud, 1 +overstemmen.nl, 1 +overstockpromote.com, 1 +overthecloud.it, 1 +overthegate.tk, 1 +overtoncountytn.gov, 1 +overtunes.tk, 1 +overture.london, 1 +overwatchss.club, 1 +overzicht.pro, 1 +overzicht.ws, 1 +ovez.ga, 1 +ovhcdn.pw, 1 +ovidiusbouwbedrijf.nl, 1 +ovidro.pt, 0 +ovirt.org, 1 +oviser.ml, 1 +ovisy.com, 1 +ovni-owners.org.uk, 1 +ovnrain.com, 0 +ovochi.tk, 1 +ovodakadarkut.tk, 1 +ovomope.cn, 1 +ovosimpatico.com, 1 +ovosimpatico.org, 1 +ovpn.com, 1 +ovpn.to, 1 +ovstravel.com, 1 +ovuk.ru, 1 +ovvv.top, 1 +ovvy.net, 0 +owagik.com, 1 +owatonna.gov, 1 +owatonnagrows.gov, 1 +owdeutschland.org, 1 +owenet.net, 1 +owensboroky.gov, 1 +owenschumacher.tk, 1 +owensmith.website, 1 +owensvilleoh.gov, 1 +owethecure.win, 1 +owfactory.com, 1 +owid.cloud, 1 +owise.tk, 1 +owl-media.pl, 1 +owl-media.ru, 1 +owl-media.us, 1 +owl-stat.ch, 0 +owl.net, 1 +owlandbee.co.uk, 1 +owlandbee.eu, 1 +owlandbee.uk, 1 +owlando.com, 1 +owlandrabbitgallery.com, 1 +owlazy.com, 1 +owlbee.be, 1 +owlbee.de, 1 +owlbee.es, 1 +owlbee.eu, 1 +owlbee.fr, 1 +owlbee.it, 1 +owlbee.nl, 1 +owldevelopers.tk, 1 +owlexa.com, 1 +owlhollowbakery.com, 1 +owln.ai, 0 +owlnull.me, 1 +owlscrap.ru, 1 +owlvilleers.ga, 1 +ownagepranks.com, 1 +ownc.at, 1 +owncloud.ch, 1 +owncloud.com, 1 +ownerbusiness.org, 1 +ownergroup.net, 1 +ownersre.com, 1 +ownhosting.cloud, 1 +owningless.fr, 1 +ownparking.com, 1 +ownspec.com, 1 +ownsport.fr, 1 +owntips.ml, 1 +owntournament.org, 1 +ownwolke.de, 1 +ownyourfamily.com, 1 +owo.enterprises, 1 +owo.jp, 1 +owo.li, 0 +owrt-risk.dedyn.io, 1 +owyheecounty.gov, 1 +owysgarden.com.au, 1 +ox.restaurant, 1 +oxalato.com, 1 +oxaliz.gq, 1 +oxanababy.com, 1 +oxborrow.ca, 1 +oxbridge.eu, 1 +oxelie.com, 0 +oxen.io, 1 +oxfordandcambridgetutors.com, 1 +oxfordbio.com, 1 +oxfordbus.co.uk, 1 +oxforddigital.com.au, 1 +oxfordenglish.com.ua, 1 +oxfordkneeinfo.com, 1 +oxfordmd.gov, 1 +oxfordtutors.com, 1 +oxforduniverse.com, 1 +oxfordurgentclinic.com, 1 +oxia.me, 1 +oxialive.fr, 1 +oxiame.eu, 1 +oxibeiras.pt, 1 +oxide.social, 1 +oxidecomputer.net, 1 +oxidecomputer.social, 1 +oxidized.org, 1 +oxigenoinformatica.tk, 1 +oximedia.ga, 1 +oximoron.tk, 1 +oxinarf.pt, 1 +oxizonia.com, 0 +oxlab.com.ar, 1 +oxo.cloud, 0 +oxona.eu, 1 +oxoo.ooo, 1 +oxopackaging.com.au, 0 +oxos.com, 1 +oxots.com, 1 +oxotscovid.com, 1 +oxt.co, 1 +oxwebdevelopment.com.au, 1 +oxxengarde.de, 1 +oxxoshop.com, 0 +oxydac.com, 1 +oxydrate.com, 1 +oxygames.tk, 1 +oxygenated.cf, 1 +oxygenforchennai.com, 1 +oxygin.net, 0 +oxylabs-china.net, 1 +oxylabs.cn, 1 +oxylabs.io, 1 +oxylog.fr, 1 +oxymail.ru, 1 +oxymoron.tk, 1 +oxynux.xyz, 1 +oxytocin.org, 1 +oxytocin.wiki, 1 +oxyx.tk, 1 +oxz.me, 1 +oya.ai, 1 +oyakyamacevler.net, 1 +oyal.co.uk, 1 +oyama-conf.com, 1 +oyama-karate.tk, 1 +oyap.ca, 1 +oyaphwcdsb.com, 1 +oyapkprdsb.ca, 1 +oyaptcdsb.com, 1 +oyaquelegal.com.br, 1 +oyemobile.ca, 1 +oyemobile.com, 1 +oyesunn.com, 0 +oyk13tyuj8ljpete31edj2tes-9if7bi.com, 0 +oyosoft.fr, 1 +oyosoft.net, 1 +oyr79.tk, 1 +oysterboxhotel.com, 1 +oysterworldwide.com, 1 +oyun.news, 1 +oyundijital.com, 1 +oyungg.net, 0 +oyunmadeni.tk, 1 +oyunnetwork.com, 1 +oyunnext.com, 1 +oyunoynuyalim.tk, 1 +oyunshell.com, 1 +oz-artfocus.com, 1 +oz-style.com, 1 +ozacek.fun, 1 +ozantravel.com, 1 +ozark-serial.net, 1 +ozarkinspected.com, 1 +ozaukeecounty.gov, 1 +ozaymotor.com, 1 +ozbekistanhavayolu.com.tr, 1 +ozbolt.eu, 1 +ozcare.org.au, 1 +ozcreatives.tech, 1 +ozdemirgrubu.com, 1 +ozdenotomotiv.com.tr, 1 +ozdevelopment.com, 1 +ozel-ders.tk, 1 +ozelgitardersi.tk, 1 +ozellaruck.tk, 1 +ozelmarmaratip.com, 1 +ozemsec.com.br, 1 +ozerify.com, 1 +ozero-kardyvach.ru, 1 +ozgesezen.com, 1 +ozgurbozkurt.com, 1 +ozgurgokmen.net, 1 +ozgurkazancci.com, 1 +ozhegov.site, 0 +ozli.ga, 1 +ozmo.ml, 1 +ozna.tk, 1 +oznamovacipovinnost.cz, 1 +ozoksteel.com, 1 +ozone-medical.fr, 1 +ozonitron.com, 1 +ozonitron.de, 1 +ozonitron.eu, 1 +ozonstyle.ga, 1 +ozonytron.com, 1 +ozonytron.de, 1 +ozonytron.eu, 1 +ozoz.cc, 1 +oztorah.com, 1 +ozvoip.net, 1 +ozvolvo.org, 1 +ozyurttesisat.com, 1 +ozzie.fr, 1 +ozzyfant.de, 1 +p-art.design, 1 +p-fent.ch, 1 +p-home.tk, 1 +p-insurgence.com, 1 +p-k-b.com, 1 +p-konto.tk, 1 +p-ku.com, 1 +p-p.site, 1 +p-pac.com, 0 +p-pc.de, 1 +p-t.io, 1 +p.ac, 1 +p.lu, 1 +p.sb, 1 +p02.de, 1 +p0l.de, 1 +p1-acc.nl, 1 +p1-apps.nl, 1 +p1-test.nl, 1 +p10.ru, 0 +p1984.nl, 0 +p1cn.com, 1 +p1group.com, 1 +p1ratrulezzz.me, 1 +p22.co, 1 +p2enews.com, 1 +p2p-tv.tk, 1 +p2pool.observer, 1 +p2r.ru, 1 +p3.marketing, 1 +p30mororgar.ir, 1 +p333aa.com, 1 +p333b.net, 1 +p333e.net, 1 +p333j.net, 0 +p35consulting.com, 1 +p36533.com, 1 +p3medicalinc.com, 1 +p3ter.fr, 1 +p4.pm, 1 +p4c-admin.azurewebsites.net, 1 +p4p.click, 1 +p4plus2.com, 1 +p4t.co, 1 +p5197.co, 1 +p5r.uk, 1 +p6729.co, 1 +p6957.co, 1 +p7jl.com, 1 +p7m.de, 1 +p7m.eu, 1 +p7sesvhc.com, 1 +p82365.com, 1 +p8r.de, 1 +p91aa.com, 1 +p9297.co, 1 +p9728.co, 1 +p99perf.com, 1 +p99performance.com, 1 +p9cq.com, 1 +p9d1.com, 1 +pa-w.de, 1 +pa.search.yahoo.com, 0 +pa1ch.fr, 1 +pa5am.nl, 1 +paack.co, 1 +paack.com, 1 +paal.network, 1 +paanews.com, 1 +paarberatung-hn.de, 1 +paardekoopergroup.com, 1 +paardenhulp.nl, 1 +paardensportbak.nl, 1 +paarissohail.tk, 1 +paaseiland.org, 1 +paaspasst.de, 1 +paass.net, 0 +paaster.io, 0 +paazmaya.fi, 1 +pabio.com, 1 +pablikado.cz, 1 +pablo-serrano.com, 1 +pablo-sky.tk, 1 +pablo.im, 0 +pablo.io, 1 +pablo.scot, 1 +pablo.sh, 1 +pabloarcuri.com, 1 +pabloartea.ga, 1 +pabloarteaga.co.uk, 1 +pabloarteaga.com, 1 +pabloarteaga.com.es, 1 +pabloarteaga.es, 1 +pabloarteaga.eu, 1 +pabloarteaga.info, 1 +pabloarteaga.me, 1 +pabloarteaga.name, 1 +pabloarteaga.net, 1 +pabloarteaga.nom.es, 1 +pabloarteaga.org, 1 +pabloarteaga.science, 1 +pabloarteaga.tech, 1 +pabloarteaga.uk, 1 +pabloarteaga.xyz, 1 +pablocamino.tk, 1 +pablocelorio.com, 1 +pablofain.com, 0 +pablofonta.es, 1 +pablolopezlujan.es, 1 +pablomachado.tk, 1 +pablomolina.tk, 1 +pablomoreno.tk, 1 +pablonadiecomotu.tk, 1 +pabloroblesminister.com, 1 +pablosaraiva.com, 1 +pabpunk.tk, 1 +pacas-solution.it, 1 +pacatlantic.com, 1 +pacay.id, 1 +pacch.io, 1 +pacco.tk, 1 +paccolat.name, 1 +pace.car, 0 +pace.cool, 1 +pacecare.com, 1 +pacecounsel.com, 1 +paceda.nl, 1 +pacelink.de, 1 +pacem.global, 1 +pacemakers.ml, 1 +pacemigration.com.au, 0 +pacenterforhearingandbalance.com, 1 +pachaiyappas.org, 1 +pachalingo.tk, 1 +pachamamaproduct.com, 1 +pachamamita.de, 1 +pachinstyle.com, 1 +pachuca.social, 1 +pachuta.pl, 1 +pacificaent.net, 1 +pacificarperu.com, 1 +pacificbags.com.au, 1 +pacificbeachpub.com, 1 +pacificblue.kiwi, 1 +pacificblue.software, 1 +pacificcashforcars.com.au, 1 +pacificcoast.com, 1 +pacificcycling.ga, 1 +pacificgynsurgicalgroup.com, 1 +pacifichospitalists.com, 1 +pacificislander.org, 1 +pacifico.com.pe, 1 +pacificocooler.com, 1 +pacificpackaging.com.au, 1 +pacificpalisadeselectric.com, 1 +pacificpalisadeselectrical.com, 1 +pacificpalisadeslandscapelighting.com, 1 +pacificpalisadeslighting.com, 1 +pacificprivatebank.com, 1 +pacificpuke.com, 1 +pacificrimcollege.online, 1 +pacificscience.com, 1 +pacificstandard.com, 1 +pacificstates.net, 1 +pacifictechnologie.com, 1 +pacifique-web.nc, 1 +pacifistka.tk, 1 +pack-haus.de, 1 +pack.com.ua, 1 +pack.rocks, 1 +pack1537.org, 1 +pack183.com, 1 +pack50cubs.org, 1 +packagestours.com, 1 +packaging-design.net, 1 +packaginghouse.co.nz, 1 +packagingproject.management, 1 +packagist.jp, 1 +packagist.org, 0 +packair.com, 1 +packandseal.in, 1 +packedagain.com, 1 +packer.io, 0 +packetapp.ru, 1 +packetcrash.net, 1 +packetfabric.com, 1 +packetlinux.com, 1 +packetmail.net, 1 +packetnomad.net, 1 +packetoverflow.com, 1 +packlane.com, 1 +packliberte.org, 1 +packservice.es, 1 +packservice.it, 1 +packtracking.org, 1 +packwire.com, 1 +paclease.com.my, 1 +pacman.ltd, 1 +pacobarbera.tk, 1 +pacoda.de, 0 +pacogarcia.tk, 1 +pacogorzados.tk, 1 +pacot.es, 1 +pacpost.live, 1 +pact2017.nl, 1 +pactandoconlamoda.com, 1 +pacteo.com, 1 +pactf-flag-4boxdpa21ogonzkcrs9p.com, 1 +pactf.com, 1 +pactrol.com, 1 +pacxodka.ru, 1 +paczkadlawieznia.pl, 1 +paczkahigieniczna.pl, 1 +paczkazywnosciowa.pl, 1 +pad.wf, 1 +padam-group.com, 1 +padberx-marketing-consultants.de, 1 +padderne.tk, 1 +paddestoelen-encyclopedie.tk, 1 +paddle4ever.hu, 1 +paddy.rocks, 1 +padichota.tk, 1 +padisahbilisim.tk, 1 +padle.ml, 1 +padmagroup.com, 1 +padovaoggi.it, 1 +padpilot.co, 1 +padremiguel.pt, 1 +padron.com.es, 1 +padshah.tk, 1 +paducaheic.com, 1 +padzilla.com, 1 +pae.com, 1 +paedlink.ca, 1 +paegae.gr, 1 +paermartinsson.se, 1 +paesa.es, 1 +paesi.info, 1 +paff.xyz, 1 +paga.red, 1 +pagalnew.com, 1 +pagalofacil.com, 1 +pagalworld-news.ml, 1 +pagalworld.com, 1 +pagalworld.mobi, 1 +pagalworld.name, 1 +pagalworld.us, 1 +pagamesssddr.com, 1 +pagancollective.cf, 1 +paganismguide.com, 1 +paganistisch-forum.tk, 1 +pagatuarriendo.cl, 1 +pagbitcoin.com, 1 +page, 1 +page-engine.tk, 1 +page-speed.ru, 1 +page.lgbt, 1 +page12.tk, 1 +pageboard.fr, 1 +pageboard.io, 1 +pagecdn.io, 1 +pagedesignhub.com, 1 +pagedesignpro.com, 1 +pagedesignshop.com, 1 +pagedesignweb.com, 1 +pagefulloflies.io, 1 +pagenews.tk, 1 +pagenstedt.de, 1 +pagepapi.com, 1 +pagerange.com, 1 +pagerduty.com, 1 +pages-tocaven.com, 1 +pagesdemo.xyz, 1 +pagespeaker.com, 1 +pagespeedwizard.com, 1 +pagestash.net, 1 +pageuppeople.com, 1 +pagevitals.com, 1 +pagewizz.com, 1 +pagexl.com, 1 +pagiamtzis.com, 1 +pagina394.com.br, 1 +paginamaravillosa.tk, 1 +paging.blog, 0 +pagliucadb.ddns.net, 1 +pagodart.com.br, 1 +pagueveloz.com.br, 1 +paguponku.com, 1 +pagure.io, 1 +pagure.org, 1 +pahadee.coffee, 1 +pahe.win, 1 +pahealthbilling.com, 1 +pahira.gq, 1 +paho.org, 1 +pahom.gq, 1 +pahrumpnv.gov, 1 +pahui.cf, 1 +pahui.ml, 1 +pahuudenanatomia.fi, 1 +paide.edu.ee, 1 +paidnaija.com, 0 +paidsurveys.tk, 1 +paidtocode.com, 1 +paidtodesign.com, 1 +paidtodev.com, 1 +paiementdp.com, 1 +paiementpasseport-mali.com, 1 +paige.ai, 1 +paigejulianne.com, 1 +paigethegeek.com, 1 +paiinternational.in, 1 +painart.ru, 1 +paincareehr.com, 1 +painclinic.tk, 1 +paincore.tk, 1 +paindata.dk, 1 +paine.tv, 1 +painefamily.co.uk, 1 +painesvillemunicipalcourt-ohio.gov, 1 +painfreenyc.com, 1 +painful.fun, 1 +painkiller-tech.com, 1 +painkillercart.com, 1 +paint-it.pink, 1 +paint4.life, 1 +paintball-ljubljana.si, 1 +paintball-shop.sk, 1 +paintballer.co, 1 +paintbrush.ga, 1 +paintcolorsbysue.com, 1 +painted-designs.tk, 1 +painteddesertfrenchies.com, 1 +paintingindurban.co.za, 1 +paintingrepair.ga, 1 +paintlabcustom.com.br, 1 +paintpaina.com, 1 +paintprotectionfilm.store, 1 +paintscratch.com, 1 +paio2-rec.com, 1 +paipuman.jp, 1 +paireepinart.com, 1 +pairsclassifiedads.tk, 1 +paisa-dev.azurewebsites.net, 1 +paisleyandsparrow.com, 1 +paistation.ch, 1 +paivafernandes.com.br, 1 +pajadam.me, 1 +pajamka.com.ua, 1 +pajbot.de, 1 +pajobsite.com, 1 +pajuvuo.fi, 1 +pak-kazan.ru, 1 +pakal.org, 1 +pakaranggrek.com, 1 +paket.monster, 1 +paketbox-systems.at, 1 +paketverfolgung.info, 1 +paketwatch.de, 0 +paketwisataliburan.com, 1 +pakeystonesaves.gov, 1 +pakeystonescholars.gov, 1 +pakfactory.com, 1 +pakforces.tk, 1 +pakho.xyz, 1 +pakingas.lt, 1 +pakistan24.tk, 1 +pakistanblogger.tk, 1 +pakistanheadline.tk, 1 +pakistanichatzone.com, 1 +pakistanientertainers.ga, 1 +pakistanmusic.tk, 1 +pakistanpost.ga, 1 +pakitow.fr, 1 +pakjefooi.be, 1 +pakjefooi.com, 1 +pakjefooi.email, 1 +pakjefooi.eu, 1 +pakjefooi.net, 1 +pakjefooi.nl, 1 +pakjefooi.org, 1 +pakkibaat.tk, 1 +pakmarkas.lt, 1 +pakmedia.tk, 1 +paknetworking.org, 1 +pakostane-apartments.tk, 1 +pakpak.tk, 1 +pakpedia.pk, 1 +pakremit.com, 1 +paksui-ne.tk, 1 +palabr.as, 1 +palaceitalia.tk, 1 +palacezamkidwory.com, 1 +paladin.wtf, 1 +paladini.tk, 1 +palaisfrance.com, 1 +palakkad.tk, 1 +palamaailmalta.fi, 1 +palant.info, 1 +palantir.com, 1 +palariviera.com, 1 +palatin.at, 1 +palatineil.gov, 1 +palationtrade.com, 1 +palatte.ml, 1 +palau-pizza.fr, 1 +palavalbasket.it, 1 +palavatv.com, 1 +palawan.jp, 0 +palazzo.work, 1 +palazzodellasalute.it, 1 +palazzofiano.it, 1 +palem.com, 1 +palenque.tk, 1 +paleo.io, 1 +paleodietfoodlist.com, 1 +paleodietrecipes.com, 1 +paleografie.tk, 1 +paleonora.tk, 1 +paleontologiadebagua.tk, 1 +paleoself.com, 1 +paleoso.com, 1 +paleosquawk.com, 1 +palermoantagonista.tk, 1 +palermofc.com, 1 +palermofilmfestival.tk, 1 +palermopride.it, 1 +palermotoday.it, 1 +paless-aless.by, 1 +palessit.com, 1 +palestra.roma.it, 1 +palestraspimentel.com, 1 +paletdecor.com.ua, 1 +palette26.com, 1 +paletten.tk, 1 +palfut.com, 1 +paliucuiciucci.tk, 1 +palkiviadika.ru, 1 +palladium46.com, 1 +palladiumprivate.com, 1 +pallavibhattdesigns.com, 1 +pallavihautecouture.com, 1 +palletflow.com, 1 +palletsprojects.com, 0 +pallhed.se, 1 +palli.ch, 0 +palliativ-del.de, 1 +palmaprop.com, 1 +palmarinaestrada.com.br, 1 +palmatin.com, 1 +palmbayfl.gov, 1 +palmbeachbusinessbroker.com, 1 +palmbeachcounty-fl.gov, 1 +palmbeachcuisine.com, 1 +palmbeachelections.gov, 1 +palmbeachvotes.gov, 1 +palmcoast.gov, 1 +palmcoastbusinessnetwork.com, 1 +palmdesert.gov, 1 +palmedconsultants.com, 1 +palmedconsultants.org, 1 +palmen-apotheke.de, 1 +palmettogba.com, 1 +palmex.com, 1 +palmfan.com, 1 +palmiye.tk, 1 +palmlivingae.com, 1 +palmofinfinity.tk, 1 +palmyramo.gov, 1 +palner.eu, 1 +paloalto.gov, 1 +paloma.tk, 1 +palomalopez.tk, 1 +palomardisplays.com, 1 +palominorp.tk, 1 +palonhs.tk, 1 +palotahaz.hu, 1 +palpitediario.com.br, 1 +paltopro.com, 1 +palworld.cn, 1 +pamajans.com, 0 +pamaniqu.nl, 1 +pamc.tk, 1 +pamiers-citoyenne.fr, 1 +pamlightdesign.com, 1 +pamm.tk, 1 +pamontecarloclub.tk, 1 +pamorana.net, 1 +pamsorel.co.za, 1 +pamukhaliyikama.net, 1 +pamvo.com, 1 +pan-lleveme.com, 1 +pan-portugal.com, 1 +pan.digital, 1 +pana4ucloud.ddns.net, 1 +panaceainfosec.com, 1 +panamacity.gov, 1 +panamacitypolice.gov, 1 +panamatravel.tk, 1 +panamatrippin.com, 1 +panamawebfactory.com, 1 +panangelium.tk, 1 +panasca.is, 1 +panascais.at, 1 +panascais.ch, 1 +panascais.co, 1 +panascais.com, 1 +panascais.cz, 1 +panascais.es, 1 +panascais.fi, 1 +panascais.fr, 1 +panascais.host, 1 +panascais.info, 1 +panascais.io, 1 +panascais.me, 1 +panascais.net, 1 +panascais.network, 1 +panascais.nl, 1 +panascais.org, 1 +panascais.pl, 1 +panascais.pt, 1 +panascais.pw, 1 +panascais.ru, 1 +panascais.site, 1 +panascais.tech, 1 +panascais.us, 1 +panascais.zone, 1 +panasproducciones.com, 1 +panaxis.biz, 1 +panaxis.ch, 1 +panaxis.li, 1 +pancake-world.com, 1 +pancake.gg, 1 +pancani.it, 1 +panchajanyafashions.com, 1 +panda-community.com, 1 +panda-craft.tk, 1 +panda-lang.net, 1 +panda-life.tk, 1 +panda.tf, 1 +pandababy.bg, 1 +pandacbd.com, 1 +pandadoc.com, 1 +pandagiftimport.com, 1 +pandahut.net, 1 +pandakid.tk, 1 +pandalab.care, 1 +pandaltd.nl, 0 +pandamo.pl, 1 +pandamoto.fr, 1 +pandapsy.com, 1 +pandasilk.com, 1 +pandavpn.pro, 1 +pandavpnpro.com, 1 +pandelys.tk, 1 +pandemicflu.gov, 1 +pandemicoversight.gov, 1 +pandillatel.ml, 1 +pandit.tech, 1 +pandithaya.tk, 1 +pandjes.com, 1 +pandkonijn.nl, 1 +pandn-bulgaria.com, 1 +pando-market.com, 1 +pandora-prestige.ru, 1 +pandora-system.ru, 1 +pandora.com.tr, 1 +pandoramutiara.id, 1 +pandorarox.com, 1 +pandorrah.nl, 1 +pandorum.cf, 1 +panduan-hamil.tk, 1 +pandymic.com, 1 +pandys.org, 1 +panel-stroy.cf, 1 +panelbear.com, 1 +paneldewelopera.pl, 1 +paneldoorsolutions.com, 1 +paneldoorsolutions.de, 1 +panele-fotowoltaiczne.pl, 1 +paneljobsers.ga, 1 +panelsandwich.com, 1 +panetolikos.gr, 1 +paneu.de, 1 +panezai.tk, 1 +pang.ga, 1 +pangea-it.com, 1 +pangea.cloud, 1 +pangeaservices.com, 1 +pangolin.exchange, 0 +pangoly.com, 1 +panhandleprairiewings.com, 1 +panhardclub.nl, 0 +panheelstraat.tk, 1 +panic-away.tk, 1 +panic.tk, 1 +panicroomgames.ch, 1 +panictours.tk, 1 +panier-legumes.bio, 1 +panierscadeauxinternationaux.com, 1 +paniigielka.pl, 1 +paniniamerica.net, 1 +panino.gr, 1 +paninohome.com, 1 +paniodpolskiego.eu, 1 +paniyanovska.ua, 1 +panjiva.com, 1 +pankiewiczlaw.com, 1 +pankoff.net, 1 +panlex.org, 1 +panmill.xyz, 1 +panmuseum.gr, 1 +panna-blues.tk, 1 +panneauxpropres.be, 1 +pannellisolari.roma.it, 1 +pannovate.com, 1 +pano-guru.com, 1 +pano.ie, 1 +panoramacambios.com, 1 +panoramahillhotel.com, 1 +panoramaphoto.cf, 1 +panoramica.tk, 1 +panoramique.tk, 1 +panoramiquesorganya.tk, 1 +panoramixbycallens.eu, 1 +panoraven.com, 1 +panorays.com, 1 +panoti.com, 0 +panpsychism.com, 1 +panpsychist.com, 1 +pansec.de, 1 +panser.dk, 1 +pansermuseet.com, 1 +pansermuseet.dk, 1 +pansermuseum.dk, 1 +pansino.net, 1 +pansion-differently.tk, 1 +pansionat-himik.ru, 1 +panskeet.xyz, 1 +pansys.de, 1 +panszelescik.pl, 1 +pantagraph.com, 1 +pantai.com.my, 0 +pantallanotebook.cl, 1 +pantallasyescenarios.com, 0 +pantas.com, 1 +pantera.tk, 1 +panthenolplus.co.uk, 1 +panthenolplus.com, 1 +pantheoncommunity.org, 1 +pantherage.co.uk, 1 +panthercitysand.com, 1 +panthi.lk, 1 +pantingly.tk, 1 +pantonshire.com, 1 +pantou.org, 0 +pantryjars.com, 1 +pants-off.xyz, 0 +pantsu.club, 1 +pantsuservice.tk, 1 +pantuflas.tk, 1 +pantypit.com, 1 +panwchi.com, 1 +panyajt.in.th, 1 +panzdravi.cz, 1 +panzer72.ru, 1 +panzers.tk, 1 +panzerwarmodsru.tk, 1 +pao.moe, 1 +paocaibang.net, 1 +paocloud.co.th, 1 +paolodapul.net, 1 +paolodemichele.it, 0 +paolomargari.tk, 1 +paolomarzano.com, 1 +paolomoriggia.com, 1 +paolotagliaferri.com, 1 +paotang.in.th, 1 +paoyou.ml, 1 +pap-pap.ga, 1 +pap.la, 0 +papa---mama.tk, 1 +papa-online.tk, 1 +papa-webzeit.de, 1 +papabrand.tk, 1 +papadoccaffe.pt, 1 +papadopoulos.me, 1 +papaimama.ru, 1 +papajohns.com.ec, 1 +papakarlohas.ru, 1 +papakarlotools.ru, 1 +papakatsu-life.com, 1 +papapa-members.club, 1 +paparazzie.de, 1 +paparazzo.net, 1 +paparoach-fans.ru, 1 +papastratosmazi.gr, 1 +papatest24.de, 1 +papattesstore.com, 1 +papaya.me.uk, 1 +papayapay.com, 1 +papayapythons.com, 1 +papelariaestacaodopapel.com.br, 1 +papelcraft.co.uk, 1 +papeleo.digital, 1 +papelisimo.es, 1 +paper-cutter.com, 1 +paper.sc, 1 +paper.wf, 1 +paperandpage.com, 1 +papercanyon.com, 1 +paperhoney.by, 1 +paperless.spdns.eu, 1 +papermuseum.jp, 1 +paperplus.com.au, 0 +paperpress.gq, 1 +papersmart.net, 1 +papersowl.com, 1 +papertracker.net, 1 +paperwallets.io, 1 +paperwork.co.za, 1 +paperwritinghelp.net, 1 +paperwritten.com, 1 +papgift.com, 1 +papi.com, 1 +papieri.dental, 1 +papierniak.net, 1 +papierniczy.eu, 1 +papillegustative.com, 1 +papillon-events.be, 1 +papinido4ki.ru, 1 +papkinadochka.ru, 1 +papotage.net, 1 +papouille.ml, 1 +pappacoda.it, 1 +pappasappar.se, 1 +pappu.tk, 1 +pappubracelet.com, 0 +papuzkija.pl, 1 +paqtam.com, 1 +par-allel.ru, 1 +parabellum-barakaldo.tk, 1 +parabolaeditorial.com.br, 1 +parabooking.com, 1 +paraborsa.net, 1 +paracels.tk, 1 +parachute.gov, 1 +parachute.live, 1 +parachutes.tk, 1 +parachuteteam.co.uk, 1 +paracomer.es, 1 +parade-nootdorp.nl, 1 +paradex.io, 1 +paradies-baar.ch, 1 +paradiesgirls.ch, 1 +paradigma-med.ru, 1 +paradigmas.tk, 1 +paradigmshift.com.pk, 1 +paradiscapacitados.site, 1 +paradise-engineer.com, 1 +paradise-engineering.com, 1 +paradise-world.ml, 1 +paradiselost.com, 0 +paradisend.tk, 1 +paradiseprivatehospital.com, 1 +paradisestore.org, 1 +paradisetownshipmi.gov, 1 +paradisim.tk, 1 +paradisu.fr, 1 +paradopolis.com, 1 +paradoxdesigns.org, 1 +paradoxium.ml, 1 +paraelganzo.tk, 1 +parafarmacia.it, 1 +paragliding-lessons.com, 1 +paragonremodeling.com, 0 +paragonsigns.tk, 1 +paragontasarim.com, 1 +paragreen.net, 1 +paraguay.tk, 1 +parakazanmafikirleri.com, 1 +paralegaledu.org, 1 +paraleli.ge, 1 +parallel-creative.co.uk, 1 +parallel-worlds.tk, 1 +paralleum.cz, 1 +paraluman.be, 1 +paralysis.ga, 1 +paramapa.com.py, 1 +paramascotas.vip, 1 +paramithicy.com, 1 +paramloda.online, 1 +paramo-pineiro.tk, 1 +paramountbank.com, 1 +paramountdigitalcopy.com, 1 +paramusborough.gov, 1 +paranoid.is, 1 +paranoidandroid.co, 1 +paranoidandroid.tk, 1 +paranoidpengu.in, 1 +paranoidpenguin.net, 1 +paranormales.tk, 1 +paranoxer.hu, 1 +paranoxido.tk, 1 +parapenteciconia.tk, 1 +parapickgames.ga, 1 +paraplyen.tk, 1 +parapsihologia.tk, 1 +parareflex.fr, 1 +paras.tk, 1 +parasatria.tk, 1 +paraserviceco.com, 1 +parasgroupindia.com, 1 +parasitologyclub.org, 1 +parasomnia.tk, 1 +parastaran.tk, 1 +parasympathy.com, 1 +paratlan.hu, 1 +paratlantalalkozas.hu, 1 +parattusdecora.com.br, 1 +paratupelo.com.es, 1 +paratxt.org, 1 +paraverse.tk, 1 +paravielfalt.zone, 1 +parazyd.cf, 1 +parcare.at, 1 +parcare.be, 1 +parcare.es, 1 +parcare.fr, 1 +parcare.nl, 1 +parcbotanique.com, 1 +parcelauditpartners.com, 1 +parceltrackr.com, 1 +parcelup.com, 1 +parchcraftaustralia.com, 1 +parcheggi-firenze.it, 1 +parcheggio-aeroportofiumicino.it, 1 +parcheggio-aeroportomalpensa.it, 1 +parckwart.de, 1 +parcoursup-nouvelle-caledonie.fr, 1 +parcoursup.fr, 1 +pardal.tk, 1 +pardanaud.com, 1 +paregion13.gov, 1 +parejaideal.es, 1 +parelectric.com, 1 +parelweb.nl, 1 +paremedical.au, 1 +paremvasi.net, 1 +parentelement.com, 1 +parenthood.guide, 1 +parentingplaydough.tk, 1 +parentinterview.com, 1 +parentpay.com, 1 +parentpayments.com.au, 1 +parents-as-allies.com, 1 +parentsandzebrasunited.com, 1 +parentsguidetotheworld.com, 1 +parentsintouch.co.uk, 1 +parentsmaster.com, 1 +parenttheirpassion.com, 1 +pareshukuk.com, 1 +paretoit.com, 1 +paretorule.cf, 1 +parfum-best.ml, 1 +parfumer.tk, 1 +parfumi-eu.com, 1 +parfumi.tk, 1 +parfumtester-100.ml, 1 +parfumuri.blog, 1 +parhelionaerospace.com, 1 +pari-match.in, 1 +pari-vinci.org, 1 +pari.cz, 1 +paribus.io, 1 +parichadrelax.se, 1 +parideal.com, 1 +parideal.de, 1 +paridokhtmoshkzad.com, 1 +paridurable.com, 1 +parikmag-pm.ru, 1 +parikmaxeru.tk, 1 +parimatch-best.com, 1 +parimatch-betting.com, 1 +parimatch-chance.com, 1 +parimatch-email.com, 1 +parimatch-live.com, 1 +parimatch-play.com, 1 +parimatch-plus.com, 1 +parimatch-sport.com, 1 +parimatch-sports.com, 1 +parimatch-world.com, 1 +parimatch.co.tz, 1 +parimatch.com, 1 +parimatch.in, 1 +parimatch.kz, 1 +parimatch.net, 1 +parimatch.tj, 1 +parimatch8.com, 1 +parimatchgo.com, 1 +parimatchlive.com, 1 +parimatchsports.com, 1 +parimatchtop.com, 1 +parina.vn, 1 +parinc.com, 1 +pario.li, 1 +paripesa.com, 1 +paripesa.ng, 1 +paris-elysees.com, 0 +paris-luttes.info, 1 +paris.edu, 1 +parisa-panahi.com, 1 +parisackerman.com, 1 +parisbesttravel.com, 1 +parisdeluxxxe.com, 1 +parisdimitriou.com, 1 +parisdomino.tk, 1 +parisescortgirls.com, 1 +parisfranceparking.com, 1 +parisfranceparking.de, 1 +parisfranceparking.fr, 1 +parisfranceparking.nl, 1 +parishoftheholycross.org, 1 +parishome.jp, 1 +parismalleg.com, 1 +parisportif.tv, 1 +parissportifs.com, 1 +pariu.online, 0 +parizhanka.tk, 1 +park-trek.com, 1 +park.gd, 1 +parkable.com, 1 +parkairecrossing.com, 1 +parkbee.com.br, 1 +parkcare.at, 1 +parkcare.be, 1 +parkcare.co.uk, 1 +parkcare.es, 1 +parkcare.fr, 1 +parkcare.it, 1 +parkcare.nl, 1 +parkcare.pt, 1 +parkcheap.nl, 1 +parkchesterinfo.com, 1 +parkcitycu.org, 1 +parkcounty-wy.gov, 1 +parkcountyco.gov, 1 +parkcountysheriff-wy.gov, 1 +parkderm.com, 1 +parked-domain.net, 1 +parkeer.nl, 1 +parkeerserviceboxtel.nl, 1 +parkefficient.de, 1 +parken-duesseldorfflughafen.de, 1 +parken-flughafenamsterdam.de, 1 +parken-flughafenbremen.de, 1 +parken-flughafendortmund.de, 1 +parken-flughafendresden.de, 1 +parken-flughafeneindhoven.de, 1 +parken-flughafenfrankfurt.de, 1 +parken-flughafenhahn.de, 1 +parken-flughafenhannover.de, 1 +parken-flughafenkoeln.de, 1 +parken-flughafennuernberg.de, 1 +parken-flughafenstuttgart.de, 1 +parken-flughafentegel.de, 1 +parken-flughafenweeze.de, 1 +parken-hamburgflughafen.de, 1 +parken-leipzigflughafen.de, 1 +parkenamflughafen.de, 1 +parkenflughafen-muenchen.de, 1 +parkenflughafenbrandenburg.de, 1 +parkenflughafenlelystad.de, 1 +parker-pllc.com, 1 +parkerco.gov, 1 +parkercs.cf, 1 +parkercs.ga, 1 +parkercs.gq, 1 +parkercs.ml, 1 +parkercs.tech, 1 +parkercs.tk, 1 +parkeren.in, 1 +parkerenamsterdamcentrum.nl, 1 +parkerenbremen-airport.nl, 1 +parkerenbrussel-airport.nl, 1 +parkerencharleroi-airport.nl, 1 +parkerendusseldorf-airport.nl, 1 +parkereneindhoven-airport.nl, 1 +parkerenfrankfurt-airport.nl, 1 +parkerengroningen-airport.nl, 1 +parkerenhahn-airport.nl, 1 +parkerenkeulen-airport.nl, 1 +parkerenlelystad-airport.nl, 1 +parkerenrotterdam-airport.nl, 1 +parkerenrotterdamcentrum.nl, 1 +parkerenschiphol-airport.nl, 1 +parkerenutrechtcentrum.nl, 1 +parkerenweeze-airport.nl, 1 +parkerforum.cf, 1 +parkerforum.tk, 1 +parkers.cf, 1 +parkers.co.uk, 1 +parkers.ga, 1 +parkers.gq, 1 +parkers.ml, 1 +parkers.tk, 1 +parkersweeper.com, 1 +parket.gq, 1 +parketsn.ru, 0 +parkettlegerhandwerk.eu, 1 +parking-aeropuertomadrid.es, 1 +parking-roissycharlesdegaulle.fr, 1 +parkingaeroport-beauvais.fr, 1 +parkingaeroport-bordeaux.fr, 1 +parkingaeroport-charleroi.be, 1 +parkingaeroport-marseille.fr, 1 +parkingaeroport-nantes.fr, 1 +parkingaeroport-nice.fr, 1 +parkingaeroport-orly.fr, 1 +parkingaeroport-zaventem.be, 1 +parkingaeropuerto-alicante.es, 1 +parkingaeropuerto-barcelona.es, 1 +parkingaeropuerto-bilbao.es, 1 +parkingaeropuerto-malaga.es, 1 +parkingaeropuerto-santander.es, 1 +parkingaeropuerto-sevilla.es, 1 +parkingaeropuerto-valencia.es, 1 +parkingcheap.co.uk, 1 +parkinggaragecleaningchicago.com, 1 +parkinggaragepressurewashingchicago.com, 1 +parkinginparis.fr, 1 +parkingmasters.be, 1 +parkingparisnord.fr, 1 +parkingtoday.com, 1 +parkinsons.tk, 1 +parkmycloud.com, 1 +parkofnations.com, 1 +parkos.com, 1 +parkos.de, 1 +parkos.it, 1 +parkos.nl, 1 +parkplus.in.ua, 0 +parkr.io, 0 +parkrangeredu.org, 1 +parkrunstats.servehttp.com, 1 +parkseed.com, 1 +parksi.top, 1 +parkstonegp.com, 1 +parkstreet.com, 1 +parksubaruoemparts.com, 1 +parktownpatrols.co.za, 1 +parktraum.com, 1 +parkujkladne.cz, 1 +parkvetgroup.com, 1 +parkviewmotorcompany.com, 1 +parkwayminyan.org, 1 +parkweiher.koeln, 1 +parkwhiz.com, 1 +parlakjurnal.com, 1 +parlament.cf, 1 +parlamento.gub.uy, 1 +parlamentum.com.br, 1 +parleamonluc.fr, 1 +parleu2016.nl, 1 +parleur.net, 1 +parliamentcamp.com, 1 +parmartecultura.it, 1 +parmatoday.it, 1 +parmels.com.br, 1 +parmoli.tk, 1 +parnassys.net, 1 +parniplus.com, 1 +parnizaziteksasko.cz, 1 +paroisses-theix-surzur.com, 1 +parokia.hu, 1 +parolededieu.org, 1 +paroli.pl, 1 +parolu.io, 1 +paronubi.com, 1 +parool.nl, 1 +parovozov.ga, 1 +paroxetine.gq, 1 +parperfeito.pt, 1 +parpharm.com, 1 +parque-batlle.tk, 1 +parquebatlle.tk, 1 +parquestejo.pt, 1 +parquettista.milano.it, 1 +parquettista.roma.it, 1 +parquettisti.roma.it, 1 +parratennis.com.au, 1 +parrocchiadimeana.tk, 1 +parrocchiamontevecchia.it, 1 +parroquiacorazondemaria.tk, 1 +parroquiadesanlesmes.tk, 1 +parrotbook.cf, 1 +parry.org, 1 +pars.work, 1 +parsdev.com, 0 +parsec.app, 1 +parsemail.org, 1 +parser.nu, 1 +parsi.com, 1 +parsify.eu, 1 +parsiko.com, 1 +parsonsfamilyhomes.com, 1 +parsonspdks.gov, 1 +parsuv.ir, 1 +part.la, 1 +partage.ovh, 1 +parteaga.com, 1 +parteaga.net, 1 +partecipa.tn.it, 1 +partedmagic.com, 1 +partenopei.net, 1 +parthkolekar.me, 1 +parthuisot.fr, 1 +particle-vision.ch, 1 +particles.cf, 1 +particleslam.com, 1 +partido-libertario.tk, 1 +partidolibertario.tk, 1 +partiellkorrekt.de, 1 +partigetir.com, 1 +partigoldendoodle.com, 1 +partii.tk, 1 +partijtjevoordevrijheid.nl, 0 +partijvoordedieren.nl, 1 +partilino.com, 1 +partin.nl, 0 +partiono.com, 1 +partir-en-livre.fr, 1 +partisaani.com, 1 +partisan-berlin.tk, 1 +partituras.tk, 1 +partner-compensation.com, 1 +partner-finden.tk, 1 +partnerbeam.com, 1 +partnerchik.tk, 1 +partnerforex.tk, 1 +partnermobil.de, 1 +partnerobzor.tk, 1 +partnerportal.io, 1 +partners1xbet.com, 1 +partners1xbit.com, 1 +partners1xslot.com, 1 +partners1xslots.com, 1 +partners4results.net, 1 +partnersbiz.com, 1 +partnersconsult.net, 1 +partnersofprc.com, 1 +partnertaxhub.com, 1 +partnerwerk.de, 0 +partofthequeue.cf, 1 +partofthequeue.ga, 1 +partofthequeue.gq, 1 +partofthequeue.ml, 1 +parts4phone.com, 0 +partsandmotorcycles.com, 1 +partsandscore.com, 1 +partsavto.tk, 1 +partsbox.com, 1 +partsbox.io, 1 +partscenterplus.com, 1 +partscov.ga, 1 +partscov.gq, 1 +partsdost.com, 1 +partsestore.com, 1 +partsgeek.com, 1 +partsguysusa.com, 1 +partsinstock.com, 1 +partsworld.bg, 1 +partusedtyres.net, 1 +party-kneipe-bar.com, 1 +party-time-inflatables-durham.co.uk, 1 +partyaccommodationsers.ga, 1 +partyaccommodationsest.ga, 1 +partyausstatter24.de, 1 +partyclub.tk, 1 +partycoin.ga, 1 +partyevents.tk, 1 +partygangsta.de, 1 +partyhireliverpool.co.uk, 1 +partykanal.cz, 1 +partymat.de, 1 +partymusikband.de, 1 +partypearl.de, 1 +partypeeps.tk, 1 +partyphoto.tk, 1 +partyrocksbounce.co.uk, 1 +partyschnaps.com, 1 +partyshop.ge, 1 +partytimeltd.ie, 1 +partywithunicorns.com, 1 +partyyy.io, 1 +partyzone.ie, 1 +paru-design.com, 1 +parvaneh.fr, 1 +parys.org, 1 +pasabahcemagazalari.com, 1 +pasadena.gov, 1 +pasadenapooch.org, 1 +pasarella.eu, 1 +pascal-bourhis.com, 1 +pascal-koelsch.de, 1 +pascal-ua.tk, 1 +pascal-wittmann.de, 1 +pascalchristen.ch, 1 +pascalgames.tk, 1 +pascalhargarter.de, 1 +pascaline-jouis.fr, 1 +pascalleguern.com, 1 +paschmid.ch, 1 +pascoaselecta.com, 1 +pascocountyfl.gov, 1 +pascoflcorrections.gov, 1 +pascopresents.com, 1 +pascosheriff.com, 1 +pascovotes.gov, 1 +pascualberniz.tk, 1 +pascualinmuebles.com, 1 +pasearch.nl, 1 +paseka-putilinyh.ru, 1 +paseodelariviera.com, 1 +pashminacachemire.com, 1 +paslc.gov, 1 +paslerfilm.de, 1 +pasnederland.tk, 1 +pasnine.my.id, 1 +pasportaservo.org, 1 +pasquinelli-truebag.ch, 1 +pass-jobcoaching.nl, 1 +passa.org, 1 +passabook.com, 1 +passau-webdesign.com, 1 +passbolt.com, 1 +passedport.eu, 1 +passedport.net, 1 +passedport.org, 1 +passegginieculle.it, 1 +passendonderwijs.nl, 0 +passengertravelportal.com, 1 +passer.ga, 1 +passer.tk, 1 +passfilesafe.com, 1 +passfindr.com, 1 +passfoto-deinfoto.ch, 1 +passgator.com, 1 +passieposse.nl, 1 +passinggrade.co.id, 1 +passion-billard.fr, 1 +passion-net.fr, 1 +passionatefoodie.co.uk, 1 +passionatehorsemanship.com, 1 +passionatelife.com.au, 1 +passiondesigns.web.id, 1 +passionebenessere.com, 1 +passionegriglia.com, 1 +passionforbusiness.com, 1 +passionpictures.eu, 1 +passions-art.com, 1 +passiton.com, 1 +passive-work.gq, 1 +passivebook.com, 1 +passiveseinkommen.tk, 1 +passivhaus.tk, 1 +passky.org, 1 +passover-fun.com, 1 +passphrase.today, 1 +passport.yandex.by, 1 +passport.yandex.com, 1 +passport.yandex.com.tr, 1 +passport.yandex.kz, 1 +passport.yandex.ru, 1 +passport.yandex.ua, 1 +passportapproved.com, 1 +passportcorporate.com, 1 +passports.govt.nz, 1 +passporttrails.com, 1 +passportunlimited.com, 1 +passrhce.com, 1 +passrhcsa.com, 1 +passthrough.com, 1 +passtooeasy.com, 1 +passumpsicbank.com, 1 +passvanille-reservation.fr, 1 +passvau.lt, 1 +passware.com, 1 +passwd.one, 1 +passwd.org, 1 +password-checker.de, 1 +password.codes, 1 +password.consulting, 1 +passwordgenerator.ml, 1 +passwordlist.io, 0 +passwords.google.com, 1 +passwordsapp.org, 1 +passwordscon.com, 1 +passwordscon.org, 1 +passwordsecurity.info, 1 +passwordsheeters.ga, 1 +passwordsheetest.ga, 1 +passwordsleakcheck-pa.googleapis.com, 1 +passworks.io, 1 +pasta-factory.co.il, 1 +pastaenprosecco.nl, 1 +pastaroomers.ga, 1 +pastaroomest.ga, 1 +paste.fedoraproject.org, 1 +paste.gg, 1 +paste.rodeo, 1 +paste.to, 1 +pastebin.bet, 1 +pastebin.run, 1 +pasteblin.com, 1 +pasteht.ml, 1 +pasteleriaflomar.es, 1 +pastelpixels.studio, 1 +pasternok.org, 1 +pasteros.io, 1 +pastetot.com, 1 +pasteworks.com, 1 +pasticceria.milano.it, 1 +pasticcerialorenzetti.com, 1 +pasticceriaveneziana.ga, 1 +pastillased.gq, 1 +pastinfluences.com.au, 1 +pastorbelgagroenendael.com.br, 1 +pastorcanadense.com.br, 1 +pastordocaucaso.com.br, 1 +pastorello.cf, 1 +pastorello.ga, 1 +pastorello.gq, 1 +pastori-kollegen.de, 1 +pastorluciano.tk, 1 +pastormaremanoabruzes.com.br, 1 +pastorsline.com, 1 +pastorsuico.com.br, 1 +pastry.network, 1 +pastrybakerymachinery.com, 1 +pasugo.tk, 1 +pasyta.gr, 1 +paszkowski.tk, 1 +patagonie.fr, 1 +patagosfm.tk, 1 +patalie.cz, 0 +patalie.sk, 0 +patanegra-jambon.fr, 1 +patanegra-prosciutto.it, 1 +patanegra-schinken.ch, 1 +patanegra-schinken.de, 1 +patapwn.com, 1 +patatbesteld.nl, 1 +patbatesremodeling.com, 0 +patchassociates.com, 1 +patchduty.com, 1 +patchli.fr, 1 +patchofabsence.com, 1 +patchstack.com, 0 +patchyvideo.com, 1 +patdorf.com, 1 +patechmasters.com, 1 +patel.sh, 1 +patelheaters.com, 1 +patent-motorowodny.pl, 1 +patent-sternika.pl, 1 +patentados.com, 1 +patentmanufaktur.video, 1 +patentpanelers.ga, 1 +patentpanelest.ga, 1 +patentu.ga, 1 +patentverwag.com, 1 +paterno-gaming.com, 1 +patersonpdnj.gov, 1 +patguzmanconstruction.com, 1 +pathfinderbank.com, 1 +pathfindergeo.com, 1 +pathofexile2.com, 1 +pathogen.nl, 1 +pathologie-dna.nl, 1 +pathsaversers.ga, 1 +pathsaversest.ga, 1 +pathsha.re, 1 +pathwayscenterforgrief.org, 1 +pathwayscenterforgriefandloss.org, 1 +pathwaysthroughgrief.org, 1 +pathwaytofaith.com, 1 +patience.nl, 1 +patient.info, 1 +patientenverfuegung.digital, 1 +patientup.com, 1 +patientys.com, 1 +patiga.ga, 1 +patikabiztositas.hu, 1 +patikakristaly.hu, 1 +patimbanservisindonesia.co.id, 1 +patin.cf, 1 +patineteselectricosbaratos.net, 1 +patioboreal.ca, 1 +patioroof.cf, 1 +patiosheders.ga, 1 +patioshedest.ga, 1 +patlis.com, 1 +patmanx.tk, 1 +patmos.tech, 0 +patorganiser.co.uk, 1 +patorganiser.com, 1 +patorganiser.com.au, 1 +patpat.com, 1 +patralos.at, 0 +patri.fr, 1 +patric-lenhart.de, 1 +patrice-carriere.tk, 1 +patriceonline.tk, 1 +patricia-lackovic.from.hr, 1 +patriciadelamora.tk, 1 +patriciakraken.at, 1 +patriciaramos.pt, 1 +patriciaroy.co, 1 +patrick-omland.eu, 1 +patrick-robrecht.de, 1 +patrick.dark.name, 1 +patrick.my-gateway.de, 1 +patrick21.ch, 1 +patrickaudley.ca, 1 +patrickaudley.com, 1 +patrickbusch.net, 1 +patrickcontainerrotator.ga, 1 +patrickdankers.nl, 1 +patrickhoefler.net, 1 +patrickpeeters.com, 1 +patrikjohan.cf, 1 +patrikjohan.ga, 1 +patrikjohan.gq, 1 +patrikjohan.tk, 1 +patriksima.cz, 1 +patrina-bukoting.my.id, 0 +patriotbailbondsdenver.com, 1 +patriotbearingsupply.com, 1 +patriotcs.tk, 1 +patriotinsurancebrokers.com, 1 +patriotsaustralia.com, 1 +patriquefashion.tk, 1 +patris-querre.com, 1 +patrisnews.com, 1 +patrocinio.com.br, 1 +patrogers.org, 1 +patrovic.com, 1 +patrycjamichera.com, 1 +patryk.cf, 1 +patrz.eu, 1 +patservicecenter.com, 1 +patsytoforyou.ch, 0 +pattanath.com, 1 +pattayafruitgarden.tk, 1 +pattayawebservices.com, 1 +patterico.com, 1 +pattern.com, 1 +pattersonca.gov, 1 +pattoes.ga, 1 +pattonfanatic.com, 1 +pattuka.com, 1 +pattyboobs.net, 1 +pattyliao.com, 1 +pauct.com, 1 +paudley.ca, 1 +paudley.com, 1 +paudley.org, 1 +pauk.at, 1 +paul-barton.co.uk, 1 +paul-online.tech, 1 +paul-sitarz.com, 1 +paul-zhang.de, 1 +paul.media, 1 +paul.reviews, 1 +paulahot.tk, 1 +paulandmadge.com, 1 +paulanet.tk, 1 +paulasilvasvensson.eu, 1 +paulbaily.com, 1 +paulborza.com, 1 +paulbramhall.uk, 1 +paulbrown.ddns.net, 1 +paulc-themovie.com, 1 +paulchua.tk, 1 +paulcloud.fr, 1 +paulcoldren.org, 1 +pauld.codes, 1 +pauldeconinck.tk, 1 +paulfc.com, 1 +paulgerberrealtors.com, 1 +paulgo.io, 1 +paulhacker.com, 1 +paulharrisoncars.com, 1 +paulibean.tk, 1 +paulinaschubert.net, 1 +paulini.ga, 1 +pauliuspiecius.com, 1 +pauljackson.ga, 1 +pauljamesblinds.co.uk, 1 +pauljmartinez.com, 1 +pauljrowland.co.uk, 1 +pauljzak.com, 1 +paullockaby.com, 1 +paullovestugba.nl, 1 +paulmarc.org, 1 +paulmarvin.tk, 1 +paulmolloy.guitars, 1 +paulmolloydesign.com, 1 +pauloalcalde.co, 1 +pauloalcalde.com, 1 +pauloalcobianeves.pt, 1 +paulober.eu, 1 +pauloboer.nl, 1 +paulocolacino.tk, 1 +paulogarcia.tk, 1 +pauloneto.eu, 1 +paulopaiva.com.br, 1 +paulopeters.com.br, 1 +paulorochago.com.br, 1 +paulov.com, 1 +paulov.info, 1 +paulov.ru, 1 +paulrainesjr.com, 1 +paulrobertlloyd.com, 1 +paulromer.net, 1 +paulrotter.de, 1 +paulrowland.co.uk, 1 +paulrudge.codes, 1 +paulschreiber.com, 1 +paulscustomauto.com, 1 +paulshir.com, 1 +paulshir.is, 1 +paulsitarz.com, 1 +paulsnar.lv, 1 +paulswartz.net, 1 +paultonspark.co.uk, 1 +paultrans-muenchen.de, 1 +paulus-foto.pl, 1 +paulus.cloud, 1 +paulw.io, 1 +paulward.net, 1 +paulwatabe.com, 1 +paulwatler.co.uk, 1 +paulwendelboe.com, 1 +paulwilhelm.de, 1 +pauly-stahlhandel.com, 1 +pauly-stahlhandel.de, 1 +paulzakin.com, 1 +paulzen.me, 1 +pausado.com, 1 +pausewhenagitated.com, 1 +pautadiaria.com, 1 +pavajebucovina.ro, 1 +pavamtio.cz, 1 +pavando.com, 0 +pavcomm.com, 1 +pavel.cc, 1 +paveldesign.tk, 1 +pavelfojt.cz, 1 +pavelfucik.com, 1 +pavelfucik.cz, 1 +pavelfucik.eu, 1 +pavelich.com, 1 +pavelitus.tk, 1 +paveljanda.com, 1 +pavelrebrov.com, 1 +pavelstriz.cz, 1 +paven.io, 0 +pavernosmatao.tk, 1 +paviliontwpmi.gov, 1 +pavingtiles.tk, 1 +pavitrajyotish.com, 0 +pavlic.se, 1 +pavlov-ledec.cz, 1 +pavlova.es, 1 +paw.cloud, 1 +paw.net.pl, 1 +paw.pt, 1 +pawafuru.com, 0 +pawapuro.ga, 1 +pawapuro.tk, 1 +pawchewgo.com, 1 +pawealthmanagement.com, 1 +pawel-international.com, 1 +pawelgo.pl, 1 +pawelnazaruk.com, 1 +pawelurbanek.com, 1 +pawelurbanski.com, 1 +pawgearlab.com, 1 +pawneecountyne.gov, 1 +pawnsoft.tk, 1 +pawp.com, 1 +pawpatrol.tk, 1 +pawpawtownshipmi.gov, 1 +pawserv.pw, 0 +pawsitiv.space, 1 +pawson.tk, 1 +pawspetwear.com.au, 1 +pawsr.us, 1 +pawsru.org, 1 +pawtraitcaptures.com.au, 1 +paxerahealth.com, 1 +paxwinkel.nl, 1 +pay-online.in, 1 +pay.accountant, 1 +pay.apartments, 1 +pay.band, 1 +pay.basketball, 1 +pay.business, 1 +pay.catering, 1 +pay.cleaning, 1 +pay.condos, 1 +pay.construction, 1 +pay.contractors, 1 +pay.dance, 1 +pay.dentist, 1 +pay.dog, 1 +pay.engineer, 1 +pay.equipment, 1 +pay.faith, 1 +pay.flights, 1 +pay.football, 1 +pay.foundation, 1 +pay.gallery, 1 +pay.gov, 0 +pay.graphics, 1 +pay.hockey, 1 +pay.im, 1 +pay.insure, 1 +pay.investments, 1 +pay.kitchen, 1 +pay.lawyer, 1 +pay.llc, 1 +pay.memorial, 1 +pay.mg, 0 +pay.photography, 1 +pay.plumbing, 1 +pay.rent, 1 +pay.rentals, 1 +pay.repair, 1 +pay.sb, 1 +pay.school, 1 +pay.solar, 1 +pay.storage, 1 +pay.surf, 1 +pay.tennis, 1 +pay.ubuntu.com, 1 +pay.university, 1 +pay.video, 1 +pay.wedding, 1 +pay2keep.com, 1 +pay8522.com, 1 +paya.cat, 1 +payam.co.nz, 1 +payam.com.au, 1 +payat.io, 1 +paybackfx.com, 1 +payblog.org, 1 +payboy.biz, 1 +payboy.click, 1 +payboy.rocks, 1 +paybro.eu, 1 +paycardtech.com, 1 +paycentre.com, 1 +paycore.com, 1 +paycore.io, 1 +paydepot.com, 1 +paydoor9.com, 1 +payeasy.tech, 1 +payfare.com, 1 +payfazz.com, 1 +payforpeople.nl, 0 +paygvpn.com, 1 +payhub.jp, 1 +payjunction.com, 1 +payjunctionlabs.com, 1 +paykings.com, 1 +paylabs.co.id, 1 +paylessclinicers.ga, 1 +paylessclinicest.ga, 1 +paylessmealsers.ga, 1 +paylessmealsest.ga, 1 +paylike.io, 1 +paylike.se, 1 +payload.ca, 1 +paylocal.net, 0 +payme.io, 1 +payme.uz, 1 +payment-express.net, 1 +payment-network.com, 0 +payment.vet, 1 +paymentaccuracy.gov, 1 +paymentjs.com, 1 +payments.google.com, 1 +paymentworks.com, 1 +paymeservice.com, 1 +paymongo.com, 1 +paymongo.help, 1 +paymore.org, 1 +paymyphysician.com, 1 +paynexpay.com, 1 +paynuity.com, 1 +payonline-api.xyz, 1 +paypac.com.au, 1 +paypac.org, 1 +paypack.net.au, 1 +paypal.com, 1 +paypal.gift, 1 +paypaq.com, 1 +paypcns.co.uk, 1 +paypod.org, 1 +paypro.nl, 0 +payps.ru, 1 +payraise.us, 1 +payroll.ch, 0 +payroll.myftp.org, 1 +payrollhr.be, 1 +paysap.bt, 1 +paysbuy.com, 1 +paysbuy.net, 1 +paysbuy.org, 1 +payscevennes.fr, 1 +paysensei.com, 1 +paysera.com, 1 +paysera.ee, 1 +paysera.lt, 1 +payservices.com, 1 +paysitesreviews.net, 1 +payskins.xyz, 1 +payslipview.com, 1 +paysomeonetodomyonlineclasses.com, 1 +payspace.com, 1 +paystack.com, 1 +paystarkagency.com, 1 +paysys.jp, 1 +paytm.in, 1 +paytowriteessays.net, 1 +payu.com, 1 +payufin.in, 1 +payupay.ru, 1 +payvalida.com, 1 +paywait.com, 1 +payward.com, 1 +payzang.com, 1 +pazarlab.com, 1 +pazyarmonia.tk, 1 +pb-design.ch, 1 +pb-eatz.com, 1 +pb.ax, 0 +pba.org.uk, 1 +pback.se, 1 +pbbm.com.ph, 1 +pbc.gov, 1 +pbcables.tk, 1 +pbcknd.ml, 1 +pbcpao.gov, 1 +pbdigital.org, 0 +pbern.xyz, 1 +pbest.tk, 1 +pbgfl.gov, 1 +pbhs.co.uk, 1 +pbiexplorer.com, 1 +pbla.biz, 1 +pbmdiscounter.nl, 1 +pbo.vic.gov.au, 1 +pborn.eu, 1 +pbourhis.me, 1 +pbpe.tv, 1 +pbqs.site, 1 +pbr.so, 1 +pbraunschdash.com, 1 +pbrb.gov, 1 +pbrumby.com, 1 +pbsrmoto.com.au, 1 +pbsuite.com, 1 +pbwebdev.com, 1 +pbz.im, 1 +pc-center.tk, 1 +pc-mac.de, 1 +pc-master.pl, 1 +pc-pharma.com, 1 +pc-porady.pl, 1 +pc-remont.tk, 1 +pc-service.me, 1 +pc-servis-brno.com, 1 +pc-soft.gq, 1 +pc-soft.tk, 1 +pc-stuff.tk, 1 +pc-taskal.net, 1 +pc-tech.ga, 1 +pc-tweak.de, 1 +pc-warriors.com, 1 +pc.domains, 1 +pc28yc.com, 1 +pc94666.com, 1 +pcah.gov, 1 +pcast.gov, 1 +pcbarchitect.com, 1 +pcbfl.gov, 1 +pcbmarketing.gq, 1 +pcbmodel.com, 1 +pcbny.com, 1 +pcbooks.in, 1 +pcbricole.fr, 1 +pcbuildinggr.com, 1 +pccartel.com, 1 +pccc.co.za, 1 +pccdal.gov, 1 +pccegoa.org, 1 +pccomc.tk, 1 +pcdekegel.nl, 1 +pcdn.cf, 1 +pcdocjim.com, 1 +pcdomain.com, 1 +pcdroid.ga, 1 +pcdroid.tk, 1 +pcel.com, 1 +pcengines.com.au, 1 +pcexpress.tk, 1 +pcf-frankfurt.de, 1 +pcf.com, 1 +pcfdut.gov, 1 +pcfiles.ga, 1 +pcfunder.co.uk, 1 +pcgalleries.com, 1 +pcgamemc.com, 1 +pcgamingfreaks.at, 1 +pcgverademo.com, 1 +pchan.is, 1 +pchancs.com, 1 +pchelpforum.net, 1 +pci-e.net, 1 +pci4.org, 1 +pcie.ac, 1 +pcipal.com, 1 +pcisecuritystandards.org, 1 +pcissc.org, 1 +pckurzypd.sk, 1 +pclgroup.co.nz, 1 +pclicensekeys.com, 1 +pcloud.com, 1 +pclyst.com, 0 +pcmania.tk, 1 +pcmaw.com, 1 +pcminsk.by, 1 +pcmkrembangan.or.id, 1 +pcmobile.tech, 1 +pcmr.info, 1 +pcmr.rocks, 1 +pcmscientific.com, 1 +pcnaid.com, 1 +pcnetinc.com, 1 +pcnewsoft.tk, 1 +pcnotdienst-oldenburg-rastede.de, 1 +pcpao.gov, 1 +pcpasokh.ir, 1 +pcpirates.tk, 1 +pcplaza.tk, 1 +pcprkolo.pl, 1 +pcproblem.tk, 1 +pcpromaroc.ma, 1 +pcptest-api.azurewebsites.net, 1 +pcpuhastaja.tk, 1 +pcrab.ml, 1 +pcrecovery.ga, 1 +pcrobot.cz, 1 +pcrypt.org, 1 +pcsafe.cf, 1 +pcsbrasil.ml, 1 +pcscotus.gov, 1 +pcsetting.com, 1 +pcsolutionsofwillis.ga, 1 +pcsolutionsofwillis.gq, 1 +pcstoronto.ca, 0 +pcsuniverse.ga, 1 +pcsx2.net, 1 +pcsystem.co.uk, 1 +pctelecom.cf, 1 +pctelecom.ga, 1 +pctelecom.gq, 1 +pctelecom.ml, 1 +pctips.cf, 1 +pctips.gq, 1 +pctips.tk, 1 +pctonic.net, 1 +pctravel.ca, 1 +pctronicks.tk, 1 +pctrouble.net, 1 +pcunddruckerservice.de, 1 +pcunderground.com.ar, 1 +pcvalueservices.com.au, 0 +pcvirusclear.com, 1 +pcw.gov.ph, 1 +pcwdevtwebsite.azurewebsites.net, 1 +pcwiz2u.com, 1 +pcworld.pl, 1 +pcxserver.com, 1 +pd1rnt.nl, 1 +pdamerica.org, 1 +pdavislawgroup.com, 1 +pdax.ph, 1 +pdbj.org, 1 +pderas.com, 1 +pdf-archive.com, 0 +pdf-tool.fr, 1 +pdf.io, 1 +pdf4pro.com, 1 +pdfbear.com, 1 +pdfbook-dl.ml, 1 +pdfbooksonline.gq, 1 +pdfconvert.me, 1 +pdfflier.cf, 1 +pdfget.com, 1 +pdfko.com, 1 +pdflip.cf, 1 +pdfmanga.tk, 1 +pdfmint.com, 1 +pdfpassword.org, 1 +pdfpasswort.de, 1 +pdfpedia.cf, 1 +pdfprostore.cf, 1 +pdfquran.tk, 1 +pdfresizer.com, 1 +pdfsearches.com, 1 +pdfsheeters.ga, 1 +pdfsheetest.ga, 1 +pdihc.com, 1 +pdkrawczyk.com, 1 +pdmonroewi.gov, 1 +pdox.net, 1 +pdpa.ai, 1 +pds.police.uk, 1 +pdsk.ch, 1 +pdtech.ltd, 1 +pdtppfl.gov, 1 +pdvault.co, 1 +pe-bank.jp, 1 +pe-netz.de, 1 +pe-portal.de, 1 +pe.search.yahoo.com, 0 +pe7k.com, 1 +pe7k.de, 1 +pe7k.nl, 1 +peabodytile.com, 1 +peace-is-possible.net, 1 +peaceandjava.com, 1 +peaceandwool.com, 0 +peacedivorce.com, 1 +peaceexpoers.ga, 1 +peaceexpoest.ga, 1 +peacefulrock.com, 1 +peaceispossible.cc, 1 +peacekeeper.tk, 1 +peacekingpod.com, 1 +peacepiperanch.com, 1 +peacetourco.cf, 1 +peacewiththewild.co.uk, 1 +peachbuildingproducts.com, 1 +peachesandchampagne.com, 1 +peachstateaesthetics.com, 1 +peacock.onl, 1 +peacockn.com, 1 +peaici.fr, 1 +peak-careers.com, 1 +peakd.com, 1 +peakhillre.ga, 1 +peakperformance.hr, 1 +peaksalesrecruiting.com, 1 +peakseoservices.co.uk, 1 +peaksloth.com, 1 +peaksports.com, 0 +peaksupport.io, 1 +peakvets.co.uk, 1 +peanutbutter.com, 1 +peanutpay.de, 1 +peanutproductionsnyc.com, 1 +pearbloom.com, 1 +pearlcohen.com, 1 +pearle.nl, 1 +pearljamargentina.tk, 1 +pearloc.com, 1 +pearlsonly.ca, 1 +pearlsonly.com, 1 +pearlsonly.com.au, 1 +pearlsonly.de, 1 +pearlteethers.ga, 1 +pearlteethest.ga, 1 +pearson424.org, 1 +pearsonbsl.com, 1 +pearstudios.cf, 1 +pearvn.tk, 1 +peas-project.com, 1 +pease.co.nz, 1 +peathealth.co.nz, 1 +peatsuki.com, 1 +peawee.co.uk, 1 +peawo.com, 1 +pebblenest.uk, 1 +pebkac.gr, 0 +peblet.be, 1 +pebook.tk, 1 +pec-email.com, 1 +pec.net, 1 +pecadis.de, 1 +pecan.ai, 1 +pecetowicz.pl, 1 +pecheneg.tk, 1 +pechibani.by, 0 +pechka.tk, 1 +pechnik-negara.ru, 0 +pechonova.com, 1 +pecker-johnson.com, 1 +peckway.co.uk, 1 +pecmd.net, 1 +pecs.com, 1 +pecsusa.com, 1 +pect.com.pk, 1 +ped-bike.de, 1 +peda.net, 1 +pedago.it, 1 +pedagoplume.fr, 1 +pedaleuse.be, 1 +pedalia.cc, 1 +pedalirovanie.tk, 1 +pedalr.eu, 1 +peddals.com, 1 +peddy.dyndns.org, 1 +peddyland.tk, 1 +pediatersucha.sk, 1 +pediatricdentistrycenter.com, 1 +pediatricdentistslilburnga.com, 1 +pediatricorthopedic.com, 1 +pedicure-stadspolders.nl, 1 +pedicurean.nl, 1 +pedicureduiven.nl, 1 +pedicurepraktijkvelserbroek.nl, 1 +pedikura-vitu.cz, 1 +pedimanie.cz, 1 +pedimoda.com.br, 1 +pedo.house, 1 +pedodontie.ro, 1 +pedohunters.de, 1 +pedrazanoticias.tk, 1 +pedro.com.es, 1 +pedrobotias.tk, 1 +pedrolamas.com, 1 +pedrollo-ua.com, 1 +pedroministro.pt, 1 +pedromunoz.tk, 1 +pedrooliveira.tk, 1 +pedrosanto.tk, 1 +pedrosart.it, 1 +pedrosaurus.com, 1 +pedrosillo-delosaires.tk, 1 +pedrotimoteo.com, 1 +peduse.com, 1 +pedziran.com, 1 +peekier.com, 1 +peelawayyourpain.com, 1 +peels.fr, 1 +peen.ch, 1 +peenee.in.th, 1 +peenor.xyz, 1 +peep.gq, 1 +peer.travel, 1 +peerberry.com, 1 +peercraft.at, 1 +peercraft.be, 1 +peercraft.biz, 1 +peercraft.ch, 1 +peercraft.cn, 1 +peercraft.co.uk, 1 +peercraft.com, 1 +peercraft.de, 1 +peercraft.dk, 1 +peercraft.es, 1 +peercraft.eu, 1 +peercraft.fr, 1 +peercraft.info, 1 +peercraft.it, 1 +peercraft.net, 1 +peercraft.nl, 1 +peercraft.org, 1 +peercraft.pl, 1 +peercraft.pt, 1 +peercraft.se, 1 +peercraft.us, 1 +peerjs.com, 1 +peername.com, 1 +peerpressurecreative.com, 1 +peers-liste.de, 1 +peers.gq, 1 +peers.tk, 1 +peersquaders.ga, 1 +peersquadest.ga, 1 +peerview.com, 1 +peerviewpress.com, 1 +peervoice.com, 1 +peerweb.com, 1 +peerwebdc.tk, 1 +peetah.com, 0 +peetersport.ee, 1 +peew.de, 1 +peewee-design.tk, 1 +pefile.tk, 1 +pefisa.com.br, 1 +pegas-studio.net, 1 +pegasnet.tk, 1 +pegdown.org, 1 +pegrum.rocks, 1 +pegundugun.tk, 1 +peifeng.li, 1 +peifi.de, 0 +peinture-77.fr, 1 +peippo.at, 1 +peirong.me, 1 +pejic.nl, 1 +pekarstvivetvrzi.cz, 1 +pekcazip.com, 1 +peklostroj.cz, 1 +peklostroj.eu, 1 +peklostroj.sk, 1 +peko.com.mk, 1 +pelagicus.co.uk, 1 +pelajaran.co.id, 1 +pelanucto.cz, 1 +pelata.net, 1 +pelatihanwirausaha.com, 1 +peleti.at, 1 +pelgrimhof.be, 1 +pelhamalrecreation.gov, 1 +pelhamlibraryal.gov, 1 +pelhrimov-strmechy.tk, 1 +pelican.ie, 1 +pelicanottertailmn.gov, 1 +pelicans.tk, 1 +peliculaonline.tk, 1 +peliculaslatino.tk, 1 +pelikone.fi, 1 +pelinca.nl, 1 +pelis-online.net, 1 +pellegrino.ar, 1 +pellet.pordenone.it, 1 +pellet.roma.it, 1 +pelletgrillreviews.com, 1 +pelletizermill.com, 1 +pelletsprice.com, 1 +pelmeni.cf, 1 +pelmeniuralskie.tk, 1 +pelo.tk, 1 +pelopoplot.com, 0 +pelosanimais.org, 1 +pelotonimports.com, 1 +pelsu.fi, 1 +peluche.tk, 1 +peluqueriaalcobendas.es, 1 +peluqueriacanina.tk, 1 +peluqueriacaninacavecanem.es, 1 +pem-jp.co.uk, 1 +pemagrid.org, 1 +pemasalem.com, 1 +pembeteknoloji.com.tr, 1 +pembhi.com, 1 +pembinewi.gov, 1 +pemborongbangunan.id, 1 +pembrokenc.gov, 1 +pemdas.xyz, 1 +pemerintahkota.com, 1 +pemez.com, 1 +pems.gov.au, 1 +pen-sec.de, 1 +pen15art.tk, 1 +pena-party.tk, 1 +pena600.tk, 1 +penatizavarise.com, 1 +penaugustin.com, 1 +penbrookpa.gov, 1 +pencepay.com, 1 +pencil2d.org, 1 +pencillab.cn, 1 +penconsultants.com, 1 +pendidikan.co.id, 1 +pendletoncountyky.gov, 1 +pendletoncountywv.gov, 1 +pendriveapps.com, 1 +pendrivelinux.com, 1 +penedo.tk, 1 +penelopia.pl, 1 +penes.cf, 1 +penetrationstest.se, 1 +penfold.fr, 1 +pengajar.co.id, 1 +pengembangan-web-mp-pd.com, 1 +pengepung.com, 1 +pengi.me, 1 +pengisatelier.net, 1 +pengui.uk, 1 +penguin-stats.cn, 1 +penguin-stats.io, 1 +penguin.co.uk, 1 +penguinclientsystem.com, 1 +penguindominatrix.com, 1 +penguindrum.moe, 1 +penguinos.tk, 1 +penguinprotocols.com, 1 +penguinrandomhousegrupoeditorial.com, 1 +penguins.ca, 1 +penguinshome.tk, 1 +penguinvillage.info, 1 +pengumuman.id, 0 +penholder.ga, 1 +peni.tk, 1 +peniarth.cymru, 1 +peninsula360.com, 1 +penispumpen.se, 1 +pennan.tk, 1 +pennergold.net, 1 +pennhillspa.gov, 1 +pennsauken.gov, 1 +pennyapp.io, 0 +pennybot.tk, 1 +pennylane.com, 1 +pennymail.ga, 1 +pennywise.tk, 1 +peno1.tk, 1 +penopoly.cf, 1 +penopoly.ga, 1 +penopoly.gq, 1 +penopoly.ml, 1 +penopoly.tk, 1 +penorai.ru, 1 +penoray.ru, 1 +penosa.ga, 1 +penrite.pl, 1 +penrose.edu, 1 +pens-money.cf, 1 +pens-money.ga, 1 +pens-money.gq, 1 +pensacolafl.gov, 1 +pensacolawinterfest.org, 1 +pensador.com, 1 +pensador.info, 1 +pensatore.tk, 1 +pensia.tk, 1 +pensieridigitali.tk, 1 +pensierolaterale.tech, 1 +pensioenfonds-ey.nl, 1 +pension-am-alten-waschhaus.de, 1 +pension-chevaux.com, 1 +pension-haus-sonnenschein.de, 1 +pension-ua.tk, 1 +pension.ga, 1 +pensionchien.com, 1 +pensionecani.roma.it, 1 +pensioner-1000.tk, 1 +pensionesdominicanas.com, 1 +pensionstal.tk, 1 +pensiontrackerers.ga, 1 +pensiun.ga, 1 +pensiune-doina.ro, 1 +pensiunea-maria.tk, 1 +pensiunea-paco.ro, 1 +pensiunealido.ro, 1 +pentacodes.com, 0 +pentagon-area.tk, 1 +pentagonix.com.br, 1 +pentagram.cf, 1 +pentagram.me, 1 +pentagrid.ch, 1 +pentamexicali.tk, 1 +pentamultiservice.it, 1 +pentandra.com, 1 +pentaquin.com, 1 +pentaquin.net, 1 +pentatonik.tk, 1 +pentechmc.blog, 1 +pentekdograma.com, 1 +pentest.blog, 1 +pentesterlab.com, 1 +pentestit.com, 1 +pentestpartners.com, 1 +penthy.eu, 1 +pentofun.ch, 1 +pentoo.ch, 1 +pentools.org, 1 +pentopolimer.com, 1 +pentwatertownshipmi.gov, 1 +penuelaspr.gov, 1 +penultimategaming.com, 1 +penya.ga, 1 +penyavictorhernani.tk, 1 +penz.media, 1 +penza-on-line.tk, 1 +penza-today.tk, 1 +penzaonline.cf, 1 +penzionvzahrade.cz, 1 +people.deloitte, 1 +people2hire.co.uk, 1 +peopleandchange.nl, 1 +peoplecareeyesandteeth.com.au, 1 +peoplecarehealthinsurance.com, 1 +peoplecarehealthinsurance.com.au, 1 +peoplecareopticalanddental.au, 1 +peoplecareopticalanddental.com, 1 +peoplecareopticalanddental.com.au, 1 +peoplefinders.ml, 1 +peoplelikemeapp.com, 1 +peopleofcolorcareers.com, 1 +peopleplanetconnect.org, 1 +peoplesbankal.com, 0 +peoplescu.com, 1 +peoplesdecade.org, 1 +peopleskills4u.net, 1 +peoplesliberationfront.tk, 1 +peoplesoft-support.nl, 1 +peoplespets.co.uk, 1 +peoplesplatform.cf, 1 +peoplesplatform.tk, 1 +peoplesrepublicofchinasucks.com, 1 +peoplesrights.org, 1 +peoriacounty.gov, 1 +peoriaelections.gov, 1 +peoriaevents.com, 1 +peoriail.gov, 1 +peoriaparks-il.gov, 1 +pepe.cz, 1 +pepechkov.com, 1 +pepechkova.com, 1 +pepeelektro.sk, 1 +pepegol.it, 1 +pepegym.cz, 1 +pepemodelismo.com.br, 1 +pepenero.ma, 1 +peperiot.com, 1 +peperoni.tk, 1 +peperstraat.online, 1 +pepfar.gov, 1 +pepitadinamitastudios.com, 1 +pepix.pl, 1 +peplex.ddns.net, 1 +peplex.nl, 1 +peppelmedi.fi, 1 +pepperandpartner.com, 1 +peppermillinteriors.com, 1 +peppertalks.com, 1 +peppyflora.com, 1 +pepsi.investments, 1 +pepsipromos.com, 1 +pepta.net, 1 +pepul.com, 1 +pepul.tech, 1 +pepwaterproofingllc.com, 1 +peqal.cf, 1 +pequenaitalia.com.br, 1 +pequenas-historias.tk, 1 +pequenosbichos.com.br, 1 +pequenosfavoritos.com.br, 0 +per-olsson.se, 1 +peraavcilar.com, 1 +peracup.com.tr, 1 +perala.me, 1 +perali.com, 0 +peraparker.cz, 1 +perberestja.gq, 1 +perception-point.io, 1 +perceptive.pro, 1 +perceptyx.com, 1 +perchance.org, 1 +percherosdepared.es, 1 +percherosdepared.online, 1 +percolate.com, 1 +percussiontonal-forum.de, 1 +percy.io, 1 +percydutton.co.uk, 1 +percymagic.tk, 1 +perd.re, 1 +perdanabagus.tk, 1 +perdele-draperii.ro, 1 +perdita-capelli.tk, 1 +perdolyathlendr.tk, 1 +perecraft.com, 1 +peredovaya.tk, 1 +peredoz.tk, 1 +pereezd.ml, 1 +peregrinefund.org, 1 +peregrinus.es, 1 +perekodu.ee, 1 +peremena.ml, 1 +perenne.ee, 1 +perennialte.ch, 1 +perennialwomens.com, 1 +perera.net, 1 +peresypchanka.tk, 1 +pereuda.com, 1 +perevedi.org, 1 +perevedut.cf, 1 +perevod-tekst-pesni.ru, 1 +perewall.tk, 1 +perez-marrero.com, 1 +perezdecastro.org, 0 +perf-b2b.com, 1 +perf1.com, 1 +perfare.net, 1 +perfect-blog.com, 1 +perfect-carstyle.de, 1 +perfect-dream.tk, 1 +perfect-privacy.com, 1 +perfect-seo.ru, 1 +perfect-servers.com, 1 +perfect-tour.ro, 1 +perfect8.com.tw, 1 +perfectbalance.tech, 1 +perfectcloud.org, 1 +perfectcommunity.ga, 1 +perfecteclass.com.cy, 1 +perfectfocuseyecare.com, 1 +perfectgift.com, 0 +perfectgift.tk, 1 +perfectlyluxe.ml, 1 +perfectlyluxe.tk, 1 +perfectmatch.cf, 1 +perfectme.ml, 1 +perfectme.tk, 1 +perfectosidiotaspunk.tk, 1 +perfectplrarticles.ga, 1 +perfectpussypics.com, 1 +perfectsize.pl, 1 +perfectsnap.co.uk, 1 +perfectsoft.tk, 1 +perfecttits.net, 1 +perfectweb.today, 1 +perfectworldbot.tk, 1 +perfekt-style.com, 1 +perfekt2004.com, 1 +perfektesgewicht.com, 1 +perferxprecision.com, 1 +perfmatters.io, 1 +perfmed.ro, 1 +perforlabs.com, 1 +performance-advertising.de, 1 +performance.gov, 1 +performancehealth.com, 0 +performancematters.ie, 1 +performancerh.fr, 1 +performancerunningsolutions.com, 1 +performances-supervision.fr, 1 +performancetillagebolt.com, 1 +performancetransmission.net, 1 +performansguru.com, 1 +performing-art-schools.com, 1 +performingdreams.tk, 1 +performiptv.com, 1 +performiptv.net, 1 +performive.com, 1 +performpracticesolutions.com, 1 +perfumerie.tk, 1 +perfumes.com.br, 1 +perfumesloewe.com, 1 +perfumesweb.com.br, 1 +perfumki.tk, 1 +pergam.by, 0 +pergam.kz, 1 +pergamentka-apartments.cz, 1 +pericsope.gq, 1 +peridotcapitalpartners.com, 1 +perigon.ch, 1 +perini.com.au, 1 +perinton.gov, 1 +periodex.co, 1 +periodicojerez.info, 1 +periodicomirador.com, 1 +periodicopcion.tk, 1 +periodista.tk, 1 +periony.com, 1 +periosearch.tk, 1 +periscope.tv, 1 +periscopeup.com, 1 +perishablepress.com, 1 +peritos-informaticos.com, 1 +perkilo.eu, 1 +perksplus.com, 1 +perlbanjo.com, 1 +perlego.com, 1 +perlesdelumiere.com, 1 +perlina.co.il, 1 +perm-avia.ru, 1 +perm-jur.ch, 0 +perm-juridique.ch, 0 +perm-l2.tk, 1 +perma-batteries.com, 1 +permaculture.cf, 1 +permadi.id, 1 +permaditya.my.id, 1 +permajackofstlouis.com, 1 +permajackstlouis.com, 1 +permak.tk, 1 +permanence-juridique.com, 0 +permanencejuridique-ge.ch, 0 +permanencejuridique.com, 0 +permanencesecretariat.fr, 1 +permanentnyj-makiazh.ru, 1 +permarisk.gov, 1 +permaseal.net, 1 +permasealbasement.com, 1 +permasealbasementsystems.com, 1 +permasealplumbing.com, 1 +permasealwaterproofing.com, 1 +permaset.com.au, 1 +permeance108.com, 1 +permian-elec.com, 1 +permis-a-points-bordeaux.com, 1 +permis-a-points-montpellier.com, 1 +permis-apoints.com, 1 +permis-apoints.fr, 1 +permis.online, 1 +permiscoderoute.fr, 1 +permisecole.com, 1 +permistheorique.be, 1 +permistheoriqueenligne.be, 1 +permitting.gov, 1 +permutationcity.net, 1 +perniciousgames.com, 0 +pernod-ricard.io, 1 +peroduaselangor.com, 1 +peronmedya.com, 1 +perot.me, 1 +perpetual.ga, 1 +perpetualemotion.com, 1 +perpetuum.tk, 1 +perrau.lt, 0 +perreiraproperties.com, 1 +perretes.com.es, 1 +perritas.tk, 1 +perritos.tk, 1 +perron.ml, 1 +perroon.eu, 1 +perrybook.tk, 1 +perrycountyal.gov, 1 +perrycountyil.gov, 1 +perrycountyky.gov, 1 +perrycountymo.gov, 1 +perrycountytn.gov, 1 +perryvilleky.gov, 1 +perryvillemo.gov, 1 +pers-hr.tk, 1 +perscore.tk, 1 +perseo.tk, 1 +persephone.gr, 1 +persey-ssm.com.ua, 1 +persey.tk, 1 +persian-clan.tk, 1 +persiandating.tk, 1 +persianrom.com, 1 +persiart.shop, 1 +persiennexperten.se, 1 +persiennkompaniet.se, 1 +persistence.one, 1 +persistshields.org, 1 +persjrp.ca, 1 +perso.pl, 1 +persoform.ch, 1 +personabrindesbr.com.br, 1 +personacommunications.com.au, 1 +personal-genome.com, 1 +personal-scrum.de, 1 +personal-scrum.eu, 1 +personalaccidentsers.ga, 1 +personalaccidentsest.ga, 1 +personalfunctionaldata.net, 1 +personalhydroponics.com, 1 +personalidadmagnetica.com, 1 +personaliseyourwine.com.au, 1 +personalisiertegeschenke.tk, 1 +personalisiertesgeschenk.tk, 1 +personalityjunkie.com, 1 +personaljokes.cf, 1 +personaljokes.ml, 1 +personaljokesers.ga, 1 +personaljokesest.ga, 1 +personaljourneys.co.nz, 1 +personalnames.net.ru, 1 +personalpages.us, 1 +personalrecreationaltourguides.com, 1 +personaltrainer-senti.de, 1 +personaltraineredu.org, 1 +personalwebsite.services, 1 +personcar.com.br, 1 +persondatakonsulenterne.dk, 1 +personetics.com, 1 +personlookup.com.au, 1 +personnedisparue.fr, 1 +perspective-daily.de, 1 +perspective.com.tr, 0 +perspectives-de-voyage.com, 1 +perspectivum.com, 0 +perspektivwechsel-coaching.de, 0 +perspio.io, 1 +persson.im, 1 +persson.me, 1 +perssonsgarn.se, 1 +persuader-reports.gov, 1 +persuasionmatters.com, 1 +perswayze.com, 1 +perthhillsarmadale.com.au, 1 +perthpregnancycentre.com.au, 1 +perthtrains.net, 1 +perthunicyclists.tk, 1 +perthweekend.com.au, 1 +pertwarp.tk, 1 +perubusca.nl, 1 +perugamerz.tk, 1 +perugiatoday.it, 1 +peruil.gov, 1 +perulinks.tk, 1 +perun.wiki, 1 +perunderforos.tk, 1 +perunsoft.rs, 1 +perupoemas.tk, 1 +peruprogramadores.tk, 1 +perusal.eu, 1 +perusal.social, 1 +perusteet.tk, 1 +peruutetutlennot.fi, 1 +peruvianhairextension.tk, 1 +peruvianhumanhair.tk, 1 +peruvianphotography.com, 1 +peruviantravel.tk, 1 +pervacio.hu, 1 +perved.org, 1 +pervejshijistochnik.tk, 1 +perversa.cl, 1 +pervesk.lt, 1 +pervoklass.cf, 1 +pervomaysk-city.ml, 1 +perzeidi.hr, 1 +pesandansampai.tk, 1 +pesar.tk, 1 +pesc.ru, 1 +pescadorcomunicacao.com, 1 +pescamagnetica.pt, 1 +pescanetworks.tk, 1 +pescans.com, 1 +pescco.com.br, 1 +peshakoo.com, 1 +pesinatsizsenetle.com, 1 +pesitalia.tk, 1 +pesnik.tk, 1 +pesnitut.ga, 1 +pesquisasremuneradas.net, 1 +pessa-webdesign.tk, 1 +pessebrevivent-lallacuna.tk, 1 +pestalertsers.ga, 1 +pestalertsest.ga, 1 +pestcontrol.co.uk, 1 +pestdefense.com, 1 +pesterchum.online, 1 +pesterchum.xyz, 1 +pesthotelers.ga, 1 +pestici.de, 1 +pestkill.info, 1 +pestleandmortar.hk, 1 +pesto.video, 1 +pestpatrol.ga, 1 +pestpilis.hu, 1 +pestra.tk, 1 +pet-cat-accessories.ml, 1 +pet-distributor.cz, 1 +pet-guide.net, 1 +pet-hotel-mura.net, 1 +pet-net.tk, 1 +pet-tekk.co.uk, 1 +peta.tk, 1 +petabits.de, 1 +petabundant.ga, 1 +petal-ms.gov, 1 +petaladdin.com, 1 +petalkr.com, 1 +petalsoft.tk, 1 +petamazing.ga, 1 +petaouchnok.ch, 1 +petar.fyi, 1 +petblaster.ga, 1 +petblender.ga, 1 +petbooking.it, 1 +petbrowser.ga, 1 +petburial.cf, 1 +petcareonline.com, 1 +petcharte.ga, 1 +petclassy.ga, 1 +petclient.ga, 1 +petcollections.ga, 1 +petcollector.ga, 1 +petcolor.ga, 1 +petcounty.ga, 1 +petcrawler.ga, 1 +petdesign.tk, 1 +petdesigning.ga, 1 +petdir.ga, 1 +petdish.ga, 1 +petdollar.ga, 1 +peteacheredu.org, 1 +petech.ro, 1 +petelew.is, 1 +petemerges.com, 1 +petemerges.xyz, 1 +peter-r.co.uk, 1 +peter-taban.de, 1 +peter-zhu.ca, 1 +peter.org.ua, 1 +peterackermans.tk, 1 +peterandjoelle.co.uk, 1 +peterarcherbeyondvision.com, 0 +peterbarrett.ca, 1 +peterbischof.at, 1 +peterborgapps.com, 1 +peterboroughhydroponics.com, 1 +peterbruceharvey.com, 1 +peterbulckaen.tk, 1 +petercai.com, 1 +petercawthron.com, 1 +peterdavehello.org, 1 +peterfiorella.com, 1 +peterfolta.net, 1 +petergudo.tk, 1 +peterhall.au, 1 +peterheery.me, 0 +peterherman.tk, 1 +peterhome.cn, 1 +peterhome.tk, 1 +peterhuetz.at, 1 +peterhuetz.com, 1 +peterjin.org, 1 +peterjohnson.io, 1 +peterkotula.tk, 1 +peterkrivanek.com, 1 +peterkshultz.com, 0 +peterkuma.net, 1 +peterlajos.com, 1 +peterlew.is, 1 +peterlmai.com, 0 +petermaar.com, 1 +petermamo.com, 1 +petermuenster.tk, 1 +peteroerlemans.be, 1 +peterpauer.com, 1 +peterpiperpizza.com, 1 +peters.consulting, 1 +petersburgmi.gov, 1 +peterseninc.com, 1 +petersonbrosrealty.com, 0 +petersport.ee, 1 +petersson-gartengestaltung.de, 1 +petersweb.me.uk, 1 +petervaldesii.com, 0 +petervantriet.nl, 1 +peteryoungfineart.com, 1 +peteschmidt.com.au, 1 +petevagabond.com, 1 +petfa.ga, 1 +petfame.ga, 1 +petfeedback.ga, 1 +petfilter.tk, 1 +petfleet.ga, 1 +petflower.ga, 1 +petfolder.ga, 1 +petgeo.ga, 1 +petgrow.ga, 1 +petgun.ga, 1 +pethandsome.ga, 1 +pethard.ga, 1 +petherwick.co.uk, 1 +petherwick.com, 1 +peticion.tk, 1 +petimagine.ga, 1 +petit-archer.com, 1 +petit-bebe.fr, 1 +petitbleu.fr, 1 +petite-annonce.tk, 1 +petite-maison.ch, 0 +petiteframes.com, 1 +petitenympha.com, 1 +petitions.by, 1 +petitions.pro, 1 +petitmaison.net, 1 +petitnuagephotographie.be, 1 +petitsfrenchies.com, 1 +petitsfreresdespauvres.fr, 1 +petitu.mx, 1 +petjoy.co.za, 1 +petkiss.ga, 1 +petknight.ga, 1 +petless.ga, 1 +petlife.od.ua, 1 +petlife.vet, 1 +petlittle.ga, 1 +petmall.bg, 1 +petmatchmaker.org, 1 +petmegoo.com, 1 +petmessenger.ga, 1 +petmetric.ga, 1 +petnatural.ga, 1 +petnight.ga, 1 +petnow.gr, 1 +petopedia.ga, 1 +petopplis.ga, 1 +petops.de, 1 +petos.tk, 1 +petover.ga, 1 +petpedia.co, 1 +petpipe.ga, 1 +petpower.eu, 1 +petpuppy.tk, 1 +petr.as, 1 +petr.se, 1 +petr22shcool.tk, 1 +petra-toroid.ro, 1 +petrachuk.ru, 1 +petrally.ga, 1 +petrarca.tk, 1 +petras-pfotenuni.de, 1 +petrates.ga, 1 +petredhot.ga, 1 +petrequest.ga, 1 +petrichorsolutions.co, 1 +petrkulik.cz, 1 +petrocheminc.com, 1 +petrochemprojects.ga, 1 +petrol-power.tk, 1 +petroleum-schools.com, 1 +petroleumservicecompany.com, 1 +petroll.ga, 1 +petroscand.eu, 1 +petrostar.com, 1 +petrostathis.com, 0 +petrotamin.ir, 1 +petrotranz.com, 1 +petrotrustlibya.com, 1 +petrov.engineer, 0 +petrovitch.tk, 1 +petrozavodsk.ga, 1 +petruv-grunt.cz, 1 +petruzz.net, 1 +pets4adoption.tk, 1 +pets4life.com.au, 1 +petsafe.net, 0 +petsartcollection.com, 1 +petscams.com, 1 +petschnighof.at, 1 +petsdeners.ga, 1 +petsdenest.ga, 1 +petsidi.com, 1 +petsmundoanimal.com, 1 +petsnapshot.ga, 1 +petsnews.ga, 1 +petsnvets.org, 1 +petspark.tk, 1 +petsplash.ga, 1 +petsru.net, 1 +petstick.ga, 1 +petstok.com.br, 1 +petstreaming.ga, 1 +petsulcatatortoise.com, 1 +petsurreal.ga, 1 +pettersatlher.com.br, 1 +pettopsecret.ga, 1 +pettreasure.ga, 1 +pettreats.com.br, 1 +petunder.ga, 1 +peturnashes.ga, 1 +petutility.tk, 1 +petvisual.ga, 1 +petwall.info, 1 +petwood.co.uk, 1 +petyolo.org, 1 +peuf.shop, 1 +peukert.cc, 1 +peupledefrance.fr, 1 +pevat-ua.tk, 1 +pew.ninja, 1 +pewamo.gov, 1 +pewat.com, 1 +pewforum.org, 1 +pewglobal.org, 1 +pewresearch.org, 1 +pex.digital, 0 +pexlab.net, 1 +peyote.com, 1 +peyote.org, 1 +peyote.wiki, 1 +peyukoshop.com, 1 +pf.dk, 1 +pfa.or.jp, 1 +pfabel.com, 1 +pfadfinder-grossauheim.de, 1 +pfalz-mail.de, 1 +pfandbriefbank.net, 1 +pfandbriefe.de, 1 +pfandbriefsparen.de, 1 +pfannkuchenbratze.de, 1 +pfarchimedes-pensioen123.nl, 1 +pfarr-rad.de, 1 +pfarreiengemeinschaft-neuerburg.de, 1 +pfarrhaus-mon.ch, 1 +pfashionmart.com, 1 +pfcafeen.dk, 1 +pfcardprogram.com, 1 +pfcchavdar.tk, 1 +pfcharland.com, 1 +pfctr.com, 1 +pfd-nz.com, 1 +pfe.rs, 1 +pfefferkuchen-shop.de, 0 +pfefferkuchenprinzessin-dresden.de, 0 +pfefferle.online, 1 +pfeiffer.tech, 1 +pfeifferszilard.hu, 1 +pferdesportclub-chiemgau.de, 1 +pfeuffer-elektro.de, 1 +pff.com.au, 1 +pfft.net, 1 +pfgl.co.uk, 1 +pfingstsportfest.de, 0 +pfish.zone, 1 +pfk.org.pl, 1 +pflan.dk, 1 +pflanzen-shop.ch, 1 +pflanzkompass.at, 1 +pflege.ch, 1 +pfmeasure.com, 1 +pfnpc.org, 1 +pfolta.net, 1 +pfonboarding.org, 1 +pfonks.com, 1 +pfp.com.au, 1 +pfp.works, 1 +pfr.email, 1 +pfr.wtf, 1 +pfrost.me, 1 +pfsandbox.com, 1 +pfsquad.blog, 0 +pfsquad.nu, 1 +pfssales.com, 1 +pfudor.tk, 1 +pfwarriors.com, 1 +pg-forum.at, 1 +pg-forum.ch, 1 +pg-forum.de, 0 +pg-it.at, 1 +pg-mana.net, 1 +pg-sec.com, 1 +pg-sec.cz, 1 +pg-sec.eu, 1 +pg-slot.me, 1 +pgazette.tk, 1 +pggm.nl, 1 +pgh-art.com, 1 +pgica.org, 1 +pgit.at, 1 +pgklaw.com.au, 1 +pglaum.tk, 1 +pgllandscaping.com, 1 +pgln.tk, 1 +pgmann.com, 1 +pgmjr.com, 1 +pgmsource.com, 1 +pgmsp.net, 1 +pgmtechnologies.com, 1 +pgnd.net, 1 +pgnetwork.io, 1 +pgnetwork.net, 1 +pgnetwork.org, 1 +pgp.lol, 1 +pgp.net, 1 +pgp.org.au, 1 +pgpaintanddesign.com, 1 +pgpmail.cc, 1 +pgregg.com, 1 +pgsec.cz, 1 +pgsec.eu, 1 +pgsek.cz, 1 +pgsindustries.com.au, 0 +pgslot.id, 1 +pgsls.com, 1 +pgsupplier.com, 1 +pgwap.com, 1 +pgwellnesscoach.it, 1 +ph-brand.jp, 1 +ph-consult.sk, 1 +ph-ooe.at, 1 +ph.search.yahoo.com, 0 +ph1worlddevelopers.com, 1 +ph3r3tz.net, 1 +ph4nt0m.ddns.net, 0 +ph89.de, 1 +pha.one, 1 +pha.pub, 1 +phaedranyx.co.uk, 1 +phagyo.com, 1 +phannuoc.net, 1 +phantasia.tk, 1 +phantasie.cc, 1 +phantasmag.gq, 1 +phantastikon.de, 1 +phantom-games.tk, 1 +phantomfund.cf, 1 +phantomfund.ml, 1 +phantomfunders.ga, 1 +phantomlighting.com, 1 +phantomlord.tk, 1 +phantomphans.tk, 1 +phantomware.tk, 1 +pharandespaces.com, 1 +pharma-insights.nl, 1 +pharmaabsoluta.com.br, 1 +pharmaboard.de, 1 +pharmaboard.org, 1 +pharmaceuticalcannabis.org, 1 +pharmacie-dufayel.fr, 1 +pharmacie-matignon.com, 1 +pharmaciechatelle.be, 1 +pharmacology.uk, 1 +pharmacy-evalar.ru, 1 +pharmacy.org.pk, 1 +pharmacyevalar.ru, 1 +pharmadrugtest.com, 1 +pharmalab.eu, 1 +pharmalab.fr, 1 +pharmalinkinternational.com, 1 +pharmapolitics.com, 1 +pharmasana.co.uk, 1 +pharmasana.de, 1 +pharmasana.ru, 1 +pharmasyncers.ga, 1 +pharmasyncest.ga, 1 +pharmgkb.org, 0 +pharmica.co.uk, 1 +pharmica.uk, 1 +pharosconsulting.com, 1 +pharside.dyndns.org, 1 +pharynks.com, 1 +pharynx.nl, 1 +phase4electric.com, 1 +phasersec.com, 1 +phastidio.net, 1 +phatblackbooty.com, 1 +phattea.tk, 1 +phbits.com, 1 +phc4submit.org, 1 +phcimages.com, 1 +phcloud.spdns.de, 1 +phcnetworks.net, 0 +phcorner.net, 1 +phd, 1 +phdelivery.com, 1 +phdgames.com, 1 +phdhub.it, 1 +phdk.ir, 1 +phdsolutions.org, 1 +phdwuda.com, 1 +pheasantrunpress.com, 1 +phellow.de, 1 +phellowseven.com, 1 +phelx.de, 1 +phen-garcinia.info, 1 +phenergan.ga, 1 +phenergan.ml, 1 +phenixairsoft.com, 1 +phenixlab.fr, 0 +phenomnaltwincities.com, 1 +phenriques.com, 1 +phenweb.co.uk, 1 +pheramoan.com, 1 +pheromeons.com, 1 +pheromoans.com, 1 +pheromoens.com, 1 +pheromonetalk.com, 0 +pheronome.com, 1 +pheronomes.com, 1 +pheros.com, 1 +pheroz.com, 1 +phesita.gq, 1 +phew.co.nz, 1 +phfrost.nl, 1 +phialo.de, 1 +phibureza.com, 1 +phigrupopolideportivo.es, 0 +phihq.com, 0 +phil-dirt.com, 1 +phil-phillies.com, 1 +phil.red, 1 +phil.to, 1 +phil.tw, 1 +philadelphia.com.mx, 1 +philanima.com, 1 +philarmonic-abaza.tk, 1 +philasd.org, 1 +phildevient.tk, 1 +phildonaldson.com, 1 +phileas-psychiatrie.be, 1 +philia-sa.com, 0 +philipbuckmaster.co.uk, 1 +philipdb.com, 1 +philipdb.nl, 1 +philipdeussen.com, 1 +philipdeussen.de, 1 +philiperiksson.se, 1 +philipkdick.tk, 1 +philipkobelt.ch, 1 +philiplowran.tk, 1 +philipmordue.co.uk, 1 +philipmorrisdirect.co.uk, 1 +philipoff.com, 1 +philipp-trulson.de, 0 +philipp.vip, 1 +philippa.cool, 1 +philippbirkholz.com, 1 +philippbirkholz.de, 1 +philippe-mignotte.fr, 1 +philippebonnard.fr, 1 +philippegoffin.be, 1 +philippehannes.fr, 1 +philippekhau.tk, 1 +philippemunn.photo, 1 +philippheenen.de, 0 +philippinegreenparty.tk, 1 +philippinenewsvanguard.tk, 1 +philippkaindl.de, 1 +philippkeschl.at, 1 +philippwinterberg.com, 1 +philipslater.cf, 1 +philipslater.ga, 1 +philipslater.gq, 1 +philipslater.ml, 1 +philipsmanythougths.cf, 1 +philipsmanythougths.ga, 1 +philipsmanythougths.ml, 1 +philipssupportforum.com, 1 +philipstewart.uk, 1 +philipthomas.com, 1 +philipzhan.com, 1 +philipzhan.tk, 1 +philis-oenologie.fr, 1 +phillipgoldfarb.com, 1 +phillippe-lemarc.ch, 1 +phillipspediatricsoxford.com, 1 +phillprice.com, 0 +phillyhometech.com, 1 +phillyinjurylawyer.com, 1 +philnheimann.com, 1 +philographie.com, 1 +philology.tk, 1 +philomathiclife.com, 1 +philosoftware.com.br, 1 +philosophers.tk, 1 +philosopherswool.com, 1 +philosophy-colleges.com, 1 +philosophyguides.org, 1 +philosophytalk.org, 1 +philphonic.de, 1 +philpropertygroup.com, 0 +philrights.org, 1 +phils1990.com, 1 +philsturgeon.uk, 1 +philward.io, 1 +philwilson-green.cf, 1 +philwilson-green.ga, 1 +philwilson-green.gq, 1 +philwilson-green.ml, 1 +phimmoingay.org, 1 +phimtor.com, 1 +phinikarides.net, 1 +phiomegachi.tk, 1 +phishguard.sa, 1 +phishing-studie.org, 1 +phishing.army, 1 +phishingplanet.com, 1 +phishingusertraining.com, 1 +phisis.com.br, 1 +phive.eu, 1 +phive.social, 1 +phixer.com, 1 +phligence.com, 1 +phobos.tk, 1 +phoebestrong.org, 1 +phoenix-correspondence-commission.gov, 1 +phoenix.dj, 1 +phoenixboard.tk, 1 +phoenixcourt.gov, 1 +phoenixdepositionservices.com, 1 +phoenixfrequency.ga, 1 +phoenixlpgpasig.com, 1 +phoenixmanga.com, 1 +phoenixmunicipalcourt.gov, 1 +phoenixnest.ltd, 1 +phoenixpower.tk, 1 +phoenixsalon.eu, 1 +phoenixurbanspaces.com, 1 +phoenixville.online, 1 +phoenixwebsitedesign.com, 1 +phographer.com, 0 +pholio.com, 1 +phone-service-center.de, 1 +phone-spy.ml, 1 +phone42.com, 1 +phonearena.com, 1 +phonedoc.it, 1 +phonefilter.co.uk, 1 +phonefleet.fr, 1 +phonegnome.com, 1 +phoneia.com, 1 +phoneincentivesers.ga, 1 +phoneincentivesest.ga, 1 +phoneinformation.cf, 1 +phoneinformation.ga, 1 +phoneinformation.gq, 1 +phoneinformation.ml, 1 +phoneinformation.tk, 1 +phonelookupname.ml, 1 +phonenumber-info.co.uk, 1 +phonenumberfind.cf, 1 +phonenumberfind.ga, 1 +phonenumberfind.gq, 1 +phonenumberfind.ml, 1 +phonenumberfind.tk, 1 +phonesbooksest.ga, 1 +phonesexchat.com, 1 +phonesexnumbers.com, 1 +phoneswiz.com, 1 +phonet.tk, 1 +phonetika.org, 1 +phonetrace.tk, 1 +phonetrack.tk, 1 +phonevibrator.com, 1 +phonex.bg, 1 +phonex.com.mx, 1 +phoneyourselfers.ga, 1 +phoneyourselfest.ga, 1 +phonix-company.fr, 1 +phonosynthese.tk, 1 +phonosynthesis.tk, 1 +phorcys.net, 1 +phormance.com, 1 +phormulagroup.com, 1 +phosagro.biz, 0 +phosagro.com, 0 +phosagro.ru, 0 +phosforum.ga, 1 +photistic.org, 1 +photo-blowup.com, 0 +photo-booth.ro, 1 +photo-design.ml, 1 +photo-host.tk, 1 +photo-journ.com, 0 +photo-livesearch.com, 1 +photo-news.tk, 1 +photo-on-event.de, 1 +photo-paysage.com, 1 +photo-travel.tk, 1 +photoartelle.com, 1 +photobank.ml, 1 +photobc.photos, 1 +photobcdev.photos, 1 +photoblock.tk, 1 +photobooth-romania.ro, 1 +photobooth.id, 1 +photobosco.tk, 1 +photobrunobernard.com, 1 +photobyzachary.tk, 1 +photochka.tk, 1 +photoclothing.tk, 1 +photoconferenceers.ga, 1 +photoconferenceest.ga, 1 +photodeal.fr, 1 +photodyna.tk, 1 +photofinale.com, 1 +photogelique.be, 1 +photograf.io, 1 +photograni.ru, 1 +photographe-perigueux.com, 1 +photographe-reims.com, 0 +photographeremploymenters.ga, 1 +photographeremploymentest.ga, 1 +photographerforwedding.tk, 1 +photographersdaydream.com, 1 +photography-workshops.net, 1 +photographyandvideo.tk, 1 +photographyforchange.com, 1 +photographyforchange.org, 1 +photolakeview.com, 1 +photolessya.by, 1 +photomath.com, 1 +photomizer.com, 0 +photomodelcasting.com, 1 +photomosaicwall.ca, 1 +photonclub.ir, 1 +photoncourier.com, 1 +photopalace.tk, 1 +photophobia.tk, 1 +photoprint.tk, 1 +photoprofi.tk, 1 +photops.fr, 1 +photoreal.tk, 1 +photorelive.com, 1 +photosafari.com.my, 1 +photosafaribg.com, 1 +photosavi.com, 1 +photosbyadeline.com, 1 +photosbyzachary.tk, 1 +photoscheduleers.ga, 1 +photoscheduleest.ga, 1 +photoscotland.net, 1 +photosgaia.ch, 1 +photoshop-tipps-und-tricks.de, 1 +photosight.ru, 1 +photosight.tk, 1 +photosoftware.nl, 1 +phototechnique.tk, 1 +phototravel.uk, 1 +phototrio.com, 1 +photoutils.com, 1 +photovoltaik-reinigung.biz, 1 +photowall.tk, 1 +photowire.uk, 1 +photune.net, 1 +phoxden.net, 1 +php.watch, 1 +phpadmin666.com, 1 +phparcade.com, 1 +phparena.net, 1 +phpartners.org, 1 +phpbb-tutorials.cf, 1 +phpbbchinese.com, 0 +phpdevlabs.tk, 1 +phpdorset.co.uk, 1 +phpfactory.io, 1 +phpfashion.com, 1 +phpgalleria.com, 1 +phpinfo.in.th, 1 +phpkari.cz, 1 +phpkoru.com, 1 +phpliteadmin.org, 1 +phpmyadmin.net, 1 +phpmynewsletter.com, 1 +phpnuke-guatemala.tk, 1 +phpprime.com, 1 +phpsecure.info, 1 +phpstan.com, 1 +phpstan.org, 1 +phpunit.de, 1 +phpwebs.com, 1 +phqsoft.com, 1 +phr34kz.pw, 0 +phra.gs, 1 +phreakaus.tk, 1 +phreaker.ml, 1 +phreaknet.org, 1 +phreesia.com, 1 +phrenology.com, 1 +phrive.space, 1 +phrlegal.com, 1 +phruse.com, 1 +phryanjr.com, 0 +phryneas.de, 1 +phsa.au, 1 +phsa.co.nz, 1 +phsa.com.au, 1 +phsa.net.au, 1 +phsa.nz, 1 +phsarapp.com, 1 +phtalent.tk, 1 +phtbth-upload.com, 1 +phuket-idc.com, 1 +phuket-idc.de, 1 +phuket-nash.cf, 1 +phuket-nash.ga, 1 +phuket-tour.ga, 1 +phuketbeach.tk, 1 +phuketdir.com, 1 +phuketroman.tk, 1 +phuketstyle.tk, 1 +phukettour.ga, 1 +phukettravel.gq, 1 +phukienchanh.com, 1 +phulyshop.com, 0 +phumin.in.th, 1 +phuoctran.com.vn, 1 +phuoctran.org, 1 +phuoctran.vn, 1 +phuong.faith, 1 +phurl.de, 1 +phv-bw.de, 1 +phwoarbeauty.com, 1 +phx2-az.tk, 1 +phxserver.net, 0 +phyi.loan, 1 +phyley.com, 1 +phyllischerry.com, 1 +phys.ir, 0 +physia.gr, 1 +physicalism.com, 1 +physicalist.com, 1 +physicalmedicineandrehab.com, 1 +physicaltherapistassistantedu.org, 1 +physicianassistantedu.org, 1 +physicianbookest.ga, 1 +physiciansopticalservice.com, 1 +physicpezeshki.com, 1 +physics-schools.com, 1 +physicsforums.com, 1 +physik.lol, 1 +physio-im-appelbachtal.de, 1 +physio-koenigsee.de, 1 +physiobalance.nl, 1 +physiobrite.tk, 1 +physioteam-franz.de, 1 +physiotherapie-buk.de, 1 +physiotherapie-concept.de, 1 +physiotherapie-seiwald.de, 1 +physiotherapist-physicaltherapist.com, 1 +physiovesenaz.ch, 0 +physis.earth, 1 +phytosunaroms.com, 1 +phyxion.net, 1 +phyzx.com.au, 1 +pi-dash.com, 1 +pi-net.dedyn.io, 1 +pi-supply.com, 1 +pi1.io, 1 +pia-bardo.tk, 1 +piaad9.org, 1 +piadouwes.tk, 1 +piai.cf, 1 +piai.ga, 1 +piai.gq, 1 +piai.ml, 1 +piai.tk, 1 +piaiai.com, 1 +piajuly.net, 1 +pialove.net, 1 +pianetaottica.eu, 1 +pianetaottica.info, 1 +pianetaottica.it, 1 +pianetatatuaggi.it, 1 +piano.io, 1 +pianoadventures.com, 1 +pianodisco.tk, 1 +pianoforpreschoolers.cf, 1 +pianoforpreschoolers.ga, 1 +pianoforpreschoolers.gq, 1 +pianoguy.tk, 1 +pianojockl.org, 1 +pianoo.nl, 1 +pianopronto.com, 1 +pianoschmitz.de, 1 +pianotaku.com, 1 +pianotuning.cn, 0 +piantami.com, 1 +pianyigou.com, 1 +piaohong.tk, 1 +piasativa.com, 1 +piasto.com.cy, 1 +piata-imobiliara.tk, 1 +piataborrachas.com.br, 1 +piatabrasil.com.br, 1 +piatenko.ml, 1 +piatika.com, 1 +piatika.in, 1 +piavonpadberg.com, 1 +piboston.org, 1 +piboubes.me, 1 +pic-sl.com, 1 +pic.gov, 1 +pic.sr, 1 +pic2map.com, 1 +pic2pat.com, 1 +pic2pat.nl, 1 +picalendar.com, 1 +picante.today, 1 +picapollochino.tk, 1 +picasoft.net, 1 +picatavocat.fr, 1 +picatom.com, 0 +piccirello.com, 1 +piccoliamicisport.it, 1 +piccolino.tk, 1 +piccolinokids.gr, 1 +piccolitrasporti.it, 1 +piccolopark.co.nz, 1 +piccolotrasloco.it, 1 +picdefacer.com, 1 +pichainlabs.com, 0 +pichlerei.at, 1 +pick.aw, 1 +pick150.hu, 1 +picka.gift, 1 +pickastock.info, 1 +pickaw.click, 1 +pickaw.com, 1 +pickaw.link, 1 +pickawaycountyohio.gov, 1 +picked.cf, 1 +pickelhaubes.com, 1 +pickemsheet.com, 1 +pickenscountysc.gov, 1 +picketfence.tk, 1 +pickhdtvers.ga, 1 +pickhdtvest.ga, 1 +picklinik.id, 0 +pickmysoap.gr, 1 +picknetworkiscoming.sg, 1 +picknyeroizek.hu, 1 +picksin.club, 1 +picksshop.com, 1 +pickswapers.ga, 1 +pickswapest.ga, 1 +picksygirl.com, 1 +pickupenc.ru, 1 +piclect.com, 1 +picme.tk, 1 +picmms.com, 1 +pico.si, 1 +picobellos.tk, 1 +picofme.io, 1 +picom365.com, 1 +picone.com.au, 1 +piconepress.com, 1 +picordi.fr, 1 +picoulumber.com, 1 +picpay.com, 1 +picr.ws, 1 +picrew.me, 1 +pics.io, 1 +picsalesers.ga, 1 +picsastock.com, 1 +picshare.nz, 1 +picsnmore.de, 1 +picstar.tk, 1 +picsto.re, 0 +pictopat.com, 1 +pictopat.nl, 1 +pictoplasma.com, 1 +pictoriastudios.com, 1 +pictorista.com, 1 +pictr.nl, 1 +picturedent.org, 1 +picturesalon.com, 1 +picturesitaly.com, 1 +picturesoverstillwater.com, 1 +picturesque-games.tk, 1 +picturevictoria.vic.gov.au, 1 +picturingjordan.com, 1 +pidelo-peru.com, 1 +pidgi.net, 1 +pidginpoetry.com, 1 +pidjipi.com, 1 +pidu.jp, 1 +pie-express.xxx, 1 +pieceofcake.solutions, 1 +piecesofmind.in.rs, 1 +piecestech.com, 1 +piechart.ga, 1 +piedrahita.tk, 1 +piedrasblancas.gov, 1 +piedroshop.nl, 1 +piekacz.co.uk, 1 +piekacz.eu.org, 1 +piekacz.net, 1 +piekacz.tel, 1 +piektraining.com, 1 +piel.ai, 1 +piel.vip, 1 +pieland.eu, 1 +pielgrzymappka.pl, 1 +piem.org, 1 +piemonteeconomy.it, 1 +piening.ddns.net, 1 +piensa-escribe.tk, 1 +piepermail.nl, 1 +piepschuimlogo.nl, 1 +pieq.eu, 1 +pieq.eu.org, 1 +pier1url.com, 1 +pier28.com, 1 +pier2pier.org, 1 +piercecountyne.gov, 1 +piercingnagykereskedes.hu, 1 +piercingpiac.hu, 1 +piercraft.com, 1 +pierianservices.com, 1 +pieropuschiavo.it, 1 +pierpaoloamarante.it, 1 +pierre-denoblens.net, 1 +pierre-schmitz.com, 1 +pierreau.fr, 1 +pierreborgmann.de, 1 +pierrejeansuau.fr, 1 +pierreloizeau.com, 1 +pierreterrien.fr, 1 +pierrevieville.fr, 1 +pierreyvesdick.fr, 1 +piersmana.com, 1 +pierson.tk, 1 +pierstone.com, 1 +pietbrakman.tk, 1 +pietcees.nl, 1 +pietechsf.com, 0 +pieter-verweij.nl, 1 +pieterbamps.tk, 1 +pieterbos.nl, 1 +pieterdev.net, 1 +pietraglobal.com, 1 +pietredirapolano.com, 1 +pietron.name, 1 +pietrosoft.tk, 1 +pietrzyk.it, 1 +pieux-expert.com, 1 +piezus.ru, 1 +pif.email, 1 +pif.gov, 1 +pig-breeding.tk, 1 +pig333.com, 1 +pigb.net, 1 +pigdetector.com, 1 +pigeonracinginformation.com, 1 +pigeons-rings.com, 1 +pigfox.com, 1 +piggingcleaning.com, 1 +pigop.com, 1 +pigsbytebooks.org, 1 +pigsforsale.co.za, 1 +pigslv.com, 1 +pigzilla.co, 1 +pihaar.de, 1 +pii-protect.com, 1 +pii.bz, 1 +piifunder.co.uk, 1 +piifunder.uk, 1 +piifunding.com, 1 +piizapp.com, 1 +pijamasbichopreguica.com.br, 1 +pijiutuan.com, 1 +pijuice.com, 1 +pijusmagnificus.com, 1 +pikafan.de, 1 +pikafederation.ca, 1 +pikaramagazine.com, 1 +pikboxstore.com, 0 +pikecoga.gov, 1 +pikecountyil.gov, 1 +pikecountyohcommissioners.gov, 1 +pikeitservices.com.au, 1 +pikeky.gov, 1 +pikepa.gov, 1 +piketonohio.gov, 1 +pikimusic.moe, 1 +pikker.ee, 1 +pikkuegypti.tk, 1 +pikminwiki.com, 1 +pikmy.com, 1 +piknichok.ml, 1 +piksli.si, 1 +pilani.ch, 0 +pilar.moe, 1 +pilarguineagil.com, 1 +pilasebastovce.sk, 1 +pilatesavenue.co.uk, 1 +pilatescenteraz.com, 1 +pilatespt.nl, 1 +pilatesstation.co.th, 1 +pilatus-aircraft.com, 1 +pilbaraports.com.au, 1 +pildat.org, 1 +pileawayremovals.com, 1 +pilgermaske.org, 1 +pili-serv.ovh, 1 +piliszek.net, 1 +pillar.fi, 1 +pillar.ninja, 1 +pillar.us, 1 +pillitteriobgyn.com, 1 +pillow.sk, 1 +pillowcast.net, 1 +pillowexpertsers.ga, 1 +pillowexpertsest.ga, 1 +pillowfort.pub, 1 +pilot-colleges.com, 1 +pilot-gps.africa, 1 +pilot-gps.com, 0 +pilot.co, 1 +pilot.com, 1 +pilotbook.org, 1 +pilotcareercenter.com, 1 +pilotgrowth.com, 1 +pilotinterviews.com, 1 +pilotknobmo.gov, 1 +pilotproject.tk, 1 +pilotshop.com, 1 +pilsen.fun, 1 +pilseta24.lv, 1 +pilsner.nu, 1 +pilsook.com, 1 +pilvi.space, 1 +pilvin.pl, 1 +pimastoneaz.com, 1 +pimhaarsma.nl, 1 +pimhaarsmamedia.nl, 1 +pimichi.com, 1 +pimmel.stream, 1 +pimo.id, 1 +pimoid.fr, 1 +pimplelotionest.ga, 1 +pimpmymac.ru, 1 +pimpmypaper.com, 1 +pimpmyperf.fr, 0 +pimpninjas.org, 1 +pimppublishing.com, 1 +pimpstack.com, 1 +pims-hub.org.uk, 1 +pimylifeup.com, 1 +pin.net.au, 1 +pinalcourtsaz.gov, 1 +pinale.es, 1 +pinalove.com, 1 +pinamals.com, 1 +pinarecordsmusic.tk, 1 +pinaro.de, 1 +pinarshivmarket.com, 1 +pinatubo.tk, 1 +pinball.tk, 1 +pinboxx.com, 1 +pinceau-peinture.com, 1 +pinceaux.org, 1 +pincha.com.tw, 0 +pinched.ga, 1 +pinchoparados.tk, 1 +pinchuk.tk, 1 +pincodeit.com, 1 +pincollector.club, 1 +pincollector.net, 1 +pincong.rocks, 1 +pincsolutions.com, 1 +pindakaas.ga, 1 +pindakaas.tk, 1 +pindanutjes.be, 0 +pindercooling.com, 1 +pindostan.tk, 1 +pinebaylibrary.org, 1 +pinebeachnj.gov, 1 +pinebeecreative.com, 0 +pinebrook.tk, 1 +pinecitymn.gov, 1 +pinecone.io, 0 +pinecountymn.gov, 1 +pinedadegiguela.tk, 1 +pinedahair.com, 1 +pinefinancialgroup.com, 1 +pinegraph.com, 1 +pinegrovetownshipmi.gov, 1 +pinellaslaser.com, 1 +pinellastaxcollector.gov, 1 +pinemountbaptistchurch.org, 1 +pineradelolmo.com, 1 +pinerivermi.gov, 1 +pinesol.com, 1 +pinetreeadvisors.us, 1 +pinflux2.com, 1 +ping-books.cf, 1 +pingce.com, 1 +pingnp.me, 0 +pingodoce.pt, 1 +pingpongparkinson.at, 1 +pingrc.net, 1 +pinguinita.tk, 1 +pinguinreal.sk, 1 +pingvinofnet.ml, 1 +pinhadigital.com, 1 +pinheirobittencourt.com.br, 1 +pinigseu.xyz, 1 +pinimg.com, 1 +pink-check.school, 1 +pink-panther.tk, 1 +pink.nl, 1 +pinkapple.com, 1 +pinkband.tk, 1 +pinkbike.com, 1 +pinkbikecycle.com, 1 +pinkcasino.co.uk, 1 +pinkerton.io, 1 +pinkfoxwebdesign.com, 0 +pinkhatbeard.com, 1 +pinkitalia.tk, 1 +pinklecfest.org, 1 +pinklittlenotebook.com, 1 +pinkmango.travel, 0 +pinkoi.com, 1 +pinkoz.xyz, 1 +pinkpearl.tk, 1 +pinkplay.com.br, 1 +pinkpop.nl, 1 +pinkpussy.tv, 1 +pinkpussypics.com, 1 +pinksec.com.au, 1 +pinkster.tk, 1 +pinktara.hu, 1 +pinkvelvet.tk, 1 +pinkwatertaxis.com.au, 1 +pinkylam.me, 1 +pinleather.rs, 0 +pinmeto.com, 1 +pinnacle-tex.com, 1 +pinnacleallergy.net, 1 +pinnaclecare.com, 1 +pinnaclecommunityservices.com.au, 1 +pinnaclegroupgc.com, 1 +pinnacleholdings.com, 1 +pinnaclelife.co.nz, 0 +pinnaclelife.nz, 1 +pinnacleroofingsolutions.com, 1 +pinnacletrailers.com, 1 +pinnakl.com, 1 +pinnoto.eu.org, 1 +pinnoto.org, 1 +pinoservers.tk, 1 +pinot.it, 1 +pinoy-santi.com, 1 +pinoydeal.ph, 1 +pinoyreal.com, 1 +pinoyseoservices.com, 1 +pinoysurvey.com, 1 +pinoytambayan.ga, 1 +pinoytambayan.tk, 1 +pinoytimes.tk, 1 +pinpaituiguang.com.cn, 1 +pinpayments.com, 1 +pinpointengineer.co.uk, 1 +pinsami.it, 1 +pinsamiprofessional.com, 1 +pinse.la, 1 +pinsi.pt, 1 +pinsource.kz, 1 +pinspiration.com, 1 +pinta.tk, 1 +pinterest.at, 1 +pinterest.ca, 1 +pinterest.ch, 1 +pinterest.cl, 1 +pinterest.co, 1 +pinterest.co.kr, 1 +pinterest.co.uk, 1 +pinterest.com, 1 +pinterest.com.au, 1 +pinterest.com.mx, 1 +pinterest.com.pe, 1 +pinterest.com.py, 1 +pinterest.com.uy, 1 +pinterest.de, 1 +pinterest.dk, 1 +pinterest.ec, 1 +pinterest.engineering, 1 +pinterest.es, 1 +pinterest.fr, 1 +pinterest.ie, 1 +pinterest.info, 1 +pinterest.it, 1 +pinterest.jp, 1 +pinterest.nl, 1 +pinterest.nz, 1 +pinterest.ph, 1 +pinterest.pt, 1 +pinterest.ru, 1 +pinterest.se, 1 +pinterestvideo.com, 1 +pinterjann.is, 1 +pinterst.com, 1 +pintiaktivasyon.com, 1 +pintrest.com, 1 +pinupbets.gq, 1 +pinupsex.com, 1 +pinxporn.net, 1 +pinyonpass.com, 1 +pinyonpass.net, 1 +pinyonpass.org, 1 +pioneer-car.eu, 1 +pioneer-rus.ru, 1 +pioneer.eu, 1 +pioneerbible.org, 1 +pionierboat.cf, 1 +pionierboat.ga, 1 +pionierboat.tk, 1 +pionieren.tk, 1 +pionplex.de, 1 +piovan.com, 1 +pip-maker.com, 1 +pipa-shop.nl, 1 +piparitaikina.fi, 1 +pipeclub.tk, 1 +piped.video, 1 +pipefishdigital.com, 1 +pipelineengineeringsoftware.com, 1 +pipenav.gq, 1 +pipenny.net, 1 +piperswe.me, 1 +pipestonecounty.gov, 1 +pipetehran.ir, 1 +pipetobacco.uk, 1 +pipfrosch.com, 0 +pipglobal.com, 1 +piprivillage.ml, 1 +pipscprd.ca, 1 +piquaoh.gov, 1 +piqueteway.tk, 1 +piraino.fr, 1 +piramalglassusa.com, 1 +piramide.nl, 1 +piranhaattack.tk, 1 +piranja-cola.de, 1 +piranjasoul.de, 1 +pirapiserver.ddns.net, 1 +pirate-proxy.click, 1 +pirate-proxy.club, 1 +pirate-proxy.date, 1 +pirate-proxy.onl, 1 +pirate-proxy.pw, 1 +pirate-proxy.top, 1 +pirate-punk.net, 1 +pirate.chat, 1 +pirate.gq, 0 +piraten-basel.ch, 1 +piraten-kleinbasel.ch, 1 +piraten-recording.tk, 1 +piratenlogin.de, 0 +pirateparty.org.uk, 1 +piratepay.io, 0 +pirateproxy.how, 1 +pirates-comic.com, 1 +piratesbrewcoffee.net, 1 +piratesforums.co, 1 +piratesofthewadden.tk, 1 +piratez.tk, 1 +pircher.co.uk, 1 +pircher.tk, 1 +pires.ovh, 1 +pirman.es, 1 +pirnaaktuell.de, 1 +pirnhub.xyz, 1 +pirofire.bg, 1 +pirofire.com, 1 +pirogi.ga, 1 +piroleikki.co.jp, 1 +pirscapital.com, 1 +pirxpilot.me, 1 +pisaggni.ch, 1 +pisanpeikot.tk, 1 +pisaparaasescolas.pt, 1 +pisarzowa.tk, 1 +pisatoday.it, 1 +piscapisca.pt, 1 +piscesdwarf.com, 1 +piscestrade.com, 1 +piscine.roma.it, 1 +piscines-unibeo.com, 1 +pisearch.cc, 1 +pisearch.cn, 1 +pisemnet.tk, 1 +pisf.in, 1 +pishgamiran.tk, 1 +pisitsolutions.com, 1 +pisk.loan, 1 +piskenfuerwehr.de, 1 +pisquettes.fr, 1 +pissblau.com, 1 +pissflaps.co.uk, 1 +pissflaps.org.uk, 1 +pista73.com, 1 +pistonkandidatu.tk, 1 +pisupp.ly, 1 +piszmak.pl, 1 +pit-book.com, 1 +pit-stop-sto.tk, 1 +pitaiatrade.com, 1 +pitajrobota.com, 1 +pitakashop.hu, 1 +pitang.com, 1 +pitbooks.ga, 1 +pitbullclub.tk, 1 +pitbullsecuritysolutions.ca, 1 +pitc.nl, 1 +pitch.com, 1 +pitchforkunion.tk, 1 +pitchup.com, 1 +pitchupp.com, 0 +pitctestdomain.gov, 1 +piteadetox.com, 1 +piter-auto-painter.ru, 1 +piter-print.tk, 1 +piter178.tk, 1 +piterfish.ru, 1 +pitfire.io, 1 +pitius.tk, 1 +pitman.tk, 1 +pitomec.tk, 1 +pitot-rs.org, 1 +pitrick.tk, 1 +pitrivertribe.gov, 1 +pitshift.click, 1 +pitshift.com, 1 +pitsstop.nu, 1 +pitsundaorgan.tk, 1 +pittandmoore.co.nz, 1 +pittmancentertn.gov, 1 +pittohio.com, 1 +pittsburghfibroids.com, 1 +pittsburghhiresveterans.org, 1 +pittsburgtx.gov, 1 +pittsvillemd.gov, 1 +pitu.gov, 1 +piu.moe, 1 +piuincontri.com, 1 +piuplayer.com, 1 +piurvolium.tk, 1 +pius.com.br, 1 +piute.gov, 1 +piutesd.gov, 1 +pivbar.tk, 1 +pivio.nl, 1 +pivnica.cf, 1 +pivnica.ga, 1 +pivnica.gq, 1 +pivnica.tk, 1 +pivotaltracker.com, 1 +pivotanimation.org, 1 +pivotanimation.tk, 1 +pivovarcunak.cz, 1 +pivx2bitcoin.com, 1 +pivxblockchain.com, 1 +pivxblockchaindownload.com, 1 +piw.pw, 0 +piwko.co, 1 +pix-geeks.com, 1 +pix5.de, 1 +pixaise.pics, 1 +pixalatio.tk, 1 +pixbaton.jp, 1 +pixe2019.org, 1 +pixel-history.tk, 1 +pixel-ninjas.de, 1 +pixel-perfection.com, 1 +pixel-puls.de, 1 +pixel.facebook.com, 0 +pixel.google.com, 1 +pixel4k.com, 1 +pixelats.cat, 1 +pixelbrew.coffee, 1 +pixelcatproductions.net, 1 +pixelchannel.ga, 1 +pixelcomunicacion.com, 1 +pixelcrayons.com, 1 +pixelfiends.tk, 1 +pixelglance.com, 1 +pixelgliders.de, 1 +pixelglue.com.au, 1 +pixelheaven.tk, 1 +pixelhero.co.uk, 0 +pixelion.tk, 1 +pixellent.me, 1 +pixelmarketing.hu, 0 +pixelmattic.com, 1 +pixelmedianetwork.com, 1 +pixelmonworld.fr, 1 +pixelonl.com, 1 +pixelpaper.org, 1 +pixelplex.io, 1 +pixelrain.info, 1 +pixelsbanking.com, 1 +pixelshealth.com, 1 +pixelsketch.co.uk, 1 +pixelsquared.us, 1 +pixelstamp.net, 1 +pixelstrade.com, 1 +pixeltranslating.com, 1 +pixelturkey.art, 1 +pixelturkey.com, 1 +pixelumin3d.com, 1 +pixelurbia.com, 1 +pixeluser.de, 1 +pixelution.at, 1 +pixelw.design, 1 +pixelwijk.de, 1 +pixelz.cc, 1 +pixemoji.com, 1 +pixend.de, 1 +pixeon.com, 1 +pixiin.com, 1 +pixinfo.com, 1 +pixiv.cat, 1 +pixiv.moe, 1 +pixiv.re, 1 +pixlfox.com, 1 +pixloc.fr, 1 +pixnel.com.br, 1 +pixodo.tk, 1 +pixojo.tk, 1 +pixouno.com, 1 +pixshop.fr, 1 +pixstash.net, 1 +pixsystem.com, 1 +pixxxels.cc, 1 +pixyship.com, 1 +pixzilla.de, 1 +pizala.de, 1 +pizdelka.tk, 1 +pizza-24.tk, 1 +pizza-aachen.de, 1 +pizza-calzone.com, 1 +pizza-curator.com, 1 +pizza-house.tk, 1 +pizza2020andcatering.com, 1 +pizzabesteld.nl, 1 +pizzacontenta.tk, 1 +pizzacosi.nl, 1 +pizzafest.ddns.net, 1 +pizzagaming.tk, 1 +pizzagigant.hu, 1 +pizzahut.co.in, 1 +pizzahut.com.tw, 1 +pizzamc.eu, 1 +pizzaplus.tk, 1 +pizzariapartiupizza.com.br, 1 +pizzariaroma.cf, 1 +pizzarts.fr, 1 +pizzaslut.xyz, 1 +pizzeriaamadeus.hr, 1 +pizzeriasmallorca.com, 1 +pizzeriaveneziana.it, 1 +pj11018.com, 1 +pj4488.cc, 1 +pjax.xyz, 1 +pjc.is, 1 +pjentertainments.co.uk, 1 +pjleisure.co.uk, 1 +pjo.no, 1 +pjotor.tk, 1 +pjp.com.mt, 0 +pjshop.cf, 1 +pjsk.cc, 1 +pjsk.eu.org, 1 +pjuu.com, 0 +pjv.co.id, 1 +pk-master.tk, 1 +pk-soft.tk, 1 +pk.search.yahoo.com, 0 +pk7777.com, 1 +pk8k.com, 1 +pkautodesign.com, 0 +pkb.shop, 1 +pkbjateng.com, 1 +pkeus.de, 1 +pkg.one, 1 +pkgbuild.com, 1 +pkgt.de, 0 +pki.com.ru, 1 +pkirwan.com, 1 +pkjtim.com, 1 +pko.ch, 0 +pkov.cz, 1 +pkq5.com, 1 +pkrank.com, 1 +pkservice.tk, 1 +pkshs.my, 1 +pkspskov.tk, 1 +pkvgames.expert, 1 +pkvgamesqq.asia, 1 +pkwebsolutions.cf, 1 +pl-cours.ch, 0 +pl-trans.tk, 1 +pl.search.yahoo.com, 0 +pl2.es, 1 +placasonline.com.br, 1 +placeandsee.com, 1 +placedaffiliate.com, 1 +placedapps.com, 1 +placedsupport.com, 1 +placeforgames.tk, 1 +placehold.co, 1 +placements.io, 1 +placementspot.ca, 1 +placenet.fr, 1 +placeofindia.com, 1 +placepay.com, 1 +placepugs.com, 1 +placeralplato.com, 1 +placercountyelections.gov, 1 +placidoandriolo.tk, 1 +placker.com, 1 +plagiarismcheck.org, 1 +plagu.ee, 1 +plagued.tk, 1 +plaid.com, 1 +plainfieldil.gov, 1 +plainfieldpolicenj.gov, 1 +plainfieldvt.gov, 1 +plaingreenloans.com, 1 +plainjs.com, 1 +plainlanguage.gov, 1 +plainoltrailers.com, 1 +plainsgeorgia.gov, 1 +plainsoftware.org, 1 +plaintech.net.au, 1 +plaintext.pizza, 1 +plaintextpledge.com, 1 +plaintextpledge.email, 1 +plaintextpledge.eu, 1 +plaintextpledge.net, 1 +plaintextpledge.org, 1 +plaintownshipstarkoh.gov, 1 +plaintray.com, 1 +plaisirdumouvement.com, 1 +plaisiretsens.com, 1 +plaisirs-coquins.com, 1 +plakakodlari.com, 1 +plakbak.nl, 1 +plaloo.gq, 1 +plaloo.tk, 1 +plan-immobilier.fr, 1 +plan-it-events.de, 1 +planafy.com, 1 +planbase.com, 1 +planchasvertical.es, 1 +plancke.io, 1 +plandecorones.net, 1 +plandegralba.net, 1 +plandomemanorny.gov, 1 +plandy.me, 1 +planecon.nz, 1 +planeexplanation.com, 1 +planen-bauen.eu, 1 +planer.me, 1 +planet-laas.de, 1 +planet-work.com, 1 +planet.live, 1 +planeta-deti.org, 1 +planeta-remontika.ga, 1 +planetadeti.org, 1 +planetadjs.com, 1 +planetairsports.com, 1 +planetalife.com, 1 +planetamarrom.tk, 1 +planetamend.com, 1 +planetamestizo.tk, 1 +planetamotoshonda.com.br, 1 +planetamusik.tk, 1 +planetandroid.ga, 1 +planetanim.fr, 1 +planetapolska.com, 1 +planetaprogramas.tk, 1 +planetarapluso.tk, 1 +planetarian.moe, 1 +planetasilius.tk, 1 +planetasuboficial.com.br, 1 +planetau2.com, 1 +planetbreath.ch, 0 +planetcbd.net, 1 +planetchiropracticga.com, 1 +planete-lira.fr, 1 +planete-secu.com, 1 +planeteroliste.com, 1 +planeteroliste.fr, 1 +planetfertilityest.ga, 1 +planetgolf.de, 1 +planetgrehen.tk, 1 +planethowl.com, 1 +planeticke.com, 1 +planetickettravel.com, 1 +planetknauer.net, 1 +planetmath.org, 1 +planetmetroidprime.tk, 1 +planetmobile.tk, 1 +planetmugen.tk, 1 +planetonline.tk, 1 +planetpowershell.com, 1 +planetradio.tk, 1 +planetromeo.com, 1 +planetromeofoundation.org, 1 +planetscale.com, 1 +planetstimes.com, 1 +planettimer.com, 1 +planetun.mobi, 1 +planetweb.tk, 1 +planful.com, 0 +planify.io, 0 +planisanin.tk, 1 +planiserin.tk, 1 +planisware.academy, 1 +planisware.cn, 1 +planisware.io, 1 +planisware.live, 1 +planiswareusa.com, 1 +planisys.net, 1 +planitz.com, 1 +planitz.net, 1 +planitz.org, 1 +planium.io, 1 +planled.ga, 1 +planlos.net, 0 +planmember.com, 1 +planmemberpartners.com, 1 +planned-cities.com, 1 +plannedgrocery.com, 1 +plannedlink.com, 1 +planning.center, 1 +planning.ga, 1 +planning.nl, 1 +planningcenter.com, 0 +planningsagenda.nl, 1 +plano.gq, 1 +planodesaude.net.br, 1 +planresto.com, 1 +planriean.com, 1 +planrow.com, 1 +plansaude.med.br, 1 +planshetnik.tk, 1 +plant-gift.jp, 1 +plantacioneseltejo.es, 1 +plantarportugal.org, 1 +plantastique.ch, 0 +planteforum.no, 1 +plantenvinder.nl, 1 +plantepakken.dk, 1 +plantes.ch, 1 +plantezcheznous.com, 1 +planther.nl, 1 +plantidentification.co, 0 +plantinum-cbd.com, 1 +plantmojomagic.com, 1 +plantprosperous.com, 1 +plantroon.com, 1 +plantrustler.com, 1 +plantsupplement.co.uk, 1 +planujemywesele.pl, 1 +planungsdetail.de, 1 +planungsregion-abw.de, 1 +planview.com, 1 +plaque-funeraire.fr, 1 +plaque-immatriculation-auto.com, 1 +plaqueimmat.fr, 1 +plaredo.tk, 1 +plaros.ml, 1 +plasapulsa.tk, 1 +plasesolev.tk, 1 +plasfab.com.au, 1 +plaskiewicz.pl, 1 +plasma.nl.eu.org, 1 +plasmainc.xyz, 1 +plasmatrap.com, 1 +plasofficial.it, 1 +plassmann.ws, 1 +plast.bg, 1 +plast.design, 1 +plastdesign.com.ua, 1 +plastex.tk, 1 +plastic2print.com, 1 +plasticdoctor.co.uk, 1 +plasticdonut.tk, 1 +plasticflash.com, 1 +plasticobiodegradable.com, 1 +plasticosbiobasados.com, 1 +plasticpassion.tk, 1 +plasticscm.com, 1 +plasticstare.com, 1 +plasticsurgeon.ga, 1 +plasticsurgerynola.com, 1 +plasticsurgerypartyers.ga, 1 +plasticsurgerypartyest.ga, 1 +plasticwindows.tk, 1 +plastiform.nl, 1 +plastischechirurgie-linz.at, 1 +plastokna.tk, 1 +plastovelehatko.cz, 1 +plataformaslms.com, 1 +platanakia.tk, 1 +plate.de, 1 +plateforme-exposant.com, 1 +plateformecapitalisation.org, 1 +plateriaaida.tk, 1 +platform-med.org, 1 +platform2020prague.com, 1 +platforma2020praha.cz, 1 +platformadmin.com, 1 +platformio-cn.com, 1 +plathome.co.jp, 1 +platiniumvapes.com, 1 +platinnetz.de, 1 +platinum1.ru, 1 +platinumalertsers.ga, 1 +platinumalertsest.ga, 1 +platinumcalendarest.ga, 1 +platinumcat.info, 1 +platinumgatesecurity.co.uk, 1 +platinumjubilee.gov.au, 1 +platinumkids.com.br, 1 +platinumpoolsaz.com, 1 +platinumsystems.biz, 1 +platinumtalkers.ga, 1 +platinumtalkest.ga, 1 +platitudemusic.com, 1 +platodecomida.com, 1 +platpoint.com, 1 +platschi.net, 1 +plattecountymovotes.gov, 1 +platten-nach-mass.de, 1 +plattenair.tk, 1 +platter.cf, 1 +platter.ga, 1 +platter.gq, 1 +platter.tk, 1 +platterlauncher.com, 1 +plattmakers.de, 0 +platueguide.tk, 1 +platypiduses.com, 1 +plaul.de, 1 +plausibility.cloud, 1 +plaut.sk, 1 +plavdoma.com.ua, 1 +plavormind.tk, 1 +play, 1 +play-asia.com, 1 +play-best-games.com, 1 +play-casino-japan.com, 1 +play-charades.com, 1 +play-lu.com, 1 +play-mate.tk, 1 +play-telochki.tk, 1 +play.cash, 1 +play.google.com, 1 +play3niu1.com, 1 +play3niu11.com, 1 +play3niu18.com, 1 +play3niu22.com, 1 +play3niu33.com, 1 +play3niu55.com, 1 +play3niu58.com, 1 +play3niu66.com, 1 +play3niu68.com, 1 +play3niu8.com, 1 +play3niu88.com, 1 +play595.com, 1 +playabalares.ga, 1 +playandwin.co.uk, 1 +playanka.com, 1 +playapex.cn, 1 +playapex.com.cn, 1 +playapexcn.com, 1 +playasdegalicia.tk, 1 +playavalon.net, 1 +playball.tk, 1 +playcasinos.ca, 1 +playcollect.net, 1 +playdaysparties.co.uk, 1 +playdlawosp.pl, 1 +playdrop.ml, 1 +playeereq.lol, 1 +playelephant.com, 1 +player701.net, 1 +player701.ru, 1 +playerdb.co, 1 +playerslounge.co, 0 +playerup.com, 1 +playface.ml, 1 +playform.cloud, 1 +playfrank.com, 1 +playgame.tk, 1 +playgamenow.tk, 1 +playgameoflife.com, 1 +playgroundhaarlem.nl, 1 +playhappywheelsunblocked.com, 1 +playhothand.com, 1 +playhothands.com, 1 +playinfinity.com, 1 +playinfinityvr.com, 1 +playit.rs, 1 +playkids.com, 1 +playlistresearch.com, 1 +playmat.com, 1 +playmei.com, 0 +playnow.com, 1 +playnuganug.com, 1 +playocean.net, 1 +playorigin.com, 1 +playphoenix.net, 1 +playpirates.com, 1 +playpower.tk, 1 +playreal.cc, 1 +playreal.city, 1 +playreal.com.tw, 1 +playsnake.org, 1 +playsoftware.tk, 1 +playsprout.industries, 1 +playstation-network.ga, 1 +playstation-news.de, 1 +playstationplus.es, 1 +playstationtrophies.org, 1 +playtheme.ru, 1 +playtictactoe.org, 1 +playtoearn.net, 1 +playtop.tk, 1 +playtopia.com, 1 +playtopia.fr, 1 +playtopia.nl, 1 +playtopia.no, 1 +playtzolk.in, 1 +playviolinmusic.com, 1 +playwhyyza.com, 1 +playwright.co, 1 +playxylo.com, 1 +playzone.tk, 1 +plaza.ph, 1 +plazamarinavallarta.com, 1 +plazaproductionone.com, 1 +plazaservicesllc.com, 1 +plazasummerlin.com, 1 +plcclosets.com, 1 +plcgurus.net, 1 +plchardware.com, 1 +pldx.org, 1 +pleasantonca.gov, 1 +pleasantonmobilenotary.com, 1 +pleasantvalleywi.gov, 1 +pleasantviewmi.gov, 1 +pleasantvillepd.org, 1 +please-uwu.me, 1 +pleaseuseansnisupportedbrowser.ml, 1 +pleasure-science.com, 1 +pleasured.tk, 1 +pleasureplanetbrothel.com.au, 1 +pleb.cc, 1 +plebeian.com.tw, 1 +pleeease.io, 1 +pleer.ru, 1 +plegro.com, 1 +pleiadiantalk.tk, 1 +pleiar.no, 1 +pleier.no, 1 +pleijsier.tk, 1 +pleindedemsvaart.tk, 1 +plejdbelysning.se, 1 +plenigo.com, 1 +plenkanaotrez.ml, 1 +plentybetter.com, 1 +plentybetter.org, 1 +pleo.io, 1 +pleskssd1.nl, 1 +plesse.pl, 1 +pletenkin-nn.ru, 1 +plex-server.cz, 1 +plex.tv, 1 +plexa.de, 1 +plexbpvr.ddns.net, 1 +plexhome13.ddns.net, 1 +plexidirect.nl, 1 +plexiglasssheetscuttosize.com, 1 +plexion.cf, 1 +plexion.ga, 1 +plexion.gq, 1 +plexmark.net, 1 +plexmark.tk, 1 +plexnet.cz, 1 +plexopedia.com, 1 +plexpy13.ddns.net, 1 +plextv.de, 1 +plexusmd.com, 0 +plexusworldwide.com, 1 +plgr.cc, 1 +plgr.tech, 1 +plicca.com, 0 +plichso.de, 1 +plicker.net, 1 +plikersi.tk, 1 +plikiai.tk, 1 +plintusof.by, 1 +pliosoft.com, 1 +pliroforikikoufopoulou.gr, 1 +plissee-experte.de, 1 +plitu.de, 1 +plixer.com, 1 +plixer.net, 1 +plkeenecc.com, 1 +pllivres.cf, 1 +plob.org, 1 +plodwithme.com, 1 +ploi.io, 1 +plokko.com, 1 +plomberie-rivesud.ca, 1 +plomeros.cl, 1 +plomin.tk, 1 +plongee-phuket.fr, 1 +ploof-cleaning.gr, 1 +plooij.it, 1 +ploptec.tk, 1 +plothost.com, 1 +plotly.com, 1 +plougastel.com, 1 +plov.loan, 1 +plowerolin.tk, 1 +ploxel.co.uk, 1 +ploxel.com, 1 +plr4wp.com, 1 +plrarena.com, 1 +pltyw.com, 1 +plu.st, 1 +plugcubed.net, 0 +plugin-planet.com, 1 +pluginhayati.tk, 1 +pluginrealty.net, 1 +pluginthemehub.com, 1 +plugshare.com, 1 +pluimveeplanner.nl, 1 +plumage.so, 1 +plumair-ve.com, 1 +plumb.build, 1 +plumber-in-boksburg.co.za, 1 +plumber-in-sandton.co.za, 1 +plumber-kempton.click, 1 +plumber-midrand.click, 1 +plumber-randburg.click, 1 +plumberdurbannorth.co.za, 1 +plumberkingsburgh.co.za, 1 +plumberlewisvilletexas.com, 1 +plumberoftucson.com, 1 +plumberqueensburgh.co.za, 1 +plumberumhlangarocks.co.za, 1 +plumbingbear.com, 1 +plumbingfourways.co.za, 1 +plumbingkingsllc.com, 0 +plumbingmidrand.co.za, 1 +plumbingshop.tk, 1 +plumbware.co.uk, 1 +plumefox.com, 1 +plumlakewi.gov, 1 +plumlocosoft.com, 1 +plumnet.ch, 0 +plumperthumbs.com, 1 +plumpie.net, 0 +plumplat.com, 1 +plumsail.com, 1 +plumz.me, 1 +plur.com.au, 1 +plural.cafe, 1 +pluralistic.net, 1 +pluralpedia.org, 1 +pluricosmetica.com, 1 +plurilock.com, 1 +pluriumint.com, 1 +plurr.me, 1 +plurr.us, 1 +plus-project.co.uk, 1 +plus.google.com, 1 +plus.sandbox.google.com, 1 +plus.st, 1 +plus15.ml, 1 +plus15.tk, 1 +plus1s.site, 1 +plusbeauty.tw, 1 +plusbot.tk, 1 +plusfitness.com.au, 1 +plusgrandevilledefrance.com, 1 +plushev.tk, 1 +pluslink.co.jp, 1 +plusnet.de, 0 +plusport-api.com, 1 +plusport.com, 1 +plusreed.com, 1 +plustech.co.id, 1 +plustwik.com, 1 +pluta.net, 1 +plutiedev.com, 1 +pluto5000.com, 1 +plutopia.ch, 1 +pluvo.site, 1 +pluxml.org, 1 +plyind.com, 1 +plymouthboroughpa.gov, 1 +plymouthbus.co.uk, 1 +plymouthcountyiowa.gov, 1 +plymouthct.gov, 1 +plymouthnh.gov, 1 +plymouthrockwi.gov, 1 +plymouthshawneeindians.org, 1 +plymouthtownshippa.gov, 1 +plymouthwi.gov, 1 +plz.report, 1 +plzdontpwn.me, 1 +plzen-sadrokarton.cz, 1 +plzen.fun, 1 +plzh4x.me, 1 +plztoy.com, 1 +pm-22711.space, 1 +pm-onboarding-external-dev.azurewebsites.net, 1 +pm-partners-management-dev.azurewebsites.net, 1 +pm-schilderwerk.nl, 1 +pm-tm.info, 1 +pm.gov.au, 1 +pm.link, 1 +pm.me, 1 +pm.ua, 1 +pm.uz, 1 +pm13.cz, 1 +pm13.org, 1 +pm25.im, 1 +pma-iss.com, 1 +pma-tools.de, 1 +pmail.tw, 1 +pmalaty.com, 1 +pmarbeid.nl, 1 +pmarques.info, 1 +pmbc.org, 1 +pmbet.vip, 1 +pmbrachyeducation.ca, 1 +pmc-maisons-bois.fr, 1 +pmc.gov.au, 1 +pmcancercampus.ca, 1 +pmcancerclasses.ca, 1 +pmcancerrehab.ca, 1 +pmcaregiver.ca, 1 +pmcc.net, 1 +pmccrystal.com, 1 +pmconsulting.es, 1 +pmcorganometallix.com, 1 +pmcorp.com, 0 +pmcorp.mx, 1 +pmcouvrie.com, 1 +pmctcg.com, 1 +pmctire.com, 0 +pmcvinyladditives.com, 1 +pmdealerest.ga, 1 +pmdistributors.com.au, 1 +pmessage.ch, 1 +pmf.gov, 1 +pmg-offshore-company.com, 1 +pmg.ua, 1 +pmglobal.ro, 1 +pmgroup-global.com, 1 +pmh.codes, 1 +pmi-install.com, 1 +pmi.edu, 1 +pmi.gov, 1 +pmiandulive.com, 1 +pmibags.com, 1 +pmicorp.in, 1 +pmk.ddns.net, 0 +pml4t.net, 1 +pmnaish.co.uk, 1 +pmnd.rs, 1 +pmoreau.org, 1 +pmoscr.com, 1 +pmota.org, 1 +pmp-art.com, 1 +pmp6.fr, 1 +pmpm.tk, 1 +pms.myiphost.com, 1 +pmscomputers.com, 1 +pmsf.eu, 1 +pmsfdev.com, 1 +pmsfoundation.ml, 1 +pmsoft.nl, 0 +pmt-documenten.nl, 1 +pmvmaconnerie.fr, 1 +pn.com.au, 1 +pn.id.lv, 1 +pnakosoft.com, 1 +pnakosoft.com.au, 1 +pnbholdings.com, 1 +pncfx.com, 1 +pneu01.fr, 1 +pneu74.fr, 1 +pneuhaus-lemp.ch, 1 +pneumania.fr, 1 +pneupro.ma, 1 +pnfiles.tk, 1 +png.am, 1 +pnggrid.com, 1 +pnimmobilier.ch, 0 +pnlarticles.com, 1 +pnnl.gov, 1 +pnoec.org.do, 1 +pnr.aero, 1 +pnr.sh, 1 +pnsc.is, 1 +pnut.io, 0 +pnvufs.com, 1 +pnwchirocoverage.com, 1 +po-italy.ru, 1 +po-krasivi.bg, 1 +po-sha-go-vo.ru, 1 +po.cash, 1 +po.ne, 1 +po.net, 1 +poac.net, 1 +pobalkonu.ru, 1 +pobierz.pl, 1 +poc060.com, 1 +poc080.com, 1 +poc090.com, 1 +poc100.com, 1 +poc109.com, 1 +poc11.com, 1 +poc116.com, 1 +poc118.com, 1 +poc119.com, 1 +poc120.com, 1 +poc128.com, 1 +poc13.com, 1 +poc15.com, 1 +poc16.com, 1 +poc17.com, 1 +poc18.com, 1 +poc19.com, 1 +poc21.com, 1 +poc211.com, 1 +poc226.com, 1 +poc228.com, 1 +poc23.com, 1 +poc25.com, 1 +poc26.com, 1 +poc261.com, 1 +poc262.com, 1 +poc27.com, 1 +poc290.com, 1 +poc298.com, 1 +poc31.com, 1 +poc32.com, 1 +poc33.com, 1 +poc35.com, 1 +poc36.com, 1 +poc37.com, 1 +poc38.com, 1 +poc51.com, 1 +poc518.com, 1 +poc52.com, 1 +poc53.com, 1 +poc55.com, 1 +poc56.com, 1 +poc568.com, 1 +poc57.com, 1 +poc58.com, 1 +poc586.com, 1 +poc588.com, 1 +poc59.com, 1 +poc601.com, 1 +poc618.com, 1 +poc63.com, 1 +poc65.com, 1 +poc66.com, 1 +poc661.com, 1 +poc663.com, 1 +poc665.com, 1 +poc668.com, 1 +poc669.com, 1 +poc67.com, 1 +poc68.com, 1 +poc69.com, 1 +poc699.com, 1 +poc71.com, 1 +poc718.com, 1 +poc72.com, 1 +poc75.com, 1 +poc76.com, 1 +poc768.com, 1 +poc77.com, 1 +poc771.com, 1 +poc772.com, 1 +poc773.com, 1 +poc779.com, 1 +poc78.com, 1 +poc79.com, 1 +poc8.com, 1 +poc816.com, 1 +poc86.com, 1 +poc866.com, 1 +poc88.vip, 1 +poc8811.com, 1 +poc882.com, 1 +poc8822.com, 1 +poc883.com, 1 +poc8833.com, 1 +poc885.com, 1 +poc8855.com, 1 +poc886.com, 1 +poc8866.com, 1 +poc887.com, 1 +poc8877.com, 1 +poc888.com, 1 +poc889.com, 1 +poc8899.com, 1 +poc89.com, 1 +poc899.com, 1 +poc916.com, 1 +poc918.com, 1 +poc98.com, 1 +poc99.com, 1 +poc992.com, 1 +poc993.com, 1 +poc995.com, 1 +poc996.com, 1 +poc997.com, 1 +poc998.com, 1 +pocahontascountyiowa.gov, 1 +pocahontascountywv.com, 1 +pocakking.tk, 1 +pocatello.gov, 1 +pocatellonissanparts.com, 1 +pochemuchka-books.com, 1 +pochikikaku.com, 1 +pochkiguru.ru, 1 +pochoden-praha.cz, 1 +pocitacezababku.cz, 1 +pock-programming.net, 1 +pocket-lint.com, 1 +pocketbookdot.tk, 1 +pocketcraft.io, 1 +pocketdeer.cc, 1 +pocketfruity.com, 1 +pocketgamingdirectory.com, 1 +pocketmags.com, 1 +pocketpasta.com, 1 +pockettraveling.tk, 1 +poco.se, 1 +pococo.tk, 1 +pocopizza.co.uk, 1 +pocze.ch, 1 +pod-emnik.by, 1 +pod.lv, 1 +podari-radost.tk, 1 +podari.tk, 1 +podarki-deda-moroza.tk, 1 +podarkiboss.tk, 1 +podarky.gq, 1 +podarochek.tk, 1 +podarochkki.tk, 1 +podatrans.com, 1 +podawful.com, 1 +podawful.pizza, 1 +podcast.style, 1 +podcaster.org.il, 1 +podcastmusic.com, 1 +podcastpulse.net, 1 +podcreative.ca, 1 +podcrto.si, 1 +podcrypters.ga, 1 +podcryptest.ga, 1 +podd.xyz, 1 +podemos.info, 1 +podfastlane.com, 1 +podia.com.gr, 0 +podia.gq, 1 +podipod.com, 1 +podis.ro, 1 +podivilov.com, 1 +podivilov.cz, 1 +podivilov.net, 1 +podivilov.ru, 1 +podnikatel.cz, 1 +podologie-diever.nl, 1 +podologie-tangstedt.de, 1 +podologyclinic.gr, 1 +podolskaya.tk, 1 +podoscop.org, 1 +podparkers.ga, 1 +podparkest.ga, 1 +podprotectionest.ga, 1 +podqueue.fm, 1 +podroof.com, 0 +podroof.com.au, 0 +podrozwmilczeniu.pl, 1 +podshrink.de, 1 +podvenec.tk, 1 +podycust.co.uk, 1 +poed.com.au, 1 +poed.net.au, 1 +poeditor.com, 1 +poehlerflorian.de, 1 +poeleapellets.org, 1 +poemasonline.tk, 1 +poemerx.com, 1 +poemerx.net, 1 +poemindia.cf, 1 +poemlife.com, 1 +poems-bodywear.store, 1 +poemwall.cf, 1 +poemwall.ml, 1 +poemwallers.ga, 1 +poemwallest.ga, 1 +poenhub.xyz, 1 +poetasmenores.tk, 1 +poetenblog.tk, 1 +poeticplanetimagery.com, 1 +poetics.tk, 1 +poetka.tk, 1 +poetry.ge, 1 +poetryinmusic.tk, 1 +poetsgate.com, 1 +poetsjeboot.nl, 1 +poezja.art, 1 +poezja.com.pl, 1 +poezjagala.pl, 1 +pog.im, 1 +pogera.com, 0 +poggensee.it, 1 +pogljad-brest.tk, 1 +pogodavolgograd.tk, 1 +pogodok.tk, 1 +pogomate.com, 1 +pogotowie-komputerowe.tk, 1 +pogotowiekomputeroweolsztyn.pl, 1 +pogrebeniq-sofia.com, 1 +pogrebisky.net, 1 +pohlmann.io, 1 +pohmagazine.org, 1 +pohoron.ru, 1 +poimel.ga, 1 +poimenidou.eu, 1 +poimenidou.gr, 1 +poimenidou.info, 1 +poin.tk, 1 +poinsot.info, 1 +point.pink, 1 +pointaction.com, 1 +pointagri.com, 1 +pointbarre.tk, 1 +pointcab.vn, 1 +pointclickcare.com, 1 +pointel.it, 1 +pointermate.com, 1 +pointforwardinc.net, 1 +pointfoundation.org, 1 +pointhost.de, 1 +pointiswunderland.de, 1 +pointmaquininha.com, 0 +pointpalace.tk, 1 +pointpleasantbeachnj.gov, 1 +pointpur.ch, 1 +points-pote.com, 1 +points4unitedway.com, 1 +pointtosource.com, 1 +pointum.com, 1 +pointworksacademy.com, 1 +pointzip.cf, 1 +pointzip.ml, 1 +pointzipers.ga, 1 +pointzipest.ga, 1 +poiru.net, 1 +poisk-books.ml, 1 +poiskdru.ga, 1 +poiskkladov.tk, 1 +poiskkristinity.ml, 1 +poiskrus.ml, 1 +poisoncolombia.tk, 1 +poisonget-rid-ofac.tk, 1 +poitiers-ttacc-86.eu.org, 1 +pojer.me, 1 +pojoksosmed.com, 1 +pokagontownshipmi.gov, 1 +pokalsocial.de, 1 +poke.blue, 1 +pokedex.mobi, 1 +pokedexer.com, 1 +pokeelektronik.com, 1 +pokeelektronik.com.tr, 1 +pokefarm.com, 1 +pokeforest.io, 1 +pokegourou.com, 1 +pokeinthe.io, 1 +pokelens.tk, 1 +pokeli.de, 1 +pokemmo.com, 1 +pokemmo.eu, 1 +pokemonargentina.tk, 1 +pokemondb.net, 1 +pokemonforums.tk, 1 +pokemongoclub.tk, 1 +pokemonguide.tk, 1 +pokemonlab.com, 1 +pokemonsimulator.com, 1 +pokemonsvet.cz, 1 +pokemontabletopadventures.com, 1 +pokemori.jp, 1 +pokepon.center, 1 +poker4all.tk, 1 +pokerace.cf, 1 +pokerace.tk, 1 +pokeraddressers.ga, 1 +pokeraddressest.ga, 1 +pokeram.ml, 1 +pokerblog.tk, 1 +pokeridioters.ga, 1 +pokeridiotest.ga, 1 +pokerigrach.com, 1 +pokernyheder.io, 1 +pokerreligioners.ga, 1 +pokerreligionest.ga, 1 +pokerslab.com, 1 +pokerstarslearn.com, 1 +pokerventure.ga, 1 +pokerventureers.ga, 1 +pokerventureest.ga, 1 +pokerzone.com, 1 +poki.at, 1 +poki.be, 1 +poki.bg, 1 +poki.by, 1 +poki.ch, 1 +poki.cn, 1 +poki.co.id, 1 +poki.co.il, 1 +poki.com, 1 +poki.com.br, 1 +poki.cz, 1 +poki.de, 1 +poki.dk, 1 +poki.fi, 1 +poki.gr, 1 +poki.it, 1 +poki.jp, 1 +poki.nl, 1 +poki.no, 1 +poki.pl, 1 +poki.pt, 1 +poki.ro, 1 +poki.se, 1 +pokkareindeermeat.com, 1 +pokl.cz, 1 +pokoiki.pl, 1 +pokon548.ink, 1 +pokpok.tk, 1 +pokrowcecardo.pl, 1 +pokupar.com, 1 +pokupkionline.tk, 1 +pokysoia.gov, 1 +pol-members.com, 1 +polaire.org, 1 +polak-import.tk, 1 +polan.tk, 1 +poland.tf, 1 +polanda.com, 1 +polandb2b.directory, 1 +polandtownship.gov, 1 +polar-baer.com, 1 +polarbear.army, 1 +polarhome.tk, 1 +polarisapp.xyz, 1 +polarisengineering.com, 1 +polarispool.com, 0 +polaroidmag.com, 1 +polaschin.ch, 1 +polatas.com.tr, 1 +polatsemih.com, 1 +polbox.fr, 1 +poldrack.me, 1 +pole-mecanique.fr, 1 +pole.net.nz, 1 +poleasingowy.net, 1 +polebarn.com, 1 +polemik.tk, 1 +polenautohuur.nl, 1 +polerka.tk, 1 +polestar.com.tw, 1 +poletaem.tk, 1 +poleznie-soveti.info, 1 +polezno-v-internete.ml, 1 +police-schools.com, 1 +police4tn.gov, 1 +policeauctionsusa.com, 1 +policemanapp.com, 1 +policereferencecheck.com, 1 +policeroleplay.community, 1 +policesromandesrecrutement.ch, 1 +policies.pro, 1 +policybanks.com, 1 +policyhub.gov.au, 1 +policymakr.com, 1 +policymine.com, 1 +policyreporter.us, 1 +policytrusters.ga, 1 +policytrustest.ga, 1 +polidelia.com, 1 +poliermachines.be, 1 +polifisio.com.br, 1 +poliground.com, 1 +polimer39.ml, 1 +polina-gagarina.gq, 1 +polioptics.com, 1 +polis.or.at, 1 +polis.to, 0 +polis812.ru, 1 +polisafety.gr, 1 +polisanaraka.pl, 1 +polisanarciarska.pl, 1 +polish-dictionary.com, 1 +polish-flag.com, 1 +polish-translations.com, 1 +polish-translator.com, 1 +polish-translator.net, 1 +polish-translators.net, 1 +polish.directory, 1 +polishdating.cf, 1 +polishfabrics.com, 1 +polishforums.com, 1 +polishhockey.tk, 1 +polishmarriage.org, 1 +polishmodels.net, 1 +polishtranslation.com, 1 +polisipati.tk, 1 +polismar.com, 1 +polismar.pt, 1 +polismar.uy, 1 +polisport.tk, 1 +polisynazycie.com.pl, 1 +polit-it.pro, 1 +polit.im, 1 +politagree.com, 1 +politeiaudesa.org, 0 +politeka.net, 1 +politex.tk, 1 +politic.org.ua, 1 +political-science-schools.com, 1 +politicalasylum.tk, 1 +politicalscore101.com, 1 +politicaprivacidade.com, 1 +politiciancompare.com, 1 +politicsandnews.cf, 1 +politicsandnews.ga, 1 +politicsandnews.ml, 1 +politicsandnews.tk, 1 +politicsnews.ga, 1 +politicsnews.ml, 1 +politicsnews.tk, 1 +politicsnigeria.com, 1 +politiegent.be, 1 +politik-bei-uns.de, 1 +politik-kommunikation.de, 1 +politisor.com, 1 +politnews5.tk, 1 +politsei.ee, 0 +politvesti.tk, 1 +polkcountyne.gov, 1 +polkcountywi.gov, 1 +polkelections.gov, 1 +polkhealthforanewyou.net, 0 +polki.com, 1 +polknc.gov, 1 +polkswcdiowa.gov, 1 +pollen.co, 1 +pollendine.co.uk, 1 +pollet-ghijs.be, 1 +pollet-ghys.be, 1 +polletmera.com, 0 +pollev-embeds.com, 1 +pollev.com, 1 +polleverywhere.com, 1 +polliga.tk, 1 +pollingplace.uk, 1 +pollnowhere.com, 1 +pollock.gallery, 1 +pollock.tk, 1 +pollpodium.nl, 1 +polly.spdns.org, 1 +pollypaps.ru, 1 +pollyundpaule.de, 1 +polnischestoffe.eu, 1 +polog.tk, 1 +poloil.gov, 1 +polomack.eu, 1 +poloniainfo.com, 1 +polonialidzbark.tk, 1 +polorize.com, 1 +polourize.com, 1 +polski-dentysta-birmingham.uk, 1 +polskiadwokat.org, 1 +polskiemalzenstwo.org, 1 +polskienewsy.tk, 1 +polspam.pl, 1 +poltavawave.com.ua, 1 +poltax.com.pl, 1 +poltsamaa.edu.ee, 1 +poltsamaalasteaed.edu.ee, 1 +poly-fast.com, 0 +poly.se, 1 +polycoise.com, 1 +polycraftual.co.uk, 1 +polygamer.net, 0 +polyglot.com.gr, 1 +polygondemos.com, 1 +polygonthemes.com, 1 +polygraphi.ae, 1 +polymake.org, 1 +polymath.pm, 1 +polymathian.com, 1 +polymax.co.uk, 1 +polymics.com, 1 +polymtl.ca, 0 +polyna.eu, 1 +polynesia.tech, 1 +polynomapp.com, 1 +polypane.rocks, 1 +polyr.xyz, 1 +polyring.ch, 1 +polytarian.com, 1 +polytekniskforening.dk, 1 +polyvalents.fr, 1 +polzaune.de, 1 +pomadgw.xyz, 1 +pomba.pl, 1 +pombalhome.duckdns.org, 1 +pombas.net, 1 +pomdoc.com, 1 +pomelo-paradigm.com, 1 +pomerol-au-coeur.com, 1 +pomfeed.fr, 1 +pomilo.fr, 0 +pommetelecom.fr, 1 +pomockypredeti.sk, 1 +pomocniczy.eu.org, 1 +pomogi-mne.tk, 1 +pomogidrugu.tk, 1 +pomogite.ml, 1 +pomologie.fr, 1 +pomonaca.gov, 1 +pomorskibereg.ml, 1 +pomost.ga, 1 +pomozmruczkom.pl, 1 +pompefunebrilariviera.it, 0 +pompeii.tickets, 1 +pomsinoz.com, 1 +pomtom.co.nz, 1 +ponabana.com, 1 +ponca-nsn.gov, 1 +poncho-bedrucken.de, 0 +pondacademy.com, 1 +pondband.net, 1 +pondof.fish, 1 +pondsama.com, 1 +poneiras.com, 1 +ponga.se, 1 +pongplace.com, 1 +ponio.org, 1 +ponio.xyz, 1 +ponnau.com, 1 +ponpokorin.tk, 1 +ponpon.tk, 1 +ponselsoak.com, 1 +ponsoftware.net, 1 +ponte-camp.de, 1 +ponteggi.it, 1 +ponteggi.roma.it, 1 +pontificia.tk, 1 +pontiwerx.com.au, 1 +pontodogame.com.br, 1 +pontosdevista.pt, 1 +pontosnews.gr, 1 +pontotoccountyms.gov, 1 +pontupagina.com, 1 +ponxel.com, 1 +pony-cl.co.jp, 1 +pony.tf, 1 +ponyar.net, 1 +ponycyclepals.co.uk, 1 +ponydesignclub.nl, 1 +ponyfoo.com, 1 +ponyhof-muensterland.de, 1 +ponytail.fr, 1 +ponytailsdesigns.com, 1 +poobert.tk, 1 +poochpark.tk, 1 +poodleassassin.com, 1 +poodlefan.net, 1 +pooi.me, 1 +poojanews.com, 0 +pookhaarden.nl, 1 +pookl.com, 1 +pool-selber-bauen.de, 1 +pooletranslation.com.au, 1 +poolheatingsolutionswa.com.au, 1 +poolmans.se, 0 +pools.shop, 1 +poolsafely.gov, 1 +poolsafety.gov, 1 +poolsonline.tk, 1 +poolspa.es, 1 +pooltools.net, 1 +poolvilla-margarita.net, 1 +poon.io, 1 +poopa.loan, 1 +poopjournal.rocks, 1 +poopr.ru, 1 +poorclarepa.org, 1 +pooriaarab.com, 1 +poortenautomatiseren.be, 1 +pop-culture.tk, 1 +pop-myworld.com, 1 +pop.dk, 1 +pop.xxx, 1 +pop3.support, 1 +popadvertisementers.ga, 1 +popadvertisementest.ga, 1 +popcarte.com, 1 +popcat.ru, 1 +popcorncult.ru, 1 +popcowboyest.ga, 1 +popcultureshack.com, 1 +popdog.click, 1 +popecountyar.gov, 1 +popecountymn.gov, 1 +popeducation.ga, 1 +popeye.com, 1 +popfitclothing.com, 1 +popflow.cf, 1 +popflow.gq, 1 +popfunko.pt, 1 +popines.tk, 1 +popinga.es, 1 +popinga.it, 1 +popinga.net, 1 +popishop.tk, 1 +popitsnack.com, 1 +popjudge.cf, 1 +popjudge.ml, 1 +popka.sk, 1 +popki.tk, 1 +popkins.cf, 1 +popkins.ga, 1 +popkins.gq, 1 +popkins.ml, 1 +popkins.tk, 1 +poplargrove-il.gov, 1 +poplavok77.tk, 1 +poplite.xyz, 1 +popmagz.com, 1 +popmate.io, 1 +popmatters.com, 1 +popmenu.com, 1 +popmundoforum.tk, 1 +popokin.tk, 1 +popolini.ch, 1 +popolini.com, 1 +popotesetcocottes.fr, 1 +popova.tk, 1 +popoway.cloud, 1 +popoway.me, 1 +popoway9.ml, 1 +poppersareus.com, 1 +poppersy.ml, 1 +poppersy.tk, 1 +popphoto.nl, 1 +poppingdance.tk, 1 +poppinspayroll.com, 1 +poppleriverwi.gov, 1 +popporn.com, 1 +poppsylvie.com, 1 +poppylala.com, 1 +popravilam.by, 1 +popravilam.com, 1 +poprostuakwarystyka.pl, 1 +poptattoo.tk, 1 +poptavka.net, 1 +popular-male-kitten-names.tk, 1 +popularbusinessplatform.com, 1 +popularcar.com, 1 +popularculturegaming.tk, 1 +populardiets.tk, 1 +populardogs.ga, 1 +populardogs.gq, 1 +populardogs.ml, 1 +popularhairstyles.org, 1 +population-ethics.com, 1 +population.gov.au, 0 +popup-stores.online, 1 +popupbazaar.tk, 1 +popwaifu.click, 1 +popxclusive.com, 0 +poquiloco.com, 1 +poquvi.net, 0 +porady-wnetrzarskie.pl, 1 +porady.elblag.pl, 1 +porady.elk.pl, 1 +porady.kalisz.pl, 1 +porady.legnica.pl, 1 +porady.lubin.pl, 1 +porady.malopolska.pl, 1 +porady.mielno.pl, 1 +porady.opole.pl, 1 +porady.org, 1 +porady.pila.pl, 1 +porady.radom.pl, 1 +porady.rybnik.pl, 1 +porady.swinoujscie.pl, 1 +porady.walbrzych.pl, 1 +porady.zgora.pl, 1 +poradywnetrzarskie.pl, 1 +porazarul.by, 1 +porchdaydreamer.com, 1 +porcore.com, 1 +porelcorazon.com, 1 +porelsam.ml, 1 +porevo.tk, 1 +poriadok.eu, 1 +porinnuotiopojat.tk, 1 +pork.org.uk, 1 +porka.gq, 1 +porkbun.com, 1 +porkmart.ga, 1 +porknlaser.com, 1 +porkpiesonline.co.nz, 1 +porlote.com, 1 +porm.club, 1 +porn2019.tk, 1 +porn24-7.com, 1 +porn77.info, 1 +pornagent.de, 1 +pornbabetyra.net, 1 +pornbabetyra.org, 1 +pornbay.eu, 1 +pornbay.org, 1 +pornblog.org, 1 +porncomix69.com, 1 +porncomp.com, 1 +porncompanions.com, 1 +porndoe.com, 1 +porndoepedia.com, 1 +porndragon.net, 1 +pornfacefinder.com, 0 +pornflare.net, 1 +pornforwomentube.com, 1 +pornfreehub.com, 1 +pornfreesites.com, 1 +pornfriends.tk, 1 +porngals4.com, 1 +porngameshub.com, 1 +pornhib.xyz, 1 +pornhub.com, 1 +pornhubapparel.com, 1 +pornhubpremium.com, 1 +pornhun.xyz, 1 +pornimg.net, 1 +porniwi.com, 1 +pornless.biz, 1 +pornline.porn, 1 +pornline.sex, 1 +pornloupe.com, 1 +pornmax.net, 1 +pornmega.net, 1 +porno-chat.it, 1 +porno-geschichten.com, 1 +porno-stars-video.ru, 1 +pornobilder.pics, 1 +pornoclips.net, 1 +pornodvdkopen.nl, 1 +pornogo.sex, 0 +pornogo.tube, 1 +pornohypnosis.tk, 1 +pornokran.com, 1 +pornomens.be, 1 +pornomovies.mobi, 1 +pornomovieshd.com, 1 +pornopark.nl, 1 +pornopica.com, 1 +pornopica.com.br, 1 +pornoplus.fr, 1 +pornorapido.net, 1 +pornovk.xxx, 1 +pornpics.com, 1 +pornpics.de, 1 +pornport.org, 1 +pornrd.com, 1 +pornsticky.com, 1 +pornstop.net, 1 +pornsuper.net, 1 +pornteddy.com, 1 +porntop100.com, 1 +porntube-vidios.ml, 1 +porntvclip.com, 1 +pornultra.net, 1 +pornvideos-tour.com, 1 +pornvideos-tube.com, 1 +pornvideos.tv, 1 +pornvidsfree.com, 1 +pornxxnxx.com, 1 +pornxxxvideos.xyz, 1 +porny.xyz, 1 +porodin.ml, 1 +pororoca.xyz, 1 +porplemontage.com, 1 +porroserver.tk, 1 +pors-sw.cz, 1 +porsche356registry.org, 1 +porschen.fr, 1 +porsolt.com, 1 +port.gdynia.pl, 0 +port.social, 1 +port443.hamburg, 0 +port443.se, 1 +port5060.net, 1 +port67.org, 1 +port80.hamburg, 0 +portable-games.tk, 1 +portablespeakers.tk, 1 +portablespeakersfinder.com, 1 +portadam.com, 1 +portafoliodenegocios.com.mx, 1 +portagecounty-oh.gov, 1 +portagedessiouxmo.gov, 1 +portagein.gov, 1 +portail-familles.net, 1 +portail-partenariats.fr, 1 +portail-rh.fr, 1 +portail.does-it.net, 1 +portal-books.ga, 1 +portal-ekologia.pl, 1 +portal-news.tk, 1 +portal-ru.tk, 1 +portal-uang.com, 1 +portal.fo, 1 +portal.tirol.gv.at, 0 +portaladictos.tk, 1 +portalampgroep.nl, 1 +portalcarriers.com, 1 +portalchega.pt, 1 +portaldamizade.com, 1 +portaldatorcida.com.br, 1 +portaldocredito.pt, 1 +portaldogremista.com.br, 1 +portaleldense.tk, 1 +portalexpressservices.com, 1 +portalm.tk, 1 +portalmundo.xyz, 1 +portalpandalandia.tk, 1 +portalultautv.net, 1 +portalutil.com.br, 1 +portalz.xyz, 1 +portamiinpista.it, 0 +portanatura.it, 1 +portatilea.com, 1 +portativ-mobi.tk, 1 +portcanaveral.gov, 1 +portchesterny.gov, 1 +portcomputingsolutions.com.au, 1 +porte.roma.it, 1 +portedwardswi.gov, 1 +portent.com, 1 +porterbuddy.com, 1 +portercountyin.gov, 1 +porterpeds.com, 1 +portes-imaginaire.org, 1 +portesmagistral.com, 0 +portfolio-anish.tk, 1 +portfoliorlr.es, 1 +portfreezone.com, 1 +porthos.com.ar, 1 +porthueneme.gov, 1 +porthys.pt, 1 +portiapp.mx, 1 +portiaweb.org.uk, 1 +portierato.it, 1 +portingkit.com, 1 +portis.io, 1 +portiva.com, 1 +portmeirion.co.uk, 0 +portoccd.org, 0 +portofala.pt, 1 +portofedmonds.gov, 1 +portofephrata.gov, 1 +portofnenana.gov, 1 +portofsubs.com, 1 +portokalliali.tk, 1 +portonfus.com, 1 +portorchardwa.gov, 1 +portoseguro.med.br, 1 +portosonline.pl, 1 +portovelhoshopping.com.br, 1 +portraitcameos.com, 1 +portsaidyman.tk, 1 +portsdebalears.gob.es, 1 +portservice.se, 1 +portsmouthnhpd.gov, 1 +portsmouthohpd.gov, 1 +portsmouthri.gov, 1 +portsmouthsheriffsofficeva.gov, 1 +portsona.com, 1 +portugal-a-programar.org, 1 +portugal-a-programar.pt, 1 +portugal-car-hire.net, 1 +portugalbycar.com, 1 +portugalivre.tk, 1 +portugalsko.net, 1 +portugalsurflessons.com, 1 +portusidades.com.pt, 1 +portvaletickets.com, 1 +portwashingtonwi.gov, 1 +portwing.gov, 1 +porumaoutrareforma.org, 1 +porumbei.tk, 1 +porwal.pl, 1 +posa.moe, 1 +posaunenchor-senden.de, 1 +posbich.net, 1 +pose-faux-plafond.fr, 1 +poseidon-giesing.de, 1 +poseidonwaterproofing.info, 1 +poseidonwaterproofing.net, 1 +poseidonwaterproofing.org, 1 +poseidonworld.tk, 1 +posh.tech, 1 +poshcastles.co.uk, 1 +poshe.tk, 1 +poshlashes.se, 1 +poshmark.com, 1 +poshsecurity.com, 1 +poshvine.com, 1 +posicionament.tk, 1 +posied.ga, 1 +posijson.stream, 1 +positionus.io, 1 +positivastudios.tk, 1 +positive-thinking-for-you.com, 1 +positive.com.cy, 1 +positive.photography, 1 +positivecoach.org, 1 +positivenames.net, 1 +positiveone.tk, 1 +positiveoutlook.cn, 1 +positiverbeitrag.net, 1 +positiverbeitrag.org, 1 +positivetherapy.in, 1 +positivethinkingmind.com, 1 +positivityoflife.com, 1 +positivos.tk, 1 +positronicmoron.tk, 1 +poslednigenerace.cz, 1 +posoco.in, 1 +pospisilik.eu, 1 +pospisilikovi.cz, 1 +post-anon.tk, 1 +post-darwinian.com, 1 +post-darwinism.com, 1 +post-health.net, 1 +post-office.tk, 1 +post-victoria.com, 1 +post-x.org, 1 +post.com.ar, 1 +post.how, 1 +post.icu, 1 +post.io, 1 +post.kim, 1 +post.lol, 1 +post.tf, 1 +post4me.at, 1 +postacyprus.com, 1 +postal.dk, 1 +postaltreasures.com, 1 +postandfly.com, 1 +postat.com, 1 +postback.io, 0 +postbanken.no, 1 +postblue.info, 1 +postbox.life, 1 +postcardpayment.com, 1 +postcards.tk, 1 +postcodeswag.co.uk, 1 +postcodeswag.com, 1 +postcodeswag.uk, 1 +postdarwinian.com, 1 +postdarwinism.com, 1 +postdeck.de, 1 +postechbamboo.tk, 1 +posteo.de, 1 +posteo.net, 1 +posteo.pro, 1 +postermywall.com, 1 +postern.net, 1 +postern.nl, 1 +postern.org, 1 +postern.uk, 1 +posters.win, 1 +posterspy.com, 1 +postfactum.info, 1 +postfalls-naturopathic.com, 1 +postfalls.gov, 1 +postfallspolice.gov, 1 +postfinance.ch, 1 +postimages.org, 1 +postimg.cc, 1 +postlakeswi.gov, 1 +postlifepreps.com, 1 +postlogistic.tk, 1 +postman.co, 1 +postman.ga, 1 +postmaniac.com, 1 +postmarka.tk, 1 +postmaster.boats, 1 +postmatescode.com, 1 +postmelody.gr, 1 +postmerkezi.tk, 1 +postmistress.email, 1 +postmusicologia.tk, 1 +postn.eu, 1 +postnet.club, 1 +postnext.com, 1 +postolia.cf, 1 +postoyanstvo.cf, 1 +postpot.co.kr, 1 +postscnn.com, 1 +poststar.com, 1 +postsubmeta.net, 1 +posttigo.com, 1 +posturografia.info, 1 +posturographie.info, 1 +posturography.courses, 1 +posturography.education, 1 +posturography.equipment, 1 +posturography.info, 1 +posturography.science, 1 +posturography.software, 1 +posturography.solutions, 1 +posturography.systems, 1 +posturography.training, 1 +posturologie.info, 1 +posturologo.roma.it, 1 +posukovskaschola.cz, 1 +posutochno.ml, 1 +posutochno.tk, 1 +pot-au-feu.info, 1 +potadvisor.com, 1 +potatiz.com, 1 +potato.im, 1 +potatochip.tk, 1 +potatodiet.ca, 1 +potatolighting.com, 1 +potatopro.com, 1 +potatosoft.kr, 1 +potatosouprecipe.ml, 1 +potatotee.com, 1 +potature.it, 1 +potature.org, 1 +potature.rimini.it, 1 +potature.roma.it, 1 +potbelly.com, 1 +potemkin.tk, 1 +potencial-school.ru, 1 +potentialcalm.co.uk, 1 +poterepersonale.it, 1 +pothe.com, 1 +pothe.de, 1 +pothuarivu.tk, 1 +potion.ai, 0 +potionlabs.de, 1 +potlytics.com, 1 +potolok-brest.tk, 1 +potolok.am, 1 +potomac.cf, 1 +potomacanalysis.com, 1 +potomacurology.com, 1 +potomania.cz, 1 +potosi-bolivia.tk, 1 +potosivlgwi.gov, 1 +potosiwi.gov, 1 +potrahushki.tk, 1 +potreningu.pl, 1 +potrillionaires.com, 1 +potsandplanters.com.au, 1 +potsdam.directory, 1 +pottawatomiecountyok.gov, 1 +pottcountyks.gov, 1 +potteranderson.com, 1 +pottercountytexasvotes.gov, 1 +potterish.com, 1 +potterperfect.tk, 1 +pottershouse.tk, 1 +potterybroker.ga, 1 +pottkinder.de, 1 +pottshome.co.uk, 1 +pottsvillepa.gov, 1 +potvorka.tk, 1 +potwin.tk, 1 +potworowski.de, 1 +potz.tk, 1 +pouchulu.tk, 1 +poudlard.fr, 1 +pouets.ovh, 1 +poultryfeedformulation.com, 1 +poun.tk, 1 +poundgatepark.co.uk, 1 +poupaeganha.pt, 1 +poupardinheiro.com.br, 1 +poupee.me, 1 +pourali.com, 1 +poured-floors.tk, 1 +pourout.org, 0 +pousadamaremata.com.br, 1 +pouwels-oss.nl, 1 +povar.ru, 1 +povarenok.cf, 1 +povareshka.tk, 1 +povmacrostabiliteit.nl, 1 +povomo.online, 1 +povzetki-knjig.si, 1 +pow.jp, 1 +powch-dev.com, 1 +powch-dev2.com, 1 +powdercoatatl.com, 1 +powdercoatingatl.com, 1 +powderedcloud.cf, 1 +powderedcloud.ga, 1 +powderkeg.com, 1 +powderlife.com, 1 +powderspraymachine.com, 1 +powelljones.co.uk, 1 +power-bi-connector.be, 1 +power-bi-connector.eu, 1 +power-bi-connector.nl, 1 +power-coonies.de, 1 +power-flowengineer.com, 1 +power-magnetic.ml, 1 +power-of-interest.com, 1 +power-plugins.com, 1 +power-recovery.com, 1 +power-tools24.com, 1 +power100.co.uk, 1 +power2prevent.gov, 1 +poweranalitica.com, 1 +powerb.ch, 1 +powerbalance.tk, 1 +powerball.cf, 1 +powerball.club, 1 +powerbi.istanbul, 1 +powerbux.tk, 1 +powercloud.technology, 1 +powercod.tk, 1 +powercomputers.nl, 1 +powercounty.gov, 1 +powercv.ro, 1 +poweredbyiris.nl, 1 +powerenglish.cl, 1 +powerentertainment.tv, 1 +powerfifty.com, 1 +powerforpeople.tk, 1 +powerfortunes.com, 1 +powerfulcom.net, 1 +powergridess.com, 0 +powergroup.tk, 1 +powerhouse.pro, 1 +powerhousegym.co, 1 +powerinboxperformance.com, 1 +powerlifting.tk, 1 +powerling.com, 1 +powerlp.com, 1 +powermeter.at, 1 +powerpc.pt, 1 +powerpilot.co.za, 1 +powerplan.com, 1 +powerplantmall.com, 1 +powerplatform.istanbul, 1 +powerplay.com, 1 +powerplay.xyz, 1 +powerplayer.tk, 1 +powerroo.com.au, 1 +powersaleskc.com, 1 +powerscif.com, 1 +powerscourt.tk, 1 +powerserg.ca, 1 +powerserg.io, 1 +powerserg.net, 1 +powerserg.shop, 1 +powerserg.us, 1 +powersergcloud.com, 1 +powersergconnect.com, 1 +powersergconsulting.com, 1 +powersergdatasystems.com, 1 +powersergdatasystems.tk, 1 +powersergdynamic.com, 1 +powersergedatasystems.com, 1 +powersergfeds.com, 1 +powersergholdings.com, 1 +powersergisrc.com, 1 +powersergmysteryshopping.com, 1 +powersergopioidoverdoseinterventiontrust.com, 1 +powersergpiv.com, 1 +powersergsecure.com, 1 +powersergsis.com, 1 +powersergsystems.com, 1 +powersergsystems.net, 1 +powersergthisisthetunnelfuckyouscott.com, 1 +powersergthisisthewebsitefuckyouchris.com, 1 +powersergthisisthewebsitefuckyouscott.com, 1 +powersergunited.com, 1 +powersergunited.org, 1 +powersergusercontent.com, 1 +powersergwiring.com, 1 +powersergwiringconsultants.com, 1 +powershaper.io, 1 +powershellmagic.com, 1 +powersolusa.com, 1 +powersport.lt, 1 +powersubmitter.tk, 1 +powersurgedatasystems.com, 1 +powerswitch.org.nz, 1 +powertecno.ml, 1 +powertoolsrater.net, 1 +powertop.com, 1 +powertrike.tk, 1 +powertrunk.com, 1 +poweruser.su, 1 +powervolt.ru, 1 +powerwarranties.com, 1 +powerwellness-korecki.de, 1 +powerwheels.tk, 1 +powerwithpeople.com, 1 +powerzonewrestling.tk, 1 +powmobilegrooming.com, 1 +powwi.co, 1 +poylabo.com, 1 +poynter.net, 1 +pozarevac.tk, 1 +pozd.tk, 1 +pozdravlyalka.gq, 1 +pozemedicale.org, 1 +pozharnyi.tk, 1 +pozitiffchik.ga, 1 +pozitiffchik.ml, 1 +pozitiffchik.tk, 1 +pozitiv.gq, 1 +pozitone.com, 1 +poziworld.com, 1 +poznajrynek.pl, 1 +poznajteneryfe.pl, 1 +poznavatelno.ml, 1 +pozzitiv.ro, 1 +pp.es, 1 +pp3345.net, 1 +pp5197.co, 1 +pp6729.co, 1 +pp6729.com, 1 +pp6957.co, 1 +pp9297.co, 1 +pp9728.co, 1 +ppam.de, 1 +ppapogey.com, 1 +ppapogey.ru, 1 +ppaya.com, 1 +ppbi.com, 1 +ppcgeeks.com, 1 +ppcsesco.com, 1 +ppf.co.uk, 1 +ppg.report, 1 +ppgod.us, 1 +ppipe.net, 1 +ppirs.gov, 1 +ppissis.com.cy, 1 +ppktgti.top, 1 +ppld.org, 1 +pplog.info, 1 +pplsoft.nl, 1 +pplsvc.com, 1 +pplusp.dk, 1 +ppmlocal.com, 1 +ppmoon.com, 1 +ppms.gov, 1 +ppoou.co.uk, 1 +ppoozl.com, 1 +pppo.gov, 1 +ppppp.click, 1 +ppsltd.ca, 1 +ppssh.org, 1 +pptavmdata.org, 1 +ppter8.com, 1 +ppweb.pro, 1 +ppy.sh, 1 +pqd.ru, 1 +pqforce.com, 1 +pqgruber.com, 1 +pqscript.com, 1 +pr-news.spb.ru, 1 +pr-project.tk, 1 +pr.search.yahoo.com, 0 +pr.tn, 1 +pr100.gov, 1 +pr1sm.com, 1 +pr2studio.com, 1 +pr3-space-staging.ga, 1 +pr3.space, 1 +pr92.tk, 1 +pra.rip, 1 +prabhasakshi.com, 1 +prabirghosh.tk, 1 +prac.to, 1 +prachiiimohite.tk, 1 +pracovita.pl, 1 +pracownia-kasi.pl, 1 +pracowniamebli.mazury.pl, 1 +pracsuite.com, 1 +practical-lean.com, 1 +practicalhomes.com.au, 1 +practicallabs.com, 1 +practicepanther.com, 1 +practisforms.com, 1 +practitest.com, 1 +practixdevelopment.com, 1 +practo.com, 1 +practodev.com, 1 +pracusalev.tk, 1 +pradeek.tk, 1 +pradeepagrawal.com, 1 +pradersystems.ch, 1 +pradmin.ru, 1 +prado.it, 1 +pradohalcones.com, 1 +pradyumnashome.com, 1 +praemoveo.net, 1 +praeparation-keppner.de, 1 +praerien-racing.com, 1 +praetzlich-hamburg.de, 1 +praew.com, 1 +pragata.id, 1 +pragatiparasguesthouse.co.in, 1 +prageeth-niranjan.tk, 1 +pragma-messenger.ch, 1 +pragma-solution.com, 1 +pragmatist.nl, 1 +pragrimsby.co.uk, 1 +pragser-tal.net, 1 +pragtravel.cf, 1 +prague-swim.cz, 1 +praguepsychology.com, 1 +praguepsychology.cz, 1 +praha-9.eu, 1 +praha-kominictvi.cz, 1 +praha.tk, 1 +praia.studio, 1 +praiagrande.tk, 1 +prairienursery.com, 1 +prairievilletwp-mi.gov, 1 +praisehim.club, 1 +praiss.net, 1 +prajwal-koirala.com, 1 +prakhar.uk, 1 +prakharprasad.com, 1 +prakharvarta.com, 1 +praksite.fr, 1 +praktijkbeoordelen.nl, 1 +praktijkdevecht.nl, 1 +praktijkmarula.nl, 1 +praktijkpassepartout.nl, 1 +praktijktamaravanoers.nl, 1 +praktijktian.be, 1 +praktijktoetsen.nl, 1 +praktiker.hu, 1 +praktikum.tk, 1 +praladofuturo.blog, 1 +pralaw.com, 1 +praleria.com, 1 +pramuwaskito.org, 1 +prana-coachings.ch, 1 +prana-me.com, 1 +pranabesh.com, 1 +pranafilms.tk, 1 +pranavida.cl, 0 +prancor.ru, 1 +pranita-schals.de, 1 +pranita.cz, 1 +pranita.sk, 1 +prankawards.ga, 1 +pranksearch.ml, 1 +prankstercompany.com, 1 +prashantcafe.tk, 1 +prasinoscomputers.ml, 1 +prasos.fi, 1 +prasso.se, 0 +prateep.io, 1 +pratelloshop.tk, 1 +pratemarkets.com, 1 +praterraines.co.uk, 1 +prathambooks.org, 1 +praticienmedecinechinoise.be, 1 +prato-allo-stelvio.org, 1 +pratopronto.org, 1 +pratorotoli.it, 1 +pratosirunin.ga, 1 +pratyu.sh, 1 +prauxilium.com, 1 +pravac.de, 1 +pravagolosa.cf, 1 +pravagolosa.ga, 1 +pravagolosa.gq, 1 +pravda-tv.com, 1 +praveenawstest1.tk, 1 +praveenjuge.com, 1 +praveenravichandran.xyz, 1 +pravex.com.ua, 1 +pravlife.ru, 1 +pravnisistem.rs, 1 +pravo-brest-belarus.tk, 1 +pravo911.tk, 1 +pravoslavie.tk, 1 +pravoslavnayarus.tk, 1 +pravosudie.tk, 1 +prawer.com, 1 +prawnikdlaanglii.co.uk, 1 +praxino.de, 0 +praxis-dingeldey.de, 1 +praxis-dr-bandulik.de, 1 +praxis-familienglueck.de, 1 +praxis-fickenscher.de, 1 +praxis-kjpt.de, 1 +praxis-liebner.de, 1 +praxis-oranienburg.de, 1 +praxis-rufer.ch, 1 +praxis-sorg-sam.ch, 0 +praxis-waedicity.ch, 1 +praxisamziegetsberg.de, 1 +praxisbiel.de, 1 +praxisfilms.org, 1 +praxisgroup.services, 1 +praxistipp24.com, 1 +prayag.tk, 1 +prazdnik-volgodonsk.tk, 1 +prazdniki-sait.tk, 1 +prazdniktost.tk, 1 +prazeremamamentar.com.br, 1 +prc.gov, 1 +prcarrier.tk, 1 +prcsurvey.com, 1 +prd-use-device-api.azurewebsites.net, 1 +prdashboard.tk, 1 +prdctz.tips, 1 +pre-commit.ci, 1 +pre-commit.com, 1 +pre-renewal.com, 1 +preapps.com, 1 +precambridge.tk, 1 +precedecaritas.com.br, 1 +precedencemedia.com, 1 +precedenceum.com, 1 +precept.uk.com, 1 +preci0.com, 1 +preciadictos.tk, 1 +preciofishbone.com, 1 +preciofishbone.de, 1 +preciofishbone.dk, 1 +preciofishbone.se, 1 +preciofishbone.vn, 1 +preciosmejores.com, 1 +preciousdad.com, 1 +preciouspebble.co.uk, 1 +preciscx.com, 1 +precisebusiness.com, 1 +precisefuture.com, 1 +precisionchiroct.com, 1 +precisionclan.com, 1 +precisioncoolingco.com, 1 +precisioncourt.com, 1 +precisiondentalnyc.com, 1 +precisiondentistrynj.com, 1 +precisiondigital-llc.com, 1 +precisionicerinks.com, 1 +precisionlender.com, 1 +precisionmachineservice.com, 1 +precisionpdr.tech, 1 +precisionsportsonline.com, 1 +precisionstocks.com, 0 +precisiontechcorp.com, 1 +precisionvaccinations.com, 1 +precoro.us, 1 +precutppf.store, 1 +predator-league.com, 1 +predatoria.tk, 1 +predatorworld.tk, 1 +predckazanie.ru, 1 +predication.ch, 1 +predictz.com, 1 +predilife.com, 1 +predkosci.pl, 1 +predmetnyj-fotograf.by, 1 +prednisolone1.gq, 1 +predoiu.ro, 1 +predskazanie.cf, 1 +predskazanie.ml, 1 +predskazanie.tk, 1 +predstavitelstvo-v-sude.tk, 1 +preejaculation.ga, 1 +preescolarsteps.com, 1 +prefabricadosdelcaribe.com, 1 +prefabrik-ev.com, 1 +prefect.cloud, 1 +prefect.io, 0 +prefereal.com, 1 +prefereal.net, 1 +prefereal.org, 1 +preference.ga, 1 +preferredathlete.com, 1 +preferredreverse.com, 1 +preferredservice.ca, 1 +prefix.eu, 1 +preflighthomeinspections.com, 1 +prefontaine.name, 1 +pregen.tk, 1 +pregnancytips.tk, 1 +pregnantorcrazy.com, 1 +preguntasdeciudadania.com, 1 +pregunteleakaren.gov, 1 +preis-alarm.info, 1 +preis-alarm.org, 1 +preisser-it.de, 1 +preisser.it, 1 +prek.se, 1 +prekladysanca.cz, 1 +prelesti.tk, 1 +preloaded-hsts.badssl.com, 1 +preludes.org, 1 +prelved.com, 1 +prelved.es, 1 +prelved.fi, 1 +prelved.fr, 1 +prelved.it, 1 +prelved.nl, 1 +prelved.pl, 1 +prelved.se, 1 +prematureacceleration.club, 1 +premazon.com, 1 +preme.name, 1 +premiachef.com, 1 +premier-dream.co, 1 +premier-hub.com, 1 +premier-pallets.com, 1 +premier-podiatry.com, 1 +premieraviation.com, 1 +premierbouncycastles.co.uk, 1 +premierconveyors.com, 1 +premierdesigns.org, 1 +premierdisco.co.uk, 1 +premiereco.com.sg, 1 +premieresloges.ca, 1 +premierevents.ie, 1 +premierfinance.ae, 1 +premierflmagazine.com, 1 +premierheart.com, 1 +premierleague.gq, 1 +premierloto.cg, 1 +premierloto.cm, 1 +premierloto.co.ke, 1 +premierloto.co.mz, 1 +premierloto.ml, 1 +premierloto.mw, 1 +premierloto.td, 1 +premiermaldives.com, 1 +premiermarketing.co.nz, 1 +premierokchomebuyers.com, 1 +premierpedsny.com, 1 +premierpoolsandspas.com, 1 +premierpups.com, 1 +premierseeds.co.nz, 0 +premiership-predictors.co.uk, 1 +premiersimgl.com, 1 +premioambiente.it, 1 +premiovapozicovna.sk, 1 +premiovicentejorgesilva.pt, 0 +premised.land, 1 +premium-computer.fr, 1 +premium-job.ru, 1 +premiumcredit.am, 1 +premiumcs.ru, 1 +premiumdesign.hr, 1 +premiumkeystore.com, 1 +premiumlegalsupport.ga, 1 +premiumpeaches.com, 1 +premiumpictureframing.com, 1 +premiumshop24.de, 1 +premiumsmile.ru, 1 +premiumturkey.ml, 1 +premiumusedautoparts.com, 1 +premiumwebdesign.it, 1 +premkumar.net, 1 +premlall.com, 1 +premsarswat.me, 1 +premstarinc.com, 1 +prenatal.com, 1 +prenatal.es, 1 +prendashop.es, 1 +prensaalterna.com, 1 +prensahispana.ga, 1 +prensarural.org, 1 +prepa-benjam.fr, 1 +prepa-code.com, 1 +prepagosyescortforyou.com, 1 +prepaid-cards.xyz, 1 +prepaidgirl.com, 1 +prepaidify.com, 1 +prepaidkredietkaart.be, 1 +prepare-job-hunting.com, 0 +prepareforthesat.com, 1 +preparetheword.com, 1 +prepedia.org, 1 +prepfba.com, 1 +prepr.io, 1 +prepress.ru, 1 +preprodfan.gov, 1 +prepscouts.tk, 1 +prepsiedy.cf, 1 +prepz.es, 0 +prequence.com, 1 +preregpharmacy.org, 1 +presbee.com, 1 +presbyterian-colleges.com, 1 +preschoole.gq, 1 +preschoolteacher.org, 1 +presdesdunes.com, 1 +presence-group.com, 1 +presence-relation.fr, 0 +presenciainternet.com, 1 +present-m.com, 1 +presentaline.ch, 1 +presentationmedia.com, 1 +presentationsteknik.org, 1 +presentsofmind.com.au, 1 +preserveart.org, 1 +preservecrownhill.cf, 1 +preservecrownhill.ga, 1 +preservegrandcountyhistory.org, 1 +preserveourhillcountry.org, 1 +preserverollinspass.org, 1 +preserving.tk, 1 +presgrp.com, 1 +presgrp.net, 1 +president.bg, 1 +president.ee, 0 +presidentdirectory.ga, 1 +presidentialinnovationfellows.gov, 1 +presidentialserviceawards.gov, 1 +presidio.gov, 1 +presidiocommercial.gov, 1 +presidiotunneltops.gov, 1 +presly.org, 1 +presnetter.de, 1 +presnya.tk, 1 +presov.ml, 1 +press-edge.tk, 1 +press-lent.com, 1 +press-presse.ca, 1 +press-wall24.ru, 1 +press.lv, 1 +pressakey.com, 1 +pressakey.de, 1 +presscenter.jp, 1 +presscommunity.tk, 1 +presscuozzo.com, 1 +presseagrume.net, 1 +pressed.com, 1 +pressemeddelelse.dk, 1 +pressento.com, 1 +pressfreedomtracker.us, 1 +pressidium.com, 1 +pressimize.com, 1 +presslabs.com, 1 +pressnet.tk, 1 +pressnetwork.tk, 1 +pressnewscafe.gq, 1 +pressofatlanticcity.com, 1 +pressography.org, 1 +pressreleasecentral.tk, 1 +pressreleasepedia.tk, 1 +pressrush.com, 1 +pressspace2hack.com, 1 +pressspacetohack.com, 1 +pressup.it, 1 +pressureradio.com, 1 +pressurewashers.ml, 1 +pressurewashersandiego.com, 1 +pressurewashingchicago.com, 1 +presta-div-airs.fr, 1 +prestaandsons.com.au, 1 +prestaclip.com, 1 +prestar.com.my, 1 +prestaservicesgroup.com, 1 +prestashopmanager.com, 1 +prestatest.tk, 1 +prestatyn-scala.info, 1 +prestatynflowershow.co.uk, 1 +prestec.com, 1 +prestige-car-location.ch, 0 +prestigebouncycastles.co.uk, 1 +prestigecarkeys.com, 1 +prestigeeventshire.co.uk, 1 +prestigehealth.services, 1 +prestigehealthservices.au, 1 +prestigehealthservices.com.au, 1 +prestigelegalgroup.com.au, 1 +prestigerepairs.com.au, 1 +prestigesigns.net, 1 +prestigesoundandlight.co.uk, 1 +prestigestaffingsolutions.org.au, 1 +prestigeworldwidepr.com, 1 +prestigia.com, 1 +prestonadamscountywi.gov, 1 +prestonapp.com, 1 +prestonbrant.com, 1 +prestopermits.com, 1 +prestopizzas63.fr, 1 +prestudenta.sk, 1 +prestupniki.tk, 1 +pretabelamodas.com.br, 1 +pretalx.com, 1 +pretix.eu, 1 +pretome.info, 1 +pretor-sa.com, 1 +pretrialservices.gov, 1 +prettier.fun, 1 +pretty-liars.tk, 1 +pretty-smile.com.tw, 1 +prettybed.com, 1 +prettycities.ga, 1 +prettycloud.net, 1 +prettycloud.org, 1 +prettycobs.com, 1 +prettydirtyteens.com, 1 +prettygirlcheats.com, 1 +prettykeira.tk, 1 +prettynode.com, 0 +prettyporn.com, 1 +prettysimplemom.com, 1 +prettyskin.com.tw, 1 +prettytunesapp.com, 1 +pretzelhands.com, 0 +pretzelx.com, 1 +preums.co, 1 +preussner-grafik-design.de, 1 +prevalent.net, 1 +preventshare.com, 1 +preview-it-now.com, 1 +preview.ninja, 1 +previewfreemovies.com, 1 +previewninja.com, 1 +previewtoday.it, 1 +previh.eu, 1 +previous.one, 1 +previousmagazine.com, 1 +previsiemens.com.br, 0 +previstart.com, 1 +previstart.fr, 1 +prevodkazet.cz, 1 +prevu3d.com, 1 +prexxorvita.com, 1 +prezentmarzen.com, 1 +preziti.eu, 1 +prfanfiction.tk, 1 +prg.rs, 1 +prgrmmr.nl, 1 +pri.email, 1 +priano.com, 0 +price-spider.com, 1 +price-tracker.duckdns.org, 1 +price.com.hk, 1 +priceactionhelp.com, 1 +priceblink.com, 1 +pricefx.com, 1 +pricefx.eu, 1 +pricegg.com, 1 +pricegg.com.ua, 1 +pricegg.ru, 1 +priceless-jewelry.com, 1 +pricelesspics.tk, 1 +pricelistforbxmodules.ga, 1 +pricelooper.com, 0 +priceofbusiness.com, 1 +pricepropharmacy.com, 1 +pricesdoors.com, 1 +priceshop.com, 1 +pricesmax.com.mx, 0 +pricesniffer.co, 1 +pricevillepdal.gov, 1 +pricevortex.com, 1 +pricing-fox.cz, 1 +pricing-fox.sk, 1 +priczone.com, 1 +pride-enterprises.org, 1 +pridecounseling.com, 1 +pridecraft.gay, 1 +prideindomination.com, 1 +pridnestrovye.gq, 1 +pridurok.tk, 1 +prielwurmjaeger.de, 1 +priestess.tk, 1 +prifo.se, 1 +prij.fr, 1 +prijsvergelijken.ml, 1 +prikaznoparty.com, 1 +prikeshsavla.com, 1 +prikolkz.tk, 1 +prikpot.com, 1 +prima-backoefen.de, 1 +prima-badezimmermoebel.de, 1 +prima-digitalkameras.de, 1 +prima-fernseher.de, 1 +prima-gefrierschraenke.de, 1 +prima-herde.de, 1 +prima-informatique.com, 1 +prima-kuehlschraenke.de, 1 +prima-mikrofone.de, 1 +prima-mikrowellen.de, 1 +prima-monitore.de, 1 +prima-pcs.de, 1 +prima-smartphones.de, 1 +prima-tablets.de, 1 +prima-trockner.de, 1 +prima-waschmaschinen.de, 1 +prima-webcams.de, 1 +primadirectory.tk, 1 +primaflorafloristaccrington.co.uk, 1 +primalinea.pro, 1 +primalracing.com, 1 +primalshop.dk, 1 +primalsurvivor.net, 1 +primananda.com, 1 +primanota.ch, 0 +primapak.bg, 1 +primary.health, 1 +primarycareconnect.com.au, 1 +primarydomain.us, 1 +primarysector.space, 1 +primasmartwatches.de, 1 +primates.com, 1 +primaudialrecords.com, 1 +primaveradesign.com.br, 1 +primbit.ru, 1 +prime, 1 +prime-host.ml, 1 +prime-med.com.tw, 1 +primecapsslim.com.br, 1 +primecreative.com.br, 1 +primecursos.com.br, 1 +primed.io, 1 +primedesigns.com.au, 1 +primeequityproperties.com, 1 +primeestates.co, 1 +primeexecutiveoffices.com, 1 +primefinance.co.nz, 1 +primegeradores.com.br, 1 +primegiftindia.com, 1 +primekinoshita.com, 1 +primelogistics.cf, 0 +primemotive.com, 0 +primemotive.com.au, 1 +primeops.co, 1 +primepest.net, 1 +primeprime.cf, 1 +primeratx.gov, 1 +primerdeal.com, 1 +primersbc.com.br, 1 +primesense.com.br, 1 +primesensecosmeticos.com.br, 1 +primetechpa.com, 1 +primetics.co.uk, 0 +primeview.com, 1 +primglaz.ru, 1 +primisbank.com, 1 +primit.com, 1 +primitiv.tk, 1 +primitivesbykathy.com, 1 +primo.be, 1 +primordialsnooze.com, 1 +primorsk.com, 1 +primorski.com, 1 +primorus.lt, 1 +primos-tech.com, 1 +primowatercorp.com, 1 +primrose-2.com, 1 +primrosehillvets.ie, 1 +primrosenyagwaya.online, 1 +primsports.ru, 1 +primyris.fr, 1 +princearmoryacademy.com, 1 +princebazawule.com, 1 +princedavidlodge.org.uk, 1 +princelishan.com, 1 +princelishan.com.tw, 1 +princemathew.tk, 1 +princemolak.ga, 1 +princes-st.org.nz, 1 +princess.software, 1 +princessbackpack.de, 1 +princessefoulard.com, 1 +princesspawg.tk, 1 +princessyachts.com, 1 +princetonmn.gov, 1 +princetonnassaupediatrics.com, 1 +princetonradiationoncology.com, 1 +princetontxcdc.gov, 1 +princevikal.cf, 1 +princez.uk, 1 +princezna.club, 1 +princh.com, 1 +principal.com.my, 1 +principalam.com, 1 +principalcomputers.com.au, 1 +principalhotelcolumbia.com, 1 +principalsexam.com, 1 +principalship.net, 1 +principaltoolbox.com, 1 +principia-journal.de, 1 +principia-magazin.de, 1 +principia-online.de, 1 +princovi.cz, 1 +prinesec.com, 1 +prineville.gov, 1 +prinice.org, 1 +print-street.tk, 1 +printable-map-az.com, 1 +printablemapaz.com, 1 +printablemapforyou.com, 1 +printablerebateform.net, 1 +printableschedule.net, 1 +printandgo.fr, 1 +printbase.cz, 1 +printbigjournal.tk, 1 +printdrivers.org, 1 +printeknologies.com, 1 +printerdrivers.com, 1 +printerem.hu, 1 +printerinks.com, 1 +printerinks.ie, 1 +printerinktoutlet.nl, 1 +printersdrivers.net, 1 +printersupportfaq.com, 1 +printertonerkopen.nl, 1 +printexpress.cloud, 1 +printfn.com, 0 +printful.com, 1 +printkinng.com.tw, 1 +printler.com, 1 +printme.com, 1 +printmet.com, 1 +printmet.ru, 1 +printmijn3dmodel.be, 1 +printmydesigns.ml, 1 +printperfect.ro, 1 +printpoint.tk, 1 +printrr.ca, 1 +printscan.com, 1 +printtara.me, 1 +printtolife.com.au, 1 +printus.pro, 1 +printwasteminimizer.com, 1 +printyour.com.ua, 1 +prinz.gg, 1 +prinzoka.com.br, 1 +prio.pt, 1 +prior-it.be, 0 +prior.cloud, 1 +priorite-education.com, 1 +priorityeducation4u.tk, 1 +priorityelectric-agourahills.com, 1 +priorityelectric-camarillo.com, 1 +priorityelectric-dosvientos.com, 1 +priorityelectric-hiddenhills.com, 1 +priorityelectric-lakesherwood.com, 1 +priorityelectric-moorpark.com, 1 +priorityelectric-newburypark.com, 1 +priorityelectric-simivalley.com, 1 +priorityelectric.biz, 1 +priorityelectric.net, 1 +priorityessays.com, 1 +priorityfakes.com, 1 +prioritynissannewportnewsparts.com, 1 +priorlakemn.gov, 1 +priorshalldental.com, 1 +priscillacouto.com.br, 1 +prisma.io, 0 +prisma.tk, 1 +prismacloud.com, 1 +prismacloud.xyz, 1 +prismaot.tk, 1 +prismapixel.studio, 1 +prismatic.ro, 1 +prismomarketing.com, 1 +prismosystems.com, 1 +prisonerresource.com, 1 +pristinegrace.org, 1 +pristinepotty.com, 1 +prisync.com, 1 +pritchi.tk, 1 +pritti-wummen.de, 1 +priv.au, 1 +priv.gc.ca, 1 +priv.im, 1 +privace.ch, 1 +privaci.ai, 1 +privacy-web.tk, 1 +privacy-week-vienna.at, 1 +privacy-week.at, 1 +privacy-works.tk, 1 +privacy.ac.cn, 1 +privacy.ax, 1 +privacy.com.de, 1 +privacy.repair, 1 +privacybydesign.foundation, 1 +privacycentermqt.com, 1 +privacychick.com, 1 +privacychick.io, 1 +privacycloud.nl, 1 +privacydesign.ch, 1 +privacydev.net, 1 +privacyend.com, 1 +privacyfenceanddeckllc.com, 1 +privacyforpatriots.com, 1 +privacyget.tk, 1 +privacyguides.net, 1 +privacyinternational.org, 1 +privacymanatee.com, 1 +privacynow.eu, 1 +privacypro.io, 1 +privacypros.io, 1 +privacyredirect.com, 1 +privacyscore.org, 1 +privacysecuritybrainiacs.com, 1 +privacystatement.tk, 1 +privacysvcs.net, 1 +privacywe.com, 0 +privacyweek.at, 0 +privacyweek.de, 1 +privacyweek.eu, 1 +privacyweek.wien, 1 +privacyweekvienna.at, 1 +privaday.de, 1 +privalgo.co.uk, 1 +privasphere.com, 1 +privatamateure.com, 1 +private-diary-taka.com, 1 +private-krankenversicherung.tk, 1 +private-relay.email, 1 +private.coffee, 1 +privateadvisorgroup.com, 1 +privateamateure.com, 1 +privatebanks.uk, 1 +privatebin.info, 1 +privateboat.amsterdam, 1 +privatecapsecurity.org, 1 +privatecolor.com, 1 +privatecredit.pro, 1 +privatedata.tk, 1 +privatedomaincontrol.com, 1 +privateger.me, 1 +privategiant.com, 1 +privatehd.to, 1 +privateideas.de, 1 +privateinvestigatoredu.org, 1 +privatejetschina.com, 1 +privatejetsdallas.com, 1 +privatejetsteterboro.com, 1 +privatejosh.cf, 1 +privatemillionaire.com, 1 +privatenebula.eu, 1 +privatepilot.lu, 0 +privaterelay.com, 0 +privatesangels.com, 1 +privateschoolreview.com, 1 +privateservice.cz, 1 +privatetrainingonline.se, 1 +privateuploader.com, 1 +privatevpn.com, 1 +privatfrei.de, 1 +privatmeet.com, 1 +privatstunden.express, 1 +privc.io, 1 +privcloud.cc, 1 +privcloud.org, 1 +privcom.net, 1 +privea.fr, 1 +priveadressen.tk, 1 +privelust.nl, 1 +priverify.com, 1 +privilegevisa.fr, 1 +privo.com, 1 +privorot.cf, 1 +privu.me, 1 +privw.com, 1 +privy-staging.com, 1 +privy.com, 1 +privylabs.com, 1 +prix-carburants-info.fr, 1 +prix-carburants.gouv.fr, 1 +prixlitteraire-cevennes.fr, 1 +prixmetaux.fr, 1 +prixpictet.com, 1 +priyan.nl, 1 +priyan.tk, 1 +priz-kod.ru, 1 +prizcode.ru, 1 +prizecode.ru, 1 +prizehometickets.com.au, 1 +prizelink.com.au, 1 +prizkod.ru, 1 +prizrak-v-dospehah.ga, 1 +prizwiz.com, 1 +prizzlys.com, 1 +prjktruby.com, 0 +prkn.je, 1 +prlved.co.uk, 1 +prmihoc.com, 1 +prnav.com, 1 +pro-alter.ch, 1 +pro-babochek.ru, 1 +pro-ben.sk, 1 +pro-bike.ro, 1 +pro-c.me, 1 +pro-esb.net, 1 +pro-furgoleros.tk, 1 +pro-ing.com, 0 +pro-israel.tk, 1 +pro-kemerovo.ml, 1 +pro-kolhoz.tk, 1 +pro-laser.com, 1 +pro-lq.at, 1 +pro-lq.ch, 1 +pro-lq.com, 1 +pro-lq.de, 1 +pro-lq.hu, 1 +pro-lq.it, 1 +pro-lq.net, 1 +pro-lq.ro, 1 +pro-marienburg.de, 1 +pro-mile.pl, 1 +pro-moed.nl, 1 +pro-ogorod.info, 1 +pro-server.tk, 1 +pro-taucher.com, 1 +pro-taucher.de, 1 +pro-web-design.tk, 1 +pro-wiert.pl, 1 +pro.co.id, 1 +pro.co.il, 1 +pro100systems.com.ua, 1 +pro4x4.com.ua, 0 +proacksecurity.com, 1 +proacousticsusa.com, 1 +proact-it.co.uk, 1 +proactive.run, 1 +proactivenews.ml, 1 +proadvanced.com, 1 +proalist.com, 1 +proalter.ch, 1 +proambt.nl, 1 +proamis-moodle.fi, 1 +proantab.ru, 1 +proarbor.com, 0 +proastec.com.br, 1 +proaudiogc.com, 1 +probably.group, 1 +probablyrational.com, 1 +probase.ph, 1 +probateandplanning.com, 1 +probationforms.com, 1 +probationnotes.com, 1 +probationofficeredu.org, 1 +probely.com, 1 +probiancanarias.com, 1 +probiller.com, 1 +probinarin.ga, 1 +problem-solver.ml, 1 +problemstate.com, 1 +problemstate.de, 1 +problemstate.net, 1 +problemstate.org, 1 +probleu.com, 1 +probonus.tk, 1 +probooks.gq, 1 +probrewer.com, 1 +procalc.be, 1 +procarmanuals.com, 1 +procarmotors.cl, 1 +procarservices.com, 1 +procarswoking.com, 1 +procave.de, 1 +proceed.tk, 1 +procens.us, 0 +procert.ch, 0 +procesadorafenix.com.mx, 1 +processesinmotion.com, 1 +processout.com, 1 +processtec.com.br, 1 +prochainephase.com, 1 +prochaj.ru, 1 +procharter.com, 1 +procinorte.net, 1 +procitec.cz, 1 +proclaiminteractive.com, 1 +proclock.com, 1 +procode.ch, 1 +procode.gq, 1 +procomservices.com, 1 +procor.com, 1 +procore.com, 0 +procore.space, 1 +procostamar.com, 1 +procountor.fi, 1 +procountor.se, 1 +procountorsolo.com, 1 +procrackbox.com, 1 +procrastinatingengineer.uk, 1 +procrastinationland.com, 1 +procreditbank.com.al, 1 +procsec.top, 1 +proctoloji.com, 1 +proctor.ml, 1 +proctorauth.com, 1 +proctorial.cf, 1 +proctorio.com, 1 +proctorio.net, 1 +proculair.com, 1 +proculair.nl, 1 +procurant.com, 1 +procurement.moscow, 0 +procurs.us, 1 +procursus.social, 1 +procurx.pt, 1 +prod-bp-geotab-api.azurewebsites.net, 1 +prod-simplesend-api.azurewebsites.net, 1 +prod-vigl-www-master.azurewebsites.net, 1 +prodampro.ru, 1 +prodatalabs.com, 1 +prodentalsantacruz.es, 1 +prodesigntools.com, 1 +prodesk.bg, 1 +prodhealthcare.org, 1 +prodigibook.com, 1 +prodigyhacking.com, 1 +prodigyhq.io, 1 +prodinger.com, 0 +prodottitipicidellatoscana.it, 1 +prodottogiusto.com, 1 +producemybook.com, 1 +producentbalustrad.pl, 1 +producepromotions.com, 1 +producertools.io, 1 +producerwereld.nl, 1 +productbarcodes.com, 1 +productboard.com, 1 +productdesignsoftware.com.au, 0 +productfurniture.ga, 1 +production.vn, 1 +productionscime.com, 1 +productiv.com, 1 +productive.io, 1 +productivemachine.net, 1 +productiveplastics.com, 1 +productkeyslist.com, 1 +productosdeteruel.es, 0 +productosquimicosrd.com, 1 +productpeo.pl, 1 +products-for-health.tk, 1 +products4more.at, 1 +productsafety.gov.au, 1 +productscastle.com, 1 +productupdates.org, 1 +produform.it, 1 +produits-dantan.com, 1 +produkt.cf, 1 +produra.nl, 1 +produtosdeacademia.com, 1 +prodwa.re, 1 +prodware.fr, 1 +proecommerce.com, 1 +proeflokaalbakker.nl, 1 +proefteksten.nl, 0 +proekt.tk, 1 +proelectro.pro, 1 +proemployeeprotection.com, 1 +proemployeeprotection.net, 1 +proesb.net, 1 +proeski.com, 0 +prof, 1 +prof-toplivo.ru, 1 +prof-waldowski.de, 1 +prof.lv, 1 +profarea.ru, 1 +profbigbang.ru, 1 +profbioresearch.ga, 1 +profboecker.eu, 1 +profchristophergoh.com.sg, 1 +profection.biz, 1 +profession.email, 1 +professionalbeautyshop.it, 1 +professionalblog.tk, 1 +professionalbussines.tk, 1 +professionaleducation.tk, 1 +professionalfinance.uk, 1 +professionallawyer.tk, 1 +professionalportfolio.ga, 1 +professionalrakeback.com, 1 +professionalstandards.org.uk, 1 +professions.org.ru, 1 +professor-d.ga, 1 +professorart.ru, 1 +professorwidget.tk, 1 +proffbar.ru, 1 +profi.de, 1 +profian.com, 1 +proficio.at, 1 +proficio.cz, 1 +proficio.de, 1 +proficio.io, 1 +proficiodigital.pl, 1 +proficiodigital.sk, 1 +profidea.cz, 1 +profielektrik.tk, 1 +profigen.com.br, 1 +profil-doors.spb.ru, 1 +profile.ooo, 1 +profile.tf, 1 +profilepk.com, 1 +profiles.google.com, 1 +profilesw.com, 1 +profiletree.com, 0 +profilewatcher.ga, 1 +profilib.com, 1 +profilib.net, 1 +profilib.top, 1 +profilmedecin.fr, 1 +profilmonline.cn, 1 +profilmonline.com, 1 +profilmonline.jp, 1 +profilwerkstatt.de, 1 +profinetz.de, 1 +profinvestment.com, 1 +profisee.com, 0 +profiservis.info, 1 +profissionalstool.ga, 1 +profit24.ml, 1 +profitable-textilien.ch, 1 +profitableventure.com, 1 +profitablewebprojects.com, 1 +profitdouble.tk, 1 +profitero.com, 1 +profitimages.com, 1 +profitmiracle.tk, 1 +profitsunraveled.com, 1 +profixcap.com, 1 +profloorstl.com, 1 +profmatheus.com, 1 +profmetod.com, 1 +profondeville-sharks.be, 1 +profor.cz, 1 +proformer.io, 1 +proformi.com, 1 +profound-world.com, 1 +profritual.ru, 1 +profsaranya.com, 1 +profservice.it, 1 +proft.eu, 0 +profumeria.roma.it, 1 +profuntime.tk, 1 +profusion.io, 0 +profvideo.kharkov.ua, 1 +profwald.4lima.de, 1 +prog-d.tk, 1 +prog-mailolder.tk, 1 +prog.olsztyn.pl, 1 +prog24.net, 1 +progamehackers.tk, 1 +progaudio.be, 1 +progea.com, 1 +progenda.be, 1 +proger.ga, 1 +proger.ml, 1 +progeste.pt, 1 +progettodighe.it, 1 +progettograjau.com, 1 +progettonazionale.it, 1 +progezi.com, 1 +progg.no, 1 +proggersession.com, 1 +proggersession.de, 1 +proglib.io, 1 +prognoshealth.com, 0 +prognozis.cf, 1 +progolfjourney.com, 1 +progon.cf, 1 +progonsoftware.com, 1 +prograce.info, 1 +program-and.work, 1 +programador-web-freelance.es, 0 +programagrowup.com.br, 1 +programando.tk, 1 +programarya.com, 1 +programaticon.tk, 1 +programer21.com, 1 +programmads.com, 1 +programmaticmagic.com, 1 +programmatv.tk, 1 +programme-launch28-code854-com.ml, 1 +programmed.com.au, 1 +programmervibe.com, 1 +programmes-neufs-corse.fr, 1 +programming-solutions.tk, 1 +programminghomeworkhelp.com, 1 +programnews.tk, 1 +programsareproofs.com, 1 +programshow.com, 1 +programsupport300procent.com, 1 +prograph.tk, 1 +prograppa.tk, 1 +progres.construction, 1 +progresion.co, 1 +progresivoptic.ro, 1 +progresja.com, 1 +progress-linux.org, 1 +progress.photos, 1 +progressive.ml, 1 +progressivecfo.co.nz, 1 +progressivedie.net, 1 +progressivenewz.org, 1 +progressiveplanning.com, 1 +progressivestreetdance.tk, 1 +progressivetree.com, 1 +progressm.tk, 1 +progressnet.nl, 1 +progressonderwijs.nl, 1 +progressportaal.nl, 1 +progressverkiezingen.nl, 1 +progresswww.nl, 1 +progroep.nl, 1 +progtime.net, 1 +prohashing.com, 1 +prohelpers.tk, 1 +prohibition.tk, 1 +prohost24.tk, 1 +prohrcloud.com, 1 +proi.net, 1 +proibidoler.com, 1 +proiceresurfacer.com, 1 +proinn.com.br, 1 +proj.org.cn, 1 +proj3ct.me, 1 +proj6.site, 1 +project-alice.io, 1 +project-forum.tk, 1 +project-ice.org, 1 +project-merlin.co.uk, 1 +project-novis.org, 1 +project-one.co.jp, 1 +project-rune.tech, 1 +project-tamriel.com, 1 +project.ac.cn, 1 +project86fashion.com, 1 +projectalias.com, 1 +projectarmy.net, 0 +projectborealisgitlab.site, 1 +projectbotticelli.com, 1 +projectbuild.tk, 1 +projectcares.tk, 1 +projectcolonisation.tk, 1 +projectcompassion.org, 1 +projectemail.co, 1 +projectfreehosting.ga, 1 +projectgazaabindo.com, 1 +projecthelius.com, 1 +projecthopeless.tk, 1 +projecthosting.nl, 1 +projectimagine.com, 1 +projectinferno.tk, 1 +projection.gq, 1 +projectl1b1t1na.tk, 1 +projectlarix.com, 1 +projectleague.lol, 1 +projectlinuseasttn.org, 1 +projectloaded.com, 1 +projectmailext.co, 1 +projectmaka.io, 1 +projectmakeit.com, 1 +projectmanager.host, 1 +projectmap.solutions, 1 +projectmetrics.co.uk, 1 +projectmidnight.tk, 1 +projectobs.com, 1 +projectobsidian.io, 1 +projectplacebo.ca, 1 +projects.nl.eu.org, 1 +projectsafechildhood.gov, 1 +projectsegfau.lt, 1 +projectskynet.org, 1 +projectsmart.co.uk, 1 +projectstem.org, 1 +projecttalent.be, 1 +projectte.ch, 1 +projecttopics.org, 0 +projectunity.io, 1 +projectvault.ovh, 1 +projectveritasaction.com, 0 +projectview.ai, 1 +projectweb.gr, 1 +projectxyz.eu, 1 +projectzet.tk, 1 +projehocam.com, 1 +projekt-allianz.de, 1 +projekt-manufaktur.de, 1 +projekt-umbriel.de, 1 +projekt-wild.tk, 1 +projektarbeit-projektplanung.de, 1 +projektentwicklung-westfalen.de, 1 +projektzentrisch.de, 1 +projest.ch, 0 +projet-fly.ch, 1 +projet-pastel.be, 1 +projet-saara.com, 1 +projetofinancas.com.br, 1 +projetomovase.com, 1 +projetootaku.net, 1 +projetsvl.com, 1 +prokaza.tk, 1 +prokey-marburg.de, 1 +proklimat.pro, 1 +prokop.ovh, 1 +prokop.uk, 1 +prolens-lankaran.tk, 1 +proletaren.se, 1 +prolikewoah.com, 1 +prolobziki.ru, 1 +prolocofrascarolo.tk, 1 +prologic.bg, 1 +prologicabg.com, 1 +proloyalweb.com, 1 +promajna.tk, 1 +promax.nl, 1 +promea.net, 1 +promecin.com, 1 +promedlatam.com, 1 +promedyczny.pl, 1 +promenics.com, 1 +promentesalzburg.at, 1 +promet.si, 1 +prometey.tk, 1 +prometheanfire.net, 1 +prometheanfire.org, 1 +promethen.com, 1 +prometheus.cf, 1 +prometteur.com, 1 +promiflash.de, 1 +promisedland.tk, 1 +promisesaplus.com, 1 +promislovik.tk, 1 +prommontag.com, 1 +promo-brille.at, 0 +promo-brille.ch, 0 +promo-brille.de, 0 +promo-code.tk, 1 +promo-kodi.tk, 1 +promo.lc, 1 +promobit.com.br, 1 +promobo.fr, 1 +promocao.email, 1 +promocion2007.tk, 1 +promocjedladzieci.pl, 1 +promocodes777.com, 1 +promocodius.com, 1 +promocoespg.pt, 1 +promodance.cz, 1 +promodoble.com, 1 +promods.download, 1 +promods.net, 1 +promods.store, 1 +promofirstmedia.co.id, 1 +promohulp.nl, 0 +promohunt.ru, 0 +promokodi.tk, 1 +promolife.be, 1 +promolover.com, 1 +promomart.eu, 1 +promopirates.com, 1 +promopony.com, 1 +promorder.ru, 1 +promosjungle.com, 1 +promosolucoes.tk, 1 +promotech.pro, 1 +promoteiq.com, 0 +promoterms.com.au, 1 +promoteroute.com, 1 +promotiongeeks.com, 0 +promotionnissanauto.com, 1 +promotionvillanakarin.com, 1 +promotor.ro, 1 +promovendum.nl, 1 +promozioni.it, 1 +prompt-service.ro, 1 +promuovi.tv, 1 +promwad.com, 0 +pron4ik.gq, 1 +pronandi.tk, 1 +pronatec.pro.br, 1 +pronikoho.cz, 1 +pronoundb.org, 1 +pronto-intervento-fognature.it, 1 +pronto-intervento.net, 1 +prontointerventofognature.roma.it, 1 +prontointerventoimmediato.it, 1 +prontossl.com, 1 +pronty.it, 1 +prooffice.de, 1 +proofofwork.art, 1 +proofpoint.com, 1 +proofpointessentials.com, 1 +proofwiki.org, 1 +proos.nl, 1 +propaganda.love, 0 +propagandablog.de, 0 +propagationtools.com, 1 +propanesale.cf, 1 +propbot.com, 1 +propco.co.uk, 1 +propecia.ml, 1 +propeld.com.au, 1 +properchels.com, 1 +propermatches.com, 1 +propersky.com, 1 +propertech.com.br, 1 +properticons.com, 1 +properties.org.il, 1 +propertiesmiami.com, 1 +property-tax.cf, 1 +property-tax.ga, 1 +property-tax.gq, 1 +propertyauctionaction.co.uk, 1 +propertycareincorporated.com, 1 +propertycrawl.com, 1 +propertydealer.ga, 1 +propertyfindercdn.com, 1 +propertyflare.com, 1 +propertygroup.pl, 1 +propertyinspect.com, 1 +propertylondon.co.uk, 1 +propertyme.com.au, 1 +propertymingo.com, 1 +propertyofariana.pw, 1 +propertyofthepeople.org, 1 +propertyone.mk, 1 +propertyrate.com, 1 +propertyroad.co.uk, 1 +propertysales-almeria.com, 1 +propertyselling.ga, 1 +propertysex.com, 1 +propertyupdate.com.au, 1 +propertyworkshop.com, 1 +properwills.com, 1 +propfirmdiscount.com, 1 +prophetdesign.ch, 1 +prophitt.me, 1 +propiedadescima.com, 1 +propiedadesenventaenplayadelcarmen.com, 1 +propiedadesenventaentulum.com, 1 +propiteer.com, 1 +propiteercapitalplc.com, 1 +propmark.com.br, 1 +propolisturkiye.tk, 1 +proporcer.tk, 1 +proposeinspain.net, 1 +propr.no, 1 +propranolol.cf, 1 +propranololgeneric.ml, 1 +proprietairesmaisons.fr, 1 +propseller.com, 1 +propshub.com, 1 +proressource.ca, 0 +proressources.ca, 1 +proris.com, 0 +prosafilosofica.com.br, 1 +prosamineira.com.br, 1 +proschlaf.at, 1 +proscore-vr2005-1plc.de, 1 +proscore-vr2006-1plc.de, 1 +proscost.com, 1 +proserialkey.com, 1 +proservice.website, 1 +proservices.vip, 1 +prosharp.com.au, 1 +proshoereview.com, 1 +proshop.pl, 1 +prosimvstupte.cz, 1 +proslimdiets.com, 1 +prosocialmachines.com, 1 +prosoft.com.es, 1 +prosony.es, 1 +prospa.digital, 1 +prospectky.gov, 1 +prospecto.com.au, 1 +prospecto.ee, 1 +prospecto.hr, 1 +prospecto.lt, 1 +prosperafrica.gov, 1 +prosperbot.com, 1 +prosperfit.com, 1 +prosperi.academy, 0 +prosperityprojectaz.org, 1 +prosperoarts.com.au, 1 +prosperontheweb.com, 1 +prosperstack.com, 1 +prosperus.ru, 1 +prospo.co, 1 +prosport.md, 1 +prosportovani.cz, 1 +prospreads.com, 1 +prostaglandina.com, 1 +prostavropol.cf, 1 +prostecheat.xyz, 1 +prostitutka.cf, 1 +prostitutka.ml, 1 +prostitutki-narvskaja.ga, 1 +prostitytki-nijnevartovsk.club, 1 +prosto-dengi.tk, 1 +prostocash.com, 1 +prostodengi.ml, 1 +prostogame.ga, 1 +prostohobby.ru, 1 +prostoivkusno.ml, 1 +prostoporno.fun, 1 +prostoporno.guru, 1 +prostoporno.life, 1 +prostoporno.live, 1 +prostoporno.love, 1 +prostoporno.net, 1 +prostoporno.sexy, 1 +prostoporno.video, 1 +prostoporno.vip, 1 +prostoporno.zone, 1 +prostor.cf, 1 +prostore.vn, 1 +prostoskidki.ml, 1 +prostozaim.ml, 1 +prostreamstudio.com, 1 +prostye-recepty.com, 1 +prosurf.com.hr, 1 +prosurveillancegear.com, 1 +prosvet.tk, 1 +prosveta1901.tk, 1 +prosvita.dp.ua, 1 +protaaltar.com, 1 +protanki.ml, 1 +protanki.tk, 1 +protapnews.tk, 1 +protecaodns.pt, 1 +proteccaocivil.com, 1 +proteccaocivil.net, 1 +proteccaocivil.org, 1 +protecciondelconsumidor.gov, 1 +proteces.ru, 1 +protecht.com.au, 1 +protechtgroup.com, 1 +proteco.sk, 1 +protectapack.com.au, 1 +protectasecurity.pe, 1 +protected-forms.com, 1 +protectedreport.com, 1 +protectem.de, 1 +protecti.com, 1 +protection-plexi.com, 1 +protection-plexi.fr, 1 +protection.ga, 1 +protectionformula.com.ua, 1 +protectoraircare.com.au, 1 +protectwrap.ml, 1 +protege.moi, 1 +proteh.com.ua, 1 +proteinreport.org, 1 +protek.si, 1 +protek.tk, 1 +proteka.com.tr, 1 +protekpainters.com, 1 +protempore.fr, 1 +protenus.com, 1 +proteogenix-products.com, 1 +proteogenix.science, 1 +protesthongkong.com, 1 +proteus-eretes.nl, 1 +protez.ga, 1 +protez.ml, 1 +protez.tk, 1 +prothots.com, 1 +protic.online, 1 +protic.pt, 1 +protiksana.gr, 1 +protipster.com, 1 +protium.co.in, 1 +proto.io, 1 +protobetatest.com, 1 +protocol.ai, 1 +protocol.co.il, 1 +protocoloantiotario.com.br, 1 +protogenbrainbooster.tk, 1 +protok.tk, 1 +proton.ch, 1 +proton.me, 1 +protonbg.bg, 1 +protonmail.ch, 1 +protonmail.com, 1 +protonpartnersglobal.com, 1 +protonpix.com, 1 +protonvpn.com, 1 +prototayl.gq, 1 +prototech.store, 1 +prototypable.io, 1 +prototype.bg, 1 +prototypefund.de, 1 +prototyping-computer.ml, 1 +prototypofablab.it, 1 +protoxin.net, 0 +protrainerbrasil.com.br, 1 +protranslate24.ru, 1 +protrolley.cf, 1 +protteapapelaria.com.br, 1 +protvplus.ro, 1 +proudplus.com, 1 +proust.ch, 0 +proust.media, 0 +proustmedia.de, 0 +prouveonline.pt, 1 +proux.global, 1 +prove-uru.co.uk, 1 +prove.com, 1 +prove.no, 1 +proveits.me, 0 +provenbyyullia.com, 1 +provence-appartements.com, 0 +provent.io, 0 +provera10mg.tk, 1 +proverb.today, 1 +proverennie-kursi.gq, 1 +proverennie-kursi.ml, 1 +proverennie-kursi.tk, 1 +provereno-rabotaet.gq, 1 +provereno-rabotaet.tk, 1 +proverochka.tk, 1 +provide-vr2002-1plc.de, 1 +provide-vr2003-1plc.com, 1 +provide-vr2003-1plc.de, 1 +provide-vr2004-1plc.de, 1 +provide-vr2005-1plc.de, 1 +provide-vr2006-1plc.de, 1 +provide-your-image.de, 1 +providencecmc.com, 1 +provident1031.com, 1 +providenthousing.com, 1 +providential.be, 1 +providerlijst.ml, 1 +providmedical.com.ua, 1 +provigis.com, 0 +provincialrubber.co.uk, 1 +provinciaotlavoro.it, 1 +provinstyper.com, 1 +provinzblogger.de, 1 +provisionevents.co.uk, 1 +provisionircd.tk, 1 +provitec.com, 1 +provlas.se, 1 +provo.gov, 1 +provocador.es, 1 +proweb-design.no, 1 +prowi.se, 1 +prowindow.sk, 1 +prowise.com, 1 +prowise.me, 1 +prowoodthai.com, 1 +prowpcare.com, 1 +prowrestlingevents.tk, 1 +prox.ru, 1 +proxaccess.com, 1 +proximity.ga, 1 +proximityradio.fr, 1 +proximo.tk, 1 +proxirealtime.com, 1 +proxmox-airsonic.tk, 1 +proxy-bay.cc, 1 +proxy-bay.click, 1 +proxy-bay.me, 1 +proxy-bay.one, 1 +proxy-bay.onl, 1 +proxy-bay.top, 1 +proxybay.ink, 1 +proxybay.red, 1 +proxyhub.eu.org, 1 +proxyline.net, 1 +proxytool.cf, 1 +proyectofreestyle.com, 1 +proyectomca.es, 1 +proyectosaludecuador.org, 1 +proyectosinelec.com, 1 +proyectostep.tk, 1 +prozac20mg.cf, 1 +prozapchast24.ru, 1 +prozhedownload.com, 1 +prozoneplan.com, 1 +prozorlivec.tk, 1 +prpbenevolent.org, 1 +prpbt.io, 1 +prpferrara.it, 1 +prpr.bid, 1 +prpr.cat, 1 +prpr.icu, 1 +prpr.live, 1 +prpr.rip, 1 +prpr.win, 1 +prsbtdc.org, 1 +prsg.tk, 1 +prsnlafk.com, 1 +prstatic.com, 1 +prt.in.th, 1 +prtpe.com, 1 +pru.com.hk, 1 +pru.hk, 1 +pruchovi.tk, 1 +prudenceandthecrow.com, 1 +prudential.com.sg, 1 +pruebapg.cl, 1 +pruebasrapidasdrogas.com, 1 +pruem.software, 1 +pruijn-overheidsadvies.nl, 1 +pruma.com.br, 1 +prushka.gq, 1 +prushka.ml, 1 +prushka.tk, 1 +pruve.it, 1 +prvnirodinna.cz, 1 +prwebconsulting.com, 0 +prwid.gov, 1 +pry.co, 1 +pryan.org, 1 +prylarprylar.se, 1 +prynhawn.com, 1 +prynhawn.net, 1 +prynhawn.org, 1 +prytkov.com, 1 +prywatnie.com, 1 +przemas.pl, 1 +przemek-kuczynski.com, 1 +przemyslprzyszlosci.gov.pl, 1 +przepisykolejowe.tk, 1 +przerabianiezdjec.pl, 1 +przybys.eu, 1 +przyciemnianieszyb.waw.pl, 1 +ps-clinic.jp, 1 +ps-provider.co.jp, 1 +ps-rosatom.ru, 1 +ps-sale.ru, 1 +ps-w.ru, 1 +ps.energy, 1 +ps194.net, 1 +ps194.org, 1 +ps2.io, 1 +ps2911.com, 1 +ps2online.tk, 1 +ps3419.org, 1 +ps4all.nl, 1 +ps5ssd.com, 1 +ps8318.com, 1 +psa-travel-care.com, 1 +psa.at, 1 +psa.gov, 1 +psa.org.au, 1 +psacertified.org, 1 +psaho.ru, 1 +psalivenews.ml, 1 +psalmer.tk, 1 +psasines.pt, 1 +psau.edu.sa, 1 +psauthority.org.uk, 1 +psauxit.com, 0 +psazy.ml, 1 +psb.cloud, 1 +psb1.org, 1 +psb1911.com, 1 +psb4ukr.net, 1 +psb4ukr.org, 1 +psc-elsene.be, 1 +pschierl.com, 1 +pscosigngroup.com, 1 +pscp.tv, 1 +pscr.gov, 1 +pscu.com, 1 +psd-vfx.com, 1 +psdfindia.in, 1 +psdmarket.net, 1 +psdpt-tpfd.gc.ca, 1 +psdreams.com, 1 +psdsfn.com, 1 +psdsuc.com, 1 +pseac.org, 1 +pseek.com, 1 +psemc.com, 1 +pseta.ru, 1 +psevdonim.ga, 1 +psezalla.es, 1 +psg-calw.de, 1 +psge.ps, 1 +pshar.ma, 1 +pshostpk.com, 1 +pshweb.tk, 1 +psi-tv.tk, 1 +psi.gay, 1 +psicanalista.milano.it, 1 +psici.eu, 1 +psicoblog.tk, 1 +psicoexpansao.com.br, 1 +psicologajanainapresotto.com.br, 1 +psicologamarianaortiz.com, 1 +psicologia.gay, 1 +psicologiaparatodos.com.mx, 1 +psicologias.rio.br, 1 +psicologo-especialista-barcelona.com, 1 +psicologo-infantil-barcelona.com, 1 +psicologo.vip, 1 +psicomagia.com.br, 1 +psicometricas.mx, 1 +psihocentrala.com, 1 +psiholognatalija.rs, 1 +psihologonline.tk, 1 +psihology.gq, 1 +psihology.tk, 1 +psihoterapevt1.by, 1 +psihoterapija-slap.hr, 1 +psihotest.tk, 1 +psii.global, 0 +psiint.ca, 1 +psikokoro.com, 1 +psilly.com, 1 +psinergy.info, 1 +psinergyhealth.com, 1 +psinergytech.com, 1 +psinetika.tk, 1 +psionline.com, 0 +psionlinestore.com, 1 +psiplex.cf, 1 +psiplex.ga, 1 +psiplex.gq, 1 +psishop.tk, 1 +psitarz.com, 1 +psixotest.tk, 1 +psixotesty.tk, 1 +pskhu-wedding.ru, 1 +pskov-daily.tk, 1 +pskov.gq, 1 +pskov.ml, 1 +pslf.gov, 1 +pslgroup.com, 1 +psm.org.ph, 1 +psmpl.com, 1 +psncarddelivery.com, 0 +psncardplus.be, 1 +psncardplus.com, 1 +psncardplus.dk, 1 +psncardplus.nl, 1 +psncardplus.se, 1 +psncoach.com, 1 +psncuc.gov, 1 +pso2.icu, 1 +psochecker.com, 1 +pson.ninja, 1 +psono.pw, 1 +psoo.top, 1 +psoppc.com, 1 +psoppc.info, 1 +psoppc.net, 1 +psoppc.org, 1 +psoriasischecker.com, 1 +pspapershow.ga, 1 +pspenvases.es, 1 +psphp.tk, 1 +psplus.ml, 1 +psplus.tk, 1 +psprices.com, 1 +psprsaz.gov, 1 +psps.cat, 1 +psq.com.au, 1 +psreturn.com.au, 1 +pssgcsim.org, 1 +pssjd.org, 1 +pssschristchurch.tk, 1 +pst.edu.au, 1 +pst.moe, 1 +pstake.finance, 1 +pste.pw, 1 +pstrozniak.com, 1 +pstrykmyk.eu, 1 +pstutorials.tk, 1 +psu.je, 1 +psv-herford-badminton.de, 1 +psw-consulting.de, 1 +psw-group.de, 1 +psw-training.de, 1 +psw.net, 1 +pswatcher.com, 1 +psyart.tk, 1 +psycenter.tk, 1 +psych2go.net, 1 +psychcare.cz, 1 +psychedelia.com, 1 +psychedelics.org, 1 +psychiatretdah.fr, 1 +psychiatrie-ricany.cz, 1 +psychiatriepapezova.net, 1 +psychiatriepraktijkutrecht.nl, 1 +psychiatry-clinic.com.tw, 1 +psychic-healer-mariya-i-petrova-boyankinska-b-borovan-bg.com, 1 +psychicfairnetwork.cf, 1 +psychicfairnetwork.gq, 1 +psychicfairnetwork.ml, 1 +psychiq.com, 1 +psychische-systeme.de, 1 +psychistory.ru, 1 +psycho-familles.com, 1 +psycho-lobby.fr, 1 +psycho-news.tk, 1 +psycho.space, 1 +psychoactive.com, 1 +psychoco.net, 1 +psychoesprit.ca, 1 +psychologbruksela.be, 1 +psychologi.cf, 1 +psychologic.tk, 1 +psychologie-hofner.at, 1 +psychologischepraktijkphilips.nl, 1 +psychologist-license.com, 1 +psychologist.ga, 1 +psychologlodz.info, 1 +psychologue-a-paris.com, 1 +psychologue-grenoble.org, 1 +psychologydegreeguide.org, 1 +psychologytests.tk, 1 +psychometric.careers, 1 +psychometrictest.ca, 1 +psychometrictest.co.il, 1 +psychometrictests.ca, 1 +psychometrictests.in, 1 +psychometrictests.uk, 1 +psychometrischetests.de, 1 +psychometrist.ir, 1 +psychomotricien-la-rochelle.com, 1 +psychonaut.tk, 1 +psychonews.tk, 1 +psychopathtest.com, 1 +psychosis.tk, 1 +psychotechnique.africa, 1 +psychotechnique.be, 1 +psychotechnique.ch, 1 +psychotechnique.com, 1 +psychotechnique.lu, 1 +psychotechniquetest.fr, 1 +psychotel.tk, 1 +psychoterapia-skuteczna.pl, 1 +psychotest.gq, 1 +psychotestprep.com, 1 +psychotherapie-ahlmeyer.de, 1 +psychotherapie-kp.de, 0 +psychotherapie-leipzig.eu, 1 +psychotherapie-lichterfelde.berlin, 1 +psychotherapie1220wien.at, 0 +psychotiq.tk, 1 +psychotropical.com, 1 +psychpsyo.com, 1 +psycolleges.com, 1 +psydprograms.org, 1 +psyelena.be, 1 +psygame.cf, 1 +psyh.tk, 1 +psyhoslovar.ru, 1 +psyk-patienten.tk, 1 +psykologtidningen.cf, 1 +psykologtidningen.ga, 1 +psykologtidningen.gq, 1 +psykometrisk.se, 1 +psykosyntes.tk, 1 +psyllabus.ru, 1 +psylliums.com, 1 +psynapse.net.au, 1 +psytrance-pro.com, 1 +pszinfo.hu, 1 +pt-d.ru, 1 +pt-server.de, 1 +pt.im, 1 +pt1xbet.com, 1 +pt4.tech, 1 +pta-security.nl, 1 +pta.world, 1 +ptab2pt.ga, 1 +ptal.eu, 1 +ptasiepodroze.eu, 1 +ptbi.org.pl, 1 +ptboys.tk, 1 +ptbx.co, 1 +ptcbooks.gq, 1 +ptcdogpark.com, 1 +ptcit.com, 1 +ptco.store, 1 +ptcorporategifts.com.sg, 1 +ptczone.tk, 1 +pteceng.com, 1 +ptepanacea.com, 1 +pterodactyl.org.cn, 1 +pterodactylus.cz, 1 +ptfiber.com, 1 +ptfiber.ru, 1 +ptfiber.spb.ru, 1 +ptgoldensun.com, 1 +ptheophanidis.com, 1 +pthsec.com, 1 +pticoaching.nl, 1 +ptit-trocoeur.fr, 1 +ptjobsite.com, 1 +ptlibrary.ml, 1 +ptltrade.com, 1 +ptm.ro, 1 +ptmarquees.ie, 1 +ptmco.org, 1 +ptotoday.com, 1 +ptpasi.ddns.net, 1 +ptrbrs.nl, 1 +ptrdata.com, 1 +ptrl.ws, 1 +ptron.org, 1 +ptrt.xyz, 1 +ptrujillo.com, 1 +ptsadvokat.cf, 1 +ptscrightony.fr, 1 +ptserver.org, 1 +ptservidor.pt, 1 +ptsf.pt, 1 +ptshft.co, 1 +ptsjapan.co.jp, 1 +ptssystems.co.in, 1 +ptt.casa, 1 +ptt.gov, 1 +ptt2.su, 1 +pttimewithtim.com, 1 +pttrains.eu, 1 +ptufdc.com, 1 +ptupapers.tk, 1 +pturl.tk, 1 +pty.gg, 1 +ptzoptics.com, 1 +puac.de, 1 +pub-med.ru, 1 +pub-online.ro, 1 +pubclub.com, 1 +pubertytalk.com, 1 +pubi.me, 1 +pubkgroup.com, 1 +pubkit.io, 1 +publanda.nl, 1 +publi-all.be, 1 +public-files.com, 1 +public-g.de, 1 +public-measures.com, 1 +public-projects.com, 1 +public-projects.de, 1 +public-vocals.de, 1 +public.cat, 1 +publicagent.com, 1 +publiccarauctionscalifornia.com, 1 +publicdatacloud.com, 1 +publicdatafiles.com, 1 +publicdelivery.org, 1 +publicdomainartwork.com, 0 +publichealth.cf, 1 +publichealth.gq, 1 +publichealthcareeredu.org, 1 +publichealthdegrees.org, 1 +publichealthonline.org, 1 +publicintegrity.org, 1 +publicintelligence.net, 1 +publicishealth.es, 1 +publicitar.tk, 1 +publicmarket.com, 1 +publicnode.com, 1 +publicnoticesbaycountyfl.gov, 1 +publicpickups.com, 1 +publicrea.com, 1 +publicschoolreview.com, 1 +publicserviceloanforgiveness.gov, 1 +publicspeakingcamps.com, 1 +publicsuffix.org, 1 +publictechsupport.org, 1 +publicvoid.ga, 1 +publicwhip.org.uk, 1 +publik.ml, 1 +publikum.net, 1 +publimepa.it, 0 +publiq.space, 1 +publis.me, 1 +publish.ga, 1 +publishedpaper.ga, 1 +publisherservices.co, 1 +publishmystory.co, 1 +publishpressnews.tk, 1 +publivate.ca, 1 +publiweb.tk, 1 +publixphere.net, 1 +pubmed2xl.com, 1 +pubquiz-online.nl, 1 +pubsavoy.tk, 1 +puccakir.tk, 1 +puchshop.de, 1 +puckcreations.com, 1 +pucogid.ga, 1 +puddin.ml, 1 +pudding.tk, 1 +puddingtheatre.tk, 1 +pudro.com, 1 +puebladeeca.tk, 1 +puebladesoto.tk, 1 +pueblanmilksnake.com, 1 +pueblocantabro.tk, 1 +pueblocc.edu, 1 +pueblosamerica.com, 1 +puella.xyz, 1 +puenteviejo.tk, 1 +puer.eu.org, 1 +puer8.cn, 1 +puertodramaturgia.tk, 1 +puertoplazalasterrenas.com, 1 +puestifiestas.mx, 1 +puetter.eu, 1 +puffer.blog, 1 +puffy.tube, 1 +puffyan.us, 1 +pugachev.ml, 1 +puggan.se, 1 +pugilares.com.pl, 1 +pugstime.com, 1 +puhe.se, 1 +puhudefu.de, 1 +puissancemac.ch, 0 +puiterwijk.org, 1 +pujasharma.associates, 1 +pujcky.cz, 1 +pujd3.gq, 1 +puka.edu.ee, 1 +pukfalkenberg.dk, 1 +pula-site.tk, 1 +pulcinella.tk, 1 +puli.com.br, 1 +pulinkai.eu.org, 1 +pulinkai.xyz, 1 +pulito.it, 1 +pulitoken.net, 1 +pulitoperfetto.ddns.net, 1 +pulizia.roma.it, 1 +puliziacantine.it, 1 +pulizie.roma.it, 1 +pulizieuffici.milano.it, 1 +pulizievap.it, 1 +pulkovo-cargo.ru, 1 +pulledporkheaven.com, 1 +pulley.co.jp, 1 +pullman.milano.it, 1 +pullman.roma.it, 1 +pullnopunchesradio.tk, 1 +pulower.tk, 1 +pulpan.xyz, 1 +pulpitsupplypreachers.com, 1 +pulpproject.org, 1 +pulsadanvoucher.tk, 1 +pulsagolden.tk, 1 +pulsedive.com, 1 +pulsenetwork.com, 1 +pulser.stream, 1 +pulseroot.ga, 1 +pulsestaffingllc.com, 1 +pulsnitzer-lebkuchen-shop.de, 0 +pulsnitzer-lebkuchen.de, 1 +pulsnitzer-lebkuchen.shop, 0 +pulsnitzer-pfefferkuchen-shop.de, 0 +pulsnitzer-pfefferkuchen.shop, 0 +pulsr.ml, 1 +pulsus.mobi, 1 +pulvislab.it, 1 +pumarin.tk, 1 +pumin.ml, 1 +pump19.eu, 1 +pumpen-blum.de, 1 +pumuntincu.eu.org, 1 +punaise-de-lit-paris.com, 1 +punat.tk, 1 +puncakpass.net, 1 +punchadragon.com, 1 +punchlinetheatre.co.uk, 1 +punchlinetheatre.com, 1 +punctually.gq, 1 +pundak.games, 1 +pundix.com, 1 +puneindia.tk, 1 +punematka.com, 1 +pungatv.ml, 1 +punikonta.de, 1 +punishment.institute, 1 +punitsheth.com, 1 +punjabsind.in, 1 +punk-jazz.tk, 1 +punkapoule.fr, 1 +punkart.tk, 1 +punkas.tk, 1 +punkcolombia.tk, 1 +punkgrossos.com, 1 +punknews.org, 1 +punknmetal.tk, 1 +punkrestaurant.is, 1 +punksway.top, 1 +punkt05.de, 1 +punpoetry.com, 1 +punshjp.com, 1 +puntacanalink.com, 1 +puntacananetwork.com, 1 +puntacanapizza.com, 1 +puntacanavapor.com, 1 +puntaires.com, 1 +puntaprop.com, 1 +puntcunts.com, 1 +puntoaparte.pe, 1 +puntocroce.tk, 1 +puntoestadodemexico.com, 1 +puntogommevenegono.it, 1 +puntonium.hu, 1 +puntopropiedad.com, 1 +puntoremov.ga, 1 +puntualseo.com, 1 +pupboss.com, 1 +pupilgauge.com, 1 +pupok.cf, 1 +pupok.gq, 1 +puppo.space, 1 +puppy.actor, 1 +puppyfinder.com, 1 +puppyfish.com, 1 +puppygock.gay, 1 +puppyirl.gay, 1 +puppykennel.tk, 1 +puppylove.hu, 1 +puq.moe, 1 +pur-institut.fr, 1 +pura-ponia.cf, 1 +pura-ponia.ga, 1 +pura-ponia.gq, 1 +puragreement.tk, 1 +puralifesciences.com, 1 +puravayalchurch.tk, 1 +puravida-estate.com, 1 +puravidaeamor.com.br, 1 +purchasebestone.tk, 1 +purchaserprotect.co.uk, 1 +purchasescooters.ga, 1 +purchasetncrash.gov, 1 +purchasingpower.com, 1 +pure-gmbh.com, 1 +pure-paste.tk, 1 +pure2life.nl, 0 +purear.com.br, 1 +pureart.co.jp, 1 +pureart.jp, 1 +pureatmospherellc.com, 1 +pureaudioplayer.ru, 1 +purecodedigital.com, 1 +purecreative.digital, 1 +puredayshop.com.tw, 1 +puredisinfecting.com, 1 +puredisinfection.com, 1 +puredns.org, 1 +purefarminggame.com, 1 +purefoot.jp, 1 +pureleverage.com, 1 +purelife.photography, 1 +pureliferx.com, 1 +purelovecoaching.fi, 1 +purely.domains, 1 +purelymail.com, 1 +purelypestcontrol.com, 1 +puremosquito.com, 1 +purenhd.com, 1 +purepestandlawn.com, 1 +puresanitization.com, 1 +purestiks.tk, 1 +puretermite.com, 1 +puretone.pro, 1 +purevapeofficial.com, 1 +purevicky.com, 1 +purewaterguide.net, 1 +purewealth.cloud, 1 +purikore.com, 1 +puritanas.tk, 1 +puritas.lk, 1 +purits.de, 1 +purityclothing.co.uk, 1 +purneauniversity.org, 1 +purovive.tk, 1 +puroyorganico.co, 1 +puroyorganico.com.co, 1 +purpl.ink, 1 +purple.tech, 1 +purplehost.com.br, 1 +purplehotel.cf, 1 +purplemath.com, 1 +purplemet.com, 1 +purplemoon.ch, 1 +purplemoon.mobi, 1 +purpleplains.net, 1 +purplepr.bg, 1 +purples.cf, 1 +purples.gq, 1 +purplestar.ch, 1 +purplestar.com, 1 +purplestar.mobi, 1 +purpletter.tk, 1 +purplewindows.net, 1 +purplez.pw, 1 +purplscientific.com, 1 +purpspc.com, 1 +purrclaws.com, 1 +purreview.cf, 1 +purrfectboudoir.com, 1 +purrfectcams.com, 1 +purrfectmembersclub.com, 1 +purrfectswingers.com, 1 +purroy.tk, 1 +purrpley.com, 1 +purrpley.io, 1 +purrpley.me, 1 +purrrpley.com, 1 +purrrpley.dev, 1 +purrrpley.io, 1 +purrrpley.me, 1 +purrrrpley.com, 1 +purrrrpley.io, 1 +purrrrpley.me, 1 +purse-les.com, 1 +purstonlamb.com, 1 +pursuable.cf, 1 +pursuehappiness.tk, 1 +pursuingoutdoors.com, 1 +pursuit-relax.com, 1 +purtahan.tk, 1 +purupuru-shibuya.school, 1 +purupuru.school, 1 +purwantara.id, 1 +puryearlaw.com, 1 +pusatinkubatorbayi.com, 0 +pusatlojistik.com, 1 +puschkin.ga, 1 +pusehusetmalvik.no, 1 +pusera.com, 1 +puset.tk, 1 +push-free.com, 1 +pusha.tk, 1 +pushmetrics.io, 1 +pushoflove.com, 1 +pushok.tk, 1 +pushpanel.io, 1 +pushphp.com, 1 +pushponline.com, 1 +pushthebutton.tk, 1 +pusichatka.ddns.net, 1 +pusra.ga, 1 +pussplay.com, 1 +pussycat.ml, 1 +pussylickingnow.com, 1 +pussyspace.com, 1 +pustak.tk, 1 +pustakvishwa.tk, 1 +pusztul.at, 1 +put-spaseniya.ml, 1 +put.moe, 1 +put.re, 1 +putana.gq, 1 +putanaru.gq, 1 +putani.gq, 1 +putany.tk, 1 +putanypitera.ml, 1 +putasenvalencia.es, 1 +putatara.net, 1 +puteulanus.xyz, 1 +puthenthope.tk, 1 +putin.red, 1 +putitforward.com, 1 +putlire.ga, 1 +putman-it.nl, 1 +putnam-fl.gov, 1 +putnam-ga.gov, 1 +putnamcollision.com, 1 +putnamcountywv.gov, 1 +putnamil.gov, 1 +putnamvalley.gov, 1 +putney.io, 1 +putnik.tk, 1 +putokaz.eu, 0 +putomani.rs, 1 +putre.io, 1 +putrock.be, 1 +putstrategii.ru, 0 +putty.org, 1 +puttymonos.club, 1 +puttymonos.work, 1 +putzigdesign.de, 1 +puur.gent, 1 +puurgent.be, 1 +puxlit.net, 1 +puyallupnissanparts.com, 1 +puyblanc.info, 1 +puzi.nl, 1 +puzz.gg, 1 +puzzlage.com, 1 +puzzle-welt.ch, 1 +puzzlegames.com, 1 +puzzlepiehouse.com, 1 +puzzlepoint.ch, 1 +puzzles-to-print.com, 1 +puzzleswaps.com, 1 +puzzyfun.net, 1 +pv-paderborn-now.de, 1 +pvamg.org, 1 +pvao.gov.ph, 0 +pvawa.com.au, 1 +pvda.nl, 1 +pvdplanet.tk, 1 +pvebuilds.xyz, 1 +pvgvethospital.co.uk, 1 +pvh-membrany.ru, 1 +pvhe.pl, 1 +pvideo.cz, 1 +pvlrmnnk.com, 1 +pvmotorco.com, 1 +pvp-factions.fr, 1 +pvp.edu.ee, 1 +pvpagario.tk, 1 +pvpcraft.ca, 1 +pvpctutorials.de, 1 +pvpheroes.gg, 1 +pvpheroes.no, 1 +pvplist.ml, 1 +pvportal.me, 1 +pvpready.gov, 1 +pvpserverler.pro, 1 +pvpzone.fr, 0 +pvrtours.com, 1 +pvtschlag.com, 0 +pvtx.gov, 1 +pvv-vermietung.de, 1 +pvz.tools, 1 +pw.org, 1 +pwaiwm.site, 0 +pwanotes.ga, 1 +pwaresume.com, 1 +pwbaccountants.com, 1 +pwcva.gov, 1 +pwd.az, 1 +pwd.vc, 1 +pwddelhi.gov.in, 1 +pwdsafe.com, 0 +pwe.vision, 1 +pwg-see.de, 1 +pwn.fi, 1 +pwnedpass.tk, 1 +pwneytelecom.com, 1 +pwnies.dk, 1 +pwoss.xyz, 1 +pws.my, 1 +pwsplash.com, 1 +pwss.gov.au, 1 +pwud.ga, 1 +pxagency.fr, 1 +pxc-coding.com, 1 +pxetech.com, 1 +pxgamer.xyz, 1 +pxl-mailtracker.com, 1 +pxl.cl, 1 +pxl.st, 1 +pxld.sh, 1 +pxnetwork.fr, 1 +pxstart.cz, 1 +pxtwitter.com, 1 +pxventures.com.au, 1 +pxx.io, 1 +py-amf.org, 1 +py.pl, 1 +py.search.yahoo.com, 0 +pya.org.tr, 1 +pybtex.org, 0 +pyca.tk, 1 +pycckue.tk, 1 +pychef.com, 1 +pycoders.com, 1 +pycrc.org, 1 +pycrypto.org, 1 +pycycle.info, 1 +pydotamisa.tk, 1 +pydrocsid.ml, 1 +pygarage.com, 0 +pygb.cl, 1 +pygmyleafchameleon.com, 1 +pygn.win, 1 +pygos.space, 1 +pyhello.world, 1 +pyjiaoyi.cc, 1 +pyjy.org, 0 +pylad.se, 1 +pylon.bot, 1 +pymescentro.net, 1 +pymestari.com, 1 +pymtreceipt.com, 1 +pyopenssl.org, 1 +pypa.io, 1 +pypckomp.ddns.net, 1 +pypi.io, 1 +pypi.org, 1 +pypi.python.org, 1 +pyra-explorer.tk, 1 +pyramidsmalleg.com, 1 +pyramydair.com, 1 +pyrios.pro, 1 +pyro.works, 1 +pyroballpcbs.com, 1 +pyrofestival-vermoise.fr, 1 +pyromaniac.tk, 1 +pyrotechnologie.de, 1 +pyspace.org, 1 +pythia.nz, 1 +python.org, 0 +pythonatrix.com, 1 +pythonblog.tk, 1 +pythondiscord.com, 1 +pythonfactory.io, 1 +pythonhosted.org, 1 +pythonmorsels.com, 1 +pytodon.com, 1 +pytradebot.com.br, 1 +pywikibot.org, 1 +pyxalis.com, 1 +pyxisfreelance.au, 1 +pyxisfreelance.co, 1 +pyxisfreelance.com.au, 1 +pyxo.net, 0 +pyxyp.com, 1 +pzpittsburgh.com, 1 +pzsearch.nl, 1 +pzu-masa.pl, 1 +pzz.by, 1 +q-and-a.tk, 1 +q-inn.com, 1 +q-inn.nl, 1 +q-m.space, 1 +q-mami.com, 1 +q-matrix.de, 1 +q-technologies.com.au, 1 +q.to, 1 +q00228.com, 1 +q01.us, 1 +q1000.nl, 1 +q1q2q3.tk, 1 +q1z.net, 1 +q3.is, 1 +q3cdn.net, 1 +q3jlzwq.com, 1 +q5118.com, 1 +q5197.co, 1 +q6729.co, 1 +q6729.com, 1 +q6957.co, 1 +q78kg.eu.org, 1 +q7k.net, 1 +q82365.com, 1 +q8igh228tq.tk, 1 +q9.ee, 1 +q9.io, 1 +q9297.co, 1 +q9728.co, 1 +qa-brandywineglobal.com, 1 +qa.fedoraproject.org, 1 +qa.stg.fedoraproject.org, 1 +qaabildigital.com, 1 +qabalah.ga, 1 +qabalah.jp, 1 +qabel.de, 1 +qabete.com, 1 +qac.gov, 1 +qaconstrucciones.com, 1 +qadmium.com, 1 +qadmium.tk, 1 +qadrishattari.tk, 1 +qaina.net, 1 +qalab.tk, 1 +qalm.net, 1 +qanatnews.tk, 1 +qani.me, 1 +qaq.cloud, 1 +qaq.icu, 1 +qaq.jp, 1 +qarto.com, 1 +qask.ml, 1 +qasphere.com, 1 +qassay.com, 1 +qatartimes.tk, 1 +qatesol.org.au, 1 +qawasmigroup.com, 1 +qaz.cloud, 1 +qazcloud.com, 0 +qbasic.tk, 1 +qbasicsite.tk, 1 +qbcorescripts.com, 1 +qbits.li, 1 +qbotica.com, 1 +qbrix.dk, 1 +qbstores.com, 1 +qbug.cf, 1 +qc-ikonwork.com, 1 +qc.immo, 1 +qc.search.yahoo.com, 0 +qcbrna.qa, 1 +qcc.gov.ae, 1 +qccareerschool.com, 0 +qcdesignschool.com, 0 +qcdjco.com, 1 +qcdoll.com, 1 +qcert.org, 1 +qclean.com.au, 1 +qcmakeupacademy.com, 0 +qcmlw.com, 1 +qconline.com, 1 +qconnan-photos.fr, 1 +qconomics.com, 1 +qcrx.cn, 0 +qcstudentcenter.com, 0 +qcstyleacademy.com, 0 +qctimes.com, 1 +qctravelschool.com, 0 +qdabogados.com, 1 +qdep.net, 1 +qdm.tw, 1 +qdmnotizie.it, 1 +qdon.space, 1 +qdqlh.cn, 1 +qdrat.ml, 1 +qdrcst.com, 1 +qdstationary.co.uk, 1 +qdstationery.co.uk, 1 +qe-lab.at, 1 +qed.ai, 1 +qeddi.com.au, 1 +qeepintelligence.tk, 1 +qeepitsafe.nl, 1 +qeering.link, 1 +qei.org.au, 1 +qelectrotech.org, 1 +qeros.io, 1 +qeshmminer.com, 1 +qetesh.de, 1 +qetic.co.jp, 1 +qewc.com, 1 +qfes.qld.gov.au, 1 +qfjvv7f.xyz, 1 +qform.ru, 1 +qfurs.ru, 1 +qgblog.org, 0 +qgushi.com, 1 +qhost.cf, 1 +qhse-professionals.nl, 1 +qiai.cf, 1 +qiai.ga, 1 +qiai.gq, 1 +qiai.ml, 1 +qiancao.cf, 1 +qiancao.ml, 1 +qianglie.com, 1 +qiangshen.com, 1 +qianlong.net, 1 +qianmu.com, 1 +qiannews.net, 0 +qianqiao.me, 1 +qianshuo.com, 1 +qiantuwenlu.com, 1 +qianzhanggui.com, 1 +qiaohong.org, 1 +qiaowai.com, 1 +qiayuan.com, 1 +qiber.org, 1 +qicaiyunnan.com, 1 +qicoder.com, 1 +qifu.me, 1 +qifu.org.cn, 1 +qigehl.com, 1 +qihalu.com, 1 +qihc.com, 1 +qihl.gg, 1 +qike.tk, 1 +qikio.com.au, 1 +qimingbu.com, 1 +qimingceming.com, 1 +qin.moe, 1 +qingan.ca, 1 +qingchuan.cc, 1 +qingdu.com, 1 +qingkong.net, 0 +qinglingyu.cn, 1 +qingly.me, 1 +qingniantuzhai.com, 1 +qingpat.com, 0 +qingpei.me, 1 +qingyule.com, 1 +qinlili.bid, 1 +qionouu.cn, 1 +qiqitv.info, 1 +qis.fr, 1 +qisas.com, 1 +qiscience.tk, 1 +qisda.com, 1 +qissajewels.com, 1 +qitabbs.com, 0 +qitano.com, 1 +qitarabutrans.com, 1 +qiu.moe, 0 +qiu006.com, 1 +qiuke.com, 1 +qiuwenbaike.cn, 1 +qiuyiwenyao.com, 1 +qivonline.pt, 1 +qiwi.be, 1 +qix.ca, 1 +qixbit.com, 1 +qixi.biz, 1 +qiyan.email, 0 +qkart.net, 1 +qkek.tk, 1 +qkka.org, 1 +qklshequ.com, 1 +ql.tc, 1 +qlares.nl, 1 +qlarititech.io, 1 +qlc.co.th, 1 +qlcvea.com, 1 +qlcvea.it, 1 +qldconservation.org.au, 1 +qldformulaford.org, 1 +qldnetwork.com.au, 1 +qliving.com, 1 +qlock.mywire.org, 1 +qlrace.com, 0 +qlsh.com, 1 +qm-marzahnnordwest.de, 1 +qm8828.net, 1 +qm8838.net, 1 +qm8888.net, 1 +qmang.com, 1 +qmarket.tk, 1 +qmdcoin.com, 1 +qmee.com, 1 +qmeriaux.fr, 1 +qmp-media.nl, 0 +qnap.co.jp, 1 +qnap.com, 1 +qnap.com.br, 1 +qnap.com.cn, 1 +qnap.com.hk, 1 +qnap.com.tw, 1 +qnap.de, 1 +qnap.hk, 1 +qnap.tw, 1 +qnected.nl, 1 +qnixon.com, 1 +qnotafm.com.co, 1 +qnq.moe, 1 +qnsgmd.com, 1 +qofpeacechurch.org, 1 +qombo.nl, 1 +qoml.net, 1 +qonnected.nl, 1 +qontinuum.space, 1 +qoor.io, 0 +qoostudio.com, 1 +qoptalk.com, 1 +qosim.ga, 1 +qosqo.tk, 1 +qotw.net, 1 +qoyyim.com, 1 +qp666d.com, 1 +qpai.net, 1 +qparents.qld.edu.au, 1 +qpaypro.com, 1 +qpcna.org, 1 +qpi.net.au, 1 +qpipi.com, 1 +qponverzum.hu, 1 +qpsinc.com, 1 +qq.ee, 1 +qq201314.com, 1 +qq5197.co, 1 +qq52o.me, 1 +qq6177.net, 1 +qq6729.co, 1 +qq6729.com, 0 +qq6957.co, 1 +qq885.com, 1 +qq9297.co, 1 +qq9728.co, 1 +qqiao.me, 1 +qqmingzi.cc, 0 +qqq6.com, 0 +qqq67.com, 1 +qqrss.com, 1 +qr.ae, 1 +qr.cl, 1 +qr.gp, 1 +qr.sb, 1 +qr0.ch, 1 +qr1.at, 1 +qraa.qld.gov.au, 1 +qrara.net, 1 +qrbird.com, 1 +qrcoba.org, 1 +qrcodes.tools, 1 +qrcontagion.com, 1 +qrd.by, 1 +qredo.com, 0 +qrida.qld.gov.au, 1 +qrlab.biz, 1 +qrlab.ch, 1 +qrlab.de, 1 +qrlab.eu, 1 +qrlab.info, 1 +qrlab.net, 1 +qrlfinancial.com, 1 +qrmenux.com, 1 +qrpatrol.com, 1 +qrplanet.com, 1 +qrprincipal.com, 1 +qrpth.eu, 1 +qrsa.com.au, 1 +qruiser.com, 1 +qryptopia.com, 1 +qrz.one, 1 +qscloud.de, 1 +qseek.cf, 1 +qslstudio.tk, 1 +qsoblog.gq, 1 +qssupplies.co.uk, 1 +qstivi.de, 1 +qt.ax, 1 +qt.to, 1 +qtacairsoft.com, 1 +qtmd.org, 1 +qtmsheep.com, 0 +qtn.net, 1 +qto.chat, 1 +qto.co, 1 +qto.com, 1 +qto.com.hk, 1 +qto.de, 1 +qto.fr, 1 +qto.info, 1 +qto.name, 1 +qto.net, 1 +qto.org, 1 +qto.support, 1 +qto.wiki, 1 +qtpass.org, 1 +qtpower.co.uk, 1 +qtpower.net, 1 +qtpower.org, 1 +qtspace.cn, 1 +qttransformation.com, 1 +qtv.ge, 1 +qtvr.com, 1 +qu.ax, 1 +quackapp.com, 1 +quad9.com, 1 +quad9.net, 1 +quadcityjuggalos.tk, 1 +quadernoapp.com, 1 +quadomania.tk, 1 +quadrantbusinesssolutions.org, 1 +quadrantrd.com, 1 +quadratimkreis.tk, 1 +quadreon.com, 1 +quadron.hu, 1 +quaedam.org, 1 +quafe.tech, 1 +quakeroaksfarm.org, 1 +quaketips.ga, 1 +quakeworld.tk, 1 +qualbe.com, 1 +qualebroker.com, 1 +qualescegliere.it, 1 +qualiacomputers.com, 1 +qualidesign.com.br, 0 +qualifio.com, 1 +qualita.es, 1 +qualitahub.com, 1 +qualite-ecole-et-formation.ch, 0 +qualith.tk, 1 +quality-automation.de, 0 +quality-homeservice.com, 1 +quality-life.gr, 1 +qualitycarbonfiber.com, 1 +qualitycesspool.com, 1 +qualitycommerical.com, 1 +qualityconcreteleveling.com, 1 +qualityconcreterepair.com, 1 +qualitydns.net, 1 +qualityfireproofing.com, 1 +qualitygame.tk, 1 +qualitymark.com.br, 1 +qualitymudjacking.com, 1 +qualityofcourse.com, 0 +qualityoflife.ga, 1 +qualityoflife.tk, 1 +qualityoutletx.ga, 1 +qualityoutletx.tk, 1 +qualitypiering.com, 1 +qualityplusconsulting.com, 0 +qualitypolyjacking.com, 1 +qualitypropertycare.co.uk, 1 +qualitysistemas.com.br, 1 +qualitytitlepaducah.com, 1 +qualitywaterproofingco.com, 1 +qualityworks.tk, 1 +quall.com, 1 +qualtrics.com, 1 +qualyven.com, 1 +quandoandare.it, 1 +quanquan.cyou, 1 +quanquan.space, 1 +quantability.net, 1 +quantaloupe.tech, 1 +quantalytics.com, 1 +quantaservices.com, 1 +quantatec.com.br, 1 +quantdigit.com, 1 +quantemplate.in, 1 +quanterix.com, 1 +quanterra.ch, 0 +quantfury.com, 1 +quanti.au, 1 +quanticlab.com, 1 +quantifiedcommerce.com, 1 +quantikstudio.tk, 1 +quantiphi.com, 1 +quantiply.tech, 1 +quantolytic.de, 1 +quantomaisconsorcios.com.br, 1 +quantora.nl, 1 +quantris.net, 1 +quantrix.com, 1 +quanttydesignweb.com.br, 1 +quantuin.com, 1 +quantuin.dk, 1 +quantum-evolution.jp, 1 +quantum-lviv.pp.ua, 1 +quantum-mechanics.com, 1 +quantum.gdn, 1 +quantum.gl, 1 +quantum.gov, 1 +quantum.st, 1 +quantum2.xyz, 1 +quantum5.ca, 1 +quantumca.com.cn, 1 +quantumcrypto.nl, 1 +quantumfinance.com.au, 1 +quantumgoldanddiamonds.com, 1 +quantuminformationframework.com, 1 +quantuminks.com, 1 +quantumlink.tk, 1 +quantumortho.com.sg, 1 +quantumpair.net, 1 +quantumshade.ca, 1 +quantumweb.ml, 1 +quantuscreative.com, 1 +quantweb.tk, 1 +quantxperts.com, 1 +quapawnation.gov, 1 +quarantine-system.com, 0 +quareal.ru, 1 +quarep.org, 1 +quarim.cz, 1 +quark.com.pl, 1 +quark.house, 1 +quark.waw.pl, 1 +quarkcore.pt, 1 +quarklab.pl, 1 +quarrymill.com, 1 +quarterfull.com, 1 +quarterhorses.es, 1 +quartix.com, 1 +quartix.fr, 1 +quartogame.tk, 1 +quartus-residentiel.fr, 1 +quartzclinical.com, 1 +quarus.net, 1 +quasarcr.com, 1 +quasarelectronics.co.uk, 1 +quasarhomes.com, 1 +quasetio.ml, 1 +quashed.co.nz, 1 +quasiproxy.com, 1 +quasseldroid.info, 1 +quassowski.de, 1 +quatermass.tk, 1 +quaternion.tk, 1 +quattro.tk, 1 +quatuor-courtage.fr, 1 +quaxio.com, 1 +quay.net, 1 +quayconsultingllc.com, 1 +quaydental.ie, 0 +quba.fr, 1 +qubes-os.org, 1 +qubhockey.tk, 1 +qubicgames.com, 1 +qubitoss.com, 1 +qubitsandbytes.co.uk, 1 +qubyte.codes, 1 +qudini.com, 1 +quebec.ca, 1 +quebeccat.com, 1 +quebeccats.com, 1 +quebecdogs.com, 1 +quebecsolidaire.net, 1 +quedos.com.au, 1 +queencasino.live, 1 +queencdn.com, 1 +queencomplex.net, 1 +queencreekaz.gov, 1 +queenhub.tk, 1 +queenkedi.net, 1 +queenlexie.tk, 1 +queenmargaret.ddns.net, 1 +queenondvd.tk, 1 +queenparis-porn.com, 1 +queenrocks.tk, 1 +queensbotanical.org, 1 +queensfactory.it, 1 +queenshaflo.com, 1 +queenslandtonguetieclinic.com.au, 1 +queenspark.com, 1 +queensrdapartments.com.au, 1 +queenstyles.tk, 1 +queentitine.com, 1 +queenworld.tk, 1 +queer-augsburg.de, 1 +queer.farm, 1 +queer.party, 1 +queer.pl, 1 +queerasfolk.lgbt, 1 +queercinema.ch, 1 +queerfest.tk, 1 +queersin.space, 1 +queerspirit.net, 1 +quegeeks.com, 1 +queirozmiotto.adv.br, 1 +queirozmiotto.com.br, 1 +quel-dj.com, 1 +quelbusinesschoisir.com, 1 +quellarotondasembrafi.ga, 1 +quelle-catalog.tk, 1 +quelle.de, 1 +quelleez.com, 1 +quelleformation.net, 1 +quellenwiese.ski, 0 +quemmeliga.com, 1 +quemquaeritis.tk, 1 +quemvende.pt, 1 +quena-artesania.tk, 1 +quenchwater.com, 1 +quenecesitopara.com, 1 +quenotejodan.cl, 1 +quentar.tk, 1 +quentin-informatique.fr, 1 +quentin-sauvetre.fr, 1 +quentinaurat.com, 1 +quentinchevre.ch, 1 +quentingemine.be, 1 +quepourlesjuristes.fr, 1 +quera.ir, 1 +querelle.tk, 1 +querenciavirtual.com.br, 1 +quermes.net, 1 +quernon.fr, 0 +querocalcular.com.br, 1 +query-massage.com, 0 +query.gov.ps, 1 +quesartencomprar.com, 1 +quesecelebra.info, 1 +quessinternational.com, 1 +quest-on-demand.com, 1 +quest3.co, 1 +quest3.co.uk, 1 +quest3.com, 1 +quest3.info, 1 +quest3.net, 1 +quest3.org, 1 +quest3.tv, 1 +quest3.uk, 1 +quest7.jp, 1 +questbars.cf, 1 +questbars.ga, 1 +questbars.gq, 1 +questforgaming.com, 1 +questfororgasm.com, 1 +questiii.com, 1 +question.cf, 1 +question.com, 1 +questionable.host, 1 +questionandanswer.ml, 1 +questionyu.com, 1 +questofaidance.tk, 1 +questoj.cn, 1 +questsocial.it, 1 +questsys.com, 1 +questthree.com, 1 +quetiapine.life, 1 +quetico.tk, 1 +queup.net, 1 +quevisiongrafica.com, 1 +quezoncity.ml, 1 +quhyu.xyz, 1 +quible.tk, 1 +quic-hosting.de, 1 +quic.cf, 1 +quic.fr, 1 +quic.stream, 1 +quicareer.com, 1 +quichante.com, 1 +quiche-quic.cf, 1 +quichost.com, 1 +quick-and-easy.tk, 1 +quick-seo.tk, 1 +quickassortments.com, 1 +quickbooksguru.com.au, 1 +quickboysvrouwen2.nl, 1 +quickcashcarremovals.com.au, 1 +quickcel.tk, 1 +quickerticker.tk, 1 +quickformspro.com, 1 +quickinfosystem.com, 1 +quickjobsfinder.com, 1 +quicklinks.tk, 1 +quicklinkz.tk, 1 +quicknode.com, 1 +quicko.com, 1 +quickq.nu, 1 +quickquote.pt, 1 +quickrate.de, 1 +quickref.me, 1 +quicksell.co, 1 +quicksell.store, 1 +quickshops.ga, 1 +quickstart.co.za, 1 +quicksupplies.us, 1 +quicksupply.com, 1 +quicktapstudios.com, 1 +quicktaxinmessina.tk, 1 +quicktricks.net, 1 +quickudpinternetconnections.com, 1 +quickvideo.tk, 1 +quickway.cn.com, 1 +quickyshare.com, 1 +quicomo.it, 1 +quidax.com, 1 +quieoltre.it, 1 +quiero.news, 1 +quieroserbombero.org, 1 +quieroserdoula.com, 1 +quieroserdoula.es, 1 +quieroserdoula.org, 1 +quierosermercedario.tk, 1 +quierosersanta.tk, 1 +quiescent.gq, 1 +quiet-downloads.tk, 1 +quiet-waters.org, 1 +quietapple.com, 1 +quietapple.org, 1 +quietlife.tk, 1 +quietplace.tk, 1 +quietstudyactivities.tk, 1 +quietus.gq, 1 +quigley.id.au, 1 +quik.legal, 1 +quikchange.net, 1 +quiksite.com, 1 +quillandinkroleplay.com, 1 +quillandpage.com, 1 +quillandquire.com, 1 +quillwave.com, 1 +quilmo.com, 1 +quiltmc.org, 1 +quimatic.com.br, 1 +quimba.tk, 1 +quimica.science, 1 +quin.md, 0 +quincyclegg.com, 1 +quinder.tk, 1 +quinmedia.tk, 1 +quinn.com, 0 +quinnbet.com, 1 +quinnlabs.com, 0 +quinnlawcenters.com, 1 +quinnstech.ga, 1 +quinpro.nl, 1 +quintacbls.cl, 1 +quintadasmoitas.com, 1 +quintadesanamaro.com, 1 +quintanadelmonte.tk, 1 +quintanilla.tk, 1 +quintenbraakman.com, 1 +quintenbraakman.nl, 1 +quinteroorthodontics.com, 0 +quintessa.org, 1 +quintobarrio.tk, 1 +quintonic.fr, 0 +quiq-api.com, 1 +quiq-cdn.com, 1 +quiq-frp.com, 1 +quiq-in.com, 1 +quiq-uri.com, 1 +quiq-url.com, 1 +quiq.com, 1 +quiq.im, 1 +quiq.sh, 1 +quiq.us, 1 +quiqd.com, 1 +quiqstatus.com, 1 +quiqurl.com, 1 +quiqurls.com, 1 +quire.io, 1 +quirkytravelguy.com, 1 +quisildenafil.gq, 1 +quitri.tk, 1 +quivedo.com, 1 +quiwy.ninja, 1 +quiz.biz, 1 +quizapps.se, 1 +quizhub.ml, 1 +quizinn.live, 1 +quizl.io, 0 +quizlets.tk, 1 +quizmaker.ml, 1 +quizogames.com, 1 +quizz.biz, 1 +quizzard.ga, 1 +quizzard.tk, 1 +quizzen.tk, 1 +quizzhit.com, 1 +qul.link, 1 +qulix.by, 1 +qulix.ch, 1 +qulixqa.com, 0 +qumin.com, 1 +qumirezi.tk, 1 +qunzi.la, 1 +quocdesign.ch, 0 +quoi.xyz, 1 +quoininc.com, 1 +quokka.codes, 1 +quora.com, 1 +quorcis.fr, 1 +quorrax.com, 1 +quotable.ga, 1 +quoteidiot.com, 1 +quoteinfo.net, 1 +quoteoftheday300.ga, 1 +quotescover.com, 1 +quoteshindi.net, 1 +quotesnsayings.net, 1 +quotesofgta.tk, 1 +quotev.com, 1 +quotidiani.net, 1 +quotidianodiragusa.it, 1 +quovadisaustria.com, 1 +quoviz.com, 1 +qupom.com.br, 1 +quppa.net, 1 +quprop.com, 1 +quran-archive.org, 1 +qurani.tk, 1 +quranicremedies.com, 1 +quranliveonline.com, 1 +quranpdf.cf, 1 +quranvoice.tk, 1 +qurium.org, 1 +qurplus.nl, 1 +qusi.cf, 1 +qusi.ml, 1 +qussaikhuli.tk, 1 +quuck.eu, 1 +quuck.nl, 1 +quuz.org, 1 +qv-eherkenning.nl, 1 +qvady.com, 0 +qvg.company, 1 +qvggroup.com, 1 +qvision.ml, 1 +qvq.cloud, 1 +qvq.one, 1 +qwant.com, 1 +qwantjunior.com, 1 +qwanturank.news, 1 +qwarkhealth.com, 1 +qwasar.io, 1 +qwaser.fr, 1 +qwdqwd.de, 1 +qweb.pro, 1 +qwertee.com, 1 +qwerty.work, 1 +qwertyatom100.me, 1 +qwik.space, 1 +qwikdash.com, 1 +qwords.com, 1 +qwq.icu, 0 +qwq.moe, 1 +qwq2333.top, 1 +qwqjsq.net, 1 +qwqjsq8.com, 1 +qwrk.io, 1 +qwus.cf, 1 +qwus.tk, 1 +qx.fi, 1 +qx.se, 1 +qxazusa.xyz, 0 +qxin.info, 1 +qxq.moe, 1 +qxzg.org, 1 +qxzg.xyz, 1 +qxzgssr.xyz, 1 +qy.is, 0 +qz3ldfzr.com, 1 +qzhou.ddns.net, 1 +qzin.jp, 1 +qzlyrics.com, 1 +qzr.fi, 1 +r-ay.cn, 1 +r-baruth.de, 1 +r-core.org, 1 +r-e-a.net, 1 +r-gmp.com, 1 +r-ix.de, 1 +r-re.org, 1 +r-re.ru, 1 +r-reabilitolog.ru, 1 +r-rehab.online, 1 +r-rehab.org, 1 +r-rwebdesign.com, 1 +r-t-b.fr, 1 +r-t-n.tk, 1 +r.nf, 1 +r.pl, 1 +r.sb, 1 +r00tsandwings.com, 1 +r00tsolutions.ca, 1 +r0t.co, 1 +r0uzic.net, 1 +r102.ch, 1 +r15cookie.com, 1 +r17.co.id, 1 +r18.moe, 1 +r1a.eu, 1 +r1ch.net, 1 +r1h3.nl, 1 +r1ss.com, 1 +r2cdn.com, 1 +r2d2pc.com, 1 +r2wind.cn, 1 +r2wind.com, 1 +r33.space, 1 +r36533.com, 1 +r3bl.blog, 1 +r3dh4ck.ml, 1 +r3gi.cz, 1 +r3s1stanc3.me, 1 +r40.us, 1 +r4fo.com, 1 +r4g3baby.com, 1 +r5197.co, 1 +r6729.co, 1 +r6729.com, 1 +r6957.co, 1 +r7.com.au, 1 +r72w.com, 1 +r7h.at, 1 +r82365.com, 1 +r8corporate.com, 1 +r9297.co, 1 +r9728.co, 1 +ra-joergensen.de, 1 +ra-studio.ml, 1 +ra.vc, 1 +ra3y.xyz, 1 +raadgiverborsen.com, 1 +raafwelfaretrustfund.gov.au, 1 +raailto.com, 1 +raamattuopisto.fi, 1 +raar.tk, 1 +raas.today, 1 +raassembly.com, 1 +raaynk.com, 1 +rabalefood.com, 1 +raballder.tk, 1 +rabatcity.tk, 1 +rabatt24.net, 1 +rabatt24.org, 1 +rabattkoll.se, 1 +rabatz.tk, 1 +rabbisacks.org, 1 +rabbit.finance, 1 +rabbitcallcenter.com, 1 +rabbitcare.ae, 1 +rabbitcare.com, 1 +rabbitcare.id, 1 +rabbitcare.my, 1 +rabbitcare.ph, 1 +rabbitcare.qa, 1 +rabbitcare.tl, 1 +rabbitcare.vn, 1 +rabbitdns.org, 1 +rabbitfinance.com, 1 +rabbithash.com, 1 +rabbitinternet.com, 1 +rabbitsearch.org, 1 +rabbitserverlist.com, 1 +rabbitsstore.com, 1 +rabbottweb.com, 1 +rabby.tk, 1 +rabenkralle.tk, 1 +raberget.org, 1 +rabinson2005.tk, 1 +rabota-online.tk, 1 +rabotabiz.tk, 1 +rabotaemdoma.tk, 1 +rabotanet.tk, 1 +rabotaprofily.tk, 1 +rabotayte.tk, 1 +rabotenkadot.tk, 1 +rabynska.eu, 1 +racaliz.tk, 1 +racamera.com, 1 +racasdecachorro.org, 1 +raccoltadifferenziata.it, 1 +raccoltarifiuti.com, 1 +raccoltarifiuti.milano.it, 1 +raccoon.io, 1 +racedrop.tk, 1 +racelandky.gov, 1 +racemanager.io, 1 +racesimscoring.com, 1 +racetraq.net, 1 +rachaelsmaids.com, 1 +rachaeltaylor.tk, 1 +rachelandadamarethebest.com, 1 +rachelchen.me, 1 +racheldiensthuette.de, 1 +rachelmoorelaw.com, 1 +rachelsbouncycastles.co.uk, 1 +racheltinniswood.ie, 1 +rachelwatkins.co.nz, 1 +rachnacollege.tk, 1 +racialmisclassification.org, 1 +racinecounty.gov, 1 +racing-planet.cz, 1 +racingfanclub.tk, 1 +racingteameelde.tk, 1 +racius.com, 1 +rackoon.de, 1 +raclet.co.uk, 1 +raconconsulting.co.uk, 1 +raconteurs.gent, 1 +racquetdepot.co.uk, 1 +racsoft.cl, 1 +ract.au, 1 +ract.club, 1 +ract.co, 1 +ract.info, 1 +ract.net, 1 +ract.net.au, 1 +ractf.co.uk, 1 +racunalo.com, 1 +racunovodstvo-prina.si, 1 +rad-route.de, 1 +rad.com, 1 +rad.plus, 1 +rad2share.com, 1 +rada-group.eu, 1 +radaar.io, 1 +radar.sx, 1 +radarband.tk, 1 +radarbanyumas.co.id, 1 +radarbogor.id, 1 +radarcoupon.ch, 1 +radarcoupon.it, 1 +radarcupao.pt, 1 +radarcupom.com.br, 1 +radarcupon.com.ar, 1 +radarcupon.com.co, 1 +radarcupon.com.mx, 1 +radarcupon.es, 1 +radarcupon.ro, 1 +radardetector.lol, 1 +radarerp.net, 1 +radarfirst.com, 1 +radarstationery.com, 0 +radartatska.se, 0 +radartek.com, 1 +radbag.de, 1 +radbag.nl, 1 +radbee.com, 1 +radchakan.com, 1 +radcliffky.gov, 1 +radcloud.de, 1 +radconinc.net, 1 +radcube.hu, 1 +raddeluxe.com, 1 +raddle.me, 1 +radechefonne.it, 1 +radegundisfest.de, 1 +radekmazar.eu, 1 +radektworek.pl, 1 +rader.ninja, 1 +radeticlaw.com, 1 +radgi.com, 1 +radharanikijay.tk, 1 +radiadores.tk, 1 +radiadoresalternativos.cl, 1 +radiadoressoares.com.br, 1 +radialplus.tk, 1 +radianceswimwear.com, 1 +radiantenergy.tk, 1 +radiantwonder.com, 1 +radiation-oncologist.gr, 1 +radiationserviceswa.com.au, 1 +radiationtherapy.tk, 1 +radiatorendiscounter.nl, 1 +radicaldream.tk, 1 +radicalfuture.tk, 1 +radicalhapa.tk, 1 +radicallycanadian.com, 1 +radicaloptimism.org, 1 +radicalsub.com.br, 1 +radicaltransformationproject.com, 1 +radicalwebdesign.co.uk, 1 +radierprojetos.me, 1 +radio-amezi.tk, 1 +radio-angelos.tk, 1 +radio-az.tk, 1 +radio-bandit.ml, 1 +radio-beer.tk, 1 +radio-bladel.tk, 1 +radio-brest.tk, 1 +radio-club.ml, 1 +radio-delmare.tk, 1 +radio-fly.tk, 1 +radio-luikie.tk, 1 +radio-mix.ml, 1 +radio-mouse.tk, 1 +radio-news.tk, 1 +radio-of-magic.com, 1 +radio-one.ml, 1 +radio-online.com, 1 +radio-online.tk, 1 +radio-pulsar.com, 1 +radio-pulsar.eu, 1 +radio-utopie.de, 1 +radio-valois-multien.fr, 1 +radio.de, 1 +radio.es, 1 +radio.fr, 1 +radio1.ie, 1 +radio404.tk, 1 +radio4friends.tk, 1 +radio56.tk, 1 +radio99.tk, 1 +radioab-normaal.tk, 1 +radioactiv.tk, 1 +radioactivenetwork.xyz, 1 +radioaeropuerto.tk, 1 +radioafibra.com.br, 1 +radioaltamar.tk, 1 +radioalternativa.tk, 1 +radioar.tk, 1 +radioarzua.tk, 1 +radioazioni.tk, 1 +radiobahena.be, 1 +radiobandung.tk, 1 +radioborges.tk, 1 +radiobucarica.cf, 1 +radiocappissima.tk, 1 +radiocartel.tk, 1 +radiocc.ddns.net, 1 +radiocentrafrique.cf, 1 +radiochilac.tk, 1 +radioclandestina.tk, 1 +radiocombinatie-kampen.tk, 1 +radiocommande-forestiere.fr, 1 +radiocommande-industrielle.fr, 1 +radiocomsaocarlos.com.br, 1 +radioconciencia.tk, 1 +radiocrash.tk, 1 +radiocrazy.ml, 1 +radiocristianauniversal.tk, 1 +radioculture.tk, 1 +radiocusco.tk, 1 +radiodance.tk, 1 +radiodarkwolf.tk, 1 +radiodeluxe.ml, 1 +radiodeutsch.com, 1 +radiodevrijheid.tk, 1 +radiodiagonal.tk, 1 +radiodoblen.tk, 1 +radiodxguatemala.tk, 1 +radioelectronic.tk, 1 +radioenam.tk, 1 +radioenergia.tk, 1 +radioesferico.tk, 1 +radioexito.tk, 1 +radiofmimagen.net, 1 +radiofred.tk, 1 +radiogabriela.tk, 1 +radiogaga.ga, 1 +radiogalena.tk, 1 +radiogear.ru, 1 +radiogetsemani.tk, 1 +radiogomezone.tk, 1 +radioharrastus.tk, 1 +radioheikrekel.tk, 1 +radiohlam.cf, 1 +radiohlam.ga, 1 +radiohouse.tk, 1 +radioibiapina.tk, 1 +radioilusion.es, 1 +radioilusiones.tk, 1 +radioiman.net, 1 +radiojackienorth.tk, 1 +radiojeneverstoker.tk, 1 +radioknop.nl, 1 +radiokontakt.tk, 1 +radiokukesi.tk, 1 +radiolanguages.tk, 1 +radiolaparranda.tk, 1 +radiolatinafm.tk, 1 +radiolavka32.ru, 1 +radioldpr.ru, 1 +radiolibertad.tk, 1 +radioliberty.ga, 1 +radiolla.com, 1 +radiolodz.pl, 1 +radiom.fr, 1 +radiomacuto.gq, 1 +radiomagicafm.tk, 1 +radiomakarena.tk, 1 +radiomanifiesto.tk, 1 +radiomaster.tk, 1 +radiomc.tk, 1 +radiomedia.tk, 1 +radiomercure.net, 1 +radiometal.tk, 1 +radiometeor.com, 1 +radiomikelerentxun.tk, 1 +radiomix.cz, 1 +radiomixer.net, 1 +radiomodem.dk, 1 +radiomontebianco.it, 1 +radiomoodmix.tk, 1 +radionalita.tk, 1 +radionetcolombia.tk, 1 +radionikkei.com, 1 +radionojavan.ir, 1 +radionoticias.tk, 1 +radionrg.tk, 1 +radiooffice.tk, 1 +radioombo.xyz, 1 +radioonline.com, 1 +radioparquesur.tk, 1 +radiopatapoe.nl, 1 +radioperfect.tk, 1 +radiopharereims.tk, 1 +radiopicaflor.tk, 1 +radioplayer.ie, 1 +radiopleer.net, 1 +radiopolarniki.spb.ru, 1 +radiopranfm.cf, 1 +radioprimerodemayo.tk, 1 +radiopush.tk, 1 +radior9.it, 1 +radioradicchio.it, 1 +radiorainbow.tk, 1 +radioranking.de, 1 +radiorecord.ml, 1 +radioregional.pt, 1 +radioremix80.tk, 1 +radioricardo.tk, 1 +radios-associatives.tk, 1 +radiosanducito.tk, 1 +radiosatbolivia.com, 1 +radioschool.co.nz, 1 +radioscope.tk, 1 +radiosdeguate.com, 0 +radioseda.ca, 1 +radiosilver.tk, 1 +radiosimba.ug, 1 +radiosterrekijker.tk, 1 +radiosuperplus.tk, 1 +radioszczecin.pl, 1 +radiotataouine.tk, 1 +radiotehnika.tk, 1 +radiotelephoni.tk, 1 +radiotexas.tk, 1 +radiotunes.tk, 1 +radiotuning.tk, 1 +radiotv.tk, 1 +radioumbrella.ga, 1 +radiouniversofm.tk, 1 +radiounofm.tk, 1 +radiounost.tk, 1 +radioventura.tk, 1 +radiovera.ru, 1 +radiovertical.tk, 1 +radiovirgendelcarmen.tk, 1 +radiovolmax.tk, 1 +radiowakeup.tk, 1 +radioxanadu.tk, 1 +radiozetta.tk, 1 +radiozilverster.tk, 1 +radis-adopt.com, 1 +radito.com, 1 +radium-it.ru, 1 +radium.group, 1 +radiumcode.com, 1 +radiumone.io, 1 +radiusmethod.com, 1 +radiusone.com, 1 +radixsalon.tk, 1 +radixweb.com, 1 +radjaternak.com, 1 +radlina.com, 1 +radnas.com, 1 +radnickapartija.tk, 1 +radnicki-nis.tk, 1 +radogear.com, 1 +radoman.ga, 1 +radon.tk, 1 +radopsec.com, 1 +radopsec.net, 1 +radopsec.org, 1 +radost-crikvenica.hr, 1 +radost.digital, 1 +radpath.at, 1 +radreisetraumtreibstoff.de, 1 +radstake.de, 1 +raduga-tv.tk, 1 +raduga4.ml, 1 +radverkehr-kelsterbach.de, 1 +radwebhosting.com, 1 +radyabkhodro.net, 1 +radyn.com, 1 +radyogemisi.com, 1 +radzikow.ski, 1 +raeder-test.azurewebsites.net, 1 +raeu.me, 1 +raeven.nl, 1 +raevinnd.com, 1 +raewardfresh.co.nz, 1 +raf.org, 1 +rafaelangelfg.tk, 1 +rafaelortiz.es, 1 +rafaelsobis.tk, 1 +rafaeltuber.cf, 1 +rafalkukla.com, 1 +rafaprialv.com, 1 +rafaroca.net, 1 +rafclan.tk, 1 +raffaellaosti.com, 1 +raffall.com, 1 +rafinad.io, 1 +rafo.tech, 1 +rafo.tk, 1 +rafsis.com, 0 +raft.pub, 1 +rafting-japan.com, 1 +ragadoor.com, 1 +ragasto.nl, 1 +ragdollrecon.com, 1 +rage-overload.ch, 1 +rage4.com, 1 +ragebin.com, 1 +ragic.com, 1 +raginggaming.ga, 1 +ragingrune.tk, 1 +ragingserenity.com, 1 +ragnamania.tk, 1 +ragnamart.tk, 1 +ragnaroktop.com.br, 1 +ragsnprints.com, 1 +ragstores.com, 1 +ragt.ag, 1 +ragu.co.uk, 1 +ragusina.hr, 1 +rahasyavedicastrology.com, 1 +rahayi.tk, 1 +raheel.cf, 1 +raheel.tk, 1 +raheem.marketing, 1 +rahenytennis.tk, 1 +rahgame.com, 1 +rahil-p.com, 1 +rahilworld.tk, 1 +rahimareports.ml, 1 +rahmans.tk, 1 +rahrahstudios.com, 1 +rahul.moe, 1 +rahulsadarangani.com, 1 +rai88asia.com, 1 +raiceshebreas.org, 1 +raid-runners.fr, 1 +raiden.network, 1 +raidensnakesden.co.uk, 1 +raidensnakesden.com, 1 +raidensnakesden.net, 1 +raidentawork.lt, 1 +raiderhacks.com, 1 +raidkeeper.com, 1 +raidstone.net, 1 +raidstone.rocks, 1 +raiffeisen-kosovo.com, 0 +raiffeisen.al, 0 +raiffeisenbank.ba, 0 +raiffeisenleasing-kosovo.com, 1 +raiilto.com, 1 +raikko.tk, 1 +rail-o-rama.nl, 1 +rail24.nl, 1 +rail360.nl, 1 +railalabwork.lt, 1 +railbird.nl, 1 +railbus.fan, 1 +railcarrxqa.com, 1 +railclub.tk, 1 +railfans.ca, 1 +railfeeding.com, 1 +railgun.ac, 1 +railgun.com.cn, 1 +railgun.email, 1 +railjob.cn, 1 +raillto.com, 1 +railorama.nl, 1 +railpassie.nl, 1 +railroadhistory.net, 1 +railsafetysystems.com.au, 1 +railsideworks.com, 1 +railsimulator.net, 1 +railsperformance.com.br, 1 +railto.cm, 1 +railto.co, 1 +railto.com, 1 +railto.com.de, 1 +railto.com.se, 1 +railto.llc, 1 +railtollc.com, 1 +railvideo.co.uk, 1 +railvideo.net, 1 +railvideo.nl, 1 +railway.moe, 1 +railwayease.com, 1 +rain.bz, 1 +rain.moe, 1 +rainative.com, 1 +rainbeaus.cf, 1 +rainbeaus.ga, 1 +rainbeaus.gq, 1 +rainbeaus.ml, 1 +rainbow-christian.tk, 1 +rainbow-girl.top, 1 +rainbow-web.com, 1 +rainbowbrains.com, 1 +rainbowcomputer.tk, 1 +rainbowflowers.co.uk, 0 +rainbowinflatables.co.uk, 1 +rainbowlaserspewpew.xyz, 1 +rainbowloompattern.com, 1 +rainbowloompatterns.com, 1 +rainbowmath.tk, 1 +rainbowplayschool.in, 1 +rainbowsmoothies.win, 1 +rainbowstars.ru, 1 +rainbowstore.com.au, 1 +rainbowstore.com.ua, 1 +rainbowsushi.dk, 1 +rainbowswingers.net, 1 +rainbowtransport.com, 1 +raincoat.systems, 1 +rainel.at, 1 +rainerstoll.at, 1 +rainevixen.com, 1 +rainfall.ro, 1 +rainforest.engineering, 1 +rainforestfoundation.org, 1 +rainierpros.com, 1 +rainiv.com, 1 +rainmanzone.com, 1 +rainnetwork.tk, 1 +rainnny.club, 1 +rainpaper.com, 1 +raintreatment.ga, 1 +rainturtle.com, 1 +rainuk.com, 1 +rainville.me, 1 +rainway.io, 1 +raipet.no-ip.biz, 1 +raipet.spdns.eu, 1 +raise-educationandwellbeing.co.uk, 1 +raisecorp.com, 1 +raisects.co.uk, 1 +raisetheyouth.co.uk, 1 +raisingresilientreaders.com, 1 +raisioammattilaisille.fi, 1 +raistrick.art, 1 +raistrick.it, 1 +raitotec.com, 1 +raitza.de, 1 +raja.fr, 1 +rajabpour.com, 1 +rajaealhoceima.tk, 1 +rajafashion.tk, 1 +rajapack.be, 1 +rajapack.co.uk, 1 +rajapack.de, 1 +rajapack.es, 1 +rajapack.it, 1 +rajapack.nl, 1 +rajasatour.id, 1 +rajeen.tk, 1 +rajeshkochhar.com, 1 +rajeshkumar.tk, 1 +rajivdeepinsights.com, 1 +rajkapoordas.com, 1 +rajkotupdates.news, 1 +rajofestival.tk, 1 +rajomon.com, 1 +rajrajasthani.tk, 1 +rajsolankimusic.ga, 1 +rajtechnologies.com, 1 +rajudhoni.ga, 1 +rak-business-service.com, 1 +rakennuspeli.com, 1 +rakeshkaryana.com, 1 +raketa.travel, 1 +raketaholst.com.ua, 1 +raketaro.de, 1 +raketenwolke.de, 1 +rakett.org, 0 +rakibzashup.ml, 1 +rakibzashup.tk, 1 +raklouisville.com, 1 +rakom.tk, 1 +rakovec.hr, 1 +raksa.media, 1 +raksha-bandhanwish.ga, 1 +rakshitrekhi.tk, 1 +raku.bzh, 1 +raku.land, 1 +rakugaki.cn, 0 +rakugokai.net, 1 +ralaoui.com, 1 +ralaoui.me, 1 +raleighadultmedicine.com, 1 +raleighboneandjoint.com, 1 +raleighcapitolent.com, 1 +raleighmedicalgroup.com, 1 +raleighpsych.com, 1 +raleighsinuscenter.com, 1 +ralfs-zusizone.de, 1 +rally-base.com, 1 +rally-base.cz, 1 +rally-base.eu, 1 +rally-results.eu, 1 +rally-vysledky.cz, 1 +rallybase.cz, 1 +rallybase.eu, 1 +rallycycling.com, 0 +rallyedu.com, 1 +rallyekrumlov.cz, 1 +rallyfotosaswin.tk, 1 +rallytrophy.tk, 1 +ralphandretta.com, 1 +ralphandretta.net, 1 +ralphandretta.org, 1 +ralphbisschops.com, 1 +ralphdeal.com, 1 +raltha.com, 1 +ralvke.rocks, 1 +ram-tenancy.cf, 1 +ram-tenancy.ga, 1 +ram-tenancy.ml, 1 +ram.nl, 1 +rama.ovh, 1 +ramatola.uk, 0 +ramblingrf.tech, 1 +rambo.codes, 1 +rambus.com, 1 +ramchand.tk, 1 +ramel.tk, 1 +ramen-dealer.de, 1 +ramenramenramen.net, 1 +ramfaseo.ca, 1 +ramfy.ru, 1 +ramiabusalah.tk, 1 +ramieres.cf, 1 +ramirito.tk, 1 +ramitan.com, 1 +ramkot.tk, 1 +ramle.be, 1 +rammstein.pt, 1 +rammsteinaustralia.tk, 1 +rammsteinzone.tk, 1 +ramonahillsideplayers.org, 1 +ramonguilherme.com.br, 0 +ramos.tur.br, 1 +ramowitha.com, 1 +ramp.com, 1 +rampeboreal.ca, 1 +rampestyuma.com, 1 +rampiva.com, 1 +ramplaysugente.tk, 1 +ramrecha.com, 0 +ramsay.xyz, 1 +ramsayshorsetransport.com, 1 +ramsayshorsetransport.com.au, 1 +ramsdensforcash.co.uk, 1 +ramsdensplc.com, 1 +ramseycountymn.gov, 1 +ramseycs.net, 0 +ramsor-gaming.de, 1 +ramt.tk, 1 +ramtechmodular.com, 1 +ramusa.org, 1 +ramydent.no, 1 +ramynetwork.tk, 1 +ramzinex.com, 1 +ran-drunken.tk, 1 +ran-ran.top, 1 +ran-sama.ddns.net, 1 +rana.realestate, 1 +rana.shop, 1 +ranasinha.com, 1 +rancakmedia.com, 1 +rancheriastereo.tk, 1 +ranchesterwy.gov, 1 +ranchocordova.gov, 1 +ranchodoalqueidao.pt, 1 +rancowar.com, 1 +randallcounty.gov, 1 +randallcraig.com, 1 +randallso.gov, 1 +randburgplumbing.co.za, 1 +randc.org, 1 +randdtaxcreditspecialists.com, 1 +randolf.ca, 1 +randolphcountyal.gov, 1 +randolphcountyil.gov, 1 +random-numbers.org, 1 +random-password.org, 1 +random-project.com, 1 +random-samplings.org, 1 +random.org, 1 +randomactsofkindness.org, 1 +randomads.net, 1 +randomadversary.com, 1 +randomarticle.ml, 1 +randombig.cat, 1 +randombit.eu, 0 +randombooks.gq, 1 +randombrainwave.cf, 1 +randombrainwave.ga, 1 +randombrainwave.gq, 1 +randombrainwave.ml, 1 +randomdomain.io, 1 +randomforestweb.com, 1 +randomforum.tk, 1 +randomideas.me, 1 +randomizer.space, 1 +randomkindness.tk, 1 +randomkoalafacts.com, 1 +randompasswordgenerator.fun, 1 +randomquotesapp.com, 1 +randomsearching.ml, 1 +randomserver.pw, 1 +randomserver.xyz, 1 +randomsnapshots.tk, 1 +randomstuffproductions.tk, 1 +randomtest.cf, 1 +randomthings.cf, 1 +randomuuid.org, 1 +randomweb.tk, 1 +randorn.com, 1 +randox.com, 1 +randy.su, 1 +randyandpixel.com, 1 +randyrhoads.tk, 1 +randyselzer.com, 1 +ranfics.tk, 1 +ranfurlychambers.co.nz, 1 +rangde.org, 1 +range.co, 1 +rangeforce.com, 1 +rangeforce.eu, 1 +rangerfiles.tk, 1 +rangersloyalsite.tk, 1 +rangersofbelgium.be, 1 +rangeweb.ga, 1 +ranginkamonkadeh.ir, 1 +rangsmo.se, 0 +rangzol.now.sh, 1 +raniermn.gov, 1 +ranjanbiswas.in, 1 +ranjanbiswas.net, 1 +ranjeetmehta.tk, 1 +rankeco.com, 1 +rankia.ga, 1 +ranking-deli.jp, 1 +ranking-mensesthe.jp, 1 +ranking10hits.tk, 1 +rankingide.tk, 1 +rankingofe.com.pl, 1 +rankingubezpieczeniowy.pl, 1 +rankingubezpieczennazycie.pl, 1 +ranksite.cf, 1 +ranksite.ga, 1 +ranksite.gq, 1 +ranksite.ml, 1 +ranksite.tk, 1 +ranktis.com, 1 +rankya.com, 1 +rannamoisaaiasalong.ee, 1 +rannseier.org, 1 +ranos.org, 1 +ransomspares.co.uk, 1 +ranson.com.au, 1 +ransonwv.gov, 1 +rantalaholcomb.tk, 1 +rantamplan.tk, 1 +rantanda.com, 1 +rante.com, 1 +ranters.nl, 1 +rany.eu.org, 1 +ranyeh.co, 1 +ranyeh.com, 1 +ranzbak.nl, 1 +raoliveoil.ga, 1 +raomed.com.ar, 1 +raovatsaigon.tk, 1 +rap4ever.org, 1 +rapala.com, 1 +rapanui.tk, 1 +rapay.net, 1 +rapbull.net, 1 +rapdinle.tk, 1 +rapenroer.com, 1 +rapenroer.nl, 1 +raphael.li, 1 +raphaeladdile.com, 1 +raphaelcasazza.ch, 0 +raphaelmoura.ddns.net, 1 +raphaelschneider.de, 1 +raphrfg.com, 1 +rapid-care.com, 1 +rapid4all.com, 1 +rapidapp.io, 1 +rapidcenter.tk, 1 +rapidcityjournal.com, 1 +rapidessay.com, 1 +rapidgator.net, 1 +rapidguide.tk, 1 +rapidlegal.com, 1 +rapidoo.com.br, 1 +rapidscale.net, 1 +rapidseo.net, 1 +rapidshit.net, 1 +rapidspike.com, 1 +rapidssl.com.ru, 1 +rapidsslonline.com, 1 +rapidstone.com, 1 +rapnet.com, 1 +raposafixe.pt, 1 +rapoteka.tk, 1 +rappels-produits.com, 1 +rappet.de, 1 +rappisexshop.com, 1 +rapport.link, 1 +raps.org, 1 +rapsconfab.com, 1 +raptechpk.com, 1 +rapu.nz, 1 +rapwoyska.tk, 1 +rapyd.net, 1 +raqebpress.com, 1 +raqoo.jp, 1 +raquelmolinacases.tk, 1 +rar.moe, 1 +raranga.net.nz, 1 +rarbgmirrored.org, 1 +rarbgproxied.org, 1 +rarbgunblocked.org, 1 +rare-x.org, 1 +rarece.cf, 1 +rarediseaseday.org, 1 +rareearthhair.com.au, 1 +rarefish.tk, 1 +raregems.io, 1 +rarehi.com, 1 +rarename.tk, 1 +rarity.tools, 1 +raritysniper.com, 1 +rarlab.com, 1 +rarlabs.com, 1 +raroh73.com, 1 +raroh73.xyz, 1 +rarous.net, 1 +rarsoft.com, 1 +raryosu.info, 1 +rasa.com, 1 +rasadnikcvecaperic.rs, 0 +rasagiline.com, 1 +rasaja.com, 1 +rasberry.cf, 1 +rascals-castles.co.uk, 1 +rascals.ga, 1 +rascalscastles.co.uk, 1 +rascript.tk, 1 +rascvet.tk, 1 +rase.rocks, 1 +raserbajs.tk, 1 +rashamehrnikan.com, 1 +rashane.com, 1 +rashbogota.tk, 1 +rasheed-nuss.tk, 1 +rashmipandit.com, 1 +rashodkin.tk, 1 +raskruti.ga, 1 +raskruti.ml, 1 +raskrutka.cf, 1 +rasmushaslund.com, 1 +rasnyder.com, 1 +rasp-consulting.de, 1 +raspberryultradrops.com, 1 +raspclock.com, 1 +raspitec.ddns.net, 1 +rassadacvetov.com, 0 +rasset.ie, 1 +rassistem.rs, 1 +rassro.sk, 1 +rastabooks.ga, 1 +rasteniem.ru, 1 +rastko-jevtovic.tk, 1 +rasty.cz, 1 +rat.pw, 1 +rataassociates.com, 1 +ratajczak.one, 1 +ratasdesign.com, 1 +ratatosk.net, 1 +ratbarricade.com, 1 +ratd.net, 1 +rate.is, 1 +ratebridge.com, 1 +rateddomain.ml, 1 +ratelimited.me, 1 +ratelsec.com, 1 +ratemyfishtank.com, 1 +ratepayeralliance.org, 1 +rates.ca, 1 +ratespy.com, 1 +rathbonesonline.com, 1 +rathdrum.gov, 1 +rathdrumpolice.gov, 1 +ratherrarerecords.com, 0 +rathgeb.org, 1 +rathmann-couture.de, 1 +rathorian.fr, 1 +rathsallaghhouseonline.com, 1 +ratingostar.com, 1 +ratingus.co, 1 +ratinq.co, 1 +ratiocinat.ga, 1 +ratiocontent.de, 0 +rationalcreation.com, 1 +rationalism.com, 1 +rationalops.com, 1 +ratirl.be, 1 +ratman.xyz, 1 +ratsmicedormice.com, 1 +rattanhousecarpentry.com, 1 +rattattees.com, 1 +rattenkot.io, 1 +ratujemyzwierzaki.net, 1 +ratujmydzikiekoty.org, 1 +ratunek.com.pl, 1 +ratusha.ml, 1 +rauchfrei-info.de, 1 +rauhenebrach.de, 1 +raulc.space, 1 +raulmalea.ro, 1 +raulrivero.es, 1 +raulval.com, 1 +raumausstatter-fangmann.de, 1 +rauros.net, 1 +rausch-extase.ch, 1 +rauschenbach.de, 1 +rauserv.de, 1 +rautarutto.tk, 1 +rava.tk, 1 +ravada-vdi.com, 1 +ravagers.tk, 1 +ravages.tk, 1 +ravalement-facade.net, 1 +ravalement-facade.paris, 1 +ravalement-facades.net, 1 +ravallirepublic.com, 1 +ravchat.com, 1 +raveboy.dyndns.org, 1 +ravefm.tk, 1 +raveharmony.com, 1 +ravelin.click, 1 +ravelin.com, 1 +raven.dog, 1 +raven.express, 1 +ravenandsage.com, 1 +ravencoin.com, 1 +ravencoin.org, 1 +ravenger.net, 1 +ravengergaming.net, 1 +ravenhillavenue.com, 1 +ravennatoday.it, 1 +ravenrealms.tk, 1 +ravenrepublic.net, 1 +ravenrockrp.com, 1 +ravenstonejeweler.com, 1 +raventechnology.es, 1 +ravenx.me, 1 +ravescout.club, 1 +raveseguros.com, 1 +ravesteijn.nl, 1 +ravhaaglanden.org, 1 +ravihotel.com, 0 +ravijuhend.ee, 1 +ravik.tk, 1 +ravimiamet.ee, 0 +ravimiregister.ee, 1 +ravinala-airports.aero, 1 +raviparekh.co.uk, 1 +ravis.org, 1 +ravkavonline.co.il, 1 +ravkr.duckdns.org, 1 +ravnareka.tk, 1 +ravne.land, 1 +ravron.com, 1 +ravse.dk, 1 +raw.nl, 1 +rawa-ruska-union-nationale.fr, 1 +rawballs.nl, 1 +rawbeautysource.com, 1 +rawcom.pl, 1 +rawdamental.com, 1 +rawdutch.nl, 1 +rawfitco.com.au, 1 +rawforce.tk, 1 +rawinfosec.com, 1 +rawley.co.uk, 1 +rawlinswy.gov, 1 +rawlord.ga, 1 +rawmarkable.co.uk, 1 +rawmathub.gr, 1 +rawmonolife.ru, 1 +rawpearls.com, 1 +rawr.sexy, 1 +raxion.cf, 1 +raxion.tk, 1 +ray-works.de, 1 +rayadventure.com, 1 +raycarruthersphotography.co.uk, 1 +raycon.io, 1 +raydius.de, 1 +rayfalling.com, 1 +rayhillforsupremecourt.com, 1 +rayiris.com, 1 +rayj.me, 1 +rayj.org, 1 +raykitchenware.com, 1 +raylo.com, 1 +raym.ml, 1 +raymd.de, 1 +raymondha.ca, 1 +raymondha.com, 1 +raymondvineyards.com, 1 +raymundo.doctor, 1 +raynbo.ai, 1 +raynis.net, 1 +raynoonanwindows.ie, 1 +rayonbricolage.com, 1 +rayonnage-stockage.fr, 1 +raysbarreto.tk, 1 +raysei.com, 1 +raysmtp.ga, 1 +raysolutions.tk, 1 +raystark.com, 1 +raystedman.org, 1 +raytonne.cn, 1 +raytonne.com, 1 +rayusradiology.com, 1 +raywardapparel.com, 1 +raywisdom.tk, 1 +rayworks.de, 1 +rayzer.dk, 1 +razakhanimazhab.tk, 1 +razalabs.com, 1 +razalabs.gr, 1 +razberry.kr, 1 +razborpoletov.cf, 1 +razborpoletov.ml, 1 +razborpoletov.tk, 1 +razborpoletovsite.cf, 1 +razborpoletovsite.ga, 1 +razborpoletovsite.gq, 1 +razborpoletovsite.tk, 1 +razdolnoe.tk, 1 +razeencheng.com, 1 +razgon.ga, 1 +razgon.tk, 1 +raziculacrimi.ro, 1 +razrabo.tk, 1 +razrsec.uk, 1 +razvan.digital, 1 +razvanburz.ro, 1 +razvanvatamanu.ro, 1 +razvlekuha.cf, 1 +razvlekuhablog.tk, 1 +rb-china.net, 1 +rb.cz, 1 +rballday-entertainment.nl, 1 +rbbaader.de, 1 +rbbuae.com, 1 +rbcafe.com, 1 +rbcdn.cz, 1 +rbclub.cz, 1 +rbcosmetici.it, 1 +rbd.events, 1 +rbensch.com, 0 +rbet.tk, 1 +rbh.co.uk, 1 +rbi-admin.com, 1 +rbi-umbrella.com, 1 +rbiacademylms.org, 1 +rbin.nl, 1 +rbknarkers.tk, 1 +rbltracker.com, 1 +rbmafrica.co.za, 1 +rbmland.com, 1 +rbnet.xyz, 1 +rbocache.com, 1 +rbprosthodontics.com, 1 +rbs.co.uk, 1 +rbs.com, 1 +rbsexshop.com.br, 1 +rbsinternational.com, 1 +rbt.rs, 1 +rbt.sx, 1 +rbtvshitstorm.de, 1 +rbunews.tk, 1 +rburchell.com, 0 +rburz.com, 1 +rbx.com, 1 +rbx.gg, 1 +rc-offi.net, 1 +rc-shop.ch, 1 +rc.cruises, 1 +rc1.eu, 1 +rc21x.com, 1 +rc2edit.nl, 1 +rc3n.com, 1 +rc7.ch, 1 +rca.ink, 1 +rca2015.ru, 1 +rcbanger.tk, 1 +rcbtrace.net, 1 +rccars.info, 1 +rcclub.com, 1 +rccom.ru, 1 +rccrush.com, 1 +rcd.cz, 0 +rcdeescolasantcugat.com, 1 +rcdevs.com, 1 +rcdocuments.com, 1 +rcdrone.tk, 1 +rcelectronica.com, 1 +rcfl.gov, 1 +rcforex.com, 1 +rcgoncalves.pt, 1 +rchavez.site, 1 +rchrdsn.uk, 1 +rcips.ky, 1 +rclaywilliamsdo.com, 1 +rclsm.net, 1 +rcmlinx.com, 1 +rcmodelflying.tk, 1 +rcmstream.com, 1 +rcnitrotalk.com, 1 +rcoliveira.com, 1 +rcorporation.be, 1 +rcotec.be, 1 +rcpdesign.cl, 1 +rcphiphop.tk, 1 +rcprogranada.com, 1 +rcraigmurphy.net, 1 +rcrdelecuador.com, 1 +rcru.org, 1 +rcsacessoria.online, 1 +rcsda.net, 1 +rcslt.org, 1 +rcsolutions.nl, 0 +rcsscontractors.com, 1 +rct-chair.com, 1 +rct.sk, 0 +rct.uk, 1 +rctalk.com, 1 +rctiads.com, 1 +rctrk.net, 1 +rctruck.nl, 0 +rctx.tk, 1 +rcubesports.com, 1 +rcxzsc.com, 1 +rd0xb.com, 1 +rdactive.de, 1 +rdb.vote, 1 +rdcdesign.com, 1 +rddjapan.info, 1 +rded.nl, 1 +rdesigner.tk, 1 +rdfencingandgates.co.uk, 1 +rdfmapped.com, 1 +rdforum.org, 1 +rdfproject.it, 1 +rdfz.tech, 1 +rdienclosures.com, 1 +rdimedical.com, 1 +rdl.at, 1 +rdm.lu, 1 +rdmc.academy, 1 +rdmc.biz, 1 +rdmc.center, 1 +rdmc.contact, 1 +rdmc.education, 1 +rdmc.fr, 1 +rdmc.host, 1 +rdmc.info, 1 +rdmc.io, 1 +rdmc.link, 1 +rdmc.live, 1 +rdmc.network, 1 +rdmc.ovh, 1 +rdmc.report, 1 +rdmc.site, 1 +rdmc.sn, 1 +rdmc.support, 1 +rdmc.systems, 1 +rdmc.tel, 0 +rdmc.tn, 1 +rdmc.vision, 1 +rdmc.wiki, 1 +rdmrotterdam.nl, 0 +rdmshit.net, 1 +rdmtaxservice.com, 0 +rdn-team.com, 1 +rdns.gq, 1 +rdo.gg, 1 +rdrama.net, 1 +rdsm.be, 0 +rdtech.de, 1 +rdto.io, 1 +rduser.lol, 1 +rdv-cni.fr, 1 +rdv-coquin-rapide.fr, 1 +rdvobras.pt, 0 +rdwh.tech, 0 +rdwz.one, 1 +re-align.life, 1 +re-arranged.tk, 1 +re-engines.com, 1 +re-leased.com, 1 +re-presented.de, 1 +re-security.com, 1 +re.yt.nom.br, 1 +reach-on.de, 1 +reach.gov, 1 +reach.gov.sg, 1 +reachdigital.com.au, 1 +reachhead.com, 1 +reachley.net, 1 +reachout-ghana.com, 1 +reachout2.nl, 1 +reachrss.com, 1 +reachum.com, 1 +reachwithed.com, 1 +reaconverter.com, 1 +react-db.com, 1 +reacteev.com, 1 +reactfactory.io, 1 +reactheme.com, 1 +reactionindex.com, 1 +reactive-load.com, 1 +reactive-press.com, 1 +reactive.com.ru, 1 +reactivedrop.com, 1 +reactivemarkets.com, 1 +reactor-family.tk, 1 +reactpwa.com, 1 +read-blackclovermanga.com, 1 +read-myheromanga.com, 1 +read.family, 1 +readabilitychecker.com, 1 +readable.pw, 1 +readapt-nutrition.com, 1 +readcomics.gq, 1 +readersfavorite.com, 1 +reades.co.uk, 1 +reades.uk, 1 +readify.net, 1 +readifycloud.com, 1 +reading-assist.com, 1 +readingea.com, 1 +readingoutpost.com, 1 +readingrats.de, 1 +readlater.de, 1 +readless.cf, 1 +readmybeacon.com, 1 +readmynews.cf, 1 +readouble.com, 0 +readpages.gq, 1 +readtome.co.in, 1 +readup.tk, 1 +ready2learn.eu, 1 +ready4bf.tk, 1 +ready5g.net, 1 +readyblinds.com.au, 1 +readycentbid.com, 1 +readycentral.com, 1 +readychurchsites.com, 1 +readyclassroomcentral.com, 1 +readycolorado.gov, 1 +readycontacts.com, 1 +readydedis.com, 1 +readyeutaw.gov, 1 +readyfiction.com, 1 +readyit.pl, 1 +readync.gov, 1 +readyrowan.com, 1 +readyrowan.org, 1 +readyscif.com, 1 +readysell.net, 1 +readysetscif.com, 1 +readysetworkpa.com, 1 +readysetworksd.com, 1 +readystep.ga, 1 +readytocleanga.com, 1 +readytongue.com, 0 +readywithresourcestn.gov, 1 +reaff.com, 0 +reaganlibrary.gov, 1 +reakcjonista.tk, 1 +reaksi.id, 1 +real-blog.eu, 1 +real-it.nl, 1 +real-linux.tk, 1 +real-site.tk, 1 +real-srebrenica-genocide.cf, 1 +real-srebrenica-genocide.ga, 1 +real-srebrenica-genocide.gq, 1 +real-srebrenica-genocide.ml, 1 +real-thailand.tk, 1 +real-work.tk, 1 +real2000.com, 1 +realacademy.net, 1 +realactionslots.com, 1 +realanteile.at, 0 +realbiographies.cf, 1 +realbiz.ml, 1 +realcanada.com.gt, 1 +realcapoeira.ru, 1 +realclinic.jp, 1 +realdomdom.cf, 1 +realestate-in-uruguay.com, 1 +realestate-lidl.at, 1 +realestate-lidl.be, 1 +realestate-lidl.bg, 1 +realestate-lidl.ch, 1 +realestate-lidl.co.uk, 1 +realestate-lidl.com, 1 +realestate-lidl.cz, 1 +realestate-lidl.dk, 1 +realestate-lidl.fr, 1 +realestate-lidl.gr, 1 +realestate-lidl.it, 1 +realestate-lidl.lt, 1 +realestate-lidl.lu, 1 +realestate-lidl.lv, 1 +realestate-lidl.pl, 1 +realestate-lidl.pt, 1 +realestate-lidl.ro, 1 +realestate-lidl.rs, 1 +realestate-lidl.se, 1 +realestate-lidl.sk, 1 +realestateagent-directory.com, 1 +realestatebees.com, 1 +realestateblogs.tk, 1 +realestateboston.tk, 1 +realestateexecutives.tk, 1 +realestategreenville.tk, 1 +realestatekanada.tk, 1 +realestatemaryland.tk, 1 +realestateofnewmexico.com, 1 +realestateonehowell.com, 1 +realestates.istanbul, 1 +realestatesales.gov, 1 +realestatestagingassociation.com, 1 +realestatetennessee.net, 1 +realestatewebnews.tk, 1 +realfamilyincest.com, 1 +realfreedom.city, 0 +realgarant-shop.de, 0 +realgiulianova.it, 1 +realgogo.com, 1 +realgoods.com, 1 +realhelpcompany.ga, 1 +realhorsegirls.net, 1 +realhost.name, 1 +realhypnosistraining.com.au, 1 +realidad.tk, 1 +realimagess.com, 1 +realincest.tv, 1 +realinsurance.com.au, 1 +reality.news, 1 +reality0ne.com, 0 +realitycrazy.com, 1 +realitydudes.com, 1 +realitydudesnetwork.com, 1 +realityjunkies.com, 1 +realitykings.com, 1 +realityrecoverycollective.tk, 1 +realitystudio.org, 1 +realitytoday.cf, 1 +realives.com, 1 +realizegov.com, 1 +realkeywords.ga, 1 +reall.uk, 1 +reallife-it.de, 1 +reallifeforums.com, 0 +reallight.ge, 1 +reallinux.tk, 1 +reallivingcc.com, 1 +reallovetab.ga, 1 +really-simple-plugins.com, 1 +really-simple-ssl.com, 1 +reallyangryaboutchipshops.com, 1 +reallybadidea.tk, 1 +reallycooljobs.ga, 1 +reallyone.com, 1 +reallytrusted.com, 1 +reallywild.tk, 1 +realm-of-shade.com, 1 +realm.is, 1 +realmadrid-bet1x2.com, 1 +realmadridoffice.tk, 1 +realmaturetube.com, 1 +realmixwell.tk, 1 +realmjoin.com, 1 +realmofaesir.com, 1 +realmofespionage.xyz, 1 +realmoney.games, 1 +realnature.com.br, 1 +realneo.me, 1 +realnet.tk, 1 +realno-money.tk, 1 +realonline.com.au, 1 +realoteam.ddns.net, 1 +realpaella.com, 1 +realpropertyprofile.gov, 1 +realpython.com, 1 +realrapfans.tk, 1 +realshopit.blog, 1 +realtechreviews.com, 1 +realtimenetworks.com, 1 +realtimeregister.com, 1 +realtoraidan.com, 1 +realty-pochta.tk, 1 +realtygroup-virginia.com, 1 +realtyofnaples.com, 1 +realtys.ca, 1 +realum.com, 1 +realum.de, 1 +realum.eu, 1 +realum.net, 1 +realvapamarde.cf, 1 +realvisioninternet.com, 1 +realvnc.com, 1 +realvnc.help, 1 +realwaycome.com, 1 +realwebsite.ga, 1 +realwinner.es, 1 +realworldholidays.co.uk, 1 +realyux.com, 1 +reancos.report, 1 +reanimated.eu, 1 +reanimed.com.ua, 1 +reank-mnx.site, 1 +reapandsowmarketing.com, 1 +rearmatch.cf, 1 +rearmatch.ga, 1 +rease.com.au, 1 +reavaninc.com, 1 +reaven.nl, 1 +rebajasoferta.com, 1 +rebalancenyc.com, 1 +rebaltica.lv, 1 +rebane2001.com, 1 +rebargroup.org, 1 +rebase.com.tr, 1 +rebatekey.com, 1 +rebecamode.ch, 1 +rebeccawendlandt.com, 1 +rebeccawilson.co.uk, 1 +rebel-owl.com, 1 +rebel.com.br, 1 +rebelbranding.nl, 1 +rebelchick.tk, 1 +rebelcorp.cloud, 1 +rebelcorp.ltd, 1 +rebeldeway-al.tk, 1 +rebeldeway-ks.tk, 1 +rebelko.de, 1 +rebellecare.com, 1 +rebelliouskitten.art, 1 +rebellyon.info, 1 +rebelonline.nl, 1 +rebelsewerservices.com, 1 +rebelsi.pl, 1 +rebelstudio.ml, 1 +rebelz.se, 1 +rebirthlongboard.co.th, 1 +rebizzield.com, 1 +rebonus.com, 1 +rebootwithnature.in, 0 +reboxetine.com, 1 +reboxonline.com, 1 +rebrandly.com, 1 +rebschool.ml, 1 +rebtoor.com, 0 +rebuga.com, 1 +rebuild96.ru, 1 +rebull.fr, 1 +rebure.com, 1 +rebus.support, 1 +rebusfarm.net, 1 +reby.cf, 1 +reby.tk, 1 +rec.moe, 1 +rec5.nl, 1 +recallinsider.com, 1 +recalls.gov, 1 +recambiospuntored.com, 1 +recantoshop.com.br, 1 +recaptcha-demo.appspot.com, 1 +recaptime.eu.org, 1 +recat-project.eu, 1 +receipts-app.com, 1 +receitas.tk, 1 +receitasdacassia.tk, 1 +receitasdepesos.com.br, 1 +receitasfavoritas.com, 1 +receptenwebsite.com, 1 +reception247.com, 0 +receptionsbook.com, 1 +recessmonkeyz.tk, 1 +recetasboricuas.com, 1 +recetasdelospaises.com, 1 +recetasdemape.com, 1 +recetasget.com, 1 +recetips.com, 1 +recettecookeo.net, 1 +recettes-de-tiramisu.fr, 1 +recettes-series.com, 1 +rechenknaecht.de, 1 +rechenwerk.net, 1 +recherchegruppe.tk, 1 +rechky.tk, 1 +recht.us, 1 +rechten-konsens-brechen.tk, 1 +rechtenliteratuurleiden.nl, 0 +rechtsanwalt-loesener.de, 1 +rechtsanwaltdrach.de, 1 +rechtsanwaltskammer-hamm.de, 1 +rechtschreibpruefung24.de, 1 +rechtsschutz-onlineshops.de, 1 +recidivism.com, 1 +recifaliste.fr, 1 +recipea.com, 1 +recipegym.com, 0 +recipekensaku.com, 1 +recipesbyjaz.com, 1 +recipesdelite.com, 1 +recipeslist.tk, 1 +recipesmadeeasy.co.uk, 1 +recipewebbook.com, 1 +recipex.ru, 1 +recipeyak.com, 1 +recipito.tk, 1 +reciple.kz, 1 +recitoners.net, 1 +reckers-griesbach.com, 1 +recklessly.ga, 1 +reckner.com, 1 +reckoning.gq, 1 +reckontalk.com, 1 +reckord-bau.de, 1 +reckord.org, 1 +reclaimmysparkle.com, 1 +reclaimyourface.eu, 1 +reclamejagers.nl, 1 +reclamewereldsmp.eu, 1 +reclinerfactory.com, 1 +reclusiam.net, 1 +recmon.hu, 1 +recoa.tk, 1 +recoilbox.com, 1 +recolic.cc, 1 +recolic.net, 1 +recollection.fr, 1 +recollective.com, 1 +recolor.ml, 1 +recomendador.cl, 1 +recommend.pro, 1 +recommends.ml, 1 +recompiled.org, 0 +recon-networks.com, 1 +recon.net.br, 1 +reconocimientoincan.org.mx, 1 +recordagrave.org, 1 +recordati.com.tr, 1 +recordmeeting.jp, 1 +recordmeeting.net, 1 +recordproduction.com, 1 +recordsmanagement.gov, 1 +recordstudio.tk, 1 +recouvrement-jmconseil.com, 1 +recoveringfromfaith.com, 1 +recoveringircaddicts.org, 1 +recoveringmarketer.com, 1 +recovers.pl, 1 +recovery.gov.au, 1 +recoveryohio.gov, 1 +recoveryonline.org, 1 +recoveryunplugged.com, 1 +recovre.com.au, 1 +recraft-batteries.com, 1 +recraft-ventures.com, 1 +recraft.energy, 1 +recraft.ventures, 1 +recraftventures.com, 1 +recreatiewoningverzekeringen.nl, 1 +recroommasters.com, 1 +recruit.net, 1 +recruitcrm.io, 0 +recruiterbox.com, 1 +recruiting.ai, 1 +recruitnow.nl, 1 +recruitpedia.co.uk, 1 +recruitpediacorp.com, 1 +recruitsecuritytraining.co.uk, 1 +recruitsecuritytraining.com, 1 +recruitskill.cf, 1 +recruitskill.ga, 1 +recruitskill.gq, 1 +rectale.co, 1 +rectale.com, 1 +rectale.xyz, 1 +rectecforum.com, 1 +rectoraudiparts.com, 1 +rectoverso61.fr, 1 +rectus.co.jp, 1 +recuperation-points.fr, 1 +recuperatucuentaya.com, 1 +recupero.it, 1 +recurly.com, 1 +recursos.vip, 1 +recursoscristianosleinad.com, 1 +recursosilimitados.tk, 1 +recursosimbiopos.com, 1 +recursosmi.com.br, 1 +recursosrev.tk, 1 +recycle-plant.com, 0 +recycle.cf, 1 +recyclebc.ca, 1 +recyclebin.email, 1 +recycledinorsett.co.uk, 1 +recycledinorsett.com, 1 +recyclenow.com, 1 +recycling.tk, 1 +recyclingisland.com, 1 +recyklacekovu.cz, 1 +red-button.hu, 1 +red-dragon.tk, 1 +red-eyed-tree-frogs.com, 1 +red-lightning.tk, 1 +red-official.com, 1 +red-panda.be, 1 +red-planet.tk, 1 +red-t-shirt.ru, 1 +red-train.de, 1 +red-trigger.net, 1 +red-wine.tk, 1 +red031000.com, 1 +red1it.net, 1 +red2fred2.com, 1 +redable.nl, 1 +redacted.finance, 1 +redactibio.com, 1 +redactieco.nl, 1 +redaktcms.com, 1 +redarx.com, 1 +redballoonsecurity.com, 1 +redbeardplumbing.net, 1 +redcabbage.tk, 1 +redcanary.co, 1 +redcandycane.tk, 1 +redcapital.cl, 1 +redcardinal.tk, 1 +redcarnationhotels.com, 1 +redcarpetmonday.com, 1 +redcatrampageforum.com, 1 +redcedar.gov, 1 +redchat.cz, 1 +redcity.apartments, 1 +redcode-web.design, 1 +redcoded.com, 1 +redcone.net, 1 +redcontralarepresion.org, 1 +redcorus.com, 1 +redcreek.tk, 1 +redcross.com.ph, 1 +redcupit.com, 1 +redd.it, 1 +reddark.io, 1 +reddcoin.com, 1 +reddcrypt.com, 1 +reddepsicologosdecr.com, 1 +reddice.tk, 1 +reddingo.at, 1 +reddingo.be, 1 +reddingo.ch, 1 +reddingo.com, 1 +reddingo.com.au, 1 +reddingo.de, 1 +reddingo.es, 1 +reddingo.eu, 1 +reddingo.fr, 1 +reddingo.it, 1 +reddingo.jp, 1 +reddingo.nl, 1 +reddingo.nz, 1 +reddingrancheria-nsn.gov, 1 +reddingsbrigade-zwolle.nl, 1 +reddit.com, 1 +reddit2kindle.com, 1 +redditinc.com, 1 +reddraggone9.com, 0 +reddyai.com, 1 +rede-reim.de, 1 +rede-t.com, 1 +redearsliderturtles.com, 1 +redecsirt.pt, 1 +rededca.com, 1 +rededecuidadores.pt, 1 +redefertig.de, 1 +redefiningstrength.com, 1 +redehiperfarma.com.br, 1 +redelectrical.co.uk, 0 +redemancy.net, 1 +redemption.gq, 1 +redes-neuronales.tk, 1 +redeyeguatemala.tk, 1 +redfish.tk, 1 +redflare.com.au, 1 +redfog.com, 1 +redfox-media.com, 1 +redfox-media.eu, 1 +redfox-media.net, 1 +redfox-media.org, 1 +redfoxlotto.com, 1 +redfoxmarketiing.com, 1 +redfoxwebdesign.com.au, 1 +redgatesoftware.co.uk, 1 +redgeek.cf, 1 +redgeek.ga, 1 +redgeek.gq, 1 +redgeek.ml, 1 +redgranitefdwi.gov, 1 +redgravity.net, 1 +redhackerteam.tk, 1 +redhandedsecurity.com.au, 1 +redhead.id.au, 1 +redheadfuck.com, 1 +redheeler.com.br, 1 +redhillboardriders.tk, 1 +redhookchallenge.org, 1 +redhookny.gov, 1 +redhotmonks.com, 1 +redhotmonks.nl, 1 +redhottube.cf, 1 +redhottube.ga, 1 +redhottube.gq, 1 +redhottube.ml, 1 +redi.tk, 1 +rediafile.com, 1 +rediazauthor.com, 1 +redid.com.au, 1 +redion.me, 1 +redir.me, 1 +redireci.one, 1 +redirecionarnoticias.ml, 1 +redirect.fedoraproject.org, 1 +redirect.pizza, 1 +redirect.stg.fedoraproject.org, 1 +redirect.works, 1 +redirection-plf.online, 1 +rediscoveredfamilies.com, 1 +redisgreen.com, 1 +rediske.me, 1 +redite.co, 1 +redivis.com, 1 +redjuice.co.uk, 1 +redkite.se, 1 +redknothomes.com, 1 +redletter.link, 1 +redlight.net, 1 +redlink.de, 1 +redlink.tk, 1 +redlinker.ml, 1 +redlionclub.ga, 1 +redlionhockwold.com, 1 +redloeki.tk, 1 +redmarker.ai, 1 +redmas.com.co, 1 +redmejoracontinua.com, 1 +redmondoregon.gov, 1 +redmore.me, 1 +redneck-radio.tk, 1 +redneragenturen.org, 1 +rednex.tk, 1 +rednsx.org, 0 +rednumberone.com, 1 +redoikos.org, 1 +redot.com, 1 +redpanda.gay, 1 +redparrotstudios.tk, 1 +redpen.gr, 1 +redper.serveminecraft.net, 1 +redperegrine.com, 0 +redphi.dedyn.io, 1 +redphoenix.tk, 1 +redpitaya.com, 1 +redprice.by, 1 +redq.now.sh, 1 +redrafting.ga, 1 +redragon.co.za, 1 +redraven.studio, 1 +redrealm.tk, 1 +redrivernm.gov, 1 +reds-dev.ga, 1 +redsequence.com, 1 +redshank-largeformat.co.uk, 1 +redshell.pw, 1 +redshiftcybersecurity.co.za, 1 +redshoeswalking.net, 1 +redshop.uk, 1 +redsicom.com, 1 +redsiege.com, 1 +redsift.cloud, 1 +redsift.com, 1 +redsift.io, 1 +redsis.com, 1 +redskullstuff.gq, 1 +redsolutor.gq, 1 +redsquarelasvegas.com, 1 +redstack.tk, 1 +redstarline.be, 1 +redstarpictures.tk, 1 +redstarsurf.com, 1 +redstarwholesale.co.za, 1 +redstoneart-server.top, 1 +redstonehomekits.com, 1 +redstoner.com, 1 +redstonium.net, 1 +redstor.com, 1 +redtails.tk, 1 +redteam-pentesting.de, 1 +redteam.coach, 1 +redteams.fr, 1 +redtomato.ga, 1 +redtrig.ca, 1 +redtrig.com, 1 +redtsar2000papers.tk, 1 +redtubs.tk, 1 +redtune.jp, 1 +reducealcoholism.com, 1 +reducedlens.org, 1 +reducer.co.uk, 1 +reducto.tk, 1 +reduktorntc-k.com.ua, 1 +redunion.tk, 1 +redvau.lt, 1 +redvent-decor.ru, 1 +redvent.ru, 1 +redwater.co.uk, 1 +redwaterhost.com, 1 +redwaymu.cf, 1 +redweek.com, 1 +redwhey.com, 1 +redwiki.tk, 1 +redwillowcountyne.gov, 1 +redwood.pw, 1 +redwoodsgroup.com, 1 +redwoodtoxicology.com, 1 +redzonedaily.com, 1 +reebelo.co.nz, 1 +reebelo.com.au, 1 +reececustom.com, 1 +reedgroup.com, 1 +reedsvillewi.gov, 1 +reedy.tk, 1 +reeftrip.com, 1 +reehomes.com, 1 +reel360.com, 1 +reeladventurefishing.com, 1 +reelchicago.com, 1 +reelgame.ml, 1 +reelnews.ga, 1 +reels.in.th, 1 +reelssaver.com, 1 +reemployks.gov, 1 +reenergo.ru, 1 +reenio.com, 1 +reenio.cz, 1 +reenio.sk, 1 +reentry.gov, 1 +reentrycenterofocala.com, 1 +rees-carter.net, 1 +reesi.site, 1 +reesmichael1.com, 1 +reeson.at, 1 +reeson.de, 1 +reeson.info, 1 +reeson.org, 1 +reevaappliances.co.uk, 1 +reeves-family.com, 1 +reevoo.com, 1 +reezocar.be, 1 +reezocar.com, 1 +refalm.com, 1 +refb.org, 1 +refbanners.com, 1 +refbanners.website, 1 +refer.codes, 1 +refer.nhs.uk, 1 +referat.club, 1 +referati.tk, 1 +referdell.com, 1 +reference-classic.fr, 1 +reference-emploi.com, 1 +reference-expertise.fr, 1 +reference.be, 1 +referencement-local.info, 1 +referenceur.be, 1 +referendumcouncil.org.au, 1 +referko.in, 1 +referrer.website, 1 +reffect.io, 1 +refillrx.com, 1 +refillthecity.eu, 1 +refinedinspectionservices.com, 1 +refinedlightingaz.com, 1 +refinedroomsllc.com, 1 +refinery29.com, 1 +refjob.jp, 1 +reflab.dk, 1 +reflectionsbarlingsbeach.com.au, 1 +reflectionsonthebay.org.au, 1 +reflecton.io, 1 +reflectoring.io, 1 +reflectson.org, 1 +refletindosaude.com.br, 1 +reflets-de-france.fr, 0 +reflets.info, 1 +reflexions.co, 1 +reflexionspain.tk, 1 +reflexive-engineering.com, 1 +refline.ch, 1 +refluxogastroesofagico.ga, 1 +refocusai.com, 1 +refood-cascaiscpr.eu, 1 +refood.com, 1 +reform.ee, 1 +reformando-t.es, 1 +reformasflores.com, 1 +reformation.financial, 1 +reformatreality.com, 1 +reformayobra.com, 1 +reformedermatology.com, 1 +refpa.top, 1 +refpa1342653.top, 1 +refpa170071.top, 1 +refpa4216323.top, 1 +refpa4496162.top, 1 +refpa4903566.top, 1 +refpa5446390.top, 1 +refpa59720.top, 1 +refpa6781648.top, 1 +refpaasxufov.top, 1 +refpabei.top, 1 +refpabuyoj.top, 1 +refpadewok.com, 1 +refpaewsbc.top, 1 +refpaffkansb.top, 1 +refpaicctvtm.top, 1 +refpaiglbwkv.top, 1 +refpaikgai.top, 1 +refpajqhsd.top, 1 +refpakrtsb.top, 1 +refpakwpsrbm.top, 1 +refpalqtdn.top, 1 +refpamjeql.top, 1 +refpanjoke.com, 1 +refpaopsxi.top, 1 +refpaqutiu.top, 1 +refparrknf.top, 1 +refpasra.host, 1 +refpasrasw.world, 1 +refpaswoon.top, 1 +refpatqltx.top, 1 +refpavikwm.top, 1 +refpavnpad.top, 1 +refpaydc.top, 1 +refpayio.top, 1 +refpazkjixes.top, 1 +reframeituk.org.uk, 1 +refresh-dc.org, 1 +refreshcartridges.co.uk, 1 +refreshingserum.com, 1 +refreshliving.us, 1 +refreshmentshop.co.uk, 1 +refrigeracion2hermanos.com.mx, 1 +refrigeratorrepair-austin.com, 1 +refu.net, 0 +refuelcollective.com, 0 +refuelcreative.com.au, 0 +refuelmcconnell.com, 1 +refuelmcconnell.marketing, 1 +refugiodomilitar.com.br, 1 +refundo.cz, 1 +refundo.sk, 1 +refurb-tracker.com, 1 +refusedcarfinance.com, 1 +reg.place, 1 +rega-sport.it, 1 +regacentro.pt, 1 +regain.com, 1 +regain.us, 1 +regal.radio, 1 +regalador.com, 1 +regalcapitalwi.com, 1 +regalfille.com, 1 +regalosymuestrasgratis.com, 1 +regalpaintingfdl.com, 1 +regalradio.net, 1 +regaltheatre.com.au, 1 +regamega.ru, 0 +reganclassics.co.uk, 1 +reganclassics.com, 1 +reganparty.com, 1 +regardezleprogramme.fr, 1 +regasportshop.it, 1 +regata-club.com.ua, 1 +regata2015.tk, 1 +regatesenbretagne.bzh, 1 +regazofotografia.com, 1 +regdomain.ga, 1 +regdomain.tk, 1 +regele.tk, 1 +regenboghorn.com, 0 +regencytablesandsinks.com, 1 +regencywalkinclinic.com, 1 +regendevices.eu, 1 +regeneo.cz, 1 +regenerapoint.it, 1 +regenpfeifer.net, 0 +regensburg-repariert.de, 1 +regent.ac.za, 1 +regentcruises.com, 1 +regentmovies.tk, 1 +regento.bg, 1 +regex.bingo, 1 +regex101.com, 1 +reggaesumfest.com, 1 +reggaexplosion.tk, 1 +reggea.tk, 1 +reggiotoday.it, 1 +regiamo.ch, 1 +regiaodeaveiro.pt, 1 +regie-sc.ch, 1 +regime-anticellulite.com, 1 +regimebonheur.com, 1 +reginaascanio.es, 1 +reginaclinic.jp, 1 +reginalenz.com, 1 +reginfo.gov, 1 +regio-salland.nl, 1 +regiobeveland.nl, 1 +regioinfo.nl, 1 +regiojet.com, 1 +regiojet.cz, 1 +region-vologda.tk, 1 +region22.tk, 1 +region6armymars.org, 1 +regionaalenergieloket.nl, 1 +regional-rabatt.de, 1 +regionalgrowth.com, 1 +regionethost.tk, 1 +regionethungaria.hu, 1 +regionmedia.cf, 1 +regionstea.net, 1 +regioplanverbindt.nl, 1 +regiosalland.nl, 1 +regiovertrieb.de, 0 +regis.tech, 1 +regisearch.co.uk, 1 +registech.com, 1 +register.com.np, 1 +register.to, 0 +registerforevent.co.uk, 1 +registerforhappywellth.com, 1 +registertovoteflorida.gov, 1 +registr.io, 1 +registrarius.org, 1 +registrarplus.net, 1 +registrarplus.nl, 1 +registrierung.tk, 1 +registry.google, 1 +registry.quebec, 1 +registryfinder.com, 1 +registryplus.net, 1 +registryplus.nl, 1 +regmik.ua, 1 +regnix.net, 1 +regnr.info, 1 +regolithmedia.com, 1 +regon.hu, 1 +regospel.tk, 1 +regpacks.com, 1 +regraph.de, 1 +regression.tk, 1 +regsec.com, 1 +regtech.tk, 1 +regtify.com, 1 +regtify.org, 1 +regtransfers.co.uk, 1 +reguladordevoltagem.com.br, 1 +regularizaboti.com.br, 1 +regularlabs.com, 1 +regulations.gov, 1 +regulative.gq, 1 +rehab.cf, 1 +rehab.cn.ua, 1 +rehabilitologist.ru, 1 +rehabphilippines.com, 1 +rehabthailand.com, 1 +rehabthailand.org, 1 +rehasport-informationen.de, 1 +rehasport-marketing.de, 1 +rehasportwelt.de, 1 +rehau-ua.com, 1 +reher.pro, 1 +rehobothbeachde.gov, 1 +rehobothma.gov, 1 +reholi.com.ar, 1 +rehzzo.cloud, 1 +rei.ki, 1 +reiaudio.com.br, 1 +reichardt-home.goip.de, 1 +reichel-steinmetz.de, 1 +reichelt-cloud.de, 1 +reichelt.com, 1 +reichelt.de, 1 +reichelt.nl, 1 +reichl-online.net, 1 +reiciunas.lt, 1 +reidasbombas.com, 1 +reidasmalas.com.br, 1 +reidasofficial.lt, 1 +reidjaeger.com, 1 +reidodice.com, 1 +reidope.com.br, 1 +reidostorrents.com, 1 +reidrice.com, 1 +reifeswinger.com, 1 +reifr.net, 1 +reignsphere.net, 1 +reiki-france.fr, 1 +reikiblog.cf, 1 +reikicrystal.com, 1 +reikimart.com, 1 +reikimaster.tk, 1 +reilly.io, 1 +reimaginebelonging.de, 1 +reimaginebelonging.org, 0 +reimann.me, 1 +reimers.de, 1 +reimsmediaslibres.info, 1 +reinaertvandecruys.com, 1 +reinaertvandecruys.me, 1 +reinaldudrasfamily.ee, 1 +reinascba.com.ar, 1 +reinencaressa.be, 1 +reiner-h.de, 1 +reinfer.io, 1 +reinfo.wiki, 1 +reingroup.ru, 1 +reinhardtsgermanautorepair.com, 1 +reinhardtsgrimma.de, 1 +reinhart-auto.cz, 1 +reinheft.de, 0 +reinierjonker.nl, 1 +reinisch.io, 1 +reinodemurcia.tk, 1 +reinoldus.ddns.net, 1 +reinotools.com, 1 +reinout.nu, 1 +reinouthoornweg.nl, 1 +reintjens.de, 1 +reinventersontravail.com, 1 +reinvention-institute.com, 1 +reirei.cc, 1 +reisbergadr.com, 1 +reisdemuthwiltgen.com, 1 +reisebuero-baader.de, 1 +reisen.ga, 1 +reisenbauer.at, 1 +reisenbauer.ee, 0 +reiseziel-hiddensee.de, 0 +reiseziele.tk, 1 +reishikitchen.co.uk, 1 +reishikitchen.com, 1 +reishiplantkitchen.co.uk, 1 +reishiplantkitchen.com, 1 +reispower.nl, 1 +reisslittle.com, 1 +reissnehme.com, 1 +reisspecialistdevalk.nl, 1 +reitmeier.me, 1 +reitoracle.com, 1 +reitstall-goettingen.de, 1 +reittherapie-tschoepke.de, 1 +reivernet.com, 0 +reja.au, 1 +rejahrehim.com, 1 +rejail.ru, 1 +rejected-by-society.tk, 1 +rejected.tk, 1 +rejective.tk, 1 +rejects.email, 1 +rejido.tk, 1 +rejushiiplotter.ru, 1 +rejuvetclinicpromotion.com, 1 +rekka-j.com, 1 +rekklab.com, 1 +rekkur.com, 1 +rekkur.consulting, 1 +rekkur.de, 1 +rekkur.dev, 1 +rekkur.io, 1 +rekkur.net, 1 +rekkur.org, 1 +rekkur.solutions, 1 +rekkur.team, 1 +rekkur.tech, 1 +rekkur.technology, 1 +rekkursolutions.com, 1 +rekkurtechnology.com, 1 +reklama-crimea.com, 1 +reklamapoumu.ru, 1 +reklamim.tk, 1 +reklamirui.tk, 1 +reklamjog.hu, 1 +reklamy-led.tk, 1 +rekmedia.tk, 1 +rekono.si, 0 +rekorhaliyikama.com, 1 +reksadanapanin.co.id, 1 +rekurasi.com, 1 +rekursion.at, 1 +rel-me.cc, 1 +relais-laguiole.com, 1 +relaisducoustoubi.com, 1 +relatedgroup.com, 1 +relates.link, 1 +relatethesport.com, 0 +relatic.net, 1 +relation.cf, 1 +relationalplayground.com, 1 +relations-business.com, 1 +relationsatwork.net, 1 +relationshiptalk.net, 1 +relationsproblem.nu, 1 +relatosypoesias.tk, 1 +relawan24jam-magetan.pp.ua, 1 +relaxcenternederland.nl, 1 +relaxdata.eu, 1 +relaxhavefun.com, 1 +relaxpointhyncice.cz, 1 +relaxti.me, 1 +relaxxed.nl, 1 +relaxxxed.com, 1 +relaybox.io, 1 +relayto.com, 1 +release-monitoring.org, 1 +releasedate.me, 1 +releaseinternational.org, 1 +releasepoint.com, 1 +releases.live, 1 +releasetimes.io, 1 +relevaillesquebec.com, 1 +relevanttomyinterests.com, 1 +releve-analyser.com, 1 +reley.me, 1 +reliabilityweb.com, 1 +reliablecanadianpharmacy.com, 1 +reliabledegree.com, 1 +reliablemaids.co.uk, 1 +reliablemojo.com, 1 +reliablepi.com, 1 +reliableremovals-blackpool.co.uk, 1 +reliablewire.com, 1 +reliahost.nl, 1 +relialink.co.uk, 1 +reliant.com, 1 +reliant3sixty.com, 1 +reliantpropertygrpri.com, 1 +relic.gq, 1 +relieftn.com, 1 +reliefweb.int, 1 +religious-life.com, 1 +religiousfreedomunderfire.com, 1 +religiya.tk, 1 +relikt.tk, 1 +relines.ru, 1 +relisten.nl, 1 +reloading.ml, 1 +relocatefeds.gov, 1 +relojeriajoyeria.com, 1 +relojes-especiales.com, 1 +relojes-online.com, 1 +relookdecoration.fr, 1 +relsak.cz, 0 +reltio.com, 1 +relution.io, 1 +relvan.com, 1 +relvan.tech, 1 +relyhost.io, 1 +relyon-plasma.com, 1 +relyonnutec.com, 1 +rem-coatings.de, 1 +rem-cond.ru, 1 +rem0te.net, 1 +remain.london, 1 +remake-projects.tk, 1 +remambo.jp, 1 +remarkmart.com, 1 +remateszarate.cl, 0 +remax-direct.co.il, 1 +remax.at, 1 +remaxelite.co.il, 1 +remaxtop.co.il, 1 +remeb.de, 1 +remedi.tokyo, 1 +remediohalkiparaladiabetes.org, 1 +remedionaturales.com, 1 +remedioparaherpes.com, 1 +remedios.com.br, 1 +remedioscaseros.guru, 1 +remejeanne.com, 1 +remembear.com, 1 +remember.de, 1 +rememberingjordan.org, 1 +remembermidi.sytes.net, 1 +rememberthemilk.com, 0 +remembervets.com, 1 +remennik.tk, 1 +remesal.es, 1 +remessaonline.com.br, 1 +remetall.cz, 1 +remezcla.com, 1 +remhomut.ru, 1 +remi-decker.tk, 1 +remi-saurel.com, 1 +remi-theriault.com, 1 +remiafon.com, 1 +remicade.com, 1 +remifajardo.cf, 1 +remilner.co.uk, 1 +reminda.com, 1 +reminded.tk, 1 +remington-europe.com, 1 +remirampin.com, 1 +remissan.com, 1 +remissionclinic.com, 0 +remitano.com, 1 +remix64.com, 1 +remiz.org, 1 +remmik.com, 1 +remminhdang.com, 1 +remo.health, 1 +remodded.cf, 1 +remodded.gq, 1 +remodded.ml, 1 +remodded.tk, 1 +remodelate.mx, 1 +remodelhealth.com, 1 +remodelwithlegacy.com, 1 +remonline.ru, 1 +remont-45.tk, 1 +remont-kazan.tk, 1 +remont-kvartirvmoskve.ga, 1 +remont-naushnikov.tk, 1 +remont-rollet-izgotovlenie.cf, 1 +remont-rukami.tk, 1 +remontdot.tk, 1 +remontfirm.tk, 1 +remonti.info, 1 +remontkompyutera.tk, 1 +remontlog.com, 1 +remontmax.bg, 1 +remontmebliv.lviv.ua, 1 +remonto.tk, 1 +remontpc.cf, 1 +remontpc.tk, 1 +remontportal.tk, 1 +remontstrong.ru, 1 +remonttikauppa.com, 1 +remontuks.ru, 1 +remora.tk, 1 +remorse.ga, 1 +remote-health.net, 1 +remoteassistants.io, 1 +remotebudget.com, 1 +remotedesktop.corp.google.com, 1 +remotedxb.com, 1 +remoteoffice.ga, 1 +remoteok.com, 1 +remoteroom.jp, 1 +remoteshack.cf, 1 +remoteshack.ml, 1 +remoteutilities.com, 1 +remoteworkertech.asia, 1 +remoteworkingpal.com, 1 +remotewx.com, 1 +remotish.com, 1 +removalcellulite.com, 1 +removebg.in, 1 +removedrepo.com, 1 +removerz.ca, 1 +remploy.co.uk, 1 +remptmotors.com, 0 +remsenny.gov, 1 +remservices.ky, 1 +remsoft.com.br, 1 +remwhile.com, 1 +remyb.me, 1 +remyphotography.fr, 1 +remyroguevolution.tk, 1 +rena.am, 1 +renaatsioncke.com, 1 +renaissance.shop, 1 +renard-pierne-avocats.fr, 1 +renascercorretora.com.br, 1 +renascerstp.org, 1 +renate-lietz.de, 1 +renatemamber.nl, 1 +renateonline.tk, 1 +renaudmuller.fr, 1 +renaultclubticino.ch, 0 +rencbrain.com, 1 +rencontredemerde.fr, 1 +rendall.tv, 1 +render.com, 1 +renderatelier.com, 1 +renderferma-cash.tk, 1 +renderloop.com, 1 +renderstack.io, 1 +renderworld.tk, 1 +renderzone.tk, 1 +rendez-vous.gq, 1 +rendezvous-cafe.co.uk, 1 +rendre-service.ch, 0 +rendutowers.org.au, 1 +rene-eizenhoefer.de, 1 +rene-schwarz.com, 0 +rene-stolp.de, 1 +renearends.nl, 1 +renecoignard.co, 1 +renecoignard.com, 1 +renecoignard.fr, 1 +renecoignard.me, 1 +renecoignard.net, 1 +renecoignard.org, 1 +renecoignard.ru, 1 +renedekoeijer.com, 1 +renegadeexploration.com, 1 +renehsz.com, 1 +renem.net, 0 +reneopharma.com, 1 +reneploetz.de, 1 +reneschmidt.de, 1 +reneschroeter.de, 1 +renet.com.br, 1 +renet.tk, 1 +renevo.eu, 1 +renewablekids.tk, 1 +renewablemaine.org, 1 +renewcleaningservices.net, 1 +renewedhr.com, 1 +renewgsa.com, 1 +renewittke.ch, 1 +renewittke.com, 1 +renewmedispa.com, 0 +renewpfc.com, 1 +renezuo.com, 1 +renicimery.com.br, 1 +renjyaku-dental.com, 1 +renkenlaw.com, 1 +renklihobi.com, 1 +rennes-bachata.com, 1 +rennes-blues.com, 1 +rennes-danse-africaine.com, 1 +rennes-danse-orientale.com, 1 +rennes-danses-en-ligne.com, 1 +rennes-hip-hop.com, 1 +rennes-lindy-hop.com, 1 +rennes-pilates.com, 1 +rennes-reggaeton.com, 1 +rennes-rock-6-temps.com, 1 +rennes-salsa-portoricaine.com, 1 +rennes-salsa.com, 1 +rennes-tango.com, 1 +rennes-valse.com, 1 +rennes-west-coast-swing.com, 1 +rennes-yoga.com, 1 +rennes-zumba.com, 1 +rennfire.org, 1 +rennie.com, 1 +renoboston.com, 1 +renocountyks.gov, 1 +renoproject.org, 1 +renorun.ca, 1 +renorun.com, 1 +renos.tk, 1 +renovalar.com.br, 1 +renovandoingresos.com, 1 +renovation-abm.fr, 1 +renovation-de-facade.fr, 1 +renovation-interieur-paris.com, 1 +renovation-maison.paris, 1 +renovationsatl.com, 1 +renovationsf.cf, 1 +renovationsf.ga, 1 +renovera.be, 1 +renovum.es, 1 +renrenche.com, 0 +rens.nu, 1 +renscreations.com, 1 +rent-a-c.io, 1 +rent-a-coder.de, 1 +rent-car.ga, 1 +rent-to-own-home.ga, 1 +rent.ie, 1 +rent.men, 1 +rentacar.name.tr, 1 +rentacaramerica.com, 1 +rentacarankara.com.tr, 1 +rentacarizmir.com.tr, 1 +rentacarmedo.me, 1 +rentaciudadana.co, 1 +rentalboatsafety.com, 1 +rentalharmony.co.za, 1 +rentalseleutheraisland.com, 1 +rentalsport.it, 1 +rentamosandamios.com.mx, 1 +rentandamiosycasetas.com, 1 +rentandgoandalo.it, 1 +rentandgofalcade.it, 1 +rentandgosestriere.it, 1 +rentandgovalmalenco.it, 1 +rentasportexclusive.it, 1 +rentasweb.gob.ar, 1 +rentatrajes.com.mx, 1 +rentbasements.com, 1 +rentberry.com, 1 +rentbrowser.com, 1 +rentcafe.co.uk, 1 +rentex.com, 1 +rentfaster.ca, 1 +renthelper.us, 1 +renticar.com, 1 +rentinsingapore.com.sg, 1 +rently.nl, 1 +rentm.media, 1 +rentmama.cf, 1 +rentmama.ga, 1 +rentmama.gq, 1 +rentmama.ml, 1 +rentmasseur.com, 1 +rentmen.eu, 1 +rentnow.my, 1 +rentourhomeinprovence.com, 1 +rentsbg.com, 1 +rentsucks.com, 1 +renuo.ch, 1 +renusoni.ga, 1 +renusson.com, 1 +renut.com.np, 1 +renverse.co, 1 +renvillecountymn.gov, 1 +renvisegrad.hu, 1 +renwerks.com, 1 +renxinge.cn, 0 +renyiyou.com, 1 +renyu.ai, 1 +reo.gov, 0 +reorz.com, 0 +reox.at, 1 +repaircafe-hanau.de, 1 +repairdriveshafts.tk, 1 +repairingmobile.tk, 1 +repairit.support, 1 +repairland.gr, 1 +repairlinkshop.com, 1 +repairtly.com, 0 +repalriley38.com, 1 +repaper.org, 1 +reparacionesdecalefones.com, 1 +reparacioneslocativas.com.co, 1 +reparacionmovilesmurcia.com, 1 +repararimac.eu, 1 +repararipad.eu, 1 +reparariphone.biz, 1 +repararmac.eu, 1 +repararsamsung.eu, 1 +repararxiaomi.eu, 1 +reparatiecrm.nl, 1 +reparatieferestre.md, 1 +reparation-traceur.com, 1 +reparaturcafe-pfullendorf.de, 1 +reparo.pe, 0 +repasi.org, 1 +repat.de, 1 +repauto.com.ua, 1 +repaxan.com, 1 +repeat.gg, 1 +repettoshoes.tk, 1 +repin.in.ua, 1 +repinger.my.id, 1 +repl.ga, 1 +replacementrate.ga, 1 +replay.ga, 1 +replaynexus.com, 1 +replicacoin.ga, 1 +replicagold.ml, 1 +replici.net, 1 +replikatelefon.tk, 1 +repliksword.com, 1 +repo.ml, 1 +repology.org, 1 +report-incident.de, 1 +report-it.trade, 1 +report-uri.com, 1 +report.cf, 1 +reportallusa.com, 1 +reportband.gov, 1 +reporte.tk, 1 +reportercareer.ga, 1 +reporterre.net, 1 +reporters.ng, 1 +reporting.gov, 1 +reportoid.tk, 1 +reposaarenkuva.fi, 1 +reposeed.dev, 1 +reposeed.org, 1 +represent.us, 1 +reproaccess.gov, 1 +reproductive-revolution.com, 1 +reproductiveaccess.gov, 1 +reproductivehealthservices.gov, 1 +reproductiverevolution.com, 1 +reproductiverights.gov, 1 +reprogramador.com, 1 +reprogramador.es, 1 +reprogramming-predators.com, 1 +reprogrammingpredators.com, 1 +reprolegaldefensefund.org, 1 +reprolegalhelpline.org, 1 +reprorights.gov, 1 +repsltd.co.uk, 1 +repstalent.com, 1 +reptieleninfo.tk, 1 +reptilescan.com, 1 +reptrax.com, 1 +republic.gg, 1 +republic.gr, 1 +republica.gt, 1 +republicafederal.tk, 1 +republicanleader.gov, 1 +republicanwhip.gov, 1 +republicasantabanana.org, 1 +republicmo.gov, 1 +republictelecom.net, 1 +republik-sombora.tk, 1 +republikalajm.com, 1 +republikapost.com, 1 +republique.org, 1 +repuestosmedellin.com, 1 +repugnant-conclusion.com, 1 +repugnantconclusion.com, 1 +reputatiedesigners.nl, 1 +reqionstockholm.se, 1 +request.cf, 1 +requesthymn.com, 1 +requestio.pp.ua, 1 +requestr.co.uk, 1 +requeteguapas.com, 1 +requeue.ga, 1 +requin.tk, 1 +requirements.ga, 1 +rercel.com, 0 +reregu.cf, 1 +reroboto.com, 1 +reroboto.eu, 1 +reroboto.net, 1 +reroboto.org, 1 +reroboto.social, 1 +reroll.tv, 1 +rerumu.com, 1 +resale.condos, 1 +resalerental.com, 1 +resanebartar.tk, 1 +resbi.tk, 1 +resc.la, 1 +rescatec.com, 1 +resch-verlag.com, 1 +resch.pro, 1 +rescms-secure.com, 1 +rescuenode.com, 1 +rescuer.gq, 1 +rescuer.tk, 1 +research-panel.jp, 1 +research.facebook.com, 0 +researchmarathi.com, 1 +researchresults.com, 1 +researchstory.com, 1 +researchtriangle.org, 1 +researchwriting.co.uk, 1 +reseau-ait.ca, 1 +reseau-image.com, 1 +reseau-tee.net, 1 +reseau-web.com, 1 +reseau.je, 1 +reseau007.tk, 1 +resellerprogram.ga, 1 +resellrefreshrepeat.com, 1 +reserva-agora.pt, 1 +reservadecitasonline.com, 1 +reservar-un-hotel.com, 1 +reservationsair.com, 1 +reservetonshift.com, 1 +reservilaisliitto.fi, 1 +reset12.co.uk, 1 +resfriatech.com.br, 1 +reshebnik.ml, 1 +reshka.ga, 1 +residence-donatello.be, 1 +residence-edelweiss.com, 1 +residence-simoncelli.com, 1 +residencedesign.net, 1 +residencemagazine.se, 1 +residencepanoramique.com, 1 +residencescauri.it, 1 +residency-bond.eu, 1 +resident-evil.tk, 1 +residentiallocksmithdallas.com, 1 +residentialmortgageholdings.com, 1 +residentialpressurewashingchicago.com, 1 +residentinfo.net, 1 +residualpayments.com, 1 +resigno.tk, 1 +resilience.sh, 1 +resiliencebox.com, 1 +resilientlouisianacommission.gov, 1 +resilienzatropical.it, 1 +resimdo.de, 1 +resimevi.tk, 1 +resine.roma.it, 1 +resinflooringcompany.com, 1 +resinheaven.com.au, 1 +resisfestival.com, 1 +resist.bot, 1 +resistancebooks.com, 0 +resistav.com, 1 +resivibe.com, 1 +resize2fs.de, 0 +resju21.ch, 1 +resmigazete.gov.tr, 1 +resmim.net, 1 +resolu.ru, 1 +resolute.com, 1 +resolutesystems.com, 1 +resolutewealthmanagement.com, 0 +resolutionnews.cf, 1 +resolutionnews.ga, 1 +resolve-portal.it, 1 +resolved.tk, 1 +resolvefa.co.uk, 1 +resolvefa.com, 1 +resolveit.gq, 1 +resolvergroup.com.au, 1 +resolvo.com, 1 +resoplus.ch, 0 +resort-islands.net, 1 +resort-nuvola.be, 1 +resort.ga, 1 +resortafroditatucepi.com, 1 +resortrealty.com, 0 +resorts.ru, 1 +resortsupportfiji.com, 1 +resoundpro.ca, 1 +resourceconnect.com, 1 +resourceguruapp.com, 1 +resources.flowfinity.com, 1 +resourcesmanagementcorp.com, 1 +resourcespace.com, 1 +respawwn.com, 1 +respectmyprivacy.eu, 1 +respectmyprivacy.net, 1 +respectmyprivacy.nl, 1 +respecttheflame.com, 1 +respinar.com, 1 +respiradores.tk, 1 +respiranto.de, 1 +respiratorytherapistlicense.com, 1 +respire-yoga.fr, 1 +respokare.com, 1 +respon.jp, 1 +respondeck.de, 1 +responer.com, 1 +respons.je, 1 +respons.me, 1 +respons.mobi, 1 +respons.us, 1 +respons.ws, 1 +responscode.eu, 1 +responscode.info, 1 +responscode.mobi, 1 +responscode.nl, 1 +responsecode.info, 1 +responsecode.mobi, 1 +responsecode.nl, 1 +responsible-disclosure.nl, 1 +responsible.ca, 1 +responsibledisclosure.nl, 1 +responsivepaper.com, 1 +respostas.com.br, 1 +ressourcement-interieur.com, 1 +ressourceportal.dk, 1 +ressourcesindivior.com, 1 +ressourcesleopharma.fr, 1 +ressupply.com, 1 +rest-in-moscow.tk, 1 +resta.ga, 1 +restad.org, 1 +restart-brno.cz, 1 +restartperm.ml, 1 +restauraceumichala.cz, 1 +restaurant-de-notenkraker.be, 1 +restaurant-fujiyama.fr, 1 +restaurant-naan.de, 1 +restaurant-neuemuehle.de, 1 +restaurant-oregano.de, 1 +restaurant-rosengarten.at, 1 +restaurant-spartacus.tk, 1 +restaurantcleaningchicago.com, 1 +restaurantdetgulepakhus.tk, 1 +restaurantedonono.com.br, 1 +restaurantepepeyestrella.es, 0 +restauranteplatoubeda.es, 1 +restaurantesimonetti.com.br, 1 +restaurantguru.com, 1 +restauranthugo.nl, 1 +restaurantmadeinitaly.be, 1 +restaurants.sg, 1 +restauranttester.at, 1 +restauratorin-maubach-dresden.de, 1 +restauriedili.roma.it, 1 +restauto.com.ua, 1 +restbygait.com, 1 +restchart.com, 1 +rester-a-domicile.ch, 1 +rester-autonome-chez-soi.ch, 1 +restic.net, 1 +restior.com, 1 +restioson.me, 1 +restless.it, 1 +restlesseshop.com, 1 +restlesslegs.tk, 1 +resto-renaissance.be, 1 +restoclub.ru, 1 +restomojo.tk, 1 +restoran.cf, 1 +restorationphotos.tk, 1 +restorethegulf.gov, 1 +restoringhopeberks.org, 1 +restoruns.com, 1 +restrealitaet.de, 1 +restream.fi, 1 +resultsatretail.com, 1 +resultscx.com, 1 +resultsdate.news, 1 +resume4dummies.com, 1 +resumecompanion.com, 1 +resumegenius.com, 1 +resumegets.com, 1 +resumehelp.com, 1 +resumehelp.io, 1 +resumelibros.tk, 1 +resumenlatinoamericano.org, 1 +resumeprime.com, 1 +resumerabbit.com, 1 +resumeshoppe.com, 1 +resumevalley.com, 1 +resumeworded.com, 1 +resumic.com, 1 +resumic.dev, 1 +resumic.io, 1 +resumic.net, 1 +resumic.org, 1 +resurfacehub.com, 1 +resurgent.network, 1 +resurspartner.tk, 1 +resveratrolsupplement.co.uk, 1 +retailcleaners.ga, 1 +retailcybersolutions.com, 1 +retailing.cf, 1 +retailmarket.net, 1 +retailnext.net, 1 +retaque.tk, 1 +retarara.tk, 1 +retard.ca, 1 +retardedstudios.tk, 1 +retefrati.it, 0 +reteteaz.net, 1 +retetenoi.net, 1 +retetop95.it, 0 +reth.ch, 1 +rethymnorooms.tk, 1 +reticket.me, 1 +reticle.cf, 1 +reticon.de, 1 +retics.cf, 1 +retidurc.fr, 1 +retiesebaan.tk, 1 +retin.ml, 1 +retinaconsultantstexas.com, 1 +retinacv.es, 1 +retinens.com, 1 +retirementincomeplanninggroup.com, 1 +retireyourpassword.org, 1 +retiring-dentist.co.uk, 1 +retiringaccountant.co.uk, 1 +retiringifa.co.uk, 1 +retiva-bet23367.com, 1 +retivabet.com, 1 +retmig.dk, 1 +retmus.com, 1 +reto.ch, 0 +reto.io, 1 +retohaeberli.com, 0 +retokromer.ch, 0 +retool.com, 0 +retornaz.com, 1 +retornaz.eu, 1 +retornaz.fr, 1 +retract.com.au, 1 +retractableawningssydney.com.au, 1 +retraitebysaulsplace.nl, 1 +retro-game.org, 1 +retro-gaming.at, 1 +retro.rocks, 1 +retroarms.com, 1 +retroarms.cz, 1 +retrobook.tk, 1 +retrocdn.net, 1 +retrocircuitos.com, 1 +retrogamenews.tk, 1 +retrohousewifegoesgreen.com, 1 +retroity.net, 1 +retrojar.top, 1 +retrojugo.tk, 1 +retronet.nl, 1 +retropack.org, 1 +retropedal.tk, 1 +retrophoto.fr, 0 +retropixel.ga, 1 +retroride.cz, 1 +retroroundup.com, 0 +retroskoter.tk, 1 +retroslave.ga, 1 +retrotechgeek.net, 1 +retroterminal.com, 1 +retrotown.ws, 1 +retrotubesporn.com, 1 +retrovideospiele.com, 1 +retroworld.tk, 1 +retseptykaboli.cf, 1 +rettar.net, 1 +rette-ein-kinderleben.de, 1 +rettig.xyz, 1 +retube.ga, 1 +return-profit.tk, 1 +return.sh, 1 +returnearly.net, 1 +returnly.com, 1 +returnonerror.com, 1 +reucon.com, 1 +reueljohnk.com, 1 +reulitz.de, 0 +reuna.me, 1 +reunion.tk, 1 +reup.cash, 1 +reurbcaceres.com.br, 1 +reuschtools.com, 1 +reusesti.ro, 1 +reusorecicla.com.br, 1 +reut42.de, 1 +reuter-profishop.de, 0 +reuter.de, 0 +reuterhall.se, 1 +reutersevents.com, 1 +rev-crew.info, 1 +revaio.com, 1 +reval.com, 1 +revalidatiekennisnet.nl, 1 +revaloriza.cf, 1 +revapost.fr, 1 +revayd.net, 1 +revconnect.tk, 1 +revcovi.com, 1 +revda.su, 1 +reveal-sound.com, 1 +reveal11.cloud, 1 +revealcellcamtracker.com, 1 +revealdata.com, 1 +revechat.com, 1 +revellecoaching.com, 0 +revellio.tk, 1 +revenge-spells.com, 1 +revengegames.lv, 1 +revengeofthesomething.tk, 1 +revenue-playbook.com, 1 +revenuegeeks.com, 1 +revenuegrid.com, 1 +reverce.com, 1 +reveriecaps.com.br, 1 +revers.tk, 1 +reverse1999.wiki, 1 +reverseaustralia.com, 1 +reversecanada.com, 1 +reversecrucifixkm.altervista.org, 1 +reversedns.tk, 1 +reverseloansolutions.com, 1 +reversemortgageguides.com, 1 +reversemortgageguides.org, 1 +reversesouthafrica.com, 1 +revgen.life, 1 +revierstrand.de, 1 +review.jp, 1 +review247.ga, 1 +reviewbestseller.com, 1 +reviewchecker.nl, 1 +reviewdetector.ml, 1 +reviewengin.com, 1 +reviewgeek.com, 1 +reviewheaven.ml, 1 +reviewku.id, 1 +reviewninja.net, 1 +reviewpipe.com, 1 +reviews.anime.my, 0 +reviewsfunnel.com, 1 +reviewskia.com, 1 +reviewskia.in, 1 +reviewsonline.ml, 1 +reviewspot.net, 1 +reviewu.ca, 1 +revifymedspa.com, 1 +revijahak.hr, 1 +revintake.com, 1 +revionics.com, 1 +reviquimicos.com, 1 +revis-online.cf, 1 +revis-online.gq, 1 +revis-online.ml, 1 +revis-online.tk, 1 +revisi.id, 1 +revisione.it, 1 +revisionmedia.pl, 1 +revisionnotes.xyz, 1 +revisore.it, 1 +revisores.pt, 1 +revisoronline.cf, 1 +revisoronline.ga, 1 +revisoronline.gq, 1 +revisoronline.ml, 1 +revisoronline.tk, 1 +revista-atalaya.ml, 1 +revista-programar.info, 1 +revistabifrontal.com, 1 +revistacocina.tk, 1 +revistadiscover.com, 1 +revistaespecies.ga, 1 +revistaligustinus.tk, 1 +revistamatg.com, 1 +revitalisierungs-akademie.de, 1 +revivalinhisword.com, 1 +revivalprayerfellowship.com, 1 +revive-me.org, 1 +reviveourhearts.com, 1 +reviveplumbingmelbourne.com.au, 1 +reviviendolavilla.tk, 1 +revizor-online.cf, 1 +revizor-online.ga, 1 +revizor-online.gq, 1 +revizor-online.ml, 1 +revizor-online.tk, 1 +revizor.ml, 1 +revizoronline.tk, 1 +revloop.com, 1 +revmap.com, 1 +revoka.de, 1 +revol.space, 1 +revolucioncharango.com, 1 +revolution-mining.com.au, 1 +revolution.net.nz, 1 +revolutionary.tk, 1 +revolutionaryaim-vienna.tk, 1 +revolutionaryireland.cf, 1 +revolutionaryireland.ga, 1 +revolutionaryireland.gq, 1 +revolutionaryireland.ml, 1 +revolutionengine.tk, 1 +revolutionenkommer.dk, 1 +revolutionhealth.ca, 1 +revolutionizingheartfailure.com, 1 +revolutionofbeauty.tk, 1 +revolutionofgaming.tk, 1 +revolware.com, 1 +revosoft.de, 1 +revres.info, 1 +revspot.net, 1 +revthefox.co.uk, 1 +revton.com, 1 +revuestarlight.me, 1 +revworld.org, 1 +revx.io, 1 +rewardingexcellence.com, 1 +rewardoapp.com, 1 +rewardscout.eu, 1 +rewatch.com, 1 +rewawatch.tk, 1 +rewebsitepro.com, 1 +rewirenewsgroup.com, 1 +rewisto.de, 1 +rewolucja1905.pl, 1 +rewriteguru.com, 1 +rewritertools.com, 1 +rex.red, 1 +rex.st, 1 +rex.tc, 1 +rexbang.tk, 1 +rexbaumgartnerdds.com, 1 +rexburgid.gov, 1 +rexcutty.com, 1 +rexdf.net, 1 +rexel.com, 1 +rexeroofing.com, 1 +rexo.ch, 1 +rexograph.com, 1 +rexskz.info, 1 +rextomanawato4.tk, 1 +rexuy.com, 1 +rexvin.co.id, 0 +rexxworld.com, 1 +reyesfernando.com, 1 +reyesholdings.com, 1 +reyna.cc, 1 +reynders.xyz, 1 +reynoldsburg.gov, 1 +reytorogroup.com, 1 +rezendemultimarcas.com.br, 1 +rezept-planer.de, 1 +rezidencezdanice.cz, 1 +rezio.io, 0 +rezistor.tk, 1 +rezka-burenie.cf, 1 +rezni.cz, 1 +reznik.tk, 1 +reztudio.com, 1 +rezultant.ru, 1 +rezun.cloud, 1 +rf-gamer.gq, 1 +rf.studio, 1 +rfasafedrop.org, 1 +rfbcnet.tk, 1 +rfbz.ca, 1 +rfdirectory.tk, 1 +rfeif.org, 1 +rfg.ru, 1 +rfgadvisorywealth.com, 0 +rfmsconnect.nl, 1 +rfn.cz, 1 +rfnews.tk, 1 +rfoard.com, 1 +rfodistribution.co.za, 1 +rfomega.ga, 1 +rfphero.io, 1 +rfs-zbpe.net, 1 +rfstag.com, 1 +rfstag.org, 1 +rftoon.com, 1 +rfvigo.com, 1 +rfxanalyst.com, 1 +rg.to, 1 +rga.cl, 1 +rgacomputacion.cl, 1 +rgbinnovation.com, 1 +rgbpty.com, 1 +rgc.com.co, 0 +rgdt.tk, 1 +rgf.be, 0 +rgfundraising.com, 1 +rggraphics.mx, 1 +rgnext.com, 1 +rgpd-elearning.com, 1 +rgpdkit.io, 1 +rgservice.ml, 1 +rgtonline.com, 1 +rgz.ee, 1 +rhaegal.me, 1 +rhamzeh.com, 1 +rhaniegghe.be, 1 +rhaniegghesoftwaresecurity.be, 1 +rhbrown.com, 1 +rhcteam.com, 1 +rhd-instruments.com, 1 +rhd-instruments.de, 1 +rhd.org, 1 +rhdiscovery.com, 1 +rhees.nl, 1 +rheijmans.io, 1 +rheijmans.nl, 1 +rheimsandcohen.ltd, 1 +rhein-liebe.de, 1 +rheincargo.com, 1 +rheine.schule, 1 +rheineschulen.de, 1 +rheinland-pilgern.de, 1 +rheinmetall.com, 1 +rheinturm.nrw, 1 +rhelevate.com, 1 +rhese.net, 1 +rhetorical.ml, 0 +rhetthenckel.com, 1 +rhev.in, 1 +rhforum.tk, 1 +rhfs.tk, 1 +rhhd.gov, 1 +rhhfoamsystems.com, 1 +rhicin.com, 1 +rhinelander.ca, 1 +rhinelanderpd.gov, 1 +rhinesuchus.com, 1 +rhino-inquisitor.com, 1 +rhino.co.tz, 1 +rhinobase.net, 1 +rhinoceroses.org, 1 +rhinosf1.com, 1 +rhnet.at, 1 +rho.co, 1 +rhode-island-sexcams.com, 1 +rhodeislandhealth.tk, 1 +rhodes.ml, 1 +rhodesianridgeback.com.br, 1 +rhodos.fr, 1 +rhona.cl, 1 +rhost.nl, 1 +rhowell.io, 1 +rhsb.ch, 1 +rhsbl.com, 1 +rhswl.com, 1 +rhubarb.land, 1 +rhumblineadvisers.com, 1 +rhwebdesigns.co.uk, 1 +rhye.tk, 1 +rhyme.com, 1 +rhymesofreason.com, 1 +rhymeswithmogul.com, 1 +rhynl.io, 1 +rhyno.io, 1 +rhysg.net, 1 +rhysperry.com, 1 +rhysre.net, 1 +rhystagr.am, 1 +rhyswebbmassage.com, 1 +rhythmaning.org, 1 +riable.com, 1 +riacanada.ca, 1 +riachuello.tk, 1 +riaiai.com, 1 +riaki.net, 1 +riaktiv.tk, 1 +rial.space, 1 +rialto.co.nz, 1 +rialtocapital.com, 1 +rian.gq, 1 +riared.net, 1 +riared.org, 1 +riaszto-szereles.eu, 1 +riaudetil.com, 1 +rib-dinslaken.com, 1 +rib-dinslaken.de, 1 +rib-fm.com, 1 +rib-fm.de, 1 +rib-ims.at, 1 +rib-ims.ch, 1 +rib-ims.com, 1 +rib-ims.de, 1 +rib-leipzig.com, 1 +riba-lov.ga, 1 +ribafs.tk, 1 +ribapo.com, 1 +ribar.com, 1 +ribblu.com, 1 +ribccs.com, 1 +ribdigital.com, 0 +ribella.net, 1 +ribes.design, 0 +ribims.de, 1 +ribit4u.co.il, 1 +ribmountainwi.gov, 1 +ribolov.tk, 1 +ribtours.co, 1 +ric-rac.org, 1 +ricardo.nu, 0 +ricardobaptistaleite.pt, 1 +ricardojsanchez.com.ar, 1 +ricardopq.com, 1 +ricardoquaresma.tk, 1 +ricardotaakehb.tk, 1 +ricassiocosta.me, 1 +ricaud.me, 1 +riccy.org, 1 +riceadvice.info, 1 +ricecountymn.gov, 1 +ricedust.com, 1 +ricelasvegas.com, 1 +ricettedellanonna.net, 1 +ricettesemplicieveloci.altervista.org, 1 +rich-good.com, 0 +richadams.me, 1 +richandsteph.co.uk, 1 +richandsteph.uk, 1 +richard-fath.de, 1 +richard-offermanns.nl, 1 +richard-purves.com, 1 +richardb.me, 0 +richardcrosby.co.uk, 1 +richardharpur.com, 1 +richardhicks.us, 1 +richardhouts.tk, 1 +richardinesrolltop.com, 1 +richardjgreen.net, 1 +richardlangham.plumbing, 1 +richardlangworth.com, 1 +richardlevinmd.com, 1 +richardrblocker.net, 1 +richardschut.nl, 1 +richardsdebt.com, 1 +richardson.cam, 1 +richardson.engineering, 1 +richardson.pictures, 1 +richardson.software, 1 +richardson.systems, 1 +richardson.tk, 1 +richardson.tw, 1 +richardsoncountyne.gov, 1 +richardstonerealestate.com, 1 +richbutler.co.uk, 1 +richcat.tw, 1 +richecommecresus.com, 1 +richelelahaise.nl, 0 +richeyweb.com, 1 +richeza.com, 1 +richfieldadamscowi.gov, 1 +richfieldsean.org, 1 +richie.cloud, 0 +richie.fi, 1 +richie.pm, 1 +richiebartlett.com, 1 +richieheijmans.com, 1 +richieheijmans.email, 1 +richieheijmans.eu, 1 +richieheijmans.io, 1 +richieheijmans.network, 1 +richieheijmans.nl, 1 +richieheijmans.one, 1 +richiesroom.com, 1 +richini.com, 1 +richlandcenterwi.gov, 1 +richlandcountyoh.gov, 1 +richlandcountywi.gov, 1 +richlandwa.gov, 1 +richlj.com, 1 +richlj.net, 1 +richlogic.blog, 1 +richmond.com, 1 +richmondca.gov, 1 +richmondcountyclerk.com, 1 +richmondcountync.gov, 1 +richmondkitchens.com.au, 1 +richmondla.gov, 1 +richmondsunlight.com, 1 +richmoney.us, 1 +richmtdriver.com, 1 +richtabak.ru, 1 +richviajero.com, 1 +richwayfun.com, 1 +rickelrath.de, 1 +rickengineering.com, 1 +ricketyspace.net, 0 +rickhoekman.com, 1 +ricki-z.com, 0 +rickmakes.com, 1 +rickmanlegal.com, 1 +rickmartensen.nl, 0 +rickoriginal.nl, 1 +rickrongen.nl, 1 +rickrussellhomes.com, 0 +rickscastles.co.uk, 1 +ricksdailytips.com, 1 +rickvanderzwet.nl, 1 +ricky.photos, 1 +rickyips.tk, 1 +rickyromero.com, 1 +rickysgames.tk, 1 +rico-brase.de, 1 +rico-j.de, 1 +rico.ovh, 1 +ricobaldegger.ch, 1 +ricochet.com, 1 +ricochet.im, 1 +ricoydesign.com, 1 +ricozienke.de, 1 +ridayu.jp, 1 +riddhimarketplace.com, 1 +riddims.co, 1 +riddimsworld.com, 1 +riddler.com.ar, 1 +riddlock.com, 1 +rideapart.com, 1 +rideelectric.gov, 1 +ridegravel.ch, 1 +rideintaxi.com, 1 +rident-estetic.ro, 1 +riderchris.com, 1 +riders.ga, 1 +rides-japan.jp, 1 +ridetour.ru, 1 +rideyourdamn.bike, 1 +ridgecrestca.gov, 1 +ridgefieldct.gov, 1 +ridgespringsc.gov, 1 +ridgewaterlodge.com, 1 +ridgewaywi.gov, 1 +ridgidgear.eu, 1 +ridho.id, 1 +ridingoklahoma.com, 1 +ridingthetigerpro.com, 1 +rido.ml, 1 +ridsdale.ca, 1 +riechsteiner.tech, 1 +riecht-besser.de, 1 +riederle.com, 1 +riedl-shk.de, 1 +riemzac.com, 1 +riesenweber.id.au, 1 +riesheating.com, 1 +rieslingtrailclarecottages.ga, 1 +riess-ambiente.net, 1 +rietspoppen.tk, 1 +rietveldacademie.nl, 1 +riffable.com, 1 +riffnation.tk, 1 +riffreporter.de, 0 +riflajelemn.ro, 1 +rifledesign.co.uk, 1 +rift.pictures, 1 +rifugioselvabella.tk, 1 +rigabeerbike.com, 1 +rigabeerbike.lv, 1 +rigart-michael.be, 1 +rigartmichael.be, 1 +rigelro.ga, 1 +rigeltarot.com, 1 +riggsloves.me, 1 +riggsmarkham.com, 1 +riggtech.com.au, 1 +righettod.eu, 1 +rightblog.tk, 1 +rightbraingroup.com, 1 +rightfulowner.tk, 1 +rightinbox.com, 1 +rightlaw.nz, 1 +rightmovecanada.com, 1 +rightnetworks.com, 1 +rightreview.co.uk, 1 +rights.ninja, 1 +rightschool.cf, 1 +rightsizingcalculator.com, 1 +rightsolutionplumbing.com.au, 1 +rightstartcapital.com, 1 +rightstartent.com, 1 +rightstartinc.com, 1 +rightstuff.link, 1 +rightthingrecruit.com, 1 +righttolife.org.uk, 1 +rigidlandscapes.com.au, 1 +rihappy.tk, 1 +riietr.com, 1 +riigikogu.ee, 0 +riil.org, 1 +riino.site, 1 +rijk-catering.nl, 0 +rijnland.net, 1 +rijonawnings.com, 1 +rijschoolgevonden.nl, 0 +rijschoolrichardschut.nl, 1 +rijsecure.nl, 1 +rijsinkunst.nl, 1 +rik.onl, 1 +rikardhallberg.com, 1 +rikels-slaapexperts.nl, 1 +rikki.moe, 1 +riklewis.com, 1 +rikmeijer.nl, 1 +rikpalm.nl, 1 +riksby.com, 1 +riku.pro, 1 +riku.pw, 1 +rikunori.com.tw, 1 +rileyevans.co.uk, 1 +rileypaige.com, 1 +rileys.club, 0 +rileyskains.com, 0 +rileystar.com, 1 +rilish.cf, 1 +rillet.com, 1 +rilretg.com, 1 +rim-kardzhali.bg, 1 +rim-kardzhali.org, 1 +riman.tk, 1 +rimax.vn, 0 +rimba.eu, 1 +rime.red, 1 +rimessaggio.it, 1 +rimetsu.com, 1 +riministreet.com, 1 +riminitoday.it, 1 +rimnow.mr, 1 +rimnow.net, 1 +rimo.site, 1 +rimonhwang.com, 1 +rimorrecherche.nl, 1 +rimzim.tk, 1 +rinabhabra.com, 1 +rinaent.com, 1 +rincat.ch, 1 +rincon-nsn.gov, 1 +rincondenoticas.com, 1 +rinconga.gov, 1 +rinconplacas.com, 1 +rinconwaterca.gov, 1 +rindepo.com, 1 +rineke.art, 1 +ring.com, 1 +ringgitplus.com, 1 +ringingliberty.com, 1 +ringlightstudios.com, 1 +ringmybell.tk, 1 +ringneckparakeets.com, 1 +ringofglory.ga, 1 +ringofglory.gq, 1 +ringover.com, 1 +rinka.moe, 1 +rinkhill.com, 1 +rinko-mama.com, 1 +rinoartdistrict.org, 1 +rinova.me, 1 +rinsbacherhof.com, 1 +rinskeshomepage.tk, 1 +rintarokobayashi.jp, 1 +rinton.ru, 1 +rinu.cf, 1 +rinvex.com, 1 +rinyui.cn, 1 +rinyui.com, 1 +rioinbox.com.br, 1 +rioloagolf.tk, 1 +riomaisbrindes.com.br, 1 +riomi.org, 1 +riosat.ru, 1 +riosoil.co.uk, 1 +riosoil.com, 1 +riosoils.co.uk, 1 +riosoils.com, 1 +riotest.xyz, 1 +riotseeds.cloud, 1 +rip-sport.cz, 1 +ripadores.tk, 1 +ripcorddesign.com, 1 +ripcordsandbox.com, 1 +ripcurl.tk, 1 +ripenapps.com, 1 +ripetizioni.roma.it, 1 +ripin.org, 1 +ripmixmake.org, 1 +ripon-wi.gov, 1 +riponadvance.com, 1 +ripp-it.com, 1 +ripper.store, 1 +ripplecraft.cn, 1 +ripplemarkeg.com, 0 +ripplenews.club, 1 +ripplenews.co, 1 +ripplenews.io, 1 +ripplenews.live, 1 +ripplenews.news, 1 +ripplenews.online, 1 +ripplenews.ru, 1 +ripplenews.world, 1 +rippling.com, 1 +riproduzionichiavi.it, 1 +riptidetech.io, 1 +ripu-eshii.com, 1 +riri-tendedasole.it, 1 +ririro.com, 1 +ris.fi, 1 +ris2048.pt, 1 +risa.chat, 1 +risada.nl, 1 +risalatconsultants.com, 1 +riscascape.net, 1 +risco.ro, 1 +riscone.info, 1 +riscoscommunity.org, 1 +riscoshardware.tk, 1 +riscure.com, 1 +rise-technologies.com, 1 +rise.com, 1 +rise.global, 1 +rise.md, 1 +risecomedy.com, 1 +risecstate.gov, 1 +riseofmiddle-earth.tk, 1 +riseonline.wiki, 1 +riseproject.ro, 1 +riseshost.ml, 1 +riseup.net, 1 +riseupelectrical.com.au, 1 +rishabh.me, 1 +rishav.top, 1 +risheriffs.gov, 1 +rishikeshan.com, 1 +rishikeshyoga.in, 1 +rishteykaro.com, 1 +risi-china.com, 1 +risilience.com, 1 +rising-cubers.tk, 1 +risingsoftware.com, 1 +risingtidecapital.org, 1 +risitas.com.ar, 1 +riskbase.uk, 1 +riskconsole.com, 1 +riskiq.com, 0 +riskmitigation.ch, 1 +riskstudio.com, 1 +risky.services, 1 +riskymeals.com, 1 +risman.tk, 1 +risonanzamagnetica.roma.it, 1 +risoscotti.es, 0 +risounokareshi.com, 1 +risparmiare.info, 1 +risquefetish.com, 1 +risquefetish.net, 1 +risquefetish.org, 1 +risquefetishtoys.com, 1 +ristioja.ee, 1 +ristisanat.fi, 1 +ristorantedabeni.be, 1 +ristoviitanen.fi, 1 +ristrutturazione.roma.it, 1 +ristrutturazioneappartamenti.milano.it, 1 +ristrutturazioneappartamento.roma.it, 1 +ristrutturazioniappartamentinapoli.it, 1 +risu.to, 1 +risunki.ga, 1 +rit.ee, 0 +rit.space, 1 +ritaescortsdelhi.com, 1 +ritaj.estate, 1 +ritaohio.gov, 1 +ritas.tk, 1 +ritchieneville.tk, 1 +riteboost.com, 1 +ritel.nl, 1 +ritense.com, 0 +ritense.nl, 1 +ritepriceheatingcooling.com.au, 1 +ritepriceroofing.com.au, 1 +riterry.com, 1 +riteway.rocks, 1 +ritirocalcinacci.roma.it, 1 +ritirocalcinacci.viterbo.it, 1 +ritmoloco.fr, 1 +ritmos.tk, 1 +ritmuzic.ml, 1 +ritoge.com, 1 +ritoner.it, 1 +ritos.ru, 1 +ritrium.com, 1 +ritsf.com, 1 +ritsu-life.com, 1 +rittau.org, 1 +rittersprinting.com, 1 +ritual-gratek.ru, 1 +ritual.com, 1 +ritual.ml, 0 +ritunewasser.ch, 1 +ritus.md, 1 +ritzcarltonclub.com, 1 +ritzlux.com.tw, 1 +rivaforum.de, 1 +rivago.tk, 0 +rivals.space, 1 +rivalsa.cn, 1 +rivalsa.net, 1 +rivastation.de, 1 +riveal.fr, 1 +rivenmains.com, 1 +river-rest.com, 1 +river.gq, 1 +riverbednetflowsupport.com, 1 +rivercitybni.com, 1 +rivercitycycling.org, 1 +riverford.co.uk, 1 +riverhoa.org, 1 +riverlandenergy.com, 1 +riverlea.com.au, 1 +riverlinegaragedoor.com, 1 +riveroakaa.com, 0 +riveroaksdentaljax.com, 1 +riverotravel.cl, 1 +riverpark.casa, 1 +riverridgecc.com, 1 +riverroaddental.ca, 1 +riverrun.tk, 1 +rivers.gov, 1 +riverschool.net, 1 +riversidebaptistchurch.net, 1 +riversideiowa.gov, 1 +riversidemo.gov, 1 +riversideradio.nl, 1 +riversmeet.co.uk, 1 +rivertv.ca, 1 +riverviewtree.com, 1 +rivervista-vacationhomes.com, 1 +riverweb.gr, 1 +riverwoods.gov, 1 +rivethealthlaw.com, 1 +rivian.com, 1 +rivian.software, 1 +rivingtongreenwich.co.uk, 1 +rivlo.com, 1 +rivmedia.co.uk, 1 +rivoflor.it, 1 +rivolta.tk, 1 +rivus.net, 1 +riweco.ga, 1 +riwers.io, 1 +rix.ninja, 1 +rixcloud.moe, 1 +rixzz.ovh, 1 +riyono.com, 1 +rizaderindag.com, 1 +rizalpalawan.gov.ph, 0 +rizehaberleri.tk, 1 +rizer.io, 0 +rizhik.com.ua, 1 +rizikaockovani.cz, 1 +rizonrice.club, 1 +rizospastis.gr, 1 +rj-onderneemt.nl, 1 +rjan.nl, 1 +rjbookings.nl, 1 +rjclegeplads.dk, 1 +rje-hub.net, 1 +rjet.com, 1 +rjfedor.com, 1 +rjfedor.ddns.net, 1 +rjhgroup.co.uk, 1 +rjia.gq, 1 +rjmartz.com, 1 +rk-box.ru, 1 +rk-links.ml, 1 +rk-mediawork.de, 0 +rk.com, 1 +rkabworks.uk, 1 +rkbegraafplaats.com, 1 +rkesport.com, 0 +rkfp.cz, 1 +rkkerkjoppe.nl, 1 +rkmedia.no, 1 +rkmns.edu.in, 1 +rknews.tk, 1 +rkowalewski.de, 1 +rkstudio.com, 1 +rl3.de, 1 +rlahaise.nl, 0 +rlalique.com, 1 +rlan.eu.org, 1 +rland.ph, 1 +rlcosmeticsurgery.com, 1 +rld.org, 1 +rleeden.no-ip.co.uk, 1 +rleeden.servehttp.com, 1 +rleeden.servemp3.com, 1 +rleh.de, 1 +rlmud.tk, 1 +rlove.org, 1 +rlptoday.de, 1 +rm-it.de, 1 +rm2brothers.cc, 1 +rmb.li, 1 +rmbnsw.org.au, 1 +rmbs.de, 1 +rmbs.org, 1 +rmcbs.de, 1 +rmcinsuranceservices.com, 1 +rmconsulting.com, 1 +rmdb.tk, 1 +rmdhnreza.my.id, 1 +rmdis.au, 1 +rmdscreen.com, 1 +rme.li, 0 +rmf.io, 1 +rmfscrubs.com, 1 +rmgsm.ir, 1 +rmi.com.ar, 1 +rmit.ee, 0 +rmitobacco.com, 1 +rml-liege.be, 1 +rmm-i.com, 1 +rmmanfredi.com, 1 +rmodular.com, 1 +rmol.tk, 1 +rmp-gebaeudedienste.de, 1 +rmpbuilders.com.au, 1 +rmrcapitalinc.com, 1 +rmrig.org, 1 +rms.com, 1 +rms.sexy, 1 +rmsisrs.com, 1 +rmsk.tk, 1 +rmsliberty.com, 1 +rmsu.pl, 1 +rmsupply.nl, 1 +rmt-construction.co.za, 1 +rmtconstruction.co.za, 1 +rmupasswordstudy.com, 1 +rmurai.com, 0 +rmvalues.com, 1 +rmw-energy.de, 1 +rmyachting.com, 1 +rn29.me, 1 +rnag.ie, 1 +rnb-storenbau.ch, 1 +rnbjunk.com, 1 +rndtool.info, 1 +rnest-maintenance.eu, 1 +rnews.tk, 1 +rngmeme.com, 1 +rnjobsite.com, 1 +rnmkrs.co, 1 +rnp.br, 1 +rntgroup.com, 1 +rntomsn.com, 1 +rntomsnedu.org, 1 +rnz3.net, 1 +ro.co, 1 +ro.exchange, 1 +ro.search.yahoo.com, 0 +ro89.com, 1 +roa.net, 1 +roach.nz, 1 +road-safety.cz, 1 +road-trips.fr, 1 +roadaccident.tk, 1 +roadandtransport.ga, 1 +roadbikes.tk, 1 +roaddoc.de, 1 +roadguard.nl, 0 +roadhousecinemas.com, 1 +roadtochina.tk, 1 +roadtoglory.tk, 1 +roadtopgm.com, 1 +roadtripaustralia.com.au, 1 +roadtripnation.com, 1 +roadtripusa.tk, 1 +roalogic.com, 1 +roamadvisors.com, 1 +roamfreun.tk, 1 +roamroofingco.com, 1 +roams.com.co, 1 +roams.es, 1 +roams.mx, 1 +roanboute.be, 1 +roanoke.com, 1 +roar.com.br, 1 +roaringforkfire.gov, 1 +roastely.com, 1 +roaster.ga, 1 +roastrepublic.co, 1 +roayahnews.com, 1 +rob006.net, 1 +robandjanine.com, 1 +robaxin750mg.ml, 1 +robben.io, 1 +robbertt.com, 0 +robbie.bio, 1 +robbie.contact, 1 +robbie.studio, 0 +robbiebird.tk, 1 +robbiecrash.me, 1 +robbielowe.co, 1 +robbievasquez.com, 1 +robbins-construction.com, 1 +robbinsdalemn.gov, 1 +robbrestyle.com, 1 +robbyzworld.cf, 1 +robdavidson.network, 1 +robersonaudio.tk, 1 +robert-adam.de, 1 +robert-ewert.tk, 1 +robert-flynn.de, 1 +robert-foster.com, 1 +robert-reisemobil.de, 1 +robert-victor.co.uk, 1 +robert-wiek-transporte.de, 1 +robertaltizer.com, 1 +robertattfield.com, 1 +robertayamashita.com, 1 +robertayamashita.com.br, 1 +robertbln.com, 1 +robertcspies.de, 1 +robertdunn.net, 1 +robertg.me, 1 +robertglastra.com, 1 +robertgonzalez.tk, 1 +roberthenrys.com, 1 +roberthurlbut.com, 1 +robertkrueger.de, 1 +robertlowdon.com, 1 +robertlysik.com, 1 +robertmusil.ml, 1 +robertocasares.no-ip.biz, 0 +robertodegroot.tk, 1 +robertodivirgilio.it, 1 +robertoentringer.com, 0 +robertof.ovh, 1 +robertoggarcia.tk, 1 +robertopazeller.ch, 1 +robertoullan.tk, 1 +robertreiser.photography, 1 +robertrijnders.nl, 1 +robertsfinejewelers.com, 1 +robertsjoneslaw.com, 1 +robertsmits.be, 1 +robertson-cg.com, 1 +robertsonblums.com, 1 +robertsoncountytn.gov, 1 +robesoncountync.gov, 1 +robgorman.ie, 1 +robhorstmanshof.nl, 1 +robi-net.it, 1 +robicue.com, 0 +robin-kusch.de, 1 +robin-meis.com, 1 +robin-novotny.com, 1 +robin.co.kr, 1 +robin.info, 1 +robinb0s.nl, 1 +robinbos.nl, 1 +robinbrook.co.uk, 1 +robindirksen.com, 1 +robinevandenbos.nl, 1 +robinflikkema.nl, 1 +robinfrancq.ml, 1 +robinhallnursery.org.uk, 1 +robinhor10.tk, 1 +robinhordon.tk, 1 +robinlinden.eu, 1 +robinloeffel.ch, 0 +robinminto.com, 1 +robinmurez.com, 1 +robinopletal.com, 1 +robinsoncontracting.ca, 1 +robinsonphotos.uk, 1 +robinsonsmalls.com, 1 +robinsonstrategy.com, 1 +robinsonyu.com, 1 +robinsremembered.tk, 1 +robintimmers.nl, 1 +robinvanpersie.tk, 1 +robinvdmarkt.nl, 1 +robinwill.de, 1 +robinwinslow.uk, 1 +robinzone.ua, 1 +robinzorg.nl, 1 +robjager-fotografie.nl, 0 +robkaper.nl, 1 +robkish.life, 1 +roblog.tk, 1 +roblox.com, 1 +robloxenthusiasts.ga, 1 +robnicholls.co.uk, 1 +robobusiness.ga, 1 +robocop.no, 1 +robodeidentidad.gov, 1 +roboform.com, 1 +robohash.org, 1 +robokits.co.in, 1 +roboland.ga, 1 +roboonline.tk, 1 +roboquantico.com, 1 +roboraptor.tk, 1 +roborehber.com, 1 +robot-invest.cf, 1 +robot-invest.ml, 1 +robot.car, 1 +robotask.in, 1 +robotattack.org, 1 +robotbattle.tk, 1 +robotcoral.de, 1 +robotdecocinaya.com, 1 +roboth.am, 1 +robotham.org, 1 +roboticsummit.com.br, 1 +robotimeshop.com, 1 +robotkvarnen.se, 1 +roboto.social, 1 +robotrewrite.com, 1 +robots-ju.ch, 1 +robotsbigdata.com, 1 +robottip.com, 1 +robowars.ga, 1 +robpol86.com, 1 +robs-info.eu, 1 +robspc.repair, 1 +robspeed.rocks, 1 +robstibal.com, 1 +robtatemusic.com, 1 +robtex.com, 1 +robu.in, 1 +robust.ga, 1 +robustac.com, 1 +robuxemporium.com, 1 +robuxkingz.ml, 1 +roc-reo.tk, 1 +roc-taiwan.su, 1 +roc-taiwan.taipei, 1 +roc-tw.tw, 1 +roc.gov.au, 0 +rocabot.ddns.net, 1 +roccasemijoias.com.br, 1 +rochaaricanduva.com.br, 1 +rochakhand-knitcraft.com.np, 1 +rochcloud.cf, 1 +rochediagram.com, 1 +rochesterglobal.com, 1 +rochesternh.gov, 1 +rochestertwpil.gov, 1 +rochesterwi.gov, 1 +rochesterymca.org, 1 +rochow.me, 1 +rocis.gov, 1 +rock-base.tk, 1 +rock-zottegem.be, 1 +rock4life.be, 1 +rocka.me, 1 +rockabilly-sinners.tk, 1 +rockadocious.com, 1 +rockagogo.com, 1 +rockandroll.tk, 1 +rockats.org, 1 +rockbandparty.com, 1 +rockbankland.com.au, 1 +rockbridge.tk, 1 +rockcelebrities.net, 1 +rockcellar.ch, 1 +rockcountyne.gov, 1 +rockcult.ru, 1 +rockdalecoprobatecourt.gov, 1 +rockdaletx.gov, 1 +rockenfolie.com, 0 +rockenfuerlachenhelfen.de, 1 +rockernj.com, 1 +rocket-resume.com, 1 +rocket.is, 1 +rocketbears.com, 1 +rocketcityts.com, 1 +rocketdashboard.com, 1 +rocketdoctor.ca, 1 +rocketdoctor.us, 1 +rocketeer.tk, 1 +rocketevents.com.au, 1 +rocketgnomes.com, 1 +rocketmill.co.uk, 1 +rocketmulejunkremoval.com, 1 +rocketnet.ml, 1 +rocketr.net, 1 +rocketrubber.com, 1 +rocketsales.al, 1 +rocketsales.at, 1 +rocketsales.be, 1 +rocketsales.bg, 1 +rocketsales.by, 1 +rocketsales.cz, 1 +rocketsales.dk, 1 +rocketsales.es, 1 +rocketsales.eu, 1 +rocketsales.fi, 1 +rocketsales.fr, 1 +rocketsales.gr, 1 +rocketsales.io, 1 +rocketsales.it, 1 +rocketsales.lt, 1 +rocketsales.lu, 1 +rocketsales.md, 1 +rocketsales.me, 1 +rocketsales.mk, 1 +rocketsales.pt, 1 +rocketsales.ro, 1 +rocketsales.se, 1 +rocketsales.si, 1 +rocketsales.sk, 1 +rocketsandtutus.com, 1 +rocketsworld.tk, 1 +rockfallsil.gov, 1 +rockfax.com, 1 +rockfordnetworks.com, 1 +rockfordpressurewashing.com, 1 +rockfordtow.com, 1 +rockfreshmanyear.com, 1 +rockfs.ml, 1 +rockingreports.com, 1 +rockinit.tk, 1 +rockinmama.net, 1 +rockinronniescastles.co.uk, 1 +rockislandcountyil.gov, 1 +rockitinflatables.co.uk, 1 +rockitreports.com, 1 +rocklabs.xyz, 1 +rocklandbrownwi.gov, 1 +rocklandcountyny.gov, 1 +rocklinhousecleaning.com, 1 +rocknbluestoday.tk, 1 +rocknreports.com, 1 +rocknrowdyranch.com, 1 +rocknwater.com, 1 +rockpesado.com.br, 1 +rockporttx.gov, 1 +rockrider.tk, 1 +rockriver.tk, 1 +rocksalt.tk, 1 +rockset.com, 1 +rockshooters.com, 1 +rockslideengineering.com, 1 +rocksoundradio.tk, 1 +rockspringswi.gov, 1 +rocktape.com, 1 +rocktonil.gov, 1 +rocktontownshipil.gov, 1 +rockvilledentalarts.com, 1 +rockworldteam.tk, 1 +rockyford-co.gov, 1 +rockymountaininsurancecenter.com, 1 +rockymountainspice.com, 1 +rockymountva.gov, 1 +rockymtnexpress.com, 1 +rockyourlife.gq, 1 +rockyrealestate.com, 1 +rocssti.net, 1 +rodab.party, 1 +rodafe.sk, 1 +rodapiao.com.br, 1 +rodarion.pl, 1 +rodchapman.com, 0 +roddis.net, 1 +rodehutskors.net, 1 +rodelstein.eu, 1 +rodeobull.biz, 1 +rodeodrive.tk, 1 +rodeohire.com, 1 +rodeoimport.com, 1 +rodeosales.co.uk, 1 +roder-skarf.se, 1 +rodest.net, 0 +rodevlaggen.nl, 1 +rodgersawnings.com, 1 +rodichi.net, 1 +rodin.tk, 1 +rodinka.tk, 1 +rodinnebyvanie.eu, 1 +rodinneodpoledne2018.cz, 1 +rodirik.de, 1 +roditely.cf, 1 +rodneybrooksjr.com, 1 +rodnikbel.tk, 1 +rodobike.com.br, 1 +rodokubu.jp, 1 +rodolfo.gs, 1 +rodomonte.org, 1 +rodosto.com, 1 +rodpenroseracing.com.au, 1 +rodrigamer.com, 1 +rodrigoacevedo.com.uy, 1 +rodrigoarayaaliaga.com, 1 +rodrigoarriaran.com, 1 +rodrigocarvalho.blog.br, 1 +rodrigocofre.com, 1 +rodrigodematos.tk, 1 +roeckx.be, 1 +roed.gg, 1 +roeden.dk, 1 +roedesonline.nl, 1 +roedl.de, 1 +roefja.com, 1 +roeitijd.nl, 0 +roelenscitynews.ml, 1 +roelhollander.eu, 1 +roeljoyas.com, 1 +roellcapital.com, 1 +roelmagdaleno.com, 1 +roelof.io, 1 +roelonline.tk, 1 +roels.com, 1 +roelsworld.eu, 1 +roemhild.de, 1 +roenhorst.net, 0 +roeriverbooks.ie, 1 +roerstaafjes.nl, 1 +roethelheim.net, 1 +roethelheim.org, 1 +rofena.org, 1 +rofl.com.ua, 1 +rofrank.space, 1 +rogacevo.tk, 1 +rogagym.com, 1 +rogaineforwomen.ga, 1 +rogalcraigtaylor.com, 1 +rogard.fr, 0 +rogarden.ro, 1 +roge.pw, 1 +rogeiro.net, 1 +rogell.tk, 1 +rogerdat.ovh, 1 +rogerdeflor.tk, 1 +rogerfages-peinture.fr, 1 +rogerhub.com, 1 +rogerkunz.ch, 1 +rogerriendeau.ca, 1 +rogersvilletn.gov, 1 +rogersvilleumc.org, 1 +roggebroek.nl, 1 +rogiershikes.tk, 1 +rogin.tk, 1 +rognhaugen.no, 1 +rogo.cz, 1 +rogoff.xyz, 1 +rogplus.nl, 1 +rogue-e.xyz, 1 +rogue.pw, 1 +roguecoder.net, 1 +roguefortgame.com, 1 +roguelicious.com, 1 +roguenation.space, 1 +roguenetworks.me, 1 +roguerocket.com, 1 +roguetech.ca, 1 +roguetechhub.org, 1 +rohal.tk, 1 +rohanbassett.com, 1 +rohaniways.com, 0 +rohankondvilkar.com, 1 +rohansingh.cf, 1 +rohde.de, 0 +rohedaten.de, 1 +rohitagr.com, 1 +rohitgupta.xyz, 1 +rohkeakirkko.fi, 1 +rohlik.cz, 1 +rohrle.com, 1 +rohrle.net, 1 +rohrle.org, 1 +rohrreinigung-zentrale.de, 1 +rohrstock.at, 1 +roi-project.be, 1 +roi-project.eu, 1 +roiblozyxfswe.ga, 1 +roidsstore.com, 1 +rointe.online, 1 +roircop.info, 1 +roishopper.com, 1 +roisu.org, 0 +rojavainformationcenter.com, 1 +rojiblancos.tk, 1 +rojotv.tk, 1 +rokade.info, 1 +rokales.com, 1 +rokalesalapitvany.com, 1 +rokass.nl, 1 +rokettube.tk, 1 +rokki.ch, 0 +roko-foto.de, 1 +rokudenashi.de, 1 +rokuk.org, 1 +rolamar.com.br, 1 +roland.io, 1 +rolandinsh.com, 0 +rolandlips.com, 1 +rolandog.com, 1 +rolandoredi.com, 1 +rolandozarate.tk, 1 +rolandszabo.com, 1 +rolandvanipenburg.com, 1 +rolc.org.sg, 1 +roldeco.nl, 1 +rolecontj.com, 1 +roleplayhome.com, 1 +roligh.cf, 1 +roligt.tk, 1 +roliki.ml, 1 +roll-bakery.com.tw, 1 +roll.hockey, 1 +roll9.com, 1 +rollatorweb.nl, 1 +rollbackdiabetes.com, 1 +rolledout.info, 1 +rollerderbycollection.ga, 1 +rollerderbywines.ga, 1 +rollerwarehouse.com, 1 +rolleyes.org, 1 +rollforadventure.com.au, 1 +rollingbarge.com, 1 +rollingcouchapp.com, 1 +rollinghillsestates.gov, 1 +rollingshuttle.org, 1 +rollinsdogtraining.com, 1 +rollinspass.org, 1 +rollthedice.tk, 1 +rollthepay.com, 1 +rolotrans.cf, 1 +rolotrans.ga, 1 +rolotrans.gq, 1 +rolotrans.ml, 1 +rolstoelappartementen.tk, 1 +rolzzandik.cf, 1 +roma-servizi.it, 1 +romab.com, 1 +romacoffee.co.nz, 1 +romadiluna.band, 1 +romadprojects.com.au, 1 +romagnaoggi.it, 1 +romail.ml, 1 +romainlapoux.com, 1 +romainlapoux.fr, 1 +roman-pavlik.cz, 1 +roman.systems, 1 +romana.org, 1 +romanceamor.com.pt, 1 +romancerecipes.com, 1 +romancy.tk, 1 +romanglos.de, 1 +romania-film.ml, 1 +romaniacompany.com, 1 +romanian.cam, 1 +romankozak.cz, 1 +romanmichel.de, 1 +romano.guru, 1 +romanos.tk, 1 +romanovka.ml, 1 +romanpavlodar.kz, 1 +romantelychko.com, 1 +romanticdate.ga, 1 +romanticdate.gq, 1 +romanticdate.ml, 1 +romanticdate.tk, 1 +romantico.tk, 1 +romanticsexshopguatemala.com, 1 +romantictoys.nl, 0 +romanticvillas.com.au, 0 +romantik-fm.ml, 1 +romantik-fm.tk, 1 +romantik.cf, 1 +romantik.tk, 1 +romantischetuin.nl, 1 +romanywg.com, 1 +romapk.tk, 1 +romarin.es, 1 +romaservicegroup.it, 1 +romashka.tk, 1 +romasko.ml, 1 +romastantra.com, 1 +romatoday.it, 1 +romatours.pt, 0 +romatrip.it, 1 +romb.tv, 1 +rombarte.pl, 1 +romcom.info, 1 +romdrop.com, 1 +rome-airport.net, 1 +rome.tools, 1 +romediatori.com, 1 +romega.gov, 1 +romegafire.gov, 1 +romegapolice.gov, 1 +romenz.com, 1 +romeoahmed.top, 1 +romeoferraris.com, 1 +romeoijulio.tk, 1 +romerska-ringar.se, 1 +rommelhuntermusic.tk, 1 +rommelmark.nl, 1 +rommelwood.de, 1 +romo-holidays.de, 1 +romo-holidays.dk, 1 +roms.fun, 0 +romspedia.com, 1 +romtex.co.uk, 1 +romun.net, 1 +romy.tw, 1 +ron2k.za.net, 1 +ronaldcantor.com, 1 +ronaldleite.tk, 1 +ronaldvanassen.nl, 1 +ronan.cf, 1 +ronanrbr.com, 1 +ronasit.com, 1 +ronbongamis.com, 1 +ronc.ru, 1 +roncoutilities.com, 1 +ronda.tk, 1 +rondacan.com, 1 +rondommen.nl, 1 +rondouin.fr, 1 +ronem.com.au, 1 +ronforeman.com, 1 +ronghexx.com, 0 +roninathletics.com, 1 +roninf.ch, 1 +roninitconsulting.com, 1 +ronniegane.kiwi, 1 +ronnylindner.de, 1 +ronomon.com, 1 +ronzertnert.xyz, 1 +roobet.com, 1 +roodarvasi.ir, 1 +roodfruit.com, 1 +roodfruit.nl, 1 +roodfruit.studio, 1 +roodgroen.social, 1 +roodhealth.co.uk, 1 +roodo.com, 1 +roof.ai, 0 +roofcareswfl.com, 1 +roofcheckmate.com, 1 +roofer.cf, 1 +roofhaven.co.uk, 1 +roofingandconstructionllc.com, 1 +roofingmaterials.tk, 1 +roofingomaha.com, 1 +roofonline.com, 1 +roofpost.gq, 1 +roofride.com, 1 +roofsandbasements.com, 0 +rooftopapp.com, 1 +roohanionlinespiritualhelp.co.uk, 1 +rooiratel.red, 1 +rook-playz.net, 1 +rookgamingisevil.com, 1 +rookie.com.pl, 1 +rookiemamabear.com, 1 +roolife.xyz, 0 +room-checkin24.de, 1 +room-composite.com, 1 +room.to, 0 +room208.org, 1 +room362.com, 1 +room45.tk, 1 +room8group.com, 0 +roombase.nl, 1 +roomcube.tk, 1 +roomee.tk, 1 +roomguide.info, 1 +roomhub.jp, 1 +roomie.fi, 1 +roomieapp.fi, 1 +roomme.dk, 0 +roommomrescue.com, 1 +roomonline.tk, 1 +roomoutside.com, 1 +rooms.aero, 1 +roomsatevents.eu, 1 +roomstr.de, 1 +rooneyholdings.com, 1 +roopakv.com, 1 +roorda-schilders.nl, 1 +roosendaalsbiergilde.nl, 1 +roosendaalsbockbierfestival.nl, 1 +rooseveltcountymt.gov, 1 +roosterpets.com, 1 +root-books.gq, 1 +root-books.ml, 1 +root-couture.de, 1 +root-space.eu, 1 +root.bg, 1 +root.cz, 1 +root.eu.org, 1 +root.place, 1 +rootandvessel.com, 1 +rootbsd.at, 1 +rootcamp.net, 1 +rootcommand.com, 1 +rootdo.com, 1 +rootdo.org, 1 +rootear.com, 1 +rootedlifemontessori.com, 1 +rooter.group, 1 +rootergroupinc.ca, 1 +rootfor.me, 1 +rootgsm.com, 1 +rootie.de, 1 +rootinchase.com, 1 +rootingpalace.tk, 1 +rootkit.es, 1 +rootlair.com, 1 +rootless.ga, 1 +rootless.tk, 1 +rootly.com, 1 +rootnician.com, 1 +rootonline.de, 1 +rootpak.com, 1 +rootperov.tech, 1 +rootpigeon.com, 1 +rootprompt.at, 1 +rootrelativity.com, 1 +rootroo.com, 1 +roots-example-project.com, 1 +roots.io, 0 +rootsandrain.com, 1 +rootsbar.fr, 0 +rootscope.co.uk, 0 +rootsinmadrid.tk, 1 +rootsland.de, 1 +rootsland.net, 1 +rootsmusicmanagement.tk, 1 +rootstation.de, 1 +rootsweb.com, 1 +rootusers.com, 1 +roozbeh.tk, 1 +rop.cx, 1 +ropd.info, 1 +ropesmart.com, 1 +ropoxcheats.ru, 1 +roques.tk, 1 +roquesevilla.com, 1 +rorelseprojektet.se, 1 +roromendut.online, 1 +rorr.im, 1 +roryneville.com, 1 +rosa-spain.tk, 1 +rosabellas.co.uk, 1 +rosabrasiv.ga, 1 +rosacosmos.tn, 1 +rosaflorbijoux.com.br, 1 +rosalinda.cl, 1 +rosalindturner.co.uk, 1 +rosalopezcortes.tk, 1 +rosamystica.tk, 1 +rosanerolife.tk, 1 +rosangar.com, 1 +rosaquest.ru, 0 +rosary.hounslow.sch.uk, 1 +rosaserra.es, 1 +rosbiznes.tk, 1 +rosclar.com, 0 +roscommontownshipmi.gov, 1 +rosdpk.ru, 1 +rosdver.ru, 1 +rose-corp.co.jp, 1 +rose-prism.org, 1 +roseberyvenues.co.uk, 1 +rosebikes.com, 1 +rosebikes.de, 1 +rosebikes.nl, 1 +roseboom-bouwkundigadvies.nl, 1 +rosebudcountysheriffmt.gov, 1 +rosecoaudit.com, 1 +rosecrance.org, 1 +rosedenellandudno.co.uk, 1 +rosefloricultura.com.br, 1 +rosehishop.com, 1 +rosehosting.reviews, 1 +roseitsolutions.co.uk, 1 +roseliere.com, 0 +roselinlin.com, 1 +rosemariefloydballet.com, 1 +rosemountmn.gov, 1 +rosenberg-fansite.tk, 1 +rosenberggard.se, 1 +rosenheimsingles.de, 1 +rosenkavalier.tk, 1 +rosenkeller.org, 1 +roseon.net, 0 +roseparkhouse.com, 1 +rosesciences.com, 1 +rosesunmotor.com, 1 +rosetiger.life, 1 +rosetravel.de, 0 +rosettapeters.com, 1 +rosetteromance.tk, 1 +rosetwig.ca, 1 +rosetwig.systems, 1 +rosevalleyfolk.com, 1 +rosevillefacialplasticsurgery.com, 1 +rosevillekindy.nsw.edu.au, 1 +rosevilletoday.com, 1 +rosewater.me, 1 +rosewebdesignstudio.co.uk, 1 +rosewebdesignstudio.uk, 1 +rosfan.by, 1 +rosgenea.ru, 1 +roshhashanahfun.com, 1 +roshiya.co.in, 1 +rosi-royal.com, 1 +rosiervandenbosch.nl, 1 +roskillcv.nz, 1 +roskillcv.org.nz, 1 +roslagenshiss.se, 1 +roslagensmansjour.tk, 1 +roslynpad.net, 1 +rosme.it, 1 +rosoft.tk, 1 +rosolioitalicus.com, 1 +rosound.cz, 1 +rosrabota.tk, 1 +ross-mitchell.com, 0 +rosscountyohiocasa.gov, 1 +rosscountyohiocourts.gov, 1 +rosset.me, 1 +rosset.net, 1 +rossia.ga, 1 +rossignoli.it, 1 +rossiyskaja.cf, 1 +rosskopfs.de, 1 +rosslug.org.uk, 1 +rossome.org, 1 +rossstores.com, 1 +rosstownshipmi.gov, 1 +rosstroj-balashiha.ml, 1 +rosstwpmcpa.gov, 1 +rossvillega.gov, 1 +rost.tv, 1 +rostclub.ro, 1 +rosten.tk, 1 +rostirolla.se, 0 +rostlau.be, 1 +rostov-aikido.tk, 1 +rostov-arena.ml, 1 +rostov.cf, 1 +rosty.sh, 1 +roswellcity.tk, 1 +rosystemsint.com, 1 +roszdravnadzor.gov.ru, 1 +rot256.io, 1 +rot47.net, 1 +rotamap.net, 1 +rotanaval.tk, 1 +rotaquote.com, 1 +rotaractclubtucuman.tk, 1 +rotaracthelmond.tk, 1 +rotarusofia.ru, 1 +rotary.org.ru, 1 +rotaryceuta.tk, 1 +rotaryfunds.ga, 1 +rotarykardzhali.org, 1 +rotas-turisticas.com, 1 +rotasgastronomicas.com, 1 +rotasgastronomicas.pt, 1 +rotasturisticas.com, 1 +rotasturisticas.com.pt, 1 +rotasturisticas.net, 1 +rotasturisticas.org, 1 +rotasturisticas.pt, 1 +rotasurbanas.pt, 1 +rotate4all.com, 1 +rotate4u.eu, 1 +rotaville.com, 1 +rotayazilim.net, 1 +roteam.tk, 1 +rotek.at, 1 +roten.email, 1 +rotespotsdam.tk, 1 +rothbruederlein.tk, 1 +rothco.com, 1 +rothe.io, 1 +rothkranz.net, 1 +rothwellgornthomes.com, 1 +rotince.tk, 1 +rotol.me, 1 +rotonde.gq, 1 +rottadeifenici.it, 1 +rottal-inn.de, 1 +rottamazioni.it, 1 +rotterdamapartments.com, 1 +rotterdamjazz.info, 1 +rottie.xyz, 1 +rottnestexpress.com.au, 1 +rottweil-hilft.de, 1 +rottweilerdogcare.com, 1 +rotu.pw, 1 +rotunneling.net, 1 +rouair.com, 1 +rouamatfashion.gr, 1 +roueneternalmagic.fr, 1 +rougechocolat.fr, 1 +rougeetblanc.tk, 1 +roughcopy.com.au, 1 +roughgrain.com, 1 +roughnex.tk, 1 +roughnotes.com, 1 +roughsexporn.com, 1 +roughtime.se, 1 +roulettecarnival.com, 1 +roulettelive.ml, 1 +roulettestar.com, 1 +roulinfo.ch, 0 +roullier.com, 1 +roulons-autrement.com, 1 +roundaboutweb.net, 1 +roundandbrown.com, 1 +roundball.tk, 1 +roundcube.mayfirst.org, 0 +roundgarden.nl, 1 +roundrock-locksmith.com, 1 +roundtablekzn.co.za, 1 +roundtechsquare.com, 1 +roundtoprealestate.com, 0 +roussillon-informatique.fr, 1 +roussos.cc, 1 +roussosmanos.gr, 1 +rout0r.org, 1 +route-wird-berechnet.de, 1 +route66.net, 1 +route66smiles.com, 1 +routechoices.com, 1 +routedlogic.net, 1 +routemates.tk, 1 +router24.info, 1 +routerchart.com, 1 +routerclub.ru, 1 +routerctrl.com, 1 +routerfi.com, 1 +routeto.com, 1 +routetracker.co, 1 +routeur4g.fr, 0 +rouwcentrumterheide.be, 1 +rouyt.com, 1 +rovatronic.tk, 1 +roverglobal.ga, 1 +roveridx.com, 1 +roverkob.dk, 1 +rovetf.tk, 1 +rovezzano.tk, 1 +rovian.ua, 1 +rovid.link, 1 +rovin.tk, 1 +rovity.io, 0 +rovota.com, 1 +rowancasting.ie, 1 +rowancounty911.com, 1 +rowancounty911.org, 1 +rowancountyairport.com, 1 +rowancountync.gov, 1 +rowankaag.nl, 1 +rowanpubliclibrary.com, 1 +rowansheriff.com, 1 +rowansheriff.org, 1 +rowantransit.com, 1 +rowantransit.org, 1 +rowanz.nl, 1 +rowery.org, 1 +rowingsa.asn.au, 1 +rowlog.com, 1 +rowra.org, 1 +roxanaherguz.com, 1 +roxanaramirez.love, 1 +roxanneguinoo.tk, 1 +roxburytech.tk, 1 +roxet.my.id, 1 +roxhillmedia.com, 1 +roxiesbouncycastlehire.co.uk, 1 +roxswinery.com, 1 +roxville.tk, 1 +roy-buehring.de, 1 +roy.wang, 1 +royal-coatings.com, 1 +royal-flowers.dp.ua, 1 +royal-knights.tk, 1 +royal-life.tk, 1 +royal-rangers.de, 1 +royal.io, 1 +royal71.com, 0 +royal806.com, 1 +royal84.com, 0 +royal869.com, 0 +royal876.com, 1 +royal88.com, 1 +royal880.com, 0 +royal8822.com, 0 +royal896.com, 0 +royal929.com, 0 +royal939.com, 1 +royalasianescorts.co.uk, 1 +royalaubar.com, 1 +royalbluewa3.cc, 1 +royalcanin.es, 1 +royalcanin.pt, 1 +royalcaninevent.com, 1 +royalcaribbeanentertainment.com, 1 +royalcavaliers.tk, 1 +royalchallengers.com, 1 +royalchess100.com, 1 +royalcitystudios.ca, 1 +royalcitytaxi.ca, 1 +royalcrowns.tk, 1 +royaldarts.tk, 1 +royaldoorkc.com, 1 +royaleafrica.com, 1 +royalembassys.com, 1 +royalfitnesschennai.in, 1 +royalfloraholland.com, 1 +royalfoundation.com, 1 +royalgdeluxe.al, 1 +royalgrandpalace.th, 1 +royalgroup.msk.ru, 1 +royalhosting.ch, 1 +royalkitchensandfurniture.co.ug, 1 +royalmarinesassociation.org.uk, 1 +royalmech.tk, 1 +royalnissanparts.com, 0 +royaloz.ma, 1 +royalpainters.co, 1 +royalpalmbeachfl.gov, 1 +royalpanda.com, 1 +royalrace.tk, 1 +royalsleeping.com, 1 +royalstylefit.com, 1 +royalsyouthhockey.com, 1 +royaltonvt.gov, 1 +royaltube.net, 1 +royalty-market.com, 1 +royaltyexchange.com, 1 +royaltyk9.com, 1 +royalvortex.co, 1 +royalworldservice.com.ua, 1 +royalyule.com, 1 +royaume-des-chats.fr, 1 +royaume-smoke.com, 1 +royaumesoublies.com, 1 +roycampbell.tk, 1 +royceandsteph.com, 1 +roycestars.com, 1 +roycewilliams.net, 1 +royger.tk, 1 +royoy.com, 1 +royrevell.com, 1 +roystowingrockford.com, 1 +roytuts.com, 1 +royvansichem.nl, 1 +royveenendaal.com, 1 +royxiang.me, 1 +royzez.com, 1 +rozalisbengal.ro, 1 +rozalynne-dawn.ga, 1 +rozar.eu, 1 +rozar.sk, 1 +rozataki.com.tr, 1 +rozemaandag.tk, 1 +rozhodce.cz, 1 +rozprodat.cz, 1 +roztilefona.net, 1 +rp-idskenhuizen.nl, 1 +rp-megapolis.tk, 1 +rp-murk.tk, 1 +rpa.gov, 1 +rpadonline.com, 1 +rpcinmobiliaria.net, 0 +rpg-maker.net, 1 +rpg-maker.org, 1 +rpgchan.cf, 1 +rpgfactory.tk, 1 +rpgfan.com, 1 +rpgmaker.es, 1 +rpgmakers.tk, 1 +rpguru.com, 1 +rpherbig.com, 1 +rphyncice.cz, 1 +rpi-pihole-mon.ddns.net, 1 +rpj.life, 1 +rpm-oldtimer-events.ch, 1 +rpmdrivingschool.com.au, 1 +rpmglobal.com, 1 +rpo97.fm, 0 +rpora.co, 1 +rpower.com, 1 +rpowerpos.com, 1 +rps-auto.com, 1 +rpschultz.de, 1 +rpts.edu, 1 +rpus.co, 1 +rpy.xyz, 1 +rq-labo.jp, 1 +rq.is, 1 +rqvmovies.com, 1 +rr30019.com, 1 +rr361.de, 1 +rr5197.co, 1 +rr6729.co, 1 +rr6729.com, 0 +rr6957.co, 1 +rr9297.co, 1 +rr9728.co, 1 +rrailto.com, 1 +rray.org, 1 +rrbahmedabad.gov.in, 1 +rrbmuzaffarpur.gov.in, 1 +rrbpatna.gov.in, 1 +rrbt.eu, 1 +rrbt.net, 1 +rrbts.com, 1 +rrdesignsuisse.com, 0 +rrdtool.com, 1 +rritv.com, 1 +rrke.cc, 0 +rrmac.ml, 1 +rrmiran.com, 1 +rrssww.space, 1 +rrtribalcourts-nsn.gov, 1 +rrudnik.com, 1 +rrvmz.cf, 1 +rrwolfe.com, 1 +rs-cloud.ddns.net, 1 +rs-devdemo.host, 1 +rs-maschinenverleih.de, 1 +rs.wiki, 1 +rs200.org, 1 +rsa-erp.com, 1 +rsa-services.com, 1 +rsanahuano.com, 1 +rsap.ca, 1 +rsarchive.net, 1 +rsauget.fr, 1 +rsb.net, 1 +rsblake.com, 1 +rsblake.net, 1 +rsc-cronenberg.de, 1 +rsc.wiki, 1 +rschooltoday.com, 1 +rscturmoil.com, 1 +rsdantyslab.lt, 1 +rsdbyroos.nl, 1 +rsdisedezzari.it, 1 +rsdns.ml, 1 +rse-reporting.com, 1 +rsec.kr, 1 +rsecure.tk, 1 +rsfinance.ch, 1 +rsgnl.fr, 1 +rsgx.com, 1 +rsingermd.com, 1 +rsl-hilden.de, 1 +rsl.gd, 1 +rslcaresa.com.au, 1 +rsldb.com, 1 +rslnd.com, 1 +rsm-intern.de, 1 +rsmedic.com, 1 +rsol.fr, 1 +rsolutions-expertises.fr, 1 +rspevents.ro, 1 +rspp.ru, 1 +rsquare.nl, 1 +rsridentassist.com, 1 +rsrnd.org, 1 +rsrural.com.br, 1 +rsrv.fr, 1 +rss.org.uk, 1 +rss.sh, 0 +rss3.co, 1 +rss3.io, 0 +rssfeedblast.com, 1 +rssfeedonline.tk, 1 +rssicons.pl, 1 +rssl.me, 1 +rssproject.nl, 1 +rssr.ddns.net, 1 +rssr.se, 1 +rssreaderone.com, 1 +rstadler.com, 1 +rstsecuritygroup.co.uk, 1 +rsttraining.co.uk, 1 +rsvaachen.de, 1 +rsvp, 1 +rsvpparty.com, 1 +rswebsols.com, 1 +rswm.in, 1 +rszod.com, 1 +rt-inc.com, 1 +rt-praxis-barbara-scheibel.de, 1 +rt.com, 1 +rt22.ch, 1 +rt96.it, 1 +rtarabic.com, 1 +rtate.ca, 1 +rtate.se, 1 +rtc-israel.com, 1 +rtcyber.com, 1 +rtd.uk, 0 +rtde.life, 1 +rtde.live, 1 +rtde.me, 1 +rtde.site, 1 +rtde.tech, 1 +rtde.world, 1 +rtde.xyz, 1 +rte.email, 1 +rte.eu, 1 +rte.host, 1 +rte.ie, 1 +rte.mobi, 1 +rte.radio, 1 +rte1.ie, 1 +rteaertel.ie, 1 +rtebensoc.ie, 1 +rtec.com.tw, 1 +rteguide.ie, 1 +rteinternational.ie, 1 +rtejr.ie, 1 +rtek.se, 1 +rtenews.eu, 1 +rteo.com.au, 1 +rteone.ie, 1 +rteplayer.co.uk, 1 +rteplayer.com, 1 +rteplayer.ie, 1 +rteplayer.org, 1 +rtesport.eu, 1 +rtestore.eu, 1 +rtgame.co.uk, 1 +rtgnews.cf, 1 +rtho.me, 1 +rths.tk, 0 +rtionline.gov.in, 1 +rtjobsite.com, 1 +rtkbe.com, 1 +rtl.de, 1 +rtlspiele.de, 1 +rtm.kr, 1 +rtmoran.org, 1 +rtmtech.ru, 1 +rtp.org, 1 +rtpa.es, 1 +rtparket.ga, 1 +rtsak.com, 1 +rtsr.ch, 0 +rttechlaw.com, 1 +rttreservations.com, 1 +rttss.com, 1 +rttvip.com, 1 +rttvvip.com, 1 +rtveen.nl, 1 +rtvslos.nl, 1 +rtwcourse.com, 1 +ru-acyclopedia.cf, 1 +ru-adv.tk, 1 +ru-auto.tk, 1 +ru-e-business.com, 1 +ru-m.org, 1 +ru-robot.tk, 1 +ru-sale.tk, 1 +ru-sprachstudio.ch, 1 +ru.search.yahoo.com, 0 +ru251.tk, 1 +rua.ink, 0 +ruageek.com, 1 +ruangangkasa.com, 0 +ruanmi.de, 1 +ruanwen168.com, 1 +ruavan.com, 1 +rubashki-opt.ml, 1 +rubashki.tk, 1 +rubbaduckee.tk, 1 +rubber.cf, 1 +rubberband.com, 1 +rubberchicken.net, 1 +rubberduckit.com, 1 +rubberlegscastles.co.uk, 1 +rubbermaidoutlet.com, 0 +rubbix.net, 1 +rubblebenoni.co.za, 1 +rubbleedenvale.co.za, 1 +rubblekempton.co.za, 1 +rubblemidrand.co.za, 1 +rubblerandburg.co.za, 1 +rubbleremovalsjohannesburgsouth.co.za, 1 +rubblesandton.co.za, 1 +rubdiavila.com, 1 +ruben.ga, 1 +rubenbaer.ch, 1 +rubenbrito.net, 1 +rubenfelix.tk, 1 +rubengutierrez.tk, 1 +rubenkruisselbrink.nl, 1 +rubenmamo.com, 1 +rubenpeeters.ml, 1 +rubenplazagarcia.es, 1 +rubenroy.com, 1 +rubenruiz.org, 1 +rubens.cloud, 1 +rubenschulz.nl, 1 +rubenshotel.com, 1 +rubenshuis.be, 1 +rubenslikkarchive.com, 1 +rubensteinphotography.com, 1 +rubensvrouwen.tk, 1 +ruber.cf, 1 +rubia.ca, 1 +rubiales.tk, 1 +rubic.tk, 1 +rubiconwi.gov, 1 +rubidium.ml, 1 +rubidium.se, 1 +rubik.tk, 1 +rubika.com.ua, 1 +rubinamillinery.com, 1 +rubinchyk.tk, 1 +rubinnadlan.co.il, 1 +rubiogafsi.com, 1 +rubirubli.tk, 1 +rubix.com, 1 +rublacklist.net, 1 +rublev.tk, 1 +rubonnek.com, 1 +rubooks.gq, 1 +rubreklama.tk, 1 +ruby-auf-schienen.de, 1 +rubyfactory.io, 1 +rubymaybetranslations.com, 1 +rubymediagroup.com, 1 +rubyonline.tk, 1 +rubyonremote.com, 1 +rubyquincunx.org, 1 +rubyribbon.com, 1 +rubystore.ga, 1 +rucheentreprise.fr, 1 +ruchka-mashinka.gq, 1 +rucinscy.net, 1 +rucinski.ch, 1 +rucinski.eu, 1 +rucinski.uk, 1 +rucksackrebellen.de, 1 +ruckzuck-privatpatient.de, 1 +rud.is, 1 +rudating.tk, 1 +rudd-o.com, 0 +rude.com, 1 +rudefish.tk, 1 +rudewiki.com, 1 +rudianto.id, 1 +rudibora.ml, 1 +rudimentalluxury.com, 1 +rudloff.pro, 1 +rudnikas.com, 1 +rudolf.gq, 1 +rudolph.life, 1 +rudovasky.com, 1 +rudrastyh.com, 1 +rudy.ga, 1 +rudymendoza.tk, 1 +rue-de-la-vieille.fr, 0 +ruebli-kurier.ch, 1 +rueckbeil.com, 1 +rueckert-gymnasium-blog.de, 1 +rueckgr.at, 1 +ruecommune.fr, 1 +ruediger-voigt.eu, 1 +ruedigervoigt.de, 1 +rueduparticulier.tk, 0 +rueg.eu, 1 +ruero.com, 1 +ruerte.net, 1 +ruexpert.cf, 1 +ruf888.com, 1 +rufartabs.ml, 1 +ruffbeatz.com, 1 +ruffcuts.com.au, 1 +ruffinstorage.com, 1 +ruffkatt.com, 1 +ruffm.com, 1 +ruffnecks.tk, 1 +ruflay.ru, 1 +ruforce.ml, 1 +rugadgets.tk, 1 +rugby.tk, 1 +rugby.video, 1 +rugbynow.com, 1 +rugbyrama.fr, 1 +rugcleaninglondon.co.uk, 1 +rugeley-vets.co.uk, 1 +rugged-cctv.com, 0 +rugk.dedyn.io, 1 +rugspa.ie, 1 +rugstorene.co.uk, 1 +rugugu.jp, 1 +ruha.co.in, 1 +ruhigehand.de, 1 +ruhimustafa.tk, 1 +ruhnke.cloud, 0 +ruhproject.kz, 1 +ruhrdurst.tk, 1 +ruhrmobil-e.de, 1 +ruhrnalist.de, 1 +ruhrpott-media.com, 1 +ruhrpott-media.de, 1 +ruhrpott.rodeo, 1 +rui-t.xyz, 1 +ruiduntrading.com, 1 +ruifu.tech, 1 +ruileitao.pt, 1 +ruiming.me, 1 +ruimonteiro.pt, 1 +ruimoreira.co.uk, 1 +ruimtevoor.gent, 1 +ruimtevoorgent.be, 1 +ruin.one, 1 +ruinme.tk, 1 +ruinone.com, 1 +ruinsofchaos.com, 1 +ruiruigeblog.com, 1 +ruitersportbak.nl, 1 +ruixin.org, 1 +rujbin.ddns.net, 1 +ruk.ca, 1 +rukhaiyar.com, 1 +rukiyegarip.art, 1 +ruknguk.tk, 1 +rukouye.cf, 1 +rukouye.ml, 1 +rul.ai, 1 +rulaholding.fi, 1 +rule5.ai, 1 +ruli.tk, 1 +ruliad.de, 1 +rullzer.com, 1 +rultek.tk, 1 +rulu.tv, 1 +rumaenien.immo, 1 +rumah-tanah-dijual.com, 1 +rumah123.com, 1 +rumahbukitpodomoro.com, 1 +rumahcodingtest.tk, 1 +rumahkeadilan.co.id, 1 +rumahkristal.tk, 1 +rumahminimalisoi.com, 1 +rumahpropertigratis.com, 1 +rumahresep.cf, 1 +rumartinez.es, 1 +rumata.pub, 1 +rumatallc.com, 1 +rumbasguayaquil.com, 1 +rumble.com, 1 +rumbleline.ga, 1 +rumeli.edu.tr, 1 +rumemi.com, 1 +rumenka.tk, 1 +ruminecraftru.tk, 1 +rumix.ga, 1 +rumix.tk, 1 +rumlager.de, 1 +rummage4property.co.uk, 1 +rummey.co.uk, 1 +rumreader.com, 1 +rumtaste.com, 1 +rumus.co.id, 1 +rumusbilangan.com, 1 +rumusrumus.com, 1 +rumussoal.com, 1 +run-it-direct.co.uk, 1 +run.vn, 1 +runagain.ch, 0 +runalyze.com, 1 +runame.ml, 1 +runar-data.de, 1 +runbo-australia.ga, 1 +runbo-new-zealand.ga, 1 +runbo-nz.ga, 1 +runboaustralia.ga, 1 +runcarina.com, 1 +rundh-audio.de, 1 +rundh.de, 1 +rundom.co, 1 +rundu.ml, 1 +rundum-service-omh.de, 1 +rundum-sorglos.digital, 1 +rundumcolumn.xyz, 1 +runebet.com, 1 +runeblog.ru, 1 +runecaster.tk, 1 +runementors.com, 0 +runes.cf, 1 +runescape.wiki, 1 +runescapelordsconquest.tk, 1 +runesforbeginners.com, 1 +runet.cf, 1 +runetracker.org, 1 +runeworldforums.tk, 1 +runews.cf, 1 +runfitcoaching.com, 1 +rungie.com, 0 +rungisinternational.com, 1 +rungstedhave.dk, 1 +rungutan.com, 1 +runicspells.com, 1 +runklesecurity.com, 1 +runlet.gq, 1 +runlevel3.de, 1 +runmyprocess.com, 1 +runmyqubit.com, 1 +runmyqubit.de, 1 +runmyvillage.com, 1 +runner.az, 1 +runners.yoga, 1 +runnerslab.com, 1 +running-tiger.ch, 1 +running-tiger.cn, 1 +running-tiger.de, 1 +runningcitadel.com, 1 +runningfast.cf, 1 +runningrabb.it, 1 +runningshows.tk, 1 +runpartner.com, 1 +runrun.es, 1 +runrun.sk, 1 +runschrauger.com, 1 +runvs.io, 1 +ruobiyi.com, 0 +ruobr.ru, 1 +ruonavaara.fi, 1 +ruoskachile.tk, 1 +rupeek.com, 1 +rupeespeaks.tk, 1 +rupeevest.com, 1 +rupom.me, 1 +rupool.tk, 1 +rupostel.com, 1 +rupressa.tk, 1 +ruprivorot.tk, 1 +rupture-skate.tk, 1 +ruptureradio.com, 1 +ruqbnsmokebbq.ga, 1 +ruquiz.tk, 1 +rural-house.tk, 1 +rural.gov, 1 +ruralhousing.es, 1 +ruralis.it, 1 +ruralsuppliesdirect.co.uk, 1 +rurange-les-thionville.fr, 1 +ruri.io, 1 +rurian-gyohen.com, 1 +ruris.bg, 1 +ruro.tk, 1 +rurouni.tk, 1 +rus-blog.tk, 1 +rus-call.com, 1 +rus-manual.tk, 1 +rusa.loan, 1 +rusakov.tk, 1 +rusdigisolutions.com, 1 +ruse.church, 1 +ruseartgallery.tk, 1 +rusenemas.tk, 1 +rusexmany.ml, 1 +rush49.com, 1 +rushashkyfond.com, 1 +rushbmedia.com, 1 +rushcountykansas.gov, 1 +rushhour.nl, 0 +rushmix.com, 0 +rushmyessay.gq, 1 +rushpoppershop.co.uk, 1 +rushriverwi.gov, 1 +rushyo.com, 1 +rusichi.tk, 1 +rusien-den.com, 1 +rusificatio.tk, 1 +rusifikator.tk, 1 +rusiptv.cf, 1 +ruska-modra.cz, 1 +ruskamodra.cz, 1 +ruskcountytx.gov, 1 +ruski.tk, 1 +ruskod.net, 1 +ruslandautohuur.nl, 1 +rusmir.tk, 1 +rusmodel.tk, 1 +rusmolotok.ru, 1 +rusnalog.ru, 1 +rusnicolas.cf, 1 +rusnum.com, 1 +rusnum.ru, 1 +rusorg.de, 1 +ruspolik.ru, 1 +rusposuda.cf, 1 +russ-portal.tk, 1 +russandol.eu, 1 +russchooljordan.tk, 1 +russell-ar.gov, 1 +russell-tech.co.uk, 1 +russellcountyky.gov, 1 +russellenvy.com, 1 +russelljohn.net, 1 +russellmeek.net, 1 +russellshobby.com, 1 +russellupevents.co.uk, 1 +russia-furniture.tk, 1 +russia-knigi.ga, 1 +russia-rp.tk, 1 +russia.wtf, 1 +russiahockey.tk, 1 +russiahunting.tk, 1 +russialife.gq, 1 +russian-artist.tk, 1 +russian-fur.tk, 1 +russian-knights.ru, 1 +russian-page.tk, 1 +russianbearsmotorsport.tk, 1 +russianbluecatsguide.com, 1 +russianbrides.cf, 1 +russianbridge.org, 1 +russianbristol.tk, 1 +russiancrimes.in.ua, 1 +russianews.cf, 1 +russianews.ga, 1 +russianflora.com, 1 +russianflora.ru, 1 +russianpostcalc.ru, 1 +russianpunkrock.tk, 1 +russianrandom.ru, 1 +russiantranslation.tk, 1 +russinfo.net, 1 +russisch.tk, 1 +russograffix.tk, 1 +russpuss.ru, 1 +rust.cf, 1 +rust.mn, 1 +rust.pm, 1 +rust.yokohama, 1 +rustambek.tk, 1 +rustamkhanko.gq, 1 +rustdesk.com, 1 +rustfactory.io, 1 +rustfanatic.com, 1 +rustfu.rs, 1 +rusticpathways.com.au, 1 +rusticroadlandscaping.com, 1 +rusticus-consulting.de, 0 +rustls.com, 1 +rustls.org, 1 +rustonla.gov, 1 +rustup.rs, 1 +rusty44.com, 1 +rustyrambles.com, 0 +rustytub.com, 1 +rusunion.org, 1 +ruswomen.tk, 1 +ruta-66.tk, 1 +rutadelastermitas.tk, 1 +rutadelmejillon.com, 1 +rutar.org, 1 +rutas-turisticas.com, 1 +rutascostarica.viajes, 1 +rutasindonesia.viajes, 1 +rutasmaldivas.viajes, 1 +rutazeus.tk, 1 +ruter.myftp.org, 0 +rutgerbrouwer.tk, 1 +rutgerschimmel.nl, 0 +rutgershealth.org, 1 +ruthbarrettmusic.com, 1 +ruthbellgrahammemorial.org, 1 +ruthhaloho.com, 1 +ruthil.co.il, 1 +ruthil.com, 1 +ruthlavidente.com, 1 +ruthmarques.com.br, 1 +ruthmontenegro.com, 1 +ruthmontenegro.es, 1 +rutiger.com, 1 +rutika.ru, 1 +rutlandma.gov, 1 +rutorka.tk, 1 +ruttenadvocaat.be, 1 +rutterroy.com, 1 +ruud-online.tk, 1 +ruudkoot.nl, 1 +ruurdboomsma.nl, 1 +ruvoip.net, 1 +ruwhof.com, 1 +ruwhof.net, 1 +ruxit.com, 0 +ruya.com, 1 +ruyana.tk, 1 +ruyatabirleri.com, 1 +ruyatabirlerin.gen.tr, 1 +ruzaevka.tk, 1 +ruzomberok.bike, 1 +ruzovyslon.cz, 1 +rv-jpshop.com, 1 +rva.gov, 1 +rvaneijk.io, 1 +rvantwembeke.tk, 1 +rvcamperguide.com, 1 +rvem.org, 1 +rvender.cz, 1 +rvf6.com, 1 +rvmfm.com, 1 +rvoigt.eu, 1 +rvrcleaning.nl, 0 +rvsa2bevestigingen.nl, 1 +rvsa4bevestigingen.nl, 1 +rvsbevestigingen.nl, 1 +rvss-or.gov, 1 +rvvc.im, 1 +rw-invest.com, 1 +rw.search.yahoo.com, 0 +rw2.de, 1 +rwalch.at, 1 +rway.pro, 1 +rwb.charity, 1 +rwbstuff.com, 1 +rwgamernl.ml, 1 +rwhapdentalservicesreport.net, 1 +rwlib.net, 1 +rws-cc.com, 1 +rws-vertriebsportal.de, 1 +rwx.ovh, 1 +rwx.work, 1 +rx-base.nl, 1 +rx-diet.com, 1 +rxbn.de, 1 +rxbusiness.com, 1 +rxcarbon.com, 1 +rxcom.net, 1 +rxphoto.com, 1 +rxtx.pt, 0 +rxxx.ml, 1 +ry88url.com, 1 +ryabinushka.tk, 1 +ryan-13.tk, 1 +ryan-design.com, 1 +ryan-gehring.com, 1 +ryan-goldstein.com, 1 +ryan.black, 1 +ryan.cafe, 1 +ryananeff.com, 1 +ryanclemmer.com, 1 +ryancmassey.com, 1 +ryancompanies.com, 1 +ryandewsbury.co.uk, 1 +ryanfamily.net.au, 1 +ryanhopk.com, 1 +ryanhowell.io, 1 +ryanjarvis.law, 1 +ryankearney.com, 0 +ryankilfedder.com, 1 +ryanonfire.tk, 1 +ryanparman.com, 1 +ryanrichardwalker.com, 1 +ryansmithphotography.com, 1 +ryanwordpress.com, 1 +ryazagro.ru, 1 +ryazan-region.ru, 1 +ryazancity.tk, 1 +rybak-opt.ru, 1 +rybak-russia.ru, 1 +rybalku.ru, 1 +rybarski.com, 1 +rybinsk.ga, 1 +rybnitsa.cf, 1 +rybnitsa.ga, 1 +rybnitsa.gq, 1 +rybnitsa.tk, 1 +rybox.info, 1 +rychlikoderi.cz, 0 +rycose.com, 1 +rycose.net, 1 +rycpk.org, 1 +ryd.no, 1 +rydeify.com, 1 +ryder.tk, 1 +rydercragie.co.uk, 1 +rydercragie.com, 1 +rydercragie.uk, 1 +rydermais.tk, 1 +ryderstatus.com, 1 +rydi.org, 1 +ryejuice.sytes.net, 1 +ryenews.org.uk, 1 +ryfma.com, 1 +ryland.consulting, 0 +rylbyte.com, 1 +rylin.net, 1 +rymanow.tk, 1 +rymdweb.com, 1 +rymergames.tk, 1 +rymshospital.com, 1 +rynekpierwotny.pl, 1 +rynkebo.dk, 1 +ryobitools.eu, 1 +ryoch.in, 1 +ryois.me, 1 +ryois.net, 1 +ryona.agency, 1 +rys.pw, 1 +rythm.es, 1 +ryu-ga-gotoku-audition.com, 1 +ryu22e.org, 1 +ryuanerin.kr, 1 +ryuukei-nf.tk, 1 +ryvit.com, 1 +ryzen.cz, 1 +ryzhov.me, 1 +rzeczy-silene.pl, 1 +rzero.com, 1 +rzero.tk, 1 +rzhv1.cf, 1 +rzip.de, 1 +rzsmt.com, 1 +s-5-university.com, 1 +s-c.se, 1 +s-comp.pl, 1 +s-cubed.net, 1 +s-deal.eu, 1 +s-geiser.de, 1 +s-gong.com, 1 +s-he.at, 1 +s-hertogenbosch.tech, 1 +s-housing.vn, 1 +s-huset.dk, 1 +s-i-m.tk, 1 +s-kaupat.fi, 1 +s-mainte.com, 1 +s-mall.com.sg, 1 +s-n-unso.com, 1 +s-on.li, 1 +s-pro.io, 1 +s-s-paint.com, 1 +s-sisters.ru, 1 +s-team.tk, 1 +s-u.pw, 1 +s-yuz.com, 1 +s-zwrm.de, 1 +s.ai, 1 +s.ee, 1 +s.lu, 1 +s.sb, 1 +s.td, 1 +s.team, 1 +s.tt, 1 +s.wtf, 1 +s007.co, 1 +s0923.com, 1 +s0laris.co.uk, 1 +s0t.ru, 1 +s1-llc.com, 1 +s10y.eu, 1 +s1128.com, 1 +s1l3nt.org, 1 +s1mplescripts.de, 1 +s1ris.org, 1 +s2.coach, 1 +s20121946.ml, 1 +s26s.com, 1 +s2i.ch, 0 +s2member.com, 1 +s2n.tech, 1 +s2t.net, 0 +s36533.com, 1 +s3call.ddns.net, 0 +s3chat.ddns.net, 1 +s3cur1ty.com, 1 +s3cur3.it, 1 +s3file.ddns.net, 1 +s3gfault.com, 1 +s3lph.me, 1 +s3w.es, 1 +s3waas.gov.in, 1 +s402.de, 1 +s404.de, 1 +s44.eu, 1 +s4c.cymru, 0 +s4db.net, 1 +s4hosting.in, 1 +s4media.org, 1 +s4media.xyz, 1 +s4q.me, 1 +s4tips.com, 1 +s4ur0n.com, 1 +s5197.co, 1 +s550.cc, 0 +s551.cc, 0 +s552.cc, 0 +s553.cc, 0 +s556.cc, 0 +s557.cc, 0 +s558.cc, 0 +s559.cc, 0 +s5g8.com, 1 +s6.tel, 1 +s64.cz, 1 +s6729.co, 1 +s6729.com, 1 +s6957.co, 1 +s6jl.com, 1 +s6n.jp, 1 +s6o.de, 1 +s82365.com, 1 +s88.com, 1 +s8a.me, 1 +s92.cloud, 1 +s92.io, 1 +s92.me, 1 +s9297.co, 1 +s95.de, 1 +s9728.co, 1 +s9h.cn, 0 +sa-blog.net, 1 +sa-mp.me, 1 +sa-mp.ro, 1 +sa-refer.nhs.uk, 1 +sa-stu.com, 1 +sa-studio.chat, 1 +sa-studio.ltd, 1 +sa-studio.vip, 1 +sa.gov, 1 +sa.net, 1 +sa68.cc, 1 +sa88.cc, 0 +saadat.in.ua, 1 +saadurrehman.tk, 1 +saam.aero, 1 +saanich.ca, 1 +saap.me, 1 +saaral.org, 1 +saarehaigla.ee, 1 +saaremaa.tk, 1 +saaricraft.ml, 1 +saarloosschilderwerken.nl, 1 +saarteliinid.ee, 1 +saas.de, 1 +saasalerts.com, 1 +saatchiart.com, 1 +saathi.asia, 1 +sab.id, 1 +saba-piserver.info, 1 +saba-shop.tk, 1 +sabachat.tk, 1 +sabahattin-gucukoglu.com, 1 +sabaland.tk, 1 +sabanco.com.br, 1 +sabaplastic.co, 1 +sabasseguros.cl, 1 +sabatikirooms.com, 1 +sabbat-wildfire.tk, 1 +sabbaticalhomes.com, 1 +sabbottlabs.com, 1 +sabedinovski.tk, 1 +saber-nyan.com, 1 +sabesprev.com.br, 1 +sabghijewelers.com, 1 +sabharwallawfirm.ca, 1 +sabhindimai.net, 1 +sabians.tk, 1 +sabiasque.pt, 1 +sabine-forschbach.de, 1 +sabineforschbach.de, 1 +sablanout.com, 1 +sable.gq, 1 +sabmobile.pk, 1 +saborcaribe.tk, 1 +saboresdamontanha.com.br, 1 +sabranie.com, 1 +sabrina-auer.tk, 1 +sabrinajoias.com, 1 +sabrinajoias.com.br, 1 +sabrinajoiasprontaentrega.com.br, 1 +sabrinajoiasvarejo.com.br, 1 +sabrinamiskiewicz.tk, 1 +sabrinarus.tk, 1 +sabrinazeidan.com, 1 +sabrine.tk, 1 +sabris.com, 1 +sabung-ayam.net, 1 +sabworldtricks.tk, 1 +sac-shoes.fr, 1 +sacabc.ca, 1 +sacademica.tk, 1 +sacaentradas.com, 1 +saccani.net, 1 +saccottino.tk, 1 +saccounty.gov, 1 +saccountyiowa.gov, 1 +sace.ca, 1 +sace.org.za, 1 +sacektirme.tk, 1 +sacfreightlines.com, 1 +sacha-botz.com, 0 +sacharidovejednotky.eu, 1 +sachasmets.be, 1 +sachi.lk, 1 +sachiepvien.net, 1 +sachinchauhan.ml, 1 +sachk.com, 0 +sachse.info, 0 +sachsenlady.com, 1 +sachte-restaurant.de, 1 +sacians.tk, 1 +sacibo.ga, 1 +sackmesser.ch, 1 +saclier.at, 1 +saco.tech, 1 +sacodealegria.com, 1 +sacprincesse.com, 1 +sacramentocounty.gov, 1 +sacramentum.tk, 1 +sacreatedesign.com, 1 +sacreativity.com, 1 +sacred-destinee.tk, 1 +sacred-knights.net, 1 +sacredart-murals.co.uk, 1 +sacredheart-cliftonheights.net, 1 +sacredheartbath.org, 1 +sacredheartmission.org, 1 +sacredmessages.net, 1 +sacredsecondhandbooks.com.au, 1 +sacrome.com, 1 +sacrosanctus.tk, 1 +sacscoc.org, 1 +sacwellness.com, 1 +sad-berezka.ru, 0 +sad-ko.ru, 1 +sadbox.es, 1 +sadbox.org, 1 +sadbox.xyz, 1 +sadeedos.systems, 1 +sadeem.space, 1 +sadesign.co.uk, 1 +sadev.co.za, 1 +sadhana.cz, 1 +sadhanaclub.de, 1 +sadhawkict.org, 1 +sadiejanehair.com, 1 +sadiestavern.cf, 1 +sadiestavern.ga, 1 +sadiestavern.gq, 1 +sadiestavern.ml, 1 +sadievilleky.gov, 1 +sadiosang.net, 1 +sadiqloaded.tk, 1 +sadjawebsolutions.com, 1 +sadko-group.com, 1 +sadkodesign.com.ua, 1 +sadmansh.com, 1 +sadou.kyoto.jp, 0 +sadoun.com, 1 +sadovskiy.tech, 1 +sadrailsim.de, 1 +sadsu.com, 0 +sadtxt.com, 1 +sadurscy.pl, 1 +sadus.tk, 1 +saechsischer-christstollen.shop, 0 +saeder-krupp.de, 1 +saeedvaladbaygi.info, 1 +saeidii.com, 1 +saeitalianfood.com, 1 +saenforcement.agency, 1 +saengsook.com, 1 +saengsuk.com, 1 +saevor.com, 1 +saf.earth, 1 +safagiza.ml, 1 +safalfasalonline.in, 1 +safar.sk, 1 +safara.host, 1 +safataviationgroup.com, 1 +safatech.me, 1 +safc.tk, 1 +safe-kim.com, 1 +safeacs.com, 1 +safeadmin.ga, 1 +safeandsecureserver.com, 1 +safearth.training, 1 +safeathomeohio.gov, 1 +safeatlast.co, 1 +safebaseflorida.com, 1 +safebaseinc.com, 1 +safebasementswaterproofing.com, 1 +safebits.ch, 1 +safebits.de, 1 +safebits.eu, 1 +safebits.fr, 1 +safebits.it, 1 +safeblackout.com, 1 +safeboard.ml, 1 +safebus.io, 1 +safecar.gov, 1 +safecircuitelectric.com, 1 +safecoin.tech, 1 +safecso.cf, 1 +safedatabasesystems.com, 1 +safedrivepod.com, 1 +safeers.tk, 1 +safefly.se, 1 +safefreehost.gq, 1 +safefreepornsites.com, 1 +safegas.com.ua, 1 +safegold.ca, 1 +safegroup.pl, 1 +safeguardace.com, 1 +safeguardhosting.ca, 1 +safehero.com, 1 +safeheron.com, 1 +safeheron.vip, 1 +safehouse.zone, 1 +safehousepestcontrol.au, 1 +safeinfra.nl, 1 +safejourney.education, 1 +safekidney.com.tw, 1 +safeme.ga, 1 +safeme.gq, 1 +safemt.gov, 1 +safenetwork.it, 1 +safensoundstoragegroton.com, 1 +safeo.fr, 1 +safeocs.gov, 1 +safeplay.co, 1 +safeplayground.net, 1 +safeporn.org, 1 +safeprint.pt, 1 +safer-software.tk, 1 +safera.com, 1 +safercar.gov, 1 +saferchildren.eu, 0 +saferequest.net, 1 +saferfederalworkforce.gov, 1 +safermao.fr, 1 +saferpost.com, 1 +saferproduct.gov, 1 +saferproducts.gov, 1 +saferrafrica.org, 1 +safersurfing.eu, 0 +safertruck.gov, 1 +safescif.com, 1 +safesearchs.com, 1 +safesecuretrusted.com, 1 +safesecurevital.ca, 1 +safesmartvent.com, 1 +safesoundcounselingllc.com, 1 +safestayok.gov, 1 +safestreets.cf, 1 +safetables.ga, 1 +safethishome.com, 1 +safetrainingservices.co.uk, 1 +safetrax.in, 1 +safety-in-construction.tk, 1 +safety.co.nz, 1 +safetycloud.me, 1 +safetydrivessuccess.com, 1 +safetymeasuresas.com, 1 +safetymp3.com, 1 +safetynames.com, 1 +safetynation.co.uk, 1 +safetynetwork.me, 1 +safetynigeria.com, 1 +safetyrange.com, 1 +safetyrisk.net, 1 +safetysite.tips, 1 +safetysource.co.nz, 1 +safevault.org, 1 +safevisit.com.au, 1 +safewatchsecurity.ie, 1 +safewayins.com, 1 +safewayinsurance.com, 1 +safewaysecurityscreens.com.au, 1 +safewaywaterproofing.com, 1 +safewebsystems.com, 1 +safex.org, 1 +saffron.com, 1 +saffronpreview.global, 1 +safiafashion.kz, 1 +safijourney.com, 1 +safinamide.co.uk, 1 +safiosolutions.com, 1 +safirakbar.tk, 1 +safire.ac.za, 1 +safkgroup.com, 1 +safleo.org, 1 +safquh.com, 1 +sag-consultores.com, 1 +sagacioussuricata.com, 1 +sagagardencentre.co.uk, 1 +sagan.tk, 1 +sagarawat.in, 1 +sagargandecha.com.au, 0 +sagasailing.dk, 1 +sagauae.com, 1 +sageclinic.org, 1 +sagefitness.store, 1 +sagegardens.ca, 1 +sagenesykkel.com, 1 +sagenet.net.au, 0 +sagerus.com, 1 +sageseeds.info, 1 +sagetel.ga, 1 +sageth.com, 1 +saggis.com, 1 +saggytitsporn.com, 1 +saghekin.com, 1 +sagicorgeneral.com, 1 +sagicorlife.com, 1 +sagicorlifeusa.com, 1 +sagitta.hr, 1 +saglik-haberleri.tk, 1 +saglikhaber.tk, 1 +sagliklidegisim.com, 1 +sagnette.xyz, 1 +sago.group, 1 +sagomedia.tk, 1 +sagradamadre.hu, 1 +sagradobyme.cl, 1 +sagretreviso.it, 1 +sahabatnesia.com, 1 +sahafekitap.com, 1 +sahalin.tk, 1 +sahalinskiy.gq, 1 +sahar.io, 1 +saharacloud.com, 1 +sahararun.tk, 1 +saharazik.tk, 1 +saharmassachi.com, 1 +sahb.dk, 1 +sahilbahl.com, 1 +sahinozgenhukuk.com, 1 +sahkotyot.eu, 1 +sahpa.co.za, 1 +saibotk.de, 1 +said.id, 1 +said.it, 1 +said.my.id, 1 +saidpurtechnical.tk, 1 +saidrive.net, 1 +saidrive.online, 1 +saidtezel.com, 0 +saieditor.com, 1 +saifonvillas.com, 1 +saifoundation.in, 1 +saifoundation.org, 1 +saigonflowers.com, 1 +saigonland24h.vn, 1 +saigonstar.de, 1 +saikarra.com, 1 +saikou.moe, 1 +saikouji.tokushima.jp, 1 +sail-holidays-hub.gr, 1 +sail-nyc.com, 1 +sailarmada.com, 1 +sailboatdata.ddns.net, 1 +sailmail.io, 1 +sailormoondoujinshi.org, 1 +sailormoonevents.org, 1 +sailormoonfansubs.com, 1 +sailormoongallery.org, 1 +sailormoonlibrary.org, 1 +sailum.tk, 1 +sailwiz.com, 1 +saily.pl, 1 +saimithrayoga.nl, 1 +saimoe.moe, 1 +saimoe.org, 1 +sainet.xyz, 1 +sainetworks.net, 1 +sainews.net, 1 +sainikbiswas.com, 0 +sainokuni-eng.jp, 1 +sainsburys.jobs, 1 +sainsburysbusinessdirect.co.uk, 1 +sainshand.tk, 1 +saint-bernard-gouesch.fr, 1 +saint-clan.tk, 1 +saint-cyril.com, 1 +saint-peterburg.tk, 1 +saint-petersburg.cf, 1 +saint-petersburg.gq, 1 +saint-petersburg.ml, 1 +saint-ssd.org, 1 +saintaardvarkthecarpeted.com, 1 +saintanne.net, 1 +saintanthonylakin.org, 1 +saintaugustineschool.tk, 1 +saintbernardpetcare.com, 1 +saintefoy-tarentaise.fr, 1 +saintereso.tk, 1 +sainteugenechurch.net, 1 +sainteugeneschurch.com, 1 +saintfrancescabrini.net, 1 +saintgabrielparish.org, 1 +sainth.de, 0 +sainthedwig-saintmary.org, 1 +sainthelena-centersquare.net, 1 +sainthelenaparish.net, 1 +sainthelenas.org, 1 +saintisidorecyo.com, 1 +saintjamestheapostle.org, 1 +saintjosephschurch.net, 1 +saintleochurch.net, 1 +saintlouisfence.com, 1 +saintmarkchurch.net, 1 +saintmaryna.com, 1 +saintmaryscathedral-trenton.org, 1 +saintmichaelpress.tk, 1 +saintpatrick-norristown.net, 1 +saintpetersburg.cf, 1 +saintpetersburg.ga, 1 +saintpetersburg.gq, 1 +saintpetersburg.ml, 1 +saintphilipneri.org, 1 +saintpius.net, 1 +saintpolycarp.org, 1 +saintseiya-temple.tk, 1 +saintspicious.de, 1 +saintsrowmods.com, 1 +sainttheresahome.org.sg, 1 +saintvincent.tk, 1 +saintw.com, 0 +sainzderozas.com, 1 +saipariwar.com, 1 +saipeople.net, 1 +saiputra.com, 1 +saiputra.net, 1 +sairadio.net, 1 +sairadio.net.in, 1 +sairadio.one, 1 +sairai.bid, 1 +sairlerimiz.tk, 1 +sairus.fr, 1 +saisandesh.org, 1 +saisecure.net, 1 +saiserver.net, 1 +saisons-fruits-legumes.fr, 1 +saisyuusyou-ikebukuro.com, 1 +saisyuusyou-omiya.com, 1 +saisyuusyou-takasaki.com, 1 +saisyuusyou-utsunomiya.com, 1 +sait.health, 1 +saitapovan.com, 1 +saitas.net, 1 +saito-koken.co.jp, 1 +saitrance.com, 1 +saitschool.ml, 1 +saitv.net, 1 +saitv.org.in, 1 +saiwebtv.com, 1 +sajabesaya.tk, 1 +sajbersove.rs, 1 +sajdowski.de, 0 +sajetekengineering.com, 1 +sajjadrezaei.fit, 1 +sajjadzaidi.com, 1 +sajt-vizitka-nedorogo.ru, 1 +sajter.ga, 1 +sakac.cz, 1 +sakainvest.com, 1 +sakaki.anime.my, 0 +sakamichi.moe, 1 +sakaritsa-residence.com, 1 +sakaryahaberi.tk, 1 +sakder.com, 1 +sake.my, 1 +sakellariadis.gr, 1 +sakenohana.com, 1 +sakerhetsbubblan.se, 1 +sakiborislam.com, 1 +sakipsabancimuzesi.org, 1 +sakirdak.tk, 1 +sakitama-shika.com, 1 +sakiyamagumi.com, 1 +saklad5.com, 1 +sako-lab.jp, 1 +sakostacloud.de, 1 +sakrajda.eu, 1 +saksham.org, 1 +sakshi.gq, 1 +saksonski-szlak-parowozow.pl, 1 +sakura-paris.org, 1 +sakuracdn.com, 1 +sakuramarketingdigital.com.br, 1 +sakurapalace.tk, 1 +saladgo.id, 1 +saladin.vn, 1 +salahospitality.com, 1 +salalfoundation.ca, 0 +salamanders.tk, 1 +salamence.tk, 1 +salamzibaei.com, 1 +salariominimo.com.co, 1 +salarycalculatoruk.co.uk, 1 +salaryfinance.com, 1 +salas.cf, 1 +salas.tk, 1 +salasbanquetes.cl, 1 +salat-s-krevetkami.ru, 1 +salati.tk, 1 +salatiga.com, 1 +salatiga.net, 1 +salboy.co.uk, 1 +salce.com.au, 1 +salco-company.com, 1 +sald.us, 1 +saldanda.ml, 1 +salde.net, 1 +salduero.tk, 1 +sale-internet.cf, 1 +sale-sokuho.com, 1 +sale4ru.ru, 1 +saleaks.org, 1 +salebaba.com, 1 +saleduck.at, 1 +saleduck.ch, 1 +saleduck.co.id, 1 +saleduck.co.th, 1 +saleduck.com.my, 1 +saleduck.com.ph, 1 +saleduck.com.sg, 1 +saleduck.com.vn, 1 +saleduck.dk, 1 +saleduck.fi, 1 +saleduck.se, 1 +saledump.nl, 1 +saleem.cf, 1 +salegor.tk, 1 +saleh4unraid.cyou, 1 +salekaz.ru, 1 +salemma.gov, 1 +salempress.com, 1 +salensmotors-usedcars.be, 1 +salento-nostro.tk, 1 +salentocab.com, 1 +salerno-on-line.tk, 1 +salernonotizie.it, 1 +salernotoday.it, 1 +salery.ga, 1 +sales-experience.nl, 1 +sales-respect.nl, 1 +salesdesign.vn, 1 +salesdivisie.nl, 1 +salesdock.be, 1 +salesdock.de, 1 +salesdock.nl, 1 +salesflare.com, 1 +salesforce-communities.com, 1 +salesforce-experience.com, 1 +salesforce-hub.com, 1 +salesforce-scrt.com, 1 +salesforce-setup.com, 1 +salesforce-sites.com, 1 +salesforce.com, 1 +salesforce.mil, 1 +salesforceliveagent.com, 1 +salesforcescrt.com, 1 +salesfunnelfirstaid.com, 1 +saleskeyonline.com, 1 +salesoutcomes.com, 1 +salesprocessing.gq, 1 +saletodo.com, 1 +saleturs.tk, 1 +saletzki.de, 1 +salework.net, 0 +salge.rocks, 1 +salhiyatower.com, 1 +salibandy.tk, 1 +salidaswap.com, 1 +salient-dialers.com, 1 +salilab.org, 1 +salim.space, 1 +salimicm.com, 1 +salinecountyks.gov, 1 +salinecountyne.gov, 1 +salinemi.gov, 1 +salinevilleoh.gov, 1 +salins-les-bains.com, 1 +salisburylehighpa.gov, 1 +salisburyreds.co.uk, 1 +salisucre.fr, 1 +salland1.nl, 1 +sallandstorage.nl, 1 +salledebainmontreal.gq, 1 +sallisawok.gov, 1 +sally-secret.com, 1 +sallyandruss.ca, 1 +sallyangeli.tk, 1 +sallycooke.co.uk, 1 +sallydowns.name, 1 +sallyheerenveen.nl, 1 +sallyjo.tk, 1 +sallyman.de, 1 +salmadenora.net, 1 +salman.agency, 1 +salmanravoof.com, 1 +salmati.de, 1 +salmelainenwalter.tk, 1 +salminencrane.tk, 1 +salmo-rybak.ru, 1 +salmonde.de, 1 +salmonella.co.uk, 1 +salmonrecovery.gov, 1 +salmotierra-salvatierra.com, 0 +salnet.wf, 1 +salo.fi, 1 +salon-de-patchouli.com, 1 +salon-hinata.biz, 1 +salon-largo.com, 1 +salon-legato.com, 1 +salon-minipli.de, 1 +salon-svadbi.tk, 1 +salon-yuan.jp, 0 +salon.io, 0 +salon1.ee, 1 +salonasymetria.com, 1 +salonboothuren.amsterdam, 1 +salone-mio.com, 1 +salonestella.it, 1 +saloniestate.ml, 1 +salonist.io, 1 +salonkaufmann.it, 1 +salonmarjon.nl, 1 +salonni.tk, 1 +salonsantebienetre.ch, 0 +salrosadohimalaia.com, 1 +salsa-straubing.de, 1 +salsa.berlin, 1 +salserocafe.com, 0 +salt-travel.cf, 1 +salt.fish, 1 +saltandlight.sg, 1 +saltcave.gq, 1 +saltedfish.network, 1 +saltedge.com, 1 +saltedpasta.com, 1 +salter.com.tr, 1 +saltercane.com, 0 +saltlakecounty.gov, 1 +saltlakehealth.gov, 1 +saltnsauce.cf, 1 +saltnsauce.ga, 1 +saltnsauce.gq, 1 +saltnsauce.ml, 1 +saltrecovery.com.au, 1 +saltro.nl, 0 +saltstack.cz, 1 +saltsugarlove.de, 1 +saltus.ga, 1 +saltwaterfishaspets.com, 1 +saltydogpaddle.org, 1 +saltykai.com, 1 +salud-paratodos.com, 1 +salud.top, 0 +saludakeuring.nl, 1 +saludmas.site, 1 +saludmaspro.com, 1 +saludnutrivida.com, 1 +saluels.servemp3.com, 1 +salukinet.tk, 1 +salunganogroup.com, 1 +salus-cm.care, 1 +salussafety.io, 1 +salut-butovo.cf, 1 +salutenaturale.com.br, 1 +salutes.tk, 1 +salutethefish.com, 1 +salutethegrains.com, 1 +salutethepig.com, 1 +salutparis.ml, 1 +salva.ovh, 1 +salva.re, 1 +salvaalocombia.com, 1 +salvadoralevin.tk, 1 +salvadorcorriols.tk, 1 +salvadorinfantil.tk, 1 +salvalartesicilia.it, 1 +salvameblog.tk, 1 +salverainha.org, 1 +salwyrr.com, 1 +salz-und-sinn.de, 1 +salzamt.tk, 1 +salzburg-erfahren.at, 1 +salzburg-verkehr.at, 1 +salzburgsfinest.tk, 1 +salzerperu.com, 1 +salzmann.solutions, 1 +sam-football.fr, 1 +sam.gov, 1 +sam66.cc, 1 +sam88.cc, 1 +samabest.tk, 1 +samalderson.co.uk, 1 +samandcatonline.tk, 1 +samandej.ir, 1 +samanexports.in, 1 +samangel.org, 1 +samanhatami.ir, 1 +samanthabiggers.com, 1 +samanthasmith.tk, 1 +samar-leyte.tk, 1 +samara-avia.ru, 1 +samara-hosting.tk, 1 +samarhotel.com, 1 +samaritainsmeyrin.ch, 0 +samarpanfurniture.com, 1 +samarth.edu.in, 1 +samarthtyagi.tk, 1 +samatva-yogalaya.com, 1 +samba.org, 1 +sambeso.net, 1 +sambot.ru, 1 +sambot22.tk, 1 +sambuchanan.tk, 1 +samcera.gov, 1 +samclarke.com, 1 +samclarke.uk, 1 +samdev.io, 1 +same.lol, 1 +samedamci.com, 1 +samedis.care, 1 +samegoal.com, 1 +samegoal.org, 1 +samehzidan.com, 1 +samel.de, 1 +samelol.com, 1 +samentest.tk, 1 +samenuitsamenthuis.tk, 1 +samenvoorelkaar.nl, 1 +samenvoormedicatieoverdracht.nl, 1 +samenwerkingsportaal.nl, 1 +samepage.io, 1 +samesound.ru, 1 +sametcanaz.tk, 1 +sameteem.com, 1 +sametimetomorrow.tk, 1 +sameworks.com, 1 +samh.org.uk, 1 +samhall.se, 1 +samhsa.gov, 1 +samhuri.net, 1 +samic.ir, 1 +samic.org, 1 +samic.us, 1 +samifar.in, 1 +samilyanov.tk, 1 +samin.tk, 1 +samir-software.tk, 1 +samiratv.tk, 1 +samishnation.gov, 1 +samisoft.ir, 1 +samiysok.cf, 1 +samkelleher.com, 1 +samkoandmikotoywarehouse.com, 1 +saml-gateway.org, 1 +saml2.com, 1 +samlam.ddns.net, 1 +samlamac.com, 1 +samlaw.co.nz, 0 +sammich.eu, 1 +sammich.social, 1 +sammichscripts.com, 1 +sammyservers.com, 1 +sammyservers.net, 1 +samodel.ml, 1 +samodel.tk, 1 +samogonka.tk, 1 +samokhin.cf, 1 +samorazvitie.ru, 1 +samorzad.gov.pl, 1 +samosad.tk, 1 +samotorsporttyres.com.au, 1 +samoyeddogsguide.com, 1 +samoylov.gq, 1 +samoylyk.net, 0 +samozdraw.ga, 1 +sampaguide.com, 1 +sampath.lk, 1 +sampatjewelers.com, 1 +sample-site.click, 1 +samplefashion.nl, 1 +sampsoncountync.gov, 1 +sampurna.shop, 1 +samroelants.com, 1 +sams.wtf, 1 +samsatcorner.com, 1 +samscollection.in, 1 +samsebe.ml, 1 +samsebe.tk, 1 +samsepi0l.ovh, 1 +samshouseofspaghetti.net, 1 +samson-td.com, 1 +samson.org.au, 1 +samsreseller.com, 1 +samstudios.tk, 1 +samsungbiologics.com, 1 +samsunghalfmarathon.com, 1 +samtalen.nl, 1 +samudranesia.id, 1 +samuel-brown.com, 1 +samuel-philipp.de, 1 +samuelbeckett.tk, 1 +samuelbramley.com, 1 +samuelgd.com, 1 +samuelharmon.com, 1 +samuelkeeley.com, 1 +samuelkyalo.tk, 1 +samuelphotos.com, 1 +samuels-blog.de, 1 +samuels-graphics.tk, 1 +samuelsxpress.com, 1 +samuidiving.net, 1 +samuirehabcenter.com, 1 +samurai-marumori.com, 1 +samuraiskye.com, 1 +samusil.org, 1 +samvanderkris.com, 1 +samwelek.co.uk, 1 +samwilberforce.com, 1 +samwrigley.co.uk, 1 +samwu.tw, 1 +samxoxo.com, 1 +samy.rip, 1 +samyang.tk, 1 +samystic.com, 1 +san-cassiano.com, 1 +san-genesio.net, 1 +san-leonardo.com, 1 +san-martino.org, 1 +san-vigilio-marebbe.net, 1 +san.tv, 1 +san0j.de, 1 +sana-commerce.com, 1 +sana-store.com, 1 +sana-store.cz, 1 +sana-store.sk, 1 +sanagustin.com, 1 +sanalaile.tk, 1 +sanalikaforum.tk, 1 +sanalturcu.com, 1 +sanandreasstories.com, 1 +sanantoniolocksmithtx.com, 1 +sanapaino.fi, 1 +sanasport.at, 1 +sanasport.be, 1 +sanasport.bg, 1 +sanasport.cz, 1 +sanasport.de, 1 +sanasport.fr, 1 +sanasport.hu, 1 +sanasport.it, 1 +sanasport.pl, 1 +sanasport.si, 1 +sanasport.sk, 1 +sanates.cz, 1 +sanatfilan.com, 0 +sanatori-elochka.tk, 1 +sanatori-teterev.tk, 1 +sanatorii-sverdlovskoy-oblasti.ru, 1 +sanatorionosti.com.ar, 1 +sanatstore.ir, 1 +sanayi.gov.tr, 1 +sanbenitocounty-ca-cre.gov, 1 +sanbernardino.gov, 1 +sanbornteam.com, 1 +sanbs.org.za, 1 +sancaktepehaber.tk, 1 +sanche.org, 1 +sanchez.adv.br, 0 +sancpa.ca, 1 +sancraft.de, 1 +sancta-domenica.hr, 1 +sanctio.tk, 1 +sanctum.geek.nz, 0 +sanctus-de.tk, 1 +sanctus.co.uk, 1 +sand-and-mercury.tk, 1 +sand-bleibt.de, 1 +sand-craft.ml, 1 +sand-stoneinc.com, 1 +sand66.cc, 1 +sand66.com, 1 +sandairephotography.com, 1 +sandbox.i.ng, 1 +sandbox.mydigipass.com, 0 +sandelduggal.com, 1 +sanderdesign.tk, 1 +sanderdorigo.nl, 1 +sanderkoenders.eu, 1 +sanderkoenders.nl, 1 +sanderpoppe.com, 0 +sanderscreditrepair.com, 1 +sandersmontalto.com, 1 +sandersonfarms.com, 1 +sanderspies.com, 1 +sanderstaxpro.com, 1 +sandervanderstap.nl, 1 +sandesh.tk, 1 +sandgatebaysidedental.com.au, 1 +sandiegolifechanging.org, 1 +sandiegoluxuryhomes.org, 1 +sandiegotaxpreparation.com, 1 +sandiegotown.com, 1 +sandipmukherjee.tk, 1 +sandiuno.ml, 1 +sandle.uk, 1 +sandlerpartners.com, 1 +sandmanintel.com, 1 +sandmarc.cz, 1 +sandokan.tk, 1 +sandor.wtf, 1 +sandoval.photography, 1 +sandownpolicenh.gov, 1 +sandpaper.com, 1 +sandr0.tk, 1 +sandra-perlbach.de, 1 +sandrabay.com, 1 +sandrabernardo.com, 1 +sandragortemaker.nl, 1 +sandrainden.nl, 1 +sandraindenfotografie.nl, 1 +sandramargolesmd.com, 1 +sandramorrone.tk, 1 +sandras-hobbystueble.de, 1 +sandrasturm.net, 1 +sandravdmeulen.nl, 1 +sandrinesite.tk, 1 +sandrolittke.de, 1 +sandrproperty.com, 1 +sandsclan.tk, 1 +sandspoint.gov, 1 +sandssteelservices.com, 1 +sandstein.de, 1 +sandstroh.network, 1 +sandtears.com, 1 +sandtime.io, 1 +sandtler.moe, 1 +sandton-plumbing.co.za, 1 +sandtonrubbleremovals.co.za, 1 +sanduskycountyoh.gov, 1 +sandwichclub.tk, 1 +sandwichcouncil.tk, 1 +sandwoman.tk, 1 +sandybigboobs.com, 1 +sandybigboobs.net, 1 +sandylanevacations.com, 1 +sandyrobsonhypnotherapy.co.uk, 1 +sandyspringadventurepark.org, 1 +sandyvazquez.com, 1 +sanemind.de, 1 +sanetschka.tk, 1 +sanex.ca, 1 +sanf.org, 1 +sanfernando.tk, 1 +sanfranciscotours.org, 1 +sangamonil.gov, 1 +sangen.ml, 1 +sangheon.com, 1 +sangina.eu, 1 +sangiovannilipioni.tk, 1 +sanglierhurlant.fr, 1 +sangoandmiroku.tk, 1 +sangowen.xyz, 1 +sangreytinta.tk, 1 +sangwanbeach.tk, 1 +sangyoui.health, 1 +sanhotel.ml, 1 +sanidadnaval.cl, 1 +sanierungskonzept.pro, 1 +sanificazioni.roma.it, 1 +sanikapandit.com, 1 +sanilaccounty.gov, 1 +sanilactownshipmi.gov, 1 +sanin.gq, 1 +sanitaer-heinze.com, 1 +sanitaer-notdienst-zentrale.de, 1 +sanitairwinkel.be, 1 +sanitairwinkel.com, 1 +sanitairwinkel.nl, 1 +sanitaria.it, 1 +sanitation-planning-tool.herokuapp.com, 1 +sanitix.com, 1 +sanitizinggurus.com, 1 +sanity.host, 1 +sanity.io, 1 +sanitynet.org, 1 +sanityrant.cf, 1 +sanityrant.ml, 1 +sanjab.io, 1 +sanjanaherath.cf, 1 +sanjaymenon.xyz, 1 +sanjosecolorectal.com, 1 +sanjosecostarica.org, 1 +sanjoweb.tk, 1 +sanjuanchamelco.tk, 1 +sanjuancountywa.gov, 1 +sanjuandeabajo.tk, 1 +sanjuandediosburgos.es, 1 +sanketsu.ml, 0 +sanki.tk, 1 +sankt-kassian.com, 1 +sanktannae-advokater.dk, 1 +sanktpetriskole.dk, 1 +sanliurfahaberi.tk, 1 +sanluisdequillota.tk, 1 +sanmarcovecchio.tk, 1 +sanmina.com, 1 +sanmonjiya-kimono.com, 1 +sanmuding.com, 1 +sanne-content.de, 1 +sannefoltz.com, 1 +sannikfk.gq, 1 +sanodent.com.ua, 1 +sanook69.com, 1 +sanook69s.com, 1 +sanooktiew.com, 0 +sanowski.com, 1 +sanowski.eu, 1 +sanowski.net, 1 +sanpablo.tk, 1 +sanpancrazio.tk, 1 +sanpatigroup-beautysalon.jp, 1 +sanpatigroup-recruit.jp, 1 +sanpatigroup.jp, 1 +sanpatriciocountytx.gov, 1 +sanpham-balea.org, 1 +sanqinyinshi.com.cn, 1 +sanrafaelvigo.org, 1 +sanray73.ru, 1 +sans-hotel.com, 1 +sansairyu-kuyoukai.com, 1 +sansdb.io, 0 +sansdict.ml, 1 +sansgetirsin.com, 1 +sanskarexam.in, 1 +sanskrit.pub, 1 +sanskrit.site, 1 +sanskritiyoga.com, 1 +sansonehowell.com, 1 +sansumclinic.org, 1 +santa-fell-from.space, 1 +santabarbaraca.gov, 1 +santabarbarapix.com, 1 +santacasamarilia.com.br, 1 +santackergaard.nl, 1 +santaclaracounty.gov, 1 +santaclaratx.gov, 1 +santaclarautah.gov, 1 +santaclarita.gov, 1 +santacruzca.gov, 1 +santacruzcountyca.gov, 1 +santacruzgalapagoscruise.com, 1 +santacruzstudio.com.mx, 1 +santafetx.gov, 1 +santaluciatirajana.com, 1 +santamargarita.tk, 1 +santamariadelaisla.tk, 1 +santamariaretreats.co.uk, 1 +santamariaretreats.uk, 1 +santamonicapost123.org, 1 +santander-dojo.com, 1 +santander.com, 0 +santanderassetmanagement.es, 0 +santanderibc.com, 0 +santanderideas.com, 0 +santandertrade.com, 1 +santantonio.tk, 1 +santapace.com.br, 1 +santarosaca.gov, 1 +santarosanm.gov, 1 +santasofiastereo.tk, 1 +santaynezchumash-nsn.gov, 1 +sante-actu.com, 1 +sante-informations.com, 1 +sante.akita.jp, 1 +santegra.tk, 1 +santehnica.ml, 1 +santehnik-dnepr.dp.ua, 1 +santehnik-home.ru, 1 +santehnika-tut.ru, 1 +santekhmarket-nn.ru, 1 +santenatureetcie.com, 0 +santeriabeliefs.com, 1 +santeriasanjorge.com.ar, 1 +santhatela.com.br, 1 +santhoffplumbingco.com, 0 +santhoshveer.com, 1 +santiagogarza.co, 1 +santibanezdetera.tk, 1 +santibz.es, 1 +santillana.com, 1 +santimb.photos, 1 +santippolito-borgo.tk, 1 +santjoandevilassar.tk, 1 +santmark.eu, 1 +santmark.info, 1 +santmark.net, 1 +santmark.org, 1 +santo.fi, 1 +santodelgiorno.it, 1 +santomospb.ru, 1 +santong.tk, 1 +santoscarmelitas.tk, 1 +santosdecordoba.tk, 1 +santoshpandit.com, 1 +santswebdesign.com, 1 +santugon.tk, 1 +santv.cc, 0 +sanuk.com, 1 +sanukarlos.tk, 1 +sanweb.info, 1 +saojudastadeu.edu.br, 1 +saoneth.pl, 1 +saorsa.fr, 1 +saorsat.com, 1 +saorsat.ie, 1 +saorsat.net, 1 +saorsat.tv, 1 +saorview.com, 1 +saorview.ie, 1 +saorview.net, 1 +saorviewconnect.ie, 1 +saorviewconnected.ie, 1 +sap-inc.co.jp, 1 +sapac.es, 1 +sapafolumuxu.tk, 1 +sapancavillalari.com, 1 +sapaship.ru, 1 +saphead.cn, 1 +saphi.re, 1 +saphnelosavings.com, 1 +sapibatam.com, 0 +sapien-ci.com, 1 +sapien.com, 1 +sapience.com, 1 +sapienml.com, 1 +sapiensecure.io, 0 +sapienz.tk, 1 +sapienza-eclipse.com, 1 +sapienzaconsulting.com, 1 +sapik.hu, 1 +sapiperelining.com.au, 1 +sapling.ai, 1 +saplumbers.com.au, 1 +sapmap01.azurewebsites.net, 1 +sapoghki.tk, 1 +sapphi.st, 1 +sapphic.site, 1 +sapphirebet.com, 1 +sapphireblinds.com.au, 1 +sapphireblue.me, 1 +sapphirecleaningwa.com.au, 1 +sapphirepearl.com.sg, 1 +sapphireservicesga.com, 1 +sapporo-asaichi.com, 1 +sapporo.ga, 1 +sapprendre.ch, 0 +saprima.de, 0 +sapti.me, 1 +sapulpaok.gov, 1 +sapulpapd.gov, 1 +sapuseven.com, 1 +saputra.org, 1 +saq.com, 0 +saqara.com, 1 +saracenmarkets.com, 1 +sarae.id, 1 +sarafanchik.tk, 1 +sarafanchiki.tk, 1 +sarafani.tk, 1 +sarafrazan.tk, 1 +sarafshop.tk, 1 +sarah-brown.tk, 1 +sarah-harding.tk, 1 +sarah-huenten.de, 1 +sarah-jane.nl, 1 +sarah-jones.uk, 1 +sarahbaker.co.nz, 1 +sarahbowling.org, 1 +sarahjaneethan.co.uk, 1 +sarahjaneredmond.com, 1 +sarahlicity.co.uk, 1 +sarahlicity.me.uk, 1 +sarahmakmq.com, 1 +sarahmckenna.ie, 0 +sarahmodel.tk, 1 +sarahneumann.tk, 1 +sarahplusdrei.de, 1 +sarahshabrina.tk, 1 +sarahsommer.de, 1 +sarahtamsin.com, 1 +sarahvanessen.tk, 1 +sarahwellington.com, 1 +sarahwikeley.co.uk, 1 +saraleebread.com, 0 +saranamayyappa.tk, 1 +sarand.ch, 0 +saraskins.space, 1 +sarasotadentistry.com, 1 +sarasotaroboticurology.com, 1 +saratogasprings-ut.gov, 1 +saratogawi.gov, 1 +saraton-kasalligi.cf, 1 +saraton-kasalligi.ml, 1 +saraton-kasalligi.tk, 1 +saratov24.tk, 1 +saratovlive.tk, 1 +saratovnews.ml, 1 +saratovtime.tk, 1 +sarayeketabesoti.ir, 1 +sarbarhetsskanning.se, 1 +sarbash.ee, 1 +sarbel.tk, 1 +sarcasmlol.ga, 1 +sarcastic.com.au, 1 +sarcoxiemo.gov, 1 +sard.ro, 1 +sardacompost.it, 1 +sardegnarifiuti.it, 1 +sardegnatirocini.it, 1 +sardine.tk, 1 +sardinhagarcia.pt, 1 +sardinianvillas.co.uk, 1 +sardinianvillas.com, 1 +sardinianvillas.ru, 1 +sardoche.lol, 1 +sarecords.tk, 1 +sareena.org, 1 +sarella.org, 1 +sarems.com, 1 +saresegur.com, 1 +sargar.tk, 1 +sargarmi.tk, 1 +sargenttechnologyservices.com, 1 +sarh.com.au, 1 +sarhua.tk, 1 +saria.fun, 1 +saribunga.id, 1 +sarink.eu, 1 +sarisander.com, 1 +saritas.com.tr, 1 +sarjakuvakauppa.fi, 1 +sarjas.tk, 1 +sarkaridomain.com, 1 +sarkarinaukriworld.net, 1 +sarkariresultz.in, 1 +sarkazam.ml, 1 +sarkchat.cf, 1 +sarki-sozleri.net, 1 +sarkisianbuilders.com, 1 +sarkom.tk, 1 +sarkvideos.cf, 1 +sarmpel.tk, 1 +sarndipity.com, 1 +sarny.at, 1 +sarogiw.tk, 1 +saropa.com, 1 +sarpsb.org, 1 +sarrworld.com, 1 +sars-cov-2.com, 1 +sarto.roma.it, 1 +sartori.tk, 1 +sartoria.milano.it, 1 +sartoria.roma.it, 1 +sarumtechnologies.com, 1 +sarv.com, 1 +sarvaappstage.com, 1 +sarzamintarh.ir, 1 +sas-snowboarding.sk, 1 +sasakala.tk, 1 +sasapost.co, 1 +sasasa.org, 1 +sasazono.com, 1 +sascha-brockel.de, 1 +sascha.io, 1 +sascha.is, 1 +saschabruemmer.de, 1 +saschaeggenberger.ch, 1 +saschaeggenberger.com, 1 +sascorp.co.uk, 1 +sascorp.es, 1 +sash.pw, 1 +sashabognibov.tk, 1 +sashaclothing.tk, 1 +sashakrasnoyarsk.tk, 1 +sashascollections.com, 1 +sashka.com.ua, 1 +sashleighaust.com, 1 +sasioglu.co.uk, 1 +saskiacreations.nl, 1 +saskiadhont.be, 1 +saskialund.de, 1 +sasrobotics.xyz, 1 +sasroli.tk, 1 +sasse9662.net, 1 +sassyporkchop.com, 1 +sastamalandemarit.fi, 1 +sastd.com, 1 +sasthyaseba.com, 1 +sasyabapi.com, 1 +sat-kw.net, 1 +sat-p.tk, 1 +sat4all.com, 1 +sata-group.com, 1 +satai.dk, 1 +satal.in, 1 +satangcorp.com, 1 +satania.moe, 1 +satanindito.tk, 1 +satanspowers.tk, 1 +satario.vn, 1 +satat.cf, 1 +satat.tk, 1 +sataturf.com, 1 +sateahafreedi.com, 1 +sateallia.org, 1 +satelital.tk, 1 +satellights.tk, 1 +satellite-equipment.tk, 1 +satellite-shop.tk, 1 +satellite-top.com, 1 +satellitebeach.gov, 1 +satellites.hopto.me, 1 +satellitetelevision.tk, 1 +satellitetv-deal.com, 1 +satellitetv.tk, 1 +satheeshsbennet.tk, 1 +satimagingcorp.com, 1 +satindolls.tk, 1 +satinn.pl, 1 +satirelabs.com, 1 +satisfaction.su, 1 +satisfactory-calculator.com, 1 +satismeter.com, 1 +satisperfectacollections.com, 1 +satistemsilcileri.com, 1 +sativatunja.com, 1 +satl-lelystad.nl, 1 +satlantis.tk, 1 +satmd.de, 1 +sato-legaloffice.jp, 1 +satopletova.cz, 1 +satoshinumbers.com, 1 +satowa-network.eu, 0 +satpersian.tk, 1 +satplay.host, 1 +satradio.tk, 1 +satramana.org, 1 +satselect.tk, 1 +satserwis.xyz, 1 +satsukii.moe, 1 +satsumi.tk, 1 +satta-company.tk, 1 +sattamatka420.mobi, 0 +sattaresult.in, 1 +sattaresult.net, 1 +sattaresult.net.in, 1 +saturday.kiwi, 1 +saturdayenterprises.ga, 1 +saturn-test.network, 1 +saturne.tk, 1 +saturnjump.com, 1 +saturnus.consulting, 1 +satvasolutions.com, 1 +satwcomic.com, 1 +satya-insights.com, 1 +satyamshivamsundaram.in, 1 +sau.cy, 1 +saubermacher.at, 1 +saubooks.tk, 1 +saucelabs.com, 1 +saudecoluna.com, 1 +saudedigitalnews.com.br, 1 +saudeintimadamulher.com.br, 1 +saudenoclique.com.br, 1 +saudiembassy.net, 1 +saudiglasses.com, 1 +saudinews.ml, 1 +saue.edu.ee, 1 +sauenytt.no, 1 +sauerbrey.eu, 1 +sauerland-rundflug.de, 1 +sauerland-schnittgruen.de, 1 +sauerwetter.tk, 1 +saugatucktownshipmi.gov, 1 +saulchristie.com, 1 +saulsplace.com, 0 +saulsplacehealth.com, 1 +saulsplacewebdesign.com, 1 +saultdefencelaw.ca, 1 +saulvanderbijl.com, 1 +sauna-acties.nl, 1 +saunaempire.lt, 1 +saunafahrten.ch, 1 +saunahats.eu, 1 +saunas.fr, 1 +saunatime.jp, 1 +saunavoordeel.nl, 1 +sauravdas.in, 1 +saurel.me, 1 +saurusly.com, 1 +sauseng.eu, 1 +sauthon.com, 0 +sauvagebridge.nl, 1 +sauve-tes-euros.com, 1 +savaari.com, 1 +savage-harmony.tk, 1 +savagecore.eu, 1 +savanna.io, 1 +savanna.vn.ua, 1 +savannahhappycats.com, 1 +savannapro.vn.ua, 1 +savant-dagen.nl, 1 +savantcare.com, 1 +savatha.tk, 1 +savbus.com, 1 +savbus.net, 1 +savbus.ws, 1 +savchenko.net, 1 +savchook.com, 1 +savconventioncenter.com, 1 +savcurv.com, 1 +save-home.com.tw, 1 +save-me-aachen.de, 1 +save-me-aachen.eu, 1 +save-me-koeln.de, 1 +save-your-bitcoins.com, 1 +save.ch, 1 +save.gov, 1 +saveaward.gov, 1 +savebees.org, 1 +savebt.net, 1 +savedana.tk, 1 +savejonasquinn.tk, 1 +savemyexams.co.uk, 1 +savemylicence.co.uk, 1 +saveolga.tk, 1 +saveoney.ca, 1 +saveora.com, 1 +saveora.shop, 1 +savesilvercreek.com, 1 +savesilvercreek.org, 1 +savesmart.be, 1 +savestatecentral.tk, 1 +savesubs.com, 1 +savetech.tk, 1 +savethedogfishfoundation.org, 1 +savetheinternet.eu, 1 +savetomp3.net, 1 +saveusfromavril.tk, 1 +savewildcats.eu, 1 +savewildcats.foundation, 1 +savewildcats.life, 1 +savewithupgrade.com, 1 +saveworldpets.ga, 1 +saveyourhouse.tk, 1 +saveyourinternet.eu, 1 +savicki.co.uk, 1 +savicki.cz, 1 +savicki.sk, 1 +savilleassessment.com, 1 +savin.ga, 1 +savin.in, 1 +savinggoliath.com, 1 +savingmoses.org, 1 +savingsbondwizard.gov, 1 +savingsoftheyear.com, 1 +savingtails.org, 1 +savitar.guide, 1 +saviynt.com, 0 +savoir.ga, 1 +savonlinnatrujillo.tk, 1 +savonsuuntaporaus.fi, 1 +savoryandpartners.com, 1 +savour-magazine.co.uk, 1 +savransafari.com, 1 +savushkin.tk, 1 +savvice.com.ph, 1 +savvycleaner.com, 1 +savvydevelopment.com, 1 +savvystagingaz.com, 1 +sawanonlinebookstore.com, 1 +sawansasaram.ml, 1 +sawiday.at, 1 +sawiday.be, 1 +sawiday.com, 0 +sawiday.cz, 1 +sawiday.de, 1 +sawiday.es, 1 +sawiday.fi, 1 +sawiday.fr, 1 +sawiday.it, 1 +sawiday.nl, 1 +sawiday.pl, 1 +sawiday.se, 1 +sawikowscy.eu, 1 +sawikowscy.pl, 1 +sawpa.gov, 1 +saxeandthecity.com, 1 +saxifrageleather.com, 1 +saxis.dk, 1 +saxobroko.com, 1 +saxobroko.ga, 1 +saxobroko.gq, 1 +saxocon.com, 1 +saxojoe.co.uk, 1 +saxojoe.de, 1 +saxol-group.com, 1 +saxoncreative.com, 1 +saxophone.tk, 1 +saxotrader.com, 1 +saxynele.tk, 1 +say-it-loud.com, 1 +sayansamanta.com, 0 +sayany.tk, 1 +sayaraautoservices.com, 1 +saybecraft.ru, 1 +saybrus.partners, 1 +saydj.tk, 1 +sayednidhalphoto.tk, 1 +sayeghonline.com, 0 +sayehsazan.ir, 1 +sayers.group, 0 +sayfa.istanbul, 1 +sayfr.com, 0 +sayhanabi.eu.org, 1 +sayhi.com, 1 +sayhuahuo.net, 1 +sayhuahuo.xyz, 1 +sayingimages.com, 1 +sayiw.com, 1 +saymonz.net, 1 +sayprepay.com, 1 +sayura.net, 1 +sayver22.com, 1 +saz-it.de, 1 +saz.sh, 1 +saz9001.com, 1 +saznworld.com, 1 +sazuz.cz, 1 +sb-graph.com, 0 +sb-group.dk, 1 +sb-sd.org, 1 +sb-webdev.de, 1 +sb.ax, 1 +sb.im, 1 +sb.sb, 1 +sb0.io, 1 +sba4u.com, 1 +sba7a.loans, 1 +sbabeshin.tk, 1 +sbacorporation.it, 1 +sbanken.no, 1 +sbankendnb.no, 1 +sbaten.nl, 1 +sbblog.cn, 1 +sbcalitagtag.edu.ph, 1 +sbcargo.com, 1 +sbcbatangas.edu.ph, 1 +sbcmedia.nl, 1 +sbcountyarc.gov, 1 +sbcountyatc.gov, 1 +sbcountywines.com, 1 +sbeech.uk, 0 +sbequineevac.org, 1 +sber-solutions.kz, 1 +sber-solutions.ru, 1 +sber.games, 1 +sberanalytics.ru, 1 +sberbank.ch, 1 +sbercity.ru, 1 +sbercontactmonitoring.ru, 1 +sbermobile.ru, 1 +sbestimes.com, 1 +sbettoken.org, 1 +sbf888.com, 1 +sbgcred.com, 1 +sbhscotland.org.uk, 1 +sbiewald.de, 1 +sbimtopografos.com, 1 +sbin.pt, 1 +sbir.gov, 0 +sbirwot.xyz, 1 +sbl250.com, 1 +sbli.com, 1 +sbm.cloud, 1 +sbm.org.tr, 1 +sbmenedzsment.hu, 1 +sbmsite.cf, 1 +sbmsite.ml, 1 +sbmsitelist.ml, 1 +sbmsitelist.tk, 1 +sbmsmartaccounting.co.uk, 1 +sbmt.cc, 1 +sbo.no, 1 +sbodewissel.tk, 1 +sborka.ml, 1 +sbpk.fr, 1 +sbpropman.co.uk, 1 +sbrc.gov, 1 +sbrouwer.org, 1 +sbrownbourne.com, 0 +sbsavings.bank, 1 +sbscyber.com, 1 +sbspp.ru, 1 +sbsrv.ml, 1 +sbssoft.ru, 1 +sbst.gov, 1 +sbstattoo.com, 1 +sby-tampere.tk, 1 +sc-artworks.co.uk, 0 +sc019.com, 1 +sc2labs.com, 1 +sc2pte.eu, 1 +sc5.jp, 1 +scaarus.com, 1 +scadanews.net, 1 +scaffalature.roma.it, 1 +scaffoldhiremidrand.co.za, 1 +scaffoldhirerandburg.co.za, 1 +scaffoldhiresandton.co.za, 1 +scaffoldingsandton.co.za, 1 +scag9.com, 1 +scai.org, 1 +scala.click, 1 +scalafactory.io, 1 +scalaire.com, 1 +scalaire.fr, 1 +scale.at, 1 +scale.milano.it, 1 +scale.roma.it, 1 +scalecalculation.ml, 1 +scaledge.com, 1 +scalemodeling.tk, 1 +scalesbiolab.com, 1 +scaleskun.com, 1 +scaligerorooms.it, 1 +scaling.solutions, 0 +scalive.tv, 1 +scallywagsbouncycastles.co.uk, 1 +scallywagskids.co.uk, 1 +scalpel.com, 1 +scalr.io, 1 +scamadviser.com, 1 +scamangels.com, 1 +scambistimaturi.com, 1 +scamblockplus.org, 1 +scamwatch.gov.au, 1 +scan.co.uk, 1 +scan.computer, 1 +scanamed.tk, 1 +scanbetting.ga, 1 +scandalindo.ml, 1 +scandalpunk.tk, 1 +scandata.cf, 1 +scandata.tk, 1 +scandesk.com, 1 +scandinavia.ga, 1 +scandinaviancorner.tk, 1 +scandiweb.com, 1 +scaner.ga, 1 +scangeo.net, 1 +scanigma.com, 1 +scanmailx.com, 1 +scanmy.email, 1 +scanningpens.ca, 1 +scanningpens.co.uk, 1 +scanningpens.com, 1 +scanningpens.com.au, 1 +scanpay.dk, 1 +scanprice.us, 1 +scansnus.com, 1 +scantrics.io, 1 +scanutracker.com, 1 +scanyachat.cf, 1 +scapin.dk, 1 +scapp9565.xyz, 1 +scappoose.gov, 1 +scappoosebay-wc.org, 1 +scarabcoder.com, 1 +scaracloud.ddns.net, 1 +scarafaggio.it, 1 +scarboroughscrapcars.com, 1 +scarboroughtec.ac.uk, 1 +scardracs.blog, 1 +scarecrow-cn.com, 1 +scaricamusica.tk, 1 +scarinex.tk, 1 +scarsviewchrysler.com, 1 +scary.cafe, 1 +scaryghost.tk, 1 +scasset.com, 1 +scatdhhs.gov, 1 +scatgirls.net, 1 +scatsbouncingcastles.ie, 1 +scatterd.im, 1 +scatteredcode.net, 1 +scatters.com, 1 +scatterscasino.com, 1 +scavalentenx.duckdns.org, 1 +scavenged.ga, 1 +scbdh.org, 1 +scbodner.com, 1 +sccd.co.uk, 1 +sccoaching.io, 1 +scde.ventures, 1 +scdmx.de, 1 +scdn.us, 1 +sceenfox.de, 1 +scejournals.org, 1 +scenadex.ga, 1 +scenari.eu, 1 +scenari.ovh, 1 +scenarp.pl, 1 +scenastu.pl, 1 +scene.mx, 1 +scenefense.tk, 1 +scenester.tv, 1 +scenetv.ga, 1 +scenic.camera, 1 +scenic.gallery, 1 +scenicbyways.info, 1 +scentiche.com, 1 +scepticism.com, 1 +scers.gov, 1 +scevity.com, 0 +scfpensante.ca, 1 +scfssp.it, 1 +sch44r0n.de, 1 +schaafenstrasse.koeln, 1 +schachburg.de, 1 +schachingerfilm.at, 1 +schadehulpservice.nl, 1 +schaedlingsbekaempfung.tk, 1 +schaerding-innovativ.at, 1 +schafspieker.ddnsking.com, 0 +schallert.com, 0 +schambereich.org, 1 +schamlosharmlos.de, 1 +schampaert.com, 1 +schaper-sport.com, 1 +schastie.ml, 1 +schat.top, 1 +schatderer.com, 1 +schatderer.xyz, 1 +schattenwoelfe.tk, 1 +schattka.com, 1 +schatzibaers.de, 1 +schauergroup.com, 1 +schaumburg-dachundwand.de, 1 +schaumburgil.gov, 1 +schauraum.tk, 1 +schauspielbuehnen.de, 1 +schausteller.de, 1 +schawe.me, 1 +schbebtv.fr, 1 +schdata.de, 1 +schedule-editor.com, 1 +schedulehero.io, 1 +scheervergelijker.nl, 1 +schefczyk.com, 1 +schefczyk.de, 1 +schefczyk.eu, 1 +schefczyk.net, 1 +schefer-mietstapler.de, 1 +scheidegger-kaesealpe.de, 1 +scheidingspuntlansingerland.nl, 1 +scheinerhaus.at, 1 +scheinlichter.de, 1 +schekino.ru, 1 +scheldestromen.nl, 1 +schelkovo.tk, 1 +schella.network, 1 +schellebelle.tk, 1 +schellenberg-web.de, 1 +schellenberg.ac, 1 +schellevis.net, 0 +schemingmind.com, 1 +schenectadycountyny.gov, 1 +schenkel.eti.br, 1 +schenkel.tk, 1 +schenkes.de, 0 +scherfke.de, 1 +schermen-en.nl, 1 +schermkapot.nl, 1 +schertztx.gov, 1 +scheuchenstuel.at, 1 +schgroup.com, 1 +schiau.co, 1 +schiavaonei.tk, 1 +schiavidiabruzzo.tk, 1 +schibsted.com, 1 +schibsted.dk, 1 +schibsted.fi, 1 +schibsted.no, 1 +schibsted.nz, 1 +schibsted.se, 1 +schickert.org, 1 +schicksal.com, 1 +schiedelkonfigurator.hu, 1 +schielandendekrimpenerwaard.nl, 1 +schier.info, 1 +schil.li, 1 +schildbach.de, 1 +schiltron.tk, 1 +schimmel-test.info, 1 +schimmelnagelspecialist.nl, 0 +schindler.be, 1 +schindler.co.il, 1 +schindler.com, 1 +schindler.ie, 1 +schindler.ma, 1 +schindler.nl, 1 +schindler.pl, 1 +schindler.rs, 1 +schindler.sk, 1 +schinkelplatz.com, 1 +schipholwatch.nl, 1 +schipholwatch.org, 1 +schippendale.de, 1 +schiriportal.ch, 1 +schirmer.io, 0 +schittscreek.shop, 1 +schizoid.tk, 1 +schizoids.net, 1 +schizomatrix.cf, 1 +schizomatrix.tk, 1 +schlachter.ca, 1 +schlafteq.com, 1 +schlagenhauf.info, 0 +schlager.de, 1 +schlagma.de, 1 +schlagzeug-lernen.com, 1 +schlappmoebel.de, 1 +schlarb.eu, 1 +schlechtewitze.com, 1 +schleifenbaum.org, 1 +schlitzbergers.com, 1 +schlopolis.tk, 1 +schloss-gottorf.de, 1 +schloss-wackerbarth.de, 1 +schlossanger.de, 1 +schlossberg-hotel-wernigerode.de, 1 +schlossfuchs.de, 1 +schlouk-map.com, 1 +schluderns.org, 1 +schluesseldienst-hannover24.de, 1 +schluesseldienst-haymov.de, 1 +schluesseldienstzentrum.de, 1 +schmaeh-coaching.ch, 1 +schmatloch.cloud, 1 +schmelzle.io, 1 +schmidal-et-fils.fr, 1 +schmidt-fri.de, 1 +schmidt-friesoythe.de, 1 +schmiedbauergut.at, 1 +schmiedecorp.com, 1 +schmiggywibblits.net, 1 +schmitt-etienne.fr, 1 +schmitt-max.com, 1 +schmitt.ws, 0 +schmitzvertalingen.nl, 1 +schmucker.it, 1 +schnalstal.info, 1 +schnapke.name, 1 +schnapsverein.ddns.net, 1 +schnaube.de, 1 +schnauzer-dogs.com, 1 +schneckenhilfe.de, 0 +schnegg.name, 0 +schneider-dresden.de, 1 +schneider-romania.ro, 1 +schneider.co.il, 1 +schneidr.de, 0 +schneids.me, 1 +schnellno.de, 1 +schnippering.com, 1 +schnism.net, 1 +schnitzel-und-co.de, 1 +schnouki.net, 1 +schnuckenhof-wesseloh.de, 1 +schnyder-werbung.ch, 0 +schody-rozycki.pl, 1 +schoenstatt-fathers.link, 1 +schoenstatt.link, 1 +schoepski.de, 1 +schoknecht.net, 1 +schoknecht.one, 1 +schoko-ferien.de, 0 +schokobebe.net, 1 +schokoferien.de, 0 +schokokeks.org, 1 +scholar.group, 0 +scholar.pk, 1 +scholar.site, 0 +scholarbaze.cf, 1 +scholarchip.com, 1 +scholarconnect.com, 1 +scholareducation.tk, 1 +scholarly.com.ph, 1 +scholarly.ph, 1 +scholarnet.cn, 1 +scholars-societas.org, 1 +scholarsclub.club, 1 +scholarships.ga, 1 +scholarships.link, 1 +scholding.ru, 1 +scholenlijst.tk, 1 +scholenprogrammagroningen.nl, 1 +scholi.org, 1 +scholieren.com, 1 +scholingua.com, 1 +schollbox.de, 0 +scholledev.com, 1 +scholohost.tk, 1 +scholtensupport.nl, 1 +scholz-kallies.de, 1 +schonstedt.com, 1 +schont.org, 1 +school-22.tk, 1 +school-27-lpr.tk, 1 +school-33.tk, 1 +school-adventures.tk, 1 +school-counselor.org, 1 +school-id.co.uk, 1 +school-korfbal.nl, 1 +school-project.tk, 1 +school-psychologists.com, 1 +school-register.co.za, 1 +school.in.th, 1 +school16-tob.tk, 1 +school173.tk, 1 +school32.tk, 1 +school43.tk, 1 +school91.ml, 1 +schoolantwoorden.tk, 1 +schoolbag.gq, 1 +schoolbag.ml, 1 +schoolbag.tk, 1 +schoolbytes.com.au, 1 +schoolbytes.education, 1 +schoolcafe.com, 1 +schoolcash.net, 1 +schoolcashonline.com, 1 +schoolcrafttownshipmi.gov, 1 +schooldatasquad.com, 1 +schooldismissalmanager.com, 1 +schooleducationharyana.gov.in, 1 +schoolheads.ph, 1 +schoolhouse.world, 1 +schooli.io, 1 +schoolofequineshiatsu.com, 1 +schoolotzyv.ru, 1 +schoolroom.ga, 1 +schoolrumble.tk, 1 +schoolsafety.gov, 1 +schoolshow.nl, 1 +schoolsonice.nl, 1 +schooltransport.com.au, 1 +schooluniform.com.au, 1 +schoonheidssalon-annelies-santpoort.nl, 1 +schoonheidssalon-annelies-velserbroek.nl, 1 +schoonheym.com, 1 +schoonheym.nl, 1 +schoop.me, 1 +schopenhauer-institut.de, 1 +schorel.eu, 1 +schorel.ovh, 1 +schorelweb.nl, 1 +schorers.org, 1 +schorle.wine, 1 +schottenland.de, 1 +schottlandtaxi.de, 1 +schoutenseo.com, 1 +schrauber.tk, 1 +schrauger.com, 1 +schrauger.info, 1 +schrauger.net, 1 +schrauger.org, 1 +schrauger.run, 1 +schraugerrun.com, 1 +schreibers.ca, 1 +schreilechner.tk, 1 +schreinerei-jahreis.de, 1 +schreinerei-schweikl.de, 1 +schreinert.com, 1 +schrijnwerkerij-deconinck.be, 1 +schrijnwerkerij-deconinck.com, 1 +schrijverspunt.nl, 1 +schritt4fit.de, 1 +schroderusa.cf, 1 +schrodingersscat.com, 1 +schrodingersscat.org, 1 +schroeder-immobilien-sundern.de, 1 +schroederdennis.de, 1 +schroepfi.de, 0 +schroettle.com, 1 +schrok.eu, 1 +schrolm.de, 1 +schsrch.org, 1 +schtiehve.duckdns.org, 1 +schu.be, 1 +schubertgmbh-ingelheim.de, 1 +schubertnest.at, 1 +schuelerzeitung-ideenlos.de, 1 +schuermannhof.de, 1 +schuetzen-ehrenbreitstein.de, 1 +schuetzenverein-schwanfeld.de, 1 +schuhbeck.tk, 1 +schuhbedarf.de, 1 +schuhwelt.de, 1 +schuhzoo.de, 1 +schulden.tk, 1 +schulderinsky.de, 1 +schule.wtf, 0 +schuler.st, 1 +schulferien.org, 1 +schulhomepage.de, 1 +schulid.de, 1 +schull.ch, 0 +schum.world, 0 +schuman.tk, 1 +schumanandmonnet.eu, 1 +schummar.de, 0 +schunako.ch, 1 +schupp.io, 1 +schutte.tk, 1 +schutterij-sintsebastianus-eys.tk, 1 +schutterijschinveld.nl, 0 +schutz-vor-schmutz.de, 1 +schutzkoffer-profilampen.at, 1 +schutznetze24.de, 1 +schutzwerk.com, 1 +schuurmanopleidingen.nl, 1 +schuylercountyil.gov, 1 +schuylercountyny.gov, 1 +schuylerne.gov, 1 +schuylkillcountypa.gov, 1 +schwabenhaus-ka.de, 1 +schwan-gestaltung.de, 1 +schwano-dent.at, 1 +schwartinsky24.de, 1 +schwartz.pro, 1 +schwarz-gelbe-fuechse.de, 1 +schwarzegar.de, 1 +schwarzenberg.tk, 1 +schwarzes-muenchen.de, 1 +schwarztrade.cz, 1 +schwarzwaelder-schinken-verband.de, 1 +schwarzwald-flirt.de, 1 +schwedischezahnaerztin.com, 1 +schwedischezahnaerztin.de, 1 +schweingehabt.expert, 1 +schweiz-sextreffen.ch, 1 +schweizerbanken.tk, 1 +schweizers-restaurant.de, 1 +schwerkraftlabor.de, 1 +schwertkriege.de, 1 +schwienbacher-karl.it, 1 +schwifty.cloud, 1 +schwiha.de, 1 +schwimmschule-kleine-fische.de, 1 +schwinabart.com, 1 +schwingen.net, 1 +schwinger.me, 1 +schwinnbike.ru, 1 +schworak.com, 1 +schwub.de, 1 +sci-internet.tk, 1 +sciagebeton.net, 1 +sciartel.ru, 1 +scias.com, 1 +scib.tk, 1 +sciburg.com, 1 +sciclubappiano.it, 1 +scicollege.org.sg, 1 +scicomm.xyz, 1 +science-questions.org, 1 +science-texts.de, 1 +science.gov, 1 +science360.gov, 1 +science4fun.info, 1 +scienceasfashion.ga, 1 +sciencebase.gov, 1 +sciencedaily.com, 1 +scienceeducation.tk, 1 +scienceeurope.org, 1 +scienceforhealth.eu, 1 +scienceminnesota.com, 1 +sciencemonster.co.uk, 1 +sciencenews.gq, 1 +scienceofpeople.com, 0 +sciencequality.tk, 1 +sciences-world.com, 1 +scienceschool.ml, 1 +sciencesolutions.eu, 1 +sciencetechworld.tk, 1 +sciencetoymaker.org, 1 +sciencetram.tk, 1 +scienceweb.tk, 1 +sciencex.com, 1 +sciencexpo.org.za, 1 +scientia.ga, 1 +scientific-editing.info, 1 +scientific-socialism.cf, 1 +scientific-socialism.ga, 1 +scientific-socialism.ml, 1 +scientificdev.net, 1 +scif.com, 1 +scifplus.com, 1 +scifsafe.com, 1 +scigov.xyz, 1 +scijinks.gov, 1 +scimaxglobal.com, 1 +scindustries.it, 1 +scintillating.stream, 1 +scionasset.com, 0 +sciooregon.gov, 1 +sciotoarts.com, 1 +sciototownship-oh.gov, 1 +scip.ch, 1 +scislowcy.pl, 1 +scisoltd.com, 1 +scit-nsn.gov, 1 +scitheory.com, 1 +scitopia.me, 1 +scituateri.gov, 1 +scity88.com, 1 +scjc-bridge.fr, 1 +sckc.stream, 1 +sclasupplychain.com, 1 +sclause.net, 1 +scloud.link, 1 +sclsnglssttldwn.com, 1 +sclub7esp.tk, 1 +scm-2017.org, 1 +scmestetic.pl, 1 +scmitchell.com, 1 +scms.com.my, 1 +scn9a.com, 1 +scnow.com, 1 +scoaladewebsiteuri.ro, 1 +scoebg.org, 1 +scoffable.com, 1 +scola.id, 1 +scolacdn.com, 1 +scoliosisinstitute.com, 1 +scom.org.uk, 1 +scommessalegale.com, 1 +scommessenonaams.com, 1 +sconecloud.com, 1 +scontomio.com, 1 +scooby.ml, 1 +scoolcode.com, 1 +scoolio.de, 1 +scoop6.co.uk, 1 +scoopcake.com, 1 +scoopcanada.com, 0 +scoopgh.com, 1 +scooply.org, 1 +scootaloo.co.uk, 1 +scootarama.com, 1 +scooterinaustralia.tk, 1 +scootermalagarental.com, 1 +scooters.ltd.uk, 1 +scootersbonaire.com, 1 +scooterservis.com, 1 +scootertechnofrance.tk, 1 +scope.studio, 1 +scopea.fr, 0 +scopechart.com, 1 +scopeglass.com.au, 1 +scopethree.org, 1 +scopus.tk, 1 +scorb.com.br, 1 +scorchers.tk, 1 +scorebet24.com, 1 +scoresense.com, 1 +scoro.com, 1 +scorobudem.ru, 1 +scorpia.co.uk, 1 +scorpiogroup.net, 1 +scorpiomarine.co.in, 1 +scorpioncomputers.nl, 1 +scorpiongames.tk, 1 +scorpions-realm.tk, 1 +scorpions.tk, 1 +scorpiotankers.com, 1 +scothauscounseling.com, 1 +scotiabank.ca, 1 +scotlandinaweek.com, 1 +scotlandrun.com, 1 +scott-lacy.com, 1 +scott-smith.us, 1 +scott.cm, 1 +scott.st, 1 +scott.today, 1 +scottainslie.me.uk, 1 +scottandtammy.com, 1 +scottashley.tk, 1 +scottbot.tk, 1 +scottbroad.com.au, 1 +scottcoil.gov, 1 +scottcountyva.gov, 1 +scottdayman.com, 1 +scottech.com.au, 1 +scottgalvin.com, 1 +scotthelme.co.uk, 1 +scotthelmesucks.com, 1 +scottipc.com, 1 +scottish-paranormal.tk, 1 +scottishcca.co.uk, 1 +scottishcu.org, 1 +scottishseniorsgolf.com, 1 +scottlanderkingman.com, 1 +scottmay.id.au, 1 +scottniven.tk, 1 +scottpilgrim.tk, 1 +scottrae.me.uk, 1 +scottsautocarrier.com, 1 +scottsbluffcountyne.gov, 1 +scottsboropdal.gov, 1 +scottsdaleaz.gov, 1 +scottseditaacting.com, 1 +scottsfreightshipping.com, 1 +scottshorter.com.au, 1 +scottspainting.com, 1 +scottsvalley.gov, 1 +scottsvilleva.gov, 1 +scottymiller.au, 1 +scottyspot.tk, 1 +scounter.tk, 1 +scour.cc, 1 +scoure.de, 1 +scourgesofcarpathia.tk, 1 +scout-korting.tk, 1 +scout.org, 1 +scouteridano.tk, 1 +scouting-kontiki.nl, 1 +scoutingeijsdenonline.tk, 1 +scoutingkontiki.nl, 1 +scoutingmeerhoven.nl, 1 +scoutingridderkerk.nl, 1 +scoutingtungelroy.nl, 1 +scoutingvilsteren.tk, 1 +scoutnation.tk, 1 +scoutnet.de, 1 +scoutreinosa.tk, 1 +scoutsanbartolome.tk, 1 +scoutsanpieropatti.tk, 1 +scoutsdeldesierto.tk, 1 +scoutwired.org, 1 +scp-rustenholz-trens.notaires.fr, 1 +scp500.com, 1 +scpe.eu.org, 1 +scphotography.co.uk, 1 +scpidcard.com, 1 +scpocahontas.nl, 1 +scpower.sg, 1 +scpreplay.net, 1 +scpsecretlab.com, 1 +scpsecretlab.pl, 1 +scpsecretlaboratory.com, 1 +scpsl.ru, 1 +scpslgame.com, 1 +scqpw.com, 1 +scra.gov, 1 +scrabble-solver.com, 1 +scrabblecheat.com, 1 +scrabbleonline.nl, 1 +scrambled.online, 1 +scramsoft.com, 1 +scrantonmma.com, 1 +scrap-car-removal.ca, 1 +scrap.photos, 1 +scrap.tf, 1 +scrapbookdecorations.ga, 1 +scrapcarbrampton.ca, 1 +scrapcars.net.au, 1 +scrapfly.io, 1 +scrapmartine.tk, 1 +scrapmetals.bg, 1 +scrapmycarperth.com.au, 0 +scrapticket.jp, 1 +scratch-ppp.jp, 1 +scratchbot.tk, 1 +scratchzeeland.nl, 1 +scrawn.net, 0 +scrayos.net, 1 +scrc.gov, 1 +screamager.tk, 1 +screamingrooster.co.nz, 1 +scredible.com, 0 +screefox.de, 1 +screen-fox.de, 1 +screen64.tk, 1 +screenart.tv, 0 +screenfax.de, 1 +screenfox.eu, 1 +screenfox.info, 1 +screenfox.net, 1 +screeningmaster.jp, 1 +screeningxchange.com, 1 +screenmachine.com, 1 +screenpublisher.com, 1 +screenrant.com, 1 +screentimelabs.com, 1 +screenwalker.de, 1 +screenwriter.tk, 1 +screenzy.io, 1 +screvencosheriffga.gov, 1 +screvencountyga.gov, 1 +scribblefun.com, 1 +scribbler.tk, 1 +scribd.com, 1 +scriber.to, 1 +scripo-bay.com, 1 +script-sign.com, 1 +script.google.com, 1 +scriptamanent.org, 1 +scripter.co, 1 +scriptgates.ru, 0 +scripthost.org, 1 +scriptjunkie.us, 1 +scriptline.ga, 1 +scriptmaker.tk, 1 +scriptnav.com, 1 +scriptolab.com, 1 +scriptomania.tk, 1 +scriptrock.com, 1 +scriptsrus.tk, 1 +scripty.org, 0 +scrod.me, 1 +scroll-to-top-button.com, 1 +scroollocker.tk, 1 +scrot.de, 1 +scruffy.ga, 1 +scruffymen.com, 1 +scrum.org, 1 +scrumplex.net, 1 +scrumplex.rocks, 1 +scrumpus.com, 1 +scrumstack.co.uk, 1 +scrutinizer.com, 1 +scryfall.com, 1 +scs-technik.de, 1 +scsd.si, 1 +scservis.cz, 1 +scsp.ai, 1 +scsprotect.com, 1 +scstg.net, 1 +sctfpa.gov, 1 +sctiger.me, 1 +sctiger.men, 1 +sctiger.ml, 1 +sctm.at, 1 +sctrainingllc.com, 1 +scubadavediving.com, 1 +scubadiving-phuket.com, 1 +scubahirefiji.com, 1 +scubaland.hu, 1 +scubly.com, 1 +scul.net, 1 +sculptaestheticsclinic.co.uk, 1 +sculpteo.com, 1 +sculpture.support, 1 +sculpturesworldwide.tk, 1 +scunthorpemoneyman.com, 1 +scuola-e-cultura.it, 1 +scuolaguidalame.ch, 0 +scuolamazzini.livorno.it, 1 +scuolaparentalesanpancrazio.it, 1 +scurtam.tk, 1 +scuspd.gov, 1 +scuters.club, 1 +scvilareal.tk, 1 +scvotes.gov, 1 +scw.nz, 1 +scwildflours.com, 1 +scwilliams.co.uk, 1 +scwilliams.uk, 1 +scwind.com, 1 +scylla.live, 1 +scytl.com, 0 +sd.af, 1 +sd.ax, 1 +sd44.ca, 1 +sdaniel55.com, 1 +sdarcc.gov, 1 +sdarot.tw, 1 +sdb.aero, 1 +sdbehavioralhealth.gov, 1 +sdcapp.in, 1 +sdcardrecovery.de, 1 +sdea.ca, 1 +sdebitati.it, 1 +sdesam.ru, 1 +sdeu.fr, 1 +sdfamilycare.org, 1 +sdgllc.com, 1 +sdgrait.tech, 1 +sdguitdagingen.be, 1 +sdguitdagingen.gent, 1 +sdhb.cz, 1 +sdhblatnice.cz, 1 +sdhblatnice.eu, 1 +sdhcounselling.co.uk, 1 +sdho.org, 1 +sdipolanight.co.uk, 1 +sdis-trib.fr, 1 +sdkco.net, 1 +sdn.cz, 1 +sdn3wonocoyo.sch.id, 1 +sdns.fr, 1 +sdns.io, 1 +sdocast.com, 1 +sdp-grupopit.com, 1 +sdp.training, 1 +sdphoto.com.au, 1 +sdpokieswiry.ga, 1 +sdpokieswiry.tk, 1 +sdruzeniprovltavu.cz, 1 +sdsi.us, 1 +sdsite.tk, 1 +sdsmanagement.me, 0 +sdsmt.engineering, 1 +sduconnect.nl, 0 +sdut.gq, 1 +sdvx.net, 0 +sdxcentral.com, 1 +sdyzmun.club, 1 +se-booster.com, 1 +se-center.pl, 1 +se-live.org, 1 +se-theories.org, 1 +se.au, 0 +se.com, 1 +se.gg, 1 +se.search.yahoo.com, 0 +se2.com, 1 +sea-airinternational.tk, 1 +sea-godzilla.com, 1 +sea.zapto.org, 1 +seabooty.com, 1 +seaborn.top, 0 +seachef.it, 1 +seadrive.cc, 1 +seadus.ee, 1 +seaelba.com, 1 +seagulls-luebeck.de, 1 +seahaweb.org, 1 +seaif.org, 1 +seal-tite.eu, 1 +sealart.pl, 1 +sealaw.com, 1 +sealbaker.com, 1 +seallacres.com.br, 1 +sealoffantasy.de, 1 +sealtitebasement.com, 1 +sealvault.org, 1 +seamac.info, 1 +seamester.com, 1 +seamoo.se, 1 +seamus.party, 1 +sean-wright.com, 1 +sean.scot, 1 +seanbright.com, 1 +seanbright.info, 1 +seanbright.net, 1 +seanchaidh.org, 1 +seanchristian.tk, 1 +seancody.com, 1 +seancodynetwork.com, 1 +seandawson.info, 1 +seanein.com, 1 +seanholcroft.co.uk, 1 +seankilgarriff.com, 0 +seanmeedevworld.com, 1 +seanrodda.com, 1 +seanstaffiery.com, 1 +seaoftime.tk, 1 +seaplayhomes.com, 1 +seaportfish.com, 1 +seara-staging.net, 1 +searacon.nl, 1 +searafoodsolutions.com.br, 1 +search, 1 +search-net.tk, 1 +search.gov, 1 +search.yahoo.com, 0 +search4stores.com, 1 +searchable.ml, 1 +searchaudits.com, 1 +searchbar.co.za, 1 +searchbyai.com, 1 +searchbyimages.com, 1 +searchcandy.uk, 1 +searchcoloradohouses.com, 1 +searchdatalogy.com, 1 +searchdogs.ch, 1 +searchenginelinks.co.uk, 1 +searchenginepartner.com, 1 +searchforbeer.com, 1 +searchforjohn.com, 1 +searchfox.org, 1 +searchgurus.ca, 1 +searchmore.dk, 1 +searchpartners.dk, 1 +searchperfumes.ga, 1 +searchtechnology.tk, 1 +searchverdict.com, 1 +searchwork.tk, 1 +searchzone.ch, 0 +seareelfiji.com, 1 +searena.ga, 1 +seark.edu, 1 +searsucker.com, 1 +searx.be, 1 +searx.ca, 1 +searx.ee, 1 +searx.nu, 1 +searx.one, 1 +searx.org, 1 +searx.rocks, 1 +searx.ru, 1 +searx.run, 1 +searx.space, 1 +searx.work, 1 +searxng.cf, 1 +searxng.com, 1 +seashkey.com, 1 +seasidestudios.co.uk, 1 +seasistent.tk, 1 +season.moe, 1 +seasonlevel.com, 1 +seasonsboutique.com.au, 1 +seasonsof.berlin, 1 +seat61.com, 1 +seatbeltpledge.com, 1 +seatinglane2u.com, 1 +seats.aero, 1 +seattle-life.net, 1 +seattlebasementwaterproofers.com, 1 +seattlecannabis.co, 1 +seattledevicerepair.com, 0 +seattleduiattorneys.com, 1 +seattlemesh.net, 1 +seattlewalkinbathtubs.com, 1 +seaview.gq, 1 +seaviewkohchang.com, 1 +seavision-group.com, 1 +seavision-group.it, 1 +seavision-latam.com, 1 +seavision-lixis.com, 1 +seavision-usa.com, 1 +seavision.es, 1 +seavision.eu, 1 +seavision.fr, 1 +seavision.it, 1 +seavision.ru, 1 +seb.surf, 1 +seb8iaan.com, 1 +sebald.com, 1 +sebald.org, 1 +sebar-iklan.gq, 1 +sebariklanmassal.gq, 1 +sebarin.tk, 1 +sebastiaandouma.co.uk, 1 +sebastiaanwijnimport.nl, 1 +sebastian-bravo.com, 1 +sebastian-elisa-pfeifer.eu, 1 +sebastian-haeutle.de, 1 +sebastian-janich.de, 1 +sebastian-kraus.me, 1 +sebastian-kuhnert.de, 1 +sebastian-lutsch.de, 1 +sebastian-michalke.de, 1 +sebastian-reck.de, 1 +sebastian-walla.com, 1 +sebastianblade.com, 1 +sebastianboegl.de, 1 +sebastiandarhoi.cf, 1 +sebastianelectric.org, 1 +sebastianforst.de, 1 +sebastianhofmann.legal, 1 +sebastiantroncoso.tk, 1 +sebastianungureanu.com, 1 +sebastiaperis.com, 1 +sebastien-meric.com, 1 +sebasveeke.nl, 1 +sebba.tk, 1 +sebdat.cloud, 1 +sebeobrana.ml, 1 +sebepoznani.eu, 1 +seberika.tk, 1 +seberova.cz, 1 +sebetesty.cz, 1 +sebgar.ca, 1 +sebi.org, 1 +sebio.be, 1 +sebjacobs.com, 1 +seblod.com, 1 +seblossom.com, 1 +seboh.gov, 1 +seboluo.com, 1 +seboreia.tk, 1 +sebster.com, 1 +seby.io, 1 +sec-consult.com, 1 +sec-tunnel.com, 1 +sec-wiki.com, 1 +sec.ec, 1 +sec.gd, 1 +sec.gov, 1 +sec30.com, 1 +sec3ure.co.uk, 1 +sec530.com, 1 +secadoresdepelo.tk, 1 +secapp.fi, 1 +secard.cc, 1 +secard.me, 1 +secard.xyz, 1 +secaucusnjpolice.gov, 1 +secborder.com, 1 +secctexasgiving.org, 0 +secdaemons.com, 1 +secdfir.com, 1 +secfilingdata.com, 1 +secgui.de, 1 +sech.me, 1 +secinto.com, 1 +secitem.de, 1 +seclimax7.pw, 1 +seclink.link, 1 +seclms.net, 1 +secnet.ga, 1 +secnews.gr, 1 +secolve.com, 1 +secomo.org, 1 +second-life-partner-ichien.com, 1 +secondchancejobsforfelons.com, 1 +secondlife.tk, 1 +secondmeasure.com, 1 +secondnature.bio, 1 +secondnexus.com, 1 +secondorder.xyz, 1 +secondtreasuresmv.com, 1 +secondversion.com, 1 +seconfig.sytes.net, 1 +secong.tk, 1 +secoseal.de, 1 +secpatrol.de, 1 +secpoc.online, 1 +secre.cy, 1 +secrecion.com, 1 +secret-bases.co.uk, 1 +secret-garden.it, 1 +secret-queen.ga, 1 +secret-queen.ml, 1 +secret.garden, 1 +secretagentclub.tk, 1 +secretar.is, 1 +secretary-schools.com, 1 +secretarypics.com, 1 +secretbase.cf, 1 +secretbusiness.tk, 1 +secretcharm.nl, 1 +secretdeals.ga, 1 +secretenergy.com, 1 +secretgardendesigns.shop, 1 +secretimports.com.br, 1 +secretmap.ml, 1 +secretmolodosti.ga, 1 +secretmolodosti.ml, 1 +secretmolodosti.tk, 1 +secretmuseum.net, 1 +secretofanah.com, 1 +secretosbolivia.tk, 1 +secrets-marketing.tk, 1 +secretsbynature.nl, 1 +secretsdujeu.com, 1 +secretservercloud.ca, 1 +secretsofuniverse.in, 1 +secretstomartialarts.tk, 1 +secretum.tech, 1 +secretworld.ml, 1 +secretzone.bg, 1 +secrium.io, 1 +secs.london, 1 +secta.cf, 1 +secteam.ee, 1 +secteam.eu, 1 +sectelligence.com, 1 +sectelligence.nl, 1 +sectember.com, 1 +sectember.events, 1 +sectest.ml, 1 +secthirty.com, 1 +sectigo.com.ru, 1 +sectigostore.com, 1 +sectio-aurea.org, 1 +section-31.org, 1 +section.io, 1 +section508.gov, 1 +section77.de, 1 +sector.cx, 1 +sector.zone, 1 +sector7.nu, 1 +sectrans.tk, 1 +sectun.com, 1 +secu.host, 1 +secularweb.org, 1 +secumailer.com, 1 +secumailer.nl, 1 +secundity.com, 1 +secundity.nl, 1 +secunm.org, 1 +securai.de, 1 +secure-automotive-cloud.com, 1 +secure-automotive-cloud.org, 1 +secure-computing.net, 1 +secure-consult.com, 1 +secure-graphic.de, 1 +secure-gw.de, 1 +secure-it-is.nl, 0 +secure-server-hosting.com, 1 +secure.advancepayroll.com.au, 1 +secure.facebook.com, 0 +secure.wang, 1 +secureapplicationaccess.ca, 1 +secureapplicationaccess.com, 1 +secureauth.com, 1 +securebot.ga, 1 +securebuildingaccess.com, 1 +secured-login.net, 1 +secured.vote, 1 +secureddocumentshredding.com, 1 +securedrop.org, 1 +securedsigning.com, 1 +secureenduserconnection.se, 1 +securefiletransfer.nl, 1 +securegovernment.us, 1 +securehugs.com, 1 +secureideas.com, 0 +secureim.de, 1 +secureinfo.pl, 1 +securekonnect.com, 1 +securelect-inspection.com, 1 +securelogin.nu, 1 +secureo.at, 1 +secureobscure.com, 1 +secureonline.co, 1 +secureonline.nl, 1 +secureprivacy101.org, 1 +secureqbplugin.com, 1 +securerepository.net, 1 +securesense.nl, 1 +securesite.pro, 1 +securesiteaccess.com, 1 +securesnacks.com, 1 +securesuite.co.uk, 0 +securesystems.de, 1 +securetalks.com.br, 1 +securetaxcpa.com, 1 +securetown.top, 0 +securetrustbank.com, 1 +secureutilitypayments.com, 1 +securevideo.com, 1 +securewebcomputing.com, 1 +secureyourerp.nl, 1 +securi-tay.co.uk, 1 +securify.nl, 1 +securimail.ch, 1 +securipy.com, 1 +securist.nl, 1 +securitelandry.com, 1 +securitum.pl, 1 +security-24-7.com, 1 +security-brokers.com, 1 +security-headers-dot-testing-sb6.appspot.com, 1 +security-systems.nl, 1 +security.gives, 1 +security.golf, 1 +security.google.com, 1 +security.pl, 1 +security.xn--q9jyb4c, 1 +security201.co.uk, 1 +security201.com, 1 +securityabstract.com, 1 +securityaware.me, 1 +securitybrief.asia, 1 +securitybrief.co.nz, 1 +securitybrief.com.au, 1 +securitybrief.eu, 1 +securitydelta.nl, 1 +securitydriver.com, 1 +securityescrownews.com, 1 +securityfest.com, 1 +securitygladiators.com, 1 +securityguard-license.org, 1 +securityheaders.com, 1 +securityheaders.io, 1 +securityheaders.nl, 1 +securityindicators.com, 1 +securitypluspro.com, 1 +securitypuppy.com, 1 +securitysense.co.uk, 1 +securitysnobs.com, 0 +securitysoapbox.com, 1 +securitystreak.com, 1 +securitystudio.com, 1 +securitytalent.nl, 1 +securitytalk.pl, 1 +securitytestfan.gov, 1 +securitytrails.com, 1 +securitywatch.co.nz, 1 +securitywithnick.com, 1 +securitywithoutborders.org, 1 +securix.hk, 1 +securl.chat, 1 +securl.link, 1 +securly.me, 1 +securocloud.com, 1 +securoswiss.ch, 1 +securot.eu, 1 +securview.ch, 1 +secuvera.de, 0 +secuxtech.com, 1 +secvuln.info, 1 +secwall.me, 1 +secwatch.nl, 1 +secweb.org, 1 +secyourity.se, 1 +seda.wa.edu.au, 1 +sedico.mx, 1 +sedicomm.com, 1 +sedirector.net, 1 +sedkisghairi.com, 0 +sedl.org, 1 +sedlex.fr, 1 +sedmicka.sk, 0 +sedoexpert.nl, 1 +sedoexperts.nl, 1 +sedonagolfresort.com, 0 +sedro-woolley.gov, 1 +see22.de, 1 +seearmenia.tk, 1 +seebetterlab.com, 1 +seecat.biz, 1 +seedandleisure.co.uk, 1 +seedboite.ovh, 1 +seedbox.fr, 1 +seedbox.hosting, 1 +seedcom.dk, 0 +seedcoworking.es, 1 +seedisclaimers.com, 1 +seedno.de, 1 +seedscientific.com, 1 +seedspark.com, 1 +seedsystemcoaching.com, 1 +seefeldbilder.at, 1 +seehisnudes.com, 0 +seeidinc.com, 1 +seeinred.tk, 1 +seejay.me, 1 +seekicon.com, 1 +seekingalpha.com, 1 +seeks.ru, 1 +seeksupply.ga, 1 +seekweb.com, 1 +seeme.ai, 1 +seemomclick.com, 1 +seemorehere.tk, 1 +seemyreality.tk, 1 +seeonce.co, 1 +seerainer.com, 1 +seerist.com, 1 +seerr.ddns.net, 1 +seesuite.com, 0 +seetheprogress.com, 1 +seetheprogress.de, 1 +seetheprogress.eu, 1 +seetheprogress.net, 1 +seetheprogress.org, 1 +seetow.sg, 1 +seetv.ga, 1 +seewang.me, 1 +seewhatididhere.com, 1 +seewines.com, 1 +seexw.com, 1 +seezeitlodge-bostalsee.de, 1 +sef.co.za, 1 +sefa.cloud, 1 +sefan.ru, 1 +sefodbold.dk, 1 +sefru.de, 1 +seg-leipzig.org, 1 +seg-sys.com, 1 +seg-tox.org, 1 +seg.do, 1 +segamastersystem.tk, 1 +segaretro.org, 1 +segdo.de, 1 +segdo.media, 1 +segdogames.com, 1 +segdomedia.com, 1 +segel-setzen-buch.de, 1 +segm.org, 1 +segmentify.com, 1 +segmentnext.com, 1 +segnalabullo.it, 1 +segnidisegni.eu, 1 +segpay.com, 1 +segulink.com, 1 +segurancaresidencialbh.com.br, 1 +segurancati.com, 1 +segurcaixaadeslas.es, 1 +segurdatacr.com, 1 +segurico.cz, 1 +seguridadconsumidor.gov, 1 +seguridadsistem.tech, 1 +seguridadsistemtienda.tech, 1 +seguromail.com.br, 1 +segurosbantrab.com.gt, 1 +segurosdesaluddominicanos.com, 1 +segurosmaurobracchieri.com, 1 +segurosmr.es, 1 +segurosocial.gov, 0 +segurosproteccion.com, 1 +segv.fi, 1 +sehat-solusi-makmur.com, 1 +sehatpoin.com, 1 +sehatyab.com, 1 +sehd.top, 0 +sehersirin.com, 1 +seheyah.me, 1 +sei-yu.net, 1 +seibert.ninja, 0 +seibu-kikaku.co.jp, 1 +seida.at, 1 +seidel-immobilienberatung.de, 1 +seiffen.de, 1 +seifried.org, 1 +seika-housei.com, 1 +seikatu-navi.com, 1 +seikoman.tk, 1 +seil.de, 1 +seiler-ds.com, 1 +seilergeodrones.com, 1 +seilermicro.com, 1 +seilgold.de, 1 +seimo.cn, 1 +seincojavea.es, 0 +seineoparebrise.fr, 1 +seinfeldquote.com, 1 +seinolab.jp, 1 +seintec-ec.com, 0 +seintje24.nl, 1 +seira.tk, 1 +seirdy.one, 1 +seirei.ne.jp, 1 +seiryokuzai-ch.com, 1 +seisansei.net, 1 +seishinan.xyz, 1 +seishinchuo-lawoffice.com, 1 +seishuncollection.com, 1 +seismas1.com, 1 +seisthewaytobe.com, 1 +seistolzaufdich.de, 1 +seistrup.dk, 1 +seitai-nabejun.jp, 1 +seitai-taiyou.com, 1 +seitanic-cookbook.de, 1 +seitenwaelzer.de, 1 +seitokai.jp, 1 +seiulocal300.org, 1 +seize.io, 1 +seized.gov, 1 +seizethedaybrasil.com.br, 1 +sejageek.com, 1 +sek.ai, 1 +sekainokokki.jp, 1 +sekfung.me, 1 +sekisonn.com, 1 +sekkom.com, 1 +sekoia.io, 1 +sekoya.org, 1 +sekreti-biznesa.cf, 1 +sekretiki.info, 1 +seks-znakomstva.tk, 1 +sekshikayeler.tk, 1 +sektor-news.tk, 1 +sektor.ro, 1 +sektor.tech, 1 +sektor41.com, 1 +sektorgaza.su, 1 +sekundadosetki.pl, 1 +sekurak.pl, 1 +sekusi-tochiki.tk, 1 +sekweta.com, 1 +selang.cf, 1 +selang.ml, 1 +selangdi.com, 1 +selatv.com, 1 +selayar.vacations, 1 +selber-coden.de, 1 +selbst-schmiede.de, 1 +selco-himejiminami.com, 1 +selcukluhali.com.tr, 1 +selcuksportr.com, 1 +selcusters.nl, 1 +seldadogancan.com, 1 +selebrita.ml, 1 +selectables.tk, 1 +selectagents.gov, 1 +selectbusteni.tk, 1 +selected-properties.com, 0 +selectedbym.com, 1 +selectel.ru, 1 +selectionengine.ca, 1 +selectionengine.com, 1 +selectionengine.net, 1 +selectionengine.org, 1 +selector.space, 1 +selectsplat.com, 1 +selegiline.com, 1 +selen.com.br, 1 +selena-armavir.ml, 1 +selenapelletier.tk, 1 +seleondar.ru, 1 +selesnafes.com, 0 +selezionebarbrboguaccero.cf, 1 +selezionebarbrboguaccero.ga, 1 +selezionebarbrboguaccero.tk, 1 +self-business.tk, 1 +self-evident.org, 1 +selfassess.govt.nz, 1 +selfbattery.ga, 1 +selfbestyou.com, 1 +selfcaregate.com, 0 +selfcateringstratford.co.uk, 1 +selfdefinition.org, 1 +selfdefinition.tk, 1 +selfdevelopment.com.au, 1 +selfelec.be, 1 +selfemployed.ga, 1 +selfguidedholiday.com, 1 +selfharm.xyz, 1 +selfici.com, 1 +selfici.cz, 1 +selfiehome.cz, 1 +selfiestick.bg, 1 +selfishness.com, 1 +selfloath.in, 1 +selfmade4u.de, 0 +selfpublishingformula.com, 1 +selfrealize.ga, 1 +selfretire.cf, 1 +selfserverx.com, 0 +selfswrecker.com, 1 +selftech.tk, 1 +selfycheck.it, 1 +selimcerkezi.tk, 1 +selistina.tk, 1 +selkiemckatrick.com, 1 +sell2orbit.com, 1 +sellajoch.com, 1 +sellbit.io, 1 +sellcoins.top, 1 +selldone.com, 1 +selldorado.com, 1 +seller.diamonds, 1 +sellerengine.com, 1 +sellers.market, 1 +sellersfunding.com, 1 +sellersmart1.com, 1 +sellerssignals.com, 1 +sellerstats.ru, 1 +sellerteam.tk, 1 +sellerwiz.io, 1 +sellguard.pl, 1 +sellingsherpa.com, 0 +sellmymobile.com, 1 +sellmyphone.co.uk, 1 +sellmyshares.com.au, 1 +sello.com, 1 +sellocdn.com, 1 +sellorbuy.uk, 1 +sellorbuy.us, 1 +sellphotos.tk, 1 +sellsmartwatches.tk, 1 +selltobluefirefly.com, 1 +selltobpp.com, 1 +selltoec.com, 1 +selltogaprime.com, 1 +selltothousandhills.com, 1 +selltous.com.au, 1 +sellusdtindubai.com, 1 +sellwithsquare.com, 1 +selma.com, 1 +selmatownship-mi.gov, 1 +selmec.com.mx, 1 +selmer-tn.gov, 1 +selmon.ru, 1 +selo-cer.tk, 1 +selo-grncare.tk, 1 +selo.ru, 1 +seloc.org, 1 +selokids.ru, 1 +selsovet56.tk, 1 +seltek.su, 1 +seltendoof.de, 1 +selvaggialucarelli.blog, 1 +selwyn.cc, 1 +sema4.ai, 1 +semacode.com, 1 +semaflex.it, 1 +semaine-cevenole.fr, 1 +semalt.net, 1 +semanaacademica.org.br, 1 +semanarioaqui.tk, 1 +semantic-systems.com, 1 +semantica.cz, 0 +semantics.ga, 1 +semao.org, 1 +semaphore-studios.com, 1 +sembosihosting.tk, 1 +sembska.de, 1 +sembyotic.com, 1 +semcensurabrag.com.br, 1 +semeia.io, 1 +semena-ua.ml, 1 +semenov.ml, 1 +semenov.su, 1 +semenserang.com, 1 +sementes.gratis, 1 +sementesquati.com.br, 1 +semestaindovest.co.id, 1 +semesur.com, 1 +semi.social, 1 +semianalog.com, 1 +semicolon.cf, 1 +semicon.cc, 1 +semiconductors.gov, 1 +semicvetik.tk, 1 +seminarioabdtic.com.br, 1 +seminariruum.ee, 1 +seminarraum-isny.de, 1 +seminolecountyoklahoma.gov, 1 +seminovostoyota.com.br, 1 +semiotical.com, 0 +semiotika.tk, 1 +semira.tk, 1 +semirben.de, 1 +semiread.com, 1 +semiretire.ga, 1 +semiweb.ca, 1 +semmuhely.tk, 1 +semobr.cf, 1 +semops.gq, 1 +semox.de, 1 +semparar.com.br, 1 +sempersolaris.com, 1 +semplicementelight.com, 1 +sempoctet.ca, 1 +sempreupdate.com.br, 1 +semps-2fa.de, 1 +semps-threema.de, 1 +semps.de, 1 +semrecc.gov, 1 +semrush.com, 1 +semsec.net, 1 +semtinde.com, 1 +semver.ca, 1 +semyonov.su, 1 +semyonov.us, 1 +senacor.com, 1 +senamexico.com, 1 +senaofertaeducativa.co, 1 +senaofertaeducativa.com, 1 +senarea.nl, 1 +senarist.tk, 1 +senarius.de, 1 +senat.cz, 1 +senat.ro, 1 +senbil.net, 1 +senbil.video, 1 +sence.gob.cl, 1 +send.tk, 1 +send2sign.net, 1 +sendaddress.com, 1 +sendai-cc.jp, 1 +sendai-cdc.com, 1 +sendai-cooking.com, 1 +sendai-ctr.com, 1 +sendai-himawari.jp, 1 +sendai-rc.com, 1 +sendai-recruit.com, 1 +sendai-sisters.com, 1 +sendai-sougou.com, 1 +sendai-works.com, 1 +sendaimori.com, 1 +sendaiouji.com, 1 +sendbird.com, 1 +sendbox.cz, 1 +sender.party, 1 +sender.services, 1 +senderdb.com, 1 +senderismoinfantil.tk, 1 +senderosdelavida.com, 1 +sendflowers.pk, 1 +sendigperu.com, 1 +sendingbee.com, 1 +senditvia.email, 1 +sendmail.com, 1 +sendonce.io, 1 +sendonomics.com, 1 +sendpulse.com, 1 +sendsonar.com, 1 +sendthisfile.com, 1 +sendtrix.nl, 1 +sendy.land, 1 +sendzik.eu, 1 +senecailpd.gov, 1 +senergiya.tk, 1 +senf-kren.at, 1 +senfcall.de, 1 +senhost.tk, 1 +seni-beladiri.tk, 1 +senibongcove.my, 1 +senibonggolfclub.com.my, 1 +senior-sigan.ml, 1 +seniorcommunitymedia.com, 1 +seniorem.eu, 1 +seniorhost.net, 1 +seniorlivinginvestments.eu, 1 +seniormanager.cz, 1 +seniorsupportservicesohio.com, 1 +senkals.one, 1 +senkyo.watch, 1 +senneeeraerts.be, 1 +sennik.tk, 1 +senoctarsoft.tk, 1 +senok.ml, 1 +senooken.jp, 1 +senor-cheapo.nl, 1 +senork.de, 1 +senpiper.com, 1 +senres.top, 1 +senrj.be, 1 +sens2lavie.com, 1 +sense.eu.com, 1 +sense.finance, 1 +sense.hamburg, 1 +sensebridge.net, 1 +senseful-online.de, 1 +senseful-online.eu, 0 +senseful-online.info, 1 +senseiclassroom.tk, 1 +senseilabs.com, 1 +senselabs.it, 1 +sensepixel.com, 1 +sensepost.com, 1 +senshudo.tv, 1 +sensibleita.tk, 1 +sensiblelanecounty.tk, 1 +sensiblepcsupport.co.uk, 1 +sensical.net, 0 +sensoft-int.com, 1 +sensoft-int.net, 1 +sensoft-int.org, 1 +sensor-dream.ru, 0 +sensoria.com.br, 1 +sensoriels-by-crealyne.fr, 1 +sensormatic.bg, 1 +sensorshop.ir, 0 +sensorsoft-waterontharder.nl, 1 +sensorville.com.br, 1 +sensoscientific.com, 1 +sensound.ml, 1 +sensualism.com, 1 +sensuality-models.com, 1 +sensually.tk, 1 +sensualsexyhot.com.br, 1 +sensuuri.tk, 1 +sentandsecure.com, 1 +sentencing.net, 1 +sentenza.tk, 1 +senteon.co, 1 +senterada.tk, 1 +sentia.com, 1 +sentic.info, 1 +sentiment.rest, 1 +sentiments.io, 1 +sentinel.gov, 1 +sentinelnet.tk, 1 +sentinelproject.io, 1 +sentinels.tk, 1 +sentir.id, 1 +sentirmebien.org, 1 +sentitvia.email, 1 +sentmail.ga, 1 +sentor.se, 1 +sentorsecurity.com, 1 +sentrafield.com, 1 +sentral.com, 1 +sentralegal.com, 1 +sentry.io, 1 +sentry.nu, 1 +sentrybay.com, 1 +sentrytwo.com, 1 +sentworks.com, 1 +senzaparole.de, 1 +senzei.tk, 1 +seo-analyse.com, 1 +seo-blog12.tk, 1 +seo-dr-it.com, 1 +seo-forum.nu, 0 +seo-inc.ru, 1 +seo-linz.at, 1 +seo-obmen.tk, 1 +seo-phpbb.cf, 1 +seo-piar.tk, 1 +seo-portal.tk, 1 +seo-promox.cf, 1 +seo-promox.tk, 1 +seo-reality.cf, 1 +seo-reklama.ml, 1 +seo-reklama.tk, 1 +seo-sem.online, 1 +seo-smo.ml, 1 +seo-smo.tk, 1 +seo-srbija.rs, 1 +seo-tools4u.com, 1 +seo-url.tk, 1 +seo-website.ru, 1 +seo.consulting, 1 +seo.domains, 1 +seo.london, 1 +seo.services, 1 +seo40.fr, 1 +seoagentur-hamburg.com, 1 +seoankara.name.tr, 1 +seoapi.com, 1 +seoarchive.org, 1 +seoargentina.com.ar, 1 +seoblogs.cf, 1 +seobook2015.cf, 1 +seobook2015.ga, 1 +seobook2015.gq, 1 +seobook2016.gq, 1 +seoclubs.tk, 1 +seocontents24.tk, 1 +seocraft.me, 1 +seocreator-blog24.tk, 1 +seodayo.com, 1 +seodefinitivo.com, 1 +seodelhi.com, 1 +seodoma.ml, 1 +seodrug.tk, 1 +seoefectivo.com, 1 +seoenmexico.com.mx, 1 +seoexpert.com.br, 1 +seoforyou.nl, 1 +seogeek.nl, 1 +seogeky.com, 1 +seogilog.com, 1 +seogood.cf, 1 +seohackers.fr, 1 +seohost.pl, 1 +seohouston.com, 1 +seoified.com, 1 +seoinc.com, 1 +seojaguar.tk, 1 +seokatka.tk, 1 +seolabuitest.azurewebsites.net, 1 +seoline.cf, 1 +seolister.cf, 1 +seolisting.cf, 1 +seolisting.tk, 1 +seolizer.de, 1 +seolord.cf, 1 +seomag.tk, 1 +seomarketing.bg, 1 +seomasti.com, 1 +seomaton.com, 1 +seomaton.org, 1 +seomaxion.com, 1 +seomedo.com, 1 +seomen.biz, 1 +seomonk.com, 1 +seonaut.org, 1 +seonoco.com, 1 +seonow.ga, 1 +seonurse.com, 1 +seoonline.cf, 1 +seoonlinejaipur.tk, 1 +seopiar.tk, 1 +seoping.ru, 0 +seoplus.com, 1 +seopost.ga, 1 +seoprnews.cf, 1 +seopromotion.tk, 1 +seoproof.tk, 1 +seoptimize.fr, 1 +seoquero.com, 1 +seoranker.tk, 1 +seorepress.com, 1 +seorus.cf, 1 +seorus.ml, 1 +seoruse.com, 0 +seos.ga, 1 +seoscan.ga, 1 +seoschmiede.at, 1 +seoscribe.net, 1 +seosearch.org, 1 +seoserfing.tk, 1 +seosergio.com, 1 +seoshanti.ru, 0 +seoshnik.tk, 1 +seosmart.gq, 1 +seosof.com, 1 +seosos.gq, 1 +seosos.ml, 1 +seospace.ro, 1 +seospecialist.ma, 1 +seosprint.gq, 1 +seostrit.cf, 1 +seostrit.tk, 1 +seosuccor.com, 1 +seoteam.tk, 1 +seotesty.cz, 1 +seotip.top, 1 +seotipster.com, 1 +seotoolset.tk, 1 +seoturkey.tk, 1 +seotutorials32.tk, 1 +seoulartcollective.tk, 1 +seoulista.vn, 1 +seovision.se, 1 +seovisit.tk, 1 +seovisits.tk, 1 +seoviziti50.tk, 1 +seowebsite.tools, 1 +seowerkz.com, 1 +seowind.io, 1 +seowordpress.pl, 1 +seowork.tk, 1 +seozel.tk, 1 +seozen.ru, 1 +seozen.top, 1 +sep-online.com.pl, 1 +sep.bydgoszcz.pl, 1 +sep.cc, 1 +sep.jgora.pl, 1 +sep.rzeszow.pl, 1 +sep.tarnobrzeg.pl, 1 +sepakbola.id, 1 +separacioniglesiaestado.tk, 1 +sepehrmahan.com, 1 +sepenggal.info, 1 +seproco.com, 0 +septakkordeon.de, 1 +septam-orchestra.fr, 1 +septem.cc, 0 +septemcapital.ru, 1 +septentrionalist.org, 1 +septicrepairspecialists.com, 1 +septics.ga, 1 +septictankpumpingservices.com, 1 +septodont.com.br, 1 +septodont.com.ru, 1 +septodont.in, 1 +septodontchina.com, 1 +septonol.tk, 1 +septs.blog, 1 +sepulcharium.tk, 1 +seputarfinansial.com, 1 +seqing.cf, 1 +sequachee.com, 1 +sequatchiecounty-tn.gov, 1 +sequatchiecountytn.gov, 1 +sequencediagram.org, 1 +sequencing.com, 1 +sequitur.tech, 1 +ser-it.pl, 1 +sera.jp, 1 +serail.biz.id, 1 +seraimu.me, 1 +seraku.co.jp, 1 +seraph.red, 1 +seraph.tokyo, 1 +serasa.com.br, 1 +serasaexperian.com.br, 1 +seratblog.ga, 1 +serban.ro, 1 +serbanpaun.ro, 1 +serbiaonline.tk, 1 +serc.ac.uk, 1 +sercanazizoglu.com, 1 +sercasindustry.tk, 1 +serdarakyildiz.com, 1 +serdarwork.com, 1 +serdengolpinar.tk, 1 +serecoponsillo.it, 1 +sereema.com, 1 +serele.fr, 1 +seren.tk, 1 +serenascreations.com, 1 +serenata.tk, 1 +serenavilage.net, 1 +serenavillage.net, 1 +serenavillageresidence.com, 1 +serenaweb.de, 1 +serendeputy.com, 1 +serenesolutions.nl, 1 +serenityeditor.com, 1 +serenitytvl.com, 1 +seresco.es, 0 +serf.io, 1 +serfas.gr, 1 +serfinansa.com.co, 1 +sergal.club, 1 +sergal.de, 1 +sergal.gay, 1 +serge-design.ch, 1 +sergeemond.ca, 1 +sergefonville.nl, 1 +sergelapointe.ca, 1 +sergeyburov.tk, 1 +sergeyesenin.tk, 1 +sergeykozharinov.com, 1 +sergi.tk, 1 +sergicoll.cat, 1 +sergio-rivero.tk, 1 +sergiochica21.tk, 1 +sergiocv.com, 1 +sergioforsanmateo.com, 1 +sergioforse.com, 1 +sergiogm.es, 1 +sergiogug.tk, 1 +sergiomur.tk, 1 +sergioogarciaa.es, 1 +sergiopereiracouto.tk, 1 +sergiopimpao.pt, 1 +sergiozygcunt.com, 1 +sergiozygmunt.com, 1 +sergiozygmunt.org, 1 +sergivb01.me, 0 +sergos.de, 0 +serguzim.me, 1 +serhan.in, 1 +serial-kinder.tk, 1 +serial2000.tk, 1 +serializacion.mx, 1 +serialize.gq, 1 +serialkey.info, 1 +seriesdatv.pt, 1 +seriesfeed.com, 0 +seriesgratis.tk, 1 +serifosguide.dk, 1 +serije.co, 1 +serinamusic.com, 1 +seringe.com, 1 +seriouss.am, 1 +serioussam.ml, 1 +serkanceyhan.com, 1 +serkanyarbas.com.tr, 1 +serkozh.me, 1 +sermerkt.is, 1 +sernate.com, 1 +seroquel50mg.tk, 1 +seroquelonline.ga, 1 +seroquelonline.tk, 1 +serotiuk.com, 0 +serpenteq.com, 1 +serpes.nz, 1 +serphost.ml, 1 +serpic.photo, 1 +serpinco.com, 1 +serptoolsuite.com, 1 +serpuhof.ru, 1 +serralheriaeseguranca.com.br, 1 +serrande.it, 1 +serrande.roma.it, 1 +serraniadecuencaafondo.tk, 1 +serrano-chris.ch, 0 +serrature.roma.it, 1 +serreshikeclub.tk, 1 +sertaobom.eco.br, 1 +sertaovivo.tk, 1 +sertasimmons.com, 1 +sertec.com.mx, 1 +sertim.tk, 1 +serv.site, 1 +serval-concept.com, 1 +serval-formation.com, 1 +servant42.com, 1 +servantweb.fr, 1 +servatmandi.com, 1 +serve.gov, 1 +serve.work, 1 +servebyte.com, 1 +servecrypt.com, 1 +servecrypt.net, 1 +servecrypt.ru, 1 +serveistic.cat, 1 +serveistic.es, 1 +servelelecciones.cl, 1 +servelink.com, 1 +servend.gov, 1 +servepublic.com, 1 +servepublic.org, 1 +server-bg.net, 1 +server-daten.de, 1 +server-essentials.com, 1 +server-kiste.de, 1 +server-zugang.eu, 1 +server.pro, 1 +server.vote, 1 +server4london.site, 1 +server72a.ddns.net, 1 +server92.eu, 1 +server92.tk, 1 +serveradium.com, 1 +serveradmin.ovh, 1 +serverbin.net, 1 +serverbit.it, 1 +serverco.com, 1 +serverd.de, 1 +serverdechile.tk, 1 +serverdensity.io, 1 +serverdragon.site, 1 +serverexpose.com, 1 +serverfix.net, 1 +serverhost.no, 1 +serverhunter.com, 1 +serverion.ga, 1 +serverka.tk, 1 +serverlauget.no, 1 +serverlein.com, 1 +serverlog.net, 1 +serverlounge.eu, 1 +servermacher.de, 1 +servermaster.sk, 1 +servernerds.net, 1 +serverninja.tk, 1 +serveroffline.net, 1 +serverpedia.de, 1 +servers.vg, 1 +serverscan.com, 1 +serversfrom.space, 1 +serversify.net, 1 +serverstatus.tk, 1 +serverstuff.info, 1 +serversuit.com, 1 +servertastic.com, 1 +servertechsupply.com, 1 +servertutorial.eu, 1 +serveru.us, 1 +servetten-groothandel.nl, 1 +serveur.nl, 1 +serveurs-minecraft.com, 1 +serveursminecraft.org, 1 +servfefe.com, 1 +servi-tek.net, 1 +service-auto-baneasa.com, 1 +service-auto-baneasa.ro, 1 +service-centre.cf, 1 +service-compris.net, 1 +service-soft.de, 1 +service-status.cloud, 1 +service-ways.com, 1 +service-wueste-vodafone.tk, 1 +service.gov.scot, 1 +service.gov.uk, 1 +service.vic.gov.au, 0 +service220.ar, 1 +serviceair.com.ar, 1 +serviceautobaneasa.com, 1 +serviceautobaneasa.ro, 1 +servicebeaute.fr, 1 +serviceboss.de, 1 +servicecentreperth.com.au, 1 +servicedesk.ath.cx, 1 +servicefish.tk, 1 +serviceflow.co.za, 1 +serviceforge.com, 1 +serviceland.am, 1 +servicemasterlawncare.ca, 1 +servicemembers.gov, 1 +servicenow.com, 1 +servicepclaptop.com, 1 +servicesforfree.com, 1 +serviceslotenmaker.nl, 0 +servicesneo.com, 1 +servicesnetpro.com, 1 +servicespot.ca, 1 +servicevie.com, 0 +serviciales.com, 1 +servicii-funerare.tk, 1 +serviciodebarralibreparaeventos.com, 1 +serviciomigraciones.cl, 1 +serviciosdeti.gq, 1 +serviciosfncs.com, 1 +servicioskoinonia.org, 1 +serviciotecnicoencomputacion.com.ve, 0 +servida.ch, 1 +servietten-grosshandel.at, 1 +servietten-grosshandel.be, 1 +servietten-grosshandel.ch, 1 +servietten-grosshandel.de, 1 +serviettes-et-plus.com, 1 +servilletas-de-papel.es, 1 +servilletas-de-papel.mx, 1 +servilonjas.com, 1 +servingbaby.com, 0 +servingroddick.tk, 1 +servingseniors.org, 1 +servingupsouthern.com, 1 +servion.com, 1 +servis-azd.cz, 1 +servis4u.top, 1 +servisin.id, 1 +servispasaoglu.com.tr, 1 +servitel.ga, 1 +servitor.cf, 1 +servitproducts.com, 1 +servivum.com, 1 +serviziocolf.it, 1 +serviziourgente.it, 1 +servmaslt.com, 1 +servn.ca, 1 +servo.org, 1 +servonline.de, 1 +servpress.net, 1 +servrox.solutions, 1 +servtepstore.com, 1 +servtraq-staging.azurewebsites.net, 1 +servtraqazure.com, 1 +servus.ca, 1 +servx.org, 1 +serw.org, 1 +serwetki-papierowe.pl, 1 +serwis-militarny.net, 1 +serwis-telewizorow.pl, 1 +serwis-wroclaw.pl, 1 +serwispv.eu, 1 +serwistomy.pl, 1 +serworkribeirao.com.br, 1 +serx.cf, 1 +seryovpn.com, 1 +ses-egy.com, 1 +ses-offshore.com, 1 +sesa.org, 1 +sesam-biotech.com, 1 +sesamomusical.tk, 1 +sesardeploymentmanager.com, 1 +sesardm.eu, 1 +sescoen.tk, 1 +seseai.ga, 1 +sesenaonline.tk, 1 +sesliturkgencligi.tk, 1 +sesperformance.eu, 1 +sesrdcem.cz, 1 +sessile-oak.co.uk, 1 +session.bbc.co.uk, 1 +session.bbc.com, 1 +sessionslogning.dk, 1 +sestry.tk, 1 +set-freeporn.com, 1 +setabun.or.jp, 1 +seteampty.net, 1 +setenforce.one, 1 +setesat.com.br, 1 +setevik.tk, 1 +sethclinic.com, 1 +sethcorker.com, 1 +sethcurry.ga, 1 +sethforprivacy.com, 1 +sethjust.com, 1 +sethlmatarassomd.com, 1 +sethoedjo.com, 1 +sethriedel.com, 1 +sethvargo.com, 1 +seti-germany.de, 0 +setin.srl, 1 +setkit.net, 1 +setmore.com, 1 +setof88.com, 1 +setonhill.edu, 1 +setphaserstostun.org, 0 +settberg.de, 1 +setterirlandes.com.br, 1 +settimanadellascienza.it, 1 +settleapp.co, 1 +settlingin.ga, 1 +setuid.de, 1 +setuid.io, 1 +setuid0.kr, 1 +setun.tk, 1 +setuplog.io, 1 +setupstreamers.com, 1 +setxxxtube.com, 1 +setzzy.com, 1 +seu.edu.sa, 1 +seucreditodigital.com.br, 1 +seuntaylor.co, 1 +seuplano.com.br, 1 +seutens.be, 1 +seutens.eu, 1 +sevastopol.tk, 1 +sevathian.com, 1 +seven-seas.ml, 1 +sevenartzpublicidad.com, 1 +sevendevilsnc.gov, 1 +sevenfoureight.ml, 1 +sevengang.tk, 1 +sevenhillsapartments.com.au, 1 +sevenicealimentos.com.br, 1 +sevenmatches.com, 1 +sevenrooms.com, 1 +sevenseasmarble.co.uk, 1 +seventeamiles.com, 1 +seventwentynine.com, 1 +seventymania.de, 1 +severac.org, 1 +severesexfilms.com, 1 +severine-trousselard.com, 1 +severing.cf, 1 +seviercountyar.gov, 1 +seviercountyassessor-ar.gov, 1 +sevilinux.es, 1 +sevillacani.tk, 1 +sevillalinces.tk, 1 +sevillanazarena.tk, 1 +sevinci.ch, 1 +sevitahealth.com, 1 +sevocomm.com, 1 +sevsey.ru, 1 +sewa.nu, 1 +sewalaptopm2i.com, 1 +sewardcountyne.gov, 1 +sewatec.com, 1 +sewavillamurah.tk, 1 +sewfarsewgood.uk, 1 +sewing-machines.com.ua, 1 +sewing-world.ru, 1 +sewinginsight.com, 0 +sewingtales.com, 0 +sewoo.co.uk, 1 +seworld.ml, 1 +sex-chat-geld-verdienen.com, 1 +sex-education.com, 1 +sex-sex-cam.com, 1 +sex-videochat.club, 1 +sex5.com, 1 +sexaki.com, 1 +sexandthecitty.tk, 1 +sexarab.live, 1 +sexawynet.cam, 1 +sexcamsbay.com, 1 +sexdocka.nu, 1 +sexedquickies.com, 1 +sexedrescue.com, 1 +sexflare.net, 1 +sexgamesclub.com, 1 +sexgarage.de, 1 +sexgirlfriend.com, 1 +sexgood.com.ua, 1 +sexhab.guru, 1 +sexin.nl, 1 +sexkrd.love, 1 +sexkursk.club, 1 +sexminister.tk, 1 +sexmobil.de, 1 +sexobryansk.guru, 1 +sexocheb.com, 1 +sexoclicker.com, 1 +sexoclicker.net, 1 +sexoclicker.org, 1 +sexocomgravidas.com, 1 +sexokursk.com, 1 +sexologist.cf, 1 +sexonwax.com, 0 +sexosintabues30.com, 1 +sexotomsk.com, 1 +sexoufa.center, 1 +sexoyalta.love, 1 +sexoyrelax.com, 1 +sexpay.net, 1 +sexpdf.com, 1 +sexpression.com.br, 1 +sexshopfacil.com.br, 1 +sexshopnet.com.br, 1 +sexsimf.red, 1 +sexswing.com, 0 +sextacy.tk, 1 +sextapegermany.com, 1 +sextoysproductstore.com, 1 +sextpanther.com, 1 +sextreffendeutschland.com, 1 +sextubespot.com, 1 +sextw.net, 1 +sexualdiversity.org, 1 +sexufa.red, 1 +sexvideochat.it, 1 +sexvideos.tel, 1 +sexvirtualspace.com, 1 +sexworking.com, 1 +sexworkrights.com, 1 +sexxyangie.com, 1 +sexy-mom.org, 1 +sexy-periscope.ml, 1 +sexy-store.nl, 1 +sexyanne.net, 1 +sexybuttpics.com, 1 +sexyfotosvandep.nl, 1 +sexyhub.com, 1 +sexyjanahot.com, 1 +sexyjenjen.net, 1 +sexyleni.org, 1 +sexynakedgirls.pics, 1 +sexynaty.org, 1 +sexynoemi.com, 1 +sexyporn.tv, 1 +sexyrachel846.com, 1 +sexystine.net, 1 +sexyteens.net, 1 +sexyvenushuegel.org, 1 +seyfarth.de, 1 +seykapuertasautomaticas.com, 1 +seymourfanclub.tk, 1 +seypt.de, 1 +seyr.it, 1 +seyr.me, 1 +seyv.io, 1 +seyyarelektrik.com, 1 +sf-builders.com, 1 +sf-kayh.de, 1 +sf3223.com, 1 +sfaparish.org, 1 +sfarc.ml, 1 +sfat.llc, 1 +sfbao.cn, 1 +sfbao.com, 1 +sfbaytransit.org, 1 +sfcardio.fr, 1 +sfccapital.com, 1 +sfccapitalpartners.com, 1 +sfcityoption.org, 1 +sfdchub.com, 1 +sfdcopens.com, 1 +sfdev.ovh, 1 +sfdlsource.tk, 1 +sfee.cl, 1 +sfera360.es, 1 +sfg-net.com, 1 +sfg-net.eu, 1 +sfg-net.net, 1 +sfg-net.org, 1 +sfg-nordholz.de, 1 +sfhp.org, 1 +sfile.eu, 1 +sfirat-haomer.com, 1 +sfleisure.com, 1 +sflhidta.gov, 1 +sfmason.net, 1 +sfnetwork.pl, 1 +sfo-fog.ch, 0 +sfoks33.ru, 1 +sfondo.info, 1 +sfp.net.tr, 1 +sfpdev.com, 1 +sfpebblesstones.com, 1 +sfpuc.gov, 1 +sfslashing.com, 1 +sft-framework.org, 1 +sftool.gov, 1 +sfumusic.com, 1 +sfvonline.nl, 1 +sfweef.gq, 1 +sfxmr.de, 1 +sg-1xbet.com, 1 +sg-gallerylive.it, 1 +sg-strietwald.de, 1 +sg.search.yahoo.com, 0 +sg1.tech, 1 +sga99.biz, 1 +sga99.fun, 1 +sga99.info, 1 +sga99.net, 1 +sga99.top, 1 +sga99.vip, 1 +sgatlantis.tk, 1 +sgbarker.com, 1 +sgbpa.co.uk, 1 +sgcaccounts.co.uk, 1 +sgcountymt.gov, 1 +sgdementia.ca, 1 +sgdi.gov.sg, 1 +sgdm-services.com, 1 +sgfinanceira.online, 1 +sggame990.com, 1 +sght.gallery, 1 +sgitc.de, 1 +sgj0.net, 1 +sglazov.ru, 1 +sglibellen.de, 1 +sgnation.dk, 1 +sgnl.ai, 1 +sgo-overbetuwe.nl, 1 +sgombero.it, 1 +sgoossens.nl, 1 +sgplay.io, 1 +sgrmreproduccionapp.azurewebsites.net, 1 +sgrossi.it, 1 +sgrowe.de, 1 +sgrs.be, 1 +sgrub.xyz, 1 +sgs-systems.de, 1 +sgs.camera, 1 +sgs.systems, 1 +sgsautoparts.com.au, 0 +sgsmart.ru, 1 +sgsosu.net, 1 +sgsp.nl, 1 +sgtcodfish.com, 1 +sgtech.ga, 1 +sgthotshot.com, 1 +sgtool.eu, 1 +sgtrains.com, 1 +sgtsnookums.net, 1 +sgtt.ch, 0 +sgutranscripts.org, 1 +sh-heppelmann.de, 1 +sh-network.de, 1 +sh.com.tr, 1 +sh0rt.in, 1 +sh0rt.zone, 1 +sh0u.jp, 1 +sh0uld.net, 1 +sh1mar.in, 1 +sh4y.cn, 1 +sh4y.com, 1 +sh68.cc, 0 +sha.bi, 1 +sha512.online, 1 +shabaka.org, 1 +shabashka.ml, 1 +shabiwangyou.com, 1 +shackleton.io, 1 +shad.waw.pl, 1 +shade.sh, 1 +shadebarandgrillorlando.com, 1 +shadebarandgrillutica.com, 1 +shadebarandgrillwindsor.com, 1 +shadedesign.cz, 1 +shademid.com, 0 +shadesofgrayadr.com, 1 +shadesofgraylaw.com, 1 +shadex.net, 1 +shadhoc.com, 1 +shadigee.org, 1 +shadikhan.tk, 1 +shadow-forum.tk, 1 +shadow-group.org, 1 +shadowandy.net, 1 +shadowcp.eu, 1 +shadowdomain.ml, 1 +shadowfight2.tk, 1 +shadowfox.tk, 1 +shadowguardian507.tk, 1 +shadowkingdomrecords.com, 1 +shadowkitsune.net, 1 +shadowknight.tk, 1 +shadowlurker.com.au, 1 +shadowmorph.info, 1 +shadowping.com, 1 +shadowplus.net, 0 +shadowsing.com, 1 +shadowsocks.au, 1 +shadowsocks.click, 1 +shadowsocks.com, 1 +shadowsocks.com.au, 1 +shadowsocks.com.hk, 1 +shadowsocks.fr, 0 +shadowsocks.la, 1 +shadowsocks.live, 1 +shadowsocks.nz, 1 +shadowsocks.se, 1 +shadowsocks.software, 1 +shadowsocks.to, 1 +shadowstalkers.tk, 1 +shadowstep.tk, 1 +shadowstrikers.tk, 1 +shadowuniverse.xyz, 1 +shadowvolt.net, 1 +shadrinsk-city.ru, 1 +shadynook.net, 1 +shadypark.tk, 1 +shaeishu.co, 1 +shafa.ua, 1 +shaffermixers.com, 1 +shafrental.id, 1 +shafteldhon.com, 1 +shaftofdarkness.club, 0 +shag-shag.ru, 1 +shahar.cc, 0 +shaharyaranjum.com, 1 +shaheedirfani.tk, 1 +shaheednawazirfani.tk, 1 +shahidafkar.tk, 1 +shahidfakih.com, 1 +shahidflix.ml, 1 +shahidhashmi.net, 1 +shahpurjat.xyz, 1 +shahriar.ca, 1 +shahriar.email, 1 +shahriar.xyz, 1 +shahrsazan.tk, 1 +shahrvand.ga, 1 +shahsaadkhan.tk, 1 +shahyadmusic.com, 1 +shahzaibm.com, 1 +shaicoleman.com, 1 +shaiden-porn.com, 1 +shaik.pl, 1 +shailendra.org, 1 +shailendramishra.com, 1 +shailendramishra.in, 1 +shainessim.com, 1 +shaitan.eu, 1 +shaiyapegasus.tk, 1 +shajeer.tk, 1 +shakalaka.co.za, 1 +shakan.ch, 0 +shakardara.com, 1 +shakebeforeuse.tk, 1 +shaken-kyoto.jp, 1 +shakepay.com, 1 +shakerheightsoh.gov, 1 +shakerventures.com, 1 +shakerwebdesign.net, 1 +shakespeareans.net, 1 +shakespearesolutions.com.au, 0 +shakespearevet.com, 1 +shakesprimer.tk, 1 +shakingthehabitual.com, 1 +shaknews.tk, 1 +shakraphix.tk, 1 +shakthifacility.com, 1 +shalaahmet.tk, 1 +shaloc.site, 1 +shalomamuzik.tk, 1 +shalombolivia.tk, 1 +shalomcottage.tk, 1 +shalyapin.by, 1 +sham-rock.tk, 1 +shamaev.me, 1 +shamami.ml, 1 +shamans.ga, 1 +shambala.cf, 1 +shamed.tk, 1 +shamesofhungary.com, 1 +shamil.tech, 1 +shamimahmed.tk, 1 +shamimmedia.ir, 1 +shamiphotos.tk, 1 +shamokit.com, 1 +shampoo63.ru, 0 +shan.io, 0 +shan.sg, 1 +shan.si, 1 +shaneparker.tk, 1 +shanerichards.tk, 1 +shanetully.com, 1 +shanevandermeer.com, 1 +shanewadleigh.com, 1 +shanghaimineral.com, 0 +shangobud.com, 1 +shanhay.tk, 1 +shaniainternational.tk, 1 +shanikaonline.tk, 1 +shanikofireor.gov, 1 +shanju.tk, 1 +shankangke.com, 1 +shanli.tk, 1 +shansen-online.de, 1 +shansing.cn, 1 +shansing.com, 1 +shansing.net, 1 +shansing.org, 1 +shantelle.tk, 1 +shanteo.com, 1 +shantitsafar.com, 1 +shantiyoga.ro, 1 +shanwong.com, 1 +shanwong.design, 1 +shanxia.com, 1 +shanxiapark.com, 1 +shanyi.space, 1 +shaofu.cf, 1 +shaolin-kungfu.tk, 1 +shaoxia.xyz, 0 +shape.pink, 1 +shapediver.com, 1 +shapelyways.com, 1 +shapers-production.fr, 1 +shapesouthcarolina.gov, 1 +sharaf.net, 1 +sharanyamunsi.net, 1 +sharanyan.com, 1 +shararam-card.tk, 1 +sharats.me, 1 +shardanageometries.it, 1 +shardbyte.com, 1 +share.la, 1 +share2act-dev.io, 1 +share2act-test.io, 1 +shareabc.vip, 1 +shareapollo.com, 1 +shareasale-analytics.com, 1 +sharebot.ga, 1 +shareby.cam, 1 +sharedalbumsf.com, 1 +sharedgoals.co, 1 +sharedhost.de, 1 +sharefox.eu, 0 +sharegate.tk, 1 +sharehabor.org, 1 +sharehousechintai.jp, 1 +sharekey.com, 0 +sharelinks.tk, 1 +sharelovenotsecrets.com, 1 +sharemania.tk, 1 +sharemessage.net, 1 +sharenotes.tk, 1 +sharenz.com, 0 +shareoffice.ch, 1 +sharepointcass.com, 1 +sharepointdrive.com, 1 +sharerotic.com, 1 +sharery.net, 1 +sharescope.co.uk, 1 +shareselecttools.com, 1 +sharethe.link, 1 +sharethemeal.org, 1 +sharetheroad.org, 1 +shareworks.com, 1 +shareworx.net, 1 +sharezen.de, 0 +shariahlawcenter.com, 1 +shariahlawcenter.org, 1 +sharialawcenter.com, 1 +sharialawcenter.org, 1 +shariftown.tk, 1 +sharik-msk.ga, 1 +sharik.ml, 1 +sharine.nl, 1 +sharing-kyoto.com, 1 +sharingcolombia.com, 1 +sharingiscaring.cc, 1 +sharingphotos.co, 0 +sharisharpe.com, 1 +sharix.ml, 1 +shark-host.tk, 1 +shark5060.net, 1 +sharkblog.tk, 1 +sharkey.tk, 1 +sharkeyscuba.com, 1 +sharkie.org.za, 1 +sharking.gq, 1 +sharko.tk, 1 +sharkpaint.tk, 1 +sharks.football, 1 +sharkstriker.com, 1 +sharmafamily.tk, 1 +sharona.cloud, 1 +sharonnh.gov, 1 +sharonpope.com, 1 +sharonsplace.biz, 1 +sharpe-practice.co.uk, 1 +sharpe.systems, 1 +sharpiesscrubs.tk, 1 +sharpletters.net, 1 +sharpmetals.com, 1 +sharpsburg-ga.gov, 1 +sharptudhope.co.nz, 1 +sharren.org, 1 +sharu.me, 1 +sharvey.ca, 1 +shashlik.tk, 1 +shastacounty.gov, 1 +shatabdichildrenschool.tk, 1 +shatalov.com, 1 +shatteredarchive.com, 1 +shaukatkhanum.org.pk, 1 +shaumine.ml, 1 +shaunallen.co.uk, 1 +shaunandamyswedding.com, 1 +shaunc.com, 1 +shaundanielz.com, 1 +shaunthomasart.com, 1 +shavedpics.com, 1 +shavedpussy.tv, 1 +shavedpussypics.com, 1 +shavingks.com, 1 +shavit.space, 1 +shavitech.com, 1 +shawanocountywi.gov, 1 +shawarmapressfranchise.com, 1 +shawcentral.ca, 0 +shawclan.id.au, 1 +shawfamily.id.au, 1 +shawiah.tk, 1 +shawlumber.ca, 1 +shawmutdelivers.com, 1 +shawnalucey.com, 1 +shawnee-nsn.gov, 1 +shawngvs.com, 1 +shawnhogan.com, 1 +shawnleetttt.cyou, 0 +shawnow.com, 1 +shawnz.ca, 1 +shawnz.org, 1 +shawty.tk, 1 +shaytan.tk, 1 +shazbots.org, 1 +shazzlemd.com, 1 +shazzlepro.com, 1 +shc.gov.sa, 1 +shcode.de, 1 +shcsystems.bg, 1 +shd.one, 1 +shdw.cc, 1 +she.kiwi, 1 +she.run, 0 +she.tw, 1 +sheaf.site, 1 +sheaorganics7.com, 1 +shear.tk, 1 +shearin.pro, 1 +sheaspire.com, 1 +sheaspire.com.tw, 1 +sheatoz.com, 1 +sheboygancountywi.gov, 1 +sheboyganfallswi.gov, 1 +shechipin.cf, 1 +shechipin.ga, 1 +shechipin.gq, 1 +shechipin.ml, 1 +shedrentalspot.com, 1 +shedrin.tk, 1 +sheds.online, 1 +shee.org, 1 +sheehans.com.au, 1 +sheehyinfinitioftysonsparts.com, 1 +sheekdeveloper.com, 1 +sheekmedia.com, 1 +sheelyuu.art, 1 +sheenveininstitutestl.com, 1 +sheepfriends.com, 1 +sheepproductions.com, 1 +sheeprock.tk, 1 +sheepsound.tk, 1 +sheepymeh.net, 1 +sheerchain.com, 1 +sheet.host, 1 +sheetengine.net, 1 +sheetsindonesia.com, 1 +sheetstutorial.com, 1 +shef.com, 1 +shefburgers.com, 1 +sheffield-wednesday-fc.tk, 1 +sheffieldjob.net, 1 +sheffieldmoneyman.com, 1 +shefftunes.tk, 1 +shehaal.com, 1 +shehan.live, 1 +shehata.com, 1 +sheika.ro, 1 +sheilasdrivingschool.com, 1 +shek.zone, 1 +shelbycounty-il.gov, 1 +sheldon.sk, 1 +sheldoniowa.gov, 1 +shelehov.tk, 1 +shelf-ssp.com, 1 +shelf.io, 1 +shelfordsandstaplefordscouts.org.uk, 1 +shellavartanian.tk, 1 +shellcon.io, 1 +shellday.cc, 1 +shellfire.de, 1 +shelljuggler.com, 0 +shellopolis.com, 1 +shellot.com, 1 +shellsec.pw, 0 +shellshock.eu, 1 +shellta.com, 1 +shellta.net, 1 +shellwhite.ga, 1 +shellwhite.tk, 1 +shelma.tk, 1 +sheloki.com, 1 +shelterislandtown.gov, 1 +shelterrealestate.com.au, 1 +sheltieplanet.com, 1 +sheltongrp.com, 1 +sheltonvirtual.com, 1 +shelvacu.com, 1 +shemaleflick.com, 1 +shemalehub.com, 1 +shemalepictures.net, 1 +shemaleplus.com, 1 +shemalestrokers.com, 1 +shemalexxxfreetube.com, 1 +shemogo.com, 1 +shemsconseils.ma, 1 +shena.co.uk, 1 +shenandoahrealestate.org, 1 +shenannigans.tk, 1 +shenbibi.com, 0 +shenderman.ml, 1 +shenghaiautoparts.com, 1 +shenghaiautoparts.net, 1 +shenghuang.tk, 1 +shengrenyu.com, 1 +shengyipin.com.my, 1 +shenmiya.com, 1 +shenshi.com, 1 +shentengtu.idv.tw, 1 +sheo-tech.fr, 1 +shepherdsfriendly.co.uk, 1 +shepherdsvilleky.gov, 1 +sheptytsky.ga, 1 +sheratsuki.tk, 1 +sherbers.de, 1 +sheremetka.com, 1 +sheridancountyks.gov, 1 +sheridancountymt.gov, 1 +sheridancountywy.gov, 1 +sheridanil.gov, 1 +sheriffmiamicountyks.gov, 1 +sheriffpawneecountyne.gov, 1 +sheriffpendletoncountyky.gov, 1 +sheriffwashingtoncountymaine.gov, 1 +sherissims.tk, 1 +shermancountyks.gov, 1 +shermancountyne.gov, 1 +shermanms.gov, 1 +shermanshebcowi.gov, 1 +shermantwphuronmi.gov, 1 +sherpa.blog, 1 +sherpnortheast.com, 1 +sherrikelley.com, 1 +sherut.net, 1 +shervinsafineh.com, 1 +shesherownceo.com, 1 +shethbox.com, 1 +shetshivar.com, 1 +shevans.com, 1 +shevet-achim.tk, 1 +sheweek.ml, 1 +shewillcheat.com, 1 +shft.cl, 1 +shgf.de, 1 +shgt.jp, 1 +shgw186.com, 1 +shh-listen.com, 1 +shh.sh, 1 +shh7.com, 1 +shhmale.com, 1 +shi.ma, 1 +shiawasedo.co.jp, 1 +shibainu.com.br, 1 +shibashake.com, 1 +shibayan.jp, 1 +shibbydex.com, 1 +shibeflix.com, 1 +shibleysmiles.com, 1 +shibumi.com, 1 +shichibukai.net, 1 +shichidadoma.ru, 1 +shico.org, 1 +shidai88.cc, 1 +shield.my.id, 1 +shielder.it, 1 +shieldnet.tk, 1 +shieldnsheath.com, 1 +shieldsair.com, 1 +shiellc.com, 1 +shif.tk, 0 +shift-record.com, 1 +shift-to.co.jp, 1 +shiftcrypto.ch, 1 +shiftcrypto.shop, 1 +shiftcrypto.support, 1 +shiftdelete.net, 1 +shiftdevices.com, 1 +shiftfrequency.com, 1 +shiftj.is, 1 +shiftkey.com, 1 +shiftkey.pl, 1 +shiftleft.io, 1 +shiftleft.org, 1 +shifton.com, 1 +shiftsixth.com, 1 +shiga1.jp, 1 +shigaben.or.jp, 1 +shiganmartialarts.com, 1 +shiggles.net, 1 +shiggles.org, 1 +shigizemi.com, 1 +shigotoarimasu.com, 1 +shigotoba.com, 1 +shih-tzu-dogs.com, 1 +shihabuddin.tk, 1 +shihadwiki.com, 1 +shiji.info, 1 +shijij.com, 1 +shijing.me, 1 +shikaku-test.com, 1 +shikiryu.com, 1 +shileo.de, 1 +shilled.tk, 1 +shillongdesign.com.au, 1 +shilpaonline.tk, 1 +shimi.blog, 1 +shimi.guru, 1 +shimi.net, 1 +shimi.photography, 1 +shimitower.pw, 1 +shimmo.de, 1 +shimmy1996.com, 1 +shimo.im, 1 +shin-sekai.de, 1 +shin-yo.de, 1 +shindocuba.tk, 1 +shineads.in, 1 +shineindiarktutorial.ml, 1 +shineleds.ga, 1 +shinenet.cn, 1 +shineon.biz, 1 +shines.ml, 1 +shinetruckleads.com, 1 +shinghoi.com, 1 +shinglereplacementlv.com, 1 +shinice.net, 1 +shining.gifts, 1 +shiningservices.ie, 1 +shiningstarlogistics.com, 1 +shinju.moe, 0 +shinkamigoto.tv, 1 +shinko-osaka.jp, 1 +shinnecock-nsn.gov, 1 +shinnyosangha.org, 0 +shinobi-fansub.ro, 1 +shinochip.ru, 1 +shinodadc-nakano.com, 1 +shinonome-lab.eu.org, 1 +shinsandenki.com, 1 +shinsyo.com, 1 +shinta.ro, 1 +shintoism.com, 1 +shinuytodaati.co.il, 1 +shinycleankitchen.com, 1 +shinyoko-saisyuusyou.com, 1 +shinypebble.uk, 1 +shinyteethand.me, 1 +shiomiya.com, 1 +ship-safely.com, 1 +shipaik.com, 1 +shipard.com, 1 +shipard.cz, 1 +shipard.org, 1 +shipbuddies.com, 1 +shipcloud.io, 0 +shipengliang.com, 1 +shipeurousa.com, 1 +shipgoldchandler.com, 1 +shipham.co.uk, 1 +shipheart.tech, 1 +shipinhuiyi.com, 0 +shipitsmarter.com, 1 +shiplapandshells.com, 1 +shipmile.com, 1 +shipmondo.com, 1 +shipmonk.cloud, 1 +shipmonk.com, 1 +shipnak.com, 1 +shippercenter.info, 1 +shippexx.com, 1 +shipping-trade.ga, 1 +shippinglabel.de, 1 +shippingyourworld.ca, 1 +shippingyourworld.com, 1 +shipshewana.gov, 1 +shiptek.co, 1 +shiptest.net, 1 +shiptron.com, 1 +shiqi.ca, 1 +shiqi.lol, 1 +shiqi.one, 1 +shiqi.online, 1 +shiqi.se, 1 +shiqi.tv, 1 +shiqi1.com, 1 +shiqishidai.cc, 1 +shiqisifu.cc, 1 +shiranaitenshi.tk, 1 +shirao.jp, 1 +shirazi.tk, 1 +shiresvets.com, 1 +shirevirtual.tk, 1 +shireyishunjian.com, 1 +shiriforum.tk, 1 +shirley.li, 1 +shirlygilad.com, 1 +shiro.com.pk, 1 +shiroki-k.net, 1 +shiropaev.tk, 1 +shirosaki-hana.fun, 1 +shirro.com, 1 +shirshik.xyz, 1 +shiryo.ch, 1 +shishadenbosch.nl, 1 +shishamania.de, 1 +shishkin.im, 1 +shishlik.net, 1 +shit.com, 1 +shit.one, 1 +shit.software, 1 +shit.works, 1 +shitara-tateo.jp, 1 +shitbeast.institute, 0 +shitcountries.org, 1 +shitdefined.net.cn, 1 +shitdick.tk, 1 +shitfest.net, 1 +shitmybradsays.com, 1 +shitnikovo.tk, 1 +shitposter.club, 1 +shitposter.io, 1 +shitpostingmain.com, 1 +shitposts.se, 1 +shitproductions.org, 1 +shittyurl.org, 1 +shittywok.tk, 1 +shiva-temple.tk, 1 +shivalikbank.com, 1 +shivamber.com, 1 +shivammathur.com, 1 +shivenjoshi.com, 1 +shivering-isles.com, 0 +shiwa-shop.ml, 1 +shiyouqkl.com, 1 +shiyutech.com, 1 +shk.im, 0 +shk8.tk, 1 +shkafi-krasnodar.tk, 1 +shkola-95.ru, 1 +shkola1.ml, 1 +shkolamishlenia.tk, 1 +shkolladigjitale.com, 1 +shkolnyimir.gq, 1 +shkololo.cf, 1 +shkololo.ga, 1 +shkololo.gq, 1 +shkololo.ml, 1 +shkololo.tk, 1 +shlang.tk, 1 +shlemenkov.by, 1 +shlmag.com, 1 +shlmagazine.com, 1 +shlmail.info, 1 +shlupka.ml, 1 +shlupka.tk, 1 +shlyakpavel.tk, 1 +shlyapa-com.tk, 1 +shlyhi.tk, 1 +shm.ac.jp, 1 +shmidta.tk, 1 +shmilyhua.com, 1 +shmotki.ml, 1 +shmroom.tk, 1 +shmtranslations.com, 1 +shmulvad.com, 1 +shnuff.co.uk, 1 +sho-furtwangen.de, 1 +shoarq.com, 1 +shobujtech.com, 1 +shochikubai.tk, 1 +shochufes.jp, 1 +shock.ee, 0 +shockerdragon.tk, 1 +shocklogic.com, 1 +shockproof.systems, 1 +shodan.io, 1 +shoe.club, 1 +shoejitsu.co, 1 +shoekeys.lt, 1 +shoelevel.com, 1 +shoeline.com, 1 +shoemakerywc.com, 1 +shoeracks.uk, 1 +shoesandmorebdn.com, 0 +shoesonline.co.il, 1 +shoesoutlet.tk, 1 +shoestorebiz.tk, 1 +shoestorenet.tk, 1 +shoestringeventing.co.uk, 1 +shojo.online, 1 +shokaran.tk, 1 +shokofarehab.ir, 1 +shokola.com, 0 +sholtowu.com, 1 +shongshoy.com, 1 +shontakleinpeter.tk, 1 +shooba.net, 1 +shoobacreations.com, 1 +shoosmiths.com, 1 +shooter.dog, 1 +shootpooloklahoma.com, 1 +shootsame.tk, 1 +shop-cnc.de, 1 +shop-cosmetic.tk, 1 +shop-cosmetics.tk, 1 +shop-de-johnniewalker.com, 1 +shop-eldorado.tk, 1 +shop-hellsheadbangers.com, 1 +shop-lingerie.tk, 1 +shop-ok.tk, 1 +shop-s.net, 1 +shop-slivki.tk, 1 +shop3dmili.com, 1 +shop4d.com, 1 +shop4im.com, 1 +shopacer.co.za, 1 +shopadvies.nl, 1 +shopalike.cz, 1 +shopalike.dk, 1 +shopalike.es, 1 +shopalike.fi, 1 +shopalike.fr, 1 +shopalike.hu, 1 +shopalike.it, 1 +shopalike.nl, 1 +shopalike.pl, 1 +shopalike.se, 1 +shopalike.sk, 1 +shopapi.cz, 1 +shoparbonne.co.uk, 1 +shopatkei.com, 1 +shopazmoon.ir, 1 +shopbabymonitors.gq, 1 +shopbackyardpro.com, 1 +shopbakersnook.com, 1 +shopbysarah.com, 1 +shopcceputnam.com, 1 +shopcom.tk, 1 +shopcosmetic.tk, 1 +shopcoupons.co.id, 1 +shopcoupons.my, 1 +shopcoupons.ph, 1 +shopcoupons.sg, 1 +shopcrocs.in, 0 +shopdiy.com, 1 +shopee6.com, 0 +shopexo.in, 1 +shopfazz.com, 1 +shopfinale.com, 1 +shopforcovers.com, 1 +shopforeverproducts.com, 1 +shopfully.com.au, 1 +shophisway.com, 1 +shophumm.com, 1 +shophumm.com.au, 1 +shopific.co, 1 +shopific.com, 1 +shopify.com, 1 +shopify2006.com, 1 +shopifycloud.com, 1 +shopifyfactory.io, 1 +shopikal.com, 1 +shopingbiz.tk, 1 +shopintra.net, 1 +shopkini.com, 0 +shoplandia.co, 1 +shoplogcap.com, 1 +shoplus.com.tw, 1 +shoplyft.co.za, 1 +shopmalinka.cf, 1 +shopmlr.com, 1 +shopnguyenlieumypham.com, 1 +shopofturkey.com, 1 +shoponlinedeals.tk, 1 +shoposal.com, 1 +shoppbs.org, 1 +shoppe561.com, 1 +shopperexperts.com, 1 +shopperexpertss.com, 1 +shoppersdepuertorico.com, 1 +shoppies.tk, 1 +shopping-cart-migration.com, 1 +shopping-il.org.il, 1 +shoppingabundant.ga, 1 +shoppinganchor.ga, 1 +shoppingandreviews.it, 1 +shoppingappeal.ga, 1 +shoppingarrow.ga, 1 +shoppingavatar.ga, 1 +shoppingbad.ga, 1 +shoppingblaster.ga, 1 +shoppingblender.ga, 1 +shoppingblod.ga, 1 +shoppingboulevard.ga, 1 +shoppingbounce.ga, 1 +shoppingbrite.ga, 1 +shoppingcalculator.ga, 1 +shoppingcamel.ga, 1 +shoppingcanal.ga, 1 +shoppingcarnival.ga, 1 +shoppingcatch.ga, 1 +shoppingcellar.ga, 1 +shoppingcharm.ga, 1 +shoppingcharte.ga, 1 +shoppingcheaper.ga, 1 +shoppingcheapest.ga, 1 +shoppingcircus.ga, 1 +shoppingclearance.ga, 1 +shoppingcollections.ga, 1 +shoppingcollector.ga, 1 +shoppingcompanion.ga, 1 +shoppingconstruct.ga, 1 +shoppingcorporation.ga, 1 +shoppingcrawler.ga, 1 +shoppingcreativity.ga, 1 +shoppingcrunch.ga, 1 +shoppingcrystal.ga, 1 +shoppingcupid.ga, 1 +shoppingdepot.ga, 1 +shoppingdesigning.ga, 1 +shoppingdish.ga, 1 +shoppingdivine.ga, 1 +shoppingdowntown.ga, 1 +shoppingduck.ga, 1 +shoppingeagle.ga, 1 +shoppingeastbay.ga, 1 +shoppingecho.ga, 1 +shoppingecono.ga, 1 +shoppingelectra.ga, 1 +shoppingenvy.ga, 1 +shoppingepic.ga, 1 +shoppingexcel.ga, 1 +shoppingfalcon.ga, 1 +shoppingfeature.ga, 1 +shoppingfiesta.ga, 1 +shoppingfighter.ga, 1 +shoppingfleet.ga, 1 +shoppingformula.ga, 1 +shoppinggecko.ga, 1 +shoppingglamour.ga, 1 +shoppingglory.ga, 1 +shoppinggrab.ga, 1 +shoppingguerilla.ga, 1 +shoppinghands.ga, 1 +shoppinghandsome.ga, 1 +shoppinghotrod.ga, 1 +shoppingimagine.ga, 1 +shoppingintergrity.ga, 1 +shoppingiron.ga, 1 +shoppingisrael.org.il, 1 +shoppingjackpot.ga, 1 +shoppingjoker.ga, 1 +shoppingkayak.ga, 1 +shoppinglast.ga, 1 +shoppinglightning.ga, 1 +shoppinglimited.ga, 1 +shoppinglittle.ga, 1 +shoppingloco.ga, 1 +shoppinglowprice.ga, 1 +shoppingmain.ga, 1 +shoppingmeasure.ga, 1 +shoppingmember.ga, 1 +shoppingmeta.ga, 1 +shoppingmetric.ga, 1 +shoppingmillions.ga, 1 +shoppingminer.ga, 1 +shoppingmystical.ga, 1 +shoppingnatural.ga, 1 +shoppingnature.ga, 1 +shoppingnormal.ga, 1 +shoppingnorthamerican.ga, 1 +shoppingnumber.ga, 1 +shoppingocity.ga, 1 +shoppingoffline.ga, 1 +shoppingomatic.ga, 1 +shoppingonlinecoffee2u.com, 1 +shoppingorama.ga, 1 +shoppingoriginal.ga, 1 +shoppingother.ga, 1 +shoppingouter.ga, 1 +shoppingpassport.ga, 1 +shoppingpeace.ga, 1 +shoppingpeach.ga, 1 +shoppingpearl.ga, 1 +shoppingpermanent.ga, 1 +shoppingpersonal.ga, 1 +shoppingphase.ga, 1 +shoppingpicker.ga, 1 +shoppingpickup.ga, 1 +shoppingplatinum.ga, 1 +shoppingplum.ga, 1 +shoppingpresident.ga, 1 +shoppingprestige.ga, 1 +shoppingpriority.ga, 1 +shoppingpure.ga, 1 +shoppingrail.ga, 1 +shoppingrainforest.ga, 1 +shoppingrally.ga, 1 +shoppingrater.ga, 1 +shoppingrazor.ga, 1 +shoppingreadset.ga, 1 +shoppingremarkable.ga, 1 +shoppingreps.ga, 1 +shoppingrequest.ga, 1 +shoppingrex.ga, 1 +shoppingrhino.ga, 1 +shoppingrings.ga, 1 +shoppingrule.ga, 1 +shoppingseason.ga, 1 +shoppingsedona.ga, 1 +shoppingshoot.ga, 1 +shoppingshuffle.ga, 1 +shoppingsignature.ga, 1 +shoppingsilk.ga, 1 +shoppingsleuth.ga, 1 +shoppingsnapshot.ga, 1 +shoppingsparkle.ga, 1 +shoppingstreaming.ga, 1 +shoppingsugar.ga, 1 +shoppingsunflower.ga, 1 +shoppingsuperhero.ga, 1 +shoppingsustain.ga, 1 +shoppingthoughts.com, 1 +shoppingthunder.ga, 1 +shoppingtopsecret.ga, 1 +shoppingtreasure.ga, 1 +shoppingtreats.ga, 1 +shoppingturbo.ga, 1 +shoppingunique.ga, 1 +shoppingurban.ga, 1 +shoppingvariety.ga, 1 +shoppingwaterfront.ga, 1 +shoppingwinner.ga, 1 +shoppingworth.ga, 1 +shoppingyankee.ga, 1 +shoppre.com, 1 +shoppsb.com, 1 +shoppyad.com, 1 +shoprentone.com, 1 +shopsici.com, 1 +shopsmarter.com, 1 +shopstasy.com, 1 +shoptec.sk, 1 +shopteq.hu, 1 +shopthestates.net, 1 +shoptin.de, 1 +shoptio.cz, 1 +shoptions.net, 1 +shoptupperware.in, 1 +shopunderwear.tk, 1 +shopunilever.com, 1 +shopupnorth.com, 1 +shopvcs.com, 1 +shopwebhue.com, 1 +shore.co.il, 1 +shorebreaksecurity.com, 1 +shorehamdental.ca, 1 +shorehamfort.co.uk, 1 +shorehillgolf.com, 1 +shorenstein.com, 1 +shoresofshawneebend.com, 1 +shorewoodil.gov, 1 +shorewoodmn.gov, 1 +shorewoodwi.gov, 1 +shoreyit.com, 1 +shorifhussain.tk, 1 +shorinkarate.tk, 1 +shork.space, 1 +shornehasim.co.il, 1 +short-games.gq, 1 +short-term-plans.com, 1 +short.io, 1 +shortaudition.com, 1 +shortaudition.net, 1 +shortaudition.tv, 1 +shortbread.systems, 1 +shortbreakstudios.com, 1 +shortcircuit-online.tk, 1 +shortcut-link.ga, 1 +shortcut.com, 1 +shortcut.pw, 1 +shortcutable.com, 1 +shorted.one, 1 +shorten.ninja, 1 +shorteral.gov, 1 +shorti.ga, 1 +shortnews.cf, 1 +shortquotesworld.com, 1 +shortr.li, 1 +shortshadows.band, 1 +shortstackcustoms.com, 1 +shortwave.com, 1 +shortwave.tk, 1 +shoruihokan.com, 1 +shoshin-aikido.de, 1 +shoshin.technology, 1 +shoshonecityid.gov, 1 +shossain.tk, 1 +shost.ga, 1 +shota-sekkotsuin.com, 1 +shota.pictures, 1 +shota.soy, 1 +shotbow.net, 1 +shotoniphone.ga, 1 +shotsleeve.com, 1 +shou.si, 1 +shoudanren.jp, 1 +shoujik8.com, 1 +shoujochronicle.org, 1 +shouldbetaught.com, 1 +shoulderandelbowspecialist.com.au, 1 +shouldiclick.it, 1 +shouldiwater.today, 1 +shouldtest.com, 1 +shouldtest.email, 1 +shouldtest.eu, 1 +shouldtest.net, 1 +shouldtest.org, 1 +shouohkai-dental.com, 1 +shoveltoss.com, 0 +shovonhasan.com, 0 +show2all.nl, 0 +showbetgiris.com, 1 +showbits.net, 0 +showcats.tk, 1 +shower.im, 1 +showerdoorco.com, 1 +showersnet.com, 1 +showf.om, 1 +showfom.sb, 1 +showgirls.ga, 1 +showmax.com, 1 +showme.co.za, 1 +showme.hu, 1 +showmeengland.co.uk, 1 +showmethescore.cf, 1 +showmoviz.com, 1 +showmyip.com, 1 +shown.io, 1 +shownet.tk, 1 +showpassword.net, 0 +showroom.co.uk, 1 +showroom.uk, 1 +showroom113.ru, 1 +showroombarral.com, 1 +showslot.com, 1 +showsonar.com, 1 +shoyuf.top, 1 +shpfy-manager.com, 1 +shpil.by, 1 +shpilevsky.name, 1 +shpiliak.com, 1 +shpiliak.ru, 1 +shpori.tk, 1 +shrapnel.com, 0 +shrapnel.ga, 1 +shraymonks.com, 1 +shred.ch, 0 +shredder.tk, 1 +shredoptics.ch, 0 +shreveportlawater.gov, 1 +shreyansh26.me, 1 +shrglobal.com, 1 +shrimpnews.tk, 1 +shrines.ga, 1 +shrines.tk, 1 +shrinidhiclinic.in, 1 +shrinker.tk, 1 +shrinkhub.com, 1 +shrinkmydoc.com, 1 +shroomery.com, 1 +shroomery.net, 1 +shroomery.org, 1 +shropshireautonomy.co.uk, 1 +shropshirebowls.tk, 1 +shrovetide.tv, 1 +shrsl.com, 1 +shrt.tv, 1 +shrub.ca, 1 +shrug.fyi, 1 +shrug.ml, 0 +shssl.vip, 0 +sht-vr-player.cf, 1 +shtaiman.com, 1 +shtaiman.net, 1 +shtaiman.org, 1 +shtaketnik-metall.ru, 1 +shtaketniki.kz, 1 +shtaketniki.ru, 1 +shteiman.com, 1 +shteiman.net, 1 +shteiman.org, 1 +shtfpreparedness.com, 1 +shtorku.com, 1 +shu-fu.net, 1 +shuang.us, 1 +shubhkumar.in, 0 +shucheng.li, 1 +shufersal-cashback.co.il, 1 +shufflecube.tk, 1 +shufflemix.tk, 1 +shuffleradio.nl, 1 +shuffleware.tk, 1 +shugarmanpsychiatric.com, 1 +shugua.com.tw, 1 +shuhacksoc.co.uk, 1 +shui.ga, 0 +shuizilan.com, 1 +shukatsu-ichiba.com, 1 +shulan.moe, 1 +shuletime.ml, 1 +shulker.store, 1 +shulman.tk, 1 +shulyaka.org.ru, 1 +shuma.ga, 1 +shumnyj-istochnik.tk, 1 +shumov.tk, 1 +shunliandongli.cn, 1 +shunliandongli.com, 1 +shunmei-hari.com, 1 +shunter.tk, 1 +shunzi.tk, 1 +shuo.li, 0 +shuomingshu88.com, 1 +shura.eu.org, 1 +shurita.org, 1 +shuset.dk, 1 +shushuwoa.com, 1 +shuttelportal.nl, 1 +shutter-shower.com, 1 +shutterflybusinesssolutions.com, 1 +shutts.com, 1 +shutupandtakemy.codes, 1 +shutupbabyiknowit.party, 1 +shuvodeep.de, 1 +shux.pro, 1 +shuxiaoyi.cn, 1 +shuzicai.cn, 1 +shvedskie-stenki.ml, 1 +shw-bw.dyndns.org, 1 +shw-nc.dyndns.org, 1 +shw-rz.dyndns.org, 1 +shwemyanmarmalay.com, 1 +shwrm.ch, 1 +shy4evr.com, 1 +shymeck.pw, 1 +shymeck.xyz, 1 +shytok.net, 0 +shyuka.me, 1 +si-benelux.nl, 1 +si.insure, 1 +si.to, 1 +si2b.fr, 1 +sia.one, 1 +sia6.com, 1 +siadiamond.com, 1 +siadlak.com, 1 +siaggiusta.com, 1 +siai.cf, 1 +siai.gq, 1 +siai.ml, 1 +sialis.tk, 1 +sialtv.pk, 1 +siamdevsqua.re, 1 +siamdevsquare.com, 1 +siamega.com, 1 +siaminterhost.com, 1 +siamojo.com, 1 +siamrehab.com, 1 +siamsnus.com, 1 +siamwatercraftpromotion.com, 1 +sianjhon.com, 1 +siatris.qc.ca, 1 +siava.ru, 1 +sib-taxi.ru, 1 +sibanyestillwater.com, 1 +sibauto.club, 1 +sibekohirescaffolding.co.za, 1 +siberas.de, 1 +siberia.gq, 1 +siberiactiva.com, 1 +siberiancatsinformation.com, 1 +siberianhealth.com, 1 +siberianhuskypets.com, 1 +siberiaserver.ga, 1 +siberkulupler.com, 1 +sibernet.tk, 1 +sibfk.org, 1 +sibfl.gov, 1 +sibgold.su, 1 +sibi.nl, 1 +sibintek.ru, 1 +sibirium-red.ga, 1 +sibiuindependent.ro, 1 +sibleycounty.gov, 1 +sibleycountyattorney.gov, 1 +sibleyla.gov, 1 +sibnerpartie.tk, 1 +sibpdfl.gov, 1 +sibpizza.com, 1 +sibrenvasse.nl, 1 +sibs-dance-diamonds.ch, 1 +sibu.one, 1 +siccardisport.it, 1 +sice-si.org, 1 +sich-fight.club, 1 +sich-positionieren.net, 1 +siciliadisinfestazioni.it, 1 +siciliamconsulting.com, 1 +sicilianbalm.com, 1 +siciliapulizie.it, 1 +sicilpiuma.it, 1 +sicistroje-kocarek.cz, 1 +sickbrothers.tk, 1 +sicken.eu, 1 +sickhouse.se, 1 +sickmadworld.tk, 1 +sicomasp.com, 1 +sicoobpaulista.com.br, 1 +sicurezza24.info, 1 +sicurezzalavoro24.com, 1 +sicurled.com, 1 +sicvisuals.com, 1 +sicz.de, 1 +sid-giessen.de, 1 +sid500.com, 1 +sidari.tk, 1 +sidas.com, 1 +sidatbacklink.tk, 1 +siddhamehta.tk, 1 +siddigsami.com, 1 +sidecredit.ga, 1 +sidefx.com, 1 +sideleau.com, 1 +sidema.be, 1 +sidemount-tauchen.com, 1 +sideofburritos.com, 1 +sideofburritos.social, 1 +sidepodcast.com, 1 +sidepodcastdaily.com, 1 +sidepodcastextra.com, 1 +sideral.is, 1 +sideshowbarker.net, 1 +sidewalkcleaningchicago.com, 1 +sidewalkpressurewashingchicago.com, 1 +sidhbalibaba.com, 1 +sidi-smotri.ru, 1 +sidianbank.co.ke, 1 +sidik.web.id, 1 +sidingsmedia.com, 1 +sidiprojects.us, 1 +sidirokastro.ga, 1 +sidium.de, 1 +sidmax.ca, 1 +sidneyhaberland.com, 1 +sidneymi.gov, 1 +sidnicio.us, 1 +sidocsa.com, 1 +sidomulyo.tk, 1 +sidonge.com, 0 +sidorovich.tk, 1 +sidpod.ru, 1 +sidsdock.org, 1 +siduga.com, 1 +sie.at, 1 +siebenhirten7.at, 1 +siebeve.be, 1 +siecledigital.fr, 1 +siecon-it.com, 1 +siega.pl, 1 +siegemund-frankfurt.de, 1 +sieglercars.ch, 1 +siegprod.tk, 1 +sieh.es, 1 +sieiro.tk, 1 +siel.nl, 1 +sielsystems.nl, 1 +siemencaes.tk, 1 +siemens.ch, 1 +siemens.co.in, 1 +siemens.co.uk, 1 +siemens.com, 1 +siemens.com.br, 1 +siemens.com.sg, 1 +siemens.es, 1 +siemens.nl, 1 +siemplify-soar.com, 1 +siemplifyg.net, 1 +sientemendoza.com.ar, 1 +siepietnica.tk, 1 +sieplo.nl, 1 +siepomaga.net, 1 +siepomaga.pl, 1 +sierkbornemann.de, 1 +sierom.net, 1 +sierpinska.eu, 1 +sierramadreca.gov, 1 +sierramusic.tk, 1 +sietejefes.com.ar, 1 +sieulog.com, 1 +sieuthithangmay.com, 1 +sifasharing.tk, 1 +sifecs.ml, 1 +siffron.com, 1 +sifnosguide.dk, 1 +sifreuret.com, 0 +sift-tool.org, 0 +sig-io.nl, 1 +sig6.org, 1 +siga.com, 1 +sigabrt.org, 1 +sigateway.com, 1 +sigb.sh, 1 +sigcafe.net, 1 +sigep.org, 1 +sigfridlinden.se, 1 +siggi.io, 1 +sight-restoration.tk, 1 +sight-sound.com, 1 +sightandsound.co.uk, 1 +sightcure.jp, 1 +sightdx.com, 1 +sightful.be, 1 +sightful.eu, 1 +sightful.nl, 1 +sightmachine.com, 0 +sightseeing.news, 1 +sighup.nz, 1 +sigi.tk, 1 +sigint.pw, 0 +sigio.nl, 1 +sigma-apartments.com, 1 +sigma957.net, 1 +sigmacomputers.ga, 1 +sigmaits.net, 1 +sigmalux.ca, 1 +sigmalux.co.nz, 1 +sigmalux.co.uk, 1 +sigmalux.com.au, 1 +sigmalux.es, 1 +sigmalux.fr, 1 +sigmalux.ltd, 1 +sigmalux.lu, 1 +sigmalux.nz, 1 +sigmalux.sarl, 1 +sigmalux.uk, 1 +sigmaomeganu.tk, 1 +sigmasensors.com.br, 1 +sigmateca.tk, 1 +sigmath.net, 1 +sign.dog, 1 +signaconsultoria.com.br, 1 +signage.red, 1 +signal.org, 0 +signal34.com, 1 +signaldc.com, 1 +signaldp.com, 0 +signalmaps.co.uk, 1 +signalstart.com, 1 +signature.in.th, 1 +signature365.com, 1 +signaturedallas.com, 1 +signatureplants.co.nz, 1 +signatureplasticsurgery.net, 1 +signatureresolution.com, 1 +signaturerx.co.uk, 1 +signcreative.de, 1 +signere.com, 1 +signetfm.com, 1 +signicat.com, 0 +signicat.io, 1 +significado.origem.nom.br, 1 +significadodenombres.net, 1 +significados.com, 1 +significados.com.br, 1 +significantbanter.com, 1 +signing-milter.org, 1 +signing.tools, 1 +signinwithmc.com, 1 +signix.net, 1 +signmore.com, 0 +signmycode.com, 1 +signorbet.it, 1 +signpath.io, 1 +signrequest.com, 1 +signrightsigns.co.uk, 1 +signs4vehicles.co.uk, 1 +signsdance.uk, 1 +signslabelstapesandmore.com, 0 +signtul.com, 0 +signup.ly, 1 +signup.ninja, 1 +signupgenius.com, 1 +signuponline.events, 1 +signwell.com, 1 +sigparser.com, 1 +sigptr.me, 1 +sigsync.com, 1 +sigterm.no, 1 +sigterm.sh, 1 +sigurnost.online, 1 +sigvik.ru, 1 +sihirlielma.com, 1 +siika.solutions, 1 +siikaflix.tv, 1 +siimustilak.edu.ee, 1 +sijbesmaverhuizingen.nl, 1 +sijem.si, 1 +sijimi.cn, 1 +sik-it.nl, 1 +sikaranbrotherhood.tk, 1 +sikawebtools.com, 1 +sikayetvar.com, 0 +sike.org, 1 +sikecikcomel.com, 1 +sikevux.se, 1 +sikkasoft.com, 1 +sikkerwindows.dk, 1 +sikkind.com, 0 +siku-shop.ch, 1 +siku.pro, 1 +sil.box, 1 +sila.qa, 1 +silagra.ml, 1 +silalesa.ml, 1 +silasborowy.de, 1 +silashes.com, 1 +silashes.ru, 1 +silbercloud.com, 1 +silberfluss.com, 1 +silberkiste.com, 1 +silbox.ch, 1 +sildenafilcitrate.cf, 1 +sildenafilcitrate100mg.ga, 1 +silent-clean.de, 1 +silent.quest, 1 +silent.se, 1 +silentartifact.org, 1 +silentdream.tk, 1 +silentgreen.tk, 1 +silentkernel.fr, 1 +silentneko.ga, 1 +silentsite.tk, 1 +silentsky.tk, 1 +silentsystem.com, 1 +silentsystem.it, 1 +silentundo.org, 1 +silesianus.pl, 1 +silex.live, 1 +silica-project.com, 1 +silicateillusion.org, 1 +silicon-north.com, 1 +silicon-vision.com, 1 +siliconheartlandohio.gov, 1 +siliconwafer.ltd, 1 +silina.tk, 1 +siliton.pl, 1 +silk, 1 +silken-madame.tk, 1 +silkky.cloud, 1 +silkon.net, 1 +silkproducts.tk, 1 +silkroad-iraq.com, 1 +sillisalaatti.fi, 1 +sillysnapz.co.uk, 1 +silo.org.br, 1 +siloportem.eu, 1 +siloportem.net, 1 +silqueskineyeserum.com, 1 +silsha.me, 1 +silta.tk, 1 +silv.me, 1 +silv.tk, 1 +silver-fenrir.cn, 1 +silver-heart.co.uk, 1 +silver-johnes.tk, 1 +silvera.com.co, 1 +silverairways.com, 0 +silverback.is, 0 +silverbankltd.com, 1 +silverbowflyshop.com, 1 +silverbox.ga, 1 +silverdroid.gq, 1 +silverfalcon.me, 1 +silvergatebank.com, 1 +silvergatebank.net, 1 +silvergoldbull.at, 1 +silvergoldbull.ba, 1 +silvergoldbull.be, 1 +silvergoldbull.bg, 1 +silvergoldbull.bj, 1 +silvergoldbull.by, 1 +silvergoldbull.ca, 1 +silvergoldbull.cl, 1 +silvergoldbull.cm, 1 +silvergoldbull.cn, 1 +silvergoldbull.co, 1 +silvergoldbull.co.ao, 1 +silvergoldbull.co.il, 1 +silvergoldbull.co.no, 1 +silvergoldbull.co.tz, 1 +silvergoldbull.co.uk, 1 +silvergoldbull.com, 1 +silvergoldbull.com.ar, 1 +silvergoldbull.com.au, 1 +silvergoldbull.com.eg, 1 +silvergoldbull.com.gh, 1 +silvergoldbull.com.mt, 1 +silvergoldbull.cr, 1 +silvergoldbull.cz, 1 +silvergoldbull.de, 1 +silvergoldbull.dj, 1 +silvergoldbull.do, 1 +silvergoldbull.ec, 1 +silvergoldbull.ee, 1 +silvergoldbull.es, 1 +silvergoldbull.fi, 1 +silvergoldbull.gd, 1 +silvergoldbull.ge, 1 +silvergoldbull.gl, 1 +silvergoldbull.gr, 1 +silvergoldbull.gt, 1 +silvergoldbull.hk, 1 +silvergoldbull.hn, 1 +silvergoldbull.hr, 1 +silvergoldbull.hu, 1 +silvergoldbull.id, 1 +silvergoldbull.in, 1 +silvergoldbull.is, 1 +silvergoldbull.it, 1 +silvergoldbull.kg, 1 +silvergoldbull.kr, 1 +silvergoldbull.ky, 1 +silvergoldbull.li, 1 +silvergoldbull.lk, 1 +silvergoldbull.lt, 1 +silvergoldbull.lv, 1 +silvergoldbull.ma, 1 +silvergoldbull.md, 1 +silvergoldbull.mk, 1 +silvergoldbull.ml, 1 +silvergoldbull.mw, 1 +silvergoldbull.my, 1 +silvergoldbull.nz, 1 +silvergoldbull.ph, 1 +silvergoldbull.pl, 1 +silvergoldbull.pt, 1 +silvergoldbull.qa, 1 +silvergoldbull.rs, 1 +silvergoldbull.ru, 1 +silvergoldbull.se, 1 +silvergoldbull.si, 1 +silvergoldbull.sn, 1 +silvergoldbull.sv, 1 +silvergoldbull.tg, 1 +silvergoldbull.tj, 1 +silvergoldbull.tn, 1 +silvergoldbull.tt, 1 +silvergoldbull.tw, 1 +silvergoldbull.uy, 1 +silvergoldbull.uz, 1 +silvergoldbull.ws, 1 +silverkattens.tk, 1 +silverlakeks.gov, 1 +silverlinkz.net, 1 +silvermama.co.za, 1 +silvermatch.ga, 1 +silveronline.ml, 1 +silveronline.tk, 1 +silverscopedesign.com, 1 +silverscreenindia.com, 1 +silversgarage.com, 1 +silversgarage.net, 1 +silversgarage.org, 1 +silvershadow.cc, 1 +silverspringdowntown.com, 1 +silverstyle.ua, 1 +silvertorrents.cf, 1 +silverwaregames.io, 1 +silverwind.io, 1 +silverwolf.cn, 1 +silvestri.consulting, 1 +silviacataldi.com, 1 +silviadominguez.tk, 1 +silviaecintia.tk, 1 +silvianavarro.tk, 1 +silviaroddey.tk, 1 +silvine.xyz, 1 +silviorodriguez.tk, 1 +silvius.at, 1 +silvobeat.blog, 1 +silvobeat.com, 1 +silvu.net, 1 +silvullet.com, 1 +sim-karten.net, 1 +sim-minaoshi.jp, 1 +sim-mobile.ml, 1 +sim4seed.org, 1 +simabonnement.nl, 1 +simac.fr, 1 +simam.de, 1 +simantec.cl, 1 +simaogv.net, 1 +simark.ca, 1 +simart.cf, 1 +simartik.com, 1 +simasoft.com, 1 +simava.org, 1 +simbeton.nl, 1 +simbike.ru, 1 +simbolo.co.uk, 0 +simcity-cafe.tk, 1 +simcityjoy.tk, 1 +simcoecurlingclub.ca, 1 +simcongroup.ir, 1 +simdex.org, 1 +simeonoff.ninja, 1 +simeononsecurity.ch, 1 +simeononsecurity.com, 1 +simetal.ch, 0 +simetri.tk, 1 +simetria.org, 1 +simex.tk, 1 +simfdr.com, 1 +simfree-review.com, 1 +simha.online, 1 +simhaf.cf, 1 +similarcontent.com, 1 +similarfans.com, 1 +simivalley.gov, 1 +simivalleyelectrical.com, 1 +simivalleyexteriorlighting.com, 1 +simivalleylandscapelighting.com, 1 +simivalleylighting.com, 1 +simivalleyoutdoorlighting.com, 1 +simkin.tk, 1 +simkova-reality.cz, 1 +simlog.tk, 1 +simmerle.com, 1 +simocar.fr, 0 +simoesgoulart.com.br, 1 +simon-agozzino.fr, 1 +simon-kosmrl-diplomski.xyz, 1 +simon-mueller.de, 1 +simon-templar.fr, 1 +simon.butcher.name, 1 +simon.gr, 1 +simon.lc, 1 +simon3k.moe, 1 +simonastallone.com, 1 +simonberard.garden, 1 +simonbondo.dk, 1 +simoncommunity.org.uk, 0 +simoncook.org, 1 +simoncotsworth.com, 1 +simone.pl, 1 +simone.sh, 1 +simonetti.nl, 1 +simonevans.uk, 1 +simonewebdesign.it, 1 +simonfischer.info, 1 +simonhirscher.de, 1 +simonita.cz, 1 +simonkjellberg.com, 1 +simonkjellberg.se, 1 +simonmaddox.com, 1 +simonoener.com, 1 +simonreich.de, 1 +simonreynoldsfavesunfaves.cf, 1 +simonschmitt.ch, 1 +simonsmh.cc, 1 +simonspeich.ch, 1 +simonspikensmultiplexcinema.uk, 1 +simonsreich.de, 1 +simonssh.ddns.net, 1 +simonweil.com, 0 +simonwessel.net, 1 +simonwoodside.com, 1 +simonzoellner.de, 1 +simosol.de, 1 +simosol.dk, 1 +simotrescu.ro, 1 +simp.beauty, 1 +simpaticotours.com, 1 +simpatie.tk, 1 +simpbx.net, 1 +simpel.nl, 1 +simpelkoken.be, 1 +simpelkoken.com, 1 +simpelkoken.net, 1 +simpelkoken.nl, 1 +simpelkoken.org, 1 +simpelkredit.dk, 1 +simpeo.org, 1 +simpex.ch, 1 +simphome.com, 1 +simphony.cz, 1 +simple-perfect.tk, 1 +simple-test-to-demonstrate-the-maximum-length-of-a-domain-name.com, 1 +simple-test-to-demonstrate-the-maximum-length-of-a-domain-name.eu, 1 +simple-test-to-demonstrate-the-maximum-length-of-a-domain-name.international, 1 +simple.com, 0 +simpleartifact.com, 1 +simpleavenue.com, 1 +simplecallgirls.com, 1 +simplechoicesuper.com.au, 1 +simpleclassiclife.com, 1 +simpleclothing.ro, 1 +simplecmsdemo.com, 1 +simplecoding.click, 1 +simplecompliance.co.uk, 1 +simplecrypt.io, 1 +simplecryptoconvert.com, 1 +simplefx.com, 1 +simplegoodhealth.com, 1 +simplehome.ml, 1 +simpleinfoblog.com, 1 +simpleinout.com, 1 +simpleit.services, 1 +simpleline.studio, 1 +simplelinux.tk, 1 +simplelist.ga, 1 +simplelogin.co, 1 +simplelogin.io, 1 +simpleman.cf, 1 +simplemining.net, 1 +simplenet.io, 1 +simplenet.ro, 1 +simplepaddle.com, 1 +simplepengu.com, 1 +simplepoll.rocks, 1 +simpleports.eu, 1 +simpleports.net, 1 +simpleports.org, 1 +simpleprivacy.fr, 1 +simpleprojects.net, 1 +simplereport.gov, 1 +simplerezo.com, 1 +simplerses.com, 1 +simples.vet, 1 +simplesellatl.com, 1 +simplesend.io, 1 +simpleshow.com, 1 +simplesite.hu, 1 +simplespy.tk, 1 +simplesummerreading.com, 1 +simpletax.ca, 1 +simpletools.tk, 1 +simpletrace.nz, 1 +simplevote.ca, 1 +simplewebarchitecture.com, 1 +simplewire.de, 1 +simplexgame.net, 1 +simplexwireless.com, 1 +simplia.cz, 1 +simpliby.com, 1 +simplicitypvp.net, 1 +simplifiedlaws.com, 1 +simplifixed.com, 1 +simplifyingcollege.com, 1 +simplifylivelove.com, 1 +simplifyvms.com, 1 +simplix.info, 1 +simplixos.org, 1 +simplr.ai, 1 +simplrflex.com, 1 +simplus.id, 1 +simplusbr.com, 1 +simply-bob.de, 1 +simply-pattinson.tk, 1 +simply-pdf.de, 1 +simply-premium.com, 1 +simply.com, 1 +simply.scot, 1 +simply2020.com, 1 +simplybrave.net, 1 +simplycateringequipment.co.uk, 1 +simplycharlottemason.com, 1 +simplychocolate.com, 1 +simplycloud.de, 1 +simplydonelegal.com, 1 +simplydrivennapasonoma.com, 1 +simplyeducate.me, 1 +simplyfitperth.com.au, 1 +simplyfixit.co.uk, 1 +simplyfranciscan.org, 1 +simplyfuture.net, 1 +simplygood.work, 1 +simplyhelen.de, 1 +simplyjet.tk, 1 +simplymaidsaz.com, 1 +simplymeatsmoking.com, 1 +simplymidget.tk, 1 +simplyml.com, 1 +simplyowners.net, 1 +simplyplans.co.uk, 1 +simplyregister.net, 1 +simplyshamal.online, 1 +simplysmartgardening.com, 1 +simplytiles.com, 1 +simplyuniforms.com.au, 1 +simplyvoting.com, 1 +simpplr.com, 1 +simprosuite.com, 1 +simpsoncountyky.gov, 1 +simpul.nl, 1 +simracingcockpit.com, 1 +simrail.cn, 1 +simrail.nl, 1 +simranmehta.ga, 1 +sims4hub.ga, 1 +simscale.com, 1 +simsek.biz.tr, 1 +simservice.dk, 1 +simsim.in, 1 +simsimi.ml, 1 +simsmotorshop.be, 1 +simsnieuws.nl, 1 +simstarstyle.tk, 1 +simul.host, 1 +simulfund.com, 1 +simulhost.com, 1 +simulise.cloud, 1 +simulise.com, 1 +simulise.help, 1 +simulping.com, 1 +simulus.education, 1 +simulus.technology, 1 +simulus.training, 1 +simumiehet.com, 1 +simus.fr, 1 +simyayayinlari.com, 0 +sin-el-fil.com, 0 +sin-nombre-alleria.de, 1 +sin.swiss, 0 +sin4psi77.tk, 1 +sina-praxis.com.mx, 1 +sina.swiss, 1 +sinakuhestani.ir, 0 +sinalizeweb.com.br, 0 +sinan.mobi, 1 +sinanozpinar.com, 1 +sinanozpinar.nl, 1 +sinapuros.tk, 1 +sinarbaktiperdana.id, 1 +sinatralegal.com, 1 +sinavelvet.com, 1 +sinavyo.ml, 1 +sincelockdown.co.uk, 1 +sincemydivorce.com, 1 +sincityfan.tk, 1 +sinclairinat0r.com, 1 +sincordones.net, 1 +sindacato.it, 1 +sindarina.com, 1 +sindarina.eu, 1 +sindarina.net, 1 +sindarina.org, 1 +sindastra.com, 1 +sindastra.de, 1 +sindastra.net, 1 +sindastra.org, 1 +sinde.ru, 1 +sindicatoburgos.org, 0 +sindirectory.com, 1 +sindlerova.com, 1 +sindlerova.cz, 1 +sindominio.net, 1 +sindromebenjamin.tk, 1 +sineadobrien.com, 1 +sinefili.com, 1 +sinemakurd.tk, 1 +sinergify.com, 1 +sinetron.ga, 1 +sinews.tk, 1 +sinfield.com, 0 +sinfoniettabelcanto.org, 1 +sinfully.gq, 1 +sinfully.tk, 1 +sinfulthrills.co.uk, 1 +singaporebrand.com.sg, 1 +singaporeccc.org.sg, 1 +singaporeconventionweek.sg, 1 +singaporecriminaldefencelawyer.com, 1 +singaporedivorcelawyer.com, 1 +singaporefamilylawyer.com, 1 +singaporefreelegaladvice.com, 1 +singaporetoptentravel.com, 1 +singaporewebdesign.tk, 1 +singapur24.tk, 1 +singasia.net, 1 +singcapital.com.sg, 1 +singee.me, 1 +singel.ch, 1 +singen.eu.org, 1 +singer.ru, 1 +singerpragathi.tk, 1 +singerwang.com, 1 +singeyel.gq, 1 +singingblackbird.tk, 1 +singita.com, 1 +single-in-stuttgart.de, 1 +singleeuropeansky.aero, 1 +singlehandedsailing.tk, 1 +singlenine.gq, 1 +singleproduction.com, 1 +singles-aus-hamburg.de, 1 +singles-berlin.de, 1 +singles-day.org.il, 1 +singlesproject.org, 1 +singleton-factory.de, 1 +singleuse.link, 1 +singlu10.org, 0 +singluten.tk, 1 +singreggaeoke.com, 1 +singulair-generic.tk, 1 +sini.tk, 1 +sinibaldi.me, 1 +sinistragiovanile.tk, 1 +sinkaray.com, 1 +sinkfactory.com, 1 +sinkhole-florida.com, 1 +sinkholerepairsflorida.com, 1 +sinkinglure.net, 1 +sinkip.com, 1 +sinluzvenezuela.tk, 1 +sinmarea.com, 1 +sinn-frei.tk, 1 +sinner-rider.tk, 1 +sinnersprojects.ro, 0 +sinnvoll-online.de, 1 +sinnvoll-online.info, 1 +sinog.si, 1 +sinok.tk, 1 +sinonimos.com.br, 1 +sinonimosonline.com, 1 +sinonimosonline.com.br, 1 +sinopx.cf, 1 +sinoscandinavia.se, 1 +sinosky.org, 1 +sinpermiso.info, 1 +sinquin.eu, 1 +sinronet.com, 0 +sinsalida.tk, 1 +sinsin.io, 1 +sinsitio.tk, 1 +sinsolucion.tk, 1 +sint-apollonia-appels.tk, 1 +sint-barbara.tk, 1 +sint-joris.nl, 1 +sint-sebastianus.tk, 1 +sint-servattumus.tk, 1 +sinta-d.com, 1 +sintas.lt, 1 +sintaxis.org, 1 +sintbaafsabdij.gent, 1 +sintbaafsabdijgent.be, 1 +sinterama.biz, 1 +sinterklaas-spelletjes.nl, 1 +sinterklaasnet.tk, 1 +sinthill.com, 1 +sintomasdocancer.com, 1 +sintpietersabdijgent.be, 1 +sintsationeel.nl, 1 +sinuate.gq, 1 +sinuelovirtual.com.br, 1 +sinusbot.online, 1 +sinusitis-bronchitis.ch, 1 +sinvideovault.com, 1 +siogyumolcs.hu, 1 +sion-colony.tk, 1 +sion.info, 1 +siouxcityjournal.com, 1 +siouxcountyne.gov, 1 +siouxfalls.gov, 1 +sipa.nc, 1 +sipa.pf, 1 +sipadmin.ru, 1 +sipd.go.id, 0 +sipede.tk, 1 +siphalor.de, 1 +sipinterdindikcilegon.id, 1 +sipo.tk, 1 +sippanel-stroy.ru, 1 +siproj.com.br, 1 +sipstix.co.za, 1 +siptls.com, 1 +sipuri.me, 1 +sipyuru.com, 1 +sipyuru.lk, 1 +siq.li, 1 +siqi.wang, 1 +sirakov.tk, 1 +siralyvisegrad.hu, 1 +siranap.com, 1 +sirandorung.tk, 1 +sirassiraadjes.nl, 1 +siraweb.org, 1 +sirbio.ru, 1 +sircon.no, 1 +sirena.ml, 1 +sirenassociates.com, 1 +sirenasweet.net, 1 +sirenasweet.org, 1 +sirencallofficial.com, 1 +sirenequestrianvaulting.co.uk, 1 +sirenequestrianvaulting.com, 1 +sirenslove.com, 1 +sirenvaulting.club, 1 +sirenvaulting.co.uk, 1 +sirenvaulting.com, 1 +sirenvaulting.group, 1 +siretaweb.id, 1 +sirfaustobrasil.com.br, 1 +sirg.fr, 1 +siri.cc, 1 +siria.tk, 1 +siris.nl, 1 +sirius-se.hu, 1 +sirius.su, 1 +siriuspro.pl, 1 +siriuspup.com, 1 +sirkusteemuriihela.com, 1 +sirma.com, 1 +sirnakhaber.tk, 1 +siro.gq, 1 +sirovatka.tk, 1 +sirplus.com.ar, 1 +sirpsycho.tk, 1 +sirram.de, 1 +sirtaptap.com, 1 +sirtuins.com, 1 +sirupybartonik.cz, 1 +sirvio.eu, 1 +sirvoy.ca, 1 +sirvoy.co.nz, 1 +sirvoy.co.uk, 1 +sirvoy.co.za, 1 +sirvoy.com, 1 +sirvoy.com.au, 1 +sirvoy.de, 1 +sirvoy.dk, 1 +sirvoy.es, 1 +sirvoy.fi, 1 +sirvoy.fr, 1 +sirvoy.ie, 1 +sirvoy.jp, 1 +sirvoy.nl, 1 +sirvoy.no, 1 +sirvoy.se, 1 +sirzech.my.id, 1 +sis.net.sa, 1 +sisadmin21.tk, 1 +sisap.com, 0 +siscompbolivia.tk, 1 +siscompt.com, 0 +siscowebcrm.it, 1 +siselectrom.com, 1 +siseministeerium.ee, 0 +sisiengineers.gq, 1 +sisirbatu.tk, 1 +sismit.es, 1 +sisms.pl, 1 +sisqo.tk, 1 +sisqualwfm.com, 1 +sissden.eu, 1 +sisseastumine.ee, 1 +sissyroulette.com, 1 +sisteltestserver.com, 1 +sistem-maklumat.com, 1 +sistem-maklumat.com.my, 1 +sistema-trenirovok.ml, 1 +sistema20k.tk, 1 +sistemair.be, 1 +sistemapronto.ml, 1 +sistemaseinformacao.com.br, 1 +sistemasespecializados.com, 1 +sistemista.it, 1 +sistemy48.ru, 0 +sistonenfranco.tk, 1 +sistrade.com, 1 +sisv.eu, 1 +sisver.mx, 1 +sit-brn.ru, 1 +sit-tech.by, 1 +sit.ec, 1 +sit.moe, 1 +sit.sh, 1 +sitak.fi, 1 +sitanleta.de, 1 +sitatravel.gr, 1 +sitc.sk, 1 +sitco.global, 1 +sitcopharma.com, 1 +site-de-paris-en-ligne.fr, 1 +site-development.tk, 1 +site-dns.com, 1 +site-master.ml, 1 +site-oficial-inicio.com, 1 +site-oflcial.com, 1 +site-remont.ml, 1 +site-romania.tk, 1 +site-ua.tk, 1 +site.com, 1 +site.mu, 1 +site2002.tk, 1 +siteadvokat.cf, 1 +sitebrass.ru, 1 +sitebuilderreport.com, 0 +sitecentre.com.au, 1 +sitechange.dedyn.io, 1 +sitechecker.pro, 1 +sitecreation.tk, 1 +sitecreator.tk, 1 +sitecrew.cf, 1 +sitecuatui.com, 1 +sitedebelezaemoda.com.br, 1 +sitedynamix.co.uk, 1 +siteforce.com, 1 +sitehizi.com, 1 +siteintelstage.com, 1 +sitek.rocks, 1 +sitekatalog.tk, 1 +sitelinks.ga, 1 +sitelinks.ml, 1 +sitemai.eu, 1 +sitemap.solutions, 1 +sitemaxiphilippe.ch, 1 +sitempro.com.mx, 0 +sitemydesk.fr, 1 +sitenv.org, 1 +sitepentruprofesori.com, 1 +siteplug.com, 1 +sitepokupok.ru, 1 +siterank.cf, 1 +siterank.gq, 1 +siterapidowp.com.br, 1 +siterencontre.me, 1 +siteru.tk, 1 +sites.google.com, 1 +sites2poker.fr, 1 +sites2rencontre.fr, 1 +sitesara.com, 1 +sitesdesign.tk, 1 +sitesforward.com, 1 +sitesignal.net, 1 +sitesko.de, 1 +sitestudio.tk, 1 +sitesweb.gq, 1 +sitetalk.tk, 1 +sitetuners.com, 1 +siteviseagency.com, 1 +siteweb-seo.fr, 1 +sitgesfilmfestival.com, 1 +sithijaya.tk, 1 +sithmanifest.com, 1 +sitinjau.com, 1 +sitiosantaangela.com.br, 1 +sitischu.com, 1 +sitisnab.kz, 1 +sitnikov.ga, 1 +sito-online.ch, 1 +sittingwell.co.uk, 1 +sittogether.club, 1 +sittogether.tw, 1 +situm.com, 1 +situsbandarq.cf, 1 +situsbandarq.ga, 1 +situsbandarq.ml, 1 +situsbandarq.tk, 1 +sitypro.com, 1 +sitz.ch, 1 +sitzungsdienst.net, 0 +siulam-wingchun.org, 1 +siusto.com, 1 +sivaexports.in, 1 +sivaru.tk, 1 +sivizius.eu, 1 +sivyerge.com, 1 +siw.nl, 1 +siw64.com, 1 +siwa.cf, 1 +siwek.xyz, 1 +siwiki.rs, 1 +siwyd.com, 1 +six27.com, 1 +sixam.co.jp, 1 +sixara.com, 1 +sixcolors.lu, 1 +sixcorners.info, 1 +sixcorners.net, 1 +sixde.com.au, 1 +sixe.es, 1 +sixforkurd.tk, 1 +sixnines.net, 1 +sixpack.gr, 1 +sixpackband.tk, 1 +sixpackholubice.cz, 1 +sixstrings.tk, 1 +sixtiesgroovemachine.com, 1 +sixtiesgroovemachine.nl, 1 +sixyy.com, 1 +siyako.com, 1 +siyuan.com, 1 +sizeofvoid.org, 1 +sizeunknown.com, 1 +sizeunknown.net, 1 +sizinajans.com, 1 +sj-leisure.com, 1 +sja-se-training.com, 1 +sjaakgilsingfashion.nl, 1 +sjaaktrekhaak.nl, 1 +sjbwoodstock.org, 1 +sjcpa.gov, 1 +sjd.is, 0 +sjeverni.info, 1 +sjfss.com, 1 +sjfss.marketing, 1 +sjid.co.uk, 1 +sjiplanning.com.au, 1 +sjleisure.co.uk, 1 +sjlmd.moe, 1 +sjm-hamburg.de, 0 +sjnp.org, 1 +sjoelen.tk, 1 +sjoelsport.nl, 1 +sjoorm.com, 1 +sjorsvanweert.nl, 1 +sjouke.dedyn.io, 1 +sjparanormal.tk, 1 +sjrcommercialfinance.co.uk, 1 +sjrslms.in, 0 +sjs.org.hk, 1 +sjtravel.guru, 1 +sjwheel.net, 1 +sk-ii.com, 1 +sk.tl, 1 +sk4y.net, 1 +sk8israel.com, 1 +skaala.com, 1 +skaapkraalonline.co.za, 1 +skachat-filmi.info, 1 +skachat-programmylini.ga, 1 +skachat-shablon-rezyume-na-angliyskom-yazyk.tk, 1 +skachat-zip.tk, 1 +skachay-knighki.gq, 1 +skachay-photo.gq, 1 +skagen-feriebolig.dk, 1 +skaginn.tv, 1 +skaiman.ga, 1 +skaitliukas.tk, 1 +skalec.org, 1 +skalis-portage.com, 1 +skalniak.pl, 1 +skamper.tk, 1 +skankofamerica.com, 1 +skanray.com, 1 +skarke.se, 1 +skarla.com, 1 +skarox.com, 1 +skarox.ee, 1 +skarox.eu, 1 +skarox.net, 1 +skarox.ru, 1 +skat.dk, 1 +skatefilms.tv, 1 +skateparkmontbriz.tk, 1 +skaterangels.tk, 1 +skaterepublic.tk, 1 +skatesins.ch, 1 +skatesliide.tk, 1 +skateswagger.com, 1 +skatingchina.com, 1 +skatrey.com, 1 +skatteankestyrelsen.dk, 1 +skattebo.no, 1 +skatteforvaltningen.dk, 1 +skazama.com, 1 +skazka.ml, 1 +skazka.ru, 1 +skazochnyj-sait.tk, 1 +skbexteriorcleaningsolutions.com, 1 +skbilisim.tk, 1 +skblab.ru, 1 +skcwood.com, 1 +skday.com, 1 +skedda.com, 1 +skeditor.tk, 1 +skeeley.com, 1 +skeetads.com, 1 +skegnesstec.ac.uk, 1 +skei.org, 1 +skepneklaw.com, 1 +skepp.com, 1 +skepticalsports.com, 1 +skeptics.org, 1 +skeptik.tk, 1 +sketch.io, 1 +sketch.jpn.com, 1 +sketchbox.tk, 1 +sketchmonk.tk, 1 +sketchnote.co, 1 +sketchy.tk, 1 +skew.ch, 1 +skezi.eu, 1 +skgzberichtenbox.nl, 1 +skhaz.io, 1 +skhidnitsa.com.ua, 1 +skhiratemara.ma, 1 +skhire.co.uk, 1 +skhoop.cz, 1 +skhosting.eu, 1 +skhron.com.ua, 1 +ski-outdoor-shop.de, 1 +ski-planet.com, 1 +skibbereencomhaltas.tk, 1 +skibikers.tk, 1 +skid.church, 1 +skiddle.com, 1 +skidka.by, 1 +skidki-ru.cf, 1 +skidkimira.ru, 1 +skidzun.de, 1 +skifairview.com, 1 +skiff.city, 1 +skiff.com, 1 +skiff.town, 1 +skiforlight.ca, 1 +skiftet.org, 1 +skifttiljutlanderbank.dk, 1 +skigebied.nl, 1 +skiingnewsletter.cf, 1 +skiingnewsletter.ga, 1 +skiingproperty.com, 1 +skiinstructor.services, 1 +skikkogbank.no, 1 +skile.ru, 0 +skiley.net, 1 +skilift-quellenwiese.at, 0 +skill-x.ru, 1 +skill.moe, 1 +skill.tk, 1 +skillab.ro, 1 +skillablers.com, 1 +skilldnsproc.com, 1 +skillearning.de, 1 +skillmoe.at, 1 +skillonnet.com, 1 +skillrocket.in, 1 +skills2serve.org, 1 +skillsboffin.com, 1 +skillsenhancementtexas.gov, 1 +skillsenhancementtx.gov, 1 +skillsforall.com, 1 +skillshare.com, 1 +skillsoftcompliance.com, 1 +skilltran.com, 1 +skillup.co, 1 +skillwaze.com, 1 +skiman.tk, 1 +skimbo.tk, 1 +skin-cosmetic.eu, 1 +skin.club, 1 +skinbet.co, 1 +skinboost.ga, 1 +skinboost.ml, 1 +skincare-note.com, 1 +skincareagent.cf, 1 +skincarequeentv.com, 1 +skindb.net, 1 +skinetic.eu, 1 +skinews.tk, 1 +skinexpert.ml, 1 +skinfoodpeachcotton.tk, 1 +sking.io, 1 +skinlords.com, 1 +skinmarket.co, 1 +skinmedshop.ro, 1 +skinmodo.com, 1 +skinnation.tk, 1 +skinnybitch99.net, 1 +skinport.com, 1 +skinpwrd.com, 1 +skinrejuvenate.com.au, 1 +skinrender.ga, 1 +skinseries.cf, 1 +skinsolution.ga, 1 +skinsolutionclinic.com, 1 +skinstyleglobal.com, 1 +skinsuperstore.tk, 1 +skintdad.co.uk, 1 +skintillation.com, 1 +skio.com, 1 +skioakenfull.com, 1 +skip.re, 1 +skipfault.com, 1 +skipperinnovations.com, 0 +skippy.dog, 0 +skipr.co, 1 +skipr.ninja, 1 +skiptadiabetes.com, 1 +skipton.io, 1 +skiptontownhall.co.uk, 1 +skirent-masocorto.com, 1 +skirted.cf, 1 +skirts.tk, 1 +skirtskenya.tk, 1 +skirwin.com, 1 +skischule-sinzheim.de, 1 +skischule-wildewiese.de, 1 +skisportdain.it, 1 +skitecsh.com, 1 +skitop.it, 1 +skitourmag.com, 1 +skitznet.tk, 1 +skizzen-zeichnungen.de, 1 +skj6.ga, 1 +skjt.co.jp, 1 +skk.moe, 1 +skky.net, 1 +skladchinamk.ru, 1 +skladmebliv.ua, 0 +skladnicaksiegarska.pl, 1 +sklepbhp.online, 1 +sklepsnowboardowy.pl, 1 +sklepvoip.tel, 1 +sklepwielobranzowymd.com, 1 +sklisen.tk, 1 +sklotechnik.cz, 1 +skm.dk, 1 +skmedia.ga, 1 +skmp.cc, 1 +skmsport.com, 1 +sknasirali.com, 1 +sknclinics.co.uk, 1 +skoander.com, 1 +skoda-im-dialog.de, 1 +skodapower.tk, 1 +skodapreowned.in, 1 +skoi2023.com, 1 +skoilly.cc, 1 +skoiy.com, 1 +skokie.gov, 1 +skolagatt.is, 1 +skolakrizik.cz, 1 +skolappar.nu, 1 +skolebil.dk, 1 +skolem.de, 1 +skolni-system.eu, 1 +skolnieks.lv, 1 +skolnilogin.cz, 1 +skolniweby.cz, 1 +skolplattformen.org, 1 +skolskyportalporuba.cz, 1 +skooli.com, 1 +skorbord.tk, 1 +skorepova.info, 1 +skoroff.com, 1 +skoropolnolunie.gq, 1 +skorovsud.ru, 1 +skorpil.cz, 1 +skorstensfolket.se, 1 +skory.us, 1 +skorzew.ski, 1 +skoskav.org, 1 +skotobaza.tk, 1 +skotstvo.tk, 1 +skovbosburgerblog.dk, 1 +skovik.com, 1 +skpark.cf, 1 +skpk.de, 1 +skpracta.info, 1 +skpracta.tk, 1 +skprhome.i234.me, 1 +skram.de, 1 +skrepnek-sidebar.tk, 1 +skreutz.com, 1 +skrid.net, 1 +skrillex.tv, 1 +skrin.ru, 1 +skripta.tk, 1 +skriptorium.de, 1 +skrivargarden-nes.cf, 1 +skrivebeskyttet.dk, 1 +skrivebordet.tk, 1 +skrprojects.com.au, 1 +skrsv.net, 1 +skrundz.ca, 1 +skrundz.com, 1 +skrundz.id, 1 +skrydata.ga, 1 +sksdrivingschool.com.au, 1 +sksh.io, 1 +sktan.com, 1 +sktsolution.com, 0 +sktst.dk, 1 +skuizy.ddns.net, 1 +skulblaka.ch, 1 +skuldwyrm.no, 1 +skullcrusher.tk, 1 +skullowner.nl, 1 +skunkapeservers.net, 1 +skupka-zolota-dorogo.ru, 1 +skutry-levne.cz, 1 +skutry.cz, 1 +skux.ch, 1 +skvele-cesko.cz, 1 +skvelecesko.cz, 1 +skvot.de, 1 +skwile-cafe.com, 1 +skwitko.com, 1 +skwlkrs.com, 1 +skxpl.eu.org, 1 +sky-aroma.com, 1 +sky-cargo.at, 1 +sky-coach.com, 1 +sky-coach.nl, 1 +sky-dogs.com, 1 +sky-driver.ch, 1 +sky-live.fr, 1 +sky-motion.de, 1 +sky-music.tk, 1 +sky-of-use.net, 1 +sky-os.ru, 1 +sky-torch.com, 0 +sky-wap.cf, 1 +skyarch.net, 1 +skybirch.com, 1 +skybirds.org, 1 +skyblockmc.eu, 1 +skyblockmc.no, 1 +skyblond.info, 1 +skybloom.com, 1 +skyblue4.com, 1 +skyborne.tk, 1 +skybound.link, 0 +skybrary.aero, 1 +skybrary.eu, 1 +skybrary.info, 1 +skybridge.net, 1 +skycapture.ca, 1 +skychan.org, 1 +skyclinic.ua, 1 +skycmd.net, 1 +skyder.com.mx, 0 +skyder.mx, 0 +skyderby.ru, 1 +skydiveaddiction.com, 1 +skydivegeronimo.com.au, 1 +skydiverecuador.com, 1 +skydivingexperiences.co.uk, 1 +skydoc.uz, 1 +skydragoness.com, 1 +skydrive.live.com, 0 +skydronesolutions.com, 1 +skye.vg, 1 +skyeeverest.tk, 1 +skyem.co.uk, 0 +skyeng.ru, 1 +skyevg.systems, 1 +skyexpressinternational.com, 1 +skyfall.network, 1 +skyfibertech.com, 1 +skyfpicture.tk, 1 +skygame.tk, 1 +skygates.tk, 1 +skyguru.tk, 1 +skyhigh-mizell.tk, 1 +skyhook.earth, 1 +skyhooks.tk, 1 +skyhyve.com.au, 1 +skyhyve.xyz, 1 +skyint.io, 1 +skyla.tk, 1 +skylair.info, 1 +skylandanalytics.net, 1 +skylander.cf, 1 +skylar.ai, 0 +skylarker.org, 1 +skylash.be, 1 +skylgenet.nl, 1 +skylightcreative.com.au, 1 +skylightipv.com, 1 +skylimitmedia.com, 1 +skyline.link, 1 +skyline.tw, 1 +skylineexplorer.com, 1 +skylinehk.org, 1 +skylinehouse.ca, 1 +skylinertech.com, 1 +skylineservers.com, 1 +skylocker.net, 1 +skyltmax.se, 1 +skym-mc.fr, 1 +skymail.de, 1 +skymass.xyz, 1 +skyminds.net, 1 +skymkmk.com, 1 +skymonk.tk, 1 +skynet-research.us, 0 +skynet233.ch, 0 +skynet800.goip.de, 1 +skynetcloud.org, 1 +skynetcloud.site, 1 +skynetnetwork.eu.org, 1 +skynetstores.ae, 1 +skynetz.tk, 1 +skyoceanblue.com, 1 +skyone.host, 1 +skyoy.com, 0 +skypanic.com, 1 +skypark.tk, 1 +skypc.com.ar, 1 +skypce.net, 1 +skype, 1 +skype.com, 0 +skypech.com, 1 +skypefr.com, 1 +skypicker.com, 1 +skyportcloud.com, 1 +skyqueen.cc, 1 +skyquid.co.uk, 1 +skyra.pw, 1 +skyrider.me, 1 +skyrosconsulting.com, 1 +skys-entertainment.com, 1 +skyscanner.ca, 1 +skyscanner.co.in, 1 +skyscanner.com, 1 +skyscanner.com.au, 1 +skyscanner.com.hk, 1 +skyscanner.de, 1 +skyscanner.es, 1 +skyscanner.fr, 1 +skyscanner.gg, 1 +skyscanner.net, 1 +skyscanner.pt, 1 +skyscanner.ru, 1 +skyscnr.com, 1 +skyseo.cf, 1 +skysoftbg.com, 1 +skysplash.gq, 1 +skysprouts.co.uk, 1 +skysuite.nl, 1 +skytamil.net, 1 +skytechosting.com, 1 +skytel.ge, 1 +skyterraathome.com, 1 +skyterraembrace.com, 1 +skyterrawellness.com, 1 +skytickets.ga, 1 +skytiger.ga, 1 +skytown.ga, 1 +skytterlogg.no, 1 +skytterloggen.no, 1 +skyvr.mx, 1 +skywalkersa.ga, 1 +skywatch.com, 1 +skywindowsnj.com, 1 +skyworldserver.ddns.net, 1 +skywt.cn, 0 +skyynet.de, 1 +skyzimba.com.br, 1 +sl-alarm.ru, 1 +sl-bildermacher.de, 1 +sl-informatique.ovh, 1 +sl.al, 1 +sl0.us, 1 +sl41.com.br, 1 +sla.pl, 1 +slaam.tk, 1 +slab.com, 1 +slabserver.com, 1 +slabstage.com, 1 +slack-files.com, 1 +slackline.tk, 1 +sladkiiflirt.ru, 1 +slaek.de, 1 +slagerijdekoekelaere.be, 1 +slagerijrooken.be, 1 +slagerijvanguilik.nl, 1 +slaght.de, 0 +slainvet.net, 1 +slajeslag.nl, 1 +slalix.pw, 1 +slalix.xyz, 1 +slamdunkdedication.tk, 1 +slamhope.gq, 1 +slamix.nl, 1 +slamtradingcards.com.au, 1 +slan.fr, 1 +slangbella.com, 1 +slaninka.eu, 1 +slanterns.net, 1 +slapen17.nl, 1 +slaps.be, 1 +slash64.co.uk, 1 +slash64.uk, 1 +slashbits.no, 1 +slashcam.de, 1 +slashcrypto.org, 1 +slashdigit.com, 1 +slashnroses.com, 1 +slashnroses.nl, 1 +slashorg.net, 1 +slass.fr, 1 +slate.to, 1 +slatechart.com, 1 +slated.ie, 0 +slatemc.com, 1 +slatemc.fun, 1 +slateteams.com, 1 +slathering.cf, 1 +slatteryassetadvisory.com.au, 1 +slaughter.com, 1 +slaughterhouse.fr, 1 +slava.ml, 1 +slavasoloviev.com, 1 +slavasveta.info, 1 +slaveykov.bg, 1 +slavic401k.com, 1 +slavira.ru, 1 +slavomircapik.com, 1 +slaws.io, 1 +slayer.tech, 1 +slayersonline.net, 1 +slayingqueen.com, 1 +slaytec.com, 1 +slb.ru, 1 +slbbiromaru.sch.id, 1 +slbetx.com, 1 +slbknives.com, 1 +slbm.com.au, 1 +slboatstorage.com, 1 +slcdn.net, 1 +sld08.com, 1 +sldev.ovh, 1 +sldlcdn.com, 1 +sldonline.org, 1 +sledgehammerti.me, 1 +sledgeroofing.com, 1 +sledwyoming.com, 1 +sleekfellow.com, 1 +sleekflow.io, 1 +sleep-go.info, 1 +sleep-tight.cf, 1 +sleepawaycampseries.tk, 1 +sleepcouncil.org.uk, 1 +sleepet.tw, 1 +sleepig.com, 1 +sleepily.tk, 1 +sleepingmattressreview.com, 1 +sleepmap.de, 1 +sleepo.ga, 1 +sleeps.jp, 0 +sleepsaround.ga, 1 +sleepshop.be, 1 +sleepstar.co.uk, 1 +sleepstar.fr, 1 +sleepys.net, 1 +sleetandsole.es, 1 +sleetandsole.eu, 1 +sleeuwijkskerkje.nl, 1 +sleio.com, 1 +sleismann.de, 1 +sleismann.eu, 1 +sleismann.org, 1 +slemen.tk, 1 +slepsluzbabeograd.org, 1 +sletaem.ml, 1 +sletat.ru, 1 +slev.tk, 1 +slevermann.de, 0 +slevomat.cz, 1 +slew.gq, 1 +slezenko.tk, 1 +sli.do, 1 +slicedpies.com, 1 +sliceone.com, 1 +slicklines.co.uk, 1 +slidebatch.com, 1 +slidefiftyfamily.tk, 1 +slidemembers.com, 1 +slideproducts.com, 1 +slides.zone, 1 +slideshare.net, 1 +slido.com, 1 +slidstvo.info, 1 +slightshop.com, 1 +slik.ai, 1 +slim-health.com, 1 +slim-slender.com, 1 +slim.ua, 1 +slime5.com.tw, 1 +slimeg.clinic, 1 +slimetutorial.com, 1 +slimgrafix.cz, 1 +slimmarkets.com, 1 +slimmingjabs.com, 1 +slimopweg.be, 1 +slimspots.com, 1 +slimster.nl, 1 +slimtelecom.nl, 1 +slimwindows.cf, 1 +slimwindows.ga, 1 +slimwindows.gq, 1 +slingo-sta.com, 1 +slingoweb.com, 1 +slink.hr, 1 +slinkwa.re, 1 +slinx.tk, 1 +slip-gaming.tk, 1 +slipandfalllawyerhelp.com, 1 +sliphua.work, 1 +slipknot-site.tk, 1 +slipnslide.xxx, 1 +slippening.com, 1 +sliptrickrecords.com, 1 +sliszlaw.com, 1 +slite.com, 1 +sliteapp.com, 1 +slivkadesigns.tk, 1 +slix.io, 1 +slizgawka.eu, 1 +sllatina.tk, 1 +slm-sla.tk, 1 +slma.tk, 1 +sln.cloud, 1 +slo-net.net, 1 +slo-tech.com, 1 +slo.nl, 1 +sloancom.com, 1 +sloanrealtygroup.com, 1 +sloboda.tk, 1 +slobrowink.com, 1 +slobsbeer.com, 1 +slocounty.gov, 1 +slodkiflirt.pl, 1 +sloeproeienalmere.nl, 0 +sloepverhuur-roggebroek.nl, 1 +slogan.tk, 1 +slogancreator.com.au, 1 +slogix.in, 1 +sloneczni.pl, 1 +slonep.net, 1 +slonko.net, 1 +sloopautonoordholland.com, 1 +slootskyartisticdentistry.com, 1 +slopecountynd.gov, 1 +slopeedge.com, 1 +slopeedge.net, 1 +slopeoak.com, 1 +slotarazzi.com, 1 +slotbonus24.com, 1 +slotboss.co.uk, 1 +slotcatalog.com, 1 +sloterplas-beveiliging.nl, 1 +sloterplas-bouw.nl, 1 +sloterplas-management.nl, 1 +slotfara.net, 1 +slotgames.pro, 1 +slotgratisonline.net, 1 +slothless.com, 1 +sloths.org, 1 +sloticagames.com, 1 +slotjava.com.br, 1 +slotjava.es, 1 +slotjava.it, 1 +slotlist.info, 1 +slotmachinesgratisonline.com, 1 +slotmad.com, 1 +slotsinspector.com, 1 +slotsmegacasino.com, 0 +slotsup.com, 1 +slouching.ga, 1 +sloudways.com, 1 +slovakiana.sk, 1 +slovenia-trip.tk, 1 +slovenskekasina.sk, 1 +slovenskycestovatel.sk, 1 +slow.social, 1 +slow.zone, 0 +slowapi.com, 1 +slowcookingperfected.com, 1 +slowfoodandhandforgedtools.com.au, 1 +slowgames.xyz, 1 +slowinski.tk, 1 +slowsocial.email, 1 +slowsocial.eu, 1 +slowsocial.net, 1 +slowsocial.org, 1 +slowsociety.org, 0 +slpidny.gov, 1 +slpm.com, 1 +slpower.com, 1 +slrd-isperih.com, 1 +slrie.de, 1 +slt.ee, 1 +slt24.de, 1 +sltda.gov.lk, 1 +sluciaconstruccion.com, 1 +sluderno.org, 1 +sludge.tk, 1 +slugify.online, 1 +sluhockey.com, 1 +sluimann.de, 1 +sluitkampzeist.nl, 0 +sluitsnel.nl, 1 +slunecnice.cz, 1 +slunyavchik.tk, 1 +sluo.org, 1 +slushat-tekst-pesni.ru, 1 +slushe.com, 1 +slushpool.com, 1 +slutty-girls.cf, 1 +slxh.eu, 1 +slxh.nl, 1 +slyarts.com, 1 +slycegateway.com, 1 +slycepay.com, 1 +slycereporting.com, 1 +slymak.com, 1 +slytigers.tk, 1 +slyvon.com, 1 +slzr.cloud, 1 +sm-kyoushitsu.com, 1 +sm-supplements.gr, 1 +sm.ms, 1 +sm161.cn, 1 +sm2016.ch, 1 +sm2ct.cn, 1 +sma-dev.de, 1 +sma-gift.com, 1 +smackhappy.com, 0 +smadav.ml, 1 +smaksbanken.no, 1 +smalandscountryclub.tk, 1 +small-blog.cf, 1 +small-king.ml, 1 +smallbusinesscharter.org, 1 +smallbytedesign.co, 1 +smallchanges.tv, 1 +smallchat.nl, 1 +smallcraftadvisory.tk, 1 +smallcubed.com, 1 +smalldata.tech, 1 +smalldeveloper.ml, 1 +smalle-voet.de, 1 +smallfarmersjournal.com, 1 +smallfoot.tk, 1 +smallplanet.com, 0 +smalls-world.tk, 1 +smallsiri.gq, 1 +smallsites.eu, 1 +smalltalkconsulting.com, 1 +smalltunepress.tk, 1 +smallville.tk, 1 +smallville25.tk, 1 +smallwhitebear.ga, 1 +smaltimento-rifiuti.com, 1 +smaltimento-rifiuti.org, 1 +smaltimento.caserta.it, 1 +smaltimento.milano.it, 1 +smaltimento.napoli.it, 1 +smaltimento.roma.it, 1 +smaltimento.salerno.it, 1 +smaltimentoamianto.campania.it, 1 +smaltimentoamianto.frosinone.it, 1 +smaltimentoamianto.latina.it, 1 +smaltimentocalcinacci.roma.it, 1 +smaltimentorifiuti.firenze.it, 1 +smaltimentorifiuti.livorno.it, 1 +smaltimentorifiuti.milano.it, 1 +smaltimentorifiuti.napoli.it, 1 +smaltimentorifiuti.prato.it, 1 +smaltimentorifiuti.roma.it, 1 +smaltimentorifiuti.veneto.it, 1 +smanson.duckdns.org, 1 +smaragderna.cf, 1 +smaragderna.ga, 1 +smaragderna.tk, 1 +smares.de, 1 +smaridibor.tk, 1 +smarinintgal.tk, 1 +smarpshare.com, 1 +smarriti.it, 1 +smart-bezpeka.com, 1 +smart-broker.ru, 1 +smart-cp.jp, 1 +smart-fixed.ru, 1 +smart-house.bg, 1 +smart-hub.io, 1 +smart-informatics.com, 1 +smart-klimat.ru, 1 +smart-lab.ch, 1 +smart-mirror.de, 1 +smart-mrt.co.il, 1 +smart-pharma.group, 1 +smart-profile.ro, 1 +smart-travel.tk, 1 +smart-tux.de, 1 +smart-wind.ru, 1 +smart-wohnen.net, 1 +smart-zona.tk, 1 +smartacademy.ge, 1 +smartacademy.pro, 1 +smartagilesolution.com, 1 +smartandcom.ch, 1 +smartapplianceservices.com, 1 +smartar.com, 1 +smartart.gr, 1 +smartart.tk, 1 +smartass.space, 1 +smartass0027.com, 1 +smartassembly.tk, 1 +smartasset.com, 1 +smartbase.de, 1 +smartbear.com, 1 +smartbitcoininvestments.com, 1 +smartbiz.vn, 1 +smartblock.cloud, 1 +smartbuytrends.com, 1 +smartcar.com, 0 +smartcard.tools, 1 +smartcents.gold, 1 +smartcheck.gov, 1 +smartchezvous.com, 1 +smartchoices.ie, 1 +smartclothing.pl, 1 +smartcloudconnect.io, 1 +smartcluster.ga, 1 +smartcommunications.com, 1 +smartcover.tk, 1 +smartcpa.ca, 1 +smartdb.jp, 1 +smartdigital.ga, 1 +smarteco.tk, 1 +smartedukasi.co.id, 1 +smarterskies.gov, 1 +smartersoft-integra.com, 1 +smartersoft.io, 1 +smartertowing.com, 1 +smartest-trading.com, 1 +smartestate.com, 1 +smartevals.com, 1 +smartfaktor.pl, 1 +smartfit.cz, 1 +smartfixmarburg.de, 1 +smartfons.tk, 1 +smartfooding.com, 1 +smartftp.com, 1 +smartgirledits.com, 1 +smartgirls.tk, 1 +smartglassworld.net, 1 +smartgrepp.se, 1 +smartgrid.gov, 1 +smartgridsecurity.com, 1 +smartgridsecurity.org, 1 +smartguardzone.kr, 1 +smarthdd.com, 1 +smarthealthinnovationlab.com, 1 +smarthome365.nl, 1 +smarthomegain.com, 1 +smarthrms.com, 1 +smartick.com.do, 1 +smartit.gr, 1 +smartius.it, 1 +smartjoin.style, 1 +smartland.com, 1 +smartlandapartments.com, 1 +smartlandconstruction.com, 1 +smartlandturnkey.com, 1 +smartleads.tk, 1 +smartleaklocator.com, 1 +smartliferd.ml, 1 +smartlinecomputers.nl, 1 +smartlink.sk, 1 +smartlist.ga, 0 +smartloanhacks.com, 1 +smartlocksmith.com, 1 +smartlogiq.com, 1 +smartlogreturns.com, 0 +smartlogstock.com, 0 +smartlogtower.com, 1 +smartlooks.es, 1 +smartmachine.com, 1 +smartmail24.de, 1 +smartme.pl, 1 +smartmeal.ru, 1 +smartmessages.eu, 1 +smartmessages.net, 1 +smartmeterfraud.tk, 1 +smartminibushire.co.uk, 0 +smartmomsmartideas.com, 1 +smartnanny.cf, 1 +smartnews-smri.com, 1 +smartnoob.de, 1 +smartoctopus.art, 1 +smartografia.pl, 1 +smartoneclub.com, 1 +smartours.com, 1 +smartpanelsmm.com, 1 +smartpatika.hu, 1 +smartpheromones.com, 1 +smartphone-pliable.wtf, 1 +smartphone.nl, 1 +smartphonecases.tk, 1 +smartphonechecker.co.uk, 1 +smartphonefixen.be, 1 +smartphonepliable.co, 1 +smartphonesolution.tk, 1 +smartplus.ae, 1 +smartpolicingplatform.com, 1 +smartpos.net.br, 1 +smartproductguide.com, 1 +smartpti.net, 1 +smartrak.co.nz, 1 +smartrak.com, 1 +smartrecruiters.com, 1 +smartrentacar.ro, 1 +smartresumeservices.com, 1 +smartriotour.com.br, 0 +smartrise.us, 1 +smartroofingandsheetmetal.com, 1 +smartseatravel.com, 1 +smartservices.nl, 0 +smartshiftme.com, 1 +smartshop.gr, 1 +smartshoppers.es, 1 +smartshousekeeper.pt, 1 +smartsitio.com, 1 +smartspace.ml, 1 +smartspace.tk, 1 +smartsparrow.com, 0 +smartsprouts.com, 1 +smartsteelus.com, 1 +smartstep.pt, 1 +smartsupply.global, 1 +smartthursday.hu, 1 +smartvalor.com, 1 +smartwank.com, 1 +smartweb.ge, 1 +smartwebportal.co.uk, 1 +smartwoodczech.cz, 1 +smartwritingservice.com, 1 +smartwurk.nl, 0 +smarty.cz, 1 +smartzonegsm.ro, 1 +smartzonemikulov.cz, 1 +smash-gg.club, 1 +smashbros-chile.tk, 1 +smashbylaney.com, 1 +smashcooper.tk, 1 +smashingconf.com, 1 +smashingmagazine.com, 1 +smashnl.tk, 1 +smashno.ru, 1 +smavesto.de, 1 +smb-analytics.pw, 1 +smb-bsa.ca, 1 +smb.wiki, 1 +smb445.com, 1 +smbabyshop.gr, 1 +smbc.co.id, 1 +smbc.direct, 1 +smbi-gelblasterhq.com.au, 1 +smc.consulting, 1 +smcacre.gov, 1 +smcconsulting.be, 1 +smcconsulting.eu, 1 +smchfujuae.com, 1 +smcj.xyz, 1 +smcpneumatics.com, 1 +smcquistin.uk, 1 +smcvote.gov, 1 +smd-tlt.ru, 1 +smdc.com, 1 +smdcn.net, 1 +smdmetals.com, 1 +sme-gmbh.com, 1 +sme-gmbh.net, 1 +sme.sk, 1 +smedata.sk, 1 +smedix.com, 1 +smeetsengraas.com, 1 +smekonferencie.sk, 1 +smelly.cloud, 1 +smereka.ua, 1 +smeso.it, 1 +smeta.ml, 1 +smetak.cz, 1 +smetana.pro, 1 +smetbuildingproducts.com, 1 +smeuj.nl, 1 +smeweb.com, 1 +smexpt.com, 1 +smeys.be, 1 +smgl.cm, 1 +smh.me, 1 +smhatelier.com, 1 +smi-a.me, 1 +smialnumenor.tk, 1 +smiatek.name, 1 +smicenter.tk, 1 +smicompact.com, 1 +smictecniservi.com, 1 +smiilliin.com, 1 +smiilliin.site, 1 +smikom.ru, 1 +smile-train.org, 1 +smileback.co.uk, 1 +smilecliniq.com, 1 +smilecon.cf, 1 +smiledirectsales.com, 1 +smiledoctors.com, 1 +smileeye.com.tw, 1 +smilegenerator.tk, 1 +smilenwa.com, 1 +smileofindia.co.in, 1 +smilephi.com, 1 +smilessoftplay.co.uk, 1 +smiletrain.ph, 1 +smiletrainbrasil.com, 1 +smiletraincanada.org, 1 +smiletraindubai.org, 1 +smiletrainindia.org, 1 +smiletrainindonesia.org, 1 +smiletrainla.org, 1 +smileykylie.com, 1 +smileys-emojis.com, 1 +smileytechguy.com, 1 +smilingmiao.com, 1 +smime.io, 1 +smimea.info, 1 +smipty.cn, 1 +smipty.com, 1 +smiraus.cz, 1 +smishnik.tk, 1 +smit.com.ua, 1 +smith-solutions.com, 1 +smith-tech.ga, 1 +smith.bz, 1 +smithandellis.com, 1 +smithandnephewpensions.co.uk, 1 +smithandnoble.com, 1 +smithbell.com.ph, 0 +smithchung.eu, 1 +smithcountyelectiontn.gov, 1 +smithcountyms.gov, 1 +smithcountytxtaxrates.gov, 1 +smithf.red, 1 +smithikakart.in, 1 +smithmont.com, 1 +smithsanchez.com, 1 +smithsonian.gov, 1 +smithsstational-fpd.gov, 1 +smithsstational.gov, 1 +smithsystem.net, 1 +smithteresa.tk, 1 +smithwealth.com.au, 1 +smits.com, 1 +smits.frl, 1 +smitsdesigncenter.nl, 1 +smitsmail.net, 1 +smittybilt.com, 1 +smkkesfambatujajar.sch.id, 1 +smkn5smg.sch.id, 1 +sml.lc, 1 +smleaks.com, 1 +smlk.org, 1 +smlstriperfishing.com, 1 +smltour.net, 1 +smm.im, 1 +smm.lu, 1 +smmcab.ru, 1 +smmedia.cz, 1 +smmedya.com, 1 +smmlaba.io, 1 +smmog.tk, 1 +smmpaketleri.com, 1 +smmpanelweb.com, 1 +smmpropaganda.ru, 1 +smmworldbooster.com, 1 +smnz.de, 1 +smogdog.net, 1 +smoivez.tk, 1 +smokeandmirrors.agency, 1 +smokedrhymez.tk, 1 +smokefree.gov, 1 +smokefreeclinic.com.au, 1 +smokefreerowan.org, 1 +smokefreestage.jp, 1 +smokeopedia.com, 1 +smokeping.pl, 1 +smoker.tk, 1 +smokestore.bg, 1 +smoking-robot.com, 1 +smokinghunks.com, 1 +smokingtapes.ga, 1 +smolbotbot.com, 1 +smolensk-i.ru, 1 +smolensk.ml, 1 +smolensk.tk, 1 +smolkatours.com, 1 +smolnikova.tk, 1 +smolny.org, 0 +smoninstitute.com, 1 +smoo.st, 1 +smooth-e.net, 1 +smoothambler.com, 1 +smoothfreight.ca, 1 +smoothics.at, 1 +smoothics.com, 0 +smoothics.eu, 1 +smoothics.mobi, 1 +smoothics.net, 1 +smoothweblife.tv, 1 +smoove.io, 1 +smoqerhome.ddns.net, 1 +smorgasblog.ie, 1 +smoser.eu, 1 +smplace.com, 1 +smplr.uk, 1 +smpn10kotagorontalo.sch.id, 0 +smpnsata.sch.id, 1 +smpositiva.com, 1 +smppcenter.com, 1 +smpred.net, 1 +smprime.com, 1 +smries.com, 1 +smriticharan.com, 1 +smrtgeekdevs.com, 1 +sms-pro.tk, 1 +sms.storage, 1 +sms.to, 1 +sms1.ro, 1 +sms72.tk, 1 +smsalert.mobi, 1 +smsalvand.tk, 1 +smsappointment.com, 0 +smsbd.net, 1 +smsben.com, 0 +smsbrana.cz, 0 +smsg-dev.ch, 0 +smsinger.com, 0 +smsk.email, 1 +smskeywords.co.uk, 1 +smskmail.com, 1 +smsprivacy.org, 1 +smstec.ru, 1 +smstoreoficial.com.br, 1 +smszone.tk, 1 +smtchahal.com, 1 +smtcn.cc, 1 +smtenants.cn, 1 +smtji.com, 1 +smtnet.com, 1 +smtouseef.com, 1 +smtparish.org, 1 +smtpdev.com, 1 +smtpserver.dk, 1 +smuc-koca.si, 1 +smudge.ai, 1 +smuhelper.cn, 1 +smuncensored.com, 1 +smurffi.net, 1 +smurl.tk, 1 +smusg.com, 0 +smutfactor.com, 1 +smvcm.com, 1 +smvpdev.nl, 1 +smvpro.dk, 1 +smwenglish.com, 1 +smx.net.br, 1 +smxconventioncenter.com, 1 +smys.uk, 1 +sn0int.com, 1 +snab-ural.ga, 1 +snabbacash.no, 1 +snacdata.com, 1 +snack-online.com, 1 +snackbartaapje.com, 1 +snackbesteld.nl, 1 +snackbyincome.sg, 1 +snacktakos.gr, 1 +snacky.nl, 1 +snafarms.com, 1 +snafu.cz, 1 +snaildos.tk, 1 +snajdr.online, 1 +snajdrova.eu, 1 +snakafya.com, 1 +snakeanarchy.tk, 1 +snakejs.ga, 1 +snakesandladders.tk, 1 +snakesolid.nl, 1 +snap.com, 1 +snapaffiliate.net, 1 +snapappointments.com, 1 +snapappts.com, 1 +snapbuzz.tk, 1 +snapfinance.com, 1 +snapintegrations.net, 1 +snapkit.com, 1 +snapserv.net, 1 +snapware.tk, 1 +snapworks.net, 1 +snarf.in, 1 +snargol.com, 1 +snatch-note.tk, 1 +snatertlc.it, 1 +snatti.com, 1 +snav.cc, 1 +snazel.ae, 1 +snazel.co.il, 1 +snazel.co.uk, 1 +snazel.de, 1 +snazel.ee, 1 +snazzie.nl, 1 +snco.gov, 1 +snd-zentrum.de, 1 +sndbouncycastles.co.uk, 1 +sndcdn.com, 1 +snea-kers.tk, 1 +sneak.berlin, 1 +sneakers-sports.tk, 1 +sneakers88.it, 1 +sneakersmexs.com, 1 +sneakpod.de, 0 +sneakycode.net, 1 +sneakynote.com, 1 +sneakypaw.com, 1 +sneberger.cz, 0 +sneed.company, 1 +sneed.it, 1 +sneedit.com, 1 +sneedit.de, 1 +sneeit.com, 1 +snegozaderzhatel.ru, 1 +snehasish-chakraborty.com, 1 +snekul.net, 1 +snel4u.nl, 1 +snelbv.nl, 1 +snellius.tk, 1 +snelshops.nl, 1 +snelwebshop.nl, 1 +snelwegzen.nl, 1 +snem.tk, 1 +snerith.com, 1 +snesdev.com, 1 +snetts.com, 1 +snfdata.com, 0 +sngallery.co.uk, 1 +sngnews.tk, 1 +snh.nrw, 1 +snh48live.org, 1 +snic.website, 1 +sniderman-online.com, 1 +sniderman.co.il, 1 +sniderman.eu.org, 1 +sniderman.org, 1 +sniderman.pro, 1 +sniderman.us, 1 +sniderman.xyz, 1 +sniep.net, 1 +sniffing.gq, 1 +sniffnfetch.com, 1 +sniffy.ee, 1 +snip.software, 1 +snipdrive.com, 1 +sniper.cat, 1 +snipermarkettiming.com, 1 +snipl.io, 1 +snippet.host, 1 +snippet.ml, 1 +snippet.press, 1 +snippet.wiki, 0 +snippetpress.com, 1 +snitch.rocks, 1 +snitchnet.tk, 1 +snitko.pro, 1 +snizl.com, 1 +snj.pt, 1 +snlianshang.com, 1 +snnwes.de, 1 +sno-tek.net, 1 +snoerendevelopment.nl, 0 +snooker.tk, 1 +snoot.club, 1 +snorerx.com, 1 +snoringtreatment.tk, 1 +snorkelaroundtheworld.com, 1 +snortfroken.net, 1 +snoska.ga, 1 +snote.io, 1 +snotekbyariens.com, 1 +snoupon.com, 1 +snow-service.it, 1 +snowalerts.nl, 1 +snowapparel.us, 1 +snowatka.com, 1 +snowboard-break.tk, 1 +snowboardforum.tk, 1 +snowcat.tk, 1 +snowchamps.nl, 1 +snowcrestdesign.com, 1 +snowdon.io, 1 +snowdrop.moe, 1 +snowdy.dk, 1 +snowdy.eu, 1 +snowdy.link, 1 +snowflakeaz.gov, 1 +snowfox.ai, 1 +snowhana.com, 1 +snowhaze.ch, 1 +snowhaze.com, 1 +snowman25.de, 1 +snowmassvillage.gov, 1 +snoworld.one, 1 +snowpak.com, 0 +snowparties.com, 1 +snowpaws.de, 1 +snowplanet.tk, 1 +snowplow.forsale, 1 +snowpro.tk, 1 +snowprosinc.com, 1 +snowraven.de, 1 +snowrippers.ro, 0 +snowschool.tk, 1 +snowshoedistrictwv.gov, 1 +snowsubs.moe, 1 +snowvictoria.ga, 1 +snowy.ink, 1 +snowy.land, 1 +snowyluma.com, 1 +snowyluma.me, 1 +snp-media.de, 0 +snperformance.gr, 1 +snrat.com, 1 +snrd-africa.net, 1 +snrd.de, 1 +snrd.eu, 1 +snroth.de, 1 +snrub.co, 1 +sns-beta.com, 1 +sns-dev.com, 1 +sns-tg.pl, 1 +snsirius.cf, 1 +snsp.es, 1 +snsp.nl, 1 +snsp.ro, 1 +sntial.co.za, 1 +sntry.cc, 1 +snugsite.com.au, 1 +snukep.kr, 1 +snwsjz.com, 1 +snyder-ne.gov, 1 +so-academy.fr, 1 +so-link.co, 1 +so-spa.ru, 1 +so.is-a-cpa.com, 1 +so.ninja, 1 +soacompanhantes.vip, 1 +soadultos.com, 1 +soakgames.com, 1 +soap-teco.com, 1 +soapex.com, 1 +soapsspoilers.com, 1 +soar-npc.org, 1 +soat.fr, 0 +soatplus.com, 1 +soax.com, 0 +sobakasite.tk, 1 +sobaki.tk, 1 +sobatiment.fr, 1 +sobchak.ga, 1 +sobersys.com, 1 +sobieray.dyndns.org, 1 +soblaznenie.ru, 1 +soblaznenie2.ru, 1 +sobre.tk, 1 +sobrelixo.tk, 1 +sobreporcentagem.com, 1 +sobuj.me, 1 +soc.net, 1 +soc247.cloud, 1 +socal-babes.com, 1 +socalaccessandvideo.com, 1 +socblock.com, 1 +soccer4live.com, 1 +soccerking-store.com, 1 +soccerquarters.tk, 1 +soccers.fr, 1 +soccorsostradale.lazio.it, 1 +soccorsostradale.roma.it, 1 +socfactor.ru, 1 +sochealth.co.uk, 1 +socheap.win, 1 +sochi-sochno.ru, 1 +sochi.tatar, 1 +sochionline.tk, 1 +soci.ml, 1 +sociaalwerknederland.nl, 1 +sociability.dk, 1 +social-class.ga, 1 +social-directory-list.tk, 1 +social-engineering.tk, 1 +social-line.tk, 1 +social-media-strategy.org.uk, 1 +social-net.ir, 1 +social-network.tk, 1 +social-work-colleges.com, 1 +social-work.tk, 1 +socialab.gr, 1 +socialace.in, 1 +socialair.tk, 1 +socialarchive.nl, 1 +socialblaze.com.au, 1 +socialbook2015.ga, 1 +socialbook2015.gq, 1 +socialbook2015.ml, 1 +socialbook2015.tk, 1 +socialcare.wales, 1 +socialclimb.com, 1 +socialcredit.icu, 1 +socialdemo.ga, 1 +socialdemo.ml, 1 +socialdemo.tk, 1 +socialdevelop.biz, 0 +socialeducation.tk, 1 +socialesactivo.ga, 1 +socialesretro.tk, 1 +socialfreak.cf, 1 +socialgroups.tk, 1 +socialhams.net, 1 +socialhax.com, 1 +socialhp.com, 1 +socialism.tk, 1 +socialist-alliance.org, 0 +socialistregister.com, 1 +socialistyouth.tk, 1 +sociality.io, 1 +socializator.tk, 1 +socialloots.com, 1 +socialmarketingday.nl, 1 +socialmatch.de, 1 +socialmedia-manager.gr, 1 +socialmediadisruption.com, 1 +socialmedias.tk, 1 +socialmeeps.ml, 1 +socialnet.ml, 1 +socialnetworkdemo.tk, 1 +socialnews.ga, 1 +socialnitro.com, 1 +socialnous.co, 1 +socialpa.ws, 1 +socialplace.net, 1 +socialproject.ml, 1 +socials.gq, 1 +socialsecurity.gov, 0 +socialstrata.com, 1 +socialsurvivalist.net, 1 +socialtactics.cf, 1 +socialtactics.ga, 1 +socialtactics.gq, 1 +socialtactics.ml, 1 +socialtick.club, 1 +socialtournaments.com, 0 +socialtranslation.ga, 1 +socialtrends.pl, 1 +socialwave.tk, 1 +socialworkdegrees.org, 1 +socialworkout.net, 1 +socialworkout.org, 1 +socialworkout.tv, 1 +sociedad-electronica.tk, 1 +sociedadadventista.tk, 1 +sociedadcivil.tk, 1 +sociedadderesistencia.tk, 1 +sociedadecologica.tk, 1 +sociedadsostenible.tk, 1 +societatis.fr, 1 +societe-chablaisienne-de-revetements.com, 1 +societe-chablaisienne-de-revetements.fr, 1 +societedescompagnons.fr, 1 +societyawards.com, 1 +societyofbur-q-ua.tk, 1 +societyparty.ga, 1 +socii.network, 1 +socilit.com, 1 +sociobiology.com, 1 +sociofab.com, 1 +sociohosting.es, 1 +sociology-bg.gq, 1 +sociology-schools.com, 1 +sociologyk.nl, 1 +sociopampers.com.ar, 1 +sociopathy.org, 1 +sociosalafuerza.tk, 1 +socious.io, 1 +sociusian.gq, 1 +sockfetish.net, 1 +sockscap64.com, 1 +socksfromholland.com, 1 +socktopus.io, 1 +socomforums.tk, 1 +soconj.gov, 1 +socprime.com, 1 +socratec-pharma.de, 1 +socraticsolutions.us, 1 +socseti.cf, 1 +socseti.ga, 1 +socseti.gq, 1 +socseti.ml, 1 +socstar.ml, 1 +socstation.com, 1 +soczu.duckdns.org, 1 +soda-net.com, 1 +soda.ga, 1 +sodadigital.com.au, 1 +sodafilm.de, 1 +sodalai.tk, 1 +sodel-sa.eu, 1 +soderestore.com, 1 +sodermans.com, 1 +soderparr.com, 1 +sodexam.pro, 1 +sodi.gent, 1 +sodi.nl, 1 +sodigent.be, 1 +sodigent.gent, 1 +sodirace.com, 1 +sodo.top, 1 +sodom-metal.tk, 1 +sodrujestvo.tk, 1 +sodsouthernindiana.com, 1 +sodusny.gov, 1 +soegi-haru.com, 1 +soellc.com, 1 +soellner.info, 1 +soelt.dk, 1 +soelystsaebe.dk, 1 +soengen.com, 1 +soenkem.ddnss.de, 1 +soepvork.nl, 1 +sofa-bed.tk, 1 +sofa-rockers.org, 1 +sofabedshop.de, 1 +sofacamafuton.com.br, 1 +sofasia.com, 1 +sofasthousebuyers.com, 1 +sofaware.eu, 1 +sofdwi.gov, 1 +soff.se, 1 +soffit.com, 1 +sofi.codes, 1 +sofiaestado.com, 1 +sofialobocera.com, 1 +sofianeves.tk, 1 +sofias.tk, 1 +sofiavanmoorsel.com, 1 +sofibox.com, 1 +sofiesteinfeld.com, 1 +sofiesteinfeld.de, 1 +sofoco.us, 1 +sofortcutie24.de, 1 +sofortimplantate-muenchen.de, 1 +sofortindenurlaub.de, 1 +sofpedia.ro, 0 +soft-key.tk, 1 +soft-office.tk, 1 +soft-resets.com, 1 +soft-search-system.tk, 1 +soft.taipei, 1 +soft3arbi.com, 1 +soft41.ru, 1 +soft4led.com, 1 +softandbouncy.co.uk, 1 +softanka.com, 1 +softarabi.com, 1 +softbabyducks.com, 1 +softbit.pt, 1 +softblinds.co.uk, 1 +softchin.ir, 1 +softcom.net, 0 +softcompany.tk, 1 +softcomplex.com, 1 +softconcept.pt, 1 +softcreatr.com, 1 +softcreatr.de, 1 +softekontrack.com, 1 +softelectronet.tk, 1 +softfuture.tk, 1 +softhints.com, 1 +softios.com, 1 +softizy.com, 1 +softlay.com, 1 +softline.ru, 0 +softmas.cl, 1 +softnet-consulting.com, 1 +softonic-ar.com, 1 +softonic-id.com, 1 +softonic-th.com, 1 +softonic.cn, 1 +softonic.com, 1 +softonic.com.br, 1 +softonic.com.tr, 1 +softonic.jp, 1 +softonic.kr, 1 +softonic.nl, 1 +softonic.pl, 1 +softonic.ru, 1 +softonic.vn, 1 +softonit.ru, 1 +softonline.net, 1 +softowe.com, 1 +softpark.cf, 1 +softpark.ml, 1 +softplay4hire.co.uk, 1 +softsecmatheodexelle.be, 1 +softskills.tech, 1 +softskin.ga, 1 +softstack.ru, 1 +softtester.tk, 1 +softview.gq, 1 +softview.tk, 1 +software-search.com, 1 +software-tech.tk, 1 +software-voor-projecten.nl, 1 +software.rocks, 1 +softwareag-stage.cloud, 1 +softwarebeveiligingtestdomein.be, 1 +softwarechris.com, 1 +softwarecloud.ml, 1 +softwareclub.tk, 1 +softwarehexe.de, 1 +softwarepara.net, 1 +softwarepatenten.tk, 1 +softwarepixie.com, 1 +softwaresanta.com, 1 +softwaresecurityandradefernando.be, 1 +softwaterinc.com, 1 +softwearautomation.com, 1 +softweb-dev.de, 1 +softwing.de, 1 +softwsabri.be, 1 +softx.tk, 1 +sog-gilde.tk, 1 +sogaro-realestate.de, 1 +sogec-digital.fr, 1 +sogeek.me, 1 +sogesel.es, 1 +sogetrel-tn.de, 1 +sogno.it, 1 +sogo.com.hk, 1 +sogo.com.my, 0 +sogola.com, 1 +sogoreate-landtrust.org, 1 +sogravatas.com.br, 1 +sogravatas.net.br, 1 +sogut.bel.tr, 1 +sogutma.com.tr, 1 +sohamroy.me, 1 +sohanakhan.tk, 1 +sohanman.com, 1 +sohka.eu, 1 +soho-art.com, 1 +soia.ca, 1 +soilegustafsson.fi, 1 +soillessgeek.com, 1 +soilscapesolutions.com, 1 +soinsparlesmains.fr, 1 +sointelcom.com.co, 1 +soinvett.com, 0 +soissons-technopole.org, 1 +soji.io, 1 +sokak-sanati.tk, 1 +sokenconstruction.com, 1 +soket.ee, 1 +sokkenkraam.nl, 1 +soko.reisen, 1 +sokolin.com, 1 +sokolmelnik.tk, 1 +sokolovskyi.ml, 1 +sokolslavkov.tk, 1 +sokouchousa.net, 1 +sokrabatt.se, 1 +sokretirement.com, 1 +sol-3.de, 0 +sol-design.jp, 1 +sol-negro.tk, 1 +sol.de, 1 +sol24.net, 1 +solaland.co.uk, 1 +solalnathan.com, 1 +solalt.com, 1 +solana-active.tk, 1 +solanacasinos.io, 1 +solanaroyale.com, 0 +solandsimonasphalt.com, 1 +solanocounty.gov, 1 +solanowonen.nl, 1 +solarace.tk, 1 +solaradventures.icu, 1 +solarafrica.com, 1 +solaranalytics.com, 1 +solaranalytics.com.au, 1 +solarandenergyspecialists.com, 1 +solarbattery.ga, 1 +solarbynatureinc.com, 1 +solarcia.com.br, 1 +solareagricola.it, 1 +solarfaa.ir, 1 +solarfever.ga, 1 +solargaming.tk, 1 +solarhome.ml, 1 +solarhome.tk, 1 +solariilacheie.ro, 1 +solarisbank.de, 1 +solarisgroup.com, 1 +solarity.coop, 1 +solarium.gov, 1 +solarium.milano.it, 1 +solarloon.com, 1 +solaronics.tk, 1 +solarpanelquotes.org, 1 +solarpanels.tk, 1 +solarplan-berlin.de, 1 +solarrights.org, 1 +solarscan.com, 1 +solarseason.ga, 1 +solarstrom.net, 1 +solartek.cf, 1 +solartek.ga, 1 +solartek.gq, 1 +solartrackerapp.com, 1 +solartravel.tk, 1 +solarwave.tk, 1 +solarwind.cf, 1 +solati.co, 1 +solautoescuela.com, 1 +solaxfaq.com, 1 +solbjer.se, 1 +solcenter.com, 1 +solcloud.eu, 1 +solcom.de, 1 +solcyber.com, 1 +soldamontanhabeachwear.com.br, 1 +soldarizona.ga, 1 +soldaten-genealogie.tk, 1 +soldbygagan.com, 1 +solden.be, 1 +soldesduck.be, 1 +soldesduck.ch, 1 +soldierangels.tk, 1 +soldieroftruthpublishing.com, 1 +soldiersmg.tk, 1 +sole-erdwaermetauscher.de, 1 +soleanos.tk, 1 +solechuva.com.br, 1 +solectrus.de, 1 +soledadmataro.tk, 1 +soledadpenades.com, 0 +soleil33.net, 1 +solemare-hotel.it, 1 +solencell.com.tr, 1 +solentbasketball.co.uk, 1 +solentbubblesandbounce.co.uk, 1 +solfegiator.ch, 0 +solfipinformatique.org, 1 +solgar.dk, 1 +soli.cafe, 1 +solicafe.at, 1 +solidariaautos.com, 1 +solidarita-kosovo.net, 1 +solidarityzone.org, 1 +solidform.ml, 1 +solidgroundchiro.com, 1 +solidhost.cf, 1 +solidimage.com.br, 1 +solidincome.ga, 1 +solidityfactory.io, 1 +solidnet.software, 1 +solidnetwork.org, 1 +solidpurenonsense.tk, 1 +solidshield.com, 1 +solidsteel.tk, 1 +solidtuesday.com, 1 +solidway.co.nz, 1 +solifi.com, 1 +soligorsk.place, 1 +solihullcarnival.co.uk, 1 +solihullinflatables.com, 1 +solihulllionsclub.org.uk, 1 +solihullobserver.co.uk, 1 +solihullpcrepairs.co.uk, 1 +solikreis-stuttgart.tk, 1 +solipsists.tk, 1 +solisrey.es, 1 +solitaire-game.org, 1 +solitairenetwork.com, 1 +solitary.social, 1 +solitaryride.com, 1 +soliten.de, 1 +soliujing.ml, 1 +solium.com, 1 +soliver-group.com, 1 +sollah.com, 1 +sollahlibrary.com, 1 +solliv.com, 1 +solmek.co.uk, 1 +solnascentepapelaria.com.br, 1 +solntsezaschitnye-ochki.tk, 1 +solo.com.sa, 1 +solobus.com.co, 1 +solocorse.com, 1 +solodukhin.tk, 1 +solofajas.online, 1 +solofi.fr, 1 +sologetaway.ga, 1 +sologoc.com, 1 +sologstrand.com, 1 +sologstrand.dk, 1 +sologstrand.nl, 1 +sologstrand.no, 1 +sologstrand.se, 1 +soloinfo.it, 1 +soloingenieria.tk, 1 +solomidis.tk, 1 +solomo.pt, 1 +solomoncorp.com, 1 +solomonsklash.io, 1 +solongandthanksforallthe.fish, 1 +soloparati.cf, 1 +soloprivacidad.com, 1 +soloproductos.top, 1 +soloreti.com, 1 +soloroboto.com, 1 +solos.im, 1 +solosesso.tk, 1 +solostocks.cl, 1 +solostocks.com, 1 +solostocks.com.ar, 1 +solostocks.com.br, 1 +solostocks.com.co, 1 +solostocks.com.mx, 1 +solostocks.de, 1 +solostocks.fr, 1 +solostocks.it, 1 +solostocks.ma, 1 +solostocks.net, 1 +solostocks.pl, 1 +solostocks.pt, 1 +solovey.su, 0 +solovia.ru, 1 +solovyovalawfirm.com, 1 +solsea.io, 1 +solsi.ga, 1 +solsticecam.com, 1 +soltanastore.com, 1 +soltysblue.pl, 1 +solucion.gq, 1 +solucionesmk.online, 1 +solucionupsperu.com, 1 +solumgb.co.uk, 1 +solunet.com.ar, 1 +solut.ai, 1 +solutek.com.au, 1 +solution24.nl, 1 +solutionalbum.com, 1 +solutionmotsfleches.com, 1 +solutionpieces.com, 1 +solutionplumber.com, 1 +solutions-ii.com, 1 +solutions-it.net, 1 +solutions30.com, 1 +solutionshosted.de, 1 +solutiontutorials.com, 1 +solutys-btp-logistic.com, 1 +solutysmultiservices.com, 1 +soluzionefightlist.altervista.org, 1 +soluzionifightlist.cf, 1 +solv.ws, 1 +solvation.de, 1 +solvaybank.com, 1 +solvedapp.io, 1 +solviejo.tk, 1 +solvin.com, 1 +solviq.com, 1 +solware.co.uk, 1 +solwaveovens.com, 1 +solwayfeeders.com, 1 +solweb.co.uk, 1 +solwit.com, 1 +solxsys.com, 0 +solymar.co, 1 +soma.com.au, 1 +somaar.tk, 1 +somaini.li, 1 +somaliaonline.com, 1 +somalilandtalk.tk, 1 +somanao.com, 1 +somautomotivobr.com.br, 1 +someapi.de, 1 +somecrazy.com, 1 +somedial.ch, 1 +somedomain.tk, 1 +somehsara.tk, 1 +someog.com, 0 +somerm.com, 1 +somerprints.co.uk, 1 +somersbypark.com, 1 +somersetcountynj.gov, 1 +somersetscr.nhs.uk, 1 +somersetwellbeing.nhs.uk, 1 +somersworthnh.gov, 1 +somes.me, 1 +someserver.cf, 1 +something-blue.tk, 1 +something-else.cf, 1 +something.pink, 1 +somethingsimilar.com, 1 +somethingsketchy.net, 1 +somevideotapes.com, 1 +somewherenews.cf, 1 +somewherenews.ga, 1 +somewherenews.gq, 1 +somewherenews.ml, 1 +somi.nl, 1 +sominemo.com, 1 +somix.com, 1 +soml.best, 1 +sommarles.no, 1 +somme.tk, 1 +sommefeldt.com, 1 +sommeil.cl, 1 +sommeilsante.com, 1 +sommer-reitmajer.de, 1 +sommerhusudlejning.com, 1 +sommerles.no, 1 +sommerplassen.no, 1 +somnam.tk, 1 +somni.one, 1 +somnus.com, 1 +somogyivar.hu, 1 +somosbrujas.com, 1 +somosfin-app.com, 1 +somosgesath.com, 1 +somosgratitude.com.br, 1 +somoslaarmenia.com, 1 +somosweb.cf, 1 +somoybuzz.com, 1 +sompo-intl.com, 1 +sompo.com.br, 1 +sompohorizon.com, 1 +somsak.de, 1 +somuchbetterwithage.com, 1 +somweyr.de, 1 +son-onlajn.cf, 1 +son-onlajn.ga, 1 +son-onlajn.gq, 1 +son-onlajn.ml, 1 +son-onlajn.tk, 1 +son-tolkovatel.cf, 1 +son-tolkovatel.ga, 1 +son-tolkovatel.gq, 1 +son-tolkovatel.ml, 1 +son-tolkovatel.tk, 1 +son.ru, 1 +sona-gaming.com, 1 +sona.fr, 1 +sonacupalova.cz, 1 +sonalisharma.co.in, 1 +sonar.ga, 1 +sonaraamat.com, 1 +sonarhmx01.serveftp.org, 1 +sonarhmx02.serveftp.org, 1 +sonarsource.com, 1 +sonavankova.cz, 1 +sonaza.com, 1 +sonaza.fi, 1 +sonbilgi.net, 1 +soncini.ch, 1 +soncnaura.si, 1 +sondebase.com, 1 +sondemitierra.tk, 1 +sonder.com.au, 1 +sonderfloral.com, 1 +sonderkomission.ch, 1 +sondoro.tk, 1 +sondriotoday.it, 1 +sonesinafar.tk, 1 +sonesisonesi.tk, 1 +sonesonesisi.tk, 1 +sonet.digital, 1 +sonet.uz, 1 +song.ski, 1 +songclan.tk, 1 +songdew.com, 1 +songesdeplumes.fr, 1 +songlifty.com, 1 +songsigrewupsinging.com, 1 +songslaura.tk, 1 +songsonline.tk, 1 +songsterr.com, 1 +songsthatsavedyourlife.com, 1 +songtianyi.com, 1 +songun.ml, 1 +songyang.cn, 1 +songzhuolun.com, 1 +sonia.ai, 1 +soniaai.com, 1 +soniaferrer.tk, 1 +sonic.network, 1 +sonic.sk, 0 +sonic.studio, 1 +sonicautomation.ai, 1 +sonicdoe.com, 1 +sonicdx.com.au, 1 +soniclaunchpad.com, 1 +soniclink.tk, 1 +sonicshop.tk, 1 +sonicwanderer.tk, 1 +sonicworld.tk, 1 +sonidosbinaurales.com, 1 +sonidoslibertarios.tk, 1 +sonik.tk, 1 +sonimusic.tk, 1 +soninger.ru, 1 +sonix.dk, 1 +sonixonline.com, 1 +sonixpro.com, 1 +sonja-daniels.com, 1 +sonja-kowa.de, 1 +sonjaruster.de, 1 +sonjaundjeromeheiraten.jetzt, 1 +sonjoux.com, 1 +sonkamusic.tk, 1 +sonlapc.vn, 1 +sonmark.ru, 1 +sonnenbergharrison.law, 1 +sonnendeal.ml, 1 +sonnendeal.tk, 1 +sonnenta.de, 1 +sonneundstrand.de, 1 +sonnik-znachenie-sna.cf, 1 +sonnik-znachenie-sna.ga, 1 +sonnik-znachenie-sna.gq, 1 +sonnik-znachenie-sna.ml, 1 +sonnik-znachenie-sna.tk, 1 +sonnyland.tk, 1 +sonodrom.tk, 1 +sonoecoracao.com.br, 1 +sonofsunart.com, 1 +sonohigurashi.blog, 1 +sonologic.nl, 1 +sonology.tk, 1 +sonomacounty.gov, 1 +sonomacountywriterscamp.com, 1 +sonomotors.com, 1 +sonoratexas.gov, 1 +sonorem-audition.fr, 1 +sonosguide.dk, 1 +sonraisecurity.com, 1 +sons.cf, 1 +sons.tk, 1 +sonsight.tk, 1 +sonsonate.cf, 1 +sonsonate.tk, 1 +sony-psvita.ru, 1 +sonyazi.com, 1 +soohealthy.nl, 1 +soom.ga, 1 +soom.tk, 1 +soomee.be, 1 +soomee1.be, 1 +soontm.net, 1 +soopure.nl, 1 +soopy.moe, 1 +sopelaotaez.tk, 1 +sopenguin.com, 1 +soph.jp, 1 +soph.tk, 1 +soph.us, 1 +sopheos.com, 0 +sopher.io, 1 +sophia.com.br, 1 +sophiaandmatt.co.uk, 1 +sophiafoundation.org, 1 +sophiahatstudio.com, 1 +sophiajaneboutique.com, 1 +sophiakligys.com, 1 +sophiatazar.com, 1 +sophie-revault.fr, 1 +sophiebreslin.co.uk, 1 +sophiekush.com, 1 +sophier.tk, 1 +sophomoric.ga, 1 +sophos.com, 1 +sophus.com.br, 1 +sopilov.tk, 1 +sopira.ru, 1 +sopo.me, 1 +soportelatino.ml, 1 +sopra.tk, 1 +soprabalao.com.br, 1 +sopriza.com, 1 +sopronforras.tk, 1 +soprovise.fr, 1 +sopsop.tk, 1 +soqor-damam.com, 1 +soquee.net, 0 +sor.so, 1 +sorabi.jp, 1 +soraharu.com, 0 +soraiaschneider.com.br, 1 +sorakumo.jp, 1 +sorbire.com, 1 +sorcix.com, 0 +sorellecollection.com.au, 1 +sorellinteriors.com, 1 +soren.xyz, 1 +sorenstudios.com, 1 +sorex.photo, 1 +sorin.cc, 1 +sorincocorada.ro, 1 +sorn.service.gov.uk, 1 +sornyaki.tk, 1 +sorocabacopos.com.br, 0 +sorpresashop.nl, 0 +sorrentofc.com.au, 1 +sorrentoparking.com, 1 +sorridi.xyz, 1 +sorrowfulunfounded.com, 1 +sort.land, 1 +sortandpack.com, 1 +sortaweird.net, 0 +sorted.org.nz, 1 +sorteiosdotom.com.br, 1 +sortek.mk, 1 +sorteonline.com.br, 1 +sorting.ai, 1 +sortirentrenous.com, 1 +sortly.com, 1 +sorubak.com, 1 +soruly.com, 1 +soruly.io, 1 +soruly.moe, 1 +soruly.net, 1 +soruly.org, 1 +sorumatik.co, 1 +sorunrehberi.com, 1 +sorveglianza.roma.it, 1 +sorwi.gov, 1 +sorx.tech, 1 +sorz.org, 1 +sos-brigade.org, 1 +sos-deratisation.com, 1 +sos-elettricista.it, 1 +sos-fabbro.it, 1 +sos-falegname.it, 1 +sos-idraulico.it, 1 +sos-loodgieter.com, 1 +sos-muratore.it, 1 +sos.sk, 0 +sos.xxx, 1 +sosafe-awareness.com, 1 +sosaka.ml, 1 +sosaka.tk, 1 +soscavehumide.fr, 1 +sosecu.red, 1 +sosedisetka.tk, 1 +sosesh.shop, 1 +sosessaimabeilles.com, 1 +sosharch.com, 1 +soshin.cf, 1 +sosimple.academy, 1 +sosisuka.ga, 1 +sosko.in.rs, 1 +soslsd.org, 0 +sosmicro.tk, 1 +sosnovka.ga, 1 +soso.ga, 1 +soso.loan, 1 +soso.ml, 1 +soso.stream, 1 +sosoft.tk, 1 +sosoftplay.co.uk, 1 +sosok.tk, 1 +sosou.eu, 0 +sospechhulp.nl, 1 +sospeed.net, 1 +sosregistration.eu, 1 +sostacancun.com, 1 +soste.fi, 0 +sosteric.si, 1 +sosuchki.com, 1 +sosyalat.com, 1 +sosyalevin.com, 0 +sosyalpro.com.tr, 1 +sosz.org, 1 +sota.sh, 1 +sotadb.info, 1 +sotaltamer.it, 1 +sotar.us, 1 +soterdev.com, 1 +sotieg.fr, 1 +sotin-hr.tk, 1 +sotis.bg, 1 +sotnya.cf, 1 +sotnyk.ml, 1 +sotoasobi.net, 1 +sotocine.tk, 1 +sotolar.com, 1 +sotonlgbt.org.uk, 1 +sotool.dk, 1 +sotovik.tk, 1 +sotrom.com, 1 +sotsiaalkindlustusamet.ee, 0 +sotthewes.nl, 1 +sottilealimentos.com.br, 1 +sottomarini.tk, 1 +sotypicallydutch.nl, 1 +soubriquet.org, 1 +soufastnet.com.br, 1 +souga.eu.org, 1 +sougou.com, 1 +souked.com, 1 +soukka-seura.fi, 1 +soukodou.jp, 1 +soul-of-style.com, 1 +soul-source.co.uk, 1 +soulberber.com, 1 +soulc.ml, 1 +soulcasa.com.br, 1 +soulconstructors.com, 1 +soulcrazy.org, 1 +souldecorpaints.co.nz, 1 +soulema.com, 1 +souletter.com, 1 +soulike.tech, 1 +soulinbusiness.ga, 1 +soulla.tk, 1 +soulmating.de, 1 +soulmusic.tk, 1 +soulnatura.es, 1 +soulogic.com, 1 +soulpetrol.in, 1 +soulpowercoaching.ga, 1 +soulreapers.tk, 1 +soulshare.com, 1 +soulshare.net, 1 +soulshow.tk, 1 +soulsinner.tk, 1 +soulsteer.com, 0 +soulwinning.tk, 1 +soulyfunerals.co.nz, 1 +soulyi.io, 1 +soumen.tk, 1 +soumikghosh.com, 1 +soumission-assurances.ca, 1 +soumissionalarme.ca, 1 +soumya.xyz, 1 +soumya92.me, 1 +sounah.com, 1 +sound-gardens.com, 1 +sound-orpheus.tk, 1 +sound-recording.org, 1 +sound-wave.tk, 1 +sound.as, 1 +soundabout.nl, 1 +soundar.eu.org, 1 +soundar.net, 1 +soundbase.tk, 1 +soundblast.tk, 1 +soundcache.tk, 1 +soundcamp.org, 1 +soundcharts.com, 1 +soundclick.com, 1 +soundcloud-to-mp3.com, 1 +soundcloud.com, 1 +soundee.com, 1 +soundeo.com, 1 +soundeo.net, 1 +soundersmusic.com, 1 +soundexclusive4ever.tk, 1 +soundfingers.com, 0 +soundgasm.net, 1 +soundgo.gq, 1 +soundinthesignals.tk, 1 +soundlight.tk, 1 +soundman.ga, 1 +soundmix.tk, 1 +soundmk.ch, 1 +soundmoney.club, 1 +soundmoney.page, 1 +soundmoney.tech, 1 +soundoffsignal.com, 1 +soundonmike.tk, 1 +soundproofingideas.com, 1 +soundprotectionllc.com, 1 +soundrecords.tk, 1 +soundrelief.com, 0 +soundresource.tk, 1 +soundrise.tk, 1 +sounds-resource.com, 1 +sounds.koeln, 1 +soundservice.gr, 1 +soundshepard.tk, 1 +soundslike.gent, 1 +soundtrash.tk, 1 +soundtube.tk, 1 +soundwavefestival.tk, 1 +soundzimega.tk, 1 +soungui.cm, 1 +soungui.com, 1 +soungui.net, 1 +soupbuahtaza.id, 1 +sour.is, 1 +souravbhor.gq, 1 +souravbhor.ml, 1 +source-clan.tk, 1 +sourceaudio.co.uk, 1 +sourceaudio.com, 1 +sourceaudiodetect.com, 1 +sourcecode.hosting, 1 +sourcecode.love, 1 +sourcecode.tw, 1 +sourcegraph.com, 1 +sourcehut.net, 1 +sources.tk, 1 +sourcesdegarrigue.fr, 1 +sourcexchange.net, 1 +sourcing4exports.co.uk, 1 +sourcitec.com, 1 +souria.tk, 1 +sourlakepd.gov, 1 +sourmatt.xyz, 1 +sourraundweb.tk, 1 +sourse.co, 1 +sous-surveillance.net, 0 +southadamswaterco.gov, 1 +southambouncycastle.co.uk, 1 +southamptontownnypolice.gov, 1 +southbankregister.com.au, 1 +southbaylatherapy.com, 1 +southbendflooring.com, 1 +southboroughma.gov, 1 +southbridge-ma.gov, 1 +southcarolinahealth.tk, 1 +southdakotahealth.tk, 1 +southdakotanet.tk, 1 +southeast-asia.ru, 1 +southeastradiology.com, 1 +southeastvalleyurology.com, 1 +southerncross.tk, 1 +southernforge.com, 1 +southerngospelnow.com, 1 +southerngospelprizes.com, 1 +southernknightsatlanta.com, 1 +southernlights.cf, 1 +southernlights.club, 1 +southernlights.gq, 1 +southernlights.ml, 1 +southernlights.site, 1 +southernmost.us, 1 +southernsecurity.org, 1 +southernsurgicalga.com, 1 +southernvalve.com, 1 +southernviewmedia.com, 1 +southernwatersolutions.com, 1 +southessexstatus.co.uk, 1 +southfieldtownshipmi.gov, 1 +southgatemi.gov, 1 +southgatesystems.com, 1 +southgeorgiacargotrailers.org, 1 +southjacksonville-il.gov, 1 +southjerseyhomes.info, 1 +southkingstownri.gov, 1 +southlakenissanparts.com, 1 +southlaketx.gov, 1 +southlandurology.com, 1 +southmarengo.com, 1 +southmarengoal.gov, 1 +southmelbourne.apartments, 1 +southmill.com, 1 +southmilwaukee.gov, 1 +southmorangtownhouses.com.au, 1 +southogdencity.gov, 1 +southphoenixair.tk, 1 +southridgeservices.com, 1 +southside-crew.com, 1 +southside-digital.co.uk, 1 +southside-tuning-day.de, 1 +southsidebargaincenter.com, 1 +southsidebuildingcenter.com, 1 +southsideplacetx.gov, 1 +southstpaulmn.gov, 1 +southtoowoombahawks.com.au, 0 +southwebsterohio.gov, 1 +southwestkansaslibrarysystem.gov, 1 +southwestpremierurology.com, 1 +southwestrda.org.uk, 1 +southwestwildlife.org, 1 +southwickma.gov, 1 +southwindsor-ct.gov, 1 +southyorkshire-pcc.gov.uk, 1 +southyorkshireviolencereductionunit.com, 1 +soutien-naissance.com, 1 +souto.eu, 1 +souvenir-fashion.com, 1 +souvenirs-gifts.tk, 1 +souzanabellydance.com, 1 +sova-center.ru, 1 +sova.cc, 1 +sova.st, 1 +sova.wiki, 1 +sovendus.ch, 1 +sovendus.com, 1 +sovendus.de, 1 +sovendus.dk, 1 +sovendus.es, 1 +sovendus.fr, 1 +sovendus.it, 1 +sovendus.nl, 1 +sovendus.pl, 1 +sovendus.se, 1 +sovereign.bounceme.net, 1 +sovereignpcs.com, 1 +soverin.net, 1 +sovest.ml, 1 +sovet4ik.info, 1 +soveti.info, 1 +sovetidachniku.info, 1 +sovetiogorodniku.info, 1 +sovhoz.tk, 1 +sovmestimost-goroskop.cf, 1 +sovmestimost-goroskop.ga, 1 +sovmestimost-goroskop.gq, 1 +sovmestimost-goroskop.ml, 1 +sovmestimost-zodiak.gq, 1 +sovos.com, 1 +sovremenik.tk, 1 +sovryn.com, 1 +sovtech.tk, 1 +sovxoz.gq, 1 +sowget.com, 1 +sowhat.dk, 0 +sowncloud.de, 1 +sowndfinancial.com, 1 +sowsmallgarden.com, 1 +sowtarabiya.com, 1 +soybase.org, 1 +soychef.today, 1 +soychile.cl, 1 +soydoula.com, 1 +soydxn.com, 1 +soyezonline.fr, 1 +soyinstalador.cl, 1 +soyladani.com, 1 +soylemeztrading.com, 1 +soyou.jp, 1 +soytusitio.com, 1 +soyuznik.ml, 1 +soyvigilante.com, 1 +sozai-good.com, 1 +sozai.tk, 1 +sozdanie-krana.ml, 1 +soze.in, 1 +sozialabstand.de, 1 +soziale.email, 1 +sozialismus.tk, 1 +sozialistische-gruppe.de, 1 +sozialy.com, 1 +sozlervereplikler.com, 1 +sozole.eu, 1 +sozon.ca, 1 +sp-az.com, 1 +sp-codes.de, 1 +sp-consulting.ch, 1 +sp-dh.com, 1 +sp-gg.com, 1 +sp-magic.de, 1 +sp-moebel.net, 1 +sp-pn.com, 1 +sp-sites.com.au, 1 +sp.rw, 1 +sp03.de, 1 +sp8ce.co, 1 +spa-center.tk, 1 +spaallegretto.com, 1 +spabellabolivia.com, 1 +spac2stock.com, 1 +space-art.tk, 1 +space-combat.tk, 1 +space-for.business, 1 +space-inc.co.jp, 1 +space-it.de, 1 +space-mining.cf, 1 +space-net.ml, 1 +space-station.tk, 1 +space-time-elements.com, 1 +space-y.cf, 1 +space.gov.ae, 1 +spaceage.mp, 1 +spaceanimalnutrition.com, 1 +spaceapi.io, 1 +spacebabies.nl, 1 +spacebear.ee, 1 +spacebestnews.tk, 1 +spacecityweather.com, 1 +spacecorp.de, 1 +spacedance.tk, 1 +spacedogs.ml, 1 +spacedrive.nl, 1 +spacefighters.tk, 1 +spacehey.com, 1 +spacehighway.ms, 1 +spacehighways.net, 1 +spaceholder.cc, 1 +spaceint.fr, 1 +spacekeat.com, 1 +spacelabs.io, 1 +spacelabshealthcare.com, 1 +spacelandpark.ga, 1 +spacelift.io, 1 +spacenerd.it, 1 +spaceon.tk, 1 +spacepirates.tk, 1 +spacepixel.ml, 1 +spacepunks.de, 1 +spacerocksmc.tk, 1 +spaceroot.cz, 1 +spacesedu.com, 1 +spaceshells.tk, 1 +spacestation13.com, 1 +spacetime.am, 0 +spaceunique.de, 1 +spaceunique.eu, 1 +spacewinner.nl, 0 +spacinov.com, 1 +spacivox.com, 1 +spackova.cz, 1 +spacomic.com, 1 +spaconnection.com, 1 +spaconsulting.it, 1 +spactostock.com, 1 +spadok.org.ua, 1 +spaenny.tf, 1 +spaghettiphreakers.tk, 1 +spaghettiwesterns.tk, 1 +spagobudapest.com, 1 +spahireleeds.co.uk, 1 +spainemotions.com, 1 +spaink.net, 1 +spainpol.es, 1 +spajk.cz, 1 +spalnobelyo.com, 1 +spaltron.net, 1 +spamasaurus.com, 1 +spamcage.com, 1 +spamdrain.com, 1 +spamedica.com.co, 1 +spamhunter360.gq, 1 +spamlinks.net, 1 +spammable.com, 1 +spamtuning.tk, 1 +spamty.eu, 1 +spanch.cf, 1 +spanch.ga, 1 +spanch.gq, 1 +spanch.ml, 1 +spanch.tk, 1 +spanchelele.cf, 1 +spanchelele.ga, 1 +spanchelele.gq, 1 +spanchelele.ml, 1 +spanchelele.tk, 1 +spanda.io, 1 +spandrusyszyn.com, 1 +spanglishls.com, 1 +spanien.guide, 1 +spanischunterricht.tk, 1 +spanishblackboard.com, 1 +spanishdogs.tk, 1 +spanishenglish.com, 1 +spanishenglish.net, 1 +spanishnewsarticles.tk, 1 +spanishnow.tk, 1 +spankmonster.com, 1 +spanmass-portal.org, 1 +spanner.tk, 1 +spanner.works, 1 +spanpine.gq, 1 +spanstindrundt.no, 1 +spantrix.com, 1 +spanyolul.hu, 1 +spar-dich-frei.com, 1 +spar-ics.com, 1 +spar-ni.co.uk, 1 +spar.at, 1 +spar.hr, 1 +spar.hu, 1 +spar.si, 1 +sparanoid.blog, 1 +sparanoid.com, 1 +sparanoid.net, 1 +sparanoid.network, 1 +sparanoidstatus.com, 1 +sparatryggt.se, 1 +spare.no, 1 +spare.se, 1 +sparendirekt.at, 1 +spargrancanaria.es, 1 +sparkandglass.com, 1 +sparkar.com, 1 +sparkasse.de, 1 +sparkbase.cn, 1 +sparkeddigital.ca, 1 +sparkedge.eu, 1 +sparkforautism.org, 1 +sparkingscala.com, 1 +sparkl.fm, 1 +sparklabs.com, 1 +sparklatvia.lv, 1 +sparkleapp.com, 1 +sparklebastard.com, 1 +sparklesvt.com, 1 +sparklewindowcleaners.co.za, 1 +sparklingloungecampiglio.it, 1 +sparklyfairy.co.nz, 1 +sparkplug.tk, 1 +sparkpluguniversity.com, 1 +sparkresearch.net, 1 +sparksga.gov, 1 +sparkz.no, 1 +sparmedo.de, 1 +sparprofi.at, 1 +sparrius.com, 1 +sparrowwallet.com, 1 +sparta-en.org, 1 +sparta-szczekociny.tk, 1 +sparta-upice.tk, 1 +sparta.ee, 1 +spartacuslife.com, 1 +spartaermelo.nl, 1 +spartamet.tk, 1 +spartan300.tk, 1 +spartanis.tk, 1 +sparvagn.tk, 1 +sparx.dog, 1 +spasem-park.tk, 1 +spasicilia.it, 1 +spasskellner-comedykellner.ch, 1 +spatialflunky.one, 1 +spatialnom.com, 1 +spatiugratis.tk, 1 +spatter.cf, 1 +spatter.tk, 1 +spatzenwerkstatt.de, 1 +spawn.cz, 1 +spaysy.com, 1 +spazioasperger.it, 1 +spaziobenedetti.com.br, 1 +spaziopervoi.com.br, 1 +spazturtle.co.uk, 1 +spazzacamino.roma.it, 1 +spb-clean.ru, 1 +spbatelec.fr, 1 +spbelect.info, 1 +spbelect.org, 1 +spbet99.com, 1 +spbfavourite.ru, 1 +spbgorod.ru, 1 +spbot.ml, 1 +spc-ag.ch, 1 +spcconnect.com, 1 +spcollege.edu, 1 +spconsult.com.br, 1 +spctech.click, 1 +spd-porta-westfalica.de, 1 +spd-porta-westfalica.eu, 1 +spd15revision.gov, 1 +spdepartamentos.com.br, 1 +spdf.net, 1 +spdfund.org, 1 +spdillini.com, 1 +spdrdng.com, 1 +spe.org.co, 1 +speac.jp, 1 +speacock.co.uk, 1 +speacock.uk, 1 +speak-polish.com, 1 +speak.nl, 0 +speak.software, 1 +speakandgo.education, 1 +speakeasy.co, 1 +speaker-animateur.com, 1 +speakermatch.com, 1 +speakersbusiness.com, 1 +speakersden.tk, 1 +speakersforschools.org, 1 +speakertwpmi.gov, 1 +speakthewordaudio.com, 1 +spear.ga, 1 +spec-auto.com.ua, 0 +spec-ranking.pl, 1 +specdrones.us, 1 +specflow.org, 1 +special-education-degree.net, 1 +special-equipment.tk, 1 +special-ops.org, 1 +specialcameras.tk, 1 +specialcounsel.com, 1 +speciale.cf, 1 +specialeffect.tk, 1 +specialelectronics.tk, 1 +specialisedlightingandtorches.com.au, 1 +specialist.srv.br, 0 +specialistskin.com.sg, 1 +specialized-hosting.eu, 1 +specialnoise.tk, 1 +specialofficesupplies.tk, 1 +specialplasticparts.com, 1 +specialproperties.com, 1 +specialsite.tk, 1 +specialtechnique.tk, 1 +specialtyalloys.ca, 1 +specialtyjets.ca, 1 +specialworld.ml, 1 +speciauxquebec.com, 1 +speciesism.com, 1 +specificenergy.com, 1 +speciosapro.com, 0 +speckle.systems, 1 +speckrot.ru, 1 +specks.tk, 1 +specopssoft.com, 1 +specprawnik.pl, 1 +specs-tech.com, 1 +specsdot.ga, 1 +spectacles.com, 1 +spectemur.tk, 1 +spectrafox.com, 1 +spectre-network.tk, 1 +spectrocoin.com, 1 +spectrosoftware.de, 1 +spectrum-markets.com, 1 +spectrum.co.ae, 0 +spectrum.gov, 1 +spectrum3d.ru, 1 +spectrumelectrical-brisbane.com.au, 1 +spectrumreachadacademy.com, 1 +spectrumreachpayitforward.com, 1 +spectrumtexas.net, 1 +spediscifiori.com, 1 +spedizioni.roma.it, 1 +speechdrop.net, 1 +speechmate.com, 1 +speechmore.ml, 1 +speechpathologygraduateprograms.org, 1 +speechpathologymastersprograms.com, 1 +speed-bonus.tk, 1 +speed-strike.tk, 1 +speed.tk, 1 +speedable.net, 1 +speedcam.tk, 1 +speedcubing.tk, 1 +speeddate.it, 0 +speeddating.mx, 1 +speeder-vpn.tk, 1 +speeder.cf, 1 +speeder.one, 1 +speeders.cf, 1 +speeders.ga, 1 +speedexam.net, 1 +speedhoundz.com, 1 +speedleads.dk, 1 +speedlearning.ml, 1 +speedlearningapp.com, 1 +speedlearningapp1.com, 1 +speedliner.com, 1 +speedmailer.nl, 1 +speedof.me, 1 +speedracer.ca, 1 +speedsvip.cc, 1 +speedtailors.com, 1 +speedtemplate.de, 1 +speedtest-russia.com, 1 +speedvitals.com, 1 +speedwaybring-proposal.cf, 1 +speedwaybusinesspark.com, 1 +speedwell.pt, 1 +speedwp.ch, 1 +speedychat.it, 0 +speedynews.ml, 1 +speedyplatypus.com, 1 +speedzone.bg, 1 +speelfabriek.tk, 1 +speeli.com, 1 +speets.ca, 1 +spegeltankar.tk, 1 +speich.net, 1 +spek.tech, 1 +spekit.com, 1 +spelaspelautomater.ga, 1 +speleo-explo.fr, 1 +speleo.live, 1 +speletrodomesticos.com.br, 1 +spellcheck24.net, 1 +spellchecker.net, 1 +spellchecksquatting.com, 1 +spellic.com, 1 +spelling.ml, 1 +spellslinger.space, 1 +spencernc.gov, 1 +spencerscherer.com, 1 +spend.cloud, 1 +spendable.money, 1 +spendd.co, 1 +spenderservice.net, 1 +spendesk.com, 1 +spendlinq.com, 1 +spendmenot.com, 1 +spendo.gq, 1 +spendwise.com.au, 1 +spenglerei-shop.de, 1 +spenny.tf, 1 +spensix-pekalongan.tk, 1 +spentra.com, 1 +sperandii.it, 1 +sperformance.shop, 1 +spero.solutions, 1 +sperrmuell-berlin.de, 1 +sperrstun.de, 1 +spertto.com, 1 +spes.solutions, 1 +spesaerisparmio.com, 1 +spesys-services.fr, 1 +spetsialist.cf, 1 +spetskabel.ru, 1 +spettacolocame.ga, 1 +speventos.es, 1 +spewingmews.moe, 1 +speww.com, 1 +spfusion.com, 1 +sphaeristerium.it, 1 +sphere-realty.com, 1 +sphereblur.com, 1 +spherejoias.com.br, 1 +sphericalmagic.com, 1 +sphericalvision.cz, 1 +spholdings.us, 1 +sphynx-cats.com, 1 +sphynxboyz.com.au, 1 +spicandspanroofrestoration.com.au, 1 +spice-club.tk, 1 +spicegirlschart.tk, 1 +spiceislandhome.com, 1 +spicejungle.com, 1 +spicelandcorporation.com, 1 +spicemail.cc, 1 +spicemoney.com, 0 +spicerack.co.uk, 0 +spicerack.uk, 1 +spicevids.com, 1 +spicevidsgay.com, 1 +spichki.tk, 1 +spicture.in, 1 +spicydog.org, 1 +spicydog.tk, 1 +spicymatch.com, 1 +spicysubject.com, 1 +spicywombat.com, 1 +spidercrabs.tk, 1 +spidergymrotterdam.tk, 1 +spidermail.tk, 1 +spidermanitalia.tk, 1 +spidernet.tk, 1 +spideroak.com, 1 +spiders.org.ua, 1 +spidersweb.cf, 1 +spidersweb.ga, 1 +spidersweb.gq, 1 +spidertechpromotions.com, 1 +spidometr.ml, 1 +spie-wirliebenkabel.de, 1 +spiegelingenblog.nl, 1 +spiegels-op-maat.nl, 1 +spieka.info, 1 +spielautomaten.cf, 1 +spielbankspezialist.com, 1 +spielcasinos.com, 1 +spiele-gewinnspiele.tk, 1 +spielefant.de, 1 +spielezar.ch, 1 +spielgeld.tk, 1 +spielland.ch, 1 +spiellawine.de, 1 +spielmit.com, 1 +spieltexte.de, 1 +spiet.nl, 1 +spiffsearch.com, 1 +spiga.ch, 0 +spigotdesign.com, 1 +spikar.gr, 1 +spike.sh, 1 +spikejeon.tk, 1 +spikelands.com, 1 +spilka-dyplomativ.tk, 1 +spillbasen.no, 1 +spillersfamily.net, 0 +spillforum.no, 1 +spillhosting.no, 1 +spillmaker.no, 0 +spilnu.dk, 1 +spin.city, 1 +spinal.ga, 1 +spinbetter.com, 1 +spinbetter.life, 1 +spinbetter.online, 1 +spincity-casino.com, 1 +spindelnet.dk, 1 +spinderella.tk, 1 +spindrel.com, 1 +spinecomms.com, 1 +spinemexin.tk, 1 +spinner.dnshome.de, 1 +spinning-portugal.com, 1 +spinolamediation.com, 1 +spinozablue.com, 1 +spinpay.com.br, 1 +spins.city, 1 +spins.fedoraproject.org, 1 +spinscity-casino.info, 1 +spinscity.club, 1 +spinscity.info, 1 +spinscity.net, 1 +spinscity777.info, 1 +spintracer.de, 1 +spireat.it, 1 +spirella-shop.ch, 1 +spirent.com, 1 +spirit-hunters-germany.de, 1 +spirit55555.dk, 1 +spiritbionic.ro, 1 +spiritdesigns.tk, 1 +spiritedengineers.tk, 1 +spiritinthesky.com, 1 +spiritous.cf, 1 +spiritscorp.ddns.net, 1 +spiritual.codes, 0 +spiritualites.ch, 0 +spiritualityrise.com, 1 +spiritualpsychologyofacting.com, 1 +spiritualvybz.com, 1 +spiritworld.ml, 1 +spiro.se, 1 +spiski-domenov.tk, 1 +spisochek.tk, 1 +spisok-domenov.tk, 1 +spit.com.au, 1 +spitalbuhusi.ro, 1 +spitalulbuzau.ro, 1 +spitfireuav.com, 1 +spithoven.tk, 1 +spjaet.dk, 1 +splashily.gq, 1 +splashstoretw.com, 1 +splatjov.space, 1 +splatnet3.net, 1 +splatprofcare.com, 1 +splawoffice.com, 1 +splconsulenza.it, 1 +spleis.no, 1 +splendadent.it, 1 +splendidspoon.com, 0 +splendorservizi.it, 1 +splex.com, 1 +spli.co, 1 +splibrary.tk, 1 +splikity.com, 1 +splimtechco.tk, 1 +splintercake.tk, 1 +splinterface.io, 1 +splintermail.com, 1 +splinternews.com, 1 +split-taxiboat.com, 1 +split.rent, 1 +splitdna.com, 1 +splitero.com, 1 +splitreflection.com, 1 +splnk.net, 1 +sploch.com, 1 +splorge.cloud, 0 +splorge.website, 1 +splunk.net, 1 +splytech.io, 1 +spm-servis.tk, 1 +spmax.design, 1 +spmf.org.sg, 1 +spmfijnmechanica.nl, 1 +spmttest.azurewebsites.net, 1 +spnitalianfestival.com, 1 +spnsv.com, 1 +spocool.com, 1 +spodelime.com, 1 +spofia.nu, 1 +spokanecounty.gov, 1 +spokanevalleywa.gov, 1 +spokeoaffiliates.com, 1 +spokesly.com, 1 +spolekatelier.cz, 1 +spoluck.ca, 1 +spolwind.de, 0 +spom.net, 1 +sponc.de, 1 +spongebobwiki.tk, 1 +sponsor.software, 1 +spoofhaus.com, 1 +spookbook.net, 1 +spookquest.com, 1 +spooks.ga, 1 +spookyinternet.com, 1 +spoorcam.nl, 1 +sporadesnews.gr, 1 +sporenvanslavernijutrecht.nl, 1 +sporeprinters.com, 1 +sporki.fun, 1 +sporq.de, 1 +sporstball.com, 1 +sport-attitude.com, 1 +sport-in-sundern.de, 1 +sport-news.ml, 1 +sport-news24hs.tk, 1 +sport-obzor.tk, 1 +sport-online-ru.cf, 1 +sport-potreby.cz, 1 +sport-potreby.sk, 1 +sport-school.tk, 1 +sport-socken.net, 1 +sport-tv-guide.live, 1 +sport24.by, 1 +sport4sd.com, 1 +sportabatese.tk, 1 +sportabee.com, 0 +sportadictos.com, 1 +sportal.se, 1 +sportalliance.com, 1 +sportboot.mobi, 1 +sportcenter.ga, 1 +sportcenter.ml, 1 +sportchirp.com, 1 +sportclipsfranchise.com, 1 +sportcompactwarehouse.com, 1 +sportcucc.hu, 1 +sportda.tk, 1 +sporte3q.com, 1 +sportedy.com, 1 +sporter.com.hr, 1 +sportfair.it, 1 +sportfits.at, 1 +sportfits.de, 1 +sportfits.eu, 1 +sportfogadas.tk, 1 +sporthotel-rasen.com, 1 +sportify-design.fr, 1 +sportihome.com, 1 +sportinfon.cf, 1 +sportingclubdacruz.pt, 0 +sportivo.cf, 1 +sportivo.ga, 1 +sportivo.tk, 1 +sportli.cz, 1 +sportli.sk, 1 +sportlinks.tk, 1 +sportllux.com.br, 1 +sportmedia.ga, 1 +sportmultimedia.pt, 1 +sportnesia.com, 1 +sportnieuws.nl, 1 +sportnn.tk, 1 +sporto24.ml, 1 +sportovni.site, 1 +sportovnidum.cz, 1 +sportovnivozy.cz, 1 +sportparks.com, 1 +sportparks.org, 1 +sportpiacenza.it, 1 +sportplaatje.nl, 0 +sportposch.com, 1 +sportprint.hr, 1 +sportraucher.tk, 1 +sportrecife.com.br, 1 +sportrent.it, 1 +sports-colleges.com, 1 +sports-equipmen.tk, 1 +sports-news-today.ml, 1 +sports-online.cf, 1 +sports-sites.ml, 1 +sports-wear.tk, 1 +sportsandnews.tk, 1 +sportscanada.tk, 1 +sportsdans.tk, 1 +sportsdeck.tk, 1 +sportsdestinations.com, 1 +sportskibat.tk, 1 +sportsmagy.com, 1 +sportsmania.tk, 1 +sportsmansblog.com, 1 +sportsmashup.com, 1 +sportsmax.tv, 1 +sportspainmanagementnyc.com, 1 +sportspassbremen.de, 1 +sportspeople.com.au, 1 +sportstips.tk, 1 +sportstreetstyle.com, 1 +sportsxplay.com, 1 +sportticino.ch, 0 +sporttomorrow.com, 1 +sporttown.it, 1 +sportvereine.online, 1 +sportverzorging.tk, 1 +sportvision.ml, 1 +sportvissenfun.tk, 1 +sportwars.net, 1 +sportwette.net, 1 +sportwettenbonus.de, 1 +sportwettenschweiz.net, 1 +sportygirlsjewels.ga, 1 +sportztalk.com, 1 +spot-cleaner.tk, 1 +spot-pro.jp, 1 +spotifycodes.com, 1 +spotifyfreetrial.co.uk, 1 +spotifystars.com, 1 +spotifytop.me, 1 +spotless-londoncleaningcompany.com, 1 +spotlessohio.com, 1 +spotlightsrule.com, 1 +spotme.fit, 1 +spotmefit.com, 1 +spotonlive.dk, 1 +spotpetins.com, 1 +spotpetinsurance.ca, 1 +spotsee.io, 0 +spotsolutions.com, 1 +spotswoodvet.com, 1 +spotsylvaniacounty-va.gov, 1 +spotsylvaniacountyva.gov, 1 +spottedfoxdigital.com, 0 +spottedpenguin.co.uk, 1 +spotupload.com, 1 +spotwelders.co.nz, 1 +spotypal.com, 1 +spotzlight.cf, 1 +spotzlight.tk, 1 +spowtr.com, 1 +sppin.fr, 1 +sppit.com, 1 +spr.id.au, 1 +sprachenlernen24.org, 1 +sprachfreudehoch3.de, 1 +sprashivalka.com, 1 +spravka-internet.tk, 1 +spravka.tk, 1 +spravki.cf, 1 +spravochnick.ru, 1 +sprawdz-nip.pl, 1 +sprawdzanie-pozycji.pl, 1 +sprax2013.de, 1 +sprayontv.com, 0 +spreadsheetconverter.co, 1 +spreadsheets.google.com, 1 +spreadshirt.at, 1 +spreadshirt.be, 1 +spreadshirt.ca, 1 +spreadshirt.ch, 1 +spreadshirt.co.uk, 1 +spreadshirt.com, 1 +spreadshirt.com.au, 1 +spreadshirt.de, 1 +spreadshirt.dk, 1 +spreadshirt.es, 1 +spreadshirt.fi, 1 +spreadshirt.fr, 1 +spreadshirt.ie, 1 +spreadshirt.it, 1 +spreadshirt.net, 1 +spreadshirt.nl, 1 +spreadshirt.no, 1 +spreadshirt.pl, 1 +spreadshirt.se, 1 +spreadthejam.tk, 1 +spreadthenews.eu, 1 +spreaf.shop, 1 +spreed.me, 1 +spribe.co, 1 +spribe.io, 1 +spribe.net, 1 +spribe.tech, 1 +spribegaming.com, 1 +spricknet.de, 1 +sprietlopen.tk, 1 +sprillerer.tk, 1 +springbaystudio.com, 1 +springbreak.it, 1 +springdalewi.gov, 1 +springerundpartner.de, 1 +springfieldbricks.com, 0 +springfieldchartertownship.gov, 1 +springfieldsd.gov, 1 +springfieldvt.gov, 1 +springgrillhouse.com, 1 +springgrovepa.gov, 1 +springhillmaine.com, 1 +springhow.com, 1 +springlakemi.gov, 1 +springlanguages.com, 1 +springportmi.gov, 1 +springportny.gov, 1 +springsoffthegrid.com, 1 +springspeedshop.com, 1 +springtxcarpetcleaning.com, 1 +sprintkitchen.com, 1 +sprintlee.com, 1 +sprintswac.tk, 1 +spriterinc.com, 1 +spriters-resource.com, 1 +spritmonitor.de, 1 +spritsail.io, 1 +sprizzy.com, 1 +sprock.io, 0 +sprocktech.com, 1 +sprogress.uz, 1 +sprossen-keimlinge.de, 1 +sprossenwand.de, 1 +sproutsandstems.com, 1 +sproutstudio.com, 1 +sproutstudiostaging.com, 1 +sproutways.com, 1 +sprt.pl, 1 +sprucecreekclubs.com, 1 +sprucecreekgcc.com, 1 +spruces.gq, 1 +sprucingupmamahood.com, 1 +sprueche-zum-valentinstag.de, 1 +sprueche-zur-geburt.info, 1 +sprueche-zur-hochzeit.de, 1 +sprueche-zur-konfirmation.de, 1 +sprutech.de, 1 +sprzataniepopozarze.com.pl, 1 +sps-lehrgang.de, 1 +spslawoffice.com, 1 +spstaticfiles.com, 1 +spstechnical.com, 1 +spt.tf, 1 +spthk.com, 1 +sptk.org, 1 +spuda.net, 1 +spuffin.com, 1 +spufpowered.com, 1 +spur.com.br, 1 +spurghi.roma.it, 1 +spurhaus.com, 1 +spurstark.de, 1 +spurto.in, 1 +sputnik1net.org, 1 +spx.com, 1 +spy-net.tk, 1 +spycam.hopto.me, 1 +spychala-it.de, 1 +spyclub.tk, 1 +spydar007.com, 1 +spydar007.net, 1 +spydar007.wiki, 1 +spydersec.com, 1 +spyequipmentuk.co.uk, 1 +spypornone.com, 1 +spyprofit.ru, 1 +spyre.com, 1 +spyretx.com, 1 +spyroszarzonis.com, 1 +spyse.com, 1 +spytrash.tk, 1 +sq0z.ovh, 1 +sq3dmv.pl, 1 +sqalogic.com, 1 +sqap.pt, 1 +sqclick.com, 1 +sqdll.com, 1 +sqills.com, 0 +sql-injection.cz, 1 +sql-injection.rocks, 1 +sql-oem.com, 1 +sql-query-tool-exact-online.nl, 1 +sql-query-tool.com, 1 +sql-und-xml.de, 1 +sql.bi, 1 +sqlapius.net, 1 +sqlbi.com, 1 +sqldbm.com, 1 +sqli.cz, 1 +sqli.rocks, 1 +sqlinjection.cz, 1 +sqlinjection.rocks, 1 +sqliteonline.com, 1 +sqlwrapper.com, 1 +sqmin.tk, 1 +sqr-training.com, 1 +sqrl.ch, 1 +sqroot.eu, 1 +sqsd.xyz, 1 +squad.fr, 1 +squadco.com, 1 +squadgames.ru, 1 +squamiferum.net, 1 +squardllc.ml, 1 +square-gamers.tk, 1 +square-gaming.org, 1 +square-phone.com, 1 +square-src.de, 0 +square.com, 1 +square.com.mx, 1 +square.engineering, 1 +square.it, 1 +square.ly, 1 +square.mx, 1 +square.site, 1 +squarecdn.com, 1 +squaredancedance.tk, 1 +squaredtechnologies.com, 1 +squareeye.com, 1 +squarefootllcconstruction.com, 0 +squareforums.com, 1 +squaregift.com, 1 +squaregift.net, 1 +squaregift.org, 1 +squareinchhome.com, 1 +squareincircle.me, 1 +squareinstallments.com, 1 +squareinvite.com, 1 +squareinvoices.com, 1 +squarelab.it, 1 +squaremktg.com, 1 +squarenoid.com, 1 +squareoffer.com, 1 +squareonebgc.com.ph, 1 +squarepocketdesign.com, 0 +squareregister.com, 1 +squaresoft.ga, 1 +squaresolutions.com, 1 +squarestagingexternal.com, 1 +squareup.com, 1 +squareupsandbox.com, 1 +squeakie.club, 1 +squeaksscalesandtails.com, 1 +squeaky.services, 1 +squealing-filth.tk, 1 +squeezemetrics.com, 1 +squelcher.cf, 1 +squibby.ml, 1 +squid-board.org, 0 +squid.gay, 1 +squidnovels.tk, 1 +squido.ch, 1 +squidparty.com, 1 +squids.space, 1 +squiresinsurance.net, 1 +squirex2.com, 1 +squirted.com, 1 +squirtingpussygirl.com, 1 +squirtqueen.org, 1 +sqxb0.ga, 1 +sr-33.com, 1 +sr-f.tk, 1 +sr.ht, 1 +sr33.com, 1 +sr88.co.uk, 1 +sr88.me.uk, 1 +srae.me.uk, 1 +sram.top, 1 +srandom.com, 1 +sranje.rocks, 1 +sratim.tv, 1 +sravyareddy.space, 1 +srb.help, 1 +srbc.gov, 1 +src.fedoraproject.org, 1 +src.pp.ua, 1 +srcbolt.com, 1 +srchicmodas.com.br, 1 +srchub.org, 1 +srcpa.gov, 1 +srd.re.kr, 0 +srdmarketingservice.com, 1 +sreb.loan, 1 +srebro.cc, 1 +sreedhareeyam.tk, 1 +sreeharis.tk, 1 +sreenadh.in, 1 +sremodelingnyc.com, 1 +srfloki.com, 1 +srhdesign.co.uk, 1 +sri.com.pa, 0 +sridevi.ru, 1 +srife.net, 1 +srigc.com, 1 +srilanka.travel, 1 +srilankan-hope-for-children.nl, 1 +srilankanguides.com, 1 +sriramdigital.tk, 1 +sriravana.tk, 1 +srishtifibernetnetwork.in, 1 +sristicreationart.com, 1 +sritafrican.tk, 1 +sritalabama.tk, 1 +sritalaska.tk, 1 +sritbeauty.tk, 1 +sritbrazil.tk, 1 +sritcalifornia.tk, 1 +sritcities.tk, 1 +sritclassic.tk, 1 +sritculture.tk, 1 +sritegypt.tk, 1 +srithunters.tk, 1 +sritidaho.tk, 1 +sritsafety.ml, 1 +sritspanish.tk, 1 +srittheatre.tk, 1 +sritvermont.tk, 1 +srix.ml, 1 +srkarra.com, 1 +srkb.net, 1 +srle.tk, 1 +srmi.biz, 1 +srmllc.net, 1 +srmstatic.com, 1 +srnl.gov, 1 +sro.fi, 1 +sro.nl, 1 +srochno-pohudeti.tk, 1 +srochnozaim.gq, 1 +srochnyj-zajm.ga, 1 +sroma.tk, 1 +srorisksolutions.tk, 1 +sros.fi, 1 +sroturkey.tk, 1 +srp.gov, 1 +srpx.de, 1 +srqpedals.com, 1 +srroddy.com, 1 +srs.sg, 0 +srsforward.email, 1 +srsfwd.com, 1 +srsfwd.email, 1 +srsfwd.eu, 1 +srsfwd.net, 1 +srsfwd.org, 1 +srspmatti.in, 1 +srto.win, 1 +srun.in, 0 +sruthisjewellery.com, 1 +srv-4g-test.fr, 1 +srv-home.fr, 1 +srvonfire.com, 1 +srwminc.com, 1 +srx.sx, 1 +ss-news.tk, 1 +ss.com, 1 +ss.lazio.it, 1 +ss.lt, 1 +ss.lv, 1 +ss.ua, 1 +ss09.com, 0 +ss5197.co, 1 +ss64.com, 1 +ss64.org, 1 +ss6729.co, 1 +ss6729.com, 0 +ss6957.co, 1 +ss9188.com, 0 +ss9288.com, 0 +ss9297.co, 1 +ss9397.com, 1 +ss9728.co, 1 +ssa.co.ir, 1 +ssa.gov, 0 +ssaarevents.tk, 1 +ssab.gov, 1 +ssasociety.nl, 1 +ssatpa.com, 1 +ssatripura.com, 1 +ssb.ee, 1 +ssbjk.org, 1 +ssbljk.com, 1 +ssbrm.ch, 1 +ssbwiki.com, 1 +ssc.vg, 0 +sscd.no, 1 +sschd.cc, 0 +sscnapoli.it, 1 +ssconn.com, 1 +sscpsms.biz, 1 +ssdax.com, 1 +ssdpalermo.it, 1 +ssenberg.nl, 1 +ssentinel.com, 1 +sserc.ca, 1 +ssetechnologies.com, 1 +ssf.no, 1 +ssfca.gov, 1 +ssh-keys.online, 1 +ssh-vault.com, 1 +ssh.in.ua, 0 +sshbox.tk, 1 +sshd.site, 1 +sshool.at, 1 +sshwiki.tk, 1 +sshx.top, 1 +ssjid.gov, 1 +ssk.ovh, 1 +sskb-ey.tech, 1 +ssky.cn, 1 +ssl-zertifikate.de, 1 +ssl.com.ru, 1 +ssl.google-analytics.com, 1 +ssl.org, 1 +ssl24.pl, 1 +ssl247.co.uk, 1 +ssl247.com.mx, 1 +ssl247.de, 1 +ssl247.dk, 1 +ssl4all.gq, 1 +sslc.gov, 1 +sslcertificaten.nl, 1 +sslcheck.nl, 1 +sslcloud.net, 1 +ssld.at, 1 +ssldecoder.eu, 1 +ssldev.net, 1 +sslgctx.gov, 1 +sslgram.com, 1 +sslhello.com, 1 +sslle.eu, 1 +sslmate.com, 1 +sslmonitor.eu, 1 +sslmonkey.net, 1 +sslok.com, 0 +sslping.com, 1 +sslpoint.com, 1 +ssls.cz, 1 +sslsecureproxy.com, 1 +sslsurvey.de, 1 +ssltrus.com.cn, 1 +ssm-techmarketing.tk, 1 +ssma.it, 1 +ssmato.me, 1 +ssmd.tk, 1 +ssmic.com, 0 +ssmm88.cc, 1 +ssmothership.tk, 1 +ssmpuc.com, 1 +ssmrca.ca, 1 +ssmwebportal.tk, 1 +ssnetwork.jp, 1 +ssone.ee, 1 +ssprod.tk, 1 +sspu.ml, 1 +ssqq.com, 1 +ssr.llc, 1 +ssradio.live, 1 +ssready.io, 1 +ssrfq.com, 1 +ssrgov.cn, 1 +ssrvpn.tech, 1 +sss.red, 1 +ssshh.com, 1 +sssib.ru, 1 +ssslelectricfencing.co.za, 1 +sssppp.gq, 1 +sssss.click, 1 +sssssssss.com, 0 +sst-racing.ch, 1 +sst.ru, 1 +sstaging.com, 1 +sstestingservice.com, 1 +ssu.moe, 1 +ssuc.net, 1 +ssuiteoffice.com, 1 +ssuitesoft.com, 1 +st-damase.qc.ca, 1 +st-kilian-markt-erlbach.de, 1 +st-li.com, 0 +st-news.de, 1 +st-shakyo.jp, 1 +st-steuern.de, 1 +st42.fr, 1 +staaldart.tk, 1 +staapp.org, 1 +staapprecruiting.org, 1 +staatdesinternets.nl, 1 +staatdesnederlandscheninternets.nl, 1 +staatdesnederlandseninternets.nl, 1 +staatschutz.at, 1 +staatsschutz.at, 1 +staatsschutzgesetz.at, 1 +staatvanhetnederlandscheinternet.nl, 1 +staatvanhetnederlandseinternet.nl, 1 +stabelino.tk, 1 +stabilimento.it, 1 +stabilizatory.ga, 1 +stableflect.finance, 1 +stablelib.com, 1 +stablina.tk, 1 +stacabinetdepot.com, 1 +stacisezeptat.cz, 1 +stackery.io, 1 +stackhub.cc, 1 +stacklasvegas.com, 1 +stackroute.in, 1 +stackshine.com, 1 +stackstartup.com, 1 +stackstartup.tech, 1 +stacky.me, 1 +stad.gent, 1 +stadgent.be, 1 +stadiamaps.com, 1 +stadionmanager.com, 1 +stadionwelt.de, 1 +stadlwirt.at, 1 +stadm.com, 1 +stadspaleizengent.be, 1 +stadtbauwerk.at, 0 +stadtcentrum.it, 1 +stadterneuerung-hwb.de, 1 +stadtkapelle-oehringen.de, 1 +stadtpapa.de, 1 +stadtplan-ilmenau.de, 1 +staer.ro, 1 +staff.direct, 1 +staffaugmentation.ae, 1 +staffaugmentation.al, 1 +staffaugmentation.at, 1 +staffaugmentation.ba, 1 +staffaugmentation.be, 1 +staffaugmentation.bg, 1 +staffaugmentation.ch, 1 +staffaugmentation.co.il, 1 +staffaugmentation.co.uk, 1 +staffaugmentation.com.ar, 1 +staffaugmentation.com.ua, 1 +staffaugmentation.cz, 1 +staffaugmentation.de, 1 +staffaugmentation.dk, 1 +staffaugmentation.ee, 1 +staffaugmentation.es, 1 +staffaugmentation.eu, 1 +staffaugmentation.fi, 1 +staffaugmentation.fr, 1 +staffaugmentation.ge, 1 +staffaugmentation.gr, 1 +staffaugmentation.hr, 1 +staffaugmentation.hu, 1 +staffaugmentation.it, 1 +staffaugmentation.jp, 1 +staffaugmentation.li, 1 +staffaugmentation.lt, 1 +staffaugmentation.lu, 1 +staffaugmentation.lv, 1 +staffaugmentation.md, 1 +staffaugmentation.me, 1 +staffaugmentation.mk, 1 +staffaugmentation.mx, 1 +staffaugmentation.nl, 1 +staffaugmentation.no, 1 +staffaugmentation.pe, 1 +staffaugmentation.ph, 1 +staffaugmentation.pl, 1 +staffaugmentation.pt, 1 +staffaugmentation.ro, 1 +staffaugmentation.rs, 1 +staffaugmentation.si, 1 +staffaugmentation.us, 1 +staffaugmentation.vn, 1 +staffhours.com, 1 +staffi.tk, 1 +staffingnation.com, 1 +staffordpk.tk, 1 +staffsante.fr, 1 +staffsocial.fr, 1 +stage-bluejeans.com, 1 +stage-gate.la, 1 +stage-metrobible.org, 1 +stage-privacyportal-ui.azurewebsites.net, 1 +stage-props-blank-guns.com, 1 +stage-recuperation-points-bordeaux.com, 1 +stage-recuperation-points-lille.com, 1 +stage-recuperation-points-lyon.com, 1 +stage-recuperation-points-marseille.com, 1 +stage-recuperation-points-montpellier.com, 1 +stage-recuperation-points-nantes.com, 1 +stage-recuperation-points-nice.com, 1 +stage-recuperation-points-paris.com, 1 +stage-recuperation-points-reims.com, 1 +stage-recuperation-points-rennes.com, 1 +stage-recuperation-points-strasbourg.com, 1 +stage-recuperation-points-toulouse.com, 1 +stage.wepay.com, 1 +stage4.ch, 1 +stageirites.com, 1 +stageirites.fr, 1 +stageirites.org, 1 +stagend.com, 1 +stagespediatrics.com, 1 +stagewalker.no, 1 +staging-scholar.tk, 1 +stagingcleargrain.com.au, 1 +stagingelpactest.eu, 1 +stagingpepocoin.com, 1 +stagmarketim.com, 1 +stagoz.com, 1 +stahlen.dk, 1 +stahlfors.com, 1 +stahlp.dk, 1 +stahlzart-moebel.de, 1 +stahlzart.at, 1 +stahlzart.com, 1 +stahlzart.de, 1 +stail.eu, 1 +stainfilm.com, 1 +stainhaufen.de, 1 +stainless-steel-cookware.tk, 1 +stainternational.com, 1 +staiprefa.com, 1 +stair.ch, 1 +stairlin.com, 0 +stairmaster.tk, 1 +stajka.tk, 1 +staked.us, 1 +stakedate.com, 0 +stakeholders.ca, 1 +stakingjobs.com, 1 +stako.jp, 1 +stakotec.de, 1 +staktrace.com, 1 +stal-rulon.ru, 1 +stalbansvt.gov, 1 +stalbanswv.gov, 1 +stalder.work, 1 +stalevski.tk, 1 +stalgeraardsbergen.tk, 1 +stalin.tk, 1 +stalker-eyes.ga, 1 +stalker-shop.com, 1 +stalker-source.tk, 1 +stalkerteam.pl, 1 +stalkr.net, 1 +stalkthe.net, 1 +stall-frei.de, 1 +stallardjw.me, 1 +stallbesuch.de, 1 +stallionsnow.com, 1 +stallone.pl, 1 +stalphonsusks.org, 1 +stalplus.ml, 1 +stalstroi.ml, 1 +staltrade.uz, 1 +stalwartshopping.com, 1 +stalworld.tk, 1 +stamant.org, 1 +stamboomforum.nl, 1 +stamboomgids.nl, 1 +stamgent.be, 1 +stamit.nl, 1 +stamkassa.nl, 1 +stammering.ga, 1 +stammtisch-bauwagen.tk, 1 +stammtisch.domains, 1 +stamonicatourandtravel.com, 1 +stampederadon.com, 1 +stamperdle.com, 1 +stampinggroundky.gov, 1 +stampix.com, 1 +stampsbar.co.uk, 0 +stamurai.com, 1 +stanandjerre.org, 1 +stanbul.ru, 1 +stanchierifamilylaw.com, 1 +stancoe.org, 0 +stand.earth, 1 +stand.gg, 1 +standard-mobilitaet.de, 1 +standard-wohnungsbaukredit.ag, 1 +standard-wohnungsbaukredit.biz, 1 +standard-wohnungsbaukredit.com, 1 +standard-wohnungsbaukredit.de, 1 +standard-wohnungsbaukredit.eu, 1 +standard-wohnungsbaukredit.info, 1 +standard-wohnungsbaukredit.net, 1 +standard-wohnungsbaukredit.org, 1 +standard.co.uk, 1 +standardizarea.ro, 1 +standardlifters.com, 1 +standardmetrics.io, 1 +standardnotes.com, 1 +standards.gov, 1 +standardstraversal.jp, 1 +standardwohnungsbaukredit.ag, 1 +standardwohnungsbaukredit.biz, 1 +standardwohnungsbaukredit.com, 1 +standardwohnungsbaukredit.de, 1 +standardwohnungsbaukredit.eu, 1 +standardwohnungsbaukredit.info, 1 +standardwohnungsbaukredit.net, 1 +standardwohnungsbaukredit.org, 1 +standdownofnorthjersey.org, 1 +standford.pe, 1 +standfore.com, 1 +standheizung-shop.de, 1 +standiluminaciones.com, 1 +standingbear.tk, 1 +standoff-magic.ru, 1 +standoffarena.com, 1 +standoffdrop.ru, 1 +standsearch.cf, 1 +standupcomedy.cf, 1 +standupcomedy.ga, 1 +standupcomedy.tk, 1 +standwithhaiti.org, 1 +stanfordny.gov, 1 +stang.moe, 1 +stangeland.tk, 1 +stanglwirt.com, 1 +stanin.net, 1 +stanislav-lysenko.lawyer, 1 +stankingma.com, 1 +stankingma.nl, 1 +stanmed24.pl, 1 +stanmirstudio.pl, 1 +stannesvets.co.uk, 1 +stannri.org, 1 +stanonline.tk, 1 +stanron.com, 1 +stansberryresearch.com, 1 +stansweather.net, 1 +stantabler.com, 1 +stanthony-hightstown.net, 1 +stantonca.gov, 1 +stantoncountyne.gov, 1 +stanwoodwa.gov, 1 +stanza.group, 1 +stape.io, 1 +staplespromo.com, 1 +staplestx.gov, 1 +stapvoorstapduurzaam.nl, 1 +star-citizen.wiki, 1 +star-clean.it, 1 +star-darom.co.il, 1 +star-life.tk, 1 +star-one.co.uk, 1 +star.my.id, 1 +star.watch, 1 +starase.com, 0 +starb.in, 1 +starbaese.de, 1 +starbase01.com, 1 +starboardmarketing.io, 1 +starbreaker.org, 1 +starbt.ro, 1 +starbucks.vn, 1 +starbusiness.ml, 1 +starbyte.co.uk, 1 +starcitizen.tools, 1 +starcitizenreferral.codes, 1 +starcitywv.gov, 1 +starcoachservices.ca, 1 +starcomproj.com, 1 +starconnect.at, 1 +starcraftsource.tk, 1 +starcroisieres.com, 1 +starcubix.com, 1 +starcys.xyz, 1 +stardanceacademy.net, 1 +stardev.ovh, 1 +stardima.com, 1 +stardomino.tk, 1 +stardozen.com, 0 +stardrive.cf, 1 +starease.com, 1 +starease.net, 1 +starengineeringinc.com, 1 +starexponent.com, 1 +starfall.systems, 1 +starfeeling.net, 1 +starfield.ai, 1 +starfieldguide.com, 1 +starfiles.co, 1 +starfm.gq, 1 +starfm.ml, 1 +starfriend.ru, 1 +stargarder-jungs.de, 1 +stargate.gq, 1 +stargazer.de, 1 +stargift.ch, 1 +starglancer.ddns.net, 1 +starherald.com, 1 +stari.co, 1 +stariders.com, 1 +starina.ru, 1 +starinc.xyz, 1 +staring.es, 1 +staring.tk, 1 +staringer.net, 1 +starinsights.com, 1 +starka.st, 1 +starkbim.com, 1 +starking.net.cn, 1 +starking.tk, 1 +starknh.gov, 1 +starkparks.gov, 1 +starkstromkonsument.de, 1 +starkvilleurgentcareclinic.com, 1 +starlabs.bio, 1 +starless.one, 1 +starlim.co.in, 1 +starlim.org, 1 +starlincuesta.gq, 1 +starline.ru, 1 +starlinks.tk, 1 +starlinkz.tk, 1 +starluky.com, 1 +starlux.cz, 1 +starlynr.sk, 1 +starman.agency, 1 +starmyworld.ga, 1 +staroch.name, 1 +starorusing.com, 0 +starover.tk, 1 +starpeak.org, 1 +starphonefix.com, 0 +starpoles.com, 1 +starprime.ch, 1 +starprime.de, 1 +starprime.eu, 1 +starprime.net, 1 +starrace.eu, 1 +starretest.nl, 1 +starreview.tk, 1 +starring.work, 1 +starrosesandplants.com, 1 +starry.blue, 1 +starrynight.com, 1 +starryvoid.com, 1 +starsam80.net, 1 +starsandmanifolds.xyz, 0 +starsbattle.net, 1 +starscream.xyz, 1 +starsessions.cc, 1 +starsguru.com, 1 +starship.xyz, 1 +starsing.bid, 1 +starskim.cn, 1 +starsoft.io, 1 +starspie.com, 1 +start-knighki.gq, 1 +start-nadlan.co.il, 1 +start-school.online, 1 +start.ag, 1 +start.ie, 1 +start.stockholm, 1 +start2dance.tk, 1 +startablog.tv, 1 +startag.xyz, 1 +startandstop.fr, 1 +startaninflatablebusiness.com, 1 +startbetter.tk, 1 +startbiz.biz.id, 1 +startbiz.co.id, 1 +startbiz.my.id, 1 +startbiz.web.id, 1 +startengine.com, 1 +starter.social, 1 +startersiteweb.com, 1 +startgeophysical.ga, 1 +starthubs.uk, 1 +starti.com.ua, 1 +startinganllcbusiness.com, 1 +startingent.be, 1 +startingyourbusiness.com, 1 +startit.bot, 1 +startlab.sk, 1 +startlap.es, 1 +startle.cloud, 1 +startle.studio, 1 +startlgvtraining.co.uk, 1 +startlinks.tk, 1 +startliste.info, 1 +startmail.com, 1 +startner.com, 1 +startpage.com, 1 +startpage.info, 1 +startpage4u.tk, 1 +startplats.tk, 1 +startplaying.games, 1 +startpoint.tk, 1 +starts.sh, 1 +startsafety.uk, 1 +startstack.tech, 1 +starttraffic.uk, 1 +startup-stack.com, 1 +startup-stack.tech, 1 +startup.melbourne, 1 +startupbros.com, 1 +startupgov.lt, 1 +startupisland.tw, 1 +startupislandtaiwan.com, 1 +startupislandtaiwan.net, 1 +startupislandtaiwan.org, 1 +startupopinions.com, 1 +startupstack.cloud, 1 +startupstack.llc, 1 +startupstack.net, 1 +startupstack.online, 1 +startupstack.pro, 1 +startupstack.services, 1 +startupstack.site, 1 +startupstack.software, 1 +startupstack.systems, 1 +startupstack.tech, 1 +startupstack.technology, 1 +startupstacksandbox.com, 1 +startupstacktech.com, 1 +startupswitzerland.com, 1 +startuptechstack.com, 1 +startupum.ru, 1 +startupweb.io, 1 +startupyourmind.com, 1 +startw.cf, 1 +startwithpieter.com, 1 +starvizyon.com, 1 +starwarschronology.com, 1 +starwatches.eu, 1 +starx.ink, 1 +stashbase.org, 1 +stashcast.org, 1 +stashport.org, 1 +stashseed.org, 1 +stasia.ml, 1 +stasiniewicz.com, 1 +stasiniewicz.net, 1 +stass.eu, 1 +stastka.ch, 1 +stasyan.ga, 1 +staszic.waw.pl, 1 +stat-xpert.com, 1 +stat.ink, 1 +statcenter.tk, 1 +state-of-body-and-mind.com, 1 +statecareercenter.com, 1 +statecollegemortgages.com, 1 +stated.gq, 1 +statefunddirect.com, 1 +stateidea.ga, 1 +statejobcenter.com, 1 +statelibraryofiowa.gov, 1 +statelines.ga, 1 +statelywork.com, 1 +statemercantile.com.au, 1 +statenislandonlinecremation.com, 1 +stateofwatourism.com, 1 +statepoint.net, 1 +staterun.tk, 1 +stateserv.com, 1 +statesville.com, 1 +statfluence.com, 1 +statgram.me, 1 +static-assets.io, 1 +static-myfxee-808795.c.cdn77.org, 1 +static-myfxoau-808795.c.cdn77.org, 1 +static-myfxouk-808795.c.cdn77.org, 1 +static.hosting, 1 +static.wepay.com, 1 +staticfury.com, 1 +staticline.de, 1 +staticweb.tk, 1 +statik.space, 1 +statinfer.com, 1 +stationa.ch, 0 +stationary-traveller.eu, 1 +stationaryengines.tk, 1 +stationcharlie.co.za, 1 +stationmedia.tk, 1 +statistician-online.com, 0 +statistik-seminare.de, 1 +statnevlajky.sk, 1 +statnivlajky.cz, 1 +stats-co.eu, 1 +stats-mailtracker.com, 1 +stats.g.doubleclick.net, 1 +stats.moe, 1 +statscrew.com, 1 +statsit.ga, 1 +statsme-app.com, 1 +statspolicy.gov, 1 +status.events, 1 +status.im, 0 +status.vg, 1 +statusbadges.me, 1 +statusboard.eu, 1 +statuscast.com, 1 +statuscode.ch, 0 +statusforward.com, 1 +statushero.com, 1 +statusmachine.com, 1 +statusmantra.tk, 1 +statuswatch.io, 1 +statxperts.com, 1 +stauffer-media.net, 1 +stavanger.kommune.no, 1 +stavgp2.ru, 1 +stavinchains.tk, 1 +stavnager.net, 1 +stavropol-news.ga, 1 +stavros.ovh, 1 +staxflax.tk, 1 +stay-curious.at, 1 +stay4all.nl, 1 +stayby.me, 1 +staycurrent.eu, 1 +staycurrent.nl, 1 +staydryohio.com, 1 +stayglam.com, 1 +staygold.blog, 1 +staygoldenphotobooth.com, 1 +stayinbusiness.nl, 1 +staylovely.tk, 1 +stayme.cz, 1 +stayokay.com, 1 +stazi.tk, 1 +stb-schefczyk.com, 1 +stb-schefczyk.de, 1 +stb-schefczyk.info, 1 +stb-schefczyk.net, 1 +stb-timmler.de, 1 +stb.gov, 1 +stbarnabashealthsystem.com, 1 +stbartholomewmanchester.org, 1 +stbcg.com, 1 +stbk.link, 1 +stbl.org, 1 +stblaw.com, 1 +stc-istok.com.ua, 1 +stc-knrm.nl, 1 +stc.training, 1 +stcatharinesromawolves.tk, 1 +stcc.edu, 1 +stccordoba.com, 1 +stceciliakearny.org, 1 +stcet.ac.in, 1 +stcharlescountycsfamo.gov, 1 +stcharlesparish.gov, 1 +stclairpa.gov, 1 +stclairvet.co.uk, 1 +stclementmatawan.org, 1 +stclementreligioused.org, 1 +stcloudfl.gov, 1 +stcomcybersecurity.net, 1 +stcplasticsurgery.com, 1 +stdavidparish.org, 1 +stdavidtheking.com, 1 +stdenv.de, 1 +stderr.cc, 1 +stderr.ch, 1 +stdev.org, 1 +stdev.top, 1 +stdnet.ru, 1 +stdssr.com, 1 +ste2.de, 1 +steacy.tech, 1 +steak-kojiro.com, 1 +steakovercooked.com, 1 +stealingheather.com, 1 +stealsaga.net, 1 +stealth.net, 1 +stealthbinders.tk, 1 +stealthhaven.xyz, 1 +stealthmodel.fi, 1 +stealthseminar.com, 1 +steam-rewards.tk, 1 +steam-route-saxony.com, 1 +steamcarddelivery.com, 1 +steamcardexchange.net, 1 +steamcars.be, 1 +steamcleaning.expert, 1 +steamcn.info, 1 +steamcrack.ga, 1 +steamdb.info, 1 +steamdeckinfo.org, 1 +steamerrors.com, 1 +steamgifts.com, 1 +steamid.net, 1 +steamid.tools, 1 +steamkeyget.ga, 1 +steamlevelmarket.com, 1 +steamold.com, 0 +steamosaic.com, 1 +steampoweredlawngnome.com, 1 +steampress.io, 1 +steamscore.info, 1 +steamsprays.tk, 1 +steamstat.us, 1 +steamstatus.cn, 1 +steamtrades.com, 1 +stebenkov.tk, 1 +steborio.pw, 1 +steckel.cc, 1 +stecos.co.uk, 1 +stedb.eu, 1 +stedbg.net, 1 +stedelijkorkestpurmerend.nl, 1 +steebel.com.au, 1 +steeble.com.au, 1 +steef389.eu, 1 +steeha.nl, 1 +steel-pc.fr, 1 +steel-pc.lu, 1 +steel-roses.de, 1 +steelbeasts.org, 0 +steelecountymn.gov, 1 +steelecountynd.gov, 1 +steelephys.com.au, 1 +steelfencestlouis.com, 1 +steelfirm.ga, 1 +steelframejourney.com, 1 +steelfxpatinas.com, 1 +steelhouse.com, 1 +steelmounta.in, 1 +steelnavi.jp, 1 +steelpoint.com.pl, 1 +steelportknife.com, 1 +steelsheds.biz, 1 +steelshop.net, 1 +steelsoldiers.com, 1 +steelvortex.tk, 1 +steelway.biz, 1 +steelzone.tk, 1 +steemit.com, 1 +steempeak.com, 1 +steemworld.org, 1 +steemyy.com, 1 +steenkampskraal.com, 1 +steenwijkerland.nl, 1 +steering-wheel.tk, 1 +steevels.nl, 1 +stefaanoyen.be, 1 +stefamedia.com, 1 +stefan-bayer.eu, 1 +stefan-karstens.de, 1 +stefan-rothe.ch, 1 +stefan-schlueter.de, 1 +stefan-schmid.com, 1 +stefan.de, 1 +stefanbayer.de, 1 +stefandesign.tk, 1 +stefanfriedli.ch, 1 +stefangroothuis.tk, 1 +stefania.tk, 1 +stefaniepetermann.eu, 1 +stefaniharvilla.tk, 1 +stefanini.com, 1 +stefanknobel.ch, 1 +stefano-wesel.de, 1 +stefanoiavarone.com, 1 +stefanolsdal.tk, 1 +stefanrusie.ro, 1 +stefanvd.net, 1 +stefany.cloud, 1 +stefany.eu, 1 +stefchapman.tk, 1 +stefcraps.tk, 1 +steffenmeister.com, 1 +steffi-in-australien.com, 1 +steffi-knorn.de, 1 +steffko.net, 1 +stefpastoor.nl, 0 +stegenevieve.gov, 1 +steggemachine.com, 1 +stehlik.co.uk, 1 +stehlik.sk, 1 +steigerlegal.ch, 1 +steinbach.ai, 1 +steiner-dominik.at, 1 +steiner.do, 1 +steiner.is, 1 +steiner.is.it, 1 +steiner.sh, 1 +steinerkovarik.de, 1 +steiners.party, 1 +steingergreeneandfeiner.com, 1 +steingergreenefeiner.com, 1 +steinhartwatches.de, 1 +steinibox.de, 1 +steinmassl.org, 1 +steinmetz.cloud, 1 +stekelenburg.me, 1 +steklein.de, 1 +steleentechnischevraag.com, 1 +steleentechnischevraag.eu, 1 +steleentechnischevraag.nl, 1 +stelem.com, 1 +stelfox.net, 1 +stelga.ca, 1 +steliosmanousakis.gr, 1 +stella-shop.eu, 1 +stellacinderella.net, 1 +stellanova-planeten.de, 0 +stellar.com.de, 1 +stellar.org, 1 +stellarguard.me, 1 +stellarite.io, 1 +stellarium-gornergrat.ch, 1 +stellarlumensnews.today, 1 +stellarosa-clinic.net, 1 +stellarpurr.me, 1 +stellartraderacademy.co.uk, 1 +stellen.ch, 1 +stelleninserate.de, 1 +stellenticket.de, 1 +steller.co, 1 +stelletjeafgebeuktemongolen.tk, 1 +stellexshop.ru, 1 +stelling.nl, 0 +stellmacher.name, 1 +stelovisual.pl, 1 +stels.ml, 1 +stels.tk, 1 +steltzer-scheidung.de, 1 +stelzl.co, 1 +stem16plus.gent, 1 +stematechnologies.ga, 1 +stembureau-nissewaard.nl, 1 +stembureauledenindenhaag.nl, 1 +stembureaunijmegen.nl, 1 +stemcellclinic.design, 1 +stemcellclinic.live, 1 +stemcellclinic.ltd, 1 +stemcellclinic.network, 1 +stemcellclinic.services, 1 +stemcellclinic.store, 0 +stemcellclinic.tech, 1 +stemcellclinic.vip, 1 +stemcellclinic.world, 1 +stemcellsscotland.co.uk, 1 +stemderbomen.tk, 1 +stemgirls.co.za, 1 +stemklank.tk, 1 +stemmayhem.com, 1 +stemoplinks.nl, 1 +sten.photography, 1 +stena.cf, 1 +stenaro.ch, 1 +stencilsaustralia.com.au, 1 +stenhojmedia.dk, 1 +stening.co, 1 +steno.nl, 1 +stenstromen.se, 1 +stenvallmcclain.tk, 1 +stenzhorn-cloud.de, 1 +steolo.com, 1 +step-lead.cc, 1 +step2web-cms.info, 1 +stepanvanek.cz, 1 +stepanyansurgical.com, 1 +steparovi.cz, 1 +stepbrobd.com, 1 +steph.ninja, 0 +steph3n.me, 1 +stephan-matthiesen.de, 1 +stephanao.tk, 1 +stephandriessen.tk, 1 +stephaniecalahan.com, 1 +stephaniedeady.ie, 1 +stephanielacroix.nl, 1 +stephanieleonidasfan.tk, 1 +stephanieschreiber.com, 1 +stephanoptiek.nl, 1 +stephen-oliver-art.co.uk, 1 +stephenbakalian.com, 1 +stephencorp.com, 1 +stephencreilly.com, 1 +stephenhaunts.com, 1 +stephenj.co.uk, 1 +stephenperreira.com, 1 +stephenplustwik.com, 1 +stephenreescarter.net, 1 +stephenschirle.gq, 1 +stephenschirle.ml, 1 +stephenschrauger.com, 1 +stephenschrauger.org, 1 +stephenscity.gov, 1 +stephensol.is, 1 +stephensolis.com, 1 +stephensolis.net, 1 +stephensolisrey.es, 1 +stephensoncountyil.gov, 1 +stephsolis.net, 1 +stephspace.net, 1 +stephycom.com, 1 +stepin.cloud, 0 +steplab.co, 1 +steplogictalent.com, 1 +steponedanceclub.uk, 1 +steppesisters.org, 1 +steppicrew.de, 1 +steppingoutinstyleonline.com, 1 +steppinout.tk, 1 +stepplanning.com, 1 +stepstone.dk, 1 +stepupforeurope.eu, 1 +stepyz.com, 1 +stepzen.com, 1 +ster-enzo.nl, 1 +ster.nl, 1 +sterchit.ch, 1 +stereo.com, 1 +stereoamistadmomos.ga, 1 +stereoamistadmomos.gq, 1 +stereoamistadmomos.ml, 1 +stereob.it, 1 +stereochro.me, 0 +stereoscopio.es, 1 +stereostudio.cf, 1 +stereotyped.de, 1 +sterilium.tk, 1 +sterling.com, 1 +sterlingheights.gov, 1 +sterlinginsurance.com.au, 0 +sterlingtechnotrade.com, 1 +sterlinx.de, 1 +stern-freunde.de, 1 +stern.koeln, 1 +sternadel.pl, 1 +sternen-sitzberg.ch, 1 +sternenbund.info, 1 +sternik-motorowodny.com.pl, 1 +sterno.cf, 1 +sternplastic.com, 1 +sternsinus.com, 1 +sternstrailer.com, 1 +steroids.ga, 1 +steroidswiki.com, 1 +sterr.in, 1 +sterretranen.tk, 1 +sterva.mobi, 0 +sterydki.pl, 1 +sterz.io, 1 +stestena.eu, 1 +stesti.cz, 1 +stethostalk.com, 1 +stetson.edu, 1 +steuerberater-bayreuth.com, 1 +steuerberater-essen-steele.com, 1 +steuerberater-hopfner.de, 1 +steuerberatungs-website.de, 1 +steuerboard.org, 1 +steuerimgriff.de, 1 +steuerkanzlei-edel.de, 1 +steuerteam-kliem.de, 1 +steuertipps-sonderausgaben.de, 1 +steve-mason.tk, 1 +steve.kiwi, 1 +stevebanks.info, 1 +steveborba.com, 1 +stevebuck.tk, 1 +stevecostar.com, 1 +stevedoggett.com, 1 +steveellwood.com, 1 +stevegellerhomes.com, 1 +stevegrav.es, 1 +stevejcraig.com, 1 +stevejobsfollowers.tk, 1 +stevemario.com, 1 +stevemason.tk, 1 +stevemonteyne.be, 1 +steven-klix.de, 0 +steven.photos, 1 +stevenapate.com, 1 +stevenavaldez.tk, 1 +stevenberg.net, 1 +stevenbolgartersnakes.com, 1 +stevendearstyne.com, 1 +stevengoodpaster.com, 1 +stevengrech.com, 1 +stevenhardy.digital, 1 +stevenjacobs.be, 1 +stevenjacobs.eu, 1 +stevenkendypierre.com, 1 +stevenkobes.com, 1 +stevenmdriving.co.uk, 1 +stevenroddis.com, 1 +stevensautotopsandupholstery.com, 1 +stevenscountymn.gov, 1 +stevenshame.com, 1 +stevenski.com, 0 +stevensonal.gov, 1 +stevensontaxservices.com, 1 +stevenspoint.gov, 1 +steventress.com, 1 +steventruesdell.com, 1 +stevenz.blog, 1 +stevenz.net, 1 +stevenz.science, 1 +stevenz.xyz, 1 +steveoswald.tk, 1 +stevepacheco.com, 1 +stevereedmp.co.uk, 1 +stevesbriefmovierecommendations.com, 1 +stevezheng.cf, 1 +stevezheng.tk, 1 +stevezone.in, 1 +steviate.com, 1 +steviate.de, 1 +stevin.com, 1 +stevinson.org, 1 +stewards.tk, 1 +stewart.tk, 1 +stewpolley.com, 1 +stfd-oh.gov, 1 +stfrancisnaugatuck.org, 1 +stg-0-con.com, 1 +stgabrielstowepa.org, 1 +stgeorgegolfing.com, 1 +stgeorgeks.gov, 1 +stgermainwi.gov, 1 +stghv.com, 1 +stgiannanorthfieldnj.org, 1 +stgy.it, 1 +sth.sh, 1 +sthelen.eu, 1 +sthelensoregon.gov, 1 +sthenryrc.org, 1 +sthetix.info, 1 +sthpr.gr, 1 +sthreemarketing.com, 1 +stibal.art, 1 +stichtingcompassroemenie.nl, 1 +stichtingscholierenvervoerzeeland.nl, 1 +stichtingsticky.nl, 0 +stichtingtwigadukina.nl, 1 +stichtingwwtoegankelijk.nl, 1 +stichtsevecht.nl, 1 +stick2bike.de, 1 +stickandpoketattookit.com, 1 +stickerapp.com, 1 +stickerparadise.me, 1 +stickers-garage.com, 1 +stickertrade.me, 1 +stickies.io, 1 +stickmangames.tk, 1 +stickme.be, 1 +stickmy.cn, 1 +sticksandstonescomic.tk, 1 +sticksandstonesland.com, 1 +stickstone.co, 1 +stickswag.cf, 1 +stickswag.eu, 1 +sticky.to, 1 +stickypassword.com, 1 +stickywilds.com, 1 +stidmobile-id.com, 1 +stiebel-eltron.co.nz, 1 +stiebel-eltron.com.au, 1 +stiebel.co.nz, 1 +stiebel.com.au, 1 +stiebelmedia.co.nz, 1 +stiebelmedia.com.au, 1 +stiebelrewards.com.au, 1 +stiebelservice.com.au, 1 +stiebelstore.com.au, 1 +stiehler-leipzig.tk, 1 +stiekemverliefdopjou.nl, 1 +stierheating.com, 1 +stiff.wang, 1 +stifflersmom.ga, 1 +stift-kremsmuenster.at, 1 +stift-kremsmuenster.net, 1 +stiftung-lq.ch, 1 +stiftung-lq.com, 1 +stiftung-lq.net, 1 +stiftungleostrauss.com, 1 +stiftunglq.com, 1 +stigaview.com, 1 +stigviewer.com, 1 +stihiya.tk, 1 +stiira.com, 1 +stijlvol-wonen.com, 1 +stijndv.com, 1 +stijnodink.nl, 1 +stikic.me, 1 +stikkie.me, 1 +stikkyikkys.com, 1 +stikonas.eu, 0 +stila.no, 1 +stileapp.com, 1 +stilecop.com, 1 +stilettobg.com, 1 +stilfoto.net, 1 +stilingavonia.lt, 1 +stilldrunkfromyesterday.com, 1 +stille-post.eu, 1 +stillnessmovement.com, 1 +stillpointmag.org, 1 +stillwatermn.gov, 1 +stillwatertownshipmn.gov, 1 +stillwell.me, 1 +stillwhite.com, 1 +stillwhite.com.au, 1 +stilmobil.se, 1 +stilnaya-odezhda.tk, 1 +stilsvadba.tk, 1 +stiltmedia.com, 1 +stiltnerelectric.com, 1 +stiltsoft.com, 1 +stimex.bg, 1 +stimmgabel.lu, 1 +stimpatico.com, 1 +stimulants.uk, 1 +stina-vino.hr, 1 +stinesvillein.gov, 1 +stingraybook.com, 1 +stinici.site, 1 +stinkefingereinhorn.de, 1 +stinkintechnology.com, 1 +stinkmemes.com, 1 +stinter.cf, 1 +stintup.com, 0 +stiphosting.nl, 1 +stirblaut.de, 1 +stirling.co, 1 +stirlingpoon.com, 1 +stirringphoto.com, 1 +stisidores.org, 1 +stitch.money, 1 +stitchersvillage.com, 1 +stitchfiddle.com, 1 +stitchlabs.com, 1 +stivesbouncycastlehire.co.uk, 1 +stjh.org.sg, 1 +stjlogistics.com, 1 +stjohnbjc.org, 1 +stjohncamden.com, 1 +stjohnin.com, 1 +stjohnin.gov, 1 +stjohnnepomucene.com, 1 +stjohnpa.org, 1 +stjohnsc.com, 1 +stjohnsmi.gov, 1 +stjohnsottsville.org, 1 +stjoseph-stcatherine.org, 1 +stjosephclaremont.org, 1 +stjosephmo.gov, 1 +stjosephri.org, 1 +stjosephspringcity.com, 1 +stjosephtownship.com, 1 +stjscatholicchurch.org, 1 +stjude-ettekkar.tk, 1 +stjustin.org, 1 +stkc.win, 1 +stkeverneparishcouncil.org.uk, 1 +stkevin-stbenedict.org, 1 +stkildaosteopathy.com.au, 1 +stla.net, 1 +stlautoenhancements.com, 1 +stlawco.gov, 1 +stleismann.de, 1 +stlfc.gov, 1 +stlfence.com, 1 +stln.ml, 1 +stlouiscountymovotes.gov, 1 +stlouisfence.com, 1 +stlouisinsuranceco.com, 1 +stlouisnativeflute.com, 1 +stlouisparkmn.gov, 1 +stlouisstabilizing.com, 1 +stlpassports.com, 1 +stlpoolattendants.com, 1 +stlu.de, 1 +stlucieclerk.gov, 1 +stluciesheriff.gov, 1 +stlucievillagefl.gov, 1 +stlueke.de, 1 +stlukenh.org, 1 +stlukesbrandon.org, 1 +stma.is, 1 +stmariagoretti.net, 1 +stmarkcharlotte.org, 1 +stmarkseagirt.com, 1 +stmarthachurch.com, 1 +stmaryextra.uk, 1 +stmaryscountymd.gov, 1 +stmaryskutztown.com, 1 +stmarysmdsao.gov, 1 +stmarysnutley.org, 1 +stmarystfd.org, 1 +stmaryswv.gov, 1 +stmatthewri.org, 1 +stmattsparish.com, 1 +stmattsucc.org, 1 +stmfdky.gov, 1 +stmichaellvt.com, 1 +stmichaelmn.gov, 1 +stmichaelsmajors.tk, 1 +stmltn.com, 1 +stmohrael.org, 1 +stmsolutions.pl, 1 +stmsouthcoventry.com, 1 +stn.me.uk, 0 +stnews.ga, 1 +stnl.de, 0 +stntrading.eu, 1 +sto-garant.nl, 1 +sto.ne, 1 +stock-analysis-on.net, 1 +stockageprive.net, 1 +stockanalysis.com, 1 +stockbrain.co.jp, 1 +stockbridge-ma.gov, 1 +stockbridgevt.gov, 1 +stockgraphicdesigns.com, 1 +stockholm.ga, 1 +stockholm.se, 1 +stockholmpride.org, 1 +stockhuntertrading.com, 1 +stockilluminati.com, 1 +stockmarkettoday.news, 1 +stockmeta.jp, 1 +stockpile.com, 1 +stockportny.gov, 1 +stockportspiritualistchurch.co.uk, 1 +stockpricetrends.com, 1 +stocks-adviser.com, 1 +stockslam.ga, 1 +stocksnews.tk, 1 +stockspy.ru, 1 +stockstuck.com, 1 +stockt-shirtdesigns.com, 1 +stocktonengineering.co.uk, 1 +stocktout.info, 1 +stocktrader.com, 1 +stockway.tk, 1 +stockx.com, 1 +stockx.io, 1 +stockyards.com, 1 +stocorp.com, 1 +stocp.org, 1 +stoddardcountyclerk.gov, 1 +stodieck.com, 1 +stodlinjen.se, 1 +stoeckel.info, 0 +stoeckl-schmaus.com, 1 +stoemp.gent, 1 +stoffelnet.de, 1 +stoffhandwerk.tk, 1 +stohrm.com, 1 +stoianlawfirm.com, 1 +stoicatedy.ovh, 1 +stoicnotaries.com, 1 +stoicsimple.com, 1 +stoicus.com.br, 1 +stoinov.com, 1 +stoiximatikesetairies.tv, 1 +stokkink.com, 1 +stokl.com.au, 0 +stokrotkadelikatesy.pl, 1 +stolarka.tk, 1 +stolarstvi-jiriholy.cz, 1 +stolbart.com, 1 +stolensun.tk, 1 +stolin.info, 1 +stolina.de, 1 +stolkpotplanten.nl, 1 +stoll.info, 1 +stollen-wurm.de, 1 +stollenwurm.de, 1 +stolpe.tk, 1 +stolpe5674.tk, 1 +stolpersteine-dithmarschen.tk, 1 +stolpi.is, 0 +stoltz-it.de, 1 +stomaline.com.ua, 1 +stomatolog-czestochowa.cf, 1 +stomatolog-czestochowa.ga, 1 +stomatolog-czestochowa.gq, 1 +stomatolog.cf, 1 +stomatolog.ga, 1 +stomatologiya.gq, 1 +stomatologiya.ml, 1 +stomproced.ro, 1 +stomt.com, 1 +stone-guru.co.uk, 1 +stone-support.de, 1 +stoneagehealth.com.au, 1 +stoneandtile.design, 1 +stonebriarpropertyinspections.com, 1 +stonechatjewellers.ie, 1 +stonecore.co, 0 +stonecountyar.gov, 1 +stonecutgods.com, 1 +stonedwarf5.net, 1 +stonedworms.de, 0 +stoneedgeconcrete.com, 1 +stonefoot.de, 1 +stonefusion.org.uk, 1 +stonegatewealth.com, 0 +stonegray.ca, 1 +stonehammerhead.org, 1 +stonehurstcap.com, 1 +stonemain.eu, 1 +stonemanbrasil.com.br, 1 +stoneocean.net, 1 +stoneproperty.ie, 1 +stonerwitch.tk, 1 +stonesfamilyrestaurant.com, 1 +stonesgarden.pl, 1 +stonetribute.tk, 1 +stonewallwcidtx.gov, 1 +stoneworld.ga, 1 +stonewuu.com, 1 +stoneydsp.com, 1 +stoningtonboroughct.gov, 1 +stonkslab.com, 1 +stonsil.com, 1 +stonystratford.org, 1 +stoom-stichting.nl, 1 +stoomstichting.be, 1 +stoomstichting.biz, 1 +stoomstichting.com, 1 +stoomstichting.de, 1 +stoomstichting.eu, 1 +stoomstichting.info, 1 +stoomstichting.net, 1 +stoomstichting.nl, 1 +stoomstichting.org, 1 +stoomtreinhuren.nl, 1 +stoomtreinreizen.be, 1 +stoomtreinreizen.com, 1 +stoomtreinreizen.eu, 1 +stoomtreinreizen.nl, 1 +stoomtreinreizen.org, 1 +stop-acouphenes.ch, 1 +stop-activ.ga, 1 +stop-bankrotstvu.ru, 0 +stop-microsoft.org, 1 +stop-nikotin.tk, 1 +stop-russia.tk, 1 +stop-tihange.eu, 1 +stop-tihange.org, 1 +stop.pe, 1 +stopaggressivedriving.com, 1 +stopanskaleasing.mk, 1 +stopautoshop.bg, 1 +stopbullying.gov, 1 +stopever.com, 1 +stopforumspam.com, 1 +stopfraud.gov, 1 +stoph.at, 1 +stopillicit.com, 1 +stopka.tk, 1 +stopkadr-studio.ru, 1 +stopklopam.ru, 1 +stoplossoff.tk, 1 +stopmetbellen.be, 1 +stopmoustic.fr, 0 +stopoverconnections.com, 1 +stoppage.cf, 1 +stopransomware.gov, 1 +stoprat.fr, 1 +stopsafeguardingnow.org.uk, 1 +stopsmoke.gq, 1 +stopssherdenking.tk, 1 +stopsvet.ml, 1 +stopthemoss.com, 1 +stoptheperio.com, 1 +stopthethyroidmadness.com, 1 +stopthinkconnect.jp, 1 +stoptrading.co.uk, 1 +stopves.tk, 1 +stopvirus.in, 1 +stor-guard.com, 1 +stora.mn, 1 +storage-base.de, 1 +storage-books.gq, 1 +storage-in-motion.com, 1 +storageideas.uk, 1 +storageioblog.com, 1 +storagenewsletter.com, 1 +storageshedsnc.com, 1 +storck.com, 1 +stordbatlag.no, 1 +store-en-stock.com, 1 +store10.de, 0 +store71.it, 1 +storeandforward.email, 1 +storeandforward.eu, 1 +storeandforward.nl, 1 +storebusy.nz, 1 +storecard.tk, 1 +storecove.com, 0 +storedieu.com, 1 +storedsafe.com, 1 +storeforward.email, 1 +storeforward.eu, 1 +storeforward.net, 1 +storeforward.nl, 1 +storeforward.org, 1 +storefront.gq, 1 +storefrontcleaningchicago.com, 1 +storeisrael.co.il, 1 +storeit.co.uk, 1 +storemax.com.au, 1 +storepaperoomates.co.bw, 1 +storepaperoomates.com, 1 +storepaperoomates.net, 1 +storephotovoltaique.com, 1 +storeplus.ml, 1 +storepy.com.mx, 1 +storesonline.fr, 1 +storewebshop.com, 1 +storgaarddieu.com, 1 +stori.press, 1 +storiadellarte.com, 1 +storiadirectory.tk, 1 +storiagraph.com, 1 +stories-event.com.ua, 1 +stories-pro.com, 1 +storiesbysign.com, 1 +storillo.com, 1 +storin.nl, 1 +storipress.com, 1 +storipress.pro, 1 +storistalker.com, 1 +storj.io, 1 +storjar.com, 1 +storm-news.tk, 1 +stormairsoft.tk, 1 +storman.com, 1 +stormchile.cl, 1 +stormdamages.claims, 1 +stormestudios.tk, 1 +stormfest.tk, 1 +stormhub.ml, 1 +stormi.io, 1 +stormlab.tk, 1 +stormrider.tk, 1 +stormylegions.tk, 1 +storspillercasino.com, 1 +storungssuche.com, 1 +storvann.net, 1 +storvann.no, 1 +storvault.co.za, 1 +story.be, 1 +story.nl, 1 +storyark.de, 1 +storyark.eu, 1 +storyboardmedia.cl, 1 +storybuilder.me, 1 +storyclash.com, 1 +storycollective.film, 1 +storycopy.org, 1 +storycycle.tk, 1 +storyland.ie, 1 +storyliebe.de, 1 +storymalayalam.com, 1 +storyoneforty.com, 1 +storysift.news, 1 +storytea.top, 1 +storytel.net, 1 +storytell.com, 1 +storytellingforbusiness.com.au, 1 +storytellingsales.com, 1 +storytime.hu, 1 +stotranidhi.com, 1 +stoumann.dk, 1 +stourstreet.com, 1 +stouter.nl, 1 +stoverepairaustin.com, 1 +stovokzal.com.ua, 1 +stoxford.com, 1 +stp-ip.com, 1 +stp-ip.net, 1 +stp.dev, 1 +stpatrick.tk, 1 +stpatrickathenscatskill.org, 1 +stpatrickbayshore.org, 1 +stpatrickkennettsquare.org, 1 +stpatrickri.org, 1 +stpatricks-pelham.com, 1 +stpatricksmapleridge.ca, 1 +stpatsschool.org, 1 +stpaulcatholicchurcheastnorriton.net, 1 +stpaulsbullville.org, 1 +stperseo.tk, 1 +stpetersresidence.org, 0 +stpioparish.com, 1 +stpip.com, 1 +stpip.net, 1 +stps.dk, 0 +str8hd.com, 1 +str92.com, 1 +straalatelier.com, 1 +straatderzotten.nl, 1 +stradedelvino.ch, 1 +stradsolutions.ga, 1 +strafe-muss-sein.at, 1 +strafensau.de, 1 +straffordpub.com, 1 +strahlende-augen.info, 1 +strahovanienet.tk, 1 +straightcurlyhair.tk, 1 +straightlinetutoring.com, 1 +straightnude.com, 1 +strail-english.jp, 1 +strajnar.si, 1 +straka.name, 1 +strakertranslations.com, 1 +strakh.tk, 1 +strakonak.cz, 1 +stralau.kicks-ass.net, 1 +stralenpoedercoaten.nl, 1 +stralingsonzin.com, 1 +strana-snov.tk, 1 +strana.ga, 1 +strandedinotter.space, 1 +strandfuif.tk, 1 +strandhaus-claassen.de, 1 +strandhaus-hinter-der-duene.de, 1 +strandhousedingle.com, 1 +strandkorb-jentzsch.de, 1 +strandom.ru, 1 +strandschnuppern.de, 0 +strange.ga, 1 +strangecharmlabs.com, 1 +strangeelectricdreams.com, 1 +strangelandrecording.com, 1 +strangelandrecordingstudios.com, 1 +strangelandsoundstage.com, 1 +strangelane.com, 1 +strangelanerecords.com, 1 +strangelittlecovers.tk, 1 +strangeminds.social, 1 +strangemusicbox.com, 1 +strangemusichollywood.com, 1 +strangemusicinc.com, 1 +strangemusicinc.net, 1 +strangeonline.tk, 1 +strangers-team.fr, 1 +strangerthingsmerch.co, 1 +strangestfacts.cf, 1 +strangevip.com, 1 +strangeways.ca, 1 +strangeworksinc.com, 1 +strangeworldmerch.com, 1 +strangeworldmerchandising.com, 1 +straniero.net, 1 +strankahrvatskogprava.tk, 1 +straphael-holyangels.com, 1 +strappazzon.xyz, 1 +strashtrading.com, 1 +strass-sur-mesure.fr, 1 +strassberger.tk, 1 +strasweb.fr, 1 +stratahealth.com, 1 +strategery.io, 1 +strategia.tk, 1 +strategicemailservices.com, 1 +strategicenvironmentalassessment.gov.scot, 1 +strategiclivingblog.com, 1 +strategicmanagementinsight.com, 1 +strategicmind.com, 1 +strategicpartnersmedia.com, 1 +strategie-zone.de, 1 +stratego-belgie.tk, 1 +strategy.it, 1 +strategy66.com, 1 +strategybusiness.ga, 1 +stratejm.com, 1 +stratekispiel.at, 1 +stratfordct.gov, 1 +stratfordnh.gov, 1 +stratfordwi.gov, 1 +stratforge.com, 1 +strathspeycrown.com, 1 +strati.com.br, 1 +stratible.com, 0 +stratik.com.co, 1 +stratinator.com, 1 +stratlibs.org.uk, 1 +stratmann-b.de, 1 +stratocumulus.legal, 1 +stratos.support, 1 +stratreg.com, 1 +stratsoftware.com, 1 +strattera.ga, 1 +strattonapps.com, 1 +strattonhats.com, 1 +stratum0.org, 1 +stratuscloud.co.za, 1 +stratuscloud.group, 1 +stratuscloudconsulting.net, 1 +stratuspayments.net, 1 +stratussc.com, 1 +straubis.org, 1 +straubs.eu, 1 +strauss-advisor.de, 1 +strauss.eu.com, 1 +strauss.tirol, 1 +stravato.com, 1 +stravato.net, 1 +stravers.shoes, 1 +strawberries.tk, 1 +strawberry-laser.gr, 1 +strawberry-melon.com, 1 +strawberry.dk, 1 +strawberry.fi, 1 +strawberry.no, 1 +strawberry.se, 1 +strawberrydreadlocks.tk, 1 +strawberryhotels.com, 1 +strawberryplants.org, 1 +strawpoll.fi, 1 +stray-soul.com, 1 +straydio.co.uk, 1 +straylight.tk, 1 +strcat.ga, 1 +strd.co, 1 +stream-box.tk, 1 +stream.gifts, 1 +stream.ru, 0 +streamblur.net, 1 +streamchan.org, 1 +streamcraft.net, 1 +streamelements.com, 1 +streameo.tk, 1 +streamfood.tv, 1 +streamgifter.com, 1 +streamgoalandres.ml, 1 +streaming-download.net, 1 +streamliner.fr, 1 +streamlinerg.com, 1 +streamlineverify.com, 1 +streammasterpro.com, 1 +streamodz.com, 1 +streampanel.net, 1 +streams.dyndns.org, 1 +streamside.tk, 1 +streamsoft.pl, 1 +streamspouredout.com, 1 +streamtelly.com, 1 +streamurl.link, 1 +streamz.be, 1 +streamzilla.com, 1 +streathamfoodfestival.com, 1 +streekproducten.tk, 1 +streekwinkelkatlijk.nl, 1 +streem.com.au, 1 +streem.media, 1 +streemprn.xyz, 1 +streengis.tk, 1 +streepjescodelezer.nl, 1 +streepjesenstipjes.nl, 1 +street-clic.tk, 1 +street-hoops.tk, 1 +street-legal.tk, 1 +street-medics.fr, 1 +street-race.tk, 1 +street-racing.tk, 1 +streetart.tk, 1 +streetartcities.com, 1 +streetballromania.tk, 1 +streetcheck.co.uk, 1 +streetdancecenter.com, 1 +streetdreamz.tk, 1 +streetforceteam.tk, 1 +streetking.tk, 1 +streetliferadio.tk, 1 +streetlightdata.com, 1 +streetmaderecordz.tk, 1 +streets.mn, 1 +streetsalad.tk, 1 +streetshirts.co.uk, 1 +streetspirit.tk, 1 +streetspotr.com, 1 +streetstunters.tk, 1 +streetview.wien, 1 +streetwitnessing.org, 1 +streetwitnessingchurch.com, 1 +strefapi.com, 1 +strefapi.pl, 1 +strefarysunku.pl, 1 +strehl.tk, 1 +stremio.com, 1 +strenge-zucht.schule, 1 +strength-secure.com, 1 +strengthroots.com, 1 +stressdown.ml, 1 +stressed.tk, 1 +stressexplained.com, 1 +stressfrei-marceva.de, 1 +streszczenia.pl, 1 +stretchpc.com, 1 +stretchwrap.co.nz, 1 +strettoweb.com, 1 +striae.cf, 1 +striata.biz, 1 +striata.com, 1 +striata.info, 1 +striata.mobi, 1 +striata.org, 1 +stricken.gq, 1 +stricted.net, 1 +strictlynormal.com, 1 +strideengineering.com.au, 1 +strietwaelder-blaettche.de, 1 +strijdmeevoorvrede.gent, 1 +strijkkraal.tk, 1 +strijkshop.be, 1 +strike.money, 1 +strikeone.io, 1 +strikeout.ga, 1 +strikers.cf, 1 +strikers.futbol, 1 +strikevectorex.com, 1 +strikezonesalessystems.com, 1 +strings.cf, 1 +stripe.com, 1 +striped.horse, 1 +stripped-anarchy.xyz, 1 +strippersinthehoodxxx.com, 1 +striptizer.tk, 1 +stritai.ru, 1 +strixmusic.com, 1 +strizh.com.ua, 1 +strl-tunis.tk, 1 +strm.pl, 1 +strobe.cool, 1 +strobel.cl, 1 +strobotti.com, 1 +stroccounioncity.org, 1 +stroeck.at, 1 +stroeder.com, 1 +stroeder.de, 1 +stroeerdigital.de, 1 +stroginopk.ga, 1 +strogov.me, 1 +strogova.me, 1 +stroifenix.ru, 1 +stroigid.tk, 1 +stroimsami.tk, 1 +stroimvse.ml, 1 +stroiproect.tk, 1 +strojmaster.tk, 1 +strokesb.store, 1 +strokesurvivor.nz, 1 +strom.family, 1 +stromak.cz, 0 +stromberg.marketing, 1 +stromectol.gq, 1 +stromkomfort.cz, 1 +stromsparen24.at, 1 +stromvergleichgaspreis.de, 1 +stromzivota.sk, 1 +strona-na-medal.pl, 1 +strong-game.com, 1 +strong-iptv.online, 1 +strongblock.com, 1 +strongdm.com, 1 +strongencryption.org, 1 +stronger-communities.org.uk, 1 +strongercommunity.org.uk, 1 +strongergateway.com, 1 +stronghermoney.com, 0 +strongmind.be, 1 +strongohio.gov, 1 +strongpassword.club, 1 +strongrandom.com, 0 +strongroom.ai, 1 +strongsalpinesucculents.com, 1 +strongtomorrow.tk, 1 +strongtoto.com, 1 +strongtowerpc.com, 1 +strony365.pl, 1 +stroomacties.nl, 1 +strooming.nl, 0 +stroopwafel.ch, 1 +stropek.eu, 1 +strophicmusic.com, 1 +stropkova.eu, 1 +strosebelmar.com, 1 +strotmann.de, 1 +strousberg.net, 1 +strover.bg, 0 +stroy-klg.ru, 1 +stroyca.tk, 1 +stroydvor.tk, 1 +stroyka-iz-brusa.ru, 1 +stroykomi.tk, 1 +stroymart.bg, 1 +stroymex.online, 1 +stroynet.ml, 1 +stroyservice-tver.ru, 1 +strozik.de, 1 +strrl.com, 1 +strtrade.com, 1 +structurally.net, 1 +structure.gov.au, 1 +strugee.net, 1 +strullmeier.eu, 1 +strumpe.lv, 1 +strunecka.cz, 1 +struxureon.com, 1 +strydom.me.uk, 1 +strypsteen.com, 1 +strypsteen.me, 1 +strzelcy.org.pl, 1 +sts-consulting.it, 1 +stscecyteo.org, 1 +stsen.de, 1 +stsolarenerji.com, 1 +ststanislaus.com, 1 +ststanstrans.org, 1 +ststephensc.gov, 1 +sttammanyurology.com, 1 +sttelemediagdc.in, 1 +sttf.org.uk, 1 +stthomasbrigantine.org, 1 +stthomaschurchri.org, 1 +sttl-topographie.com, 1 +sttpk.id, 0 +sttrv.ru, 1 +stuartbeard.com, 1 +stuartbell.co.uk, 1 +stuartbell.uk, 1 +stuartcrawford.co.nz, 1 +stuartcrawford.nz, 1 +stuarteggerton.com, 1 +stuartfl.gov, 1 +stuartmorris.id.au, 1 +stuartmorris.me, 1 +stuartmorris.name, 1 +stuartmorris.tel, 1 +stuartmoving.com, 1 +stuartparsons.com, 1 +stubbings.de, 0 +stubbingsmail.de, 1 +stubbmail.de, 1 +stubentiga.de, 1 +stuc-groep.nl, 1 +stuccokingsfl.com, 1 +stuckateur-bruno.de, 0 +stucki-bagger.ch, 1 +stuckwithme.tk, 1 +stucydee.nl, 1 +stud-lib.ml, 1 +studay.fr, 1 +studboo.com, 1 +student.andover.edu, 1 +student.faith, 1 +studentaid.gov, 1 +studentenmobiliteit.be, 1 +studentenplaza.tk, 1 +studentenwerk.sh, 1 +studenterguiden.dk, 1 +studentforums.biz, 1 +studenti.tk, 1 +studentinaneta.com, 1 +studentingent.be, 1 +studentite.bg, 1 +studentjournalist.ml, 1 +studentklinikk.no, 1 +studentloans.gov, 1 +studentnep.tk, 1 +studentpop.com, 1 +studentproject.be, 1 +studentquickpay.com, 1 +studentrobotics.org, 1 +students4sports.org, 1 +studentse.fr, 1 +studentsfirstnb.com, 1 +studentstc.cz, 1 +studenttenant.com, 1 +studi-luar-negeri.tk, 1 +studiedeals.dk, 1 +studiekort.se, 1 +studiekortet.com, 1 +studiekortet.eu, 1 +studiekortet.net, 1 +studiekortet.nu, 1 +studiekortet.org, 1 +studiekortet.se, 1 +studienportal.eu, 1 +studierttomnoch.de, 1 +studio-54.tk, 1 +studio-637.com, 1 +studio-abok.com, 1 +studio-architetto.com, 1 +studio-fotografico.ru, 1 +studio-impress.com, 1 +studio-mir.tk, 1 +studio-n.pl, 1 +studio-np.ru, 1 +studio-one.ru, 1 +studio32.tk, 1 +studio4101.ga, 1 +studio413.net, 1 +studio54.tk, 1 +studio678.com, 0 +studio91.tk, 1 +studioabq.com, 1 +studioadevents.com, 1 +studioamoureus.nl, 1 +studioandrew.tk, 1 +studioat55.com, 1 +studioavvocato.milano.it, 1 +studioavvocato.roma.it, 1 +studioavvocato24.it, 1 +studiobrandano.com, 1 +studiocharloslivro.tk, 1 +studioclassic.no, 1 +studiodelbenessere.com, 1 +studiodentisticomasi.com, 1 +studiodentisticosanmarco.it, 0 +studiodoprazer.com.br, 1 +studiodpe.com, 0 +studiodriban.com, 0 +studioelo.com.br, 0 +studioevent.tk, 1 +studiofpvet.it, 1 +studiofutbol.com.ec, 1 +studiogears.com, 1 +studiograou.com, 1 +studiogronda.it, 1 +studiohelder.fr, 0 +studioherc.com, 1 +studiohomebase.amsterdam, 1 +studiolegalemarchi.tk, 1 +studiolegalepaternostro.it, 1 +studiolive.club, 1 +studiolu.tk, 1 +studiolupotti.it, 1 +studiomarcella.com, 1 +studiomenfis.com, 1 +studionowystyl.pl, 1 +studiopanamaitalia.com, 1 +studiopirrate.com, 1 +studioriehl.com, 1 +studioroxo.com, 1 +studioshiftup.net, 1 +studiosql.ml, 1 +studiostawki.com, 1 +studiostudio.net, 1 +studiosuracidenunzio.it, 1 +studiotheatrestains.fr, 1 +studiotolsta.com, 1 +studiovaud.com, 0 +studiowildverband.nl, 1 +studiozef.tk, 1 +studiozes.nl, 1 +studipad.de, 1 +studipro-formation.fr, 1 +studipro-marketing.fr, 1 +studipro.fr, 1 +studisys.net, 1 +studium.cz, 1 +studius.gq, 1 +studiweb.pro, 1 +studport.rv.ua, 1 +studsovet.cf, 1 +studsovet.tk, 1 +studuj.digital, 1 +studujdigital.cz, 1 +studujdigital.eu, 1 +studwebs.ml, 1 +studyarabic.info, 1 +studyarch.tk, 1 +studybay.com, 0 +studybeans.org, 1 +studyclerk.com, 1 +studyero.com, 1 +studyhacker.jp, 1 +studyhacker.net, 1 +studyhub.cf, 1 +studyin.jp, 1 +studyinaustraliafair.africa, 1 +studying-neet.com, 1 +studylink.com, 1 +studylish.com, 1 +studyme.ml, 1 +studynoun.com, 1 +studyosepeti.com, 1 +studyportal.net, 1 +studyservice.net, 1 +studysive.com, 1 +studyspanish-lapaz-bolivia.tk, 1 +studystack.ml, 1 +studytactics.com, 1 +studytour.ml, 1 +studytube.nl, 0 +stuermer.me, 1 +stuetzredli.ch, 1 +stuff-fibre.co.nz, 1 +stuffi.fr, 1 +stuffiwouldbuy.com, 0 +stuffsearth.com, 1 +stuhrs.dk, 1 +stuka-art.de, 0 +stulda.cz, 1 +stumeta.de, 1 +stumeta2018.de, 1 +stumeta2019.de, 1 +stumf.si, 1 +stumpblog.com, 1 +stundenplan-editor.de, 1 +stunnel.org, 1 +stunner.watch, 1 +stunning-dresses.com, 1 +stunningautos.com, 1 +stunningbikecotours.com, 1 +stunninggdansk.com, 1 +stunningkrakow.com, 1 +stunningpoland.com, 1 +stunningpoznan.com, 1 +stunningszczecin.com, 1 +stunningwarsaw.com, 1 +stunningwroclaw.com, 1 +stunov.ga, 1 +stunov.gq, 1 +stuntman.ga, 1 +stuntman.tk, 1 +stuntmen.xyz, 1 +stuntx-server.ga, 1 +stupendousproduce.com, 1 +stuphid.tk, 1 +stupidcupid.tk, 1 +stupidest.org, 1 +stupidstatetricks.com, 1 +stupidthoughts.tk, 1 +stupino-stroy.cf, 1 +sturdybusiness.com, 1 +sturents.com, 1 +sturgeonbaywi.gov, 1 +stut.tk, 1 +stutelage.com, 1 +stutsmancounty.gov, 1 +stuttgart.ga, 1 +stuudium-mail.ee, 1 +stuudium.cloud, 1 +stuudium.com, 1 +stuudium.eu, 1 +stuudium.life, 1 +stuudium.link, 1 +stuudium.net, 1 +stuudium.org, 1 +stuudium.pro, 1 +stuut.info, 1 +stuvel.eu, 1 +stuvus.de, 1 +stuvus.uni-stuttgart.de, 1 +stuyvesantoutdoor.com, 1 +stv.lol, 0 +stview.me, 1 +stvrainsdco.gov, 1 +stwcforum.tk, 1 +stwcreation.com, 1 +stworzwirusa.tk, 1 +stx.ie, 1 +stygium.net, 0 +styilishdress.tk, 1 +style-keeping.com, 1 +style-style.com, 1 +stylearray.com, 1 +stylebajumuslim.com, 1 +stylebeat.tk, 1 +styleci.io, 1 +styleclub.tk, 1 +stylecollective.us, 1 +styledbysally.com.au, 1 +styleelite.tk, 1 +styleetvieperfumes.com, 1 +styleflow.nl, 1 +stylemall.tk, 1 +stylepixo.com, 1 +stylerecap.com, 1 +stylesaag.com, 1 +stylesinmotion.co, 1 +stylesound.tk, 1 +styletheweb.cf, 1 +styletron.org, 1 +stylett.ru, 1 +styletyx.com, 1 +stylezutra.com, 1 +stylidafm.gr, 1 +stylight.co.uk, 1 +stylight.com, 1 +stylight.de, 1 +stylight.fr, 1 +stylight.it, 1 +stylight.nl, 1 +stylingstudio.ga, 1 +stylishentertainment.co.uk, 1 +stylishweddingdisco.co.uk, 1 +stylistbazaar.com, 0 +stylle.me, 1 +styllussports.com.br, 1 +stylodessens.fr, 1 +stylspire.com, 1 +styplon.cf, 1 +stypr.com, 1 +styrerommet.no, 1 +styriswaste.com, 1 +styxxx.de, 1 +su-kacagi.istanbul, 1 +su1ph3r.io, 1 +suachuanha365.com, 1 +sualkuchionline.tk, 1 +suamicowi.gov, 1 +suatdautu.com, 1 +suaudeau.fr, 1 +suaudeau.org, 1 +suayslim.com, 1 +sub-etha.se, 1 +sub-net.at, 1 +sub-topia.de, 1 +subahankamal.tk, 1 +subalert.com, 1 +subanelvolumen.tk, 1 +subaru.pl, 1 +subarudev.pl, 1 +subarupartsdeal.com, 1 +subarus.tk, 1 +subaruxv.pl, 1 +subastasdecarros.net, 1 +subastatutraslado.com.mx, 1 +subbacultcha.tk, 1 +subcero.com.ar, 1 +subdev.org, 1 +subdimension.org, 1 +subdivider.tk, 1 +subestan.tk, 1 +subgirl.ga, 1 +subiblia.com, 1 +subic.ga, 1 +subilarch.net, 0 +subject-barred.cf, 1 +subject-barred.ga, 1 +subjecto.com, 0 +subjektzentrisch.de, 1 +sublettecountywy.gov, 1 +sublimacaoshop.com.br, 1 +sublimated.tk, 1 +sublimesurface.fr, 1 +sublimetours.com, 1 +sublimigeek.fr, 1 +subliminalrecorder.com, 1 +subliminalrecordingsystem.com, 1 +submeet.vet, 1 +submelon.tech, 1 +submit-link.cf, 1 +submiteads.tk, 1 +submittable.com, 1 +submityou-rlink.tk, 1 +submityour-link.tk, 1 +subology.co, 1 +suborbital.io, 1 +subpage.tk, 1 +subscription-list.com, 1 +subscription-plus.uk, 1 +subscriptionplus.uk, 1 +subserv.tk, 1 +subsidioalempleo.cl, 1 +subsistence.wiki, 1 +subsitude.tk, 1 +subsoft.tk, 1 +substanceandprogram.info, 1 +substances.be, 1 +substitutealert.com, 1 +substore.co.il, 1 +subteen.gq, 1 +subterra.tk, 1 +subtitry.ru, 1 +subtituleros.tk, 1 +suburb.social, 1 +suburban-landscape.net, 1 +suburbaninfinitioftroyparts.com, 1 +suburbanprojects.com.au, 1 +suburbanpsych.org, 1 +suburbanurologic.com, 1 +suburbanweldingandsteel.com, 1 +suburbass.tk, 1 +suburbservice.net, 0 +subversionnews.tk, 1 +subvetcustoms.com, 1 +subway.co.id, 1 +subwaysurfers.tk, 1 +subwaytrain.tk, 1 +succesprojekter.dk, 1 +success.pp.ua, 1 +successbox.vn, 1 +successclicker.tk, 1 +successdeliv.com, 1 +successemails.ml, 1 +successible.net, 1 +successive.tech, 1 +successminds.com, 1 +successrice.com, 1 +succmy.wang, 1 +succorfish.net, 1 +succubus.network, 1 +succubus.xxx, 1 +succulentplantguru.com, 1 +succulenty.ru, 1 +sucessclick.gq, 1 +suche.org, 1 +suchhire.com, 1 +suchhunde.wien, 1 +suchmaschinen-werkstatt.de, 1 +suckerpunch.com, 1 +suckmyan.us, 0 +sucks.rip, 1 +sucolab.jp, 1 +sucomado.jp, 1 +sucomaga.jp, 1 +sucretown.net, 1 +sucro.us, 1 +sucsses.cf, 1 +sucsses.ga, 1 +sucsses.gq, 1 +sudabaus.com, 1 +sudak-turizm.tk, 1 +sudametrica.tk, 1 +sudanell.tk, 1 +sudanindependent.com, 1 +sudanindependent.net, 1 +sudaraka.org, 0 +suddenlysavvy.com, 1 +sudeleycastle.co.uk, 1 +sudetytour.cz, 1 +sudo.li, 1 +sudo.ws, 1 +sudoash.com, 1 +sudocat.me, 1 +sudoku-insight.tk, 1 +sudoku.org.ua, 1 +sudoless.com, 1 +sudoless.eu, 1 +sudoless.net, 1 +sudosaveclimate.com, 1 +sudoschool.com, 1 +sudosu.fr, 1 +sudrania.com, 1 +sudtirol.com, 1 +sudya-dredd.ru, 1 +suecaunitedfc.tk, 1 +suedtirolerhotels.it, 1 +sueletricidade.pt, 1 +suelyonjones.com, 1 +suempresa.cloud, 1 +suenotek.com, 1 +sueperclean.com, 1 +suerteloteria.com, 1 +suessenbecker.de, 1 +suessundbitter.de, 1 +suevia-ka.de, 1 +suff.co, 1 +suffix.ru, 1 +sufix.cz, 1 +sufleu.ro, 1 +sufleuri.ro, 1 +sug.hr, 1 +sugarbrother.com, 0 +sugarcube.ml, 1 +sugarcube.tk, 1 +sugardaddy.network, 1 +sugardating.network, 1 +sugarfans.com, 1 +sugarfetch.com, 1 +sugargrant.gq, 1 +sugarlandsara.com, 1 +sugarlandurology.com, 1 +sugarondemand.com, 1 +sugaropencloud.eu, 1 +sugaropencloud.uk, 1 +sugarpiano.com, 1 +sugarroll.ml, 1 +sugarsalted.com, 1 +sugarshin.net, 1 +sugartownfarm.com, 1 +sugaru.pe, 1 +sugatime.tk, 1 +sugattor.ga, 1 +sugawara-soroban.com, 1 +sugayaganka.net, 1 +suggea.com, 1 +suggestim.ch, 0 +sugoicraft.tk, 1 +sugos.cf, 1 +sugos.ga, 1 +sugos.gq, 1 +sugos.ml, 1 +suhost.com.br, 1 +suhost.site, 1 +suhsport.es, 1 +suicide.gq, 1 +suicidegirls.cf, 1 +suicidepreventioncenter.tk, 1 +suidouraku.com, 1 +suijo-bus.osaka, 1 +suike.com, 1 +suikerspinnetje.nl, 1 +suisui.stream, 1 +suite360sel.org, 1 +suiteassured.com, 1 +suitebase.org, 1 +suitecrm.com, 1 +suitemail.org, 1 +suitesafe.org, 1 +suitesapp.com, 1 +suiteuser.org, 1 +suitocracy.com, 1 +suitsandboots.ca, 1 +sujal.com, 1 +sujatadev.in, 1 +sujiao.de, 1 +sujoy.me, 1 +sujoydhar.in, 1 +sukamusik.tk, 1 +suke3.jp, 1 +suki.moe, 1 +sukirastore.com, 1 +sukiu.net, 1 +sukker-oaxaca.com, 1 +sukoyakapp.com, 1 +sukrie.net, 1 +sukruarslan.tk, 1 +suksiriwan.com, 1 +suksit.com, 0 +sulabs.org, 1 +sulakskii-canyon.ru, 1 +sulavius.tech, 1 +sulawesi-adventure.tk, 1 +suleeka.tk, 1 +sulek.eu, 1 +sulemanmalik.tk, 1 +sulemanquotes.tk, 1 +suleri.tk, 1 +sulfegate.org, 1 +sulkmen.tk, 1 +sullinssudspressurewashing.com, 1 +sullivancountypa.gov, 1 +sulman4paf.tk, 1 +sulphurspringsar.gov, 1 +sultans.tk, 1 +sulytics-tool.com, 1 +sum1.tk, 1 +suma.coop, 1 +sumac.is, 1 +sumakola.space, 1 +sumanai.gq, 1 +sumanai.tk, 1 +sumantv.com, 1 +sumaque.com, 1 +sumatogroup.com, 1 +sumatphoto.com, 1 +sumatrabarat.cf, 1 +sumatrabarat.ga, 1 +sumatrabarat.gq, 1 +sumatrabarat.ml, 1 +sumatrabarat.tk, 1 +sumatraselatan.cf, 1 +sumatraselatan.ga, 1 +sumatraselatan.gq, 1 +sumatraselatan.ml, 1 +sumatraselatan.tk, 1 +sumatrautara.cf, 1 +sumatrautara.ga, 1 +sumatrautara.gq, 1 +sumatrautara.ml, 1 +sumatrautara.tk, 1 +sumatriptan365.tk, 1 +sumbur.ga, 1 +sumcrevillent.tk, 1 +sumecho.com, 1 +sumguy.com, 1 +sumhost.ml, 1 +sumiko.moe, 1 +sumill.com, 1 +sumire.ne.jp, 1 +sumisa.cf, 1 +sumit.blog, 1 +sumit.sh, 1 +sumitbot.ga, 1 +sumitchahal.blog, 1 +sumitchahal.com, 1 +sumitronics.com.tw, 1 +sumiyakimatsu.com, 1 +sumkunado.ru, 1 +summa.eu, 0 +summarized.gq, 1 +summaryexecution.com, 1 +summaryexecution.net, 1 +summaryexecution.org, 1 +summer.ga, 1 +summer.today, 1 +summeracademy-china.org, 1 +summerbo.at, 1 +summercampthailand.com, 1 +summerdance.tk, 1 +summerfieldtwpmonroemi.gov, 1 +summerjam.de, 1 +summermc.cc, 1 +summermovies.nyc, 1 +summerschoolcybersecurity.org, 1 +summerstylessalon.com, 1 +summing.ga, 1 +summit-level.ru, 1 +summit-research.org, 1 +summitcountyboe.gov, 1 +summitcustomsbrokers.com, 1 +summitdentistry.nl, 1 +summiteyekc.com, 1 +summitlighthousela.org, 1 +summitms.gov, 1 +summitseodesign.com, 1 +sumner-jc-wi.gov, 1 +sumochki.tk, 1 +sumppumpchicagoil.com, 1 +sumpters.co.nz, 1 +sumran.in, 1 +sumtercountysc.gov, 1 +sumterhousecleaning.com, 1 +sumthing.com, 1 +sumtotal.host, 1 +sumtotallab.host, 1 +sumutoday.com, 1 +sumzero.com, 1 +sun-beach.com.ua, 1 +sun-host.ml, 1 +sun-lounge.be, 1 +sun-shield.fr, 1 +sun-studio.tk, 1 +sun-wellness-online.com.vn, 0 +sun1218.com, 1 +sun1245.com, 1 +sun1338.com, 1 +sun1345.com, 1 +sun1378.com, 1 +sun668.asia, 1 +sun668.co, 1 +sunbeltasphalt.com, 1 +sunbirdgrove.com, 1 +sunbit.com, 1 +sunblind.tk, 1 +sunbnice.com, 1 +sunburstdata.com, 1 +sunby.jp, 1 +sunby.org, 1 +suncanary.tk, 1 +suncat.tk, 1 +sunchasercats.com, 1 +sunchild.ml, 1 +suncity288.com, 1 +suncity288.net, 1 +suncity8118.cn, 1 +suncity8118.com, 1 +suncity818.cn, 1 +suncity818.com, 1 +suncity818.net, 1 +suncity8338.cn, 1 +suncity8338.com, 1 +suncity858.cn, 1 +suncity858.com, 1 +suncity8668.com, 1 +suncity8998.com, 1 +suncitycinemas.com, 1 +suncloud.ch, 0 +suncoastdisplays.com, 1 +suncoastrebuilding.com, 1 +suncomegrain.ga, 1 +suncrypto.in, 1 +sundalandia.pp.ua, 1 +sundanceusa.com, 1 +sunday.pm, 1 +sundayfundayjapan.com, 1 +sundaysky.com, 1 +sunderland.ac.uk, 1 +sunderlandmoneyman.com, 1 +sundhedsdatastyrelsen.dk, 1 +sundhedsvejen.dk, 1 +sundialpowdercoating.com, 1 +sundiel.tk, 1 +sundoctors.com.au, 0 +suneilpatel.com, 1 +sunfeathers.net, 1 +sunfiregold.com, 1 +sunfireshop.com.br, 1 +sunflare.tk, 1 +sunflowercircuitclerk.gov, 1 +sunflyer.cn, 1 +sunfox.cz, 1 +sunfulong.me, 1 +sungalsses.ml, 1 +sunglassstyle.co.nz, 1 +sungreen.info, 1 +sunhaoxiang.net, 1 +sunhills23.ru, 1 +sunho.net.tw, 1 +suniru.com, 0 +sunjaydhama.com, 1 +sunjiutuo.com, 1 +sunjob.tk, 1 +sunkar.tk, 1 +sunkavallymd.com, 1 +sunkimurology.com, 1 +sunlit.cloud, 1 +sunmantechnology.com, 1 +sunmeiren.com, 1 +sunn.ie, 1 +sunnuntaileivonta.fi, 1 +sunnuntaimargariini.fi, 1 +sunnuntaipaasiainen.fi, 1 +sunnuntaipiirakka.fi, 1 +sunnuslight.com, 1 +sunny.co.uk, 1 +sunnyhome.tk, 1 +sunnylyx.com, 1 +sunnynetworks.net, 1 +sunnyoxygen.xyz, 1 +sunnyside-jazzclub.com, 1 +sunnysideinc.ca, 1 +sunnyssingh.tk, 1 +sunnyx3m.com, 1 +sunokuran.tk, 1 +sunpax.ga, 1 +sunpediatrics.com, 1 +sunpig.com.my, 1 +sunpig.com.sg, 1 +sunpig.my, 1 +sunpig.sg, 1 +sunplay.host, 1 +sunpower.id, 1 +sunradio.tk, 1 +sunred.info, 1 +sunred.org, 1 +sunrichtec.com, 1 +sunrise.tk, 1 +sunrisebeachmo.gov, 1 +sunrisebeachtx.gov, 1 +sunroof.ga, 1 +sunroomsbywoodland.com, 1 +sunroomsbywoodlandwindows.com, 1 +sunroomschicagoil.com, 1 +sunsafe.se, 1 +sunsdesign.net, 1 +sunsetfire.de, 1 +sunsetmusic.tk, 1 +sunsetnelson.com, 1 +sunsetservicecentre.ca, 1 +sunsetweb.fr, 1 +sunsetwx.com, 1 +sunshilin.tk, 1 +sunshine-cleaners.com.au, 1 +sunshinefrontier.tk, 1 +sunshinelife.tk, 1 +sunshineoilstop.com, 1 +sunshinerequest.com, 1 +sunshinesf.org, 1 +sunshinesramblings.com, 1 +sunskyview.com, 1 +sunsong.org, 1 +sunsparksolar.co.uk, 1 +sunsquare.cz, 1 +sunstar.bg, 1 +sunstaroptical.com, 1 +sunstyl.fr, 1 +sunsumba.com, 1 +sunsun-jewelry.com, 1 +sunsun.co, 1 +sunsun.com.sg, 1 +sunsungem.com, 1 +sunsungems.com, 1 +sunsunjewellery.com, 1 +sunsunjewelry.com, 1 +sunsunjewelry.net, 1 +sunsunjewelry.org, 1 +sunticschool.org, 1 +sunvillas.vn, 1 +sunwayxfarms.com, 1 +sunwei-proxy.tk, 1 +sunwolf.studio, 1 +sunyanzi.cf, 1 +sunyanzi.tk, 1 +suomensotilas.fi, 1 +suomentilitoimistot.fi, 1 +suomiheraa.com, 1 +suomika.pl, 1 +suourl.com, 0 +sup-net.de, 1 +supa.sexy, 1 +supasomsak.de, 1 +supazena.com, 1 +supdajuice.tk, 1 +supedio.com, 1 +supedium.com, 1 +supel.cf, 1 +supel.ga, 1 +supel.gq, 1 +supel.ml, 1 +super-60.ag, 1 +super-60.biz, 1 +super-60.com, 1 +super-60.de, 1 +super-60.eu, 1 +super-60.info, 1 +super-60.net, 1 +super-60.org, 1 +super-baik.tk, 1 +super-boy.tk, 1 +super-gs.jp, 1 +super-knighki.gq, 1 +super-lolitas.tk, 1 +super-net.tk, 1 +super-o-blog.com, 1 +super-puper.su, 0 +super-silicon.com, 1 +super-trophy.de, 1 +super11.nl, 1 +super365.info, 1 +super365aa.com, 1 +super60.ag, 1 +super60.biz, 1 +super60.de, 1 +super60.eu, 1 +super60.info, 1 +super60.net, 1 +super60.org, 1 +super60plus.de, 1 +superaficionados.com, 1 +superalem.org, 1 +superb.games, 1 +superb.net, 1 +superbart.nl, 1 +superbaskirskij-med.tk, 1 +superbdistribute.com, 1 +superbestpalsclub.tk, 1 +superbir.net, 1 +superbomber.tk, 1 +superboom.dance, 1 +superbouncebouncycastles.com, 1 +superbowlkneel.com, 1 +superbugs.nl, 1 +superbuy.com.tw, 1 +supercalorias.com, 1 +supercarpets.ru, 1 +supercarrot.tk, 1 +supercastlesadelaide.com.au, 1 +supercastlesbrisbane.com.au, 1 +supercastlesmelbourne.com.au, 1 +supercastlessouthsydney.com.au, 1 +supercastlessunshinecoast.com.au, 1 +supercentenarian.com, 1 +supercharged.co.uk, 1 +supercinebattle.fr, 1 +supercontent.cf, 1 +supercontent.ga, 1 +supercontent.ml, 1 +supercontent.tk, 1 +supercorp.cf, 1 +supercours.net, 1 +superdaddy.club, 1 +superdeals.cf, 1 +superdevtools.com, 1 +superdolly.cf, 1 +superdolly.ga, 1 +superdolly.gq, 1 +superdolly.ml, 1 +superdrillers.tk, 1 +superdroni.com, 1 +supereduc.cl, 1 +superenduro.net, 1 +superfaktura.at, 1 +superfaktura.cz, 1 +superfaktura.sk, 1 +superfans.top, 1 +superfastpress.com, 1 +superfastquintessentially.co.uk, 1 +superfavorite.tk, 1 +superfinancial-dorsetbranch.co.uk, 1 +superfluous.tk, 1 +superfly.tk, 1 +superfoodsexplained.com, 1 +superfury.tk, 1 +supergmtransport.com.au, 1 +supergood.ga, 1 +supergoods.tk, 1 +supergrandmasternetwork.com, 1 +supergroup.tk, 1 +superguide.com.au, 1 +superhappiness.com, 1 +superherba.cz, 1 +superherofactory.hu, 1 +superhits.gq, 1 +superhumanendurance.ga, 1 +superhyp.de, 1 +superidea.in, 1 +superidropulitrice.com, 1 +superiordetail.tk, 1 +superiorinngrandmarais.com, 1 +superiormanifestations.com, 1 +superiormusic.tk, 1 +superioroptical.com, 1 +superioropticalva.com, 1 +superiorseamlessinc.com, 1 +superiorvision.com, 1 +superiorwi.gov, 1 +superis.eu, 1 +superkakdoma.ru, 1 +superklima.ro, 0 +superkonsult.se, 1 +superkrasota.tk, 1 +superlevel.de, 1 +superlight.tk, 1 +superlisa.nl, 1 +superlog.tk, 1 +superlol.tk, 1 +supermae.pt, 1 +supermagna.tk, 1 +supermanera.tk, 1 +supermarketkibris.com, 1 +supermarkets.ga, 1 +supermart.tk, 1 +supermarx.nl, 1 +supermedia.cool, 1 +supermeitw.com, 1 +supermercadosdia.com.ar, 1 +supermercato24.it, 1 +supermil.ch, 1 +supermini-games.tk, 1 +supermustang.tk, 1 +supern0va.net, 0 +supernatural-fans.tk, 1 +supernaturalbrand.com, 1 +supernaturalchronicles.com, 1 +supernaut.info, 1 +supernogi.ga, 1 +supernovicebaker.com, 1 +superpaczka24.pl, 1 +superpart.com, 1 +superpase.com, 1 +superpi.noip.me, 1 +superpollo.com.ec, 1 +superpowerexperts.com, 1 +superraclette.fr, 1 +supersahnetorten.de, 1 +superseguros.gob.do, 1 +superservers.ml, 1 +supershrooms.nl, 1 +supersisi.cf, 1 +supersisi.ml, 1 +superskidki.cf, 1 +supersmashflash.com, 1 +supersocial.net, 1 +supersole.net, 0 +supersolenoid.tk, 1 +supersonicsoft.com, 1 +superstargossip.com, 1 +superstarhost.tk, 1 +superstart.tk, 1 +supersteosbouncycastles.com, 1 +superstropdas.nl, 1 +supersu.kr, 1 +superswingtrainer.com, 1 +supertape.com, 1 +supertrade.tk, 1 +supertrophy.de, 1 +supertutorial.com.br, 1 +superunion.com, 1 +superuser.one, 1 +supervasan.se, 1 +supervets.com.au, 1 +supervisorbullying.com, 1 +superway.es, 1 +superwhoopi.tk, 1 +superworks.com, 1 +superzaim.ga, 1 +supfood.cz, 1 +suphelper.ru, 1 +supioka.com, 1 +suplementasi.com, 1 +suplery.com, 1 +suplindex.com, 1 +suplments.co.uk, 1 +suplments.com, 1 +suplments.de, 1 +suplments.fr, 1 +suplments.it, 1 +suplments.pt, 1 +supmil.net, 1 +suppchat.ru, 1 +suppdeals.eu, 1 +supperclub.net, 1 +suppernova.com, 1 +supplement.cf, 1 +supplementaanbiedingen.nl, 1 +supplementalconditions.com, 1 +supplementpolice.tk, 1 +supplements101.net, 1 +supplementwarehouseonline.com, 1 +supplhi.com, 1 +supplierlinkup.com, 1 +suppliersession2021.com, 1 +supplies24.at, 1 +supplies24.es, 1 +supplychainriskmanagement.com, 1 +supplynation.org.au, 1 +supplyoutlook.com, 1 +support-ticino.ch, 1 +support.it, 1 +support.mayfirst.org, 0 +support1448.com, 1 +support1448.org, 1 +support4professionals.nl, 1 +supportal.one, 1 +supportericking.org, 1 +supportfan.gov, 1 +supporthost.com, 1 +supportingspeciallearners.com, 1 +supportiv.com, 0 +supportivecare.org, 1 +supportlafd.org, 1 +supportme123.com, 0 +supportmeindia.com, 1 +suppos-net.tk, 1 +supra.tf, 1 +supracube.com, 1 +supraelco.com, 1 +suprax365.tk, 1 +suprem.biz, 0 +suprem.ch, 0 +supremacrypt.com, 1 +supreme-council.me, 1 +supreme-court.tk, 1 +supremeexclusivecandles.com, 1 +suprememale.tk, 1 +supremestandards.com, 1 +suprintbot.xyz, 1 +supriville.com.br, 1 +supropionegocio.tk, 1 +supweb.ovh, 0 +supwoman.site, 1 +supya.co, 1 +suranganet.tk, 1 +surasak.org, 1 +surasak.tk, 1 +suravi.in.net, 1 +suraya.online, 1 +sure-it.de, 1 +surebets.bet, 1 +surecloud.com, 0 +surefit-oms.com, 1 +surefleet.com.au, 1 +surelyhired.com, 1 +suresi.com.tr, 1 +suresi.gen.tr, 1 +surest.com, 0 +surf1969.tk, 1 +surfacespots.ga, 1 +surfandturfroofing.com, 1 +surfbluewave.com, 1 +surfenergy.tk, 1 +surfingshare.com, 1 +surfkath.de, 1 +surflessonslisbon.com, 1 +surfnetkids.com, 1 +surfnetparents.com, 1 +surfocal.com, 0 +surfocal.net, 1 +surfoleon.tk, 1 +surfseo.ml, 1 +surfseo.tk, 1 +surfsm2.ddns.net, 1 +surgatekno.com, 1 +surgeholdinggroup.com, 1 +surgeongeneral.gov, 1 +surgicalassociates.sg, 1 +surgicalassociateswny.com, 1 +surgicalresourcesgroup.com, 1 +surgispa.net, 1 +surgoinsvilletn.gov, 1 +surialternat.tk, 1 +surik.de, 1 +surikov.tk, 1 +suriname.tk, 1 +suriyainvestments.com, 1 +surkum.eu, 1 +surl.win, 1 +surma.tk, 1 +surnganet.tk, 1 +suroil.com, 1 +suroot.moe, 1 +suros.com.tw, 0 +surpassexam.com, 1 +surpasshosting.com, 1 +surplusdirectory.ml, 1 +surplusrecord.com, 1 +surpreem.com, 1 +surprisepubliclibrary.gov, 1 +surpriz-net.tk, 1 +surrealdb.com, 1 +surrealistas.tk, 1 +surreycyclingclub.co.uk, 1 +surreyheathyc.org.uk, 0 +surreysportspark.co.uk, 1 +surrogacyaccount.com, 1 +surrycountync.gov, 1 +surrycountyncvotes.gov, 1 +surthriveak.com, 1 +suruifu.com, 1 +suruifu.tk, 1 +suruno.com, 0 +survature.com, 1 +surveer.com, 1 +surveyapp.io, 1 +surveyberbayar.com, 1 +surveyhealthcare.com, 1 +surveyorcloud.com, 1 +surveyremover.tk, 1 +surveyspy.net, 1 +surveytester.com, 1 +surveyviet.com, 1 +survicate.com, 1 +survival-mastery.com, 0 +survivalgearideas.com, 1 +survivalknivar.se, 1 +survivebox.fr, 1 +survivebox.net, 1 +survivingmesothelioma.com, 1 +suryayurveda.com, 1 +sus.zone, 1 +susajja.com, 1 +susanacruzdesign.com, 1 +susanagomez.tk, 1 +susanbpilates.co, 1 +susanbpilates.com, 1 +susanmmeyersauthor.com, 1 +susann-kerk.de, 1 +susanna-komischke.de, 1 +susannaridge.com, 1 +susconam.org, 1 +susdomicilios.co, 1 +suse.com, 1 +suseki.ga, 1 +sushi-sakura.tk, 1 +sushi.roma.it, 1 +sushibesteld.nl, 1 +sushifrick.de, 1 +sushikatze.de, 1 +sushilmedicos.tk, 1 +sushiprints.com, 1 +susiestoddart.tk, 1 +suska.tk, 1 +susoft.tk, 1 +susosudon.com, 1 +suspect.id, 1 +suspensebox.com, 1 +suspiciousdarknet.xyz, 1 +suss.be, 1 +sussexheart.com, 1 +sussexsecurityinstallations.co.uk, 1 +sussexwi.gov, 1 +sussmanshank.com, 1 +sustain.software, 1 +sustainability.gov, 1 +sustainabilityknowledgegroup.com, 1 +sustainabilitysmartips.com, 1 +sustainabilitysociety.hk, 1 +sustainableweb.dk, 1 +sustainalists.com, 1 +sustainalytics.com, 0 +sustained.tk, 1 +sustaineukraine.org, 1 +sustainimum.com, 1 +sustainimum.eu, 1 +sustainimum.net, 1 +sustainimum.nl, 1 +sustainimum.org, 1 +sustainoss.org, 1 +sustc.ac.cn, 1 +sustekova.eu, 1 +susthx.com, 1 +susumulus.ml, 1 +suswhw.top, 1 +sut-b.de, 1 +sutabi.tk, 1 +suter.au, 1 +suter.id.au, 1 +suternetwork.ch, 1 +suth.jp, 1 +sutherlinoregon.gov, 1 +sutinenmatthews.tk, 1 +sutmar-anwaltskanzlei.de, 1 +sutore.com, 1 +suttacentral.net, 1 +suttonbank.com, 1 +sutty.nl, 1 +suurhelsinki.cf, 1 +suuria.de, 1 +suutaripaivat.fi, 1 +suv4.net, 1 +suvalor.com, 1 +suvari.com.tr, 1 +suvidhaapay.com, 1 +suvirink.lt, 1 +suvisioninc.com, 1 +suwanneecountyfl.gov, 1 +suwanya.cn, 1 +suwcountyfl.gov, 1 +suwebcreativa.com, 1 +suyati.com, 0 +suzannejauchius.com, 1 +suzansalem.nl, 1 +suzdalgrad.cf, 1 +suziepachecoart.com, 1 +suzikogsm.tk, 1 +suzuki-aps.de, 1 +suzuki.com, 1 +suzukiarindo.co.id, 1 +suzukibali.id, 1 +suzukicintadamai.co.id, 1 +suzukicycles.com, 1 +suzukimarinepress.com, 1 +suzukinjs.co.id, 1 +suzukinozomu.tk, 1 +suzukisumberbaru.co.id, 1 +suzukisurakarta.co.id, 1 +suzukitradajateng.co.id, 1 +suzukitradajatim.co.id, 1 +suzukiumc.co.id, 1 +sv-1966-medenbach.de, 0 +sv-bachum-bergheim.de, 1 +sv-ec-ditzingen.de, 1 +sv-gymlil.de, 1 +sv-schody.cz, 1 +sv-turm-hohenlimburg.de, 1 +sv-webdesign.com, 1 +sv.search.yahoo.com, 0 +sv1862ruesselsheim.de, 0 +sv1880-lichtenau.de, 0 +sv388.bz, 1 +sv443.net, 1 +svager.cz, 1 +svak-gutachter.de, 0 +svanstrom.com, 1 +svanstrom.org, 1 +svantner.sk, 1 +svarka22.ml, 1 +svarka24.com.ua, 1 +svarka26.gq, 1 +svarmax.com.ua, 1 +svarovani.tk, 1 +svatba.cf, 1 +svatba.ml, 1 +svatbamisiaviti.tk, 1 +svatyjur.tk, 1 +svauto.ks.ua, 1 +svc-sitec.com, 1 +svc-sitec.com.mx, 1 +svc-sitec.org, 1 +svc-studioslive-api-dev.azurewebsites.net, 1 +svc-tools.ru, 1 +svc1.xyz, 1 +svcs.pp.ua, 1 +svdb.co, 0 +sve-hosting.nl, 1 +svealandsgruppen.tk, 1 +svecbeton.cz, 1 +svedalataxi.com, 1 +svedorszag.tk, 1 +sveikas.info, 1 +svenbacia.me, 1 +svendgram.com, 1 +svendubbeld.nl, 1 +sveneckelmann.de, 1 +svenhammond.com, 1 +svenjaundchristian.de, 1 +svenmuller.com, 1 +svenmuller.nl, 1 +svenpeter.eu, 1 +svenpeter.info, 1 +svenpeter.me, 1 +svenpeter.net, 1 +svenpeter.org, 1 +svenska.events, 1 +svenskakyrkansunga.tk, 1 +svenskapsalmer.se, 1 +svenskarnaochinternet.se, 1 +svenskdam.se, 1 +svenskmediabevakning.se, 1 +svensson-generators.be, 1 +sverdlov.spb.ru, 1 +sverdlovsk.gq, 1 +sverdlovsk.ml, 1 +sverdlovsk.tk, 1 +sverlo.cf, 1 +svet.tk, 1 +svetandroida.cz, 1 +svetbank.cz, 1 +svetila.com, 1 +svetix.ch, 1 +svetkuenergija.lv, 1 +svetlanamamedova.tk, 1 +svetlayarus.tk, 1 +svetlilo.com, 1 +svetlograd.tk, 1 +svetoch.ga, 1 +svetoch.tk, 1 +svetodiod.gq, 1 +svetonaushniki.tk, 1 +svetplast.spb.ru, 0 +svetrelaxu.cz, 1 +svetserialov.to, 1 +svfitness.ru, 1 +svg-board.ml, 1 +svg.beauty, 0 +svgdesigns.com, 1 +svge.ms, 1 +svgems.xyz, 1 +svgwg.org, 1 +svgzone.tk, 1 +svh.nl, 1 +svhni.nl, 1 +svia.nl, 1 +sviatzoo.com, 1 +svin.loan, 1 +svirel.ga, 1 +svitilny.cz, 1 +sviz.pro, 1 +svj-stochovska.cz, 1 +svjvn.cz, 1 +svkpk.cz, 1 +svlh.gov, 1 +svm-basketball.de, 1 +svn-yokaiispirit.ddns.net, 1 +svnty2.dedyn.io, 1 +svobodny.fr, 1 +svobodnyblog.cz, 1 +svodjapan.info, 1 +svoi-ugolok.tk, 1 +svoimi-slovami.tk, 1 +svorcikova.cz, 1 +svorkmofotball.tk, 1 +svoya-energy.com.ua, 1 +svpe.de, 1 +svpe.eu, 1 +svportalframe.com, 1 +svrjs.org, 1 +svrtech.com.tr, 1 +svrx.one, 1 +svse.global, 1 +svseglobal.com, 1 +svsewerut.gov, 1 +svswebmarketing.com, 1 +svtemplemn.org, 1 +svtl.ch, 1 +svtr.de, 1 +svtv.org, 1 +svwissel.tk, 1 +sw-machines.io, 1 +sw-s.info, 1 +sw-servers.net, 1 +sw33tp34.com, 1 +swa-il.gov, 1 +swabifoundation.tk, 1 +swacash.com, 1 +swacu.org, 1 +swadeshiherbal.com, 1 +swag.live, 1 +swag.pw, 1 +swagat.tk, 1 +swagger.io, 1 +swagger.london, 1 +swaglookbook.com, 1 +swagmoney.enterprises, 1 +swagsocial.net, 0 +swahili-dictionary.com, 1 +swain.tk, 1 +swallowforum.tk, 1 +swallsoft.co.uk, 1 +swallsoft.com, 1 +swanbitcoin.com, 1 +swanbullion.com, 0 +swansdoor.org, 1 +swanseama.gov, 1 +swantonvt.gov, 1 +swanvinylworks.com, 1 +swap-ict.nl, 1 +swap.gg, 1 +swap.ly, 1 +swapbox.tk, 1 +swapfiets.com, 1 +swapfiets.de, 1 +swapfiets.nl, 1 +swapfin.com, 1 +swappa.com, 1 +swapspace.co, 1 +swarfarm.com, 1 +swargvibha.tk, 1 +swarlys-server.de, 1 +swarovskijewelry.tk, 1 +swat.io, 1 +swat4stats.com, 1 +swataratwpauthority-pa.gov, 1 +swatee.com, 1 +swavlambancard.gov.in, 1 +sway-cdn.com, 1 +sway.com, 1 +swayampaaka.com, 1 +swc-cfc.gc.ca, 1 +swcleanair.gov, 1 +swd.media, 1 +swdb.jp, 1 +swe77.com, 1 +swe777.com, 1 +sweak.net, 1 +sweat-shirts.tk, 1 +sweatercon.com, 1 +swebdigitalmarketing.com, 1 +swecha.org, 1 +swedbank.com, 1 +swedbank.se, 1 +swederica.tk, 1 +swedish-saints.tk, 1 +swedish.so, 1 +swedishforces.tk, 1 +swedishhost.com, 1 +swedishhost.se, 1 +sweep-me.net, 1 +sweep-staging.com, 0 +sweep.net, 0 +sweeppeasweeps.com, 1 +sweet-spatula.com, 1 +sweet64.fr, 1 +sweetair.com, 1 +sweetairlines.tk, 1 +sweetamoris.de, 1 +sweetbabyjesus.com, 1 +sweetbasilscafe.com, 1 +sweetcalculus.ru, 1 +sweetcoraline.eu.org, 1 +sweetcorner.tk, 1 +sweetdata.io, 1 +sweetdeko.com, 1 +sweeteleven.tk, 1 +sweetgood.de, 1 +sweetgracemarket.com, 1 +sweethearts.tk, 1 +sweetheartvideo.com, 1 +sweethomesnohomishrenovations.com, 1 +sweethorses.tk, 1 +sweetintrigue.tk, 1 +sweetlegs.jp, 1 +sweetlycakes.com, 1 +sweetparis.cf, 1 +sweetpinkpussy.org, 1 +sweetpummelfee.com, 1 +sweets-mimatsu.com, 1 +sweetsandlifestyle.com, 1 +sweetsideofsweden.com, 1 +sweetsinner.com, 1 +sweetspot.co.kr, 1 +sweetsugarcakes.com, 1 +sweetsusinrw.org, 1 +sweettreatscookiedough.com, 1 +sweetvanilla.jp, 1 +sweetwatercountywy.gov, 1 +sweetwatertn.gov, 1 +sweetwatertx.gov, 1 +sweetydecor.ru, 1 +sweharris.org, 1 +swelife.se, 1 +swellnote.com, 1 +swentr.site, 1 +swerve-media-testbed-03.co.uk, 1 +swet.com.ua, 1 +swetrust.com, 1 +swfmax.com, 1 +swgoh4.life, 1 +swha.xyz, 1 +swhi.net, 1 +swhw.io, 1 +swi.sytes.net, 1 +swiatpilki.com, 1 +swid.co.uk, 1 +swiezastrona.pl, 1 +swift-devedge.de, 1 +swiftbonds.com, 1 +swiftcashforcars.com.au, 1 +swiftcodetoday.com, 1 +swiftcom.co.za, 1 +swiftcrypto.com, 1 +swiftcyclist.com, 1 +swifteh.net, 1 +swiftfactory.io, 1 +swiftgram.ml, 1 +swiftink.com, 1 +swiftirc.net, 1 +swiftmod.net, 1 +swiftmodcdn.net, 1 +swiftopal.com, 1 +swiftoutput.com, 1 +swiftpak.co.uk, 1 +swiftqueue.com, 1 +swiftrecharge.com, 1 +swiggles.com, 1 +swilabible.be, 0 +swilagod.be, 1 +swilatag.be, 1 +swilly.org, 1 +swim-play.ru, 1 +swim-smart.com, 1 +swim.aero, 1 +swimclubinsurance.com, 1 +swimhome.es, 1 +swimlane.com, 1 +swimmingpoolaccidentattorney.net, 1 +swimmingpoolpumpsbassonia.co.za, 1 +swimpool.co.il, 1 +swimpools.co.il, 1 +swimready.net, 1 +swimwear365.co.uk, 1 +swindonbus.co.uk, 1 +swindontennisclub.azurewebsites.net, 1 +swindontennisclub.org, 1 +swineson.me, 1 +swing.berlin, 1 +swingcompleto.com, 1 +swingerclub.in, 1 +swingers.com.pt, 1 +swingle.ga, 1 +swingmonkey.com, 0 +swingstel.tk, 1 +swingular.com, 1 +swingwomenswellness.com, 1 +swingz.com.au, 1 +swipedon.com, 1 +swipelux.com, 1 +swipetv.ie, 1 +swireshipping.com, 1 +swish-ict.com, 1 +swishmail.com, 1 +swiss-apartments.com, 0 +swiss-connection.net, 0 +swiss-export-compliance.com, 1 +swiss-vanilla.ch, 1 +swiss-vanilla.com, 1 +swiss-watch.com.ua, 1 +swissaquashop.ch, 1 +swissbearfoodservices.com, 1 +swissbit.com, 1 +swissborg.com, 1 +swisscannabis.club, 1 +swisschat.tk, 1 +swissdomaintrustee.ch, 1 +swissentreprises.ch, 1 +swisservers.com, 1 +swissfreshaircan.ch, 0 +swissfreshaircan.com, 0 +swissgrid.ch, 0 +swisshex.ch, 1 +swisshex.net, 1 +swissinternationalva.com, 1 +swisslinux.org, 1 +swissneutral.net, 1 +swissnoso.ch, 1 +swissquawk.ch, 1 +swisstechmap.ch, 1 +swisstranslate.ch, 0 +swisstranslate.fr, 0 +swissurf.tk, 1 +swissvanilla.ch, 1 +swissvanilla.com, 1 +swisswebhelp.ch, 1 +swissxperts.ch, 1 +switch-defekt.de, 1 +switch-trader.com, 1 +switch.pt, 0 +switch2osm.org, 1 +switchassur.fr, 1 +switchbacksystems.com, 1 +switchboard.lgbt, 1 +switchbyte.nl, 1 +switcheo.exchange, 0 +switcheo.rocks, 1 +switchinitiatives.com, 1 +switchinitiatives.fr, 1 +switchinitiatives.org, 1 +switchur.com, 1 +swizio.com, 1 +swjen.com.sg, 1 +swjtu.today, 1 +swjz.art, 1 +swkdevserver.tk, 1 +swktestserver.tk, 1 +swmlink.com, 1 +swn-nec.de, 1 +swocaoh.gov, 1 +swoop-qa.cloud, 1 +swoop.cloud, 1 +swopre-appgallop.azurewebsites.net, 1 +swordfeng.xyz, 1 +swordfighting.net, 1 +swordpop.cf, 1 +swordpop.gq, 1 +sworkit.com, 1 +sworn.ga, 1 +swosplinter.nl, 1 +swostik.com, 1 +swot-digital.com, 1 +swparegionalcad.gov, 1 +swpat.org, 1 +swprowood.com, 1 +swqa.hu, 1 +swretail.ga, 1 +swtp-p-appsrv-coordination-backend-businessservices1.azurewebsites.net, 1 +swtp-p-appsrv-donorevaluation-api-businessservices1.azurewebsites.net, 1 +swtp-p-appsrv-protocol-api-businessservices1.azurewebsites.net, 1 +swtrayssq.gq, 1 +swtun.com, 1 +swunmath.com, 1 +swvatoday.com, 1 +swvaux.com, 1 +swwc.com, 1 +swxtd.com, 1 +swy.cz, 1 +swyn.net, 1 +swynwyr.com, 1 +sx3.no, 1 +sx6729.com, 1 +sx8.ovh, 1 +sxilm.com, 1 +sxistolithos.gr, 1 +sxmd99.com, 1 +sy-anduril.de, 1 +sy24.ru, 1 +syaeful12ips.tk, 1 +syakeapps.net, 1 +syakonavi.com, 1 +sybersense.com, 1 +syc-rotterdam.tk, 1 +sycamorememphis.org, 1 +sycca.com, 1 +sychov.pro, 1 +sycorr.com, 1 +sydcatholicschools.nsw.edu.au, 1 +sydgrabber.tk, 1 +sydmoen.com, 1 +sydneyaustralia.tk, 1 +sydneybusinessweb.com.au, 1 +sydneydesignprint.com.au, 1 +sydneyhelicopters.com.au, 1 +sydneylawnandturf.com.au, 0 +sydneylounge.ga, 1 +sydneyshisha.com.au, 1 +sydneysteinger.com, 1 +sydneyvangelder.com, 0 +sydneyvapeshub.com, 1 +syds.xyz, 1 +syedmuhdadasgardezi.tk, 1 +syenar.net, 1 +sygnalista-24.pl, 1 +sykam.com, 1 +sykepleien.no, 0 +sykiotis.com, 1 +sykorp.com, 1 +sylaps.com, 0 +sylcon.es, 0 +sylencegsm.com, 1 +sylfie.net, 1 +sylino.tk, 1 +syllogi.xyz, 1 +sylphix.cn, 1 +sylvaindurand.fr, 1 +sylvaindurand.org, 1 +sylvainkalache.com, 1 +sylvaloir.fr, 1 +sylvangarden.net, 1 +sylvantownshipmi.gov, 1 +sylviaharke.de, 1 +sylviemifsud.fr, 1 +sylwiart.pl, 1 +sylwiaspychala.pl, 1 +sym01.com, 1 +symantec.com.ru, 1 +symatrix.co.uk, 1 +symbility.net, 1 +symbiose-com.ch, 0 +symbiose-immobilier.ch, 0 +symbiose.com, 1 +symbiosecom.ch, 0 +symbiote.com.au, 1 +symbioxr.com, 1 +symbolics.digital, 1 +symbolnodes.org, 1 +symdevinc.com, 1 +symeonchen.com, 1 +symetrix.tk, 1 +symetryk.tk, 1 +symflower.com, 1 +symfoninews.com, 1 +symfora-meander.nl, 1 +syminsight.tk, 1 +symlink.io, 1 +symlnk.de, 1 +symoteb.ir, 1 +sympa-by.eu, 1 +sympletrade.com, 1 +symplexia.com.br, 1 +symplyos.tk, 1 +sympmarc.com, 1 +symposit.com, 1 +symposium.beer, 1 +symptome-erklaert.de, 1 +symvolik.ru, 0 +syna.dev, 1 +syna.site, 1 +synabi.com, 0 +synackrst.net, 1 +synapse.pe, 1 +synapsemedical.com.au, 1 +synapsepain.com, 0 +synaptickz.me, 1 +synccentre.com, 1 +syncevolution.org, 1 +syncgal.com, 1 +synchrocity.no, 1 +synchrocube.com, 1 +synchronic.pl, 1 +synchronicity.cz, 1 +synchronicity.icu, 1 +synchronicity.one, 1 +synchronyse.com, 1 +synclio.com, 1 +syncmylife.net, 0 +syncpal.de, 1 +syncplay.pl, 1 +syncresis.com, 1 +syncrony.com, 1 +syncsci.com, 1 +syncspace.live, 1 +syndicats.de, 1 +syndigo.com, 1 +syndika.co, 1 +syndikalismus-im-laendle.tk, 1 +syneart.com, 1 +synecek11.cz, 1 +synedat.com, 1 +synergia.ink, 1 +synergiamedicalcare.es, 1 +synergiedenken.de, 1 +synergisticsoccer.com, 1 +synergy-logistics.tk, 1 +synergyofserra.com, 1 +synergytherm.com, 1 +synergyzone.tk, 1 +synerio.com, 1 +synerionagile.com, 1 +synfrait.com, 1 +synitsa.tk, 1 +synlab-recrute.fr, 1 +synlab.es, 1 +synology-distribution.de, 1 +synology.com, 0 +synonimluksusu.pl, 1 +synony.me, 1 +synonym24.at, 1 +synoptek.com, 1 +synotna.eu, 1 +synrelay.com, 1 +syntaxnightmare.com, 1 +syntaxsociety.se, 1 +syntech.co.za, 1 +synth.no, 1 +synthax.codes, 1 +synthesis.ru, 1 +syntheticgrassliving.com.au, 1 +synthetictrading.com, 1 +synthetis.com, 1 +synthezis.tk, 1 +synthgularity.net, 1 +syntia.tk, 1 +syntric.io, 1 +syobon.org, 1 +syogainenkin119.com, 1 +syoier.com, 1 +syok.my, 1 +syonix.ru, 1 +syotatakahashi.com, 1 +syphax.ml, 1 +syplasticsurgery.com, 1 +sypp.net, 1 +sypra-host.tk, 1 +sypreformas.tk, 1 +syptak.eu, 1 +syquel-systems.de, 1 +syr.gov, 1 +syracuseut.gov, 1 +syrea.com, 1 +syrianair.cf, 1 +syrianair.ga, 1 +syrianair.ml, 1 +syrianet.cf, 1 +syrius.tk, 1 +syronex.com, 1 +sys-admin.fr, 1 +sys-stat.de, 1 +sys-state.de, 1 +sys-tm.com, 1 +sys.as, 1 +sys001-homenet.duckdns.org, 1 +sysadmin.pm, 1 +sysadmin.xyz, 0 +sysadmin21.tk, 1 +sysadmins.ro, 1 +sysadvisors.pl, 1 +sysaid.com, 1 +sysbert.de, 1 +syscap.co.uk, 1 +syscap.com, 1 +syscap.uk, 1 +syscapassetfinance.uk, 1 +syscaponline.co.uk, 1 +syscom.be, 1 +sysconautomation.com, 1 +syscoon.com, 1 +sysctl.se, 1 +syscurve.com, 1 +sysdb.io, 1 +syselg.com, 1 +sysert.tv, 0 +sysgap-gsci.com, 1 +syska.com, 1 +syslogic.io, 1 +sysmike.de, 1 +sysmike.net, 1 +sysnet.cz, 1 +sysoons.com, 1 +sysopworld.cf, 1 +sysopworld.ga, 1 +sysopworld.gq, 1 +sysopworld.ml, 1 +sysrigar.com, 1 +sysrq.in, 1 +sysrq.tech, 0 +syssolindia.com, 1 +sysstate.de, 1 +systea.fr, 1 +systea.net, 1 +system-admin-girl.com, 1 +system-design.tk, 1 +system-erp.com.pl, 1 +system-fehler.tk, 1 +system-informer.com, 1 +system-m.de, 0 +system.is, 1 +system.md, 1 +system4travel.com, 1 +systemart.pro, 1 +systematic-momo.com, 1 +systematic-momo.dk, 1 +systematik.nu, 1 +systemausfall.org, 1 +systemb.ch, 1 +systemblog.tk, 1 +systemc.com, 0 +systemchange.in, 1 +systemd.ch, 0 +systemd.eu.org, 1 +systemerka.pl, 1 +systemerr.tk, 1 +systemhaus.saarland, 1 +systeminformer.com, 1 +systemintegra.ru, 0 +systemisbusy.info, 1 +systemlead.pl, 1 +systemli.org, 1 +systemonthego.com, 1 +systems-thinking.eu, 1 +systemsense.com.au, 1 +systemsinblue.tk, 1 +systemsoftwareleader.com, 1 +systemswizard.io, 1 +systemtoto.ml, 1 +systemysportowe.pl, 1 +systemzeit.info, 1 +systime.dk, 1 +systoolbox.net, 1 +syswap.fr, 1 +syswiki.org, 1 +sysystems.cz, 1 +syt3.net, 1 +sytenko.org.ua, 1 +sytoshine.com, 1 +syuez.com, 1 +syunpay.cn, 1 +syuumi.eu, 1 +syuumi.me, 1 +syzygy-tables.info, 1 +syzygycareers.com, 1 +sz-ideenlos.de, 1 +sz-lessgym-kamenz.de, 1 +szabadpingvin.eu, 1 +szablinski.pl, 1 +szachowaprzygoda.pl, 1 +szadeczky.com, 1 +szafkirtv.pl, 1 +szakszervezet.work, 1 +szalaiterko.hu, 1 +szamitogepdepo.com, 1 +szamlarobot.hu, 1 +szamotulskanocnapiatka.pl, 1 +szasz.me, 1 +szaszm.tk, 0 +szclsya.me, 1 +szczury.org, 1 +szeged365.hu, 1 +szegediszobafestok.hu, 1 +szektor.com, 1 +szektor.net, 1 +szelagnes.com, 1 +szelagnes.hu, 1 +szemuvegtrend.hu, 1 +szentistvanpt.sk, 1 +szepsegbennedrejlik.hu, 1 +szerbnyelvkonyv.hu, 1 +szerelem.love, 1 +szgfeds.com, 1 +szhighsun.com, 1 +szih.org.pl, 1 +szilaghi.com, 1 +szilagyicsalad.ddns.net, 1 +szili.uk, 1 +sziluett.xyz, 1 +szimpla.hu, 1 +szinezdmagad.hu, 1 +szkkss.com, 0 +szklarnia.pro, 1 +szkolajazdykaleta.pl, 1 +szkolenia-dron.pl, 1 +szlovaknyelv.hu, 1 +szlovennyelv.hu, 1 +szmidtinwest.pl, 1 +szotkowski.fun, 1 +szotkowski.info, 1 +szotkowski.online, 1 +szotkowski.tech, 1 +szpet.jp, 1 +szpf.tf, 1 +szpro.ru, 1 +szs-arbeitssicherheit.de, 1 +szs.space, 1 +szsyidc.cf, 1 +sztfh.hu, 1 +sztoriboljeles.hu, 1 +sztreasure.com, 1 +sztuanzi.top, 1 +sztyup.com, 1 +szuecs.net, 1 +szw-hessen.de, 1 +szwrc.co, 1 +szww99.cc, 1 +szybkiebieganie.pl, 1 +szymczak.at, 1 +szyndler.ch, 1 +szyszkowitz.at, 1 +szzsivf.com, 1 +t-1.org, 0 +t-10.nz, 1 +t-cophony.com, 1 +t-dent.com, 1 +t-fischer.net, 1 +t-hawk.com, 1 +t-inn.tk, 1 +t-m.me, 1 +t-moon.hr, 1 +t-network.nl, 1 +t-op1.com, 1 +t-op10.com, 1 +t-op6.com, 1 +t-op7.com, 1 +t-op8.com, 1 +t-op9.com, 1 +t-pc.org, 1 +t-pravda.net, 1 +t-shirt-template.com, 1 +t-shirts4less.nl, 1 +t-shirty.tk, 1 +t-so.de, 1 +t-unit.ru, 1 +t-wirth.de, 1 +t-zrenia.ru, 1 +t.ar, 1 +t.ee, 1 +t.facebook.com, 0 +t.net.co, 1 +t.pe, 1 +t.rip, 1 +t00228.com, 1 +t08.co, 1 +t09.cc, 1 +t09.co, 1 +t0kie.space, 1 +t0ny.name, 1 +t12u.com, 1 +t1cloud.com, 1 +t1f.ru, 1 +t2-sit-test.tk, 0 +t2000headphones.com, 1 +t2000laserpointers.com, 1 +t22.uk, 1 +t2data.com, 1 +t2informatik.de, 1 +t2tea.com, 1 +t33.eu, 1 +t36533.com, 1 +t3concrete.my, 1 +t3hty.fr, 1 +t3rror.net, 1 +t3terminal.com, 1 +t4-wiki.de, 1 +t404.de, 1 +t47.io, 1 +t4c.link, 1 +t4gh.com, 1 +t5118.com, 1 +t51365.com, 1 +t5197.co, 1 +t630.nl, 1 +t6729.co, 1 +t6957.co, 1 +t7035.com, 0 +t776633.com, 1 +t7e.de, 1 +t7tech.net, 1 +t8.software, 1 +t82365.com, 1 +t8803.com, 1 +t8805.com, 1 +t8807.com, 1 +t8809.com, 1 +t8815.com, 1 +t8817.com, 1 +t8819.com, 1 +t8830.com, 1 +t88gg.com, 1 +t88jj.com, 1 +t88mm.com, 1 +t88nn.com, 1 +t88oo.com, 1 +t88ss.com, 1 +t88vip0.com, 1 +t88vip1.com, 1 +t88vip2.com, 1 +t88vip3.com, 1 +t88vip4.com, 1 +t88vip5.com, 1 +t88vip6.com, 1 +t88vip7.com, 1 +t88ww.com, 1 +t88yy.com, 1 +t8software.cn, 1 +t8software.com.hk, 1 +t8software.nl, 1 +t8w.de, 1 +t90official.games, 1 +t9297.co, 1 +t9728.co, 1 +ta-da.ua, 1 +ta-hiroshi.jp, 1 +ta-maison.fr, 1 +ta-nehisicoates.com, 1 +ta-nuth.nl, 0 +ta-server.nl, 1 +ta-soest.nl, 0 +ta65.com, 1 +taabe.net, 1 +taakjhaknews.com, 1 +taaltaal.nl, 1 +taanishsaifu.gq, 1 +taapk.com, 1 +taarnby.dk, 1 +taartbesteld.nl, 1 +taartenvankoenie.tk, 1 +taartenvanmireille.nl, 1 +taartenvanthea.nl, 1 +taat.edu.ee, 1 +tab.com, 1 +tabacarika.tk, 1 +tabacundo.tk, 1 +tabacundolindo.tk, 1 +tabadotupi.tk, 1 +tabakerka.tk, 1 +tabarnak.ga, 1 +tabby.cz, 1 +tabclassics.tk, 1 +tabe.cn, 1 +tabegamisama.com, 1 +tabelaci.tk, 1 +tabelekaloryczne.waw.pl, 1 +tabella.fi, 1 +taberna.tk, 1 +tabernaalibaba.tk, 1 +tabi-news.com, 1 +tabi-runrun.com, 1 +tabi-time.com, 1 +tabira.tk, 1 +tabisuta.com, 1 +tabiteollisuus.tk, 1 +tablamatica.tk, 1 +tablascreek.com, 1 +tableandhearth.com, 1 +tableconvert.com, 1 +tabledown.ga, 1 +tabledusud.be, 1 +tabledusud.nl, 1 +tablepaddie.com, 1 +tablepaddies.com, 1 +tableres.com, 1 +tablerocksbestrealtors.com, 1 +tablet.facebook.com, 0 +tablet4me.de, 0 +tabletd.com, 1 +tabletennis-reference.com, 1 +tabletennis-tt.tk, 1 +tablethotels.com, 1 +tabletkinamase.ga, 1 +tabletkinatradzik.ga, 1 +tabletopwealth.reviews, 0 +tablettes-tactiles.tk, 1 +tablosec.com, 1 +tably.com, 1 +tablyrics.com, 1 +taboomale.com, 1 +tabordaadvogados.ga, 1 +taborsky.cz, 1 +tabpanelwidget.com, 1 +tabrizbiology.tk, 1 +tabserectilecheap.com, 1 +tabtap.shop, 1 +tabu-bodywear.ch, 1 +tabular.tools, 1 +tabulartools.com, 1 +taburetka.ua, 1 +tac-performance.net, 1 +tac-sys.net, 1 +tache.cc, 1 +tachikawa-saisyuusyou.com, 1 +tachoplus.pl, 1 +tachtien.nl, 1 +tachyonapp.com, 1 +taciso.com, 1 +tackleundies.com, 1 +tackn.jp, 1 +tacoma-dui-attorneys.com, 1 +tacomaautomobile.tk, 1 +tacomaclassifieds.net, 1 +tacomaescorts.net, 1 +tacomarugby.com, 1 +tacomarugby.org, 1 +tacotown.tk, 1 +tactful.ai, 0 +tactical.zone, 1 +tacticalavocado.com, 1 +tacticalsquare.com, 1 +tacticalvote.co.uk, 1 +tactile.love, 1 +tactportal.com, 1 +tactus.nl, 1 +tad.ua, 1 +tadaaam.studio, 1 +tadabase.io, 1 +tadalafil-tablets.tk, 1 +tadalafilindia.gq, 1 +tadj-mahalat.com, 0 +tadjiki.tk, 1 +tadjikistan.tk, 1 +tadluedtke.com, 1 +tadtadya.com, 1 +tadu.de, 1 +tadzkitchen.com, 1 +taebek.tk, 1 +taekwondo-berlin.tk, 1 +taekwondo-hochwald.de, 1 +taetomeister.de, 1 +tafcares.org, 1 +tafdi.net, 1 +taffe-elec.com, 1 +tafinance-association.com, 1 +tafnervotacao.com.br, 1 +tafp3.ga, 1 +tafs.com, 1 +taftok.gov, 1 +tafttx.gov, 1 +tafusu-support.com, 1 +tag-insights.com, 1 +tag-verse.com, 1 +tagabrand.co.uk, 1 +tagalliances.com, 1 +tagalog.com, 1 +tagana-anindustrialpark.tk, 1 +tagat.top, 1 +tagaytayhighlands.com, 1 +tagboards.tk, 1 +tagcorp.ca, 1 +tagderinspiration.ch, 1 +tagesmutter-in-bilm.de, 1 +taggedpdf.com, 0 +taggeru.com, 1 +taggigkaktus.tk, 1 +taghit.tk, 1 +tagid.ga, 1 +tagid.tk, 1 +taginet.com, 1 +tagliando.it, 1 +taglioepiega.com, 1 +taglioepiega.eu, 1 +taglioepiega.it, 1 +tagnull.de, 1 +tagram.net, 1 +tagstationen.se, 1 +tagstatravel.com, 1 +tagsweekly.com, 1 +tagtoys.com, 1 +taguette.com, 1 +taguette.fr, 1 +taguette.org, 1 +tagungsraum-usedom.de, 0 +tagungsraum-zinnowitz.de, 0 +tagungsstaette-usedom.de, 0 +tagungsstaette-zinnowitz.de, 0 +tahabrand.com, 1 +tahaonline.tk, 1 +tahitiodoo.com, 1 +tahititourisme.com, 1 +tahititourisme.fr, 1 +tahlequah.gov, 1 +tahlilsonuclari.site, 1 +tahnee.tk, 1 +tahosa.co, 0 +tahribat.tk, 1 +tahrirbazar.com, 1 +tahugocilebut.com, 1 +tahvienovin.ir, 1 +tahynatozzi.tk, 1 +taiaro.tk, 1 +taibachicken.com, 1 +taichi-jade.com, 1 +taidu.news, 1 +taieki.nl, 1 +taifun-software.de, 1 +taiga-aikidojo.tk, 1 +taigalaloca.net, 1 +taihesy.tk, 1 +taijul.tk, 1 +taikodom.tk, 1 +tail.id.lv, 1 +tail.ml, 1 +tail.wtf, 1 +taildb.com, 1 +taille-haie.org, 1 +tailor.com.br, 1 +tailorbrands.com, 1 +tailored.health, 1 +tailoring.tk, 1 +tailpuff.net, 0 +tails.net, 1 +tailsteak.tk, 1 +tailwindapp.com, 1 +tainiesonline.tk, 1 +taintedart.co.nz, 1 +taipak-krasnoyar.tk, 1 +taipei2025.com, 1 +taipei2038.com, 1 +taishon.nagoya, 1 +taitlinstudio.com, 1 +taittowers.com, 0 +taiwan-kitchen.com, 1 +taiwanbible.com.tw, 1 +taiwanhotspring.net, 1 +taiwania.capital, 1 +taiwania.vc, 1 +taiwaniacapital.com, 1 +taiwaniacapital.com.tw, 1 +taiwaniacapital.tw, 1 +taiwanteama.com.tw, 1 +taiwantechtrek.tk, 1 +taiwantour.info, 0 +taizegroep.nl, 1 +taj-portal.tk, 1 +tajbrighton.tk, 1 +tajemno.net, 1 +tajilamagazine.com.br, 1 +tajmisreg.com, 1 +tajniy-smisl.cf, 1 +tajniy-smisl.ga, 1 +tajniy-smisl.gq, 1 +tajniy-smisl.ml, 1 +tajniy-smisl.tk, 1 +tajper.pl, 1 +tajr.shop, 1 +tajtowereg.com, 1 +tak-it.nl, 1 +tak.gov, 1 +takano-recruit.com, 1 +takano-takuhai.com, 1 +takanogroup.co.jp, 1 +takao-hs.com, 1 +takao.ga, 1 +takarabrig.com, 1 +takase.buzz, 1 +takayaindustries.ml, 1 +take-a-screenshot.org, 1 +take1give1.com, 0 +takeaction.ml, 1 +takeatumble.com.au, 1 +takebackyourstate.com, 1 +takebackyourstate.net, 1 +takebackyourstate.org, 1 +takechargetexas.gov, 1 +takecommunity.com, 1 +takedownthissite.com, 1 +takehomepay.uk, 1 +takeitback.tk, 1 +takemydodgecoins.com, 1 +taken.cf, 1 +taken.pl, 1 +takenote.co, 1 +takeomi.jp, 1 +takepicturesleavefootprints.com, 1 +takeshi.cz, 1 +takestars.tk, 1 +takethatspainfanclub.tk, 1 +takezo.tk, 1 +takhfifeirani.ir, 1 +taki.sh, 1 +taki.sk, 1 +taki.to, 1 +takinet.kr, 1 +takipavm.com, 1 +takipcikutusu.com, 1 +takiplekazan.ga, 1 +takito.net, 1 +takk.pl, 1 +takkaaaaa.com, 1 +takkguitar.net, 1 +takkyu-navi.jp, 1 +takosuke.net, 1 +takotv.com, 1 +takotv.live, 1 +taks.nl, 1 +taksaft.tk, 1 +taksimax.ru, 1 +taksometry.pl, 1 +taktak.co.uk, 0 +taktika.tk, 1 +taktraneh.com, 1 +takuhai12.com, 1 +takumi-s.net, 1 +takumikougyou.co.jp, 1 +takuro.us, 1 +takusan.ru, 1 +takuse.cf, 1 +takysoft.tk, 1 +talado.gr, 0 +talakacaruli.tk, 1 +talalaok.gov, 1 +talcualdigital.com, 1 +taldia.es, 1 +taleatherworks.com, 1 +taleblooplastic.ir, 1 +talendipank.ee, 1 +talengo.com, 1 +talent-safari.com, 1 +talentbazi.com, 1 +talentcast.nl, 1 +talentcast.org, 1 +talenteam.com, 1 +talented.ga, 1 +talentedagents.ga, 1 +talenteer.nl, 1 +talentexcellence.com, 1 +talentguru.ml, 1 +talenthubmpi.com, 1 +talentimpuls.de, 1 +talentio.com, 1 +talentis.net, 1 +talentmill.co, 1 +talentoday.com, 1 +talentplatform.ca, 1 +talentplatform.com, 1 +talentplatform.eu, 1 +talentplatform.us, 1 +talentsplit.com, 1 +talentstimuleren.nl, 1 +talentuar.com, 1 +talentwall.io, 1 +taler.net, 1 +talerakademiet.dk, 1 +talesbazaar.com, 1 +talesfromthebigpig.com, 1 +talesofrashidun.com, 1 +talesoftenko.tk, 1 +talichi.com, 1 +talichi.es, 1 +talideon.com, 0 +talikotang.tk, 1 +talisadesign.fi, 1 +talisman-amulet.ga, 1 +talk.google.com, 1 +talkappin.com.au, 1 +talkbasket.net, 1 +talkbitz.com, 0 +talkeducation.com, 1 +talkgadget.google.com, 1 +talki.tk, 1 +talkinators.tk, 1 +talkingbittersweet.com, 1 +talkingmoose.net, 0 +talkingtodrake.tk, 1 +talkingtoteapots.tk, 1 +talkischeap.co.za, 1 +talkischeap.tk, 1 +talklikeyodaday.tk, 1 +talkmojang.club, 1 +talknetwork.ru, 1 +talkreal.net, 1 +talks.run, 1 +talkscope.cf, 1 +talkscope.ml, 1 +talksileby.tk, 1 +talktobabes.com, 1 +talktobot.com, 1 +talktwincities.com, 1 +talkwithyourbaby.org, 1 +talkx.de, 1 +tallac.tk, 1 +tallahatchiecountysheriffofficems.gov, 1 +tallcraft.com, 1 +tallcraft.net, 1 +tallercommercial.com, 1 +tallercs.tk, 1 +tallerdelcuadro.online, 1 +talleresluse.com, 1 +tallerfrancia2.es, 1 +tallgrasslegal.com, 1 +tallinnsec.ee, 1 +tallinnsex.ee, 1 +tallship.cz, 1 +tallulahbernard.com, 1 +tallwoodmedical.com, 1 +tallyfy.com, 1 +tallylights.com, 1 +talment.com.mx, 1 +talmischleather.com, 1 +taloman.fi, 1 +talonro.com, 1 +talos-app.io, 1 +talos-staging.io, 1 +talpanetwork.com, 0 +talpurwadalions.tk, 1 +taltech.ee, 1 +talun.de, 1 +talusan.tk, 1 +talxis.com, 1 +tam-moon.com, 1 +tam-safe.com, 1 +tam7t.com, 0 +tama.ga, 1 +tamagotchicenter.com, 1 +tamalcloud.com, 1 +tamamlayici.com.tr, 1 +tamarac.gov, 1 +tamareverson.tk, 1 +tamarind.by, 1 +tambayology.com, 1 +tambo.es, 1 +tamboa.com, 1 +tambola.live, 1 +tambosi-odeonsplatz.de, 1 +tambov.cf, 1 +tambov.tk, 1 +tambovcity.tk, 1 +tambre.ee, 1 +tamchunho.com, 1 +tamdaotravelvi.tk, 1 +tamdidpay.tk, 1 +tamedia.ch, 1 +tameru.me, 1 +tamerx.com, 1 +tamgaturk.com, 1 +tami.co.uk, 1 +tamilentertainment.tk, 1 +tamilfunda.com, 1 +tamilglitz.in, 1 +tamilrokers.tk, 1 +tamilsms.blog, 1 +tamiltax.tk, 1 +tamim.io, 1 +tamimmalik.ml, 1 +tamindir.com, 1 +tamistuff.com, 1 +tammie.ga, 1 +tammiku.edu.ee, 1 +tammvee.ee, 1 +tammy.pro, 1 +tamoxifen-citrate.gq, 1 +tamoxifen-citrate.ml, 1 +tamoxifenformen.ga, 1 +tampa.gov, 1 +tampabaybusinesslistings.com, 1 +tampabayhistorycenter.org, 1 +tampabayhometours.info, 1 +tampacific.net, 1 +tampacific.vn, 1 +tampaexplorer.ml, 1 +tampereenliberaalit.tk, 1 +tampus.chat, 1 +tamracapital.sa, 1 +tamriel-rebuilt.org, 1 +tamrielcraft.tk, 1 +tamronhallshow.com, 1 +tamsulosin.gq, 1 +tamuraei.co.jp, 1 +tamylove.net, 1 +tan90.tw, 1 +tanabekensetsu.co.jp, 1 +tanacio.com, 1 +tanakayoshihiko.com, 1 +tanatos.ga, 1 +tanchynski.com, 1 +tancredi.nl, 0 +tancuongtea.tk, 1 +tand-teknik.dk, 1 +tandarts-ict.nl, 1 +tandartsen-ict.nl, 1 +tandartspraktijkreddingius.nl, 1 +tandartszilverschoon.nl, 1 +tandblekningidag.com, 1 +tandcr.com, 1 +tandem-trade.ru, 0 +tandemexhibits.com, 1 +tandempartnerships.com, 0 +tandemtransport.ca, 1 +tandhoutdoors.com, 1 +tandzorg.link, 1 +taneytownmd.gov, 1 +tangai.tk, 1 +tangas.tk, 1 +tangel.me, 1 +tangemann.org, 1 +tangentnet.tech, 1 +tangentnetworks.tech, 1 +tangerangkota.go.id, 1 +tangiblesnft.com, 1 +tangier.tk, 1 +tangipahoa.gov, 1 +tangle-teezer.net, 1 +tangledmeditations.com, 1 +tanglepatterns.com, 1 +tango-cats.de, 1 +tango-networks.com, 0 +tango-querida.tk, 1 +tango.berlin, 1 +tango.info, 1 +tangoalpha.co.uk, 1 +tangoanalytics.com, 1 +tangofoxi.com, 1 +tangosix.rs, 1 +tangs.com, 1 +tangub.today, 1 +tangubpatientmonitoring.com, 1 +tangyue.date, 1 +tangzhao.net, 1 +tanhaa.tk, 1 +tanhongit.com, 1 +taniawizualizacja.pl, 1 +tanie-obraczki-szczecin.tk, 1 +tanie-uprawnienia-sep.pl, 1 +taniguchi.jp.net, 1 +taniguchi.link, 1 +taniguchi.osaka.jp, 1 +taniku-succulent.com, 1 +tanjaradovic.tk, 1 +tanjasavicmusic.tk, 1 +tankdoggear.tk, 1 +tanknology.ca, 1 +tankos.tk, 1 +tankpassen-vergelijken.nl, 1 +tanks.je, 1 +tankski.co.uk, 1 +tankture.com, 1 +tanned.tk, 1 +tannenhof-moelln.de, 1 +tanner.sh, 1 +tanneradvisorysolutions.com.au, 1 +tannercorporation.com, 1 +tannerdewitt.com, 1 +tannerryan.ca, 1 +tannerwilliamson.com, 1 +tannerwj.com, 1 +tannextcloud.cf, 1 +tanningroom.co.uk, 1 +tannlegenityrkia.no, 1 +tanomimaster.com, 1 +tanovar.com, 1 +tanpaoperasi.com, 1 +tanphu.tk, 1 +tanpopo.io, 1 +tantalos.nl, 1 +tantejulia.tk, 1 +tantetilli.de, 0 +tanto259.name, 1 +tantrabali.tk, 1 +tantravoorlichting.nl, 1 +tantrum-rocks.tk, 1 +tantso.com, 1 +tanuki.army, 1 +tanushka.tk, 1 +tanveersingh.tk, 1 +tanweerkhan.tk, 1 +tanya-avdeeva.cf, 1 +tanyanama.com, 1 +tanz-kreativ.de, 0 +tanz.info, 1 +tanzania-chameleon.ga, 1 +tanzanianfilms.tk, 1 +tanzaniauk.org.uk, 1 +tanzhijun.com, 1 +tanzpartner.tk, 1 +tao-energie.tk, 1 +taoaworld.com, 1 +taoburee.com, 0 +taodung.com, 1 +taoismus.eu, 1 +taolu.tv, 1 +taolu168.com, 1 +taolubdsm10.com, 1 +taoofbeauty.tk, 1 +taoscountynm.gov, 1 +taoshu.in, 1 +taosinjurylawyers.com, 1 +taosnm.gov, 1 +taotic.eu, 1 +taowa.ca, 1 +taoyingchang.tk, 1 +tap.az, 1 +tap.bio, 1 +tapbutdao.com, 1 +tapchiphaidep.info, 1 +tapcloud.com, 1 +tapestries.tk, 1 +tapestryjournal.com, 1 +tapesvip.xyz, 1 +tapetenresonanz.de, 1 +taplemon.at, 1 +taplemon.com, 1 +tapmat.com, 1 +tapparellemessina.it, 1 +tappezzeria.roma.it, 1 +tappezziere.milano.it, 0 +tappezziere.roma.it, 1 +tapquad.com, 1 +taprix.org, 1 +tapsnapp.co, 1 +taqamorocco.ma, 1 +taquilla.com, 1 +taqun.club, 1 +tara.ru, 1 +tarabici.tk, 1 +taraiid.com, 1 +tarakan-klopik.tk, 1 +taraksarkar.tk, 1 +taranagar.tk, 1 +tarantino.tk, 1 +tarantul.org.ua, 1 +tarantula-spider.com, 1 +taraori.tk, 1 +tarapacadigitaltv.tk, 1 +tarasecurity.co.uk, 1 +tarasecurity.com, 1 +tarasevich.by, 1 +taravancil.com, 0 +tarbsong.ml, 1 +tarcode.ru, 1 +tardics.com, 1 +tardics.eu, 1 +tardics.net, 1 +tardis.cloud, 1 +tardis.io, 1 +tardishomelab.com, 1 +tarek.wtf, 1 +tarekfadel.com, 1 +tarfand-pc.tk, 1 +tarfandgram.com, 0 +tarfin.com, 1 +targaryen.house, 1 +target.com, 1 +targetbuilding.com, 1 +targetlonglife.tk, 1 +targetmarc.com, 1 +targetsportsworld.com, 0 +targettrend.com, 1 +targeturl.ru, 1 +targetx.pl, 1 +targimieszkaniowe.net, 1 +targoncavasarlas.hu, 1 +tarhunfirin.com, 1 +tarif-pellets.fr, 1 +tarife.at, 1 +tariff.cc, 1 +tarihpedia.com, 1 +tarihvakti.com, 1 +tarija.tk, 1 +tarik.io, 1 +tarikigaru.ga, 1 +tarimaferial.com, 1 +tarimkredi.net, 1 +tarjaturunen.tk, 1 +tarjetasgraficas.tk, 1 +tarjetaspark.es, 1 +tarjetaspersonales.tk, 1 +tarjetondigital.com, 1 +tarkari.tk, 1 +tarkasparrows.org.za, 1 +tarketmedia.com, 1 +tarkett-group.com, 1 +tarkov.tk, 1 +tarocchi.blog, 1 +taron.top, 1 +tarot-online-app.com, 1 +tarot-online-app.de, 1 +tarot-online.cn, 1 +tarot-online.com.pl, 1 +tarot-online.fr, 1 +tarot-online.it, 1 +tarot.vn, 1 +tarotgratis.vip, 1 +tarotreadingexplained.com, 1 +tarper24.net, 1 +tarpsnow.com, 0 +tarrantandharman.com, 1 +tarrasque.io, 1 +tarrytownny.gov, 1 +tarsan.cz, 1 +tarsusdistribution.co.za, 0 +tarsusrx.com, 1 +tartablu.it, 1 +tartaneagle.org.uk, 1 +tartanhamedshop.com.br, 1 +tartu.ee, 0 +tartufomajella.it, 1 +taruntarun.net, 1 +tarus.gq, 1 +tarvit.me, 1 +tarvoo.com, 1 +tarzanka.ml, 1 +tas.best, 1 +tas2580.net, 0 +tasarimgazetesi.com, 1 +tasarimrehberi.com, 1 +tasawehala.com, 1 +tascas.ga, 1 +tasconnect.com, 1 +tascout.com, 1 +tascuro.com, 1 +tasefiling.gov, 1 +tashicell.com, 1 +tasintrip.com, 1 +taskforce.eu, 1 +taskhorizon.audio, 1 +taskin.me, 1 +taskman.london, 1 +taskotron.fedoraproject.org, 1 +taskotron.stg.fedoraproject.org, 1 +taskrunnr.com, 1 +tasks.org, 1 +tasktrek.com, 1 +taskulu.com, 1 +taskulu.ir, 1 +taskus.com, 1 +taskwise.cf, 0 +tasnomanija.rs, 1 +tasogarenoinori.net, 1 +tasonoken.tk, 1 +tasports.com.au, 1 +tasports2043.com.au, 1 +tastenewwines.com, 1 +tasteville.com.au, 1 +tastycake.net, 0 +tastycool.io, 1 +tastyplacement.com, 1 +tastystakes.com, 1 +tastyworksreview.co, 1 +tasvideos.org, 1 +tatamypa.gov, 1 +tataog.com, 1 +tatar-bashqort.tk, 1 +tatara.ne.jp, 1 +tatard.fr, 1 +tataria.tk, 1 +tatarin.ga, 1 +tatarin.gq, 1 +tataristan.tk, 1 +tatarland.tk, 1 +tatarsecurity.ir, 1 +tataru.it, 1 +tatarworld.tk, 1 +tatary.cf, 1 +tatary.tk, 1 +tate.com, 1 +tatecountyms.gov, 1 +tateesq.com, 0 +tateishi-ip.com, 1 +tatemode.com, 1 +taters.org, 1 +tatewake.com, 1 +tatfan.com, 1 +tathanhson.com, 1 +tatiana-kpb.tk, 1 +taticul.ro, 1 +tatilsepeti.com, 1 +tatjana-young.net, 1 +tatler.com, 1 +tato.noip.me, 0 +tatoo-shop.ca, 1 +tatooine.club, 1 +tatort-fanpage.de, 1 +tatsidou.gr, 1 +tatsumi-air.com, 1 +tatsuya.tk, 1 +tatteredatlastales.com, 1 +tattoo-art.tk, 1 +tattoo-artist.org, 1 +tattoo-family.com, 1 +tattoo.roma.it, 1 +tattoocorina.tk, 1 +tattooidee.nl, 1 +tattoomotive.net, 1 +tattoopiercing-wien.at, 1 +tatu-love.tk, 1 +tatuaggi.roma.it, 1 +tatuaggio.co, 1 +tatuering.net, 1 +tatuhagu.gov, 1 +taturukav.tk, 1 +taubenartikel.de, 1 +taubin.cc, 1 +tauedu.org, 1 +taufers.info, 1 +tauntongolf.co.uk, 1 +tauntonpdma.gov, 1 +taunusstein.net, 1 +taura.vn, 1 +tauran.net, 1 +tauriscia.tk, 1 +taurus.edu.pl, 1 +taurusgaming.com, 1 +tava.tk, 1 +tavanahost.com, 0 +tavaresfl.gov, 1 +tavda.info, 1 +tavelbutiken.com, 1 +taverne.tk, 1 +taverns.tk, 1 +tavex.bg, 1 +tavex.dk, 1 +tavex.eu, 1 +tavex.fi, 1 +tavex.hu, 1 +tavex.lt, 1 +tavex.lv, 1 +tavex.no, 1 +tavex.pl, 1 +tavex.ro, 1 +tavex.rs, 1 +tavex.se, 1 +tavexbullion.co.uk, 1 +tavid.ee, 1 +taviskaron.ru, 1 +tavola-cescato.club, 1 +tavolaquadrada.com.br, 1 +tavolartegusto.it, 1 +tavoseimai.lt, 1 +tavsiyeforumu.com, 1 +tavsys.net, 1 +tavukdiyari.net, 1 +tawzea.com, 1 +tax-brain.net, 1 +tax-guard.com, 1 +taxandor.com, 1 +taxassist.co.uk, 1 +taxationweb.co.uk, 1 +taxboard.gov.au, 1 +taxborn.com, 0 +taxdispute.win, 1 +taxesreclaimed.com, 1 +taxfunder.co.uk, 1 +taxfunder.uk, 1 +taxglobalizers.com, 1 +taxhawk.com, 1 +taxi-5plus.ru, 1 +taxi-christian.de, 1 +taxi-collectif.ch, 0 +taxi-domzale.tk, 1 +taxi-doudoune.fr, 1 +taxi-edessas.gr, 1 +taxi-legroux.com, 1 +taxi-meridian.ru, 1 +taxi-puck.pl, 1 +taxi-tienen.com, 1 +taxi-zakaz.ml, 1 +taxi24.ml, 1 +taxi7.be, 1 +taxialcmaria.nl, 1 +taxibiz.ga, 1 +taxicollectif.ch, 0 +taxid-k.be, 1 +taxikraken.tk, 1 +taxiloerrach.de, 1 +taximinvody.ml, 1 +taximovies.gq, 1 +taxinhanhphanthiet24h.vn, 1 +taxipool.co.il, 1 +taxirostova.ru, 1 +taxis-collectifs.ch, 0 +taxisafmatosinhos.pt, 1 +taxiscollectifs.ch, 0 +taxiseek.ga, 1 +taxiunion.info, 1 +taxivip24h.com, 1 +taxlab.co.nz, 0 +taxly.kr, 1 +taxmadras.com, 1 +taxo.fi, 1 +taxpackagesupport.com, 1 +taxprocpa.com, 1 +taxstorestalbans.com.au, 1 +taxteam.co.il, 1 +taxuni.com, 1 +taybee.net, 1 +tayebbayri.com, 1 +tayho24h.com, 1 +taylorandfrancis.com, 1 +tayloraz.gov, 1 +taylorburton-porn.com, 1 +taylorcountyhdwv.gov, 1 +taylorcountyky.gov, 1 +taylorcountywv.gov, 1 +taylored.ga, 1 +taylorelectionsfl.gov, 1 +taylorfarms.com, 1 +taylorfrancis.com, 1 +taylorfry.au, 1 +taylorfry.co.nz, 1 +taylorfry.com, 1 +taylorfry.com.au, 1 +taylorfry.nz, 1 +taylors-castles.co.uk, 1 +taylorshillsamoan.org, 1 +taylorstauss.com, 1 +tazamobile.ga, 1 +tazarelax.es, 1 +tazefiltre.com, 1 +tazefirsat.com, 1 +tazemama.biz, 1 +tazenda.tk, 1 +tazendaforever.tk, 1 +tazewell-il.gov, 1 +tazewellcountyjury.gov, 1 +tazita.tk, 1 +tazz.ro, 1 +tb-bolshevik.tk, 1 +tb-devel.de, 1 +tb-itf.de, 1 +tb.org.tw, 1 +tbahn.de, 1 +tbatr.tk, 1 +tbbank.gov.tm, 1 +tbcinteriorismo.com, 1 +tbcloud.site, 0 +tbebkom.com, 1 +tbejos.com, 1 +tbfocus.com, 1 +tbi.equipment, 1 +tbi.systems, 1 +tbid.gov, 1 +tbird-q.com, 1 +tbitc.ch, 1 +tbksp.org, 1 +tbkwatch.co.za, 1 +tbkwatch.com, 1 +tbkwatch.org.za, 1 +tbld.gov, 1 +tblflip.de, 1 +tblnk.de, 1 +tbonejs.org, 1 +tbox.net, 1 +tbpchan.cz, 1 +tbq-s.com, 1 +tbq-s1.com, 1 +tbreni.hu, 1 +tbrindus.ca, 1 +tbs-certificates.co.uk, 1 +tbscan.com, 1 +tbsmportal.com, 1 +tbspace.de, 1 +tbsstrong.com, 1 +tbsunday.tk, 1 +tbtech.cz, 1 +tbuchloh.de, 1 +tbun.de, 1 +tbunews.com, 1 +tbunews.info, 1 +tbwa.com, 1 +tbwa.com.au, 0 +tbyi.gov, 1 +tbys.us, 1 +tbz-pariv.de, 1 +tc-solutions.be, 1 +tc-tsc.com, 1 +tc.nz, 1 +tc2.hu, 1 +tcacademy.co.uk, 1 +tcade.co, 1 +tcapws-dev.azurewebsites.net, 1 +tcapws-prod.azurewebsites.net, 1 +tcb-a.org, 1 +tcbdarts.nl, 1 +tccc.org.tw, 1 +tcckonsult.com, 1 +tccmb.com, 1 +tccportal.com, 1 +tcddtrensaatleri.com, 1 +tcdn.tech, 1 +tcdww.cn, 1 +tcepc.com, 1 +tcf.org, 1 +tcgc-adms.com, 1 +tcgcardcare.com, 1 +tcgcollector.com, 1 +tcglobal.com, 1 +tcgpraktijk.nl, 1 +tcgrepublic.com, 1 +tch-forum.com, 1 +tchak.be, 1 +tchaka.top, 1 +tchalian-boulonnerie.store, 1 +tchannels.tv, 1 +tcharning.ml, 1 +tchatland.fr, 1 +tche.digital, 1 +tchealers.com, 1 +tcheb.ru, 1 +tchebb.me, 1 +tchncs.de, 1 +tchnics.de, 1 +tcholet.com, 1 +tchoukball.ch, 0 +tchouktchouk-baroum.fr, 1 +tci-style.pl, 1 +tci-thaijo.org, 0 +tci-thailand.org, 1 +tciit.pl, 1 +tcit.fr, 0 +tcj.ir, 1 +tcl.sh, 1 +tcmk-tomsk.ru, 1 +tcmskarate.fr, 1 +tcnapplications.com, 1 +tco.zapto.org, 1 +tcoa.tk, 1 +tcpdf.org, 1 +tcpride.org, 1 +tcptun.com, 1 +tcr-ees.com, 1 +tcrecord.org, 1 +tcsemotion.com, 1 +tcspartner.eu, 1 +tcspartner.net, 1 +tcuprs.com, 1 +tcvanbuuren.tk, 1 +tcvonline.vic.gov.au, 1 +tcvw.org, 1 +tcwis.com, 1 +tcwsites.com.br, 1 +tcybert.com, 1 +tcyoung.co.uk, 1 +td-bambini.com, 1 +td-magellan.ru, 1 +td-olymp.ru, 1 +td-zolotoy.ru, 1 +tda-werbetechnik.de, 1 +tda.de, 1 +tdchrom.com, 0 +tddaij.com, 1 +tddos.pw, 1 +tdeaqua.com, 1 +tdeecalculator.org, 1 +tdelmas.ovh, 1 +tdev.team, 1 +tdk.eu, 1 +tdlesovik.ru, 1 +tdln.tk, 1 +tdn.com, 1 +tdolar.com, 1 +tdr.today, 1 +tdrcartuchos.com.br, 1 +tdro.cf, 1 +tdrs.info, 1 +tds-forum.tk, 1 +tdsb.cf, 1 +tdsb.ml, 1 +tdsbhack.tk, 1 +tdse.de, 1 +tdsf.io, 1 +tdstoragebay.com, 1 +tdtf.eu, 1 +tdtf.hk, 1 +tdtf.nl, 1 +tdvg.nl, 1 +tdxexpedited.com, 1 +tdyx-china.com.cn, 0 +te-ajut.ro, 1 +te-an.tw, 1 +te9.ru, 1 +tea-alpha.gr, 1 +tea-eurobank.gr, 1 +tea.codes, 1 +tea.in.th, 1 +teablr.com, 1 +teach.com, 1 +teach.gq, 1 +teachbase.ru, 1 +teachbiz.net, 1 +teachercall.kr, 1 +teachermommylife.com, 1 +teachernewsbd.com, 1 +teacherph.com, 1 +teacherph.net, 0 +teacherpics.com, 1 +teacherquinten.com, 1 +teacherquotes.gq, 1 +teachersasap.info, 1 +teachertoolsgpt.com, 1 +teaching-certification.com, 1 +teachinginhighered.com, 1 +teachingtoday.education, 1 +teachking.tk, 1 +teachnowprogram.com, 1 +teachonmars.com, 1 +teachpeople.org, 1 +teachwithouttears.com, 1 +teacuppersiancats.com, 1 +teacupyorkiespets.com, 1 +teaeggss.com, 1 +teagardenspa.com, 1 +teaguepdtx.gov, 1 +teahawaii.ga, 1 +teahouse.gq, 1 +teahut.net, 1 +teaine.com, 1 +teainside.ga, 1 +teaks.nl, 1 +tealium.com, 1 +team-17.tk, 1 +team-a.tk, 1 +team-aaa.tk, 1 +team-apollo.tk, 1 +team-atomic.tk, 1 +team-azerty.com, 1 +team-bbd.com, 1 +team-building.madrid, 1 +team-building.tirol, 1 +team-cut.tk, 1 +team-darkness.tk, 1 +team-eklund-motorsport.tk, 1 +team-io.net, 1 +team-royal.tk, 1 +team-russia.tk, 1 +team-swami.com, 1 +team-toranomon.com, 1 +team-work.online, 1 +team.house, 0 +team005helpdesk.ddns.net, 1 +team3.au, 1 +team3482.com, 1 +team7-home.com, 1 +team957.co.uk, 1 +teamarasensas.tk, 1 +teamasea.com, 1 +teamassists.com, 0 +teamawesome.ga, 1 +teamb.nl, 1 +teambalinge.tk, 1 +teambanzai.tk, 1 +teambeam.ru, 0 +teambee.tk, 1 +teambim.eu, 1 +teamcg.ru, 1 +teamclean.bg, 1 +teamcoco.com, 1 +teamcode.tk, 1 +teamcodeorange.tk, 1 +teamcollins.org.nz, 1 +teamconf.ru, 1 +teamdarko.tk, 1 +teamdaylo.xyz, 1 +teamdev.id, 1 +teamdevelopers.ga, 1 +teamdriven.tk, 1 +teamdumondelibre.fr, 1 +teamengland.tk, 1 +teamfriet.nl, 1 +teamhd.org, 1 +teamhealth.com, 1 +teamhinkleyc.com, 0 +teamhybrid.com, 1 +teamhybridforums.com, 1 +teamjiradia.tk, 1 +teamkankun.tk, 1 +teamkgsr.com, 1 +teamkilled.tk, 1 +teamkiller.tk, 1 +teamkoncert.pl, 1 +teamleader-apps-by-invantive.com, 1 +teamlightning.tk, 1 +teamliquid.com, 1 +teamliquid.eu, 1 +teamliquidstarleague.com, 1 +teammateworld.com, 1 +teammojo.org, 1 +teammotorcycle.com, 1 +teamninjaapp.com, 1 +teamnissannorthparts.com, 1 +teamnutrition.fr, 1 +teamos.tk, 1 +teampaddymurphy.ch, 1 +teampaddymurphy.ie, 1 +teampages.com, 1 +teampassword.com, 1 +teampatat.nl, 1 +teamphotonetwork.com, 1 +teampoison.tk, 1 +teampz.com, 1 +teamr3set.com, 1 +teamrecess.com, 1 +teamredfox.tk, 1 +teamrevolution.tk, 1 +teamroom.jp, 1 +teams.microsoft.us, 1 +teamsakura.net, 1 +teamsass.ca, 1 +teamsecure.al, 1 +teamsecure.at, 1 +teamsecure.be, 1 +teamsecure.bg, 1 +teamsecure.ch, 1 +teamsecure.co.il, 1 +teamsecure.co.uk, 1 +teamsecure.com.ua, 1 +teamsecure.cz, 1 +teamsecure.de, 1 +teamsecure.dk, 1 +teamsecure.ee, 1 +teamsecure.es, 1 +teamsecure.fi, 1 +teamsecure.fr, 1 +teamsecure.gr, 1 +teamsecure.hu, 1 +teamsecure.io, 1 +teamsecure.is, 1 +teamsecure.it, 1 +teamsecure.li, 1 +teamsecure.lt, 1 +teamsecure.lu, 1 +teamsecure.lv, 1 +teamsecure.md, 1 +teamsecure.me, 1 +teamsecure.mk, 1 +teamsecure.pl, 1 +teamsecure.pt, 1 +teamsecure.ro, 1 +teamsecure.rs, 1 +teamsecure.ru, 1 +teamsecure.se, 1 +teamsecure.si, 1 +teamsecure.sk, 1 +teamsherry.realtor, 1 +teamshirts.at, 1 +teamshirts.be, 1 +teamshirts.ch, 1 +teamshirts.co.uk, 1 +teamshirts.com, 1 +teamshirts.de, 1 +teamshirts.dk, 1 +teamshirts.fi, 1 +teamshirts.fr, 1 +teamshirts.net, 1 +teamshirts.nl, 1 +teamshirts.no, 1 +teamshirts.se, 1 +teamsignia.com, 1 +teamsomeday.tk, 1 +teamsudan.cf, 1 +teamtheory.io, 1 +teamtirith.com, 1 +teamtomorrow.tk, 1 +teamtotal.com, 1 +teamtrack.uk, 1 +teamup.com, 1 +teamup.rocks, 0 +teamupturn.com, 1 +teamupturn.org, 1 +teamusacreditrepair.com, 0 +teamusec.de, 1 +teamwass.com, 1 +teamwass.eu, 1 +teamwolf.tk, 1 +teamwork-bad-wurzach.de, 1 +teamworld.blog, 1 +teamwpsekure.com, 1 +teamx-gaming.de, 0 +teaparty.id, 1 +teapiraeus.gr, 1 +teara.govt.nz, 1 +teararia.com, 1 +teardrop.tk, 1 +tearihome.com, 1 +tearoomlints.be, 1 +tease.email, 1 +teasenetwork.com, 1 +teaser-trailer.com, 1 +teasers.ga, 1 +teaterbristol.se, 1 +teatrarium.com, 1 +teatrebarcelona.com, 1 +teatroutopia.tk, 1 +teatruastra.org.mt, 1 +teazer.tk, 1 +teb-akademia.pl, 1 +teb-x-1.com, 1 +tebebo.com, 1 +teber.av.tr, 1 +tebian.tk, 1 +tebianco.net, 1 +tebieer.com, 1 +tebodental.com, 1 +tebodentalgroup.com, 1 +tebodentistryatlanta.com, 1 +tebodentistryforkids.com, 1 +teboexperience.com, 1 +tebokidsstore.com, 1 +teboorthodontics.com, 1 +tebothetooth.com, 1 +tebsonati.tk, 1 +tebx-1.com, 1 +tebx1.com, 1 +tec24.ga, 1 +tecart-cloud.de, 1 +tecart-system.de, 0 +tecart.de, 1 +tecartcrm.de, 1 +tecatebeerusa.com, 1 +tece.com, 1 +tece.de, 1 +tecfix.com, 1 +tecfleet.com, 1 +tech-clips.com, 0 +tech-dempaz.com, 1 +tech-essential.com, 1 +tech-guru.ml, 1 +tech-idea.com, 0 +tech-ideas.tk, 1 +tech-leaders.jp, 1 +tech-my.biz, 1 +tech-ninja.de, 0 +tech-post.net, 1 +tech-professor.ir, 1 +tech-rat.com, 1 +tech-seminar.jp, 1 +tech-story.net, 1 +tech-urdu.tk, 1 +tech-value.eu, 1 +tech-zealots.com, 1 +tech-zoom.com, 1 +tech3599.com, 1 +tech3araby.com, 1 +tech4founders.co, 1 +tech4greece.gr, 1 +tech506.com, 1 +techalert.net, 1 +techangel.tk, 1 +techanit.de, 1 +techarab.ga, 1 +techarchive.cf, 1 +techarchive.ml, 1 +techarchive.tk, 1 +techarea.fr, 1 +techarkansas.tk, 1 +techask.it, 1 +techassist.io, 0 +techatt.com, 1 +techava.ru, 1 +techbelife.com, 1 +techbizidea.com, 1 +techblue.co.uk, 1 +techbmc.com, 1 +techbrawl.org, 1 +techbuz.net, 1 +techbuzzonly.com, 1 +techcavern.ml, 1 +techcentral.ml, 1 +techcenturion.com, 1 +techchip.com, 1 +techclan.ga, 1 +techcluster.tk, 1 +techcm.com, 1 +techcody.com, 1 +techcolorado.tk, 1 +techcompany.tk, 1 +techcracky.com, 1 +techcu.lt, 1 +techcult.com, 1 +techcultivation.de, 0 +techcultivation.net, 0 +techcultivation.org, 1 +techdatapark.com, 1 +techday.asia, 1 +techday.co.nz, 1 +techday.com, 1 +techday.com.au, 1 +techday.network, 1 +techdhanush.com, 1 +techdirt.com, 1 +techdocscove.xyz, 1 +techdoms.tk, 1 +techeasyblog.com, 1 +teched-creations.com, 1 +techexpert.tips, 1 +techexplorist.com, 1 +techfibian.tk, 1 +techfinancials.co.za, 1 +techfishnews.com, 1 +techformator.pl, 1 +techforthepeople.org, 1 +techforum.cz, 1 +techframework.com, 1 +techfreepro.ml, 1 +techfuturae.com, 1 +techgama.org, 1 +techgearlab.com, 1 +techgo.re, 1 +techgrance.com, 1 +techguidereview.com, 1 +techguides.tk, 1 +techgurubiz.com, 1 +techhackhome.tk, 1 +techhappy.ca, 1 +techhh.ca, 1 +techhubs.gov, 1 +techie-show.com, 1 +techiecomputers.com, 1 +techiehall.com, 1 +techieidiots.ml, 1 +techieshideaway.com, 1 +techiesmart.tk, 1 +techiestalk.in, 1 +techikoma.social, 1 +techindiana.tk, 1 +techindo.cf, 1 +techinet.pl, 1 +techinsurance.com, 1 +techiseasy.it, 1 +techisfake.ga, 1 +techitalk.ga, 1 +techitsol.tk, 1 +techiwant.com, 1 +techjobplaybook.nyc, 1 +techjobs.be, 1 +techkalture.com, 1 +techkeep.tk, 1 +techkentucky.tk, 1 +techkilla.tk, 1 +techland.net, 1 +techlandgg.com, 1 +techlearningcollective.com, 1 +techlevel.org, 1 +techlit.pk, 1 +techlore.tech, 1 +techlovers.com, 1 +techlr.de, 1 +techmagazine.tk, 1 +techmagick.com, 1 +techmaish.com, 1 +techmammal.de, 1 +techmanstan.com, 1 +techmatter.tk, 1 +techmatters.org, 1 +techmayhem.net, 1 +techmeout.io, 1 +techmerch.ru, 0 +techmusea.com, 1 +technamin.com, 1 +technavio.com, 1 +technewsetc.tk, 1 +technewyork.tk, 1 +technic-piscines.fr, 1 +technic3000.com, 1 +technicabv.nl, 1 +technicalbikram.tk, 1 +technicalbikrammalati.tk, 1 +technicalbrothers.cf, 1 +technicalfiresolutions.com, 1 +technicalforensic.com, 1 +technicalhelps.org, 1 +technicalhub.tk, 1 +technicalities.ca, 1 +technicallyeasy.net, 1 +technicalmarine.solutions, 1 +technicalproblem.tk, 1 +technicaltoolboxes.com, 1 +technicaltrainer.co.za, 1 +technicalustad.com, 1 +technician.academy, 1 +technick.net, 1 +technicodelabels.com, 1 +technicus.nl, 1 +technikoma.com, 1 +technikoma.eu, 1 +technikoma.net, 1 +technikoma.org, 1 +technikoma.social, 1 +technikplanet.de, 1 +techniqueelevage.ddns.net, 1 +techniquetechs.com, 1 +technisys.com, 1 +techno-utopia.com, 1 +techno360.in, 1 +technochat.in, 1 +technocracy.works, 1 +technodance.tk, 1 +technodemarkt.bg, 1 +technodevelopmentera.tk, 1 +technodisaster.com, 1 +technogies.cf, 1 +technogps.com, 1 +technogrand.gq, 1 +technoholod.tk, 1 +technohonks.tk, 1 +technohram.tk, 1 +technoidhost.com, 1 +technoids.tk, 1 +technoledge.jp, 1 +technolink.cf, 1 +technolink.ga, 1 +technologie-innovation.fr, 1 +technology.cx, 1 +technologyabundant.ga, 1 +technologyandroid.tk, 1 +technologyapp.tk, 1 +technologycaptive.ga, 1 +technologycellar.ga, 1 +technologyclassy.ga, 1 +technologycollections.ga, 1 +technologycollector.ga, 1 +technologycompanion.ga, 1 +technologycupid.ga, 1 +technologydesigning.ga, 1 +technologydigital.tk, 1 +technologyecho.ga, 1 +technologyecho.tk, 1 +technologyinformation.tk, 1 +technologyintergrity.ga, 1 +technologyjust.ga, 1 +technologylittle.ga, 1 +technologymessenger.ga, 1 +technologynewss.tk, 1 +technologyscience.tk, 1 +technologysi.com, 1 +technologysnapshot.ga, 1 +technologysoftware.tk, 1 +technologysouthbeach.ga, 1 +technologysprint.ga, 1 +technologysugar.ga, 1 +technologyvisual.ga, 1 +technologywaterfront.ga, 1 +technologywt.com, 1 +technolution.tk, 1 +technolux.net, 0 +technomagia.tk, 1 +technomix.tk, 1 +technopedia.gq, 1 +technorthdakota.tk, 1 +technosapien.ml, 1 +technosorcery.net, 1 +technospeakco.com, 1 +technostone.tk, 1 +technostropic.au, 1 +technostropic.com, 1 +technostropic.net, 1 +technoswag.ca, 1 +technotoday.com.tr, 1 +technotronikcanada.ca, 0 +technovisioneng.com, 1 +technoweb.ga, 1 +technowikis.com, 1 +technowise.tk, 1 +technowiz.tk, 1 +technoyl.com, 1 +techonline.com, 1 +techorbiter.com, 1 +techorganism.com, 1 +techpartes.com.br, 1 +techpedia.it, 1 +techpeer.al, 1 +techpeer.at, 1 +techpeer.be, 1 +techpeer.bg, 1 +techpeer.ch, 1 +techpeer.co.uk, 1 +techpeer.cz, 1 +techpeer.de, 1 +techpeer.dk, 1 +techpeer.ee, 1 +techpeer.es, 1 +techpeer.eu, 1 +techpeer.fr, 1 +techpeer.hu, 1 +techpeer.lt, 1 +techpeer.lu, 1 +techpeer.lv, 1 +techpeer.md, 1 +techpeer.me, 1 +techpeer.nl, 1 +techpeer.pl, 1 +techpeer.pt, 1 +techpeer.ro, 1 +techpeer.rs, 1 +techpeer.se, 1 +techpeer.si, 1 +techpeer.sk, 1 +techpilipinas.com, 1 +techpoint.org, 0 +techpp.com, 1 +techpressable.com, 1 +techprom.tk, 1 +techraptor.net, 1 +techrek.pl, 1 +techreportforall.tk, 1 +techrevolution.lt, 1 +techround.co.uk, 1 +techs.cf, 1 +techsalot.com, 1 +techsat.tk, 1 +techsaviours.online, 1 +techsaviours.org, 1 +techsecrets.tk, 1 +techsee.me, 1 +techserve.ml, 1 +techsharetx.gov, 1 +techshift.eu, 1 +techshift.nl, 1 +techshift.se, 1 +techsite.tk, 1 +techsmartstore.com, 1 +techsna.com, 1 +techsolvency.com, 1 +techsoup.net.nz, 1 +techstackjournal.com, 1 +techsys.ch, 1 +techsys.cz, 1 +techtastic.tk, 1 +techtexas.tk, 1 +techthorne.com, 1 +techtivity.pl, 1 +techto.date, 1 +techtolia.com, 1 +techtouch.tk, 1 +techtoydeveloper.tk, 1 +techtrader.ai, 1 +techtrendnews.tk, 1 +techtrozan.ga, 1 +techunit.org, 1 +techvaz.com, 1 +techview.link, 1 +techviewforum.com, 1 +techvigil.org, 1 +techvision.tk, 1 +techvoice.tk, 1 +techwalker.cf, 1 +techwallet.tk, 1 +techwestsolutions.com.au, 1 +techwin.systems, 1 +techwithcromulent.com, 1 +techwolf12.nl, 1 +techwords.io, 1 +techzant.com, 1 +techzero.cn, 1 +techzjc.com, 0 +tecit.ch, 1 +tecke.tk, 1 +teckgeekz.com, 1 +tecknobox.fr, 1 +tecknologg.website, 1 +teckprojects.com, 1 +tecmarkdig.com, 1 +tecmestre.com.br, 1 +tecne.ws, 1 +tecnicainnovacion.com.mx, 1 +tecnicapotiguar.com.br, 1 +tecnicasapinzon.com, 1 +tecnicfit.ovh, 1 +tecnick.com, 1 +tecnicman.com, 1 +tecnicman.it, 1 +tecnicoadomicilio.com.mx, 1 +tecnicoelettrodomestici.roma.it, 1 +tecnikan.ar, 1 +tecnimas.com.mx, 0 +tecnimotos.com, 1 +tecnitool.es, 1 +tecno-block.ru, 1 +tecno-pack.net, 1 +tecnoarea.com.ar, 1 +tecnoblog.net, 1 +tecnoboxchile.cl, 1 +tecnocomp-systems.com, 1 +tecnodritte.it, 1 +tecnoempleo.com, 1 +tecnofarma.com.pe, 1 +tecnogazzetta.it, 1 +tecnogestionsas.com, 1 +tecnograficaimpresos.com, 1 +tecnoimp.it, 1 +tecnoimpianti.bz.it, 1 +tecnologiahdv.com, 1 +tecnomagazine.net, 1 +tecnonews.cf, 1 +tecnonews.tk, 1 +tecnopiniones.com, 1 +tecnosa.es, 1 +tecnoticiasdigitales.tk, 1 +tecnotrattamenti.it, 1 +tecnovernicisrl.com, 1 +tecnyal.com, 1 +tecob.com, 1 +tecon.co.at, 1 +tecorrs.tk, 1 +tecparsnet.ir, 1 +tecpartnership.com, 1 +tecra.com, 1 +tecroxy.com, 1 +tecsar.cn, 1 +tecsar.org, 1 +tecscipro.de, 1 +tectas.co.jp, 1 +tecumsehmi.gov, 1 +tecwolf.com.br, 1 +tecyt.com, 1 +teczero.co.uk, 1 +ted.do, 0 +tedamos.at, 1 +tedamos.ch, 1 +tedamos.com, 1 +tedamos.de, 1 +tedankara.k12.tr, 1 +teddax.com, 1 +tedder.cc, 1 +teddit.net, 1 +teddybearsnextadventure.com, 1 +teddykatz.com, 1 +teddyss.com, 0 +teddywayne.com, 1 +tedgautsch.com, 1 +tedhardy.com, 1 +tedirgin.tk, 1 +tedroche.com, 1 +tedsdivingsystem.com, 1 +tedsears.net, 1 +tedulearning.com, 1 +tedxencgf.com, 1 +tedxyalesecondaryschool.com, 1 +tedyst.ro, 1 +tee-suche.de, 1 +teecketing.com, 1 +teedinsiam.com, 1 +teefashionstar.com, 1 +teehaus-shila.de, 1 +teekaymedia.tk, 1 +teektalk.org, 1 +teemo.gg, 1 +teemulintula.fi, 1 +teen-club.tk, 1 +teen-porno-video.ru, 1 +teencounseling.com, 1 +teengamer.tk, 1 +teengamingnights.net, 1 +teengirlpics.com, 1 +teenmissions.org, 1 +teenmoviesgallery.ga, 1 +teenoverload.com, 1 +teenpussypornvid.com, 1 +teenringen.nl, 1 +teensexgo.com, 1 +teensifynews.tk, 1 +teenslesbian.com, 1 +teenslikeitbig.com, 1 +teenslovehugecocks.com, 1 +teentinytits.com, 1 +teenusernames.com, 1 +teenviet.ga, 1 +teenwebcams.ml, 1 +teenwolfturkey.tk, 1 +teenworlds.tk, 1 +teenxxx-tube.com, 1 +teenxy.com, 1 +teepak.ml, 1 +teerer.tk, 1 +teestore.ru, 1 +teesypeesy.com, 1 +teethtalkgirl.com, 0 +teetje-doko.de, 1 +teetoptens.com, 1 +teevahasa.com, 1 +teeverse-photography.com, 1 +teeworlds-friends.de, 1 +tefek.cz, 1 +tefinet.sk, 1 +tefline.ir, 1 +tefly-frhaty.com, 1 +tefok.com, 1 +tefoley.com, 1 +tefwin.cf, 1 +teg6.com, 1 +teganlaw.ca, 1 +teganlaw.com, 1 +tege-elektronik.hu, 1 +tegel-schoonmaken.nl, 1 +teh1xbet.com, 1 +tehillimforall.com, 1 +tehnicari-za-racunalstvo.tk, 1 +tehnikarechi.studio, 1 +tehniss.rs, 1 +tehno-kip.ru, 0 +tehno-trust.tk, 1 +tehno3d.ru, 1 +tehnoklubi.ee, 1 +tehnomagija.tk, 1 +tehosmotravto.ru, 1 +tehplace.club, 1 +tehrankey.ir, 1 +tehrantamirgah.com, 1 +teichroeb.net, 1 +teier.eu, 1 +teier.net, 1 +teigtascherlfabrik.net, 1 +teigukitty.tk, 1 +teilenapp.com, 1 +teiron.ml, 1 +teiseken.tk, 1 +teixobactin.com, 1 +tejo.tk, 1 +tejomaya.net, 1 +tek-el.ru, 1 +teka.ro, 1 +tekanswer.com, 1 +tekcafe.vn, 1 +tekchoiceelectronics.com, 1 +tekdt.com, 1 +tekila.cf, 1 +tekila.ga, 1 +tekila.tk, 1 +tekingb.com, 0 +tekirdagemlak.tk, 1 +tekiro.com, 1 +tekittak.com, 1 +tekkenzone.net, 1 +tekme.pt, 1 +teknashop.com, 1 +teknik-sipil.tk, 1 +teknikaldomain.me, 1 +teknikplastik.com.tr, 1 +tekniksnack.se, 1 +teknisetdemarit.fi, 1 +tekniskakustik.se, 1 +teknodaim.com, 1 +teknoforums.com, 1 +teknogeek.id, 1 +teknoharekat.com, 1 +teknomarko.com, 0 +teknon.tk, 1 +teknorix.com, 1 +teknosa.com, 0 +teknotiq.com, 1 +teknow.tk, 1 +teknoweek.com, 0 +teko.se, 1 +tekpon.com, 1 +tekshrek.com, 0 +teksnologi.com, 1 +teksol-boat.ru, 1 +tekstover.tk, 1 +tekstpesni.tk, 1 +tektorg.ru, 1 +tektouch.net, 1 +tektuts.com, 1 +telamon.eu, 1 +telangananews.ml, 1 +telanganatoday.com, 1 +telani.net, 1 +telaviv.estate, 1 +telaviva.com.br, 1 +telavivtips.nl, 1 +telco-motor.fr, 1 +telco.si, 1 +telcodb.net, 1 +telcu.com, 1 +teldak.pt, 1 +teldoop.my.id, 1 +tele-alarme.ch, 1 +tele-assistance.ch, 0 +tele-points.net, 1 +tele-teen.ru, 1 +tele.wiki, 1 +tele2vaxel.se, 1 +teleafrica.ga, 1 +telealarme.ch, 0 +telealarmevalais.ch, 1 +teleassistance-telealarme.com, 1 +teleblog.gq, 1 +telebugs.tk, 1 +telecablenostima.tk, 1 +telecallsrl.com, 1 +telecamera.pro, 0 +telecharger-itunes.com, 1 +telecharger-open-office.com, 1 +telecharger-videos.com, 1 +telecharger-winrar.com, 1 +telechirkut.xyz, 1 +telecomhelp.ru, 1 +telecommande-express.com, 1 +telecommunications.cf, 1 +telecommutejobs.com, 1 +telecomwestland.nl, 1 +teledatos.tk, 1 +telefon.report, 1 +telefonabonnement.dk, 1 +telefoncek.si, 1 +telefonicatech.com, 1 +telefonkort.tk, 1 +telefonni-ustredna.cz, 1 +telefonseelsorge-paderborn.de, 1 +telefoon.nl, 1 +telefunk.tk, 1 +telefusion.de, 1 +telega.gq, 1 +telegaon.com, 1 +telegashop.cf, 1 +telegazeta.com.ua, 1 +telegra.ph, 1 +telegram-gp.ml, 1 +telegram.org, 1 +telegram.poker, 1 +telegramlearn.tk, 1 +telegramseen.com, 1 +telehealthsuite.com, 1 +telehealthventures.com, 0 +telekollektiv.org, 1 +telekomiker.tk, 1 +telekothonbd.com, 1 +teleleafpa.com, 1 +telelog.ml, 1 +telema.tk, 1 +telemaco.tk, 1 +telemetr.io, 0 +telemind.net, 1 +telemitra.com, 1 +telenco-datacenter.com, 1 +telenco-networks.com, 1 +telenovelas-france.tk, 1 +teleogistic.net, 1 +teleoposiciones.es, 1 +telephonedirectories.us, 1 +telephoni-cdma.tk, 1 +telepilote-academy.fr, 1 +telepok.com, 1 +telepons.com, 1 +teleport.com.br, 1 +teleport.sh, 1 +teleport.video, 1 +teleportart.gq, 1 +teleportpink.com, 1 +teleportweb.com.br, 1 +teleradio.ga, 1 +teleradio.tk, 1 +teleroute.com, 1 +telesales.guru, 1 +teleserce.com, 1 +teleshkronja.ml, 1 +teleshop.be, 1 +teleskell.org, 1 +telesoftware.tk, 1 +telesonicengineering.com.my, 1 +telestepina.ru, 1 +teleteen.ru, 1 +teleteleei.ml, 1 +teletexto.com, 1 +teletime.com.br, 1 +teleton.org, 1 +teletxt.me, 1 +teleum.net, 1 +televentabelcorp.com, 1 +televisioncontests.ga, 1 +televisionesendirecto.tk, 1 +televisionsrit.tk, 1 +televizeseznam.cz, 1 +televotia.ch, 1 +telework.gov, 1 +teleworkouts.com, 1 +telexsus.com, 1 +teleyal.blog, 1 +telezon.ru, 1 +telfaircountyga.gov, 1 +telfas.de, 1 +telford.codes, 1 +telhai.ac.il, 1 +telhatelite.com.br, 1 +teligram.ru, 1 +telit.com.br, 1 +telk.kr, 1 +telka-online.tk, 1 +telking.com, 1 +telkom.co.id, 1 +tellaresdo.com, 1 +tellercounty.gov, 1 +tellet.tel, 1 +tellimer.com, 1 +telling-voices.tk, 1 +telling.xyz, 1 +tellingua.com, 1 +tellme.tk, 1 +tellusaboutus.com, 1 +telly.site, 1 +tellygames.com, 1 +tellyourtale.com, 1 +telnet.dk, 1 +telokchki.ga, 1 +telokchki.ml, 1 +teloo.pl, 1 +telos-analytics.com, 1 +telosglobal.io, 1 +telpotas.xyz, 1 +telrock.com, 1 +telsu.fi, 1 +teltru.com, 1 +telugu4u.net, 1 +temaflex.tk, 1 +temariogratis.com, 1 +temariosoposiciones.tk, 1 +tematicas.org, 1 +tematonline.pl, 1 +tembusulaw.com, 1 +temdu.com, 0 +temertysimcentre.com, 1 +temirgaliev.tk, 1 +temizlik.ml, 1 +temizmama.com, 1 +teml.in, 1 +temmyzplace.com, 1 +temnacepel.cz, 1 +temnikova.tk, 1 +temoclub.com, 1 +temofoundation.com, 1 +temogroup.com, 1 +temogroup.org, 1 +temogroupe.com, 1 +temoinfidele.fr, 1 +temoinfo.com, 1 +temonews.com, 1 +temonews.org, 1 +temp-lars.army, 1 +temp.pm, 1 +temp37c.com, 1 +tempa.com.ua, 1 +tempdomain.ml, 1 +tempdomain.tk, 1 +tempefestivalofthearts.com, 1 +temperedglassncase.com, 1 +temperodojuca.com.br, 1 +tempestsoft.com, 1 +tempfiles.ninja, 1 +templars.army, 1 +template-help.fr, 1 +templated.ga, 1 +templatetrip.com, 1 +templeandalucia.tk, 1 +templeoverheaddoors.com, 1 +templete.tk, 1 +tempmail.ninja, 1 +tempo.co, 1 +tempo.com.ph, 1 +tempocams.com, 1 +tempocams.net, 1 +tempocams.org, 1 +temporada.icu, 1 +temporada.tk, 1 +temporal.tk, 1 +temporalmotivation.com, 1 +temporaris.com, 1 +temporaryair.com, 1 +temporaryfencehire.net.au, 1 +temporarysanity.tk, 1 +temporarytattoosguru.com.au, 1 +tempsdexpo.com, 1 +tempsoundsolutions.tk, 1 +tempus-aquilae.de, 1 +tempus.tf, 1 +temtekco.com, 1 +ten-ki-lp.work, 1 +ten-ki-saiyo.online, 1 +tena.ml, 1 +tena.tk, 1 +tenangjiwaku.tk, 1 +tenantacademy.co.za, 1 +tenantoptions.com.au, 1 +tenantprotect.co.za, 1 +tenber.ge, 1 +tenberg.com, 1 +tenbookclub.org, 1 +tencent.xn--vuq861b, 1 +tencur.com, 1 +tendanceaumasculin.fr, 1 +tendanceouest.com, 1 +tendaqu.com, 1 +tende.roma.it, 1 +tendergrupp.ru, 1 +tenderned.nl, 1 +tenderstem.co.uk, 1 +tenderstem.ie, 1 +tendiestown.com, 1 +tendinite.org, 1 +tendiris.ga, 1 +tendmed.com.br, 1 +tendomag.com, 1 +tendure.tk, 1 +tenens.ru, 1 +tenenz.com, 1 +tenerifeautohuur.nl, 1 +teners.me, 1 +tenfeetsquare.net, 1 +tenfingerscollective.tk, 1 +tengodetodo.tk, 1 +tenhourguy.com, 1 +tenispopular.com, 1 +tenisservis.eu, 1 +tenjou-tenge.tk, 1 +tenken1010.org, 1 +tenma.pro, 1 +tennaxia.com, 1 +tenncare.gov, 1 +tennesseejeepsters.com, 1 +tennis-academy-weserbergland.de, 1 +tennis-agesc.fr, 1 +tennis-altai.tk, 1 +tennis-hameln.de, 1 +tennisadmin.com, 1 +tennisapp.de, 1 +tenniscourtsjoburg.com, 1 +tenniscritic.ga, 1 +tennismania.tk, 1 +tennismindgame.com, 1 +tennisnerd.net, 1 +tennisnyi-stol.tk, 1 +tennispensacola.com, 1 +tennisportal.com.ua, 1 +tennisschool.tk, 1 +tennistalk.tk, 1 +tennisweb.cf, 1 +tenno.tools, 1 +tenon-backup.com, 1 +tenryo.work, 0 +tenshindo.ne.jp, 1 +tenshoku-hanashi.com, 1 +tenshokudo.com, 1 +tenshokufair.jp, 1 +tent.io, 1 +tenta.com, 1 +tentacle.monster, 1 +tentacle.net, 1 +tentacletank.com, 1 +tentagent.com, 1 +tenthdimensions.com, 1 +tenthirtyonepictures.com, 1 +tenthousandcoffees.com, 1 +tentoo.nl, 0 +tentq.com, 1 +tentries.com, 1 +tenutachianchizza.it, 0 +tenyx.de, 1 +tenzer.dk, 1 +teoassessoria.com.br, 1 +teodorpravicky.com, 1 +teodw.com, 1 +teodw.net, 1 +teoletextsq.tk, 1 +teologia.promo, 0 +teomahk.de, 1 +teoskanta.fi, 1 +tep.com, 1 +tepaard.ddns.net, 1 +tepautotuning.com, 1 +tepco2021.com, 1 +tepid.org, 1 +tepitus.de, 0 +teplici-crimea.ru, 1 +teplo-russia.ru, 1 +teplo-unit.ru, 1 +teplofom.ru, 1 +teplohod.kharkov.ua, 1 +teplomash24.ru, 1 +teplotehnik.tk, 1 +teplovizor.info, 1 +teppelin.fr, 1 +teppichpracker.at, 1 +tepui.io, 1 +teq-automotive.com, 1 +teqip-pms.gov.in, 1 +tequenikality.net, 1 +tequilaavion.com, 1 +tequilazor.com, 1 +terabyte-computing.com, 1 +terabyte.services, 1 +terabyteharddrive.net, 1 +terabyteit.co.uk, 1 +teracloud.at, 1 +teradatta.ga, 1 +teradatta.gq, 1 +teradatta.tk, 1 +teramind.co, 1 +teramundi.com, 1 +teran.me, 1 +teran.pw, 1 +teran.ru, 1 +teranacreative.com, 1 +terapeuticaenalza.es, 1 +terapiaradial.tk, 1 +terapower.com.tw, 1 +teraren.com, 1 +teraservice.eu, 1 +teraservice.ml, 1 +terass.com, 0 +terbaruberita.id, 1 +terborg600.nl, 1 +tercelonlinelat.tk, 1 +tercodemaria.com.br, 1 +tercosdemaria.com.br, 1 +teremopt.ru, 1 +terence2008.info, 1 +terengganudaily.tk, 1 +terenska-edinica.tk, 1 +terento.org, 1 +teritwarsj.org, 1 +teriva.ua, 1 +term-master.ru, 1 +terma.ml, 1 +termbackti.me, 1 +terme.milano.it, 1 +terme.roma.it, 1 +terme.viterbo.it, 1 +termee.com, 1 +termeh-store.com, 1 +termi.tk, 1 +termifree.tk, 1 +termin-online.com, 0 +terminalyouth.tk, 1 +terminationsremembered.com, 1 +termine.tel, 1 +termino.eu, 1 +terminsrakning.se, 1 +termitinitus.org, 1 +termius.com, 1 +termografiranje.si, 1 +termoidraulica.roma.it, 1 +termoidraulico.milano.it, 1 +termoidraulico.roma.it, 1 +termopares.tk, 1 +termproject.org, 1 +termux.com, 1 +ternex.ru, 1 +ternitoday.it, 1 +terobait48.ru, 1 +teronia.net, 1 +terosclient.de, 1 +terovania.com, 1 +terovania.de, 1 +terovania.games, 1 +terpelpanama.com, 1 +terpotiz.eu, 1 +terpotiz.net, 1 +terra-med.ga, 1 +terra-x.net, 1 +terra.bio, 1 +terra.fitness, 1 +terra7.net, 1 +terrab.de, 1 +terrabela.tk, 1 +terracapital.ma, 1 +terracloud.de, 0 +terraco.ga, 1 +terracom.gr, 1 +terracore.hu, 1 +terracycle.com, 1 +terraesencial.com, 1 +terrafinanz.de, 1 +terraform.io, 0 +terraformator.ru, 1 +terragni-sarasin.ch, 1 +terrakotta.tk, 1 +terraluna.space, 1 +terramineira.com.br, 1 +terraneesens.fr, 1 +terranimo.re, 1 +terranovadesignbuild.com, 1 +terraquercus.tk, 1 +terrariatr.tk, 1 +terrarium.tk, 1 +terrasandcooking.nl, 1 +terrasandcookingoutdoor.nl, 1 +terrasearcher.tk, 1 +terraso.net, 1 +terraso.org, 1 +terrasoverkappingvillage.be, 1 +terrasoverkappingvillage.nl, 1 +terratruehq.com, 1 +terraweb.net, 1 +terrax.net, 1 +terredeshommes.nl, 1 +terrelltx.gov, 1 +terremoto.com.br, 1 +terrenal.tk, 1 +terrenasparadise.com, 1 +terres-et-territoires.com, 1 +terresmagiques.com, 0 +terrexllc.com, 1 +terrischeer.com.au, 1 +territoriesredress.gov.au, 1 +territoriocuchero.tk, 1 +territoriya.tk, 1 +territory.cf, 1 +terroinsect.com.mx, 1 +terrorbilly.com, 1 +terrorblast.tk, 1 +terrorism.lol, 1 +terrty.net, 1 +terryburton.co.uk, 1 +terrybutler.co.uk, 0 +terryjohnsononline.com, 1 +terryoconnor.org, 1 +ters.ga, 1 +terumoindia.com, 1 +terumoindiaskilllab.com, 1 +terumomedical.com, 1 +tervelde.com, 1 +terviseamet.ee, 0 +tervolina.tk, 1 +tesche.biz, 1 +tescoirelandpayslips.com, 1 +tescoludia.sk, 1 +tesdrole.tk, 1 +teseo.kz, 1 +tesharp.com, 1 +teshuzi.com, 1 +teskalabs.com, 1 +tesla-fire.com, 1 +tesla-tula.tk, 1 +tesladeaths.com, 1 +teslam.in, 1 +teslamagician.com, 1 +teslamate.ca, 1 +teslasuit.io, 1 +teslatr.net, 1 +tesorion.nl, 1 +tespent.cn, 1 +tesseract.wiki, 1 +tesseractinitiative.org, 1 +tessierashpool.de, 1 +tessla.org, 1 +test-deployment.xyz, 1 +test-eligibilite-isolation.com, 1 +test-iq.gq, 1 +test-my.tk, 1 +test-na-beremennost.tk, 1 +test-online.tk, 1 +test-privacyportal-ui.azurewebsites.net, 1 +test-school.ml, 1 +test-textbooks.com, 1 +test-verz.online, 1 +test.de, 1 +test.gd, 1 +test.io, 1 +test1-isrewards.com, 1 +test1974.nl, 1 +test2-isrewards.com, 1 +test4pro.ga, 1 +testable.org, 1 +testadren.com, 1 +testadron.com, 1 +testantidrogarapidi.it, 1 +testapfnxg.com, 1 +testaustime.fi, 1 +testazdes.gov, 1 +testbed.fi, 1 +testbirds.cz, 1 +testbirds.sk, 1 +testcase.me, 1 +testcoz.tk, 1 +testdemoweb.tk, 1 +testdevelocidad.com, 1 +testdomens.ga, 1 +testdrogue.fr, 1 +testecta.top, 1 +testehogs.tk, 1 +testem.de, 1 +testemo.tk, 1 +testenopreis.nl, 1 +testeri.fi, 1 +testermerch.pl, 1 +testeveonline.com, 1 +testforce.tk, 1 +testfort.com, 1 +testgeomed.ro, 1 +testgroup.nl, 1 +testheat.org, 1 +testikel.be, 1 +testing-server.tk, 1 +testingbot.com, 1 +testingtask.tk, 1 +testiowa.gov, 1 +testispdomain.ml, 1 +testkinja.com, 1 +testmpf.com, 1 +testmx.email, 1 +testmx.eu, 1 +testmx.org, 1 +testmy.tk, 1 +testomato.com, 0 +testone.com.tr, 1 +testoon.com, 1 +testosterone-complex.com, 1 +testosteronedetective.com, 1 +testovaci.ml, 1 +testpinoy.com, 0 +testplant.com, 1 +testpool.gq, 1 +testpornsite.com, 1 +testprep.online, 1 +testprepinsight.com, 1 +testpsicotecnicos.com.es, 1 +testq.se, 1 +tests-and-tips.info, 1 +tests-und-tipps.info, 1 +tests.pp.ru, 1 +tests.school, 1 +tests.tips, 1 +testsab.com, 1 +testscorpiogroup.net, 1 +testscript.ml, 1 +testservice.nl, 1 +testsitefortask.xyz, 1 +testsity.tk, 1 +testsnelcovid.nl, 1 +testspsicotecnicos.org, 1 +testsweb.ml, 1 +testthis.cf, 1 +testvision.nl, 1 +testyonline.tk, 1 +tetam.dynv6.net, 1 +tetangers.tk, 1 +tetap.fun, 1 +tetete-no-te.com, 1 +tether.com, 1 +tethercasinos.io, 1 +tetherqr.com, 1 +tethys.fr, 1 +teto.nu, 1 +tetonas.tk, 1 +tetorix.gq, 1 +tetovaweb.tk, 1 +tetovo.tk, 1 +tetrabyte.tk, 1 +tetracyclin.gq, 1 +tetracyclin.ml, 1 +tetracyclin.tk, 1 +tetracycline500mg.ga, 1 +tetraktus.org, 1 +tetramax.eu, 1 +tetrarch.co, 1 +tetrimus.com, 1 +tetrisponse.io, 1 +tetsudo.jp.net, 1 +tetsumaki.net, 1 +tetweb.ir, 1 +teu-fel.com, 1 +teufel-cloud.ddns.net, 1 +teufel.de, 1 +teufelaudio.nl, 1 +teufelswerk.net, 1 +teulon.eu, 1 +teungedj.de, 1 +teunmulder.tk, 1 +teunstuinposters.nl, 1 +teusink.eu, 1 +teuto.com.br, 1 +teuton.io, 1 +teutonia-grossenlueder.de, 1 +teutonia08.de, 1 +teva.com, 1 +teveblad.be, 1 +teverzamelen.nl, 1 +tewarilab.co.uk, 1 +tewhare-iti.co.nz, 1 +tewkesburyyoga.com, 1 +tex-izol.ru, 1 +texaport.co.uk, 0 +texarkanatexas.gov, 1 +texarkanatherapycenter.com, 1 +texasbluesalley.com, 1 +texascarauctions.com, 1 +texascharterbuscompany.com, 1 +texascoffee.co, 1 +texasconcretereadymix.com, 1 +texascountymo911.gov, 1 +texascredit.com, 1 +texasdivorceforall.com, 1 +texasgynecomastia.com, 1 +texashealthtrace.gov, 1 +texasintegratedservices.com, 1 +texasnewsusa.tk, 1 +texasonesource.com, 1 +texasonlinedivorce.com, 0 +texasonlinemarriagecounseling.com, 1 +texaspaintingandgutters.com, 1 +texasparkinglotstriping.com, 1 +texasready.gov, 1 +texasteam.tk, 1 +texasultraspirit.com, 1 +texasurodoc.com, 1 +texasvolunteerattorneys.org, 1 +texaswinetrail.com, 1 +texby.com, 1 +texdot.gov, 1 +texel.es, 1 +texel.tk, 1 +texfunding.com, 1 +texican.nl, 1 +texicopolicenm.gov, 1 +texier.mx, 1 +texkey.com, 1 +texkings.com, 1 +texnogu.ru, 1 +texnoguru.tk, 1 +texnolog.tk, 1 +texnotroniks.tk, 1 +texosmotr.tk, 1 +texpresspainting.com, 1 +textadventure.tk, 1 +textassistant.ga, 1 +textcleaner.net, 1 +textcounter.tk, 1 +texteditor.co, 1 +texter-linz.at, 1 +texter.at, 1 +texterseo.at, 1 +texterseo.de, 1 +textieldiscounter.nl, 1 +textil-kyoto.tk, 1 +textiles.tk, 1 +textinmate.com, 1 +textlinktausch.tk, 1 +textonly.email, 1 +textpages.tk, 1 +textpattern.com, 1 +textpro.xyz, 1 +textprotocol.org, 1 +textron.com, 0 +textscout.io, 1 +textsite.tk, 1 +textualapp.com, 1 +textundblog.de, 1 +textura.bg, 1 +textura.gr, 1 +textura.ro, 1 +textures-resource.com, 1 +textus.com, 1 +textzformatter.com, 1 +texus.me, 1 +texy.info, 1 +teycos.com, 1 +teyit.org, 1 +teysens.com, 1 +teyyib.com, 1 +tezcam.tk, 1 +tezgoal.com, 1 +teztarama.com, 1 +tf-amd.com.my, 1 +tf-network.de, 1 +tf2b.com, 1 +tf2calculator.com, 1 +tf2pickup.cz, 1 +tf2pickup.de, 1 +tf2pickup.eu, 1 +tf2pickup.fi, 1 +tf2pickup.it, 1 +tf2pickup.org, 1 +tf2pickup.pl, 1 +tf2pickup.se, 1 +tf2pickup.web.tr, 1 +tf7879.com, 1 +tfadictivo.com, 1 +tfaforms.com, 1 +tfb.az, 1 +tferdinand.net, 1 +tfg-bouncycastles.com, 1 +tfiglobalnews.com, 1 +tfiik.com, 1 +tfinfo.fr, 1 +tfipost.com, 1 +tfk-installatieservice.nl, 1 +tfk.fr, 1 +tfle.xyz, 1 +tflite.com, 1 +tfnapps.de, 1 +tfok.ml, 1 +tfrei.de, 1 +tfscreener.com, 1 +tfsound.cz, 1 +tfsrcymru.org.uk, 1 +tft-cheat-sheet.com, 1 +tfus.co, 1 +tfw-a.com, 1 +tfx.com.br, 1 +tfxstartup.com, 1 +tfxstartup.com.br, 1 +tfyre.co.za, 1 +tg2sclient.com, 1 +tgb.org.uk, 1 +tgcfabian.nl, 1 +tgcgrain.com, 1 +tgenotary.com, 1 +tgexport.eu, 1 +tglbbs.com, 0 +tgmarketingusa.com, 1 +tgo1111.com, 0 +tgo6688.com, 0 +tgo789.com, 0 +tgo8899.com, 1 +tgoaa.com, 1 +tgoall.com, 1 +tgod.co, 1 +tgrade.finance, 0 +tgt.co.il, 0 +tgtw.cc, 1 +tgu15.com, 1 +tgui.eu, 1 +tgui.net, 1 +tgw.com, 1 +tgwork.com, 1 +tgx.rs, 1 +th-1x.com, 1 +th-1xbet.com, 1 +th-fanlist.tk, 1 +th.am, 1 +th.search.yahoo.com, 0 +th2eco.de, 1 +thablubb.de, 1 +thackert.myfirewall.org, 1 +thai-massage.tk, 1 +thai-ridgeback.tk, 1 +thai-tibet.hu, 1 +thai.land, 1 +thai369.com, 1 +thaibizsingapore.com, 0 +thaiboystory.ga, 1 +thaibrokersfx.com, 1 +thaicurry.net, 1 +thaiforexfamily.com, 1 +thaifriendly.com, 1 +thaigirls.cf, 1 +thaihomecooking.com, 1 +thaihong.co.th, 1 +thaihong.com, 1 +thaihotmodels.tk, 1 +thailande-fr.com, 1 +thailandguru.properties, 1 +thailandhotel.tk, 1 +thailandpropertylisting.ga, 1 +thailandvariety.cf, 1 +thaimbc.com, 1 +thaimega.club, 1 +thaiminh.tech, 1 +thaiorchidpetoskey.com, 1 +thaipbspodcast.com, 1 +thaiportal.gq, 1 +thais.tk, 1 +thaislots.online, 1 +thaisolarexpert.com, 1 +thaisurveys.com, 1 +thaitonic.de, 1 +thaiwatsadu.com, 1 +thaiwrestling.tk, 1 +thaixon.co.th, 1 +thajske-masaze-brno.cz, 1 +thajske-masaze-olomouc.cz, 1 +thajske-masaze-vyskov.cz, 1 +thakurmarjhuli.tk, 1 +thalamus.nz, 1 +thalan.fr, 1 +thalgott.net, 0 +thalhammer.it, 1 +thalia.nu, 1 +thalikkunushivatemple.tk, 1 +thalliman.com, 1 +thalmann.fr, 0 +thamesfamilydentistry.com, 1 +thamesvalleybuses.com, 1 +thammachartconnect.com, 1 +thammysen.vn, 1 +thanatoid.net, 1 +thancon.com, 1 +thanhtrungmobile.vn, 1 +thantra.tk, 1 +thapduoc.com, 1 +tharuka.com, 1 +tharuka.de, 1 +thaserv.de, 1 +thassos-world-web.tk, 1 +thassos.tk, 1 +that.host, 1 +thatch.ai, 1 +thatchhealth.com, 1 +thatdaria.com, 1 +thatdarkplace.com, 1 +thatdirtyd.com, 1 +thatmy.com, 1 +thatshayini-sivananthan.fr, 1 +thatskykid.com, 1 +thatssodee.com, 1 +thaumaturgian-national-university.tk, 1 +thavmacode.gr, 1 +thaw.systems, 1 +thawte.com.ru, 1 +thaxton.xyz, 0 +thc-stadvdzon.nl, 1 +thca.ca, 1 +thda.org, 1 +the-ace.tk, 1 +the-allmighty-mike.tk, 1 +the-archive.io, 1 +the-archive.ml, 1 +the-azad.com, 1 +the-big-bang-theory.com, 1 +the-bookies.com, 1 +the-brandidentity.com, 1 +the-buildersyard.com, 1 +the-burtons.xyz, 1 +the-busbys.com, 1 +the-carshop.com, 1 +the-club.fr, 1 +the-crypto-syllabus.com, 1 +the-deep.tk, 1 +the-digital-insurer.com, 1 +the-digitale.com, 0 +the-dream.tk, 1 +the-ear.net, 1 +the-earth-yui.net, 0 +the-egotronic.tk, 1 +the-farm.tk, 1 +the-finance-blog.com, 1 +the-forgotten.net, 1 +the-gist.io, 1 +the-glitch.network, 1 +the-ken.com, 1 +the-lfb.tk, 1 +the-mermaid.tk, 1 +the-metropolitans.tk, 1 +the-muddy-trophy-team.tk, 1 +the-mudmen.tk, 1 +the-naked.com, 1 +the-nose.com, 1 +the-opposites.tk, 1 +the-pcca.org, 1 +the-pressoffice.com, 1 +the-red.pp.ua, 1 +the-small-dick-club.com, 1 +the-snaglist.com, 1 +the-spellcaster.com, 1 +the-spoonfeed.club, 1 +the-storm.tk, 1 +the-tech-trend.com, 1 +the-tg.com, 1 +the-toolshop.com, 1 +the-top.net, 1 +the-trophy-company.com, 1 +the-wandering-midget.tk, 1 +the-winx.tk, 1 +the-woods.org.uk, 1 +the-world.tk, 1 +the-zenti.de, 1 +the.gd, 1 +the1.wiki, 1 +the12by12.com, 1 +the13thtribe.tk, 1 +the51news.ga, 1 +the5th.nl, 1 +the7eye.org.il, 1 +the8rules.co.uk, 1 +thea-team.net, 1 +theabsoluteroof.com, 1 +theacademicpapers.co.uk, 1 +theaccountingcompanyleeds.co.uk, 1 +theaceblock.space, 1 +theactivationfunction.com, 1 +theactuary.ninja, 1 +theadamsonchronicle.tk, 1 +theadelaideshow.com.au, 1 +theadultswiki.com, 1 +theafleo.ga, 1 +theafleo.gq, 1 +theagencywithoutaname.com, 1 +theaidigitalmarketingblog.com, 1 +thealchemistatelier.com, 1 +theallmanteam.com, 1 +thealmoners.com, 1 +thealmsolution.com, 1 +thealonas.cf, 1 +thealonas.ga, 1 +thealonas.gq, 1 +thealonas.ml, 1 +thealonas.tk, 1 +thealphaconnection.com, 1 +theamandatappingclub.tk, 1 +theamandatappingcontest.tk, 1 +theangelgivingtree.com, 1 +theangelgivingtree.info, 1 +theangelgivingtree.net, 1 +theangelgivingtree.org, 1 +theangelushouse.com, 1 +theanimalskingdom.com, 1 +theantarticx.com, 1 +theantisocialengineer.com, 1 +theantnetwork.tk, 1 +theapj.com, 1 +theapplewiki.com, 1 +theapriltears.tk, 1 +theaps.net, 0 +theaquila.tk, 1 +thearcheryguide.com, 1 +thearches.co.uk, 1 +thearchimag.tk, 1 +thearizonatribune.com, 1 +thearkfamily.org, 1 +thearmchairtrader.com, 0 +theasianshooters.com, 1 +theastrocoach.com, 1 +theataraxia.tk, 1 +theataraxiazine.tk, 1 +theater.cf, 1 +theaterfrederik.tk, 1 +theatergroep-o.nl, 1 +theaterreichenhall.tk, 1 +theatertage2024.de, 1 +theatheistbook.com, 1 +theathletic.com, 1 +theatre-schools.com, 1 +theatrefolk.com, 1 +theatrepremol.com, 1 +theatresocietyguts.tk, 1 +theatresuite.tk, 1 +theaus.xyz, 1 +theaustinbulldog.org, 1 +theaustinsevenworkshop.com, 1 +theawesomemuse.com, 1 +thebabelog.cf, 1 +thebabelog.ga, 1 +thebabelog.gq, 1 +thebabypassport.com, 1 +thebacksplashcompany.com, 1 +thebackstage.tk, 1 +thebacteriafight.gq, 1 +thebakersbuddy.co.uk, 1 +thebakery2go.de, 1 +thebalancedsystem.org, 1 +thebannerstore.com, 1 +thebarclay.org, 1 +thebarrens.nu, 1 +thebasementdefender.com, 1 +thebasementdefender.net, 1 +thebasicstudio.com, 1 +thebathroomexchange.ga, 1 +thebbfoundation.org, 1 +thebeardeditdad.com, 1 +thebeatyard.nl, 1 +thebeaulife.co, 1 +thebeautyqueen.tk, 1 +thebedfordcitizen.org, 1 +thebeeyard.org, 1 +thebeginningviolinist.com, 1 +thebenefitcalculator.com, 1 +thebengalinews.tk, 1 +thebenstore.com, 1 +theberries.tk, 1 +thebestfun.co.uk, 1 +thebesthomecooking.ru, 0 +thebestlaos.ga, 1 +thebestnews.ga, 1 +thebestofthesprings.com, 1 +thebestpersonin.ml, 1 +thebestproducts.info, 0 +thebestshopping.tk, 1 +thebetterfit.com, 1 +thebettermagazine.com, 1 +thebhc.org, 1 +thebigbigworld.tk, 1 +thebigbouncetheory.com, 1 +thebigdatacompany.com, 1 +thebigdig.xyz, 1 +thebigslow.com, 1 +thebillingtongroup.com, 1 +thebillu.com, 1 +thebinarys.com, 1 +thebiopoetist.eu.org, 1 +thebirchwoods.com, 1 +thebismarckmarathon.com, 1 +thebit.link, 1 +thebitchneyfiles.tk, 1 +thebiz.tk, 1 +theblackboard.gr, 1 +theblackcat.ga, 1 +theblackknightsings.com, 1 +theblackravens.com, 1 +theblankenshipfirm.com, 1 +theblaqcat.com, 1 +theblink.com, 1 +theblisters.tk, 1 +theblock.co, 1 +theblog.cn, 1 +theblogstarter.com, 1 +theblondeabroad.com, 0 +theblue.tk, 1 +theblueinnovations.com, 1 +thebluered.net, 0 +theblueroofcottage.ca, 1 +thebluub.com, 1 +theboard.tk, 1 +theboardroomsubi.com.au, 1 +theboats.agency, 1 +theboats.club, 1 +theboats.com, 1 +theboats.de, 1 +theboats.online, 1 +theboats.pro, 1 +thebobcoin.io, 1 +thebodylanguageguide.tk, 1 +thebodyshop.bg, 1 +theboltway.com, 1 +thebonerking.com, 1 +thebook.pro, 1 +thebosshub.net, 1 +thebot.net, 1 +theboulders.com, 1 +thebouncedepartment.co.uk, 1 +theboxofcarlos.com, 1 +theboxoutofthebox.com, 1 +theboysrepublic.tk, 1 +thebrag.com, 1 +thebrainfactory.eu, 1 +thebraininitiative.gov, 1 +thebrainwash.tk, 1 +thebranddesign.gq, 1 +thebreakroom.org, 1 +thebrewingtonfamily.net, 1 +thebridalcollection.com, 1 +thebrightons.co.uk, 1 +thebrightons.uk, 1 +thebritishlibraryinstallation.com, 1 +thebroadcastknowledge.com, 1 +thebrookeb.com, 1 +thebsl.ca, 1 +thebss.tk, 1 +thebucklandreligion.tk, 1 +thebuffalotavern.com, 1 +thebugmanfraservalley.com, 1 +thebull.com.au, 1 +thebulletin.io, 1 +thebunnyhutch.org, 1 +theburst.tk, 1 +thebus.top, 1 +thebutterflyencounters.com, 1 +thebuttongame.io, 1 +thebuttonpost.com, 1 +thecakeboxhampton.co.uk, 1 +thecalifornias.tk, 1 +thecalmnessofblankspace.tk, 1 +thecamels.org, 1 +thecameradivision.com, 1 +thecanadarace.com, 1 +thecandidforum.com, 1 +thecandystore.tk, 1 +thecardcloset.com, 1 +thecarolingconnection.com, 1 +thecarpenters.tk, 1 +thecarphunter.tk, 1 +thecarriagerooms.com, 1 +thecatanddogbowl.au, 1 +thecatbowl.com.au, 1 +thecats.tk, 1 +thecavedistro.tk, 1 +thecaveofsatyr.tk, 1 +thecavepeople.is, 1 +thecelticfiles.tk, 1 +theceocollective.com, 1 +thecfef.org, 1 +thechaikinreport.com, 1 +thechallenge.fit, 1 +thechandigarhcity.com, 1 +thechatlinenumbers.com, 1 +thechauffeur-international.com, 1 +thechavs.xyz, 1 +thecheapairlinetickets.com, 1 +thecheat.tk, 1 +thecheese.co.nz, 1 +thechelseadrugstore.ie, 1 +thechemistryisdead.tk, 1 +thecherryship.ch, 0 +thechfdietitian.com, 1 +thechicanos.tk, 1 +thechinaguide.com, 1 +thechoice.tk, 1 +thechosenones.tk, 1 +thecigarlibrary.com, 0 +thecineshoppe.com, 1 +theciso.com, 0 +thecitizen.support, 1 +thecitywarehouse.clothing, 1 +theclarke.house, 1 +theclarke.wedding, 1 +theclearingnw.com, 1 +thecleverhost.co.uk, 1 +theclimbingunit.com, 1 +theclockdepot.com, 1 +theclonker.de, 0 +thecloroxcompany.com, 1 +thecloudadmin.eu, 1 +thecluster.xyz, 1 +thecnstore.com, 1 +thecodeninja.net, 1 +thecodest.co, 1 +thecoffeecamp.com, 1 +thecoffinshop.co.nz, 1 +thecognitivequest.com, 1 +thecolorbarph.com, 1 +thecolorrun.hu, 1 +thecombustionway.com, 0 +thecomedystore.co.uk, 1 +thecommonmen.tk, 1 +thecommunityguide.org, 1 +thecommunitymakers.club, 1 +thecompany.pl, 1 +thecompliancepeople.co.uk, 1 +theconcierge-international.com, 1 +theconcordbridge.azurewebsites.net, 1 +thecondemned.tk, 1 +theconductsoflife.com, 1 +theconsultant.jp, 1 +theconsultingpeople.tk, 1 +thecontentcloud.com, 1 +theconversation.com, 1 +theconverter.net, 0 +theconveyer.org, 1 +thecook.com.co, 1 +thecookiewriter.com, 1 +thecoolbrain.co.uk, 1 +thecoredublin.tk, 1 +thecorianderkitchen.com, 1 +thecorrectblogger.com, 1 +thecostymusic.tk, 1 +thecotsworth.com, 1 +thecoverlot.com, 1 +thecovky.gov, 1 +thecowboy.cafe, 1 +thecowquerie.tk, 1 +thecr3ative.tk, 1 +thecraftingstrider.net, 1 +thecrazybrains.tk, 1 +thecrazyones.hopto.org, 1 +thecrazytravel.com, 1 +thecreativeshour.com, 0 +thecrew-exchange.com, 1 +thecrimson.tk, 1 +thecrochetcottage.net, 1 +thecronosgroup.com, 1 +thecskr.in, 1 +thecstick.com, 1 +thecubepsych.com, 1 +thecup.us, 1 +thecureplainsong.tk, 1 +thecuriousdev.com, 1 +thecursedmercantile.com, 1 +thecurvyfashionista.com, 1 +thecustomdroid.com, 1 +thecustomizewindows.com, 1 +thecyberwire.com, 1 +thecyclistchoice.com, 1 +theda.co.za, 1 +thedaac.org, 1 +thedailybloon.tk, 1 +thedailyexercise.com, 1 +thedailyprosper.com, 0 +thedailyreporteronline.com, 1 +thedailyupvote.com, 1 +thedaimon.cn, 1 +thedanceacademybuckscounty.com, 0 +thedanceranch.com, 1 +thedark.ga, 1 +thedark1337.com, 1 +thedarkages.tk, 1 +thedarkartsandcrafts.com, 1 +thedarkcolonyfansite.tk, 1 +thedarkfusion.tk, 1 +thedarksidesoftwaresecurity.ga, 1 +thedarkteam.tk, 1 +thedataexaminer.com, 1 +thedave.link, 1 +thedave.me, 1 +thedave.photos, 1 +thedawningofdarkness.tk, 1 +thedeathmachine.tk, 1 +thedeathofannakarina.tk, 1 +thedebug.life, 1 +thedefiled.tk, 1 +thedelaunay.com, 1 +thedemocraticstrategist.org, 1 +thedermdetective.com, 1 +thedev.id, 1 +thedevastatedrealm.tk, 1 +thedevilwearswibra.nl, 1 +thedevrycommonsbrasil.com, 0 +thediamondapp.com, 1 +thedietsolutionprog.tk, 1 +thedigitalcurator.art, 1 +thedigitalparadox.tk, 1 +thediligentwoman.com, 1 +thedinnerdetective.com, 1 +thediscforum.tk, 1 +thediscovine.com, 1 +thedistance.co.uk, 1 +thedivineforce.com, 1 +thediyvibe.com, 1 +thedjhookup.com, 1 +thedoc.eu.org, 1 +thedocumentrefinery.com, 1 +thedomainrobot.com, 1 +thedomains.co.uk, 1 +thedonaldarchive.tk, 1 +thedotcom.tk, 1 +thedowlinggroup.com, 1 +thedrakesdebut.com, 1 +thedrawbacks.tk, 1 +thedriftuniversity.com, 1 +thedrivers.tk, 1 +thedrizzle.tk, 1 +thedronechart.com, 1 +thedroneely.com, 1 +theduchessbudapest.com, 1 +thedysfunctionalangel.cf, 1 +thedysfunctionalangel.ga, 1 +thedysfunctionalangel.gq, 1 +thedysfunctionalangel.ml, 1 +theeagle.com, 1 +theebookkeepers.co.za, 1 +theeducationalequalityinstitute.org, 1 +theeducatoronline.com, 1 +theeffingyogablog.com, 1 +theegyptblog.tk, 1 +theeighthbit.com, 0 +theel0ja.info, 1 +theel0ja.ovh, 1 +theeldritchhounds.cf, 1 +theeldritchhounds.gq, 1 +theeldritchhounds.ml, 1 +theelephant.info, 1 +theeliteneet.com, 1 +theemeraldmagazine.com, 1 +theemptyvault.com, 1 +theender.net, 1 +theendlesssixties.com, 0 +theendpoem.com, 0 +theentropyofdelicatewonders.com, 1 +theepankar.com, 1 +theepicsponge.co.uk, 1 +theequinepractice.com, 1 +theerneshot.com, 1 +theescapegame.com, 1 +theestateplanninggroup.com, 1 +theeuropeanlibrary.org, 1 +theevergreen.me, 0 +theeverydayprepper.com, 1 +theexodus.tk, 1 +theexpatriate.de, 1 +theexplorer.ro, 1 +theextract.co.uk, 1 +theeyeopener.com, 1 +theeyewearshop.com.au, 1 +thefabricator.com, 1 +thefabulouslifestyles.com, 1 +thefabulouswomen.com, 1 +thefaircottage.com, 1 +thefairieswantmedead.com, 1 +thefairytale.tk, 1 +thefallen.tk, 1 +thefamilychemist.co.uk, 1 +thefamilygarrison.com, 1 +thefanimatrix.net, 1 +thefantasyrooms.com, 1 +thefarleys.ca, 1 +thefashiondistrict.tk, 1 +thefashionpolos.com, 1 +thefasthire.org, 1 +thefastmode.com, 1 +thefatduck.co.uk, 1 +thefatlosspuzzle.com, 0 +theferrarista.com, 0 +thefibreapp.com, 1 +thefieldservicecompany.nl, 1 +thefinalconflict.tk, 1 +thefinx.io, 1 +thefishshop.ga, 1 +thefitcare.com, 1 +thefitcareerist.com, 1 +theflashback.co.uk, 1 +theflesh.tk, 1 +theflexerzone.ga, 1 +theflowershopdeddington.com, 1 +theflowstudios.com, 1 +theflyingbear.net, 0 +theflyingdutch.tk, 1 +thefnafarchive.org, 1 +thefoodcops.com, 1 +thefooddictator.com, 1 +thefoodieblogger.com, 1 +thefoot.tk, 1 +theforkedspoon.com, 1 +theformtool.com, 1 +thefox.com.fr, 1 +thefranklinnewspost.com, 1 +thefreebay.tk, 1 +thefreemail.com, 1 +thefreethinker.tk, 1 +thefrenchbeautyacademy.edu.au, 1 +thefrenchconnection.tk, 1 +thefridaycinema.com, 1 +thefriedzombie.com, 1 +thefriedzombie.nl, 1 +thefriedzombie.online, 1 +thefriendlyplant.co.za, 1 +thefrontend.agency, 1 +thefrugalvegan.tk, 1 +thefuckingtide.com, 0 +thefulcrum.us, 1 +thefunfirm.co.uk, 1 +thefunzone.tk, 1 +thefurnitureco.uk, 1 +thefurniturefamily.com, 1 +thefusion.net.in, 1 +thefussyeater.ie, 1 +thefutureforward.com, 1 +thefuturetech.ga, 1 +thegab.in, 1 +thegadget.tk, 1 +thegadgetflow.com, 1 +thegallery-restaurant.co.uk, 1 +thegamecave.co.uk, 1 +thegamecollector.tk, 1 +thegantars.tk, 1 +thegasshop.co.uk, 1 +thegasshop.uk, 1 +thegatewaydigital.com, 1 +thegatewaytoanewworld.com, 1 +thegeekdiary.com, 1 +thegeekguy.eu, 1 +thegeeklab.de, 0 +thegeektools.com, 1 +thegemriverside.com.vn, 1 +thegeniusdz.tk, 1 +thegentleman.tk, 1 +thegeriatricdietitian.com, 1 +thegermancoder.com, 1 +thegerwingroup.com, 1 +thegetaway.com, 1 +theghostlytavern.com, 1 +thegiantsdream.tk, 1 +thegildedthistle.com, 1 +thegingersnapbaker.co.za, 1 +theginnylee.com, 1 +thegioibanca.tk, 1 +thegioicovua.com, 1 +thegioidulich.com.vn, 1 +theglencoetorah.com, 1 +theglossymusings.com, 1 +thego2swatking.com, 1 +thegoaescort.com, 1 +thegoldandsilverexchange.com, 1 +thegolden.com, 1 +thegoodinside.com, 1 +thegoodveggie.com, 1 +thegoodvybe.ml, 1 +thegospell.tk, 1 +thegpbox.com, 1 +thegradient.pub, 1 +thegraduatesalon.co.uk, 1 +thegrandline.tk, 1 +thegrandtour.tk, 1 +thegreatcommissionpodcast.com, 1 +thegreatdecay.tk, 1 +thegreatgonzo.uk, 1 +thegreatplains.com, 1 +thegreatsouthernburgerco.ga, 1 +thegreendigest.com, 1 +thegreenfields.se, 1 +thegreenhead.com, 1 +thegreenlawreport.com, 1 +thegreenmanpottery.com, 1 +thegroovecartel.com, 1 +thegrotto.tk, 1 +thegrs.com, 0 +theguerrilla.agency, 0 +thegundogaffair.com, 1 +thegvoffice.net, 1 +thehabitat.com, 1 +thehackerblog.com, 1 +thehackers.cf, 1 +thehadicks.com, 1 +thehairrepublic.net, 1 +thehalchal.com, 1 +thehamiltoncoblog.com, 1 +thehammerfund.com, 1 +thehamptonsvegan.com, 1 +thehappeny.com, 1 +thehappyxwife.ga, 1 +thehardgame.top, 1 +thehasanyildirim.tk, 1 +thehashagency.com.au, 1 +thehassanmusic.tk, 1 +thehasty.com, 1 +thehaxbys.co.uk, 1 +thehaze.org, 1 +theheadplug.tk, 1 +thehealthshed.nl, 1 +theheatingoilclub.co.uk, 1 +thehelper.tk, 1 +thehillstx.gov, 1 +thehiltonfirm.tk, 1 +thehivedesign.org, 1 +thehoff.ddnss.de, 1 +thehollandfam.com, 0 +theholloways.tk, 1 +thehomebakery.ie, 1 +thehomebarista.com, 1 +thehomemademasks.com, 1 +thehomeofthefuture.com, 1 +thehomeschoolsupplyco.com, 0 +thehoney.ga, 1 +thehonorguard.org, 1 +thehookup.be, 1 +thehopefuture.com, 1 +thehorsesadvocate.com, 1 +thehosmers.com, 1 +thehotcasinos.com, 1 +thehotfix.net, 1 +thehotness.tech, 1 +thehotrocks.tk, 1 +thehowlinwolfcafe.ga, 1 +thehudsonindependent.com, 1 +thehumancondition.com, 1 +thehumanizer.tk, 1 +thehumanjoint.com, 1 +thehumorist.tk, 1 +theideaskitchen.com.au, 1 +theidiotboard.com, 1 +theimagefile.com, 1 +theimaginationagency.com, 1 +theinboxpros.com, 1 +theindependent.ca, 0 +theindependent.com, 1 +theindiangraph.tk, 1 +theindiantimes.in, 1 +theindiemood.com, 1 +theinfoblog.com, 1 +theinitium.com, 0 +theinnerprism.com, 1 +theinput.com, 1 +theinsightsfamily.com, 1 +theinstitute.cf, 1 +theintercept.com, 0 +theinternationalgeekconspiracy.eu, 1 +theinventory.com, 1 +theinvisibleman.tk, 1 +theislandtime.com, 1 +theissen.io, 1 +theitaliantimes.it, 1 +theitsage.com, 0 +theixiangrand.gr, 1 +thejacksoninstitute.com.au, 1 +thejewelhut.co.uk, 1 +thejkdrebel.com, 1 +thejoaustralia.com, 1 +thejoneshub.com, 1 +thejonsey.com, 0 +thejourneydesignstudio.com, 1 +thejoykiller.tk, 1 +thejsmodel.com, 1 +thejukebox.tk, 1 +thejunkfiles.com, 1 +thekalakriti.tk, 1 +thekev.in, 1 +thekeymusic.com, 1 +thekickassvirtualassistant.nl, 1 +thekidszone.in, 1 +thekillertoxin.de, 1 +thekingofhate.com, 0 +thekitchendoor.co.nz, 1 +thekitchenfarnborough.co.uk, 1 +thekitchenprofessor.com, 1 +thekitchngic.com, 1 +thekitsunesden.com, 1 +thekittivibe.com, 1 +thekliniquehotdeal.com, 1 +theknightrider.com, 1 +theknittingnetwork.co.uk, 1 +theknockout.tk, 1 +theknowitguy.com, 1 +thekonsulthub.tk, 1 +thekuwayama.net, 1 +thelafayettecompany.com, 1 +thelaimlife.com, 1 +thelakedistrict.tk, 1 +thelancergroup.com, 1 +thelangfords.au, 1 +thelangfords.id.au, 1 +thelanscape.com, 1 +thelansingjournal.com, 1 +thelapine.ca, 1 +thelasallenetwork.com, 1 +thelastsurprise.com, 1 +thelastvikings.tk, 1 +thelatinbrothers.ch, 1 +thelaunchbay.com, 1 +thelaurelchiropractor.com, 1 +thelawyermag.com, 1 +thelazyfox.xyz, 1 +thelazysre.com, 1 +thelbc.io, 0 +thelearninggardener.com, 1 +theleaves.tk, 1 +thelegionshirley.co.uk, 1 +thelematics.com, 1 +thelemonlawcalifornia.com, 1 +thelencystore.com, 1 +thelevelman.com, 1 +thelibertinephilosophy.ga, 1 +thelicensecompany.com, 1 +thelifevison.com, 1 +thelightbulbproject.tk, 1 +thelightingstore.co.uk, 1 +thelightpoints.eu, 1 +thelimitededition.in, 1 +thelinuxspace.com, 1 +thelittlepeartree.eu, 1 +thelocals.ru, 1 +thelockerroom.ie, 1 +thelocxresearch.tk, 1 +thelodgeonlakedetroit.com, 1 +thelondonflorist.com, 1 +thelonelyones.co.uk, 1 +thelonious.nl, 1 +theloop.ai, 1 +theloop.build, 1 +thelordofthewing.cf, 1 +thelordofthewing.ga, 1 +thelordofthewing.gq, 1 +thelordofthewing.ml, 1 +thelordsofthefallen.com, 1 +thelosangelesconservative.com, 1 +thelostfreighter.com, 1 +thelostyankee.com, 1 +thelotter.club, 1 +thelounge.chat, 1 +theloves.com, 1 +thelwallrangers.tk, 1 +themacateam.com, 1 +themacios.com, 1 +themadlabengineer.co.uk, 1 +themagazine.my, 1 +themagazinetimes.com, 1 +themagician.tk, 1 +themainemonitor.org, 1 +themakers.ie, 1 +themallards.info, 1 +themallrats.tk, 1 +themanbbq.com, 1 +themandogs.tk, 1 +themaniaks.tk, 1 +themarkup.org, 1 +themarshallproject.org, 1 +themassageguy.capetown, 1 +themaster.site, 1 +themaster.tk, 1 +themasterplan.com.au, 1 +thematchless.de, 1 +themathbehindthe.science, 1 +themathergroup.com, 1 +themathscentre.com, 1 +themattresswarehouse.co.za, 1 +thematyper.tk, 1 +themayanah.com, 1 +themeapps.ga, 1 +themeccagroupllc.com, 1 +themecraft.studio, 0 +themediaframe.com, 1 +themedictips.com, 1 +themegatones.tk, 1 +thememory.tk, 1 +thementornetwork.com, 1 +themenzentrisch.de, 1 +themeparkfans.tk, 1 +themeparksimulations.tk, 1 +themerchandiser.net, 0 +themerciful.tk, 1 +themeridianway.com, 1 +themesurgeons.net, 1 +themetropreneur.com, 1 +themexicos.tk, 1 +themexx.at, 1 +themiamimarathon.com, 1 +themiddle.co, 1 +themiddlewoman.com.au, 1 +themify.me, 1 +themify.org, 1 +themigraineinstitute.com, 1 +themilanlife.com, 1 +themilfmovies.com, 1 +themindcollection.com, 1 +theminiacs.com, 1 +theminimalistentrepreneur.com, 1 +themiracle.tk, 1 +themirc.tk, 1 +themizellbrothers.tk, 1 +themlmsuccessnow.tk, 1 +themodel.ie, 1 +themodernreviewer.ga, 1 +themologroup.com, 1 +themomentratchada19.com, 1 +themomstudio.tk, 1 +themoneyconverter.com, 1 +themonthly.com.au, 1 +themood.site, 0 +themorningpodcast.tk, 1 +themortgagereports.com, 1 +themostexpensiveworkofart.com, 1 +themount.co.uk, 1 +themountsomerset.co.uk, 1 +themoviepreview.ga, 1 +themprojects.com, 1 +themurrayfamily.me.uk, 1 +themusecollaborative.org, 1 +themusicofchrisbulman.tk, 1 +themusicthatnobodylikes.tk, 1 +themusketeerslodge.com, 1 +themusthaves.de, 1 +thenamingcommission.gov, 1 +thenappylaundry.ga, 1 +thenathanmethod.com, 1 +thenation.tk, 1 +thenational.academy, 1 +thenaturalpath.co.nz, 1 +theneatgadgets.com, 1 +thenest.se, 1 +thenetw.org, 1 +thenew3rs.org, 1 +thenewclassics.com, 1 +thenewissue.tk, 1 +thenewsmill.com, 1 +thenewtoy.net, 1 +thenextweb.com, 1 +thenexwork.com, 1 +thenichecast.com, 1 +thenine.info, 1 +theninenine.com, 1 +theninjasedge.com, 1 +thenobullshit.coach, 1 +thenocman.com, 1 +thenolank.com, 1 +thenorthschool.org.uk, 1 +thenovicechefblog.com, 1 +thenowheremen.com, 1 +thenrdhrd.nl, 1 +thenudge.com, 1 +thenursery.it, 1 +thenutritionalreset.ca, 1 +theo-andreou.org, 1 +theo.agency, 1 +theo.me, 1 +theo546.cloud, 1 +theo546.fr, 1 +theo546.ovh, 1 +theoakageexperiment.com, 1 +theoasis.co.nz, 1 +theobg.co, 1 +theobromos.fr, 0 +theoc4ever.tk, 1 +theocharis.org, 1 +theocjournal.tk, 1 +theocoffee.com, 0 +theocracy.tk, 1 +theocratic.cf, 1 +theocratic.tk, 1 +theocrazzolara.tk, 1 +theodorahome.co, 1 +theodorahome.com.br, 1 +theodoreroosevelt.org, 1 +theodorojr.com.br, 1 +theofficeofangelascott.com, 1 +theoffsetbinary.co.in, 1 +theofleck.com, 0 +theokouzelis.com, 1 +theoldbrewhouse.info, 1 +theoldmill.tk, 1 +theoldnews.net, 1 +theoldschoolgamevault.com, 1 +theolodewijk.nl, 1 +theologique.ch, 1 +theome.ga, 1 +theomegagroup.co.uk, 1 +theonegroup.co.uk, 0 +theonethaimassage.de, 1 +theonikage.tk, 1 +theonion.com, 1 +theonyxzone.com, 1 +theoosmetalart.nl, 1 +theopaczek.com, 1 +theopera.tk, 1 +theoperators.tk, 1 +theophil.tk, 1 +theorchestranow.com, 1 +theorchestranow.org, 1 +theoriecheck.de, 1 +theoriginalassistant.com, 1 +theoriginalcandid.com, 1 +theoriginalmarkz.com, 1 +theoriginalworkshop.com, 1 +theorioncorrelation.com, 1 +theory-test-online.co.uk, 1 +theory.org, 1 +theoryofmind.tk, 1 +theoscure.eu, 1 +theosophic.ga, 1 +theosophie-afrique.org, 1 +theotherside.tk, 1 +theoverfly.co, 1 +theoverground.tk, 1 +thepac.uk, 1 +thepaffy.de, 0 +thepaleodiettips.tk, 1 +thepandacustom.com, 1 +thepaperstore.com, 1 +theparachafamily.tk, 1 +theparallelrevolution.com, 1 +theparklane-sukhumvitbearing.com, 1 +theparkwoodmanor.com, 1 +theparoxetine.gq, 1 +theparthub.com, 1 +theparticipants.tk, 1 +thepartner.co.uk, 1 +thepartydoctors.co.uk, 1 +thepatchworks.org, 1 +thepathsofdiscovery.com, 1 +thepaul.tk, 1 +thepaulagcompany.com, 0 +thepavilionbanbury.co.uk, 0 +thepaymentscompany.com, 1 +thepcweb.tk, 1 +thepeak.com, 1 +thepenguinconspiracy.tk, 1 +thepennyjar.com, 1 +thepennymatters.com, 1 +thepeoplesdata.com, 1 +thepeoplesdata.org, 1 +theperfectmediagroup.com, 1 +theperformanceblog.com, 1 +thepharm.co.nz, 1 +thephoenixdg.com, 1 +thephp.cc, 1 +thepiabo.ovh, 0 +thepiedpiper.co.uk, 1 +thepieslicer.com, 1 +thepigwrestlers.com, 1 +thepilotwoman.cf, 1 +thepilotwoman.ga, 1 +thepilotwoman.gq, 1 +thepilotwoman.ml, 1 +thepinecones.tk, 1 +thepioneersgame.com, 1 +thepiratebay.cf, 1 +thepiratebay.net, 1 +thepiratesociety.org, 1 +thepitsurfhire.co.uk, 1 +thepixel.tk, 1 +theplantpeople.co.nz, 1 +theplaydaysbus.co.uk, 1 +theplazacentre.co.uk, 1 +theploughharborne.co.uk, 1 +thepodcastreviewshow.com, 1 +thepoetryclub.tk, 1 +thepoetryofperfume.com, 1 +thepokerbank.com, 1 +thepokerpeople.com, 1 +thepollitochicken.com, 1 +thepool.tk, 1 +thepopcornfactory.com, 1 +thepowerboys.tk, 1 +thepressleygirls.com, 1 +thepressurewashingdirectory.com, 1 +thepriceisright.tk, 1 +theprimegroup.ca, 1 +theprimepr.in, 1 +theprimetalks.com, 0 +theprincegame.com, 1 +theprinceshort.tk, 1 +theprinterjam.com, 1 +theprintrepublic.com, 1 +thepriorybandbsyresham.co.uk, 1 +theprivacysolution.com, 1 +theprivatetherapyclinic.co.uk, 1 +theprodigaljournal.com, 1 +theproject.cf, 1 +theprojectx.tk, 1 +thepromisemusic.com, 1 +thepsi.com, 0 +theptclist.tk, 1 +theptpractitioner.com.au, 1 +thepulpit.tk, 1 +thepuppetdolls.tk, 1 +thepureplan.com, 1 +thepurplechickens.tk, 1 +thepuzzles.eu.org, 1 +thepyre.tk, 1 +thepyrographytool.com, 1 +theqrl.org, 1 +theqtree.com, 1 +thequillmagazine.org, 1 +theradiojudge.com, 1 +theralino.de, 1 +theramo.re, 1 +theranch.com, 1 +therandombits.com, 1 +therankkings.org, 1 +therap-up.fr, 1 +therapie-fricktal.ch, 1 +therapie-psycho-emotionnelle.fr, 1 +therapiepraxis-westbezirk.de, 1 +therapyclient.com, 1 +therapyconnects.co.uk, 1 +therapyforblackmen.org, 1 +therapyglobe.com, 1 +therapynotes.com, 1 +therapypartner.com, 1 +therapyportal.com, 1 +therapysearch.com, 1 +therapyservices.co.nz, 1 +therapysxm.com, 0 +therapyworks.com, 1 +therasmusgt.tk, 1 +therasmusperu.tk, 1 +theravada.tk, 1 +thereadingresidence.com, 1 +thereafter.ga, 1 +thereal.tk, 1 +therealcomp.ga, 1 +therealcost.gov, 1 +therealcountrydancers.tk, 1 +therealestatesolutionsguy.com, 1 +therealmaids.com, 1 +thereaper.net.au, 1 +thereaper.tk, 1 +theredhouse.org, 1 +theredsgazette.tk, 1 +thereisnocloud.fr, 1 +thereload.com, 1 +therenderingmachine.com, 1 +therenegade.tk, 1 +thereptiles.tk, 1 +theresa-mayer.eu, 1 +theresapolicewi.gov, 1 +theresingles.tk, 1 +therestaurantstore.com, 1 +theretirementincomecalculator.com, 1 +therevenge.me, 1 +therevolutionist.tk, 1 +therhetorical.ml, 0 +therhodesresidences.com, 1 +therichardsfamily.tk, 1 +therisk.global, 1 +theriverspecialist.com, 1 +thermalbad-therme.de, 1 +thermalitowsca.gov, 1 +thermia.co.nz, 1 +thermia.com.au, 1 +thermique.ch, 0 +thermity.com, 1 +thermolamina.nl, 1 +thermorhythm.com, 1 +thermostat.gq, 1 +thermostatsolutions.com, 1 +thermowood-bkh.ru, 1 +therniakov.tk, 1 +theroadrunners.tk, 1 +theroams.co.uk, 1 +therobertcoffeeshow.com, 1 +theroccos.us, 0 +therockawaysny.com, 0 +theroguestormtrooper.com, 1 +therohotel.com, 1 +therokasshow.tk, 1 +theroks.com, 1 +theromexchange.com, 1 +theroot.com, 1 +therootdental.com, 1 +therootshive.com, 1 +theros.org.uk, 1 +therowlinglibrary.com, 1 +theroyal.tk, 1 +therugswarehouse.co.uk, 1 +theruleslawyer.net, 1 +therumfordcitizen.com, 1 +therunawayspremiere.tk, 1 +theruncibleraven.com, 1 +theruraltrust.com, 1 +therusnews.tk, 1 +therustyspoon.net, 1 +therworth.com, 1 +therworth.eu, 1 +therworth.net, 1 +therworth.org, 1 +thesacreds.com, 1 +thesafetymag.com, 1 +thesage.cf, 1 +thesage.ga, 1 +thesagresapartments.com, 1 +thesalonthing.com, 0 +thesaltsanctuaryfl.com, 1 +thesarogroup.com, 1 +thesatriantoshow.tk, 1 +thesaturdaypaper.com.au, 1 +thescienceofdeduction.tk, 1 +thescientists.nl, 1 +thescriptzone.tk, 1 +theseal.tk, 1 +thesearch.com.tw, 1 +thesecondsposts.com, 0 +thesecularparent.com, 1 +thesecurityvault.com, 0 +theseed.io, 1 +theseedbox.xyz, 1 +thesehighsandlows.com, 1 +theselfevidenttruth.com, 1 +thesemisouthernhomemaker.com, 1 +theseofarm.com, 1 +theseoframework.com, 1 +theseosystem.com, 1 +theseotool.site, 1 +theseparationguide.com.au, 1 +theserpent.tk, 1 +theserver.ml, 1 +theserver201.tk, 1 +theserviceyouneed.com, 1 +thesession.org, 1 +thesetwohands864.com, 1 +theseusconsulting.it, 1 +theshaker.com.au, 1 +thesharedbrain.ch, 0 +theshesuite.com, 1 +theshopally.com, 1 +theshots.cz, 1 +theshroomery.org, 1 +thesigit.tk, 1 +thesignacademy.co.uk, 1 +thesignalco.com.au, 1 +thesilentfew.tk, 1 +thesilentlink.org, 1 +thesilentplanet.tk, 1 +thesilentsecrets.com, 1 +thesilverdaisy.com, 1 +thesimons.family, 1 +thesimplehelp.com, 1 +thesimplewebcompany.com, 1 +thesimsbrasil.tk, 1 +thesingaporelawyer.com, 1 +thesinhalanews.lk, 1 +thesipher.tk, 1 +thesis-editor.co.uk, 1 +thesisgeek.com, 1 +thesishelp.net, 1 +thesissurvey.cf, 1 +thesissurvey.gq, 1 +thesistraffic.com, 1 +thesiterank.com, 1 +theskepticalreviewarchive.com, 1 +theskingym.co.uk, 1 +theskiweek.com, 1 +thesled.net, 1 +thesocialitefamily.com, 1 +thesocialmediacentral.com, 1 +thesomepeople.org, 1 +thesoundproofwindows.co.uk, 1 +thesoundstageatstrangeland.com, 1 +thespacegame.tk, 1 +thespanishcollection.com, 1 +thespiritfm.tk, 1 +thespoiler.co.il, 1 +thesponsorshipguy.com, 0 +thesportsroom.tv, 1 +thestandards.tk, 1 +thestatementjewelry.com, 1 +thestationatwillowgrove.com, 1 +thestatuspage.com, 1 +thesteins.org, 0 +thestitchynerd.com, 1 +thestockoasis.com, 1 +thestopoff.tk, 1 +thestoragebay.co.uk, 1 +thestore.tk, 1 +thestoryshack.com, 0 +thestral.pro, 1 +thestralbot.com, 1 +thestrangenessofthings.tk, 1 +thestreet.cz, 1 +thestudioslucan.com, 1 +thestudylink.com, 1 +thestyle.city, 1 +thestylebouquet.com, 1 +thesubsequent.com, 1 +thesubstitute.nl, 1 +thesultans.tk, 1 +thesunshinecoasttourcompany.com.au, 1 +thesupersunday.tk, 1 +thesuppercircle.com, 1 +thesupremacyg.com, 1 +thesurgeons.sg, 1 +theswanstation.tk, 1 +theswanwindsor.co.uk, 1 +theswimdoctors.com, 0 +theswissbay.ch, 0 +thetablehuff.com, 1 +thetakeout.com, 1 +thetampariverwalk.com, 1 +thetandd.com, 1 +thetapirsmouth.com, 1 +thetassos.com, 1 +thetattooedpreacher.com, 1 +theteaaffair.com, 1 +theteaguemovie.tk, 1 +thetebodifference.com, 1 +thetechdude.ga, 1 +thetechnicaldost.com, 1 +thetfordtwpmi.gov, 1 +thetfordvt.gov, 1 +thetherapist.tk, 1 +thethinktankpodcast.co, 1 +thethreadsmiths.com.tw, 1 +thethreepercent.marketing, 1 +thethymevortex.zapto.org, 1 +thetinylife.com, 1 +thetipo.eu, 1 +thetipo.it.eu.org, 1 +thetipo01.tk, 1 +thetogbox.cf, 1 +thetomharling.com, 1 +thetopmovie.gq, 1 +thetopsecretepisode.tk, 1 +thetorlock.com, 1 +thetorturedman.com, 1 +thetotalemaildelivery.com, 1 +thetoto.tk, 1 +thetownehub.com, 1 +thetradinghall.com, 0 +thetrafficgeek.com, 1 +thetravel.com, 1 +thetravelczar.com, 1 +thetravelhack.com, 0 +thetravelinstitute.com, 1 +thetravelstylist.nl, 1 +thetreeradio.com, 1 +thetrendingarticle.com, 1 +thetrendspotter.net, 1 +thetropics.tk, 1 +thetrulycharming.com, 0 +thetrustai.com, 1 +thetruthabouthemp.com, 1 +thetubecopenhagen.com, 1 +thetuxkeeper.de, 0 +thetvtraveler.com, 1 +thetwistedrabbit.com, 1 +theudbs.com, 1 +theuhlesteam.com, 1 +theultimateshave.net, 1 +theunbox.com, 1 +theunconventionalconventionists.tk, 1 +theundefeated.com, 1 +theunderzone.tk, 1 +theuneundtheune.de, 1 +theunitedstates.tk, 1 +theuniversallover.tk, 1 +theuniversitiesofasia.ga, 1 +theunleashedpet.com, 1 +theunstudiedyogi.com, 1 +theunwrittenletters.tk, 1 +theupslady.cf, 1 +theupslady.ga, 1 +theurbandecor.com, 1 +theurdubooks.com, 1 +theuucc.org, 0 +thevacuumpouch.co.uk, 1 +thevalleybucketeers.tk, 1 +thevalueofarchitecture.com, 1 +thevanishedvoyager.ml, 1 +thevegcat.com, 1 +theveggietable.com, 1 +thevelvetlove.tk, 1 +thevenueofhollywood.com, 1 +thevern.co.za, 1 +theverybusyoffice.co.uk, 1 +thevetstop.co.uk, 1 +thevillageok.gov, 1 +thevillasatparkaire.com, 1 +thevine.one, 1 +thevintagenews.com, 0 +theviolenceofdevelopment.com, 1 +thevirajshelke.com, 1 +thevirgin.tk, 1 +thevirtualbookkeepers.com, 0 +thevirtualdetective.games, 1 +thevirtualhealingroom.ca, 1 +thevirtualhealingroom.com, 1 +thevirtuousdog.com, 1 +thevisasofoz.com, 1 +thevoga.com, 1 +thevoid.one, 1 +thevolte.com, 1 +thevoya.ga, 0 +thevpsdude.com, 1 +thewagesroom.co.uk, 1 +thewalkerz.tk, 1 +thewallet.today, 1 +thewarehousefellowship.org, 1 +thewatchdog.com.br, 1 +thewaterfront.org.au, 1 +thewaterfrontpoole.com, 1 +thewave.tk, 1 +thewaxhouse.academy, 1 +thewayofislam.ml, 1 +thewayofthedojo.com, 1 +thewaytoyourself.com, 1 +theweakandthestrong.tk, 1 +thewebbogan.com.au, 1 +thewebcully.com, 1 +thewebguru.net, 1 +thewebmasters.tk, 1 +thewebsitemarketingagency.com, 1 +theweddingfit.com, 1 +theweed.tk, 1 +thewest.tk, 1 +thewhiteboxxx.com, 1 +thewhitedog9487.xyz, 1 +thewhitehorses.tk, 1 +thewhiterabbit.space, 1 +thewhitneypaige.com, 1 +thewickedclan.tk, 1 +thewiki.kr, 1 +thewindow.com, 1 +thewindowcleaningexpert.com, 1 +thewindowcleaningexperts.com, 1 +thewindowcleaningexperts.net, 1 +thewindowsclub.com, 1 +thewinedelivery.ga, 1 +thewisdomtrust.org.uk, 1 +thewish.ml, 1 +thewish.tk, 1 +thewolseley.com, 1 +thewombatsict.com.au, 1 +thewomen.tk, 1 +thewomensbusinesscenter.com, 0 +thewoodkid.com.au, 1 +thewoodlandsviplimousine.com, 1 +thewoods.earth, 1 +thewoolroom.com.au, 1 +theworkingeye.nl, 1 +theworksboulder.com, 1 +theworksheets.com, 1 +theworkshop.tk, 1 +theworld.org, 1 +theworld.tk, 1 +theworldaccordingtocathers.com, 1 +theworldexchange.com, 1 +theworldexchange.net, 1 +theworldexchange.org, 1 +theworldsbestmassagechairs.com, 1 +theworldsend.eu, 1 +theworldtakes.tk, 1 +theworser.tk, 1 +thewpskill.com, 1 +thewraithmovie.tk, 1 +thewrenchmonkey.ca, 1 +thewrightflyer.com, 1 +thewritegrl.com, 1 +thewriteress.com, 1 +thexalla.tk, 1 +thexme.de, 1 +thexpert.ml, 1 +theyacht.ga, 1 +theyachtweek.com, 1 +theyakshack.co.uk, 1 +theyarnhookup.com, 0 +theycallmesnail.tk, 1 +theyear199x.org, 1 +theyearinpictures.co.uk, 1 +theyosh.nl, 1 +theysocial.tk, 1 +thezillersathenshotel.com, 1 +thezone.bg, 1 +thfaid.org, 1 +thghosting.com, 1 +thhomes.vn, 1 +thhost.tk, 1 +thiagoalessio.me, 1 +thiagohersan.com, 1 +thiagolosneves.com.br, 1 +thiagoribeiro.ml, 1 +thiasil.com, 1 +thibault-ml.com, 1 +thibaultbaheux.com, 0 +thibaultwalle.com, 1 +thibautcharles.net, 1 +thibautdecherit.fr, 1 +thibierge-associes.notaires.fr, 1 +thichson.vn, 1 +thickassporn.com, 1 +thieme-it.de, 1 +thienduongthoitrang.vn, 1 +thiepcuoidep.com, 1 +thiepxinh.net, 1 +thierryhayoz.ch, 1 +thierrymazue.com, 1 +thierrymazue.fr, 0 +thiesketelsen.de, 0 +thietbithoathiem.net, 1 +thietkegianhangtttm.com, 1 +thijmen.xyz, 1 +thijmendevalk.nl, 1 +thijmenmathijs.nl, 1 +thijmenverveeltzich.nl, 1 +thijs.amsterdam, 1 +thijs.fr, 1 +thijsenarjan.nl, 1 +thijsslop.com, 1 +thijsslop.eu, 1 +thijsslop.nl, 1 +thijsvanderveen.net, 1 +thikkodi.tk, 1 +thilko.com, 1 +thilobuchholz.de, 1 +thimbros.tk, 1 +thimic.net, 1 +thimic.no, 1 +thinair.co, 1 +thinairsolutions.com, 1 +thinegen.de, 1 +thinfilmview.com, 1 +thing.vn, 1 +thingformatter.net, 1 +thingies.site, 1 +thingsandcode.com, 1 +thingsimplied.com, 0 +thingsivesaid.com, 1 +thingsof.org, 1 +thingswithleaves.co.uk, 1 +think-ai.eu, 1 +think-positive-watches.de, 1 +think.law, 1 +thinkbigdobig.tk, 1 +thinkbigjesse.com, 1 +thinkbot.de, 1 +thinkbrands.co.uk, 1 +thinkcash.nl, 1 +thinkcogency.com, 1 +thinkd2s.com, 1 +thinkdata.com.br, 1 +thinkdigital.co.id, 1 +thinkdigital.tk, 1 +thinkel.tk, 1 +thinkelectric.cf, 1 +thinkelectric.gq, 1 +thinkelectric.ml, 1 +thinkfortune.co, 1 +thinkforyourself.tk, 1 +thinkheaddesign.com, 1 +thinkhealing.co.uk, 1 +thinkific.com, 1 +thinkindifferent.net, 1 +thinkingfaith.org, 1 +thinkingliberty.com, 1 +thinkingnull.com, 0 +thinkingplanet.net, 1 +thinkittech.com, 1 +thinkmaking.org, 1 +thinkmarketing.ca, 1 +thinkprocedural.com, 1 +thinktux.net, 1 +thinkwisesoftware.com, 0 +thinwildmercury.com, 1 +thinxtream.com, 1 +thirdbearsolutions.com, 0 +thirdgenphoto.co.uk, 1 +thirdman.auction, 0 +thirdwave.tk, 1 +thirdwaveanalytics.com, 1 +thirdwaverevenue.com, 1 +thirdworld.moe, 1 +thirteen.pm, 1 +thirtysixseventy.ml, 1 +thiruvarur.org, 1 +thiry-automobiles.net, 1 +thisbowin.com, 1 +thiscloudiscrap.com, 0 +thisdayinhockey.tk, 1 +thisdot.site, 1 +thisfreelife.gov, 1 +thishousedoesnotexist.org, 1 +thisis.id, 1 +thisisacompletetest.ga, 1 +thisisamericansoccer.com, 1 +thisisarecording.com, 1 +thisisart.ie, 1 +thisisbenwoo.com, 1 +thisishugo.com, 1 +thisismit.ch, 1 +thisisrapt.com.au, 0 +thisisreno.com, 1 +thisisrye.com, 1 +thisistechtoday.com, 1 +thisistina.nl, 1 +thisistwice.tk, 1 +thisiswhywemom.com, 1 +thismatter.com, 1 +thismatters.agency, 1 +thismumdoesntknowbest.com, 1 +thisquarterly.sg, 1 +thisserver.dontexist.net, 1 +thissimplifiedhome.com, 1 +thistleandleaves.com, 1 +thistom.de, 1 +thisuniverse.tk, 1 +thisyear.jp, 1 +thitat.net, 1 +thn.la, 1 +thoenesfamilierecht.nl, 1 +thok.de, 1 +tholab.io, 1 +tholcomb.com, 1 +thole.org, 1 +thom4s.info, 1 +thomalaudan.de, 1 +thomaner.de, 1 +thomas-bronniart.com, 1 +thomas-grobelny.de, 1 +thomas-leplus.com, 1 +thomas-sammut.com, 1 +thomas-schmittner.de, 1 +thomas-steel.com, 1 +thomas-suchon.fr, 1 +thomas.computer, 1 +thomas.love, 0 +thomas717.com, 1 +thomasbeckers.be, 1 +thomasboosman.com, 1 +thomasbreads.com, 0 +thomascountyne.gov, 1 +thomasdbrown.com, 1 +thomasduerlund.dk, 1 +thomasebenrett.de, 1 +thomasecookedds.com, 1 +thomaseikel.de, 1 +thomaseyck.com, 1 +thomasfoster.co, 1 +thomasgriffin.com, 1 +thomasgriffin.io, 1 +thomashunter.name, 0 +thomaskaviani.be, 1 +thomasleplus.com, 1 +thomasmeester.nl, 0 +thomasmerritt.de, 1 +thomaspic.com, 1 +thomaspluschris.com, 1 +thomasrichter.de, 1 +thomass.tk, 1 +thomastestor.tk, 1 +thomastimepieces.com.au, 1 +thomastonmaine.gov, 1 +thomasvanlaere.com, 1 +thomasverhelst.be, 1 +thomasvochten.com, 1 +thomaswoo.com, 1 +thomien.de, 1 +thompsonfamily.cloud, 1 +thompsonoh.gov, 1 +thomson-mcduffie.gov, 1 +thomsonbaby.com, 1 +thomsonscleaning.co.uk, 1 +thomspooren.nl, 0 +thomwiggers.nl, 1 +thongnhat.com.vn, 1 +thongsokythuat.vn, 1 +thongtinthethao.net, 1 +thooka.com, 1 +thoplam.com, 1 +thor.edu, 1 +thor.re, 1 +thorbes.ga, 1 +thorbiswebsitedesign.com, 1 +thorborg.dk, 1 +thoreau.tk, 1 +thornhillfamilydental.ca, 1 +thornlaw.co.nz, 1 +thorntonnh.gov, 1 +thorntonshvacservice.com, 1 +thoroquel.org, 1 +thoroughbredrecords.com, 1 +thors-hearth.tk, 1 +thorsten-schaefer.com, 1 +thorstenschaefer.name, 1 +thost3.de, 1 +thotcomputed.com, 1 +thotpublicidad.com, 1 +thots.org, 1 +thoughtexchange.ca, 1 +thoughtexchange.com, 1 +thoughtexchange.net, 1 +thoughtfarmer.com, 1 +thoughtleadersnetwork.nl, 1 +thoughtlessleaders.online, 1 +thoughtspot.com, 1 +thoughtsynth.com, 1 +thoughtsynth.net, 1 +thoughtsynth.org, 1 +thoughtworthy.info, 1 +thousandoaksca.gov, 1 +thousandoakselectrical.com, 1 +thousandoaksexteriorlighting.com, 1 +thousandoakslandscapelighting.com, 1 +thousandoakslighting.com, 1 +thousandoaksoutdoorlighting.com, 1 +thowzzy.be, 1 +thoxyn.com, 1 +thpatch.net, 1 +thpay.com, 1 +thprd.gov, 1 +thr-kurd.tk, 1 +threadabead.com, 1 +threadingcentral.com, 1 +threads.net, 1 +threadscircle.com, 1 +threadsdownloader.com, 1 +threadspecification.com, 1 +threadtrails.com, 1 +threadythready.com, 1 +threatcentral.io, 1 +threatcon.at, 1 +threatcon.blog, 1 +threatcon.ch, 1 +threatcon.de, 1 +threatcon.email, 1 +threatcon.eu, 1 +threatcon.io, 1 +threatcon.link, 1 +threatcon.live, 1 +threatcon.media, 1 +threatcon.net, 1 +threatcon.network, 1 +threatcon.online, 1 +threatcon.org, 1 +threatcon.shop, 1 +threatcon.tv, 1 +threatint.at, 1 +threatint.be, 1 +threatint.blog, 1 +threatint.ch, 1 +threatint.cloud, 1 +threatint.co.uk, 1 +threatint.com, 1 +threatint.com.cy, 1 +threatint.cy, 1 +threatint.de, 1 +threatint.dk, 1 +threatint.es, 1 +threatint.eu, 1 +threatint.fr, 1 +threatint.group, 1 +threatint.info, 1 +threatint.it, 1 +threatint.link, 1 +threatint.lu, 1 +threatint.media, 1 +threatint.network, 1 +threatint.nl, 1 +threatint.online, 1 +threatint.org, 1 +threatint.pl, 1 +threatint.pt, 1 +threatint.tv, 1 +threatint.uk, 1 +threatjammer.com, 1 +threatlabs.eu, 1 +threatlabs.nl, 1 +threatmonitor.io, 1 +threatnix.io, 1 +threatobserver.com, 1 +threatutic.gq, 1 +threatworking.com, 1 +three-wheels.cf, 1 +threedpro.me, 1 +threefantasy.com, 1 +threefisheswebdesign.com, 1 +threefortheroad.tv, 1 +threefours.net, 0 +threelions.ch, 1 +threeluck.sg, 1 +threema.ch, 1 +threema.id, 1 +threenorth.com, 1 +threepeakschallenge.org.uk, 1 +threepeakschallenge.uk, 1 +threeper.org, 1 +threepoint.tk, 1 +threeriversopenhouse.com, 1 +threeshield.ca, 1 +threeshield.com, 1 +threesixteen.com.au, 1 +threethirty.gq, 1 +threewire.com, 1 +threexxx.ch, 1 +threv.net, 1 +thriftdiving.com, 1 +thriftywp.com, 1 +thrillernyc.com, 1 +thrillkill.tk, 1 +thriva.co, 1 +thriveansanm.org, 1 +thriveatfive.org.uk, 1 +thriveondev.com, 1 +thriver.com, 1 +thrivetours.ca, 0 +thrivetracker.com, 1 +throckmortoncountytx.gov, 1 +throneofmolok.tk, 1 +throopny.gov, 1 +throttlerz.in, 1 +throughout.ga, 1 +throughtheglass.photo, 1 +throwaway.link, 1 +throwedrolls.com, 1 +throwmails.com, 1 +throwpass.com, 1 +thrustrules.tk, 1 +ths.li, 1 +thsc.us, 1 +thsclothing.com, 1 +thsconstructors.com, 1 +thscpac.org, 1 +thsecurity.cz, 1 +thtcmaps.sa, 1 +thuban.me, 1 +thuenhapho.com, 1 +thues.eu, 1 +thugcityrecords.tk, 1 +thuisverplegingvandermeiren.be, 1 +thuiswinkel.org, 1 +thumbnail-download.com, 1 +thumbnails.jp, 1 +thumbsnap.com, 1 +thumbsupcandy.com, 1 +thumbtack.com, 1 +thumbzilla.com, 1 +thummer.net, 1 +thunderbase.tk, 1 +thunderbolt.tk, 1 +thundercloud.onthewifi.com, 1 +thunderfield-boat.co.uk, 1 +thunderhead.com, 0 +thunderheadjtc.tk, 1 +thunderkeys.net, 1 +thunderstruckfestival.nl, 1 +thundr.eu, 1 +thunis.com, 1 +thunktank.org, 1 +thunraz.com, 1 +thuongluu.vn, 1 +thurmanny.gov, 1 +thurn.net, 1 +thurstonauditor.gov, 1 +thurstoncountyne.gov, 1 +thurstoncountysheriffne.gov, 1 +thurstonwavotes.gov, 1 +thusa.co.za, 1 +thusoy.com, 1 +thuthuatmac.com, 1 +thutm.com, 1 +thutucxuatnhapkhau.net, 1 +thuviensoft.com, 1 +thuviensoft.net, 1 +thuyetphapmoi.com, 1 +thvideo.tv, 1 +thvr.co, 1 +thw-messenger.de, 1 +thwiki.cc, 1 +thwitt.de, 1 +thxandbye.de, 1 +thycotic.ru, 1 +thynx.io, 0 +thyrex.fr, 0 +thyroidheadnecksurgery.com, 1 +thyscalesbalanced.world, 1 +ti-coast.com, 1 +ti-js.com, 1 +ti-nuage.fr, 1 +ti-pla.net, 1 +ti-planet.org, 1 +ti780.com, 1 +tiagocasalribeiro.ml, 1 +tiagomoraismorgado.tk, 1 +tiagomoreira.pt, 1 +tiagoneves.tk, 1 +tiagonunes.pt, 1 +tiagosimao.com, 1 +tiai.cf, 1 +tiai.gq, 1 +tiai.ml, 1 +tiaki.org, 0 +tiamabi.tk, 1 +tiamarcia.com.br, 1 +tian123.com, 1 +tian888.com, 1 +tianbaobo05.com, 1 +tianbaobo06.com, 1 +tianbaobo07.com, 1 +tianbaobo09.com, 1 +tianbo1088.com, 1 +tianbo1988.com, 1 +tianbo1998.com, 1 +tiandixing.org, 1 +tianeptine.com, 1 +tianibeeming.com, 1 +tianjiaxi.com, 1 +tianjinair.com, 1 +tianle.sh, 1 +tianshili.me, 1 +tiantangbt.com, 1 +tianwen.tk, 1 +tianxicaipiao.com, 1 +tianxicaipiao.win, 1 +tianxicp.com, 1 +tianyis.net, 1 +tianyou-ecjtu.com, 1 +tiarap.org, 1 +tiaria.id, 1 +tiaskipin.tk, 1 +tib1.com, 1 +tibber.com, 1 +tibberdev.com, 1 +tibbitshall.ca, 1 +tibc.ch, 1 +tiberian.tk, 1 +tibiarock.tk, 1 +tibinonest.me, 1 +tibipg.com, 1 +tible.com, 1 +tibovanheule.site, 1 +tibovanheule.space, 0 +tibox.cl, 0 +tiburgundysi.ga, 1 +ticalcgames.tk, 1 +ticfleet.com, 1 +tichdiem80.com, 1 +tichieru.pw, 1 +ticinoscout.ch, 1 +tickertable.com, 0 +tickertoolkit.com, 1 +ticket-time.es, 1 +ticketassist.nl, 1 +ticketbahia.com, 1 +ticketcity.com, 1 +ticketfan.es, 1 +tickethut.be, 1 +ticketingforless.com, 1 +ticketix.com, 1 +ticketmaze.com, 1 +ticketpay.jp, 1 +ticketpro.ca, 1 +ticketrestaurant.us, 1 +ticketrunway.com, 1 +tickets2004.tk, 1 +ticketscheapairfare.com, 1 +ticketscheapairline.com, 1 +ticketscheapflights.com, 1 +ticketslover.com, 1 +ticketsolve.com, 1 +ticketsource.co.uk, 1 +ticketsource.eu, 1 +ticketsource.io, 1 +ticketsource.us, 1 +ticketsourcebeta.co.uk, 1 +ticketswap.co, 1 +ticketswap.co.nz, 1 +ticketswap.dk, 1 +ticketswap.fi, 1 +ticketswap.in, 1 +ticketswap.pt, 1 +ticketswap.ru, 1 +tickettailor.com, 1 +ticketunity.com, 1 +ticketure.com, 1 +tickit.ca, 0 +ticktbox.com, 1 +ticnom.com, 1 +tictac.tk, 1 +tictail.com, 1 +tid.jp, 1 +tida.ge, 1 +tidal.ninja, 1 +tidal.zone, 1 +tide.com, 1 +tidecommunity.tk, 1 +tidehunter.ml, 1 +tideritter.de, 1 +tidewaterwebsites.com, 1 +tidimension.tk, 1 +tidit.nl, 1 +tidlook.co.il, 1 +tidy.chat, 1 +tidych.at, 1 +tidycustoms.net, 1 +tidydiary.com, 1 +tie.pub, 1 +tiederavintola.fi, 1 +tieffeservice.it, 1 +tiekoetter.com, 1 +tielectric.ch, 1 +tielsebakkers.tk, 1 +tiempo3.com, 1 +tiempolibre.nl, 1 +tiendabna.com.ar, 1 +tiendacanper.com, 1 +tiendacomprasegura.com, 1 +tiendadatasystem.es, 1 +tiendadeperros.com, 1 +tiendaengeneral.com, 1 +tiendafetichista.com, 1 +tiendamacoco.com.ar, 1 +tiendamagia.com, 1 +tiendamia.co, 1 +tiendamia.com, 1 +tiendamia.com.do, 1 +tiendamia.com.pa, 1 +tiendamia.com.py, 1 +tiendamia.cr, 1 +tiendaregalos.eu, 1 +tiendatecnologica.net, 1 +tiener-herentals.be, 1 +tienerdienst-johanneskapel.tk, 1 +tiengtrungquoc.net, 1 +tienic.com, 1 +tiens-ib.cz, 1 +tier5industries.com, 1 +tierarzt-karlsruhe-durlach.de, 1 +tierarztpraxis-illerwinkel.de, 1 +tieredaccess.com, 1 +tierfaszienation.de, 1 +tiergear.com.au, 1 +tieronegraphics.com, 1 +tierparadies-muhrielle.org, 1 +tierra-indomables.tk, 1 +tierracenter.com, 1 +tierradeayala.com, 1 +tierrahost.com, 1 +tierramarca.com, 1 +tierraprohibida.net, 1 +tierschutz-niederrhein.de, 1 +tiestofan.tk, 1 +tiete.be, 1 +tietew.jp, 1 +tietew.net, 1 +tietotori.fi, 1 +tieulinh.com, 1 +tiew.pl, 0 +tifa-233.com, 1 +tifan.net, 1 +tifaware.com, 1 +tifenn.eu, 1 +tifenn.nl, 1 +tiffanitooley.tk, 1 +tiffany-angel.com, 1 +tiffany-remixed.tk, 1 +tiffany.moe, 1 +tiffanyblooms.ru, 1 +tiffanychristie.ca, 1 +tiffanywatson.xyz, 1 +tiffnix.com, 1 +tiflonet.tk, 1 +tifokaos.tk, 1 +tiftonga.gov, 1 +tig.mr, 1 +tiga-design.com, 1 +tigercam.cl, 1 +tigerconnect.com, 1 +tigerfm.tk, 1 +tigerforce.tk, 1 +tigergraph.com, 1 +tigergroup.tk, 1 +tigernero.duckdns.org, 1 +tigernode.com, 1 +tigernode.net, 1 +tigertonwi.gov, 1 +tigerupload.tk, 1 +tigerzplace.tk, 1 +tiggeriffic.com, 1 +tiggertracks.com, 1 +tiggi.pw, 1 +tightassanal.com, 1 +tightasspics.com, 1 +tightassporntube.com, 1 +tightenthisshitup.com, 1 +tightpussysex.com, 1 +tigit.co.nz, 1 +tiglitub.com, 1 +tigreblanco.tk, 1 +tigzirt.tk, 1 +tihvin.tk, 1 +tii.audio, 1 +tii.party, 1 +tiihosen.fi, 1 +tiim.technology, 1 +tijden.nu, 1 +tijdvoorgeschiedenis.nl, 1 +tijerascreek.com, 0 +tijerasnm.gov, 1 +tijo.ch, 1 +tijoe.net, 1 +tik.edu.ee, 1 +tik.porn, 1 +tiki-god.co.uk, 1 +tiki.id, 1 +tikimpact.com, 1 +tikitak-o-rama.tk, 1 +tikkio.com, 1 +tikklik.nl, 1 +tikona.ga, 1 +tiktak.su, 1 +tiktok.com, 1 +tiktokdownloader.com, 1 +tiktokgirls.live, 1 +tiktokglobalshop.com, 1 +tiktokglobalshopv.com, 1 +tiktokshop.com, 1 +tiktokv.com, 1 +tikun.tk, 1 +tikuter.me, 1 +tilcra.de, 1 +tilde.green, 1 +tilde.institute, 1 +tilde.link, 1 +tildes.net, 1 +tilecleaningservicepros.com, 1 +tileco.ga, 1 +tileflooringideas.gq, 1 +tileflooringideas.ml, 1 +tilellit.pro, 1 +tilers-world.com, 1 +tilesbay.com, 1 +tilietu.com, 1 +tilikum.io, 1 +tilipalvelutuominen.fi, 1 +tilisi.ga, 1 +tilitoimistokota.fi, 0 +tilitoimistopaiva.fi, 1 +tilitoimistosukkela.fi, 1 +tilitop.tk, 1 +till-grossmann.de, 1 +till.fyi, 1 +till.im, 1 +tillamookcounty.gov, 1 +tillberg.us, 1 +tillehus.frl, 1 +tilleysbouncycastles.co.uk, 1 +tillinger.sk, 1 +tillseasyscore.com, 1 +tillwalldrug.com, 1 +tillydesign.com, 1 +tiloschroeder.space, 1 +tilosp.de, 1 +tiltedscalescollective.org, 1 +tiltedwindmillcrafts.com, 1 +tiltedwindmillpress.com, 1 +tilvids.com, 1 +tilysthings.com, 1 +tim-demisch.com, 1 +tim-demisch.de, 1 +tim-demisch.email, 1 +tim-demisch.eu, 1 +tim-lawrence.cf, 1 +tim-niclas-demisch.de, 1 +tim-niclas-demisch.eu, 1 +tim.org.tr, 1 +tim427.net, 0 +timacdonald.me, 1 +timawesomeness.com, 1 +timbarlotta.com, 1 +timbercreekcanyontx.gov, 1 +timberjewelleryboxes.ga, 1 +timberjoineryperth.com.au, 1 +timbishopartist.com, 1 +timbrust.de, 1 +timbuktutimber.com, 1 +timcamara.com, 1 +timco.cloud, 1 +timdebruijn.nl, 1 +timdemisch.de, 1 +timdemisch.email, 1 +timdemisch.eu, 1 +timdemisch.online, 1 +timdoug.com, 1 +time-business.tk, 1 +time-hotel.cf, 1 +time-killers.tk, 1 +time.cy, 1 +time.gov, 1 +time.ly, 1 +time.sh, 1 +time2060.ru, 1 +time22.com, 1 +time2choose.com, 1 +time4writing.com, 1 +timeai.io, 1 +timeauction.hk, 1 +timeblog.org, 1 +timebomb.tk, 1 +timebookings.cf, 1 +timebox.tk, 1 +timebutler.de, 1 +timecamp.com, 1 +timecamp.pl, 1 +timecaptis.com, 1 +timecarrot.tk, 1 +timecheck.tk, 1 +timedin.net, 1 +timefor.tk, 1 +timeglass.de, 1 +timelapsetv.tk, 1 +timeless-photostudio.com, 1 +timeless-spirit.com, 1 +timelesstopiary.com, 1 +timelesstreasures.tk, 1 +timelettings.com, 1 +timelimit.io, 1 +timelost.tk, 1 +timely.fun, 1 +timely.md, 1 +timelybookkeeper.com, 1 +timelycare.com, 1 +timelyprovider.com, 1 +timemuzz.com, 1 +timeneye.com, 1 +timentask.com, 1 +timeout.co.il, 1 +timeoutdoors.com, 1 +timepassengers.tk, 1 +timeprison.tk, 1 +timepro.sk, 1 +timerace.ml, 1 +timeroll.ml, 1 +timersuite.com, 1 +timertomato.com, 1 +timesamui.com, 1 +timesedlen.dk, 1 +timeserver0.de, 1 +timeserver1.de, 1 +timeserver2.de, 1 +timeserver3.de, 1 +timesheet-plugin.herokuapp.com, 1 +timesheetcomics.com, 1 +timeslive.co.ke, 1 +timesloth.io, 1 +timesmarket.org, 1 +timesofisrael.com, 1 +timesofmalta.com, 1 +timespace.eu.org, 0 +timespreader.com, 0 +timeswath.uk, 1 +timeswiki.org, 1 +timetab.org, 1 +timetastic.co.uk, 1 +timetastic.us, 1 +timeticket.eu, 1 +timeticket.nl, 1 +timetotrade.com, 1 +timetravelforum.tk, 1 +timetreeapp.com, 1 +timeular.com, 1 +timewall.de, 1 +timewasters.nl, 1 +timewasters.tk, 1 +timeweb.io, 1 +timewornlit.com, 1 +timfiedler.net, 1 +timgame.tk, 1 +timhieuthuoc.com, 1 +timi-matik.hu, 1 +timich.ga, 1 +timilion.tk, 1 +timing.com.br, 1 +timjk.de, 0 +timm-fensterbau.de, 1 +timm404.de, 1 +timmcclure.ca, 1 +timmerbedrijfpauel.nl, 1 +timmermansadministratie.nl, 0 +timmermens.com, 1 +timmish.de, 1 +timmy.ws, 1 +timmyrs.de, 1 +timnash.co.uk, 1 +timnegocia.com.br, 1 +timniclasdemisch.de, 1 +timniclasdemisch.eu, 1 +timo-viveen.nl, 1 +timochan.cn, 1 +timomontalto.de, 1 +timonenko.cf, 1 +timonline.tk, 1 +timosfoodbar.nl, 1 +timoso.de, 1 +timotheeduran.com, 1 +timothy.tk, 1 +timothybjacobs.com, 1 +timothyyip.photography, 1 +timowi.de, 1 +timoxbrow.com, 0 +timqueen.com, 1 +timroes.de, 1 +timsayedmd.com, 1 +timscheuermann.ddns.net, 1 +timseverien.com, 0 +timstoffel.net, 0 +timtaubert.de, 1 +timtelfer.com, 1 +timtj.ca, 1 +timtom.ga, 1 +timvanban.vn, 1 +timvandekamp.nl, 1 +timvanheusdencoaching.com, 1 +timverhaegh.de, 1 +timvivian.ca, 1 +timweb.ca, 1 +timx.uk, 1 +timysewyn.be, 0 +tin-bao.com, 1 +tina.is, 1 +tina.media, 1 +tinaarenaweb.tk, 1 +tinaevers.com, 1 +tinakay-photography.com, 1 +tinamajorino.tk, 1 +tinandthyme.uk, 1 +tinapoethe.com, 0 +tinastouchmassage.com, 1 +tinclip.com, 1 +tindallriley.co.uk, 1 +tinder.wiki, 1 +tinderphotos.ga, 1 +tineb.be, 1 +tinevogel.dk, 1 +tinf.de, 1 +tinf15b4.de, 1 +tinfoilsecurity.com, 1 +tinfoleak.com, 1 +tingriev.gq, 1 +tinh.work, 1 +tinhchattrangda.vn, 1 +tinhlai.gq, 1 +tinint.com, 1 +tink.network, 1 +tinka.tk, 1 +tinker.career, 1 +tinkerbeast.com, 1 +tinkerbell.space, 1 +tinkerboard.org, 1 +tinkerdifferent.com, 1 +tinkerhost.net, 1 +tinkerliving.com, 1 +tinkerliving.marketing, 1 +tinkuscochabamba.tk, 1 +tinky.tk, 1 +tinlc.org, 1 +tinmarin.org, 1 +tinmouthvt.gov, 1 +tinneke.tk, 1 +tinnhanhvietnam.tk, 1 +tinnitus.tirol, 1 +tinobeth.com, 1 +tinonawall.co.uk, 1 +tintamas.tk, 1 +tinte24.de, 1 +tintenfix.net, 1 +tintiger.com, 1 +tintoria.roma.it, 1 +tintuonmobile.tk, 1 +tinturanaturale.it, 1 +tiny-house.ro, 1 +tiny-img.com, 1 +tiny-tattoos.tk, 1 +tiny.ee, 1 +tiny777.com, 1 +tinyarcademachines.com, 1 +tinychen.com, 1 +tinycrm.pl, 1 +tinydogllc.com, 0 +tinydogs.ga, 1 +tinyemily.com, 1 +tinyfont.cf, 1 +tinyfont.ml, 1 +tinyguitars.tk, 1 +tinyhouse-bimify.fr, 1 +tinyhousebarat.com, 1 +tinyhousebarat.de, 1 +tinyhousefinance.com.au, 1 +tinyhouseprojects.be, 1 +tinyhouseturkiye.com.tr, 1 +tinylan.com, 1 +tinylink.cf, 1 +tinylotta.com, 1 +tinypic.host, 1 +tinyproxy.cf, 1 +tinyproxy.ga, 1 +tinyradiance.com, 1 +tinyspeck.com, 1 +tinyssh.com, 1 +tinyssh.org, 1 +tinytanuki.com, 1 +tinytownsoftplay.co.uk, 1 +tinytwitter.io, 1 +tinyurl.com, 1 +tinyvpn.org, 1 +tio.run, 1 +tiogacountyny.gov, 1 +tiolou.com.br, 1 +tipi.jp, 1 +tipiakers.club, 1 +tiplanet.org, 1 +tiplitskymd.com, 1 +tipmexico.com, 1 +tipnews.tk, 1 +tipo01.tk, 1 +tipocloud.cf, 1 +tipoftheday.tips, 1 +tipplist.com, 1 +tipps-fuer-den-haushalt.de, 1 +tipranks.com, 1 +tips4gamers.com, 1 +tips4india.tk, 1 +tipsacademicos.com, 1 +tipsfinal.tk, 1 +tipsforgamers.com, 1 +tipskanalen.cf, 1 +tipslifetimefitness.ga, 1 +tipslifetimefitness.gq, 1 +tipsmake.com, 1 +tipsoftech.tk, 1 +tipsplants.com, 1 +tipstersweb.com, 1 +tipsypresent.com, 1 +tiptop.cloud, 1 +tiptoptransmissions.com, 1 +tiptopusholdings.com, 1 +tipulnagish.co.il, 1 +tipwin.com, 1 +tipwin.de, 1 +tipydokasina.cz, 1 +tiqets.com, 0 +tir-mauperthuis.fr, 1 +tiraloche.com, 1 +tirana-chat.tk, 1 +tirandoalplato.tk, 1 +tirapan.top, 1 +tiraspol.tk, 1 +tircentrale.net, 0 +tirebichon.eu, 1 +tiremart.com, 1 +tirflesia.it, 1 +tirgar.org, 1 +tirgul-vertiujeni.tk, 1 +tirion.network, 0 +tirion.org, 0 +tirionnetwork.de, 1 +tirlins.com, 1 +tiroler-kupferschmiede.com, 1 +tirteafuera.tk, 1 +tirupatinightwear.co.in, 1 +tis.rs, 1 +tischlerei-klettke.de, 1 +tisec.info, 1 +tishomingo.news, 1 +tisina.org, 1 +tiski-shop.ru, 1 +tisknunahadry.cz, 1 +tism.in, 1 +tisparking.com, 1 +tissus-paris.com, 1 +tisvapo.it, 1 +tit-cdn.de, 1 +tit-dev.de, 1 +tit-dns.de, 1 +tit-mail.de, 1 +tit.systems, 1 +titahibayresidents.org.nz, 1 +titanandco.com, 1 +titandirect.co.uk, 1 +titanfile.com, 1 +titanicauto.ro, 1 +titaniumconsulting.co.uk, 1 +titantax.com, 1 +titantrades.com, 1 +titantrading.com.au, 1 +titanwaterproofing.com.au, 1 +titanyumkaplama.com, 1 +titelseite.ch, 1 +titiansgirl.com, 1 +titiansgirlphotography.com, 1 +titina.tk, 1 +titivoot.tk, 1 +titlecan.cn, 1 +titlecan.eu.org, 1 +titlecan.ru, 1 +titli.fr, 1 +titom.me, 1 +titomweb.fr, 1 +titouan.co, 0 +titser.ph, 1 +tittelbach.at, 1 +tittlelawgroup.com, 1 +tittlelawgroup.net, 1 +titulares.ar, 0 +titularizadora.com, 1 +titulosuniversitariosalaventa.com, 1 +titusetcompagnies.net, 0 +titusvillepapd.gov, 1 +tivido.nl, 1 +tivit-chill.partners, 1 +tivit-focus-partners.com, 1 +tiwilandcouncil.com, 1 +tixeconsulting.com, 1 +tixel.com, 1 +tixify.com, 1 +tixtips.com, 1 +tiyee.net, 1 +tizen-ru.tk, 1 +tizimin.tk, 1 +tizreu.xyz, 1 +tjampoer.com, 1 +tjbarn.es, 1 +tjebben.tech, 1 +tjgrant.com, 1 +tjian.info, 1 +tjkebayi.com, 1 +tjl.rocks, 0 +tjmarron.co.uk, 1 +tjongeling.tk, 1 +tjpiezo.com, 1 +tjplabs.com, 1 +tjrapid.sk, 1 +tjro.jus.br, 1 +tjsky.net, 0 +tjtechofficial.ga, 1 +tju.me, 1 +tjupt.org, 1 +tjurun.ga, 0 +tjxcanada.ca, 1 +tjxxzy.com, 1 +tjzzz.com, 1 +tk-its.net, 1 +tk-its.org, 1 +tk2net.com, 1 +tkacz.pro, 1 +tkafinearts.net, 1 +tkanemoto.com, 0 +tkanix.ru, 1 +tkarstens.de, 1 +tkcafe.net, 1 +tkcaninetraining.com, 1 +tkd-itf.tk, 1 +tkddn.com, 1 +tkgpm.com, 1 +tkhirianov.tk, 1 +tkhsurgery.com, 1 +tki.jp, 1 +tkiely.net, 1 +tkirch.de, 1 +tklm.pl, 1 +tkmr-gyouseishosi.com, 1 +tkn.me, 1 +tkonstantopoulos.tk, 1 +tkpayrollsolutions.com, 1 +tksainc.com, 1 +tkts.cl, 1 +tkwataneya.tk, 1 +tkwhongkong.tk, 1 +tl.gg, 1 +tlach.cz, 1 +tlanyan.pp.ua, 1 +tlc-environmental.co.uk, 1 +tlca.org, 1 +tlcinteriors.com.au, 1 +tlctrades.com, 1 +tldata.co, 1 +tldplaza.com, 1 +tldrtips.com, 1 +tldtattoo.com, 1 +tlehseasyads.com, 1 +tleng.de, 1 +tleplus.com, 1 +tlercher.de, 1 +tlicycling.com, 1 +tlingitandhaida.gov, 1 +tljcw.com, 1 +tlmedia.online, 1 +tlmicorp.com, 1 +tln.lib.ee, 1 +tlo.xyz, 1 +tloschinski.de, 1 +tloxygen.com, 1 +tloxygen.us, 1 +tlpn.eu, 1 +tlroadmap.io, 1 +tls-proxy.de, 1 +tls.builders, 1 +tls.care, 0 +tls.support, 1 +tlsbv.nl, 1 +tlsdane.com, 1 +tlsinspector.com, 1 +tlsmail.cc, 1 +tlsrobot.se, 1 +tlumaczenie.com, 1 +tlv77.net, 1 +tlyphed.net, 1 +tlys.de, 0 +tm-its.com, 1 +tm-sydney.au, 1 +tm-t.ca, 1 +tm2ts.com, 1 +tm80plus.com, 0 +tmachinery.cz, 1 +tmadev.com.au, 1 +tmartravel.com, 1 +tmatrack.com, 1 +tmbcloud.duckdns.org, 1 +tmberg.cf, 1 +tmberg.eu.org, 1 +tmberg.ga, 1 +tmberg.gq, 1 +tmberg.ml, 1 +tmberg.se.eu.org, 1 +tmberg.tk, 1 +tmbergtmberg.cf, 1 +tmbergtmberg.ga, 1 +tmbergtmberg.gq, 1 +tmbergtmberg.ml, 1 +tmbergtmberg.tk, 1 +tmbservis.cz, 1 +tmc.com.ar, 1 +tmc.com.mt, 1 +tmcjobs.com, 1 +tmcreationweb.com, 1 +tmcrew.org, 1 +tmdb.biz, 1 +tmdmotorhomes.com, 1 +tmeoworld.tk, 1 +tmf.ru, 1 +tmhanoi.com, 1 +tmhr.moe, 1 +tmi-products.eu, 1 +tmi-produkter.se, 1 +tmin.cf, 1 +tmindustrial.com.br, 1 +tmirz.ml, 1 +tmj4.com, 1 +tmm.cx, 1 +tmmapps.com, 1 +tmobilethuis.nl.eu.org, 1 +tmp.sx, 1 +tmpcdn.xyz, 1 +tmpraider.net, 1 +tmpsantos.com.br, 1 +tmpwn.com, 1 +tmredondela.tk, 1 +tmryan.co.uk, 1 +tmshea.com, 1 +tmstats.fr, 1 +tn-bb.com, 1 +tn.fo, 1 +tn0.club, 1 +tnb-plattform.de, 1 +tncrtinfo.com, 1 +tndagc.gov, 1 +tndentalwellness.com, 1 +tnes.dk, 1 +tnmsc.com, 1 +tnonline.net, 1 +tnosha.gov, 1 +tnpds.org.in, 1 +tnrealid.gov, 1 +tnrf.eu, 1 +tnskvi.tk, 1 +tnsos.gov, 1 +tnt-21.com, 1 +tnt.construction, 0 +tnt2k.de, 1 +tntbooks.ca, 1 +tntmobi.com, 1 +tntuservices.com, 1 +tntware.com, 1 +tnurocancer.com, 1 +tnusedoil.gov, 1 +tnutoys.com, 1 +tnved2013-narod.tk, 1 +tnwgrc.com, 1 +tnwildlandfire.gov, 1 +tnwioa.gov, 1 +to-med.ru, 1 +to-ya.jp, 1 +to.cm, 1 +to.gt, 1 +to.md, 1 +to4ka.md, 0 +toabaja.com, 1 +toabr.de, 1 +toad.ga, 1 +toade.com, 1 +toadox.com, 1 +toaks.gov, 1 +toastmasters.tk, 1 +toastrye.com, 1 +toaw.de, 1 +tob-rulez.de, 1 +tobacco.gov, 1 +tobaccolocker.com, 1 +tobbro-trans.de, 1 +tobedo.net, 1 +toberdyne.net, 1 +tobevictorious.com, 1 +tobi-mayer.de, 1 +tobi-server.goip.de, 1 +tobi-videos.goip.de, 1 +tobiaalberti.com, 1 +tobias-bauer.de, 1 +tobias-bauer.eu, 1 +tobias-bauer.fr, 1 +tobias-bauer.net, 1 +tobias-haenel.de, 1 +tobias-kleinmann.de, 1 +tobias-kluge.com, 1 +tobias-olbrich.de, 1 +tobias-picha.de, 1 +tobias-weidhase.de, 1 +tobias.gr, 1 +tobias4.ddns.net, 1 +tobiasbrunner.net, 1 +tobiasconradi.com, 1 +tobiase.de, 1 +tobiasfischer.info, 1 +tobiashorvath.com, 1 +tobiashorvath.de, 1 +tobiashorvath.net, 1 +tobiashorvath.org, 1 +tobiaskorf.de, 1 +tobiasmanske.de, 1 +tobiaspahlings.de, 1 +tobiaspreis.com, 1 +tobiaspreis.de, 1 +tobiassachs.cf, 1 +tobiassachs.de, 1 +tobiassachs.tk, 1 +tobiassattler.com, 1 +tobiaswiese.com, 1 +tobiaswiese.eu, 1 +tobiaswiese.net, 1 +tobiaswiese.org, 1 +tobiaswiese.work, 1 +tobiefornerod.ch, 1 +tobiichi3227.ddns.net, 1 +tobiichi3227.eu.org, 1 +tobinc.ddnss.de, 1 +tobis-rundfluege.de, 1 +tobis.cloud, 1 +tobischo.de, 1 +tobnm.gov, 1 +tobruxo.com.br, 1 +tobtennis.tk, 1 +toby.website, 1 +toby3d.me, 1 +tobyalden.com, 1 +tobyschrapel.com, 0 +tobyx.cc, 1 +tobyx.co, 1 +tobyx.com, 1 +tobyx.de, 1 +tobyx.eu, 1 +tobyx.is, 1 +tobyx.me, 1 +tobyx.net, 1 +tobyx.ooo, 1 +tobyx.org, 1 +tobyx.xyz, 1 +tocasoft.co.uk, 1 +tocco.ch, 1 +tochi-urikata.net, 1 +tochified.com, 1 +tochinoki.co.jp, 1 +tocho-america.com, 1 +tocomtulio.com, 1 +toconnect.me, 1 +todacarreira.com, 1 +todaciencia.com, 1 +todamateria.com, 1 +todamateria.com.br, 1 +todapolitica.com, 1 +todaslascafeteras.com, 1 +todasnoticias.pt, 1 +today.it, 1 +todayer.ru, 1 +todayfashion.info, 1 +todayfinance.news, 1 +todayfinancial.news, 1 +todayhap.net, 1 +todayjobs.pk, 0 +todaylearn.tk, 1 +todaymeow.com, 1 +todayprice.ga, 1 +todaysbestinsurance.com, 1 +todaysparent.com, 1 +todayupdates.ga, 1 +toddcullumresearch.com, 1 +toddexler.com, 1 +toddlerleaf.com, 1 +toddmclauchlin.cf, 1 +toddmclauchlin.ga, 1 +toddmclauchlin.ml, 1 +toddmissiontx.gov, 1 +toddvbanks.com, 1 +todeva.com, 1 +todo-securitywerkstuk.azurewebsites.net, 1 +todo.is, 0 +todobus.tk, 1 +todobuscadores.tk, 1 +todocracy.com, 1 +todocruces.com, 1 +tododescarga.tk, 1 +todoescaperooms.com, 1 +todoescine.com, 1 +todofadingsuns.tk, 1 +todofiesta.com.ar, 1 +todohealth.com, 1 +todoinfo.tk, 1 +todoist.com, 1 +todoist.help, 1 +todoist.net, 1 +todokete.ga, 1 +todolex.tk, 1 +todon.fr, 1 +todoporjesus.net, 1 +todoscheduler.de, 1 +todoscheduler.org, 1 +todoscomciro.com, 1 +todoseaprende.com, 1 +todosquerem.uno, 1 +todosrv.com, 1 +todotiendas.tk, 1 +toeglhofer.at, 1 +toeightycountries.com, 1 +toekomstperspectief.be, 1 +toepferei-langerwehe.de, 1 +toerschaatsenknsb.nl, 1 +toetsplatform.be, 1 +toeverynation.com, 1 +tofa-koeln.de, 1 +tofe.io, 1 +tofilmhub.com, 1 +tofliving.nl, 1 +toftered.se, 0 +tofu.cf, 1 +tofu.kim, 1 +tofuixi.com, 1 +together.gov, 1 +togetherplanning.com, 0 +togetherprice.com, 1 +togetter.com, 1 +togglename.ml, 1 +toggtr.net, 1 +togoweed.co, 1 +togtider.dk, 1 +toh25unblocked.tk, 1 +toheb.de, 0 +tohevn.tk, 1 +toho-tk.com, 1 +tohofc.co.jp, 1 +tohoku-fukushi.com, 1 +tohokufd.com, 1 +toila.best, 1 +toileobscure.fr, 1 +toilet-guru.com, 1 +toimitaax.fi, 1 +toipa.org, 1 +tojeit.cz, 1 +tojevune.cz, 1 +tok4.com, 1 +tokaido-kun.jp, 1 +tokaido.com, 1 +tokaishishisetsukanrikyokai.jp, 1 +tokarconsulting.com, 1 +tokathaberleri.tk, 1 +tokdeccor.com.br, 1 +tokelaunso.tk, 1 +token.im, 1 +tokenizedhq.com, 1 +tokenlon.im, 0 +tokenoftrust.com, 1 +tokens.net, 1 +toki-doki.tk, 1 +tokic.hr, 0 +tokidoki.team, 1 +tokimeko.jp, 0 +tokinoha.net, 1 +tokinohikari.com, 1 +tokinokakehashi.com, 1 +tokinosasae.com, 1 +tokio.fi, 1 +tokiohotel-world.tk, 1 +tokiohotelcroatia.tk, 1 +tokka.com, 1 +tokke.dk, 1 +tokkee.org, 1 +tokky.be, 1 +tokky.eu, 1 +tokky.fr, 1 +tokoangga.com, 1 +tokobelibeli.com, 1 +tokobungaasryflorist.com, 1 +tokobungadilampung.com, 1 +tokocuan.id, 1 +tokoindo.top, 1 +tokokujogja.com, 1 +tokomoto-w.com, 1 +tokopedia.ga, 1 +tokosehatselalu.com, 1 +toku.co, 0 +tokugai.com, 1 +tokusatsunetwork.com, 1 +tokyo-city.ru, 0 +tokyo-co2down.jp, 1 +tokyo-hotel.tk, 1 +tokyo-onkyo.jp, 1 +tokyo-powerstation.com, 1 +tokyoadultguide.com, 1 +tokyodenmarkweek.com, 1 +tokyomakino.com, 1 +tokyosaviva.com, 1 +tokyotalk.tk, 1 +tokyotimeline.com, 1 +tokyu-hoken.co.jp, 1 +tolartx.gov, 1 +tolas.lt, 1 +tolboe.com, 1 +toldos-en-stock.es, 1 +toldosecoberturasbh.com.br, 1 +toldst.dk, 1 +toledo.tk, 1 +toledoappraiser.com, 1 +toledoclassifieds.net, 1 +toledoescorts.net, 1 +toledohydraulic.com, 1 +tolerance-zero.tk, 1 +toleressea.fr, 1 +toles-sur-mesure.fr, 1 +tolgacankurt.com, 1 +tolibanana.com, 1 +tolkienfans.tk, 1 +tolkienlibrary.com, 1 +tolkienmusic.tk, 1 +tolkienwiki.ml, 1 +tolkovanie-sna.tk, 1 +tollandct.gov, 1 +tolle-wolke.de, 0 +tollerunterricht.com, 1 +tollfreeproxy.com, 1 +tollmanz.com, 0 +tolls.eu, 1 +tollsjekk.no, 1 +tollywood.ga, 1 +tolmaidis.com, 1 +tolmandrywall.com, 0 +tolnavar.hu, 1 +tolstoevsky.tk, 1 +tolucreaciones.com, 1 +tom-bmx.com, 1 +tom-crowley.co.uk, 1 +tom-geiger.de, 1 +tom-hanks.tk, 1 +tom-kunze.de, 1 +tom-kurka.cz, 1 +tom.je, 1 +tom0907.eu, 1 +tomabrafix.de, 1 +tomacino.de, 1 +tomaempleo.com, 1 +tomahawkwi.gov, 1 +tomahwi.gov, 1 +toman.rs, 1 +toman.sk, 1 +toman.su, 1 +tomandmara.com, 1 +tomandshirley.com, 1 +tomarlacalle.com, 1 +tomarnarede.pt, 0 +tomartv.pt, 1 +tomasa.cc, 1 +tomasdrtina.cz, 1 +tomashejatko.cz, 1 +tomashouzvicka.pl, 1 +tomasjacik.cz, 1 +tomaskavalek.cz, 0 +tomasmatulevicius.lt, 1 +tomasmoberg.org, 1 +tomasvecera.cz, 0 +tomaszdwornicki.net, 1 +tomatis-nantes.com, 1 +tomatofrogs.com, 1 +tomatohq.com, 1 +tomaz.eu, 1 +tomba.io, 1 +tombaker.me, 0 +tombclan.ga, 1 +tombeantx.gov, 1 +tombolaarcade.co.uk, 1 +tomboonen.tk, 1 +tomboy.org, 1 +tombrossman.com, 1 +tombu.biz, 0 +tombu.info, 0 +tombu.org, 0 +tombu.xyz, 0 +tomcat.ml, 1 +tomchen.org, 1 +tomco-corporation.tk, 1 +tomcort.com, 1 +tomd.ai, 1 +tomdapice.com, 1 +tomdougiamas.com, 1 +tomdudfield.com, 1 +tomend.es, 1 +tomfelton.tk, 1 +tomff.com, 1 +tomfisher.eu, 1 +tomfun.co, 1 +tomgaddis.com, 1 +tomgaechter.ch, 1 +tomget.tk, 1 +tomharling.co.uk, 1 +tomharling.uk, 1 +tomhol.cz, 1 +tomi.ai, 1 +tomi.cc, 1 +tomica.me, 1 +tomik.cloud, 1 +tomik.fun, 1 +tomikoyco.com, 1 +tomiler.com, 1 +tominysun.com, 1 +tomjans.nl, 1 +tomjepp.uk, 1 +tomjn.com, 1 +tomkempers.nl, 1 +tomkleinit.de, 1 +tomkompserwis.pl, 1 +tomkunze.de, 1 +tomkwok.com, 0 +tomlehrersongs.nl, 1 +tomli.blog, 1 +tomm.yt, 1 +tomma.tk, 1 +tommic.eu, 0 +tommihynynen.com, 1 +tommy-bordas.fr, 0 +tommybrown.ru, 1 +tommycarrauto.com, 1 +tommyemo.com, 1 +tommyemo.net, 1 +tommymoya.tv, 1 +tommypa.se, 1 +tommypalarsson.com, 1 +tommypalarsson.se, 1 +tommyphotographie.com, 0 +tommys.com, 1 +tommytran.io, 1 +tomnatt.com, 1 +tomo.gr, 0 +tomoarigato.com, 1 +tomodachi.tk, 1 +tomoko-clinic.jp, 1 +tomorrow-traxx.tk, 1 +tomorrow.one, 1 +tomosm.net, 1 +tomoveornot.de, 1 +tomp2p.net, 1 +tomphenix.com, 1 +tomphill.co.uk, 0 +tomravinmd.com, 1 +tomrei.com, 1 +tomrichards.net, 1 +tomrunting.pro, 1 +toms.ovh, 1 +tomschlick.com, 1 +tomsdevsn.me, 1 +tomsick.it, 1 +tomsk.cf, 1 +tomsk.ml, 1 +tomsk24.tk, 1 +tomsk365.ga, 1 +tomsknet.tk, 1 +tomsknews.tk, 1 +tomslawadvice.com, 1 +tomsoft.hr, 1 +tomspdblog.com, 1 +tomssite.tk, 1 +tomssl.com, 1 +tomstew.art, 1 +tomtelist.tk, 1 +tomthorogood.co.uk, 1 +tomthorogood.net, 1 +tomthorogood.uk, 1 +tomticket.com, 1 +tomudding.nl, 1 +tomvanlaer.be, 1 +tomvannoppen.tk, 1 +tomvst.net, 1 +tomwassenberg.com, 1 +tomwassenberg.nl, 1 +tomwellington.design, 1 +tomwilson.io, 0 +tomwither.com, 1 +tomy.co.za, 1 +tomyork.net, 1 +tonabor.ru, 1 +tonage.de, 1 +tonarinoliusan.com, 1 +tonarinoliusan.net, 1 +tonasketwa.gov, 1 +tonaton.com, 1 +tonazo.tk, 1 +tonburi.jp, 0 +toncusters.nl, 1 +tondles.com, 1 +tone-town.com, 1 +toneelaccent.tk, 1 +tonegidoarchief.nl, 1 +tonemadison.com, 0 +toner24.at, 1 +toner24.co.uk, 1 +toner24.es, 1 +toner24.fr, 1 +toner24.it, 1 +toner24.nl, 1 +toner24.pl, 1 +tonerdepot.de, 1 +tonerjet.at, 1 +tonerjet.co.uk, 1 +tonerklick.de, 1 +tonerkurier.de, 1 +tonermaus.de, 1 +tonermonster.de, 1 +tonex.de, 1 +tonex.nl, 1 +tongkhothanhly.com, 1 +tongli.eu.org, 1 +tonguetechnology.com, 1 +toni-dis.ch, 0 +toniduarte.tk, 1 +tonies.com, 1 +tonifarres.net, 1 +tonifix.fi, 1 +tonight.de, 1 +tonik.tk, 1 +tonimorena.net, 1 +tonkawaok.gov, 1 +tonkayagran.ru, 1 +tonnycat.com, 1 +tono.us, 1 +tonorosario.tk, 1 +tonshaiza.tk, 1 +tonsil-stone.com, 1 +tonsillar-stones.com, 1 +tonsit.com, 1 +tonsit.org, 0 +tonton.cf, 1 +tontonan.gq, 1 +tontonnews.net, 1 +tontonroger.org, 1 +tony-foster.co.uk, 1 +tonyandskye.com, 1 +tonyarcieri.com, 1 +tonydaquin.com, 1 +tonyfanningphotography.co.uk, 1 +tonygallo.tk, 1 +tonyhagerlund.tk, 1 +tonykadleck.com, 1 +tonykarbo.tk, 1 +tonymanning.com, 1 +tonyonsecurity.com, 1 +tonysantos.tk, 1 +tonytan.cn, 1 +tonytan.io, 1 +tonytan.net, 1 +tonyw.xyz, 1 +tonywebster.com, 1 +too.com.ua, 1 +too.gy, 1 +tooadalsauda.kz, 1 +toob.fr, 1 +toobi.co.uk, 1 +toobug.net, 0 +tooelecity.gov, 1 +tooelecountyvotes.gov, 1 +toofab.com, 1 +tooij.com, 1 +tookan.tech, 1 +tookhan.tk, 1 +tool.lu, 1 +toolbox.ninja, 0 +toolboxsoftware.tk, 1 +toolecountysheriffmt.gov, 1 +toolineo.de, 1 +toolip.gr, 1 +toolkits.design, 1 +toolminer.com, 1 +toolroomrecords.com, 1 +tools-services.com.co, 1 +tools.pro, 1 +tools4me.win, 0 +toolsa.bg, 1 +toolsbit.com, 1 +toolsense.io, 1 +toolset.com, 1 +toolsforbiblestudy.com, 1 +toolspain.tk, 1 +toolsu.com, 1 +toolzone.cz, 1 +toom.io, 1 +toomanymallards.com, 1 +toomy.ddns.net, 1 +toomy.pri.ee, 1 +toon.at, 1 +toon.style, 1 +tooncastle.tk, 1 +toondah.com.au, 1 +toondahjobs.com.au, 1 +toondergroup.com, 1 +toonetcreation.com, 1 +toonict.nl, 1 +toonmate.tk, 1 +toonpool.com, 1 +toonsburgh.com, 1 +toontown.team, 1 +toontownrewritten.com, 1 +toool.nl, 1 +toool.nyc, 1 +toool.org, 1 +toopita.com, 1 +toopopular.ga, 1 +toot.community, 0 +toot.haus, 1 +tootbitco.ml, 1 +toothimplantsydney.com.au, 1 +toothless.tk, 1 +toothpique.tk, 1 +toothsearch.tk, 1 +tooti.biz, 1 +tootl.org, 1 +tootsi.edu.ee, 1 +tootsiewootsies4d.com, 1 +toowoombawebdesign.com.au, 1 +top-aanbiedingen.nl, 1 +top-avis.fr, 1 +top-azia.ru, 1 +top-b.net, 1 +top-beauty.cf, 1 +top-casinos.ru, 1 +top-credit.tk, 1 +top-dance.pl, 1 +top-drop.tk, 1 +top-frog.com, 1 +top-info.ga, 1 +top-koupelny.cz, 1 +top-kuwait.com, 1 +top-melody.ru, 1 +top-messenger.com, 1 +top-mining.tk, 1 +top-model.biz, 1 +top-obaly.cz, 1 +top-opakowania.pl, 1 +top-pansionaty.ru, 1 +top-rensner.de, 1 +top-rezepte.de, 1 +top-russian.tk, 1 +top-schools.tk, 1 +top-secret.tk, 1 +top-seminaire.com, 1 +top-service.ml, 1 +top-skins.ml, 1 +top-super-60.ag, 1 +top-super-60.biz, 1 +top-super-60.com, 1 +top-super-60.de, 1 +top-super-60.eu, 1 +top-super-60.info, 1 +top-super-60.net, 1 +top-super-60.org, 1 +top-verhandlungstraining.de, 1 +top-vlm.de, 1 +top-zdrave.bg, 1 +top-zentr.tk, 1 +top.ax, 1 +top1.com.vn, 0 +top10-casinosites.net, 1 +top10.tk, 1 +top100games.ml, 1 +top10antivirus.review, 1 +top10directory.tk, 1 +top10list.tk, 1 +top10llcformationsites.com, 1 +top10media.tk, 1 +top10mountainbikes.info, 1 +top1health.com, 1 +top4shop.de, 1 +top5melhorescursosdedrone.com, 1 +topa.tk, 1 +topagrar.com, 1 +topan.tk, 1 +topandtrending.com, 1 +topanimecharacters.com, 1 +topanlage.de, 1 +toparkinfo.hu, 1 +topas.tk, 1 +topaxi.codes, 0 +topbloc.com, 1 +topbookmarking.cf, 1 +topbouncycastles.co.uk, 1 +topbrasilnews.tk, 1 +topbrunchspots.com, 1 +topbuild.com, 1 +topbusiness.tk, 1 +topbusinesshero.com, 1 +topbusinessnews.today, 1 +topbussines.tk, 1 +topcameras.tk, 1 +topcarehvac.ca, 1 +topcash.co.il, 1 +topcasinobonus.nu, 1 +topchinasupplier.com, 1 +topciderska-crkva.rs, 1 +topclan.tk, 1 +topclassfun.ie, 1 +topcoffee.cf, 1 +topcompany.be, 1 +topcomputacion.com.ar, 1 +topconteudos.com.br, 1 +topconteudos.shop, 1 +topcover.cz, 1 +topdesignfirms.com, 1 +topdesk.net, 1 +topdetal.ru, 1 +topdetoxcleanse.com, 1 +topdoctors.co.uk, 1 +topdoctors.es, 1 +topdoctors.it, 1 +topdocumentaryfilms.com, 1 +topdogsinflatables.co.uk, 1 +topdomainsandhosting.com, 1 +topdosug.ml, 1 +topdroneusa.com, 1 +topeducationhelp.co, 1 +topekafoundationpros.com, 1 +topendcamphire.com.au, 1 +toperadigital.com, 1 +topesdegama.com, 1 +topeyechang.com.tw, 1 +topfd.net, 1 +topferta.com, 1 +topfinanzas.com, 1 +topfiremedia.com, 1 +topfivepercent.co.uk, 1 +topfood.club, 1 +topfreeporn.com, 1 +topgallant.gq, 1 +topgevelbekleding.nl, 1 +topgrading.com, 1 +topgshop.ru, 1 +toph.co, 1 +tophat.studio, 1 +tophatpuffin.com, 0 +tophighnorldiet.gq, 1 +tophomeappliancerepair.com, 1 +tophr.kz, 1 +topicalnet.de, 1 +topicdesk.com, 1 +topicit.net, 1 +topicpoint.tk, 1 +topicpulse.tk, 1 +topicv.com, 0 +topideipodarkov.ru, 1 +topitalianscientists.org, 1 +topjeans.ga, 1 +topjobs.ch, 1 +topknot.gq, 1 +topkorea.ml, 1 +toplevel.nl, 1 +topline.com.sa, 1 +toplink.co.il, 1 +toplist.cz, 1 +toplist.eu, 1 +toplist.sk, 1 +topliste.tk, 1 +toplistforum.tk, 1 +toplockshop.com, 1 +topluxitalia.com, 1 +topmachstudios.com, 1 +topmanitas.es, 1 +topmaxstore.com, 1 +topmba.com.au, 1 +topmmogames.org, 1 +topmoods.com, 1 +topmotoric.com, 1 +topmovie.gq, 1 +topmuzic.tk, 1 +topmuzika.cz, 1 +topmuzika.sk, 1 +topnado.tk, 1 +topnet.tk, 1 +topnews.gq, 1 +topnews333.cf, 1 +topnews333.tk, 1 +topnlist.com, 1 +topnoshgourmet.com, 1 +topnotchendings.com, 1 +topo.com.ro, 1 +topodin.com, 1 +topofart.com, 1 +topofertas.tk, 1 +topofficesupplies.tk, 1 +topofthefreegames.ml, 1 +topographic.tk, 1 +toponlinecasino.be, 1 +toponlinecasinosites.co.uk, 1 +toponlinemarketing.tk, 1 +topophile.net, 1 +topoptics.com.ua, 1 +topotom.tk, 1 +topporn.me, 1 +topppinfo.com, 1 +topprice.ua, 1 +topproductsanalysis.com, 1 +topprogaragedoor.com, 1 +toppsnfts.com, 1 +toppstugansundbyberg.se, 1 +topradiosbrasil.tk, 1 +toprci.com.br, 1 +topreit.ru, 1 +toprelatos.com, 1 +topsailbeachnc.gov, 1 +topsailtechnologies.com, 1 +topseo.gq, 1 +topservercccam.com, 1 +topservercccam.tv, 1 +topservers.ga, 1 +topsexik.cz, 1 +topshelf.tech, 0 +topshop.tk, 1 +topshoptools.com, 1 +topsights.org, 1 +topsmartdesign.com, 1 +topsnow.ru, 1 +topspace.tk, 1 +topspani.cz, 1 +topspin.tk, 1 +topsport.bg, 1 +topsteroidsonline.com, 1 +topstuffz.com, 1 +topsuper60.ag, 1 +topsuper60.biz, 1 +topsuper60.com, 1 +topsuper60.de, 1 +topsuper60.eu, 1 +topsuper60.info, 1 +topsuper60.net, 1 +topsuper60.org, 1 +topsvet.ru, 1 +toptapety.cz, 1 +toptec.net.br, 1 +toptechnews.cf, 1 +toptechnews.tk, 1 +topteen.tk, 1 +topten.com.co, 1 +toptexture.com, 1 +toptheto.com, 1 +toptiernetworks.tk, 1 +toptilebathrooms.co.nz, 1 +toptotosite.com, 1 +toptour.tk, 1 +toptracks.tk, 1 +toptranslation.com, 1 +toptravel.tk, 1 +toptravelgram.com, 1 +toptur.tk, 1 +topu.ro, 1 +topurls.tk, 1 +topvertimai.lt, 1 +topviet.ga, 1 +topvision.es, 1 +topvpn.pl, 1 +topwin.la, 1 +topwindowcleaners.co.uk, 1 +topwonders.tk, 1 +topworkplaces.com, 1 +topwowamazing.com, 1 +topwowdesign.com, 1 +topyachts-shop.com.ua, 1 +topyachts.com.ua, 1 +topzarabotok.ml, 1 +toquechic.com, 1 +tor.taxi, 1 +tor2web.org, 1 +tor4.cf, 1 +torahanytime.com, 0 +toranjchap.com, 1 +torb.com, 1 +torba.tk, 1 +torbay.ga, 1 +torbay.tk, 1 +torbayrise.co.uk, 1 +torbe.es, 1 +torch-fan.site, 1 +torchbankz.com, 1 +torchbearer.tk, 1 +torchmc.ru, 1 +tordenskjold.de, 1 +tordo.net, 1 +toreni.us, 1 +toretfaction.net, 1 +torfbahn.de, 1 +torg-room.ru, 1 +torgoborud.tk, 1 +torgopt.tk, 1 +torgovaya.tk, 1 +toricafe.com, 1 +torigaoka-dc.com, 1 +toriko-official.ml, 1 +torino.fi, 1 +torinotoday.it, 1 +torisamaahirusama.com, 1 +tork.news, 1 +torkel.se, 1 +torlock.com, 1 +torlock2.com, 1 +tormentedradio.com, 0 +tormentgame.com, 1 +tormox.ml, 1 +tornadica.by, 1 +tornado-map.de, 1 +tornadoarchiv.ml, 1 +tornadoautos.com, 1 +tornadodetector.ga, 1 +torngalaxy.com, 1 +tornyosbbq.hu, 1 +torocatala.tk, 1 +toroguapo.com, 1 +torondor.tk, 1 +toronto-escorts.com, 1 +torontoaccesscontrol.com, 1 +torontocorporatelimo.services, 1 +torontogid.cf, 1 +torontohealthcare.tk, 1 +torontolife.com, 1 +torontonews.tk, 1 +torontopostcardclub.com, 1 +torontopowerwalkers.ca, 1 +torontoscrapcarremoval.ca, 1 +torontotransit.tk, 1 +toropova.tk, 1 +toros2.com, 1 +torotoro.co.nz, 1 +torproject.org, 0 +torproject.ovh, 1 +torprojects.com, 1 +torquato.de, 0 +torquayhbc.co.uk, 1 +torquemada.tk, 1 +torrance.gq, 1 +torrba.tk, 1 +torrecilladelaabadesa.tk, 1 +torreconta.pt, 1 +torrededonmiguel.tk, 1 +torrelorenzo.com, 1 +torremarsalou.com, 1 +torrent.fedoraproject.org, 1 +torrent.is, 1 +torrent.tm, 1 +torrentbd.com, 1 +torrentbd.me, 1 +torrentbd.net, 1 +torrentdb.tk, 1 +torrentdownload.gq, 1 +torrentfunk.com, 1 +torrentfunk2.com, 1 +torrentgalaxy.mx, 1 +torrentgalaxy.su, 1 +torrentgalaxy.to, 1 +torrenttop100.net, 1 +torrentz2.al, 1 +torrero.tk, 1 +torresdealbanchez.tk, 1 +torresjaen.tk, 1 +torresshop.es, 0 +torretzalam.com, 1 +torsdammen.se, 1 +torservers.net, 0 +torsten-schmitz.net, 1 +torsten-werner.info, 1 +torstens-buecherecke.de, 1 +torstensenf.de, 1 +torstenzimmermann.com, 1 +tortak.ml, 1 +torte.roma.it, 1 +torticollisexplained.com, 1 +tortikvam.ru, 1 +tortillas-duras.cf, 1 +tortillas-duras.ga, 1 +tortillas-duras.gq, 1 +tortillas-duras.ml, 1 +tortimes.com, 1 +tortocan.com, 1 +tortoises-turtles.com, 1 +tortuga.ga, 1 +tortugan.com.br, 1 +torwart-jugend.de, 1 +tosainu.com.br, 1 +tosatopsicologabologna.com, 1 +tosbourn.com, 1 +toscanaeconomy.it, 1 +toschool.com.br, 1 +toshen.com, 1 +toshicar.com, 1 +toshik.tk, 1 +toshiroz.com, 1 +toshkov.com, 1 +toshl.com, 1 +toskavista.de, 1 +tosolini.info, 1 +tosostav.cz, 1 +tosshi-life.com, 1 +tossitaway.tk, 1 +tosteberg.se, 0 +tot.money, 1 +totaku.ru, 0 +total-chaos.tk, 1 +total-deco.eu, 1 +total-destruction.tk, 1 +total-electric.com, 1 +total-privacy.tk, 1 +total-security.tk, 1 +totalabogados.cl, 1 +totalaccessnicaragua.co, 1 +totalbike.com.br, 1 +totalbyverizon.com, 1 +totalcarcheck.co.uk, 1 +totalcare.co.nz, 1 +totalcarpetcare.co.uk, 1 +totalchecklist.com, 1 +totalcontrols.eu, 1 +totalemaildelivery.com, 1 +totalenergies.ca, 1 +totalenergies.com, 1 +totalenergies.de, 1 +totalenergies.do, 1 +totalengineering.club, 1 +totalenterprise.pl, 1 +totalexpert.net, 1 +totalfitnessandmassage.com.au, 1 +totalforcegym.com, 1 +totalfoundationpros.com, 1 +totalhost.gq, 1 +totalinfo.in, 1 +totalintegratedtherapy.com, 1 +totalityservices.co.uk, 1 +totalleedee.com, 1 +totally-dakota.tk, 1 +totallyjessica.tk, 1 +totallylegitimatehosting.ru, 1 +totallynotaserver.com, 1 +totallyrace.tk, 1 +totallystocks.ga, 1 +totalmdplan.com, 1 +totalmerchandise.co.uk, 1 +totalmerda.tk, 1 +totalnormal.tk, 1 +totalofficeclean.co.uk, 1 +totalpackers.com, 1 +totalparts.com.au, 1 +totalsport-bg.com, 1 +totaltriathlon.com, 1 +totalwebmedia.nl, 1 +totalwebpartners.com, 1 +totalzen.ga, 1 +totch.de, 1 +tote.co.uk, 1 +totemgames.tk, 1 +tothetopmentoring.com, 1 +totheweb.com, 1 +totlan.tk, 1 +totnastic.tk, 1 +toto-realestate.com, 1 +totobetty.com, 1 +totodil.es, 1 +totolabs.com, 1 +totolink.tw, 1 +totora.tk, 1 +totsglobal.com, 1 +totstitles.com, 1 +tottoya.com, 1 +totuus.sk, 1 +totvs.com, 1 +toubkalrando.com, 1 +toucan-informatique.fr, 1 +touch-up-net.com, 1 +touch.facebook.com, 0 +touch.mail.ru, 1 +touch2ship.com, 1 +touchable.gq, 1 +touchanddraw.tk, 1 +touchbasesm2.ca, 1 +touchboobs.ml, 1 +touchdown.co, 1 +touchfoundation.org, 1 +touchfromtheheartmassagetherapyandreflexology.com, 1 +touchingwetpaint.com, 1 +touchka.ga, 1 +touchmark.tk, 1 +touchmekissmee.com, 1 +touchofjapan.com, 1 +touchoflife.in, 1 +touchscreentills.com, 1 +touchspeak.nl, 0 +touchtable.nl, 1 +touchweb.be, 1 +touchweb.ch, 1 +touchweb.fr, 1 +tough-construction.com, 1 +toughcodes.com, 1 +touhidur.ru.com, 1 +touhidur.sa.com, 1 +touhidur.studio, 1 +touhidur.tk, 1 +touhidur.xyz, 1 +touhidur.za.com, 1 +touhidurrr.me, 1 +touhou.ac.cn, 0 +touhou.cc, 1 +touhou.tw, 1 +touhouwiki.net, 1 +toujour.top, 1 +toulis.net, 1 +toulouscope.fr, 1 +toulouselautrec.com.br, 1 +toumeitech.com, 1 +toupcreative.com, 1 +touquet-volley.com, 1 +tour-de-franz.bike, 1 +tour-japan.ml, 1 +tour-vietnam.tk, 1 +touray-enterprise.ch, 1 +tourbryansk.tk, 1 +tourcienaga.tk, 1 +tourdatenarchiv.de, 1 +tourdewestwoud.nl, 1 +tourfunnels.com, 1 +tourgest.net, 1 +touringinmorocco.com, 1 +tourism-exegetai.tk, 1 +tourisme-castillonpujols.fr, 1 +tourisme-dordogne-paysfoyen.com, 1 +tourisme-fronsadais.com, 1 +tourismpskov.tk, 1 +tourismtrain.tk, 1 +touristanalyst.ga, 1 +touristmaker.com, 1 +touristsense.com, 1 +tourmalineskincare.com, 1 +tourmaster.com, 1 +tournamentmgr.com, 1 +tournaments.tk, 1 +tournation.info, 1 +touroogle.com, 1 +tours-in-petersburg.tk, 1 +toursaindia.com, 1 +toursandtransfers.it, 0 +tourshopfresno.com, 1 +toursmontessori.com, 1 +tourteller.com, 1 +tourtransferitaly.it, 1 +tourtrektrip.com, 1 +tourweekend.tk, 1 +tourx.co.nz, 1 +tous-travaux.ch, 0 +tousei.tokyo.jp, 1 +toushi-return.xyz, 1 +toushi-shakkin.com, 1 +touslesdrivers.com, 1 +touslesforums.tk, 1 +tout-a-fait.fr, 1 +tout-art.ch, 1 +toutankamon.tk, 1 +toutart.ch, 1 +toutenmusic.fr, 1 +toutmonexam.fr, 1 +toutvendre.be, 1 +toutvendre.ch, 1 +toutvendre.cm, 1 +toutvendre.es, 1 +toutvendre.fr, 1 +toutvendre.lu, 1 +toutvendre.pics, 1 +toutvendre.uk, 1 +toutvendre.us, 1 +touwhalster.tk, 1 +touyatakenaka.tk, 1 +tovaglioli-di-carta.it, 1 +tovanot.biz, 1 +tovare.com, 1 +tovari-rukodeliya.tk, 1 +tovarypochtoj.tk, 1 +toverland-tickets.nl, 1 +tovp.org, 0 +towardsthecloud.com, 1 +towaway.ru, 1 +towellconstruction.ca, 1 +tower.land, 1 +towerdefen.se, 1 +towerdefence.tk, 1 +towerloan.com, 1 +towers-kolomna.tk, 1 +towersstreet.com, 1 +towessi.tk, 1 +town-night.jp, 1 +townforge.net, 1 +townfremontwi.gov, 1 +townhomeproperties.com, 1 +townhouseregister.com.au, 1 +townifi.ga, 1 +townithacany.gov, 1 +townlaretsota.gq, 1 +townnews.com, 1 +townoconomowoc-wi.gov, 1 +townofadamsgreencountywi.gov, 1 +townofadamsjacksoncowi.gov, 1 +townofadamswi.gov, 1 +townofavonwi.gov, 1 +townofbalsamlakewi.gov, 1 +townofbarneswi.gov, 1 +townofbayfieldwi.gov, 1 +townofbeavermarinettewi.gov, 1 +townofbeecherwi.gov, 1 +townofbelgiumwi.gov, 1 +townofbeloitwi.gov, 1 +townofbrazeauwi.gov, 1 +townofbridgewater.ca, 1 +townofbrillionwi.gov, 1 +townofbrinybreezes-fl.gov, 1 +townofbrooklynwi.gov, 1 +townofbrookwoodal.gov, 1 +townofbrothertownwi.gov, 1 +townofbrunswickwi.gov, 1 +townofbutlerwi.gov, 1 +townofbyronwi.gov, 1 +townofcadizwi.gov, 1 +townofcaledoniacolumbiawi.gov, 1 +townofcampbellwi.gov, 1 +townofcanandaigua.gov, 1 +townofcantonct.gov, 1 +townofcaponbridgewv.gov, 1 +townofcarthagetn.gov, 1 +townofcedarburgwi.gov, 1 +townofchenangony.gov, 1 +townofcherrycreekny.gov, 1 +townofchesterwi.gov, 1 +townofclarnowi.gov, 1 +townofclaytonny.gov, 1 +townofclearfieldwi.gov, 1 +townofclearlakewi.gov, 1 +townofclevelandnc.gov, 1 +townofclymanwi.gov, 1 +townofcohoctonny.gov, 1 +townofcoldspringny.gov, 1 +townofcooperstownwi.gov, 1 +townofcranmoor.gov, 1 +townofdaltonnh.gov, 1 +townofdane.gov, 1 +townofdecaturwi.gov, 1 +townofdepositny.gov, 1 +townofdewhurstwi.gov, 1 +townofdexterwi.gov, 1 +townofdrammen-wi.gov, 1 +townofdraperwi.gov, 1 +townofdrummondmt.gov, 1 +townofdunbarwi.gov, 1 +townofeaugallewi.gov, 1 +townofedenwi.gov, 1 +townofemmetwi.gov, 1 +townofevansny.gov, 1 +townofexcelsiorwi.gov, 1 +townoffairfieldwi.gov, 1 +townoffonddulacwi.gov, 1 +townofforestvernonwi.gov, 1 +townofgalewi.gov, 1 +townofgardenvalleywi.gov, 1 +townofgardnerwi.gov, 1 +townofgermantownwi.gov, 1 +townofgibsonwi.gov, 1 +townofgoldenmeadow-la.gov, 1 +townofgoreok.gov, 1 +townofgraftonwi.gov, 1 +townofgrantsburgwi.gov, 1 +townofgrantshawanowi.gov, 1 +townofgreengrovewi.gov, 1 +townofgreenlake.gov, 1 +townofhamburgny.gov, 1 +townofhamiltonny.gov, 1 +townofharrisonmcwi.gov, 1 +townofhartfordwi.gov, 1 +townofherman-wi.gov, 1 +townofhollandwi.gov, 1 +townofhulbertok.gov, 1 +townofhumeny.gov, 1 +townofhustisford.gov, 1 +townofjacksonadamswi.gov, 1 +townofjacksonwi.gov, 1 +townofjanesvillewi.gov, 1 +townofjohnsonwi.gov, 1 +townofjohnstonsc.gov, 1 +townofjordanwi.gov, 1 +townofkewaskumwi.gov, 1 +townofkeystonewi.gov, 1 +townoflagrangemcwi.gov, 1 +townoflakecityco.gov, 1 +townoflakemarinettewi.gov, 1 +townoflakeviewor.gov, 1 +townoflamartinewi.gov, 1 +townoflandisnc.gov, 1 +townoflebanonny.gov, 1 +townoflebanonwi.gov, 1 +townoflemonweirwi.gov, 1 +townoflenrootwi.gov, 1 +townofleonmocowi.gov, 1 +townofleroywi.gov, 1 +townoflibertyocwi.gov, 1 +townoflincolnforestwi.gov, 1 +townoflindenwi.gov, 1 +townoflomira.gov, 1 +townoflucas-wi.gov, 1 +townofluskwy.gov, 1 +townoflyndonwi.gov, 1 +townoflynneoneidactywi.gov, 1 +townofmackfordwi.gov, 1 +townofmarionwausharawi.gov, 1 +townofmarshfieldwi.gov, 1 +townofmecanwi.gov, 1 +townofmentorwi.gov, 1 +townofmerrillwi.gov, 1 +townofmertonwi.gov, 1 +townofmiltonwi.gov, 1 +townofmineral.net, 1 +townofminocqua.gov, 1 +townofmontereytn.gov, 1 +townofmosineewi.gov, 1 +townofmtpleasantwi.gov, 1 +townofnasewaupeewi.gov, 1 +townofnecedahwi.gov, 1 +townofneenahwi.gov, 1 +townofnevawi.gov, 1 +townofnewdenmarkwi.gov, 1 +townofnewglaruswi.gov, 1 +townofnewhavendunnwi.gov, 1 +townofnewpaltzny.gov, 1 +townofnilesny.gov, 1 +townofnorwaywi.gov, 1 +townofnorwichny.gov, 1 +townofomro.gov, 1 +townofonalaskawi.gov, 1 +townofonondaga.gov, 1 +townoforegonwi.gov, 1 +townofpolk-wi.gov, 1 +townofpoygan.gov, 1 +townofprincessannemd.gov, 1 +townofpulaskiwi.gov, 1 +townofredriverwis.gov, 1 +townofreseburgwi.gov, 1 +townofriblakewi.gov, 1 +townofrichfordwi.gov, 1 +townofrichlandwi.gov, 1 +townofrichmond-walworthwi.gov, 1 +townofrichmondwi.gov, 1 +townofrockwi.gov, 1 +townofrudolphwi.gov, 1 +townofrussellwi.gov, 1 +townofruthnc.gov, 1 +townofrutlandwi.gov, 1 +townofsalemny.gov, 1 +townofsananselmoca.gov, 1 +townofsandcreekwi.gov, 1 +townofsasserga.gov, 1 +townofscottbrownwi.gov, 1 +townofscottsheboyganwi.gov, 1 +townofsenecawoodcowi.gov, 1 +townofsevastopolwi.gov, 1 +townofsheboyganfallswi.gov, 1 +townofsheboyganwi.gov, 1 +townofsidneyny.gov, 1 +townofsigelwoodwi.gov, 1 +townofspiderlakewi.gov, 1 +townofstanley-wi.gov, 1 +townofstarmandny.gov, 1 +townofstockbridge.gov, 1 +townofsturgeonbay-wi.gov, 1 +townofsumrallms.gov, 1 +townofsweetwater.com, 1 +townofsylvesterwi.gov, 1 +townoftaycheedahwi.gov, 1 +townoftheresawi.gov, 1 +townofthomsonmn.gov, 1 +townofthorpwi.gov, 1 +townofthreelakeswi.gov, 1 +townoftroupsburgny.gov, 1 +townofturtlewi.gov, 1 +townofulyssesny.gov, 1 +townofuniondoorwi.gov, 1 +townofuticawi.gov, 1 +townofvarnamtown.gov, 1 +townofvermontwi.gov, 1 +townofveteranny.gov, 1 +townofvinlandwi.gov, 1 +townofwalworthwi.gov, 1 +townofwarrensccwi.gov, 1 +townofwatertownwi.gov, 1 +townofwausaukeewi.gov, 1 +townofwautomawi.gov, 1 +townofwendellnc.gov, 1 +townofwescott-wi.gov, 1 +townofwestfieldsaukwi.gov, 1 +townofwestfordwi.gov, 1 +townofwestportin.gov, 1 +townofweyauwega-wi.gov, 1 +townofwhitewaterwi.gov, 1 +townofwinfieldwi.gov, 1 +townofwinneconne.gov, 1 +townofwittenbergwi.gov, 1 +townofwoodruffwi.gov, 1 +townofwoodvillewi.gov, 1 +townofwordenwi.gov, 1 +townofwrightstownwi.gov, 1 +townofwyomingwi.gov, 1 +townresults.ga, 1 +townshendvt.gov, 1 +townshipofthenorthshore.ca, 1 +townswalker.com, 1 +towolabs.com, 1 +towsonpediatrics.com, 1 +towywebdesigns.uk, 1 +towzone.co.uk, 1 +tox21.gov, 1 +toxicboot.com, 1 +toxicip.com, 1 +toycu.de, 1 +toyduck.ga, 1 +toyfight.co, 0 +toymania.de, 1 +toymarket.tk, 1 +toyonut.co.jp, 0 +toyopac.com, 1 +toyota-kinenkan.com, 1 +toyota.com.sg, 1 +toyotaconnected.co.th, 1 +toyotapartsdeal.com, 1 +toyotapartsprime.com, 1 +toyotasp.ru, 1 +toyouiv.net, 1 +toyouiv.org, 1 +toys-robots.cf, 1 +toys4education.com.au, 1 +toyscenter.it, 1 +toyschina.cf, 1 +toysearcher.ml, 1 +toyshowappeal.ie, 1 +toyshowthemusical.co.uk, 1 +toyshowthemusical.com, 1 +toyshowthemusical.ie, 1 +toysperiod.com, 1 +toysplace.ml, 1 +toystory3.ga, 1 +toyventure.ga, 1 +tozdev.com, 1 +tp-events.co.uk, 1 +tp-genie.com, 1 +tp-properties.co.uk, 1 +tp-shipping.co.uk, 1 +tp-technology.co.uk, 1 +tpa.or.th, 1 +tpala-pg.fr, 1 +tpark.jp, 1 +tpbseries.com, 1 +tpcbf.cn, 1 +tpccf.cn, 1 +tpcff.cn, 1 +tpchan.info, 1 +tpci.biz, 1 +tpcof.cn, 1 +tpcrestorationllc.com, 1 +tpdaniel.fr, 1 +tpedu.eu, 1 +tpedu.hk, 1 +tpedu.nl, 1 +tpeducation.cn, 1 +tpetrov.com, 1 +tpf.hk, 1 +tpgozd.si, 1 +tpiada.tk, 1 +tpk-parma.ru, 1 +tpk.quest, 1 +tplak.com, 1 +tpldevsg-mythiess-dev.azurewebsites.net, 1 +tplive.io, 1 +tplprodsg-mythiess.azurewebsites.net, 1 +tpltestsg-mythiess-test.azurewebsites.net, 1 +tpolemis.com, 1 +tpp-tpc.ga, 1 +tppleague.me, 0 +tpr.hk, 1 +tpress.tk, 1 +tprk.pl, 1 +tpro.rocks, 1 +tproger.ru, 1 +tpu-ltd.co.uk, 1 +tpu.gay, 1 +tpue.de, 1 +tpx.com, 1 +tqaclark.com, 1 +tqdev.com, 0 +tqdn.cn, 1 +tql.plus, 1 +tqnx.link, 0 +tqsintegration.com, 1 +tr.search.yahoo.com, 0 +tr0n.net, 1 +tr3fit.xyz, 1 +tra-tra.be, 1 +traas.org, 1 +trabaja.xyz, 1 +trabajadormigrante.gov, 1 +trabajaenvitamina.cl, 1 +trabajarytrabajar.com, 1 +trabajoenmx.com, 0 +trabajoreal.com, 1 +trabajouniversitario.tk, 1 +trabalance.com, 1 +trabbel.org, 1 +trabia.com, 1 +traccxs.com, 1 +trace.best, 1 +trace.guru, 1 +trace.moe, 1 +trace2race.com, 1 +tracebit.com, 1 +traceflix.com, 1 +tracefy.com, 1 +traceheatinguk.co.uk, 1 +tracelight.io, 0 +tracer.gg, 1 +tracercdn.com, 1 +traceroute.guru, 1 +traceroute.link, 1 +traceroute.network, 1 +tracery.jp, 1 +tracesteps.ga, 1 +tracetracker.com, 1 +tracetracker.no, 1 +traceur-france.fr, 1 +traceyjsvorusphd.com, 1 +tracinsurance.com, 1 +track.plus, 1 +trackadblock.com, 1 +trackballs.gq, 1 +trackchair.com, 1 +trackdays4fun.com, 1 +trackee.link, 1 +tracker-knigi.gq, 1 +tracker.com.ar, 1 +trackerx.ga, 1 +trackeye.dk, 1 +trackfocusdirect.com, 1 +trackify.tk, 1 +trackimo.ca, 1 +tracking-app.tk, 1 +tracking.best, 1 +trackingencomendas.com, 1 +trackinsight.com, 1 +tracklist4u.com, 1 +tracknetsports.com, 1 +trackntack.com, 1 +trackrecord.net, 1 +trackshun.tk, 1 +trackulo.us, 1 +trackyourlogs.com, 1 +tractariauto.tk, 1 +tractarimvbcluj.ro, 1 +tractive.com, 1 +tractor-pulling.fr, 1 +tractor-pulling.tk, 1 +tractorfan.nl, 1 +tractorpumps.com, 1 +tracxn.com, 1 +tracyhaze.net, 1 +tracyrobbinsking.com, 1 +trad-n-vo.com, 1 +trade-arcade.com, 1 +trade-bot.cf, 1 +trade-foods.com, 1 +trade-platform.tk, 1 +trade.gd, 1 +trade.gov, 1 +trade.mn, 1 +trade247.exchange, 1 +trade360solutions.com, 1 +tradeandindustrydev.com, 1 +tradebot.cf, 1 +tradebotcompany.ml, 1 +tradebuilders.com.au, 1 +tradebull.co.in, 0 +tradedesk.co.za, 1 +tradedigital.co, 1 +tradeeasy.com, 1 +tradees.com, 1 +tradefxp.com, 1 +tradeinvent.co.uk, 1 +tradeline.vn, 1 +tradelink.cf, 1 +trademarkregistration-coimbatore.com, 1 +trademen.ga, 1 +trademotion.com, 1 +tradeonfx.com, 1 +tradepass.ru, 1 +tradeplotter.com, 1 +traderfox.de, 1 +traderinside.ga, 1 +traderlion.com, 1 +traderpen.com, 1 +tradersclub.com.br, 1 +tradersport.tk, 1 +tradersrank.ga, 1 +tradesafe.co.za, 1 +tradesecretslaw.com, 1 +tradeshift.com, 1 +tradeshowfreightservices.com, 1 +tradesrenovations.ca, 1 +tradet.fi, 1 +tradeview.eu, 1 +tradewithestonia.com, 0 +tradezlist.tk, 1 +tradgardsmart.se, 1 +tradie.com, 1 +tradik.com, 1 +tradinews.com, 1 +tradinews.fr, 1 +trading-academy.cf, 1 +trading-ea.pt, 1 +tradingdeer.io, 1 +tradingfacile.eu, 1 +tradinghelper.be, 1 +tradingtag.ga, 1 +tradingview.com, 1 +tradition-immobilier.com, 1 +tradition.ch, 1 +tradition.com, 1 +traditional.kz, 1 +traditions.nl, 1 +traditionskapperscollege.nl, 1 +traditionsvivantesenimages.ch, 1 +tradreams.com, 1 +tradu.com, 1 +tradymoney.com, 1 +traegerbox.com, 0 +traegergrills.com, 1 +traf-bonus.tk, 1 +trafarm.ro, 1 +traffic.az, 1 +trafficdirection.tk, 1 +trafficgazelles.com, 0 +trafficgenerator.ga, 1 +trafficjunky.com, 1 +trafficmanager.com, 1 +trafficmanager.ltd, 1 +trafficmanager.xxx, 1 +trafficmgr.net, 1 +trafficpixel.tk, 0 +trafficsafetymarketing.gov, 1 +trafficsale.cf, 1 +traffixdevices.com, 1 +trafic-wap.tk, 1 +traficmusik.net, 1 +trafik.tk, 1 +trafiken.nu, 1 +trafplus.tk, 1 +tragamin.ca, 1 +tragamonedas-gratis.biz, 1 +tragaver.ga, 1 +traghetti.tk, 1 +tragicallytrumped.com, 1 +tragicempire.tk, 1 +tragmi.ch, 1 +traha.org, 1 +trahnisoseda.tk, 1 +trail-alps.ch, 1 +trail-alps.com, 1 +trail.pink, 1 +trailblazercommunitygroups.com, 1 +trailblazers.tk, 1 +trailcloud.ink, 1 +trailerparty.com, 1 +trailforks.com, 1 +trailrider.tk, 1 +trailrighttraining.com, 1 +trailrunbern.ch, 1 +trails-end.com, 1 +trainable.cf, 1 +trainbusferry.com, 1 +traineeshipplaza.nl, 1 +trainex.org, 1 +trainhornforums.com, 0 +trainiac.com.au, 1 +trainingcentral.cf, 1 +trainingcourt.com, 1 +trainingfitstudio.fr, 1 +trainingflow.com, 1 +traininghamburg.de, 1 +traininglife.org, 1 +trainingminds.nl, 1 +trainingproviderresults.gov, 1 +trainings-handschuhe-test.de, 1 +trainingsalicante.tk, 1 +trainingscatalogus.nl, 1 +trainingsecke.de, 1 +trainingstore.fish, 1 +trainingswiese.at, 1 +trainline.io, 1 +trainmagazine.be, 1 +trainmagazine.de, 1 +trainmagazine.nl, 1 +trainme.nl, 1 +trainoclock.com, 1 +trainplaza.be, 1 +trainplaza.net, 1 +trainplaza.nl, 1 +trains.sexy, 1 +trainsgoodplanesbad.com, 0 +trainsnmore.tv, 1 +traintimes.be, 1 +traintimes.ch, 1 +traintimes.dk, 1 +traintimes.fi, 1 +traintimes.lu, 1 +traintimes.nl, 1 +traintimes.se, 1 +traintoday.ca, 1 +traintowin.tv, 1 +trainwiki.tk, 1 +trainyourtribe.com.au, 1 +traista.ru, 1 +traitement-arthrose.fr, 1 +traitement-punaise.paris, 1 +traiteur-laporte.fr, 1 +traiteurpapillonevents.be, 1 +trajectfoto.nl, 1 +trajectvideo.nl, 1 +trakid.com, 1 +trakkr.tk, 0 +trakmd.com, 1 +trakteershop.tk, 1 +trakteren.tk, 1 +traktor-troubadour.tk, 1 +tralalashow.tk, 1 +tralios.de, 1 +tramadol.ga, 1 +tramadolhcl.ga, 1 +tramclub-basel.ch, 1 +tramikshop.ml, 1 +tramitelegal.com.ar, 1 +tramplin.tk, 1 +tramway.org, 1 +tran.pw, 1 +trance-heal.com, 1 +trance-heal.de, 1 +trance-heal.me, 1 +trance-nation.tk, 1 +trance-zone.tk, 1 +tranceheal.com, 1 +tranceheal.me, 1 +trancehost.com, 1 +trancendances.fr, 1 +tranceparadise.tk, 1 +tranceptortechnology.com, 1 +tranche2aml.com, 1 +trandanhland.com, 1 +trangcongnghe.com, 1 +trangthienlong.com.vn, 1 +tranhlavender.com, 1 +tranhmonalisa.vn, 1 +tranhvenus.com, 1 +tranmerelectric.com, 1 +trannysurprise.com, 1 +tranquilidade.ao, 1 +tranquillity.se, 1 +tranquillum.tk, 1 +tranquiloweb.com, 1 +trans-aliyans.tk, 1 +trans.eu, 1 +transacid.de, 0 +transact-online.co.uk, 1 +transactpaymentsltd.com, 1 +transaminasas.com, 1 +transangels.com, 1 +transangelsnetwork.com, 1 +transangelspremium.com, 1 +transanglo.pl, 1 +transappealrights.com, 1 +transav.ru, 1 +transbella.com, 1 +transcend.org, 1 +transcendmotor.sg, 1 +transcendretirement.net, 1 +transco.com.tr, 1 +transcoalition.net, 1 +transcontrol.com.ua, 1 +transcricentro.pt, 1 +transdev.blog, 1 +transdevbus.co.uk, 1 +transdyne.com, 1 +transes.com.tr, 1 +transfair.sh, 1 +transfer-sheregesh.com, 1 +transfer-v-sheregesh.ru, 1 +transfer-vsheregesh.ru, 1 +transfer.pw, 1 +transfera-sheregesh.ru, 1 +transferagent.co, 1 +transferbags.com, 1 +transferistan.com, 1 +transfermate.com, 1 +transfero-sheregesh.ru, 1 +transfers-sheregesh.ru, 1 +transferserver.at, 1 +transferwiseturkiye.com.tr, 1 +transfery-sheregesh.ru, 1 +transfigurewizard.com, 1 +transforleren.nl, 1 +transformaniatime.com, 1 +transformation.gouv.fr, 1 +transformersmmdb.tk, 1 +transformyourmarketing.com, 1 +transforumation.com, 1 +transfurrmation.town, 1 +transgaz.ro, 1 +transgendergedenkdag.nl, 1 +transgenderinfo.nl, 1 +transgendernetwerk.nl, 1 +transgendernetwerk.org, 1 +transglobelogistiques.com, 1 +transharder.com, 1 +transhumanism.co.uk, 1 +transhumanism.org, 1 +transhumanist.co.uk, 1 +transhumanist.com, 1 +transhumanist.net, 1 +transhumanist.org, 1 +transhumanist.uk, 0 +transinbeeld.nl, 1 +transit.my.id, 1 +transitables.tk, 1 +transitllc.ru, 1 +transito.tk, 1 +transitownplaza.com, 1 +transitpoint.us, 1 +translate-polish.com, 1 +translate.googleapis.com, 1 +translatedict.com, 1 +translation-services.ga, 1 +translation.ca, 1 +translationge.com, 1 +translations.com, 1 +translationsfirm.tk, 1 +translationsnz.com, 1 +translatorall.tk, 1 +translatorglobal.tk, 1 +translatoruk.co.uk, 0 +translink.com.au, 1 +translit-net.tk, 1 +translit.ga, 1 +translit.ru, 1 +transmarttouring.com, 1 +transmitit.pl, 1 +transmitrecordings.com, 1 +transmoni.vn, 1 +transmutatie.nl, 1 +transnexus.com, 1 +transon.tk, 1 +transpak-cn.com, 1 +transparency.cf, 1 +transparencyinadmissions.org, 1 +transparencynj.com, 1 +transparent.cf, 1 +transparentpng.com, 1 +transperfect.com, 1 +transport-gura-portitei.com, 1 +transport-gura-portitei.contact, 1 +transport.ninja, 1 +transporta.it, 1 +transportdebateauxmp.ca, 1 +transporterlock.com, 0 +transporteselsol.com, 0 +transportesvarelacr.com, 1 +transportnews.tk, 1 +transsensual.com, 1 +transsensualnetwork.com, 1 +transservice.net.ua, 1 +transsexualpantyhose.com, 1 +transsrit.tk, 1 +transtaboo.com, 1 +transtema-ru.net, 1 +transtrack.net, 1 +transtur.tk, 1 +transumption.com, 1 +transvault.com, 1 +transwank.com, 1 +transwestern.com, 1 +transwestern.net, 1 +trantrongtri.info, 1 +tranvia.info, 1 +tranzact.net, 1 +tranzron.ga, 1 +trapay.net, 1 +trapcall.com, 1 +trapichelaesperanza.com, 1 +trapkitchen.ml, 1 +trappednerve.org, 1 +trappersoutfitters.tk, 1 +traproulette.com, 1 +trapsdirect.com, 1 +trapsexy.com, 1 +trapsexy.net, 1 +trapsexy.org, 1 +trapz.xyz, 1 +trarch.com, 1 +trasandino.tk, 1 +trasatsatelital.com.ar, 1 +trash2treasurecreations.co.za, 1 +trashcanheroes.tk, 1 +trashcraft.tk, 1 +trashexpert.ru, 1 +trashmail.com, 1 +trashnothing.com, 1 +trashpanda.website, 1 +trashwagon.club, 1 +trashy-gypsy.com, 1 +trashygypsy.com, 1 +trashylingerie.ga, 1 +traslocare.roma.it, 1 +traslocatore.roma.it, 1 +traslochi-trasporti-facchinaggio.it, 1 +traslochi.napoli.it, 1 +traslochiinternazionali.it, 1 +trasloco.milano.it, 1 +trasloedil.it, 1 +trasportatori.it, 1 +trasportoambulanzaprivata.it, 1 +trastornoevitacion.com, 1 +trastornolimite.com, 1 +tratamentoparacelulite.net, 1 +tratt.net, 1 +trattamenti.biz, 1 +trattamento-cotto.it, 1 +trattamentocotto.roma.it, 1 +trauerbegleitung-kudla.de, 1 +trauertexte.info, 1 +traumaberatung-lindner.de, 1 +traumahealing.com, 1 +traumahealingaccelerated.com, 1 +traumarecoverysupport.com, 1 +traumfaenger.tk, 1 +traumobjekte.com, 1 +traumobjekte.info, 1 +traumschwingen.de, 1 +traumtrauringe.de, 1 +traut.cloud, 1 +travador.com, 1 +trave.africa, 1 +travel-and-cache.de, 0 +travel-cube.ml, 1 +travel-dealz.de, 1 +travel-rus-club.tk, 1 +travel-to-cuba.tk, 1 +travel-to-morocco-tours.com, 1 +travel-trek.tk, 1 +travel101.tk, 1 +travel2macedonia.com, 1 +travel2macedonia.com.mk, 1 +travel2macedonia.mk, 1 +travel2next.com, 1 +travel2you.ru, 1 +travel365.it, 1 +travel4history.nl, 1 +travel4news.at, 0 +traveladdiction.tk, 1 +traveladventure.ml, 1 +travelairtravel.com, 1 +travelamm.com, 1 +travelanchor.ga, 1 +travelandtourism.tk, 1 +travelarmenia.org, 1 +travelaround.tk, 1 +travelassist.us.com, 1 +travelastscom.ga, 1 +travelback.ga, 1 +travelbangladesh.ga, 1 +travelbiz.cf, 1 +travelbiz.ga, 1 +travelbiz.gq, 1 +travelbuddiesperu.com, 1 +travelbunny.ga, 1 +travelcellar.ga, 1 +travelcenter.tk, 1 +travelchannel.ml, 1 +travelcharm.ga, 1 +travelcheapdeals.com, 1 +travelcircus.ga, 1 +travelclinic.ml, 1 +travelclube.com, 1 +travelclube.com.pt, 1 +travelcollect.ga, 1 +travelcollections.ga, 1 +travelcolor.ga, 1 +travelcompany.tk, 1 +travelcrown.ga, 1 +traveldir.ga, 1 +traveldodge.ga, 1 +traveldoo.com, 1 +traveldragon.ga, 1 +travelecho.ga, 1 +traveleets.com, 1 +travelepoch.com, 1 +travelera.tk, 1 +travelerspress.com, 1 +travelersuniverse.com, 1 +travelescape.tk, 1 +traveleurope.ml, 1 +travelexbiz.com, 1 +travelexecutive.de, 1 +travelexinternational.com, 1 +travelexpress.tk, 1 +travelfarandwide.com, 1 +travelfeature.ga, 1 +travelfield.org, 1 +travelfiesta.ga, 1 +travelflighthotel.com, 1 +travelfoot.com, 1 +travelfriend.tk, 1 +travelfusion.com, 1 +travelgang.ga, 1 +travelgirlsclub.com, 1 +travelglamour.ga, 1 +travelgratis.ga, 1 +travelhands.ga, 1 +travelholicworld.com, 1 +travelhoppers.com, 1 +travelhusky.ga, 1 +traveling-thailand.info, 1 +travelingagency.tk, 1 +travelingbagsmke.com, 0 +travelingthevortex.com, 1 +travelinspirationmag.com, 1 +travelinsurance.co.nz, 1 +travelinsurance.ga, 1 +travelinsured.com, 1 +travelist.co.nz, 1 +traveljunkie.tips, 1 +travelkatta.in, 1 +travelknowledge.org, 1 +travellegacy.ga, 1 +travellets.tk, 1 +travellinginmorocco.com, 0 +travellings.cn, 0 +travellinks.tk, 1 +travellittle.ga, 1 +travellovers.fr, 1 +travelmap.net, 1 +travelmate.cf, 1 +travelmember.ga, 1 +travelmexico42.com, 1 +travelmindsets.com, 1 +travelmontenegro.tk, 1 +travelnano.ga, 1 +travelnatural.ga, 1 +travelnetwork.tk, 1 +travelnews.cf, 1 +travelni.com, 1 +travelnotoria.com, 1 +travelnumber.ga, 1 +travelodge.co.uk, 1 +traveloffline.ga, 1 +travelogue.jp, 1 +travelomega.ga, 1 +travelongravel.tk, 1 +travelook.ml, 1 +travelopedia.ga, 1 +travelouter.ga, 1 +travelove.tk, 1 +travelovernight.ga, 1 +travelpeace.ga, 1 +travelpearl.ga, 1 +travelpenguin.nl, 1 +travelphilippines.tk, 1 +travelphoto.cc, 1 +travelphotographycourse.com, 1 +travelplatinum.ga, 1 +travelplum.ga, 1 +travelpremier.ga, 1 +travelpremium.ga, 1 +travelprestige.ga, 1 +travelpride.ga, 1 +travelquantum.ga, 1 +travelrail.ga, 1 +travelrates.ga, 1 +travelraven.ga, 1 +travelrefund.com, 1 +travelreviews.tk, 1 +travelriny.com, 1 +travelsets.com, 1 +travelshelper.com, 1 +travelshopbooking.com, 1 +travelsignature.ga, 1 +travelsinfozone.com, 1 +travelsites.cf, 1 +travelsites.tk, 1 +travelsoldier.ga, 1 +travelsonic.ga, 1 +travelsouthbeach.ga, 1 +travelstation.tk, 1 +travelstrokes.com, 1 +travelsunflower.ga, 1 +travelsuperhero.ga, 1 +travelsure.tech, 1 +travelsurprise.ga, 1 +traveltains.com, 1 +traveltalk.tk, 1 +travelthing.io, 1 +travelthisweekend.com, 1 +travelthunder.ga, 1 +traveltimeagency.com, 1 +traveltomachupichu.com, 1 +traveltourist.tk, 1 +traveltovietnam.ga, 1 +traveltruster.com, 0 +travelturbo.ga, 1 +travelultra.ga, 1 +travelunicorns.com, 1 +travelunique.ga, 1 +travelup.com, 1 +travelurban.ga, 1 +travelus.nl, 1 +travelvacancy.tk, 1 +travelvictory.ga, 1 +travelvisit.cf, 1 +travelways.ml, 1 +travelwithbender.com, 1 +travelwithjack.com, 1 +travelzoneshop.com, 1 +traverse.com.ua, 0 +travi.org, 1 +travianbattleplanner.com, 1 +travin.tk, 1 +travis.nl, 1 +traviscoesd1tx.gov, 1 +traviscountyappliancerepair.com, 1 +travisf.net, 1 +travisflix.com, 1 +travisforte.io, 1 +travisfranck.com, 1 +travishenning.com, 1 +travislord.xyz, 1 +travkolyl.gq, 1 +travler.net, 1 +travnik24.tk, 1 +travuscka.ru, 1 +trawox.com, 1 +traws.cymru, 1 +traxpayroll.com, 1 +traxstage.com, 1 +trayinc.com, 1 +trayport.com, 1 +traza.cl, 1 +trazodoneonline.tk, 1 +trazodononline.gq, 1 +trazs.com, 1 +trbanka.com, 1 +trblwlf.net, 1 +trcollaborative.com, 1 +trcont.com, 1 +trctaborda.com.br, 1 +trdepoist.net, 1 +treaslockbox.gov, 1 +treasureboxgreetings.com, 1 +treasureislandbeads.ga, 1 +treasurejewelry.shop, 0 +treasuremountainmining.com, 1 +treasuretrooperguide.tk, 1 +treasury.gov.lk, 1 +treasurydirect.gov, 1 +treasuryhunt.gov, 1 +treasuryscams.gov, 1 +treatyoakdental.com, 1 +treatyoself.com.au, 1 +trebek.club, 1 +trebilfoundationsystems.com, 1 +trebnie.nl, 1 +trecebits.com, 1 +trecobox.com.br, 1 +tredegar.com, 1 +tredegarsurfaceprotection.com, 1 +tredto.com, 1 +tree.gdn, 1 +tree0.xyz, 1 +treebaglia.xyz, 1 +treecycle.com.au, 1 +treedoctornearme.com, 1 +treehorn.nl, 1 +treehouseresort.nl, 1 +treeliss.com.br, 1 +treemadeiras.com.br, 1 +treeremovalfourways.co.za, 1 +treeremovalsboksburg.co.za, 1 +treesonthemove.com, 1 +treestarmarketing.com, 1 +treevectors.com, 1 +treexy.com, 1 +treezone.net, 1 +trefpuntdemeent.nl, 1 +trehand.fr, 1 +treibholz-norddeich.de, 1 +treier.xyz, 1 +treinmagazine.be, 1 +treinmagazine.nl, 1 +treinonerd.com, 1 +treinonline.tk, 1 +treintijden.com, 1 +trek-planet.ru, 1 +trekamdienstag.de, 1 +trekintel.com, 1 +trekkerterreur.nl, 1 +trekkertirannie.nl, 1 +trekkertrek.tk, 1 +trekkertrekharpel.tk, 1 +trekking-friends.ch, 1 +trekkinglab.org, 1 +trekonbh.com, 1 +trekosecia.com.br, 1 +trekscaper.tk, 1 +trelleborg.se, 1 +trelliscompany.org, 1 +trembler.org, 1 +treml-sturm.com, 1 +tremol-spedition.com, 1 +tremontil.gov, 1 +tremors.tk, 1 +trempcountywi.gov, 1 +tren-counseling.nl, 1 +trenchapps.com, 1 +trend-calendar.com, 1 +trend-shop.ga, 1 +trendegypt.ml, 1 +trendier.com.co, 1 +trendier.mx, 1 +trendingaffords.com, 1 +trendingdeals.ga, 1 +trendingeducation.tk, 1 +trendingknow.tk, 1 +trendingnewswala.online, 1 +trendingstory.tk, 1 +trendingxxl.nl, 1 +trendkraft.de, 1 +trendmag.bg, 1 +trendme.ga, 1 +trendnews.cf, 1 +trendnews.gq, 1 +trendntech.com, 1 +trendocracy.cf, 1 +trendocracy.ga, 1 +trendocracy.gq, 1 +trendocracy.ml, 1 +trendpanel.tk, 1 +trendparty.net, 1 +trendpie.com, 1 +trendreportdeals.com, 1 +trends-24.nl, 0 +trends-news.tk, 1 +trendsce.com.br, 1 +trendtesettur.com, 0 +trendware.de, 1 +trendycrowds.com, 1 +trendydips.com, 1 +trendyolgo.com, 0 +trendys.ro, 1 +trendzilla.ga, 1 +treningo.rs, 1 +trenorario.it, 1 +trenta.fr, 1 +trentinogenealogy.com, 1 +trentonmakesnews.com, 1 +trentonoh.gov, 1 +trentotoday.it, 1 +trenujskutecznie.com, 1 +trenztec.ml, 1 +tresen-demo.com, 1 +treshermanasshop.com, 1 +tresmaistres.com.br, 1 +tresor.it, 1 +tresorit.com, 1 +tresoro.at, 1 +tresoro.de, 1 +trespedia.com, 1 +tresredatores.tk, 1 +tretail.net, 1 +tretinoin.gq, 1 +tretze-shoes.com, 1 +treurtransport.tk, 1 +trevea.fi, 1 +trevisotoday.it, 1 +trevo-lotofacil.com.br, 0 +trevorblondeel.com, 1 +trevorkay.tk, 1 +trevormarron.co.uk, 1 +trevsanders.co.uk, 1 +treworgeycottages.com, 1 +trexedia.com, 1 +trexweb.tk, 1 +trezor.io, 1 +trezy.me, 1 +trezy.net, 1 +trfmn.gov, 1 +trhastane.com, 1 +trhknih.cz, 1 +tri.gg, 1 +triad.earth, 1 +triadtool.com, 1 +triage.clinic, 1 +triage.com, 1 +triage.md, 1 +triageclinic.com, 1 +triageforensic.com, 1 +trial-server.tk, 1 +trialandsuccess.nl, 1 +trialbyfire.tk, 1 +trialmaaskant.tk, 1 +trials.tk, 1 +trialweb.com.br, 1 +triamudom.in.th, 1 +triamudom.net, 1 +triamudom.org, 1 +triangela.com, 1 +triangela.se, 1 +triangle-energie.com, 1 +trianglecastles.co.uk, 1 +trianglelawngames.com, 1 +trianglepwh.com, 1 +triangletv.rs, 1 +trianglewaverecords.tk, 1 +trib.com, 1 +tribac.de, 1 +tribaldos.com, 0 +tribaljusticeandsafety.gov, 1 +tribalwarsstyles.tk, 1 +tribalzone.tk, 1 +tribe.rs, 1 +tribeca-it.com, 1 +tribecalawsuitloans.com, 1 +tribefanaticsunited.tk, 1 +tribesbeekeepersassociation.com, 0 +tribesofneurot.tk, 1 +tribetokes.com, 1 +tribetrails.com, 1 +tribinagroup.co.id, 1 +tribinary.tk, 1 +tribistovo.tk, 1 +tribunatv.ml, 1 +tribunesia.ga, 1 +tribut.de, 1 +tributh.cf, 1 +tributh.ga, 1 +tributh.gq, 1 +tributh.ml, 1 +tributh.net, 1 +tributh.tk, 1 +tributoconsuegra.tk, 1 +tricare.mil, 1 +tricefy4.com, 1 +tricetirisad.me, 1 +tricherenligne.com, 1 +triciaree.com, 1 +tricityhelpline.com, 1 +tricityrogues.eu, 1 +trickedguys.com, 1 +trickle.works, 1 +tricksforgreeks.com, 1 +trico-pigmentazione.it, 1 +tricolortotal.tk, 1 +tricordmedia.ca, 1 +tricountyathome.com, 1 +tricountyhealthut.gov, 1 +tricountyheatingcooling.com, 1 +tridena.com, 1 +trident-online.de, 1 +trident1000logoi.gr, 1 +tridentdiagnostics.com, 1 +tridentfreightinc.com, 1 +tridentmedia.gq, 1 +tridindia.com, 1 +tridnice.eu, 1 +triedandtruebytrista.com, 1 +triefenbach.com, 1 +triefenbach.eu, 1 +triesteprima.it, 1 +trietment.com, 0 +trieuvy.com, 1 +trifence.ch, 1 +trifence.eu, 1 +trifence.net, 1 +trifence.org, 1 +trifiro.it, 1 +trigate.io, 1 +triggeredpaintz.com, 1 +triggertraders.com, 1 +trigirlpainting.com, 1 +triglovian-clades.com, 1 +trigraph.net, 1 +trigueros.tk, 1 +trigular.de, 1 +trihard.space, 1 +trihedron.tk, 1 +trihunter6000.com, 1 +trik-komputer.tk, 1 +trik.es, 0 +triker.tk, 1 +trikeweb.com, 1 +trikuj.cz, 1 +trillian.im, 1 +trilliondigital.io, 1 +trilliux.me, 1 +trilogymp.com, 1 +trim21.cn, 1 +trimage.org, 1 +trimarix.de, 1 +trimblecombustion.com, 1 +trimblenetworks.com.au, 1 +trimbletl.com, 0 +trimental.de, 1 +trimill.xyz, 1 +trimjoinerycentralcoast.com.au, 1 +trimsalon.tk, 1 +trimsalonelst.nl, 1 +trimtone.com, 1 +trimyourbushforallah.com, 0 +trinartia.com, 1 +trinary.ca, 0 +trinary.tk, 1 +trindonball.com, 1 +trineco.cloud, 1 +trineco.com, 1 +trineco.fi, 1 +tringle.org, 1 +trinhhoangtien.vn, 1 +trinhtrongson.tk, 1 +trini.tk, 1 +trinitasgyor.hu, 1 +trinitatis-leipzig.de, 1 +trinitatiskindergarten.de, 1 +trinitatiskirche-leipzig.de, 1 +trinity.fr.eu.org, 1 +trinity.one, 1 +trinitycore.org, 1 +trinityradioandvideo.org, 1 +trinitysurfaces.com, 1 +trinitywernersville.org, 1 +trinityyardgreetings.com, 1 +trink-und-partyspiele.de, 1 +trinnes.net, 1 +trintocpenalcu.com, 1 +trio.online, 1 +triolait.ca, 1 +triollo-rural.tk, 1 +triomedspa.com, 1 +triomoda.com.br, 1 +trionyx.ph, 1 +triop.se, 1 +triozon.hu, 1 +trip.my, 1 +tripadvicestore.tk, 1 +tripanimal.tk, 1 +triperapp.com, 1 +tripguide.is, 1 +tripisland.tk, 1 +triple1.net, 1 +tripleblossom.com, 1 +triplecrownsports.com, 1 +triplefork.com.ua, 1 +triplejprints.com, 1 +triplekeys.net, 1 +tripleone.co.uk, 1 +triplerinc.ca, 1 +triplesixdesigns.com, 1 +tripletake.com, 1 +triplethreatband.tk, 1 +triplevision.nl, 1 +triplicate.gq, 1 +tripmakery.com, 1 +tripoli.org, 1 +tripolinews.tk, 1 +tripomanija.tk, 1 +tripout.tech, 1 +tripozo.com, 1 +tripp.xyz, 1 +trippati.com, 1 +tripport.com.do, 1 +trips4foodies.com, 1 +tripspoint.com, 1 +triptravels.tk, 1 +tripwire.io, 1 +trisect.uk, 1 +trish-mcevoy.ru, 1 +trisha.tk, 1 +trisolaris.co.uk, 1 +trisomie21-normandie.org, 1 +trissiethehusky.rocks, 1 +tristan.moe, 1 +tristanfarkas.one, 1 +tristansommer.de, 1 +tristatechess.com, 1 +trit.pro, 1 +tritansoft.com, 1 +tritium.cf, 1 +tritoncc.com, 1 +triumc.org, 1 +triumph-duesseldorf.com, 1 +triumph-gera.de, 1 +triumph-hannover.de, 1 +triumph-rheinhessen.de, 1 +triumph-schongau.de, 1 +triumph-stuttgart.de, 1 +triwan.sk, 1 +trixiebooru.org, 1 +trixietainted.net, 1 +trixy.com.br, 1 +triz.co.uk, 0 +trizettoprovider.com, 1 +trkhosting.ga, 1 +trkmakine.com.tr, 1 +trkpuls.tk, 1 +trksystems.com, 1 +trmgo.de, 1 +troc.co.il, 1 +trocaire.org, 1 +trochoi.net, 1 +trockendock.ch, 1 +trockner-fehler.site, 1 +trodat.cf, 1 +trodniescis.gq, 1 +troedel-trolle.de, 1 +troedelhannes.at, 1 +trofeosylogros.com, 1 +trogloditas.tk, 1 +troi.de, 1 +troiaconsultoria.com.br, 1 +troianet.com.br, 1 +trojanchronicles.tk, 1 +trojanherring.com, 1 +trojanrecords.com, 1 +trok.co.il, 1 +trolebusesdevalparaiso.tk, 1 +troll-gaming.tk, 1 +trolla.us, 1 +trolldesign.cf, 1 +trolldi.eu, 1 +trolldi.eu.org, 1 +trollforums.gq, 1 +trollgetslucky.tk, 1 +trollhanttan.cf, 1 +trollhanttan.ga, 1 +trollhanttan.gq, 1 +trollhanttan.tk, 1 +trolliet.fr, 1 +trolling.gq, 1 +trollingeffects.org, 1 +trollmoa.se, 0 +trollolo.tk, 1 +trollos.cf, 1 +trollos.ga, 1 +trollos.gq, 1 +trollos.tk, 1 +trollscave.xyz, 1 +trom.tf, 1 +trommelwirbel.com, 1 +trommstone.de, 1 +trongkhanh.com, 1 +tronika.no, 1 +tronlaserarena.cz, 1 +tronmeo.com, 1 +tronnews.best, 1 +tronnews.co, 1 +tronnews.global, 1 +tronnews.life, 1 +tronnews.live, 1 +tronnews.me, 1 +tronnews.news, 1 +tronnews.world, 1 +tronnews.xyz, 1 +troomcafe.com, 1 +troonnorthgolf.com, 0 +troopaid.info, 1 +troopers.de, 1 +trophcomplewin.ml, 1 +trophies.de, 1 +trophykoi.tk, 1 +trophyshopinc.com, 1 +tropicalhurricanetracker.com, 1 +tropicalislands.tk, 1 +tropicalstandard.com, 1 +tropicalticket.cf, 1 +tropicalticket.ml, 1 +tropicaltravelco.com, 1 +tropicpet.vn, 1 +tropikdeniz.com.tr, 1 +tropiki.tk, 1 +tropiweb.tk, 1 +tropixshipping.com, 1 +troplo.com, 1 +troplo.com.au, 1 +troplo.eu.org, 1 +tropofy.com, 1 +troppotogo.it, 1 +troqueladoras.online, 1 +trosell.net, 1 +trosinenko.com, 1 +tross.tk, 1 +trotec.com, 1 +trotter.cf, 1 +troubles.ru, 1 +troubleshooter.xyz, 1 +troubleshooting.cz, 1 +troubleshooting.support, 1 +troubleshooting.tools, 1 +troubleshootyourvehicle.com, 1 +troupcountyga.gov, 1 +trousers.co.uk, 1 +trouvenet.tk, 1 +trouver-son-chemin.com, 1 +trouvetonbusiness.com, 1 +trouvetonplancul.fr, 1 +trouvez.tk, 1 +trouvons.org, 1 +trouw.nl, 1 +trouwrijk.nl, 1 +trovaprezzi.it, 1 +trovas.ch, 1 +trove.com, 1 +troxal.com, 1 +troyanos.uy, 1 +troyfawkes.com, 1 +troyflexpay.com, 1 +troyhunt.com, 1 +troyhuntstress.com, 1 +troyhuntsucks.com, 1 +troyjanda.com, 1 +troykao.com, 1 +troytn.gov, 1 +troytwpdelawareoh.gov, 1 +troywalworthwi.gov, 1 +troywistcroix.gov, 1 +trpa.gov, 1 +trs.tn, 1 +trtadalafilone.com, 1 +trtadalafilone.net, 1 +trtasarim.tk, 1 +tru.ltd, 1 +truasset.com, 1 +trubapro.com, 0 +trubleeon.fr, 1 +trubmet.tk, 1 +trubos.com.ua, 1 +trucatout.tk, 1 +trucchibellezza.com, 1 +trucchibellezza.it, 1 +truckbossdecks.com, 1 +truckcord.com, 1 +truckdeal.com.ph, 1 +truckerjobusa.com, 1 +truckersdatabase.cf, 1 +truckersmp.com, 1 +truckersworld.tk, 1 +truckingks.gov, 1 +truckscout24.at, 1 +truckscout24.be, 1 +truckscout24.bg, 1 +truckscout24.com, 1 +truckscout24.cz, 1 +truckscout24.de, 1 +truckscout24.dk, 1 +truckscout24.es, 1 +truckscout24.fr, 1 +truckscout24.gr, 1 +truckscout24.hu, 1 +truckscout24.it, 1 +truckscout24.lt, 1 +truckscout24.lv, 1 +truckscout24.nl, 1 +truckscout24.pl, 1 +truckscout24.pt, 1 +truckscout24.ro, 1 +truckscout24.ru, 1 +truckscout24.se, 1 +truckscout24.si, 1 +truckshina-plus.com.ua, 1 +truckspring.com, 1 +trucockpit-demo.com, 1 +trucockpit.ch, 1 +trucockpit.com, 1 +trucosparaelbruto.tk, 1 +trucosuso.org, 1 +trucoswindows.net, 0 +trudicollus.com, 1 +trudo.ca, 1 +trudyblackcrow.tk, 1 +true-colors.tk, 1 +true-itk.de, 1 +trueachievements.com, 1 +trueamateurs.com, 1 +trueasia.ga, 1 +truebarbershopinc.com, 1 +trueccu.com, 1 +truechimer.com, 1 +truecircumcision.tk, 1 +truecosmos.com, 1 +truecrimedaily.com, 1 +truedarkness.tk, 1 +trueduality.net, 1 +trueflowplumbing.com, 1 +trueformroofing.co.nz, 1 +truegether.com, 1 +truehealth.tk, 1 +truekey.com, 1 +truelovesakuya.info, 1 +trueminecraft.com, 1 +truenorthartcollektive.com, 1 +truenorthseedbank.com, 1 +truentumvet.it, 1 +truepartner.academy, 1 +truepartner.asia, 1 +truepartner.capital, 1 +truepartner.cn, 1 +truepartner.education, 1 +truepartner.email, 1 +truepartner.eu, 1 +truepartner.fund, 1 +truepartner.group, 1 +truepartner.hk, 1 +truepartner.holdings, 1 +truepartner.limited, 1 +truepartner.ltd, 1 +truepartner.nl, 1 +truepartner.sg, 1 +truepartner.software, 1 +truepartner.tech, 1 +truepartner.technology, 1 +truepartner.university, 1 +truepartner.us, 1 +truepartneradvisor.cn, 1 +truepartneradvisor.com, 1 +truepartneradvisor.nl, 1 +truepartnercapital.cn, 1 +truepartnercapital.hk, 1 +truepartnercapital.holdings, 1 +truepartnercapital.net, 1 +truepartnercapital.nl, 1 +truepartnercapital.org, 1 +truepartnercapital.sg, 1 +truepartnercapital.us, 1 +truepartnercapitaladvisor.nl, 1 +truepartnercapitalusa.com, 1 +truepartnerchinabondfund.cn, 1 +truepartnerchinafund.cn, 1 +truepartnerchinafuturesfund.cn, 1 +truepartnerchinagrowthfund.cn, 1 +truepartnerchinaoptionsfund.cn, 1 +truepartneredu.com, 1 +truepartnereducation.cn, 1 +truepartnereducation.com, 1 +truepartnerfund.cn, 1 +truepartnerfund.hk, 1 +truepartnerfund.nl, 1 +truepartnerinvestment.com, 1 +truepartnerinvestments.cn, 1 +truepartnerinvestments.com, 1 +truepartnerinvestments.com.hk, 1 +truepartnerinvestments.hk, 1 +truepartnertech.com, 1 +truepartnertech.nl, 1 +truepartnertech.sg, 1 +truepartnertechnology.com, 1 +truepartnertechnology.nl, 1 +truepartnertechnology.sg, 1 +truereligionjeanstore.tk, 1 +truerizm.ru, 1 +truescreen.io, 1 +trueseeing.com, 1 +truessl.shop, 1 +truesteamachievements.com, 1 +truestor.com, 1 +truetraveller.com, 1 +truetrophies.com, 1 +truetype.tech, 0 +trueweb.es, 1 +truewinter.net, 1 +truework.com, 1 +trueworlds.net, 1 +truffe.uk, 1 +trufflemonkey.co.uk, 1 +trufflepig-forensics.com, 1 +truhlarstvi-fise.cz, 1 +truimo.com, 1 +truklink.cf, 1 +truklink.ga, 1 +truklink.gq, 1 +trulock.tk, 1 +trulycharmed.tk, 1 +trumanlibrary.gov, 1 +trumanlibrary.org, 1 +trummer.xyz, 1 +trumpet-call.org, 1 +trumpet-whistleblowing.eu, 1 +trumplibrary.gov, 1 +trumppresidency.org, 1 +trumptragedy.com, 1 +trumptragic.com, 1 +trumpwhitehouse.gov, 1 +trumtruyen.vn, 1 +truncus-encephali.co.uk, 1 +trundr.com, 1 +trunix-forum.tk, 1 +trunk-show.net, 1 +truong.fi, 1 +truonganhdecor.com, 1 +truongnguyen.live, 1 +truongthanhaudio.com, 1 +truopio.com, 1 +truqu.com, 1 +trureg.uk, 1 +truromusicteacher.co.uk, 1 +trusecurity.gq, 1 +truserve.org, 1 +trusifan.tk, 1 +trusitio.com, 1 +truskmedia.tk, 1 +trussgenius.com, 1 +trussville.gov, 1 +trust-btc.ml, 1 +trust-ted.co.uk, 1 +trust.com, 1 +trust.zone, 1 +trust2protect.de, 1 +trustarts.org, 1 +trustcert.net, 1 +trustcert.org, 1 +trustcloud.ai, 1 +trustednetworks.nl, 1 +trustedpropertymanagement.net, 1 +trustedtoolbox.com, 1 +trustee.deals, 1 +trusthook.tk, 1 +trusthub.com, 1 +trustmymail.org, 1 +trustnet.co.il, 0 +trustology.io, 1 +trustpoint.one, 1 +trustreview.tk, 1 +trustserv.de, 1 +trustswiftly.com, 1 +trustvox.com.br, 1 +trustycloud.net, 1 +truten.tk, 1 +truth.com, 1 +truth.tk, 1 +truthdancer.com, 1 +truthmessages.pw, 1 +truthsayer.tk, 1 +truthsocial.com, 1 +trutrip.co, 1 +truvayangin.tk, 1 +trux.tk, 1 +truxa.net, 1 +truxton.tk, 1 +truyen-hentai.co.uk, 1 +truyen-hentai.com, 1 +truyen-hentai.de, 1 +truyen-hentai.fr, 1 +truyen-hentai.ru, 1 +truyenfull.vn, 1 +truyenkiemhiep.com.vn, 1 +truyenmoi.org, 1 +truyenmoivn.com, 1 +truyentienhiep.com.vn, 1 +trveled.com, 1 +trw-reseller.com, 1 +trwebtoon.com, 1 +trxnews.today, 1 +try2admin.pw, 1 +try2hack.it, 1 +tryaatos.com, 1 +trybabyschoice.com, 1 +trycaviar.com, 1 +trychameleon.com, 1 +trydoggo.com, 1 +tryfabulousdiet.com, 1 +tryfabulousskincream.com, 1 +tryfabulousskinserum.com, 1 +tryfrontline.cloud, 1 +tryharder.ca, 1 +tryin.cz, 1 +tryingtotakeoversweden.tk, 1 +tryingtotakeovertheworld.tk, 1 +tryitonline.net, 1 +tryk.tk, 1 +tryknow.com, 1 +trymegadrol.com, 1 +tryndraze.com, 1 +trynewjobs.com, 1 +trynowrinkleseyeserum.com, 1 +trynta.net, 1 +tryonnc.gov, 1 +tryplo.ca, 1 +tryplo.io, 1 +tryplo.net, 1 +tryplo.org, 1 +tryplo.xyz, 1 +trypt.am, 1 +tryptamine.tk, 1 +tryramp.com, 1 +tryreason.com, 1 +tryrebooting.tech, 1 +tryrfsfirst.co.uk, 1 +tryroyalcanin.com, 1 +trystagency.com, 1 +tryti.me, 1 +trytivi.com, 1 +tryupdates.com, 1 +trywesayyes.com, 1 +trz.cz, 1 +ts-farm.ru, 1 +ts-folienmontage.de, 1 +ts-pro-consulting.de, 1 +ts-projects.tk, 1 +ts-public.tk, 1 +ts3-legenda.tech, 1 +ts3.ink, 0 +ts3frei.eu, 1 +ts4rent.eu, 1 +ts5server.eu, 1 +tsacareer.com, 1 +tsacasa.com, 1 +tsacbttest.com, 1 +tsachs.eu, 1 +tsacloud.ml, 1 +tsahf.com, 1 +tsai.com.de, 1 +tsakanakis.tk, 1 +tsaro.io, 1 +tsatestprep.com, 1 +tsatsalashvili.com, 1 +tsb.co.uk, 1 +tsbg.com, 1 +tsbraz.com, 1 +tsbraz.com.br, 1 +tsc.gov, 1 +tsc.tax, 1 +tscampus.online, 1 +tsedryk.ca, 1 +tseng.dedyn.io, 1 +tsentrobuv.tk, 1 +tsenv.net, 1 +tsfempleos.com, 1 +tsg0o0.com, 1 +tsgbcs.org, 1 +tsgbit.net, 1 +tshirai.work, 1 +tshirtgenerator.ga, 1 +tshirtmemoryquilts.com, 1 +tshirtscapetown.com, 1 +tshirtsouthafrica.co.za, 1 +tsico.com, 1 +tsicons.com, 1 +tsig.nl, 1 +tsigaradiko.com, 1 +tsimg.space, 1 +tsiolakisfurs.com, 1 +tsironis-olivenoel.de, 1 +tsja.tk, 1 +tsk.ovh, 1 +tskikoh.com, 1 +tskimwagner.com, 1 +tsla.nu, 1 +tslcontractors.co.uk, 0 +tsmasseur.com, 1 +tsmgroup2.biz, 1 +tsmost.cz, 1 +tsna.cc, 1 +tsoto.net, 1 +tsp.gov, 1 +tspdrits.xyz, 1 +tsproesasac.com, 1 +tsr.best, 1 +tsra.gov.au, 1 +tsriggingequipment.com, 1 +tsrv.pw, 0 +tss.am, 1 +tst-band.tk, 1 +tsu.re, 1 +tsueri.cloud, 1 +tsukhani.com, 1 +tsukikoh.com, 1 +tsukikoh.jp, 1 +tsukuba-it.net, 1 +tsukuba.style, 0 +tsumegumi.com, 1 +tsumi.it, 0 +tsumi.moe, 1 +tsumishima.com, 1 +tsumugu2021.com, 1 +tsunami.gov, 1 +tsunamic.cf, 1 +tsunamikill.tk, 1 +tsundere.moe, 1 +tsura.org, 1 +tsurai.work, 1 +tsurezurematome.ga, 1 +tsurimap.com, 1 +tsuruhime.tk, 1 +tsutawal.com, 1 +tsutaya-ai.com, 1 +tsutsumi-kogyo.jp, 1 +tsuyuzakihiroyuki.com, 1 +tsv-1894.de, 0 +tsv-hittfeld.de, 0 +tsw.ovh, 1 +tsxxlangel.com, 1 +tsybanov.com, 1 +tt-aepfingen.tk, 1 +tt-hardware.com, 1 +tt.gt, 1 +tt0766.com, 1 +tt0966.com, 1 +tt2866.com, 1 +tt2966.com, 1 +tt3666.com, 1 +tt3699.com, 1 +tt3766.com, 0 +tt3999.com, 1 +tt5197.co, 1 +tt6729.co, 1 +tt6729.com, 1 +tt6957.co, 1 +tt7199.com, 1 +tt7299.com, 1 +tt7399.com, 1 +tt8166.com, 1 +tt8266.com, 1 +tt8366.com, 1 +tt9297.co, 1 +tt9728.co, 1 +tt9799.com, 1 +ttb.gov, 1 +ttbonline.gov, 1 +ttc-birkenfeld.de, 1 +ttcak.ddns.net, 1 +ttcf.ca, 1 +ttchan.org, 1 +ttclub.fr, 1 +ttdrive.ru, 1 +ttfin.ch, 1 +tthomes.vn, 1 +ttill.de, 1 +ttkiel.de, 1 +ttlet.com, 1 +ttlg.io, 1 +ttluoli.com, 1 +ttm.jp, 1 +ttnmpls.org, 1 +ttp-shop.com.ua, 1 +ttpwned.com, 1 +ttr-home.com, 1 +ttr3.eu, 1 +ttrade.ga, 1 +ttrecms.com, 1 +tts-assessments.com, 1 +ttshapn.org, 1 +ttsoft.pl, 0 +ttspttsp.com, 1 +ttsteel.co, 1 +ttt-networks.com, 1 +tttfic.com, 1 +ttug.co.uk, 1 +ttunda.com, 1 +ttv-bernisse80.tk, 1 +ttwtrader.com, 1 +tty.space, 1 +tty1.net, 1 +ttyystudio.com, 1 +tu-muenchen.de, 1 +tu6.pm, 1 +tuaflor.com.br, 1 +tualiadaenlimpieza.com, 1 +tuang-tuang.com, 1 +tuasaude.com, 1 +tubach.org, 1 +tubanten.nl, 1 +tubao.com.br, 1 +tubator.com, 1 +tubby.ovh, 1 +tube.tools, 1 +tube8vip.com, 1 +tubebegana.com, 1 +tubedesire.com, 1 +tubehall.com, 1 +tubejack.nl, 1 +tubeju.com, 1 +tubemilf.com, 1 +tubeporn.tv, 1 +tubepornmovies.net, 1 +tubesound.com, 1 +tubeview.cf, 1 +tubeview.ga, 1 +tubexxxone.com, 1 +tubing.cf, 1 +tubs4fun.co.uk, 1 +tubsof.fun, 1 +tubuenpedido.com, 1 +tubul.net, 1 +tubuscador.tk, 1 +tucarora.tk, 1 +tucarroycasa.com, 1 +tucevents.com, 1 +tucidi.net, 1 +tuck2000.com, 1 +tuckerobserver.com, 1 +tuckhayward.art, 1 +tuckmeintebo.com, 1 +tucnak.eu, 1 +tucny.com, 1 +tucson.com, 1 +tucsonfcu.com, 1 +tucsonpcrepair.com, 1 +tucuatro.com, 1 +tucuxi.org, 1 +tudinerito.tk, 1 +tudinhoparasuacasa.com.br, 1 +tudodebompresentes.com.br, 1 +tudorproject.org, 1 +tudorrosesamplerguild.com, 1 +tudosobrehost.com.br, 1 +tudoxwallprinter.com, 1 +tueplay.host, 1 +tueri.eu, 1 +tuerkei-immobilien.tk, 1 +tuespr.com, 1 +tuestilo.nl, 1 +tuev-hessen.de, 1 +tufelicitacion.info, 1 +tuffclassified.com, 1 +tuffmail.com, 1 +tuffmail.net, 1 +tuffsruffs.se, 1 +tufilo.com, 0 +tuftonboronh.gov, 1 +tugadar.com, 1 +tugafm.com, 1 +tugesha.com, 1 +tugnut.tk, 1 +tugrul.blog, 0 +tuhoctainha.net, 1 +tuinaportugal.com, 1 +tuincentersnaet.be, 1 +tuinenhullebroek.be, 1 +tuinenvermeiren.be, 1 +tuingereedschappen.net, 0 +tuinieren.tk, 1 +tuinmeubelkorting.nl, 1 +tuitle.com, 1 +tuja.hu, 1 +tujardin.casa, 1 +tujunfang.com, 1 +tukebab.com, 1 +tuketicihaklari.net, 1 +tukiart.tk, 1 +tula-city.tk, 1 +tula-news.ga, 1 +tulafarms.ga, 1 +tulafarms.gq, 1 +tulalip.gov, 1 +tulana.ga, 1 +tuleap.net, 1 +tuleap.org, 1 +tulevaisuusdemarit.fi, 1 +tuliha.ga, 1 +tulikajain.cf, 1 +tulikajain.ga, 1 +tulikajain.gq, 1 +tulikukko.tk, 1 +tulippublishing.com.au, 1 +tulisan.tk, 1 +tull.tk, 1 +tuller.tk, 1 +tulocura.tk, 1 +tulotos.com, 1 +tulpawiki.org, 1 +tulsa.tech, 1 +tulsameetingroom.com, 1 +tulsaworkshop.org, 1 +tulsaworld.com, 1 +tulumcosmeticos.com.br, 1 +tulup.io, 1 +tum-international.com, 1 +tum.de, 1 +tumagiri.net, 1 +tumanishvili.com, 1 +tumarcafe.com, 1 +tumblenet.tk, 1 +tumblr.com, 1 +tumed-ks.org, 1 +tumedico.es, 1 +tumelum.de, 1 +tumen.cf, 1 +tumen.gq, 1 +tumen.ml, 1 +tumen.tk, 1 +tumentorweb.com.mx, 1 +tumpicon.org, 1 +tumult-productions.tk, 1 +tun.bible, 1 +tuna.be, 1 +tunbiya.com, 1 +tuncelimezaryapimi.com.tr, 1 +tunder.tk, 1 +tundermadar.hu, 1 +tune-web.de, 1 +tunenet.ml, 1 +tuner.cloud, 1 +tunescoot.site, 1 +tuneserver.tk, 0 +tungstenworld.com, 0 +tuning-parts24.de, 1 +tuning-werkstatt-nuernberg.de, 1 +tuningblog.eu, 0 +tunisia-tech.tk, 1 +tunisiadefnews.ga, 1 +tunisiana.tk, 1 +tunisiangamers.tk, 1 +tunisiapress.tk, 1 +tunix-openair.de, 1 +tunktwppolice.gov, 1 +tunnel-staging.googlezip.net, 1 +tunnel.googlezip.net, 1 +tunnel53.net, 1 +tunnelbear.com, 1 +tunnelblick.net, 1 +tunnelbroker.net, 1 +tunnelstore.it, 1 +tunnelstore.net, 1 +tunneltracker.com, 1 +tunnelventilation.pro, 1 +tunnelwatch.com, 1 +tunningcars.tk, 1 +tunochebuena.com, 1 +tunombre.tk, 1 +tuntitili.fi, 1 +tuol-sleng.tk, 1 +tuomiset.com, 1 +tuoni.ga, 1 +tuotromedico.com, 1 +tuotteet.org, 1 +tuou.xyz, 0 +tupahost.net.br, 1 +tupass.pw, 1 +tupatane.gq, 1 +tuperiodico.soy, 0 +tupeuxpastest.ch, 0 +tupi.fm, 1 +tuppenceworth.ie, 1 +tuppennysfireplace.com, 1 +tupperwaresalamanca.com, 1 +tupsicoayuda.com, 0 +tupugoya.org, 1 +tur.bo, 1 +tur17.com, 1 +turadio.tk, 1 +turadionline.cf, 1 +turalt.com, 1 +turanga.tk, 1 +turanlawoffice.com, 1 +turanogluoptik.com, 1 +turbaza.tk, 1 +turbinadordigital.tk, 1 +turbinaonline.tk, 1 +turbineaero.com, 1 +turbinelectricity.ga, 1 +turbo.az, 1 +turbo24.com, 1 +turbocourses.net, 1 +turbodata.no, 1 +turbodata.org, 1 +turbohost.co.mz, 0 +turbomag.pl, 1 +turbomodz.com, 1 +turbomodz.es, 1 +turbosim.de, 1 +turbotube.ga, 1 +turbowheels.biz, 1 +turboworld.tk, 1 +turc.church, 1 +turcan.de, 1 +turciya.cf, 1 +tures-aurina.it, 1 +turf-experts.com, 0 +turfirm.tk, 1 +turgut46.tk, 1 +turi.space, 1 +turikslab.tk, 1 +turing.bio, 1 +turisbrasil.com, 1 +turisbrasil.com.br, 1 +turiscar.pt, 1 +turismoeviagens.com, 1 +turismogdl.com, 1 +turismoliliana.tk, 1 +turismomagdalena.com, 1 +turitzadr.com, 1 +turizm.gq, 1 +turizm.tk, 1 +turizm21.ru, 1 +turizmsektoru.ga, 1 +turizmsektoru.tk, 1 +turkana.tk, 1 +turkanime.co, 1 +turkcechat.tk, 1 +turkcedizin.tk, 1 +turkceingilizce.gen.tr, 1 +turkceyama.com, 1 +turkcoder.tk, 1 +turkdevs.net, 1 +turkey-portal.tk, 1 +turkeyfiles.tk, 1 +turkeymistress.tk, 1 +turkeyobesity.com, 1 +turkeysforlife.com, 1 +turkeysms.com.tr, 1 +turkgiller.com, 1 +turkgrafik.tk, 1 +turkhacks.com, 1 +turkhalkmuzigi.tk, 1 +turkiet.guide, 1 +turkishhackers.tk, 1 +turkishyatirim.com, 1 +turkist.tk, 1 +turkistan-rap.tk, 1 +turkiye.ai, 0 +turkkarate.tk, 1 +turkman.ml, 1 +turkman.tk, 1 +turkmanbox.tk, 1 +turkmanga.com.tr, 1 +turkmannews.tk, 1 +turkmans.tk, 1 +turkmen.news, 1 +turkmenbusiness.tk, 1 +turkmenistanairlines.tm, 1 +turkmens.tk, 1 +turkmirc.tk, 1 +turkmistress.tk, 1 +turkodon.com, 1 +turkology.tk, 1 +turkrap.tk, 1 +turkreno.com, 1 +turkrock.com, 1 +turkron.pro, 0 +turksell.ru, 1 +turksite.tk, 1 +turksiteleri.tk, 1 +turksohbet.com, 1 +turkteam.tk, 1 +turktelekomarenagolleri.tk, 1 +turktree.com, 1 +turkup.ml, 1 +turkuradyo.tk, 1 +turkutitans.tk, 1 +turl.pl, 1 +turlewicz.pl, 1 +turlockca.gov, 1 +turm-umzuege.de, 1 +turn-sticks.com, 1 +turnali.tk, 1 +turnalikoyu.tk, 1 +turnaroundinsights.com, 1 +turnbacktogod.com, 1 +turncircles.com, 1 +turneragsupply.com, 0 +turneroregon.gov, 1 +turnet.tk, 1 +turnierplanung.com, 1 +turnkey-ips.com, 1 +turnkeycybersecurityandprivacysolutions.com, 1 +turnningpoint.xyz, 1 +turnoffthelights.com, 1 +turnoffthelights.video, 1 +turnonsocial.com, 1 +turnosinscripcionchascomus.site, 1 +turnout.rocks, 1 +turnover.cf, 1 +turnto23.com, 1 +turntup.co.jp, 1 +turobot.casa, 1 +turoktv.org, 1 +turpinpesage.fr, 1 +turquoisetassel.com, 1 +turretlabs.io, 1 +tursa.com.au, 1 +turteka.com, 1 +turtle.ai, 0 +turtleduckstudios.com, 1 +turtlehead.tk, 1 +turtles.ga, 1 +turtleteam.fr, 1 +turtunis.ml, 1 +turul.tk, 1 +turuncu-sepet.com, 1 +turunculevye.com, 1 +tus-kikishinkyo.jp, 1 +tus.si, 1 +tusar.cf, 1 +tusar.ga, 1 +tuscanyleather.it, 0 +tusconsultorex.com, 1 +tusdtapi.com, 1 +tusfinanzas.ec, 1 +tusharwalaskar.com, 1 +tusi.co, 1 +tusksol.com, 1 +tuslamparasonline.com, 1 +tusmedicamentos.com, 1 +tusociofinanciero.com, 1 +tussenuur.tk, 1 +tustin.tk, 1 +tusuri.tk, 1 +tut-kino.tk, 1 +tuta.com, 1 +tuta.io, 1 +tuta.pm, 1 +tutamail.com, 1 +tutamon.net, 1 +tutanota.com, 1 +tutanota.de, 1 +tutao.de, 1 +tutarot.club, 1 +tutdevki.tk, 1 +tuteepdf.com, 1 +tutiendard.ga, 1 +tutierra.net, 1 +tutima.com, 1 +tuto-craft.com, 1 +tutocursos.com, 1 +tutomaestro.ca, 1 +tutorcruncher.com, 1 +tutorial90.cf, 1 +tutorialcoding.ga, 1 +tutorialcoding.tk, 1 +tutorialdb.tk, 1 +tutorialehtml.com, 1 +tutorialforest.com, 1 +tutorialhtml.tk, 1 +tutoriali.tk, 1 +tutorialinux.com, 1 +tutorialitmalaysia.tk, 1 +tutorialphotoshop.tk, 1 +tutorials.vg, 1 +tutorialseo.com.br, 1 +tutoriel-arduino.com, 1 +tutoringindustry.tk, 1 +tutorio.ga, 1 +tutormedia.net, 0 +tuts4you.com, 1 +tutteo.com, 1 +tuttimundi.org, 0 +tuttleok.gov, 1 +tuttoandroid.net, 1 +tuttonotizie.eu, 1 +tutu.ro, 1 +tutucos.com, 1 +tutudaju.com, 1 +tuulialaine.com, 1 +tuvankinhdoanhonline.com, 1 +tuvanmat.com, 1 +tuversionplus.com, 1 +tuvingaynay.com, 1 +tuwaner.com, 1 +tuxamca.com, 1 +tuxcare.com, 1 +tuxcloud.duckdns.org, 1 +tuxcloud.net, 1 +tuxflow.de, 0 +tuxforums.com, 1 +tuxhound.org, 1 +tuxie.com, 1 +tuxito.tk, 1 +tuxlife.net, 1 +tuxlinux.tk, 1 +tuxmobil.cf, 1 +tuxpeliculas.com, 1 +tuxphones.com, 1 +tuxpi.com, 1 +tuxplace.nl, 1 +tuxsoul.com, 1 +tuxsrv.com, 1 +tuyen.blog, 1 +tuyen.me, 1 +tuyen.xyz, 1 +tuyetchieuwebsite.tk, 1 +tuz-es-munkavedelem.hu, 1 +tuza.com.au, 1 +tuzaginside.com, 1 +tuzagtcs.com, 1 +tuzaijidi.com, 1 +tuzlamap.tk, 1 +tuzlasite.tk, 1 +tv-hot.com, 1 +tv-mainzlar.de, 1 +tv-online.ml, 1 +tv-programme.be, 1 +tv-programme.com, 1 +tv-radio.com, 1 +tv-sports.fr, 1 +tv-tuners.cf, 1 +tv-zone.tk, 1 +tv.kg, 1 +tv9gujarati.com, 1 +tvabullarbro.tk, 1 +tvaerialsmanchester.com, 1 +tvarkaulietuva.lt, 1 +tvatomic.com, 1 +tvbarled.com, 1 +tvboxstop.com, 1 +tvbracketman.co.uk, 1 +tvcal.net, 1 +tvchannelslive.tk, 1 +tvcmarketing.com, 1 +tvdenevar.net, 0 +tvears.com, 1 +tvenligne.tk, 1 +tver-msk.ru, 1 +tver2000.tk, 1 +tver69.tk, 1 +tveronline.tk, 1 +tvfamilie.be, 1 +tvfans.ga, 1 +tvfans.tk, 1 +tvfcu.com, 1 +tvfr.gov, 1 +tvgsc.sg, 1 +tvguide.com, 1 +tview.co.uk, 1 +tvindia.tk, 1 +tvipper.com, 1 +tvk.tirol, 1 +tvkaista.com, 1 +tvkaista.net, 1 +tvkaista.org, 1 +tvkaren.tk, 1 +tvlanguedoc.com, 1 +tvleaks.se, 1 +tvlplus.net, 1 +tvmice.tk, 1 +tvmodules.it, 1 +tvmounting-houston.com, 1 +tvnow.de, 1 +tvoedelo.ml, 1 +tvoia-dietka.tk, 1 +tvoistatusy.tk, 1 +tvoistili.ml, 1 +tvojeucetnictvi.cz, 1 +tvorog.dedyn.io, 1 +tvos.eu, 1 +tvoyaknighka.ga, 1 +tvoysad.ru, 0 +tvquot.es, 1 +tvrestyler.eu, 1 +tvreviewer.tk, 1 +tvs-virtual.cz, 1 +tvseasons.tk, 1 +tvseries.info, 1 +tvsheerenhoek.nl, 1 +tvsscs.com, 1 +tvstore-247.net, 1 +tvtj.ml, 1 +tvtsvod.com, 1 +tvzahist.com.ua, 1 +tw-louis.com, 0 +tw.edu.pl, 1 +tw.search.yahoo.com, 0 +twa.travel, 1 +twainhartehotels.com, 1 +twakkensi.cf, 1 +twatspot.com, 1 +twb.berlin, 1 +twcgcm.com, 1 +twd2.me, 1 +twd2.net, 0 +twdinjurylaw.com, 1 +twdreview.com, 1 +twdtulelo.hu, 1 +tweakers.com.au, 1 +tweakers.net, 1 +tweakersbadge.nl, 1 +tweaktown.com, 1 +tweaktownforum.com, 1 +tweaky.tk, 1 +tweedagenextravakantie.nl, 1 +tweedandtalon.co.uk, 1 +tweedehandskledij.be, 1 +tweedehandsmerkkledij.be, 1 +tweedekamer.nl, 1 +tweekshow.tk, 1 +tweemaster.tk, 1 +tweeple.ga, 1 +tweetadder.fr, 1 +tweetfinity.com, 1 +tweetfinityapp.com, 1 +tweetyconnect.com, 1 +twelve-inch-classics.tk, 1 +twelve.rocks, 1 +twelvecolonies.tk, 1 +twelvecornerspediatrics.com, 1 +twem.ddns.net, 1 +twerk.tk, 1 +twfwd.email, 1 +twidy.jp, 0 +twidy.uk, 1 +twig.sg, 0 +twigandolive.com, 1 +twilightcookies.ca, 1 +twilightkingdom.tk, 1 +twilightningzone.tk, 1 +twilite.co.uk, 1 +twilite.uk, 1 +twilo-host.de, 1 +twilo.de, 1 +twincap-first.de, 1 +twincapfirst.ch, 1 +twincapsula.co.jp, 1 +twincitynissantxparts.com, 1 +twindii.com, 1 +twinfield-apps.nl, 1 +twinflame.tf, 1 +twinflame.voyage, 1 +twinhealth.com, 1 +twinkpop.com, 1 +twinkseason.com, 1 +twinlakeswi.gov, 1 +twinspringcoupling.com, 1 +twinstudiosparis.com, 1 +twinztech.com, 1 +twist.com, 1 +twistapp.com, 1 +twistbets.com, 1 +twistedfamilies.com, 1 +twistedoakonline.com, 1 +twistedwave.com, 1 +twistersolutions.com, 1 +twistertech.com.br, 1 +twistfix.co.uk, 1 +twistmc.net, 1 +twisto.cz, 1 +twisto.pl, 1 +twistopay.com, 1 +twistpedia.com, 1 +twistys.com, 1 +twistysnetwork.com, 1 +twit-guide.com, 1 +twitchplaysleaderboard.info, 1 +twitchy.tk, 1 +twitcker.com, 1 +twittelzie.nl, 1 +twitter.ax, 1 +twitter.com, 0 +twitterdriver.io, 1 +twittervid.com, 1 +twittpr.com, 1 +twizzle.net, 1 +twl-clan.tk, 1 +twlan.org, 1 +twlitek.com.tw, 1 +twma.pro, 1 +twmartin.codes, 1 +two-step-verification.solutions, 1 +twoandahalfvan.eu, 1 +twobitbusker.com, 1 +twobridges.co.uk, 1 +twobrothersbbq.com, 0 +twocatsinacaravan.xyz, 1 +twocornertiming.com, 1 +twodadsgames.com, 1 +twoef.co.uk, 1 +twofestivaltower.au, 1 +twofestivaltower.com, 1 +twofestivaltower.com.au, 1 +twohuo.com, 1 +twojapogoda.pl, 1 +twojfaktum.pl, 1 +twolinesmedia.eu, 1 +twolittlefleas.co.uk, 1 +twoninersix.com, 1 +twonodes.games, 0 +twopipes.net, 1 +twopipes.org, 1 +twoqi.com, 0 +tworaz.net, 1 +twoseven.xyz, 1 +twospirits.org, 1 +twotravel.world, 1 +twr.org, 1 +twslots.online, 1 +twtf.org.uk, 1 +twtr.email, 1 +twwd.de, 1 +tx299.com, 0 +tx577.com, 1 +txbooster.com, 1 +txcap.org, 1 +txcheckup.com, 1 +txferretrescue.org, 1 +txhb.gov, 1 +txlocksmiththewoodlands.com, 1 +txlrs.org, 1 +txryan.com, 1 +txtd.io, 1 +txtdb.com, 1 +txtdirect.com, 1 +txtdirect.dev, 1 +txtdirect.io, 1 +txtdirect.link, 1 +txtdirect.me, 1 +txtdirect.org, 1 +txtentertainment.ga, 1 +txtfile.eu, 0 +txtnovel.me, 1 +txtnovel.net, 1 +txurologist.com, 1 +txwriterstudio.com, 1 +ty0m.com, 1 +ty529.com, 1 +ty573.com, 1 +ty583.com, 1 +ty587.com, 1 +ty593.com, 1 +ty5998.com, 1 +ty613.com, 1 +ty637.com, 1 +ty679.com, 1 +ty705.com, 1 +ty723.com, 0 +ty736.com, 1 +ty791.com, 1 +ty835.com, 0 +ty935.com, 1 +ty937.com, 1 +ty962.com, 0 +ty965.com, 1 +ty980.com, 1 +tyan.com, 1 +tybox.ca, 1 +tyc001.cc, 1 +tyc009.cc, 1 +tycaa.org, 1 +tycatering.com, 1 +tycho.org, 1 +tycho.tk, 1 +tychoverstraete.be, 1 +tycyc88.com, 1 +tyentitaly.com, 1 +tygochrum.se, 0 +tyinnovations.com, 1 +tyk.io, 1 +tyl.io, 1 +tylb.io, 1 +tyler.rs, 1 +tylerdavies.net, 1 +tylerdurden.ml, 1 +tylergordonhill.com, 1 +tylerharcourt.com, 1 +tylerharcourt.net, 1 +tylerharcourt.org, 1 +tylermade.net, 1 +tylermn.gov, 1 +tylerobrien.org, 1 +tyleromeara.com, 1 +tylerpayne.tk, 1 +tylerschmidtke.com, 0 +tylervigario.com, 1 +tylko-wazne.tk, 1 +tymoch.pl, 1 +tymyrddin.space, 1 +tyndalehouse.com, 1 +tynefm.tk, 1 +tyni-goc.gq, 1 +tyni-gof.gq, 1 +tynki-maszynowe.tk, 1 +tyojyu.or.jp, 0 +type1joe.com, 1 +type1joe.net, 1 +type1joe.org, 1 +type74.ir, 1 +typecheck.io, 1 +typecheckapp.com, 1 +typecho.site, 0 +typeclasses.com, 1 +typecodes.com, 1 +typegrow.com, 1 +typehub.net, 1 +typeof.pw, 1 +typeonejoe.com, 1 +typeonejoe.net, 1 +typeonejoe.org, 1 +typeria.net, 1 +typescript-weekly.com, 1 +typesofdogs.info, 1 +typesofnote.com, 1 +typesolution.pt, 1 +typetwodiabetesexplained.com, 1 +typewolf.com, 1 +typewriter.tk, 1 +typher.eu, 1 +typhlos.fr, 1 +typica.com.tw, 1 +typing.com, 1 +typingcheck.ga, 1 +typist.tech, 1 +typo3.com, 1 +typosphere.fr, 1 +typr.com, 1 +tyr0wl.com, 1 +tyrael.eu, 1 +tyraga.ga, 1 +tyrannize.us, 1 +tyrasuki.be, 1 +tyre-search.ga, 1 +tyree.tech, 1 +tyres-mechanical.com.au, 1 +tyrkey.tk, 1 +tyrocity.com, 1 +tyronega.gov, 1 +tyroola.co.id, 1 +tyroola.co.nz, 1 +tyroola.com.au, 1 +tyroola.de, 1 +tyroola.it, 1 +tyroola.nl, 1 +tyroremotes.co.uk, 1 +tyroremotes.es, 1 +tyroremotes.eu, 1 +tyroremotes.fr, 1 +tyroremotes.nl, 1 +tyroremotes.no, 1 +tyroremotes.pt, 1 +tyroremotes.se, 1 +tyrulez.tk, 1 +tysukakorrekt.ga, 1 +tysye.ca, 1 +tytixazo.tk, 1 +tytocare.com, 1 +tytod.com, 1 +tyukanyo.hu, 1 +tyumen.ga, 1 +tyuning-avto.tk, 1 +tyva.gq, 1 +tyva.ml, 1 +tyva.tk, 1 +tz9.co, 1 +tzchz.pp.ua, 1 +tzdn.gq, 1 +tzeribi.fr, 1 +tzgo.at, 1 +tzifas.com, 0 +tzinsurance.com, 1 +tziyona.net, 1 +tznews.me, 1 +tzonevrakis.gr, 1 +tzsec.com, 1 +tzsrv.cf, 1 +tzsrv.com, 1 +tzsrv.de, 1 +tzsrv.tk, 1 +tzstamp.io, 1 +tzunami.tk, 1 +tzunamiblog.tk, 1 +tzwe.com, 1 +u-chan.com, 0 +u-he.com, 1 +u-olymp.ru, 1 +u-page.nl, 1 +u-watch.it, 1 +u.nu, 1 +u.sb, 1 +u00228.com, 0 +u0060.com, 0 +u0070.com, 1 +u0080.com, 0 +u03.fr, 1 +u05.cn, 1 +u1100.com, 1 +u1144.com, 1 +u12buy.com, 1 +u15.info, 1 +u15b1.com, 1 +u15b2.com, 1 +u15jj.com, 1 +u15p1.com, 1 +u15p2.com, 1 +u15p5.com, 1 +u15p6.com, 1 +u15p7.com, 1 +u15p8.com, 1 +u15x.com, 1 +u175.com, 1 +u29dc.com, 1 +u2b.eu, 1 +u2co.de, 1 +u2croatia.tk, 1 +u2fanlife.com, 1 +u2galicia.tk, 1 +u32i64.cf, 1 +u36533.com, 1 +u4.re, 1 +u4mh-dev-accesscontroller.azurewebsites.net, 1 +u4mh-dev-portal.azurewebsites.net, 1 +u5.re, 1 +u51365.com, 1 +u5197.co, 1 +u6729.co, 1 +u6729.com, 0 +u6957.co, 1 +u6957.com, 0 +u6a5hqf.top, 1 +u7ae.com, 1 +u81365.com, 1 +u82365.com, 1 +u9297.co, 1 +u9728.co, 1 +ua-1x-bet.com, 1 +ua-autonews.tk, 1 +ua-fediland.de, 0 +ua-news.tk, 1 +ua.search.yahoo.com, 0 +ua1xbet.com, 1 +ua1xbet1967.com, 1 +ua577.com, 1 +ua5v.com, 1 +uab.tv, 1 +uachemlabs.com, 1 +uae-auto.ru, 1 +uae-company-service.com, 1 +uaefiu.gov.ae, 1 +uaestorages.com, 1 +uafinance.net, 1 +ualove.tk, 1 +uamxsociologia.tk, 1 +uanews.tk, 1 +uapp.win, 1 +uareferat.tk, 1 +uartpastelpaper.com, 1 +uasaumur.com, 1 +uash.tk, 1 +uasmi.com, 1 +uasonics.tk, 1 +uat-activesg.com, 1 +uat-mypfp.co.uk, 1 +uateach.tk, 1 +uatgootax.ru, 0 +uathq.com, 1 +uatuning.com.ua, 1 +uatx.mx, 1 +uavis.com.au, 1 +ub.edu.vn, 1 +ub.net, 1 +ub3rk1tten.com, 1 +ub889.com, 1 +uba-tra.tk, 1 +ubaid.tk, 1 +ubaldopoa.tk, 1 +ubanks.com.ua, 1 +ubanquity.com, 0 +ubcani.com, 1 +uber-work.tk, 1 +uberactivist.com, 1 +uberalles.live, 1 +uberboxen.net, 1 +ubereatspos.com, 1 +ubergamingworld.tk, 1 +uberhorny.tk, 1 +uberi.fi, 1 +ubermail.me, 1 +uberpromocodes.us, 1 +ubersmith.com, 1 +uberwald.ws, 1 +ubezpieczeniaonline.pl, 1 +ubezpieczeniazyciowe.pl, 1 +ubezpieczenie.com.pl, 1 +ubezpieczeniemieszkania.pl, 1 +ubezpieczenienanarty.pl, 1 +ubezpieczenienarciarskie.pl, 1 +ubezpieczenienazycie.net.pl, 1 +ubezpieczeniepsa.com, 1 +ubezpieczenieturystyczne.com.pl, 1 +ubezpieczeniezycia.pl, 1 +ubezpieczeniezyciowe.pl, 1 +ubezpieczonamama.pl, 1 +ubezpieczonedziecko.pl, 1 +ubicaciones-vitamina.cl, 1 +ubicv.com, 1 +ubill.ge, 1 +ubimail.org, 1 +ubiminds.com, 0 +ubiqubit.it, 1 +ubis.group, 1 +ubiurbe.com, 1 +ubleam.com, 0 +ubn-speed.fr, 0 +ubonit.pl, 1 +uborcare.com, 1 +uborka-812.ru, 1 +uborka-kvartir-moskva.gq, 1 +uborka-snega.ga, 1 +ubun.kr, 1 +ubun.net, 1 +ubuntu-es.org, 1 +ubuntu-tr.net, 1 +ubuntu-tutorials.com, 1 +ubuntu.marketing, 1 +ubuntu18.com, 1 +ubuntuproductions.fi, 1 +ubutovo.ga, 1 +ubwash.re, 1 +ubytovanihyncice.cz, 1 +ubytovnastrazske.sk, 1 +ubzoo.tk, 1 +uc4h.com, 1 +ucac.nz, 0 +ucangiller.com, 1 +ucaskernel.com, 1 +ucayim.com, 1 +ucb.com, 1 +ucbconcierge.jp, 1 +ucbostad.se, 1 +ucch.be, 0 +uccisme.net.ua, 1 +ucdap.com, 1 +ucemich.edu.mx, 1 +ucero.tk, 1 +ucfirst.nl, 1 +ucg-international.com, 1 +uchargeapp.com, 1 +ucheba.cf, 1 +ucheba.ga, 1 +ucheba.gq, 1 +ucheba.tk, 1 +uchicagomedicine.org, 1 +ucibt.com, 1 +ucih.ru, 1 +ucinvest.com.au, 1 +uciplasticsurgery.com, 1 +uck.i.ng, 1 +uckunlaboratuvari.com, 1 +uclf.de, 1 +uclip.club, 1 +ucmatedeveloper.gq, 1 +ucmjlawyers.com, 1 +ucmultrasuoni.it, 1 +ucngame.com, 1 +ucphotography.net.au, 1 +ucppe.org, 1 +ucraft.ai, 1 +ucrdatatool.gov, 1 +ucreate.site, 1 +ucretleri.net, 1 +ucsi.link, 1 +uctarna.online, 1 +ucybodyinc.com, 1 +udaap.org, 1 +udancy.com, 1 +udaneprzepisy.pl, 1 +udb.kr, 1 +udbina.tk, 1 +uddate-linthdcp-3345app.com, 1 +uddate-linthdcp-567app.com, 1 +uddi.ng, 1 +uddin.io, 1 +udemons.be, 1 +udenit.de, 1 +udenlandskecasinoer.dk, 1 +udenlandskeonlinecasino.com, 1 +udenrigspolitik.dk, 1 +udi.no, 1 +udid.fyi, 1 +udien.tk, 1 +udigital.nl, 1 +udik.tk, 1 +udinetoday.it, 1 +udla.edu.ec, 1 +udmarbella.tk, 1 +udmddn.ru, 1 +udmurtia.tk, 1 +udo-luetkemeier.de, 1 +udomain.net, 1 +udp.pw, 0 +udp.sh, 0 +udruga-point.hr, 1 +udsocial.com, 1 +udtonline.com, 1 +udvoukocek.eu, 1 +ue30.fun, 1 +ueba1085.jp, 1 +ueberdosis.io, 0 +uebersetzungscenter.ch, 1 +ueberwachungspaket.at, 1 +uedaviolin.com, 1 +uefeng.com, 0 +uel-thompson-okanagan.ca, 1 +ueliexpress.ch, 1 +uesaz.com, 1 +uesc.org, 1 +uesociedadlimitada.com, 1 +uestc.icu, 1 +uevan.com, 1 +uf-ace.com, 1 +uf-lmsan.pt, 1 +ufa-soft.tk, 1 +ufacesign.in, 1 +ufanet.id, 1 +ufanisi.mx, 1 +ufar-ntds.org, 1 +ufero.co.za, 1 +uffserver.ml, 1 +ufh.com.cn, 1 +ufindme.at, 1 +ufirst.ro, 1 +uflmsan.pt, 1 +ufo.moe, 0 +ufocentre.com, 1 +ufoch.com, 0 +ufoet.cn, 0 +ufologiahistorica.tk, 1 +ufologiaweb.tk, 1 +ufone.com, 1 +ufone.net, 1 +ufopaedia.org, 1 +ufos.tk, 1 +ufplanets.com, 1 +ufst.dk, 1 +ug.gg, 1 +ugarte-zestoa.com, 1 +ugb-verlag.de, 0 +ugc.fr, 1 +ugcdn.com, 1 +ugeek.tk, 1 +ugg.com, 1 +uggedal.com, 1 +ugirlx.com, 1 +ugis.info, 1 +uglycat.com, 1 +uglycat.eu, 1 +uglycat.net, 1 +uglycat.org, 1 +uglycat.social, 1 +uglydogpgh.com, 1 +uglypeople.com, 1 +ugmtc.org, 1 +ugolovnyj-advokat.cf, 1 +ugolsibiri.ru, 1 +ugrod.ru, 1 +ugsonline.tk, 1 +uguragdas.com.tr, 1 +ugurkorkmazyurek.com, 1 +ugurnakliyat.com.tr, 1 +uguu.se, 1 +ugx-mods.com, 1 +ugy.es, 1 +uhasseltctf.be, 1 +uhasseltctf.ga, 1 +uhc.gg, 1 +uhcuhcas.cf, 1 +uhcuhcas.ga, 1 +uhcuhcas.gq, 1 +uhcuhcas.ml, 1 +uhcuhcas.tk, 1 +uhes.com.sg, 1 +uhingaro.com, 0 +uhl.site, 1 +uhlhosting.ch, 1 +uhnwarfarinedu.ca, 1 +uhost.cyou, 1 +uhrenlux.de, 1 +uhuc.de, 1 +uhurl.net, 1 +ui.com, 1 +ui.gov, 1 +ui8.net, 1 +uiberlay.cz, 1 +uicchy.com, 1 +uid0.pl, 1 +uiharu.top, 1 +uika-bogor.ac.id, 1 +uinst.tk, 1 +uinvest.ml, 1 +uinvest.tk, 1 +uiop.link, 1 +uirysa.pl, 1 +uisd.net, 1 +uitdeoudekoektrommel.com, 1 +uiterwijk.org, 1 +uitgeverij-deviant.nl, 1 +uitingent.be, 1 +uitvaartgoessens.be, 1 +uitvaartverzekeringwijzer.net, 0 +uitvaartvrouwenfriesland.nl, 1 +uiuo.de, 1 +uizard.io, 1 +uj2008.com, 1 +ujam.com, 1 +ujeb.link, 1 +ujiyasu.com, 1 +ujjivan.com, 1 +ujob.com.cn, 1 +ujotthon.hu, 1 +ujvary.eu, 1 +uk.search.yahoo.com, 0 +ukari.hokkaido.jp, 0 +ukb.sch.id, 0 +ukbc.london, 1 +ukc2.com, 1 +ukcarers.tk, 1 +ukdefencejournal.org.uk, 1 +ukfoodbox.co.nz, 1 +ukforum.net, 1 +ukhas.net, 1 +ukimmigration.law, 1 +ukitbs.com, 1 +ukiuki.photography, 1 +ukkeyholdingcompany.co.uk, 1 +uklawfirm.tk, 1 +uklidgaraze.fun, 1 +uklizim.fun, 1 +uklizimgaraz.fun, 1 +ukmalls.co.uk, 1 +ukmeetandgreet.com, 1 +ukmerges-vaikyste.lt, 1 +ukmoneyman.com, 1 +ukmortgagecompare.co.uk, 1 +uknew.co, 1 +uknews.ga, 1 +uknews.ml, 1 +uknewsroom.tk, 1 +uknewsweek.com, 1 +ukooku.com, 1 +ukosystudio.com, 1 +ukozliku.cz, 1 +ukpass.co, 1 +ukpr.group, 1 +ukpropertyrescue.com, 1 +ukpts.org, 1 +ukraflora.ua, 1 +ukrainci.com.ua, 1 +ukraine-standart.com.ua, 1 +ukrainians.ch, 1 +ukrainianwall.com, 1 +ukrainskie-konstrukcii.com.ua, 1 +ukrapak.com.ua, 1 +ukrcredit.net, 1 +ukrn.io, 1 +ukrnames.com, 1 +ukrnet.co.uk, 1 +ukrtabletki.tk, 1 +ukrzoloto.ua, 1 +ukseafood.co.uk, 1 +ukshg.org, 1 +uksv.co.uk, 0 +ukta.tk, 1 +uktw.co.uk, 0 +uku.lt, 1 +ukulele.co.nz, 1 +ukulelesite.com.br, 1 +ukunlocks.com, 1 +ukutabs.com, 1 +ukwct.org.uk, 1 +ul-fluglehrer.de, 1 +ulax.org, 1 +ulax.tk, 1 +ulbr.dnshome.de, 1 +ulconnect.com, 1 +uldsh.de, 1 +ulement.com, 1 +ulen.me, 1 +ulet.tk, 1 +ulfmikaelmattsson.se, 1 +ulgaipbox.online, 1 +uli-eckhardt.de, 1 +ulickaprozivot.cz, 1 +ulike123.com, 1 +ulitroyo.com, 1 +ullah.se, 1 +ulli.ml, 1 +ullrich-group.de, 1 +ullrich-services.de, 1 +ulm-eurofox.fr, 1 +ulmer-schneesport.de, 1 +ulnesshealth.com, 1 +ulobby.eu, 1 +uloztoasdilej.cz, 1 +ulprospector.com, 1 +ulrichracing.com, 1 +ulrik.moe, 1 +ulrikethiele.de, 1 +ulsterbank.co.uk, 1 +ulsterbank.ie, 1 +ulsters.cf, 1 +ulstersheriffny.gov, 1 +ultaa.ru, 1 +ultahost.com, 1 +ultalabtests.com, 1 +ultima-ratio.at, 1 +ultimasearch.com, 1 +ultimasword.tk, 1 +ultimate-fireworks.tk, 1 +ultimateappreviews.co, 1 +ultimatebabyshowergifts.ga, 1 +ultimatebattle.tk, 1 +ultimatebattles.club, 1 +ultimatecheerleaders.com, 1 +ultimateclub.tk, 1 +ultimatefilmpromotion.com, 0 +ultimatefxtools.com, 0 +ultimategamechair.com, 1 +ultimategaming.tk, 1 +ultimatehalo.tk, 1 +ultimatelifesupport.ga, 1 +ultimatemafia.be, 1 +ultimatemafia.de, 1 +ultimatemafia.net, 1 +ultimatemafia.nl, 1 +ultimatemapping.tk, 1 +ultimatemotherfuckingwebsite.com, 1 +ultimatempb.com.au, 1 +ultimatepaleoguide.com, 1 +ultimateparts.nl, 1 +ultimatepatrol.de, 1 +ultimatepower.ga, 1 +ultortech.com, 1 +ultra-fast.net, 1 +ultra-pro.ga, 1 +ultra.gen.tr, 1 +ultra.law, 1 +ultra4k.com, 1 +ultrabkk.com, 1 +ultracentr.ml, 1 +ultracoupon.net, 1 +ultrafine.cf, 1 +ultralife.cf, 1 +ultraman.tk, 1 +ultramax.biz, 1 +ultramookie.com, 0 +ultraonline.ml, 1 +ultrapedic.com, 1 +ultrarare.space, 1 +ultras-venlo.tk, 1 +ultrasite.tk, 1 +ultrasocial.ml, 1 +ultrasoftpressurewashing.com, 1 +ultrasoundtechnicianschools.com, 1 +ultrastar-es.org, 1 +ultrasvargon.tk, 1 +ultratechlp.com, 1 +ultratress.com, 1 +ultraviolence.tk, 1 +ultravip.com.br, 1 +ultreya.tk, 1 +ultrixus.rocks, 1 +uludag16.com.tr, 1 +ulugatechsolutions.co.za, 1 +ulusar.com.tr, 1 +ulyanovsk-73.tk, 1 +ulyanovsk73.tk, 1 +ulyanovskcity.tk, 1 +ulysim.com, 1 +ulyssesenergy.it, 1 +um-sachsen-pictures.de, 1 +um.es, 0 +umagoyal.com, 1 +umami.vercel.app, 1 +umamibbqsushi.com, 1 +umamibites.com, 1 +umanews.net, 1 +umanityracing.com, 1 +umanupszn.gov.ua, 1 +umap.uz, 1 +umarjazeer.com, 1 +umaru.gq, 1 +umarysi.fun, 1 +umas.tk, 1 +umashev.ru, 1 +umasoda-tohoku.com, 1 +umassfive.coop, 1 +umasstransit.org, 1 +umatilla.gov, 1 +umatillacounty.gov, 1 +umbertheprussianblue.com, 1 +umbrellamediagroup.com, 1 +umbrellaye.online, 1 +umbria.network, 1 +umbricht.li, 1 +umeligence.cz, 1 +umenlisam.com, 1 +umetro.ru, 1 +umisonoda.com, 1 +umitribe.gov, 1 +umity.com.ua, 1 +umkomaaslodge-aliwalshoal.co.za, 1 +umlcode.com, 1 +ummiabi.id, 1 +umniy-dom.tk, 1 +umnugobi.tk, 1 +umo.ci, 1 +umojacloud.io, 1 +umojo.com, 1 +umoman.ru, 1 +umount.net, 1 +umripd.gov, 1 +umsapi.com, 1 +umspannwerk-leipzig.de, 1 +umtactivation.com, 1 +umtactivation.in, 1 +umutdemir.com, 1 +umv.gov.co, 1 +umwandeln-online.de, 1 +umweltgalerie.de, 1 +umzuege-hannover.net, 1 +umzugsunternehmen.berlin, 1 +umzugsunternehmenberlin.eu, 1 +un-box.org, 1 +un-framed.co.za, 1 +un-zero-un.fr, 1 +unaffectedsound.tk, 1 +unai-yus.tk, 1 +unaidesarrolladorweb.com, 1 +unaligned.net, 1 +unalignment.com, 1 +unanaciounaseleccio.tk, 1 +unangelturbio.tk, 1 +unaone.net, 1 +unapp.me, 1 +unasim.gq, 1 +unataly.gq, 1 +unataz.tk, 1 +unatbeaubrid.cf, 1 +unatco.noip.me, 1 +unausa.com.br, 1 +unautreregard.tk, 1 +unaware.tk, 1 +unbanked.com, 1 +unbelievableplaces.de, 1 +unbelievaboat.com, 1 +unblock-zh.org, 1 +unblockat.tk, 1 +unblocked.cx, 1 +unblocked.lat, 1 +unblocked.one, 1 +unblockit.asia, 1 +unblockit.bet, 1 +unblockit.bio, 1 +unblockit.blue, 1 +unblockit.cat, 1 +unblockit.click, 1 +unblockit.date, 1 +unblockit.ink, 1 +unblockit.ist, 1 +unblockit.me, 1 +unblockit.name, 1 +unblockit.nz, 1 +unblockit.vegas, 1 +unbolt.cf, 1 +unbonavocat.fr, 1 +unboundmoney.com, 1 +unboxed.cf, 1 +unboxinspector.com, 1 +uncarved.com, 1 +uncensoreddns.dk, 1 +uncensoreddns.org, 1 +uncentodecousas.tk, 1 +unchex.com, 1 +unchile.com, 1 +uncinema.cf, 1 +uncivserver.xyz, 1 +unclaimedretirementbenefits.com, 1 +unclebens-specials.gr, 1 +uncontrollablegas.com, 1 +uncorporate.cf, 1 +uncut.wtf, 1 +uncuteyes.tk, 1 +uncuttype.wtf, 1 +undangan-digital.com, 1 +undangankoo.com, 1 +undawns.tk, 1 +undecidable.de, 1 +undegasesc.net, 1 +undelightfully.tk, 1 +undemocracy.cf, 1 +undemocracy.ga, 1 +undemocracy.gq, 1 +undemocracy.ml, 1 +under-wears.tk, 1 +under15.ml, 1 +undercliff.tk, 1 +underconsideration.com, 1 +undercoverxp.tk, 1 +undercucho.tk, 1 +underdestruction.tk, 1 +underdog.tk, 1 +underfloorheating-uk.co.uk, 1 +undergroomed.com, 1 +underground.jp, 1 +undergrounder.ga, 1 +undergroundiron.tk, 1 +undergroundmusic.tk, 1 +underlined.fr, 1 +undernet.org, 1 +undernet.uy, 0 +undershoping.tk, 1 +underskatten.tk, 1 +understandmaths.co.za, 1 +undertow.ga, 1 +underwaterasia.info, 1 +underwear-fashion.tk, 1 +underwearoffer.com, 1 +underwood.tk, 1 +underwoodpatents.com, 1 +underworlds.tk, 1 +underwriting.ai, 1 +undiariodiferente.tk, 1 +undiepatrol.tk, 1 +undo.co.il, 1 +undone.tk, 1 +undp.lt, 1 +une-bonne-nouvelle.fr, 1 +une-femme-dhonneur.tk, 1 +uneaimages.com, 1 +unearth.ca, 1 +unece-deta.eu, 1 +unefuite.ch, 0 +unej.org, 1 +uneltemasini.ro, 1 +unemployment.ga, 1 +unemployment.gov, 1 +unescoclub.tk, 1 +unetyr.gq, 1 +unexcited.tk, 1 +unexpected.nu, 1 +unexplored-belarus.tk, 1 +unexplored-moscow.tk, 1 +unf.dk, 1 +unfabulous.tk, 1 +unfallrechtler.de, 1 +unfamousrecords.tk, 1 +unfathomable.blue, 1 +unfc.nl, 1 +unfixed-soul.tk, 1 +unfollow.today, 1 +unfriend.tk, 1 +unga.dk, 1 +ungaeuropeer.se, 1 +ungainlybeast.com, 1 +ungedient.de, 1 +unghie.com, 0 +ungnyo.org, 1 +ungolianth.tk, 1 +ungooglize.org, 1 +ungovernable.men, 1 +ungrafakta.cf, 1 +ungrafakta.gq, 1 +ungrafakta.tk, 1 +unhabitat.org, 1 +unhappy.tk, 1 +unhub.ru, 1 +uni-arts.com, 1 +uni-chem.rs, 1 +uni-cleaner.com, 1 +uni-watch.com, 1 +uni2share.com, 1 +unia.es, 1 +unian.info, 1 +uniaofraternalraulcury.com.br, 1 +unibaby.com, 1 +unibet.bz, 1 +unibet.ltd, 1 +unibev.net, 1 +unibevltd.com, 1 +unibh.br, 1 +unibolsit.com, 1 +unibuses.co.uk, 1 +unibusreputation.com, 1 +unicarehealth.com.au, 1 +unicef.pl, 1 +unicefcards.cz, 1 +unicefcards.gr, 1 +unicefcards.sk, 1 +unicefcestitke.rs, 1 +unicefkartkidlafirm.pl, 1 +unicefkepeslapok.hu, 1 +unicefvoscilnice.si, 1 +unicintas.com.br, 1 +unicioushop.com, 1 +unicode.gq, 1 +unicode.link, 1 +unicodesign.ch, 1 +unicolabo.jp, 1 +unicomergiraygana.com, 1 +unicoms.biz, 1 +unicoms.travel, 1 +unicoms.vip, 1 +unicool.tk, 1 +unicorn-systems.net, 1 +unicorn.melbourne, 1 +unicorndesign.ninja, 0 +unicornheaven.net, 1 +unicornmusic.tk, 1 +unicornsoft.tk, 1 +unicorntooling.eu, 1 +unicrack.cf, 1 +unicreditbulbank.info, 1 +unicul.tk, 1 +unicycle.ga, 1 +unicycle.show, 1 +unidadvirtual.com, 1 +unidata.ca, 1 +unideb.hu, 1 +unidet.eu, 1 +unieducar.org.br, 1 +uniekglas.nl, 1 +uniex.ch, 1 +uniex.pw, 1 +unifashion.ro, 1 +unifestal.com, 1 +unifiednetwork.me, 1 +unifiedwellness.ca, 1 +uniforcele.com, 1 +uniformebateriasheliar.com.br, 1 +uniforms.com.au, 1 +unify.id, 1 +unihostbrasil.com.br, 1 +unik.bg, 1 +unikainfocom.in, 1 +unike.tech, 1 +unikimages.com, 1 +unikon.su, 1 +unikos.tk, 1 +unikrn.com, 1 +unikrn.space, 1 +unikrn.tech, 1 +unikrnb2b.com, 1 +unilab.com.ph, 1 +unilinkbus.co.uk, 1 +unilinkgroup.com, 1 +unimarijo.com, 1 +unimarvel.tk, 1 +unimax.com.tw, 1 +unimeias.com.br, 1 +unimex.edu.mx, 1 +unimexver.edu.mx, 1 +unimus.net, 1 +unimusica.tk, 1 +uninatural.com.br, 1 +unine.fun, 1 +unionciclistabinefar.tk, 1 +unioncountyilcourts.gov, 1 +unioncountyiowa.gov, 1 +unioncountyncelections.gov, 1 +unioncountyor.gov, 1 +unioncr.uk, 1 +uniondeterapeutas.com, 1 +unionflpa.gov, 1 +unionhoster.ml, 1 +unionlacalera.tk, 1 +unionlife-net.com, 1 +unionmagdalena.tk, 1 +unionmissouri.gov, 1 +unionplat.ru, 1 +unionreports.gov, 1 +uniontestprep.com, 1 +unionvilleheating.com, 1 +unios.tk, 1 +unipart.digital, 0 +unipass.ga, 1 +unipaz.edu.co, 1 +unipig.de, 0 +uniqclothing.co.za, 1 +uniqopter.com, 1 +uniqsys.eu, 1 +unique-app.com, 1 +unique-news.tk, 1 +unique-punk.tk, 1 +unique-urls.tk, 1 +uniquedollz.tk, 1 +uniqueexpression-coaching.de, 1 +uniquehardware.ca, 1 +uniquehardware.net, 1 +uniquemode.nl, 1 +uniquepress.biz, 1 +uniquest.com.au, 1 +uniquestlye.ga, 1 +uniqueworks.tk, 1 +uniqweb.ga, 1 +uniresbajdas.ml, 1 +unis-pour-la-planete.com, 1 +unis-pour-le-climat.com, 1 +uniselectweb.com, 1 +uniserve.com, 1 +unison-d.com, 1 +unisontech.org, 1 +unisplendour.com, 1 +unisul.br, 1 +unisupdi.com, 1 +unisys.net.nz, 0 +unisyssecurity.com, 1 +unit-linked.ru, 1 +unit-soft.com, 0 +unit7jazz.org, 1 +unitanzania.com, 1 +unite-ka.de, 1 +uniteam.ga, 1 +uniteasia.org, 1 +united-dm.ml, 1 +united-schools.net, 1 +united-trackmaniacs.tk, 1 +united-trainers-league.tk, 1 +united.com, 0 +unitedadmins.com, 1 +unitedarmyofentropia.tk, 1 +unitedaviate.com, 1 +unitedbaby.fr, 1 +unitedbusinessbank.com, 1 +unitedcyberdevelopment.com, 1 +unitedfitness.com.au, 1 +unitedforwildlife.org, 0 +unitedhomeservices.com.au, 1 +unitedhoseinc.com, 1 +unitedkingdoms-guild.com, 1 +unitedlisbon.school, 1 +unitedpayment.com, 1 +unitedpsychological.com, 1 +unitedrestorationfl.com, 1 +unitedsiteservices.com, 1 +unitedstables.tk, 1 +unitedstudents.tk, 1 +unitedstudios.ru, 1 +unitedtractors.com, 1 +unitedvalve.com, 1 +unitedweb.com, 1 +unitedwecare.com, 1 +unitedwestand.gov, 1 +uniteforrecovery.govt.nz, 1 +unitefortherecovery.govt.nz, 1 +unitehelivy.be, 1 +uniteinhealth.org, 1 +unitel2000.de, 0 +unitencup.tk, 1 +unither.com, 1 +unitil.com, 1 +unitingwa.org.au, 1 +unitir.gq, 1 +unitizer.com, 1 +unitop.bg, 1 +unity-lepetitshop.com, 1 +unitycardiology.com.au, 1 +unityconsciousnessbooks.com, 1 +unityfactory.io, 1 +unityor.gov, 1 +unitysavannah.org, 1 +unityseguros.com, 1 +unitysyndicate.tk, 1 +unityvox.com, 1 +uniuni.info, 1 +uniup.tk, 1 +univ-segou.ml, 1 +univalence.me, 1 +univaservizi.academy, 1 +univate.berlin, 1 +univercite.ch, 0 +univeril.com, 0 +univerkeys.com, 1 +universal-credit.com, 1 +universal-happiness.com, 1 +universal-mail.ml, 1 +universal-tutorial.com, 1 +universal.at, 1 +universalcircus.tk, 1 +universaldriveshafts.com, 1 +universalecology.tk, 1 +universalmedia.tk, 1 +universalmusic.pl, 0 +universalpaymentgateway.com, 1 +universalplant.com, 1 +universalspf.org, 1 +universalstars.com.au, 1 +universalwebcommunity.tk, 1 +universdejeff.com, 1 +universe.horse, 1 +universe.la, 1 +universe.wtf, 1 +universehistory.net, 1 +universehk.tk, 1 +universeinform.com, 1 +universellafredsdanser.se, 1 +universellesleben.tk, 1 +universemasterplan.com, 1 +universen.tk, 1 +universereligion.com, 1 +universevision.com, 1 +universidadperu.com, 1 +universitapopolaredeglistudidimilano.wiki, 1 +universiteplatformu.com, 1 +universitepourlavie.tk, 1 +universitesegou.ml, 1 +universityadmissions.se, 1 +universitycentre.co.uk, 1 +universityhealthplans.com, 1 +universityhousemates.co.uk, 1 +universityhousemates.uk, 1 +universityinmaryland.com, 1 +universityintexas.com, 1 +universityofedinburgh.org.uk, 1 +universityofnarowal.ga, 1 +universitywafer.com, 1 +universoagropets.com.br, 1 +universocaballo.top, 1 +universodelasaludanimal.com, 1 +universogay.com, 1 +universrumbacongolaise.com, 1 +universus.tk, 1 +univim.edu.mx, 1 +univitale.fr, 0 +unix.family, 1 +unix.lu, 1 +unixadm.org, 1 +unixapp.ml, 1 +unixattic.com, 1 +unixauto.com, 1 +unixauto.de, 1 +unixauto.hu, 1 +unixauto.ro, 1 +unixauto.sk, 1 +unixer.tk, 1 +unixery.de, 1 +unixforum.org, 1 +unixfox.eu, 1 +unixgeeks.net, 1 +unixhost.ga, 1 +unixteam.de, 1 +unixtime.date, 1 +unk.gov, 1 +unkn0wncat.net, 1 +unknown-player.com, 1 +unknown.kyoto, 0 +unknownhacks.tk, 1 +unknownmasses.tk, 1 +unknownnet.tk, 1 +unknowntrailsrider.tk, 1 +unknowntrojan.win, 1 +unko.cz, 1 +unkrn.com, 1 +unleashfido.com, 1 +unli.xyz, 1 +unlimitedconference.id, 1 +unlimiteddata.digital, 1 +unlimiteddsl.ga, 1 +unlimitedheatingcooling.com, 1 +unlimitedpcs.com, 1 +unlimitedzone.tk, 1 +unlocator.com, 1 +unlock-my-sprint.mobi, 1 +unlockauthority.com, 1 +unlockblackberryfree.co.uk, 1 +unlockboot.com, 0 +unlocken.nl, 1 +unlockerboss.com, 1 +unlocks.co.uk, 1 +unlockscheveningen.nl, 1 +unlocktalent.gov, 1 +unlocktoolactivation.com, 1 +unlocktoolactivation.in, 1 +unluco.com, 1 +unmanaged.space, 1 +unmarkdocs.co, 1 +unmask.earth, 1 +unmetric.com, 1 +unminutomami.com, 1 +unmo.com, 1 +unn-edu.info, 1 +unnamed.tk, 1 +unnas.ca, 1 +unniehallyu.co.uk, 1 +uno-express.de, 1 +uno.fi, 1 +uno.uk, 1 +unoccupyabq.org, 1 +unocha.org, 1 +unofficialbpb.tk, 1 +unoodostoques.tk, 1 +unope.ml, 1 +unope.ru, 1 +unope.tk, 1 +unoptional.tk, 1 +unoriginal.tk, 1 +unosconotros.com, 1 +unovosti.tk, 1 +unp.me, 1 +unpar.ac.id, 1 +unparenting.com, 1 +unpi06cannes.fr, 1 +unpi38.fr, 1 +unpkg.com, 1 +unpleasant.tk, 1 +unpluggedjuice.dk, 1 +unplugstore.it, 1 +unply.com, 1 +unpoditalia.se, 1 +unpossible.xyz, 1 +unpost.net, 1 +unpr.dk, 1 +unreal-estate.cz, 1 +unreal-estate.pl, 1 +unreal.dk, 1 +unrealircd-api.org, 1 +unrealircd.org, 1 +unrelated.net.au, 1 +unrepentant.cf, 1 +unrepentant.ga, 1 +unrepentant.ml, 1 +unrestricted.ga, 1 +unri.de, 1 +unric.org, 1 +uns.com, 1 +unsee.cc, 1 +unseeliefilms.com, 1 +unseeliepress.com, 1 +unseen.is, 1 +unser-gartenforum.de, 1 +unsigcrazy.art, 1 +unsourirealecole.fr, 1 +unstable.fun, 1 +unstable.network, 1 +unstable.systems, 1 +unstablewormhole.ltd, 1 +unstockd.org, 1 +unstoppable.money, 1 +unstoppabledomains.com, 1 +unstoppableever.com.br, 1 +unstoppableunits.com, 1 +unsupervised.ca, 1 +untarget.ai, 1 +unterfrauner.it, 1 +unterhaltungsbox.com, 1 +unternehmensberater-website.de, 1 +unternehmensbewertung.pro, 1 +unternehmerrat-hagen.de, 1 +unternimmteam.de, 1 +untethereddog.com, 0 +unti.me, 1 +unti.tk, 1 +untidybits.com, 1 +untitled-home-storage.cyou, 1 +untrading.org, 1 +untro.xyz, 0 +untvweb.com, 1 +unufoundation.com, 1 +unusualhatclub.com, 1 +unusualplaces.org, 1 +unusualsubstance.com, 1 +unveiledgnosis.com, 1 +unveilturkey.com, 1 +unvetalaretraite.ca, 1 +unviajedesabor.com, 1 +unvired.com, 1 +unwa.tk, 1 +unwire.com, 1 +unwiredbrain.com, 0 +unwishingmoon.com, 1 +unworthy.ml, 1 +unx.dk, 1 +unxicdellum.cat, 1 +unyouth.co.nz, 1 +unyouth.nz, 1 +unyouth.org.nz, 1 +uoe.com, 1 +uomo.com.ar, 1 +uopeople.reviews, 1 +uoui.de, 1 +up-obmen.ml, 1 +up-stage.jp, 1 +up.com.au, 1 +up1s.tk, 1 +up2date.com.ua, 1 +up2mark.com, 0 +up2staff.com, 1 +up2tech.fr, 1 +up4cash.com, 1 +upahminimum.com, 1 +upakovka-podarkov.tk, 1 +upandatom.biz, 1 +upandrunningtutorials.com, 1 +upar.org, 1 +upay.ru, 1 +upbad.com, 1 +upbatangan.tk, 1 +upbeatrobot.com, 1 +upbeatrobot.email, 1 +upbeatrobot.eu, 1 +upbeatrobot.net, 1 +upbeatrobot.nl, 1 +upbeatrobot.org, 1 +upbeatrobot.social, 1 +upbtrbt.com, 1 +upbtrbt.eu, 1 +upbtrbt.net, 1 +upbtrbt.nl, 1 +upbtrbt.org, 1 +upcambio.com, 1 +upclinic.ru, 1 +upcloud.cz, 1 +upcwifikeys.com, 1 +upcycleandcompany.com, 1 +upd.jp, 1 +updata.com, 1 +update-linthdcp-567app1.com, 1 +updefense.io, 1 +updoze.com, 1 +upengo.com, 1 +uperne.ro, 1 +upestudios.tk, 1 +upex.tk, 1 +upfield.com, 1 +upflow.io, 1 +upforshare.com, 1 +upfronthealthcare.com, 1 +upfurniture.tk, 1 +upgamerengine.com, 1 +upgamerengine.com.br, 1 +upgamerengine.net, 1 +upgintl.com, 1 +upgrade.com, 1 +upgradeguru.de, 1 +upgradeit.dk, 1 +upgradeloans.com, 1 +upgrades-and-options.com, 1 +upgraid.ru, 1 +upguard.com, 1 +upguard.org, 1 +uphabit.io, 1 +uphold-15-party.com, 1 +upholsterycleanerslondon.co.uk, 1 +upholsterydesign.com.au, 1 +uphost.be, 1 +uphshrine.com, 1 +upitnik.rs, 1 +upjong.co.kr, 1 +uplandsparkmo.gov, 1 +uplaqui.com.br, 1 +uplead.com, 1 +upleveled.io, 1 +uplexis.com.br, 1 +upliftingappalachia.org, 1 +uplinkgame.tk, 1 +uplinklabs.net, 1 +uplinkrev.com, 1 +uplinks24.com, 1 +upload.facebook.com, 0 +uploadbaz.me, 1 +uploadbeta.com, 1 +uploadcare.com, 1 +uploadingsite.com, 1 +uploadletters.com, 1 +uploads.su, 1 +uploadscript.tk, 1 +uploadtokiosk.com, 1 +upmail.ml, 1 +upmchealthsecurity.us, 1 +upmediaclick.com, 1 +upmediaclick.net, 1 +upmediamarketer.ml, 1 +upmls.com, 1 +upmon.com, 1 +upnetwork.ml, 1 +upnext.tk, 1 +upnfm.edu.hn, 1 +upnorth.solutions, 1 +uponsel.com, 1 +uportal.tk, 1 +upp.com, 1 +uppercloud.cf, 1 +upperglass.co.uk, 1 +upperinc.com, 1 +upperskagittribe-nsn.gov, 1 +uppfinnarenc.tk, 1 +upplands-bro.se, 1 +upplevelse.com, 1 +uppsala.tk, 1 +upr.com.ua, 1 +upr.edu, 1 +upr.llc, 1 +upr.si, 1 +upr.ua, 1 +uprawnienia-1kv.pl, 1 +uprawnienia-dronowe.pl, 1 +uprawnienia-drony.pl, 1 +uprawnienia-elektryczne.pl, 1 +uprawnienia-g1.pl, 1 +uprawnienia-motorowodne.pl, 1 +uprawnienia-pomiary.pl, 1 +uprawnienia-sep-1kv.pl, 1 +uprawnienia-sep.com.pl, 1 +uprawnieniaeuropejskie.pl, 1 +uprawnienie-sep.pl, 1 +uprc.edu, 1 +uprep.lol, 1 +uprep.ml, 1 +uprh.edu, 1 +uprint.it, 1 +uprisehigh.com, 1 +upropay.com, 1 +upscaled.nl, 1 +upschreven.blog, 0 +upscope.io, 1 +upsdelperu.com.pe, 1 +upseed.ru, 1 +upsettunnel.com, 1 +upsihologa.com.ua, 0 +upsilonsigmaphi.us, 1 +upsiteseo.com, 1 +upskilllearning.ml, 1 +upskirtmania.tk, 1 +upsocial.ga, 1 +upsocial.pp.ua, 1 +upstairs.one, 1 +upstart.com, 1 +upstatesc.net, 1 +upstream.auto, 1 +uptech.biz.id, 1 +uptechbrasil.com.br, 1 +uptimed.com, 1 +uptimeradar.com, 1 +uptimeuno.com, 1 +uptional.gq, 1 +uptodateinteriors.com, 1 +uptoplay.ovh, 1 +uptownbabe.com, 1 +uptrends.com, 1 +uptrends.de, 1 +uptrex.co.uk, 1 +upundit.com, 1 +upupming.site, 0 +upupor.com, 1 +upviews.tk, 1 +upwardcreative.com, 1 +upwardflourish.com, 1 +upwardtraining.co.uk, 1 +upwork.com, 1 +uq1k.com, 1 +uqschool.com, 1 +uquid.com, 1 +uquidcoin.com, 1 +ur-lauber.de, 1 +ur.nl, 1 +ur2.pw, 1 +urabain.com, 1 +uraimo.com, 1 +urakn0x.tk, 1 +ural-emal.ga, 1 +ural-travel.ml, 1 +ural.cf, 1 +ural.ga, 1 +ural.tk, 1 +uralec.tk, 1 +uralscoin.ml, 1 +uralsite.cf, 1 +uralsk.ml, 1 +uralskaya-garmon.tk, 1 +uralspravka.cf, 1 +urandom.co.uk, 1 +urang-kurai.tk, 1 +uraniborg.net, 1 +uraniumhost.ga, 1 +uranius.eu, 1 +uranmoney.ml, 1 +uranus.cf, 1 +urbackups.com, 1 +urbalex.ch, 0 +urban-culture.fr, 1 +urban-lounge.tk, 1 +urban-news.tk, 1 +urban.melbourne, 1 +urbanagriculturesummit.cf, 1 +urbanail.gov, 1 +urbanarcana.tk, 1 +urbanartisan.cf, 1 +urbanbageecha.com, 1 +urbanbikeweamr.ga, 1 +urbanbooks.tk, 1 +urbancoyoteresearch.com, 0 +urbancreators.dk, 1 +urbane-narrationen.de, 1 +urbanesecurity.com, 1 +urbanevielfalt.de, 1 +urbanface.photography, 1 +urbanfineart.ro, 1 +urbanfoodmarket.nl, 1 +urbanfun.ga, 1 +urbangaming.tk, 1 +urbangardening.ga, 1 +urbangymfirenze.com, 1 +urbanhost.tk, 1 +urbanhotbed.eu, 1 +urbanhub.lt, 1 +urbanietz-immobilien.de, 1 +urbanindustriecoiffure-auray.fr, 1 +urbanism.xyz, 1 +urbanized.tk, 1 +urbanizedrecords.tk, 1 +urbanlounge.tk, 1 +urbanlymodern.com, 1 +urbanmic.com, 1 +urbanmuslim.tk, 1 +urbannewsservice.com, 1 +urbanology.tk, 1 +urbanon.cz, 1 +urbanovich.net, 1 +urbanpiraten.tk, 1 +urbanpromisetrenton.org, 1 +urbansketchers.org, 1 +urbansoundwave.tk, 1 +urbanspitz.tk, 1 +urbanstylestaging.com, 1 +urbantecno.com, 1 +urbantrafficschool.com, 1 +urbantrail.tk, 1 +urbantz.com, 1 +urbanusonline.tk, 1 +urbanwaters.gov, 1 +urbanwave.co.za, 1 +urbanwindows.ca, 1 +urbanxdevelopment.com, 0 +urbarberjerry.com, 1 +urbest.io, 1 +urbex.link, 1 +urbexdk.nl, 1 +urburb.social, 1 +urbv.eu, 1 +urbv.net, 1 +urbv.org, 1 +urcentral.com, 1 +urcentral.eu, 1 +urcentral.net, 1 +urcentral.nl, 1 +urcentral.org, 1 +urcommunitytimebanking.org.au, 1 +urdoverie.com, 1 +ureed.com, 1 +ureka.org, 1 +urfreecon.tk, 1 +urge55.com, 1 +urgences-valais.ch, 1 +urgencesolidarite.fr, 1 +urgent-notice.ml, 1 +urgentcaresouthaven.com, 1 +urgrafix.com, 1 +urion.com.br, 1 +uriport.com, 1 +uriports.com, 1 +uripura.de, 1 +urist1011.ru, 1 +urka.tk, 1 +urke.tk, 1 +urkhole.tk, 1 +urko.shop, 1 +urkonsultant.tk, 1 +urkult.se, 0 +url.fm, 1 +url.gd, 1 +url.ht, 1 +urlakite.com, 1 +urlaub-busreisen.de, 1 +urlaub-fuerteventura.info, 1 +urlaub-leitner.at, 1 +urlaub.de, 1 +urlaubsziele.com, 1 +urlbox.tk, 1 +urlcitr.us, 1 +urlcitrus.com, 1 +urlendecoder.tk, 1 +urlfly.tk, 1 +urlgoo.ga, 1 +urlive.ga, 1 +urljournal.tk, 1 +urlparse.com, 1 +urlrating.com, 1 +urlscan.io, 1 +urlsimple.tk, 1 +urltell.com, 1 +urltodomain.com, 1 +urluno.com, 1 +urlwing.tk, 1 +urlz.ml, 1 +urlz.tk, 1 +urmikron.tk, 1 +uro.soy, 1 +urocentre.ga, 1 +urogen.com, 1 +uroki.tk, 1 +urology.wiki, 1 +urologyoklahoma.com, 1 +urologyspecialistspc.com, 1 +urologywi.com, 1 +uronlinestreams.ga, 1 +uroute.co, 1 +urown.net, 1 +urprayermonk.org, 1 +urrestarazuserranoabogados.com, 1 +ursa-minor-beta.org, 1 +ursae.co, 1 +ursazrnec.com, 1 +ursonatefanzine.tk, 1 +urspringer.com, 1 +urspringer.de, 1 +urstore.ga, 1 +ursula-gadalka.tk, 1 +ursulahadasch.de, 1 +ursuslibris.hu, 1 +urt.fm, 1 +uruguay-experience.com, 1 +urukproject.org, 1 +uruslugi.tk, 1 +urvastekool.edu.ee, 1 +us-10.cc, 1 +us-10.com, 1 +us-films.com, 1 +us-igloopreview.com, 1 +us-immigration.com, 1 +us.ax, 1 +us.gov, 1 +us.kg, 1 +us.marketing, 1 +us.nl.eu.org, 1 +us10.net, 1 +us2uplumbing.com.au, 1 +usa-10.com, 1 +usa-10.net, 1 +usa-greencard.eu, 1 +usa-reisetipps.net, 1 +usa.gov, 1 +usa10.net, 1 +usa250.gov, 1 +usaa.com, 0 +usabackground.com, 1 +usabilis.com, 1 +usability.com.gr, 1 +usability.gov, 1 +usabusinessdirectories.com, 1 +usacainfo.com, 1 +usacarry.com, 1 +usacrime.com, 1 +usadba.net.ru, 1 +usadf.gov, 1 +usadirectory.tk, 1 +usaestaonline.com, 1 +usage.be, 1 +usagi-ku.ga, 1 +usagm.gov, 1 +usagov.gov, 1 +usahealthwebapps.com, 1 +usaherald.com, 1 +usaisilanlari.com, 1 +usait.org, 1 +usajobs.com, 1 +usajobs.gov, 1 +usalearning.gov, 1 +usamale.cf, 1 +usamdt.com, 1 +usamocha.com, 0 +usamultimeters.com, 0 +usanamiru.cz, 1 +usanewsposts.ga, 1 +usanewstrends.ga, 1 +usapel.com.br, 1 +usaprimecredit.org, 1 +usapublicrecords.com, 1 +usascripthelpers.com, 1 +usaseanconnect.gov, 1 +usastaffing.gov, 1 +usatales.com, 0 +usatiuk.com, 1 +usatodaynetworkservice.com, 1 +usatodaysportsplus.com, 1 +usavingsbank.com, 1 +usaweblist.tk, 1 +usawireguard.com, 1 +usbcompatible.com, 1 +usbevents.co.uk, 1 +usbr.gov, 1 +uscc.org.ua, 1 +uscis.gov, 1 +uscitizenship.info, 1 +uscloud.nl, 1 +uscp8.com, 1 +usctt.org, 1 +uscurrency.gov, 1 +uscveteranspark.org, 1 +usda.gov, 1 +usdailyhealth.tk, 1 +usdfc.gov, 1 +usdirectory.com, 1 +usdirectory.tk, 1 +usdoj.gov, 1 +usdoscloud.gov, 1 +usds.gov, 1 +usdty.to, 1 +use.be, 1 +use1.net, 1 +usebosin.gq, 1 +usecamisetas.com, 1 +used-laptop.in, 1 +used255.xyz, 1 +useful-thing.ru, 1 +usefuldiy.com, 1 +usefulinsight.com, 1 +usehonk.com, 1 +usemergencyservices.com, 1 +usenet.tk, 1 +usenethd.li, 1 +usenetreviewz.com, 1 +useon.com, 1 +useon.ru, 0 +user-agent.ml, 1 +user-daitron.jp, 1 +userbase.com, 1 +usercentrics.com, 1 +usercompare.tk, 1 +userflow.com, 1 +userhelp.tk, 1 +username.nz, 1 +userra.gov, 1 +userstation.de, 1 +userstyles.world, 1 +usetypo3.com, 1 +useworkshop.com, 1 +useyourloaf.com, 1 +usgamesinc.com, 1 +usgeneralhealth.tk, 1 +usgeo.gov, 1 +usgovernmentnews.com, 1 +usgs.gov, 1 +ushandbookapp.com, 1 +ushare.ch, 1 +ushealthprovider.ga, 1 +usherwoodexecutivetravel.com, 1 +usicecenter.gov, 1 +usidfc.gov, 1 +usintimate.com.br, 1 +usjobmarket24.com, 1 +usjt.br, 1 +usk-clan.tk, 1 +uskaonline.tk, 1 +uskaria.com, 1 +uskostadariksi.fi, 1 +usleravnekrog.dk, 1 +uslugi-advokata.ga, 1 +uslugi-advokata.tk, 1 +uslugi-online.pl, 1 +uslugi-voronezh.tk, 1 +uslugikoparkalodz.gq, 1 +usmammy.com.tw, 1 +usmantrader.gq, 1 +usmiddleclass.net, 1 +usmint.gov, 1 +usmoneyreserve.com, 1 +usmrecycles.com, 1 +usnews-new.tk, 1 +usnews.ga, 1 +usninosnikrcni.eu, 1 +usnti.com, 1 +usodesu.ga, 1 +usoog.com, 1 +usoptical.com, 1 +uspaacc.com, 1 +usparklodging.com, 1 +uspeh62.tk, 1 +uspeli.ml, 1 +uspesnyprvnacek.cz, 1 +usphs.gov, 1 +uspib.info, 1 +usplate.com, 1 +uspon.tk, 1 +usportsgo.com, 1 +uspory.cz, 1 +uspreventiveservicestaskforce.org, 1 +uspsblog.com, 1 +uspsoig.gov, 1 +usrspace.at, 1 +uss-atlas.de, 1 +uss-electro.ru, 1 +ussemiquincentennial.gov, 1 +ussfcu.org, 1 +ussm.gov, 1 +ussm.tk, 1 +ussnoorinayatkhan.com, 1 +ussst.org, 1 +ussst.org.in, 1 +ust.space, 1 +ustabor.uz, 1 +ustaywell.com, 1 +ustc.fun, 1 +ustensiles-cuisine.boutique, 1 +ustoy.com, 1 +ustr.gov, 1 +ustreasuryetf.com, 1 +ustugov.kiev.ua, 1 +ustugova.kiev.ua, 1 +ustyj.tk, 1 +usu.org.ua, 1 +usuan.net, 1 +usuluddin.ga, 1 +usuluddin.tk, 1 +usuwanie-wirusow-wordpress.pl, 1 +usvisallc.com, 1 +uswitch.com, 1 +usyfawovad.gq, 1 +usygov.ga, 1 +ut-addicted.com, 1 +ut-jobs.net, 1 +ut5s.com, 1 +utafutbol.tk, 1 +utagawavtt.com, 1 +utageno.jp, 1 +utahblackplate.com, 1 +utahblackplates.com, 1 +utahcanyons.org, 1 +utahcountydjcompany.com, 1 +utahdebtcare.com, 1 +utahfanclub.org, 1 +utahfireinfo.gov, 1 +utahlake.gov, 1 +utahlivebands.com, 1 +utahmotors.ru, 1 +utahonlinedivorce.com, 0 +utahphotogs.com, 1 +utaindoradio.cf, 1 +utangard.net, 1 +utaowan.com, 0 +utarn.icu, 1 +utavatu.mk, 1 +utazas-nyaralas.info, 1 +utbabogados.com, 1 +utbosbeekhuuske.tk, 1 +utcast-mate.com, 1 +utcle.org, 1 +utduc.com, 1 +utec.edu.pe, 1 +utepecem.com, 1 +utevai.tk, 1 +uthavi.org, 1 +utiao.net, 1 +utiars.com, 1 +uticagravel.com, 1 +utilajexpert.ro, 1 +utilbot.co, 1 +utilia.tools, 1 +utilidad.tk, 1 +utililab.com, 1 +utilitarian.com, 1 +utilitarian.org, 1 +utilitarianism.com, 1 +utilitarianism.org, 1 +utilitarianism.uk, 1 +utilitarismo.com, 1 +utilitas.ee, 1 +utilitiesconstructionsettlement.com, 1 +utilitronium-shockwave.com, 1 +utilitronium.com, 1 +utilityapi.com, 1 +utilitybot.in, 1 +utilityconcierge.com, 0 +utilityteam.in, 1 +utilitytech.in, 1 +utleg.gov, 1 +utloperadora.com.br, 1 +utobo.com, 1 +utodyg.ga, 1 +utonia.ch, 1 +utopiahsa.com, 1 +utopialgb.org.uk, 1 +utopian-institute.tk, 1 +utopian-surgery.com, 1 +utopiancapitalism.tk, 1 +utopians.dk, 0 +utopiasmart.city, 1 +utopiatech.tk, 1 +utopicestudios.com, 1 +utopique.net, 1 +utopyaforum.tk, 1 +utrace.me, 1 +utrantor.org, 1 +utrymningsplaner.se, 1 +uttama.ga, 1 +uttenheim.net, 1 +utterberry.io, 1 +utterman.se, 1 +uttnetgroup.fr, 1 +utube.ai, 1 +utural.tk, 1 +utusan.com.my, 1 +utw.me, 1 +utwente.io, 1 +utwf.org, 1 +utzon.net, 1 +uu5197.co, 1 +uu6729.co, 1 +uu6729.com, 0 +uu6957.co, 1 +uu9297.co, 1 +uu939.com, 1 +uu9728.co, 1 +uubb.top, 0 +uuin.top, 1 +uuit.nl, 1 +uulu.edu.ee, 1 +uurl.cf, 1 +uurl.ga, 1 +uutf.org.uk, 1 +uuuu.loan, 1 +uuuvn.space, 1 +uv.uy, 1 +uvadag.nl, 1 +uvarov.pw, 0 +uvb.com.co, 1 +uvesco.es, 1 +uvlamp.ee, 1 +uvocorp.com, 1 +uvomaltiv.ch, 1 +uvpress.com, 1 +uvsa.org.au, 1 +uvsar.com, 1 +uvt.com.co, 1 +uvtcinemas.com, 1 +uvx.io, 1 +uwac.co.uk, 0 +uwalumni.com, 0 +uwat.cc, 1 +uwat.cf, 1 +uwdigitaleboekhouder.nl, 1 +uwe-arzt.de, 1 +uwe-r.com, 1 +uwe-reimold.com, 1 +uwe-reimold.de, 1 +uwe.training, 1 +uwe.wtf, 1 +uweeze.com, 1 +uwefreund.com, 1 +uweier.com, 1 +uwereimold.de, 1 +uwesander.de, 1 +uwfreelanceopticien.nl, 1 +uwiventuresltd.com, 1 +uwtd.me, 1 +uwu.lgbt, 0 +uwu.nu, 1 +uwu.tw, 1 +uwwsb.com, 1 +ux-designers.nl, 1 +ux-solution.de, 0 +ux.pub, 1 +uxdesignerjobs.nl, 1 +uxg.ch, 1 +uxpressia.com, 1 +uxteam.com, 1 +uy.search.yahoo.com, 0 +uygindir.ml, 1 +uyz.me, 1 +uz-yulduzlar.tk, 1 +uz.search.yahoo.com, 0 +uz1xbet.com, 1 +uzagmozemunk.ga, 1 +uzagmozemunk.ml, 1 +uzayliyiz.biz, 1 +uzbaza.tk, 1 +uzbek-soft.tk, 1 +uzbekistan24.tk, 1 +uzbekkizlari.cf, 1 +uzbekkizlari.gq, 1 +uzbekkizlari.ml, 1 +uzbekkizlari.tk, 1 +uzbektumblers.tk, 1 +uzbwap.tk, 1 +uze-store.com, 1 +uzhas-uzhasny.ml, 1 +uzhits.cf, 1 +uzidesign.com, 1 +uziregister.nl, 0 +uzkalip.com, 1 +uzmansorusu.com, 1 +uznaychtotakoe.ru, 1 +uzoic.com, 1 +uzone.uk, 0 +uzparimatch.com, 1 +uzsvm.cz, 1 +uztop.ml, 1 +uzzamari.com, 1 +uzzamari.com.br, 1 +v-cn.net, 1 +v-d-p.net, 1 +v-empower.com, 1 +v-gornom.ga, 1 +v-horus.cloud, 1 +v-jo.com, 1 +v-kurgane.tk, 1 +v-media.tk, 1 +v-news.tk, 1 +v-novosibirske.tk, 1 +v-ogorode.info, 1 +v-phoenix.tk, 1 +v-platinum.ru, 1 +v-plus.ru, 1 +v-spin.cz, 1 +v-tek.fi, 1 +v-u-z.ru, 1 +v.pn, 1 +v.ps, 1 +v0ctor.me, 1 +v0i.de, 1 +v0v.cc, 1 +v0v.de, 1 +v1.dk, 1 +v10006.com, 0 +v10008.com, 1 +v139.com, 1 +v1r2zz.tk, 1 +v1sit0r.ru, 1 +v2.digital, 1 +v2.engineer, 1 +v2.pw, 1 +v2bv.net, 1 +v2bv.win, 1 +v2ex.com, 1 +v2mcdev.com, 1 +v2raytech.com, 1 +v2x.sk, 1 +v2xtls.org, 1 +v2yes.com, 1 +v3025.com, 0 +v33v33.com, 1 +v36533.com, 1 +v44v44.com, 1 +v5017.com, 0 +v51365.com, 1 +v5197.co, 1 +v55565.com, 0 +v55v55.com, 1 +v5658.com, 0 +v5ray.club, 1 +v5ray.top, 1 +v6004.com, 1 +v6021.com, 0 +v6170.com, 0 +v6350.com, 0 +v6506.com, 0 +v66255.com, 0 +v66557.com, 0 +v6729.co, 1 +v6752.com, 0 +v6957.co, 1 +v6ss.com, 1 +v700a.com, 1 +v700bb.com, 1 +v700cc.com, 1 +v700dd.com, 1 +v700ee.com, 1 +v700w.com, 1 +v7090.com, 0 +v81365.com, 1 +v82365.com, 1 +v88158.com, 0 +v8abc.com.br, 1 +v8builder.com, 1 +v9285.com, 0 +v9297.co, 1 +v9728.co, 1 +va-11-hall-a.cafe, 1 +va.gov, 0 +va.ua, 1 +va11hal.la, 1 +va11halla.ddns.net, 1 +vaaddress.co, 1 +vaan-arbeidsrecht.nl, 1 +vaarfoto.nl, 1 +vaartjesboten.nl, 1 +vaat.io, 1 +vabusinesses.org, 1 +vacacionesenlinea.com, 1 +vacacionestours.com, 1 +vacaf.org, 1 +vacanze-in-montagna-dolomiti.com, 1 +vacanze-merano.org, 1 +vacatecleaning.melbourne, 1 +vacati0n.tk, 1 +vacation-croatia.com, 1 +vacation-in-pisak.tk, 1 +vacationfund.co, 1 +vacationsforcouples.com, 1 +vacaturesonline.nl, 1 +vaccantcorner.ml, 1 +vaccinateiowa.gov, 1 +vaccine.gov, 1 +vaccines.gov, 1 +vaccineskill.biz, 1 +vaccinestats.net, 1 +vacek.llc, 1 +vacine.gov, 1 +vacines.gov, 1 +vackor.tk, 1 +vackradetaljer.se, 1 +vaclan.tk, 1 +vaclavambroz.eu, 1 +vacome.com, 1 +vacu.store, 1 +vacuna.gov, 1 +vacunas.gov, 1 +vacuumpump.co.id, 1 +vacuumsealers.ml, 1 +vacuumsupplystore.com, 1 +vadang.net, 1 +vadeainterior.com, 1 +vademekum.com, 1 +vader.news, 1 +vaderochvind.se, 1 +vaderqkcloud.ddns.net, 1 +vadiar-angola.tk, 1 +vadidanismanlik.com, 1 +vadik.me, 1 +vadillodelasierra.tk, 1 +vadis.tk, 1 +vadkuhparty.xyz, 1 +vado.li, 1 +vadras.rs, 1 +vaew.com, 1 +vagabond.film, 1 +vagabond.fr, 1 +vagabond.tk, 1 +vagabondages.tk, 1 +vagabondgal.com, 1 +vagabundos.tk, 1 +vagaerg.com, 1 +vagaerg.net, 1 +vaganciatechnology.com, 0 +vagasdeempregos.ga, 1 +vageenadispenser.tk, 1 +vaginalrejuvenationkentucky.com, 1 +vagmour.eu, 1 +vagonetta.tk, 1 +vagpartsdb.com, 1 +vagrantbits.com, 1 +vagrantcloud.com, 1 +vagrantup.com, 0 +vague-normande.com, 1 +vahak.in, 0 +vahl.blue, 1 +vahle.de, 1 +vahoshop.cz, 1 +vaibhavchatarkar.com, 0 +vaidikapriya.pub, 0 +vail.gov, 1 +vaildcrack.com, 1 +vaindil.com, 1 +vaioswolke.xyz, 0 +vairuok.lt, 1 +vak-pobeda.ru, 1 +vakanser.se, 1 +vakantiedetective.nl, 1 +vakantiehuis-ribbers.nl, 1 +vakantiehuisverzekeringen.nl, 1 +vakantieinfo.tk, 1 +vakantieveilingen.be, 1 +vakantieveilingen.nl, 1 +vakantieverblijfalgarve.nl, 1 +vakat.eu, 1 +vakifuniver.ru, 1 +vakita.fi, 1 +vakrebella.no, 1 +vakuutuskanava.fi, 1 +vakwinkeldemo.nl, 1 +val-casies.net, 1 +val-sec.com, 1 +valach.cz, 1 +valagrovoce.com, 1 +valant.io, 1 +valaphee.com, 1 +valariejenkins.com, 1 +valasi.eu, 1 +valassis.com, 1 +valasskyregion.cz, 1 +valbon.pl, 1 +valcano-krd.ru, 1 +valcano.ru, 1 +valdecaballeros.tk, 1 +valdega.org, 1 +valdelcubo.tk, 1 +valdifunes.com, 1 +valdor2.com, 1 +valdres.tk, 1 +valdultimo.org, 1 +valecnatechnika.cz, 1 +valek.net, 1 +valemountchamber.com, 1 +valemusicfest.com.br, 1 +valencia-s-vikoy.ru, 1 +valenciaescatala.tk, 1 +valencianisme.tk, 1 +valencianistas.tk, 1 +valencraft.ca, 1 +valencraft.com, 1 +valenhub.com, 1 +valenhub.es, 1 +valentin-dederer.de, 1 +valentin-ochs.de, 1 +valentin-weibel.com, 1 +valentin.app, 1 +valentinaquino.com, 1 +valentinarosamilia.com, 1 +valentinberclaz.com, 0 +valentinemom.cf, 1 +valentinemom.ga, 1 +valentinemom.gq, 1 +valentinemom.ml, 1 +valentinene.gov, 1 +valentinesongs.com, 1 +valentinoduval.fr, 1 +valentinog.com, 1 +valentinstag.ga, 1 +valentinstag.ml, 1 +valentinvesa.ro, 1 +valentytech.com, 1 +valerian.tk, 1 +valeriansaliou.name, 1 +valeriapanarina.com, 0 +valerieadolff.com, 1 +valerieorsoni.com, 1 +valeriya.life, 1 +valeryvenom.net, 1 +valescarodrigues.com.br, 1 +valgagym.ee, 1 +valgardsempornium.pw, 1 +valgavesi.ee, 1 +valhallastrengthsthbne.com.au, 1 +valiakhmetov.tk, 1 +valiant.finance, 1 +valiantprep.org, 1 +valid.com, 1 +validation.link, 1 +validatis.com, 1 +validator.nu, 1 +validbot.com, 1 +validius.fi, 1 +validius.net, 1 +validptr.zone, 1 +validus.sg, 1 +validvent.com, 1 +valifai.com, 1 +valigate.com, 1 +valigrama.ro, 1 +valika.ee, 1 +valimail.com, 1 +valimised.ee, 0 +valisevoyage.fr, 1 +valitsus.ee, 0 +valivalcoach.com, 1 +valivalcommerce.com, 1 +valkiryan.tk, 1 +valkohalla.dk, 1 +valkohattu.fi, 1 +valkoi-konyvtar.hu, 1 +valkoi-konyvtar.tk, 1 +valkoi-ksk.tk, 1 +valkova.net, 1 +valladolidlempira.tk, 1 +vallansuunta.net, 1 +vallartense.tk, 1 +valledeleresma.tk, 1 +valledibraies.org, 1 +valleditrianotizie.it, 1 +vallee-egoutiers.ca, 1 +valleesenlutte.org, 1 +vallei-veluwe.nl, 1 +vallejo.gov, 1 +vallejoca.gov, 1 +vallen.com, 1 +vallenar.tk, 1 +valleyautofair.com, 1 +valleybrookholidays.com, 1 +valleycom.com, 1 +valleycountyne.gov, 1 +valleydalecottage.com.au, 1 +valleyofdeath.tk, 1 +valleyofpeace.co.nz, 1 +valleyradiologypad.com, 1 +valleyradiologyufe.com, 1 +valleyshop.ca, 1 +valleystories.ga, 1 +valleysupply.biz, 1 +valleywaste.ca, 1 +valleywidetvrepair.ml, 1 +vallutaja.eu, 1 +valnetcdn.com, 1 +valoan.me, 1 +valolo.fr, 1 +valopv.be, 1 +valor-host.ml, 1 +valorantpicker.com, 0 +valorantpornhentai.com, 0 +valordolarblue.com.ar, 1 +valordotrabalho.com.br, 1 +valoriashard.tk, 1 +valorizofficial.com, 1 +valparaiso.tk, 1 +valparaisoin.gov, 1 +valpareso.tk, 1 +valphenn.blue, 1 +valpovo-online.tk, 1 +valsa.mx, 1 +valsenales.it, 1 +valshamar.is, 1 +valskis.lt, 1 +valsorey.ch, 0 +valtech.de, 1 +valtech.io, 1 +valtherperron.nl, 1 +valtlai.fi, 1 +valtoaho.com, 1 +valtool.uk, 1 +valu.com.eg, 1 +valudo.st, 1 +value.gd, 1 +valueaddedonline.com, 1 +valuelinksoftware.com, 1 +valuemyhome.co.uk, 1 +valuemyhome.uk, 1 +valueourmind.com, 1 +valueourminds.com, 1 +valueourminds.org, 1 +valueresearchonline.com, 1 +values.com, 1 +valueseed.net, 1 +valunet.co.za, 1 +valuoo-legal.com, 1 +valuskills.co.za, 1 +valuta-tools.nl, 1 +valuuttamuunnin.com, 1 +valvulasvaneo.com, 1 +vam-podarok.tk, 1 +vam3.com, 1 +vami.tk, 1 +vamoneysearch.gov, 1 +vamonospaportugal.tk, 1 +vamosalvaiazere.pt, 1 +vamosargentina.tk, 1 +vamoscomparar.com, 1 +vamoscurarsintra.pt, 1 +vamosfalardesaude.pt, 1 +vampire-studios.tk, 1 +vampire142.fr, 1 +vampireapocalypsesurvival.com, 1 +vampiresdawn.org, 1 +vampirzine.tk, 1 +vampyrium.com, 0 +vampyrium.net, 0 +vamsucai.com, 1 +vamziyuan.com, 1 +van-assen.com, 1 +van-brandevoort.tk, 1 +van-der-straeten.be, 1 +van.ddns.net, 1 +van11y.net, 1 +vanafhier.nl, 1 +vanarok.xyz, 0 +vanasperenschoenen.nl, 1 +vanbalen.be, 1 +vanbarel.tk, 1 +vanboven.nl, 1 +vanboyvital.tk, 1 +vanbruchem.tk, 1 +vanburencounty-mi.gov, 1 +vanburencountyiowa.gov, 1 +vancityconcerts.com, 1 +vancouver.gov, 1 +vancouvercosmeticsurgery.ca, 1 +vancouverdriveband.com, 1 +vancouverok.com, 1 +vancouverwademolition.com, 1 +vancouverwaseo.org, 1 +vancubers.com, 1 +vandaalen.email, 1 +vandalfsen.me, 1 +vandals.ml, 1 +vandam.io, 1 +vande-walle.eu, 1 +vandegriftplasticsurgery.com, 1 +vandemeent.eu, 1 +vandenbergfss.com, 1 +vandenbroekwi.gov, 1 +vandeput.be, 1 +vander-bugenne.fr, 1 +vanderbeek.be, 1 +vanderbeekonline.nl, 1 +vanderbiltcisa.org, 0 +vanderkley.it, 1 +vanderleeden.servepics.com, 1 +vanderlinde.ml, 1 +vandermeer.frl, 1 +vanderrijt.nl, 1 +vandersmissen.lawyer, 1 +vanderstraeten.dynv6.net, 1 +vanderzwet.net, 1 +vandi.tk, 1 +vandijkmaatwerk.nl, 1 +vandommelenart.com, 0 +vandoornmiddenzeeland.nl, 1 +vandortgroep.nl, 1 +vandrielschoenen.nl, 1 +vandyhacks.org, 1 +vanesaleiro.tk, 1 +vanessaamorosi.tk, 1 +vanessabalibridal.com, 1 +vanessaglendagarcia.tk, 1 +vanessarivas.com, 1 +vaneurology.com, 1 +vaneyckexpo.be, 1 +vaneyckwashere.be, 1 +vaneyckwashere.com, 1 +vaneyckwashere.eu, 1 +vaneyckwashere.gent, 1 +vangest.com, 1 +vangest.pt, 1 +vangoghcoaching.nl, 1 +vanguards.tk, 1 +vanhatten.com, 1 +vanhelsing.ml, 1 +vanhelsing.tk, 1 +vanherle-dakdichting.be, 1 +vanhoudt-usedcars.be, 1 +vanhoutte.be, 0 +vanhove.biz, 1 +vaniamgroup.com, 1 +vanier.gc.ca, 1 +vanilla-official.jp, 1 +vanillacoder.co.za, 1 +vaninsure247.co.uk, 1 +vaniola.com, 1 +vanished.tk, 1 +vanitas.xyz, 0 +vanityestetik.com, 1 +vanityfairnapkins.com, 0 +vanivi.ml, 1 +vanjeveren.nl, 1 +vanlierdezottegem.be, 1 +vanlong.com.vn, 1 +vanmalland.com, 1 +vanmalleghem.eu, 1 +vanna-mechti.tk, 1 +vanna-original.ru, 1 +vanna5.ru, 1 +vannaos.com, 1 +vannaos.net, 1 +vanndigital.com, 1 +vanner.com, 1 +vannoordgouda.nl, 1 +vanouwerkerk.net, 1 +vanquish.tk, 1 +vanral.com.br, 1 +vanrichie.nl, 1 +vanspa.vn, 1 +vanstoftotleven.nl, 1 +vantagepointpreneed.com, 1 +vantagesfa.com, 1 +vantien.com, 1 +vantru.is, 1 +vanuithartenziel.nl, 1 +vanvanlines.com, 1 +vanwa.ch, 1 +vanwertcountyohio.gov, 1 +vanwoensei.xyz, 1 +vanwoensel.directory, 1 +vanwoensel.xyz, 1 +vanwort.de, 1 +vanwunnik.com, 1 +vanya.click, 1 +vanyavpn.com, 1 +vanyavpn.ru, 1 +vaoig.gov, 1 +vapebhd.com, 1 +vapebuddy.ch, 1 +vapeclub.co.uk, 1 +vapecom-shop.com, 1 +vapecraftinc.com, 0 +vapecrunch.com, 1 +vapeforest.co.uk, 1 +vapehousebh.com, 1 +vapehouseksa.com, 1 +vapeking.co.za, 1 +vapensiero.co.uk, 1 +vapesense.co.uk, 1 +vapeshoppos.com, 1 +vapetaclope.cf, 1 +vapevine.ca, 1 +vapex.pl, 1 +vapingdaily.com, 1 +vapocial.com, 1 +vapolik.fr, 1 +vapoo.de, 1 +vapor.cloud, 0 +vapordepot.jp, 1 +vaporquest.tk, 1 +vapotank.com, 1 +vapoteuse.fr, 1 +vapourtown.com, 1 +vapteke.ru, 1 +vaptkidsight.azurewebsites.net, 1 +varaani.tk, 1 +varalaval.com, 1 +varb.in, 1 +varcare.jp, 1 +varda.nl, 1 +vardakeio.gov.gr, 1 +vardenafilhcl.gq, 1 +varela-electricite.fr, 1 +varelaloca.tk, 1 +varghese.de, 1 +variable.dk, 1 +variablyconstant.com, 1 +variance.pl, 1 +varianteespiritual.gal, 1 +variatesonline.tk, 1 +variatkowo.pl, 1 +varied.ga, 1 +varierchairs.com, 1 +variohyp.de, 1 +variomedia.de, 1 +variusunum.com, 1 +varizh.by, 1 +varjo.tk, 1 +varjuring.tk, 1 +varlex.cl, 1 +varlin.tk, 1 +varney.tk, 1 +varnish.ga, 1 +varonahairrestoration.com, 0 +varrogepcentrum.hu, 1 +varshathacker.com, 1 +varun-rajeshwari.tk, 1 +varuniyer.info, 1 +varvitra20mg.ga, 1 +varyrentacar.com, 1 +varztupasaulis.com, 1 +varztupasaulis.eu, 1 +varztupasaulis.lt, 1 +varztupasaulis.net, 1 +vas-webmaster.cz, 1 +vas.com, 1 +vasaconsulting.com, 1 +vasanth.org, 0 +vasaprilezitost.eu, 1 +vasconcellos.casa, 1 +vascularlaser.com.br, 1 +vase-anduze.fr, 1 +vase-dovolena.cz, 1 +vasel.de, 1 +vasel.eu, 1 +vaselin.cf, 1 +vaselin.ga, 1 +vaselin.gq, 1 +vaselin.ml, 1 +vaselin.tk, 1 +vases.tk, 1 +vasficelik.com, 1 +vash-doctor.tk, 1 +vash-dom.tk, 1 +vashdohod.ml, 1 +vashel.us, 1 +vasheradio.tk, 1 +vashmatrass.ru, 1 +vashprazdnik.tk, 1 +vasilev.wtf, 1 +vasilevo.tk, 1 +vasilijeojdanic.ml, 1 +vasilijeojdanic.tk, 1 +vasilikieleftheriou.com, 1 +vasilisa-volodina.cf, 1 +vasilisa-volodina.ga, 1 +vasilisa-volodina.gq, 1 +vasilisa-volodina.ml, 1 +vaskulitis-info.de, 1 +vasp.at, 1 +vassalengine.org, 1 +vassourassaojoao.com.br, 1 +vastdata.com, 0 +vastgoed-lidl.nl, 1 +vastgoedcert.nl, 1 +vastgoedfaculteit.be, 1 +vastu.co.il, 1 +vasya-com.tk, 1 +vasya-odyag.tk, 1 +vasyaka.cf, 1 +vasyaka.ga, 1 +vasyharan.com, 1 +vat-eu.com, 1 +vat-funding.com, 1 +vat.direct, 1 +vatav.eu, 1 +vatav.tk, 1 +vatazhok.com, 1 +vatikantour.tk, 1 +vatlieuhay.com, 1 +vatman.tk, 1 +vatnik.info, 1 +vato.nl, 1 +vatogo-dev2.xyz, 1 +vats.im, 1 +vattulainen.fi, 1 +vauban-ip.com, 1 +vauceri.hr, 1 +vaugarnier.fr, 1 +vaughanrisher.com, 1 +vaulavalpola.tk, 1 +vault.investments, 1 +vault.spdns.eu, 1 +vault12.com, 1 +vault12.io, 1 +vault182.xyz, 1 +vault81.de, 1 +vaultdoma.in, 1 +vaultproject.io, 0 +vaur.fr, 1 +vaurio.tk, 1 +vavabid.be, 1 +vavada.com, 1 +vave.men, 1 +vavel.com, 1 +vawebsite.co, 1 +vawic4retailers.org, 1 +vawlt.io, 1 +vawomenshealth.com, 1 +vaxbook.com, 1 +vayaport.com, 1 +vayaprecio.es, 1 +vayavotarcolorado.gov, 1 +vaygren.com, 1 +vazdemelloconsultoria.com.br, 1 +vb.com.br, 1 +vba.rest, 1 +vbanu.com.ua, 1 +vbelgorode.tk, 1 +vbetcn.com, 1 +vbl.co.th, 1 +vbql.me, 1 +vbsoft.cz, 1 +vbttc.com, 1 +vburyatii.ml, 1 +vbwinery.com, 1 +vc123.xyz, 1 +vcacursus.nl, 1 +vcanederland.nl, 1 +vcard.mx, 1 +vcare.group, 1 +vccload.com, 1 +vccmurah.net, 1 +vccv.cc, 1 +vcdspro.de, 1 +vcebookclub.com.au, 1 +vcelin-na-doliku.cz, 1 +vcf.gov, 1 +vchelyabinske.tk, 1 +vclobby.com, 1 +vcloudways.com, 1 +vcm.ru, 1 +vcmi.download, 1 +vcockpit.de, 1 +vconcept.ch, 1 +vconcept.me, 1 +vconstruct.com, 1 +vcot.info, 1 +vcpa.gov, 1 +vcperinatologickedny.cz, 1 +vcraftaudio.com, 1 +vcross.cf, 1 +vcs-steuern.de, 1 +vcsafrica.com, 1 +vcsjones.codes, 1 +vcsjones.com, 1 +vcsource.tk, 1 +vcti.cloud, 1 +vcz.fr, 1 +vczk.me, 1 +vd42.net, 0 +vda.li, 1 +vdagestan.tk, 1 +vdalabs.com, 1 +vdbongard.com, 1 +vdcomp.cz, 0 +vddruckwerk.de, 1 +vdemuzere.be, 0 +vdheyden.net, 0 +vdim.shop, 1 +vdisk24.de, 1 +vdmeij.com, 1 +vdmeta.com, 1 +vdolg2000rub.ga, 1 +vdolg2000rub.ml, 1 +vdolg8000rub.cf, 1 +vdolg8000rub.ga, 1 +vdolg8000rub.gq, 1 +vdolg8000rub.ml, 1 +vdolg8000rub.tk, 1 +vdotdatasharing.org, 1 +vdownloader.com, 1 +vdprotezai.lt, 1 +vdrei.at, 1 +vdslux.eu, 1 +vdstc.com, 1 +vdw-instruments.com, 1 +vdw.ovh, 1 +ve-1xbet.com, 1 +ve.search.yahoo.com, 0 +ve3oat.ca, 1 +veadoscomfome.tk, 1 +veast.network, 1 +vebbankir-zajm-onlajn.gq, 1 +vebdengi.tk, 1 +vebeco.de, 1 +veber.bg, 1 +veca.tk, 1 +vecara.es, 1 +vecchiofornobarletta.it, 1 +vechainstats.com, 1 +vecherka.tk, 1 +vechersky.tk, 1 +vectomatic.org, 1 +vectops.com, 0 +vector.express, 1 +vectorcardiometry.tk, 1 +vectordtg.com, 0 +vectormagnetics.com, 1 +vectorracquet.com, 1 +vectortrack.com.au, 1 +vectorwish.com, 1 +vectrum.cf, 1 +vedeneev.tk, 1 +vedev.io, 1 +vedma-praktik.com, 1 +vedom.ru, 1 +vedran-zulin.from.hr, 1 +vee.ci, 1 +veeam.com, 1 +veebill.com, 1 +veebiveski.ee, 1 +veefna.com, 1 +veegish.com, 1 +veekshanam.com, 1 +veerleklinge.nl, 1 +veessen.tk, 1 +veethi.com, 1 +veeva.com, 1 +veeva.link, 1 +veg-leiden.nl, 0 +veg.lv, 0 +vega-diva.com, 1 +vega-rumia.pl, 1 +vega.education, 1 +vegalanguageacademy.ca, 1 +vegan-essen.tk, 1 +vegan-kochen.tk, 1 +vegan-pratique.fr, 1 +vegane-proteine.com, 1 +veganenumbers.com, 1 +veganfamiliesclub.com, 1 +vegangaymer.blog, 1 +veganism.co.uk, 1 +veganism.com, 1 +veganismo.tk, 1 +veganitos.tk, 1 +veganmasterrace.com, 1 +veganplace.it, 1 +veganrecipereviews.com, 1 +veganuary.com, 1 +veganvisboer.nl, 1 +veganz.de, 1 +vegardit.com, 1 +vegascasino.news, 1 +vegasconcepts.com, 1 +vegasluxuryestates.com, 1 +vegasrock.tk, 1 +vegavio.com, 1 +vegculinary.com, 1 +vege-tables.fr, 1 +vegekoszyk.pl, 1 +vegepa.com, 1 +vegetariantokyo.net, 1 +vegetarier-sind-moerder.tk, 1 +veggie-einhorn.de, 0 +vegoresto.fr, 1 +vegpro.com, 1 +vegtelenchat.tk, 1 +veguillas.tk, 1 +vegvor.com, 1 +vehicleenquiry.service.gov.uk, 1 +vehiclehistory.gov, 1 +vehicleinfozone.com, 1 +vehicletax.service.gov.uk, 1 +vehicletransportservices.co, 1 +veidiheimar.is, 1 +veii.de, 1 +veikkosimpanen.fi, 1 +veiligesmartcities.nl, 1 +veilletechno-it.info, 1 +veilofsecurity.com, 1 +veincenterbrintonlake.com, 1 +veintidos.com.ar, 1 +vejanoticias.com.br, 1 +vejaparki.lv, 1 +vejas2004.tk, 1 +vejersferie.de, 1 +vek.com.br, 1 +vekashka.gq, 1 +vekenz.com, 1 +vektlofting.tk, 1 +vektor.tk, 1 +vektorparts.ru, 1 +velacartagena.tk, 1 +velassoltas.pt, 1 +veldadvies.nl, 1 +veldhovenactief.nl, 1 +velen.io, 1 +veles-moto.ru, 1 +velesnet.ml, 1 +velforo.com, 1 +veli.ee, 1 +velichkin.tk, 1 +velika-balgaria.tk, 1 +velikijhutir.cherkassy.ua, 1 +velis.tk, 1 +velken.de, 1 +vellandreathcornishcottages.com, 1 +vellingetaxi.se, 1 +velmart.ua, 1 +velmorra.id, 1 +velo-doktor.ch, 1 +velo-volga.tk, 1 +velo24.tk, 1 +velobar.plus, 1 +velociter.net, 1 +velocitycu.com, 0 +velocityelectronics.com, 1 +velocityfiber.com, 1 +velocitygames.tk, 1 +velocityhost.com.au, 1 +velocitytech.com, 1 +velocompany.com, 1 +velocompany.de, 1 +velomap.org, 1 +velonustraduction.com, 1 +velopinion.fr, 1 +veloroute.hamburg, 1 +velosipedi.tk, 1 +velostudio.com.ua, 1 +velotours.ga, 1 +velotyretz.fr, 0 +velovelo.gq, 1 +veluwerally2002.tk, 1 +velvet-tarantula.tk, 1 +velvetempire.tk, 1 +velvetia.no, 1 +vema-bg.com, 1 +venacifuentes.tk, 1 +venali.tk, 1 +venalytics.com, 1 +venangocountypa.gov, 1 +venatorinc.tk, 1 +venbot.tk, 1 +vendaapartamentomoema.com.br, 1 +vendadopinheiro.com, 1 +vendadopinheiro.net, 1 +vendadopinheiro.org, 1 +vendagora.tk, 1 +vendasdealbunsbrasil.tk, 1 +vendee.tk, 1 +vendela.tk, 1 +vendermicasarapido.com.mx, 1 +vendi.it, 1 +vendigital.com, 1 +vendingmachines.tk, 1 +vendisrls.it, 1 +venditorepoa.com.br, 1 +vendloop.com, 1 +vendomicasaenserena.cl, 1 +vendor-finance.uk, 1 +vendorconnect.nyc, 1 +vendorful.com, 1 +vendorleasing.uk, 1 +vendorpedia.com, 1 +vendreacheter.be, 1 +vendreacheter.net, 1 +vendserve.eu, 1 +vendsoefoutra.ga, 1 +vendsoefoutra.ml, 1 +venegreco.com, 1 +venenum.org, 1 +venera-magik.tk, 1 +venere.it, 1 +venesuela.cf, 1 +venetkaarsenovart.com, 1 +venev.com, 1 +venev.name, 1 +venezia.ga, 1 +veneziatoday.it, 1 +venezuelachat.tk, 1 +venezuelalibre.tk, 1 +venga.tk, 1 +vengriya.tk, 1 +venicci.co.uk, 1 +venicecakes.ga, 1 +venicecomputerrepair.com, 1 +venicefl.gov, 1 +venicefloridawebsitedesign.com, 1 +venicerealdeal.com, 1 +venje.pro, 0 +venlafaxine.gq, 1 +venn.com, 1 +venndy.com, 1 +vennet.fr, 1 +vennprime.com, 1 +venomxsecurity.com, 1 +venostech.com, 1 +venstar.com, 1 +ventajasdesventajas.com, 1 +ventana.kz, 1 +ventanillaproveedorespit.com, 1 +ventasreit.com, 1 +ventassantillan.com, 1 +vente-voiture.org, 1 +ventes-privees-flash.fr, 1 +venti-athens.gr, 1 +venti.eu.org, 1 +ventilateurs-plafond.com, 1 +ventiques.com, 1 +ventizo.com, 1 +ventnose.com, 1 +ventolin-hfa.tk, 1 +ventolin.ga, 1 +ventomaxx.de, 1 +ventor.ml, 1 +ventosport.nl, 1 +ventrahealth.com, 0 +ventuordici.org, 1 +venturavwparts.com, 1 +venture.biz.id, 1 +venturebanners.co.uk, 1 +ventureharbour.com, 1 +venturepointe.com, 1 +ventures.lgbt, 1 +ventureslgbt.com, 1 +venturum.com, 1 +venturum.de, 1 +venturum.eu, 1 +venturum.net, 1 +venuedriver.com, 1 +venurse.net, 1 +venus-erotic.com, 1 +venus-football-giveaway.co.uk, 0 +venusbeautyproducts.in, 1 +venusvprincess.com, 1 +venzeo.com, 1 +veobas.com, 1 +veonow.com, 1 +vepein.ga, 1 +vepein.gq, 1 +veply.com, 1 +ver.ma, 1 +ver.re, 1 +vera-1.ru, 1 +verae.tk, 1 +verafin.com, 1 +verakoubova.net, 1 +veramagazine.jp, 0 +veramark.cl, 1 +verasani.ch, 1 +verasani.com, 1 +verascityscience.com, 1 +verasoie.fr, 1 +verasoul.com, 1 +verasrvmobiledetail.com, 1 +verata.co, 0 +verbacxss.it, 1 +verberne.nu, 1 +verbert.be, 1 +verbier-lechable.com, 1 +verbierfestival.com, 0 +verbindingsboerderij.nl, 1 +verbindingsboerderijdekoolberg.nl, 1 +verbmaestro.com, 1 +verboom.co.nz, 1 +verbundkredit.ag, 1 +verbundkredit.biz, 1 +verbundkredit.com, 1 +verbundkredit.de, 1 +verbundkredit.eu, 1 +verbundkredit.info, 1 +verbundkredit.net, 1 +verbundkredit.org, 1 +verbzilla.com, 1 +vercel.co, 1 +vercel.com, 1 +vercel.email, 1 +vercel.org, 1 +vercel.sh, 1 +vercopy.com, 1 +vercountyil.gov, 1 +verdeandco.co.uk, 1 +verdensflag.dk, 1 +verdeplus.net, 1 +verdesfoundation.org, 1 +verdict.gg, 1 +verdict.ro, 1 +verdonkadvocaten.nl, 1 +verduccies.com, 0 +verdugosxerecistas.tk, 1 +veredadelaestrella.tk, 1 +verein-kiekin.de, 1 +vereine-weiskirchen.de, 1 +vereinscheck.de, 1 +vereinswahl.online, 1 +veren-group.ua, 1 +verena.gallery, 1 +vereshagino.tk, 1 +verf.nu, 1 +verfassungsklage.at, 1 +verge-solutions.com, 1 +verge.capital, 1 +vergehealth.com, 1 +vergelijksimonly.nl, 1 +vergelijkwitgoed.nl, 1 +vergesense.com, 1 +vergessen.cn, 1 +vergilioferreira.pt, 1 +vergraal.tk, 1 +verhaltenstherapie-weiden.de, 1 +verhaslaw.com, 1 +verhave.net, 1 +verhoog.xyz, 1 +veri2.com, 1 +verifalia.com, 1 +verificationlink.ga, 1 +verified.lu, 1 +verifiedcliq.com, 1 +verifiedhandles.org, 1 +verifiedjoseph.com, 0 +verifiny.com, 1 +verifize.co.za, 1 +verify.gov.sg, 1 +verifyos.com, 1 +verifyyourip.com, 1 +verigom.com, 1 +verikom.kiev.ua, 1 +verindra.ga, 1 +veriomed.com, 1 +veripn.com, 1 +veritablescreening.com, 1 +veritafineviolins.com, 1 +veritas-data.de, 1 +veritashomeschoolers.org, 1 +veritasinvestmentwealth.com, 1 +veriteliberte.fr, 1 +veriteslibertes.com, 1 +veriteslibertes.fr, 1 +verityinspections.com, 1 +verizonconnect.com, 0 +verkada.com, 1 +verkami.com, 1 +verkeer.gent, 1 +verkeersschoolrichardschut.nl, 1 +verkeersschoolvanhouten.nl, 1 +verkkovalmentajat.fi, 1 +verkossa.tk, 1 +verksampsykologi.com, 1 +verlag-lq.at, 1 +verlag-lq.ch, 1 +verlag-lq.com, 1 +verlag-lq.de, 1 +verlag-lq.net, 1 +verlagdrkovac.de, 0 +verlaglq.com, 1 +verland.org, 1 +verleger.biz, 1 +verliebt-in-bw.de, 1 +verliebt-in-niedersachsen.de, 1 +verliefde-jongens.nl, 1 +verlocke.de, 1 +verloja.com, 1 +verloskundigepraktijktolmiea.nl, 1 +vermaeckbouw.nl, 1 +vermageringsdieetpillen.ga, 1 +vermageringsdieetpillen.gq, 1 +vermageringsdieetpillen.tk, 1 +vermellcollection.com, 1 +vermogeninkaart.nl, 1 +vermont.builders, 1 +vermontbiz.com, 1 +vermontflannel.com, 1 +vermontvilletownshipmi.gov, 1 +vermouth.cf, 1 +vermuetje.nl, 1 +vern.cc, 0 +vernal.gov, 1 +verndale.com, 1 +vernis-marins.com, 1 +vernonfigureskatingclub.com, 1 +vernonfilmsociety.bc.ca, 1 +vernonreinike.com, 1 +vernonsecureselfstorage.ca, 1 +vernonspeedskatingclub.com, 1 +vernonvt.gov, 1 +veronasera.it, 1 +veroncloud.com, 1 +veronic.hu, 1 +veronicasuperguide.nl, 1 +veronique-schmitz.de, 1 +veropharm.ru, 1 +veros-volejbal.tk, 1 +veros.com, 1 +verrame.no, 1 +verry.org, 1 +vers.one, 1 +versa-networks.com, 1 +versagercloud.de, 1 +versahub.com, 1 +versaillestourisme.fr, 1 +versalhost.nl, 1 +versallesin.com, 1 +versanthealth.com, 1 +versata.pt, 1 +versatek.com, 1 +versbesteld.nl, 1 +verschil.info, 1 +verschoren.com, 0 +verschurendegroot.nl, 1 +verse.eu.org, 1 +versfin.net, 1 +versia.ru, 1 +versicherung-website.de, 1 +versicherungen-werner-hahn.de, 1 +versifylabs.com, 1 +versionit.org, 1 +versium.net, 1 +verspai.de, 1 +versprite.com, 1 +verstaanwiskunde.co.za, 1 +verstka.cf, 1 +verstka.ga, 1 +verstka.tk, 1 +verstraetenusedcars.be, 1 +versus-hair.com, 1 +versusforum.tk, 1 +versustexas.com, 1 +vertanex.com, 1 +vertaxaccountants.co.uk, 1 +vertebrates.com, 1 +vertec-cloud.at, 1 +vertec-cloud.com, 1 +vertec-cloud.de, 1 +vertec-test.at, 1 +vertec-test.com, 1 +vertec-test.de, 1 +vertec.com, 1 +verteilergetriebe.info, 1 +vertex-academy.com, 1 +vertexinc.com, 1 +vertexlife.ml, 1 +vertexlife.tk, 1 +vertexsmb.com, 1 +vertexventures.co.il, 1 +vertexventures.sg, 0 +verticalmindventures.com, 1 +verticals.tk, 1 +verticalstructure.com, 1 +verticecloud.com, 1 +verticesedge.com, 1 +vertichost.com, 1 +vertichost.ro, 1 +verticweb.com, 1 +vertigo.name, 0 +vertigomassage.com, 1 +vertikal.tk, 1 +vertiko.de, 1 +vertip.net, 1 +vertispro.com, 1 +vertragsfix.de, 1 +vertrauen.site, 1 +vertretungsplan.io, 1 +vertrieb-strategie.de, 1 +vertrouwenspiegel.nl, 1 +vertymelo.com, 1 +verustracking.com, 1 +verve.com, 1 +vervewellness.co.nz, 1 +verwandlung.org, 1 +verwarring.tk, 1 +very-good.ru, 1 +veryapt.com, 1 +verybin.com, 1 +veryestate.com, 1 +veryfinecommentary.tk, 1 +verygoodmarketing.nl, 1 +verygoodwebsite.ca, 1 +veryhome.com.pe, 1 +verymelon.de, 1 +verymetal.site, 1 +veryssl.com, 1 +veryswing.com, 1 +verzekerdbijhema.nl, 1 +verzekeringsacties.nl, 1 +verzekerjebeter.nl, 0 +verzick.com, 1 +vesa.ro, 1 +vesaviljanen.fi, 1 +vescudero.net, 1 +veseleruska.sk, 1 +veselka.tk, 1 +veselyjpovar.gq, 1 +vesen.tk, 1 +vesinhcongnghiepttchome.com, 1 +vesiskitim.ru, 1 +veski.hr, 1 +vesmail.biz, 1 +vesmail.email, 1 +vesna2011.tk, 1 +vespacascadia.com, 1 +vesseldove.com, 1 +vesselportal.com, 1 +vessentys.com, 1 +vesta.us, 1 +vestacp.top, 1 +vestakassa-online.cf, 1 +vestal.nl, 1 +vestalny.gov, 1 +vestberry.com, 1 +vestd.com, 0 +vestia.nl, 1 +vestibtech.com, 1 +vestibulaire.ch, 1 +vestibular.science, 1 +vestiizhevska.cf, 1 +vestingbar.nl, 1 +vestirnakaret.cz, 1 +vestkyneonline.cz, 1 +vestlundbolargen.tk, 1 +vestnik24.cf, 1 +vestum.ru, 1 +vesuvio.tk, 1 +vet24hour.co.uk, 1 +vet4life.co.uk, 1 +vetafarm.com.au, 1 +vetantumapu.cl, 1 +vetbilgi.com, 1 +vetbits.com, 0 +vetcard.info, 1 +vetch.ga, 1 +vetclick.com, 1 +veteranpcs.com, 1 +veteranreservecorps.com, 1 +veteransadvantage.com, 1 +veteranscrisisline.net, 1 +veteransfirstwatch.com, 1 +veteransholidaylights.com, 1 +veteransroofingllc.com, 1 +veteranticketsfoundation.org, 1 +veterinanmnm.cz, 1 +veterinanmnm.eu, 1 +veterinarian-hospital.com, 1 +veterinarianedu.org, 1 +veterinario.milano.it, 1 +veterinario.roma.it, 1 +veterinary-colleges.com, 1 +veterinaryhelp.cf, 1 +veterinaryvision.co.uk, 1 +veteriner.name.tr, 1 +veterquimica.pe, 1 +vetikalender-berlin.de, 1 +vetinte.eu, 1 +vetitus-teatro.tk, 1 +vetmgmt.com, 1 +vetnet.info, 1 +veto.fish, 1 +vetofish.com, 1 +vetosh.tk, 1 +vetpraxis.de, 1 +vetputten.nl, 1 +vetrehabsummit.com, 1 +vetren.tk, 1 +vetreria.roma.it, 1 +vetres.net.au, 1 +vets.gov, 1 +vets24.ae, 1 +vetscore.co.za, 1 +vetsmarketing.co.za, 1 +vetsource.com, 0 +vettenburg.eu, 1 +vettix.org, 1 +vetuni.cz, 1 +vetuni.eu, 1 +vetustainversion.com, 1 +vetvim.com, 1 +vetvine.com, 1 +veules-les-roses.fr, 1 +veve.com, 1 +veverusak.cz, 1 +vevioz.com, 1 +vexsh.com, 1 +vezettaksii.ru, 1 +veziaici.net, 1 +vezzo.one, 1 +vf-bikes.be, 1 +vf99.com, 1 +vfbikes.be, 1 +vfc.com, 0 +vfdworld.com, 1 +vfg.com.ua, 1 +vfn-nrw.de, 1 +vfnm.de, 1 +vfree.org, 0 +vfu.cz, 1 +vfwpost1.org, 1 +vfxstudy.com, 1 +vg-resource.com, 1 +vgatest.nl, 1 +vgbf.tk, 1 +vgchat.us, 1 +vgcheat.com, 1 +vgdocs.com, 1 +vgerak.com, 1 +vglist.co, 1 +vgopilot.azurewebsites.net, 1 +vgorcum.com, 1 +vgpu.vladimir.ru, 1 +vgropp.de, 1 +vgxcontactcenter.com.br, 1 +vgywm.com, 1 +vhelio.org, 1 +vhg.org, 1 +vhiweb.com, 1 +vhosting-it.com, 1 +vhproductions.tk, 1 +vhumo.com, 1 +via-tygo.com, 1 +via1buynow.com, 1 +viabenefitsaccounts.com, 1 +viacdn.org, 1 +viacheslavpleshkov.com, 1 +viadennis.nl, 1 +viaelegancestore.com.br, 1 +viaeth.io, 1 +viafoura.com, 1 +viaggioincoppia.com, 1 +viaggivistos.com.br, 1 +viagraest.com, 1 +viagramarketim.com, 1 +viagramarketim.org, 1 +viagratop.tk, 1 +viagusto.pl, 1 +viajantecolorido.com.br, 1 +viajantesturismo.com, 1 +viajarconmascotas.pro, 1 +vialibido.com.br, 1 +vialknives.com, 1 +vialorran.com, 0 +vialto.com, 1 +viamax.eu, 1 +viamilitaris.net, 1 +vianetplc.com, 1 +vianica.com, 1 +viaon.net.br, 1 +viapajucara.com.br, 1 +viaprinto.de, 1 +viaprofit.tk, 1 +vias-ferratas.tk, 1 +viasalix.nl, 1 +viasinc.com, 0 +viato.fr, 1 +viaura.biz, 1 +viawave.tk, 1 +viaweb.sa, 1 +viawirelessllc.com, 1 +viba-sweets.de, 1 +vibaphoto.com, 1 +vibaphoto.fr, 1 +vibbo.no, 1 +vibbslist.com, 1 +vibcon.com, 1 +vibehire.co.uk, 1 +vibeonline.tk, 1 +vibgyyor.com, 1 +vibioh.fr, 1 +vibox.co.uk, 1 +vibraagenciadigital.com.br, 1 +vibramycin100mg.tk, 1 +vibrato1-kutikomi.com, 1 +vibrolandia.com, 1 +vibromax.com, 1 +vibromax.net, 1 +vibromax.org, 1 +vicarious.cf, 1 +vicellishoes.com, 1 +vicenez.agency, 1 +vicentaburon.tk, 1 +vicentejr.com.br, 1 +vicenterodriguez81.tk, 1 +vicentico.tk, 1 +vicenzatoday.it, 1 +vicescorts.ga, 1 +vicete.tk, 1 +vichiya.com, 1 +vichovska-vyhlidka.cz, 1 +vician.cz, 1 +vicicode.com, 1 +vicieux.art, 1 +vicinityindustrial.com.au, 1 +vicioanimal.pt, 1 +viciousflora.com, 1 +viciousracing.tk, 1 +vicjuwelen-annelore.be, 1 +vickyflipfloptravels.com, 0 +vickyhundt.com, 1 +vickylarraz.tk, 1 +vickyoliver.tk, 1 +vicmatus.com, 1 +vico.vn, 1 +vicrea.nl, 1 +vicsancab.com, 1 +victimizer.tk, 1 +victora.com, 1 +victorblomberg.se, 1 +victorbuch.cf, 1 +victorc.net, 1 +victorcalvez.com, 1 +victorcanera.com, 1 +victorcarrasco.tk, 1 +victorcarwasher.com, 1 +victoreriksson.ch, 1 +victoreriksson.co, 1 +victoreriksson.es, 1 +victoreriksson.eu, 1 +victoreriksson.info, 1 +victoreriksson.me, 1 +victoreriksson.net, 1 +victoreriksson.nu, 1 +victoreriksson.org, 1 +victoreriksson.se, 1 +victoreriksson.us, 1 +victoreriksson.xyz, 1 +victorhawk.com, 1 +victorhorta.tk, 1 +victoria-clinic.ru, 1 +victoria-legis.ru, 1 +victoria.associates, 1 +victoriaartist.ru, 1 +victoriabeckham.tk, 1 +victoriacountytx.gov, 1 +victoriaharmandjieva.art, 1 +victoriait.com, 1 +victoriait.com.au, 1 +victoriamn.gov, 1 +victorianosaez.tk, 1 +victoriastudio.ru, 1 +victoriavalente.net, 1 +victoridaho.gov, 1 +victorique.moe, 1 +victorjacobs.com, 0 +victornet.de, 1 +victoroilpress.com, 1 +victorpelletmill.com, 1 +victorpericiales.com, 1 +victorricemill.com, 1 +victorrodriguez.ml, 1 +victorunix.com, 1 +victory.radio, 1 +victoryalliance.us, 1 +victorychurch.org.tw, 1 +victoryoutreach.org, 1 +victrays.com, 1 +victusrp.gq, 1 +vicugna.nl, 1 +vicyu.com, 1 +vidaliala.gov, 1 +vidanuevaparaelmundo.net, 1 +vidanuevaparaelmundo.org, 1 +vidaparalela.tk, 1 +vidapositiva.tk, 1 +vidarity.com, 1 +vidassemfronteiras.com, 1 +vidatantrica.com, 1 +vidawichi.tk, 1 +vidaxp.com, 1 +vidazoo.com, 1 +vidb.me, 1 +vidbooster.com, 0 +vidbuchanan.co.uk, 1 +vidcruiter.com, 0 +vide-dressing.org, 0 +vide-greniers.org, 0 +vide-maisons.org, 0 +videferre.tk, 1 +video-converter.com, 1 +video-lab.it, 1 +video-oldenburg.de, 1 +videoarcadia.cf, 1 +videoarcadia.ml, 1 +videobible.com, 1 +videocall.guide, 1 +videochatv.com, 1 +videochums.com, 1 +videoclean.fr, 1 +videoclubhd.ga, 1 +videoclubhd.ml, 1 +videoconferencing.guide, 1 +videoebook.tk, 1 +videoeta.com, 1 +videogameconsole.ir, 1 +videogamer.com, 1 +videogamerreader.tk, 1 +videogamesartwork.com, 1 +videograb.ga, 1 +videograb.ml, 1 +videoguard.nl, 1 +videoha.ml, 1 +videojet.com, 1 +videojuegos.com, 1 +videoload.co, 1 +videomagic.ai, 1 +videomail.io, 1 +videomaker.it, 1 +videomaniya.ml, 1 +videomarketermastery.com, 1 +videonika.tk, 1 +videopediablogs.tk, 1 +videopokerez.cf, 1 +videopornoitaliana.com, 1 +videoprikol.cf, 1 +videoprikoly.ga, 1 +videoregion.ru, 1 +videoremote.tk, 1 +videosengracado.ga, 1 +videoseyred.in, 1 +videoskaseros.com, 1 +videoskazka.tk, 1 +videospericos.tk, 1 +videosporno.life, 1 +videosporno.org, 1 +videot.tk, 1 +videotehnika.tk, 1 +videoueberwachung-set.de, 1 +videouroki.ml, 1 +videov.tk, 1 +videovt.tk, 1 +videozv.tk, 1 +videsk.io, 1 +videt-son.cf, 1 +videt-son.ml, 1 +videt-son.tk, 1 +vidimte.eu, 1 +vidiproject.com, 1 +vidister.de, 0 +viditour-golf.nl, 1 +viditour-zorg.nl, 1 +vidkovaomara.si, 1 +vidlen.com, 1 +vidlen.ru, 1 +vidlyoficial.com, 1 +vidooo.de, 1 +vidracariaembh.com, 1 +vidrop.me, 1 +vidtekno.com, 1 +vidulo.com, 1 +vidyamonk.com, 1 +viedecelibataire.fr, 1 +viega.at, 1 +viega.be, 1 +viega.ca, 1 +viega.ch, 1 +viega.co.uk, 1 +viega.com, 1 +viega.com.au, 1 +viega.cz, 1 +viega.de, 1 +viega.dk, 1 +viega.es, 1 +viega.fi, 1 +viega.fr, 1 +viega.hr, 1 +viega.hu, 1 +viega.in, 1 +viega.it, 1 +viega.lt, 1 +viega.lv, 1 +viega.mx, 1 +viega.nl, 1 +viega.no, 1 +viega.pl, 1 +viega.pt, 1 +viega.ro, 1 +viega.rs, 1 +viega.se, 1 +viega.sg, 1 +viega.si, 1 +viega.sk, 1 +viega.us, 1 +viekelis.lt, 0 +vielfalt.link, 1 +vielleserin.de, 1 +viemeister.com, 1 +viemontante.be, 0 +vienna.photos, 1 +viennadancecrew.at, 1 +viennawi.gov, 1 +vientos.coop, 0 +vientosur.info, 1 +vieon.vn, 1 +viepixel.at, 1 +vierdaagsehotel.nl, 1 +vieref.eu, 1 +vierna.ga, 1 +vierpfeile.de, 1 +vierpluseins.wtf, 1 +vietconghackz.tk, 1 +vietdungit.vn, 0 +vietfes.asia, 1 +vietforum.ml, 1 +vietnam-fishing.com, 1 +vietnam-lifer.com, 1 +vietnam-tours.tk, 1 +vietnameselove.com, 1 +vietnamhairs.com, 1 +vietnamhost.vn, 0 +vietnamphotoblog.com, 0 +vietnamphotographer.net, 1 +vietnamtravelmart.com.vn, 1 +vietnamvisa.cf, 1 +vietnamvisa.ga, 1 +vietquan.net, 1 +viettelstore.vn, 1 +vietzzaune.de, 1 +vieux.pro, 1 +vievolution.tk, 1 +view-page-source.com, 1 +vieweb.tk, 1 +viewer.ga, 1 +viewflix.win, 1 +viewfreescore.com, 1 +viewing.nyc, 1 +viewpointsfromfacebook.com, 1 +viewsea.com, 1 +viewstub.com, 1 +viewzipcode.com, 1 +viez.vn, 1 +vifranco.cl, 1 +vifsoft.com, 1 +vigiesolutions.com, 1 +vigilanciatotal.com, 1 +vigilanciaysalud.com, 1 +vigilantesporcolombia.org, 1 +vigilanza.milano.it, 1 +vigilanza.roma.it, 1 +vigiles.nl, 1 +vigilo.cf, 1 +vigilo.ga, 1 +vigl.biz, 1 +vigliano.com, 1 +vigneshkumar.com, 1 +vignobles-querre.com, 1 +vignoblesdeletat.ch, 1 +vigo-krankenversicherung.de, 1 +vigo-select.de, 1 +vigoinvestments.com, 0 +vigorous.co.il, 1 +vigorspa.it, 1 +vigoxatelier.tech, 1 +vigrid.online, 1 +vigridpartiet.tk, 1 +vihaainfosoft.com, 1 +vihtahousu.fi, 1 +viikko.cf, 1 +viikko.eu, 1 +viikko.ga, 1 +viikko.gq, 1 +viikko.ml, 1 +viilup.com, 1 +viitanen.xyz, 1 +vijay-international.com, 1 +vijayam.ml, 1 +vijaymishra.tk, 1 +vijn.io, 1 +vijoe.org, 1 +vijverbenodigdheden.nl, 1 +vik.bio, 1 +vik.im, 1 +vikalbino.com, 1 +vikalbino.com.br, 1 +vikalpgupta.com, 1 +vikapaula.com, 1 +vikashkendra.com, 1 +vikasinstitute.tk, 1 +vikaviktoria.com, 1 +vikc.ca, 1 +vikcdn.com, 1 +viki.com, 1 +viking-style.ru, 1 +viking-t.com, 1 +vikingconcretefloors.com, 1 +vikiwat.com, 1 +viko.ai, 1 +viko.co.uk, 1 +vikramkulkarni.com, 1 +vikrantkakad.in, 1 +viksbergshr.se, 1 +viktor-chin-kon-sung.com, 1 +viktor-chin-kon-sung.nl, 1 +viktor-chin.com, 1 +viktor-chin.nl, 1 +viktorbarzin.me, 1 +viktorchin.com, 1 +viktorchin.nl, 1 +viktorchin.online, 1 +viktorchin.site, 1 +viktorchinkonsung.com, 1 +viktorchinkonsung.nl, 1 +viktorchinkonsung.online, 1 +viktorchinkonsung.site, 1 +viktoria-goo.com, 1 +viktoria-stube.de, 1 +viktorovi.cz, 1 +viktorprevaric.eu, 1 +viku.fi, 1 +vila-senov.cz, 1 +vila11.com.br, 1 +vilaanimalpetshop.com, 1 +vilabiamodas.com.br, 1 +viladelpingui.net, 1 +vilafloridacapivari.com.br, 1 +vilafrancaeagles.tk, 1 +vilamarija.tk, 1 +vilamoura-car-hire.com, 1 +vilans.nl, 1 +vilantice.cz, 1 +vilavilma.si, 1 +vilavyhlidka.cz, 1 +vilawatt.cat, 1 +vilaydin.com, 1 +vildlaithailand.cf, 1 +vildlaithailand.gq, 1 +vildlaithailand.tk, 1 +vilettecouvreur.fr, 1 +vilgain.at, 1 +vilgain.com, 1 +vilgain.de, 1 +vilgain.hu, 1 +vilgain.it, 1 +vilgain.pl, 1 +vilhe.com, 1 +vilhe.fi, 1 +vilhelmjunnila.fi, 1 +vilife.tk, 1 +viliravnjak.tk, 1 +viliv.com.co, 1 +villa-christina.com, 1 +villa-gockel.de, 1 +villa-luna.it, 1 +villa-ottone.net, 1 +villa-toscana.berlin, 1 +villablancaluarca.es, 1 +villablino.tk, 1 +villaboavida.nl, 1 +villacarralon.tk, 1 +villadelprado.tk, 1 +villaditirano.tk, 1 +villaespanola.tk, 1 +villafiore.com.br, 1 +villafrancis.org.sg, 1 +villagebridalbyomnibus.com, 1 +villagecardshop.co.uk, 1 +villagecenterpediatrics.com, 1 +villagemagazines.co.uk, 1 +villagenscamuria.it, 1 +villageofalbionny.gov, 1 +villageofallouezwi.gov, 1 +villageofalmondwi.gov, 1 +villageofarenawi.gov, 1 +villageofavocawi.gov, 1 +villageofbearlakemi.gov, 1 +villageofbellevuewi.gov, 1 +villageofcallawayne.gov, 1 +villageofcarbonhill-il.gov, 1 +villageofcascadewi.gov, 1 +villageofcascowi.gov, 1 +villageofcatskillny.gov, 1 +villageofcazenoviany.gov, 1 +villageofclaytonmi.gov, 1 +villageofclaytonwi.gov, 1 +villageofclymanwi.gov, 1 +villageofcolemanwi.gov, 1 +villageofcottagegrove.gov, 1 +villageofdousman.gov, 1 +villageofedenwi.gov, 1 +villageoffarwellmi.gov, 1 +villageofforestvillewi.gov, 1 +villageoffremontwi.gov, 1 +villageofgraftonwi.gov, 1 +villageofgrantsburg.gov, 1 +villageofhempsteadpdny.gov, 1 +villageofjacksonwi.gov, 1 +villageoflagrangeohio.gov, 1 +villageoflaurensny.gov, 1 +villageoflavallewi.gov, 1 +villageoflomira.gov, 1 +villageoflonerock-wi.gov, 1 +villageofluxemburgwi.gov, 1 +villageofmenandsny.gov, 1 +villageofmendonmi.gov, 1 +villageofmillerton-ny.gov, 1 +villageofmuirmi.gov, 1 +villageofmukwonago.gov, 1 +villageofnaponeene.gov, 1 +villageofnecedahwi.gov, 1 +villageofnewberlinny.gov, 1 +villageofoakdalewi.gov, 1 +villageofoakfieldwi.gov, 1 +villageofowegony.gov, 1 +villageofpalmyrailmacoupin.gov, 1 +villageofpewaukeewi.gov, 1 +villageofriverbendmo.gov, 1 +villageofsaukvillewi.gov, 1 +villageofsciooh.gov, 1 +villageofsheldonwi.gov, 1 +villageofsirenwi.gov, 1 +villageofstetsonvillewi.gov, 1 +villageofstockbridgemi.gov, 1 +villageofstockbridgewi.gov, 1 +villageoftheresawi.gov, 1 +villageoftikiisland.gov, 1 +villageofwales.gov, 1 +villageofwhitelaw-wi.gov, 1 +villageofwitheewi.gov, 1 +villagephysicians.com, 1 +villagesincrisis.tk, 1 +villageunique.com.br, 1 +villagevet.co.uk, 1 +villagevetcattery.co.uk, 1 +villagockel.de, 1 +villahistoria.ml, 1 +villainsclothing.com.au, 1 +villaismaelcortinas.uy, 1 +villakarma.at, 1 +villakiralik.com, 1 +villalmanzo.tk, 1 +villamenty.com, 1 +villanew.tk, 1 +villanyautosok.hu, 1 +villaparkil.gov, 1 +villapiknik.tk, 1 +villarica.gov, 1 +villas-parfumdemyrte.fr, 1 +villasdelbosque.com.gt, 1 +villasenor.online, 1 +villasfinistere.fr, 1 +villasforsale-bali.com, 1 +villasintrabali.com, 1 +villasupport.it, 1 +villaumbrales.tk, 1 +villavaltava.fi, 1 +villaville.com, 1 +villawirz.it, 1 +ville-ideale.fr, 1 +ville-nesle.fr, 1 +ville-vif.fr, 1 +villegasphoto.com, 1 +villehardouin.fr, 1 +villek.fi, 1 +villekaaria.eu, 1 +villekautto.com, 1 +villenavedornon.fr, 1 +villerez.fr, 1 +villeroy-immobilier-sete.fr, 1 +villers-ecalles.fr, 1 +villesalonen.fi, 1 +villian.tk, 1 +villnoesser-tal.com, 1 +villu.ga, 1 +villu.stream, 1 +viload.org, 1 +vilondo.com, 1 +vilostore.my.id, 1 +viltsu.net, 1 +vilvoordelaan.be, 1 +vima.ch, 0 +vimbom.tk, 1 +vimbowen.xyz, 1 +vimeo.com, 1 +vimeosucks.nyc, 1 +vimexx.nl, 1 +vimium.com, 1 +vimka.gq, 1 +vimoksa.com, 1 +vimworld.com, 1 +vinacaster.com, 1 +vinarstvimodryhrozen.cz, 1 +vinaygakhar.tk, 1 +vinaygarg.com, 1 +vinc.me, 1 +vinc.name.tr, 1 +vincehut.top, 1 +vincemumford.com, 1 +vincent-haupert.de, 1 +vincentcox.com, 0 +vincenticosmeticsurgery.tk, 1 +vincentiliano.tk, 1 +vincentpancol.com, 1 +vincentpo.tk, 1 +vincentsimon.de, 1 +vincentvdsluijs.nl, 1 +vincentwolsink.nl, 0 +vinceracing.tk, 1 +vincexpertconsulting.fr, 1 +vinci-archipel.com, 1 +vinci-foundation.com, 1 +vinci-gestion.com, 1 +vinci-gestion.fr, 1 +vinci-reassurance.com, 1 +vinci-vie.com, 1 +vinci-vie.fr, 0 +vinci-vie.net, 1 +vinci.gr, 1 +vinci.lt, 1 +vinci.lu, 1 +vincible.space, 1 +vinciconps4.it, 1 +vinciladislessia.it, 1 +vincitraining.com, 1 +vinciu.com, 1 +vincour.info, 1 +vindafrid.com, 1 +vindafrid.nu, 1 +vindafrid.se, 1 +vindelicum.eu, 1 +vindeurgent.ro, 1 +vindipoker.dk, 1 +vindnu.dk, 1 +vinduesgrossisten.dk, 1 +vineeth.uk, 1 +vineethavarma.com, 1 +vinehall.ie, 1 +vinelli.de, 1 +vinepower.co.nz, 1 +vineripenutrition.com, 1 +vinesauce.info, 1 +vineta.tk, 1 +vinetalk.net, 1 +vinetech.co.nz, 1 +vineyard-wash.com, 1 +vingaardshus.dk, 1 +vingahiss.se, 1 +vingt.me, 1 +vingtsuncoach.tk, 1 +vinhobros.de, 1 +vinhomes.tv, 1 +vinhomesonline.com, 1 +vinhosdoalentejo.pt, 1 +vinicius.sl, 1 +viniciuscosta.tk, 1 +vinigas.com, 1 +vinihk.com, 0 +vinilart.com, 1 +vinilosdecorativos.net, 1 +vinistas.com, 1 +vinit.tk, 1 +vinnellarabia.com, 1 +vinner.com.au, 0 +vinnie.gq, 1 +vinny.tk, 1 +vinnyvidivici.com, 1 +vinobartonik.cz, 1 +vinocapka.cz, 1 +vinodoc.cz, 1 +vinoffice.vn, 1 +vinohradiv.tk, 1 +vinokourovnet.tk, 1 +vinokurov.tk, 0 +vinolli.de, 1 +vinopan.de, 1 +vinorossoconero.com, 1 +vinoshipper.com, 1 +vinovum.net, 1 +vinoxo.in, 1 +vinsation.com, 1 +vinsetchampagne.fr, 0 +vinsonfinancials.tk, 1 +vinstafood.com, 1 +vintageaudio.tk, 1 +vintagebandfestival.org, 1 +vintagecarparts.co.uk, 1 +vintagecaskandbarrel.com, 1 +vintagecommerce.it, 1 +vintagejeeps.net, 1 +vintagemakeupguide.com, 1 +vintageportgifts.co.uk, 1 +vintagestock.com, 1 +vintagetoydepot.tk, 1 +vintagetrailerbuyers.com, 1 +vintagewedding.tk, 1 +vintazh.net, 1 +vintizen.com, 1 +vintom.com, 1 +vintonia.gov, 1 +vinumenu.com, 1 +vinyl-digital.com, 1 +vinylbasement.tk, 1 +vinylbro.com, 1 +vinylfencestlouis.com, 1 +vinzer.tk, 1 +vinzite.com, 1 +violapiekut.com, 1 +violarenate.com, 1 +violetfairy.tk, 1 +violetgames.com, 1 +violetraven.co.uk, 1 +violettecleaning.be, 1 +violifefoods.com, 1 +violin4fun.nl, 1 +vionicbeach.com, 1 +vionicshoes.com, 1 +vionity.co, 1 +viosey.com, 1 +vioye.com, 1 +vip-banner.tk, 1 +vip-moda.ga, 1 +vip-sauna.tk, 1 +vip-soski.tk, 1 +vip-ssl.com, 1 +vip-transfer.by, 1 +vip00228.com, 0 +vip11018.com, 0 +vip2132.com, 1 +vip22884.com, 0 +vip33138.com, 0 +vip4553.com, 1 +vip45bet365.com, 0 +vip5414.com, 1 +vip6132.com, 1 +vip77018.com, 0 +vip8522.com, 1 +vipaairportsp3.gov, 1 +vipartneriai.lt, 1 +vipdirektolog.ru, 0 +vipenvia.com.br, 1 +viper-drones.com, 1 +vipertechnology.com.br, 1 +vipesball.me, 1 +vipesball.net, 1 +vipfitter.com, 1 +vipframesandtrusses.co.nz, 1 +vipgalant.ru, 1 +viphackers.tk, 1 +vipi.es, 1 +vipkit.com, 1 +vipku.ru, 1 +viplata-mgnovenno.ml, 1 +viplc4.com, 0 +viplc6.com, 0 +viplc68.com, 1 +viplc98.net, 1 +vipline.me, 1 +viplive.tk, 1 +vipllcnj.com, 1 +vipmdh.com.ua, 1 +vipmercedes.by, 1 +viporiflame.tk, 1 +vippclub.be, 1 +viprsolutions.com, 1 +vipsauna.gq, 1 +vipsexvault.com, 1 +vipshop.ga, 1 +vipsibir.cf, 1 +vipstat.pl, 1 +viptravel.tk, 1 +vipturismo-europa.com, 1 +vipus.gq, 1 +vipuser.info, 1 +vipw6600.com, 0 +vipw6603.com, 1 +vipw6606.com, 0 +vipw6608.com, 0 +vir-tec.eu, 0 +vir2.me, 1 +virajtharinda.tk, 1 +viral-loops.com, 1 +viral32111.com, 1 +virala.tk, 1 +viralboombox.xyz, 1 +viralhua.com, 1 +viralinsurance.ga, 1 +viraljobs.ga, 1 +viraloffer.ga, 1 +viralpagi.com, 1 +viralsv.com, 1 +viraltalky.com, 1 +viraltech.cf, 1 +viralted.ml, 1 +viraltobuzz.tk, 1 +viraltube.my, 1 +viralvids.gq, 1 +viraly.me, 1 +viran-khodro.tk, 1 +virazh58.tk, 1 +virbex.com, 0 +vircloud.net, 1 +virga.pp.ua, 1 +virgi.tk, 1 +virgil.gg, 1 +virgilsecurity.com, 1 +virginiaabc.gov, 1 +virginiabeachcoolsculpting.com, 1 +virginiagardens-fl.gov, 1 +virginiahealth.tk, 1 +virginiaisgoingsolar.com, 1 +virginiamnpd.gov, 1 +virginiedelmas.fr, 1 +virginietessier.fr, 1 +virginitychecker.ga, 1 +virginized.tk, 1 +virginpulse.us, 1 +virgintears.tk, 1 +virgontech.tk, 1 +virgosecurity.com.au, 1 +virgulazero.com.br, 1 +viridis-milites.cz, 1 +virima.com, 1 +virimatech.com, 1 +viris.si, 1 +virkhost.com, 1 +virostack.com, 1 +virot.eu, 1 +virtasktic.com, 1 +virtbaza.cf, 1 +virtit.fr, 1 +virtlinux.eu, 1 +virtola.ml, 1 +virtua.com.tr, 1 +virtuaal.com, 1 +virtual-assistant.ml, 1 +virtual-data-room.org, 1 +virtual-dba.com, 1 +virtual-insanity.tk, 1 +virtual-webcam.com, 1 +virtualarkansas.org, 1 +virtualbrands.com, 0 +virtualbrestby.tk, 1 +virtualbruges.tk, 1 +virtualcitehuallaga.com, 1 +virtualcity.tk, 1 +virtualcloud.ddns.net, 1 +virtualcommodities.org, 1 +virtualcomputer.ml, 1 +virtualdesign.tk, 1 +virtualdesignmedia.com, 1 +virtualedge.org, 1 +virtualgovernance.tk, 1 +virtualgraffiti.com, 1 +virtualhawaii360.com, 1 +virtualife.tk, 1 +virtuality4d.com, 1 +virtualization-online.org, 1 +virtuallanding.com, 1 +virtuallifestyle.nl, 1 +virtuallypilates.com, 1 +virtualmachine.tk, 1 +virtualmemento.tk, 1 +virtualmt2.pl, 1 +virtualnet.ec, 1 +virtualpavilion.co, 1 +virtualprom.tk, 1 +virtualroad.org, 1 +virtualsanity.com, 1 +virtualscoutschool.com, 1 +virtualsex.ga, 1 +virtualshell.ml, 1 +virtualtabletop.io, 1 +virtualvaults.com, 0 +virtualx.de, 1 +virtubox.net, 1 +virtubox.xyz, 1 +virtubroker.com.mx, 1 +virtueturkey.ga, 1 +virtuology.com, 1 +virturl.de, 1 +virtus-group.com, 1 +virtusaero.com, 0 +virtwen.com, 1 +virty.cz, 1 +virus.pm, 1 +virusah1n1.com, 1 +virusdelebola.com, 1 +virusmousepads.tk, 1 +virusprotect.ro, 1 +virusquery.com, 1 +visa-master.tk, 1 +visacentre.pk, 1 +visadaifu.com, 0 +visaforest.com, 1 +visafruit.com, 1 +visale.fr, 1 +visalia.gov, 1 +visaliafarmersmarket.com, 0 +visalist.io, 1 +visalogy.com, 1 +visaop.com, 1 +visapourailleurs.fr, 0 +visapro.com, 1 +visapro.me, 1 +visaprolaw.com, 1 +visarewardprogramplatform.com, 1 +visartdecor.com.ua, 1 +visasofoz.com, 1 +visatime.info, 1 +visatitans.ae, 1 +visatitans.ca, 1 +visatitans.co.uk, 1 +visatitans.com, 1 +visavtodor.ru, 1 +visaxplorer.com, 1 +visaya.com.co, 1 +visceralsound.ca, 1 +visconde-de-maua.com.br, 1 +viscondedemaua.com.br, 1 +viscondedemauapousadas.com.br, 1 +viscopic.com, 1 +vise.com, 0 +visegradieskuvo.hu, 1 +visegradtours.hu, 1 +viseum.co.uk, 1 +visforvaccinated.gov, 1 +vishenka.tk, 1 +vishnujyothi.co.uk, 1 +vishwashantiyoga.com, 1 +visiblethoughts.co.uk, 1 +vision-du-net.com, 1 +vision-net.ie, 1 +vision-painting.com, 0 +vision.aero, 1 +vision.edu.sa, 1 +vision2005.tk, 1 +visionagrupo.com, 1 +visionamp.com, 1 +visionations.com, 1 +visioncenter.org, 1 +visioncloud.tk, 1 +visioncraftinc.com, 1 +visiondesign.shop, 1 +visiondetails.ru, 1 +visiondigitalsog.com, 1 +visiondrivers.com, 0 +visioned.net, 1 +visioneducation.tk, 1 +visionexpress.com, 1 +visionexpress.ie, 1 +visiongamestudios.com, 1 +visioniot.com, 1 +visionlearning.com, 1 +visionnissancanandaiguaparts.com, 1 +visionnocturne.tk, 1 +visionoscope.org, 1 +visionpeak.net, 1 +visionproductssoutheast.com, 1 +visionr.com, 1 +visionsc.co.uk, 1 +visionsofmysoul.com, 1 +visiontaiwan.info, 1 +visionthroughknowledge.com, 1 +visiontree-beta.eu, 1 +visionunit.ch, 1 +visionwow.ai, 1 +visionxcreative.gq, 1 +visionzerocfl.gov, 1 +visionzeroreporting.com, 1 +visiquate.com, 1 +visit-sanbenedettodeltronto.it, 1 +visit-thailand.tk, 1 +visit.gent, 1 +visit.natal.br, 1 +visitafuengirola.es, 1 +visitafuengirola.ru, 1 +visitaltai.info, 1 +visitationbvm.net, 1 +visitazores.com, 1 +visitbangkoktravel.com, 1 +visitbelfast.com, 1 +visitbinghamton.org, 1 +visitcambridgeshirefens.org, 1 +visitcamden.com.au, 1 +visitcmafest.com, 1 +visitconwaysc.gov, 1 +visitdubai.com, 1 +visiter-tunis.tk, 1 +visitgaribaldi.gov, 1 +visitgent.be, 1 +visitgent.eu, 1 +visitghent.be, 1 +visitghent.eu, 1 +visithuntingtonwv.org, 1 +visitinvernesslochness.com, 1 +visitislandpond.com, 1 +visitmaine.com, 1 +visitmexico.com, 1 +visitmorelos.mx, 1 +visitnamibia.net, 1 +visitnewcastle.com.au, 1 +visitoractivities.com, 1 +visitorguard.com, 1 +visitorsguide.is, 1 +visitorslist.com, 1 +visitosalnes.com, 1 +visitpare.com, 0 +visitpaul.com, 1 +visits.ga, 1 +visits.tk, 1 +visitsights.com, 1 +visitsights.de, 1 +visitstegen.com, 1 +visitsugartown.com, 1 +visittartu.com, 0 +visittci.com, 1 +visitthematrix.tk, 1 +visituzbekistan.tk, 1 +visitvalenca.com, 0 +visitwv.com, 1 +visitzug.ga, 1 +visma-apps.com, 1 +vismaverzuim.com, 1 +visomdm.com, 1 +visometry.com, 1 +visor.ph, 1 +visordown.com, 1 +visoundcloud.com, 1 +visp.net, 1 +vissanum.com, 1 +visscher.codes, 1 +vista-calculator.ru, 1 +vista-research-group.com, 1 +vista.gov, 1 +vistaalegre.com, 1 +vistaalmar.es, 1 +vistacampus.gov, 1 +vistafolia.com, 1 +vistamatic.eu, 1 +vistapaket.com.ua, 1 +vistapaket.es, 1 +vistapoquei.com.br, 1 +vistastylebuilder.com, 0 +vistavoyage.eu, 1 +vistb.me, 1 +vistec-support.de, 1 +vistmagazine.com, 1 +visu.li, 1 +visual-cockpit.com, 0 +visual-concept.net, 1 +visual-conversion.com, 1 +visual-design.cf, 1 +visual-dreams.de, 1 +visualdrone.co, 1 +visualetiquetas.art.br, 1 +visualforce.com, 1 +visualgnome.com, 1 +visualintent.com.au, 1 +visualizing.info, 1 +visuall.be, 1 +visualmarketingdeals.com, 1 +visualmasters.nl, 1 +visualstories.com, 1 +visualtec.host, 1 +visudira.com, 1 +visunext.de, 1 +visuri.de, 1 +visware.com, 1 +visyeva.hu, 1 +vita-transmr.de, 1 +vitaalcheck.nl, 1 +vitaalfitcoaching.nl, 1 +vitabrillanti.com, 0 +vitaclinicliverpool.co.uk, 1 +vitacore.ru, 1 +vitaerotaksi.ru, 1 +vitafybrands.de, 1 +vitahook.pw, 1 +vitahost.ml, 1 +vitakov.tk, 1 +vital-bg.com, 1 +vital.no, 1 +vital3.cat, 1 +vitalamin.at, 1 +vitalamin.ch, 1 +vitalchoice.com, 1 +vitalengine.com, 1 +vitalhealthandbeauty.co.uk, 1 +vitalia.cz, 1 +vitaline.uz, 1 +vitalismaatjes.nl, 1 +vitalitymedcenters.com, 0 +vitalityscience.com, 0 +vitaliyshepotkov.tk, 1 +vitaliysmagic.com, 1 +vitallearning.dk, 1 +vitallearning.ee, 1 +vitallearning.eu, 1 +vitallearning.no, 1 +vitallearning.se, 1 +vitallife.com, 1 +vitallispsy.be, 1 +vitallispsy.com, 1 +vitallispsy.de, 1 +vitallispsy.eu, 1 +vitallispsy.nl, 1 +vitalpraxis-lietz.de, 1 +vitalshop.tk, 1 +vitalsolutions.ro, 1 +vitalthings.de, 1 +vitalthrills.com, 1 +vitalware.com, 1 +vitamaxxi.com.br, 1 +vitamedgroup.com, 1 +vitamina.cl, 1 +vitamina.com, 1 +vitaminas.me, 1 +vitaminegeszseg.hu, 1 +vitaminka.tk, 1 +vitaminmovie.ga, 1 +vitaminoutlet.net, 1 +vitamister.ch, 1 +vitamixromania.ro, 1 +vitanetonline.com, 1 +vitapingu.de, 1 +vitario.eu, 1 +vitastic.nl, 1 +vitavarese.tk, 1 +vitavista.health, 1 +vitavista.io, 1 +vitay.pl, 1 +viteleaf.com, 1 +viteoscrm.ch, 0 +viterbio.com, 1 +viterboonair.tk, 1 +viteuneexcuse.io, 1 +vitikit.com, 1 +vitkausk.as, 1 +vitlproducts.com, 1 +vitman.tk, 1 +vitoye.com, 1 +vitra-showrooms.co.uk, 1 +vitra-vcare.co.uk, 1 +vitrade.de, 1 +vitrado.de, 1 +vitrinachasov.cf, 1 +vitrineenligne.com, 1 +vitromex.tk, 1 +vitron.ru, 1 +vitsearch.link, 1 +vitto.tk, 1 +vittoria-conseil.com, 1 +vittoria-web.com, 1 +vittoria.consulting, 1 +vittoria.pro, 1 +vittoria.run, 1 +vittoria.studio, 1 +vittoria.tech, 1 +vittoriaconseil.com, 1 +vitucho.tk, 1 +vitus-meppen.de, 1 +viv.fi, 1 +viva.ua, 1 +viva2000.com, 1 +vivablogger.com, 1 +vivabraslav.ga, 1 +vivace.parts, 1 +vivachile.tk, 1 +vivaconagua.org, 1 +vivactis.com, 1 +vivagy.com, 1 +vivahome.tk, 1 +vivaio.roma.it, 1 +vivaiocolombo.com, 1 +vivalacloud.ru, 1 +vivalajack.de, 1 +vivaldi.club, 1 +vivaldi.com, 1 +vivaldi.net, 1 +vivaleisure.com.au, 1 +vivaleisure.group, 1 +vivalocale.com, 1 +vivamortgage.tk, 1 +vivanosports.com.br, 0 +vivapharma.net, 1 +vivas.cf, 1 +vivas.gq, 1 +vivas.ml, 1 +vivas.tk, 1 +vivat.de, 1 +vivatbet.com.ee, 1 +vivatbet.ee, 1 +vivatechnology.com, 1 +vivates.tk, 1 +vivavox.es, 1 +vivavox.tk, 1 +vive.com, 0 +vive.link, 1 +vivediabetes-sanamente.com, 1 +vivekanandaspokenenglish.com, 1 +vivekparekh.ca, 1 +vivekselvakumar.ga, 1 +vivelawir.eu, 1 +vivemedialab.com, 1 +vivemercadosaludable.com, 1 +vivemontecarlo.tk, 1 +vivendi.de, 1 +vivendoapalavra.org, 1 +vivendoderendananet.com.br, 1 +viveoriginals.com, 1 +viveport.com, 1 +viveportal.com, 1 +viveras.ch, 1 +viveremediglia.tk, 1 +viverse.com, 1 +viverstp.net, 0 +vivesaludableconomnilife.com, 1 +vivetoluca.com, 1 +vivezlaromate.com, 1 +vivi.fyi, 0 +vivi.zone, 0 +vivian.tk, 1 +vivianaball.ro, 1 +vivianadavila.com, 1 +vivianargiriou.gr, 0 +vivianbarbieri.com, 1 +vivianlms.ga, 1 +vivianmaier.cn, 1 +vivianshultsart.com, 1 +vivichannel.tk, 1 +vivid-academy.com, 1 +vivide.re, 1 +vividinflatables.co.uk, 1 +viviendacoomeva.com, 1 +viviennelinettevandenassem.tk, 1 +viviennevandenbos.nl, 1 +vivirenelmundo.com, 1 +vivirenelpoblado.com, 1 +vivo.cam, 1 +vivo.vn, 0 +vivoitaliankitchen.com, 1 +vivoldi.com, 1 +vivos.co.il, 1 +vivoseg.com, 0 +vivreenisrael.com, 1 +vivun.com, 1 +viwsec.com.br, 1 +vixlum.com, 1 +vixonline.com.br, 1 +vixrapedia.org, 1 +viyf.org, 1 +viyoga.co, 1 +vizantia.tk, 1 +vize.ai, 0 +vizedia.ga, 1 +vizeenergetiky.cz, 1 +vizela.pt, 1 +vizierdata.ca, 1 +vizion.com, 1 +vizional.com, 0 +vizirinvestimentos.com, 1 +vizit-obmen.tk, 1 +vizit.ml, 1 +vizit.tk, 1 +vizitfree.ml, 1 +vizitnik.tk, 1 +vizmart.ml, 1 +vizyonpara.com, 1 +vizzarragrup.com, 1 +vjeff.com, 1 +vjeff.net, 1 +vjk.dk, 1 +vjn.ee, 1 +vjqlifestyle.com, 1 +vjshi.xyz, 0 +vjshop.vn, 1 +vjuliano.net, 1 +vk-agent.ru, 1 +vk-group.com, 1 +vk-k.com, 1 +vk-random.ml, 1 +vk-srv.ru, 1 +vk.group, 1 +vk.nl, 1 +vk09.ru, 1 +vk1fj.net, 1 +vk2.net, 1 +vk4msl.com, 1 +vkarpaty.tk, 1 +vkavkaz.tk, 1 +vkb-remont.ru, 1 +vkcombo.ru, 1 +vkennke.org, 1 +vkfaces.com, 1 +vkfish.ga, 1 +vkflac.tk, 1 +vkg.nl, 0 +vkgroup.az, 1 +vkh-online.de, 1 +vkikaku.com, 0 +vkino.com, 0 +vkino.ml, 1 +vkirichenko.name, 1 +vkirienko.com, 1 +vklikers.tk, 1 +vkolledzhe.tk, 1 +vkontakte-poisk.ru, 1 +vkox.com, 1 +vkrutilca.tk, 1 +vksportphoto.com, 1 +vkst-field-trials.dk, 1 +vkstaticcdn.ru, 1 +vkstaticcontent.ru, 1 +vkstream.tk, 1 +vkulagin.ru, 1 +vkusercontent.ru, 1 +vkusniy.shop, 1 +vkusnyashka.tk, 1 +vkustradicii.com.ua, 1 +vkusvill.ru, 1 +vl.cloudns.cc, 1 +vl9.de, 1 +vlaamsegemeenschap.tk, 1 +vlaamsetollers.tk, 1 +vlaardingen-enzo.tk, 1 +vlachoshome.com, 1 +vladgazeta.gq, 1 +vladikavkaz-city.tk, 1 +vladimir-chanaev.pro, 1 +vladimir.ml, 1 +vladimirbatrakov.tk, 1 +vladimirchernyshov.ml, 1 +vladimirkarpets.tk, 1 +vladimirovka.ml, 1 +vladimirpenev.tk, 1 +vladivostok-city.tk, 1 +vladivostok.cf, 1 +vladivostok.tk, 1 +vladivostokportal.tk, 1 +vladmoraru.org, 1 +vladreview.com, 1 +vladsfads.com, 1 +vladwp.com, 1 +vlaggen-landen.nl, 1 +vlajo.org, 1 +vlak.hr, 1 +vlakem.net, 1 +vlance.gq, 1 +vlasov.ml, 1 +vlasova-sova.ml, 1 +vlccrussia.ru, 1 +vlci-doupe.cz, 1 +vldkn.net, 1 +vldz.co, 1 +vle.lt, 1 +vleacademy.com, 1 +vleague.tk, 1 +vleesbesteld.nl, 1 +vleij.com, 0 +vleij.family, 1 +vleij.se, 1 +vleo.me, 1 +vlh.dk, 1 +vliegendklokske.com, 1 +vliegherrie.nl, 1 +vlijmscherrup.tk, 1 +vlike.ml, 1 +vlissingse-oratoriumvereniging.nl, 1 +vlndc.org, 1 +vlnv.ca, 1 +vloeck.de, 1 +vloggerfaire.com, 1 +vloggerspace.tk, 1 +vlos.com.pl, 1 +vlovgr.se, 1 +vltonline.org, 1 +vlzbazar.ru, 1 +vm-0.com, 1 +vm.co.mz, 0 +vm.ee, 0 +vm0.eu, 1 +vm88.top, 0 +vmagadane.tk, 1 +vmath.my.id, 1 +vmautorajkot.com, 1 +vmaxleclub.com, 1 +vmc.co.id, 1 +vmccnc.com, 1 +vmconnected.co.uk, 1 +vmedia.ca, 1 +vmf365.tk, 1 +vmgirls.com, 0 +vmhydro.ru, 0 +vmis.nl, 1 +vmlze.cz, 1 +vmm.pw, 1 +vmninja.io, 1 +vmoagents.com, 0 +vmock.com, 1 +vmoe.info, 1 +vmotosoco.lv, 0 +vmst.io, 1 +vmsurgery.org, 1 +vmug.pl, 1 +vmurmanske.tk, 1 +vn.search.yahoo.com, 0 +vn58.com, 1 +vnanet.vn, 1 +vnctdj.fr, 1 +vnd.cloud, 1 +vndb.org, 1 +vneftekamske.tk, 1 +vnetboard.com, 1 +vnikolaev.tk, 1 +vnlfrk.com, 1 +vnministries.org, 1 +vnovosibirske.tk, 1 +vns168.vip, 0 +vns377c.com, 0 +vns377d.com, 0 +vns377e.com, 0 +vns377f.com, 0 +vns377g.com, 0 +vns377h.com, 0 +vns377i.com, 0 +vns377j.com, 0 +vns3780.com, 1 +vns5020.com, 0 +vns5151.com, 0 +vns5353.com, 0 +vns5656.com, 1 +vns5757.com, 0 +vns5858.vip, 1 +vns5959.com, 0 +vns6161.com, 0 +vns6262.com, 0 +vns6363.com, 0 +vns6565.com, 0 +vns6767.com, 0 +vns68611.com, 0 +vns68655.com, 1 +vns68669.com, 1 +vns6868.com, 0 +vns6868.vip, 1 +vns68722.com, 1 +vns6969.com, 0 +vnsc.org, 1 +vnumngr.com, 1 +vnxf.vn, 1 +vnya.loan, 1 +vo-vse-tyajkie.online, 1 +voanaboa.pt, 1 +voatz.com, 1 +vobe.io, 1 +vobis.pl, 1 +vocably.de, 1 +vocaloid.my, 1 +vocalviews.com, 1 +vocationaujourdhui.fr, 1 +vocationnetwork.org, 1 +vocomo.de, 1 +voctto.com.br, 1 +vocus.aero, 1 +vocustest.aero, 1 +vod.uk.com, 0 +vodadombay.cf, 1 +vodafone.com.gh, 1 +vodavoda.tk, 1 +vodb.org, 1 +voddinteriors.com, 1 +vodicak.info, 1 +vodicaknapocitac.sk, 1 +voditel.ua, 1 +vodix.nl, 1 +vodpay.com, 1 +vodpay.net, 1 +vodpay.org, 1 +voeding-en-fitness.nl, 1 +voetbalclubinfo.tk, 1 +voetbalforum.tk, 1 +voetbalindestad.be, 1 +voetbaloptv.nl, 1 +voetbalvanavond.nl, 1 +voetbalwedden.net, 0 +voetbalwedstrijdenvandaag.nl, 1 +voetenreflexmassage.nl, 1 +voetfit47.nl, 1 +voetpunttwente.nl, 1 +voeux.io, 0 +voevm.at, 0 +voevodin.tk, 1 +vofem.ru, 1 +voffka.com, 1 +vofwittenbergwi.gov, 1 +vofy.cz, 1 +vogel-verhuizingen.nl, 1 +vogelbus.ch, 1 +vogelwereld.tk, 1 +vogler.name, 1 +vogt.sh, 1 +vogt.works, 1 +vogue.co.uk, 1 +vogue.cz, 1 +vogue.gr, 1 +voguefabricsstore.com, 1 +voguefrontier.tk, 1 +voi.ch, 1 +voice-of-design.com, 1 +voice-pic.com, 1 +voice.gov.au, 1 +voicedata.tk, 1 +voicemaker.in, 1 +voicenation.com, 1 +voiceofcricket.tk, 1 +voiceofserbia.tk, 1 +voicesoflabor.com, 1 +voicesofspirit.at, 1 +voicesuk.co.uk, 1 +voicu.ch, 0 +voidancerecords.com, 1 +voidbbs.com, 1 +voidbits.io, 1 +voidbot.ai, 1 +voidcore.org, 1 +voide.club, 1 +voidge.cf, 1 +voidhacker.com, 1 +voidi.ca, 1 +voidma.in, 1 +voidpay.com, 1 +voidpay.net, 1 +voidpay.org, 1 +voidscrawl.com, 1 +voidx.top, 1 +voigt-it.solutions, 1 +voileux.org, 1 +voimix.ee, 1 +voinuocsago.com, 1 +voinuocthienmy.com, 1 +voipforbusiness.tk, 1 +voiretmanger.fr, 1 +voiretrevu.ca, 1 +voirfilms.live, 1 +voitolla.com, 1 +voivoinfotech.com, 1 +voix-bien-etre.com, 0 +vojenshandicap.dk, 1 +vojk.au, 1 +vojtat.cz, 1 +vokabl.io, 1 +vokativy.cz, 1 +vokieciupamokos.lt, 1 +vokimberlywi.gov, 1 +vokov.ml, 1 +vokrug.ga, 1 +vokurka.net, 1 +vokzalkursk.ru, 1 +vokzalperm.ru, 1 +volant.digital, 0 +volantinaggioaroma.it, 1 +volarikcapital.eu, 1 +volatile.pw, 1 +volatilesystems.org, 1 +volatilethunk.com, 1 +volatiliza.ga, 1 +volatimer.com, 1 +volcain.io, 1 +volcanconcretos.com, 1 +volcano-irkutsk.ru, 1 +volcano-kazan.ru, 1 +volcano-spb.ru, 1 +volcano-ug.ru, 1 +volcano-vts.ru, 1 +volcano-x.ru, 1 +volcano.lt, 1 +volcano24.ru, 1 +volcano75.ru, 1 +volcanov.ru, 1 +volchara.tk, 1 +volebnipruzkum.eu, 1 +volga.us, 0 +volgar.name, 1 +volgares.ru, 1 +volgavibes.ru, 0 +volgograd-34.tk, 1 +volgograd-privolzskiy.ga, 1 +volgograd34.tk, 1 +volha.tk, 1 +volichat.com, 1 +volin.tk, 1 +volk.ga, 1 +volk.gq, 1 +volkanyilmaz.com.tr, 1 +volker-gropp.de, 1 +volkergropp.de, 1 +volkerwesselstransfer.nl, 1 +volkerwesselswave.nl, 0 +volki.ga, 1 +volki.ml, 1 +volkov.ga, 1 +volksbaufi.de, 1 +volksbaugeld.de, 1 +volksbauzins.de, 1 +volkshypothek.de, 1 +volkskrant.nl, 1 +volkstuinwaregem.tk, 1 +volksvorschlagpmar.ch, 1 +volkswagen.io, 1 +volkswagengolf.tk, 1 +volkswagenmiennam.com.vn, 1 +volkswagensaigon.com.vn, 1 +volkswagensaigon.net, 0 +volkswurst.de, 1 +vollenberg.ca, 1 +volleyballcityofpreston.tk, 1 +volleyballnews.tk, 1 +volleyfreaks.tk, 1 +volleypatos.tk, 1 +vollmondstollen.de, 1 +volnamobile.ru, 1 +volochaevskiy.tk, 1 +volochisk.tk, 1 +voloder.net, 1 +voloevents.com, 1 +vologda-city.ga, 1 +vologda-city.tk, 1 +volosi.cf, 1 +volosi.tk, 1 +voloskova.ru, 1 +volqanic.com, 1 +volreinsistemas.com, 1 +volshebniki.ua, 1 +volt.fm, 1 +volta.io, 1 +voltageelectricity.tk, 1 +voltainsite.com, 1 +voltarengelprice.tk, 1 +voltarengeneric.tk, 1 +voltcloud.net, 1 +voltechtransformer.in, 1 +voltfloyd.com, 1 +volthemes.com, 1 +voltiac.ml, 1 +volto.io, 1 +voltrix.net, 1 +volubilisplus.fr, 1 +volunka.ml, 1 +volunteerham.com, 1 +volunteerhere.ga, 1 +volunteers.tk, 1 +volunteertherealuganda.com, 1 +voluntourism.ga, 1 +volusia.gov, 1 +volusiaelections.gov, 1 +volusiasheriff.gov, 1 +volusiavotes.gov, 1 +volvo1800es.tk, 1 +volvoconnect.com, 1 +vom-achterhof.de, 1 +vomitoxin.ga, 1 +vommu.be, 1 +vomsee.eu, 1 +von-haselberg.de, 1 +vonauw.com, 0 +vonborstelboerner.de, 1 +vonckers.tk, 1 +voncurr.com, 1 +vondenstein.com, 1 +vonfurstenrechtstables.nl, 1 +vonimus.com, 1 +vonitsanet.gr, 1 +vonjohanson.de, 1 +vonkuenheim.de, 1 +vonniehudson.com, 1 +vonpawn.com, 1 +vonski.pl, 1 +vonsponneck.tv, 1 +vonsuri.com, 1 +voodoo-crm.com, 1 +voodoobeginner.com, 1 +voodoocat.cf, 1 +voodooshaman.com, 1 +vooh.in, 1 +vookstock.tk, 1 +voom.pt, 1 +voorde.lol, 1 +voornaam-at-achternaam.be, 1 +vooruitmetjevereniging.nl, 1 +vooxia.xyz, 1 +vop.li, 1 +voprosnik.gq, 1 +voprosownet.tk, 1 +voquent.com, 1 +vorbrodt.blog, 1 +vorderklier.de, 1 +vorlage-musterbriefe.de, 1 +vorlage-mustervertrag.de, 1 +vorlagen-geburtstagsgruesse.de, 1 +vorlif.org, 1 +vorlonempire.org, 1 +vorm2.com, 1 +vorona.tk, 1 +vort-x.com.my, 1 +vortari.tk, 1 +vorte.ga, 1 +vortexevents.net, 1 +vortexhosting.ga, 1 +vortix.tk, 1 +vos-fleurs.ch, 1 +vos-fleurs.com, 1 +vos-systems.com, 1 +vos-systems.es, 1 +vos-systems.eu, 1 +vos-systems.net, 1 +vos-systems.org, 1 +vos.directory, 1 +vosges-tourisme.net, 1 +vosgym.jp, 1 +vosjesweb.nl, 1 +vosk-cream.tk, 1 +vosn.de, 1 +voss-klinik.com, 1 +voss-zaehne.com, 1 +voss-zaehne.de, 1 +vosselaer.com, 1 +vosser.de, 1 +vostok-zapad54.ru, 1 +vostronet.com, 1 +vot-tak-vot.tk, 1 +votajeffcoco.gov, 1 +votan.cf, 1 +vote.gov, 1 +vote.nz, 1 +vote.org, 1 +votealachua.gov, 1 +votebradfordfl.gov, 1 +votebrevard.gov, 1 +votebymail.gov, 1 +votecalhounfl.gov, 1 +votechestercountytn.gov, 1 +votecitrus.gov, 1 +voteclaycountymo.gov, 1 +votecolumbiafl.gov, 1 +votedenton.gov, 1 +votefloydva.gov, 1 +votefranklinfl.gov, 1 +voteglades.gov, 1 +votegulf.gov, 1 +votehamiltoncountyohio.gov, 1 +votehighlands.gov, 1 +votehillsborough.gov, 1 +voteid.ca, 1 +voteidaho.gov, 1 +voteindianriver.gov, 1 +votejacksonfl.gov, 1 +votejeffcoco.gov, 1 +votekansas.gov, 1 +voteks.gov, 1 +votelevy.gov, 1 +votemarion.gov, 1 +votemate.org, 1 +votemt.gov, 1 +votenassaufl.gov, 1 +voteokaloosa.gov, 1 +voteokeechobee.gov, 1 +voteosceola.gov, 1 +votepalmbeach.gov, 1 +votepinellas.gov, 1 +voter-info.uk, 1 +voterconnect.ie, 1 +voteridforme.com, 1 +voterockfordil.gov, 1 +votes-reu.ml, 1 +votesantarosa.gov, 1 +votescotttn.gov, 1 +voteseminole.gov, 1 +votesjc.gov, 1 +votetomgreencounty.gov, 1 +voteurl.cf, 1 +votewa.gov, 1 +votewalton.gov, 1 +votocek.cz, 0 +votockova.cz, 0 +votoot.com, 1 +votre-agence-web.com, 1 +votrepolice.ch, 0 +votresiteweb.ch, 0 +votrespace.ca, 1 +vouchers4u.com, 1 +voucherx.co.uk, 1 +vought-vip.com, 1 +vous-etre-utile-ceidf.fr, 1 +vous-les-jeunnes.tk, 1 +vousnousils.fr, 1 +vov.furniture, 1 +vova.loan, 1 +vovac.tk, 1 +vovachka.tk, 1 +vovkamagazine.tk, 1 +vovladikavkaze.ru, 1 +vovo4ka.tk, 1 +vowsy.club, 0 +vox.de, 1 +voxbras.com.br, 1 +voxeaarecords.com, 1 +voxel.ax, 1 +voxel.cat, 1 +voxel.sh, 1 +voxelcat.de, 1 +voxelcat.jp, 1 +voxeljet.com, 1 +voxengo.com, 1 +voxfa.com, 1 +voxfilmeonline.net, 1 +voxio.nl, 1 +voxpopuli.com, 1 +voxturba.com, 0 +voxx1116.com, 1 +voyage-martinique.fr, 1 +voyage2africa.com, 1 +voyagedeductible.com, 1 +voyageforum.com, 1 +voyageofyume.com, 1 +voyages-groupes-transgallia.com, 1 +voyagesvoyages.net, 1 +voyagewd.world, 1 +voyagewiki.com, 1 +voyagewiki.org, 1 +voyainvestments.com, 1 +voyaker.tk, 1 +voyance-direct.info, 1 +voyancedanslenord.com, 1 +voyeurspyporn.com, 1 +vozami.com, 1 +vozbudim.tk, 1 +vozdux.tk, 1 +vozelocucao.com.br, 1 +vozhatik.cf, 1 +vozhuo.cf, 1 +vozolmarketim.com, 1 +vozpopuli.com, 1 +vp-arc.org, 1 +vparilke.su, 1 +vpetkov.tk, 1 +vpn-suomi.fi, 1 +vpn-sverige.se, 1 +vpn.ht, 1 +vpn4free.ga, 1 +vpnalert.com, 1 +vpnbrains.com, 1 +vpnclient.ru, 1 +vpnemail.com, 1 +vpnent.com, 1 +vpnhongkong.gq, 1 +vpnmag.fr, 1 +vpnpro.com, 1 +vpnservice.nl, 1 +vpoltave.info, 1 +vporno.video, 1 +vpr.expert, 1 +vprotect.ga, 1 +vps-green.com, 1 +vps.auction, 1 +vps.chat, 1 +vps.discount, 1 +vps.hosting, 1 +vps.management, 1 +vps.nl, 1 +vps.tg, 1 +vpsao.org, 1 +vpsboard.com, 1 +vpsdream.dk, 1 +vpsgongyi.com, 0 +vpsji.com, 1 +vpsmore.com, 1 +vpsou.com, 1 +vpsport.ch, 1 +vpsproj.dynu.net, 1 +vpsrussia.com, 1 +vpstrial.net, 1 +vpsvz.cloud, 1 +vpsvz.ninja, 1 +vpswebs.tk, 1 +vpsxhq.com, 1 +vpu-online.com, 1 +vqcymsa.com, 1 +vqebizconsulting.com, 1 +vqeg.org, 1 +vqn.se, 1 +vr-baufi.com, 1 +vr-baufi.info, 1 +vr-baufi24.de, 1 +vr-bauficoncept.de, 1 +vr-baufinanzierung.de, 1 +vr-hypothekenbank.de, 1 +vr-immo-invest.biz, 1 +vr-immo-invest.com, 1 +vr-immo-invest.info, 1 +vr-immobilienkredit.de, 1 +vr-immobilienpool.de, 1 +vr-immocredit.de, 1 +vr-immoexpress.biz, 1 +vr-immoexpress.info, 1 +vr-immoinvest.eu, 1 +vr-immonet.de, 1 +vr-payment.de, 1 +vr-re-bank.org, 1 +vr-realestate.co.uk, 1 +vr-sinterklaashuis.nl, 1 +vr3marcas.com.br, 1 +vrac-drive.ch, 1 +vracdrive.ch, 1 +vrachi.online, 1 +vractive.pl, 1 +vragenlijstsoftware.nl, 1 +vragenvanproust.nl, 1 +vrallart.com, 1 +vramoni.ru, 1 +vran.ga, 1 +vrandopulo.ru, 1 +vravi.tech, 1 +vrba.org, 1 +vrbangers.com, 1 +vrbl.pt, 1 +vrbr.ch, 0 +vrcentrum.cz, 1 +vrchat.community, 1 +vrconk.com, 1 +vrcosplayx.com, 1 +vrcprofile.com, 1 +vrcsearch.com, 1 +vrdennis.tk, 1 +vredesregister.be, 1 +vredesregister.gent, 1 +vreeken-selfstorage.tk, 1 +vreeman.com, 1 +vreemdetante.com, 1 +vreemdetante.eu, 1 +vreemdetante.nl, 1 +vreklame.ml, 1 +vremyachko.tk, 1 +vremyapervyih-hd.tk, 1 +vresonline.gr, 1 +vresportal.co.uk, 1 +vrfoodchannel.com, 1 +vrg-gruppe.de, 1 +vrg.de, 1 +vrgamecritic.com, 1 +vrh.net.au, 1 +vriendenkring-klassiekers.tk, 1 +vriesdonkow.be, 0 +vrifox.cc, 1 +vrij-links.nl, 1 +vrijedomeinnamen.nl, 1 +vrijekunst.tk, 1 +vrijeradio.tk, 1 +vrijgezellen-feest.com, 1 +vrijgezellen-feesten.nl, 1 +vrijgezellenfeestzwolle.com, 1 +vrikshamindia.com, 1 +vrimmoexpress.biz, 1 +vrimmoexpress.eu, 1 +vrimmoinvest.ag, 1 +vrimmoinvest.org, 1 +vrimmoworld.de, 1 +vriresorts.com, 1 +vrisak-generacije.tk, 1 +vrjetpackgame.com, 1 +vrnhn.nl, 1 +vroedvrouwella.be, 1 +vros.co.id, 1 +vrostove.tk, 1 +vrp.moe, 0 +vrre.ag, 1 +vrrebank.info, 1 +vrsmash.com, 1 +vrsystem.com.br, 0 +vrtak-cz.net, 0 +vrtemptation.com, 1 +vrtidaho.gov, 1 +vrtouring.org, 1 +vrumcar.com, 1 +vrzas.net, 1 +vrzl.pro, 1 +vs1177.com, 0 +vs1717.com, 0 +vs2277.com, 0 +vs2828.com, 0 +vs5151.com, 0 +vs603.com, 1 +vs6060.com, 0 +vs6161.com, 0 +vs7711.com, 0 +vs8899.com, 0 +vs9911.com, 0 +vs9977.com, 0 +vsactivity.com, 1 +vsamsonov.com, 1 +vsaratove.tk, 1 +vsatke.tk, 1 +vsc-don-stocksport.de, 1 +vscm888.com, 0 +vscredconsultoria.online, 1 +vsd.sk, 1 +vse-bolezni.tk, 1 +vse-dlya-fermera.tk, 1 +vse-dlya-jinok.tk, 1 +vse-dlya-texniki.tk, 1 +vse-novosti.tk, 1 +vse-potolki.ml, 1 +vse-prosto.tk, 1 +vsean.net, 1 +vsec.co.il, 1 +vsee.com, 1 +vsekulinar.ru, 1 +vsem-reiki.tk, 1 +vsemrabota.ml, 1 +vsenovosti.cf, 1 +vseostile.ml, 1 +vserisuem.ga, 1 +vserus.com, 1 +vserver-preis-vergleich.de, 1 +vseserialy.tk, 1 +vsesrazu-raiffeisen.ru, 1 +vsestiralnie.com, 0 +vsestoki.com, 0 +vsevkusno.tk, 1 +vsevolod.tk, 1 +vsgcommunity.nl, 1 +vshipit.com, 1 +vshop.ir, 1 +vsimosvita.com, 1 +vsl-defi.ch, 0 +vsl.de, 1 +vsmcomunicacao.com.br, 1 +vsnfoto.com, 1 +vsoflavors.com, 1 +vsolovev.com, 1 +vsolvit.com, 1 +vsoy.co.th, 1 +vspin.cz, 1 +vsportage.com, 1 +vss-clan.ml, 1 +vsscr.tech, 1 +vsscrew.tk, 1 +vstavropole.tk, 1 +vstrikovaci-lisy.cz, 1 +vsure.com.au, 1 +vsx.ch, 1 +vsz.me, 1 +vszp.sk, 1 +vtanki.tk, 1 +vtaxi.se, 1 +vtbclub.xyz, 1 +vtbs.moe, 1 +vtcourts.gov, 1 +vtech.com, 1 +vtescebu.com, 1 +vtipe-vylez.cz, 0 +vtivision.com, 1 +vtjud.gov, 1 +vtklan.tk, 1 +vtler-glabbich.de, 0 +vtliving.com, 1 +vtm.be, 1 +vtmgo.be, 1 +vtoroy-kanal.ga, 1 +vtsnetworks.com, 1 +vttnordisere.fr, 1 +vtuber-schedule.info, 1 +vtuber.art, 1 +vtul.io, 1 +vtulinkng.com.ng, 1 +vtupro.com, 1 +vtvnetwork.org, 1 +vtwonen.be, 1 +vtwonen.nl, 1 +vuagym.com, 1 +vuakhuyenmai.vn, 1 +vuath.com, 1 +vucdn.com, 1 +vue-sur-mer.com, 1 +vuefact.com, 1 +vuefactory.io, 1 +vuelacaruru.com, 1 +vuelosabajoprecio.net, 1 +vugt.me, 1 +vuilelakens.be, 1 +vuitimig.com, 1 +vukhoidecor.com, 1 +vulcan-russia.today, 1 +vulcancycling.ga, 1 +vulcannow.ru, 1 +vulcanplatinum-best.com, 1 +vulcanplatinum777-vip.com, 1 +vulcanplatinum777club.com, 1 +vulcanrussia-game.com, 1 +vulcanrussiagame.com, 1 +vuldb.com, 1 +vulgar-teens.tk, 1 +vulkan-24-platinum.ru, 1 +vulkan-platinum-101.ru, 1 +vulkan-platinumclub.ru, 1 +vulkan-russia-pro.com, 1 +vulkan-russia.vip, 1 +vulkan-russiaklub.com, 1 +vulkan.org, 1 +vulkano-online-casino.com, 1 +vulkanplatinum-klub.com, 1 +vulkanprotektor.rs, 1 +vulkanruhe.com, 1 +vulkanruhe.de, 1 +vulkanrussia-avtomat.ru, 1 +vulkanrussia-casinos.com, 1 +vullriede-multimedia.de, 0 +vulndetect.com, 1 +vulndetect.org, 1 +vulnerability.ch, 1 +vulnerabilityscans.nl, 1 +vulnerable.af, 1 +vulnerar.com, 1 +vulners.com, 1 +vulns.sexy, 1 +vulns.xyz, 1 +vulnscan.org, 1 +vulpine.club, 1 +vulpr.com, 1 +vultrhxl.com, 1 +vulyk-medu.com.ua, 1 +vunn.com, 1 +vuojolahti.fi, 0 +vuotila.eu, 1 +vuoto.fi, 1 +vurdst.dk, 1 +vusdigital.com, 0 +vuse.com, 1 +vutrox.com, 1 +vutruso.com, 1 +vux.li, 1 +vuze.camera, 1 +vuzi.fr, 1 +vv066.com, 0 +vv1234.cn, 1 +vv5197.co, 1 +vv6729.co, 1 +vv6729.com, 0 +vv6957.co, 1 +vv9297.co, 1 +vv9728.co, 1 +vvactivia.nl, 1 +vvave.net, 1 +vvcasteren.nl, 1 +vvd.bz, 1 +vvdbronckhorst.nl, 1 +vveactiefbeheer.nl, 0 +vvg-vermietung.de, 1 +vvlemmer.tk, 1 +vvlen.com, 1 +vvoip.org.uk, 1 +vvpn.loan, 1 +vvs.spb.ru, 1 +vvsummer.ml, 1 +vvvvbrest.tk, 1 +vvvvvv.click, 1 +vvvz0.gq, 1 +vvvzeeland.nl, 1 +vvw-8522.com, 1 +vvwraca.gov, 1 +vvzero.cf, 1 +vvzero.com, 1 +vw-touranclub.cz, 1 +vw22.com, 1 +vwcredit.com, 1 +vwforum.ro, 1 +vwfs.ru, 1 +vwfsfcp.com, 1 +vwfsrentacar.co.uk, 1 +vwh-kunden.de, 1 +vwittich.de, 1 +vwoforangeparts.com, 1 +vwp.su, 1 +vwpartsinternational.com, 1 +vwpi.co, 1 +vwsaigon.vn, 0 +vwt-event.nl, 1 +vww-8522.com, 1 +vx.hn, 1 +vxapps.com, 1 +vxl-co.de, 1 +vxl.sh, 0 +vxlabs.de, 1 +vxm.se, 1 +vxz.me, 1 +vyacheslav.ml, 1 +vybavzahradu.cz, 1 +vybeministry.org, 1 +vyber-odhadce.cz, 1 +vyberdomov.cz, 1 +vyberodhadce.cz, 1 +vycius.lt, 1 +vygeja.lt, 1 +vygo.network, 1 +vygo.one, 1 +vyomoverseas.com, 1 +vyorsa.com.mx, 1 +vypij.cz, 1 +vyplnto.cz, 1 +vyre.ovh, 1 +vyresimeonline.cz, 1 +vyroba.site, 1 +vyrubka-derevya.ru, 1 +vys.in, 1 +vyshivanochka.in.ua, 1 +vysko.cz, 1 +vyskocil.com, 1 +vyskocil.eu, 1 +vysoketatry.tk, 1 +vysokij-istochnik.tk, 1 +vysokoe.tk, 1 +vysotka.tk, 1 +vysvetluju.cz, 1 +vyturys.lt, 1 +vyvod-iz-zapoya.online, 1 +vyvygen.org, 1 +vyzner.cz, 1 +vzce.cn, 1 +vzducho-klima.cz, 1 +vzemiseo.com, 1 +vzemisite.com, 1 +vzr-garant.nl, 1 +vzteam.ga, 1 +vzw-muzaik.tk, 1 +vzwregent.be, 1 +vzyatonlinezaim.ga, 1 +vzyatonlinezaim.gq, 1 +vzyatonlinezaim.ml, 1 +vzyatonlinezaim.tk, 1 +vzyatzaimonline.cf, 1 +vzyatzaimonline.ga, 1 +vzyatzaimonline.gq, 1 +vzyatzaimonline.ml, 1 +vzyatzaimonline.tk, 1 +vzzjoias.com.br, 1 +w-architectes.com, 1 +w-hub.ru, 1 +w-oasis.co.jp, 1 +w-p-k.de, 1 +w-spotlight.appspot.com, 1 +w-surgeryhospital.com, 1 +w-w-auto.de, 1 +w-ws.ga, 1 +w.st, 1 +w.wiki, 1 +w0.pw, 1 +w00228.com, 1 +w0102.com, 1 +w03.cn, 1 +w10club.com, 0 +w1n73r.de, 1 +w1nter.xyz, 1 +w2929w.com, 1 +w2ang.cn, 1 +w2ang.com, 1 +w2design.eu, 1 +w2n.me, 1 +w2w.com, 1 +w33b.in, 1 +w365.vip, 0 +w36533.com, 1 +w36594.com, 1 +w398.com, 1 +w3app.nl, 1 +w3ctag.com, 1 +w3ctag.org, 1 +w3d.io, 1 +w3layouts.com, 1 +w3n14izy.cf, 1 +w3n14izy.ga, 1 +w3n14izy.gq, 1 +w3n14izy.ml, 1 +w3n14izy.tk, 1 +w3punkt.de, 1 +w3scan.nl, 1 +w3squad.com, 1 +w40faktory.tk, 1 +w4b.in, 1 +w4eg.de, 1 +w4g-security.com, 1 +w4nvu.org, 1 +w4r.nl, 1 +w4solutions.de, 1 +w4tec.de, 1 +w50.co.uk, 0 +w5050w.com, 1 +w51365.com, 1 +w5197.co, 1 +w5gfe.org, 1 +w60.co, 1 +w61611.net, 1 +w61616.com, 0 +w66133.com, 0 +w66136.net, 0 +w66138.net, 0 +w6616.com, 1 +w661616.com, 0 +w6619.com, 1 +w66938.com, 1 +w6698.com, 0 +w6729.co, 1 +w6729.com, 1 +w6808.com, 1 +w6829.com, 1 +w6832.com, 1 +w6886.com, 1 +w6957.co, 1 +w6957.com, 0 +w7k.de, 1 +w7n.ch, 1 +w8094.com, 1 +w82365.com, 1 +w84.it, 1 +w8605.com, 1 +w8628.com, 1 +w888022.com, 0 +w888033.com, 0 +w888044.com, 0 +w888066.com, 1 +w888077.com, 0 +w888088.com, 0 +w889-line.com, 1 +w889-line.net, 1 +w88clubz.com, 1 +w8less.nl, 1 +w8wat.com, 1 +w9297.co, 1 +w9728.co, 1 +w9nb.radio, 1 +wa-m-web-alpcustomer-portal-caixabank.azurewebsites.net, 1 +wa-m-web-alpcustomer-portal-timfin.azurewebsites.net, 1 +wa-stromerzeuger.de, 0 +wa.me, 1 +waagen.tk, 1 +waaifu.com, 1 +waalsekrook.be, 1 +waani.com, 1 +waavit.com, 1 +waaynex.ch, 1 +waays.eu, 1 +waays.fr, 1 +waayz.eu, 1 +waayz.fr, 1 +wabbel.sa.com, 1 +wabifoggynuts.com, 1 +wabuwa.com, 1 +wacht-auf.de, 1 +wachter.biz, 1 +wachtspoor.nl, 1 +wachtspoor18.nl, 1 +wacken666.com, 1 +wackery.com, 1 +wacky.one, 1 +wackyblackie.eu.org, 1 +wackyblackie.ml, 1 +wackys.com, 1 +wacotrib.com, 1 +wacpericias.com.br, 1 +wade.gdn, 0 +wadebet.com, 1 +wadesboronc.gov, 1 +wadetregaskis.com, 1 +wadidi.com, 1 +wadleyga.gov, 1 +wadsworth.gallery, 1 +wadvisor.com, 1 +waeldertexas.gov, 1 +waelisch.de, 1 +waelti.xxx, 1 +waf.hk, 1 +waf.ninja, 1 +waf.sexy, 1 +wafa4hw.com, 1 +waferscriber.com, 1 +waffeln.jetzt, 1 +waffle-backend-sanggyu.shop, 1 +waffle-sanggyu.tk, 1 +wafflehacks.org, 1 +waffleindex.com, 1 +wafflemakers.ca, 1 +wafni.com, 1 +wagcenter.com, 1 +wage-feeg.gc.ca, 1 +wagesweldandfab.com, 1 +wageverify.com, 1 +waggybytes.com, 1 +wagn3r.de, 1 +wagspuzzle.space, 1 +waguramaurice.cf, 1 +wagyudelicatessen.com, 1 +wahay.org, 1 +wahine.gq, 1 +wahl-co.de, 1 +wahminda.tk, 1 +wahoo-ashland-waverly.com, 1 +wahrnehmungswelt.de, 1 +wahrnehmungswelten.de, 1 +wai-in.com, 1 +wai.run, 1 +waibit.io, 1 +waidfrau.de, 1 +waifu-technologies.com, 1 +waifu-technologies.moe, 1 +waifu.gallery, 1 +waifuist.pro, 1 +waikatowebdesigners.com, 1 +wail.net, 1 +waimanu.io, 1 +waisster.com, 1 +waistawayuk.co.uk, 0 +waitabu.org, 1 +waits.io, 1 +waiwaisw.com, 1 +waiwei.ml, 1 +waixingrenfuli.vip, 1 +wajtc.com, 1 +wak.io, 1 +waka-mono.com, 1 +wakarandroid.com, 1 +wakastream.cc, 1 +wakatime.com, 1 +wake.gov, 1 +wake.net, 1 +wakecounty.gov, 1 +wakecountynorthcarolina.ml, 1 +wakelet.com, 1 +wakenyatulindane.co.ke, 1 +wakeofthepredator.tk, 1 +wakeskincarellc.com, 1 +waketurbulencereport.eu, 1 +wakeupeire.com, 1 +wakeupplatform.com, 1 +wakeupworld.ml, 1 +wakinglighting.com, 1 +wakpamnilake-nsn.gov, 1 +wakullaelectionfl.gov, 1 +wakullavotes.gov, 1 +wakuwakustudyworld.co.jp, 0 +walaa.com.co, 1 +walaamohamed.com, 1 +waldenvt.gov, 1 +waldenwritingcenter.ml, 1 +waldgourmet.de, 1 +waldo.tk, 1 +waldo.vn, 0 +waldorf-augsburg.de, 1 +waldorf-harduf.org, 1 +waldorfdiary.com, 1 +waldparkerwoelfe.tk, 1 +waldpflegeverein.at, 1 +waldportoregon.gov, 1 +waldur.nl, 1 +waldvogel.family, 1 +walent.in, 1 +walentin.co, 1 +walentynki.tk, 1 +walesmaine.gov, 1 +walhal.la, 1 +walian.co.uk, 1 +waligorska.pl, 1 +walk.onl, 1 +walkaround.tk, 1 +walker-foundation.org, 1 +walkera-fans.de, 1 +walkercorp.com.au, 0 +walkercountytx.gov, 1 +walkerfoundation.org.au, 1 +walkergroup.com.au, 1 +walkerinsurance.net, 1 +walkermi.gov, 1 +walkersplayground.tk, 1 +walkfree.org, 1 +walkhighlandsandislands.com, 0 +walkingandcycling.org.uk, 1 +walkingrehabilitation.com, 1 +walkinweb.com, 1 +walklocal.be, 1 +walklocal.gent, 1 +walkman.cloud, 1 +walkman.io, 1 +walkme.com, 1 +walksedona.com, 1 +walksfourpaws.co.uk, 1 +wall-banners.tk, 1 +wall-of-death.co.nz, 1 +wallabag.eu, 1 +wallabag.org, 0 +wallabies.org, 1 +wallace-group.net, 1 +wallacealvesdigital.com.br, 1 +wallacecountyks.gov, 1 +wallacehigh.org.uk, 1 +wallada.tk, 1 +wallaralogistics.com.au, 1 +wallartista.com, 1 +wallbanksweb.net, 1 +wallcs.eu, 1 +wallduck.com, 1 +wallendair.com, 1 +wallers.com, 1 +wallet.google.com, 1 +wallet.pp.ua, 1 +walletconnect.com, 1 +walletconnector.cz, 1 +walletfox.com, 1 +wallethub.com, 1 +wallett.gq, 1 +wallhack.ml, 1 +wallhost.tk, 1 +wallingford.cc, 1 +wallis-inside.ch, 1 +wallisch.pro, 1 +walliscreek.com.au, 1 +wallix.com, 1 +wallmanderstd.se, 1 +wallmarketing.cz, 1 +wallners.se, 1 +wallnj.gov, 1 +wallnot.dk, 1 +wallofclocks.com, 1 +wallpaperstreet.tk, 1 +wallpapertag.com, 1 +wallpaperup.com, 1 +wallrgb.com, 1 +walls.io, 1 +wallsauce.com, 1 +walltech.tk, 1 +walltime.info, 1 +wallumai.com.au, 1 +wally4000.tk, 1 +wallytest.tk, 1 +walma.re, 1 +walnus.com, 1 +walnutcreekca.gov, 1 +walnutcreekpdca.gov, 1 +walnutgrovemo.gov, 1 +walnutvalleywater.gov, 1 +walpu.ski, 1 +walpuski.com, 1 +walruscode.com, 1 +walruses.org, 1 +walrusntiny.com, 1 +walsermedia.com, 1 +walshbanks.com, 1 +walshy.fail, 1 +walter-foerster.de, 1 +walter-mooij-jazztrio.tk, 1 +walter.lc, 1 +waltercedric.com, 0 +waltermulders.be, 1 +walterswholesale.com, 1 +waltravis.com, 1 +waltthirion.com, 1 +walutomat.pl, 1 +walvi.nl, 1 +wamia.wa.gov.au, 1 +wammu.eu, 1 +wamsi.net, 1 +wanabka.tk, 1 +wananavuoutfitters.com, 1 +wanashi.com, 1 +wanda.ch, 1 +wanda76.com, 1 +wanda79.com, 1 +wanda97.com, 1 +wanda98.com, 1 +wandelreizen.eu, 1 +wander.al, 1 +wander.tk, 1 +wanderersfc.tk, 1 +wanderfost.com, 1 +wanderfullcoven.tk, 1 +wanderinghiker.com, 1 +wanderingincaptivity.com, 1 +wanderings.online, 0 +wandystan.eu, 1 +wane.co, 1 +wang.by, 1 +wangbangyu.cf, 1 +wangbangyu.ga, 1 +wangbangyu.gq, 1 +wangbangyu.ml, 1 +wangbangyu.tk, 1 +wangcanmou.com, 1 +wangcun.eu.org, 1 +wangdaijin.com, 1 +wangejiba.com, 0 +wangjiatun.com.tw, 1 +wangluoyunying.com, 1 +wangpedersen.com, 1 +wangpromherb.hu, 1 +wangqiliang.org, 1 +wangql.cn, 1 +wangql.net, 1 +wangqr.org, 1 +wangqr.tk, 1 +wangriwu.com, 1 +wangtanzhang.com, 1 +wangwill.me, 1 +wangyue.blog, 1 +wangzhe100.xyz, 1 +wangzuan168.cc, 1 +wanitasejahtera.com, 1 +wanjuhui.com, 1 +wanlieyan.com, 1 +wannabfit.nl, 1 +wannaknow.tk, 1 +wannaparty.in, 0 +wannapopularnews.cf, 1 +wannaridecostarica.com, 1 +wanorthshoreny.gov, 1 +wantocode.com, 1 +wanybug.cf, 1 +wanybug.ga, 1 +wanybug.gq, 1 +wanybug.tk, 1 +wanzieautomation.com, 1 +wanzieinsuranceservices.com, 1 +waonui.io, 1 +wap-umbrella.tk, 1 +wapa.gov, 1 +wapazewddamcdocmanui6001.azurewebsites.net, 1 +wapazewrdamcdocmanui6001.azurewebsites.net, 1 +wapbd.ga, 1 +wapchan.org, 1 +wapelloia.gov, 1 +wapflash.ml, 1 +wapgame.gq, 1 +wapgu.cc, 1 +wapheat.tk, 1 +wapkarma.tk, 1 +wapkat.tk, 1 +waplumber.com.au, 1 +wapmaster.cf, 1 +wapmaster.ga, 1 +wapnazir.tk, 1 +wapnepal.com.np, 1 +wapnews.tk, 1 +wapnik.tk, 1 +wapo.ro, 1 +wappie.tk, 1 +wapplerbrewing.com, 1 +wapresri.go.id, 1 +wapspaces.tk, 1 +wapsychiatry.com.au, 1 +waptransfer.tk, 1 +wapveil.ml, 1 +waqood.tech, 1 +war-requiem.com, 1 +war-team.com, 1 +waragod.sk, 1 +warbox.ga, 1 +warcraft2016.tk, 1 +warcraftjournal.org, 1 +warcraftwikicz.tk, 1 +ward.nl, 1 +ward2u.com, 1 +wardeath.tk, 1 +wardemons.tk, 1 +warden.navy, 1 +wardnd.gov, 1 +wardogz.tk, 1 +wardonat.tk, 1 +wardow.com, 1 +wardpieters.eu, 1 +wardpieters.online, 1 +wardpieters.xyz, 1 +wardsborovt.gov, 1 +wardslager.com, 1 +warecountyga.gov, 1 +warehost.de, 0 +warehouse-nantes.fr, 1 +warekon.com, 1 +warekon.dk, 1 +waren.io, 1 +waren.one, 1 +warenghem.com, 1 +warengroup.eu, 1 +warengroup.fi, 1 +warengroup.net, 1 +warengroup.org, 1 +warenhosting.com, 1 +warenhuisvandijk.nl, 1 +warenits.at, 0 +warenmedia.com, 1 +warennetworks.com, 1 +warensecurity.com, 1 +wareshoalssc.gov, 1 +warezbook.org, 1 +warezoom.com, 1 +warfarina.com, 1 +warfield.org.uk, 1 +warfighters.de, 1 +wargov.tk, 1 +wargun.ml, 1 +warhaggis.com, 1 +warhistoryonline.com, 0 +warhut.cn, 1 +warid.ga, 1 +warispak.tk, 1 +warking.ml, 1 +warlions.info, 0 +warlords.cf, 1 +warmestwishes.ca, 1 +warmlyyours.com, 1 +warmservers.com, 1 +warmtepomp.express, 1 +warnernh.gov, 1 +waroengkopigazebo.net, 1 +warofelements.de, 1 +waronbrain.com, 1 +warp-radio.net, 1 +warpsubmitter.tk, 1 +warr.ath.cx, 1 +warramir.net, 1 +warrantycontracts.ga, 1 +warrantynowvoid.com, 1 +warrencampdesign.com, 1 +warrencountyga.gov, 1 +warrencountyia.gov, 1 +warrencountyil.gov, 1 +warrencountynj.gov, 1 +warrencountypa.gov, 1 +warrencountyva.gov, 1 +warrenct.gov, 1 +warrenfisher.net, 1 +warrenhousevets.co.uk, 1 +warrenmi.gov, 1 +warrenri.gov, 1 +warrentwpstjosephco-in.gov, 1 +warringtonkidsbouncycastles.co.uk, 1 +warringtonsownbuses.co.uk, 1 +warriorofmars.com, 1 +warrock-es.tk, 1 +warrs.com, 1 +wars.cat, 1 +warschild.org, 1 +warsh.moe, 1 +warsonco.com, 0 +warspot.ru, 1 +warszawa-pranie-dywanow.pl, 1 +warszawa19115.pl, 0 +warszawska285.pl, 1 +wartabank.com, 1 +warteg.com, 1 +warteg.net, 1 +wartegseberangsana.com, 1 +warthog.ml, 1 +wartimecontracting.gov, 1 +wartorngalaxy.com, 1 +wartraining.com.br, 1 +wartung.tk, 1 +warubbermate.co.th, 1 +warungmini-vanwou.nl, 1 +warupu.com, 1 +warwickbucks.gov, 1 +warworld.ml, 1 +was.ch, 1 +wasabiwallet.co, 1 +wasabiwallet.io, 1 +wasatchconstables.com, 1 +wasatchcounty.gov, 1 +waschmaschinen-dienst.de, 1 +waschpark-hantschel.de, 1 +wasdestek.tk, 1 +wasema.com, 1 +wasfestes.de, 1 +wasfuereintheater.com, 1 +wash-house.tk, 1 +washa.tv, 1 +washabich.ch, 1 +washabich.de, 1 +washburnclarkwi.gov, 1 +washburnenglishschool.tk, 1 +washcowi.gov, 1 +washcowisco.gov, 1 +washed-house.info, 1 +washerrepairaustin.com, 1 +washify.com, 1 +washington-ma.gov, 1 +washingtoncopa.gov, 1 +washingtoncountyar.gov, 1 +washingtoncountyhomeoh.gov, 1 +washingtoncountyid.gov, 1 +washingtoncountymn.gov, 1 +washingtoncountyne.gov, 1 +washingtoncountyor.gov, 1 +washingtoncountysheriffne.gov, 1 +washingtoncountytx.gov, 1 +washingtoncountywi.gov, 1 +washingtonenergy.com, 1 +washingtonnewsz.com, 1 +washingtontwpacpa.gov, 1 +washingtonviews.com, 1 +washingtonwatchdog.org, 1 +washoecounty.gov, 1 +washroomcubicles.co.uk, 1 +washsolucoesemlimpeza.com.br, 1 +washtenaw.gov, 1 +washub.org.uk, 1 +washup.tk, 1 +wasi-net.de, 1 +wasielewski.com.de, 1 +wasistderunterschied.com, 1 +wasp.host, 1 +wass.ga, 1 +wassenaar.org, 0 +wasser-technik-rottal.de, 1 +wassermanx.com, 1 +wassim.is, 1 +wastewaterservicesltd.co.uk, 0 +wastewise.com, 0 +wasticker.ru, 1 +wastrel.ch, 1 +wasys.com.br, 1 +wat.sh, 1 +wataclinic.com, 1 +watari-bg.com, 1 +watashi.bid, 1 +wataugatx.gov, 1 +watboeithet.nl, 1 +watch-host.ga, 1 +watch-wiki.org, 1 +watchamovie.ga, 1 +watchcom.co.za, 1 +watchcom.org, 1 +watchcom.org.za, 1 +watchcow.org, 0 +watchdis.tv, 1 +watchdogs.tk, 1 +watchersrealm.tk, 1 +watchface.watch, 1 +watchfreeonline.co.uk, 1 +watchinventory.com, 1 +watchjavidol.com, 0 +watchmetech.com, 1 +watchmoviesgallery.com, 1 +watchmoviesreel.com, 1 +watchparts-and-tools-okayama.co.jp, 1 +watchpeopledie.tv, 1 +watchporninpublic.com, 1 +watchpsllive.com, 1 +watchstyle.com, 1 +watcht20worldcup.com, 1 +watchthis-svp.com, 1 +watchtogether.ch, 1 +watchtolearn.co, 1 +watchurdiet.com, 1 +watchweasel.com, 1 +water-filters.tk, 1 +water-for-africa.org, 1 +water-polo.tk, 1 +water-valley.tk, 1 +water.com, 1 +waterandhealth.org, 1 +waterbassoon.eu.org, 1 +waterborefiji.com, 1 +waterboromaine.gov, 1 +watercold.cool, 1 +waterdogsmokehouse.com, 1 +waterdownmedia.co.uk, 1 +waterdrop.tk, 1 +waterdropcultureproject.com, 1 +waterest.tk, 1 +waterfedpole.com, 0 +waterfordstoves.ie, 1 +waterfordvt.gov, 1 +waterfordwi.gov, 1 +waterforlifecharity.org, 1 +waterheaterleaguecity.com, 1 +waterhouse.tk, 1 +waterjet.com.ru, 1 +waterjet.my, 1 +waterjets.jp, 1 +waterjetsale.com, 1 +waterlanders.tk, 1 +waterlandtuinen.be, 1 +waterleeftinbeek.nl, 1 +waterlemons2k.top, 1 +waterlens.moe, 1 +waterliteracy.tk, 1 +waterloo-abba-show.de, 1 +waterloofaucets.com, 1 +waterlootwpmi.gov, 1 +watermarkktp.com, 1 +watermarkly.com, 0 +watermonitor.gov, 1 +wateroutlook.com, 1 +waterpoint.tk, 1 +waterpolosantona.tk, 1 +waterpolospain.tk, 1 +waterpumps.xyz, 1 +waterpumpu.com, 1 +waterpurificationsupplies.com, 1 +watersb.org, 1 +waterschaplimburg.nl, 1 +waterside-inn.co.uk, 1 +waterside-residents.org.uk, 1 +watersky.tk, 1 +waterslide-austria.at, 0 +watersoul.com, 1 +watersource.ga, 1 +waterstreetloft.com, 1 +watertaxi.com, 1 +waterton.tk, 1 +watertorenstraat.tk, 1 +watertownmi.gov, 1 +watertownmn.gov, 1 +watertownwi.gov, 1 +watertrails.io, 1 +waterville-estatesnh.gov, 1 +watervillevalleynh.gov, 1 +watervillewomenscare.com, 1 +waterworkscondos.com, 1 +watestsite.ovh, 1 +watfordcyclehub.org.uk, 1 +watfordjc.uk, 1 +watgroeitwaar.com, 1 +watgroeitwaar.eu, 1 +watgroeitwaar.net, 1 +watgroeitwaar.nl, 1 +watgroeitwaar.org, 1 +wathory.com, 1 +watisleukemie.tk, 1 +watismijnbandenspanning.nl, 1 +watongaok.gov, 1 +watoo.tech, 1 +watsonsurplus.com, 1 +watsontownshipmi.gov, 1 +wattlefieldpottery.co.uk, 1 +wattmaedchen.de, 1 +watto29.co.jp, 1 +wattpad.com, 1 +wattstrading.co.uk, 1 +watvindtnederland.com, 1 +watzijnmijnkerntalenten.nl, 1 +waukee.gov, 1 +waukeect.com, 1 +waupacacounty-wi.gov, 1 +waupacawi.gov, 1 +wausharacountywi.gov, 1 +wauwatosa.gov, 1 +wav-productions.com, 1 +wav.tv, 1 +wave-cockpit.de, 1 +wave-electronics.com, 0 +wave-inc.co.jp, 1 +wave.is, 1 +wave.md, 1 +wave.red, 1 +waveburst.net, 1 +waveestetic.com, 1 +waveletscreative.org, 1 +wavelifesciences.com, 1 +wavenetwork.com.au, 1 +wavengine.com, 1 +wavered.cf, 1 +waverlypa.gov, 1 +waverlytn.gov, 1 +wavesboardshop.com, 1 +wavesite.tk, 1 +wavin.com, 1 +wawak.pl, 1 +wawapuquy.com, 1 +wawarsingny.gov, 1 +wawasansejarah.com, 1 +wawshop.cz, 1 +wawuwe.com, 1 +waxcollectibles.com, 0 +waxdramatic.com, 1 +waxlrs.com, 1 +way2earning.com, 1 +way2tech.de, 1 +waya0125.com, 1 +wayaberolodge.com, 1 +waybinary.com, 1 +waycoolmail.tk, 1 +waycraze.com, 1 +waycrossga.gov, 1 +wayfairertravel.com, 0 +wayfarium.com, 1 +wayleadr.com, 1 +waynecountyil.gov, 1 +waynecountymi.gov, 1 +waynecountymo.gov, 1 +waynecountyne.gov, 1 +waynecountyny.gov, 1 +waynecountyoh.gov, 1 +waynefarms.com, 1 +wayneforeman.com, 1 +waynefranklin.com, 1 +waynehartman.com, 1 +wayneo.tk, 1 +waynerushbodywork-massage-tauranga-rotorua-bayofplenty-bop.co.nz, 1 +waynesboropa.gov, 1 +waynetworking.com, 1 +waynewashcowi.gov, 1 +wayofleaf.com, 1 +wayohoo.net, 1 +waysandlore.consulting, 1 +waysandlore.fr, 1 +wayscript.io, 1 +waysport.ua, 1 +waytofreedom.tk, 1 +waytogrow.com, 1 +waytt.cf, 1 +wayuanma.com, 0 +wazdan.com, 1 +waze.com, 1 +wazefaher.tk, 1 +wazeibra.com, 1 +wazuh.com, 1 +wazzap.tk, 1 +wb-cw.tech, 1 +wb256.com, 1 +wb6668.net, 1 +wba.or.at, 1 +wbbauth.de, 1 +wbbwbwebweb.cf, 1 +wbca.ca, 1 +wbcasaverde.co, 1 +wbci.us, 0 +wbclink.io, 1 +wbeme2.com, 1 +wbenoordoostpolder.nl, 1 +wbeuil.com, 1 +wbg.li, 1 +wbh.im, 1 +wbhrb.in, 1 +wbldc.in, 1 +wblinks.com, 1 +wbnet.eu, 1 +wbolt.com, 1 +wbookcompany.com, 1 +wbphed.gov.in, 1 +wbsentinel.com, 1 +wbsogids.nl, 1 +wbss.it, 1 +wbt-solutions.ch, 1 +wbt-solutions.net, 1 +wbtechnologie.nl, 1 +wbtenders.gov.in, 1 +wbudd.com, 1 +wbut.ml, 1 +wby.by, 1 +wby.tw, 1 +wc3modding.ml, 1 +wc64.org, 1 +wca.link, 1 +wcally.com, 1 +wcarc.ca, 1 +wcat.in, 1 +wcatherinekendall.co.uk, 1 +wccu.coop, 1 +wcei.com.au, 1 +wcema-ok.gov, 1 +wcfauth.de, 1 +wcfcourier.com, 1 +wcgskibbereen.ie, 1 +wchuan.cn, 1 +wck.com, 1 +wcl.govt.nz, 1 +wcloud.pro, 1 +wcn.life, 0 +wcools.tk, 1 +wcpo.com, 1 +wcrca.org, 0 +wcru.one, 1 +wcs.rs, 1 +wcsoe.gov, 1 +wcss.com, 1 +wctsite.tk, 1 +wcwcd.gov, 1 +wcwcg.net, 1 +wd-api.com, 0 +wd-img.com, 1 +wd-ljt.com, 1 +wd.is, 1 +wd627.com, 1 +wd976.com, 0 +wdambv.nl, 1 +wdcvalencia2022.com, 1 +wdesign.cl, 1 +wdesk.com, 1 +wdf.ink, 1 +wdgpublichealth.ca, 1 +wdic.org, 1 +wdkpurple.lgbt, 1 +wdmcheng.cn, 1 +wdmg.com.ua, 1 +wdmleds.com, 1 +wdmpa.eu.org, 1 +wdmpa.org, 1 +wdnmd.ac.cn, 1 +wdntcr.com, 1 +wdo.org, 1 +wdodelta.nl, 0 +wdol.gov, 1 +wdophoto.com, 1 +wdpapi.io, 1 +wdpui.io, 1 +wdrl.info, 0 +wdsdownload.cf, 1 +wdstrings.com, 1 +wdt.cz, 0 +wdtcinfo.com, 1 +we-bb.com, 1 +we-listen.org, 1 +we-run-linux.de, 1 +we-use-linux.de, 1 +we.serveftp.net, 1 +we168168.com, 1 +we5688.net, 1 +we9988.net, 1 +weacceptbitcoin.gr, 1 +wealthadvisorsmf.com, 1 +wealthadvisorstrust.com, 1 +wealthcreationsolutions.ga, 1 +wealthprofessional.ca, 1 +wealthprojector.com, 1 +wealthprojector.com.au, 1 +wealthsimple.com, 1 +wealthsuccess.edu.vn, 1 +wear-largesizes.tk, 1 +wear-referrals.co.uk, 1 +wear1015.ml, 1 +wear2work.nl, 1 +wearandcare.net, 1 +weare.ie, 1 +weare1inspirit.com, 1 +wearebase.com, 1 +wearebfi.co.uk, 1 +wearecreator.uk, 0 +wearecrew.io, 1 +wearedevs.net, 1 +wearefestival.ml, 1 +weareflo.com, 0 +wearefrantic.com, 1 +wearegenki.com, 1 +wearehackerone.com, 1 +weareher.com, 1 +weareincognito.org, 1 +wearemarketing.com, 1 +wearemojo.com, 1 +wearenh.gov, 1 +wearepapermill.co, 1 +wearepapermill.com, 1 +wearepoo.com, 1 +wearereasonablepeople.com, 1 +wearereasonablepeople.nl, 1 +wearesilverbullet.com, 1 +wearesuma.com, 1 +wearetravellers.nl, 1 +wearetuzag.com, 1 +wearewithyou.org, 1 +weareworldtrippers.com, 1 +wearewp.pro, 1 +wearit.tk, 1 +wearmoi.com, 1 +wearvintage.ml, 1 +wearvr.com, 1 +wearwolf.tk, 1 +weasyl.com, 1 +weather-schools.com, 1 +weather.gov, 1 +weather25.com, 1 +weatherguard.com, 1 +weathermelon.io, 1 +weathermyway.rocks, 1 +weatherproduct.ga, 1 +weavabel.com, 0 +weaveral.gov, 1 +weavers.space, 1 +weaversbazaar.com, 1 +weavile.art, 1 +web-3.ru, 1 +web-advisor.co.uk, 1 +web-aps.tk, 1 +web-art.cz, 1 +web-biz.fr, 1 +web-business.tk, 1 +web-cms.fr, 1 +web-connected.com, 1 +web-create.ml, 1 +web-creations.tk, 1 +web-creato.tk, 1 +web-demarche.com, 1 +web-design-india.com, 1 +web-design-singapore.sg, 1 +web-design.co.il, 1 +web-dev-qa-db-ja.com, 1 +web-direct.nl, 1 +web-disaster.tk, 1 +web-format.tk, 1 +web-fox23.ru, 1 +web-hotel.gr, 1 +web-industry.pro, 1 +web-is-amigo.tk, 1 +web-it-entwicklung.de, 1 +web-lab.ml, 1 +web-log.ml, 1 +web-masterok.ga, 1 +web-mastery.tk, 1 +web-net.tk, 1 +web-odyssey.com, 1 +web-one.net, 1 +web-online.cf, 1 +web-performance.ch, 1 +web-privacy.tk, 1 +web-redactor.com, 1 +web-redactor.net, 1 +web-ross.gq, 1 +web-ross.tk, 1 +web-siena.it, 1 +web-smart.com, 1 +web-snadno.online, 1 +web-space.design, 1 +web-station.tk, 1 +web-stories.at, 0 +web-studio-kzo.ml, 1 +web-style.tk, 1 +web-tcapwebsite-dev.azurewebsites.net, 1 +web-test.gq, 1 +web-town.tk, 1 +web-treff.de, 1 +web-view.ml, 1 +web-wack.at, 1 +web-warrior.de, 1 +web-worker.cn, 1 +web.ca, 1 +web.de, 1 +web.net, 1 +web1212.top, 1 +web1n.com, 0 +web20indexer.com, 1 +web22.eu, 1 +web2ldap.de, 1 +web2screen.tv, 1 +web3mantra.com, 1 +web404.net, 1 +web50aqui.es, 1 +web74.ga, 1 +web76.tk, 1 +webaam.com, 1 +webachtal.com, 1 +webadiccion.net, 1 +webadicta.net, 1 +webadicto.net, 1 +webadmit.org, 1 +webagentur-flake.de, 1 +webaholic.co.in, 1 +webais.ru, 1 +webal.co.uk, 1 +webambacht.nl, 1 +webanalysissolutions.com, 1 +webandmore.de, 1 +webandsun.com, 1 +webanet.eu, 1 +webannonces.tk, 1 +webanyti.me, 1 +webapky.cz, 1 +webappky.cz, 1 +webapplay.com, 1 +webappperformance.com, 1 +webapps-conception.fr, 1 +webart-factory.de, 1 +webartex.ru, 1 +webasto-moscow.ru, 1 +webastra.fr, 1 +webauthnlogin.com, 1 +webautohelper.com, 1 +webawere.com, 1 +webb.se, 1 +webbankir.com, 1 +webbanquyen.com, 1 +webbgro.com, 1 +webbiz.co.uk, 1 +webblawmaine.com, 1 +webbolivia.tk, 1 +webbricks.ru, 1 +webbuilder.de, 1 +webbureauer.dk, 1 +webby-books.com, 1 +webcafe.tk, 1 +webcam-lisa.ml, 1 +webcam-model.tk, 1 +webcam.ninja, 1 +webcamara.sytes.net, 1 +webcamdream.hu, 1 +webcamera-online.tk, 1 +webcamera.io, 1 +webcamrunetki.ga, 1 +webcams.com, 1 +webcams4date.com, 1 +webcamstudio.hu, 1 +webcamtoy.com, 1 +webcamyoung.tk, 1 +webcaptive.com, 1 +webcaptive.net, 1 +webcarebox.com, 1 +webcargonet.com, 1 +webcarlosmartin.tk, 1 +webcarroseletricos.ga, 1 +webcase.tk, 1 +webcatchers.nl, 0 +webce.com, 1 +webce.de, 1 +webcheck.pt, 1 +webclymber.com, 0 +webcoder.cf, 1 +webcoins.tk, 1 +webcollector.ga, 1 +webcontrol.tk, 1 +webcookies.org, 1 +webcover.fr, 1 +webcrazy.ga, 1 +webcreaciones.net, 1 +webcreativa.tk, 1 +webcreative.tk, 1 +webcrial.com.br, 1 +webcrm.com, 1 +webcurtaincall.com, 1 +webdaddyit.ga, 1 +webdating.tk, 1 +webdemaestrias.com, 1 +webdesign-kall.de, 1 +webdesign-note.jp, 1 +webdesignagency.cf, 1 +webdesigncompanyindia.com, 1 +webdesigner4u.net, 0 +webdesignersinchennai.tk, 1 +webdesignfenua.tk, 1 +webdesignlabor.ch, 1 +webdesignplay.com, 1 +webdesignplayground.io, 1 +webdesignrodgau.de, 1 +webdesignsyourway.net, 1 +webdev-cw.me, 1 +webdev-cw.tk, 1 +webdev.solutions, 1 +webdevelop.ninja, 1 +webdevinsider.pl, 1 +webdevoo.com, 1 +webdgc.ro, 1 +webdieta.tk, 1 +webdietrolequinte.it, 0 +webdig.pt, 0 +webdigital.ca, 1 +webdispo.com, 1 +webdl.org, 1 +webdollarvpn.io, 1 +webdoors.ge, 1 +webdrino.com, 1 +webdrops.nl, 1 +webdushowcase.co.uk, 1 +webeast.eu, 1 +webeck-information-systems.at, 1 +webelement.sk, 0 +webemployed.com, 1 +webencrypt.org, 1 +webengage.com, 1 +webenglish.se, 1 +weber-immobilienberatung.de, 1 +weber911.gov, 1 +webera.lt, 1 +webera.pro, 1 +weberbasin.gov, 1 +weberbasinut.gov, 1 +weberelections.gov, 1 +weberl.com, 1 +webers-webdesign.de, 1 +webescucha.tk, 1 +webest.pl, 1 +webexample.win, 0 +webexp.biz, 1 +webexperts.tk, 1 +webexpertsdirect.com.au, 1 +webfeifei.tk, 1 +webfence.pt, 1 +webfigueras.tk, 1 +webfilings-eu-mirror.appspot.com, 1 +webfilings-eu.appspot.com, 1 +webfilings-mirror-hrd.appspot.com, 1 +webfilings.appspot.com, 1 +webfixers.nl, 1 +webfocus.ph, 1 +webfoersterei.de, 1 +webforce.pt, 1 +webformula.in, 0 +webforthemasses.tk, 1 +webfrenz.com, 1 +webfun.tk, 1 +webgadgets.tk, 1 +webgaku.net, 1 +webgamex.ml, 1 +webgarten.ch, 1 +webgeneric.com, 1 +webgeneric.in, 1 +webgentleman.tk, 1 +webgrow.co.za, 1 +webhackspro.com, 1 +webharvest.gov, 1 +webhelpmedica.com, 1 +webhelpmedica.fr, 1 +webhelyesarcu.hu, 1 +webhero.it, 1 +webhoffmann.de, 0 +webhooks.stream, 1 +webhopp.com, 1 +webhosting-erfahrungen.de, 1 +webhosting4u.email, 0 +webhostingblackfriday.deals, 1 +webhostingempresas.com, 1 +webhostingmagic.com, 1 +webhostingmedia.net, 1 +webhostingpros.ml, 1 +webhostings.org, 1 +webhostingshop.ca, 1 +webhostplan.info, 1 +webhostsg.net, 1 +webhotel24.se, 1 +webhotelli.website, 1 +webhotels.tk, 1 +webhotelsoversigt.dk, 1 +webi.ms, 1 +webi.sh, 1 +webia.in.th, 1 +webika.site, 1 +webimagina.tk, 1 +webinarlist.ro, 1 +webinator.tk, 1 +webinformer.tk, 1 +webini.co, 1 +webinke.ga, 1 +webinnovation.ie, 1 +webinstit.net, 1 +webionite.com, 1 +webiroha.com, 1 +webisle.com, 1 +webisoder.net, 1 +webissues.de, 1 +webitentwicklung.de, 1 +webiz.ro, 1 +webizer.fr, 1 +webjobposting.com, 1 +webkam-sex.com, 1 +webkaroindia.com, 1 +webkato.ru, 1 +webkef.com, 1 +webkeks.org, 1 +webkolektiv.com, 1 +webkorobka.tk, 1 +weblagalera.tk, 1 +weblate.com, 1 +weblate.cz, 1 +weblate.org, 1 +weblead.vip, 1 +weblegion.tk, 1 +weblian.ml, 1 +webliberty.ru, 1 +weblibrary.cf, 1 +weblightnovel.tk, 1 +weblights.ml, 1 +webline.ch, 1 +weblinkcity.tk, 1 +weblinkpedia.com, 1 +weblistposting.com, 1 +weblocus.tk, 1 +weblogia.tk, 1 +weblogic.tk, 1 +weblogzwolle.nl, 1 +webmachine.co.za, 1 +webmail.ee, 1 +webmail.gigahost.dk, 0 +webmail.info, 1 +webmail.mayfirst.org, 0 +webmail.onlime.ch, 0 +webmail.schokokeks.org, 1 +webmama.tk, 1 +webmanagement.berlin, 0 +webmandat.fr, 1 +webmandesign.eu, 1 +webmarcosmarquez.tk, 1 +webmaster16.ml, 1 +webmasterblog.tk, 1 +webmasterhall.com, 1 +webmax.cloud, 1 +webmediaclick.com, 1 +webmediaprint.at, 1 +webmediums.com, 1 +webmedpharmacy.co.uk, 1 +webmeister.org, 1 +webmenedzser.hu, 1 +webmetallica.tk, 1 +webmetering.at, 1 +webmethod.email, 1 +webminders.it, 1 +webmining.gq, 1 +webministeriet.net, 1 +webmonsters.tk, 1 +webmore.fr, 1 +webmotelli.fi, 1 +webmotion.com.au, 1 +webmyhealth.com, 1 +webnames.ca, 1 +webnancy.tk, 1 +webnestify.cloud, 1 +webnetmail4u.com, 1 +webnexty.com, 1 +webnoob.net, 1 +webo.agency, 1 +webo.pl, 1 +weboffice.ro, 1 +weboflies.tk, 1 +webofthingsmarwane.xyz, 1 +weboke.nl, 1 +weboost.com.ar, 1 +weboperater.rs, 0 +webowell.fr, 1 +webpage.com.ua, 1 +webpantry.ga, 1 +webparallax.cf, 1 +webpark.ch, 1 +webpcstudio.com, 1 +webperformance.io, 1 +webpiar.tk, 1 +webpitarque.tk, 1 +webpixelia.com, 1 +webpkgcache.com, 1 +webplace4u.nl, 1 +webplatform.news, 1 +webportail.tk, 1 +webpostingmart.com, 1 +webpostingpro.com, 1 +webpostingreviews.com, 1 +webpot.hu, 1 +webprato.it, 1 +webpresence.tk, 1 +webprice.ga, 1 +webproject.rocks, 1 +webprom.net, 1 +webprostitutki.tk, 1 +webpublishing.tk, 1 +webpubsub.com, 1 +webpunk.tk, 1 +webqam.fr, 0 +webquests.tk, 1 +webrabbit.at, 1 +webradio-maroc.tk, 1 +webrand.com, 1 +webranko.tk, 1 +webrebels.org, 0 +webregie.de, 1 +webregion.tk, 1 +webrepresalia.tk, 1 +webringpeopletogether.com.au, 1 +webs4all.ro, 0 +websa.nl, 1 +websanlamuerte.tk, 1 +websayfasi.biz.tr, 1 +webschool21.ml, 1 +websdesignpro.com, 1 +websec.nu, 1 +websectools.com, 1 +webseitendesigner.com, 0 +webseitenserver.com, 0 +webserve.be, 1 +webserverindia.com, 0 +webshaped.de, 1 +webshipper.com, 1 +webshop.nl, 1 +websika.com, 1 +website-engineering.co.za, 1 +website-traffic.shop, 1 +website.builders, 1 +website999.in, 1 +websitebakers.eu, 1 +websiteboost.nl, 1 +websitecalifornia.cf, 1 +websitecenter.tk, 1 +websitecyber.com, 1 +websitedesignersmalappuram.ga, 1 +websitedesignprice.ga, 1 +websitedirectory.nl, 1 +websiteforyou.nl, 0 +websiteirani.tk, 1 +websitelearners.cf, 1 +websiteleichtgemacht.de, 1 +websitemarketers.tk, 1 +websiteout.ca, 1 +websiteout.net, 1 +websitepromotion.ml, 1 +websiterent.ca, 1 +websites4business.ca, 1 +websitesbymark.co.uk, 0 +websitesbywordpress.com, 1 +websitesdallas.com, 1 +websitesdemos.tk, 1 +websiteservice.pro, 1 +websitesthatwork.biz, 1 +websize.me, 1 +websktop.com, 1 +websmartlink.tk, 1 +websoftba.gq, 1 +websofts.co.in, 1 +websolid.be, 1 +websolutionbd.tk, 1 +websouthdesign.com, 1 +websphere.tk, 1 +webspider.tk, 1 +webspotter.nl, 1 +webssupport.ga, 1 +webstaff.xyz, 1 +webstar.tk, 1 +webstart.nl, 1 +webstats.tk, 1 +webstaurant.com, 1 +webstaurantstore.com, 1 +websteam.tk, 1 +webstellung.com, 1 +webstergrovesmo.gov, 1 +websternytoday.gov, 1 +webstop.tk, 1 +webstore.be, 1 +webstreamworld.ae, 1 +webstreamworld.com, 1 +webstreamworld.sg, 1 +webstu.be, 1 +webstylemedia.com, 1 +websubmissions.tk, 1 +websuccess.ga, 1 +websvetaines.lt, 1 +webtalis.nl, 1 +webtasarim.info.tr, 1 +webtasarim.pw, 1 +webtasarimankara.name.tr, 1 +webtasarimi.tk, 1 +webtasarimostim.name.tr, 1 +webtaxi.cf, 1 +webtechmantra.com, 1 +webtechnicom.net, 0 +webtek.nu, 1 +webtele.ga, 1 +webtele.tk, 1 +webtelegram.eu.org, 1 +webtematica.com, 1 +webter.de, 1 +webthreesome.com, 1 +webtobesocial.de, 1 +webtodito.tk, 1 +webtomsk.tk, 1 +webtoolhost.com, 1 +webtools-eqt.co.nz, 1 +webtoolxl.net, 1 +webtoolxl.nl, 1 +webtop.co.il, 1 +webtoro.com, 1 +webtorrent.io, 1 +webtorrent.tk, 1 +webtostore.fr, 1 +webtransfers.ml, 1 +webtrend.ch, 1 +webtrh.cz, 1 +webtropia.com, 0 +webtrustcr.com, 1 +webuildsite.ga, 1 +webukhost.com, 1 +webullreview.co, 1 +webuniverse.ml, 1 +webunix.ga, 1 +webuyloansfast.com, 1 +webvampiro.tk, 1 +webvanced.nl, 1 +webvenezuela.tk, 1 +webverdienst.tk, 1 +webviewcams.com, 1 +webvpsnet.com, 1 +webvpsnet.org, 1 +webwatchdogs.net, 1 +webwatcher.tk, 1 +webwelearn.com, 1 +webwinkelexploitatie.nl, 1 +webwinkelkeur.nl, 1 +webwinkelwestland.nl, 1 +webwit.pro, 1 +webwweb.com.pl, 1 +webyazilim.biz.tr, 1 +webyazilimankara.com, 1 +webycrea.eu, 1 +webyildiz.com, 1 +webyourself.eu, 1 +webzanem.com, 0 +webzarabotok.tk, 1 +wecanvisit.com, 1 +wecareplatform.nl, 1 +weccode.com, 1 +wechange.de, 1 +wechatify.com, 1 +wecleanbins.com, 1 +wecoach.gg, 0 +wecobble.com, 1 +wecodify.nl, 1 +wecorp.org, 1 +wecreate.ml, 1 +wed13spain.tk, 1 +weda.cf, 1 +wedabout.com, 1 +wedatasolution.com.br, 1 +wedceducation.com, 1 +wedcha.com, 1 +weddinal.com, 1 +wedding-dress-hire.tk, 1 +wedding-e-dress.tk, 1 +wedding-page.ga, 1 +wedding-page.tk, 1 +wedding-transportation.com, 1 +wedding-ua.tk, 1 +weddingartist.ca, 1 +weddingbells.ca, 1 +weddingcalculator.ga, 1 +weddingdays.tv, 1 +weddingdressesguide.com, 1 +weddingfantasy.ru, 1 +weddinggoods.tk, 1 +weddinggram.ga, 1 +weddinghotographers.tk, 1 +weddingideas.gq, 1 +weddingpainter.ca, 0 +weddingplanner.tk, 1 +weddingpro.com, 1 +weddingsbynoon.co.uk, 1 +weddingtailor.com.au, 1 +weddingtrunks.tk, 1 +weddingwire.ca, 1 +weddingwire.co.uk, 1 +weddingwire.com, 1 +weddingwire.in, 1 +weddingz.in, 1 +wedefendcharities.org, 1 +wedeliverdavao.com, 1 +wedinspire.com, 1 +wedl.ru, 0 +wedontca.re, 1 +wedontcaregroup.com, 1 +wedontgetpaidenough.com, 1 +wedooper.com, 1 +wedos.com, 1 +wedot.co.uk, 1 +wedplay.host, 1 +wedshoots.com, 1 +weeaboo.ml, 1 +weeb.us, 1 +weebl.me, 1 +weeblr.com, 1 +weecarepreschool.ca, 1 +weed.ren, 1 +weedgranadagrowshop.com, 1 +weedlife.com, 1 +weednews.co, 0 +weedupdate.com, 1 +weedworthy.com, 1 +weedypedia.de, 1 +weefriendskids.com, 1 +week-numbers.org, 1 +week.report, 1 +weekdone.com, 1 +weekendbus.pl, 1 +weekendcandy.com, 1 +weekendcraft.com, 1 +weekendinitaly.com, 1 +weekendplayers.tk, 1 +weekendstartup.ml, 1 +weekly-news.pl, 1 +weekly-residence.com, 1 +weeklyads2.com, 1 +weeklydcoupgen.com, 1 +weektegenarmoede.be, 1 +weemake.fr, 0 +weemakers.fr, 0 +weepycat.com, 1 +weerda.fr, 1 +weernieuws.info, 1 +weerstationgiethoorn.nl, 1 +weerstatistieken.nl, 1 +weetalksls.com, 1 +weetix.fr, 1 +weexend.com, 1 +weezerosos.tk, 1 +weezertabs.tk, 1 +wefact.nl, 1 +wefazemos.com.br, 1 +wefillgood.com, 1 +wefitboilers.com, 1 +wefixmd.com, 1 +wefloridafinancial.com, 1 +weforgood.org.tw, 1 +wefound.com.tw, 1 +wefound.se, 1 +weg-auwald.de, 1 +wegethitched.co.uk, 1 +wegner.no, 1 +wego.ca, 1 +wegonnagetsued.org, 1 +wegotcookies.com, 1 +wegotrip.com, 1 +wegotrip.ru, 1 +wegrzynek.org, 1 +wegrzynek.pl, 1 +wegvielfalt.de, 1 +wehaa-server2.com, 1 +wehaaserver.com, 1 +wehealasone.gov.ph, 1 +wehiremac.uk, 1 +weho.gov, 1 +wehostdnn.com, 1 +wei-mao.com.ua, 1 +weibomiaopai.com, 1 +weideheuvel.org, 1 +weidmannfibertechnology.com, 0 +weig-karton.de, 1 +weighed.ga, 1 +weightlift.ml, 1 +weightlosseasy.cf, 1 +weightlossoutcome.com, 1 +weightprogram.cf, 1 +weihua.life, 1 +weikai.net, 1 +weike.tk, 1 +weiling.clinic, 1 +weils.net, 1 +weiltoast.de, 1 +weimaranerdogcare.com, 1 +weiming.ddns.net, 1 +weimingsci.cn, 1 +weimz.com, 1 +wein.cc, 1 +weinbergerlawgroup.com, 1 +weinboxbuilders.co.nz, 1 +weinfuse.com, 0 +weingut-bernd-klein.de, 1 +weinundsein.com, 1 +weinzierlweb.com, 1 +weiran.org.cn, 1 +weirddisney.com, 1 +weirdesigns.com, 1 +weirdgloop.org, 1 +weirdness.tk, 1 +weirdork.com, 1 +weirdork.eu, 1 +weirdork.net, 1 +weirdork.org, 1 +weirdork.social, 1 +weirdorks.eu, 1 +weirdorks.net, 1 +weirdorks.org, 1 +weirdorks.social, 1 +weirdserver.com, 1 +weirdware.tech, 1 +weis.bz, 1 +weis.duckdns.org, 1 +weisskircher.tk, 1 +weissman.agency, 1 +weiter.so, 1 +weiterbildung-vdz.de, 1 +weitergedacht.eu, 1 +weitsolutions.nl, 1 +weitundbreit.ch, 1 +weitz-porzellan.de, 1 +weitzmangroup.com, 1 +weixinjiefengla.com, 1 +weizenke.im, 1 +wekan.hopto.org, 1 +wekibe.de, 1 +wekipedia.com, 1 +weknowhowtodoit.com, 1 +wekurate.com, 1 +wel.com.br, 1 +weladee.com, 1 +welby.cat, 1 +welches-kinderfahrrad.de, 1 +welcome-tahiti.com, 0 +welcome-werkstatt.com, 1 +welcome26.ch, 0 +welcomehometnt.com, 1 +welcomepowayan.tk, 1 +welcometoohio.gov, 1 +welcoop-logistique.com, 1 +welcorp.com, 1 +weld.gov, 1 +weldersnet.tk, 1 +weldingandwelder.com, 1 +weldynz.co.nz, 1 +welfareness.icu, 1 +welivetogether.com, 1 +well.bayern, 1 +wella-download-center.de, 1 +wellaeducationbook.de, 1 +wellbalancedhealth.ie, 1 +wellbe.com, 1 +wellbeing360.com.au, 1 +wellbutrinxlgeneric.cf, 1 +wellcarehealthsurvey.com, 1 +wellcom.co.il, 1 +wellcomemdhealth.com, 1 +welldoc.com, 1 +welldocinc.com, 1 +wellen-reiten.com, 1 +wellensteyn.ru, 1 +weller.pm, 1 +wellesleycosmeticsurgery.com, 1 +wellesweb.net, 1 +welletin.it, 1 +wellgreece.com, 1 +wellington.govt.nz, 1 +wellist.com, 1 +wellness-alto-adige.net, 1 +wellness-bonbon.de, 0 +wellness-gutschein.de, 1 +wellness-spa-suedtirol.com, 1 +wellnesscheck.net, 1 +wellnesslifestyletravel.com, 1 +wellnessmassage-eitorf.de, 1 +welloca.com, 1 +wellreceived.com, 1 +wellsbourne.co.uk, 1 +wellsolveit.com, 0 +wellspringsga.com, 1 +wellsprung.net, 1 +wellstonok.gov, 1 +wellthy.com, 1 +wellzapness.com, 1 +welmo.fr, 1 +welom.tk, 1 +welove.lk, 1 +welove.tk, 1 +welovecatsandkittens.com, 1 +welovegalicia.com, 1 +welovelinks.com, 1 +weloveliving.it, 1 +welovemail.com, 1 +welovestrawberries.com, 1 +welpen-rucphen.tk, 1 +welpo.me, 1 +welshccf.org.uk, 1 +welshterrier.tk, 1 +welshyak.tk, 1 +welspunindia.com, 1 +welstrim.de, 1 +welt-flaggen.de, 1 +weltderangebote.de, 0 +welteneroberer.de, 1 +weltengilde.de, 1 +weltenhueter.de, 1 +weltentanzer.com, 1 +weltumradler.tk, 1 +weltverschwoerung.de, 1 +welty.cc, 1 +welty.co, 1 +welty.io, 1 +welty.me, 1 +wemadegod.tk, 1 +wemake.cx, 1 +wemakebookkeepingeasy.com, 1 +wemakemx.mx, 1 +wemakeonlinereviews.com, 1 +weme.eco, 1 +wemissyou.tk, 1 +wemovemountains.co.uk, 1 +wenablog.pl, 1 +wenaiwu.net, 1 +wenanmao.com, 1 +wenceslas.org.uk, 1 +wenchengchou.co, 1 +wenchieh.com, 1 +wendkom.com, 1 +wendlberger.net, 1 +wendu.me, 0 +wenducation.nl, 1 +wendy-david.tk, 1 +wendydarling.tk, 1 +wendys-careers.com, 1 +wendysbeautyshop.co.za, 1 +wenger-shop.ch, 1 +wengerwatson.com, 1 +wengyep.com, 1 +wenhelpdesk.tk, 1 +wenjulebu.cc, 1 +wenlopleidingen.nl, 1 +wenmilot.com, 1 +wenoexchange.com, 1 +wensenboomaltrecht.nl, 1 +wenta-computerservice.net, 1 +wenta.de, 1 +wentu.ml, 1 +wentyl.tk, 1 +wenzthewanderer.gq, 1 +weoneit.com, 1 +wep.pw, 1 +wepa.pe, 1 +wepay.com, 1 +wepay.in.th, 1 +wepbiz.com, 1 +weplan-app.com, 1 +weplananalytics.com, 1 +weplay.io, 1 +weplaycollectibles.com, 1 +weplaynaked.dk, 1 +weple.ga, 1 +weple.gq, 1 +weprenup.com, 1 +werbe-markt.de, 1 +werbe-sonnenbrillen.de, 0 +werbeagentur-benningen.de, 1 +werbeagentur-website.de, 1 +werbeagentur.de, 1 +werbefotograf-leitner.de, 1 +werbefotografie-leitner.de, 1 +werbewelt-tv.de, 1 +werbezentrum-stiebler.de, 1 +werbik.at, 1 +werchangemakers.com, 1 +werd.pw, 0 +werehub.org, 1 +wereldkoffie.eu, 1 +wereldplanner.nl, 1 +wereldreizen.tk, 1 +wereldschool.nl, 1 +werhatunsverraten.eu, 1 +werk-34.de, 1 +werk32.net, 1 +werken-bij-inwork.nl, 1 +werkenbijbejo.nl, 0 +werkenbijblokker.nl, 1 +werkenbijbuvo.nl, 1 +werkenbijdfzs.nl, 0 +werkenbijejk.nl, 1 +werkenbijintertoys.nl, 1 +werkenbijmagentazorg.nl, 1 +werkenbijpelsrijcken.nl, 1 +werkenbijpromovendum.nl, 1 +werkenbijsanitairwinkel.be, 1 +werkenbijsanitairwinkel.nl, 1 +werkenbijsherpa.nl, 0 +werkenbijvanderventions.com, 1 +werkenbijvanderventions.nl, 1 +werkeninwesterveld.nl, 1 +werkenontwikkelen2030nh.nl, 1 +werkgroepderdewereld.nl, 1 +werkgroeppaleisparkhetloo.nl, 1 +werkkrew.xyz, 1 +werksalon.at, 1 +werkslimreisslim.nl, 1 +werkstattkinder.de, 1 +werktuigen.nl, 1 +werkzoeken.nl, 1 +wermeester.be, 1 +wermeester.com, 1 +werner-ema.de, 1 +wernerco.com, 1 +wernicke-it.de, 1 +werpo.com.ar, 1 +werranfehtan.org, 1 +wertpapiertreuhand.de, 1 +wertschatz-kommunikation.de, 1 +wervingenselectieamsterdam.nl, 1 +werwolf-live.de, 1 +werxa.cz, 1 +werxus.eu, 1 +weryfikacjapodatnika.pl, 1 +wesecom.com, 1 +wesermarsch-bauelemente.de, 1 +weserv.nl, 1 +wesleyanbank.co.uk, 1 +wesleyarcher.com, 1 +wesleycabus.be, 0 +wesleywarnell.com, 1 +wesoco.de, 1 +wespath.org, 1 +wespeakgeek.co.za, 1 +wespringforward.com, 1 +wesreportportal.com, 1 +wessalicious.com, 1 +wessco.mx, 1 +wesselius.tk, 1 +wessner.co, 0 +wessner.org, 0 +wessobrunn.de, 1 +wessokind.de, 1 +west-contemporary.com, 1 +west-nerica.de, 1 +west-raptors.tk, 1 +west-trans.com.au, 0 +west-wind.net, 1 +west2.cn, 0 +westaf-edit.com, 1 +westappin.com.au, 1 +westbathmaine.gov, 1 +westboroughma.gov, 1 +westbourne-history.org.uk, 1 +westburlingtoniowa.gov, 1 +westburyfestival.org.uk, 1 +westcartilafdnc.gov, 1 +westcentenaryscouts.org.au, 1 +westcentralaor.org, 1 +westcentralmls.com, 1 +westchester-il.gov, 1 +westchesteranxietytreatment.com, 1 +westcoastaggregate.com, 1 +westcoastcastles.com, 1 +westcoastdrones.io, 1 +westcoastdrones.net, 1 +westcoastfood.ca, 1 +westcoastmarineadvisor.com, 1 +westcoastmotors.co.uk, 1 +westcode.de, 1 +westcountrydentalcrafts.uk, 1 +westcountrystalking.com, 1 +westcreekna.org, 1 +westendwifi.net, 1 +westerdraai.tk, 1 +westeremden.com, 1 +westergas.nl, 1 +westernalliancebancorporation.com, 1 +westernpadermatologist.com, 1 +westernparts.com, 0 +westernpsychiatry.com.au, 1 +westernresourceadvocates.org, 1 +westernsydney.com.au, 1 +westernwaterca.gov, 1 +westfairleevt.gov, 1 +westfordwi.gov, 1 +westfund.com.au, 1 +westgatecruiseandtravel.com, 1 +westhamptonma.gov, 1 +westhighlandwhiteterrier.com.br, 1 +westhomesteadpa.gov, 1 +westie.tk, 1 +westjp-tetuke-hosyou.co.jp, 1 +westlab.ch, 1 +westlakehills.gov, 1 +westlaketx.gov, 1 +westlakevillageelectric.com, 1 +westlakevillageelectrical.com, 1 +westlakevillageelectrician.com, 1 +westlakevillageexteriorlighting.com, 1 +westlakevillagelandscapelighting.com, 1 +westlakevillagelighting.com, 1 +westlakevillageoutdoorlighting.com, 1 +westlandcultuur.tk, 1 +westlander-nostalgie.tk, 1 +westlandinsurance.ca, 1 +westlebanonpa.gov, 1 +westlibertykypolice.gov, 1 +westline.com.tr, 1 +westlogistic.com, 1 +westmarlboroughpa.gov, 1 +westmead.org, 1 +westmeadapartments.com.au, 1 +westmelbourne.gov, 1 +westmidlandsbouncycastlehire.co.uk, 1 +westmidlandsinflatables.co.uk, 1 +westmidlandslettings.com, 1 +westmidlandsrailway.co.uk, 1 +westmilwaukeewi.gov, 1 +westminsterco.gov, 1 +westminsternational.com.au, 1 +westmodernclinic.com, 1 +westonma.gov, 1 +westonreed.com, 1 +westoveral.gov, 1 +westpennwire.com, 1 +westphalfamily.com, 1 +westplains.gov, 1 +westpointne.gov, 1 +westporthoney.com, 1 +westportisland.gov, 1 +westportok.gov, 1 +westrandgardeningservices.co.za, 1 +westreet-store.com, 1 +westsalemwi.gov, 1 +westshoresrealty.com, 1 +westside-pediatrics.com, 1 +westsidechildrenstherapy.com, 1 +westskinlaser.com, 1 +westspace.org.uk, 1 +westterrehautein.gov, 1 +westvalleyfiremt.gov, 1 +westvancouver.ca, 1 +westviewpa.gov, 1 +westvillenyc.com, 1 +westvirginiahealth.tk, 1 +westwarwickri.gov, 1 +westwingopenhouse.com, 1 +westwings.tk, 1 +westwoodhillsks.gov, 1 +wesupportthebadge.org, 1 +wesystems.cloud, 0 +wet-dry.world, 1 +wet-international.com, 1 +wet1.com.au, 1 +wetdryvacs.ie, 1 +weteachme.com, 1 +wetheghosts.eu, 1 +wethemovement.org, 1 +wetherbyvets.co.uk, 1 +wetleak.com, 1 +wetpussylipsex.com, 1 +wetpussyporn.com, 1 +wetravel.company, 1 +wetrepublic.com, 1 +wettbuero.com, 1 +wettbuero.de, 1 +wetter.de, 1 +wetthost.com, 1 +wetumpkaal.gov, 1 +wevah.com, 0 +wevenues.com, 1 +wevolver.com, 0 +wevyin.com, 1 +wew881.com, 1 +wew882.com, 1 +wewin889.com, 1 +wewitro.de, 1 +weworkjpn.com, 1 +wexfordbouncycastles.ie, 1 +wexilapp.com, 1 +weyerstall1880.de, 1 +weyhmueller.de, 0 +weyland-yutani.org, 1 +weymouthslowik.com, 1 +weyoui.de, 1 +wf-bigsky-master.appspot.com, 1 +wf-demo-eu.appspot.com, 1 +wf-demo-hrd.appspot.com, 1 +wf-dogfood-hrd.appspot.com, 1 +wf-pentest.appspot.com, 1 +wf-staging-hr.appspot.com, 1 +wf-training-hrd.appspot.com, 1 +wf-training-master.appspot.com, 1 +wf-trial-hrd.appspot.com, 1 +wf336.com, 1 +wfbabfn.com, 1 +wfbvillage.gov, 1 +wforum.nl, 1 +wfschicago.com, 1 +wftbasis.nl, 1 +wfxs.com.tw, 1 +wg-smue.de, 1 +wg-tools.de, 1 +wg2023.com.br, 1 +wgauthier.com, 1 +wgauthier.net, 1 +wgcaobgyn.com, 1 +wgdp.gov, 1 +wge-feg.gc.ca, 1 +wgec-fegc.gc.ca, 1 +wget.cool, 1 +wget.cx, 1 +wget.tw, 1 +wgfl.gov, 1 +wgi.fi, 1 +wgnr.me, 1 +wgom.org, 0 +wgplatform.co.uk, 1 +wgraphics.ru, 1 +wgrfoods.co.uk, 1 +wgrlc.vic.gov.au, 1 +wgrstudio.com, 1 +wgsh.de, 1 +wgsuyi.cf, 1 +wgtrm.com, 1 +wgyt.tk, 1 +wgzdy.top, 0 +wh-guide.de, 1 +wh.gov, 1 +wh0.re, 1 +wh966.com, 0 +whalecrew.com, 1 +whaletail.ai, 0 +whanau.org, 0 +whanglaw.com, 1 +whannell.net, 0 +whaogirls.com, 1 +whapn.sg, 1 +wharfevalleywindows.co.uk, 1 +what-do-kittens-need-to-eat.tk, 1 +what-does-kittens-need.ml, 1 +what-wood.servehttp.com, 1 +what.tf, 1 +what2see.today, 1 +whatabout.ga, 1 +whatabout.tk, 1 +whataboutjonbuckland.tk, 1 +whataboutjoshua.tk, 1 +whatairdefencedoing.com, 1 +whatarepatentsfor.com, 1 +whatcanyoudocampaign.org, 1 +whatclinic.co.uk, 1 +whatclinic.com, 1 +whatclinic.com.ph, 1 +whatclinic.de, 1 +whatclinic.ie, 1 +whatclinic.ru, 1 +whatdevotion.com, 1 +whatdevshouldknow.pl, 1 +whatevents.tk, 1 +whateveritworks.org, 1 +whatevername.tk, 1 +whateverzone.ml, 1 +whatfinger.com, 1 +whatfontis.com, 1 +whatgrowswhere.com, 1 +whatgrowswhere.eu, 1 +whatgrowswhere.net, 1 +whatgrowswhere.nl, 1 +whatgrowswhere.org, 1 +whatimissed.news, 1 +whatisapassword.com, 1 +whatiscss.tk, 1 +whatisinternetsecurity.net, 1 +whatisipfix.com, 1 +whatisl.ovh, 1 +whatismycountry.com, 1 +whatismyip.net, 0 +whatismypublicip.com, 1 +whatisnetflow.com, 1 +whatissflow.com, 1 +whatisthe.cloud, 1 +whatisthisapp.com, 1 +whatiswhatis.com, 1 +whatsapp-plus.com, 1 +whatsapp.com, 1 +whatsapp.net, 1 +whatsapp.ru, 1 +whatsatienda.com, 1 +whatsgood.tk, 1 +whatsinmyjar.com, 1 +whatsitsname.tk, 1 +whatsmychaincert.com, 1 +whatstheirnetworth.com, 1 +whatsupoutdoor.com, 0 +whatsupyo.tk, 1 +whatswrong.blog, 1 +whatthefile.info, 1 +whatthingsweigh.com, 1 +whattimedoiwork.com, 1 +whattominingrigrentals.com, 1 +whatusb.com, 1 +whatwebcando.today, 1 +whatwg.org, 1 +whatzelink.com, 1 +whawtheme.fr, 1 +whd-guide.de, 1 +whdpc.gov, 1 +wheatfieldtwpmi.gov, 1 +wheatgra.in, 1 +wheatland.com, 1 +wheatlandcomt.gov, 1 +wheatridge.gov, 1 +wheelastic.com, 1 +wheelchair-mobility-scooter-rental-london.com, 1 +wheelchair.gq, 1 +wheeler.kiwi.nz, 0 +wheelhero.com, 1 +wheelingisland.com, 1 +wheelnation.net, 1 +wheelspin.ga, 1 +wheelwide.co.uk, 1 +wheelwork.org, 0 +wheelworxrefinishing.com, 1 +wheely.com, 1 +wheelycool.tech, 1 +wheelycoolgear.com, 1 +wheelyking.tk, 1 +when-release.ru, 1 +when.fm, 0 +when.org.il, 1 +when2watch.live, 1 +whenisholiday.com, 1 +whentowork.com, 1 +whenwe.me, 1 +wheon.com, 1 +where2trip.com, 1 +whereapp.social, 1 +wherearethosemorgans.com, 1 +wherecaniwatchanime.com, 1 +wheredoi.click, 1 +wheregoes.com, 1 +whereicode.org, 0 +whereismyorigin.cf, 1 +whereisthekeep.com, 1 +whereiszakir.com, 1 +wheresbuzz.com.au, 1 +wheresthejump.com, 1 +wheretotravel.info, 1 +whereuare.se, 1 +whereveryougo.space, 1 +whexit.nl, 1 +whey-protein.ch, 1 +whichdoctor.com, 1 +whichgender.today, 1 +whichphish.com, 1 +whichwasfirst.com, 1 +whiff-of-grape.ca, 0 +whigfieldspain.tk, 1 +whil.com, 1 +whilsttraveling.com, 1 +whing.org, 1 +whining.blue, 1 +whipnic.com, 1 +whirlpool-luboss.de, 1 +whirlpool.net.au, 1 +whirr.org, 1 +whishart.cf, 1 +whishart.ga, 1 +whishart.gq, 1 +whishart.ml, 1 +whiskersandtails.co.za, 1 +whiskey.com.my, 1 +whiskey.money, 1 +whisky-circle.info, 1 +whisky.com.my, 1 +whisky.money, 1 +whisky.my, 1 +whiskydb.de, 1 +whiskydrivers.tk, 1 +whiskyhammer.com, 1 +whiskymy.com, 1 +whiskyshop.com.my, 1 +whiskyshop.my, 1 +whisp.ly, 0 +whispeer.de, 1 +whisper-net.de, 1 +whisperinghoperanch.org, 1 +whisperlab.org, 1 +whistleblower.gov, 1 +whistleblower.pl, 1 +whistleblower.report, 1 +whistleblowerordning.com, 1 +whistleblowers.org, 1 +whistleblowersoftware.com, 1 +whistlingdog.media, 0 +whitbread.com.au, 1 +whitdoit.tk, 1 +white-hell.tk, 1 +white-ibiza.com, 1 +white-info.tk, 1 +white-noise.tk, 1 +white-rabbit.tk, 1 +white-skull.tk, 1 +white-wolf.tk, 1 +whitealps.at, 0 +whitealps.be, 0 +whitealps.ch, 0 +whitealps.de, 0 +whitealps.fr, 0 +whitealps.net, 0 +whiteantelopeinteriors.com, 1 +whitebirdclinic.org, 1 +whitebox.ga, 1 +whitefieldnhpd.gov, 1 +whitefishtownshipmi.gov, 1 +whitefordtownshipmi.gov, 1 +whitehallal.gov, 1 +whitehatbrokers.com, 1 +whitehathackers.com.br, 1 +whitehats.nl, 1 +whitehorse.ga, 1 +whitehouse.gov, 1 +whitehouse.org, 1 +whitehouseconferenceonaging.gov, 1 +whitehousedrugpolicy.gov, 1 +whiteink.com, 1 +whiteinvestment.estate, 1 +whitejaguars.com, 1 +whitekings.tk, 1 +whitelabeltickets.com, 1 +whitelist-crypto.io, 1 +whitelotto.com, 1 +whitelotuscyp.com, 1 +whitelynx.co, 1 +whitemagic.ga, 1 +whitemanfss.net, 1 +whitemetalperu.tk, 1 +whiteneon.com, 1 +whiteout.wiki, 1 +whitepages.ml, 1 +whitepen.io, 1 +whitepen.tk, 1 +whitepinetn.gov, 1 +whiteprintnews.com, 1 +whiterabbit.group, 0 +whiterabbit.nl, 1 +whiterabbit.org, 1 +whiterabbitcyber.space, 1 +whiterose.goip.de, 1 +whitesalmonwa.gov, 1 +whiteshadowimperium.com, 1 +whiteshelf.org, 1 +whitesoxbestteaminbaseball.com, 1 +whitespace.se, 1 +whitespider.cf, 1 +whitespider.eu.org, 1 +whitespider.gq, 1 +whitespider.ml, 1 +whitespider.tk, 1 +whitestarlegacy.tk, 1 +whitestoneva.gov, 1 +whitesword.tk, 1 +whitevpn.cz, 1 +whitewaterks.gov, 1 +whitewatertownshipmi.gov, 1 +whiteweb.tk, 1 +whitewebhosting.com, 1 +whitewinterwolf.com, 1 +whiteyardcottage.com, 1 +whitfieldcountyga.gov, 1 +whitkirkchurch.org.uk, 0 +whitmanarchive.org, 1 +whitmancounty.gov, 1 +whittle.in, 1 +whittome.com, 1 +whitworth.nyc, 1 +whizkidpcservices.com, 1 +whizzzbang.co.uk, 1 +whm.gc.ca, 1 +whmcsdeveloper.com, 1 +whnpa.org, 1 +who-calledme.com, 1 +who.pm, 0 +whoagirls.com, 1 +whoagirls.net, 0 +whoagirls.org, 1 +whoami.eu.org, 1 +whoami.io, 1 +whoami.red, 1 +whocalld.com, 1 +whocalled.us, 1 +whocrushonme.com, 1 +whodiduexpect.com, 1 +whois.az, 1 +whoisamitsingh.com, 1 +whoiscuter.ml, 1 +whoiscutest.ml, 1 +whoisdhh.com, 0 +whoisonthebench.com, 1 +whoistheorchid.com, 1 +whoiswho.tk, 1 +wholebody.je, 1 +wholegrace.com, 1 +wholesale.cf, 1 +wholesalediamonds.tk, 1 +wholesalediscountsunglasses.com, 1 +wholesalegrowersdirect.com, 1 +wholesalehosting.co.uk, 1 +wholesaleimages.com, 1 +wholesomeharvestbread.com, 0 +wholevood.com, 1 +wholevood.de, 1 +wholewideworldtoys.com, 1 +wholewildworld.de, 1 +whoneedstobeprimaried.today, 1 +whong.media, 1 +whonix.org, 1 +whoopee.my, 0 +whooshkaa.com, 1 +whoplusyou.com, 1 +whoreofwallstreet.tk, 1 +whorepresentsme.us, 1 +whosapeach.tk, 1 +whosneo.com, 1 +whosoldmyemail.ca, 1 +whosoldmyemail.com, 1 +whosts.cn, 1 +whosyourdaddy.ml, 1 +whowherewhen.net, 1 +whqmeps.org, 1 +whqqq.com, 1 +wht.one, 1 +whta.eu, 1 +whta.se, 1 +whtcsj.com, 1 +whub.io, 0 +why-brexit.uk, 1 +why918.com, 0 +whychoosebob.net.au, 1 +whyinsurance.me, 1 +whymps.com, 1 +whynohttps.com, 1 +whynotbi.com, 1 +whypowerbrush.com, 1 +whysoslow.co.uk, 1 +whyteryan.com, 1 +whytls.com, 0 +whywa.com, 1 +whywelive.me, 1 +whyworldhot.com, 1 +whyy.eu.org, 1 +whyzeroturn.com, 1 +wi-q.cloud, 1 +wi-wi.co.jp, 1 +wiagencies.com, 1 +wiai.eu.org, 1 +wiapply.com, 1 +wibbe.link, 1 +wiberg.nu, 1 +wibness.com, 1 +wibu.moe, 1 +wibuw.com, 1 +wicamb.com, 1 +wicca-witchcraft.com, 1 +wiccansupplies.ga, 1 +wiccanwicks.ca, 1 +wiccasima.fr, 1 +wicharypawel.com, 1 +wichitafoundationpros.com, 1 +wichtel-umzuege.de, 1 +wickedsick.tk, 1 +wickedvibes.tk, 1 +wickersmith.com, 1 +wickerwoman.com, 0 +wickrath.com, 1 +wickrath.net, 1 +wicstunvetgroup.co.uk, 1 +widado.com, 1 +widatcp.gov, 1 +widderplasticsurgery.com, 1 +wideboxmacau.com, 0 +widecontrol.it, 1 +wideinfo.org, 1 +widejeans.tk, 1 +wideline.com.au, 1 +widememory.com, 1 +widenews.org, 1 +widescreenfixer.org, 1 +wideshoes.com, 1 +widewebhost.net, 1 +wideworks.agency, 1 +widgetmaker.co.uk, 1 +widma.gov, 1 +widmer.bz, 1 +widner.xyz, 1 +widoj.gov, 1 +widow411.com, 1 +widsl.de, 1 +widum.ru, 1 +widwap.net, 1 +widzenia.pl, 1 +wiebel.org, 1 +wiebetaaltdat.nl, 1 +wieckiewicz.org, 1 +wiederkehrvillagear.gov, 1 +wiedmeyer.de, 1 +wiedu.net, 1 +wieesgeht.com, 1 +wiegandt.org, 1 +wiegedaten.de, 1 +wiek.net, 1 +wieldberis.ru, 1 +wieloswiat.pl, 1 +wielrenbond.ml, 1 +wielrennen-in-zeeland.tk, 1 +wien52.at, 1 +wiender.be, 0 +wieneck-bauelemente.de, 1 +wiener.hr, 1 +wienergyjobs.com, 1 +wieobensounten.de, 1 +wiesbadener-kurier.de, 1 +wiet2home.nl, 1 +wifesbank.com, 1 +wifi-hack.com, 0 +wifi-names.com, 1 +wifi-ooe.at, 1 +wifi.com.vn, 1 +wifi.id, 1 +wificafehosting.com, 1 +wificonnect.cc, 1 +wifimb.cz, 1 +wifipineapple.com, 1 +wifirst.net, 1 +wifishing.tk, 1 +wifiwizardofoz.com, 1 +wigan.ovh, 1 +wiganer.tk, 1 +wigelsworth.io, 1 +wigger.one, 1 +wigggle.it, 1 +wigglywisdom.com, 1 +wigle.net, 1 +wigmore-hall.org.uk, 0 +wigsalon.ga, 1 +wigwam.design, 1 +wihiki.org, 1 +wiiaam.com, 1 +wiikipedia.com, 1 +wiimotion.de, 1 +wiin.co, 1 +wiingy.com, 1 +wiire.me, 0 +wijaya.net, 1 +wijaya2u.com, 1 +wijkbudget.gent, 1 +wijkdezwaenebloeme.tk, 1 +wijnbesteld.nl, 1 +wijnlandkroatie.nl, 1 +wijnservices.nl, 0 +wijsaantwerk.be, 1 +wijseuropa.gent, 1 +wijsvangent.be, 1 +wijwillendit.nl, 1 +wijzeweters.gent, 1 +wijzijnbrandstof.nl, 1 +wijzijnwolf.nl, 1 +wikalin.ski, 1 +wikelia.com, 1 +wikepedia.org, 1 +wiki-books.ga, 1 +wiki-iknownaught.ddns.net, 1 +wiki-pedia.org, 1 +wiki-play.ru, 1 +wiki-rostelecom.ru, 1 +wiki.berlin, 1 +wiki.gallery, 1 +wiki.python.org, 1 +wiki.voyage, 1 +wiki.xin, 1 +wiki24.ru, 1 +wikiboard.tk, 1 +wikibook.com, 1 +wikibooks.org, 1 +wikibooks.pt, 1 +wikibulz.com, 1 +wikibuy.com, 1 +wikicooking.tk, 1 +wikicuida.pt, 1 +wikidata.org, 1 +wikidpedia.org, 1 +wikiepdia.com, 1 +wikiepdia.org, 1 +wikifactory.com, 1 +wikifamily.ga, 1 +wikifamily.tk, 1 +wikifunctions.org, 1 +wikigta.org, 1 +wikihelp.in, 1 +wikihistory.tk, 1 +wikihow-fun.com, 1 +wikihow.com, 1 +wikihow.com.tr, 1 +wikihow.cz, 1 +wikihow.fitness, 1 +wikihow.health, 1 +wikihow.it, 1 +wikihow.jp, 1 +wikihow.life, 1 +wikihow.mom, 1 +wikihow.pet, 1 +wikihow.tech, 1 +wikihow.vn, 1 +wikijunior.com, 1 +wikijunior.net, 1 +wikijunior.org, 1 +wikileaks.ch, 1 +wikilibrary.tk, 1 +wikilink.cf, 1 +wikilink.tk, 1 +wikilinux.xyz, 1 +wikimania.com, 1 +wikimania.org, 1 +wikimatrix.org, 1 +wikimedia-dns.org, 1 +wikimedia.biz, 1 +wikimedia.com.pt, 1 +wikimedia.community, 1 +wikimedia.is, 1 +wikimedia.jp.net, 1 +wikimedia.lt, 1 +wikimedia.org, 1 +wikimedia.us, 1 +wikimedia.xyz, 1 +wikimediacommons.co.uk, 1 +wikimediacommons.info, 1 +wikimediacommons.jp.net, 1 +wikimediacommons.mobi, 1 +wikimediacommons.net, 1 +wikimediacommons.org, 1 +wikimediafoundation.com, 1 +wikimediafoundation.info, 1 +wikimediafoundation.net, 1 +wikimediafoundation.org, 1 +wikimilk.org, 1 +wikimir.tk, 1 +wikimirror.org, 1 +wikinbiography.com, 1 +wikinews.com, 1 +wikinews.de, 1 +wikinews.org, 1 +wikinews.pt, 1 +wikipaedia.net, 1 +wikipedia.bg, 1 +wikipedia.co.il, 1 +wikipedia.co.uk, 1 +wikipedia.co.za, 1 +wikipedia.com, 1 +wikipedia.com.ar, 1 +wikipedia.ee, 1 +wikipedia.es, 1 +wikipedia.fi, 1 +wikipedia.id, 1 +wikipedia.info, 1 +wikipedia.is, 1 +wikipedia.lt, 1 +wikipedia.net, 1 +wikipedia.org, 1 +wikipedia.org.il, 1 +wikipedia.sk, 1 +wikipediafoundation.org, 1 +wikipedial.org, 1 +wikipediazero.org, 1 +wikipeter.nl, 1 +wikipiedi.it, 1 +wikiquote.com, 1 +wikiquote.net, 1 +wikiquote.org, 1 +wikiquote.pt, 1 +wikiquotes.info, 1 +wikirace.tk, 1 +wikisaur.tk, 1 +wikiskripta.eu, 1 +wikislo.net, 1 +wikisorg.tk, 1 +wikisource.com, 1 +wikisource.org, 1 +wikisource.pl, 1 +wikisource.pt, 1 +wikispecies.com, 1 +wikispecies.net, 1 +wikispecies.org, 1 +wikispiel.de, 1 +wikitech.ga, 1 +wikitech.gq, 1 +wikitech.tk, 1 +wikitechsolutions.com, 1 +wikitransporte.tk, 1 +wikiutah.tk, 1 +wikiversity.com, 1 +wikiversity.org, 1 +wikiversity.pt, 1 +wikiversus.com, 1 +wikivisually.com, 1 +wikivoyage.com, 1 +wikivoyage.de, 1 +wikivoyage.eu, 1 +wikivoyage.net, 1 +wikivoyage.org, 1 +wikivoyager.de, 1 +wikivoyager.org, 1 +wikiwp.org, 1 +wikizip.ga, 1 +wikjpedia.org, 1 +wikkelweb.nl, 1 +wikpa.com, 1 +wikpedia.org, 1 +wikproduccions.tk, 1 +wiktionary.com, 1 +wiktionary.eu, 1 +wiktionary.org, 1 +wiktionary.pl, 1 +wiktionary.pt, 1 +wiktor-imbierski.com, 1 +wiktoriaflis.com, 1 +wilane.org, 1 +wilburyvets.co.uk, 1 +wilco-s.nl, 1 +wilcodeboer.me, 1 +wilcojunk.com, 1 +wilcotx.gov, 1 +wild-reels.com, 1 +wild-turtles.com, 1 +wild.at, 1 +wildanalysis.ga, 1 +wildbergh.tk, 1 +wildbirdsuets.com, 1 +wildcard.hu, 1 +wildcardfederal.net, 1 +wildcatdiesel.com.au, 1 +wildcatprotection.org, 1 +wildcaves.co.za, 1 +wildcove.ca, 1 +wildcraft.com, 0 +wildcruisers.tk, 1 +wildercerron.com, 1 +wilderky.gov, 1 +wilderoben.com, 1 +wildfilm.tv, 1 +wildfirechain.xyz, 1 +wildflowers5.com, 1 +wildfoerster.org, 1 +wildfoxlady.com, 1 +wildglass.nl, 1 +wildhelper.com, 1 +wildlifeadaptationstrategy.gov, 1 +wildlifeforafrica.org, 1 +wildmarsian.info, 1 +wildmine.su, 1 +wildonengineering.com.au, 1 +wildowi.cz, 1 +wildrideproject.tk, 1 +wildroseflorist.co.za, 1 +wildsafety.com, 1 +wildsense.tk, 1 +wildtattoo.ru, 1 +wildtrip.blog, 0 +wildvicky.net, 1 +wildwildtravel.com, 1 +wildwind.world, 1 +wildwnc.org, 1 +wildwoodpolice-fl.gov, 1 +wildwoodrockers.tk, 1 +wildzap.ml, 1 +wildzoopark.co.uk, 1 +wildzoopark.com, 1 +wilf1rst.com, 1 +wilfert.cc, 1 +wilfert.xyz, 1 +wilfredswholesale.com.au, 1 +wilfrid-calixte.fr, 0 +wilhelm-nathan.de, 1 +wilhelm-sattler-realschule.de, 1 +wilhelmhansenfonden.dk, 1 +wilhelmina.com, 1 +wili.li, 1 +wiliquet.net, 1 +wilk.tech, 0 +wilkebouwer.nl, 1 +wilkes-barretownship.gov, 1 +wilkincounty.gov, 1 +wilkipedia.org, 1 +wilkushka.com, 1 +wilky44.com, 1 +willalex.com, 1 +willardohio.gov, 1 +willardwi.gov, 1 +willbeonesecurity.xyz, 1 +willcounty.gov, 1 +willcounty911.gov, 1 +willcountyclerk.gov, 1 +willcountysao.gov, 1 +willdropphoto.co.uk, 1 +willekeinden.nl, 1 +willenberg.family, 1 +willerei.com, 1 +willerei.de, 1 +willfarrell.ca, 1 +willflies.com, 1 +willhackett.com, 1 +willhausliving.com, 1 +willi-graf-os.de, 1 +willi-roth-holzbau.ch, 1 +williamarias.tk, 1 +williamblondel.fr, 0 +williamboulton.co.uk, 1 +williamboundsltd.com, 1 +williamfeely.info, 1 +williamgoldberg.cf, 1 +williamjohngauthier.net, 1 +williamle.com, 1 +williamlong.info, 1 +williammcgill.co, 1 +williammcgill.com, 1 +williamparedes.tk, 1 +williampuckering.com, 1 +williamsalexander.com, 1 +williamscomposer.com, 1 +williamscountyoh.gov, 1 +williamsflintlocks.com, 0 +williamshomeheat.co.uk, 0 +williamsigal.com, 1 +williamstonmipd.gov, 1 +williamstownmi.gov, 1 +williamtai.moe, 1 +williamtm.com, 1 +willianchopin.tk, 1 +willich.tk, 1 +williejackson.com, 1 +willighp.de, 1 +willistonpdvt.gov, 1 +willkie.com, 1 +willlewis.co.uk, 1 +willmage.com, 1 +willnorris.com, 1 +willocks.nl, 1 +willoughbyhillsohio.gov, 1 +willow.technology, 1 +willowalexander.co.uk, 1 +willowbrook.co.uk, 1 +willowchild.de, 1 +willowcreektrucking.com, 1 +willowcundy.com, 1 +willowdalechurch.ca, 1 +willowmanorgroup.com, 1 +willowparktx.gov, 1 +willowpassdentalcare.com, 1 +willowpf.com, 1 +wills.co.tt, 1 +willship.co.nz, 0 +willsigal.com, 1 +willspointtx.gov, 1 +willstamper.name, 1 +willsthebest.co.uk, 1 +willstocks.co.uk, 1 +willturner.tk, 1 +willwilkins.com, 1 +willwoodworth.com, 1 +willys.zone, 1 +willywangstory.com.tw, 1 +willywangstory.org, 1 +willzahra.com.au, 1 +wilmette.gov, 1 +wilmingtonzen.tk, 1 +wilmothgroup.com, 1 +wilomark.com, 1 +wils.jp, 1 +wilseyrealty.com, 1 +wilshirelawfirm.com, 1 +wilson-lincoln-wi.gov, 1 +wilsoncountync.gov, 1 +wilsonfire.com, 1 +wilsonlanguage.com, 1 +wilsonovi.com, 1 +wilsontnvotes.gov, 1 +wilsonvilleoregon.gov, 1 +wiltoniowa.gov, 1 +wiltonmanors.gov, 1 +wiltonsandstonequarry.com.au, 1 +wiltrovira.com, 1 +wiltshirefarmfoods.com, 0 +wilypumpkin.com, 1 +wimbledon.com, 1 +wimlanphen.nl, 1 +wimmer-informatik.eu, 1 +wimmer-musik.eu, 1 +wimmer-software.de, 1 +wimmer-software.eu, 1 +wimmer.green, 1 +wimmer.software, 1 +wimmer.tel, 1 +wimmersoftware.de, 1 +wimmersoftware.eu, 1 +win-apuestas.com, 1 +win-fortuna.ml, 1 +win-rar.com, 1 +win-the-1.com, 1 +win11.ren, 1 +win7stylebuilder.com, 0 +win7tips.tk, 1 +win8.am, 1 +win88-line.com, 1 +win88-line.net, 1 +winampnederlands.tk, 1 +winancreekbarn.com, 1 +winario.de, 1 +winaust.com.au, 1 +winball.ml, 1 +winbics.com, 1 +winbignow.click, 1 +wincasinosmoney.com, 1 +wincasinowin.click, 1 +winch-center.de, 1 +winch.expert, 0 +winchendon-ma.gov, 1 +winckelmann2020.com, 1 +wincoil.gov, 1 +wind-riders.cf, 1 +wind.com.do, 1 +windforme.com, 1 +windgucker.de, 1 +windhamct.gov, 1 +windhamvillageoh.gov, 1 +windhamworks.com, 1 +windice1.io, 1 +windictus.net, 1 +windirect.tk, 1 +windirstat.net, 1 +windjetboats.com, 1 +windmillart.net, 1 +windowcleaningexperts.net, 1 +windowreplacement.net, 1 +windows, 1 +windows101tricks.com, 1 +windows11.com.br, 1 +windows311.org, 1 +windowsblogitalia.com, 1 +windowscult.com, 1 +windowsdoors.it, 1 +windowsforum.com, 1 +windowsfreak.de, 0 +windowsindonesia.com, 1 +windowsindonesia.id, 1 +windowslatest.com, 1 +windowsnerd.com, 1 +windowsru.com, 0 +windowsviet.com, 1 +windowsworkstation.com, 1 +windpay.ga, 1 +windr.win, 1 +windrawwin.com, 1 +windrich-werkzeugmaschinen.de, 1 +windriver.org, 1 +windroide.net, 1 +windrunner.se, 1 +windscribe.com, 1 +windsock-app.com, 1 +windsorelectricalservice.com, 1 +windsorite.ca, 1 +windsornc.gov, 1 +windsorrslsubbranch.com.au, 1 +windstreamhosting.com, 1 +windsurfercrs.com, 1 +windturbine.tk, 1 +windwoodmedia.com, 1 +windwords.me, 0 +windybank.net, 1 +windycitylawgroup.com, 1 +windycitypressurewashing.com, 1 +wine-route.net, 1 +wine-yoga.pl, 1 +wine.com.br, 1 +wine.com.my, 1 +wine.money, 1 +wine.my, 1 +wineandcheeseplace.com, 1 +winebrasil.com.br, 1 +winechapter.be, 1 +winedineunwind.org, 1 +winedoor.com, 1 +wineexperience.com.au, 1 +wineforhelp.cz, 1 +winegadgets.ru, 0 +winek.tk, 1 +winenews.it, 1 +wineparis.com, 1 +winerytoursanfrancisco.com, 1 +winezja.pl, 1 +winfieldchen.me, 1 +winfieldtownshipmi.gov, 1 +winfilestorage.tk, 1 +winfuture.de, 1 +wing-tsun.cf, 1 +wing-tsun.ga, 1 +wing-tsun.gq, 1 +wing-tsun.tk, 1 +wingchun.edu.au, 1 +wingchunboxtribe.com, 1 +wingertmd.com, 1 +winghill.com, 0 +wingify.com, 1 +wingmin.net, 1 +wingover.su, 1 +wingpictures.nl, 1 +wings.com.pk, 1 +wings.tours, 1 +wingspatagonia.com, 1 +wingstop.fr, 1 +winhelp21.tk, 1 +winhistory-forum.net, 1 +winkelbalans.nl, 1 +winkelcentrumputten.nl, 1 +winkelmanaz.gov, 1 +winkelvanmorgen.nl, 1 +winkelvansinkel.tk, 1 +winkli.ddns.net, 1 +winktonsibo.tk, 1 +winl-45774.club, 1 +winma.org, 0 +winmax.it, 1 +winmix.nl, 1 +winmodels.org, 1 +winnebagocountyiowa.gov, 1 +winnebagocountywi.gov, 1 +winneconnesd3wi.gov, 1 +winner.ua, 1 +winnercivi.com, 1 +winnersaffiliate.com, 1 +winnerschapelbelgium.be, 1 +winnery.tk, 1 +winning.gq, 1 +winningattitudeawards.org, 1 +winnipegcomputerguy.tk, 1 +winnlandscaping.com, 1 +winona-area-scum.tk, 1 +winonamn.gov, 1 +winoptical.com, 1 +winoptimise.fr, 1 +winov.com.br, 1 +winphonemetro.com, 1 +winpic.co, 1 +winpreso.com, 1 +winrar.com, 1 +winsabayi.tk, 1 +winserver.ne.jp, 1 +winslowhomer.tk, 1 +winslowslair.tk, 1 +winsufi.biz, 1 +wint.global, 1 +wintark.com, 1 +wintechlab.com, 1 +winter-auszeit.de, 0 +winter-elektro.de, 1 +winter-leak.ml, 1 +winter.ae, 1 +winterbergwebcams.com, 1 +winterco.org, 1 +wintercorn.com, 1 +winterdetective.ga, 1 +winterfeldt.de, 0 +winterhavenobgyn.com, 1 +winterhillbank.com, 1 +winteringent.be, 1 +winterlandbeverages.com, 1 +wintermeyer-consulting.de, 1 +wintermeyer.de, 1 +winternacht14.tk, 1 +winteromeo.tk, 1 +winterset.gov, 1 +winterstudies.ga, 1 +winterthur.ch, 1 +winterzine.cf, 1 +wintodoor.com, 1 +winull.de, 1 +winup.org, 1 +winvio.com, 1 +winwares.com, 1 +winwitharval.co.uk, 1 +winwiz1.com, 1 +winxpclub.tk, 1 +winzdevelopment.com, 1 +winzero.tk, 1 +winzong.cn, 1 +winzong.net, 1 +wiocha.pl, 1 +wipa.tk, 1 +wipayfinancial.com, 1 +wipeoutracing.tk, 1 +wipers-nz.co.nz, 1 +wippie.se, 1 +wippler.at, 1 +wippy.tk, 1 +wipro.com.vn, 0 +wir-do.de, 1 +wir-jugendhilfe.de, 1 +wir-machen-druck.de, 1 +wir-pflegen-zuhause.at, 1 +wir-pflegen-zuhause.ch, 1 +wir-pflegen-zuhause.de, 1 +wir-pflegen-zuhause.it, 1 +wirbsinglereview.com, 1 +wire.com, 0 +wirebank.ru, 1 +wired.co.uk, 1 +wiredcolony.com, 1 +wiredrelease.com, 1 +wiredroot.com, 1 +wireheading.com, 1 +wirekeep.com, 1 +wireless-emergency-stop.com, 1 +wireless-kill-switch.com, 1 +wirelessbelgie.tk, 1 +wirelesscctv.tk, 1 +wirelessfestival.co.uk, 1 +wirelessleeuwarden.tk, 1 +wirelesslogic.com, 1 +wirelesslogicnordic.com, 1 +wirelessthief.ga, 1 +wirelly.com, 1 +wireshark.org, 1 +wireshocks.com, 1 +wiretap.cf, 1 +wirethrone.com, 1 +wiretoss.com, 1 +wiretransaction.ga, 1 +wiriamu.net, 1 +wiris.be, 1 +wirkaufen.it, 1 +wirkaufendeinau.to, 1 +wirken.info, 1 +wirksportal.com, 1 +wirkstatt-lq.at, 1 +wirkstatt-lq.ch, 1 +wirkstatt-lq.de, 1 +wirkstatt-lq.net, 1 +wirkstoffreich.de, 1 +wirkungs-forschung.at, 1 +wirkungs-forschung.ch, 1 +wirkungs-forschung.com, 1 +wirkungs-forschung.de, 1 +wirkungs-forschung.net, 1 +wirsberg-studios.de, 1 +wirsing.nl, 1 +wirtanen.tk, 1 +wirtcountywvsheriff.gov, 1 +wirtschaftsberater-website.de, 1 +wis.no, 1 +wisak.me, 1 +wisal.org, 1 +wisardcoin.tk, 1 +wisatabagus.com, 1 +wischu.com, 1 +wiscon.co, 1 +wisconsinnet.tk, 1 +wisdoj.gov, 1 +wisdom-nict.jp, 1 +wisdomcue.com, 0 +wisdomgarden-mr.com, 1 +wisdomgeek.com, 1 +wisdomise.com, 1 +wisdomise.io, 1 +wisdomize.me, 1 +wisdomteethonly.com, 1 +wisdomteethsydney.com.au, 1 +wisdotplans.gov, 1 +wise-parenting.com, 1 +wise.jobs, 1 +wiseadvicetravelling.com, 0 +wisebarber.com, 1 +wiseclinictc.com.tw, 1 +wisecountytx.gov, 1 +wisegoldfish.com, 1 +wisehome.dk, 1 +wiseinternational.org, 1 +wiseitguys.com, 1 +wiselectures.com.au, 1 +wisemans.us, 1 +wisemen.digital, 0 +wisemoney.com.vc, 1 +wisenederland.nl, 1 +wiseradiology.com.au, 1 +wisereducacao.com, 1 +wisereshape.com, 1 +wiserpost.com, 1 +wisersp.com, 1 +wisertp.com, 1 +wisetechglobal.com, 1 +wisetoken.net, 1 +wiseup.com, 1 +wiseupcorp.com, 1 +wiseuplive.com.br, 1 +wisewaynutrition.com, 1 +wishing3.com, 1 +wishingyou.co.uk, 1 +wishlisotr.cf, 1 +wishlisotr.gq, 1 +wishlist.net, 1 +wishlog.fun, 1 +wishmail.cf, 1 +wiska.cn, 1 +wiska.co.kr, 1 +wiska.co.uk, 1 +wiska.com.br, 1 +wiska.es, 1 +wiska.in, 1 +wiska.lat, 1 +wiskundeonderzoek.tk, 1 +wism.io, 1 +wisniewskamakeup.pl, 1 +wisnz.co.nz, 1 +wispmaeksmusic.tk, 1 +wispsuperfoods.com, 1 +wispyon.com, 1 +wisr.com.au, 1 +wiss.co.uk, 0 +wissamnr.be, 1 +wisselink.tk, 1 +wissen-a5.de, 1 +wissen.center, 1 +wissena5.de, 1 +wistaysafe.gov, 1 +wisteriahousedementiacare.co.uk, 1 +wisweb.no, 1 +wit-creations.fr, 1 +wit.ai, 1 +witae.com, 1 +witajmaluszku.pl, 1 +witch-anastasia.com, 1 +witch-spells.com, 1 +witchbeauty.tk, 1 +witcher-rz.com, 1 +witcher.tk, 1 +witchhunt.tk, 1 +witchthicktits.tk, 1 +witez.net, 1 +with-environment.com, 1 +withamscouts.org.uk, 1 +withdati.fr, 1 +withdcc.com, 1 +witheachmile.com, 1 +wither.cf, 1 +witheveryheartbeat.com.au, 1 +withextraveg.net, 1 +withfoundation.org, 1 +withgentlent.com, 1 +withgoogle.com, 1 +withinsecurity.com, 1 +withjoy.com, 1 +withoutessence.io, 1 +withoutlovenotcount.ru, 1 +withpersona.com, 1 +withprocess.com, 1 +withsunglasses.co.uk, 1 +withyoutube.com, 1 +witneywaterpolo.org.uk, 1 +witrey.com, 1 +witron.de, 1 +wits.uk, 1 +witsvideo.com, 1 +witt.link, 1 +wittamer.com, 0 +wittebrug.nl, 1 +wittepapaver.nl, 1 +witteveenbos.com, 1 +wittgen-kfz-technik.de, 1 +witting.co, 0 +wittingtonventures.com, 1 +wittke-group.ch, 1 +wittke-group.cn, 1 +wittke-group.com, 1 +wittke-group.de, 1 +wittke.ch, 1 +wittke.cn, 1 +wittke.li, 1 +wittu.fi, 1 +wittur.com, 1 +witze-fun.de, 1 +witzik.at, 1 +wiut.uz, 1 +wivcfinancialservices.com, 1 +wivoc.nl, 1 +wiwi.nl, 1 +wixadvertising.com, 1 +wixel.tk, 1 +wixmultimedia.com, 1 +wiz.at, 1 +wiz.biz, 1 +wiz.io, 1 +wizadjournal.com, 1 +wizard.gov, 0 +wizardbouncycastles.co.uk, 1 +wizardk.tk, 1 +wizardkami.tk, 1 +wizardmeow.xin, 1 +wizardschool.tk, 1 +wizardswebs.com, 1 +wizathon.com, 1 +wizzair.com, 1 +wizzley.com, 1 +wizznab.tk, 1 +wizzr.nl, 1 +wjb.marketing, 1 +wjcainc.com, 0 +wjci.com, 1 +wjdetailers.com, 1 +wje-online.de, 1 +wjec.co.uk, 1 +wjg.ca, 1 +wjg.dk, 1 +wjg.se, 1 +wjm2038.me, 1 +wjr.io, 1 +wjtje.ga, 1 +wjwieland.dvrdns.org, 0 +wk-tk.com, 1 +wk.pl, 1 +wk577.com, 1 +wkberg.nl, 1 +wkbw.com, 1 +wkd.one, 1 +wkennington.com, 1 +wkitu-test.tk, 1 +wkj-airport.jp, 1 +wkola.tk, 1 +wkshp.link, 1 +wkv.com, 1 +wkweg.online, 1 +wkwsafetysolution.com, 1 +wkymenshealth.com, 1 +wkz.io, 1 +wl-bank.com, 1 +wl-bank.de, 1 +wl-bank.eu, 1 +wlaws.com, 1 +wlbank.de, 1 +wlci.gov, 1 +wlcmedical.com.au, 1 +wlf.is, 1 +wlg.city, 1 +wlmq10086.cn, 1 +wlnk.cc, 1 +wloch.me, 1 +wlolo.com, 1 +wlozku.pl, 1 +wlpc.com, 1 +wlpvzfilmy-onlajnmlawq.tk, 1 +wlt.ca, 1 +wltix.com, 1 +wlwlwx.com, 0 +wm-access.com, 1 +wm-access.de, 1 +wm-referrals.com, 1 +wm275u.top, 1 +wmaccess.com, 1 +wmaccess.de, 1 +wmar2news.com, 1 +wmasphaltservices.com, 1 +wmataoig.gov, 1 +wmc.org, 1 +wmcpaphysicians.com, 1 +wmcuk.net, 1 +wmda.info, 1 +wme.cn, 1 +wmfusercontent.org, 1 +wmi4.com, 1 +wmkowa.de, 1 +wmmi.org, 1 +wmmkf.com, 1 +wmmks.com, 1 +wmmp.link, 1 +wmnrj.com, 1 +wmphonline.com, 1 +wmphvacations.com, 1 +wmsenibong.com.my, 1 +wmsndorgen.cf, 1 +wmsndorgen.ga, 1 +wmsndorgen.gq, 1 +wmsndorgen.ml, 1 +wmsndorgen.tk, 1 +wmtools.me, 1 +wmustore.com, 1 +wnark.com, 1 +wnav.cc, 1 +wnc-frontend-alb-1765173526.ap-northeast-2.elb.amazonaws.com, 1 +wndrdtfd.com, 1 +wnmed.com.au, 1 +wnn8.com, 1 +wns68123.com, 1 +wns6852.com, 1 +wns6862.com, 1 +wns68622.com, 1 +wns6865.com, 1 +wns68666.com, 1 +wns6872.com, 1 +wnsr3970.com, 1 +wnvtech.com, 0 +wnxt.in, 1 +wo-ist-elvira.net, 1 +wo1h3o.com, 1 +wo25.net, 1 +wo2forum.nl, 1 +woadzs.com, 1 +woah.how, 1 +woai.cf, 1 +woaiuhd.com, 1 +woba.cf, 1 +woba.ml, 1 +wobako.pl, 1 +wobble.ninja, 1 +wobblywotnotz.co.uk, 1 +wobker.co, 1 +woblex.cz, 1 +wobuwo.com, 1 +woc.ao, 1 +wochenblatt.com, 1 +wochennummern.de, 1 +wocup.ga, 1 +wod-stavby.cz, 1 +wodarfmankiffen.de, 1 +wodax.dk, 1 +wodboss.com, 1 +wodemo.com, 1 +wodi.cf, 1 +wodi.ml, 1 +wodicka.org, 1 +wodinaz.com, 1 +wodka-division.de, 1 +wodzirej.net.pl, 1 +woeb.fr, 1 +woelckner.com, 1 +wofford-ecs.org, 0 +woffu.com, 1 +wogame.co, 1 +wogame.ink, 1 +wogame.org, 1 +wogame.wiki, 1 +wogame.work, 1 +wogame.works, 1 +woge.cf, 1 +woge.ml, 1 +wogo.org, 1 +woh.org, 1 +woheni.de, 1 +wohnberatung-wien.at, 1 +wohnsitz-ausland.com, 1 +wohnungsaufloesung-berlin.net, 1 +wohnungsbaukredit.ag, 1 +wohnungsbaukredit.biz, 1 +wohnungsbaukredit.com, 1 +wohnungsbaukredit.de, 1 +wohnungsbaukredit.eu, 1 +wohnungsbaukredit.info, 1 +wohnungsbaukredit.org, 1 +wohnungsmarktbeobachtung.de, 1 +wohnzimmer-koch.de, 1 +woi.vision, 1 +wois.info, 1 +wojart.pl, 1 +wojciechowka.pl, 1 +wojciechteichert.pl, 1 +wojtekmaj.pl, 1 +wojtekogrodnik.pl, 1 +wokeanda.com, 1 +wokeupset.ru, 0 +wokfilms.pt, 1 +wokinghammotorhomes.com, 1 +woldars.com, 1 +wolf-haven.tk, 1 +wolf333.com, 1 +wolfachtal-alpaka.de, 1 +wolfarth.info, 1 +wolfermann.org, 1 +wolfermans.com, 1 +wolferstetterkeller.de, 1 +wolfertconsulting.nl, 1 +wolfflabs.com, 1 +wolffproperties.com, 1 +wolfgang-kerschbaumer.at, 1 +wolfgang-kerschbaumer.com, 1 +wolfgang-kerschbaumer.net, 1 +wolfgang-kloke.de, 1 +wolfgang-ziegler.com, 1 +wolfgangkowar.de, 1 +wolfie.tv, 1 +wolflabs.co.uk, 1 +wolflambert.tk, 1 +wolfsburgwest.com, 1 +wolfsense.nl, 1 +wolfshoehle.eu, 1 +wolfskymedia.com, 1 +wolfsmobile.com, 1 +wolfstreet.com, 1 +wolfteam.tk, 1 +wolfvideoproductions.com, 1 +wolfwings.us, 1 +wolfy.design, 1 +wolfy1339.com, 1 +wolkanca.com, 1 +wolkanca.com.tr, 1 +wolke7.wtf, 1 +wolkenputzer.com, 1 +wolkenspeicher.org, 1 +wolkjehosting.nl, 1 +wolkoopjes.nl, 1 +wolkowitz.com, 1 +wollmann.it, 1 +wollongongbaptist.hopto.org, 1 +wollwerk.org, 1 +wolrdwidessl.net, 1 +wolsing.dk, 1 +wolszon.me, 1 +woltauth.de, 1 +woltlab-demo.com, 1 +woltlab.com, 1 +woltlab.de, 1 +wolvcoll.ac.uk, 1 +wolverine-obuv.ru, 1 +wolvesbanemanor.com, 1 +wolvostore.com, 1 +wom.de, 1 +womb.city, 1 +wombathost.uk, 1 +wombatnet.com, 1 +wombatpass.com, 1 +wombatpass.com.au, 1 +wombats.net, 1 +wombere.org, 1 +women-femmes.gc.ca, 1 +women-only.net, 0 +women.gc.ca, 1 +womenagainstviolence.org, 1 +womenbeautyhealth.com, 1 +womenbrace.tk, 1 +womenfashionshirt.tk, 1 +womenofficersofindia.com, 1 +womenonboardskenya.co.ke, 1 +womenridersnow.com, 1 +womens-suits.tk, 1 +womensbiz.tk, 1 +womenscalltoaction.tk, 1 +womensenews.org, 0 +womenshealth.gov, 1 +womensmedassoc.com, 1 +womensshelterofhope.com, 1 +womfs.com.au, 1 +wompenriebler.tk, 1 +womply.com, 1 +woms.top, 1 +womywomwoo.com, 1 +wonderbits.net, 1 +wonderbox.ga, 1 +wonderbox.gq, 1 +wonderbox.ml, 1 +wonderchat.tk, 1 +wondercorner.ca, 1 +wondereur.com, 1 +wonderfall.space, 1 +wonderfuleducation.eu, 1 +wonderfuleducation.nl, 1 +wonderfulworldofwalliams.tk, 1 +wonderhost.info, 1 +wonderhowto.com, 1 +wonderkind.de, 1 +wonderlab.ml, 1 +wonderland-server.net, 1 +wonderlangkawi.com, 1 +wonderleaks.gq, 1 +wondermags.com, 1 +wondermiles.com, 1 +wondermiles.org, 1 +wondersoft.co, 1 +wonderworksonline.com, 1 +wondeur.ai, 1 +wondium.nl, 1 +wonewocwi.gov, 1 +wong-sleweah.tk, 1 +wonghome.net, 1 +wongu.tech, 1 +woning-verfspuiten.be, 1 +woning-verfspuiten.com, 1 +woning-verfspuiten.nl, 1 +woningonderhoud.tk, 1 +woningsnet.nl, 1 +wonko-vs-trader.de, 1 +wonksecurity.com, 1 +wonksecurityblog.com, 1 +woo-jiho.tk, 1 +woo-order.com, 1 +woo.bi, 1 +wooblr.com, 1 +wooby.tk, 1 +wooc.org, 0 +woocommerce-b2b-plugin.com, 1 +woocommerce-multivendor.com, 1 +woocommerce.academy, 1 +wood-crafted.co.uk, 1 +wood-crafted.uk, 1 +wood4heat.ca, 1 +woodandshop.com, 1 +woodbornekitchens.com, 1 +woodbridgegrp.com, 1 +woodbury.io, 1 +woodburynj.gov, 1 +woodcat.net, 1 +woodcentral.com, 1 +woodcock.cloud, 1 +woodcountywi.gov, 1 +woodcraftcompany.ru, 1 +woodensure.com, 1 +woodev.us, 1 +woodfarm2020.com, 1 +woodfencestlouis.com, 1 +woodfordcountyil.gov, 1 +woodfordcountyky.gov, 1 +woodhavenmi.gov, 1 +woodlandboys.com, 1 +woodlandexterior.com, 1 +woodlandsiding.com, 1 +woodlandsunrooms.com, 1 +woodlandsunroomsandenclosures.com, 1 +woodlandsvale.uk, 1 +woodlandwindows.com, 1 +woodlandwindows.net, 1 +woodlawnky.gov, 1 +woodlineds.com, 1 +woodmaster23.ru, 0 +woodminstermanagement.tk, 1 +woodminsterrealty.com, 1 +woodomat.com, 1 +woodomat.net, 1 +woodomat.org, 1 +woodpeckerhallacademy.org.uk, 1 +woodridgeil.gov, 1 +woodrowandallen.com, 1 +woodruffcountyar.gov, 1 +woodsbagot.com, 1 +woodsconsulting.com, 0 +woodscountyok.gov, 1 +woodshouse.ru, 1 +woodsideca.gov, 1 +woodsidepottery.ca, 1 +woodstar.ro, 1 +woodstocknh.gov, 1 +woodstockva.gov, 1 +woodstone.nu, 1 +woodtrust.com, 1 +woodvillems.gov, 1 +woodvillemspolice.gov, 1 +woodward-vets.co.uk, 1 +woodwicker.cl, 1 +woodwo.se, 1 +woodworkcare.com, 1 +woodworkingforabeginner.com, 1 +woodwormtreatment.com, 1 +woody-art.eu, 1 +woodyallen.tk, 1 +woodysinstalaciones.com, 1 +woof.gq, 1 +woofsbakery.com, 1 +woohay.com, 1 +woohoo.in, 1 +woohooyeah.nl, 1 +wookstar.com, 1 +woolfplumbing.com.au, 1 +woolyss.com, 1 +woomu.me, 1 +woonaval.eu, 1 +woonbedrijf.com, 1 +woonboulevardvolendam.nl, 0 +woonplein.tk, 1 +woontegelwinkel.nl, 1 +woonverkoop.be, 1 +woopie.com, 1 +woopiq.com, 0 +wooplaces.com, 1 +wooproducciones.tk, 1 +woordvanvandaag.nl, 1 +woorkup.com, 1 +woorocket.com, 1 +woosh5.com, 1 +woosk.de, 1 +wootality.com, 0 +woothelpdesk.com, 1 +wootkit.tk, 1 +wootware.co.za, 1 +wopr.network, 1 +wops.cc, 1 +worayuthit.com, 1 +worca.de, 1 +worcade.com, 1 +worcesterbouncycastlehire.co.uk, 1 +worcesterbouncycastles.co.uk, 1 +worcestercu.com, 1 +worcesterfestival.co.uk, 1 +worcestermd.gov, 1 +worcesterpethydrotherapy.com, 1 +worcestervets.co.uk, 1 +worcestervetsreferrals.com, 1 +word-grabber.com, 1 +wordbits.net, 0 +wordcounter.net, 1 +wordfast.com, 1 +wordher.com, 1 +wordindonesia.com, 1 +wordindonesia.id, 1 +wordlessecho.com, 1 +wordnietvindbaar.nl, 1 +wordops.io, 1 +wordops.net, 1 +wordpress-crm-plugin.com, 1 +wordpress-crm.pl, 1 +wordpress-inc.ru, 1 +wordpress-szakerto.hu, 1 +wordpress-test.site, 0 +wordpress.com, 0 +wordpressadmin.ru, 1 +wordpressbot.tk, 1 +wordpressdevelopment.ml, 1 +wordpresstrainingtoday.com, 1 +wordregistrar.ga, 1 +words-are-pictures.com, 1 +wordsearchwhiz.com, 1 +wordsforellie.com, 1 +wordsmart.it, 1 +wordsofamaster.com, 1 +wordspam.ga, 1 +wordunscrambler.com, 1 +wordwidessl.net, 1 +wordxtra.net, 1 +wordzite.com, 1 +worf.in, 1 +wori.cf, 1 +wori.ga, 1 +wori.gq, 1 +wori.ml, 1 +wori.tk, 1 +worio.co, 1 +work-at-home.ga, 1 +work-at-home.gq, 1 +work-in-progress.website, 1 +work-msg.com, 1 +work.me, 1 +workaholic.tk, 1 +workaholics.tk, 1 +workaround.run, 1 +workat.tech, 1 +workatclever.com, 1 +workatclever.us, 1 +workatclevyr.us, 1 +workathome.tk, 1 +workathomeideas.tk, 1 +workathomenoscams.com, 1 +workathomeopportunities.tk, 1 +workathomernjobs.tk, 1 +workcare.com, 1 +workcenter.gov, 1 +workcheck.bz, 1 +workclaims.org, 1 +workcloud.jp, 1 +workcost.me, 1 +workelo.eu, 1 +workemy.com, 1 +worker.gov, 1 +workermess.tk, 1 +workers-iran.org, 1 +workerscompensationattorneysandiego.net, 1 +workerscomplawyerhelp.com, 1 +workerselforganisation.cf, 1 +workerselforganisation.ga, 1 +workflowy.com, 1 +workfromhomebusinessopportunities.cf, 1 +workfromhomebusinessopportunities.tk, 1 +workfromhomecareers.tk, 1 +workfromhomeforum.cf, 1 +workfromhomeforum.tk, 1 +workfromhomemom.cf, 1 +workfromhomeoptions.ml, 1 +workfromhomeoptions.tk, 1 +workfromhomesales.tk, 1 +workfromhomesites.ga, 1 +workfromhomesites.ml, 1 +workfromhometexas.tk, 1 +workhandyman.com, 1 +workhorsemkt.com, 1 +workindia.ml, 1 +workinestonia.com, 0 +working-group-cloudsecurityalliance.org, 1 +workingclassmedia.com, 1 +workingfamilies.org.uk, 0 +workinghardinit.work, 1 +workingmachine.info, 1 +workingnotworking.com, 1 +workingproductkeys.info, 1 +workingtalent.nl, 1 +workinnorway.no, 1 +workiva.com, 1 +workjustice.com.au, 1 +worklinepc.com, 1 +worklizard.com, 1 +workmaxidenta.lt, 1 +worknrby.com, 1 +workology.com, 1 +workona.com, 1 +workonit.cf, 1 +workoutdigital.com, 1 +workplace.com, 1 +workplace.tools, 1 +workreap.tk, 1 +workreveal.biz, 1 +works-ginan.jp, 1 +worksheets-to-print.com, 1 +workshop-assets.com, 1 +workshop-email-content.com, 1 +workshop-email-tracking.com, 1 +workshop-spf.net, 1 +workshop-sync.net, 1 +workshop.industries, 1 +workshop.men, 1 +workshopengine.com.au, 1 +workshopszwolle.nl, 1 +workshopzwolle.com, 1 +worksindev.com, 1 +worksitevr.com, 1 +workspace.pt, 1 +worksthatwork.com, 1 +workstride.org, 1 +worktefa.tk, 1 +workthings.de, 1 +workupapp.com, 1 +workwithgo.com, 0 +workwithusaid.gov, 1 +worky.ph, 1 +workzly.in, 1 +world-citizen-report.com, 1 +world-creator.se, 1 +world-documentary.ml, 1 +world-education-association.org, 1 +world-ir.international, 1 +world-lolo.com, 1 +world-mail.org, 1 +world-of-arms.tk, 1 +world-of-tes.tk, 1 +world-politics.tk, 1 +world-selena.tk, 1 +world-tanks.tk, 1 +world-trigger.net, 1 +world-web.pro, 1 +worldaccord.org, 1 +worldarmy.tk, 1 +worldatwork.org, 1 +worldbelow.tk, 1 +worldbirds.com, 1 +worldbirds.org, 1 +worldbusinessarea.tk, 1 +worldbusinessera.tk, 1 +worldcarding.tk, 1 +worldcdg.org, 1 +worldcharteronline.ga, 1 +worldchess.london, 1 +worldcigars.com.br, 1 +worldcircuit.co.uk, 1 +worldclassfriend.com, 1 +worldconsultingchile.tk, 1 +worldcrafts.org, 1 +worldcrunch.com, 1 +worldcup-odds.com, 1 +worlddataexchange.au, 1 +worlddataexchange.com, 1 +worlddataexchange.com.au, 1 +worldeg.estate, 1 +worldessays.com, 1 +worldeventscalendars.com, 1 +worldexpo.ga, 1 +worldfinancenews.org, 1 +worldfootball.tk, 1 +worldgun.ml, 1 +worldhealthcompany.tk, 1 +worldhealthdepartment.tk, 1 +worldhealthdiet.tk, 1 +worldhealthinfo.tk, 1 +worldhealthmedia.tk, 1 +worldhealthnews.tk, 1 +worldhealthsystem.tk, 1 +worldhealthtips.ga, 1 +worldhealthtips.tk, 1 +worldhomeasian.tk, 1 +worldhomebuild.tk, 1 +worldhomecanada.tk, 1 +worldhomedecor.tk, 1 +worldhomedecoration.tk, 1 +worldhomedesign.tk, 1 +worldhomeglobal.tk, 1 +worldhomeimprevement.tk, 1 +worldhomeinfo.tk, 1 +worldhomeinspiration.tk, 1 +worldhomeinterior.tk, 1 +worldhomeinteriror.tk, 1 +worldhomeitaly.tk, 1 +worldhomenews.tk, 1 +worldhomepro.tk, 1 +worldhomeuk.tk, 1 +worldhomeusa.tk, 1 +worldhosting.cf, 1 +worldinfusedcandles.com.au, 1 +worldintercontinental.cf, 1 +worldix.cf, 1 +worldix.gq, 1 +worldix.ml, 1 +worldix.tk, 1 +worldjobs.tk, 1 +worldjusticeproject.org, 1 +worldlandtrust.org, 1 +worldlanguage.tk, 1 +worldluxuryhome.tk, 1 +worldmarathons.tk, 1 +worldmeetings.com, 1 +worldnewsinbox.ga, 1 +worldnewsphoto.tk, 1 +worldofarganoil.com, 1 +worldofbelia.de, 1 +worldofgeekstuff.com, 1 +worldofheroes.ml, 1 +worldoflegion.ml, 1 +worldofparties.co.uk, 1 +worldpage.tk, 1 +worldpayaccessories.com, 1 +worldplayerx.com, 1 +worldpolitics.cf, 1 +worldpool.com.au, 1 +worldrallyforum.tk, 1 +worldranking.tk, 1 +worldrecipes.eu, 1 +worldrism.com, 1 +worldsage.org, 1 +worldsat.tk, 1 +worldsaway.ca, 1 +worldsbest.ga, 1 +worldscoop.org, 1 +worldsfree4u.ga, 1 +worldsgreatestazuredemo.com, 1 +worldsms.tk, 1 +worldsnewshub.com, 1 +worldsport.cf, 1 +worldstone777.com, 1 +worldstyles.cf, 1 +worldsweet.ru, 1 +worldsy.com, 1 +worldsystems.com.co, 1 +worldtalk.de, 1 +worldtattooevents.com, 1 +worldtourismgroup.com, 1 +worldtrandingnews.ml, 1 +worldtravelmagazine.tk, 1 +worldturkmans.tk, 1 +worldupdatereviews.com, 1 +worldviews-debattieren.de, 1 +worldvisa.tk, 1 +worldwallstreet.tk, 1 +worldwar2collector.tk, 1 +worldwideradiosummit.com, 1 +worldwidescience.org, 1 +worldwidessl.net, 1 +worldwinesweb.be, 1 +worlich.tk, 1 +wormate.io, 1 +wormburners.tk, 1 +wormbytes.ca, 1 +wormhol.org, 1 +wormhole.com, 1 +wormhole.ga, 1 +wormholevpn.net, 1 +wormincorporated.tk, 1 +wormpress.com, 1 +worms-cowclan.tk, 1 +wormser-zeitung.de, 1 +worongarymedical.com.au, 1 +worpswede.eu, 1 +worst.horse, 0 +wort-suchen.de, 1 +wortdestages.tk, 1 +worthcountyiowa.gov, 1 +worthenind.com, 1 +worthingtonindustries.com, 0 +worthless.company, 1 +worthlessingratitudecq.cf, 1 +worthlessingratitudecq.gq, 1 +worthlessingratitudecq.ml, 1 +worthlydeals.com, 1 +worthtownshipmi.gov, 1 +worthyblog.com, 1 +worthygo.com, 1 +worzo.tk, 1 +woshiluo.com, 1 +woshiluo.site, 1 +wossl.com, 1 +wossl.net, 1 +wot-life.com, 1 +wot-tudasbazis.hu, 1 +wot-zadrot.com, 1 +wotaku.top, 1 +wotcheats.ru, 1 +woti.dedyn.io, 1 +wotlo.com, 1 +wotsunduk.ru, 1 +wotzadrot.com, 1 +woudenberg.nl, 0 +woulaba.com, 1 +wound-doc.co.uk, 1 +wouter.site, 1 +wouterbruijning.nl, 1 +wouterkobes.nl, 1 +wouterpetri.com, 1 +wouterpetri.xyz, 1 +wouterslop.com, 1 +wouterslop.eu, 1 +wouterslop.nl, 1 +woutervdb.com, 1 +woutiscoding.be, 1 +wovietv.com, 1 +wow-dsg.ch, 1 +wow-foederation.de, 1 +wow-screenshots.net, 1 +wow-serbia.tk, 1 +wow8888.ph, 1 +wowa.ca, 1 +wowaffixes.info, 1 +wowarcaim.ml, 1 +wowbouncycastles.co.uk, 1 +wowchemy.com, 1 +wowcinema.tk, 1 +wowdrive.ga, 1 +wowhampers.ie, 1 +wowhediyelik.com, 1 +wowhelp.it, 1 +wowi-ffo.de, 1 +wowjs.co.uk, 1 +wowjs.org, 1 +wowjs.uk, 1 +wowlegacy.ml, 1 +wowlove.tk, 1 +wowmoroccotours.com, 1 +wownmedia.com, 1 +wownskportal.tk, 1 +wowowow.com, 1 +wowpilates.com, 1 +wowpolisa.pl, 1 +wows-mods.tk, 1 +wows.sb, 1 +wowsosellout.com, 1 +wox.ac, 1 +woyao.ml, 1 +woyzeck.org, 1 +woz.ch, 1 +wozalapha.com, 1 +wozwaardeloket.nl, 1 +wozwebdesign.com.br, 1 +wp-assistance.fr, 1 +wp-bootstrap.org, 1 +wp-bundle.co, 0 +wp-cloud.fi, 0 +wp-fastsearch.de, 1 +wp-in.de, 1 +wp-mix.com, 1 +wp-ninja.tk, 1 +wp-note.it, 1 +wp-op.com, 1 +wp-rebuild.com, 1 +wp-securehosting.com, 1 +wp-stack.pro, 1 +wp-tao.com, 1 +wp-webagentur.de, 1 +wp2static.com, 1 +wpac.de, 1 +wpandup.org, 1 +wpautolistings.com, 1 +wpboot.com, 1 +wpboys.com, 0 +wpbrigade.com, 1 +wpbyte.io, 1 +wpcanban.com, 1 +wpcc.edu, 1 +wpcepat.com, 0 +wpcgm.co.uk, 1 +wpcharged.nz, 1 +wpcheck.io, 1 +wpco.nl, 1 +wpco.se, 1 +wpconcepts.net, 1 +wpcoupons.io, 1 +wpcrs.org, 1 +wpcs.pro, 1 +wpdev.com.au, 1 +wpekspres.com, 1 +wpetri.nl, 1 +wpexpert.com.tr, 1 +wpexplainer.com, 1 +wpexplorer.com, 1 +wpfactory.io, 1 +wpformation.com, 1 +wpforum.tk, 1 +wpfunction.com, 1 +wpg-verwaltungen.de, 1 +wpginvest.com, 1 +wpguvenlik.com, 1 +wphelpdesk.nl, 1 +wphelpwithhomework.tk, 1 +wphlive.tv, 1 +wphost.nl, 0 +wphostee.co.uk, 1 +wphosting.ovh, 1 +wpinabox.de, 1 +wpinfos.de, 0 +wpinsides.com, 1 +wpjzb.com, 1 +wpknol.com, 1 +wpkoridoru.com, 1 +wpldn.uk, 1 +wpletter.de, 1 +wplibrary.net, 1 +wplicious.com, 1 +wplistings.pro, 1 +wpmafias.com, 1 +wpmaintenance.site, 1 +wpmatik.com, 1 +wpmeer.com, 1 +wpmeetup-berlin.de, 1 +wpmet.com, 1 +wpml.org, 1 +wpmu-tutorials.de, 1 +wpnesia.id, 1 +wpnews.cf, 1 +wpnews.ga, 1 +wpnews.gq, 1 +wpnews.ml, 1 +wpnews.tk, 1 +wpnovice.tk, 1 +wpocs.com, 1 +wpoptimalizace.cz, 1 +wppbki1.com, 1 +wprank.net, 1 +wprapide.com, 1 +wpresscoder.com, 1 +wpscholar.com, 1 +wpsecured.net, 1 +wpserp.com, 1 +wpsharks.com, 1 +wpsite.dk, 1 +wpsitemovers.com, 1 +wpsitesuccess.com, 1 +wpslimseo.com, 1 +wpsmackdown.com, 1 +wpspeedcare.com, 1 +wpspeedking.com, 1 +wpsuites.com, 1 +wptests.tk, 1 +wpthemearchive.com, 1 +wptotal.com, 1 +wptrigone.fr, 1 +wptrigone.net, 1 +wpturnedup.com, 1 +wptv.com, 1 +wpuse.ru, 1 +wpwebshop.com, 1 +wpwebtools.com, 1 +wpyukle.net, 1 +wq.ro, 1 +wqaw3.tk, 1 +wr.su, 1 +wrallp.com, 1 +wrap.in.ua, 1 +wrap.org.uk, 1 +wrapit.hu, 1 +wrapitup.co.uk, 1 +wrapping.spb.ru, 1 +wrara.org, 1 +wrathofgeek.com, 1 +wrbunderwriting.com, 0 +wrc-results.com, 1 +wrd48.net, 1 +wrdcfiles.ca, 1 +wrdmrk.com, 1 +wrecked.cf, 1 +wrecked.tk, 1 +wreckeroo.com.au, 1 +wreckingball.hu, 1 +wrecky.com.au, 1 +wregni.com, 1 +wrentham.gov, 1 +wrenthamfire.gov, 1 +wrenthampolice.gov, 1 +wrestlefanent.com, 1 +wresttmb.tk, 1 +wrfalimentos.com.br, 1 +wrglzd.com, 1 +wrgms.com, 1 +wrhomedecor.com.br, 1 +wrightcountymo911.gov, 1 +wrighthassall.co.uk, 1 +wrightpattfss.com, 1 +wrighttownshipottawami.gov, 1 +wrighttownshippa.gov, 1 +wringer.ga, 1 +wristler.eu, 1 +write-right.net, 1 +writeandedit-for-you.com, 1 +writeaword.tk, 1 +writemyessay.today, 1 +writemyessays.com, 1 +writemypaperhub.com, 1 +writemytermpapers.com, 1 +writeoff.me, 1 +writepro.net, 1 +writer24.ru, 1 +writerecommendations.ga, 1 +writerimranc.ca, 1 +writers-club.tk, 1 +writersblock.tk, 1 +writesafer.com, 1 +writestreak.team, 1 +writeyoursmile.com, 1 +writing-expert.com, 1 +writingapps.ga, 1 +writingbee.com, 1 +writingcities.net, 1 +writingiswork.ga, 1 +writingontablets.com, 1 +writingpapersonlineformoney.ga, 1 +writingtoserve.net, 1 +writtenandrecorded.com, 1 +writtenworld.bg, 1 +wrm.sr, 1 +wrmea.org, 1 +wrmh343.org, 1 +wrnck.cloud, 1 +wroclawguide.com, 1 +wrong.wang, 0 +wrozbyonline.pl, 1 +wrozbyzkartklasycznych.pl, 1 +wrp.gov, 1 +wrtv.com, 1 +wrytin.com, 1 +wrzalski.com, 1 +ws159.com, 1 +ws88.top, 0 +wsa.org.nz, 1 +wsa.poznan.pl, 1 +wsadek.ovh, 1 +wsave.be, 1 +wsb.pl, 1 +wsballc.com, 1 +wscad.com, 1 +wscales.com, 0 +wscauth.de, 1 +wscore.me, 1 +wsdcap.com, 1 +wsdcapital.com, 1 +wsdeboer.nl, 1 +wselektro.de, 1 +wseo.pw, 1 +wsgvet.com, 1 +wsheffield.com, 1 +wshop24.biz, 1 +wsl.sh, 1 +wsldp.com, 1 +wsm-naramowice.pl, 1 +wsn.com, 1 +wso01.com, 1 +wsparcie.gov.pl, 1 +wsrc.tk, 1 +wsrn.de, 1 +wsrv.nl, 1 +wss.com.ve, 1 +wsspalluto.de, 1 +wssv.ch, 0 +wstudio.ch, 0 +wsug.gq, 1 +wsv-pfeffingen.de, 1 +wszystkocokocham.com, 1 +wt-server3.de, 1 +wtawi.org, 1 +wtccc.org.uk, 1 +wtdiw.com, 1 +wtfast.com, 1 +wtfbryan.com, 0 +wtfcripto.com, 1 +wtfindonesia.tk, 1 +wtfnope.org, 1 +wth-security.nl, 1 +wth.in, 1 +wthproject.ru, 1 +wtkr.com, 1 +wtmarketing.com, 1 +wtp.co.jp, 1 +wtpdive.jp, 1 +wtpmj.com, 1 +wtsh.de, 1 +wtvr.com, 1 +wtw.io, 1 +wtxl.com, 1 +wuaffiliate.tk, 1 +wualabs.com, 1 +wuast24.de, 1 +wubuwu.com, 1 +wuchipc.com, 1 +wuchoamoveis.com.br, 1 +wucke13.de, 1 +wuellenweber.net, 1 +wuerfel.wf, 1 +wuerfelmail.de, 1 +wuergler-consulting.ch, 1 +wuermlitaucher.ch, 1 +wuestenbergs.tk, 1 +wuevahosting.com, 1 +wuff.gay, 1 +wug.fun, 1 +wug.jp, 1 +wug.news, 1 +wui.fan, 1 +wuifan.com, 1 +wuifan.net, 1 +wuifan.org, 1 +wuji.cz, 1 +wuki.li, 1 +wuknet.com, 1 +wuknet.net, 1 +wulai.cf, 1 +wulai.ml, 1 +wulala.one, 1 +wulel.cn, 0 +wulfrun-invicta.tk, 1 +wum.me, 1 +wuma.ml, 1 +wumai-p.cn, 1 +wumbo.cf, 1 +wumbo.co.nz, 0 +wumbo.ga, 1 +wumbo.gq, 1 +wumbo.kiwi, 1 +wumbo.ml, 1 +wumbo.tk, 1 +wuminhao.com, 1 +wums.org, 1 +wunder.io, 1 +wunderbarespolen.de, 1 +wunderkarten.de, 1 +wunderlist.com, 1 +wundertraining.com.au, 1 +wundi.net, 1 +wunschpreisauto.de, 1 +wunschzettel.de, 1 +wuoppy.com, 1 +wuppertal-2018.de, 0 +wuppertaler-frettchensitterin.tk, 1 +wurm-sb.de, 0 +wurmannsquick.bayern, 0 +wurmannsquick.de, 0 +wurstbrot.cf, 1 +wurstmineberg.de, 1 +wurzelchaos.de, 1 +wurzelkanal.de, 1 +wushka.com.au, 1 +wusu.tk, 1 +wuw.moe, 1 +wuxian.ml, 0 +wuya.eu.org, 1 +wuyifan.ga, 1 +wuyuan.io, 1 +wuz.com.tw, 1 +wuzhuiso.com, 1 +wv-n.de, 1 +wvbold.gov, 1 +wvbvm.gov, 1 +wvdnr.gov, 1 +wver.de, 1 +wvg.myds.me, 1 +wvpbs.ml, 1 +wvpbs.tk, 1 +wvpebd.gov, 1 +wvrtboard.gov, 1 +wvstateparks.com, 1 +wvunclaimedproperty.gov, 1 +wvv-8522.com, 1 +wvw-8522.com, 1 +ww3.myqnapcloud.com, 1 +ww5197.co, 1 +ww6396.com, 0 +ww6729.co, 1 +ww6729.com, 0 +ww6957.co, 1 +ww8989.com, 1 +ww9297.co, 1 +ww9397.com, 0 +ww9721.com, 1 +ww9728.co, 1 +wwa-clan.tk, 1 +wwads.cn, 1 +wwbsb.xyz, 1 +wwc.ren, 1 +wwcowa.gov, 1 +wwcut.com, 1 +wwe.to, 1 +wwgc2011.se, 1 +wwilogistics.com, 1 +wwjd.dynu.net, 1 +wwlc.ch, 1 +wwp-beauty.com, 1 +wwpxbeauty.com, 1 +wws-energysolutions.de, 1 +wws.nu, 1 +wwtelenet.com, 1 +wwtelenet.net, 1 +wwtg.gov, 1 +wwv-8522.com, 1 +wwv-8722.com, 1 +wwvip88.com, 1 +www-33445.com, 1 +www-38978.com, 1 +www-49889.com, 1 +www-68277.com, 1 +www-8225.com, 1 +www-8522.am, 1 +www-8522.com, 1 +www-8722.com, 1 +www-8887999.com, 0 +www-9118.com, 0 +www-9822.com, 1 +www-fwt.com, 1 +www-pheromone.com, 1 +www-pheromones.com, 1 +www.aclu.org, 0 +www.amazon.ca, 1 +www.amazon.cn, 1 +www.amazon.co.jp, 1 +www.amazon.co.uk, 1 +www.amazon.com, 1 +www.amazon.com.au, 1 +www.amazon.com.br, 1 +www.amazon.com.mx, 1 +www.amazon.de, 1 +www.amazon.es, 1 +www.amazon.fr, 1 +www.amazon.in, 1 +www.amazon.it, 1 +www.amazon.nl, 1 +www.banking.co.at, 1 +www.bbc.co.uk, 0 +www.bbc.com, 0 +www.braintreepayments.com, 0 +www.calyxinstitute.org, 1 +www.capitainetrain.com, 0 +www.captaintrain.com, 0 +www.cnet.com, 1 +www.com.gl, 1 +www.dm-drogeriemarkt.ba, 1 +www.dm-drogeriemarkt.bg, 1 +www.dm-drogeriemarkt.it, 1 +www.dm-drogeriemarkt.ro, 1 +www.dm.at, 1 +www.dm.cz, 1 +www.dm.de, 1 +www.dm.hr, 1 +www.dm.hu, 1 +www.dm.mk, 1 +www.dm.pl, 1 +www.dm.rs, 1 +www.dm.si, 1 +www.dropbox.com, 1 +www.dropcam.com, 0 +www.edu.tw, 1 +www.eternalgoth.co.uk, 1 +www.etsy.com, 1 +www.evernote.com, 0 +www.facebook.com, 0 +www.fastmail.com, 1 +www.figma.com, 1 +www.ft.com, 1 +www.g.co, 0 +www.gamesdepartment.co.uk, 0 +www.getcloak.com, 1 +www.gmail.com, 0 +www.googlemail.com, 0 +www.gov.pl, 1 +www.gov.scot, 1 +www.gov.uk, 0 +www.govt.nz, 1 +www.gpo.gov, 1 +www.grc.com, 0 +www.gub.uy, 1 +www.healthcare.gov, 0 +www.heliosnet.com, 1 +www.history.pe, 1 +www.honeybadger.io, 0 +www.hyatt.com, 1 +www.icann.org, 0 +www.irccloud.com, 0 +www.ki, 1 +www.lastpass.com, 0 +www.ledgerscope.net, 0 +www.lookout.com, 1 +www.messenger.com, 1 +www.mojadm.sk, 1 +www.noisebridge.net, 1 +www.opsmate.com, 1 +www.org.gg, 0 +www.paypal.com, 1 +www.python.org, 1 +www.re, 1 +www.rememberthemilk.com, 0 +www.rme.li, 0 +www.sb, 1 +www.simbolo.co.uk, 0 +www.techrepublic.com, 0 +www.theguardian.com, 1 +www.therapynotes.com, 1 +www.tinfoilsecurity.com, 1 +www.tl, 1 +www.torproject.org, 0 +www.tumblr.com, 0 +www.united.com, 1 +www.usaa.com, 0 +www.viasinc.com, 0 +www.vino.com, 0 +www.wepay.com, 1 +www.wordpress.com, 0 +www.zdnet.com, 1 +www00228a.com, 0 +www00228b.com, 0 +www00228c.com, 0 +www00228d.com, 0 +www00228e.com, 0 +www68277.com, 1 +wwwclan.tk, 1 +wwweb.be, 1 +wwwebdesignstudios.com, 1 +wwwhackeronecom.com, 1 +wwwindows.co.uk, 1 +wwwithcarrie.com, 1 +wwwn888.com, 0 +wwwsberdahk.ru, 1 +wwwwnews.tk, 1 +wwwwww.click, 1 +wwx.duckdns.org, 1 +wx37.ac.cn, 1 +wx6688.cc, 0 +wxcafe.net, 1 +wxdisco.com, 1 +wxforums.com, 1 +wxh.jp, 1 +wxhbts.com, 1 +wxkxsw.com, 1 +wxrlab.com, 1 +wxservices.tk, 1 +wxster.com, 1 +wxw.cat, 1 +wxw.guru, 1 +wxw.moe, 1 +wxw.ooo, 1 +wxxm.aero, 1 +wxyz.com, 1 +wxzm.sx, 1 +wy188.cc, 0 +wy6.org, 1 +wyam.io, 1 +wyatttauber.com, 1 +wybar.co.uk, 1 +wybar.uk, 1 +wycena.ga, 1 +wyckoff.vip, 1 +wyckoffspringmeadowcondos.com, 1 +wycombetoday.com, 0 +wycoreconstruction.com, 1 +wyczaruj.pl, 1 +wyday.com, 1 +wydmy.com.pl, 1 +wygibanki.pl, 1 +wygodnie.pl, 1 +wykedways.com, 1 +wykop.pl, 0 +wykopylodz.ga, 1 +wylark.com, 1 +wyldfiresignage.com, 1 +wylog.ph, 1 +wynajemautkrakow.cf, 1 +wynajemautkrakow.ga, 1 +wynajmijkontener.pl, 1 +wyndhamcapital.com, 1 +wyngatepta.com, 1 +wynlv.com, 1 +wynyardwood.co.nz, 1 +wyo.cam, 1 +wyofitclubs.com, 1 +wyofitness.com, 1 +wyomingcountyny.gov, 1 +wyomingcountypa.gov, 1 +wyomingia.gov, 1 +wyomingmi.gov, 1 +wyomingurology.com, 1 +wypiska.pl, 1 +wypozyczalniasamochodowkrakow.gq, 1 +wypracowania.pl, 1 +wyprawywedkarskiepremium.pl, 1 +wyrickstaxidermy.com, 1 +wyrihaximus.net, 1 +wyrimaps.net, 1 +wyriverton.com, 1 +wysa.io, 1 +wyspa.com.pl, 1 +wyssmuller.ch, 0 +wysz.com, 1 +wyydsb.cn, 1 +wyydsb.com, 1 +wyydsb.xin, 1 +wyzj.tv, 1 +wyzl.cc, 1 +wyzwaniemilosci.com, 1 +wz.lviv.ua, 1 +wz.my, 0 +wz.pt, 1 +wzaalpfm.com, 1 +wzajemnie.org.pl, 1 +wzfou.com, 1 +wzh.one, 1 +wzmzw.com, 0 +wzrd.in, 1 +wzrd.pw, 1 +wzutti.com, 0 +wzxaini9.com, 1 +wzyboy.org, 1 +x-6.pl, 1 +x-charge.uk, 1 +x-embed.com, 1 +x-files.tk, 1 +x-iweb.ru, 1 +x-kamera.de, 1 +x-lan.be, 1 +x-net24.pl, 1 +x-one.co.jp, 1 +x-orbit.dk, 1 +x-team.co.il, 1 +x-way.org, 1 +x.io, 1 +x.sb, 1 +x001.org, 1 +x00228.com, 1 +x00701.com, 1 +x00708.com, 0 +x00738.com, 1 +x00776.com, 1 +x00786.com, 0 +x0e.nl, 1 +x0r.be, 1 +x0r.link, 1 +x0rg.org, 1 +x13.com, 1 +x16.in, 1 +x1616.tk, 1 +x17.cafe, 1 +x17.ink, 0 +x2d2.de, 0 +x2oe.com, 1 +x2ox.com, 1 +x2printaccounting.com, 1 +x2studios.com, 1 +x3550.de, 1 +x3650.de, 1 +x36533.com, 1 +x378.ch, 1 +x3803.com, 1 +x3816.com, 1 +x3828.com, 1 +x3x.tc, 1 +x44.at, 1 +x500658.com, 1 +x5197.co, 1 +x58f.com, 1 +x58p.com, 1 +x58t.com, 1 +x58v.com, 1 +x5901.com, 0 +x5902.com, 1 +x5903.com, 0 +x5904.com, 1 +x5905.com, 1 +x5906.com, 0 +x5907.com, 1 +x5908.com, 0 +x5910.com, 0 +x5x.host, 1 +x6.nl, 1 +x61.sh, 1 +x64architecture.com, 1 +x6729.co, 1 +x6957.co, 1 +x7008.com, 0 +x7713.com, 0 +x7718.com, 1 +x7719.com, 0 +x7782.com, 0 +x7785.com, 0 +x7795.com, 0 +x77dd.com, 0 +x77ee.com, 1 +x77hh.com, 0 +x77jj.com, 1 +x77kk.com, 0 +x77mm.com, 0 +x77nn.com, 1 +x77pp.com, 0 +x77qq.com, 0 +x77ww.com, 0 +x7sevenusa.com, 1 +x81vv.com, 1 +x82365.com, 1 +x86.co.kr, 1 +x90.im, 1 +x9016.com, 1 +x9297.co, 1 +x9728.co, 1 +x98v.com, 1 +x98y.com, 1 +x98z.com, 1 +xa.search.yahoo.com, 0 +xa1.uk, 0 +xab199.com, 1 +xab678.com, 1 +xaba.tk, 1 +xabifk.com, 1 +xacker.tk, 1 +xacobeoexperience.com, 1 +xad.ch, 1 +xado-france.com, 1 +xajh.org, 1 +xakep-slon.tk, 1 +xakepctbo.tk, 1 +xakiatech.com, 1 +xalima.gq, 1 +xampusolid.cat, 1 +xanalys.org, 1 +xanderbron.tech, 1 +xanhdecor.com, 1 +xanny.family, 1 +xantec.com.my, 1 +xanthipolis.gr, 1 +xanthopoulos.me, 1 +xants.de, 1 +xanyl.de, 1 +xanzhu.com, 1 +xarangallomangallo.tk, 1 +xarcmastering.com, 1 +xarmenta.tk, 1 +xarxanet.org, 1 +xatr0z.org, 0 +xauzit.com, 1 +xav.ie, 1 +xaver.cash, 1 +xaver.exchange, 1 +xavi.re, 1 +xavier.is, 1 +xavierarroyo.tk, 1 +xaviermalisse.tk, 1 +xavio-design.com, 1 +xavy.fr, 1 +xayah.net, 1 +xaydungphunguyen.com, 1 +xaynhachothue.vn, 1 +xb008.com, 1 +xb053.com, 1 +xb056.com, 1 +xb058.com, 1 +xb1001.com, 1 +xb2002.com, 1 +xb201.com, 0 +xb3008.com, 1 +xb306.com, 1 +xb3888.com, 1 +xb6008.com, 1 +xb601.com, 0 +xb6610.com, 1 +xb6616.com, 1 +xb6632.com, 1 +xb6636.com, 1 +xb6638.com, 1 +xb6639.com, 1 +xb6656.com, 1 +xb6673.com, 1 +xb6676.com, 1 +xb6679.com, 1 +xb6683.com, 1 +xb6692.com, 1 +xb6696.com, 1 +xb6806.com, 1 +xb6808.com, 1 +xb6866.com, 1 +xb6880.com, 1 +xb7001.com, 1 +xb7077.com, 1 +xb7676.com, 1 +xb780.com, 1 +xb8006.com, 1 +xb8018.com, 1 +xb836.com, 1 +xb851.com, 0 +xb852.com, 1 +xb853.com, 0 +xb859.com, 0 +xb8606.com, 1 +xb862.com, 1 +xb865.com, 1 +xb871.com, 1 +xb872.com, 0 +xb873.com, 1 +xb8806.com, 0 +xb8861.com, 1 +xb891.com, 0 +xb893.com, 0 +xb896.com, 1 +xb9009.com, 1 +xb901.com, 0 +xb906.com, 1 +xb913.com, 1 +xb925.com, 1 +xb927.com, 0 +xb935.com, 0 +xb936.com, 0 +xb937.com, 1 +xb953.com, 0 +xb957.com, 1 +xb961.com, 1 +xb962.com, 0 +xb965.com, 0 +xb967.com, 0 +xb971.com, 0 +xb972.com, 1 +xb976.com, 0 +xb980.com, 1 +xb982.com, 1 +xb983.com, 0 +xbanner.tk, 1 +xbb.hk, 1 +xbb.li, 1 +xbc.nz, 1 +xbdm.fun, 1 +xbdmov.com, 1 +xbertschy.com, 1 +xbet104.com, 1 +xbet106.com, 1 +xbetkr.com, 1 +xbigzmedia.tk, 1 +xbjt11.com, 1 +xbjt2.com, 1 +xbjt3.com, 1 +xbjt33.com, 1 +xbjt66.com, 1 +xbjt666.com, 1 +xbjt77.com, 1 +xblau.com, 1 +xbortov.com, 1 +xbox, 1 +xbox-mag.net, 1 +xboxachievements.com, 1 +xboxdynasty.de, 1 +xboxplay.games, 1 +xbrl.online, 1 +xbrlsuccess.appspot.com, 1 +xbros.cz, 1 +xbt.co, 1 +xbtce.com, 1 +xbtmusic.org, 0 +xbvip.net, 1 +xbvip99.com, 1 +xbyl.xn--fiqs8s, 1 +xbyl15.com, 1 +xbyl16.com, 1 +xbyl17.com, 1 +xbyl18.com, 1 +xbyl21.com, 1 +xbyl23.com, 1 +xbyl26.com, 1 +xbyl28.com, 1 +xbyl39.com, 1 +xbyl60.com, 1 +xbyl62.com, 1 +xbyl63.com, 1 +xbyl67.com, 1 +xbyl68.com, 1 +xbyl69.com, 1 +xbyl71.com, 1 +xbyl73.com, 1 +xbyl78.com, 1 +xbyl82.com, 1 +xbyl85.com, 1 +xbyl86.com, 1 +xbyl89.com, 1 +xbyl91.com, 1 +xc01.co, 1 +xc02.co, 0 +xc03.co, 1 +xc06.co, 1 +xc07.co, 1 +xc08.co, 1 +xc09.co, 1 +xc12.co, 1 +xc15.co, 1 +xc9988.cc, 1 +xccc.net, 1 +xce.pl, 1 +xceedgaming.com, 1 +xchangeinfo.com, 1 +xcharge.uk, 1 +xchimera.com, 1 +xchuan.cn, 1 +xcler8.com, 1 +xclirion-support.de, 1 +xcloudways.com, 1 +xcmfu.com, 0 +xcompany.one, 1 +xcontainer.ir, 1 +xcraftsumulator.ru, 1 +xcspy.org, 1 +xcupidon.com, 1 +xcw8886.net, 0 +xcw8888.net, 0 +xcw8889.net, 0 +xcxmiku.com, 0 +xd.cm, 1 +xd.gd.cn, 1 +xd.gov, 1 +xdawn.cn, 1 +xdb.be, 0 +xdos.io, 1 +xdtag.com, 1 +xdty.org, 1 +xduce.com, 1 +xecure.zone, 1 +xedap24h.com, 1 +xeditpro.com, 1 +xeerpa.com, 1 +xeforce.com, 1 +xehopdongmuine.vn, 1 +xehost.com, 1 +xeiropraktiki.gr, 1 +xelesante.jp, 1 +xencrystal.me, 1 +xenfo.ro, 1 +xenical-online.ga, 1 +xenical-online.tk, 1 +xenical.tk, 1 +xenicalonline.gq, 1 +xenicalorlistat.tk, 1 +xenicalpills.tk, 1 +xenocide.tk, 1 +xenomedia.nl, 1 +xenomorph.tk, 1 +xenon.cloud, 1 +xenoncloud.net, 1 +xenophile.name, 1 +xenophobia.ga, 1 +xenoscopic.com, 1 +xenosphere.tk, 1 +xenotropegames.com, 1 +xenoworld.de, 1 +xenox-rp.ru, 1 +xenrox.net, 1 +xentho.net, 1 +xentox.com, 1 +xenwo.com, 1 +xenwo.io, 1 +xeonlab.de, 1 +xeoxaz.com, 1 +xerbisworks.com, 1 +xerdeso.tk, 1 +xerezdeportivo.tk, 1 +xerkus.pro, 1 +xerownia.eu, 1 +xertainty.com, 1 +xertainty.de, 1 +xeryus.nl, 1 +xess.co.uk, 1 +xetown.com, 1 +xevnet.com, 1 +xevolkswagen.com, 1 +xfantasy.su, 1 +xfcy.me, 1 +xfd3.de, 1 +xfinityapparel.com, 1 +xfirma.pl, 1 +xfix.pw, 1 +xfixup.com, 1 +xford.tech, 1 +xforpeople.com, 1 +xfrag-networks.com, 1 +xftp.ml, 1 +xfzhao.com, 1 +xgadget.de, 1 +xgame.com.tr, 1 +xgameshst.com, 1 +xgclan.com, 1 +xgeni.us, 1 +xgn.es, 1 +xgp.pl, 1 +xgpu.deals, 1 +xgreatben.blog, 1 +xgys.net, 0 +xgzepto.cn, 1 +xh.ax, 1 +xh7eee.com, 1 +xhamiadituria.com, 1 +xhamster.com, 1 +xhanster.gq, 1 +xhcmnews.com, 1 +xhibitran.tk, 1 +xhily.com, 0 +xhmikosr.io, 1 +xho.me, 1 +xhtml.club, 1 +xi.ht, 1 +xia.com, 1 +xia.de, 1 +xia100.xyz, 1 +xiahdeh.com, 1 +xiai.cf, 1 +xiai.ga, 1 +xiai.ml, 1 +xiamenshipbuilding.com, 1 +xiamuzi.com, 1 +xiangblog.com, 1 +xianguocy.com, 1 +xiangweiqing.co.uk, 1 +xianjianruishiyouyiyuan.com, 1 +xiannvgong.net, 1 +xianyu.uk, 1 +xiao-sheng.gq, 1 +xiaobai.pro, 0 +xiaobude.cn, 1 +xiaocg.xyz, 1 +xiaodingyi.cn, 1 +xiaohhh.com, 1 +xiaohui.love, 1 +xiaojiyoupin.com, 1 +xiaolanglang.net, 1 +xiaomao.tk, 1 +xiaomibarato.com, 1 +xiaomionline24.pl, 1 +xiaoneijun.cn, 1 +xiaoneimao.cn, 0 +xiaoniaoyou.com, 0 +xiaoqiang.blog, 1 +xiaowangshen.com, 1 +xiaowutou.com, 1 +xiaoxia.li, 1 +xiaoyu.net, 1 +xiaoyy.org, 1 +xiaozonglin.cn, 1 +xiarain.com, 1 +xiaxuejin.cn, 1 +xiazhanjian.com, 0 +xice.cf, 1 +xice.wang, 1 +xicreative.net, 1 +xiecongan.org, 1 +xiedeacc.com, 1 +xier.ch, 1 +xiexiexi.com, 1 +xif.at, 1 +xifrem.com, 1 +xiix.cf, 1 +xile.ml, 1 +xilef.org, 1 +xilegames.com, 1 +xillimite.com, 1 +xilnex.com, 1 +xilo.net, 1 +ximes.com, 1 +ximeshosted.com, 1 +ximg.co, 1 +ximware.com, 1 +xin.moe, 1 +xin365.com, 1 +xinanwork.com, 1 +xinbo010.com, 1 +xinbo016.com, 1 +xinbo018.com, 1 +xinbo019.com, 1 +xinbo020.com, 1 +xinbo026.com, 1 +xinbo028.com, 1 +xinbo030.com, 1 +xinbo038.com, 1 +xinbo050.com, 1 +xinbo056.com, 1 +xinbo059.com, 1 +xinbo060.com, 1 +xinbo066.com, 1 +xinbo068.com, 1 +xinbo069.com, 1 +xinbo070.com, 1 +xinbo076.com, 1 +xinbo078.com, 1 +xinbo079.com, 1 +xinbo080.com, 1 +xinbo086.com, 1 +xinbo088.com, 1 +xinbo089.com, 1 +xinbo090.com, 1 +xinbo096.com, 1 +xinbo098.com, 1 +xinbo099.com, 1 +xinbo120.com, 1 +xinbo129.com, 1 +xinbo130.com, 1 +xinbo138.com, 1 +xinbo150.com, 1 +xinbo156.com, 1 +xinbo158.com, 1 +xinbo160.com, 1 +xinbo170.com, 1 +xinbo178.com, 1 +xinbo179.com, 1 +xinbo180.com, 1 +xinbo186.com, 1 +xinbo190.com, 1 +xinbo196.com, 1 +xinbo198.com, 1 +xinbo200.com, 1 +xinbo218.com, 1 +xinbo238.com, 1 +xinbo256.com, 1 +xinbo258.com, 1 +xinbo260.com, 1 +xinbo266.com, 1 +xinbo268.com, 1 +xinbo269.com, 1 +xinbo270.com, 1 +xinbo276.com, 1 +xinbo278.com, 1 +xinbo279.com, 1 +xinbo280.com, 1 +xinbo286.com, 1 +xinbo290.com, 1 +xinbo296.com, 1 +xinbo298.com, 1 +xinbo306.com, 1 +xinbo308.com, 1 +xinbo316.com, 1 +xinbo318.com, 1 +xinbo326.com, 1 +xinbo338.com, 1 +xinbo350.com, 1 +xinbo356.com, 1 +xinbo359.com, 1 +xinbo369.com, 1 +xinbo376.com, 1 +xinbo378.com, 1 +xinbo379.com, 1 +xinbo38.com, 1 +xinbo380.com, 1 +xinbo386.com, 1 +xinbo389.com, 1 +xinbo390.com, 1 +xinbo396.com, 1 +xinbo398.com, 1 +xinbo400.com, 1 +xinbo401.com, 1 +xinbo406.com, 1 +xinbo407.com, 1 +xinbo466.com, 1 +xinbo468.com, 1 +xinbo478.com, 1 +xinbo480.com, 1 +xinbo496.com, 1 +xinbo498.com, 1 +xinbo506.com, 1 +xinbo508.com, 1 +xinbo516.com, 1 +xinbo526.com, 1 +xinbo528.com, 1 +xinbo536.com, 1 +xinbo538.com, 1 +xinbo556.com, 1 +xinbo566.com, 1 +xinbo570.com, 1 +xinbo576.com, 1 +xinbo578.com, 1 +xinbo580.com, 1 +xinbo586.com, 1 +xinbo590.com, 1 +xinbo600.com, 1 +xinbo608.com, 1 +xinbo609.com, 1 +xinbo610.com, 1 +xinbo676.com, 1 +xinebf.com, 0 +xing.ml, 1 +xingai.ml, 1 +xingzuozixun.com, 1 +xinlandm.com, 1 +xinmeiti168.cn, 1 +xinmeiti365.cn, 1 +xinnermedia.nl, 1 +xinpujing198.com, 0 +xinpujing200.com, 0 +xinpujing518.com, 0 +xinpujing918.com, 0 +xinshanla.com, 1 +xinxeta.es, 1 +xinxin.pl, 1 +xinyazhang.com, 1 +xinyezx.com, 1 +xinyitour.tw, 1 +xio.moe, 1 +xiphwork.de, 1 +xiqonline.com, 1 +xishiduliu.com, 1 +xisu.com, 1 +xitin.tk, 1 +xiufe.ng, 1 +xiufeng.de, 1 +xiufeng.nl, 1 +xiumu.org, 1 +xiurenwang.co, 1 +xiuxiu.cf, 1 +xiuxiu.ga, 1 +xiuxiu.gq, 1 +xiuxiu.ml, 1 +xiuxiumh01.cc, 0 +xixi.com, 1 +xiyu.com, 1 +xjd.vision, 1 +xjf6.com, 1 +xjjeeps.com, 1 +xjjzp.com, 1 +xjjzp.net, 1 +xjpvictor.info, 1 +xjtu.live, 1 +xjtu.love, 1 +xjtv.com, 1 +xjysilicone.com, 1 +xkblog.xyz, 1 +xkcd.pw, 1 +xkviz.net, 1 +xkww3n.cyou, 1 +xkwy2018.cn, 1 +xkwy2018.com, 1 +xkylee.com, 1 +xl-porn.com, 1 +xl3v3r.com, 1 +xlan.be, 1 +xlange.com, 1 +xlaw.com.br, 1 +xlbnas.cafe, 1 +xldl.ml, 1 +xlem.cn, 1 +xlink.com.pl, 1 +xlion.tw, 1 +xlmnews.today, 1 +xlnaudio.com, 1 +xloffice.se, 1 +xloud.cf, 1 +xloutdoor.se, 1 +xloveit.com, 1 +xlr8.shop, 1 +xlr8webshops.com, 1 +xlribbon.ml, 1 +xlrsecurity.com, 1 +xlstat.com, 1 +xluxes.jp, 1 +xm1s.life, 1 +xmag.pl, 1 +xmanshow.tk, 1 +xmanyz.tk, 1 +xmdhs.com, 1 +xmdhs.top, 1 +xmediabigz.tk, 1 +xmediazxy.tk, 1 +xmenrevolution.com, 1 +xmessy.com, 1 +xmisystems.com, 1 +xmiui.com, 1 +xmlseo.ru, 1 +xmnr.net, 1 +xmoj-bbs.tech, 1 +xmv.cz, 1 +xmythology.com, 1 +xmyy.com, 1 +xn------7cdabibmbihbgykn8elfdbfgbeqxmlc3a.tk, 1 +xn------7cdbfcbc0ab6akhadmzphmbibhebcc7b0ahshon.tk, 1 +xn-----6kcamlijegc9ea1aw4ivc.xn--p1ai, 1 +xn-----6kcbb0cahbiskdv1bcj5c7g.tk, 1 +xn-----6kcbjcgl1atjj7aadbkxfxfe7a9yia.xn--p1ai, 1 +xn-----7kcbhdpr0asllefq0bjk.com, 1 +xn-----7kcgqqeagtqecgbhc3aginaie1hwh.tk, 1 +xn-----7kckegeaw8apdfn0d9a0j.xn--p1ai, 1 +xn-----8kcdcb4bffibpgkpbdbcc5cedihs.tk, 1 +xn-----elcblfoyosbv5mwb.xn--p1ai, 1 +xn----4tb0c.xn--p1ai, 1 +xn----7sbabexseekfke3cifnf3b4r.tk, 1 +xn----7sbabrwauchevq0ba.xn--p1ai, 1 +xn----7sbagi4akcjwfceu2aoi5e0eh.xn--p1ai, 1 +xn----7sbarcdvrtr1be.org, 1 +xn----7sbbagp2bcfwdeee1afm.xn--p1ai, 1 +xn----7sbbak4cyaoedjf3m.xn--p1ai, 1 +xn----7sbbfsshjvgyde8g3c.xn--p1ai, 1 +xn----7sbbgbr0arxb4a4exa.com.ua, 1 +xn----7sbbhzfbdo6dnf.tk, 1 +xn----7sbbncaddj9a9b6am9p.tk, 1 +xn----7sbbq5b0a1c.com, 1 +xn----7sbc3abak3afteia.xn--p1ai, 1 +xn----7sbddc9an3aethjp.xn--p1ai, 1 +xn----7sbedlbhv2azb6a.xn--j1amh, 1 +xn----7sbfl2alf8a.xn--p1ai, 1 +xn----7sbkofbbj4akz.xn--80asehdb, 1 +xn----7sblrfhjjgq8g.xn--p1ai, 1 +xn----7sbmucgqdbgwwc5e9b.xn--p1ai, 1 +xn----7sbqlhcsgevuc0j.xn--p1ai, 1 +xn----8hcdn2ankm1bfq.com, 1 +xn----8sbadsuaby8bb4a7cwh.xn--p1ai, 1 +xn----8sbdihuaxb3abob8a.xn--p1ai, 1 +xn----8sbdjbisdat0g.xn--p1ai, 1 +xn----8sbdo7cb0b.xn--p1ai, 1 +xn----8sbggtw.xn--p1ai, 0 +xn----dtbfemantkhdczc.tk, 1 +xn----dtbfemmqjdddczc.tk, 1 +xn----dtbhcpoeofgcvoic1s.xn--p1ai, 1 +xn----etbqa2alia5i.tk, 1 +xn----htbhdmyci.xn--p1ai, 1 +xn----itbanmp3ae.xn--p1ai, 1 +xn----itbkhngkr2a.xn--p1ai, 0 +xn----jtbiihtkil8b4e.xn--p1ai, 1 +xn----mtbckubhv.xn--p1ai, 1 +xn----ncfb.ws, 1 +xn----otbabmp3ae.xn--p1ai, 1 +xn----rtbbavlecj.xn--p1ai, 1 +xn----ylba7abgd9bnh0e.xn--qxa6a, 1 +xn----ymcbah8a8de3hvarv.com, 1 +xn---35-6cdk1dnenygj.xn--p1ai, 1 +xn---71-6cdxtphfkkfrgnoc.xn--p1ai, 1 +xn--061az77a.xn--fiqs8s, 1 +xn--061az77a.xn--fiqz9s, 1 +xn--0kq33cbsi8bk6d417b.com, 1 +xn--0kq33cz5c8wmwrqqw1d.com, 1 +xn--1-9u7ey2dtz3c.com, 0 +xn--12c3bpr6bsv7c.com, 1 +xn--12carbp3gycugf9k9a.xn--o3cw4h, 1 +xn--12cfi6eb4azb7c5cbfw.com, 1 +xn--12cg9bnm5ci2ag9hbcs17a.com, 1 +xn--13-6kc0bufl.xn--p1ai, 1 +xn--15tx89ctvm.xn--6qq986b3xl, 1 +xn--1985-43d6eta0a4g2a.xn--p1ai, 1 +xn--1yst51avkr.ga, 1 +xn--1yst51avkr.xn--6qq986b3xl, 1 +xn--230ap0xpa.com, 1 +xn--24-6kc5agehpdf5a.xn--p1ai, 1 +xn--24-6kch4bfqee.xn--p1ai, 1 +xn--24-glcha1cjdmf1dye.xn--p1ai, 1 +xn--24-glcia8dc.xn--p1ai, 1 +xn--2sxs9ol7o.com, 1 +xn--36-dlcdun7abo4a.xn--p1ai, 1 +xn--3bt625flzps8a.com, 1 +xn--3btta.xn--fiqs8s, 1 +xn--3btta.xn--fiqz9s, 1 +xn--3js556addp80q.cn, 1 +xn--3lqp21gwna.cn, 1 +xn--3st814ec8r.cn, 1 +xn--3stv82k.hk, 1 +xn--3stv82k.tw, 1 +xn--41a.ml, 1 +xn--43-6kc4be0fbz.xn--p1ai, 1 +xn--45i.tk, 1 +xn--4brt03c.xn--fiqs8s, 1 +xn--4brt03c.xn--io0a7i, 1 +xn--4gq45ay49m.com, 1 +xn--4gq62f52gdss.com, 1 +xn--4kro7fswi.xn--6qq986b3xl, 1 +xn--4qs85t91oq9e.com, 1 +xn--54-6kc3btfht.xn--p1ai, 1 +xn--55q36pba3495a.com, 1 +xn--57h.ml, 0 +xn--5dbkjqb0d.com, 1 +xn--5dbkjqb0d.net, 1 +xn--6btn.xn--fiqs8s, 1 +xn--6btn.xn--fiqz9s, 1 +xn--6kru6im1lczj.com, 1 +xn--6o8h.cf, 1 +xn--6qq52xuogcjfw8pwqp.ga, 1 +xn--6qq62xsogfjfs8p1qp.ga, 1 +xn--72c1ar3gd6fvd.xn--o3cw4h, 1 +xn--73-dlclq0cfe.xn--p1ai, 1 +xn--78je2j8a.cafe, 1 +xn--7ca.co, 1 +xn--7dvy22i.com, 0 +xn--7or43h.jp, 1 +xn--7tq776cdf4a.xn--fiqs8s, 1 +xn--7tq776cdf4a.xn--fiqz9s, 1 +xn--7tq798c.ml, 1 +xn--7tqp36c113a.xn--fiqs8s, 1 +xn--7tqp36c113a.xn--fiqz9s, 1 +xn--7xa.google.com, 1 +xn--80a1a8b.tk, 1 +xn--80a5ai3dd.xn--d1at.xn--90a3ac, 1 +xn--80a6a1b.tk, 1 +xn--80a6aq.tk, 1 +xn--80aaa3bgsbbm.tk, 1 +xn--80aaa5ajbrzqd.tk, 1 +xn--80aaaane9bk7bh.tk, 1 +xn--80aaacqdkdv7b0a.tk, 1 +xn--80aaagbtu3bfbullc1c.xn--80asehdb, 1 +xn--80aaaptltzqd.tk, 1 +xn--80aacgbiy5akmx.xn--e1a4c, 1 +xn--80aacorabax9b2a3c.xn--p1ai, 1 +xn--80aae7aeoh.xn--p1ai, 1 +xn--80aahvz2a9a.xn--p1acf, 1 +xn--80aanbkcescrdedmxzcl4pmc.xn--p1acf, 1 +xn--80aapmgginxs3d.xn--p1ai, 1 +xn--80aayajj8aic.xn--p1ai, 1 +xn--80ab1bse.tk, 1 +xn--80abb4bp.tk, 1 +xn--80abmghlx4ajd.tk, 1 +xn--80ace6be.tk, 1 +xn--80achgm7d.tk, 1 +xn--80ack7b.xn--p1ai, 1 +xn--80acqgkhcn.tk, 1 +xn--80acubre5k.tk, 1 +xn--80adbvdjzhptl1be6j.com, 1 +xn--80adc7bbjgi.xn--p1ai, 1 +xn--80adjmbjd1avp5b4a.xn--p1ai, 1 +xn--80adydmce.com, 1 +xn--80ae7bafe4d.tk, 1 +xn--80aebbkaqx6at.xn--p1ai, 1 +xn--80aejhvi0at.xn--90ais, 1 +xn--80aejljbfwxn.xn--p1ai, 1 +xn--80affa6ai0a.tk, 1 +xn--80afvgfgb0aa.xn--p1ai, 1 +xn--80ah4f.xn--p1ai, 1 +xn--80ahclcaoccacrhfebi0dcn5c1jh.xn--p1ai, 1 +xn--80ahjdhy.tk, 1 +xn--80ahnefiifo0g.xn--p1ai, 1 +xn--80aihgal0apt.xn--p1ai, 1 +xn--80ajnofdk.xn--p1ai, 1 +xn--80ajuk.xn--p1ai, 1 +xn--80akjfhoqm2h2a.xn--p1ai, 1 +xn--80aknjgrv.tk, 1 +xn--80aleen8i.site, 1 +xn--80ancacgircb8q.xn--p1ai, 1 +xn--80anogxed.xn--p1ai, 1 +xn--80aocgsfei.xn--p1ai, 1 +xn--80aod6g.tk, 1 +xn--80apbaibrczvs.xn--p1ai, 1 +xn--80axad8esa.tk, 1 +xn--80azep.tk, 1 +xn--8bi.gq, 0 +xn--8n2am80a.tech, 1 +xn--90accgba6bldkcbb7a.xn--p1acf, 1 +xn--90acibo4aazm.com.ua, 1 +xn--90acjfgylpnm.xn--90ais, 1 +xn--90acrudcl3j.com, 0 +xn--90adahrqfmec.xn--p1ai, 1 +xn--90agmsorb.tk, 1 +xn--90aij9af3f.com.ua, 1 +xn--90aimoos.tk, 1 +xn--90aizn.tk, 1 +xn--90amdjbi3c0ec.xn--p1ai, 1 +xn--938h.st, 1 +xn--94q57lcvpw50b.com, 1 +xn--95q32l0t6b9cb17l.cn, 1 +xn--95qy23o.xn--fiqs8s, 1 +xn--95qy23o.xn--fiqz9s, 1 +xn--98jm6m.jp, 1 +xn--9iqy04a7fi01l.com, 1 +xn--9kq.eu.org, 1 +xn--9kqw7o.com, 1 +xn--9xa.fun, 1 +xn--afd-brhl-c6a.de, 1 +xn--afd-hrth-b6a.de, 1 +xn--afdbrhl-r2a.de, 1 +xn--afdhrth-q2a.de, 1 +xn--alcaiz-zwa.tk, 1 +xn--allgu-biker-o8a.de, 1 +xn--andre-is--yz4h8t9azf9596c4rigl8h.moe, 1 +xn--anyd-7na.at, 1 +xn--apaados-6za.es, 1 +xn--arelektrbunerisk-4bc73b.lv, 1 +xn--avocai-timioara-kmf1a.ro, 1 +xn--b-tqa.net, 0 +xn--b1aa9b.tk, 1 +xn--b1ab6abhfh.xn--p1ai, 1 +xn--b1ag9a.xn--p1ai, 1 +xn--b1agcgqrei7i.tk, 1 +xn--b1ayb.tk, 1 +xn--b3c4f.xn--o3cw4h, 1 +xn--baron-bonzenbru-elb.com, 1 +xn--bckerei-wohlgemuth-ltb.de, 1 +xn--bersetzung-8db.cc, 1 +xn--bersetzungen-beglaubigt-bpc.de, 1 +xn--berufsprfung-kinsthetik-b8b50d.ch, 1 +xn--berwachungspaket-izb.at, 1 +xn--betwinnerespaa-2nb.com, 1 +xn--bjugrd-lua.io, 1 +xn--blusastlacotalpeas-20b.online, 1 +xn--bm3bl9r.com, 1 +xn--bnq37rc0nw50b.com, 1 +xn--bognsroad-j3a.dk, 1 +xn--brneruhr-0za.ch, 1 +xn--bruno-hnel-kcb.de, 0 +xn--bwx.xn--fiqs8s, 1 +xn--bwx.xn--fiqz9s, 1 +xn--c-xga.de, 1 +xn--c1aaulbdc.tk, 1 +xn--c1adqibibm8i.com, 1 +xn--c1aehtaetb.xn--p1ai, 1 +xn--c1aid4ap8e.tk, 1 +xn--c1aolabgdj.tk, 1 +xn--c5w032d4vi.cn, 1 +xn--c5w032d4vi.xn--fiqs8s, 1 +xn--c5w032d4vi.xn--fiqz9s, 1 +xn--c5w27q.ml, 1 +xn--c5wy5c025b.cn, 1 +xn--c5wy5c025b.xn--fiqs8s, 1 +xn--c5wy5c025b.xn--fiqz9s, 1 +xn--carlshamnsvxtrike-0qb.se, 1 +xn--cck4ax91r.com, 1 +xn--cck7f515h.com, 1 +xn--cckdrt0kwb4g3cnh.com, 1 +xn--cckvb1cwa0c5br5e2d2711k.net, 1 +xn--cckwcxetd, 1 +xn--cctsgy36bnvprwpekc.com, 1 +xn--chrysopekinsiologie-hzbe.fr, 1 +xn--circul-gva.cc, 1 +xn--circul-u3a.cc, 1 +xn--cisowcy-pjb5t.pl, 1 +xn--contrasea-s6a.cl, 1 +xn--crystal-9e7ua.icu, 1 +xn--cysy13an3a5z7c.xyz, 1 +xn--d1aca2a5al.tk, 1 +xn--d1acfdr6h.com.ua, 1 +xn--d1acj9c.xn--90ais, 1 +xn--d1acmf9g.xn--p1ai, 1 +xn--d1aczdsdn4d.tk, 1 +xn--d1afcjuch.xn--p1ai, 1 +xn--d1awi.tk, 1 +xn--das-anhngerzentrum-rtb.at, 1 +xn--dck0bb4c1guc.jp, 1 +xn--dcko6fsa5b1a8gyicbc.biz, 1 +xn--dckya4a0bya6x.com, 1 +xn--dckya4a0bya6x.jp, 1 +xn--dej-3oa.lv, 1 +xn--detrkl13b9sbv53j.com, 1 +xn--diseadorwebmallorca-y3b.com, 1 +xn--dk8haaa.ws, 1 +xn--dmontaa-9za.com, 1 +xn--dragni-g1a.de, 1 +xn--dragni-g1a.eu, 1 +xn--dtursfest-72a.dk, 1 +xn--durhre-yxa.de, 1 +xn--dviz-5qa.com, 1 +xn--e--0g4aiy1b8rmfg3o.jp, 1 +xn--e--4h4axau6ld4lna0g.com, 1 +xn--e--ig4a4c3f6bvc5et632i.com, 1 +xn--e--k83a5h244w54gttk.xyz, 1 +xn--e1aa7abbg.xn--p1ai, 1 +xn--e1aaavheew.xn--p1ai, 1 +xn--e1aaavheewr.xn--p1ai, 1 +xn--e1aahuqbk6f.tk, 1 +xn--e1aajhbc0amdp4byf.xn--p1ai, 1 +xn--e1aajkmzd.xn--p1ai, 1 +xn--e1adlfhcdo7h.xn--p1ai, 1 +xn--e1afggpjhk3b1e.xn--p1ai, 1 +xn--e1agokg6a9a.tk, 1 +xn--e1aoahhqgn.xn--p1ai, 1 +xn--e1aoddhq.gq, 1 +xn--e1awbbf4g.xn--p1ai, 1 +xn--e1tvpw18d.com, 1 +xn--e1tx9l9xc.xn--6qq986b3xl, 1 +xn--ecki0cd0bu9a4nsjb.com, 1 +xn--eckok2bi6jzkpc.com, 1 +xn--eckok2bi6jzkpc.jp, 1 +xn--ee-zja.de, 1 +xn--eebao6b.com, 1 +xn--eebao6b.net, 1 +xn--eglujemy-23b.net, 1 +xn--ehq091c7jk8qq.com, 1 +xn--ehqw04eq6e.jp, 1 +xn--ehqy0ag27f64i.xyz, 1 +xn--elsignificadodesoar-c4b.com, 1 +xn--eo5aaa.eu.org, 1 +xn--erban-e9b.ro, 1 +xn--erklderbarenben-slbh.dk, 1 +xn--ertvg-pra.no, 1 +xn--et8h.cf, 0 +xn--ettbttreinternet-ynb.se, 1 +xn--ex-1b4auld4fn3u3ck2069g.com, 1 +xn--f1ai7a.tk, 1 +xn--f5q52dc2lgtg336a4xoyxh2oj.tw, 1 +xn--f9jh4f4b4993b66s.tokyo, 1 +xn--fakovcov-gza74b.eu, 1 +xn--fakovec-k6a.eu, 1 +xn--familie-pppinghaus-l3b.de, 1 +xn--feuerlscher-arten-4zb.de, 1 +xn--fhqs21ch1c4t0a.xn--czr694b, 1 +xn--fiqs8syvac75bffa172w.cn, 1 +xn--fiqs8syvak73af2cw10h.cn, 1 +xn--flskeklubben-7cb.dk, 1 +xn--flsterstollen-xob.com, 0 +xn--fp8h58f.ws, 1 +xn--fp8hm6b.ws, 1 +xn--frankierknig-djb.de, 1 +xn--frauenrztin-wedel-vqb.de, 1 +xn--frderer-n2a.de, 1 +xn--fretagsfinanser-8sb.se, 1 +xn--fs5ak3f.com, 1 +xn--g1abhqbgs.xn--p1ai, 1 +xn--gfrr-7qa.li, 1 +xn--gfrrli-yxa.ch, 1 +xn--ggle-qoaa.com, 1 +xn--gi8h6v.ml, 1 +xn--gmq92k.nagoya, 1 +xn--grnderlehrstuhl-0vb.de, 1 +xn--grnstrm-r1ae.nu, 1 +xn--gs8h.eu.org, 1 +xn--h-1ga.net, 1 +xn--h1aaahdlb4aki4h.xn--p1ai, 1 +xn--h1aaakmzd.xn--p1ai, 1 +xn--h1aagcjb0ajh5g.xn--p1ai, 1 +xn--h1aarew7ct.tk, 1 +xn--h1ahbcdb8g.xn--p1ai, 1 +xn--h1aifgllz.xn--p1ai, 1 +xn--h7t906ca.xn--fiqs8s, 1 +xn--h7t906ca.xn--fiqz9s, 1 +xn--helhetsframtrdande-xtb.se, 1 +xn--hfk-allgu-schwaben-stb.de, 1 +xn--hgbk4a00a.com, 1 +xn--hllrigl-90a.at, 0 +xn--hnse-gra.net, 1 +xn--hogarniitojesus-4qb.com, 1 +xn--hsers-kva.de, 1 +xn--ikketenkpdet-1cb.no, 1 +xn--imker-in-nrnberg-szb.de, 1 +xn--int-ru8ea.xn--6qq986b3xl, 1 +xn--internetlnen-1cb.com, 1 +xn--ionunica-29c.ro, 1 +xn--irr.xn--fiqs8s, 1 +xn--is8h6d.gq, 0 +xn--itt6x.xn--fiqs8s, 1 +xn--itt6x.xn--fiqz9s, 1 +xn--itts1a.xn--fiqs8s, 1 +xn--itts1a.xn--fiqz9s, 1 +xn--j1afcdm4f.xn--p1ai, 1 +xn--j1aoca.xn--p1ai, 1 +xn--j4h.cf, 1 +xn--j8se.com, 1 +xn--jkaappi-5waa.fi, 1 +xn--jlq480n2rg, 1 +xn--jp8hx8f.ws, 1 +xn--kckd0bd4a8tp27yee2e.com, 1 +xn--keditr-0xa.biz, 1 +xn--kinsthetik-s5a.ch, 1 +xn--kkcon-fwab.nz, 1 +xn--kl-oja.is, 1 +xn--klmek-0sa.com, 1 +xn--klschs-wxa.de, 1 +xn--ksse-5qa.fi, 1 +xn--ktha-kamrater-pfba.se, 0 +xn--l3cb0bbcf6ezc4a7e.th, 1 +xn--l8j6d.com, 1 +xn--l8jer.moe, 1 +xn--l8js6h.moe, 1 +xn--l8js6h476m.xn--q9jyb4c, 1 +xn--labanskllermark-ftb.se, 1 +xn--lfv405c.com, 1 +xn--ljyakatemia-qfb.fi, 1 +xn--lk1a.moe, 1 +xn--ll-yka.de, 1 +xn--lna-2000-9za.nu, 1 +xn--lna-4000-9za.nu, 1 +xn--locaaomoema-p9a.com.br, 1 +xn--losolivareos-jhb.com, 1 +xn--love-un4c7e0d4a.com, 1 +xn--lrepenger-g3a.no, 1 +xn--lti-3qa.lv, 1 +xn--lzs398g.xn--fiqs8s, 1 +xn--lzs398g.xn--fiqz9s, 1 +xn--m1aba.tk, 1 +xn--m6t22d1b026i1odr9k.cn, 1 +xn--m6to92j.xn--gmqw5a.xn--j6w193g, 1 +xn--m6ty4dmx2a7ki.cn, 1 +xn--m9jy50kkpx.tk, 1 +xn--manuela-stsser-psb.de, 1 +xn--marn-8ra.eu, 1 +xn--martnvillalba-zib.com, 1 +xn--martnvillalba-zib.net, 1 +xn--mbius-jua.band, 1 +xn--mein-kchenhelfer-ozb.de, 1 +xn--mensenges-o1a8c.gq, 1 +xn--mensengesss-t8a.gq, 1 +xn--mentaltraining-fr-musiker-uwc.ch, 1 +xn--mercadonavideo-2nb.com, 1 +xn--mgbbh2a9fub.xn--ngbc5azd, 0 +xn--mgbmmp7eub.com, 1 +xn--mgbpkc7fz3awhe.com, 1 +xn--mgbqq.com, 1 +xn--mgbuq0c.net, 1 +xn--mhringen-65a.de, 1 +xn--mitenlyttit-s8aad6xf.fi, 1 +xn--mitenlyttyt-s8aad6xg.fi, 1 +xn--mitensaadatit-nfb1y.fi, 1 +xn--mitensaadatyt-nfb2y.fi, 1 +xn--mlkky-jua.fr, 1 +xn--mllerhesszimmerli-22b.ch, 1 +xn--mllingen-65a.de, 1 +xn--mnck-5qa.de, 1 +xn--mnich-7ua.de, 1 +xn--mntsamling-0cb.dk, 1 +xn--morrhret-e0a.se, 1 +xn--mxaavenvi2h.live, 0 +xn--myrepubic-wub.net, 1 +xn--myrepublc-x5a.net, 1 +xn--naade-dta.com, 1 +xn--nicieri-b4a.ro, 1 +xn--nidar-tib.org, 1 +xn--nide-loa.ee, 1 +xn--nied-lchelt-q8a.de, 1 +xn--niedlchelt-u5a.de, 1 +xn--nordlicht-hrnum-jtb.de, 1 +xn--nrrdetval-v2ab.se, 1 +xn--nts.xn--fiqs8s, 1 +xn--nts.xn--fiqz9s, 1 +xn--o38h.tk, 1 +xn--o3ca2aced1cc7e5a1jc6h.com, 1 +xn--o77hka.ga, 1 +xn--obt757c.com, 1 +xn--oiqt18e8e2a.eu.org, 1 +xn--oj-uu2c9c422w3mh.com, 0 +xn--okra.xn--6qq986b3xl, 1 +xn--p2v.xn--fiqs8s, 1 +xn--p2v.xn--fiqz9s, 1 +xn--p3t555glxhnwa.com, 1 +xn--p8j9a0d9c9a.xn--q9jyb4c, 1 +xn--pascal-klsch-cjb.de, 1 +xn--patga-p4a.ga, 1 +xn--patiga-syd.ga, 1 +xn--pbt947am3ab71g.com, 1 +xn--pckl4ji.ml, 1 +xn--pckqk6xk43lunk.net, 1 +xn--pe-bka.ee, 1 +xn--petitetoile-gbb.com, 1 +xn--photovoltaik-berwachung-opc.de, 1 +xn--pn1am9c.com, 1 +xn--pq1a637b.xn--6qq986b3xl, 1 +xn--prfontaine-c7a.name, 1 +xn--q2y08clzag4u.tw, 1 +xn--q3cb3bxa0b7h.com, 1 +xn--qckss0j.tk, 1 +xn--qfun83b.ga, 1 +xn--qm1a.xn--fiqs8s, 1 +xn--qm1a.xn--fiqz9s, 1 +xn--r77hya.ga, 1 +xn--r8jzaf7977b09e.com, 1 +xn--rdiger-barney-wob.de, 1 +xn--rdiger-kuhlmann-zvb.de, 1 +xn--registriertesexualstraftter-ykc.de, 1 +xn--rhqv96geyrvng.com, 1 +xn--rih.ml, 1 +xn--rl-wka.ch, 1 +xn--roselire-60a.ch, 0 +xn--roselire-60a.com, 0 +xn--rs5a.xn--fiqs8s, 1 +xn--rs5a.xn--fiqz9s, 1 +xn--rt-cja.eu, 1 +xn--rt-cja.ie, 1 +xn--rtter-kva.eu, 1 +xn--ruanmller-u9a.com, 1 +xn--ruciski-6jb.pl, 1 +xn--s-0fa.fi, 1 +xn--s-1gaa.fi, 1 +xn--s1r71tg0o30bxm52odlvspdop4b.cn, 1 +xn--sb-lka.org, 1 +xn--schcke-yxa.de, 1 +xn--schlerzeitung-ideenlos-ulc.de, 1 +xn--schpski-c1a.de, 1 +xn--schsischer-christstollen-qbc.shop, 0 +xn--schwedischezahnrztin-pzb.de, 1 +xn--skmotoroptimering-zzb.site, 1 +xn--spenijmazania-yhc.pl, 1 +xn--spiraphnix-olb.xyz, 1 +xn--srbarhetsskanning-8qb.se, 1 +xn--srenpind-54a.dk, 1 +xn--ss-sein-fetzt-wob.de, 1 +xn--strandhaus-hinter-der-dne-1wc.de, 1 +xn--stubbfrsning-uppsala-hzb.se, 1 +xn--svezavaukuu-ulb08i.rs, 1 +xn--sz8h.ml, 1 +xn--t-oha.lv, 1 +xn--t8j4aa4nkg1h9bwcvud.com, 1 +xn--t8j4aa4nzg3a5euoxcwee.xyz, 1 +xn--t8jo9k1b.com, 1 +xn--t8qu4voqikh.com, 1 +xn--tagungssttte-usedom-owb.de, 0 +xn--tagungssttte-zinnowitz-84b.de, 0 +xn--tatilgnleri-yhb.com, 1 +xn--tftel-tom-q9a.de, 1 +xn--tgstationen-x8a.se, 1 +xn--thorme-6uaf.ca, 1 +xn--tigreray-i1a.org, 1 +xn--trdler-xxa.xyz, 1 +xn--u8jwd.ga, 1 +xn--u9j920h4sbt5ex10f.online, 1 +xn--u9j933ksxs6hu.com, 1 +xn--u9jv84l7ea468b.com, 1 +xn--u9jy16ncfao19mo8i.nagoya, 1 +xn--uba.eu.org, 1 +xn--ug8h.st, 1 +xn--uist1idrju3i.jp, 1 +xn--ukasik-2db.pl, 1 +xn--ukys-f6a.lt, 1 +xn--underux-0za.eu, 1 +xn--urgencesolidarit-qqb.com, 1 +xn--urgencesolidarit-qqb.fr, 1 +xn--uxqy9syyb.com, 1 +xn--v-wfa35g.ro, 1 +xn--v4q.ml, 1 +xn--v6q426ishax2a.xyz, 1 +xn--vck8crc010pu14e.biz, 1 +xn--vck8crcu789ajtaj92eura.xyz, 1 +xn--vihrekeino-u5a.fi, 1 +xn--vwsv89g.xn--fiqs8s, 1 +xn--vwsv89g.xn--fiqz9s, 1 +xn--vwsw0b.xn--fiqs8s, 1 +xn--vwsw0b.xn--fiqz9s, 1 +xn--vwsw0b192f.xn--fiqs8s, 1 +xn--vwsw0b192f.xn--fiqz9s, 1 +xn--vxsq49l.cn, 1 +xn--w-sgae.eu, 1 +xn--w22a.jp, 1 +xn--wby9t.xyz, 0 +xn--wcs69oyudj44b.xyz, 1 +xn--whakamtt-m7a57hba.org.nz, 1 +xn--wiateko-rjb3t.eu, 1 +xn--woistdermlleimer-rzb.de, 1 +xn--wp9ha.ws, 1 +xn--wq9h.ml, 0 +xn--xft85up3jca.ga, 1 +xn--xwqa8512b.eu.org, 1 +xn--xz1a.jp, 1 +xn--y-5ga.com, 1 +xn--y3cac7d1d.xn--o3cw4h, 1 +xn--y8j148r.xn--q9jyb4c, 0 +xn--y8j2eb5631a4qf5n0h.com, 1 +xn--y8ja6lb.xn--q9jyb4c, 1 +xn--y8jarb5hca.jp, 1 +xn--yj8h0m.ws, 1 +xn--ykqxsg6sqp4cd861a.ml, 1 +xn--ykrp42k.com, 1 +xn--yrvp1ac68c.xn--6qq986b3xl, 1 +xn--z1tq4ldt4b.com, 1 +xn--zca.dk, 1 +xn--zettlmeil-n1a.de, 1 +xn--zr9h.cf, 1 +xn--zr9h.ga, 1 +xn--zr9h.ml, 1 +xn--zr9h.tk, 1 +xn--zsr042b.fun, 1 +xnaas.info, 1 +xnativi.pl, 1 +xnet-x.net, 1 +xnetwork.ml, 1 +xniver.se, 1 +xnix.tk, 1 +xnoe.moe, 1 +xnop.yt, 1 +xnopyt.com, 1 +xnopyt.info, 1 +xnsir.com, 1 +xntrik.wtf, 1 +xnu.kr, 1 +xnxxporns.com, 1 +xo.wtf, 1 +xoan.cf, 1 +xobotun.com, 1 +xocc.cc, 1 +xoda.pw, 1 +xolotto.com, 1 +xolphin.nl, 1 +xombitgames.com, 1 +xombitmusic.com, 1 +xomyak.tk, 1 +xone.cz, 0 +xonobixa.tk, 1 +xoomenergy.com, 1 +xor.ai, 1 +xor.cat, 1 +xor.tools, 1 +xorion.pl, 1 +xorm.io, 1 +xormatic.com, 1 +xosh.fr, 1 +xotictrends.com, 1 +xotika.tv, 1 +xoutpost.com, 1 +xoxo.news, 1 +xp-ochrona.pl, 1 +xp.nsupdate.info, 1 +xpd.se, 1 +xpenology-fr.net, 1 +xperiacode.com, 1 +xperidia.com, 1 +xpertairtx.com, 1 +xpertairwaco.com, 1 +xpertcenter.ch, 0 +xpertcube.com, 1 +xpertmedia.ro, 1 +xpertsunlimited.com, 1 +xpetit.net, 1 +xpews.org, 1 +xpg.jp, 1 +xphelper.tk, 1 +xpint.com, 1 +xpj090.com, 1 +xpj100.com, 0 +xpj678678.com, 1 +xpj90.com, 1 +xpj909.cc, 0 +xpj909.com, 1 +xpj909.in, 0 +xpj909.me, 1 +xpj909.vip, 0 +xpj919.in, 0 +xpj919.me, 0 +xpj919.vip, 0 +xpjab.com, 0 +xpjcu.com, 0 +xpjdi.com, 0 +xpjei.com, 0 +xpjiosapp.com, 0 +xpjwa.com, 0 +xpjwb.com, 0 +xpletus.nl, 1 +xplo.it, 1 +xploredome.pl, 1 +xploredundee.com, 1 +xplozion.tk, 1 +xpods.sg, 1 +xportxpert.com, 1 +xpreflect.co.uk, 1 +xps-auto.com, 1 +xps3dp.com, 1 +xps40.com, 1 +xpsauto.com, 1 +xpsautomation.com, 1 +xpsfactory.com, 1 +xpsinnovation.com, 1 +xpsnow.net, 1 +xpsrobotics.com, 1 +xptrack.com, 1 +xptrackstaging.com, 1 +xpwn.cz, 0 +xq.com, 1 +xq6dtff.top, 1 +xqin.net, 1 +xqk7.com, 1 +xqwqx.com, 1 +xr5.me, 1 +xr5.tech, 1 +xrayreview.ml, 1 +xrbox.me, 1 +xrdd.de, 1 +xreverseporn.com, 1 +xrg.cz, 1 +xrippedhd.com, 1 +xrism.ro, 1 +xrockx.de, 1 +xrp.pp.ua, 1 +xrpnews.info, 1 +xrpscan.com, 1 +xrwracing-france.com, 1 +xs2a.no, 1 +xs4ever.org, 1 +xsait.tk, 1 +xsave.ru, 1 +xscancun.com, 1 +xsden.info, 1 +xsec.me, 1 +xsenya74hram.tk, 1 +xseries-forum.com, 1 +xserownia.cloud, 0 +xserownia.com.pl, 1 +xserownia.eu, 1 +xserownia.info, 0 +xserownia.net, 1 +xserownia.pl, 1 +xsitedleads.com, 1 +xsmobile.de, 1 +xsolla.com, 1 +xss.name, 1 +xss.sk, 1 +xssi.uk, 1 +xsstime.nl, 1 +xsteam.eu, 1 +xstorysnap.com, 1 +xstreamable.com, 1 +xsuper.net, 1 +xsv.cn, 1 +xsz.jp, 1 +xt.om, 1 +xt177.com, 1 +xt71uc.top, 1 +xtaboo3d.com, 1 +xtalpi.com, 1 +xtarget.ru, 1 +xtechkr.com, 1 +xtechtecnologia.tec.br, 1 +xthugboyz.com, 1 +xtianhe.com, 0 +xtips.us, 1 +xtom.africa, 1 +xtom.al, 1 +xtom.amsterdam, 1 +xtom.au, 1 +xtom.ax, 1 +xtom.be, 1 +xtom.bg, 1 +xtom.by, 1 +xtom.ch, 1 +xtom.chat, 1 +xtom.co.uk, 1 +xtom.com, 1 +xtom.com.au, 1 +xtom.com.de, 1 +xtom.com.ee, 1 +xtom.com.hk, 1 +xtom.cy, 1 +xtom.cz, 1 +xtom.de, 1 +xtom.dk, 1 +xtom.ee, 1 +xtom.es, 1 +xtom.eu, 1 +xtom.fi, 1 +xtom.fo, 1 +xtom.fr, 1 +xtom.ge, 1 +xtom.gg, 1 +xtom.gmbh, 1 +xtom.gr, 1 +xtom.hk, 1 +xtom.hr, 1 +xtom.hu, 1 +xtom.im, 1 +xtom.io, 1 +xtom.is, 1 +xtom.it, 1 +xtom.je, 1 +xtom.jp, 1 +xtom.li, 1 +xtom.limited, 1 +xtom.london, 1 +xtom.lt, 1 +xtom.ltd, 1 +xtom.lu, 1 +xtom.lv, 1 +xtom.md, 1 +xtom.me, 1 +xtom.mk, 1 +xtom.moscow, 1 +xtom.nl, 1 +xtom.no, 1 +xtom.nu, 1 +xtom.paris, 1 +xtom.pl, 1 +xtom.pt, 1 +xtom.ro, 1 +xtom.ru, 1 +xtom.si, 1 +xtom.sk, 1 +xtom.social, 1 +xtom.su, 1 +xtom.uk, 1 +xtom.us, 1 +xtom.wiki, 1 +xtom.xyz, 1 +xtorm.ro, 1 +xtournois.com, 1 +xtra.net, 1 +xtrainsights.com, 1 +xtralis.com, 1 +xtreamfire.tk, 1 +xtreme-cs.tk, 1 +xtreme-servers.eu, 1 +xtremealaskainsulation.com, 1 +xtremebouncepartyhire.com.au, 1 +xtremegaming.it, 1 +xtremejetski.ae, 1 +xtremers.tk, 1 +xtremotivation.com, 1 +xtremyblog.com, 1 +xtronics.com, 1 +xts.bike, 1 +xts3636.net, 1 +xtsna.com, 1 +xttt.net, 1 +xtu2.com, 1 +xtzone.be, 1 +xtzs6.vip, 1 +xuab.net, 1 +xuan-hao.com, 1 +xuan.com.my, 1 +xuancommagere.com, 1 +xuanmeishe.net, 0 +xuann.wang, 1 +xubo666.com, 1 +xuc.me, 1 +xucha.ml, 1 +xueaiai.cf, 1 +xueaiai.com, 1 +xueaiai.ml, 1 +xueanquan.com, 1 +xuecheng.com, 1 +xuedianshang.com, 1 +xuehuang666.cn, 1 +xuesoska.ga, 1 +xuewen.ink, 1 +xuewen.me, 1 +xuexi.icu, 0 +xuez.cc, 1 +xuming.studio, 1 +xumm.me, 1 +xunmengdu.com, 1 +xuntaosms.com, 1 +xuntier.ch, 1 +xurl.gq, 1 +xurl.ltd, 1 +xushuai.org, 1 +xusqui.com, 1 +xuwei.de, 1 +xuyh0120.win, 1 +xvadimx.me, 1 +xvaldezendocrino.com, 1 +xvidyo.ga, 1 +xviimusic.com, 1 +xvix.eu, 1 +xvmmod.com, 1 +xvpn.io, 1 +xvt-blog.tk, 1 +xwalck.se, 1 +xwaretech.info, 1 +xwf.fyi, 1 +xwfwrestling.tk, 1 +xwm.ru, 1 +xwndtq.xyz, 1 +xwnu.com, 1 +xworder.tk, 1 +xwp.co, 1 +xx.gl, 1 +xx0r.eu, 1 +xx6729.co, 1 +xx6729.com, 0 +xx6957.co, 1 +xx9297.co, 1 +xx9728.co, 1 +xxdtl.com, 1 +xxffo.com, 1 +xxhd.in, 1 +xxl-bonus.tk, 1 +xxl.dk, 1 +xxl.fi, 1 +xxl.se, 1 +xxl.tax, 1 +xxlpen.eu, 1 +xxlsports.at, 1 +xxvv.loan, 1 +xxx-fiction.com, 1 +xxx-gays.com, 1 +xxxarabgirls.com, 1 +xxxbunker.com, 1 +xxxfreepornclip.com, 1 +xxxgr.net, 1 +xxxite.me, 1 +xxxmoviesdot.com, 1 +xxxomas.com, 1 +xxxoopz.com, 1 +xxxporn-videos.com, 1 +xxxpornohub.net, 1 +xxxshades.com, 1 +xxxshemaleporn.com, 1 +xxxsuper.net, 1 +xxxteen.net, 1 +xxxtophd.com, 1 +xxxtrance.com, 1 +xxxvideos-base.com, 1 +xxxvideos-tube.com, 1 +xxxvids.mobi, 1 +xxxvids.tv, 1 +xxxvv3.com, 1 +xxxvv8.com, 1 +xxxvv9.com, 1 +xxxxlol.com, 1 +xxyy.asia, 1 +xy.ax, 1 +xy366.cc, 1 +xy369.cc, 1 +xy6161.com, 1 +xy6262.com, 1 +xy6729.com, 1 +xy6957.com, 1 +xy7171.com, 1 +xy7272.com, 1 +xy7373.com, 1 +xy96.top, 1 +xyactive.com.au, 1 +xycommunication.com, 1 +xyenon.bid, 1 +xyfun.net, 0 +xyl.cool, 1 +xyloefarmoges.gr, 0 +xyloelia.com, 1 +xylos.nl, 1 +xynta.ch, 1 +xynta.com, 1 +xyquadrat.ch, 1 +xyrexwolf-sebastien-izambard.tk, 1 +xywing.com, 0 +xyz.vn, 1 +xyz2007.com, 1 +xyz234.com, 1 +xyz323.com, 1 +xyz345.com, 1 +xyz543.com, 1 +xyz55.com, 1 +xyz566.com, 1 +xyz566.net, 1 +xyz567.com, 1 +xyz65.com, 1 +xyz66.ai, 1 +xyz66.net, 1 +xyz678.com, 1 +xyz77.com, 1 +xyz788.com, 1 +xyz88.ai, 1 +xyz88.biz, 1 +xyz88.fun, 1 +xyz88.info, 1 +xyz88.life, 1 +xyz88s.com, 1 +xyzcd.ai, 1 +xyzemails.com, 0 +xyzmedia.net, 1 +xyzmedia.rs, 1 +xyzulu.hosting, 1 +xyzxyx.com, 1 +xyzyz.xyz, 1 +xyzzy.earth, 1 +xyzzyyyz.com, 1 +xz0.de, 1 +xzclip.cn, 1 +xzib.com, 1 +xzibits.com, 1 +xzqy.net, 1 +xztech.co, 1 +y-erodoga.com, 1 +y-erogazo.com, 1 +y-nas.tk, 1 +y.com.cm, 1 +y.com.sb, 1 +y09a.com, 0 +y09app.com, 0 +y09app.vip, 0 +y09j.com, 0 +y11n.net, 0 +y2bet.com, 1 +y2dcycleroute.ie, 1 +y2k23.com, 1 +y2s.pw, 1 +y31.jp, 1 +y3451.com, 1 +y3600.cc, 1 +y3600.cz, 1 +y3650.com, 1 +y36500.com, 1 +y3651.com, 0 +y36511.com, 1 +y365188.com, 1 +y3653.com, 1 +y36533.com, 1 +y3654.com, 0 +y3656.com, 1 +y36577.com, 0 +y3bet.com, 1 +y5197.co, 1 +y5bet.com, 1 +y6180.com, 1 +y6729.co, 1 +y6729.com, 1 +y68cc.com, 0 +y68ee.com, 0 +y68ff.com, 0 +y68gg.com, 0 +y68gl.com, 1 +y68hh.com, 0 +y68ii.com, 0 +y68jj.com, 0 +y68jn.com, 1 +y68ll.com, 0 +y68oo.com, 1 +y68pp.com, 0 +y68qq.com, 0 +y68rr.com, 0 +y68sc.com, 1 +y68sz.com, 1 +y68tt.com, 0 +y68uu.com, 0 +y68yy.com, 0 +y68zz.com, 0 +y6957.co, 1 +y6bet.com, 1 +y70102.com, 1 +y70301.com, 1 +y70302.com, 1 +y70303.com, 1 +y7091.com, 1 +y7092.com, 1 +y7093.com, 1 +y890000.com, 0 +y891111.com, 0 +y892222.com, 0 +y893333.com, 0 +y894444.com, 0 +y895555.com, 0 +y896666.com, 0 +y897777.com, 0 +y898888.com, 0 +y89a.com, 0 +y89a.net, 1 +y89aaa.com, 0 +y89b.com, 0 +y89b.net, 1 +y89bbb.com, 0 +y89c.com, 1 +y89c.net, 1 +y89ccc.com, 0 +y89d.com, 1 +y89d.net, 1 +y89dd.com, 1 +y89ddd.com, 1 +y89e.com, 1 +y89e.net, 1 +y89ee.com, 1 +y89eee.com, 1 +y89f.com, 1 +y89f.net, 1 +y89fff.com, 0 +y89g.com, 1 +y89g.net, 1 +y89gg.com, 1 +y89h.net, 1 +y89hh.com, 1 +y89hhh.com, 0 +y89i.com, 0 +y89i.net, 1 +y89ii.com, 1 +y89iii.com, 1 +y89j.com, 1 +y89j.net, 1 +y89jj.com, 1 +y89jjj.com, 0 +y89k.com, 0 +y89kk.com, 1 +y89l.com, 0 +y89ll.com, 1 +y89m.com, 1 +y89n.com, 1 +y89o.com, 1 +y89q.com, 0 +y89r.com, 0 +y89s.com, 0 +y89t.com, 0 +y89u.com, 0 +y89v.com, 1 +y89ww.com, 0 +y89zz.com, 0 +y9297.co, 1 +y9728.co, 1 +y99.in, 1 +ya-hudeu.tk, 1 +ya-hudeyu.gq, 1 +ya-hudeyu.ml, 1 +ya-hudeyu.tk, 1 +ya-madina.tk, 1 +ya-radio.tk, 1 +ya-stroynaya.tk, 1 +ya-zdorova.tk, 1 +ya.mk, 1 +yaateens.org, 1 +yaay.com.br, 1 +yaay.today, 1 +yaazhtech.com, 1 +yaballe.com, 1 +yabbr.com.au, 1 +yabbr.io, 1 +yabo68.com, 0 +yabuisha.jp, 1 +yacca.co.uk, 1 +yacg.asia, 1 +yachatshomesforsale.com, 1 +yachigoya.com, 1 +yachta.kiev.ua, 1 +yachtbuyer.com, 1 +yachtcharterfleet.com, 1 +yachtcita.com, 0 +yachtcrafter.com, 1 +yachtfolio1.com, 1 +yachting-home.com, 1 +yachtlettering.com, 1 +yachtmarket.com.ua, 1 +yachtwaypoints.com, 1 +yacine-app.tv, 1 +yacostasolutions.com, 1 +yadaeditrice.com, 1 +yadnameh.ga, 1 +yaebus.tk, 1 +yaencontre.com, 1 +yafull.com, 1 +yafuoku.ru, 1 +yaghoobi.tk, 1 +yagihiro.tech, 1 +yagizhan.me, 1 +yagliyurt.com, 1 +yagmursoft.tk, 1 +yagoda-malina.tk, 1 +yagodigribi.guru, 1 +yagotour.cf, 1 +yaharu.ru, 1 +yahav.co.il, 1 +yahlab.de, 1 +yahoo.ax, 1 +yahtzeemanifesto.com, 1 +yahvehyireh.com, 1 +yahvk.moe, 1 +yaiho.com, 1 +yaiho.de, 1 +yak-host.tk, 1 +yakbett.de, 1 +yakiimo-sakura.com, 1 +yakimono.ga, 1 +yakimoshi.tk, 1 +yakisakana.tk, 1 +yakkifamirie.tk, 1 +yakmail.tech, 1 +yakovmanshin.com, 1 +yakshop.bg, 1 +yakubovich-les.ru, 1 +yakupyilmazboru.com, 1 +yakutia.tk, 1 +yakutianews.tk, 1 +yakutsk-city.tk, 1 +yakutsk.ml, 1 +yalb.tech, 1 +yalcinkaya.ninja, 0 +yalecleaners.com, 1 +yalla-kora.tv, 1 +yalla-shoots.tv, 1 +yalla-shootx.com, 1 +yallamotor.com, 1 +yalook.com, 1 +yaltaarenda.tk, 1 +yamabara.tk, 1 +yamabi.co, 1 +yamacore.de, 1 +yamadaya.tv, 1 +yamagata-fujinka.jp, 1 +yamagata-healing.com, 1 +yamaken.jp, 1 +yamal-online.ml, 1 +yamal159263.ml, 1 +yamanami.tokyo, 1 +yamanobe-taro.jp, 1 +yamatonetwork.com, 1 +yamazaki-automotive.co.jp, 1 +yame2.com, 1 +yamei1.com, 1 +yamei6688.com, 1 +yamei6699.com, 1 +yamei8.com, 1 +yamei8866.com, 1 +yamei98.com, 1 +yamei99.com, 1 +yamei9955.com, 1 +yamhillcounty.gov, 1 +yamm.io, 1 +yamobila.tk, 1 +yamunaexpresswayplot.com, 1 +yan.gg, 1 +yan.lt, 1 +yan.net.cn, 1 +yan3321.com, 1 +yanaduday.com, 1 +yananikitina.site, 1 +yanaya-k.jp, 1 +yanbohon.com, 1 +yandere.moe, 1 +yandong.tk, 1 +yang1963.com.tw, 1 +yangcs.net, 0 +yangfamily.tw, 1 +yangjingwen.cn, 1 +yangjingwen.com, 1 +yangmao.info, 1 +yangmaodang.org, 0 +yangmi.blog, 1 +yangrq.org, 1 +yangruixin.com, 1 +yangshangzhen.com, 0 +yangwang.tk, 1 +yangxi.tech, 1 +yangyi.ml, 1 +yangzi.ml, 1 +yanhongming.net, 1 +yanik.info, 1 +yanisvaroufakis.eu, 1 +yanivboost.com, 1 +yanjicg.com, 0 +yann.tw, 1 +yannic.world, 0 +yannickkordel.de, 1 +yannickkordel.eu, 1 +yannickvdvelde.tk, 1 +yanniclandsmann.de, 1 +yannikbloscheck.com, 1 +yannsalmon.fr, 1 +yannyann.com, 1 +yanovosibirsk.ml, 1 +yanservices.be, 1 +yansurachman.web.id, 1 +yantarniy.tk, 1 +yantox.com, 1 +yaodownload.com, 1 +yaoge123.com, 1 +yaoostore.com, 1 +yaoyorozu.eu, 1 +yaoyorozu.re, 1 +yap26.cc, 1 +yapan008.com, 1 +yapan222.com, 1 +yapan3.com, 1 +yapan33.com, 1 +yapan333.com, 1 +yapan365.net, 1 +yapan4.com, 1 +yapan44.com, 1 +yapan444.com, 1 +yapan55.com, 1 +yapan555.com, 1 +yapan6.com, 1 +yapan66.com, 1 +yapan666.com, 1 +yapan7.com, 1 +yapan77.com, 1 +yapan777.com, 1 +yapan8.com, 1 +yapan888.com, 1 +yapan9.com, 1 +yapan99.com, 1 +yapan999.com, 1 +yapanwang.com, 1 +yapaytech.com, 1 +yapdentalsurgery.com, 1 +yapmaz.com, 1 +yapper.fr, 1 +yappy.com, 1 +yappy.media, 1 +yarcom.ru, 0 +yardandgardenguru.com, 1 +yardesign.tk, 1 +yardhelp.ga, 1 +yardthyme.com, 1 +yardtower.com, 1 +yaren-it.de, 1 +yaren.it, 1 +yarlesac.com, 1 +yarmarka-megamarket.ru, 1 +yarnandy.com, 1 +yarnsub.com, 1 +yarogneva.ru, 1 +yarokuk.com, 1 +yaroslavia.eu.org, 1 +yaroslavova.tk, 1 +yarowork.jp, 1 +yarplast.tk, 1 +yarr.pt, 1 +yarracitta.tk, 1 +yarravilletownhouses.com.au, 1 +yaru.one, 1 +yarygin.tk, 1 +yasam.co.uk, 1 +yaseen.ae, 1 +yaseiblog.org, 1 +yash.com, 1 +yashinstore.com, 1 +yasic.net, 1 +yasikish.com, 1 +yaslihastabakici.com, 1 +yasmeencreative.com, 1 +yasmin-apartments.cz, 1 +yasmin.ml, 1 +yasmingarcia.tk, 1 +yasraiting.tk, 1 +yasrating.tk, 1 +yassinekbichi.co.uk, 1 +yassinesmael.tk, 1 +yasudaseiki.cn, 1 +yasukevicious.com, 1 +yatai18.com, 1 +yatax.fr, 1 +yateam.cc, 1 +yates.com.au, 1 +yatescountyny.gov, 1 +yatescountysheriff.gov, 1 +yatorie.net, 1 +yatriindia.tk, 1 +yatsat.com, 1 +yatserver.com, 1 +yatstudios.com, 1 +yatsuenpoon.com, 1 +yatum.com.br, 1 +yauatcha.com, 1 +yaucy.win, 1 +yaup.tk, 1 +yaustal.com, 1 +yavapaiaz.gov, 1 +yavapaivotes.gov, 1 +yavar.nl, 1 +yavin4.cf, 1 +yavip8088.com, 1 +yavorivanov.com, 1 +yavuzatasoy.tk, 1 +yawen.me, 1 +yawnbox.com, 1 +yaws.cf, 1 +yaxim.org, 1 +yay-btcl.work, 1 +yay.space, 1 +yayart.club, 1 +yayginegitim.net, 1 +yayl888.com, 1 +yaymaker.com, 1 +yayou.ag, 1 +yazichestvo.tk, 1 +yazik.ga, 1 +yazilim.tk, 1 +yazzys.com, 1 +yb21.cc, 0 +yba-lier.tk, 1 +ybexalev.ga, 1 +ybos.nl, 1 +ybr.ch, 1 +ybr.com, 1 +ybresson.com, 1 +ybrfrance.fr, 1 +ybscareers.co.uk, 1 +ybti.net, 1 +ybvip789.com, 0 +ybzhao.com, 1 +yc1820.com, 1 +ycalculators.com, 1 +ycb.fr, 1 +ycbmdevelopment.com, 1 +ycbmstaging.com, 1 +ycfld.gov, 1 +ych.art, 1 +ycherbonnel.fr, 1 +ycl.org.uk, 1 +yclan.net, 1 +ycnrg.org, 1 +ycodendauteradio.net, 1 +yd.io, 1 +yd163.cc, 1 +yd169.cc, 1 +ydetc.es, 1 +ydt.am, 1 +ydyy99.com, 1 +ydyydy.ml, 1 +yeadonboroughpa.gov, 1 +yearinviewcalendars.com, 1 +yearli.com, 1 +yeartracker.ga, 1 +yebkw.com, 1 +yebshotel.de, 1 +yecdn.com, 1 +yecl.net, 1 +yedeksubay.tk, 1 +yediothamahar.co.il, 1 +yeechie.nl, 0 +yeecord.com, 1 +yeecord.tk, 1 +yeesker.com, 1 +yekaterinburg-city.tk, 1 +yellcosheriffar.gov, 1 +yellcountyar.gov, 1 +yello.co, 1 +yellow.ai, 1 +yellow.place, 1 +yellowbrick.co, 1 +yellowcar.website, 1 +yellowfinlogistics.com, 1 +yellowfolder.com, 1 +yellowhawk.nl, 1 +yellowmessenger.com, 1 +yellowpages.ee, 1 +yellowsource.org, 1 +yellowsquid.uk, 0 +yellowstone.nsupdate.info, 1 +yellowstonecountymt.gov, 1 +yellowstrips.com, 1 +yellowsubmarinebook.com, 1 +yellowtaillasvegas.com, 1 +yellowtails.co.jp, 1 +yellowtrace.net.au, 1 +yellsystem.co.jp, 1 +yelp.at, 1 +yelp.be, 1 +yelp.ca, 1 +yelp.ch, 1 +yelp.cl, 1 +yelp.co.jp, 1 +yelp.co.nz, 1 +yelp.co.uk, 1 +yelp.com, 1 +yelp.com.ar, 1 +yelp.com.au, 1 +yelp.com.br, 1 +yelp.com.hk, 1 +yelp.com.mx, 1 +yelp.com.ph, 1 +yelp.com.sg, 1 +yelp.com.tr, 1 +yelp.com.tw, 1 +yelp.cz, 1 +yelp.de, 1 +yelp.dk, 1 +yelp.es, 1 +yelp.fi, 1 +yelp.fr, 1 +yelp.ie, 1 +yelp.it, 1 +yelp.my, 1 +yelp.nl, 1 +yelp.no, 1 +yelp.pl, 1 +yelp.pt, 1 +yelp.se, 1 +yeltsin.tech, 1 +yeltzland.net, 1 +yemalu.com, 1 +yemekbaz.az, 1 +yemekfirmalari.tk, 1 +yemekfirmasi.tk, 1 +yemeksirketleri.tk, 1 +yemektarifinet.com, 1 +yemenat.tk, 1 +yemenlink.tk, 1 +yenbainet.tk, 1 +yengec.co, 1 +yenidunya.org, 1 +yeniehliyetsinavi.com, 1 +yennhi.co, 1 +yenpape.com, 1 +yep-pro.ch, 0 +yepbitcoin.com, 1 +yepu.cc, 1 +yepu.ga, 1 +yerbasbuenas.tk, 1 +yerf.eu, 1 +yeri.com, 1 +yes-money.cf, 1 +yes-money.ga, 1 +yes-money.gq, 1 +yesapp.tk, 1 +yesasia.com, 1 +yescareer.ga, 1 +yescool.cn, 0 +yesfone.com.br, 1 +yesglasses.com, 1 +yesh.lk, 1 +yesiammaisey.me, 1 +yesichat.com, 1 +yesileczam.com, 1 +yesileczam.net, 1 +yesilliforum.tk, 1 +yesilpanda.com, 1 +yesjobs.ga, 1 +yesleaks.com, 1 +yesmirov.ga, 1 +yesmsp.com, 1 +yesmzt.com, 1 +yesod.in, 1 +yesogovinpetcare.com, 1 +yesolo.tk, 1 +yespornfree.com, 1 +yespornplease.com, 1 +yessirgear.com, 0 +yeste.tk, 1 +yestees.com, 1 +yesterford.com, 1 +yesteryear-chronicle.cf, 1 +yeswecan.co.bw, 1 +yeti.ca, 1 +yeti.com, 1 +yeti.gq, 1 +yetishirt.com, 0 +yetivisite.ch, 1 +yetkiliservisrehberi.com, 1 +yeu.io, 1 +yewan.cf, 1 +yewan.ml, 1 +yewtu.be, 1 +yex.nz, 1 +yex.trade, 1 +yezhan.ml, 1 +yezhong.cf, 1 +yezhong.ml, 1 +yezi.ga, 1 +yezishurb.site, 1 +yf128.cc, 1 +yfeer.com, 0 +yfh.me, 1 +yggdar.ga, 1 +yggdrasildice.com, 1 +ygm.org.uk, 1 +ygobbs.com, 1 +yh12366.com, 1 +yh56787.com, 1 +yh599.cc, 1 +yh64678.com, 1 +yh66689.com, 1 +yh811.com, 1 +yh88890.com, 1 +yh98768.com, 1 +yhaupenthal.org, 1 +yhclinic.com.tw, 1 +yhe.me, 1 +yhenke.de, 0 +yhhvi.cf, 1 +yhn.sh, 1 +yhndnzj.com, 1 +yhong.me, 1 +yhori.xyz, 1 +yhrd.org, 1 +yhsh.xyz, 1 +yhwj.top, 0 +yiai.cf, 1 +yiai.ga, 1 +yiai.gq, 1 +yiai.ml, 1 +yiai.tk, 1 +yibaoweilong.top, 1 +yibei-original.com, 1 +yibin0831.com, 0 +yicc.net, 1 +yichen.me, 1 +yicivideo.com, 1 +yicknam.my, 1 +yifananime.com, 1 +yifanbian.me, 1 +yifansun.net, 1 +yiff.forsale, 1 +yiff.media, 1 +yiff.rest, 1 +yiff.rocks, 1 +yiff.supply, 1 +yigelangzi.com, 1 +yigit.shop, 1 +yiguan.me, 1 +yigujin.cn, 1 +yiheng.moe, 0 +yihome.com.tw, 1 +yihouse.tw, 1 +yijia.support, 1 +yijingying.com, 0 +yikeyong.com, 1 +yilanju.com, 1 +yilconstruction.ca, 1 +yildizkariyerim.com, 1 +yildiznamebaktir.com, 1 +yilmaznargile.com, 1 +yiluup.com, 0 +yimgo.fr, 0 +yinduyy.com, 0 +yinfor.com, 1 +ying.gift, 1 +ying299.com, 1 +ying299.net, 1 +yingatech.com, 1 +yinglinda.love, 1 +yingmei.jp, 1 +yingshu.hopto.org, 1 +yingyj.com, 1 +yingzi.ml, 1 +yinlei.org, 1 +yinmingyang.cn, 1 +yinwa.cf, 1 +yinwa.ml, 1 +yinyang.jp, 1 +yippie.nl, 0 +yisrime.xyz, 1 +yiyuanzhong.com, 1 +yiz96.com, 1 +yizhihuang.org, 1 +yj4p.com, 1 +yjav.tv, 1 +yjdevtech.com, 1 +yjsp.tv, 1 +yjst.cn, 1 +yjsw.sh.cn, 1 +yjz.hk, 1 +ykb.click, 1 +ykgli.cn, 1 +ykj.ca, 1 +ykqpw.com, 1 +yksolutions.ma, 1 +yl-invest.co.il, 1 +ylanan.tk, 1 +ylde.de, 1 +yliarb.ru, 1 +ylilauta.org, 1 +ylivemusic.com, 1 +yloti.com, 1 +ylromania.ro, 1 +ylwd.gov, 1 +ym069.com, 1 +ym181.am, 1 +ym966.com, 1 +ymaca.tk, 1 +ymarion.de, 1 +ymatyt.com, 1 +ymc.moe, 1 +ymca.ga, 1 +ymcapkc.org, 1 +ymdecor.com, 1 +ymg-allergy.jp, 1 +ymlsport.pe, 1 +ymm18.com, 1 +ymoah.nl, 1 +ymos.com.tw, 1 +ymoz.com, 1 +ymtsonline.org, 1 +ymy.moe, 1 +ymy.zone, 1 +yn.org.nz, 1 +ynamly.site, 1 +ynode.com, 1 +yo-digital.ga, 1 +yoa.st, 1 +yoannlatzer.com, 1 +yoast.com, 1 +yoba.co.uk, 1 +yoba.systems, 1 +yobai-grouprec.jp, 1 +yobasystems.co.uk, 1 +yobda.tk, 1 +yobeverages.com, 1 +yobify.com, 1 +yobniyulyu.tk, 1 +yobst.tk, 1 +yochadehe.gov, 1 +yochen.de, 1 +yocoboard.com, 1 +yodababy.com.tw, 1 +yodalef3.tk, 1 +yodaremote.tk, 1 +yodelmobile.com, 1 +yodocon.com, 1 +yoga-alliance-teacher-training.com, 1 +yoga-bien-etre.com, 1 +yoga-erde.de, 1 +yoga-good.fr, 1 +yoga-in-aying.de, 1 +yoga-m.fr, 0 +yoga-masterskaya.ru, 1 +yoga-mindfulness-ibiza.com, 1 +yoga-prive.de, 1 +yoga-school.xyz, 1 +yoga-vakantie-ibiza.nl, 1 +yoga-zentrum-narayani.de, 1 +yoga.is-an-engineer.com, 1 +yogaangels.ga, 1 +yogaanswered.com, 1 +yogaecology.org, 1 +yogaemmental.ch, 1 +yogagadgets.ga, 1 +yogahealsinc.org, 1 +yogahome.com, 1 +yogaillustrations.ga, 1 +yogaillustrations.tk, 1 +yogamarlene.ch, 1 +yogamea.school, 1 +yogananda-roma.org, 1 +yogaovelser.dk, 1 +yogaportalen.dk, 1 +yogaprague.com, 1 +yogaschoolrishikesh.com, 1 +yogasolution.tk, 1 +yogatherapykosha.com, 1 +yogaworld.tk, 1 +yogibear.tk, 1 +yogmoney.com, 1 +yogonet.com, 1 +yogstation.net, 1 +yogularm.de, 1 +yogunet.de, 1 +yohanesedwin.com, 1 +yohanesmario.com, 1 +yohannes.tk, 1 +yoim.cc, 1 +yoitsu.moe, 1 +yoitsu.org, 1 +yokaiispirit.ddns.net, 1 +yokocho373.com, 1 +yokoda.okinawa, 1 +yokohama-idolmaster.jp, 1 +yokohama.ga, 1 +yokohamawakaba-ganka.com, 1 +yokone3-kutikomi.com, 1 +yokorei.yokohama, 1 +yokotafss.marketing, 1 +yokotower.com, 1 +yolandaschocolatiers.com, 1 +yolandgao.me, 1 +yolks.in, 1 +yolo-csgo.com, 1 +yolo.vn, 1 +yoloboatrentals.com, 1 +yolocast.wtf, 1 +yolocounty.gov, 1 +yolocountyca.gov, 1 +yolops.net, 1 +yolosh.se, 1 +yoloyolo.top, 0 +yomena.in, 1 +yomeuno.com, 1 +yomiren.co.jp, 1 +yomiurigolf.co.jp, 1 +yomyyomy.co.jp, 1 +yon.co.il, 0 +yonalink.com, 1 +yoneda-paint.com, 1 +yonema.com, 1 +yongbin.org, 1 +yongkang-clinic.com.tw, 1 +yongseovn.net, 1 +yonistap.com, 1 +yonja.com, 1 +yonkersdentalspa.com, 1 +yoodigital.co, 1 +yoogirls.com, 1 +yoomza.com, 1 +yoonas.com, 1 +yooooex.com, 1 +yoopies.fr, 1 +yooptopian.com, 0 +yoozik.io, 1 +yooznet.com, 1 +yopers.com, 0 +yopmail.com, 1 +yopmail.net, 1 +yoppoy.com, 1 +yops.info.pl, 1 +yoramvandevelde.net, 1 +yorcar.com, 1 +yorcom.nl, 0 +yorcool.nl, 0 +yorcybersec.co.uk, 0 +yordanisp.tk, 1 +yore.tk, 1 +yorganica.ga, 1 +yorgosbos.nl, 1 +yorkacademy.ca, 1 +yorkcountyne.gov, 1 +yorkcountysc.gov, 1 +yorkcountyschools.org, 1 +yorkieloverdiy.com, 1 +yorkiepooexpert.com, 1 +yorkmarkets.com, 1 +yorkmoneyman.com, 1 +yorkroadyums.com, 1 +yorkshiredalesinflatables.co.uk, 1 +yorkshiregardensheds.co.uk, 1 +yorkshiregrit.cc, 1 +yorkshirehousing.co.uk, 1 +yorkshireinflatables.co.uk, 1 +yorkshireterrier.com.br, 1 +yorkshireterrier.dog, 1 +yorkshireterrieraspets.com, 1 +yorktest.com, 1 +yorname.ml, 0 +yornik.nl, 1 +yoru.me, 0 +yoryo.com, 1 +yosakoinight.com, 1 +yosbeda.com, 1 +yosemo.de, 1 +yosh.is, 1 +yosheenetwork.fr, 1 +yoshibaworks.com, 1 +yoshimura-seimenjo.com, 1 +yoshitsugu.net, 1 +yoshiya2020.com, 1 +yoshkar-ola-city.tk, 1 +yosida-dental.com, 1 +yosida95.com, 1 +yosm.net, 1 +yospos.org, 1 +yoti.com, 1 +yoticonnections.com, 1 +yotilabs.com, 1 +yoto.at, 0 +yotta-zetta.com, 1 +yottahash.net, 1 +yotubaiotona.net, 1 +you-working.ru, 1 +you.bo, 0 +you.com.br, 1 +you15iv.com, 1 +youareamazingnd.com, 1 +youavtube.com, 1 +youbehero.com, 1 +youber.cz, 1 +youbetteravoid.me, 1 +youc.ir, 1 +youcanbook.me, 0 +youcanfinance.com.au, 1 +youcanfuckoff.xyz, 1 +youcanhelp.tk, 1 +youcanmakeit.at, 1 +youcruit.com, 1 +youcruit.jobs, 1 +youdino.com, 1 +youdontneedipv6.xyz, 1 +youdungoofd.com, 1 +youearnedit.com, 1 +youenglish.school, 1 +youftp.tk, 1 +yougee.ml, 1 +yougene.me, 1 +yougot.pw, 1 +youhabitat.es, 1 +youhavewords.com, 1 +youhs.top, 0 +youhua.ru, 1 +youiv.info, 1 +youiv.net, 1 +youiv.pw, 1 +youiv.tv, 1 +youiv10.com, 1 +youiv100.com, 1 +youiv20.com, 1 +youivh.com, 1 +youivr.com, 1 +youivt.com, 0 +youjob.us, 1 +youkaryote.com, 1 +youkaryote.org, 1 +youked.com, 1 +youkube.cf, 1 +youla.gq, 1 +youla.ru, 1 +youlikehookups.com, 1 +youliketwinks.com, 1 +youlovehers.com, 1 +youmeandjunee.com.au, 1 +youmiracle.com, 1 +youmonit.me, 1 +youms.de, 1 +younameit.ru, 1 +youneedfame.com, 1 +young-brahmousin.com, 1 +young-celebrities.tk, 1 +young-hands.it, 1 +young-sheldon.com, 1 +young-zy.com, 1 +young.scot, 0 +youngandunited.nl, 0 +youngart.hu, 1 +youngauthentic.cf, 1 +youngbabes.pro, 1 +youngcouple9598.net, 1 +youngdevotion.net, 1 +youngdevotion.org, 1 +youngfree.cn, 1 +younglabour.co.nz, 1 +younglabour.nz, 1 +younglabour.org.nz, 1 +younglions.cf, 1 +youngmodelsagency.tk, 1 +youngpeopleunited.co.uk, 1 +youngsook.org, 1 +youngsophie.net, 1 +youngsoulstudios.com, 0 +youngsvillenc.gov, 1 +youngtube.one, 1 +youngvoicesmatter.org, 1 +youniq.ga, 1 +younl.net, 1 +youpark.no, 1 +youpickfarms.org, 1 +youpreneur.com, 1 +your-computer-is-a-hero.tk, 1 +your-fitness-coach.ch, 1 +your-forum.tk, 1 +your-greece.ga, 1 +your-house-expert.com, 1 +your-idc.tk, 1 +your-kurs.tk, 1 +your-melody.ru, 1 +your-money.info, 1 +your-out.com, 1 +your-restorer.ru, 1 +your-sussex.wedding, 1 +your28days.com, 1 +youracnepro.com, 1 +youran.me, 1 +yourantiquarian.com, 1 +youraudiobooks.xyz, 1 +yourazbraces.com, 1 +yourbenefitsresources.com, 1 +yourberksbucksoxon.wedding, 1 +yourbittorrent.com, 1 +yourbittorrent2.com, 1 +yourblazeguard.com, 1 +yourbodyknows.dk, 1 +yourbodyknows.is, 1 +yourbonus.click, 0 +yourbreakfast.tk, 1 +yourbrewclub.com, 1 +yourbristolsomerset.wedding, 1 +yourbusiness.ml, 1 +yourcareerhost.com, 1 +yourcfo.co.in, 1 +yourcheshiremerseyside.wedding, 1 +yourcomputer.expert, 1 +yourcomputer.tk, 1 +yourconscious.life, 1 +yourcopywriter.it, 1 +yourcrypto.tax, 1 +yourdailyalerts.net, 1 +yourdailyhealthcare.tk, 1 +yourdailylocal.com, 1 +yourdata.ai, 1 +yourdata.ga, 1 +yourdemowebsite.ml, 1 +yourdevoncornwall.wedding, 1 +yourdrive.tk, 1 +youreallyneedthis.co, 1 +youreart.shop, 1 +youreastanglian.wedding, 1 +youreastmidlands.wedding, 1 +youreitbranding.com, 1 +youremailexpert.com, 1 +yourenergy.io, 1 +youreward.ga, 1 +yourfandom.ddns.net, 1 +yourfin.nl, 1 +yourforceserver.com, 1 +yourforcesupport.com, 1 +yourforcesupport.events, 1 +yourforcesupport.me, 1 +yourforcesupport.net, 1 +yourforcesupport.pro, 1 +yourforcesupport.us, 1 +yourforex.org, 1 +yourfriendlytech.com, 1 +yourfuntrivia.com, 1 +yourfuturestrategy.com.au, 1 +yourgadget.ro, 1 +yourgames.tv, 1 +yourgifttoyou.com, 1 +yourgloswilts.wedding, 1 +yourhampshiredorset.wedding, 1 +yourhealthcommunity.com, 1 +yourhearingnetwork.com, 1 +yourhertsbeds.wedding, 1 +yourhomeloanapprovals.com.au, 1 +yourhrworld.com, 1 +yourhumandesign.ch, 1 +yourkent.wedding, 1 +yourkit.com, 1 +yourkrabivilla.com, 1 +yourlanguages.de, 1 +yourlgpd.com, 1 +yourlifespirit.de, 1 +yourloan.gq, 1 +yourlocalsecurity.com, 1 +yourlondon.wedding, 1 +yourlovesong.com.mx, 1 +yourmagicstory.tk, 1 +yourmaki.com, 1 +yourmobility.ga, 1 +yourmodel.fr, 1 +yourms.com, 1 +yourname.xyz, 1 +yournewsfeed.org, 1 +yournortheast.wedding, 1 +yournorthwest.wedding, 1 +youronly.one, 1 +yourpalmbeachcountyrealtor.com, 1 +yourpalstore.com, 1 +yourpersonalfoodnesscoach.nl, 1 +yourpersonalfrance.com, 1 +yourpillstore.com, 1 +yourscotlandtour.co.uk, 1 +yoursfunny.top, 1 +yourskin.nl, 0 +yoursoul.gq, 1 +yoursoulmate.tk, 1 +yoursouthwales.wedding, 1 +yourstake.org, 1 +yourstart.tk, 1 +yourstorebridgwater.co.uk, 1 +yourstoreexeter.co.uk, 1 +yoursupportline.co.uk, 1 +yoursurrey.wedding, 1 +yourtampaparksplan.com, 1 +yourtests.tk, 1 +yourticketbooking.com, 1 +yourtourdesk.com, 0 +yourtwojugs.com, 1 +youruseragent.info, 1 +yourwatchdesign.co.uk, 1 +yourwestmidlands.wedding, 1 +yourworlds.cf, 1 +youryorkshire.wedding, 1 +yourznc.com, 1 +yousee.cf, 1 +yousee.gq, 1 +yousei.ne.jp, 1 +youservice.it, 1 +youshawn.com, 1 +youshouldnthavebeenhacking.com, 1 +yousite.by, 1 +yousound.tk, 1 +youssfitpro.com, 1 +youston.agency, 1 +youstyleski.it, 1 +yousufahmad.ca, 1 +yousuforg.ga, 1 +youth-for-life.tk, 1 +youth-sport.net, 1 +youth.gov, 1 +youthclothing.tk, 1 +youthink.jp, 1 +youthmarketing.com, 1 +youthnews.tk, 1 +youthopportunitieshub.com, 1 +youthpassageways.org, 1 +youthpolicy.org, 1 +youthreach.org, 1 +youthrules.gov, 1 +youthsadda.com, 1 +youtous.me, 1 +youtube, 1 +youtube-notify.com, 1 +youtube.com, 1 +youtubedownloader.com, 1 +youtubekids.com, 1 +youtubelet.com, 1 +youtuberis.lt, 1 +youtuberus.tk, 1 +youwebcams.org, 1 +youyifans.com, 1 +youyoulemon.com, 1 +youyuan.rocks, 1 +youyuandesign.top, 1 +yova.nl, 0 +yovko.net, 0 +yoyohe.com, 1 +yoyojobs.tk, 1 +yoyoost.duckdns.org, 1 +yoyoost.ga, 1 +yozakura.me, 1 +yozhik.tk, 1 +yozucreative.com, 1 +yparches.com, 1 +ypart.eu, 1 +ypdlp.org, 1 +ypea.info, 1 +ypfr.fr, 1 +ypgnews.tk, 1 +ypid.de, 1 +yplanapp.com, 1 +ypopovych.tk, 1 +yporti.net, 1 +ypse.com.br, 1 +ypsitownship.gov, 1 +yq5.de, 1 +yqagizev.tk, 1 +yqjf68.com, 1 +yqmhz.com, 1 +yr-labo.jp, 1 +yr.sa, 1 +yr166166.com, 1 +yrausquin.com, 1 +yrcc878.com, 1 +yrefail.net, 1 +yriik.ml, 1 +yrityksen-perustaminen.net, 1 +yrjanheikki.com, 1 +yrx.me, 1 +yryz.net, 1 +ys96.org, 1 +ysearc.tk, 1 +ysff.me, 1 +ysfridge.com, 1 +ysicorp.com, 1 +yslxxhome.com, 1 +ysmedia.jp, 1 +yspa.tv, 1 +yspertal.party, 1 +ystral.com, 1 +ysuna.xyz, 1 +yt-downloader.xyz, 0 +yt129.com, 1 +yt605.com, 1 +yt629.com, 1 +yt675.com, 1 +yt972.com, 1 +ytcodecs.com, 1 +ytcount.com, 1 +ytec.ca, 1 +ytexa.tk, 1 +ytpak.pk, 1 +ytreza.fr, 1 +ytterland.tk, 1 +ytvwld.de, 0 +ytx588.com, 1 +yu-dkc.com, 1 +yu-mug.jp, 1 +yu.vc, 1 +yuan.ga, 1 +yuan.idv.tw, 0 +yuan.nctu.me, 1 +yuanandyuan.info, 1 +yuanandyuan.me, 1 +yuanben.io, 1 +yuanbenlian.com, 1 +yuanbiji.net, 1 +yuandan.cf, 1 +yuandan.gq, 1 +yuandan.ml, 1 +yuanjiazhao.com, 1 +yuanjiazhao.tk, 1 +yuansecard.me, 1 +yuanxi343.top, 1 +yubi.co, 0 +yubico.com, 1 +yubico.org, 1 +yucaipa.gov, 1 +yucca.cf, 1 +yuccaschidigera.co.uk, 1 +yuce518.com, 1 +yuchun.me, 1 +yude.ml, 1 +yudin.ga, 1 +yue.la, 1 +yue2.net, 1 +yueeeyueee.com, 1 +yuema.net.cn, 1 +yuer.sytes.net, 1 +yuezhengling.link, 1 +yugasun.com, 1 +yugege.cf, 1 +yugioh-duelodefinitivo.tk, 1 +yugiohthenextgeneration.tk, 1 +yugodi.com, 1 +yugohome.com, 1 +yuh-lin.com, 1 +yuh.li, 1 +yuhaoskin.com.tw, 1 +yuharahisako.ga, 1 +yuho.vn, 1 +yui.cat, 1 +yui.jp.md, 1 +yuisyo.ml, 1 +yujixr.net, 1 +yukari.cafe, 1 +yuki-nagato.com, 1 +yuki.xyz, 1 +yukict.com, 1 +yukieda.com, 1 +yukigroup.ru, 1 +yukimituki.net, 1 +yukimiu.cf, 1 +yukimochi.com, 1 +yukimochi.io, 1 +yukimochi.jp, 1 +yukimochi.me, 1 +yukimochi.net, 1 +yukinastorage.net, 0 +yukino.xyz, 1 +yukitty-yukitty.com, 1 +yukkitacari.tk, 1 +yukomgroup.com, 1 +yukon.ca, 1 +yukonconnector.com, 1 +yukonlip.com, 1 +yukoslibrary.ga, 1 +yuksinau.co.id, 1 +yuksinau.id, 1 +yula.cf, 1 +yulaiz.com, 1 +yule.hk, 1 +yuleyule88game.com, 1 +yuliana-hotel.com, 1 +yulsn.io, 1 +yum0.cn, 1 +yumacountyazvotes.gov, 1 +yumacountyco.gov, 1 +yumechi.jp, 1 +yumepolo.com, 1 +yumi2.jp, 1 +yumiandryan.com, 1 +yumisign.com, 1 +yumli.net, 1 +yumm.menu, 1 +yummiyogi.com, 1 +yummycouple.net, 1 +yummydrool.com, 1 +yumtaro.com, 1 +yun-bao.co, 0 +yuna.tg, 0 +yunasecurity.com, 1 +yuncaioo.com, 0 +yunibalance.com, 1 +yunite.one, 1 +yunjishou.pro, 1 +yunloc.com, 1 +yunnet.ru, 1 +yunqueradehenares.tk, 1 +yunzhu.li, 1 +yuplay.com, 1 +yupug.com, 1 +yupulse.be, 1 +yuqi.me, 1 +yuquepay.com, 1 +yura.cf, 1 +yuricarlenzoli.it, 1 +yurikirin.me, 1 +yuriland.xyz, 1 +yurimoens.be, 1 +yurinet.org, 1 +yurisora.com, 1 +yurissimo.ch, 1 +yurissimo.cn, 1 +yurissimo.com, 1 +yurissimo.de, 1 +yurist-vopros.gq, 1 +yuriylysyuk.ru, 1 +yurtdisigocmenlik.com, 1 +yus-azaria.tk, 1 +yusa.me, 1 +yushanfang.recipes, 1 +yusu.org, 1 +yusufipek.me, 1 +yusukekato.com, 1 +yusukesakai.com, 1 +yutabon.com, 0 +yutakato.net, 1 +yutangyun.com, 1 +yuth.in, 0 +yuu.ink, 1 +yuucchi.com, 1 +yuucdn.net, 1 +yuugi.be, 1 +yuuki0xff.jp, 1 +yuumari.com, 1 +yuuta.moe, 1 +yuvaindia.co.in, 1 +yuvaskillfoundation.org, 1 +yuweetek.com, 0 +yuwei.org, 1 +yuweiji.com, 1 +yuweiyang.xyz, 1 +yux.fr, 1 +yuxiangyuan.com, 1 +yuxuan.org, 1 +yuyantang.club, 1 +yuyucn.com, 1 +yuzei.ml, 1 +yuzei.tk, 1 +yuzicare.com, 1 +yuzneri.net, 1 +yuzu.tk, 1 +yuzurisa.com, 1 +yvabph.com, 1 +yvb.moe, 1 +yveslegendre.fr, 0 +yvesx.com, 1 +yveszarkaconsultant.fr, 1 +yvettextreme.com, 1 +yvonnethomet.ch, 1 +yvonnewilhelmi.com, 1 +yw.com, 1 +ywambaguio.org, 1 +ywambutuan.org, 1 +ywamphilippines.org, 1 +ywamshipsphilippines.com, 1 +yx-express.cn, 1 +yxapp10.com, 1 +yxapp20.com, 1 +yxapp30.com, 1 +yxapp43.xyz, 1 +yxapp45.xyz, 1 +yxapp46.xyz, 1 +yxapp47.xyz, 1 +yxapp48.xyz, 1 +yxc.xyz, 1 +yxcpapp08.com, 1 +yxcpapp09.com, 1 +yxcpapp13.com, 1 +yxcpapp14.com, 1 +yxhc.cc, 0 +yxhlz.com, 1 +yxlon.cn, 1 +yxlon.co.jp, 1 +yxlon.com, 1 +yxlon.de, 1 +yxt521.com, 1 +yy-s.net, 1 +yy153.com, 0 +yy366.cc, 0 +yy369.cc, 1 +yy393.com, 0 +yy5197.co, 1 +yy6729.co, 1 +yy6729.com, 1 +yy6957.co, 1 +yy9297.co, 1 +yy9297.com, 0 +yy9721.com, 1 +yy9728.co, 1 +yya.men, 1 +yybx.top, 1 +yyc.city, 1 +yycbike.info, 1 +yyr.im, 1 +yyrss.com, 0 +yyy116.com, 1 +yyy608.com, 1 +yyyy.xyz, 1 +yz86.cc, 1 +yzal.io, 1 +yzarul.com, 1 +yzddd.com, 1 +yzer.club, 1 +yzervast-heestert.be, 1 +yzh8.cc, 1 +yzh8.net, 1 +yzh8.vip, 1 +yzimroni.net, 1 +yzy6666.com, 1 +yzydo.com, 0 +yzyweb.cn, 1 +z-cert.nl, 1 +z-e.eu, 1 +z-epub.com, 1 +z-g-v.nl, 1 +z-kasino.ru, 1 +z-konzept-nutrition.ru, 1 +z-pc.net, 1 +z-rejstejna.cz, 1 +z-vector.com, 1 +z.ee, 1 +z.is, 1 +z.md, 1 +z.mom, 1 +z.org, 1 +z.sh, 1 +z.sv, 1 +z.tl, 1 +z0.pm, 1 +z00228.com, 1 +z0ey.de, 1 +z0rro.net, 1 +z11slot.co, 1 +z1h.de, 1 +z2.fi, 1 +z2a4.com, 1 +z36533.com, 1 +z3marketing.com, 1 +z3r0101.com, 1 +z3s.nl, 1 +z3u5.net, 1 +z3ven.nl, 1 +z4k.de, 1 +z5197.co, 1 +z6.uk, 1 +z6182.com, 1 +z6192.com, 1 +z6218.com, 1 +z6252.com, 1 +z6323.com, 1 +z6359.com, 1 +z6371.com, 1 +z6512.com, 1 +z6519.com, 1 +z6527.com, 1 +z6529.com, 1 +z6573.com, 1 +z6587.com, 1 +z6729.co, 1 +z6729.com, 1 +z6827.com, 1 +z6882.com, 1 +z6897.com, 1 +z6957.co, 1 +z6957.com, 0 +z6wang.com, 1 +z8011.com, 1 +z8012.com, 1 +z8013.com, 1 +z8017.com, 1 +z8023.com, 1 +z8026.com, 1 +z8032.com, 1 +z8038.com, 1 +z8051.com, 1 +z8052.com, 1 +z8053.com, 1 +z8057.com, 1 +z8063.com, 1 +z8066.com, 1 +z8068.com, 1 +z8071.com, 1 +z8079.com, 1 +z8082.com, 1 +z8083.com, 1 +z8086.com, 1 +z8087.com, 0 +z8089.com, 1 +z8106.com, 1 +z8109.com, 1 +z8113.com, 1 +z8120.com, 1 +z8125.com, 1 +z8130.com, 1 +z8132.com, 1 +z8139.com, 1 +z8150.com, 1 +z8170.com, 1 +z8171.com, 1 +z8176.com, 1 +z8177.com, 1 +z8178.com, 1 +z8182.com, 1 +z8187.com, 1 +z8193.com, 1 +z8195.com, 1 +z8196.com, 1 +z8206.com, 1 +z8207.com, 1 +z8209.com, 1 +z8210.com, 1 +z8212.com, 1 +z8218.com, 1 +z8219.com, 1 +z8225.com, 1 +z8226.com, 1 +z8230.com, 1 +z8231.com, 1 +z8232.com, 1 +z82365.com, 1 +z8817.com, 1 +z8826.com, 1 +z8851.com, 1 +z8856.com, 1 +z8861.com, 1 +z8865.com, 1 +z8870.com, 1 +z8875.com, 1 +z8876.com, 1 +z8879.com, 1 +z8891.com, 1 +z8895.com, 1 +z8907.com, 1 +z8908.com, 1 +z8917.com, 1 +z8920.com, 1 +z8922.com, 1 +z9297.co, 1 +z9728.co, 1 +z99944x.xyz, 1 +za.search.yahoo.com, 0 +zaalleatherwear.nl, 1 +zaanlijn.nl, 1 +zaba.training, 1 +zabatsai-sam.tk, 1 +zabbix-monitoring.tk, 1 +zabbix.tips, 1 +zabbixtech.info, 1 +zabe.in, 1 +zaboi.tk, 1 +zabory-klg.ru, 1 +zabszk.net, 1 +zabszk.ovh, 1 +zabukovnik.net, 1 +zac.cy, 1 +zacaloo.com, 1 +zacarias.com.ar, 1 +zacatecasmeetings.com, 1 +zacco.site, 1 +zach.codes, 0 +zacharopoulos.me, 0 +zacharydubois.me, 1 +zacharyschneider.ca, 1 +zacharyschneider.com, 1 +zacharyseguin.ca, 1 +zacharysherman.tk, 1 +zachaysan.com, 1 +zachbolinger.com, 1 +zachborboa.com, 1 +zachfox.photography, 1 +zachgibbens.org, 1 +zachranari.tk, 1 +zachschneider.ca, 1 +zachyang.cn, 1 +zacintosh.com, 1 +zack.today, 0 +zackattack.tk, 1 +zackiarfan.ml, 1 +zacks.eu, 1 +zackzack.at, 1 +zaclys.com, 0 +zad-academy.com, 1 +zadania.wiki, 1 +zadavalka.ru, 1 +zadm.de, 1 +zadrot.tk, 1 +zadroweb.com, 1 +zaelkids.it, 1 +zaem.tv, 1 +zaferaniehearing.com, 1 +zaferbalkan.com, 1 +zaffittv.com, 1 +zaffittv.mx, 1 +zaffke.co, 1 +zafrani.ga, 1 +zagadki-cosmosa.tk, 1 +zagi.net, 1 +zagis.nl, 1 +zagorod.spb.ru, 1 +zagranicablog.tk, 1 +zagruz.tk, 1 +zahari.tk, 1 +zahirdanzavila.com, 1 +zahlensysteme-rechner.de, 1 +zahn-frankl.at, 1 +zahnaerzte-website.de, 1 +zahnarzt-korsos.at, 1 +zahnarzt-kramer.ch, 1 +zahnarzt-kruft.de, 1 +zahnarzt-neudecker.de, 1 +zahnarzt.ac, 1 +zahnarzt.se, 1 +zahnarztpraxis-schaerding.at, 1 +zahnarztpraxis-simone-koch.de, 1 +zahrowski.com, 1 +zaija.tk, 1 +zaim-best.ml, 1 +zaim15min.cf, 1 +zaimdengi.tk, 1 +zaimexpress.cf, 1 +zaimi.ml, 1 +zaimin.ga, 1 +zaimlime.ga, 1 +zaimponuj.pl, 1 +zaimvkredit2.gq, 1 +zaimvkredit3.ga, 1 +zaimvkredit3.gq, 1 +zaimvkredit3.ml, 1 +zaimvkredit4.ml, 1 +zain-hasan.ml, 1 +zainblue.com, 1 +zainzinger.org, 1 +zaitaiguo.com, 1 +zaizaia.cc, 1 +zajc.eu.org, 1 +zajm-bez-otkaza.gq, 1 +zajm-bez-poruchitelej.cf, 1 +zajm-bez-spravok.tk, 1 +zajm-cherez-sms.ml, 1 +zajm-ehkspress.ml, 1 +zajm-na-kartu.tk, 1 +zajm-na-kivi.cf, 1 +zajm-pod-raspisku.cf, 1 +zajm-pod-zalog.ga, 1 +zajm-pod-zalog.gq, 1 +zajmy-contact.cf, 1 +zajmy-contact.ga, 1 +zajmy-contact.gq, 1 +zajmy-contact.tk, 1 +zajsoft.net, 1 +zak.co.at, 1 +zak.org.pl, 1 +zakachat-brauzer.gq, 1 +zakachat-temi.gq, 1 +zakanyszek.hu, 1 +zakaria.website, 1 +zakariya.blog, 1 +zakarotta.ga, 1 +zakarpattya.fun, 1 +zakaz.cf, 1 +zakazbiletov.kz, 1 +zakcutner.com, 1 +zakcutner.uk, 1 +zakelijketaalcursus.nl, 1 +zakes.tk, 1 +zakirov.gq, 1 +zakladam.cz, 1 +zakladki.tk, 1 +zakladybukmacherskie.tv, 1 +zakmccrac.de, 1 +zakojifarm.jp, 1 +zakononline.cf, 1 +zakonu.net.ru, 1 +zakpex.com, 1 +zakr.es, 1 +zakratheme.com, 1 +zakreconysloik.com.pl, 1 +zakrentus-ostrus.space, 1 +zakspartiesandevents.com, 1 +zala.ml, 1 +zalaetavoleibol.tk, 1 +zalan.do, 1 +zalaxx.ddns.net, 1 +zaledia.com, 1 +zalef.tk, 1 +zaleycash.com, 1 +zalgos.xyz, 1 +zalihvoch.ga, 1 +zaloghaz.ro, 1 +zalohovaniburian.cz, 1 +zaltv.com, 1 +zalure.com, 1 +zalvus.com, 1 +zam0th.tk, 1 +zamalektoday.com, 1 +zamarax.com, 1 +zambianewsforum.tk, 1 +zambranopublicidadvideo.com, 1 +zamecnikkladno.cz, 1 +zamenim.tk, 1 +zametkin.tk, 1 +zamki.tk, 1 +zammad.com, 1 +zammad.org, 1 +zamok-love.tk, 1 +zamok.cf, 1 +zamokservis.com, 1 +zamor.com.br, 1 +zamorsky.tk, 1 +zamos.ru, 1 +zamow.co, 1 +zamtech.co.jp, 1 +zanahd.co.za, 1 +zananta.com, 1 +zander.dk, 1 +zandersgroup.com, 1 +zandmhomes.com, 1 +zandra.cf, 1 +zanellidesigns.co.uk, 1 +zaneslaw.com, 1 +zanettimateriais.com.br, 1 +zangerfreddy.tk, 1 +zangerwillem.tk, 1 +zango.com.au, 1 +zankevich.com, 1 +zankevich.net, 1 +zanotti.io, 1 +zanquan.net, 1 +zanreal.net, 1 +zanreal.pl, 1 +zanshinkankarate.com, 1 +zanthed.xyz, 1 +zanthra.com, 1 +zanzariere.roma.it, 1 +zaoai.cf, 1 +zaoai.ga, 1 +zaoai.gq, 1 +zaoai.ml, 1 +zaoai.tk, 1 +zaoext.com, 1 +zaorejas.tk, 1 +zaoren.cf, 1 +zaoren.ga, 1 +zaoren.gq, 1 +zaoren.ml, 1 +zaoren.tk, 1 +zap-mag.ru, 1 +zap-map.com, 1 +zapamini.ml, 1 +zaparoh.com, 1 +zapaska.tk, 1 +zapatilla.com.es, 0 +zapatillas-trekking.com, 1 +zapic.moe, 1 +zapier-staging.com, 1 +zapier.com, 1 +zaplano.tk, 1 +zapmap.com, 1 +zapmaster14.com, 1 +zapnito.com, 1 +zappbuildapps.com, 0 +zappi.io, 1 +zappingarahal.tk, 1 +zappingcuraduria.tk, 1 +zappos, 1 +zapproved.com, 1 +zapreaders.cf, 1 +zaprefy.com, 1 +zapsibir.ru, 1 +zaptorg.xyz, 1 +zapuz.com, 1 +zapzockt.de, 1 +zar-kripto.tk, 1 +zarabiaj.com, 1 +zarabianiewsieci.tk, 1 +zarabizarr.com, 1 +zarabotai-doma.ml, 1 +zarabotki-v-internete.tk, 1 +zarabotok-obzor.ru, 1 +zarabotok-v-internete.ga, 1 +zarabotok-v-internete.gq, 1 +zarabotok-veka.ga, 1 +zarabotok2017.tk, 1 +zarabotok24obzor.ru, 1 +zarabotoker.tk, 1 +zarabotoklaif.tk, 1 +zarabotokvnet.tk, 1 +zarabotokvseti.tk, 1 +zaracraft.tk, 1 +zaramendez.net, 1 +zaratan.fr, 0 +zaratime.com, 1 +zaraweb.net, 1 +zarbis.tk, 1 +zarcik.pl, 1 +zardain.tk, 1 +zarezerwuj-nocleg.com, 1 +zarfla.com, 1 +zarinab.com, 1 +zarja.tk, 1 +zarjadnik.tk, 1 +zarla.com, 1 +zarnu.com, 1 +zarobotok-forum.ga, 1 +zarobotok-forum.gq, 1 +zarobotok-forum.ml, 1 +zarof-fkf.de, 1 +zarok.tv, 1 +zaroktv.com.tr, 1 +zaroktv.krd, 1 +zarra.tk, 1 +zaruhi.ml, 1 +zary.me, 1 +zas4eku.tk, 1 +zaschtnik.ga, 1 +zasolka.guru, 1 +zastawsamochodu.pl, 1 +zastenchivost.tk, 1 +zasudili.ru, 1 +zataz.com, 1 +zatepli.eu, 1 +zaterdagwelpen.tk, 1 +zatp.com, 0 +zatrzymanie.com.pl, 1 +zatsepin.by, 1 +zauberer-bauchredner.ch, 1 +zauberwald.tk, 1 +zaufanatrzeciastrona.pl, 1 +zav-hub.ddns.net, 1 +zavalianis.gr, 1 +zavarkin.tk, 1 +zavec.com.ec, 0 +zavedeno.com, 1 +zaves.tk, 1 +zawo-electric.de, 1 +zawodowe-szkolenia.com, 1 +zayats.tk, 1 +zayavka.cf, 1 +zayavka.ml, 1 +zayla.cz, 1 +zayla.sk, 1 +zaym.tk, 1 +zaympodzalog.cf, 1 +zaympodzalog.ga, 1 +zaympodzalog.gq, 1 +zaympodzalog.ml, 1 +zaympodzalog.tk, 1 +zayzoh.com, 1 +zazaradio.tk, 1 +zazemleno.com, 1 +zazhong.cf, 1 +zazhong.ml, 1 +zazza.tk, 1 +zbanks.cn, 1 +zbarista.co.nz, 1 +zbb.kr, 1 +zberger.com, 1 +zbetcheck.in, 1 +zbib.org, 1 +zbrain.ml, 1 +zbrane-doplnky.cz, 0 +zbrsk.ru, 1 +zbsj.pl, 1 +zbuilderz-lb.com, 1 +zbut.bg, 1 +zbyga.cz, 1 +zbynekuher.cz, 1 +zcapital.ch, 1 +zcarot.com, 1 +zcarrot.com, 1 +zcb.fr, 1 +zcode.tk, 1 +zcompany.ga, 1 +zcompany.tk, 1 +zcon.nl, 1 +zcore.org, 1 +zcr.ca, 1 +zcrypto.ml, 1 +zcwtl.com, 1 +zczc.cz, 1 +zd1010.com, 1 +zd1515.com, 0 +zd209.com, 1 +zd235.com, 0 +zd236.com, 1 +zd273.com, 1 +zd275.com, 1 +zd280.com, 1 +zd303.com, 1 +zd307.com, 1 +zd3434.com, 1 +zd4848.com, 1 +zd623.com, 1 +zd632.com, 1 +zd635.com, 1 +zd6464.com, 1 +zd6565.com, 1 +zd673.com, 1 +zd6862.com, 1 +zd6866.com, 1 +zd6867.com, 1 +zd6879.com, 1 +zd6880.com, 1 +zd6883.com, 1 +zd6885.com, 1 +zd6886.com, 1 +zd6893.com, 1 +zd6898.com, 1 +zd692.com, 1 +zd693.com, 1 +zd726.com, 1 +zd732.com, 1 +zd736.com, 1 +zd753.com, 1 +zd7575.com, 1 +zd759.com, 1 +zd793.com, 1 +zd796.com, 1 +zd803.com, 1 +zd805.com, 1 +zd806.com, 1 +zd826.com, 1 +zd8826.com, 1 +zd8838.com, 1 +zd8839.com, 1 +zd8858.com, 1 +zd8865.com, 1 +zd8869.com, 1 +zd8882.com, 1 +zd9090.com, 1 +zda.ag, 1 +zdbl.de, 1 +zdcs.com, 1 +zdenek-hejl.com, 1 +zdeneklavicky.cz, 1 +zdenekpasek.com, 1 +zdenekpasek.cz, 1 +zdenekspacek.cz, 1 +zdenekvecera.cz, 1 +zdorov-blog.gq, 1 +zdorov.by, 1 +zdorovayasimya.com, 1 +zdorovcentr.ga, 1 +zdorovyj-rebjonok.ru, 1 +zdrapti.tk, 1 +zdrave-konzultace.cz, 1 +zdravec-bg.com, 1 +zdravekonzultace.cz, 1 +zdravesteny.cz, 1 +zdraveziti.eu, 1 +zdravkovic.tk, 1 +zdravnica-polin.com, 1 +zdravshop.sk, 1 +zdravypanak.sk, 1 +zdravystul.cz, 1 +zdrowebodomowe.pl, 1 +zdrowezywienie.edu.pl, 1 +zdxiaoda.me, 1 +zdymak.by, 1 +ze-mag.info, 1 +ze.delivery, 1 +ze3kr.com, 1 +zeadaniel.com, 1 +zeal-and.jp, 1 +zeal-interior.com, 1 +zealar.com.au, 1 +zealworks.jp, 1 +zeanweb.tk, 1 +zeb.fun, 1 +zebbra.ro, 1 +zeblog.tk, 1 +zebra-serwis.pl, 1 +zebradom.ru, 1 +zebraguide.com, 1 +zebravinken.tk, 1 +zebspeech.tk, 1 +zebulon.fr, 1 +zecanard.com, 1 +zecible.fr, 1 +zecircle.xyz, 1 +zeckenhilfe.de, 0 +zectazepia.tk, 1 +zecuur.nl, 1 +zedeko.pl, 1 +zedex.cn, 1 +zednet.tk, 1 +zedshaw.com, 1 +zedtm.ir, 1 +zeedroom.be, 1 +zeeg.me, 1 +zeegeeks.com, 1 +zeegers.family, 1 +zeeheldenwijk-urk.nl, 1 +zeekajakvaren.tk, 1 +zeel.com, 1 +zeelandbrug.tk, 1 +zeeloo.xyz, 1 +zeeshan.website, 0 +zeet.tk, 1 +zeetoppers.nl, 1 +zefort.com, 1 +zegazte.org, 1 +zegels-danst.tk, 1 +zegluje.net, 1 +zeglujemy.net, 1 +zegriesalmansa.tk, 1 +zeguigui.com, 1 +zehdenick-bleibt-bunt.de, 1 +zehka.net, 1 +zehkae.net, 1 +zehnegira.ir, 0 +zehy.de, 1 +zehy.link, 1 +zehy.me, 1 +zehy.net, 1 +zehy.org, 1 +zeibekiko-souvlaki.gr, 1 +zeidlertechnik.de, 1 +zeigren.com, 1 +zeihetecumre.cf, 1 +zeihetecumre.gq, 1 +zeihsel.com, 1 +zeilenmethans.nl, 1 +zeilenvoorondernemers.nl, 1 +zeilenwind.com, 0 +zeilinstructeurs.tk, 1 +zeilles.nu, 1 +zeilschoolneptunus.nl, 1 +zeit.co, 1 +zeit.sh, 1 +zeitgitter.net, 1 +zeitgitter.org, 1 +zeitoununiversity.org, 1 +zeitpunkt-kulturmagazin.de, 1 +zeitschrift-lq.com, 1 +zeitschriftlq.com, 1 +zeitzer-turngala.de, 1 +zekerbewegenhengelo.nl, 1 +zekerheidvanparcelinternational.nl, 1 +zekinteractive.com, 1 +zekra.tk, 1 +zelandnamiru.cz, 1 +zeldaliberty.tk, 1 +zeldamods.org, 1 +zelena-armija.tk, 1 +zelenazeme.cz, 1 +zelendoma.ml, 1 +zeliard.tk, 1 +zelizy.cz, 1 +zelkor.ml, 1 +zelong.tk, 1 +zeloz.xyz, 1 +zelpc.com, 1 +zelvar.cz, 1 +zemledel.info, 1 +zemli.tk, 1 +zemlova.cz, 1 +zemlyaki.ga, 1 +zemlyaki.ml, 1 +zemlyaki.tk, 1 +zemows.industries, 1 +zemtime.com, 1 +zen-solutions.io, 1 +zen-zone.tk, 1 +zenassociates.com, 1 +zenbalans.nl, 1 +zenbox.pl, 1 +zenchain.com, 1 +zencube.ga, 1 +zendarhunters.tk, 1 +zendave.au, 1 +zendev.ga, 1 +zendev.tk, 1 +zendrop.com, 1 +zenerisprojekty.pl, 1 +zenfires.com, 1 +zenfoodbook.com, 1 +zengdong.ren, 1 +zenghuanmin.cn, 0 +zengold.com, 1 +zenideen.com, 1 +zenidees.com, 1 +zeniran.com, 1 +zenisi.com, 1 +zenit505.com, 1 +zenitchik.org, 1 +zenithappliance.co.uk, 1 +zenithmanagement.net, 1 +zenithmedia.ca, 0 +zenithstudylab.org, 1 +zenithvitalcare.com.au, 1 +zenitkft.hu, 1 +zenjify.com, 1 +zenk-security.com, 1 +zenker-hausbau.at, 1 +zenki-manga.tk, 1 +zenkit.com, 1 +zenless.top, 1 +zenlogic.com, 1 +zenluxuryliving.com, 1 +zenmail.ga, 1 +zenmassageusa.com, 1 +zenmod.in.rs, 1 +zeno-dev.com, 1 +zenon.at, 1 +zenon.eu, 1 +zenpromo.ru, 1 +zenrtal-online-russia.ml, 1 +zenseal.co.uk, 1 +zenspace.us, 1 +zenstack.nl, 1 +zenstore.it, 1 +zenti-im-zug.de, 1 +zenti.cloud, 1 +zentoid.com, 1 +zentouch.gq, 1 +zentoy.club, 1 +zentrumfuerchemie.de, 1 +zenvia.com, 1 +zenvideocloud.com, 1 +zenvite.com, 1 +zenways.io, 1 +zeocax.com, 0 +zep.us, 1 +zephyrbk.com, 1 +zephyrbookkeeping.com, 1 +zephyretcoraline.com, 1 +zepig.nl, 1 +zeplin.io, 1 +zeppelflix.de, 1 +zeppelin.ml, 1 +zepter.cf, 1 +zepter.ga, 1 +zepter.gq, 1 +zepter.ml, 1 +zer0.de, 0 +zercutie.com, 1 +zerg.uk, 1 +zergy.net, 1 +zerium.ml, 1 +zerknij.tv, 1 +zerm.eu, 1 +zerm.link, 1 +zero-knigi.ml, 1 +zero-link.com, 1 +zero-sole.com, 1 +zero-stress.net, 1 +zero.lgbt, 1 +zerobelow.net, 1 +zerobelow.org, 1 +zerobounce.net, 1 +zerocalc.be, 1 +zerocash.msk.ru, 1 +zerocms.fr, 1 +zerocomputer.tk, 1 +zerocool.io, 1 +zerocz.eu, 0 +zerodeathsmd.gov, 1 +zerodensity.tv, 1 +zerodhareview.co, 1 +zerodoubtclub.com, 1 +zerofox.gq, 1 +zerofy.de, 0 +zerogamestore.ir, 1 +zerohash.com, 1 +zerohouse.co, 1 +zeroknowledge.me, 1 +zeroland.top, 0 +zerolime.se, 1 +zerolink.click, 1 +zerolink.es, 1 +zeromaxmoving.com, 1 +zeromoment.marketing, 1 +zeronedefi.com, 1 +zeronet.io, 1 +zeroplast24.ru, 1 +zeropoint.bg, 1 +zerosector.io, 1 +zeroseteatacado.com.br, 1 +zerotoleranceclan.tk, 1 +zerotoone.de, 1 +zerotrust.plus, 1 +zerotwo.ga, 1 +zerout.in, 0 +zerowastesonoma.gov, 1 +zeroz.cf, 1 +zeroz.ga, 1 +zeroz.gq, 1 +zeroz.ml, 1 +zerozero.gq, 1 +zertif.info, 1 +zertifikatsshop.de, 1 +zerto.com, 1 +zerty.de, 0 +zeryn.net, 1 +zesgoes.nl, 1 +zeshanfoundation.org, 0 +zespia.tw, 0 +zestedesavoir.com, 1 +zesty.co, 1 +zestylemon.co.uk, 1 +zeta.co.za, 1 +zeta.hk, 1 +zetadisseny.es, 1 +zetaglobal.com, 0 +zetamode.com, 1 +zetasystem.jp, 1 +zetflix.pro, 1 +zetflix.zone, 1 +zetokatowice.pl, 1 +zettahertz.com, 1 +zettaplan.ru, 1 +zettaport.com, 1 +zettlmeissl.de, 1 +zety.com, 1 +zety.es, 1 +zety.fr, 1 +zeus.gent, 1 +zeus.wang, 1 +zeuscorp.ga, 1 +zeusec.co.jp, 1 +zeusembroidery.com.au, 1 +zeusindia.tk, 1 +zevelev.net, 1 +zevenbergenbos.tk, 1 +zevlee.me, 1 +zewtie.com, 1 +zeynabacademy.com, 1 +zeyneleroglu.com.tr, 1 +zeyoking.com, 1 +zezov.com, 1 +zf.com, 1 +zfast.com.br, 1 +zfg.li, 1 +zfid.pl, 1 +zfj.hk, 1 +zfj.la, 0 +zfj.lu, 0 +zfl-site.top, 1 +zfly.me, 1 +zfpsystems.com, 1 +zfree.co.nz, 1 +zfxhzc.blog, 1 +zfyl8.com, 1 +zg-dyw.net, 1 +zgan.ga, 1 +zgmining.com, 0 +zgndh.com, 1 +zgrep.org, 1 +zgyl8.ml, 1 +zh.fyi, 1 +zh.search.yahoo.com, 0 +zhabababa.gq, 1 +zhabagly.com, 1 +zhabthra.com, 1 +zhamolov.tk, 1 +zhan.moe, 1 +zhana-auen.tk, 1 +zhang-hao.com, 1 +zhang.fm, 1 +zhang.ge, 1 +zhang14386.love, 1 +zhangda.xyz, 0 +zhangfangzhou.com, 1 +zhangjet.com, 1 +zhangjing.space, 1 +zhanglizhi.ml, 1 +zhangmenglong.cn, 1 +zhangpeng.ai, 1 +zhangwendao.com, 1 +zhangxiong.work, 1 +zhangyiming.tech, 1 +zhangyuhao.com, 0 +zhankon.com, 0 +zhanxiangyang.com, 1 +zhanzhangb.com, 1 +zhaochen.xyz, 1 +zhaochengtan.com, 1 +zhaodao.ai, 1 +zhaoeq.com, 1 +zhaofeng.li, 0 +zhaohanman.com, 1 +zhaojin97.cn, 0 +zhaopage.com, 1 +zhaostephen.com, 1 +zhaoxixiangban.cc, 1 +zhaozhiru.com, 1 +zhattyt.com, 0 +zhbot.org, 1 +zhceres.com, 1 +zhcexo.com, 1 +zhdun.tk, 1 +zhelanie.ml, 1 +zheldor-dance.ga, 1 +zheldorinform.ga, 1 +zheltyy.at, 1 +zhen-chen.com, 1 +zhengjie.com, 1 +zhengouwu.com, 1 +zhengshu.online, 1 +zhenic.ir, 1 +zhenn.fr, 1 +zhenyan.org, 1 +zhestokiemechtyi.tk, 1 +zhestokijavtor.tk, 1 +zhi.ci, 1 +zhiboba.fun, 1 +zhidkiy-kashtan.ga, 1 +zhih.me, 1 +zhihua-lai.com, 1 +zhijikaoyan.com, 1 +zhikin.com, 1 +zhiku8.com, 1 +zhima.io, 1 +zhimajk.com, 1 +zhimingwang.org, 1 +zhina.wiki, 1 +zhinood.com, 1 +zhis.ltd, 1 +zhitanska.com, 1 +zhivoe.tk, 1 +zhixiu.com, 1 +zhiyulife.pp.ua, 1 +zhizi.ca, 1 +zhl123.com, 1 +zhodani.space, 1 +zhodino.cf, 1 +zhodino.ga, 1 +zhongai.com, 1 +zhonghongshunlian.com, 1 +zhongqiao.com, 1 +zhongxigo.com, 1 +zhongzicili.ws, 1 +zhongzilou.com, 1 +zhouba.cz, 1 +zhoujianghan.com, 0 +zhoujiashu.com, 1 +zhoujunlawer.ml, 1 +zhoukan.fun, 0 +zhoukz.com, 1 +zhousiru.com, 1 +zhoutiancai.cn, 1 +zhouyipro.com, 1 +zhouzanxi.com, 1 +zhovner.com, 1 +zhthings.com, 1 +zhuangqiu.com, 1 +zhuji.com, 1 +zhuji.com.cn, 1 +zhuji.org, 1 +zhuji5.com, 1 +zhujicaihong.com, 1 +zhujiceping.com, 1 +zhujike.com, 1 +zhujike.net, 1 +zhukaev.ml, 1 +zhuktrans.msk.ru, 1 +zhumadilov.kz, 1 +zhunlink.com, 1 +zhuoyuelicai.com, 1 +zhuqiang.com, 1 +zhurnalyu.ga, 1 +zhyz.nl.eu.org, 1 +zhz.moe, 1 +zi.is, 1 +zi5.net, 1 +ziad87.net, 1 +ziai.cf, 1 +ziai.ga, 1 +ziai.gq, 1 +ziai.ml, 1 +ziaiai.com, 1 +ziarajoias.com.br, 1 +ziaulnmonzur.tk, 1 +zidanpainting.com, 0 +ziddea.com, 1 +ziegenhagel.com, 1 +ziegler-heizung-frankfurt.de, 1 +ziemlich-zackig.de, 1 +ziemlichzackig.de, 1 +zifoapptest.com, 1 +ziftone.com, 1 +zigao.info, 1 +zigarn.com, 1 +ziggi.tk, 1 +ziggletech.com, 1 +ziggo.nl, 1 +zighinetto.org, 1 +zigoomar.tk, 1 +zigottos.fr, 1 +zigsphere.com, 0 +zigzagmart.com, 1 +zihao.me, 0 +zihari.com, 1 +zihun.club, 1 +zij-aan-zij.be, 1 +zijinbor.com, 1 +zijingbt.cn, 1 +zijingbt.com, 1 +zijingbt.net, 1 +zijn.co.zw, 1 +zijspancross.tk, 1 +zikinf.com, 1 +zikipedia.ml, 1 +zikirakhirzaman.com, 1 +ziledelaultimagafaavioricai.ro, 1 +ziliotti.com.br, 1 +zilla-sushi.tk, 1 +zillertaleralpen.net, 1 +zilon.com.co, 1 +zilore.com, 1 +zilpay.io, 1 +zilsen.com, 1 +zilsoft.net, 0 +zilv.life, 1 +zilver.nl, 1 +zilverwater.tk, 1 +zima-lito.tk, 1 +zima.io, 1 +zimaoxy.com, 1 +zimbromotor.pt, 1 +zimhosiery.com, 1 +zimiao.moe, 1 +zimkaru.ga, 1 +zimmer-voss.de, 1 +zimperium.com, 1 +zimpler.com, 1 +zinabnews.tk, 1 +zinchenko.gq, 1 +zindagilive.tk, 1 +zindec.com, 1 +zinewords.com, 1 +zingermans.com, 1 +zinglix.xyz, 1 +zingpetfood.com, 1 +zinhar.tk, 1 +zinkmetselwerken.nl, 1 +zinnov.com, 1 +zinnowitzer-ferienwohnung.de, 1 +zinsserplasticsurgery.com, 1 +zio-enzo.eu, 1 +zion-craft.tk, 1 +zionaesthetics.com.sg, 1 +ziondrive.com.br, 1 +zionladderp.com, 1 +zionsvillelocksmiths.com, 1 +ziontech.eu.org, 1 +zip, 1 +zip4.pl, 1 +zipalerts.com, 1 +ziparcfhive.ga, 1 +zipatlas.com, 1 +zipjobs.com, 1 +zipkey.de, 1 +zippie.tk, 1 +zippo-days.me, 0 +zippricami.com, 1 +zippyshare.com, 1 +ziprecruiter.com, 1 +ziqijiang.com, 0 +zir-online.com, 1 +zir.com.ua, 1 +ziraatweb.com, 1 +zircly.com, 1 +zireon.tk, 1 +zirka24.net, 1 +ziroh.be, 1 +ziroux.net, 1 +zirrka.de, 1 +zisoo.nl, 1 +zistemo.com, 1 +zitadel.ch, 0 +zitadel.cloud, 1 +zitadel.com, 1 +zithromaxstrepthroat.gq, 1 +zitobox.com, 1 +zitseng.com, 1 +zitstabureau24.nl, 1 +zivava.ge, 1 +zivot.org, 1 +zivotbezkrutosti.cz, 1 +zivotsdietou.cz, 1 +zivyruzenec.cz, 1 +zixiao.wang, 1 +zixin.com, 1 +ziya.ng, 1 +ziz.exchange, 0 +ziz.nl, 1 +zizcollections.com, 1 +zizibook.ml, 1 +zizin.tk, 1 +zizoled.com, 1 +zjawa.pro, 1 +zjc3.com, 1 +zjeunesse.com, 1 +zjsnrwiki.com, 1 +zju.tv, 1 +zjuqsc.com, 1 +zjy7722.ml, 1 +zjyoulian.cn, 1 +zk.gd, 1 +zk9.nl, 1 +zkbitcoin.com, 1 +zking.ga, 1 +zklcdc.top, 0 +zko.pub, 1 +zkocdn.com, 1 +zkoclub.cn, 1 +zkoclub.com, 1 +zkontrolujsiauto.cz, 1 +zkrd.de, 1 +zkvi.nl, 1 +zkwolf.top, 1 +zl-19.com, 1 +zl-29.com, 1 +zl-59.com, 1 +zl-89.com, 1 +zl.lv, 1 +zl0707.com, 1 +zl071.com, 1 +zl0909.com, 1 +zl0iu.com, 1 +zl1212.com, 1 +zl1515.com, 1 +zl2020.com, 1 +zl2020.vip, 1 +zl2121.com, 1 +zl2727.com, 1 +zl2929.com, 1 +zl2toy.com, 1 +zl335.com, 1 +zl3737.com, 1 +zl4231.com, 1 +zl4290.com, 1 +zl5151.com, 1 +zl6161.com, 1 +zl6868.com, 1 +zl7070.com, 1 +zl7077.com, 1 +zl7171.com, 1 +zl7979.com, 1 +zl8383.com, 1 +zl850.com, 1 +zl861.com, 1 +zl8686.com, 1 +zl8787.com, 1 +zl8824.com, 1 +zl9191.com, 1 +zl969.com, 1 +zl9696.com, 1 +zl9898.com, 1 +zlarin.tk, 1 +zlatakus.cz, 1 +zlatamira.ru, 1 +zlatan-ibrahimovic.tk, 1 +zlatanonline.tk, 1 +zlato.ua, 1 +zlatom.ru, 1 +zlavomat.sk, 1 +zlc1994.com, 1 +zlhuodong.vip, 1 +zlima12.com, 1 +zlogin.nl, 1 +zlotykameleon.tk, 1 +zlotyslawecin.tk, 1 +zloybot.tk, 1 +zlpa.loan, 1 +zlr.hu, 1 +zlypi.com, 1 +zman.co.il, 1 +zmarta.org, 1 +zmc.com.sa, 1 +zmessages.com, 0 +zmeya.tk, 1 +zmgroup.cz, 1 +zmiguel.me, 1 +zmk.fr, 1 +zmprjg.ml, 1 +zms-qs.de, 1 +zmuda.tk, 1 +zmy.im, 0 +zmy666.com, 1 +znachenie-sna.cf, 1 +znachenie-sna.ga, 1 +znachenie-sna.ml, 1 +znachenie-sna.tk, 1 +znaj.ua, 1 +znajdzprzodka.pl, 1 +znakomim.cf, 1 +znakomstva-2013.tk, 1 +znakomstva.gq, 1 +znakomstvablogs.tk, 1 +znakomstvatochka.tk, 1 +znakomstvo.tk, 1 +znalec-okna.cz, 1 +znanie-sila.tk, 1 +znanio.ru, 1 +znanium.com, 1 +znaniya.cf, 1 +znanje.gq, 1 +znation.nl, 1 +znau.ru, 1 +znbr.com, 1 +znd.jp, 1 +znews.vn, 1 +znhglobalresources.com, 1 +znich.tk, 1 +znidar.org, 1 +zniis.ru, 1 +zning.net.cn, 1 +znjc.top, 1 +znowuwrocisz.pl, 1 +znwvw.net, 1 +zobraz.cz, 1 +zochowskiplasticsurgery.com, 1 +zockenbiszumumfallen.de, 1 +zocode.tk, 1 +zocoxx.com, 1 +zode.co, 1 +zodgame.fun, 0 +zodgame.xyz, 1 +zodiac.rs, 1 +zodiacohouses.com, 1 +zodiaconline.com, 1 +zodiak.tk, 1 +zodii.bg, 1 +zoedijital.com, 1 +zoefmasters.be, 1 +zoepolitics.cf, 1 +zoepolitics.ga, 1 +zoepolitics.gq, 1 +zoepolitics.ml, 1 +zoeyachicstore.biz.id, 1 +zoeyvid.de, 1 +zof.kh.ua, 1 +zoflora.co.uk, 1 +zofran-medication.cf, 1 +zofran.ga, 1 +zofran.gq, 1 +zofrancost.ga, 1 +zofrangeneric.ga, 1 +zofranprice.ga, 1 +zofrex.com, 0 +zofzpcb.com, 1 +zogatest.tk, 1 +zogevikst.nl, 1 +zohditech.com, 1 +zohomon.com, 1 +zoidberg.tv, 1 +zoigl.club, 1 +zoisfinefood.fr, 1 +zojadravai.com, 1 +zok-ambicija.tk, 1 +zokdl.zp.ua, 1 +zoki.art, 1 +zoko.tk, 1 +zokuomthawn.tk, 1 +zollernalbtour.de, 1 +zollo-hauswartung.ch, 1 +zollprozess.ch, 1 +zoloft-medication.ml, 1 +zoloftmedication.gq, 1 +zoloftpills.tk, 1 +zoloftprice.cf, 1 +zolondek.ca, 1 +zolotie-ptichki.tk, 1 +zolotistyi-kofe.gq, 1 +zolotoinform.ru, 1 +zolotoioasis.ml, 1 +zolotoy-standart.com.ua, 1 +zolotoyscorpion.ru, 1 +zoltanmatanyi.com, 1 +zolucky.com, 1 +zolushka-1950.tk, 1 +zolw.info, 1 +zom.bi, 1 +zomatree.live, 1 +zombie-40th.com, 1 +zombie.cam, 1 +zombieclown.com, 1 +zombiecomponents.com, 1 +zombiecrowinc.tk, 1 +zombielandkf.tk, 1 +zombieloadattack.com, 1 +zombiemix.tk, 1 +zombiepassions.com, 1 +zombiesecured.com, 1 +zombmage.tk, 1 +zomerschoen.nl, 1 +zomiac.pp.ua, 1 +zona-bellepop.tk, 1 +zona-japonesa.tk, 1 +zonadetestes.com, 1 +zonadjadoel.com, 1 +zonagioco.it, 1 +zonagratisan.ga, 1 +zonainuyasha.tk, 1 +zonajogo.br.com, 1 +zonanews.tk, 1 +zonaperu.tk, 1 +zonaquimica.tk, 1 +zonarumbera.tk, 1 +zonatelevision.tk, 1 +zondervanacademic.com, 1 +zone-de-confiance.fr, 1 +zone-hack.tk, 1 +zone-sys.jp, 1 +zone.ee, 1 +zone.eu, 1 +zone.fi, 1 +zone3000.tk, 1 +zone39.com, 1 +zoneadsl.com, 1 +zoneaffiliation.com, 1 +zoneblog.tk, 1 +zonecheck.org, 1 +zonecloud.ee, 1 +zonehomesolutions.com, 1 +zonemaster.fr, 1 +zonemaster.net, 1 +zonepdf.com, 1 +zones.com, 1 +zonesec.org, 1 +zonesons.com, 1 +zonewatcher.com, 1 +zongboao.com, 1 +zongheng3d.com, 1 +zonglovani.info, 1 +zongzi.zone, 1 +zonky.cz, 1 +zonky.de, 1 +zonneglossis.tk, 1 +zonnenberg.de, 1 +zonnigzieuwent.nl, 1 +zontractors.com, 1 +zoo-dog.ru, 1 +zoo-tver.ru, 1 +zoo.org.au, 1 +zoo24.de, 1 +zooforum.tk, 1 +zoogbook.ml, 1 +zooish.net, 1 +zook.pw, 1 +zook.systems, 1 +zook.tk, 1 +zookids.uy, 1 +zoola.io, 1 +zoolaboo.de, 1 +zoological-gardens.eu, 1 +zoom-eco.net, 1 +zoom.earth, 1 +zoomaal.com, 1 +zoomcar.pro, 1 +zoomek.com, 1 +zoomerhost.com, 1 +zoomgov.com, 1 +zoomir-ra.ru, 1 +zoomsphere.com, 1 +zoon-editor.com, 1 +zoones.net, 1 +zooom.azurewebsites.net, 1 +zooom2.azurewebsites.net, 1 +zoop.ml, 0 +zooparadies.eu, 1 +zoopix.ir, 1 +zooplankton.no, 1 +zoosfera12.ru, 1 +zoot.org, 1 +zootime.net, 1 +zootime.org, 1 +zoowiki.us, 1 +zooxdata.com, 1 +zopyx.com, 1 +zor.com, 1 +zorasvobodova.cz, 1 +zorgclustertool.nl, 1 +zorgenvoorandrea.be, 1 +zorgenvoorherena.be, 1 +zorgenvoorjean.be, 1 +zorgenvoormaria.be, 1 +zorghuys.nl, 1 +zorgnetwerkenabr.nl, 1 +zorgonderwijsnu.nl, 1 +zorgvanoranje.nl, 0 +zorgverzekeringslijn.nl, 1 +zorig.ch, 1 +zork.ca, 1 +zorkin.uz, 1 +zornica.tk, 1 +zorntt.fr, 0 +zorox.sex, 1 +zorro.management, 1 +zorte.net, 1 +zorz.info, 1 +zorzorfm.ml, 1 +zoske.it, 1 +zotan.email, 1 +zotan.network, 1 +zotan.photography, 1 +zotan.photos, 1 +zotan.pictures, 1 +zotan.services, 1 +zotan.stream, 1 +zotan.studio, 1 +zotan.systems, 1 +zotero.org, 1 +zoto.ga, 1 +zottika.com, 1 +zotum.net, 1 +zouaouitransport.fr, 1 +zoubaa.de, 0 +zouk.info, 1 +zouyaoji.top, 1 +zova.io, 1 +zovirax-cream.gq, 1 +zovirax-cream.ml, 1 +zovoscitvfu.cz, 1 +zowe.ru, 1 +zoznamka.tk, 1 +zoznamrealit.sk, 1 +zozzle.co.uk, 1 +zp25.ninja, 1 +zpapieru.pl, 1 +zpasathagroup.com, 1 +zpc.st, 1 +zphmetalus.pl, 1 +zpider.cloud, 1 +zporno.sex, 1 +zpozdeno.cz, 1 +zpozdrowieniem.pl, 1 +zprogramming.tk, 1 +zq.com.sg, 1 +zqwqz.org, 1 +zrali.com, 1 +zravyobrazky.cz, 1 +zravypapir.cz, 1 +zrejstejna.cz, 1 +zrgmedical.com, 1 +zrinski.tk, 1 +zrkhosting.com, 1 +zrkr.de, 1 +zrniecka-pre-sny.sk, 1 +zrnieckapresny.sk, 1 +zrobysama.com.ua, 1 +zrodla.org, 1 +zrs-meissen.de, 1 +zrucne.cz, 1 +zry.io, 1 +zs6688.cc, 0 +zsaqwq.com, 1 +zscaler.es, 1 +zscales.com, 0 +zsdublovice.cz, 1 +zseartcc.org, 1 +zselicivt.hu, 1 +zshmvp.com, 1 +zsien.cn, 1 +zsnm.pl, 1 +zsofit.com.au, 1 +zsoltbereczki.tk, 1 +zsplesivec.cz, 1 +zsq.im, 1 +zsrbcs.com, 1 +zstgmnachod.cz, 1 +zsyaolong.com, 0 +zt360.net, 1 +zta.training, 1 +ztable.io, 1 +ztbro.com, 1 +ztctarrin.com, 1 +zten.org, 1 +ztickerz.nl, 1 +ztmovies.cf, 1 +ztn.sh, 1 +ztu75.ru, 1 +ztv.su, 1 +ztylez.com, 1 +zuan-in.com, 1 +zuan-in.net, 1 +zubby.com, 1 +zubel.it, 0 +zubenciy.tk, 1 +zubilo-perm.ru, 1 +zubnivodni.cz, 1 +zubprotez.ru, 1 +zubr.net, 1 +zubro.net, 0 +zucalgrappe.it, 1 +zudomc.me, 1 +zuefle.net, 1 +zuehlcke.de, 1 +zuehlke-coaching.de, 1 +zuffel.com, 1 +zufuribita.tk, 1 +zug-anwalt.de, 0 +zuhausejobs.at, 1 +zuhausejobs.com, 1 +zuhauserealestate.com, 0 +zuhur2021.tk, 1 +zui.moe, 1 +zuiai.tv, 1 +zuiderlokaal.nl, 1 +zuidplein.nl, 1 +zuijia.com, 1 +zuim.de, 1 +zuitaotu.com, 1 +zuivelonline.nl, 1 +zuiverjegeest.nl, 1 +zukonar.ru, 1 +zukong.party, 1 +zukunft-mobilitaet.net, 1 +zukunftswege.at, 1 +zula.africa, 1 +zulaoyun.ml, 1 +zulfumehmet.tk, 1 +zulu.ro, 1 +zum-baur.de, 1 +zum-ziegenhainer.de, 1 +zumba-oostende.be, 1 +zumba.com, 1 +zumberak.tk, 1 +zummoricambi.com, 1 +zumtaedanceschool.co.za, 1 +zumturm.org, 1 +zumub.com, 1 +zumwildenaffen.com, 1 +zund-app.com, 1 +zundapp.one, 1 +zundapp529.nl, 1 +zundappachterhoek.nl, 1 +zunlong0.com, 1 +zuoai.net, 1 +zuomin.tk, 1 +zupit.it, 1 +zuppy.pm, 1 +zurgl.com, 1 +zurich.co.uk, 1 +zurmas-design.tk, 1 +zuru.ml, 1 +zuru.tk, 1 +zusammen-grossartig.de, 1 +zusjesvandenbos.nl, 1 +zuss.tk, 1 +zusterjansen.nl, 1 +zutobi.com, 0 +zuu.fi, 1 +zuviel.space, 1 +zuyzi.com, 1 +zuzu-market.ru, 1 +zuzulatomas.eu, 1 +zuzumba.es, 1 +zvcdn.de, 1 +zvejonys.lt, 1 +zverovod.info, 1 +zverskij-site.tk, 1 +zvezdy-porno.ml, 1 +zvps.uk, 1 +zvukipro.com, 1 +zvvtheboys.tk, 1 +zvxr.net, 1 +zvz.im, 1 +zwartendijkstalling.nl, 1 +zwedenautohuur.nl, 1 +zwemclub-rob.nl, 1 +zwemschooldezwaantjes.tk, 1 +zwergenfeste.ch, 1 +zwergenfreiheit.at, 1 +zwerimex.com, 1 +zwerkandsons.com, 1 +zwhblog.xyz, 0 +zwickau.de, 1 +zwilla.de, 1 +zwit.au, 1 +zwit.org, 1 +zwitserlandautohuur.nl, 1 +zwitterion.au, 1 +zwitterion.org, 1 +zwk.de, 1 +zwofroue.ch, 1 +zwollemag.nl, 1 +zwollemagazine.nl, 1 +zwr.de, 1 +zwrotzalot.pl, 1 +zwy.ch, 0 +zwyr157wwiu6eior.com, 1 +zwz.cz, 1 +zx1168.com, 0 +zxcs.wiki, 1 +zxdsj1.com, 1 +zxe.com.br, 1 +zxfiles.tk, 1 +zxity.co.uk, 1 +zxity.ltd, 1 +zxity.uk, 1 +zxssl.com, 0 +zxtcode.com, 1 +zy.md, 1 +zy.si, 1 +zybbo.com, 0 +zycao.com, 0 +zycie.news, 1 +zyciedirect.pl, 1 +zyciepl.com, 1 +zycjd.com, 0 +zycrypto.com, 1 +zydecozityradio.tk, 1 +zydronium.com, 1 +zydronium.nl, 1 +zyep.org, 1 +zyex.vip, 1 +zygfrydadamski.tk, 1 +zygmuntsergio.com, 1 +zygozoon.com, 1 +zyiaactive.com, 1 +zylai.com, 1 +zylai.net, 1 +zylo.com, 1 +zymewire.com, 1 +zymmm.com, 1 +zyno.space, 1 +zypernreisen.com, 1 +zypr.pw, 1 +zyrex.eu.org, 1 +zyria.de, 1 +zyrillezuno.com, 1 +zyshow.co, 1 +zyshow.net, 1 +zythom.fr, 1 +zythromax.ga, 1 +zyul.ddns.net, 1 +zywave.co.uk, 1 +zyx3d.tk, 1 +zyzardx.com, 1 +zz5197.co, 1 +zz6729.co, 1 +zz6729.com, 0 +zz6957.co, 1 +zz772.com, 0 +zz9297.co, 1 +zz9728.co, 1 +zz993.com, 1 +zzadmin.de, 1 +zzcc.de, 0 +zzcc.loan, 1 +zzekj.net, 1 +zzf.red, 1 +zzls.xyz, 1 +zzops.eu, 1 +zzops.net, 1 +zzops.nl, 1 +zzops.org, 1 +zzphuis.nl, 1 +zzsec.org, 1 +zzw.ca, 1 +zzz-diary.com, 1 +zzzmode.com, 1 +zzzz365.com, 0 +zzzzz.click, 1 +%% diff --git a/security/manager/ssl/nsSecureBrowserUI.cpp b/security/manager/ssl/nsSecureBrowserUI.cpp new file mode 100644 index 0000000000..4f56d7319f --- /dev/null +++ b/security/manager/ssl/nsSecureBrowserUI.cpp @@ -0,0 +1,168 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsSecureBrowserUI.h" + +#include "mozilla/Assertions.h" +#include "mozilla/Logging.h" +#include "mozilla/Unused.h" +#include "mozilla/dom/Document.h" +#include "nsContentUtils.h" +#include "nsIChannel.h" +#include "nsDocShell.h" +#include "nsIDocShellTreeItem.h" +#include "nsIInterfaceRequestorUtils.h" +#include "nsITransportSecurityInfo.h" +#include "nsIWebProgress.h" +#include "nsNetUtil.h" +#include "mozilla/dom/CanonicalBrowsingContext.h" +#include "mozilla/dom/WindowGlobalParent.h" +#include "mozilla/dom/Element.h" +#include "nsIBrowser.h" + +using namespace mozilla; +using namespace mozilla::dom; + +LazyLogModule gSecureBrowserUILog("nsSecureBrowserUI"); + +nsSecureBrowserUI::nsSecureBrowserUI(CanonicalBrowsingContext* aBrowsingContext) + : mState(0) { + MOZ_ASSERT(NS_IsMainThread()); + + // The BrowsingContext will own the SecureBrowserUI object, we keep a weak + // ref. + mBrowsingContextId = aBrowsingContext->Id(); +} + +NS_IMPL_ISUPPORTS(nsSecureBrowserUI, nsISecureBrowserUI, + nsISupportsWeakReference) + +NS_IMETHODIMP +nsSecureBrowserUI::GetState(uint32_t* aState) { + MOZ_ASSERT(NS_IsMainThread()); + NS_ENSURE_ARG(aState); + + MOZ_LOG(gSecureBrowserUILog, LogLevel::Debug, + ("GetState %p mState: %x", this, mState)); + *aState = mState; + return NS_OK; +} + +void nsSecureBrowserUI::RecomputeSecurityFlags() { + // Our BrowsingContext either has a new WindowGlobalParent, or the + // existing one has mutated its security state. + // Recompute our security state and fire notifications to listeners + + RefPtr<WindowGlobalParent> win = GetCurrentWindow(); + mState = nsIWebProgressListener::STATE_IS_INSECURE; + + // Only https is considered secure (it is possible to have e.g. an http URI + // with a channel that has a securityInfo that indicates the connection is + // secure - e.g. h2/alt-svc or by visiting an http URI over an https proxy). + nsCOMPtr<nsITransportSecurityInfo> securityInfo; + if (win && win->GetIsSecure()) { + securityInfo = win->GetSecurityInfo(); + if (securityInfo) { + MOZ_LOG(gSecureBrowserUILog, LogLevel::Debug, + (" we have a security info %p", securityInfo.get())); + + nsresult rv = securityInfo->GetSecurityState(&mState); + + // If the security state is STATE_IS_INSECURE, the TLS handshake never + // completed. Don't set any further state. + if (NS_SUCCEEDED(rv) && + mState != nsIWebProgressListener::STATE_IS_INSECURE) { + MOZ_LOG(gSecureBrowserUILog, LogLevel::Debug, + (" set mTopLevelSecurityInfo")); + bool isEV; + rv = securityInfo->GetIsExtendedValidation(&isEV); + if (NS_SUCCEEDED(rv) && isEV) { + MOZ_LOG(gSecureBrowserUILog, LogLevel::Debug, (" is EV")); + mState |= nsIWebProgressListener::STATE_IDENTITY_EV_TOPLEVEL; + } + } + } + } + + // Add upgraded-state flags when request has been + // upgraded with HTTPS-Only Mode + if (win) { + // Check if top-level load has been upgraded + uint32_t httpsOnlyStatus = win->HttpsOnlyStatus(); + if (!(httpsOnlyStatus & nsILoadInfo::HTTPS_ONLY_UNINITIALIZED) && + !(httpsOnlyStatus & nsILoadInfo::HTTPS_ONLY_EXEMPT)) { + mState |= nsIWebProgressListener::STATE_HTTPS_ONLY_MODE_UPGRADED; + } + if (httpsOnlyStatus & nsILoadInfo::HTTPS_ONLY_UPGRADED_HTTPS_FIRST) { + if (win->GetDocumentURI()->SchemeIs("https")) { + mState |= nsIWebProgressListener::STATE_HTTPS_ONLY_MODE_UPGRADED_FIRST; + } else { + mState |= nsIWebProgressListener::STATE_HTTPS_ONLY_MODE_UPGRADE_FAILED; + } + } + // Add the secruity flags from the window + mState |= win->GetSecurityFlags(); + } + + // If we have loaded mixed content and this is a secure page, + // then clear secure flags and add broken instead. + static const uint32_t kLoadedMixedContentFlags = + nsIWebProgressListener::STATE_LOADED_MIXED_DISPLAY_CONTENT | + nsIWebProgressListener::STATE_LOADED_MIXED_ACTIVE_CONTENT; + if (win && win->GetIsSecure() && (mState & kLoadedMixedContentFlags)) { + // reset state security flag + mState = mState >> 4 << 4; + // set state security flag to broken, since there is mixed content + mState |= nsIWebProgressListener::STATE_IS_BROKEN; + } + + RefPtr<CanonicalBrowsingContext> ctx = + CanonicalBrowsingContext::Get(mBrowsingContextId); + if (!ctx) { + return; + } + + if (ctx->GetDocShell()) { + nsDocShell* nativeDocShell = nsDocShell::Cast(ctx->GetDocShell()); + nativeDocShell->nsDocLoader::OnSecurityChange(nullptr, mState); + } else if (ctx->GetWebProgress()) { + ctx->GetWebProgress()->OnSecurityChange(nullptr, nullptr, mState); + } +} + +NS_IMETHODIMP +nsSecureBrowserUI::GetIsSecureContext(bool* aIsSecureContext) { + MOZ_ASSERT(NS_IsMainThread()); + NS_ENSURE_ARG(aIsSecureContext); + + if (WindowGlobalParent* parent = GetCurrentWindow()) { + *aIsSecureContext = parent->GetIsSecureContext(); + } else { + *aIsSecureContext = false; + } + return NS_OK; +} + +NS_IMETHODIMP +nsSecureBrowserUI::GetSecInfo(nsITransportSecurityInfo** result) { + MOZ_ASSERT(NS_IsMainThread()); + NS_ENSURE_ARG_POINTER(result); + + if (WindowGlobalParent* parent = GetCurrentWindow()) { + *result = parent->GetSecurityInfo(); + } + NS_IF_ADDREF(*result); + + return NS_OK; +} + +WindowGlobalParent* nsSecureBrowserUI::GetCurrentWindow() { + RefPtr<CanonicalBrowsingContext> ctx = + CanonicalBrowsingContext::Get(mBrowsingContextId); + if (!ctx) { + return nullptr; + } + return ctx->GetCurrentWindowGlobal(); +} diff --git a/security/manager/ssl/nsSecureBrowserUI.h b/security/manager/ssl/nsSecureBrowserUI.h new file mode 100644 index 0000000000..a71d9ebde4 --- /dev/null +++ b/security/manager/ssl/nsSecureBrowserUI.h @@ -0,0 +1,53 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef nsSecureBrowserUIImpl_h +#define nsSecureBrowserUIImpl_h + +#include "nsCOMPtr.h" +#include "nsISecureBrowserUI.h" +#include "nsITransportSecurityInfo.h" +#include "nsIWebProgressListener.h" +#include "nsWeakReference.h" + +class nsITransportSecurityInfo; +class nsIChannel; + +namespace mozilla { +namespace dom { +class Document; +class WindowGlobalParent; +class CanonicalBrowsingContext; +} // namespace dom +} // namespace mozilla + +#define NS_SECURE_BROWSER_UI_CID \ + { \ + 0xcc75499a, 0x1dd1, 0x11b2, { \ + 0x8a, 0x82, 0xca, 0x41, 0x0a, 0xc9, 0x07, 0xb8 \ + } \ + } + +class nsSecureBrowserUI : public nsISecureBrowserUI, + public nsSupportsWeakReference { + public: + explicit nsSecureBrowserUI( + mozilla::dom::CanonicalBrowsingContext* aBrowsingContext); + + NS_DECL_ISUPPORTS + NS_DECL_NSISECUREBROWSERUI + + void RecomputeSecurityFlags(); + + protected: + virtual ~nsSecureBrowserUI() = default; + + mozilla::dom::WindowGlobalParent* GetCurrentWindow(); + + uint32_t mState; + uint64_t mBrowsingContextId; +}; + +#endif // nsSecureBrowserUIImpl_h diff --git a/security/manager/ssl/nsSecurityHeaderParser.cpp b/security/manager/ssl/nsSecurityHeaderParser.cpp new file mode 100644 index 0000000000..d9d9d48bc0 --- /dev/null +++ b/security/manager/ssl/nsSecurityHeaderParser.cpp @@ -0,0 +1,206 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsSecurityHeaderParser.h" +#include "mozilla/Logging.h" + +// The character classes in this file are informed by [RFC2616], Section 2.2. +// signed char is a signed data type one byte (8 bits) wide, so its value can +// never be greater than 127. The following implicitly makes use of this. + +// A token is one or more CHAR except CTLs or separators. +// A CHAR is any US-ASCII character (octets 0 - 127). +// A CTL is any US-ASCII control character (octets 0 - 31) and DEL (127). +// A separator is one of ()<>@,;:\"/[]?={} as well as space and +// horizontal-tab (32 and 9, respectively). +// So, this returns true if chr is any octet 33-126 except ()<>@,;:\"/[]?={} +bool IsTokenSymbol(signed char chr) { + if (chr < 33 || chr == 127 || chr == '(' || chr == ')' || chr == '<' || + chr == '>' || chr == '@' || chr == ',' || chr == ';' || chr == ':' || + chr == '"' || chr == '/' || chr == '[' || chr == ']' || chr == '?' || + chr == '=' || chr == '{' || chr == '}' || chr == '\\') { + return false; + } + return true; +} + +// A quoted-string consists of a quote (") followed by any amount of +// qdtext or quoted-pair, followed by a quote. +// qdtext is any TEXT except a quote. +// TEXT is any 8-bit octet except CTLs, but including LWS. +// quoted-pair is a backslash (\) followed by a CHAR. +// So, it turns out, \ can't really be a qdtext symbol for our purposes. +// This returns true if chr is any octet 9,10,13,32-126 except <"> or "\" +bool IsQuotedTextSymbol(signed char chr) { + return ((chr >= 32 && chr != '"' && chr != '\\' && chr != 127) || + chr == 0x9 || chr == 0xa || chr == 0xd); +} + +// The octet following the "\" in a quoted pair can be anything 0-127. +bool IsQuotedPairSymbol(signed char chr) { return (chr >= 0); } + +static mozilla::LazyLogModule sSHParserLog("nsSecurityHeaderParser"); + +#define SHPARSERLOG(args) MOZ_LOG(sSHParserLog, mozilla::LogLevel::Debug, args) + +nsSecurityHeaderParser::nsSecurityHeaderParser(const nsCString& aHeader) + : mCursor(aHeader.get()), mDirective(nullptr), mError(false) {} + +nsSecurityHeaderParser::~nsSecurityHeaderParser() { + nsSecurityHeaderDirective* directive; + while ((directive = mDirectives.popFirst())) { + delete directive; + } +} + +mozilla::LinkedList<nsSecurityHeaderDirective>* +nsSecurityHeaderParser::GetDirectives() { + return &mDirectives; +} + +nsresult nsSecurityHeaderParser::Parse() { + MOZ_ASSERT(mDirectives.isEmpty()); + SHPARSERLOG(("trying to parse '%s'", mCursor)); + + Header(); + + // if we didn't consume the entire input, we were unable to parse it => error + if (mError || *mCursor) { + return NS_ERROR_FAILURE; + } else { + return NS_OK; + } +} + +bool nsSecurityHeaderParser::Accept(char aChr) { + if (*mCursor == aChr) { + Advance(); + return true; + } + + return false; +} + +bool nsSecurityHeaderParser::Accept(bool (*aClassifier)(signed char)) { + if (aClassifier(*mCursor)) { + Advance(); + return true; + } + + return false; +} + +void nsSecurityHeaderParser::Expect(char aChr) { + if (*mCursor != aChr) { + mError = true; + } else { + Advance(); + } +} + +void nsSecurityHeaderParser::Advance() { + // Technically, 0 is valid in quoted-pair, but we were handed a + // null-terminated const char *, so this doesn't handle that. + if (*mCursor) { + mOutput.Append(*mCursor); + mCursor++; + } else { + mError = true; + } +} + +void nsSecurityHeaderParser::Header() { + Directive(); + while (Accept(';')) { + Directive(); + } +} + +void nsSecurityHeaderParser::Directive() { + mDirective = new nsSecurityHeaderDirective(); + LWSMultiple(); + DirectiveName(); + LWSMultiple(); + if (Accept('=')) { + LWSMultiple(); + DirectiveValue(); + LWSMultiple(); + } + mDirectives.insertBack(mDirective); + SHPARSERLOG(("read directive name '%s', value '%s'", mDirective->mName.Data(), + mDirective->mValue.Data())); +} + +void nsSecurityHeaderParser::DirectiveName() { + mOutput.Truncate(0); + Token(); + mDirective->mName.Assign(mOutput); +} + +void nsSecurityHeaderParser::DirectiveValue() { + mOutput.Truncate(0); + if (Accept(IsTokenSymbol)) { + Token(); + mDirective->mValue.Assign(mOutput); + } else if (Accept('"')) { + // Accept advances the cursor if successful, which appends a character to + // mOutput. The " is not part of what we want to capture, so truncate + // mOutput again. + mOutput.Truncate(0); + QuotedString(); + mDirective->mValue.Assign(mOutput); + Expect('"'); + } +} + +void nsSecurityHeaderParser::Token() { + while (Accept(IsTokenSymbol)) + ; +} + +void nsSecurityHeaderParser::QuotedString() { + while (true) { + if (Accept(IsQuotedTextSymbol)) { + QuotedText(); + } else if (Accept('\\')) { + QuotedPair(); + } else { + break; + } + } +} + +void nsSecurityHeaderParser::QuotedText() { + while (Accept(IsQuotedTextSymbol)) + ; +} + +void nsSecurityHeaderParser::QuotedPair() { Accept(IsQuotedPairSymbol); } + +void nsSecurityHeaderParser::LWSMultiple() { + while (true) { + if (Accept('\r')) { + LWSCRLF(); + } else if (Accept(' ') || Accept('\t')) { + LWS(); + } else { + break; + } + } +} + +void nsSecurityHeaderParser::LWSCRLF() { + Expect('\n'); + if (!(Accept(' ') || Accept('\t'))) { + mError = true; + } + LWS(); +} + +void nsSecurityHeaderParser::LWS() { + // Note that becaue of how we're called, we don't have to check for + // the mandatory presense of at least one of SP or HT. + while (Accept(' ') || Accept('\t')) + ; +} diff --git a/security/manager/ssl/nsSecurityHeaderParser.h b/security/manager/ssl/nsSecurityHeaderParser.h new file mode 100644 index 0000000000..5cb50d425a --- /dev/null +++ b/security/manager/ssl/nsSecurityHeaderParser.h @@ -0,0 +1,78 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef nsSecurityHeaderParser_h +#define nsSecurityHeaderParser_h + +#include "mozilla/LinkedList.h" +#include "nsCOMPtr.h" +#include "nsString.h" + +// Utility class for handing back parsed directives and (optional) values +class nsSecurityHeaderDirective + : public mozilla::LinkedListElement<nsSecurityHeaderDirective> { + public: + nsCString mName; + nsCString mValue; +}; + +// This class parses security-related HTTP headers like +// Strict-Transport-Security. The Augmented Backus-Naur Form syntax for this +// header is reproduced below, for reference: +// +// Strict-Transport-Security = "Strict-Transport-Security" ":" +// [ directive ] *( ";" [ directive ] ) +// +// directive = directive-name [ "=" directive-value ] +// directive-name = token +// directive-value = token | quoted-string +// +// where: +// +// token = <token, defined in [RFC2616], Section 2.2> +// quoted-string = <quoted-string, defined in [RFC2616], Section 2.2>/ +// +// For further reference, see [RFC6797], Section 6.1 + +class nsSecurityHeaderParser { + public: + // The input to this class must be null-terminated, and must have a lifetime + // greater than or equal to the lifetime of the created + // nsSecurityHeaderParser. + explicit nsSecurityHeaderParser(const nsCString& aHeader); + ~nsSecurityHeaderParser(); + + // Only call Parse once. + nsresult Parse(); + // The caller does not take ownership of the memory returned here. + mozilla::LinkedList<nsSecurityHeaderDirective>* GetDirectives(); + + private: + bool Accept(char aChr); + bool Accept(bool (*aClassifier)(signed char)); + void Expect(char aChr); + void Advance(); + void Header(); // header = [ directive ] *( ";" [ directive ] ) + void Directive(); // directive = directive-name [ "=" directive-value ] + void DirectiveName(); // directive-name = token + void DirectiveValue(); // directive-value = token | quoted-string + void Token(); // token = 1*<any CHAR except CTLs or separators> + void QuotedString(); // quoted-string = (<"> *( qdtext | quoted-pair ) <">) + void QuotedText(); // qdtext = <any TEXT except <"> and "\"> + void QuotedPair(); // quoted-pair = "\" CHAR + + // LWS = [CRLF] 1*( SP | HT ) + void LWSMultiple(); // Handles *( LWS ) + void LWSCRLF(); // Handles the [CRLF] part of LWS + void LWS(); // Handles the 1*( SP | HT ) part of LWS + + mozilla::LinkedList<nsSecurityHeaderDirective> mDirectives; + const char* mCursor; + nsSecurityHeaderDirective* mDirective; + + nsCString mOutput; + bool mError; +}; + +#endif // nsSecurityHeaderParser_h diff --git a/security/manager/ssl/nsSiteSecurityService.cpp b/security/manager/ssl/nsSiteSecurityService.cpp new file mode 100644 index 0000000000..b975d9d66a --- /dev/null +++ b/security/manager/ssl/nsSiteSecurityService.cpp @@ -0,0 +1,1011 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsSiteSecurityService.h" + +#include "PublicKeyPinningService.h" +#include "mozilla/Assertions.h" +#include "mozilla/Base64.h" +#include "mozilla/LinkedList.h" +#include "mozilla/Logging.h" +#include "mozilla/Preferences.h" +#include "mozilla/Tokenizer.h" +#include "mozilla/dom/PContent.h" +#include "mozilla/dom/ToJSValue.h" +#include "nsCOMArray.h" +#include "nsIScriptSecurityManager.h" +#include "nsISocketProvider.h" +#include "nsIURI.h" +#include "nsNSSComponent.h" +#include "nsNetUtil.h" +#include "nsPromiseFlatString.h" +#include "nsReadableUtils.h" +#include "nsSecurityHeaderParser.h" +#include "nsThreadUtils.h" +#include "nsVariant.h" +#include "nsXULAppAPI.h" +#include "prnetdb.h" + +// A note about the preload list: +// When a site specifically disables HSTS by sending a header with +// 'max-age: 0', we keep a "knockout" value that means "we have no information +// regarding the HSTS state of this host" (any ancestor of "this host" can still +// influence its HSTS status via include subdomains, however). +// This prevents the preload list from overriding the site's current +// desired HSTS status. +#include "nsSTSPreloadListGenerated.inc" + +using namespace mozilla; +using namespace mozilla::psm; + +static LazyLogModule gSSSLog("nsSSService"); + +#define SSSLOG(args) MOZ_LOG(gSSSLog, mozilla::LogLevel::Debug, args) + +static const nsLiteralCString kHSTSKeySuffix = ":HSTS"_ns; + +//////////////////////////////////////////////////////////////////////////////// + +namespace { + +class SSSTokenizer final : public Tokenizer { + public: + explicit SSSTokenizer(const nsACString& source) : Tokenizer(source) {} + + [[nodiscard]] bool ReadBool(/*out*/ bool& value) { + uint8_t rawValue; + if (!ReadInteger(&rawValue)) { + return false; + } + + if (rawValue != 0 && rawValue != 1) { + return false; + } + + value = (rawValue == 1); + return true; + } + + [[nodiscard]] bool ReadState(/*out*/ SecurityPropertyState& state) { + uint32_t rawValue; + if (!ReadInteger(&rawValue)) { + return false; + } + + state = static_cast<SecurityPropertyState>(rawValue); + switch (state) { + case SecurityPropertyKnockout: + case SecurityPropertySet: + case SecurityPropertyUnset: + break; + default: + return false; + } + + return true; + } +}; + +// Parses a state string like "1500918564034,1,1" into its constituent parts. +bool ParseHSTSState(const nsCString& stateString, + /*out*/ PRTime& expireTime, + /*out*/ SecurityPropertyState& state, + /*out*/ bool& includeSubdomains) { + SSSTokenizer tokenizer(stateString); + SSSLOG(("Parsing state from %s", stateString.get())); + + if (!tokenizer.ReadInteger(&expireTime)) { + return false; + } + + if (!tokenizer.CheckChar(',')) { + return false; + } + + if (!tokenizer.ReadState(state)) { + return false; + } + + if (!tokenizer.CheckChar(',')) { + return false; + } + + if (!tokenizer.ReadBool(includeSubdomains)) { + return false; + } + + if (tokenizer.CheckChar(',')) { + // Read now-unused "source" field. + uint32_t unused; + if (!tokenizer.ReadInteger(&unused)) { + return false; + } + } + + return tokenizer.CheckEOF(); +} + +} // namespace + +SiteHSTSState::SiteHSTSState(const nsCString& aHost, + const OriginAttributes& aOriginAttributes, + const nsCString& aStateString) + : mHostname(aHost), + mOriginAttributes(aOriginAttributes), + mHSTSExpireTime(0), + mHSTSState(SecurityPropertyUnset), + mHSTSIncludeSubdomains(false) { + bool valid = ParseHSTSState(aStateString, mHSTSExpireTime, mHSTSState, + mHSTSIncludeSubdomains); + if (!valid) { + SSSLOG(("%s is not a valid SiteHSTSState", aStateString.get())); + mHSTSExpireTime = 0; + mHSTSState = SecurityPropertyUnset; + mHSTSIncludeSubdomains = false; + } +} + +SiteHSTSState::SiteHSTSState(const nsCString& aHost, + const OriginAttributes& aOriginAttributes, + PRTime aHSTSExpireTime, + SecurityPropertyState aHSTSState, + bool aHSTSIncludeSubdomains) + + : mHostname(aHost), + mOriginAttributes(aOriginAttributes), + mHSTSExpireTime(aHSTSExpireTime), + mHSTSState(aHSTSState), + mHSTSIncludeSubdomains(aHSTSIncludeSubdomains) {} + +void SiteHSTSState::ToString(nsCString& aString) { + aString.Truncate(); + aString.AppendInt(mHSTSExpireTime); + aString.Append(','); + aString.AppendInt(mHSTSState); + aString.Append(','); + aString.AppendInt(static_cast<uint32_t>(mHSTSIncludeSubdomains)); +} + +nsSiteSecurityService::nsSiteSecurityService() + : mUsePreloadList(true), mPreloadListTimeOffset(0), mDafsa(kDafsa) {} + +nsSiteSecurityService::~nsSiteSecurityService() = default; + +NS_IMPL_ISUPPORTS(nsSiteSecurityService, nsIObserver, nsISiteSecurityService) + +nsresult nsSiteSecurityService::Init() { + // Don't access Preferences off the main thread. + if (!NS_IsMainThread()) { + MOZ_ASSERT_UNREACHABLE("nsSiteSecurityService initialized off main thread"); + return NS_ERROR_NOT_SAME_THREAD; + } + + mUsePreloadList = mozilla::Preferences::GetBool( + "network.stricttransportsecurity.preloadlist", true); + mozilla::Preferences::AddStrongObserver( + this, "network.stricttransportsecurity.preloadlist"); + mPreloadListTimeOffset = + mozilla::Preferences::GetInt("test.currentTimeOffsetSeconds", 0); + mozilla::Preferences::AddStrongObserver(this, + "test.currentTimeOffsetSeconds"); + nsCOMPtr<nsIDataStorageManager> dataStorageManager( + do_GetService("@mozilla.org/security/datastoragemanager;1")); + if (!dataStorageManager) { + return NS_ERROR_FAILURE; + } + nsresult rv = + dataStorageManager->Get(nsIDataStorageManager::SiteSecurityServiceState, + getter_AddRefs(mSiteStateStorage)); + if (NS_FAILED(rv)) { + return rv; + } + if (!mSiteStateStorage) { + return NS_ERROR_FAILURE; + } + + return NS_OK; +} + +nsresult nsSiteSecurityService::GetHost(nsIURI* aURI, nsACString& aResult) { + nsCOMPtr<nsIURI> innerURI = NS_GetInnermostURI(aURI); + if (!innerURI) { + return NS_ERROR_FAILURE; + } + + nsAutoCString host; + nsresult rv = innerURI->GetAsciiHost(host); + if (NS_FAILED(rv)) { + return rv; + } + + aResult.Assign(PublicKeyPinningService::CanonicalizeHostname(host.get())); + if (aResult.IsEmpty()) { + return NS_ERROR_UNEXPECTED; + } + + return NS_OK; +} + +static void NormalizePartitionKey(nsString& partitionKey) { + // If present, the partitionKey will be of the form + // "(<scheme>,<domain>[,port>])" (where "<scheme>" will be "https" or "http" + // and "<port>", if present, will be a port number). This normalizes the + // scheme to "https" and strips the port so that a domain noted as HSTS will + // be HSTS regardless of scheme and port, as per the RFC. + Tokenizer16 tokenizer(partitionKey, nullptr, u".-_"); + if (!tokenizer.CheckChar(u'(')) { + return; + } + nsString scheme; + if (!(tokenizer.ReadWord(scheme))) { + return; + } + if (!tokenizer.CheckChar(u',')) { + return; + } + nsString host; + if (!tokenizer.ReadWord(host)) { + return; + } + partitionKey.Assign(u"(https,"); + partitionKey.Append(host); + partitionKey.Append(u")"); +} + +// Uses the previous format of storage key. Only to be used for migrating old +// entries. +static void GetOldStorageKey(const nsACString& hostname, + const OriginAttributes& aOriginAttributes, + /*out*/ nsAutoCString& storageKey) { + storageKey = hostname; + + // Don't isolate by userContextId. + OriginAttributes originAttributesNoUserContext = aOriginAttributes; + originAttributesNoUserContext.mUserContextId = + nsIScriptSecurityManager::DEFAULT_USER_CONTEXT_ID; + nsAutoCString originAttributesSuffix; + originAttributesNoUserContext.CreateSuffix(originAttributesSuffix); + storageKey.Append(originAttributesSuffix); + storageKey.Append(kHSTSKeySuffix); +} + +static void GetStorageKey(const nsACString& hostname, + const OriginAttributes& aOriginAttributes, + /*out*/ nsAutoCString& storageKey) { + storageKey = hostname; + + // Don't isolate by userContextId. + OriginAttributes originAttributesNoUserContext = aOriginAttributes; + originAttributesNoUserContext.mUserContextId = + nsIScriptSecurityManager::DEFAULT_USER_CONTEXT_ID; + NormalizePartitionKey(originAttributesNoUserContext.mPartitionKey); + nsAutoCString originAttributesSuffix; + originAttributesNoUserContext.CreateSuffix(originAttributesSuffix); + storageKey.Append(originAttributesSuffix); +} + +// Expire times are in millis. Since Headers max-age is in seconds, and +// PR_Now() is in micros, normalize the units at milliseconds. +static int64_t ExpireTimeFromMaxAge(uint64_t maxAge) { + return (PR_Now() / PR_USEC_PER_MSEC) + ((int64_t)maxAge * PR_MSEC_PER_SEC); +} + +inline uint64_t AbsoluteDifference(int64_t a, int64_t b) { + if (a <= b) { + return b - a; + } + return a - b; +} + +const uint64_t sOneDayInMilliseconds = 24 * 60 * 60 * 1000; + +nsresult nsSiteSecurityService::SetHSTSState( + const char* aHost, int64_t maxage, bool includeSubdomains, + SecurityPropertyState aHSTSState, + const OriginAttributes& aOriginAttributes) { + nsAutoCString hostname(aHost); + // If max-age is zero, the host is no longer considered HSTS. If the host was + // preloaded, we store an entry indicating that this host is not HSTS, causing + // the preloaded information to be ignored. + if (maxage == 0) { + return MarkHostAsNotHSTS(hostname, aOriginAttributes); + } + + MOZ_ASSERT(aHSTSState == SecurityPropertySet, + "HSTS State must be SecurityPropertySet"); + + int64_t expiretime = ExpireTimeFromMaxAge(maxage); + SiteHSTSState siteState(hostname, aOriginAttributes, expiretime, aHSTSState, + includeSubdomains); + nsAutoCString stateString; + siteState.ToString(stateString); + SSSLOG(("SSS: setting state for %s", hostname.get())); + bool isPrivate = aOriginAttributes.mPrivateBrowsingId > 0; + nsIDataStorage::DataType storageType = + isPrivate ? nsIDataStorage::DataType::Private + : nsIDataStorage::DataType::Persistent; + SSSLOG(("SSS: storing HSTS site entry for %s", hostname.get())); + nsAutoCString value; + nsresult rv = + GetWithMigration(hostname, aOriginAttributes, storageType, value); + // If this fails for a reason other than nothing by that key exists, + // propagate the failure. + if (NS_FAILED(rv) && rv != NS_ERROR_NOT_AVAILABLE) { + return rv; + } + // This is an entirely new entry. + if (rv == NS_ERROR_NOT_AVAILABLE) { + nsAutoCString storageKey; + GetStorageKey(hostname, aOriginAttributes, storageKey); + return mSiteStateStorage->Put(storageKey, stateString, storageType); + } + // Otherwise, only update the backing storage if the currently-stored state + // is different. In the case of expiration time, "different" means "is + // different by more than a day". + SiteHSTSState curSiteState(hostname, aOriginAttributes, value); + if (curSiteState.mHSTSState != siteState.mHSTSState || + curSiteState.mHSTSIncludeSubdomains != siteState.mHSTSIncludeSubdomains || + AbsoluteDifference(curSiteState.mHSTSExpireTime, + siteState.mHSTSExpireTime) > sOneDayInMilliseconds) { + rv = + PutWithMigration(hostname, aOriginAttributes, storageType, stateString); + if (NS_FAILED(rv)) { + return rv; + } + } + + return NS_OK; +} + +// Helper function to mark a host as not HSTS. In the general case, we can just +// remove the HSTS state. However, for preloaded entries, we have to store an +// entry that indicates this host is not HSTS to prevent the implementation +// using the preloaded information. +nsresult nsSiteSecurityService::MarkHostAsNotHSTS( + const nsAutoCString& aHost, const OriginAttributes& aOriginAttributes) { + bool isPrivate = aOriginAttributes.mPrivateBrowsingId > 0; + nsIDataStorage::DataType storageType = + isPrivate ? nsIDataStorage::DataType::Private + : nsIDataStorage::DataType::Persistent; + if (GetPreloadStatus(aHost)) { + SSSLOG(("SSS: storing knockout entry for %s", aHost.get())); + SiteHSTSState siteState(aHost, aOriginAttributes, 0, + SecurityPropertyKnockout, false); + nsAutoCString stateString; + siteState.ToString(stateString); + nsresult rv = + PutWithMigration(aHost, aOriginAttributes, storageType, stateString); + NS_ENSURE_SUCCESS(rv, rv); + } else { + SSSLOG(("SSS: removing entry for %s", aHost.get())); + RemoveWithMigration(aHost, aOriginAttributes, storageType); + } + + return NS_OK; +} + +NS_IMETHODIMP +nsSiteSecurityService::ResetState(nsIURI* aURI, + JS::Handle<JS::Value> aOriginAttributes, + nsISiteSecurityService::ResetStateBy aScope, + JSContext* aCx, uint8_t aArgc) { + if (!aURI) { + return NS_ERROR_INVALID_ARG; + } + + OriginAttributes originAttributes; + if (aArgc > 0) { + // OriginAttributes were passed in. + if (!aOriginAttributes.isObject() || + !originAttributes.Init(aCx, aOriginAttributes)) { + return NS_ERROR_INVALID_ARG; + } + } + nsISiteSecurityService::ResetStateBy scope = + nsISiteSecurityService::ResetStateBy::ExactDomain; + if (aArgc > 1) { + // ResetStateBy scope was passed in + scope = aScope; + } + + return ResetStateInternal(aURI, originAttributes, scope); +} + +// Helper function to reset stored state of the given type for the host +// identified by the given URI. If there is preloaded information for the host, +// that information will be used for future queries. C.f. MarkHostAsNotHSTS, +// which will store a knockout entry for preloaded HSTS hosts that have sent a +// header with max-age=0 (meaning preloaded information will then not be used +// for that host). +nsresult nsSiteSecurityService::ResetStateInternal( + nsIURI* aURI, const OriginAttributes& aOriginAttributes, + nsISiteSecurityService::ResetStateBy aScope) { + if (!aURI) { + return NS_ERROR_INVALID_ARG; + } + nsAutoCString hostname; + nsresult rv = GetHost(aURI, hostname); + if (NS_FAILED(rv)) { + return rv; + } + + OriginAttributes normalizedOriginAttributes(aOriginAttributes); + NormalizePartitionKey(normalizedOriginAttributes.mPartitionKey); + + if (aScope == ResetStateBy::ExactDomain) { + ResetStateForExactDomain(hostname, normalizedOriginAttributes); + return NS_OK; + } + + nsTArray<RefPtr<nsIDataStorageItem>> items; + rv = mSiteStateStorage->GetAll(items); + if (NS_FAILED(rv)) { + return rv; + } + for (const auto& item : items) { + static const nsLiteralCString kHPKPKeySuffix = ":HPKP"_ns; + nsAutoCString key; + rv = item->GetKey(key); + if (NS_FAILED(rv)) { + return rv; + } + nsAutoCString value; + rv = item->GetValue(value); + if (NS_FAILED(rv)) { + return rv; + } + if (StringEndsWith(key, kHPKPKeySuffix)) { + (void)mSiteStateStorage->Remove(key, + nsIDataStorage::DataType::Persistent); + continue; + } + size_t suffixLength = + StringEndsWith(key, kHSTSKeySuffix) ? kHSTSKeySuffix.Length() : 0; + nsCString origin(StringHead(key, key.Length() - suffixLength)); + nsAutoCString itemHostname; + OriginAttributes itemOriginAttributes; + if (!itemOriginAttributes.PopulateFromOrigin(origin, itemHostname)) { + continue; + } + bool hasRootDomain = false; + nsresult rv = net::HasRootDomain(itemHostname, hostname, &hasRootDomain); + if (NS_FAILED(rv)) { + continue; + } + if (hasRootDomain) { + ResetStateForExactDomain(itemHostname, itemOriginAttributes); + } else if (aScope == ResetStateBy::BaseDomain) { + mozilla::dom::PartitionKeyPatternDictionary partitionKeyPattern; + partitionKeyPattern.mBaseDomain.Construct( + NS_ConvertUTF8toUTF16(hostname)); + OriginAttributesPattern originAttributesPattern; + originAttributesPattern.mPartitionKeyPattern.Construct( + partitionKeyPattern); + if (originAttributesPattern.Matches(itemOriginAttributes)) { + ResetStateForExactDomain(itemHostname, itemOriginAttributes); + } + } + } + return NS_OK; +} + +void nsSiteSecurityService::ResetStateForExactDomain( + const nsCString& aHostname, const OriginAttributes& aOriginAttributes) { + bool isPrivate = aOriginAttributes.mPrivateBrowsingId > 0; + nsIDataStorage::DataType storageType = + isPrivate ? nsIDataStorage::DataType::Private + : nsIDataStorage::DataType::Persistent; + RemoveWithMigration(aHostname, aOriginAttributes, storageType); +} + +bool nsSiteSecurityService::HostIsIPAddress(const nsCString& hostname) { + PRNetAddr hostAddr; + PRErrorCode prv = PR_StringToNetAddr(hostname.get(), &hostAddr); + return (prv == PR_SUCCESS); +} + +NS_IMETHODIMP +nsSiteSecurityService::ProcessHeaderScriptable( + nsIURI* aSourceURI, const nsACString& aHeader, + JS::Handle<JS::Value> aOriginAttributes, uint64_t* aMaxAge, + bool* aIncludeSubdomains, uint32_t* aFailureResult, JSContext* aCx, + uint8_t aArgc) { + OriginAttributes originAttributes; + if (aArgc > 0) { + if (!aOriginAttributes.isObject() || + !originAttributes.Init(aCx, aOriginAttributes)) { + return NS_ERROR_INVALID_ARG; + } + } + return ProcessHeader(aSourceURI, aHeader, originAttributes, aMaxAge, + aIncludeSubdomains, aFailureResult); +} + +NS_IMETHODIMP +nsSiteSecurityService::ProcessHeader(nsIURI* aSourceURI, + const nsACString& aHeader, + const OriginAttributes& aOriginAttributes, + uint64_t* aMaxAge, + bool* aIncludeSubdomains, + uint32_t* aFailureResult) { + if (aFailureResult) { + *aFailureResult = nsISiteSecurityService::ERROR_UNKNOWN; + } + return ProcessHeaderInternal(aSourceURI, PromiseFlatCString(aHeader), + aOriginAttributes, aMaxAge, aIncludeSubdomains, + aFailureResult); +} + +nsresult nsSiteSecurityService::ProcessHeaderInternal( + nsIURI* aSourceURI, const nsCString& aHeader, + const OriginAttributes& aOriginAttributes, uint64_t* aMaxAge, + bool* aIncludeSubdomains, uint32_t* aFailureResult) { + if (aFailureResult) { + *aFailureResult = nsISiteSecurityService::ERROR_UNKNOWN; + } + if (aMaxAge != nullptr) { + *aMaxAge = 0; + } + + if (aIncludeSubdomains != nullptr) { + *aIncludeSubdomains = false; + } + + nsAutoCString host; + nsresult rv = GetHost(aSourceURI, host); + NS_ENSURE_SUCCESS(rv, rv); + if (HostIsIPAddress(host)) { + /* Don't process headers if a site is accessed by IP address. */ + return NS_OK; + } + + return ProcessSTSHeader(aSourceURI, aHeader, aOriginAttributes, aMaxAge, + aIncludeSubdomains, aFailureResult); +} + +static uint32_t ParseSSSHeaders(const nsCString& aHeader, + bool& foundIncludeSubdomains, bool& foundMaxAge, + bool& foundUnrecognizedDirective, + uint64_t& maxAge) { + // "Strict-Transport-Security" ":" OWS + // STS-d *( OWS ";" OWS STS-d OWS) + // + // ; STS directive + // STS-d = maxAge / includeSubDomains + // + // maxAge = "max-age" "=" delta-seconds v-ext + // + // includeSubDomains = [ "includeSubDomains" ] + // + // The order of the directives is not significant. + // All directives must appear only once. + // Directive names are case-insensitive. + // The entire header is invalid if a directive not conforming to the + // syntax is encountered. + // Unrecognized directives (that are otherwise syntactically valid) are + // ignored, and the rest of the header is parsed as normal. + + constexpr auto max_age_var = "max-age"_ns; + constexpr auto include_subd_var = "includesubdomains"_ns; + + nsSecurityHeaderParser parser(aHeader); + nsresult rv = parser.Parse(); + if (NS_FAILED(rv)) { + SSSLOG(("SSS: could not parse header")); + return nsISiteSecurityService::ERROR_COULD_NOT_PARSE_HEADER; + } + mozilla::LinkedList<nsSecurityHeaderDirective>* directives = + parser.GetDirectives(); + + for (nsSecurityHeaderDirective* directive = directives->getFirst(); + directive != nullptr; directive = directive->getNext()) { + SSSLOG(("SSS: found directive %s\n", directive->mName.get())); + if (directive->mName.EqualsIgnoreCase(max_age_var)) { + if (foundMaxAge) { + SSSLOG(("SSS: found two max-age directives")); + return nsISiteSecurityService::ERROR_MULTIPLE_MAX_AGES; + } + + SSSLOG(("SSS: found max-age directive")); + foundMaxAge = true; + + Tokenizer tokenizer(directive->mValue); + if (!tokenizer.ReadInteger(&maxAge)) { + SSSLOG(("SSS: could not parse delta-seconds")); + return nsISiteSecurityService::ERROR_INVALID_MAX_AGE; + } + + if (!tokenizer.CheckEOF()) { + SSSLOG(("SSS: invalid value for max-age directive")); + return nsISiteSecurityService::ERROR_INVALID_MAX_AGE; + } + + SSSLOG(("SSS: parsed delta-seconds: %" PRIu64, maxAge)); + } else if (directive->mName.EqualsIgnoreCase(include_subd_var)) { + if (foundIncludeSubdomains) { + SSSLOG(("SSS: found two includeSubdomains directives")); + return nsISiteSecurityService::ERROR_MULTIPLE_INCLUDE_SUBDOMAINS; + } + + SSSLOG(("SSS: found includeSubdomains directive")); + foundIncludeSubdomains = true; + + if (directive->mValue.Length() != 0) { + SSSLOG(("SSS: includeSubdomains directive unexpectedly had value '%s'", + directive->mValue.get())); + return nsISiteSecurityService::ERROR_INVALID_INCLUDE_SUBDOMAINS; + } + } else { + SSSLOG(("SSS: ignoring unrecognized directive '%s'", + directive->mName.get())); + foundUnrecognizedDirective = true; + } + } + return nsISiteSecurityService::Success; +} + +// 100 years is wildly longer than anyone will ever need. +const uint64_t sMaxMaxAgeInSeconds = UINT64_C(60 * 60 * 24 * 365 * 100); + +nsresult nsSiteSecurityService::ProcessSTSHeader( + nsIURI* aSourceURI, const nsCString& aHeader, + const OriginAttributes& aOriginAttributes, uint64_t* aMaxAge, + bool* aIncludeSubdomains, uint32_t* aFailureResult) { + if (aFailureResult) { + *aFailureResult = nsISiteSecurityService::ERROR_UNKNOWN; + } + SSSLOG(("SSS: processing HSTS header '%s'", aHeader.get())); + + bool foundMaxAge = false; + bool foundIncludeSubdomains = false; + bool foundUnrecognizedDirective = false; + uint64_t maxAge = 0; + + uint32_t sssrv = ParseSSSHeaders(aHeader, foundIncludeSubdomains, foundMaxAge, + foundUnrecognizedDirective, maxAge); + if (sssrv != nsISiteSecurityService::Success) { + if (aFailureResult) { + *aFailureResult = sssrv; + } + return NS_ERROR_FAILURE; + } + + // after processing all the directives, make sure we came across max-age + // somewhere. + if (!foundMaxAge) { + SSSLOG(("SSS: did not encounter required max-age directive")); + if (aFailureResult) { + *aFailureResult = nsISiteSecurityService::ERROR_NO_MAX_AGE; + } + return NS_ERROR_FAILURE; + } + + // Cap the specified max-age. + if (maxAge > sMaxMaxAgeInSeconds) { + maxAge = sMaxMaxAgeInSeconds; + } + + nsAutoCString hostname; + nsresult rv = GetHost(aSourceURI, hostname); + NS_ENSURE_SUCCESS(rv, rv); + + // record the successfully parsed header data. + rv = SetHSTSState(hostname.get(), maxAge, foundIncludeSubdomains, + SecurityPropertySet, aOriginAttributes); + if (NS_FAILED(rv)) { + SSSLOG(("SSS: failed to set STS state")); + if (aFailureResult) { + *aFailureResult = nsISiteSecurityService::ERROR_COULD_NOT_SAVE_STATE; + } + return rv; + } + + if (aMaxAge != nullptr) { + *aMaxAge = maxAge; + } + + if (aIncludeSubdomains != nullptr) { + *aIncludeSubdomains = foundIncludeSubdomains; + } + + return foundUnrecognizedDirective ? NS_SUCCESS_LOSS_OF_INSIGNIFICANT_DATA + : NS_OK; +} + +NS_IMETHODIMP +nsSiteSecurityService::IsSecureURIScriptable( + nsIURI* aURI, JS::Handle<JS::Value> aOriginAttributes, JSContext* aCx, + uint8_t aArgc, bool* aResult) { + OriginAttributes originAttributes; + if (aArgc > 0) { + if (!aOriginAttributes.isObject() || + !originAttributes.Init(aCx, aOriginAttributes)) { + return NS_ERROR_INVALID_ARG; + } + } + return IsSecureURI(aURI, originAttributes, aResult); +} + +NS_IMETHODIMP +nsSiteSecurityService::IsSecureURI(nsIURI* aURI, + const OriginAttributes& aOriginAttributes, + bool* aResult) { + NS_ENSURE_ARG(aURI); + NS_ENSURE_ARG(aResult); + + nsAutoCString hostname; + nsresult rv = GetHost(aURI, hostname); + NS_ENSURE_SUCCESS(rv, rv); + /* An IP address never qualifies as a secure URI. */ + if (HostIsIPAddress(hostname)) { + *aResult = false; + return NS_OK; + } + + return IsSecureHost(hostname, aOriginAttributes, aResult); +} + +// Checks if the given host is in the preload list. +// +// @param aHost The host to match. Only does exact host matching. +// @param aIncludeSubdomains Out, optional. Indicates whether or not to include +// subdomains. Only set if the host is matched and this function returns +// true. +// +// @return True if the host is matched, false otherwise. +bool nsSiteSecurityService::GetPreloadStatus(const nsACString& aHost, + bool* aIncludeSubdomains) const { + const int kIncludeSubdomains = 1; + bool found = false; + + PRTime currentTime = PR_Now() + (mPreloadListTimeOffset * PR_USEC_PER_SEC); + if (mUsePreloadList && currentTime < gPreloadListExpirationTime) { + int result = mDafsa.Lookup(aHost); + found = (result != mozilla::Dafsa::kKeyNotFound); + if (found && aIncludeSubdomains) { + *aIncludeSubdomains = (result == kIncludeSubdomains); + } + } + + return found; +} + +nsresult nsSiteSecurityService::GetWithMigration( + const nsACString& aHostname, const OriginAttributes& aOriginAttributes, + nsIDataStorage::DataType aDataStorageType, nsACString& aValue) { + // First see if this entry exists and has already been migrated. + nsAutoCString storageKey; + GetStorageKey(aHostname, aOriginAttributes, storageKey); + nsresult rv = mSiteStateStorage->Get(storageKey, aDataStorageType, aValue); + if (NS_SUCCEEDED(rv)) { + return NS_OK; + } + if (NS_FAILED(rv) && rv != NS_ERROR_NOT_AVAILABLE) { + return rv; + } + // Otherwise, it potentially needs to be migrated, if it's persistent data. + if (aDataStorageType != nsIDataStorage::DataType::Persistent) { + return NS_ERROR_NOT_AVAILABLE; + } + nsAutoCString oldStorageKey; + GetOldStorageKey(aHostname, aOriginAttributes, oldStorageKey); + rv = mSiteStateStorage->Get(oldStorageKey, + nsIDataStorage::DataType::Persistent, aValue); + if (NS_FAILED(rv)) { + return rv; + } + // If there was a value, remove the old entry, insert a new one with the new + // key, and return the value. + rv = mSiteStateStorage->Remove(oldStorageKey, + nsIDataStorage::DataType::Persistent); + if (NS_FAILED(rv)) { + return rv; + } + return mSiteStateStorage->Put(storageKey, aValue, + nsIDataStorage::DataType::Persistent); +} + +nsresult nsSiteSecurityService::PutWithMigration( + const nsACString& aHostname, const OriginAttributes& aOriginAttributes, + nsIDataStorage::DataType aDataStorageType, const nsACString& aStateString) { + // Only persistent data needs migrating. + if (aDataStorageType == nsIDataStorage::DataType::Persistent) { + // Since the intention is to overwrite the previously-stored data anyway, + // the old entry can be removed. + nsAutoCString oldStorageKey; + GetOldStorageKey(aHostname, aOriginAttributes, oldStorageKey); + nsresult rv = mSiteStateStorage->Remove( + oldStorageKey, nsIDataStorage::DataType::Persistent); + if (NS_FAILED(rv)) { + return rv; + } + } + + nsAutoCString storageKey; + GetStorageKey(aHostname, aOriginAttributes, storageKey); + return mSiteStateStorage->Put(storageKey, aStateString, aDataStorageType); +} + +nsresult nsSiteSecurityService::RemoveWithMigration( + const nsACString& aHostname, const OriginAttributes& aOriginAttributes, + nsIDataStorage::DataType aDataStorageType) { + // Only persistent data needs migrating. + if (aDataStorageType == nsIDataStorage::DataType::Persistent) { + nsAutoCString oldStorageKey; + GetOldStorageKey(aHostname, aOriginAttributes, oldStorageKey); + nsresult rv = mSiteStateStorage->Remove( + oldStorageKey, nsIDataStorage::DataType::Persistent); + if (NS_FAILED(rv)) { + return rv; + } + } + + nsAutoCString storageKey; + GetStorageKey(aHostname, aOriginAttributes, storageKey); + return mSiteStateStorage->Remove(storageKey, aDataStorageType); +} + +// Determines whether or not there is a matching HSTS entry for the given host. +// If aRequireIncludeSubdomains is set, then for there to be a matching HSTS +// entry, it must assert includeSubdomains. +nsresult nsSiteSecurityService::HostMatchesHSTSEntry( + const nsAutoCString& aHost, bool aRequireIncludeSubdomains, + const OriginAttributes& aOriginAttributes, bool& aHostMatchesHSTSEntry) { + aHostMatchesHSTSEntry = false; + // First we check for an entry in site security storage. If that entry exists, + // we don't want to check in the preload lists. We only want to use the + // stored value if it is not a knockout entry, however. + // Additionally, if it is a knockout entry, we want to stop looking for data + // on the host, because the knockout entry indicates "we have no information + // regarding the security status of this host". + bool isPrivate = aOriginAttributes.mPrivateBrowsingId > 0; + nsIDataStorage::DataType storageType = + isPrivate ? nsIDataStorage::DataType::Private + : nsIDataStorage::DataType::Persistent; + SSSLOG(("Seeking HSTS entry for %s", aHost.get())); + nsAutoCString value; + nsresult rv = GetWithMigration(aHost, aOriginAttributes, storageType, value); + // If this fails for a reason other than nothing by that key exists, + // propagate the failure. + if (NS_FAILED(rv) && rv != NS_ERROR_NOT_AVAILABLE) { + return rv; + } + bool checkPreloadList = true; + // If something by that key does exist, decode and process that information. + if (NS_SUCCEEDED(rv)) { + SiteHSTSState siteState(aHost, aOriginAttributes, value); + if (siteState.mHSTSState != SecurityPropertyUnset) { + SSSLOG(("Found HSTS entry for %s", aHost.get())); + bool expired = siteState.IsExpired(); + if (!expired) { + SSSLOG(("Entry for %s is not expired", aHost.get())); + if (siteState.mHSTSState == SecurityPropertySet) { + aHostMatchesHSTSEntry = aRequireIncludeSubdomains + ? siteState.mHSTSIncludeSubdomains + : true; + return NS_OK; + } + } + + if (expired) { + SSSLOG( + ("Entry %s is expired - checking for preload state", aHost.get())); + if (!GetPreloadStatus(aHost)) { + SSSLOG(("No static preload - removing expired entry")); + nsAutoCString storageKey; + GetStorageKey(aHost, aOriginAttributes, storageKey); + rv = mSiteStateStorage->Remove(storageKey, storageType); + if (NS_FAILED(rv)) { + return rv; + } + } + } + return NS_OK; + } + checkPreloadList = false; + } + + bool includeSubdomains = false; + // Finally look in the static preload list. + if (checkPreloadList && GetPreloadStatus(aHost, &includeSubdomains)) { + SSSLOG(("%s is a preloaded HSTS host", aHost.get())); + aHostMatchesHSTSEntry = + aRequireIncludeSubdomains ? includeSubdomains : true; + } + + return NS_OK; +} + +nsresult nsSiteSecurityService::IsSecureHost( + const nsACString& aHost, const OriginAttributes& aOriginAttributes, + bool* aResult) { + NS_ENSURE_ARG(aResult); + *aResult = false; + + /* An IP address never qualifies as a secure URI. */ + const nsCString& flatHost = PromiseFlatCString(aHost); + if (HostIsIPAddress(flatHost)) { + return NS_OK; + } + + nsAutoCString host( + PublicKeyPinningService::CanonicalizeHostname(flatHost.get())); + + // First check the exact host. + bool hostMatchesHSTSEntry = false; + nsresult rv = HostMatchesHSTSEntry(host, false, aOriginAttributes, + hostMatchesHSTSEntry); + if (NS_FAILED(rv)) { + return rv; + } + if (hostMatchesHSTSEntry) { + *aResult = true; + return NS_OK; + } + + SSSLOG(("%s not congruent match for any known HSTS host", host.get())); + const char* superdomain; + + uint32_t offset = 0; + for (offset = host.FindChar('.', offset) + 1; offset > 0; + offset = host.FindChar('.', offset) + 1) { + superdomain = host.get() + offset; + + // If we get an empty string, don't continue. + if (strlen(superdomain) < 1) { + break; + } + + // Do the same thing as with the exact host except now we're looking at + // ancestor domains of the original host and, therefore, we have to require + // that the entry asserts includeSubdomains. + nsAutoCString superdomainString(superdomain); + hostMatchesHSTSEntry = false; + rv = HostMatchesHSTSEntry(superdomainString, true, aOriginAttributes, + hostMatchesHSTSEntry); + if (NS_FAILED(rv)) { + return rv; + } + if (hostMatchesHSTSEntry) { + *aResult = true; + return NS_OK; + } + + SSSLOG( + ("superdomain %s not known HSTS host (or includeSubdomains not set), " + "walking up domain", + superdomain)); + } + + // If we get here, there was no congruent match, and no superdomain matched + // while asserting includeSubdomains, so this host is not HSTS. + *aResult = false; + return NS_OK; +} + +NS_IMETHODIMP +nsSiteSecurityService::ClearAll() { return mSiteStateStorage->Clear(); } + +//------------------------------------------------------------ +// nsSiteSecurityService::nsIObserver +//------------------------------------------------------------ + +NS_IMETHODIMP +nsSiteSecurityService::Observe(nsISupports* /*subject*/, const char* topic, + const char16_t* /*data*/) { + // Don't access Preferences off the main thread. + if (!NS_IsMainThread()) { + MOZ_ASSERT_UNREACHABLE("Preferences accessed off main thread"); + return NS_ERROR_NOT_SAME_THREAD; + } + + if (strcmp(topic, NS_PREFBRANCH_PREFCHANGE_TOPIC_ID) == 0) { + mUsePreloadList = mozilla::Preferences::GetBool( + "network.stricttransportsecurity.preloadlist", true); + mPreloadListTimeOffset = + mozilla::Preferences::GetInt("test.currentTimeOffsetSeconds", 0); + } + + return NS_OK; +} diff --git a/security/manager/ssl/nsSiteSecurityService.h b/security/manager/ssl/nsSiteSecurityService.h new file mode 100644 index 0000000000..f5de35936a --- /dev/null +++ b/security/manager/ssl/nsSiteSecurityService.h @@ -0,0 +1,158 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef __nsSiteSecurityService_h__ +#define __nsSiteSecurityService_h__ + +#include "mozilla/BasePrincipal.h" +#include "mozilla/Dafsa.h" +#include "mozilla/RefPtr.h" +#include "nsCOMPtr.h" +#include "nsIDataStorage.h" +#include "nsIObserver.h" +#include "nsISiteSecurityService.h" +#include "nsString.h" +#include "nsTArray.h" +#include "mozpkix/pkixtypes.h" +#include "prtime.h" + +class nsIURI; + +using mozilla::OriginAttributes; + +// {16955eee-6c48-4152-9309-c42a465138a1} +#define NS_SITE_SECURITY_SERVICE_CID \ + { \ + 0x16955eee, 0x6c48, 0x4152, { \ + 0x93, 0x09, 0xc4, 0x2a, 0x46, 0x51, 0x38, 0xa1 \ + } \ + } + +/** + * SecurityPropertyState: A utility enum for representing the different states + * a security property can be in. + * SecurityPropertySet and SecurityPropertyUnset correspond to indicating + * a site has or does not have the security property in question, respectively. + * SecurityPropertyKnockout indicates a value on a preloaded list is being + * overridden, and the associated site does not have the security property + * in question. + */ +enum SecurityPropertyState { + SecurityPropertyUnset = 0, + SecurityPropertySet = 1, + SecurityPropertyKnockout = 2, +}; + +/** + * SiteHSTSState: A utility class that encodes/decodes a string describing + * the security state of a site. Currently only handles HSTS. + * HSTS state consists of: + * - Hostname (nsCString) + * - Origin attributes (OriginAttributes) + * - Expiry time (PRTime (aka int64_t) in milliseconds) + * - A state flag (SecurityPropertyState, default SecurityPropertyUnset) + * - An include subdomains flag (bool, default false) + */ +class SiteHSTSState { + public: + SiteHSTSState(const nsCString& aHost, + const OriginAttributes& aOriginAttributes, + const nsCString& aStateString); + SiteHSTSState(const nsCString& aHost, + const OriginAttributes& aOriginAttributes, + PRTime aHSTSExpireTime, SecurityPropertyState aHSTSState, + bool aHSTSIncludeSubdomains); + + nsCString mHostname; + OriginAttributes mOriginAttributes; + PRTime mHSTSExpireTime; + SecurityPropertyState mHSTSState; + bool mHSTSIncludeSubdomains; + + bool IsExpired() { + // If mHSTSExpireTime is 0, this entry never expires (this is the case for + // knockout entries). + if (mHSTSExpireTime == 0) { + return false; + } + + PRTime now = PR_Now() / PR_USEC_PER_MSEC; + if (now > mHSTSExpireTime) { + return true; + } + + return false; + } + + void ToString(nsCString& aString); +}; + +struct nsSTSPreload; + +class nsSiteSecurityService : public nsISiteSecurityService, + public nsIObserver { + public: + NS_DECL_THREADSAFE_ISUPPORTS + NS_DECL_NSIOBSERVER + NS_DECL_NSISITESECURITYSERVICE + + nsSiteSecurityService(); + nsresult Init(); + + static nsresult GetHost(nsIURI* aURI, nsACString& aResult); + static bool HostIsIPAddress(const nsCString& hostname); + + protected: + virtual ~nsSiteSecurityService(); + + private: + nsresult SetHSTSState(const char* aHost, int64_t maxage, + bool includeSubdomains, + SecurityPropertyState aHSTSState, + const OriginAttributes& aOriginAttributes); + nsresult ProcessHeaderInternal(nsIURI* aSourceURI, const nsCString& aHeader, + const OriginAttributes& aOriginAttributes, + uint64_t* aMaxAge, bool* aIncludeSubdomains, + uint32_t* aFailureResult); + nsresult ProcessSTSHeader(nsIURI* aSourceURI, const nsCString& aHeader, + const OriginAttributes& aOriginAttributes, + uint64_t* aMaxAge, bool* aIncludeSubdomains, + uint32_t* aFailureResult); + nsresult MarkHostAsNotHSTS(const nsAutoCString& aHost, + const OriginAttributes& aOriginAttributes); + nsresult ResetStateInternal(nsIURI* aURI, + const OriginAttributes& aOriginAttributes, + nsISiteSecurityService::ResetStateBy aScope); + void ResetStateForExactDomain(const nsCString& aHostname, + const OriginAttributes& aOriginAttributes); + nsresult HostMatchesHSTSEntry(const nsAutoCString& aHost, + bool aRequireIncludeSubdomains, + const OriginAttributes& aOriginAttributes, + bool& aHostMatchesHSTSEntry); + bool GetPreloadStatus( + const nsACString& aHost, + /*optional out*/ bool* aIncludeSubdomains = nullptr) const; + nsresult IsSecureHost(const nsACString& aHost, + const OriginAttributes& aOriginAttributes, + bool* aResult); + + nsresult GetWithMigration(const nsACString& aHostname, + const OriginAttributes& aOriginAttributes, + nsIDataStorage::DataType aDataStorageType, + nsACString& aValue); + nsresult PutWithMigration(const nsACString& aHostname, + const OriginAttributes& aOriginAttributes, + nsIDataStorage::DataType aDataStorageType, + const nsACString& aStateString); + nsresult RemoveWithMigration(const nsACString& aHostname, + const OriginAttributes& aOriginAttributes, + nsIDataStorage::DataType aDataStorageType); + + bool mUsePreloadList; + int64_t mPreloadListTimeOffset; + nsCOMPtr<nsIDataStorage> mSiteStateStorage; + const mozilla::Dafsa mDafsa; +}; + +#endif // __nsSiteSecurityService_h__ diff --git a/security/manager/ssl/nsTLSSocketProvider.cpp b/security/manager/ssl/nsTLSSocketProvider.cpp new file mode 100644 index 0000000000..bc26d47966 --- /dev/null +++ b/security/manager/ssl/nsTLSSocketProvider.cpp @@ -0,0 +1,47 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "mozilla/BasePrincipal.h" +#include "nsTLSSocketProvider.h" +#include "nsNSSIOLayer.h" +#include "nsError.h" + +using mozilla::OriginAttributes; + +nsTLSSocketProvider::nsTLSSocketProvider() = default; + +nsTLSSocketProvider::~nsTLSSocketProvider() = default; + +NS_IMPL_ISUPPORTS(nsTLSSocketProvider, nsISocketProvider) + +NS_IMETHODIMP +nsTLSSocketProvider::NewSocket(int32_t family, const char* host, int32_t port, + nsIProxyInfo* proxy, + const OriginAttributes& originAttributes, + uint32_t flags, uint32_t tlsFlags, + PRFileDesc** _result, + nsITLSSocketControl** tlsSocketControl) { + nsresult rv = + nsSSLIOLayerNewSocket(family, host, port, proxy, originAttributes, + _result, tlsSocketControl, true, flags, tlsFlags); + + return (NS_FAILED(rv)) ? NS_ERROR_SOCKET_CREATE_FAILED : NS_OK; +} + +// Add the SSL IO layer to an existing socket +NS_IMETHODIMP +nsTLSSocketProvider::AddToSocket(int32_t family, const char* host, int32_t port, + nsIProxyInfo* proxy, + const OriginAttributes& originAttributes, + uint32_t flags, uint32_t tlsFlags, + PRFileDesc* aSocket, + nsITLSSocketControl** tlsSocketControl) { + nsresult rv = + nsSSLIOLayerAddToSocket(family, host, port, proxy, originAttributes, + aSocket, tlsSocketControl, true, flags, tlsFlags); + + return (NS_FAILED(rv)) ? NS_ERROR_SOCKET_CREATE_FAILED : NS_OK; +} diff --git a/security/manager/ssl/nsTLSSocketProvider.h b/security/manager/ssl/nsTLSSocketProvider.h new file mode 100644 index 0000000000..eeed0ae40c --- /dev/null +++ b/security/manager/ssl/nsTLSSocketProvider.h @@ -0,0 +1,31 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef _NSTLSSOCKETPROVIDER_H_ +#define _NSTLSSOCKETPROVIDER_H_ + +#include "nsISocketProvider.h" + +#define NS_STARTTLSSOCKETPROVIDER_CID \ + { /* b9507aec-1dd1-11b2-8cd5-c48ee0c50307 */ \ + 0xb9507aec, 0x1dd1, 0x11b2, { \ + 0x8c, 0xd5, 0xc4, 0x8e, 0xe0, 0xc5, 0x03, 0x07 \ + } \ + } + +class nsTLSSocketProvider : public nsISocketProvider { + public: + NS_DECL_THREADSAFE_ISUPPORTS + NS_DECL_NSISOCKETPROVIDER + + // nsTLSSocketProvider methods: + nsTLSSocketProvider(); + + protected: + virtual ~nsTLSSocketProvider(); +}; + +#endif /* _NSTLSSOCKETPROVIDER_H_ */ diff --git a/security/manager/ssl/nsVerificationJob.h b/security/manager/ssl/nsVerificationJob.h new file mode 100644 index 0000000000..377cfabb73 --- /dev/null +++ b/security/manager/ssl/nsVerificationJob.h @@ -0,0 +1,48 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef _INC_NSVERIFICATIONJOB_H +#define _INC_NSVERIFICATIONJOB_H + +#include "nspr.h" + +#include "nsIX509Cert.h" +#include "nsProxyRelease.h" + +class nsBaseVerificationJob { + public: + virtual ~nsBaseVerificationJob() {} + virtual void Run() = 0; +}; + +class nsCertVerificationJob : public nsBaseVerificationJob { + public: + nsCOMPtr<nsIX509Cert> mCert; + nsMainThreadPtrHandle<nsICertVerificationListener> mListener; + + void Run(); +}; + +class nsCertVerificationResult : public nsICertVerificationResult { + public: + nsCertVerificationResult(); + + NS_DECL_THREADSAFE_ISUPPORTS + NS_DECL_NSICERTVERIFICATIONRESULT + + protected: + virtual ~nsCertVerificationResult(); + + private: + nsresult mRV; + uint32_t mVerified; + uint32_t mCount; + char16_t** mUsages; + + friend class nsCertVerificationJob; +}; + +#endif diff --git a/security/manager/ssl/osclientcerts/Cargo.toml b/security/manager/ssl/osclientcerts/Cargo.toml new file mode 100644 index 0000000000..db71b97a46 --- /dev/null +++ b/security/manager/ssl/osclientcerts/Cargo.toml @@ -0,0 +1,32 @@ +[package] +name = "osclientcerts-static" +version = "0.1.4" +authors = ["Dana Keeler <dkeeler@mozilla.com>"] +edition = "2018" +description = "Platform-specific support for client authentication certificates in Firefox" +repository = "https://github.com/mozkeeler/osclientcerts" +license = "MPL-2.0" + +[dependencies] +byteorder = "1.3" +env_logger = {version = "0.10", default-features = false } # disable `regex` to reduce code size +lazy_static = "1" +log = "0.4" +mozilla-central-workspace-hack = { version = "0.1", features = ["osclientcerts-static"], optional = true } + +pkcs11-bindings = "0.1" +rsclientcerts = { path = "../rsclientcerts" } +sha2 = "0.10.2" + +[target."cfg(target_os = \"macos\")".dependencies.core-foundation] +version = "0.9" + +[target."cfg(target_os = \"macos\")".dependencies.libloading] +version = "0.7" + +[target."cfg(target_os = \"windows\")".dependencies.winapi] +version = "0.3" +features = ["errhandlingapi", "wincrypt"] + +[lib] +crate-type = ["staticlib"] diff --git a/security/manager/ssl/osclientcerts/dynamic-library/moz.build b/security/manager/ssl/osclientcerts/dynamic-library/moz.build new file mode 100644 index 0000000000..36c0341ca7 --- /dev/null +++ b/security/manager/ssl/osclientcerts/dynamic-library/moz.build @@ -0,0 +1,33 @@ +# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*- +# vim: set filetype=python: +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +USE_LIBS += ["osclientcerts-static"] + +UNIFIED_SOURCES += [ + "stub.cpp", +] + +if CONFIG["OS_ARCH"] == "WINNT": + OS_LIBS += [ + "advapi32", + "crypt32", + "kernel32", + "ncrypt", + "userenv", + "ws2_32", + "ntdll", + ] + +if CONFIG["OS_ARCH"] == "Darwin": + OS_LIBS += [ + "-framework CoreFoundation", + "-framework Security", + ] + +SharedLibrary("osclientcerts") + +NoVisibilityFlags() +SYMBOLS_FILE = "osclientcerts.symbols" diff --git a/security/manager/ssl/osclientcerts/dynamic-library/osclientcerts.symbols b/security/manager/ssl/osclientcerts/dynamic-library/osclientcerts.symbols new file mode 100644 index 0000000000..562ecea21d --- /dev/null +++ b/security/manager/ssl/osclientcerts/dynamic-library/osclientcerts.symbols @@ -0,0 +1 @@ +C_GetFunctionList diff --git a/security/manager/ssl/osclientcerts/dynamic-library/stub.cpp b/security/manager/ssl/osclientcerts/dynamic-library/stub.cpp new file mode 100644 index 0000000000..bd20c15c4f --- /dev/null +++ b/security/manager/ssl/osclientcerts/dynamic-library/stub.cpp @@ -0,0 +1,8 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +// This is an intentionally empty file. It is necessary for the build system to +// successfully convert a static rust library into a dynamic library on +// Windows. diff --git a/security/manager/ssl/osclientcerts/moz.build b/security/manager/ssl/osclientcerts/moz.build new file mode 100644 index 0000000000..fa484af6a4 --- /dev/null +++ b/security/manager/ssl/osclientcerts/moz.build @@ -0,0 +1,9 @@ +# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*- +# vim: set filetype=python: +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +DIRS += ["dynamic-library"] + +RustLibrary("osclientcerts-static") diff --git a/security/manager/ssl/osclientcerts/src/backend_macos.rs b/security/manager/ssl/osclientcerts/src/backend_macos.rs new file mode 100644 index 0000000000..34386371aa --- /dev/null +++ b/security/manager/ssl/osclientcerts/src/backend_macos.rs @@ -0,0 +1,849 @@ +/* -*- Mode: rust; rust-indent-offset: 4 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#![allow(non_upper_case_globals)] + +use core_foundation::array::*; +use core_foundation::base::*; +use core_foundation::boolean::*; +use core_foundation::data::*; +use core_foundation::dictionary::*; +use core_foundation::error::*; +use core_foundation::number::*; +use core_foundation::string::*; +use libloading::{Library, Symbol}; +use pkcs11_bindings::*; +use rsclientcerts::error::{Error, ErrorType}; +use rsclientcerts::manager::{ClientCertsBackend, CryptokiObject, Sign, SlotType}; +use rsclientcerts::util::*; +use sha2::{Digest, Sha256}; +use std::collections::BTreeMap; +use std::convert::TryInto; +use std::os::raw::c_void; + +// Normally we would generate this with a build script, but macos is +// cross-compiled on linux, and we'd have to figure out e.g. include paths, +// etc.. This is easier. +include!("bindings_macos.rs"); + +#[repr(C)] +pub struct __SecIdentity(c_void); +pub type SecIdentityRef = *const __SecIdentity; +declare_TCFType!(SecIdentity, SecIdentityRef); +impl_TCFType!(SecIdentity, SecIdentityRef, SecIdentityGetTypeID); + +#[repr(C)] +pub struct __SecCertificate(c_void); +pub type SecCertificateRef = *const __SecCertificate; +declare_TCFType!(SecCertificate, SecCertificateRef); +impl_TCFType!(SecCertificate, SecCertificateRef, SecCertificateGetTypeID); + +#[repr(C)] +pub struct __SecKey(c_void); +pub type SecKeyRef = *const __SecKey; +declare_TCFType!(SecKey, SecKeyRef); +impl_TCFType!(SecKey, SecKeyRef, SecKeyGetTypeID); + +#[repr(C)] +pub struct __SecPolicy(c_void); +pub type SecPolicyRef = *const __SecPolicy; +declare_TCFType!(SecPolicy, SecPolicyRef); +impl_TCFType!(SecPolicy, SecPolicyRef, SecPolicyGetTypeID); + +#[repr(C)] +pub struct __SecTrust(c_void); +pub type SecTrustRef = *const __SecTrust; +declare_TCFType!(SecTrust, SecTrustRef); +impl_TCFType!(SecTrust, SecTrustRef, SecTrustGetTypeID); + +type SecCertificateCopyKeyType = unsafe extern "C" fn(SecCertificateRef) -> SecKeyRef; +type SecTrustEvaluateWithErrorType = + unsafe extern "C" fn(trust: SecTrustRef, error: *mut CFErrorRef) -> bool; + +#[derive(Ord, Eq, PartialOrd, PartialEq)] +enum SecStringConstant { + // These are available in macOS 10.13 + SecKeyAlgorithmRSASignatureDigestPSSSHA1, + SecKeyAlgorithmRSASignatureDigestPSSSHA256, + SecKeyAlgorithmRSASignatureDigestPSSSHA384, + SecKeyAlgorithmRSASignatureDigestPSSSHA512, +} + +/// This implementation uses security framework functions and constants that +/// are not provided by the version of the SDK we build with. To work around +/// this, we attempt to open and dynamically load these functions and symbols +/// at runtime. Unfortunately this does mean that if a user is not on a new +/// enough version of macOS, they will not be able to use client certificates +/// from their keychain in Firefox until they upgrade. +struct SecurityFramework<'a> { + sec_certificate_copy_key: Symbol<'a, SecCertificateCopyKeyType>, + sec_trust_evaluate_with_error: Symbol<'a, SecTrustEvaluateWithErrorType>, + sec_string_constants: BTreeMap<SecStringConstant, String>, +} + +lazy_static! { + static ref SECURITY_LIBRARY: Result<Library, String> = unsafe { + Library::new("/System/Library/Frameworks/Security.framework/Security") + .map_err(|e| e.to_string()) + }; +} + +impl<'a> SecurityFramework<'a> { + fn new() -> Result<SecurityFramework<'a>, Error> { + let library = match &*SECURITY_LIBRARY { + Ok(library) => library, + Err(e) => return Err(error_here!(ErrorType::ExternalError, e.clone())), + }; + let sec_certificate_copy_key = unsafe { + library + .get::<SecCertificateCopyKeyType>(b"SecCertificateCopyKey\0") + .map_err(|e| error_here!(ErrorType::ExternalError, e.to_string()))? + }; + let sec_trust_evaluate_with_error = unsafe { + library + .get::<SecTrustEvaluateWithErrorType>(b"SecTrustEvaluateWithError\0") + .map_err(|e| error_here!(ErrorType::ExternalError, e.to_string()))? + }; + let mut sec_string_constants = BTreeMap::new(); + let strings_to_load = vec![ + ( + b"kSecKeyAlgorithmRSASignatureDigestPSSSHA1\0".as_ref(), + SecStringConstant::SecKeyAlgorithmRSASignatureDigestPSSSHA1, + ), + ( + b"kSecKeyAlgorithmRSASignatureDigestPSSSHA256\0".as_ref(), + SecStringConstant::SecKeyAlgorithmRSASignatureDigestPSSSHA256, + ), + ( + b"kSecKeyAlgorithmRSASignatureDigestPSSSHA384\0".as_ref(), + SecStringConstant::SecKeyAlgorithmRSASignatureDigestPSSSHA384, + ), + ( + b"kSecKeyAlgorithmRSASignatureDigestPSSSHA512\0".as_ref(), + SecStringConstant::SecKeyAlgorithmRSASignatureDigestPSSSHA512, + ), + ]; + for (symbol_name, sec_string_constant) in strings_to_load { + let cfstring_symbol = unsafe { + library + .get::<*const CFStringRef>(symbol_name) + .map_err(|e| error_here!(ErrorType::ExternalError, e.to_string()))? + }; + let cfstring = unsafe { CFString::wrap_under_create_rule(**cfstring_symbol) }; + sec_string_constants.insert(sec_string_constant, cfstring.to_string()); + } + Ok(SecurityFramework { + sec_certificate_copy_key, + sec_trust_evaluate_with_error, + sec_string_constants, + }) + } +} + +struct SecurityFrameworkHolder<'a> { + framework: Result<SecurityFramework<'a>, Error>, +} + +impl<'a> SecurityFrameworkHolder<'a> { + fn new() -> SecurityFrameworkHolder<'a> { + SecurityFrameworkHolder { + framework: SecurityFramework::new(), + } + } + + /// SecCertificateCopyKey is available in macOS 10.14 + fn sec_certificate_copy_key(&self, certificate: &SecCertificate) -> Result<SecKey, Error> { + match &self.framework { + Ok(framework) => unsafe { + let result = + (framework.sec_certificate_copy_key)(certificate.as_concrete_TypeRef()); + if result.is_null() { + return Err(error_here!(ErrorType::ExternalError)); + } + Ok(SecKey::wrap_under_create_rule(result)) + }, + Err(e) => Err(e.clone()), + } + } + + /// SecTrustEvaluateWithError is available in macOS 10.14 + fn sec_trust_evaluate_with_error(&self, trust: &SecTrust) -> Result<bool, Error> { + match &self.framework { + Ok(framework) => unsafe { + Ok((framework.sec_trust_evaluate_with_error)( + trust.as_concrete_TypeRef(), + std::ptr::null_mut(), + )) + }, + Err(e) => Err(e.clone()), + } + } + + fn get_sec_string_constant( + &self, + sec_string_constant: SecStringConstant, + ) -> Result<CFString, Error> { + match &self.framework { + Ok(framework) => match framework.sec_string_constants.get(&sec_string_constant) { + Some(string) => Ok(CFString::new(string)), + None => Err(error_here!(ErrorType::ExternalError)), + }, + Err(e) => Err(e.clone()), + } + } +} + +lazy_static! { + static ref SECURITY_FRAMEWORK: SecurityFrameworkHolder<'static> = + SecurityFrameworkHolder::new(); +} + +fn sec_key_create_signature( + key: &SecKey, + algorithm: SecKeyAlgorithm, + data: &CFData, +) -> Result<CFData, Error> { + let mut error = std::ptr::null_mut(); + let signature = unsafe { + SecKeyCreateSignature( + key.as_concrete_TypeRef(), + algorithm, + data.as_concrete_TypeRef(), + &mut error, + ) + }; + if signature.is_null() { + let error = unsafe { CFError::wrap_under_create_rule(error) }; + return Err(error_here!( + ErrorType::ExternalError, + error.description().to_string() + )); + } + Ok(unsafe { CFData::wrap_under_create_rule(signature) }) +} + +fn sec_key_copy_attributes<T: TCFType>(key: &SecKey) -> CFDictionary<CFString, T> { + unsafe { CFDictionary::wrap_under_create_rule(SecKeyCopyAttributes(key.as_concrete_TypeRef())) } +} + +fn sec_key_copy_external_representation(key: &SecKey) -> Result<CFData, Error> { + let mut error = std::ptr::null_mut(); + let representation = + unsafe { SecKeyCopyExternalRepresentation(key.as_concrete_TypeRef(), &mut error) }; + if representation.is_null() { + let error = unsafe { CFError::wrap_under_create_rule(error) }; + return Err(error_here!( + ErrorType::ExternalError, + error.description().to_string() + )); + } + Ok(unsafe { CFData::wrap_under_create_rule(representation) }) +} + +fn sec_identity_copy_certificate(identity: &SecIdentity) -> Result<SecCertificate, Error> { + let mut certificate = std::ptr::null(); + let status = + unsafe { SecIdentityCopyCertificate(identity.as_concrete_TypeRef(), &mut certificate) }; + if status != errSecSuccess { + return Err(error_here!(ErrorType::ExternalError, status.to_string())); + } + if certificate.is_null() { + return Err(error_here!(ErrorType::ExternalError)); + } + Ok(unsafe { SecCertificate::wrap_under_create_rule(certificate) }) +} + +fn sec_certificate_copy_subject_summary(certificate: &SecCertificate) -> Result<CFString, Error> { + let result = unsafe { SecCertificateCopySubjectSummary(certificate.as_concrete_TypeRef()) }; + if result.is_null() { + return Err(error_here!(ErrorType::ExternalError)); + } + Ok(unsafe { CFString::wrap_under_create_rule(result) }) +} + +fn sec_certificate_copy_data(certificate: &SecCertificate) -> Result<CFData, Error> { + let result = unsafe { SecCertificateCopyData(certificate.as_concrete_TypeRef()) }; + if result.is_null() { + return Err(error_here!(ErrorType::ExternalError)); + } + Ok(unsafe { CFData::wrap_under_create_rule(result) }) +} + +fn sec_identity_copy_private_key(identity: &SecIdentity) -> Result<SecKey, Error> { + let mut key = std::ptr::null(); + let status = unsafe { SecIdentityCopyPrivateKey(identity.as_concrete_TypeRef(), &mut key) }; + if status != errSecSuccess { + return Err(error_here!(ErrorType::ExternalError)); + } + if key.is_null() { + return Err(error_here!(ErrorType::ExternalError)); + } + Ok(unsafe { SecKey::wrap_under_create_rule(key) }) +} + +pub struct Cert { + class: Vec<u8>, + token: Vec<u8>, + id: Vec<u8>, + label: Vec<u8>, + value: Vec<u8>, + issuer: Vec<u8>, + serial_number: Vec<u8>, + subject: Vec<u8>, +} + +impl Cert { + fn new_from_identity(identity: &SecIdentity) -> Result<Cert, Error> { + let certificate = sec_identity_copy_certificate(identity)?; + Cert::new_from_certificate(&certificate) + } + + fn new_from_certificate(certificate: &SecCertificate) -> Result<Cert, Error> { + let label = sec_certificate_copy_subject_summary(certificate)?; + let der = sec_certificate_copy_data(certificate)?; + let der = der.bytes().to_vec(); + let id = Sha256::digest(&der).to_vec(); + let (serial_number, issuer, subject) = read_encoded_certificate_identifiers(&der)?; + Ok(Cert { + class: serialize_uint(CKO_CERTIFICATE)?, + token: serialize_uint(CK_TRUE)?, + id, + label: label.to_string().into_bytes(), + value: der, + issuer, + serial_number, + subject, + }) + } + + fn class(&self) -> &[u8] { + &self.class + } + + fn token(&self) -> &[u8] { + &self.token + } + + fn id(&self) -> &[u8] { + &self.id + } + + fn label(&self) -> &[u8] { + &self.label + } + + fn value(&self) -> &[u8] { + &self.value + } + + fn issuer(&self) -> &[u8] { + &self.issuer + } + + fn serial_number(&self) -> &[u8] { + &self.serial_number + } + + fn subject(&self) -> &[u8] { + &self.subject + } +} + +impl CryptokiObject for Cert { + fn matches(&self, slot_type: SlotType, attrs: &[(CK_ATTRIBUTE_TYPE, Vec<u8>)]) -> bool { + // The modern/legacy slot distinction in theory enables differentiation + // between keys that are from modules that can use modern cryptography + // (namely EC keys and RSA-PSS signatures) and those that cannot. + // However, the function that would enable this + // (SecKeyIsAlgorithmSupported) causes a password dialog to appear on + // our test machines, so this backend pretends that everything supports + // modern crypto for now. + if slot_type != SlotType::Modern { + return false; + } + for (attr_type, attr_value) in attrs { + let comparison = match *attr_type { + CKA_CLASS => self.class(), + CKA_TOKEN => self.token(), + CKA_LABEL => self.label(), + CKA_ID => self.id(), + CKA_VALUE => self.value(), + CKA_ISSUER => self.issuer(), + CKA_SERIAL_NUMBER => self.serial_number(), + CKA_SUBJECT => self.subject(), + _ => return false, + }; + if attr_value.as_slice() != comparison { + return false; + } + } + true + } + + fn get_attribute(&self, attribute: CK_ATTRIBUTE_TYPE) -> Option<&[u8]> { + let result = match attribute { + CKA_CLASS => self.class(), + CKA_TOKEN => self.token(), + CKA_LABEL => self.label(), + CKA_ID => self.id(), + CKA_VALUE => self.value(), + CKA_ISSUER => self.issuer(), + CKA_SERIAL_NUMBER => self.serial_number(), + CKA_SUBJECT => self.subject(), + _ => return None, + }; + Some(result) + } +} + +#[allow(clippy::upper_case_acronyms)] +#[derive(Clone, Copy, Debug)] +pub enum KeyType { + EC(usize), + RSA, +} + +#[allow(clippy::upper_case_acronyms)] +enum SignParams<'a> { + EC(CFString, &'a [u8]), + RSA(CFString, &'a [u8]), +} + +impl<'a> SignParams<'a> { + fn new( + key_type: KeyType, + data: &'a [u8], + params: &Option<CK_RSA_PKCS_PSS_PARAMS>, + ) -> Result<SignParams<'a>, Error> { + match key_type { + KeyType::EC(_) => SignParams::new_ec_params(data), + KeyType::RSA => SignParams::new_rsa_params(params, data), + } + } + + fn new_ec_params(data: &'a [u8]) -> Result<SignParams<'a>, Error> { + let algorithm = unsafe { + CFString::wrap_under_get_rule(match data.len() { + 20 => kSecKeyAlgorithmECDSASignatureDigestX962SHA1, + 32 => kSecKeyAlgorithmECDSASignatureDigestX962SHA256, + 48 => kSecKeyAlgorithmECDSASignatureDigestX962SHA384, + 64 => kSecKeyAlgorithmECDSASignatureDigestX962SHA512, + _ => { + return Err(error_here!(ErrorType::UnsupportedInput)); + } + }) + }; + Ok(SignParams::EC(algorithm, data)) + } + + fn new_rsa_params( + params: &Option<CK_RSA_PKCS_PSS_PARAMS>, + data: &'a [u8], + ) -> Result<SignParams<'a>, Error> { + if let Some(pss_params) = params { + let algorithm = { + let algorithm_id = match pss_params.hashAlg { + CKM_SHA_1 => SecStringConstant::SecKeyAlgorithmRSASignatureDigestPSSSHA1, + CKM_SHA256 => SecStringConstant::SecKeyAlgorithmRSASignatureDigestPSSSHA256, + CKM_SHA384 => SecStringConstant::SecKeyAlgorithmRSASignatureDigestPSSSHA384, + CKM_SHA512 => SecStringConstant::SecKeyAlgorithmRSASignatureDigestPSSSHA512, + _ => { + return Err(error_here!(ErrorType::UnsupportedInput)); + } + }; + SECURITY_FRAMEWORK.get_sec_string_constant(algorithm_id)? + }; + return Ok(SignParams::RSA(algorithm, data)); + } + + // Handle the case where this is a TLS 1.0 MD5/SHA1 hash. + if data.len() == 36 { + let algorithm = unsafe { + CFString::wrap_under_get_rule(kSecKeyAlgorithmRSASignatureDigestPKCS1v15Raw) + }; + return Ok(SignParams::RSA(algorithm, data)); + } + // Otherwise, `data` should be a DigestInfo. + let (digest_oid, hash) = read_digest_info(data)?; + let algorithm = unsafe { + CFString::wrap_under_create_rule(match digest_oid { + OID_BYTES_SHA_256 => kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256, + OID_BYTES_SHA_384 => kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384, + OID_BYTES_SHA_512 => kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512, + OID_BYTES_SHA_1 => kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1, + _ => return Err(error_here!(ErrorType::UnsupportedInput)), + }) + }; + + Ok(SignParams::RSA(algorithm, hash)) + } + + fn get_algorithm(&self) -> SecKeyAlgorithm { + match self { + SignParams::EC(algorithm, _) => algorithm.as_concrete_TypeRef(), + SignParams::RSA(algorithm, _) => algorithm.as_concrete_TypeRef(), + } + } + + fn get_data_to_sign(&self) -> &'a [u8] { + match self { + SignParams::EC(_, data_to_sign) => data_to_sign, + SignParams::RSA(_, data_to_sign) => data_to_sign, + } + } +} + +pub struct Key { + identity: SecIdentity, + class: Vec<u8>, + token: Vec<u8>, + id: Vec<u8>, + private: Vec<u8>, + key_type: Vec<u8>, + modulus: Option<Vec<u8>>, + ec_params: Option<Vec<u8>>, + key_type_enum: KeyType, + key_handle: Option<SecKey>, +} + +impl Key { + fn new(identity: &SecIdentity) -> Result<Key, Error> { + let certificate = sec_identity_copy_certificate(identity)?; + let der = sec_certificate_copy_data(&certificate)?; + let id = Sha256::digest(der.bytes()).to_vec(); + let key = SECURITY_FRAMEWORK.sec_certificate_copy_key(&certificate)?; + let key_type: CFString = get_key_attribute(&key, unsafe { kSecAttrKeyType })?; + let key_size_in_bits: CFNumber = get_key_attribute(&key, unsafe { kSecAttrKeySizeInBits })?; + let mut modulus = None; + let mut ec_params = None; + let sec_attr_key_type_ec = + unsafe { CFString::wrap_under_create_rule(kSecAttrKeyTypeECSECPrimeRandom) }; + let (key_type_enum, key_type_attribute) = + if key_type.as_concrete_TypeRef() == unsafe { kSecAttrKeyTypeRSA } { + let public_key = sec_key_copy_external_representation(&key)?; + let modulus_value = read_rsa_modulus(public_key.bytes())?; + modulus = Some(modulus_value); + (KeyType::RSA, CKK_RSA) + } else if key_type == sec_attr_key_type_ec { + // Assume all EC keys are secp256r1, secp384r1, or secp521r1. This + // is wrong, but the API doesn't seem to give us a way to determine + // which curve this key is on. + // This might not matter in practice, because it seems all NSS uses + // this for is to get the signature size. + let key_size_in_bits = match key_size_in_bits.to_i64() { + Some(value) => value, + None => return Err(error_here!(ErrorType::ValueTooLarge)), + }; + match key_size_in_bits { + 256 => ec_params = Some(ENCODED_OID_BYTES_SECP256R1.to_vec()), + 384 => ec_params = Some(ENCODED_OID_BYTES_SECP384R1.to_vec()), + 521 => ec_params = Some(ENCODED_OID_BYTES_SECP521R1.to_vec()), + _ => return Err(error_here!(ErrorType::UnsupportedInput)), + } + let coordinate_width = (key_size_in_bits as usize + 7) / 8; + (KeyType::EC(coordinate_width), CKK_EC) + } else { + return Err(error_here!(ErrorType::LibraryFailure)); + }; + + Ok(Key { + identity: identity.clone(), + class: serialize_uint(CKO_PRIVATE_KEY)?, + token: serialize_uint(CK_TRUE)?, + id, + private: serialize_uint(CK_TRUE)?, + key_type: serialize_uint(key_type_attribute)?, + modulus, + ec_params, + key_type_enum, + key_handle: None, + }) + } + + fn class(&self) -> &[u8] { + &self.class + } + + fn token(&self) -> &[u8] { + &self.token + } + + fn id(&self) -> &[u8] { + &self.id + } + + fn private(&self) -> &[u8] { + &self.private + } + + fn key_type(&self) -> &[u8] { + &self.key_type + } + + fn modulus(&self) -> Option<&[u8]> { + match &self.modulus { + Some(modulus) => Some(modulus.as_slice()), + None => None, + } + } + + fn ec_params(&self) -> Option<&[u8]> { + match &self.ec_params { + Some(ec_params) => Some(ec_params.as_slice()), + None => None, + } + } + + fn sign_internal( + &mut self, + data: &[u8], + params: &Option<CK_RSA_PKCS_PSS_PARAMS>, + ) -> Result<Vec<u8>, Error> { + // If this key hasn't been used for signing yet, there won't be a cached key handle. Obtain + // and cache it if this is the case. Doing so can cause the underlying implementation to + // show an authentication or pin prompt to the user. Caching the handle can avoid causing + // multiple prompts to be displayed in some cases. + if self.key_handle.is_none() { + let _ = self + .key_handle + .replace(sec_identity_copy_private_key(&self.identity)?); + } + let key = match &self.key_handle { + Some(key) => key, + None => return Err(error_here!(ErrorType::LibraryFailure)), + }; + let sign_params = SignParams::new(self.key_type_enum, data, params)?; + let signing_algorithm = sign_params.get_algorithm(); + let data_to_sign = CFData::from_buffer(sign_params.get_data_to_sign()); + let signature = sec_key_create_signature(key, signing_algorithm, &data_to_sign)?; + let signature_value = match self.key_type_enum { + KeyType::EC(coordinate_width) => { + // We need to convert the DER Ecdsa-Sig-Value to the + // concatenation of r and s, the coordinates of the point on + // the curve. r and s must be 0-padded to be coordinate_width + // total bytes. + let (r, s) = read_ec_sig_point(signature.bytes())?; + if r.len() > coordinate_width || s.len() > coordinate_width { + return Err(error_here!(ErrorType::InvalidInput)); + } + let mut signature_value = Vec::with_capacity(2 * coordinate_width); + let r_padding = vec![0; coordinate_width - r.len()]; + signature_value.extend(r_padding); + signature_value.extend_from_slice(r); + let s_padding = vec![0; coordinate_width - s.len()]; + signature_value.extend(s_padding); + signature_value.extend_from_slice(s); + signature_value + } + KeyType::RSA => signature.bytes().to_vec(), + }; + Ok(signature_value) + } +} + +impl CryptokiObject for Key { + fn matches(&self, slot_type: SlotType, attrs: &[(CK_ATTRIBUTE_TYPE, Vec<u8>)]) -> bool { + // The modern/legacy slot distinction in theory enables differentiation + // between keys that are from modules that can use modern cryptography + // (namely EC keys and RSA-PSS signatures) and those that cannot. + // However, the function that would enable this + // (SecKeyIsAlgorithmSupported) causes a password dialog to appear on + // our test machines, so this backend pretends that everything supports + // modern crypto for now. + if slot_type != SlotType::Modern { + return false; + } + for (attr_type, attr_value) in attrs { + let comparison = match *attr_type { + CKA_CLASS => self.class(), + CKA_TOKEN => self.token(), + CKA_ID => self.id(), + CKA_PRIVATE => self.private(), + CKA_KEY_TYPE => self.key_type(), + CKA_MODULUS => { + if let Some(modulus) = self.modulus() { + modulus + } else { + return false; + } + } + CKA_EC_PARAMS => { + if let Some(ec_params) = self.ec_params() { + ec_params + } else { + return false; + } + } + _ => return false, + }; + if attr_value.as_slice() != comparison { + return false; + } + } + true + } + + fn get_attribute(&self, attribute: CK_ATTRIBUTE_TYPE) -> Option<&[u8]> { + match attribute { + CKA_CLASS => Some(self.class()), + CKA_TOKEN => Some(self.token()), + CKA_ID => Some(self.id()), + CKA_PRIVATE => Some(self.private()), + CKA_KEY_TYPE => Some(self.key_type()), + CKA_MODULUS => self.modulus(), + CKA_EC_PARAMS => self.ec_params(), + _ => None, + } + } +} + +impl Sign for Key { + fn get_signature_length( + &mut self, + data: &[u8], + params: &Option<CK_RSA_PKCS_PSS_PARAMS>, + ) -> Result<usize, Error> { + // Unfortunately we don't have a way of getting the length of a signature without creating + // one. + let dummy_signature_bytes = self.sign(data, params)?; + Ok(dummy_signature_bytes.len()) + } + + // The input data is a hash. What algorithm we use depends on the size of the hash. + fn sign( + &mut self, + data: &[u8], + params: &Option<CK_RSA_PKCS_PSS_PARAMS>, + ) -> Result<Vec<u8>, Error> { + let result = self.sign_internal(data, params); + if result.is_ok() { + return result; + } + // Some devices appear to not work well when the key handle is held for too long or if a + // card is inserted/removed while Firefox is running. Try refreshing the key handle. + let _ = self.key_handle.take(); + self.sign_internal(data, params) + } +} + +fn get_key_attribute<T: TCFType + Clone>(key: &SecKey, attr: CFStringRef) -> Result<T, Error> { + let attributes: CFDictionary<CFString, T> = sec_key_copy_attributes(key); + match attributes.find(attr as *const _) { + Some(value) => Ok((*value).clone()), + None => Err(error_here!(ErrorType::ExternalError)), + } +} + +// Given a SecIdentity, attempts to build as much of a path to a trust anchor as possible, gathers +// the CA certificates from that path, and returns them. The purpose of this function is not to +// validate the given certificate but to find CA certificates that gecko may need to do path +// building when filtering client certificates according to the acceptable CA list sent by the +// server during client authentication. +fn get_issuers(identity: &SecIdentity) -> Result<Vec<SecCertificate>, Error> { + let certificate = sec_identity_copy_certificate(identity)?; + let policy = unsafe { SecPolicyCreateSSL(false, std::ptr::null()) }; + if policy.is_null() { + return Err(error_here!(ErrorType::ExternalError)); + } + let policy = unsafe { SecPolicy::wrap_under_create_rule(policy) }; + let mut trust = std::ptr::null(); + // Each of SecTrustCreateWithCertificates' input arguments can be either single items or an + // array of items. Since we only want to specify one of each, we directly specify the arguments. + let status = unsafe { + SecTrustCreateWithCertificates( + certificate.as_concrete_TypeRef(), + policy.as_concrete_TypeRef(), + &mut trust, + ) + }; + if status != errSecSuccess { + return Err(error_here!(ErrorType::ExternalError)); + } + if trust.is_null() { + return Err(error_here!(ErrorType::ExternalError)); + } + let trust = unsafe { SecTrust::wrap_under_create_rule(trust) }; + // Disable AIA fetching so that SecTrustEvaluateWithError doesn't result in network I/O. + let status = unsafe { SecTrustSetNetworkFetchAllowed(trust.as_concrete_TypeRef(), 0) }; + if status != errSecSuccess { + return Err(error_here!(ErrorType::ExternalError)); + } + // We ignore the return value here because we don't care if the certificate is trusted or not - + // we're only doing this to build its issuer chain as much as possible. + let _ = SECURITY_FRAMEWORK.sec_trust_evaluate_with_error(&trust)?; + let certificate_count = unsafe { SecTrustGetCertificateCount(trust.as_concrete_TypeRef()) }; + let mut certificates = Vec::with_capacity( + certificate_count + .try_into() + .map_err(|_| error_here!(ErrorType::ValueTooLarge))?, + ); + for i in 1..certificate_count { + let certificate = unsafe { SecTrustGetCertificateAtIndex(trust.as_concrete_TypeRef(), i) }; + if certificate.is_null() { + error!("SecTrustGetCertificateAtIndex returned null certificate?"); + continue; + } + let certificate = unsafe { SecCertificate::wrap_under_get_rule(certificate) }; + certificates.push(certificate); + } + Ok(certificates) +} + +pub struct Backend {} + +impl ClientCertsBackend for Backend { + type Cert = Cert; + type Key = Key; + + fn find_objects(&self) -> Result<(Vec<Cert>, Vec<Key>), Error> { + let mut certs = Vec::new(); + let mut keys = Vec::new(); + let identities = unsafe { + let class_key = CFString::wrap_under_get_rule(kSecClass); + let class_value = CFString::wrap_under_get_rule(kSecClassIdentity); + let return_ref_key = CFString::wrap_under_get_rule(kSecReturnRef); + let return_ref_value = CFBoolean::wrap_under_get_rule(kCFBooleanTrue); + let match_key = CFString::wrap_under_get_rule(kSecMatchLimit); + let match_value = CFString::wrap_under_get_rule(kSecMatchLimitAll); + let vals = vec![ + (class_key.as_CFType(), class_value.as_CFType()), + (return_ref_key.as_CFType(), return_ref_value.as_CFType()), + (match_key.as_CFType(), match_value.as_CFType()), + ]; + let dict = CFDictionary::from_CFType_pairs(&vals); + let mut result = std::ptr::null(); + let status = SecItemCopyMatching(dict.as_CFTypeRef() as CFDictionaryRef, &mut result); + if status == errSecItemNotFound { + return Ok((certs, keys)); + } + if status != errSecSuccess { + return Err(error_here!(ErrorType::ExternalError, status.to_string())); + } + if result.is_null() { + return Err(error_here!(ErrorType::ExternalError)); + } + CFArray::<SecIdentityRef>::wrap_under_create_rule(result as CFArrayRef) + }; + for identity in identities.get_all_values().iter() { + let identity = unsafe { SecIdentity::wrap_under_get_rule(*identity as SecIdentityRef) }; + let cert = Cert::new_from_identity(&identity); + let key = Key::new(&identity); + if let (Ok(cert), Ok(key)) = (cert, key) { + certs.push(cert); + keys.push(key); + } else { + continue; + } + if let Ok(issuers) = get_issuers(&identity) { + for issuer in issuers { + if let Ok(cert) = Cert::new_from_certificate(&issuer) { + certs.push(cert); + } + } + } + } + Ok((certs, keys)) + } +} diff --git a/security/manager/ssl/osclientcerts/src/backend_windows.rs b/security/manager/ssl/osclientcerts/src/backend_windows.rs new file mode 100644 index 0000000000..2a80ff8354 --- /dev/null +++ b/security/manager/ssl/osclientcerts/src/backend_windows.rs @@ -0,0 +1,914 @@ +/* -*- Mode: rust; rust-indent-offset: 4 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#![allow(non_camel_case_types)] + +use pkcs11_bindings::*; +use rsclientcerts::error::{Error, ErrorType}; +use rsclientcerts::manager::{ClientCertsBackend, CryptokiObject, Sign, SlotType}; +use rsclientcerts::util::*; +use sha2::{Digest, Sha256}; +use std::convert::TryInto; +use std::ffi::{c_void, CStr, CString}; +use std::ops::Deref; +use std::slice; +use winapi::shared::bcrypt::*; +use winapi::shared::minwindef::{DWORD, PBYTE}; +use winapi::um::errhandlingapi::GetLastError; +use winapi::um::ncrypt::*; +use winapi::um::wincrypt::{HCRYPTHASH, HCRYPTPROV, *}; + +// winapi has some support for ncrypt.h, but not for this function. +extern "system" { + fn NCryptSignHash( + hKey: NCRYPT_KEY_HANDLE, + pPaddingInfo: *mut c_void, + pbHashValue: PBYTE, + cbHashValue: DWORD, + pbSignature: PBYTE, + cbSignature: DWORD, + pcbResult: *mut DWORD, + dwFlags: DWORD, + ) -> SECURITY_STATUS; +} + +/// Given a `CERT_INFO`, tries to return the bytes of the subject distinguished name as formatted by +/// `CertNameToStrA` using the flag `CERT_SIMPLE_NAME_STR`. This is used as the label for the +/// certificate. +fn get_cert_subject_dn(cert_info: &CERT_INFO) -> Result<Vec<u8>, Error> { + let mut cert_info_subject = cert_info.Subject; + let subject_dn_len = unsafe { + CertNameToStrA( + X509_ASN_ENCODING, + &mut cert_info_subject, + CERT_SIMPLE_NAME_STR, + std::ptr::null_mut(), + 0, + ) + }; + // subject_dn_len includes the terminating null byte. + let mut subject_dn_string_bytes: Vec<u8> = vec![0; subject_dn_len as usize]; + let subject_dn_len = unsafe { + CertNameToStrA( + X509_ASN_ENCODING, + &mut cert_info_subject, + CERT_SIMPLE_NAME_STR, + subject_dn_string_bytes.as_mut_ptr() as *mut i8, + subject_dn_string_bytes + .len() + .try_into() + .map_err(|_| error_here!(ErrorType::ValueTooLarge))?, + ) + }; + if subject_dn_len as usize != subject_dn_string_bytes.len() { + return Err(error_here!(ErrorType::ExternalError)); + } + Ok(subject_dn_string_bytes) +} + +/// Represents a certificate for which there exists a corresponding private key. +pub struct Cert { + /// PKCS #11 object class. Will be `CKO_CERTIFICATE`. + class: Vec<u8>, + /// Whether or not this is on a token. Will be `CK_TRUE`. + token: Vec<u8>, + /// An identifier unique to this certificate. Must be the same as the ID for the private key. + id: Vec<u8>, + /// The bytes of a human-readable label for this certificate. Will be the subject DN. + label: Vec<u8>, + /// The DER bytes of the certificate. + value: Vec<u8>, + /// The DER bytes of the issuer distinguished name of the certificate. + issuer: Vec<u8>, + /// The DER bytes of the serial number of the certificate. + serial_number: Vec<u8>, + /// The DER bytes of the subject distinguished name of the certificate. + subject: Vec<u8>, + /// Which slot this certificate should be exposed on. + slot_type: SlotType, +} + +impl Cert { + fn new(cert_context: PCCERT_CONTEXT) -> Result<Cert, Error> { + let cert = unsafe { &*cert_context }; + let cert_info = unsafe { &*cert.pCertInfo }; + let value = + unsafe { slice::from_raw_parts(cert.pbCertEncoded, cert.cbCertEncoded as usize) }; + let value = value.to_vec(); + let id = Sha256::digest(&value).to_vec(); + let label = get_cert_subject_dn(cert_info)?; + let (serial_number, issuer, subject) = read_encoded_certificate_identifiers(&value)?; + Ok(Cert { + class: serialize_uint(CKO_CERTIFICATE)?, + token: serialize_uint(CK_TRUE)?, + id, + label, + value, + issuer, + serial_number, + subject, + slot_type: SlotType::Modern, + }) + } + + fn class(&self) -> &[u8] { + &self.class + } + + fn token(&self) -> &[u8] { + &self.token + } + + fn id(&self) -> &[u8] { + &self.id + } + + fn label(&self) -> &[u8] { + &self.label + } + + fn value(&self) -> &[u8] { + &self.value + } + + fn issuer(&self) -> &[u8] { + &self.issuer + } + + fn serial_number(&self) -> &[u8] { + &self.serial_number + } + + fn subject(&self) -> &[u8] { + &self.subject + } +} + +impl CryptokiObject for Cert { + fn matches(&self, slot_type: SlotType, attrs: &[(CK_ATTRIBUTE_TYPE, Vec<u8>)]) -> bool { + if slot_type != self.slot_type { + return false; + } + for (attr_type, attr_value) in attrs { + let comparison = match *attr_type { + CKA_CLASS => self.class(), + CKA_TOKEN => self.token(), + CKA_LABEL => self.label(), + CKA_ID => self.id(), + CKA_VALUE => self.value(), + CKA_ISSUER => self.issuer(), + CKA_SERIAL_NUMBER => self.serial_number(), + CKA_SUBJECT => self.subject(), + _ => return false, + }; + if attr_value.as_slice() != comparison { + return false; + } + } + true + } + + fn get_attribute(&self, attribute: CK_ATTRIBUTE_TYPE) -> Option<&[u8]> { + let result = match attribute { + CKA_CLASS => self.class(), + CKA_TOKEN => self.token(), + CKA_LABEL => self.label(), + CKA_ID => self.id(), + CKA_VALUE => self.value(), + CKA_ISSUER => self.issuer(), + CKA_SERIAL_NUMBER => self.serial_number(), + CKA_SUBJECT => self.subject(), + _ => return None, + }; + Some(result) + } +} + +struct CertContext(PCCERT_CONTEXT); + +impl CertContext { + fn new(cert: PCCERT_CONTEXT) -> CertContext { + CertContext(unsafe { CertDuplicateCertificateContext(cert) }) + } +} + +impl Drop for CertContext { + fn drop(&mut self) { + unsafe { + CertFreeCertificateContext(self.0); + } + } +} + +impl Deref for CertContext { + type Target = PCCERT_CONTEXT; + + fn deref(&self) -> &Self::Target { + &self.0 + } +} + +enum KeyHandle { + NCrypt(NCRYPT_KEY_HANDLE), + CryptoAPI(HCRYPTPROV, DWORD), +} + +impl KeyHandle { + fn from_cert(cert: &CertContext) -> Result<KeyHandle, Error> { + let mut key_handle = 0; + let mut key_spec = 0; + let mut must_free = 0; + unsafe { + if CryptAcquireCertificatePrivateKey( + **cert, + CRYPT_ACQUIRE_PREFER_NCRYPT_KEY_FLAG, + std::ptr::null_mut(), + &mut key_handle, + &mut key_spec, + &mut must_free, + ) != 1 + { + return Err(error_here!( + ErrorType::ExternalError, + GetLastError().to_string() + )); + } + } + if must_free == 0 { + return Err(error_here!(ErrorType::ExternalError)); + } + if key_spec == CERT_NCRYPT_KEY_SPEC { + Ok(KeyHandle::NCrypt(key_handle as NCRYPT_KEY_HANDLE)) + } else { + Ok(KeyHandle::CryptoAPI(key_handle as HCRYPTPROV, key_spec)) + } + } + + fn sign( + &self, + data: &[u8], + params: &Option<CK_RSA_PKCS_PSS_PARAMS>, + do_signature: bool, + key_type: KeyType, + ) -> Result<Vec<u8>, Error> { + match &self { + KeyHandle::NCrypt(ncrypt_handle) => { + sign_ncrypt(ncrypt_handle, data, params, do_signature, key_type) + } + KeyHandle::CryptoAPI(hcryptprov, key_spec) => { + sign_cryptoapi(hcryptprov, key_spec, data, params, do_signature) + } + } + } +} + +impl Drop for KeyHandle { + fn drop(&mut self) { + match self { + KeyHandle::NCrypt(ncrypt_handle) => unsafe { + let _ = NCryptFreeObject(*ncrypt_handle); + }, + KeyHandle::CryptoAPI(hcryptprov, _) => unsafe { + let _ = CryptReleaseContext(*hcryptprov, 0); + }, + } + } +} + +fn sign_ncrypt( + ncrypt_handle: &NCRYPT_KEY_HANDLE, + data: &[u8], + params: &Option<CK_RSA_PKCS_PSS_PARAMS>, + do_signature: bool, + key_type: KeyType, +) -> Result<Vec<u8>, Error> { + let mut sign_params = SignParams::new(key_type, params)?; + let params_ptr = sign_params.params_ptr(); + let flags = sign_params.flags(); + let mut data = data.to_vec(); + let mut signature_len = 0; + // We call NCryptSignHash twice: the first time to get the size of the buffer we need to + // allocate and then again to actually sign the data, if `do_signature` is `true`. + let status = unsafe { + NCryptSignHash( + *ncrypt_handle, + params_ptr, + data.as_mut_ptr(), + data.len() + .try_into() + .map_err(|_| error_here!(ErrorType::ValueTooLarge))?, + std::ptr::null_mut(), + 0, + &mut signature_len, + flags, + ) + }; + // 0 is "ERROR_SUCCESS" (but "ERROR_SUCCESS" is unsigned, whereas SECURITY_STATUS is signed) + if status != 0 { + return Err(error_here!(ErrorType::ExternalError, status.to_string())); + } + let mut signature = vec![0; signature_len as usize]; + if !do_signature { + return Ok(signature); + } + let mut final_signature_len = signature_len; + let status = unsafe { + NCryptSignHash( + *ncrypt_handle, + params_ptr, + data.as_mut_ptr(), + data.len() + .try_into() + .map_err(|_| error_here!(ErrorType::ValueTooLarge))?, + signature.as_mut_ptr(), + signature_len, + &mut final_signature_len, + flags, + ) + }; + if status != 0 { + return Err(error_here!(ErrorType::ExternalError, status.to_string())); + } + if final_signature_len != signature_len { + return Err(error_here!(ErrorType::ExternalError)); + } + Ok(signature) +} + +fn sign_cryptoapi( + hcryptprov: &HCRYPTPROV, + key_spec: &DWORD, + data: &[u8], + params: &Option<CK_RSA_PKCS_PSS_PARAMS>, + do_signature: bool, +) -> Result<Vec<u8>, Error> { + if params.is_some() { + return Err(error_here!(ErrorType::LibraryFailure)); + } + // data will be an encoded DigestInfo, which specifies the hash algorithm and bytes of the hash + // to sign. However, CryptoAPI requires directly specifying the bytes of the hash, so it must + // be extracted first. + let (_, hash_bytes) = read_digest_info(data)?; + let hash = HCryptHash::new(hcryptprov, hash_bytes)?; + let mut signature_len = 0; + if unsafe { + CryptSignHashW( + *hash, + *key_spec, + std::ptr::null_mut(), + 0, + std::ptr::null_mut(), + &mut signature_len, + ) + } != 1 + { + return Err(error_here!( + ErrorType::ExternalError, + unsafe { GetLastError() }.to_string() + )); + } + let mut signature = vec![0; signature_len as usize]; + if !do_signature { + return Ok(signature); + } + let mut final_signature_len = signature_len; + if unsafe { + CryptSignHashW( + *hash, + *key_spec, + std::ptr::null_mut(), + 0, + signature.as_mut_ptr(), + &mut final_signature_len, + ) + } != 1 + { + return Err(error_here!( + ErrorType::ExternalError, + unsafe { GetLastError() }.to_string() + )); + } + if final_signature_len != signature_len { + return Err(error_here!(ErrorType::ExternalError)); + } + // CryptoAPI returns the signature with the most significant byte last (little-endian), + // whereas PKCS#11 expects the most significant byte first (big-endian). + signature.reverse(); + Ok(signature) +} + +struct HCryptHash(HCRYPTHASH); + +impl HCryptHash { + fn new(hcryptprov: &HCRYPTPROV, hash_bytes: &[u8]) -> Result<HCryptHash, Error> { + let alg = match hash_bytes.len() { + 20 => CALG_SHA1, + 32 => CALG_SHA_256, + 48 => CALG_SHA_384, + 64 => CALG_SHA_512, + _ => { + return Err(error_here!(ErrorType::UnsupportedInput)); + } + }; + let mut hash: HCRYPTHASH = 0; + if unsafe { CryptCreateHash(*hcryptprov, alg, 0, 0, &mut hash) } != 1 { + return Err(error_here!( + ErrorType::ExternalError, + unsafe { GetLastError() }.to_string() + )); + } + if unsafe { CryptSetHashParam(hash, HP_HASHVAL, hash_bytes.as_ptr(), 0) } != 1 { + return Err(error_here!( + ErrorType::ExternalError, + unsafe { GetLastError() }.to_string() + )); + } + Ok(HCryptHash(hash)) + } +} + +impl Drop for HCryptHash { + fn drop(&mut self) { + unsafe { + CryptDestroyHash(self.0); + } + } +} + +impl Deref for HCryptHash { + type Target = HCRYPTHASH; + + fn deref(&self) -> &Self::Target { + &self.0 + } +} + +// In some cases, the ncrypt API takes a pointer to a null-terminated wide-character string as a way +// of specifying an algorithm. The "right" way to do this would be to take the corresponding +// &'static str constant provided by the winapi crate, create an OsString from it, encode it as wide +// characters, and collect it into a Vec<u16>. However, since the implementation that provides this +// functionality isn't constant, we would have to manage the memory this creates and uses. Since +// rust structures generally can't be self-referrential, this memory would have to live elsewhere, +// and the nice abstractions we've created for this implementation start to break down. It's much +// simpler to hard-code the identifiers we support, since there are only four of them. +// The following arrays represent the identifiers "SHA1", "SHA256", "SHA384", and "SHA512", +// respectively. +const SHA1_ALGORITHM_STRING: &[u16] = &[83, 72, 65, 49, 0]; +const SHA256_ALGORITHM_STRING: &[u16] = &[83, 72, 65, 50, 53, 54, 0]; +const SHA384_ALGORITHM_STRING: &[u16] = &[83, 72, 65, 51, 56, 52, 0]; +const SHA512_ALGORITHM_STRING: &[u16] = &[83, 72, 65, 53, 49, 50, 0]; + +enum SignParams { + EC, + RSA_PKCS1(BCRYPT_PKCS1_PADDING_INFO), + RSA_PSS(BCRYPT_PSS_PADDING_INFO), +} + +impl SignParams { + fn new( + key_type: KeyType, + params: &Option<CK_RSA_PKCS_PSS_PARAMS>, + ) -> Result<SignParams, Error> { + // EC is easy, so handle that first. + match key_type { + KeyType::EC => return Ok(SignParams::EC), + KeyType::RSA => {} + } + // If `params` is `Some`, we're doing RSA-PSS. If it is `None`, we're doing RSA-PKCS1. + let pss_params = match params { + Some(pss_params) => pss_params, + None => { + // The hash algorithm should be encoded in the data to be signed, so we don't have to + // (and don't want to) specify a particular algorithm here. + return Ok(SignParams::RSA_PKCS1(BCRYPT_PKCS1_PADDING_INFO { + pszAlgId: std::ptr::null(), + })); + } + }; + let algorithm_string = match pss_params.hashAlg { + CKM_SHA_1 => SHA1_ALGORITHM_STRING, + CKM_SHA256 => SHA256_ALGORITHM_STRING, + CKM_SHA384 => SHA384_ALGORITHM_STRING, + CKM_SHA512 => SHA512_ALGORITHM_STRING, + _ => { + return Err(error_here!(ErrorType::UnsupportedInput)); + } + }; + Ok(SignParams::RSA_PSS(BCRYPT_PSS_PADDING_INFO { + pszAlgId: algorithm_string.as_ptr(), + cbSalt: pss_params.sLen, + })) + } + + fn params_ptr(&mut self) -> *mut std::ffi::c_void { + match self { + SignParams::EC => std::ptr::null_mut(), + SignParams::RSA_PKCS1(params) => { + params as *mut BCRYPT_PKCS1_PADDING_INFO as *mut std::ffi::c_void + } + SignParams::RSA_PSS(params) => { + params as *mut BCRYPT_PSS_PADDING_INFO as *mut std::ffi::c_void + } + } + } + + fn flags(&self) -> u32 { + match *self { + SignParams::EC => 0, + SignParams::RSA_PKCS1(_) => NCRYPT_PAD_PKCS1_FLAG, + SignParams::RSA_PSS(_) => NCRYPT_PAD_PSS_FLAG, + } + } +} + +/// A helper enum to identify a private key's type. We support EC and RSA. +#[allow(clippy::upper_case_acronyms)] +#[derive(Clone, Copy, Debug)] +pub enum KeyType { + EC, + RSA, +} + +/// Represents a private key for which there exists a corresponding certificate. +pub struct Key { + /// A handle on the OS mechanism that represents the certificate for this key. + cert: CertContext, + /// PKCS #11 object class. Will be `CKO_PRIVATE_KEY`. + class: Vec<u8>, + /// Whether or not this is on a token. Will be `CK_TRUE`. + token: Vec<u8>, + /// An identifier unique to this key. Must be the same as the ID for the certificate. + id: Vec<u8>, + /// Whether or not this key is "private" (can it be exported?). Will be CK_TRUE (it can't be + /// exported). + private: Vec<u8>, + /// PKCS #11 key type. Will be `CKK_EC` for EC, and `CKK_RSA` for RSA. + key_type: Vec<u8>, + /// If this is an RSA key, this is the value of the modulus as an unsigned integer. + modulus: Option<Vec<u8>>, + /// If this is an EC key, this is the DER bytes of the OID identifying the curve the key is on. + ec_params: Option<Vec<u8>>, + /// An enum identifying this key's type. + key_type_enum: KeyType, + /// Which slot this key should be exposed on. + slot_type: SlotType, + /// A handle on the OS mechanism that represents this key. + key_handle: Option<KeyHandle>, +} + +impl Key { + fn new(cert_context: PCCERT_CONTEXT) -> Result<Key, Error> { + let cert = unsafe { *cert_context }; + let cert_der = + unsafe { slice::from_raw_parts(cert.pbCertEncoded, cert.cbCertEncoded as usize) }; + let id = Sha256::digest(cert_der).to_vec(); + let id = id.to_vec(); + let cert_info = unsafe { &*cert.pCertInfo }; + let mut modulus = None; + let mut ec_params = None; + let spki = &cert_info.SubjectPublicKeyInfo; + let algorithm_oid = unsafe { CStr::from_ptr(spki.Algorithm.pszObjId) } + .to_str() + .map_err(|_| error_here!(ErrorType::ExternalError))?; + let (key_type_enum, key_type_attribute) = if algorithm_oid == szOID_RSA_RSA { + if spki.PublicKey.cUnusedBits != 0 { + return Err(error_here!(ErrorType::ExternalError)); + } + let public_key_bytes = unsafe { + std::slice::from_raw_parts(spki.PublicKey.pbData, spki.PublicKey.cbData as usize) + }; + let modulus_value = read_rsa_modulus(public_key_bytes)?; + modulus = Some(modulus_value); + (KeyType::RSA, CKK_RSA) + } else if algorithm_oid == szOID_ECC_PUBLIC_KEY { + let params = &spki.Algorithm.Parameters; + ec_params = Some( + unsafe { std::slice::from_raw_parts(params.pbData, params.cbData as usize) } + .to_vec(), + ); + (KeyType::EC, CKK_EC) + } else { + return Err(error_here!(ErrorType::LibraryFailure)); + }; + let cert = CertContext::new(cert_context); + Ok(Key { + cert, + class: serialize_uint(CKO_PRIVATE_KEY)?, + token: serialize_uint(CK_TRUE)?, + id, + private: serialize_uint(CK_TRUE)?, + key_type: serialize_uint(key_type_attribute)?, + modulus, + ec_params, + key_type_enum, + slot_type: SlotType::Modern, + key_handle: None, + }) + } + + fn class(&self) -> &[u8] { + &self.class + } + + fn token(&self) -> &[u8] { + &self.token + } + + fn id(&self) -> &[u8] { + &self.id + } + + fn private(&self) -> &[u8] { + &self.private + } + + fn key_type(&self) -> &[u8] { + &self.key_type + } + + fn modulus(&self) -> Option<&[u8]> { + match &self.modulus { + Some(modulus) => Some(modulus.as_slice()), + None => None, + } + } + + fn ec_params(&self) -> Option<&[u8]> { + match &self.ec_params { + Some(ec_params) => Some(ec_params.as_slice()), + None => None, + } + } + + fn sign_with_retry( + &mut self, + data: &[u8], + params: &Option<CK_RSA_PKCS_PSS_PARAMS>, + do_signature: bool, + ) -> Result<Vec<u8>, Error> { + let result = self.sign_internal(data, params, do_signature); + if result.is_ok() { + return result; + } + // Some devices appear to not work well when the key handle is held for too long or if a + // card is inserted/removed while Firefox is running. Try refreshing the key handle. + debug!("sign failed: refreshing key handle"); + let _ = self.key_handle.take(); + self.sign_internal(data, params, do_signature) + } + + /// data: the data to sign + /// do_signature: if true, actually perform the signature. Otherwise, return a `Vec<u8>` of the + /// length the signature would be, if performed. + fn sign_internal( + &mut self, + data: &[u8], + params: &Option<CK_RSA_PKCS_PSS_PARAMS>, + do_signature: bool, + ) -> Result<Vec<u8>, Error> { + // If this key hasn't been used for signing yet, there won't be a cached key handle. Obtain + // and cache it if this is the case. Doing so can cause the underlying implementation to + // show an authentication or pin prompt to the user. Caching the handle can avoid causing + // multiple prompts to be displayed in some cases. + if self.key_handle.is_none() { + let _ = self.key_handle.replace(KeyHandle::from_cert(&self.cert)?); + } + let key = match &self.key_handle { + Some(key) => key, + None => return Err(error_here!(ErrorType::LibraryFailure)), + }; + key.sign(data, params, do_signature, self.key_type_enum) + } +} + +impl CryptokiObject for Key { + fn matches(&self, slot_type: SlotType, attrs: &[(CK_ATTRIBUTE_TYPE, Vec<u8>)]) -> bool { + if slot_type != self.slot_type { + return false; + } + for (attr_type, attr_value) in attrs { + let comparison = match *attr_type { + CKA_CLASS => self.class(), + CKA_TOKEN => self.token(), + CKA_ID => self.id(), + CKA_PRIVATE => self.private(), + CKA_KEY_TYPE => self.key_type(), + CKA_MODULUS => { + if let Some(modulus) = self.modulus() { + modulus + } else { + return false; + } + } + CKA_EC_PARAMS => { + if let Some(ec_params) = self.ec_params() { + ec_params + } else { + return false; + } + } + _ => return false, + }; + if attr_value.as_slice() != comparison { + return false; + } + } + true + } + + fn get_attribute(&self, attribute: CK_ATTRIBUTE_TYPE) -> Option<&[u8]> { + match attribute { + CKA_CLASS => Some(self.class()), + CKA_TOKEN => Some(self.token()), + CKA_ID => Some(self.id()), + CKA_PRIVATE => Some(self.private()), + CKA_KEY_TYPE => Some(self.key_type()), + CKA_MODULUS => self.modulus(), + CKA_EC_PARAMS => self.ec_params(), + _ => None, + } + } +} + +impl Sign for Key { + fn get_signature_length( + &mut self, + data: &[u8], + params: &Option<CK_RSA_PKCS_PSS_PARAMS>, + ) -> Result<usize, Error> { + match self.sign_with_retry(data, params, false) { + Ok(dummy_signature_bytes) => Ok(dummy_signature_bytes.len()), + Err(e) => Err(e), + } + } + + fn sign( + &mut self, + data: &[u8], + params: &Option<CK_RSA_PKCS_PSS_PARAMS>, + ) -> Result<Vec<u8>, Error> { + self.sign_with_retry(data, params, true) + } +} + +struct CertStore { + handle: HCERTSTORE, +} + +impl Drop for CertStore { + fn drop(&mut self) { + if !self.handle.is_null() { + unsafe { + CertCloseStore(self.handle, 0); + } + } + } +} + +impl Deref for CertStore { + type Target = HCERTSTORE; + + fn deref(&self) -> &Self::Target { + &self.handle + } +} + +impl CertStore { + fn new(handle: HCERTSTORE) -> CertStore { + CertStore { handle } + } +} + +// Given a pointer to a CERT_CHAIN_CONTEXT, enumerates each chain in the context and each element +// in each chain to gather every CERT_CONTEXT pointed to by the CERT_CHAIN_CONTEXT. +// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-cert_chain_context says +// that the 0th element of the 0th chain will be the end-entity certificate. This certificate (if +// present), will be the 0th element of the returned Vec. +fn gather_cert_contexts(cert_chain_context: *const CERT_CHAIN_CONTEXT) -> Vec<*const CERT_CONTEXT> { + let mut cert_contexts = Vec::new(); + if cert_chain_context.is_null() { + return cert_contexts; + } + let cert_chain_context = unsafe { &*cert_chain_context }; + let cert_chains = unsafe { + std::slice::from_raw_parts( + cert_chain_context.rgpChain, + cert_chain_context.cChain as usize, + ) + }; + for cert_chain in cert_chains { + // First dereference the borrow. + let cert_chain = *cert_chain; + if cert_chain.is_null() { + continue; + } + // Then dereference the pointer. + let cert_chain = unsafe { &*cert_chain }; + let chain_elements = unsafe { + std::slice::from_raw_parts(cert_chain.rgpElement, cert_chain.cElement as usize) + }; + for chain_element in chain_elements { + let chain_element = *chain_element; // dereference borrow + if chain_element.is_null() { + continue; + } + let chain_element = unsafe { &*chain_element }; // dereference pointer + cert_contexts.push(chain_element.pCertContext); + } + } + cert_contexts +} + +pub struct Backend {} + +impl ClientCertsBackend for Backend { + type Cert = Cert; + type Key = Key; + + /// Attempts to enumerate certificates with private keys exposed by the OS. Currently only looks in + /// the "My" cert store of the current user. In the future this may look in more locations. + fn find_objects(&self) -> Result<(Vec<Cert>, Vec<Key>), Error> { + let mut certs = Vec::new(); + let mut keys = Vec::new(); + let location_flags = CERT_SYSTEM_STORE_CURRENT_USER + | CERT_STORE_OPEN_EXISTING_FLAG + | CERT_STORE_READONLY_FLAG; + let store_name = match CString::new("My") { + Ok(store_name) => store_name, + Err(_) => return Err(error_here!(ErrorType::LibraryFailure)), + }; + let store = CertStore::new(unsafe { + CertOpenStore( + CERT_STORE_PROV_SYSTEM_REGISTRY_A, + 0, + 0, + location_flags, + store_name.as_ptr() as *const winapi::ctypes::c_void, + ) + }); + if store.is_null() { + return Err(error_here!(ErrorType::ExternalError)); + } + let find_params = CERT_CHAIN_FIND_ISSUER_PARA { + cbSize: std::mem::size_of::<CERT_CHAIN_FIND_ISSUER_PARA>() as u32, + pszUsageIdentifier: std::ptr::null(), + dwKeySpec: 0, + dwAcquirePrivateKeyFlags: 0, + cIssuer: 0, + rgIssuer: std::ptr::null_mut(), + pfnFindCallback: None, + pvFindArg: std::ptr::null_mut(), + pdwIssuerChainIndex: std::ptr::null_mut(), + pdwIssuerElementIndex: std::ptr::null_mut(), + }; + let mut cert_chain_context: PCCERT_CHAIN_CONTEXT = std::ptr::null_mut(); + loop { + // CertFindChainInStore finds all certificates with private keys in the store. It also + // attempts to build a verified certificate chain to a trust anchor for each certificate. + // We gather and hold onto these extra certificates so that gecko can use them when + // filtering potential client certificates according to the acceptable CAs list sent by + // servers when they request client certificates. + cert_chain_context = unsafe { + CertFindChainInStore( + *store, + X509_ASN_ENCODING, + CERT_CHAIN_FIND_BY_ISSUER_CACHE_ONLY_FLAG + | CERT_CHAIN_FIND_BY_ISSUER_CACHE_ONLY_URL_FLAG, + CERT_CHAIN_FIND_BY_ISSUER, + &find_params as *const CERT_CHAIN_FIND_ISSUER_PARA + as *const winapi::ctypes::c_void, + cert_chain_context, + ) + }; + if cert_chain_context.is_null() { + break; + } + let cert_contexts = gather_cert_contexts(cert_chain_context); + // The 0th CERT_CONTEXT is the end-entity (i.e. the certificate with the private key we're + // after). + match cert_contexts.get(0) { + Some(cert_context) => { + let key = match Key::new(*cert_context) { + Ok(key) => key, + Err(_) => continue, + }; + let cert = match Cert::new(*cert_context) { + Ok(cert) => cert, + Err(_) => continue, + }; + certs.push(cert); + keys.push(key); + } + None => {} + }; + for cert_context in cert_contexts.iter().skip(1) { + if let Ok(cert) = Cert::new(*cert_context) { + certs.push(cert); + } + } + } + Ok((certs, keys)) + } +} diff --git a/security/manager/ssl/osclientcerts/src/bindings_macos.rs b/security/manager/ssl/osclientcerts/src/bindings_macos.rs new file mode 100644 index 0000000000..7294bbb555 --- /dev/null +++ b/security/manager/ssl/osclientcerts/src/bindings_macos.rs @@ -0,0 +1,79 @@ +/* -*- Mode: rust; rust-indent-offset: 4 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +// This was originally generated by rust-bindgen at build time. Later in +// development it became clear that using bindgen for this library as part of +// mozilla-central would be difficult (if not impossible). So, this was +// converted to a static file and unused declarations were removed. Also, +// intermediate types added by rust-bindgen were removed for clarity. + +pub type OSStatus = i32; +pub const errSecSuccess: OSStatus = 0; +pub const errSecItemNotFound: OSStatus = -25300; + +pub type SecKeyAlgorithm = CFStringRef; + +extern "C" { + // Available starting macOS 10.3 + pub fn SecCertificateGetTypeID() -> CFTypeID; + pub fn SecTrustCreateWithCertificates( + certificates: SecCertificateRef, + policies: SecPolicyRef, + trust: *mut SecTrustRef, + ) -> OSStatus; + pub fn SecIdentityGetTypeID() -> CFTypeID; + pub fn SecIdentityCopyCertificate( + identityRef: SecIdentityRef, + certificateRef: *mut SecCertificateRef, + ) -> OSStatus; + pub fn SecIdentityCopyPrivateKey( + identityRef: SecIdentityRef, + privateKeyRef: *mut SecKeyRef, + ) -> OSStatus; + pub fn SecKeyGetTypeID() -> CFTypeID; + pub fn SecPolicyGetTypeID() -> CFTypeID; + pub fn SecTrustGetTypeID() -> CFTypeID; + + // Available starting macOS 10.6 + pub fn SecCertificateCopyData(certificate: SecCertificateRef) -> CFDataRef; + pub fn SecCertificateCopySubjectSummary(certificate: SecCertificateRef) -> CFStringRef; + pub fn SecItemCopyMatching(query: CFDictionaryRef, result: *mut CFTypeRef) -> OSStatus; + pub fn SecPolicyCreateSSL(server: bool, hostname: CFStringRef) -> SecPolicyRef; + pub static kSecClass: CFStringRef; + pub static kSecAttrKeyType: CFStringRef; + pub static kSecAttrKeySizeInBits: CFStringRef; + pub static kSecMatchLimit: CFStringRef; + pub static kSecMatchLimitAll: CFStringRef; + pub static kSecReturnRef: CFStringRef; + + // Available starting macOS 10.7 + pub fn SecTrustGetCertificateAtIndex(trust: SecTrustRef, ix: CFIndex) -> SecCertificateRef; + pub fn SecTrustGetCertificateCount(trust: SecTrustRef) -> CFIndex; + pub static kSecClassIdentity: CFStringRef; + pub static kSecAttrKeyTypeRSA: CFStringRef; + + // Available starting macOS 10.9 + pub fn SecTrustSetNetworkFetchAllowed(trust: SecTrustRef, allowFetch: Boolean) -> OSStatus; + + // Available starting macOS 10.12 + pub fn SecKeyCreateSignature( + key: SecKeyRef, + algorithm: SecKeyAlgorithm, + data: CFDataRef, + err: *mut CFErrorRef, + ) -> CFDataRef; + pub fn SecKeyCopyAttributes(key: SecKeyRef) -> CFDictionaryRef; + pub fn SecKeyCopyExternalRepresentation(key: SecKeyRef, err: *mut CFErrorRef) -> CFDataRef; + pub static kSecKeyAlgorithmECDSASignatureDigestX962SHA1: CFStringRef; + pub static kSecKeyAlgorithmECDSASignatureDigestX962SHA256: CFStringRef; + pub static kSecKeyAlgorithmECDSASignatureDigestX962SHA384: CFStringRef; + pub static kSecKeyAlgorithmECDSASignatureDigestX962SHA512: CFStringRef; + pub static kSecKeyAlgorithmRSASignatureDigestPKCS1v15Raw: CFStringRef; + pub static kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256: CFStringRef; + pub static kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384: CFStringRef; + pub static kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512: CFStringRef; + pub static kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1: CFStringRef; + pub static kSecAttrKeyTypeECSECPrimeRandom: CFStringRef; +} diff --git a/security/manager/ssl/osclientcerts/src/lib.rs b/security/manager/ssl/osclientcerts/src/lib.rs new file mode 100644 index 0000000000..acffe51556 --- /dev/null +++ b/security/manager/ssl/osclientcerts/src/lib.rs @@ -0,0 +1,1237 @@ +/* -*- Mode: rust; rust-indent-offset: 4 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#![allow(non_snake_case)] + +extern crate byteorder; +#[cfg(target_os = "macos")] +#[macro_use] +extern crate core_foundation; +extern crate env_logger; +#[cfg(target_os = "macos")] +#[macro_use] +extern crate lazy_static; +#[cfg(target_os = "macos")] +extern crate libloading; +#[macro_use] +extern crate log; +extern crate pkcs11_bindings; +#[macro_use] +extern crate rsclientcerts; +extern crate sha2; +#[cfg(target_os = "windows")] +extern crate winapi; + +use pkcs11_bindings::*; +use rsclientcerts::manager::{ManagerProxy, SlotType}; +use std::ffi::CStr; +use std::sync::Mutex; +use std::thread; + +#[cfg(target_os = "macos")] +mod backend_macos; +#[cfg(target_os = "windows")] +mod backend_windows; + +#[cfg(target_os = "macos")] +use crate::backend_macos::Backend; +#[cfg(target_os = "windows")] +use crate::backend_windows::Backend; + +struct ModuleState { + manager_proxy: ManagerProxy, + mechanisms: Vec<CK_MECHANISM_TYPE>, +} + +/// The singleton `ModuleState` that handles state with respect to PKCS #11. Only one thread +/// may use it at a time, but there is no restriction on which threads may use it. However, as +/// OS APIs being used are not necessarily thread-safe (e.g. they may be using +/// thread-local-storage), the `ManagerProxy` of the `ModuleState` forwards calls from any +/// thread to a single thread where the real `Manager` does the actual work. +static MODULE_STATE: Mutex<Option<ModuleState>> = Mutex::new(None); + +// Obtaining a handle on the manager proxy is a two-step process. First the mutex must be locked, +// which (if successful), results in a mutex guard object. We must then get a mutable refence to the +// underlying manager proxy (if set - otherwise we return an error). This can't happen all in one +// macro without dropping a reference that needs to live long enough for this to be safe. In +// practice, this looks like: +// let mut module_state_guard = try_to_get_module_state_guard!(); +// let manager = module_state_guard_to_manager!(module_state_guard); +macro_rules! try_to_get_module_state_guard { + () => { + match MODULE_STATE.lock() { + Ok(maybe_module_state) => maybe_module_state, + Err(poison_error) => { + log_with_thread_id!( + error, + "previous thread panicked acquiring manager lock: {}", + poison_error + ); + return CKR_DEVICE_ERROR; + } + } + }; +} + +macro_rules! module_state_guard_to_manager { + ($module_state_guard:ident) => { + match $module_state_guard.as_mut() { + Some(module_state) => &mut module_state.manager_proxy, + None => { + log_with_thread_id!(error, "module state expected to be set, but it is not"); + return CKR_DEVICE_ERROR; + } + } + }; +} + +macro_rules! module_state_guard_to_mechanisms { + ($module_state_guard:ident) => { + match $module_state_guard.as_ref() { + Some(module_state) => &module_state.mechanisms, + None => { + log_with_thread_id!(error, "module state expected to be set, but it is not"); + return CKR_DEVICE_ERROR; + } + } + }; +} + +// Helper macro to prefix log messages with the current thread ID. +macro_rules! log_with_thread_id { + ($log_level:ident, $($message:expr),*) => { + $log_level!("{:?} {}", thread::current().id(), format_args!($($message),*)); + }; +} + +/// This gets called to initialize the module. For this implementation, this consists of +/// instantiating the `ManagerProxy`. +extern "C" fn C_Initialize(pInitArgs: CK_VOID_PTR) -> CK_RV { + // This will fail if this has already been called, but this isn't a problem because either way, + // logging has been initialized. + let _ = env_logger::try_init(); + + if pInitArgs.is_null() { + return CKR_DEVICE_ERROR; + } + let init_args_ptr = unsafe { (*(pInitArgs as CK_C_INITIALIZE_ARGS_PTR)).pReserved }; + if init_args_ptr.is_null() { + return CKR_DEVICE_ERROR; + } + let init_args_cstr = unsafe { CStr::from_ptr(init_args_ptr as *mut std::os::raw::c_char) }; + let init_args = match init_args_cstr.to_str() { + Ok(init_args) => init_args, + Err(_) => return CKR_DEVICE_ERROR, + }; + let mechanisms = if init_args == "RSA-PSS" { + vec![CKM_ECDSA, CKM_RSA_PKCS, CKM_RSA_PKCS_PSS] + } else { + vec![CKM_ECDSA, CKM_RSA_PKCS] + }; + let mut module_state_guard = try_to_get_module_state_guard!(); + let manager_proxy = match ManagerProxy::new(Backend {}) { + Ok(p) => p, + Err(e) => { + log_with_thread_id!(error, "C_Initialize: ManagerProxy: {}", e); + return CKR_DEVICE_ERROR; + } + }; + match module_state_guard.replace(ModuleState { + manager_proxy, + mechanisms, + }) { + Some(_unexpected_previous_module_state) => { + #[cfg(target_os = "macos")] + { + log_with_thread_id!(info, "C_Initialize: module state previously set (this is expected on macOS - replacing it)"); + } + #[cfg(target_os = "windows")] + { + log_with_thread_id!( + warn, + "C_Initialize: module state unexpectedly previously set (replacing it)" + ); + } + } + None => {} + } + log_with_thread_id!(debug, "C_Initialize: CKR_OK"); + CKR_OK +} + +extern "C" fn C_Finalize(_pReserved: CK_VOID_PTR) -> CK_RV { + let mut module_state_guard = try_to_get_module_state_guard!(); + let manager = module_state_guard_to_manager!(module_state_guard); + match manager.stop() { + Ok(()) => { + log_with_thread_id!(debug, "C_Finalize: CKR_OK"); + CKR_OK + } + Err(e) => { + log_with_thread_id!(error, "C_Finalize: CKR_DEVICE_ERROR: {}", e); + CKR_DEVICE_ERROR + } + } +} + +// The specification mandates that these strings be padded with spaces to the appropriate length. +// Since the length of fixed-size arrays in rust is part of the type, the compiler enforces that +// these byte strings are of the correct length. +const MANUFACTURER_ID_BYTES: &[u8; 32] = b"Mozilla Corporation "; +const LIBRARY_DESCRIPTION_BYTES: &[u8; 32] = b"OS Client Cert Module "; + +/// This gets called to gather some information about the module. In particular, this implementation +/// supports (portions of) cryptoki (PKCS #11) version 2.2. +extern "C" fn C_GetInfo(pInfo: CK_INFO_PTR) -> CK_RV { + if pInfo.is_null() { + log_with_thread_id!(error, "C_GetInfo: CKR_ARGUMENTS_BAD"); + return CKR_ARGUMENTS_BAD; + } + log_with_thread_id!(debug, "C_GetInfo: CKR_OK"); + let mut info = CK_INFO::default(); + info.cryptokiVersion.major = 2; + info.cryptokiVersion.minor = 2; + info.manufacturerID = *MANUFACTURER_ID_BYTES; + info.libraryDescription = *LIBRARY_DESCRIPTION_BYTES; + unsafe { + *pInfo = info; + } + CKR_OK +} + +/// This module has one slot. +const SLOT_COUNT: CK_ULONG = 1; +const SLOT_ID: CK_SLOT_ID = 1; + +/// This gets called twice: once with a null `pSlotList` to get the number of slots (returned via +/// `pulCount`) and a second time to get the ID for each slot. +extern "C" fn C_GetSlotList( + _tokenPresent: CK_BBOOL, + pSlotList: CK_SLOT_ID_PTR, + pulCount: CK_ULONG_PTR, +) -> CK_RV { + if pulCount.is_null() { + log_with_thread_id!(error, "C_GetSlotList: CKR_ARGUMENTS_BAD"); + return CKR_ARGUMENTS_BAD; + } + if !pSlotList.is_null() { + if unsafe { *pulCount } < SLOT_COUNT { + log_with_thread_id!(error, "C_GetSlotList: CKR_BUFFER_TOO_SMALL"); + return CKR_BUFFER_TOO_SMALL; + } + unsafe { + *pSlotList = SLOT_ID; + } + }; + unsafe { + *pulCount = SLOT_COUNT; + } + log_with_thread_id!(debug, "C_GetSlotList: CKR_OK"); + CKR_OK +} + +const SLOT_DESCRIPTION_BYTES: &[u8; 64] = + b"OS Client Cert Slot "; + +/// This gets called to obtain information about slots. In this implementation, the token is +/// always present in the singular slot. +extern "C" fn C_GetSlotInfo(slotID: CK_SLOT_ID, pInfo: CK_SLOT_INFO_PTR) -> CK_RV { + if slotID != SLOT_ID || pInfo.is_null() { + log_with_thread_id!(error, "C_GetSlotInfo: CKR_ARGUMENTS_BAD"); + return CKR_ARGUMENTS_BAD; + } + let slot_info = CK_SLOT_INFO { + slotDescription: *SLOT_DESCRIPTION_BYTES, + manufacturerID: *MANUFACTURER_ID_BYTES, + flags: CKF_TOKEN_PRESENT, + hardwareVersion: CK_VERSION::default(), + firmwareVersion: CK_VERSION::default(), + }; + unsafe { + *pInfo = slot_info; + } + log_with_thread_id!(debug, "C_GetSlotInfo: CKR_OK"); + CKR_OK +} + +const TOKEN_LABEL_BYTES: &[u8; 32] = b"OS Client Cert Token "; +const TOKEN_MODEL_BYTES: &[u8; 16] = b"osclientcerts "; +const TOKEN_SERIAL_NUMBER_BYTES: &[u8; 16] = b"0000000000000000"; + +/// This gets called to obtain some information about tokens. This implementation has one slot, +/// so it has one token. This information is primarily for display purposes. +extern "C" fn C_GetTokenInfo(slotID: CK_SLOT_ID, pInfo: CK_TOKEN_INFO_PTR) -> CK_RV { + if slotID != SLOT_ID || pInfo.is_null() { + log_with_thread_id!(error, "C_GetTokenInfo: CKR_ARGUMENTS_BAD"); + return CKR_ARGUMENTS_BAD; + } + let mut token_info = CK_TOKEN_INFO::default(); + token_info.label = *TOKEN_LABEL_BYTES; + token_info.manufacturerID = *MANUFACTURER_ID_BYTES; + token_info.model = *TOKEN_MODEL_BYTES; + token_info.serialNumber = *TOKEN_SERIAL_NUMBER_BYTES; + unsafe { + *pInfo = token_info; + } + log_with_thread_id!(debug, "C_GetTokenInfo: CKR_OK"); + CKR_OK +} + +/// This gets called to determine what mechanisms a slot supports. The singular slot supports +/// ECDSA and RSA PKCS1. Depending on the configuration the module was loaded with, it may also +/// support RSA PSS. +extern "C" fn C_GetMechanismList( + slotID: CK_SLOT_ID, + pMechanismList: CK_MECHANISM_TYPE_PTR, + pulCount: CK_ULONG_PTR, +) -> CK_RV { + if slotID != SLOT_ID || pulCount.is_null() { + log_with_thread_id!(error, "C_GetMechanismList: CKR_ARGUMENTS_BAD"); + return CKR_ARGUMENTS_BAD; + } + let module_state_guard = try_to_get_module_state_guard!(); + let mechanisms = module_state_guard_to_mechanisms!(module_state_guard); + if !pMechanismList.is_null() { + if unsafe { *pulCount as usize } < mechanisms.len() { + log_with_thread_id!(error, "C_GetMechanismList: CKR_ARGUMENTS_BAD"); + return CKR_ARGUMENTS_BAD; + } + for (i, mechanism) in mechanisms.iter().enumerate() { + unsafe { + *pMechanismList.add(i) = *mechanism; + } + } + } + unsafe { + *pulCount = mechanisms.len() as CK_ULONG; + } + log_with_thread_id!(debug, "C_GetMechanismList: CKR_OK"); + CKR_OK +} + +extern "C" fn C_GetMechanismInfo( + _slotID: CK_SLOT_ID, + _type: CK_MECHANISM_TYPE, + _pInfo: CK_MECHANISM_INFO_PTR, +) -> CK_RV { + log_with_thread_id!(error, "C_GetMechanismInfo: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_InitToken( + _slotID: CK_SLOT_ID, + _pPin: CK_UTF8CHAR_PTR, + _ulPinLen: CK_ULONG, + _pLabel: CK_UTF8CHAR_PTR, +) -> CK_RV { + log_with_thread_id!(error, "C_InitToken: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_InitPIN( + _hSession: CK_SESSION_HANDLE, + _pPin: CK_UTF8CHAR_PTR, + _ulPinLen: CK_ULONG, +) -> CK_RV { + log_with_thread_id!(error, "C_InitPIN: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_SetPIN( + _hSession: CK_SESSION_HANDLE, + _pOldPin: CK_UTF8CHAR_PTR, + _ulOldLen: CK_ULONG, + _pNewPin: CK_UTF8CHAR_PTR, + _ulNewLen: CK_ULONG, +) -> CK_RV { + log_with_thread_id!(error, "C_SetPIN: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +/// This gets called to create a new session. This module defers to the `ManagerProxy` to implement +/// this. +extern "C" fn C_OpenSession( + slotID: CK_SLOT_ID, + _flags: CK_FLAGS, + _pApplication: CK_VOID_PTR, + _Notify: CK_NOTIFY, + phSession: CK_SESSION_HANDLE_PTR, +) -> CK_RV { + if slotID != SLOT_ID || phSession.is_null() { + log_with_thread_id!(error, "C_OpenSession: CKR_ARGUMENTS_BAD"); + return CKR_ARGUMENTS_BAD; + } + let mut module_state_guard = try_to_get_module_state_guard!(); + let manager = module_state_guard_to_manager!(module_state_guard); + // The "modern"/"legacy" slot distinction still exists in ipcclientcerts, + // which shares some library code with this module, to allow for a more + // nuanced notion of whether or not e.g. RSA-PSS is supported. + let session_handle = match manager.open_session(SlotType::Modern) { + Ok(session_handle) => session_handle, + Err(e) => { + log_with_thread_id!(error, "C_OpenSession: open_session failed: {}", e); + return CKR_DEVICE_ERROR; + } + }; + unsafe { + *phSession = session_handle; + } + log_with_thread_id!(debug, "C_OpenSession: CKR_OK"); + CKR_OK +} + +/// This gets called to close a session. This is handled by the `ManagerProxy`. +extern "C" fn C_CloseSession(hSession: CK_SESSION_HANDLE) -> CK_RV { + let mut module_state_guard = try_to_get_module_state_guard!(); + let manager = module_state_guard_to_manager!(module_state_guard); + if manager.close_session(hSession).is_err() { + log_with_thread_id!(error, "C_CloseSession: CKR_SESSION_HANDLE_INVALID"); + return CKR_SESSION_HANDLE_INVALID; + } + log_with_thread_id!(debug, "C_CloseSession: CKR_OK"); + CKR_OK +} + +/// This gets called to close all open sessions at once. This is handled by the `ManagerProxy`. +extern "C" fn C_CloseAllSessions(slotID: CK_SLOT_ID) -> CK_RV { + if slotID != SLOT_ID { + log_with_thread_id!(error, "C_CloseAllSessions: CKR_ARGUMENTS_BAD"); + return CKR_ARGUMENTS_BAD; + } + let mut module_state_guard = try_to_get_module_state_guard!(); + let manager = module_state_guard_to_manager!(module_state_guard); + match manager.close_all_sessions(SlotType::Modern) { + Ok(()) => { + log_with_thread_id!(debug, "C_CloseAllSessions: CKR_OK"); + CKR_OK + } + Err(e) => { + log_with_thread_id!( + error, + "C_CloseAllSessions: close_all_sessions failed: {}", + e + ); + CKR_DEVICE_ERROR + } + } +} + +extern "C" fn C_GetSessionInfo(_hSession: CK_SESSION_HANDLE, _pInfo: CK_SESSION_INFO_PTR) -> CK_RV { + log_with_thread_id!(error, "C_GetSessionInfo: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_GetOperationState( + _hSession: CK_SESSION_HANDLE, + _pOperationState: CK_BYTE_PTR, + _pulOperationStateLen: CK_ULONG_PTR, +) -> CK_RV { + log_with_thread_id!(error, "C_GetOperationState: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_SetOperationState( + _hSession: CK_SESSION_HANDLE, + _pOperationState: CK_BYTE_PTR, + _ulOperationStateLen: CK_ULONG, + _hEncryptionKey: CK_OBJECT_HANDLE, + _hAuthenticationKey: CK_OBJECT_HANDLE, +) -> CK_RV { + log_with_thread_id!(error, "C_SetOperationState: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_Login( + _hSession: CK_SESSION_HANDLE, + _userType: CK_USER_TYPE, + _pPin: CK_UTF8CHAR_PTR, + _ulPinLen: CK_ULONG, +) -> CK_RV { + log_with_thread_id!(error, "C_Login: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +/// This gets called to log out and drop any authenticated resources. Because this module does not +/// hold on to authenticated resources, this module "implements" this by doing nothing and +/// returning a success result. +extern "C" fn C_Logout(_hSession: CK_SESSION_HANDLE) -> CK_RV { + log_with_thread_id!(debug, "C_Logout: CKR_OK"); + CKR_OK +} + +extern "C" fn C_CreateObject( + _hSession: CK_SESSION_HANDLE, + _pTemplate: CK_ATTRIBUTE_PTR, + _ulCount: CK_ULONG, + _phObject: CK_OBJECT_HANDLE_PTR, +) -> CK_RV { + log_with_thread_id!(error, "C_CreateObject: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_CopyObject( + _hSession: CK_SESSION_HANDLE, + _hObject: CK_OBJECT_HANDLE, + _pTemplate: CK_ATTRIBUTE_PTR, + _ulCount: CK_ULONG, + _phNewObject: CK_OBJECT_HANDLE_PTR, +) -> CK_RV { + log_with_thread_id!(error, "C_CopyObject: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_DestroyObject(_hSession: CK_SESSION_HANDLE, _hObject: CK_OBJECT_HANDLE) -> CK_RV { + log_with_thread_id!(error, "C_DestroyObject: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_GetObjectSize( + _hSession: CK_SESSION_HANDLE, + _hObject: CK_OBJECT_HANDLE, + _pulSize: CK_ULONG_PTR, +) -> CK_RV { + log_with_thread_id!(error, "C_GetObjectSize: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +/// This gets called to obtain the values of a number of attributes of an object identified by the +/// given handle. This module implements this by requesting that the `ManagerProxy` find the object +/// and attempt to get the value of each attribute. If a specified attribute is not defined on the +/// object, the length of that attribute is set to -1 to indicate that it is not available. +/// This gets called twice: once to obtain the lengths of the attributes and again to get the +/// values. +extern "C" fn C_GetAttributeValue( + _hSession: CK_SESSION_HANDLE, + hObject: CK_OBJECT_HANDLE, + pTemplate: CK_ATTRIBUTE_PTR, + ulCount: CK_ULONG, +) -> CK_RV { + if pTemplate.is_null() { + log_with_thread_id!(error, "C_GetAttributeValue: CKR_ARGUMENTS_BAD"); + return CKR_ARGUMENTS_BAD; + } + let mut attr_types = Vec::with_capacity(ulCount as usize); + for i in 0..ulCount as usize { + let attr = unsafe { &*pTemplate.add(i) }; + attr_types.push(attr.type_); + } + let mut module_state_guard = try_to_get_module_state_guard!(); + let manager = module_state_guard_to_manager!(module_state_guard); + let values = match manager.get_attributes(hObject, attr_types) { + Ok(values) => values, + Err(e) => { + log_with_thread_id!(error, "C_GetAttributeValue: CKR_ARGUMENTS_BAD ({})", e); + return CKR_ARGUMENTS_BAD; + } + }; + if values.len() != ulCount as usize { + log_with_thread_id!( + error, + "C_GetAttributeValue: manager.get_attributes didn't return the right number of values" + ); + return CKR_DEVICE_ERROR; + } + for (i, value) in values.iter().enumerate().take(ulCount as usize) { + let attr = unsafe { &mut *pTemplate.add(i) }; + if let Some(attr_value) = value { + if attr.pValue.is_null() { + attr.ulValueLen = attr_value.len() as CK_ULONG; + } else { + let ptr: *mut u8 = attr.pValue as *mut u8; + if attr_value.len() != attr.ulValueLen as usize { + log_with_thread_id!(error, "C_GetAttributeValue: incorrect attr size"); + return CKR_ARGUMENTS_BAD; + } + unsafe { + std::ptr::copy_nonoverlapping(attr_value.as_ptr(), ptr, attr_value.len()); + } + } + } else { + attr.ulValueLen = (0 - 1) as CK_ULONG; + } + } + log_with_thread_id!(debug, "C_GetAttributeValue: CKR_OK"); + CKR_OK +} + +extern "C" fn C_SetAttributeValue( + _hSession: CK_SESSION_HANDLE, + _hObject: CK_OBJECT_HANDLE, + _pTemplate: CK_ATTRIBUTE_PTR, + _ulCount: CK_ULONG, +) -> CK_RV { + log_with_thread_id!(error, "C_SetAttributeValue: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +fn trace_attr(prefix: &str, attr: &CK_ATTRIBUTE) { + let typ = match unsafe_packed_field_access!(attr.type_) { + CKA_CLASS => "CKA_CLASS".to_string(), + CKA_TOKEN => "CKA_TOKEN".to_string(), + CKA_LABEL => "CKA_LABEL".to_string(), + CKA_ID => "CKA_ID".to_string(), + CKA_VALUE => "CKA_VALUE".to_string(), + CKA_ISSUER => "CKA_ISSUER".to_string(), + CKA_SERIAL_NUMBER => "CKA_SERIAL_NUMBER".to_string(), + CKA_SUBJECT => "CKA_SUBJECT".to_string(), + CKA_PRIVATE => "CKA_PRIVATE".to_string(), + CKA_KEY_TYPE => "CKA_KEY_TYPE".to_string(), + CKA_MODULUS => "CKA_MODULUS".to_string(), + CKA_EC_PARAMS => "CKA_EC_PARAMS".to_string(), + _ => format!("0x{:x}", unsafe_packed_field_access!(attr.type_)), + }; + let value = + unsafe { std::slice::from_raw_parts(attr.pValue as *const u8, attr.ulValueLen as usize) }; + log_with_thread_id!( + trace, + "{}CK_ATTRIBUTE {{ type: {}, pValue: {:?}, ulValueLen: {} }}", + prefix, + typ, + value, + unsafe_packed_field_access!(attr.ulValueLen) + ); +} + +/// This gets called to initialize a search for objects matching a given list of attributes. This +/// module implements this by gathering the attributes and passing them to the `ManagerProxy` to +/// start the search. +extern "C" fn C_FindObjectsInit( + hSession: CK_SESSION_HANDLE, + pTemplate: CK_ATTRIBUTE_PTR, + ulCount: CK_ULONG, +) -> CK_RV { + if pTemplate.is_null() { + log_with_thread_id!(error, "C_FindObjectsInit: CKR_ARGUMENTS_BAD"); + return CKR_ARGUMENTS_BAD; + } + let mut attrs = Vec::new(); + log_with_thread_id!(trace, "C_FindObjectsInit:"); + for i in 0..ulCount as usize { + let attr = unsafe { &*pTemplate.add(i) }; + trace_attr(" ", attr); + let slice = unsafe { + std::slice::from_raw_parts(attr.pValue as *const u8, attr.ulValueLen as usize) + }; + attrs.push((attr.type_, slice.to_owned())); + } + let mut module_state_guard = try_to_get_module_state_guard!(); + let manager = module_state_guard_to_manager!(module_state_guard); + match manager.start_search(hSession, attrs) { + Ok(()) => {} + Err(e) => { + log_with_thread_id!(error, "C_FindObjectsInit: CKR_ARGUMENTS_BAD: {}", e); + return CKR_ARGUMENTS_BAD; + } + } + log_with_thread_id!(debug, "C_FindObjectsInit: CKR_OK"); + CKR_OK +} + +/// This gets called after `C_FindObjectsInit` to get the results of a search. This module +/// implements this by looking up the search in the `ManagerProxy` and copying out the matching +/// object handles. +extern "C" fn C_FindObjects( + hSession: CK_SESSION_HANDLE, + phObject: CK_OBJECT_HANDLE_PTR, + ulMaxObjectCount: CK_ULONG, + pulObjectCount: CK_ULONG_PTR, +) -> CK_RV { + if phObject.is_null() || pulObjectCount.is_null() || ulMaxObjectCount == 0 { + log_with_thread_id!(error, "C_FindObjects: CKR_ARGUMENTS_BAD"); + return CKR_ARGUMENTS_BAD; + } + let mut module_state_guard = try_to_get_module_state_guard!(); + let manager = module_state_guard_to_manager!(module_state_guard); + let handles = match manager.search(hSession, ulMaxObjectCount as usize) { + Ok(handles) => handles, + Err(e) => { + log_with_thread_id!(error, "C_FindObjects: CKR_ARGUMENTS_BAD: {}", e); + return CKR_ARGUMENTS_BAD; + } + }; + log_with_thread_id!(debug, "C_FindObjects: found handles {:?}", handles); + if handles.len() > ulMaxObjectCount as usize { + log_with_thread_id!(error, "C_FindObjects: manager returned too many handles"); + return CKR_DEVICE_ERROR; + } + unsafe { + *pulObjectCount = handles.len() as CK_ULONG; + } + for (index, handle) in handles.iter().enumerate() { + if index < ulMaxObjectCount as usize { + unsafe { + *(phObject.add(index)) = *handle; + } + } + } + log_with_thread_id!(debug, "C_FindObjects: CKR_OK"); + CKR_OK +} + +/// This gets called after `C_FindObjectsInit` and `C_FindObjects` to finish a search. The module +/// tells the `ManagerProxy` to clear the search. +extern "C" fn C_FindObjectsFinal(hSession: CK_SESSION_HANDLE) -> CK_RV { + let mut module_state_guard = try_to_get_module_state_guard!(); + let manager = module_state_guard_to_manager!(module_state_guard); + // It would be an error if there were no search for this session, but we can be permissive here. + match manager.clear_search(hSession) { + Ok(()) => { + log_with_thread_id!(debug, "C_FindObjectsFinal: CKR_OK"); + CKR_OK + } + Err(e) => { + log_with_thread_id!(error, "C_FindObjectsFinal: clear_search failed: {}", e); + CKR_DEVICE_ERROR + } + } +} + +extern "C" fn C_EncryptInit( + _hSession: CK_SESSION_HANDLE, + _pMechanism: CK_MECHANISM_PTR, + _hKey: CK_OBJECT_HANDLE, +) -> CK_RV { + log_with_thread_id!(error, "C_EncryptInit: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_Encrypt( + _hSession: CK_SESSION_HANDLE, + _pData: CK_BYTE_PTR, + _ulDataLen: CK_ULONG, + _pEncryptedData: CK_BYTE_PTR, + _pulEncryptedDataLen: CK_ULONG_PTR, +) -> CK_RV { + log_with_thread_id!(error, "C_Encrypt: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_EncryptUpdate( + _hSession: CK_SESSION_HANDLE, + _pPart: CK_BYTE_PTR, + _ulPartLen: CK_ULONG, + _pEncryptedPart: CK_BYTE_PTR, + _pulEncryptedPartLen: CK_ULONG_PTR, +) -> CK_RV { + log_with_thread_id!(error, "C_EncryptUpdate: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_EncryptFinal( + _hSession: CK_SESSION_HANDLE, + _pLastEncryptedPart: CK_BYTE_PTR, + _pulLastEncryptedPartLen: CK_ULONG_PTR, +) -> CK_RV { + log_with_thread_id!(error, "C_EncryptFinal: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_DecryptInit( + _hSession: CK_SESSION_HANDLE, + _pMechanism: CK_MECHANISM_PTR, + _hKey: CK_OBJECT_HANDLE, +) -> CK_RV { + log_with_thread_id!(error, "C_DecryptInit: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_Decrypt( + _hSession: CK_SESSION_HANDLE, + _pEncryptedData: CK_BYTE_PTR, + _ulEncryptedDataLen: CK_ULONG, + _pData: CK_BYTE_PTR, + _pulDataLen: CK_ULONG_PTR, +) -> CK_RV { + log_with_thread_id!(error, "C_Decrypt: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_DecryptUpdate( + _hSession: CK_SESSION_HANDLE, + _pEncryptedPart: CK_BYTE_PTR, + _ulEncryptedPartLen: CK_ULONG, + _pPart: CK_BYTE_PTR, + _pulPartLen: CK_ULONG_PTR, +) -> CK_RV { + log_with_thread_id!(error, "C_DecryptUpdate: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_DecryptFinal( + _hSession: CK_SESSION_HANDLE, + _pLastPart: CK_BYTE_PTR, + _pulLastPartLen: CK_ULONG_PTR, +) -> CK_RV { + log_with_thread_id!(error, "C_DecryptFinal: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_DigestInit(_hSession: CK_SESSION_HANDLE, _pMechanism: CK_MECHANISM_PTR) -> CK_RV { + log_with_thread_id!(error, "C_DigestInit: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_Digest( + _hSession: CK_SESSION_HANDLE, + _pData: CK_BYTE_PTR, + _ulDataLen: CK_ULONG, + _pDigest: CK_BYTE_PTR, + _pulDigestLen: CK_ULONG_PTR, +) -> CK_RV { + log_with_thread_id!(error, "C_Digest: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_DigestUpdate( + _hSession: CK_SESSION_HANDLE, + _pPart: CK_BYTE_PTR, + _ulPartLen: CK_ULONG, +) -> CK_RV { + log_with_thread_id!(error, "C_DigestUpdate: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_DigestKey(_hSession: CK_SESSION_HANDLE, _hKey: CK_OBJECT_HANDLE) -> CK_RV { + log_with_thread_id!(error, "C_DigestKey: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_DigestFinal( + _hSession: CK_SESSION_HANDLE, + _pDigest: CK_BYTE_PTR, + _pulDigestLen: CK_ULONG_PTR, +) -> CK_RV { + log_with_thread_id!(error, "C_DigestFinal: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +/// This gets called to set up a sign operation. The module essentially defers to the +/// `ManagerProxy`. +extern "C" fn C_SignInit( + hSession: CK_SESSION_HANDLE, + pMechanism: CK_MECHANISM_PTR, + hKey: CK_OBJECT_HANDLE, +) -> CK_RV { + if pMechanism.is_null() { + log_with_thread_id!(error, "C_SignInit: CKR_ARGUMENTS_BAD"); + return CKR_ARGUMENTS_BAD; + } + // Presumably we should validate the mechanism against hKey, but the specification doesn't + // actually seem to require this. + let mechanism = unsafe { *pMechanism }; + log_with_thread_id!(debug, "C_SignInit: mechanism is {:?}", mechanism); + let mechanism_params = if mechanism.mechanism == CKM_RSA_PKCS_PSS { + if mechanism.ulParameterLen as usize != std::mem::size_of::<CK_RSA_PKCS_PSS_PARAMS>() { + log_with_thread_id!( + error, + "C_SignInit: bad ulParameterLen for CKM_RSA_PKCS_PSS: {}", + unsafe_packed_field_access!(mechanism.ulParameterLen) + ); + return CKR_ARGUMENTS_BAD; + } + Some(unsafe { *(mechanism.pParameter as *const CK_RSA_PKCS_PSS_PARAMS) }) + } else { + None + }; + let mut module_state_guard = try_to_get_module_state_guard!(); + let manager = module_state_guard_to_manager!(module_state_guard); + match manager.start_sign(hSession, hKey, mechanism_params) { + Ok(()) => {} + Err(e) => { + log_with_thread_id!(error, "C_SignInit: CKR_GENERAL_ERROR: {}", e); + return CKR_GENERAL_ERROR; + } + }; + log_with_thread_id!(debug, "C_SignInit: CKR_OK"); + CKR_OK +} + +/// NSS calls this after `C_SignInit` (there are more ways in the PKCS #11 specification to sign +/// data, but this is the only way supported by this module). The module essentially defers to the +/// `ManagerProxy` and copies out the resulting signature. +extern "C" fn C_Sign( + hSession: CK_SESSION_HANDLE, + pData: CK_BYTE_PTR, + ulDataLen: CK_ULONG, + pSignature: CK_BYTE_PTR, + pulSignatureLen: CK_ULONG_PTR, +) -> CK_RV { + if pData.is_null() || pulSignatureLen.is_null() { + log_with_thread_id!(error, "C_Sign: CKR_ARGUMENTS_BAD"); + return CKR_ARGUMENTS_BAD; + } + let data = unsafe { std::slice::from_raw_parts(pData, ulDataLen as usize) }; + if pSignature.is_null() { + let mut module_state_guard = try_to_get_module_state_guard!(); + let manager = module_state_guard_to_manager!(module_state_guard); + match manager.get_signature_length(hSession, data.to_vec()) { + Ok(signature_length) => unsafe { + *pulSignatureLen = signature_length as CK_ULONG; + }, + Err(e) => { + log_with_thread_id!(error, "C_Sign: get_signature_length failed: {}", e); + log_with_thread_id!(error, "C_Sign: try setting security.osclientcerts.assume_rsa_pss_support to false and restarting"); + return CKR_GENERAL_ERROR; + } + } + } else { + let mut module_state_guard = try_to_get_module_state_guard!(); + let manager = module_state_guard_to_manager!(module_state_guard); + match manager.sign(hSession, data.to_vec()) { + Ok(signature) => { + let signature_capacity = unsafe { *pulSignatureLen } as usize; + if signature_capacity < signature.len() { + log_with_thread_id!(error, "C_Sign: CKR_ARGUMENTS_BAD"); + return CKR_ARGUMENTS_BAD; + } + let ptr: *mut u8 = pSignature as *mut u8; + unsafe { + std::ptr::copy_nonoverlapping(signature.as_ptr(), ptr, signature.len()); + *pulSignatureLen = signature.len() as CK_ULONG; + } + } + Err(e) => { + log_with_thread_id!(error, "C_Sign: sign failed: {}", e); + log_with_thread_id!(error, "C_Sign: try setting security.osclientcerts.assume_rsa_pss_support to false and restarting"); + return CKR_GENERAL_ERROR; + } + } + } + log_with_thread_id!(debug, "C_Sign: CKR_OK"); + CKR_OK +} + +extern "C" fn C_SignUpdate( + _hSession: CK_SESSION_HANDLE, + _pPart: CK_BYTE_PTR, + _ulPartLen: CK_ULONG, +) -> CK_RV { + log_with_thread_id!(error, "C_SignUpdate: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_SignFinal( + _hSession: CK_SESSION_HANDLE, + _pSignature: CK_BYTE_PTR, + _pulSignatureLen: CK_ULONG_PTR, +) -> CK_RV { + log_with_thread_id!(error, "C_SignFinal: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_SignRecoverInit( + _hSession: CK_SESSION_HANDLE, + _pMechanism: CK_MECHANISM_PTR, + _hKey: CK_OBJECT_HANDLE, +) -> CK_RV { + log_with_thread_id!(error, "C_SignRecoverInit: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_SignRecover( + _hSession: CK_SESSION_HANDLE, + _pData: CK_BYTE_PTR, + _ulDataLen: CK_ULONG, + _pSignature: CK_BYTE_PTR, + _pulSignatureLen: CK_ULONG_PTR, +) -> CK_RV { + log_with_thread_id!(error, "C_SignRecover: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_VerifyInit( + _hSession: CK_SESSION_HANDLE, + _pMechanism: CK_MECHANISM_PTR, + _hKey: CK_OBJECT_HANDLE, +) -> CK_RV { + log_with_thread_id!(error, "C_VerifyInit: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_Verify( + _hSession: CK_SESSION_HANDLE, + _pData: CK_BYTE_PTR, + _ulDataLen: CK_ULONG, + _pSignature: CK_BYTE_PTR, + _ulSignatureLen: CK_ULONG, +) -> CK_RV { + log_with_thread_id!(error, "C_Verify: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_VerifyUpdate( + _hSession: CK_SESSION_HANDLE, + _pPart: CK_BYTE_PTR, + _ulPartLen: CK_ULONG, +) -> CK_RV { + log_with_thread_id!(error, "C_VerifyUpdate: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_VerifyFinal( + _hSession: CK_SESSION_HANDLE, + _pSignature: CK_BYTE_PTR, + _ulSignatureLen: CK_ULONG, +) -> CK_RV { + log_with_thread_id!(error, "C_VerifyFinal: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_VerifyRecoverInit( + _hSession: CK_SESSION_HANDLE, + _pMechanism: CK_MECHANISM_PTR, + _hKey: CK_OBJECT_HANDLE, +) -> CK_RV { + log_with_thread_id!(error, "C_VerifyRecoverInit: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_VerifyRecover( + _hSession: CK_SESSION_HANDLE, + _pSignature: CK_BYTE_PTR, + _ulSignatureLen: CK_ULONG, + _pData: CK_BYTE_PTR, + _pulDataLen: CK_ULONG_PTR, +) -> CK_RV { + log_with_thread_id!(error, "C_VerifyRecover: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_DigestEncryptUpdate( + _hSession: CK_SESSION_HANDLE, + _pPart: CK_BYTE_PTR, + _ulPartLen: CK_ULONG, + _pEncryptedPart: CK_BYTE_PTR, + _pulEncryptedPartLen: CK_ULONG_PTR, +) -> CK_RV { + log_with_thread_id!(error, "C_DigestEncryptUpdate: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_DecryptDigestUpdate( + _hSession: CK_SESSION_HANDLE, + _pEncryptedPart: CK_BYTE_PTR, + _ulEncryptedPartLen: CK_ULONG, + _pPart: CK_BYTE_PTR, + _pulPartLen: CK_ULONG_PTR, +) -> CK_RV { + log_with_thread_id!(error, "C_DecryptDigestUpdate: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_SignEncryptUpdate( + _hSession: CK_SESSION_HANDLE, + _pPart: CK_BYTE_PTR, + _ulPartLen: CK_ULONG, + _pEncryptedPart: CK_BYTE_PTR, + _pulEncryptedPartLen: CK_ULONG_PTR, +) -> CK_RV { + log_with_thread_id!(error, "C_SignEncryptUpdate: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_DecryptVerifyUpdate( + _hSession: CK_SESSION_HANDLE, + _pEncryptedPart: CK_BYTE_PTR, + _ulEncryptedPartLen: CK_ULONG, + _pPart: CK_BYTE_PTR, + _pulPartLen: CK_ULONG_PTR, +) -> CK_RV { + log_with_thread_id!(error, "C_DecryptVerifyUpdate: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_GenerateKey( + _hSession: CK_SESSION_HANDLE, + _pMechanism: CK_MECHANISM_PTR, + _pTemplate: CK_ATTRIBUTE_PTR, + _ulCount: CK_ULONG, + _phKey: CK_OBJECT_HANDLE_PTR, +) -> CK_RV { + log_with_thread_id!(error, "C_GenerateKey: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_GenerateKeyPair( + _hSession: CK_SESSION_HANDLE, + _pMechanism: CK_MECHANISM_PTR, + _pPublicKeyTemplate: CK_ATTRIBUTE_PTR, + _ulPublicKeyAttributeCount: CK_ULONG, + _pPrivateKeyTemplate: CK_ATTRIBUTE_PTR, + _ulPrivateKeyAttributeCount: CK_ULONG, + _phPublicKey: CK_OBJECT_HANDLE_PTR, + _phPrivateKey: CK_OBJECT_HANDLE_PTR, +) -> CK_RV { + log_with_thread_id!(error, "C_GenerateKeyPair: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_WrapKey( + _hSession: CK_SESSION_HANDLE, + _pMechanism: CK_MECHANISM_PTR, + _hWrappingKey: CK_OBJECT_HANDLE, + _hKey: CK_OBJECT_HANDLE, + _pWrappedKey: CK_BYTE_PTR, + _pulWrappedKeyLen: CK_ULONG_PTR, +) -> CK_RV { + log_with_thread_id!(error, "C_WrapKey: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_UnwrapKey( + _hSession: CK_SESSION_HANDLE, + _pMechanism: CK_MECHANISM_PTR, + _hUnwrappingKey: CK_OBJECT_HANDLE, + _pWrappedKey: CK_BYTE_PTR, + _ulWrappedKeyLen: CK_ULONG, + _pTemplate: CK_ATTRIBUTE_PTR, + _ulAttributeCount: CK_ULONG, + _phKey: CK_OBJECT_HANDLE_PTR, +) -> CK_RV { + log_with_thread_id!(error, "C_UnwrapKey: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_DeriveKey( + _hSession: CK_SESSION_HANDLE, + _pMechanism: CK_MECHANISM_PTR, + _hBaseKey: CK_OBJECT_HANDLE, + _pTemplate: CK_ATTRIBUTE_PTR, + _ulAttributeCount: CK_ULONG, + _phKey: CK_OBJECT_HANDLE_PTR, +) -> CK_RV { + log_with_thread_id!(error, "C_DeriveKey: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_SeedRandom( + _hSession: CK_SESSION_HANDLE, + _pSeed: CK_BYTE_PTR, + _ulSeedLen: CK_ULONG, +) -> CK_RV { + log_with_thread_id!(error, "C_SeedRandom: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_GenerateRandom( + _hSession: CK_SESSION_HANDLE, + _RandomData: CK_BYTE_PTR, + _ulRandomLen: CK_ULONG, +) -> CK_RV { + log_with_thread_id!(error, "C_GenerateRandom: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_GetFunctionStatus(_hSession: CK_SESSION_HANDLE) -> CK_RV { + log_with_thread_id!(error, "C_GetFunctionStatus: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_CancelFunction(_hSession: CK_SESSION_HANDLE) -> CK_RV { + log_with_thread_id!(error, "C_CancelFunction: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +extern "C" fn C_WaitForSlotEvent( + _flags: CK_FLAGS, + _pSlot: CK_SLOT_ID_PTR, + _pRserved: CK_VOID_PTR, +) -> CK_RV { + log_with_thread_id!(error, "C_WaitForSlotEvent: CKR_FUNCTION_NOT_SUPPORTED"); + CKR_FUNCTION_NOT_SUPPORTED +} + +/// To be a valid PKCS #11 module, this list of functions must be supported. At least cryptoki 2.2 +/// must be supported for this module to work in NSS. +static FUNCTION_LIST: CK_FUNCTION_LIST = CK_FUNCTION_LIST { + version: CK_VERSION { major: 2, minor: 2 }, + C_Initialize: Some(C_Initialize), + C_Finalize: Some(C_Finalize), + C_GetInfo: Some(C_GetInfo), + C_GetFunctionList: None, + C_GetSlotList: Some(C_GetSlotList), + C_GetSlotInfo: Some(C_GetSlotInfo), + C_GetTokenInfo: Some(C_GetTokenInfo), + C_GetMechanismList: Some(C_GetMechanismList), + C_GetMechanismInfo: Some(C_GetMechanismInfo), + C_InitToken: Some(C_InitToken), + C_InitPIN: Some(C_InitPIN), + C_SetPIN: Some(C_SetPIN), + C_OpenSession: Some(C_OpenSession), + C_CloseSession: Some(C_CloseSession), + C_CloseAllSessions: Some(C_CloseAllSessions), + C_GetSessionInfo: Some(C_GetSessionInfo), + C_GetOperationState: Some(C_GetOperationState), + C_SetOperationState: Some(C_SetOperationState), + C_Login: Some(C_Login), + C_Logout: Some(C_Logout), + C_CreateObject: Some(C_CreateObject), + C_CopyObject: Some(C_CopyObject), + C_DestroyObject: Some(C_DestroyObject), + C_GetObjectSize: Some(C_GetObjectSize), + C_GetAttributeValue: Some(C_GetAttributeValue), + C_SetAttributeValue: Some(C_SetAttributeValue), + C_FindObjectsInit: Some(C_FindObjectsInit), + C_FindObjects: Some(C_FindObjects), + C_FindObjectsFinal: Some(C_FindObjectsFinal), + C_EncryptInit: Some(C_EncryptInit), + C_Encrypt: Some(C_Encrypt), + C_EncryptUpdate: Some(C_EncryptUpdate), + C_EncryptFinal: Some(C_EncryptFinal), + C_DecryptInit: Some(C_DecryptInit), + C_Decrypt: Some(C_Decrypt), + C_DecryptUpdate: Some(C_DecryptUpdate), + C_DecryptFinal: Some(C_DecryptFinal), + C_DigestInit: Some(C_DigestInit), + C_Digest: Some(C_Digest), + C_DigestUpdate: Some(C_DigestUpdate), + C_DigestKey: Some(C_DigestKey), + C_DigestFinal: Some(C_DigestFinal), + C_SignInit: Some(C_SignInit), + C_Sign: Some(C_Sign), + C_SignUpdate: Some(C_SignUpdate), + C_SignFinal: Some(C_SignFinal), + C_SignRecoverInit: Some(C_SignRecoverInit), + C_SignRecover: Some(C_SignRecover), + C_VerifyInit: Some(C_VerifyInit), + C_Verify: Some(C_Verify), + C_VerifyUpdate: Some(C_VerifyUpdate), + C_VerifyFinal: Some(C_VerifyFinal), + C_VerifyRecoverInit: Some(C_VerifyRecoverInit), + C_VerifyRecover: Some(C_VerifyRecover), + C_DigestEncryptUpdate: Some(C_DigestEncryptUpdate), + C_DecryptDigestUpdate: Some(C_DecryptDigestUpdate), + C_SignEncryptUpdate: Some(C_SignEncryptUpdate), + C_DecryptVerifyUpdate: Some(C_DecryptVerifyUpdate), + C_GenerateKey: Some(C_GenerateKey), + C_GenerateKeyPair: Some(C_GenerateKeyPair), + C_WrapKey: Some(C_WrapKey), + C_UnwrapKey: Some(C_UnwrapKey), + C_DeriveKey: Some(C_DeriveKey), + C_SeedRandom: Some(C_SeedRandom), + C_GenerateRandom: Some(C_GenerateRandom), + C_GetFunctionStatus: Some(C_GetFunctionStatus), + C_CancelFunction: Some(C_CancelFunction), + C_WaitForSlotEvent: Some(C_WaitForSlotEvent), +}; + +/// # Safety +/// +/// This is the only function this module exposes. NSS calls it to obtain the list of functions +/// comprising this module. +/// ppFunctionList must be a valid pointer. +#[no_mangle] +pub unsafe extern "C" fn C_GetFunctionList(ppFunctionList: CK_FUNCTION_LIST_PTR_PTR) -> CK_RV { + if ppFunctionList.is_null() { + return CKR_ARGUMENTS_BAD; + } + // CK_FUNCTION_LIST_PTR is a *mut CK_FUNCTION_LIST, but as per the + // specification, the caller must treat it as *const CK_FUNCTION_LIST. + *ppFunctionList = std::ptr::addr_of!(FUNCTION_LIST) as CK_FUNCTION_LIST_PTR; + CKR_OK +} + +#[cfg_attr(target_os = "macos", link(name = "Security", kind = "framework"))] +extern "C" {} diff --git a/security/manager/ssl/osclientcerts/test/certificate.bin b/security/manager/ssl/osclientcerts/test/certificate.bin Binary files differnew file mode 100644 index 0000000000..01fbafb15c --- /dev/null +++ b/security/manager/ssl/osclientcerts/test/certificate.bin diff --git a/security/manager/ssl/osclientcerts/test/modulus.bin b/security/manager/ssl/osclientcerts/test/modulus.bin new file mode 100644 index 0000000000..a9b09ff53e --- /dev/null +++ b/security/manager/ssl/osclientcerts/test/modulus.bin @@ -0,0 +1,2 @@ +ºˆQ¨DŽÖAýn¶ˆ6=<Ùêä5J´ìõhWl${ÁÇ%¨àؽ±œ›n†òkâ¯Zukjdqz¥Z§E‡÷Õ$œ~ÍCüiÐ8 )“« ÃIäÛ¹LÂklí‚ñ~i±Ó:‹*Aî§pà
ýf+°$’¤}¹ˆay±W=Ò;Åà¸H¨7ÓˆCï'ØU·fZª~/:{€$Ìl—–a[·â–Àu1£‘Ý´Ê÷ü%Ó ï¹§há³{/"oiã´Š•aî&Ö%«‘N6Ë$,¿‹/åñ™1¸³þI#úrQÄ1Õ¬Ú +5í
\ No newline at end of file diff --git a/security/manager/ssl/osclientcerts/test/rsa.bin b/security/manager/ssl/osclientcerts/test/rsa.bin Binary files differnew file mode 100644 index 0000000000..93ededb827 --- /dev/null +++ b/security/manager/ssl/osclientcerts/test/rsa.bin diff --git a/security/manager/ssl/rsclientcerts/Cargo.toml b/security/manager/ssl/rsclientcerts/Cargo.toml new file mode 100644 index 0000000000..14a35918b8 --- /dev/null +++ b/security/manager/ssl/rsclientcerts/Cargo.toml @@ -0,0 +1,10 @@ +[package] +name = "rsclientcerts" +version = "0.1.0" +authors = ["Dana Keeler <dkeeler@mozilla.com>"] +edition = "2018" +license = "MPL-2.0" + +[dependencies] +byteorder = "1.3" +pkcs11-bindings = "0.1" diff --git a/security/manager/ssl/rsclientcerts/src/error.rs b/security/manager/ssl/rsclientcerts/src/error.rs new file mode 100644 index 0000000000..6ef9062d32 --- /dev/null +++ b/security/manager/ssl/rsclientcerts/src/error.rs @@ -0,0 +1,103 @@ +/* -*- Mode: rust; rust-indent-offset: 4 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +use std::fmt; + +/// Helper macro to create an Error that knows which file and line it occurred +/// on. Can optionally have some extra information as a String. +#[macro_export] +macro_rules! error_here { + ($error_type:expr) => { + Error::new($error_type, file!(), line!(), None) + }; + ($error_type:expr, $info:expr) => { + Error::new($error_type, file!(), line!(), Some($info)) + }; +} + +/// Error type for identifying errors in this crate. Use the error_here! macro +/// to instantiate. +#[derive(Debug)] +pub struct Error { + typ: ErrorType, + file: &'static str, + line: u32, + info: Option<String>, +} + +impl Error { + pub fn new(typ: ErrorType, file: &'static str, line: u32, info: Option<String>) -> Error { + Error { + typ, + file, + line, + info, + } + } +} + +impl fmt::Display for Error { + fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { + if let Some(info) = &self.info { + write!(f, "{} at {}:{} ({})", self.typ, self.file, self.line, info) + } else { + write!(f, "{} at {}:{}", self.typ, self.file, self.line) + } + } +} + +impl Clone for Error { + fn clone(&self) -> Self { + Error { + typ: self.typ, + file: self.file, + line: self.line, + info: self.info.as_ref().cloned(), + } + } + + fn clone_from(&mut self, source: &Self) { + self.typ = source.typ; + self.file = source.file; + self.line = source.line; + self.info = source.info.as_ref().cloned(); + } +} + +#[derive(Copy, Clone, Debug)] +pub enum ErrorType { + /// An error in an external library or resource. + ExternalError, + /// Unexpected extra input (e.g. in an ASN.1 encoding). + ExtraInput, + /// Invalid argument. + InvalidArgument, + /// Invalid data input. + InvalidInput, + /// An internal library failure (e.g. an expected invariant failed). + LibraryFailure, + /// Truncated input (e.g. in an ASN.1 encoding). + TruncatedInput, + /// Unsupported input. + UnsupportedInput, + /// A given value could not be represented in the type used for it. + ValueTooLarge, +} + +impl fmt::Display for ErrorType { + fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { + let error_type_str = match self { + ErrorType::ExternalError => "ExternalError", + ErrorType::ExtraInput => "ExtraInput", + ErrorType::InvalidArgument => "InvalidArgument", + ErrorType::InvalidInput => "InvalidInput", + ErrorType::LibraryFailure => "LibraryFailure", + ErrorType::TruncatedInput => "TruncatedInput", + ErrorType::UnsupportedInput => "UnsupportedInput", + ErrorType::ValueTooLarge => "ValueTooLarge", + }; + write!(f, "{}", error_type_str) + } +} diff --git a/security/manager/ssl/rsclientcerts/src/lib.rs b/security/manager/ssl/rsclientcerts/src/lib.rs new file mode 100644 index 0000000000..01fa31e204 --- /dev/null +++ b/security/manager/ssl/rsclientcerts/src/lib.rs @@ -0,0 +1,11 @@ +/* -*- Mode: rust; rust-indent-offset: 4 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +extern crate byteorder; +extern crate pkcs11_bindings; + +pub mod error; +pub mod manager; +pub mod util; diff --git a/security/manager/ssl/rsclientcerts/src/manager.rs b/security/manager/ssl/rsclientcerts/src/manager.rs new file mode 100644 index 0000000000..507bed3a83 --- /dev/null +++ b/security/manager/ssl/rsclientcerts/src/manager.rs @@ -0,0 +1,671 @@ +/* -*- Mode: rust; rust-indent-offset: 4 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +use pkcs11_bindings::*; +use std::collections::{BTreeMap, BTreeSet}; +use std::sync::mpsc::{channel, Receiver, Sender}; +use std::thread; +use std::thread::JoinHandle; +use std::time::{Duration, Instant}; + +use crate::error::{Error, ErrorType}; +use crate::error_here; +use crate::util::*; + +/// Helper enum to differentiate between sessions on the modern slot and sessions on the legacy +/// slot. The former is for EC keys and RSA keys that can be used with RSA-PSS whereas the latter is +/// for RSA keys that cannot be used with RSA-PSS. +#[derive(Clone, Copy, PartialEq)] +pub enum SlotType { + Modern, + Legacy, +} + +pub trait CryptokiObject { + fn matches(&self, slot_type: SlotType, attrs: &[(CK_ATTRIBUTE_TYPE, Vec<u8>)]) -> bool; + fn get_attribute(&self, attribute: CK_ATTRIBUTE_TYPE) -> Option<&[u8]>; +} + +pub trait Sign { + fn get_signature_length( + &mut self, + data: &[u8], + params: &Option<CK_RSA_PKCS_PSS_PARAMS>, + ) -> Result<usize, Error>; + fn sign( + &mut self, + data: &[u8], + params: &Option<CK_RSA_PKCS_PSS_PARAMS>, + ) -> Result<Vec<u8>, Error>; +} + +pub trait ClientCertsBackend { + type Cert: CryptokiObject; + type Key: CryptokiObject + Sign; + + #[allow(clippy::type_complexity)] + fn find_objects(&self) -> Result<(Vec<Self::Cert>, Vec<Self::Key>), Error>; +} + +/// Helper type for sending `ManagerArguments` to the real `Manager`. +type ManagerArgumentsSender = Sender<ManagerArguments>; +/// Helper type for receiving `ManagerReturnValue`s from the real `Manager`. +type ManagerReturnValueReceiver = Receiver<ManagerReturnValue>; + +/// Helper enum that encapsulates arguments to send from the `ManagerProxy` to the real `Manager`. +/// `ManagerArguments::Stop` is a special variant that stops the background thread and drops the +/// `Manager`. +enum ManagerArguments { + OpenSession(SlotType), + CloseSession(CK_SESSION_HANDLE), + CloseAllSessions(SlotType), + StartSearch(CK_SESSION_HANDLE, Vec<(CK_ATTRIBUTE_TYPE, Vec<u8>)>), + Search(CK_SESSION_HANDLE, usize), + ClearSearch(CK_SESSION_HANDLE), + GetAttributes(CK_OBJECT_HANDLE, Vec<CK_ATTRIBUTE_TYPE>), + StartSign( + CK_SESSION_HANDLE, + CK_OBJECT_HANDLE, + Option<CK_RSA_PKCS_PSS_PARAMS>, + ), + GetSignatureLength(CK_SESSION_HANDLE, Vec<u8>), + Sign(CK_SESSION_HANDLE, Vec<u8>), + Stop, +} + +/// Helper enum that encapsulates return values from the real `Manager` that are sent back to the +/// `ManagerProxy`. `ManagerReturnValue::Stop` is a special variant that indicates that the +/// `Manager` will stop. +enum ManagerReturnValue { + OpenSession(Result<CK_SESSION_HANDLE, Error>), + CloseSession(Result<(), Error>), + CloseAllSessions(Result<(), Error>), + StartSearch(Result<(), Error>), + Search(Result<Vec<CK_OBJECT_HANDLE>, Error>), + ClearSearch(Result<(), Error>), + GetAttributes(Result<Vec<Option<Vec<u8>>>, Error>), + StartSign(Result<(), Error>), + GetSignatureLength(Result<usize, Error>), + Sign(Result<Vec<u8>, Error>), + Stop(Result<(), Error>), +} + +/// Helper macro to implement the body of each public `ManagerProxy` function. Takes a +/// `ManagerProxy` instance (should always be `self`), a `ManagerArguments` representing the +/// `Manager` function to call and the arguments to use, and the qualified type of the expected +/// `ManagerReturnValue` that will be received from the `Manager` when it is done. +macro_rules! manager_proxy_fn_impl { + ($manager:ident, $argument_enum:expr, $return_type:path) => { + match $manager.proxy_call($argument_enum) { + Ok($return_type(result)) => result, + Ok(_) => Err(error_here!(ErrorType::LibraryFailure)), + Err(e) => Err(e), + } + }; +} + +/// `ManagerProxy` synchronously proxies calls from any thread to the `Manager` that runs on a +/// single thread. This is necessary because the underlying OS APIs in use are not guaranteed to be +/// thread-safe (e.g. they may use thread-local storage). Using it should be identical to using the +/// real `Manager`. +pub struct ManagerProxy { + sender: ManagerArgumentsSender, + receiver: ManagerReturnValueReceiver, + thread_handle: Option<JoinHandle<()>>, +} + +impl ManagerProxy { + pub fn new<B: ClientCertsBackend + Send + 'static>(backend: B) -> Result<ManagerProxy, Error> { + let (proxy_sender, manager_receiver) = channel(); + let (manager_sender, proxy_receiver) = channel(); + let thread_handle = thread::Builder::new() + .name("osclientcert".into()) + .spawn(move || { + let mut real_manager = Manager::new(backend); + while let Ok(arguments) = manager_receiver.recv() { + let results = match arguments { + ManagerArguments::OpenSession(slot_type) => { + ManagerReturnValue::OpenSession(real_manager.open_session(slot_type)) + } + ManagerArguments::CloseSession(session_handle) => { + ManagerReturnValue::CloseSession( + real_manager.close_session(session_handle), + ) + } + ManagerArguments::CloseAllSessions(slot_type) => { + ManagerReturnValue::CloseAllSessions( + real_manager.close_all_sessions(slot_type), + ) + } + ManagerArguments::StartSearch(session, attrs) => { + ManagerReturnValue::StartSearch( + real_manager.start_search(session, attrs), + ) + } + ManagerArguments::Search(session, max_objects) => { + ManagerReturnValue::Search(real_manager.search(session, max_objects)) + } + ManagerArguments::ClearSearch(session) => { + ManagerReturnValue::ClearSearch(real_manager.clear_search(session)) + } + ManagerArguments::GetAttributes(object_handle, attr_types) => { + ManagerReturnValue::GetAttributes( + real_manager.get_attributes(object_handle, attr_types), + ) + } + ManagerArguments::StartSign(session, key_handle, params) => { + ManagerReturnValue::StartSign( + real_manager.start_sign(session, key_handle, params), + ) + } + ManagerArguments::GetSignatureLength(session, data) => { + ManagerReturnValue::GetSignatureLength( + real_manager.get_signature_length(session, data), + ) + } + ManagerArguments::Sign(session, data) => { + ManagerReturnValue::Sign(real_manager.sign(session, data)) + } + ManagerArguments::Stop => ManagerReturnValue::Stop(Ok(())), + }; + let stop_after_send = matches!(&results, &ManagerReturnValue::Stop(_)); + match manager_sender.send(results) { + Ok(()) => {} + Err(_) => { + break; + } + } + if stop_after_send { + break; + } + } + }); + match thread_handle { + Ok(thread_handle) => Ok(ManagerProxy { + sender: proxy_sender, + receiver: proxy_receiver, + thread_handle: Some(thread_handle), + }), + Err(_) => Err(error_here!(ErrorType::LibraryFailure)), + } + } + + fn proxy_call(&self, args: ManagerArguments) -> Result<ManagerReturnValue, Error> { + match self.sender.send(args) { + Ok(()) => {} + Err(_) => { + return Err(error_here!(ErrorType::LibraryFailure)); + } + }; + let result = match self.receiver.recv() { + Ok(result) => result, + Err(_) => { + return Err(error_here!(ErrorType::LibraryFailure)); + } + }; + Ok(result) + } + + pub fn open_session(&mut self, slot_type: SlotType) -> Result<CK_SESSION_HANDLE, Error> { + manager_proxy_fn_impl!( + self, + ManagerArguments::OpenSession(slot_type), + ManagerReturnValue::OpenSession + ) + } + + pub fn close_session(&mut self, session: CK_SESSION_HANDLE) -> Result<(), Error> { + manager_proxy_fn_impl!( + self, + ManagerArguments::CloseSession(session), + ManagerReturnValue::CloseSession + ) + } + + pub fn close_all_sessions(&mut self, slot_type: SlotType) -> Result<(), Error> { + manager_proxy_fn_impl!( + self, + ManagerArguments::CloseAllSessions(slot_type), + ManagerReturnValue::CloseAllSessions + ) + } + + pub fn start_search( + &mut self, + session: CK_SESSION_HANDLE, + attrs: Vec<(CK_ATTRIBUTE_TYPE, Vec<u8>)>, + ) -> Result<(), Error> { + manager_proxy_fn_impl!( + self, + ManagerArguments::StartSearch(session, attrs), + ManagerReturnValue::StartSearch + ) + } + + pub fn search( + &mut self, + session: CK_SESSION_HANDLE, + max_objects: usize, + ) -> Result<Vec<CK_OBJECT_HANDLE>, Error> { + manager_proxy_fn_impl!( + self, + ManagerArguments::Search(session, max_objects), + ManagerReturnValue::Search + ) + } + + pub fn clear_search(&mut self, session: CK_SESSION_HANDLE) -> Result<(), Error> { + manager_proxy_fn_impl!( + self, + ManagerArguments::ClearSearch(session), + ManagerReturnValue::ClearSearch + ) + } + + pub fn get_attributes( + &self, + object_handle: CK_OBJECT_HANDLE, + attr_types: Vec<CK_ATTRIBUTE_TYPE>, + ) -> Result<Vec<Option<Vec<u8>>>, Error> { + manager_proxy_fn_impl!( + self, + ManagerArguments::GetAttributes(object_handle, attr_types,), + ManagerReturnValue::GetAttributes + ) + } + + pub fn start_sign( + &mut self, + session: CK_SESSION_HANDLE, + key_handle: CK_OBJECT_HANDLE, + params: Option<CK_RSA_PKCS_PSS_PARAMS>, + ) -> Result<(), Error> { + manager_proxy_fn_impl!( + self, + ManagerArguments::StartSign(session, key_handle, params), + ManagerReturnValue::StartSign + ) + } + + pub fn get_signature_length( + &self, + session: CK_SESSION_HANDLE, + data: Vec<u8>, + ) -> Result<usize, Error> { + manager_proxy_fn_impl!( + self, + ManagerArguments::GetSignatureLength(session, data), + ManagerReturnValue::GetSignatureLength + ) + } + + pub fn sign(&mut self, session: CK_SESSION_HANDLE, data: Vec<u8>) -> Result<Vec<u8>, Error> { + manager_proxy_fn_impl!( + self, + ManagerArguments::Sign(session, data), + ManagerReturnValue::Sign + ) + } + + pub fn stop(&mut self) -> Result<(), Error> { + manager_proxy_fn_impl!(self, ManagerArguments::Stop, ManagerReturnValue::Stop)?; + let thread_handle = match self.thread_handle.take() { + Some(thread_handle) => thread_handle, + None => return Err(error_here!(ErrorType::LibraryFailure)), + }; + thread_handle + .join() + .map_err(|_| error_here!(ErrorType::LibraryFailure)) + } +} + +// Determines if the attributes of a given search correspond to NSS looking for all certificates or +// private keys. Returns true if so, and false otherwise. +// These searches are of the form: +// { { type: CKA_TOKEN, value: [1] }, +// { type: CKA_CLASS, value: [CKO_CERTIFICATE or CKO_PRIVATE_KEY, as serialized bytes] } } +// (although not necessarily in that order - see nssToken_TraverseCertificates and +// nssToken_FindPrivateKeys) +fn search_is_for_all_certificates_or_keys( + attrs: &[(CK_ATTRIBUTE_TYPE, Vec<u8>)], +) -> Result<bool, Error> { + if attrs.len() != 2 { + return Ok(false); + } + let token_bytes = vec![1_u8]; + let mut found_token = false; + let cko_certificate_bytes = serialize_uint(CKO_CERTIFICATE)?; + let cko_private_key_bytes = serialize_uint(CKO_PRIVATE_KEY)?; + let mut found_certificate_or_private_key = false; + for (attr_type, attr_value) in attrs.iter() { + if attr_type == &CKA_TOKEN && attr_value == &token_bytes { + found_token = true; + } + if attr_type == &CKA_CLASS + && (attr_value == &cko_certificate_bytes || attr_value == &cko_private_key_bytes) + { + found_certificate_or_private_key = true; + } + } + Ok(found_token && found_certificate_or_private_key) +} + +const SUPPORTED_ATTRIBUTES: &[CK_ATTRIBUTE_TYPE] = &[ + CKA_CLASS, + CKA_TOKEN, + CKA_LABEL, + CKA_ID, + CKA_VALUE, + CKA_ISSUER, + CKA_SERIAL_NUMBER, + CKA_SUBJECT, + CKA_PRIVATE, + CKA_KEY_TYPE, + CKA_MODULUS, + CKA_EC_PARAMS, +]; + +enum Object<B: ClientCertsBackend> { + Cert(B::Cert), + Key(B::Key), +} + +impl<B: ClientCertsBackend> Object<B> { + fn matches(&self, slot_type: SlotType, attrs: &[(CK_ATTRIBUTE_TYPE, Vec<u8>)]) -> bool { + match self { + Object::Cert(cert) => cert.matches(slot_type, attrs), + Object::Key(key) => key.matches(slot_type, attrs), + } + } + + fn get_attribute(&self, attribute: CK_ATTRIBUTE_TYPE) -> Option<&[u8]> { + match self { + Object::Cert(cert) => cert.get_attribute(attribute), + Object::Key(key) => key.get_attribute(attribute), + } + } + + fn id(&self) -> Result<&[u8], Error> { + self.get_attribute(CKA_ID) + .ok_or_else(|| error_here!(ErrorType::LibraryFailure)) + } + + fn get_signature_length( + &mut self, + data: Vec<u8>, + params: &Option<CK_RSA_PKCS_PSS_PARAMS>, + ) -> Result<usize, Error> { + match self { + Object::Cert(_) => Err(error_here!(ErrorType::InvalidArgument)), + Object::Key(key) => key.get_signature_length(&data, params), + } + } + + fn sign( + &mut self, + data: Vec<u8>, + params: &Option<CK_RSA_PKCS_PSS_PARAMS>, + ) -> Result<Vec<u8>, Error> { + match self { + Object::Cert(_) => Err(error_here!(ErrorType::InvalidArgument)), + Object::Key(key) => key.sign(&data, params), + } + } +} + +/// The `Manager` keeps track of the state of this module with respect to the PKCS #11 +/// specification. This includes what sessions are open, which search and sign operations are +/// ongoing, and what objects are known and by what handle. +pub struct Manager<B: ClientCertsBackend> { + /// A map of session to session type (modern or legacy). Sessions can be created (opened) and + /// later closed. + sessions: BTreeMap<CK_SESSION_HANDLE, SlotType>, + /// A map of searches to PKCS #11 object handles that match those searches. + searches: BTreeMap<CK_SESSION_HANDLE, Vec<CK_OBJECT_HANDLE>>, + /// A map of sign operations to a pair of the object handle and optionally some params being + /// used by each one. + signs: BTreeMap<CK_SESSION_HANDLE, (CK_OBJECT_HANDLE, Option<CK_RSA_PKCS_PSS_PARAMS>)>, + /// A map of object handles to the underlying objects. + objects: BTreeMap<CK_OBJECT_HANDLE, Object<B>>, + /// A set of certificate identifiers (not the same as handles). + cert_ids: BTreeSet<Vec<u8>>, + /// A set of key identifiers (not the same as handles). For each id in this set, there should be + /// a corresponding identical id in the `cert_ids` set. + key_ids: BTreeSet<Vec<u8>>, + /// The next session handle to hand out. + next_session: CK_SESSION_HANDLE, + /// The next object handle to hand out. + next_handle: CK_OBJECT_HANDLE, + /// The last time the implementation looked for new objects in the backend. + /// The implementation does this search no more than once every 3 seconds. + last_scan_time: Option<Instant>, + backend: B, +} + +impl<B: ClientCertsBackend> Manager<B> { + pub fn new(backend: B) -> Manager<B> { + Manager { + sessions: BTreeMap::new(), + searches: BTreeMap::new(), + signs: BTreeMap::new(), + objects: BTreeMap::new(), + cert_ids: BTreeSet::new(), + key_ids: BTreeSet::new(), + next_session: 1, + next_handle: 1, + last_scan_time: None, + backend, + } + } + + /// When a new search session is opened (provided at least 3 seconds have elapsed since the + /// last session was opened), this searches for certificates and keys to expose. We + /// de-duplicate previously-found certificates and keys by keeping track of their IDs. + fn maybe_find_new_objects(&mut self) -> Result<(), Error> { + let now = Instant::now(); + match self.last_scan_time { + Some(last_scan_time) => { + if now.duration_since(last_scan_time) < Duration::new(3, 0) { + return Ok(()); + } + } + None => {} + } + self.last_scan_time = Some(now); + let (certs, keys) = self.backend.find_objects()?; + for cert in certs { + let object = Object::Cert(cert); + if self.cert_ids.contains(object.id()?) { + continue; + } + self.cert_ids.insert(object.id()?.to_vec()); + let handle = self.get_next_handle(); + self.objects.insert(handle, object); + } + for key in keys { + let object = Object::Key(key); + if self.key_ids.contains(object.id()?) { + continue; + } + self.key_ids.insert(object.id()?.to_vec()); + let handle = self.get_next_handle(); + self.objects.insert(handle, object); + } + Ok(()) + } + + pub fn open_session(&mut self, slot_type: SlotType) -> Result<CK_SESSION_HANDLE, Error> { + let next_session = self.next_session; + self.next_session += 1; + self.sessions.insert(next_session, slot_type); + Ok(next_session) + } + + pub fn close_session(&mut self, session: CK_SESSION_HANDLE) -> Result<(), Error> { + self.sessions + .remove(&session) + .ok_or_else(|| error_here!(ErrorType::InvalidInput)) + .map(|_| ()) + } + + pub fn close_all_sessions(&mut self, slot_type: SlotType) -> Result<(), Error> { + let mut to_remove = Vec::new(); + for (session, open_slot_type) in self.sessions.iter() { + if slot_type == *open_slot_type { + to_remove.push(*session); + } + } + for session in to_remove { + if self.sessions.remove(&session).is_none() { + return Err(error_here!(ErrorType::LibraryFailure)); + } + } + Ok(()) + } + + fn get_next_handle(&mut self) -> CK_OBJECT_HANDLE { + let next_handle = self.next_handle; + self.next_handle += 1; + next_handle + } + + /// PKCS #11 specifies that search operations happen in three phases: setup, get any matches + /// (this part may be repeated if the caller uses a small buffer), and end. This implementation + /// does all of the work up front and gathers all matching objects during setup and retains them + /// until they are retrieved and consumed via `search`. + pub fn start_search( + &mut self, + session: CK_SESSION_HANDLE, + attrs: Vec<(CK_ATTRIBUTE_TYPE, Vec<u8>)>, + ) -> Result<(), Error> { + let slot_type = match self.sessions.get(&session) { + Some(slot_type) => *slot_type, + None => return Err(error_here!(ErrorType::InvalidArgument)), + }; + // If the search is for an attribute we don't support, no objects will match. This check + // saves us having to look through all of our objects. + for (attr, _) in &attrs { + if !SUPPORTED_ATTRIBUTES.contains(attr) { + self.searches.insert(session, Vec::new()); + return Ok(()); + } + } + // When NSS wants to find all certificates or all private keys, it will perform a search + // with a particular set of attributes. This implementation uses these searches as an + // indication for the backend to re-scan for new objects from tokens that may have been + // inserted or certificates that may have been imported into the OS. Since these searches + // are relatively rare, this minimizes the impact of doing these re-scans. + if search_is_for_all_certificates_or_keys(&attrs)? { + self.maybe_find_new_objects()?; + } + let mut handles = Vec::new(); + for (handle, object) in &self.objects { + if object.matches(slot_type, &attrs) { + handles.push(*handle); + } + } + self.searches.insert(session, handles); + Ok(()) + } + + /// Given a session and a maximum number of object handles to return, attempts to retrieve up to + /// that many objects from the corresponding search. Updates the search so those objects are not + /// returned repeatedly. `max_objects` must be non-zero. + pub fn search( + &mut self, + session: CK_SESSION_HANDLE, + max_objects: usize, + ) -> Result<Vec<CK_OBJECT_HANDLE>, Error> { + if max_objects == 0 { + return Err(error_here!(ErrorType::InvalidArgument)); + } + match self.searches.get_mut(&session) { + Some(search) => { + let split_at = if max_objects >= search.len() { + 0 + } else { + search.len() - max_objects + }; + let to_return = search.split_off(split_at); + if to_return.len() > max_objects { + return Err(error_here!(ErrorType::LibraryFailure)); + } + Ok(to_return) + } + None => Err(error_here!(ErrorType::InvalidArgument)), + } + } + + pub fn clear_search(&mut self, session: CK_SESSION_HANDLE) -> Result<(), Error> { + self.searches.remove(&session); + Ok(()) + } + + pub fn get_attributes( + &self, + object_handle: CK_OBJECT_HANDLE, + attr_types: Vec<CK_ATTRIBUTE_TYPE>, + ) -> Result<Vec<Option<Vec<u8>>>, Error> { + let object = match self.objects.get(&object_handle) { + Some(object) => object, + None => return Err(error_here!(ErrorType::InvalidArgument)), + }; + let mut results = Vec::with_capacity(attr_types.len()); + for attr_type in attr_types { + let result = object + .get_attribute(attr_type) + .map(|value| value.to_owned()); + results.push(result); + } + Ok(results) + } + + /// The way NSS uses PKCS #11 to sign data happens in two phases: setup and sign. This + /// implementation makes a note of which key is to be used (if it exists) during setup. When the + /// caller finishes with the sign operation, this implementation retrieves the key handle and + /// performs the signature. + pub fn start_sign( + &mut self, + session: CK_SESSION_HANDLE, + key_handle: CK_OBJECT_HANDLE, + params: Option<CK_RSA_PKCS_PSS_PARAMS>, + ) -> Result<(), Error> { + if self.signs.contains_key(&session) { + return Err(error_here!(ErrorType::InvalidArgument)); + } + self.signs.insert(session, (key_handle, params)); + Ok(()) + } + + pub fn get_signature_length( + &mut self, + session: CK_SESSION_HANDLE, + data: Vec<u8>, + ) -> Result<usize, Error> { + let (key_handle, params) = match self.signs.get(&session) { + Some((key_handle, params)) => (key_handle, params), + None => return Err(error_here!(ErrorType::InvalidArgument)), + }; + let key = match self.objects.get_mut(key_handle) { + Some(key) => key, + None => return Err(error_here!(ErrorType::InvalidArgument)), + }; + key.get_signature_length(data, params) + } + + pub fn sign(&mut self, session: CK_SESSION_HANDLE, data: Vec<u8>) -> Result<Vec<u8>, Error> { + // Performing the signature (via C_Sign, which is the only way we support) finishes the sign + // operation, so it needs to be removed here. + let (key_handle, params) = match self.signs.remove(&session) { + Some((key_handle, params)) => (key_handle, params), + None => return Err(error_here!(ErrorType::InvalidArgument)), + }; + let key = match self.objects.get_mut(&key_handle) { + Some(key) => key, + None => return Err(error_here!(ErrorType::InvalidArgument)), + }; + key.sign(data, ¶ms) + } +} diff --git a/security/manager/ssl/rsclientcerts/src/util.rs b/security/manager/ssl/rsclientcerts/src/util.rs new file mode 100644 index 0000000000..d0011a0a2e --- /dev/null +++ b/security/manager/ssl/rsclientcerts/src/util.rs @@ -0,0 +1,540 @@ +/* -*- Mode: rust; rust-indent-offset: 4 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +use byteorder::{BigEndian, NativeEndian, ReadBytesExt, WriteBytesExt}; +use std::convert::TryInto; + +use crate::error::{Error, ErrorType}; +use crate::error_here; + +/// Accessing fields of packed structs is unsafe (it may be undefined behavior if the field isn't +/// aligned). Since we're implementing a PKCS#11 module, we already have to trust the caller not to +/// give us bad data, so normally we would deal with this by adding an unsafe block. If we do that, +/// though, the compiler complains that the unsafe block is unnecessary. Thus, we use this macro to +/// annotate the unsafe block to silence the compiler. +#[macro_export] +macro_rules! unsafe_packed_field_access { + ($e:expr) => {{ + #[allow(unused_unsafe)] + let tmp = unsafe { $e }; + tmp + }}; +} + +// The following ENCODED_OID_BYTES_* consist of the encoded bytes of an ASN.1 +// OBJECT IDENTIFIER specifying the indicated OID (in other words, the full +// tag, length, and value). +#[cfg(target_os = "macos")] +pub const ENCODED_OID_BYTES_SECP256R1: &[u8] = + &[0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07]; +#[cfg(target_os = "macos")] +pub const ENCODED_OID_BYTES_SECP384R1: &[u8] = &[0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22]; +#[cfg(target_os = "macos")] +pub const ENCODED_OID_BYTES_SECP521R1: &[u8] = &[0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23]; + +// The following OID_BYTES_* consist of the contents of the bytes of an ASN.1 +// OBJECT IDENTIFIER specifying the indicated OID (in other words, just the +// value, and not the tag or length). +#[cfg(target_os = "macos")] +pub const OID_BYTES_SHA_256: &[u8] = &[0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01]; +#[cfg(target_os = "macos")] +pub const OID_BYTES_SHA_384: &[u8] = &[0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02]; +#[cfg(target_os = "macos")] +pub const OID_BYTES_SHA_512: &[u8] = &[0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03]; +#[cfg(target_os = "macos")] +pub const OID_BYTES_SHA_1: &[u8] = &[0x2b, 0x0e, 0x03, 0x02, 0x1a]; + +// This is a helper function to take a value and lay it out in memory how +// PKCS#11 is expecting it. +pub fn serialize_uint<T: TryInto<u64>>(value: T) -> Result<Vec<u8>, Error> { + let value_size = std::mem::size_of::<T>(); + let mut value_buf = Vec::with_capacity(value_size); + let value_as_u64 = value + .try_into() + .map_err(|_| error_here!(ErrorType::ValueTooLarge))?; + value_buf + .write_uint::<NativeEndian>(value_as_u64, value_size) + .map_err(|_| error_here!(ErrorType::LibraryFailure))?; + Ok(value_buf) +} + +/// Given a slice of DER bytes representing an RSA public key, extracts the bytes of the modulus +/// as an unsigned integer. Also verifies that the public exponent is present (again as an +/// unsigned integer). Finally verifies that reading these values consumes the entirety of the +/// slice. +/// RSAPublicKey ::= SEQUENCE { +/// modulus INTEGER, -- n +/// publicExponent INTEGER -- e +/// } +pub fn read_rsa_modulus(public_key: &[u8]) -> Result<Vec<u8>, Error> { + let mut sequence = Sequence::new(public_key)?; + let modulus_value = sequence.read_unsigned_integer()?; + let _exponent = sequence.read_unsigned_integer()?; + if !sequence.at_end() { + return Err(error_here!(ErrorType::ExtraInput)); + } + Ok(modulus_value.to_vec()) +} + +/// Given a slice of DER bytes representing a DigestInfo, extracts the bytes of +/// the OID of the hash algorithm and the digest. +/// DigestInfo ::= SEQUENCE { +/// digestAlgorithm DigestAlgorithmIdentifier, +/// digest Digest } +/// +/// DigestAlgorithmIdentifier ::= AlgorithmIdentifier +/// +/// AlgorithmIdentifier ::= SEQUENCE { +/// algorithm OBJECT IDENTIFIER, +/// parameters ANY DEFINED BY algorithm OPTIONAL } +/// +/// Digest ::= OCTET STRING +pub fn read_digest_info(digest_info: &[u8]) -> Result<(&[u8], &[u8]), Error> { + let mut sequence = Sequence::new(digest_info)?; + let mut algorithm = sequence.read_sequence()?; + let oid = algorithm.read_oid()?; + algorithm.read_null()?; + if !algorithm.at_end() { + return Err(error_here!(ErrorType::ExtraInput)); + } + let digest = sequence.read_octet_string()?; + if !sequence.at_end() { + return Err(error_here!(ErrorType::ExtraInput)); + } + Ok((oid, digest)) +} + +/// Given a slice of DER bytes representing an ECDSA signature, extracts the bytes of `r` and `s` +/// as unsigned integers. Also verifies that this consumes the entirety of the slice. +/// Ecdsa-Sig-Value ::= SEQUENCE { +/// r INTEGER, +/// s INTEGER } +#[cfg(target_os = "macos")] +pub fn read_ec_sig_point(signature: &[u8]) -> Result<(&[u8], &[u8]), Error> { + let mut sequence = Sequence::new(signature)?; + let r = sequence.read_unsigned_integer()?; + let s = sequence.read_unsigned_integer()?; + if !sequence.at_end() { + return Err(error_here!(ErrorType::ExtraInput)); + } + Ok((r, s)) +} + +/// Given a slice of DER bytes representing an X.509 certificate, extracts the encoded serial +/// number, issuer, and subject. Does not verify that the remainder of the certificate is in any +/// way well-formed. +/// Certificate ::= SEQUENCE { +/// tbsCertificate TBSCertificate, +/// signatureAlgorithm AlgorithmIdentifier, +/// signatureValue BIT STRING } +/// +/// TBSCertificate ::= SEQUENCE { +/// version [0] EXPLICIT Version DEFAULT v1, +/// serialNumber CertificateSerialNumber, +/// signature AlgorithmIdentifier, +/// issuer Name, +/// validity Validity, +/// subject Name, +/// ... +/// +/// CertificateSerialNumber ::= INTEGER +/// +/// Name ::= CHOICE { -- only one possibility for now -- +/// rdnSequence RDNSequence } +/// +/// RDNSequence ::= SEQUENCE OF RelativeDistinguishedName +/// +/// Validity ::= SEQUENCE { +/// notBefore Time, +/// notAfter Time } +#[allow(clippy::type_complexity)] +pub fn read_encoded_certificate_identifiers( + certificate: &[u8], +) -> Result<(Vec<u8>, Vec<u8>, Vec<u8>), Error> { + let mut certificate_sequence = Sequence::new(certificate)?; + let mut tbs_certificate_sequence = certificate_sequence.read_sequence()?; + let _version = tbs_certificate_sequence.read_tagged_value(0)?; + let serial_number = tbs_certificate_sequence.read_encoded_sequence_component(INTEGER)?; + let _signature = tbs_certificate_sequence.read_sequence()?; + let issuer = + tbs_certificate_sequence.read_encoded_sequence_component(SEQUENCE | CONSTRUCTED)?; + let _validity = tbs_certificate_sequence.read_sequence()?; + let subject = + tbs_certificate_sequence.read_encoded_sequence_component(SEQUENCE | CONSTRUCTED)?; + Ok((serial_number, issuer, subject)) +} + +/// Helper macro for reading some bytes from a slice while checking the slice is long enough. +/// Returns a pair consisting of a slice of the bytes read and a slice of the rest of the bytes +/// from the original slice. +macro_rules! try_read_bytes { + ($data:ident, $len:expr) => {{ + if $data.len() < $len { + return Err(error_here!(ErrorType::TruncatedInput)); + } + $data.split_at($len) + }}; +} + +/// ASN.1 tag identifying an integer. +const INTEGER: u8 = 0x02; +/// ASN.1 tag identifying an octet string. +const OCTET_STRING: u8 = 0x04; +/// ASN.1 tag identifying a null value. +const NULL: u8 = 0x05; +/// ASN.1 tag identifying an object identifier (OID). +const OBJECT_IDENTIFIER: u8 = 0x06; +/// ASN.1 tag identifying a sequence. +const SEQUENCE: u8 = 0x10; +/// ASN.1 tag modifier identifying an item as constructed. +const CONSTRUCTED: u8 = 0x20; +/// ASN.1 tag modifier identifying an item as context-specific. +const CONTEXT_SPECIFIC: u8 = 0x80; + +/// A helper struct for reading items from a DER SEQUENCE (in this case, all sequences are +/// assumed to be CONSTRUCTED). +struct Sequence<'a> { + /// The contents of the SEQUENCE. + contents: Der<'a>, +} + +impl<'a> Sequence<'a> { + fn new(input: &'a [u8]) -> Result<Sequence<'a>, Error> { + let mut der = Der::new(input); + let (_, _, sequence_bytes) = der.read_tlv(SEQUENCE | CONSTRUCTED)?; + // We're assuming we want to consume the entire input for now. + if !der.at_end() { + return Err(error_here!(ErrorType::ExtraInput)); + } + Ok(Sequence { + contents: Der::new(sequence_bytes), + }) + } + + // TODO: we're not exhaustively validating this integer + fn read_unsigned_integer(&mut self) -> Result<&'a [u8], Error> { + let (_, _, bytes) = self.contents.read_tlv(INTEGER)?; + if bytes.is_empty() { + return Err(error_here!(ErrorType::InvalidInput)); + } + // There may be a leading zero (we should also check that the first bit + // of the rest of the integer is set). + if bytes[0] == 0 && bytes.len() > 1 { + let (_, integer) = bytes.split_at(1); + Ok(integer) + } else { + Ok(bytes) + } + } + + fn read_octet_string(&mut self) -> Result<&'a [u8], Error> { + let (_, _, bytes) = self.contents.read_tlv(OCTET_STRING)?; + Ok(bytes) + } + + fn read_oid(&mut self) -> Result<&'a [u8], Error> { + let (_, _, bytes) = self.contents.read_tlv(OBJECT_IDENTIFIER)?; + Ok(bytes) + } + + fn read_null(&mut self) -> Result<(), Error> { + let (_, _, bytes) = self.contents.read_tlv(NULL)?; + if bytes.is_empty() { + Ok(()) + } else { + Err(error_here!(ErrorType::InvalidInput)) + } + } + + fn read_sequence(&mut self) -> Result<Sequence<'a>, Error> { + let (_, _, sequence_bytes) = self.contents.read_tlv(SEQUENCE | CONSTRUCTED)?; + Ok(Sequence { + contents: Der::new(sequence_bytes), + }) + } + + fn read_tagged_value(&mut self, tag: u8) -> Result<&'a [u8], Error> { + let (_, _, tagged_value_bytes) = self + .contents + .read_tlv(CONTEXT_SPECIFIC | CONSTRUCTED | tag)?; + Ok(tagged_value_bytes) + } + + fn read_encoded_sequence_component(&mut self, tag: u8) -> Result<Vec<u8>, Error> { + let (tag, length, value) = self.contents.read_tlv(tag)?; + let mut encoded_component_bytes = length; + encoded_component_bytes.insert(0, tag); + encoded_component_bytes.extend_from_slice(value); + Ok(encoded_component_bytes) + } + + fn at_end(&self) -> bool { + self.contents.at_end() + } +} + +/// A helper struct for reading DER data. The contents are treated like a cursor, so its position +/// is updated as data is read. +struct Der<'a> { + contents: &'a [u8], +} + +impl<'a> Der<'a> { + fn new(contents: &'a [u8]) -> Der<'a> { + Der { contents } + } + + // In theory, a caller could encounter an error and try another operation, in which case we may + // be in an inconsistent state. As long as this implementation isn't exposed to code that would + // use it incorrectly (i.e. it stays in this module and we only expose a stateless API), it + // should be safe. + /// Given an expected tag, reads the next (tag, lengh, value) from the contents. Most + /// consumers will only be interested in the value, but some may want the entire encoded + /// contents, in which case the returned tuple can be concatenated. + fn read_tlv(&mut self, tag: u8) -> Result<(u8, Vec<u8>, &'a [u8]), Error> { + let contents = self.contents; + let (tag_read, rest) = try_read_bytes!(contents, 1); + if tag_read[0] != tag { + return Err(error_here!(ErrorType::InvalidInput)); + } + let mut accumulated_length_bytes = Vec::with_capacity(4); + let (length1, rest) = try_read_bytes!(rest, 1); + accumulated_length_bytes.extend_from_slice(length1); + let (length, to_read_from) = if length1[0] < 0x80 { + (length1[0] as usize, rest) + } else if length1[0] == 0x81 { + let (length, rest) = try_read_bytes!(rest, 1); + accumulated_length_bytes.extend_from_slice(length); + if length[0] < 0x80 { + return Err(error_here!(ErrorType::InvalidInput)); + } + (length[0] as usize, rest) + } else if length1[0] == 0x82 { + let (mut lengths, rest) = try_read_bytes!(rest, 2); + accumulated_length_bytes.extend_from_slice(lengths); + let length = lengths + .read_u16::<BigEndian>() + .map_err(|_| error_here!(ErrorType::LibraryFailure))?; + if length < 256 { + return Err(error_here!(ErrorType::InvalidInput)); + } + (length as usize, rest) + } else { + return Err(error_here!(ErrorType::UnsupportedInput)); + }; + let (contents, rest) = try_read_bytes!(to_read_from, length); + self.contents = rest; + Ok((tag, accumulated_length_bytes, contents)) + } + + fn at_end(&self) -> bool { + self.contents.is_empty() + } +} + +#[cfg(test)] +mod tests { + use super::*; + + #[test] + fn der_test_empty_input() { + let input = Vec::new(); + let mut der = Der::new(&input); + assert!(der.read_tlv(INTEGER).is_err()); + } + + #[test] + fn der_test_no_length() { + let input = vec![INTEGER]; + let mut der = Der::new(&input); + assert!(der.read_tlv(INTEGER).is_err()); + } + + #[test] + fn der_test_empty_sequence() { + let input = vec![SEQUENCE, 0]; + let mut der = Der::new(&input); + let read_result = der.read_tlv(SEQUENCE); + assert!(read_result.is_ok()); + let (tag, length, sequence_bytes) = read_result.unwrap(); + assert_eq!(tag, SEQUENCE); + assert_eq!(length, vec![0]); + assert_eq!(sequence_bytes.len(), 0); + assert!(der.at_end()); + } + + #[test] + fn der_test_not_at_end() { + let input = vec![SEQUENCE, 0, 1]; + let mut der = Der::new(&input); + let read_result = der.read_tlv(SEQUENCE); + assert!(read_result.is_ok()); + let (tag, length, sequence_bytes) = read_result.unwrap(); + assert_eq!(tag, SEQUENCE); + assert_eq!(length, vec![0]); + assert_eq!(sequence_bytes.len(), 0); + assert!(!der.at_end()); + } + + #[test] + fn der_test_wrong_tag() { + let input = vec![SEQUENCE, 0]; + let mut der = Der::new(&input); + assert!(der.read_tlv(INTEGER).is_err()); + } + + #[test] + fn der_test_truncated_two_byte_length() { + let input = vec![SEQUENCE, 0x81]; + let mut der = Der::new(&input); + assert!(der.read_tlv(SEQUENCE).is_err()); + } + + #[test] + fn der_test_truncated_three_byte_length() { + let input = vec![SEQUENCE, 0x82, 1]; + let mut der = Der::new(&input); + assert!(der.read_tlv(SEQUENCE).is_err()); + } + + #[test] + fn der_test_truncated_data() { + let input = vec![SEQUENCE, 20, 1]; + let mut der = Der::new(&input); + assert!(der.read_tlv(SEQUENCE).is_err()); + } + + #[test] + fn der_test_sequence() { + let input = vec![ + SEQUENCE, 20, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6, 7, 7, 8, 8, 9, 9, 0, 0, + ]; + let mut der = Der::new(&input); + let result = der.read_tlv(SEQUENCE); + assert!(result.is_ok()); + let (tag, length, value) = result.unwrap(); + assert_eq!(tag, SEQUENCE); + assert_eq!(length, vec![20]); + assert_eq!( + value, + [1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6, 7, 7, 8, 8, 9, 9, 0, 0] + ); + assert!(der.at_end()); + } + + #[test] + fn der_test_not_shortest_two_byte_length_encoding() { + let input = vec![SEQUENCE, 0x81, 1, 1]; + let mut der = Der::new(&input); + assert!(der.read_tlv(SEQUENCE).is_err()); + } + + #[test] + fn der_test_not_shortest_three_byte_length_encoding() { + let input = vec![SEQUENCE, 0x82, 0, 1, 1]; + let mut der = Der::new(&input); + assert!(der.read_tlv(SEQUENCE).is_err()); + } + + #[test] + fn der_test_indefinite_length_unsupported() { + let input = vec![SEQUENCE, 0x80, 1, 2, 3, 0x00, 0x00]; + let mut der = Der::new(&input); + assert!(der.read_tlv(SEQUENCE).is_err()); + } + + #[test] + fn der_test_input_too_long() { + // This isn't valid DER (the contents of the SEQUENCE are truncated), but it demonstrates + // that we don't try to read too much if we're given a long length (and also that we don't + // support lengths 2^16 and up). + let input = vec![SEQUENCE, 0x83, 0x01, 0x00, 0x01, 1, 1, 1, 1]; + let mut der = Der::new(&input); + assert!(der.read_tlv(SEQUENCE).is_err()); + } + + #[test] + fn empty_input_fails() { + let empty = Vec::new(); + assert!(read_rsa_modulus(&empty).is_err()); + #[cfg(target_os = "macos")] + assert!(read_ec_sig_point(&empty).is_err()); + assert!(read_encoded_certificate_identifiers(&empty).is_err()); + } + + #[test] + fn empty_sequence_fails() { + let empty = vec![SEQUENCE | CONSTRUCTED]; + assert!(read_rsa_modulus(&empty).is_err()); + #[cfg(target_os = "macos")] + assert!(read_ec_sig_point(&empty).is_err()); + assert!(read_encoded_certificate_identifiers(&empty).is_err()); + } + + #[test] + fn test_read_rsa_modulus() { + let rsa_key = include_bytes!("../test/rsa.bin"); + let result = read_rsa_modulus(rsa_key); + assert!(result.is_ok()); + let modulus = result.unwrap(); + assert_eq!(modulus, include_bytes!("../test/modulus.bin").to_vec()); + } + + #[test] + fn test_read_certificate_identifiers() { + let certificate = include_bytes!("../test/certificate.bin"); + let result = read_encoded_certificate_identifiers(certificate); + assert!(result.is_ok()); + let (serial_number, issuer, subject) = result.unwrap(); + assert_eq!( + serial_number, + &[ + 0x02, 0x14, 0x3f, 0xed, 0x7b, 0x43, 0x47, 0x8a, 0x53, 0x42, 0x5b, 0x0d, 0x50, 0xe1, + 0x37, 0x88, 0x2a, 0x20, 0x3f, 0x31, 0x17, 0x20 + ] + ); + assert_eq!( + issuer, + &[ + 0x30, 0x12, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x07, 0x54, + 0x65, 0x73, 0x74, 0x20, 0x43, 0x41 + ] + ); + assert_eq!( + subject, + &[ + 0x30, 0x1a, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x54, + 0x65, 0x73, 0x74, 0x20, 0x45, 0x6e, 0x64, 0x2d, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79 + ] + ); + } + + #[test] + #[cfg(target_os = "windows")] + fn test_read_digest() { + // SEQUENCE + // SEQUENCE + // OBJECT IDENTIFIER 2.16.840.1.101.3.4.2.1 sha-256 + // NULL + // OCTET STRING 1A7FCDB9A5F649F954885CFE145F3E93F0D1FA72BE980CC6EC82C70E1407C7D2 + let digest_info = [ + 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x1, 0x65, 0x03, 0x04, 0x02, + 0x01, 0x05, 0x00, 0x04, 0x20, 0x1a, 0x7f, 0xcd, 0xb9, 0xa5, 0xf6, 0x49, 0xf9, 0x54, + 0x88, 0x5c, 0xfe, 0x14, 0x5f, 0x3e, 0x93, 0xf0, 0xd1, 0xfa, 0x72, 0xbe, 0x98, 0x0c, + 0xc6, 0xec, 0x82, 0xc7, 0x0e, 0x14, 0x07, 0xc7, 0xd2, + ]; + let result = read_digest(&digest_info); + assert!(result.is_ok()); + let digest = result.unwrap(); + assert_eq!( + digest, + &[ + 0x1a, 0x7f, 0xcd, 0xb9, 0xa5, 0xf6, 0x49, 0xf9, 0x54, 0x88, 0x5c, 0xfe, 0x14, 0x5f, + 0x3e, 0x93, 0xf0, 0xd1, 0xfa, 0x72, 0xbe, 0x98, 0x0c, 0xc6, 0xec, 0x82, 0xc7, 0x0e, + 0x14, 0x07, 0xc7, 0xd2 + ] + ); + } +} diff --git a/security/manager/ssl/rsclientcerts/test/certificate.bin b/security/manager/ssl/rsclientcerts/test/certificate.bin Binary files differnew file mode 100644 index 0000000000..01fbafb15c --- /dev/null +++ b/security/manager/ssl/rsclientcerts/test/certificate.bin diff --git a/security/manager/ssl/rsclientcerts/test/modulus.bin b/security/manager/ssl/rsclientcerts/test/modulus.bin new file mode 100644 index 0000000000..a9b09ff53e --- /dev/null +++ b/security/manager/ssl/rsclientcerts/test/modulus.bin @@ -0,0 +1,2 @@ +ºˆQ¨DŽÖAýn¶ˆ6=<Ùêä5J´ìõhWl${ÁÇ%¨àؽ±œ›n†òkâ¯Zukjdqz¥Z§E‡÷Õ$œ~ÍCüiÐ8 )“« ÃIäÛ¹LÂklí‚ñ~i±Ó:‹*Aî§pà
ýf+°$’¤}¹ˆay±W=Ò;Åà¸H¨7ÓˆCï'ØU·fZª~/:{€$Ìl—–a[·â–Àu1£‘Ý´Ê÷ü%Ó ï¹§há³{/"oiã´Š•aî&Ö%«‘N6Ë$,¿‹/åñ™1¸³þI#úrQÄ1Õ¬Ú +5í
\ No newline at end of file diff --git a/security/manager/ssl/rsclientcerts/test/rsa.bin b/security/manager/ssl/rsclientcerts/test/rsa.bin Binary files differnew file mode 100644 index 0000000000..93ededb827 --- /dev/null +++ b/security/manager/ssl/rsclientcerts/test/rsa.bin diff --git a/security/manager/ssl/tests/.eslintrc.js b/security/manager/ssl/tests/.eslintrc.js new file mode 100644 index 0000000000..379eabb2d0 --- /dev/null +++ b/security/manager/ssl/tests/.eslintrc.js @@ -0,0 +1,8 @@ +"use strict"; + +module.exports = { + rules: { + // Disallow non-top level |var| declarations. + "mozilla/var-only-at-top-level": "error", + }, +}; diff --git a/security/manager/ssl/tests/gtest/CoseTest.cpp b/security/manager/ssl/tests/gtest/CoseTest.cpp new file mode 100644 index 0000000000..2f05cad3a7 --- /dev/null +++ b/security/manager/ssl/tests/gtest/CoseTest.cpp @@ -0,0 +1,756 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "gtest/gtest.h" + +#include <assert.h> +#include <stdint.h> +#include <stdio.h> +#include <cstddef> +#include <memory> + +#include <keyhi.h> +#include <nss.h> +#include <pk11pub.h> + +#include <pkcs11t.h> +#include <secmodt.h> +#include <cert.h> + +#include "ScopedNSSTypes.h" +#include "cosec.h" + +namespace mozilla { + +// "This is the content." +const uint8_t PAYLOAD[] = {84, 104, 105, 115, 32, 105, 115, 32, 116, 104, + 101, 32, 99, 111, 110, 116, 101, 110, 116, 46}; + +// This is a COSE signature generated with the cose rust library (see +// third-party/rust/cose). The payload is signed with the P256 key from +// pykey.py. +const uint8_t SIGNATURE[] = { + 0xd8, 0x62, 0x84, 0x59, 0x02, 0xa3, 0xa1, 0x04, 0x82, 0x59, 0x01, 0x4e, + 0x30, 0x82, 0x01, 0x4a, 0x30, 0x81, 0xf1, 0xa0, 0x03, 0x02, 0x01, 0x02, + 0x02, 0x14, 0x5f, 0x3f, 0xae, 0x90, 0x49, 0x30, 0x2f, 0x33, 0x6e, 0x95, + 0x23, 0xa7, 0xcb, 0x23, 0xd7, 0x65, 0x4f, 0xea, 0x3c, 0xf7, 0x30, 0x0a, + 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x14, + 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x09, 0x72, + 0x6f, 0x6f, 0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x22, 0x18, 0x0f, + 0x32, 0x30, 0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30, 0x30, + 0x30, 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32, 0x33, + 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x14, 0x31, 0x12, + 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x09, 0x72, 0x6f, 0x6f, + 0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, + 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, + 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x4f, 0xbf, 0xbb, + 0xbb, 0x61, 0xe0, 0xf8, 0xf9, 0xb1, 0xa6, 0x0a, 0x59, 0xac, 0x87, 0x04, + 0xe2, 0xec, 0x05, 0x0b, 0x42, 0x3e, 0x3c, 0xf7, 0x2e, 0x92, 0x3f, 0x2c, + 0x4f, 0x79, 0x4b, 0x45, 0x5c, 0x2a, 0x69, 0xd2, 0x33, 0x45, 0x6c, 0x36, + 0xc4, 0x11, 0x9d, 0x07, 0x06, 0xe0, 0x0e, 0xed, 0xc8, 0xd1, 0x93, 0x90, + 0xd7, 0x99, 0x1b, 0x7b, 0x2d, 0x07, 0xa3, 0x04, 0xea, 0xa0, 0x4a, 0xa6, + 0xc0, 0xa3, 0x1d, 0x30, 0x1b, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, + 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0b, 0x06, 0x03, 0x55, + 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x0a, 0x06, 0x08, + 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, 0x30, + 0x45, 0x02, 0x20, 0x5c, 0x75, 0x51, 0x9f, 0x13, 0x11, 0x50, 0xcd, 0x5d, + 0x8a, 0xde, 0x20, 0xa3, 0xbc, 0x06, 0x30, 0x91, 0xff, 0xb2, 0x73, 0x75, + 0x5f, 0x31, 0x64, 0xec, 0xfd, 0xcb, 0x42, 0x80, 0x0a, 0x70, 0xe6, 0x02, + 0x21, 0x00, 0xc2, 0xe4, 0xc1, 0xa8, 0xe2, 0x89, 0xdc, 0xa1, 0xbb, 0xe7, + 0xd5, 0x4f, 0x5c, 0x88, 0xad, 0xeb, 0xa4, 0x78, 0xa1, 0x19, 0xbe, 0x22, + 0x54, 0xc8, 0x9f, 0xef, 0xb8, 0x5d, 0xa2, 0x40, 0xd9, 0x8b, 0x59, 0x01, + 0x4c, 0x30, 0x82, 0x01, 0x48, 0x30, 0x81, 0xf0, 0xa0, 0x03, 0x02, 0x01, + 0x02, 0x02, 0x14, 0x43, 0x63, 0x59, 0xad, 0x04, 0x34, 0x56, 0x80, 0x43, + 0xec, 0x90, 0x6a, 0xd4, 0x10, 0x64, 0x7c, 0x7f, 0x38, 0x32, 0xe2, 0x30, + 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, + 0x14, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x09, + 0x72, 0x6f, 0x6f, 0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x22, 0x18, + 0x0f, 0x32, 0x30, 0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30, + 0x30, 0x30, 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32, + 0x33, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x13, 0x31, + 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, 0x69, 0x6e, + 0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, + 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, + 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x4f, 0xbf, 0xbb, + 0xbb, 0x61, 0xe0, 0xf8, 0xf9, 0xb1, 0xa6, 0x0a, 0x59, 0xac, 0x87, 0x04, + 0xe2, 0xec, 0x05, 0x0b, 0x42, 0x3e, 0x3c, 0xf7, 0x2e, 0x92, 0x3f, 0x2c, + 0x4f, 0x79, 0x4b, 0x45, 0x5c, 0x2a, 0x69, 0xd2, 0x33, 0x45, 0x6c, 0x36, + 0xc4, 0x11, 0x9d, 0x07, 0x06, 0xe0, 0x0e, 0xed, 0xc8, 0xd1, 0x93, 0x90, + 0xd7, 0x99, 0x1b, 0x7b, 0x2d, 0x07, 0xa3, 0x04, 0xea, 0xa0, 0x4a, 0xa6, + 0xc0, 0xa3, 0x1d, 0x30, 0x1b, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, + 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0b, 0x06, 0x03, 0x55, + 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x0a, 0x06, 0x08, + 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x47, 0x00, 0x30, + 0x44, 0x02, 0x20, 0x63, 0x59, 0x02, 0x01, 0x89, 0xd7, 0x3e, 0x5b, 0xff, + 0xd1, 0x16, 0x4e, 0xe3, 0xe2, 0x0a, 0xe0, 0x4a, 0xd8, 0x75, 0xaf, 0x77, + 0x5c, 0x93, 0x60, 0xba, 0x10, 0x1f, 0x97, 0xdd, 0x27, 0x2d, 0x24, 0x02, + 0x20, 0x3d, 0x87, 0x0f, 0xac, 0x22, 0x4d, 0x16, 0xd9, 0xa1, 0x95, 0xbb, + 0x56, 0xe0, 0x21, 0x05, 0x93, 0xd1, 0x07, 0xb5, 0x25, 0x3b, 0xf4, 0x57, + 0x20, 0x87, 0x13, 0xa2, 0xf7, 0x78, 0x15, 0x30, 0xa7, 0xa0, 0xf6, 0x81, + 0x83, 0x59, 0x01, 0x33, 0xa2, 0x01, 0x26, 0x04, 0x59, 0x01, 0x2c, 0x30, + 0x82, 0x01, 0x28, 0x30, 0x81, 0xcf, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, + 0x14, 0x2f, 0xc3, 0x5f, 0x05, 0x80, 0xb4, 0x49, 0x45, 0x13, 0x92, 0xd6, + 0x93, 0xb7, 0x2d, 0x71, 0x19, 0xc5, 0x8c, 0x40, 0x39, 0x30, 0x0a, 0x06, + 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x13, 0x31, + 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, 0x69, 0x6e, + 0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x22, 0x18, 0x0f, 0x32, 0x30, + 0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, + 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32, 0x33, 0x31, 0x30, + 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x12, 0x31, 0x10, 0x30, 0x0e, + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x07, 0x65, 0x65, 0x2d, 0x70, 0x32, + 0x35, 0x36, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, + 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, + 0x07, 0x03, 0x42, 0x00, 0x04, 0x4f, 0xbf, 0xbb, 0xbb, 0x61, 0xe0, 0xf8, + 0xf9, 0xb1, 0xa6, 0x0a, 0x59, 0xac, 0x87, 0x04, 0xe2, 0xec, 0x05, 0x0b, + 0x42, 0x3e, 0x3c, 0xf7, 0x2e, 0x92, 0x3f, 0x2c, 0x4f, 0x79, 0x4b, 0x45, + 0x5c, 0x2a, 0x69, 0xd2, 0x33, 0x45, 0x6c, 0x36, 0xc4, 0x11, 0x9d, 0x07, + 0x06, 0xe0, 0x0e, 0xed, 0xc8, 0xd1, 0x93, 0x90, 0xd7, 0x99, 0x1b, 0x7b, + 0x2d, 0x07, 0xa3, 0x04, 0xea, 0xa0, 0x4a, 0xa6, 0xc0, 0x30, 0x0a, 0x06, + 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, + 0x30, 0x45, 0x02, 0x20, 0x5c, 0x75, 0x51, 0x9f, 0x13, 0x11, 0x50, 0xcd, + 0x5d, 0x8a, 0xde, 0x20, 0xa3, 0xbc, 0x06, 0x30, 0x91, 0xff, 0xb2, 0x73, + 0x75, 0x5f, 0x31, 0x64, 0xec, 0xfd, 0xcb, 0x42, 0x80, 0x0a, 0x70, 0xe6, + 0x02, 0x21, 0x00, 0xff, 0x81, 0xbe, 0xa8, 0x0d, 0x03, 0x36, 0x6b, 0x75, + 0xe2, 0x70, 0x6a, 0xac, 0x07, 0x2e, 0x4c, 0xdc, 0xf9, 0xc5, 0x89, 0xc1, + 0xcf, 0x88, 0xc2, 0xc8, 0x2a, 0x32, 0xf5, 0x42, 0x0c, 0xfa, 0x0b, 0xa0, + 0x58, 0x40, 0x1e, 0x6e, 0x08, 0xdf, 0x8f, 0x4f, 0xd6, 0xab, 0x23, 0xae, + 0x84, 0xaa, 0xf3, 0x43, 0x35, 0x9a, 0x53, 0xb9, 0x8b, 0xf9, 0x81, 0xa1, + 0xbc, 0x1e, 0x5c, 0x57, 0x5c, 0x0a, 0x20, 0x37, 0xf4, 0x3d, 0x11, 0x08, + 0xa0, 0x97, 0x4b, 0x68, 0xa4, 0x0f, 0x80, 0xe9, 0x96, 0x30, 0x04, 0x24, + 0x0e, 0x81, 0x3d, 0x2a, 0x8a, 0x64, 0x40, 0x61, 0x5a, 0x19, 0x00, 0xff, + 0x74, 0x40, 0x71, 0x82, 0x65, 0xe9}; + +// This is a COSE signature generated with the cose rust library (see +// third-party/rust/cose). The payload is signed twice; with the P256 and the +// RSA key from pykey.py. +const uint8_t SIGNATURE_ES256_PS256[] = { + 0xd8, 0x62, 0x84, 0x59, 0x08, 0x52, 0xa1, 0x04, 0x84, 0x59, 0x01, 0x4e, + 0x30, 0x82, 0x01, 0x4a, 0x30, 0x81, 0xf1, 0xa0, 0x03, 0x02, 0x01, 0x02, + 0x02, 0x14, 0x5f, 0x3f, 0xae, 0x90, 0x49, 0x30, 0x2f, 0x33, 0x6e, 0x95, + 0x23, 0xa7, 0xcb, 0x23, 0xd7, 0x65, 0x4f, 0xea, 0x3c, 0xf7, 0x30, 0x0a, + 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x14, + 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x09, 0x72, + 0x6f, 0x6f, 0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x22, 0x18, 0x0f, + 0x32, 0x30, 0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30, 0x30, + 0x30, 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32, 0x33, + 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x14, 0x31, 0x12, + 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x09, 0x72, 0x6f, 0x6f, + 0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, + 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, + 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x4f, 0xbf, 0xbb, + 0xbb, 0x61, 0xe0, 0xf8, 0xf9, 0xb1, 0xa6, 0x0a, 0x59, 0xac, 0x87, 0x04, + 0xe2, 0xec, 0x05, 0x0b, 0x42, 0x3e, 0x3c, 0xf7, 0x2e, 0x92, 0x3f, 0x2c, + 0x4f, 0x79, 0x4b, 0x45, 0x5c, 0x2a, 0x69, 0xd2, 0x33, 0x45, 0x6c, 0x36, + 0xc4, 0x11, 0x9d, 0x07, 0x06, 0xe0, 0x0e, 0xed, 0xc8, 0xd1, 0x93, 0x90, + 0xd7, 0x99, 0x1b, 0x7b, 0x2d, 0x07, 0xa3, 0x04, 0xea, 0xa0, 0x4a, 0xa6, + 0xc0, 0xa3, 0x1d, 0x30, 0x1b, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, + 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0b, 0x06, 0x03, 0x55, + 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x0a, 0x06, 0x08, + 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, 0x30, + 0x45, 0x02, 0x20, 0x5c, 0x75, 0x51, 0x9f, 0x13, 0x11, 0x50, 0xcd, 0x5d, + 0x8a, 0xde, 0x20, 0xa3, 0xbc, 0x06, 0x30, 0x91, 0xff, 0xb2, 0x73, 0x75, + 0x5f, 0x31, 0x64, 0xec, 0xfd, 0xcb, 0x42, 0x80, 0x0a, 0x70, 0xe6, 0x02, + 0x21, 0x00, 0xc2, 0xe4, 0xc1, 0xa8, 0xe2, 0x89, 0xdc, 0xa1, 0xbb, 0xe7, + 0xd5, 0x4f, 0x5c, 0x88, 0xad, 0xeb, 0xa4, 0x78, 0xa1, 0x19, 0xbe, 0x22, + 0x54, 0xc8, 0x9f, 0xef, 0xb8, 0x5d, 0xa2, 0x40, 0xd9, 0x8b, 0x59, 0x01, + 0x4c, 0x30, 0x82, 0x01, 0x48, 0x30, 0x81, 0xf0, 0xa0, 0x03, 0x02, 0x01, + 0x02, 0x02, 0x14, 0x43, 0x63, 0x59, 0xad, 0x04, 0x34, 0x56, 0x80, 0x43, + 0xec, 0x90, 0x6a, 0xd4, 0x10, 0x64, 0x7c, 0x7f, 0x38, 0x32, 0xe2, 0x30, + 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, + 0x14, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x09, + 0x72, 0x6f, 0x6f, 0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x22, 0x18, + 0x0f, 0x32, 0x30, 0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30, + 0x30, 0x30, 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32, + 0x33, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x13, 0x31, + 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, 0x69, 0x6e, + 0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, + 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, + 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x4f, 0xbf, 0xbb, + 0xbb, 0x61, 0xe0, 0xf8, 0xf9, 0xb1, 0xa6, 0x0a, 0x59, 0xac, 0x87, 0x04, + 0xe2, 0xec, 0x05, 0x0b, 0x42, 0x3e, 0x3c, 0xf7, 0x2e, 0x92, 0x3f, 0x2c, + 0x4f, 0x79, 0x4b, 0x45, 0x5c, 0x2a, 0x69, 0xd2, 0x33, 0x45, 0x6c, 0x36, + 0xc4, 0x11, 0x9d, 0x07, 0x06, 0xe0, 0x0e, 0xed, 0xc8, 0xd1, 0x93, 0x90, + 0xd7, 0x99, 0x1b, 0x7b, 0x2d, 0x07, 0xa3, 0x04, 0xea, 0xa0, 0x4a, 0xa6, + 0xc0, 0xa3, 0x1d, 0x30, 0x1b, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, + 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0b, 0x06, 0x03, 0x55, + 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x0a, 0x06, 0x08, + 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x47, 0x00, 0x30, + 0x44, 0x02, 0x20, 0x63, 0x59, 0x02, 0x01, 0x89, 0xd7, 0x3e, 0x5b, 0xff, + 0xd1, 0x16, 0x4e, 0xe3, 0xe2, 0x0a, 0xe0, 0x4a, 0xd8, 0x75, 0xaf, 0x77, + 0x5c, 0x93, 0x60, 0xba, 0x10, 0x1f, 0x97, 0xdd, 0x27, 0x2d, 0x24, 0x02, + 0x20, 0x3d, 0x87, 0x0f, 0xac, 0x22, 0x4d, 0x16, 0xd9, 0xa1, 0x95, 0xbb, + 0x56, 0xe0, 0x21, 0x05, 0x93, 0xd1, 0x07, 0xb5, 0x25, 0x3b, 0xf4, 0x57, + 0x20, 0x87, 0x13, 0xa2, 0xf7, 0x78, 0x15, 0x30, 0xa7, 0x59, 0x02, 0xd5, + 0x30, 0x82, 0x02, 0xd1, 0x30, 0x82, 0x01, 0xbb, 0xa0, 0x03, 0x02, 0x01, + 0x02, 0x02, 0x14, 0x29, 0x6c, 0x1a, 0xd8, 0x20, 0xcd, 0x74, 0x6d, 0x4b, + 0x00, 0xf3, 0x16, 0x88, 0xd9, 0x66, 0x87, 0x5f, 0x28, 0x56, 0x6a, 0x30, + 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, + 0x30, 0x13, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, + 0x08, 0x72, 0x6f, 0x6f, 0x74, 0x2d, 0x72, 0x73, 0x61, 0x30, 0x22, 0x18, + 0x0f, 0x32, 0x30, 0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30, + 0x30, 0x30, 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32, + 0x33, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x13, 0x31, + 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, 0x72, 0x6f, + 0x6f, 0x74, 0x2d, 0x72, 0x73, 0x61, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, + 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, + 0x01, 0x01, 0x00, 0xba, 0x88, 0x51, 0xa8, 0x44, 0x8e, 0x16, 0xd6, 0x41, + 0xfd, 0x6e, 0xb6, 0x88, 0x06, 0x36, 0x10, 0x3d, 0x3c, 0x13, 0xd9, 0xea, + 0xe4, 0x35, 0x4a, 0xb4, 0xec, 0xf5, 0x68, 0x57, 0x6c, 0x24, 0x7b, 0xc1, + 0xc7, 0x25, 0xa8, 0xe0, 0xd8, 0x1f, 0xbd, 0xb1, 0x9c, 0x06, 0x9b, 0x6e, + 0x1a, 0x86, 0xf2, 0x6b, 0xe2, 0xaf, 0x5a, 0x75, 0x6b, 0x6a, 0x64, 0x71, + 0x08, 0x7a, 0xa5, 0x5a, 0xa7, 0x45, 0x87, 0xf7, 0x1c, 0xd5, 0x24, 0x9c, + 0x02, 0x7e, 0xcd, 0x43, 0xfc, 0x1e, 0x69, 0xd0, 0x38, 0x20, 0x29, 0x93, + 0xab, 0x20, 0xc3, 0x49, 0xe4, 0xdb, 0xb9, 0x4c, 0xc2, 0x6b, 0x6c, 0x0e, + 0xed, 0x15, 0x82, 0x0f, 0xf1, 0x7e, 0xad, 0x69, 0x1a, 0xb1, 0xd3, 0x02, + 0x3a, 0x8b, 0x2a, 0x41, 0xee, 0xa7, 0x70, 0xe0, 0x0f, 0x0d, 0x8d, 0xfd, + 0x66, 0x0b, 0x2b, 0xb0, 0x24, 0x92, 0xa4, 0x7d, 0xb9, 0x88, 0x61, 0x79, + 0x90, 0xb1, 0x57, 0x90, 0x3d, 0xd2, 0x3b, 0xc5, 0xe0, 0xb8, 0x48, 0x1f, + 0xa8, 0x37, 0xd3, 0x88, 0x43, 0xef, 0x27, 0x16, 0xd8, 0x55, 0xb7, 0x66, + 0x5a, 0xaa, 0x7e, 0x02, 0x90, 0x2f, 0x3a, 0x7b, 0x10, 0x80, 0x06, 0x24, + 0xcc, 0x1c, 0x6c, 0x97, 0xad, 0x96, 0x61, 0x5b, 0xb7, 0xe2, 0x96, 0x12, + 0xc0, 0x75, 0x31, 0xa3, 0x0c, 0x91, 0xdd, 0xb4, 0xca, 0xf7, 0xfc, 0xad, + 0x1d, 0x25, 0xd3, 0x09, 0xef, 0xb9, 0x17, 0x0e, 0xa7, 0x68, 0xe1, 0xb3, + 0x7b, 0x2f, 0x22, 0x6f, 0x69, 0xe3, 0xb4, 0x8a, 0x95, 0x61, 0x1d, 0xee, + 0x26, 0xd6, 0x25, 0x9d, 0xab, 0x91, 0x08, 0x4e, 0x36, 0xcb, 0x1c, 0x24, + 0x04, 0x2c, 0xbf, 0x16, 0x8b, 0x2f, 0xe5, 0xf1, 0x8f, 0x99, 0x17, 0x31, + 0xb8, 0xb3, 0xfe, 0x49, 0x23, 0xfa, 0x72, 0x51, 0xc4, 0x31, 0xd5, 0x03, + 0xac, 0xda, 0x18, 0x0a, 0x35, 0xed, 0x8d, 0x02, 0x03, 0x01, 0x00, 0x01, + 0xa3, 0x1d, 0x30, 0x1b, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, + 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, + 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x0b, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x03, 0x82, 0x01, 0x01, + 0x00, 0x23, 0x2f, 0x9f, 0x72, 0xeb, 0x70, 0x6d, 0x9e, 0x3e, 0x9f, 0xd7, + 0x9c, 0xd9, 0x19, 0x7c, 0x99, 0x07, 0xc5, 0x5c, 0x9d, 0xf5, 0x66, 0x9f, + 0x28, 0x8d, 0xfe, 0x0e, 0x3f, 0x38, 0x75, 0xed, 0xee, 0x4e, 0x3f, 0xf6, + 0x6e, 0x35, 0xe0, 0x95, 0x3f, 0x08, 0x4a, 0x71, 0x5a, 0xf2, 0x4f, 0xc9, + 0x96, 0x61, 0x8d, 0x45, 0x4b, 0x97, 0x85, 0xff, 0xb0, 0xe3, 0xbb, 0xb5, + 0xd7, 0x7e, 0xfb, 0xd2, 0xfc, 0xec, 0xfe, 0x42, 0x9f, 0x4e, 0x7b, 0xbf, + 0x97, 0xbb, 0xb4, 0x3a, 0x93, 0x0b, 0x13, 0x61, 0x90, 0x0c, 0x3a, 0xce, + 0xf7, 0x8e, 0xef, 0x80, 0xf5, 0x4a, 0x92, 0xc5, 0xa5, 0x03, 0x78, 0xc2, + 0xee, 0xb8, 0x66, 0x60, 0x6b, 0x76, 0x4f, 0x32, 0x5a, 0x1a, 0xa2, 0x4b, + 0x7e, 0x2b, 0xa6, 0x1a, 0x89, 0x01, 0xe3, 0xbb, 0x55, 0x13, 0x7c, 0x4c, + 0xf4, 0x6a, 0x99, 0x94, 0xd1, 0xa0, 0x84, 0x1c, 0x1a, 0xc2, 0x7b, 0xb4, + 0xa0, 0xb0, 0x3b, 0xdc, 0x5a, 0x7b, 0xc7, 0xe0, 0x44, 0xb2, 0x1f, 0x46, + 0xd5, 0x8b, 0x39, 0x8b, 0xdc, 0x9e, 0xce, 0xa8, 0x7f, 0x85, 0x1d, 0x4b, + 0x63, 0x06, 0x1e, 0x8e, 0xe5, 0xe5, 0x99, 0xd9, 0xf7, 0x4d, 0x89, 0x0b, + 0x1d, 0x5c, 0x27, 0x33, 0x66, 0x21, 0xcf, 0x9a, 0xbd, 0x98, 0x68, 0x23, + 0x3a, 0x66, 0x9d, 0xd4, 0x46, 0xed, 0x63, 0x58, 0xf3, 0x42, 0xe4, 0x1d, + 0xe2, 0x47, 0x65, 0x13, 0x8d, 0xd4, 0x1f, 0x4b, 0x7e, 0xde, 0x11, 0x56, + 0xf8, 0x6d, 0x01, 0x0c, 0x99, 0xbd, 0x8d, 0xca, 0x8a, 0x2e, 0xe3, 0x8a, + 0x9c, 0x3d, 0x83, 0x8d, 0x69, 0x62, 0x8d, 0x05, 0xea, 0xb7, 0xf5, 0xa3, + 0x4b, 0xfc, 0x96, 0xcf, 0x18, 0x21, 0x0a, 0xc7, 0xf3, 0x23, 0x7e, 0x1c, + 0xab, 0xe2, 0xa2, 0xd1, 0x83, 0xc4, 0x25, 0x93, 0x37, 0x80, 0xca, 0xda, + 0xf0, 0xef, 0x7d, 0x94, 0xb5, 0x59, 0x02, 0xd4, 0x30, 0x82, 0x02, 0xd0, + 0x30, 0x82, 0x01, 0xba, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x14, 0x07, + 0x10, 0xaf, 0xc4, 0x1a, 0x3a, 0x56, 0x4f, 0xd8, 0xc2, 0xcc, 0x46, 0xd7, + 0x5b, 0xdf, 0x1c, 0x4e, 0x2f, 0x49, 0x3a, 0x30, 0x0b, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x30, 0x13, 0x31, 0x11, + 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, 0x72, 0x6f, 0x6f, + 0x74, 0x2d, 0x72, 0x73, 0x61, 0x30, 0x22, 0x18, 0x0f, 0x32, 0x30, 0x31, + 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, + 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32, 0x33, 0x31, 0x30, 0x30, + 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x12, 0x31, 0x10, 0x30, 0x0e, 0x06, + 0x03, 0x55, 0x04, 0x03, 0x0c, 0x07, 0x69, 0x6e, 0x74, 0x2d, 0x72, 0x73, + 0x61, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, + 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xba, 0x88, + 0x51, 0xa8, 0x44, 0x8e, 0x16, 0xd6, 0x41, 0xfd, 0x6e, 0xb6, 0x88, 0x06, + 0x36, 0x10, 0x3d, 0x3c, 0x13, 0xd9, 0xea, 0xe4, 0x35, 0x4a, 0xb4, 0xec, + 0xf5, 0x68, 0x57, 0x6c, 0x24, 0x7b, 0xc1, 0xc7, 0x25, 0xa8, 0xe0, 0xd8, + 0x1f, 0xbd, 0xb1, 0x9c, 0x06, 0x9b, 0x6e, 0x1a, 0x86, 0xf2, 0x6b, 0xe2, + 0xaf, 0x5a, 0x75, 0x6b, 0x6a, 0x64, 0x71, 0x08, 0x7a, 0xa5, 0x5a, 0xa7, + 0x45, 0x87, 0xf7, 0x1c, 0xd5, 0x24, 0x9c, 0x02, 0x7e, 0xcd, 0x43, 0xfc, + 0x1e, 0x69, 0xd0, 0x38, 0x20, 0x29, 0x93, 0xab, 0x20, 0xc3, 0x49, 0xe4, + 0xdb, 0xb9, 0x4c, 0xc2, 0x6b, 0x6c, 0x0e, 0xed, 0x15, 0x82, 0x0f, 0xf1, + 0x7e, 0xad, 0x69, 0x1a, 0xb1, 0xd3, 0x02, 0x3a, 0x8b, 0x2a, 0x41, 0xee, + 0xa7, 0x70, 0xe0, 0x0f, 0x0d, 0x8d, 0xfd, 0x66, 0x0b, 0x2b, 0xb0, 0x24, + 0x92, 0xa4, 0x7d, 0xb9, 0x88, 0x61, 0x79, 0x90, 0xb1, 0x57, 0x90, 0x3d, + 0xd2, 0x3b, 0xc5, 0xe0, 0xb8, 0x48, 0x1f, 0xa8, 0x37, 0xd3, 0x88, 0x43, + 0xef, 0x27, 0x16, 0xd8, 0x55, 0xb7, 0x66, 0x5a, 0xaa, 0x7e, 0x02, 0x90, + 0x2f, 0x3a, 0x7b, 0x10, 0x80, 0x06, 0x24, 0xcc, 0x1c, 0x6c, 0x97, 0xad, + 0x96, 0x61, 0x5b, 0xb7, 0xe2, 0x96, 0x12, 0xc0, 0x75, 0x31, 0xa3, 0x0c, + 0x91, 0xdd, 0xb4, 0xca, 0xf7, 0xfc, 0xad, 0x1d, 0x25, 0xd3, 0x09, 0xef, + 0xb9, 0x17, 0x0e, 0xa7, 0x68, 0xe1, 0xb3, 0x7b, 0x2f, 0x22, 0x6f, 0x69, + 0xe3, 0xb4, 0x8a, 0x95, 0x61, 0x1d, 0xee, 0x26, 0xd6, 0x25, 0x9d, 0xab, + 0x91, 0x08, 0x4e, 0x36, 0xcb, 0x1c, 0x24, 0x04, 0x2c, 0xbf, 0x16, 0x8b, + 0x2f, 0xe5, 0xf1, 0x8f, 0x99, 0x17, 0x31, 0xb8, 0xb3, 0xfe, 0x49, 0x23, + 0xfa, 0x72, 0x51, 0xc4, 0x31, 0xd5, 0x03, 0xac, 0xda, 0x18, 0x0a, 0x35, + 0xed, 0x8d, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x1d, 0x30, 0x1b, 0x30, + 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, + 0xff, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, + 0x01, 0x06, 0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x01, 0x0b, 0x03, 0x82, 0x01, 0x01, 0x00, 0x5e, 0xba, 0x69, 0x55, + 0x9f, 0xf8, 0xeb, 0x16, 0x21, 0x98, 0xde, 0xb7, 0x31, 0x3e, 0x66, 0xe1, + 0x3b, 0x0c, 0x29, 0xf7, 0x48, 0x73, 0x05, 0xd9, 0xce, 0x5e, 0x4c, 0xbe, + 0x03, 0xc4, 0x51, 0xd6, 0x21, 0x92, 0x40, 0x38, 0xaa, 0x5b, 0x28, 0xb5, + 0xa1, 0x10, 0x52, 0x57, 0xff, 0x91, 0x54, 0x82, 0x86, 0x9e, 0x74, 0xd5, + 0x3d, 0x82, 0x29, 0xee, 0xd1, 0xcf, 0x93, 0xb1, 0x24, 0x76, 0xbb, 0x95, + 0x41, 0x06, 0x7e, 0x40, 0x9b, 0xb4, 0xab, 0x44, 0x34, 0x10, 0x8f, 0xb1, + 0x51, 0x6f, 0xc0, 0x89, 0xd1, 0xa3, 0xc4, 0x9f, 0xb3, 0x48, 0xe1, 0xcd, + 0x73, 0xad, 0xff, 0x42, 0x5f, 0x76, 0x05, 0x60, 0xc5, 0xe0, 0x45, 0x79, + 0x18, 0xa1, 0x19, 0xb8, 0xa7, 0x3a, 0x64, 0xb3, 0x19, 0xba, 0x14, 0xa1, + 0xb5, 0xdc, 0x32, 0xec, 0x09, 0x39, 0x58, 0x54, 0x5b, 0x04, 0xdc, 0x1b, + 0x66, 0x0d, 0x1d, 0x0d, 0xce, 0x7f, 0xfa, 0x24, 0x52, 0x6a, 0xad, 0xe2, + 0xc8, 0x30, 0xaf, 0xf2, 0xaf, 0x63, 0xc5, 0xe2, 0xbf, 0xe2, 0x20, 0x1b, + 0x9e, 0xf9, 0x3d, 0xbc, 0xfb, 0x04, 0x8e, 0xda, 0x7a, 0x1a, 0x5d, 0xd3, + 0x13, 0xd7, 0x00, 0x8e, 0x9b, 0x5d, 0x85, 0x51, 0xda, 0xd3, 0x91, 0x25, + 0xf5, 0x67, 0x85, 0x3e, 0x25, 0x89, 0x5e, 0xcb, 0x89, 0x8a, 0xec, 0x8a, + 0xde, 0x8b, 0xf4, 0x33, 0x5f, 0x76, 0xdb, 0x3d, 0xfc, 0x6a, 0x05, 0x21, + 0x43, 0xb2, 0x41, 0xd8, 0x33, 0x8d, 0xfd, 0x05, 0x5c, 0x22, 0x0a, 0xf6, + 0x90, 0x65, 0x9c, 0x4f, 0x8c, 0x44, 0x9f, 0x2d, 0xca, 0xf3, 0x49, 0x9c, + 0x3a, 0x14, 0x88, 0xab, 0xe4, 0xce, 0xb7, 0xbc, 0x95, 0x22, 0x2e, 0xb1, + 0x82, 0x4c, 0xbf, 0x83, 0x3e, 0x49, 0x72, 0x03, 0x2a, 0x68, 0xe7, 0x2d, + 0xe5, 0x2d, 0x4b, 0x61, 0xb0, 0x8d, 0x0d, 0x0c, 0x87, 0xc6, 0x5c, 0x51, + 0xa0, 0xf6, 0x82, 0x83, 0x59, 0x01, 0x33, 0xa2, 0x01, 0x26, 0x04, 0x59, + 0x01, 0x2c, 0x30, 0x82, 0x01, 0x28, 0x30, 0x81, 0xcf, 0xa0, 0x03, 0x02, + 0x01, 0x02, 0x02, 0x14, 0x2f, 0xc3, 0x5f, 0x05, 0x80, 0xb4, 0x49, 0x45, + 0x13, 0x92, 0xd6, 0x93, 0xb7, 0x2d, 0x71, 0x19, 0xc5, 0x8c, 0x40, 0x39, + 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, + 0x30, 0x13, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, + 0x08, 0x69, 0x6e, 0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x22, 0x18, + 0x0f, 0x32, 0x30, 0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30, + 0x30, 0x30, 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32, + 0x33, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x12, 0x31, + 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x07, 0x65, 0x65, + 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, + 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, + 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x4f, 0xbf, 0xbb, 0xbb, + 0x61, 0xe0, 0xf8, 0xf9, 0xb1, 0xa6, 0x0a, 0x59, 0xac, 0x87, 0x04, 0xe2, + 0xec, 0x05, 0x0b, 0x42, 0x3e, 0x3c, 0xf7, 0x2e, 0x92, 0x3f, 0x2c, 0x4f, + 0x79, 0x4b, 0x45, 0x5c, 0x2a, 0x69, 0xd2, 0x33, 0x45, 0x6c, 0x36, 0xc4, + 0x11, 0x9d, 0x07, 0x06, 0xe0, 0x0e, 0xed, 0xc8, 0xd1, 0x93, 0x90, 0xd7, + 0x99, 0x1b, 0x7b, 0x2d, 0x07, 0xa3, 0x04, 0xea, 0xa0, 0x4a, 0xa6, 0xc0, + 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, + 0x03, 0x48, 0x00, 0x30, 0x45, 0x02, 0x20, 0x5c, 0x75, 0x51, 0x9f, 0x13, + 0x11, 0x50, 0xcd, 0x5d, 0x8a, 0xde, 0x20, 0xa3, 0xbc, 0x06, 0x30, 0x91, + 0xff, 0xb2, 0x73, 0x75, 0x5f, 0x31, 0x64, 0xec, 0xfd, 0xcb, 0x42, 0x80, + 0x0a, 0x70, 0xe6, 0x02, 0x21, 0x00, 0xff, 0x81, 0xbe, 0xa8, 0x0d, 0x03, + 0x36, 0x6b, 0x75, 0xe2, 0x70, 0x6a, 0xac, 0x07, 0x2e, 0x4c, 0xdc, 0xf9, + 0xc5, 0x89, 0xc1, 0xcf, 0x88, 0xc2, 0xc8, 0x2a, 0x32, 0xf5, 0x42, 0x0c, + 0xfa, 0x0b, 0xa0, 0x58, 0x40, 0xa3, 0xfb, 0x49, 0xe6, 0x45, 0x29, 0x64, + 0x76, 0xeb, 0x9d, 0xbd, 0xf5, 0x38, 0x56, 0xbe, 0x6e, 0x31, 0x57, 0x73, + 0xc1, 0x2d, 0x3e, 0xac, 0xee, 0xba, 0x55, 0x8e, 0x37, 0xd4, 0xea, 0x80, + 0x25, 0x31, 0x99, 0x9f, 0x4a, 0xb0, 0xf9, 0xd8, 0xb0, 0xed, 0x74, 0xfc, + 0x8c, 0x02, 0xf0, 0x9f, 0x95, 0xf1, 0xaa, 0x71, 0xcc, 0xd2, 0xe7, 0x1a, + 0x6d, 0xd4, 0xed, 0xff, 0xf2, 0x78, 0x09, 0x83, 0x7e, 0x83, 0x59, 0x02, + 0xbb, 0xa2, 0x01, 0x38, 0x24, 0x04, 0x59, 0x02, 0xb3, 0x30, 0x82, 0x02, + 0xaf, 0x30, 0x82, 0x01, 0x99, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x14, + 0x07, 0x1c, 0x3b, 0x71, 0x08, 0xbe, 0xd7, 0x9f, 0xfd, 0xaf, 0x26, 0xb6, + 0x08, 0xa3, 0x99, 0x06, 0x77, 0x69, 0x32, 0x7e, 0x30, 0x0b, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x30, 0x12, 0x31, + 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x07, 0x69, 0x6e, + 0x74, 0x2d, 0x72, 0x73, 0x61, 0x30, 0x22, 0x18, 0x0f, 0x32, 0x30, 0x31, + 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, + 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32, 0x33, 0x31, 0x30, 0x30, + 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x11, 0x31, 0x0f, 0x30, 0x0d, 0x06, + 0x03, 0x55, 0x04, 0x03, 0x0c, 0x06, 0x65, 0x65, 0x2d, 0x72, 0x73, 0x61, + 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, + 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xba, 0x88, 0x51, + 0xa8, 0x44, 0x8e, 0x16, 0xd6, 0x41, 0xfd, 0x6e, 0xb6, 0x88, 0x06, 0x36, + 0x10, 0x3d, 0x3c, 0x13, 0xd9, 0xea, 0xe4, 0x35, 0x4a, 0xb4, 0xec, 0xf5, + 0x68, 0x57, 0x6c, 0x24, 0x7b, 0xc1, 0xc7, 0x25, 0xa8, 0xe0, 0xd8, 0x1f, + 0xbd, 0xb1, 0x9c, 0x06, 0x9b, 0x6e, 0x1a, 0x86, 0xf2, 0x6b, 0xe2, 0xaf, + 0x5a, 0x75, 0x6b, 0x6a, 0x64, 0x71, 0x08, 0x7a, 0xa5, 0x5a, 0xa7, 0x45, + 0x87, 0xf7, 0x1c, 0xd5, 0x24, 0x9c, 0x02, 0x7e, 0xcd, 0x43, 0xfc, 0x1e, + 0x69, 0xd0, 0x38, 0x20, 0x29, 0x93, 0xab, 0x20, 0xc3, 0x49, 0xe4, 0xdb, + 0xb9, 0x4c, 0xc2, 0x6b, 0x6c, 0x0e, 0xed, 0x15, 0x82, 0x0f, 0xf1, 0x7e, + 0xad, 0x69, 0x1a, 0xb1, 0xd3, 0x02, 0x3a, 0x8b, 0x2a, 0x41, 0xee, 0xa7, + 0x70, 0xe0, 0x0f, 0x0d, 0x8d, 0xfd, 0x66, 0x0b, 0x2b, 0xb0, 0x24, 0x92, + 0xa4, 0x7d, 0xb9, 0x88, 0x61, 0x79, 0x90, 0xb1, 0x57, 0x90, 0x3d, 0xd2, + 0x3b, 0xc5, 0xe0, 0xb8, 0x48, 0x1f, 0xa8, 0x37, 0xd3, 0x88, 0x43, 0xef, + 0x27, 0x16, 0xd8, 0x55, 0xb7, 0x66, 0x5a, 0xaa, 0x7e, 0x02, 0x90, 0x2f, + 0x3a, 0x7b, 0x10, 0x80, 0x06, 0x24, 0xcc, 0x1c, 0x6c, 0x97, 0xad, 0x96, + 0x61, 0x5b, 0xb7, 0xe2, 0x96, 0x12, 0xc0, 0x75, 0x31, 0xa3, 0x0c, 0x91, + 0xdd, 0xb4, 0xca, 0xf7, 0xfc, 0xad, 0x1d, 0x25, 0xd3, 0x09, 0xef, 0xb9, + 0x17, 0x0e, 0xa7, 0x68, 0xe1, 0xb3, 0x7b, 0x2f, 0x22, 0x6f, 0x69, 0xe3, + 0xb4, 0x8a, 0x95, 0x61, 0x1d, 0xee, 0x26, 0xd6, 0x25, 0x9d, 0xab, 0x91, + 0x08, 0x4e, 0x36, 0xcb, 0x1c, 0x24, 0x04, 0x2c, 0xbf, 0x16, 0x8b, 0x2f, + 0xe5, 0xf1, 0x8f, 0x99, 0x17, 0x31, 0xb8, 0xb3, 0xfe, 0x49, 0x23, 0xfa, + 0x72, 0x51, 0xc4, 0x31, 0xd5, 0x03, 0xac, 0xda, 0x18, 0x0a, 0x35, 0xed, + 0x8d, 0x02, 0x03, 0x01, 0x00, 0x01, 0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x03, 0x82, 0x01, 0x01, 0x00, + 0x44, 0x92, 0xbb, 0x8e, 0x83, 0x58, 0x56, 0x2e, 0x7a, 0x86, 0xfa, 0x1d, + 0x77, 0x50, 0x3f, 0x45, 0x8d, 0x90, 0xc4, 0x62, 0x27, 0x21, 0x96, 0x5a, + 0xef, 0x51, 0x78, 0xd7, 0x7d, 0x0d, 0x02, 0x2d, 0x5a, 0x0e, 0x3c, 0x82, + 0x6f, 0x1d, 0x92, 0x87, 0xd5, 0x1a, 0x44, 0xae, 0xa7, 0x92, 0xd1, 0x8b, + 0xfa, 0x16, 0x53, 0x7f, 0xa3, 0x22, 0x96, 0x1a, 0x51, 0x8c, 0xeb, 0xa1, + 0xe6, 0xf6, 0x37, 0x11, 0xfe, 0x7d, 0x53, 0x3f, 0xae, 0xf0, 0x6b, 0xb9, + 0xb1, 0x7a, 0x73, 0x07, 0x14, 0xcf, 0x04, 0x05, 0x93, 0x9e, 0xe3, 0xd2, + 0x4d, 0x9d, 0x6d, 0x35, 0x68, 0xf9, 0x36, 0xe5, 0x10, 0x0a, 0x36, 0xd9, + 0x48, 0xb0, 0x83, 0xd0, 0xb9, 0x58, 0x74, 0x53, 0xb3, 0xbc, 0x99, 0xab, + 0xe1, 0x3e, 0xd5, 0x01, 0x8e, 0xcf, 0x3a, 0x69, 0x93, 0x9e, 0xa7, 0x88, + 0xd4, 0xad, 0x95, 0xf9, 0x2a, 0xb4, 0x7f, 0x95, 0x97, 0x86, 0x50, 0x38, + 0xb1, 0x04, 0x0a, 0xe4, 0x7a, 0xd5, 0x2d, 0x6c, 0xde, 0x3e, 0x1a, 0x47, + 0x17, 0x88, 0x63, 0x20, 0x9d, 0x21, 0x3e, 0x0c, 0x6f, 0xfd, 0x20, 0x54, + 0xd0, 0x67, 0xd2, 0x6b, 0x06, 0xfe, 0x60, 0x13, 0x42, 0x3d, 0xb7, 0xca, + 0xcb, 0xab, 0x7b, 0x5f, 0x5d, 0x01, 0x56, 0xd3, 0x99, 0x80, 0x0f, 0xde, + 0x7f, 0x3a, 0x61, 0x9c, 0xd3, 0x6b, 0x5e, 0xfe, 0xb5, 0xfc, 0x39, 0x8b, + 0x8e, 0xf0, 0x8c, 0x8b, 0x65, 0x46, 0x45, 0xff, 0x47, 0x8f, 0xd4, 0xdd, + 0xae, 0xc9, 0x72, 0xc7, 0x7f, 0x28, 0x86, 0xf1, 0xf7, 0x6e, 0xcb, 0x86, + 0x03, 0xeb, 0x0c, 0x46, 0xe5, 0xa0, 0x6b, 0xef, 0xd4, 0x5e, 0xa4, 0x0f, + 0x53, 0xe1, 0xbc, 0xb4, 0xc9, 0x37, 0x0e, 0x75, 0xdd, 0x93, 0xe8, 0x0f, + 0x18, 0x0a, 0x02, 0x83, 0x17, 0x74, 0xbb, 0x1a, 0x42, 0x5b, 0x63, 0x2c, + 0x80, 0x80, 0xa6, 0x84, 0xa0, 0x59, 0x01, 0x00, 0x51, 0xf4, 0xe6, 0x1c, + 0x18, 0x7b, 0x28, 0xa0, 0x1f, 0x63, 0xbf, 0xa5, 0xbd, 0x89, 0x9f, 0xd9, + 0x30, 0x46, 0x4b, 0x34, 0x9b, 0x9d, 0x0f, 0xb0, 0x33, 0x11, 0xf8, 0xaa, + 0x84, 0x4e, 0xb2, 0xca, 0x29, 0x83, 0x54, 0x28, 0x99, 0x2a, 0x43, 0x7f, + 0xe0, 0xe6, 0xd8, 0xdc, 0xd7, 0xf4, 0xb3, 0xd7, 0xf7, 0x39, 0xd5, 0xdc, + 0xde, 0xdc, 0x23, 0x78, 0xd7, 0x90, 0xc0, 0x52, 0xf5, 0xd2, 0x14, 0x6f, + 0xf9, 0x24, 0x48, 0xc8, 0x75, 0x4a, 0x9a, 0x4c, 0x61, 0x2f, 0x96, 0x4e, + 0xc8, 0x02, 0x95, 0x72, 0xef, 0xbc, 0x91, 0xae, 0xf8, 0x23, 0xfb, 0xba, + 0x9f, 0xfd, 0xe0, 0x1a, 0x8e, 0xa9, 0x03, 0x16, 0x76, 0xf4, 0xdb, 0x81, + 0x5a, 0x69, 0xeb, 0xf5, 0x55, 0xd7, 0x68, 0x28, 0xe4, 0xce, 0xde, 0x1b, + 0xb4, 0x90, 0xac, 0x97, 0x07, 0x15, 0xe0, 0xce, 0x5f, 0x3f, 0x89, 0xaf, + 0xc1, 0xb8, 0x46, 0x5e, 0x87, 0xa1, 0x8d, 0xa7, 0x44, 0x09, 0x02, 0x4e, + 0xbe, 0x6b, 0xfb, 0xab, 0xeb, 0x19, 0x62, 0x9e, 0xb0, 0xef, 0x0a, 0x6b, + 0xcf, 0xe0, 0x00, 0xa9, 0x68, 0x2a, 0x8e, 0xfe, 0x8a, 0xb9, 0x57, 0x52, + 0xb3, 0x08, 0x80, 0x5e, 0xa6, 0x88, 0x5f, 0x31, 0xd1, 0xe9, 0x6d, 0xf7, + 0x54, 0x4e, 0xf8, 0x17, 0xb0, 0x1c, 0xca, 0xa6, 0xa6, 0x80, 0xf8, 0xd8, + 0xf5, 0x94, 0xa4, 0xb2, 0xd0, 0x7e, 0xbb, 0x4f, 0xdb, 0x3a, 0x91, 0x5f, + 0xb3, 0xc1, 0xfa, 0x60, 0xe4, 0xce, 0xe3, 0xe5, 0x14, 0x1f, 0x9c, 0x01, + 0x60, 0xff, 0xe2, 0x09, 0xe6, 0x1a, 0x82, 0x69, 0xb6, 0xeb, 0x52, 0x1e, + 0x3d, 0xc7, 0xfd, 0x69, 0x9d, 0x2a, 0xa5, 0xdb, 0xc1, 0x6a, 0x5a, 0x7d, + 0x23, 0x2a, 0x00, 0xe4, 0x53, 0x16, 0x8e, 0xc1, 0x56, 0xf5, 0x5a, 0x8d, + 0x59, 0x1f, 0x7f, 0xff, 0x77, 0x6f, 0x92, 0xea, 0x5d, 0x31, 0xe9, 0x18}; + +// The RSA intermediate certificate that issued the EE cert used in the +// signature above. The certificate was generated with pycert.py +const uint8_t RSA_INT[] = { + 0x30, 0x82, 0x02, 0xd0, 0x30, 0x82, 0x01, 0xba, 0xa0, 0x03, 0x02, 0x01, + 0x02, 0x02, 0x14, 0x07, 0x10, 0xaf, 0xc4, 0x1a, 0x3a, 0x56, 0x4f, 0xd8, + 0xc2, 0xcc, 0x46, 0xd7, 0x5b, 0xdf, 0x1c, 0x4e, 0x2f, 0x49, 0x3a, 0x30, + 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, + 0x30, 0x13, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, + 0x08, 0x72, 0x6f, 0x6f, 0x74, 0x2d, 0x72, 0x73, 0x61, 0x30, 0x22, 0x18, + 0x0f, 0x32, 0x30, 0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30, + 0x30, 0x30, 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32, + 0x33, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x12, 0x31, + 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x07, 0x69, 0x6e, + 0x74, 0x2d, 0x72, 0x73, 0x61, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, + 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, + 0x01, 0x00, 0xba, 0x88, 0x51, 0xa8, 0x44, 0x8e, 0x16, 0xd6, 0x41, 0xfd, + 0x6e, 0xb6, 0x88, 0x06, 0x36, 0x10, 0x3d, 0x3c, 0x13, 0xd9, 0xea, 0xe4, + 0x35, 0x4a, 0xb4, 0xec, 0xf5, 0x68, 0x57, 0x6c, 0x24, 0x7b, 0xc1, 0xc7, + 0x25, 0xa8, 0xe0, 0xd8, 0x1f, 0xbd, 0xb1, 0x9c, 0x06, 0x9b, 0x6e, 0x1a, + 0x86, 0xf2, 0x6b, 0xe2, 0xaf, 0x5a, 0x75, 0x6b, 0x6a, 0x64, 0x71, 0x08, + 0x7a, 0xa5, 0x5a, 0xa7, 0x45, 0x87, 0xf7, 0x1c, 0xd5, 0x24, 0x9c, 0x02, + 0x7e, 0xcd, 0x43, 0xfc, 0x1e, 0x69, 0xd0, 0x38, 0x20, 0x29, 0x93, 0xab, + 0x20, 0xc3, 0x49, 0xe4, 0xdb, 0xb9, 0x4c, 0xc2, 0x6b, 0x6c, 0x0e, 0xed, + 0x15, 0x82, 0x0f, 0xf1, 0x7e, 0xad, 0x69, 0x1a, 0xb1, 0xd3, 0x02, 0x3a, + 0x8b, 0x2a, 0x41, 0xee, 0xa7, 0x70, 0xe0, 0x0f, 0x0d, 0x8d, 0xfd, 0x66, + 0x0b, 0x2b, 0xb0, 0x24, 0x92, 0xa4, 0x7d, 0xb9, 0x88, 0x61, 0x79, 0x90, + 0xb1, 0x57, 0x90, 0x3d, 0xd2, 0x3b, 0xc5, 0xe0, 0xb8, 0x48, 0x1f, 0xa8, + 0x37, 0xd3, 0x88, 0x43, 0xef, 0x27, 0x16, 0xd8, 0x55, 0xb7, 0x66, 0x5a, + 0xaa, 0x7e, 0x02, 0x90, 0x2f, 0x3a, 0x7b, 0x10, 0x80, 0x06, 0x24, 0xcc, + 0x1c, 0x6c, 0x97, 0xad, 0x96, 0x61, 0x5b, 0xb7, 0xe2, 0x96, 0x12, 0xc0, + 0x75, 0x31, 0xa3, 0x0c, 0x91, 0xdd, 0xb4, 0xca, 0xf7, 0xfc, 0xad, 0x1d, + 0x25, 0xd3, 0x09, 0xef, 0xb9, 0x17, 0x0e, 0xa7, 0x68, 0xe1, 0xb3, 0x7b, + 0x2f, 0x22, 0x6f, 0x69, 0xe3, 0xb4, 0x8a, 0x95, 0x61, 0x1d, 0xee, 0x26, + 0xd6, 0x25, 0x9d, 0xab, 0x91, 0x08, 0x4e, 0x36, 0xcb, 0x1c, 0x24, 0x04, + 0x2c, 0xbf, 0x16, 0x8b, 0x2f, 0xe5, 0xf1, 0x8f, 0x99, 0x17, 0x31, 0xb8, + 0xb3, 0xfe, 0x49, 0x23, 0xfa, 0x72, 0x51, 0xc4, 0x31, 0xd5, 0x03, 0xac, + 0xda, 0x18, 0x0a, 0x35, 0xed, 0x8d, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, + 0x1d, 0x30, 0x1b, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, + 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, + 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x03, 0x82, 0x01, 0x01, 0x00, + 0x5e, 0xba, 0x69, 0x55, 0x9f, 0xf8, 0xeb, 0x16, 0x21, 0x98, 0xde, 0xb7, + 0x31, 0x3e, 0x66, 0xe1, 0x3b, 0x0c, 0x29, 0xf7, 0x48, 0x73, 0x05, 0xd9, + 0xce, 0x5e, 0x4c, 0xbe, 0x03, 0xc4, 0x51, 0xd6, 0x21, 0x92, 0x40, 0x38, + 0xaa, 0x5b, 0x28, 0xb5, 0xa1, 0x10, 0x52, 0x57, 0xff, 0x91, 0x54, 0x82, + 0x86, 0x9e, 0x74, 0xd5, 0x3d, 0x82, 0x29, 0xee, 0xd1, 0xcf, 0x93, 0xb1, + 0x24, 0x76, 0xbb, 0x95, 0x41, 0x06, 0x7e, 0x40, 0x9b, 0xb4, 0xab, 0x44, + 0x34, 0x10, 0x8f, 0xb1, 0x51, 0x6f, 0xc0, 0x89, 0xd1, 0xa3, 0xc4, 0x9f, + 0xb3, 0x48, 0xe1, 0xcd, 0x73, 0xad, 0xff, 0x42, 0x5f, 0x76, 0x05, 0x60, + 0xc5, 0xe0, 0x45, 0x79, 0x18, 0xa1, 0x19, 0xb8, 0xa7, 0x3a, 0x64, 0xb3, + 0x19, 0xba, 0x14, 0xa1, 0xb5, 0xdc, 0x32, 0xec, 0x09, 0x39, 0x58, 0x54, + 0x5b, 0x04, 0xdc, 0x1b, 0x66, 0x0d, 0x1d, 0x0d, 0xce, 0x7f, 0xfa, 0x24, + 0x52, 0x6a, 0xad, 0xe2, 0xc8, 0x30, 0xaf, 0xf2, 0xaf, 0x63, 0xc5, 0xe2, + 0xbf, 0xe2, 0x20, 0x1b, 0x9e, 0xf9, 0x3d, 0xbc, 0xfb, 0x04, 0x8e, 0xda, + 0x7a, 0x1a, 0x5d, 0xd3, 0x13, 0xd7, 0x00, 0x8e, 0x9b, 0x5d, 0x85, 0x51, + 0xda, 0xd3, 0x91, 0x25, 0xf5, 0x67, 0x85, 0x3e, 0x25, 0x89, 0x5e, 0xcb, + 0x89, 0x8a, 0xec, 0x8a, 0xde, 0x8b, 0xf4, 0x33, 0x5f, 0x76, 0xdb, 0x3d, + 0xfc, 0x6a, 0x05, 0x21, 0x43, 0xb2, 0x41, 0xd8, 0x33, 0x8d, 0xfd, 0x05, + 0x5c, 0x22, 0x0a, 0xf6, 0x90, 0x65, 0x9c, 0x4f, 0x8c, 0x44, 0x9f, 0x2d, + 0xca, 0xf3, 0x49, 0x9c, 0x3a, 0x14, 0x88, 0xab, 0xe4, 0xce, 0xb7, 0xbc, + 0x95, 0x22, 0x2e, 0xb1, 0x82, 0x4c, 0xbf, 0x83, 0x3e, 0x49, 0x72, 0x03, + 0x2a, 0x68, 0xe7, 0x2d, 0xe5, 0x2d, 0x4b, 0x61, 0xb0, 0x8d, 0x0d, 0x0c, + 0x87, 0xc6, 0x5c, 0x51}; + +// The RSA root certificate that issued the RSA intermediate certificate above. +// The certificate was generated with pycert.py +const uint8_t RSA_ROOT[] = { + 0x30, 0x82, 0x02, 0xd1, 0x30, 0x82, 0x01, 0xbb, 0xa0, 0x03, 0x02, 0x01, + 0x02, 0x02, 0x14, 0x29, 0x6c, 0x1a, 0xd8, 0x20, 0xcd, 0x74, 0x6d, 0x4b, + 0x00, 0xf3, 0x16, 0x88, 0xd9, 0x66, 0x87, 0x5f, 0x28, 0x56, 0x6a, 0x30, + 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, + 0x30, 0x13, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, + 0x08, 0x72, 0x6f, 0x6f, 0x74, 0x2d, 0x72, 0x73, 0x61, 0x30, 0x22, 0x18, + 0x0f, 0x32, 0x30, 0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30, + 0x30, 0x30, 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32, + 0x33, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x13, 0x31, + 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, 0x72, 0x6f, + 0x6f, 0x74, 0x2d, 0x72, 0x73, 0x61, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, + 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, + 0x01, 0x01, 0x00, 0xba, 0x88, 0x51, 0xa8, 0x44, 0x8e, 0x16, 0xd6, 0x41, + 0xfd, 0x6e, 0xb6, 0x88, 0x06, 0x36, 0x10, 0x3d, 0x3c, 0x13, 0xd9, 0xea, + 0xe4, 0x35, 0x4a, 0xb4, 0xec, 0xf5, 0x68, 0x57, 0x6c, 0x24, 0x7b, 0xc1, + 0xc7, 0x25, 0xa8, 0xe0, 0xd8, 0x1f, 0xbd, 0xb1, 0x9c, 0x06, 0x9b, 0x6e, + 0x1a, 0x86, 0xf2, 0x6b, 0xe2, 0xaf, 0x5a, 0x75, 0x6b, 0x6a, 0x64, 0x71, + 0x08, 0x7a, 0xa5, 0x5a, 0xa7, 0x45, 0x87, 0xf7, 0x1c, 0xd5, 0x24, 0x9c, + 0x02, 0x7e, 0xcd, 0x43, 0xfc, 0x1e, 0x69, 0xd0, 0x38, 0x20, 0x29, 0x93, + 0xab, 0x20, 0xc3, 0x49, 0xe4, 0xdb, 0xb9, 0x4c, 0xc2, 0x6b, 0x6c, 0x0e, + 0xed, 0x15, 0x82, 0x0f, 0xf1, 0x7e, 0xad, 0x69, 0x1a, 0xb1, 0xd3, 0x02, + 0x3a, 0x8b, 0x2a, 0x41, 0xee, 0xa7, 0x70, 0xe0, 0x0f, 0x0d, 0x8d, 0xfd, + 0x66, 0x0b, 0x2b, 0xb0, 0x24, 0x92, 0xa4, 0x7d, 0xb9, 0x88, 0x61, 0x79, + 0x90, 0xb1, 0x57, 0x90, 0x3d, 0xd2, 0x3b, 0xc5, 0xe0, 0xb8, 0x48, 0x1f, + 0xa8, 0x37, 0xd3, 0x88, 0x43, 0xef, 0x27, 0x16, 0xd8, 0x55, 0xb7, 0x66, + 0x5a, 0xaa, 0x7e, 0x02, 0x90, 0x2f, 0x3a, 0x7b, 0x10, 0x80, 0x06, 0x24, + 0xcc, 0x1c, 0x6c, 0x97, 0xad, 0x96, 0x61, 0x5b, 0xb7, 0xe2, 0x96, 0x12, + 0xc0, 0x75, 0x31, 0xa3, 0x0c, 0x91, 0xdd, 0xb4, 0xca, 0xf7, 0xfc, 0xad, + 0x1d, 0x25, 0xd3, 0x09, 0xef, 0xb9, 0x17, 0x0e, 0xa7, 0x68, 0xe1, 0xb3, + 0x7b, 0x2f, 0x22, 0x6f, 0x69, 0xe3, 0xb4, 0x8a, 0x95, 0x61, 0x1d, 0xee, + 0x26, 0xd6, 0x25, 0x9d, 0xab, 0x91, 0x08, 0x4e, 0x36, 0xcb, 0x1c, 0x24, + 0x04, 0x2c, 0xbf, 0x16, 0x8b, 0x2f, 0xe5, 0xf1, 0x8f, 0x99, 0x17, 0x31, + 0xb8, 0xb3, 0xfe, 0x49, 0x23, 0xfa, 0x72, 0x51, 0xc4, 0x31, 0xd5, 0x03, + 0xac, 0xda, 0x18, 0x0a, 0x35, 0xed, 0x8d, 0x02, 0x03, 0x01, 0x00, 0x01, + 0xa3, 0x1d, 0x30, 0x1b, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, + 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, + 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x0b, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x03, 0x82, 0x01, 0x01, + 0x00, 0x23, 0x2f, 0x9f, 0x72, 0xeb, 0x70, 0x6d, 0x9e, 0x3e, 0x9f, 0xd7, + 0x9c, 0xd9, 0x19, 0x7c, 0x99, 0x07, 0xc5, 0x5c, 0x9d, 0xf5, 0x66, 0x9f, + 0x28, 0x8d, 0xfe, 0x0e, 0x3f, 0x38, 0x75, 0xed, 0xee, 0x4e, 0x3f, 0xf6, + 0x6e, 0x35, 0xe0, 0x95, 0x3f, 0x08, 0x4a, 0x71, 0x5a, 0xf2, 0x4f, 0xc9, + 0x96, 0x61, 0x8d, 0x45, 0x4b, 0x97, 0x85, 0xff, 0xb0, 0xe3, 0xbb, 0xb5, + 0xd7, 0x7e, 0xfb, 0xd2, 0xfc, 0xec, 0xfe, 0x42, 0x9f, 0x4e, 0x7b, 0xbf, + 0x97, 0xbb, 0xb4, 0x3a, 0x93, 0x0b, 0x13, 0x61, 0x90, 0x0c, 0x3a, 0xce, + 0xf7, 0x8e, 0xef, 0x80, 0xf5, 0x4a, 0x92, 0xc5, 0xa5, 0x03, 0x78, 0xc2, + 0xee, 0xb8, 0x66, 0x60, 0x6b, 0x76, 0x4f, 0x32, 0x5a, 0x1a, 0xa2, 0x4b, + 0x7e, 0x2b, 0xa6, 0x1a, 0x89, 0x01, 0xe3, 0xbb, 0x55, 0x13, 0x7c, 0x4c, + 0xf4, 0x6a, 0x99, 0x94, 0xd1, 0xa0, 0x84, 0x1c, 0x1a, 0xc2, 0x7b, 0xb4, + 0xa0, 0xb0, 0x3b, 0xdc, 0x5a, 0x7b, 0xc7, 0xe0, 0x44, 0xb2, 0x1f, 0x46, + 0xd5, 0x8b, 0x39, 0x8b, 0xdc, 0x9e, 0xce, 0xa8, 0x7f, 0x85, 0x1d, 0x4b, + 0x63, 0x06, 0x1e, 0x8e, 0xe5, 0xe5, 0x99, 0xd9, 0xf7, 0x4d, 0x89, 0x0b, + 0x1d, 0x5c, 0x27, 0x33, 0x66, 0x21, 0xcf, 0x9a, 0xbd, 0x98, 0x68, 0x23, + 0x3a, 0x66, 0x9d, 0xd4, 0x46, 0xed, 0x63, 0x58, 0xf3, 0x42, 0xe4, 0x1d, + 0xe2, 0x47, 0x65, 0x13, 0x8d, 0xd4, 0x1f, 0x4b, 0x7e, 0xde, 0x11, 0x56, + 0xf8, 0x6d, 0x01, 0x0c, 0x99, 0xbd, 0x8d, 0xca, 0x8a, 0x2e, 0xe3, 0x8a, + 0x9c, 0x3d, 0x83, 0x8d, 0x69, 0x62, 0x8d, 0x05, 0xea, 0xb7, 0xf5, 0xa3, + 0x4b, 0xfc, 0x96, 0xcf, 0x18, 0x21, 0x0a, 0xc7, 0xf3, 0x23, 0x7e, 0x1c, + 0xab, 0xe2, 0xa2, 0xd1, 0x83, 0xc4, 0x25, 0x93, 0x37, 0x80, 0xca, 0xda, + 0xf0, 0xef, 0x7d, 0x94, 0xb5}; + +// The P256 intermediate certificate that issued the EE cert used in the +// signatures above. The certificate was generated with pycert.py +const uint8_t P256_INT[] = { + 0x30, 0x82, 0x01, 0x48, 0x30, 0x81, 0xf0, 0xa0, 0x03, 0x02, 0x01, 0x02, + 0x02, 0x14, 0x43, 0x63, 0x59, 0xad, 0x04, 0x34, 0x56, 0x80, 0x43, 0xec, + 0x90, 0x6a, 0xd4, 0x10, 0x64, 0x7c, 0x7f, 0x38, 0x32, 0xe2, 0x30, 0x0a, + 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x14, + 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x09, 0x72, + 0x6f, 0x6f, 0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x22, 0x18, 0x0f, + 0x32, 0x30, 0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30, 0x30, + 0x30, 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32, 0x33, + 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x13, 0x31, 0x11, + 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, 0x69, 0x6e, 0x74, + 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, + 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, + 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x4f, 0xbf, 0xbb, 0xbb, + 0x61, 0xe0, 0xf8, 0xf9, 0xb1, 0xa6, 0x0a, 0x59, 0xac, 0x87, 0x04, 0xe2, + 0xec, 0x05, 0x0b, 0x42, 0x3e, 0x3c, 0xf7, 0x2e, 0x92, 0x3f, 0x2c, 0x4f, + 0x79, 0x4b, 0x45, 0x5c, 0x2a, 0x69, 0xd2, 0x33, 0x45, 0x6c, 0x36, 0xc4, + 0x11, 0x9d, 0x07, 0x06, 0xe0, 0x0e, 0xed, 0xc8, 0xd1, 0x93, 0x90, 0xd7, + 0x99, 0x1b, 0x7b, 0x2d, 0x07, 0xa3, 0x04, 0xea, 0xa0, 0x4a, 0xa6, 0xc0, + 0xa3, 0x1d, 0x30, 0x1b, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, + 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, + 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x0a, 0x06, 0x08, 0x2a, + 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x47, 0x00, 0x30, 0x44, + 0x02, 0x20, 0x63, 0x59, 0x02, 0x01, 0x89, 0xd7, 0x3e, 0x5b, 0xff, 0xd1, + 0x16, 0x4e, 0xe3, 0xe2, 0x0a, 0xe0, 0x4a, 0xd8, 0x75, 0xaf, 0x77, 0x5c, + 0x93, 0x60, 0xba, 0x10, 0x1f, 0x97, 0xdd, 0x27, 0x2d, 0x24, 0x02, 0x20, + 0x3d, 0x87, 0x0f, 0xac, 0x22, 0x4d, 0x16, 0xd9, 0xa1, 0x95, 0xbb, 0x56, + 0xe0, 0x21, 0x05, 0x93, 0xd1, 0x07, 0xb5, 0x25, 0x3b, 0xf4, 0x57, 0x20, + 0x87, 0x13, 0xa2, 0xf7, 0x78, 0x15, 0x30, 0xa7}; + +// The P256 root certificate that issued the P256 intermediate certificate +// above. The certificate was generated with pycert.py +const uint8_t P256_ROOT[] = { + 0x30, 0x82, 0x01, 0x4a, 0x30, 0x81, 0xf1, 0xa0, 0x03, 0x02, 0x01, 0x02, + 0x02, 0x14, 0x5f, 0x3f, 0xae, 0x90, 0x49, 0x30, 0x2f, 0x33, 0x6e, 0x95, + 0x23, 0xa7, 0xcb, 0x23, 0xd7, 0x65, 0x4f, 0xea, 0x3c, 0xf7, 0x30, 0x0a, + 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x14, + 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x09, 0x72, + 0x6f, 0x6f, 0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x22, 0x18, 0x0f, + 0x32, 0x30, 0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30, 0x30, + 0x30, 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32, 0x33, + 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x14, 0x31, 0x12, + 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x09, 0x72, 0x6f, 0x6f, + 0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, + 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, + 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x4f, 0xbf, 0xbb, + 0xbb, 0x61, 0xe0, 0xf8, 0xf9, 0xb1, 0xa6, 0x0a, 0x59, 0xac, 0x87, 0x04, + 0xe2, 0xec, 0x05, 0x0b, 0x42, 0x3e, 0x3c, 0xf7, 0x2e, 0x92, 0x3f, 0x2c, + 0x4f, 0x79, 0x4b, 0x45, 0x5c, 0x2a, 0x69, 0xd2, 0x33, 0x45, 0x6c, 0x36, + 0xc4, 0x11, 0x9d, 0x07, 0x06, 0xe0, 0x0e, 0xed, 0xc8, 0xd1, 0x93, 0x90, + 0xd7, 0x99, 0x1b, 0x7b, 0x2d, 0x07, 0xa3, 0x04, 0xea, 0xa0, 0x4a, 0xa6, + 0xc0, 0xa3, 0x1d, 0x30, 0x1b, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, + 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0b, 0x06, 0x03, 0x55, + 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x0a, 0x06, 0x08, + 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, 0x30, + 0x45, 0x02, 0x20, 0x5c, 0x75, 0x51, 0x9f, 0x13, 0x11, 0x50, 0xcd, 0x5d, + 0x8a, 0xde, 0x20, 0xa3, 0xbc, 0x06, 0x30, 0x91, 0xff, 0xb2, 0x73, 0x75, + 0x5f, 0x31, 0x64, 0xec, 0xfd, 0xcb, 0x42, 0x80, 0x0a, 0x70, 0xe6, 0x02, + 0x21, 0x00, 0xc2, 0xe4, 0xc1, 0xa8, 0xe2, 0x89, 0xdc, 0xa1, 0xbb, 0xe7, + 0xd5, 0x4f, 0x5c, 0x88, 0xad, 0xeb, 0xa4, 0x78, 0xa1, 0x19, 0xbe, 0x22, + 0x54, 0xc8, 0x9f, 0xef, 0xb8, 0x5d, 0xa2, 0x40, 0xd9, 0x8b}; + +void check_hard_coded_certs(const uint8_t** cert_chain, size_t cert_chain_len, + const size_t* certs_len) { + // Very hacky and fragile check that the intermediate certs are correct. + switch (cert_chain_len) { + case 2: { + const uint8_t* cert = cert_chain[0]; + size_t cert_len = certs_len[0]; + ASSERT_EQ(cert_len, sizeof(P256_ROOT)); + ASSERT_EQ(0, memcmp(cert, P256_ROOT, cert_len)); + cert = cert_chain[1]; + cert_len = certs_len[1]; + ASSERT_EQ(cert_len, sizeof(P256_INT)); + ASSERT_EQ(0, memcmp(cert, P256_INT, cert_len)); + break; + } + case 4: { + const uint8_t* cert = cert_chain[0]; + size_t cert_len = certs_len[0]; + ASSERT_EQ(cert_len, sizeof(P256_ROOT)); + ASSERT_EQ(0, memcmp(cert, P256_ROOT, cert_len)); + cert = cert_chain[1]; + cert_len = certs_len[1]; + ASSERT_EQ(cert_len, sizeof(P256_INT)); + ASSERT_EQ(0, memcmp(cert, P256_INT, cert_len)); + cert = cert_chain[2]; + cert_len = certs_len[2]; + ASSERT_EQ(cert_len, sizeof(RSA_ROOT)); + ASSERT_EQ(0, memcmp(cert, RSA_ROOT, cert_len)); + cert = cert_chain[3]; + cert_len = certs_len[3]; + ASSERT_EQ(cert_len, sizeof(RSA_INT)); + ASSERT_EQ(0, memcmp(cert, RSA_INT, cert_len)); + break; + } + default: + // In this case something went wrong. + ASSERT_EQ(true, false); + } +} + +/* Verification function called from cose-rust. + * Returns true if everything goes well and the signature is good, false in any + * other case. */ +bool verify_callback(const uint8_t* payload, size_t payload_len, + const uint8_t** cert_chain, size_t cert_chain_len, + const size_t* certs_len, const uint8_t* ee_cert, + size_t ee_cert_len, const uint8_t* signature, + size_t signature_len, uint8_t signature_algorithm, + void* ctx) { + UniquePK11SlotInfo slot(PK11_GetInternalSlot()); + if (!slot) { + return false; + } + + CK_MECHANISM_TYPE mechanism; + SECOidTag oid; + uint32_t hash_length; + SECItem param = {siBuffer, nullptr, 0}; + CK_RSA_PKCS_PSS_PARAMS rsa_pss_params = {CKM_SHA256, CKG_MGF1_SHA256, + SHA256_LENGTH}; + switch (signature_algorithm) { + case (ES256): + mechanism = CKM_ECDSA; + oid = SEC_OID_SHA256; + hash_length = SHA256_LENGTH; + break; + case (PS256): + mechanism = CKM_RSA_PKCS_PSS; + oid = SEC_OID_SHA256; + hash_length = SHA256_LENGTH; + param = {siBuffer, reinterpret_cast<unsigned char*>(&rsa_pss_params), + sizeof(rsa_pss_params)}; + break; + default: + return false; + } + check_hard_coded_certs(cert_chain, cert_chain_len, certs_len); + + uint8_t hash_buf[HASH_LENGTH_MAX]; + SECStatus rv = PK11_HashBuf(oid, hash_buf, payload, payload_len); + if (rv != SECSuccess) { + return false; + } + SECItem hash_item = {siBuffer, hash_buf, hash_length}; + CERTCertDBHandle* db_handle = CERT_GetDefaultCertDB(); + if (!db_handle) { + return false; + } + SECItem der_cert = {siBuffer, const_cast<uint8_t*>(ee_cert), + static_cast<unsigned int>(ee_cert_len)}; + UniqueCERTCertificate cert( + CERT_NewTempCertificate(db_handle, &der_cert, nullptr, false, true)); + if (!cert) { + return false; + } + UniqueSECKEYPublicKey key(CERT_ExtractPublicKey(cert.get())); + if (!key) { + return false; + } + SECItem signature_item = {siBuffer, const_cast<uint8_t*>(signature), + static_cast<unsigned int>(signature_len)}; + rv = PK11_VerifyWithMechanism(key.get(), mechanism, ¶m, &signature_item, + &hash_item, nullptr); + if (rv != SECSuccess) { + return false; + } + + return true; +} + +class psm_COSE : public ::testing::Test {}; + +TEST_F(psm_COSE, CoseTestingSingleSignature) { + SECStatus rv = NSS_NoDB_Init(nullptr); + ASSERT_EQ(SECSuccess, rv); + bool result = + verify_cose_signature_ffi(PAYLOAD, sizeof(PAYLOAD), SIGNATURE, + sizeof(SIGNATURE), nullptr, verify_callback); + ASSERT_TRUE(result); +} + +TEST_F(psm_COSE, CoseTestingTwoSignatures) { + SECStatus rv = NSS_NoDB_Init(nullptr); + ASSERT_EQ(SECSuccess, rv); + bool result = verify_cose_signature_ffi( + PAYLOAD, sizeof(PAYLOAD), SIGNATURE_ES256_PS256, + sizeof(SIGNATURE_ES256_PS256), nullptr, verify_callback); + ASSERT_TRUE(result); +} + +TEST_F(psm_COSE, CoseTestingAlteredPayload) { + SECStatus rv = NSS_NoDB_Init(nullptr); + ASSERT_EQ(SECSuccess, rv); + uint8_t altered_payload[20] = {84, 104, 105, 115, 32, 104, 115, + 32, 116, 104, 101, 32, 99, 111, + 110, 116, 101, 110, 116, 46}; + bool result = verify_cose_signature_ffi( + altered_payload, sizeof(altered_payload), SIGNATURE_ES256_PS256, + sizeof(SIGNATURE_ES256_PS256), nullptr, verify_callback); + ASSERT_FALSE(result); +} + +} // namespace mozilla diff --git a/security/manager/ssl/tests/gtest/DeserializeCertTest.cpp b/security/manager/ssl/tests/gtest/DeserializeCertTest.cpp new file mode 100644 index 0000000000..acad30e2ae --- /dev/null +++ b/security/manager/ssl/tests/gtest/DeserializeCertTest.cpp @@ -0,0 +1,507 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "gtest/gtest.h" + +#include "TransportSecurityInfo.h" +#include "nsCOMPtr.h" +#include "nsITransportSecurityInfo.h" +#include "nsIX509Cert.h" +#include "nsString.h" +#include "mozilla/Maybe.h" + +using namespace mozilla; +using namespace mozilla::psm; + +// nsITransportSecurityInfo de-serializatin tests +// +// These tests verify that we can still deserialize old binary strings +// generated for security info. This is necessary because service workers +// stores these strings on disk. +// +// If you make a change and start breaking these tests, you will need to +// add a compat fix for loading the old versions. For things that affect +// the UUID, but do not break the rest of the format you can simply add +// another hack condition in nsBinaryInputStream::ReadObject(). If you +// change the overall format of the serialization then we will need more +// complex handling in the security info concrete classes. +// +// We would like to move away from this binary compatibility requirement +// in service workers. See bug 1248628. +void deserializeAndVerify(const nsCString& serializedSecInfo, + Maybe<size_t> failedCertChainLength = Nothing(), + Maybe<size_t> succeededCertChainLength = Nothing()) { + nsCOMPtr<nsITransportSecurityInfo> securityInfo; + nsresult rv = TransportSecurityInfo::Read(serializedSecInfo, + getter_AddRefs(securityInfo)); + ASSERT_EQ(NS_OK, rv); + ASSERT_TRUE(securityInfo); + + nsCOMPtr<nsIX509Cert> cert; + rv = securityInfo->GetServerCert(getter_AddRefs(cert)); + ASSERT_EQ(NS_OK, rv); + ASSERT_TRUE(cert); + + nsTArray<RefPtr<nsIX509Cert>> failedCertArray; + rv = securityInfo->GetFailedCertChain(failedCertArray); + ASSERT_EQ(NS_OK, rv); + + if (failedCertChainLength) { + ASSERT_FALSE(failedCertArray.IsEmpty()); + for (const auto& cert : failedCertArray) { + ASSERT_TRUE(cert); + } + ASSERT_EQ(*failedCertChainLength, failedCertArray.Length()); + } else { + ASSERT_TRUE(failedCertArray.IsEmpty()); + } + + nsTArray<RefPtr<nsIX509Cert>> succeededCertArray; + rv = securityInfo->GetSucceededCertChain(succeededCertArray); + ASSERT_EQ(NS_OK, rv); + + if (succeededCertChainLength) { + ASSERT_FALSE(succeededCertArray.IsEmpty()); + for (const auto& cert : succeededCertArray) { + ASSERT_TRUE(cert); + } + ASSERT_EQ(*succeededCertChainLength, succeededCertArray.Length()); + } else { + ASSERT_TRUE(succeededCertArray.IsEmpty()); + } +} + +TEST(psm_DeserializeCert, gecko33) +{ + // clang-format off + // Gecko 33+ vintage Security info serialized with UUIDs: + // - nsISupports 00000000-0000-0000-c000-000000000046 + // - nsISSLStatus fa9ba95b-ca3b-498a-b889-7c79cf28fee8 + // - nsIX509Cert f8ed8364-ced9-4c6e-86ba-48af53c393e6 + nsCString base64Serialization( + "FnhllAKWRHGAlo+ESXykKAAAAAAAAAAAwAAAAAAAAEaphjojH6pBabDSgSnsfLHeAAQAAgAAAAAAAAAAAAAAAAAAAAA" + "B4vFIJp5wRkeyPxAQ9RJGKPqbqVvKO0mKuIl8ec8o/uhmCjImkVxP+7sgiYWmMt8F+O2DZM7ZTG6GukivU8OT5gAAAAIAAAWpMII" + "FpTCCBI2gAwIBAgIQD4svsaKEC+QtqtsU2TF8ITANBgkqhkiG9w0BAQsFADBwMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUN" + "lcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNzdXJhbmNlIFN" + "lcnZlciBDQTAeFw0xNTAyMjMwMDAwMDBaFw0xNjAzMDIxMjAwMDBaMGoxCzAJBgNVBAYTAlVTMRYwFAYDVQQHEw1TYW4gRnJhbmN" + "pc2NvMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRUwEwYDVQQKEwxGYXN0bHksIEluYy4xFzAVBgNVBAMTDnd3dy5naXRodWIuY29tMII" + "BIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+9WUCgrgUNwP/JC3cUefLAXeDpq8Ko/U8p8IRvny0Ri0I6Uq0t+RP/nF0LJ" + "Avda8QHYujdgeDTePepBX7+OiwBFhA0YO+rM3C2Z8IRaN/i9eLln+Yyc68+1z+E10s1EXdZrtDGvN6MHqygGsdfkXKfBLUJ1BZEh" + "s9sBnfcjq3kh5gZdBArdG9l5NpdmQhtceaFGsPiWuJxGxRzS4i95veUHWkhMpEYDEEBdcDGxqArvQCvzSlngdttQCfx8OUkBTb3B" + "A2okpTwwJfqPsxVetA6qR7UNc+fVb6KHwvm0bzi2rQ3xw3D/syRHwdMkpoVDQPCk43H9WufgfBKRen87dFwIDAQABo4ICPzCCAjs" + "wHwYDVR0jBBgwFoAUUWj/kK8CB3U8zNllZGKiErhZcjswHQYDVR0OBBYEFGS/RLNGCZvPWh1xSaIEcouINIQjMHsGA1UdEQR0MHK" + "CDnd3dy5naXRodWIuY29tggpnaXRodWIuY29tggwqLmdpdGh1Yi5jb22CCyouZ2l0aHViLmlvgglnaXRodWIuaW+CFyouZ2l0aHV" + "idXNlcmNvbnRlbnQuY29tghVnaXRodWJ1c2VyY29udGVudC5jb20wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwM" + "BBggrBgEFBQcDAjB1BgNVHR8EbjBsMDSgMqAwhi5odHRwOi8vY3JsMy5kaWdpY2VydC5jb20vc2hhMi1oYS1zZXJ2ZXItZzMuY3J" + "sMDSgMqAwhi5odHRwOi8vY3JsNC5kaWdpY2VydC5jb20vc2hhMi1oYS1zZXJ2ZXItZzMuY3JsMEIGA1UdIAQ7MDkwNwYJYIZIAYb" + "9bAEBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwgYMGCCsGAQUFBwEBBHcwdTAkBggrBgEFBQc" + "wAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tME0GCCsGAQUFBzAChkFodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUN" + "lcnRTSEEySGlnaEFzc3VyYW5jZVNlcnZlckNBLmNydDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQAc4dbVmuKvyI7" + "KZ4Txk+ZqcAYToJGKUIVaPL94e5SZGweUisjaCbplAOihnf6Mxt8n6vnuH2IsCaz2NRHqhdcosjT3CwAiJpJNkXPKWVL/txgdSTV" + "2cqB1GG4esFOalvI52dzn+J4fTIYZvNF+AtGyHSLm2XRXYZCw455laUKf6Sk9RDShDgUvzhOKL4GXfTwKXv12MyMknJybH8UCpjC" + "HZmFBVHMcUN/87HsQo20PdOekeEvkjrrMIxW+gxw22Yb67yF/qKgwrWr+43bLN709iyw+LWiU7sQcHL2xk9SYiWQDj2tYz2soObV" + "QYTJm0VUZMEVFhtALq46cx92Zu4vFwC8AAwAAAAABAQAA"); + // clang-format on + + deserializeAndVerify(base64Serialization); +} + +TEST(psm_DeserializeCert, gecko46) +{ + // clang-format off + // Gecko 46+ vintage Security info serialized with UUIDs: + // - nsISupports 00000000-0000-0000-c000-000000000046 + // - nsISSLStatus fa9ba95b-ca3b-498a-b889-7c79cf28fee8 + // - nsIX509Cert bdc3979a-5422-4cd5-8589-696b6e96ea83 + nsCString base64Serialization( + "FnhllAKWRHGAlo+ESXykKAAAAAAAAAAAwAAAAAAAAEaphjojH6pBabDSgSnsfLHeAAQAAgAAAAAAAAAAAAAAAAAAAAA" + "B4vFIJp5wRkeyPxAQ9RJGKPqbqVvKO0mKuIl8ec8o/uhmCjImkVxP+7sgiYWmMt8FvcOXmlQiTNWFiWlrbpbqgwAAAAIAAAWzMII" + "FrzCCBJegAwIBAgIQB3pdwzYjAfmJ/lT3+G8+ZDANBgkqhkiG9w0BAQsFADBwMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUN" + "lcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNzdXJhbmNlIFN" + "lcnZlciBDQTAeFw0xNjAxMjAwMDAwMDBaFw0xNzA0MDYxMjAwMDBaMGoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybml" + "hMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRUwEwYDVQQKEwxGYXN0bHksIEluYy4xFzAVBgNVBAMTDnd3dy5naXRodWIuY29tMII" + "BIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+9WUCgrgUNwP/JC3cUefLAXeDpq8Ko/U8p8IRvny0Ri0I6Uq0t+RP/nF0LJ" + "Avda8QHYujdgeDTePepBX7+OiwBFhA0YO+rM3C2Z8IRaN/i9eLln+Yyc68+1z+E10s1EXdZrtDGvN6MHqygGsdfkXKfBLUJ1BZEh" + "s9sBnfcjq3kh5gZdBArdG9l5NpdmQhtceaFGsPiWuJxGxRzS4i95veUHWkhMpEYDEEBdcDGxqArvQCvzSlngdttQCfx8OUkBTb3B" + "A2okpTwwJfqPsxVetA6qR7UNc+fVb6KHwvm0bzi2rQ3xw3D/syRHwdMkpoVDQPCk43H9WufgfBKRen87dFwIDAQABo4ICSTCCAkU" + "wHwYDVR0jBBgwFoAUUWj/kK8CB3U8zNllZGKiErhZcjswHQYDVR0OBBYEFGS/RLNGCZvPWh1xSaIEcouINIQjMHsGA1UdEQR0MHK" + "CDnd3dy5naXRodWIuY29tggwqLmdpdGh1Yi5jb22CCmdpdGh1Yi5jb22CCyouZ2l0aHViLmlvgglnaXRodWIuaW+CFyouZ2l0aHV" + "idXNlcmNvbnRlbnQuY29tghVnaXRodWJ1c2VyY29udGVudC5jb20wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwM" + "BBggrBgEFBQcDAjB1BgNVHR8EbjBsMDSgMqAwhi5odHRwOi8vY3JsMy5kaWdpY2VydC5jb20vc2hhMi1oYS1zZXJ2ZXItZzUuY3J" + "sMDSgMqAwhi5odHRwOi8vY3JsNC5kaWdpY2VydC5jb20vc2hhMi1oYS1zZXJ2ZXItZzUuY3JsMEwGA1UdIARFMEMwNwYJYIZIAYb" + "9bAEBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCAYGZ4EMAQICMIGDBggrBgEFBQcBAQR3MHU" + "wJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBNBggrBgEFBQcwAoZBaHR0cDovL2NhY2VydHMuZGlnaWNlcnQ" + "uY29tL0RpZ2lDZXJ0U0hBMkhpZ2hBc3N1cmFuY2VTZXJ2ZXJDQS5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAQE" + "ATxbRdPg+o49+96/P+rbdp4ie+CGtfCgUubT/Z9C54k+BfQO0nbxVgCSM5WZQuLgo2Q+0lcxisod8zxZeU0j5wviQINwOln/iN89" + "Bx3VmDRynTe4CqhsAwOoO1ERmCAmsAJBwY/rNr4mK22p8erBrqMW0nYXYU5NFynI+pNTjojhKD4II8PNV8G2yMWwYOb/u4+WPzUA" + "HC9DpZdrWTEH/W69Cr/KxRqGsWPwpgMv2Wqav8jaT35JxqTXjOlhQqzo6fNn3eYOeCf4PkCxZKwckWjy10qDaRbjhwAMHAGj2TPr" + "idlvOj/7QyyX5m8up/1US8z1fRW4yoCSOt6V2bwuH6cAvAAMAAAAAAQEAAA=="); + // clang-format on + + deserializeAndVerify(base64Serialization); +} + +TEST(psm_DeserializeCert, preSSLStatusConsolidation) +{ + // clang-format off + // Generated using serialized output of test "good.include-subdomains.pinning.example.com" + // in security/manager/ssl/tests/unit/test_cert_chains.js + nsCString base64Serialization( + "FnhllAKWRHGAlo+ESXykKAAAAAAAAAAAwAAAAAAAAEaphjojH6pBabDSgSnsfLHeAAgAAgAAAAAAAAAAAAAAAAAAAAAB4vFIJp5w" + "RkeyPxAQ9RJGKPqbqVvKO0mKuIl8ec8o/uhmCjImkVxP+7sgiYWmMt8FvcOXmlQiTNWFiWlrbpbqgwAAAAAAAAONMIIDiTCCAnGg" + "AwIBAgIUWbWLTwLBvfwcoiU7I8lDz9snfUgwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE2MTEyNzAw" + "MDAwMFoYDzIwMTkwMjA1MDAwMDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw" + "ggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzV" + "JJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+o" + "N9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd" + "q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgcowgccwgZAGA1UdEQSBiDCBhYIJbG9jYWxob3N0" + "gg0qLmV4YW1wbGUuY29tghUqLnBpbm5pbmcuZXhhbXBsZS5jb22CKCouaW5jbHVkZS1zdWJkb21haW5zLnBpbm5pbmcuZXhhbXBs" + "ZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5zLnBpbm5pbmcuZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzAB" + "hhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQBE+6IPJK5OeonoQPC4CCWMd69SjhwS7X6TNgxDJzW7" + "qpVm4SFyYZ2xqzr2zib5LsYek6/jok5LPSpJVeFuSeiesvGMxk0O4ZEihPxSM4uR4xpCnPzz7LoFIzMELJv5i+cgLw4+6cINPkLj" + "oCUdb+AXSTur7THJaO75B44I2JjJfMfzgW1FwoWgXL/PQWRw+VY6OY1glqZOXzP+vfSja1SoggpiCzdPx7h1/SEEZov7zhCZXv1C" + "enx1njlpcj9wWEJMsyZczMNtiz5GkRrLaqCz9F8ah3NvkvPAZ0oOqtxuQgMXK/c0OXJVKi0SCJsWqZDoZhCrS/dE9guxlseZqhSI" + "wC8DAwAAAAABAQAAAAAAAAZ4MjU1MTkAAAAOUlNBLVBTUy1TSEEyNTYBlZ+xZWUXSH+rm9iRO+Uxl650zaXNL0c/lvXwt//2LGgA" + "AAACZgoyJpFcT/u7IImFpjLfBb3Dl5pUIkzVhYlpa26W6oMAAAAAAAADjTCCA4kwggJxoAMCAQICFFm1i08Cwb38HKIlOyPJQ8/b" + "J31IMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNVBAMMB1Rlc3QgQ0EwIhgPMjAxNjExMjcwMDAwMDBaGA8yMDE5MDIwNTAwMDAwMFow" + "GjEYMBYGA1UEAwwPVGVzdCBFbmQtZW50aXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2" + "ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzC" + "a2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk" + "zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+" + "SSP6clHEMdUDrNoYCjXtjQIDAQABo4HKMIHHMIGQBgNVHREEgYgwgYWCCWxvY2FsaG9zdIINKi5leGFtcGxlLmNvbYIVKi5waW5u" + "aW5nLmV4YW1wbGUuY29tgigqLmluY2x1ZGUtc3ViZG9tYWlucy5waW5uaW5nLmV4YW1wbGUuY29tgigqLmV4Y2x1ZGUtc3ViZG9t" + "YWlucy5waW5uaW5nLmV4YW1wbGUuY29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9zdDo4ODg4" + "LzANBgkqhkiG9w0BAQsFAAOCAQEARPuiDySuTnqJ6EDwuAgljHevUo4cEu1+kzYMQyc1u6qVZuEhcmGdsas69s4m+S7GHpOv46JO" + "Sz0qSVXhbknonrLxjMZNDuGRIoT8UjOLkeMaQpz88+y6BSMzBCyb+YvnIC8OPunCDT5C46AlHW/gF0k7q+0xyWju+QeOCNiYyXzH" + "84FtRcKFoFy/z0FkcPlWOjmNYJamTl8z/r30o2tUqIIKYgs3T8e4df0hBGaL+84QmV79Qnp8dZ45aXI/cFhCTLMmXMzDbYs+RpEa" + "y2qgs/RfGodzb5LzwGdKDqrcbkIDFyv3NDlyVSotEgibFqmQ6GYQq0v3RPYLsZbHmaoUiGYKMiaRXE/7uyCJhaYy3wW9w5eaVCJM" + "1YWJaWtuluqDAAAAAAAAAtcwggLTMIIBu6ADAgECAhRdBTvvC7swO3cbVWIGn/56DrQ+cjANBgkqhkiG9w0BAQsFADASMRAwDgYD" + "VQQDDAdUZXN0IENBMCIYDzIwMTYxMTI3MDAwMDAwWhgPMjAxOTAyMDUwMDAwMDBaMBIxEDAOBgNVBAMMB1Rlc3QgQ0EwggEiMA0G" + "CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr" + "4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk" + "fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo" + "4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQF" + "MAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQCDjewR53YLc3HzZKugRDbQVxjJNILW6fSIyW9dSglYcWh6aiOK" + "9cZFVtzRWYEYkIlicAyTiPw34bXzxU1cK6sCSmBR+UTXbRPGb4OOy3MRaoF1m3jxwnPkQwxezDiqJTydCbYcBu0sKwURAZOd5QK9" + "22MsOsnrLjNlpRDmuH0VFhb5uN2I5mM3NvMnP2Or19O1Bk//iGD6AyJfiZFcii+FsDrJhbzw6lakEV7O/EnD0kk2l7I0VMtg1xZB" + "bEw7P6+V9zz5cAzaaq7EB0mCE+jJckSzSETBN+7lyVD8gwmHYxxZfPnUM/yvPbMU9L3xWD/z6HHwO6r+9m7BT+2pHjBCAAA="); + // clang-format on + + deserializeAndVerify(base64Serialization, Nothing(), Some(2)); +} + +TEST(psm_DeserializeCert, preSSLStatusConsolidationFailedCertChain) +{ + // clang-format off + // Generated using serialized output of test "expired.example.com" + // in security/manager/ssl/tests/unit/test_cert_chains.js + nsCString base64Serialization( + "FnhllAKWRHGAlo+ESXykKAAAAAAAAAAAwAAAAAAAAEaphjojH6pBabDSgSnsfLHeAAAABAAAAAAAAAAA///gCwAAAAAB4vFIJp5w" + "RkeyPxAQ9RJGKPqbqVvKO0mKuIl8ec8o/uhmCjImkVxP+7sgiYWmMt8FvcOXmlQiTNWFiWlrbpbqgwAAAAAAAAMgMIIDHDCCAgSg" + "AwIBAgIUY9ERAIKj0js/YbhJoMrcLnj++uowDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDEzMDEwMTAw" + "MDAwMFoYDzIwMTQwMTAxMDAwMDAwWjAiMSAwHgYDVQQDDBdFeHBpcmVkIFRlc3QgRW5kLWVudGl0eTCCASIwDQYJKoZIhvcNAQEB" + "BQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6" + "pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A9" + "0jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK" + "lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNWMFQwHgYDVR0RBBcwFYITZXhwaXJl" + "ZC5leGFtcGxlLmNvbTAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJKoZIhvcN" + "AQELBQADggEBAImiFuy275T6b+Ud6gl/El6qpgWHUXeYiv2sp7d+HVzfT+ow5WVsxI/GMKhdA43JaKT9gfMsbnP1qiI2zel3U+F7" + "IAMO1CEr5FVdCOVTma5hmu/81rkJLmZ8RQDWWOhZKyn/7aD7TH1C1e768yCt5E2DDl8mHil9zR8BPsoXwuS3L9zJ2JqNc60+hB8l" + "297ZaSl0nbKffb47ukvn5kSJ7tI9n/fSXdj1JrukwjZP+74VkQyNobaFzDZ+Zr3QmfbejEsY2EYnq8XuENgIO4DuYrm80/p6bMO6" + "laB0Uv5W6uXZgBZdRTe1WMdYWGhmvnFFQmf+naeOOl6ryFwWwtnoK7IAAAMAAAEAAAEAAQAAAAAAAAAAAAAAAZWfsWVlF0h/q5vY" + "kTvlMZeudM2lzS9HP5b18Lf/9ixoAAAAAmYKMiaRXE/7uyCJhaYy3wW9w5eaVCJM1YWJaWtuluqDAAAAAAAAAyAwggMcMIICBKAD" + "AgECAhRj0REAgqPSOz9huEmgytwueP766jANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0IENBMCIYDzIwMTMwMTAxMDAw" + "MDAwWhgPMjAxNDAxMDEwMDAwMDBaMCIxIDAeBgNVBAMMF0V4cGlyZWQgVGVzdCBFbmQtZW50aXR5MIIBIjANBgkqhkiG9w0BAQEF" + "AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHql" + "WqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S" + "O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqV" + "YR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo1YwVDAeBgNVHREEFzAVghNleHBpcmVk" + "LmV4YW1wbGUuY29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0B" + "AQsFAAOCAQEAiaIW7LbvlPpv5R3qCX8SXqqmBYdRd5iK/aynt34dXN9P6jDlZWzEj8YwqF0DjclopP2B8yxuc/WqIjbN6XdT4Xsg" + "Aw7UISvkVV0I5VOZrmGa7/zWuQkuZnxFANZY6FkrKf/toPtMfULV7vrzIK3kTYMOXyYeKX3NHwE+yhfC5Lcv3MnYmo1zrT6EHyXb" + "3tlpKXSdsp99vju6S+fmRInu0j2f99Jd2PUmu6TCNk/7vhWRDI2htoXMNn5mvdCZ9t6MSxjYRierxe4Q2Ag7gO5iubzT+npsw7qV" + "oHRS/lbq5dmAFl1FN7VYx1hYaGa+cUVCZ/6dp446XqvIXBbC2egrsmYKMiaRXE/7uyCJhaYy3wW9w5eaVCJM1YWJaWtuluqDAAAA" + "AAAAAtcwggLTMIIBu6ADAgECAhRdBTvvC7swO3cbVWIGn/56DrQ+cjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0IENB" + "MCIYDzIwMTYxMTI3MDAwMDAwWhgPMjAxOTAyMDUwMDAwMDBaMBIxEDAOBgNVBAMMB1Rlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUA" + "A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVa" + "p0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7" + "xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVh" + "He4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0P" + "BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQCDjewR53YLc3HzZKugRDbQVxjJNILW6fSIyW9dSglYcWh6aiOK9cZFVtzRWYEYkIli" + "cAyTiPw34bXzxU1cK6sCSmBR+UTXbRPGb4OOy3MRaoF1m3jxwnPkQwxezDiqJTydCbYcBu0sKwURAZOd5QK922MsOsnrLjNlpRDm" + "uH0VFhb5uN2I5mM3NvMnP2Or19O1Bk//iGD6AyJfiZFcii+FsDrJhbzw6lakEV7O/EnD0kk2l7I0VMtg1xZBbEw7P6+V9zz5cAza" + "aq7EB0mCE+jJckSzSETBN+7lyVD8gwmHYxxZfPnUM/yvPbMU9L3xWD/z6HHwO6r+9m7BT+2pHjBCAZWfsWVlF0h/q5vYkTvlMZeu" + "dM2lzS9HP5b18Lf/9ixoAAAAAmYKMiaRXE/7uyCJhaYy3wW9w5eaVCJM1YWJaWtuluqDAAAAAAAAAyAwggMcMIICBKADAgECAhRj" + "0REAgqPSOz9huEmgytwueP766jANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0IENBMCIYDzIwMTMwMTAxMDAwMDAwWhgP" + "MjAxNDAxMDEwMDAwMDBaMCIxIDAeBgNVBAMMF0V4cGlyZWQgVGVzdCBFbmQtZW50aXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A" + "MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc" + "1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgf" + "qDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYl" + "nauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo1YwVDAeBgNVHREEFzAVghNleHBpcmVkLmV4YW1w" + "bGUuY29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0BAQsFAAOC" + "AQEAiaIW7LbvlPpv5R3qCX8SXqqmBYdRd5iK/aynt34dXN9P6jDlZWzEj8YwqF0DjclopP2B8yxuc/WqIjbN6XdT4XsgAw7UISvk" + "VV0I5VOZrmGa7/zWuQkuZnxFANZY6FkrKf/toPtMfULV7vrzIK3kTYMOXyYeKX3NHwE+yhfC5Lcv3MnYmo1zrT6EHyXb3tlpKXSd" + "sp99vju6S+fmRInu0j2f99Jd2PUmu6TCNk/7vhWRDI2htoXMNn5mvdCZ9t6MSxjYRierxe4Q2Ag7gO5iubzT+npsw7qVoHRS/lbq" + "5dmAFl1FN7VYx1hYaGa+cUVCZ/6dp446XqvIXBbC2egrsmYKMiaRXE/7uyCJhaYy3wW9w5eaVCJM1YWJaWtuluqDAAAAAAAAAtcw" + "ggLTMIIBu6ADAgECAhRdBTvvC7swO3cbVWIGn/56DrQ+cjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0IENBMCIYDzIw" + "MTYxMTI3MDAwMDAwWhgPMjAxOTAyMDUwMDAwMDBaMBIxEDAOBgNVBAMMB1Rlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw" + "ggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzV" + "JJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+o" + "N9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd" + "q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEG" + "MA0GCSqGSIb3DQEBCwUAA4IBAQCDjewR53YLc3HzZKugRDbQVxjJNILW6fSIyW9dSglYcWh6aiOK9cZFVtzRWYEYkIlicAyTiPw3" + "4bXzxU1cK6sCSmBR+UTXbRPGb4OOy3MRaoF1m3jxwnPkQwxezDiqJTydCbYcBu0sKwURAZOd5QK922MsOsnrLjNlpRDmuH0VFhb5" + "uN2I5mM3NvMnP2Or19O1Bk//iGD6AyJfiZFcii+FsDrJhbzw6lakEV7O/EnD0kk2l7I0VMtg1xZBbEw7P6+V9zz5cAzaaq7EB0mC" + "E+jJckSzSETBN+7lyVD8gwmHYxxZfPnUM/yvPbMU9L3xWD/z6HHwO6r+9m7BT+2pHjBC"); + // clang-format on + + deserializeAndVerify(base64Serialization, Some(2)); +} + +TEST(psm_DeserializeCert, preNsIX509CertListReplacement) +{ + // This was the serialized output of test + // "good.include-subdomains.pinning.example.com" // in + // security/manager/ssl/tests/unit/test_cert_chains.js The serialized output + // was generated before we replace nsIX509CertList with Array<nsIX509Cert>, so + // it had the old version of transportSecurityInfo. + nsCString base64Serialization( + "FnhllAKWRHGAlo+ESXykKAAAAAAAAAAAwAAAAAAAAEaphjojH6pBabDSgSnsfLHeAAAAAgA" + "AAAAAAAAAAAAAAAAAAAEAMQFmCjImkVxP+7sgiYWmMt8FvcOXmlQiTNWFiWlrbpbqgwAAAA" + "AAAAONMIIDiTCCAnGgAwIBAgIUDUo/9G0rz7fJiWTw0hY6TIyPRSIwDQYJKoZIhvcNAQELB" + "QAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE3MTEyNzAwMDAwMFoYDzIwMjAwMjA1MDAw" + "MDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4I" + "BDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZ" + "wGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tF" + "YIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n" + "FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN" + "7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe" + "2NAgMBAAGjgcowgccwgZAGA1UdEQSBiDCBhYIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tg" + "hUqLnBpbm5pbmcuZXhhbXBsZS5jb22CKCouaW5jbHVkZS1zdWJkb21haW5zLnBpbm5pbmcu" + "ZXhhbXBsZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5zLnBpbm5pbmcuZXhhbXBsZS5jb20" + "wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMA" + "0GCSqGSIb3DQEBCwUAA4IBAQCkguNhMyVCYhyYXfE22wNvlaobK2YRb4OGMxySIKuQ80N0X" + "lO+xpLJTs9YzFVY1+JTHNez1QfwP9KJeZznTzVzLh4sv0swx/+oUxCfLb0VIl/kdUqLkbGY" + "rAmtjeOKZLaqVtRH0BnmbPowLak1pi6nQYOU+aL9QOuvT/j3rXoimcdo6X3TK1SN2/64fGM" + "yG/pwas+JXehbReUf4n1ewk84ADtb+ew8tRAKf/uxzKUj5t/UgqDsnTWq5wUc5IJKwoHT41" + "sQnNqPg12x4+WGWiAsWCpR/hKYHFGr7rb4JTGEPAJpWcv9WtZYAvwT78a2xpHp5XNglj16I" + "jWEukvJuU1WwC8AAwAAAAABAQAAAAAAAAZ4MjU1MTkAAAAOUlNBLVBTUy1TSEEyNTYBlZ+x" + "ZWUXSH+rm9iRO+Uxl650zaXNL0c/lvXwt//2LGgAAAACZgoyJpFcT/u7IImFpjLfBb3Dl5p" + "UIkzVhYlpa26W6oMAAAAAAAADjTCCA4kwggJxoAMCAQICFA1KP/RtK8+3yYlk8NIWOkyMj0" + "UiMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNVBAMMB1Rlc3QgQ0EwIhgPMjAxNzExMjcwMDAwM" + "DBaGA8yMDIwMDIwNTAwMDAwMFowGjEYMBYGA1UEAwwPVGVzdCBFbmQtZW50aXR5MIIBIjAN" + "BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz" + "1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4IC" + "mTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXk" + "D3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK" + "9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP" + "+SSP6clHEMdUDrNoYCjXtjQIDAQABo4HKMIHHMIGQBgNVHREEgYgwgYWCCWxvY2FsaG9zdI" + "INKi5leGFtcGxlLmNvbYIVKi5waW5uaW5nLmV4YW1wbGUuY29tgigqLmluY2x1ZGUtc3ViZ" + "G9tYWlucy5waW5uaW5nLmV4YW1wbGUuY29tgigqLmV4Y2x1ZGUtc3ViZG9tYWlucy5waW5u" + "aW5nLmV4YW1wbGUuY29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2x" + "vY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0BAQsFAAOCAQEApILjYTMlQmIcmF3xNtsDb5WqGy" + "tmEW+DhjMckiCrkPNDdF5TvsaSyU7PWMxVWNfiUxzXs9UH8D/SiXmc5081cy4eLL9LMMf/q" + "FMQny29FSJf5HVKi5GxmKwJrY3jimS2qlbUR9AZ5mz6MC2pNaYup0GDlPmi/UDrr0/49616" + "IpnHaOl90ytUjdv+uHxjMhv6cGrPiV3oW0XlH+J9XsJPOAA7W/nsPLUQCn/7scylI+bf1IK" + "g7J01qucFHOSCSsKB0+NbEJzaj4NdsePlhlogLFgqUf4SmBxRq+62+CUxhDwCaVnL/VrWWA" + "L8E+/GtsaR6eVzYJY9eiI1hLpLyblNVmYKMiaRXE/7uyCJhaYy3wW9w5eaVCJM1YWJaWtul" + "uqDAAAAAAAAAtcwggLTMIIBu6ADAgECAhQpoXAjALAddSApG46EBfimNiyZuDANBgkqhkiG" + "9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0IENBMCIYDzIwMTcxMTI3MDAwMDAwWhgPMjAyMDA" + "yMDUwMDAwMDBaMBIxEDAOBgNVBAMMB1Rlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDw" + "AwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm" + "24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP" + "8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFth" + "Vt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7Ly" + "JvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NA" + "gMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IB" + "AQAgyCfLAcVs/MkERxunH9pZA4ja1QWWjsxSg9KgAIfOgj8c5RPHbl4oeWk0raNKWMu5+FR" + "3/94IJeD45C3h/Y3+1HDyC6ZuzdgMXv63dk0a36JDFlPA3swqwYhnL7pHnbdcfDyWnMVfmL" + "NeAhL7QA+Vf5fJmTsxEJwFaHo9JpKoQ469RdWno6aHeK3TfiQFaebzT1MRabCJXDeyw8Oal" + "QICt0M0wx29B6HNof3px2NxKyC6qlf01wwNSaaIbsctDaLL5ZLN6T1LjpJsooMvDwRt69+S" + "Xo8SmD4YO6Wr4Q9drI3cCwVeQXwxoUuB96muQQ2M3WDiMz5ZLI3oMLu8KSPsAA=="); + + deserializeAndVerify(base64Serialization, Nothing(), Some(2)); +} + +TEST(psm_DeserializeCert, preNsIX509CertListReplacementV2) +{ + // Same as the above test, however, this is the v2 version of the + // serialization. + nsCString base64Serialization( + "FnhllAKWRHGAlo+ESXykKAAAAAAAAAAAwAAAAAAAAEaphjojH6pBabDSgSnsfLHeAAAAAgA" + "AAAAAAAAAAAAAAAAAAAEAMgFmCjImkVxP+7sgiYWmMt8FvcOXmlQiTNWFiWlrbpbqgwAAAA" + "AAAAONMIIDiTCCAnGgAwIBAgIUDUo/9G0rz7fJiWTw0hY6TIyPRSIwDQYJKoZIhvcNAQELB" + "QAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE3MTEyNzAwMDAwMFoYDzIwMjAwMjA1MDAw" + "MDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4I" + "BDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZ" + "wGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tF" + "YIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n" + "FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN" + "7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe" + "2NAgMBAAGjgcowgccwgZAGA1UdEQSBiDCBhYIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tg" + "hUqLnBpbm5pbmcuZXhhbXBsZS5jb22CKCouaW5jbHVkZS1zdWJkb21haW5zLnBpbm5pbmcu" + "ZXhhbXBsZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5zLnBpbm5pbmcuZXhhbXBsZS5jb20" + "wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMA" + "0GCSqGSIb3DQEBCwUAA4IBAQCkguNhMyVCYhyYXfE22wNvlaobK2YRb4OGMxySIKuQ80N0X" + "lO+xpLJTs9YzFVY1+JTHNez1QfwP9KJeZznTzVzLh4sv0swx/+oUxCfLb0VIl/kdUqLkbGY" + "rAmtjeOKZLaqVtRH0BnmbPowLak1pi6nQYOU+aL9QOuvT/j3rXoimcdo6X3TK1SN2/64fGM" + "yG/pwas+JXehbReUf4n1ewk84ADtb+ew8tRAKf/uxzKUj5t/UgqDsnTWq5wUc5IJKwoHT41" + "sQnNqPg12x4+WGWiAsWCpR/hKYHFGr7rb4JTGEPAJpWcv9WtZYAvwT78a2xpHp5XNglj16I" + "jWEukvJuU1WEwEABAAAAAABAQAAAAAAAAZ4MjU1MTkAAAAOUlNBLVBTUy1TSEEyNTYBlZ+x" + "ZWUXSH+rm9iRO+Uxl650zaXNL0c/lvXwt//2LGgAAAACZgoyJpFcT/u7IImFpjLfBb3Dl5p" + "UIkzVhYlpa26W6oMAAAAAAAADjTCCA4kwggJxoAMCAQICFA1KP/RtK8+3yYlk8NIWOkyMj0" + "UiMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNVBAMMB1Rlc3QgQ0EwIhgPMjAxNzExMjcwMDAwM" + "DBaGA8yMDIwMDIwNTAwMDAwMFowGjEYMBYGA1UEAwwPVGVzdCBFbmQtZW50aXR5MIIBIjAN" + "BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz" + "1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4IC" + "mTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXk" + "D3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK" + "9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP" + "+SSP6clHEMdUDrNoYCjXtjQIDAQABo4HKMIHHMIGQBgNVHREEgYgwgYWCCWxvY2FsaG9zdI" + "INKi5leGFtcGxlLmNvbYIVKi5waW5uaW5nLmV4YW1wbGUuY29tgigqLmluY2x1ZGUtc3ViZ" + "G9tYWlucy5waW5uaW5nLmV4YW1wbGUuY29tgigqLmV4Y2x1ZGUtc3ViZG9tYWlucy5waW5u" + "aW5nLmV4YW1wbGUuY29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2x" + "vY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0BAQsFAAOCAQEApILjYTMlQmIcmF3xNtsDb5WqGy" + "tmEW+DhjMckiCrkPNDdF5TvsaSyU7PWMxVWNfiUxzXs9UH8D/SiXmc5081cy4eLL9LMMf/q" + "FMQny29FSJf5HVKi5GxmKwJrY3jimS2qlbUR9AZ5mz6MC2pNaYup0GDlPmi/UDrr0/49616" + "IpnHaOl90ytUjdv+uHxjMhv6cGrPiV3oW0XlH+J9XsJPOAA7W/nsPLUQCn/7scylI+bf1IK" + "g7J01qucFHOSCSsKB0+NbEJzaj4NdsePlhlogLFgqUf4SmBxRq+62+CUxhDwCaVnL/VrWWA" + "L8E+/GtsaR6eVzYJY9eiI1hLpLyblNVmYKMiaRXE/7uyCJhaYy3wW9w5eaVCJM1YWJaWtul" + "uqDAAAAAAAAAtcwggLTMIIBu6ADAgECAhQpoXAjALAddSApG46EBfimNiyZuDANBgkqhkiG" + "9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0IENBMCIYDzIwMTcxMTI3MDAwMDAwWhgPMjAyMDA" + "yMDUwMDAwMDBaMBIxEDAOBgNVBAMMB1Rlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDw" + "AwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm" + "24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP" + "8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFth" + "Vt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7Ly" + "JvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NA" + "gMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IB" + "AQAgyCfLAcVs/MkERxunH9pZA4ja1QWWjsxSg9KgAIfOgj8c5RPHbl4oeWk0raNKWMu5+FR" + "3/94IJeD45C3h/Y3+1HDyC6ZuzdgMXv63dk0a36JDFlPA3swqwYhnL7pHnbdcfDyWnMVfmL" + "NeAhL7QA+Vf5fJmTsxEJwFaHo9JpKoQ469RdWno6aHeK3TfiQFaebzT1MRabCJXDeyw8Oal" + "QICt0M0wx29B6HNof3px2NxKyC6qlf01wwNSaaIbsctDaLL5ZLN6T1LjpJsooMvDwRt69+S" + "Xo8SmD4YO6Wr4Q9drI3cCwVeQXwxoUuB96muQQ2M3WDiMz5ZLI3oMLu8KSPsAAA="); + + deserializeAndVerify(base64Serialization, Nothing(), Some(2)); +} + +TEST(psm_DeserializeCert, preNsIX509CertListReplacementWithFailedChain) +{ + // This was the serialized output of test "expired.example.com" + // in security/manager/ssl/tests/unit/test_cert_chains.js + // The serialized output was generated before we replace nsIX509CertList with + // Array<nsIX509Cert>, so it had the old version of transportSecurityInfo. + nsCString base64Serialization( + "FnhllAKWRHGAlo+ESXykKAAAAAAAAAAAwAAAAAAAAEaphjojH6pBabDSgSnsfLHeAAAABAA" + "AAAAAAAAA///gCwAAAAEAMQFmCjImkVxP+7sgiYWmMt8FvcOXmlQiTNWFiWlrbpbqgwAAAA" + "AAAAMgMIIDHDCCAgSgAwIBAgIUY9ERAIKj0js/YbhJoMrcLnj++uowDQYJKoZIhvcNAQELB" + "QAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDEzMDEwMTAwMDAwMFoYDzIwMTQwMTAxMDAw" + "MDAwWjAiMSAwHgYDVQQDDBdFeHBpcmVkIFRlc3QgRW5kLWVudGl0eTCCASIwDQYJKoZIhvc" + "NAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wc" + "clqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk2" + "7lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhI" + "H6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wn" + "vuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxD" + "HVA6zaGAo17Y0CAwEAAaNWMFQwHgYDVR0RBBcwFYITZXhwaXJlZC5leGFtcGxlLmNvbTAyB" + "ggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJ" + "KoZIhvcNAQELBQADggEBAImiFuy275T6b+Ud6gl/El6qpgWHUXeYiv2sp7d+HVzfT+ow5WV" + "sxI/GMKhdA43JaKT9gfMsbnP1qiI2zel3U+F7IAMO1CEr5FVdCOVTma5hmu/81rkJLmZ8RQ" + "DWWOhZKyn/7aD7TH1C1e768yCt5E2DDl8mHil9zR8BPsoXwuS3L9zJ2JqNc60+hB8l297Za" + "Sl0nbKffb47ukvn5kSJ7tI9n/fSXdj1JrukwjZP+74VkQyNobaFzDZ+Zr3QmfbejEsY2EYn" + "q8XuENgIO4DuYrm80/p6bMO6laB0Uv5W6uXZgBZdRTe1WMdYWGhmvnFFQmf+naeOOl6ryFw" + "WwtnoK7IAAAAAAAEAAAEAAQAAAAAAAAAAAAAAAZWfsWVlF0h/q5vYkTvlMZeudM2lzS9HP5" + "b18Lf/9ixoAAAAAmYKMiaRXE/7uyCJhaYy3wW9w5eaVCJM1YWJaWtuluqDAAAAAAAAAyAwg" + "gMcMIICBKADAgECAhRj0REAgqPSOz9huEmgytwueP766jANBgkqhkiG9w0BAQsFADASMRAw" + "DgYDVQQDDAdUZXN0IENBMCIYDzIwMTMwMTAxMDAwMDAwWhgPMjAxNDAxMDEwMDAwMDBaMCI" + "xIDAeBgNVBAMMF0V4cGlyZWQgVGVzdCBFbmQtZW50aXR5MIIBIjANBgkqhkiG9w0BAQEFAA" + "OCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngfv" + "bGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO" + "7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEP" + "vJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naO" + "Gzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYC" + "jXtjQIDAQABo1YwVDAeBgNVHREEFzAVghNleHBpcmVkLmV4YW1wbGUuY29tMDIGCCsGAQUF" + "BwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0" + "BAQsFAAOCAQEAiaIW7LbvlPpv5R3qCX8SXqqmBYdRd5iK/aynt34dXN9P6jDlZWzEj8YwqF" + "0DjclopP2B8yxuc/WqIjbN6XdT4XsgAw7UISvkVV0I5VOZrmGa7/zWuQkuZnxFANZY6FkrK" + "f/toPtMfULV7vrzIK3kTYMOXyYeKX3NHwE+yhfC5Lcv3MnYmo1zrT6EHyXb3tlpKXSdsp99" + "vju6S+fmRInu0j2f99Jd2PUmu6TCNk/7vhWRDI2htoXMNn5mvdCZ9t6MSxjYRierxe4Q2Ag" + "7gO5iubzT+npsw7qVoHRS/lbq5dmAFl1FN7VYx1hYaGa+cUVCZ/6dp446XqvIXBbC2egrsm" + "YKMiaRXE/7uyCJhaYy3wW9w5eaVCJM1YWJaWtuluqDAAAAAAAAAtcwggLTMIIBu6ADAgECA" + "hQpoXAjALAddSApG46EBfimNiyZuDANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0" + "IENBMCIYDzIwMTcxMTI3MDAwMDAwWhgPMjAyMDAyMDUwMDAwMDBaMBIxEDAOBgNVBAMMB1R" + "lc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBj" + "YQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJ" + "JwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw" + "JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7f" + "ilhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL" + "8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wC" + "wYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQAgyCfLAcVs/MkERxunH9pZA4ja1QWW" + "jsxSg9KgAIfOgj8c5RPHbl4oeWk0raNKWMu5+FR3/94IJeD45C3h/Y3+1HDyC6ZuzdgMXv6" + "3dk0a36JDFlPA3swqwYhnL7pHnbdcfDyWnMVfmLNeAhL7QA+Vf5fJmTsxEJwFaHo9JpKoQ4" + "69RdWno6aHeK3TfiQFaebzT1MRabCJXDeyw8OalQICt0M0wx29B6HNof3px2NxKyC6qlf01" + "wwNSaaIbsctDaLL5ZLN6T1LjpJsooMvDwRt69+SXo8SmD4YO6Wr4Q9drI3cCwVeQXwxoUuB" + "96muQQ2M3WDiMz5ZLI3oMLu8KSPs"); + + deserializeAndVerify(base64Serialization, Some(2)); +} + +TEST(psm_DeserializeCert, preNsIX509CertListReplacementWithFailedChainV2) +{ + // Same as the above test, however, this is the v2 version of the + // serialization. + nsCString base64Serialization( + "FnhllAKWRHGAlo+ESXykKAAAAAAAAAAAwAAAAAAAAEaphjojH6pBabDSgSnsfLHeAAAABAA" + "AAAAAAAAA///gCwAAAAEAMgFmCjImkVxP+7sgiYWmMt8FvcOXmlQiTNWFiWlrbpbqgwAAAA" + "AAAAMgMIIDHDCCAgSgAwIBAgIUY9ERAIKj0js/YbhJoMrcLnj++uowDQYJKoZIhvcNAQELB" + "QAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDEzMDEwMTAwMDAwMFoYDzIwMTQwMTAxMDAw" + "MDAwWjAiMSAwHgYDVQQDDBdFeHBpcmVkIFRlc3QgRW5kLWVudGl0eTCCASIwDQYJKoZIhvc" + "NAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wc" + "clqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk2" + "7lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhI" + "H6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wn" + "vuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxD" + "HVA6zaGAo17Y0CAwEAAaNWMFQwHgYDVR0RBBcwFYITZXhwaXJlZC5leGFtcGxlLmNvbTAyB" + "ggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJ" + "KoZIhvcNAQELBQADggEBAImiFuy275T6b+Ud6gl/El6qpgWHUXeYiv2sp7d+HVzfT+ow5WV" + "sxI/GMKhdA43JaKT9gfMsbnP1qiI2zel3U+F7IAMO1CEr5FVdCOVTma5hmu/81rkJLmZ8RQ" + "DWWOhZKyn/7aD7TH1C1e768yCt5E2DDl8mHil9zR8BPsoXwuS3L9zJ2JqNc60+hB8l297Za" + "Sl0nbKffb47ukvn5kSJ7tI9n/fSXdj1JrukwjZP+74VkQyNobaFzDZ+Zr3QmfbejEsY2EYn" + "q8XuENgIO4DuYrm80/p6bMO6laB0Uv5W6uXZgBZdRTe1WMdYWGhmvnFFQmf+naeOOl6ryFw" + "WwtnoK7IAAAAAAAEAAAEAAQAAAAAAAAAAAAAAAZWfsWVlF0h/q5vYkTvlMZeudM2lzS9HP5" + "b18Lf/9ixoAAAAAmYKMiaRXE/7uyCJhaYy3wW9w5eaVCJM1YWJaWtuluqDAAAAAAAAAyAwg" + "gMcMIICBKADAgECAhRj0REAgqPSOz9huEmgytwueP766jANBgkqhkiG9w0BAQsFADASMRAw" + "DgYDVQQDDAdUZXN0IENBMCIYDzIwMTMwMTAxMDAwMDAwWhgPMjAxNDAxMDEwMDAwMDBaMCI" + "xIDAeBgNVBAMMF0V4cGlyZWQgVGVzdCBFbmQtZW50aXR5MIIBIjANBgkqhkiG9w0BAQEFAA" + "OCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngfv" + "bGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO" + "7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEP" + "vJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naO" + "Gzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYC" + "jXtjQIDAQABo1YwVDAeBgNVHREEFzAVghNleHBpcmVkLmV4YW1wbGUuY29tMDIGCCsGAQUF" + "BwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0" + "BAQsFAAOCAQEAiaIW7LbvlPpv5R3qCX8SXqqmBYdRd5iK/aynt34dXN9P6jDlZWzEj8YwqF" + "0DjclopP2B8yxuc/WqIjbN6XdT4XsgAw7UISvkVV0I5VOZrmGa7/zWuQkuZnxFANZY6FkrK" + "f/toPtMfULV7vrzIK3kTYMOXyYeKX3NHwE+yhfC5Lcv3MnYmo1zrT6EHyXb3tlpKXSdsp99" + "vju6S+fmRInu0j2f99Jd2PUmu6TCNk/7vhWRDI2htoXMNn5mvdCZ9t6MSxjYRierxe4Q2Ag" + "7gO5iubzT+npsw7qVoHRS/lbq5dmAFl1FN7VYx1hYaGa+cUVCZ/6dp446XqvIXBbC2egrsm" + "YKMiaRXE/7uyCJhaYy3wW9w5eaVCJM1YWJaWtuluqDAAAAAAAAAtcwggLTMIIBu6ADAgECA" + "hQpoXAjALAddSApG46EBfimNiyZuDANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0" + "IENBMCIYDzIwMTcxMTI3MDAwMDAwWhgPMjAyMDAyMDUwMDAwMDBaMBIxEDAOBgNVBAMMB1R" + "lc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBj" + "YQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJ" + "JwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw" + "JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7f" + "ilhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL" + "8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wC" + "wYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQAgyCfLAcVs/MkERxunH9pZA4ja1QWW" + "jsxSg9KgAIfOgj8c5RPHbl4oeWk0raNKWMu5+FR3/94IJeD45C3h/Y3+1HDyC6ZuzdgMXv6" + "3dk0a36JDFlPA3swqwYhnL7pHnbdcfDyWnMVfmLNeAhL7QA+Vf5fJmTsxEJwFaHo9JpKoQ4" + "69RdWno6aHeK3TfiQFaebzT1MRabCJXDeyw8OalQICt0M0wx29B6HNof3px2NxKyC6qlf01" + "wwNSaaIbsctDaLL5ZLN6T1LjpJsooMvDwRt69+SXo8SmD4YO6Wr4Q9drI3cCwVeQXwxoUuB" + "96muQQ2M3WDiMz5ZLI3oMLu8KSPsAA=="); + + deserializeAndVerify(base64Serialization, Some(2)); +} diff --git a/security/manager/ssl/tests/gtest/HMACTest.cpp b/security/manager/ssl/tests/gtest/HMACTest.cpp new file mode 100644 index 0000000000..434a52d3f0 --- /dev/null +++ b/security/manager/ssl/tests/gtest/HMACTest.cpp @@ -0,0 +1,62 @@ +#include <string> +#include "gtest/gtest.h" + +#include "ScopedNSSTypes.h" +#include "mozilla/gtest/MozAssertions.h" +#include "mozilla/Span.h" +#include "nss.h" +#include "secoidt.h" + +// From RFC 2202 +const unsigned char kTestKey[] = "Jefe"; +const unsigned char kTestInput[] = "what do ya want for nothing?"; + +struct HMACTestCase { + SECOidTag hashAlg; + std::string expectedOutput; +}; + +#define EXPECTED_RESULT(val) std::string(val, sizeof(val) - 1) + +static const HMACTestCase HMACTestCases[] = { + { + SEC_OID_MD5, + EXPECTED_RESULT( + "\x75\x0c\x78\x3e\x6a\xb0\xb5\x03\xea\xa8\x6e\x31\x0a\x5d\xb7\x38"), + }, + { + SEC_OID_SHA256, + EXPECTED_RESULT( + "\x5b\xdc\xc1\x46\xbf\x60\x75\x4e\x6a\x04\x24\x26\x08\x95\x75\xc7" + "\x5a\x00\x3f\x08\x9d\x27\x39\x83\x9d\xec\x58\xb9\x64\xec\x38\x43"), + }, +}; + +#undef EXPECTED_RESULT + +class psm_HMAC : public ::testing::Test, + public ::testing::WithParamInterface<HMACTestCase> { + public: + void SetUp() override { NSS_NoDB_Init(nullptr); } +}; + +TEST_P(psm_HMAC, Test) { + mozilla::HMAC hmac; + const HMACTestCase& testCase(GetParam()); + nsresult rv = hmac.Begin(testCase.hashAlg, + mozilla::Span(kTestKey, sizeof(kTestKey) - 1)); + ASSERT_NS_SUCCEEDED(rv); + rv = hmac.Update(reinterpret_cast<const unsigned char*>(kTestInput), + sizeof(kTestInput) - 1); + ASSERT_NS_SUCCEEDED(rv); + nsTArray<uint8_t> output; + rv = hmac.End(output); + ASSERT_NS_SUCCEEDED(rv); + EXPECT_EQ(output.Length(), testCase.expectedOutput.length()); + for (size_t i = 0; i < output.Length(); i++) { + EXPECT_EQ(char(output[i]), testCase.expectedOutput[i]); + } +} + +INSTANTIATE_TEST_SUITE_P(psm_HMAC, psm_HMAC, + ::testing::ValuesIn(HMACTestCases)); diff --git a/security/manager/ssl/tests/gtest/MD4Test.cpp b/security/manager/ssl/tests/gtest/MD4Test.cpp new file mode 100644 index 0000000000..0dfc938358 --- /dev/null +++ b/security/manager/ssl/tests/gtest/MD4Test.cpp @@ -0,0 +1,62 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +// This file tests the md4.c implementation. + +#include "gtest/gtest.h" +#include "md4.h" +#include "mozilla/ArrayUtils.h" +#include "mozilla/Casting.h" + +struct RFC1320TestParams { + const char* data; + const uint8_t expectedHash[16]; +}; + +static const RFC1320TestParams RFC1320_TEST_PARAMS[] = { + {"", + {0x31, 0xd6, 0xcf, 0xe0, 0xd1, 0x6a, 0xe9, 0x31, 0xb7, 0x3c, 0x59, 0xd7, + 0xe0, 0xc0, 0x89, 0xc0}}, + {"a", + {0xbd, 0xe5, 0x2c, 0xb3, 0x1d, 0xe3, 0x3e, 0x46, 0x24, 0x5e, 0x05, 0xfb, + 0xdb, 0xd6, 0xfb, 0x24}}, + {"abc", + {0xa4, 0x48, 0x01, 0x7a, 0xaf, 0x21, 0xd8, 0x52, 0x5f, 0xc1, 0x0a, 0xe8, + 0x7a, 0xa6, 0x72, 0x9d}}, + {"message digest", + {0xd9, 0x13, 0x0a, 0x81, 0x64, 0x54, 0x9f, 0xe8, 0x18, 0x87, 0x48, 0x06, + 0xe1, 0xc7, 0x01, 0x4b}}, + { + "abcdefghijklmnopqrstuvwxyz", + {0xd7, 0x9e, 0x1c, 0x30, 0x8a, 0xa5, 0xbb, 0xcd, 0xee, 0xa8, 0xed, 0x63, + 0xdf, 0x41, 0x2d, 0xa9}, + }, + { + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", + {0x04, 0x3f, 0x85, 0x82, 0xf2, 0x41, 0xdb, 0x35, 0x1c, 0xe6, 0x27, 0xe1, + 0x53, 0xe7, 0xf0, 0xe4}, + }, + { + "1234567890123456789012345678901234567890123456789012345678901234567890" + "1234567890", + {0xe3, 0x3b, 0x4d, 0xdc, 0x9c, 0x38, 0xf2, 0x19, 0x9c, 0x3e, 0x7b, 0x16, + 0x4f, 0xcc, 0x05, 0x36}, + }}; + +class psm_MD4 : public ::testing::Test, + public ::testing::WithParamInterface<RFC1320TestParams> {}; + +TEST_P(psm_MD4, RFC1320TestValues) { + const RFC1320TestParams& params(GetParam()); + uint8_t actualHash[16]; + md4sum(mozilla::BitwiseCast<const uint8_t*, const char*>(params.data), + strlen(params.data), actualHash); + EXPECT_TRUE(mozilla::ArrayEqual(actualHash, params.expectedHash)) + << "MD4 hashes aren't equal for input: '" << params.data << "'"; +} + +INSTANTIATE_TEST_SUITE_P(psm_MD4, psm_MD4, + testing::ValuesIn(RFC1320_TEST_PARAMS)); diff --git a/security/manager/ssl/tests/gtest/OCSPCacheTest.cpp b/security/manager/ssl/tests/gtest/OCSPCacheTest.cpp new file mode 100644 index 0000000000..23d0cefc2b --- /dev/null +++ b/security/manager/ssl/tests/gtest/OCSPCacheTest.cpp @@ -0,0 +1,357 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "CertVerifier.h" +#include "OCSPCache.h" +#include "gtest/gtest.h" +#include "mozilla/BasePrincipal.h" +#include "mozilla/Casting.h" +#include "mozilla/Preferences.h" +#include "mozilla/Sprintf.h" +#include "nss.h" +#include "mozpkix/pkixtypes.h" +#include "mozpkix/test/pkixtestutil.h" +#include "prerr.h" +#include "secerr.h" + +using namespace mozilla::pkix; +using namespace mozilla::pkix::test; + +using mozilla::OriginAttributes; + +template <size_t N> +inline Input LiteralInput(const char (&valueString)[N]) { + // Ideally we would use mozilla::BitwiseCast() here rather than + // reinterpret_cast for better type checking, but the |N - 1| part trips + // static asserts. + return Input(reinterpret_cast<const uint8_t(&)[N - 1]>(valueString)); +} + +const int MaxCacheEntries = 1024; + +class psm_OCSPCacheTest : public ::testing::Test { + protected: + psm_OCSPCacheTest() : now(Now()) {} + + static void SetUpTestCase() { NSS_NoDB_Init(nullptr); } + + const Time now; + mozilla::psm::OCSPCache cache; +}; + +static void PutAndGet( + mozilla::psm::OCSPCache& cache, const CertID& certID, Result result, + Time time, const OriginAttributes& originAttributes = OriginAttributes()) { + // The first time is thisUpdate. The second is validUntil. + // The caller is expecting the validUntil returned with Get + // to be equal to the passed-in time. Since these values will + // be different in practice, make thisUpdate less than validUntil. + Time thisUpdate(time); + ASSERT_EQ(Success, thisUpdate.SubtractSeconds(10)); + Result rv = cache.Put(certID, originAttributes, result, thisUpdate, time); + ASSERT_TRUE(rv == Success); + Result resultOut; + Time timeOut(Time::uninitialized); + ASSERT_TRUE(cache.Get(certID, originAttributes, resultOut, timeOut)); + ASSERT_EQ(result, resultOut); + ASSERT_EQ(time, timeOut); +} + +Input fakeIssuer1(LiteralInput("CN=issuer1")); +Input fakeKey000(LiteralInput("key000")); +Input fakeKey001(LiteralInput("key001")); +Input fakeSerial0000(LiteralInput("0000")); + +TEST_F(psm_OCSPCacheTest, TestPutAndGet) { + Input fakeSerial000(LiteralInput("000")); + Input fakeSerial001(LiteralInput("001")); + + SCOPED_TRACE(""); + PutAndGet(cache, CertID(fakeIssuer1, fakeKey000, fakeSerial001), Success, + now); + Result resultOut; + Time timeOut(Time::uninitialized); + ASSERT_FALSE(cache.Get(CertID(fakeIssuer1, fakeKey001, fakeSerial000), + OriginAttributes(), resultOut, timeOut)); +} + +TEST_F(psm_OCSPCacheTest, TestVariousGets) { + SCOPED_TRACE(""); + for (int i = 0; i < MaxCacheEntries; i++) { + uint8_t serialBuf[8]; + snprintf(mozilla::BitwiseCast<char*, uint8_t*>(serialBuf), + sizeof(serialBuf), "%04d", i); + Input fakeSerial; + ASSERT_EQ(Success, fakeSerial.Init(serialBuf, 4)); + Time timeIn(now); + ASSERT_EQ(Success, timeIn.AddSeconds(i)); + PutAndGet(cache, CertID(fakeIssuer1, fakeKey000, fakeSerial), Success, + timeIn); + } + + Time timeIn(now); + Result resultOut; + Time timeOut(Time::uninitialized); + + // This will be at the end of the list in the cache + CertID cert0000(fakeIssuer1, fakeKey000, fakeSerial0000); + ASSERT_TRUE(cache.Get(cert0000, OriginAttributes(), resultOut, timeOut)); + ASSERT_EQ(Success, resultOut); + ASSERT_EQ(timeIn, timeOut); + // Once we access it, it goes to the front + ASSERT_TRUE(cache.Get(cert0000, OriginAttributes(), resultOut, timeOut)); + ASSERT_EQ(Success, resultOut); + ASSERT_EQ(timeIn, timeOut); + + // This will be in the middle + Time timeInPlus512(now); + ASSERT_EQ(Success, timeInPlus512.AddSeconds(512)); + + static const Input fakeSerial0512(LiteralInput("0512")); + CertID cert0512(fakeIssuer1, fakeKey000, fakeSerial0512); + ASSERT_TRUE(cache.Get(cert0512, OriginAttributes(), resultOut, timeOut)); + ASSERT_EQ(Success, resultOut); + ASSERT_EQ(timeInPlus512, timeOut); + ASSERT_TRUE(cache.Get(cert0512, OriginAttributes(), resultOut, timeOut)); + ASSERT_EQ(Success, resultOut); + ASSERT_EQ(timeInPlus512, timeOut); + + // We've never seen this certificate + static const Input fakeSerial1111(LiteralInput("1111")); + ASSERT_FALSE(cache.Get(CertID(fakeIssuer1, fakeKey000, fakeSerial1111), + OriginAttributes(), resultOut, timeOut)); +} + +TEST_F(psm_OCSPCacheTest, TestEviction) { + SCOPED_TRACE(""); + // By putting more distinct entries in the cache than it can hold, + // we cause the least recently used entry to be evicted. + for (int i = 0; i < MaxCacheEntries + 1; i++) { + uint8_t serialBuf[8]; + snprintf(mozilla::BitwiseCast<char*, uint8_t*>(serialBuf), + sizeof(serialBuf), "%04d", i); + Input fakeSerial; + ASSERT_EQ(Success, fakeSerial.Init(serialBuf, 4)); + Time timeIn(now); + ASSERT_EQ(Success, timeIn.AddSeconds(i)); + PutAndGet(cache, CertID(fakeIssuer1, fakeKey000, fakeSerial), Success, + timeIn); + } + + Result resultOut; + Time timeOut(Time::uninitialized); + ASSERT_FALSE(cache.Get(CertID(fakeIssuer1, fakeKey001, fakeSerial0000), + OriginAttributes(), resultOut, timeOut)); +} + +TEST_F(psm_OCSPCacheTest, TestNoEvictionForRevokedResponses) { + SCOPED_TRACE(""); + CertID notEvicted(fakeIssuer1, fakeKey000, fakeSerial0000); + Time timeIn(now); + PutAndGet(cache, notEvicted, Result::ERROR_REVOKED_CERTIFICATE, timeIn); + // By putting more distinct entries in the cache than it can hold, + // we cause the least recently used entry that isn't revoked to be evicted. + for (int i = 1; i < MaxCacheEntries + 1; i++) { + uint8_t serialBuf[8]; + snprintf(mozilla::BitwiseCast<char*, uint8_t*>(serialBuf), + sizeof(serialBuf), "%04d", i); + Input fakeSerial; + ASSERT_EQ(Success, fakeSerial.Init(serialBuf, 4)); + Time timeIn(now); + ASSERT_EQ(Success, timeIn.AddSeconds(i)); + PutAndGet(cache, CertID(fakeIssuer1, fakeKey000, fakeSerial), Success, + timeIn); + } + Result resultOut; + Time timeOut(Time::uninitialized); + ASSERT_TRUE(cache.Get(notEvicted, OriginAttributes(), resultOut, timeOut)); + ASSERT_EQ(Result::ERROR_REVOKED_CERTIFICATE, resultOut); + ASSERT_EQ(timeIn, timeOut); + + Input fakeSerial0001(LiteralInput("0001")); + CertID evicted(fakeIssuer1, fakeKey000, fakeSerial0001); + ASSERT_FALSE(cache.Get(evicted, OriginAttributes(), resultOut, timeOut)); +} + +TEST_F(psm_OCSPCacheTest, TestEverythingIsRevoked) { + SCOPED_TRACE(""); + Time timeIn(now); + // Fill up the cache with revoked responses. + for (int i = 0; i < MaxCacheEntries; i++) { + uint8_t serialBuf[8]; + snprintf(mozilla::BitwiseCast<char*, uint8_t*>(serialBuf), + sizeof(serialBuf), "%04d", i); + Input fakeSerial; + ASSERT_EQ(Success, fakeSerial.Init(serialBuf, 4)); + Time timeIn(now); + ASSERT_EQ(Success, timeIn.AddSeconds(i)); + PutAndGet(cache, CertID(fakeIssuer1, fakeKey000, fakeSerial), + Result::ERROR_REVOKED_CERTIFICATE, timeIn); + } + static const Input fakeSerial1025(LiteralInput("1025")); + CertID good(fakeIssuer1, fakeKey000, fakeSerial1025); + // This will "succeed", allowing verification to continue. However, + // nothing was actually put in the cache. + Time timeInPlus1025(timeIn); + ASSERT_EQ(Success, timeInPlus1025.AddSeconds(1025)); + Time timeInPlus1025Minus50(timeInPlus1025); + ASSERT_EQ(Success, timeInPlus1025Minus50.SubtractSeconds(50)); + Result result = cache.Put(good, OriginAttributes(), Success, + timeInPlus1025Minus50, timeInPlus1025); + ASSERT_EQ(Success, result); + Result resultOut; + Time timeOut(Time::uninitialized); + ASSERT_FALSE(cache.Get(good, OriginAttributes(), resultOut, timeOut)); + + static const Input fakeSerial1026(LiteralInput("1026")); + CertID revoked(fakeIssuer1, fakeKey000, fakeSerial1026); + // This will fail, causing verification to fail. + Time timeInPlus1026(timeIn); + ASSERT_EQ(Success, timeInPlus1026.AddSeconds(1026)); + Time timeInPlus1026Minus50(timeInPlus1026); + ASSERT_EQ(Success, timeInPlus1026Minus50.SubtractSeconds(50)); + result = + cache.Put(revoked, OriginAttributes(), Result::ERROR_REVOKED_CERTIFICATE, + timeInPlus1026Minus50, timeInPlus1026); + ASSERT_EQ(Result::ERROR_REVOKED_CERTIFICATE, result); +} + +TEST_F(psm_OCSPCacheTest, VariousIssuers) { + SCOPED_TRACE(""); + Time timeIn(now); + static const Input fakeIssuer2(LiteralInput("CN=issuer2")); + static const Input fakeSerial001(LiteralInput("001")); + CertID subject(fakeIssuer1, fakeKey000, fakeSerial001); + PutAndGet(cache, subject, Success, now); + Result resultOut; + Time timeOut(Time::uninitialized); + ASSERT_TRUE(cache.Get(subject, OriginAttributes(), resultOut, timeOut)); + ASSERT_EQ(Success, resultOut); + ASSERT_EQ(timeIn, timeOut); + // Test that we don't match a different issuer DN + ASSERT_FALSE(cache.Get(CertID(fakeIssuer2, fakeKey000, fakeSerial001), + OriginAttributes(), resultOut, timeOut)); + // Test that we don't match a different issuer key + ASSERT_FALSE(cache.Get(CertID(fakeIssuer1, fakeKey001, fakeSerial001), + OriginAttributes(), resultOut, timeOut)); +} + +TEST_F(psm_OCSPCacheTest, Times) { + SCOPED_TRACE(""); + CertID certID(fakeIssuer1, fakeKey000, fakeSerial0000); + PutAndGet(cache, certID, Result::ERROR_OCSP_UNKNOWN_CERT, + TimeFromElapsedSecondsAD(100)); + PutAndGet(cache, certID, Success, TimeFromElapsedSecondsAD(200)); + // This should not override the more recent entry. + ASSERT_EQ( + Success, + cache.Put(certID, OriginAttributes(), Result::ERROR_OCSP_UNKNOWN_CERT, + TimeFromElapsedSecondsAD(100), TimeFromElapsedSecondsAD(100))); + Result resultOut; + Time timeOut(Time::uninitialized); + ASSERT_TRUE(cache.Get(certID, OriginAttributes(), resultOut, timeOut)); + // Here we see the more recent time. + ASSERT_EQ(Success, resultOut); + ASSERT_EQ(TimeFromElapsedSecondsAD(200), timeOut); + + // Result::ERROR_REVOKED_CERTIFICATE overrides everything + PutAndGet(cache, certID, Result::ERROR_REVOKED_CERTIFICATE, + TimeFromElapsedSecondsAD(50)); +} + +TEST_F(psm_OCSPCacheTest, NetworkFailure) { + SCOPED_TRACE(""); + CertID certID(fakeIssuer1, fakeKey000, fakeSerial0000); + PutAndGet(cache, certID, Result::ERROR_CONNECT_REFUSED, + TimeFromElapsedSecondsAD(100)); + PutAndGet(cache, certID, Success, TimeFromElapsedSecondsAD(200)); + // This should not override the already present entry. + ASSERT_EQ( + Success, + cache.Put(certID, OriginAttributes(), Result::ERROR_CONNECT_REFUSED, + TimeFromElapsedSecondsAD(300), TimeFromElapsedSecondsAD(350))); + Result resultOut; + Time timeOut(Time::uninitialized); + ASSERT_TRUE(cache.Get(certID, OriginAttributes(), resultOut, timeOut)); + ASSERT_EQ(Success, resultOut); + ASSERT_EQ(TimeFromElapsedSecondsAD(200), timeOut); + + PutAndGet(cache, certID, Result::ERROR_OCSP_UNKNOWN_CERT, + TimeFromElapsedSecondsAD(400)); + // This should not override the already present entry. + ASSERT_EQ( + Success, + cache.Put(certID, OriginAttributes(), Result::ERROR_CONNECT_REFUSED, + TimeFromElapsedSecondsAD(500), TimeFromElapsedSecondsAD(550))); + ASSERT_TRUE(cache.Get(certID, OriginAttributes(), resultOut, timeOut)); + ASSERT_EQ(Result::ERROR_OCSP_UNKNOWN_CERT, resultOut); + ASSERT_EQ(TimeFromElapsedSecondsAD(400), timeOut); + + PutAndGet(cache, certID, Result::ERROR_REVOKED_CERTIFICATE, + TimeFromElapsedSecondsAD(600)); + // This should not override the already present entry. + ASSERT_EQ( + Success, + cache.Put(certID, OriginAttributes(), Result::ERROR_CONNECT_REFUSED, + TimeFromElapsedSecondsAD(700), TimeFromElapsedSecondsAD(750))); + ASSERT_TRUE(cache.Get(certID, OriginAttributes(), resultOut, timeOut)); + ASSERT_EQ(Result::ERROR_REVOKED_CERTIFICATE, resultOut); + ASSERT_EQ(TimeFromElapsedSecondsAD(600), timeOut); +} + +TEST_F(psm_OCSPCacheTest, TestOriginAttributes) { + CertID certID(fakeIssuer1, fakeKey000, fakeSerial0000); + + // We test two attributes, firstPartyDomain and partitionKey, respectively + // because we don't have entries that have both attributes set because the two + // features that use these attributes are mutually exclusive. + + // Set pref for OCSP cache network partitioning. + mozilla::Preferences::SetBool("privacy.partition.network_state.ocsp_cache", + true); + + SCOPED_TRACE(""); + OriginAttributes attrs; + attrs.mFirstPartyDomain.AssignLiteral("foo.com"); + PutAndGet(cache, certID, Success, now, attrs); + + Result resultOut; + Time timeOut(Time::uninitialized); + attrs.mFirstPartyDomain.AssignLiteral("bar.com"); + ASSERT_FALSE(cache.Get(certID, attrs, resultOut, timeOut)); + + // OCSP cache should not be isolated by containers for firstPartyDomain. + attrs.mUserContextId = 1; + attrs.mFirstPartyDomain.AssignLiteral("foo.com"); + ASSERT_TRUE(cache.Get(certID, attrs, resultOut, timeOut)); + + // Clear originAttributes. + attrs.mUserContextId = 0; + attrs.mFirstPartyDomain.Truncate(); + + // Add OCSP cache for the partitionKey. + attrs.mPartitionKey.AssignLiteral("(https,foo.com)"); + PutAndGet(cache, certID, Success, now, attrs); + + // Check cache entry for the partitionKey. + attrs.mPartitionKey.AssignLiteral("(https,foo.com)"); + ASSERT_TRUE(cache.Get(certID, attrs, resultOut, timeOut)); + + // OCSP cache entry should not exist for the other partitionKey. + attrs.mPartitionKey.AssignLiteral("(https,bar.com)"); + ASSERT_FALSE(cache.Get(certID, attrs, resultOut, timeOut)); + + // OCSP cache should not be isolated by containers for partitonKey. + attrs.mUserContextId = 1; + attrs.mPartitionKey.AssignLiteral("(https,foo.com)"); + ASSERT_TRUE(cache.Get(certID, attrs, resultOut, timeOut)); + + // OCSP cache should not exist for the OAs which has both attributes set. + attrs.mUserContextId = 0; + attrs.mFirstPartyDomain.AssignLiteral("foo.com"); + attrs.mPartitionKey.AssignLiteral("(https,foo.com)"); + ASSERT_FALSE(cache.Get(certID, attrs, resultOut, timeOut)); +} diff --git a/security/manager/ssl/tests/gtest/README.txt b/security/manager/ssl/tests/gtest/README.txt new file mode 100644 index 0000000000..0e51322690 --- /dev/null +++ b/security/manager/ssl/tests/gtest/README.txt @@ -0,0 +1,2 @@ +Please name all test cases in this directory with the prefix "psm". This makes +it easier to run all PSM related GTests at once. diff --git a/security/manager/ssl/tests/gtest/TLSIntoleranceTest.cpp b/security/manager/ssl/tests/gtest/TLSIntoleranceTest.cpp new file mode 100644 index 0000000000..0c9d3ef60d --- /dev/null +++ b/security/manager/ssl/tests/gtest/TLSIntoleranceTest.cpp @@ -0,0 +1,383 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsNSSIOLayer.h" +#include "sslproto.h" +#include "sslerr.h" + +#include "gtest/gtest.h" + +constexpr auto HOST = "example.org"_ns; +const int16_t PORT = 443; + +class psm_TLSIntoleranceTest : public ::testing::Test { + protected: + nsSSLIOLayerHelpers helpers; +}; + +TEST_F(psm_TLSIntoleranceTest, FullFallbackProcess) { + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, helpers.mVersionFallbackLimit); + + // No adjustment made when there is no entry for the site. + { + SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0, + SSL_LIBRARY_VERSION_TLS_1_2}; + helpers.adjustForTLSIntolerance(HOST, PORT, range); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max); + } + + { + SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0, + SSL_LIBRARY_VERSION_TLS_1_2}; + helpers.adjustForTLSIntolerance(HOST, PORT, range); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max); + + ASSERT_TRUE(helpers.rememberIntolerantAtVersion(HOST, PORT, range.min, + range.max, 0)); + } + + { + SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0, + SSL_LIBRARY_VERSION_TLS_1_2}; + helpers.adjustForTLSIntolerance(HOST, PORT, range); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_1, range.max); + + ASSERT_TRUE(helpers.rememberIntolerantAtVersion(HOST, PORT, range.min, + range.max, 0)); + } + + { + SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0, + SSL_LIBRARY_VERSION_TLS_1_2}; + helpers.adjustForTLSIntolerance(HOST, PORT, range); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.max); + + ASSERT_FALSE(helpers.rememberIntolerantAtVersion(HOST, PORT, range.min, + range.max, 0)); + } + + { + SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0, + SSL_LIBRARY_VERSION_TLS_1_2}; + helpers.adjustForTLSIntolerance(HOST, PORT, range); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min); + // When rememberIntolerantAtVersion returns false, it also resets the + // intolerance information for the server. + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max); + } +} + +TEST_F(psm_TLSIntoleranceTest, DisableFallbackWithHighLimit) { + // this value disables version fallback entirely: with this value, all efforts + // to mark an origin as version intolerant fail + helpers.mVersionFallbackLimit = SSL_LIBRARY_VERSION_TLS_1_2; + ASSERT_FALSE(helpers.rememberIntolerantAtVersion( + HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2, 0)); + ASSERT_FALSE(helpers.rememberIntolerantAtVersion( + HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_1, 0)); + ASSERT_FALSE(helpers.rememberIntolerantAtVersion( + HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_0, 0)); +} + +TEST_F(psm_TLSIntoleranceTest, FallbackLimitBelowMin) { + // check that we still respect the minimum version, + // when it is higher than the fallback limit + ASSERT_TRUE(helpers.rememberIntolerantAtVersion( + HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_1, SSL_LIBRARY_VERSION_TLS_1_2, 0)); + { + SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0, + SSL_LIBRARY_VERSION_TLS_1_2}; + helpers.adjustForTLSIntolerance(HOST, PORT, range); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_1, range.max); + } + + ASSERT_FALSE(helpers.rememberIntolerantAtVersion( + HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_1, SSL_LIBRARY_VERSION_TLS_1_1, 0)); +} + +TEST_F(psm_TLSIntoleranceTest, TolerantOverridesIntolerant1) { + ASSERT_TRUE(helpers.rememberIntolerantAtVersion( + HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_1, 0)); + helpers.rememberTolerantAtVersion(HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_1); + SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0, + SSL_LIBRARY_VERSION_TLS_1_2}; + helpers.adjustForTLSIntolerance(HOST, PORT, range); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_1, range.max); +} + +TEST_F(psm_TLSIntoleranceTest, TolerantOverridesIntolerant2) { + ASSERT_TRUE(helpers.rememberIntolerantAtVersion( + HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_1, 0)); + helpers.rememberTolerantAtVersion(HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_2); + SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0, + SSL_LIBRARY_VERSION_TLS_1_2}; + helpers.adjustForTLSIntolerance(HOST, PORT, range); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max); +} + +TEST_F(psm_TLSIntoleranceTest, IntolerantDoesNotOverrideTolerant) { + // No adjustment made when there is no entry for the site. + helpers.rememberTolerantAtVersion(HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_1); + // false because we reached the floor set by rememberTolerantAtVersion. + ASSERT_FALSE(helpers.rememberIntolerantAtVersion( + HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_1, 0)); + SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0, + SSL_LIBRARY_VERSION_TLS_1_2}; + helpers.adjustForTLSIntolerance(HOST, PORT, range); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max); +} + +TEST_F(psm_TLSIntoleranceTest, PortIsRelevant) { + helpers.rememberTolerantAtVersion(HOST, 1, SSL_LIBRARY_VERSION_TLS_1_2); + ASSERT_FALSE(helpers.rememberIntolerantAtVersion( + HOST, 1, SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2, 0)); + ASSERT_TRUE(helpers.rememberIntolerantAtVersion( + HOST, 2, SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2, 0)); + + { + SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0, + SSL_LIBRARY_VERSION_TLS_1_2}; + helpers.adjustForTLSIntolerance(HOST, 1, range); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max); + } + + { + SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0, + SSL_LIBRARY_VERSION_TLS_1_2}; + helpers.adjustForTLSIntolerance(HOST, 2, range); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_1, range.max); + } +} + +TEST_F(psm_TLSIntoleranceTest, IntoleranceReasonInitial) { + ASSERT_EQ(0, helpers.getIntoleranceReason(HOST, 1)); + + helpers.rememberTolerantAtVersion(HOST, 2, SSL_LIBRARY_VERSION_TLS_1_2); + ASSERT_EQ(0, helpers.getIntoleranceReason(HOST, 2)); +} + +TEST_F(psm_TLSIntoleranceTest, IntoleranceReasonStored) { + helpers.rememberIntolerantAtVersion(HOST, 1, SSL_LIBRARY_VERSION_TLS_1_0, + SSL_LIBRARY_VERSION_TLS_1_2, + SSL_ERROR_BAD_SERVER); + ASSERT_EQ(SSL_ERROR_BAD_SERVER, helpers.getIntoleranceReason(HOST, 1)); + + helpers.rememberIntolerantAtVersion(HOST, 1, SSL_LIBRARY_VERSION_TLS_1_0, + SSL_LIBRARY_VERSION_TLS_1_1, + SSL_ERROR_BAD_MAC_READ); + ASSERT_EQ(SSL_ERROR_BAD_MAC_READ, helpers.getIntoleranceReason(HOST, 1)); +} + +TEST_F(psm_TLSIntoleranceTest, IntoleranceReasonCleared) { + ASSERT_EQ(0, helpers.getIntoleranceReason(HOST, 1)); + + helpers.rememberIntolerantAtVersion(HOST, 1, SSL_LIBRARY_VERSION_TLS_1_0, + SSL_LIBRARY_VERSION_TLS_1_2, + SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT); + ASSERT_EQ(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT, + helpers.getIntoleranceReason(HOST, 1)); + + helpers.rememberTolerantAtVersion(HOST, 1, SSL_LIBRARY_VERSION_TLS_1_2); + ASSERT_EQ(0, helpers.getIntoleranceReason(HOST, 1)); +} + +TEST_F(psm_TLSIntoleranceTest, TLSForgetIntolerance) { + { + ASSERT_TRUE(helpers.rememberIntolerantAtVersion( + HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2, + 0)); + + SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0, + SSL_LIBRARY_VERSION_TLS_1_2}; + helpers.adjustForTLSIntolerance(HOST, PORT, range); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_1, range.max); + } + + { + helpers.forgetIntolerance(HOST, PORT); + + SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0, + SSL_LIBRARY_VERSION_TLS_1_2}; + helpers.adjustForTLSIntolerance(HOST, PORT, range); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max); + } +} + +TEST_F(psm_TLSIntoleranceTest, TLSDontForgetTolerance) { + { + helpers.rememberTolerantAtVersion(HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_1); + + SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0, + SSL_LIBRARY_VERSION_TLS_1_2}; + helpers.adjustForTLSIntolerance(HOST, PORT, range); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max); + } + + { + ASSERT_TRUE(helpers.rememberIntolerantAtVersion( + HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2, + 0)); + + SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0, + SSL_LIBRARY_VERSION_TLS_1_2}; + helpers.adjustForTLSIntolerance(HOST, PORT, range); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_1, range.max); + } + + { + helpers.forgetIntolerance(HOST, PORT); + + SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0, + SSL_LIBRARY_VERSION_TLS_1_2}; + helpers.adjustForTLSIntolerance(HOST, PORT, range); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max); + } +} + +TEST_F(psm_TLSIntoleranceTest, TLSPerSiteFallbackLimit) { + constexpr auto example_com = "example.com"_ns; + constexpr auto example_net = "example.net"_ns; + constexpr auto example_org = "example.org"_ns; + + helpers.mVersionFallbackLimit = SSL_LIBRARY_VERSION_TLS_1_0; + + ASSERT_FALSE( + helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_2)); + ASSERT_FALSE( + helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_1)); + ASSERT_TRUE( + helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_0)); + ASSERT_FALSE( + helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_2)); + ASSERT_FALSE( + helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_1)); + ASSERT_TRUE( + helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_0)); + ASSERT_FALSE( + helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_2)); + ASSERT_FALSE( + helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_1)); + ASSERT_TRUE( + helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_0)); + + helpers.mVersionFallbackLimit = SSL_LIBRARY_VERSION_TLS_1_2; + + ASSERT_TRUE( + helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_2)); + ASSERT_TRUE( + helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_1)); + ASSERT_TRUE( + helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_0)); + ASSERT_TRUE( + helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_2)); + ASSERT_TRUE( + helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_1)); + ASSERT_TRUE( + helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_0)); + ASSERT_TRUE( + helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_2)); + ASSERT_TRUE( + helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_1)); + ASSERT_TRUE( + helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_0)); + + helpers.setInsecureFallbackSites(example_com); + + ASSERT_FALSE( + helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_2)); + ASSERT_FALSE( + helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_1)); + ASSERT_TRUE( + helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_0)); + ASSERT_TRUE( + helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_2)); + ASSERT_TRUE( + helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_1)); + ASSERT_TRUE( + helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_0)); + ASSERT_TRUE( + helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_2)); + ASSERT_TRUE( + helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_1)); + ASSERT_TRUE( + helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_0)); + + helpers.setInsecureFallbackSites("example.com,example.net"_ns); + + ASSERT_FALSE( + helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_2)); + ASSERT_FALSE( + helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_1)); + ASSERT_TRUE( + helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_0)); + ASSERT_FALSE( + helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_2)); + ASSERT_FALSE( + helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_1)); + ASSERT_TRUE( + helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_0)); + ASSERT_TRUE( + helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_2)); + ASSERT_TRUE( + helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_1)); + ASSERT_TRUE( + helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_0)); + + helpers.setInsecureFallbackSites(example_net); + + ASSERT_TRUE( + helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_2)); + ASSERT_TRUE( + helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_1)); + ASSERT_TRUE( + helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_0)); + ASSERT_FALSE( + helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_2)); + ASSERT_FALSE( + helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_1)); + ASSERT_TRUE( + helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_0)); + ASSERT_TRUE( + helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_2)); + ASSERT_TRUE( + helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_1)); + ASSERT_TRUE( + helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_0)); + + helpers.setInsecureFallbackSites(""_ns); + + ASSERT_TRUE( + helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_2)); + ASSERT_TRUE( + helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_1)); + ASSERT_TRUE( + helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_0)); + ASSERT_TRUE( + helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_2)); + ASSERT_TRUE( + helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_1)); + ASSERT_TRUE( + helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_0)); + ASSERT_TRUE( + helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_2)); + ASSERT_TRUE( + helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_1)); + ASSERT_TRUE( + helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_0)); +} diff --git a/security/manager/ssl/tests/gtest/moz.build b/security/manager/ssl/tests/gtest/moz.build new file mode 100644 index 0000000000..400b1e02cc --- /dev/null +++ b/security/manager/ssl/tests/gtest/moz.build @@ -0,0 +1,24 @@ +# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*- +# vim: set filetype=python: +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +SOURCES += [ + "CoseTest.cpp", + "DeserializeCertTest.cpp", + "HMACTest.cpp", + "MD4Test.cpp", + "OCSPCacheTest.cpp", + "TLSIntoleranceTest.cpp", +] + +LOCAL_INCLUDES += [ + "/security/certverifier", + "/security/manager/ssl", + "/third_party/rust/cose-c/include", +] + +include("/ipc/chromium/chromium-config.mozbuild") + +FINAL_LIBRARY = "xul-gtest" diff --git a/security/manager/ssl/tests/mochitest/browser/browser.toml b/security/manager/ssl/tests/mochitest/browser/browser.toml new file mode 100644 index 0000000000..433fffa4ac --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/browser.toml @@ -0,0 +1,52 @@ +[DEFAULT] +tags = "psm" +support-files = [ + "*.pem", + "head.js", + "hsts_headers.sjs", + "hsts_headers_framed.html", + "some_content.html", + "some_content_framed.html", + "browser_clientAuth_speculative_connection.html" +] + +["browser_HSTS.js"] +https_first_disabled = true + +["browser_add_exception_dialog.js"] + +["browser_bug627234_perwindowpb.js"] + +["browser_certViewer.js"] +skip-if = ["verify"] + +["browser_certificateManager.js"] + +["browser_clientAuthRememberService.js"] + +["browser_clientAuth_connection.js"] +# Any test that has to delete certificates (e.g. as part of cleanup) is +# fundamentally incompatible with verify due to how NSS handles deleting +# certificates. +skip-if = [ + "verify", + "socketprocess_networking", +] + +["browser_clientAuth_speculative_connection.js"] +skip-if = ["socketprocess_networking"] + +["browser_clientAuth_ui.js"] + +["browser_deleteCert_ui.js"] + +["browser_downloadCert_ui.js"] + +["browser_editCACertTrust.js"] +# An earlier attempt at landing this test resulted in frequent intermittent +# failures, almost entirely on Linux. See Bug 1309519. +skip-if = ["os == 'linux'"] + +["browser_exportP12_passwordUI.js"] + +["browser_loadPKCS11Module_ui.js"] diff --git a/security/manager/ssl/tests/mochitest/browser/browser_HSTS.js b/security/manager/ssl/tests/mochitest/browser/browser_HSTS.js new file mode 100644 index 0000000000..f578ac7c4f --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/browser_HSTS.js @@ -0,0 +1,277 @@ +/* Any copyright is dedicated to the Public Domain. + * http://creativecommons.org/publicdomain/zero/1.0/ */ + +"use strict"; + +// Tests that HTTP Strict Transport Security (HSTS) headers are noted as appropriate. + +// Register a cleanup function to clear all accumulated HSTS state when this +// test is done. +add_task(async function register_cleanup() { + registerCleanupFunction(() => { + let sss = Cc["@mozilla.org/ssservice;1"].getService( + Ci.nsISiteSecurityService + ); + sss.clearAll(); + }); +}); + +// In the absense of HSTS information, no upgrade should happen. +add_task(async function test_no_hsts_information_no_upgrade() { + let httpUrl = + getRootDirectory(gTestPath).replace( + "chrome://mochitests/content", + "http://example.com" + ) + "some_content.html"; + await BrowserTestUtils.openNewForegroundTab(gBrowser, httpUrl); + Assert.equal(gBrowser.selectedBrowser.currentURI.scheme, "http"); + gBrowser.removeCurrentTab(); +}); + +// Visit a secure site that sends an HSTS header to set up the rest of the +// test. +add_task(async function see_hsts_header() { + let setHstsUrl = + getRootDirectory(gTestPath).replace( + "chrome://mochitests/content", + "https://example.com" + ) + "hsts_headers.sjs"; + await BrowserTestUtils.openNewForegroundTab(gBrowser, setHstsUrl); + gBrowser.removeCurrentTab(); +}); + +// Given a known HSTS host, future http navigations to that domain will be +// upgraded. +add_task(async function test_http_upgrade() { + let httpUrl = + getRootDirectory(gTestPath).replace( + "chrome://mochitests/content", + "http://example.com" + ) + "some_content.html"; + await BrowserTestUtils.openNewForegroundTab(gBrowser, httpUrl); + Assert.equal(gBrowser.selectedBrowser.currentURI.scheme, "https"); + gBrowser.removeCurrentTab(); +}); + +// http navigations to unrelated hosts should not be upgraded. +add_task(async function test_unrelated_domain_no_upgrade() { + let differentHttpUrl = + getRootDirectory(gTestPath).replace( + "chrome://mochitests/content", + "http://example.org" + ) + "some_content.html"; + await BrowserTestUtils.openNewForegroundTab(gBrowser, differentHttpUrl); + Assert.equal(gBrowser.selectedBrowser.currentURI.scheme, "http"); + gBrowser.removeCurrentTab(); +}); + +// http navigations in private contexts shouldn't use information from +// non-private contexts, so no upgrade should occur. +add_task(async function test_private_window_no_upgrade() { + await SpecialPowers.pushPrefEnv({ + set: [["dom.security.https_first_pbm", false]], + }); + let privateWindow = OpenBrowserWindow({ private: true }); + await BrowserTestUtils.firstBrowserLoaded(privateWindow, false); + let url = + getRootDirectory(gTestPath).replace( + "chrome://mochitests/content", + "http://example.com" + ) + "some_content.html"; + await BrowserTestUtils.openNewForegroundTab(privateWindow.gBrowser, url); + Assert.equal( + privateWindow.gBrowser.selectedBrowser.currentURI.scheme, + "http" + ); + privateWindow.gBrowser.removeCurrentTab(); + privateWindow.close(); +}); + +// Since the header didn't specify "includeSubdomains", visiting a subdomain +// should not result in an upgrade. +add_task(async function test_subdomain_no_upgrade() { + let subdomainHttpUrl = + getRootDirectory(gTestPath).replace( + "chrome://mochitests/content", + "http://test1.example.com" + ) + "some_content.html"; + await BrowserTestUtils.openNewForegroundTab(gBrowser, subdomainHttpUrl); + Assert.equal(gBrowser.selectedBrowser.currentURI.scheme, "http"); + gBrowser.removeCurrentTab(); +}); + +// Now visit a secure site that sends an HSTS header that also includes subdomains. +add_task(async function see_hsts_header_include_subdomains() { + let setHstsUrl = + getRootDirectory(gTestPath).replace( + "chrome://mochitests/content", + "https://example.com" + ) + "hsts_headers.sjs?includeSubdomains"; + await BrowserTestUtils.openNewForegroundTab(gBrowser, setHstsUrl); + gBrowser.removeCurrentTab(); +}); + +// Now visiting a subdomain should result in an upgrade. +add_task(async function test_subdomain_upgrade() { + let subdomainHttpUrl = + getRootDirectory(gTestPath).replace( + "chrome://mochitests/content", + "http://test1.example.com" + ) + "some_content.html"; + await BrowserTestUtils.openNewForegroundTab(gBrowser, subdomainHttpUrl); + Assert.equal(gBrowser.selectedBrowser.currentURI.scheme, "https"); + gBrowser.removeCurrentTab(); +}); + +// Visiting a subdomain with https should result in an https URL (this isn't an +// upgrade - this test is essentially a consistency check). +add_task(async function test_already_https() { + let subdomainHttpsUrl = + getRootDirectory(gTestPath).replace( + "chrome://mochitests/content", + "https://test2.example.com" + ) + "some_content.html"; + await BrowserTestUtils.openNewForegroundTab(gBrowser, subdomainHttpsUrl); + Assert.equal(gBrowser.selectedBrowser.currentURI.scheme, "https"); + gBrowser.removeCurrentTab(); +}); + +// Test that subresources are upgraded. +add_task(async function test_iframe_upgrade() { + let framedUrl = + getRootDirectory(gTestPath).replace( + "chrome://mochitests/content", + "https://example.com" + ) + "some_content_framed.html"; + await BrowserTestUtils.openNewForegroundTab(gBrowser, framedUrl); + await SpecialPowers.spawn(gBrowser.selectedBrowser, [], async function () { + await ContentTaskUtils.waitForCondition(() => { + let frame = content.document.getElementById("frame"); + if (frame) { + return frame.baseURI.startsWith("https://"); + } + return false; + }); + }); + gBrowser.removeCurrentTab(); +}); + +// Clear state. +add_task(async function clear_hsts_state() { + let sss = Cc["@mozilla.org/ssservice;1"].getService( + Ci.nsISiteSecurityService + ); + sss.clearAll(); +}); + +// Make sure this test is valid. +add_task(async function test_no_hsts_information_no_upgrade_again() { + let httpUrl = + getRootDirectory(gTestPath).replace( + "chrome://mochitests/content", + "http://example.com" + ) + "some_content.html"; + await BrowserTestUtils.openNewForegroundTab(gBrowser, httpUrl); + Assert.equal(gBrowser.selectedBrowser.currentURI.scheme, "http"); + gBrowser.removeCurrentTab(); +}); + +// Visit a site with an iframe that loads first-party content that sends an +// HSTS header. The header should be heeded because it's first-party. +add_task(async function see_hsts_header_in_framed_first_party_context() { + let framedUrl = + getRootDirectory(gTestPath).replace( + "chrome://mochitests/content", + "https://example.com" + ) + "hsts_headers_framed.html"; + await BrowserTestUtils.openNewForegroundTab(gBrowser, framedUrl); + await SpecialPowers.spawn(gBrowser.selectedBrowser, [], async function () { + await ContentTaskUtils.waitForCondition(() => { + return content.document.getElementById("done"); + }); + }); + gBrowser.removeCurrentTab(); +}); + +// Check that the framed, first-party header was heeded. +add_task(async function test_http_upgrade_after_framed_first_party_header() { + let httpUrl = + getRootDirectory(gTestPath).replace( + "chrome://mochitests/content", + "http://example.com" + ) + "some_content.html"; + await BrowserTestUtils.openNewForegroundTab(gBrowser, httpUrl); + Assert.equal(gBrowser.selectedBrowser.currentURI.scheme, "https"); + gBrowser.removeCurrentTab(); +}); + +// Visit a site with an iframe that loads third-party content that sends an +// HSTS header. The header should be ignored because it's third-party. +add_task(async function see_hsts_header_in_third_party_context() { + let framedUrl = + getRootDirectory(gTestPath).replace( + "chrome://mochitests/content", + "https://example.com" + ) + "hsts_headers_framed.html?third-party"; + await BrowserTestUtils.openNewForegroundTab(gBrowser, framedUrl); + await SpecialPowers.spawn(gBrowser.selectedBrowser, [], async function () { + await ContentTaskUtils.waitForCondition(() => { + return content.document.getElementById("done"); + }); + }); + gBrowser.removeCurrentTab(); +}); + +// Since the HSTS header was not received in a first-party context, no upgrade +// should occur. +add_task(async function test_no_upgrade_for_third_party_header() { + let url = + getRootDirectory(gTestPath).replace( + "chrome://mochitests/content", + "http://example.org" + ) + "some_content.html"; + await BrowserTestUtils.openNewForegroundTab(gBrowser, url); + Assert.equal(gBrowser.selectedBrowser.currentURI.scheme, "http"); + gBrowser.removeCurrentTab(); +}); + +// Clear state again. +add_task(async function clear_hsts_state_again() { + let sss = Cc["@mozilla.org/ssservice;1"].getService( + Ci.nsISiteSecurityService + ); + sss.clearAll(); +}); + +// HSTS information encountered in private contexts should not be used in +// non-private contexts. +add_task( + async function test_no_upgrade_for_HSTS_information_from_private_window() { + await SpecialPowers.pushPrefEnv({ + set: [["dom.security.https_first_pbm", false]], + }); + let privateWindow = OpenBrowserWindow({ private: true }); + await BrowserTestUtils.firstBrowserLoaded(privateWindow, false); + let setHstsUrl = + getRootDirectory(gTestPath).replace( + "chrome://mochitests/content", + "https://example.com" + ) + "hsts_headers.sjs"; + await BrowserTestUtils.openNewForegroundTab( + privateWindow.gBrowser, + setHstsUrl + ); + privateWindow.gBrowser.removeCurrentTab(); + + let httpUrl = + getRootDirectory(gTestPath).replace( + "chrome://mochitests/content", + "http://example.com" + ) + "some_content.html"; + await BrowserTestUtils.openNewForegroundTab(gBrowser, httpUrl); + Assert.equal(gBrowser.selectedBrowser.currentURI.scheme, "http"); + gBrowser.removeCurrentTab(); + + privateWindow.close(); + } +); diff --git a/security/manager/ssl/tests/mochitest/browser/browser_add_exception_dialog.js b/security/manager/ssl/tests/mochitest/browser/browser_add_exception_dialog.js new file mode 100644 index 0000000000..0916ac5ce4 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/browser_add_exception_dialog.js @@ -0,0 +1,69 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +"use strict"; + +// This test makes sure that adding certificate exceptions behaves correctly +// when done from the prefs window + +ChromeUtils.defineESModuleGetters(this, { + BrowserWindowTracker: "resource:///modules/BrowserWindowTracker.sys.mjs", +}); + +function test() { + const EXCEPTIONS_DLG_URL = "chrome://pippki/content/exceptionDialog.xhtml"; + const EXCEPTIONS_DLG_FEATURES = "chrome,centerscreen"; + const INVALID_CERT_DOMAIN = "self-signed.example.com"; + const INVALID_CERT_LOCATION = "https://" + INVALID_CERT_DOMAIN + "/"; + waitForExplicitFinish(); + + function testAddCertificate() { + win.removeEventListener("load", testAddCertificate); + Services.obs.addObserver(async function onCertUI(aSubject, aTopic, aData) { + Services.obs.removeObserver(onCertUI, "cert-exception-ui-ready"); + ok(win.gCert, "The certificate information should be available now"); + + let dialog = win.document.getElementById("exceptiondialog"); + let confirmButton = dialog.getButton("extra1"); + confirmButton.click(); + ok( + params.exceptionAdded, + "The certificate exception should have been added" + ); + + registerCleanupFunction(() => { + let certOverrideService = Cc[ + "@mozilla.org/security/certoverride;1" + ].getService(Ci.nsICertOverrideService); + certOverrideService.clearValidityOverride(INVALID_CERT_DOMAIN, -1, {}); + }); + + BrowserTestUtils.startLoadingURIString(gBrowser, INVALID_CERT_LOCATION); + let loaded = await BrowserTestUtils.browserLoaded( + gBrowser, + false, + INVALID_CERT_LOCATION, + true + ); + ok(loaded, "The certificate exception should allow the page to load"); + + finish(); + }, "cert-exception-ui-ready"); + } + + let bWin = BrowserWindowTracker.getTopWindow(); + let params = { + exceptionAdded: false, + location: INVALID_CERT_LOCATION, + prefetchCert: true, + }; + + let win = bWin.openDialog( + EXCEPTIONS_DLG_URL, + "", + EXCEPTIONS_DLG_FEATURES, + params + ); + win.addEventListener("load", testAddCertificate); +} diff --git a/security/manager/ssl/tests/mochitest/browser/browser_bug627234_perwindowpb.js b/security/manager/ssl/tests/mochitest/browser/browser_bug627234_perwindowpb.js new file mode 100644 index 0000000000..79e7ad9b12 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/browser_bug627234_perwindowpb.js @@ -0,0 +1,94 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +function whenNewWindowLoaded(aOptions, aCallback) { + let win = OpenBrowserWindow(aOptions); + win.addEventListener( + "load", + function () { + aCallback(win); + }, + { once: true } + ); +} + +// This is a template to help porting global private browsing tests +// to per-window private browsing tests +function test() { + // initialization + waitForExplicitFinish(); + let windowsToClose = []; + let testURI = "about:blank"; + let uri; + let gSSService = Cc["@mozilla.org/ssservice;1"].getService( + Ci.nsISiteSecurityService + ); + + function originAttributes(aIsPrivateMode) { + return aIsPrivateMode ? { privateBrowsingId: 1 } : {}; + } + + function doTest(aIsPrivateMode, aWindow, aCallback) { + BrowserTestUtils.browserLoaded(aWindow.gBrowser.selectedBrowser).then( + () => { + uri = aWindow.Services.io.newURI("https://localhost/img.png"); + gSSService.processHeader( + uri, + "max-age=1000", + originAttributes(aIsPrivateMode) + ); + ok( + gSSService.isSecureURI(uri, originAttributes(aIsPrivateMode)), + "checking sts host" + ); + + aCallback(); + } + ); + + BrowserTestUtils.startLoadingURIString( + aWindow.gBrowser.selectedBrowser, + testURI + ); + } + + function testOnWindow(aOptions, aCallback) { + whenNewWindowLoaded(aOptions, function (aWin) { + windowsToClose.push(aWin); + // execute should only be called when need, like when you are opening + // web pages on the test. If calling executeSoon() is not necesary, then + // call whenNewWindowLoaded() instead of testOnWindow() on your test. + executeSoon(function () { + aCallback(aWin); + }); + }); + } + + // this function is called after calling finish() on the test. + registerCleanupFunction(function () { + windowsToClose.forEach(function (aWin) { + aWin.close(); + }); + uri = Services.io.newURI("http://localhost"); + gSSService.resetState(uri); + }); + + // test first when on private mode + testOnWindow({ private: true }, function (aWin) { + doTest(true, aWin, function () { + // test when not on private mode + testOnWindow({}, function (aWin) { + doTest(false, aWin, function () { + // test again when on private mode + testOnWindow({ private: true }, function (aWin) { + doTest(true, aWin, function () { + finish(); + }); + }); + }); + }); + }); + }); +} diff --git a/security/manager/ssl/tests/mochitest/browser/browser_certViewer.js b/security/manager/ssl/tests/mochitest/browser/browser_certViewer.js new file mode 100644 index 0000000000..7f0b8888c1 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/browser_certViewer.js @@ -0,0 +1,112 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +// Repeatedly opens the certificate viewer dialog with various certificates and +// determines that the viewer correctly identifies either what usages those +// certificates are valid for or what errors prevented the certificates from +// being verified. + +add_task(async function testCAandTitle() { + let cert = await readCertificate("ca.pem", "CTu,CTu,CTu"); + let url = getURL(cert); + await openCertViewerAndCheckTabName(url, "ca"); +}); + +add_task(async function testSSLEndEntity() { + let cert = await readCertificate("ssl-ee.pem", ",,"); + let url = getURL(cert); + await openCertViewerAndCheckTabName(url, "ssl-ee"); +}); + +add_task(async function testEmailEndEntity() { + let cert = await readCertificate("email-ee.pem", ",,"); + let url = getURL(cert); + await openCertViewerAndCheckTabName(url, "email-ee"); +}); + +add_task(async function testCodeSignEndEntity() { + let cert = await readCertificate("code-ee.pem", ",,"); + let url = getURL(cert); + await openCertViewerAndCheckTabName(url, "code-ee"); +}); + +add_task(async function testExpired() { + let cert = await readCertificate("expired-ca.pem", ",,"); + let url = getURL(cert); + await openCertViewerAndCheckTabName(url, "expired-ca"); +}); + +add_task(async function testUntrusted() { + let cert = await readCertificate("untrusted-ca.pem", "p,p,p"); + let url = getURL(cert); + await openCertViewerAndCheckTabName(url, "untrusted-ca"); +}); + +add_task(async function testInvalid() { + // This certificate has a keyUsage extension asserting cRLSign and + // keyCertSign, but it doesn't have a basicConstraints extension. This + // shouldn't be valid for any usage. Sadly, we give a pretty bad error + // message in this case. + let cert = await readCertificate("invalid.pem", ",,"); + let url = getURL(cert); + await openCertViewerAndCheckTabName(url, "invalid"); +}); + +add_task(async function testLongOID() { + // This certificate has a certificatePolicies extension with a policy with a + // very long OID. This tests that we don't crash when looking at it. + let cert = await readCertificate("longOID.pem", ",,"); + let url = getURL(cert); + await openCertViewerAndCheckTabName(url, "Long OID"); +}); + +/** + * Given a certificate, returns its PEMs (each one of the certificate chain) string in a url. + * + * @param {object} cert + * A certificate object + * @returns {string} an URL for opening the certificate viewer + */ +function getURL(cert) { + // Note that we don't get the certificate chain as in e.g browser/base/content/browser.js, + // because all the .pem files when opened with CS (https://github.com/april/certainly-something) + // shows only one certificate + let derb64 = encodeURIComponent(cert.getBase64DERString()); + return `about:certificate?cert=${derb64}`; +} + +/** + * Given an certificate URL, opens the new certificate viewer and check + * if a certain element exists, with its expected result. + * + * @param {string} url + * The URL with the certificate info + * @param {string} expectedTabName + * The expected name of the tab in the certificate viewer + */ +async function openCertViewerAndCheckTabName(url, expectedTabName) { + await BrowserTestUtils.withNewTab( + { gBrowser, url }, + async function (browser) { + await SpecialPowers.spawn( + browser, + [expectedTabName], + async function (expectedTabName) { + let certificateSection = await ContentTaskUtils.waitForCondition( + () => { + return content.document.querySelector("certificate-section"); + }, + "Certificate section found" + ); + let tabName = + certificateSection.shadowRoot.querySelector( + ".tab[idnumber='0']" + ).textContent; + Assert.equal(tabName, expectedTabName); + } + ); + } + ); +} diff --git a/security/manager/ssl/tests/mochitest/browser/browser_certificateManager.js b/security/manager/ssl/tests/mochitest/browser/browser_certificateManager.js new file mode 100644 index 0000000000..c6619909d0 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/browser_certificateManager.js @@ -0,0 +1,105 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +async function checkServerCertificates(win, expectedValues = []) { + await TestUtils.waitForCondition(() => { + return ( + win.document.getElementById("serverList").itemChildren.length == + expectedValues.length + ); + }, `Expected to have ${expectedValues.length} but got ${win.document.getElementById("serverList").itemChildren.length}`); + await new Promise(win.requestAnimationFrame); + + let labels = win.document + .getElementById("serverList") + .querySelectorAll("label"); + + // The strings we will get from the DOM are localized with Fluent. + // This will wait until the translation is applied. + if (expectedValues.length) { + await BrowserTestUtils.waitForCondition( + () => labels[1].value || !!labels[1].textContent.length, + "At least one label is populated" + ); + } + + expectedValues.forEach((item, i) => { + let hostPort = labels[i * 3].value; + let fingerprint = labels[i * 3 + 1].value || labels[i * 3 + 1].textContent; + + Assert.equal( + hostPort, + item.hostPort, + `Expected override to be ${item.hostPort} but got ${hostPort}` + ); + + Assert.equal( + fingerprint, + item.fingerprint, + `Expected override to have field ${item.fingerprint}` + ); + }); +} + +async function deleteOverride(win, expectedLength) { + win.document.getElementById("serverList").selectedIndex = 0; + await TestUtils.waitForCondition(() => { + return ( + win.document.getElementById("serverList").itemChildren.length == + expectedLength + ); + }); + let newWinPromise = BrowserTestUtils.domWindowOpenedAndLoaded(); + // Since the .click() blocks we need to dispatch it to the main thread avoid that. + Services.tm.dispatchToMainThread(() => + win.document.getElementById("websites_deleteButton").click() + ); + let newWin = await newWinPromise; + newWin.document.getElementById("deleteCertificate").acceptDialog(); + Assert.equal( + win.document.getElementById("serverList").selectedIndex, + 0, + "After deletion we expect the selectedItem to be reset." + ); +} + +add_task(async function test_cert_manager_server_tab() { + let win = await openCertManager(); + + await checkServerCertificates(win); + + win.document.getElementById("certmanager").acceptDialog(); + await BrowserTestUtils.windowClosed(win); + + let cert = await readCertificate("md5-ee.pem", ",,"); + let certOverrideService = Cc[ + "@mozilla.org/security/certoverride;1" + ].getService(Ci.nsICertOverrideService); + certOverrideService.rememberValidityOverride( + "example.com", + 443, + {}, + cert, + false + ); + + win = await openCertManager(); + + await checkServerCertificates(win, [ + { + hostPort: "example.com:443", + fingerprint: cert.sha256Fingerprint, + }, + ]); + + await deleteOverride(win, 1); + + await checkServerCertificates(win, []); + + win.document.getElementById("certmanager").acceptDialog(); + await BrowserTestUtils.windowClosed(win); + + certOverrideService.clearAllOverrides(); +}); diff --git a/security/manager/ssl/tests/mochitest/browser/browser_clientAuthRememberService.js b/security/manager/ssl/tests/mochitest/browser/browser_clientAuthRememberService.js new file mode 100644 index 0000000000..87b476e012 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/browser_clientAuthRememberService.js @@ -0,0 +1,290 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ +"use strict"; + +/** + * Test certificate (i.e. build/pgo/certs/mochitest.client). + * + * @type {nsIX509Cert} + */ +var cert; +var cert2; +var cert3; + +var sdr = Cc["@mozilla.org/security/sdr;1"].getService(Ci.nsISecretDecoderRing); +var certDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +var deleted = false; + +const { MockRegistrar } = ChromeUtils.importESModule( + "resource://testing-common/MockRegistrar.sys.mjs" +); + +function findCertByCommonName(commonName) { + for (let cert of certDB.getCerts()) { + if (cert.commonName == commonName) { + return cert; + } + } + return null; +} + +async function testHelper(connectURL, expectedURL) { + let win = await BrowserTestUtils.openNewBrowserWindow(); + + await SpecialPowers.pushPrefEnv({ + set: [["security.default_personal_cert", "Ask Every Time"]], + }); + + BrowserTestUtils.startLoadingURIString( + win.gBrowser.selectedBrowser, + connectURL + ); + + await BrowserTestUtils.browserLoaded( + win.gBrowser.selectedBrowser, + false, + expectedURL, + true + ); + let loadedURL = win.gBrowser.selectedBrowser.documentURI.spec; + Assert.ok( + loadedURL.startsWith(expectedURL), + `Expected and actual URLs should match (got '${loadedURL}', expected '${expectedURL}')` + ); + + await win.close(); + + // This clears the TLS session cache so we don't use a previously-established + // ticket to connect and bypass selecting a client auth certificate in + // subsequent tests. + sdr.logout(); +} + +async function openRequireClientCert() { + gClientAuthDialogService.chooseCertificateCalled = false; + await testHelper( + "https://requireclientcert.example.com:443", + "https://requireclientcert.example.com/" + ); +} + +async function openRequireClientCert2() { + gClientAuthDialogService.chooseCertificateCalled = false; + await testHelper( + "https://requireclientcert-2.example.com:443", + "https://requireclientcert-2.example.com/" + ); +} + +// Mock implementation of nsIClientAuthRememberService +const gClientAuthRememberService = { + forgetRememberedDecision(key) { + deleted = true; + Assert.equal( + key, + "exampleKey2", + "Expected to get the same key that was passed in getDecisions()" + ); + }, + + getDecisions() { + return [ + { + asciiHost: "example.com", + dbKey: cert.dbKey, + entryKey: "exampleKey1", + }, + { + asciiHost: "example.org", + dbKey: cert2.dbKey, + entryKey: "exampleKey2", + }, + { + asciiHost: "example.test", + dbKey: cert3.dbKey, + entryKey: "exampleKey3", + }, + { + asciiHost: "unavailable.example.com", + // This dbKey should not correspond to any real certificate. The first + // 8 bytes have to be 0, followed by the lengths of the serial number + // and issuer distinguished name, respectively, and then followed by + // the bytes of the serial number and finally the encoded issuer + // distinguished name. In this case, the serial number is a single 0 + // byte and the issuer distinguished name is a DER SEQUENCE of length 0 + // (the bytes 0x30 and 0). + // See also the documentation in nsNSSCertificateDB::FindCertByDBKey. + dbKey: "AAAAAAAAAAAAAAABAAAAAgAeAA==", + entryKey: "exampleKey4", + }, + ]; + }, + + QueryInterface: ChromeUtils.generateQI(["nsIClientAuthRememberService"]), +}; + +const gClientAuthDialogService = { + _chooseCertificateCalled: false, + + get chooseCertificateCalled() { + return this._chooseCertificateCalled; + }, + + set chooseCertificateCalled(value) { + this._chooseCertificateCalled = value; + }, + + chooseCertificate(hostname, certArray, loadContext, callback) { + this.chooseCertificateCalled = true; + callback.certificateChosen(certArray[0], true); + }, + + QueryInterface: ChromeUtils.generateQI([Ci.nsIClientAuthDialogService]), +}; + +add_task(async function testRememberedDecisionsUI() { + cert = findCertByCommonName("Mochitest client"); + cert2 = await readCertificate("pgo-ca-all-usages.pem", ",,"); + cert3 = await readCertificate("client-cert-via-intermediate.pem", ",,"); + isnot(cert, null, "Should be able to find the test client cert"); + isnot(cert2, null, "Should be able to find pgo-ca-all-usages.pem"); + isnot(cert3, null, "Should be able to find client-cert-via-intermediate.pem"); + + let clientAuthRememberServiceCID = MockRegistrar.register( + "@mozilla.org/security/clientAuthRememberService;1", + gClientAuthRememberService + ); + + let win = await openCertManager(); + + let listItems = win.document + .getElementById("rememberedList") + .querySelectorAll("richlistitem"); + + Assert.equal( + listItems.length, + 4, + "rememberedList has expected number of items" + ); + + let labels = win.document + .getElementById("rememberedList") + .querySelectorAll("label"); + + Assert.equal( + labels.length, + 12, + "rememberedList has expected number of labels" + ); + + await BrowserTestUtils.waitForCondition( + () => !!labels[10].textContent.length, + "Localized label is populated" + ); + + let expectedHosts = [ + "example.com", + "example.org", + "example.test", + "unavailable.example.com", + ]; + let hosts = [ + labels[0].value, + labels[3].value, + labels[6].value, + labels[9].value, + ]; + let expectedNames = [ + cert.commonName, + cert2.commonName, + cert3.commonName, + "(Unavailable)", + ]; + let names = [ + labels[1].value, + labels[4].value, + labels[7].value, + labels[10].textContent, + ]; + let expectedSerialNumbers = [ + cert.serialNumber, + cert2.serialNumber, + cert3.serialNumber, + "(Unavailable)", + ]; + let serialNumbers = [ + labels[2].value, + labels[5].value, + labels[8].value, + labels[11].textContent, + ]; + + for (let i = 0; i < listItems.length; i++) { + Assert.equal(hosts[i], expectedHosts[i], "got expected asciiHost"); + Assert.equal(names[i], expectedNames[i], "got expected commonName"); + Assert.equal( + serialNumbers[i], + expectedSerialNumbers[i], + "got expected serialNumber" + ); + } + + win.document.getElementById("rememberedList").selectedIndex = 1; + win.document.getElementById("remembered_deleteButton").click(); + + Assert.ok(deleted, "Expected forgetRememberedDecision() to get called"); + + win.document.getElementById("certmanager").acceptDialog(); + await BrowserTestUtils.windowClosed(win); + + MockRegistrar.unregister(clientAuthRememberServiceCID); +}); + +add_task(async function testDeletingRememberedDecisions() { + let clientAuthDialogServiceCID = MockRegistrar.register( + "@mozilla.org/security/ClientAuthDialogService;1", + gClientAuthDialogService + ); + let cars = Cc["@mozilla.org/security/clientAuthRememberService;1"].getService( + Ci.nsIClientAuthRememberService + ); + + await openRequireClientCert(); + Assert.ok( + gClientAuthDialogService.chooseCertificateCalled, + "chooseCertificate should have been called if visiting 'requireclientcert.example.com' for the first time" + ); + + await openRequireClientCert(); + Assert.ok( + !gClientAuthDialogService.chooseCertificateCalled, + "chooseCertificate should not have been called if visiting 'requireclientcert.example.com' for the second time" + ); + + await openRequireClientCert2(); + Assert.ok( + gClientAuthDialogService.chooseCertificateCalled, + "chooseCertificate should have been called if visiting 'requireclientcert-2.example.com' for the first time" + ); + + let originAttributes = { privateBrowsingId: 0 }; + cars.deleteDecisionsByHost("requireclientcert.example.com", originAttributes); + + await openRequireClientCert(); + Assert.ok( + gClientAuthDialogService.chooseCertificateCalled, + "chooseCertificate should have been called after removing all remembered decisions for 'requireclientcert.example.com'" + ); + + await openRequireClientCert2(); + Assert.ok( + !gClientAuthDialogService.chooseCertificateCalled, + "chooseCertificate should not have been called if visiting 'requireclientcert-2.example.com' for the second time" + ); + + MockRegistrar.unregister(clientAuthDialogServiceCID); +}); diff --git a/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_connection.js b/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_connection.js new file mode 100644 index 0000000000..2eed2b620a --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_connection.js @@ -0,0 +1,385 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ +"use strict"; + +// Tests various scenarios connecting to a server that requires client cert +// authentication. Also tests that nsIClientAuthDialogService.chooseCertificate +// is called at the appropriate times and with the correct arguments. + +const { MockRegistrar } = ChromeUtils.importESModule( + "resource://testing-common/MockRegistrar.sys.mjs" +); + +const DialogState = { + // Assert that chooseCertificate() is never called. + ASSERT_NOT_CALLED: "ASSERT_NOT_CALLED", + // Return that the user selected the first given cert. + RETURN_CERT_SELECTED: "RETURN_CERT_SELECTED", + // Return that the user canceled. + RETURN_CERT_NOT_SELECTED: "RETURN_CERT_NOT_SELECTED", +}; + +var sdr = Cc["@mozilla.org/security/sdr;1"].getService(Ci.nsISecretDecoderRing); +let cars = Cc["@mozilla.org/security/clientAuthRememberService;1"].getService( + Ci.nsIClientAuthRememberService +); + +var gExpectedClientCertificateChoices; + +// Mock implementation of nsIClientAuthDialogService. +const gClientAuthDialogService = { + _state: DialogState.ASSERT_NOT_CALLED, + _rememberClientAuthCertificate: false, + _chooseCertificateCalled: false, + + set state(newState) { + info(`old state: ${this._state}`); + this._state = newState; + info(`new state: ${this._state}`); + }, + + get state() { + return this._state; + }, + + set rememberClientAuthCertificate(value) { + this._rememberClientAuthCertificate = value; + }, + + get rememberClientAuthCertificate() { + return this._rememberClientAuthCertificate; + }, + + get chooseCertificateCalled() { + return this._chooseCertificateCalled; + }, + + set chooseCertificateCalled(value) { + this._chooseCertificateCalled = value; + }, + + chooseCertificate(hostname, certArray, loadContext, callback) { + this.chooseCertificateCalled = true; + Assert.notEqual( + this.state, + DialogState.ASSERT_NOT_CALLED, + "chooseCertificate() should be called only when expected" + ); + Assert.equal( + hostname, + "requireclientcert.example.com", + "Hostname should be 'requireclientcert.example.com'" + ); + + // For mochitests, the cert at build/pgo/certs/mochitest.client should be + // selectable as well as one of the PGO certs we loaded in `setup`, so we do + // some brief checks to confirm this. + Assert.notEqual(certArray, null, "Cert list should not be null"); + Assert.equal( + certArray.length, + gExpectedClientCertificateChoices, + `${gExpectedClientCertificateChoices} certificates should be available` + ); + + for (let cert of certArray) { + Assert.notEqual(cert, null, "Cert list should contain nsIX509Certs"); + Assert.equal( + cert.issuerCommonName, + "Temporary Certificate Authority", + "cert should have expected issuer CN" + ); + } + + if (this.state == DialogState.RETURN_CERT_SELECTED) { + callback.certificateChosen( + certArray[0], + this.rememberClientAuthCertificate + ); + } else { + callback.certificateChosen(null, this.rememberClientAuthCertificate); + } + }, + + QueryInterface: ChromeUtils.generateQI(["nsIClientAuthDialogService"]), +}; + +add_setup(async function () { + let clientAuthDialogServiceCID = MockRegistrar.register( + "@mozilla.org/security/ClientAuthDialogService;1", + gClientAuthDialogService + ); + registerCleanupFunction(() => { + MockRegistrar.unregister(clientAuthDialogServiceCID); + }); + + // This CA has the expected keyCertSign and cRLSign usages. It should not be + // presented for use as a client certificate. + await readCertificate("pgo-ca-regular-usages.pem", "CTu,CTu,CTu"); + // This CA has all keyUsages. For compatibility with preexisting behavior, it + // will be presented for use as a client certificate. + await readCertificate("pgo-ca-all-usages.pem", "CTu,CTu,CTu"); + // This client certificate was issued by an intermediate that was issued by + // the test CA. The server only lists the test CA's subject distinguished name + // as an acceptible issuer name for client certificates. If the implementation + // can determine that the test CA is a root CA for the client certificate and + // thus is acceptible to use, it should be included in the chooseCertificate + // callback. At the beginning of this test (speaking of this file as a whole), + // the client is not aware of the intermediate, and so it is not available in + // the callback. + await readCertificate("client-cert-via-intermediate.pem", ",,"); + // This certificate has an id-kp-OCSPSigning EKU. Client certificates + // shouldn't have this EKU, but there is at least one private PKI where they + // do. For interoperability, such certificates will be presented for use. + await readCertificate("client-cert-with-ocsp-signing.pem", ",,"); + gExpectedClientCertificateChoices = 3; +}); + +/** + * Test helper for the tests below. + * + * @param {string} prefValue + * Value to set the "security.default_personal_cert" pref to. + * @param {string} urlToNavigate + * The URL to navigate to. + * @param {string} expectedURL + * If the connection is expected to load successfully, the URL that + * should load. If the connection is expected to fail and result in an + * error page, |undefined|. + * @param {boolean} expectCallingChooseCertificate + * Determines whether we expect chooseCertificate to be called. + * @param {object} options + * Optional options object to pass on to the window that gets opened. + * @param {string} expectStringInPage + * Optional string that is expected to be in the content of the page + * once it loads. + */ +async function testHelper( + prefValue, + urlToNavigate, + expectedURL, + expectCallingChooseCertificate, + options = undefined, + expectStringInPage = undefined +) { + gClientAuthDialogService.chooseCertificateCalled = false; + await SpecialPowers.pushPrefEnv({ + set: [["security.default_personal_cert", prefValue]], + }); + + let win = await BrowserTestUtils.openNewBrowserWindow(options); + + BrowserTestUtils.startLoadingURIString( + win.gBrowser.selectedBrowser, + urlToNavigate + ); + if (expectedURL) { + await BrowserTestUtils.browserLoaded( + win.gBrowser.selectedBrowser, + false, + "https://requireclientcert.example.com/", + true + ); + let loadedURL = win.gBrowser.selectedBrowser.documentURI.spec; + Assert.ok( + loadedURL.startsWith(expectedURL), + `Expected and actual URLs should match (got '${loadedURL}', expected '${expectedURL}')` + ); + } else { + await new Promise(resolve => { + let removeEventListener = BrowserTestUtils.addContentEventListener( + win.gBrowser.selectedBrowser, + "AboutNetErrorLoad", + () => { + removeEventListener(); + resolve(); + }, + { capture: false, wantUntrusted: true } + ); + }); + } + + Assert.equal( + gClientAuthDialogService.chooseCertificateCalled, + expectCallingChooseCertificate, + "chooseCertificate should have been called if we were expecting it to be called" + ); + + if (expectStringInPage) { + let pageContent = await SpecialPowers.spawn( + win.gBrowser.selectedBrowser, + [], + async function () { + return content.document.body.textContent; + } + ); + Assert.ok( + pageContent.includes(expectStringInPage), + `page should contain the string '${expectStringInPage}' (was '${pageContent}')` + ); + } + + await win.close(); + + // This clears the TLS session cache so we don't use a previously-established + // ticket to connect and bypass selecting a client auth certificate in + // subsequent tests. + sdr.logout(); +} + +// Test that if a certificate is chosen automatically the connection succeeds, +// and that nsIClientAuthDialogService.chooseCertificate() is never called. +add_task(async function testCertChosenAutomatically() { + gClientAuthDialogService.state = DialogState.ASSERT_NOT_CALLED; + await testHelper( + "Select Automatically", + "https://requireclientcert.example.com/", + "https://requireclientcert.example.com/", + false + ); + // This clears all saved client auth certificate state so we don't influence + // subsequent tests. + cars.clearRememberedDecisions(); +}); + +// Test that if the user doesn't choose a certificate, the connection fails and +// an error page is displayed. +add_task(async function testCertNotChosenByUser() { + gClientAuthDialogService.state = DialogState.RETURN_CERT_NOT_SELECTED; + await testHelper( + "Ask Every Time", + "https://requireclientcert.example.com/", + undefined, + true, + undefined, + // bug 1818556: ssltunnel doesn't behave as expected here on Windows + AppConstants.platform != "win" + ? "SSL_ERROR_RX_CERTIFICATE_REQUIRED_ALERT" + : undefined + ); + cars.clearRememberedDecisions(); +}); + +// Test that if the user chooses a certificate the connection suceeeds. +add_task(async function testCertChosenByUser() { + gClientAuthDialogService.state = DialogState.RETURN_CERT_SELECTED; + await testHelper( + "Ask Every Time", + "https://requireclientcert.example.com/", + "https://requireclientcert.example.com/", + true + ); + cars.clearRememberedDecisions(); +}); + +// Test that the cancel decision is remembered correctly +add_task(async function testEmptyCertChosenByUser() { + gClientAuthDialogService.state = DialogState.RETURN_CERT_NOT_SELECTED; + gClientAuthDialogService.rememberClientAuthCertificate = true; + await testHelper( + "Ask Every Time", + "https://requireclientcert.example.com/", + undefined, + true + ); + await testHelper( + "Ask Every Time", + "https://requireclientcert.example.com/", + undefined, + false + ); + cars.clearRememberedDecisions(); +}); + +// Test that if the user chooses a certificate in a private browsing window, +// configures Firefox to remember this certificate for the duration of the +// session, closes that window (and thus all private windows), reopens a private +// window, and visits that site again, they are re-asked for a certificate (i.e. +// any state from the previous private session should be gone). Similarly, after +// closing that private window, if the user opens a non-private window, they +// again should be asked to choose a certificate (i.e. private state should not +// be remembered/used in non-private contexts). +add_task(async function testClearPrivateBrowsingState() { + gClientAuthDialogService.rememberClientAuthCertificate = true; + gClientAuthDialogService.state = DialogState.RETURN_CERT_SELECTED; + await testHelper( + "Ask Every Time", + "https://requireclientcert.example.com/", + "https://requireclientcert.example.com/", + true, + { + private: true, + } + ); + await testHelper( + "Ask Every Time", + "https://requireclientcert.example.com/", + "https://requireclientcert.example.com/", + true, + { + private: true, + } + ); + await testHelper( + "Ask Every Time", + "https://requireclientcert.example.com/", + "https://requireclientcert.example.com/", + true + ); + // NB: we don't `cars.clearRememberedDecisions()` in between the two calls to + // `testHelper` because that would clear all client auth certificate state and + // obscure what we're testing (that Firefox properly clears the relevant state + // when the last private window closes). + cars.clearRememberedDecisions(); +}); + +// Test that 3rd party certificates are taken into account when filtering client +// certificates based on the acceptible CA list sent by the server. +add_task(async function testCertFilteringWithIntermediate() { + let intermediateBytes = await IOUtils.readUTF8( + getTestFilePath("intermediate.pem") + ).then( + pem => { + let base64 = pemToBase64(pem); + let bin = atob(base64); + let bytes = []; + for (let i = 0; i < bin.length; i++) { + bytes.push(bin.charCodeAt(i)); + } + return bytes; + }, + error => { + throw error; + } + ); + let nssComponent = Cc["@mozilla.org/psm;1"].getService(Ci.nsINSSComponent); + nssComponent.addEnterpriseIntermediate(intermediateBytes); + gExpectedClientCertificateChoices = 4; + gClientAuthDialogService.state = DialogState.RETURN_CERT_SELECTED; + await testHelper( + "Ask Every Time", + "https://requireclientcert.example.com/", + "https://requireclientcert.example.com/", + true + ); + cars.clearRememberedDecisions(); + // This will reset the added intermediate. + await SpecialPowers.pushPrefEnv({ + set: [["security.enterprise_roots.enabled", true]], + }); +}); + +// Test that if the server certificate does not validate successfully, +// nsIClientAuthDialogService.chooseCertificate() is never called. +add_task(async function testNoDialogForUntrustedServerCertificate() { + gClientAuthDialogService.state = DialogState.ASSERT_NOT_CALLED; + await testHelper( + "Ask Every Time", + "https://requireclientcert-untrusted.example.com/", + undefined, + false + ); + // This clears all saved client auth certificate state so we don't influence + // subsequent tests. + cars.clearRememberedDecisions(); +}); diff --git a/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_speculative_connection.html b/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_speculative_connection.html new file mode 100644 index 0000000000..82aac47b2a --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_speculative_connection.html @@ -0,0 +1,6 @@ +<!DOCTYPE html> +<html> +<body> +<a href="https://requireclientcert.example.com" id="link">Click Me</a> +</body> +</html> diff --git a/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_speculative_connection.js b/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_speculative_connection.js new file mode 100644 index 0000000000..e68568ba86 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_speculative_connection.js @@ -0,0 +1,84 @@ +/* eslint-disable mozilla/no-arbitrary-setTimeout */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +"use strict"; + +// Tests that with speculative connections enabled, connections to servers that +// request a client authentication certificate succeed (the specific bug that +// was addressed with this patch involved navigation hanging because the +// connection to the server couldn't make progress without asking for a client +// authentication certificate, but it also wouldn't ask for a client +// authentication certificate until the connection had been claimed, which +// required that it make progress first). + +const { MockRegistrar } = ChromeUtils.importESModule( + "resource://testing-common/MockRegistrar.sys.mjs" +); + +const TEST_PATH = getRootDirectory(gTestPath).replace( + "chrome://mochitests/content", + "https://example.com" +); + +let chooseCertificateCalled = false; + +const clientAuthDialogService = { + chooseCertificate(hostname, certArray, loadContext, callback) { + is( + certArray.length, + 1, + "should have only one client certificate available" + ); + ok( + !chooseCertificateCalled, + "chooseCertificate should only be called once" + ); + chooseCertificateCalled = true; + callback.certificateChosen(certArray[0], false); + }, + + QueryInterface: ChromeUtils.generateQI(["nsIClientAuthDialogService"]), +}; + +add_setup(async function () { + await SpecialPowers.pushPrefEnv({ + set: [ + // Enable speculative connections. + ["network.http.speculative-parallel-limit", 6], + // Always ask to select a client authentication certificate. + ["security.default_personal_cert", "Ask Every Time"], + ], + }); + let clientAuthDialogServiceCID = MockRegistrar.register( + "@mozilla.org/security/ClientAuthDialogService;1", + clientAuthDialogService + ); + registerCleanupFunction(async function () { + MockRegistrar.unregister(clientAuthDialogServiceCID); + }); +}); + +add_task( + async function test_no_client_auth_selection_dialog_for_speculative_connections() { + await BrowserTestUtils.withNewTab( + `${TEST_PATH}browser_clientAuth_speculative_connection.html`, + async browser => { + // Click the link to navigate to a page that requests a client + // authentication certificate. Necko will make a speculative + // connection, but unfortunately there's no event or notification to + // observe. This test ensures that the navigation succeeds and that a + // client authentication certificate was requested. + let loaded = BrowserTestUtils.browserLoaded( + browser, + false, + "https://requireclientcert.example.com/" + ); + await BrowserTestUtils.synthesizeMouseAtCenter("#link", {}, browser); + await loaded; + ok(chooseCertificateCalled, "chooseCertificate must have been called"); + } + ); + } +); diff --git a/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_ui.js b/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_ui.js new file mode 100644 index 0000000000..9bf961250a --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_ui.js @@ -0,0 +1,161 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ +"use strict"; + +// Tests that the client authentication certificate chooser correctly displays +// provided information and correctly returns user input. + +const TEST_HOSTNAME = "Test Hostname"; +const TEST_ORG = "Test Org"; +const TEST_ISSUER_ORG = "Test Issuer Org"; +const TEST_PORT = 123; + +var certDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); +/** + * Test certificate (i.e. build/pgo/certs/mochitest.client). + * + * @type {nsIX509Cert} + */ +var cert; + +/** + * Opens the client auth cert chooser dialog. + * + * @param {nsIX509Cert} cert The cert to pass to the dialog for display. + * @returns {Promise} + * A promise that resolves when the dialog has finished loading, with + * an array consisting of: + * 1. The window of the opened dialog. + * 2. The return value nsIWritablePropertyBag2 passed to the dialog. + */ +function openClientAuthDialog(cert) { + let certArray = [cert]; + let retVals = { cert: undefined, rememberDecision: undefined }; + let win = window.openDialog( + "chrome://pippki/content/clientauthask.xhtml", + "", + "", + { hostname: TEST_HOSTNAME, certArray, retVals } + ); + return TestUtils.topicObserved("cert-dialog-loaded").then(() => { + return { win, retVals }; + }); +} + +/** + * Checks that the contents of the given cert chooser dialog match the details + * of build/pgo/certs/mochitest.client. + * + * @param {window} win The cert chooser window. + * @param {string} notBefore + * The formatted notBefore date of mochitest.client. + * @param {string} notAfter + * The formatted notAfter date of mochitest.client. + */ +async function checkDialogContents(win, notBefore, notAfter) { + await TestUtils.waitForCondition(() => { + return win.document + .getElementById("clientAuthSiteIdentification") + .textContent.includes(`${TEST_HOSTNAME}`); + }); + let nicknames = win.document.getElementById("nicknames"); + await TestUtils.waitForCondition(() => { + return nicknames.label == "Mochitest client [03]"; + }); + await TestUtils.waitForCondition(() => { + return nicknames.itemCount == 1; + }); + let subject = win.document.getElementById("clientAuthCertDetailsIssuedTo"); + await TestUtils.waitForCondition(() => { + return subject.textContent == "Issued to: CN=Mochitest client"; + }); + let serialNum = win.document.getElementById( + "clientAuthCertDetailsSerialNumber" + ); + await TestUtils.waitForCondition(() => { + return serialNum.textContent == "Serial number: 03"; + }); + let validity = win.document.getElementById( + "clientAuthCertDetailsValidityPeriod" + ); + await TestUtils.waitForCondition(() => { + return validity.textContent == `Valid from ${notBefore} to ${notAfter}`; + }); + let issuer = win.document.getElementById("clientAuthCertDetailsIssuedBy"); + await TestUtils.waitForCondition(() => { + return ( + issuer.textContent == + "Issued by: OU=Profile Guided Optimization,O=Mozilla Testing,CN=Temporary Certificate Authority" + ); + }); + let tokenName = win.document.getElementById("clientAuthCertDetailsStoredOn"); + await TestUtils.waitForCondition(() => { + return tokenName.textContent == "Stored on: Software Security Device"; + }); +} + +function findCertByCommonName(commonName) { + for (let cert of certDB.getCerts()) { + if (cert.commonName == commonName) { + return cert; + } + } + return null; +} + +add_setup(async function () { + cert = findCertByCommonName("Mochitest client"); + isnot(cert, null, "Should be able to find the test client cert"); +}); + +// Test that the contents of the dialog correspond to the details of the +// provided cert. +add_task(async function testContents() { + const formatter = new Intl.DateTimeFormat(undefined, { + dateStyle: "medium", + timeStyle: "long", + }); + let { win } = await openClientAuthDialog(cert); + await checkDialogContents( + win, + formatter.format(new Date(cert.validity.notBefore / 1000)), + formatter.format(new Date(cert.validity.notAfter / 1000)) + ); + await BrowserTestUtils.closeWindow(win); +}); + +// Test that the right values are returned when the dialog is accepted. +add_task(async function testAcceptDialogReturnValues() { + let { win, retVals } = await openClientAuthDialog(cert); + win.document.getElementById("rememberBox").checked = true; + info("Accepting dialog"); + win.document.getElementById("certAuthAsk").acceptDialog(); + await BrowserTestUtils.windowClosed(win); + + is(retVals.cert, cert, "cert should be returned as chosen cert"); + ok( + retVals.rememberDecision, + "Return value should signal 'Remember this decision' checkbox was checked" + ); +}); + +// Test that the right values are returned when the dialog is canceled. +add_task(async function testCancelDialogReturnValues() { + let { win, retVals } = await openClientAuthDialog(cert); + win.document.getElementById("rememberBox").checked = false; + info("Canceling dialog"); + win.document.getElementById("certAuthAsk").cancelDialog(); + await BrowserTestUtils.windowClosed(win); + + ok( + !retVals.cert, + "Return value should signal user did not choose a certificate" + ); + ok( + !retVals.rememberDecision, + "Return value should signal 'Remember this decision' checkbox was unchecked" + ); +}); diff --git a/security/manager/ssl/tests/mochitest/browser/browser_deleteCert_ui.js b/security/manager/ssl/tests/mochitest/browser/browser_deleteCert_ui.js new file mode 100644 index 0000000000..a8ff7cc8fb --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/browser_deleteCert_ui.js @@ -0,0 +1,259 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ +"use strict"; + +// Tests various aspects of the cert delete confirmation dialog. +// Among other things, tests that for each type of cert that can be deleted: +// 1. The various lines of explanation text are correctly set. +// 2. The implementation correctly falls back through multiple cert attributes +// to determine what to display to represent a cert. + +/** + * An array of tree items corresponding to TEST_CASES. + * + * @type {nsICertTreeItem[]} + */ +var gCertArray = []; + +const FAKE_HOST_PORT = "Fake host and port"; + +/** + * @typedef TestCase + * @type {object} + * @property {string} certFilename + * Filename of the cert, or null if we don't want to import a cert for + * this test case (i.e. we expect the hostPort attribute of + * nsICertTreeItem to be used). + * @property {string} expectedDisplayString + * The string we expect the UI to display to represent the given cert. + * @property {string} expectedSerialNumber + * The serial number we expect the UI to display if it exists. + */ + +/** + * A list of test cases representing certs that get "deleted". + * + * @type {TestCase[]} + */ +const TEST_CASES = [ + { + certFilename: null, + expectedDisplayString: FAKE_HOST_PORT, + expectedSerialNumber: null, + }, + { + certFilename: "has-cn.pem", + expectedDisplayString: "Foo", + expectedSerialNumber: null, + }, + { + certFilename: "has-ou.pem", + expectedDisplayString: "Bar", + expectedSerialNumber: null, + }, + { + certFilename: "has-o.pem", + expectedDisplayString: "Baz", + expectedSerialNumber: null, + }, + { + certFilename: "has-non-empty-subject.pem", + expectedDisplayString: "C=US", + expectedSerialNumber: null, + }, + { + certFilename: "has-empty-subject.pem", + expectedDisplayString: "Certificate with serial number: 0A", + expectedSerialNumber: "0A", + }, +]; + +/** + * Opens the cert delete confirmation dialog. + * + * @param {string} tabID + * The ID of the cert category tab the certs to delete belong to. + * @returns {Promise} + * A promise that resolves when the dialog has finished loading, with + * an array consisting of: + * 1. The window of the opened dialog. + * 2. The return value object passed to the dialog. + */ +function openDeleteCertConfirmDialog(tabID) { + let retVals = { + deleteConfirmed: false, + }; + let win = window.openDialog( + "chrome://pippki/content/deletecert.xhtml", + "", + "", + tabID, + gCertArray, + retVals + ); + return new Promise((resolve, reject) => { + win.addEventListener( + "load", + function () { + executeSoon(() => resolve([win, retVals])); + }, + { once: true } + ); + }); +} + +add_setup(async function () { + for (let testCase of TEST_CASES) { + let cert = null; + if (testCase.certFilename) { + cert = await readCertificate(testCase.certFilename, ",,"); + } + let certTreeItem = { + hostPort: FAKE_HOST_PORT, + cert, + QueryInterface: ChromeUtils.generateQI(["nsICertTreeItem"]), + }; + gCertArray.push(certTreeItem); + } +}); + +/** + * Test helper for the below test cases. + * + * @param {string} tabID + * ID of the cert category tab the certs to delete belong to. + * @param {string} expectedTitleL10nId + * The L10nId of title the dialog is expected to have. + * @param {string} expectedConfirmL10nId + * The l10n id of confirmation message the dialog expected to show. + * @param {string} expectedImpactL10nId + * The l10n id of impact the dialog expected to show. + */ +async function testHelper( + tabID, + expectedTitleL10nId, + expectedConfirmL10nId, + expectedImpactL10nId +) { + let [win] = await openDeleteCertConfirmDialog(tabID); + let certList = win.document.getElementById("certlist"); + + Assert.deepEqual( + win.document.l10n.getAttributes(win.document.documentElement), + expectedTitleL10nId, + `Actual and expected titles should match for ${tabID}` + ); + let confirm = win.document.getElementById("confirm"); + Assert.deepEqual( + win.document.l10n.getAttributes(confirm), + expectedConfirmL10nId, + `Actual and expected confirm message should match for ${tabID}` + ); + let impact = win.document.getElementById("impact"); + Assert.deepEqual( + win.document.l10n.getAttributes(impact), + expectedImpactL10nId, + `Actual and expected impact should match for ${tabID}` + ); + + Assert.equal( + certList.itemCount, + TEST_CASES.length, + `No. of certs displayed should match for ${tabID}` + ); + for (let i = 0; i < certList.itemCount; i++) { + let item = certList.getItemAtIndex(i); + if (TEST_CASES[i].expectedSerialNumber == null) { + Assert.equal( + item.label, + TEST_CASES[i].expectedDisplayString, + "Actual and expected display string should match for " + + `index ${i} for ${tabID}` + ); + } else { + Assert.deepEqual( + win.document.l10n.getAttributes(item.children[0]), + { + id: "cert-with-serial", + args: { serialNumber: TEST_CASES[i].expectedSerialNumber }, + }, + "Actual and expected display string should match for " + + `index ${i} for ${tabID}` + ); + } + } + + await BrowserTestUtils.closeWindow(win); +} + +// Test deleting certs from the "Your Certificates" tab. +add_task(async function testDeletePersonalCerts() { + const expectedTitleL10nId = { id: "delete-user-cert-title", args: null }; + const expectedConfirmL10nId = { id: "delete-user-cert-confirm", args: null }; + const expectedImpactL10nId = { id: "delete-user-cert-impact", args: null }; + await testHelper( + "mine_tab", + expectedTitleL10nId, + expectedConfirmL10nId, + expectedImpactL10nId + ); +}); + +// Test deleting certs from the "People" tab. +add_task(async function testDeleteOtherPeopleCerts() { + const expectedTitleL10nId = { id: "delete-email-cert-title", args: null }; + // ’ doesn't seem to work when embedded in the following literals, which is + // why escape codes are used instead. + const expectedConfirmL10nId = { id: "delete-email-cert-confirm", args: null }; + const expectedImpactL10nId = { id: "delete-email-cert-impact", args: null }; + await testHelper( + "others_tab", + expectedTitleL10nId, + expectedConfirmL10nId, + expectedImpactL10nId + ); +}); + +// Test deleting certs from the "Authorities" tab. +add_task(async function testDeleteCACerts() { + const expectedTitleL10nId = { id: "delete-ca-cert-title", args: null }; + const expectedConfirmL10nId = { id: "delete-ca-cert-confirm", args: null }; + const expectedImpactL10nId = { id: "delete-ca-cert-impact", args: null }; + await testHelper( + "ca_tab", + expectedTitleL10nId, + expectedConfirmL10nId, + expectedImpactL10nId + ); +}); + +// Test that the right values are returned when the dialog is accepted. +add_task(async function testAcceptDialogReturnValues() { + let [win, retVals] = await openDeleteCertConfirmDialog( + "ca_tab" /* arbitrary */ + ); + info("Accepting dialog"); + win.document.getElementById("deleteCertificate").acceptDialog(); + await BrowserTestUtils.windowClosed(win); + + Assert.ok( + retVals.deleteConfirmed, + "Return value should signal user accepted" + ); +}); + +// Test that the right values are returned when the dialog is canceled. +add_task(async function testCancelDialogReturnValues() { + let [win, retVals] = await openDeleteCertConfirmDialog( + "ca_tab" /* arbitrary */ + ); + info("Canceling dialog"); + win.document.getElementById("deleteCertificate").cancelDialog(); + await BrowserTestUtils.windowClosed(win); + + Assert.ok( + !retVals.deleteConfirmed, + "Return value should signal user did not accept" + ); +}); diff --git a/security/manager/ssl/tests/mochitest/browser/browser_downloadCert_ui.js b/security/manager/ssl/tests/mochitest/browser/browser_downloadCert_ui.js new file mode 100644 index 0000000000..51715b1352 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/browser_downloadCert_ui.js @@ -0,0 +1,134 @@ +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ +"use strict"; + +// Tests that the cert download/import UI correctly identifies the cert being +// downloaded, and allows the trust of the cert to be specified. + +const { MockRegistrar } = ChromeUtils.importESModule( + "resource://testing-common/MockRegistrar.sys.mjs" +); + +/** + * @typedef TestCase + * @type {object} + * @property {string} certFilename + * Filename of the cert for this test case. + * @property {string} expectedDisplayString + * The string we expect the UI to display to represent the given cert. + * @property {nsIX509Cert} cert + * Handle to the cert once read in setup(). + */ + +/** + * A list of test cases representing certs that get "downloaded". + * + * @type {TestCase[]} + */ +const TEST_CASES = [ + { certFilename: "has-cn.pem", expectedDisplayString: "Foo", cert: null }, + { + certFilename: "has-empty-subject.pem", + expectedDisplayString: "Certificate Authority (unnamed)", + cert: null, + }, +]; + +/** + * Opens the cert download dialog. + * + * @param {nsIX509Cert} cert + * The cert to pass to the dialog for display. + * @returns {Promise} + * A promise that resolves when the dialog has finished loading, with + * an array consisting of: + * 1. The window of the opened dialog. + * 2. The return value nsIWritablePropertyBag2 passed to the dialog. + */ +function openCertDownloadDialog(cert) { + let returnVals = Cc["@mozilla.org/hash-property-bag;1"].createInstance( + Ci.nsIWritablePropertyBag2 + ); + let win = window.openDialog( + "chrome://pippki/content/downloadcert.xhtml", + "", + "", + cert, + returnVals + ); + return new Promise((resolve, reject) => { + win.addEventListener( + "load", + function () { + executeSoon(() => resolve([win, returnVals])); + }, + { once: true } + ); + }); +} + +add_setup(async function () { + for (let testCase of TEST_CASES) { + testCase.cert = await readCertificate(testCase.certFilename, ",,"); + Assert.notEqual( + testCase.cert, + null, + `'${testCase.certFilename}' should have been read` + ); + } +}); + +// Test that the trust header message corresponds to the provided cert, and that +// the View Cert button launches the cert viewer for the provided cert. +add_task(async function testTrustHeaderAndViewCertButton() { + for (let testCase of TEST_CASES) { + let [win] = await openCertDownloadDialog(testCase.cert); + let expectedTrustHeaderString = + `Do you want to trust \u201C${testCase.expectedDisplayString}\u201D ` + + "for the following purposes?"; + Assert.equal( + win.document.getElementById("trustHeader").textContent, + expectedTrustHeaderString, + "Actual and expected trust header text should match for " + + `${testCase.certFilename}` + ); + + await BrowserTestUtils.closeWindow(win); + } +}); + +// Test that the right values are returned when the dialog is accepted. +add_task(async function testAcceptDialogReturnValues() { + let [win, retVals] = await openCertDownloadDialog(TEST_CASES[0].cert); + win.document.getElementById("trustSSL").checked = true; + win.document.getElementById("trustEmail").checked = false; + info("Accepting dialog"); + win.document.getElementById("download_cert").acceptDialog(); + await BrowserTestUtils.windowClosed(win); + + Assert.ok( + retVals.get("importConfirmed"), + "Return value should signal user chose to import the cert" + ); + Assert.ok( + retVals.get("trustForSSL"), + "Return value should signal SSL trust checkbox was checked" + ); + Assert.ok( + !retVals.get("trustForEmail"), + "Return value should signal E-mail trust checkbox was unchecked" + ); +}); + +// Test that the right values are returned when the dialog is canceled. +add_task(async function testCancelDialogReturnValues() { + let [win, retVals] = await openCertDownloadDialog(TEST_CASES[0].cert); + info("Canceling dialog"); + win.document.getElementById("download_cert").cancelDialog(); + await BrowserTestUtils.windowClosed(win); + + Assert.ok( + !retVals.get("importConfirmed"), + "Return value should signal user chose not to import the cert" + ); +}); diff --git a/security/manager/ssl/tests/mochitest/browser/browser_editCACertTrust.js b/security/manager/ssl/tests/mochitest/browser/browser_editCACertTrust.js new file mode 100644 index 0000000000..9a36eca7bf --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/browser_editCACertTrust.js @@ -0,0 +1,141 @@ +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ +"use strict"; + +// Tests that the UI for editing the trust of a CA certificate correctly +// reflects trust in the cert DB, and correctly updates trust in the cert DB +// when requested. + +var gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +/** + * The cert we're editing the trust of. + * + * @type {nsIX509Cert} + */ +var gCert; + +/** + * Opens the cert trust editing dialog. + * + * @returns {Promise} + * A promise that resolves when the dialog has finished loading with + * the window of the opened dialog. + */ +function openEditCertTrustDialog() { + let win = window.openDialog( + "chrome://pippki/content/editcacert.xhtml", + "", + "", + gCert + ); + return new Promise((resolve, reject) => { + win.addEventListener( + "load", + function () { + executeSoon(() => resolve(win)); + }, + { once: true } + ); + }); +} + +add_setup(async function () { + // Initially trust ca.pem for SSL but not e-mail. + gCert = await readCertificate("ca.pem", "CT,,"); + Assert.ok( + gCertDB.isCertTrusted( + gCert, + Ci.nsIX509Cert.CA_CERT, + Ci.nsIX509CertDB.TRUSTED_SSL + ), + "Sanity check: ca.pem should be trusted for SSL" + ); + Assert.ok( + !gCertDB.isCertTrusted( + gCert, + Ci.nsIX509Cert.CA_CERT, + Ci.nsIX509CertDB.TRUSTED_EMAIL + ), + "Sanity check: ca.pem should not be trusted for e-mail" + ); +}); + +// Tests the following: +// 1. The checkboxes correctly reflect the trust set in setup(). +// 2. Accepting the dialog after flipping some of the checkboxes results in the +// correct trust being set in the cert DB. +add_task(async function testAcceptDialog() { + let win = await openEditCertTrustDialog(); + + let sslCheckbox = win.document.getElementById("trustSSL"); + let emailCheckbox = win.document.getElementById("trustEmail"); + Assert.ok(sslCheckbox.checked, "Cert should be trusted for SSL in UI"); + Assert.ok( + !emailCheckbox.checked, + "Cert should not be trusted for e-mail in UI" + ); + + sslCheckbox.checked = false; + emailCheckbox.checked = true; + + info("Accepting dialog"); + win.document.getElementById("editCaCert").acceptDialog(); + await BrowserTestUtils.windowClosed(win); + + Assert.ok( + !gCertDB.isCertTrusted( + gCert, + Ci.nsIX509Cert.CA_CERT, + Ci.nsIX509CertDB.TRUSTED_SSL + ), + "Cert should no longer be trusted for SSL" + ); + Assert.ok( + gCertDB.isCertTrusted( + gCert, + Ci.nsIX509Cert.CA_CERT, + Ci.nsIX509CertDB.TRUSTED_EMAIL + ), + "Cert should now be trusted for e-mail" + ); +}); + +// Tests the following: +// 1. The checkboxes correctly reflect the trust set in testAcceptDialog(). +// 2. Canceling the dialog even after flipping the checkboxes doesn't result in +// a change of trust in the cert DB. +add_task(async function testCancelDialog() { + let win = await openEditCertTrustDialog(); + + let sslCheckbox = win.document.getElementById("trustSSL"); + let emailCheckbox = win.document.getElementById("trustEmail"); + Assert.ok(!sslCheckbox.checked, "Cert should not be trusted for SSL in UI"); + Assert.ok(emailCheckbox.checked, "Cert should be trusted for e-mail in UI"); + + sslCheckbox.checked = true; + emailCheckbox.checked = false; + + info("Canceling dialog"); + win.document.getElementById("editCaCert").cancelDialog(); + await BrowserTestUtils.windowClosed(win); + + Assert.ok( + !gCertDB.isCertTrusted( + gCert, + Ci.nsIX509Cert.CA_CERT, + Ci.nsIX509CertDB.TRUSTED_SSL + ), + "Cert should still not be trusted for SSL" + ); + Assert.ok( + gCertDB.isCertTrusted( + gCert, + Ci.nsIX509Cert.CA_CERT, + Ci.nsIX509CertDB.TRUSTED_EMAIL + ), + "Cert should still be trusted for e-mail" + ); +}); diff --git a/security/manager/ssl/tests/mochitest/browser/browser_exportP12_passwordUI.js b/security/manager/ssl/tests/mochitest/browser/browser_exportP12_passwordUI.js new file mode 100644 index 0000000000..8e6af27cbb --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/browser_exportP12_passwordUI.js @@ -0,0 +1,164 @@ +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ +"use strict"; + +// Tests that the UI for setting the password on a to be exported PKCS #12 file: +// 1. Correctly requires the password to be typed in twice as confirmation. +// 2. Calculates and displays the strength of said password. + +/** + * @typedef TestCase + * @type {object} + * @property {string} name + * The name of the test case for display purposes. + * @property {string} password1 + * The password to enter into the first password textbox. + * @property {string} password2 + * The password to enter into the second password textbox. + * @property {string} strength + * The expected strength of the password in the range [0, 100]. + */ + +/** + * A list of test cases representing various inputs to the password textboxes. + * + * @type {TestCase[]} + */ +const TEST_CASES = [ + { name: "empty", password1: "", password2: "", strength: "0" }, + { name: "match-weak", password1: "foo", password2: "foo", strength: "10" }, + { + name: "match-medium", + password1: "foo123", + password2: "foo123", + strength: "60", + }, + { + name: "match-strong", + password1: "fooBARBAZ 1234567890`~!@#$%^&*()-_=+{[}]|\\:;'\",<.>/?一二三", + password2: "fooBARBAZ 1234567890`~!@#$%^&*()-_=+{[}]|\\:;'\",<.>/?一二三", + strength: "100", + }, + { name: "mismatch-weak", password1: "foo", password2: "bar", strength: "10" }, + { + name: "mismatch-medium", + password1: "foo123", + password2: "bar", + strength: "60", + }, + { + name: "mismatch-strong", + password1: "fooBARBAZ 1234567890`~!@#$%^&*()-_=+{[}]|\\:;'\",<.>/?一二三", + password2: "bar", + strength: "100", + }, +]; + +/** + * Opens the dialog shown to set the password on a PKCS #12 file being exported. + * + * @returns {Promise} + * A promise that resolves when the dialog has finished loading, with + * an array consisting of: + * 1. The window of the opened dialog. + * 2. The return value nsIWritablePropertyBag2 passed to the dialog. + */ +function openSetP12PasswordDialog() { + let returnVals = Cc["@mozilla.org/hash-property-bag;1"].createInstance( + Ci.nsIWritablePropertyBag2 + ); + let win = window.openDialog( + "chrome://pippki/content/setp12password.xhtml", + "", + "", + returnVals + ); + return new Promise((resolve, reject) => { + win.addEventListener( + "load", + function () { + executeSoon(() => resolve([win, returnVals])); + }, + { once: true } + ); + }); +} + +// Tests that the first password textbox is the element that is initially +// focused. +add_task(async function testFocus() { + let [win] = await openSetP12PasswordDialog(); + Assert.equal( + win.document.activeElement, + win.document.getElementById("pw1"), + "First password textbox should have focus" + ); + await BrowserTestUtils.closeWindow(win); +}); + +// Tests that the password strength algorithm used is reasonable, and that the +// Accept button is only enabled if the two passwords match. +add_task(async function testPasswordStrengthAndEquality() { + let [win] = await openSetP12PasswordDialog(); + let password1Textbox = win.document.getElementById("pw1"); + let password2Textbox = win.document.getElementById("pw2"); + let strengthProgressBar = win.document.getElementById("pwmeter"); + + for (let testCase of TEST_CASES) { + password1Textbox.value = testCase.password1; + password2Textbox.value = testCase.password2; + // Setting the value of the password textboxes via |.value| apparently + // doesn't cause the oninput handlers to be called, so we do it here. + password1Textbox.oninput(); + password2Textbox.oninput(); + + Assert.equal( + win.document.getElementById("setp12password").getButton("accept") + .disabled, + password1Textbox.value != password2Textbox.value, + "Actual and expected accept button disable state should " + + `match for ${testCase.name}` + ); + Assert.equal( + strengthProgressBar.value, + testCase.strength, + `Actual and expected strength value should match for ${testCase.name}` + ); + } + + await BrowserTestUtils.closeWindow(win); +}); + +// Test that the right values are returned when the dialog is accepted. +add_task(async function testAcceptDialogReturnValues() { + let [win, retVals] = await openSetP12PasswordDialog(); + const password = "fooBAR 1234567890`~!@#$%^&*()-_=+{[}]|\\:;'\",<.>/?一二三"; + win.document.getElementById("pw1").value = password; + win.document.getElementById("pw2").value = password; + info("Accepting dialog"); + win.document.getElementById("setp12password").acceptDialog(); + await BrowserTestUtils.windowClosed(win); + + Assert.ok( + retVals.get("confirmedPassword"), + "Return value should signal user confirmed a password" + ); + Assert.equal( + retVals.get("password"), + password, + "Actual and expected password should match" + ); +}); + +// Test that the right values are returned when the dialog is canceled. +add_task(async function testCancelDialogReturnValues() { + let [win, retVals] = await openSetP12PasswordDialog(); + info("Canceling dialog"); + win.document.getElementById("setp12password").cancelDialog(); + await BrowserTestUtils.windowClosed(win); + + Assert.ok( + !retVals.get("confirmedPassword"), + "Return value should signal user didn't confirm a password" + ); +}); diff --git a/security/manager/ssl/tests/mochitest/browser/browser_loadPKCS11Module_ui.js b/security/manager/ssl/tests/mochitest/browser/browser_loadPKCS11Module_ui.js new file mode 100644 index 0000000000..9e4e244123 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/browser_loadPKCS11Module_ui.js @@ -0,0 +1,312 @@ +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ +"use strict"; + +// Tests the dialog used for loading PKCS #11 modules. + +const { MockRegistrar } = ChromeUtils.importESModule( + "resource://testing-common/MockRegistrar.sys.mjs" +); + +const gMockPKCS11ModuleDB = { + addModuleCallCount: 0, + expectedLibPath: "", + expectedModuleName: "", + throwOnAddModule: false, + + addModule(moduleName, libraryFullPath, cryptoMechanismFlags, cipherFlags) { + this.addModuleCallCount++; + Assert.equal( + moduleName, + this.expectedModuleName, + "addModule: Name given should be what's in the name textbox" + ); + Assert.equal( + libraryFullPath, + this.expectedLibPath, + "addModule: Path given should be what's in the path textbox" + ); + Assert.equal( + cryptoMechanismFlags, + 0, + "addModule: No crypto mechanism flags should be passed" + ); + Assert.equal(cipherFlags, 0, "addModule: No cipher flags should be passed"); + + if (this.throwOnAddModule) { + throw new Error(`addModule: Throwing exception`); + } + }, + + deleteModule(moduleName) { + Assert.ok(false, `deleteModule: should not be called`); + }, + + getInternal() { + throw new Error("not expecting getInternal() to be called"); + }, + + getInternalFIPS() { + throw new Error("not expecting getInternalFIPS() to be called"); + }, + + listModules() { + throw new Error("not expecting listModules() to be called"); + }, + + get canToggleFIPS() { + throw new Error("not expecting get canToggleFIPS() to be called"); + }, + + toggleFIPSMode() { + throw new Error("not expecting toggleFIPSMode() to be called"); + }, + + get isFIPSEnabled() { + throw new Error("not expecting get isFIPSEnabled() to be called"); + }, + + QueryInterface: ChromeUtils.generateQI(["nsIPKCS11ModuleDB"]), +}; + +const gMockPromptService = { + alertCallCount: 0, + expectedText: "", + expectedWindow: null, + + alert(parent, dialogTitle, text) { + this.alertCallCount++; + Assert.equal( + parent, + this.expectedWindow, + "alert: Parent should be expected window" + ); + Assert.equal(dialogTitle, null, "alert: Title should be null"); + Assert.equal( + text, + this.expectedText, + "alert: Actual and expected text should match" + ); + }, + + QueryInterface: ChromeUtils.generateQI(["nsIPromptService"]), +}; + +var gMockPKCS11CID = MockRegistrar.register( + "@mozilla.org/security/pkcs11moduledb;1", + gMockPKCS11ModuleDB +); +var gMockPromptServiceCID = MockRegistrar.register( + "@mozilla.org/prompter;1", + gMockPromptService +); + +var gMockFilePicker = SpecialPowers.MockFilePicker; +gMockFilePicker.init(window); + +var gTempFile = Services.dirsvc.get("TmpD", Ci.nsIFile); +gTempFile.append("browser_loadPKCS11Module_ui-fakeModule"); + +registerCleanupFunction(() => { + gMockFilePicker.cleanup(); + MockRegistrar.unregister(gMockPKCS11CID); + MockRegistrar.unregister(gMockPromptServiceCID); +}); + +function resetCallCounts() { + gMockPKCS11ModuleDB.addModuleCallCount = 0; + gMockPromptService.alertCallCount = 0; +} + +/** + * Opens the dialog shown to load a PKCS #11 module. + * + * @returns {Promise} + * A promise that resolves when the dialog has finished loading, with + * the window of the opened dialog. + */ +function openLoadModuleDialog() { + let win = window.openDialog( + "chrome://pippki/content/load_device.xhtml", + "", + "" + ); + return new Promise(resolve => { + win.addEventListener( + "load", + function () { + executeSoon(() => resolve(win)); + }, + { once: true } + ); + }); +} + +/** + * Presses the browse button and simulates interacting with the file picker that + * should be triggered. + * + * @param {window} win + * The dialog window. + * @param {boolean} cancel + * If true, the file picker is canceled. If false, gTempFile is chosen in + * the file picker and the file picker is accepted. + */ +async function browseToTempFile(win, cancel) { + gMockFilePicker.showCallback = () => { + gMockFilePicker.setFiles([gTempFile]); + + if (cancel) { + info("MockFilePicker returning cancel"); + return Ci.nsIFilePicker.returnCancel; + } + + info("MockFilePicker returning OK"); + return Ci.nsIFilePicker.returnOK; + }; + + info("Pressing browse button"); + win.document.getElementById("browse").doCommand(); + await TestUtils.topicObserved("LoadPKCS11Module:FilePickHandled"); +} + +add_task(async function testBrowseButton() { + let win = await openLoadModuleDialog(); + let pathBox = win.document.getElementById("device_path"); + let originalPathBoxValue = "expected path if picker is canceled"; + pathBox.value = originalPathBoxValue; + + // Test what happens if the file picker is canceled. + await browseToTempFile(win, true); + Assert.equal( + pathBox.value, + originalPathBoxValue, + "Path shown should be unchanged due to canceled picker" + ); + + // Test what happens if the file picker is not canceled. + await browseToTempFile(win, false); + Assert.equal( + pathBox.value, + gTempFile.path, + "Path shown should be same as the one chosen in the file picker" + ); + + await BrowserTestUtils.closeWindow(win); +}); + +function testAddModuleHelper(win, throwOnAddModule) { + resetCallCounts(); + gMockPKCS11ModuleDB.expectedLibPath = gTempFile.path; + gMockPKCS11ModuleDB.expectedModuleName = "test module"; + gMockPKCS11ModuleDB.throwOnAddModule = throwOnAddModule; + + win.document.getElementById("device_name").value = + gMockPKCS11ModuleDB.expectedModuleName; + win.document.getElementById("device_path").value = + gMockPKCS11ModuleDB.expectedLibPath; + + info("Accepting dialog"); + win.document.getElementById("loaddevice").acceptDialog(); +} + +add_task(async function testAddModuleSuccess() { + let win = await openLoadModuleDialog(); + + testAddModuleHelper(win, false); + await BrowserTestUtils.windowClosed(win); + + Assert.equal( + gMockPKCS11ModuleDB.addModuleCallCount, + 1, + "addModule() should have been called once" + ); + Assert.equal( + gMockPromptService.alertCallCount, + 0, + "alert() should never have been called" + ); +}); + +add_task(async function testAddModuleFailure() { + let win = await openLoadModuleDialog(); + gMockPromptService.expectedText = "Unable to add module"; + gMockPromptService.expectedWindow = win; + + // The exception we throw in addModule is first reported as an uncaught + // exception by XPConnect before an exception is propagated to the actual + // caller. + expectUncaughtException(true); + + testAddModuleHelper(win, true); + expectUncaughtException(false); + // If adding a module fails, the dialog will not close. As such, we have to + // close the window ourselves. + await BrowserTestUtils.closeWindow(win); + + Assert.equal( + gMockPKCS11ModuleDB.addModuleCallCount, + 1, + "addModule() should have been called once" + ); + Assert.equal( + gMockPromptService.alertCallCount, + 1, + "alert() should have been called once" + ); +}); + +add_task(async function testCancel() { + let win = await openLoadModuleDialog(); + resetCallCounts(); + + info("Canceling dialog"); + win.document.getElementById("loaddevice").cancelDialog(); + + Assert.equal( + gMockPKCS11ModuleDB.addModuleCallCount, + 0, + "addModule() should never have been called" + ); + Assert.equal( + gMockPromptService.alertCallCount, + 0, + "alert() should never have been called" + ); + + await BrowserTestUtils.windowClosed(win); +}); + +async function testModuleNameHelper(moduleName, acceptButtonShouldBeDisabled) { + let win = await openLoadModuleDialog(); + resetCallCounts(); + + info(`Setting Module Name to '${moduleName}'`); + let moduleNameBox = win.document.getElementById("device_name"); + moduleNameBox.value = moduleName; + // this makes this not a great test, but it's the easiest way to simulate this + moduleNameBox.onchange(); + + let dialogNode = win.document.querySelector("dialog"); + Assert.equal( + dialogNode.getAttribute("buttondisabledaccept"), + acceptButtonShouldBeDisabled ? "true" : "", // it's a string + `dialog accept button should ${ + acceptButtonShouldBeDisabled ? "" : "not " + }be disabled` + ); + + return BrowserTestUtils.closeWindow(win); +} + +add_task(async function testEmptyModuleName() { + await testModuleNameHelper("", true); +}); + +add_task(async function testReservedModuleName() { + await testModuleNameHelper("Root Certs", true); +}); + +add_task(async function testAcceptableModuleName() { + await testModuleNameHelper("Some Module Name", false); +}); diff --git a/security/manager/ssl/tests/mochitest/browser/ca.pem b/security/manager/ssl/tests/mochitest/browser/ca.pem new file mode 100644 index 0000000000..90b269209e --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/ca.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyTCCAbGgAwIBAgIUCytXeIVSOQ622rYL1uaLSms7TrcwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG +m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr +bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4 +SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3 +/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z +FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYD +VR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQBEpBaH+earFBTSrKZUsUmxH5q1 +9Ln/OCzi1hB5IHo3haTTKl8xrTe5sI4A7knfwbz9AwbLRW0L3zIAJGPjxhMDxYjn +t5YTQLQwZEbru2A9wCOELiDbXH1kJl0yI2JdGwGMwZ4Y7ifTG5EUEQeVFnDTc2xA +4W/RZBld/6Iqb2ECMc20tjvBSo9YCJ7OEz+gva4OBx+BtK7LHRVLEMBGYet64wi4 +5Y8cdzMwsV69tlLffrwLV32TCt1a4dNLmq9g/vgaONx1B9ltxq8fc8ErzYvYTLsh +0FY0VD/EabvGDnLuIHfTnuD5bbKhRFD8vOEoW+NKEVn3JveM8z6z0LQqt8CB +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/mochitest/browser/ca.pem.certspec b/security/manager/ssl/tests/mochitest/browser/ca.pem.certspec new file mode 100644 index 0000000000..6660f5d478 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:ca +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/mochitest/browser/client-cert-via-intermediate.pem b/security/manager/ssl/tests/mochitest/browser/client-cert-via-intermediate.pem new file mode 100644 index 0000000000..0639b2a7b0 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/client-cert-via-intermediate.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDETCCAfmgAwIBAgIUazXMVwZmjxSa95+Jhrdt0+mMZ3AwDQYJKoZIhvcNAQEL +BQAwQTEoMCYGA1UEAwwfVGVtcG9yYXJ5IENlcnRpZmljYXRlIEF1dGhvcml0eTEV +MBMGA1UECwwMSW50ZXJtZWRpYXRlMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy +MDQwMDAwMDBaMCcxJTAjBgNVBAMMHGNsaWVudCBjZXJ0IHZpYSBpbnRlcm1lZGlh +dGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braI +BjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVa +p0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB +7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4C +kC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJv +aeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgK +Ne2NAgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUA +A4IBAQAE8C6ApsLBOltZNrOLFWPb+hKGKJrbUDuvLh8BIXF8GhLz261zEj3IgZMI +yRgVuEmAcjgkqSnuARq8zqGkr2mFT6g2GXix4QrBAuN8kitOki/Ds7yrTsRzk/iO +AzJLa2Uvqa0Ai2cs7XepIAv114sSAIp1kP1+e0R1xi7smoDLFJmzisc7XhFmH4qI +z37aeqU8QdaxJnWF08X+S0Gk5m7qC1ueWgcHEWDq5xenqQYW6IhrEhHEwNLzxs3V +Q+YXIb8TXTNMfcbYr7j2MicoUD+emYGW+Tb/sB4xq1aH3QocJP/6kwpE6iqhjjr9 +HMJwx81SgJXoGs63k+Tf2ih4OPvG +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/mochitest/browser/client-cert-via-intermediate.pem.certspec b/security/manager/ssl/tests/mochitest/browser/client-cert-via-intermediate.pem.certspec new file mode 100644 index 0000000000..cab2448889 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/client-cert-via-intermediate.pem.certspec @@ -0,0 +1,3 @@ +issuer:/CN=Temporary Certificate Authority/OU=Intermediate +subject:client cert via intermediate +extension:extKeyUsage:clientAuth diff --git a/security/manager/ssl/tests/mochitest/browser/client-cert-with-ocsp-signing.pem b/security/manager/ssl/tests/mochitest/browser/client-cert-with-ocsp-signing.pem new file mode 100644 index 0000000000..b3321ade96 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/client-cert-with-ocsp-signing.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDSDCCAjCgAwIBAgIUESnNHJJUmr0N5OMLVtpjwidqEu4wDQYJKoZIhvcNAQEL +BQAwajEoMCYGA1UEAxMfVGVtcG9yYXJ5IENlcnRpZmljYXRlIEF1dGhvcml0eTEY +MBYGA1UEChMPTW96aWxsYSBUZXN0aW5nMSQwIgYDVQQLExtQcm9maWxlIEd1aWRl +ZCBPcHRpbWl6YXRpb24wIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAwMDAw +MFowKzEpMCcGA1UEAwwgY2xpZW50IGNlcnQgd2l0aCBPQ1NQU2lnbmluZyBla3Uw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQ +PTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH +9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw +4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86 +exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0 +ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2N +AgMBAAGjITAfMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDCTANBgkqhkiG +9w0BAQsFAAOCAQEAQsoHHdWUfZ+DVMAsLGqRs7wUuK+JUT1ZGBUejm/jHUu53n44 +bd9dROahgeXvTAHvwZqvFNL3qYjJPhbtIYzNYa/OQwQCC9dPv9pPE5npRf64m4qc +sMO1rWkSAnljIfJv+NPugtzfJPTNQ6nimx1CEijKxyv3/5hy2pYMAzMMDMufynID +PlU8QXp6kHq+xYBggX54iHdAyObvD4O6YrFAOo/xXN6iqH4pNimE6m/+gPbWTerf +YCHAWXYfZ4Mq3AnE+Dzkl1XxMCrmS9LFguWSV1Zz8YbzAWgiZ4M5qxP7eaA0hPSY +bNEGLMr+tb3vn7AHGA9LySBZnZG2ZrMOgjdTnA== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/mochitest/browser/client-cert-with-ocsp-signing.pem.certspec b/security/manager/ssl/tests/mochitest/browser/client-cert-with-ocsp-signing.pem.certspec new file mode 100644 index 0000000000..5cbd5af8f0 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/client-cert-with-ocsp-signing.pem.certspec @@ -0,0 +1,3 @@ +issuer:printableString/CN=Temporary Certificate Authority/O=Mozilla Testing/OU=Profile Guided Optimization +subject:client cert with OCSPSigning eku +extension:extKeyUsage:clientAuth,OCSPSigning diff --git a/security/manager/ssl/tests/mochitest/browser/code-ee.pem b/security/manager/ssl/tests/mochitest/browser/code-ee.pem new file mode 100644 index 0000000000..00d89a7880 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/code-ee.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyDCCAbCgAwIBAgIUcSZpO8heK76gtjUinR9ZHfSXvHIwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowEjEQMA4GA1UEAwwHY29kZS1lZTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODY +H72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk +27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A9 +0jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMM +kd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaL +L+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMXMBUwEwYDVR0lBAwwCgYI +KwYBBQUHAwMwDQYJKoZIhvcNAQELBQADggEBAGJiZ7XrXvVd8x8x+Aq9uPgDAvLU +MBJ2KTGGRcsu3RtTIy4856Ro7dgjuCyX38nX3AqI+geKWCerXe2sbjZ+NVC29Ppx +BvQwq80s6wy0dSReOr/8hFDHFCqJ/jTHCafNFhX77Db+Tt+lWlkf/tGRiO4cqE/r +6ejfJM7ZgNAdXHtY0v2H3DkSa19DUcY+kW45gYfnKkSrwAZFGbF//rb4uJy2i01q +8fvimkpKSIwM6hL6nZdAwzO37xetaH7AhGbjtK9YTiXISfH34zQVjqMH1xddSCU/ +2LBeTxIBj7Pqt2n3diM7cL02Ip3scABoIDdIJkL6I/QcGDg6mUUVBv7cypQ= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/mochitest/browser/code-ee.pem.certspec b/security/manager/ssl/tests/mochitest/browser/code-ee.pem.certspec new file mode 100644 index 0000000000..93f9a84265 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/code-ee.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:code-ee +extension:extKeyUsage:codeSigning diff --git a/security/manager/ssl/tests/mochitest/browser/ee-from-expired-ca.pem b/security/manager/ssl/tests/mochitest/browser/ee-from-expired-ca.pem new file mode 100644 index 0000000000..18d4717a55 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/ee-from-expired-ca.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICwjCCAaqgAwIBAgIUDwpGZ9TkQ1znfituEv+3wAUjlzcwDQYJKoZIhvcNAQEL +BQAwFTETMBEGA1UEAwwKZXhwaXJlZC1jYTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIw +MjUwMjA0MDAwMDAwWjAdMRswGQYDVQQDDBJlZS1mcm9tLWV4cGlyZWQtY2EwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT +2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzV +JJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8N +jf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCA +BiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVh +He4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMB +AAEwDQYJKoZIhvcNAQELBQADggEBAE6mku7tzWcfYfAA+8fQAPY5P84NmIXa9aRm +nrcVE0i8w01KmCVA+1PvEosius/Ub6wiaCaze/WUNZig682wCWlbWS4fe+YPyaay +9UqRNSrLfs8PtKa7iMXvrdU22RuM2XVAYysS/gqYCBxbeCzHDUeCB/08Re41XMOt +5Vk0McSwOaZ5XELSWlBeFnSGSyYXKTSKaXtPz1hmRdF7oeAMj8oJb6VCRFTDCZSf +eJN9n4s/TQa5qawlmxiwZIYI8SEir3hhQXF1G/Xf9DQf4EBpm6J5b23SJAUUfDKF +YYr2uDbkzXOiALGvDjJ2HIbNAPbxhJwNqG1gheHcTpLbhmN6KGc= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/mochitest/browser/ee-from-expired-ca.pem.certspec b/security/manager/ssl/tests/mochitest/browser/ee-from-expired-ca.pem.certspec new file mode 100644 index 0000000000..3e280fc4fc --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/ee-from-expired-ca.pem.certspec @@ -0,0 +1,2 @@ +issuer:expired-ca +subject:ee-from-expired-ca diff --git a/security/manager/ssl/tests/mochitest/browser/ee-from-untrusted-ca.pem b/security/manager/ssl/tests/mochitest/browser/ee-from-untrusted-ca.pem new file mode 100644 index 0000000000..3a029db49e --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/ee-from-untrusted-ca.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICxjCCAa6gAwIBAgIUJajqZUcpJWGn9b/Eqqf0KVSXdqMwDQYJKoZIhvcNAQEL +BQAwFzEVMBMGA1UEAwwMdW50cnVzdGVkLWNhMCIYDzIwMjIxMTI3MDAwMDAwWhgP +MjAyNTAyMDQwMDAwMDBaMB8xHTAbBgNVBAMMFGVlLWZyb20tdW50cnVzdGVkLWNh +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2 +ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdF +h/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6n +cOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAv +OnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2nj +tIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXt +jQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCEH6bV29DmFXA+Vg1pRbhKaxJ6DosL +puDtx8eWeLz1LZnhDxg7WoxSzg8hSINoht+KeE3mEM1wDlj+CHUaHlHpxXA2jnw0 +qTMOw8/uuR9GegtjP8fxWgDRPE8FdObtqgTwgz3PcFGHHDIbdmBjzldjp+mr9rLA +jLGUaMf2xLHHbIb9tCo06CGKcXs38sxnJLWC1XDe3RK36JD/Ba/6MvjEg7VM9a3T +uQsKNRj64yy+/fTgJ/1VKlXmVHYdwWAYTs/5zYR388M7xOvUHFp2zrDFpnLkdUdh +RPa5v7DKHa504V6dFSkMFkHsk0dNHgTznR1YNMFD7VmMQklMuvvgfQ3L +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/mochitest/browser/ee-from-untrusted-ca.pem.certspec b/security/manager/ssl/tests/mochitest/browser/ee-from-untrusted-ca.pem.certspec new file mode 100644 index 0000000000..833e1a23a6 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/ee-from-untrusted-ca.pem.certspec @@ -0,0 +1,2 @@ +issuer:untrusted-ca +subject:ee-from-untrusted-ca diff --git a/security/manager/ssl/tests/mochitest/browser/email-ee.pem b/security/manager/ssl/tests/mochitest/browser/email-ee.pem new file mode 100644 index 0000000000..d856aa6aa3 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/email-ee.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyTCCAbGgAwIBAgIUVZwQ1Of+nj4eG0+TjbqZffyD1rEwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowEzERMA8GA1UEAwwIZW1haWwtZWUwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg +2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ +5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQ +PdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGj +DJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8W +iy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjFzAVMBMGA1UdJQQMMAoG +CCsGAQUFBwMEMA0GCSqGSIb3DQEBCwUAA4IBAQCYbnocbOa5AGp4lEMq/ckjdp8J +8WElrTbZmzFbUSdg4t8a3PCNzxpKQbGaQc4q1OtSGxhXNEVGYzxiOWIXIeYkuQWS +Ej2SEk5krcOHgxu3JAucdidSaWNSUlhTpMgN2XekukSbSIE+MHBYgZqIM4yoQe59 +T2ns6fyqErRYpx828YrD2gDYiQAqyJQRA3DaGLRi1kjr8MWnalEgfxUkH7l8Qk09 +TGBmsOVLZaXtbXH3gNWW6275/Ea+zHyON3XrSVPNgXGPK6ZF7fb3sRE+SRaPjqgB +8w2fPZ6y/jw8MklVKiR2zY6GdaDCiX1IxmrsOFy5ANlqTvmOAglCg11pdcTt +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/mochitest/browser/email-ee.pem.certspec b/security/manager/ssl/tests/mochitest/browser/email-ee.pem.certspec new file mode 100644 index 0000000000..82e3296706 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/email-ee.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:email-ee +extension:extKeyUsage:emailProtection diff --git a/security/manager/ssl/tests/mochitest/browser/expired-ca.pem b/security/manager/ssl/tests/mochitest/browser/expired-ca.pem new file mode 100644 index 0000000000..e019b37127 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/expired-ca.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC0TCCAbmgAwIBAgIUS6xUkMzG2REizII2g+VecO/KqX8wDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxMDAxMDEwMDAwMDBaGA8yMDExMDEwMTAw +MDAwMFowFTETMBEGA1UEAwwKZXhwaXJlZC1jYTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl +qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg +w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx +V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1 +MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs +vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMdMBswDAYDVR0TBAUw +AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBABJdjrt25wocw4aP +eR1kZuu3WS0bKfuvhQQPFkAG+HYSC5eu0OriQCRlxn+qHY7du9dePcD6DTMDIVDW +r+oBJ9BwCEREyTcV8AEaHdcTAakXOMhq6OOltl6HUu3lSlqRslzAhtl1chM0P8m1 +Aj+ceOkCFHvnsDd+zcSP75u8zzJKypSWQwAg/i5S0BNLOWYarPiczuYi4HAOpwtX +QqlmDNMYySqPFfH72BuQdCLuviBXmMP8/kOouBNP4ti06RR88XgqfoL/jV4gkIM7 +92hXt0WpS/QffjWzLaej39YhW4pMZ+hF4bk9nUCtN/MHtg8WDj1CgfSJZegrl28W +3riMotA= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/mochitest/browser/expired-ca.pem.certspec b/security/manager/ssl/tests/mochitest/browser/expired-ca.pem.certspec new file mode 100644 index 0000000000..15bdcd7d73 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/expired-ca.pem.certspec @@ -0,0 +1,5 @@ +issuer:ca +subject:expired-ca +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign +validity:20100101-20110101 diff --git a/security/manager/ssl/tests/mochitest/browser/has-cn.pem b/security/manager/ssl/tests/mochitest/browser/has-cn.pem new file mode 100644 index 0000000000..d71fa7af3e --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/has-cn.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC1DCCAbygAwIBAgIUcRho0IgxDpQ9mLwrKXdUlGx+17EwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowNzEMMAoGA1UEAwwDRm9vMQwwCgYDVQQLDANCYXIxDDAKBgNVBAoMA0Jh +ejELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6 +iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr +4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP +8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OI +Q+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ +77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5J +I/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAAw5KXaTIVAa +aC5Wtey/YCgRodJWV5FBtBDmMBMVS6p9nKltnrLkns1f+nVPwhngoQ6BCbN0omJO +SCziNVK0RA3S1SfVOnz37sD0UodgGURZH2WoyLF5CLiplvkFmtR1E/NLGNSVthBk +lO2U8n4azTjD474/MJfeaafavzp/FfKl/qn9Df+D0GTRuVO/cwTeZgV5Xq+5NQHl +9TaCBWnJT0nCjXD5LY88MkS5gMfKYhg/Ukr+bXIONpoizc8oEbJ/y+zz40YTlyLS +nKd3AGFihWamXUNQoRNrqj0LJjkp4UOHse1NjUR/ELBOFoQ+isc4IlqMs6EJkkrV +nQn1tv3mTZQ= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/mochitest/browser/has-cn.pem.certspec b/security/manager/ssl/tests/mochitest/browser/has-cn.pem.certspec new file mode 100644 index 0000000000..a4a0fcb5fa --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/has-cn.pem.certspec @@ -0,0 +1,2 @@ +issuer:ca +subject:/CN=Foo/OU=Bar/O=Baz/C=US diff --git a/security/manager/ssl/tests/mochitest/browser/has-empty-subject.pem b/security/manager/ssl/tests/mochitest/browser/has-empty-subject.pem new file mode 100644 index 0000000000..df14041f69 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/has-empty-subject.pem @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE----- +MIICijCCAXKgAwIBAgIBCjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJjYTAi +GA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAAMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1 +aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/we +adA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSS +pH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62W +YVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauR +CE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqG +SIb3DQEBCwUAA4IBAQBu3MN1OSmzWjcY64BjiW16f8z/YzdgGljNnpiq9LBy3TwB +Upd0lgIF6y25W6pAYASM9A+5Wk9T3jHz7cYtvgYsxEvbYF9bNSLTc4EQJpMTQCuc +AcRTuZlGJJmBWAXG+FNgyuSGAHlW5fgv42k5av3Q7irzuDmKTp5nVNwbZ4a8gEyE +xIdECAsN7OZAcafZKHkAFXE+7x5p1HppDUT6Cnud26bRdw3PzacyvgzbEE/E7SAW +fi21fSsY84ybygiV6XXEDGlYMKiXPXNqKOKKQiOaNdjZHjDjs0WzMb3FitM6BJfT +w6yQin/tsf2UbnP/s2hZrCg92fNbCtG3P6MAGdYS +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/mochitest/browser/has-empty-subject.pem.certspec b/security/manager/ssl/tests/mochitest/browser/has-empty-subject.pem.certspec new file mode 100644 index 0000000000..6346f7b83a --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/has-empty-subject.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject: +serialNumber:10 diff --git a/security/manager/ssl/tests/mochitest/browser/has-non-empty-subject.pem b/security/manager/ssl/tests/mochitest/browser/has-non-empty-subject.pem new file mode 100644 index 0000000000..6fe0c66e96 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/has-non-empty-subject.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICqjCCAZKgAwIBAgIUcRygY3MPPtD72llMhdZrkA34zIQwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowDTELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG +m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr +bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4 +SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3 +/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z +FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQELBQADggEBACYn +2YYASS0cJRJNbLsF1u0Fst/4JcPQ/U9qzDh+jc5nhStUD4QUS20/dDQaOLX2LWan +cDRxY1gXhN4xCbxMhnh6jzkpj6kFqu4Mf6j5J/3V0l2G3jnyRbd+IY3GYRnj7oDk +1zllpA39hGRo8cdt1KNDwhc1BBfiFIu1M0iUIOEvpK5npKBXuR6z93OUhhtL1Fmf +k73cAm2HGXsUxlPwLV8jlRRyflF7ndT6+CBN9rHdA2enM2J6WgJraWEiISwDvBgs +sbWU/LoyrzsKFhH/TX3lN37VlqKeAmJVu1gC020Wu9G/yfzoaG38CQHwsiiwvwX/ +WDLOLH7F1yB7D+wlFCM= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/mochitest/browser/has-non-empty-subject.pem.certspec b/security/manager/ssl/tests/mochitest/browser/has-non-empty-subject.pem.certspec new file mode 100644 index 0000000000..cc1b668a63 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/has-non-empty-subject.pem.certspec @@ -0,0 +1,2 @@ +issuer:ca +subject:/C=US diff --git a/security/manager/ssl/tests/mochitest/browser/has-o.pem b/security/manager/ssl/tests/mochitest/browser/has-o.pem new file mode 100644 index 0000000000..28080a17a7 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/has-o.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICuDCCAaCgAwIBAgIUAS43zKpKvEqNftR+iGFQNyxunOEwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowGzEMMAoGA1UECgwDQmF6MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX +bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ +OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9 +uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb +t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO +NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG +9w0BAQsFAAOCAQEAl6kVxr3IJXmjnJ+SPVLG7b/UiRyPhZ1sEBBT2PLGeOU1bPNn +N4vDiLno2UUNPiZOJi3zkG/ljVAz9mQCVvoxwdtqSjduUk3+rZFWSG4VFuGxc66d +E7R0rTdlaFSdTp0Cf9zSHPIJ+bJzljB6plMzuRxy/PQ2JWii0qmK6pitTNpPrx6K +VspDcdDdLYsrdZ8OeH1NGvqeYCPaweU5Jmt1tmCv3XLB8Zdk091UAuqmZIlGbH5C +rXiDLxqnCr15dQYw/hHKNyRL2kSA8ZpVu/psmznGQB9wePYnjPnMUtJS/CF9pW0Y +2icCxZDUzguu2/1tFT/MVArWlGCR3FUr3XjgJQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/mochitest/browser/has-o.pem.certspec b/security/manager/ssl/tests/mochitest/browser/has-o.pem.certspec new file mode 100644 index 0000000000..f7cc3ffc73 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/has-o.pem.certspec @@ -0,0 +1,2 @@ +issuer:ca +subject:/O=Baz/C=US diff --git a/security/manager/ssl/tests/mochitest/browser/has-ou.pem b/security/manager/ssl/tests/mochitest/browser/has-ou.pem new file mode 100644 index 0000000000..c5590b5779 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/has-ou.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICxjCCAa6gAwIBAgIUa9qwFC5BxyhkqYu+ori020sfdFwwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowKTEMMAoGA1UECwwDQmFyMQwwCgYDVQQKDANCYXoxCzAJBgNVBAYTAlVT +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2 +ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdF +h/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6n +cOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAv +OnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2nj +tIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXt +jQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAJwpYG0a3/hstrP1duw/KaRaQ//NbS +QrlC0EBDjxZghjXjB+s5OTM78MO0Ao7052WgVCA289JWy9v5Pg9ht6KRBjarHSEU +H7IsZ/EkK0sV9aHgM0Lw8mZsG1ZCzkMMcySVzYvxUpKbc056pEuZAkATUNj0SZjx +tQMsqCXW0JvRQLUd7EDiFeGAx5UsRgQ33IUoEXLdJmsj+7RgEYPhX0bTNm18YpZV +MlDmaYXv2gXCYjOJAMcYXlVruHNuuq/cTHCgwIUObqYtEpkIAPqXb0KaoqdTiHn7 +rdWCnOk7BrTHfnoChc5jJvhlKWS7f2UEUw9nJCO1CN13bRQ7AXhZsGrC +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/mochitest/browser/has-ou.pem.certspec b/security/manager/ssl/tests/mochitest/browser/has-ou.pem.certspec new file mode 100644 index 0000000000..8879dabf51 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/has-ou.pem.certspec @@ -0,0 +1,2 @@ +issuer:ca +subject:/OU=Bar/O=Baz/C=US diff --git a/security/manager/ssl/tests/mochitest/browser/head.js b/security/manager/ssl/tests/mochitest/browser/head.js new file mode 100644 index 0000000000..1ae951d7a5 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/head.js @@ -0,0 +1,82 @@ +/* Any copyright is dedicated to the Public Domain. + http://creativecommons.org/publicdomain/zero/1.0/ */ +"use strict"; + +var gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +/** + * List of certs imported via readCertificate(). Certs in this list are + * automatically deleted from the cert DB when a test including this head file + * finishes. + * + * @type {nsIX509Cert[]} + */ +var gImportedCerts = []; + +registerCleanupFunction(() => { + for (let cert of gImportedCerts) { + gCertDB.deleteCertificate(cert); + } +}); + +// This function serves the same purpose as the one defined in head_psm.js. +function pemToBase64(pem) { + return pem + .replace(/-----BEGIN CERTIFICATE-----/, "") + .replace(/-----END CERTIFICATE-----/, "") + .replace(/[\r\n]/g, ""); +} + +/** + * Given the filename of a certificate, returns a promise that will resolve with + * a handle to the certificate when that certificate has been read and imported + * with the given trust settings. + * + * Certs imported via this function will automatically be deleted from the cert + * DB once the calling test finishes. + * + * @param {string} filename + * The filename of the certificate (assumed to be in the same directory). + * @param {string} trustString + * A string describing how the certificate should be trusted (see + * `certutil -A --help`). + * @returns {Promise} + * A promise that will resolve with a handle to the certificate. + */ +function readCertificate(filename, trustString) { + return IOUtils.readUTF8(getTestFilePath(filename)).then( + pem => { + let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + let base64 = pemToBase64(pem); + certdb.addCertFromBase64(base64, trustString); + let cert = certdb.constructX509FromBase64(base64); + gImportedCerts.push(cert); + return cert; + }, + error => { + throw error; + } + ); +} + +/** + * Asynchronously opens the certificate manager. + * + * @returns {Window} a handle on the opened certificate manager window + */ +async function openCertManager() { + let win = window.openDialog("chrome://pippki/content/certManager.xhtml"); + return new Promise((resolve, reject) => { + win.addEventListener( + "load", + function () { + executeSoon(() => resolve(win)); + }, + { once: true } + ); + }); +} diff --git a/security/manager/ssl/tests/mochitest/browser/hsts_headers.sjs b/security/manager/ssl/tests/mochitest/browser/hsts_headers.sjs new file mode 100644 index 0000000000..95eede25f0 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/hsts_headers.sjs @@ -0,0 +1,16 @@ +/* Any copyright is dedicated to the Public Domain. + * http://creativecommons.org/publicdomain/zero/1.0/ */ +"use strict"; + +function handleRequest(request, response) { + let hstsHeader = "max-age=300"; + if (request.queryString == "includeSubdomains") { + hstsHeader += "; includeSubdomains"; + } + response.setHeader("Strict-Transport-Security", hstsHeader); + response.setHeader("Pragma", "no-cache"); + response.setHeader("Cache-Control", "no-cache", false); + response.setHeader("Content-Type", "text/html", false); + response.setStatusLine(request.httpVersion, 200); + response.write("<!DOCTYPE html><html><body><h1>Ok!</h1></body></html>"); +} diff --git a/security/manager/ssl/tests/mochitest/browser/hsts_headers_framed.html b/security/manager/ssl/tests/mochitest/browser/hsts_headers_framed.html new file mode 100644 index 0000000000..5a0791557b --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/hsts_headers_framed.html @@ -0,0 +1,22 @@ +<!DOCTYPE html> +<html> +<body> +<script> + "use strict"; + + let src = document.location.href.replace("hsts_headers_framed.html", "hsts_headers.sjs"); + if (document.location.search == "?third-party") { + src = src.replace("example.com", "example.org"); + } + let frame = document.createElement("iframe"); + frame.setAttribute("src", src); + frame.onload = () => { + let done = document.createElement("h1"); + done.textContent = "done"; + done.setAttribute("id", "done"); + document.body.appendChild(done); + }; + document.body.appendChild(frame); +</script> +</body> +</html> diff --git a/security/manager/ssl/tests/mochitest/browser/intermediate.pem b/security/manager/ssl/tests/mochitest/browser/intermediate.pem new file mode 100644 index 0000000000..2480febf91 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/intermediate.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDWjCCAkKgAwIBAgIUQ98nHYCeqigGsr++R4IpE/QtJTwwDQYJKoZIhvcNAQEL +BQAwajEoMCYGA1UEAxMfVGVtcG9yYXJ5IENlcnRpZmljYXRlIEF1dGhvcml0eTEY +MBYGA1UEChMPTW96aWxsYSBUZXN0aW5nMSQwIgYDVQQLExtQcm9maWxlIEd1aWRl +ZCBPcHRpbWl6YXRpb24wIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAwMDAw +MFowQTEoMCYGA1UEAwwfVGVtcG9yYXJ5IENlcnRpZmljYXRlIEF1dGhvcml0eTEV +MBMGA1UECwwMSW50ZXJtZWRpYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGc +BptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzC +a2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8Xg +uEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK +9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGP +mRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsG +A1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAWSVWMKE1GS9pXzdJ2pgu501C +H/JSsxDaex9LfN9GGXN4NVDnbgPglf+q1vzY+8XjCGeGVUhum82Ui7s+fjCkDBcO +cY3iss94021rVHhNsdvuMq7BNE/Y7YtKfEQMNKtjoWWiF4OgU5M7NfNsU/oj3ycp +mefk+hNA+blPX9yfACKCeO/6RK5QFakDxZl5ls6KJIgqM2RvJHMBedHqTsfvBCbp +xMojtCZgCtFPGFgAIk2TGzRx5njiZeyseWH/drGdY/YKxJRCu0lLy30zVYJP1Ti/ +s4PSUczBu+6Hrx6PejewWtXcSyeK7E1+Fb7BX1OG9xPzVclUHrO8yuyS12ei7Q== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/mochitest/browser/intermediate.pem.certspec b/security/manager/ssl/tests/mochitest/browser/intermediate.pem.certspec new file mode 100644 index 0000000000..a562814041 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/intermediate.pem.certspec @@ -0,0 +1,4 @@ +issuer:printableString/CN=Temporary Certificate Authority/O=Mozilla Testing/OU=Profile Guided Optimization +subject:/CN=Temporary Certificate Authority/OU=Intermediate +extension:basicConstraints:cA, +extension:keyUsage:keyCertSign,cRLSign diff --git a/security/manager/ssl/tests/mochitest/browser/invalid.pem b/security/manager/ssl/tests/mochitest/browser/invalid.pem new file mode 100644 index 0000000000..0063e0c39d --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/invalid.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICwDCCAaigAwIBAgIUfZyrU2miUlovoBEId6Sq0W2+GN4wDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowEjEQMA4GA1UEAwwHaW52YWxpZDCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODY +H72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk +27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A9 +0jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMM +kd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaL +L+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMPMA0wCwYDVR0PBAQDAgEG +MA0GCSqGSIb3DQEBCwUAA4IBAQB+WgW4wZiskIjyu+7JNHvivXSO3N6F6etrjgKS +0KfvdOYpriS5J4yVsYjiTdlAK+PNgx3V9RDCrYD/lWQKZmMB5eWy5xvPfQvke+PQ +VSo/IXvCWE3jvmNGH/1x0ludyFa08TgbcGGbfkJQhyg00IvdlyFypRzxkSFx4IiC +h5UcZEhR8DhXeIS4Jcy9whcRfqC/rGLOWPS75rXDaSI+qolQlFEvmL0c89yYudtL +g1vQz8YHo3OAqht60gkxMV/dtHwONltxDuO55PXl65Q1OYZGghdUC9q750Hi2U5Y +lpz5GdxqPH1SlC4TFUXcTw+wTywV+OTR3B/lYxzwh6eZgUPW +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/mochitest/browser/invalid.pem.certspec b/security/manager/ssl/tests/mochitest/browser/invalid.pem.certspec new file mode 100644 index 0000000000..71a1707c35 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/invalid.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:invalid +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/mochitest/browser/longOID.pem b/security/manager/ssl/tests/mochitest/browser/longOID.pem new file mode 100644 index 0000000000..edbe739c9f --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/longOID.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIESjCCAzKgAwIBAgIUH/LZJJV0+HAiFpg1LFyimJNN2/0wDQYJKoZIhvcNAQEL +BQAwEzERMA8GA1UEAwwITG9uZyBPSUQwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1 +MDIwNDAwMDAwMFowEzERMA8GA1UEAwwITG9uZyBPSUQwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wk +e8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0Dgg +KZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmI +YXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7fi +lhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbL +HCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjggGQMIIBjDAM +BgNVHRMEBTADAQH/MIIBegYDVR0gBIIBcTCCAW0wggFpBoIBZSqD3OuTf4Pc65N/ +g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zr +k3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D +3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuT +f4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc +65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/ +g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zr +k3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D +3OuTf4Pc65N/ATANBgkqhkiG9w0BAQsFAAOCAQEASReXmbBObPQQC3qN9cFj7txY +ArJ/gW14Os+qqn03/ArWcORIoQF/vD6X8tdV1bKcKzLxqvZ0bdMyaRg2CMUX1LiF +/jfVooot21ZJwh07IKYi8RBm54BAYlAqUB82mMutUc+6Ut/9MqxsAtKoBjjnoV78 +94cf3K/lKoTwdVz9F1L91RC6ARbnU69xcYLGU4Tazt1Zf3VVY4Y5iOxFYLuFcyyW +dwHRaobTjN1OA70e5emPQARbVt+nUbcJPGTUL6kQFxNzRJ2GStqBV2QmxXES/cgw ++itB72hrTgIFFAsi9oYLPXlNIgJ+1T0uq7t8vqenpIZUTmch6ZLomFvRYEBOEQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/mochitest/browser/longOID.pem.certspec b/security/manager/ssl/tests/mochitest/browser/longOID.pem.certspec new file mode 100644 index 0000000000..c3c08ac84b --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/longOID.pem.certspec @@ -0,0 +1,4 @@ +issuer:Long OID +subject:Long OID +extension:basicConstraints:cA, +extension:certificatePolicies:1.2.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.1 diff --git a/security/manager/ssl/tests/mochitest/browser/md5-ee.pem b/security/manager/ssl/tests/mochitest/browser/md5-ee.pem new file mode 100644 index 0000000000..5c562cf0b4 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/md5-ee.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICrjCCAZagAwIBAgIURRrxes60EYjDGrpfM/azxcVXALQwDQYJKoZIhvcNAQEE +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowETEPMA0GA1UEAwwGbWQ1LWVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf +vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb +uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S +O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR +3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv +5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqGSIb3DQEBBAUAA4IB +AQBvnuXiImrqTkusX+19BoKO2bQlP5sQLnfTvyOzyHOK5MoDkC7up7bFSnFgOdxH +L2LllEFbS9O26poAMA+EY2sQ6Rn3WiFZUkmF5pKhVp6I90SwIExa13YGyLTqWMsu +ttbwrAXwNIp31mGmt4UNArLoAyyK+nn+juVaPm+C8VORqzCpJVzJt9+35XAnpwt1 +1Q8lYNNulzi+qbZH85LGrUvhPe2tIstUz9SoGfg0ljP/fvinDRoVPOs7i3+x+RM5 +uVeaQ8LZTmAVCfBdD3e18ehYoHFyWPKZClQTR6X2TeLp4/gepissuwWa1igYA9Hi +1tEhEobBwd17/mjr3J/fKnSd +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/mochitest/browser/md5-ee.pem.certspec b/security/manager/ssl/tests/mochitest/browser/md5-ee.pem.certspec new file mode 100644 index 0000000000..279c158026 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/md5-ee.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:md5-ee +signature:md5WithRSAEncryption diff --git a/security/manager/ssl/tests/mochitest/browser/moz.build b/security/manager/ssl/tests/mochitest/browser/moz.build new file mode 100644 index 0000000000..cfd5452a0e --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/moz.build @@ -0,0 +1,7 @@ +# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*- +# vim: set filetype=python: +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +BROWSER_CHROME_MANIFESTS += ["browser.toml"] diff --git a/security/manager/ssl/tests/mochitest/browser/pgo-ca-all-usages.pem b/security/manager/ssl/tests/mochitest/browser/pgo-ca-all-usages.pem new file mode 100644 index 0000000000..9d21112e3c --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/pgo-ca-all-usages.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDgzCCAmugAwIBAgIUefe9aVUlLbfhs5MiySqADkIcdJ8wDQYJKoZIhvcNAQEL +BQAwajEoMCYGA1UEAxMfVGVtcG9yYXJ5IENlcnRpZmljYXRlIEF1dGhvcml0eTEY +MBYGA1UEChMPTW96aWxsYSBUZXN0aW5nMSQwIgYDVQQLExtQcm9maWxlIEd1aWRl +ZCBPcHRpbWl6YXRpb24wIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAwMDAw +MFowajEoMCYGA1UEAxMfVGVtcG9yYXJ5IENlcnRpZmljYXRlIEF1dGhvcml0eTEY +MBYGA1UEChMPTW96aWxsYSBUZXN0aW5nMSQwIgYDVQQLExtQcm9maWxlIEd1aWRl +ZCBPcHRpbWl6YXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6 +iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr +4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP +8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OI +Q+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ +77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5J +I/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQD +AgH+MA0GCSqGSIb3DQEBCwUAA4IBAQClgVd2rdbSo0TCmrgszyl7TQ465L+YMlqD +Q/KXpO8H7aKIxptW+7CwfhxnpLd6RLbjsK1K/cFF2a5cVJxsh4t2HoVybjivuOp1 +Yws4/3xVFqu4NsCz2eLHKt3bIZf8TASeJpuvJvNEmqnEHHoRQnfxiQMa0ztcJss7 +Wvb/Nck5iUHTFlkOghgUE3yDZ9yPlofIrCrZiWBGINslHYRZCue0irfv7T40hPyv +hu+agWCdauh/p77+Z6Nq5b7rGNsF8zN0O3W/f4RbGTjzhtPMZcg4fYCLqqv7ML3z +C314G9wQIBPwMjVAEyaOf7G6V48WrRz7q6V83noKmf0vsPGHvH9U +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/mochitest/browser/pgo-ca-all-usages.pem.certspec b/security/manager/ssl/tests/mochitest/browser/pgo-ca-all-usages.pem.certspec new file mode 100644 index 0000000000..4def496f67 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/pgo-ca-all-usages.pem.certspec @@ -0,0 +1,4 @@ +issuer:printableString/CN=Temporary Certificate Authority/O=Mozilla Testing/OU=Profile Guided Optimization +subject:printableString/CN=Temporary Certificate Authority/O=Mozilla Testing/OU=Profile Guided Optimization +extension:basicConstraints:cA, +extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign diff --git a/security/manager/ssl/tests/mochitest/browser/pgo-ca-regular-usages.pem b/security/manager/ssl/tests/mochitest/browser/pgo-ca-regular-usages.pem new file mode 100644 index 0000000000..1fda92bb93 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/pgo-ca-regular-usages.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDgzCCAmugAwIBAgIUfy7mnEW2lfad+ZR8vPZUtd+l8KEwDQYJKoZIhvcNAQEL +BQAwajEoMCYGA1UEAxMfVGVtcG9yYXJ5IENlcnRpZmljYXRlIEF1dGhvcml0eTEY +MBYGA1UEChMPTW96aWxsYSBUZXN0aW5nMSQwIgYDVQQLExtQcm9maWxlIEd1aWRl +ZCBPcHRpbWl6YXRpb24wIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAwMDAw +MFowajEoMCYGA1UEAxMfVGVtcG9yYXJ5IENlcnRpZmljYXRlIEF1dGhvcml0eTEY +MBYGA1UEChMPTW96aWxsYSBUZXN0aW5nMSQwIgYDVQQLExtQcm9maWxlIEd1aWRl +ZCBPcHRpbWl6YXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6 +iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr +4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP +8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OI +Q+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ +77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5J +I/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQD +AgEGMA0GCSqGSIb3DQEBCwUAA4IBAQAiC+uvMvWWWs2WYG/Hf3Q18unxl4jV7QhZ +TGpxLCM63AUo0vhCZQia8L0qvvwLJ7RUOnDBQrT6mrGDBi8sWQyzna8X/qA7jD/K +cM2z8QkIs/y8BV1u8KZ68fXqMz6toptWkJK55IFk85GHEDlgPX0lh4SPd4BCuY+X ++v534nMMm8xBtzXZbrvxe2manCFfPIq0yr0Vl+psnAYgVW96JivxqcfiYn59y1n6 +8YZrGgCZ35B5LgLIBzZi5sJtBC/VLRrVGSci8nNGQzqQ5TXDgGns7eO5mOGIy+ZV +l8A03fNLP5lB6QFNvPMg5ux4gKN2VGjPcU+RxdrucDgJU+RgzuGs +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/mochitest/browser/pgo-ca-regular-usages.pem.certspec b/security/manager/ssl/tests/mochitest/browser/pgo-ca-regular-usages.pem.certspec new file mode 100644 index 0000000000..448e167bd0 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/pgo-ca-regular-usages.pem.certspec @@ -0,0 +1,4 @@ +issuer:printableString/CN=Temporary Certificate Authority/O=Mozilla Testing/OU=Profile Guided Optimization +subject:printableString/CN=Temporary Certificate Authority/O=Mozilla Testing/OU=Profile Guided Optimization +extension:basicConstraints:cA, +extension:keyUsage:keyCertSign,cRLSign diff --git a/security/manager/ssl/tests/mochitest/browser/revoked.pem b/security/manager/ssl/tests/mochitest/browser/revoked.pem new file mode 100644 index 0000000000..dfdea6aab8 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/revoked.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICrzCCAZegAwIBAgIUY6Ozs/15FHnCV6XP+oKphcqua4IwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowEjEQMA4GA1UEAwwHcmV2b2tlZDCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODY +H72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk +27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A9 +0jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMM +kd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaL +L+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0BAQsFAAOC +AQEAiygONmY4DwqqR/CexFcHaXXE+L+6O4hjvSjC+JfoAaQjULUYMyILyJLgwy5W +sjO7zZBm9lpfOq2APz64rWqAWuxISbUkHTAD+Juqq08ehgCbO+qUqDPdN+8gbTy0 +IhJa5MjRg5eO7ggFLiMlnETI2ZkvQYe/LhGMUzel7sfsWi1eTEsB+BZSHQjUrjn4 +AJ7vBEOmI4c67DbZzhMCr32U6Zkv2J8mcH6H12U+WkyCbPDkx69UK+AqaGeEX+ka +Lmn4Yi5FIP44Vv3IoSy9DMEsjuT+9GHrH9HFgNugThhmNis4DM2wjdbUXdjR/T9e +yhz9WTXANM5omANrP/zH6dNk1g== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/mochitest/browser/revoked.pem.certspec b/security/manager/ssl/tests/mochitest/browser/revoked.pem.certspec new file mode 100644 index 0000000000..daf75c670f --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/revoked.pem.certspec @@ -0,0 +1,2 @@ +issuer:ca +subject:revoked diff --git a/security/manager/ssl/tests/mochitest/browser/some_content.html b/security/manager/ssl/tests/mochitest/browser/some_content.html new file mode 100644 index 0000000000..f591f32d3d --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/some_content.html @@ -0,0 +1,6 @@ +<!DOCTYPE html> +<html> +<body> +<h1>Some Content!</h1> +</body> +</html> diff --git a/security/manager/ssl/tests/mochitest/browser/some_content_framed.html b/security/manager/ssl/tests/mochitest/browser/some_content_framed.html new file mode 100644 index 0000000000..8f8194f9e7 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/some_content_framed.html @@ -0,0 +1,14 @@ +<!DOCTYPE html> +<html> +<body> +<script> + "use strict"; + + let src = document.location.href.replace("https://", "http://"); + let frame = document.createElement("iframe"); + frame.setAttribute("id", "frame"); + frame.setAttribute("src", src); + document.body.appendChild(frame); +</script> +</body> +</html> diff --git a/security/manager/ssl/tests/mochitest/browser/ssl-ee.pem b/security/manager/ssl/tests/mochitest/browser/ssl-ee.pem new file mode 100644 index 0000000000..272be45a76 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/ssl-ee.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC0TCCAbmgAwIBAgIUH3+Xdp/O5Rd6jutipltQkifl9ycwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowETEPMA0GA1UEAwwGc3NsLWVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf +vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb +uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S +O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR +3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv +5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoyEwHzAdBgNVHSUEFjAUBggr +BgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBAJTxcdoif/XVwjYR +hPRVCNmy20LErwphK4xK6+X4Zi1DJ/HvAWdjUPOkL/XbnddcoR56E11IgAD2UhLJ +vFNItTVs8NV7kTTf2Jsg4Fn4n3vfOcivdzlFOPIW5UMHUeJ7PNA9emJnK8YXjbrs +KZ0NVZ10H4Fuj+BgscdhvZ2FaHwyUhaJ9RgaORxGo+0pJDey/R9ruSn5CoqkHAFI +bwZ0z22cxjo6hWuewfblsAe8a5Ssbd90q1pXDadcFhQ7Aq+6SJkSCQPiM+Sz/iDN +xz1qCwdO0VjRRmVzweeOj3Ep8ebuUIGmnIdA08xAUztSHTkyXdAprN6EygHpibah +vRfsQrY= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/mochitest/browser/ssl-ee.pem.certspec b/security/manager/ssl/tests/mochitest/browser/ssl-ee.pem.certspec new file mode 100644 index 0000000000..c4037675f1 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/ssl-ee.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:ssl-ee +extension:extKeyUsage:serverAuth,clientAuth diff --git a/security/manager/ssl/tests/mochitest/browser/unknown-issuer.pem b/security/manager/ssl/tests/mochitest/browser/unknown-issuer.pem new file mode 100644 index 0000000000..a6d802883b --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/unknown-issuer.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICuzCCAaOgAwIBAgIUb7DcOwSWh31LKC+TIu6um7tDdIUwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHdW5rbm93bjAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw +MjA0MDAwMDAwWjAZMRcwFQYDVQQDDA51bmtub3duLWlzc3VlcjCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs +9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8 +HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7Ak +kqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJet +lmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2r +kQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkq +hkiG9w0BAQsFAAOCAQEASkzl98adoA7+9SxqkkPzL1cXKOMaWCiDsRUElri/B5B9 +UvIRhPIN1MA5NnkM7F2y+md0jF7fQQ0Ui4VaOpGo6iICFYq4g5SwX16HvIM95Uxy +1MK4TfbtaG7aoOvbV8fW8WDXnks2YyY34rd3AMU4xi2a+z7p1tNhU7K6gC5RgH+u +uP/xU0rb+yIyTDApt25QEJBNcLUMLpJN8Zcg5+RKcP4q9YAFkh3tSYhpiZhSgB2q +CTbFMRKpeXNpp9TgvMcAP1kM1UckNoQIyhBwgdtvPjEa0fbz/Wf7fIArCb6sk/jV ++xANql2CVcT07+Juka15opxAsDgwuYnR5eVaCB/DeA== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/mochitest/browser/unknown-issuer.pem.certspec b/security/manager/ssl/tests/mochitest/browser/unknown-issuer.pem.certspec new file mode 100644 index 0000000000..c76a4e2c7b --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/unknown-issuer.pem.certspec @@ -0,0 +1,2 @@ +issuer:unknown +subject:unknown-issuer diff --git a/security/manager/ssl/tests/mochitest/browser/untrusted-ca.pem b/security/manager/ssl/tests/mochitest/browser/untrusted-ca.pem new file mode 100644 index 0000000000..fe91a2849c --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/untrusted-ca.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC0zCCAbugAwIBAgIUN9RlKkRxZsQXbeuVuTiQV/eq/wUwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowFzEVMBMGA1UEAwwMdW50cnVzdGVkLWNhMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRME +BTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAPivTuANdnSMY +9vSbWY1LUYMjcXfeKNYPIB6t9tPjNFOFst2QnRG8qUWUQlj9FaB4uTVagHD6r6Gk +XEbuj3O/IgFfCLPxHebGLw1XlLHfWG9iQiR0bOkmLnlNJdHVJ4uI8aaVU9B80T3x +AzvPAfc4sv/7Fqu9XXHCUx3g6nqyKgcxWoXUe5sX/Wcvtjf3a5HcRUPJ6CYxM36X +RFeoELH79QMnJ4cYLbUWrOO8+n2RH0BnJAnyxBd8bNVknnROzbjq10wi60ei8Eon +8EIPNjveVtlnrAePm4EyTvFTYB8YtUPRTnkfJlRlVRDkRtQlscxdbmPZI/+xeXFu +5zD9Q/ez+Q== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/mochitest/browser/untrusted-ca.pem.certspec b/security/manager/ssl/tests/mochitest/browser/untrusted-ca.pem.certspec new file mode 100644 index 0000000000..04f4430574 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/untrusted-ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:untrusted-ca +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/alloworigin.sjs b/security/manager/ssl/tests/mochitest/mixedcontent/alloworigin.sjs new file mode 100644 index 0000000000..96c14f4e65 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/alloworigin.sjs @@ -0,0 +1,7 @@ +"use strict"; + +function handleRequest(request, response) { + response.setStatusLine(request.httpVersion, 200, "OK"); + response.setHeader("Access-Control-Allow-Origin", "*"); + response.write("<html><body>hello!</body></html>"); +} diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/backward.html b/security/manager/ssl/tests/mochitest/mixedcontent/backward.html new file mode 100644 index 0000000000..8699a07dda --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/backward.html @@ -0,0 +1,18 @@ +<!DOCTYPE HTML> +<html> +<head> + <script type="text/javascript"> + "use strict"; + window.onload = function() + { + window.setTimeout(function() + { + SpecialPowers.wrap(window).docShell + .QueryInterface(SpecialPowers.Ci.nsIWebNavigation) + .goBack(); + }, 100); + }; + + </script> +</head> +</html> diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/bug329869.js b/security/manager/ssl/tests/mochitest/mixedcontent/bug329869.js new file mode 100644 index 0000000000..053084a7da --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/bug329869.js @@ -0,0 +1,10 @@ +/* import-globals-from mixedContentTest.js */ +"use strict"; + +document.open(); +document.write("This is insecure XSS script " + document.cookie); +isSecurityState( + "broken", + "security broken after document write from unsecure script" +); +finish(); diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/bug383369step2.html b/security/manager/ssl/tests/mochitest/mixedcontent/bug383369step2.html new file mode 100644 index 0000000000..4bbf9bfe8c --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/bug383369step2.html @@ -0,0 +1,28 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>Bug 383369 test, step 2</title> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <link rel="stylesheet" type="text/css" href="/does_not_exist.css"> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> + + <script class="testbody" type="text/javascript"> + "use strict"; + + window.onload = function runTest() { + window.setTimeout(function () { + window.location = + "https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/bug383369step3.html?runtest"; + }, 0); + }; + + async function afterNavigationTest() + { + } + + </script> +</head> + +<body> +</body> +</html> diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/bug383369step3.html b/security/manager/ssl/tests/mochitest/mixedcontent/bug383369step3.html new file mode 100644 index 0000000000..276c2343fd --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/bug383369step3.html @@ -0,0 +1,29 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>Bug 383369 test, final step</title> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <script type="text/javascript" src="mixedContentTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> + + <script class="testbody" type="text/javascript"> + "use strict"; + + async function runTest() + { + await isSecurityState("secure", "secure page after insecure download and insecure subcontent still secure"); + finish(); + } + + async function afterNavigationTest() + { + await isSecurityState("secure", "still secure after back/forward"); + finish(); + } + + </script> +</head> + +<body> +</body> +</html> diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/download.auto b/security/manager/ssl/tests/mochitest/mixedcontent/download.auto new file mode 100644 index 0000000000..4d2fb7d5ae --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/download.auto @@ -0,0 +1 @@ +Temporary file for security/mixedconent tests
\ No newline at end of file diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/download.auto^headers^ b/security/manager/ssl/tests/mochitest/mixedcontent/download.auto^headers^ new file mode 100644 index 0000000000..9c3159e153 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/download.auto^headers^ @@ -0,0 +1,2 @@ +Content-disposition: "attachment" +Content-type: application/x-auto-download diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/emptyimage.sjs b/security/manager/ssl/tests/mochitest/mixedcontent/emptyimage.sjs new file mode 100644 index 0000000000..9e34227f00 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/emptyimage.sjs @@ -0,0 +1,6 @@ +"use strict"; + +function handleRequest(request, response) { + response.setStatusLine(request.httpVersion, 200, "OK"); + //response.setHeader("Content-type", "image/gif"); +} diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/hugebmp.sjs b/security/manager/ssl/tests/mochitest/mixedcontent/hugebmp.sjs new file mode 100644 index 0000000000..5f78a806b4 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/hugebmp.sjs @@ -0,0 +1,17 @@ +"use strict"; + +function handleRequest(request, response) { + response.setStatusLine(request.httpVersion, 200, "OK"); + response.setHeader("Content-type", "image/bitmap"); + + let bmpheader = + "\x42\x4D\x36\x10\x0E\x00\x00\x00\x00\x00\x36\x00\x00\x00\x28\x00\x00\x00\x80\x02\x00\x00\xE0\x01\x00\x00\x01\x00\x18\x00\x00\x00\x00\x00\x00\x10\x0E\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"; + let bmpdatapiece = + "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"; + + response.bodyOutputStream.write(bmpheader, 54); + // Fill 640*480*3 nulls + for (let i = 0; i < (640 * 480 * 3) / 64; ++i) { + response.bodyOutputStream.write(bmpdatapiece, 64); + } +} diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/iframe.html b/security/manager/ssl/tests/mochitest/mixedcontent/iframe.html new file mode 100644 index 0000000000..90523a57f5 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/iframe.html @@ -0,0 +1,13 @@ +<!DOCTYPE HTML> +<html> +<head> +</head> + +<body> + This is frame 1: + <script> + "use strict"; + document.write(location.href); + </script> +</body> +</html> diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/iframe2.html b/security/manager/ssl/tests/mochitest/mixedcontent/iframe2.html new file mode 100644 index 0000000000..87765bbb5b --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/iframe2.html @@ -0,0 +1,14 @@ +<!DOCTYPE HTML> +<html> +<head> +</head> + +<body> + This is frame 2: + <script> + "use strict"; + document.write(location.href); + </script> + <iframe src="http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/iframe.html"></iframe> +</body> +</html> diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/iframeMetaRedirect.html b/security/manager/ssl/tests/mochitest/mixedcontent/iframeMetaRedirect.html new file mode 100644 index 0000000000..6c7a5473cb --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/iframeMetaRedirect.html @@ -0,0 +1,8 @@ +<!DOCTYPE HTML> +<META http-equiv="Refresh" + Content="0; URL=http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/iframe.html"> +<html> + <body> + Redirecting by meta tag... + </body> +</html> diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/iframesecredirect.sjs b/security/manager/ssl/tests/mochitest/mixedcontent/iframesecredirect.sjs new file mode 100644 index 0000000000..914391e8f5 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/iframesecredirect.sjs @@ -0,0 +1,9 @@ +"use strict"; + +function handleRequest(request, response) { + response.setStatusLine(request.httpVersion, 307, "Moved temporarly"); + response.setHeader( + "Location", + "https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/iframe.html" + ); +} diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/iframeunsecredirect.sjs b/security/manager/ssl/tests/mochitest/mixedcontent/iframeunsecredirect.sjs new file mode 100644 index 0000000000..32afc824ea --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/iframeunsecredirect.sjs @@ -0,0 +1,9 @@ +"use strict"; + +function handleRequest(request, response) { + response.setStatusLine(request.httpVersion, 307, "Moved temporarly"); + response.setHeader( + "Location", + "http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/iframe.html" + ); +} diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/imgsecredirect.sjs b/security/manager/ssl/tests/mochitest/mixedcontent/imgsecredirect.sjs new file mode 100644 index 0000000000..cb966a56d2 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/imgsecredirect.sjs @@ -0,0 +1,9 @@ +"use strict"; + +function handleRequest(request, response) { + response.setStatusLine(request.httpVersion, 307, "Moved temporarly"); + response.setHeader( + "Location", + "https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg" + ); +} diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/imgunsecredirect.sjs b/security/manager/ssl/tests/mochitest/mixedcontent/imgunsecredirect.sjs new file mode 100644 index 0000000000..d128ce2238 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/imgunsecredirect.sjs @@ -0,0 +1,9 @@ +"use strict"; + +function handleRequest(request, response) { + response.setStatusLine(request.httpVersion, 307, "Moved temporarly"); + response.setHeader( + "Location", + "http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg" + ); +} diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/mixedContentTest.js b/security/manager/ssl/tests/mochitest/mixedcontent/mixedContentTest.js new file mode 100644 index 0000000000..6c300b7fc3 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/mixedContentTest.js @@ -0,0 +1,211 @@ +"use strict"; + +/** + * Helper script for mixed content testing. It opens a new top-level window + * from a secure origin and '?runtest' query. That tells us to run the test + * body, function runTest(). Then we wait for call of finish(). On its first + * call it loads helper page 'backward.html' that immediately navigates + * back to the test secure test. This checks the bfcache. We got second call + * to onload and this time we call afterNavigationTest() function to let the + * test check security state after re-navigation back. Then we again wait for + * finish() call, that this time finishes completelly the test. + */ + +// Tells the framework if to load the test in an insecure page (http://) +var loadAsInsecure = false; +// Set true to bypass the navigation forward/back test +var bypassNavigationTest = false; +// Set true to do forward/back navigation over an http:// page, test state leaks +var navigateToInsecure = false; +// Open the test in two separate windows, test requests sharing among windows +var openTwoWindows = false; +// Override the name of the test page to load, useful e.g. to prevent load +// of images or other content before the test starts; this is actually +// a 'redirect' to a different test page. +var testPage = ""; +// Assign a function to this variable to have a clean up at the end +var testCleanUp = null; +// Contains mixed active content that needs to load to run the test +var hasMixedActiveContent = false; + +// Internal variables +var _windowCount = 0; + +window.onload = async function onLoad() { + if (location.search == "?runtest") { + try { + if (history.length == 1) { + // Each test that includes this helper file is supposed to define + // runTest(). See the top level comment. + await runTest(); // eslint-disable-line no-undef + } else { + // Each test that includes this helper file is supposed to define + // afterNavigationTest(). See the top level comment. + await afterNavigationTest(); // eslint-disable-line no-undef + } + } catch (ex) { + ok(false, "Exception thrown during test: " + ex); + finish(); + } + } else { + window.addEventListener("message", onMessageReceived); + + let secureTestLocation = loadAsInsecure + ? "http://example.com" + : "https://example.com"; + secureTestLocation += location.pathname; + if (testPage != "") { + let array = secureTestLocation.split("/"); + array.pop(); + array.push(testPage); + secureTestLocation = array.join("/"); + } + secureTestLocation += "?runtest"; + + if (hasMixedActiveContent) { + SpecialPowers.pushPrefEnv( + { set: [["security.mixed_content.block_active_content", false]] }, + null + ); + } + if (openTwoWindows) { + _windowCount = 2; + window.open(secureTestLocation, "_new1", ""); + window.open(secureTestLocation, "_new2", ""); + } else { + _windowCount = 1; + window.open(secureTestLocation); + } + } +}; + +function onMessageReceived(event) { + switch (event.data) { + // Indication of all test parts finish (from any of the frames) + case "done": + if (--_windowCount == 0) { + if (testCleanUp) { + testCleanUp(); + } + if (hasMixedActiveContent) { + SpecialPowers.popPrefEnv(null); + } + + SimpleTest.finish(); + } + break; + + // Any other message is an error or success message of a test. + default: + SimpleTest.ok(!event.data.match(/^FAILURE/), event.data); + break; + } +} + +function postMsg(message) { + opener.postMessage(message, "http://mochi.test:8888"); +} + +function finish() { + if (history.length == 1 && !bypassNavigationTest) { + window.setTimeout(() => { + window.location.assign( + navigateToInsecure + ? "http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/backward.html" + : "https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/backward.html" + ); + }, 0); + } else { + postMsg("done"); + window.close(); + } +} + +function ok(a, message) { + if (!a) { + postMsg("FAILURE: " + message); + } else { + postMsg(message); + } +} + +function is(a, b, message) { + if (a != b) { + postMsg(`FAILURE: ${message}, expected ${b} got ${a}`); + } else { + postMsg(`${message}, expected ${b} got ${a}`); + } +} + +async function isSecurityState(expectedState, message, test) { + if (!test) { + test = ok; + } + + let state = await SpecialPowers.getSecurityState(window); + + let isInsecure = + state & SpecialPowers.Ci.nsIWebProgressListener.STATE_IS_INSECURE; + let isBroken = + state & SpecialPowers.Ci.nsIWebProgressListener.STATE_IS_BROKEN; + let isEV = + state & SpecialPowers.Ci.nsIWebProgressListener.STATE_IDENTITY_EV_TOPLEVEL; + + let gotState = "secure"; + if (isInsecure) { + gotState = "insecure"; + } else if (isBroken) { + gotState = "broken"; + } else if (isEV) { + gotState = "EV"; + } + + test( + gotState == expectedState, + (message || "") + ", expected " + expectedState + " got " + gotState + ); + + switch (expectedState) { + case "insecure": + test( + isInsecure && !isBroken && !isEV, + "for 'insecure' excpected flags [1,0,0], " + (message || "") + ); + break; + case "broken": + test( + !isInsecure && isBroken && !isEV, + "for 'broken' expected flags [0,1,0], " + (message || "") + ); + break; + case "secure": + test( + !isInsecure && !isBroken && !isEV, + "for 'secure' expected flags [0,0,0], " + (message || "") + ); + break; + case "EV": + test( + !isInsecure && !isBroken && isEV, + "for 'EV' expected flags [0,0,1], " + (message || "") + ); + break; + default: + throw new Error("Invalid isSecurityState state"); + } +} + +function waitForSecurityState(expectedState, callback) { + let roundsLeft = 200; // Wait for 20 seconds (=200*100ms) + let interval = window.setInterval(async () => { + await isSecurityState(expectedState, "", isok => { + if (isok) { + roundsLeft = 0; + } + }); + if (!roundsLeft--) { + window.clearInterval(interval); + callback(); + } + }, 100); +} diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/mochitest.toml b/security/manager/ssl/tests/mochitest/mixedcontent/mochitest.toml new file mode 100644 index 0000000000..1a37ba6f38 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/mochitest.toml @@ -0,0 +1,104 @@ +[DEFAULT] +# Disable for Http/3 since Http/3 tests require to run with https. +skip-if = [ + "http3", + "http2", +] +prefs = [ + "security.mixed_content.upgrade_display_content=false", + "dom.security.https_first=false", +] +support-files = [ + "alloworigin.sjs", + "backward.html", + "bug329869.js", + "bug383369step2.html", + "bug383369step3.html", + "download.auto", + "download.auto^headers^", + "emptyimage.sjs", + "hugebmp.sjs", + "iframe.html", + "iframe2.html", + "iframeMetaRedirect.html", + "iframesecredirect.sjs", + "iframeunsecredirect.sjs", + "imgsecredirect.sjs", + "imgunsecredirect.sjs", + "mixedContentTest.js", + "moonsurface.jpg", + "nocontent.sjs", + "redirecttoemptyimage.sjs", + "somestyle.css", + "unsecureIframe.html", + "unsecurePictureDup.html", +] + +["test_bug329869.html"] + +["test_bug383369.html"] +skip-if = ["os == 'android'"] + +["test_bug455367.html"] + +["test_bug472986.html"] + +["test_bug477118.html"] + +["test_bug521461.html"] + +["test_cssBefore1.html"] + +["test_cssContent1.html"] + +["test_cssContent2.html"] + +["test_documentWrite1.html"] + +["test_documentWrite2.html"] + +["test_dynDelayedUnsecurePicture.html"] + +["test_dynDelayedUnsecureXHR.html"] + +["test_dynUnsecureBackground.html"] + +["test_dynUnsecureIframeRedirect.html"] + +["test_dynUnsecurePicture.html"] + +["test_dynUnsecurePicturePreload.html"] + +["test_dynUnsecureRedirect.html"] +skip-if = ["true"] # Bug 487402 intermitently fails, quite often + +["test_innerHtmlDelayedUnsecurePicture.html"] + +["test_innerHtmlUnsecurePicture.html"] + +["test_javascriptPicture.html"] + +["test_secureAll.html"] + +["test_securePicture.html"] + +["test_unsecureBackground.html"] + +["test_unsecureCSS.html"] + +["test_unsecureIframe.html"] + +["test_unsecureIframe2.html"] + +["test_unsecureIframeMetaRedirect.html"] +skip-if = ["true"] # Bug 487632 intermitently fails, quite often + +["test_unsecureIframeRedirect.html"] + +["test_unsecurePicture.html"] + +["test_unsecurePictureDup.html"] + +["test_unsecurePictureInIframe.html"] + +["test_unsecureRedirect.html"] diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg b/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg Binary files differnew file mode 100644 index 0000000000..c0ffca256a --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/moz.build b/security/manager/ssl/tests/mochitest/mixedcontent/moz.build new file mode 100644 index 0000000000..2f41008128 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/moz.build @@ -0,0 +1,7 @@ +# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*- +# vim: set filetype=python: +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +MOCHITEST_MANIFESTS += ["mochitest.toml"] diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/nocontent.sjs b/security/manager/ssl/tests/mochitest/mixedcontent/nocontent.sjs new file mode 100644 index 0000000000..d5d65cf8a4 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/nocontent.sjs @@ -0,0 +1,5 @@ +"use strict"; + +function handleRequest(request, response) { + response.setStatusLine(request.httpVersion, 204, "No Content"); +} diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/redirecttoemptyimage.sjs b/security/manager/ssl/tests/mochitest/mixedcontent/redirecttoemptyimage.sjs new file mode 100644 index 0000000000..98ed0a2f52 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/redirecttoemptyimage.sjs @@ -0,0 +1,9 @@ +"use strict"; + +function handleRequest(request, response) { + response.setStatusLine(request.httpVersion, 307, "Moved temporarly"); + response.setHeader( + "Location", + "http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/emptyimage.sjs" + ); +} diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/somestyle.css b/security/manager/ssl/tests/mochitest/mixedcontent/somestyle.css new file mode 100644 index 0000000000..9867e3c41e --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/somestyle.css @@ -0,0 +1,4 @@ +body +{ + background-color: lightBlue; +} diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_bug329869.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug329869.html new file mode 100644 index 0000000000..ccb9a8d9cf --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug329869.html @@ -0,0 +1,36 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>dymanic script load</title> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <script type="text/javascript" src="mixedContentTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> + + <script class="testbody" type="text/javascript"> + "use strict"; + + hasMixedActiveContent = true; + + async function runTest() + { + await isSecurityState("secure"); + window.setTimeout(function () { + let newElement = document.createElement("script"); + newElement.src = "http://example.org/tests/security/manager/ssl/tests/" + + "mochitest/mixedcontent/bug329869.js"; + document.body.appendChild(newElement); + }, 0); + } + + async function afterNavigationTest() + { + await isSecurityState("secure", "when we navigate back, we're loading our secure page again and not loading an insecure script, so our security state is secure"); + finish(); + } + + </script> +</head> + +<body> +</body> +</html> diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_bug383369.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug383369.html new file mode 100644 index 0000000000..d9298cde3f --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug383369.html @@ -0,0 +1,89 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>Bug 383369 test</title> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <script type="text/javascript" src="mixedContentTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> + + <script class="testbody" type="text/javascript"> + "use strict"; + + // We want to start this test from an insecure context + loadAsInsecure = true; + // We don't want to go through the navigation back/forward test + bypassNavigationTest = true; + + async function runTest() { + let script = SpecialPowers.loadChromeScript(function() { + /* eslint-env mozilla/chrome-script */ + // Force download to be w/o user assistance for our testing mime type + const mimeSvc = Cc["@mozilla.org/mime;1"].getService(Ci.nsIMIMEService); + let handlerInfo = + mimeSvc.getFromTypeAndExtension("application/x-auto-download", "auto"); + handlerInfo.preferredAction = Ci.nsIHandlerInfo.saveToDisk; + handlerInfo.alwaysAskBeforeHandling = false; + handlerInfo.preferredApplicationHandler = null; + + const handlerSvc = Cc["@mozilla.org/uriloader/handler-service;1"] + .getService(Ci.nsIHandlerService); + handlerSvc.store(handlerInfo); + + let profileDir = Services.dirsvc.get("ProfDS", Ci.nsIFile); + profileDir.append("downloads"); + + let prefBranch = Services.prefs.getBranch("browser.download."); + + prefBranch.setCharPref("dir", profileDir.path); + prefBranch.setBoolPref("useDownloadDir", true); + prefBranch.setIntPref("folderList", 2); + + const { Downloads } = + ChromeUtils.importESModule("resource://gre/modules/Downloads.sys.mjs"); + Downloads.getList(Downloads.PUBLIC).then(list => { + list.addView({ + onDownloadAdded(aDownload) { + list.removeView(this); + aDownload.whenSucceeded().then(() => { + list.removeFinished(); + sendAsyncMessage("navigate", "bug383369step2.html"); + }); + }, + }); + sendAsyncMessage("navigate", "download.auto"); + }).catch(console.error); + }); + script.addMessageListener("navigate", function(url) { + window.location = url; + }); + } + + async function afterNavigationTest() {} + + testCleanUp = function cleanup() { + SpecialPowers.loadChromeScript(function() { + const mimeSvc = Cc["@mozilla.org/mime;1"].getService(Ci.nsIMIMEService); + let handlerInfo = + mimeSvc.getFromTypeAndExtension("application/x-auto-download", "auto"); + + const handlerSvc = Cc["@mozilla.org/uriloader/handler-service;1"] + .getService(Ci.nsIHandlerService); + handlerSvc.remove(handlerInfo); + + let prefBranch = Services.prefs.getBranch("browser.download."); + + const prefKeys = ["dir", "useDownloadDir", "folderList"]; + for (let prefKey of prefKeys) { + if (prefBranch.prefHasUserValue(prefKey)) { + prefBranch.clearUserPref(prefKey); + } + } + }); + }; + + </script> +</head> + +<body> +</body> +</html> diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_bug455367.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug455367.html new file mode 100644 index 0000000000..d2ad64c454 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug455367.html @@ -0,0 +1,37 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>No content image doesn't break security</title> + <script type="text/javascript" src="/MochiKit/Base.js"></script> + <script type="text/javascript" src="/MochiKit/DOM.js"></script> + <script type="text/javascript" src="/MochiKit/Style.js"></script> + <script type="text/javascript" src="/MochiKit/Signal.js"></script> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <script type="text/javascript" src="mixedContentTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> + + <script class="testbody" type="text/javascript"> + "use strict"; + + async function runTest() + { + SpecialPowers.pushPrefEnv( + {"set": [["security.mixed_content.upgrade_display_content", false]]}, + null); + await isSecurityState("broken", "broken"); + finish(); + } + + async function afterNavigationTest() + { + await isSecurityState("broken", "broken after navigation"); + finish(); + } + + </script> +</head> + +<body> + <img src="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/redirecttoemptyimage.sjs" /> +</body> +</html> diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_bug472986.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug472986.html new file mode 100644 index 0000000000..bd55a600ca --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug472986.html @@ -0,0 +1,46 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>img.src replace</title> + <script type="text/javascript" src="/MochiKit/Base.js"></script> + <script type="text/javascript" src="/MochiKit/DOM.js"></script> + <script type="text/javascript" src="/MochiKit/Style.js"></script> + <script type="text/javascript" src="/MochiKit/Signal.js"></script> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <script type="text/javascript" src="mixedContentTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> + + <script class="testbody" type="text/javascript"> + "use strict"; + + SimpleTest.expectAssertions(0, 4); + + // Clear the default onload assigned to test start because we must + // wait for replaced image to load and only after that test the security state + var onLoadFunction = window.onload; + window.onload = function() + { + let img1 = document.getElementById("img1"); + img1.addEventListener("load", onLoadFunction); + img1.src = "https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg"; + }; + + async function runTest() + { + await isSecurityState("secure", "secure"); + finish(); + } + + async function afterNavigationTest() + { + await isSecurityState("secure", "secure after navigation"); + finish(); + } + + </script> +</head> + +<body> + <img id="img1" src="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/hugebmp.sjs" /> +</body> +</html> diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_bug477118.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug477118.html new file mode 100644 index 0000000000..90932790f0 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug477118.html @@ -0,0 +1,34 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>Bug 477118</title> + <script type="text/javascript" src="/MochiKit/Base.js"></script> + <script type="text/javascript" src="/MochiKit/DOM.js"></script> + <script type="text/javascript" src="/MochiKit/Style.js"></script> + <script type="text/javascript" src="/MochiKit/Signal.js"></script> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <script type="text/javascript" src="mixedContentTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> + + <script class="testbody" type="text/javascript"> + "use strict"; + + async function runTest() + { + await isSecurityState("secure", "data <img> doesn't break security"); + finish(); + } + + async function afterNavigationTest() + { + await isSecurityState("secure", "still secure after navigation"); + finish(); + } + + </script> +</head> + +<body> + <img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAAAXNSR0IArs4c6QAAAAZiS0dEAP8A/wD/oL2nkwAAAAlwSFlzAAAN1wAADdcBQiibeAAAAAd0SU1FB9kBDxIAOdxBIbcAAAI+SURBVDjLxZO7TxRhFMV/M/PN7EPYhS02yytggo+ERAgxERsNhYnGzsQojaHT3r9F0cTaUjs6NUQLBRKDi4I8FEwkLMgO+5rdeX3XAoVYiZWnP797cu69Bv8gqZ+0QTqIdRpl1VHGvnV884CJwQgwicVtoB/ku/H4ycOnURgP/Q1g21Fw4+r0RjbbNmaq4ayO35UkXp9S2UzHxK2bE4QNl82FVwD0D49jn+hERBCRgwTiIX7pvGUGYF/BlO327d3ENfV7wuL0AyjPICIsfPvAmev3qdVqlMtlCoUCGxurDPT1kEnPomQKkRTFpXOjh4DN4kvGLuSJ/JC38y/ouXyXYrGIiBDHMVtbu1SrvXTlbfp6HcQcoVwp5hRAaWedPXFYfL+E1lAKswSRy+joKEEQICLkcjm01hiGgRcksW0b4SMKYHb+OSt6ma+VffxWRF3S5OeeMX7pHkqpwy5EBK31H90ogFODF1lbm8OtlEhloDORpbdnhDAMaTabhwbbtkkkEkRRhGVZR4BCfojJO4+o1VwQAItEIolpmliWRVtbG7s/dlDKotGo47U8CvkuAEwA3/eJoxhE0WyGuO4+nucRBAHVahXDMKg3agRhQBAGVKsVtNZHCRzHwTAMcrnc0eX9it3e3g7A6cGzhx0AKHWwQOV5jdXXb2ZOaa3BOP5ffF5ZptVqflG+3xpbWv5kh2FolEo7dnmv7Lium6zXG0nf95MiguM4QTqd9jPZTCvX2eF393QHqVRKZ7KZkP+unzPGLX8Jr7F8AAAAAElFTkSuQmCC" /> +</body> +</html> diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_bug521461.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug521461.html new file mode 100644 index 0000000000..59085a5ec4 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug521461.html @@ -0,0 +1,39 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>Bug 521461</title> + <script type="text/javascript" src="/MochiKit/Base.js"></script> + <script type="text/javascript" src="/MochiKit/DOM.js"></script> + <script type="text/javascript" src="/MochiKit/Style.js"></script> + <script type="text/javascript" src="/MochiKit/Signal.js"></script> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <script type="text/javascript" src="mixedContentTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> + + <script class="testbody" type="text/javascript"> + "use strict"; + SimpleTest.requestFlakyTimeout("Timeout in mixedContentTest"); + + loadAsInsecure = true; + + async function runTest() + { + window.location = "https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/nocontent.sjs"; + window.setTimeout(async () => { + await isSecurityState("insecure", "location.href doesn't effect the security state"); + is(document.body.innerHTML, "This is an unsecure page!\n", "Document has not changed content"); + finish(); + }, 1000); + } + + async function afterNavigationTest() + { + await isSecurityState("insecure", "still not secure after navigation"); + is(document.body.innerHTML, "This is an unsecure page!\n", "Document has not changed content"); + finish(); + } + + </script> +</head> + +<body>This is an unsecure page!</body></html> diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_cssBefore1.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_cssBefore1.html new file mode 100644 index 0000000000..98cee1bb53 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_cssBefore1.html @@ -0,0 +1,42 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>CSS :before styling 1</title> + <script type="text/javascript" src="/MochiKit/Base.js"></script> + <script type="text/javascript" src="/MochiKit/DOM.js"></script> + <script type="text/javascript" src="/MochiKit/Style.js"></script> + <script type="text/javascript" src="/MochiKit/Signal.js"></script> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <script type="text/javascript" src="mixedContentTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> + <style type="text/css"> + p:before + { + content: url(http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg); + } + </style> + + <script class="testbody" type="text/javascript"> + "use strict"; + + async function runTest() + { + await isSecurityState("broken", "insecure content added by :before styling breaks security"); + finish(); + } + + async function afterNavigationTest() + { + await isSecurityState("broken", "security still broken after navigation"); + finish(); + } + + </script> +</head> + +<body> + <p> + There is a moon surface left to this text + </p> +</body> +</html> diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_cssContent1.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_cssContent1.html new file mode 100644 index 0000000000..5c5019ca78 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_cssContent1.html @@ -0,0 +1,41 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>CSS conent styling 1</title> + <script type="text/javascript" src="/MochiKit/Base.js"></script> + <script type="text/javascript" src="/MochiKit/DOM.js"></script> + <script type="text/javascript" src="/MochiKit/Style.js"></script> + <script type="text/javascript" src="/MochiKit/Signal.js"></script> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <script type="text/javascript" src="mixedContentTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> + + <style type="text/css"> + p + { + content: url(http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg); + } + </style> + + <script class="testbody" type="text/javascript"> + "use strict"; + + async function runTest() + { + await isSecurityState("broken", "insecure content added by :before styling breaks security"); + finish(); + } + + async function afterNavigationTest() + { + await isSecurityState("broken", "security still broken after navigation"); + finish(); + } + + </script> +</head> + +<body> + <p></p> +</body> +</html> diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_cssContent2.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_cssContent2.html new file mode 100644 index 0000000000..19e5784334 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_cssContent2.html @@ -0,0 +1,46 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>CSS conent styling 2</title> + <script type="text/javascript" src="/MochiKit/Base.js"></script> + <script type="text/javascript" src="/MochiKit/DOM.js"></script> + <script type="text/javascript" src="/MochiKit/Style.js"></script> + <script type="text/javascript" src="/MochiKit/Signal.js"></script> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <script type="text/javascript" src="mixedContentTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> + + <script class="testbody" type="text/javascript"> + "use strict"; + + if (navigator.platform.startsWith("Mac")) { + SimpleTest.expectAssertions(0, 1); + } + + async function runTest() + { + await isSecurityState("secure"); + document.getElementById("para").style.content = + "url('http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg')"; + + waitForSecurityState("broken", async () => + { + await isSecurityState("broken", "insecure content added by styling breaks security"); + finish(); + }); + } + + async function afterNavigationTest() + { + is(document.getElementById("para").style.content, ""); + await isSecurityState("secure", "security full after navigation"); + finish(); + } + + </script> +</head> + +<body> + <p id="para"></p> +</body> +</html> diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_documentWrite1.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_documentWrite1.html new file mode 100644 index 0000000000..90eca5bcdb --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_documentWrite1.html @@ -0,0 +1,38 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>document.write('<img src="http://">')</title> + <script type="text/javascript" src="/MochiKit/Base.js"></script> + <script type="text/javascript" src="/MochiKit/DOM.js"></script> + <script type="text/javascript" src="/MochiKit/Style.js"></script> + <script type="text/javascript" src="/MochiKit/Signal.js"></script> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <script type="text/javascript" src="mixedContentTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> + + <script class="testbody" type="text/javascript"> + "use strict"; + + async function runTest() + { + await isSecurityState("broken", "insecure <img> written dynamically breaks security"); + finish(); + } + + async function afterNavigationTest() + { + await isSecurityState("broken", "security still broken after navigation"); + finish(); + } + + </script> +</head> + +<body> + <script class="testbody" type="text/javascript"> + "use strict"; + document.write( + "<img src='http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg' />"); + </script> +</body> +</html> diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_documentWrite2.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_documentWrite2.html new file mode 100644 index 0000000000..e009fd4f54 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_documentWrite2.html @@ -0,0 +1,40 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>document.write('<iframe src="http://">')</title> + <script type="text/javascript" src="/MochiKit/Base.js"></script> + <script type="text/javascript" src="/MochiKit/DOM.js"></script> + <script type="text/javascript" src="/MochiKit/Style.js"></script> + <script type="text/javascript" src="/MochiKit/Signal.js"></script> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <script type="text/javascript" src="mixedContentTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> + + <script class="testbody" type="text/javascript"> + "use strict"; + + hasMixedActiveContent = true; + + async function runTest() + { + await isSecurityState("broken", "insecure iframe written dynamically breaks security"); + finish(); + } + + async function afterNavigationTest() + { + await isSecurityState("broken", "security still broken after navigation"); + finish(); + } + + </script> +</head> + +<body> + <script class="testbody" type="text/javascript"> + "use strict"; + document.write( + "<iframe src='http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/iframe.html'></iframe>"); + </script> +</body> +</html> diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_dynDelayedUnsecurePicture.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynDelayedUnsecurePicture.html new file mode 100644 index 0000000000..514902d047 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynDelayedUnsecurePicture.html @@ -0,0 +1,47 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>img.src changes to unsecure test</title> + <script type="text/javascript" src="/MochiKit/Base.js"></script> + <script type="text/javascript" src="/MochiKit/DOM.js"></script> + <script type="text/javascript" src="/MochiKit/Style.js"></script> + <script type="text/javascript" src="/MochiKit/Signal.js"></script> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <script type="text/javascript" src="mixedContentTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> + + <script class="testbody" type="text/javascript"> + "use strict"; + + async function runTest() + { + await isSecurityState("secure"); + window.setTimeout(function() { + // Don't do this synchronously from onload handler + document.getElementById("image1").src = + "http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg"; + }, 0); + + waitForSecurityState("broken", async () => + { + await isSecurityState("broken", "src='http://...' changed to broken"); + finish(); + }); + } + + async function afterNavigationTest() + { + is(document.getElementById("image1").src, + "https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg", + "img.src secure again"); + await isSecurityState("secure", "security full after navigation"); + finish(); + } + + </script> +</head> + +<body> + <img id="image1" src="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg" /> +</body> +</html> diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_dynDelayedUnsecureXHR.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynDelayedUnsecureXHR.html new file mode 100644 index 0000000000..d9a8cc8af7 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynDelayedUnsecureXHR.html @@ -0,0 +1,48 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>unsecure XHR test</title> + <script type="text/javascript" src="/MochiKit/Base.js"></script> + <script type="text/javascript" src="/MochiKit/DOM.js"></script> + <script type="text/javascript" src="/MochiKit/Style.js"></script> + <script type="text/javascript" src="/MochiKit/Signal.js"></script> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <script type="text/javascript" src="mixedContentTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> + + <script class="testbody" type="text/javascript"> + "use strict"; + + hasMixedActiveContent = true; + + async function runTest() + { + await isSecurityState("secure"); + window.setTimeout(async () => { + try { + let req = new XMLHttpRequest(); + req.open("GET", "http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/alloworigin.sjs", false); + req.send(null); + + // Change should be immediate, the request was sent synchronously + await isSecurityState("broken", "security broken after insecure XHR"); + } catch (ex) { + ok(false, ex); + } + + finish(); + }, 0); + } + + async function afterNavigationTest() + { + await isSecurityState("secure", "security full after navigation"); + finish(); + } + + </script> +</head> + +<body> +</body> +</html> diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureBackground.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureBackground.html new file mode 100644 index 0000000000..fd66b21a64 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureBackground.html @@ -0,0 +1,44 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>body.background changes to unsecure test</title> + <script type="text/javascript" src="/MochiKit/Base.js"></script> + <script type="text/javascript" src="/MochiKit/DOM.js"></script> + <script type="text/javascript" src="/MochiKit/Style.js"></script> + <script type="text/javascript" src="/MochiKit/Signal.js"></script> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <script type="text/javascript" src="mixedContentTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> + + <script class="testbody" type="text/javascript"> + "use strict"; + + // This test, as is, equals to https://kuix.de/misc/test17/358438.php + + async function runTest() + { + await isSecurityState("secure"); + document.body.background = + "http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg"; + + waitForSecurityState("broken", async () => { + await isSecurityState("broken", "document.body.background='http://...' changed to broken"); + finish(); + }); + } + + async function afterNavigationTest() + { + is(document.body.background, + "https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg", + "document backround secure again"); + await isSecurityState("secure", "secure after re-navigation"); + finish(); + } + + </script> +</head> + +<body background="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg"> +</body> +</html> diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureIframeRedirect.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureIframeRedirect.html new file mode 100644 index 0000000000..8934de4b79 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureIframeRedirect.html @@ -0,0 +1,44 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>iframe.src changes to unsecure redirect test</title> + <script type="text/javascript" src="/MochiKit/Base.js"></script> + <script type="text/javascript" src="/MochiKit/DOM.js"></script> + <script type="text/javascript" src="/MochiKit/Style.js"></script> + <script type="text/javascript" src="/MochiKit/Signal.js"></script> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <script type="text/javascript" src="mixedContentTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> + + <script class="testbody" type="text/javascript"> + "use strict"; + + hasMixedActiveContent = true; + + async function runTest() + { + await isSecurityState("secure"); + let self = window; + let iframe = document.getElementById("iframe1"); + iframe.onload = async () => { + await self.isSecurityState("broken", "src='redirect to unsecure' changed to broken"); + self.finish(); + }; + + iframe.src = + "https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/iframeunsecredirect.sjs"; + } + + async function afterNavigationTest() + { + await isSecurityState("broken", "security still broken after navigation"); + finish(); + } + + </script> +</head> + +<body> + <iframe id="iframe1" src="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/iframe.html"></iframe> +</body> +</html> diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecurePicture.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecurePicture.html new file mode 100644 index 0000000000..5ef5a28b2c --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecurePicture.html @@ -0,0 +1,46 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>img.src changes to unsecure test</title> + <script type="text/javascript" src="/MochiKit/Base.js"></script> + <script type="text/javascript" src="/MochiKit/DOM.js"></script> + <script type="text/javascript" src="/MochiKit/Style.js"></script> + <script type="text/javascript" src="/MochiKit/Signal.js"></script> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <script type="text/javascript" src="mixedContentTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> + + <script class="testbody" type="text/javascript"> + "use strict"; + SimpleTest.requestFlakyTimeout("Timeout in mixedContentTest"); + + // This test, as is, equals to https://kuix.de/misc/test17/358438.php + + async function runTest() + { + await isSecurityState("secure"); + document.getElementById("image1").src = + "http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg"; + + window.setTimeout(async () => { + await isSecurityState("broken", "src='http://...' changed to broken"); + finish(); + }, 500); + } + + async function afterNavigationTest() + { + is(document.getElementById("image1").src, + "https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg", + "img.src secure again"); + await isSecurityState("secure", "security full after navigation"); + finish(); + } + + </script> +</head> + +<body> + <img id="image1" src="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg" /> +</body> +</html> diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecurePicturePreload.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecurePicturePreload.html new file mode 100644 index 0000000000..d8506e8cc5 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecurePicturePreload.html @@ -0,0 +1,36 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>img.src changes to unsecure test</title> + <script type="text/javascript" src="/MochiKit/Base.js"></script> + <script type="text/javascript" src="/MochiKit/DOM.js"></script> + <script type="text/javascript" src="/MochiKit/Style.js"></script> + <script type="text/javascript" src="/MochiKit/Signal.js"></script> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <script type="text/javascript" src="mixedContentTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> + + <script class="testbody" type="text/javascript"> + "use strict"; + + (new Image()).src = + "http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg"; + + async function runTest() + { + await isSecurityState("broken", "(new Image()).src='http://...' changed to broken"); + finish(); + } + + async function afterNavigationTest() + { + await isSecurityState("broken", "security broken after navigation"); + finish(); + } + + </script> +</head> + +<body> +</body> +</html> diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureRedirect.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureRedirect.html new file mode 100644 index 0000000000..a73c7f8619 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureRedirect.html @@ -0,0 +1,39 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>img.src changes to unsecure redirect test</title> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <script type="text/javascript" src="mixedContentTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> + + <script class="testbody" type="text/javascript"> + "use strict"; + + async function runTest() + { + await isSecurityState("secure"); + document.getElementById("image1").src = + "https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/imgunsecredirect.sjs"; + + window.setTimeout(async () => { + await isSecurityState("broken", "src='redirect to unsecure' changed to broken"); + finish(); + }, 500); + } + + async function afterNavigationTest() + { + is(document.getElementById("image1").src, + "https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg", + "img.src secure again"); + await isSecurityState("secure", "security full after navigation"); + finish(); + } + + </script> +</head> + +<body> + <img id="image1" src="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg" /> +</body> +</html> diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_innerHtmlDelayedUnsecurePicture.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_innerHtmlDelayedUnsecurePicture.html new file mode 100644 index 0000000000..45bf140384 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_innerHtmlDelayedUnsecurePicture.html @@ -0,0 +1,42 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>innerHTML changes to unsecure test</title> + <script type="text/javascript" src="/MochiKit/Base.js"></script> + <script type="text/javascript" src="/MochiKit/DOM.js"></script> + <script type="text/javascript" src="/MochiKit/Style.js"></script> + <script type="text/javascript" src="/MochiKit/Signal.js"></script> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <script type="text/javascript" src="mixedContentTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> + + <script class="testbody" type="text/javascript"> + "use strict"; + SimpleTest.requestFlakyTimeout("Timeout in mixedContentTest"); + + async function runTest() + { + await isSecurityState("secure"); + + window.setTimeout(function () { + document.getElementById("buddy").innerHTML = + "<img id='image1' src='http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg' />"; + }, 1); + + waitForSecurityState("broken", async () => { + await isSecurityState("broken", "innerHTML loading insecure changed to broken"); + finish(); + }); + } + + async function afterNavigationTest() + { + is(document.getElementById("buddy").innerHTML, "\n", "innerHTML back to previous"); + await isSecurityState("secure"); + finish(); + } + + </script> +</head> + +<body id="buddy"></body></html> diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_innerHtmlUnsecurePicture.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_innerHtmlUnsecurePicture.html new file mode 100644 index 0000000000..d8b3e5f6e0 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_innerHtmlUnsecurePicture.html @@ -0,0 +1,40 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>innerHTML changes to unsecure test</title> + <script type="text/javascript" src="/MochiKit/Base.js"></script> + <script type="text/javascript" src="/MochiKit/DOM.js"></script> + <script type="text/javascript" src="/MochiKit/Style.js"></script> + <script type="text/javascript" src="/MochiKit/Signal.js"></script> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <script type="text/javascript" src="mixedContentTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> + + <script class="testbody" type="text/javascript"> + "use strict"; + SimpleTest.requestFlakyTimeout("Timeout in mixedContentTest"); + + async function runTest() + { + await isSecurityState("secure"); + + document.getElementById("buddy").innerHTML = + "<img id='image1' src='http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg' />"; + + window.setTimeout(async () => { + await isSecurityState("broken", "innerHTML loading insecure changed to broken"); + finish(); + }, 500); + } + + async function afterNavigationTest() + { + is(document.getElementById("buddy").innerHTML, "\n", "innerHTML back to previous"); + await isSecurityState("secure"); + finish(); + } + + </script> +</head> + +<body id="buddy"></body></html> diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_javascriptPicture.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_javascriptPicture.html new file mode 100644 index 0000000000..66a28ce74e --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_javascriptPicture.html @@ -0,0 +1,34 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>Secure img load</title> + <script type="text/javascript" src="/MochiKit/Base.js"></script> + <script type="text/javascript" src="/MochiKit/DOM.js"></script> + <script type="text/javascript" src="/MochiKit/Style.js"></script> + <script type="text/javascript" src="/MochiKit/Signal.js"></script> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <script type="text/javascript" src="mixedContentTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> + + <script class="testbody" type="text/javascript"> + "use strict"; + + async function runTest() + { + await isSecurityState("secure", "javascript: <img> should not break security"); + finish(); + } + + async function afterNavigationTest() + { + await isSecurityState("secure", "Still secure after renavigation"); + finish(); + } + + </script> +</head> + +<body> + <img src="javascript:'Random data'" /> +</body> +</html> diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_secureAll.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_secureAll.html new file mode 100644 index 0000000000..efd754dd58 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_secureAll.html @@ -0,0 +1,42 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>All secure anti-regression check</title> + <script type="text/javascript" src="/MochiKit/Base.js"></script> + <script type="text/javascript" src="/MochiKit/DOM.js"></script> + <script type="text/javascript" src="/MochiKit/Style.js"></script> + <script type="text/javascript" src="/MochiKit/Signal.js"></script> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <script type="text/javascript" src="mixedContentTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> + + <link rel="stylesheet" type="text/css" + href="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/somestyle.css" /> + + <script class="testbody" type="text/javascript"> + "use strict"; + + // Navigation test goes over an insecure page, test state leak + navigateToInsecure = true; + + async function runTest() + { + await isSecurityState("secure", "insecure <img> load breaks security"); + finish(); + } + + async function afterNavigationTest() + { + await isSecurityState("secure", "security still broken after navigation"); + finish(); + } + + </script> +</head> + +<body> + <img src="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg" /> + <img src="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/imgsecredirect.sjs" /> + <iframe src="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/iframesecredirect.sjs" /> +</body> +</html> diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_securePicture.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_securePicture.html new file mode 100644 index 0000000000..961713a2da --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_securePicture.html @@ -0,0 +1,36 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>Secure img load</title> + <script type="text/javascript" src="/MochiKit/Base.js"></script> + <script type="text/javascript" src="/MochiKit/DOM.js"></script> + <script type="text/javascript" src="/MochiKit/Style.js"></script> + <script type="text/javascript" src="/MochiKit/Signal.js"></script> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <script type="text/javascript" src="mixedContentTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> + + <script class="testbody" type="text/javascript"> + "use strict"; + + loadAsInsecure = true; + + async function runTest() + { + await isSecurityState("insecure", "left insecure"); + finish(); + } + + async function afterNavigationTest() + { + await isSecurityState("insecure", "left insecure after renavigation"); + finish(); + } + + </script> +</head> + +<body> + <img src="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg" /> +</body> +</html> diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureBackground.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureBackground.html new file mode 100644 index 0000000000..02fdb29d41 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureBackground.html @@ -0,0 +1,35 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>background unsecure test</title> + <script type="text/javascript" src="/MochiKit/Base.js"></script> + <script type="text/javascript" src="/MochiKit/DOM.js"></script> + <script type="text/javascript" src="/MochiKit/Style.js"></script> + <script type="text/javascript" src="/MochiKit/Signal.js"></script> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <script type="text/javascript" src="mixedContentTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> + + <script class="testbody" type="text/javascript"> + "use strict"; + + // This test, as is, equals to https://kuix.de/misc/test17/358438.php + + async function runTest() + { + await isSecurityState("broken", "security broken"); + finish(); + } + + async function afterNavigationTest() + { + await isSecurityState("broken", "security after navigation"); + finish(); + } + + </script> +</head> + +<body background="http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg"> +</body> +</html> diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureCSS.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureCSS.html new file mode 100644 index 0000000000..c775347e72 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureCSS.html @@ -0,0 +1,38 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>Unsecure css load</title> + <script type="text/javascript" src="/MochiKit/Base.js"></script> + <script type="text/javascript" src="/MochiKit/DOM.js"></script> + <script type="text/javascript" src="/MochiKit/Style.js"></script> + <script type="text/javascript" src="/MochiKit/Signal.js"></script> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <script type="text/javascript" src="mixedContentTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> + + <link rel="stylesheet" type="text/css" + href="http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/somestyle.css" /> + + <script class="testbody" type="text/javascript"> + "use strict"; + + hasMixedActiveContent = true; + + async function runTest() + { + await isSecurityState("broken", "insecure <img> load breaks security"); + finish(); + } + + async function afterNavigationTest() + { + await isSecurityState("broken", "security still broken after navigation"); + finish(); + } + + </script> +</head> + +<body> +</body> +</html> diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframe.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframe.html new file mode 100644 index 0000000000..291ce3747e --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframe.html @@ -0,0 +1,36 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>Unsecure iframe load</title> + <script type="text/javascript" src="/MochiKit/Base.js"></script> + <script type="text/javascript" src="/MochiKit/DOM.js"></script> + <script type="text/javascript" src="/MochiKit/Style.js"></script> + <script type="text/javascript" src="/MochiKit/Signal.js"></script> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <script type="text/javascript" src="mixedContentTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> + + <script class="testbody" type="text/javascript"> + "use strict"; + + hasMixedActiveContent = true; + + async function runTest() + { + await isSecurityState("broken", "insecure <iframe> load breaks security"); + finish(); + } + + async function afterNavigationTest() + { + await isSecurityState("broken", "security still broken after navigation"); + finish(); + } + + </script> +</head> + +<body> + <iframe src="http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/iframe.html"></iframe> +</body> +</html> diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframe2.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframe2.html new file mode 100644 index 0000000000..8f49ecda51 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframe2.html @@ -0,0 +1,36 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>Unsecure iframe load</title> + <script type="text/javascript" src="/MochiKit/Base.js"></script> + <script type="text/javascript" src="/MochiKit/DOM.js"></script> + <script type="text/javascript" src="/MochiKit/Style.js"></script> + <script type="text/javascript" src="/MochiKit/Signal.js"></script> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <script type="text/javascript" src="mixedContentTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> + + <script class="testbody" type="text/javascript"> + "use strict"; + + hasMixedActiveContent = true; + + async function runTest() + { + await isSecurityState("broken", "insecure <iframe> load breaks security"); + finish(); + } + + async function afterNavigationTest() + { + await isSecurityState("broken", "security still broken after navigation"); + finish(); + } + + </script> +</head> + +<body> + <iframe src="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/iframe2.html"></iframe> +</body> +</html> diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframeMetaRedirect.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframeMetaRedirect.html new file mode 100644 index 0000000000..4eebbf5b22 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframeMetaRedirect.html @@ -0,0 +1,36 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>Unsecure redirect iframe load</title> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <script type="text/javascript" src="mixedContentTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> + + <script class="testbody" type="text/javascript"> + "use strict"; + + async function runTest() + { + window.setTimeout(async () => + { + await isSecurityState("broken", "insecure meta-tag <iframe> load breaks security"); + finish(); + }, 500); + } + + async function afterNavigationTest() + { + window.setTimeout(async () => + { + await isSecurityState("broken", "security still broken after navigation"); + finish(); + }, 500); + } + + </script> +</head> + +<body> + <iframe src="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/iframeMetaRedirect.html"></iframe> +</body> +</html> diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframeRedirect.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframeRedirect.html new file mode 100644 index 0000000000..12a4233494 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframeRedirect.html @@ -0,0 +1,36 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>Unsecure redirect iframe load</title> + <script type="text/javascript" src="/MochiKit/Base.js"></script> + <script type="text/javascript" src="/MochiKit/DOM.js"></script> + <script type="text/javascript" src="/MochiKit/Style.js"></script> + <script type="text/javascript" src="/MochiKit/Signal.js"></script> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <script type="text/javascript" src="mixedContentTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> + + <script class="testbody" type="text/javascript"> + "use strict"; + + hasMixedActiveContent = true; + + async function runTest() + { + await isSecurityState("broken", "insecure <iframe> load breaks security"); + finish(); + } + + async function afterNavigationTest() + { + await isSecurityState("broken", "security still broken after navigation"); + finish(); + } + + </script> +</head> + +<body> + <iframe src="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/iframeunsecredirect.sjs"></iframe> +</body> +</html> diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePicture.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePicture.html new file mode 100644 index 0000000000..3c19811db9 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePicture.html @@ -0,0 +1,34 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>Unsecure img load</title> + <script type="text/javascript" src="/MochiKit/Base.js"></script> + <script type="text/javascript" src="/MochiKit/DOM.js"></script> + <script type="text/javascript" src="/MochiKit/Style.js"></script> + <script type="text/javascript" src="/MochiKit/Signal.js"></script> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <script type="text/javascript" src="mixedContentTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> + + <script class="testbody" type="text/javascript"> + "use strict"; + + async function runTest() + { + await isSecurityState("broken", "insecure <img> load breaks security"); + finish(); + } + + async function afterNavigationTest() + { + await isSecurityState("broken", "security still broken after navigation"); + finish(); + } + + </script> +</head> + +<body> + <img src="http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg" /> +</body> +</html> diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePictureDup.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePictureDup.html new file mode 100644 index 0000000000..81ed58ffde --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePictureDup.html @@ -0,0 +1,20 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>Unsecure img load in two windows</title> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <script type="text/javascript" src="mixedContentTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> + + <script class="testbody" type="text/javascript"> + "use strict"; + + openTwoWindows = true; + testPage = "unsecurePictureDup.html"; + + </script> +</head> + +<body> +</body> +</html> diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePictureInIframe.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePictureInIframe.html new file mode 100644 index 0000000000..21bcf5f810 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePictureInIframe.html @@ -0,0 +1,36 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>Unsecure img in iframe load</title> + <script type="text/javascript" src="/MochiKit/Base.js"></script> + <script type="text/javascript" src="/MochiKit/DOM.js"></script> + <script type="text/javascript" src="/MochiKit/Style.js"></script> + <script type="text/javascript" src="/MochiKit/Signal.js"></script> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <script type="text/javascript" src="mixedContentTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> + + <script class="testbody" type="text/javascript"> + "use strict"; + + hasMixedActiveContent = true; + + async function runTest() + { + await isSecurityState("broken", "insecure <img> in an <iframe> load breaks security"); + finish(); + } + + async function afterNavigationTest() + { + await isSecurityState("broken", "security still broken after navigation"); + finish(); + } + + </script> +</head> + +<body> + <iframe src="http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/unsecureIframe.html"></iframe> +</body> +</html> diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureRedirect.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureRedirect.html new file mode 100644 index 0000000000..82611ff3fe --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureRedirect.html @@ -0,0 +1,36 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>Redirect from secure to unsecure img</title> + <script type="text/javascript" src="/MochiKit/Base.js"></script> + <script type="text/javascript" src="/MochiKit/DOM.js"></script> + <script type="text/javascript" src="/MochiKit/Style.js"></script> + <script type="text/javascript" src="/MochiKit/Signal.js"></script> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <script type="text/javascript" src="mixedContentTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> + + <script class="testbody" type="text/javascript"> + "use strict"; + + hasMixedActiveContent = true; + + async function runTest() + { + await isSecurityState("broken", "insecure <img> load breaks security"); + finish(); + } + + async function afterNavigationTest() + { + await isSecurityState("broken", "security still broken after navigation"); + finish(); + } + + </script> +</head> + +<body> + <img src="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/imgunsecredirect.sjs" /> +</body> +</html> diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/unsecureIframe.html b/security/manager/ssl/tests/mochitest/mixedcontent/unsecureIframe.html new file mode 100644 index 0000000000..2282677418 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/unsecureIframe.html @@ -0,0 +1,9 @@ +<!DOCTYPE HTML> +<html> +<head> +</head> + +<body> + <img src="http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg" /> +</body> +</html> diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/unsecurePictureDup.html b/security/manager/ssl/tests/mochitest/mixedcontent/unsecurePictureDup.html new file mode 100644 index 0000000000..7ce3701620 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/unsecurePictureDup.html @@ -0,0 +1,34 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>Unsecure img load in two windows</title> + <script type="text/javascript" src="/MochiKit/Base.js"></script> + <script type="text/javascript" src="/MochiKit/DOM.js"></script> + <script type="text/javascript" src="/MochiKit/Style.js"></script> + <script type="text/javascript" src="/MochiKit/Signal.js"></script> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <script type="text/javascript" src="mixedContentTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> + + <script class="testbody" type="text/javascript"> + "use strict"; + + async function runTest() + { + await isSecurityState("broken", "insecure <img> load breaks security"); + finish(); + } + + async function afterNavigationTest() + { + await isSecurityState("broken", "security still broken after navigation"); + finish(); + } + + </script> +</head> + +<body> + <img src="http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/hugebmp.sjs" /> +</body> +</html> diff --git a/security/manager/ssl/tests/mochitest/moz.build b/security/manager/ssl/tests/mochitest/moz.build new file mode 100644 index 0000000000..ddb344c83c --- /dev/null +++ b/security/manager/ssl/tests/mochitest/moz.build @@ -0,0 +1,10 @@ +# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*- +# vim: set filetype=python: +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +TEST_DIRS += [ + "browser", + "mixedcontent", +] diff --git a/security/manager/ssl/tests/moz.build b/security/manager/ssl/tests/moz.build new file mode 100644 index 0000000000..fbf6bc0b06 --- /dev/null +++ b/security/manager/ssl/tests/moz.build @@ -0,0 +1,17 @@ +# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*- +# vim: set filetype=python: +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +DIRS += ["unit"] + +TEST_DIRS += [ + "gtest", + "mochitest", +] + +XPCSHELL_TESTS_MANIFESTS += ["unit/xpcshell.toml"] + +if not CONFIG["MOZ_NO_SMART_CARDS"]: + XPCSHELL_TESTS_MANIFESTS += ["unit/xpcshell-smartcards.toml"] diff --git a/security/manager/ssl/tests/unit/bad_certs/badSubjectAltNames.pem b/security/manager/ssl/tests/unit/bad_certs/badSubjectAltNames.pem new file mode 100644 index 0000000000..cb8876df77 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/badSubjectAltNames.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC6DCCAdCgAwIBAgIUd6+Bk3IKBQ1kcwl2Fzr4p/fTVrEwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw +MjA0MDAwMDAwWjAmMSQwIgYDVQQDDBtFRSB3aXRoIGJhZCBzdWJqZWN0QWx0TmFt +ZXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braI +BjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVa +p0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB +7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4C +kC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJv +aeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgK +Ne2NAgMBAAGjHjAcMBoGA1UdEQQTMBGCDyouKi5leGFtcGxlLmNvbTANBgkqhkiG +9w0BAQsFAAOCAQEATDZDK9PvRB0NTC89FVYZWXfiTYJSPa4F06o+edx4Q0qqb3Zz +t6GJv1+wvQ5CpTCNe4NCNV16HZeL135sUosjGCHieVcYTyof5dmdNAapr0bxNFNP +BfSE/LIjksPTnECMUoYZq1E+GVc0zPRWPXiuKcRZSLhcC1KsRRa+dZJIeLYH1DPc +NVRdaGXVJSkddeFs6pqv2VdT3zvct2z61uUFAspVmlyRJJsd1xYgT4Kw432088P+ +JCjftsfGh0qwTFlDt4CBA92CQDWxFiWw7xUWTs0bOFoV7EHhW52Xa6xB8p20dqf/ +nfYjxRCHmVbtU+Xl4r1fEd6mQuHevydoqSGQ0g== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/badSubjectAltNames.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/badSubjectAltNames.pem.certspec new file mode 100644 index 0000000000..1b368c26f1 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/badSubjectAltNames.pem.certspec @@ -0,0 +1,3 @@ +issuer:Test CA +subject:EE with bad subjectAltNames +extension:subjectAlternativeName:*.*.example.com diff --git a/security/manager/ssl/tests/unit/bad_certs/beforeEpoch.pem b/security/manager/ssl/tests/unit/bad_certs/beforeEpoch.pem new file mode 100644 index 0000000000..9faffde6d6 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpoch.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDKzCCAhOgAwIBAgIUPU/rVUoMybyCeEAWx++fMAuZ6k0wDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8xOTQ2MDIxNDAwMDAwMFoYDzIwMzEw +MTAxMDAwMDAwWjAsMSowKAYDVQQDDCFCZWZvcmUgVU5JWCBFcG9jaCBUZXN0IEVu +ZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W +1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtq +ZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx +0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthV +t2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo +4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx +1QOs2hgKNe2NAgMBAAGjWzBZMCMGA1UdEQQcMBqCGGJlZm9yZS1lcG9jaC5leGFt +cGxlLmNvbTAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2Nh +bGhvc3Q6ODg4OC8wDQYJKoZIhvcNAQELBQADggEBALocgfctX/9NDtkQ7zAkGl14 +UXkXBCq7vn5fKss2bCG7D6M/+Q4ZJ64/QXGK96tKqdJctiyIN3KArnk4/pWfYCQG +DgIHXFAgbKUQU0uiGmPwbPQnYq8la6VEarMrzWnGhqVPG1wsqiO1cnecycvm2W7W +9n7qvw3s2Gf0WZIQKqpNmuhouboeiK1xFxryLWiNaG087WPHb71e1C+1enVb/hJN +E1KD7dBtBh0sOC6bOFdc4BzhDHnDzPSznSqouotHf5U8YniKoPcDCml544msKwP8 +LCj3tG1VdMxL+p83ETDHG6GLUY20R0E6WJJfvfZ3hdxRUKgaAs+diT3xYXXYqTA= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/beforeEpoch.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/beforeEpoch.pem.certspec new file mode 100644 index 0000000000..ac97b2231a --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpoch.pem.certspec @@ -0,0 +1,5 @@ +issuer:Test CA +subject:Before UNIX Epoch Test End-entity +validity:19460214-20310101 +extension:subjectAlternativeName:before-epoch.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/beforeEpochINT.pem b/security/manager/ssl/tests/unit/bad_certs/beforeEpochINT.pem new file mode 100644 index 0000000000..6cdfa86a25 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpochINT.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC7zCCAdegAwIBAgIUL5tQyA2FR4V3eMcfGyWTxS4vmp0wDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8xOTQ2MDIxNDAwMDAwMFoYDzIwMzEw +MTAxMDAwMDAwWjAuMSwwKgYDVQQDDCNCZWZvcmUgVU5JWCBFcG9jaCBUZXN0IElu +dGVybWVkaWF0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahE +jhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1 +a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1p +GrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW +2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcO +p2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJR +xDHVA6zaGAo17Y0CAwEAAaMdMBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYw +DQYJKoZIhvcNAQELBQADggEBAGDlMbdxc1BHrn6l1svyskkHx68lSeTGVucIpClu +mJIT3rsTR5swYuyvrWe/gqkVqGRv2gIpMUYAJoHWjF4fRyWkIjJz5JnSP5qxFKKk +NFrjXFpGSqxJGtuMUNNGk7P30RLje5aE00bqrZHokfrokzChC3G3QJPOwvJtP1Gk +wldQ8AeoHu/u3oEB3caoC1QpFfgF5kunNETSIxX5bTmsjTSSJnJjnf46FQdbOWUh +P5Qkr6ZNK4ZAOIm+PRRyJ44JiHab+up/cEs17/T5dNcnHCy4TYXquNKwOe35qakm +iexwhKycaAEM0TcTI1OA5K4tCwFvaiOr4eTzxN28Cemd89E= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/beforeEpochINT.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/beforeEpochINT.pem.certspec new file mode 100644 index 0000000000..835e63f2b6 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpochINT.pem.certspec @@ -0,0 +1,5 @@ +issuer:Test CA +subject:Before UNIX Epoch Test Intermediate +validity:19460214-20310101 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/bad_certs/beforeEpochIssuer.pem b/security/manager/ssl/tests/unit/bad_certs/beforeEpochIssuer.pem new file mode 100644 index 0000000000..a77e87cabc --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpochIssuer.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDWjCCAkKgAwIBAgIUf8gdQ4LFK1Kln5vHKQGFoL3Do/EwDQYJKoZIhvcNAQEL +BQAwLjEsMCoGA1UEAwwjQmVmb3JlIFVOSVggRXBvY2ggVGVzdCBJbnRlcm1lZGlh +dGUwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAwMDAwMFowODE2MDQGA1UE +AwwtVGVzdCBFbmQtZW50aXR5IHdpdGggQmVmb3JlIFVOSVggRXBvY2ggaXNzdWVy +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2 +ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdF +h/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6n +cOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAv +OnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2nj +tIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXt +jQIDAQABo2IwYDAqBgNVHREEIzAhgh9iZWZvcmUtZXBvY2gtaXNzdWVyLmV4YW1w +bGUuY29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2Fs +aG9zdDo4ODg4LzANBgkqhkiG9w0BAQsFAAOCAQEACuTyeQ7s3Awm5o/IFgMW3QAJ +FeaHSD5iGBu3BZlKlg11BgJdoaZ0fl/iRRrLKqsKPnK0I8LztLXarNgGcqVclMj0 +mzM83evJvYHkRfk9T54Eb71mO/ZMxWI//6dGP07+EP5/y6i0b67YPcW1pyTq2U41 +6Faf0LPUfMnCBtoEH4EM/jigH4JwXTxcLIX5KMWHOsSseRSC/aENe6h4tEHqXgB3 +B1f5w02D2Wyfg6u8FHYWTkc7DLpZdeSWgcH5oho3QIg2r3Pt6AKhwwiIIDcQw7Zt +cC+s8/5INTGsfYsovF5BIf0wEONkGtF8JtcPEJQA7I+BLnqxLItCSQox2n3JHg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/beforeEpochIssuer.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/beforeEpochIssuer.pem.certspec new file mode 100644 index 0000000000..9aabe21628 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpochIssuer.pem.certspec @@ -0,0 +1,4 @@ +issuer:Before UNIX Epoch Test Intermediate +subject:Test End-entity with Before UNIX Epoch issuer +extension:subjectAlternativeName:before-epoch-issuer.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem b/security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem new file mode 100644 index 0000000000..69972591d4 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDNTCCAh2gAwIBAgIUCfV2HIsCkOeqHcXdhZf6ejBahIswDQYJKoZIhvcNAQEL +BQAwODE2MDQGA1UEAwwtU2VsZi1TaWduZWQgQmVmb3JlIFVOSVggRXBvY2ggVGVz +dCBFbmQtRW50aXR5MCIYDzE5NDYwMjE0MDAwMDAwWhgPMjAzMTAxMDEwMDAwMDBa +MDgxNjA0BgNVBAMMLVNlbGYtU2lnbmVkIEJlZm9yZSBVTklYIEVwb2NoIFRlc3Qg +RW5kLUVudGl0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahE +jhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1 +a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1p +GrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW +2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcO +p2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJR +xDHVA6zaGAo17Y0CAwEAAaMzMDEwLwYDVR0RBCgwJoIkYmVmb3JlLWVwb2NoLXNl +bGYtc2lnbmVkLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQBCrP9yopCm +BJSG6MIq3olV8meoQ2wIrCm2i1Ob2BI3JXW9CSjtnklmQaXzyEY6EnH7K/qzHMbz +prbtiM+e0GjwwYNDAe3Ad1kUjDUSVnMAYmtTJOYxhmGYztkmM2xkz9Tvn+M4U35A +GXimG82MDslBvDINDCPvwWsjst8oMwDAezpxZP2zZ/BrXbyUvOfCqyWQrRTNfSmF +Aub2UQBdjSCgwY5RpzJ2ib5IWmVm3vPQmhM69FwI3WzWsbOb6MYdyPpnVnlN626l +AwLjoaSP3F/lSgPzDqVKgx6rjqkYANPGaLLXdRH3ynJlxuW9JlamyuEypPIA0+Ml +rvaprkFh5rXU +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem.certspec new file mode 100644 index 0000000000..579e85e496 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem.certspec @@ -0,0 +1,4 @@ +issuer:Self-Signed Before UNIX Epoch Test End-Entity +subject:Self-Signed Before UNIX Epoch Test End-Entity +validity:19460214-20310101 +extension:subjectAlternativeName:before-epoch-self-signed.example.com diff --git a/security/manager/ssl/tests/unit/bad_certs/ca-used-as-end-entity.pem b/security/manager/ssl/tests/unit/bad_certs/ca-used-as-end-entity.pem new file mode 100644 index 0000000000..05959d4c6a --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/ca-used-as-end-entity.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDRTCCAi2gAwIBAgIUcdrK+swAhgsnbPoNXViflHJFgtMwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw +MjA0MDAwMDAwWjAvMS0wKwYDVQQDDCRUZXN0IEludGVybWVkaWF0ZSB1c2VkIGFz +IEVuZC1FbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo +RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a +dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t +aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n +FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX +Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py +UcQx1QOs2hgKNe2NAgMBAAGjcjBwMAwGA1UdEwQFMAMBAf8wMgYIKwYBBQUHAQEE +JjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMCwGA1UdEQQl +MCOCIWNhLXVzZWQtYXMtZW5kLWVudGl0eS5leGFtcGxlLmNvbTANBgkqhkiG9w0B +AQsFAAOCAQEAUV4KW+Z8kuKSA64HNt0qyB2POf/dpZUhUCs/eFw7aamooeH4ZvS6 +Qu1OBFzuU4lYlNOJGBUfYRS0MvUjtYdRGMxhIv/zUBPT1xG0PsOjPj9Y7BbzDbG1 +++O+chZk79KE+9d6QMDquHysRMCku4Ss5wbvOiaJoi5ZnAuqkenzvdS377J4acZ7 +vGyRekqZZssIZ2xnShzXSS5Kexe0B33Ky3Pl3fk7JqMyZDPhLnzRok3sNuZIpB9b +qNYkd0h9V2ZEI2XSRJzhtN1NX72g5NMnmeFJ2YFll69b9xO3mPLKX4k/gy/djZa0 +eCgPydgLZPTagy9hYorKAFR9D7qX8128oQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/ca-used-as-end-entity.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/ca-used-as-end-entity.pem.certspec new file mode 100644 index 0000000000..8e16705b50 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/ca-used-as-end-entity.pem.certspec @@ -0,0 +1,5 @@ +issuer:Test CA +subject:Test Intermediate used as End-Entity +extension:basicConstraints:cA, +extension:authorityInformationAccess:http://localhost:8888/ +extension:subjectAlternativeName:ca-used-as-end-entity.example.com diff --git a/security/manager/ssl/tests/unit/bad_certs/default-ee.key b/security/manager/ssl/tests/unit/bad_certs/default-ee.key new file mode 100644 index 0000000000..09e044f5e0 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/default-ee.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9 +braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI +eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6 +iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za +qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7 +LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs +2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs +VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s +JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI +r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz +iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg +SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R +TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N +gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp +xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r +ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR +3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY +EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs +2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb +WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo +tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl +rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2 +TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit +tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m +ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1 +NBinA5ZsT8d0v3QCr2xDJH9D +-----END PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/bad_certs/default-ee.key.keyspec b/security/manager/ssl/tests/unit/bad_certs/default-ee.key.keyspec new file mode 100644 index 0000000000..4ad96d5159 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/default-ee.key.keyspec @@ -0,0 +1 @@ +default diff --git a/security/manager/ssl/tests/unit/bad_certs/default-ee.pem b/security/manager/ssl/tests/unit/bad_certs/default-ee.pem new file mode 100644 index 0000000000..7dd59895af --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/default-ee.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDiTCCAnGgAwIBAgIUYS+fG1v+p3J2spZDRL6SSVpIFtcwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw +MjA0MDAwMDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0 +7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D +/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw +JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX +rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd +q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgcow +gccwgZAGA1UdEQSBiDCBhYIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tghUqLnBp +bm5pbmcuZXhhbXBsZS5jb22CKCouaW5jbHVkZS1zdWJkb21haW5zLnBpbm5pbmcu +ZXhhbXBsZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5zLnBpbm5pbmcuZXhhbXBs +ZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxo +b3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQB+1d8LT9Iaa3WShAqdo54BS4lg +0VHqQeAe7YlFzBjHLi62SRC8kMtn4CrAvtDGh+4xrfUHjkHMwxMhS2SBypPanccy +Hk2LtubcrE7tl0fexB2yfv3+oS5LnMaJ+6svWgq3i31g1YCNoCN+bdvxb3BMKdn5 +tV6OYrhCA/0CHjre34fC7DTb3AmBRSpoJf2QNanCrxi4Nau4TfWzHiUz+RwfDS2/ +Y5GV2rN0Wuw6vd4J5FtHl5G3ThtH+azD0INR9qI8zYtibjkzroXDzXcVXEOQqqtx +UE/ieCiIFKBtbITd2X0ae1MCfyKq3JULr8pWc90hUdSHnZ5OFnuU65s73qXJ +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/default-ee.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/default-ee.pem.certspec new file mode 100644 index 0000000000..554339ff52 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/default-ee.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test CA +subject:Test End-entity +extension:subjectAlternativeName:localhost,*.example.com,*.pinning.example.com,*.include-subdomains.pinning.example.com,*.exclude-subdomains.pinning.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/ee-from-missing-intermediate.pem b/security/manager/ssl/tests/unit/bad_certs/ee-from-missing-intermediate.pem new file mode 100644 index 0000000000..d40e5bb529 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/ee-from-missing-intermediate.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIC/zCCAeegAwIBAgIUY9rgTPnNaqq1Kb0e68iPjjXAJq0wDQYJKoZIhvcNAQEL +BQAwHzEdMBsGA1UEAwwUTWlzc2luZyBJbnRlcm1lZGlhdGUwIhgPMjAyMjExMjcw +MDAwMDBaGA8yMDI1MDIwNDAwMDAwMFowJzElMCMGA1UEAwwcZWUtZnJvbS1taXNz +aW5nLWludGVybWVkaWF0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +ALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG +8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0V +gg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g3 +04hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l +0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz +/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMnMCUwIwYDVR0RBBwwGoIJbG9jYWxob3N0 +gg0qLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQAptio0ZxdHBqnMsliG +5KJoYAsvv2lG2a/NqBQAZTJCsf3fAi91/p6LnKaS6nKb4n7dk89QD60hyKuWA7vT +xGEPylXVNV7S+YcBT4N69i4igvhLVHJPIvCxS4/IyGZ712E9jbu1beJdD2fyxAZp +cHhRpWlopg0cl+uosiFwuNwWPGvehDa15KAhVI0oERlOY5WjeB4DD1U+43UWAf0C +1/AtnmZw2nkddlHirXnlw2IIrD3hYVjsHa8FHm0j4q7lmAKRC4ilaQWUl/gW81/E +4WAeP59faC6pFy9ZhL9H9vZpoM6pkc8I5+/R34Sk+v8z0hbbiNowVM1sm0GM/erG +CQZm +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/ee-from-missing-intermediate.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/ee-from-missing-intermediate.pem.certspec new file mode 100644 index 0000000000..48bb1c6e4a --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/ee-from-missing-intermediate.pem.certspec @@ -0,0 +1,3 @@ +issuer:Missing Intermediate +subject:ee-from-missing-intermediate +extension:subjectAlternativeName:localhost,*.example.com diff --git a/security/manager/ssl/tests/unit/bad_certs/ee-imminently-distrusted.pem b/security/manager/ssl/tests/unit/bad_certs/ee-imminently-distrusted.pem new file mode 100644 index 0000000000..6aef692e8e --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/ee-imminently-distrusted.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDPjCCAiagAwIBAgIUB4TM/Mm0sRhp8Y2i2y5hYIpuS7gwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw +MjA0MDAwMDAwWjArMSkwJwYDVQQDEyBJbW1pbmVudGx5IERpc3RydXN0ZWQgRW5k +IEVudGl0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW +Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk +cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT +AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3 +ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh +s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV +A6zaGAo17Y0CAwEAAaNvMG0wNwYDVR0RBDAwLoIJbG9jYWxob3N0giFpbW1pbmVu +dGx5LWRpc3RydXN0ZWQuZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsG +AQUFBzABhhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IB +AQAQeuh9uaIgE6lZcdlwHx1lCacDapi1/UYmchk6JGZa8YPbdvNvlx56C39rrxZm +RMIxb31/ySMWMgfoC5pKzcFIRlolUSUV4NF/ZW/xlkpHUfutTcRAu4bWqj0inGBF +1yMCZtYfyTQKo6zcH2auIFSoGXHchalzBnYjVz2HrJ9ZDJAsQbTIGbxSJb/sdGUG +ASEDVyWuKY8LCJJjUjOBebaal0/ihsFc/9HHv6qxb+qOGpyZ+vBR693Y/iam1Tb3 +uxZeWronSEgidd5FcSxfgYkoSgiUODE56GrBGQHgmrFs346WYVe9AuXZHnl93hs9 +s2yw+cAN+P411cXfdMqwz3lM +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/ee-imminently-distrusted.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/ee-imminently-distrusted.pem.certspec new file mode 100644 index 0000000000..dd8c6707ce --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/ee-imminently-distrusted.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test CA +subject:printableString/CN=Imminently Distrusted End Entity +extension:subjectAlternativeName:localhost,imminently-distrusted.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/eeIssuedByNonCA.pem b/security/manager/ssl/tests/unit/bad_certs/eeIssuedByNonCA.pem new file mode 100644 index 0000000000..f0ab42dbac --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/eeIssuedByNonCA.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDJTCCAg2gAwIBAgIUG50q46ciI2WuRyvXmEZHXT1Z9EkwDQYJKoZIhvcNAQEL +BQAwGjEYMBYGA1UEAwwPVGVzdCBFbmQtZW50aXR5MCIYDzIwMjIxMTI3MDAwMDAw +WhgPMjAyNTAyMDQwMDAwMDBaMB4xHDAaBgNVBAMME0VFIElzc3VlZCBieSBub24t +Q0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braI +BjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVa +p0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB +7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4C +kC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJv +aeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgK +Ne2NAgMBAAGjWzBZMCMGA1UdEQQcMBqCCWxvY2FsaG9zdIINKi5leGFtcGxlLmNv +bTAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6 +ODg4OC8wDQYJKoZIhvcNAQELBQADggEBADPjrZ/BNq3Q0vDAP4rkUr+tR4tGtuOu +IhmV4S+6ovyJHBEkR4q1qyHyYObnIKmdNZrFBpNeH2s+X1qe4Ewc4Uk1STFQeELL +QP6ZsbcQdGSfk+KX2t00xTrY2awInlvLQ++eqnDbF4mzC+JMIeDVUxFGbGhKUoRV +ZcO5qnlVIa88Tz3WlgDKDxDjtFui1/xzj4Qx+v7MaNsGBDES+RzX7/qGVvX7v5kh +Moy9c77CdbGoWvKHWjdegGc0jS0zQMV/fE68CJo9a3goWBdIPW4yVCc5bE3Epdyc +w43k0CTyxNwiVw5dr3cl8E+DCwOxrtHeaILp3mR1YBwlV0gDEkLrPt0= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/eeIssuedByNonCA.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/eeIssuedByNonCA.pem.certspec new file mode 100644 index 0000000000..63c36d34b3 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/eeIssuedByNonCA.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test End-entity +subject:EE Issued by non-CA +extension:subjectAlternativeName:localhost,*.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/eeIssuedByV1Cert.pem b/security/manager/ssl/tests/unit/bad_certs/eeIssuedByV1Cert.pem new file mode 100644 index 0000000000..98bd3279f9 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/eeIssuedByV1Cert.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC6jCCAdKgAwIBAgIUbW/Sp8rvnvpF0amyMiSsV3M65fEwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVjEgQ2VydDAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw +MjA0MDAwMDAwWjAfMR0wGwYDVQQDDBRFRSBJc3N1ZWQgYnkgVjEgQ2VydDCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ +6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUk +nAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N +/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAG +JMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd +7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEA +AaMnMCUwIwYDVR0RBBwwGoIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tMA0GCSqG +SIb3DQEBCwUAA4IBAQBNhHn/B4FiChMDw6MEqhnYg3il2IRBQXMHKZLXP1MXhITy +kFl/Yz13yrtwREFCgE/yKWgXwVJQ9J0/xk8JeMA/P7NyzfwKUceAyCvcL1ibfacB +ZPCrRicdgK8KXXwAlKrvvXmzrH5mgYdkgpj5DyPiTD6gHXWRTak97anWTjFM2xbK +heg18OMziIVnRt5W203v+JTZEzQfr/c1QE6D9fyxErNSf+rzzrnfTnTiu2fleJ1/ +9zacWZwu6Aq/C4MJAlPP0bFkCjNEMnF1r494ORiUxkGPBJE+Tnj7Gbuhe0jjcrWQ +YXELq5S9zIZ+lUBAR0BXSVsIVa2GKgfevG4azGct +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/eeIssuedByV1Cert.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/eeIssuedByV1Cert.pem.certspec new file mode 100644 index 0000000000..9ed9b33db7 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/eeIssuedByV1Cert.pem.certspec @@ -0,0 +1,3 @@ +issuer:V1 Cert +subject:EE Issued by V1 Cert +extension:subjectAlternativeName:localhost,*.example.com diff --git a/security/manager/ssl/tests/unit/bad_certs/emptyIssuerName.pem b/security/manager/ssl/tests/unit/bad_certs/emptyIssuerName.pem new file mode 100644 index 0000000000..3950bab62f --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/emptyIssuerName.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC6TCCAdGgAwIBAgIUe9ZaQpC/uQy3a4aB/PFp+i2g9BwwDQYJKoZIhvcNAQEL +BQAwADAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAtMSswKQYD +VQQDDCJFbmQgZW50aXR5IHNpZ25lZCBieSBlbXB0eSBuYW1lIENBMIIBIjANBgkq +hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVK +tOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7N +Q/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39Zgsr +sCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxs +l62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYl +nauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoyow +KDAmBgNVHREEHzAdghtlbXB0eWlzc3Vlcm5hbWUuZXhhbXBsZS5jb20wDQYJKoZI +hvcNAQELBQADggEBAJCmZN82+yrgQ1uQNbKtRby+GYdw+6ADG1SlYf1zEc3W2A01 +MaIa8inzgAzNIu+9cMJsjuCHAw8A7CiaKo0bRGWy3mSR1PfsAmqjC2dRZxCif0ik +Tdj3nlbAvUV8p2QVZ77CYUWkv2ZFzwR79OWxRR2UPAo+1QP9odq8DUwLr0lM5mC6 +oTo8GnOknnyn6stq/iblG1mlMBnp3QarxhNAtBMXQOjWrUYmigWVUv5EP80UZ0J0 +A2C0FQ6mR5HaLycI3SlMI7tYg9Ijb9F89UyhAvvsJ8zLclh5QaH63WdGjyS6IVzG +grfoCSqNKU18EHyuBtE3xMh8jpX6XotkqXhxlhQ= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/emptyIssuerName.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/emptyIssuerName.pem.certspec new file mode 100644 index 0000000000..a99d84b79e --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/emptyIssuerName.pem.certspec @@ -0,0 +1,3 @@ +issuer: +subject:End entity signed by empty name CA +extension:subjectAlternativeName:emptyissuername.example.com diff --git a/security/manager/ssl/tests/unit/bad_certs/emptyNameCA.pem b/security/manager/ssl/tests/unit/bad_certs/emptyNameCA.pem new file mode 100644 index 0000000000..da9ea15730 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/emptyNameCA.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICwTCCAamgAwIBAgIUPe0Af59pnC5Ljo4FiB9Q1/kc7BowDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw +MjA0MDAwMDAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohR +qESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+Kv +WnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+ +rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPv +JxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5 +Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6 +clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIB +BjANBgkqhkiG9w0BAQsFAAOCAQEAH+A0GkIIAKhyd6Ky8CSZXx50LFxrnzVngDfr +F3Yn9ODreH/gafd3Ag+QbXgaOcrYRKiTaECAK5DWKg1jRYrikkUdOd5VyqoIGmgU +/3eVh8cO3XylEapvU7+PQllC0LeXmEHECs1b/fLJ1l+PJYfewHtYl7Xb59bFYkpi +gT936JQNjqQxGfJLDaylD665+Cy17BpTmu5gis+T8BMM6wP2wQ/8azlH2hP5NQl5 +LxgSnsUT5KIL2oIorMDaIapUY3c5NBFkp0QefCdSL0JzMBeBOqhC/ZX6ng1mvbHW +73ns95iBrHUzMylKt2lk64ad+e0o3eYRnvdlilUz9C/XAihQjQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/emptyNameCA.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/emptyNameCA.pem.certspec new file mode 100644 index 0000000000..0a7cfdfd84 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/emptyNameCA.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test CA +subject: +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem b/security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem new file mode 100644 index 0000000000..1c566e80e4 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDOzCCAiOgAwIBAgIUCaTETyqt/N8/JD/UA6/ZgL81wfUwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy +MDQwMDAwMDBaMB8xHTAbBgNVBAMMFGV2LXRlc3QtaW50ZXJtZWRpYXRlMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq +5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc +An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39 +ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk +zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u +JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB +o3kwdzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBHBggrBgEFBQcBAQQ7MDkw +NwYIKwYBBQUHMAGGK2h0dHA6Ly9sb2NhbGhvc3Q6ODg4OC9ldi10ZXN0LWludGVy +bWVkaWF0ZS8wEQYDVR0gBAowCDAGBgRVHSAAMA0GCSqGSIb3DQEBCwUAA4IBAQAt +RkahoJhciL6jkf2enZroZsl4Stmdobl1A3ct56YFmmncRlBHo5NDIRNM0sjVXwZT +nXH0oAFNZOLucqJOZ8TBYxIVRiDwTOnJg/ObyCiuG/mWbDQV3vsIsd/CvtcihMym +SjYggiEHqn439wYtI0N5QnT/XZerFP4szSBumaqmGwktbKXuM6zxQ3Omuoy65Mho +t6udcVERBulnRLrOPyRPf6iijcgOEt52AbK5jpx8FCALK1GM0qmXfpOEFYbkr1mC ++jSVY4pSHEJVXfcZYFhoWdVwLS5Hn31Chicy0bzRI3Zl2J2iRZu/URrSVHA5esJb +EQ4t31XwaoevDtMeoxEv +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem.certspec new file mode 100644 index 0000000000..d5b5859672 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem.certspec @@ -0,0 +1,7 @@ +issuer:evroot +subject:ev-test-intermediate +issuerKey:ev +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign +extension:authorityInformationAccess:http://localhost:8888/ev-test-intermediate/ +extension:certificatePolicies:any diff --git a/security/manager/ssl/tests/unit/bad_certs/ev-test.pem b/security/manager/ssl/tests/unit/bad_certs/ev-test.pem new file mode 100644 index 0000000000..e41661438a --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/ev-test.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDQjCCAiqgAwIBAgIUWRHuQlrvnOY6rq61b0rQgL7EWp8wDQYJKoZIhvcNAQEL +BQAwHzEdMBsGA1UEAwwUZXYtdGVzdC1pbnRlcm1lZGlhdGUwIhgPMjAyMjExMjcw +MDAwMDBaGA8yMDI1MDIwNDAwMDAwMFowEjEQMA4GA1UEAwwHZXYtdGVzdDCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ +6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUk +nAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N +/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAG +JMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd +7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEA +AaN/MH0wOgYIKwYBBQUHAQEELjAsMCoGCCsGAQUFBzABhh5odHRwOi8vbG9jYWxo +b3N0Ojg4ODgvZXYtdGVzdC8wHwYDVR0gBBgwFjAUBhIrBgEEAetJhRqFGoUaAYN0 +CQEwHgYDVR0RBBcwFYITZXYtdGVzdC5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsF +AAOCAQEAdl81wFiPty5Hz9X6zf/urfECVITVvP4zP2UTRt6uFLVJ3c26uumJ6See +I5KS+U7rGzcteD63wz520un3P+e1rOztbkB6ySL/Eu2wmteNz/L2F9I7ebjp0TMs +8zxwO+x9uK4Oh3H+iEIIPcyBXvy04DRNjG7YTwf3JFAfG5H4paYLbLsDmljdAwcu +3tcVFFb5nw5WrfdUWcr6YP9TNWI7Rhzbht8W76+hrKUBEcZyHZ78viCpbIFUIfmG +mlOm+Loqh18Ej+Nq7EU9x9n0DV16TbyFxehcPFfpTYc+Kdm9azT6umIY6/lh3HXg +1lJ0kwfvc0C32XkwvOXu/O0Fz7DLmw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/ev-test.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/ev-test.pem.certspec new file mode 100644 index 0000000000..10f8022585 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/ev-test.pem.certspec @@ -0,0 +1,5 @@ +issuer:ev-test-intermediate +subject:ev-test +extension:authorityInformationAccess:http://localhost:8888/ev-test/ +extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1 +extension:subjectAlternativeName:ev-test.example.com diff --git a/security/manager/ssl/tests/unit/bad_certs/evroot.key b/security/manager/ssl/tests/unit/bad_certs/evroot.key new file mode 100644 index 0000000000..1d88a930d5 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/evroot.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQC1SYlcnQAQjRGh ++Z+HqePRpdtd+uzxiNpXv2QTaI8s5HIs/xCQOMF0Ask6Kkc9vShq7T/c02PPWikU +dwG92BjXYVv5NWvV08gzaqqMCXE2igbDzURhuT5RQk4XRLsuqtRqqzjOGWghlh+H +cUoWY2k/CXYc301roSXqzse+Jw04j3ifbN94rjFE7SjEXnkpOGOnoipImAo2pA5y +1XnJuSXf+MeTNi/9aJenwXVMXpfJZ8Pq3RquiqLMzjSKAWm4Diii1wwalgxvM18t +oJubZD9av7pJ6Kqpgelg4n2HSAvdVd2UF/oYUJ+7VUzPgaQ5fouoEoo0vfJ4ZcGJ +5XNPsikFAgMBAAECggEBAJg9VPlNb0x26yPW+T14UjUwz3Ow0WJUxueBdo1F9VaB +0dAvsr0qrGq8HDiYYJNcUqDY9BSCAQOUd4MUHYZL/zCANjilwBUlcK6dGPPYyhY+ ++0dbDd3zLn4W7HVl5rteAlxBxcZuV6A87eVUIh+DBFNHosTEUcPc5Ha3h84MBXJE +vp4E7xMRjbuz1eCmzIcCnq/Upp7ZsUdZsV452KmITlb1TS+asBPw0V8xipq2svc9 +HsPJ/idK6JQxoQZAvniZsAEcXlCToYNHCGid4QBjTaveYPvWqu+joz3zSh829gwE +MDa3SNHJ7pjEAxoK/sYO/aCpkL5ST1YU6sT9s0pS+VECgYEA6twssz5f8co3a72V +vWoXd9LPT6xHVF6S0RpiCbnV5N7UeDRYHBabPIhHQqCeoYdQXBylVBTY0ltJdjLV +7CqqBSM0MPrUmJJ3en1o4Dj1YaO4lp5gsKJj3vv9pIqbD/OdlbyIsVJnyK3pe1EH +lI5B5DMknYf32xCdXXRYTYa8wdcCgYEAxZrldqIWRwJI2USlW56b+TKZ2jQexW5V +jrqCGrzhv1e3nPQR0pBMd0+duh8VGF9gewV0oIIF1uwotmo21jQjLqry/qN1Yauv +nWRLaNs4yZZMuMluwKxh66ZNBbRGVC9COXb1rN5OzJVTbS31eJVPk/DP2cWPt4ui +p23VrChNyIMCgYEAwdLvOQYzHFKspkgR+f5CW+somDIvs9tRAyzo1+n8MiQL6SAZ +zySA/NXjKYNxJxGLKlmhv+BsiD46REfz8DHNmuvQuNNo/Hl0DSzOjq2zJN9/CR6v +4VZDYdVJILAbBHEjDl5H2T+O0zljxRe8T8ePbYsfnrqFvM7bcDMCZQjbYoUCgYEA +hSG421aU376ASjFfnvybZSdcVJCs8qNFbWXm5hC/n2R/xnUB1PV3LyMqxwzN75/C +pt+kFcfEG2r8evnQfDygP37ZPAnwuZ8sMEQ0Mi8QcXCbvBuqTJFXX6apWeB9SZaV +bZXiK1eTi25HyNUf/t/Jv4iM4NGj5CtlqJvtS5HT5fUCgYEA3El7BrkgyL4LAHe3 +mOl37vdEqQ7Cxdfmy7IkSPrHLagaMxgODYoC6DFGDH/H/TphL3uZMLYbeZ+OkI5j +LpugQJtqpwsDo7p4dCYmO1vVhD34R27bXRT2qGE+uvW5zVykL1+9KALgjk5J5XCf +UVFRDKpassHG6z7+kpXRbowlyRY= +-----END PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/bad_certs/evroot.key.keyspec b/security/manager/ssl/tests/unit/bad_certs/evroot.key.keyspec new file mode 100644 index 0000000000..1a3d76a550 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/evroot.key.keyspec @@ -0,0 +1 @@ +ev diff --git a/security/manager/ssl/tests/unit/bad_certs/evroot.pem b/security/manager/ssl/tests/unit/bad_certs/evroot.pem new file mode 100644 index 0000000000..13c3031905 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/evroot.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC0TCCAbmgAwIBAgIUIZSHsVgzcvhPgdfrgdMGlpSfMegwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMTUwMTAxMDAwMDAwWhgPMjAzNTAx +MDEwMDAwMDBaMBExDzANBgNVBAMMBmV2cm9vdDCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBALVJiVydABCNEaH5n4ep49Gl21367PGI2le/ZBNojyzkciz/ +EJA4wXQCyToqRz29KGrtP9zTY89aKRR3Ab3YGNdhW/k1a9XTyDNqqowJcTaKBsPN +RGG5PlFCThdEuy6q1GqrOM4ZaCGWH4dxShZjaT8JdhzfTWuhJerOx74nDTiPeJ9s +33iuMUTtKMReeSk4Y6eiKkiYCjakDnLVecm5Jd/4x5M2L/1ol6fBdUxel8lnw+rd +Gq6KoszONIoBabgOKKLXDBqWDG8zXy2gm5tkP1q/uknoqqmB6WDifYdIC91V3ZQX ++hhQn7tVTM+BpDl+i6gSijS98nhlwYnlc0+yKQUCAwEAAaMdMBswDAYDVR0TBAUw +AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBABTOHA9XbfLv/C7+ +5KycYXToOIBRSjQ0j2nsiqFda4Jx+aKsvdpdrrbLHvhrpfsA3ZgB2+eKHunVc4fo +UHNqZllAs2nx+AEinq4GX8iya5BpiyTIxXWu8v06siGgz1GxlJw1cJ/ZnFEQ9IBf +cCAr5fCoZ4RC+2OVhiSTnYPCKM+zCyw3YpISjNOg1VVkp46Htp+831Eh12YfwvdY +Fgh1fc5ohYC5GCLRuXKc9PGTsr3gp7Y0liYbK7v0RBjd+GivNQ3dS3W+lB3Ow0LH +z/fc3qvrhsd58jHpb1QZQzd9bQjuIIM6Gij7TNdNNarEVZfSJjPYLfXosNdYh5fH +HmbOwao= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/evroot.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/evroot.pem.certspec new file mode 100644 index 0000000000..3121f3486e --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/evroot.pem.certspec @@ -0,0 +1,7 @@ +issuer:evroot +subject:evroot +subjectKey:ev +issuerKey:ev +validity:20150101-20350101 +extension:basicConstraints:cA, +extension:keyUsage:keyCertSign,cRLSign diff --git a/security/manager/ssl/tests/unit/bad_certs/expired-ee.pem b/security/manager/ssl/tests/unit/bad_certs/expired-ee.pem new file mode 100644 index 0000000000..a7d657a970 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/expired-ee.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDHDCCAgSgAwIBAgIUY9ERAIKj0js/YbhJoMrcLnj++uowDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDEzMDEwMTAwMDAwMFoYDzIwMTQw +MTAxMDAwMDAwWjAiMSAwHgYDVQQDDBdFeHBpcmVkIFRlc3QgRW5kLWVudGl0eTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9 +PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3 +HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3Dg +Dw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7 +EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK +lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0C +AwEAAaNWMFQwHgYDVR0RBBcwFYITZXhwaXJlZC5leGFtcGxlLmNvbTAyBggrBgEF +BQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJ +KoZIhvcNAQELBQADggEBAImiFuy275T6b+Ud6gl/El6qpgWHUXeYiv2sp7d+HVzf +T+ow5WVsxI/GMKhdA43JaKT9gfMsbnP1qiI2zel3U+F7IAMO1CEr5FVdCOVTma5h +mu/81rkJLmZ8RQDWWOhZKyn/7aD7TH1C1e768yCt5E2DDl8mHil9zR8BPsoXwuS3 +L9zJ2JqNc60+hB8l297ZaSl0nbKffb47ukvn5kSJ7tI9n/fSXdj1JrukwjZP+74V +kQyNobaFzDZ+Zr3QmfbejEsY2EYnq8XuENgIO4DuYrm80/p6bMO6laB0Uv5W6uXZ +gBZdRTe1WMdYWGhmvnFFQmf+naeOOl6ryFwWwtnoK7I= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/expired-ee.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/expired-ee.pem.certspec new file mode 100644 index 0000000000..0a03bc36f4 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/expired-ee.pem.certspec @@ -0,0 +1,5 @@ +issuer:Test CA +subject:Expired Test End-entity +validity:20130101-20140101 +extension:subjectAlternativeName:expired.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/expiredINT.pem b/security/manager/ssl/tests/unit/bad_certs/expiredINT.pem new file mode 100644 index 0000000000..e03d862761 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/expiredINT.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5TCCAc2gAwIBAgIUY9VlD+O8GH3DRfxtYTip4pS6eBYwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDExMDEwMTAwMDAwMFoYDzIwMTMw +MTAxMDAwMDAwWjAkMSIwIAYDVQQDDBlFeHBpcmVkIFRlc3QgSW50ZXJtZWRpYXRl +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2 +ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdF +h/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6n +cOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAv +OnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2nj +tIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXt +jQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0B +AQsFAAOCAQEANf+C+WsnAgYfISDS37prll2DOGYWKajcVZNzkScDzNGkK2s0c/td +Mb+HXehqvYz20hT4wEwQZnPt9qMWH7bBEWiJfw85OINbKmG/i0gjZZDgbFMMdHvc +j6BXJoxL0gAy8fOQyTDuMNX0NBJzSmWhzBsL99BHAWdG6XXQTzSyumiekc8ip4GG +EhJvArbZwgIBigzdpbc/lQI0dR2qER0BUXamWU8fi2RuvQqtEi2ANjJHrWOillXU +PR3j0F2LyvoiYlhiNhE1g3JH4VYZ+3eboRCrjel4J3rZHksN17r6+Fla1/YZdz2l +nAGA5McLBKXYBVcARV4adXlBe1z79TiDeQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/expiredINT.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/expiredINT.pem.certspec new file mode 100644 index 0000000000..38a0abd8a4 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/expiredINT.pem.certspec @@ -0,0 +1,5 @@ +issuer:Test CA +subject:Expired Test Intermediate +validity:20110101-20130101 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/bad_certs/expiredissuer.pem b/security/manager/ssl/tests/unit/bad_certs/expiredissuer.pem new file mode 100644 index 0000000000..95b9f0c4bc --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/expiredissuer.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDQDCCAiigAwIBAgIUeVvV7SMvQXrsfRkt0IxcruZ/vlgwDQYJKoZIhvcNAQEL +BQAwJDEiMCAGA1UEAwwZRXhwaXJlZCBUZXN0IEludGVybWVkaWF0ZTAiGA8yMDIy +MTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAuMSwwKgYDVQQDDCNUZXN0IEVu +ZC1lbnRpdHkgd2l0aCBleHBpcmVkIGlzc3VlcjCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl +qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg +w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx +V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1 +MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs +vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNcMFowJAYDVR0RBB0w +G4IZZXhwaXJlZGlzc3Vlci5leGFtcGxlLmNvbTAyBggrBgEFBQcBAQQmMCQwIgYI +KwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJKoZIhvcNAQELBQAD +ggEBAG19BBffQq3Zbw/k++j4vtoqq9n2Sgd2pA0yvVpfCaTX5f1EcWzgGMupCEIu +svr6Cc2MStIf7CWNfzAv6Xq8c7ylcAzi8FDzF7rvX/1nYCYjm+rbLdvgpewh5aE5 +b4XG2fNh92kT+yWkElpOr/XW1zJx+AXHlXxJm7CUuL84J5027Dx07Hw961X4RVE5 +zbVvfM17F/ZydyW7gxVid1x+Fg9OxvSf+SHJVWtB7JO0uKqgeD9RzQtZu7umX2Tc +MMmYNCGMxaFqy61X1Y2XR0rhTL9OAI+wrLXZ/fyapITdlsZldljIyhRbIytqglFZ +U5C792+mU+StatopboFrBOEVAtk= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/expiredissuer.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/expiredissuer.pem.certspec new file mode 100644 index 0000000000..855f454221 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/expiredissuer.pem.certspec @@ -0,0 +1,4 @@ +issuer:Expired Test Intermediate +subject:Test End-entity with expired issuer +extension:subjectAlternativeName:expiredissuer.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/idn-certificate.pem b/security/manager/ssl/tests/unit/bad_certs/idn-certificate.pem new file mode 100644 index 0000000000..97130645ce --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/idn-certificate.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIC/TCCAeWgAwIBAgIUI0vDPCiagS26us97hi/2caCaE0gwDQYJKoZIhvcNAQEL +BQAwGTEXMBUGA1UEAwwOVW5rbm93biBJc3N1ZXIwIhgPMjAyMjExMjcwMDAwMDBa +GA8yMDI1MDIwNDAwMDAwMFowGjEYMBYGA1UEAwwPSUROIENlcnRpZmljYXRlMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08 +E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc +1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAP +DY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQ +gAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqV +YR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQID +AQABozgwNjA0BgNVHREELTArgilidWc0MTM5MDkueG4tLWh4YWpiaGVnMmF6M2Fs +LnhuLS1qeGFscGRscDANBgkqhkiG9w0BAQsFAAOCAQEAfwY2xj26sb/mapkujwEC +aRyjFD5IWz6pKB+4HHkmrI4X55N+6hk3ToQmmiW40O+Pxc96l0PVSHeQaMjMQxtE +1MdAv4S9TOdaUPSHSjUurvP7OxxBMgU7cPUwKCHnkMMjd/CZKrSpEJJz9aArZ1eC +C2c/zt39fZeCyNfXVByoGDEMVZolTTCXy6lE45xvMVaIzKqMy7Fgn36SoPT1N+Ze +FOx1yk03lMDPeDkmD4La9EJZEy0D9TCnO7hJ9mMHMQ9fOLd4NLqcOpLtUj31WTIS +DApIxULfLtGD9FXcxsAxgazsSxlIXGwXjewJPUlf9ywSwtCFukCUWfxJ7nzlxunb +pw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/idn-certificate.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/idn-certificate.pem.certspec new file mode 100644 index 0000000000..b3d840fbd3 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/idn-certificate.pem.certspec @@ -0,0 +1,3 @@ +issuer:Unknown Issuer +subject:IDN Certificate +extension:subjectAlternativeName:bug413909.xn--hxajbheg2az3al.xn--jxalpdlp diff --git a/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.key b/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.key new file mode 100644 index 0000000000..d43495f851 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.key @@ -0,0 +1,16 @@ +-----BEGIN PRIVATE KEY----- +MIICcAIBADANBgkqhkiG9w0BAQEFAASCAlowggJWAgEAAoGAANKbsS+4T93NKbOl +GctmxDuNj4vlRbp5OEzmY+0D33WZFgDrkgeQ0lMM7OVE25mnHwWJaj7SBxZVNKqZ +BX5HxH47yBrab6HhLjcmi1BGpVJo+drXzLSF2BouGdUNTwtoVKyvbXvmnZoIMTbh +WvqPU8HIyE/GB3J53Q5V1zaaW90CAwEAAQJ/PEllBwvzkMJR1aLFJ3xbX9C97oXK +1/4rJ5grsoURSlBwBANq4c+K5Usl5Ns5IVq9fpA/YYwtiy8IzGzRLbzNciBeSUW2 +s984nl5D3goUi7LITiQx/b5ZILBEuycvRez/ByG337YDl/xhOp6jXCIwBTDK6PkV +nFNN878JEJUZAQJAD58XWXyFuAUbnGmvtV71dsmW29CQR9DM3ludYOpcZ/5PrGe+ +gD9LasWj8FD3a5ZvsU9c8QV2HlrebdlgsYO6VQJADXtjcRLOYaVRaMD5yThvsnmr +QMug1Ukza7plJ3JjqseCYRosgdm2Nc94xAAYhZ4BjF6QBtEuPS7m80bnn6QzaQJA +Cf1smj6m6RrjIHD5/BwhD/k1L5e+XR7rlRuzloHp3FtnKlMiIbPYkAyanZm50KTh +AtxFDKG4ewsTid5lFsCuDQJAAUG4MkkbfdSoMwiSACTHnK5kvUR9+IO7TFZyqWur +SLcSOzTyYyRFLNzrF/IeVw40fL4v1MLY+ZEOrCy22JW4yQJABFjdau4YyIsvm4Hx +vDB1riDcH5lz0gck8gsGBD1hR8h4nUoHroi8gshDjIk+AXsTlH9i4LGJWKMetmSx +nmTT4A== +-----END PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.key.keyspec b/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.key.keyspec new file mode 100644 index 0000000000..21ed73d60b --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.key.keyspec @@ -0,0 +1 @@ +rsa1016 diff --git a/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.pem b/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.pem new file mode 100644 index 0000000000..b8257a140c --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICtzCCAZ+gAwIBAgIUM6gG7+rX/E6iwOPdTbfDmqmd1ycwDQYJKoZIhvcNAQEL +BQAwHDEaMBgGA1UEAwwRVGVzdCBJbnRlcm1lZGlhdGUwIhgPMjAyMjExMjcwMDAw +MDBaGA8yMDI1MDIwNDAwMDAwMFowKTEnMCUGA1UEAwweSW5hZGVxdWF0ZSBLZXkg +U2l6ZSBFbmQtRW50aXR5MIGeMA0GCSqGSIb3DQEBAQUAA4GMADCBiAKBgADSm7Ev +uE/dzSmzpRnLZsQ7jY+L5UW6eThM5mPtA991mRYA65IHkNJTDOzlRNuZpx8FiWo+ +0gcWVTSqmQV+R8R+O8ga2m+h4S43JotQRqVSaPna18y0hdgaLhnVDU8LaFSsr217 +5p2aCDE24Vr6j1PByMhPxgdyed0OVdc2mlvdAgMBAAGjZTBjMC0GA1UdEQQmMCSC +ImluYWRlcXVhdGUta2V5LXNpemUtZWUuZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEE +JjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3 +DQEBCwUAA4IBAQARywHQubkWb2U0BwsQqs1FfySZaKO0xbKK3Qwl1obo+R579WSJ +WGRAkf7PTJwxsifJ3EHP20jVd3DPSQd2mdCtxGkOwhkdh6GysT+X9DHRD7dAXi2W +QGPR05R1te8j7HqZ1tPNfIzpKR8vfF1MYoBsKN6CMCYBbjsRpD0TVcr8S2PKcZbO +EPnV9a5oYuJ1RqnK/eGnIpPYcqXFUNsc1YxpYCxkWbwXzZ9tW0lYVWo593B0g8EV +FoLyDdLEtUwStHkxHsphrmthasYuDBOTE2O28ctLTl5xpdLyGgn/Wol5tGruwXH5 +u+VDs1FA9S09DwNC/c8lmhAdV32PqPH6PQNR +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.pem.certspec new file mode 100644 index 0000000000..02b595dc9a --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.pem.certspec @@ -0,0 +1,5 @@ +issuer:Test Intermediate +subject:Inadequate Key Size End-Entity +subjectKey:rsa1016 +extension:subjectAlternativeName:inadequate-key-size-ee.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/inadequatekeyusage-ee.pem b/security/manager/ssl/tests/unit/bad_certs/inadequatekeyusage-ee.pem new file mode 100644 index 0000000000..6768a41734 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/inadequatekeyusage-ee.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDQTCCAimgAwIBAgIUL3DrOLET5XwR7CX4bShDdmT6ZNAwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw +MjA0MDAwMDAwWjAvMS0wKwYDVQQDDCRJbmFkZXF1YXRlIEtleSBVc2FnZSBUZXN0 +IEVuZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo +RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a +dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t +aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n +FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX +Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py +UcQx1QOs2hgKNe2NAgMBAAGjbjBsMAsGA1UdDwQEAwIBAjApBgNVHREEIjAggh5p +bmFkZXF1YXRla2V5dXNhZ2UuZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIG +CCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUA +A4IBAQA8v9QkdaYQxGi5VdNBvzpWnRc40tGwNNjMpWHCvGg1WYBC4mro0bT/5Xog +fW3cwMFrIIuNjwHrYx4DqDwTGBbxjkU45DTMydBb51LFl5VShETdRv0Yai9Wvd/Q +Oe84IfHjQXDt8WhrGuiSgDSgGr3XXyJkdAJA9ajS2WVdC/3rupP/jkXOSUNGjouB +WJTzwyNiESuitbzijJOR4eHAMlwepB5gVFgIJQVsOFVlwQ//na1Przj3M2R2Qf1+ +/cQ+KGOrS5+sIRfMT37mlJfLaaJ8o55ljPvo/FItyl28C/mlr7rKR55Bn0VL9EnR +KQIXP7V/QG+OvcCI278C0n/cky3S +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/inadequatekeyusage-ee.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/inadequatekeyusage-ee.pem.certspec new file mode 100644 index 0000000000..4d553890b9 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/inadequatekeyusage-ee.pem.certspec @@ -0,0 +1,5 @@ +issuer:Test CA +subject:Inadequate Key Usage Test End-entity +extension:keyUsage:cRLSign +extension:subjectAlternativeName:inadequatekeyusage.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/ipAddressAsDNSNameInSAN.pem b/security/manager/ssl/tests/unit/bad_certs/ipAddressAsDNSNameInSAN.pem new file mode 100644 index 0000000000..3645c59100 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/ipAddressAsDNSNameInSAN.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDHTCCAgWgAwIBAgIUeTOq+w44V4g+/ZK2O5Xfytj12egwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw +MjA0MDAwMDAwWjA8MTowOAYDVQQDDDFJUCBhZGRyZXNzIGFzIGROU05hbWUgaW4g +c3ViamVjdCBhbHRlcm5hdGl2ZSBuYW1lMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf +vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb +uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S +O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR +3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv +5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoz0wOzA5BgNVHREEMjAwggkx +MjcuMC4wLjGCI2lwQWRkcmVzc0FzRE5TTmFtZUluU0FOLmV4YW1wbGUuY29tMA0G +CSqGSIb3DQEBCwUAA4IBAQB9zxe9n2/b6xqibQH/LdIgczeL+xxvdAnuq0dkjEgO +UcZx3+qdQXL//Iq+dG3nZoaoSqnQMx6KWvlsoVYIyMHlcFyv5EBf6B8feps9i0J+ +YqpuCBp2dGtR4MolxDTKZnk5EopQ/kBckn+qTrOvLCnSy3tfBUvAM67qFW2g1vMG +9kqbZ5cd/ozv3dAW8LYeIKtM2kqDkCQgx7PbbgY2dixqWSyIPEtqOsrAKceJ5Nga +s1sWdlh0o8b9fpl9O9AzkojqqyX5hcdt5XjpntCQCAwsgp2GOqOkkLx7G9cLrLDk +QGUd8FuFAwEe1BQVS8uzUYY0vW8LrOYdqhtDq1a9f5cN +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/ipAddressAsDNSNameInSAN.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/ipAddressAsDNSNameInSAN.pem.certspec new file mode 100644 index 0000000000..26313d82e1 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/ipAddressAsDNSNameInSAN.pem.certspec @@ -0,0 +1,3 @@ +issuer:Test CA +subject:IP address as dNSName in subject alternative name +extension:subjectAlternativeName:127.0.0.1,ipAddressAsDNSNameInSAN.example.com diff --git a/security/manager/ssl/tests/unit/bad_certs/md5signature-expired.pem b/security/manager/ssl/tests/unit/bad_certs/md5signature-expired.pem new file mode 100644 index 0000000000..3f373d09f7 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/md5signature-expired.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDNjCCAh6gAwIBAgIUGUp8qIucVUZ0D+cPoEILDVfteu8wDQYJKoZIhvcNAQEE +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDExMDEwMTAwMDAwMFoYDzIwMTMw +MTAxMDAwMDAwWjAvMS0wKwYDVQQDDCRUZXN0IE1ENVNpZ25hdHVyZS1FeHBpcmVk +IEVuZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo +RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a +dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t +aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n +FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX +Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py +UcQx1QOs2hgKNe2NAgMBAAGjYzBhMCsGA1UdEQQkMCKCIG1kNXNpZ25hdHVyZS1l +eHBpcmVkLmV4YW1wbGUuY29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW +aHR0cDovL2xvY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0BAQQFAAOCAQEAYMtZZk0A +c3xvnK0PSwNxsWidAdOEY5uOKJTPT1LZFUQsNHw/2f7csfDneTeLNoCNKH7LPF3t +J+zwUMzq1Ut0vIRSs5r84P7LK7KaBRrSwWPSnTP90X4VX3IVIQ7dbwTkrlUaRzfs +B4Pqa/p2GVuvrLmbtmd2SDw+52GubJYVOF6u2s4KKgUGhHWtegzQOsVKTFEOoqBr +X3yDEJhK7M82NMiGtq3Fr5F0sLD6DuGL0Mm7ei9junSLS4sH0M+Hac2BVmXwYNTS +ekKzyjmZ1TYRlo2sCgYyYfCLcTOswG7uVHLU+ie0+Dbaik2NcolUgFNnC7Uk3E+t +DhSRNeOtKglSxw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/md5signature-expired.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/md5signature-expired.pem.certspec new file mode 100644 index 0000000000..e4c2b7008d --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/md5signature-expired.pem.certspec @@ -0,0 +1,6 @@ +issuer:Test CA +subject:Test MD5Signature-Expired End-entity +validity:20110101-20130101 +signature:md5WithRSAEncryption +extension:subjectAlternativeName:md5signature-expired.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/md5signature.pem b/security/manager/ssl/tests/unit/bad_certs/md5signature.pem new file mode 100644 index 0000000000..0ea36040d1 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/md5signature.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDLDCCAhSgAwIBAgIUXRKyQjjAU3Ro3Vc/yn+SSF+dGg0wDQYJKoZIhvcNAQEE +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw +MjA0MDAwMDAwWjAtMSswKQYDVQQDDCJUZXN0IEVuZC1lbnRpdHkgd2l0aCBNRDUg +c2lnbmF0dXJlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESO +FtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVr +amRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWka +sdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbY +VbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6n +aOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHE +MdUDrNoYCjXtjQIDAQABo1swWTAjBgNVHREEHDAaghhtZDVzaWduYXR1cmUuZXhh +bXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9j +YWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBBAUAA4IBAQA4ytFoYqUrspwyjDywhwfj +Vs7iV3dix4JOAkCPYJcyaS4MPGnVjTFKmVASZeb4062FCLYFDxNWhfQqFtynMERo +il/XkwYr5A5Jx4gNKRIwFQ1GWN/3pi3O0FaiwxFPn2FJGJkRKtgZNnfLStys7m/i +isU5okcJtvVpZV3mORciYbPyZbNu0iforwyH4BbnmBClYuftlXgBtTrI3zOCFSUd +I7OzdOqSVUiyft23d1qCfb7vPYrI8UheA8/vgKX41OkxwxFrUYBug/AeQ+9AxTUO +pNzKFQ+LlYAk5B2LcdK758BLyH5Jgpl4X2uS7UdJ0P8FVdrL/pFCdQUAAm0yCurj +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/md5signature.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/md5signature.pem.certspec new file mode 100644 index 0000000000..02742d910e --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/md5signature.pem.certspec @@ -0,0 +1,5 @@ +issuer:Test CA +subject:Test End-entity with MD5 signature +signature:md5WithRSAEncryption +extension:subjectAlternativeName:md5signature.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch-expired.pem b/security/manager/ssl/tests/unit/bad_certs/mismatch-expired.pem new file mode 100644 index 0000000000..d5782da2cd --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/mismatch-expired.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDKTCCAhGgAwIBAgIUXWNmi3NOMsq8iBKvohtG0kX2YFIwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDEzMDEwMTAwMDAwMFoYDzIwMTQw +MTAxMDAwMDAwWjArMSkwJwYDVQQDDCBNaXNtYXRjaC1FeHBpcmVkIFRlc3QgRW5k +LWVudGl0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW +Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk +cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT +AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3 +ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh +s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV +A6zaGAo17Y0CAwEAAaNaMFgwIgYDVR0RBBswGYIXZG9lc250bWF0Y2guZXhhbXBs +ZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxo +b3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQCt7JzZlMgD/ZHZobiGxcfE/EPQ +/V405Xu7DGdTJh5cTiFF1h3sQl06BfrCEAo0yhOrpPyMtmhTI+rMyF7PvFWZMQ89 +bk9y4cZ7jG1NEd6B+jlYfD4mFbLR3AbMEbf6QVjYDK29+XnjnhvczT5NPPl8g7rF +6y1FhFcFMTGiGZCOyhCz0nXbG/LpP/alH+WucXRdpMLUQbEXEDzWOq5WJ1ZPS556 +2Ouurfr1mkydAlXCGc5RYPVLRY48CwX2z+kfHRnF4TCb3ck5oOlqabP+bc+HD7EE +UgEEdnE6zpUs1D7s8C8Mp89LUcXx+s51/ZUQvGE4btBMML0lNImwwbqxbv02 +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch-expired.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/mismatch-expired.pem.certspec new file mode 100644 index 0000000000..262f08d6be --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/mismatch-expired.pem.certspec @@ -0,0 +1,5 @@ +issuer:Test CA +subject:Mismatch-Expired Test End-entity +validity:20130101-20140101 +extension:subjectAlternativeName:doesntmatch.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch-notYetValid.pem b/security/manager/ssl/tests/unit/bad_certs/mismatch-notYetValid.pem new file mode 100644 index 0000000000..b70a632693 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/mismatch-notYetValid.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDLzCCAhegAwIBAgIUcYUtGOYg2nrx/OAYr+cxTZVbv34wDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDMzMDEwMTAwMDAwMFoYDzIwMzQw +MTAxMDAwMDAwWjAxMS8wLQYDVQQDDCZNaXNtYXRjaC1Ob3QgWWV0IFZhbGlkIFRl +c3QgRW5kLWVudGl0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqI +UahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvi +r1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/x +fq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD +7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnv +uRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj ++nJRxDHVA6zaGAo17Y0CAwEAAaNaMFgwIgYDVR0RBBswGYIXZG9lc250bWF0Y2gu +ZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8v +bG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQCu5v5Saw0htF59xmKf +CQJ7YI4M/TvuNJjhVdwq5phvEw3k+qweEdpLHERGu4nrzyDTMKqN8kXO6tXUspnh +LpXCvmaDLNxx/UyYofWslqYqFwM4vQ4l5QEUriR1ndMN256ELRSx2cEpWCi9xHMb +1cqB12ulLMCpitmK+NXpflViZy7HliTQOCdwhLPDNWRKsRF85EHOuFzcx4uqfWdw +5zwA0zVOYG21fyY51bhy4oy7HjTWUOrGi/klwzz2TEDTUX6nRHYagrFxO7C1GMlg +pe32InUfLU0rR8G9lP/tSug8HawSH/TCE+63jo2BGWaIYGSd+k11QzU+CsT15+A2 +tbAC +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch-notYetValid.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/mismatch-notYetValid.pem.certspec new file mode 100644 index 0000000000..947eb7d678 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/mismatch-notYetValid.pem.certspec @@ -0,0 +1,5 @@ +issuer:Test CA +subject:Mismatch-Not Yet Valid Test End-entity +validity:20330101-20340101 +extension:subjectAlternativeName:doesntmatch.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted-expired.pem b/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted-expired.pem new file mode 100644 index 0000000000..4902855da5 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted-expired.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDOTCCAiGgAwIBAgIUO1bWrdrsbGfiDSe6i14vOA3vWsIwDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNT3RoZXIgdGVzdCBDQTAiGA8yMDExMDEwMTAwMDAwMFoY +DzIwMTMwMTAxMDAwMDAwWjA1MTMwMQYDVQQDDCpNaXNtYXRjaC1VbnRydXN0ZWQt +RXhwaXJlZCBUZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9 +sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5 +TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7 +xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHd +tMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l +8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjWjBYMCIGA1UdEQQbMBmCF2Rv +ZXNudG1hdGNoLmV4YW1wbGUuY29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw +AYYWaHR0cDovL2xvY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0BAQsFAAOCAQEAlTFY +rHGARngEHz3XEngdY1E3hf2GdITTHssgVRvpW3IvNmUJDhk3zVqvjb2hIVDmxFRv +ad7yCKK7FQum2A1MKZh/Pl7ylWv6vkdtB8HSg9F5qYifyUD/XEjYp3uSrfAXW7Pp +XHZHgBR6nlOB1EpAqrLtpEjxMX6F0fcXClOlWf0UsPLv1M6JvPNns/4tbHBnrhfm +e0DqBMfZIJV7x633eZhpLQmOIA27rZtpElWZsA6Gtenl3szr8mpOgy3hxuEs9oFn +cigHg2ECzaOKM5ayTP0dc2OVbVgUX/2doF8pGHiIKdsThYNLNEOioBZjJhQlreZE +K67bzkMDhLQmMBUMtw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted-expired.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted-expired.pem.certspec new file mode 100644 index 0000000000..adc8ebaf8b --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted-expired.pem.certspec @@ -0,0 +1,5 @@ +issuer:Other test CA +subject:Mismatch-Untrusted-Expired Test End-entity +validity:20110101-20130101 +extension:subjectAlternativeName:doesntmatch.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted.pem b/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted.pem new file mode 100644 index 0000000000..fe9483d1fc --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDMTCCAhmgAwIBAgIUWSSWGPlmqVnzEP84na8sG5jAu1owDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNT3RoZXIgdGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoY +DzIwMjUwMjA0MDAwMDAwWjAtMSswKQYDVQQDDCJNaXNtYXRjaC1VbnRydXN0ZWQg +VGVzdCBFbmQtZW50aXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +uohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGoby +a+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWC +D/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfT +iEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXT +Ce+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+ +SSP6clHEMdUDrNoYCjXtjQIDAQABo1owWDAiBgNVHREEGzAZghdkb2VzbnRtYXRj +aC5leGFtcGxlLmNvbTAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6 +Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJKoZIhvcNAQELBQADggEBACm9SsvbMq2c8TlV +FqDTAp41lfuhUD7xUfknSbfnTYIvxsvZdrKXeMsbOazsMqRrvYZFF3/YKMAzDQb4 +6vxe7rFQ4hbcroV4H1AcztHJ+41jJp8dZ8bTxNpDqapt/B0CokHFK07P87711Zfl +l5V9GV+mGs29xC7RVa6Msr+mRU01FrhXV1nhd7uV7eEEbW9ofc7IW1XwRH3hr5+y +Dme0oJpKsalJwe0PTPOb/GlDyNxlny+g3U/aL6Y4jCld/ZQnspHEuNBzyFwxeQ5n ++xryCStRNr7bre2qVaukp4NCO1u5fObcnRhr7DP0g5huYs0B1DR8kZIRMgQhMMhB +81v6JDM= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted.pem.certspec new file mode 100644 index 0000000000..91c5f548b6 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted.pem.certspec @@ -0,0 +1,4 @@ +issuer:Other test CA +subject:Mismatch-Untrusted Test End-entity +extension:subjectAlternativeName:doesntmatch.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch.pem b/security/manager/ssl/tests/unit/bad_certs/mismatch.pem new file mode 100644 index 0000000000..c47146450e --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/mismatch.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDQDCCAiigAwIBAgIUQV2JoTMOEIIM5xYwpELqDCVJRkwwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw +MjA0MDAwMDAwWjAjMSEwHwYDVQQDDBhNaXNtYXRjaCBUZXN0IEVuZC1lbnRpdHkw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQ +PTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH +9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw +4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86 +exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0 +ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2N +AgMBAAGjeTB3MEEGA1UdEQQ6MDiCF2RvZXNudG1hdGNoLmV4YW1wbGUuY29tgh0q +LmFsc29kb2VzbnRtYXRjaC5leGFtcGxlLmNvbTAyBggrBgEFBQcBAQQmMCQwIgYI +KwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJKoZIhvcNAQELBQAD +ggEBAFOg3UyvJvHDoWN5CU8UDhrtZ0s/tdD01ISQITB+RliAIGGR1r3WkIh3D9ZC +1Yuq34Q8sID8sE7dnjC3Bh7ByzfuGI5HR4dd6bU8zQuoSVdgIBwemYF6j51DLR+0 +UiMaXxqplE0HYV+AtBPTlkw136yg7BX2fxbNAIdYWygAIXiC4H5vkNVte17ERRNg ++B5mYfoIgMHeNENKxpJVLj8+a8GXlyPEELm6LDiHi9PgwqLsFJYulvkqnw/YkbDs +pXPRQe3QxxJBmn+eCw+olXznGskB4a+Vev8bjOjRPmvP67ueKq4w6vSlysk6v/Fs +pDRj8CgZOSD5Mp8lUros1rZ70hk= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/mismatch.pem.certspec new file mode 100644 index 0000000000..b93599fc88 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/mismatch.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test CA +subject:Mismatch Test End-entity +extension:subjectAlternativeName:doesntmatch.example.com,*.alsodoesntmatch.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatchCN.pem b/security/manager/ssl/tests/unit/bad_certs/mismatchCN.pem new file mode 100644 index 0000000000..581579b0fe --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/mismatchCN.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICxDCCAaygAwIBAgIUZ347kXsGUKV+lR7xHw9I9BFHqMMwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw +MjA0MDAwMDAwWjAiMSAwHgYDVQQDDBdkb2VzbnRtYXRjaC5leGFtcGxlLmNvbTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9 +PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3 +HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3Dg +Dw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7 +EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK +lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0C +AwEAATANBgkqhkiG9w0BAQsFAAOCAQEAej9Ob7Spd0OI+lYvy05FPK6Lccbi2xtr +1VtrAaJjlyQhVxa0tWQujVaw9tEJHcYlGFuWHn/Ichbfitljg8ebYvcgktVIoNvb ++UEDEjwuAeTSBiMv82Y3Xrw+c7OA1rNoGrkN1kus2DQvHOPODw6tcFwLH8tlNo0M +MYGKxt3MWIlqZfwqY2VOKQ5T1G7vvoYOeuSFdTBIugNTTai2JFdvRMQxYAZIjjGr +2xLPmVSm3QoMa4tvRN2jZ3AwG970esg2JjqGsLRh5mYDmaB5zIc7FIyi6Fu3Cpf1 +R4nYTlvdoOWhy7IQDaizS9+awvgaykPv/cj27Row0uhW1w3o9TU4mQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatchCN.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/mismatchCN.pem.certspec new file mode 100644 index 0000000000..86ef45b7ce --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/mismatchCN.pem.certspec @@ -0,0 +1,2 @@ +issuer:Test CA +subject:doesntmatch.example.com diff --git a/security/manager/ssl/tests/unit/bad_certs/mitm.pem b/security/manager/ssl/tests/unit/bad_certs/mitm.pem new file mode 100644 index 0000000000..fd1bbd505d --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/mitm.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC+jCCAeKgAwIBAgIUHSDQM3kwDVGSyrMkUz3GteAahK8wDQYJKoZIhvcNAQEL +BQAwGTEXMBUGA1UEAwwOVGVzdCBNSVRNIFJvb3QwIhgPMjAyMjExMjcwMDAwMDBa +GA8yMDI1MDIwNDAwMDAwMFowMDEuMCwGA1UEAwwlVGVzdCBlbmQtZW50aXR5IGlz +c3VlZCBmcm9tIE1JVE0gUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAab +bhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmts +Du0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhI +H6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8 +rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kX +Mbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMfMB0wGwYDVR0RBBQwEoIQbWl0bS5l +eGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEALI7p6ZRaY+QXCcgHuKDI7VHJ +4yKagFtAr/f9f29pSyuq0W/dPj2c57uweDTYJ5fLI+geIWbcU/sSUj2zbQ2FeOKs +hKf1eSALCaG7WqLoxwlPNnsCw9RBlV8v5EC3ERdOr5UaoLO6Xo/A9/LGzmhWW16d +3uuVCrTIc+8mpY1ugbpKTTSiK37R6eDj3u2figOmSpl4A9dAZ5iBpXUGV0wRUcfl +C6HqdswAsr6H3tw0pOlpyXnZ0MG/KXT2JagzLySekrC90N9J8GMK2fLAZTepCvMN +2P+B9rKPFGcJSyUCps0ckurFQOJY8un5SYHHGbEloP70E8vMXlzksNS0soAztQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/mitm.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/mitm.pem.certspec new file mode 100644 index 0000000000..1439391f1b --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/mitm.pem.certspec @@ -0,0 +1,3 @@ +issuer:Test MITM Root +subject:Test end-entity issued from MITM Root +extension:subjectAlternativeName:mitm.example.com diff --git a/security/manager/ssl/tests/unit/bad_certs/noValidNames.pem b/security/manager/ssl/tests/unit/bad_certs/noValidNames.pem new file mode 100644 index 0000000000..46f5d046ae --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/noValidNames.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDAzCCAeugAwIBAgIUK8zS92hcfMsHkZraoQ+cLK06N3wwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw +MjA0MDAwMDAwWjApMScwJQYDVQQDDB5FbmQtZW50aXR5IHdpdGggbm8gdmFsaWQg +bmFtZXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9 +braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI +eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6 +iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za +qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7 +LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs +2hgKNe2NAgMBAAGjNjA0MDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0 +cDovL2xvY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0BAQsFAAOCAQEAi1Ym79kpkRin +XlrNEzJ2WVExGaz+ePMH58KmmdfQjmwe+YQtxlmfwSDOBA6lxyJNr/uMTteFrvry +RQY60iAT8KExXTOdSrsoY91RCFj2a4PLWvNRXhnI2pSWJDGsPHfe2/tJTZpL/Ugw +MhYDLxvXijfq/XD/Lklw2ZaaUuFgSd5NlXCmnN/+OryyKrPk9BYIBTLCNKUosKYx +FpiIUWR8fZAJrTpFKUluXeXPK1YX3Fbne66AxEV1ZkALDY8qiHzhJZEnaVBqeoqn +U4KPiC6/BUxC4eRb6M+lP5AABNs8nCjIiOQ4AaWZ9MqTYK85waAXUqXrw3KB0564 +GO8EUl8zIg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/noValidNames.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/noValidNames.pem.certspec new file mode 100644 index 0000000000..87088e87e5 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/noValidNames.pem.certspec @@ -0,0 +1,3 @@ +issuer:Test CA +subject:End-entity with no valid names +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/notYetValid.pem b/security/manager/ssl/tests/unit/bad_certs/notYetValid.pem new file mode 100644 index 0000000000..79cc10aa68 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/notYetValid.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDJjCCAg6gAwIBAgIUH+AmYB0Pf6g+gBjtVqu94DStb3UwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDMxMDEwMTAwMDAwMFoYDzIwMzIw +MTAxMDAwMDAwWjAoMSYwJAYDVQQDDB1Ob3QgWWV0IFZhbGlkIFRlc3QgRW5kLWVu +dGl0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1u +togGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6 +pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqL +KkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3Zlqq +fgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3sv +Im9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6za +GAo17Y0CAwEAAaNaMFgwIgYDVR0RBBswGYIXbm90eWV0dmFsaWQuZXhhbXBsZS5j +b20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0 +Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQB1xgChilLhS38NJG3FU3vyD8LN3uGV +wgzFB33egzO4s4GkPK5zjGpkyQG0ofYFmlbP8NpVrjKykbhbgusdvsZOknuPBBAJ +jgHDrt5fdT4ah7xlRr+o4KC8RpYOZ8pGy6eoheCZZdNvhV3cDVxYWrkFZbdbtvw9 +YqqgpgiFx/j85ZqFudq/ApdMwcueZWPjmc47Y2fsTtrqO7rVVtX9FrG4O3BWcrVH +5RJpwN5mBsC//zNhhuvaGNWZB3XGNH0wgxEweI+cpfufWHnshJFKoEESJBrdHywz ++kuH3ha9W3JwyorON9M7uduDBdUBsjwjwLpYLd+Saie6X+XjROrGYe8f +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/notYetValid.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/notYetValid.pem.certspec new file mode 100644 index 0000000000..5b60c29ebe --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/notYetValid.pem.certspec @@ -0,0 +1,5 @@ +issuer:Test CA +subject:Not Yet Valid Test End-entity +validity:20310101-20320101 +extension:subjectAlternativeName:notyetvalid.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/notYetValidINT.pem b/security/manager/ssl/tests/unit/bad_certs/notYetValidINT.pem new file mode 100644 index 0000000000..0a111582bf --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/notYetValidINT.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC6zCCAdOgAwIBAgIUW7kXNYkW5OLObAOtdMQ9uL8FHUkwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDMxMDEwMTAwMDAwMFoYDzIwMzMw +MTAxMDAwMDAwWjAqMSgwJgYDVQQDDB9Ob3QgWWV0IFZhbGlkIFRlc3QgSW50ZXJt +ZWRpYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB +/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRx +CHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMC +OosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdm +Wqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGz +ey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUD +rNoYCjXtjQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkq +hkiG9w0BAQsFAAOCAQEAJgm8BvVnIEy9uGjgTxLcNnIoOZeLgQ9CPrNir6RHzGIK +1hIHcNCDdC2mDc9DvyQ8MQPzJvAiMAOvo1v8yHDijC/mmYi6hTGuC6hDxF2YHKXu +8VZZOSMdaE9pkKUQ8sckzKMS+Oxw8EJOV7VeW/WZsSLKSpba0qAioae7wEBMg0QS +0Mp72+l4nMMUG5T/gzea6gy/nGTb0ghV97K1r5jekFNuy1pZZbKun9lLd9KJNmEs +XiJCn2M7Ce3nEhJfaJcDmz9sde4HOlJ/BVLV9ljkOL2cQ3TxdEkLT9/Unp9dmcLo +1sdvWkwimWiKT3XAs6Df64uM4GYl3PqPH5tQmUyPFg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/notYetValidINT.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/notYetValidINT.pem.certspec new file mode 100644 index 0000000000..8a00f2ee23 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/notYetValidINT.pem.certspec @@ -0,0 +1,5 @@ +issuer:Test CA +subject:Not Yet Valid Test Intermediate +validity:20310101-20330101 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/bad_certs/notYetValidIssuer.pem b/security/manager/ssl/tests/unit/bad_certs/notYetValidIssuer.pem new file mode 100644 index 0000000000..b6623c88d3 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/notYetValidIssuer.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDUDCCAjigAwIBAgIUVZUbrAFbzxSCx0uW6PP7Mrnc0CMwDQYJKoZIhvcNAQEL +BQAwKjEoMCYGA1UEAwwfTm90IFlldCBWYWxpZCBUZXN0IEludGVybWVkaWF0ZTAi +GA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjA0MTIwMAYDVQQDDClU +ZXN0IEVuZC1lbnRpdHkgd2l0aCBub3QgeWV0IHZhbGlkIGlzc3VlcjCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1 +SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+ +zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYL +K7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwc +bJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibW +JZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNg +MF4wKAYDVR0RBCEwH4Idbm90eWV0dmFsaWRpc3N1ZXIuZXhhbXBsZS5jb20wMgYI +KwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0Ojg4ODgv +MA0GCSqGSIb3DQEBCwUAA4IBAQB7ytlByUBPoXEjVgftcrVKa9aYw0IhEenGR7Fb +RI5cNxEwvZzznMKJY9+6GgnW5ZWgP4cQtcwcN76ZwffT6KqgzW8HXe9qgtrvO1s+ +m1nF9QONhnds3UF6rlnDXEh1ijQT4bdZFN7DYdOYB5Dogz64m7xNPjauf3GxjoJQ +Wvo4kITUT7ZozHKYkFNClBhAreHGKKXTYSPNR4WaYk68Bm5cpzag8JyqvomVVIG5 +jLEHgcs45huQu3C0X8S1Zhyuq473eu6dcD0siZANfLAL7BqfEziy2rEl/yi+fiBO +gIQUK5vENXhkKpklKh5/kKcoHvFRHxizzzs8kzFULyKguB2/ +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/notYetValidIssuer.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/notYetValidIssuer.pem.certspec new file mode 100644 index 0000000000..d8420898e7 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/notYetValidIssuer.pem.certspec @@ -0,0 +1,4 @@ +issuer:Not Yet Valid Test Intermediate +subject:Test End-entity with not yet valid issuer +extension:subjectAlternativeName:notyetvalidissuer.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCritical.pem b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCritical.pem new file mode 100644 index 0000000000..f4443200c3 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCritical.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIC/zCCAeegAwIBAgIUDSf/lOOZ4V0Gb58AN+U6PKy62ewwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw +MjA0MDAwMDAwWjAeMRwwGgYDVQQDDBNuc0NlcnRUeXBlIENyaXRpY2FsMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq +5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc +An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39 +ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk +zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u +JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB +oz0wOzAjBgNVHREEHDAagglsb2NhbGhvc3SCDSouZXhhbXBsZS5jb20wFAYJYIZI +AYb4QgEBAQH/BAQDAgZAMA0GCSqGSIb3DQEBCwUAA4IBAQBrmPjEIYc0sjzfJWQK +Qr+PTBzyfm1c18ekTdfRlxodCEiFdQGTgpjBRfNTj4jx/6UUgt8qE7HGZaWBa92G +wn3+SAIgpXKlFPUgcsCLIHKkkidiAvG7I2NuwKFW6Ds7CC+rYb1+dGIsGwWoEUKs +q3MAMnN/WaVytbXmGJOn7JuylT4tg/v194aaod1CASFbW/NeXfD+4qihfdxD1uFS +3+555cnftKaJknQ6UJg9HjmJHt6dIzwNJmakC45j9S7NLRCeqirSo+xyQhyWv/MJ +CGC6CLowsYAFhaYcXiZHKoqqdJFvbzIoindgbrL/WJlrs5KAj7NfOT+6Z1urM8DV +C+yD +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCritical.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCritical.pem.certspec new file mode 100644 index 0000000000..b236bdea47 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCritical.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test CA +subject:nsCertType Critical +extension:subjectAlternativeName:localhost,*.example.com +extension:nsCertType[critical]:sslServer diff --git a/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCriticalWithExtKeyUsage.pem b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCriticalWithExtKeyUsage.pem new file mode 100644 index 0000000000..1dc16fce4c --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCriticalWithExtKeyUsage.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDMDCCAhigAwIBAgIUMX3oAhLN9HzYX/0s5uMASiDn0cEwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw +MjA0MDAwMDAwWjAvMS0wKwYDVQQDDCRuc0NlcnRUeXBlIENyaXRpY2FsIFdpdGgg +ZXh0S2V5VXNhZ2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo +RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a +dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t +aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n +FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX +Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py +UcQx1QOs2hgKNe2NAgMBAAGjXTBbMCMGA1UdEQQcMBqCCWxvY2FsaG9zdIINKi5l +eGFtcGxlLmNvbTAUBglghkgBhvhCAQEBAf8EBAMCBkAwCQYDVR0TBAIwADATBgNV +HSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEAocIgdBUfN8SorCuR +vKmCZXPIJmN+0p4Rnnej9gPQ+IA3IbZNTabH6Fhxp0oykrqL0pelVqtG7YHBDiUU +z2zOTXn80JaAn5JYao0nX5G9z7RokUNUrbZEDzXZASLa+qmdp2WrWR8QbuvtnCTP +jlWoLeRYQI3jkexfj2Pnvf2O5RqZiYNcDu4qtZq7Eo5HcmMC3EHuMzBqXpz2odev +qo2QxFXv82YLq93BiblDrNNTDowlh7U01h317XITFpfQM760aGyk1aD6tIwonH6S +yMwuySzR6N2s9Y2RWGWXa/cGpLX9QYrTDAkxtx7xRp1Hs+k+WzppeyGqh3iGDY/i +UB7D5w== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCriticalWithExtKeyUsage.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCriticalWithExtKeyUsage.pem.certspec new file mode 100644 index 0000000000..0ae63e20f2 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCriticalWithExtKeyUsage.pem.certspec @@ -0,0 +1,6 @@ +issuer:Test CA +subject:nsCertType Critical With extKeyUsage +extension:subjectAlternativeName:localhost,*.example.com +extension:nsCertType[critical]:sslServer +extension:basicConstraints:, +extension:extKeyUsage:serverAuth diff --git a/security/manager/ssl/tests/unit/bad_certs/nsCertTypeNotCritical.pem b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeNotCritical.pem new file mode 100644 index 0000000000..e9bfb4e163 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeNotCritical.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDADCCAeigAwIBAgIUBXr5v2qiHAIVr8pYXkv4ye0vM1owDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw +MjA0MDAwMDAwWjAiMSAwHgYDVQQDDBduc0NlcnRUeXBlIE5vdCBDcml0aWNhbDCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9 +PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3 +HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3Dg +Dw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7 +EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK +lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0C +AwEAAaM6MDgwIwYDVR0RBBwwGoIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tMBEG +CWCGSAGG+EIBAQQEAwIGQDANBgkqhkiG9w0BAQsFAAOCAQEADrpPjAg6e7Y8viSh +lreRTbaDtyArZ9OoUi5ZmaXgNQ+LaiE06dYBVIhMKAWG8Z0Sn7Hyy2PEzmoPbmbJ +69vIMQnQoyV/HwPBRNpjHOqLrTKMKq0NqvUXjRhlgwNxAFRyZipMZWXc1dLnJ8ds +I+tviCJQ8RDXQplqNX6rkpkEVu5GF6DR6Cu1VkrUCPQFuQA9Gb/ypwP5PLZzm0O5 +plo19+FTfwALxx1rMf1jUf7DxLNmyuvzV+QI/nl8ZKSuSRYzKsaDRu7EBA3jmAfs +lKY4e+Z942WzAdpQuVTYXr3kTkYnAXzJKAm3/LRywjFIa7VubWW+QP6g6X4egJJt +tDaTNQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/nsCertTypeNotCritical.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeNotCritical.pem.certspec new file mode 100644 index 0000000000..a44a1feeef --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeNotCritical.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test CA +subject:nsCertType Not Critical +extension:subjectAlternativeName:localhost,*.example.com +extension:nsCertType:sslServer diff --git a/security/manager/ssl/tests/unit/bad_certs/other-issuer-ee.pem b/security/manager/ssl/tests/unit/bad_certs/other-issuer-ee.pem new file mode 100644 index 0000000000..0800392546 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/other-issuer-ee.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDfzCCAmegAwIBAgIUD6kl6/p1UXrkOAxhdpHbYa+B+oQwDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNT3RoZXIgdGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoY +DzIwMjUwMjA0MDAwMDAwWjAnMSUwIwYDVQQDDBxXcm9uZyBDQSBQaW4gVGVzdCBF +bmQtRW50aXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwXXGUmYJ +n3cIKmeR8bh2w39c5TiwbErNIrHL1G+mWtoq3UHIwkmKxKOzwfYUh/QbaYlBvYCl +HDwSAkTFhKTESDMF5ROMAQbPCL6ahidguuai6PNvI8XZgxO53683g0XazlHU1tzS +pss8xwbrzTBw7JjM5AqlkdcpWn9xxb5maR0rLf7ISURZC8Wj6kn9k7HXU0BfF3N2 +mZWGZiVHl+1CaQiICBFCIGmYikP+5Izmh4HdIramnNKDdRMfkysSjOKG+n0lHAYq +0n7wFvGHzdVOgys1uJMPdLqQqovHYWckKrH9bWIUDRjEwLjGj8N0hFcyStfehuZV +Lx0eGR1xIWjTuwIDAQABo4GtMIGqMHQGA1UdEQRtMGuCKCouaW5jbHVkZS1zdWJk +b21haW5zLnBpbm5pbmcuZXhhbXBsZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5z +LnBpbm5pbmcuZXhhbXBsZS5jb22CFSoucGlubmluZy5leGFtcGxlLmNvbTAyBggr +BgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8w +DQYJKoZIhvcNAQELBQADggEBAErLSH+7N6ftHfZ87G+BinL+g4W8LNUEVzdqYqjy +yz+QePPG61tK81VZbfVjZmpBri1W3Xlexd0r7I1q8HWixc3r9qzQoUFnAdl1pdy+ +sGQZEV4ltMeVHFUBIM7J23556k+PFNvi98JhHanLiJl9xVbxikXHbpRYBGws+DaX +8fp3Ube23AOtg+OXKWTF8bR9ogk60S7gzyqr3g6UbaGmB1q8w0rqYy2UhtOxkFws +KyIAECe2zEqmQPPmGxc7wziTk/4BrWGhciVUN5OVoEByQZRe0X5DvVA8qdGqKNn7 +7+DxbRh2DAHbkgTMb8r/EVoWD/tH5k+Q9GeWjvHQFmijDO8= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/other-issuer-ee.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/other-issuer-ee.pem.certspec new file mode 100644 index 0000000000..a905a66ac2 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/other-issuer-ee.pem.certspec @@ -0,0 +1,6 @@ +issuer:Other test CA +subject:Wrong CA Pin Test End-Entity +issuerKey:alternate +subjectKey:alternate +extension:subjectAlternativeName:*.include-subdomains.pinning.example.com,*.exclude-subdomains.pinning.example.com,*.pinning.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/other-test-ca.key b/security/manager/ssl/tests/unit/bad_certs/other-test-ca.key new file mode 100644 index 0000000000..abde350c28 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/other-test-ca.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDBdcZSZgmfdwgq +Z5HxuHbDf1zlOLBsSs0iscvUb6Za2irdQcjCSYrEo7PB9hSH9BtpiUG9gKUcPBIC +RMWEpMRIMwXlE4wBBs8IvpqGJ2C65qLo828jxdmDE7nfrzeDRdrOUdTW3NKmyzzH +BuvNMHDsmMzkCqWR1ylaf3HFvmZpHSst/shJRFkLxaPqSf2TsddTQF8Xc3aZlYZm +JUeX7UJpCIgIEUIgaZiKQ/7kjOaHgd0itqac0oN1Ex+TKxKM4ob6fSUcBirSfvAW +8YfN1U6DKzW4kw90upCqi8dhZyQqsf1tYhQNGMTAuMaPw3SEVzJK196G5lUvHR4Z +HXEhaNO7AgMBAAECggEAfj9tfLg572auXX3ZL/VBC7NB3BRyjTkDRXDho3B5DzDw +aBNV//QeKtTpqdn86/vRJ736uMAK/7Hzzqcyfq1HqhYh8qwe4UygLwSzsnhgF5gL +GBpEnQOwPmnRErg1ceVUNPASBWV10oMu1nMdznmeN8g/bVHFWrcetYAVrwXhrxXH +R2A+9/J9A6b/BJ2Wu/hUweTlDvWwWND7CBgOCsf3vo8v8Wc9l/yeVduoOAd7v4p8 +/ylihXeFJpzZ1brStXRp5K/NM8TKLS9pnxHnyPvc1ITwjY77ijy4qXLrJL7Zcu+q +5LtxIJPkj+lKRutimodQeMQCGposk8mnA5Dp0KVEAQKBgQDmP8clprp2klp/+MtZ +xPVt1+yD/oW/H1PhHKyagSWLz8CugZB3sPLRR3qvho3mqOy+r3uyKxlvKprYLTKG +8NDMKd5xnl8r6OUJtyhNWWPt02L5J4h6TEqJeZ00DVGzAax2AasnF5Ak/KrdOL9l +Iq9j6xZGHsAqfyewb+Cd3afAoQKBgQDXGLH+n4+Z8A6DKuH73G/iqyfzTgScSYAQ ++g63CEhSGCNGCDtclsPu5VksAUpBDGuTCxZcE7XCaqMurG58klqFUcJRNPL0pyxk +IfGacxSKDt+rpdOmiIs1y6GMAP047lqvC1RXMdcgdhu8ze50SlLKQV6Y5N4Bzf52 +TBlns+jK2wKBgAHlrKJmyUqI0i4TwrkuokcRbGV6B2gXvf0w20s6nTCVuaS2dJZH +4vhOenhPx4OLCMhZcc96A2+jDjuRw8TQ3yePgMG26FnYRWrbE33vqp8fCsW6yakY +T9TqJ51yLqYm8WDXiq17yDhFzLKd8RXIP2G3YiuZvUOcYJtXkKY8WVGBAoGBAIDM +RdENJITuDRKX/Ae/gLO+/0Yeon4fOPNxeJw69mtKDt0hksIneR208cd64ka/NC8x +hWsPVlgbWKlbETHAxTltsqjDxvOeouM2vCBa5qKgs2hp/KmMu6czzwExmm+bsmt8 +oj0wF/xVHNjaiv3Rf2+i4w00hoeYHNYjTVcekLffAoGAb3fAwfKuesFpVhzKSZxS +vfvgTN3M29wSrsWoVpHoWUt+4pkI8w57lqpiVLgO1K7sm5k3gr38ebadjVjGiHD6 +S+G8DDUnKIxcgrtK668V7f8RBAP8eOas5qgoJ79C8M+nUeUHZRxWONuTk90j3R9r +KVFR3kS3f+Vaew3yceGaZcA= +-----END PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/bad_certs/other-test-ca.key.keyspec b/security/manager/ssl/tests/unit/bad_certs/other-test-ca.key.keyspec new file mode 100644 index 0000000000..cbd5f309c0 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/other-test-ca.key.keyspec @@ -0,0 +1 @@ +alternate diff --git a/security/manager/ssl/tests/unit/bad_certs/other-test-ca.pem b/security/manager/ssl/tests/unit/bad_certs/other-test-ca.pem new file mode 100644 index 0000000000..a2e264030a --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/other-test-ca.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC3zCCAcegAwIBAgIURym6o+VN9xgZXT/QLrvN/nv1ZN4wDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNT3RoZXIgdGVzdCBDQTAiGA8yMDE1MDEwMTAwMDAwMFoY +DzIwMjUwMTAxMDAwMDAwWjAYMRYwFAYDVQQDDA1PdGhlciB0ZXN0IENBMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwXXGUmYJn3cIKmeR8bh2w39c5Tiw +bErNIrHL1G+mWtoq3UHIwkmKxKOzwfYUh/QbaYlBvYClHDwSAkTFhKTESDMF5ROM +AQbPCL6ahidguuai6PNvI8XZgxO53683g0XazlHU1tzSpss8xwbrzTBw7JjM5Aql +kdcpWn9xxb5maR0rLf7ISURZC8Wj6kn9k7HXU0BfF3N2mZWGZiVHl+1CaQiICBFC +IGmYikP+5Izmh4HdIramnNKDdRMfkysSjOKG+n0lHAYq0n7wFvGHzdVOgys1uJMP +dLqQqovHYWckKrH9bWIUDRjEwLjGj8N0hFcyStfehuZVLx0eGR1xIWjTuwIDAQAB +ox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOC +AQEAtXplrvls6HSbbibpzfGxOPmSuh2TH05bE4vQk+d7Kz6EOAFvgTiZbLwTxbrQ +gfrM05t+67C2nAeiwAtW34nUnu6S8MYA6mJjURWICbl7cAvCHuNjg1atVr6f1Y+9 +VFFG6aUibw3bzKneREmDEVcxlEWUaMvv/JjfyMA5veSyX6iTJYkIBrEiVV5Alzg5 +yVHBi6+tpuJDO/YLlG8kmfzkYeJkTyAGx1EJ2yQHim7R232638yb0KrhS4zKsfFU +egHhM4c+MpiCLc9q2EgblbYGx5GM+2leuzXunj1KPClHFrnmkRRm3rcESG2pK9RN +/48Nd38VNofRojEbzDSCdOFmow== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/other-test-ca.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/other-test-ca.pem.certspec new file mode 100644 index 0000000000..3bc975aa22 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/other-test-ca.pem.certspec @@ -0,0 +1,7 @@ +issuer:Other test CA +subject:Other test CA +issuerKey:alternate +subjectKey:alternate +validity:20150101-20250101 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/bad_certs/self-signed-EE-with-cA-true.pem b/security/manager/ssl/tests/unit/bad_certs/self-signed-EE-with-cA-true.pem new file mode 100644 index 0000000000..93c9f2b7b8 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/self-signed-EE-with-cA-true.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDeTCCAmGgAwIBAgIUfQsw0KaNy/+nFopuWJ+eEKJSw4QwDQYJKoZIhvcNAQEL +BQAwMzExMC8GA1UEAwwoVGVzdCBTZWxmLXNpZ25lZCBFbmQtZW50aXR5IHdpdGgg +Q0EgdHJ1ZTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAzMTEw +LwYDVQQDDChUZXN0IFNlbGYtc2lnbmVkIEVuZC1lbnRpdHkgd2l0aCBDQSB0cnVl +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2 +ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdF +h/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6n +cOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAv +OnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2nj +tIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXt +jQIDAQABo4GAMH4wDAYDVR0TBAUwAwEB/zAyBggrBgEFBQcBAQQmMCQwIgYIKwYB +BQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wOgYDVR0RBDMwMYIvc2VsZi1z +aWduZWQtZW5kLWVudGl0eS13aXRoLWNBLXRydWUuZXhhbXBsZS5jb20wDQYJKoZI +hvcNAQELBQADggEBAFtRAr+7ZMSCq6UBxDOil0vEPuaTHs+Jc7NlcBSnaOF7mxNV +fgSzqNuhPm9FSORyVl3PT/JG8i5bAbOUgYgylKijTQwjeA0crDs0CWIbFkxCU1MB +3x2audEKq/LYhDk/6n6w8P8gYk+jpcYdgysF6B6iikopLnvo5tqQe/zOqVAR2glD +wzwT7XfC8v7lqUjFIT5838CecYkcMnmj+Edsd7PWC9EZddx47web0Ovo1slNX414 +3jAfEj37mHP71kFghKl1ReqWo9XZcjMsJeYyIOQroKx+Lqu5F2Nd0fO16ht2jw4E +uPoT3pX7+dHGg61S0HGuBEuBz03wQGjW9L5oBdo= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/self-signed-EE-with-cA-true.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/self-signed-EE-with-cA-true.pem.certspec new file mode 100644 index 0000000000..0ca92d7fd1 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/self-signed-EE-with-cA-true.pem.certspec @@ -0,0 +1,5 @@ +issuer:Test Self-signed End-entity with CA true +subject:Test Self-signed End-entity with CA true +extension:basicConstraints:cA, +extension:authorityInformationAccess:http://localhost:8888/ +extension:subjectAlternativeName:self-signed-end-entity-with-cA-true.example.com diff --git a/security/manager/ssl/tests/unit/bad_certs/selfsigned-inadequateEKU.pem b/security/manager/ssl/tests/unit/bad_certs/selfsigned-inadequateEKU.pem new file mode 100644 index 0000000000..3bbcce4046 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/selfsigned-inadequateEKU.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDhzCCAm+gAwIBAgIUSQmAnLg5f7XHJpXMHGoQVthOx7AwDQYJKoZIhvcNAQEL +BQAwNTEzMDEGA1UEAwwqU2VsZi1zaWduZWQgSW5hZGVxdWF0ZSBFS1UgVGVzdCBF +bmQtZW50aXR5MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMDUx +MzAxBgNVBAMMKlNlbGYtc2lnbmVkIEluYWRlcXVhdGUgRUtVIFRlc3QgRW5kLWVu +dGl0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1u +togGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6 +pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqL +KkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3Zlqq +fgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3sv +Im9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6za +GAo17Y0CAwEAAaOBijCBhzALBgNVHQ8EBAMCBDAwEwYDVR0lBAwwCgYIKwYBBQUH +AwEwLwYDVR0RBCgwJoIkc2VsZnNpZ25lZC1pbmFkZXF1YXRlRUtVLmV4YW1wbGUu +Y29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9z +dDo4ODg4LzANBgkqhkiG9w0BAQsFAAOCAQEARyCZt6R4Gd4XDq4rARZJAKicReWt +4XBbZZpJKtuG3qyGfWT4dUHITywT8FtJ95ZBqQi8hbtQl/PUiPHJPweqARxQJYRh +bW46XMD50EYwwfXaauGHRDwgyI7f1LLf974noLxOMffT2P77DvRgyJvr+PRFhVa3 +gppOcosxRK1qpeTucDLZP9P01SNWFMn7KNPLYvgQnUQismn+IaWoAwe3FIjBBzfx +a/BqntkJ6Qwf4+5mzX2EpTHvHNtS4BbExGIFUS+z3pgJSPSgt/YGEMf1w/uw+/j2 +L/IMcLZEVy4L5Czniv+654xQw9JdZFJGBIbq7FJGgWOBfrTwGMzklfl1sQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/selfsigned-inadequateEKU.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/selfsigned-inadequateEKU.pem.certspec new file mode 100644 index 0000000000..477b90ce14 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/selfsigned-inadequateEKU.pem.certspec @@ -0,0 +1,6 @@ +issuer:Self-signed Inadequate EKU Test End-entity +subject:Self-signed Inadequate EKU Test End-entity +extension:keyUsage:keyEncipherment,dataEncipherment +extension:extKeyUsage:serverAuth +extension:subjectAlternativeName:selfsigned-inadequateEKU.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/selfsigned.pem b/security/manager/ssl/tests/unit/bad_certs/selfsigned.pem new file mode 100644 index 0000000000..32fd470ccd --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/selfsigned.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDNzCCAh+gAwIBAgIUGZ2ix8Hh3MVHJ9kcaWmxnkd38XQwDQYJKoZIhvcNAQEL +BQAwJjEkMCIGA1UEAwwbU2VsZi1zaWduZWQgVGVzdCBFbmQtZW50aXR5MCIYDzIw +MjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMCYxJDAiBgNVBAMMG1NlbGYt +c2lnbmVkIFRlc3QgRW5kLWVudGl0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72x +nAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lM +wmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF +4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20 +yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xx +j5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNZMFcwIQYDVR0RBBowGIIWc2Vs +ZnNpZ25lZC5leGFtcGxlLmNvbTAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGG +Fmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJKoZIhvcNAQELBQADggEBAC/9ZxxK +Vx6csyDDJ+V37GyDRvbeU6Au6ZKnHqwx8+FONm1VWxFwU4o6uu4T4uBhhIXu/e+y +WXPDRIpbhF+nPEZm1if9Ay02SbvLUf7FX9oI+Xls/53aF3HhYiCF3n2GZisWGHqH +QqNHtlFg1cw44Jq8v2DXaLWO3vuEbdE+r2dvg6yIR0I6qp6H9e32S/SAqt8dFr/p +t80RiP5cur6VHKwmBDK7qmnVzuSu1q2LMhPqoQ8eLvyh/jtDVxZhFcpC/9rCI6nR +jjVFxnq8nYlBKd/wcvYgCFBXPiqpga9454vttE4tFrOfYIoPb9Ir9MfY0zV7CG/m +NDPuAIgMwfzxm1E= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/selfsigned.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/selfsigned.pem.certspec new file mode 100644 index 0000000000..99a814be17 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/selfsigned.pem.certspec @@ -0,0 +1,4 @@ +issuer:Self-signed Test End-entity +subject:Self-signed Test End-entity +extension:subjectAlternativeName:selfsigned.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/test-ca.pem b/security/manager/ssl/tests/unit/bad_certs/test-ca.pem new file mode 100644 index 0000000000..fcbb0fcb29 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/test-ca.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC0zCCAbugAwIBAgIUP6dLBbQh604kiwoRPLpqmHj72UQwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw +MjA0MDAwMDAwWjASMRAwDgYDVQQDDAdUZXN0IENBMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRME +BTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAP1Cj8YbMVIjc +8gaNVwru/NzEZsKjsxt6Iv0iWtHgexzoZnj82GzzgpnEtNz8bfTQvaImdkCHXYoV +wt7BY9ocZBacAPB3QMKF4prgkxwfD+ub6ckbf61o9Vq2aCZdFqO6ef3ji5dkWYBb +zfuQhmVU3RIvl09ajs4PPDmYp3ebiax2xVcBlP+fuDAeRX5y60yJf6eyNCVbC3M6 +OilriARv855NdhLWagwGX24+dP70HZUvISi/xSW+DNHWndqf1DcCnLreFEDq8F80 +hMCFsmJJEu0uqVFGQfItYlywBC0DJ3EU6votzgMuNa4rGBrMUJnHhzoEE0ISnrWk +iAobTR3jsQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/test-ca.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/test-ca.pem.certspec new file mode 100644 index 0000000000..5d2435d7bb --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/test-ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test CA +subject:Test CA +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/bad_certs/test-int.pem b/security/manager/ssl/tests/unit/bad_certs/test-int.pem new file mode 100644 index 0000000000..08249b863e --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/test-int.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC3TCCAcWgAwIBAgIUa0X7/7DlTaedpgrIJg25iBPOkIMwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE1MDEwMTAwMDAwMFoYDzIwMjUw +MTAxMDAwMDAwWjAcMRowGAYDVQQDDBFUZXN0IEludGVybWVkaWF0ZTCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1 +SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+ +zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYL +K7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwc +bJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibW +JZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMd +MBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEB +AILNZM9yT9ylMpjyi0tXaDORzpHiJ8vEoVKk98bC2BQF0kMEEB547p+Ms8zdJY00 +Bxe9qigT8rQwKprXq5RvgIZ32QLn/yMPiCp/e6zBdsx77TkfmnSnxvPi+0nlA+eM +8JYN0UST4vWD4vPPX9GgZDVoGQTiF3hUivJ5R8sHb/ozcSukMKQQ22+AIU7w6wyA +IbCAG7Pab4k2XFAeEnUZsl9fCym5jsPN9Pnv9rlBi6h8shHw1R2ROXjgxubjiMr3 +B456vFTJImLJjyA1iTSlr/+VXGUYg6Z0/HYnsO00+8xUKM71dPxGAfIFNaSscpyk +rGFLvocT/kym6r8galxCJUo= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/test-int.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/test-int.pem.certspec new file mode 100644 index 0000000000..33b42c2f41 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/test-int.pem.certspec @@ -0,0 +1,5 @@ +issuer:Test CA +subject:Test Intermediate +validity:20150101-20250101 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/bad_certs/unknownissuer.pem b/security/manager/ssl/tests/unit/bad_certs/unknownissuer.pem new file mode 100644 index 0000000000..377ecbbbdc --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/unknownissuer.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDqTCCApGgAwIBAgIUMxuPzWMHzKzQQwd8E1ijpVtpcH4wDQYJKoZIhvcNAQEL +BQAwJjEkMCIGA1UEAwwbVGVzdCBJbnRlcm1lZGlhdGUgdG8gZGVsZXRlMCIYDzIw +MjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMC4xLDAqBgNVBAMMI1Rlc3Qg +RW5kLWVudGl0eSBmcm9tIHVua25vd24gaXNzdWVyMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4HCMIG/MIGIBgNV +HREEgYAwfoIZdW5rbm93bmlzc3Vlci5leGFtcGxlLmNvbYI0dW5rbm93bmlzc3Vl +ci5pbmNsdWRlLXN1YmRvbWFpbnMucGlubmluZy5leGFtcGxlLmNvbYIrdW5rbm93 +bmlzc3Vlci50ZXN0LW1vZGUucGlubmluZy5leGFtcGxlLmNvbTAyBggrBgEFBQcB +AQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJKoZI +hvcNAQELBQADggEBAGculg20nonBLeYKqiSmjpxTvwZ9RwB/nuFIb9oC1SnKOIzs +SuYKcYNIiFz744TuNus+1ueSQV3AWXqj4wDdCS1C+Fx/tQ80Omk0B3JeViHiFEiR +WDA0U0iYEwmsdMaAVor6JD1TGkCeYvO4g/jOv0B9X/vDi238jX/fdC0KihL8JD80 +aq59kCMglwRBwKYwz1kNxEA79ePrqZT533uQabX/Ll+K/BwBfbWV9+hhK4uYC/o0 +kGszNAyf6R6CU2UwDu+Pn4y+9HLcmiKvuzr4B6sHr64zPjC0Z9Nao/5oI6XqUvTT +JLCvPwlTfU/hsrF00pJj0lnPR0KMfvKRXWbZmzs= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/unknownissuer.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/unknownissuer.pem.certspec new file mode 100644 index 0000000000..a735c730ca --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/unknownissuer.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test Intermediate to delete +subject:Test End-entity from unknown issuer +extension:subjectAlternativeName:unknownissuer.example.com,unknownissuer.include-subdomains.pinning.example.com,unknownissuer.test-mode.pinning.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/untrusted-expired.pem b/security/manager/ssl/tests/unit/bad_certs/untrusted-expired.pem new file mode 100644 index 0000000000..921d14583f --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/untrusted-expired.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDNjCCAh6gAwIBAgIUGTh5myT/JfbNsso9a1ZhGr8B11gwDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNT3RoZXIgdGVzdCBDQTAiGA8yMDExMDEwMTAwMDAwMFoY +DzIwMTMwMTAxMDAwMDAwWjAsMSowKAYDVQQDDCFVbnRydXN0ZWQtRXhwaXJlZCBU +ZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6 +iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr +4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP +8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OI +Q+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ +77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5J +I/pyUcQx1QOs2hgKNe2NAgMBAAGjYDBeMCgGA1UdEQQhMB+CHXVudHJ1c3RlZC1l +eHBpcmVkLmV4YW1wbGUuY29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW +aHR0cDovL2xvY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0BAQsFAAOCAQEAMktkDNyd +MHFk4K4dcOfi0McOkxvdZW6/Nqts51scx8A3q8sT5pdW3ftBjvN7O+3c1cNGoThG +9SA6uLDV2NT2EQp65yxMZe8j1OHX3qybqZ/RVY5r7VHF4JDsPHHXsgew5+CRGraj +MTIFUqmgAYLMcv74vB0OLIt3JL4XnHVP7atULMLJrOP8QUmkUhZ49MDqyslN0i6w +X7KwhdM00+JKadqUFqOAfhacMHsH5ErsQ3LXrQRMJiFoaVbElMy9e/jJmY7rg4pw +0EMnkt+Vj650FkWsCnLndBia+6z+81L4EZ7uwBeeks2fYhXt85qqkuzmZq2T2diu +ArcEblKIbUYlVg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/untrusted-expired.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/untrusted-expired.pem.certspec new file mode 100644 index 0000000000..3efd1ce677 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/untrusted-expired.pem.certspec @@ -0,0 +1,5 @@ +issuer:Other test CA +subject:Untrusted-Expired Test End-entity +validity:20110101-20130101 +extension:subjectAlternativeName:untrusted-expired.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/untrustedissuer.pem b/security/manager/ssl/tests/unit/bad_certs/untrustedissuer.pem new file mode 100644 index 0000000000..6eda8824a1 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/untrustedissuer.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDODCCAiCgAwIBAgIUBe5wWr83A+8lSC5HkQNZYb72bQEwDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNT3RoZXIgdGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoY +DzIwMjUwMjA0MDAwMDAwWjAwMS4wLAYDVQQDDCVUZXN0IEVuZC1lbnRpdHkgd2l0 +aCB1bnRydXN0ZWQgaXNzdWVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptu +Gobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO +7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgf +qDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/yt +HSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcx +uLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo14wXDAmBgNVHREEHzAdght1bnRydXN0 +ZWRpc3N1ZXIuZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzAB +hhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQBn159y +BlQmPzzd33Rc8xiLFgS2uaHl2952Il/ab1DueGEsNVlMqFcfU1sQAMmDWIVJaDCg +FQj+HCFy/oKEepWAi3JarAHdJyQ9yYOHJ8BQ4XZ1pUynYlqM50Xki6uy6h3Z2qi0 +20vT4OdDjJ+9O9KZtPGpJ0l8RcA5Ej4bJysMZMaMvw08bD8tUwYpTmWjjuIWCZiC +RmbbDs5rxlwm3bvcrDosoyI0N0H1e8dMRUu4ekhHn8BxenkWkEDhuvAUgwkVndLU +hgoEhqz4MF/96z1Q4PbfgHs/TTtxJtk5pwuUhslbmwBnIcetde/BtYVrYvnpJeOJ +tA19xaSpeQEm4Igh +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/untrustedissuer.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/untrustedissuer.pem.certspec new file mode 100644 index 0000000000..5ba0bc2535 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/untrustedissuer.pem.certspec @@ -0,0 +1,4 @@ +issuer:Other test CA +subject:Test End-entity with untrusted issuer +extension:subjectAlternativeName:untrustedissuer.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/v1Cert.pem b/security/manager/ssl/tests/unit/bad_certs/v1Cert.pem new file mode 100644 index 0000000000..36296ac616 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/v1Cert.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICrzCCAZcCFG/3/opLWM4t4VPXRjmVR1GM24sGMA0GCSqGSIb3DQEBCwUAMBIx +EDAOBgNVBAMMB1Rlc3QgQ0EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowEjEQMA4GA1UEAwwHVjEgQ2VydDCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODY +H72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk +27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A9 +0jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMM +kd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaL +L+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0BAQsFAAOC +AQEASPsKZ/FaOpFAgLjGCbqV7MYimvQMcubQHuNle+X1Qv97rqW9pr0ojrAWydkL +b/gYs/SMpBy8JBlR5cnaHuh4BpSyGX2qj5MW+dE/EptcpxegjGGdS/194FRtGjE0 +xAk0niJFgCvt2v6lE24EeZmDecYhchO/HY+OzuNk8ogze+W3YBJDfR0qrBglOW6+ +hPfxtxWs85zwKr3/prtUD8IiAnhCy0uu/FR8x0qelH2VpS7tsDKtwSdcc3uCtoup +gshHVQz3HMt8WZ6d5SIUZpZcbXmoYqmsKOQMYm2+AM+FKEFl0rU05EudOqL4q0sn +nNjDkuOBdXNt4WzEniGIChWzRw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/v1Cert.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/v1Cert.pem.certspec new file mode 100644 index 0000000000..7824630bbc --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/v1Cert.pem.certspec @@ -0,0 +1,3 @@ +issuer:Test CA +subject:V1 Cert +version:1 diff --git a/security/manager/ssl/tests/unit/corrupted_crlite_helper.js b/security/manager/ssl/tests/unit/corrupted_crlite_helper.js new file mode 100644 index 0000000000..2587c5dad9 --- /dev/null +++ b/security/manager/ssl/tests/unit/corrupted_crlite_helper.js @@ -0,0 +1,103 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +// Helper file for tests that initialize CRLite with corrupted `security_state` +// files. +// +// Usage: +// Define nsILocalFile variables for the `crlite.filter`, `crlite.coverage`, +// and `crlite.enrollment` files that should be copied to the new profile, and +// then load this file. The variables should be called `filter`, `coverage`, +// and `enrollment`, respectively. To omit a file, leave the corresponding +// variable `undefined`. +// +// Example: +// let filter = do_get_file("some_test_dir/crlite.filter"); +// let coverage = undefined; +// let enrollment = do_get_file("some_test_dir/crlite.enrollment"); +// load("./corrupted_crlite_helper.js"); +// +// Note: +// The cert_storage library only attempts to read security_state once. So +// this task can only be included once per test file. + +"use strict"; + +/* eslint-disable no-undef */ + +add_task(async function test_crlite_corrupted() { + let securityStateDirectory = do_get_profile(); + securityStateDirectory.append("security_state"); + + Services.prefs.setIntPref( + "security.pki.crlite_mode", + CRLiteModeEnforcePrefValue + ); + + if (coverage != undefined) { + coverage.copyTo(securityStateDirectory, "crlite.coverage"); + } + if (enrollment != undefined) { + enrollment.copyTo(securityStateDirectory, "crlite.enrollment"); + } + if (filter != undefined) { + filter.copyTo(securityStateDirectory, "crlite.filter"); + } + + let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + + let certStorage = Cc["@mozilla.org/security/certstorage;1"].getService( + Ci.nsICertStorage + ); + + // This certificate is revoked according to `test_crlite_filters/20201017-0-filter`. + // Its issuer is enrolled according to `test_crlite_preexisting/crlite.enrollment`, + // and it is covered according to `test_crlite_preexisting/crlite.coverage`. + let revokedCert = constructCertFromFile("test_crlite_filters/revoked.pem"); + + // The issuer's certificate needs to be available for path building. + let issuerCert = constructCertFromFile("test_crlite_filters/issuer.pem"); + ok(issuerCert, "issuer certificate should decode successfully"); + + // If we copied a corrupted file to security_state, then CRLite should not be + // initialized, and we should fall back to OCSP. By setting + // Ci.nsIX509CertDB.FLAG_LOCAL_ONLY here we skip the OCSP test, so there's no + // revocation checking, and the revoked certificate should pass inspection. + await checkCertErrorGenericAtTime( + certdb, + revokedCert, + PRErrorCodeSuccess, + certificateUsageSSLServer, + new Date("2020-10-20T00:00:00Z").getTime() / 1000, + undefined, + "us-datarecovery.com", + Ci.nsIX509CertDB.FLAG_LOCAL_ONLY + ); + + // We should not have a filter or a stash. + let hasFilter = await new Promise(resolve => { + certStorage.hasPriorData( + Ci.nsICertStorage.DATA_TYPE_CRLITE_FILTER_FULL, + (rv, result) => { + Assert.equal(rv, Cr.NS_OK, "hasPriorData should succeed"); + resolve(result); + } + ); + }); + Assert.equal(hasFilter, false, "CRLite should not have a filter"); + + let hasStash = await new Promise(resolve => { + certStorage.hasPriorData( + Ci.nsICertStorage.DATA_TYPE_CRLITE_FILTER_INCREMENTAL, + (rv, result) => { + Assert.equal(rv, Cr.NS_OK, "hasPriorData should succeed"); + resolve(result); + } + ); + }); + Assert.equal(hasStash, false, "CRLite should not have a stash"); +}); diff --git a/security/manager/ssl/tests/unit/crlite_enrollment_id.py b/security/manager/ssl/tests/unit/crlite_enrollment_id.py new file mode 100755 index 0000000000..2deb5ad379 --- /dev/null +++ b/security/manager/ssl/tests/unit/crlite_enrollment_id.py @@ -0,0 +1,33 @@ +#!/usr/bin/python + +# Given a PEM encoded X.509 certificate, outputs +# base64(SHA256(subject || spki)) +# where `subject` is the RFC 5280 RDNSequence encoding +# the certificate's subject, and `spki` is the RFC 5280 +# SubjectPublicKeyInfo field encoding the certificate's +# public key. + +import sys +import base64 + +from cryptography import x509 +from cryptography.hazmat.primitives import serialization +from cryptography.hazmat.primitives import hashes + +if len(sys.argv) != 2: + print(f"Usage: {sys.argv[0]} <path to pem cert>") + sys.exit(1) + +with open(sys.argv[1], "r") as f: + cert = x509.load_pem_x509_certificate(f.read().encode("utf-8"), backend=None) + +subj = cert.subject.public_bytes() +spki = cert.public_key().public_bytes( + format=serialization.PublicFormat.SubjectPublicKeyInfo, + encoding=serialization.Encoding.DER, +) + +digest = hashes.Hash(hashes.SHA256(), backend=None) +digest.update(subj) +digest.update(spki) +print(base64.b64encode(digest.finalize()).decode("utf-8")) diff --git a/security/manager/ssl/tests/unit/crlite_key.py b/security/manager/ssl/tests/unit/crlite_key.py new file mode 100755 index 0000000000..53d2b2aeaf --- /dev/null +++ b/security/manager/ssl/tests/unit/crlite_key.py @@ -0,0 +1,58 @@ +#!/usr/bin/python + +# Given PEM encoded X.509 certificates Issuer and Subscriber, +# outputs the urlsafe base64 encoding of the SHA256 hash of +# the Issuer's SubjectPublicKeyInfo, and the ascii hex encoding +# of the Subscriber's serial number. + +import sys +import base64 + +from cryptography import x509 +from cryptography.hazmat.primitives import serialization +from cryptography.hazmat.primitives import hashes + + +def uint_to_serial_bytes(a): + # Encode the non-negative integer |a| as a DER integer without the leading + # tag and length prefix. The DER encoding of |a| is the shortest octet + # string that encodes |a| in big endian two's complement form. + assert a >= 0 + + # Since |a| is non-negative, the shortest bit string that encodes it in + # big-endian two's complement form has a leading 0 bit. Positive python + # integers have a `bit_length` method that gives the index of the leading 1 + # bit. The minimal two's complement bit length is one more than this. + # + # NB: Python defines |int(0).bit_length() == 0|. The other cases are more + # intuitive; for integers x and k with x >= 0 and k > 0 with 2**k > x we + # have |int(2**k + x).bit_length() == k+1|. + bit_len = 1 + a.bit_length() + byte_len = (bit_len + 7) // 8 + return a.to_bytes(byte_len, byteorder="big", signed=False) + + +if len(sys.argv) != 3: + print(f"Usage: {sys.argv[0]} <path to issuer cert> <path to subscriber cert>") + sys.exit(1) + +with open(sys.argv[1], "r") as f: + issuer = x509.load_pem_x509_certificate(f.read().encode("utf-8"), backend=None) + +with open(sys.argv[2], "r") as f: + subscriber = x509.load_pem_x509_certificate(f.read().encode("utf-8"), backend=None) + +assert issuer.subject.public_bytes() == subscriber.issuer.public_bytes() + +issuer_spki = issuer.public_key().public_bytes( + format=serialization.PublicFormat.SubjectPublicKeyInfo, + encoding=serialization.Encoding.DER, +) +hasher = hashes.Hash(hashes.SHA256(), backend=None) +hasher.update(issuer_spki) +issuer_spki_hash = hasher.finalize() + +subscriber_serial = uint_to_serial_bytes(int(subscriber.serial_number)) + +print(base64.urlsafe_b64encode(issuer_spki_hash).decode("utf-8")) +print(subscriber_serial.hex()) diff --git a/security/manager/ssl/tests/unit/head_psm.js b/security/manager/ssl/tests/unit/head_psm.js new file mode 100644 index 0000000000..d34c7fdc1d --- /dev/null +++ b/security/manager/ssl/tests/unit/head_psm.js @@ -0,0 +1,1247 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + */ +"use strict"; + +const { AppConstants } = ChromeUtils.importESModule( + "resource://gre/modules/AppConstants.sys.mjs" +); +const { ctypes } = ChromeUtils.importESModule( + "resource://gre/modules/ctypes.sys.mjs" +); +const { FileUtils } = ChromeUtils.importESModule( + "resource://gre/modules/FileUtils.sys.mjs" +); +const { HttpServer } = ChromeUtils.importESModule( + "resource://testing-common/httpd.sys.mjs" +); +const { MockRegistrar } = ChromeUtils.importESModule( + "resource://testing-common/MockRegistrar.sys.mjs" +); +const { NetUtil } = ChromeUtils.importESModule( + "resource://gre/modules/NetUtil.sys.mjs" +); +const { XPCOMUtils } = ChromeUtils.importESModule( + "resource://gre/modules/XPCOMUtils.sys.mjs" +); + +const { X509 } = ChromeUtils.importESModule( + "resource://gre/modules/psm/X509.sys.mjs" +); + +const gIsDebugBuild = Cc["@mozilla.org/xpcom/debug;1"].getService( + Ci.nsIDebug2 +).isDebugBuild; + +// The test EV roots are only enabled in debug builds as a security measure. +const gEVExpected = gIsDebugBuild; + +const CLIENT_AUTH_FILE_NAME = "ClientAuthRememberList.bin"; +const SSS_STATE_FILE_NAME = "SiteSecurityServiceState.bin"; +const SSS_STATE_OLD_FILE_NAME = "SiteSecurityServiceState.txt"; +const CERT_OVERRIDE_FILE_NAME = "cert_override.txt"; + +const SEC_ERROR_BASE = Ci.nsINSSErrorsService.NSS_SEC_ERROR_BASE; +const SSL_ERROR_BASE = Ci.nsINSSErrorsService.NSS_SSL_ERROR_BASE; +const MOZILLA_PKIX_ERROR_BASE = Ci.nsINSSErrorsService.MOZILLA_PKIX_ERROR_BASE; + +// This isn't really a valid PRErrorCode, but is useful for signalling that +// a test is expected to succeed. +const PRErrorCodeSuccess = 0; + +// Sort in numerical order +const SEC_ERROR_INVALID_TIME = SEC_ERROR_BASE + 8; +const SEC_ERROR_BAD_DER = SEC_ERROR_BASE + 9; +const SEC_ERROR_BAD_SIGNATURE = SEC_ERROR_BASE + 10; +const SEC_ERROR_EXPIRED_CERTIFICATE = SEC_ERROR_BASE + 11; +const SEC_ERROR_REVOKED_CERTIFICATE = SEC_ERROR_BASE + 12; +const SEC_ERROR_UNKNOWN_ISSUER = SEC_ERROR_BASE + 13; +const SEC_ERROR_UNTRUSTED_ISSUER = SEC_ERROR_BASE + 20; +const SEC_ERROR_UNTRUSTED_CERT = SEC_ERROR_BASE + 21; +const SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE = SEC_ERROR_BASE + 30; +const SEC_ERROR_CA_CERT_INVALID = SEC_ERROR_BASE + 36; +const SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION = SEC_ERROR_BASE + 41; +const SEC_ERROR_PKCS7_BAD_SIGNATURE = SEC_ERROR_BASE + 47; +const SEC_ERROR_INADEQUATE_KEY_USAGE = SEC_ERROR_BASE + 90; +const SEC_ERROR_INADEQUATE_CERT_TYPE = SEC_ERROR_BASE + 91; +const SEC_ERROR_CERT_NOT_IN_NAME_SPACE = SEC_ERROR_BASE + 112; +const SEC_ERROR_CERT_BAD_ACCESS_LOCATION = SEC_ERROR_BASE + 117; +const SEC_ERROR_OCSP_MALFORMED_REQUEST = SEC_ERROR_BASE + 120; +const SEC_ERROR_OCSP_SERVER_ERROR = SEC_ERROR_BASE + 121; +const SEC_ERROR_OCSP_TRY_SERVER_LATER = SEC_ERROR_BASE + 122; +const SEC_ERROR_OCSP_REQUEST_NEEDS_SIG = SEC_ERROR_BASE + 123; +const SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST = SEC_ERROR_BASE + 124; +const SEC_ERROR_OCSP_UNKNOWN_CERT = SEC_ERROR_BASE + 126; +const SEC_ERROR_OCSP_MALFORMED_RESPONSE = SEC_ERROR_BASE + 129; +const SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE = SEC_ERROR_BASE + 130; +const SEC_ERROR_OCSP_OLD_RESPONSE = SEC_ERROR_BASE + 132; +const SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE = SEC_ERROR_BASE + 141; +const SEC_ERROR_OCSP_INVALID_SIGNING_CERT = SEC_ERROR_BASE + 144; +const SEC_ERROR_POLICY_VALIDATION_FAILED = SEC_ERROR_BASE + 160; +const SEC_ERROR_OCSP_BAD_SIGNATURE = SEC_ERROR_BASE + 157; +const SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED = SEC_ERROR_BASE + 176; + +const SSL_ERROR_NO_CYPHER_OVERLAP = SSL_ERROR_BASE + 2; +const SSL_ERROR_BAD_CERT_DOMAIN = SSL_ERROR_BASE + 12; +const SSL_ERROR_BAD_CERT_ALERT = SSL_ERROR_BASE + 17; +const SSL_ERROR_WEAK_SERVER_CERT_KEY = SSL_ERROR_BASE + 132; +const SSL_ERROR_DC_INVALID_KEY_USAGE = SSL_ERROR_BASE + 184; + +const SSL_ERROR_ECH_RETRY_WITH_ECH = SSL_ERROR_BASE + 188; +const SSL_ERROR_ECH_RETRY_WITHOUT_ECH = SSL_ERROR_BASE + 189; +const SSL_ERROR_ECH_FAILED = SSL_ERROR_BASE + 190; +const SSL_ERROR_ECH_REQUIRED_ALERT = SSL_ERROR_BASE + 191; + +const MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE = MOZILLA_PKIX_ERROR_BASE + 0; +const MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY = + MOZILLA_PKIX_ERROR_BASE + 1; +const MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE = MOZILLA_PKIX_ERROR_BASE + 2; +const MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA = MOZILLA_PKIX_ERROR_BASE + 3; +const MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE = + MOZILLA_PKIX_ERROR_BASE + 5; +const MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE = + MOZILLA_PKIX_ERROR_BASE + 6; +const MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING = + MOZILLA_PKIX_ERROR_BASE + 8; +const MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING = + MOZILLA_PKIX_ERROR_BASE + 10; +const MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME = MOZILLA_PKIX_ERROR_BASE + 12; +const MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED = + MOZILLA_PKIX_ERROR_BASE + 13; +const MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT = MOZILLA_PKIX_ERROR_BASE + 14; +const MOZILLA_PKIX_ERROR_MITM_DETECTED = MOZILLA_PKIX_ERROR_BASE + 15; + +// Supported Certificate Usages +const certificateUsageSSLClient = 0x0001; +const certificateUsageSSLServer = 0x0002; +const certificateUsageSSLCA = 0x0008; +const certificateUsageEmailSigner = 0x0010; +const certificateUsageEmailRecipient = 0x0020; + +// A map from the name of a certificate usage to the value of the usage. +// Useful for printing debugging information and for enumerating all supported +// usages. +const allCertificateUsages = { + certificateUsageSSLClient, + certificateUsageSSLServer, + certificateUsageSSLCA, + certificateUsageEmailSigner, + certificateUsageEmailRecipient, +}; + +const NO_FLAGS = 0; + +const CRLiteModeDisabledPrefValue = 0; +const CRLiteModeTelemetryOnlyPrefValue = 1; +const CRLiteModeEnforcePrefValue = 2; +const CRLiteModeConfirmRevocationsValue = 3; + +// Convert a string to an array of bytes consisting of the char code at each +// index. +function stringToArray(s) { + let a = []; + for (let i = 0; i < s.length; i++) { + a.push(s.charCodeAt(i)); + } + return a; +} + +// Converts an array of bytes to a JS string using fromCharCode on each byte. +function arrayToString(a) { + let s = ""; + for (let b of a) { + s += String.fromCharCode(b); + } + return s; +} + +// Commonly certificates are represented as PEM. The format is roughly as +// follows: +// +// -----BEGIN CERTIFICATE----- +// [some lines of base64, each typically 64 characters long] +// -----END CERTIFICATE----- +// +// However, nsIX509CertDB.constructX509FromBase64 and related functions do not +// handle input of this form. Instead, they require a single string of base64 +// with no newlines or BEGIN/END headers. This is a helper function to convert +// PEM to the format that nsIX509CertDB requires. +function pemToBase64(pem) { + return pem + .replace(/-----BEGIN CERTIFICATE-----/, "") + .replace(/-----END CERTIFICATE-----/, "") + .replace(/[\r\n]/g, ""); +} + +function build_cert_chain(certNames, testDirectory = "bad_certs") { + let certList = []; + certNames.forEach(function (certName) { + let cert = constructCertFromFile(`${testDirectory}/${certName}.pem`); + certList.push(cert); + }); + return certList; +} + +function areCertsEqual(certA, certB) { + let derA = certA.getRawDER(); + let derB = certB.getRawDER(); + if (derA.length != derB.length) { + return false; + } + for (let i = 0; i < derA.length; i++) { + if (derA[i] != derB[i]) { + return false; + } + } + return true; +} + +function areCertArraysEqual(certArrayA, certArrayB) { + if (certArrayA.length != certArrayB.length) { + return false; + } + + for (let i = 0; i < certArrayA.length; i++) { + const certA = certArrayA[i]; + const certB = certArrayB[i]; + if (!areCertsEqual(certA, certB)) { + return false; + } + } + return true; +} + +function readFile(file) { + let fstream = Cc["@mozilla.org/network/file-input-stream;1"].createInstance( + Ci.nsIFileInputStream + ); + fstream.init(file, -1, 0, 0); + let available = fstream.available(); + let data = + available > 0 ? NetUtil.readInputStreamToString(fstream, available) : ""; + fstream.close(); + return data; +} + +function addCertFromFile(certdb, filename, trustString) { + let certFile = do_get_file(filename, false); + let certBytes = readFile(certFile); + try { + return certdb.addCert(certBytes, trustString); + } catch (e) {} + // It might be PEM instead of DER. + return certdb.addCertFromBase64(pemToBase64(certBytes), trustString); +} + +function constructCertFromFile(filename) { + let certFile = do_get_file(filename, false); + let certBytes = readFile(certFile); + let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + try { + return certdb.constructX509(stringToArray(certBytes)); + } catch (e) {} + // It might be PEM instead of DER. + return certdb.constructX509FromBase64(pemToBase64(certBytes)); +} + +function setCertTrust(cert, trustString) { + let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + certdb.setCertTrustFromString(cert, trustString); +} + +function getXPCOMStatusFromNSS(statusNSS) { + let nssErrorsService = Cc["@mozilla.org/nss_errors_service;1"].getService( + Ci.nsINSSErrorsService + ); + return nssErrorsService.getXPCOMFromNSSError(statusNSS); +} + +// Helper for checkCertErrorGenericAtTime +class CertVerificationExpectedErrorResult { + constructor(certName, expectedError, expectedEVStatus, resolve) { + this.certName = certName; + this.expectedError = expectedError; + this.expectedEVStatus = expectedEVStatus; + this.resolve = resolve; + } + + verifyCertFinished(aPRErrorCode, aVerifiedChain, aHasEVPolicy) { + equal( + aPRErrorCode, + this.expectedError, + `verifying ${this.certName}: should get error ${this.expectedError}` + ); + if (this.expectedEVStatus != undefined) { + equal( + aHasEVPolicy, + this.expectedEVStatus, + `verifying ${this.certName}: ` + + `should ${this.expectedEVStatus ? "be" : "not be"} EV` + ); + } + this.resolve(); + } +} + +// certdb implements nsIX509CertDB. See nsIX509CertDB.idl for documentation. +// In particular, hostname is optional. +function checkCertErrorGenericAtTime( + certdb, + cert, + expectedError, + usage, + time, + /* optional */ isEVExpected, + /* optional */ hostname, + /* optional */ flags = NO_FLAGS +) { + return new Promise((resolve, reject) => { + let result = new CertVerificationExpectedErrorResult( + cert.commonName, + expectedError, + isEVExpected, + resolve + ); + certdb.asyncVerifyCertAtTime(cert, usage, flags, hostname, time, result); + }); +} + +// certdb implements nsIX509CertDB. See nsIX509CertDB.idl for documentation. +// In particular, hostname is optional. +function checkCertErrorGeneric( + certdb, + cert, + expectedError, + usage, + /* optional */ isEVExpected, + /* optional */ hostname +) { + let now = new Date().getTime() / 1000; + return checkCertErrorGenericAtTime( + certdb, + cert, + expectedError, + usage, + now, + isEVExpected, + hostname + ); +} + +function checkEVStatus(certDB, cert, usage, isEVExpected) { + return checkCertErrorGeneric( + certDB, + cert, + PRErrorCodeSuccess, + usage, + isEVExpected + ); +} + +function _getLibraryFunctionWithNoArguments( + functionName, + libraryName, + returnType +) { + // Open the NSS library. copied from services/crypto/modules/WeaveCrypto.js + let path = ctypes.libraryName(libraryName); + + // XXX really want to be able to pass specific dlopen flags here. + let nsslib; + try { + nsslib = ctypes.open(path); + } catch (e) { + // In case opening the library without a full path fails, + // try again with a full path. + let file = Services.dirsvc.get("GreBinD", Ci.nsIFile); + file.append(path); + nsslib = ctypes.open(file.path); + } + + let SECStatus = ctypes.int; + let func = nsslib.declare( + functionName, + ctypes.default_abi, + returnType || SECStatus + ); + return func; +} + +function clearOCSPCache() { + let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + certdb.clearOCSPCache(); +} + +function clearSessionCache() { + let nssComponent = Cc["@mozilla.org/psm;1"].getService(Ci.nsINSSComponent); + nssComponent.clearSSLExternalAndInternalSessionCache(); +} + +function getSSLStatistics() { + let SSL3Statistics = new ctypes.StructType("SSL3Statistics", [ + { sch_sid_cache_hits: ctypes.long }, + { sch_sid_cache_misses: ctypes.long }, + { sch_sid_cache_not_ok: ctypes.long }, + { hsh_sid_cache_hits: ctypes.long }, + { hsh_sid_cache_misses: ctypes.long }, + { hsh_sid_cache_not_ok: ctypes.long }, + { hch_sid_cache_hits: ctypes.long }, + { hch_sid_cache_misses: ctypes.long }, + { hch_sid_cache_not_ok: ctypes.long }, + { sch_sid_stateless_resumes: ctypes.long }, + { hsh_sid_stateless_resumes: ctypes.long }, + { hch_sid_stateless_resumes: ctypes.long }, + { hch_sid_ticket_parse_failures: ctypes.long }, + ]); + let SSL3StatisticsPtr = new ctypes.PointerType(SSL3Statistics); + let SSL_GetStatistics = null; + try { + SSL_GetStatistics = _getLibraryFunctionWithNoArguments( + "SSL_GetStatistics", + "ssl3", + SSL3StatisticsPtr + ); + } catch (e) { + // On Windows, this is actually in the nss3 library. + SSL_GetStatistics = _getLibraryFunctionWithNoArguments( + "SSL_GetStatistics", + "nss3", + SSL3StatisticsPtr + ); + } + if (!SSL_GetStatistics) { + throw new Error("Failed to get SSL statistics"); + } + return SSL_GetStatistics(); +} + +// Set up a TLS testing environment that has a TLS server running and +// ready to accept connections. This async function starts the server and +// waits for the server to indicate that it is ready. +// +// Each test should have its own subdomain of example.com, for example +// my-first-connection-test.example.com. The server can use the server +// name (passed through the SNI TLS extension) to determine what behavior +// the server side of the text should exhibit. See TLSServer.h for more +// information on how to write the server side of tests. +// +// Create a new source file for your new server executable in +// security/manager/ssl/tests/unit/tlsserver/cmd similar to the other ones in +// that directory, and add a reference to it to the sources variable in that +// directory's moz.build. +// +// Modify TEST_HARNESS_BINS in +// testing/mochitest/Makefile.in and NO_PKG_FILES in +// toolkit/mozapps/installer/packager.mk to make sure the new executable +// gets included in the packages used for shipping the tests to the test +// runners in our build/test farm. (Things will work fine locally without +// these changes but will break on TBPL.) +// +// Your test script should look something like this: +/* + +// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. +"use strict"; + +// <documentation on your test> + +function run_test() { + do_get_profile(); + add_tls_server_setup("<test-server-name>", "<path-to-certificate-directory>"); + + add_connection_test("<test-name-1>.example.com", + SEC_ERROR_xxx, + function() { ... }, + function(aTransportSecurityInfo) { ... }, + function(aTransport) { ... }); + [...] + add_connection_test("<test-name-n>.example.com", PRErrorCodeSuccess); + + run_next_test(); +} +*/ + +function add_tls_server_setup(serverBinName, certsPath, addDefaultRoot = true) { + add_test(function () { + _setupTLSServerTest(serverBinName, certsPath, addDefaultRoot); + }); +} + +/** + * Add a TLS connection test case. + * + * @param {string} aHost + * The hostname to pass in the SNI TLS extension; this should unambiguously + * identify which test is being run. + * @param {PRErrorCode} aExpectedResult + * The expected result of the connection. If an error is not expected, pass + * in PRErrorCodeSuccess. + * @param {Function} aBeforeConnect + * A callback function that takes no arguments that will be called before the + * connection is attempted. + * @param {Function} aWithSecurityInfo + * A callback function that takes an nsITransportSecurityInfo, which is called + * after the TLS handshake succeeds. + * @param {Function} aAfterStreamOpen + * A callback function that is called with the nsISocketTransport once the + * output stream is ready. + * @param {OriginAttributes} aOriginAttributes (optional) + * The origin attributes that the socket transport will have. This parameter + * affects OCSP because OCSP cache is double-keyed by origin attributes' first + * party domain. + * + * @param {OriginAttributes} aEchConfig (optional) + * A Base64-encoded ECHConfig. If non-empty, it will be configured to the client + * socket resulting in an Encrypted Client Hello extension being sent. The client + * keypair is ephermeral and generated within NSS. + */ +function add_connection_test( + aHost, + aExpectedResult, + aBeforeConnect, + aWithSecurityInfo, + aAfterStreamOpen, + /* optional */ aOriginAttributes, + /* optional */ aEchConfig +) { + add_test(function () { + if (aBeforeConnect) { + aBeforeConnect(); + } + asyncConnectTo( + aHost, + aExpectedResult, + aWithSecurityInfo, + aAfterStreamOpen, + aOriginAttributes, + aEchConfig + ).then(run_next_test); + }); +} + +async function asyncConnectTo( + aHost, + aExpectedResult, + /* optional */ aWithSecurityInfo = undefined, + /* optional */ aAfterStreamOpen = undefined, + /* optional */ aOriginAttributes = undefined, + /* optional */ aEchConfig = undefined +) { + const REMOTE_PORT = 8443; + + function Connection(host) { + this.host = host; + this.thread = Services.tm.currentThread; + this.defer = Promise.withResolvers(); + let sts = Cc["@mozilla.org/network/socket-transport-service;1"].getService( + Ci.nsISocketTransportService + ); + this.transport = sts.createTransport( + ["ssl"], + host, + REMOTE_PORT, + null, + null + ); + if (aEchConfig) { + this.transport.setEchConfig(atob(aEchConfig)); + } + // See bug 1129771 - attempting to connect to [::1] when the server is + // listening on 127.0.0.1 causes frequent failures on OS X 10.10. + this.transport.connectionFlags |= Ci.nsISocketTransport.DISABLE_IPV6; + this.transport.setEventSink(this, this.thread); + if (aOriginAttributes) { + this.transport.originAttributes = aOriginAttributes; + } + this.inputStream = null; + this.outputStream = null; + this.connected = false; + } + + Connection.prototype = { + // nsITransportEventSink + onTransportStatus(aTransport, aStatus, aProgress, aProgressMax) { + if ( + !this.connected && + aStatus == Ci.nsISocketTransport.STATUS_CONNECTED_TO + ) { + this.connected = true; + this.outputStream.asyncWait(this, 0, 0, this.thread); + } + }, + + // nsIInputStreamCallback + onInputStreamReady(aStream) { + try { + // this will throw if the stream has been closed by an error + let str = NetUtil.readInputStreamToString(aStream, aStream.available()); + Assert.equal(str, "0", "Should have received ASCII '0' from server"); + this.inputStream.close(); + this.outputStream.close(); + this.result = Cr.NS_OK; + } catch (e) { + this.result = e.result; + } + this.defer.resolve(this); + }, + + // nsIOutputStreamCallback + onOutputStreamReady(aStream) { + if (aAfterStreamOpen) { + aAfterStreamOpen(this.transport); + } + this.outputStream.write("0", 1); + let inStream = this.transport + .openInputStream(0, 0, 0) + .QueryInterface(Ci.nsIAsyncInputStream); + this.inputStream = inStream; + this.inputStream.asyncWait(this, 0, 0, this.thread); + }, + + go() { + this.outputStream = this.transport + .openOutputStream(0, 0, 0) + .QueryInterface(Ci.nsIAsyncOutputStream); + return this.defer.promise; + }, + }; + + /* Returns a promise to connect to host that resolves to the result of that + * connection */ + function connectTo(host) { + Services.prefs.setCharPref("network.dns.localDomains", host); + let connection = new Connection(host); + return connection.go(); + } + + return connectTo(aHost).then(async function (conn) { + info("handling " + aHost); + let expectedNSResult = + aExpectedResult == PRErrorCodeSuccess + ? Cr.NS_OK + : getXPCOMStatusFromNSS(aExpectedResult); + Assert.equal( + conn.result, + expectedNSResult, + "Actual and expected connection result should match" + ); + if (aWithSecurityInfo) { + aWithSecurityInfo( + await conn.transport.tlsSocketControl.asyncGetSecurityInfo() + ); + } + }); +} + +function _getBinaryUtil(binaryUtilName) { + let utilBin = Services.dirsvc.get("GreD", Ci.nsIFile); + // On macOS, GreD is .../Contents/Resources, and most binary utilities + // are located there, but certutil is in GreBinD (or .../Contents/MacOS), + // so we have to change the path accordingly. + if (binaryUtilName === "certutil") { + utilBin = Services.dirsvc.get("GreBinD", Ci.nsIFile); + } + utilBin.append(binaryUtilName + mozinfo.bin_suffix); + // If we're testing locally, the above works. If not, the server executable + // is in another location. + if (!utilBin.exists()) { + utilBin = Services.dirsvc.get("CurWorkD", Ci.nsIFile); + while (utilBin.path.includes("xpcshell")) { + utilBin = utilBin.parent; + } + utilBin.append("bin"); + utilBin.append(binaryUtilName + mozinfo.bin_suffix); + } + // But maybe we're on Android, where binaries are in /data/local/xpcb. + if (!utilBin.exists()) { + utilBin.initWithPath("/data/local/xpcb/"); + utilBin.append(binaryUtilName); + } + Assert.ok(utilBin.exists(), `Binary util ${binaryUtilName} should exist`); + return utilBin; +} + +// Do not call this directly; use add_tls_server_setup +function _setupTLSServerTest(serverBinName, certsPath, addDefaultRoot) { + asyncStartTLSTestServer(serverBinName, certsPath, addDefaultRoot).then( + run_next_test + ); +} + +async function asyncStartTLSTestServer( + serverBinName, + certsPath, + addDefaultRoot +) { + let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + // The trusted CA that is typically used for "good" certificates. + if (addDefaultRoot) { + addCertFromFile(certdb, `${certsPath}/test-ca.pem`, "CTu,u,u"); + } + + const CALLBACK_PORT = 8444; + + let greBinDir = Services.dirsvc.get("GreBinD", Ci.nsIFile); + Services.env.set("DYLD_LIBRARY_PATH", greBinDir.path); + // TODO(bug 1107794): Android libraries are in /data/local/xpcb, but "GreBinD" + // does not return this path on Android, so hard code it here. + Services.env.set("LD_LIBRARY_PATH", greBinDir.path + ":/data/local/xpcb"); + Services.env.set("MOZ_TLS_SERVER_DEBUG_LEVEL", "3"); + Services.env.set("MOZ_TLS_SERVER_CALLBACK_PORT", CALLBACK_PORT); + + let httpServer = new HttpServer(); + let serverReady = new Promise(resolve => { + httpServer.registerPathHandler( + "/", + function handleServerCallback(aRequest, aResponse) { + aResponse.setStatusLine(aRequest.httpVersion, 200, "OK"); + aResponse.setHeader("Content-Type", "text/plain"); + let responseBody = "OK!"; + aResponse.bodyOutputStream.write(responseBody, responseBody.length); + executeSoon(function () { + httpServer.stop(resolve); + }); + } + ); + httpServer.start(CALLBACK_PORT); + }); + + let serverBin = _getBinaryUtil(serverBinName); + let process = Cc["@mozilla.org/process/util;1"].createInstance(Ci.nsIProcess); + process.init(serverBin); + let certDir = Services.dirsvc.get("CurWorkD", Ci.nsIFile); + certDir.append(`${certsPath}`); + Assert.ok(certDir.exists(), `certificate folder (${certsPath}) should exist`); + // Using "sql:" causes the SQL DB to be used so we can run tests on Android. + process.run(false, ["sql:" + certDir.path, Services.appinfo.processID], 2); + + registerCleanupFunction(function () { + process.kill(); + }); + + await serverReady; +} + +// Returns an Array of OCSP responses for a given ocspRespArray and a location +// for a nssDB where the certs and public keys are prepopulated. +// ocspRespArray is an array of arrays like: +// [ [typeOfResponse, certnick, extracertnick, thisUpdateSkew]...] +function generateOCSPResponses(ocspRespArray, nssDBlocation) { + let utilBinName = "GenerateOCSPResponse"; + let ocspGenBin = _getBinaryUtil(utilBinName); + let retArray = []; + + for (let i = 0; i < ocspRespArray.length; i++) { + let argArray = []; + let ocspFilepre = do_get_file(i.toString() + ".ocsp", true); + let filename = ocspFilepre.path; + // Using "sql:" causes the SQL DB to be used so we can run tests on Android. + argArray.push("sql:" + nssDBlocation); + argArray.push(ocspRespArray[i][0]); // ocsRespType; + argArray.push(ocspRespArray[i][1]); // nick; + argArray.push(ocspRespArray[i][2]); // extranickname + argArray.push(ocspRespArray[i][3]); // thisUpdate skew + argArray.push(filename); + info("argArray = " + argArray); + + let process = Cc["@mozilla.org/process/util;1"].createInstance( + Ci.nsIProcess + ); + process.init(ocspGenBin); + process.run(true, argArray, argArray.length); + Assert.equal(0, process.exitValue, "Process exit value should be 0"); + let ocspFile = do_get_file(i.toString() + ".ocsp", false); + retArray.push(readFile(ocspFile)); + ocspFile.remove(false); + } + return retArray; +} + +// Starts and returns an http responder that will cause a test failure if it is +// queried. The server identities are given by a non-empty array +// serverIdentities. +function getFailingHttpServer(serverPort, serverIdentities) { + let httpServer = new HttpServer(); + httpServer.registerPrefixHandler("/", function (request, response) { + Assert.ok(false, "HTTP responder should not have been queried"); + }); + httpServer.identity.setPrimary("http", serverIdentities.shift(), serverPort); + serverIdentities.forEach(function (identity) { + httpServer.identity.add("http", identity, serverPort); + }); + httpServer.start(serverPort); + return httpServer; +} + +// Starts an http OCSP responder that serves good OCSP responses and +// returns an object with a method stop that should be called to stop +// the http server. +// NB: Because generating OCSP responses inside the HTTP request +// handler can cause timeouts, the expected responses are pre-generated +// all at once before starting the server. This means that their producedAt +// times will all be the same. If a test depends on this not being the case, +// perhaps calling startOCSPResponder twice (at different times) will be +// necessary. +// +// serverPort is the port of the http OCSP responder +// identity is the http hostname that will answer the OCSP requests +// nssDBLocation is the location of the NSS database from where the OCSP +// responses will be generated (assumes appropiate keys are present) +// expectedCertNames is an array of nicks of the certs to be responsed +// expectedBasePaths is an optional array that is used to indicate +// what is the expected base path of the OCSP request. +// expectedMethods is an optional array of methods ("GET" or "POST") indicating +// by which HTTP method the server is expected to be queried. +// expectedResponseTypes is an optional array of OCSP response types to use (see +// GenerateOCSPResponse.cpp). +// responseHeaderPairs is an optional array of HTTP header (name, value) pairs +// to set in each response. +function startOCSPResponder( + serverPort, + identity, + nssDBLocation, + expectedCertNames, + expectedBasePaths, + expectedMethods, + expectedResponseTypes, + responseHeaderPairs = [] +) { + let ocspResponseGenerationArgs = expectedCertNames.map(function ( + expectedNick + ) { + let responseType = "good"; + if (expectedResponseTypes && expectedResponseTypes.length >= 1) { + responseType = expectedResponseTypes.shift(); + } + return [responseType, expectedNick, "unused", 0]; + }); + let ocspResponses = generateOCSPResponses( + ocspResponseGenerationArgs, + nssDBLocation + ); + let httpServer = new HttpServer(); + httpServer.registerPrefixHandler( + "/", + function handleServerCallback(aRequest, aResponse) { + info("got request for: " + aRequest.path); + let basePath = aRequest.path.slice(1).split("/")[0]; + if (expectedBasePaths.length >= 1) { + Assert.equal( + basePath, + expectedBasePaths.shift(), + "Actual and expected base path should match" + ); + } + Assert.ok( + expectedCertNames.length >= 1, + "expectedCertNames should contain >= 1 entries" + ); + if (expectedMethods && expectedMethods.length >= 1) { + Assert.equal( + aRequest.method, + expectedMethods.shift(), + "Actual and expected fetch method should match" + ); + } + aResponse.setStatusLine(aRequest.httpVersion, 200, "OK"); + aResponse.setHeader("Content-Type", "application/ocsp-response"); + for (let headerPair of responseHeaderPairs) { + aResponse.setHeader(headerPair[0], headerPair[1]); + } + aResponse.write(ocspResponses.shift()); + } + ); + httpServer.identity.setPrimary("http", identity, serverPort); + httpServer.start(serverPort); + return { + stop(callback) { + // make sure we consumed each expected response + Assert.equal( + ocspResponses.length, + 0, + "Should have 0 remaining expected OCSP responses" + ); + if (expectedMethods) { + Assert.equal( + expectedMethods.length, + 0, + "Should have 0 remaining expected fetch methods" + ); + } + if (expectedBasePaths) { + Assert.equal( + expectedBasePaths.length, + 0, + "Should have 0 remaining expected base paths" + ); + } + if (expectedResponseTypes) { + Assert.equal( + expectedResponseTypes.length, + 0, + "Should have 0 remaining expected response types" + ); + } + httpServer.stop(callback); + }, + }; +} + +// Given an OCSP responder (see startOCSPResponder), returns a promise that +// resolves when the responder has successfully stopped. +function stopOCSPResponder(responder) { + return new Promise((resolve, reject) => { + responder.stop(resolve); + }); +} + +// Utility functions for adding tests relating to certificate error overrides + +// Helper function for add_cert_override_test. Probably doesn't need to be +// called directly. +function add_cert_override(aHost, aSecurityInfo) { + let cert = aSecurityInfo.serverCert; + let certOverrideService = Cc[ + "@mozilla.org/security/certoverride;1" + ].getService(Ci.nsICertOverrideService); + certOverrideService.rememberValidityOverride(aHost, 8443, {}, cert, true); +} + +// Given a host and an expected error code, tests that an initial connection to +// the host fails with the expected error and that adding an override results +// in a subsequent connection succeeding. +function add_cert_override_test(aHost, aExpectedError) { + add_connection_test( + aHost, + aExpectedError, + null, + add_cert_override.bind(this, aHost) + ); + add_connection_test(aHost, PRErrorCodeSuccess, null, aSecurityInfo => { + Assert.ok( + aSecurityInfo.securityState & + Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN, + "Cert override flag should be set on the security state" + ); + }); +} + +// Helper function for add_prevented_cert_override_test. This is much like +// add_cert_override except it may not be the case that the connection has an +// SecInfo set on it. In this case, the error was not overridable anyway, so +// we consider it a success. +function attempt_adding_cert_override(aHost, aSecurityInfo) { + if (aSecurityInfo.serverCert) { + let cert = aSecurityInfo.serverCert; + let certOverrideService = Cc[ + "@mozilla.org/security/certoverride;1" + ].getService(Ci.nsICertOverrideService); + certOverrideService.rememberValidityOverride(aHost, 8443, {}, cert, true); + } +} + +// Given a host and an expected error code, tests that an initial connection to +// the host fails with the expected error and that adding an override does not +// result in a subsequent connection succeeding (i.e. the same error code is +// encountered). +// The idea here is that for HSTS hosts or hosts with key pins, no error is +// overridable, even if an entry is added to the override service. +function add_prevented_cert_override_test(aHost, aExpectedError) { + add_connection_test( + aHost, + aExpectedError, + null, + attempt_adding_cert_override.bind(this, aHost) + ); + add_connection_test(aHost, aExpectedError); +} + +// Helper for asyncTestCertificateUsages. +class CertVerificationResult { + constructor(certName, usageString, successExpected, resolve) { + this.certName = certName; + this.usageString = usageString; + this.successExpected = successExpected; + this.resolve = resolve; + } + + verifyCertFinished(aPRErrorCode, aVerifiedChain, aHasEVPolicy) { + if (this.successExpected) { + equal( + aPRErrorCode, + PRErrorCodeSuccess, + `verifying ${this.certName} for ${this.usageString} should succeed` + ); + } else { + notEqual( + aPRErrorCode, + PRErrorCodeSuccess, + `verifying ${this.certName} for ${this.usageString} should fail` + ); + } + this.resolve(); + } +} + +/** + * Asynchronously attempts to verify the given certificate for all supported + * usages (see allCertificateUsages). Verifies that the results match the + * expected successful usages. Returns a promise that will resolve when all + * verifications have been performed. + * Verification happens "now" with no specified flags or hostname. + * + * @param {nsIX509CertDB} certdb + * The certificate database to use to verify the certificate. + * @param {nsIX509Cert} cert + * The certificate to be verified. + * @param {number[]} expectedUsages + * A list of usages (as their integer values) that are expected to verify + * successfully. + * @returns {Promise} + * A promise that will resolve with no value when all asynchronous operations + * have completed. + */ +function asyncTestCertificateUsages(certdb, cert, expectedUsages) { + let now = new Date().getTime() / 1000; + let promises = []; + Object.keys(allCertificateUsages).forEach(usageString => { + let promise = new Promise((resolve, reject) => { + let usage = allCertificateUsages[usageString]; + let successExpected = expectedUsages.includes(usage); + let result = new CertVerificationResult( + cert.commonName, + usageString, + successExpected, + resolve + ); + let flags = Ci.nsIX509CertDB.FLAG_LOCAL_ONLY; + certdb.asyncVerifyCertAtTime(cert, usage, flags, null, now, result); + }); + promises.push(promise); + }); + return Promise.all(promises); +} + +/** + * Loads the pkcs11testmodule.cpp test PKCS #11 module, and registers a cleanup + * function that unloads it once the calling test completes. + * + * @param {nsIFile} libraryFile + * The dynamic library file that implements the module to + * load. + * @param {string} moduleName + * What to call the module. + * @param {boolean} expectModuleUnloadToFail + * Should be set to true for tests that manually unload the + * test module, so the attempt to auto unload the test module + * doesn't cause a test failure. Should be set to false + * otherwise, so failure to automatically unload the test + * module gets reported. + */ +function loadPKCS11Module(libraryFile, moduleName, expectModuleUnloadToFail) { + ok(libraryFile.exists(), "The PKCS11 module file should exist"); + + let pkcs11ModuleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService( + Ci.nsIPKCS11ModuleDB + ); + registerCleanupFunction(() => { + try { + pkcs11ModuleDB.deleteModule(moduleName); + } catch (e) { + Assert.ok( + expectModuleUnloadToFail, + `Module unload should suceed only when expected: ${e}` + ); + } + }); + pkcs11ModuleDB.addModule(moduleName, libraryFile.path, 0, 0); +} + +/** + * @param {string} data + * @returns {string} + */ +function hexify(data) { + // |slice(-2)| chomps off the last two characters of a string. + // Therefore, if the Unicode value is < 0x10, we have a single-character hex + // string when we want one that's two characters, and unconditionally + // prepending a "0" solves the problem. + return Array.from(data, (c, i) => + ("0" + data.charCodeAt(i).toString(16)).slice(-2) + ).join(""); +} + +/** + * @param {string[]} lines + * Lines to write. Each line automatically has "\n" appended to it when + * being written. + * @param {nsIFileOutputStream} outputStream + */ +function writeLinesAndClose(lines, outputStream) { + for (let line of lines) { + line += "\n"; + outputStream.write(line, line.length); + } + outputStream.close(); +} + +/** + * @param {string} moduleName + * The name of the module that should not be loaded. + * @param {string} libraryName + * A unique substring of name of the dynamic library file of the module + * that should not be loaded. + */ +function checkPKCS11ModuleNotPresent(moduleName, libraryName) { + let moduleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService( + Ci.nsIPKCS11ModuleDB + ); + let modules = moduleDB.listModules(); + ok( + modules.hasMoreElements(), + "One or more modules should be present with test module not present" + ); + for (let module of modules) { + notEqual( + module.name, + moduleName, + `Non-test module name shouldn't equal '${moduleName}'` + ); + ok( + !(module.libName && module.libName.includes(libraryName)), + `Non-test module lib name should not include '${libraryName}'` + ); + } +} + +/** + * Checks that the test module exists in the module list. + * Also checks various attributes of the test module for correctness. + * + * @param {string} moduleName + * The name of the module that should be present. + * @param {string} libraryName + * A unique substring of the name of the dynamic library file + * of the module that should be loaded. + * @returns {nsIPKCS11Module} + * The test module. + */ +function checkPKCS11ModuleExists(moduleName, libraryName) { + let moduleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService( + Ci.nsIPKCS11ModuleDB + ); + let modules = moduleDB.listModules(); + ok( + modules.hasMoreElements(), + "One or more modules should be present with test module present" + ); + let testModule = null; + for (let module of modules) { + if (module.name == moduleName) { + testModule = module; + break; + } + } + notEqual(testModule, null, "Test module should have been found"); + notEqual(testModule.libName, null, "Test module lib name should not be null"); + ok( + testModule.libName.includes(ctypes.libraryName(libraryName)), + `Test module lib name should include lib name of '${libraryName}'` + ); + + return testModule; +} + +// Given an nsIX509Cert, return the bytes of its subject DN (as a JS string) and +// the sha-256 hash of its subject public key info, base64-encoded. +function getSubjectAndSPKIHash(nsCert) { + let certBytes = nsCert.getRawDER(); + let cert = new X509.Certificate(); + cert.parse(certBytes); + let subject = cert.tbsCertificate.subject._der._bytes; + let subjectString = arrayToString(subject); + let spkiHashString = nsCert.sha256SubjectPublicKeyInfoDigest; + return { subjectString, spkiHashString }; +} + +function run_certutil_on_directory(directory, args, expectSuccess = true) { + let greBinDir = Services.dirsvc.get("GreBinD", Ci.nsIFile); + Services.env.set("DYLD_LIBRARY_PATH", greBinDir.path); + // TODO(bug 1107794): Android libraries are in /data/local/xpcb, but "GreBinD" + // does not return this path on Android, so hard code it here. + Services.env.set("LD_LIBRARY_PATH", greBinDir.path + ":/data/local/xpcb"); + let certutilBin = _getBinaryUtil("certutil"); + let process = Cc["@mozilla.org/process/util;1"].createInstance(Ci.nsIProcess); + process.init(certutilBin); + args.push("-d"); + args.push(`sql:${directory}`); + process.run(true, args, args.length); + if (expectSuccess) { + Assert.equal(process.exitValue, 0, "certutil should succeed"); + } +} + +function get_data_storage_contents(dataStorageFileName) { + let stateFile = do_get_profile(); + stateFile.append(dataStorageFileName); + if (!stateFile.exists()) { + return undefined; + } + return readFile(stateFile); +} + +function u16_to_big_endian_bytes(u16) { + Assert.less(u16, 65536); + return [u16 / 256, u16 % 256]; +} + +// Appends a line to the given data storage file (as an nsIOutputStream). +// score is an integer representing the number of unique days the item has been accessed. +// lastAccessed is the day since the epoch the item was last accessed. +// key and value are strings representing the key and value of the item. +function append_line_to_data_storage_file( + outputStream, + score, + lastAccessed, + key, + value, + valueLength = 24, + useBadChecksum = false +) { + let line = arrayToString(u16_to_big_endian_bytes(score)); + line = line + arrayToString(u16_to_big_endian_bytes(lastAccessed)); + line = line + key; + let keyPadding = []; + for (let i = 0; i < 256 - key.length; i++) { + keyPadding.push(0); + } + line = line + arrayToString(keyPadding); + line = line + value; + let valuePadding = []; + for (let i = 0; i < valueLength - value.length; i++) { + valuePadding.push(0); + } + line = line + arrayToString(valuePadding); + let checksum = 0; + Assert.equal(line.length % 2, 0); + for (let i = 0; i < line.length; i += 2) { + checksum ^= (line.charCodeAt(i) << 8) + line.charCodeAt(i + 1); + } + line = + arrayToString( + u16_to_big_endian_bytes(useBadChecksum ? ~checksum & 0xffff : checksum) + ) + line; + outputStream.write(line, line.length); +} diff --git a/security/manager/ssl/tests/unit/moz.build b/security/manager/ssl/tests/unit/moz.build new file mode 100644 index 0000000000..561502dd51 --- /dev/null +++ b/security/manager/ssl/tests/unit/moz.build @@ -0,0 +1,10 @@ +# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*- +# vim: set filetype=python: +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +DIRS += ["tlsserver", "test_signed_apps"] + +if not CONFIG["MOZ_NO_SMART_CARDS"]: + DIRS += ["pkcs11testmodule"] diff --git a/security/manager/ssl/tests/unit/ocsp_certs/ca-used-as-end-entity.pem b/security/manager/ssl/tests/unit/ocsp_certs/ca-used-as-end-entity.pem new file mode 100644 index 0000000000..05959d4c6a --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/ca-used-as-end-entity.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDRTCCAi2gAwIBAgIUcdrK+swAhgsnbPoNXViflHJFgtMwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw +MjA0MDAwMDAwWjAvMS0wKwYDVQQDDCRUZXN0IEludGVybWVkaWF0ZSB1c2VkIGFz +IEVuZC1FbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo +RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a +dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t +aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n +FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX +Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py +UcQx1QOs2hgKNe2NAgMBAAGjcjBwMAwGA1UdEwQFMAMBAf8wMgYIKwYBBQUHAQEE +JjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMCwGA1UdEQQl +MCOCIWNhLXVzZWQtYXMtZW5kLWVudGl0eS5leGFtcGxlLmNvbTANBgkqhkiG9w0B +AQsFAAOCAQEAUV4KW+Z8kuKSA64HNt0qyB2POf/dpZUhUCs/eFw7aamooeH4ZvS6 +Qu1OBFzuU4lYlNOJGBUfYRS0MvUjtYdRGMxhIv/zUBPT1xG0PsOjPj9Y7BbzDbG1 +++O+chZk79KE+9d6QMDquHysRMCku4Ss5wbvOiaJoi5ZnAuqkenzvdS377J4acZ7 +vGyRekqZZssIZ2xnShzXSS5Kexe0B33Ky3Pl3fk7JqMyZDPhLnzRok3sNuZIpB9b +qNYkd0h9V2ZEI2XSRJzhtN1NX72g5NMnmeFJ2YFll69b9xO3mPLKX4k/gy/djZa0 +eCgPydgLZPTagy9hYorKAFR9D7qX8128oQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/ocsp_certs/ca-used-as-end-entity.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/ca-used-as-end-entity.pem.certspec new file mode 100644 index 0000000000..8e16705b50 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/ca-used-as-end-entity.pem.certspec @@ -0,0 +1,5 @@ +issuer:Test CA +subject:Test Intermediate used as End-Entity +extension:basicConstraints:cA, +extension:authorityInformationAccess:http://localhost:8888/ +extension:subjectAlternativeName:ca-used-as-end-entity.example.com diff --git a/security/manager/ssl/tests/unit/ocsp_certs/default-ee.key b/security/manager/ssl/tests/unit/ocsp_certs/default-ee.key new file mode 100644 index 0000000000..09e044f5e0 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/default-ee.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9 +braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI +eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6 +iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za +qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7 +LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs +2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs +VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s +JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI +r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz +iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg +SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R +TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N +gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp +xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r +ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR +3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY +EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs +2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb +WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo +tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl +rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2 +TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit +tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m +ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1 +NBinA5ZsT8d0v3QCr2xDJH9D +-----END PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/ocsp_certs/default-ee.key.keyspec b/security/manager/ssl/tests/unit/ocsp_certs/default-ee.key.keyspec new file mode 100644 index 0000000000..4ad96d5159 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/default-ee.key.keyspec @@ -0,0 +1 @@ +default diff --git a/security/manager/ssl/tests/unit/ocsp_certs/default-ee.pem b/security/manager/ssl/tests/unit/ocsp_certs/default-ee.pem new file mode 100644 index 0000000000..7dd59895af --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/default-ee.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDiTCCAnGgAwIBAgIUYS+fG1v+p3J2spZDRL6SSVpIFtcwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw +MjA0MDAwMDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0 +7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D +/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw +JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX +rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd +q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgcow +gccwgZAGA1UdEQSBiDCBhYIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tghUqLnBp +bm5pbmcuZXhhbXBsZS5jb22CKCouaW5jbHVkZS1zdWJkb21haW5zLnBpbm5pbmcu +ZXhhbXBsZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5zLnBpbm5pbmcuZXhhbXBs +ZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxo +b3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQB+1d8LT9Iaa3WShAqdo54BS4lg +0VHqQeAe7YlFzBjHLi62SRC8kMtn4CrAvtDGh+4xrfUHjkHMwxMhS2SBypPanccy +Hk2LtubcrE7tl0fexB2yfv3+oS5LnMaJ+6svWgq3i31g1YCNoCN+bdvxb3BMKdn5 +tV6OYrhCA/0CHjre34fC7DTb3AmBRSpoJf2QNanCrxi4Nau4TfWzHiUz+RwfDS2/ +Y5GV2rN0Wuw6vd4J5FtHl5G3ThtH+azD0INR9qI8zYtibjkzroXDzXcVXEOQqqtx +UE/ieCiIFKBtbITd2X0ae1MCfyKq3JULr8pWc90hUdSHnZ5OFnuU65s73qXJ +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/ocsp_certs/default-ee.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/default-ee.pem.certspec new file mode 100644 index 0000000000..554339ff52 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/default-ee.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test CA +subject:Test End-entity +extension:subjectAlternativeName:localhost,*.example.com,*.pinning.example.com,*.include-subdomains.pinning.example.com,*.exclude-subdomains.pinning.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/ocsp_certs/delegatedSHA1Signer.pem b/security/manager/ssl/tests/unit/ocsp_certs/delegatedSHA1Signer.pem new file mode 100644 index 0000000000..9a85704a2f --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/delegatedSHA1Signer.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC4zCCAcugAwIBAgIUN1YJwqDb7hit7/zGQsHESReD5CMwDQYJKoZIhvcNAQEF +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw +MjA0MDAwMDAwWjAoMSYwJAYDVQQDDB1UZXN0IFNIQTEgRGVsZWdhdGVkIFJlc3Bv +bmRlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMF1xlJmCZ93CCpn +kfG4dsN/XOU4sGxKzSKxy9RvplraKt1ByMJJisSjs8H2FIf0G2mJQb2ApRw8EgJE +xYSkxEgzBeUTjAEGzwi+moYnYLrmoujzbyPF2YMTud+vN4NF2s5R1Nbc0qbLPMcG +680wcOyYzOQKpZHXKVp/ccW+ZmkdKy3+yElEWQvFo+pJ/ZOx11NAXxdzdpmVhmYl +R5ftQmkIiAgRQiBpmIpD/uSM5oeB3SK2ppzSg3UTH5MrEozihvp9JRwGKtJ+8Bbx +h83VToMrNbiTD3S6kKqLx2FnJCqx/W1iFA0YxMC4xo/DdIRXMkrX3obmVS8dHhkd +cSFo07sCAwEAAaMXMBUwEwYDVR0lBAwwCgYIKwYBBQUHAwkwDQYJKoZIhvcNAQEF +BQADggEBAHq/8EhMgz0k7VetFlmIAVNnKKo1ME9CVDU1kHZkU4Y9cEDWvSStQkGE +v3xAq74AYWVYETbCyPGKNhCuPlW+pNUpkh+3bA9Og0liOfVCvRbgz2Scy2K3I3PX +cSWPECqAE6NJOmpWGPgIYlgK60ZDgKKhVa5jkdBiIjk04QHQnRKdEFhdvFSOly3J +H03PWi4yxNNIun30I7hZuWKKFiHRHQdvtRr/0rbElFsegwUirgfDS/ybnOJDY/Hk +1//hi0jDr0kfA4DBmxivQs/+2dTvcGn9GcJV1vdUmJZ19mC68UqqEItRiXOhKVV0 +lOFRnC5xID/9+VThV/xaoOV1YHlBjag= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/ocsp_certs/delegatedSHA1Signer.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/delegatedSHA1Signer.pem.certspec new file mode 100644 index 0000000000..bdf3e2ee4d --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/delegatedSHA1Signer.pem.certspec @@ -0,0 +1,5 @@ +issuer:Test CA +subject:Test SHA1 Delegated Responder +subjectKey:alternate +signature:sha1WithRSAEncryption +extension:extKeyUsage:OCSPSigning diff --git a/security/manager/ssl/tests/unit/ocsp_certs/delegatedSigner.pem b/security/manager/ssl/tests/unit/ocsp_certs/delegatedSigner.pem new file mode 100644 index 0000000000..d93b4d37a7 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/delegatedSigner.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC3jCCAcagAwIBAgIUf7d1PDS74OZ84rbuYcT53gA6x9gwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw +MjA0MDAwMDAwWjAjMSEwHwYDVQQDDBhUZXN0IERlbGVnYXRlZCBSZXNwb25kZXIw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBdcZSZgmfdwgqZ5HxuHbD +f1zlOLBsSs0iscvUb6Za2irdQcjCSYrEo7PB9hSH9BtpiUG9gKUcPBICRMWEpMRI +MwXlE4wBBs8IvpqGJ2C65qLo828jxdmDE7nfrzeDRdrOUdTW3NKmyzzHBuvNMHDs +mMzkCqWR1ylaf3HFvmZpHSst/shJRFkLxaPqSf2TsddTQF8Xc3aZlYZmJUeX7UJp +CIgIEUIgaZiKQ/7kjOaHgd0itqac0oN1Ex+TKxKM4ob6fSUcBirSfvAW8YfN1U6D +KzW4kw90upCqi8dhZyQqsf1tYhQNGMTAuMaPw3SEVzJK196G5lUvHR4ZHXEhaNO7 +AgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA0GCSqGSIb3DQEBCwUAA4IB +AQAbr7I0sCC8GZSVY7rcIaEetwz48FDkzTE7OVMxLNMhKsJXwJmaCxvRfMZ+ZRDd +RntaDF8suL6gVCVkIUQwYAT+3joGvO/SEJe3YLaeE2IMGw0zoRrpqP6DYq9+6fS7 +2n1BDu57dsyW8XghG0XH4iGQam5DmgUzts/Uadr7E4D9ibFDlrSRmguEVqpzgwb0 +O6ZMuG88uNWbKAQ4TPOJrR6RUzwURckiTrw3ExtOh70YOVCsyYNc7NtpJft338Se +GQI9UVyi5/wML4HFbyls+1go1o/nHjAbsKsEBfOwE6HTE0CuBW2FPr/3CToaelka +olDHKbozj5v9ejiyXHVOvwdi +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/ocsp_certs/delegatedSigner.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/delegatedSigner.pem.certspec new file mode 100644 index 0000000000..19971eeb4d --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/delegatedSigner.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test CA +subject:Test Delegated Responder +subjectKey:alternate +extension:extKeyUsage:OCSPSigning diff --git a/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerFromIntermediate.pem b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerFromIntermediate.pem new file mode 100644 index 0000000000..4f41fa9361 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerFromIntermediate.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDAjCCAeqgAwIBAgIUcVj9ek7otTbf7aHOG9p/UQigFt4wDQYJKoZIhvcNAQEL +BQAwHDEaMBgGA1UEAwwRVGVzdCBJbnRlcm1lZGlhdGUwIhgPMjAyMjExMjcwMDAw +MDBaGA8yMDI1MDIwNDAwMDAwMFowPTE7MDkGA1UEAwwyVGVzdCBJbnZhbGlkIERl +bGVnYXRlZCBSZXNwb25kZXIgRnJvbSBJbnRlcm1lZGlhdGUwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQDBdcZSZgmfdwgqZ5HxuHbDf1zlOLBsSs0iscvU +b6Za2irdQcjCSYrEo7PB9hSH9BtpiUG9gKUcPBICRMWEpMRIMwXlE4wBBs8IvpqG +J2C65qLo828jxdmDE7nfrzeDRdrOUdTW3NKmyzzHBuvNMHDsmMzkCqWR1ylaf3HF +vmZpHSst/shJRFkLxaPqSf2TsddTQF8Xc3aZlYZmJUeX7UJpCIgIEUIgaZiKQ/7k +jOaHgd0itqac0oN1Ex+TKxKM4ob6fSUcBirSfvAW8YfN1U6DKzW4kw90upCqi8dh +ZyQqsf1tYhQNGMTAuMaPw3SEVzJK196G5lUvHR4ZHXEhaNO7AgMBAAGjFzAVMBMG +A1UdJQQMMAoGCCsGAQUFBwMJMA0GCSqGSIb3DQEBCwUAA4IBAQBxKW7KGxLJtq/f +LNqaKClRG4UsGxm9QcBaMJ+9FGXBJiV2EuZ+5IdmI45McydSvBv7h40UcPLpl+Dm +XQilH0YBVX/an946GNG0uC+PEgh86Zv4x2JSZ/mh2Nw1mJwG24uiGJ+c9ng4jwQM +wrgnD7COaQskBui98zhLDxoj/y/HA3bOqiKQTLAoJVpQPmU/WUaXNyNW8j7KKIro +8YzcuvdV04vI7dDO67vQP7eRKkkQggV4btap8YlhSR57IeajrdlyzHlXl+ANUAPg +TH6+mE9di/7/N/e7H/1gqatpoa1Rxc9XoANqoCeTnNEg1snD9KjD8rU2AT6xKJyb +e2vQdfrf +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerFromIntermediate.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerFromIntermediate.pem.certspec new file mode 100644 index 0000000000..be0d3e9e5f --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerFromIntermediate.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test Intermediate +subject:Test Invalid Delegated Responder From Intermediate +subjectKey:alternate +extension:extKeyUsage:OCSPSigning diff --git a/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerKeyUsageCrlSigning.pem b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerKeyUsageCrlSigning.pem new file mode 100644 index 0000000000..77e2e18008 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerKeyUsageCrlSigning.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC8jCCAdqgAwIBAgIUE+9k78S70+47fNpmHkOSE0nynkAwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw +MjA0MDAwMDAwWjA/MT0wOwYDVQQDDDRUZXN0IEludmFsaWQgRGVsZWdhdGVkIFJl +c3BvbmRlciBrZXlVc2FnZSBjcmxTaWduaW5nMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEAwXXGUmYJn3cIKmeR8bh2w39c5TiwbErNIrHL1G+mWtoq3UHI +wkmKxKOzwfYUh/QbaYlBvYClHDwSAkTFhKTESDMF5ROMAQbPCL6ahidguuai6PNv +I8XZgxO53683g0XazlHU1tzSpss8xwbrzTBw7JjM5AqlkdcpWn9xxb5maR0rLf7I +SURZC8Wj6kn9k7HXU0BfF3N2mZWGZiVHl+1CaQiICBFCIGmYikP+5Izmh4HdIram +nNKDdRMfkysSjOKG+n0lHAYq0n7wFvGHzdVOgys1uJMPdLqQqovHYWckKrH9bWIU +DRjEwLjGj8N0hFcyStfehuZVLx0eGR1xIWjTuwIDAQABow8wDTALBgNVHQ8EBAMC +AQIwDQYJKoZIhvcNAQELBQADggEBAKwrK91/08VmhevSsqYzWQSmFPW7df8IKjvl +A6QzTWa2QSDm7MK30ZKHQrTUh3ov+sN+R2dyX9lopouE7xRCo6eUjSCywLResFTU +uj6t2dO//4Pdsd0qw/m48FrF7q+UABzDxugxpU5RLFRtdnXe2X8tJ5llypC2Nn1S +s09rwX8l3V+VRlPQkw56110n/n/4/hLmxUWMrs1eKMn3lwEvJcdSbqtbstuhksrm +/dODn2Ulfu29dL2Qbtbhvp/vNu7z/i6LFD17H12oi+TN3qaAmDlh//Gd3Vz9qqbc +5VOxiOSrr6jTEhghsWx/JIiKaODgKjGigKnvq+cGc9tRwQPXX5E= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerKeyUsageCrlSigning.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerKeyUsageCrlSigning.pem.certspec new file mode 100644 index 0000000000..2833ed9b52 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerKeyUsageCrlSigning.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test CA +subject:Test Invalid Delegated Responder keyUsage crlSigning +subjectKey:alternate +extension:keyUsage:cRLSign diff --git a/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerNoExtKeyUsage.pem b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerNoExtKeyUsage.pem new file mode 100644 index 0000000000..e85fe654fd --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerNoExtKeyUsage.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC3DCCAcSgAwIBAgIUbUSfwq75osxohF3A4Le3+p2/KN8wDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw +MjA0MDAwMDAwWjA6MTgwNgYDVQQDDC9UZXN0IEludmFsaWQgRGVsZWdhdGVkIFJl +c3BvbmRlciBObyBleHRLZXlVc2FnZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBAMF1xlJmCZ93CCpnkfG4dsN/XOU4sGxKzSKxy9RvplraKt1ByMJJisSj +s8H2FIf0G2mJQb2ApRw8EgJExYSkxEgzBeUTjAEGzwi+moYnYLrmoujzbyPF2YMT +ud+vN4NF2s5R1Nbc0qbLPMcG680wcOyYzOQKpZHXKVp/ccW+ZmkdKy3+yElEWQvF +o+pJ/ZOx11NAXxdzdpmVhmYlR5ftQmkIiAgRQiBpmIpD/uSM5oeB3SK2ppzSg3UT +H5MrEozihvp9JRwGKtJ+8Bbxh83VToMrNbiTD3S6kKqLx2FnJCqx/W1iFA0YxMC4 +xo/DdIRXMkrX3obmVS8dHhkdcSFo07sCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA +VKVc1Gdb31hd5bczAxF16Ko67cdggYvZffYIgPbinMLtFfoVmgeHirJwRRypqnse +Ry18lHA+/Qy0qHgPoIQNScXvlyds9+z1AOECi1MzkJhbULR77ZlpWW1tYHfRceVt +7UAEDUZwHOH+13wjvIR2QeYo9owNc9qrI7ENcoZL3gCTndxX/wgn1+ArqLinE9Tg +Kd9zo0y/TaB9KHNRFGTWBfRhzGUlHTRJxYFZ+GFvztWhImg9a7v3V6KSTwMF7I25 +oxevNmSL/8HOyuA1PNXv05UW9zudk7Ta9O150W5XiwVgaDbJPWTmbF43mLn8HA0a +h8W+3xAAbTHI3FTV7fnBUQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerNoExtKeyUsage.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerNoExtKeyUsage.pem.certspec new file mode 100644 index 0000000000..92444c94ad --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerNoExtKeyUsage.pem.certspec @@ -0,0 +1,3 @@ +issuer:Test CA +subject:Test Invalid Delegated Responder No extKeyUsage +subjectKey:alternate diff --git a/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerWrongExtKeyUsage.pem b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerWrongExtKeyUsage.pem new file mode 100644 index 0000000000..c9124e08a7 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerWrongExtKeyUsage.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC+DCCAeCgAwIBAgIUe4pzYrUW7Cqv1xQ9g7LiVTwfSZcwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw +MjA0MDAwMDAwWjA9MTswOQYDVQQDDDJUZXN0IEludmFsaWQgRGVsZWdhdGVkIFJl +c3BvbmRlciBXcm9uZyBleHRLZXlVc2FnZTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAMF1xlJmCZ93CCpnkfG4dsN/XOU4sGxKzSKxy9RvplraKt1ByMJJ +isSjs8H2FIf0G2mJQb2ApRw8EgJExYSkxEgzBeUTjAEGzwi+moYnYLrmoujzbyPF +2YMTud+vN4NF2s5R1Nbc0qbLPMcG680wcOyYzOQKpZHXKVp/ccW+ZmkdKy3+yElE +WQvFo+pJ/ZOx11NAXxdzdpmVhmYlR5ftQmkIiAgRQiBpmIpD/uSM5oeB3SK2ppzS +g3UTH5MrEozihvp9JRwGKtJ+8Bbxh83VToMrNbiTD3S6kKqLx2FnJCqx/W1iFA0Y +xMC4xo/DdIRXMkrX3obmVS8dHhkdcSFo07sCAwEAAaMXMBUwEwYDVR0lBAwwCgYI +KwYBBQUHAwMwDQYJKoZIhvcNAQELBQADggEBADdApuLzME3N8qnz7AANa5LBrpMy +XfuDMqgdgWf8PC38etOIbDNYe6teqWb53TVj9p76JrNMShQOK7psOsdVHIBZaAfc +7hU79JAmABh9H87KZpIh6wN7zHEiU9cc/XjnAVkwKw0KaMnnXZMN0E8plYG9z3T1 +A2h95aOCY/6tG6AGBAnXRqlvW7oOnSwc3QMI7PyV65qoRjPIeq8Ub2B+6r6kXddz +qd9fSHcFkVy/P0wQYz4/UoIEcQGqcQQnpmrMTeHxN+Uhyei0FAHDbCGYQwkXEFyz +qys4kIjH2GZyh//KusdqJ7rjG7f5wPDBq0AbE8h87WCJfdq89cU8hiRkakE= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerWrongExtKeyUsage.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerWrongExtKeyUsage.pem.certspec new file mode 100644 index 0000000000..bc704fbd41 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerWrongExtKeyUsage.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test CA +subject:Test Invalid Delegated Responder Wrong extKeyUsage +subjectKey:alternate +extension:extKeyUsage:codeSigning diff --git a/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-bad-ee.pem b/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-bad-ee.pem new file mode 100644 index 0000000000..9a78ab32a1 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-bad-ee.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDJDCCAgygAwIBAgIUNXbnbwDwSpFuzX+TbUC6+0fwluwwDQYJKoZIhvcNAQEL +BQAwNzE1MDMGA1UEAwwsVGVzdCBJbnRlcm1lZGlhdGUgV2l0aCBNdWx0aXBsZSBU +TFMgRmVhdHVyZXMwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAwMDAwMFow +LDEqMCgGA1UEAwwhTXVsdGkgVExTIEZlYXR1cmUgVGVzdCBFbmQtRW50aXR5MIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08 +E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc +1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAP +DY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQ +gAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqV +YR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQID +AQABoy8wLTAYBgNVHREEETAPgg0qLmV4YW1wbGUuY29tMBEGCCsGAQUFBwEYBAUw +AwIBBTANBgkqhkiG9w0BAQsFAAOCAQEAI6rRgJ9F0L5mIpx9mdZIhN0OUshqD9SO +a94traLS8TWLadiLDcqF3KdCayYYw2OdkLMXB6Cr6dd+9natevak2BTfC3NguyEf +qHF7nBHQi5YMFSWlGxgxDq+XGLA19Dkik7guuHlRsl59C2vJjh2tFphZpuc3nCYW +OK6JPv3Vv8tAJw3z4hfWELaNLRAkHI3KZdEQyd7zHM+o/2mNeyLA5ApqD0K03Aw8 +Y2EJ2YEH6/PkQKdS7Xmska2mUe83s3mny3Q+NEJ9LTJQmJjmUbbEd+nYp/vd+2Ea +DyIuT4onzgcB8ZzEyPUfEs9GWo0H3IP+3elS5vJ4ERp3C57Ps+5MbA== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-bad-ee.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-bad-ee.pem.certspec new file mode 100644 index 0000000000..3fa2793b30 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-bad-ee.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test Intermediate With Multiple TLS Features +subject:Multi TLS Feature Test End-Entity +extension:subjectAlternativeName:*.example.com +extension:TLSFeature:OCSPMustStaple diff --git a/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-good-ee.pem b/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-good-ee.pem new file mode 100644 index 0000000000..8f5e4bf9f6 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-good-ee.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDJzCCAg+gAwIBAgIUR+ptclhXlqm/j0PzeprCWlXnS+QwDQYJKoZIhvcNAQEL +BQAwNzE1MDMGA1UEAwwsVGVzdCBJbnRlcm1lZGlhdGUgV2l0aCBNdWx0aXBsZSBU +TFMgRmVhdHVyZXMwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAwMDAwMFow +LDEqMCgGA1UEAwwhTXVsdGkgVExTIEZlYXR1cmUgVGVzdCBFbmQtRW50aXR5MIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08 +E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc +1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAP +DY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQ +gAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqV +YR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQID +AQABozIwMDAYBgNVHREEETAPgg0qLmV4YW1wbGUuY29tMBQGCCsGAQUFBwEYBAgw +BgIBBQIBBjANBgkqhkiG9w0BAQsFAAOCAQEAWFscG4euFpXJ7tpJQOznyNg2k0hk +LFsoWuS2jhRt4OUjkM6u/ClnlmiAqKtPSmm2UzdxivFLWFqP8g0Rycs3MWUi/Bd6 +Ispo+Ms+wTvv+MyfCqQin1V76IqAYylCnvVB0OS/nF4Zfu/NaLmeqplb4PmPNySO +5cQ1Hq2gMwB6Cj4U9rWLhHamZI1zrnEXNnYCKwgZIvpLhuO8ztNzjEnNRX5iUqYZ +QywPemXePxUmpmPtfpLAraAzpewJ9SIVOGMCR3CcwWVi6dQZ52CfEvNaTK/7SUkQ +dEPlaaVgL1FW9uZGRxXiMRgGpzGidnqH2GGDvql0whE2vs+eFHoUYyLhzQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-good-ee.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-good-ee.pem.certspec new file mode 100644 index 0000000000..7a8dd223d0 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-good-ee.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test Intermediate With Multiple TLS Features +subject:Multi TLS Feature Test End-Entity +extension:subjectAlternativeName:*.example.com +extension:TLSFeature:OCSPMustStaple,6 diff --git a/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee-with-must-staple-int.pem b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee-with-must-staple-int.pem new file mode 100644 index 0000000000..a7e79893df --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee-with-must-staple-int.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDCDCCAfCgAwIBAgIUI+sIlPurR9XGLxSPpQhSEkz+zOQwDQYJKoZIhvcNAQEL +BQAwLTErMCkGA1UEAwwiVGVzdCBJbnRlcm1lZGlhdGUgV2l0aCBNdXN0LVN0YXBs +ZTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAaMRgwFgYDVQQD +DA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB +AQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24a +hvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7t +FYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+o +N9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0d +JdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4 +s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjLzAtMBgGA1UdEQQRMA+CDSouZXhhbXBs +ZS5jb20wEQYIKwYBBQUHARgEBTADAgEFMA0GCSqGSIb3DQEBCwUAA4IBAQAUNqmA +4xSMFge1DxdUpNn8ZkaHQoA2dZmVTb+mRQ3pKLs3W5CPmweIJpVVILEUVEy9nxxT +L5/iVV/tHz2o8+QcUQHhi+RTIBgQ2KG3euxhtLFg2eKEbH2QkeZZCD8Zw5TCcghz +sqFt9lL3Ksk2FephYV6GT2FbsFr0Vs6wTvjTsVo9XwN43EQ8MLyp3IDFdX6SAJJR +8whSA6vLke6JQ7VlfOuW7EZ9aLpMP1GBBzAc0LLT0qEDOyXAH/Ji0rpukVdLoxEs +J4h5yR5Gowzs9dxDk6ngaXi7R7nXRtiRGRayuqT/7Vxqc/H7DXDijI/2BGvM242R +/CLWVQaMEfPtUAfg +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee-with-must-staple-int.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee-with-must-staple-int.pem.certspec new file mode 100644 index 0000000000..352a60675d --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee-with-must-staple-int.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test Intermediate With Must-Staple +subject:Test End-entity +extension:subjectAlternativeName:*.example.com +extension:TLSFeature:OCSPMustStaple diff --git a/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee.pem b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee.pem new file mode 100644 index 0000000000..4460f57948 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDITCCAgmgAwIBAgIUP5FghTXhLOeCnB8J1AU/iHTzD5kwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw +MjA0MDAwMDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0 +7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D +/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw +JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX +rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd +q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjYzBh +MBgGA1UdEQQRMA+CDSouZXhhbXBsZS5jb20wEQYIKwYBBQUHARgEBTADAgEFMDIG +CCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9zdDo4ODg4 +LzANBgkqhkiG9w0BAQsFAAOCAQEAlWxrFGfHjnpCLDn6hu4w2Zn0GwE9mSPubTGQ +HZMLuWczTz6Gdva2RSSM29d4ujhn/I5B+13WcAilHtKQXI0pW3LZ6Zndi0N7aebQ +ZyS8rSumLr6kEojBDHJ1/RGFoCongTzWQYXgnhvUtEg2eGr1+2+eMqFgjUQbeOmW +9Ynjh7E3iE8GBMnSH+k3BJM2mp2SOJziuCVB9riMfhz5S751++/fZhh/W0ykCIqT +oV1He1ij12qa9ojaS/fTyG5zyfZFtu1Cj4AP66e3BUKH80dhIjutRNG7I+lpdaCW +PZZJjCQz/+Lm6bAK0kEFGUmloIE8325BaIm3WFx41JEorn0mlg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee.pem.certspec new file mode 100644 index 0000000000..43edfff0d9 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee.pem.certspec @@ -0,0 +1,5 @@ +issuer:Test CA +subject:Test End-entity +extension:subjectAlternativeName:*.example.com +extension:TLSFeature:OCSPMustStaple +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/ocsp_certs/must-staple-missing-ee.pem b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-missing-ee.pem new file mode 100644 index 0000000000..fa359d0b08 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-missing-ee.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC9TCCAd2gAwIBAgIUWfsNrajIjAByAQVlbEbO1z6PVUswDQYJKoZIhvcNAQEL +BQAwLTErMCkGA1UEAwwiVGVzdCBJbnRlcm1lZGlhdGUgV2l0aCBNdXN0LVN0YXBs +ZTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAaMRgwFgYDVQQD +DA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB +AQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24a +hvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7t +FYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+o +N9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0d +JdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4 +s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHDAaMBgGA1UdEQQRMA+CDSouZXhhbXBs +ZS5jb20wDQYJKoZIhvcNAQELBQADggEBAKYKwrmKb7vTodoRwFVcgtfGLUZC0aRf +Sr+8x5FWMN4hc/YDr2uu9/DpA8/QRV+F3yOt6VBPgqDA5qeHmH7eQMYjRj16e5TA +NsJdoKpwS9m/7Q/n5Lpla6j4pbgnQCLonvnLuKdqY7VSNmsyTNlfk29BELaowDRq +JKumvZHCBp/lql6j7ivTyKEbzhyQWreXNHhuHAk9b3jd8IIY102kHiLt65jho9+o +Vjk0AtuZ+6HeraduYNIVfNU9K1Mhxihr4WM3zS2feKXLbuE8ZAQ2XCNtBUup2u1M +BWC6XU5QPfMSJERVZ/Ib/e+Vsm7R3HK50DcnTdNX8P9pZTSKNNue/Bw= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/ocsp_certs/must-staple-missing-ee.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-missing-ee.pem.certspec new file mode 100644 index 0000000000..8e4a6ac0c5 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-missing-ee.pem.certspec @@ -0,0 +1,3 @@ +issuer:Test Intermediate With Must-Staple +subject:Test End-entity +extension:subjectAlternativeName:*.example.com diff --git a/security/manager/ssl/tests/unit/ocsp_certs/ocspEEWithIntermediate.pem b/security/manager/ssl/tests/unit/ocsp_certs/ocspEEWithIntermediate.pem new file mode 100644 index 0000000000..1efe224912 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/ocspEEWithIntermediate.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDNTCCAh2gAwIBAgIUCZpiLR2ndUffcbxe523KU1xHlp8wDQYJKoZIhvcNAQEL +BQAwHDEaMBgGA1UEAwwRVGVzdCBJbnRlcm1lZGlhdGUwIhgPMjAyMjExMjcwMDAw +MDBaGA8yMDI1MDIwNDAwMDAwMFowLDEqMCgGA1UEAwwhVGVzdCBFbmQtZW50aXR5 +IHdpdGggSW50ZXJtZWRpYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptu +Gobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO +7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgf +qDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/yt +HSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcx +uLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo1swWTAjBgNVHREEHDAagglsb2NhbGhv +c3SCDSouZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZo +dHRwOi8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQCol3N1nPzm +gvOlprRcgehr1/A6DjlMOhxSBva/Kb1daWo9hvm/HsbuuDfuhb2up28tP8bD8BVE +GuJcvHZ4OS6ksScpVK6fqL5LMu9muUC7izCxcoQEV5G9LDZKRJulE4eFUr8Nu5FI +2+onPbt1Eum3Lsm+5Z/xTGsGCrCIVDpAfKzG0XPgzjif/NOwygfWyW59fcj2GfRc +WhARWIm9kfTCPfmhlDm/hvaqDXml40uJSU2HOf3onAI3E6Rlz0VECh0+aoZNXL/1 +8SgeKOR/uvduJl8Y/UHtBVx/q3kLdpUjTrBdKClJXZhpZ0JotI03yjpRpM9nMeUZ +Zeq8d8nZw/kz +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/ocsp_certs/ocspEEWithIntermediate.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/ocspEEWithIntermediate.pem.certspec new file mode 100644 index 0000000000..ae3a51565a --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/ocspEEWithIntermediate.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test Intermediate +subject:Test End-entity with Intermediate +extension:subjectAlternativeName:localhost,*.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/ocsp_certs/ocspOtherEndEntity.pem b/security/manager/ssl/tests/unit/ocsp_certs/ocspOtherEndEntity.pem new file mode 100644 index 0000000000..8b281c227c --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/ocspOtherEndEntity.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDFDCCAfygAwIBAgIUVc3jthuNfUrHgpQaQbQ7kDWCgnkwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw +MjA0MDAwMDAwWjAVMRMwEQYDVQQDDApPdGhlciBDZXJ0MIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds +JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4 +ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25 +iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3 +4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42 +yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo1swWTAjBgNV +HREEHDAagglsb2NhbGhvc3SCDSouZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAk +MCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEB +CwUAA4IBAQAVcGH8MG2aFqmH7jWZNwhFdhfBtElmYjezVNC2fNo16KcF6vItAJZm +aGSEK4NDv591R75OznDYHdzHpNGlxb4JwmPiU4rOCZyKMUSlDXaqCtRZ67BnUxH6 +pSrCEX80QcVqRlMNjJOqEufiVBgrtlccbtQTUmDiTNCxtfo95GzxitHmHcCUGRFJ +e9Ticu2+gSn39UMzkEREztIv9apBp3PHSqe6JlrthplqVEy39A6RpHRvWVyz51Vm +DPrvv7npTw8Nuxbs7LA4hCFTqDy8xtYhT2h169KPXx6kmhb1vQ76cW+J+7de/LH0 +j4XRlZJhtgO4iwkSJp1evY5G+E+lY9db +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/ocsp_certs/ocspOtherEndEntity.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/ocspOtherEndEntity.pem.certspec new file mode 100644 index 0000000000..5756f6ab5f --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/ocspOtherEndEntity.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test CA +subject:Other Cert +extension:subjectAlternativeName:localhost,*.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.key b/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.key new file mode 100644 index 0000000000..abde350c28 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDBdcZSZgmfdwgq +Z5HxuHbDf1zlOLBsSs0iscvUb6Za2irdQcjCSYrEo7PB9hSH9BtpiUG9gKUcPBIC +RMWEpMRIMwXlE4wBBs8IvpqGJ2C65qLo828jxdmDE7nfrzeDRdrOUdTW3NKmyzzH +BuvNMHDsmMzkCqWR1ylaf3HFvmZpHSst/shJRFkLxaPqSf2TsddTQF8Xc3aZlYZm +JUeX7UJpCIgIEUIgaZiKQ/7kjOaHgd0itqac0oN1Ex+TKxKM4ob6fSUcBirSfvAW +8YfN1U6DKzW4kw90upCqi8dhZyQqsf1tYhQNGMTAuMaPw3SEVzJK196G5lUvHR4Z +HXEhaNO7AgMBAAECggEAfj9tfLg572auXX3ZL/VBC7NB3BRyjTkDRXDho3B5DzDw +aBNV//QeKtTpqdn86/vRJ736uMAK/7Hzzqcyfq1HqhYh8qwe4UygLwSzsnhgF5gL +GBpEnQOwPmnRErg1ceVUNPASBWV10oMu1nMdznmeN8g/bVHFWrcetYAVrwXhrxXH +R2A+9/J9A6b/BJ2Wu/hUweTlDvWwWND7CBgOCsf3vo8v8Wc9l/yeVduoOAd7v4p8 +/ylihXeFJpzZ1brStXRp5K/NM8TKLS9pnxHnyPvc1ITwjY77ijy4qXLrJL7Zcu+q +5LtxIJPkj+lKRutimodQeMQCGposk8mnA5Dp0KVEAQKBgQDmP8clprp2klp/+MtZ +xPVt1+yD/oW/H1PhHKyagSWLz8CugZB3sPLRR3qvho3mqOy+r3uyKxlvKprYLTKG +8NDMKd5xnl8r6OUJtyhNWWPt02L5J4h6TEqJeZ00DVGzAax2AasnF5Ak/KrdOL9l +Iq9j6xZGHsAqfyewb+Cd3afAoQKBgQDXGLH+n4+Z8A6DKuH73G/iqyfzTgScSYAQ ++g63CEhSGCNGCDtclsPu5VksAUpBDGuTCxZcE7XCaqMurG58klqFUcJRNPL0pyxk +IfGacxSKDt+rpdOmiIs1y6GMAP047lqvC1RXMdcgdhu8ze50SlLKQV6Y5N4Bzf52 +TBlns+jK2wKBgAHlrKJmyUqI0i4TwrkuokcRbGV6B2gXvf0w20s6nTCVuaS2dJZH +4vhOenhPx4OLCMhZcc96A2+jDjuRw8TQ3yePgMG26FnYRWrbE33vqp8fCsW6yakY +T9TqJ51yLqYm8WDXiq17yDhFzLKd8RXIP2G3YiuZvUOcYJtXkKY8WVGBAoGBAIDM +RdENJITuDRKX/Ae/gLO+/0Yeon4fOPNxeJw69mtKDt0hksIneR208cd64ka/NC8x +hWsPVlgbWKlbETHAxTltsqjDxvOeouM2vCBa5qKgs2hp/KmMu6czzwExmm+bsmt8 +oj0wF/xVHNjaiv3Rf2+i4w00hoeYHNYjTVcekLffAoGAb3fAwfKuesFpVhzKSZxS +vfvgTN3M29wSrsWoVpHoWUt+4pkI8w57lqpiVLgO1K7sm5k3gr38ebadjVjGiHD6 +S+G8DDUnKIxcgrtK668V7f8RBAP8eOas5qgoJ79C8M+nUeUHZRxWONuTk90j3R9r +KVFR3kS3f+Vaew3yceGaZcA= +-----END PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.key.keyspec b/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.key.keyspec new file mode 100644 index 0000000000..cbd5f309c0 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.key.keyspec @@ -0,0 +1 @@ +alternate diff --git a/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.pem b/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.pem new file mode 100644 index 0000000000..a2e264030a --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC3zCCAcegAwIBAgIURym6o+VN9xgZXT/QLrvN/nv1ZN4wDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNT3RoZXIgdGVzdCBDQTAiGA8yMDE1MDEwMTAwMDAwMFoY +DzIwMjUwMTAxMDAwMDAwWjAYMRYwFAYDVQQDDA1PdGhlciB0ZXN0IENBMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwXXGUmYJn3cIKmeR8bh2w39c5Tiw +bErNIrHL1G+mWtoq3UHIwkmKxKOzwfYUh/QbaYlBvYClHDwSAkTFhKTESDMF5ROM +AQbPCL6ahidguuai6PNvI8XZgxO53683g0XazlHU1tzSpss8xwbrzTBw7JjM5Aql +kdcpWn9xxb5maR0rLf7ISURZC8Wj6kn9k7HXU0BfF3N2mZWGZiVHl+1CaQiICBFC +IGmYikP+5Izmh4HdIramnNKDdRMfkysSjOKG+n0lHAYq0n7wFvGHzdVOgys1uJMP +dLqQqovHYWckKrH9bWIUDRjEwLjGj8N0hFcyStfehuZVLx0eGR1xIWjTuwIDAQAB +ox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOC +AQEAtXplrvls6HSbbibpzfGxOPmSuh2TH05bE4vQk+d7Kz6EOAFvgTiZbLwTxbrQ +gfrM05t+67C2nAeiwAtW34nUnu6S8MYA6mJjURWICbl7cAvCHuNjg1atVr6f1Y+9 +VFFG6aUibw3bzKneREmDEVcxlEWUaMvv/JjfyMA5veSyX6iTJYkIBrEiVV5Alzg5 +yVHBi6+tpuJDO/YLlG8kmfzkYeJkTyAGx1EJ2yQHim7R232638yb0KrhS4zKsfFU +egHhM4c+MpiCLc9q2EgblbYGx5GM+2leuzXunj1KPClHFrnmkRRm3rcESG2pK9RN +/48Nd38VNofRojEbzDSCdOFmow== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.pem.certspec new file mode 100644 index 0000000000..3bc975aa22 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.pem.certspec @@ -0,0 +1,7 @@ +issuer:Other test CA +subject:Other test CA +issuerKey:alternate +subjectKey:alternate +validity:20150101-20250101 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.key b/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.key new file mode 100644 index 0000000000..d43495f851 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.key @@ -0,0 +1,16 @@ +-----BEGIN PRIVATE KEY----- +MIICcAIBADANBgkqhkiG9w0BAQEFAASCAlowggJWAgEAAoGAANKbsS+4T93NKbOl +GctmxDuNj4vlRbp5OEzmY+0D33WZFgDrkgeQ0lMM7OVE25mnHwWJaj7SBxZVNKqZ +BX5HxH47yBrab6HhLjcmi1BGpVJo+drXzLSF2BouGdUNTwtoVKyvbXvmnZoIMTbh +WvqPU8HIyE/GB3J53Q5V1zaaW90CAwEAAQJ/PEllBwvzkMJR1aLFJ3xbX9C97oXK +1/4rJ5grsoURSlBwBANq4c+K5Usl5Ns5IVq9fpA/YYwtiy8IzGzRLbzNciBeSUW2 +s984nl5D3goUi7LITiQx/b5ZILBEuycvRez/ByG337YDl/xhOp6jXCIwBTDK6PkV +nFNN878JEJUZAQJAD58XWXyFuAUbnGmvtV71dsmW29CQR9DM3ludYOpcZ/5PrGe+ +gD9LasWj8FD3a5ZvsU9c8QV2HlrebdlgsYO6VQJADXtjcRLOYaVRaMD5yThvsnmr +QMug1Ukza7plJ3JjqseCYRosgdm2Nc94xAAYhZ4BjF6QBtEuPS7m80bnn6QzaQJA +Cf1smj6m6RrjIHD5/BwhD/k1L5e+XR7rlRuzloHp3FtnKlMiIbPYkAyanZm50KTh +AtxFDKG4ewsTid5lFsCuDQJAAUG4MkkbfdSoMwiSACTHnK5kvUR9+IO7TFZyqWur +SLcSOzTyYyRFLNzrF/IeVw40fL4v1MLY+ZEOrCy22JW4yQJABFjdau4YyIsvm4Hx +vDB1riDcH5lz0gck8gsGBD1hR8h4nUoHroi8gshDjIk+AXsTlH9i4LGJWKMetmSx +nmTT4A== +-----END PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.key.keyspec b/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.key.keyspec new file mode 100644 index 0000000000..21ed73d60b --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.key.keyspec @@ -0,0 +1 @@ +rsa1016 diff --git a/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.pem b/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.pem new file mode 100644 index 0000000000..c165b87af5 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.pem @@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICazCCAVOgAwIBAgIUP/C++7bzNaXCCoB0/+8txWBP2mUwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw +MjA0MDAwMDAwWjA1MTMwMQYDVQQDDCpSU0EgMTAxNiBLZXkgU2l6ZSBUZXN0IERl +bGVnYXRlZCBSZXNwb25kZXIwgZ4wDQYJKoZIhvcNAQEBBQADgYwAMIGIAoGAANKb +sS+4T93NKbOlGctmxDuNj4vlRbp5OEzmY+0D33WZFgDrkgeQ0lMM7OVE25mnHwWJ +aj7SBxZVNKqZBX5HxH47yBrab6HhLjcmi1BGpVJo+drXzLSF2BouGdUNTwtoVKyv +bXvmnZoIMTbhWvqPU8HIyE/GB3J53Q5V1zaaW90CAwEAAaMXMBUwEwYDVR0lBAww +CgYIKwYBBQUHAwkwDQYJKoZIhvcNAQELBQADggEBAKYZrrW7GfM1Uogh3tnqcDJn +5pnr/S1yTcpSAuxPNl/EKty2KkBcM7VMZU5Ac5bRWjG7dEMfSw+67fWWQ+HW/ueS +rZ9cM6AfC1rR1epbW6bmvLFZRkYI9dooVQJ7lQba/SFSO459Nk+QFeTrS3z+/ItP +S/oHpeU76oIRW1/ZMeHHGYalK7pAruMoN0iz3KgU0SnF82cPmlP501pwyh0X1Qa7 +BS/2rW5piVHRJUBycgBnKMdvt2nGL6wJbOCEZ7Dhl0vB+2+EmLq90Yl/myhTglrY +85DXAS66DCIvpJXJm/EsVY38VEkHwZEFHWuad9od8sADn3qQNRaExfkqjbh+Op8= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.pem.certspec new file mode 100644 index 0000000000..05f73368a8 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test CA +subject:RSA 1016 Key Size Test Delegated Responder +subjectKey:rsa1016 +extension:extKeyUsage:OCSPSigning diff --git a/security/manager/ssl/tests/unit/ocsp_certs/test-ca.pem b/security/manager/ssl/tests/unit/ocsp_certs/test-ca.pem new file mode 100644 index 0000000000..fcbb0fcb29 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/test-ca.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC0zCCAbugAwIBAgIUP6dLBbQh604kiwoRPLpqmHj72UQwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw +MjA0MDAwMDAwWjASMRAwDgYDVQQDDAdUZXN0IENBMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRME +BTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAP1Cj8YbMVIjc +8gaNVwru/NzEZsKjsxt6Iv0iWtHgexzoZnj82GzzgpnEtNz8bfTQvaImdkCHXYoV +wt7BY9ocZBacAPB3QMKF4prgkxwfD+ub6ckbf61o9Vq2aCZdFqO6ef3ji5dkWYBb +zfuQhmVU3RIvl09ajs4PPDmYp3ebiax2xVcBlP+fuDAeRX5y60yJf6eyNCVbC3M6 +OilriARv855NdhLWagwGX24+dP70HZUvISi/xSW+DNHWndqf1DcCnLreFEDq8F80 +hMCFsmJJEu0uqVFGQfItYlywBC0DJ3EU6votzgMuNa4rGBrMUJnHhzoEE0ISnrWk +iAobTR3jsQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/ocsp_certs/test-ca.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/test-ca.pem.certspec new file mode 100644 index 0000000000..5d2435d7bb --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/test-ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test CA +subject:Test CA +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/ocsp_certs/test-int.pem b/security/manager/ssl/tests/unit/ocsp_certs/test-int.pem new file mode 100644 index 0000000000..08249b863e --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/test-int.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC3TCCAcWgAwIBAgIUa0X7/7DlTaedpgrIJg25iBPOkIMwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE1MDEwMTAwMDAwMFoYDzIwMjUw +MTAxMDAwMDAwWjAcMRowGAYDVQQDDBFUZXN0IEludGVybWVkaWF0ZTCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1 +SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+ +zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYL +K7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwc +bJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibW +JZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMd +MBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEB +AILNZM9yT9ylMpjyi0tXaDORzpHiJ8vEoVKk98bC2BQF0kMEEB547p+Ms8zdJY00 +Bxe9qigT8rQwKprXq5RvgIZ32QLn/yMPiCp/e6zBdsx77TkfmnSnxvPi+0nlA+eM +8JYN0UST4vWD4vPPX9GgZDVoGQTiF3hUivJ5R8sHb/ozcSukMKQQ22+AIU7w6wyA +IbCAG7Pab4k2XFAeEnUZsl9fCym5jsPN9Pnv9rlBi6h8shHw1R2ROXjgxubjiMr3 +B456vFTJImLJjyA1iTSlr/+VXGUYg6Z0/HYnsO00+8xUKM71dPxGAfIFNaSscpyk +rGFLvocT/kym6r8galxCJUo= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/ocsp_certs/test-int.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/test-int.pem.certspec new file mode 100644 index 0000000000..33b42c2f41 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/test-int.pem.certspec @@ -0,0 +1,5 @@ +issuer:Test CA +subject:Test Intermediate +validity:20150101-20250101 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/ocsp_certs/test-multi-tls-feature-int.pem b/security/manager/ssl/tests/unit/ocsp_certs/test-multi-tls-feature-int.pem new file mode 100644 index 0000000000..f0b38d26da --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/test-multi-tls-feature-int.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDDjCCAfagAwIBAgIUCZ58zcMKqo1fCy+Yck82emMJGwkwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw +MjA0MDAwMDAwWjA3MTUwMwYDVQQDDCxUZXN0IEludGVybWVkaWF0ZSBXaXRoIE11 +bHRpcGxlIFRMUyBGZWF0dXJlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAab +bhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmts +Du0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhI +H6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8 +rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kX +Mbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMzMDEwDAYDVR0TBAUwAwEB/zALBgNV +HQ8EBAMCAQYwFAYIKwYBBQUHARgECDAGAgEFAgEGMA0GCSqGSIb3DQEBCwUAA4IB +AQAkPK4BZB0G2WIovt30J+ququdAVY0VjJ9Qs+OiBLCERGGRKzRWgw87bi8tzVcB +gwEdZsd5x2FuOiHHD3uBsFaLr4BwzkRToQkiAvwOrEiUCaZ/PMGrVRbY8NhWqsG/ +4VFy+SkIigvkWQ7OA6ek2lahXwI54+uQ1Fzi2ZX19em3BRQ20vD6ylX2uDj3TQUe +hAvN53076upv9+/hMI8LoKUjE8xR1/52eD+viqLswzF7rqtjRja+yavLyCPqlYPb +xVLrVHJ8hCaXA2AvUXGhqmP6dIHj5HflO/9CSMGCY9ryRKwCmicIqnL37K3jsZjV +nwieZZb3g56QGZfsjVLDh+Yu +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/ocsp_certs/test-multi-tls-feature-int.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/test-multi-tls-feature-int.pem.certspec new file mode 100644 index 0000000000..3f0e925aae --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/test-multi-tls-feature-int.pem.certspec @@ -0,0 +1,5 @@ +issuer:Test CA +subject:Test Intermediate With Multiple TLS Features +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign +extension:TLSFeature:OCSPMustStaple,6 diff --git a/security/manager/ssl/tests/unit/ocsp_certs/test-must-staple-int.pem b/security/manager/ssl/tests/unit/ocsp_certs/test-must-staple-int.pem new file mode 100644 index 0000000000..2f8cdc10e6 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/test-must-staple-int.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDATCCAemgAwIBAgIUOw4TxnDfhhaenMiNugGiWO0FGokwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw +MjA0MDAwMDAwWjAtMSswKQYDVQQDDCJUZXN0IEludGVybWVkaWF0ZSBXaXRoIE11 +c3QtU3RhcGxlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESO +FtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVr +amRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWka +sdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbY +VbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6n +aOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHE +MdUDrNoYCjXtjQIDAQABozAwLjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjAR +BggrBgEFBQcBGAQFMAMCAQUwDQYJKoZIhvcNAQELBQADggEBAF8GCC3e4ljAlwhk +xhqRp/v8GoPaz74dwkQFRBSdIBYaELutYft7PHzZHTOdogInX6X+hzbT7DiP8/bV +d79zMU+D5Lz25Lx4Jw+pjQb3mtLwVst0jY7d+7OTs1HVwpuRLECNbJNH3O8TJLfr +gl4P0ErxLQhVG+YA4wvCwDN5IZVfEeUmeQOEf8ZGGsnD8KP+natwUEnJghjVzI1i +yMUyOHX/cfJg8lKGPtsVRkOLKKkJbf6rhazzn3+em5++Amuihmd/91FHjUbwz/FS +V69o77k1709IoogOihPidfOSLujsENTnhivN+9IWkXLfGkZTR0KNaKF5+62LBRnj +l1OoETM= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/ocsp_certs/test-must-staple-int.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/test-must-staple-int.pem.certspec new file mode 100644 index 0000000000..7c29aa0ad1 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/test-must-staple-int.pem.certspec @@ -0,0 +1,5 @@ +issuer:Test CA +subject:Test Intermediate With Must-Staple +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign +extension:TLSFeature:OCSPMustStaple diff --git a/security/manager/ssl/tests/unit/pkcs11testmodule/moz.build b/security/manager/ssl/tests/unit/pkcs11testmodule/moz.build new file mode 100644 index 0000000000..0eef91b076 --- /dev/null +++ b/security/manager/ssl/tests/unit/pkcs11testmodule/moz.build @@ -0,0 +1,20 @@ +# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*- +# vim: set filetype=python: +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +FINAL_TARGET = "_tests/xpcshell/security/manager/ssl/tests/unit/pkcs11testmodule" + +UNIFIED_SOURCES += [ + "pkcs11testmodule.cpp", +] + +SharedLibrary("pkcs11testmodule") + +# C_GetFunctionList needs to be exported. As it turns out, it's much easier to +# just export all the symbols. +NoVisibilityFlags() +SYMBOLS_FILE = "pkcs11testmodule.symbols" + +NO_PGO = True diff --git a/security/manager/ssl/tests/unit/pkcs11testmodule/pkcs11testmodule.cpp b/security/manager/ssl/tests/unit/pkcs11testmodule/pkcs11testmodule.cpp new file mode 100644 index 0000000000..fb3ff9a10f --- /dev/null +++ b/security/manager/ssl/tests/unit/pkcs11testmodule/pkcs11testmodule.cpp @@ -0,0 +1,597 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +// This is a testing PKCS #11 module that simulates a token being inserted and +// removed from a slot every 50ms. This is achieved mainly in +// Test_C_WaitForSlotEvent. If the application that loaded this module calls +// C_WaitForSlotEvent, this module waits for 50ms and returns, having changed +// its internal state to report that the token has either been inserted or +// removed, as appropriate. +// This module also provides an alternate token that is always present for tests +// that don't want the cyclic behavior described above. + +#include <assert.h> +#include <atomic> +#include <string.h> + +#if defined(WIN32) +# include <windows.h> // for Sleep +#else +# include <unistd.h> // for usleep +#endif + +#include "pkcs11.h" + +CK_RV Test_C_Initialize(CK_VOID_PTR) { return CKR_OK; } + +CK_RV Test_C_Finalize(CK_VOID_PTR) { return CKR_OK; } + +static const CK_VERSION CryptokiVersion = {2, 2}; +static const CK_VERSION TestLibraryVersion = {0, 0}; +static const char TestLibraryDescription[] = "Test PKCS11 Library"; +static const char TestManufacturerID[] = "Test PKCS11 Manufacturer ID"; + +/* The dest buffer is one in the CK_INFO or CK_TOKEN_INFO structs. + * Those buffers are padded with spaces. DestSize corresponds to the declared + * size for those buffers (e.g. 32 for `char foo[32]`). + * The src buffer is a string literal. SrcSize includes the string + * termination character (e.g. 4 for `const char foo[] = "foo"` */ +template <size_t DestSize, size_t SrcSize> +void CopyString(unsigned char (&dest)[DestSize], const char (&src)[SrcSize]) { + static_assert(DestSize >= SrcSize - 1, "DestSize >= SrcSize - 1"); + memcpy(dest, src, SrcSize - 1); + memset(dest + SrcSize - 1, ' ', DestSize - SrcSize + 1); +} + +CK_RV Test_C_GetInfo(CK_INFO_PTR pInfo) { + if (!pInfo) { + return CKR_ARGUMENTS_BAD; + } + + pInfo->cryptokiVersion = CryptokiVersion; + CopyString(pInfo->manufacturerID, TestManufacturerID); + pInfo->flags = 0; // must be 0 + CopyString(pInfo->libraryDescription, TestLibraryDescription); + pInfo->libraryVersion = TestLibraryVersion; + return CKR_OK; +} + +CK_RV Test_C_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR) { return CKR_OK; } + +static int tokenPresent = 0; + +CK_RV Test_C_GetSlotList(CK_BBOOL limitToTokensPresent, + CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount) { + if (!pulCount) { + return CKR_ARGUMENTS_BAD; + } + + // We always return slot 2 + CK_ULONG slotCount = 1; + if (!limitToTokensPresent) { + // If we want empty slots, we also return slots 1 and 3 + slotCount += 2; + } else if (tokenPresent) { + // If we don't want empty slots, but token 1 is present, return that (but + // not slot 3) + slotCount++; + } + + if (pSlotList) { + if (*pulCount < slotCount) { + return CKR_BUFFER_TOO_SMALL; + } + // apparently CK_SLOT_IDs are integers [1,N] because + // who likes counting from 0 all the time? + switch (slotCount) { + case 1: + pSlotList[0] = 2; + break; + case 2: + if (tokenPresent) { + pSlotList[0] = 1; + pSlotList[1] = 2; + } else { + pSlotList[0] = 2; + pSlotList[1] = 3; + } + break; + case 3: + pSlotList[0] = 1; + pSlotList[1] = 2; + pSlotList[2] = 3; + break; + default: + assert("Unexpected slot count in Test_C_GetSlotList" == NULL); + return CKR_GENERAL_ERROR; + } + } + + *pulCount = slotCount; + return CKR_OK; +} + +static const char TestSlotDescription[] = "Test PKCS11 Slot"; +static const char TestSlot2Description[] = "Test PKCS11 Slot 二"; +static const char TestSlot3Description[] = "Empty PKCS11 Slot"; + +CK_RV Test_C_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { + if (!pInfo) { + return CKR_ARGUMENTS_BAD; + } + + switch (slotID) { + case 1: + CopyString(pInfo->slotDescription, TestSlotDescription); + pInfo->flags = + (tokenPresent ? CKF_TOKEN_PRESENT : 0) | CKF_REMOVABLE_DEVICE; + break; + case 2: + CopyString(pInfo->slotDescription, TestSlot2Description); + pInfo->flags = CKF_TOKEN_PRESENT | CKF_REMOVABLE_DEVICE; + break; + case 3: + CopyString(pInfo->slotDescription, TestSlot3Description); + pInfo->flags = CKF_REMOVABLE_DEVICE; + break; + default: + return CKR_ARGUMENTS_BAD; + } + + CopyString(pInfo->manufacturerID, TestManufacturerID); + pInfo->hardwareVersion = TestLibraryVersion; + pInfo->firmwareVersion = TestLibraryVersion; + return CKR_OK; +} + +// Deliberately include énye to ensure we're handling encoding correctly. +// The PKCS #11 base specification v2.20 specifies that strings be encoded +// as UTF-8. +static const char TestTokenLabel[] = "Test PKCS11 Tokeñ Label"; +static const char TestToken2Label[] = "Test PKCS11 Tokeñ 2 Label"; +static const char TestTokenModel[] = "Test Model"; + +std::atomic<bool> sLoggedIn = false; + +CK_RV Test_C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo) { + if (!pInfo) { + return CKR_ARGUMENTS_BAD; + } + + switch (slotID) { + case 1: + CopyString(pInfo->label, TestTokenLabel); + break; + case 2: + CopyString(pInfo->label, TestToken2Label); + break; + default: + return CKR_ARGUMENTS_BAD; + } + + CopyString(pInfo->manufacturerID, TestManufacturerID); + CopyString(pInfo->model, TestTokenModel); + memset(pInfo->serialNumber, 0, sizeof(pInfo->serialNumber)); + pInfo->flags = CKF_TOKEN_INITIALIZED; + if (slotID == 2) { + pInfo->flags |= CKF_PROTECTED_AUTHENTICATION_PATH | + CKF_USER_PIN_INITIALIZED | CKF_LOGIN_REQUIRED; + } + pInfo->ulMaxSessionCount = 1; + pInfo->ulSessionCount = 0; + pInfo->ulMaxRwSessionCount = 1; + pInfo->ulRwSessionCount = 0; + pInfo->ulMaxPinLen = 4; + pInfo->ulMinPinLen = 4; + pInfo->ulTotalPublicMemory = 1024; + pInfo->ulFreePublicMemory = 1024; + pInfo->ulTotalPrivateMemory = 1024; + pInfo->ulFreePrivateMemory = 1024; + pInfo->hardwareVersion = TestLibraryVersion; + pInfo->firmwareVersion = TestLibraryVersion; + memset(pInfo->utcTime, 0, sizeof(pInfo->utcTime)); + + return CKR_OK; +} + +CK_RV Test_C_GetMechanismList(CK_SLOT_ID, CK_MECHANISM_TYPE_PTR, + CK_ULONG_PTR pulCount) { + if (!pulCount) { + return CKR_ARGUMENTS_BAD; + } + + *pulCount = 0; + return CKR_OK; +} + +CK_RV Test_C_GetMechanismInfo(CK_SLOT_ID, CK_MECHANISM_TYPE, + CK_MECHANISM_INFO_PTR) { + return CKR_OK; +} + +CK_RV Test_C_InitToken(CK_SLOT_ID, CK_UTF8CHAR_PTR, CK_ULONG, CK_UTF8CHAR_PTR) { + return CKR_OK; +} + +CK_RV Test_C_InitPIN(CK_SESSION_HANDLE, CK_UTF8CHAR_PTR, CK_ULONG) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_SetPIN(CK_SESSION_HANDLE, CK_UTF8CHAR_PTR, CK_ULONG, + CK_UTF8CHAR_PTR, CK_ULONG) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_OpenSession(CK_SLOT_ID slotID, CK_FLAGS, CK_VOID_PTR, CK_NOTIFY, + CK_SESSION_HANDLE_PTR phSession) { + switch (slotID) { + case 1: + *phSession = 1; + break; + case 2: + *phSession = 2; + break; + default: + return CKR_ARGUMENTS_BAD; + } + + return CKR_OK; +} + +CK_RV Test_C_CloseSession(CK_SESSION_HANDLE) { return CKR_OK; } + +CK_RV Test_C_CloseAllSessions(CK_SLOT_ID) { return CKR_OK; } + +CK_RV Test_C_GetSessionInfo(CK_SESSION_HANDLE hSession, + CK_SESSION_INFO_PTR pInfo) { + if (!pInfo) { + return CKR_ARGUMENTS_BAD; + } + + switch (hSession) { + case 1: + pInfo->slotID = 1; + pInfo->state = CKS_RO_PUBLIC_SESSION; + break; + case 2: + pInfo->slotID = 2; + pInfo->state = sLoggedIn ? CKS_RO_USER_FUNCTIONS : CKS_RO_PUBLIC_SESSION; + break; + default: + return CKR_ARGUMENTS_BAD; + } + + pInfo->flags = CKF_SERIAL_SESSION; + + return CKR_OK; +} + +CK_RV Test_C_GetOperationState(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_SetOperationState(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, + CK_OBJECT_HANDLE, CK_OBJECT_HANDLE) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_Login(CK_SESSION_HANDLE, CK_USER_TYPE, CK_UTF8CHAR_PTR, CK_ULONG) { + // Sleep for 3 seconds to simulate the user using a protected auth path. +#ifdef WIN32 + Sleep(3000); // Sleep takes the duration argument as milliseconds +#else + usleep(3000000); // usleep takes the duration argument as microseconds +#endif + sLoggedIn = true; + return CKR_OK; +} + +CK_RV Test_C_Logout(CK_SESSION_HANDLE) { + sLoggedIn = false; + return CKR_OK; +} + +CK_RV Test_C_CreateObject(CK_SESSION_HANDLE, CK_ATTRIBUTE_PTR, CK_ULONG, + CK_OBJECT_HANDLE_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_CopyObject(CK_SESSION_HANDLE, CK_OBJECT_HANDLE, CK_ATTRIBUTE_PTR, + CK_ULONG, CK_OBJECT_HANDLE_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_DestroyObject(CK_SESSION_HANDLE, CK_OBJECT_HANDLE) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_GetObjectSize(CK_SESSION_HANDLE, CK_OBJECT_HANDLE, CK_ULONG_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_GetAttributeValue(CK_SESSION_HANDLE, CK_OBJECT_HANDLE, + CK_ATTRIBUTE_PTR, CK_ULONG) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_SetAttributeValue(CK_SESSION_HANDLE, CK_OBJECT_HANDLE, + CK_ATTRIBUTE_PTR, CK_ULONG) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_FindObjectsInit(CK_SESSION_HANDLE, CK_ATTRIBUTE_PTR, CK_ULONG) { + return CKR_OK; +} + +CK_RV Test_C_FindObjects(CK_SESSION_HANDLE, CK_OBJECT_HANDLE_PTR, CK_ULONG, + CK_ULONG_PTR pulObjectCount) { + *pulObjectCount = 0; + return CKR_OK; +} + +CK_RV Test_C_FindObjectsFinal(CK_SESSION_HANDLE) { return CKR_OK; } + +CK_RV Test_C_EncryptInit(CK_SESSION_HANDLE, CK_MECHANISM_PTR, + CK_OBJECT_HANDLE) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_Encrypt(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, + CK_ULONG_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_EncryptUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, + CK_BYTE_PTR, CK_ULONG_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_EncryptFinal(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_DecryptInit(CK_SESSION_HANDLE, CK_MECHANISM_PTR, + CK_OBJECT_HANDLE) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_Decrypt(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, + CK_ULONG_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_DecryptUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, + CK_BYTE_PTR, CK_ULONG_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_DecryptFinal(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_DigestInit(CK_SESSION_HANDLE, CK_MECHANISM_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_Digest(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, + CK_ULONG_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_DigestUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_DigestKey(CK_SESSION_HANDLE, CK_OBJECT_HANDLE) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_DigestFinal(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_SignInit(CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_Sign(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, + CK_ULONG_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_SignUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_SignFinal(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_SignRecoverInit(CK_SESSION_HANDLE, CK_MECHANISM_PTR, + CK_OBJECT_HANDLE) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_SignRecover(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, + CK_ULONG_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_VerifyInit(CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_Verify(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, + CK_ULONG) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_VerifyUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_VerifyFinal(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_VerifyRecoverInit(CK_SESSION_HANDLE, CK_MECHANISM_PTR, + CK_OBJECT_HANDLE) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_VerifyRecover(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, + CK_BYTE_PTR, CK_ULONG_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_DigestEncryptUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, + CK_BYTE_PTR, CK_ULONG_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_DecryptDigestUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, + CK_BYTE_PTR, CK_ULONG_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_SignEncryptUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, + CK_BYTE_PTR, CK_ULONG_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_DecryptVerifyUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, + CK_BYTE_PTR, CK_ULONG_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_GenerateKey(CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_ATTRIBUTE_PTR, + CK_ULONG, CK_OBJECT_HANDLE_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_GenerateKeyPair(CK_SESSION_HANDLE, CK_MECHANISM_PTR, + CK_ATTRIBUTE_PTR, CK_ULONG, CK_ATTRIBUTE_PTR, + CK_ULONG, CK_OBJECT_HANDLE_PTR, + CK_OBJECT_HANDLE_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_WrapKey(CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE, + CK_OBJECT_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_UnwrapKey(CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE, + CK_BYTE_PTR, CK_ULONG, CK_ATTRIBUTE_PTR, CK_ULONG, + CK_OBJECT_HANDLE_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_DeriveKey(CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE, + CK_ATTRIBUTE_PTR, CK_ULONG, CK_OBJECT_HANDLE_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_SeedRandom(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_GenerateRandom(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_GetFunctionStatus(CK_SESSION_HANDLE) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_CancelFunction(CK_SESSION_HANDLE) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_WaitForSlotEvent(CK_FLAGS, CK_SLOT_ID_PTR pSlot, CK_VOID_PTR) { +#ifdef WIN32 + Sleep(50); // Sleep takes the duration argument as milliseconds +#else + usleep(50000); // usleep takes the duration argument as microseconds +#endif + *pSlot = 1; + tokenPresent = !tokenPresent; + return CKR_OK; +} + +static CK_FUNCTION_LIST FunctionList = {{2, 2}, + Test_C_Initialize, + Test_C_Finalize, + Test_C_GetInfo, + Test_C_GetFunctionList, + Test_C_GetSlotList, + Test_C_GetSlotInfo, + Test_C_GetTokenInfo, + Test_C_GetMechanismList, + Test_C_GetMechanismInfo, + Test_C_InitToken, + Test_C_InitPIN, + Test_C_SetPIN, + Test_C_OpenSession, + Test_C_CloseSession, + Test_C_CloseAllSessions, + Test_C_GetSessionInfo, + Test_C_GetOperationState, + Test_C_SetOperationState, + Test_C_Login, + Test_C_Logout, + Test_C_CreateObject, + Test_C_CopyObject, + Test_C_DestroyObject, + Test_C_GetObjectSize, + Test_C_GetAttributeValue, + Test_C_SetAttributeValue, + Test_C_FindObjectsInit, + Test_C_FindObjects, + Test_C_FindObjectsFinal, + Test_C_EncryptInit, + Test_C_Encrypt, + Test_C_EncryptUpdate, + Test_C_EncryptFinal, + Test_C_DecryptInit, + Test_C_Decrypt, + Test_C_DecryptUpdate, + Test_C_DecryptFinal, + Test_C_DigestInit, + Test_C_Digest, + Test_C_DigestUpdate, + Test_C_DigestKey, + Test_C_DigestFinal, + Test_C_SignInit, + Test_C_Sign, + Test_C_SignUpdate, + Test_C_SignFinal, + Test_C_SignRecoverInit, + Test_C_SignRecover, + Test_C_VerifyInit, + Test_C_Verify, + Test_C_VerifyUpdate, + Test_C_VerifyFinal, + Test_C_VerifyRecoverInit, + Test_C_VerifyRecover, + Test_C_DigestEncryptUpdate, + Test_C_DecryptDigestUpdate, + Test_C_SignEncryptUpdate, + Test_C_DecryptVerifyUpdate, + Test_C_GenerateKey, + Test_C_GenerateKeyPair, + Test_C_WrapKey, + Test_C_UnwrapKey, + Test_C_DeriveKey, + Test_C_SeedRandom, + Test_C_GenerateRandom, + Test_C_GetFunctionStatus, + Test_C_CancelFunction, + Test_C_WaitForSlotEvent}; + +CK_RV C_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR ppFunctionList) { + *ppFunctionList = &FunctionList; + return CKR_OK; +} diff --git a/security/manager/ssl/tests/unit/pkcs11testmodule/pkcs11testmodule.symbols b/security/manager/ssl/tests/unit/pkcs11testmodule/pkcs11testmodule.symbols new file mode 100644 index 0000000000..562ecea21d --- /dev/null +++ b/security/manager/ssl/tests/unit/pkcs11testmodule/pkcs11testmodule.symbols @@ -0,0 +1 @@ +C_GetFunctionList diff --git a/security/manager/ssl/tests/unit/requirements.txt b/security/manager/ssl/tests/unit/requirements.txt new file mode 100644 index 0000000000..095fcb04fc --- /dev/null +++ b/security/manager/ssl/tests/unit/requirements.txt @@ -0,0 +1,6 @@ +lxml +pyasn1 == 0.3.7 +pyasn1_modules == 0.1.5 +ecc +mock +rsa diff --git a/security/manager/ssl/tests/unit/sign_app.py b/security/manager/ssl/tests/unit/sign_app.py new file mode 100755 index 0000000000..5b57e73c4d --- /dev/null +++ b/security/manager/ssl/tests/unit/sign_app.py @@ -0,0 +1,426 @@ +#!/usr/bin/env python3 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +""" +Given a directory of files, packages them up and signs the +resulting zip file. Mainly for creating test inputs to the +nsIX509CertDB.openSignedAppFileAsync API. +""" +from base64 import b64encode +from cbor2 import dumps +from cbor2.types import CBORTag +from hashlib import sha1, sha256 +import argparse +from io import StringIO +import os +import re +import six +import sys +import zipfile + +# These libraries moved to security/manager/tools/ in bug 1699294. +sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "..", "tools")) +import pycert +import pycms +import pykey + +ES256 = -7 +ES384 = -35 +ES512 = -36 +KID = 4 +ALG = 1 +COSE_Sign = 98 + + +def coseAlgorithmToPykeyHash(algorithm): + """Helper function that takes one of (ES256, ES384, ES512) + and returns the corresponding pykey.HASH_* identifier.""" + if algorithm == ES256: + return pykey.HASH_SHA256 + if algorithm == ES384: + return pykey.HASH_SHA384 + if algorithm == ES512: + return pykey.HASH_SHA512 + raise UnknownCOSEAlgorithmError(algorithm) + + +# COSE_Signature = [ +# protected : serialized_map, +# unprotected : {}, +# signature : bstr +# ] + + +def coseSignature(payload, algorithm, signingKey, signingCertificate, bodyProtected): + """Returns a COSE_Signature structure. + payload is a string representing the data to be signed + algorithm is one of (ES256, ES384, ES512) + signingKey is a pykey.ECKey to sign the data with + signingCertificate is a byte string + bodyProtected is the serialized byte string of the protected body header + """ + protected = {ALG: algorithm, KID: signingCertificate} + protectedEncoded = dumps(protected) + # Sig_structure = [ + # context : "Signature" + # body_protected : bodyProtected + # sign_protected : protectedEncoded + # external_aad : nil + # payload : bstr + # ] + sigStructure = ["Signature", bodyProtected, protectedEncoded, None, payload] + sigStructureEncoded = dumps(sigStructure) + pykeyHash = coseAlgorithmToPykeyHash(algorithm) + signature = signingKey.signRaw(sigStructureEncoded, pykeyHash) + return [protectedEncoded, {}, signature] + + +# COSE_Sign = [ +# protected : serialized_map, +# unprotected : {}, +# payload : nil, +# signatures : [+ COSE_Signature] +# ] + + +def coseSig(payload, intermediates, signatures): + """Returns the entire (tagged) COSE_Sign structure. + payload is a string representing the data to be signed + intermediates is an array of byte strings + signatures is an array of (algorithm, signingKey, + signingCertificate) triplets to be passed to + coseSignature + """ + protected = {KID: intermediates} + protectedEncoded = dumps(protected) + coseSignatures = [] + for algorithm, signingKey, signingCertificate in signatures: + coseSignatures.append( + coseSignature( + payload, algorithm, signingKey, signingCertificate, protectedEncoded + ) + ) + tagged = CBORTag(COSE_Sign, [protectedEncoded, {}, None, coseSignatures]) + return dumps(tagged) + + +def walkDirectory(directory): + """Given a relative path to a directory, enumerates the + files in the tree rooted at that location. Returns a list + of pairs of paths to those files. The first in each pair + is the full path to the file. The second in each pair is + the path to the file relative to the directory itself.""" + paths = [] + for path, _dirs, files in os.walk(directory): + for f in files: + fullPath = os.path.join(path, f) + internalPath = re.sub(r"^/", "", fullPath.replace(directory, "")) + paths.append((fullPath, internalPath)) + return paths + + +def addManifestEntry(filename, hashes, contents, entries): + """Helper function to fill out a manifest entry. + Takes the filename, a list of (hash function, hash function name) + pairs to use, the contents of the file, and the current list + of manifest entries.""" + entry = "Name: %s\n" % filename + for hashFunc, name in hashes: + base64hash = b64encode(hashFunc(contents).digest()).decode("ascii") + entry += "%s-Digest: %s\n" % (name, base64hash) + entries.append(entry) + + +def getCert(subject, keyName, issuerName, ee, issuerKey="", validity=""): + """Helper function to create an X509 cert from a specification. + Takes the subject, the subject key name to use, the issuer name, + a bool whether this is an EE cert or not, and optionally an issuer key + name.""" + certSpecification = ( + "issuer:%s\n" % issuerName + + "subject:" + + subject + + "\n" + + "subjectKey:%s\n" % keyName + ) + if ee: + certSpecification += "extension:keyUsage:digitalSignature" + else: + certSpecification += ( + "extension:basicConstraints:cA,\n" + + "extension:keyUsage:cRLSign,keyCertSign" + ) + if issuerKey: + certSpecification += "\nissuerKey:%s" % issuerKey + if validity: + certSpecification += "\nvalidity:%s" % validity + certSpecificationStream = StringIO() + print(certSpecification, file=certSpecificationStream) + certSpecificationStream.seek(0) + return pycert.Certificate(certSpecificationStream) + + +def coseAlgorithmToSignatureParams(coseAlgorithm, issuerName, certValidity): + """Given a COSE algorithm ('ES256', 'ES384', 'ES512') and an issuer + name, returns a (algorithm id, pykey.ECCKey, encoded certificate) + triplet for use with coseSig. + """ + if coseAlgorithm == "ES256": + keyName = "secp256r1" + algId = ES256 + elif coseAlgorithm == "ES384": + keyName = "secp384r1" + algId = ES384 + elif coseAlgorithm == "ES512": + keyName = "secp521r1" # COSE uses the hash algorithm; this is the curve + algId = ES512 + else: + raise UnknownCOSEAlgorithmError(coseAlgorithm) + key = pykey.ECCKey(keyName) + # The subject must differ to avoid errors when importing into NSS later. + ee = getCert( + "xpcshell signed app test signer " + keyName, + keyName, + issuerName, + True, + "default", + certValidity, + ) + return (algId, key, ee.toDER()) + + +def signZip( + appDirectory, + outputFile, + issuerName, + rootName, + certValidity, + manifestHashes, + signatureHashes, + pkcs7Hashes, + coseAlgorithms, + emptySignerInfos, + headerPaddingFactor, +): + """Given a directory containing the files to package up, + an output filename to write to, the name of the issuer of + the signing certificate, the name of trust anchor, a list of hash algorithms + to use in the manifest file, a similar list for the signature file, + a similar list for the pkcs#7 signature, a list of COSE signature algorithms + to include, whether the pkcs#7 signer info should be kept empty, and how + many MB to pad the manifests by (to test handling large manifest files), + packages up the files in the directory and creates the output as + appropriate.""" + # The header of each manifest starts with the magic string + # 'Manifest-Version: 1.0' and ends with a blank line. There can be + # essentially anything after the first line before the blank line. + mfEntries = ["Manifest-Version: 1.0"] + if headerPaddingFactor > 0: + # In this format, each line can only be 72 bytes long. We make + # our padding 50 bytes per line (49 of content and one newline) + # so the math is easy. + singleLinePadding = "a" * 49 + # 1000000 / 50 = 20000 + allPadding = [singleLinePadding] * (headerPaddingFactor * 20000) + mfEntries.extend(allPadding) + # Append the blank line. + mfEntries.append("") + + with zipfile.ZipFile(outputFile, "w", zipfile.ZIP_DEFLATED) as outZip: + for fullPath, internalPath in walkDirectory(appDirectory): + with open(fullPath, "rb") as inputFile: + contents = inputFile.read() + outZip.writestr(internalPath, contents) + + # Add the entry to the manifest we're building + addManifestEntry(internalPath, manifestHashes, contents, mfEntries) + + if len(coseAlgorithms) > 0: + coseManifest = "\n".join(mfEntries) + outZip.writestr("META-INF/cose.manifest", coseManifest) + coseManifest = six.ensure_binary(coseManifest) + addManifestEntry( + "META-INF/cose.manifest", manifestHashes, coseManifest, mfEntries + ) + intermediates = [] + coseIssuerName = issuerName + if rootName: + coseIssuerName = "xpcshell signed app test issuer" + intermediate = getCert( + coseIssuerName, + "default", + rootName, + False, + "", + certValidity, + ) + intermediate = intermediate.toDER() + intermediates.append(intermediate) + signatures = [ + coseAlgorithmToSignatureParams( + coseAlgorithm, + coseIssuerName, + certValidity, + ) + for coseAlgorithm in coseAlgorithms + ] + coseSignatureBytes = coseSig(coseManifest, intermediates, signatures) + outZip.writestr("META-INF/cose.sig", coseSignatureBytes) + addManifestEntry( + "META-INF/cose.sig", manifestHashes, coseSignatureBytes, mfEntries + ) + + if len(pkcs7Hashes) != 0 or emptySignerInfos: + mfContents = "\n".join(mfEntries) + sfContents = "Signature-Version: 1.0\n" + for hashFunc, name in signatureHashes: + hashed = hashFunc(six.ensure_binary(mfContents)).digest() + base64hash = b64encode(hashed).decode("ascii") + sfContents += "%s-Digest-Manifest: %s\n" % (name, base64hash) + + cmsSpecification = "" + for name in pkcs7Hashes: + hashFunc, _ = hashNameToFunctionAndIdentifier(name) + cmsSpecification += "%s:%s\n" % ( + name, + hashFunc(six.ensure_binary(sfContents)).hexdigest(), + ) + cmsSpecification += ( + "signer:\n" + + "issuer:%s\n" % issuerName + + "subject:xpcshell signed app test signer\n" + + "extension:keyUsage:digitalSignature" + ) + if certValidity: + cmsSpecification += "\nvalidity:%s" % certValidity + cmsSpecificationStream = StringIO() + print(cmsSpecification, file=cmsSpecificationStream) + cmsSpecificationStream.seek(0) + cms = pycms.CMS(cmsSpecificationStream) + p7 = cms.toDER() + outZip.writestr("META-INF/A.RSA", p7) + outZip.writestr("META-INF/A.SF", sfContents) + outZip.writestr("META-INF/MANIFEST.MF", mfContents) + + +class Error(Exception): + """Base class for exceptions in this module.""" + + pass + + +class UnknownHashAlgorithmError(Error): + """Helper exception type to handle unknown hash algorithms.""" + + def __init__(self, name): + super(UnknownHashAlgorithmError, self).__init__() + self.name = name + + def __str__(self): + return "Unknown hash algorithm %s" % repr(self.name) + + +class UnknownCOSEAlgorithmError(Error): + """Helper exception type to handle unknown COSE algorithms.""" + + def __init__(self, name): + super(UnknownCOSEAlgorithmError, self).__init__() + self.name = name + + def __str__(self): + return "Unknown COSE algorithm %s" % repr(self.name) + + +def hashNameToFunctionAndIdentifier(name): + if name == "sha1": + return (sha1, "SHA1") + if name == "sha256": + return (sha256, "SHA256") + raise UnknownHashAlgorithmError(name) + + +def main(outputFile, appPath, *args): + """Main entrypoint. Given an already-opened file-like + object, a path to the app directory to sign, and some + optional arguments, signs the contents of the directory and + writes the resulting package to the 'file'.""" + parser = argparse.ArgumentParser(description="Sign an app.") + parser.add_argument( + "-i", + "--issuer", + action="store", + help="Issuer name", + default="xpcshell signed apps test root", + ) + parser.add_argument("-r", "--root", action="store", help="Root name", default="") + parser.add_argument( + "--cert-validity", + action="store", + help="Certificate validity; YYYYMMDD-YYYYMMDD or duration in days", + default="", + ) + parser.add_argument( + "-m", + "--manifest-hash", + action="append", + help="Hash algorithms to use in manifest", + default=[], + ) + parser.add_argument( + "-s", + "--signature-hash", + action="append", + help="Hash algorithms to use in signature file", + default=[], + ) + parser.add_argument( + "-c", + "--cose-sign", + action="append", + help="Append a COSE signature with the given " + + "algorithms (out of ES256, ES384, and ES512)", + default=[], + ) + parser.add_argument( + "-z", + "--pad-headers", + action="store", + default=0, + help="Pad the header sections of the manifests " + + "with X MB of repetitive data", + ) + group = parser.add_mutually_exclusive_group() + group.add_argument( + "-p", + "--pkcs7-hash", + action="append", + help="Hash algorithms to use in PKCS#7 signature", + default=[], + ) + group.add_argument( + "-e", + "--empty-signerInfos", + action="store_true", + help="Emit pkcs#7 SignedData with empty signerInfos", + ) + parsed = parser.parse_args(args) + if len(parsed.manifest_hash) == 0: + parsed.manifest_hash.append("sha256") + if len(parsed.signature_hash) == 0: + parsed.signature_hash.append("sha256") + signZip( + appPath, + outputFile, + parsed.issuer, + parsed.root, + parsed.cert_validity, + [hashNameToFunctionAndIdentifier(h) for h in parsed.manifest_hash], + [hashNameToFunctionAndIdentifier(h) for h in parsed.signature_hash], + parsed.pkcs7_hash, + parsed.cose_sign, + parsed.empty_signerInfos, + int(parsed.pad_headers), + ) diff --git a/security/manager/ssl/tests/unit/test_add_preexisting_cert.js b/security/manager/ssl/tests/unit/test_add_preexisting_cert.js new file mode 100644 index 0000000000..8e165b2b8d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_add_preexisting_cert.js @@ -0,0 +1,46 @@ +/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +// Tests that adding a certificate already present in the certificate database +// with different trust bits than those stored in the database does not result +// in the new trust bits being ignored. + +do_get_profile(); +var certDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +function load_cert(cert, trust) { + let file = "test_intermediate_basic_usage_constraints/" + cert + ".pem"; + return addCertFromFile(certDB, file, trust); +} + +add_task(async function () { + load_cert("ca", "CTu,CTu,CTu"); + let int_cert = load_cert("int-limited-depth", "CTu,CTu,CTu"); + let file = + "test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem"; + let cert_pem = readFile(do_get_file(file)); + let ee = certDB.constructX509FromBase64(pemToBase64(cert_pem)); + await checkCertErrorGeneric( + certDB, + ee, + PRErrorCodeSuccess, + certificateUsageSSLServer + ); + // Change the already existing intermediate certificate's trust using + // addCertFromBase64(). + notEqual(int_cert, null, "Intermediate cert should be in the cert DB"); + let base64_cert = int_cert.getBase64DERString(); + let returnedEE = certDB.addCertFromBase64(base64_cert, "p,p,p"); + notEqual(returnedEE, null, "addCertFromBase64 should return a certificate"); + await checkCertErrorGeneric( + certDB, + ee, + SEC_ERROR_UNTRUSTED_ISSUER, + certificateUsageSSLServer + ); +}); diff --git a/security/manager/ssl/tests/unit/test_allow_all_cert_errors.js b/security/manager/ssl/tests/unit/test_allow_all_cert_errors.js new file mode 100644 index 0000000000..6bcd71aaf3 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_allow_all_cert_errors.js @@ -0,0 +1,25 @@ +/* -*- tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* Any copyright is dedicated to the Public Domain. + * http://creativecommons.org/publicdomain/zero/1.0/ */ +"use strict"; + +function run_test() { + do_get_profile(); + let certOverrideService = Cc[ + "@mozilla.org/security/certoverride;1" + ].getService(Ci.nsICertOverrideService); + certOverrideService.setDisableAllSecurityChecksAndLetAttackersInterceptMyData( + true + ); + + add_tls_server_setup("BadCertAndPinningServer", "bad_certs"); + add_connection_test("expired.example.com", PRErrorCodeSuccess); + add_test(function () { + certOverrideService.setDisableAllSecurityChecksAndLetAttackersInterceptMyData( + false + ); + run_next_test(); + }); + run_next_test(); +} diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/ca.pem b/security/manager/ssl/tests/unit/test_baseline_requirements/ca.pem new file mode 100644 index 0000000000..161ce88377 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_baseline_requirements/ca.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyTCCAbGgAwIBAgIUXwklABFZn09Yj1azSdQ4kpuizxYwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxMDAxMDEwMDAwMDBaGA8yMDUwMDEwMTAw +MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG +m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr +bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4 +SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3 +/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z +FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYD +VR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQCdpP06UqpAnAAak/i4+LShrIG/ +DdjHLQ8qLChBdPkT6Gxx1XVoNfG3GJsIGCoOf6isORMfBlBXiR5kmLFTE3kJhA/I +pDxDGYDqt9DNb0fxeMpOJxwQ+mBMZIKLPu+nk4jTqUrOX8bLwDMiXTbFeY91SUr8 +4b43YzXVorVQSlYOfcsmrnEfmfJNauHBrzak5BQhsEXHqAI7qV9TCQA1+cGwH8jb +Aw2SyVu1usAyHkM2wCisHXeidf3qR6PxmfLMAgHKXBLz3DsXY30xDI4jJS9MySu9 +lhrs1IJf5PdJk5z5viYqZQemuv0R+R7ItbpCHpreUXh2GutiAY4Xsgrhfcer +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/ca.pem.certspec b/security/manager/ssl/tests/unit/test_baseline_requirements/ca.pem.certspec new file mode 100644 index 0000000000..9c21e7adcf --- /dev/null +++ b/security/manager/ssl/tests/unit/test_baseline_requirements/ca.pem.certspec @@ -0,0 +1,5 @@ +issuer:ca +subject:ca +validity:20100101-20500101 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-old.pem b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-old.pem new file mode 100644 index 0000000000..a13b0cbcd1 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-old.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICszCCAZugAwIBAgIUS00fexo4Y4FagP1oiKQiGCJKd/swDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNjA3MjQwMDAwMDBaGA8yMDE2MDkyNDAw +MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEL +BQADggEBAGjMx1NAs2guKp3wRRAWdiAw9NCeX+qCsxxkr4jUdgQ14wZwU2fZ/2rK +7Z/StpwlWN+G4dWwCRCjibKvjauQs+XLT9wMO3U/1VBcQda36duX70ss2SAF9crs +dmZdISevFItTn+W6JNyr1Wt2sSiD4buXpW1UzNwuxnWGpo/a++bMEYaM8KDdz73t +KA9VShYNbcrUZgf70bvCbc8BR3vYUwyIp3fP7TngD/dRLYJyv5ayo9VXVJxOzYU7 +/aRrBvAdAL2w8eQzzYm6uyHlOE+imWYix2QOGNFJIiRXFRTii9Rr0o4geW7x2wZJ ++TzO4XPVlax1h6KDPRLsmwhbJDAMuUU= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-old.pem.certspec b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-old.pem.certspec new file mode 100644 index 0000000000..7a34d0758f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-old.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:example.com +validity:20160724-20160924 diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-older.pem b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-older.pem new file mode 100644 index 0000000000..f2bb8c97d9 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-older.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICszCCAZugAwIBAgIUZ3gdKZRvWFYArMRStT2zAGE6JDQwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNTA3MjQwMDAwMDBaGA8yMDE2MDkyNDAw +MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEL +BQADggEBABERZmWOEZAI2dQHbpXo7BJFw8eigDs8xWGtnu5UbNFs7zGnXzta0L8T +RBoaWeEbsaVpuGQ648eorgQRGwNdL3JkJb0qHtaSl5/raAOvv+YqmGzZhFWcj3ib +WUOWODdFlY3oUzpPjA+IeRzULya6//s8DhEKfVi2mJXc/sS6fE9J234IhKBysyr1 +cRIApw6OCr0V78TbHzEPh1z0QuMKY8hH0lz3JvQqGD59oTEdSJ5VVbmDLxqqmVtA +/i4j2lYkDos2HvHGP7a/LC20FI0lOcSqazSeKc+y2Mand9tDXCU/dEEYMj1IW5rM +z2+96XzCbJBesYFEEfWXG6XysP3UtE0= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-older.pem.certspec b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-older.pem.certspec new file mode 100644 index 0000000000..aa682a7afd --- /dev/null +++ b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-older.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:example.com +validity:20150724-20160924 diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-recent.pem b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-recent.pem new file mode 100644 index 0000000000..7ac56a0689 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-recent.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICszCCAZugAwIBAgIUWxGwhSb8roUQoLNpJajl0X8jk10wDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNjA4MjQwMDAwMDBaGA8yMDE2MDkyNDAw +MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEL +BQADggEBAKxEoWUrHht8zENUlC/3tj/KbDSeaIy5nVE49aJRqHwuSczG5PTDn7sD +rjl6Qq2rx3Z3ftZxJNIdpS3BUeUJ+FsQ2fK3ckDyeWkzxADlWp2l2bgKDtnW5Xjw +lfzFt1Z/4PUmz0JyNGqijvpT/YYM9uM5OOKmKvy6C/6HiIMI2f5pVHM2bFWLuHLI +p9yqp056EKPWCEQbkqseXLS0O8ZyxAyW4kHezUQzn1KFq9IGZu5sBZ8Imop0xnal +2wXCuEisuAIOQNb1l9t+hf/P53+oRLjPbJzuzLZGSNA5PzoTbmZOqOdJS+kCNGCX +IahLlU3dPILDlvl8DLFhk+lz9mA8x90= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-recent.pem.certspec b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-recent.pem.certspec new file mode 100644 index 0000000000..e38478165c --- /dev/null +++ b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-recent.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:example.com +validity:20160824-20160924 diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-old.pem b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-old.pem new file mode 100644 index 0000000000..ba11dcc152 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-old.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5TCCAc2gAwIBAgIUOWkKeR6blD0zzhElEnCm4eSqLTAwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNjA3MjQwMDAwMDBaGA8yMDE2MDkyNDAw +MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjMDAuMCwGA1UdEQQl +MCOkITAfMR0wGwYDVQQKDBRFeGFtcGxlIE9yZ2FuaXphdGlvbjANBgkqhkiG9w0B +AQsFAAOCAQEACPZ4Ed3iONrIIKtg3865taT5TUj4Ts3tnYn4riFqojr6h/CHEDPR +LStAJ4yYGQoTTzQzaxYjEZXHIEI/bCZ1VpGNpZt8DXWsJWwJgt8QUNeYT0eFFE2M +CjrLJC1OIQRvlR89WEbk/q45KBQC0faeizqkAn+YUSG8mjHHbmSO8PWbh4z0YYlg +BjwhTRFWUmWfQKC+mHyWblbYyFKlsFWf6cGOd4qE8N/hIz7oPzI4IPN1EQ/IfaQy +WOOyxPZeu+J5VPlPE10nV5afoRcPLh/6vTwH85tPGzxWU4Jo4NDtFOtZAZR/S7sO +OB/ST8Dbvs7qQFfRtgCtpEMicG7kxO1F+Q== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-old.pem.certspec b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-old.pem.certspec new file mode 100644 index 0000000000..41817bde75 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-old.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:example.com +validity:20160724-20160924 +extension:subjectAlternativeName:/O=Example Organization diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-older.pem b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-older.pem new file mode 100644 index 0000000000..6882ba0554 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-older.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5TCCAc2gAwIBAgIUG1q3+RCKIizPHadkamCYLL7cp2swDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNTA3MjQwMDAwMDBaGA8yMDE2MDkyNDAw +MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjMDAuMCwGA1UdEQQl +MCOkITAfMR0wGwYDVQQKDBRFeGFtcGxlIE9yZ2FuaXphdGlvbjANBgkqhkiG9w0B +AQsFAAOCAQEAqa/ayP8zXODUJJmuZLTJsdT2VaqbOh2WWk2bC2A82feGvCevLuL0 +0gPk+001Zx49Y1erMmt2M1cKtf2Lob8SGLNGUlJf2K7SNJTk7nyog+4UIlK4Hsxo +CQ9sqKGJjkwHTDK1rB9gSW4e27Taj6tudnsUfgKWVzERxipebtLsCvz8Jfa0YLRI +bGr6L4LoWiN2RNiK7/IOycfJ8VLDlBRouHD2Xfu0pFcvymMvfOC7GG4oBAacCKGn +muUfoODgKw2yCIOSe7jsJOQ9yOp03sRipISfO0TALFzJX0V5+7CYDLZYR8vs/F/4 +0cIqkhwyCfUWYsGI4gPPR/nVxNvTRZhiFw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-older.pem.certspec b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-older.pem.certspec new file mode 100644 index 0000000000..65acf0b024 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-older.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:example.com +validity:20150724-20160924 +extension:subjectAlternativeName:/O=Example Organization diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-recent.pem b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-recent.pem new file mode 100644 index 0000000000..cd87acfe48 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-recent.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5TCCAc2gAwIBAgIUD1kNqQ0aKQ2TJjGUYztUh8I7j4AwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNjA4MjQwMDAwMDBaGA8yMDE2MDkyNDAw +MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjMDAuMCwGA1UdEQQl +MCOkITAfMR0wGwYDVQQKDBRFeGFtcGxlIE9yZ2FuaXphdGlvbjANBgkqhkiG9w0B +AQsFAAOCAQEAU9n5I/Hdfod2fPBYWHZA/5/SabHkOBUHfrg6UUQYeHagVbqmoTQD +M5F/DcDna+w6nHagIC/GRHBHkgY3Syh8QK5LnL3zi5tC0u4dzysDUjWtEAEgIcWA +/pYtp6qZwJzxvn68PTnYnFDL61+LDLxlUBa2iRieRkCUOokCLL4ce3jsSTuJ+mGk +XoaRrRREgtG5loYK8hFXM1RDkzyCa82DF/qD+iYgUJS9LMXrsksIRHP7Lqzhnwba +Q4N8rgsBDFkNTEAmGcnTLMTlfO+SyKdHZI4n9VHdUQ1n38qFn70jj1YjcqEOFKXb +wldSrYMedEOFVWyXaVWmxMwMTiDIKWMoxg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-recent.pem.certspec b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-recent.pem.certspec new file mode 100644 index 0000000000..140c201434 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-recent.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:example.com +validity:20160824-20160924 +extension:subjectAlternativeName:/O=Example Organization diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements_subject_common_name.js b/security/manager/ssl/tests/unit/test_baseline_requirements_subject_common_name.js new file mode 100644 index 0000000000..514964b5fb --- /dev/null +++ b/security/manager/ssl/tests/unit/test_baseline_requirements_subject_common_name.js @@ -0,0 +1,78 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +"use strict"; + +do_get_profile(); // must be called before getting nsIX509CertDB +const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +function certFromFile(certName) { + return constructCertFromFile(`test_baseline_requirements/${certName}.pem`); +} + +function loadCertWithTrust(certName, trustString) { + addCertFromFile( + gCertDB, + `test_baseline_requirements/${certName}.pem`, + trustString + ); +} + +function checkCertOn25August2016(cert, expectedResult) { + // (new Date("2016-08-25T00:00:00Z")).getTime() / 1000 + const VALIDATION_TIME = 1472083200; + return checkCertErrorGenericAtTime( + gCertDB, + cert, + expectedResult, + certificateUsageSSLServer, + VALIDATION_TIME, + false, + "example.com" + ); +} + +add_task(async function () { + registerCleanupFunction(() => { + Services.prefs.clearUserPref("privacy.reduceTimerPrecision"); + }); + + Services.prefs.setBoolPref("privacy.reduceTimerPrecision", false); + + loadCertWithTrust("ca", "CTu,,"); + + // At one time there was a preference security.pki.name_matching_mode that + // controlled whether or not mozilla::pkix would fall back to using a + // certificate's subject common name during name matching. This no longer + // exists, and certificates that previously required the fallback should fail + // to verify. + + await checkCertOn25August2016( + certFromFile("no-san-recent"), + SSL_ERROR_BAD_CERT_DOMAIN + ); + await checkCertOn25August2016( + certFromFile("no-san-old"), + SSL_ERROR_BAD_CERT_DOMAIN + ); + await checkCertOn25August2016( + certFromFile("no-san-older"), + SSL_ERROR_BAD_CERT_DOMAIN + ); + await checkCertOn25August2016( + certFromFile("san-contains-no-hostnames-recent"), + SSL_ERROR_BAD_CERT_DOMAIN + ); + await checkCertOn25August2016( + certFromFile("san-contains-no-hostnames-old"), + SSL_ERROR_BAD_CERT_DOMAIN + ); + await checkCertOn25August2016( + certFromFile("san-contains-no-hostnames-older"), + SSL_ERROR_BAD_CERT_DOMAIN + ); +}); diff --git a/security/manager/ssl/tests/unit/test_blocklist_onecrl.js b/security/manager/ssl/tests/unit/test_blocklist_onecrl.js new file mode 100644 index 0000000000..d82a493f16 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_blocklist_onecrl.js @@ -0,0 +1,148 @@ +"use strict"; + +do_get_profile(); + +const { Utils } = ChromeUtils.importESModule( + "resource://services-settings/Utils.sys.mjs" +); +const { RemoteSettings } = ChromeUtils.importESModule( + "resource://services-settings/remote-settings.sys.mjs" +); +const { RemoteSecuritySettings } = ChromeUtils.importESModule( + "resource://gre/modules/psm/RemoteSecuritySettings.sys.mjs" +); +const { OneCRLBlocklistClient } = RemoteSecuritySettings.init(); + +add_task(async function test_uses_a_custom_signer() { + Assert.notEqual( + OneCRLBlocklistClient.signerName, + RemoteSettings("not-specified").signerName + ); +}); + +add_task(async function test_has_initial_dump() { + Assert.ok( + await Utils.hasLocalDump( + OneCRLBlocklistClient.bucketName, + OneCRLBlocklistClient.collectionName + ) + ); +}); + +add_task(async function test_default_jexl_filter_is_used() { + Assert.deepEqual( + OneCRLBlocklistClient.filterFunc, + RemoteSettings("not-specified").filterFunc + ); +}); + +add_task( + async function test_revocations_are_updated_on_sync_with_cert_storage() { + const certStorage = Cc["@mozilla.org/security/certstorage;1"].getService( + Ci.nsICertStorage + ); + const has_revocations = () => + new Promise(resolve => { + certStorage.hasPriorData( + Ci.nsICertStorage.DATA_TYPE_REVOCATION, + (rv, hasPriorData) => { + if (rv == Cr.NS_OK) { + return resolve(hasPriorData); + } + return resolve(false); + } + ); + }); + + Assert.ok(!(await has_revocations())); + + await OneCRLBlocklistClient.emit("sync", { + data: { + current: [], + created: [ + { + issuerName: "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=", + serialNumber: "a0X7/7DlTaedpgrIJg25iBPOkIM=", + }, + ], + updated: [], + deleted: [], + }, + }); + + Assert.ok(await has_revocations()); + } +); + +add_task(async function test_updated_entry() { + // Revoke a particular issuer/serial number. + await OneCRLBlocklistClient.emit("sync", { + data: { + current: [], + created: [ + { + issuerName: "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=", + serialNumber: "a0X7/7DlTaedpgrIJg25iBPOkIM=", + }, + ], + updated: [], + deleted: [], + }, + }); + const certStorage = Cc["@mozilla.org/security/certstorage;1"].getService( + Ci.nsICertStorage + ); + let issuerArray = [ + 0x30, 0x12, 0x31, 0x10, 0x30, 0xe, 0x6, 0x3, 0x55, 0x4, 0x3, 0xc, 0x7, 0x54, + 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, + ]; + let serialArray = [ + 0x6b, 0x45, 0xfb, 0xff, 0xb0, 0xe5, 0x4d, 0xa7, 0x9d, 0xa6, 0xa, 0xc8, 0x26, + 0xd, 0xb9, 0x88, 0x13, 0xce, 0x90, 0x83, + ]; + let revocationState = certStorage.getRevocationState( + issuerArray, + serialArray, + [], + [] + ); + Assert.equal(revocationState, Ci.nsICertStorage.STATE_ENFORCE); + + // Update the revocation to be a different serial number; the original + // (issuer, serial) pair should now not be revoked. + await OneCRLBlocklistClient.emit("sync", { + data: { + current: [], + created: [], + updated: [ + { + old: { + issuerName: "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=", + serialNumber: "a0X7/7DlTaedpgrIJg25iBPOkIM=", + }, + new: { + issuerName: "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=", + serialNumber: "ALtF+/+w5U0=", + }, + }, + ], + deleted: [], + }, + }); + let oldRevocationState = certStorage.getRevocationState( + issuerArray, + serialArray, + [], + [] + ); + Assert.equal(oldRevocationState, Ci.nsICertStorage.STATE_UNSET); + + let newSerialArray = [0x00, 0xbb, 0x45, 0xfb, 0xff, 0xb0, 0xe5, 0x4d]; + let newRevocationState = certStorage.getRevocationState( + issuerArray, + newSerialArray, + [], + [] + ); + Assert.equal(newRevocationState, Ci.nsICertStorage.STATE_ENFORCE); +}); diff --git a/security/manager/ssl/tests/unit/test_broken_fips.js b/security/manager/ssl/tests/unit/test_broken_fips.js new file mode 100644 index 0000000000..2aac2496f7 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_broken_fips.js @@ -0,0 +1,61 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +"use strict"; + +// Tests that if Firefox attempts and fails to load a PKCS#11 module DB that was +// in FIPS mode, Firefox can still make use of keys in the key database. +// secomd.db can be created via `certutil -N -d <dir>`. Putting it in FIPS mode +// involves running `modutil -fips true -dbdir <dir>`. key4.db is from +// test_sdr_preexisting/key4.db. + +function run_test() { + // Append a single quote and non-ASCII characters to the profile path. + let profd = Services.env.get("XPCSHELL_TEST_PROFILE_DIR"); + let file = Cc["@mozilla.org/file/local;1"].createInstance(Ci.nsIFile); + file.initWithPath(profd); + file.append("'÷1"); + Services.env.set("XPCSHELL_TEST_PROFILE_DIR", file.path); + + let profile = do_get_profile(); // must be called before getting nsIX509CertDB + Assert.ok( + /[^\x20-\x7f]/.test(profile.path), + "the profile path should contain a non-ASCII character" + ); + + let keyDBName = "key4.db"; + let keyDBFile = do_get_file(`test_broken_fips/${keyDBName}`); + keyDBFile.copyTo(profile, keyDBName); + + let pkcs11modDBName = "pkcs11.txt"; + let pkcs11modDBFile = do_get_file(`test_broken_fips/${pkcs11modDBName}`); + pkcs11modDBFile.copyTo(profile, pkcs11modDBName); + + let moduleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService( + Ci.nsIPKCS11ModuleDB + ); + ok(!moduleDB.isFIPSEnabled, "FIPS should not be enabled"); + + let sdr = Cc["@mozilla.org/security/sdr;1"].getService( + Ci.nsISecretDecoderRing + ); + + const encrypted = + "MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECGeDHwVfyFqzBBAYvqMq/kDMsrARVNdC1C8d"; + const expectedResult = "password"; + let decrypted = sdr.decryptString(encrypted); + equal( + decrypted, + expectedResult, + "decrypted ciphertext should match expected plaintext" + ); + + let pkcs11modDBFileFIPS = do_get_profile(); + pkcs11modDBFileFIPS.append(`${pkcs11modDBName}.fips`); + ok( + pkcs11modDBFileFIPS.exists(), + "backed-up PKCS#11 module db should now exist" + ); +} diff --git a/security/manager/ssl/tests/unit/test_broken_fips/key4.db b/security/manager/ssl/tests/unit/test_broken_fips/key4.db Binary files differnew file mode 100644 index 0000000000..8f320dfdbd --- /dev/null +++ b/security/manager/ssl/tests/unit/test_broken_fips/key4.db diff --git a/security/manager/ssl/tests/unit/test_broken_fips/pkcs11.txt b/security/manager/ssl/tests/unit/test_broken_fips/pkcs11.txt new file mode 100644 index 0000000000..78a11f5fa7 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_broken_fips/pkcs11.txt @@ -0,0 +1,5 @@ +library= +name=NSS Internal FIPS PKCS #11 Module +parameters=configdir='.' certPrefix='' keyPrefix='' secmod='' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' +NSS=slotParams={0x00000003=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,SHA256,SHA512,Camellia,SEED,RANDOM ] } Flags=internal,FIPS,critical + diff --git a/security/manager/ssl/tests/unit/test_certDB_export_pkcs12.js b/security/manager/ssl/tests/unit/test_certDB_export_pkcs12.js new file mode 100644 index 0000000000..04fa1c655c --- /dev/null +++ b/security/manager/ssl/tests/unit/test_certDB_export_pkcs12.js @@ -0,0 +1,56 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ +"use strict"; + +// Tests exporting a certificate and key as a PKCS#12 blob and importing it +// again with a new password set. + +do_get_profile(); + +const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +const PKCS12_FILE = "test_certDB_import/cert_from_windows.pfx"; +const CERT_COMMON_NAME = "test_cert_from_windows"; +const TEST_CERT_PASSWORD = "é»’ã„"; + +function findCertByCommonName(commonName) { + for (let cert of gCertDB.getCerts()) { + if (cert.commonName == commonName) { + return cert; + } + } + return null; +} + +function run_test() { + // Import the certificate and key so we have something to export. + let cert = findCertByCommonName(CERT_COMMON_NAME); + equal(cert, null, "cert should not be found before import"); + let certFile = do_get_file(PKCS12_FILE); + ok(certFile, `${PKCS12_FILE} should exist`); + let errorCode = gCertDB.importPKCS12File(certFile, TEST_CERT_PASSWORD); + equal(errorCode, Ci.nsIX509CertDB.Success, "cert should be imported"); + cert = findCertByCommonName(CERT_COMMON_NAME); + notEqual(cert, null, "cert should be found now"); + + // Export the certificate and key. + let output = do_get_tempdir(); + output.append("output.p12"); + ok(!output.exists(), "output shouldn't exist before exporting PKCS12 file"); + errorCode = gCertDB.exportPKCS12File(output, [cert], TEST_CERT_PASSWORD); + equal(errorCode, Ci.nsIX509CertDB.Success, "cert should be exported"); + ok(output.exists(), "output should exist after exporting PKCS12 file"); + + // We should be able to import the exported blob again using the new password. + errorCode = gCertDB.importPKCS12File(output, TEST_CERT_PASSWORD); + equal(errorCode, Ci.nsIX509CertDB.Success, "cert should be imported"); + output.remove(false /* not a directory; recursive doesn't apply */); + + // Ideally there would be some way to confirm that this actually did anything. + // Unfortunately, since deleting a certificate currently doesn't actually do + // anything until the platform is restarted, we can't confirm that we + // successfully re-imported the certificate. +} diff --git a/security/manager/ssl/tests/unit/test_certDB_export_pkcs12_with_primary_password.js b/security/manager/ssl/tests/unit/test_certDB_export_pkcs12_with_primary_password.js new file mode 100644 index 0000000000..25f4ab58bf --- /dev/null +++ b/security/manager/ssl/tests/unit/test_certDB_export_pkcs12_with_primary_password.js @@ -0,0 +1,117 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ +"use strict"; + +// Tests exporting a certificate and key as a PKCS#12 blob if the user has a +// primary password set. + +do_get_profile(); + +const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +const PKCS12_FILE = "test_certDB_import/cert_from_windows.pfx"; +const CERT_COMMON_NAME = "test_cert_from_windows"; +const TEST_CERT_PASSWORD = "é»’ã„"; + +var gPrompt = { + password: "password", + clickOk: true, + + QueryInterface: ChromeUtils.generateQI(["nsIPrompt"]), + + // This intentionally does not use arrow function syntax to avoid an issue + // where in the context of the arrow function, |this != gPrompt| due to + // how objects get wrapped when going across xpcom boundaries. + alert(title, text) { + info(`alert('${text}')`); + ok(false, "not expecting alert() to be called"); + }, + + promptPassword(dialogTitle, text, password, checkMsg, checkValue) { + equal( + text, + "Please enter your Primary Password.", + "password prompt text should be as expected" + ); + equal(checkMsg, null, "checkMsg should be null"); + password.value = this.password; + return this.clickOk; + }, +}; + +const gPromptFactory = { + QueryInterface: ChromeUtils.generateQI(["nsIPromptFactory"]), + getPrompt: (aWindow, aIID) => gPrompt, +}; + +function findCertByCommonName(commonName) { + for (let cert of gCertDB.getCerts()) { + if (cert.commonName == commonName) { + return cert; + } + } + return null; +} + +function run_test() { + let promptFactoryCID = MockRegistrar.register( + "@mozilla.org/prompter;1", + gPromptFactory + ); + + registerCleanupFunction(() => { + MockRegistrar.unregister(promptFactoryCID); + }); + + // Set a primary password. + let tokenDB = Cc["@mozilla.org/security/pk11tokendb;1"].getService( + Ci.nsIPK11TokenDB + ); + let token = tokenDB.getInternalKeyToken(); + token.initPassword("password"); + token.logoutSimple(); + + // Import the certificate and key so we have something to export. + let cert = findCertByCommonName(CERT_COMMON_NAME); + equal(cert, null, "cert should not be found before import"); + let certFile = do_get_file(PKCS12_FILE); + ok(certFile, `${PKCS12_FILE} should exist`); + let errorCode = gCertDB.importPKCS12File(certFile, TEST_CERT_PASSWORD); + equal(errorCode, Ci.nsIX509CertDB.Success, "cert should import"); + cert = findCertByCommonName(CERT_COMMON_NAME); + notEqual(cert, null, "cert should be found now"); + + // Log out so we're prompted for the password. + token.logoutSimple(); + + // Export the certificate and key (and don't cancel the password request + // dialog). + let output = do_get_tempdir(); + output.append("output.p12"); + ok(!output.exists(), "output shouldn't exist before exporting PKCS12 file"); + errorCode = gCertDB.exportPKCS12File(output, [cert], TEST_CERT_PASSWORD); + equal(errorCode, Ci.nsIX509CertDB.Success, "cert should export"); + ok(output.exists(), "output should exist after exporting PKCS12 file"); + output.remove(false /* not a directory; recursive doesn't apply */); + + // Log out again so we're prompted for the password. + token.logoutSimple(); + + // Attempt to export the certificate and key, but this time cancel the + // password request dialog. The export operation should also be canceled. + gPrompt.clickOk = false; + let output2 = do_get_tempdir(); + output2.append("output2.p12"); + ok(!output2.exists(), "output2 shouldn't exist before exporting PKCS12 file"); + errorCode = gCertDB.exportPKCS12File(output, [cert], TEST_CERT_PASSWORD); + equal( + errorCode, + Ci.nsIX509CertDB.ERROR_PKCS12_BACKUP_FAILED, + "cert should not export" + ); + + ok(!output2.exists(), "output2 shouldn't exist after failing to export"); +} diff --git a/security/manager/ssl/tests/unit/test_certDB_import.js b/security/manager/ssl/tests/unit/test_certDB_import.js new file mode 100644 index 0000000000..86c66f4989 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_certDB_import.js @@ -0,0 +1,187 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ +"use strict"; + +// Tests the various nsIX509CertDB import methods. + +do_get_profile(); + +const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +const CA_CERT_COMMON_NAME = "importedCA"; +const TEST_EMAIL_ADDRESS = "test@example.com"; + +let gCACertImportDialogCount = 0; + +// Mock implementation of nsICertificateDialogs. +const gCertificateDialogs = { + confirmDownloadCACert: (ctx, cert, trust) => { + gCACertImportDialogCount++; + equal( + cert.commonName, + CA_CERT_COMMON_NAME, + "CA cert to import should have the correct CN" + ); + trust.value = Ci.nsIX509CertDB.TRUSTED_EMAIL; + return true; + }, + setPKCS12FilePassword: (ctx, password) => { + // This is only relevant to exporting. + ok(false, "setPKCS12FilePassword() should not have been called"); + }, + getPKCS12FilePassword: (ctx, password) => { + // We don't test anything that calls this method yet. + ok(false, "getPKCS12FilePassword() should not have been called"); + }, + + QueryInterface: ChromeUtils.generateQI(["nsICertificateDialogs"]), +}; + +// Implements nsIInterfaceRequestor. Mostly serves to mock nsIPrompt. +const gInterfaceRequestor = { + alert: (title, text) => { + // We don't test anything that calls this method yet. + ok(false, `alert() should not have been called: ${text}`); + }, + + getInterface: iid => { + if (iid.equals(Ci.nsIPrompt)) { + return this; + } + + throw Components.Exception("", Cr.NS_ERROR_NO_INTERFACE); + }, +}; + +function getCertAsByteArray(certPath) { + let certFile = do_get_file(certPath, false); + let certBytes = readFile(certFile); + + let byteArray = []; + for (let i = 0; i < certBytes.length; i++) { + byteArray.push(certBytes.charCodeAt(i)); + } + + return byteArray; +} + +function commonFindCertBy(propertyName, value) { + for (let cert of gCertDB.getCerts()) { + if (cert[propertyName] == value) { + return cert; + } + } + return null; +} + +function findCertByCommonName(commonName) { + return commonFindCertBy("commonName", commonName); +} + +function findCertByEmailAddress(emailAddress) { + return commonFindCertBy("emailAddress", emailAddress); +} + +function testImportCACert() { + // Sanity check the CA cert is missing. + equal( + findCertByCommonName(CA_CERT_COMMON_NAME), + null, + "CA cert should not be in the database before import" + ); + + // Import and check for success. + let caArray = getCertAsByteArray("test_certDB_import/importedCA.pem"); + gCertDB.importCertificates( + caArray, + caArray.length, + Ci.nsIX509Cert.CA_CERT, + gInterfaceRequestor + ); + equal( + gCACertImportDialogCount, + 1, + "Confirmation dialog for the CA cert should only be shown once" + ); + + let caCert = findCertByCommonName(CA_CERT_COMMON_NAME); + notEqual(caCert, null, "CA cert should now be found in the database"); + ok( + gCertDB.isCertTrusted( + caCert, + Ci.nsIX509Cert.CA_CERT, + Ci.nsIX509CertDB.TRUSTED_EMAIL + ), + "CA cert should be trusted for e-mail" + ); +} + +function testImportEmptyCertPackage() { + // Because this is an empty cert package, nothing will be imported. We know it succeeded if no errors are thrown. + let byteArray = [ + 0x30, 0x0f, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x02, + 0x05, 0xa0, 0x02, 0x30, 0x00, + ]; + gCertDB.importCertificates( + byteArray, + byteArray.length, + Ci.nsIX509Cert.CA_CERT, + gInterfaceRequestor + ); +} + +function testImportEmptyUserCert() { + // Because this is an empty cert package, nothing will be imported. We know it succeeded if no errors are thrown. + let byteArray = [ + 0x30, 0x0f, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x02, + 0x05, 0xa0, 0x02, 0x30, 0x00, + ]; + gCertDB.importUserCertificate( + byteArray, + byteArray.length, + gInterfaceRequestor + ); +} + +function run_test() { + let certificateDialogsCID = MockRegistrar.register( + "@mozilla.org/nsCertificateDialogs;1", + gCertificateDialogs + ); + registerCleanupFunction(() => { + MockRegistrar.unregister(certificateDialogsCID); + }); + + // Sanity check the e-mail cert is missing. + equal( + findCertByEmailAddress(TEST_EMAIL_ADDRESS), + null, + "E-mail cert should not be in the database before import" + ); + + // Import the CA cert so that the e-mail import succeeds. + testImportCACert(); + testImportEmptyCertPackage(); + testImportEmptyUserCert(); + + // Import the e-mail cert and check for success. + let emailArray = getCertAsByteArray("test_certDB_import/emailEE.pem"); + gCertDB.importEmailCertificate( + emailArray, + emailArray.length, + gInterfaceRequestor + ); + let emailCert = findCertByEmailAddress(TEST_EMAIL_ADDRESS); + notEqual(emailCert, null, "E-mail cert should now be found in the database"); + let bundle = Services.strings.createBundle( + "chrome://pipnss/locale/pipnss.properties" + ); + equal( + emailCert.tokenName, + bundle.GetStringFromName("PrivateTokenDescription"), + "cert's tokenName should be the expected localized value" + ); +} diff --git a/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows.pfx b/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows.pfx Binary files differnew file mode 100644 index 0000000000..e969d672d7 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows.pfx diff --git a/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_emptypass.pfx b/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_emptypass.pfx Binary files differnew file mode 100644 index 0000000000..879d424b85 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_emptypass.pfx diff --git a/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_nopass.pfx b/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_nopass.pfx Binary files differnew file mode 100644 index 0000000000..7dcd668121 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_nopass.pfx diff --git a/security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem b/security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem new file mode 100644 index 0000000000..efa03762fb --- /dev/null +++ b/security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICxjCCAa6gAwIBAgIUD6/AN7kvujBSGBoxvIJq71xFd/UwDQYJKoZIhvcNAQEL +BQAwFTETMBEGA1UEAwwKaW1wb3J0ZWRDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIw +MjUwMjA0MDAwMDAwWjAhMR8wHQYJKoZIhvcNAQkBFhB0ZXN0QGV4YW1wbGUuY29t +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2 +ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdF +h/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6n +cOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAv +OnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2nj +tIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXt +jQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAvpG51OQ2+Le95l9RquNpzG8yn87g1 +wdqBpf29BFl1/fN9MUbvx5IMsyKz2VRuo3CFj95z/uAZyKsZERIfULUlEKjfaqRN +FiT/rXrEAskvVJXnVMYDp+Dr7AEUeXepehfYUKtyAwx4rHe5JIsjmT1aYMRbvkl/ +tfDDC5sKzy/qfGB6/kyJ35yeNkQgqqSjfLcsfBdz5CZ0dqa/jOLZ8FrBtoVk3KlR ++mRmPpDoNOq2Zwvl17CgOwapt2h8S6eayO/ThHp28t2kvGFMDXY5cc3M0Le7If6e +PcGTQk7VBktQfBEwjEHJmXYPXabmVI+ZJaqZ/UQKLiuuWPJjirPev+MF +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem.certspec b/security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem.certspec new file mode 100644 index 0000000000..0528bc624a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem.certspec @@ -0,0 +1,2 @@ +issuer:importedCA +subject:/emailAddress=test@example.com diff --git a/security/manager/ssl/tests/unit/test_certDB_import/encrypted_with_aes.p12 b/security/manager/ssl/tests/unit/test_certDB_import/encrypted_with_aes.p12 Binary files differnew file mode 100644 index 0000000000..105f918782 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_certDB_import/encrypted_with_aes.p12 diff --git a/security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem b/security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem new file mode 100644 index 0000000000..945070430e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICzDCCAbSgAwIBAgIUORViFMy+rW4CvpGkwIxF31eNvYwwDQYJKoZIhvcNAQEL +BQAwFTETMBEGA1UEAwwKaW1wb3J0ZWRDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIw +MjUwMjA0MDAwMDAwWjAVMRMwEQYDVQQDDAppbXBvcnRlZENBMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1 +aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/we +adA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSS +pH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62W +YVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauR +CE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoxAwDjAM +BgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCN8ZydQaRL+zy7g8iXPZ82 +9ApH1/YqbgUE83twolLBerhSDLt94vzXrr+rdx413Wot/KvM9JIVYfERDsAmdwSG +2Nf+Eda/zYWUyeeWCcjXx1mfri0c52A5f+9VMCwy30K8k97ZQk0P3hVt9Bz0TXKz +FCRMJExY4fbeASqT8N3VM2SNh4Lzv5qYXM2bC8fAeZrwDKgolpi/yGLWYxuT4yUo +NYQolHqqFb5z7rd+QiX/Df3kV2ZDMEKOOMELyXpcHo0BtfIrCQsVdwIt1A8xDzHM +HBDT1TbiVm18LdnI6vgX0p8+RyLSTEvf5aPtc3NN/H7lhJXCtV9N6rgHSL5eonRg +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem.certspec b/security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem.certspec new file mode 100644 index 0000000000..b168253544 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem.certspec @@ -0,0 +1,3 @@ +issuer:importedCA +subject:importedCA +extension:basicConstraints:cA, diff --git a/security/manager/ssl/tests/unit/test_certDB_import_pkcs12.js b/security/manager/ssl/tests/unit/test_certDB_import_pkcs12.js new file mode 100644 index 0000000000..521904d432 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_certDB_import_pkcs12.js @@ -0,0 +1,123 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ +"use strict"; + +// Tests import PKCS12 file by nsIX509CertDB. + +do_get_profile(); + +const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +const PKCS12_FILE = "test_certDB_import/cert_from_windows.pfx"; +const PKCS12_FILE_EMPTY_PASS = + "test_certDB_import/cert_from_windows_emptypass.pfx"; +const PKCS12_FILE_NO_PASS = "test_certDB_import/cert_from_windows_nopass.pfx"; +const CERT_COMMON_NAME = "test_cert_from_windows"; +const TEST_CERT_PASSWORD = "é»’ã„"; + +let gTestcases = [ + // Test that importing a PKCS12 file with the wrong password fails. + { + name: "import using incorrect password", + filename: PKCS12_FILE, + passwordToUse: "this is the wrong password", + successExpected: false, + errorCode: Ci.nsIX509CertDB.ERROR_BAD_PASSWORD, + checkCertExist: true, + certCommonName: CERT_COMMON_NAME, + }, + // Test that importing something that isn't a PKCS12 file fails. + { + name: "import non-PKCS12 file", + filename: "test_certDB_import_pkcs12.js", + passwordToUse: TEST_CERT_PASSWORD, + successExpected: false, + errorCode: Ci.nsIX509CertDB.ERROR_DECODE_ERROR, + checkCertExist: true, + certCommonName: CERT_COMMON_NAME, + }, + // Test that importing a PKCS12 file with the correct password succeeds. + // This needs to be last because currently there isn't a way to delete the + // imported certificate (and thus reset the test state) that doesn't depend on + // the garbage collector running. + { + name: "import PKCS12 file", + filename: PKCS12_FILE, + passwordToUse: TEST_CERT_PASSWORD, + successExpected: true, + errorCode: Ci.nsIX509CertDB.Success, + checkCertExist: true, + certCommonName: CERT_COMMON_NAME, + }, + // Same cert file protected with empty string password + { + name: "import PKCS12 file empty password", + filename: PKCS12_FILE_EMPTY_PASS, + passwordToUse: "", + successExpected: true, + errorCode: Ci.nsIX509CertDB.Success, + checkCertExist: false, + certCommonName: CERT_COMMON_NAME, + }, + // Same cert file protected with no password + { + name: "import PKCS12 file no password", + filename: PKCS12_FILE_NO_PASS, + passwordToUse: null, + successExpected: true, + errorCode: Ci.nsIX509CertDB.Success, + checkCertExist: false, + certCommonName: CERT_COMMON_NAME, + }, + // Test a PKCS12 file encrypted using AES + { + name: "import PKCS12 file using AES", + filename: "test_certDB_import/encrypted_with_aes.p12", + passwordToUse: "password", + successExpected: true, + errorCode: Ci.nsIX509CertDB.Success, + checkCertExist: true, + certCommonName: "John Doe", + }, +]; + +function doesCertExist(commonName) { + let allCerts = gCertDB.getCerts(); + for (let cert of allCerts) { + if (cert.commonName == commonName) { + return true; + } + } + + return false; +} + +function runOneTestcase(testcase) { + info(`running ${testcase.name}`); + if (testcase.checkCertExist) { + ok( + !doesCertExist(testcase.certCommonName), + "cert should not be in the database before import" + ); + } + + // Import and check for failure. + let certFile = do_get_file(testcase.filename); + ok(certFile, `${testcase.filename} should exist`); + let errorCode = gCertDB.importPKCS12File(certFile, testcase.passwordToUse); + equal(errorCode, testcase.errorCode, `verifying error code`); + equal( + doesCertExist(testcase.certCommonName), + testcase.successExpected, + `cert should${testcase.successExpected ? "" : " not"} be found now` + ); +} + +function run_test() { + for (let testcase of gTestcases) { + runOneTestcase(testcase); + } +} diff --git a/security/manager/ssl/tests/unit/test_certDB_import_with_primary_password.js b/security/manager/ssl/tests/unit/test_certDB_import_with_primary_password.js new file mode 100644 index 0000000000..ab1ad36fd2 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_certDB_import_with_primary_password.js @@ -0,0 +1,148 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ +"use strict"; + +// Tests that a CA certificate can still be imported if the user has a primary +// password set. + +do_get_profile(); + +const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +const CA_CERT_COMMON_NAME = "importedCA"; + +let gCACertImportDialogCount = 0; + +// Mock implementation of nsICertificateDialogs. +const gCertificateDialogs = { + confirmDownloadCACert: (ctx, cert, trust) => { + gCACertImportDialogCount++; + equal( + cert.commonName, + CA_CERT_COMMON_NAME, + "CA cert to import should have the correct CN" + ); + trust.value = Ci.nsIX509CertDB.TRUSTED_EMAIL; + return true; + }, + setPKCS12FilePassword: (ctx, password) => { + // This is only relevant to exporting. + ok(false, "setPKCS12FilePassword() should not have been called"); + }, + getPKCS12FilePassword: (ctx, password) => { + // We don't test anything that calls this method yet. + ok(false, "getPKCS12FilePassword() should not have been called"); + }, + + QueryInterface: ChromeUtils.generateQI(["nsICertificateDialogs"]), +}; + +var gMockPrompter = { + passwordToTry: "password", + numPrompts: 0, + + // This intentionally does not use arrow function syntax to avoid an issue + // where in the context of the arrow function, |this != gMockPrompter| due to + // how objects get wrapped when going across xpcom boundaries. + promptPassword(dialogTitle, text, password, checkMsg, checkValue) { + this.numPrompts++; + if (this.numPrompts > 1) { + // don't keep retrying a bad password + return false; + } + equal( + text, + "Please enter your Primary Password.", + "password prompt text should be as expected" + ); + equal(checkMsg, null, "checkMsg should be null"); + ok(this.passwordToTry, "passwordToTry should be non-null"); + password.value = this.passwordToTry; + return true; + }, + + QueryInterface: ChromeUtils.generateQI(["nsIPrompt"]), + + // Again with the arrow function issue. + getInterface(iid) { + if (iid.equals(Ci.nsIPrompt)) { + return this; + } + + throw Components.Exception("", Cr.NS_ERROR_NO_INTERFACE); + }, +}; + +function getCertAsByteArray(certPath) { + let certFile = do_get_file(certPath, false); + let certBytes = readFile(certFile); + + let byteArray = []; + for (let i = 0; i < certBytes.length; i++) { + byteArray.push(certBytes.charCodeAt(i)); + } + + return byteArray; +} + +function findCertByCommonName(commonName) { + for (let cert of gCertDB.getCerts()) { + if (cert.commonName == commonName) { + return cert; + } + } + return null; +} + +function run_test() { + let certificateDialogsCID = MockRegistrar.register( + "@mozilla.org/nsCertificateDialogs;1", + gCertificateDialogs + ); + registerCleanupFunction(() => { + MockRegistrar.unregister(certificateDialogsCID); + }); + + // Set a primary password. + let tokenDB = Cc["@mozilla.org/security/pk11tokendb;1"].getService( + Ci.nsIPK11TokenDB + ); + let token = tokenDB.getInternalKeyToken(); + token.initPassword("password"); + token.logoutSimple(); + + // Sanity check the CA cert is missing. + equal( + findCertByCommonName(CA_CERT_COMMON_NAME), + null, + "CA cert should not be in the database before import" + ); + + // Import and check for success. + let caArray = getCertAsByteArray("test_certDB_import/importedCA.pem"); + gCertDB.importCertificates( + caArray, + caArray.length, + Ci.nsIX509Cert.CA_CERT, + gMockPrompter + ); + equal( + gCACertImportDialogCount, + 1, + "Confirmation dialog for the CA cert should only be shown once" + ); + + let caCert = findCertByCommonName(CA_CERT_COMMON_NAME); + notEqual(caCert, null, "CA cert should now be found in the database"); + ok( + gCertDB.isCertTrusted( + caCert, + Ci.nsIX509Cert.CA_CERT, + Ci.nsIX509CertDB.TRUSTED_EMAIL + ), + "CA cert should be trusted for e-mail" + ); +} diff --git a/security/manager/ssl/tests/unit/test_cert_chains.js b/security/manager/ssl/tests/unit/test_cert_chains.js new file mode 100644 index 0000000000..471bc42c03 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_chains.js @@ -0,0 +1,394 @@ +// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +"use strict"; + +// We hard-code the following certificates for the pkcs7 export tests so that we +// don't have to change the test data when the certificates change each year. +// Luckily these tests don't depend on the certificates being valid, so it's ok +// to let them expire. +const gDefaultEEPEM = `-----BEGIN CERTIFICATE----- +MIIDiTCCAnGgAwIBAgIUDUo/9G0rz7fJiWTw0hY6TIyPRSIwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE3MTEyNzAwMDAwMFoYDzIwMjAw +MjA1MDAwMDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0 +7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D +/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw +JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX +rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd +q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgcow +gccwgZAGA1UdEQSBiDCBhYIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tghUqLnBp +bm5pbmcuZXhhbXBsZS5jb22CKCouaW5jbHVkZS1zdWJkb21haW5zLnBpbm5pbmcu +ZXhhbXBsZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5zLnBpbm5pbmcuZXhhbXBs +ZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxo +b3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQCkguNhMyVCYhyYXfE22wNvlaob +K2YRb4OGMxySIKuQ80N0XlO+xpLJTs9YzFVY1+JTHNez1QfwP9KJeZznTzVzLh4s +v0swx/+oUxCfLb0VIl/kdUqLkbGYrAmtjeOKZLaqVtRH0BnmbPowLak1pi6nQYOU ++aL9QOuvT/j3rXoimcdo6X3TK1SN2/64fGMyG/pwas+JXehbReUf4n1ewk84ADtb ++ew8tRAKf/uxzKUj5t/UgqDsnTWq5wUc5IJKwoHT41sQnNqPg12x4+WGWiAsWCpR +/hKYHFGr7rb4JTGEPAJpWcv9WtZYAvwT78a2xpHp5XNglj16IjWEukvJuU1W +-----END CERTIFICATE-----`; + +const gTestCAPEM = `-----BEGIN CERTIFICATE----- +MIIC0zCCAbugAwIBAgIUKaFwIwCwHXUgKRuOhAX4pjYsmbgwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE3MTEyNzAwMDAwMFoYDzIwMjAw +MjA1MDAwMDAwWjASMRAwDgYDVQQDDAdUZXN0IENBMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRME +BTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAIMgnywHFbPzJ +BEcbpx/aWQOI2tUFlo7MUoPSoACHzoI/HOUTx25eKHlpNK2jSljLufhUd//eCCXg ++OQt4f2N/tRw8gumbs3YDF7+t3ZNGt+iQxZTwN7MKsGIZy+6R523XHw8lpzFX5iz +XgIS+0APlX+XyZk7MRCcBWh6PSaSqEOOvUXVp6Omh3it034kBWnm809TEWmwiVw3 +ssPDmpUCArdDNMMdvQehzaH96cdjcSsguqpX9NcMDUmmiG7HLQ2iy+WSzek9S46S +bKKDLw8Ebevfkl6PEpg+GDulq+EPXayN3AsFXkF8MaFLgfeprkENjN1g4jM+WSyN +6DC7vCkj7A== +-----END CERTIFICATE-----`; + +const gUnknownIssuerPEM = ` +-----BEGIN CERTIFICATE----- +MIIDqTCCApGgAwIBAgIUMRiJ9TrwqTOoVFU+j5FDWDWS1X8wDQYJKoZIhvcNAQEL +BQAwJjEkMCIGA1UEAwwbVGVzdCBJbnRlcm1lZGlhdGUgdG8gZGVsZXRlMCIYDzIw +MTcxMTI3MDAwMDAwWhgPMjAyMDAyMDUwMDAwMDBaMC4xLDAqBgNVBAMMI1Rlc3Qg +RW5kLWVudGl0eSBmcm9tIHVua25vd24gaXNzdWVyMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4HCMIG/MIGIBgNV +HREEgYAwfoIZdW5rbm93bmlzc3Vlci5leGFtcGxlLmNvbYI0dW5rbm93bmlzc3Vl +ci5pbmNsdWRlLXN1YmRvbWFpbnMucGlubmluZy5leGFtcGxlLmNvbYIrdW5rbm93 +bmlzc3Vlci50ZXN0LW1vZGUucGlubmluZy5leGFtcGxlLmNvbTAyBggrBgEFBQcB +AQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJKoZI +hvcNAQELBQADggEBALAnJjBJ+MOc7kMRzmESYZRSxKak7A1K67xBXWzWmK3t3WXv +e/RLjV/RhbyTN20h2ZjSVcuDzgNYC/RJ/z3Xd5Q9QEGoi1ly84HeaeHw/3kUSHxv +J3JnbPu2lk96U5y7tXEVfbEVZYpx4Us72fuURPWriVldILH2lgrEg+iKZWbY/wcT +vfu1j/flMkGEOpc1HytlmR9fkCDnqzFfcmv7Eh3X1BiSBOIemGnUHxONwlthSE68 +IItE5l3c82G8oQGmve6r0N9h7t6opIjH1koFWMck/pzDA01FmWey4ASdlmjE8NSJ +Al1zsF8EiLOZeI1rvurcXwVOd0Olk9/QT5hwTkk= +-----END CERTIFICATE-----`; + +const gOCSPEEWithIntermediatePEM = ` +-----BEGIN CERTIFICATE----- +MIIDNTCCAh2gAwIBAgIUZ67hS7lHVnCQtXx7oXFlzihqh0cwDQYJKoZIhvcNAQEL +BQAwHDEaMBgGA1UEAwwRVGVzdCBJbnRlcm1lZGlhdGUwIhgPMjAxNzExMjcwMDAw +MDBaGA8yMDIwMDIwNTAwMDAwMFowLDEqMCgGA1UEAwwhVGVzdCBFbmQtZW50aXR5 +IHdpdGggSW50ZXJtZWRpYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptu +Gobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO +7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgf +qDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/yt +HSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcx +uLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo1swWTAjBgNVHREEHDAagglsb2NhbGhv +c3SCDSouZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZo +dHRwOi8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQAo043hM4Gi +UtoXKOQB2v0C8nF4Yyzpf+i0LlxQCFZkiLYu9pIuQu16I3TbLQRBwhCC0ml7TqJB +AbryzILTorCQP8A1WQa1kt6cb30jCyXLcWnDA/ULPexn9cYm6I0YyLFlnkcVzMGL +Fc+LyWTAPEW5rMauu5iOOp/6L5rBF0M9bg5yXSGNDv8gk3Jc+opJbBDTrAuKDNLp +JSEp4rqovNFnirzlJWDS+ScAsWHtoLcrH6gnQRPsEV1WFQnYr3HkAakYQok9xs5A +ikBS6mgz4/cFBts8bSGSuXxctkN2Ss7Y5l3YmTYKCxPz6retVfrhi/islH4W3z9H +pu3ZqyACO6Lb +-----END CERTIFICATE-----`; + +const gTestIntPEM = ` +-----BEGIN CERTIFICATE----- +MIIC3TCCAcWgAwIBAgIUa0X7/7DlTaedpgrIJg25iBPOkIMwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE1MDEwMTAwMDAwMFoYDzIwMjUw +MTAxMDAwMDAwWjAcMRowGAYDVQQDDBFUZXN0IEludGVybWVkaWF0ZTCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1 +SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+ +zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYL +K7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwc +bJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibW +JZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMd +MBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEB +AILNZM9yT9ylMpjyi0tXaDORzpHiJ8vEoVKk98bC2BQF0kMEEB547p+Ms8zdJY00 +Bxe9qigT8rQwKprXq5RvgIZ32QLn/yMPiCp/e6zBdsx77TkfmnSnxvPi+0nlA+eM +8JYN0UST4vWD4vPPX9GgZDVoGQTiF3hUivJ5R8sHb/ozcSukMKQQ22+AIU7w6wyA +IbCAG7Pab4k2XFAeEnUZsl9fCym5jsPN9Pnv9rlBi6h8shHw1R2ROXjgxubjiMr3 +B456vFTJImLJjyA1iTSlr/+VXGUYg6Z0/HYnsO00+8xUKM71dPxGAfIFNaSscpyk +rGFLvocT/kym6r8galxCJUo= +-----END CERTIFICATE-----`; + +function build_cert_list_from_pem_list(pemList) { + let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + let certList = []; + for (let pem of pemList) { + let cert = certdb.constructX509FromBase64(pemToBase64(pem)); + certList.push(cert); + } + return certList; +} + +function test_cert_pkcs7_export() { + // This was generated by running BadCertAndPinningServer locally on the bad_certs + // directory and visiting: + // https://good.include-subdomains.pinning.example.com:8443/ + // and then viewing the certificate chain presented (in the page info dialog) + // and exporting it. + // (NB: test-ca must be imported and trusted for the connection to succeed) + const expectedPKCS7ForDefaultEE = + "MIAGCSqGSIb3DQEHAqCAMIACAQExADCABgkqhkiG9w0BBwEAAKCCBmQwggLTMIIBu6ADAgE" + + "CAhQpoXAjALAddSApG46EBfimNiyZuDANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZX" + + "N0IENBMCIYDzIwMTcxMTI3MDAwMDAwWhgPMjAyMDAyMDUwMDAwMDBaMBIxEDAOBgNVBAMMB" + + "1Rlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braI" + + "BjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xz" + + "VJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCy" + + "uwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW" + + "7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE" + + "LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8" + + "wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQAgyCfLAcVs/MkERxunH9pZA4ja1Q" + + "WWjsxSg9KgAIfOgj8c5RPHbl4oeWk0raNKWMu5+FR3/94IJeD45C3h/Y3+1HDyC6ZuzdgMX" + + "v63dk0a36JDFlPA3swqwYhnL7pHnbdcfDyWnMVfmLNeAhL7QA+Vf5fJmTsxEJwFaHo9JpKo" + + "Q469RdWno6aHeK3TfiQFaebzT1MRabCJXDeyw8OalQICt0M0wx29B6HNof3px2NxKyC6qlf" + + "01wwNSaaIbsctDaLL5ZLN6T1LjpJsooMvDwRt69+SXo8SmD4YO6Wr4Q9drI3cCwVeQXwxoU" + + "uB96muQQ2M3WDiMz5ZLI3oMLu8KSPsMIIDiTCCAnGgAwIBAgIUDUo/9G0rz7fJiWTw0hY6T" + + "IyPRSIwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE3MTEyNzAw" + + "MDAwMFoYDzIwMjAwMjA1MDAwMDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggE" + + "iMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNU" + + "q07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0" + + "DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ" + + "sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJH" + + "dtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFz" + + "G4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgcowgccwgZAGA1UdEQSBiDCBhYIJbG9jYWxob" + + "3N0gg0qLmV4YW1wbGUuY29tghUqLnBpbm5pbmcuZXhhbXBsZS5jb22CKCouaW5jbHVkZS1z" + + "dWJkb21haW5zLnBpbm5pbmcuZXhhbXBsZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5zLnB" + + "pbm5pbmcuZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi" + + "8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQCkguNhMyVCYhyYXfE22wNvl" + + "aobK2YRb4OGMxySIKuQ80N0XlO+xpLJTs9YzFVY1+JTHNez1QfwP9KJeZznTzVzLh4sv0sw" + + "x/+oUxCfLb0VIl/kdUqLkbGYrAmtjeOKZLaqVtRH0BnmbPowLak1pi6nQYOU+aL9QOuvT/j" + + "3rXoimcdo6X3TK1SN2/64fGMyG/pwas+JXehbReUf4n1ewk84ADtb+ew8tRAKf/uxzKUj5t" + + "/UgqDsnTWq5wUc5IJKwoHT41sQnNqPg12x4+WGWiAsWCpR/hKYHFGr7rb4JTGEPAJpWcv9W" + + "tZYAvwT78a2xpHp5XNglj16IjWEukvJuU1WMQAAAAAAAAA="; + let certListDefaultEE = build_cert_list_from_pem_list([ + gDefaultEEPEM, + gTestCAPEM, + ]); + + let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + let pkcs7DefaultEE = certdb.asPKCS7Blob(certListDefaultEE); + + equal( + btoa(pkcs7DefaultEE), + expectedPKCS7ForDefaultEE, + "PKCS7 export should work as expected for default-ee chain" + ); + + // This was generated by running BadCertAndPinningServer locally on the bad_certs + // directory and visiting: + // https://unknownissuer.example.com:8443/ + // and then viewing the certificate presented (in the add certificate + // exception dialog) and exporting it. + const expectedPKCS7ForUnknownIssuer = + "MIAGCSqGSIb3DQEHAqCAMIACAQExADCABgkqhkiG9w0BBwEAAKCCA60wggOpMIICkaADAgE" + + "CAhQxGIn1OvCpM6hUVT6PkUNYNZLVfzANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBtUZX" + + "N0IEludGVybWVkaWF0ZSB0byBkZWxldGUwIhgPMjAxNzExMjcwMDAwMDBaGA8yMDIwMDIwN" + + "TAwMDAwMFowLjEsMCoGA1UEAwwjVGVzdCBFbmQtZW50aXR5IGZyb20gdW5rbm93biBpc3N1" + + "ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTw" + + "T2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs" + + "1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkf" + + "bmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA" + + "dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/" + + "l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgcIwgb8wgYgGA1UdEQSBgDB+ghl1bm" + + "tub3duaXNzdWVyLmV4YW1wbGUuY29tgjR1bmtub3duaXNzdWVyLmluY2x1ZGUtc3ViZG9tY" + + "Wlucy5waW5uaW5nLmV4YW1wbGUuY29tgit1bmtub3duaXNzdWVyLnRlc3QtbW9kZS5waW5u" + + "aW5nLmV4YW1wbGUuY29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2x" + + "vY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0BAQsFAAOCAQEAsCcmMEn4w5zuQxHOYRJhlFLEpq" + + "TsDUrrvEFdbNaYre3dZe979EuNX9GFvJM3bSHZmNJVy4POA1gL9En/Pdd3lD1AQaiLWXLzg" + + "d5p4fD/eRRIfG8ncmds+7aWT3pTnLu1cRV9sRVlinHhSzvZ+5RE9auJWV0gsfaWCsSD6Ipl" + + "Ztj/BxO9+7WP9+UyQYQ6lzUfK2WZH1+QIOerMV9ya/sSHdfUGJIE4h6YadQfE43CW2FITrw" + + "gi0TmXdzzYbyhAaa97qvQ32Hu3qikiMfWSgVYxyT+nMMDTUWZZ7LgBJ2WaMTw1IkCXXOwXw" + + "SIs5l4jWu+6txfBU53Q6WT39BPmHBOSTEAAAAAAAAA"; + let certListUnknownIssuer = build_cert_list_from_pem_list([ + gUnknownIssuerPEM, + ]); + let pkcs7UnknownIssuer = certdb.asPKCS7Blob(certListUnknownIssuer); + equal( + btoa(pkcs7UnknownIssuer), + expectedPKCS7ForUnknownIssuer, + "PKCS7 export should work as expected for unknown issuer" + ); + + // This was generated by running OCSPStaplingServer locally on the ocsp_certs + // directory and visiting: + // https://ocsp-stapling-with-intermediate.example.com:8443/ + // and then viewing the certificate chain presented (in the page info dialog) + // and exporting it. + // (NB: test-ca must be imported and trusted for the connection to succeed) + const expectedPKCS7WithIntermediate = + "MIAGCSqGSIb3DQEHAqCAMIACAQExADCABgkqhkiG9w0BBwEAAKCCCPEwggLTMIIBu6ADAgE" + + "CAhQpoXAjALAddSApG46EBfimNiyZuDANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZX" + + "N0IENBMCIYDzIwMTcxMTI3MDAwMDAwWhgPMjAyMDAyMDUwMDAwMDBaMBIxEDAOBgNVBAMMB" + + "1Rlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braI" + + "BjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xz" + + "VJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCy" + + "uwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW" + + "7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE" + + "LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8" + + "wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQAgyCfLAcVs/MkERxunH9pZA4ja1Q" + + "WWjsxSg9KgAIfOgj8c5RPHbl4oeWk0raNKWMu5+FR3/94IJeD45C3h/Y3+1HDyC6ZuzdgMX" + + "v63dk0a36JDFlPA3swqwYhnL7pHnbdcfDyWnMVfmLNeAhL7QA+Vf5fJmTsxEJwFaHo9JpKo" + + "Q469RdWno6aHeK3TfiQFaebzT1MRabCJXDeyw8OalQICt0M0wx29B6HNof3px2NxKyC6qlf" + + "01wwNSaaIbsctDaLL5ZLN6T1LjpJsooMvDwRt69+SXo8SmD4YO6Wr4Q9drI3cCwVeQXwxoU" + + "uB96muQQ2M3WDiMz5ZLI3oMLu8KSPsMIIC3TCCAcWgAwIBAgIUa0X7/7DlTaedpgrIJg25i" + + "BPOkIMwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE1MDEwMTAw" + + "MDAwMFoYDzIwMjUwMTAxMDAwMDAwWjAcMRowGAYDVQQDDBFUZXN0IEludGVybWVkaWF0ZTC" + + "CASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6u" + + "Q1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8H" + + "mnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhh" + + "eZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaM" + + "Mkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5" + + "kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMdMBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EB" + + "AMCAQYwDQYJKoZIhvcNAQELBQADggEBAILNZM9yT9ylMpjyi0tXaDORzpHiJ8vEoVKk98bC" + + "2BQF0kMEEB547p+Ms8zdJY00Bxe9qigT8rQwKprXq5RvgIZ32QLn/yMPiCp/e6zBdsx77Tk" + + "fmnSnxvPi+0nlA+eM8JYN0UST4vWD4vPPX9GgZDVoGQTiF3hUivJ5R8sHb/ozcSukMKQQ22" + + "+AIU7w6wyAIbCAG7Pab4k2XFAeEnUZsl9fCym5jsPN9Pnv9rlBi6h8shHw1R2ROXjgxubji" + + "Mr3B456vFTJImLJjyA1iTSlr/+VXGUYg6Z0/HYnsO00+8xUKM71dPxGAfIFNaSscpykrGFL" + + "vocT/kym6r8galxCJUowggM1MIICHaADAgECAhRnruFLuUdWcJC1fHuhcWXOKGqHRzANBgk" + + "qhkiG9w0BAQsFADAcMRowGAYDVQQDDBFUZXN0IEludGVybWVkaWF0ZTAiGA8yMDE3MTEyNz" + + "AwMDAwMFoYDzIwMjAwMjA1MDAwMDAwWjAsMSowKAYDVQQDDCFUZXN0IEVuZC1lbnRpdHkgd" + + "2l0aCBJbnRlcm1lZGlhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo" + + "RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHE" + + "IeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7q" + + "dw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCAB" + + "iTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd" + + "q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjWzBZMCMGA1U" + + "dEQQcMBqCCWxvY2FsaG9zdIINKi5leGFtcGxlLmNvbTAyBggrBgEFBQcBAQQmMCQwIgYIKw" + + "YBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJKoZIhvcNAQELBQADggEBACjTj" + + "eEzgaJS2hco5AHa/QLycXhjLOl/6LQuXFAIVmSIti72ki5C7XojdNstBEHCEILSaXtOokEB" + + "uvLMgtOisJA/wDVZBrWS3pxvfSMLJctxacMD9Qs97Gf1xibojRjIsWWeRxXMwYsVz4vJZMA" + + "8Rbmsxq67mI46n/ovmsEXQz1uDnJdIY0O/yCTclz6iklsENOsC4oM0uklISniuqi80WeKvO" + + "UlYNL5JwCxYe2gtysfqCdBE+wRXVYVCdivceQBqRhCiT3GzkCKQFLqaDPj9wUG2zxtIZK5f" + + "Fy2Q3ZKztjmXdiZNgoLE/Pqt61V+uGL+KyUfhbfP0em7dmrIAI7otsxAAAAAAAAAA=="; + let certListWithIntermediate = build_cert_list_from_pem_list([ + gOCSPEEWithIntermediatePEM, + gTestIntPEM, + gTestCAPEM, + ]); + let pkcs7WithIntermediate = certdb.asPKCS7Blob(certListWithIntermediate); + equal( + btoa(pkcs7WithIntermediate), + expectedPKCS7WithIntermediate, + "PKCS7 export should work as expected for chain with intermediate" + ); +} + +function test_cert_pkcs7_empty_array() { + let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + + throws( + () => certdb.asPKCS7Blob([]), + /NS_ERROR_ILLEGAL_VALUE/, + "trying to convert an empty array to pkcs7 should throw" + ); +} + +function run_test() { + do_get_profile(); + add_tls_server_setup("BadCertAndPinningServer", "bad_certs"); + + add_test(function () { + test_cert_pkcs7_export(); + run_next_test(); + }); + + add_test(function () { + test_cert_pkcs7_empty_array(); + run_next_test(); + }); + + // Test successful connection (failedCertChain should be null) + add_connection_test( + // re-use pinning certs (keeler) + "good.include-subdomains.pinning.example.com", + PRErrorCodeSuccess, + null, + function withSecurityInfo(aTransportSecurityInfo) { + equal( + aTransportSecurityInfo.failedCertChain.length, + 0, + "failedCertChain for a successful connection should be null" + ); + } + ); + + // Test overrideable connection failure (failedCertChain should be non-null) + add_connection_test( + "expired.example.com", + SEC_ERROR_EXPIRED_CERTIFICATE, + null, + function withSecurityInfo(securityInfo) { + notEqual( + securityInfo.failedCertChain, + null, + "failedCertChain should not be null for an overrideable" + + " connection failure" + ); + let originalCertChain = build_cert_chain(["expired-ee", "test-ca"]); + ok( + areCertArraysEqual(originalCertChain, securityInfo.failedCertChain), + "failedCertChain should equal the original cert chain for an" + + " overrideable connection failure" + ); + } + ); + + // Test overrideable connection failure (failedCertChain should be non-null) + add_connection_test( + "unknownissuer.example.com", + SEC_ERROR_UNKNOWN_ISSUER, + null, + function withSecurityInfo(securityInfo) { + notEqual( + securityInfo.failedCertChain, + null, + "failedCertChain should not be null for an overrideable" + + " connection failure" + ); + let originalCertChain = build_cert_chain(["unknownissuer"]); + ok( + areCertArraysEqual(originalCertChain, securityInfo.failedCertChain), + "failedCertChain should equal the original cert chain for an" + + " overrideable connection failure" + ); + } + ); + + // Test non-overrideable error (failedCertChain should be non-null) + add_connection_test( + "inadequatekeyusage.example.com", + SEC_ERROR_INADEQUATE_KEY_USAGE, + null, + function withSecurityInfo(securityInfo) { + notEqual( + securityInfo.failedCertChain, + null, + "failedCertChain should not be null for a non-overrideable" + + " connection failure" + ); + let originalCertChain = build_cert_chain([ + "inadequatekeyusage-ee", + "test-ca", + ]); + ok( + areCertArraysEqual(originalCertChain, securityInfo.failedCertChain), + "failedCertChain should equal the original cert chain for a" + + " non-overrideable connection failure" + ); + } + ); + + run_next_test(); +} diff --git a/security/manager/ssl/tests/unit/test_cert_dbKey.js b/security/manager/ssl/tests/unit/test_cert_dbKey.js new file mode 100644 index 0000000000..3ff36f905c --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_dbKey.js @@ -0,0 +1,225 @@ +// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +"use strict"; + +// This test tests that the nsIX509Cert.dbKey and nsIX509CertDB.findCertByDBKey +// APIs work as expected. That is, getting a certificate's dbKey and using it +// in findCertByDBKey should return the same certificate. Also, for backwards +// compatibility, findCertByDBKey should ignore any whitespace in its input +// (even though now nsIX509Cert.dbKey will never have whitespace in it). + +function hexStringToBytes(hex) { + let bytes = []; + for (let hexByteStr of hex.split(":")) { + bytes.push(parseInt(hexByteStr, 16)); + } + return bytes; +} + +function encodeCommonNameAsBytes(commonName) { + // The encoding will look something like this (in hex): + // 30 (SEQUENCE) <length of contents> + // 31 (SET) <length of contents> + // 30 (SEQUENCE) <length of contents> + // 06 (OID) 03 (length) + // 55 04 03 (id-at-commonName) + // 0C (UTF8String) <length of common name> + // <common name bytes> + // To make things simple, it would be nice to have the length of each + // component be less than 128 bytes (so we can have single-byte lengths). + // For this to hold, the maximum length of the contents of the outermost + // SEQUENCE must be 127. Everything not in the contents of the common name + // will take up 11 bytes, so the value of the common name itself can be at + // most 116 bytes. + ok( + commonName.length <= 116, + "test assumption: common name can't be longer than 116 bytes (makes " + + "DER encoding easier)" + ); + let commonNameOIDBytes = [0x06, 0x03, 0x55, 0x04, 0x03]; + let commonNameBytes = [0x0c, commonName.length]; + for (let i = 0; i < commonName.length; i++) { + commonNameBytes.push(commonName.charCodeAt(i)); + } + let bytes = commonNameOIDBytes.concat(commonNameBytes); + bytes.unshift(bytes.length); + bytes.unshift(0x30); // SEQUENCE + bytes.unshift(bytes.length); + bytes.unshift(0x31); // SET + bytes.unshift(bytes.length); + bytes.unshift(0x30); // SEQUENCE + return bytes; +} + +function testInvalidDBKey(certDB, dbKey) { + throws( + () => certDB.findCertByDBKey(dbKey), + /NS_ERROR_ILLEGAL_INPUT/, + `findCertByDBKey(${dbKey}) should raise NS_ERROR_ILLEGAL_INPUT` + ); +} + +function testDBKeyForNonexistentCert(certDB, dbKey) { + let cert = certDB.findCertByDBKey(dbKey); + ok(!cert, "shouldn't find cert for given dbKey"); +} + +function byteArrayToByteString(bytes) { + let byteString = ""; + for (let b of bytes) { + byteString += String.fromCharCode(b); + } + return byteString; +} + +function run_test() { + do_get_profile(); + let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + let cert = constructCertFromFile("bad_certs/test-ca.pem"); + equal( + cert.issuerName, + "CN=" + cert.issuerCommonName, + "test assumption: this certificate's issuer distinguished name " + + "consists only of a common name" + ); + let issuerBytes = encodeCommonNameAsBytes(cert.issuerCommonName); + ok( + issuerBytes.length < 256, + "test assumption: length of encoded issuer is less than 256 bytes" + ); + let serialNumberBytes = hexStringToBytes(cert.serialNumber); + ok( + serialNumberBytes.length < 256, + "test assumption: length of encoded serial number is less than 256 bytes" + ); + let dbKeyHeader = [ + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + serialNumberBytes.length, + 0, + 0, + 0, + issuerBytes.length, + ]; + let expectedDbKeyBytes = dbKeyHeader.concat(serialNumberBytes, issuerBytes); + let expectedDbKey = btoa(byteArrayToByteString(expectedDbKeyBytes)); + equal( + cert.dbKey, + expectedDbKey, + "actual and expected dbKey values should match" + ); + + let certFromDbKey = certDB.findCertByDBKey(expectedDbKey); + ok( + areCertsEqual(certFromDbKey, cert), + "nsIX509CertDB.findCertByDBKey should find the right certificate" + ); + + ok( + expectedDbKey.length > 64, + "test assumption: dbKey should be longer than 64 characters" + ); + let expectedDbKeyWithCRLF = expectedDbKey.replace(/(.{64})/, "$1\r\n"); + ok( + expectedDbKeyWithCRLF.indexOf("\r\n") == 64, + "test self-check: adding CRLF to dbKey should succeed" + ); + certFromDbKey = certDB.findCertByDBKey(expectedDbKeyWithCRLF); + ok( + areCertsEqual(certFromDbKey, cert), + "nsIX509CertDB.findCertByDBKey should work with dbKey with CRLF" + ); + + let expectedDbKeyWithSpaces = expectedDbKey.replace(/(.{64})/, "$1 "); + ok( + expectedDbKeyWithSpaces.indexOf(" ") == 64, + "test self-check: adding spaces to dbKey should succeed" + ); + certFromDbKey = certDB.findCertByDBKey(expectedDbKeyWithSpaces); + ok( + areCertsEqual(certFromDbKey, cert), + "nsIX509CertDB.findCertByDBKey should work with dbKey with spaces" + ); + + // Test some invalid dbKey values. + testInvalidDBKey(certDB, "AAAA"); // Not long enough. + // No header. + testInvalidDBKey( + certDB, + btoa( + byteArrayToByteString( + [0, 0, 0, serialNumberBytes.length, 0, 0, 0, issuerBytes.length].concat( + serialNumberBytes, + issuerBytes + ) + ) + ) + ); + testInvalidDBKey( + certDB, + btoa( + byteArrayToByteString([ + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 255, + 255, + 255, + 255, // serial number length is way too long + 255, + 255, + 255, + 255, // issuer length is way too long + 0, + 0, + 0, + 0, + ]) + ) + ); + // Truncated issuer. + testInvalidDBKey( + certDB, + btoa( + byteArrayToByteString([ + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 10, 1, 1, 2, 3, + ]) + ) + ); + // Issuer doesn't decode to valid common name. + testDBKeyForNonexistentCert( + certDB, + btoa( + byteArrayToByteString([ + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 3, 1, 1, 2, 3, + ]) + ) + ); + + // zero-length serial number and issuer -> no such certificate + testDBKeyForNonexistentCert( + certDB, + btoa( + byteArrayToByteString([0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]) + ) + ); +} diff --git a/security/manager/ssl/tests/unit/test_cert_eku.js b/security/manager/ssl/tests/unit/test_cert_eku.js new file mode 100644 index 0000000000..de1d5fcbfe --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku.js @@ -0,0 +1,189 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +// Tests that the extended key usage extension is properly processed by the +// platform when verifying certificates. There are already comprehensive tests +// in mozilla::pkix itself, but these tests serve as integration tests to ensure +// that the cases we're particularly concerned about are correctly handled. + +"use strict"; + +do_get_profile(); // must be called before getting nsIX509CertDB +const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +function certFromFile(certName) { + return constructCertFromFile(`test_cert_eku/${certName}.pem`); +} + +function loadCertWithTrust(certName, trustString) { + addCertFromFile(certdb, `test_cert_eku/${certName}.pem`, trustString); +} + +function checkEndEntity(cert, expectedResult) { + return checkCertErrorGeneric( + certdb, + cert, + expectedResult, + certificateUsageSSLServer + ); +} + +function checkCertOn25August2016(cert, expectedResult) { + // (new Date("2016-08-25T00:00:00Z")).getTime() / 1000 + const VALIDATION_TIME = 1472083200; + return checkCertErrorGenericAtTime( + certdb, + cert, + expectedResult, + certificateUsageSSLServer, + VALIDATION_TIME + ); +} + +add_task(async function () { + registerCleanupFunction(() => { + Services.prefs.clearUserPref("privacy.reduceTimerPrecision"); + }); + Services.prefs.setBoolPref("privacy.reduceTimerPrecision", false); + + loadCertWithTrust("ca", "CTu,,"); + // end-entity has id-kp-serverAuth => success + await checkEndEntity(certFromFile("ee-SA"), PRErrorCodeSuccess); + // end-entity has id-kp-serverAuth => success + await checkEndEntity(certFromFile("ee-SA-CA"), PRErrorCodeSuccess); + // end-entity has extended key usage, but id-kp-serverAuth is not present => + // failure + await checkEndEntity(certFromFile("ee-CA"), SEC_ERROR_INADEQUATE_CERT_TYPE); + // end-entity has id-kp-serverAuth => success + await checkEndEntity(certFromFile("ee-SA-nsSGC"), PRErrorCodeSuccess); + + // end-entity has extended key usage, but id-kp-serverAuth is not present => + // failure (in particular, Netscape Server Gated Crypto (also known as + // Netscape Step Up) is not an acceptable substitute for end-entity + // certificates). + // Verify this for all Netscape Step Up policy configurations. + // 0 = "always accept nsSGC in place of serverAuth for CA certificates" + Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 0); + await checkEndEntity( + certFromFile("ee-nsSGC"), + SEC_ERROR_INADEQUATE_CERT_TYPE + ); + // 1 = "accept nsSGC before 23 August 2016" + Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 1); + await checkEndEntity( + certFromFile("ee-nsSGC"), + SEC_ERROR_INADEQUATE_CERT_TYPE + ); + // 2 = "accept nsSGC before 23 August 2015" + Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 2); + await checkEndEntity( + certFromFile("ee-nsSGC"), + SEC_ERROR_INADEQUATE_CERT_TYPE + ); + // 3 = "never accept nsSGC" + Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 3); + await checkEndEntity( + certFromFile("ee-nsSGC"), + SEC_ERROR_INADEQUATE_CERT_TYPE + ); + + // end-entity has id-kp-OCSPSigning, which is not acceptable for end-entity + // certificates being verified as TLS server certificates => failure + await checkEndEntity( + certFromFile("ee-SA-OCSP"), + SEC_ERROR_INADEQUATE_CERT_TYPE + ); + + // intermediate has id-kp-serverAuth => success + loadCertWithTrust("int-SA", ",,"); + await checkEndEntity(certFromFile("ee-int-SA"), PRErrorCodeSuccess); + // intermediate has id-kp-serverAuth => success + loadCertWithTrust("int-SA-CA", ",,"); + await checkEndEntity(certFromFile("ee-int-SA-CA"), PRErrorCodeSuccess); + // intermediate has extended key usage, but id-kp-serverAuth is not present + // => failure + loadCertWithTrust("int-CA", ",,"); + await checkEndEntity( + certFromFile("ee-int-CA"), + SEC_ERROR_INADEQUATE_CERT_TYPE + ); + // intermediate has id-kp-serverAuth => success + loadCertWithTrust("int-SA-nsSGC", ",,"); + await checkEndEntity(certFromFile("ee-int-SA-nsSGC"), PRErrorCodeSuccess); + + // Intermediate has Netscape Server Gated Crypto. Success will depend on the + // Netscape Step Up policy configuration and the notBefore property of the + // intermediate. + loadCertWithTrust("int-nsSGC-recent", ",,"); + loadCertWithTrust("int-nsSGC-old", ",,"); + loadCertWithTrust("int-nsSGC-older", ",,"); + // 0 = "always accept nsSGC in place of serverAuth for CA certificates" + Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 0); + info("Netscape Step Up policy: always accept"); + await checkCertOn25August2016( + certFromFile("ee-int-nsSGC-recent"), + PRErrorCodeSuccess + ); + await checkCertOn25August2016( + certFromFile("ee-int-nsSGC-old"), + PRErrorCodeSuccess + ); + await checkCertOn25August2016( + certFromFile("ee-int-nsSGC-older"), + PRErrorCodeSuccess + ); + // 1 = "accept nsSGC before 23 August 2016" + info("Netscape Step Up policy: accept before 23 August 2016"); + Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 1); + await checkCertOn25August2016( + certFromFile("ee-int-nsSGC-recent"), + SEC_ERROR_INADEQUATE_CERT_TYPE + ); + await checkCertOn25August2016( + certFromFile("ee-int-nsSGC-old"), + PRErrorCodeSuccess + ); + await checkCertOn25August2016( + certFromFile("ee-int-nsSGC-older"), + PRErrorCodeSuccess + ); + // 2 = "accept nsSGC before 23 August 2015" + info("Netscape Step Up policy: accept before 23 August 2015"); + Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 2); + await checkCertOn25August2016( + certFromFile("ee-int-nsSGC-recent"), + SEC_ERROR_INADEQUATE_CERT_TYPE + ); + await checkCertOn25August2016( + certFromFile("ee-int-nsSGC-old"), + SEC_ERROR_INADEQUATE_CERT_TYPE + ); + await checkCertOn25August2016( + certFromFile("ee-int-nsSGC-older"), + PRErrorCodeSuccess + ); + // 3 = "never accept nsSGC" + info("Netscape Step Up policy: never accept"); + Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 3); + await checkCertOn25August2016( + certFromFile("ee-int-nsSGC-recent"), + SEC_ERROR_INADEQUATE_CERT_TYPE + ); + await checkCertOn25August2016( + certFromFile("ee-int-nsSGC-old"), + SEC_ERROR_INADEQUATE_CERT_TYPE + ); + await checkCertOn25August2016( + certFromFile("ee-int-nsSGC-older"), + SEC_ERROR_INADEQUATE_CERT_TYPE + ); + + // intermediate has id-kp-OCSPSigning, which is acceptable for CA + // certificates => success + loadCertWithTrust("int-SA-OCSP", ",,"); + await checkEndEntity(certFromFile("ee-int-SA-OCSP"), PRErrorCodeSuccess); +}); diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ca.pem b/security/manager/ssl/tests/unit/test_cert_eku/ca.pem new file mode 100644 index 0000000000..790e942fbd --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ca.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICvDCCAaSgAwIBAgIUbYeck7JVOWdVm1AGwsw/DzdRnaYwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNTAxMDEwMDAwMDBaGA8yMDM1MDEwMTAw +MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG +m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr +bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4 +SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3 +/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z +FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJ +KoZIhvcNAQELBQADggEBAI0AO+ZBY1oImSrpifcmQZTE/C4xIu7Uu5GX/A7ApQU7 +8UAXivMgRDbtrjOie1HNH9DIxHBCFY/Y7f0VRXxWmPEmT+5LpHrLoi+YF0h2wh/1 +RuiJV1AfaEdVJyNCVDSQrS8BQG5O3LebBq00gjSJSQ4+DHu7YHWkyMIZk+lbBiO1 +GsD0FWBDlOtiMpL/CQWjyiskiqQjrDCs5m0NayqgzYAMtdlEd+pAKEMNO8Fr8xSI +tAlcG4frvH0kLJ2scX9ayvKTZrAiAxJz9CjmmnXOyL78yyr/hkJbzYTvk0+1cClg +J2aGnsFIHgUxEx7sApOqlmG8g1lqL7UPqpi8ItVNl48= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ca.pem.certspec new file mode 100644 index 0000000000..c6e443f5d8 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:ca +extension:basicConstraints:cA, +validity:20150101-20350101 diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-CA.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-CA.pem new file mode 100644 index 0000000000..7c825b6e45 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-CA.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICxjCCAa6gAwIBAgIUG5raDQTHsnMnSlmohQUepi+75WIwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowEDEOMAwGA1UEAwwFZWUtQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9 +sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5 +TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7 +xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHd +tMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l +8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsG +AQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQAF0cq6IygjIInXKKccUVbsdvQPXCkj +yGi9NQxEVdb6lQyDhsy9REJwGHalKWvU6F2t1pRevaswsLYbJ/rL7Z9mR11S9BVW +3XfQTcug3xRy7gTHm5eC3TvUkXHsEWtou0eooDOdxcXNsfmA7+j4oszFOl9f3+OB +wB0yAg+7n8lnFfBfpR8EjGEqZNYzUClpGqc8R70NnDkebs2H4yIBpnx/la+du+lY +XVEKLrt5G+epKpR7lPqIn3C9+PmvmgwBhYGtyv4E9sgYvEtXHhX+Dz+SsxgembWv +SvDgddYOlFy7jJXOqepO1koiiL0C8vQjbjiNO0WROziOzP6iVp64pu6R +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-CA.pem.certspec new file mode 100644 index 0000000000..d49cabaa2f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-CA.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:ee-CA +extension:extKeyUsage:clientAuth diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-CA.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-CA.pem new file mode 100644 index 0000000000..555e65765b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-CA.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC0zCCAbugAwIBAgIUOdbcalffVxJ74ddWhQGlOphTnSQwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowEzERMA8GA1UEAwwIZWUtU0EtQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg +2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ +5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQ +PdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGj +DJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8W +iy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjITAfMB0GA1UdJQQWMBQG +CCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAFTkyWBfmB1oT +16ITB/ar4pTtlU1v0vDJ+lKr0EM0sy8DOg6/0aQgjD7YSTbVi31FAuNZGtmkNqcb +YxsP1WhzUTghE6UseHhwuTjeIso3goTD/VMOt/hqSBlu8pSEZmFQr/b5knWmAGoc +vNbiUCr81LcTMBNAWCEbt3Zl+KZWPYyQ5wuEQGv6srL9IGIcSLSHUShPe2NA6wTP +KxcGhw/o77OhStr1ubscnqTalhsAp6Vjk/pp4CiokZmUafS5NzsWL+U1Odh2Yuzx +i7Kg8V/paOSubJSKvQ2G7aldNmxNwE42GpfuJ0vFinissplp8Dy5Rfa/62UiW5Os +BrQ6KRHHHg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-CA.pem.certspec new file mode 100644 index 0000000000..5250cc4a84 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-CA.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:ee-SA-CA +extension:extKeyUsage:serverAuth,clientAuth diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-OCSP.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-OCSP.pem new file mode 100644 index 0000000000..9f0f510941 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-OCSP.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC1TCCAb2gAwIBAgIUbZ6DHXv0Hy0REhbAruVFisqk1DYwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowFTETMBEGA1UEAwwKZWUtU0EtT0NTUDCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl +qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg +w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx +V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1 +MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs +vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMhMB8wHQYDVR0lBBYw +FAYIKwYBBQUHAwEGCCsGAQUFBwMJMA0GCSqGSIb3DQEBCwUAA4IBAQADFuhMBFjA +lxWKhGHuGJHQzzTIvLyAudXQiF2GtO/ZmvH3zgSfdbASU/H1H5F/JL8oH3zu1R6x +VNDFTLdwxTiAcScXp+97IWEnJbXpU73guH/AMUah/gwBRwV+0vmNPXlev0R9jfL8 +zw/kXsVgm/Lh95IOgGtCUH6UxNsks60xxPD1aOEqAcU1Qva4wAi929MzjqhR7uYX +7Tfun8ju6Vu41C6xcs9j+wabnAd3vumqIml/QJL/+PJFl81i6YNU77q4KUefGWDW +l7WDpOZFPSgzqPTvSxjOQaW1YJkic0lq/3ud0ljvSUcP02fOXBkugrODQpxYOiHW +gmdHVP4kQXKJ +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-OCSP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-OCSP.pem.certspec new file mode 100644 index 0000000000..3b3eff9ae4 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-OCSP.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:ee-SA-OCSP +extension:extKeyUsage:serverAuth,OCSPSigning diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-nsSGC.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-nsSGC.pem new file mode 100644 index 0000000000..319fd03dfa --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-nsSGC.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC1zCCAb+gAwIBAgIUObjrN+paYhRrbpkZSltbNnyDbI4wDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowFjEUMBIGA1UEAwwLZWUtU0EtbnNTR0MwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjIjAgMB4GA1UdJQQX +MBUGCCsGAQUFBwMBBglghkgBhvhCBAEwDQYJKoZIhvcNAQELBQADggEBAEA1ACys +GkObtiWt6/1YrMahD5DpPgD/fFfXo0vOQDBuMhEKpRDm70Wpu0glcp0a+uOsbrif +QlUEPY7FyGdtlH9MQS8biv48GenUNsRJs+AvjqIkY5PKhkH+mxq89O9Nz1JtFK7t +TFD8VbeR3J0EGE8X5/f01ftzzMYoVBqyLEQGYpnFia92oIxNhTtIzzUOP+DyHECL +cSpBBWhXSE8aQYTLpOljVAA0TmhGwqXGxwfoXrSjbdFaK4FDDXbMie214kNW/Zhj +NNiBsye3USuyDKKR4JuiMfAITpknbjW0Ugk/cO9tiagwtQGBlyzGHjZ4YjWbpSVJ +YPUBj+lRSbIIZe4= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-nsSGC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-nsSGC.pem.certspec new file mode 100644 index 0000000000..4c51425ce7 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-nsSGC.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:ee-SA-nsSGC +extension:extKeyUsage:serverAuth,nsSGC diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-SA.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA.pem new file mode 100644 index 0000000000..b461819bfd --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICxjCCAa6gAwIBAgIUFXurM57d4PLGyCwipLoDO2tuXRMwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowEDEOMAwGA1UEAwwFZWUtU0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9 +sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5 +TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7 +xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHd +tMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l +8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsG +AQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IBAQA//SBxqafXNJyykLLSpSSCDdZjorP+ +MuI0XsOYXTuFmnyDdWVEISJyx7aW7rEnrHEnbSDbMOTxB7u6FlMOd5xQnE6Z9IYa +JgJAWYkAt3g4uwjqgXGAduffm8cnuT1zX3XN/hdG7F+gNyrwgWhsBV9KsDUW19qO +u9NYeu+VYJ3d36fa5ZLcqJgb+1it7fX+ofaNqjchiADzTAsgxq4wvR+SNp5VmZk+ +aky/ZCDFtwYJTdwirkQfjGK3BM5iAP6ZBxZ20XjHaHZBfb3Fn4X6oS8GB1rbg5g8 +hQQrpNtZe7RgYk6kDcfa9t1o5ZJtUs7Irtk38gQvSBTNF8d1Fy4J+JEm +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA.pem.certspec new file mode 100644 index 0000000000..690f579afa --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:ee-SA +extension:extKeyUsage:serverAuth diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-CA.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-CA.pem new file mode 100644 index 0000000000..3f87628485 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-CA.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICtTCCAZ2gAwIBAgIUHchnUOOkEQ3AfkGRNaMhwR7U+U8wDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGaW50LUNBMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy +MDQwMDAwMDBaMBQxEjAQBgNVBAMMCWVlLWludC1DQTCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7 +wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCAp +k6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhh +eZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KW +EsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONssc +JAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0B +AQsFAAOCAQEAs+ymnpeKOcj4iCAksWRXPevZh13PdAbmzl4YgWyJrt7QlgrpBYiR +W3cFfYa/nBaYUehCeNEdR8V982i4XwSxliNI8P7KkIhT5bIUqlV4rDdREakDOR1o +TiP1rWzpG8wO05gb34yN7GGDrGfzBuUqg4F8zR+Ik12+FaAjrw5GQcK8/9EgzugW +TEWAAgdctilMcBrtbubRkKhEtKDwrL1hi/LCueZOMu/DtkqrLyRbMy6ZYx/lt6Sa +g5taNygf71ESl9zs0XIw47tpNerazYJppbFyWl419uKbuf9eAvVHW6OpdFPzNLSo +8lID+3W/wVrCz0Anzi2b+QSpwRgn7NFUEg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-CA.pem.certspec new file mode 100644 index 0000000000..670973930d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-CA.pem.certspec @@ -0,0 +1,2 @@ +issuer:int-CA +subject:ee-int-CA diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-CA.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-CA.pem new file mode 100644 index 0000000000..e5ac991bb1 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-CA.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICuzCCAaOgAwIBAgIUE9zsz/ZCfAas9g2RV2m4DJrYJLUwDQYJKoZIhvcNAQEL +BQAwFDESMBAGA1UEAwwJaW50LVNBLUNBMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAy +NTAyMDQwMDAwMDBaMBcxFTATBgNVBAMMDGVlLWludC1TQS1DQTCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs +9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8 +HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7Ak +kqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJet +lmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2r +kQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkq +hkiG9w0BAQsFAAOCAQEAswZPAmxHpnTQSh3Wk9g0mZPaiGsxvxYCetZ04BQ7KH04 +8ccWp/Ko1nDtjWJqce8NGqbGTE29ZsKQf6tfJqWPNioewtQwBk+4bev9xJShp2Z4 +ewUgH04r02tS2Iaj7JnUqKURpaLPXO2wGUcRfUAdmK58X+xz0oCEQ1tnWzI2HRql +aHT+dktk9115BKGzh8s3qnjbH8GMqUx8jwnk30+7jQdPeTkL3FNUtdzCbgg8c/N7 +YOz1XAWL8mPixxpJt82NCHam3ztqCqP77KmQ3meQ71i9+xxuTmCO1rzzS5O7pLJp +sKQeKHm9whydA+8ee9ZkwK1CLTsP0EmRO/aa3uDvxQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-CA.pem.certspec new file mode 100644 index 0000000000..bd012ab712 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-CA.pem.certspec @@ -0,0 +1,2 @@ +issuer:int-SA-CA +subject:ee-int-SA-CA diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-OCSP.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-OCSP.pem new file mode 100644 index 0000000000..63e97c0306 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-OCSP.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICvzCCAaegAwIBAgIUP5qx4XYdMSegOdUEcxnAtfiMkb0wDQYJKoZIhvcNAQEL +BQAwFjEUMBIGA1UEAwwLaW50LVNBLU9DU1AwIhgPMjAyMjExMjcwMDAwMDBaGA8y +MDI1MDIwNDAwMDAwMFowGTEXMBUGA1UEAwwOZWUtaW50LVNBLU9DU1AwggEiMA0G +CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erk +NUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwC +fs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1m +CyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTM +HGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m +1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEw +DQYJKoZIhvcNAQELBQADggEBAJkfXu+NMyWvMVI9mHdvu4nTcTFpMknmQqij+9O+ +tYPswurw/1Tyxb3cFjAGShusaJm1NzWFIG8e6oEA+hpt8k4g2WVJHeSCIeHUZo5h +AHqwBL/TkLd8jjUdUevFzXu+iwfGbAcmW9H/t61+p4k/xMv5tZ1+4RHa3ey/o7Ng +e2aVMQfg9JqaUFpjvKI8EqumJezr7Kv+jHc89cw3hzlpPoMTSmScfKN5yD3Qz/PF +hfR3sEZ7Q9KAvNFjZeP5Mh1exnUFWL/NyFQmo0ec+Hlh9YzrpcKhmoyaPgWZ5ssT +9vLHbhtMXwp971H4kh4yuofWxud4A/6b5w4uFRsDajARQHs= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-OCSP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-OCSP.pem.certspec new file mode 100644 index 0000000000..2374d248f6 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-OCSP.pem.certspec @@ -0,0 +1,2 @@ +issuer:int-SA-OCSP +subject:ee-int-SA-OCSP diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-nsSGC.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-nsSGC.pem new file mode 100644 index 0000000000..43f134eeaa --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-nsSGC.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICwTCCAamgAwIBAgIUIYjn3UW5pUXKIt8l3bYj/Halm7gwDQYJKoZIhvcNAQEL +BQAwFzEVMBMGA1UEAwwMaW50LVNBLW5zU0dDMCIYDzIwMjIxMTI3MDAwMDAwWhgP +MjAyNTAyMDQwMDAwMDBaMBoxGDAWBgNVBAMMD2VlLWludC1TQS1uc1NHQzCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ +6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUk +nAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N +/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAG +JMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd +7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEA +ATANBgkqhkiG9w0BAQsFAAOCAQEAfC/uTkGqVx3apqzpJvF+TaWFMh8gLbBKZRWD +Cjfly6crWNhONv+vHmbu9Tzh2NeasBsyfnln1phUF9msFg5/GDpbShOIJRv7olHt +mQA8D/M7JzKDGUcro8y60I5AZEmcd8JeMqHfz6/IPTf5sUGm+wnBicKwqCprKxQV +JRHld6hlf8aa/Y5OXoYnVHhC2BruarxTDvD96vcyCXRFQCpOijA28V/ROYruxYyf +M2l2AJSxnjrWaTYJEJXB3j4sFa1ePjxZiWROPf86EwJpqf4jYqUD8VTUqfyIbaxt +6YaCQ6HAsNL+oiF7iSPCxlYRVAYdobPqq52keIqRXELR2JX0Wg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-nsSGC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-nsSGC.pem.certspec new file mode 100644 index 0000000000..6c3cb64730 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-nsSGC.pem.certspec @@ -0,0 +1,2 @@ +issuer:int-SA-nsSGC +subject:ee-int-SA-nsSGC diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA.pem new file mode 100644 index 0000000000..bdd82e942c --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICtTCCAZ2gAwIBAgIUOYiNPy7G5KxoSBi83HlrLA+DH4kwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGaW50LVNBMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy +MDQwMDAwMDBaMBQxEjAQBgNVBAMMCWVlLWludC1TQTCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7 +wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCAp +k6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhh +eZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KW +EsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONssc +JAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0B +AQsFAAOCAQEAOmuFlvztDm/71lN5fqx7jH1czCCxaUly2TB5lrnCDf9NS0Ah2wng +AoITfXaBHxxQc8aulZfvoDAQujk+xNXpLIRB3FpH6oJwgeCWupSBvkhK7YnIOEn0 +y+acoxEdo+yhpamg94GMundHxsDIHuSf0aAlyOqPPgs3iR1AYoVlHQrISJB89MoQ +bK0vypqNOrPSZqBJKmYdleoI7FZBwaRSo57DG8hUOot7xcYAnchL5UcYwjf3qcze +6rc7Fa2U7diuEuobU1e6uUAxeG/L7BroBpUlwh0TdggPsmfCeiSlVRH1zcjnnsbq +iJuNO3TS0g1/o3X6BW4jU87UDAFF8AKw4Q== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA.pem.certspec new file mode 100644 index 0000000000..72ddb78dfd --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA.pem.certspec @@ -0,0 +1,2 @@ +issuer:int-SA +subject:ee-int-SA diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-old.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-old.pem new file mode 100644 index 0000000000..8e8d4c2c04 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-old.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICwzCCAaugAwIBAgIUB/nCi+kTmIkobMVqQFtJnevhGwEwDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNaW50LW5zU0dDLW9sZDAiGA8yMDE2MDcyNDAwMDAwMFoY +DzIwMTYwOTI0MDAwMDAwWjAbMRkwFwYDVQQDDBBlZS1pbnQtbnNTR0Mtb2xkMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08 +E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc +1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAP +DY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQ +gAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqV +YR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQID +AQABMA0GCSqGSIb3DQEBCwUAA4IBAQBcxzg5hx9tQ57Jv3wibAhPktjmqapB2suH +eGE253Xn5haGq+0E3Qkmn7oF1ou6QyLvP+qbElhkx7+eEvhMhzRZFU8XmxzHRqbb +dZ0/MQw+aLEOc4Utl+1n3pDbVhBjoG3yVxyErndHfyXg+hNPMBEPvtfMYnSkKHX1 +3w3pJSs8HtUNMG3jecwXOJic0kUu6V5npNC0KTeZq4OOzp48WCpEfsQ6W5MzR4PN +mrCVU2t1GzCKRNA8E8a9unOcxnukz8FaY9RCkeW3cTwRNt0VaFprX32d1C4mz5rV +vNz/TGA0jy2b4Mg/dpGXrxqyRy1mG3zfs7sDhEoCxLsd/7ytu/bs +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-old.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-old.pem.certspec new file mode 100644 index 0000000000..a21b49b783 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-old.pem.certspec @@ -0,0 +1,3 @@ +issuer:int-nsSGC-old +subject:ee-int-nsSGC-old +validity:20160724-20160924 diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-older.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-older.pem new file mode 100644 index 0000000000..4acdf7b59d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-older.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICxzCCAa+gAwIBAgIUYfx/2lyIWKMRlK/zS6/kmkp+t/MwDQYJKoZIhvcNAQEL +BQAwGjEYMBYGA1UEAwwPaW50LW5zU0dDLW9sZGVyMCIYDzIwMTUwNzI0MDAwMDAw +WhgPMjAxNjA5MjQwMDAwMDBaMB0xGzAZBgNVBAMMEmVlLWludC1uc1NHQy1vbGRl +cjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogG +NhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqn +RYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHu +p3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQ +Lzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p +47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo1 +7Y0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAbCqK5OcHMj28V1PKiL4CHeN2oTCj +pObUJrAUqsHJbqS2Q+huzzoSsL+yT4uKeiuDMZnKOm8OIZMtM7M4zQb6b5H1Wqm+ +fM5384kUubmSG+CzUd4adK8NjSwgYhgdvAecbzhPS1GUlai9qDJU+elQVIrNZCL4 +6B634koCQkarYybibdXgoum9zzcla0TRXe9rHjb8VYe+BH7tLAnWGpUqw4x36Buz +gv605ApVb+QDAB9NH4/EZ1TXuKby6I9I19EkfADHL5XUKHGFH2EE+6Fsqihgu3QG +NRYMU2GL79bZcwOm2t2v+ZB2fp+UlEs8nykWY7PgwbJ+ObgSauNHhKi5DA== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-older.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-older.pem.certspec new file mode 100644 index 0000000000..93e1831a32 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-older.pem.certspec @@ -0,0 +1,3 @@ +issuer:int-nsSGC-older +subject:ee-int-nsSGC-older +validity:20150724-20160924 diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-recent.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-recent.pem new file mode 100644 index 0000000000..557c8276e8 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-recent.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyTCCAbGgAwIBAgIUE/PT07mikR8SeEYcqdLT8IL5vMIwDQYJKoZIhvcNAQEL +BQAwGzEZMBcGA1UEAwwQaW50LW5zU0dDLXJlY2VudDAiGA8yMDE2MDgyNDAwMDAw +MFoYDzIwMTcwODI0MDAwMDAwWjAeMRwwGgYDVQQDDBNlZS1pbnQtbnNTR0MtcmVj +ZW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62 +iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHql +WqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosq +Qe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ +ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8i +b2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoY +CjXtjQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAKnYtenyuUSykB8EP4IkEeeVPo +PeZpLKEHHr9CnjIC8b0lHhTsFQhIiNsCWt8xh+JS273QJi/A2rdo1M4KiMZyURne +RZvTBpFu5F8E+VixDP9xmpAffrgqPqgNRyN+co7tUQZgsJHhb8LSKKMHQTMTBOgW +nrVlMR+MwXBBQx7Yc7KkVob8DMWmIAAXlv0JY6ID2lRb4haBVS1gsPIj24mVF8XG +dRJIgtVUvey49/PvErG6FNA32QPDCyv9UOkX9mtpnu9dT+v6mAkbRcSDYAsTTWh2 +seog8fOBA8WoqO+EtTIY2VLiO2G8pTp8MftYVc1Mhd5Kh/ZT+PtdngloPnDM +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-recent.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-recent.pem.certspec new file mode 100644 index 0000000000..4a3ad8ec05 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-recent.pem.certspec @@ -0,0 +1,3 @@ +issuer:int-nsSGC-recent +subject:ee-int-nsSGC-recent +validity:20160824-20170824 diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-nsSGC.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-nsSGC.pem new file mode 100644 index 0000000000..7adea67ec3 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-nsSGC.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyjCCAbKgAwIBAgIUDZFQotE9q8gc3a3O4d9a1PgjqXowDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowEzERMA8GA1UEAwwIZWUtbnNTR0MwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg +2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ +5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQ +PdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGj +DJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8W +iy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjGDAWMBQGA1UdJQQNMAsG +CWCGSAGG+EIEATANBgkqhkiG9w0BAQsFAAOCAQEAir0+b53o/nKoO+z/UJprnGW8 +CJ+WrBUnjuk1NoF74BgoQKSlG2ZlPwkJKAu8Ve8U3W2qIifno5KaqSxdpD+SFCHM +UwysBopkxWYw2OnrbFY5+wKDbKbLU52wAL/os0Le7HzmcGYCMRrY3PLFEsBptK+V +d5G81q9xwm71PiYtT552RJ91R2SM/EUwgmsvpnelbxP1pJ6Plo+MyvPTnKWZIqF5 +8dKOlAXISiGKAAecp8zxd+jb6AfFKI57WFO6YQQjp2VNki89W1gXCTBqYwZMZx7c +tNi5yQqqV9yK5Ip3ANVO439YlfC4gXsK+7hWdCY8SAFUw5PK9lV1ADApU729Sg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-nsSGC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-nsSGC.pem.certspec new file mode 100644 index 0000000000..43d58ab6d4 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-nsSGC.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:ee-nsSGC +extension:extKeyUsage:nsSGC diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-CA.pem b/security/manager/ssl/tests/unit/test_cert_eku/int-CA.pem new file mode 100644 index 0000000000..4e9e6cb3c7 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/int-CA.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC1TCCAb2gAwIBAgIUT16BYsC9ZI2vDs6QjSYscUuqIyswDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowETEPMA0GA1UEAwwGaW50LUNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf +vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb +uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S +O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR +3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv +5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoyUwIzAMBgNVHRMEBTADAQH/ +MBMGA1UdJQQMMAoGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQCqtlp70MzK +N04U3vih6vGBQ3uGLrNt9BLPyKMYeL3eBo6A1gpSqYf/Sck0Cz+KfeNsusL8inIU +PyGCs9gT1wxrdQxYjfHJMXMrP+u1mDv6eNAXLEXTw433wvIc5VjyWcC8NzzaRuz+ +q6QI9xFCWpfoRWYLEXGvBQlOl7DhoFoiMc/Kx8KPJjLj30E5ADG7ynEwTHaEWNu+ +W4rtXJFoWWbrcMLiltoGuwXKJMTZXqCxHbE9kPsFfSxjH3pQPrtf4Y9W40U6zptx +fMUsRGQJ62mt6Tw3OqRbKkG+fRTaVepSCb8mWNf1W1MiHsPaj1PJpcGsVFu3Gm5l +BkhLeYqX2Go5 +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-CA.pem.certspec new file mode 100644 index 0000000000..e5bc18198c --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/int-CA.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:int-CA +extension:basicConstraints:cA, +extension:extKeyUsage:clientAuth diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-SA-CA.pem b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-CA.pem new file mode 100644 index 0000000000..a5ef270a62 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-CA.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC4jCCAcqgAwIBAgIUP4iCpE43O1hPtEZ/fyTFYWSLc4cwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowFDESMBAGA1UEAwwJaW50LVNBLUNBMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo +4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDD +SeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFX +kD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUx +owyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/ +Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoy8wLTAMBgNVHRMEBTAD +AQH/MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsF +AAOCAQEASW5cZorOprQwrEB6YMx0DgP4yM+A7xJrvUKYdz3kYp428BYeSLsl8z0I +fwEOscPDq9rpcYZrxs/64zQ3a1AxQZFWZc/xbTLBGfps5TWTr6bjje5SuFzvPQxu +nBLptAO+HGXMhPDTs2KA7QVafTP0PH3YsQKIYMjTAV7KbIKYJETYJom3X8uVBhiT +bKyCfBkPAyR1D2+u5hRHte4Y8Z4SFi4CwqlUyJ6ppikhGjV8SCQT2jxT78LrFbjT +kbzQza/x7rs1PyqSm2chLxzGV+BUy5V0nJtA+t1Be95zIeJN1FSFvtOu2KpDvz1b +9ZBYKb5AIf2QjJFIp7o1Rolj0P17Iw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-SA-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-CA.pem.certspec new file mode 100644 index 0000000000..94e9a42d48 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-CA.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:int-SA-CA +extension:basicConstraints:cA, +extension:extKeyUsage:serverAuth,clientAuth diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-SA-OCSP.pem b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-OCSP.pem new file mode 100644 index 0000000000..83016639f4 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-OCSP.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5DCCAcygAwIBAgIUV9daiZoGrruzgU7Afj/Oqpy1QcswDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowFjEUMBIGA1UEAwwLaW50LVNBLU9DU1AwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjLzAtMAwGA1UdEwQF +MAMBAf8wHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMJMA0GCSqGSIb3DQEB +CwUAA4IBAQBoOOa+LtSngPz1QBWCFBboX9pMXm64hwKgBkMncJVPJIqpmf7HyxJz +h2It7GiMGcYuGxDct/GpHGR9TzLoznajV9DcXfvnBtrBZa/G8I80EqVdbDkLURP2 +7khBWv3790vhQeleM2v8jfLeTTxzQIDy57Mg1K5yKDKRpDZWXAJ6wvLbODbHq9t+ +D190+G7EihlN0Md+APUSzEgPMzqDtp0ke3Al6euO8m8CganCdTJ4lo/SG2jfW2oS +L/yi+pNuevxQoE7myIV47dSTfsyWFD2E2GAySyUAtUQyIS9ALicaaoElaOeT7Tjk +FOTlG3kVrhf1+VrKvVjxYd+2mh2hHTTh +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-SA-OCSP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-OCSP.pem.certspec new file mode 100644 index 0000000000..c38a640b9b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-OCSP.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:int-SA-OCSP +extension:basicConstraints:cA, +extension:extKeyUsage:serverAuth,OCSPSigning diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-SA-nsSGC.pem b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-nsSGC.pem new file mode 100644 index 0000000000..ee0d8f799b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-nsSGC.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5jCCAc6gAwIBAgIUITyADt0JBYv3EAW83CqAdT2fbjowDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowFzEVMBMGA1UEAwwMaW50LVNBLW5zU0dDMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozAwLjAMBgNVHRME +BTADAQH/MB4GA1UdJQQXMBUGCCsGAQUFBwMBBglghkgBhvhCBAEwDQYJKoZIhvcN +AQELBQADggEBAHuikV1cMD7zxYKkZ7rY9AA4d+TdugXU/70ygEZK4uKESN2MuHoG +k7hyfSsEi7yPWp3QxddaNHOYjjpAGNeZEl2ED1fpfv+c76gSMfsnZJqz2GxRnxFV +evmklE6C6Kze0hnWAUxtxWRCT1Kno5f4z2zIATy90q64owx7F8glRuDUq0vWXp52 +UX4vPDaSpQK4+PQ0g0dKL/kGZrWQgTJUbjcCknW5ZFSpnT+GULrYJC41LBZQYumg +hprz15Q5SDq2EYpURahVOOi+H+tQ+xp15fysWSpmdWpJ/+H5a8iWyf19iBYKDtjt +ck1UrabNzbApyYA2uvqXX4udezF02myrYkE= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-SA-nsSGC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-nsSGC.pem.certspec new file mode 100644 index 0000000000..c84201d874 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-nsSGC.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:int-SA-nsSGC +extension:basicConstraints:cA, +extension:extKeyUsage:serverAuth,nsSGC diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-SA.pem b/security/manager/ssl/tests/unit/test_cert_eku/int-SA.pem new file mode 100644 index 0000000000..9da6a3819c --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/int-SA.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC1TCCAb2gAwIBAgIURcr7Ci/OweRs9NajK7vt5mCQipAwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowETEPMA0GA1UEAwwGaW50LVNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf +vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb +uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S +O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR +3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv +5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoyUwIzAMBgNVHRMEBTADAQH/ +MBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IBAQBMrePcTsHT +nLBSjhQrJNwM19i2ENWe1025Y7Dq+XDy6p2vwTpDV5XZpc24Oi8yEyccIHOXyey0 +YtvGeNEe8Z1zzXHjD8wQfmt2AU/9VU9niIWaZRjkt0jkkGBqyC5s/Djay3JY/4UH +qYyq3KU8Jj8E20CcD/3Qa1aYoMRx4q8aUVUzjDk4JEKkCH/v6GTQoSXufgrqUVa5 +8CxRIOcsDlidklIZIRL5fboWkAjkJ54aVj3uyo2GgPKJVMulH0GnorY6tQBcL+zm +c7Bd7Z+X2xzAI3hbKoJMSSJXt/Mo/OgBCoAk30KDUDaRcrhVbrFKpF0PSj85Lf6E +hfdCAphhJF3D +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-SA.pem.certspec new file mode 100644 index 0000000000..74bec2b21c --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/int-SA.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:int-SA +extension:basicConstraints:cA, +extension:extKeyUsage:serverAuth diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-old.pem b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-old.pem new file mode 100644 index 0000000000..e0deef7c3f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-old.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC3TCCAcWgAwIBAgIUbXK8dZ2kTHVUtKZ1Uamdr5h27tQwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNjA3MjQwMDAwMDBaGA8yMDE2MDkyNDAw +MDAwMFowGDEWMBQGA1UEAwwNaW50LW5zU0dDLW9sZDCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7 +wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCAp +k6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhh +eZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KW +EsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONssc +JAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMmMCQwDAYDVR0T +BAUwAwEB/zAUBgNVHSUEDTALBglghkgBhvhCBAEwDQYJKoZIhvcNAQELBQADggEB +AK/99QYaWy5/SG7iKiGwSgJ49hobsVUf4DTN9+4FIesvXNUtXc+vmPVNwgy8S4Kn +23zOUmp2LaRBQ3VxaiQ0o/RN3ZjULhPhGi3cHsjDTKXH3U0snAloUYONx1JCFOif +RWwLeiyps1oW9ARfUQrbQRtw87ospU5aJ7JSPoVgbCMXubmEpRSeTMv0SHdOs6g7 +ahSaoT7BBRuHDnCb8+ZR509H9Dc4M2Dv4lQ9vlWGZjXnfM1ImIeUBTWQ0fngyoZW +neTStGeL5MmCjjMMupJYbjNsenQXd9doD08+voOfmKgaMQDH0fgEACJHjmmt+eQ4 +j8WZP3lRZHZm/s23xNl+6S4= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-old.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-old.pem.certspec new file mode 100644 index 0000000000..35f61671ed --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-old.pem.certspec @@ -0,0 +1,5 @@ +issuer:ca +subject:int-nsSGC-old +extension:basicConstraints:cA, +extension:extKeyUsage:nsSGC +validity:20160724-20160924 diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-older.pem b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-older.pem new file mode 100644 index 0000000000..dd709c343d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-older.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC3zCCAcegAwIBAgIUITNR+z5zrXNAq+3y9u3et1fNp6YwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNTA3MjQwMDAwMDBaGA8yMDE2MDkyNDAw +MDAwMFowGjEYMBYGA1UEAwwPaW50LW5zU0dDLW9sZGVyMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds +JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4 +ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25 +iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3 +4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42 +yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoyYwJDAMBgNV +HRMEBTADAQH/MBQGA1UdJQQNMAsGCWCGSAGG+EIEATANBgkqhkiG9w0BAQsFAAOC +AQEAtkFQHiG8UeleNMgvJVneYQzIQt8wiZwudAH2FdiyeCtYUp95z19IzPlZeYq0 +FXlMJJ+SOn2wSZ9jHshV5VF8S4Rb3ou0EVJcu+X7cs3jOuLtV/KwFDKXrncWpF7L +sH1yGVkAUNMQlE52MgPxg7P6yd+lbU9MlqD5rpifsAecrXzctzi8l3qb2UJvkHku +BLE+ViTnn9RFDQFQ/1AAF9cbSJaUF0rwWznXpB0PAu+v9lBpn9a83/GXZc1SO2mE +MIdgRpuB1Lr+wZq5ulXHAeBJ+kH8lrG2CIXSQPFQjPfiS2D5hM1cdd7GSEh4BoZv +AbTKG12NXN9AG7RpG7upSBG4mQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-older.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-older.pem.certspec new file mode 100644 index 0000000000..f7a870c0f1 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-older.pem.certspec @@ -0,0 +1,5 @@ +issuer:ca +subject:int-nsSGC-older +extension:basicConstraints:cA, +extension:extKeyUsage:nsSGC +validity:20150724-20160924 diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-recent.pem b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-recent.pem new file mode 100644 index 0000000000..c5c8e724c2 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-recent.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC4DCCAcigAwIBAgIUec5AldPAXDY+y1Q7RfO4SfvteiEwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNjA4MjQwMDAwMDBaGA8yMDE3MDgyNDAw +MDAwMFowGzEZMBcGA1UEAwwQaW50LW5zU0dDLXJlY2VudDCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX +bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ +OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9 +uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb +t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO +NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMmMCQwDAYD +VR0TBAUwAwEB/zAUBgNVHSUEDTALBglghkgBhvhCBAEwDQYJKoZIhvcNAQELBQAD +ggEBAJO1C5eYEk2/+xvgWsCsUZi7PMoZLhb5Jb2V61JMWREfCozmYepqlamR6IZV +fn5Q9OClLtAzSybeia40nsW/xb/o+5zJn0rPzk6JIsMToJk07fqp+uG9LbAM82IV +RnHzmCS4/3n4fl1k1GGL0A/NYBUsilY9oKhVl1zukB/z3ALp9LyProNLsEZmWkl7 +F07+lR9PPMOqA1SuDJmZMyZ4cKDyYYF7NYKGi57xpgpUXGq8IPOKKGq4XlYqQhOQ +sVSuc+16A+NlPwMogczcgTgy7QD6DF4WNOCDGwuF0YB7uROEbYvh4lkKJfhnAtb7 +1/xnmTVssnCTsbppIiXtKs8zzu0= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-recent.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-recent.pem.certspec new file mode 100644 index 0000000000..f421ddc1a8 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-recent.pem.certspec @@ -0,0 +1,5 @@ +issuer:ca +subject:int-nsSGC-recent +extension:basicConstraints:cA, +extension:extKeyUsage:nsSGC +validity:20160824-20170824 diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null.js b/security/manager/ssl/tests/unit/test_cert_embedded_null.js new file mode 100644 index 0000000000..c23717252f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_embedded_null.js @@ -0,0 +1,54 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +// Tests that a certificate with a clever subject common name like +// 'www.bank1.com[NUL]www.bad-guy.com' (where [NUL] is a single byte with +// value 0) will not be treated as valid for www.bank1.com. +// Includes a similar test case but for the subject alternative name extension. + +"use strict"; + +do_get_profile(); // must be called before getting nsIX509CertDB +const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +async function do_testcase(certname, checkCommonName) { + let cert = constructCertFromFile(`test_cert_embedded_null/${certname}.pem`); + // Where applicable, check that the testcase is meaningful (i.e. that the + // certificate's subject common name has an embedded NUL in it). + if (checkCommonName) { + equal( + cert.commonName, + "www.bank1.com\\00www.bad-guy.com", + "certificate subject common name should have an embedded NUL byte" + ); + } + await checkCertErrorGeneric( + certdb, + cert, + SSL_ERROR_BAD_CERT_DOMAIN, + certificateUsageSSLServer, + undefined, + "www.bank1.com" + ); + await checkCertErrorGeneric( + certdb, + cert, + SSL_ERROR_BAD_CERT_DOMAIN, + certificateUsageSSLServer, + undefined, + "www.bad-guy.com" + ); +} + +add_task(async function () { + addCertFromFile(certdb, "test_cert_embedded_null/ca.pem", "CTu,,"); + + await do_testcase("embeddedNull", true); + await do_testcase("embeddedNullSAN", false); + await do_testcase("embeddedNullCNAndSAN", true); + await do_testcase("embeddedNullSAN2", false); +}); diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/ca.pem b/security/manager/ssl/tests/unit/test_cert_embedded_null/ca.pem new file mode 100644 index 0000000000..90b269209e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/ca.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyTCCAbGgAwIBAgIUCytXeIVSOQ622rYL1uaLSms7TrcwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG +m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr +bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4 +SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3 +/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z +FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYD +VR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQBEpBaH+earFBTSrKZUsUmxH5q1 +9Ln/OCzi1hB5IHo3haTTKl8xrTe5sI4A7knfwbz9AwbLRW0L3zIAJGPjxhMDxYjn +t5YTQLQwZEbru2A9wCOELiDbXH1kJl0yI2JdGwGMwZ4Y7ifTG5EUEQeVFnDTc2xA +4W/RZBld/6Iqb2ECMc20tjvBSo9YCJ7OEz+gva4OBx+BtK7LHRVLEMBGYet64wi4 +5Y8cdzMwsV69tlLffrwLV32TCt1a4dNLmq9g/vgaONx1B9ltxq8fc8ErzYvYTLsh +0FY0VD/EabvGDnLuIHfTnuD5bbKhRFD8vOEoW+NKEVn3JveM8z6z0LQqt8CB +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_embedded_null/ca.pem.certspec new file mode 100644 index 0000000000..6660f5d478 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:ca +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNull.pem b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNull.pem new file mode 100644 index 0000000000..db898538a5 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNull.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICxTCCAa2gAwIBAgIUSW4CgJ6IkFhv/K0x6cY0gjS9lUswDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowKDEmMCQGA1UEAwwdd3d3LmJhbmsxLmNvbQB3d3cuYmFkLWd1eS5jb20w +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQ +PTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH +9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw +4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86 +exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0 +ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2N +AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAF5Bq4udVIsjOTR5V4WzBODNyT5fsBbA +E+apdaosxvkPPv83g4qeSyP3rtIACuCPLk3AxapcRnvaavfP2MAHdkbQGpczV+2s +1RZN94T1ixay8VGQfo5MBYREdSNo5nKUJQceoXUCR9wfOIXST1uBbsua5cW9gN2z +U2QdzsjN5e77FA6M142Sqa72hYtUp+9ObOPlzNxWs8Nh1g9R/LKk1Rqgfo01w5Xd +Vnv0SeCKsvlTgWGJS1CKqM+alR2WLKPwmOKbUYA0AhByCcfWiDV0NygtuOd/R3aS +liyFTG1r34MMLJfXHiBBOJJ0haDTXX27nqC+jGOqZkvQgM/YA0ZiRnc= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNull.pem.certspec b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNull.pem.certspec new file mode 100644 index 0000000000..d1a32349a2 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNull.pem.certspec @@ -0,0 +1,2 @@ +issuer:ca +subject:www.bank1.com\0www.bad-guy.com diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullCNAndSAN.pem b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullCNAndSAN.pem new file mode 100644 index 0000000000..532c76b044 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullCNAndSAN.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC8zCCAdugAwIBAgIUY1NDoZUfpOeIr6u0nQSJqdZnj3kwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowKDEmMCQGA1UEAwwdd3d3LmJhbmsxLmNvbQB3d3cuYmFkLWd1eS5jb20w +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQ +PTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH +9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw +4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86 +exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0 +ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2N +AgMBAAGjLDAqMCgGA1UdEQQhMB+CHXd3dy5iYW5rMS5jb20Ad3d3LmJhZC1ndXku +Y29tMA0GCSqGSIb3DQEBCwUAA4IBAQBI1NuS+OXHUhjg6BDmG9aGCLNE29h7qbo8 +hf2UmAJBJKLgatbCujkOQlzE9qU7xpjhuJAMeS1avKuusXJj2hH60oBYqaw6+jFm +7TQwylGOx63X8hFoTrDBQf2jT2cm/hI6tv4v3dwu+1e92UqjRrXMd4DsT25GzyNU +pt7MY02eI76mx6lv6QD/1NGbA1iARcd6rUPdX2giQBtCQ8JsSd07hPYxl1nhjKk2 +nvIAr4pqnN+53/tKm37Fl5M1smBQYGo8Zd4QvsxFdbpBgZ6DGaymtJk++6jzG5gj +lc0b2n/g22VyDvqQ9jDhRUkfVIHqU2B1l/iJw8/fq+hW7S6ewxUB +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullCNAndSAN.pem.certspec b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullCNAndSAN.pem.certspec new file mode 100644 index 0000000000..1029d6cdd0 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullCNAndSAN.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:www.bank1.com\0www.bad-guy.com +extension:subjectAlternativeName:www.bank1.com\0www.bad-guy.com diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN.pem b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN.pem new file mode 100644 index 0000000000..934c1d756a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC6TCCAdGgAwIBAgIUYeZpvD7fZ4XQm0xEoGEMzCqZXcYwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowHjEcMBoGA1UEAwwTZW1iZWRkZWQgTlVMIGluIFNBTjCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs +9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8 +HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7Ak +kqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJet +lmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2r +kQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMsMCow +KAYDVR0RBCEwH4Idd3d3LmJhbmsxLmNvbQB3d3cuYmFkLWd1eS5jb20wDQYJKoZI +hvcNAQELBQADggEBAC/4E5APdTwhhr/li4zbGNBhkiwr59oA3cVDP4NHoh0DyKJb +l4EefchtUOXNZe1GyS8K48JeDT6pedM08rdVZrqlNS2f2YfgkxZH1lk4Yqf6s6Lq +7v9VaJerLTDmDL2OXLIZjDULN5NjVvuWMcYlGBCpPntbbd5hWXECRZXp5NddAXy3 +uHk3NhZmt+HH3J6fzMiiN4MabhJ6m+vqP4S+aNVkCKB37cbZfCxu/O8TrQjZ4JC5 +XDe7L/Xbd8JqfAcKoY8HBWhWwk0a3/9KXXMOLyGG6J5KoRYxO5sgvLpIrUO0xZeU +C3r/t46WC8kRZgfLdKMizBnChQyFM+Pd1cRYxEA= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN.pem.certspec b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN.pem.certspec new file mode 100644 index 0000000000..f224888eee --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:embedded NUL in SAN +extension:subjectAlternativeName:www.bank1.com\0www.bad-guy.com diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN2.pem b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN2.pem new file mode 100644 index 0000000000..b0d2921c70 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN2.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC7jCCAdagAwIBAgIUV1dlIGRW1pojbxxDG06QuK12TKowDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowFjEUMBIGA1UEAwwLYmFkLWd1eS5jb20wggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjOTA3MDUGA1UdEQQu +MCyCC2JhZC1ndXkuY29tgh13d3cuYmFuazEuY29tAHd3dy5iYWQtZ3V5LmNvbTAN +BgkqhkiG9w0BAQsFAAOCAQEACZSJD0vyJtCWL6AgCKaZ8AFSCyN4A3mztbZj8hxM +LGrA3QiwKzbGSv294MnzmtcE9Nd4AMWfLB96FGjLArIr+rSt+T7x8mw9TX0T+5N3 +/0HznoleG8jkRX841b7KjdK+e1rbDJoPGxzqKhGSTMJZA3R+cAZq1jFk7dudUfb8 +PVQNsr2/FDcujeyGtpQ0APqcDZP0AmeBhOGYB5kvbh2Z/Gg+Sf5vfRvnZtfnc5cS +xDaVvNWF6u4BLWbWLt0tYzvzAQEXiehnFqRoOMyR6kamqz5q+o58CHUSlhmoil+6 +8On3EmVPwBEFOHXix9XmISi1buEbVK/bw7sMXCWIaiQJ2g== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN2.pem.certspec b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN2.pem.certspec new file mode 100644 index 0000000000..d352d034b6 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN2.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:bad-guy.com +extension:subjectAlternativeName:bad-guy.com,www.bank1.com\0www.bad-guy.com diff --git a/security/manager/ssl/tests/unit/test_cert_expiration_canary.js b/security/manager/ssl/tests/unit/test_cert_expiration_canary.js new file mode 100644 index 0000000000..4f76555096 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_expiration_canary.js @@ -0,0 +1,40 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. +"use strict"; + +// Attempts to verify a certificate for a time a few weeks into the future in +// the hopes of avoiding mass test failures when the certificates all expire. +// If this test fails, the certificates probably need to be regenerated. +// See bug 1525191. + +// If this test and only this test fails, do the following: +// 1. Create a bug for the issue in "Core :: Security: PSM". +// 2. Write a patch to temporarily disable the test. +// 3. Land the patch. +// 4. Write a patch to reenable the test but don't land it. +// 5. Needinfo the triage owner of Bugzilla's "Core :: Security: PSM" component +// in the bug. +// 6. Patches to update certificates get created. +// 7. Test the patches with a Try push. +// 8. Land the patches on all trees whose code will still be used when the +// certificates expire in 3 weeks. +add_task(async function () { + do_get_profile(); + let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + addCertFromFile(certDB, "bad_certs/test-ca.pem", "CTu,,"); + let threeWeeksFromNowInSeconds = Date.now() / 1000 + 3 * 7 * 24 * 60 * 60; + let ee = constructCertFromFile("bad_certs/default-ee.pem"); + await checkCertErrorGenericAtTime( + certDB, + ee, + PRErrorCodeSuccess, + certificateUsageSSLServer, + threeWeeksFromNowInSeconds, + false, + "test.example.com" + ); +}); diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage.js b/security/manager/ssl/tests/unit/test_cert_keyUsage.js new file mode 100644 index 0000000000..a327cb41fa --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage.js @@ -0,0 +1,76 @@ +/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +"use strict"; + +do_get_profile(); // must be called before getting nsIX509CertDB +var certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +const caList = [ + "ca-no-keyUsage-extension", + "ca-missing-keyCertSign", + "ca-all-usages", +]; +const eeList = [ + "ee-no-keyUsage-extension", + "ee-keyCertSign-only", + "ee-keyEncipherment-only", + "ee-keyCertSign-and-keyEncipherment", +]; + +const caUsage = [certificateUsageSSLCA]; +const allEEUsages = [ + certificateUsageSSLClient, + certificateUsageSSLServer, + certificateUsageEmailSigner, + certificateUsageEmailRecipient, +]; +const serverEEUsages = [ + certificateUsageSSLServer, + certificateUsageEmailRecipient, +]; + +const expectedUsagesMap = { + "ca-no-keyUsage-extension": caUsage, + "ca-missing-keyCertSign": [], + "ca-all-usages": caUsage, + + "ee-no-keyUsage-extension-ca-no-keyUsage-extension": allEEUsages, + "ee-no-keyUsage-extension-ca-missing-keyCertSign": [], + "ee-no-keyUsage-extension-ca-all-usages": allEEUsages, + + "ee-keyCertSign-only-ca-no-keyUsage-extension": [], + "ee-keyCertSign-only-ca-missing-keyCertSign": [], + "ee-keyCertSign-only-ca-all-usages": [], + + "ee-keyEncipherment-only-ca-no-keyUsage-extension": serverEEUsages, + "ee-keyEncipherment-only-ca-missing-keyCertSign": [], + "ee-keyEncipherment-only-ca-all-usages": serverEEUsages, + + "ee-keyCertSign-and-keyEncipherment-ca-no-keyUsage-extension": serverEEUsages, + "ee-keyCertSign-and-keyEncipherment-ca-missing-keyCertSign": [], + "ee-keyCertSign-and-keyEncipherment-ca-all-usages": serverEEUsages, +}; + +add_task(async function () { + for (let ca of caList) { + addCertFromFile(certdb, "test_cert_keyUsage/" + ca + ".pem", "CTu,CTu,CTu"); + let caCert = constructCertFromFile("test_cert_keyUsage/" + ca + ".pem"); + await asyncTestCertificateUsages(certdb, caCert, expectedUsagesMap[ca]); + for (let ee of eeList) { + let eeFullName = ee + "-" + ca; + let eeCert = constructCertFromFile( + "test_cert_keyUsage/" + eeFullName + ".pem" + ); + await asyncTestCertificateUsages( + certdb, + eeCert, + expectedUsagesMap[eeFullName] + ); + } + } +}); diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-all-usages.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-all-usages.pem new file mode 100644 index 0000000000..fcc47fd85e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-all-usages.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC3zCCAcegAwIBAgIUDe1q6ojYziBSfJHkmTtEt83Vw1YwDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNY2EtYWxsLXVzYWdlczAiGA8yMDIyMTEyNzAwMDAwMFoY +DzIwMjUwMjA0MDAwMDAwWjAYMRYwFAYDVQQDDA1jYS1hbGwtdXNhZ2VzMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq +5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc +An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39 +ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk +zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u +JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB +ox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIB/jANBgkqhkiG9w0BAQsFAAOC +AQEAi+zmML7qfqbNp8rzPAkQd8P5vE0l5xG4AsylAzndmyL/nPfAQQMxrfuoa9zE +XddavSOSqFpatcenBiPwpggvq1j5UgJMOnoj3rBVjr8yCwwIg7x932yLsyJ9DHlb +qSYWVsDofJaSKzZIdDvH3yBQOpAh8uuRz+gDAhVD4nl5UflfbKMjsBZn3LNEHlFa +6OyAkQa+RXV91asanQb9rFRYM3c94Bh/HbqksGyS9jAA+QW9ce6VNVVjDVfWwCQ8 +vs76rirUlB6EMPVdUCnBJT/OZflAwlWF0+xoLG2ZmUIGWeazI0BjmMw7l9Pf2zqN +LG/Z/2D8TimQn2pAZjmOxjmrwA== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-all-usages.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-all-usages.pem.certspec new file mode 100644 index 0000000000..2ca523c74e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-all-usages.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca-all-usages +subject:ca-all-usages +extension:basicConstraints:cA, +extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-missing-keyCertSign.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-missing-keyCertSign.pem new file mode 100644 index 0000000000..3cef83be1a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-missing-keyCertSign.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC8TCCAdmgAwIBAgIUJZzH9PTBdr5A7FdPJ2L2b85kpuswDQYJKoZIhvcNAQEL +BQAwITEfMB0GA1UEAwwWY2EtbWlzc2luZy1rZXlDZXJ0U2lnbjAiGA8yMDIyMTEy +NzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAhMR8wHQYDVQQDDBZjYS1taXNzaW5n +LWtleUNlcnRTaWduMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohR +qESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+Kv +WnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+ +rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPv +JxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5 +Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6 +clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIB ++jANBgkqhkiG9w0BAQsFAAOCAQEAJAWJFj7CUXMnEtZO8VwyFIdOa32xxorC0n+1 +7rVpjN/6ukJ+hD4XdGSU6ypcQOPWGDxfarBLpRKRJ/rZ3ZlWc/c18obTEZpLxTiu +4CjnzGOHHRvJbkk5ZKZImUdI1NGctd8zyPlY5dRwRdwmQXqgL/v0MvFVv/89KtSA +Cs++LlA739IPksfAW7frrc0jriGqppI2k93ULLKRmnhPIlBckWGMgKJ+D9hjRSHH +yznC2RPlwwCRNUHTef9E5KCV6FuqShaqsTZMaytiSankzdJyg6KrqqA0SmQjFMGC +ZZnm4NMpJk6+lAKucCwZVWxxQBWhNwYoXITr3DcIlQ/rk6PowA== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-missing-keyCertSign.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-missing-keyCertSign.pem.certspec new file mode 100644 index 0000000000..26e0158ebe --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-missing-keyCertSign.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca-missing-keyCertSign +subject:ca-missing-keyCertSign +extension:basicConstraints:cA, +extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,cRLSign diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-no-keyUsage-extension.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-no-keyUsage-extension.pem new file mode 100644 index 0000000000..a6b33cf3fe --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-no-keyUsage-extension.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC6DCCAdCgAwIBAgIUd+/+b6OViN/z518Vygo0rIN07PkwDQYJKoZIhvcNAQEL +BQAwIzEhMB8GA1UEAwwYY2Etbm8ta2V5VXNhZ2UtZXh0ZW5zaW9uMCIYDzIwMjIx +MTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMCMxITAfBgNVBAMMGGNhLW5vLWtl +eVVzYWdlLWV4dGVuc2lvbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +ALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG +8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0V +gg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g3 +04hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l +0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz +/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zANBgkqhkiG +9w0BAQsFAAOCAQEAIL3PuRoO4pfu092wv07yfeAx3mH4TXmiI22IM03Suv3fOo8e +vf/5hCkFqevHVm7FeOC7hBUsT+WuJY/EdLWVULVDKyYiXuteeRMWACxaNCzs2hdC +K1pQ5JbszNJolMqCw9bwXC529nLaGEDRr7IHXkbLtkKZh+2onwVyMsNPwBzgl9yj +sU5WX4k8W8TBEu9qC1W+DXX3/oNKlaVStcdlzmr7m4E+Yf+uN8ZO7sftz6FhosCe +WctIBWP7b2ExQ9WV0RYAtZoVRpBJ4v7G+XMLjIL44BZvsWZsZTmT3Ze0s/EEOJEU +jQs6SAheC7Pelddacnj+1WVeFfZ1/sERFv8ybQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-no-keyUsage-extension.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-no-keyUsage-extension.pem.certspec new file mode 100644 index 0000000000..d32e6a6496 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-no-keyUsage-extension.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca-no-keyUsage-extension +subject:ca-no-keyUsage-extension +extension:basicConstraints:cA, diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-all-usages.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-all-usages.pem new file mode 100644 index 0000000000..b2d623f82c --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-all-usages.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5jCCAc6gAwIBAgIUF1M7zz4L8p/8GBCLnMudDPzK98YwDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNY2EtYWxsLXVzYWdlczAiGA8yMDIyMTEyNzAwMDAwMFoY +DzIwMjUwMjA0MDAwMDAwWjAtMSswKQYDVQQDDCJlZS1rZXlDZXJ0U2lnbi1hbmQt +a2V5RW5jaXBoZXJtZW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +uohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGoby +a+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWC +D/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfT +iEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXT +Ce+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+ +SSP6clHEMdUDrNoYCjXtjQIDAQABow8wDTALBgNVHQ8EBAMCAiQwDQYJKoZIhvcN +AQELBQADggEBACZoqnvECsTeCsXvcZ+Z9VeT8tZ+WppIXkDx2CwGJV37jr8YIqGK +pH2ehnTHw2LrKgwUruT87sDlB8uj2BOWNGsvkBEGyNIv8oEAIcLdUvUZAdMikkJF +OG+1TH9khFI/n7HpchM6rtYWLzxYTj04qoJ3eLF0hr33XoyOcPpsUSmrlkSAM4Yl +hsJ6iYpjxs5BWPhBSCvNaVCbkmpM7xiuHmL2tnMccE3V6qOnYkbKNyLQh78FE/gt +1isotOwmcqwabBa4u/9vRe4Ml7xsHVjwyDjcr1TCgsNPeFVVe4RyfPW6To6OHvph +L3pZNwXfzUyH9l8jtY+jcjYdJrU+ljDvioI= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-all-usages.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-all-usages.pem.certspec new file mode 100644 index 0000000000..0bb2721a31 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-all-usages.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca-all-usages +subject:ee-keyCertSign-and-keyEncipherment +extension:keyUsage:keyEncipherment,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-missing-keyCertSign.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-missing-keyCertSign.pem new file mode 100644 index 0000000000..7f5f825346 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-missing-keyCertSign.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC7zCCAdegAwIBAgIUYyAduDslJs5hBei/TBi9ZBAtpnYwDQYJKoZIhvcNAQEL +BQAwITEfMB0GA1UEAwwWY2EtbWlzc2luZy1rZXlDZXJ0U2lnbjAiGA8yMDIyMTEy +NzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAtMSswKQYDVQQDDCJlZS1rZXlDZXJ0 +U2lnbi1hbmQta2V5RW5jaXBoZXJtZW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf +vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb +uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S +O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR +3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv +5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABow8wDTALBgNVHQ8EBAMCAiQw +DQYJKoZIhvcNAQELBQADggEBAFLqg+rnWd1KVkqcURNvN2YqQal5VxjHtJtOYXEp +P65HyM5rK513E3u68LM+9tktHP5aJgQyHgNB3HaWDhmsiQm+/3k0kY4EOIkO1jAt +r/9GzgVmCpFLLIFa/KTv0t0ao3LPEHqdIgyAWHkWgD9aQcga0t3P4YMOtj6GEoYu +3nuZkEG8YttsbhSTBTZ3rLTjypjA30pIegqZfEgIzdajKHCE7J38+bqixgrE1gt4 +K5F/pKsCba47KD3JpMvvEKp5WtUUugtfUvuofyLnaDM5gLEQnDg++a/kM1C3a++a +N/tfO99TIANpZZaygc0AFKVOJpxgHu6hQkXC92rQhQxITYc= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-missing-keyCertSign.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-missing-keyCertSign.pem.certspec new file mode 100644 index 0000000000..567ab0ce2d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-missing-keyCertSign.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca-missing-keyCertSign +subject:ee-keyCertSign-and-keyEncipherment +extension:keyUsage:keyEncipherment,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-no-keyUsage-extension.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-no-keyUsage-extension.pem new file mode 100644 index 0000000000..94adc7aeb4 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-no-keyUsage-extension.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC8TCCAdmgAwIBAgIUDULiee2As2QvPhufHircsE44shgwDQYJKoZIhvcNAQEL +BQAwIzEhMB8GA1UEAwwYY2Etbm8ta2V5VXNhZ2UtZXh0ZW5zaW9uMCIYDzIwMjIx +MTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMC0xKzApBgNVBAMMImVlLWtleUNl +cnRTaWduLWFuZC1rZXlFbmNpcGhlcm1lbnQwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg +2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ +5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQ +PdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGj +DJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8W +iy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjDzANMAsGA1UdDwQEAwIC +JDANBgkqhkiG9w0BAQsFAAOCAQEAYTCX75wjj8tkN3Tl2LdB0zNRUoWt6skLIYTz +bwUC1fUE6iJpCWUX+pCLsl5V62uVJrD/7CM4LRH1leaIH5dqK8czmdPLQuJG0NOg +XjfJ7my83AsMHuZt+0P6c9FWbVKJlIH8tWh4SFfIhd/R9fNA75V+h8H776C6wWEt +UYwsYepJyUQwEdDmLmtyy5uLb1G9j6/J/MWfHUfGquXxgsJ6MBIK2+al8bqvwCbU +jt7nfn39811iH2fArH1BK64VBP/yzHaWbiVLG/lKz9VuY3Wz8jvR2P7FXWJYueTU +JTh+Z8VqcZ3Kdsdt82EDyEItU98hVgVxu+T8eBhYtyU/LyrjaQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-no-keyUsage-extension.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-no-keyUsage-extension.pem.certspec new file mode 100644 index 0000000000..c48ef66126 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-no-keyUsage-extension.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca-no-keyUsage-extension +subject:ee-keyCertSign-and-keyEncipherment +extension:keyUsage:keyEncipherment,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-all-usages.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-all-usages.pem new file mode 100644 index 0000000000..ee2e4bf68f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-all-usages.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC1zCCAb+gAwIBAgIUbXF/oBrS0e4ofRESqGt8eE+YGw4wDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNY2EtYWxsLXVzYWdlczAiGA8yMDIyMTEyNzAwMDAwMFoY +DzIwMjUwMjA0MDAwMDAwWjAeMRwwGgYDVQQDDBNlZS1rZXlDZXJ0U2lnbi1vbmx5 +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2 +ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdF +h/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6n +cOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAv +OnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2nj +tIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXt +jQIDAQABow8wDTALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQELBQADggEBAIt9ScT3 ++TtBpQKURJG3OiwEOtEg3LgiB2bOy8M5FfHrzJ91nvLXl5Jb/6yYLCsDAIJq6smz +4z+C2yH6M4UfGqU1RFtELOXD0QLR3695woGX94jYw7wgbAwopj/osjQDmEC3AWHk +3T+gQqpnWYJNIVbwjIaZ+3PF1IkWj5CaVAIyeVRONPbhmpK9B7t4ypTmFx0lPjT8 +RpJY2c2t7O3nS9cjKfjNry47+AaaM4qkXKxPn7IWQXHWSBetcS//voiirhgBjmSq +XijFLzs0iTrZZttqlQUzgrckcp4sW37iIz7WXjVGSqsGmEKkSEjzfUhuRANUb4C1 +lsRUbHG+bFei0T8= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-all-usages.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-all-usages.pem.certspec new file mode 100644 index 0000000000..c495ca6d0e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-all-usages.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca-all-usages +subject:ee-keyCertSign-only +extension:keyUsage:keyCertSign diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-missing-keyCertSign.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-missing-keyCertSign.pem new file mode 100644 index 0000000000..ef21fcf058 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-missing-keyCertSign.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC4DCCAcigAwIBAgIUSyMlnKNqTTIqO3hMZIi/JHUbxs0wDQYJKoZIhvcNAQEL +BQAwITEfMB0GA1UEAwwWY2EtbWlzc2luZy1rZXlDZXJ0U2lnbjAiGA8yMDIyMTEy +NzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAeMRwwGgYDVQQDDBNlZS1rZXlDZXJ0 +U2lnbi1vbmx5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESO +FtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVr +amRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWka +sdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbY +VbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6n +aOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHE +MdUDrNoYCjXtjQIDAQABow8wDTALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQELBQAD +ggEBAFzvKvBkm2n5A/4EKpY8zCEtkyRu7O7vPS1QhesGl3X1M7vdPqi6aG/I4F1k +57cpovroCEFlFSUSFEom+xRyMHL/435vHnI+CrDc3F1R6/RIEO78zLf6kNuzKDGJ +BqtT1/JrirPSIvvH6g7LydZdNERDzz9EFhCE87dEC8caUcyknnp6zvgPd/EVQFQ6 +5EXMPRWO5ac4MnmDuCLuzGbL3LVp9A/4An0I86HXnkJt70R7sMSMpbCEaWHJPVj3 +gEeXZLchGpfpb2sQR1Z3BzKEQk748Ssan+DOH7A8OQB04jYd5C18vpK/V1NLjVgg +wZ+ayNVtKZ2ph1RHaXZYZYOWnkg= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-missing-keyCertSign.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-missing-keyCertSign.pem.certspec new file mode 100644 index 0000000000..23ddd0eb8a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-missing-keyCertSign.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca-missing-keyCertSign +subject:ee-keyCertSign-only +extension:keyUsage:keyCertSign diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-no-keyUsage-extension.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-no-keyUsage-extension.pem new file mode 100644 index 0000000000..82e4e1ad10 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-no-keyUsage-extension.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC4jCCAcqgAwIBAgIUezNkrO9AXj4PC4Jwdpeq9tNO3gYwDQYJKoZIhvcNAQEL +BQAwIzEhMB8GA1UEAwwYY2Etbm8ta2V5VXNhZ2UtZXh0ZW5zaW9uMCIYDzIwMjIx +MTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMB4xHDAaBgNVBAMME2VlLWtleUNl +cnRTaWduLW9ubHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo +RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a +dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t +aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n +FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX +Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py +UcQx1QOs2hgKNe2NAgMBAAGjDzANMAsGA1UdDwQEAwICBDANBgkqhkiG9w0BAQsF +AAOCAQEAdqLwVs+dkEZaVsERQz9spSoHqx1q0qoKGUJYhnYDZycY6LCpmfRTkkQN +Y5Go+2LMJ3m88aLI7JpRzRIqwryiFhU7zP1Hqjp65Tma3j6HlKXmEg8wfLmvSrAN +DUT0/HxpR1Hq4ik6op78GTtrplOmsSz8I1QYE/5zWei3Zuay9s9isXLv6yXRzXDP +U9yK2yA4UJeltIJiXpFSKhshJb1y9UOq46+yrfe7XIekqUrlJ8iNcNIyOJ7SEdGO +fDl+iMhNORcMMyFjFaKKMX++V2GNayweU6Jr02K9t5p+M0PdMAKRtev89cy4t6So +/okpqvfW9s70X4gh817h1kiklz8yGQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-no-keyUsage-extension.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-no-keyUsage-extension.pem.certspec new file mode 100644 index 0000000000..a5a2d62a7d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-no-keyUsage-extension.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca-no-keyUsage-extension +subject:ee-keyCertSign-only +extension:keyUsage:keyCertSign diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-all-usages.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-all-usages.pem new file mode 100644 index 0000000000..e3864f8d26 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-all-usages.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC2zCCAcOgAwIBAgIUaR6XoydtDSMh4UJJYaTxGd4CTjEwDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNY2EtYWxsLXVzYWdlczAiGA8yMDIyMTEyNzAwMDAwMFoY +DzIwMjUwMjA0MDAwMDAwWjAiMSAwHgYDVQQDDBdlZS1rZXlFbmNpcGhlcm1lbnQt +b25seTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1u +togGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6 +pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqL +KkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3Zlqq +fgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3sv +Im9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6za +GAo17Y0CAwEAAaMPMA0wCwYDVR0PBAQDAgUgMA0GCSqGSIb3DQEBCwUAA4IBAQA8 +UCpvQLEtzvq4yPCGJ/G5iftcXRAxjkBG5h36Hbz6WWKJbzdUUyEuYt9MbJf/S7H0 +6uOxudfnihObn9Oc5mS+h9j+g84+9vkFhOBG7L4pNEmzXqs52hBssHziVdZlsTEk +BksZXd4ABdNrRhlUE95HxcxYRPJNmWoGnJoo6GpPmnG0ecFsGXTmH5TViXEHgxJL +y9M65ALhy8dS5QUOuWSTzzn5aFRanikCBVt9NXo+jO/s6+FmjyxuBaCpHcZFiZXt +tCdE3UzjudHnl05aIicWUcYRTJno457KqWgqtXYbwYnMb4ugQdjpgyhDWFOEZdlh +V3mC4EaHlm+I9k7s3kVz +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-all-usages.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-all-usages.pem.certspec new file mode 100644 index 0000000000..08154a53ee --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-all-usages.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca-all-usages +subject:ee-keyEncipherment-only +extension:keyUsage:keyEncipherment diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-missing-keyCertSign.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-missing-keyCertSign.pem new file mode 100644 index 0000000000..e65300ce6d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-missing-keyCertSign.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5DCCAcygAwIBAgIUY+zxGVzhOR20OLgOX0EMB7vGqC0wDQYJKoZIhvcNAQEL +BQAwITEfMB0GA1UEAwwWY2EtbWlzc2luZy1rZXlDZXJ0U2lnbjAiGA8yMDIyMTEy +NzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAiMSAwHgYDVQQDDBdlZS1rZXlFbmNp +cGhlcm1lbnQtb25seTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqI +UahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvi +r1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/x +fq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD +7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnv +uRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj ++nJRxDHVA6zaGAo17Y0CAwEAAaMPMA0wCwYDVR0PBAQDAgUgMA0GCSqGSIb3DQEB +CwUAA4IBAQCxM0fNjNAGe1fxAVKRTEJ3f2e+alwU64YGaKK4pPA9RJ/pxLr6HP1U +YEerBUbTWnDVluCx/ZkzBAPgb5ezasRqaCA9TT9dYf4HKPKj+8p0pv3ojHcZJqf3 +vxGkLKxRq2Ye97E+5jW2M3dIq75wW4Yc4rY4f7RASYKWg064O39Ay4YW/M5j/VTu +w9h/1NcXYFUC24gWEnwIBOG20Xy5r5OkY075tVmY1ySeG7VkLY3i3weACFpY7dRp +XUFmUaSnaDAErfBzSYQiZCUMGCPajbqcQTA95/Z8uLPt05IdmQULfF0eLWmwiBGJ +JhcBZ5L9SeV3AJYzJSUxZDikpfCWwNP+ +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-missing-keyCertSign.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-missing-keyCertSign.pem.certspec new file mode 100644 index 0000000000..9bdcf4b7b8 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-missing-keyCertSign.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca-missing-keyCertSign +subject:ee-keyEncipherment-only +extension:keyUsage:keyEncipherment diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-no-keyUsage-extension.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-no-keyUsage-extension.pem new file mode 100644 index 0000000000..143b31a4b1 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-no-keyUsage-extension.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5jCCAc6gAwIBAgIUaW6RFCj/GR6VHEK7XKdRe3iIAakwDQYJKoZIhvcNAQEL +BQAwIzEhMB8GA1UEAwwYY2Etbm8ta2V5VXNhZ2UtZXh0ZW5zaW9uMCIYDzIwMjIx +MTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMCIxIDAeBgNVBAMMF2VlLWtleUVu +Y2lwaGVybWVudC1vbmx5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +uohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGoby +a+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWC +D/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfT +iEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXT +Ce+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+ +SSP6clHEMdUDrNoYCjXtjQIDAQABow8wDTALBgNVHQ8EBAMCBSAwDQYJKoZIhvcN +AQELBQADggEBAEsYnH3fAHOVvNdaAJZ+SI+JVJNtqm8mjOfAHY2iPvf42eIMQJ2r +XhTnCLqy25EQACVnrYh0p2YW3fXg8jwHbzDACz2MZFyTdEz5FiognWf+LfHDyoMP +S7bHOKGemkLCFHuGzfL+LZ8+yV8RJ9KcCJOke+RFAmcU/t56T0KDKvrdvGAV3wnp +fq0hgqB31H/0gaLjf1wlW8f420z40c8vVfpe1BqjKwWq9jgikAlE1pFZSCORnNjD +Q2kn62M0wXeytaLOaqRhtcu4wBTn1ypUs+DokC+WwN54fyBw2BIIsbWOU39rsW6j +7nH4UvLxTL9KB2EbFHTr+dQ0TWxkf+fiEuQ= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-no-keyUsage-extension.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-no-keyUsage-extension.pem.certspec new file mode 100644 index 0000000000..a2383ecfdd --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-no-keyUsage-extension.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca-no-keyUsage-extension +subject:ee-keyEncipherment-only +extension:keyUsage:keyEncipherment diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-all-usages.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-all-usages.pem new file mode 100644 index 0000000000..cf73275a30 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-all-usages.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyzCCAbOgAwIBAgIULcEx7oKr1YDS2ss3s4RQdJCOnR4wDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNY2EtYWxsLXVzYWdlczAiGA8yMDIyMTEyNzAwMDAwMFoY +DzIwMjUwMjA0MDAwMDAwWjAjMSEwHwYDVQQDDBhlZS1uby1rZXlVc2FnZS1leHRl +bnNpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9 +braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI +eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6 +iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za +qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7 +LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs +2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQELBQADggEBADK7GNqsF/zKD7W1Iq6PgEvk +MI64yXfELuk3h9y9QZr63IbaLBLUoLKxEX03CZBUShPd+FVz+Y93J6+VjkRU7ddb +tE1RknOgtXN+EsU4MRtKyBBVIeqaYUUQ8EPGYiiGIhsmL+NLCbhsCs2ZRBHHEgyG +tbvdcDlce4UHv3fmSNdJ0RK7ffomCpF1CjIDDIbKdD0jveIJLCAXqmHz998ty/3E +ts+KKNYz/FBvqYE/L1Tab0wFJLelwW5BqM0mZoq4ZfaDU1yVBkmrJcyGfF+gjAEs +XGX4OdV5x2A9ke3lSDlwz50Uy5mhyjsTcbUW/OLBOENhU2vgQc+VNW/wmKEHzIA= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-all-usages.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-all-usages.pem.certspec new file mode 100644 index 0000000000..6d2e672961 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-all-usages.pem.certspec @@ -0,0 +1,2 @@ +issuer:ca-all-usages +subject:ee-no-keyUsage-extension diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-missing-keyCertSign.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-missing-keyCertSign.pem new file mode 100644 index 0000000000..09c40b8583 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-missing-keyCertSign.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC1DCCAbygAwIBAgIUWW3V0gwj00M/F/tsm0ACf/nJIjEwDQYJKoZIhvcNAQEL +BQAwITEfMB0GA1UEAwwWY2EtbWlzc2luZy1rZXlDZXJ0U2lnbjAiGA8yMDIyMTEy +NzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAjMSEwHwYDVQQDDBhlZS1uby1rZXlV +c2FnZS1leHRlbnNpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6 +iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr +4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP +8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OI +Q+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ +77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5J +I/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQELBQADggEBABNKxssTPCXj +3eI51RfswYOBb80aRYdv7Mm9ZekxgVXUtxGzZVekdQQjEJ59vupi8CP+C9cWuSLD +44qVw80cGgG15GNxBe+ewicFc2UdvLuAO6ZrYM92qW80zXJFbLC0ouksUloUbxup +mdZtDiI/etccsytmZ3528DEHB9TRuWBW7IavdmprWKyyfSze6yEFPxAgm4J0lZ4g +/bEymzSFTTS9rEfd6W3AbsR9UcbzAy1SB7ueKMjE1gywJJQA+oqePqZIQTYrAFis +pIA4/N3tsTu1MZ7SHuovyhoYZG58evKw3TExYy7hsJj0u4CEP8WoN9x333JeAZkb +6ZnNLg0fAZs= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-missing-keyCertSign.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-missing-keyCertSign.pem.certspec new file mode 100644 index 0000000000..3cba2f0d81 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-missing-keyCertSign.pem.certspec @@ -0,0 +1,2 @@ +issuer:ca-missing-keyCertSign +subject:ee-no-keyUsage-extension diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-no-keyUsage-extension.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-no-keyUsage-extension.pem new file mode 100644 index 0000000000..9621cea471 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-no-keyUsage-extension.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC1jCCAb6gAwIBAgIUB6gSwP2e7JebjDPr1/kGYXG4w7IwDQYJKoZIhvcNAQEL +BQAwIzEhMB8GA1UEAwwYY2Etbm8ta2V5VXNhZ2UtZXh0ZW5zaW9uMCIYDzIwMjIx +MTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMCMxITAfBgNVBAMMGGVlLW5vLWtl +eVVzYWdlLWV4dGVuc2lvbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +ALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG +8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0V +gg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g3 +04hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l +0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz +/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAsSRtufFC +I0WR9ub7VG+j5hD92+LN/xxILVlIXU6gpSfnpLn2Pi47K1eVAdkxaURJadvD89fw +u/fnzDG2Reij+jBmz658laKobgIXsdrXuaypvDUac3SP4ZpOD4JcZdkoMHsAfE1C +FADw4GSv+aJeOvj2TByfsnhqQqQe01sjUlQIbM4G5nk7PFK+/Tj9hWpzkW7O/Nf4 +3msO2dubsoy0DvhSzzTn2mOSLxHeoN8AxPuDoEXs9Je7+K3geCVhE0iEIj17BAWP +Cme6X63FaoyzyfN5mXj7OiOUBvwZPtsVBlcQsjtZVldxYlRN9xtS10NrfH3Y6k1U +smbMqMR4jbkyfw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-no-keyUsage-extension.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-no-keyUsage-extension.pem.certspec new file mode 100644 index 0000000000..c850725a63 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-no-keyUsage-extension.pem.certspec @@ -0,0 +1,2 @@ +issuer:ca-no-keyUsage-extension +subject:ee-no-keyUsage-extension diff --git a/security/manager/ssl/tests/unit/test_cert_override_read.js b/security/manager/ssl/tests/unit/test_cert_override_read.js new file mode 100644 index 0000000000..3c21601eb8 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_override_read.js @@ -0,0 +1,188 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +// This test checks parsing of the the certificate override file + +function run_test() { + // These are hard-coded to avoid initialization of NSS before setup is complete + // bad_certs/mitm.pem + let cert1 = { + sha256Fingerprint: + "E3:E3:56:4C:6D:81:DA:29:E4:52:20:A1:7A:31:E2:03:F1:82:A6:D5:B1:5B:6A:86:D6:10:CF:AE:BA:3B:35:2A", + }; + // bad_certs/selfsigned.pem + let cert2 = { + sha256Fingerprint: + "9A:C8:37:86:6F:1A:20:A2:31:6F:FE:92:68:CE:05:D2:8C:72:F3:A3:E0:23:3B:AD:8A:28:19:93:82:E8:AE:24", + }; + // bad_certs/noValidNames.pem + let cert3 = { + sha256Fingerprint: + "67:7C:84:51:32:B5:0B:63:E4:40:B4:1A:33:FD:20:34:0A:B3:1D:61:24:F1:7A:40:14:39:05:66:42:FD:C2:EA", + }; + + let profileDir = do_get_profile(); + let overrideFile = profileDir.clone(); + overrideFile.append(CERT_OVERRIDE_FILE_NAME); + // Assuming we're working with a clean slate, the file shouldn't exist + // until we create it. + ok(!overrideFile.exists()); + let outputStream = FileUtils.openFileOutputStream(overrideFile); + let lines = [ + "# PSM Certificate Override Settings file", + "# This is a generated file! Do not edit.", + "test.example.com:443:^privateBrowsingId=1\tOID.2.16.840.1.101.3.4.2.1\t" + + cert1.sha256Fingerprint + + "\t", + "test.example.com:443:^privateBrowsingId=2\tOID.2.16.840.1.101.3.4.2.1\t" + + cert1.sha256Fingerprint + + "\t", + "test.example.com:443:^privateBrowsingId=3\tOID.2.16.840.1.101.3.4.2.1\t" + // includes bits and dbKey (now obsolete) + cert1.sha256Fingerprint + + "\tM\t" + + "AAAAAAAAAAAAAAACAAAAFjA5MBQxEjAQBgNVBAMMCWxvY2FsaG9zdA==", + "example.com:443:\tOID.2.16.840.1.101.3.4.2.1\t" + + cert2.sha256Fingerprint + + "\t", + "[::1]:443:\tOID.2.16.840.1.101.3.4.2.1\t" + // IPv6 + cert2.sha256Fingerprint + + "\t", + "old.example.com:443\tOID.2.16.840.1.101.3.4.2.1\t" + // missing attributes (defaulted) + cert1.sha256Fingerprint + + "\t", + ":443:\tOID.2.16.840.1.101.3.4.2.1\t" + // missing host name + cert3.sha256Fingerprint + + "\t", + "example.com::\tOID.2.16.840.1.101.3.4.2.1\t" + // missing port + cert3.sha256Fingerprint + + "\t", + "example.com:443:\tOID.2.16.840.1.101.3.4.2.1\t" + // wrong fingerprint + cert2.sha256Fingerprint + + "\t", + "example.com:443:\tOID.0.00.000.0.000.0.0.0.0\t" + // bad OID + cert3.sha256Fingerprint + + "\t", + "example.com:443:\t.0.0.0.0\t" + // malformed OID + cert3.sha256Fingerprint + + "\t", + "example.com:443:\t\t" + // missing OID + cert3.sha256Fingerprint + + "\t", + "example.com:443:\tOID.2.16.840.1.101.3.4.2.1\t", // missing fingerprint + ]; + writeLinesAndClose(lines, outputStream); + let overrideService = Cc["@mozilla.org/security/certoverride;1"].getService( + Ci.nsICertOverrideService + ); + notEqual(overrideService, null); + + // Now that the override service is initialized we can actually read the certificates + cert1 = constructCertFromFile("bad_certs/mitm.pem"); + info( + `if this test fails, try updating cert1.sha256Fingerprint to "${cert1.sha256Fingerprint}"` + ); + cert2 = constructCertFromFile("bad_certs/selfsigned.pem"); + info( + `if this test fails, try updating cert2.sha256Fingerprint to "${cert2.sha256Fingerprint}"` + ); + cert3 = constructCertFromFile("bad_certs/noValidNames.pem"); + info( + `if this test fails, try updating cert3.sha256Fingerprint to "${cert3.sha256Fingerprint}"` + ); + + const OVERRIDES = [ + { + host: "test.example.com", + port: 443, + cert: cert1, + attributes: { privateBrowsingId: 1 }, + }, + { + host: "test.example.com", + port: 443, + cert: cert1, + attributes: { privateBrowsingId: 2 }, + }, + { + host: "test.example.com", + port: 443, + cert: cert1, + attributes: { privateBrowsingId: 3 }, + }, + { + host: "example.com", + port: 443, + cert: cert2, + attributes: {}, + }, + { + host: "::1", + port: 443, + cert: cert2, + attributes: {}, + }, + { + host: "example.com", + port: 443, + cert: cert2, + attributes: { userContextId: 1 }, // only privateBrowsingId is used + }, + { + host: "old.example.com", + port: 443, + cert: cert1, + attributes: {}, + }, + ]; + const BAD_OVERRIDES = [ + { + host: "test.example.com", + port: 443, + cert: cert1, + attributes: { privateBrowsingId: 4 }, // wrong attributes + }, + { + host: "test.example.com", + port: 443, + cert: cert3, // wrong certificate + attributes: { privateBrowsingId: 1 }, + }, + { + host: "example.com", + port: 443, + cert: cert3, + attributes: {}, + }, + ]; + + for (let override of OVERRIDES) { + let temp = {}; + ok( + overrideService.hasMatchingOverride( + override.host, + override.port, + override.attributes, + override.cert, + temp + ), + `${JSON.stringify(override)} should have an override` + ); + equal(temp.value, false); + } + + for (let override of BAD_OVERRIDES) { + let temp = {}; + ok( + !overrideService.hasMatchingOverride( + override.host, + override.port, + override.attributes, + override.cert, + temp + ), + `${override} should not have an override` + ); + } +} diff --git a/security/manager/ssl/tests/unit/test_cert_overrides.js b/security/manager/ssl/tests/unit/test_cert_overrides.js new file mode 100644 index 0000000000..a1284cb1df --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_overrides.js @@ -0,0 +1,767 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. +"use strict"; + +// Tests the certificate overrides we allow. +// add_cert_override_test will queue a test that does the following: +// 1. Attempt to connect to the given host. This should fail with the +// given error. +// 2. Add an override for that host/port/certificate. +// 3. Connect again. This should succeed. + +do_get_profile(); + +// Enable the collection (during test) for all products so even products +// that don't collect the data will be able to run the test without failure. +Services.prefs.setBoolPref( + "toolkit.telemetry.testing.overrideProductsCheck", + true +); + +function check_telemetry() { + let histogram = Services.telemetry + .getHistogramById("SSL_CERT_ERROR_OVERRIDES") + .snapshot(); + equal(histogram.values[0], 0, "Should have 0 unclassified values"); + equal( + histogram.values[2], + 9, + "Actual and expected SEC_ERROR_UNKNOWN_ISSUER values should match" + ); + equal( + histogram.values[3], + 1, + "Actual and expected SEC_ERROR_CA_CERT_INVALID values should match" + ); + equal( + histogram.values[4] || 0, + 0, + "Actual and expected SEC_ERROR_UNTRUSTED_ISSUER values should match" + ); + equal( + histogram.values[5], + 1, + "Actual and expected SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE values should match" + ); + equal( + histogram.values[6] || 0, + 0, + "Actual and expected SEC_ERROR_UNTRUSTED_CERT values should match" + ); + equal( + histogram.values[7] || 0, + 0, + "Actual and expected SEC_ERROR_INADEQUATE_KEY_USAGE values should match" + ); + equal( + histogram.values[8], + 2, + "Actual and expected SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED values should match" + ); + equal( + histogram.values[9], + gIsDebugBuild ? 9 : 8, + "Actual and expected SSL_ERROR_BAD_CERT_DOMAIN values should match" + ); + equal( + histogram.values[10], + 1, + "Actual and expected SEC_ERROR_EXPIRED_CERTIFICATE values should match" + ); + equal( + histogram.values[11], + 2, + "Actual and expected MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY values should match" + ); + equal( + histogram.values[12], + 1, + "Actual and expected MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA values should match" + ); + equal( + histogram.values[13], + 1, + "Actual and expected MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE values should match" + ); + equal( + histogram.values[14], + 1, + "Actual and expected MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE values should match" + ); + equal( + histogram.values[15], + 1, + "Actual and expected MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE values should match" + ); + equal( + histogram.values[16], + 2, + "Actual and expected SEC_ERROR_INVALID_TIME values should match" + ); + equal( + histogram.values[17], + 1, + "Actual and expected MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME values should match" + ); + equal( + histogram.values[19], + 4, + "Actual and expected MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT values should match" + ); + equal( + histogram.values[20], + 1, + "Actual and expected MOZILLA_PKIX_ERROR_MITM_DETECTED values should match" + ); + + let keySizeHistogram = Services.telemetry + .getHistogramById("CERT_CHAIN_KEY_SIZE_STATUS") + .snapshot(); + equal( + keySizeHistogram.values[0], + 0, + "Actual and expected unchecked key size values should match" + ); + equal( + keySizeHistogram.values[1], + gIsDebugBuild ? 17 : 15, + "Actual and expected successful verifications of 2048-bit keys should match" + ); + equal( + keySizeHistogram.values[2] || 0, + 0, + "Actual and expected successful verifications of 1024-bit keys should match" + ); + equal( + keySizeHistogram.values[3], + 70, + "Actual and expected verification failures unrelated to key size should match" + ); + + run_next_test(); +} + +// Internally, specifying "port" -1 is the same as port 443. This tests that. +function run_port_equivalency_test(inPort, outPort) { + Assert.ok( + (inPort == 443 && outPort == -1) || (inPort == -1 && outPort == 443), + "The two specified ports must be -1 and 443 (in any order)" + ); + let certOverrideService = Cc[ + "@mozilla.org/security/certoverride;1" + ].getService(Ci.nsICertOverrideService); + let cert = constructCertFromFile("bad_certs/default-ee.pem"); + let expectedTemporary = true; + certOverrideService.rememberValidityOverride( + "example.com", + inPort, + {}, + cert, + expectedTemporary + ); + let actualTemporary = {}; + Assert.ok( + certOverrideService.hasMatchingOverride( + "example.com", + outPort, + {}, + cert, + actualTemporary + ), + `override set on port ${inPort} should match port ${outPort}` + ); + equal( + actualTemporary.value, + expectedTemporary, + "input override temporary value should match output temporary value" + ); + Assert.ok( + !certOverrideService.hasMatchingOverride("example.com", 563, {}, cert, {}), + `override set on port ${inPort} should not match port 563` + ); + certOverrideService.clearValidityOverride("example.com", inPort, {}); + Assert.ok( + !certOverrideService.hasMatchingOverride( + "example.com", + outPort, + {}, + cert, + {} + ), + `override cleared on port ${inPort} should match port ${outPort}` + ); +} + +function run_test() { + run_port_equivalency_test(-1, 443); + run_port_equivalency_test(443, -1); + + Services.prefs.setIntPref("security.OCSP.enabled", 1); + add_tls_server_setup("BadCertAndPinningServer", "bad_certs"); + + let fakeOCSPResponder = new HttpServer(); + fakeOCSPResponder.registerPrefixHandler("/", function (request, response) { + response.setStatusLine(request.httpVersion, 500, "Internal Server Error"); + }); + fakeOCSPResponder.start(8888); + + add_simple_tests(); + add_localhost_tests(); + add_combo_tests(); + add_distrust_tests(); + + add_test(function () { + fakeOCSPResponder.stop(check_telemetry); + }); + + run_next_test(); +} + +function add_simple_tests() { + add_cert_override_test("expired.example.com", SEC_ERROR_EXPIRED_CERTIFICATE); + add_cert_override_test( + "notyetvalid.example.com", + MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE + ); + add_cert_override_test("before-epoch.example.com", SEC_ERROR_INVALID_TIME); + add_cert_override_test( + "before-epoch-self-signed.example.com", + MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT + ); + add_cert_override_test( + "selfsigned.example.com", + MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT + ); + add_cert_override_test("unknownissuer.example.com", SEC_ERROR_UNKNOWN_ISSUER); + add_cert_override_test( + "expiredissuer.example.com", + SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE + ); + add_cert_override_test( + "notyetvalidissuer.example.com", + MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE + ); + add_cert_override_test( + "before-epoch-issuer.example.com", + SEC_ERROR_INVALID_TIME + ); + add_cert_override_test( + "md5signature.example.com", + SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED + ); + add_cert_override_test( + "emptyissuername.example.com", + MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME + ); + // This has name information in the subject alternative names extension, + // but not the subject common name. + add_cert_override_test("mismatch.example.com", SSL_ERROR_BAD_CERT_DOMAIN); + // This has name information in the subject common name but not the subject + // alternative names extension. + add_cert_override_test("mismatch-CN.example.com", SSL_ERROR_BAD_CERT_DOMAIN); + + // A Microsoft IIS utility generates self-signed certificates with + // properties similar to the one this "host" will present. + add_cert_override_test( + "selfsigned-inadequateEKU.example.com", + MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT + ); + + add_prevented_cert_override_test( + "inadequatekeyusage.example.com", + SEC_ERROR_INADEQUATE_KEY_USAGE + ); + + // Test triggering the MitM detection. We don't set-up a proxy here. Just + // set the pref. Without the pref set we expect an unkown issuer error. + add_cert_override_test("mitm.example.com", SEC_ERROR_UNKNOWN_ISSUER); + add_test(function () { + Services.prefs.setStringPref( + "security.pki.mitm_canary_issuer", + "CN=Test MITM Root" + ); + let certOverrideService = Cc[ + "@mozilla.org/security/certoverride;1" + ].getService(Ci.nsICertOverrideService); + certOverrideService.clearValidityOverride("mitm.example.com", 8443, {}); + run_next_test(); + }); + add_cert_override_test("mitm.example.com", MOZILLA_PKIX_ERROR_MITM_DETECTED); + add_test(function () { + Services.prefs.setStringPref( + "security.pki.mitm_canary_issuer", + "CN=Other MITM Root" + ); + let certOverrideService = Cc[ + "@mozilla.org/security/certoverride;1" + ].getService(Ci.nsICertOverrideService); + certOverrideService.clearValidityOverride("mitm.example.com", 8443, {}); + run_next_test(); + }); + // If the canary issuer doesn't match the one we see, we exepct and unknown + // issuer error. + add_cert_override_test("mitm.example.com", SEC_ERROR_UNKNOWN_ISSUER); + // If security.pki.mitm_canary_issuer.enabled is false, there should always + // be an unknown issuer error. + add_test(function () { + Services.prefs.setBoolPref( + "security.pki.mitm_canary_issuer.enabled", + false + ); + let certOverrideService = Cc[ + "@mozilla.org/security/certoverride;1" + ].getService(Ci.nsICertOverrideService); + certOverrideService.clearValidityOverride("mitm.example.com", 8443, {}); + run_next_test(); + }); + add_cert_override_test("mitm.example.com", SEC_ERROR_UNKNOWN_ISSUER); + add_test(function () { + Services.prefs.clearUserPref("security.pki.mitm_canary_issuer"); + run_next_test(); + }); + + // This is intended to test the case where a verification has failed for one + // overridable reason (e.g. unknown issuer) but then, in the process of + // reporting that error, a non-overridable error is encountered. The + // non-overridable error should be prioritized. + add_test(function () { + let rootCert = constructCertFromFile("bad_certs/test-ca.pem"); + setCertTrust(rootCert, ",,"); + run_next_test(); + }); + add_prevented_cert_override_test( + "nsCertTypeCritical.example.com", + SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION + ); + add_test(function () { + let rootCert = constructCertFromFile("bad_certs/test-ca.pem"); + setCertTrust(rootCert, "CTu,,"); + run_next_test(); + }); + + // Bug 990603: Apache documentation has recommended generating a self-signed + // test certificate with basic constraints: CA:true. For compatibility, this + // is a scenario in which an override is allowed. + add_cert_override_test( + "self-signed-end-entity-with-cA-true.example.com", + MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT + ); + + add_cert_override_test( + "ca-used-as-end-entity.example.com", + MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY + ); + + // If an X.509 version 1 certificate is not a trust anchor, we will + // encounter an overridable error. + add_cert_override_test( + "end-entity-issued-by-v1-cert.example.com", + MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA + ); + // If we make that certificate a trust anchor, the connection will succeed. + add_test(function () { + let certOverrideService = Cc[ + "@mozilla.org/security/certoverride;1" + ].getService(Ci.nsICertOverrideService); + certOverrideService.clearValidityOverride( + "end-entity-issued-by-v1-cert.example.com", + 8443, + {} + ); + let v1Cert = constructCertFromFile("bad_certs/v1Cert.pem"); + setCertTrust(v1Cert, "CTu,,"); + clearSessionCache(); + run_next_test(); + }); + add_connection_test( + "end-entity-issued-by-v1-cert.example.com", + PRErrorCodeSuccess + ); + // Reset the trust for that certificate. + add_test(function () { + let v1Cert = constructCertFromFile("bad_certs/v1Cert.pem"); + setCertTrust(v1Cert, ",,"); + clearSessionCache(); + run_next_test(); + }); + + // Due to compatibility issues, we allow overrides for certificates issued by + // certificates that are not valid CAs. + add_cert_override_test( + "end-entity-issued-by-non-CA.example.com", + SEC_ERROR_CA_CERT_INVALID + ); + + // This host presents a 1016-bit RSA key. + add_cert_override_test( + "inadequate-key-size-ee.example.com", + MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE + ); + + // The test root is not a built-in (by default), so the invalid dNSName entry + // in the subject alternative name extension is skipped. + add_connection_test( + "ipAddressAsDNSNameInSAN.example.com", + PRErrorCodeSuccess + ); + + if (gIsDebugBuild) { + // Treat the test root like a built-in. + add_test(function () { + let rootCert = constructCertFromFile("bad_certs/test-ca.pem"); + Services.prefs.setCharPref( + "security.test.built_in_root_hash", + rootCert.sha256Fingerprint + ); + run_next_test(); + }); + // If the root is a built-in, the invalid dNSName entry in the subject + // alternative name extension is not skipped, and this result in an error. + add_cert_override_test( + "ipAddressAsDNSNameInSAN.example.com", + SSL_ERROR_BAD_CERT_DOMAIN + ); + // Reset the test root's built-in status. + add_test(function () { + Services.prefs.clearUserPref("security.test.built_in_root_hash"); + run_next_test(); + }); + } + + add_cert_override_test("noValidNames.example.com", SSL_ERROR_BAD_CERT_DOMAIN); + add_cert_override_test( + "badSubjectAltNames.example.com", + SSL_ERROR_BAD_CERT_DOMAIN + ); + + add_cert_override_test( + "bug413909.xn--hxajbheg2az3al.xn--jxalpdlp", + SEC_ERROR_UNKNOWN_ISSUER + ); + add_test(function () { + // At this point, the override for bug413909.xn--hxajbheg2az3al.xn--jxalpdlp + // is still valid. Do some additional tests relating to IDN handling. + let certOverrideService = Cc[ + "@mozilla.org/security/certoverride;1" + ].getService(Ci.nsICertOverrideService); + let uri = Services.io.newURI( + "https://bug413909.xn--hxajbheg2az3al.xn--jxalpdlp" + ); + let cert = constructCertFromFile("bad_certs/idn-certificate.pem"); + Assert.ok( + certOverrideService.hasMatchingOverride( + uri.asciiHost, + 8443, + {}, + cert, + {} + ), + "IDN certificate should have matching override using ascii host" + ); + Assert.throws( + () => + !certOverrideService.hasMatchingOverride( + uri.displayHost, + 8443, + {}, + cert, + {} + ), + /NS_ERROR_ILLEGAL_VALUE/, + "IDN certificate should not have matching override using (non-ascii) host" + ); + let invalidHost = uri.asciiHost.replace(/./g, c => + String.fromCharCode(c.charCodeAt(0) | 0x100) + ); + Assert.throws( + () => + !certOverrideService.hasMatchingOverride( + invalidHost, + 8443, + {}, + cert, + {} + ), + /NS_ERROR_ILLEGAL_VALUE/, + "hasMatchingOverride should not truncate high-bytes" + ); + run_next_test(); + }); + + add_test(function () { + // Add a bunch of overrides... + let certOverrideService = Cc[ + "@mozilla.org/security/certoverride;1" + ].getService(Ci.nsICertOverrideService); + let cert = constructCertFromFile("bad_certs/default-ee.pem"); + certOverrideService.rememberValidityOverride( + "example.com", + 443, + {}, + cert, + false + ); + Assert.ok( + certOverrideService.hasMatchingOverride("example.com", 443, {}, cert, {}), + "Should have added override for example.com:443" + ); + certOverrideService.rememberValidityOverride( + "example.com", + 80, + {}, + cert, + false + ); + certOverrideService.rememberValidityOverride("::1", 80, {}, cert, false); + Assert.ok( + certOverrideService.hasMatchingOverride("example.com", 80, {}, cert, {}), + "Should have added override for example.com:80" + ); + certOverrideService.rememberValidityOverride( + "example.org", + 443, + {}, + cert, + false + ); + Assert.ok( + certOverrideService.hasMatchingOverride("example.org", 443, {}, cert, {}), + "Should have added override for example.org:443" + ); + Assert.ok( + certOverrideService.hasMatchingOverride("::1", 80, {}, cert, {}), + "Should have added override for [::1]:80" + ); + // When in a private browsing context, overrides added in non-private + // contexts should match (but not vice-versa). + Assert.ok( + certOverrideService.hasMatchingOverride( + "example.org", + 443, + { privateBrowsingId: 1 }, + cert, + {} + ), + "Should have override for example.org:443 with privateBrowsingId 1" + ); + Assert.ok( + certOverrideService.hasMatchingOverride( + "example.org", + 443, + { privateBrowsingId: 2 }, + cert, + {} + ), + "Should have override for example.org:443 with privateBrowsingId 2" + ); + Assert.ok( + certOverrideService.hasMatchingOverride( + "example.org", + 443, + { firstPartyDomain: "example.org", userContextId: 1 }, + cert, + {} + ), + "Should ignore firstPartyDomain and userContextId when checking overrides" + ); + certOverrideService.rememberValidityOverride( + "example.org", + 80, + {}, + cert, + true + ); + Assert.ok( + certOverrideService.hasMatchingOverride("example.org", 80, {}, cert, {}), + "Should have added override for example.org:80" + ); + certOverrideService.rememberValidityOverride( + "test.example.org", + 443, + { firstPartyDomain: "example.org", userContextId: 1 }, + cert, + false + ); + Assert.ok( + certOverrideService.hasMatchingOverride( + "test.example.org", + 443, + {}, + cert, + {} + ), + "Should ignore firstPartyDomain and userContextId when adding overrides" + ); + Assert.ok( + certOverrideService.hasMatchingOverride( + "test.example.org", + 443, + { firstPartyDomain: "example.com", userContextId: 2 }, + cert, + {} + ), + "Should ignore firstPartyDomain and userContextId when checking overrides" + ); + certOverrideService.rememberValidityOverride( + "example.test", + 443, + { privateBrowsingId: 1 }, + cert, + false + ); + Assert.ok( + certOverrideService.hasMatchingOverride( + "example.test", + 443, + { privateBrowsingId: 1 }, + cert, + {} + ), + "Should have added override for example.test:443 with privateBrowsingId 1" + ); + Assert.ok( + !certOverrideService.hasMatchingOverride( + "example.test", + 443, + { privateBrowsingId: 2 }, + cert, + {} + ), + "Should not have override for example.test:443 with privateBrowsingId 2" + ); + Assert.ok( + !certOverrideService.hasMatchingOverride( + "example.test", + 443, + {}, + cert, + {} + ), + "Should not have override for example.test:443 with non-private OriginAttributes" + ); + // Clear them all... + certOverrideService.clearAllOverrides(); + + // And ensure they're all gone. + Assert.ok( + !certOverrideService.hasMatchingOverride( + "example.com", + 443, + {}, + cert, + {} + ), + "Should have removed override for example.com:443" + ); + Assert.ok( + !certOverrideService.hasMatchingOverride("example.com", 80, {}, cert, {}), + "Should have removed override for example.com:80" + ); + Assert.ok( + !certOverrideService.hasMatchingOverride( + "example.org", + 443, + {}, + cert, + {} + ), + "Should have removed override for example.org:443" + ); + Assert.ok( + !certOverrideService.hasMatchingOverride("example.org", 80, {}, cert, {}), + "Should have removed override for example.org:80" + ); + Assert.ok( + !certOverrideService.hasMatchingOverride( + "example.org", + 443, + { privateBrowsingId: 1 }, + cert, + {} + ), + "Should have removed override for example.org:443 with privateBrowsingId 1" + ); + + run_next_test(); + }); +} + +function add_localhost_tests() { + add_cert_override_test("localhost", SEC_ERROR_UNKNOWN_ISSUER); + add_cert_override_test("127.0.0.1", SSL_ERROR_BAD_CERT_DOMAIN); + add_cert_override_test("::1", SSL_ERROR_BAD_CERT_DOMAIN); +} + +function add_combo_tests() { + add_cert_override_test( + "mismatch-expired.example.com", + SSL_ERROR_BAD_CERT_DOMAIN + ); + add_cert_override_test( + "mismatch-notYetValid.example.com", + SSL_ERROR_BAD_CERT_DOMAIN + ); + add_cert_override_test( + "mismatch-untrusted.example.com", + SEC_ERROR_UNKNOWN_ISSUER + ); + add_cert_override_test( + "untrusted-expired.example.com", + SEC_ERROR_UNKNOWN_ISSUER + ); + add_cert_override_test( + "mismatch-untrusted-expired.example.com", + SEC_ERROR_UNKNOWN_ISSUER + ); + + add_cert_override_test( + "md5signature-expired.example.com", + SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED + ); + + add_cert_override_test( + "ca-used-as-end-entity-name-mismatch.example.com", + MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY + ); +} + +function add_distrust_tests() { + // Before we specifically distrust this certificate, it should be trusted. + add_connection_test("untrusted.example.com", PRErrorCodeSuccess); + + add_distrust_test( + "bad_certs/default-ee.pem", + "untrusted.example.com", + SEC_ERROR_UNTRUSTED_CERT + ); + + add_distrust_test( + "bad_certs/other-test-ca.pem", + "untrustedissuer.example.com", + SEC_ERROR_UNTRUSTED_ISSUER + ); + + add_distrust_test( + "bad_certs/test-ca.pem", + "ca-used-as-end-entity.example.com", + SEC_ERROR_UNTRUSTED_ISSUER + ); +} + +function add_distrust_test(certFileName, hostName, expectedResult) { + let certToDistrust = constructCertFromFile(certFileName); + + add_test(function () { + // Add an entry to the NSS certDB that says to distrust the cert + setCertTrust(certToDistrust, "pu,,"); + clearSessionCache(); + run_next_test(); + }); + add_prevented_cert_override_test(hostName, expectedResult); + add_test(function () { + setCertTrust(certToDistrust, "u,,"); + run_next_test(); + }); +} diff --git a/security/manager/ssl/tests/unit/test_cert_overrides_read_only.js b/security/manager/ssl/tests/unit/test_cert_overrides_read_only.js new file mode 100644 index 0000000000..1d2c2c1727 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_overrides_read_only.js @@ -0,0 +1,94 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. +"use strict"; + +// Tests that permanent certificate error overrides can be added even if the +// certificate/key databases are in read-only mode. + +// Helper function for add_read_only_cert_override_test. Probably doesn't need +// to be called directly. +function add_read_only_cert_override(aHost, aSecurityInfo) { + let cert = aSecurityInfo.serverCert; + let certOverrideService = Cc[ + "@mozilla.org/security/certoverride;1" + ].getService(Ci.nsICertOverrideService); + // Setting the last argument to false here ensures that we attempt to store a + // permanent override (which is what was failing in bug 1427273). + certOverrideService.rememberValidityOverride(aHost, 8443, {}, cert, false); +} + +// Given a host and an expected error code, tests that an initial connection to +// the host fails with the expected errors and that adding an override results +// in a subsequent connection succeeding. +function add_read_only_cert_override_test(aHost, aExpectedError) { + add_connection_test( + aHost, + aExpectedError, + null, + add_read_only_cert_override.bind(this, aHost) + ); + add_connection_test(aHost, PRErrorCodeSuccess, null, aSecurityInfo => { + Assert.ok( + aSecurityInfo.securityState & + Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN, + "Cert override flag should be set on the security state" + ); + }); +} + +function run_test() { + let profile = do_get_profile(); + const KEY_DB_NAME = "key4.db"; + const CERT_DB_NAME = "cert9.db"; + let srcKeyDBFile = do_get_file( + `test_cert_overrides_read_only/${KEY_DB_NAME}` + ); + srcKeyDBFile.copyTo(profile, KEY_DB_NAME); + let srcCertDBFile = do_get_file( + `test_cert_overrides_read_only/${CERT_DB_NAME}` + ); + srcCertDBFile.copyTo(profile, CERT_DB_NAME); + + // set the databases to read-only + let keyDBFile = do_get_profile(); + keyDBFile.append(KEY_DB_NAME); + keyDBFile.permissions = 0o400; + let certDBFile = do_get_profile(); + certDBFile.append(CERT_DB_NAME); + certDBFile.permissions = 0o400; + + Services.prefs.setIntPref("security.OCSP.enabled", 1); + // Specifying false as the last argument means we don't try to add the default + // test root CA (which would fail). + add_tls_server_setup("BadCertAndPinningServer", "bad_certs", false); + + let fakeOCSPResponder = new HttpServer(); + fakeOCSPResponder.registerPrefixHandler("/", function (request, response) { + response.setStatusLine(request.httpVersion, 500, "Internal Server Error"); + }); + fakeOCSPResponder.start(8888); + + // Since we can't add the root CA to the (read-only) trust db, all of these + // will result in an "unknown issuer error" and need the "untrusted" error bit + // set in addition to whatever other specific error bits are necessary. + add_read_only_cert_override_test( + "expired.example.com", + SEC_ERROR_UNKNOWN_ISSUER + ); + add_read_only_cert_override_test( + "selfsigned.example.com", + MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT + ); + add_read_only_cert_override_test( + "mismatch.example.com", + SEC_ERROR_UNKNOWN_ISSUER + ); + + add_test(function () { + fakeOCSPResponder.stop(run_next_test); + }); + + run_next_test(); +} diff --git a/security/manager/ssl/tests/unit/test_cert_overrides_read_only/cert9.db b/security/manager/ssl/tests/unit/test_cert_overrides_read_only/cert9.db Binary files differnew file mode 100644 index 0000000000..3d452f335c --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_overrides_read_only/cert9.db diff --git a/security/manager/ssl/tests/unit/test_cert_overrides_read_only/key4.db b/security/manager/ssl/tests/unit/test_cert_overrides_read_only/key4.db Binary files differnew file mode 100644 index 0000000000..44d0cb1728 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_overrides_read_only/key4.db diff --git a/security/manager/ssl/tests/unit/test_cert_sha1.js b/security/manager/ssl/tests/unit/test_cert_sha1.js new file mode 100644 index 0000000000..f0a95bcd61 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_sha1.js @@ -0,0 +1,53 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +// Tests the rejection of SHA-1 certificates. + +"use strict"; + +do_get_profile(); // must be called before getting nsIX509CertDB +const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +// (new Date("2016-03-01")).getTime() / 1000 +const VALIDATION_TIME = 1456790400; + +function certFromFile(certName) { + return constructCertFromFile("test_cert_sha1/" + certName + ".pem"); +} + +function loadCertWithTrust(certName, trustString) { + addCertFromFile(certdb, "test_cert_sha1/" + certName + ".pem", trustString); +} + +function checkEndEntity(cert, expectedResult) { + return checkCertErrorGenericAtTime( + certdb, + cert, + expectedResult, + certificateUsageSSLServer, + VALIDATION_TIME + ); +} + +add_task(async function () { + loadCertWithTrust("ca", "CTu,,"); + loadCertWithTrust("int-pre", ",,"); + loadCertWithTrust("int-post", ",,"); + + await checkEndEntity( + certFromFile("ee-pre_int-pre"), + SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED + ); + await checkEndEntity( + certFromFile("ee-post_int-pre"), + SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED + ); + await checkEndEntity( + certFromFile("ee-post_int-post"), + SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED + ); +}); diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/ca.pem b/security/manager/ssl/tests/unit/test_cert_sha1/ca.pem new file mode 100644 index 0000000000..60140056de --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_sha1/ca.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyTCCAbGgAwIBAgIUUbC4F7yPobFDd+B73iWKejQ3THkwDQYJKoZIhvcNAQEF +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxMDAxMDEwMDAwMDBaGA8yMDUwMDEwMTAw +MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG +m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr +bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4 +SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3 +/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z +FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAsGA1UdDwQEAwIBBjAMBgNV +HRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQCU+Y0AeMXFIfX4/L2aX37uSR70 +pGpPrh0FPOwBO2ETUc4j7Whol9wOSPnUwuPIpiDhar5qRuhY6aCPGTIJbRZrVeXv +T5uFQXq+3CQdIyI55AkFDh9tO7wX7p3pRgzma47mBxIH082Uwy7+eEeQfhuJ5cU4 +e/zyHf6FEdkSrDjgwDip+dn8Q7tnjdaN3WYQjOFRXkHyYCIFkORDPTbYSYZ6DAqq +Q/loKTdrcbyeEwFVBZxQu4Nb6mjhkfk8U+8TIGMCTQXhoQhgMWMeMo2E0kWvYbjc +YDiRzmnsdvPu2LKnTvH28M9ODi3ZzcOuLs6jAKAiXISq0CbmwaddV/oAMoF2 +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_sha1/ca.pem.certspec new file mode 100644 index 0000000000..7e65e9ee30 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_sha1/ca.pem.certspec @@ -0,0 +1,6 @@ +issuer:ca +subject:ca +validity:20100101-20500101 +extension:keyUsage:keyCertSign,cRLSign +extension:basicConstraints:cA, +signature:sha1WithRSAEncryption diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-post.pem b/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-post.pem new file mode 100644 index 0000000000..8fb93e69e3 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-post.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICtTCCAZ2gAwIBAgIUJWQl8gkrLL7gPn47YYMdN7qBP5wwDQYJKoZIhvcNAQEF +BQAwEzERMA8GA1UEAwwIaW50LXBvc3QwIhgPMjAxNjAxMDIwMDAwMDBaGA8yMDE3 +MDIwMTAwMDAwMFowEjEQMA4GA1UEAwwHZWUtcG9zdDCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7 +wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCAp +k6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhh +eZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KW +EsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONssc +JAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0B +AQUFAAOCAQEAVOPvLS8zwos/RdClnabdxMh5g1WN5T1BsIMExE6oU6sJ7n4HyIXt +RnFTFe0t2CdXBCQPK6qG8ymeLQFNKykYlQxVZb8m5YgUK3k4IeMS/EoX4g7taREI +IwK9/n7+oKZYlz2Q/ro/R2HFmLXsCIUrsxV3vAWQCm8rSeCKzEVNlDaQ5FEMVAM7 +VlNhNNKtUnXkzZ3SRj6O4eOq3G4azr5DNo5kAQPaIbAI3k/3AHyPqIjHcoSiG1Ug +aqzIK6fNNCIAxIKAY2ERJfxA4fPlBZXono2sCOgCdFfF7QAo+o9SO8v3B+djuHgb +flbfdyEnN+y32UpYe3qV8LnFmRqGAe/vbQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-post.pem.certspec b/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-post.pem.certspec new file mode 100644 index 0000000000..76834f8447 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-post.pem.certspec @@ -0,0 +1,4 @@ +issuer:int-post +subject:ee-post +validity:20160102-20170201 +signature:sha1WithRSAEncryption diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-pre.pem b/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-pre.pem new file mode 100644 index 0000000000..2385322a64 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-pre.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICtDCCAZygAwIBAgIUIVsTCuql4BDO2r4O5zePBEoHg3QwDQYJKoZIhvcNAQEF +BQAwEjEQMA4GA1UEAwwHaW50LXByZTAiGA8yMDE2MDEwMTAwMDAwMFoYDzIwMTcw +MjAxMDAwMDAwWjASMRAwDgYDVQQDDAdlZS1wb3N0MIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqGSIb3DQEB +BQUAA4IBAQCW5zeJg+LzGn07GtdBprRLarL7aLNFSr+s+3yzphq9kN43prElX6eD +gdggPWicZozTm3IFLfJfsuhiodBZjWmkF/dsvvT3W77AcKzNWjShCnnA/Vf5IF6k +U01ROfjmgcX0mMuhVUB7b9Fl6G5DFxJgny2jYehZcJIzWUBLiwu41TIxj5Cv5F9p ++XIHEyygqm8rYzbW8F49FRbsDD9nvhmdVqXsoTaKxY8bsKKu1EpBSBXozRbLKcAn +/zrLy0HHS4qfXTHm0UKt+RCYVylL5I5YGR6rapXHChkBTBHFXdkPVsW5uHKBdBqY +98zoAAMWRvJ3xOuqAbtKG6DKadiOpz6l +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-pre.pem.certspec b/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-pre.pem.certspec new file mode 100644 index 0000000000..1e8bb35b34 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-pre.pem.certspec @@ -0,0 +1,4 @@ +issuer:int-pre +subject:ee-post +validity:20160101-20170201 +signature:sha1WithRSAEncryption diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/ee-pre_int-pre.pem b/security/manager/ssl/tests/unit/test_cert_sha1/ee-pre_int-pre.pem new file mode 100644 index 0000000000..11a5e41e99 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_sha1/ee-pre_int-pre.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICszCCAZugAwIBAgIUOU+CyYnf3GRRgGHvbeJB8HTUvJ4wDQYJKoZIhvcNAQEF +BQAwEjEQMA4GA1UEAwwHaW50LXByZTAiGA8yMDE1MDEwMTAwMDAwMFoYDzIwMTcw +MjAxMDAwMDAwWjARMQ8wDQYDVQQDDAZlZS1wcmUwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEF +BQADggEBACWLcVnT0nNyU/qFZNDZPGDFPuZCXuodBf3sgz1XDmcp5wlH+IjW3J8H +3HH6ZwIUpTtppqVxuvo2y9GP+GNyeXhxmokHTVdKDj8HqYl5lV+reO1UmzEH0AU8 +x3hd2Fkzv/h3N3EPVETWuPiFSB0oAN/xwsXC/7Yi4AY0s/I/4q/vkS76Oa2RyL3f +gbaa80+nR73BX+0wRqyg+Sgo2hOzjkCQchtZPUFYsRLhsHHBnokD8GJlT7NBKSN1 +TFt6uXpfEmqDICoyZoAw6rtnFfdEsZNo+PU6NDN3T0fkolBQPvuzfqcqAl85dpJK +ow8mFKkb2t6qQH98yabi/172l03/P34= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/ee-pre_int-pre.pem.certspec b/security/manager/ssl/tests/unit/test_cert_sha1/ee-pre_int-pre.pem.certspec new file mode 100644 index 0000000000..0f4a6ec257 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_sha1/ee-pre_int-pre.pem.certspec @@ -0,0 +1,4 @@ +issuer:int-pre +subject:ee-pre +validity:20150101-20170201 +signature:sha1WithRSAEncryption diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/int-post.pem b/security/manager/ssl/tests/unit/test_cert_sha1/int-post.pem new file mode 100644 index 0000000000..94ab4f5b15 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_sha1/int-post.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIICzzCCAbegAwIBAgIUYQ6xulHM0FrQ0sKMdbPI2ecC3PcwDQYJKoZIhvcNAQEF +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNjAxMDEwMDAwMDBaGA8yMDI2MDEwMTAw +MDAwMFowEzERMA8GA1UEAwwIaW50LXBvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg +2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ +5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQ +PdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGj +DJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8W +iy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAsGA1UdDwQEAwIB +BjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQCJN8/XexXMusXYbhVW +uYA1YpaSTrz96CXlckIuABnzCrGD5iHkfFoB0LPKd+EZ80fdHIvS1zQTYohy6O95 +JageOaTY9HsOEqsgr1BA9VKZW4QlGp7csQzNMa52WRetimv6XY/lrfPf4qAhomWG +/ImmLJpGTVPhEdz6Pl4Kvmf9zNf/BcXtBTWLSGWUC5UItC58WTopqcr5kLg3DmXB +Qr7DjqA7DT92N6qefFkTYspDZJzv0nL9OfqkdCj/s6bm3iisTQq3aek6IP6OEkXF +4TWUF3RDBsyRpG8jt/XsOsrwJDOGZGFPmMTz2uZPsZkeZhU+sfFDWL7wojl7kHV1 +c7f5 +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/int-post.pem.certspec b/security/manager/ssl/tests/unit/test_cert_sha1/int-post.pem.certspec new file mode 100644 index 0000000000..50156c9f6e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_sha1/int-post.pem.certspec @@ -0,0 +1,6 @@ +issuer:ca +subject:int-post +validity:20160101-20260101 +extension:keyUsage:keyCertSign,cRLSign +extension:basicConstraints:cA, +signature:sha1WithRSAEncryption diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/int-pre.pem b/security/manager/ssl/tests/unit/test_cert_sha1/int-pre.pem new file mode 100644 index 0000000000..0b916d5755 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_sha1/int-pre.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIICzjCCAbagAwIBAgIUYW27TGzVOIbjpG1ADx7m7mZnrNQwDQYJKoZIhvcNAQEF +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxMDAxMDEwMDAwMDBaGA8yMDIwMDEwMTAw +MDAwMFowEjEQMA4GA1UEAwwHaW50LXByZTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODY +H72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk +27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A9 +0jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMM +kd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaL +L+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMdMBswCwYDVR0PBAQDAgEG +MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAESNgcKkxBwkaBykKo2Q +GzgimnI3eNw8O8GrhefL+r3Ek/CH4/oBHGvfvrz6D19uemdOyHxo5QNW2iWEq0No +pE6Hhm504P1fdkfQvjqjIhu/h3y5QjO3zdMGeVE/39TWAGrGsNFKE+jSxm8IbycF +Ue6165agasf+PhQdorjFca48iLcowKYs5Df0SAhY7zbw1fM1HTr1YGAXc1K9aCA5 +fTmu8Nd0fNKc1NcbNDpdCG2YEj1nox1iMN5A4nY1ve88zJsnlpfsoJkHJqo2Cy+M +mpQSnkTlf3Gfpl8NO3UW9FTcnK8L4Ix2DSNBDe8Yg2YL5w/VIxecFwlmwV0wWdg6 +vl0= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/int-pre.pem.certspec b/security/manager/ssl/tests/unit/test_cert_sha1/int-pre.pem.certspec new file mode 100644 index 0000000000..9f0a59ee99 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_sha1/int-pre.pem.certspec @@ -0,0 +1,6 @@ +issuer:ca +subject:int-pre +validity:20100101-20200101 +extension:keyUsage:keyCertSign,cRLSign +extension:basicConstraints:cA, +signature:sha1WithRSAEncryption diff --git a/security/manager/ssl/tests/unit/test_cert_signatures.js b/security/manager/ssl/tests/unit/test_cert_signatures.js new file mode 100644 index 0000000000..73858afe37 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_signatures.js @@ -0,0 +1,140 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +"use strict"; + +// Tests that certificates cannot be tampered with without being detected. +// Tests a combination of cases: RSA signatures, ECDSA signatures, certificate +// chains where the intermediate has been tampered with, chains where the +// end-entity has been tampered, tampering of the signature, and tampering in +// the rest of the certificate. + +do_get_profile(); // must be called before getting nsIX509CertDB +var certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +// Reads a PEM-encoded certificate, modifies the nth byte (0-indexed), and +// returns the base64-encoded bytes of the certificate. Negative indices may be +// specified to modify a byte from the end of the certificate. +function readAndTamperWithNthByte(certificatePath, n) { + let pem = readFile(do_get_file(certificatePath, false)); + let der = atob(pemToBase64(pem)); + if (n < 0) { + // remember, n is negative at this point + n = der.length + n; + } + let replacement = "\x22"; + if (der.charCodeAt(n) == replacement) { + replacement = "\x23"; + } + der = der.substring(0, n) + replacement + der.substring(n + 1); + return btoa(der); +} + +// The signature on certificates appears last. This should modify the contents +// of the signature such that it no longer validates correctly while still +// resulting in a structurally valid certificate. +const BYTE_IN_SIGNATURE = -8; +function addSignatureTamperedCertificate(certificatePath) { + let base64 = readAndTamperWithNthByte(certificatePath, BYTE_IN_SIGNATURE); + certdb.addCertFromBase64(base64, ",,"); +} + +function ensureSignatureVerificationFailure(certificatePath) { + let cert = constructCertFromFile(certificatePath); + return checkCertErrorGeneric( + certdb, + cert, + SEC_ERROR_BAD_SIGNATURE, + certificateUsageSSLServer + ); +} + +function tamperWithSignatureAndEnsureVerificationFailure(certificatePath) { + let base64 = readAndTamperWithNthByte(certificatePath, BYTE_IN_SIGNATURE); + let cert = certdb.constructX509FromBase64(base64); + return checkCertErrorGeneric( + certdb, + cert, + SEC_ERROR_BAD_SIGNATURE, + certificateUsageSSLServer + ); +} + +// The beginning of a certificate looks like this (in hex, using DER): +// 30 XX XX XX [the XX encode length - there are probably 3 bytes here] +// 30 XX XX XX [length again] +// A0 03 +// 02 01 +// 02 +// 02 XX [length again - 1 byte as long as we're using pycert] +// XX XX ... [serial number - 20 bytes as long as we're using pycert] +// Since we want to modify the serial number, we need to change something from +// byte 15 to byte 34 (0-indexed). If it turns out that the two length sections +// we assumed were 3 bytes are shorter (they can't be longer), modifying +// something from byte 15 to byte 30 will still get us what we want. Since the +// serial number is a DER INTEGER and because it must be positive, it's best to +// skip the first two bytes of the serial number so as to not run into any +// issues there. Thus byte 17 is a good byte to modify. +const BYTE_IN_SERIAL_NUMBER = 17; +function addSerialNumberTamperedCertificate(certificatePath) { + let base64 = readAndTamperWithNthByte(certificatePath, BYTE_IN_SERIAL_NUMBER); + certdb.addCertFromBase64(base64, ",,"); +} + +function tamperWithSerialNumberAndEnsureVerificationFailure(certificatePath) { + let base64 = readAndTamperWithNthByte(certificatePath, BYTE_IN_SERIAL_NUMBER); + let cert = certdb.constructX509FromBase64(base64); + return checkCertErrorGeneric( + certdb, + cert, + SEC_ERROR_BAD_SIGNATURE, + certificateUsageSSLServer + ); +} + +add_task(async function () { + addCertFromFile(certdb, "test_cert_signatures/ca-rsa.pem", "CTu,,"); + addCertFromFile(certdb, "test_cert_signatures/ca-secp384r1.pem", "CTu,,"); + + // Tamper with the signatures on intermediate certificates and ensure that + // end-entity certificates issued by those intermediates do not validate + // successfully. + addSignatureTamperedCertificate("test_cert_signatures/int-rsa.pem"); + addSignatureTamperedCertificate("test_cert_signatures/int-secp384r1.pem"); + await ensureSignatureVerificationFailure("test_cert_signatures/ee-rsa.pem"); + await ensureSignatureVerificationFailure( + "test_cert_signatures/ee-secp384r1.pem" + ); + + // Tamper with the signatures on end-entity certificates and ensure that they + // do not validate successfully. + await tamperWithSignatureAndEnsureVerificationFailure( + "test_cert_signatures/ee-rsa-direct.pem" + ); + await tamperWithSignatureAndEnsureVerificationFailure( + "test_cert_signatures/ee-secp384r1-direct.pem" + ); + + // Tamper with the serial numbers of intermediate certificates and ensure + // that end-entity certificates issued by those intermediates do not validate + // successfully. + addSerialNumberTamperedCertificate("test_cert_signatures/int-rsa.pem"); + addSerialNumberTamperedCertificate("test_cert_signatures/int-secp384r1.pem"); + await ensureSignatureVerificationFailure("test_cert_signatures/ee-rsa.pem"); + await ensureSignatureVerificationFailure( + "test_cert_signatures/ee-secp384r1.pem" + ); + + // Tamper with the serial numbers of end-entity certificates and ensure that + // they do not validate successfully. + await tamperWithSerialNumberAndEnsureVerificationFailure( + "test_cert_signatures/ee-rsa-direct.pem" + ); + await tamperWithSerialNumberAndEnsureVerificationFailure( + "test_cert_signatures/ee-secp384r1-direct.pem" + ); +}); diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ca-rsa.pem b/security/manager/ssl/tests/unit/test_cert_signatures/ca-rsa.pem new file mode 100644 index 0000000000..8b45dad277 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_signatures/ca-rsa.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC0TCCAbmgAwIBAgIUDV80TugFYIoMPwaiYdawE7V/rjkwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGY2EtcnNhMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy +MDQwMDAwMDBaMBExDzANBgNVBAMMBmNhLXJzYTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl +qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg +w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx +V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1 +MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs +vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMdMBswDAYDVR0TBAUw +AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBACQExelnbKhD4GcL +tRqJXQR4AhLmss7ktDqfp+pZiWv+vwJOvsOwspp4kOh3ztz9iX4njQR4bv3TR+sS +eBd2QNbUfUhQjuBewNjADxiNfVj54V1l2Cy7AdkrJ0R7eFQ3MEcff7KTrFKeFi3c +K9BigWa8hlHQ63ttySQpMmolvYbtf2oku/olwX3adpJH3U5HL3syFgNi6VC/kIe+ +Kbgy107DrbXNZwtWFJSH1fFcnPWQeuoYaM3UUXsS8OHlwEBDHK5U5ZFjMVzGdpz3 +R/S/8O5Yd0BH+USVdJ5IzoJA3sCGsrzLAg8fYvs2WtQaBL46geKz2f1ZWh2AtfTO +FtoX8MQ= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ca-rsa.pem.certspec b/security/manager/ssl/tests/unit/test_cert_signatures/ca-rsa.pem.certspec new file mode 100644 index 0000000000..5890d2db60 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_signatures/ca-rsa.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca-rsa +subject:ca-rsa +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ca-secp384r1.pem b/security/manager/ssl/tests/unit/test_cert_signatures/ca-secp384r1.pem new file mode 100644 index 0000000000..be644e0022 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_signatures/ca-secp384r1.pem @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBjzCCARSgAwIBAgIUDxOVAGBWpISlY8NCTFeThopVpaowCgYIKoZIzj0EAwIw +FzEVMBMGA1UEAwwMY2Etc2VjcDM4NHIxMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAy +NTAyMDQwMDAwMDBaMBcxFTATBgNVBAMMDGNhLXNlY3AzODRyMTB2MBAGByqGSM49 +AgEGBSuBBAAiA2IABKFockM2K1x7GInzeRVGFaHHP7SN7oY+AikV22COJS3ktxMt +qM6Y6DFTTmqcDAsJyNY5regyBuW6gTRzoR+jMOBdqMluQ4P+J4c9qXEDviiIz/AC +8Fr3Gh/dzIN0qm6pzqMdMBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwCgYI +KoZIzj0EAwIDaQAwZgIxAO0GJz6haDpUtNgaQ3SESJY85j6+gRcD7Nc9cvCiVAZZ +1OxFRuhW515lVbeTqfcA8wIxAOke6+me0k8z0qIWLJAmGhZag42W/SbsPuJMWJDk +FapWgW9aiWoF20d8IqL6w/fj8A== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ca-secp384r1.pem.certspec b/security/manager/ssl/tests/unit/test_cert_signatures/ca-secp384r1.pem.certspec new file mode 100644 index 0000000000..0701c23c1e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_signatures/ca-secp384r1.pem.certspec @@ -0,0 +1,7 @@ +issuer:ca-secp384r1 +subject:ca-secp384r1 +issuerKey:secp384r1 +subjectKey:secp384r1 +signature:ecdsaWithSHA256 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa-direct.pem b/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa-direct.pem new file mode 100644 index 0000000000..69caa94474 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa-direct.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICuTCCAaGgAwIBAgIUM77a0/k/vUucMHymGvhh240zM4AwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGY2EtcnNhMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy +MDQwMDAwMDBaMBgxFjAUBgNVBAMMDWVlLXJzYS1kaXJlY3QwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVo +V2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p +0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk +fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZh +W7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EI +TjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZI +hvcNAQELBQADggEBAHVsx0EjIAbpDpvodZ+43WN3trKWP6GM8tN+OHjsN4/fOFb7 +yRBbH/xAXL03WOfFhsJpiKdPTB9op+I3lZ1bfmH91npcaI2jsH9n5Z8YOycgSP/f +cZtKAz3ZjG8zgrnMPQe5aA1NEakcxwPHp7BZeHLKUZ+rVb4YZ9049Lx86XKqsEa1 +0FuPMImqdIvft/XZs31UB1rjHN2AefT0v9MTWsc0nkd/7V6pAUdACX9UxRDzqM+2 +++17MSutN9iosylEzRA3PqbM+57ac12RoHAGoLzhNGYzQED+rcE9/ey9uPktISHF +sxWawVueVntlU0uAB877iaGcqy4XkS1p7dy5P/Y= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa-direct.pem.certspec b/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa-direct.pem.certspec new file mode 100644 index 0000000000..4e25ddcf94 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa-direct.pem.certspec @@ -0,0 +1,2 @@ +issuer:ca-rsa +subject:ee-rsa-direct diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa.pem b/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa.pem new file mode 100644 index 0000000000..9a09c3eb49 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICszCCAZugAwIBAgIUXcTc2SQ1/FZafhESgXzdxvwbIwQwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHaW50LXJzYTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw +MjA0MDAwMDAwWjARMQ8wDQYDVQQDDAZlZS1yc2EwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEL +BQADggEBAHowIx3F6a61sqSwLF3Hdgc9IVjR5GYFbM1Oefdn/lFhUF/yWnfbpL6U +vUsAKI0QaisEJk83jvgTSf+OpCS1mJagh0kvpgapOtOlZ5L9QlAoPWZzdjrMaK1A +R7FPHSLQPLiwnYUrVyZ3H7qoohUs7hhnwD/ullXfOq4ls7wIwoFVC2Pqppx0aeTh +hIpL+vG1Fn73ofqj3e24ATY+wQh7QTsrrQv3AOTBCYNWOh6ZOUtBFaoL/s21im9v +VQabX6xtSU9NLo9x0gum/tigqJEFFTEXvz7ybfoVhKkdCnc5R24GfIFzyaLVde4x +ht/M1pt97rpNs1txeixmwuf7A/WtDrw= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa.pem.certspec b/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa.pem.certspec new file mode 100644 index 0000000000..b974a0a0a8 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa.pem.certspec @@ -0,0 +1,2 @@ +issuer:int-rsa +subject:ee-rsa diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1-direct.pem b/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1-direct.pem new file mode 100644 index 0000000000..7d8c08e287 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1-direct.pem @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBdjCB/KADAgECAhQZAHoBt09lI61Q3bCATEjYQtltsTAKBggqhkjOPQQDAjAX +MRUwEwYDVQQDDAxjYS1zZWNwMzg0cjEwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1 +MDIwNDAwMDAwMFowHjEcMBoGA1UEAwwTZWUtc2VjcDM4NHIxLWRpcmVjdDB2MBAG +ByqGSM49AgEGBSuBBAAiA2IABKFockM2K1x7GInzeRVGFaHHP7SN7oY+AikV22CO +JS3ktxMtqM6Y6DFTTmqcDAsJyNY5regyBuW6gTRzoR+jMOBdqMluQ4P+J4c9qXED +viiIz/AC8Fr3Gh/dzIN0qm6pzjAKBggqhkjOPQQDAgNpADBmAjEA7QYnPqFoOlS0 +2BpDdIRIljzmPr6BFwPs1z1y8KJUBlnU7EVG6FbnXmVVt5Op9wDzAjEAlsY+wH/m +rlRsGMhNTmwDCqqe+KNZMWXL2fVWRhIKyAbvhATRsEj/fHMHQTrIoz/0 +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1-direct.pem.certspec b/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1-direct.pem.certspec new file mode 100644 index 0000000000..386ab95f78 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1-direct.pem.certspec @@ -0,0 +1,5 @@ +issuer:ca-secp384r1 +subject:ee-secp384r1-direct +issuerKey:secp384r1 +subjectKey:secp384r1 +signature:ecdsaWithSHA256 diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1.pem b/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1.pem new file mode 100644 index 0000000000..9f78ae5596 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1.pem @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBbzCB9qADAgECAhRv/VEnsrkCA8hWjtmF8tS/35wV+TAKBggqhkjOPQQDAjAY +MRYwFAYDVQQDDA1pbnQtc2VjcDM4NHIxMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAy +NTAyMDQwMDAwMDBaMBcxFTATBgNVBAMMDGVlLXNlY3AzODRyMTB2MBAGByqGSM49 +AgEGBSuBBAAiA2IABKFockM2K1x7GInzeRVGFaHHP7SN7oY+AikV22COJS3ktxMt +qM6Y6DFTTmqcDAsJyNY5regyBuW6gTRzoR+jMOBdqMluQ4P+J4c9qXEDviiIz/AC +8Fr3Gh/dzIN0qm6pzjAKBggqhkjOPQQDAgNoADBlAjEA7QYnPqFoOlS02BpDdIRI +ljzmPr6BFwPs1z1y8KJUBlnU7EVG6FbnXmVVt5Op9wDzAjA5lYXxjooU1BfUCwDn +Qk8cNqEXbN6dikgQUMqLRdwnuBGlcV4vQNhyIYUCCg++lUg= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1.pem.certspec b/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1.pem.certspec new file mode 100644 index 0000000000..b8f7993be8 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1.pem.certspec @@ -0,0 +1,5 @@ +issuer:int-secp384r1 +subject:ee-secp384r1 +issuerKey:secp384r1 +subjectKey:secp384r1 +signature:ecdsaWithSHA256 diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/int-rsa.pem b/security/manager/ssl/tests/unit/test_cert_signatures/int-rsa.pem new file mode 100644 index 0000000000..f4114bdb2c --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_signatures/int-rsa.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC0jCCAbqgAwIBAgIUU6Hu9o9yM2q0UIz1klSmb3O5j6UwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGY2EtcnNhMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy +MDQwMDAwMDBaMBIxEDAOBgNVBAMMB2ludC1yc2EwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQF +MAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQAgeoEfAYgunOXP +zzhV6ZZog7TziqsNHDLGAFbDjLwPHjMOMkcqzhz+uHrBxViV9dINSJdARqTMoQvL +BGG9DNutm+KjDocWZ8cVcvtleJTYAEpDo1in55t/mD7huUleSuq80whB3uuCDwz5 +TAs9Qfr0AmVTy7rW9/8uO/Tlc89StlqnSQ8QTHfct1egGXG4LY2dKogXq5M+5FrM +VsFc/lDHDzMUDEw8StRbfQGy7HaU5yFoaVcH/KTgem33QmLVAq6v7prqn2MbwSeX +lSbT14cFMBiTY8mUC25sdPbM/AkZLco/1iuNFPR3CqU4o0zO3O8mepJ8TPAaRNHI +38NU05bv +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/int-rsa.pem.certspec b/security/manager/ssl/tests/unit/test_cert_signatures/int-rsa.pem.certspec new file mode 100644 index 0000000000..a86d28b44a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_signatures/int-rsa.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca-rsa +subject:int-rsa +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/int-secp384r1.pem b/security/manager/ssl/tests/unit/test_cert_signatures/int-secp384r1.pem new file mode 100644 index 0000000000..e1800be0c5 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_signatures/int-secp384r1.pem @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBjzCCARWgAwIBAgIUX4m+M8t/s153wAjqZK2IklsRMvwwCgYIKoZIzj0EAwIw +FzEVMBMGA1UEAwwMY2Etc2VjcDM4NHIxMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAy +NTAyMDQwMDAwMDBaMBgxFjAUBgNVBAMMDWludC1zZWNwMzg0cjEwdjAQBgcqhkjO +PQIBBgUrgQQAIgNiAAShaHJDNitcexiJ83kVRhWhxz+0je6GPgIpFdtgjiUt5LcT +LajOmOgxU05qnAwLCcjWOa3oMgbluoE0c6EfozDgXajJbkOD/ieHPalxA74oiM/w +AvBa9xof3cyDdKpuqc6jHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoG +CCqGSM49BAMCA2gAMGUCMQDtBic+oWg6VLTYGkN0hEiWPOY+voEXA+zXPXLwolQG +WdTsRUboVudeZVW3k6n3APMCMGioCMuJu85AGvcYdq3sAV38rWpDJXUt+YkD5C2U +d7O9vkcolgeLW6XiJcOK0I+uQg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/int-secp384r1.pem.certspec b/security/manager/ssl/tests/unit/test_cert_signatures/int-secp384r1.pem.certspec new file mode 100644 index 0000000000..e002a1569a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_signatures/int-secp384r1.pem.certspec @@ -0,0 +1,7 @@ +issuer:ca-secp384r1 +subject:int-secp384r1 +issuerKey:secp384r1 +subjectKey:secp384r1 +signature:ecdsaWithSHA256 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_cert_storage.js b/security/manager/ssl/tests/unit/test_cert_storage.js new file mode 100644 index 0000000000..e6bd4d944b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_storage.js @@ -0,0 +1,258 @@ +/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +// This test checks a number of things: +// * it ensures that data loaded from revocations.txt on startup is present +// * it ensures that data served from OneCRL are persisted correctly +// * it ensures that items in the CertBlocklist are seen as revoked by the +// cert verifier +// * it does a sanity check to ensure other cert verifier behavior is +// unmodified + +const { RemoteSecuritySettings } = ChromeUtils.importESModule( + "resource://gre/modules/psm/RemoteSecuritySettings.sys.mjs" +); + +// First, we need to setup appInfo for the blocklist service to work +var id = "xpcshell@tests.mozilla.org"; +var appName = "XPCShell"; +var version = "1"; +var platformVersion = "1.9.2"; +const { updateAppInfo } = ChromeUtils.importESModule( + "resource://testing-common/AppInfo.sys.mjs" +); +updateAppInfo({ + name: appName, + ID: id, + version, + platformVersion: platformVersion ? platformVersion : "1.0", + crashReporter: true, +}); + +// we need to ensure we setup revocation data before certDB, or we'll start with +// no revocation.txt in the profile +var gProfile = do_get_profile(); + +var gRevocations = gProfile.clone(); +gRevocations.append("revocations.txt"); +if (!gRevocations.exists()) { + let existing = do_get_file("test_onecrl/sample_revocations.txt", false); + existing.copyTo(gProfile, "revocations.txt"); +} + +var certDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +const certBlocklist = [ + // test with some bad data ... + { + issuerName: "Some nonsense in issuer", + serialNumber: "AkHVNA==", + }, + { + issuerName: "MA0xCzAJBgNVBAMMAmNh", + serialNumber: "some nonsense in serial", + }, + { + issuerName: "and serial", + serialNumber: "some nonsense in both issuer", + }, + // some mixed + // In these case, the issuer name and the valid serialNumber correspond + // to test-int.pem in bad_certs/ + { + issuerName: "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=", + serialNumber: "oops! more nonsense.", + }, + { + issuerName: "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=", + serialNumber: "a0X7/7DlTaedpgrIJg25iBPOkIM=", + }, + // ... and some good + // In this case, the issuer name and the valid serialNumber correspond + // to other-test-ca.pem in bad_certs/ (for testing root revocation) + { + issuerName: "MBgxFjAUBgNVBAMMDU90aGVyIHRlc3QgQ0E=", + serialNumber: "Rym6o+VN9xgZXT/QLrvN/nv1ZN4=", + }, + // These items correspond to an entry in sample_revocations.txt where: + // isser name is the base-64 encoded subject DN for the shared Test + // Intermediate and the serialNumbers are base-64 encoded 78 and 31, + // respectively. + // We need this to ensure that existing items are retained if they're + // also in the blocklist + { + issuerName: "MBwxGjAYBgNVBAMMEVRlc3QgSW50ZXJtZWRpYXRl", + serialNumber: "Tg==", + }, + { + issuerName: "MBwxGjAYBgNVBAMMEVRlc3QgSW50ZXJtZWRpYXRl", + serialNumber: "Hw==", + }, + // This item revokes same-issuer-ee.pem by subject and pubKeyHash. + { + subject: "MCIxIDAeBgNVBAMMF0Fub3RoZXIgVGVzdCBFbmQtZW50aXR5", + pubKeyHash: "VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8=", + }, +]; + +function verify_cert(file, expectedError) { + let ee = constructCertFromFile(file); + return checkCertErrorGeneric( + certDB, + ee, + expectedError, + certificateUsageSSLServer + ); +} + +// The certificate blocklist currently only applies to TLS server certificates. +async function verify_non_tls_usage_succeeds(file) { + let ee = constructCertFromFile(file); + await checkCertErrorGeneric( + certDB, + ee, + PRErrorCodeSuccess, + certificateUsageSSLClient + ); + await checkCertErrorGeneric( + certDB, + ee, + PRErrorCodeSuccess, + certificateUsageEmailSigner + ); + await checkCertErrorGeneric( + certDB, + ee, + PRErrorCodeSuccess, + certificateUsageEmailRecipient + ); +} + +function load_cert(cert, trust) { + let file = "bad_certs/" + cert + ".pem"; + addCertFromFile(certDB, file, trust); +} + +async function update_blocklist() { + const { OneCRLBlocklistClient } = RemoteSecuritySettings.init(); + + const fakeEvent = { + current: certBlocklist, // with old .txt revocations. + deleted: [], + created: certBlocklist, // with new cert storage. + updated: [], + }; + await OneCRLBlocklistClient.emit("sync", { data: fakeEvent }); + // Save the last check timestamp, used by cert_storage to assert + // if the blocklist is «fresh». + Services.prefs.setIntPref( + OneCRLBlocklistClient.lastCheckTimePref, + Math.floor(Date.now() / 1000) + ); +} + +function run_test() { + // import the certificates we need + load_cert("test-ca", "CTu,CTu,CTu"); + load_cert("test-int", ",,"); + load_cert("other-test-ca", "CTu,CTu,CTu"); + + add_task(async function () { + // check some existing items in revocations.txt are blocked. + // This test corresponds to: + // issuer: MBIxEDAOBgNVBAMMB1Rlc3QgQ0E= (CN=Test CA) + // serial: Kg== (42) + let file = "test_onecrl/ee-revoked-by-revocations-txt.pem"; + await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE); + + // This test corresponds to: + // issuer: MBwxGjAYBgNVBAMMEVRlc3QgSW50ZXJtZWRpYXRl (CN=Test Intermediate) + // serial: Tg== (78) + file = "test_onecrl/another-ee-revoked-by-revocations-txt.pem"; + await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE); + + // And this test corresponds to: + // issuer: MBwxGjAYBgNVBAMMEVRlc3QgSW50ZXJtZWRpYXRl (CN=Test Intermediate) + // serial: Hw== (31) + // (we test this issuer twice to ensure we can read multiple serials) + file = "test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem"; + await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE); + + // Test that a certificate revoked by subject and public key hash in + // revocations.txt is revoked + // subject: MCsxKTAnBgNVBAMMIEVFIFJldm9rZWQgQnkgU3ViamVjdCBhbmQgUHViS2V5 + // (CN=EE Revoked By Subject and PubKey) + // pubkeyhash: VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8= (this is the + // shared RSA SPKI) + file = "test_onecrl/ee-revoked-by-subject-and-pubkey.pem"; + await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE); + + // Soon we'll load a blocklist which revokes test-int.pem, which issued + // test-int-ee.pem. + // Check the cert validates before we load the blocklist + file = "test_onecrl/test-int-ee.pem"; + await verify_cert(file, PRErrorCodeSuccess); + + // The blocklist also revokes other-test-ca.pem, which issued + // other-ca-ee.pem. Check the cert validates before we load the blocklist + file = "bad_certs/other-issuer-ee.pem"; + await verify_cert(file, PRErrorCodeSuccess); + + // The blocklist will revoke same-issuer-ee.pem via subject / pubKeyHash. + // Check the cert validates before we load the blocklist + file = "test_onecrl/same-issuer-ee.pem"; + await verify_cert(file, PRErrorCodeSuccess); + }); + + // blocklist load is async so we must use add_test from here + add_task(update_blocklist); + + add_task(async function () { + // The blocklist will be loaded now. Let's check the data is sane. + // In particular, we should still have the revoked issuer / serial pair + // that was in revocations.txt but not the blocklist. + let file = "test_onecrl/ee-revoked-by-revocations-txt.pem"; + await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE); + + // We should also still have the revoked issuer / serial pairs that were in + // revocations.txt and are also in the blocklist. + file = "test_onecrl/another-ee-revoked-by-revocations-txt.pem"; + await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE); + file = "test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem"; + await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE); + + // The cert revoked by subject and pubkeyhash should still be revoked. + file = "test_onecrl/ee-revoked-by-subject-and-pubkey.pem"; + await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE); + + // Check the blocklisted intermediate now causes a failure + file = "test_onecrl/test-int-ee.pem"; + await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE); + await verify_non_tls_usage_succeeds(file); + + // Check the ee with the blocklisted root also causes a failure + file = "bad_certs/other-issuer-ee.pem"; + await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE); + await verify_non_tls_usage_succeeds(file); + + // Check the ee blocked by subject / pubKey causes a failure + file = "test_onecrl/same-issuer-ee.pem"; + await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE); + await verify_non_tls_usage_succeeds(file); + + // Check a non-blocklisted chain still validates OK + file = "bad_certs/default-ee.pem"; + await verify_cert(file, PRErrorCodeSuccess); + + // Check a bad cert is still bad (unknown issuer) + file = "bad_certs/unknownissuer.pem"; + await verify_cert(file, SEC_ERROR_UNKNOWN_ISSUER); + }); + + run_next_test(); +} diff --git a/security/manager/ssl/tests/unit/test_cert_storage_broken_db.js b/security/manager/ssl/tests/unit/test_cert_storage_broken_db.js new file mode 100644 index 0000000000..cabf16b48d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_storage_broken_db.js @@ -0,0 +1,72 @@ +/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +// This file tests cert_storage's automatic database recreation mechanism. If +// opening the database for the first time fails, cert_storage will re-create +// it. + +function call_has_prior_data(certStorage, type) { + return new Promise(resolve => { + certStorage.hasPriorData(type, (rv, hasPriorData) => { + Assert.equal(rv, Cr.NS_OK, "hasPriorData should succeed"); + resolve(hasPriorData); + }); + }); +} + +async function check_has_prior_revocation_data(certStorage, expectedResult) { + let hasPriorRevocationData = await call_has_prior_data( + certStorage, + Ci.nsICertStorage.DATA_TYPE_REVOCATION + ); + Assert.equal( + hasPriorRevocationData, + expectedResult, + `should ${expectedResult ? "have" : "not have"} prior revocation data` + ); +} + +async function check_has_prior_cert_data(certStorage, expectedResult) { + let hasPriorCertData = await call_has_prior_data( + certStorage, + Ci.nsICertStorage.DATA_TYPE_CERTIFICATE + ); + Assert.equal( + hasPriorCertData, + expectedResult, + `should ${expectedResult ? "have" : "not have"} prior cert data` + ); +} + +add_task(async function () { + // Create an invalid database. + let fileToCopy = do_get_file("test_cert_storage_broken_db.js"); + let dbDirectory = do_get_profile(); + dbDirectory.append("security_state"); + fileToCopy.copyTo(dbDirectory, "data.mdb"); + + let certStorage = Cc["@mozilla.org/security/certstorage;1"].getService( + Ci.nsICertStorage + ); + check_has_prior_revocation_data(certStorage, false); + check_has_prior_cert_data(certStorage, false); + + let result = await new Promise(resolve => { + certStorage.setRevocations([], resolve); + }); + Assert.equal(result, Cr.NS_OK, "setRevocations should succeed"); + + check_has_prior_revocation_data(certStorage, true); + check_has_prior_cert_data(certStorage, false); + + result = await new Promise(resolve => { + certStorage.addCerts([], resolve); + }); + Assert.equal(result, Cr.NS_OK, "addCerts should succeed"); + + check_has_prior_revocation_data(certStorage, true); + check_has_prior_cert_data(certStorage, true); +}); diff --git a/security/manager/ssl/tests/unit/test_cert_storage_direct.js b/security/manager/ssl/tests/unit/test_cert_storage_direct.js new file mode 100644 index 0000000000..a1ba818dd9 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_storage_direct.js @@ -0,0 +1,417 @@ +/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +// This file consists of unit tests for cert_storage (whereas test_cert_storage.js is more of an +// integration test). + +do_get_profile(); + +this.certStorage = Cc["@mozilla.org/security/certstorage;1"].getService( + Ci.nsICertStorage +); + +async function addCerts(certInfos) { + let result = await new Promise(resolve => { + certStorage.addCerts(certInfos, resolve); + }); + Assert.equal(result, Cr.NS_OK, "addCerts should succeed"); +} + +async function removeCertsByHashes(hashesBase64) { + let result = await new Promise(resolve => { + certStorage.removeCertsByHashes(hashesBase64, resolve); + }); + Assert.equal(result, Cr.NS_OK, "removeCertsByHashes should succeed"); +} + +function getLongString(uniquePart, length) { + return String(uniquePart).padStart(length, "0"); +} + +class CertInfo { + constructor(cert, subject) { + this.cert = btoa(cert); + this.subject = btoa(subject); + this.trust = Ci.nsICertStorage.TRUST_INHERIT; + } +} +CertInfo.prototype.QueryInterface = ChromeUtils.generateQI(["nsICertInfo"]); + +add_task(async function test_common_subject() { + let someCert1 = new CertInfo( + "some certificate bytes 1", + "some common subject" + ); + let someCert2 = new CertInfo( + "some certificate bytes 2", + "some common subject" + ); + let someCert3 = new CertInfo( + "some certificate bytes 3", + "some common subject" + ); + await addCerts([someCert1, someCert2, someCert3]); + let storedCerts = certStorage.findCertsBySubject( + stringToArray("some common subject") + ); + let storedCertsAsStrings = storedCerts.map(arrayToString); + let expectedCerts = [ + "some certificate bytes 1", + "some certificate bytes 2", + "some certificate bytes 3", + ]; + Assert.deepEqual( + storedCertsAsStrings.sort(), + expectedCerts.sort(), + "should find expected certs" + ); + + await addCerts([ + new CertInfo("some other certificate bytes", "some other subject"), + ]); + storedCerts = certStorage.findCertsBySubject( + stringToArray("some common subject") + ); + storedCertsAsStrings = storedCerts.map(arrayToString); + Assert.deepEqual( + storedCertsAsStrings.sort(), + expectedCerts.sort(), + "should still find expected certs" + ); + + let storedOtherCerts = certStorage.findCertsBySubject( + stringToArray("some other subject") + ); + let storedOtherCertsAsStrings = storedOtherCerts.map(arrayToString); + let expectedOtherCerts = ["some other certificate bytes"]; + Assert.deepEqual( + storedOtherCertsAsStrings, + expectedOtherCerts, + "should have other certificate" + ); +}); + +add_task(async function test_many_entries() { + const NUM_CERTS = 500; + const CERT_LENGTH = 3000; + const SUBJECT_LENGTH = 40; + let certs = []; + for (let i = 0; i < NUM_CERTS; i++) { + certs.push( + new CertInfo( + getLongString(i, CERT_LENGTH), + getLongString(i, SUBJECT_LENGTH) + ) + ); + } + await addCerts(certs); + for (let i = 0; i < NUM_CERTS; i++) { + let subject = stringToArray(getLongString(i, SUBJECT_LENGTH)); + let storedCerts = certStorage.findCertsBySubject(subject); + Assert.equal( + storedCerts.length, + 1, + "should have 1 certificate (lots of data test)" + ); + let storedCertAsString = arrayToString(storedCerts[0]); + Assert.equal( + storedCertAsString, + getLongString(i, CERT_LENGTH), + "certificate should be as expected (lots of data test)" + ); + } +}); + +add_task(async function test_removal() { + // As long as cert_storage is given valid base64, attempting to delete some nonexistent + // certificate will "succeed" (it'll do nothing). + await removeCertsByHashes([btoa("thishashisthewrongsize")]); + + let removalCert1 = new CertInfo( + "removal certificate bytes 1", + "common subject to remove" + ); + let removalCert2 = new CertInfo( + "removal certificate bytes 2", + "common subject to remove" + ); + let removalCert3 = new CertInfo( + "removal certificate bytes 3", + "common subject to remove" + ); + await addCerts([removalCert1, removalCert2, removalCert3]); + + let storedCerts = certStorage.findCertsBySubject( + stringToArray("common subject to remove") + ); + let storedCertsAsStrings = storedCerts.map(arrayToString); + let expectedCerts = [ + "removal certificate bytes 1", + "removal certificate bytes 2", + "removal certificate bytes 3", + ]; + Assert.deepEqual( + storedCertsAsStrings.sort(), + expectedCerts.sort(), + "should find expected certs before removing them" + ); + + // echo -n "removal certificate bytes 2" | sha256sum | xxd -r -p | base64 + await removeCertsByHashes(["2nUPHwl5TVr1mAD1FU9FivLTlTb0BAdnVUhsYgBccN4="]); + storedCerts = certStorage.findCertsBySubject( + stringToArray("common subject to remove") + ); + storedCertsAsStrings = storedCerts.map(arrayToString); + expectedCerts = [ + "removal certificate bytes 1", + "removal certificate bytes 3", + ]; + Assert.deepEqual( + storedCertsAsStrings.sort(), + expectedCerts.sort(), + "should only have first and third certificates now" + ); + + // echo -n "removal certificate bytes 1" | sha256sum | xxd -r -p | base64 + await removeCertsByHashes(["8zoRqHYrklr7Zx6UWpzrPuL+ol8KL1Ml6XHBQmXiaTY="]); + storedCerts = certStorage.findCertsBySubject( + stringToArray("common subject to remove") + ); + storedCertsAsStrings = storedCerts.map(arrayToString); + expectedCerts = ["removal certificate bytes 3"]; + Assert.deepEqual( + storedCertsAsStrings.sort(), + expectedCerts.sort(), + "should only have third certificate now" + ); + + // echo -n "removal certificate bytes 3" | sha256sum | xxd -r -p | base64 + await removeCertsByHashes(["vZn7GwDSabB/AVo0T+N26nUsfSXIIx4NgQtSi7/0p/w="]); + storedCerts = certStorage.findCertsBySubject( + stringToArray("common subject to remove") + ); + Assert.equal(storedCerts.length, 0, "shouldn't have any certificates now"); + + // echo -n "removal certificate bytes 3" | sha256sum | xxd -r -p | base64 + // Again, removing a nonexistent certificate should "succeed". + await removeCertsByHashes(["vZn7GwDSabB/AVo0T+N26nUsfSXIIx4NgQtSi7/0p/w="]); +}); + +add_task(async function test_batched_removal() { + let removalCert1 = new CertInfo( + "batch removal certificate bytes 1", + "batch subject to remove" + ); + let removalCert2 = new CertInfo( + "batch removal certificate bytes 2", + "batch subject to remove" + ); + let removalCert3 = new CertInfo( + "batch removal certificate bytes 3", + "batch subject to remove" + ); + await addCerts([removalCert1, removalCert2, removalCert3]); + let storedCerts = certStorage.findCertsBySubject( + stringToArray("batch subject to remove") + ); + let storedCertsAsStrings = storedCerts.map(arrayToString); + let expectedCerts = [ + "batch removal certificate bytes 1", + "batch removal certificate bytes 2", + "batch removal certificate bytes 3", + ]; + Assert.deepEqual( + storedCertsAsStrings.sort(), + expectedCerts.sort(), + "should find expected certs before removing them" + ); + // echo -n "batch removal certificate bytes 1" | sha256sum | xxd -r -p | base64 + // echo -n "batch removal certificate bytes 2" | sha256sum | xxd -r -p | base64 + // echo -n "batch removal certificate bytes 3" | sha256sum | xxd -r -p | base64 + await removeCertsByHashes([ + "EOEEUTuanHZX9NFVCoMKVT22puIJC6g+ZuNPpJgvaa8=", + "Xz6h/Kvn35cCLJEZXkjPqk1GG36b56sreLyAXpO+0zg=", + "Jr7XdiTT8ZONUL+ogNNMW2oxKxanvYOLQPKBPgH/has=", + ]); + storedCerts = certStorage.findCertsBySubject( + stringToArray("batch subject to remove") + ); + Assert.equal(storedCerts.length, 0, "shouldn't have any certificates now"); +}); + +class CRLiteCoverage { + constructor(ctLogID, minTimestamp, maxTimestamp) { + this.b64LogID = ctLogID; + this.minTimestamp = minTimestamp; + this.maxTimestamp = maxTimestamp; + } +} +CRLiteCoverage.prototype.QueryInterface = ChromeUtils.generateQI([ + "nsICRLiteCoverage", +]); + +add_task(async function test_crlite_filter() { + let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + addCertFromFile( + certdb, + "test_cert_storage_direct/valid-cert-issuer.pem", + ",," + ); + let validCert = constructCertFromFile( + "test_cert_storage_direct/valid-cert.pem" + ); + addCertFromFile( + certdb, + "test_cert_storage_direct/revoked-cert-issuer.pem", + ",," + ); + let revokedCert = constructCertFromFile( + "test_cert_storage_direct/revoked-cert.pem" + ); + let filterFile = do_get_file( + "test_cert_storage_direct/test-filter.crlite", + false + ); + ok(filterFile.exists(), "test filter file should exist"); + let enrollment = []; + let coverage = []; + let filterBytes = stringToArray(readFile(filterFile)); + // First simualte a filter that does not cover any certificates. With CRLite + // enabled, none of the certificates should appear to be revoked. + let setFullCRLiteFilterResult = await new Promise(resolve => { + certStorage.setFullCRLiteFilter(filterBytes, enrollment, coverage, resolve); + }); + Assert.equal( + setFullCRLiteFilterResult, + Cr.NS_OK, + "setFullCRLiteFilter should succeed" + ); + + Services.prefs.setIntPref( + "security.pki.crlite_mode", + CRLiteModeEnforcePrefValue + ); + await checkCertErrorGenericAtTime( + certdb, + validCert, + PRErrorCodeSuccess, + certificateUsageSSLServer, + new Date("2019-11-04T00:00:00Z").getTime() / 1000, + false, + "skynew.jp", + Ci.nsIX509CertDB.FLAG_LOCAL_ONLY + ); + await checkCertErrorGenericAtTime( + certdb, + revokedCert, + PRErrorCodeSuccess, + certificateUsageSSLServer, + new Date("2019-11-04T00:00:00Z").getTime() / 1000, + false, + "schunk-group.com", + Ci.nsIX509CertDB.FLAG_LOCAL_ONLY + ); + + // Now replace the filter with one that covers the "valid" and "revoked" + // certificates. CRLite should flag the revoked certificate. + coverage.push( + new CRLiteCoverage( + "pLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BA=", + 0, + 1641612275000 + ) + ); + + // crlite_enrollment_id.py test_crlite_filters/issuer.pem + enrollment.push("UbH9/ZAnjuqf79Xhah1mFOWo6ZvgQCgsdheWfjvVUM8="); + // crlite_enrollment_id.py test_crlite_filters/no-sct-issuer.pem + enrollment.push("Myn7EasO1QikOtNmo/UZdh6snCAw0BOY6wgU8OsUeeY="); + // crlite_enrollment_id.py test_cert_storage_direct/revoked-cert-issuer.pem + enrollment.push("HTvSp2263dqBYtgYA2fldKAoTYcEVLPVTlRia9XaoCQ="); + + setFullCRLiteFilterResult = await new Promise(resolve => { + certStorage.setFullCRLiteFilter(filterBytes, enrollment, coverage, resolve); + }); + Assert.equal( + setFullCRLiteFilterResult, + Cr.NS_OK, + "setFullCRLiteFilter should succeed" + ); + await checkCertErrorGenericAtTime( + certdb, + validCert, + PRErrorCodeSuccess, + certificateUsageSSLServer, + new Date("2019-11-04T00:00:00Z").getTime() / 1000, + false, + "skynew.jp", + Ci.nsIX509CertDB.FLAG_LOCAL_ONLY + ); + await checkCertErrorGenericAtTime( + certdb, + revokedCert, + SEC_ERROR_REVOKED_CERTIFICATE, + certificateUsageSSLServer, + new Date("2019-11-04T00:00:00Z").getTime() / 1000, + false, + "schunk-group.com", + Ci.nsIX509CertDB.FLAG_LOCAL_ONLY + ); + + // If we're only collecting telemetry, none of the certificates should appear to be revoked. + Services.prefs.setIntPref( + "security.pki.crlite_mode", + CRLiteModeTelemetryOnlyPrefValue + ); + await checkCertErrorGenericAtTime( + certdb, + validCert, + PRErrorCodeSuccess, + certificateUsageSSLServer, + new Date("2019-11-04T00:00:00Z").getTime() / 1000, + false, + "skynew.jp", + Ci.nsIX509CertDB.FLAG_LOCAL_ONLY + ); + await checkCertErrorGenericAtTime( + certdb, + revokedCert, + PRErrorCodeSuccess, + certificateUsageSSLServer, + new Date("2019-11-04T00:00:00Z").getTime() / 1000, + false, + "schunk-group.com", + Ci.nsIX509CertDB.FLAG_LOCAL_ONLY + ); + + // If CRLite is disabled, none of the certificates should appear to be revoked. + Services.prefs.setIntPref( + "security.pki.crlite_mode", + CRLiteModeDisabledPrefValue + ); + await checkCertErrorGenericAtTime( + certdb, + validCert, + PRErrorCodeSuccess, + certificateUsageSSLServer, + new Date("2019-11-04T00:00:00Z").getTime() / 1000, + false, + "skynew.jp", + Ci.nsIX509CertDB.FLAG_LOCAL_ONLY + ); + await checkCertErrorGenericAtTime( + certdb, + revokedCert, + PRErrorCodeSuccess, + certificateUsageSSLServer, + new Date("2019-11-04T00:00:00Z").getTime() / 1000, + false, + "schunk-group.com", + Ci.nsIX509CertDB.FLAG_LOCAL_ONLY + ); +}); diff --git a/security/manager/ssl/tests/unit/test_cert_storage_direct/revoked-cert-issuer.pem b/security/manager/ssl/tests/unit/test_cert_storage_direct/revoked-cert-issuer.pem new file mode 100644 index 0000000000..d775817b33 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_storage_direct/revoked-cert-issuer.pem @@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEoDCCA4igAwIBAgIQBpaPlkroI1bHThfCtTZbADANBgkqhkiG9w0BAQsFADBs +MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 +d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j +ZSBFViBSb290IENBMB4XDTE3MTEwNjEyMjI1N1oXDTI3MTEwNjEyMjI1N1owXzEL +MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3 +LmRpZ2ljZXJ0LmNvbTEeMBwGA1UEAxMVVGhhd3RlIEVWIFJTQSBDQSAyMDE4MIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp0Cu52zmdJFnSezXMKvL0rso +WgA/1X7OxjMQHsAllID1eDG836ptJXSTPg+DoEenHfkKyw++wXobgahr0cU/2v8R +WR3fID53ZDhEGHzS+Ol7V+HRtZG5teMWCY7gldtBQH0r7xUEp/3ISVsZUVBqtUmL +VJlf9nxJD6Cxp4LBlcJJ8+N6kSkV+fA+WdQc0HYhXSg3PxJP7XSU28Wc7gf6y9kZ +zQhK4WrZLRrHHbHC2QXdqQYUxR927QV+UCNXnlbTcZy2QpxWTPLzK+/cKXX4cwP6 +MGF7+8RnUgHlij/5V2k/tIF9ep4B72ucqaS/UhEPpIN/T7A3OAw995yrB38glQID +AQABo4IBSTCCAUUwHQYDVR0OBBYEFOcB/AwWGMp9sozshyejb2GBO4Q5MB8GA1Ud +IwQYMBaAFLE+w2kD+L9HAdSYJhoIAu9jZCvDMA4GA1UdDwEB/wQEAwIBhjAdBgNV +HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwEgYDVR0TAQH/BAgwBgEB/wIBADA0 +BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0 +LmNvbTBLBgNVHR8ERDBCMECgPqA8hjpodHRwOi8vY3JsMy5kaWdpY2VydC5jb20v +RGlnaUNlcnRIaWdoQXNzdXJhbmNlRVZSb290Q0EuY3JsMD0GA1UdIAQ2MDQwMgYE +VR0gADAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BT +MA0GCSqGSIb3DQEBCwUAA4IBAQAWGka+5ffLpfFuzT+WlwDRwhyTZSunnvecZWZT +PPKXipynjpXx5dK8YG+2XoH74285GR1UABuvHMFV94XeDET9Pzz5s/NHS1/eAr5e +GdwfBl80XwPkwXaYqzRtw6J4RAxeLqcbibhUQv9Iev9QcP0kNPyJu413Xov76mSu +JlGThKzcurJPive2eLmwmoIgTPH11N/IIO9nHLVe8KTkt+FGgZCOWHA3kbFBZR39 +Mn2hFS974rhUkM+VS9KbCiQQ5OwkfbZ/6BINkE1CMtiESZ2WkbxJKPsF3dN7p9DF +YWiQSbYjFP+rCT0/MkaHHYUkEvLNPgyJ6z29eMf0DjLu/SXJ +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_storage_direct/revoked-cert.pem b/security/manager/ssl/tests/unit/test_cert_storage_direct/revoked-cert.pem new file mode 100644 index 0000000000..81e01bd783 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_storage_direct/revoked-cert.pem @@ -0,0 +1,41 @@ +-----BEGIN CERTIFICATE----- +MIIHOzCCBiOgAwIBAgIQBi31aKBRMQgg1+xDJ+G6/TANBgkqhkiG9w0BAQsFADBf +MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 +d3cuZGlnaWNlcnQuY29tMR4wHAYDVQQDExVUaGF3dGUgRVYgUlNBIENBIDIwMTgw +HhcNMTgwNTI4MDAwMDAwWhcNMjAwNTIxMTIwMDAwWjCB6zEdMBsGA1UEDwwUUHJp +dmF0ZSBPcmdhbml6YXRpb24xEzARBgsrBgEEAYI3PAIBAxMCREUxFjAUBgsrBgEE +AYI3PAIBAhMFSGVzc2UxGDAWBgsrBgEEAYI3PAIBAQwHR2llw59lbjERMA8GA1UE +BRMISFJCIDY5MDIxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZIZXNzZW4xFDASBgNV +BAcTC0hldWNoZWxoZWltMRQwEgYDVQQKEwtTY2h1bmsgR21iSDELMAkGA1UECxMC +SVQxGTAXBgNVBAMTEHNjaHVuay1ncm91cC5jb20wggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQCvkuQZz2ExPv9paJb622OOk+o4bWnjDe1zHGK6qnK25mMT +Zldk74sXF+Wfr9lbwqHTcjGhQFwmVDqvtr55KVX8FOv0CSqNaewOrnNrFz8Xg4rn +OlIs3+MmqD5CIK+el0rA+xltEY8WvNlwZKG7yeJYrdsr+5DAThDuwCVe8bU7it4h +sjsMsof5ocee9zDkFThNVGR4sMk5EgBxb1Gt4n9wXUj4OBT78whhlkLH/pVZrrhs +tQwC3q90MOPC5RJcEolSCNjGdHCKRbexmRqJgbJj/qZ9JT+fQ+Ko6a+UAWvc2BUc +POnzGV2GzCdFFGOubJb6RjU0nuPG4Lmdc/BuS9kFAgMBAAGjggNkMIIDYDAfBgNV +HSMEGDAWgBTnAfwMFhjKfbKM7Icno29hgTuEOTAdBgNVHQ4EFgQUNb1SY8Bkil98 +tD8zoxE30jBA1NIwZwYDVR0RBGAwXoIQc2NodW5rLWdyb3VwLmNvbYIUd3d3LnNj +aHVuay1ncm91cC5jb22CG3NjaHVuay1jYXJib250ZWNobm9sb2d5LmNvbYIXc2No +dW5rLXNpbnRlcm1ldGFscy5jb20wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQG +CCsGAQUFBwMBBggrBgEFBQcDAjA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY2Rw +LnRoYXd0ZS5jb20vVGhhd3RlRVZSU0FDQTIwMTguY3JsMEsGA1UdIAREMEIwNwYJ +YIZIAYb9bAIBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNv +bS9DUFMwBwYFZ4EMAQEwcQYIKwYBBQUHAQEEZTBjMCQGCCsGAQUFBzABhhhodHRw +Oi8vc3RhdHVzLnRoYXd0ZS5jb20wOwYIKwYBBQUHMAKGL2h0dHA6Ly9jYWNlcnRz +LnRoYXd0ZS5jb20vVGhhd3RlRVZSU0FDQTIwMTguY3J0MAkGA1UdEwQCMAAwggF7 +BgorBgEEAdZ5AgQCBIIBawSCAWcBZQB1AKS5CZC0GFgUh7sTosxncAo8NZgE+Rvf +uON3zQ7IDdwQAAABY6Ze9XAAAAQDAEYwRAIgNUeXL3GwlpGQtTS/wKBlOkHJvHR5 +knSop0OPumeCfQECIEdxY7qr/WRVbWkQFvP48fgWkZHkd4vTq70Y0aaSZTbPAHUA +VhQGmi/XwuzT9eG9RLI+x0Z2ubyZEVzA75SYVdaJ0N0AAAFjpl71tQAABAMARjBE +AiAtxKdc/wum3TE7r9BoRd/gkrjYLWyqeLuL/opRBRy9xwIgPF6uEZxyhEoLZ+9G +AFBAP+X89zjZphVALjIXu0RRea4AdQC72d+8H4pxtZOUI5eqkntHOFeVCqtS6BqQ +lmQ2jh7RhQAAAWOmXvY1AAAEAwBGMEQCIHc04ERlUbIkVrlC+I89C9xtugvRCwbR +a7qZzSdqHltUAiBRVwTacf1dnO9AgLSgrxft5LV32DvH3qNT7pWYh8dFNjANBgkq +hkiG9w0BAQsFAAOCAQEARJ+tbnM+yS6chgpyzfB3e7IWPq2Den46Ja1H6/4qaKrd +nsbElcvd4cCQf1zYY6jlQkO6qtfMUChKrEar5aqqnyX8x/8T9PkpHp8XyUxgGlmT +hrnHML0gDJFS8O4MB5pFnGkgoOQa+OIQokWCXr4/a4AwsTG3Ms+lC+R+vRYz90lg +TEJLNHB2fSvQyvpXDUL9aAjACBp/9pKxfM9iq06MFO5jP483xJUfdqtVteHMw75w +1mb8IrM9R1dP47GsblTrf2rZYdaoxdyLjtJQG2aaOdU5unE6QeFrXbz0qeTPePs8 +ftuXSW9xb053HjAkCcVo48j07b2cHfU1hxzGGptVbQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_storage_direct/test-filter.crlite b/security/manager/ssl/tests/unit/test_cert_storage_direct/test-filter.crlite Binary files differnew file mode 100644 index 0000000000..34ced4b840 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_storage_direct/test-filter.crlite diff --git a/security/manager/ssl/tests/unit/test_cert_storage_direct/valid-cert-issuer.pem b/security/manager/ssl/tests/unit/test_cert_storage_direct/valid-cert-issuer.pem new file mode 100644 index 0000000000..705827a85e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_storage_direct/valid-cert-issuer.pem @@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEkDCCA3igAwIBAgIJIrmxUyPlrv3NMA0GCSqGSIb3DQEBCwUAMF0xCzAJBgNV +BAYTAkpQMSUwIwYDVQQKExxTRUNPTSBUcnVzdCBTeXN0ZW1zIENPLixMVEQuMScw +JQYDVQQLEx5TZWN1cml0eSBDb21tdW5pY2F0aW9uIFJvb3RDQTIwHhcNMTgwODIy +MDczMjI0WhcNMjgwODIyMDczMjI0WjBQMQswCQYDVQQGEwJKUDElMCMGA1UEChMc +U0VDT00gVHJ1c3QgU3lzdGVtcyBDTy4sTFRELjEaMBgGA1UEAxMRQ3Jvc3NUcnVz +dCBEViBDQTUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCnTNi5Kgrt +FL8qBuEmpL2gvLFY7f9MEgjzClvic/45ebM+DxZ2CMuqtMtImgf8XPIpLaFFbozx +3VgqH41cmGHbpAoDRKpwfF1f53peHYhRxpOVgcnsiVCPZJPBPCUM9St+cuEjfo0d +YGbr3aG5urdT2zeKIFyxKbggdkU0LVRHwvLFsIpXCn/YK/8Rmx87yW9VB80OXkzf +IQoZop83+aebq1VwzjNCN3u4bWSFLYDyJGqE40WlZ53NZh+TwBsa6gld9YXPGQfx +k8x38zkFXberlMQOYhX9KyuTOMdlFkbx6LfIUqVKJavpcr54+XPzVyeroNPpKxtZ +mEqUYiFjAqUVAgMBAAGjggFeMIIBWjAdBgNVHQ4EFgQUT4twz6lAHJbllF13rNZv +TS2b8ncwHwYDVR0jBBgwFoAUCoWpd2UFmHxAgfgPlyw48QrsPM8wEgYDVR0TAQH/ +BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwSQYDVR0fBEIwQDA+oDygOoY4aHR0 +cDovL3JlcG9zaXRvcnkuc2Vjb210cnVzdC5uZXQvU0MtUm9vdDIvU0NSb290MkNS +TC5jcmwwUgYDVR0gBEswSTBHBgoqgwiMmxtkhwUEMDkwNwYIKwYBBQUHAgEWK2h0 +dHBzOi8vcmVwb3NpdG9yeS5zZWNvbXRydXN0Lm5ldC9TQy1Sb290Mi8wQAYIKwYB +BQUHAQEENDAyMDAGCCsGAQUFBzABhiRodHRwOi8vc2Nyb290Y2EyLm9jc3Auc2Vj +b210cnVzdC5uZXQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQAD +ggEBABEDSrrhhR+Js5q45yih2Ne4cMLZmrH0AZwU3eM+7HZplzi1EhppgvcYk/2k +LM9haQGWnAZ5wiixLqKu7WlWrHgblZbXyCxALmMBK1rqeP0omxXExqKVqWNHU8KZ +t3jahH1wDYSzfetM7guWR+PAPpb9oQCtAx8DVyI/3Ocswvti/uWb517Bdo6Nd0+9 +mf0LiphNKcSzSFX0s1Cb47cJROYHGBe2J6NUSWR7wE0asPtKsznGyNO+NJCUR+0h +OLN2cA2KJwPhZjYJt8UkucAF/EE7qC0Fc8B9Q/gttQ52en5BZxdkDrHCi4qnsSvi +gueQme/RzYkEaQlNT1WCZ9AIgVE= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_storage_direct/valid-cert.pem b/security/manager/ssl/tests/unit/test_cert_storage_direct/valid-cert.pem new file mode 100644 index 0000000000..195d2d8ca2 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_storage_direct/valid-cert.pem @@ -0,0 +1,34 @@ +-----BEGIN CERTIFICATE----- +MIIF4DCCBMigAwIBAgIQC3d196+a5UJlyc0yVxB3jjANBgkqhkiG9w0BAQsFADBQ +MQswCQYDVQQGEwJKUDElMCMGA1UEChMcU0VDT00gVHJ1c3QgU3lzdGVtcyBDTy4s +TFRELjEaMBgGA1UEAxMRQ3Jvc3NUcnVzdCBEViBDQTUwHhcNMTkwNjExMDUyMjEy +WhcNMjEwNjMwMTQ1OTU5WjAUMRIwEAYDVQQDEwlza3luZXcuanAwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDeciw7C297026HA4oIwc29vL2h29GVrRF7 +HGdeXzAJA7kh+qwo8rTBFfdX7sgHy6nnE1+flEtFt91Ss8i3BZMEqoFUZFb1jGXd +DbQtmIWxz7O5skkjR1gdKwt9GImy1hEPt8dwU52mwVsSUEKvlZlsjeofUPAEbnYY ++iA/nYaYXiXyCxJzk6Y09VlzghyMIhkLwDa7rL3S9FgUQI6tSUwsiNYNoQzlYgXF +yPfQfd57LbBwZJtqVPC6rjPOZZd0sw7uvrDNuxnAM2k2mzlML9Vwt8EvSlZX60xD +oGQCsQQ/ZgjEQTA8WRZ+fxW/LqQNYYm70KU/1M+e8o4MKmA9xkH5AgMBAAGjggLw +MIIC7DAfBgNVHSMEGDAWgBRPi3DPqUAcluWUXXes1m9NLZvydzA8BggrBgEFBQcB +AQQwMC4wLAYIKwYBBQUHMAGGIGh0dHA6Ly9kdmNhNS5vY3NwLnNlY29tdHJ1c3Qu +bmV0MCMGA1UdEQQcMBqCCXNreW5ldy5qcIINd3d3LnNreW5ldy5qcDBaBgNVHSAE +UzBRMEUGCiqDCIybG26BVQIwNzA1BggrBgEFBQcCARYpaHR0cHM6Ly9yZXBvMS5z +ZWNvbXRydXN0Lm5ldC9zcHBjYS94dGR2NS8wCAYGZ4EMAQIBMBMGA1UdJQQMMAoG +CCsGAQUFBwMBMEQGA1UdHwQ9MDswOaA3oDWGM2h0dHA6Ly9yZXBvMS5zZWNvbXRy +dXN0Lm5ldC9zcHBjYS94dGR2NS9mdWxsY3JsLmNybDAdBgNVHQ4EFgQUuj9305tQ +JIeVAQtsz9JHx3PTqaQwDgYDVR0PAQH/BAQDAgWgMIIBfgYKKwYBBAHWeQIEAgSC +AW4EggFqAWgAdgCkuQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAWtF +Bb6pAAAEAwBHMEUCIHUQkmFzUh01r1Px/zWMZSL21dNNQwM+rN1z0gutxV3JAiEA +jSb2/GAm4+2qiNWDtx1EkHsMXjNW+5S4GhJePexjJR8AdgDuS723dc5guuFCaR+r +4Z5mow9+X7By2IMAxHuJeqj9ywAAAWtFBcdeAAAEAwBHMEUCIDVHdfP9wnVgz45l +eX80DpRCRNEV/OCDwfW+B0g/dveYAiEArbpLQb5Z9hul3r00kF2LrivNuI7kwEBy +MpkYsLtSPJoAdgBvU3asMfAxGdiZAKRRFf93FRwR2QLBACkGjbIImjfZEwAAAWtF +BdCQAAAEAwBHMEUCIE2GUo6x3qDrIhacnCmjikBCHF2yT6Fv5GAehZB569YCAiEA +vXwMXV8+y3xNFys+A6u9EjKiy8CTKv+SQxqsJ4s6jK0wDQYJKoZIhvcNAQELBQAD +ggEBAAzlm9W+N5fviTJ9wDsc5nXKYur3744V/cm75+8dUM61Rko1isK6IZt5aNPN +wOfhBsTzHHSYmAFMR9Xjoq8iDYZtIk01IGI6LEWuls9F2hVcERiHMWJOLTiH35xN +vRNTG0AbBdIpTX2sURsoCPJ+8DTnVUr3pTzXnIY4EQ4UXfANuYwceOHShF6UJo/L +PK0uRdHcd5SmMa03gFUdkTc9gU6PIEO/UgubazGh9xDBHtHECeleL+gpSfOP3SkF +7W1RgmbE6WJdVPlto7FRQtl2xIzHs/gNaPezqNKPHgFlx4c+ECTjPLqoW8LdeXu+ +N8dueJg1+h+lQifkmgl23DqEIiI= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting.js b/security/manager/ssl/tests/unit/test_cert_storage_preexisting.js new file mode 100644 index 0000000000..8a757c199c --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_storage_preexisting.js @@ -0,0 +1,48 @@ +/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +// This file tests that cert_storage correctly persists its "has prior data" +// information across runs of the browser. +// (The test DB files for this test were created by running the test +// `test_cert_storage_broken_db.js` and copying them from that test's profile +// directory.) + +/* eslint-disable no-unused-vars */ +add_task(async function () { + let dbDirectory = do_get_profile(); + dbDirectory.append("security_state"); + let dbFile = do_get_file("test_cert_storage_preexisting/data.safe.bin"); + dbFile.copyTo(dbDirectory, "data.safe.bin"); + + let certStorage = Cc["@mozilla.org/security/certstorage;1"].getService( + Ci.nsICertStorage + ); + let hasPriorRevocationData = await new Promise(resolve => { + certStorage.hasPriorData( + Ci.nsICertStorage.DATA_TYPE_REVOCATION, + (rv, hasPriorData) => { + Assert.equal(rv, Cr.NS_OK, "hasPriorData should succeed"); + resolve(hasPriorData); + } + ); + }); + Assert.equal( + hasPriorRevocationData, + true, + "should have prior revocation data" + ); + + let hasPriorCertData = await new Promise(resolve => { + certStorage.hasPriorData( + Ci.nsICertStorage.DATA_TYPE_CERTIFICATE, + (rv, hasPriorData) => { + Assert.equal(rv, Cr.NS_OK, "hasPriorData should succeed"); + resolve(hasPriorData); + } + ); + }); + Assert.equal(hasPriorCertData, true, "should have prior cert data"); +}); diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting/data.mdb b/security/manager/ssl/tests/unit/test_cert_storage_preexisting/data.mdb Binary files differnew file mode 100644 index 0000000000..df4cb182a7 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_storage_preexisting/data.mdb diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting/data.safe.bin b/security/manager/ssl/tests/unit/test_cert_storage_preexisting/data.safe.bin Binary files differnew file mode 100644 index 0000000000..011ed93484 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_storage_preexisting/data.safe.bin diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting/lock.mdb b/security/manager/ssl/tests/unit/test_cert_storage_preexisting/lock.mdb Binary files differnew file mode 100644 index 0000000000..dc4b50fdfc --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_storage_preexisting/lock.mdb diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite.js b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite.js new file mode 100644 index 0000000000..c444bdd945 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite.js @@ -0,0 +1,83 @@ +/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +// This file tests that cert_storage correctly persists its information across +// runs of the browser specifically in the case of CRLite. +// (The test DB files for this test were created by running the test +// `test_cert_storage_direct.js` and copying them from that test's profile +// directory.) + +/* eslint-disable no-unused-vars */ +add_task(async function () { + Services.prefs.setIntPref( + "security.pki.crlite_mode", + CRLiteModeEnforcePrefValue + ); + + let dbDirectory = do_get_profile(); + dbDirectory.append("security_state"); + let crliteFile = do_get_file( + "test_cert_storage_preexisting_crlite/crlite.filter" + ); + crliteFile.copyTo(dbDirectory, "crlite.filter"); + let coverageFile = do_get_file( + "test_cert_storage_preexisting_crlite/crlite.coverage" + ); + coverageFile.copyTo(dbDirectory, "crlite.coverage"); + let enrollmentFile = do_get_file( + "test_cert_storage_preexisting_crlite/crlite.enrollment" + ); + enrollmentFile.copyTo(dbDirectory, "crlite.enrollment"); + + let certStorage = Cc["@mozilla.org/security/certstorage;1"].getService( + Ci.nsICertStorage + ); + + // Add an empty stash to ensure the filter is considered to be fresh. + await new Promise(resolve => { + certStorage.addCRLiteStash(new Uint8Array([]), (rv, _) => { + Assert.equal(rv, Cr.NS_OK, "marked filter as fresh"); + resolve(); + }); + }); + + let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + let validCertIssuer = constructCertFromFile( + "test_cert_storage_direct/valid-cert-issuer.pem" + ); + let validCert = constructCertFromFile( + "test_cert_storage_direct/valid-cert.pem" + ); + await checkCertErrorGenericAtTime( + certdb, + validCert, + PRErrorCodeSuccess, + certificateUsageSSLServer, + new Date("2019-10-28T00:00:00Z").getTime() / 1000, + false, + "skynew.jp", + Ci.nsIX509CertDB.FLAG_LOCAL_ONLY + ); + + let revokedCertIssuer = constructCertFromFile( + "test_cert_storage_direct/revoked-cert-issuer.pem" + ); + let revokedCert = constructCertFromFile( + "test_cert_storage_direct/revoked-cert.pem" + ); + await checkCertErrorGenericAtTime( + certdb, + revokedCert, + SEC_ERROR_REVOKED_CERTIFICATE, + certificateUsageSSLServer, + new Date("2019-11-04T00:00:00Z").getTime() / 1000, + false, + "schunk-group.com", + Ci.nsIX509CertDB.FLAG_LOCAL_ONLY + ); +}); diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.coverage b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.coverage Binary files differnew file mode 100644 index 0000000000..2bd13319e5 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.coverage diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.enrollment b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.enrollment new file mode 100644 index 0000000000..aac0238188 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.enrollment @@ -0,0 +1 @@ +3)û«Õ¤:Óf£õv¬œ 0ИëðëyæQ±ýý'ŽêŸïÕájfå¨é›à@(,v–~;ÕPÏ;Ò§mºÝÚbØgåt (M‡T³ÕNTbkÕÚ $
\ No newline at end of file diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.filter b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.filter Binary files differnew file mode 100644 index 0000000000..34ced4b840 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.filter diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/data.safe.bin b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/data.safe.bin Binary files differnew file mode 100644 index 0000000000..d96571f128 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/data.safe.bin diff --git a/security/manager/ssl/tests/unit/test_cert_trust.js b/security/manager/ssl/tests/unit/test_cert_trust.js new file mode 100644 index 0000000000..45ff78a253 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_trust.js @@ -0,0 +1,324 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +"use strict"; + +do_get_profile(); // must be called before getting nsIX509CertDB +const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +function load_cert(cert_name, trust_string) { + let cert_filename = cert_name + ".pem"; + return addCertFromFile( + certdb, + "test_cert_trust/" + cert_filename, + trust_string + ); +} + +function setup_basic_trusts(ca_cert, int_cert) { + certdb.setCertTrust( + ca_cert, + Ci.nsIX509Cert.CA_CERT, + Ci.nsIX509CertDB.TRUSTED_SSL | Ci.nsIX509CertDB.TRUSTED_EMAIL + ); + + certdb.setCertTrust(int_cert, Ci.nsIX509Cert.CA_CERT, 0); +} + +async function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) { + // On reset most usages are successful + await checkCertErrorGeneric( + certdb, + ee_cert, + PRErrorCodeSuccess, + certificateUsageSSLServer + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + PRErrorCodeSuccess, + certificateUsageSSLClient + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + SEC_ERROR_CA_CERT_INVALID, + certificateUsageSSLCA + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + PRErrorCodeSuccess, + certificateUsageEmailSigner + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + PRErrorCodeSuccess, + certificateUsageEmailRecipient + ); + + // Test of active distrust. No usage should pass. + setCertTrust(cert_to_modify_trust, "p,p,p"); + await checkCertErrorGeneric( + certdb, + ee_cert, + SEC_ERROR_UNTRUSTED_ISSUER, + certificateUsageSSLServer + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + SEC_ERROR_UNTRUSTED_ISSUER, + certificateUsageSSLClient + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + SEC_ERROR_CA_CERT_INVALID, + certificateUsageSSLCA + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + SEC_ERROR_UNTRUSTED_ISSUER, + certificateUsageEmailSigner + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + SEC_ERROR_UNTRUSTED_ISSUER, + certificateUsageEmailRecipient + ); + + // Trust set to T - trusted CA to issue client certs, where client cert is + // usageSSLClient. + setCertTrust(cert_to_modify_trust, "T,T,T"); + await checkCertErrorGeneric( + certdb, + ee_cert, + isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess, + certificateUsageSSLServer + ); + + // XXX(Bug 982340) + await checkCertErrorGeneric( + certdb, + ee_cert, + isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess, + certificateUsageSSLClient + ); + + await checkCertErrorGeneric( + certdb, + ee_cert, + SEC_ERROR_CA_CERT_INVALID, + certificateUsageSSLCA + ); + + await checkCertErrorGeneric( + certdb, + ee_cert, + isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess, + certificateUsageEmailSigner + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess, + certificateUsageEmailRecipient + ); + + // Now tests on the SSL trust bit + setCertTrust(cert_to_modify_trust, "p,C,C"); + await checkCertErrorGeneric( + certdb, + ee_cert, + SEC_ERROR_UNTRUSTED_ISSUER, + certificateUsageSSLServer + ); + + // XXX(Bug 982340) + await checkCertErrorGeneric( + certdb, + ee_cert, + PRErrorCodeSuccess, + certificateUsageSSLClient + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + SEC_ERROR_CA_CERT_INVALID, + certificateUsageSSLCA + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + PRErrorCodeSuccess, + certificateUsageEmailSigner + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + PRErrorCodeSuccess, + certificateUsageEmailRecipient + ); + + // Inherited trust SSL + setCertTrust(cert_to_modify_trust, ",C,C"); + await checkCertErrorGeneric( + certdb, + ee_cert, + isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess, + certificateUsageSSLServer + ); + // XXX(Bug 982340) + await checkCertErrorGeneric( + certdb, + ee_cert, + PRErrorCodeSuccess, + certificateUsageSSLClient + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + SEC_ERROR_CA_CERT_INVALID, + certificateUsageSSLCA + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + PRErrorCodeSuccess, + certificateUsageEmailSigner + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + PRErrorCodeSuccess, + certificateUsageEmailRecipient + ); + + // Now tests on the EMAIL trust bit + setCertTrust(cert_to_modify_trust, "C,p,C"); + await checkCertErrorGeneric( + certdb, + ee_cert, + PRErrorCodeSuccess, + certificateUsageSSLServer + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + SEC_ERROR_UNTRUSTED_ISSUER, + certificateUsageSSLClient + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + SEC_ERROR_CA_CERT_INVALID, + certificateUsageSSLCA + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + SEC_ERROR_UNTRUSTED_ISSUER, + certificateUsageEmailSigner + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + SEC_ERROR_UNTRUSTED_ISSUER, + certificateUsageEmailRecipient + ); + + // inherited EMAIL Trust + setCertTrust(cert_to_modify_trust, "C,,C"); + await checkCertErrorGeneric( + certdb, + ee_cert, + PRErrorCodeSuccess, + certificateUsageSSLServer + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess, + certificateUsageSSLClient + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + SEC_ERROR_CA_CERT_INVALID, + certificateUsageSSLCA + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess, + certificateUsageEmailSigner + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess, + certificateUsageEmailRecipient + ); +} + +add_task(async function () { + let certList = ["ca", "int", "ee"]; + let loadedCerts = []; + for (let certName of certList) { + loadedCerts.push(load_cert(certName, ",,")); + } + + let ca_cert = loadedCerts[0]; + notEqual(ca_cert, null, "CA cert should have successfully loaded"); + let int_cert = loadedCerts[1]; + notEqual(int_cert, null, "Intermediate cert should have successfully loaded"); + let ee_cert = loadedCerts[2]; + notEqual(ee_cert, null, "EE cert should have successfully loaded"); + + setup_basic_trusts(ca_cert, int_cert); + await test_ca_distrust(ee_cert, ca_cert, true); + + setup_basic_trusts(ca_cert, int_cert); + await test_ca_distrust(ee_cert, int_cert, false); + + // Reset trust to default ("inherit trust") + setCertTrust(ca_cert, ",,"); + setCertTrust(int_cert, ",,"); + + // End-entities can be trust anchors for interoperability with users who + // prefer not to build a hierarchy and instead directly trust a particular + // server certificate. + setCertTrust(ee_cert, "CTu,CTu,CTu"); + await checkCertErrorGeneric( + certdb, + ee_cert, + PRErrorCodeSuccess, + certificateUsageSSLServer + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + PRErrorCodeSuccess, + certificateUsageSSLClient + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + PRErrorCodeSuccess, + certificateUsageEmailSigner + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + PRErrorCodeSuccess, + certificateUsageEmailRecipient + ); +}); diff --git a/security/manager/ssl/tests/unit/test_cert_trust/ca.pem b/security/manager/ssl/tests/unit/test_cert_trust/ca.pem new file mode 100644 index 0000000000..8131655251 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_trust/ca.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyTCCAbGgAwIBAgIUZUAG1XrIsypGQCcYFFUTqaoZw5MwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG +m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr +bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4 +SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3 +/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z +FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYD +VR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQA+F3G6RbYWkt2VtLqA43GkRvQg +PZGNxGlXGWazQRKDLXMFtbT9FG2l7nRQPPKhoaeKd+36zBPxgwJaC1+N5e9nxAm/ +YUY4ipA7RAaUf0l6hCyCNnbtd6o6E6hnU4ucX7GvgGQQEdXHPIpzF3AfVZviHVpl +5u02rYNB6wGC9/vSsNKhpGYaIOB2yFzbXhwH4YqC2VwfpukNuSQ7oywFbH2IIj/5 +ik3Mp8uwL1qQ7XcF9se5rtNYcWzNe0aMKS7s/vRn1QeYp5Jsq6kEn0/aNvEmDskR +GAGbbQ/4CQqKH2vqKQRq8KbDlzsxmfEF8cDZzvXZHWtQmGGURy/4ZAytgXFT +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_trust/ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_trust/ca.pem.certspec new file mode 100644 index 0000000000..d809dbd635 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_trust/ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:ca +extension:basicConstraints:cA, +extension:keyUsage:keyCertSign,cRLSign diff --git a/security/manager/ssl/tests/unit/test_cert_trust/ee.pem b/security/manager/ssl/tests/unit/test_cert_trust/ee.pem new file mode 100644 index 0000000000..26d9c4bb0c --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_trust/ee.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC4jCCAcqgAwIBAgIUBTLnMBdk7nC9ESAE2f+8kxwS7wwwDQYJKoZIhvcNAQEL +BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQw +MDAwMDBaMA0xCzAJBgNVBAMMAmVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGc +BptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzC +a2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8Xg +uEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK +9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGP +mRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozUwMzAxBgNVHSUEKjAoBggrBgEF +BQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMEBggrBgEFBQcDAzANBgkqhkiG9w0BAQsF +AAOCAQEAHWVweJbi7RcBDHJ5c+M9O4LfBbY5F7yUfj426fFutBIYT7gkdZBOLLBA +FXbXMq9OJr//iiU7KdPAk5jeDCKJacP1tDi8vEBG51lt6LDfTYRPn9ncPqlwspIM +xa/Z8yBFfLgwy3NwkuyxLwWsYCNBkTPbumJXYvnyLju+cGLMmToV24qkMLYNg6m9 +316aao5kx9Oo29qmbnUDK1VUjc6ko64ilPH5RxW4HAjhTYN9unY13F+x1i8rrAA4 +29BXxG31UVZA4Jv9KE/Ck2CMAQteuSTq1tgJaklGCwhDg7ARa4lPIANN8v/yiKbJ +ag0EYzra8S1FUoXKsaH/B1falyDt7g== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_trust/ee.pem.certspec b/security/manager/ssl/tests/unit/test_cert_trust/ee.pem.certspec new file mode 100644 index 0000000000..9666c18062 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_trust/ee.pem.certspec @@ -0,0 +1,3 @@ +issuer:int +subject:ee +extension:extKeyUsage:serverAuth,clientAuth,emailProtection,codeSigning diff --git a/security/manager/ssl/tests/unit/test_cert_trust/int.pem b/security/manager/ssl/tests/unit/test_cert_trust/int.pem new file mode 100644 index 0000000000..b31a9cda93 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_trust/int.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyjCCAbKgAwIBAgIUe2LIDV1Nhfro/wXnL4PUQK5N24QwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowDjEMMAoGA1UEAwwDaW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGc +BptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzC +a2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8Xg +uEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK +9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGP +mRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsG +A1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAjQy0NtsF3aykS9j0nzTjuaXO +H3lWVMJJBYNZw0YcFUIfTFpkAdwLyvWrw9vpNBURseXog/pFe+Wo1vh7LtESg8Kc +WFnE7LWeZSzOLgUTRPuHU45ehkaJpAOXaBUo/RNNYykE44EVIXvNCUuPe06SfSnD +fSHNDdrg0jv4V+Xjoq+8+yhBNmjNNylBMfZmj7NiN8ZKka+AovStBoxuvSD6Oef3 +ENuMtUH10KETCkUf/u04RMU8sTZP65zg2xQ3hcvDAoJvIwwaq/TtcghO0AcD6RbN +yoHIgJe2TiWRltAPOTzm/2OmUGOHin1p4DCA7usZRpU/iRqr06ZZFzBtj+0v4A== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_trust/int.pem.certspec b/security/manager/ssl/tests/unit/test_cert_trust/int.pem.certspec new file mode 100644 index 0000000000..a7f6d81419 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_trust/int.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:int +extension:basicConstraints:cA, +extension:keyUsage:keyCertSign,cRLSign diff --git a/security/manager/ssl/tests/unit/test_cert_utf8.js b/security/manager/ssl/tests/unit/test_cert_utf8.js new file mode 100644 index 0000000000..caeddd8158 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_utf8.js @@ -0,0 +1,79 @@ +// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +"use strict"; + +do_get_profile(); + +const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +function run_test() { + // This certificate has a number of placeholder byte sequences that we can + // replace with invalid UTF-8 to ensure that we handle these cases safely. + let certificateToAlterFile = do_get_file( + "test_cert_utf8/certificateToAlter.pem", + false + ); + let certificateBytesToAlter = atob( + pemToBase64(readFile(certificateToAlterFile)) + ); + testUTF8InField("issuerName", "ISSUER CN", certificateBytesToAlter); + testUTF8InField("issuerOrganization", "ISSUER O", certificateBytesToAlter); + testUTF8InField( + "issuerOrganizationUnit", + "ISSUER OU", + certificateBytesToAlter + ); + testUTF8InField("issuerCommonName", "ISSUER CN", certificateBytesToAlter); + testUTF8InField("organization", "SUBJECT O", certificateBytesToAlter); + testUTF8InField("organizationalUnit", "SUBJECT OU", certificateBytesToAlter); + testUTF8InField("subjectName", "SUBJECT CN", certificateBytesToAlter); + testUTF8InField("displayName", "SUBJECT CN", certificateBytesToAlter); + testUTF8InField("commonName", "SUBJECT CN", certificateBytesToAlter); + testUTF8InField( + "emailAddress", + "SUBJECT EMAILADDRESS", + certificateBytesToAlter + ); +} + +// Every (issuer, serial number) pair must be unique. If NSS ever encounters two +// different (in terms of encoding) certificates with the same values for this +// pair, it will refuse to import it (even as a temporary certificate). Since +// we're creating a number of different certificates, we need to ensure this +// pair is always unique. The easiest way to do this is to change the issuer +// distinguished name each time. To make sure this doesn't introduce additional +// UTF8 issues, always use a printable ASCII value. +var gUniqueIssuerCounter = 32; + +function testUTF8InField(field, replacementPrefix, certificateBytesToAlter) { + let toReplace = `${replacementPrefix} REPLACE ME`; + let replacement = ""; + for (let i = 0; i < toReplace.length; i++) { + replacement += "\xEB"; + } + let bytes = certificateBytesToAlter.replace(toReplace, replacement); + let uniqueIssuerReplacement = + "ALWAYS MAKE ME UNIQU" + String.fromCharCode(gUniqueIssuerCounter); + bytes = bytes.replace("ALWAYS MAKE ME UNIQUE", uniqueIssuerReplacement); + ok( + gUniqueIssuerCounter < 127, + "should have enough ASCII replacements to make a unique issuer DN" + ); + gUniqueIssuerCounter++; + let cert = gCertDB.constructX509(stringToArray(bytes)); + notEqual(cert[field], null, `accessing nsIX509Cert.${field} shouldn't fail`); + notEqual( + cert.getEmailAddresses(), + null, + "calling nsIX509Cert.getEmailAddresses() shouldn't assert" + ); + ok( + !cert.containsEmailAddress("test@test.test"), + "calling nsIX509Cert.containsEmailAddress() shouldn't assert" + ); +} diff --git a/security/manager/ssl/tests/unit/test_cert_utf8/certificateToAlter.pem b/security/manager/ssl/tests/unit/test_cert_utf8/certificateToAlter.pem new file mode 100644 index 0000000000..ab0efc2cf7 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_utf8/certificateToAlter.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIID7zCCAtegAwIBAgIUTz7zgoTkVoQZ1BOpZr4yFTOu/tYwDQYJKoZIhvcNAQEL +BQAwfDEcMBoGA1UECgwTSVNTVUVSIE8gUkVQTEFDRSBNRTEdMBsGA1UECwwUSVNT +VUVSIE9VIFJFUExBQ0UgTUUxHTAbBgNVBAMMFElTU1VFUiBDTiBSRVBMQUNFIE1F +MR4wHAYDVQQHDBVBTFdBWVMgTUFLRSBNRSBVTklRVUUwIhgPMjAyMjExMjcwMDAw +MDBaGA8yMDI1MDIwNDAwMDAwMFowgY8xHTAbBgNVBAoMFFNVQkpFQ1QgTyBSRVBM +QUNFIE1FMR4wHAYDVQQLDBVTVUJKRUNUIE9VIFJFUExBQ0UgTUUxHjAcBgNVBAMM +FVNVQkpFQ1QgQ04gUkVQTEFDRSBNRTEuMCwGCSqGSIb3DQEJARYfU1VCSkVDVCBF +TUFJTEFERFJFU1MgUkVQTEFDRSBNRTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72x +nAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lM +wmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF +4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20 +yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xx +j5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNRME8wTQYDVR0RBEYwRIIeU1VC +SkVDVCBBTFQgRE5TTkFNRSBSRVBMQUNFIE1FgSJTVUJKRUNUIEFMVCBSRkM4MjJA +TkFNRSBSRVBMQUNFIE1FMA0GCSqGSIb3DQEBCwUAA4IBAQBgHgU9AH3Ajyo5hoiK +SJ6M/Qk1FMecpFox6Fe5krk8K8ECqa+lFXBT9HnYMz5q9dT7++KPrtTNGx+7YUc7 +fRTmhjNMkIiODHTfOeJcc0HadMyP810f6XGoDDQDZqNbcDp5hB81GWZEoiCovhbe +m6rwAKb1sznP16impejUZTHD7EalmbxyIgfl2cX7pjtt4MSsg1EJH3OwSNfMTp4t +X8tm/x9H2auazAedeRV4dZy5NiueVuQgqi3vdjyf9lZUDkmH5GofQwQEzdVKb6Sl +J0OrIn3o8pKrIL5Hc6CGtWrkOCvlWyiHl/1KwwMrZRMzyAFoTum9fRuaDrqV8bsJ +S9ky +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_utf8/certificateToAlter.pem.certspec b/security/manager/ssl/tests/unit/test_cert_utf8/certificateToAlter.pem.certspec new file mode 100644 index 0000000000..6579ac5550 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_utf8/certificateToAlter.pem.certspec @@ -0,0 +1,3 @@ +issuer:/O=ISSUER O REPLACE ME/OU=ISSUER OU REPLACE ME/CN=ISSUER CN REPLACE ME/L=ALWAYS MAKE ME UNIQUE +subject:/O=SUBJECT O REPLACE ME/OU=SUBJECT OU REPLACE ME/CN=SUBJECT CN REPLACE ME/emailAddress=SUBJECT EMAILADDRESS REPLACE ME +extension:subjectAlternativeName:SUBJECT ALT DNSNAME REPLACE ME,SUBJECT ALT RFC822@NAME REPLACE ME diff --git a/security/manager/ssl/tests/unit/test_cert_version.js b/security/manager/ssl/tests/unit/test_cert_version.js new file mode 100644 index 0000000000..5bf8dd180f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version.js @@ -0,0 +1,304 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +// Tests the interaction between the basic constraints extension and the +// certificate version field. In general, the testcases consist of verifying +// certificate chains of the form: +// +// end-entity (issued by) intermediate (issued by) trusted X509v3 root +// +// where the intermediate is one of X509 v1, v2, v3, or v4, and either does or +// does not have the basic constraints extension. If it has the extension, it +// either does or does not specify that it is a CA. +// +// To test cases where the trust anchor has a different version and/or does or +// does not have the basic constraint extension, there are testcases where the +// intermediate is trusted as an anchor and the verification is repeated. +// (Loading a certificate with trust "CTu,," means that it is a trust anchor +// for SSL. Loading a certificate with trust ",," means that it inherits its +// trust.) +// +// There are also testcases for end-entities issued by a trusted X509v3 root +// where the end-entities similarly cover the range of versions and basic +// constraint extensions. +// +// Finally, there are testcases for self-signed certificates that, again, cover +// the range of versions and basic constraint extensions. + +"use strict"; + +do_get_profile(); // must be called before getting nsIX509CertDB +const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +function certFromFile(certName) { + return constructCertFromFile("test_cert_version/" + certName + ".pem"); +} + +function loadCertWithTrust(certName, trustString) { + addCertFromFile( + certdb, + "test_cert_version/" + certName + ".pem", + trustString + ); +} + +function checkEndEntity(cert, expectedResult) { + return checkCertErrorGeneric( + certdb, + cert, + expectedResult, + certificateUsageSSLServer + ); +} + +function checkIntermediate(cert, expectedResult) { + return checkCertErrorGeneric( + certdb, + cert, + expectedResult, + certificateUsageSSLCA + ); +} + +add_task(async function () { + loadCertWithTrust("ca", "CTu,,"); + + // Section for CAs lacking the basicConstraints extension entirely: + loadCertWithTrust("int-v1-noBC_ca", ",,"); + await checkIntermediate( + certFromFile("int-v1-noBC_ca"), + MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA + ); + await checkEndEntity( + certFromFile("ee_int-v1-noBC"), + MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA + ); + // A v1 certificate with no basicConstraints extension may issue certificates + // if it is a trust anchor. + loadCertWithTrust("int-v1-noBC_ca", "CTu,,"); + await checkIntermediate(certFromFile("int-v1-noBC_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee_int-v1-noBC"), PRErrorCodeSuccess); + + loadCertWithTrust("int-v2-noBC_ca", ",,"); + await checkIntermediate( + certFromFile("int-v2-noBC_ca"), + SEC_ERROR_CA_CERT_INVALID + ); + await checkEndEntity( + certFromFile("ee_int-v2-noBC"), + SEC_ERROR_CA_CERT_INVALID + ); + loadCertWithTrust("int-v2-noBC_ca", "CTu,,"); + await checkIntermediate( + certFromFile("int-v2-noBC_ca"), + SEC_ERROR_CA_CERT_INVALID + ); + await checkEndEntity( + certFromFile("ee_int-v2-noBC"), + SEC_ERROR_CA_CERT_INVALID + ); + + loadCertWithTrust("int-v3-noBC_ca", ",,"); + await checkIntermediate( + certFromFile("int-v3-noBC_ca"), + SEC_ERROR_CA_CERT_INVALID + ); + await checkEndEntity( + certFromFile("ee_int-v3-noBC"), + SEC_ERROR_CA_CERT_INVALID + ); + loadCertWithTrust("int-v3-noBC_ca", "CTu,,"); + await checkIntermediate( + certFromFile("int-v3-noBC_ca"), + SEC_ERROR_CA_CERT_INVALID + ); + await checkEndEntity( + certFromFile("ee_int-v3-noBC"), + SEC_ERROR_CA_CERT_INVALID + ); + + loadCertWithTrust("int-v4-noBC_ca", ",,"); + await checkIntermediate( + certFromFile("int-v4-noBC_ca"), + SEC_ERROR_CA_CERT_INVALID + ); + await checkEndEntity( + certFromFile("ee_int-v4-noBC"), + SEC_ERROR_CA_CERT_INVALID + ); + loadCertWithTrust("int-v4-noBC_ca", "CTu,,"); + await checkIntermediate( + certFromFile("int-v4-noBC_ca"), + SEC_ERROR_CA_CERT_INVALID + ); + await checkEndEntity( + certFromFile("ee_int-v4-noBC"), + SEC_ERROR_CA_CERT_INVALID + ); + + // Section for CAs with basicConstraints not specifying cA: + loadCertWithTrust("int-v1-BC-not-cA_ca", ",,"); + await checkIntermediate( + certFromFile("int-v1-BC-not-cA_ca"), + SEC_ERROR_CA_CERT_INVALID + ); + await checkEndEntity( + certFromFile("ee_int-v1-BC-not-cA"), + SEC_ERROR_CA_CERT_INVALID + ); + loadCertWithTrust("int-v1-BC-not-cA_ca", "CTu,,"); + await checkIntermediate( + certFromFile("int-v1-BC-not-cA_ca"), + SEC_ERROR_CA_CERT_INVALID + ); + await checkEndEntity( + certFromFile("ee_int-v1-BC-not-cA"), + SEC_ERROR_CA_CERT_INVALID + ); + + loadCertWithTrust("int-v2-BC-not-cA_ca", ",,"); + await checkIntermediate( + certFromFile("int-v2-BC-not-cA_ca"), + SEC_ERROR_CA_CERT_INVALID + ); + await checkEndEntity( + certFromFile("ee_int-v2-BC-not-cA"), + SEC_ERROR_CA_CERT_INVALID + ); + loadCertWithTrust("int-v2-BC-not-cA_ca", "CTu,,"); + await checkIntermediate( + certFromFile("int-v2-BC-not-cA_ca"), + SEC_ERROR_CA_CERT_INVALID + ); + await checkEndEntity( + certFromFile("ee_int-v2-BC-not-cA"), + SEC_ERROR_CA_CERT_INVALID + ); + + loadCertWithTrust("int-v3-BC-not-cA_ca", ",,"); + await checkIntermediate( + certFromFile("int-v3-BC-not-cA_ca"), + SEC_ERROR_CA_CERT_INVALID + ); + await checkEndEntity( + certFromFile("ee_int-v3-BC-not-cA"), + SEC_ERROR_CA_CERT_INVALID + ); + loadCertWithTrust("int-v3-BC-not-cA_ca", "CTu,,"); + await checkIntermediate( + certFromFile("int-v3-BC-not-cA_ca"), + SEC_ERROR_CA_CERT_INVALID + ); + await checkEndEntity( + certFromFile("ee_int-v3-BC-not-cA"), + SEC_ERROR_CA_CERT_INVALID + ); + + loadCertWithTrust("int-v4-BC-not-cA_ca", ",,"); + await checkIntermediate( + certFromFile("int-v4-BC-not-cA_ca"), + SEC_ERROR_CA_CERT_INVALID + ); + await checkEndEntity( + certFromFile("ee_int-v4-BC-not-cA"), + SEC_ERROR_CA_CERT_INVALID + ); + loadCertWithTrust("int-v4-BC-not-cA_ca", "CTu,,"); + await checkIntermediate( + certFromFile("int-v4-BC-not-cA_ca"), + SEC_ERROR_CA_CERT_INVALID + ); + await checkEndEntity( + certFromFile("ee_int-v4-BC-not-cA"), + SEC_ERROR_CA_CERT_INVALID + ); + + // Section for CAs with basicConstraints specifying cA: + loadCertWithTrust("int-v1-BC-cA_ca", ",,"); + await checkIntermediate(certFromFile("int-v1-BC-cA_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee_int-v1-BC-cA"), PRErrorCodeSuccess); + loadCertWithTrust("int-v1-BC-cA_ca", "CTu,,"); + await checkIntermediate(certFromFile("int-v1-BC-cA_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee_int-v1-BC-cA"), PRErrorCodeSuccess); + + loadCertWithTrust("int-v2-BC-cA_ca", ",,"); + await checkIntermediate(certFromFile("int-v2-BC-cA_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee_int-v2-BC-cA"), PRErrorCodeSuccess); + loadCertWithTrust("int-v2-BC-cA_ca", "CTu,,"); + await checkIntermediate(certFromFile("int-v2-BC-cA_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee_int-v2-BC-cA"), PRErrorCodeSuccess); + + loadCertWithTrust("int-v3-BC-cA_ca", ",,"); + await checkIntermediate(certFromFile("int-v3-BC-cA_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee_int-v3-BC-cA"), PRErrorCodeSuccess); + loadCertWithTrust("int-v3-BC-cA_ca", "CTu,,"); + await checkIntermediate(certFromFile("int-v3-BC-cA_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee_int-v3-BC-cA"), PRErrorCodeSuccess); + + loadCertWithTrust("int-v4-BC-cA_ca", ",,"); + await checkIntermediate(certFromFile("int-v4-BC-cA_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee_int-v4-BC-cA"), PRErrorCodeSuccess); + loadCertWithTrust("int-v4-BC-cA_ca", "CTu,,"); + await checkIntermediate(certFromFile("int-v4-BC-cA_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee_int-v4-BC-cA"), PRErrorCodeSuccess); + + // Section for end-entity certificates with various basicConstraints: + await checkEndEntity(certFromFile("ee-v1-noBC_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee-v2-noBC_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee-v3-noBC_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee-v4-noBC_ca"), PRErrorCodeSuccess); + + await checkEndEntity(certFromFile("ee-v1-BC-not-cA_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee-v2-BC-not-cA_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee-v3-BC-not-cA_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee-v4-BC-not-cA_ca"), PRErrorCodeSuccess); + + await checkEndEntity( + certFromFile("ee-v1-BC-cA_ca"), + MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY + ); + await checkEndEntity( + certFromFile("ee-v2-BC-cA_ca"), + MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY + ); + await checkEndEntity( + certFromFile("ee-v3-BC-cA_ca"), + MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY + ); + await checkEndEntity( + certFromFile("ee-v4-BC-cA_ca"), + MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY + ); + + // Section for self-signed certificates: + await checkEndEntity(certFromFile("ss-v1-noBC"), SEC_ERROR_UNKNOWN_ISSUER); + await checkEndEntity(certFromFile("ss-v2-noBC"), SEC_ERROR_UNKNOWN_ISSUER); + await checkEndEntity(certFromFile("ss-v3-noBC"), SEC_ERROR_UNKNOWN_ISSUER); + await checkEndEntity(certFromFile("ss-v4-noBC"), SEC_ERROR_UNKNOWN_ISSUER); + + await checkEndEntity( + certFromFile("ss-v1-BC-not-cA"), + SEC_ERROR_UNKNOWN_ISSUER + ); + await checkEndEntity( + certFromFile("ss-v2-BC-not-cA"), + SEC_ERROR_UNKNOWN_ISSUER + ); + await checkEndEntity( + certFromFile("ss-v3-BC-not-cA"), + SEC_ERROR_UNKNOWN_ISSUER + ); + await checkEndEntity( + certFromFile("ss-v4-BC-not-cA"), + SEC_ERROR_UNKNOWN_ISSUER + ); + + await checkEndEntity(certFromFile("ss-v1-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER); + await checkEndEntity(certFromFile("ss-v2-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER); + await checkEndEntity(certFromFile("ss-v3-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER); + await checkEndEntity(certFromFile("ss-v4-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER); +}); diff --git a/security/manager/ssl/tests/unit/test_cert_version/ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ca.pem new file mode 100644 index 0000000000..84c82941ce --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ca.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyTCCAbGgAwIBAgIUJYv6JJKA2mbX4KBRghATFqp+TckwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG +m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr +bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4 +SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3 +/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z +FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAsGA1UdDwQEAwIBBjAMBgNV +HRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCMsgBmasgEbA7F/RDtbJM56xPl +k1190DI+zwk2/n/4QWCZSHeH7U+C8SRrKqs0CZX1Oaj4bRcaBfhipoy9FOtc4a6D +ibRyZAmZs68dt1mLar6qF5V2s45A5O2rmVF8ZwUq3hZiwrLT3OSX2owaVK70qIfl +1K1oUKNJZapO1ZBBLz1SlLNc3irg1gPiIewR2YAWI56bP91RNHZ18b42utSOetTe +ojC/4Rzu4O6wSWrFV+wUa0bKg41uV0PV4hpBTL22hS9HBgNz1C1EWdhHqIdpibmD +bpc+shHFflt35xoZwUtboV7/2s3tYLyXZv/rJmyex47nLNvaoXz4/WSjrRcI +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ca.pem.certspec new file mode 100644 index 0000000000..8689ef9ea1 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:ca +extension:keyUsage:keyCertSign,cRLSign +extension:basicConstraints:cA, diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-cA_ca.pem new file mode 100644 index 0000000000..964b879474 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-cA_ca.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICwDCCAagCFFVRy1zA0UcvELdeXnVBAIQOtIbfMA0GCSqGSIb3DQEBCwUAMA0x +CzAJBgNVBAMMAmNhMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBa +MBYxFDASBgNVBAMMC2VlLXYxLUJDLWNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf +vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb +uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S +O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR +3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv +5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoxAwDjAMBgNVHRMEBTADAQH/ +MA0GCSqGSIb3DQEBCwUAA4IBAQC4p7KcEw3nuFjHOtQjRXwgZlL83gZc9aJX0uT6 +hHzJIZr9LQIChkoscwfXiqROsT6pzP5KEDjBUxi7Ny4kh/6ZOYJ1eyrOmWZudF4h +1KcABWvumR+I+t8+Lqc2/RSgXJRITQgEnaR90u/HS/egnaDXt8lig3eQnVxPKVs2 +ubuXsaj3DvvlpeDn7/g7c2TRuEZ3SGI4u6GdAYiyWiVTPWgIZizFIdVnfisKcJpN +OXXNSbMdh90UiQ+T8mb/v5j4GDf+oZsj+pAOrRQKyO2LrAuqjdwkgHRG4QogKsk4 +yLXmbFHB108nMbqOheolUJ4d6OzG8XtPYbRe0avKEu0ApMi2 +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-cA_ca.pem.certspec new file mode 100644 index 0000000000..4570e6e3ff --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-cA_ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:ee-v1-BC-cA +version:1 +extension:basicConstraints:cA, diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-not-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-not-cA_ca.pem new file mode 100644 index 0000000000..4853b3e3f9 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-not-cA_ca.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICwTCCAakCFDcGYpOvwTC6XLW4X8wP9Tjg2f7/MA0GCSqGSIb3DQEBCwUAMA0x +CzAJBgNVBAMMAmNhMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBa +MBoxGDAWBgNVBAMMD2VlLXYxLUJDLW5vdC1jQTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl +qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg +w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx +V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1 +MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs +vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMNMAswCQYDVR0TBAIw +ADANBgkqhkiG9w0BAQsFAAOCAQEAHAlMthnDdaDoM1Rdn37koSyCE2pcsvrFvHxw +CSUpWZYJ13HPVJutEqv+Y5N/sVZuis1nphXRLz0GkXoZAkl1C1YoVoA08LCq/Jea +Q/A7B412DQoEp1RaLpW2OkSYtVSCNmvulhV70a6F4zXGd99rl7cNuzoG0MCO7Iw5 +CiFVmM6bOdaChv3vaersxQQdSi90Gcqr/ftwCi+gPF4DxoIQ1JJgERtfwqu45Q0c +ImuhWQCXbq0QD+/f6t8CHNcmOcMLvIW705I0+4cMB1pWIj2SRlqeQ8EsPAYHM2t0 +FbKGzoWPCybHUxn/PHLcIfFl2qFbUPy4ps+Br6X1b6YUxX19Wg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-not-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-not-cA_ca.pem.certspec new file mode 100644 index 0000000000..f4257841fe --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-not-cA_ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:ee-v1-BC-not-cA +version:1 +extension:basicConstraints:, diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v1-noBC_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-noBC_ca.pem new file mode 100644 index 0000000000..6b58f530ea --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-noBC_ca.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICrTCCAZUCFH+57OBmUjCZYw2Ge/do2rZouE9dMA0GCSqGSIb3DQEBCwUAMA0x +CzAJBgNVBAMMAmNhMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBa +MBUxEzARBgNVBAMMCmVlLXYxLW5vQkMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9 +sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5 +TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7 +xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHd +tMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l +8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQELBQADggEB +AHW55SbY/YY/Hh1E+z1nHRaONh0QQ5pNS93ook4Brk29N8EueX8AzqWGn9Tmh0T7 +SrLIeI3xzDlGVOU+K3NRN6SXyOYdVIHPZXFKCthGb5Q63WZQSoSAdkozc7yrtXcq +HnlA6uGborbz21CcAfE036s+bZ2UH3u5o145HuI9TrcfwTQvo/l8QPOk6W8ifwSv +970y1VXndJeC2qStKtOuji4+qwLWnW7RaJNIU6cJa1iHO5UJwliQwi7V1HqQxoXT +DF/LPYXhb8F6FlYH/bFGhAlleo4RFfBPrqxPfJbnJwXuLJav2dAIQm4JqpOa2d9q +gkx1pIWrzTwE6oYUsxnTCkU= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v1-noBC_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-noBC_ca.pem.certspec new file mode 100644 index 0000000000..48fe9e5416 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-noBC_ca.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:ee-v1-noBC +version:1 diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-cA_ca.pem new file mode 100644 index 0000000000..b3f48c069d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-cA_ca.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICxTCCAa2gAwIBAQIUWZgHFAWFqkuCRDmxIf5dm4aDb6UwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowFjEUMBIGA1UEAwwLZWUtdjItQkMtY0EwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEDAOMAwGA1UdEwQF +MAMBAf8wDQYJKoZIhvcNAQELBQADggEBAGPDE3MCIo4Ao8WFYSw0SWCVCChlkMxO +THU8kVk/XB5GrzGxdJ5TpVPNffE3yulZlsjuBGD4KhbTaJadDlNRBMRqp6ze5CdG +TEsCTRtJXEB9kW7eGPIN6OzAaCjQb8TDQP15jZKUzSa1A2EpV0ZyjA5WSBjB6nIl +Njelpm+HzkJHs+mo9Kfz7zLYrDYwQVnv6FdKsltXPFBF0hqrxcIVJJDA+bL1WFIT +g1qpIdx8M2xUQvDGKV/4Ro2/2Q8Y16tKiXrK0FK1hw2oIB/AheuRwQLOoIvRhnnk +Bbh+COp/nTRNTdUQncymUUZCida8jBDHBA//ePdPYr7on/XTs9IpGqI= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-cA_ca.pem.certspec new file mode 100644 index 0000000000..f714725d2b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-cA_ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:ee-v2-BC-cA +version:2 +extension:basicConstraints:cA, diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-not-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-not-cA_ca.pem new file mode 100644 index 0000000000..18d23ef06f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-not-cA_ca.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICxjCCAa6gAwIBAQIUEYwmTGst6bjYEQG+uqyWWF38j6gwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowGjEYMBYGA1UEAwwPZWUtdjItQkMtbm90LWNBMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds +JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4 +ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25 +iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3 +4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42 +yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABow0wCzAJBgNV +HRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQAsB9fFlLubXkLZ3LzD6tK28NfuRWFR +d5eBooSyvu82umf93uT/H4xIC2XrmIZZh3UQ2EJM+oLe2i8cMACPi9yJPl8qaVfT +mXLX9QvVl35jxfVM56uDC+QegeL/DGh3JAR3EpBFbyyp725LfCTsY5KIi0cp/E1s +ORL2rrWwd6h9PuclTBMu4pYk+n4s5i/ZWrwa5Zr4zpwhQB2MGcisq0woTnI2HRSd +W35oMOkjH/QkqcJrO4OdzrXScZcuHt6FbQP4l5IuWSW7slNhVJRKj9V0A3YwpkWM +t8/HBOIFnSwtqfiWRhtL+/+nJ1cZr93ZO4mrNgRP9v30z2zhSgd45CIR +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-not-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-not-cA_ca.pem.certspec new file mode 100644 index 0000000000..db72288814 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-not-cA_ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:ee-v2-BC-not-cA +version:2 +extension:basicConstraints:, diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v2-noBC_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-noBC_ca.pem new file mode 100644 index 0000000000..cf01b46745 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-noBC_ca.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICsjCCAZqgAwIBAQIULz5Y7h71TVskCdD/HXd4lyWpKt4wDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowFTETMBEGA1UEAwwKZWUtdjItbm9CQzCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl +qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg +w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx +V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1 +MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs +vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0BAQsF +AAOCAQEAFuDDOtQH1QsOJA0DRJppIArz9C6h/nZzWS9LuoHvwP4/S+sf0QrTtPgQ +5gCvIpo/5lb/gCmUV9kkWw86pNNW/B3dBbKIbfBR611LTV4tBW91IlVDe4qYn7+a +lPDu3IF66egIpDF/OIQ0sgvLqj3qtsG3mR5KBjb24l9LPL1CY6REVS7SYG4tA0SQ +BBDiwzwd0CUcFb1P6KRekQSNCVn8A4w5/CM+cG9utp13CVrLRPAhIPP7cjHRBM7x +X4MVh3dLLowW/auXMpSNKgGRfoEfGjYtaAxYfmnQmkmvcX6MKZ7nD+i/Wxaeaycj +d6sQBP3Q+WfYK0+K+cd+lIL3ZJMcrg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v2-noBC_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-noBC_ca.pem.certspec new file mode 100644 index 0000000000..cc304ab87e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-noBC_ca.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:ee-v2-noBC +version:2 diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-cA_ca.pem new file mode 100644 index 0000000000..57dfc5bc99 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-cA_ca.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICxTCCAa2gAwIBAgIURxj6f/OML7KaPL1omJsuIItKf0UwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowFjEUMBIGA1UEAwwLZWUtdjMtQkMtY0EwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEDAOMAwGA1UdEwQF +MAMBAf8wDQYJKoZIhvcNAQELBQADggEBAC7oIvDnOBvp8lr2Q8EfRtB7bd1MVADT +ZeDWLRhcu7PQg9/xYVM1kbP+VSIZEuuEALMIzVGrFp6n6DJyt/t+RMz1WuvQhdZe +SELmtR+wYH8tWjaBXuCyigkNw5e9HnaXhUoNg4/KUwytQDNWq2UmNJ2r9TQ9N/C9 +/MwkMI6ASJGsA3oKkTw53Qkab9+hbVZbKRTIsQxnI8AHyk4I2iquvxrwBTIPcqqR +UrlZCEyVOjC59aIDI9KSN+P3P5evN4yOR1zV6EpgRmvZKflABR5KBmh2uIzV7EOU ++I2Ql/OjOh3zy1NvMsu583PjfPHWVOd8Mnif0XwrqxGMRFxnE/aHAyA= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-cA_ca.pem.certspec new file mode 100644 index 0000000000..6f69c35743 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-cA_ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:ee-v3-BC-cA +version:3 +extension:basicConstraints:cA, diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-not-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-not-cA_ca.pem new file mode 100644 index 0000000000..29620c538e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-not-cA_ca.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICxjCCAa6gAwIBAgIUSykVpjIbgiv17yjdOeUYWttMbRkwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowGjEYMBYGA1UEAwwPZWUtdjMtQkMtbm90LWNBMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds +JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4 +ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25 +iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3 +4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42 +yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABow0wCzAJBgNV +HRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQCD+yO/tIIci17r1epEG3CA424UZN4c +CB331kxTmBz6cALMZqUoR4qbTyfDSXHoDAT6U1N2RW0SAZKEi0lFZzMesYXkNi91 +JpJRPH1/mEoYdOUP/cWXYJdFm7gKYQ4K/QSl66YghsTRym+iZ8+hnBTUxsAojEcP +AzXEMoYoKnoS91iCKkZuMvjHwBjeKY5g+UWKPiyfnVxj/pEIEu/M+NfOPGE/5trF +fcyaf2SfpEYalUk/Z5h54W2ndKy1CA0djcQyM1OV/w5tTRLPQwe9dAwdH+opOkfX +iGwai81WH2KMRZcd+2qvL83+eZNioh1cJpNtTw389+6ItD60wcQoVwgd +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-not-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-not-cA_ca.pem.certspec new file mode 100644 index 0000000000..4a9de06358 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-not-cA_ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:ee-v3-BC-not-cA +version:3 +extension:basicConstraints:, diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v3-noBC_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-noBC_ca.pem new file mode 100644 index 0000000000..5d60fccc7b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-noBC_ca.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICsjCCAZqgAwIBAgIUNZ4VX8V8IsXToRvOZRtJsoV0SZ0wDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowFTETMBEGA1UEAwwKZWUtdjMtbm9CQzCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl +qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg +w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx +V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1 +MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs +vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0BAQsF +AAOCAQEAJ3bauHWBfv3bdZ5VBMW0faWGpLEY+z9Sg3NcV+IPHpfUw+XGsZsTt+Rm +/3R8dpEGFclAXEeyJoOeVPkybh17RCt4kZTvZzoctzl7UcwXoboJXiCJCFySR+pY +bD2kXXDKZ1g2GDoVjMB9JmMmWdCAH7o0OtQ9XUfwjhL4vNKCrsOvA9pGP2f1i0wP +Xww/l7JlVEYN3u4AW0WTtsaFwAtmozkIbilrnfXkZRX2Iw6gi7nF7A6k5cGgK6PE +3xvbKh1RWveQJGDPqx+oLMkxZT6Ixk1KSuKAb6ewgoW93l1du6KQYZwpK/jCzoZO +XHc/t1g/HLGYHCevO167SikP/7Beww== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v3-noBC_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-noBC_ca.pem.certspec new file mode 100644 index 0000000000..9d385900f0 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-noBC_ca.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:ee-v3-noBC +version:3 diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-cA_ca.pem new file mode 100644 index 0000000000..89ead9b087 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-cA_ca.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICxTCCAa2gAwIBAwIUWyX2EHR0QgbaSz0WBnlqpKh3t5gwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowFjEUMBIGA1UEAwwLZWUtdjQtQkMtY0EwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEDAOMAwGA1UdEwQF +MAMBAf8wDQYJKoZIhvcNAQELBQADggEBACSrB+Vt8BFxTIaxXVlSZ5Dd0D6TmTZY +0f7eZqC7l6qbwlwdQ3Uhb/ZVZj6sm4aPycwGSkMu71MtRw1einRUd/JnhZQo7Jcj +D031RKKmRryRKqrsebE4yJs2ei412VyK4uXmjqBnC4gYG8uLSlUKHuaz/EdmXLko +LYHNxT7CqqlZd60ct+t8eNRghV+gL8uvAlANOy5hqUdIJL9CpoH17mUws2VcAlcD +mi2qQXieiLmvCNeBXRVxa9DT2PpEmCZcQY9uI4fIlcyB5vu+OcDaDG5tv7kJOFFY +wLGmShbqyiEJilreovmcoKOzAiB+5qdJvAH+xuERsdvs+jroxoqAYwA= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-cA_ca.pem.certspec new file mode 100644 index 0000000000..1f44c1dd27 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-cA_ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:ee-v4-BC-cA +version:4 +extension:basicConstraints:cA, diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-not-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-not-cA_ca.pem new file mode 100644 index 0000000000..38e3e0c5e8 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-not-cA_ca.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICxjCCAa6gAwIBAwIUD2iQQyDuD/kaYvdfWMqBrOlJ0tgwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowGjEYMBYGA1UEAwwPZWUtdjQtQkMtbm90LWNBMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds +JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4 +ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25 +iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3 +4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42 +yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABow0wCzAJBgNV +HRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQC4FvMACdrCMu4gLNUJ8LFj3NWxH0ox +0WuuWRTzFLl42hI96pRim5vCxQfJnpixhawZvtWfKQD4rAP4zK3Ko3xTOiioYc5X +O0eJSXFPhNfCDtTOanLnWNyINVFYvSGHLmjlPDj2f4tuQZGkudvJTAgxT0IELhO6 +xGT6HgUAPb6wjS0OROaR1UIRcsKlghx0qkqWCtMeav0GvOjwY1BSWxO0QTShkwhj +FvtSyKgB1AJ0pqWA3P/hWnybKDshJBlwq4VqmLKkS4RlSJp+Hw3/HpyXe/B16E3C +e/uhKNVUIBSvoBQsvSjByBCYKODLAOuBjT40kZTiQ4wsinEU4dxfnYDE +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-not-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-not-cA_ca.pem.certspec new file mode 100644 index 0000000000..e9659153e5 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-not-cA_ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:ee-v4-BC-not-cA +version:4 +extension:basicConstraints:, diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v4-noBC_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-noBC_ca.pem new file mode 100644 index 0000000000..e5a4e75a9b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-noBC_ca.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICsjCCAZqgAwIBAwIUAVzROKWAcT4VaTSmazfbBEj5r+gwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowFTETMBEGA1UEAwwKZWUtdjQtbm9CQzCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl +qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg +w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx +V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1 +MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs +vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0BAQsF +AAOCAQEAF5LhmI7dCeWNCq8N1bxgIQSwanSUYaz0ibJPbfaKtjoT3UKs99jt6pQo ++7zTHqi2aNLzywTW4w7QhKLPnnATFbLVK74XrdPfOrGJNNvcsGRf3V08O/tL/wpx +QtLZ8jWxYDOewdN3mkwcAhNwioD6GvajoYIRUGHtmk4nQZ1LFMRIHDRiylCm/NEw +CZCQArkfCAOW3kxfSlhlUfy8vbs08Fe0cQP+Phg5WwtZaOoZWnnXGdcjGR/pkeaL +8sDeR79YnqdSo6swG/yR7yOSt/c21vUoLXK/sWKBn4ECcjcdn3N4Er5n+1/f6HPt +zRpehsbYsjuac5UCXwf6aoG0Ua76Ww== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v4-noBC_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-noBC_ca.pem.certspec new file mode 100644 index 0000000000..19229ba766 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-noBC_ca.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:ee-v4-noBC +version:4 diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-cA.pem new file mode 100644 index 0000000000..e19734b48d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-cA.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICtDCCAZygAwIBAgIUBT0xH5nYGVlq6UwzjV1QSMfnbbQwDQYJKoZIhvcNAQEL +BQAwFzEVMBMGA1UEAwwMaW50LXYxLUJDLWNBMCIYDzIwMjIxMTI3MDAwMDAwWhgP +MjAyNTAyMDQwMDAwMDBaMA0xCzAJBgNVBAMMAmVlMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqGSIb3DQEB +CwUAA4IBAQAGIGmmLpYn2XLVwIvZuc/PNr0fiT2vPqA4bPyp/EXm6pwc16JjutRH +W9IvqFikIECo0+oSUPBFCApCgbF9gBtrubZ1voX6ke5ylG5/q7S9WE5+RZxVpBK/ +oqG2meKgJN7JoQrF5C3faVHZa/xRr1kHgIIVDw9l+N83b0q+9itrq16NOYrDyWmR +i1nbi0f5Ghtzi6iBiF0wOF/hVeHhWw/3j3ypEi8w3ITqc/xnjq3oa+F+4vqwexo6 +gTO/86sbyhcWbtuSEwv72ucMotx++PocXAkRJKDBzR01sPH/0M/WWKlJhQZ6O+eg +r0svB3HO1u7XWCvm6smiX5xy1Arw0z/Y +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-cA.pem.certspec new file mode 100644 index 0000000000..6a7dc5c436 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-cA.pem.certspec @@ -0,0 +1,2 @@ +issuer:int-v1-BC-cA +subject:ee diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-not-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-not-cA.pem new file mode 100644 index 0000000000..33b340b2e6 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-not-cA.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICuDCCAaCgAwIBAgIUfel822zZsc+NJ43uF/ZNB48zNRcwDQYJKoZIhvcNAQEL +BQAwGzEZMBcGA1UEAwwQaW50LXYxLUJDLW5vdC1jQTAiGA8yMDIyMTEyNzAwMDAw +MFoYDzIwMjUwMjA0MDAwMDAwWjANMQswCQYDVQQDDAJlZTCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX +bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ +OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9 +uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb +t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO +NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG +9w0BAQsFAAOCAQEAA2GmQN2B5gGFd9VUuudJF44TSJL8J8BzbgzCtm0TFwSMowYG +xiJeQ728F8eHeGzKDVDdqecNQEHzLe1uaLnNNJAuQupTi/rWgIL61/HGt6IhWA3+ +7sBYOsJe4YC7sLpvWKwMtt4Ki9j8aKu+0HN4RyQAgEUW+W7/BDRTK3Uc7cnllX/o +qDB90igbEL/dn5Z8hTqUEdeg0jE2K2CWV88fnlLRH/Io1YJA45/shlRZ8Ixnvbg+ +Oq/voyxoG1XRMjM6uJh0jMzH2fbUOq7BqZ+WHpGDL6FmaOdirfMD+lw8Aog+i/LU +gVIL/Z4+lHGb49UFB4f83hVxa5Y9JMgL3ObWEA== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-not-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-not-cA.pem.certspec new file mode 100644 index 0000000000..639f83d660 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-not-cA.pem.certspec @@ -0,0 +1,2 @@ +issuer:int-v1-BC-not-cA +subject:ee diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-noBC.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-noBC.pem new file mode 100644 index 0000000000..30963844dd --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-noBC.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICszCCAZugAwIBAgIUHb+ss9sUhuNu88x+XLeLxAw3YvQwDQYJKoZIhvcNAQEL +BQAwFjEUMBIGA1UEAwwLaW50LXYxLW5vQkMwIhgPMjAyMjExMjcwMDAwMDBaGA8y +MDI1MDIwNDAwMDAwMFowDTELMAkGA1UEAwwCZWUwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEL +BQADggEBAAr7jmPJ/i/nL9iBIFv4ghVC8PaZvKryqwtjLTLwuF729qStqvy/PCkW +BfNEhiqJCgZn8jnBbVuMpIknTQRLXXnK3rWc6X1NsLdFgPKC2PDj/eTiyueWjzpm +Wl+Y+vHhtFyVOr4zT0AFKEx61ObyfqxmeqLXJn/d3I66IPRVyWq0qek6bD0cWHPC +ZlSRl59IFskA33ffFv/xHyuEfZJgULzMuERLGHU+N8YL5/HgHbIputxoLg6nPOLm +WdejMDnx/ov3JL0FS+BO3l+oX4JEP8Gk+hDk80zu2tTrVwPFgWlDgbZIPwX8rzFB +scvKUTRFu5+3gDd8pVH21V5Kai0sk94= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-noBC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-noBC.pem.certspec new file mode 100644 index 0000000000..d704f3086d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-noBC.pem.certspec @@ -0,0 +1,2 @@ +issuer:int-v1-noBC +subject:ee diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-cA.pem new file mode 100644 index 0000000000..ebcef14af2 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-cA.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICtDCCAZygAwIBAgIUQa2vmOFuQIcUEknPf+mySJZYVSAwDQYJKoZIhvcNAQEL +BQAwFzEVMBMGA1UEAwwMaW50LXYyLUJDLWNBMCIYDzIwMjIxMTI3MDAwMDAwWhgP +MjAyNTAyMDQwMDAwMDBaMA0xCzAJBgNVBAMMAmVlMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqGSIb3DQEB +CwUAA4IBAQB/UTVHwjP5qiiLNpuQUGIrfYxqMe5a7GzHlq+TKgzTXhUZLeT9L0c0 +tWfyTQVOj/14LLoughDHCxFQU9PPWu5Zcn08gSzuXlxT1IUzKSvoxnd9ummOLxDx +aBogFYgbXvhCbRBZGl3g8+1TbdrEU7+o91qj6Ud7jo0PEF97HTTWWOznvjH34YjK +6J4BqUQY/NtMLlq9ggTe+4OHsXxJmIwf3T0e26nSGc0G+A6DdculS0PKL69ALsN7 +OqAbutudQiYdhUyOHzHHv1FXFS2XZ3tS0yq0JrXHnL8RhxP3RChBBBXJOzscGYuZ +Q0RbJmvqIv+GLW6GqxeYhUqDP/1UyHnt +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-cA.pem.certspec new file mode 100644 index 0000000000..5d3a65e650 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-cA.pem.certspec @@ -0,0 +1,2 @@ +issuer:int-v2-BC-cA +subject:ee diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-not-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-not-cA.pem new file mode 100644 index 0000000000..e03916e31e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-not-cA.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICuDCCAaCgAwIBAgIUIw7nW045opL3An26Z8cQF5EwMhAwDQYJKoZIhvcNAQEL +BQAwGzEZMBcGA1UEAwwQaW50LXYyLUJDLW5vdC1jQTAiGA8yMDIyMTEyNzAwMDAw +MFoYDzIwMjUwMjA0MDAwMDAwWjANMQswCQYDVQQDDAJlZTCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX +bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ +OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9 +uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb +t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO +NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG +9w0BAQsFAAOCAQEAFM57PmhaejCsPcL2dJUXbysaivaIED9r6UvdLHahWIagWfLZ +QRAaTGT3u03Yg3ptIw9yVDPJtP6PNbrr2/ZFXvfecUxYaxMFphklBUVG0lazS7pD +Oz8sk7ruhWcsRnQwp9rLaNMvC4fP8gZQ5DWyOkzsiC4EZpgYUwGfT/RxEENqnSWZ +BapNk6Z2PrnNXAKoZjkV17X86wwjSeYIxLtkXQFdDlfPeqkWM8KRNPdvzpG1M/Zc +vivP5ufAbtCrHp5haU5Nlg6m2fjs4JxK0+EyC1c8abkl36TVQSpj7yEnWBwkiCat +V9ep5JkyK5qLT2OGCXzIXelXA+IF/Qq0VrDBtQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-not-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-not-cA.pem.certspec new file mode 100644 index 0000000000..591a16aca0 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-not-cA.pem.certspec @@ -0,0 +1,2 @@ +issuer:int-v2-BC-not-cA +subject:ee diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-noBC.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-noBC.pem new file mode 100644 index 0000000000..f1ed6869f5 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-noBC.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICszCCAZugAwIBAgIUA/rb765ygQD54Le3G4Cs1yyzBsIwDQYJKoZIhvcNAQEL +BQAwFjEUMBIGA1UEAwwLaW50LXYyLW5vQkMwIhgPMjAyMjExMjcwMDAwMDBaGA8y +MDI1MDIwNDAwMDAwMFowDTELMAkGA1UEAwwCZWUwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEL +BQADggEBAKtL/b4XIvCDeeQ7l7Iyk23fZyxn0HRNnyA37BCilDQr5fYJK35tteiN +kboRwcHmOolh+w9lNzTJgej12MUMQDBbY+N4B89Nit4xmylFxsT40vj8ciEjvpVh +hOGJYBZ+3Azu+eBBAB03fhldFwajVcaU9ySva9wGRKadQrjhjG4P+2s4QmYlvg1D +vCHaelNOh+dCdCIbK0j3ICs7sLkxZXSwd40hSQot1lUocvJe2pClBjc3Ydg7jOk3 +dXP5cOoTkpoXih1WDxHnOx0QXGonLWUwKOFYUa+mFodRlFaND33c/im7PWt+HBN2 +f4GVJb4XkirP1IOnIAmcjNzwiTIK5Bg= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-noBC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-noBC.pem.certspec new file mode 100644 index 0000000000..7f99393cf2 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-noBC.pem.certspec @@ -0,0 +1,2 @@ +issuer:int-v2-noBC +subject:ee diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-cA.pem new file mode 100644 index 0000000000..a98b90f4a2 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-cA.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICtDCCAZygAwIBAgIUefke4gKDXqy7IPjilelBCDu7bRcwDQYJKoZIhvcNAQEL +BQAwFzEVMBMGA1UEAwwMaW50LXYzLUJDLWNBMCIYDzIwMjIxMTI3MDAwMDAwWhgP +MjAyNTAyMDQwMDAwMDBaMA0xCzAJBgNVBAMMAmVlMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqGSIb3DQEB +CwUAA4IBAQBrMCdlJ5eshrJdeo/7ch8WcrGhdAK2G3WKhcRIhWTD+G0GNcBfCbPh +KJLgX+xHM0aE7tafI3FU4lz0jHtjsf9dU2qwoIg/8J0eJMxg840bYa3IK3N8e5Nr +QQBRgN3Hyd3wZNIJLhHpQqRtyAzUTgpuMObUzbOHkwDAb1mqlQTWjGZBzstToRl+ +Xx3DkYmgZF1S79Ze4ojZbtyoS5LD4ZwQLSLnpvPOi2dA8MnXUxqvg/u1DAb6J2nV +zH4z2bo/b1OgaW/cLHl0Xr4h9hkDeVfwjQOBpXEuS59xN96/D66+6iOif5tMwu9E +mvsph4m61j038Bvlye7UKT6CjgldWRl5 +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-cA.pem.certspec new file mode 100644 index 0000000000..13af934f29 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-cA.pem.certspec @@ -0,0 +1,2 @@ +issuer:int-v3-BC-cA +subject:ee diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-not-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-not-cA.pem new file mode 100644 index 0000000000..b20f638bca --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-not-cA.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICuDCCAaCgAwIBAgIUO78FFcR701QsD+vhEppKK3wsDZIwDQYJKoZIhvcNAQEL +BQAwGzEZMBcGA1UEAwwQaW50LXYzLUJDLW5vdC1jQTAiGA8yMDIyMTEyNzAwMDAw +MFoYDzIwMjUwMjA0MDAwMDAwWjANMQswCQYDVQQDDAJlZTCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX +bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ +OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9 +uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb +t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO +NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG +9w0BAQsFAAOCAQEAg2c/f/aD+ppS+ksoNqIvemHUsjQnHuUtvZrYdKjmEkokRX21 +5CzrmmUjBy5NYgtu+6J7c09E1U5MZOE0FwOlLYfQMgJ1rYnVh01o5mNLDXfCOZBG +yyprmTNF3zwyde42nqfusSWjP8NaY1penWue/KtFerl8nrWVZA9LBgNboeDFVKMO +b4t6r0g5fu5rfBh4Qh+0Bn9vyNRSGEGaM0psZWem5lFq8S+k+cWsIhg694BIFrCO +T6vXhQxUzHjcZi0nGkufJnxQDVDCRF75muXPi5rBYVAB8bCss/7hddyBpxM+K7DB +lL7SUzSQZ32bKOux4M33USslVcJD1dO4RJiOFg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-not-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-not-cA.pem.certspec new file mode 100644 index 0000000000..8539715a03 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-not-cA.pem.certspec @@ -0,0 +1,2 @@ +issuer:int-v3-BC-not-cA +subject:ee diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-noBC.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-noBC.pem new file mode 100644 index 0000000000..c0f9f120b6 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-noBC.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICszCCAZugAwIBAgIUO+QNHqAJb4pTXht/k8UCPzcpyCUwDQYJKoZIhvcNAQEL +BQAwFjEUMBIGA1UEAwwLaW50LXYzLW5vQkMwIhgPMjAyMjExMjcwMDAwMDBaGA8y +MDI1MDIwNDAwMDAwMFowDTELMAkGA1UEAwwCZWUwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEL +BQADggEBAFiNaZCKsCXUQPRj/EKoso/moCv/QgLjOgUIdDadCeZVhYIz7RNN0Dyw +RZICFMn0P+dGpgEd4cQUZv9BUOpss2PZH6geuNVRvp2vN8wC5GAo0VN98dIGS96e +RRGc1x77buN0pQpORKB9DsHd9XP2LSnW9sO/NSjbApkrREdJl0T+1CcJVO6CQ1Yr +Zl9TPrDacBsQhBV08H6+NAMdoS3BnYFFFnnRPQBV008/0f4Qsj0U8k63LKBJBxuO +JLOxRF5yQKWs7Iv7ETZizf9eV1W5bnbkxrBaB6uDZ2Bw38ZZNJkiETKvSYNuA58i +7mKkskhI8f3ptLuYdehhT89Q8felZmo= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-noBC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-noBC.pem.certspec new file mode 100644 index 0000000000..a65e41cea5 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-noBC.pem.certspec @@ -0,0 +1,2 @@ +issuer:int-v3-noBC +subject:ee diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-cA.pem new file mode 100644 index 0000000000..1306f85ba2 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-cA.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICtDCCAZygAwIBAgIUD9mjlZoVjfS3EEG5Xu47+IlGvZwwDQYJKoZIhvcNAQEL +BQAwFzEVMBMGA1UEAwwMaW50LXY0LUJDLWNBMCIYDzIwMjIxMTI3MDAwMDAwWhgP +MjAyNTAyMDQwMDAwMDBaMA0xCzAJBgNVBAMMAmVlMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqGSIb3DQEB +CwUAA4IBAQBph0HyYKKjKYZVkaicTpNFAvc5Q+w/wIXwsBlzhrej+APOb2eNeV+Y +nbe9BOeYWbGTry6sibd9eL4Ng8ej7NDEKvRjGkel3GiegHSRZ70TioNnSGoeg3Df +VH+a52b9Lfn7gS+Lz43IMEg8zz55bs5eHkUHpwCOZKeqwExifDbMM3wOK0bSJdOR +08QRHCblPToPS7QGK+IQtN+2DhZyar3Mnk45GxckaLGYRezJu4cVbOk7o2TkwMbc +KufwJrM9qglP8DCwr9POUgDAh7955Lv+9h9uD9ptrfGNrTo22qhU3776AMDwLhu2 +7gC5P+RTvV4a+Q5FkaEY2U66QRopAOi6 +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-cA.pem.certspec new file mode 100644 index 0000000000..35a3a9ff36 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-cA.pem.certspec @@ -0,0 +1,2 @@ +issuer:int-v4-BC-cA +subject:ee diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-not-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-not-cA.pem new file mode 100644 index 0000000000..11393b0552 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-not-cA.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICuDCCAaCgAwIBAgIUFVVwfxYgO4bAguVPe+4QH6P/sJ0wDQYJKoZIhvcNAQEL +BQAwGzEZMBcGA1UEAwwQaW50LXY0LUJDLW5vdC1jQTAiGA8yMDIyMTEyNzAwMDAw +MFoYDzIwMjUwMjA0MDAwMDAwWjANMQswCQYDVQQDDAJlZTCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX +bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ +OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9 +uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb +t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO +NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG +9w0BAQsFAAOCAQEAFzhirn4hAf3L8nBCIywulLfcITjmACfZnez3+xiTGak3oYsP +JRtsoeVwNpPhwxmiEZffH+8mofKOB2JzPWTxwoIbLez3EH3ECDQzPzdhersvg1Id +Bw9eoSbcyUcHe7o6igUV64yrdMqACe4lHSyNN+SC6W88hY2mecSp7fglwERZpUQL +OtU6G3z8SzG3oUhYIegdLor+gnO/N8F1XF5xC39jjl0P4PDUiaf5x//KVhTueBk1 +3DszurRdgqmHfOEzY1tf+jxc5Lo7X0REY13jJmbleaNA8GqpvDffPLzGD3GOUT+H +e1+T7awJUKVXPMlfzm061NHopQJ4Z7L/iI2cEA== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-not-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-not-cA.pem.certspec new file mode 100644 index 0000000000..7627d3a8a2 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-not-cA.pem.certspec @@ -0,0 +1,2 @@ +issuer:int-v4-BC-not-cA +subject:ee diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-noBC.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-noBC.pem new file mode 100644 index 0000000000..297cbf65e6 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-noBC.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICszCCAZugAwIBAgIUDWpVe1isv8G4pH8XXE8FNGEjbG8wDQYJKoZIhvcNAQEL +BQAwFjEUMBIGA1UEAwwLaW50LXY0LW5vQkMwIhgPMjAyMjExMjcwMDAwMDBaGA8y +MDI1MDIwNDAwMDAwMFowDTELMAkGA1UEAwwCZWUwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEL +BQADggEBABr4HxTCzrA5IahEU9K2Y8GOLbiXAeU1CEOMLFqtXCV7CF90IlyjHjax +ANLRXea0Q7uMU7yJH7fsdg+NwjWmC4EpQyalU/5HbPsPQv540ofVZJK5Sup+ppRT +8Fue6rTgMrpzwbQ42Qi3L5u/fBIDfDfvvBJGTLdZwGB4292Nnl91FZgQ45XgLCK4 +H/vG3a/YbMCi9zHfbHEsYrXzD5R+LaB7n1cyi1RCqct+swHVRYGgbJ1j5FTx5JCz +DHDoKcBoza8ewfwVrFxvLkF76UJwE4pavA8fqtQZdyctCSRSY0GpgK/Oeq1y09fB +ZHYkTVDlvJ7aE+s2Uf949ZBdckomX0M= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-noBC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-noBC.pem.certspec new file mode 100644 index 0000000000..a780337539 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-noBC.pem.certspec @@ -0,0 +1,2 @@ +issuer:int-v4-noBC +subject:ee diff --git a/security/manager/ssl/tests/unit/test_cert_version/generate.py b/security/manager/ssl/tests/unit/test_cert_version/generate.py new file mode 100755 index 0000000000..2afaace3b9 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/generate.py @@ -0,0 +1,93 @@ +#!/usr/bin/env python +# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*- +# vim: set filetype=python + +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +# This file generates the certspec files for test_cert_version.js. The naming +# convention for those files is generally of the form +# "<subject-description>_<issuer-description>.pem.certspec". End-entity +# certificates are generally called "ee". Intermediates are called +# "int". The root CA is called "ca" and self-signed certificates are called +# "ss". +# In the case that the subject and issuer are the same, the redundant part is +# not repeated. +# If there is nothing particularly special about a certificate, it has no +# description ("nothing particularly special" meaning the certificate is X509v3 +# and has or does not have the basic constraints extension as expected by where +# it is in the hierarchy). Otherwise, the description includes its version and +# details about the extension. If the extension is not present, the string +# "noBC" is used. If it is present but the cA bit is not asserted, the string +# "BC-not-cA" is used. If it is present with the cA bit asserted, the string +# "BC-cA" is used. +# For example, a v1 intermediate that does not have the extension that was +# issued by the root CA has the name "int-v1-noBC_ca.pem.certspec". +# A v4 end-entity that does have the extension but does not assert the cA bit +# that was issued by the root CA has the name +# "ee-v4-BC-not-cA_ca.pem.certspec". +# An end-entity issued by a v3 intermediate with the extension that asserts the +# cA bit has the name "ee_int-v3-BC-cA.pem.certspec". + +versions = {"v1": 1, "v2": 2, "v3": 3, "v4": 4} + +basicConstraintsTypes = { + "noBC": "", + "BC-not-cA": "extension:basicConstraints:,", + "BC-cA": "extension:basicConstraints:cA,", +} + + +def writeCertspec(issuer, subject, fields): + filename = "%s_%s.pem.certspec" % (subject, issuer) + if issuer == subject: + filename = "%s.pem.certspec" % subject + with open(filename, "w") as f: + f.write("issuer:%s\n" % issuer) + f.write("subject:%s\n" % subject) + for field in fields: + if len(field) > 0: + f.write("%s\n" % field) + + +keyUsage = "extension:keyUsage:keyCertSign,cRLSign" +basicConstraintsCA = "extension:basicConstraints:cA," + +writeCertspec("ca", "ca", [keyUsage, basicConstraintsCA]) + +for versionStr, versionVal in versions.iteritems(): + # intermediates + versionText = "version:%s" % versionVal + for ( + basicConstraintsType, + basicConstraintsExtension, + ) in basicConstraintsTypes.iteritems(): + intermediateName = "int-%s-%s" % (versionStr, basicConstraintsType) + writeCertspec( + "ca", intermediateName, [keyUsage, versionText, basicConstraintsExtension] + ) + writeCertspec(intermediateName, "ee", []) + + # end-entities + versionText = "version:%s" % versionVal + for ( + basicConstraintsType, + basicConstraintsExtension, + ) in basicConstraintsTypes.iteritems(): + writeCertspec( + "ca", + "ee-%s-%s" % (versionStr, basicConstraintsType), + [versionText, basicConstraintsExtension], + ) + + # self-signed certificates + versionText = "version:%s" % versionVal + for ( + basicConstraintsType, + basicConstraintsExtension, + ) in basicConstraintsTypes.iteritems(): + selfSignedName = "ss-%s-%s" % (versionStr, basicConstraintsType) + writeCertspec( + selfSignedName, selfSignedName, [versionText, basicConstraintsExtension] + ) diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-cA_ca.pem new file mode 100644 index 0000000000..65788e2190 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-cA_ca.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIICzjCCAbYCFDMToE4TKwoJrRFEIWin02eKF4D+MA0GCSqGSIb3DQEBCwUAMA0x +CzAJBgNVBAMMAmNhMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBa +MBcxFTATBgNVBAMMDGludC12MS1CQy1jQTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODY +H72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk +27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A9 +0jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMM +kd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaL +L+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMdMBswCwYDVR0PBAQDAgEG +MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG0KdsktfFzQGcr58b5x +ZzWPxx51X+0umEEks+oJtUicn6k9abyC6V0EF4hP98Civ9xicchxWsgJX6pn/f5m +PJ7OZLJEdw1VK+MQsCuOfLjL9aQDGm1y7JyEjBE4jw8GI8ovdwJNKDADXsD3ramn +Z9XDpxVFXbNNwjGoDnBx7woF5qB0W/ZElbGVAvmse9ART52bCd1CDF1uWYEJXkHa +bTsAziS9RFF9d7R2vYonwJbV6aGOKQ5BgXP10GWcezgGZymwaRuaJArtu6HcRflf +TOHumXMueXcQHD0QYfV7GU3YyOwJBM3s8BIZWBphNfusapgZiRKyXaPyiwpc2NIV +z+0= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-cA_ca.pem.certspec new file mode 100644 index 0000000000..77f3ae9147 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-cA_ca.pem.certspec @@ -0,0 +1,5 @@ +issuer:ca +subject:int-v1-BC-cA +extension:keyUsage:keyCertSign,cRLSign +version:1 +extension:basicConstraints:cA, diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-not-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-not-cA_ca.pem new file mode 100644 index 0000000000..d1369fbdda --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-not-cA_ca.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIICzzCCAbcCFFOzCj37KlSP1SKZCkWORw4lt4fPMA0GCSqGSIb3DQEBCwUAMA0x +CzAJBgNVBAMMAmNhMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBa +MBsxGTAXBgNVBAMMEGludC12MS1CQy1ub3QtY0EwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjGjAYMAsGA1UdDwQE +AwIBBjAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQBHgLF5KhgZfWzEH2Jc +zF6myuizV377LX99uyskuKqbMCQRaUFmaBbQ6g2SYiSrb6wIR02LTaJ9EL39lIlp +U+IGCAk0FsrcDc4OH6Z/QL4qC3foqIctdLC6lOGGfeKyeLFCCwvyLx2cS9yQEQ/j +BnVjpwENCx2lLrBuTBWn28Rk9rbanhf7QApIp1U53Lpmbo3Ax1zLMlWlfSzfapvR +k1z8cov2HPyrOuXToRsubdq0T00GY9j9LBwJocCfwlNbw3aqAAXouaR5sTdwwwEQ +5qCVeJtCu8tA+bMVC0SsUMiY5FCZEV2skKb5Ww6cRPipAQNvkjZ/7P5u+Gb3C5rV +w9IC +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-not-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-not-cA_ca.pem.certspec new file mode 100644 index 0000000000..2a366535b6 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-not-cA_ca.pem.certspec @@ -0,0 +1,5 @@ +issuer:ca +subject:int-v1-BC-not-cA +extension:keyUsage:keyCertSign,cRLSign +version:1 +extension:basicConstraints:, diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v1-noBC_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v1-noBC_ca.pem new file mode 100644 index 0000000000..574cfec262 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v1-noBC_ca.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICvzCCAacCFCWAJwB3SeBN/snVnkeVbHEnb22KMA0GCSqGSIb3DQEBCwUAMA0x +CzAJBgNVBAMMAmNhMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBa +MBYxFDASBgNVBAMMC2ludC12MS1ub0JDMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf +vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb +uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S +O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR +3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv +5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABow8wDTALBgNVHQ8EBAMCAQYw +DQYJKoZIhvcNAQELBQADggEBADjWZ0swsQ1tE58wYcooARKJDp+ynL4e/i1zvIhz +pAJJppP7f5BktvjNHyf6Bev/6pUIS6uWJMx2/zh/O7mD4QnmszgLICqWYUBoJJWB +h34HdAKpq3tZDCX11uDL+BE9ZcEtGhizDY5kky88Z3VpoavSN0y3VT7VRW6ioK7a +ow50Cr6dSYZyE77PhBViWRpgHgQIpPBeMsrYh9Nt+4eMwFfOsYajoP1SYc4QiSEQ +fCg2g4w+Iwf+Rd260Y242q9b20EdsG+kmE5t+G1HTFHmsTtgoDquwPKS0xKUoMEV +JCy8oU8kmuUS7D7Arm2nzxS0+aY9Bq1h1zfn5vTAdCuaz7M= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v1-noBC_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v1-noBC_ca.pem.certspec new file mode 100644 index 0000000000..63bf6ed737 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v1-noBC_ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:int-v1-noBC +extension:keyUsage:keyCertSign,cRLSign +version:1 diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-cA_ca.pem new file mode 100644 index 0000000000..4eaf24dfbc --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-cA_ca.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC0zCCAbugAwIBAQIUP4J09v+wB1mdidjzCP6DbDeB1IIwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowFzEVMBMGA1UEAwwMaW50LXYyLUJDLWNBMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzALBgNVHQ8E +BAMCAQYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAFyM1M3A1xa3F +ir8yHwnmB7LgmqdjiEPg8YxpActQ57qyid8gFcmIjDJncZgRHB2SpFHGdgUBV9N4 +3jyrtGU69+PWUNe7mnRNMARBItjauwQrtP2MaI3NB3O+pNqGrBBz1XhUWb9mkmm9 +Xi/gHTKVYX7fiFGSE8743Pp5ct0XnVICE6LcvlL4hlBLvpFYVb6bqpj1/m20m4HF +wSEK912YFvJXwrHcGWC8i8ltmwRyZiRYCYiwZ/T5YX5UunkEimd1PS2M23Nu0hM5 +E9pCM6QTW0glQkuy/f46vfCtuQdNPBSM5/nizqAxqAiI+C5o72rDHj5ufJNmYFoe +98cs8l6SvQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-cA_ca.pem.certspec new file mode 100644 index 0000000000..ca1bf67a7d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-cA_ca.pem.certspec @@ -0,0 +1,5 @@ +issuer:ca +subject:int-v2-BC-cA +extension:keyUsage:keyCertSign,cRLSign +version:2 +extension:basicConstraints:cA, diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-not-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-not-cA_ca.pem new file mode 100644 index 0000000000..eceb7b5f96 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-not-cA_ca.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC1DCCAbygAwIBAQIUIW9TLVTTseA70dK1dOagZQKGWJMwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowGzEZMBcGA1UEAwwQaW50LXYyLUJDLW5vdC1jQTCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX +bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ +OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9 +uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb +t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO +NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMaMBgwCwYD +VR0PBAQDAgEGMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAA/+CcSehLRv +LRCmdq/SZl5sniK08RK8aTjvvvFdgwE1+qjrh6MGp/BNKiW6iK6ZY4Nzecm7tHZR +Qx2BtsDi92dZR5UfsbHzy+wqoZzOkWf3PkuxB6nZ5LKsegCHGiRSGels3Iji9tsA +pzYjZ6Wv6kx45+IAKp0Hyh99ls5Qi4VQS2UkYdRx3vVisEa0aKaOqkAWyHdtyT/P +WPPb10l8vvH/hPxagz56gmMsWxctF7O4VIWboTX7bM2pw/nJbJUVWz8hvAp8TZDc +OdM70k9KEhTO7KRvovlmKbwhUHVh3aa3nFfc89uux3AV+6RJnu63+Y7UdyDqC6sy +78IwYD4cnzw= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-not-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-not-cA_ca.pem.certspec new file mode 100644 index 0000000000..fc28ff150e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-not-cA_ca.pem.certspec @@ -0,0 +1,5 @@ +issuer:ca +subject:int-v2-BC-not-cA +extension:keyUsage:keyCertSign,cRLSign +version:2 +extension:basicConstraints:, diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v2-noBC_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v2-noBC_ca.pem new file mode 100644 index 0000000000..2802da20ef --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v2-noBC_ca.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICxDCCAaygAwIBAQIUDz652YsUwHYIvm3ITbhQHnQKzn8wDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowFjEUMBIGA1UEAwwLaW50LXYyLW5vQkMwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjDzANMAsGA1UdDwQE +AwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAl6iXL3yO0+qeEMIqdt1OOyHXcwuYgzlb +VOLcC7eDB0bpvuEM94K2GKRrgcPooQjkiz65p0+Og3XI2WMffpQu3uJZh9jmxPaP +mxYAlVm00HfOfoikhhAXhog1mEAPpo2rEMjaQ4zlk6JFr99OAxWf1tZWfvCXlvMB +Gl3CYhPgyhSESqWo3qSpJ8ad429UKYNO2DaCRVb+Cwix/7wno9xtd4zM5857KoiH +uomjtmkq/sLTi7Sskwj+4pY7Zfn7IgB7ystDIaV3vL7SecGhujs6QWwkv6sCDe9I +zGLJbngoqubh0zYyLpooTamawkv7PJTe0JNxSsiSQaWizfF6EM/mDQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v2-noBC_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v2-noBC_ca.pem.certspec new file mode 100644 index 0000000000..2d3fe59ffa --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v2-noBC_ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:int-v2-noBC +extension:keyUsage:keyCertSign,cRLSign +version:2 diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-cA_ca.pem new file mode 100644 index 0000000000..4f5393ddf2 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-cA_ca.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC0zCCAbugAwIBAgIUAzvvou3xJqatuq3Ni5WU3XjZErUwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowFzEVMBMGA1UEAwwMaW50LXYzLUJDLWNBMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzALBgNVHQ8E +BAMCAQYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAcsFZACYe8BQ5 +lvrpDQk1T7Oap8AP6E5Il6CsxxApt6bWP7GKmV2L1IoaELWr+3+0tjwCqVtyGbOB ++krlXU9q2eSAvwSB4NrhDZc7o6cjOY8s44gnP74SywH2Ugk/F4TeYVrBUlNCUTNm +CrlmUPCY52q6B0lYPzYlwCFV8D6qhVrT/uVOGoac3iOL23SsAAm9iiXcHpt3b/oN +Uai0kW+ieKhbUavqGEeSqKSMxFJKAFStyoS25AoBzrN/LJYB104suST8JqPGyOca ++3yOOBZg1n+t3zAFWRYzRgf7HPVLb1MALtQLjZCg5A0e9vXK5E0HTSUjCszrUd/w +bigId964yw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-cA_ca.pem.certspec new file mode 100644 index 0000000000..56fcb21a03 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-cA_ca.pem.certspec @@ -0,0 +1,5 @@ +issuer:ca +subject:int-v3-BC-cA +extension:keyUsage:keyCertSign,cRLSign +version:3 +extension:basicConstraints:cA, diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-not-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-not-cA_ca.pem new file mode 100644 index 0000000000..3a39b28b2f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-not-cA_ca.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC1DCCAbygAwIBAgIUTYM1sQVw4w4tMAQDvOXpkA+qsJ4wDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowGzEZMBcGA1UEAwwQaW50LXYzLUJDLW5vdC1jQTCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX +bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ +OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9 +uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb +t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO +NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMaMBgwCwYD +VR0PBAQDAgEGMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAAMhMUhyb8XY +wYsNSIXUGGQuq8IT2GxSBaJatD66WfzvT2ij6+FGIo96JgkijahqSYuw3n1J+cx5 +UfFRdIxscOeNiA2SEaN2vPeOjx6SEnzR9ISX5ZfP48jbtkaHG1BMuWCNQ3kW34lq +H66LrJIfkEua0dPyVZjQeNM8xh97OG0gtBtEU2saFdHhcVUSaAjzUBMNX96r/rMZ +cvjQ+NyEN/SzFRmgA+i8MLReLjZSuaTwGnFzH0nvsl7t4wyARTvaz2B3XdR2bBYi +0txprfO7e2sW5FDWD8XTvQKjSr47xdEtco2WfgR1bEwSfsZQNcCaBjUQQ/0TYhuA +dJC8P5TnhsU= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-not-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-not-cA_ca.pem.certspec new file mode 100644 index 0000000000..a2def8d323 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-not-cA_ca.pem.certspec @@ -0,0 +1,5 @@ +issuer:ca +subject:int-v3-BC-not-cA +extension:keyUsage:keyCertSign,cRLSign +version:3 +extension:basicConstraints:, diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v3-noBC_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v3-noBC_ca.pem new file mode 100644 index 0000000000..cf76357178 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v3-noBC_ca.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICxDCCAaygAwIBAgIUf46hAcLOkyyUh/Zpj5xA4V4dSwgwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowFjEUMBIGA1UEAwwLaW50LXYzLW5vQkMwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjDzANMAsGA1UdDwQE +AwIBBjANBgkqhkiG9w0BAQsFAAOCAQEATphgzjhjAxKENNABoQeFrCgFaGYbBSlJ +NadwUP8zbzFV4RX1KAcyujMWnDzDfIadyMBOgwGyVJ5K9iaBSB6u+S6Od4OvTS2i +LdW+sBwnnyoyx3tCU7cQEp1NuUDS1w4Q8spnh22LqBvznVtprPElqma+trfZTIMt +DX+gcK/rAhLU3NQYVhOZ4cFduOJPIu7YkVj+8wGj27B+UVLzmBhG6gREFQB54LtQ +k0vDOLePiDucabxPdlG25KtxR4GoXwaW49HPetDez+IrSkDWRP7jlItWbvOQT3px ++x5fXycZWXYSB9neEcjlu3vGhfS04EZxVe8GYx79VMaeUPwivvU0dg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v3-noBC_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v3-noBC_ca.pem.certspec new file mode 100644 index 0000000000..b336397ab6 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v3-noBC_ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:int-v3-noBC +extension:keyUsage:keyCertSign,cRLSign +version:3 diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-cA_ca.pem new file mode 100644 index 0000000000..0799c0726f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-cA_ca.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC0zCCAbugAwIBAwIUAcNvCRz9BJocVqD1LRtwiNEarf0wDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowFzEVMBMGA1UEAwwMaW50LXY0LUJDLWNBMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzALBgNVHQ8E +BAMCAQYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAGcIJDN3eWDVw +wgE/xySp7WDdAwDJHd9YFoO4kTx54bk0KXoPQIt6tWYC4FaZFn4mJvtEDfC8G8lQ +2umxcSjA+evhPxYfQqVYGMmDI84WkojwCsgFCNJROUMTTGWJU+VYqF9L0FQAl81I +zW16HBW1ZEcH1QnZWV92yXf2Obnxv/OqUilu9/IhoRheC+zVgGLtp5ta+zWiAM/P +BCHZJfLRzaTG1n5HJiFhxi/+rucveyAw2HtdnvxJnkwNOuFvgz+cMm6wF2apE7O+ +8JheSPVbibWiEMR7sg7wW4G/8uqIco/4dmzgydM6p/Z401DCohexGwIxKSnveCut +zWP+u3Y5CQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-cA_ca.pem.certspec new file mode 100644 index 0000000000..12b94e63a5 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-cA_ca.pem.certspec @@ -0,0 +1,5 @@ +issuer:ca +subject:int-v4-BC-cA +extension:keyUsage:keyCertSign,cRLSign +version:4 +extension:basicConstraints:cA, diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-not-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-not-cA_ca.pem new file mode 100644 index 0000000000..c6f6fff986 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-not-cA_ca.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC1DCCAbygAwIBAwIUK6/SdpdcFaBfz8PVmneAECjP0HUwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowGzEZMBcGA1UEAwwQaW50LXY0LUJDLW5vdC1jQTCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX +bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ +OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9 +uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb +t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO +NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMaMBgwCwYD +VR0PBAQDAgEGMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBACeDNdOcWU+E +AQZjoh2Iqmec+Zyt9Z4bDYI54UdbL2P/9T4JgEfT8kx4lPo+eWXR3TgsEXEfS1na +W37k3525XlWvDTWKz5i3iyHNlJ9FIu2eazsaPEjD8tsv9r33cRPqsOLYerHhU1mJ +ucpAtvEC9iU/yQNDaYRimehj5tMXb9Y3HI6fYidno6KVjfTezflBTyCjTwPFsI2k +LAPgStEy8fQ/mZYLTE0UDHfjnq7TxoDKTl3saTI5kbAiLpmfNMxg1mqya+M6pYGN +JGzj2DC95AWAqyKfU8hgt1Nf1h5wsn5ObK0bny5joOddgt5RMGiGbVImro1/gCnM +zWPDHVeKnMw= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-not-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-not-cA_ca.pem.certspec new file mode 100644 index 0000000000..43a04f70fd --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-not-cA_ca.pem.certspec @@ -0,0 +1,5 @@ +issuer:ca +subject:int-v4-BC-not-cA +extension:keyUsage:keyCertSign,cRLSign +version:4 +extension:basicConstraints:, diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v4-noBC_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v4-noBC_ca.pem new file mode 100644 index 0000000000..54c0a4cbda --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v4-noBC_ca.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICxDCCAaygAwIBAwIUGx+3hyQ7xvdNhaPOxEuHhLq6xR0wDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowFjEUMBIGA1UEAwwLaW50LXY0LW5vQkMwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjDzANMAsGA1UdDwQE +AwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAoyOdO55Pl2LJYrzdlltBuryKJCL9JR6s +OL6y5X+PpkOU/woM01J9OPbG0qLhOjDZACUi0/xif794ITYvaCpt2tpymsq8YNuT +MXJ3W42wz2UvMxuT/4DJsZrVRNEaz/BxFRRD4cX5s2wNfbW+HK5BmJCp8ShxLjra +Wbq4tj+MO+g7q/tpt4kjL636E6pB+EKO2I+eIHr9w0rqN4wmqDVNhhYPA79GmP7/ +A1jnD3d515i0R0za5oyiMO5+pBOeS+m7SvWJQ8SAclmTeOVecdEtmRO/av8IKWYM +FOz8sZ35yWXO1oXe0Ap4Y339Cfc9cYGmhexSfTUEuh4PEccSFGOsRA== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v4-noBC_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v4-noBC_ca.pem.certspec new file mode 100644 index 0000000000..4970d1e945 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v4-noBC_ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:int-v4-noBC +extension:keyUsage:keyCertSign,cRLSign +version:4 diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-cA.pem new file mode 100644 index 0000000000..c03a94442e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-cA.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyTCCAbECFB1o2wSSnQ848oSnWxn/rPX213QHMA0GCSqGSIb3DQEBCwUAMBYx +FDASBgNVBAMMC3NzLXYxLUJDLWNBMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy +MDQwMDAwMDBaMBYxFDASBgNVBAMMC3NzLXYxLUJDLWNBMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds +JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4 +ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25 +iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3 +4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42 +yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoxAwDjAMBgNV +HRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCyBW26BlMXpiaD3T5lpT4C4tt9 +ilZhEMUnvYHNmMzZ4W9LlwAjpk87mB/Rpmj1+0WNrWzdrqRrEn37FfrLx4My2I/0 +ldltRsRmARLPaO/4kp35nynZtU4NDJWXCfqI98IND4fjpVOl6KHjj0GOtG7kjw0N +rg43ybMrDkNjo5TFPyPLa7TbRU/AC1Ekgk0/xeOcwnKlOkRuIrNY0d9wa5EwG74m +A27h06vDlzBJtuoLG9vpSDMiUZeZ2u/6OqHLD46F+DsKU2fghGSRMSBJZUhwYUqw +lIBpJ5zJVv9ymh0IPI0LEvuQgjsa637u7qkkYH9/9hcqPSPD34VK0gM9tX0F +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-cA.pem.certspec new file mode 100644 index 0000000000..731396f034 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-cA.pem.certspec @@ -0,0 +1,4 @@ +issuer:ss-v1-BC-cA +subject:ss-v1-BC-cA +version:1 +extension:basicConstraints:cA, diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-not-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-not-cA.pem new file mode 100644 index 0000000000..04f367d415 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-not-cA.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIICzjCCAbYCFAN6bUkpHP4g7bh+SLf3bPaNM775MA0GCSqGSIb3DQEBCwUAMBox +GDAWBgNVBAMMD3NzLXYxLUJDLW5vdC1jQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIw +MjUwMjA0MDAwMDAwWjAaMRgwFgYDVQQDDA9zcy12MS1CQy1ub3QtY0EwggEiMA0G +CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erk +NUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwC +fs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1m +CyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTM +HGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m +1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGj +DTALMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBACjbHRr7YwhuzSz1eGKG +9DDQVa9EgBoyqkym5D4pqOwgAzhzg944PQHuxZBc+EgX9mg1uoHeql2sCQXe1e4w +ArvIy91LIxERc3gJBrnBPtqhGPWy7ocy9vdLqBff7AJguI2sM+CDi0G0rmW5DYqP +nDZjBRx10vq+SxjoiwKk1GpLMTC9/3cJotxRM9/qj+gxrMwCcpE5FxX8bGLhXYRe +BrNEf0PxJ/7zSvtorKAP4Xaw86D1C0syCbnIeUO/MG5j6DpgaxBx0sq1bMjMVvnJ +JONzwYPcWTUU+P+iuoAyiw379KPMkBGballW7xnE5vV4ghXSJ2+v0MbFtODu4UsP +ucg= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-not-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-not-cA.pem.certspec new file mode 100644 index 0000000000..20d716d494 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-not-cA.pem.certspec @@ -0,0 +1,4 @@ +issuer:ss-v1-BC-not-cA +subject:ss-v1-BC-not-cA +version:1 +extension:basicConstraints:, diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v1-noBC.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-noBC.pem new file mode 100644 index 0000000000..5ae313a9c4 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-noBC.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICtTCCAZ0CFG2H9UtZJlaZgU8dTUaZVFYu98swMA0GCSqGSIb3DQEBCwUAMBUx +EzARBgNVBAMMCnNzLXYxLW5vQkMwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIw +NDAwMDAwMFowFTETMBEGA1UEAwwKc3MtdjEtbm9CQzCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7 +wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCAp +k6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhh +eZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KW +EsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONssc +JAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0B +AQsFAAOCAQEATmXm4iolX2Mj0paZM/ImW1sfTDksXd9Z06QkGPFha0Uq4U9KVgEE +ZWoaf3YvBVnC6HRyT9kiC6EhuzeFO1HLFrzegzYtgEMNE/QLULftsBwaO24bpkn0 +vC78g5BhxjXyhKr+kZst7+MBxgfqW1BuBQKjTer+3FaeZ9+psokZJkQ2jjS80hTm +NtYHaGg8boAQqqaRiOmXt7NfanGc3S7v++G+vGS9KPCkwIJahN/QMKOxbfiQaEGB +IMws/eIb2d6Uvjby67w0rmF244+UZl1xVAmZoTzdUG9fxl+mInpQ3GZwXHFIh+dg +T8zacnUf9PUspdSJW4X3KR5zWoFnZ4gPnQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v1-noBC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-noBC.pem.certspec new file mode 100644 index 0000000000..58d2f0d7f5 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-noBC.pem.certspec @@ -0,0 +1,3 @@ +issuer:ss-v1-noBC +subject:ss-v1-noBC +version:1 diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-cA.pem new file mode 100644 index 0000000000..60cfbf22ce --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-cA.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIICzjCCAbagAwIBAQIUbyOcztDE3bJP/+M+df1pwVApAy4wDQYJKoZIhvcNAQEL +BQAwFjEUMBIGA1UEAwwLc3MtdjItQkMtY0EwIhgPMjAyMjExMjcwMDAwMDBaGA8y +MDI1MDIwNDAwMDAwMFowFjEUMBIGA1UEAwwLc3MtdjItQkMtY0EwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0 +7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D +/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw +JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX +rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd +q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEDAO +MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAGH3wSiQNWVlfSRCXqau +kxen6i0L4vYVKxMPI9fGBipm3CdmViU+vH8hfb3l4K/FCczFiI/9BuaYxp/70+Vj +LALgt/IpsFN216nvIJhGY0bc86k24Z0wF1cSUwBfmfTYP93CalnJ2Aja9iyQ8uCP +2ABtrXoNedgm8/mNwk++y/6aCw8nFgzyPHk8q9z7QJYkDk8y09p9StzQL1NhdIAo +TfJKNQwRVFhwDNPFjBFuVskihgiNlNDoCCVelM7d/txubNJHVJdjMV9+z9Tl7EJU +tB9Lvoa4CZ3DaTWcru8BPijpD+MYT6Uvax5GcOkfw9FNBhXvB2GloUdw7H2/kmzu +3lA= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-cA.pem.certspec new file mode 100644 index 0000000000..8dbb3a65ad --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-cA.pem.certspec @@ -0,0 +1,4 @@ +issuer:ss-v2-BC-cA +subject:ss-v2-BC-cA +version:2 +extension:basicConstraints:cA, diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-not-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-not-cA.pem new file mode 100644 index 0000000000..b5eed2d114 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-not-cA.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC0zCCAbugAwIBAQIUDfKvNtqkNTrPJXWJyvURZqRZVd8wDQYJKoZIhvcNAQEL +BQAwGjEYMBYGA1UEAwwPc3MtdjItQkMtbm90LWNBMCIYDzIwMjIxMTI3MDAwMDAw +WhgPMjAyNTAyMDQwMDAwMDBaMBoxGDAWBgNVBAMMD3NzLXYyLUJDLW5vdC1jQTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9 +PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3 +HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3Dg +Dw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7 +EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK +lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0C +AwEAAaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAkJhNlMNzsseu +aRxllndNdPhJunXxE79o4JnBH+B/1hPEBxgZhILOCROwATtm2HSLDUH4iHrDdHPC +fHoC1UzQvfBlBvbkK5ILcOdWJeaVV3Fh6BF00q4UxkMdbQ+ClGo0eg2I+03cxIf8 +eM8GGCbGYBn7LItWpDHm16H1Mjmj+JcNNC54XLN2IHNYOZhjM63lF3r5DrgpzsvE +ymU2HSHZ55o+pI5gNR86Pfo66OisJmjO31zK/DkHKcQdXqG/P1Er+q+Xi2skp0kD +uWO4NW3LwfJVKP0zkPxzk8KK4vayhPfu0pknGTaKST3q2M8LDpS5wbCjoRK8apci +Q3VroAPolg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-not-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-not-cA.pem.certspec new file mode 100644 index 0000000000..2b8f4bcc55 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-not-cA.pem.certspec @@ -0,0 +1,4 @@ +issuer:ss-v2-BC-not-cA +subject:ss-v2-BC-not-cA +version:2 +extension:basicConstraints:, diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v2-noBC.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-noBC.pem new file mode 100644 index 0000000000..243b759abb --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-noBC.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICujCCAaKgAwIBAQIUf09w6m0orEMyLAe5BWnalXNY/GowDQYJKoZIhvcNAQEL +BQAwFTETMBEGA1UEAwwKc3MtdjItbm9CQzAiGA8yMDIyMTEyNzAwMDAwMFoYDzIw +MjUwMjA0MDAwMDAwWjAVMRMwEQYDVQQDDApzcy12Mi1ub0JDMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1 +aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/we +adA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSS +pH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62W +YVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauR +CE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqG +SIb3DQEBCwUAA4IBAQAihzSymJW+OoCZxc/snHZBhJAmapeAuV6Ud7NfCV/KERh5 +LnhcihI1vKy6b/lklPg1IyNk6krWN0+hBhPq40bWXSoiJSv0Cwhd3seckoH8msZK +2ydbTBiI7Epu+dJPX7v8es7B2XyqkSCWayRShaIt/dYe7MZbUohtucR/Jl4lRFGi +gGrWGvQaw+uAtD8kEUwXds52sUdFNt0iMjNQ95aBj7DM44/GULCZ8AM+B2Q9/yf7 +Viyk8ZXNa8C2GWgJC/KEyT2HnO/8JVahsBeVnzHyP+oCaggBCje4sZOB/s1w7etg +hNk5z9q3AOVlk8K2oiVV2NZsM+6GUFhbArtPy4su +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v2-noBC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-noBC.pem.certspec new file mode 100644 index 0000000000..7656115a84 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-noBC.pem.certspec @@ -0,0 +1,3 @@ +issuer:ss-v2-noBC +subject:ss-v2-noBC +version:2 diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-cA.pem new file mode 100644 index 0000000000..47d78ccbfa --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-cA.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIICzjCCAbagAwIBAgIUd3ssPRZ7t196ljPylWeq9a2OdP0wDQYJKoZIhvcNAQEL +BQAwFjEUMBIGA1UEAwwLc3MtdjMtQkMtY0EwIhgPMjAyMjExMjcwMDAwMDBaGA8y +MDI1MDIwNDAwMDAwMFowFjEUMBIGA1UEAwwLc3MtdjMtQkMtY0EwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0 +7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D +/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw +JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX +rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd +q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEDAO +MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBALieIvBatH7xVUIJ0J7r +tOs/BUtOsZcBKuUmzNU1h6aQfl2m4XrHFTSK2UV2qI0IXeRJSMOxIXqwMb4k4s2d +d/RAPvx8rzNr3auTwxwCi0cLddRnSOsifBtqST7nNfCil3y1wD9amXqf7Y63CfM7 +Af0HJ2+jLKe1McxhpzKZ8SqBU/ks02GaTh60QHmAe9AfnNpf+jVsTpYBni/yeD/O +EMWiqQ7fy7ei5LtCosxuXd8LsVkYQue1AQNqeQUKHVurL5xmI/Wn40+uzUP2kLlh +tSJckYIId/etuphPwMvebVV34US+LPzD4lejavYYPVBibz/7K4tKuyvyhkM6p5hU +1Go= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-cA.pem.certspec new file mode 100644 index 0000000000..df822e99b9 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-cA.pem.certspec @@ -0,0 +1,4 @@ +issuer:ss-v3-BC-cA +subject:ss-v3-BC-cA +version:3 +extension:basicConstraints:cA, diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-not-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-not-cA.pem new file mode 100644 index 0000000000..8618f1e387 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-not-cA.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC0zCCAbugAwIBAgIUNadML4Cv00eagEJ/J8/g+1F47PowDQYJKoZIhvcNAQEL +BQAwGjEYMBYGA1UEAwwPc3MtdjMtQkMtbm90LWNBMCIYDzIwMjIxMTI3MDAwMDAw +WhgPMjAyNTAyMDQwMDAwMDBaMBoxGDAWBgNVBAMMD3NzLXYzLUJDLW5vdC1jQTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9 +PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3 +HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3Dg +Dw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7 +EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK +lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0C +AwEAAaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAZmQEP45EbkCB +Q7KMhwZFDRJtbr+OjMAwcwhtFy4dKQF0WArFmUt1ZJMTfOsyyuivd63s0ppkxK11 +LgASOmD/nC8MWxEdxjQE8gm6BWx+8aq5wbpRHaqtJgh814wspzn+bel8WMqm/7ot +0LhPKfz48mrf35tkB68uQcIUUZv7z5G47wbGOAKp1Y6eEurzX3gSNOHsUCRJC9cC +JMMqEikcT0Z2izCb6eiawyZQv2ImGE3k+I09MGKowhepgDRQq5OT1ZbNzF2ZwSRu +3kmnAx+WBpglf/sfQazRNT7HU1HLYoROstyvIgPbA52PdyYolD+w3qwd/VcgQCyk +FZnfeSDzqg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-not-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-not-cA.pem.certspec new file mode 100644 index 0000000000..0b2b575573 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-not-cA.pem.certspec @@ -0,0 +1,4 @@ +issuer:ss-v3-BC-not-cA +subject:ss-v3-BC-not-cA +version:3 +extension:basicConstraints:, diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v3-noBC.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-noBC.pem new file mode 100644 index 0000000000..b66c58fdf4 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-noBC.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICujCCAaKgAwIBAgIUKdWlnBlBA9nOA6mMG3KkfU+WLUowDQYJKoZIhvcNAQEL +BQAwFTETMBEGA1UEAwwKc3MtdjMtbm9CQzAiGA8yMDIyMTEyNzAwMDAwMFoYDzIw +MjUwMjA0MDAwMDAwWjAVMRMwEQYDVQQDDApzcy12My1ub0JDMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1 +aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/we +adA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSS +pH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62W +YVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauR +CE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqG +SIb3DQEBCwUAA4IBAQCA7Vy1DesgEw27y5+flhS9/v58Thvjmh2CTVA9tpnPiomc +3IrFCmmQ074j1/V33YJzNEScN8rsgOAcDqSek+QIWzaiKtLSlVC5g9SAEyk6pPE/ +hDmP2F1MinlqZe2EB6NkIhkY2/35I5bGSA6/1nVgV+Tld/UtBo5NFaAssqFx+ZhJ +eOyhm+wL/8IW/8H2XcmJWMRDgLniEX9lfhv6dHoQ7TlnbQnKU3Au8rddUHqgKKH2 +f/b9XZQKmQbM0AlQJA99kh/11/nFdpGUVXCH3ko/4zia3ey0Wlc6g3nYcuP6ajvz +kDbC99LAyua11bHVz3W0Vp0PPTbn0p3CpZgPcKbK +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v3-noBC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-noBC.pem.certspec new file mode 100644 index 0000000000..96314e51a7 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-noBC.pem.certspec @@ -0,0 +1,3 @@ +issuer:ss-v3-noBC +subject:ss-v3-noBC +version:3 diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-cA.pem new file mode 100644 index 0000000000..e85576ba40 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-cA.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIICzjCCAbagAwIBAwIUA/ItZexsGJ96vHpiZp5xOcdOmngwDQYJKoZIhvcNAQEL +BQAwFjEUMBIGA1UEAwwLc3MtdjQtQkMtY0EwIhgPMjAyMjExMjcwMDAwMDBaGA8y +MDI1MDIwNDAwMDAwMFowFjEUMBIGA1UEAwwLc3MtdjQtQkMtY0EwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0 +7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D +/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw +JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX +rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd +q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEDAO +MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBADkEoX9OySyVkxbpDwTM +wf6n3OFwz0IaFYwr/KByvJZFz5rbXkEALDhwXOJ/OLnNzPhCX6IboDEzAiP3xCtz +z1CJEhcg6BPYuLWBzyXaeZkam5f5rp+YdDjTxQv4W3mjTibO0srK/mF1ESJMrVwZ +BipSKVNRqOvCgyC+tsB5j51p6mrazO5XIn4GHMa1KRx85ObAUF91HBX66djl3rpQ +e4mQTFYigEUNWN79CsYFdUJDptyhrRKVJDQjdiy5F3PGw9O1KjOlapMRVVQftDlz +mv+Qd6cXAO180ViZne5f59JsUO72lcoFVSdKXV322UHTLbmbNSgAz309FGrxn2xv +4Yk= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-cA.pem.certspec new file mode 100644 index 0000000000..54269184ed --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-cA.pem.certspec @@ -0,0 +1,4 @@ +issuer:ss-v4-BC-cA +subject:ss-v4-BC-cA +version:4 +extension:basicConstraints:cA, diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-not-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-not-cA.pem new file mode 100644 index 0000000000..7273b5f300 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-not-cA.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC0zCCAbugAwIBAwIUfVuMEjAfgTtCH2WzIvkGCaZ8bkQwDQYJKoZIhvcNAQEL +BQAwGjEYMBYGA1UEAwwPc3MtdjQtQkMtbm90LWNBMCIYDzIwMjIxMTI3MDAwMDAw +WhgPMjAyNTAyMDQwMDAwMDBaMBoxGDAWBgNVBAMMD3NzLXY0LUJDLW5vdC1jQTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9 +PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3 +HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3Dg +Dw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7 +EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK +lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0C +AwEAAaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAKDq3h3ozvPP7 +S6ld2jYvhq6py5+sPR2R7MmZ17p3KIlEeLQUanv71sTSo4F54xFH3lq3AjGz2o69 +HRsR9weBaU9KX6h8OIpwxFK1IbTteYW9VriAaGnaYeKXbrSu10/4w6Cs6mgddueK +cUk+1wJYM3VhwFngb1aQyQI08dSfVfi4IAMR0NRQ0FpXBZcI8B8cAx+S6KlxAugJ +zVTLp/nG+x/am8Ztgy2yQ8RlPTN2GZ8S9AUfoQ0TGUfGWn2hw/TUJhlDwVGIwe1S +yqdUtTnaVcCEPnniXLwbx15bkAeDd8psodtMlP2cPILgJe1qzDXcCZ3JbWDt7sx1 +TCt6gCPO7Q== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-not-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-not-cA.pem.certspec new file mode 100644 index 0000000000..3d65335316 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-not-cA.pem.certspec @@ -0,0 +1,4 @@ +issuer:ss-v4-BC-not-cA +subject:ss-v4-BC-not-cA +version:4 +extension:basicConstraints:, diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v4-noBC.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-noBC.pem new file mode 100644 index 0000000000..ee63a57ec2 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-noBC.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICujCCAaKgAwIBAwIUXQ61GNGmZMpilNYCelyBlSdQbcgwDQYJKoZIhvcNAQEL +BQAwFTETMBEGA1UEAwwKc3MtdjQtbm9CQzAiGA8yMDIyMTEyNzAwMDAwMFoYDzIw +MjUwMjA0MDAwMDAwWjAVMRMwEQYDVQQDDApzcy12NC1ub0JDMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1 +aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/we +adA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSS +pH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62W +YVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauR +CE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqG +SIb3DQEBCwUAA4IBAQAZ6zzXkcUCra8W6GEXll9GATX9Qg1+qNvtXZ+aGCnv8GZs +eg5T4/0YnHQ+yG/cm1qcnDBUmukSEtCAglBQnE6ie5LWhvL6oHPpDfOL3XAxedKU +SVtFix+paAII97lDd+oY4NmzJcNu90sQ2VxF1qNKRSC2dPbnkYvqw5meMh+8/l6N +5vWXa0Khx2iANA1EENTLf0DzifJQrAKubBlu5nuzc0ctaSF6353bmPZuFFpxujRV +koeDKP4TOR13Qv8gcIC9ZmQA/IP4TNgmqoJ0A2h2aVzy59MGky8X3JEqId04nB81 +ErY8jmJcbH+iRwYstjInWdL94kMOZ9b4hmkD4liT +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v4-noBC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-noBC.pem.certspec new file mode 100644 index 0000000000..d02e04de51 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-noBC.pem.certspec @@ -0,0 +1,3 @@ +issuer:ss-v4-noBC +subject:ss-v4-noBC +version:4 diff --git a/security/manager/ssl/tests/unit/test_client_auth_remember_service_read.js b/security/manager/ssl/tests/unit/test_client_auth_remember_service_read.js new file mode 100644 index 0000000000..6b8d4f6e0d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_client_auth_remember_service_read.js @@ -0,0 +1,83 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +// This tests that the nsIClientAuthRememberService correctly reads its backing +// state file. + +function run_test() { + let stateFile = do_get_profile(); + stateFile.append(CLIENT_AUTH_FILE_NAME); + let outputStream = FileUtils.openFileOutputStream(stateFile); + let keyValuePairs = [ + { + key: "example.com,C9:65:33:89:EE:DC:4D:05:DA:16:3D:D0:12:61:BC:61:21:51:AF:2B:CC:C6:E1:72:B3:78:23:0F:13:B1:C7:4D,", + value: "AAAA", + }, + { + key: "example.com,C9:65:33:89:EE:DC:4D:05:DA:16:3D:D0:12:61:BC:61:21:51:AF:2B:CC:C6:E1:72:B3:78:23:0F:13:B1:C7:4D,^partitionKey=%28https%2Cexample.com%29", + value: "BBBB", + }, + { key: "example.test,,", value: "CCCC" }, + ]; + for (let keyValuePair of keyValuePairs) { + append_line_to_data_storage_file( + outputStream, + 1, + 1, + keyValuePair.key, + keyValuePair.value, + 1024 + ); + } + + let clientAuthRememberService = Cc[ + "@mozilla.org/security/clientAuthRememberService;1" + ].getService(Ci.nsIClientAuthRememberService); + + let dbKey = {}; + ok( + clientAuthRememberService.hasRememberedDecisionScriptable( + "example.com", + {}, + dbKey + ) + ); + equal(dbKey.value, "AAAA"); + + dbKey = {}; + ok( + clientAuthRememberService.hasRememberedDecisionScriptable( + "example.com", + { partitionKey: "(https,example.com)" }, + dbKey + ) + ); + equal(dbKey.value, "BBBB"); + + ok( + !clientAuthRememberService.hasRememberedDecisionScriptable( + "example.org", + {}, + {} + ) + ); + ok( + !clientAuthRememberService.hasRememberedDecisionScriptable( + "example.com", + { partitionKey: "(https,example.org)" }, + {} + ) + ); + + dbKey = {}; + ok( + clientAuthRememberService.hasRememberedDecisionScriptable( + "example.test", + {}, + dbKey + ) + ); + equal(dbKey.value, "CCCC"); +} diff --git a/security/manager/ssl/tests/unit/test_constructX509FromBase64.js b/security/manager/ssl/tests/unit/test_constructX509FromBase64.js new file mode 100644 index 0000000000..400724bef8 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_constructX509FromBase64.js @@ -0,0 +1,87 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. +"use strict"; + +// Checks that ConstructX509FromBase64() accepts valid input and rejects invalid +// input. + +do_get_profile(); // Must be called before getting nsIX509CertDB +const certDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +function excMessage(e) { + if (e.message) { + let msg = e.message; + if (e.data) { + msg = msg + ": " + e.data; + } + return msg; + } + + return e.toString(); +} + +function testGood(data) { + try { + let cert = certDB.constructX509FromBase64(data.cert); + equal( + cert.commonName, + data.cn, + "Actual and expected commonName should match" + ); + } catch (e) { + info(`Exception: ${excMessage(e)}`); + ok(false, `Should not have gotten an exception for "CN=${data.cn}"`); + } +} + +function testBad(data) { + throws( + () => certDB.constructX509FromBase64(data.input), + data.result, + `Should get "${data.result}" for "${data.input}"` + ); +} + +function run_test() { + const badCases = [ + // Wrong type or too short + { input: null, result: /NS_ERROR_ILLEGAL_VALUE/ }, + { input: "", result: /NS_ERROR_ILLEGAL_VALUE/ }, + { input: "=", result: /NS_ERROR_ILLEGAL_VALUE/ }, + { input: "==", result: /NS_ERROR_ILLEGAL_VALUE/ }, + // Not base64 + { input: "forty-four dead stone lions", result: /NS_ERROR_ILLEGAL_VALUE/ }, + // Not a cert + { + input: "Zm9ydHktZm91ciBkZWFkIHN0b25lIGxpb25z", + result: /NS_ERROR_FAILURE/, + }, + ]; + + // Real certs with all three padding levels + const goodCases = [ + { + cn: "A", + cert: "MIHhMIGcAgEAMA0GCSqGSIb3DQEBBQUAMAwxCjAIBgNVBAMTAUEwHhcNMTEwMzIzMjMyNTE3WhcNMTEwNDIyMjMyNTE3WjAMMQowCAYDVQQDEwFBMEwwDQYJKoZIhvcNAQEBBQADOwAwOAIxANFm7ZCfYNJViaDWTFuMClX3+9u18VFGiyLfM6xJrxir4QVtQC7VUC/WUGoBUs9COQIDAQABMA0GCSqGSIb3DQEBBQUAAzEAx2+gIwmuYjJO5SyabqIm4lB1MandHH1HQc0y0tUFshBOMESTzQRPSVwPn77a6R9t", + }, + { + cn: "Bo", + cert: "MIHjMIGeAgEAMA0GCSqGSIb3DQEBBQUAMA0xCzAJBgNVBAMTAkJvMB4XDTExMDMyMzIzMjYwMloXDTExMDQyMjIzMjYwMlowDTELMAkGA1UEAxMCQm8wTDANBgkqhkiG9w0BAQEFAAM7ADA4AjEA1FoSl9w9HqMqVgk2K0J3OTiRsgHeNsQdPUl6S82ME33gH+E56PcWZA3nse+fpS3NAgMBAAEwDQYJKoZIhvcNAQEFBQADMQAo/e3BvQAmygiATljQ68tWPoWcbMwa1xxAvpWTEc1LOvMqeDBinBUqbAbSmPhGWb4=", + }, + { + cn: "Cid", + cert: "MIHlMIGgAgEAMA0GCSqGSIb3DQEBBQUAMA4xDDAKBgNVBAMTA0NpZDAeFw0xMTAzMjMyMzI2MzJaFw0xMTA0MjIyMzI2MzJaMA4xDDAKBgNVBAMTA0NpZDBMMA0GCSqGSIb3DQEBAQUAAzsAMDgCMQDUUxlF5xKN+8KCSsR83sN+SRwJmZdliXsnBB7PU0OgbmOWN0u8yehRkmu39kN9tzcCAwEAATANBgkqhkiG9w0BAQUFAAMxAJ3UScNqRcjHFrNu4nuwRldZLJlVJvRYXp982V4/kYodQEGN4gJ+Qyj+HTsaXy5x/w==", + }, + ]; + + for (let badCase of badCases) { + testBad(badCase); + } + for (let goodCase of goodCases) { + testGood(goodCase); + } +} diff --git a/security/manager/ssl/tests/unit/test_content_signing.js b/security/manager/ssl/tests/unit/test_content_signing.js new file mode 100644 index 0000000000..1f0f26bd12 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_content_signing.js @@ -0,0 +1,438 @@ +/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +// These tests ensure content signatures are working correctly. + +const TEST_DATA_DIR = "test_content_signing/"; + +const ONECRL_NAME = "oneCRL-signer.mozilla.org"; +const ABOUT_NEWTAB_NAME = "remotenewtab.content-signature.mozilla.org"; +var VERIFICATION_HISTOGRAM = Services.telemetry.getHistogramById( + "CONTENT_SIGNATURE_VERIFICATION_STATUS" +); +var ERROR_HISTOGRAM = Services.telemetry.getKeyedHistogramById( + "CONTENT_SIGNATURE_VERIFICATION_ERRORS" +); + +// Enable the collection (during test) for all products so even products +// that don't collect the data will be able to run the test without failure. +Services.prefs.setBoolPref( + "toolkit.telemetry.testing.overrideProductsCheck", + true +); + +function getSignatureVerifier() { + return Cc["@mozilla.org/security/contentsignatureverifier;1"].getService( + Ci.nsIContentSignatureVerifier + ); +} + +function getCertHash(name) { + let cert = constructCertFromFile(`test_content_signing/${name}.pem`); + return cert.sha256Fingerprint.replace(/:/g, ""); +} + +function loadChain(prefix, names) { + let chain = []; + for (let name of names) { + let filename = `${prefix}_${name}.pem`; + chain.push(readFile(do_get_file(filename))); + } + return chain; +} + +function check_telemetry(expected_index, expected, expectedId) { + for (let i = 0; i < 10; i++) { + let expected_value = 0; + if (i == expected_index) { + expected_value = expected; + } + let errorSnapshot = ERROR_HISTOGRAM.snapshot(); + for (let k in errorSnapshot) { + // We clear the histogram every time so there should be only this one + // category. + equal(k, expectedId); + equal(errorSnapshot[k].values[i] || 0, expected_value); + } + equal( + VERIFICATION_HISTOGRAM.snapshot().values[i] || 0, + expected_value, + "count " + + i + + ": " + + VERIFICATION_HISTOGRAM.snapshot().values[i] + + " expected " + + expected_value + ); + } + VERIFICATION_HISTOGRAM.clear(); + ERROR_HISTOGRAM.clear(); +} + +add_task(async function run_test() { + // set up some data + const DATA = readFile(do_get_file(TEST_DATA_DIR + "test.txt")); + const GOOD_SIGNATURE = + "p384ecdsa=" + + readFile(do_get_file(TEST_DATA_DIR + "test.txt.signature")).trim(); + + const BAD_SIGNATURE = + "p384ecdsa=WqRXFQ7tnlVufpg7A-ZavXvWd2Zln0o4woHBy26C2r" + + "UWM4GJke4pE8ecHiXoi-7KnZXty6Pe3s4o3yAIyKDP9jUC52Ek1G" + + "q25j_X703nP5rk5gM1qz5Fe-qCWakPPl6L"; + + let remoteNewTabChain = loadChain(TEST_DATA_DIR + "content_signing", [ + "remote_newtab_ee", + "int", + ]); + + let oneCRLChain = loadChain(TEST_DATA_DIR + "content_signing", [ + "onecrl_ee", + "int", + ]); + + let oneCRLBadKeyChain = loadChain(TEST_DATA_DIR + "content_signing", [ + "onecrl_wrong_key_ee", + "int", + ]); + + let noSANChain = loadChain(TEST_DATA_DIR + "content_signing", [ + "onecrl_no_SAN_ee", + "int", + ]); + + let expiredOneCRLChain = loadChain(TEST_DATA_DIR + "content_signing", [ + "onecrl_ee_expired", + "int", + ]); + + let notValidYetOneCRLChain = loadChain(TEST_DATA_DIR + "content_signing", [ + "onecrl_ee_not_valid_yet", + "int", + ]); + + // Check signature verification works without throwing when using the wrong + // root + VERIFICATION_HISTOGRAM.clear(); + let chain1 = oneCRLChain.join("\n"); + let verifier = getSignatureVerifier(); + ok( + !(await verifier.asyncVerifyContentSignature( + DATA, + GOOD_SIGNATURE, + chain1, + ONECRL_NAME, + Ci.nsIContentSignatureVerifier.ContentSignatureProdRoot + )), + "using the wrong root, signatures should fail to verify but not throw." + ); + // Check for generic chain building error. + check_telemetry(6, 1, getCertHash("content_signing_onecrl_ee")); + + // Check good signatures from good certificates with the correct SAN + ok( + await verifier.asyncVerifyContentSignature( + DATA, + GOOD_SIGNATURE, + chain1, + ONECRL_NAME, + Ci.nsIX509CertDB.AppXPCShellRoot + ), + "A OneCRL signature should verify with the OneCRL chain" + ); + let chain2 = remoteNewTabChain.join("\n"); + ok( + await verifier.asyncVerifyContentSignature( + DATA, + GOOD_SIGNATURE, + chain2, + ABOUT_NEWTAB_NAME, + Ci.nsIX509CertDB.AppXPCShellRoot + ), + "A newtab signature should verify with the newtab chain" + ); + // Check for valid signature + check_telemetry(0, 2, getCertHash("content_signing_remote_newtab_ee")); + + // Check a bad signature when a good chain is provided + chain1 = oneCRLChain.join("\n"); + ok( + !(await verifier.asyncVerifyContentSignature( + DATA, + BAD_SIGNATURE, + chain1, + ONECRL_NAME, + Ci.nsIX509CertDB.AppXPCShellRoot + )), + "A bad signature should not verify" + ); + // Check for invalid signature + check_telemetry(1, 1, getCertHash("content_signing_onecrl_ee")); + + // Check a good signature from cert with good SAN but a different key than the + // one used to create the signature + let badKeyChain = oneCRLBadKeyChain.join("\n"); + ok( + !(await verifier.asyncVerifyContentSignature( + DATA, + GOOD_SIGNATURE, + badKeyChain, + ONECRL_NAME, + Ci.nsIX509CertDB.AppXPCShellRoot + )), + "A signature should not verify if the signing key is wrong" + ); + // Check for wrong key in cert. + check_telemetry(9, 1, getCertHash("content_signing_onecrl_wrong_key_ee")); + + // Check a good signature from cert with good SAN but a different key than the + // one used to create the signature (this time, an RSA key) + let rsaKeyChain = oneCRLBadKeyChain.join("\n"); + ok( + !(await verifier.asyncVerifyContentSignature( + DATA, + GOOD_SIGNATURE, + rsaKeyChain, + ONECRL_NAME, + Ci.nsIX509CertDB.AppXPCShellRoot + )), + "A signature should not verify if the signing key is wrong (RSA)" + ); + // Check for wrong key in cert. + check_telemetry(9, 1, getCertHash("content_signing_onecrl_wrong_key_ee")); + + // Check a good signature from cert with good SAN but with no path to root + let missingInt = [oneCRLChain[0], oneCRLChain[2]].join("\n"); + ok( + !(await verifier.asyncVerifyContentSignature( + DATA, + GOOD_SIGNATURE, + missingInt, + ONECRL_NAME, + Ci.nsIX509CertDB.AppXPCShellRoot + )), + "A signature should not verify if the chain is incomplete (missing int)" + ); + // Check for generic chain building error. + check_telemetry(6, 1, getCertHash("content_signing_onecrl_ee")); + + // Check good signatures from good certificates with the wrong SANs + chain1 = oneCRLChain.join("\n"); + ok( + !(await verifier.asyncVerifyContentSignature( + DATA, + GOOD_SIGNATURE, + chain1, + ABOUT_NEWTAB_NAME, + Ci.nsIX509CertDB.AppXPCShellRoot + )), + "A OneCRL signature should not verify if we require the newtab SAN" + ); + // Check for invalid EE cert. + check_telemetry(7, 1, getCertHash("content_signing_onecrl_ee")); + + chain2 = remoteNewTabChain.join("\n"); + ok( + !(await verifier.asyncVerifyContentSignature( + DATA, + GOOD_SIGNATURE, + chain2, + ONECRL_NAME, + Ci.nsIX509CertDB.AppXPCShellRoot + )), + "A newtab signature should not verify if we require the OneCRL SAN" + ); + // Check for invalid EE cert. + check_telemetry(7, 1, getCertHash("content_signing_remote_newtab_ee")); + + // Check good signatures with good chains with some other invalid names + ok( + !(await verifier.asyncVerifyContentSignature( + DATA, + GOOD_SIGNATURE, + chain1, + "", + Ci.nsIX509CertDB.AppXPCShellRoot + )), + "A signature should not verify if the SANs do not match an empty name" + ); + // Check for invalid EE cert. + check_telemetry(7, 1, getCertHash("content_signing_onecrl_ee")); + + // Test expired certificate. + let chainExpired = expiredOneCRLChain.join("\n"); + ok( + !(await verifier.asyncVerifyContentSignature( + DATA, + GOOD_SIGNATURE, + chainExpired, + "", + Ci.nsIX509CertDB.AppXPCShellRoot + )), + "A signature should not verify if the signing certificate is expired" + ); + // Check for expired cert. + check_telemetry(4, 1, getCertHash("content_signing_onecrl_ee_expired")); + + // Test not valid yet certificate. + let chainNotValidYet = notValidYetOneCRLChain.join("\n"); + ok( + !(await verifier.asyncVerifyContentSignature( + DATA, + GOOD_SIGNATURE, + chainNotValidYet, + "", + Ci.nsIX509CertDB.AppXPCShellRoot + )), + "A signature should not verify if the signing certificate is not valid yet" + ); + // Check for not yet valid cert. + check_telemetry(5, 1, getCertHash("content_signing_onecrl_ee_not_valid_yet")); + + let relatedName = "subdomain." + ONECRL_NAME; + ok( + !(await verifier.asyncVerifyContentSignature( + DATA, + GOOD_SIGNATURE, + chain1, + relatedName, + Ci.nsIX509CertDB.AppXPCShellRoot + )), + "A signature should not verify if the SANs do not match a related name" + ); + + let randomName = + "\xb1\x9bU\x1c\xae\xaa3\x19H\xdb\xed\xa1\xa1\xe0\x81\xfb" + + "\xb2\x8f\x1cP\xe5\x8b\x9c\xc2s\xd3\x1f\x8e\xbbN"; + ok( + !(await verifier.asyncVerifyContentSignature( + DATA, + GOOD_SIGNATURE, + chain1, + randomName, + Ci.nsIX509CertDB.AppXPCShellRoot + )), + "A signature should not verify if the SANs do not match a random name" + ); + + // check good signatures with chains that have strange or missing SANs + chain1 = noSANChain.join("\n"); + ok( + !(await verifier.asyncVerifyContentSignature( + DATA, + GOOD_SIGNATURE, + chain1, + ONECRL_NAME, + Ci.nsIX509CertDB.AppXPCShellRoot + )), + "A signature should not verify if the SANs do not match a supplied name" + ); + + // Check malformed signature data + chain1 = oneCRLChain.join("\n"); + let bad_signatures = [ + // wrong length + "p384ecdsa=WqRXFQ7tnlVufpg7A-ZavXvWd2Zln0o4woHBy26C2rUWM4GJke4pE8ecHiXoi-" + + "7KnZXty6Pe3s4o3yAIyKDP9jUC52Ek1Gq25j_X703nP5rk5gM1qz5Fe-qCWakPPl6L==", + // incorrectly encoded + "p384ecdsa='WqRXFQ7tnlVufpg7A-ZavXvWd2Zln0o4woHBy26C2rUWM4GJke4pE8ecHiXoi" + + "-7KnZXty6Pe3s4o3yAIyKDP9jUC52Ek1Gq25j_X703nP5rk5gM1qz5Fe-qCWakPPl6L=", + // missing directive + "other_directive=WqRXFQ7tnlVufpg7A-ZavXvWd2Zln0o4woHBy26C2rUWM4GJke4pE8ec" + + "HiXoi-7KnZXty6Pe3s4o3yAIyKDP9jUC52Ek1Gq25j_X703nP5rk5gM1qz5Fe-qCWakPPl6L", + // actually sha256 with RSA + "p384ecdsa=XS_jiQsS5qlzQyUKaA1nAnQn_OvxhvDfKybflB8Xe5gNH1wNmPGK1qN-jpeTfK" + + "6ob3l3gCTXrsMnOXMeht0kPP3wLfVgXbuuO135pQnsv0c-ltRMWLe56Cm4S4Z6E7WWKLPWaj" + + "jhAcG5dZxjffP9g7tuPP4lTUJztyc4d1z_zQZakEG7R0vN7P5_CaX9MiMzP4R7nC3H4Ba6yi" + + "yjlGvsZwJ_C5zDQzWWs95czUbMzbDScEZ_7AWnidw91jZn-fUK3xLb6m-Zb_b4GAqZ-vnXIf" + + "LpLB1Nzal42BQZn7i4rhAldYdcVvy7rOMlsTUb5Zz6vpVW9LCT9lMJ7Sq1xbU-0g==", + ]; + for (let badSig of bad_signatures) { + await Assert.rejects( + verifier.asyncVerifyContentSignature( + DATA, + badSig, + chain1, + ONECRL_NAME, + Ci.nsIX509CertDB.AppXPCShellRoot + ), + /NS_ERROR/, + `Bad or malformed signature "${badSig}" should be rejected` + ); + } + + // Check malformed and missing certificate chain data + let chainSuffix = [oneCRLChain[1], oneCRLChain[2]].join("\n"); + let badChains = [ + // no data + "", + // completely wrong data + "blah blah \n blah", + ]; + + let badSections = [ + // data that looks like PEM but isn't + "-----BEGIN CERTIFICATE-----\nBSsPRlYp5+gaFMRIczwUzaioRfteCjr94xyz0g==\n", + // data that will start to parse but won't base64decode + "-----BEGIN CERTIFICATE-----\nnon-base64-stuff\n-----END CERTIFICATE-----", + // data with garbage outside of PEM sections + "this data is garbage\n-----BEGIN CERTIFICATE-----\nnon-base64-stuff\n" + + "-----END CERTIFICATE-----", + ]; + + for (let badSection of badSections) { + // ensure we test each bad section on its own... + badChains.push(badSection); + // ... and as part of a chain with good certificates + badChains.push(badSection + "\n" + chainSuffix); + } + + for (let badChain of badChains) { + await Assert.rejects( + verifier.asyncVerifyContentSignature( + DATA, + GOOD_SIGNATURE, + badChain, + ONECRL_NAME, + Ci.nsIX509CertDB.AppXPCShellRoot + ), + /NS_ERROR/, + `Bad chain data starting "${badChain.substring(0, 80)}" ` + + "should be rejected" + ); + } + + ok( + !(await verifier.asyncVerifyContentSignature( + DATA + "appended data", + GOOD_SIGNATURE, + chain1, + ONECRL_NAME, + Ci.nsIX509CertDB.AppXPCShellRoot + )), + "A good signature should not verify if the data is tampered with (append)" + ); + ok( + !(await verifier.asyncVerifyContentSignature( + "prefixed data" + DATA, + GOOD_SIGNATURE, + chain1, + ONECRL_NAME, + Ci.nsIX509CertDB.AppXPCShellRoot + )), + "A good signature should not verify if the data is tampered with (prefix)" + ); + ok( + !(await verifier.asyncVerifyContentSignature( + DATA.replace(/e/g, "i"), + GOOD_SIGNATURE, + chain1, + ONECRL_NAME, + Ci.nsIX509CertDB.AppXPCShellRoot + )), + "A good signature should not verify if the data is tampered with (modify)" + ); +}); diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_int.pem b/security/manager/ssl/tests/unit/test_content_signing/content_signing_int.pem new file mode 100644 index 0000000000..6c80b1be43 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_int.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC8TCCAdmgAwIBAgIUGU8IXEaU5Al531xp9aITCfLjy/cwDQYJKoZIhvcNAQEL +BQAwKTEnMCUGA1UEAwweeHBjc2hlbGwgc2lnbmVkIGFwcHMgdGVzdCByb290MCIY +DzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMBExDzANBgNVBAMMBmlu +dC1DQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1u +togGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6 +pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqL +KkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3Zlqq +fgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3sv +Im9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6za +GAo17Y0CAwEAAaMlMCMwDAYDVR0TBAUwAwEB/zATBgNVHSUEDDAKBggrBgEFBQcD +AzANBgkqhkiG9w0BAQsFAAOCAQEAQw8azGUnMeiHd6BYf8LZDK2dqsbVpWuDT/td +LNQcYStX4jgPSfSxm9Mg6osXBnEKF83qXoNeP6Zt84WSJDotEf0WlC5JfNZFCMry +vfd7odumxp/00LYaMbVK8Wz2LXXXwjsYF8xoZz6zq1DYviXIMluhcvCMepnCUnbP +hY12tcznmHiHCOoEB1qurCfW8MkIz/GkLa409i7wFE9rsAeuAKgtdTStY5g8qp5j +2KpmTzgfCeDgKwOSEUyW4YZXrvHYpPSnLiFsWvdxG3/D9aZExw1fipvzhpvqZYv9 +u2e7Qpt98Cd+Kitom/uDNmX9hv6E3eBThQI8QpTf43z6w/KD4A== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_int.pem.certspec b/security/manager/ssl/tests/unit/test_content_signing/content_signing_int.pem.certspec new file mode 100644 index 0000000000..fc9dfd47ae --- /dev/null +++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_int.pem.certspec @@ -0,0 +1,4 @@ +issuer:xpcshell signed apps test root +subject:int-CA +extension:basicConstraints:cA, +extension:extKeyUsage:codeSigning diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_RSA_ee.pem b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_RSA_ee.pem new file mode 100644 index 0000000000..6bed32b275 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_RSA_ee.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC8TCCAdmgAwIBAgIUFTE7Mh2mtfWK0CXoxo6Cg3kjXTYwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGaW50LUNBMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy +MDQwMDAwMDBaMBExDzANBgNVBAMMBmVlLVJTQTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl +qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg +w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx +V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1 +MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs +vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaM9MDswEwYDVR0lBAww +CgYIKwYBBQUHAwMwJAYDVR0RBB0wG4IZb25lQ1JMLXNpZ25lci5tb3ppbGxhLm9y +ZzANBgkqhkiG9w0BAQsFAAOCAQEAdc8e+0GrLdxWfJdIUHb+0NX80dUhnJcyVUJs +dDIFnrbobiokoGWFXiJeFP10ykYEdn2J4BcenMlmKiDNe3upy6ptSNscjEu4E5TY +QEy0r0MIA7ip/BoOTUUQhA31njpCaqNFYkoKnOMtrKPqgIs4KhYGInPaGoNCZfNk +698Ybaei7mCr0io4PUQTgCWmgQogSpj2K0qjarF+fsxHBAggUn8o004gI3ITKkms +PjlBh7oUUQlMniwjNCFFzniTKwVww99waMKHacwOwFHTGRTV3VXzIMQztYck/Kxh +LHocSWTGkZM316xaZWme8SIsmszSzE6uU2iU+ewKEtDNNdmGdA== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_RSA_ee.pem.certspec b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_RSA_ee.pem.certspec new file mode 100644 index 0000000000..7b2a02bdaf --- /dev/null +++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_RSA_ee.pem.certspec @@ -0,0 +1,4 @@ +issuer:int-CA +subject:ee-RSA +extension:extKeyUsage:codeSigning +extension:subjectAlternativeName:oneCRL-signer.mozilla.org diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee.pem b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee.pem new file mode 100644 index 0000000000..ea13c7f53b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee.pem @@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICPzCCASegAwIBAgIUA7oml57umCZ/IgF0YUnt3qSjnaIwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGaW50LUNBMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy +MDQwMDAwMDBaMA0xCzAJBgNVBAMMAmVlMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE +oWhyQzYrXHsYifN5FUYVocc/tI3uhj4CKRXbYI4lLeS3Ey2ozpjoMVNOapwMCwnI +1jmt6DIG5bqBNHOhH6Mw4F2oyW5Dg/4nhz2pcQO+KIjP8ALwWvcaH93Mg3SqbqnO +oz0wOzATBgNVHSUEDDAKBggrBgEFBQcDAzAkBgNVHREEHTAbghlvbmVDUkwtc2ln +bmVyLm1vemlsbGEub3JnMA0GCSqGSIb3DQEBCwUAA4IBAQBj1PtEW92ZLKQYPRq/ +LJcgVtG8Kch2etUd7d3qepgLPy0QEMYL3U/dRix4RnvIPMJwa+RRjYKshMvK1gU1 +6KZagPWYSVVKWYL/es4XoP4vMre+ya6Z1kJ+23pL2T1qb2Z4CyP39Hz2JdQt9DgN +plyC3Gef5T3UFZV9XGj6EcFsmh8n+SwB5w2/pveeBHbvAN0VDlSrKLZjOlrK1rMd +H0nAjqvNvPs8AzzFUBCebLszrB74fXHQrhdU+SRlczyWWZuCgmksr7z/2V86lIKe +vIG0m/ntP6urXYTf3JqLzuilEc2/WiI+shJprdm5cV64KoIKplAjeC/fSs7GG912 +G51n +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee.pem.certspec b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee.pem.certspec new file mode 100644 index 0000000000..ab22807b9e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee.pem.certspec @@ -0,0 +1,5 @@ +issuer:int-CA +subject:ee +subjectKey:secp384r1 +extension:extKeyUsage:codeSigning +extension:subjectAlternativeName:oneCRL-signer.mozilla.org diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_expired.pem b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_expired.pem new file mode 100644 index 0000000000..ef22669f4d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_expired.pem @@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICTjCCATagAwIBAgIUOQNrYQz01j0SirgoHMLKbtGL9RowDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGaW50LUNBMCIYDzIwMTMwMTAxMDAwMDAwWhgPMjAxNDAx +MDEwMDAwMDBaMBwxGjAYBgNVBAMMEWVlLWludC1DQS1leHBpcmVkMHYwEAYHKoZI +zj0CAQYFK4EEACIDYgAEoWhyQzYrXHsYifN5FUYVocc/tI3uhj4CKRXbYI4lLeS3 +Ey2ozpjoMVNOapwMCwnI1jmt6DIG5bqBNHOhH6Mw4F2oyW5Dg/4nhz2pcQO+KIjP +8ALwWvcaH93Mg3SqbqnOoz0wOzATBgNVHSUEDDAKBggrBgEFBQcDAzAkBgNVHREE +HTAbghlvbmVDUkwtc2lnbmVyLm1vemlsbGEub3JnMA0GCSqGSIb3DQEBCwUAA4IB +AQBZJPo4llgMe5588+BnRLnFguspIiwMWmTeqCfi8VQBx/tUwRiTizbU7J2Yh9bo +yZEPKfPSP2o8J0eSUgvXdVOxU1fNRuocsVfXUlveq5x10ddjXBT9X4AY1mtR7HJw +hl/7269N8b4itfrfvZmCBToJayjv0I2N84bqjpOnXJ/iB5YVdk8oZIJDXWi4SR3B +E9IejwA1fikpt++RjpJSZ1BSNU7FfiyGGUonxHDoP/29znaOJnpAqaH5LVJCRkfN +H12vePBbunZd+ay5r+mMJPaXR+V2sY8OaOfcrPSHQLa8Eb/EEhBuITMKkOucohjx +zqvM6S2iOI9GbwHClybEHRO7 +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_expired.pem.certspec b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_expired.pem.certspec new file mode 100644 index 0000000000..48fd9c8cc7 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_expired.pem.certspec @@ -0,0 +1,6 @@ +issuer:int-CA +subject:ee-int-CA-expired +subjectKey:secp384r1 +validity:20130101-20140101 +extension:extKeyUsage:codeSigning +extension:subjectAlternativeName:oneCRL-signer.mozilla.org diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_not_valid_yet.pem b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_not_valid_yet.pem new file mode 100644 index 0000000000..6cf5c6a312 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_not_valid_yet.pem @@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICVDCCATygAwIBAgIUbV+rBAfhGRv/bU22A92xneoAy3owDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGaW50LUNBMCIYDzIwNTAwMTAxMDAwMDAwWhgPMjA1MTAx +MDEwMDAwMDBaMCIxIDAeBgNVBAMMF2VlLWludC1DQS1ub3QteWV0LXZhbGlkMHYw +EAYHKoZIzj0CAQYFK4EEACIDYgAEoWhyQzYrXHsYifN5FUYVocc/tI3uhj4CKRXb +YI4lLeS3Ey2ozpjoMVNOapwMCwnI1jmt6DIG5bqBNHOhH6Mw4F2oyW5Dg/4nhz2p +cQO+KIjP8ALwWvcaH93Mg3SqbqnOoz0wOzATBgNVHSUEDDAKBggrBgEFBQcDAzAk +BgNVHREEHTAbghlvbmVDUkwtc2lnbmVyLm1vemlsbGEub3JnMA0GCSqGSIb3DQEB +CwUAA4IBAQAjXmLNn2kLa/FzNp7F3PqcSXuAO2jT31Y2g4pZnVqCDfMqplsl2ZFn +oam3wyQnepm3q9DD4BOAW9JFYR3wqnl9cBRNHlSGyjGM4qBpuSD6WxAz7EdFcRO6 +fcA50245fAuB45UJeYJ58QvIBv7AwoBGnqAI7ZDN3eIGopZIL56jiH7vO9WyQPWj +XZAWrXTG68rEf0RxXRtjUv9coFiuInT8+oyXB3NwK2EbaI5IeR+x3qIDEgNKk+t+ +PlE3NrtaAiK19p0s9RtQQilBKNmo+5irrUq/OD2H1aurDaAXpLTM5vLUpfyN3/qD +HzuZujaUIeMsRiXsIRDNql1S+nq4oNRy +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_not_valid_yet.pem.certspec b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_not_valid_yet.pem.certspec new file mode 100644 index 0000000000..b2926dfc42 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_not_valid_yet.pem.certspec @@ -0,0 +1,6 @@ +issuer:int-CA +subject:ee-int-CA-not-yet-valid +subjectKey:secp384r1 +validity:20500101-20510101 +extension:extKeyUsage:codeSigning +extension:subjectAlternativeName:oneCRL-signer.mozilla.org diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_no_SAN_ee.pem b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_no_SAN_ee.pem new file mode 100644 index 0000000000..38a5cb49d5 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_no_SAN_ee.pem @@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICIDCCAQigAwIBAgIUY7jRIZeIM6YhjwqgwU+oz6TUcqowDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGaW50LUNBMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy +MDQwMDAwMDBaMBQxEjAQBgNVBAMMCWVlLW5vLVNBTjB2MBAGByqGSM49AgEGBSuB +BAAiA2IABKFockM2K1x7GInzeRVGFaHHP7SN7oY+AikV22COJS3ktxMtqM6Y6DFT +TmqcDAsJyNY5regyBuW6gTRzoR+jMOBdqMluQ4P+J4c9qXEDviiIz/AC8Fr3Gh/d +zIN0qm6pzqMXMBUwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDQYJKoZIhvcNAQELBQAD +ggEBAEqtCU8lSjgP99MrexGbpxALf7VMIufjcXABBvOQOgm2awrncwIHbWRe+0xJ +FrPRGLnvGvwcA5GBTlaQXCvljKOo/2WoIh9BlQbYYKEf8C/IZqt86vXCWuDZE+B/ +DVhjTYG5NQpoJlt9LPakHrYa/hc5aZsCfX/r4kM7a9z+gOrd8Sw8NmsrXYH6btaL +o/5YT2Rk2+MDBcfxOsoDLxn/Mmy/gPArxLDOHqKyKKEXpmuuVdaWTB23ka/aioTE +y/0ofLSPgGkCKMy3IQrsmt2TaZLV8RRTiDy+MZa0lDr7LCblFDELTKqQ/nBb9pEH +rTvkcKcOR/HW0jpq95qMM+fj4oU= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_no_SAN_ee.pem.certspec b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_no_SAN_ee.pem.certspec new file mode 100644 index 0000000000..4a9b9a3ceb --- /dev/null +++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_no_SAN_ee.pem.certspec @@ -0,0 +1,4 @@ +issuer:int-CA +subject:ee-no-SAN +subjectKey:secp384r1 +extension:extKeyUsage:codeSigning diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_wrong_key_ee.pem b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_wrong_key_ee.pem new file mode 100644 index 0000000000..0c29e8f29d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_wrong_key_ee.pem @@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICLDCCARSgAwIBAgIUbSoIkbNI9t6sArDLYdbzFiAd0JYwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGaW50LUNBMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy +MDQwMDAwMDBaMBcxFTATBgNVBAMMDGVlLXdyb25nLWtleTBZMBMGByqGSM49AgEG +CCqGSM49AwEHA0IABE+/u7th4Pj5saYKWayHBOLsBQtCPjz3LpI/LE95S0VcKmnS +M0VsNsQRnQcG4A7tyNGTkNeZG3stB6ME6qBKpsCjPTA7MBMGA1UdJQQMMAoGCCsG +AQUFBwMDMCQGA1UdEQQdMBuCGW9uZUNSTC1zaWduZXIubW96aWxsYS5vcmcwDQYJ +KoZIhvcNAQELBQADggEBAARtyqnHpwUYNk/YrWDukcEhGd/2yRTBR2B2DmzKbQ4h +S7IT+lYWU09oieEF5REWSsZi4Ox2GuYtkdHZhwUIc/S+2/kad5BPM8okDTBNfG8m +LP+O/eIajp5FUj3EMcgfGZIO8FmOd2UDfz2Wz9Bmr7vJLq+oySl9Hs3zOD1SBNQt +Hcn92kDhV+5wzCJnSc0XJ2ceZE6zMEgSiMavtzjNYS+05xoFYYyUyj0AlhOwliqd +KJh2nmgTSiELWor+UHRM1SutD0fAbDtUIayjKzTM4RDfXXNQB46ECDxb1r1N5gtp +hR5shvtmKShLD9jeYeZ+jxATISrp7a59FBGD6uGlOR4= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_wrong_key_ee.pem.certspec b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_wrong_key_ee.pem.certspec new file mode 100644 index 0000000000..fbc8e603f4 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_wrong_key_ee.pem.certspec @@ -0,0 +1,5 @@ +issuer:int-CA +subject:ee-wrong-key +subjectKey:secp256r1 +extension:extKeyUsage:codeSigning +extension:subjectAlternativeName:oneCRL-signer.mozilla.org diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_remote_newtab_ee.pem b/security/manager/ssl/tests/unit/test_content_signing/content_signing_remote_newtab_ee.pem new file mode 100644 index 0000000000..cba7eb1251 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_remote_newtab_ee.pem @@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICUDCCATigAwIBAgIUF/JDW1X4ZKGHzTxZomDnqIjZmc4wDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGaW50LUNBMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy +MDQwMDAwMDBaMA0xCzAJBgNVBAMMAmVlMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE +oWhyQzYrXHsYifN5FUYVocc/tI3uhj4CKRXbYI4lLeS3Ey2ozpjoMVNOapwMCwnI +1jmt6DIG5bqBNHOhH6Mw4F2oyW5Dg/4nhz2pcQO+KIjP8ALwWvcaH93Mg3SqbqnO +o04wTDATBgNVHSUEDDAKBggrBgEFBQcDAzA1BgNVHREELjAsgipyZW1vdGVuZXd0 +YWIuY29udGVudC1zaWduYXR1cmUubW96aWxsYS5vcmcwDQYJKoZIhvcNAQELBQAD +ggEBAEAu16P/xzj+SvJJNjJl/pAJYsI4XVAw2RgOvU6QFW4S11uPdA6hIsuyHpTj +FycLvhbvGqn18b0tw/fftWDuG5SB+uHWMdXLG/iJYfMbBPQJqCKdJFZIcazjnhwV +E4l3Iy1+xOA08sO3soMzxojAzfecu9V1ffyqs2H6eQgf4mrNXPV9QuAjkNblwswz +NnlzwALT0oMGXYxq4sD2uUhIOCrAT4/Yvv6dx/U5d+poP93mfZs/MU05NOhf3lAz +tmNCHTgAB6fDiMbmDR9GmInhdYXW16/dCIRUBjqqRanHPmeO77az/4FLOWdu5at/ +D/jpygc524O22HsEx65ha23PlCQ= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_remote_newtab_ee.pem.certspec b/security/manager/ssl/tests/unit/test_content_signing/content_signing_remote_newtab_ee.pem.certspec new file mode 100644 index 0000000000..81e1eefe1d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_remote_newtab_ee.pem.certspec @@ -0,0 +1,5 @@ +issuer:int-CA +subject:ee +subjectKey:secp384r1 +extension:extKeyUsage:codeSigning +extension:subjectAlternativeName:remotenewtab.content-signature.mozilla.org diff --git a/security/manager/ssl/tests/unit/test_content_signing/pysign.py b/security/manager/ssl/tests/unit/test_content_signing/pysign.py new file mode 100644 index 0000000000..23c6128aa2 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_content_signing/pysign.py @@ -0,0 +1,36 @@ +#!/usr/bin/env python +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +""" +Create an ECDSA signature on the P-384 curve using the SHA-384 hash of data from +stdin. The key used for the signature is the secp384r1Encoded key used in pykey +and pycert. + +The certificates for the content signature tests make use of this program. +You can use pysign.py like this: + +cat test.txt | python pysign.py > test.txt.signature +""" + +import base64 +import binascii +import hashlib +import pathlib +import six +import sys + +import ecdsa + +# For pykey, find the relative file location and add it to path +toolsDir = (pathlib.Path(__file__).parents[4] / "tools").resolve() +sys.path.append(str(toolsDir)) +import pykey + +data = sys.stdin.buffer.read() + +key = pykey.ECCKey("secp384r1") +sig = key.signRaw(b"Content-Signature:\00" + data, pykey.HASH_SHA384) +print(str(base64.b64encode(sig)).replace("+", "-").replace("/", "_")) diff --git a/security/manager/ssl/tests/unit/test_content_signing/test.txt b/security/manager/ssl/tests/unit/test_content_signing/test.txt new file mode 100644 index 0000000000..2daac1cb00 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_content_signing/test.txt @@ -0,0 +1 @@ +This is a test file to test content-signature verification with a PKI. diff --git a/security/manager/ssl/tests/unit/test_content_signing/test.txt.signature b/security/manager/ssl/tests/unit/test_content_signing/test.txt.signature new file mode 100644 index 0000000000..e613981473 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_content_signing/test.txt.signature @@ -0,0 +1 @@ +hSvmvvA7_QLedDsjRJGBevqLwjPILx1EtWSPP4A0fepaWWPuuZRB8VfDT2j07bKDacRsbmJjmvg_R4CpKmnoWF8-2w5lSszlFFDqYSvQVQxpKhu-HMM_qquu_l0KecQ2 diff --git a/security/manager/ssl/tests/unit/test_crlite_corrupted/bad.stash b/security/manager/ssl/tests/unit/test_crlite_corrupted/bad.stash new file mode 100644 index 0000000000..7bde8641b9 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_corrupted/bad.stash @@ -0,0 +1 @@ +ÿÿÿÿ
\ No newline at end of file diff --git a/security/manager/ssl/tests/unit/test_crlite_corrupted/hash-alg-0.filter b/security/manager/ssl/tests/unit/test_crlite_corrupted/hash-alg-0.filter Binary files differnew file mode 100644 index 0000000000..f76dd238ad --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_corrupted/hash-alg-0.filter diff --git a/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-issuer-id.enrollment b/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-issuer-id.enrollment new file mode 100644 index 0000000000..119fd67098 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-issuer-id.enrollment @@ -0,0 +1,2 @@ + +
\ No newline at end of file diff --git a/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-log-id.coverage b/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-log-id.coverage new file mode 100644 index 0000000000..119fd67098 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-log-id.coverage @@ -0,0 +1,2 @@ + +
\ No newline at end of file diff --git a/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-max-timestamp.coverage b/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-max-timestamp.coverage Binary files differnew file mode 100644 index 0000000000..787a2bdfc7 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-max-timestamp.coverage diff --git a/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-min-timestamp.coverage b/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-min-timestamp.coverage Binary files differnew file mode 100644 index 0000000000..c76b47cac6 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-min-timestamp.coverage diff --git a/security/manager/ssl/tests/unit/test_crlite_corrupted/version-0.coverage b/security/manager/ssl/tests/unit/test_crlite_corrupted/version-0.coverage Binary files differnew file mode 100644 index 0000000000..d08c818596 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_corrupted/version-0.coverage diff --git a/security/manager/ssl/tests/unit/test_crlite_corrupted/version-0.enrollment b/security/manager/ssl/tests/unit/test_crlite_corrupted/version-0.enrollment Binary files differnew file mode 100644 index 0000000000..3ef70ac188 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_corrupted/version-0.enrollment diff --git a/security/manager/ssl/tests/unit/test_crlite_coverage_missing.js b/security/manager/ssl/tests/unit/test_crlite_coverage_missing.js new file mode 100644 index 0000000000..2b71c3dfe2 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_coverage_missing.js @@ -0,0 +1,17 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +// Tests that CRLite is left in the uninitialized state when the profile +// contains a corrupted coverage file. Specifically, this handles the case +// where the coverage file is missing. + +"use strict"; + +/* eslint-disable no-unused-vars */ +let coverage = undefined; +let enrollment = do_get_file("test_crlite_preexisting/crlite.enrollment"); +let filter = do_get_file("test_crlite_filters/20201017-0-filter"); + +load("./corrupted_crlite_helper.js"); diff --git a/security/manager/ssl/tests/unit/test_crlite_coverage_trunc1.js b/security/manager/ssl/tests/unit/test_crlite_coverage_trunc1.js new file mode 100644 index 0000000000..1782885964 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_coverage_trunc1.js @@ -0,0 +1,17 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +// Tests that CRLite is left in the uninitialized state when the profile +// contains a corrupted coverage file. Specifically, this handles the case +// where the coverage file is truncated in a LogID field. + +"use strict"; + +/* eslint-disable no-unused-vars */ +let coverage = do_get_file("test_crlite_corrupted/trunc-log-id.coverage"); +let enrollment = do_get_file("test_crlite_preexisting/crlite.enrollment"); +let filter = do_get_file("test_crlite_filters/20201017-0-filter"); + +load("./corrupted_crlite_helper.js"); diff --git a/security/manager/ssl/tests/unit/test_crlite_coverage_trunc2.js b/security/manager/ssl/tests/unit/test_crlite_coverage_trunc2.js new file mode 100644 index 0000000000..0eed16bac3 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_coverage_trunc2.js @@ -0,0 +1,19 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +// Tests that CRLite is left in the uninitialized state when the profile +// contains a corrupted coverage file. Specifically, this handles the case +// where the coverage file is truncated in a MinTimestamp field. + +"use strict"; + +/* eslint-disable no-unused-vars */ +let coverage = do_get_file( + "test_crlite_corrupted/trunc-min-timestamp.coverage" +); +let enrollment = do_get_file("test_crlite_preexisting/crlite.enrollment"); +let filter = do_get_file("test_crlite_filters/20201017-0-filter"); + +load("./corrupted_crlite_helper.js"); diff --git a/security/manager/ssl/tests/unit/test_crlite_coverage_trunc3.js b/security/manager/ssl/tests/unit/test_crlite_coverage_trunc3.js new file mode 100644 index 0000000000..419a639b07 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_coverage_trunc3.js @@ -0,0 +1,19 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +// Tests that CRLite is left in the uninitialized state when the profile +// contains a corrupted coverage file. Specifically, this handles the case +// where the coverage file is truncated in a MaxTimestamp field. + +"use strict"; + +/* eslint-disable no-unused-vars */ +let coverage = do_get_file( + "test_crlite_corrupted/trunc-max-timestamp.coverage" +); +let enrollment = do_get_file("test_crlite_preexisting/crlite.enrollment"); +let filter = do_get_file("test_crlite_filters/20201017-0-filter"); + +load("./corrupted_crlite_helper.js"); diff --git a/security/manager/ssl/tests/unit/test_crlite_coverage_version.js b/security/manager/ssl/tests/unit/test_crlite_coverage_version.js new file mode 100644 index 0000000000..1764e5abaf --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_coverage_version.js @@ -0,0 +1,17 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +// Tests that CRLite is left in the uninitialized state when the profile +// contains a corrupted coverage file. Specifically, this handles the case +// where the coverage file's version is not recognized. + +"use strict"; + +/* eslint-disable no-unused-vars */ +let coverage = do_get_file("test_crlite_corrupted/version-0.coverage"); +let enrollment = do_get_file("test_crlite_preexisting/crlite.enrollment"); +let filter = do_get_file("test_crlite_filters/20201017-0-filter"); + +load("./corrupted_crlite_helper.js"); diff --git a/security/manager/ssl/tests/unit/test_crlite_enrollment_trunc1.js b/security/manager/ssl/tests/unit/test_crlite_enrollment_trunc1.js new file mode 100644 index 0000000000..5f259f28a2 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_enrollment_trunc1.js @@ -0,0 +1,19 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +// Tests that CRLite is left in the uninitialized state when the profile +// contains a corrupted enrollment file. Specifically, this handles the case +// where the enrollment file is truncated in an issuer ID field. + +"use strict"; + +/* eslint-disable no-unused-vars */ +let coverage = do_get_file("test_crlite_preexisting/crlite.coverage"); +let enrollment = do_get_file( + "test_crlite_corrupted/trunc-issuer-id.enrollment" +); +let filter = do_get_file("test_crlite_filters/20201017-0-filter"); + +load("./corrupted_crlite_helper.js"); diff --git a/security/manager/ssl/tests/unit/test_crlite_enrollment_version.js b/security/manager/ssl/tests/unit/test_crlite_enrollment_version.js new file mode 100644 index 0000000000..8c673a47d5 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_enrollment_version.js @@ -0,0 +1,17 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +// Tests that CRLite is left in the uninitialized state when the profile +// contains a corrupted enrollment file. Specifically, this handles the case +// where the enrollment file's version is not recognized. + +"use strict"; + +/* eslint-disable no-unused-vars */ +let coverage = do_get_file("test_crlite_preexisting/crlite.coverage"); +let enrollment = do_get_file("test_crlite_corrupted/version-0.enrollment"); +let filter = do_get_file("test_crlite_filters/20201017-0-filter"); + +load("./corrupted_crlite_helper.js"); diff --git a/security/manager/ssl/tests/unit/test_crlite_filter_corrupted.js b/security/manager/ssl/tests/unit/test_crlite_filter_corrupted.js new file mode 100644 index 0000000000..cc947d287f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_filter_corrupted.js @@ -0,0 +1,21 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +// Tests that CRLite is left in the uninitialized state when the profile +// contains a corrupted filter file. +// +// There are many ways that a filter file could be corrupted, but the parsing +// is done in rust-cascade, not cert_storage, so it is sufficient for us to +// test any form of corruption here. For simplicity we just try to load a +// single \x00 byte as the filter. + +"use strict"; + +/* eslint-disable no-unused-vars */ +let coverage = do_get_file("test_crlite_preexisting/crlite.coverage"); +let enrollment = do_get_file("test_crlite_preexisting/crlite.enrollment"); +let filter = do_get_file("test_crlite_corrupted/hash-alg-0.filter"); + +load("./corrupted_crlite_helper.js"); diff --git a/security/manager/ssl/tests/unit/test_crlite_filters.js b/security/manager/ssl/tests/unit/test_crlite_filters.js new file mode 100644 index 0000000000..55fe4d75e3 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_filters.js @@ -0,0 +1,880 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +// Tests that CRLite filter downloading works correctly. + +// The file `test_crlite_filters/20201017-0-filter` can be regenerated using +// the rust-create-cascade program from https://github.com/mozilla/crlite. +// +// The input to this program is a list of known serial numbers and a list of +// revoked serial numbers. The lists are presented as directories of files in +// which each file holds serials for one issuer. The file names are +// urlsafe-base64 encoded SHA256 hashes of issuer SPKIs. The file contents are +// ascii hex encoded serial numbers. The program crlite_key.py in this directory +// can generate these values for you. +// +// The test filter was generated as follows: +// +// $ ./crlite_key.py test_crlite_filters/issuer.pem test_crlite_filters/valid.pem +// 8Rw90Ej3Ttt8RRkrg-WYDS9n7IS03bk5bjP_UXPtaY8= +// 00da4f392bfd8bcea8 +// +// $ ./crlite_key.py test_crlite_filters/issuer.pem test_crlite_filters/revoked.pem +// 8Rw90Ej3Ttt8RRkrg-WYDS9n7IS03bk5bjP_UXPtaY8= +// 2d35ca6503fb1ba3 +// +// $ mkdir known revoked +// $ echo "00da4f392bfd8bcea8" > known/8Rw90Ej3Ttt8RRkrg-WYDS9n7IS03bk5bjP_UXPtaY8\= +// $ echo "2d35ca6503fb1ba3" >> known/8Rw90Ej3Ttt8RRkrg-WYDS9n7IS03bk5bjP_UXPtaY8\= +// $ echo "2d35ca6503fb1ba3" > revoked/8Rw90Ej3Ttt8RRkrg-WYDS9n7IS03bk5bjP_UXPtaY8\= +// +// $ rust-create-cascade --known ./known/ --revoked ./revoked/ +// + +"use strict"; +do_get_profile(); // must be called before getting nsIX509CertDB + +const { RemoteSecuritySettings } = ChromeUtils.importESModule( + "resource://gre/modules/psm/RemoteSecuritySettings.sys.mjs" +); +const { TestUtils } = ChromeUtils.importESModule( + "resource://testing-common/TestUtils.sys.mjs" +); + +const { CRLiteFiltersClient } = RemoteSecuritySettings.init(); + +const CRLITE_FILTERS_ENABLED_PREF = + "security.remote_settings.crlite_filters.enabled"; +const INTERMEDIATES_ENABLED_PREF = + "security.remote_settings.intermediates.enabled"; +const INTERMEDIATES_DL_PER_POLL_PREF = + "security.remote_settings.intermediates.downloads_per_poll"; + +// crlite_enrollment_id.py test_crlite_filters/issuer.pem +const ISSUER_PEM_UID = "UbH9/ZAnjuqf79Xhah1mFOWo6ZvgQCgsdheWfjvVUM8="; +// crlite_enrollment_id.py test_crlite_filters/no-sct-issuer.pem +const NO_SCT_ISSUER_PEM_UID = "Myn7EasO1QikOtNmo/UZdh6snCAw0BOY6wgU8OsUeeY="; + +function getHashCommon(aStr, useBase64) { + let hasher = Cc["@mozilla.org/security/hash;1"].createInstance( + Ci.nsICryptoHash + ); + hasher.init(Ci.nsICryptoHash.SHA256); + let stringStream = Cc["@mozilla.org/io/string-input-stream;1"].createInstance( + Ci.nsIStringInputStream + ); + stringStream.data = aStr; + hasher.updateFromStream(stringStream, -1); + + return hasher.finish(useBase64); +} + +// Get a hexified SHA-256 hash of the given string. +function getHash(aStr) { + return hexify(getHashCommon(aStr, false)); +} + +// Get the name of the file in the test directory to serve as the attachment +// for the given filter. +function getFilenameForFilter(filter) { + if (filter.type == "full") { + return "20201017-0-filter"; + } + if (filter.id == "0001") { + return "20201017-1-filter.stash"; + } + // The addition of another stash file was written more than a month after + // other parts of this test. As such, the second stash file for October 17th, + // 2020 was not readily available. Since the structure of stash files don't + // depend on each other, though, any two stash files are compatible, and so + // this stash from December 1st is used instead. + return "20201201-3-filter.stash"; +} + +/** + * Simulate a Remote Settings synchronization by filling up the local data with + * fake records. + * + * @param {*} filters List of filters for which we will create records. + * @param {boolean} clear Whether or not to clear the local DB first. Defaults + * to true. + */ +async function syncAndDownload(filters, clear = true) { + const localDB = await CRLiteFiltersClient.client.db; + if (clear) { + await localDB.clear(); + } + + for (let filter of filters) { + const filename = getFilenameForFilter(filter); + const file = do_get_file(`test_crlite_filters/${filename}`); + const fileBytes = readFile(file); + + const record = { + details: { + name: `${filter.timestamp}-${filter.type}`, + }, + attachment: { + hash: getHash(fileBytes), + size: fileBytes.length, + filename, + location: `security-state-workspace/cert-revocations/test_crlite_filters/${filename}`, + mimetype: "application/octet-stream", + }, + incremental: filter.type == "diff", + effectiveTimestamp: new Date(filter.timestamp).getTime(), + parent: filter.type == "diff" ? filter.parent : undefined, + id: filter.id, + coverage: filter.type == "full" ? filter.coverage : undefined, + enrolledIssuers: + filter.type == "full" ? filter.enrolledIssuers : undefined, + }; + + await localDB.create(record); + } + // This promise will wait for the end of downloading. + let promise = TestUtils.topicObserved( + "remote-security-settings:crlite-filters-downloaded" + ); + // Simulate polling for changes, trigger the download of attachments. + Services.obs.notifyObservers(null, "remote-settings:changes-poll-end"); + let results = await promise; + return results[1]; // topicObserved gives back a 2-array +} + +add_task(async function test_crlite_filters_disabled() { + Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, false); + + let result = await syncAndDownload([ + { + timestamp: "2019-01-01T00:00:00Z", + type: "full", + id: "0000", + coverage: [ + { + logID: "9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOM=", + minTimestamp: 0, + maxTimestamp: 9999999999999, + }, + ], + }, + ]); + equal(result, "disabled", "CRLite filter download should not have run"); +}); + +add_task(async function test_crlite_no_filters() { + Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true); + + let result = await syncAndDownload([]); + equal( + result, + "unavailable", + "CRLite filter download should have run, but nothing was available" + ); +}); + +add_task(async function test_crlite_only_incremental_filters() { + Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true); + + let result = await syncAndDownload([ + { + timestamp: "2019-01-01T06:00:00Z", + type: "diff", + id: "0001", + parent: "0000", + }, + { + timestamp: "2019-01-01T18:00:00Z", + type: "diff", + id: "0002", + parent: "0001", + }, + { + timestamp: "2019-01-01T12:00:00Z", + type: "diff", + id: "0003", + parent: "0002", + }, + ]); + equal( + result, + "unavailable", + "CRLite filter download should have run, but no full filters were available" + ); +}); + +add_task(async function test_crlite_incremental_filters_with_wrong_parent() { + Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true); + + let result = await syncAndDownload([ + { timestamp: "2019-01-01T00:00:00Z", type: "full", id: "0000" }, + { + timestamp: "2019-01-01T06:00:00Z", + type: "diff", + id: "0001", + parent: "0000", + }, + { + timestamp: "2019-01-01T12:00:00Z", + type: "diff", + id: "0003", + parent: "0002", + }, + { + timestamp: "2019-01-01T18:00:00Z", + type: "diff", + id: "0004", + parent: "0003", + }, + ]); + let [status, filters] = result.split(";"); + equal(status, "finished", "CRLite filter download should have run"); + let filtersSplit = filters.split(","); + deepEqual( + filtersSplit, + ["2019-01-01T00:00:00Z-full", "2019-01-01T06:00:00Z-diff"], + "Should have downloaded the expected CRLite filters" + ); +}); + +add_task(async function test_crlite_incremental_filter_too_early() { + Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true); + + let result = await syncAndDownload([ + { timestamp: "2019-01-02T00:00:00Z", type: "full", id: "0000" }, + { + timestamp: "2019-01-01T00:00:00Z", + type: "diff", + id: "0001", + parent: "0000", + }, + ]); + equal( + result, + "finished;2019-01-02T00:00:00Z-full", + "CRLite filter download should have run" + ); +}); + +add_task(async function test_crlite_filters_basic() { + Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true); + + let result = await syncAndDownload([ + { timestamp: "2019-01-01T00:00:00Z", type: "full", id: "0000" }, + ]); + equal( + result, + "finished;2019-01-01T00:00:00Z-full", + "CRLite filter download should have run" + ); +}); + +add_task(async function test_crlite_filters_not_cached() { + Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true); + let filters = [ + { timestamp: "2019-01-01T00:00:00Z", type: "full", id: "0000" }, + ]; + let result = await syncAndDownload(filters); + equal( + result, + "finished;2019-01-01T00:00:00Z-full", + "CRLite filter download should have run" + ); + + let records = await CRLiteFiltersClient.client.db.list(); + + // `syncAndDownload` should not cache the attachment, so this download should + // get the attachment from the source. + let attachment = await CRLiteFiltersClient.client.attachments.download( + records[0] + ); + equal(attachment._source, "remote_match"); + await CRLiteFiltersClient.client.attachments.deleteDownloaded(records[0]); +}); + +add_task(async function test_crlite_filters_full_and_incremental() { + Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true); + + let result = await syncAndDownload([ + // These are deliberately listed out of order. + { + timestamp: "2019-01-01T06:00:00Z", + type: "diff", + id: "0001", + parent: "0000", + }, + { timestamp: "2019-01-01T00:00:00Z", type: "full", id: "0000" }, + { + timestamp: "2019-01-01T18:00:00Z", + type: "diff", + id: "0003", + parent: "0002", + }, + { + timestamp: "2019-01-01T12:00:00Z", + type: "diff", + id: "0002", + parent: "0001", + }, + ]); + let [status, filters] = result.split(";"); + equal(status, "finished", "CRLite filter download should have run"); + let filtersSplit = filters.split(","); + deepEqual( + filtersSplit, + [ + "2019-01-01T00:00:00Z-full", + "2019-01-01T06:00:00Z-diff", + "2019-01-01T12:00:00Z-diff", + "2019-01-01T18:00:00Z-diff", + ], + "Should have downloaded the expected CRLite filters" + ); +}); + +add_task(async function test_crlite_filters_multiple_days() { + Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true); + + let result = await syncAndDownload([ + // These are deliberately listed out of order. + { + timestamp: "2019-01-02T06:00:00Z", + type: "diff", + id: "0011", + parent: "0010", + }, + { + timestamp: "2019-01-03T12:00:00Z", + type: "diff", + id: "0022", + parent: "0021", + }, + { + timestamp: "2019-01-02T12:00:00Z", + type: "diff", + id: "0012", + parent: "0011", + }, + { + timestamp: "2019-01-03T18:00:00Z", + type: "diff", + id: "0023", + parent: "0022", + }, + { + timestamp: "2019-01-02T18:00:00Z", + type: "diff", + id: "0013", + parent: "0012", + }, + { timestamp: "2019-01-02T00:00:00Z", type: "full", id: "0010" }, + { timestamp: "2019-01-03T00:00:00Z", type: "full", id: "0020" }, + { + timestamp: "2019-01-01T06:00:00Z", + type: "diff", + id: "0001", + parent: "0000", + }, + { + timestamp: "2019-01-01T18:00:00Z", + type: "diff", + id: "0003", + parent: "0002", + }, + { + timestamp: "2019-01-01T12:00:00Z", + type: "diff", + id: "0002", + parent: "0001", + }, + { timestamp: "2019-01-01T00:00:00Z", type: "full", id: "0000" }, + { + timestamp: "2019-01-03T06:00:00Z", + type: "diff", + id: "0021", + parent: "0020", + }, + ]); + let [status, filters] = result.split(";"); + equal(status, "finished", "CRLite filter download should have run"); + let filtersSplit = filters.split(","); + deepEqual( + filtersSplit, + [ + "2019-01-03T00:00:00Z-full", + "2019-01-03T06:00:00Z-diff", + "2019-01-03T12:00:00Z-diff", + "2019-01-03T18:00:00Z-diff", + ], + "Should have downloaded the expected CRLite filters" + ); +}); + +add_task(async function test_crlite_confirm_revocations_mode() { + Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true); + Services.prefs.setIntPref( + "security.pki.crlite_mode", + CRLiteModeConfirmRevocationsValue + ); + Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true); + + let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + addCertFromFile(certdb, "test_crlite_filters/issuer.pem", ",,"); + addCertFromFile(certdb, "test_crlite_filters/no-sct-issuer.pem", ",,"); + + let result = await syncAndDownload([ + { + timestamp: "2020-10-17T00:00:00Z", + type: "full", + id: "0000", + coverage: [ + { + logID: "9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOM=", + minTimestamp: 0, + maxTimestamp: 9999999999999, + }, + { + logID: "pLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BA=", + minTimestamp: 0, + maxTimestamp: 9999999999999, + }, + ], + enrolledIssuers: [ISSUER_PEM_UID, NO_SCT_ISSUER_PEM_UID], + }, + ]); + equal( + result, + "finished;2020-10-17T00:00:00Z-full", + "CRLite filter download should have run" + ); + + // The CRLite result should be enforced for this certificate and + // OCSP should not be consulted. + let validCert = constructCertFromFile("test_crlite_filters/valid.pem"); + await checkCertErrorGenericAtTime( + certdb, + validCert, + PRErrorCodeSuccess, + certificateUsageSSLServer, + new Date("2020-10-20T00:00:00Z").getTime() / 1000, + undefined, + "vpn.worldofspeed.org", + 0 + ); + + // OCSP should be consulted for this certificate, but OCSP is disabled by + // Ci.nsIX509CertDB.FLAG_LOCAL_ONLY so this will be treated as a soft-failure + // and the CRLite result will be used. + let revokedCert = constructCertFromFile("test_crlite_filters/revoked.pem"); + await checkCertErrorGenericAtTime( + certdb, + revokedCert, + SEC_ERROR_REVOKED_CERTIFICATE, + certificateUsageSSLServer, + new Date("2020-10-20T00:00:00Z").getTime() / 1000, + undefined, + "us-datarecovery.com", + Ci.nsIX509CertDB.FLAG_LOCAL_ONLY + ); + + // Reload the filter w/o coverage and enrollment metadata. + result = await syncAndDownload([ + { + timestamp: "2020-10-17T00:00:00Z", + type: "full", + id: "0000", + coverage: [], + enrolledIssuers: [], + }, + ]); + equal( + result, + "finished;2020-10-17T00:00:00Z-full", + "CRLite filter download should have run" + ); + + // OCSP will be consulted for the revoked certificate, but a soft-failure + // should now result in a Success return. + await checkCertErrorGenericAtTime( + certdb, + revokedCert, + PRErrorCodeSuccess, + certificateUsageSSLServer, + new Date("2020-10-20T00:00:00Z").getTime() / 1000, + undefined, + "us-datarecovery.com", + Ci.nsIX509CertDB.FLAG_LOCAL_ONLY + ); +}); + +add_task(async function test_crlite_filters_and_check_revocation() { + Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true); + Services.prefs.setIntPref( + "security.pki.crlite_mode", + CRLiteModeEnforcePrefValue + ); + Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true); + + let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + addCertFromFile(certdb, "test_crlite_filters/issuer.pem", ",,"); + addCertFromFile(certdb, "test_crlite_filters/no-sct-issuer.pem", ",,"); + + let result = await syncAndDownload([ + { + timestamp: "2020-10-17T00:00:00Z", + type: "full", + id: "0000", + coverage: [ + { + logID: "9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOM=", + minTimestamp: 0, + maxTimestamp: 9999999999999, + }, + { + logID: "pLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BA=", + minTimestamp: 0, + maxTimestamp: 9999999999999, + }, + ], + enrolledIssuers: [ISSUER_PEM_UID, NO_SCT_ISSUER_PEM_UID], + }, + ]); + equal( + result, + "finished;2020-10-17T00:00:00Z-full", + "CRLite filter download should have run" + ); + + let validCert = constructCertFromFile("test_crlite_filters/valid.pem"); + // NB: by not specifying Ci.nsIX509CertDB.FLAG_LOCAL_ONLY, this tests that + // the implementation does not fall back to OCSP fetching, because if it + // did, the implementation would attempt to connect to a server outside the + // test infrastructure, which would result in a crash in the test + // environment, which would be treated as a test failure. + await checkCertErrorGenericAtTime( + certdb, + validCert, + PRErrorCodeSuccess, + certificateUsageSSLServer, + new Date("2020-10-20T00:00:00Z").getTime() / 1000, + false, + "vpn.worldofspeed.org", + 0 + ); + + let revokedCert = constructCertFromFile("test_crlite_filters/revoked.pem"); + await checkCertErrorGenericAtTime( + certdb, + revokedCert, + SEC_ERROR_REVOKED_CERTIFICATE, + certificateUsageSSLServer, + new Date("2020-10-20T00:00:00Z").getTime() / 1000, + false, + "us-datarecovery.com", + 0 + ); + + // Before any stashes are downloaded, this should verify successfully. + let revokedInStashCert = constructCertFromFile( + "test_crlite_filters/revoked-in-stash.pem" + ); + await checkCertErrorGenericAtTime( + certdb, + revokedInStashCert, + PRErrorCodeSuccess, + certificateUsageSSLServer, + new Date("2020-10-20T00:00:00Z").getTime() / 1000, + false, + "stokedmoto.com", + 0 + ); + + result = await syncAndDownload( + [ + { + timestamp: "2020-10-17T03:00:00Z", + type: "diff", + id: "0001", + parent: "0000", + }, + ], + false + ); + equal( + result, + "finished;2020-10-17T03:00:00Z-diff", + "Should have downloaded the expected CRLite filters" + ); + + // After downloading the first stash, this should be revoked. + await checkCertErrorGenericAtTime( + certdb, + revokedInStashCert, + SEC_ERROR_REVOKED_CERTIFICATE, + certificateUsageSSLServer, + new Date("2020-10-20T00:00:00Z").getTime() / 1000, + false, + "stokedmoto.com", + 0 + ); + + // Before downloading the second stash, this should not be revoked. + let revokedInStash2Cert = constructCertFromFile( + "test_crlite_filters/revoked-in-stash-2.pem" + ); + await checkCertErrorGenericAtTime( + certdb, + revokedInStash2Cert, + PRErrorCodeSuccess, + certificateUsageSSLServer, + new Date("2020-10-20T00:00:00Z").getTime() / 1000, + false, + "icsreps.com", + 0 + ); + + result = await syncAndDownload( + [ + { + timestamp: "2020-10-17T06:00:00Z", + type: "diff", + id: "0002", + parent: "0001", + }, + ], + false + ); + equal( + result, + "finished;2020-10-17T06:00:00Z-diff", + "Should have downloaded the expected CRLite filters" + ); + + // After downloading the second stash, this should be revoked. + await checkCertErrorGenericAtTime( + certdb, + revokedInStash2Cert, + SEC_ERROR_REVOKED_CERTIFICATE, + certificateUsageSSLServer, + new Date("2020-10-20T00:00:00Z").getTime() / 1000, + false, + "icsreps.com", + 0 + ); + + // The other certificates should still get the same results as they did before. + await checkCertErrorGenericAtTime( + certdb, + validCert, + PRErrorCodeSuccess, + certificateUsageSSLServer, + new Date("2020-10-20T00:00:00Z").getTime() / 1000, + false, + "vpn.worldofspeed.org", + 0 + ); + + await checkCertErrorGenericAtTime( + certdb, + revokedCert, + SEC_ERROR_REVOKED_CERTIFICATE, + certificateUsageSSLServer, + new Date("2020-10-20T00:00:00Z").getTime() / 1000, + false, + "us-datarecovery.com", + 0 + ); + + await checkCertErrorGenericAtTime( + certdb, + revokedInStashCert, + SEC_ERROR_REVOKED_CERTIFICATE, + certificateUsageSSLServer, + new Date("2020-10-20T00:00:00Z").getTime() / 1000, + false, + "stokedmoto.com", + 0 + ); + + // This certificate has no embedded SCTs, so it is not guaranteed to be in + // CT, so CRLite can't be guaranteed to give the correct answer, so it is + // not consulted, and the implementation falls back to OCSP. Since the real + // OCSP responder can't be reached, this results in a + // SEC_ERROR_OCSP_SERVER_ERROR. + let noSCTCert = constructCertFromFile("test_crlite_filters/no-sct.pem"); + // NB: this will cause an OCSP request to be sent to localhost:80, but + // since an OCSP responder shouldn't be running on that port, this should + // fail safely. + Services.prefs.setCharPref("network.dns.localDomains", "ocsp.digicert.com"); + Services.prefs.setBoolPref("security.OCSP.require", true); + Services.prefs.setIntPref("security.OCSP.enabled", 1); + await checkCertErrorGenericAtTime( + certdb, + noSCTCert, + SEC_ERROR_OCSP_SERVER_ERROR, + certificateUsageSSLServer, + new Date("2020-10-20T00:00:00Z").getTime() / 1000, + false, + "mail233.messagelabs.com", + 0 + ); + Services.prefs.clearUserPref("network.dns.localDomains"); + Services.prefs.clearUserPref("security.OCSP.require"); + Services.prefs.clearUserPref("security.OCSP.enabled"); + + // The revoked certificate example has one SCT from the log with ID "9ly...=" + // at time 1598140096613 and another from the log with ID "XNx...=" at time + // 1598140096917. The filter we construct here fails to cover it by one + // millisecond in each case. The implementation will fall back to OCSP + // fetching. Since this would result in a crash and test failure, the + // Ci.nsIX509CertDB.FLAG_LOCAL_ONLY is used. + result = await syncAndDownload([ + { + timestamp: "2020-10-17T00:00:00Z", + type: "full", + id: "0000", + coverage: [ + { + logID: "9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOM=", + minTimestamp: 0, + maxTimestamp: 1598140096612, + }, + { + logID: "XNxDkv7mq0VEsV6a1FbmEDf71fpH3KFzlLJe5vbHDso=", + minTimestamp: 1598140096917, + maxTimestamp: 9999999999999, + }, + ], + enrolledIssuers: [ISSUER_PEM_UID, NO_SCT_ISSUER_PEM_UID], + }, + ]); + equal( + result, + "finished;2020-10-17T00:00:00Z-full", + "CRLite filter download should have run" + ); + await checkCertErrorGenericAtTime( + certdb, + revokedCert, + PRErrorCodeSuccess, + certificateUsageSSLServer, + new Date("2020-10-20T00:00:00Z").getTime() / 1000, + false, + "us-datarecovery.com", + Ci.nsIX509CertDB.FLAG_LOCAL_ONLY + ); +}); + +add_task(async function test_crlite_filters_avoid_reprocessing_filters() { + Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true); + + let result = await syncAndDownload([ + { + timestamp: "2019-01-01T00:00:00Z", + type: "full", + id: "0000", + coverage: [ + { + logID: "9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOM=", + minTimestamp: 0, + maxTimestamp: 9999999999999, + }, + ], + enrolledIssuers: [ISSUER_PEM_UID, NO_SCT_ISSUER_PEM_UID], + }, + { + timestamp: "2019-01-01T06:00:00Z", + type: "diff", + id: "0001", + parent: "0000", + }, + { + timestamp: "2019-01-01T12:00:00Z", + type: "diff", + id: "0002", + parent: "0001", + }, + { + timestamp: "2019-01-01T18:00:00Z", + type: "diff", + id: "0003", + parent: "0002", + }, + ]); + let [status, filters] = result.split(";"); + equal(status, "finished", "CRLite filter download should have run"); + let filtersSplit = filters.split(","); + deepEqual( + filtersSplit, + [ + "2019-01-01T00:00:00Z-full", + "2019-01-01T06:00:00Z-diff", + "2019-01-01T12:00:00Z-diff", + "2019-01-01T18:00:00Z-diff", + ], + "Should have downloaded the expected CRLite filters" + ); + // This simulates another poll without clearing the database first. The + // filter and stashes should not be re-downloaded. + result = await syncAndDownload([], false); + equal(result, "finished;"); + + // If a new stash is added, only it should be downloaded. + result = await syncAndDownload( + [ + { + timestamp: "2019-01-02T00:00:00Z", + type: "diff", + id: "0004", + parent: "0003", + }, + ], + false + ); + equal(result, "finished;2019-01-02T00:00:00Z-diff"); +}); + +let server; + +function run_test() { + server = new HttpServer(); + server.start(-1); + registerCleanupFunction(() => server.stop(() => {})); + + server.registerDirectory( + "/cdn/security-state-workspace/cert-revocations/", + do_get_file(".") + ); + + server.registerPathHandler("/v1/", (request, response) => { + response.write( + JSON.stringify({ + capabilities: { + attachments: { + base_url: `http://localhost:${server.identity.primaryPort}/cdn/`, + }, + }, + }) + ); + response.setHeader("Content-Type", "application/json; charset=UTF-8"); + response.setStatusLine(null, 200, "OK"); + }); + + Services.prefs.setCharPref( + "services.settings.server", + `http://localhost:${server.identity.primaryPort}/v1` + ); + + // Set intermediate preloading to download 0 intermediates at a time. + Services.prefs.setIntPref(INTERMEDIATES_DL_PER_POLL_PREF, 0); + + Services.prefs.setCharPref("browser.policies.loglevel", "debug"); + + run_next_test(); +} diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/20201017-0-filter b/security/manager/ssl/tests/unit/test_crlite_filters/20201017-0-filter Binary files differnew file mode 100644 index 0000000000..151cac41a9 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_filters/20201017-0-filter diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/20201017-1-filter.stash b/security/manager/ssl/tests/unit/test_crlite_filters/20201017-1-filter.stash Binary files differnew file mode 100644 index 0000000000..d43193a78c --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_filters/20201017-1-filter.stash diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/20201201-3-filter.stash b/security/manager/ssl/tests/unit/test_crlite_filters/20201201-3-filter.stash Binary files differnew file mode 100644 index 0000000000..52c9ee8d51 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_filters/20201201-3-filter.stash diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/issuer.pem b/security/manager/ssl/tests/unit/test_crlite_filters/issuer.pem new file mode 100644 index 0000000000..ead19e3c14 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_filters/issuer.pem @@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIE0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx +EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT +EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp +ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTExMDUwMzA3MDAwMFoXDTMxMDUwMzA3 +MDAwMFowgbQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH +EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UE +CxMkaHR0cDovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQD +EypHbyBEYWRkeSBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC54MsQ1K92vdSTYuswZLiBCGzD +BNliF44v/z5lz4/OYuY8UhzaFkVLVat4a2ODYpDOD2lsmcgaFItMzEUz6ojcnqOv +K/6AYZ15V8TPLvQ/MDxdR/yaFrzDN5ZBUY4RS1T4KL7QjL7wMDge87Am+GZHY23e +cSZHjzhHU9FGHbTj3ADqRay9vHHZqm8A29vNMDp5T19MR/gd71vCxJ1gO7GyQ5HY +pDNO6rPWJ0+tJYqlxvTV0KaudAVkV4i1RFXULSo6Pvi4vekyCgKUZMQWOlDxSq7n +eTOvDCAHf+jfBDnCaQJsY1L6d8EbyHSHyLmTGFBUNUtpTrw700kuH9zB0lL7AgMB +AAGjggEaMIIBFjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV +HQ4EFgQUQMK9J47MNIMwojPX+2yz8LQsgM4wHwYDVR0jBBgwFoAUOpqFBxBnKLbv +9r0FQW4gwZTaD94wNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8v +b2NzcC5nb2RhZGR5LmNvbS8wNQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2NybC5n +b2RhZGR5LmNvbS9nZHJvb3QtZzIuY3JsMEYGA1UdIAQ/MD0wOwYEVR0gADAzMDEG +CCsGAQUFBwIBFiVodHRwczovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkv +MA0GCSqGSIb3DQEBCwUAA4IBAQAIfmyTEMg4uJapkEv/oV9PBO9sPpyIBslQj6Zz +91cxG7685C/b+LrTW+C05+Z5Yg4MotdqY3MxtfWoSKQ7CC2iXZDXtHwlTxFWMMS2 +RJ17LJ3lXubvDGGqv+QqG+6EnriDfcFDzkSnE3ANkR/0yBOtg2DZ2HKocyQetawi +DsoXiWJYRBuriSUBAA/NxBti21G00w9RKpv0vHP8ds42pM3Z2Czqrpv1KrKQ0U11 +GIo/ikGQI31bS/6kA1ibRrLDYGCD+H1QQc7CoZDDu+8CL9IVVO5EFdkKrqeKM+2x +LXY2JtwE65/3YR8V3Idv7kaWKK2hJn0KCacuBKONvPi8BDAB +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/no-sct-issuer.pem b/security/manager/ssl/tests/unit/test_crlite_filters/no-sct-issuer.pem new file mode 100644 index 0000000000..70b86dfd71 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_filters/no-sct-issuer.pem @@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIElDCCA3ygAwIBAgIQAf2j627KdciIQ4tyS8+8kTANBgkqhkiG9w0BAQsFADBh +MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 +d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD +QTAeFw0xMzAzMDgxMjAwMDBaFw0yMzAzMDgxMjAwMDBaME0xCzAJBgNVBAYTAlVT +MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxJzAlBgNVBAMTHkRpZ2lDZXJ0IFNIQTIg +U2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +ANyuWJBNwcQwFZA1W248ghX1LFy949v/cUP6ZCWA1O4Yok3wZtAKc24RmDYXZK83 +nf36QYSvx6+M/hpzTc8zl5CilodTgyu5pnVILR1WN3vaMTIa16yrBvSqXUu3R0bd +KpPDkC55gIDvEwRqFDu1m5K+wgdlTvza/P96rtxcflUxDOg5B6TXvi/TC2rSsd9f +/ld0Uzs1gN2ujkSYs58O09rg1/RrKatEp0tYhG2SS4HD2nOLEpdIkARFdRrdNzGX +kujNVA075ME/OV4uuPNcfhCOhkEAjUVmR7ChZc6gqikJTvOX6+guqw9ypzAO+sf0 +/RR3w6RbKFfCs/mC/bdFWJsCAwEAAaOCAVowggFWMBIGA1UdEwEB/wQIMAYBAf8C +AQAwDgYDVR0PAQH/BAQDAgGGMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYY +aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMHsGA1UdHwR0MHIwN6A1oDOGMWh0dHA6 +Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RDQS5jcmwwN6A1 +oDOGMWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RD +QS5jcmwwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v +d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwHQYDVR0OBBYEFA+AYRyCMWHVLyjnjUY4tCzh +xtniMB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA0GCSqGSIb3DQEB +CwUAA4IBAQAjPt9L0jFCpbZ+QlwaRMxp0Wi0XUvgBCFsS+JtzLHgl4+mUwnNqipl +5TlPHoOlblyYoiQm5vuh7ZPHLgLGTUq/sELfeNqzqPlt/yGFUzZgTHbO7Djc1lGA +8MXW5dRNJ2Srm8c+cftIl7gzbckTB+6WohsYFfZcTEDts8Ls/3HB40f/1LkAtDdC +2iDJ6m6K7hQGrn2iWZiIqBtvLfTyyRRfJs8sjX7tN8Cp1Tm5gr8ZDOo0rwAhaPit +c+LJMto4JQtV05od8GiG7S5BNO98pVAdvzr508EIDObtHopYJeS4d60tbvVS3bR0 +j6tJLp07kzQoH3jOlOrHvdPJbRzeXDLz +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/no-sct.pem b/security/manager/ssl/tests/unit/test_crlite_filters/no-sct.pem new file mode 100644 index 0000000000..a690a0ad0d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_filters/no-sct.pem @@ -0,0 +1,33 @@ +-----BEGIN CERTIFICATE----- +MIIFpDCCBIygAwIBAgIQDVHBpbd6yyk2LgPoPr9QyjANBgkqhkiG9w0BAQsFADBN +MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E +aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTkxMTE4MDAwMDAwWhcN +MjExMTE4MTIwMDAwWjCBlDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3Ju +aWExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxHTAbBgNVBAoTFFN5bWFudGVjIENv +cnBvcmF0aW9uMRcwFQYDVQQLEw5TeW1hbnRlYy5jbG91ZDEgMB4GA1UEAxMXbWFp +bDIzMy5tZXNzYWdlbGFicy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQCyM1Fy9hAlahRqqeEnPKDWgUmsxofivWEWKNeSMEKcnXX3TCQOGbLQTthN +xfNU7IWY8ViTPwQ8JBWWDxNhd6dTYLNnytKrNRG8qDQ3rFMKJY4p0dZImMp55X3W +1xcKMxSOkPv0YUCGp7qlAHq6+N3YY1ILw6MRdJ75Njh4Kw8qe5F3rHLwD+AyYQmx +3WsMCRp5NZtWUcU5Vbc9ca/osrh9xBF7U3ZYR6GoPXQlizrNjXv7/BaKWWO5ChbD +iRI4Nj8d3HhWUHsJoGvYDof5Iudgtbubz3c5cwp6+VNNMas7izpvbixqW8zXdUug +8v5v47IkRNYnlma/zvv2IDC1dVlxAgMBAAGjggI2MIICMjAfBgNVHSMEGDAWgBQP +gGEcgjFh1S8o541GOLQs4cbZ4jAdBgNVHQ4EFgQUZnBdWwGQjkPX/+A2ZEYdUdnw +lN8wfQYDVR0RBHYwdIIbY2x1c3RlcjguZXUubWVzc2FnZWxhYnMuY29tgh5jbHVz +dGVyOG91dC5ldS5tZXNzYWdlbGFicy5jb22CHGNsdXN0ZXI4YS5ldS5tZXNzYWdl +bGFicy5jb22CF21haWwyMzMubWVzc2FnZWxhYnMuY29tMA4GA1UdDwEB/wQEAwIF +oDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwawYDVR0fBGQwYjAvoC2g +K4YpaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL3NzY2Etc2hhMi1nNi5jcmwwL6At +oCuGKWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2NhLXNoYTItZzYuY3JsMEwG +A1UdIARFMEMwNwYJYIZIAYb9bAEBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3 +LmRpZ2ljZXJ0LmNvbS9DUFMwCAYGZ4EMAQICMHwGCCsGAQUFBwEBBHAwbjAkBggr +BgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEYGCCsGAQUFBzAChjpo +dHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRTSEEyU2VjdXJlU2Vy +dmVyQ0EuY3J0MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAK7vS/qDcGKb +QYu26+jGtBemopT3+2YJjtALeR62eNhF9LoHu+mnmNLvPI0M0NMhz56Ss/6sUHOz +hJgB98SLAQ5ElSWXrnZThLIjsiH5X5MYTD0Y8MqzoJSi2Lf2Muy/UpyrD3wB14E1 +kUYhvUnaWDDPIN81DCFzEosBmnsRqr5zlcZSKs0e1LVQ8cNkt8svVkiwFgeOIhwo +QF22GJAZPtRceSGlbRTFBYKh+u3KN8eNS/X+C935y+F4J/grufDCzRSGtRRseTcd +1QW49+QME/rx1mBb7id4iXNKxvGuJTivBlxaHWBQLh/RGk39DSdHfjAhYvt2gmxh +C3gxXMNrymE= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/notcovered.pem b/security/manager/ssl/tests/unit/test_crlite_filters/notcovered.pem new file mode 100644 index 0000000000..bac70a76bc --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_filters/notcovered.pem @@ -0,0 +1,38 @@ +-----BEGIN CERTIFICATE-----
+MIIGpzCCBY+gAwIBAgIIfLPIa/Mc/f4wDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV
+BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMRow
+GAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UECxMkaHR0cDovL2NlcnRz
+LmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQDEypHbyBEYWRkeSBTZWN1
+cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwHhcNMjIwMTA2MDA1MTI5WhcN
+MjMwMjA0MTUxNjQwWjAeMRwwGgYDVQQDExNwZWVrYWJvb3Bob25pY3MuY29tMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuCKkB+36Yd/mBwwlq/F+B2R/
+ibNdUncADG1+xCB21TB6H0UWR1Aj92ZsIKXwXIyhj02VT58y0Oh4eycsMtEi/lLq
+KXhpWjRAMZaxjdyIrSJxpQVXC3v8Taej6PG2RewGMA3uXj+oWfl7t25JnEes1l2n
+JOnDXs5w4K0aDD1+r7wqCgZA7evmmdK3WJMWD/GSeF2hYcXFgb5dM2TiSRBGkv/9
+jMAvOSuJO8/kxKHLtLfM4I3O0gugB5Uyxtn5a6+P4vOphozsYgHqnSapCV8eAEN2
+SWRhFpfwsbt6/Dw/k38F2A5axSF0n+IQ49ejtWjs+f/GNTloieTsDbcpKkDSEwID
+AQABo4IDUDCCA0wwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
+KwYBBQUHAwIwDgYDVR0PAQH/BAQDAgWgMDgGA1UdHwQxMC8wLaAroCmGJ2h0dHA6
+Ly9jcmwuZ29kYWRkeS5jb20vZ2RpZzJzMS0zNzEwLmNybDBdBgNVHSAEVjBUMEgG
+C2CGSAGG/W0BBxcBMDkwNwYIKwYBBQUHAgEWK2h0dHA6Ly9jZXJ0aWZpY2F0ZXMu
+Z29kYWRkeS5jb20vcmVwb3NpdG9yeS8wCAYGZ4EMAQIBMHYGCCsGAQUFBwEBBGow
+aDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZ29kYWRkeS5jb20vMEAGCCsGAQUF
+BzAChjRodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkv
+Z2RpZzIuY3J0MB8GA1UdIwQYMBaAFEDCvSeOzDSDMKIz1/tss/C0LIDOMDcGA1Ud
+EQQwMC6CE3BlZWthYm9vcGhvbmljcy5jb22CF3d3dy5wZWVrYWJvb3Bob25pY3Mu
+Y29tMB0GA1UdDgQWBBRElZlefxDT9BFjvpeq7zP6TlVv+TCCAYEGCisGAQQB1nkC
+BAIEggFxBIIBbQFrAHcA6D7Q2j71BjUy51covIlryQPTy9ERa+zraeF3fW0GvW4A
+AAF+LN6rOQAABAMASDBGAiEAssjNEfjNFhpQmiFRCFZSr1zZk7ISWHqPIzoghyZ+
+UbgCIQDB6iKxtMkpx1I9P9uL40M93xynsb/3DVl1OX8pSO1n9gB3ADXPGRu/sWxX
+vw+tTG1Cy7u2JyAmUeo/4SrvqAPDO9ZMAAABfizerPwAAAQDAEgwRgIhANUhPyqm
+inLVPy1zUqikc64dwi0P/nvCoNtC1gO2cDHgAiEAjv1Gw04htq5OyTP3XYQTHsZW
+h35omGu+WCS68t8LnIEAdwB6MoxU2LcttiDqOOBSHumEFnAyE4VNO9IrwTpXo1Lr
+UgAAAX4s3q2BAAAEAwBIMEYCIQDqxot9iMPghZbHZSegX98g1o5dvSsG1azMv290
+Cp+sBgIhALiMl5lj1A3nWkHTQKF9bF3ops5/ZxxJYE7XwBxlkZYYMA0GCSqGSIb3
+DQEBCwUAA4IBAQAOfIC7VLhn3oBYQKTzX4CN+249JN7l5tbSMqC2zjKRjOWOF3p/
+yNb2gk/v6EW0xN024E2yo8K4XF+QJMfzlwpsed1yuziYHIpjeiad7JGUs/57jdCo
+EUQrvwkuIeR5CZrGcXKG8nlVM5SaNhmId8XixnJz7XfEWiCxszlRkXIZ4Uhpwz2D
+XhQ8RE1DhwX3x6oO5y9Eu6o6+bz2Y14E0lL4hCng09UmrOFEUzVcO4bK8qsSp9oe
+1NNPlMQ3SD6RlGBy+2O5Iy8Kj4BRv2US2stuDeZWSvxp6N2RwLGBnDTyT08VAFD5
+SkulqE2/r6AHWNMe649z1clhq14i1+kQjEq5
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/revoked-in-stash-2.pem b/security/manager/ssl/tests/unit/test_crlite_filters/revoked-in-stash-2.pem new file mode 100644 index 0000000000..9550453493 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_filters/revoked-in-stash-2.pem @@ -0,0 +1,36 @@ +-----BEGIN CERTIFICATE----- +MIIGNTCCBR2gAwIBAgIIFn0oGKdatdgwDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV +BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMRow +GAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UECxMkaHR0cDovL2NlcnRz +LmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQDEypHbyBEYWRkeSBTZWN1 +cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwHhcNMjAwOTI3MTE0MzI0WhcN +MjExMDI5MTE0MzI0WjA5MSEwHwYDVQQLExhEb21haW4gQ29udHJvbCBWYWxpZGF0 +ZWQxFDASBgNVBAMTC2ljc3JlcHMuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAydMKPhCqRWjy5h1aPUNdRb80kt0hP/g55ytjlSF04PG+1CbIcId1 +GJg1qkbTR1vqZyvaI8wjv3zdfvsvYbka9OQFJiOasJfeqmiA+sDd9AvFiD2EF5zN +D9uKHi+sF8Ut4JMl7jqaRAu/gbjBvY/9ammkz4sUiTlp1x4rteda3tuX9O7yMO7U +ldnyfabHgGmmm8KU3nvRAjNbHCq3J/V/zw8YeolXU5OpOeZMhI8KAGKpxk8tRiIb +LkdSdCTWoKgXO60extYcGTxIT8c8zfY6OoN0VaQY8HA1VyBZQIw2RTWivmI8le0J +ypXYxNcUtInS0ivO4ymiNnCjYR9pgQ6+tQIDAQABo4ICwzCCAr8wDAYDVR0TAQH/ +BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDgYDVR0PAQH/BAQD +AgWgMDgGA1UdHwQxMC8wLaAroCmGJ2h0dHA6Ly9jcmwuZ29kYWRkeS5jb20vZ2Rp +ZzJzMS0yMzM0LmNybDBdBgNVHSAEVjBUMEgGC2CGSAGG/W0BBxcBMDkwNwYIKwYB +BQUHAgEWK2h0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9y +eS8wCAYGZ4EMAQIBMHYGCCsGAQUFBwEBBGowaDAkBggrBgEFBQcwAYYYaHR0cDov +L29jc3AuZ29kYWRkeS5jb20vMEAGCCsGAQUFBzAChjRodHRwOi8vY2VydGlmaWNh +dGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvZ2RpZzIuY3J0MB8GA1UdIwQYMBaA +FEDCvSeOzDSDMKIz1/tss/C0LIDOMCcGA1UdEQQgMB6CC2ljc3JlcHMuY29tgg93 +d3cuaWNzcmVwcy5jb20wHQYDVR0OBBYEFEgqFQnM5zH3cKFGtFanJxxD9zdPMIIB +BAYKKwYBBAHWeQIEAgSB9QSB8gDwAHUA9lyUL9F3MCIUVBgIMJRWjuNNExkzv98M +LyALzE7xZOMAAAF0z1/40gAABAMARjBEAiADSOnqg/I15y+dJDSWta8NzBwE6Xti +UzyBKMT2OYHCYwIgb1aFpZxlkhx6XCCuniBLTcr5JbhigoM/lAfUmvvUqrIAdwBc +3EOS/uarRUSxXprUVuYQN/vV+kfcoXOUsl7m9scOygAAAXTPX/oBAAAEAwBIMEYC +IQD6WvavTba+Lydf6uhaaxcRmhuuPeddzSmC8t4+tBLGGgIhANJPxhRl1pGYm6WX +ay9jPCM2SqtBraOJYncaV6k37zGYMA0GCSqGSIb3DQEBCwUAA4IBAQA0IknIoU51 +FCBqpksgo7zR9OJj5MoQmlsQbzSFppdRKgyHhk8rW6IrBi3yrtWjo3HxcwihZlJQ +2AbinRTNnHvBpiiiXXxR5u9yVly+9l3KfF/uHIGMnIqsahaKXNOy5h98uq4o4N0+ +YCGu9wSeDwtaCzdT+V447Fq63nmW629pjwin8FYCz2S8RdztranPZuOgwYqBNlWu +u3Mi9DWIV2hP6eFwMZh7BWgbvnhWiI37TE74YQ+3cEVaLxLHJH9jkBjsel+ZwVIo +9xeE6kGsh5+D0uHS5NWf9zu+fvW0iTgsB8J4VX5OihAa1v4FS4IaF3snkaMa0PCd +MJMOgY5VkZiw +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/revoked-in-stash.pem b/security/manager/ssl/tests/unit/test_crlite_filters/revoked-in-stash.pem new file mode 100644 index 0000000000..1073159662 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_filters/revoked-in-stash.pem @@ -0,0 +1,36 @@ +-----BEGIN CERTIFICATE----- +MIIGPTCCBSWgAwIBAgIJAJeW47AXop8NMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD +VQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEa +MBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4xLTArBgNVBAsTJGh0dHA6Ly9jZXJ0 +cy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzEzMDEGA1UEAxMqR28gRGFkZHkgU2Vj +dXJlIENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTIwMDgyMjIzMDI0NVoX +DTIxMDkyMTIxMTYxMVowPDEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRh +dGVkMRcwFQYDVQQDEw5zdG9rZWRtb3RvLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBANLX8D4Cin6x2bmoSdgnuw9O+tGcD1x1S++3110NJVXUlpSc +3uSUwqpU4rMOkJlRnuaBtHXYUFG8NMMnbTJYY9JuuhAlnHzVqoRWmcTNRp72fpDA +XoD3U20spJeGQZXuQnGfe/k9EouvXt5du029YqItkFbjdbub4FP5MbIz1CWeelEn +fEwpe/peLVYEfKSyYf325tFI9wZhuIM/zTe9DE6lauznM8hg1ioiBujxzeWWSstZ +K2uJKaI8nlWkSr6vwPqJEBvvoShcWHFEmG8SWqPBy1tsNsLNjJkaHfD7gvG/J1Rc +G21D0XO2IA0rEo6lo8MNEkWoHZA/oHO1eHrCjNkCAwEAAaOCAscwggLDMAwGA1Ud +EwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA4GA1UdDwEB +/wQEAwIFoDA4BgNVHR8EMTAvMC2gK6AphidodHRwOi8vY3JsLmdvZGFkZHkuY29t +L2dkaWcyczEtMjIzNy5jcmwwXQYDVR0gBFYwVDBIBgtghkgBhv1tAQcXATA5MDcG +CCsGAQUFBwIBFitodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9z +aXRvcnkvMAgGBmeBDAECATB2BggrBgEFBQcBAQRqMGgwJAYIKwYBBQUHMAGGGGh0 +dHA6Ly9vY3NwLmdvZGFkZHkuY29tLzBABggrBgEFBQcwAoY0aHR0cDovL2NlcnRp +ZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5L2dkaWcyLmNydDAfBgNVHSME +GDAWgBRAwr0njsw0gzCiM9f7bLPwtCyAzjAtBgNVHREEJjAkgg5zdG9rZWRtb3Rv +LmNvbYISd3d3LnN0b2tlZG1vdG8uY29tMB0GA1UdDgQWBBTP8YI0WwVBgvg5GABQ +fUksbk6evjCCAQIGCisGAQQB1nkCBAIEgfMEgfAA7gB1APZclC/RdzAiFFQYCDCU +Vo7jTRMZM7/fDC8gC8xO8WTjAAABdBhpJtAAAAQDAEYwRAIgcrebTXyuMk/ciVyg +LMbbd6qbkyB3yRAY1QnBs5sGK1ICIGw6EpH/NMXcOfYdkuSmhSYgUx0AIDdT9QWH +rRIT50D3AHUAXNxDkv7mq0VEsV6a1FbmEDf71fpH3KFzlLJe5vbHDsoAAAF0GGko +AwAABAMARjBEAiBtzQQHVVML3yZhZRsLLhJkYcc11nXeU/S/rouOZCCZQQIgVYKY +jgjCU5HQyY6R5PZQTsCQGWiaOm1VguAIgPbvKzYwDQYJKoZIhvcNAQELBQADggEB +AH6jCZU9+5TMaR5XThGL/z8EYQ1uFVN0hlXXB+gP3IDQLmyxkqrk9cOSf1D6fLRT +5T4tGzPLvmReBLfrzQEkuqkXpUieortbpi116V82K+zBDT5s9Dol6+MxhwIZyZ7K +DkHSbcFyiV9hkr2bf8JZzjvpCOfw9kYZTcYv8M8kheIOQsONdfe/rqNQnMRy56UZ +OGZmxqDT2RwbewHEMAEb5ZsZ55/UHq08vZSVSA8qIqX/BU+7frwwt4vmv4WQ7AoJ +YNml0TdV4R27NlnvhbAclucuqEMBcBg8gNylvKD3Mid7O4c5gCX5Wuml6rLpOr05 +vpJJqSf0uy73EtNcyTqfwUQ= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/revoked.pem b/security/manager/ssl/tests/unit/test_crlite_filters/revoked.pem new file mode 100644 index 0000000000..ece7360def --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_filters/revoked.pem @@ -0,0 +1,42 @@ +-----BEGIN CERTIFICATE----- +MIIHTjCCBjagAwIBAgIILTXKZQP7G6MwDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV +BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMRow +GAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UECxMkaHR0cDovL2NlcnRz +LmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQDEypHbyBEYWRkeSBTZWN1 +cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwHhcNMjAwODIyMjM0ODE1WhcN +MjEwMTE0MjEwMzAxWjBDMSEwHwYDVQQLExhEb21haW4gQ29udHJvbCBWYWxpZGF0 +ZWQxHjAcBgNVBAMMFSoudXMtZGF0YXJlY292ZXJ5LmNvbTCCAiIwDQYJKoZIhvcN +AQEBBQADggIPADCCAgoCggIBAKzuSr8LaH2Aw/G1aKN4URo0RwaFv4+7MzM0RVTB +189BdE8rgNRfxskoAVfte+iftO7P5qjg+1Jx8SCE1ZCNT2TGtcYwlsjyNLnbP3xV +Cq514bODlwimOKLhpUFH1/ofO4/enbU8E4hlxS4DPtOGbsjouTiRHAOLsi7D+WT3 +3pZelFa5Hgmed5dL/CCJTiwbF10lbTXNwLgI7efUqiwvHRwf/CXEW9IvKJ9HG2We +tT9ouQGOHfz4fyGOMN268dHqP89K+auCcf9b3BzzWOsknhmDisl+06WaIJe/W7Dn ++eG07nAuJLhE6nH9KLYiU2X5CHnLPvBTOPDdm/hzH84hnHkX2pSbst4d1aNtU4uP +hyQcE5aMfnV7Yr1ZQUlLreCKzwIAb6BKqF/gHMASXUX7Fw5OFUHxV1xcPbcHQLs6 +D3XAoLBzopTR4YjxIDqhS3pkxHu5u9OEzFfaeP5zYnrj69Bke3lrdbrKV8aXIxHn +xh9xJV4zAaPoHe8ze03zvdBXfu69DU+TTQkRfzJSZx/sXV6BHe15WGSHZxe0i61z +wA1Oi7QgySMKIKSs6dsPOqppmePc3seMJy7y0FSxF1Kq6a1tR+W3j2WT9nY1c4Wb +4LWc+0gDK3nvibJbFqCfnPznq/Q+q0V6m9BqBNjvqyyWXbgzCVn7qcT4apiP47IV ++MiBAgMBAAGjggLSMIICzjAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUF +BwMBBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCBaAwOAYDVR0fBDEwLzAtoCugKYYn +aHR0cDovL2NybC5nb2RhZGR5LmNvbS9nZGlnMnMxLTIyMzcuY3JsMF0GA1UdIARW +MFQwSAYLYIZIAYb9bQEHFwEwOTA3BggrBgEFBQcCARYraHR0cDovL2NlcnRpZmlj +YXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzAIBgZngQwBAgEwdgYIKwYBBQUH +AQEEajBoMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5nb2RhZGR5LmNvbS8wQAYI +KwYBBQUHMAKGNGh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3Np +dG9yeS9nZGlnMi5jcnQwHwYDVR0jBBgwFoAUQMK9J47MNIMwojPX+2yz8LQsgM4w +NQYDVR0RBC4wLIIVKi51cy1kYXRhcmVjb3ZlcnkuY29tghN1cy1kYXRhcmVjb3Zl +cnkuY29tMB0GA1UdDgQWBBTooRcQfblnnD7pJFCZfGGcf4kD4jCCAQUGCisGAQQB +1nkCBAIEgfYEgfMA8QB3APZclC/RdzAiFFQYCDCUVo7jTRMZM7/fDC8gC8xO8WTj +AAABdBiSoGUAAAQDAEgwRgIhAI4Cd+FhKsWdUZkBugaburD9dzdlVHSxKq6oYNyI +vmIIAiEAwlmkvAiPb9nwDirqe7MZud5nu/lmq/Ip7M1xSKuraykAdgBc3EOS/uar +RUSxXprUVuYQN/vV+kfcoXOUsl7m9scOygAAAXQYkqGUAAAEAwBHMEUCIQCpYqq+ +Uc881tR+ikvsR97FRl6jBfxG50Sum+cdHEQkYQIgZJbGaeNoDS9+LAKI88NNRiCK +vtQZkwWigDYr+2dWguYwDQYJKoZIhvcNAQELBQADggEBAD+sj44+86AvdVUrAN9h +cU6kt4I6K1TM0KBmKg3rG8JEY7+Ec4Rztls3uviLR0ajH5tkQPwD7vRBVrLVDtQS +Ndt2StR38AXiBRWwewy/sPMz11YzOPLyHaTl4pJVfyzHJ+rPdWuFZLtpTras/MIK +IFnnbInlh5XtRhDCv6UEkAmGu5BeftA+9XxTuZlbwQlO5U1yg9Hqor9zANMqX9Ad +3omIZrPtBkTdVOwHRU8SoaS6XxQ9jxcmWRgNTVAhU1/J7Bgvg3CPSpcHyV78sXkS +D9bb1f4jdadaMKuJc0mTHBAxZenr3IFV8upf2FRTJnrCiS0jX8kKobN/+04Gbev6 +Tr0= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/valid.pem b/security/manager/ssl/tests/unit/test_crlite_filters/valid.pem new file mode 100644 index 0000000000..6769ba3d37 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_filters/valid.pem @@ -0,0 +1,39 @@ +-----BEGIN CERTIFICATE----- +MIIGyTCCBbGgAwIBAgIJANpPOSv9i86oMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD +VQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEa +MBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4xLTArBgNVBAsTJGh0dHA6Ly9jZXJ0 +cy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzEzMDEGA1UEAxMqR28gRGFkZHkgU2Vj +dXJlIENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTE4MTAxNTE5NTQxNFoX +DTIwMTAyNDE4MzczOFowQjEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRh +dGVkMR0wGwYDVQQDExR2cG4ud29ybGRvZnNwZWVkLm9yZzCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAKb1cjhtYv6yiyZa1feabWaSBOCmN0JuqXIMkX3r +4g+5heKAwPFlPFbZ3vZ3DQXiliV7jb5nhlx0O6nYG+MoGFmj6hEHDptCASAfdd3j +4tCxg0FlilXgrgMkJCg+SjW0npZ86jMkfc0WzufUyMjxv2pUUicPNXyWbaQr+PCq +zs6AsOkmuQ8RUUAqZ+Q0EJfQnjuhql7NCdByNui9S2LmrPcV6TAHHeTwKX733edv +zsNzaLNgE6TLGXSSRvsW/eZ/uNScPHLybE4wdxxCDwSYCPwaQq34csc3a8SUTWfS +4UkdbOn7j5sZPx7Jj0uUlm20ZDsj2FUi/0SXNvz5flFQbVsCAwEAAaOCA00wggNJ +MAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA4G +A1UdDwEB/wQEAwIFoDA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3JsLmdvZGFk +ZHkuY29tL2dkaWcyczEtODc4LmNybDBdBgNVHSAEVjBUMEgGC2CGSAGG/W0BBxcB +MDkwNwYIKwYBBQUHAgEWK2h0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20v +cmVwb3NpdG9yeS8wCAYGZ4EMAQIBMHYGCCsGAQUFBwEBBGowaDAkBggrBgEFBQcw +AYYYaHR0cDovL29jc3AuZ29kYWRkeS5jb20vMEAGCCsGAQUFBzAChjRodHRwOi8v +Y2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvZ2RpZzIuY3J0MB8G +A1UdIwQYMBaAFEDCvSeOzDSDMKIz1/tss/C0LIDOMDkGA1UdEQQyMDCCFHZwbi53 +b3JsZG9mc3BlZWQub3Jnghh3d3cudnBuLndvcmxkb2ZzcGVlZC5vcmcwHQYDVR0O +BBYEFGjmOgodY5yPX19UPVcACFpVExz1MIIBfQYKKwYBBAHWeQIEAgSCAW0EggFp +AWcAdgCkuQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAWZ5SxEeAAAE +AwBHMEUCIEL5OLHwBpIALbEnLFQntFlGBe8Oko6U/arr15jU4sLDAiEA6uy8DEnh +PFLOxXDC3ZaeOlK2+cdx76IAr6M6As74ETEAdgDuS723dc5guuFCaR+r4Z5mow9+ +X7By2IMAxHuJeqj9ywAAAWZ5SxMzAAAEAwBHMEUCIFWIeePa6jdf6y9o/YYxoqWr +Je3j8W94e4f5bixaGPiyAiEA7aJRZI+aWCE/zz5DpvcyRgkIoSKS3+dKS2irf/mp +qx0AdQBep3P531bA57U2SH3QSeAyepGaDIShEhKEGHWWgXFFWAAAAWZ5SxPjAAAE +AwBGMEQCIEkYw6g/cIZBdOUh+ETwl2XX2S0Bv8iGGiaOKOoXqVK6AiAh3eqABfMc +9b/wLJZo186YgbzmbZB0N3y5TUJKK1oMYDANBgkqhkiG9w0BAQsFAAOCAQEAPEwx +d597oqiP9/TN8RDrZqhn4uLZ9K5mXOD93RorUN8T8O1kV0B4UcXM1CkU2zxv4a9S +tG3diHjmfJgcrhpa4i19sZD7+QpTU8j0e82JlsB3MpbtuaiBwqb979c5qNPixQlJ +kDs4DWf8kV+4B9/DWWLDKvs+FtL8ST8n+LfwstZqi2EyK+1ZyM0p9hkUAzrT/M2h +Ou1DYELbCt2HaKMHMPSlrkESG7Q9v9Ba23EXElG+oFXxgnPwk4n84rYG8lI8pPyA +clunJNqc2cISUTDMdgGctCFdSVGyEq+8VVG5Y6Od5LMwtOLKcv+VPi17+iGfxNt/ ++dAMbzGIlDuJELwn0g== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_crlite_preexisting.js b/security/manager/ssl/tests/unit/test_crlite_preexisting.js new file mode 100644 index 0000000000..c788a11b54 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_preexisting.js @@ -0,0 +1,208 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +// Tests that starting a profile with a preexisting CRLite filter and stash +// works correctly. + +"use strict"; + +add_task(async function test_preexisting_crlite_data() { + Services.prefs.setIntPref( + "security.pki.crlite_mode", + CRLiteModeEnforcePrefValue + ); + + let certStorage = Cc["@mozilla.org/security/certstorage;1"].getService( + Ci.nsICertStorage + ); + + let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + // These need to be available to be able to find them during path building + // for certificate verification. + let issuerCert = constructCertFromFile("test_crlite_filters/issuer.pem"); + ok(issuerCert, "issuer certificate should decode successfully"); + let noSCTCertIssuer = constructCertFromFile( + "test_crlite_filters/no-sct-issuer.pem" + ); + ok( + noSCTCertIssuer, + "issuer certificate for certificate without SCTs should decode successfully" + ); + + let validCert = constructCertFromFile("test_crlite_filters/valid.pem"); + let revokedCert = constructCertFromFile("test_crlite_filters/revoked.pem"); + + // We didn't load a data.bin file, so the filter is not considered fresh and + // we should get a "no filter" result. We later test that CRLite considers + // this cert to be revoked. So success here shows that CRLite is not + // consulted when the filter is stale. + await checkCertErrorGenericAtTime( + certdb, + revokedCert, + PRErrorCodeSuccess, + certificateUsageSSLServer, + new Date("2020-10-20T00:00:00Z").getTime() / 1000, + false, + "us-datarecovery.com", + Ci.nsIX509CertDB.FLAG_LOCAL_ONLY + ); + + // Add an empty stash to ensure the filter is considered to be fresh. + await new Promise(resolve => { + certStorage.addCRLiteStash(new Uint8Array([]), (rv, _) => { + Assert.equal(rv, Cr.NS_OK, "marked filter as fresh"); + resolve(); + }); + }); + + // NB: by not specifying Ci.nsIX509CertDB.FLAG_LOCAL_ONLY, this tests that + // the implementation does not fall back to OCSP fetching, because if it + // did, the implementation would attempt to connect to a server outside the + // test infrastructure, which would result in a crash in the test + // environment, which would be treated as a test failure. + await checkCertErrorGenericAtTime( + certdb, + validCert, + PRErrorCodeSuccess, + certificateUsageSSLServer, + new Date("2020-10-20T00:00:00Z").getTime() / 1000, + false, + "vpn.worldofspeed.org", + 0 + ); + + // NB: by not specifying Ci.nsIX509CertDB.FLAG_LOCAL_ONLY, this tests that + // the implementation does not fall back to OCSP fetching, because if it + // did, the implementation would attempt to connect to a server outside the + // test infrastructure, which would result in a crash in the test + // environment, which would be treated as a test failure. + await checkCertErrorGenericAtTime( + certdb, + validCert, + PRErrorCodeSuccess, + certificateUsageSSLServer, + new Date("2020-10-20T00:00:00Z").getTime() / 1000, + false, + "vpn.worldofspeed.org", + 0 + ); + + await checkCertErrorGenericAtTime( + certdb, + revokedCert, + SEC_ERROR_REVOKED_CERTIFICATE, + certificateUsageSSLServer, + new Date("2020-10-20T00:00:00Z").getTime() / 1000, + false, + "us-datarecovery.com", + 0 + ); + + let revokedInStashCert = constructCertFromFile( + "test_crlite_filters/revoked-in-stash.pem" + ); + // The stash may not have loaded yet, so await a task that ensures the stash + // loading task has completed. + await new Promise(resolve => { + certStorage.hasPriorData( + Ci.nsICertStorage.DATA_TYPE_CRLITE_FILTER_INCREMENTAL, + (rv, _) => { + Assert.equal(rv, Cr.NS_OK, "hasPriorData should succeed"); + resolve(); + } + ); + }); + await checkCertErrorGenericAtTime( + certdb, + revokedInStashCert, + SEC_ERROR_REVOKED_CERTIFICATE, + certificateUsageSSLServer, + new Date("2020-10-20T00:00:00Z").getTime() / 1000, + false, + "stokedmoto.com", + 0 + ); + + let revokedInStash2Cert = constructCertFromFile( + "test_crlite_filters/revoked-in-stash-2.pem" + ); + await checkCertErrorGenericAtTime( + certdb, + revokedInStash2Cert, + SEC_ERROR_REVOKED_CERTIFICATE, + certificateUsageSSLServer, + new Date("2020-10-20T00:00:00Z").getTime() / 1000, + false, + "icsreps.com", + 0 + ); + + // This certificate has no embedded SCTs, so it is not guaranteed to be in + // CT, so CRLite can't be guaranteed to give the correct answer, so it is + // not consulted, and the implementation falls back to OCSP. Since the real + // OCSP responder can't be reached, this results in a + // SEC_ERROR_OCSP_SERVER_ERROR. + let noSCTCert = constructCertFromFile("test_crlite_filters/no-sct.pem"); + // NB: this will cause an OCSP request to be sent to localhost:80, but + // since an OCSP responder shouldn't be running on that port, this should + // fail safely. + Services.prefs.setCharPref("network.dns.localDomains", "ocsp.digicert.com"); + Services.prefs.setBoolPref("security.OCSP.require", true); + Services.prefs.setIntPref("security.OCSP.enabled", 1); + await checkCertErrorGenericAtTime( + certdb, + noSCTCert, + SEC_ERROR_OCSP_SERVER_ERROR, + certificateUsageSSLServer, + new Date("2020-10-20T00:00:00Z").getTime() / 1000, + false, + "mail233.messagelabs.com", + 0 + ); + Services.prefs.clearUserPref("network.dns.localDomains"); + Services.prefs.clearUserPref("security.OCSP.require"); + Services.prefs.clearUserPref("security.OCSP.enabled"); + + let notCoveredCert = constructCertFromFile( + "test_crlite_filters/notcovered.pem" + ); + await checkCertErrorGenericAtTime( + certdb, + notCoveredCert, + PRErrorCodeSuccess, + certificateUsageSSLServer, + new Date("2022-01-07T00:00:00Z").getTime() / 1000, + false, + "peekaboophonics.com", + Ci.nsIX509CertDB.FLAG_LOCAL_ONLY + ); +}); + +function run_test() { + let securityStateDirectory = do_get_profile(); + securityStateDirectory.append("security_state"); + // For simplicity, re-use the filter from test_crlite_filters.js. + let crilteFile = do_get_file("test_crlite_filters/20201017-0-filter"); + crilteFile.copyTo(securityStateDirectory, "crlite.filter"); + // This stash file and the following cert storage file were obtained by + // running just the task `test_crlite_filters_and_check_revocation` in + // test_crlite_filters.js, causing it to hang (by adding something like + // `add_test(() => {});`), and then copying the files from the temporary + // profile directory. + let stashFile = do_get_file("test_crlite_preexisting/crlite.stash"); + stashFile.copyTo(securityStateDirectory, "crlite.stash"); + let coverageFile = do_get_file("test_crlite_preexisting/crlite.coverage"); + coverageFile.copyTo(securityStateDirectory, "crlite.coverage"); + let enrollmentFile = do_get_file("test_crlite_preexisting/crlite.enrollment"); + enrollmentFile.copyTo(securityStateDirectory, "crlite.enrollment"); + let certStorageFile = do_get_file( + "test_crlite_preexisting/crlite.enrollment" + ); + certStorageFile.copyTo(securityStateDirectory, "crlite.enrollment"); + + run_next_test(); +} diff --git a/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.coverage b/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.coverage Binary files differnew file mode 100644 index 0000000000..2bd13319e5 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.coverage diff --git a/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.enrollment b/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.enrollment new file mode 100644 index 0000000000..7f34283ded --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.enrollment @@ -0,0 +1 @@ +3)û«Õ¤:Óf£õv¬œ 0ИëðëyæQ±ýý'ŽêŸïÕájfå¨é›à@(,v–~;ÕPÏ
\ No newline at end of file diff --git a/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.stash b/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.stash Binary files differnew file mode 100644 index 0000000000..25bd87d8eb --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.stash diff --git a/security/manager/ssl/tests/unit/test_crlite_stash_corrupted.js b/security/manager/ssl/tests/unit/test_crlite_stash_corrupted.js new file mode 100644 index 0000000000..707e2f400b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_stash_corrupted.js @@ -0,0 +1,91 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +// Tests that CRLite is left in the uninitialized state when the profile +// contains a corrupted stash file. + +"use strict"; + +add_task(async function test_crlite_stash_corrupted() { + let securityStateDirectory = do_get_profile(); + securityStateDirectory.append("security_state"); + + Services.prefs.setIntPref( + "security.pki.crlite_mode", + CRLiteModeEnforcePrefValue + ); + + let coverage = do_get_file("test_crlite_preexisting/crlite.coverage"); + coverage.copyTo(securityStateDirectory, "crlite.coverage"); + + let enrollment = do_get_file("test_crlite_preexisting/crlite.enrollment"); + enrollment.copyTo(securityStateDirectory, "crlite.enrollment"); + + let filter = do_get_file("test_crlite_filters/20201017-0-filter"); + filter.copyTo(securityStateDirectory, "crlite.filter"); + + let stash = do_get_file("test_crlite_corrupted/bad.stash"); + stash.copyTo(securityStateDirectory, "crlite.stash"); + + let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + + let certStorage = Cc["@mozilla.org/security/certstorage;1"].getService( + Ci.nsICertStorage + ); + + // Add an empty stash to ensure the filter is considered to be fresh. + await new Promise(resolve => { + certStorage.addCRLiteStash(new Uint8Array([]), (rv, _) => { + Assert.equal(rv, Cr.NS_OK, "marked filter as fresh"); + resolve(); + }); + }); + + // Await a task that ensures the stash loading task has completed. + await new Promise(resolve => { + certStorage.hasPriorData( + Ci.nsICertStorage.DATA_TYPE_CRLITE_FILTER_INCREMENTAL, + (rv, _) => { + Assert.equal(rv, Cr.NS_OK, "hasPriorData should succeed"); + resolve(); + } + ); + }); + + // This certificate is revoked according to `test_crlite_filters/20201017-0-filter`. + // Its issuer is enrolled according to `test_crlite_preexisting/crlite.enrollment`, + // and it is covered according to `test_crlite_preexisting/crlite.coverage`. + let revokedCert = constructCertFromFile("test_crlite_filters/revoked.pem"); + + // The issuer's certificate needs to be available for path building. + let issuerCert = constructCertFromFile("test_crlite_filters/issuer.pem"); + ok(issuerCert, "issuer certificate should decode successfully"); + + // Loading the stash should not have caused any problems, and `revokedCert` + // should be marked as revoked. + await checkCertErrorGenericAtTime( + certdb, + revokedCert, + SEC_ERROR_REVOKED_CERTIFICATE, + certificateUsageSSLServer, + new Date("2020-10-20T00:00:00Z").getTime() / 1000, + undefined, + "us-datarecovery.com", + 0 + ); + + let hasFilter = await new Promise(resolve => { + certStorage.hasPriorData( + Ci.nsICertStorage.DATA_TYPE_CRLITE_FILTER_FULL, + (rv, result) => { + Assert.equal(rv, Cr.NS_OK, "hasPriorData should succeed"); + resolve(result); + } + ); + }); + Assert.equal(hasFilter, true, "CRLite should have a filter"); +}); diff --git a/security/manager/ssl/tests/unit/test_ct.js b/security/manager/ssl/tests/unit/test_ct.js new file mode 100644 index 0000000000..1f436eb44d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ct.js @@ -0,0 +1,72 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +"use strict"; + +do_get_profile(); // must be called before getting nsIX509CertDB + +function expectCT(value) { + return securityInfo => { + Assert.equal( + securityInfo.certificateTransparencyStatus, + value, + "actual and expected CT status should match" + ); + }; +} + +registerCleanupFunction(() => { + Services.prefs.clearUserPref("security.pki.certificate_transparency.mode"); + let cert = constructCertFromFile("test_ct/ct-valid.example.com.pem"); + setCertTrust(cert, ",,"); +}); + +function run_test() { + Services.prefs.setIntPref("security.pki.certificate_transparency.mode", 1); + add_tls_server_setup("BadCertAndPinningServer", "test_ct"); + // These certificates have a validity period of 800 days, which is a little + // over 2 years and 2 months. This gets rounded down to 2 years (since it's + // less than 2 years and 3 months). Our policy requires N + 1 embedded SCTs, + // where N is 2 in this case. So, a policy-compliant certificate would have at + // least 3 SCTs. + add_connection_test( + "ct-valid.example.com", + PRErrorCodeSuccess, + null, + expectCT( + Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_POLICY_COMPLIANT + ) + ); + // This certificate has only 2 embedded SCTs, and so is not policy-compliant. + add_connection_test( + "ct-insufficient-scts.example.com", + PRErrorCodeSuccess, + null, + expectCT( + Ci.nsITransportSecurityInfo + .CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS + ) + ); + + // Test that if an end-entity is marked as a trust anchor, CT verification + // returns a "not enough SCTs" result. + add_test(() => { + let cert = constructCertFromFile("test_ct/ct-valid.example.com.pem"); + setCertTrust(cert, "CTu,,"); + clearSessionCache(); + run_next_test(); + }); + add_connection_test( + "ct-valid.example.com", + PRErrorCodeSuccess, + null, + expectCT( + Ci.nsITransportSecurityInfo + .CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS + ) + ); + + run_next_test(); +} diff --git a/security/manager/ssl/tests/unit/test_ct/ct-insufficient-scts.example.com.pem b/security/manager/ssl/tests/unit/test_ct/ct-insufficient-scts.example.com.pem new file mode 100644 index 0000000000..7aebc9f70d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ct/ct-insufficient-scts.example.com.pem @@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIEsjCCA5qgAwIBAgIUYWbExaEcWOn8VCnzXCrC8/k1M0swDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw +MjA0MDAwMDAwWjArMSkwJwYDVQQDDCBjdC1pbnN1ZmZpY2llbnQtc2N0cy5leGFt +cGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW +Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk +cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT +AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3 +ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh +s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV +A6zaGAo17Y0CAwEAAaOCAeEwggHdMBgGA1UdEQQRMA+CDSouZXhhbXBsZS5jb20w +ggG/BgorBgEEAdZ5AgQCBIIBrwSCAasBqQB2ACq4MEQzuRTe0vMeQgfyUcF6N6CS +aFLZCAIG+F5XORYqAAABUfp73AAAAAQDAEcwRQIgXHVRnxMRUM1dit4go7wGMJH/ +snN1XzFk7P3LQoAKcOYCIQDVZ32WWgV1l/Fgxh9REv8IbOX8UFt/Hb9l5PPQ6ERv +vAEvADEI9rbdchgH8BaVhE2FAla2cZNgg9u9OTSgUFJQGiiSAAABUfp73AAAAAQB +AQC3fH7lbEnVInbaJk/wI8y4jxueCV+P6nI00DtbVPVqsHBV4Oc1bFwdHkjlqn+w +fBRcLYSWr3UCRZiZmRdb0mCAV75u+WcvrtdM/eO6dAe7ox81xAUgDK1ncA9W5Lbz +PSyddearapxCdV/6Oq3JolXdIv1UlEHpMOP17rmHr1QZipLyDWpQQkeCNupETa1z +lsv1Md8rgLk+bOtTZkdzDnNiSvSA3LK3MsjUas+VWXDe7JAl5lsk9ZYRWI6rlA3K +1BHH9abwPEatD7WTOMSi0tZmeSF1q+EYyjRfWScJ4ju75/1yc0St1+xd8GO4JUKo +xN2308VafAxkSsDwfVBNGnH9MA0GCSqGSIb3DQEBCwUAA4IBAQBH2tCkLa+cF98t +SvbvzSy6sMkDOgjf+XOIF5mlpoCxwsd6lGzKeRyhNmakLUi66jFWFftCPXfFZYAO +AUw76bNx52iXoUokXS3Oh5uXzKO6JMI/jQnTftLD+KgLOWr4lCyNCFNZfXWPmYHM +fNA2zPwQKvReGI2hH7sD2TPY3DAQnmqjnmJaYt9DzQiT7VkmYSX5SJnFCO2LcZ6T +42EOgkj2145W1+9OC6DYJ9e9CErktB30uSUoNAyQyYuAllQFdhVTqvb/FrV4Pkqh +VPeTPjoeo+rtpQAqeZwVbcir4fBaKVNbZ4iCOvI1wDbGe0en2UnJyQ67135eayVb +ukqayAVP +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ct/ct-insufficient-scts.example.com.pem.certspec b/security/manager/ssl/tests/unit/test_ct/ct-insufficient-scts.example.com.pem.certspec new file mode 100644 index 0000000000..c40f26d5d8 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ct/ct-insufficient-scts.example.com.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test CA +subject:ct-insufficient-scts.example.com +extension:subjectAlternativeName:*.example.com +extension:embeddedSCTList:secp256r1:20160101,alternate:20160101 diff --git a/security/manager/ssl/tests/unit/test_ct/ct-valid.example.com.pem b/security/manager/ssl/tests/unit/test_ct/ct-valid.example.com.pem new file mode 100644 index 0000000000..cbd21c473b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ct/ct-valid.example.com.pem @@ -0,0 +1,34 @@ +-----BEGIN CERTIFICATE----- +MIIF1zCCBL+gAwIBAgIUY97zMq7V3aBaCVTHabfwACxYt6kwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw +MjA0MDAwMDAwWjAfMR0wGwYDVQQDDBRjdC12YWxpZC5leGFtcGxlLmNvbTCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ +6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUk +nAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N +/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAG +JMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd +7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEA +AaOCAxIwggMOMBgGA1UdEQQRMA+CDSouZXhhbXBsZS5jb20wggLwBgorBgEEAdZ5 +AgQCBIIC4ASCAtwC2gEvAFQiJZjzPTZIBULa7ODmuU3hXA7ujFkUykjXXjxIToA/ +AAABUfp73AAAAAQBAQAgzu642vgII0VnX+grl/4o2z1duGvqMcKtYf/Gs9mxKeyl +6DYlWMGPALkGX29oEyZwm/YX7jafTp7MraDiCvsVx/2xm+jmTcIC3l4cP9giAr6T +1+O4XvniBFhfmqfBJOXmmllELPhk/VU/FnYFJFXtm2HIOPRBoQiMrb2Kiam7nZ+T +Wtb8PggqK48NL9iU9gU9SmUFk5q3icGGXzEKorE1V91DIUhUkKSbEh9yKCL9Sqio +8IbWx5BP4vtuj69XzfT1qSLOburnewCfNE9BrBhCQ1tVsI4Ng2sFO+JEesPepw3d +11ePBboYVWBBxWvuZKL2eptjpaA+jTo4it/R9BowAHYAKrgwRDO5FN7S8x5CB/JR +wXo3oJJoUtkIAgb4Xlc5FioAAAFR+nvcAAAABAMARzBFAiBcdVGfExFQzV2K3iCj +vAYwkf+yc3VfMWTs/ctCgApw5gIhAIKEzUrlYjyiprBc8mlQ42D5RKJ8fIDAnesI +iYAZeorVAS8AMQj2tt1yGAfwFpWETYUCVrZxk2CD2705NKBQUlAaKJIAAAFR+nvc +AAAABAEBAEJAqEDjKXvbby+BCNUW9wbZ5j9YQE5nezooC87RG0tYpLSuFg69nInQ +mMMA8nNnkUxsZEOp79lsXP6QD8jMV1UKU8rUyIU2zhC230FTyssyQ1wNyA1WIMnl +y+bohLUToxyIlFv+h9DW5+uDhc1iw13NwNYC2w620XxvdjuPdfGnhtKvdEKJAe/E +GeQdAsLoYBVgMpg2PflwdenBFwdkgttr53rewaOve8977gdnOBvUc5O7dFW4cOcg +/wAriiQVW3BEO9v6jpE4SMm6j19hSUS8LMB6x+/DWv3bBUbfi+GyeR3Mb+VTHmAr +6tr7aAlP/OFDEdkLatOt7UNmV8AB+L4wDQYJKoZIhvcNAQELBQADggEBAIxKu0SR +1wK6CfynqtpSbtRKc8BSSLF12N1eWi+Gakkwr8n6iDKYu/Q2r0Mkxzalq3YROYPx +xd+joPjN2MRdzJNaEfCR963/JjfoO0LR8WLDiMlo/ml+ZZyfOwbyNAg+l5D8JrG2 +IS+/47GVfd1zzzX536nan2Y92kw+Dfw/WXzma3MRQ+CW8Uzqpi6qBAm+kr63TOn1 +qkTIdRL/uZ3dqNqlPQl0IjxPMqtwWAkDkjP9CL/DqTxXO6qSXTdHptBFi3ySSpn4 +lP3nJOWZ35dUDknAoNHO2Uo0PB9njtMsLhUMMY3FQJegq2PgXZJWZ6Zuu7vgKG7O +vjfRjUur20rum0g= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ct/ct-valid.example.com.pem.certspec b/security/manager/ssl/tests/unit/test_ct/ct-valid.example.com.pem.certspec new file mode 100644 index 0000000000..0ecf46d89c --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ct/ct-valid.example.com.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test CA +subject:ct-valid.example.com +extension:subjectAlternativeName:*.example.com +extension:embeddedSCTList:default:20160101,secp256r1:20160101,alternate:20160101 diff --git a/security/manager/ssl/tests/unit/test_ct/default-ee.key b/security/manager/ssl/tests/unit/test_ct/default-ee.key new file mode 100644 index 0000000000..09e044f5e0 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ct/default-ee.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9 +braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI +eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6 +iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za +qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7 +LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs +2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs +VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s +JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI +r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz +iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg +SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R +TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N +gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp +xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r +ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR +3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY +EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs +2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb +WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo +tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl +rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2 +TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit +tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m +ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1 +NBinA5ZsT8d0v3QCr2xDJH9D +-----END PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/test_ct/default-ee.key.keyspec b/security/manager/ssl/tests/unit/test_ct/default-ee.key.keyspec new file mode 100644 index 0000000000..4ad96d5159 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ct/default-ee.key.keyspec @@ -0,0 +1 @@ +default diff --git a/security/manager/ssl/tests/unit/test_ct/default-ee.pem b/security/manager/ssl/tests/unit/test_ct/default-ee.pem new file mode 100644 index 0000000000..7dd59895af --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ct/default-ee.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDiTCCAnGgAwIBAgIUYS+fG1v+p3J2spZDRL6SSVpIFtcwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw +MjA0MDAwMDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0 +7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D +/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw +JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX +rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd +q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgcow +gccwgZAGA1UdEQSBiDCBhYIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tghUqLnBp +bm5pbmcuZXhhbXBsZS5jb22CKCouaW5jbHVkZS1zdWJkb21haW5zLnBpbm5pbmcu +ZXhhbXBsZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5zLnBpbm5pbmcuZXhhbXBs +ZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxo +b3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQB+1d8LT9Iaa3WShAqdo54BS4lg +0VHqQeAe7YlFzBjHLi62SRC8kMtn4CrAvtDGh+4xrfUHjkHMwxMhS2SBypPanccy +Hk2LtubcrE7tl0fexB2yfv3+oS5LnMaJ+6svWgq3i31g1YCNoCN+bdvxb3BMKdn5 +tV6OYrhCA/0CHjre34fC7DTb3AmBRSpoJf2QNanCrxi4Nau4TfWzHiUz+RwfDS2/ +Y5GV2rN0Wuw6vd4J5FtHl5G3ThtH+azD0INR9qI8zYtibjkzroXDzXcVXEOQqqtx +UE/ieCiIFKBtbITd2X0ae1MCfyKq3JULr8pWc90hUdSHnZ5OFnuU65s73qXJ +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ct/default-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ct/default-ee.pem.certspec new file mode 100644 index 0000000000..554339ff52 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ct/default-ee.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test CA +subject:Test End-entity +extension:subjectAlternativeName:localhost,*.example.com,*.pinning.example.com,*.include-subdomains.pinning.example.com,*.exclude-subdomains.pinning.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/test_ct/test-ca.pem b/security/manager/ssl/tests/unit/test_ct/test-ca.pem new file mode 100644 index 0000000000..fcbb0fcb29 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ct/test-ca.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC0zCCAbugAwIBAgIUP6dLBbQh604kiwoRPLpqmHj72UQwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw +MjA0MDAwMDAwWjASMRAwDgYDVQQDDAdUZXN0IENBMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRME +BTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAP1Cj8YbMVIjc +8gaNVwru/NzEZsKjsxt6Iv0iWtHgexzoZnj82GzzgpnEtNz8bfTQvaImdkCHXYoV +wt7BY9ocZBacAPB3QMKF4prgkxwfD+ub6ckbf61o9Vq2aCZdFqO6ef3ji5dkWYBb +zfuQhmVU3RIvl09ajs4PPDmYp3ebiax2xVcBlP+fuDAeRX5y60yJf6eyNCVbC3M6 +OilriARv855NdhLWagwGX24+dP70HZUvISi/xSW+DNHWndqf1DcCnLreFEDq8F80 +hMCFsmJJEu0uqVFGQfItYlywBC0DJ3EU6votzgMuNa4rGBrMUJnHhzoEE0ISnrWk +iAobTR3jsQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ct/test-ca.pem.certspec b/security/manager/ssl/tests/unit/test_ct/test-ca.pem.certspec new file mode 100644 index 0000000000..5d2435d7bb --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ct/test-ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test CA +subject:Test CA +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_data_storage.js b/security/manager/ssl/tests/unit/test_data_storage.js new file mode 100644 index 0000000000..89d6c2f965 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_data_storage.js @@ -0,0 +1,119 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +"use strict"; + +do_get_profile(); // must be done before instantiating nsIDataStorageManager + +let dataStorageManager = Cc[ + "@mozilla.org/security/datastoragemanager;1" +].getService(Ci.nsIDataStorageManager); +let dataStorage = dataStorageManager.get( + Ci.nsIDataStorageManager.ClientAuthRememberList +); + +add_task(function test_data_storage() { + // Test putting a simple key/value pair. + dataStorage.put("test", "value", Ci.nsIDataStorage.Persistent); + Assert.equal(dataStorage.get("test", Ci.nsIDataStorage.Persistent), "value"); + + // Test that getting a value with the same key but of a different type throws. + Assert.throws( + () => dataStorage.get("test", Ci.nsIDataStorage.Private), + /NS_ERROR_NOT_AVAILABLE/, + "getting a value of a type that hasn't been set yet should throw" + ); + + // Put with Private data shouldn't affect Persistent data + dataStorage.put("test", "private", Ci.nsIDataStorage.Private); + Assert.equal(dataStorage.get("test", Ci.nsIDataStorage.Private), "private"); + Assert.equal(dataStorage.get("test", Ci.nsIDataStorage.Persistent), "value"); + + // Put of a previously-present key overwrites it (if of the same type) + dataStorage.put("test", "new", Ci.nsIDataStorage.Persistent); + Assert.equal(dataStorage.get("test", Ci.nsIDataStorage.Persistent), "new"); + + // Removal should work + dataStorage.remove("test", Ci.nsIDataStorage.Persistent); + Assert.throws( + () => dataStorage.get("test", Ci.nsIDataStorage.Persistent), + /NS_ERROR_NOT_AVAILABLE/, + "getting a removed value should throw" + ); + // But removing one type shouldn't affect the other + Assert.equal(dataStorage.get("test", Ci.nsIDataStorage.Private), "private"); + // Test removing the other type as well + dataStorage.remove("test", Ci.nsIDataStorage.Private); + Assert.throws( + () => dataStorage.get("test", Ci.nsIDataStorage.Private), + /NS_ERROR_NOT_AVAILABLE/, + "getting a removed value should throw" + ); + + // Saturate the storage tables (there is a maximum of 2048 entries for each + // type of data). + for (let i = 0; i < 2048; i++) { + let padded = i.toString().padStart(4, "0"); + dataStorage.put( + `key${padded}`, + `value${padded}`, + Ci.nsIDataStorage.Persistent + ); + dataStorage.put( + `key${padded}`, + `value${padded}`, + Ci.nsIDataStorage.Private + ); + } + // Ensure the data can be read back. + for (let i = 0; i < 2048; i++) { + let padded = i.toString().padStart(4, "0"); + let val = dataStorage.get(`key${padded}`, Ci.nsIDataStorage.Persistent); + Assert.equal(val, `value${padded}`); + val = dataStorage.get(`key${padded}`, Ci.nsIDataStorage.Private); + Assert.equal(val, `value${padded}`); + } + // Remove each entry. + for (let i = 0; i < 2048; i++) { + let padded = i.toString().padStart(4, "0"); + dataStorage.remove(`key${padded}`, Ci.nsIDataStorage.Persistent); + dataStorage.remove(`key${padded}`, Ci.nsIDataStorage.Private); + } + // Ensure the entries are not present. + for (let i = 0; i < 2048; i++) { + let padded = i.toString().padStart(4, "0"); + Assert.throws( + () => dataStorage.get(`key${padded}`, Ci.nsIDataStorage.Persistent), + /NS_ERROR_NOT_AVAILABLE/, + "getting a removed value should throw" + ); + Assert.throws( + () => dataStorage.get(`key${padded}`, Ci.nsIDataStorage.Private), + /NS_ERROR_NOT_AVAILABLE/, + "getting a removed value should throw" + ); + } + // Add new entries. + for (let i = 0; i < 2048; i++) { + let padded = i.toString().padStart(5, "1"); + dataStorage.put( + `key${padded}`, + `value${padded}`, + Ci.nsIDataStorage.Persistent + ); + dataStorage.put( + `key${padded}`, + `value${padded}`, + Ci.nsIDataStorage.Private + ); + } + // Ensure each new entry was added. + for (let i = 0; i < 2048; i++) { + let padded = i.toString().padStart(5, "1"); + let val = dataStorage.get(`key${padded}`, Ci.nsIDataStorage.Persistent); + Assert.equal(val, `value${padded}`); + val = dataStorage.get(`key${padded}`, Ci.nsIDataStorage.Private); + Assert.equal(val, `value${padded}`); + } +}); diff --git a/security/manager/ssl/tests/unit/test_db_format_pref_new.js b/security/manager/ssl/tests/unit/test_db_format_pref_new.js new file mode 100644 index 0000000000..9921948927 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_db_format_pref_new.js @@ -0,0 +1,30 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. +"use strict"; + +// Tests that when PSM initializes, we create the sqlite-backed certificate and +// key databases. + +function run_test() { + let profileDir = do_get_profile(); + let certificateDBFile = profileDir.clone(); + let certificateDBName = "cert9.db"; + certificateDBFile.append(certificateDBName); + ok( + !certificateDBFile.exists(), + `${certificateDBName} should not exist beforehand` + ); + let keyDBFile = profileDir.clone(); + let keyDBName = "key4.db"; + keyDBFile.append(keyDBName); + ok(!keyDBFile.exists(), `${keyDBName} should not exist beforehand`); + // This should start PSM. + Cc["@mozilla.org/psm;1"].getService(Ci.nsISupports); + ok( + certificateDBFile.exists(), + `${certificateDBName} should exist in the profile` + ); + ok(keyDBFile.exists(), `${keyDBName} should exist in the profile`); +} diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials.js b/security/manager/ssl/tests/unit/test_delegated_credentials.js new file mode 100644 index 0000000000..1bb6f70aad --- /dev/null +++ b/security/manager/ssl/tests/unit/test_delegated_credentials.js @@ -0,0 +1,91 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +// Tests handling of certificates marked as permitting delegated credentials + +function shouldBeDelegatedCredential(aTransportSecurityInfo) { + Assert.ok( + aTransportSecurityInfo.isDelegatedCredential, + "This host should have used a delegated credential" + ); +} + +function shouldNotBeDelegatedCredential(aTransportSecurityInfo) { + Assert.ok( + !aTransportSecurityInfo.isDelegatedCredential, + "This host should not have used a delegated credential" + ); +} + +do_get_profile(); + +add_tls_server_setup( + "DelegatedCredentialsServer", + "test_delegated_credentials" +); + +// Test: +// Server certificate supports DC +// Server DC support enabled +// Client DC support disabled +// Result: Successful connection without DC +add_test(function () { + clearSessionCache(); + Services.prefs.setBoolPref( + "security.tls.enable_delegated_credentials", + false + ); + run_next_test(); +}); +add_connection_test( + "delegated-enabled.example.com", + PRErrorCodeSuccess, + null, + shouldNotBeDelegatedCredential +); + +// Test: +// Server certificate does not support DC +// Server DC support enabled +// Client DC support enabled +// Result: SSL_ERROR_DC_INVALID_KEY_USAGE from client when +// checking DC against EE cert, no DC in aTransportSecurityInfo. +add_test(function () { + clearSessionCache(); + Services.prefs.setBoolPref("security.tls.enable_delegated_credentials", true); + run_next_test(); +}); +add_connection_test( + "standard-enabled.example.com", + SSL_ERROR_DC_INVALID_KEY_USAGE, + null, + // We'll never |mHaveCipherSuiteAndProtocol|, + // and therefore can't check IsDelegatedCredential + null +); + +// Test: +// Server certificate supports DC +// Server DC support disabled +// Client DC support enabled +// Result: Successful connection without DC +add_connection_test( + "delegated-disabled.example.com", + PRErrorCodeSuccess, + null, + shouldNotBeDelegatedCredential +); + +// Test: +// Server certificate supports DC +// Server DC support enabled +// Client DC support enabled +// Result: Successful connection with DC +add_connection_test( + "delegated-enabled.example.com", + PRErrorCodeSuccess, + null, + shouldBeDelegatedCredential +); diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.key b/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.key new file mode 100644 index 0000000000..a926a54efb --- /dev/null +++ b/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.key @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgIZFAPVcQvxWiZYGM +1C7W/t8JrdkteLGOeh6f65VSRwKhRANCAARPv7u7YeD4+bGmClmshwTi7AULQj48 +9y6SPyxPeUtFXCpp0jNFbDbEEZ0HBuAO7cjRk5DXmRt7LQejBOqgSqbA +-----END EC PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.key.keyspec b/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.key.keyspec new file mode 100644 index 0000000000..03c3ce198f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.key.keyspec @@ -0,0 +1 @@ +secp256r1 diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.pem b/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.pem new file mode 100644 index 0000000000..643688e5df --- /dev/null +++ b/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.pem @@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICSDCCATCgAwIBAgIUM6z+Vnq3HV8pHyv35ZBjz7giRBcwDQYJKoZIhvcNAQEL +BQAwLDEqMCgGA1UEAwwhZGVsZWdhdGVkLWNyZWRlbnRpYWwtaW50ZXJtZWRpYXRl +MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMBUxEzARBgNVBAMM +CmRlZmF1bHQtZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARPv7u7YeD4+bGm +ClmshwTi7AULQj489y6SPyxPeUtFXCpp0jNFbDbEEZ0HBuAO7cjRk5DXmRt7LQej +BOqgSqbAo0AwPjATBgNVHSUEDDAKBggrBgEFBQcDATAnBgNVHREEIDAeghxzdGFu +ZGFyZC1lbmFibGVkLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQBD7Waw +5pBh1oIJy1vaoLp3xo1SqC7YmisnqhQRCBd5BjCcPQwKPBZ9gzfi9rTXJu5/g/W+ +XAYBtc5AS+vThnQMwkgsXFvB4+LQIRrruHkh4chjgK+bK1Zqlvld/VmWewE+8nSA +NAhC+q5Jrc+Vls4uXKeKXX3pcHa+P7UVaVlG4vqVqulcZnaBAg4lNhLuobIF3CqU +DtRGgJ23JyafRuMp9V0/lee2oVsp7lCmuQyFk5dE8CI6FHcOUrWr6yvEdqOfXiWY +n9bGzGZQjs/oW5mXd7CJxkhdOiDhPVlysjWVtJ47ToFqbwd2YbfFKsK2CbiLuE7F +BAls8I6YO6+urMmz +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.pem.certspec b/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.pem.certspec new file mode 100644 index 0000000000..5ebe9b5ba7 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.pem.certspec @@ -0,0 +1,5 @@ +issuer:delegated-credential-intermediate +subjectKey:secp256r1 +subject:default-ee +extension:extKeyUsage:serverAuth +extension:subjectAlternativeName:standard-enabled.example.com diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/delegated-ee.pem b/security/manager/ssl/tests/unit/test_delegated_credentials/delegated-ee.pem new file mode 100644 index 0000000000..5166f297b1 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_delegated_credentials/delegated-ee.pem @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE----- +MIICiTCCAXGgAwIBAgIUOSRu0uvKSamln+G0KNOylpfxiI4wDQYJKoZIhvcNAQEL +BQAwLDEqMCgGA1UEAwwhZGVsZWdhdGVkLWNyZWRlbnRpYWwtaW50ZXJtZWRpYXRl +MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMBcxFTATBgNVBAMM +DGRlbGVnYXRlZC1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE+/u7th4Pj5 +saYKWayHBOLsBQtCPjz3LpI/LE95S0VcKmnSM0VsNsQRnQcG4A7tyNGTkNeZG3st +B6ME6qBKpsCjfzB9MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIFoDBI +BgNVHREEQTA/gh1kZWxlZ2F0ZWQtZW5hYmxlZC5leGFtcGxlLmNvbYIeZGVsZWdh +dGVkLWRpc2FibGVkLmV4YW1wbGUuY29tMA8GCSsGAQQBgtpLLAQCBQAwDQYJKoZI +hvcNAQELBQADggEBAF3K+ZdEK4Fr3YR1cX1kDH1wEO7H/2cchr9bwgOrGW3h/7yR +ZHgtju9C+nXqZIz/d1MEMYVtvz/V6HMlS4S35/E/KNn+cIC196F7LoRighKStVb6 +u6RrWNaQHNV8uXLkcWMyCoWjMhwGLy7azgEysRyfP2/GNrGeUPY08oaz39m0mkYo +eTcWUgrU7/dpVp15KqsmgwirCUxqPeMc9wWZ3/RvbblyOkIyMtbQGOAzdYysMm0J +mZwQZUCCiuOqBIzb0EcrOT8cTkD1AbHGGUoNbq6Y+7TEnLDknMYNAhVzDlJWutnu +qx2u2T7JJPjBax3JOHw92onalNphd1RmK7Mn8fs= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/delegated-ee.pem.certspec b/security/manager/ssl/tests/unit/test_delegated_credentials/delegated-ee.pem.certspec new file mode 100644 index 0000000000..e90fa3b646 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_delegated_credentials/delegated-ee.pem.certspec @@ -0,0 +1,7 @@ +issuer:delegated-credential-intermediate +subject:delegated-ee +subjectKey:secp256r1 +extension:extKeyUsage:serverAuth +extension:keyUsage:digitalSignature,keyEncipherment +extension:subjectAlternativeName:delegated-enabled.example.com,delegated-disabled.example.com +extension:delegationUsage: diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key b/security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key new file mode 100644 index 0000000000..1c1af40bda --- /dev/null +++ b/security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key @@ -0,0 +1,6 @@ +-----BEGIN EC PRIVATE KEY----- +MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDADXHobENn6/oN7ZK2S +8i9c7QeJGGU4ZptcbYcs7D2SYSKzk3crV2Av8xNl7+E5MkahZANiAAShaHJDNitc +exiJ83kVRhWhxz+0je6GPgIpFdtgjiUt5LcTLajOmOgxU05qnAwLCcjWOa3oMgbl +uoE0c6EfozDgXajJbkOD/ieHPalxA74oiM/wAvBa9xof3cyDdKpuqc4= +-----END EC PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key.keyspec b/security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key.keyspec new file mode 100644 index 0000000000..11f041d996 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key.keyspec @@ -0,0 +1 @@ +secp384r1 diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/test-ca.pem b/security/manager/ssl/tests/unit/test_delegated_credentials/test-ca.pem new file mode 100644 index 0000000000..7cf1b3f500 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_delegated_credentials/test-ca.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC8zCCAdugAwIBAgIUH9EGlBnFySBNYtqAPDhu3DjZpz8wDQYJKoZIhvcNAQEL +BQAwIjEgMB4GA1UEAwwXZGVsZWdhdGVkLWNyZWRlbnRpYWwtY2EwIhgPMjAyMjEx +MjcwMDAwMDBaGA8yMDI1MDIwNDAwMDAwMFowIjEgMB4GA1UEAwwXZGVsZWdhdGVk +LWNyZWRlbnRpYWwtY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6 +iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr +4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP +8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OI +Q+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ +77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5J +I/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQD +AgEGMA0GCSqGSIb3DQEBCwUAA4IBAQAdL3peE+U6IfA/hY4/LW0+wm98/Sd6NHUL +WZEfdQsL/8q2mcSIA5vHpj0fyZr/WgKUClhrpoH5pB8D0HRU+tPcSdqBDgAVeU99 +G+Kx9JvKUn2mnGvFnypZ7Hr1Gg6pBm5kXlvw3+aFoLwI8AVbLJPVzIRJ4KYN9jap +YjjklT4OCbFIiRshTniW4FRYveFPXIoQ0rigLVTZ3lW/iywQ9D3g9EXmleqOV+eY +6aKGcLJC4JnRW58Yf4G2DLOdv2MMJBdF+FAw4YlVYvJbRYq3pbF640lteUXuHBSB +3jXIYCwJedNHiFYoqAzbxRxNs1iaVy5T1ezUe1AqS+vbbZSIyrNl +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/test-ca.pem.certspec b/security/manager/ssl/tests/unit/test_delegated_credentials/test-ca.pem.certspec new file mode 100644 index 0000000000..91227f5da0 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_delegated_credentials/test-ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:delegated-credential-ca +subject:delegated-credential-ca +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/test-int.pem b/security/manager/ssl/tests/unit/test_delegated_credentials/test-int.pem new file mode 100644 index 0000000000..8675316243 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_delegated_credentials/test-int.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIC/TCCAeWgAwIBAgIUMcoNwk27t3m9TJXuVhJUt9CVSncwDQYJKoZIhvcNAQEL +BQAwIjEgMB4GA1UEAwwXZGVsZWdhdGVkLWNyZWRlbnRpYWwtY2EwIhgPMjAyMjEx +MjcwMDAwMDBaGA8yMDI1MDIwNDAwMDAwMFowLDEqMCgGA1UEAwwhZGVsZWdhdGVk +LWNyZWRlbnRpYWwtaW50ZXJtZWRpYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf +vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb +uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S +O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR +3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv +5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRMEBTADAQH/ +MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAMBXGP30H7gJBhgh/g1xr +ttnV64iLBe671nDogay6wnSvXvpIRT1Io98Z13YRknPUpMu0q0Ci75NGQx2cJzZA +jw6WjWFNqUCB1anTUKiAHAZq/PMndK1qpiKkKEDqrkW2sEApysSaSKCx3UR1qgwr +TMcO03VHJCw2bH7ReYf5/C+K83dgCNf0MHfJxqdLE5EDgm644a/BfKV5PoXDB6Yo +O02e99drimfXZ1ogFmCFwYgoaO33jQI8RGUaHzclbpFHeAApnd42WzDKpR2yrlGW +2JfUwkmr1R9zbNGPw1PeVS60iubte9EXx9zxvl7iM4DZ8h/VDVsrAJJ8DvxRv8H+ +Gg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/test-int.pem.certspec b/security/manager/ssl/tests/unit/test_delegated_credentials/test-int.pem.certspec new file mode 100644 index 0000000000..64cc4e5693 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_delegated_credentials/test-int.pem.certspec @@ -0,0 +1,4 @@ +issuer:delegated-credential-ca +subject:delegated-credential-intermediate +extension:basicConstraints:cA, +extension:keyUsage:keyCertSign,cRLSign diff --git a/security/manager/ssl/tests/unit/test_der.js b/security/manager/ssl/tests/unit/test_der.js new file mode 100644 index 0000000000..2d125488e9 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_der.js @@ -0,0 +1,345 @@ +/* Any copyright is dedicated to the Public Domain. + * http://creativecommons.org/publicdomain/zero/1.0/ */ + +"use strict"; + +// Tests DER.jsm functionality. + +// Until DER.jsm is actually used in production code, this is where we have to +// import it from. +var { DER } = ChromeUtils.importESModule( + "resource://gre/modules/psm/DER.sys.mjs" +); + +function run_simple_tests() { + throws( + () => new DER.DERDecoder("this is not an array"), + /invalid input/, + "should throw given non-array input" + ); + + let testReadByte = new DER.DERDecoder([0x0a, 0x0b]); + equal(testReadByte.readByte(), 0x0a, "should read 0x0a"); + equal(testReadByte.readByte(), 0x0b, "should read 0x0b"); + throws( + () => testReadByte.readByte(), + /data truncated/, + "reading more data than is available should fail" + ); + + let testReadBytes = new DER.DERDecoder([0x0c, 0x0d, 0x0e]); + deepEqual( + testReadBytes.readBytes(3), + [0x0c, 0x0d, 0x0e], + "should read correct sequence of bytes" + ); + + let testReadNegativeBytes = new DER.DERDecoder([0xff, 0xaf]); + throws( + () => testReadNegativeBytes.readBytes(-4), + /invalid length/, + "reading a negative number of bytes should fail" + ); + + let testReadZeroBytes = new DER.DERDecoder([]); + equal( + testReadZeroBytes.readBytes(0).length, + 0, + "reading zero bytes should result in a zero-length array" + ); + + let testReadTooManyBytes = new DER.DERDecoder([0xab, 0xcd, 0xef]); + throws( + () => testReadTooManyBytes.readBytes(4), + /data truncated/, + "reading too many bytes should fail" + ); + + let testSEQUENCE = new DER.DERDecoder([0x30, 0x01, 0x01]); + let content = testSEQUENCE.readTagAndGetContents(DER.SEQUENCE); + equal(content.length, 1, "content should have length 1"); + equal(content[0], 1, "value of content should be [1]"); + ok(testSEQUENCE.atEnd(), "testSEQUENCE should be at the end of its input"); + testSEQUENCE.assertAtEnd(); + + // The length purports to be 4 bytes, but there are only 2 available. + let truncatedSEQUENCE = new DER.DERDecoder([0x30, 0x04, 0x00, 0x00]); + throws( + () => truncatedSEQUENCE.readTagAndGetContents(DER.SEQUENCE), + /data truncated/, + "should get 'data truncated' error" + ); + + // With 2 bytes of content, there is 1 remaining after reading the content. + let extraDataSEQUENCE = new DER.DERDecoder([0x30, 0x02, 0xab, 0xcd, 0xef]); + content = extraDataSEQUENCE.readTagAndGetContents(DER.SEQUENCE); + equal(content.length, 2, "content should have length 2"); + deepEqual(content, [0xab, 0xcd], "value of content should be [0xab, 0xcd]"); + ok( + !extraDataSEQUENCE.atEnd(), + "extraDataSEQUENCE should not be at the end of its input" + ); + throws( + () => extraDataSEQUENCE.assertAtEnd(), + /extra data/, + "should get 'extra data' error" + ); + + // The length of 0x81 0x01 is invalid because it could be encoded as just + // 0x01, which is shorter. + let invalidLengthSEQUENCE1 = new DER.DERDecoder([0x30, 0x81, 0x01, 0x00]); + throws( + () => invalidLengthSEQUENCE1.readTagAndGetContents(DER.SEQUENCE), + /invalid length/, + "should get 'invalid length' error" + ); + + // Similarly, 0x82 0x00 0x01 could be encoded as just 0x01, which is shorter. + let invalidLengthSEQUENCE2 = new DER.DERDecoder([ + 0x30, 0x82, 0x00, 0x01, 0x00, + ]); + throws( + () => invalidLengthSEQUENCE2.readTagAndGetContents(DER.SEQUENCE), + /invalid length/, + "should get 'invalid length' error" + ); + + // Lengths requiring 4 bytes to encode are not supported. + let unsupportedLengthSEQUENCE = new DER.DERDecoder([ + 0x30, 0x83, 0x01, 0x01, 0x01, + ]); + throws( + () => unsupportedLengthSEQUENCE.readTagAndGetContents(DER.SEQUENCE), + /unsupported length/, + "should get 'unsupported length' error" + ); + + // Indefinite lengths are not supported (and aren't DER anyway). + let unsupportedASN1SEQUENCE = new DER.DERDecoder([ + 0x30, 0x80, 0x01, 0x00, 0x00, + ]); + throws( + () => unsupportedASN1SEQUENCE.readTagAndGetContents(DER.SEQUENCE), + /unsupported asn.1/, + "should get 'unsupported asn.1' error" + ); + + let unexpectedTag = new DER.DERDecoder([0x31, 0x01, 0x00]); + throws( + () => unexpectedTag.readTagAndGetContents(DER.SEQUENCE), + /unexpected tag/, + "should get 'unexpected tag' error" + ); + + let readTLVTestcase = new DER.DERDecoder([0x02, 0x03, 0x45, 0x67, 0x89]); + let bytes = readTLVTestcase.readTLV(); + deepEqual( + bytes, + [0x02, 0x03, 0x45, 0x67, 0x89], + "bytes read with readTLV should be equal to expected value" + ); + + let peekTagTestcase = new DER.DERDecoder([0x30, 0x01, 0x00]); + ok( + peekTagTestcase.peekTag(DER.SEQUENCE), + "peekTag should return true for peeking with a SEQUENCE at a SEQUENCE" + ); + ok( + !peekTagTestcase.peekTag(DER.SET), + "peekTag should return false for peeking with a SET at a SEQUENCE" + ); + peekTagTestcase.readTLV(); + ok( + !peekTagTestcase.peekTag(DER.SEQUENCE), + "peekTag should return false for peeking at a DER with no more data" + ); + + let tlvChoiceTestcase = new DER.DERDecoder([0x31, 0x02, 0xaa, 0xbb]); + let tlvChoiceContents = tlvChoiceTestcase.readTLVChoice([DER.NULL, DER.SET]); + deepEqual( + tlvChoiceContents, + [0x31, 0x02, 0xaa, 0xbb], + "readTLVChoice should return expected bytes" + ); + + let tlvChoiceNoMatchTestcase = new DER.DERDecoder([0x30, 0x01, 0xff]); + throws( + () => tlvChoiceNoMatchTestcase.readTLVChoice([DER.NULL, DER.SET]), + /unexpected tag/, + "readTLVChoice should throw if no matching tag is found" + ); +} + +function run_bit_string_tests() { + let bitstringDER = new DER.DERDecoder([0x03, 0x04, 0x03, 0x01, 0x02, 0xf8]); + let bitstring = bitstringDER.readBIT_STRING(); + equal(bitstring.unusedBits, 3, "BIT STRING should have 3 unused bits"); + deepEqual( + bitstring.contents, + [0x01, 0x02, 0xf8], + "BIT STRING should have expected contents" + ); + + let bitstringTooManyUnusedBits = new DER.DERDecoder([0x03, 0x02, 0x08, 0x00]); + throws( + () => bitstringTooManyUnusedBits.readBIT_STRING(), + /invalid BIT STRING encoding/, + "BIT STRING with too many unused bits should throw" + ); + + // A BIT STRING must have the unused bits byte, and so its length must be at + // least one. + let bitstringMissingUnusedBits = new DER.DERDecoder([0x03, 0x00]); + throws( + () => bitstringMissingUnusedBits.readBIT_STRING(), + /invalid BIT STRING encoding/, + "BIT STRING with missing unused bits (and no contents) should throw" + ); + + // The minimal BIT STRING is 03 01 00 (zero bits of padding and zero bytes of + // content). + let minimalBitstringDER = new DER.DERDecoder([0x03, 0x01, 0x00]); + let minimalBitstring = minimalBitstringDER.readBIT_STRING(); + equal( + minimalBitstring.unusedBits, + 0, + "minimal BIT STRING should have 0 unused bits" + ); + equal( + minimalBitstring.contents.length, + 0, + "minimal BIT STRING should have empty contents" + ); + + // However, a BIT STRING with zero bytes of content can't have any padding, + // because that makes no sense. + let noContentsPaddedBitstringDER = new DER.DERDecoder([0x03, 0x01, 0x03]); + throws( + () => noContentsPaddedBitstringDER.readBIT_STRING(), + /invalid BIT STRING encoding/, + "BIT STRING with no contents with non-zero padding should throw" + ); +} + +function run_compound_tests() { + let derBytes = [ + 0x30, + 0x1a, // SEQUENCE + 0x02, + 0x02, + 0x77, + 0xff, // INTEGER + 0x06, + 0x03, + 0x2b, + 0x01, + 0x01, // OBJECT IDENTIFIER + 0x30, + 0x07, // SEQUENCE + 0x05, + 0x00, // NULL + 0x02, + 0x03, + 0x45, + 0x46, + 0x47, // INTEGER + 0x30, + 0x06, // SEQUENCE + 0x02, + 0x02, + 0x00, + 0xff, // INTEGER + 0x05, + 0x00, + ]; // NULL + let der = new DER.DERDecoder(derBytes); + let contents = new DER.DERDecoder(der.readTagAndGetContents(DER.SEQUENCE)); + let firstINTEGER = contents.readTagAndGetContents(DER.INTEGER); + deepEqual( + firstINTEGER, + [0x77, 0xff], + "first INTEGER should have expected value" + ); + let oid = contents.readTagAndGetContents(DER.OBJECT_IDENTIFIER); + deepEqual( + oid, + [0x2b, 0x01, 0x01], + "OBJECT IDENTIFIER should have expected value" + ); + + let firstNested = new DER.DERDecoder( + contents.readTagAndGetContents(DER.SEQUENCE) + ); + let firstNestedNULL = firstNested.readTagAndGetContents(DER.NULL); + equal( + firstNestedNULL.length, + 0, + "first nested NULL should have expected value (empty array)" + ); + let firstNestedINTEGER = firstNested.readTagAndGetContents(DER.INTEGER); + deepEqual( + firstNestedINTEGER, + [0x45, 0x46, 0x47], + "first nested INTEGER should have expected value" + ); + firstNested.assertAtEnd(); + + let secondNested = new DER.DERDecoder( + contents.readTagAndGetContents(DER.SEQUENCE) + ); + let secondNestedINTEGER = secondNested.readTagAndGetContents(DER.INTEGER); + deepEqual( + secondNestedINTEGER, + [0x00, 0xff], + "second nested INTEGER should have expected value" + ); + let secondNestedNULL = secondNested.readTagAndGetContents(DER.NULL); + equal( + secondNestedNULL.length, + 0, + "second nested NULL should have expected value (empty array)" + ); + secondNested.assertAtEnd(); + + contents.assertAtEnd(); + der.assertAtEnd(); + + let invalidDERBytes = [ + 0x30, + 0x06, // SEQUENCE + 0x30, + 0x02, // SEQUENCE + 0x02, + 0x01, // INTEGER (missing data) + 0x05, + 0x00, // NULL + 0x00, + 0x00, + ]; // (extra data) + let invalidDER = new DER.DERDecoder(invalidDERBytes); + let invalidContents = new DER.DERDecoder( + invalidDER.readTagAndGetContents(DER.SEQUENCE) + ); + let invalidContentsContents = new DER.DERDecoder( + invalidContents.readTagAndGetContents(DER.SEQUENCE) + ); + throws( + () => invalidContentsContents.readTagAndGetContents(DER.INTEGER), + /data truncated/, + "should throw due to missing data" + ); + let nestedNULL = invalidContents.readTagAndGetContents(DER.NULL); + equal(nestedNULL.length, 0, "nested NULL should have expected value"); + invalidContents.assertAtEnd(); + throws( + () => invalidDER.assertAtEnd(), + /extra data/, + "should throw due to extra data" + ); +} + +function run_test() { + run_simple_tests(); + run_bit_string_tests(); + run_compound_tests(); +} diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello.js b/security/manager/ssl/tests/unit/test_encrypted_client_hello.js new file mode 100644 index 0000000000..945a9ea83f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello.js @@ -0,0 +1,101 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +// Tests handling of Encrypted Client Hello. These ECHConfigs +// can be regenerated by running EncryptedClientHelloServer +// and dumping the output of SSL_EncodeEchConfig. They do not +// expire. An update here is only needed if the host or ECH +// ciphersuite configuration changes, or if the keypair in +// EncryptedClientHelloServer.cpp is modified. + +// Public name: ech-public.example.com +const ECH_CONFIG_FIXED = + "AEn+DQBFTQAgACCKB1Y5SfrGIyk27W82xPpzWTDs3q72c04xSurDWlb9CgAEAAEAA2QWZWNoLXB1YmxpYy5leGFtcGxlLmNvbQAA"; + +// Public name: ech-public.example.com, Unsupported AEAD to prompt retry_configs from a trusted host. +const ECH_CONFIG_TRUSTED_RETRY = + "AEn+DQBFTQAgACCKB1Y5SfrGIyk27W82xPpzWTDs3q72c04xSurDWlb9CgAEAAMAA2QWZWNoLXB1YmxpYy5leGFtcGxlLmNvbQAA"; + +// Public name: selfsigned.example.com. Unsupported AEAD to prompt retry_configs from an untrusted host. +const ECH_CONFIG_UNTRUSTED_RETRY = + "AEn+DQBFTQAgACCKB1Y5SfrGIyk27W82xPpzWTDs3q72c04xSurDWlb9CgAEAAMAA2QWc2VsZnNpZ25lZC5leGFtcGxlLmNvbQAA"; + +function shouldBeAcceptedEch(aTransportSecurityInfo) { + Assert.ok( + aTransportSecurityInfo.isAcceptedEch, + "This host should have accepted ECH" + ); + Assert.ok( + !aTransportSecurityInfo.usedPrivateDNS, + "This connection does not use DoH" + ); +} + +function shouldBeRejectedEch(aTransportSecurityInfo) { + Assert.ok( + !aTransportSecurityInfo.isAcceptedEch, + "This host should have rejected ECH" + ); + Assert.ok( + !aTransportSecurityInfo.usedPrivateDNS, + "This connection does not use DoH" + ); +} + +do_get_profile(); + +add_tls_server_setup( + "EncryptedClientHelloServer", + "test_encrypted_client_hello" +); + +// Connect directly without ECH first +add_connection_test( + "ech-public.example.com", + PRErrorCodeSuccess, + null, + shouldBeRejectedEch +); + +// Connect with ECH +add_connection_test( + "ech-private.example.com", + PRErrorCodeSuccess, + null, + shouldBeAcceptedEch, + null, + null, + ECH_CONFIG_FIXED +); + +// Trigger retry_configs by setting an ECHConfig with a different. +// AEAD than the server supports. +add_connection_test( + "ech-private.example.com", + SSL_ERROR_ECH_RETRY_WITH_ECH, + null, + null, + null, + null, + ECH_CONFIG_TRUSTED_RETRY +); + +// Trigger retry_configs, but from a host that is untrusted +// (due to a self-signed certificate for the public name). +// Retry_configs must not be used or reported as available. +add_connection_test( + "ech-private.example.com", + MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT, + null, + null, + null, + null, + ECH_CONFIG_UNTRUSTED_RETRY +); + +// A client-only (retry_without_ech) test is located in +// test_encrypted_client_hello_client_only.js We can't easily restart +// a different server (one without ECHConfigs) here, so put that +// test in a different file that launches a non-ECH server. diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.key b/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.key new file mode 100644 index 0000000000..09e044f5e0 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9 +braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI +eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6 +iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za +qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7 +LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs +2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs +VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s +JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI +r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz +iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg +SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R +TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N +gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp +xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r +ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR +3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY +EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs +2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb +WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo +tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl +rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2 +TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit +tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m +ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1 +NBinA5ZsT8d0v3QCr2xDJH9D +-----END PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.key.keyspec b/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.key.keyspec new file mode 100644 index 0000000000..4ad96d5159 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.key.keyspec @@ -0,0 +1 @@ +default diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.pem b/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.pem new file mode 100644 index 0000000000..3798f9e7ac --- /dev/null +++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC4DCCAcigAwIBAgIUA30gCeGZUzW19TdSgFzEzsz99F4wDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZWNoLWNhMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy +MDQwMDAwMDBaMBgxFjAUBgNVBAMMDWVjaC1wdWJsaWMtZWUwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVo +V2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p +0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk +fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZh +W7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EI +TjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjJTAjMCEG +A1UdEQQaMBiCFmVjaC1wdWJsaWMuZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQAD +ggEBAAK/T2GpSqzGsq0GIEE5FOwdT0flR4EZF3qPfsBgnqoXuAgEV3kkk3i8Q9uj +GtZy6ZeVoglBNJyu2sk9cQqVBlFH5d8IPonMz00QH+hKVm1wctfrnpIAGI8LJ+I0 +sHuCpZ/UhCIjq1uGIRwk+tevQYEarK+v7yQKSg4ZfNjHJM9ANZdrJIny/CT9vHeY +eXLMpXVjtIQMb7kZhSV0lO+Rsgx1+Va0egAlDQXmlDvgVroZ0NvHYh/PVMpWeM5X +/NofY9aiZTA1mDRiPanEb4tydGhEhxAq0Fkrm+xrvTKZnTr4YiH30jijxdXCxqus +50tWhsXsfrotZo2HIPQidcBMyQg= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.pem.certspec b/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.pem.certspec new file mode 100644 index 0000000000..d5c332ceec --- /dev/null +++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.pem.certspec @@ -0,0 +1,3 @@ +issuer:ech-ca +subject:ech-public-ee +extension:subjectAlternativeName:ech-public.example.com diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.key b/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.key new file mode 100644 index 0000000000..09e044f5e0 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9 +braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI +eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6 +iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za +qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7 +LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs +2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs +VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s +JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI +r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz +iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg +SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R +TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N +gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp +xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r +ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR +3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY +EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs +2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb +WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo +tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl +rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2 +TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit +tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m +ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1 +NBinA5ZsT8d0v3QCr2xDJH9D +-----END PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.key.keyspec b/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.key.keyspec new file mode 100644 index 0000000000..4ad96d5159 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.key.keyspec @@ -0,0 +1 @@ +default diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.pem b/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.pem new file mode 100644 index 0000000000..956217345d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC4jCCAcqgAwIBAgIURclFOLehdaOiDnc45xBlvKkG+kowDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZWNoLWNhMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy +MDQwMDAwMDBaMBkxFzAVBgNVBAMMDmVjaC1wcml2YXRlLWVlMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1 +aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/we +adA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSS +pH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62W +YVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauR +CE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoyYwJDAi +BgNVHREEGzAZghdlY2gtcHJpdmF0ZS5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsF +AAOCAQEAj3KenVOhURkHCinDUd20aOG7Lx/sal+pyqrjZr5SNUZcblvrvZfNg7DB +K80PmoYKcbV00A26AQ85Kw58fvo/eZVQXPFjXjecD6ThNpQUhVGhbOdstf2NFTyY +nvLqMwMacLV8rw5yojzg+Ek+OUAYXDtkOWRONFxNoN/c1VsTJDgEXjtJ0lLl+yTf +z1A6jf0oAZkLImLSPxGDXwJEACteBzipgu7fUO1NdfNzzDyHKXeMtggP/pdzG2zN +ULiW5vWbQ1G1gd3j1CYLp9yjn2FKXsVXBYQe9a38h04yv/E+qMKUOIEdqq/QnOgY +F8fDOg4/pu9jp/yDgaA9kWHHg2viWw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.pem.certspec b/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.pem.certspec new file mode 100644 index 0000000000..c152462f0d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.pem.certspec @@ -0,0 +1,3 @@ +issuer:ech-ca +subject:ech-private-ee +extension:subjectAlternativeName:ech-private.example.com diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/selfsigned.pem b/security/manager/ssl/tests/unit/test_encrypted_client_hello/selfsigned.pem new file mode 100644 index 0000000000..dd7563e4ae --- /dev/null +++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/selfsigned.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDAzCCAeugAwIBAgIUU2XHQYKJ564qpSZWtC7yYzDkXOkwDQYJKoZIhvcNAQEL +BQAwJjEkMCIGA1UEAwwbU2VsZi1zaWduZWQgVGVzdCBFbmQtZW50aXR5MCIYDzIw +MjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMCYxJDAiBgNVBAMMG1NlbGYt +c2lnbmVkIFRlc3QgRW5kLWVudGl0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72x +nAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lM +wmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF +4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20 +yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xx +j5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMlMCMwIQYDVR0RBBowGIIWc2Vs +ZnNpZ25lZC5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAEKq/dqASIsY1 +VbcEGjEO8BIQTBVtHT0YThCI+nm1PjVU9rnS+5JxJBwC78pYturbF3Lxt7QdYBSu +bM7xCpWVRFcUy2yEXRtCq3JK3gPnyqSEs/t3QKT0xQkbW9KNLb1j/P6sZgaCIrgw +oNb1yxJ3erz7EwIFPPo0fv3pAkNEXiMc5n5qcKBbb2UObkXCG8kozQ8WlYL34ITo +QdYTnV1PFK9Vs6Rdnl3ZT4hvo1lG8DqavO/grDCTowdvC2z0as6bUlpTqBSC01/d +j0aMLR874A3ziqv5wrZMsZ4LHRds5oitYZ+2l5/ipzMIRhGOb+KcoFkugyPj+ygZ +58jtjJscEQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/selfsigned.pem.certspec b/security/manager/ssl/tests/unit/test_encrypted_client_hello/selfsigned.pem.certspec new file mode 100644 index 0000000000..438a08eba2 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/selfsigned.pem.certspec @@ -0,0 +1,3 @@ +issuer:Self-signed Test End-entity +subject:Self-signed Test End-entity +extension:subjectAlternativeName:selfsigned.example.com diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/test-ca.pem b/security/manager/ssl/tests/unit/test_encrypted_client_hello/test-ca.pem new file mode 100644 index 0000000000..bf6cdd61e4 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/test-ca.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC0TCCAbmgAwIBAgIUYW+Fuy67Xb3Ao+tju/Rkb1aDZigwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZWNoLWNhMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy +MDQwMDAwMDBaMBExDzANBgNVBAMMBmVjaC1jYTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl +qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg +w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx +V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1 +MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs +vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMdMBswDAYDVR0TBAUw +AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBAHlfXnUE2f8W5C5C +ezkHvHpItFTAi6YW73Xra0pLA5G1oL6PV4ep+TKQUTcXvHMMQSCKGHohn9SmyCLD +rMgACAdu8pRizKmqw8gqj63tg2m8WyHZt9sXg5MiV/MyQHGtdwfHSPKTAUzMkbrX +JK8zJVblKGjKEqu8EgUAop1N4D+1aga8BwZIfvMOJ5Xfkftz/6c+jhPnUWwBnIRw +rKX+zEXQJGo1fMWeODGoJeqbih0fxmmpKEXcBlLvuAxTbsG+nxpndfnKlvWsmtBw +pppdvWLEeEZsTYEmxvwAu7era3i+z9ce1Pxfo1YJEIZBG7zC1HpX2s3wQJOEMlX8 +7CIrA7I= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/test-ca.pem.certspec b/security/manager/ssl/tests/unit/test_encrypted_client_hello/test-ca.pem.certspec new file mode 100644 index 0000000000..1735a15075 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/test-ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:ech-ca +subject:ech-ca +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello_client_only.js b/security/manager/ssl/tests/unit/test_encrypted_client_hello_client_only.js new file mode 100644 index 0000000000..0949bc6038 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello_client_only.js @@ -0,0 +1,32 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +// Public Name = delegated-enabled.example.com +const ECH_CONFIG_FIXED = + "AFD+DQBMTQAgACCKB1Y5SfrGIyk27W82xPpzWTDs3q72c04xSurDWlb9CgAEAAEAA2QdZGVsZWdhdGVkLWVuYWJsZWQuZXhhbXBsZS5jb20AAA=="; +do_get_profile(); + +// An arbitrary, non-ECH server. +add_tls_server_setup( + "DelegatedCredentialsServer", + "test_delegated_credentials" +); + +add_test(function () { + clearSessionCache(); + run_next_test(); +}); + +// Connect, sending ECH. The server is not configured for it, +// but *is* authoritative for the public name. +add_connection_test( + "delegated-disabled.example.com", + SSL_ERROR_ECH_RETRY_WITHOUT_ECH, + null, + null, + null, + null, + ECH_CONFIG_FIXED +); diff --git a/security/manager/ssl/tests/unit/test_enterprise_roots.js b/security/manager/ssl/tests/unit/test_enterprise_roots.js new file mode 100644 index 0000000000..0483e44e45 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_enterprise_roots.js @@ -0,0 +1,83 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +"use strict"; + +// Tests enterprise root certificate support. When configured to do so, the +// platform will attempt to find and import enterprise root certificates. This +// feature is specific to Windows. + +do_get_profile(); // must be called before getting nsIX509CertDB + +const { TestUtils } = ChromeUtils.importESModule( + "resource://testing-common/TestUtils.sys.mjs" +); + +async function check_no_enterprise_roots_imported( + nssComponent, + certDB, + dbKey = undefined +) { + let enterpriseRoots = nssComponent.getEnterpriseRoots(); + notEqual(enterpriseRoots, null, "enterprise roots list should not be null"); + equal( + enterpriseRoots.length, + 0, + "should not have imported any enterprise roots" + ); + if (dbKey) { + let cert = certDB.findCertByDBKey(dbKey); + // If the garbage-collector hasn't run, there may be reachable copies of + // imported enterprise root certificates. If so, they shouldn't be trusted + // to issue TLS server auth certificates. + if (cert) { + await asyncTestCertificateUsages(certDB, cert, []); + } + } +} + +async function check_some_enterprise_roots_imported(nssComponent, certDB) { + let enterpriseRoots = nssComponent.getEnterpriseRoots(); + notEqual(enterpriseRoots, null, "enterprise roots list should not be null"); + notEqual( + enterpriseRoots.length, + 0, + "should have imported some enterprise roots" + ); + let foundNonBuiltIn = false; + let savedDBKey = null; + for (let certDer of enterpriseRoots) { + let cert = certDB.constructX509(certDer); + notEqual(cert, null, "should be able to decode cert from DER"); + if (!savedDBKey) { + foundNonBuiltIn = true; + savedDBKey = cert.dbKey; + info("saving dbKey from " + cert.commonName); + await asyncTestCertificateUsages(certDB, cert, [certificateUsageSSLCA]); + break; + } + } + ok(foundNonBuiltIn, "should have found non-built-in root"); + return savedDBKey; +} + +add_task(async function run_test() { + let nssComponent = Cc["@mozilla.org/psm;1"].getService(Ci.nsINSSComponent); + let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + nssComponent.getEnterpriseRoots(); // blocks until roots are loaded + await check_some_enterprise_roots_imported(nssComponent, certDB); + Services.prefs.setBoolPref("security.enterprise_roots.enabled", false); + await check_no_enterprise_roots_imported(nssComponent, certDB); + Services.prefs.setBoolPref("security.enterprise_roots.enabled", true); + await TestUtils.topicObserved("psm:enterprise-certs-imported"); + let savedDBKey = await check_some_enterprise_roots_imported( + nssComponent, + certDB + ); + Services.prefs.setBoolPref("security.enterprise_roots.enabled", false); + await check_no_enterprise_roots_imported(nssComponent, certDB, savedDBKey); +}); diff --git a/security/manager/ssl/tests/unit/test_ev_certs.js b/security/manager/ssl/tests/unit/test_ev_certs.js new file mode 100644 index 0000000000..f163623919 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs.js @@ -0,0 +1,310 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +"use strict"; + +// Tests that end-entity certificates that should successfully verify as EV +// (Extended Validation) do so and that end-entity certificates that should not +// successfully verify as EV do not. Also tests related situations (e.g. that +// failure to fetch an OCSP response results in no EV treatment). +// +// A quick note about the certificates in these tests: generally, an EV +// certificate chain will have an end-entity with a specific policy OID followed +// by an intermediate with the anyPolicy OID chaining to a root with no policy +// OID (since it's a trust anchor, it can be omitted). In these tests, the +// specific policy OID is 1.3.6.1.4.1.13769.666.666.666.1.500.9.1 and is +// referred to as the test OID. In order to reflect what will commonly be +// encountered, the end-entity of any given test path will have the test OID +// unless otherwise specified in the name of the test path. Similarly, the +// intermediate will have the anyPolicy OID, again unless otherwise specified. +// For example, for the path where the end-entity does not have an OCSP URI +// (referred to as "no-ocsp-ee-path-{ee,int}", the end-entity has the test OID +// whereas the intermediate has the anyPolicy OID. +// For another example, for the test OID path ("test-oid-path-{ee,int}"), both +// the end-entity and the intermediate have the test OID. + +do_get_profile(); // must be called before getting nsIX509CertDB +const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +registerCleanupFunction(() => { + Services.prefs.clearUserPref("network.dns.localDomains"); + Services.prefs.clearUserPref("security.OCSP.enabled"); +}); + +Services.prefs.setCharPref("network.dns.localDomains", "www.example.com"); +Services.prefs.setIntPref("security.OCSP.enabled", 1); +const evroot = addCertFromFile(certdb, "test_ev_certs/evroot.pem", "CTu,,"); +addCertFromFile(certdb, "test_ev_certs/non-evroot-ca.pem", "CTu,,"); + +const SERVER_PORT = 8888; + +function failingOCSPResponder() { + return getFailingHttpServer(SERVER_PORT, ["www.example.com"]); +} + +class EVCertVerificationResult { + constructor( + testcase, + expectedPRErrorCode, + expectedEV, + resolve, + ocspResponder + ) { + this.testcase = testcase; + this.expectedPRErrorCode = expectedPRErrorCode; + this.expectedEV = expectedEV; + this.resolve = resolve; + this.ocspResponder = ocspResponder; + } + + verifyCertFinished(prErrorCode, verifiedChain, hasEVPolicy) { + equal( + prErrorCode, + this.expectedPRErrorCode, + `${this.testcase} should have expected error code` + ); + equal( + hasEVPolicy, + this.expectedEV, + `${this.testcase} should result in expected EV status` + ); + this.ocspResponder.stop(this.resolve); + } +} + +function asyncTestEV( + cert, + expectedPRErrorCode, + expectedEV, + expectedOCSPRequestPaths, + ocspResponseTypes = undefined +) { + let now = Date.now() / 1000; + return new Promise((resolve, reject) => { + let ocspResponder = expectedOCSPRequestPaths.length + ? startOCSPResponder( + SERVER_PORT, + "www.example.com", + "test_ev_certs", + expectedOCSPRequestPaths, + expectedOCSPRequestPaths.slice(), + null, + ocspResponseTypes + ) + : failingOCSPResponder(); + let result = new EVCertVerificationResult( + cert.subjectName, + expectedPRErrorCode, + expectedEV, + resolve, + ocspResponder + ); + certdb.asyncVerifyCertAtTime( + cert, + certificateUsageSSLServer, + 0, + "ev-test.example.com", + now, + result + ); + }); +} + +function ensureVerifiesAsEV(testcase) { + let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`); + addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,"); + let expectedOCSPRequestPaths = [`${testcase}-ee`]; + return asyncTestEV( + cert, + PRErrorCodeSuccess, + gEVExpected, + expectedOCSPRequestPaths + ); +} + +function ensureVerifiesAsEVWithNoOCSPRequests(testcase) { + let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`); + addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,"); + return asyncTestEV(cert, PRErrorCodeSuccess, gEVExpected, []); +} + +function ensureVerifiesAsDV(testcase, expectedOCSPRequestPaths = undefined) { + let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`); + addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,"); + return asyncTestEV( + cert, + PRErrorCodeSuccess, + false, + expectedOCSPRequestPaths ? expectedOCSPRequestPaths : [`${testcase}-ee`] + ); +} + +function ensureVerificationFails(testcase, expectedPRErrorCode) { + let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`); + addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,"); + return asyncTestEV(cert, expectedPRErrorCode, false, []); +} + +function verifyWithFlags_LOCAL_ONLY_and_MUST_BE_EV(testcase, expectSuccess) { + let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`); + addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,"); + let now = Date.now() / 1000; + let expectedErrorCode = SEC_ERROR_POLICY_VALIDATION_FAILED; + if (expectSuccess && gEVExpected) { + expectedErrorCode = PRErrorCodeSuccess; + } + return new Promise((resolve, reject) => { + let ocspResponder = failingOCSPResponder(); + let result = new EVCertVerificationResult( + cert.subjectName, + expectedErrorCode, + expectSuccess && gEVExpected, + resolve, + ocspResponder + ); + let flags = + Ci.nsIX509CertDB.FLAG_LOCAL_ONLY | Ci.nsIX509CertDB.FLAG_MUST_BE_EV; + certdb.asyncVerifyCertAtTime( + cert, + certificateUsageSSLServer, + flags, + "ev-test.example.com", + now, + result + ); + }); +} + +function ensureNoOCSPMeansNoEV(testcase) { + return verifyWithFlags_LOCAL_ONLY_and_MUST_BE_EV(testcase, false); +} + +function ensureVerifiesAsEVWithFLAG_LOCAL_ONLY(testcase) { + return verifyWithFlags_LOCAL_ONLY_and_MUST_BE_EV(testcase, true); +} + +function verifyWithOCSPResponseType(testcase, response, expectEV) { + let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`); + addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,"); + let expectedOCSPRequestPaths = [`${testcase}-ee`]; + let ocspResponseTypes = [response]; + return asyncTestEV( + cert, + PRErrorCodeSuccess, + gEVExpected && expectEV, + expectedOCSPRequestPaths, + ocspResponseTypes + ); +} + +function ensureVerifiesAsDVWithOldEndEntityOCSPResponse(testcase) { + return verifyWithOCSPResponseType(testcase, "longvalidityalmostold", false); +} + +function ensureVerifiesAsDVWithVeryOldEndEntityOCSPResponse(testcase) { + return verifyWithOCSPResponseType(testcase, "ancientstillvalid", false); +} + +// These should all verify as EV. +add_task(async function plainExpectSuccessEVTests() { + await ensureVerifiesAsEV("anyPolicy-int-path"); + await ensureVerifiesAsEV("test-oid-path"); + await ensureVerifiesAsEV("cabforum-oid-path"); + await ensureVerifiesAsEV("cabforum-and-test-oid-ee-path"); + await ensureVerifiesAsEV("test-and-cabforum-oid-ee-path"); + await ensureVerifiesAsEV("reverse-order-oids-path"); + // In this case, the end-entity has both the CA/B Forum OID and the test OID + // (in that order). The intermediate has the CA/B Forum OID. Since the + // implementation tries all EV policies it encounters, this successfully + // verifies as EV. + await ensureVerifiesAsEV("cabforum-and-test-oid-ee-cabforum-oid-int-path"); + // In this case, the end-entity has both the test OID and the CA/B Forum OID + // (in that order). The intermediate has only the CA/B Forum OID. Since the + // implementation tries all EV policies it encounters, this successfully + // verifies as EV. + await ensureVerifiesAsEV("test-and-cabforum-oid-ee-cabforum-oid-int-path"); +}); + +// These fail for various reasons to verify as EV, but fallback to DV should +// succeed. +add_task(async function expectDVFallbackTests() { + await ensureVerifiesAsDV("anyPolicy-ee-path"); + await ensureVerifiesAsDV("non-ev-root-path"); + await ensureVerifiesAsDV("no-ocsp-ee-path", []); + await ensureVerifiesAsEV("no-ocsp-int-path"); + // In this case, the end-entity has the test OID and the intermediate has the + // CA/B Forum OID. Since the CA/B Forum OID is not treated the same as the + // anyPolicy OID, this will not verify as EV. + await ensureVerifiesAsDV("test-oid-ee-cabforum-oid-int-path"); +}); + +// Test that removing the trust bits from an EV root causes verifications +// relying on that root to fail (and then test that adding back the trust bits +// causes the verifications to succeed again). +add_task(async function evRootTrustTests() { + clearOCSPCache(); + info("untrusting evroot"); + certdb.setCertTrust( + evroot, + Ci.nsIX509Cert.CA_CERT, + Ci.nsIX509CertDB.UNTRUSTED + ); + await ensureVerificationFails("test-oid-path", SEC_ERROR_UNKNOWN_ISSUER); + info("re-trusting evroot"); + certdb.setCertTrust( + evroot, + Ci.nsIX509Cert.CA_CERT, + Ci.nsIX509CertDB.TRUSTED_SSL + ); + await ensureVerifiesAsEV("test-oid-path"); +}); + +// Test that if FLAG_LOCAL_ONLY and FLAG_MUST_BE_EV are specified, that no OCSP +// requests are made (this also means that nothing will verify as EV). +add_task(async function localOnlyMustBeEVTests() { + clearOCSPCache(); + await ensureNoOCSPMeansNoEV("anyPolicy-ee-path"); + await ensureNoOCSPMeansNoEV("anyPolicy-int-path"); + await ensureNoOCSPMeansNoEV("non-ev-root-path"); + await ensureNoOCSPMeansNoEV("no-ocsp-ee-path"); + await ensureNoOCSPMeansNoEV("no-ocsp-int-path"); + await ensureNoOCSPMeansNoEV("test-oid-path"); +}); + +// Prime the OCSP cache and then ensure that we can validate certificates as EV +// without hitting the network. There's two cases here: one where we simply +// validate like normal and then check that the network was never accessed and +// another where we use flags to mandate that the network not be used. +add_task(async function ocspCachingTests() { + clearOCSPCache(); + + await ensureVerifiesAsEV("anyPolicy-int-path"); + await ensureVerifiesAsEV("test-oid-path"); + + await ensureVerifiesAsEVWithNoOCSPRequests("anyPolicy-int-path"); + await ensureVerifiesAsEVWithNoOCSPRequests("test-oid-path"); + + await ensureVerifiesAsEVWithFLAG_LOCAL_ONLY("anyPolicy-int-path"); + await ensureVerifiesAsEVWithFLAG_LOCAL_ONLY("test-oid-path"); +}); + +// Old-but-still-valid OCSP responses are accepted for intermediates but not +// end-entity certificates (because of OCSP soft-fail this results in DV +// fallback). +add_task(async function oldOCSPResponseTests() { + clearOCSPCache(); + + clearOCSPCache(); + await ensureVerifiesAsDVWithOldEndEntityOCSPResponse("anyPolicy-int-path"); + await ensureVerifiesAsDVWithOldEndEntityOCSPResponse("test-oid-path"); + + clearOCSPCache(); + await ensureVerifiesAsDVWithVeryOldEndEntityOCSPResponse( + "anyPolicy-int-path" + ); + await ensureVerifiesAsDVWithVeryOldEndEntityOCSPResponse("test-oid-path"); +}); diff --git a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem new file mode 100644 index 0000000000..b4697cfe15 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDVzCCAj+gAwIBAgIUbwD0XgCeMxS5MOc0d8xmf9Gzx+kwDQYJKoZIhvcNAQEL +BQAwIDEeMBwGA1UEAwwVYW55UG9saWN5LWVlLXBhdGgtaW50MCIYDzIwMjIxMTI3 +MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMB8xHTAbBgNVBAMMFGFueVBvbGljeS1l +ZS1wYXRoLWVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESO +FtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVr +amRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWka +sdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbY +VbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6n +aOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHE +MdUDrNoYCjXtjQIDAQABo4GFMIGCME0GCCsGAQUFBwEBBEEwPzA9BggrBgEFBQcw +AYYxaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2FueVBvbGljeS1lZS1wYXRo +LWVlLzARBgNVHSAECjAIMAYGBFUdIAAwHgYDVR0RBBcwFYITZXYtdGVzdC5leGFt +cGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAYxTA02oIEsPT02PhS6ScSijDeF3u +8zC0E8D9d0Jx3gtKnpL7OKxvQ53JK8EhglABJoBDLF7FXb9kG7RuCdzu7PFU1bYQ +uVb7Kb0TEyi9pWN5T9AiHHmvuH8TSOOrZBWOWx+ZvrdpzwnNgzLOCf6v4OATYxOw +C8jw8ZxaD+OmzXXt0vJtexPY31C0DJ9b9Xo4prq1p3PqmXzOGDysGHvhkE4WfH/f +wihKy64g7hwGRYlVfquqpw4NOu3tP0g1nZKvhAWjHcYbjyKagWsEKk/warEfGJP4 +Oi3x2DlLf6xpJd6SWCufvC77yufMr5s99EAAViDSmyv5J/au4xaBmGyLYQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem.certspec new file mode 100644 index 0000000000..a9175c32ed --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem.certspec @@ -0,0 +1,5 @@ +issuer:anyPolicy-ee-path-int +subject:anyPolicy-ee-path-ee +extension:authorityInformationAccess:http://www.example.com:8888/anyPolicy-ee-path-ee/ +extension:certificatePolicies:any +extension:subjectAlternativeName:ev-test.example.com diff --git a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem new file mode 100644 index 0000000000..e619dfd5e6 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDRDCCAiygAwIBAgIUNxMoepEOaQpYT31BFrMD/Z7B9DkwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy +MDQwMDAwMDBaMCAxHjAcBgNVBAMMFWFueVBvbGljeS1lZS1wYXRoLWludDCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ +6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUk +nAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N +/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAG +JMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd +7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEA +AaOBgDB+MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGME4GCCsGAQUFBwEBBEIw +QDA+BggrBgEFBQcwAYYyaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2FueVBv +bGljeS1lZS1wYXRoLWludC8wEQYDVR0gBAowCDAGBgRVHSAAMA0GCSqGSIb3DQEB +CwUAA4IBAQCBiyD3v/gx9nMBkq3kHN6lF+x5OAt3/enHwsLPKKQR+wAO44OUG1Ed +McKmdZBpQG+6+bts+7hFpD2X0KoOe68t9UYW2rMFBcqmr9bI+GgupefobrQiUM5+ +3IyFEVQ98LA4+SUcIZwWprqvoJS4SQJpk7mssScjeyiWB8EKiEyOTzBmTYPzO3xw +cy9NnQ8hKQqsmYs9h2HDqyJx5HGByX0j1LR5o+J6Ismh8iUmW82+SPDByF6/Gj0R +8I4Ae31EVsILE9DLoHV3QBxUuR+Vf1ChpZdRWO9rpZTeng+jzJfdsqnCX379vIf6 +vaEUkVFS8467aBpRZ3r7Xfmbx21FuxPE +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem.certspec new file mode 100644 index 0000000000..c49f6c4bcc --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem.certspec @@ -0,0 +1,7 @@ +issuer:evroot +subject:anyPolicy-ee-path-int +issuerKey:ev +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign +extension:authorityInformationAccess:http://www.example.com:8888/anyPolicy-ee-path-int/ +extension:certificatePolicies:any diff --git a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem new file mode 100644 index 0000000000..0cd376dbd0 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDaDCCAlCgAwIBAgIUO84CcGnTBu9BMz4TYOnuEQNV4TcwDQYJKoZIhvcNAQEL +BQAwITEfMB0GA1UEAwwWYW55UG9saWN5LWludC1wYXRoLWludDAiGA8yMDIyMTEy +NzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAgMR4wHAYDVQQDDBVhbnlQb2xpY3kt +aW50LXBhdGgtZWUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo +RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a +dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t +aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n +FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX +Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py +UcQx1QOs2hgKNe2NAgMBAAGjgZQwgZEwTgYIKwYBBQUHAQEEQjBAMD4GCCsGAQUF +BzABhjJodHRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgvYW55UG9saWN5LWludC1w +YXRoLWVlLzAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoBg3QJATAeBgNVHREE +FzAVghNldi10ZXN0LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQB/wMqq +8UupZcCbUZyhhbfn9fYneG3VHo+yEdv1r0Su4qxV/3hFC8t+XhygDq6162x68s8z +uFCjj1lFLCnP2eo4DMQcVeh7im8gqqc0Nk9Ix0EJ6FUYXuuuwxQQ/Y2AgPZCZj4D +xHCBry2nTwm4VB5BrvRSsp/sWh5AqGNOPoJMgXcRuKSZNNc7e0dcjvX2YWo1et3u +SCMlOrTkfwjiQBH0jRQwRLl4wQouZpaijq3xZ24/eFj+Sc2KBsOcq/5tC4OszeHJ +AEFSaEPfkuK9MOEL/2Fp0j9+baarPdhACtMkjLWCOmpIu0PhsxXS9E0hpt5E+qUk +Eq0DaESFkrhEIewJ +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem.certspec new file mode 100644 index 0000000000..1c643c2f95 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem.certspec @@ -0,0 +1,5 @@ +issuer:anyPolicy-int-path-int +subject:anyPolicy-int-path-ee +extension:authorityInformationAccess:http://www.example.com:8888/anyPolicy-int-path-ee/ +extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1 +extension:subjectAlternativeName:ev-test.example.com diff --git a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem new file mode 100644 index 0000000000..7467532782 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDRjCCAi6gAwIBAgIUS/Uo89DTxT+sWh6HxJ7vj5wekP8wDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy +MDQwMDAwMDBaMCExHzAdBgNVBAMMFmFueVBvbGljeS1pbnQtcGF0aC1pbnQwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT +2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzV +JJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8N +jf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCA +BiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVh +He4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMB +AAGjgYEwfzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBPBggrBgEFBQcBAQRD +MEEwPwYIKwYBBQUHMAGGM2h0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9hbnlQ +b2xpY3ktaW50LXBhdGgtaW50LzARBgNVHSAECjAIMAYGBFUdIAAwDQYJKoZIhvcN +AQELBQADggEBADVmaATxyEWwYumgxxDW828NxMoDjkPsa06EVGi0AKqDNGmGLUL6 +1h1w/+K8fl2t41MGRwdc33cZOVzURnyUGx0QBeUxGsH+kNMj1wVMy24iCVcvHGja +yHuOmLq5sMBErJhZfgMnvujl3/sFl9ZaT2OjSqa7sofghd5O9xZLtBTsvyvRDnIn +4lQljHVnkoKYJAeBi8X6QbQlXXqEUbnlpTiAPkW/O0EyUP6v/rpcvbOqMD47HdiR +7lOM52u5Pc4Nywqm3Pp4Ob7jTiFJY5YAk3du+UHfCIOP2NiI9wsuvQiY7k31Qiiu +xIJUCPBbWbo8tiFRp7IqKoX+D2FLxh0dcBE= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem.certspec new file mode 100644 index 0000000000..5f5adacc7f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem.certspec @@ -0,0 +1,7 @@ +issuer:evroot +subject:anyPolicy-int-path-int +issuerKey:ev +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign +extension:authorityInformationAccess:http://www.example.com:8888/anyPolicy-int-path-int/ +extension:certificatePolicies:any diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee.pem new file mode 100644 index 0000000000..337a1af520 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDxTCCAq2gAwIBAgIUZ3fwSK5rjndC9saKVC9SF9bKSo8wDQYJKoZIhvcNAQEL +BQAwPTE7MDkGA1UEAwwyY2FiZm9ydW0tYW5kLXRlc3Qtb2lkLWVlLWNhYmZvcnVt +LW9pZC1pbnQtcGF0aC1pbnQwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowPDE6MDgGA1UEAwwxY2FiZm9ydW0tYW5kLXRlc3Qtb2lkLWVlLWNhYmZv +cnVtLW9pZC1pbnQtcGF0aC1lZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAab +bhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmts +Du0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhI +H6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8 +rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kX +Mbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaOBuTCBtjBqBggrBgEFBQcBAQReMFww +WgYIKwYBBQUHMAGGTmh0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9jYWJmb3J1 +bS1hbmQtdGVzdC1vaWQtZWUtY2FiZm9ydW0tb2lkLWludC1wYXRoLWVlLzAoBgNV +HSAEITAfMAcGBWeBDAEBMBQGEisGAQQB60mFGoUahRoBg3QJATAeBgNVHREEFzAV +ghNldi10ZXN0LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQC3m7B2CxtY +x5uWArmwgaMzKSFaYoCYfDxb73X7tjtm0rcsonpsTyBZzkjTxiHYl96218wWEo2T +XR/S83jo37mfqCZLHgLa6pjxKzc+wdxjGiDjLwPk33IYTaAzfwMeQ0d7BF2xMAsF +fccpgwO5OlntOIJhIMBbtLzJurrdog7Jnl50Dkuh8kfg0Q7L8c3RH0DxNqWE5fQK +OlHW/eYiSZOThT7VzZ8rykaowssMewNcPPya8kaACYSN8izYrbH3ZmlXgeklpuk3 +tPQbNK/wCBIVCb5bAH10CjR3x2sLoDCX5sP6I53jiLr/NiwYms0QfSmZE29kzWwA +N0Lu/bO1fOUU +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee.pem.certspec new file mode 100644 index 0000000000..c72237e453 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee.pem.certspec @@ -0,0 +1,5 @@ +issuer:cabforum-and-test-oid-ee-cabforum-oid-int-path-int +subject:cabforum-and-test-oid-ee-cabforum-oid-int-path-ee +extension:authorityInformationAccess:http://www.example.com:8888/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee/ +extension:certificatePolicies:2.23.140.1.1,1.3.6.1.4.1.13769.666.666.666.1.500.9.1 +extension:subjectAlternativeName:ev-test.example.com diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-int.pem new file mode 100644 index 0000000000..6e9557ab26 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-int.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDgDCCAmigAwIBAgIUO3DQyhSRUrFxxP6dSHYP00ZUenEwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy +MDQwMDAwMDBaMD0xOzA5BgNVBAMMMmNhYmZvcnVtLWFuZC10ZXN0LW9pZC1lZS1j +YWJmb3J1bS1vaWQtaW50LXBhdGgtaW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf +vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb +uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S +O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR +3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv +5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GfMIGcMAwGA1UdEwQFMAMB +Af8wCwYDVR0PBAQDAgEGMGsGCCsGAQUFBwEBBF8wXTBbBggrBgEFBQcwAYZPaHR0 +cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2NhYmZvcnVtLWFuZC10ZXN0LW9pZC1l +ZS1jYWJmb3J1bS1vaWQtaW50LXBhdGgtaW50LzASBgNVHSAECzAJMAcGBWeBDAEB +MA0GCSqGSIb3DQEBCwUAA4IBAQAFT+RvpRQ0WSu6U+C54fDOtOofv28/yALU+yJ4 +oO7ZUtKXyrMb4Ag4MrSaAT8dTZKOkB/Kwx9V4xM6kvF/WpojCKyazeMlqvj4DvAO +RQvYnT8pXiN1WsHU4NaX0l2KvuXWdlgBzq9qgTG8i4yRaCqghZEL583GbVFHLWqI +aiI2lsRgP+SLV9Z0mnDf+taJ82cOH7mwIaMkE459+N1Ni5Pu5LL+hPbCbZm39oKE +N8Xn2Av3VZaxfxOVThibDH6VsaSOnPKMWKcusQtsRA3LVijThjljUAM0bqIHvp8Y +/vQ9JEdgreJ/wUU+CYcnsO+yCmnW3G33xfQ3AskkwD0OZj6C +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-int.pem.certspec new file mode 100644 index 0000000000..92ebdb37fd --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-int.pem.certspec @@ -0,0 +1,7 @@ +issuer:evroot +subject:cabforum-and-test-oid-ee-cabforum-oid-int-path-int +issuerKey:ev +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign +extension:authorityInformationAccess:http://www.example.com:8888/cabforum-and-test-oid-ee-cabforum-oid-int-path-int/ +extension:certificatePolicies:2.23.140.1.1 diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-ee.pem new file mode 100644 index 0000000000..6d2c743638 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-ee.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDkjCCAnqgAwIBAgIUDVhIhWMHEXWRG6y+QEWdZ0+muRIwDQYJKoZIhvcNAQEL +BQAwLDEqMCgGA1UEAwwhY2FiZm9ydW0tYW5kLXRlc3Qtb2lkLWVlLXBhdGgtaW50 +MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMCsxKTAnBgNVBAMM +IGNhYmZvcnVtLWFuZC10ZXN0LW9pZC1lZS1wYXRoLWVlMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds +JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4 +ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25 +iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3 +4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42 +yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GoMIGlMFkG +CCsGAQUFBwEBBE0wSzBJBggrBgEFBQcwAYY9aHR0cDovL3d3dy5leGFtcGxlLmNv +bTo4ODg4L2NhYmZvcnVtLWFuZC10ZXN0LW9pZC1lZS1wYXRoLWVlLzAoBgNVHSAE +ITAfMAcGBWeBDAEBMBQGEisGAQQB60mFGoUahRoBg3QJATAeBgNVHREEFzAVghNl +di10ZXN0LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQAz/t7laoUyy4Qc +fhIYBeR++dCiUGYFQVX7la17X8IPeaYg6CJ6XzRMs9QYzBBp2C20/0f9A4zKgtuD +kgHJvOFv/y9KThlH/f3bq1bQmcItVuoVG4G6PDfQuvpChiwFzMZlJ9ffZmFFcarI +MenGzJyxp4+WH0JKHFypBYGWZrLjfjbs75TrRALtNWmImWZvp654RxJe8yVyddQw +qRMlzMVU+9sq/Xtfqm2EOoUaydzVvYcRAwHKyC5ZGBH4emSsPyiiXMH4CJZ3n1zb +z/V5I7vT5LTLecOYtxCbUbdNJ06HTla/5F2VZSbhvEKNV1kjlyRN0BpGaiA0tapG +H/+QErlC +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-ee.pem.certspec new file mode 100644 index 0000000000..36f80e017b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-ee.pem.certspec @@ -0,0 +1,5 @@ +issuer:cabforum-and-test-oid-ee-path-int +subject:cabforum-and-test-oid-ee-path-ee +extension:authorityInformationAccess:http://www.example.com:8888/cabforum-and-test-oid-ee-path-ee/ +extension:certificatePolicies:2.23.140.1.1,1.3.6.1.4.1.13769.666.666.666.1.500.9.1 +extension:subjectAlternativeName:ev-test.example.com diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-int.pem new file mode 100644 index 0000000000..22f0b45911 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-int.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDXTCCAkWgAwIBAgIUS/1bfm0ejkB+2Q/7e+L3OWe5w4kwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy +MDQwMDAwMDBaMCwxKjAoBgNVBAMMIWNhYmZvcnVtLWFuZC10ZXN0LW9pZC1lZS1w +YXRoLWludDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW +Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk +cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT +AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3 +ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh +s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV +A6zaGAo17Y0CAwEAAaOBjTCBijAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBa +BggrBgEFBQcBAQROMEwwSgYIKwYBBQUHMAGGPmh0dHA6Ly93d3cuZXhhbXBsZS5j +b206ODg4OC9jYWJmb3J1bS1hbmQtdGVzdC1vaWQtZWUtcGF0aC1pbnQvMBEGA1Ud +IAQKMAgwBgYEVR0gADANBgkqhkiG9w0BAQsFAAOCAQEAZMS9mTlpmz96B0hMZLs0 +PTb/O7BnxtQSk8NzU7KiFcJbkE7ioff1NKdrJomr3dZBPRYKQvqOhUsWbWfsw21E +on0l2Km7jIqaZ1dQpGPUiYobbr0icOhCdA3t0t6M9JIgZqOwMUFCz5oy3Jg4v6py +7KDUz3zkVxpAloaepG7AkS9bd1vCDih3Tht98/+g7DPvtnHjZqPj4RXJ2J3uSTKq +TQXFaPc6hhVrA0KK0Qa205qdgqo2hasEY+6Xe64ZStQkteASKDg1sm111wsxpzxt +HUBVEAXMx9dtmnreyWlU6CQ4fYJtK0FnMJDYDQAVJyMbGB94KGrPM8pr+xkV6mlx +rA== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-int.pem.certspec new file mode 100644 index 0000000000..79ae7ae801 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-int.pem.certspec @@ -0,0 +1,7 @@ +issuer:evroot +subject:cabforum-and-test-oid-ee-path-int +issuerKey:ev +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign +extension:authorityInformationAccess:http://www.example.com:8888/cabforum-and-test-oid-ee-path-int/ +extension:certificatePolicies:any diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-ee.pem new file mode 100644 index 0000000000..8c7ed0124e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-ee.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDWDCCAkCgAwIBAgIUO7RJiqqzZm6W9jOCJB+zNXkRMC4wDQYJKoZIhvcNAQEL +BQAwIDEeMBwGA1UEAwwVY2FiZm9ydW0tb2lkLXBhdGgtaW50MCIYDzIwMjIxMTI3 +MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMB8xHTAbBgNVBAMMFGNhYmZvcnVtLW9p +ZC1wYXRoLWVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESO +FtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVr +amRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWka +sdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbY +VbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6n +aOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHE +MdUDrNoYCjXtjQIDAQABo4GGMIGDME0GCCsGAQUFBwEBBEEwPzA9BggrBgEFBQcw +AYYxaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2NhYmZvcnVtLW9pZC1wYXRo +LWVlLzASBgNVHSAECzAJMAcGBWeBDAEBMB4GA1UdEQQXMBWCE2V2LXRlc3QuZXhh +bXBsZS5jb20wDQYJKoZIhvcNAQELBQADggEBAIzzqzMTRCKYyLA8HeY0jJU+mjRj +Ejl1XbRXmQel/aYvKTZyXiRKSA3i+geZauhVfFwsJ+vxGjpGsNdxkRpUaENrHP5u +DnMmeHGHeLAD8hrHlzqYhCRKBhDey/SIEU2+Qd1M9WNzI4kjydLafrKYAZaxhaQm +wJNJ/8fDgo26DQRTWxDcVkI3by6ong2pHF14AemMoXOQ0+IKR2B9is2qvHxFm290 +1v8DaTBgaIuaXzqhSLPp1DHbtX0nUyWjzWwy6bNjKpxydRTP1rgMbjvf3RhVUzdx +GZpVmEF/8fpcBfObFDSKz+/ydoVMz3XlqLiYEIExGTSsCc4PeEfFhOkdbUk= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-ee.pem.certspec new file mode 100644 index 0000000000..86fd9aca39 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-ee.pem.certspec @@ -0,0 +1,5 @@ +issuer:cabforum-oid-path-int +subject:cabforum-oid-path-ee +extension:authorityInformationAccess:http://www.example.com:8888/cabforum-oid-path-ee/ +extension:certificatePolicies:2.23.140.1.1 +extension:subjectAlternativeName:ev-test.example.com diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-int.pem new file mode 100644 index 0000000000..bdbbc02c2b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-int.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDRTCCAi2gAwIBAgIUQ7X92BWdDkDlFsWTB0LTCDZMcDAwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy +MDQwMDAwMDBaMCAxHjAcBgNVBAMMFWNhYmZvcnVtLW9pZC1wYXRoLWludDCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ +6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUk +nAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N +/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAG +JMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd +7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEA +AaOBgTB/MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGME4GCCsGAQUFBwEBBEIw +QDA+BggrBgEFBQcwAYYyaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2NhYmZv +cnVtLW9pZC1wYXRoLWludC8wEgYDVR0gBAswCTAHBgVngQwBATANBgkqhkiG9w0B +AQsFAAOCAQEAS+XtatnWztt2hsRQA/Gl8KtpXRhZLJetK3G2qFCjXW2KtaMjN3EQ +RoMYXwUW2FgsFPZmwQ1L1Pu52njxnjG0z9CXA6i/g7JJUCNUhcGrQ5zWP1P3YozU +/TwMKNwvyjcO4Ev4obC3grAfJ0S+en8YVeV9Rh/HswaS7Q8A/el9SJi8CMiWVEuW +SYgfgcm8AobKXJNN48DNhY+6GbGRTIm1WuzPQS4C+mTfsJt6Fk695CvL/EjZt8fK +0lI7qKH0o1pM0QKE0VMuvvYasGEYqDxKCSEszfmIr3b4LovzWAWtHnAm7I2PyncG +t3EnieaSRT6Nl8e85VCK20d7ORJpq7iy1g== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-int.pem.certspec new file mode 100644 index 0000000000..343307164b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-int.pem.certspec @@ -0,0 +1,7 @@ +issuer:evroot +subject:cabforum-oid-path-int +issuerKey:ev +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign +extension:authorityInformationAccess:http://www.example.com:8888/cabforum-oid-path-int/ +extension:certificatePolicies:2.23.140.1.1 diff --git a/security/manager/ssl/tests/unit/test_ev_certs/evroot.key b/security/manager/ssl/tests/unit/test_ev_certs/evroot.key new file mode 100644 index 0000000000..1d88a930d5 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/evroot.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQC1SYlcnQAQjRGh ++Z+HqePRpdtd+uzxiNpXv2QTaI8s5HIs/xCQOMF0Ask6Kkc9vShq7T/c02PPWikU +dwG92BjXYVv5NWvV08gzaqqMCXE2igbDzURhuT5RQk4XRLsuqtRqqzjOGWghlh+H +cUoWY2k/CXYc301roSXqzse+Jw04j3ifbN94rjFE7SjEXnkpOGOnoipImAo2pA5y +1XnJuSXf+MeTNi/9aJenwXVMXpfJZ8Pq3RquiqLMzjSKAWm4Diii1wwalgxvM18t +oJubZD9av7pJ6Kqpgelg4n2HSAvdVd2UF/oYUJ+7VUzPgaQ5fouoEoo0vfJ4ZcGJ +5XNPsikFAgMBAAECggEBAJg9VPlNb0x26yPW+T14UjUwz3Ow0WJUxueBdo1F9VaB +0dAvsr0qrGq8HDiYYJNcUqDY9BSCAQOUd4MUHYZL/zCANjilwBUlcK6dGPPYyhY+ ++0dbDd3zLn4W7HVl5rteAlxBxcZuV6A87eVUIh+DBFNHosTEUcPc5Ha3h84MBXJE +vp4E7xMRjbuz1eCmzIcCnq/Upp7ZsUdZsV452KmITlb1TS+asBPw0V8xipq2svc9 +HsPJ/idK6JQxoQZAvniZsAEcXlCToYNHCGid4QBjTaveYPvWqu+joz3zSh829gwE +MDa3SNHJ7pjEAxoK/sYO/aCpkL5ST1YU6sT9s0pS+VECgYEA6twssz5f8co3a72V +vWoXd9LPT6xHVF6S0RpiCbnV5N7UeDRYHBabPIhHQqCeoYdQXBylVBTY0ltJdjLV +7CqqBSM0MPrUmJJ3en1o4Dj1YaO4lp5gsKJj3vv9pIqbD/OdlbyIsVJnyK3pe1EH +lI5B5DMknYf32xCdXXRYTYa8wdcCgYEAxZrldqIWRwJI2USlW56b+TKZ2jQexW5V +jrqCGrzhv1e3nPQR0pBMd0+duh8VGF9gewV0oIIF1uwotmo21jQjLqry/qN1Yauv +nWRLaNs4yZZMuMluwKxh66ZNBbRGVC9COXb1rN5OzJVTbS31eJVPk/DP2cWPt4ui +p23VrChNyIMCgYEAwdLvOQYzHFKspkgR+f5CW+somDIvs9tRAyzo1+n8MiQL6SAZ +zySA/NXjKYNxJxGLKlmhv+BsiD46REfz8DHNmuvQuNNo/Hl0DSzOjq2zJN9/CR6v +4VZDYdVJILAbBHEjDl5H2T+O0zljxRe8T8ePbYsfnrqFvM7bcDMCZQjbYoUCgYEA +hSG421aU376ASjFfnvybZSdcVJCs8qNFbWXm5hC/n2R/xnUB1PV3LyMqxwzN75/C +pt+kFcfEG2r8evnQfDygP37ZPAnwuZ8sMEQ0Mi8QcXCbvBuqTJFXX6apWeB9SZaV +bZXiK1eTi25HyNUf/t/Jv4iM4NGj5CtlqJvtS5HT5fUCgYEA3El7BrkgyL4LAHe3 +mOl37vdEqQ7Cxdfmy7IkSPrHLagaMxgODYoC6DFGDH/H/TphL3uZMLYbeZ+OkI5j +LpugQJtqpwsDo7p4dCYmO1vVhD34R27bXRT2qGE+uvW5zVykL1+9KALgjk5J5XCf +UVFRDKpassHG6z7+kpXRbowlyRY= +-----END PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/evroot.key.keyspec b/security/manager/ssl/tests/unit/test_ev_certs/evroot.key.keyspec new file mode 100644 index 0000000000..1a3d76a550 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/evroot.key.keyspec @@ -0,0 +1 @@ +ev diff --git a/security/manager/ssl/tests/unit/test_ev_certs/evroot.pem b/security/manager/ssl/tests/unit/test_ev_certs/evroot.pem new file mode 100644 index 0000000000..13c3031905 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/evroot.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC0TCCAbmgAwIBAgIUIZSHsVgzcvhPgdfrgdMGlpSfMegwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMTUwMTAxMDAwMDAwWhgPMjAzNTAx +MDEwMDAwMDBaMBExDzANBgNVBAMMBmV2cm9vdDCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBALVJiVydABCNEaH5n4ep49Gl21367PGI2le/ZBNojyzkciz/ +EJA4wXQCyToqRz29KGrtP9zTY89aKRR3Ab3YGNdhW/k1a9XTyDNqqowJcTaKBsPN +RGG5PlFCThdEuy6q1GqrOM4ZaCGWH4dxShZjaT8JdhzfTWuhJerOx74nDTiPeJ9s +33iuMUTtKMReeSk4Y6eiKkiYCjakDnLVecm5Jd/4x5M2L/1ol6fBdUxel8lnw+rd +Gq6KoszONIoBabgOKKLXDBqWDG8zXy2gm5tkP1q/uknoqqmB6WDifYdIC91V3ZQX ++hhQn7tVTM+BpDl+i6gSijS98nhlwYnlc0+yKQUCAwEAAaMdMBswDAYDVR0TBAUw +AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBABTOHA9XbfLv/C7+ +5KycYXToOIBRSjQ0j2nsiqFda4Jx+aKsvdpdrrbLHvhrpfsA3ZgB2+eKHunVc4fo +UHNqZllAs2nx+AEinq4GX8iya5BpiyTIxXWu8v06siGgz1GxlJw1cJ/ZnFEQ9IBf +cCAr5fCoZ4RC+2OVhiSTnYPCKM+zCyw3YpISjNOg1VVkp46Htp+831Eh12YfwvdY +Fgh1fc5ohYC5GCLRuXKc9PGTsr3gp7Y0liYbK7v0RBjd+GivNQ3dS3W+lB3Ow0LH +z/fc3qvrhsd58jHpb1QZQzd9bQjuIIM6Gij7TNdNNarEVZfSJjPYLfXosNdYh5fH +HmbOwao= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/evroot.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/evroot.pem.certspec new file mode 100644 index 0000000000..3121f3486e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/evroot.pem.certspec @@ -0,0 +1,7 @@ +issuer:evroot +subject:evroot +subjectKey:ev +issuerKey:ev +validity:20150101-20350101 +extension:basicConstraints:cA, +extension:keyUsage:keyCertSign,cRLSign diff --git a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem new file mode 100644 index 0000000000..ba722921cb --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDEDCCAfigAwIBAgIUd5h9uRYHwBHO8O+ceQhWGi6L90AwDQYJKoZIhvcNAQEL +BQAwHjEcMBoGA1UEAwwTbm8tb2NzcC1lZS1wYXRoLWludDAiGA8yMDIyMTEyNzAw +MDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAdMRswGQYDVQQDDBJuby1vY3NwLWVlLXBh +dGgtZWUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9 +braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI +eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6 +iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za +qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7 +LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs +2hgKNe2NAgMBAAGjQzBBMB8GA1UdIAQYMBYwFAYSKwYBBAHrSYUahRqFGgGDdAkB +MB4GA1UdEQQXMBWCE2V2LXRlc3QuZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQAD +ggEBAGTv4HNZFVEQ0vO8qU1sykwuKMqk7wyXfDHsnzdzt5mGUC9cm6Gd+JisZe9k +krCI719EWOMkBt2xyCmK2TwDvWRK2brMK7BICEeyyOi/znshzOcw2ohtAwJPKMNb +xCx2QePLHXHioOly6StbTUSQtmUJTnNhf0qN+1iqZKi/LrVnm54DC+P8MOHZ+8gW +OM93lMI9Zcq+lTa5GOrbb3JFp9eTLRyYrvugK7gVpAlijvFDknldS+lomz4BY056 +UR8g5RmpTyBgqoJqND6s8zXuyfatcAmOq5apJ5zLcN91GhQJwBk9sg8vwzqRdIww +/dF7FbEbQdfkDWVtuYdsS8ZCZH8= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem.certspec new file mode 100644 index 0000000000..ece1cf816f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem.certspec @@ -0,0 +1,4 @@ +issuer:no-ocsp-ee-path-int +subject:no-ocsp-ee-path-ee +extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1 +extension:subjectAlternativeName:ev-test.example.com diff --git a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem new file mode 100644 index 0000000000..a1d1ab962c --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDPzCCAiegAwIBAgIUWxoXkZhXFFizdKCQ8MJ8oOfIzEAwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy +MDQwMDAwMDBaMB4xHDAaBgNVBAMME25vLW9jc3AtZWUtcGF0aC1pbnQwggEiMA0G +CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erk +NUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwC +fs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1m +CyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTM +HGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m +1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGj +fjB8MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMEwGCCsGAQUFBwEBBEAwPjA8 +BggrBgEFBQcwAYYwaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L25vLW9jc3At +ZWUtcGF0aC1pbnQvMBEGA1UdIAQKMAgwBgYEVR0gADANBgkqhkiG9w0BAQsFAAOC +AQEAeNGnRLI3C11krIqIXE60uUnV4NZrWSjlFT8iQkohd62uK9i1Xo2PGQbMwdOV +ooXGsLRyz9ZzlKG0W1FN55pLweuD2je4AlV7uZyLIF264m3zLMBcfEfVjqjk6rQf +WccudP7VQ60+5YUsUytXuqp9fF4Ye7UJ+ZwvIexq6RIa20JvR/pPjd/1fzXGYi+/ +/24tCYIjROfNLmW5G7SO2StCN+LJehWTUo76gORpbP6snYON6rxynmbXmbdU96l1 +xp9yZ5cvL1v3971cN/nRCw5k+OiP/O8fxFDsIf2gbqTTz3R0HnmJrEUqr9FrfRlV +P+S2nwNiMV1UWQeQciOIg8WC1A== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem.certspec new file mode 100644 index 0000000000..5eb952a9a7 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem.certspec @@ -0,0 +1,7 @@ +issuer:evroot +subject:no-ocsp-ee-path-int +issuerKey:ev +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign +extension:authorityInformationAccess:http://www.example.com:8888/no-ocsp-ee-path-int/ +extension:certificatePolicies:any diff --git a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem new file mode 100644 index 0000000000..a7b7d185ea --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDYjCCAkqgAwIBAgIUG3C5aHEdkynWq8jOXmbjEcP8bgEwDQYJKoZIhvcNAQEL +BQAwHzEdMBsGA1UEAwwUbm8tb2NzcC1pbnQtcGF0aC1pbnQwIhgPMjAyMjExMjcw +MDAwMDBaGA8yMDI1MDIwNDAwMDAwMFowHjEcMBoGA1UEAwwTbm8tb2NzcC1pbnQt +cGF0aC1lZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW +Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk +cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT +AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3 +ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh +s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV +A6zaGAo17Y0CAwEAAaOBkjCBjzBMBggrBgEFBQcBAQRAMD4wPAYIKwYBBQUHMAGG +MGh0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9uby1vY3NwLWludC1wYXRoLWVl +LzAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoBg3QJATAeBgNVHREEFzAVghNl +di10ZXN0LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQCsx7sCebbIWdGg +hlkAZ2qV3N/3nZwwvVqekUTu3Vy2fu1zM0KZSPbljjLPEcPPKweoefnAxOLvisBg +GqV9KXBR3sO1fOuK8M1TZtZHl2vkWwqVmogbEN8KOpP/pPySW3DXGPzNlNAWvNrN +gYg8NTWlcmeV2osuGI2GvJF/bf11VAOSeU1ci+TFpUbW/4QrQUqSG/KDWRtv6/BC +omfXJYKGfgWRLH8HS7OlJbBOL3h3BZAhqml9Wl9oRox0ArLhKkpOZ8cZpGpzhkND +DsqhoqSxJEiza0sSFSWJkSCjaY9zrV0UXgi8jxr262/WF6xT6yy6/Gx12hSjcV4U +BcQw+5kM +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem.certspec new file mode 100644 index 0000000000..623057e9e9 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem.certspec @@ -0,0 +1,5 @@ +issuer:no-ocsp-int-path-int +subject:no-ocsp-int-path-ee +extension:authorityInformationAccess:http://www.example.com:8888/no-ocsp-int-path-ee/ +extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1 +extension:subjectAlternativeName:ev-test.example.com diff --git a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem new file mode 100644 index 0000000000..94e308a653 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC8jCCAdqgAwIBAgIUWRei++U2nDD/dQeOd2ijbzx8zC0wDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy +MDQwMDAwMDBaMB8xHTAbBgNVBAMMFG5vLW9jc3AtaW50LXBhdGgtaW50MIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq +5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc +An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39 +ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk +zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u +JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB +ozAwLjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjARBgNVHSAECjAIMAYGBFUd +IAAwDQYJKoZIhvcNAQELBQADggEBALQe2fdE+JIIcsV2Cwf1oB6VK5hUtLsm8TvY +ju8YICG4maKTDI4X4oungxmlE0okP26KDxERQJzsOs2RKmos95UvOz7LKyKo7aSc +ycAhbpHe30J9KUXDxMMv++2vinjMD2vh30E0XNsLeQsbOXlmla+0lTwsgXFFSQgl +owYxEcGBigqM1Jgp4S9TBwvowktGTPLgiKGr+elIStEFDF/eoEaDRMZ8AshtPC1G +hj40lS2xR8ZgfCvq1Y9xWEK9pDRk4ss03XVVyREOLYHcJx1w3Ekf0DlE7vKosew6 +qOgu6Bk5p59c6mm2E/UqT4Pm2p9X6ZWucgUtOAmySLPs/76Dbk4= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem.certspec new file mode 100644 index 0000000000..548241de3a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem.certspec @@ -0,0 +1,6 @@ +issuer:evroot +subject:no-ocsp-int-path-int +issuerKey:ev +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign +extension:certificatePolicies:any diff --git a/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem new file mode 100644 index 0000000000..5c6f435be7 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDYjCCAkqgAwIBAgIUHdTPustR4yMtUWmHTSC6+8Y+gfYwDQYJKoZIhvcNAQEL +BQAwHzEdMBsGA1UEAwwUbm9uLWV2LXJvb3QtcGF0aC1pbnQwIhgPMjAyMjExMjcw +MDAwMDBaGA8yMDI1MDIwNDAwMDAwMFowHjEcMBoGA1UEAwwTbm9uLWV2LXJvb3Qt +cGF0aC1lZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW +Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk +cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT +AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3 +ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh +s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV +A6zaGAo17Y0CAwEAAaOBkjCBjzBMBggrBgEFBQcBAQRAMD4wPAYIKwYBBQUHMAGG +MGh0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9ub24tZXYtcm9vdC1wYXRoLWVl +LzAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoBg3QJATAeBgNVHREEFzAVghNl +di10ZXN0LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQBgDu2h/ygK4STW +yg5MNipTtaxQtT2a7ho54YlJK+PSXn2wzUVbVthAXbiVMZURHo4FFOTzvh0ItwtO +K0TDiUZO4basEt0Ecxk1bjhh9pY2FhmI1xokC53prGrleO6K4gHXVxmhlA1aM38X +tN9ZuTGlEuo5jFnavZeGoQtkwvtFehxvbDEBZvuyvQ8xIFLvoa8tl9AaQavNpFan +VOpUrRw4oFIUOor6FPBLYoclQhBD+PFwnnMCm5rkiWxeryt//HAJUnypt02Pr1nT +7ibC+/szNTuFuz2P7OTFEre866JfEsI7N58qbc/UZXMTiPJuTS1QdBZHIM62Bde5 +HEKNNyTU +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem.certspec new file mode 100644 index 0000000000..9895732b15 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem.certspec @@ -0,0 +1,5 @@ +issuer:non-ev-root-path-int +subject:non-ev-root-path-ee +extension:authorityInformationAccess:http://www.example.com:8888/non-ev-root-path-ee/ +extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1 +extension:subjectAlternativeName:ev-test.example.com diff --git a/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem new file mode 100644 index 0000000000..751268f0ed --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDSDCCAjCgAwIBAgIULW+4H7y472S+j1855jFlwZNMf+UwDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNbm9uLWV2cm9vdC1jYTAiGA8yMDIyMTEyNzAwMDAwMFoY +DzIwMjUwMjA0MDAwMDAwWjAfMR0wGwYDVQQDDBRub24tZXYtcm9vdC1wYXRoLWlu +dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogG +NhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqn +RYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHu +p3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQ +Lzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p +47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo1 +7Y0CAwEAAaN/MH0wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwTQYIKwYBBQUH +AQEEQTA/MD0GCCsGAQUFBzABhjFodHRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgv +bm9uLWV2LXJvb3QtcGF0aC1pbnQvMBEGA1UdIAQKMAgwBgYEVR0gADANBgkqhkiG +9w0BAQsFAAOCAQEAOc/Qs9HsvzVrDoXxK7y6TI1x83ydFRT9pOjnVlrNUAPnjnKZ +acbglf9hni3eaybETDklYf3q9eYBduappGtUD/9pkXT/8xQP5QmBDjVbfaN6xA4P +SPISeMEnUxngLBmhiGSdSF6yqhol5OP83pDP8GnlqSBicfjbLuaAOesExgRnY1jw +rDHWFLp2mvJu2NRUQGowCSWBmeTGwpX3VWVBkzQYMABHDlJHvHsPFe3dH2pkFBxJ +3YpkRaifD87NRGE+AK1fzhhbvbn06xkklLqpr72p9h0BMAzMYnv58CHt1+1/ilVP +0/Al127tRP0cr7I3311b5V2duYHEbR9UJFRGJw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem.certspec new file mode 100644 index 0000000000..5ce035ae1e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem.certspec @@ -0,0 +1,6 @@ +issuer:non-evroot-ca +subject:non-ev-root-path-int +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign +extension:authorityInformationAccess:http://www.example.com:8888/non-ev-root-path-int/ +extension:certificatePolicies:any diff --git a/security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.pem b/security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.pem new file mode 100644 index 0000000000..e7da9dc897 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC3zCCAcegAwIBAgIUSwVlCN0qJzWqVXDYUMj6IC1t5B4wDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNbm9uLWV2cm9vdC1jYTAiGA8yMDIyMTEyNzAwMDAwMFoY +DzIwMjUwMjA0MDAwMDAwWjAYMRYwFAYDVQQDDA1ub24tZXZyb290LWNhMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq +5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc +An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39 +ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk +zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u +JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB +ox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOC +AQEAPtd1zsUd6dqBvrL9Y6mwgkEBsd8RcOuQUrOYMQjPYbriJ/4Z4zfNoQnIylQI +rrwRL64PY4rTorTGgebzu5gm+mVXV4Jd6pO6Qv5vL9hKyUGN5lkxoQZOd4WsiFe5 +kbWvOv1LjJ9o5DyWLkL33Tt/seR3Ux54LFDvrFwBpM+r7bxpgrtYB999vQOXGiZP +N9lWi60012u+Opqv5egtveAhC6ShZqBmdoTl0rkI0/LANC7O7jigqyjnRZi7rqBt +0rnRMsTbXMXqfIt8B8kLGDU42dTDz4hK/WjjgcXu3zmHQgZqDxt92rwMexiFpA5Y +HRdDsGt5cseqjfIDzdIVlkELmQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.pem.certspec new file mode 100644 index 0000000000..7b61447a80 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:non-evroot-ca +subject:non-evroot-ca +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-ee.pem new file mode 100644 index 0000000000..5952997df9 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-ee.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDgDCCAmigAwIBAgIUAVfMkILMmIPVXjPAz2TIDldGxGAwDQYJKoZIhvcNAQEL +BQAwJjEkMCIGA1UEAwwbcmV2ZXJzZS1vcmRlci1vaWRzLXBhdGgtaW50MCIYDzIw +MjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMCUxIzAhBgNVBAMMGnJldmVy +c2Utb3JkZXItb2lkcy1wYXRoLWVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGc +BptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzC +a2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8Xg +uEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK +9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGP +mRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GiMIGfMFMGCCsGAQUFBwEBBEcw +RTBDBggrBgEFBQcwAYY3aHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L3JldmVy +c2Utb3JkZXItb2lkcy1wYXRoLWVlLzAoBgNVHSAEITAfMAcGBWeBDAEBMBQGEisG +AQQB60mFGoUahRoBg3QJATAeBgNVHREEFzAVghNldi10ZXN0LmV4YW1wbGUuY29t +MA0GCSqGSIb3DQEBCwUAA4IBAQAf6ZBgxU35yF0XHevzE2TBlJaPvPuc7Xj0igxQ +Ba62XSBbcOv1wNG9E6VTgs89eYfra+m7cFWP/J2SRAETWYLB/BQ2+gk5ibLkjpX3 +EgeVtcJAITTNMZ/YwpM0qke7tBj69Wr4fQGCaXrwSjMqXllJG73c2nSYivCwsW88 +jxIX9w6OmBtQ34Zms95xcmjRGnEJsuFIHS6ON6UA66m7/ncNtedZ5BUFPqlDlivn +GPFliWv7/kVavJ9tuBNF3+qa3AKS6y2IcCv8hZcnpp+XejL9S/NC5J2fCzFN52KT +tZ45bWryxg5Ez+vqZ7RLOlA++Qzu6+FJaYDaTV5rIEouxfE0 +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-ee.pem.certspec new file mode 100644 index 0000000000..31e3e69e53 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-ee.pem.certspec @@ -0,0 +1,5 @@ +issuer:reverse-order-oids-path-int +subject:reverse-order-oids-path-ee +extension:authorityInformationAccess:http://www.example.com:8888/reverse-order-oids-path-ee/ +extension:certificatePolicies:2.23.140.1.1,1.3.6.1.4.1.13769.666.666.666.1.500.9.1 +extension:subjectAlternativeName:ev-test.example.com diff --git a/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-int.pem new file mode 100644 index 0000000000..37cc460a58 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-int.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDaDCCAlCgAwIBAgIUbS+sED9hVuKhOooXAr0l466GF40wDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy +MDQwMDAwMDBaMCYxJDAiBgNVBAMMG3JldmVyc2Utb3JkZXItb2lkcy1wYXRoLWlu +dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogG +NhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqn +RYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHu +p3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQ +Lzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p +47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo1 +7Y0CAwEAAaOBnjCBmzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBUBggrBgEF +BQcBAQRIMEYwRAYIKwYBBQUHMAGGOGh0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4 +OC9yZXZlcnNlLW9yZGVyLW9pZHMtcGF0aC1pbnQvMCgGA1UdIAQhMB8wFAYSKwYB +BAHrSYUahRqFGgGDdAkBMAcGBWeBDAEBMA0GCSqGSIb3DQEBCwUAA4IBAQAc6n0n +2ygc+bXKejoFBGMSHex9WFTYa6n7Ao5PP0ACVIPPjUUZ/5KjBKCRWe8puVLqRk1W +bpyLa1KG/falzrFjj8j+Y0OA2v8veH/DHvUAKOus5ntJPM3xJyV7uGhmYDVulNRr +YPnFduqlBVaxIZOPqESO0T9RLFb4oyTd75uPIJUAGPSYX9kidYUu+LZ7U5sDdJmG +9pT/RDQjokU5pwgr47V7lNQyJBmZYp1I9qVDT1iBA1T0KWfw9Nz0t5dshXZC4aPe +uFJEx0pADVyk3pyzddvXwetFXYA3yPWtZCjXG+03uIE9tgdNyZkUlairwS7WVbHG +UoC9jMK5FGnFhIyH +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-int.pem.certspec new file mode 100644 index 0000000000..a2b523073e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-int.pem.certspec @@ -0,0 +1,7 @@ +issuer:evroot +subject:reverse-order-oids-path-int +issuerKey:ev +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign +extension:authorityInformationAccess:http://www.example.com:8888/reverse-order-oids-path-int/ +extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1,2.23.140.1.1 diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee.pem new file mode 100644 index 0000000000..aa095f3d84 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDxTCCAq2gAwIBAgIUISZMV3cxwaLxsL3yccxQyMuUob8wDQYJKoZIhvcNAQEL +BQAwPTE7MDkGA1UEAwwydGVzdC1hbmQtY2FiZm9ydW0tb2lkLWVlLWNhYmZvcnVt +LW9pZC1pbnQtcGF0aC1pbnQwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowPDE6MDgGA1UEAwwxdGVzdC1hbmQtY2FiZm9ydW0tb2lkLWVlLWNhYmZv +cnVtLW9pZC1pbnQtcGF0aC1lZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAab +bhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmts +Du0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhI +H6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8 +rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kX +Mbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaOBuTCBtjBqBggrBgEFBQcBAQReMFww +WgYIKwYBBQUHMAGGTmh0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC90ZXN0LWFu +ZC1jYWJmb3J1bS1vaWQtZWUtY2FiZm9ydW0tb2lkLWludC1wYXRoLWVlLzAoBgNV +HSAEITAfMBQGEisGAQQB60mFGoUahRoBg3QJATAHBgVngQwBATAeBgNVHREEFzAV +ghNldi10ZXN0LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQBcDgBoVa2B +Ziwsi+JNV7c3wAGummbzznkednPMS8ahAuI9UOWi6HkfUPqwPABXJUXFVQR1sofy ++0f1D86NrQv7zErD0tEvL7sguHgjyKNhpsV9KV7c51RF0GCfFNjA2vUweTVYVQgo +/94Kl5EewrS3MaaL6AQX0oR/9BuJZUhcQPf1H6TiSu5wHMTstMF/tzp/5GILKx6S +8x6hEZJbUnnazm3ZGIQkCTY+PimxDfC/3OMO68bJ0nrWMt8dXGWLB0NXiWDV3GpO +HVtd+D6t0MTyVkWMIFOrBX3hDfTkfrljgEDRXgEMzjn956AFQO9YQTEzjdItFPxT +YE9JR5yqlbDp +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee.pem.certspec new file mode 100644 index 0000000000..edac2fc1ad --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee.pem.certspec @@ -0,0 +1,5 @@ +issuer:test-and-cabforum-oid-ee-cabforum-oid-int-path-int +subject:test-and-cabforum-oid-ee-cabforum-oid-int-path-ee +extension:authorityInformationAccess:http://www.example.com:8888/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee/ +extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1,2.23.140.1.1 +extension:subjectAlternativeName:ev-test.example.com diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-int.pem new file mode 100644 index 0000000000..072ab9f89f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-int.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDgDCCAmigAwIBAgIUbw1m4QOmyPiOAHq+GggyEzBvhfowDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy +MDQwMDAwMDBaMD0xOzA5BgNVBAMMMnRlc3QtYW5kLWNhYmZvcnVtLW9pZC1lZS1j +YWJmb3J1bS1vaWQtaW50LXBhdGgtaW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf +vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb +uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S +O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR +3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv +5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GfMIGcMAwGA1UdEwQFMAMB +Af8wCwYDVR0PBAQDAgEGMGsGCCsGAQUFBwEBBF8wXTBbBggrBgEFBQcwAYZPaHR0 +cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L3Rlc3QtYW5kLWNhYmZvcnVtLW9pZC1l +ZS1jYWJmb3J1bS1vaWQtaW50LXBhdGgtaW50LzASBgNVHSAECzAJMAcGBWeBDAEB +MA0GCSqGSIb3DQEBCwUAA4IBAQB0Qvh7fHW0IDocdxERG8qD2+c7BRxXEJWgRt4f +xU9jSejKVI3QijhjSn+PyXiqhF1hHW037vYY3TQY/jcvE++iwHTTL8C+Zmd+M7pc +WxaJi+dZCE7GAeGLr3fHYaFqkE76hlQ6V3z9ayPC1CZwrpXsA1WQgslHxvi+LJHx +sI8ygsNud8YDxSJQiz9ELik6Cc6MLv9rej/3u0KduQZGItX9nZIcsY0gBYcvJuWY +T/66RhAvowF/kqjPich5J54VOOUwqq10CmpDft6PZuxvOH5GD3kBDsiIXo3NACfS +pqSLeHrI/WqOBcACUCcgt6uYwjC4i8Km4MeRbvecWPAJ11R4 +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-int.pem.certspec new file mode 100644 index 0000000000..68dfd00573 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-int.pem.certspec @@ -0,0 +1,7 @@ +issuer:evroot +subject:test-and-cabforum-oid-ee-cabforum-oid-int-path-int +issuerKey:ev +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign +extension:authorityInformationAccess:http://www.example.com:8888/test-and-cabforum-oid-ee-cabforum-oid-int-path-int/ +extension:certificatePolicies:2.23.140.1.1 diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-ee.pem new file mode 100644 index 0000000000..5b23a23056 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-ee.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDkjCCAnqgAwIBAgIUG878Zwj3QMrHTGa2FfvoFFlYZzAwDQYJKoZIhvcNAQEL +BQAwLDEqMCgGA1UEAwwhdGVzdC1hbmQtY2FiZm9ydW0tb2lkLWVlLXBhdGgtaW50 +MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMCsxKTAnBgNVBAMM +IHRlc3QtYW5kLWNhYmZvcnVtLW9pZC1lZS1wYXRoLWVlMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds +JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4 +ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25 +iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3 +4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42 +yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GoMIGlMFkG +CCsGAQUFBwEBBE0wSzBJBggrBgEFBQcwAYY9aHR0cDovL3d3dy5leGFtcGxlLmNv +bTo4ODg4L3Rlc3QtYW5kLWNhYmZvcnVtLW9pZC1lZS1wYXRoLWVlLzAoBgNVHSAE +ITAfMBQGEisGAQQB60mFGoUahRoBg3QJATAHBgVngQwBATAeBgNVHREEFzAVghNl +di10ZXN0LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQBAyulWRI1iZUlK +2vYE91umLRCAYh4v2/+2PCaK0rhKzA/nvYWwMtPKdrMBiCPutL1XsPcf4E92C+Ur +Uk+Fii9GG0/NVJ06MFVxVmyzfibGQZO/zFigx89W0GF+zYbR4PWqd8zOwvVjcW4d +4sKUDrNvytqx+k8MedBOA561jp49R97NS5+L7Cw60FJdqY4DR7YPqMajCoIguTm+ +gl5YM+ZXHGMfaRYksToPj3+jbwAGekIjtlIjGNZC2yexknz1XnbfTEk4h6pkyUcm +9iWdSdE2WYGYFyc7qUHz1PSJadWQM0ZBZPm733+YN3HkSvGpTOjJOK79SNEMkA/i +AcaGhjaI +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-ee.pem.certspec new file mode 100644 index 0000000000..affbd87458 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-ee.pem.certspec @@ -0,0 +1,5 @@ +issuer:test-and-cabforum-oid-ee-path-int +subject:test-and-cabforum-oid-ee-path-ee +extension:authorityInformationAccess:http://www.example.com:8888/test-and-cabforum-oid-ee-path-ee/ +extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1,2.23.140.1.1 +extension:subjectAlternativeName:ev-test.example.com diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-int.pem new file mode 100644 index 0000000000..85aa46f15f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-int.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDXTCCAkWgAwIBAgIUOWveMMJU+nLZsk73dwkzgFJ6wKIwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy +MDQwMDAwMDBaMCwxKjAoBgNVBAMMIXRlc3QtYW5kLWNhYmZvcnVtLW9pZC1lZS1w +YXRoLWludDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW +Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk +cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT +AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3 +ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh +s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV +A6zaGAo17Y0CAwEAAaOBjTCBijAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBa +BggrBgEFBQcBAQROMEwwSgYIKwYBBQUHMAGGPmh0dHA6Ly93d3cuZXhhbXBsZS5j +b206ODg4OC90ZXN0LWFuZC1jYWJmb3J1bS1vaWQtZWUtcGF0aC1pbnQvMBEGA1Ud +IAQKMAgwBgYEVR0gADANBgkqhkiG9w0BAQsFAAOCAQEAOZUmjoXRjZ/kClVFVdfh +yDe+uAzR7+/aitlLKrbd8Nk+KfzvNkUAobV3qFYcZP757T2rP9YDf26o1//kwYyw +fjj+ooOefRODphmJS0nGBBUU7SDJvYN6OH4U9VgYvYTsvYm3zoRNLCgxd8z5zV8o +beCiWi8Zsw3kSQoMi2Y6y0+edR1945jGafkm865/vTlSC1uSMMNm5Ns6BQrEc9+S +RPSaV5OgEdTXP1obn1Hf+TADElk1xGZcNIavgWxjo8QM7BfPOYMZk0KIW7Pgs0x8 ++ZRhJ+kXHaVaOS9gAIi3koYC0DKcHXNSTXCTC7I34iSMvdVDcWwuRR0YrqYIu0QW +cQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-int.pem.certspec new file mode 100644 index 0000000000..11630b4b4f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-int.pem.certspec @@ -0,0 +1,7 @@ +issuer:evroot +subject:test-and-cabforum-oid-ee-path-int +issuerKey:ev +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign +extension:authorityInformationAccess:http://www.example.com:8888/test-and-cabforum-oid-ee-path-int/ +extension:certificatePolicies:any diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-ee.pem new file mode 100644 index 0000000000..c70ad55ae4 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-ee.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDlTCCAn2gAwIBAgIUaW/3PEK8ARYGWVUA798TUHKnEAQwDQYJKoZIhvcNAQEL +BQAwMDEuMCwGA1UEAwwldGVzdC1vaWQtZWUtY2FiZm9ydW0tb2lkLWludC1wYXRo +LWludDAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAvMS0wKwYD +VQQDDCR0ZXN0LW9pZC1lZS1jYWJmb3J1bS1vaWQtaW50LXBhdGgtZWUwggEiMA0G +CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erk +NUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwC +fs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1m +CyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTM +HGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m +1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGj +gaMwgaAwXQYIKwYBBQUHAQEEUTBPME0GCCsGAQUFBzABhkFodHRwOi8vd3d3LmV4 +YW1wbGUuY29tOjg4ODgvdGVzdC1vaWQtZWUtY2FiZm9ydW0tb2lkLWludC1wYXRo +LWVlLzAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoBg3QJATAeBgNVHREEFzAV +ghNldi10ZXN0LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQAfD2dMTacd +U21ufl0G0mZRuM5OHrE63tCGzfXSQ5TgE3og97YysimPrLbIa7dnCczTZ60awRFX +ycx8aTW3JB1H2lRB0g8dPzJE9sbkh/vHR4DlYJ8ISXd2gkbBINGy9VvFBOAcPGtW +XpAfFioiX0RPN/RdDuwVaAIfX+x1LRr3CHJUDWctJWpMYwHLtZmDScdwHYXfmdUS +ZnOF8WpJuQE8r1e5SeUSvima22nX9+IzGKz/6t01z+BeNwq5GZW+FCI/57ZKcshn +TwcTKe6ObCfLdjf5AkqI47gvHI/J8Ok6IGHpt6f3Z8czmapSiuvqE7VCHxk9WB6E +fLhH6uUnFktY +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-ee.pem.certspec new file mode 100644 index 0000000000..bd0f955ada --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-ee.pem.certspec @@ -0,0 +1,5 @@ +issuer:test-oid-ee-cabforum-oid-int-path-int +subject:test-oid-ee-cabforum-oid-int-path-ee +extension:authorityInformationAccess:http://www.example.com:8888/test-oid-ee-cabforum-oid-int-path-ee/ +extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1 +extension:subjectAlternativeName:ev-test.example.com diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-int.pem new file mode 100644 index 0000000000..477f5aba2e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-int.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDZjCCAk6gAwIBAgIUVUZvMWmRe012qtJnB+pH6CRq8WUwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy +MDQwMDAwMDBaMDAxLjAsBgNVBAMMJXRlc3Qtb2lkLWVlLWNhYmZvcnVtLW9pZC1p +bnQtcGF0aC1pbnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo +RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a +dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t +aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n +FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX +Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py +UcQx1QOs2hgKNe2NAgMBAAGjgZIwgY8wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMC +AQYwXgYIKwYBBQUHAQEEUjBQME4GCCsGAQUFBzABhkJodHRwOi8vd3d3LmV4YW1w +bGUuY29tOjg4ODgvdGVzdC1vaWQtZWUtY2FiZm9ydW0tb2lkLWludC1wYXRoLWlu +dC8wEgYDVR0gBAswCTAHBgVngQwBATANBgkqhkiG9w0BAQsFAAOCAQEAIVYXUG/B +zRSio0gAxeDrJb5DigUcZGcnK39tdfd74W2MUkylo/Yq0cDJwVlsQ/oke5myaJQd +dpf3wZ33ebCOpVArMXNB11iAUTMR57W8ecyiwKhhyPcCOg/NlIfLFJ6PDsC3eCTM +dqMAdRYg/WFqNbfXy/nYEBBuCEv6krpqWjgXKOUqYRpwZasPB9Bdpk3U0IOOFAPj +rhO9ddnQ+IYUshAjVDp7ssSxFCGXJrNPObLnQZ7vGtmHwnIMt9D3Kulz8lZLTzjv +1TfAwwM/qU1iG1Yj+zd2B5RIHcgegT8i/NY607w9+OgAF4PTS6R8pr6s5o2ZvuG5 +EOqXzqa3c0o7Yw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-int.pem.certspec new file mode 100644 index 0000000000..37d4d133a1 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-int.pem.certspec @@ -0,0 +1,7 @@ +issuer:evroot +subject:test-oid-ee-cabforum-oid-int-path-int +issuerKey:ev +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign +extension:authorityInformationAccess:http://www.example.com:8888/test-oid-ee-cabforum-oid-int-path-int/ +extension:certificatePolicies:2.23.140.1.1 diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem new file mode 100644 index 0000000000..ad79129976 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDWTCCAkGgAwIBAgIUTXff7OYNjOGJ1ucBiXQFwQrnD70wDQYJKoZIhvcNAQEL +BQAwHDEaMBgGA1UEAwwRdGVzdC1vaWQtcGF0aC1pbnQwIhgPMjAyMjExMjcwMDAw +MDBaGA8yMDI1MDIwNDAwMDAwMFowGzEZMBcGA1UEAwwQdGVzdC1vaWQtcGF0aC1l +ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogG +NhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqn +RYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHu +p3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQ +Lzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p +47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo1 +7Y0CAwEAAaOBjzCBjDBJBggrBgEFBQcBAQQ9MDswOQYIKwYBBQUHMAGGLWh0dHA6 +Ly93d3cuZXhhbXBsZS5jb206ODg4OC90ZXN0LW9pZC1wYXRoLWVlLzAfBgNVHSAE +GDAWMBQGEisGAQQB60mFGoUahRoBg3QJATAeBgNVHREEFzAVghNldi10ZXN0LmV4 +YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQB/4nd8VD67vZUPTAzzK6U0i5z5 +JfEUHZyodwbEvCMRx4JPzGa/B4Ra9fTk9f3vlgpmbmIXzeW2V2eKeug/qRR6rTk5 +e5vdjMb2V2NVyHE6uqi6U5YPzIqH4CuIrihy/6f2BXGww6N0jaguP9T+O1hjtS+W +kCaUMBIYCp8hnGiKcLDyTPxxysPl0g39ML39Pxgk36C5N/0gAun+4U2El+xy+a2r +MAZchBP9guWBREZfse6wpAJfLpswlaRcsiUm+ohgLb3sKGJOtX7V0vegm5BGkqZK +yMG5MiHhnEep4cMnrEXly81hWbZNHHBnMlNRqDmR8Vex1igG/tMFmuPQr3Xs +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem.certspec new file mode 100644 index 0000000000..a9d62c65e9 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem.certspec @@ -0,0 +1,5 @@ +issuer:test-oid-path-int +subject:test-oid-path-ee +extension:authorityInformationAccess:http://www.example.com:8888/test-oid-path-ee/ +extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1 +extension:subjectAlternativeName:ev-test.example.com diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key new file mode 100644 index 0000000000..09e044f5e0 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9 +braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI +eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6 +iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za +qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7 +LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs +2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs +VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s +JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI +r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz +iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg +SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R +TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N +gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp +xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r +ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR +3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY +EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs +2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb +WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo +tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl +rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2 +TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit +tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m +ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1 +NBinA5ZsT8d0v3QCr2xDJH9D +-----END PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key.keyspec b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key.keyspec new file mode 100644 index 0000000000..4ad96d5159 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key.keyspec @@ -0,0 +1 @@ +default diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem new file mode 100644 index 0000000000..4888db9219 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDSzCCAjOgAwIBAgIUc1xU18+/MWV14ZhLlRYTr84OIJgwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy +MDQwMDAwMDBaMBwxGjAYBgNVBAMMEXRlc3Qtb2lkLXBhdGgtaW50MIIBIjANBgkq +hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVK +tOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7N +Q/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39Zgsr +sCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxs +l62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYl +nauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GL +MIGIMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMEoGCCsGAQUFBwEBBD4wPDA6 +BggrBgEFBQcwAYYuaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L3Rlc3Qtb2lk +LXBhdGgtaW50LzAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoBg3QJATANBgkq +hkiG9w0BAQsFAAOCAQEATHhQmv0hF3M77Re1LYWINecipWJlnilGk5DCCiDyRxmm +LPTJEz4v1NtC6HambYL5TUk878S4zsFV4SSaJ7DuCpq730se7C4fkP642wFuSKIo +ExMPEaE5b10NyKtC47yQkrTBqnvBGrdFyY7awuTCpLK7MpEPIIUNjPUN4M7kj3It +0am6GYVjFzdtY1knyTDQJT2kE8McGOec/CggZucOhjfOyLe6FZLzTY9qmfHlwXb/ +/YgUlGMkQmIYCcEKUcECosIt0TPCjPBvNIovIySHSF77WZS8SR1rIeaznLCAbVbX +rJ79ZtTtK9XceMzas1pz5lDonwtDEDFUJE2p6TX/ug== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem.certspec new file mode 100644 index 0000000000..53534eb526 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem.certspec @@ -0,0 +1,7 @@ +issuer:evroot +subject:test-oid-path-int +issuerKey:ev +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign +extension:authorityInformationAccess:http://www.example.com:8888/test-oid-path-int/ +extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1 diff --git a/security/manager/ssl/tests/unit/test_faulty_server.js b/security/manager/ssl/tests/unit/test_faulty_server.js new file mode 100644 index 0000000000..7536a91104 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_faulty_server.js @@ -0,0 +1,142 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +/* based on netwerk/test/unit/test_retry_0rtt.js */ + +"use strict"; + +/* import-globals-from ../../../../../netwerk/test/unit/head_channels.js */ +load("../../../../../netwerk/test/unit/head_channels.js"); + +var httpServer = null; + +let handlerCallbacks = {}; + +function listenHandler(metadata, response) { + info(metadata.path); + handlerCallbacks[metadata.path] = (handlerCallbacks[metadata.path] || 0) + 1; +} + +function handlerCount(path) { + return handlerCallbacks[path] || 0; +} + +ChromeUtils.importESModule("resource://gre/modules/AppConstants.sys.mjs"); + +// Bug 1805371: Tests that require FaultyServer can't currently be built +// with system NSS. +add_setup( + { + skip_if: () => AppConstants.MOZ_SYSTEM_NSS, + }, + async () => { + do_get_profile(); + Services.fog.initializeFOG(); + + httpServer = new HttpServer(); + httpServer.registerPrefixHandler("/callback/", listenHandler); + httpServer.start(-1); + + registerCleanupFunction(async () => { + await httpServer.stop(); + }); + + Services.env.set( + "FAULTY_SERVER_CALLBACK_PORT", + httpServer.identity.primaryPort + ); + await asyncStartTLSTestServer("FaultyServer", "test_faulty_server"); + } +); + +function makeChan(url) { + let chan = NetUtil.newChannel({ + uri: url, + loadUsingSystemPrincipal: true, + }).QueryInterface(Ci.nsIHttpChannel); + + chan.loadFlags = Ci.nsIChannel.LOAD_INITIAL_DOCUMENT_URI; + return chan; +} + +function channelOpenPromise(chan, flags) { + return new Promise(resolve => { + chan.asyncOpen( + new ChannelListener((req, buffer) => resolve([req, buffer]), null, flags) + ); + }); +} + +add_task( + { + skip_if: () => AppConstants.MOZ_SYSTEM_NSS, + }, + async function testRetryXyber() { + const retryDomain = "xyber-net-interrupt.example.com"; + + Services.prefs.setBoolPref("security.tls.enable_kyber", true); + Services.prefs.setCharPref("network.dns.localDomains", [retryDomain]); + Services.prefs.setIntPref("network.http.speculative-parallel-limit", 0); + + // Get the number of xyber / x25519 callbacks prior to making the request + // ssl_grp_kem_xyber768d00 = 25497 + // ssl_grp_ec_curve25519 = 29 + let countOfXyber = handlerCount("/callback/25497"); + let countOfX25519 = handlerCount("/callback/29"); + let chan = makeChan(`https://${retryDomain}:8443`); + let [, buf] = await channelOpenPromise(chan, CL_ALLOW_UNKNOWN_CL); + ok(buf); + // The server will make a xyber768d00 callback for the initial request, and + // then an x25519 callback for the retry. Both callback counts should + // increment by one. + equal( + handlerCount("/callback/25497"), + countOfXyber + 1, + "negotiated xyber768d00" + ); + equal(handlerCount("/callback/29"), countOfX25519 + 1, "negotiated x25519"); + if (!mozinfo.socketprocess_networking) { + // Bug 1824574 + equal( + 1, + await Glean.tls.xyberIntoleranceReason.PR_END_OF_FILE_ERROR.testGetValue(), + "PR_END_OF_FILE_ERROR telemetry accumulated" + ); + } + } +); + +add_task( + { + skip_if: () => AppConstants.MOZ_SYSTEM_NSS, + }, + async function testNoRetryXyber() { + const retryDomain = "xyber-alert-after-server-hello.example.com"; + + Services.prefs.setBoolPref("security.tls.enable_kyber", true); + Services.prefs.setCharPref("network.dns.localDomains", [retryDomain]); + Services.prefs.setIntPref("network.http.speculative-parallel-limit", 0); + + // Get the number of xyber / x25519 / p256 callbacks prior to making the request + // ssl_grp_kem_xyber768d00 = 25497 + // ssl_grp_ec_curve25519 = 29 + let countOfXyber = handlerCount("/callback/25497"); + let countOfX25519 = handlerCount("/callback/29"); + let chan = makeChan(`https://${retryDomain}:8443`); + let [req] = await channelOpenPromise(chan, CL_EXPECT_FAILURE); + equal(req.status, 0x805a2f4d); // psm::GetXPCOMFromNSSError(SSL_ERROR_HANDSHAKE_FAILED) + // The server will make a xyber768d00 callback for the initial request and + // the client should not retry. + equal( + handlerCount("/callback/25497"), + countOfXyber + 1, + "negotiated xyber768d00" + ); + equal( + handlerCount("/callback/29"), + countOfX25519, + "did not negotiate x25519" + ); + } +); diff --git a/security/manager/ssl/tests/unit/test_faulty_server/default-ee.key b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.key new file mode 100644 index 0000000000..a926a54efb --- /dev/null +++ b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.key @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgIZFAPVcQvxWiZYGM +1C7W/t8JrdkteLGOeh6f65VSRwKhRANCAARPv7u7YeD4+bGmClmshwTi7AULQj48 +9y6SPyxPeUtFXCpp0jNFbDbEEZ0HBuAO7cjRk5DXmRt7LQejBOqgSqbA +-----END EC PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/test_faulty_server/default-ee.key.keyspec b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.key.keyspec new file mode 100644 index 0000000000..03c3ce198f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.key.keyspec @@ -0,0 +1 @@ +secp256r1 diff --git a/security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem new file mode 100644 index 0000000000..9d3b41a1bf --- /dev/null +++ b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem @@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICMjCCARqgAwIBAgIUddkSg4Xa4Tq2i+Q1Ebvjh6EWuAkwDQYJKoZIhvcNAQEL +BQAwJTEjMCEGA1UEAwwaZmF1bHR5LXNlcnZlci1pbnRlcm1lZGlhdGUwIhgPMjAy +MjExMjcwMDAwMDBaGA8yMDI1MDIwNDAwMDAwMFowFTETMBEGA1UEAwwKZGVmYXVs +dC1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE+/u7th4Pj5saYKWayHBOLs +BQtCPjz3LpI/LE95S0VcKmnSM0VsNsQRnQcG4A7tyNGTkNeZG3stB6ME6qBKpsCj +MTAvMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBgGA1UdEQQRMA+CDSouZXhhbXBsZS5j +b20wDQYJKoZIhvcNAQELBQADggEBAKhgmF34y6L3lvO2tL56geQBnUeY0L/buzAt +tyW+0KqDDFjMrPkF1uKUH4d59xF7mq57KgMNPNyB0kSnlvu09nZP0yD6BQ67biVa +YEyLuaJIfa9Ym51Yjx3GqLIRKiiZ9sAPLalIpguh3yvfEfWwCV6HxHWJv6PJ1zVt +l/89i5J8B+rzRjXluiK+lPiUeRnp2RfXvst1u8KtNh1hbabjAkeox4EXbAqxFTJK +bzp9IwqlNxlKK93WyeF3wCndEn2nFYwSOR8tBZFcTtv9Z8F8Xu2gF5C0GYTfy6iX +Y/N5gkxDUGTn+LtG+VyTNNqmS0bXFFuPbuE0mt9OiAydFKpkgJU= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem.certspec b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem.certspec new file mode 100644 index 0000000000..5d471da110 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem.certspec @@ -0,0 +1,5 @@ +issuer:faulty-server-intermediate +subjectKey:secp256r1 +subject:default-ee +extension:extKeyUsage:serverAuth +extension:subjectAlternativeName:*.example.com diff --git a/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem new file mode 100644 index 0000000000..fdb59ed65a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem @@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICFjCB/6ADAgECAhR/GplP7a+yU4EAPSMvru2gC2X6uTANBgkqhkiG9w0BAQsF +ADAlMSMwIQYDVQQDDBpmYXVsdHktc2VydmVyLWludGVybWVkaWF0ZTAiGA8yMDIy +MTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAUMRIwEAYDVQQDDAluby1zYW4t +ZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARPv7u7YeD4+bGmClmshwTi7AUL +Qj489y6SPyxPeUtFXCpp0jNFbDbEEZ0HBuAO7cjRk5DXmRt7LQejBOqgSqbAoxcw +FTATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEAmHFKAXfd +4vHVJJ7LBHTp4BGpfNQTQXy7sSTOExJi+2WGqtbAubZUQv71WWXqKf7IBpcxzXBy +D18Hb8aN0wDDVVodQ7eZJ0XPOitfkZeHQHSwhCwinT46030oGffk/m7nRpi/eS/T +7mvFLaYiKRXssP6FxBHCyYd8DLQ0RPTbigyDdrYkqh7dS8Ei06bCJukUrWbACHvW +ONUNiY44VaVK/BBZQHn/nqzgNeYZEd7xhJA2yVboP2xZY5E7426V6dUzfU2zqxld +TNpIDzWmQUUGi080YiYIY24rvjx0Sj7+X2xAYQNXgR16VGpxvi4RcEpzXXafX5e+ +BWRSWF7XdM9k5Q== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.certspec b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.certspec new file mode 100644 index 0000000000..68eb6b0202 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.certspec @@ -0,0 +1,4 @@ +issuer:faulty-server-intermediate +subjectKey:secp256r1 +subject:no-san-ee +extension:extKeyUsage:serverAuth diff --git a/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key new file mode 100644 index 0000000000..a926a54efb --- /dev/null +++ b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgIZFAPVcQvxWiZYGM +1C7W/t8JrdkteLGOeh6f65VSRwKhRANCAARPv7u7YeD4+bGmClmshwTi7AULQj48 +9y6SPyxPeUtFXCpp0jNFbDbEEZ0HBuAO7cjRk5DXmRt7LQejBOqgSqbA +-----END EC PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key.keyspec b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key.keyspec new file mode 100644 index 0000000000..03c3ce198f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key.keyspec @@ -0,0 +1 @@ +secp256r1 diff --git a/security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem b/security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem new file mode 100644 index 0000000000..d90875fdc8 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5TCCAc2gAwIBAgIUTz5eaR08Vrv3WMdQyfUb6nPdzWIwDQYJKoZIhvcNAQEL +BQAwGzEZMBcGA1UEAwwQZmF1bHR5LXNlcnZlci1jYTAiGA8yMDIyMTEyNzAwMDAw +MFoYDzIwMjUwMjA0MDAwMDAwWjAbMRkwFwYDVQQDDBBmYXVsdHktc2VydmVyLWNh +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2 +ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdF +h/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6n +cOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAv +OnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2nj +tIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXt +jQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0B +AQsFAAOCAQEAVTes4P52u8R5tF6eEN4IO7sT8YjihE63JQ+VDaV9m/KFA1fuBlDH +4N3LWXK9ilZLQQFl+z+QPYA74dNmzvZPWjsUv0nVLkkV5KPoN1SJV0bZeh8+as4r +Yy6N4wZf43XN0xDYJpPB1TX7UQV/MEumy3HXXFzOyXUBR2bdNspfe6ok70eLOggf +vTT3x8usO1rocX7bYf9eqgID85dDYq/VAJXg6HcEsZJ+w4F7w3BI9K/w2TPu0nAt +TElnzEMcBW235zRXRFV+Z06fUL8mJfzH2IU56CHG7AkCblw5ZqzMtfsjjxRSpzTC +fJC0xufCzKoee4K74JZmgkreL1kqxpfesg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem.certspec b/security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem.certspec new file mode 100644 index 0000000000..bcbf751bb2 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:faulty-server-ca +subject:faulty-server-ca +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_faulty_server/test-int.pem b/security/manager/ssl/tests/unit/test_faulty_server/test-int.pem new file mode 100644 index 0000000000..c25d6cf85d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_faulty_server/test-int.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC7zCCAdegAwIBAgIUUTRjZwJOxeTcJu+hEU5Nslh/bfIwDQYJKoZIhvcNAQEL +BQAwGzEZMBcGA1UEAwwQZmF1bHR5LXNlcnZlci1jYTAiGA8yMDIyMTEyNzAwMDAw +MFoYDzIwMjUwMjA0MDAwMDAwWjAlMSMwIQYDVQQDDBpmYXVsdHktc2VydmVyLWlu +dGVybWVkaWF0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahE +jhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1 +a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1p +GrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW +2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcO +p2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJR +xDHVA6zaGAo17Y0CAwEAAaMdMBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYw +DQYJKoZIhvcNAQELBQADggEBAFagmFEAlfPNh0dcr8ZP8we4hEpzkLiCkn/bn4+D +aEZps/yPkQ5R+tRLucwVwVKHdaubp3M8TFSWzCD2DRpQxDLbvdY2+jZyXce/fG8x +ar7p/x+NVKeMfbKq/Dqb4v1mg7PERpnIbrzaQco2CkCcoptAcWxMqSSlZwPTqNpH +b7J1fnjasPXS75rSmkNhbXi9AIjIH5qpOmaxOHpMI7IhFbCS01lQZa+w4JHOwKPt +6Omx7pyy1K1vbjOrlF6oX+q625mJA1YXxipkFPM+WVby97fIEnr3HBipY/f+p3UN +toiFaLPMe4yTHVcHxYqroFfLebh6YF17tifc4UnQUBTnk2k= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_faulty_server/test-int.pem.certspec b/security/manager/ssl/tests/unit/test_faulty_server/test-int.pem.certspec new file mode 100644 index 0000000000..5be535c81d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_faulty_server/test-int.pem.certspec @@ -0,0 +1,4 @@ +issuer:faulty-server-ca +subject:faulty-server-intermediate +extension:basicConstraints:cA, +extension:keyUsage:keyCertSign,cRLSign diff --git a/security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js b/security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js new file mode 100644 index 0000000000..3a595a3e08 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js @@ -0,0 +1,119 @@ +/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- + * vim: sw=2 ts=2 sts=2 + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +"use strict"; + +// Ensures that HSTS (HTTP Strict Transport Security) information is cleared +// when using "Forget About This Site". + +const { ForgetAboutSite } = ChromeUtils.importESModule( + "resource://gre/modules/ForgetAboutSite.sys.mjs" +); + +do_get_profile(); // must be done before instantiating nsIX509CertDB + +registerCleanupFunction(() => { + Services.prefs.clearUserPref("security.cert_pinning.enforcement_level"); +}); + +const GOOD_MAX_AGE_SECONDS = 69403; +const GOOD_MAX_AGE = `max-age=${GOOD_MAX_AGE_SECONDS};`; + +const sss = Cc["@mozilla.org/ssservice;1"].getService( + Ci.nsISiteSecurityService +); +const uri = Services.io.newURI("https://a.pinning.example.com"); + +// Test the normal case of processing HSTS headers for a.pinning.example.com, +// using "Forget About Site" on a.pinning2.example.com, and then checking +// that the platform doesn't consider a.pinning.example.com to be HSTS any +// longer. +add_task(async function () { + sss.processHeader(uri, GOOD_MAX_AGE); + + Assert.ok(sss.isSecureURI(uri), "a.pinning.example.com should be HSTS"); + + await ForgetAboutSite.removeDataFromDomain("a.pinning.example.com"); + + Assert.ok( + !sss.isSecureURI(uri), + "a.pinning.example.com should not be HSTS now" + ); +}); + +// Test the case of processing HSTS headers for a.pinning.example.com, using +// "Forget About Site" on example.com, and then checking that the platform +// doesn't consider the subdomain to be HSTS any longer. Also test that +// unrelated sites don't also get removed. +add_task(async function () { + sss.processHeader(uri, GOOD_MAX_AGE); + + Assert.ok( + sss.isSecureURI(uri), + "a.pinning.example.com should be HSTS (subdomain case)" + ); + + // Add an unrelated site to HSTS. + let unrelatedURI = Services.io.newURI("https://example.org"); + sss.processHeader(unrelatedURI, GOOD_MAX_AGE); + Assert.ok(sss.isSecureURI(unrelatedURI), "example.org should be HSTS"); + + await ForgetAboutSite.removeDataFromDomain("example.com"); + + Assert.ok( + !sss.isSecureURI(uri), + "a.pinning.example.com should not be HSTS now (subdomain case)" + ); + + Assert.ok(sss.isSecureURI(unrelatedURI), "example.org should still be HSTS"); +}); + +// Test the case of processing HSTS headers for a.pinning.example.com with +// various originAttributes, using "Forget About Site" on example.com, and +// then checking that the platform doesn't consider the subdomain to be HSTS +// for any originAttributes any longer. Also test that unrelated sites don't +// also get removed. +add_task(async function () { + let originAttributesList = [ + {}, + { userContextId: 1 }, + { firstPartyDomain: "foo.com" }, + { userContextId: 1, firstPartyDomain: "foo.com" }, + ]; + + let unrelatedURI = Services.io.newURI("https://example.org"); + + for (let originAttributes of originAttributesList) { + sss.processHeader(uri, GOOD_MAX_AGE, originAttributes); + + Assert.ok( + sss.isSecureURI(uri, originAttributes), + "a.pinning.example.com should be HSTS (originAttributes case)" + ); + + // Add an unrelated site to HSTS. + sss.processHeader(unrelatedURI, GOOD_MAX_AGE, originAttributes); + Assert.ok( + sss.isSecureURI(unrelatedURI, originAttributes), + "example.org should be HSTS (originAttributes case)" + ); + } + + await ForgetAboutSite.removeDataFromDomain("example.com"); + + for (let originAttributes of originAttributesList) { + Assert.ok( + !sss.isSecureURI(uri, originAttributes), + "a.pinning.example.com should not be HSTS now " + + "(originAttributes case)" + ); + + Assert.ok( + sss.isSecureURI(unrelatedURI, originAttributes), + "example.org should still be HSTS (originAttributes case)" + ); + } +}); diff --git a/security/manager/ssl/tests/unit/test_hash_algorithms.js b/security/manager/ssl/tests/unit/test_hash_algorithms.js new file mode 100644 index 0000000000..51840bbf08 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_hash_algorithms.js @@ -0,0 +1,149 @@ +"use strict"; + +// This file tests various aspects of the nsICryptoHash implementation for all +// of the supported algorithms. + +const messages = ["The quick brown fox jumps over the lazy dog", ""]; +const ALGORITHMS = [ + { + initString: "md5", + initConstant: Ci.nsICryptoHash.MD5, + hexHashes: [ + "9e107d9d372bb6826bd81d3542a419d6", + "d41d8cd98f00b204e9800998ecf8427e", + ], + b64Hashes: ["nhB9nTcrtoJr2B01QqQZ1g==", "1B2M2Y8AsgTpgAmY7PhCfg=="], + }, + { + initString: "sha1", + initConstant: Ci.nsICryptoHash.SHA1, + hexHashes: [ + "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12", + "da39a3ee5e6b4b0d3255bfef95601890afd80709", + ], + b64Hashes: ["L9ThxnotKPzthJ7hu3bnORuT6xI=", "2jmj7l5rSw0yVb/vlWAYkK/YBwk="], + }, + { + initString: "sha256", + initConstant: Ci.nsICryptoHash.SHA256, + hexHashes: [ + "d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592", + "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + ], + b64Hashes: [ + "16j7swfXgJRpypq8sAguT41WUeRtPNt2LQLQvzfJ5ZI=", + "47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=", + ], + }, + { + initString: "sha384", + initConstant: Ci.nsICryptoHash.SHA384, + hexHashes: [ + "ca737f1014a48f4c0b6dd43cb177b0afd9e5169367544c494011e3317dbf9a509cb1e5dc1e85a941bbee3d7f2afbc9b1", + "38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b", + ], + b64Hashes: [ + "ynN/EBSkj0wLbdQ8sXewr9nlFpNnVExJQBHjMX2/mlCcseXcHoWpQbvuPX8q+8mx", + "OLBgp1GsljhM2TJ+sbHjaiH9txEUvgdDTAzHv2P24donTt6/529l+9Ua0vFImLlb", + ], + }, + { + initString: "sha512", + initConstant: Ci.nsICryptoHash.SHA512, + hexHashes: [ + "07e547d9586f6a73f73fbac0435ed76951218fb7d0c8d788a309d785436bbb642e93a252a954f23912547d1e8a3b5ed6e1bfd7097821233fa0538f3db854fee6", + "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e", + ], + b64Hashes: [ + "B+VH2VhvanP3P7rAQ17XaVEhj7fQyNeIownXhUNru2Quk6JSqVTyORJUfR6KO17W4b/XCXghIz+gU489uFT+5g==", + "z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==", + ], + }, +]; + +function doHash(algo, value, cmp) { + let hash = Cc["@mozilla.org/security/hash;1"].createInstance( + Ci.nsICryptoHash + ); + hash.initWithString(algo); + + value = new TextEncoder().encode(value); + hash.update(value, value.length); + equal( + hexify(hash.finish(false)), + cmp, + `Actual and expected hash for ${algo} should match` + ); + + hash.initWithString(algo); + hash.update(value, value.length); + equal( + hexify(hash.finish(false)), + cmp, + `Actual and expected hash for ${algo} should match after re-init` + ); +} + +function doHashStream(algo, value, cmp) { + // TODO(Bug 459835): Make updateFromStream() accept zero length streams. + if (!value.length) { + return; + } + + let hash = Cc["@mozilla.org/security/hash;1"].createInstance( + Ci.nsICryptoHash + ); + hash.initWithString(algo); + + let stream = Cc["@mozilla.org/io/string-input-stream;1"].createInstance( + Ci.nsIStringInputStream + ); + stream.setUTF8Data(value); + hash.updateFromStream(stream, stream.available()); + equal( + hexify(hash.finish(false)), + cmp, + `Actual and expected hash for ${algo} should match updating from stream` + ); +} + +function testInitConstantAndBase64( + initConstant, + algoName, + message, + expectedOutput +) { + let value = new TextEncoder().encode(message); + + let hash = Cc["@mozilla.org/security/hash;1"].createInstance( + Ci.nsICryptoHash + ); + hash.init(initConstant); + hash.update(value, value.length); + equal( + hash.finish(true), + expectedOutput, + `Actual and expected base64 hash for ${algoName} should match` + ); +} + +function run_test() { + for (let algo of ALGORITHMS) { + algo.hexHashes.forEach((hash, i) => { + doHash(algo.initString, messages[i], hash); + doHashStream(algo.initString, messages[i], hash); + }); + algo.b64Hashes.forEach((hash, i) => { + testInitConstantAndBase64( + algo.initConstant, + algo.initString, + messages[i], + hash + ); + }); + } + + // Our buffer size for working with streams is 4096 bytes. This tests we + // handle larger inputs. + doHashStream("md5", " ".repeat(4100), "59f337d82f9ef5c9571bec4d78d66641"); +} diff --git a/security/manager/ssl/tests/unit/test_hash_algorithms_wrap.js b/security/manager/ssl/tests/unit/test_hash_algorithms_wrap.js new file mode 100644 index 0000000000..f2b7016c05 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_hash_algorithms_wrap.js @@ -0,0 +1,5 @@ +"use strict"; + +function run_test() { + run_test_in_child("test_hash_algorithms.js"); +} diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js new file mode 100644 index 0000000000..4b09c719fc --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js @@ -0,0 +1,138 @@ +"use strict"; + +do_get_profile(); // must be called before getting nsIX509CertDB +const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +function load_cert(name, trust) { + let filename = "test_intermediate_basic_usage_constraints/" + name + ".pem"; + addCertFromFile(certdb, filename, trust); +} + +function test_cert_for_usages(certChainNicks, expected_usages) { + let certs = []; + for (let i in certChainNicks) { + let certNick = certChainNicks[i]; + let certPEM = readFile( + do_get_file( + "test_intermediate_basic_usage_constraints/" + certNick + ".pem" + ), + false + ); + certs.push(certdb.constructX509FromBase64(pemToBase64(certPEM))); + } + + let cert = certs[0]; + return asyncTestCertificateUsages(certdb, cert, expected_usages); +} + +add_task(async function () { + let ee_usages = [ + certificateUsageSSLClient, + certificateUsageSSLServer, + certificateUsageEmailSigner, + certificateUsageEmailRecipient, + ]; + let ca_usages = [certificateUsageSSLCA]; + let eku_usages = [certificateUsageSSLClient, certificateUsageSSLServer]; + + // Load the ca into mem + let ca_name = "ca"; + load_cert(ca_name, "CTu,CTu,CTu"); + await test_cert_for_usages([ca_name], ca_usages); + + // A certificate with no basicConstraints extension is considered an EE. + await test_cert_for_usages(["int-no-extensions"], ee_usages); + + // int-no-extensions is an EE (see previous case), so no certs can chain to + // it. + await test_cert_for_usages(["ee-int-no-extensions", "int-no-extensions"], []); + + // a certificate with basicConstraints.cA==false is considered an EE. + await test_cert_for_usages(["int-not-a-ca"], ee_usages); + + // int-not-a-ca is an EE (see previous case), so no certs can chain to it. + await test_cert_for_usages(["ee-int-not-a-ca", "int-not-a-ca"], []); + + // a certificate with basicConstraints.cA==false but with the keyCertSign + // key usage may not act as a CA (it can act like an end-entity). + await test_cert_for_usages(["int-cA-FALSE-asserts-keyCertSign"], ee_usages); + await test_cert_for_usages( + ["ee-int-cA-FALSE-asserts-keyCertSign", "int-cA-FALSE-asserts-keyCertSign"], + [] + ); + + // int-limited-depth has cA==true and a path length constraint of zero. + await test_cert_for_usages(["int-limited-depth"], ca_usages); + + // path length constraints do not affect the ability of a non-CA cert to + // chain to to the CA cert. + await test_cert_for_usages( + ["ee-int-limited-depth", "int-limited-depth"], + ee_usages + ); + + // ca + // int-limited-depth (cA==true, pathLenConstraint==0) + // int-limited-depth-invalid (cA==true) + // + await test_cert_for_usages( + ["int-limited-depth-invalid", "int-limited-depth"], + [] + ); + await test_cert_for_usages( + [ + "ee-int-limited-depth-invalid", + "int-limited-depth-invalid", + "int-limited-depth", + ], + [] + ); + + // int-valid-ku-no-eku has keyCertSign + await test_cert_for_usages(["int-valid-ku-no-eku"], ca_usages); + await test_cert_for_usages( + ["ee-int-valid-ku-no-eku", "int-valid-ku-no-eku"], + ee_usages + ); + + // int-bad-ku-no-eku has basicConstraints.cA==true and has a KU extension + // but the KU extension is missing keyCertSign. Note that mozilla::pkix + // doesn't validate certificates with basicConstraints.Ca==true for non-CA + // uses. + await test_cert_for_usages(["int-bad-ku-no-eku"], []); + await test_cert_for_usages(["ee-int-bad-ku-no-eku", "int-bad-ku-no-eku"], []); + + // int-no-ku-no-eku has basicConstraints.cA==true and no KU extension. + // We treat a missing KU as "any key usage is OK". + await test_cert_for_usages(["int-no-ku-no-eku"], ca_usages); + await test_cert_for_usages( + ["ee-int-no-ku-no-eku", "int-no-ku-no-eku"], + ee_usages + ); + + // int-valid-ku-server-eku has basicConstraints.cA==true, keyCertSign in KU, + // and EKU=={id-kp-serverAuth,id-kp-clientAuth}. + await test_cert_for_usages(["int-valid-ku-server-eku"], ca_usages); + await test_cert_for_usages( + ["ee-int-valid-ku-server-eku", "int-valid-ku-server-eku"], + eku_usages + ); + + // int-bad-ku-server-eku has basicConstraints.cA==true, a KU without + // keyCertSign, and EKU=={id-kp-serverAuth,id-kp-clientAuth}. + await test_cert_for_usages(["int-bad-ku-server-eku"], []); + await test_cert_for_usages( + ["ee-int-bad-ku-server-eku", "int-bad-ku-server-eku"], + [] + ); + + // int-bad-ku-server-eku has basicConstraints.cA==true, no KU, and + // EKU=={id-kp-serverAuth,id-kp-clientAuth}. + await test_cert_for_usages(["int-no-ku-server-eku"], ca_usages); + await test_cert_for_usages( + ["ee-int-no-ku-server-eku", "int-no-ku-server-eku"], + eku_usages + ); +}); diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ca.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ca.pem new file mode 100644 index 0000000000..07dc4aa671 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ca.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICvDCCAaSgAwIBAgIUEYQA33NLz6NiG+8Dgvo+0fQtCvswDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG +m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr +bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4 +SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3 +/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z +FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJ +KoZIhvcNAQELBQADggEBAJxbBQm14oIDu9jStpt92SEUkNZJhtC3N+rGgKBeSKVQ +216uhnu9jsku+/zrrfXIMEuEbfI5nFbwb1CQGUh6GB0rG3i/OtA+OHsFGDuHFSzI +hrnNTrxJf5DTvnLrJNDu+2N2dfeLo+w5Iqbr2uV8GGD/zKSw6EbHyOtE/rLG0NaC +4JxkEUc1tZ5JAZCG36cGWr5jPta2VpzJd3QETSM99tXAjDXbxelR1Bzs3YDuQRjs +YpSZvxDsJlgxw+OlmR8ccxNyeLVKV2hWxJOGGH2sc2jco4dCBmkJJZoShXNIQ2lo +egsQ4BpJQcX+aAOhUd7bfk6D9KIbn7On35pvPJc8Xpw= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ca.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ca.pem.certspec new file mode 100644 index 0000000000..eb7c4b4bee --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ca.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:ca +extension:basicConstraints:cA, diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-no-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-no-eku.pem new file mode 100644 index 0000000000..a73932af90 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-no-eku.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5zCCAc+gAwIBAgIUdTdCi3lbYAGAZjNYCvBsJ4Egs6UwDQYJKoZIhvcNAQEL +BQAwHDEaMBgGA1UEAwwRaW50LWJhZC1rdS1uby1la3UwIhgPMjAyMjExMjcwMDAw +MDBaGA8yMDI1MDIwNDAwMDAwMFowHzEdMBsGA1UEAwwUZWUtaW50LWJhZC1rdS1u +by1la3UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9 +braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI +eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6 +iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za +qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7 +LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs +2hgKNe2NAgMBAAGjGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgP4MA0GCSqGSIb3 +DQEBCwUAA4IBAQBsXG5TZRDqCzYowxnJx+SVOfW0L+GJ0JyB4Zol6fYO2ppkRXwq +nlbD3eFfhJ1C+SMos7fgqSzC83heQgkMe8Zu7rM/hAoMChaQx0DiuQ/33yBvArrz +T0USPGZRIEBNwm20TZnOGfwWhZoxQyh7tG8Llni6REL4GBdHE0AkZjw55ZRVTju1 +kZUzNC2Y9VLb8xcah03o2SxgMk0MAFJXAc84f4Qno7jHF6ULMcMIxQ6McMnDjmhB ++ySa/hFi5PSwmyR4/CVGpc+WSeq4xhdC6GJ8C8EQltaqc78CgqfqhTnsqDmKPx6O +skfWb1D7sz7KkkF+ugs4f45DaH8FrfG8Wxg2 +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-no-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-no-eku.pem.certspec new file mode 100644 index 0000000000..390adf2344 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-no-eku.pem.certspec @@ -0,0 +1,4 @@ +issuer:int-bad-ku-no-eku +subject:ee-int-bad-ku-no-eku +extension:basicConstraints:, +extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-server-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-server-eku.pem new file mode 100644 index 0000000000..e3590497c6 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-server-eku.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC7zCCAdegAwIBAgIUKXEge8YWZLSBNg53NaIga1Z9ILQwDQYJKoZIhvcNAQEL +BQAwIDEeMBwGA1UEAwwVaW50LWJhZC1rdS1zZXJ2ZXItZWt1MCIYDzIwMjIxMTI3 +MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMCMxITAfBgNVBAMMGGVlLWludC1iYWQt +a3Utc2VydmVyLWVrdTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqI +UahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvi +r1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/x +fq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD +7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnv +uRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj ++nJRxDHVA6zaGAo17Y0CAwEAAaMaMBgwCQYDVR0TBAIwADALBgNVHQ8EBAMCA/gw +DQYJKoZIhvcNAQELBQADggEBAFdPo8XMk+fqv7ep8Wnnf7F1l3CKAzEhEH5YvLo0 +UVFehGcz3OqoMhZukciNzKLWDybHtrtZWCf5sOfz5kB/n+0NTr+JaXyfQraXC5x9 +npwmUqQX8Q4apyaMyXIbfUtzpMYeqL4aMkXVwRnRiU12EI3IV7jHTFy+miZ4Ng+3 +GhEg/vPI2BQZabiC0h0Jtc10R4FYViAad8p7j1EDFpARpxNf+wFeRGfbOLx/NPe4 +tW6XpIzGL0KZiAVWBEZQbNWs6L7hKImqbskcncUO0MOIX3a8Dq3TKdKA+aipA9I5 +XzCATYautVjr/hQx9XhtxbBMiGSHiIAS8nnbJ4fPMFjYIqU= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-server-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-server-eku.pem.certspec new file mode 100644 index 0000000000..32bb6c2485 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-server-eku.pem.certspec @@ -0,0 +1,4 @@ +issuer:int-bad-ku-server-eku +subject:ee-int-bad-ku-server-eku +extension:basicConstraints:, +extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-cA-FALSE-asserts-keyCertSign.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-cA-FALSE-asserts-keyCertSign.pem new file mode 100644 index 0000000000..75a36d8c96 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-cA-FALSE-asserts-keyCertSign.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDBTCCAe2gAwIBAgIUS3oym/SmKZr5ztuBmhtBs0GuSoAwDQYJKoZIhvcNAQEL +BQAwKzEpMCcGA1UEAwwgaW50LWNBLUZBTFNFLWFzc2VydHMta2V5Q2VydFNpZ24w +IhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAwMDAwMFowLjEsMCoGA1UEAwwj +ZWUtaW50LWNBLUZBTFNFLWFzc2VydHMta2V5Q2VydFNpZ24wggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVo +V2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p +0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk +fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZh +W7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EI +TjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjGjAYMAkG +A1UdEwQCMAAwCwYDVR0PBAQDAgP4MA0GCSqGSIb3DQEBCwUAA4IBAQAKvhPEZlVG +SGN4ztb6Q5ckHtTga9UbBxfJJ00btP0xYCWvUzF+YRIqNI5JtI/fNac1waF8JIlD +T4l5TmbMOh9m4A4jCt5wLs3i61ZSHKxSfCwSanJr5krRVaFRD+02ujJvEwsf18XV ++woKp6FO3BzRde2HopZe67pvSsFnba6TC7wYjGHN1q5WUh3O/U5NPC9MRSto5xOm +hWI8KMnXbNKGaUE11Bp5AExxBj89mHfJ+GieTRcBV/LB9lDSAGa9ci0qmWBvUiCi +RlT1RZYoxsjvxxHGRtKe2hUJXUjgLaQ5C/e84Z27Xxb9YfIQTZjR2ChVS2EgmEi3 +k9fVuKLvM8rq +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-cA-FALSE-asserts-keyCertSign.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-cA-FALSE-asserts-keyCertSign.pem.certspec new file mode 100644 index 0000000000..9e0fb65fd6 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-cA-FALSE-asserts-keyCertSign.pem.certspec @@ -0,0 +1,4 @@ +issuer:int-cA-FALSE-asserts-keyCertSign +subject:ee-int-cA-FALSE-asserts-keyCertSign +extension:basicConstraints:, +extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth-invalid.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth-invalid.pem new file mode 100644 index 0000000000..438d05ee44 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth-invalid.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC9zCCAd+gAwIBAgIUI2r/Fd7yvseRwKsjNLk+upqvezMwDQYJKoZIhvcNAQEL +BQAwJDEiMCAGA1UEAwwZaW50LWxpbWl0ZWQtZGVwdGgtaW52YWxpZDAiGA8yMDIy +MTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAnMSUwIwYDVQQDDBxlZS1pbnQt +bGltaXRlZC1kZXB0aC1pbnZhbGlkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGc +BptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzC +a2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8Xg +uEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK +9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGP +mRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoxowGDAJBgNVHRMEAjAAMAsGA1Ud +DwQEAwID+DANBgkqhkiG9w0BAQsFAAOCAQEAjtSGX+pjliroVL6zD5QUsjMpyv9k +SFyjvMU9aSAT2b2N3D4jZVPfJ6a7k9+uT9GhnYO7X8tAWqxOSmq//JFArcaaBdQN +xeeIOdOejDsd3eqYunflhaESN+0Jn9VXQOArZxNUZMv0U5i4lzkW/A7brw+p+EDv +QL34Ewm6q2RNblPZ/NvnxJ0lX2tg4XrBlDffzvtE8eiChP/X+B2fcKogMU7XYWYF +AhREsryMWWR0DzfInUcyQFQhVK2rNkwn0P+1W6RGKbNYVb/sNu8q8zhoM/bRZZ5h +DmzemVCDenewDozLAaGXXaT4mlvyGSsLySyxRtXGFY+kmEZ+4Hqo0D4Qdg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth-invalid.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth-invalid.pem.certspec new file mode 100644 index 0000000000..f00b4d1591 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth-invalid.pem.certspec @@ -0,0 +1,4 @@ +issuer:int-limited-depth-invalid +subject:ee-int-limited-depth-invalid +extension:basicConstraints:, +extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem new file mode 100644 index 0000000000..562bd8b0f0 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5zCCAc+gAwIBAgIUd8Ott82XwW7of4WG0oKEoPnLvO4wDQYJKoZIhvcNAQEL +BQAwHDEaMBgGA1UEAwwRaW50LWxpbWl0ZWQtZGVwdGgwIhgPMjAyMjExMjcwMDAw +MDBaGA8yMDI1MDIwNDAwMDAwMFowHzEdMBsGA1UEAwwUZWUtaW50LWxpbWl0ZWQt +ZGVwdGgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9 +braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI +eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6 +iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za +qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7 +LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs +2hgKNe2NAgMBAAGjGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgP4MA0GCSqGSIb3 +DQEBCwUAA4IBAQBdUf6p86i++GEDLq/ztNbdzID7r4JUq05bOCDChc1j+Dp8CL4z +buILruUX8aZfyMgvOfdwsuqA8CppEq7QAxP+fBalodfeOWTF48qpKX0ENu1yQJaX +Dp+RzZTQ/bjTUi/zcgUZDkZiqtzdLt3YDQVLZVlMOU6dzbtx6cLtJoWGR4DFTzPv +fEqNmMkPZLiTEQJxyvtORBnS6EWz4h2szQ5DIdqgQfNBKp83CEgws2P9Ydz2V6Wo +NX7ffo7KFexxcl7yFAZ97VUm7Oh8YUraF3mj7nUs9hPyj2yn87NFuN4WaY5q2Bl4 +xV4DbCubdqJssVoCtOUgauFKkWQvf7pR0Glt +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem.certspec new file mode 100644 index 0000000000..df85342d98 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem.certspec @@ -0,0 +1,4 @@ +issuer:int-limited-depth +subject:ee-int-limited-depth +extension:basicConstraints:, +extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-extensions.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-extensions.pem new file mode 100644 index 0000000000..d406566089 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-extensions.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5zCCAc+gAwIBAgIUSYi2rd1ebYfAk1hnQd0FepY61yowDQYJKoZIhvcNAQEL +BQAwHDEaMBgGA1UEAwwRaW50LW5vLWV4dGVuc2lvbnMwIhgPMjAyMjExMjcwMDAw +MDBaGA8yMDI1MDIwNDAwMDAwMFowHzEdMBsGA1UEAwwUZWUtaW50LW5vLWV4dGVu +c2lvbnMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9 +braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI +eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6 +iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za +qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7 +LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs +2hgKNe2NAgMBAAGjGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgP4MA0GCSqGSIb3 +DQEBCwUAA4IBAQCL7d6lgHbK95To/n7ZMS+5Gz56Po8xq5DnW8Q9zNw78Pt07ef+ +Q+ov9QlS0rBvK6AqMrAGfqzydxYA61i4x72os/47VmbIh/ZqTDrbGVLYkpBoLIpV +RxfTAQZj8oNl6MoSSVcTz3MFVQIz9FKjdpSFsXoEWxVMT1wOoLr5RUVgOkHQm9KS +fP5IlzDu+etdiwkEytfgbkr9cLWyosBUVKrd9dXJ1Po0TtnD4zkyUNxDs6Wpu9TS +ke0uBPaPK8KqU0ptcp3OzFQYgYSHYdbl6ZLXui+GUmaVBNvJLWmA0diAZgF7RTuW +WyOthWc5DNrLnDNhVT39d7CV9HFhRh8mjH6X +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-extensions.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-extensions.pem.certspec new file mode 100644 index 0000000000..c5279046d8 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-extensions.pem.certspec @@ -0,0 +1,4 @@ +issuer:int-no-extensions +subject:ee-int-no-extensions +extension:basicConstraints:, +extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-no-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-no-eku.pem new file mode 100644 index 0000000000..2f13242e88 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-no-eku.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5TCCAc2gAwIBAgIUN1958Pt52Py8qevNt6tVAKuQ+q4wDQYJKoZIhvcNAQEL +BQAwGzEZMBcGA1UEAwwQaW50LW5vLWt1LW5vLWVrdTAiGA8yMDIyMTEyNzAwMDAw +MFoYDzIwMjUwMjA0MDAwMDAwWjAeMRwwGgYDVQQDDBNlZS1pbnQtbm8ta3Utbm8t +ZWt1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62 +iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHql +WqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosq +Qe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ +ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8i +b2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoY +CjXtjQIDAQABoxowGDAJBgNVHRMEAjAAMAsGA1UdDwQEAwID+DANBgkqhkiG9w0B +AQsFAAOCAQEArYhtyDOeNGHS2s4D3YQ7WGVeATYhGwJuGRfeN1nzOMNXOrc5gz2m +a7dVUaode+xu1h963xt5bFmIZGP9xSuy3dAuzJ9mKAC/+V6QLjZbiVpmA8jRktBM +HTO5K1n6RrGegSjGipvENZRpTP1H6s1Y4fkl8lVtgUpa1XP/de9qkPepPUSwdzRZ +0MsnI35RGp7C+X94ULIIkCmcMKpf8PcmDELYlcEUDK07GWSRpp91HgLuGIQiyCCg +bvqGzfuL40e49FEL5X8JxY8ymihWXgwGzgloXr/Ym6odNiYOI99KK6w08Kw/T+cy +FzUmLvSjN/9k3Bdo65jBmNwwCZz1tUbwmw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-no-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-no-eku.pem.certspec new file mode 100644 index 0000000000..92ee3cc6d6 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-no-eku.pem.certspec @@ -0,0 +1,4 @@ +issuer:int-no-ku-no-eku +subject:ee-int-no-ku-no-eku +extension:basicConstraints:, +extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-server-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-server-eku.pem new file mode 100644 index 0000000000..55ca453482 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-server-eku.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC7TCCAdWgAwIBAgIUeayLDH+s22BfC1h08wFNYFlJlIkwDQYJKoZIhvcNAQEL +BQAwHzEdMBsGA1UEAwwUaW50LW5vLWt1LXNlcnZlci1la3UwIhgPMjAyMjExMjcw +MDAwMDBaGA8yMDI1MDIwNDAwMDAwMFowIjEgMB4GA1UEAwwXZWUtaW50LW5vLWt1 +LXNlcnZlci1la3UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo +RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a +dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t +aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n +FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX +Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py +UcQx1QOs2hgKNe2NAgMBAAGjGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgP4MA0G +CSqGSIb3DQEBCwUAA4IBAQAHkEmTqmTSU43pHVV+ZYAEKOljrwW7BvNILDtpQgD+ +94wBdkTJWpMHP5WEzeUP9Jh0W+L5KfWUaGld2bF53WFHSHTphucUqxMUlBThs0z+ +G15qGUAIOWutpYHe2tiQnZhu4U1+z2AmOBLB47a5gW4hu4y1j0K8fwsJCfSS9bu0 +xYtLoNwUsfkqnmCQc3z6UUo2dwXV3kpO4NbkhhJwBbYXAursi6gv3zviL7zaEfaP +B5q3OiW0F3qfZgkgEYQdG5qnBnLvFy7fgSgbbpRXq0X8LcW4rD53CXUbZ/OVKK0A +0k5PJPUhQbvJMO2IRyvlX8NJUpm39hH0VV08jyItDEYm +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-server-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-server-eku.pem.certspec new file mode 100644 index 0000000000..c148896710 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-server-eku.pem.certspec @@ -0,0 +1,4 @@ +issuer:int-no-ku-server-eku +subject:ee-int-no-ku-server-eku +extension:basicConstraints:, +extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-not-a-ca.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-not-a-ca.pem new file mode 100644 index 0000000000..c9ba84156f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-not-a-ca.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC3TCCAcWgAwIBAgIUD7rkIlbxASKFwZSsBkJcHI18bS8wDQYJKoZIhvcNAQEL +BQAwFzEVMBMGA1UEAwwMaW50LW5vdC1hLWNhMCIYDzIwMjIxMTI3MDAwMDAwWhgP +MjAyNTAyMDQwMDAwMDBaMBoxGDAWBgNVBAMMD2VlLWludC1ub3QtYS1jYTCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ +6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUk +nAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N +/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAG +JMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd +7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEA +AaMaMBgwCQYDVR0TBAIwADALBgNVHQ8EBAMCA/gwDQYJKoZIhvcNAQELBQADggEB +ADYDPzfhTNy98mCmhZQcO3Cw2b6ns40wkBk2QwOmbF3Y7ah/NRo4ukh5nKmFCWIL +0O5DXptlAc2CPAPV8zrI9e0Taic5Q9Qu46kQ4K+ygvlChob3LwsYBOkyNg5lEjfd +yrihEuZO/vEXqQypgySiUC/CpYzs2ZtQSWfvxBIgL14f1k+6UrLgl7V/n7Mhyecv +xfdkX0QLP61ZpaGU331dGCCcIshUFwCxWD7oAmcSpNHE5/ViWWCk4e2Y3Zo+4OlL +NC/OwYB1b7x7I0YygH1lm/8gEckrrSN7oSI/Ed7b3zVJG2hUQrys2wt+/4eM3dty +6gUFl7ZHrfBS86bd24pqD7I= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-not-a-ca.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-not-a-ca.pem.certspec new file mode 100644 index 0000000000..a95b0dc260 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-not-a-ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:int-not-a-ca +subject:ee-int-not-a-ca +extension:basicConstraints:, +extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-no-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-no-eku.pem new file mode 100644 index 0000000000..eb34fe3d7f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-no-eku.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC6zCCAdOgAwIBAgIUO+gSZWYxor47jvyLUUI9TrUzeXcwDQYJKoZIhvcNAQEL +BQAwHjEcMBoGA1UEAwwTaW50LXZhbGlkLWt1LW5vLWVrdTAiGA8yMDIyMTEyNzAw +MDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAhMR8wHQYDVQQDDBZlZS1pbnQtdmFsaWQt +a3Utbm8tZWt1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESO +FtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVr +amRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWka +sdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbY +VbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6n +aOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHE +MdUDrNoYCjXtjQIDAQABoxowGDAJBgNVHRMEAjAAMAsGA1UdDwQEAwID+DANBgkq +hkiG9w0BAQsFAAOCAQEAkiVcd2ofl/HQn8WlBbXWjVob7lT6/Ll/CvmgeZTRbe8Z +FMEbkBxQOrhMVWTR3FsZyv/Y2oYohaiK0jOGw3tKyhEbSjE8iyDKjRLpsXG+byrs +TfqLu1KvfhAyvp1e5cIIOjg3KeXKptCS0AdFAydzlvIXbY2RaznO3mFDrwnvKm9B +gbRr8seEyB4mk2RetHrV+9ZH5tEHbv1kwSTSCrDCxtpFID6sNDB+BU7YJajoRHNv +yYkzQ5uFWCOr5BP/t70nvVv6RZSV7V7b4YeM5FwMYjhGeM030o+llW1sPNSmvWvj +ABeSs4FuketElNamHWB6lrbJUPrxde9PylYZRIy4dg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-no-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-no-eku.pem.certspec new file mode 100644 index 0000000000..89a66b9f97 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-no-eku.pem.certspec @@ -0,0 +1,4 @@ +issuer:int-valid-ku-no-eku +subject:ee-int-valid-ku-no-eku +extension:basicConstraints:, +extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-server-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-server-eku.pem new file mode 100644 index 0000000000..c128787aba --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-server-eku.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC8zCCAdugAwIBAgIUDfZRUq6trpvwZ+DeCOEG4iCGxuAwDQYJKoZIhvcNAQEL +BQAwIjEgMB4GA1UEAwwXaW50LXZhbGlkLWt1LXNlcnZlci1la3UwIhgPMjAyMjEx +MjcwMDAwMDBaGA8yMDI1MDIwNDAwMDAwMFowJTEjMCEGA1UEAwwaZWUtaW50LXZh +bGlkLWt1LXNlcnZlci1la3UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB +AQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24a +hvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7t +FYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+o +N9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0d +JdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4 +s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQD +AgP4MA0GCSqGSIb3DQEBCwUAA4IBAQAyL0DG6Cx9aM+2js+AQLl9/3ZOZSGN8NZ3 +q2wZ/mAI9h2w6wizjTuQDPRxyKbDqdQBGmIKfw1CVMOiEXmQZEuQYVr1ZjXQSqM2 +9hbqxocm2PxFbSuWK+8sPoUc0P1ZyZQobcbbCqSckMSvf4rxPrIs9y7w09hFnuYS +YhJcGePbNGQRouQ5MxvQxQWxQQc7KGwvz5GPrkBUeXb7amIMer4kOiQAT2W2dp1f +EmJ0Xi4TULakERHApVDOcrcN5QQ1WWS5/M8cH9YOV4OijhE52MLWNALh3EkROk5O +AACCKlhj6Kpr3cmrI/GN2lIq+jV4MIebnpXIImNbqnKAK9RSMsbg +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-server-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-server-eku.pem.certspec new file mode 100644 index 0000000000..43e83a336e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-server-eku.pem.certspec @@ -0,0 +1,4 @@ +issuer:int-valid-ku-server-eku +subject:ee-int-valid-ku-server-eku +extension:basicConstraints:, +extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-no-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-no-eku.pem new file mode 100644 index 0000000000..f63044d4ab --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-no-eku.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC2DCCAcCgAwIBAgIUZzsgYjfvjZbq7WTdGcipyk+CMkIwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowHDEaMBgGA1UEAwwRaW50LWJhZC1rdS1uby1la3UwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVo +V2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p +0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk +fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZh +W7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EI +TjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwG +A1UdEwQFMAMBAf8wCwYDVR0PBAQDAgH6MA0GCSqGSIb3DQEBCwUAA4IBAQC4LCK7 +qH2FvULMTugwtrvm1swahaJ1+DMwtjF4wE1tKgoFQwq1592GTQ47oihhH9Qmz3EF +kuL1nl+KRjOyKUgehg/cwwJYT0JNNB47hDBQc2vs8AYwcakmMAwS6DxzLz47DqZN +HwdiWTVILd5ReHOv3mypbKVqr1OAG1cxdyNhy4/hGQxXyf2u08Rijj5wrbQoBuJf +LzfZLOE4xHEsPashTghbZqFYBtRXxyJgGMhWgzYTBwojLH/9p6vQXmTRt5nt4pDA +VS1uZaOS8jG4NxWTEC1ucEcmSNdQ4NvWT/3dFE6ov8bd66QyRPgUJ/eMiW0g003O +ezrMAtQkE8Dtyut2 +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-no-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-no-eku.pem.certspec new file mode 100644 index 0000000000..f6525449b4 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-no-eku.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:int-bad-ku-no-eku +extension:basicConstraints:cA, +extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,cRLSign diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-server-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-server-eku.pem new file mode 100644 index 0000000000..b8b232ab71 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-server-eku.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC+zCCAeOgAwIBAgIUac94mNlBIJeghgHlpGI0Ivc/Eb8wDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowIDEeMBwGA1UEAwwVaW50LWJhZC1rdS1zZXJ2ZXItZWt1MIIBIjANBgkq +hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVK +tOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7N +Q/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39Zgsr +sCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxs +l62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYl +nauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozww +OjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIB+jAdBgNVHSUEFjAUBggrBgEFBQcD +AQYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBAF0UtDva+INfW5qK9CZLHiOX +GWpCMTn9X7LSxXGmEA/svZV9XH7g9/iF0ueGgyVxc5qbMXbgMHxUZPuze0UuXt8F +/8HRq2uCiNvSf1WWbwy2r6B33vRt1LH9GhazCsQvZdVvYLaTc2/NweKP9/Uv4Djr +u0mKkFCWjnIOVgDHmD7oQAmrBb0K8+ZHuiVXg1OqEj+wrR2TLTBgkhKEo8WWBVQI +Z/ubsSizcz3kqpJyXtcJgypCjbB1C8HkW6OoyP9ODeYKnkM18ldHrzDEnjsldRL6 +zV+Txu+2+r6zpAoIwJhtz1vz876J4NSjyOGhMOEw3RrXy7lExK75SElnOK9BJUo= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-server-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-server-eku.pem.certspec new file mode 100644 index 0000000000..2d324508d4 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-server-eku.pem.certspec @@ -0,0 +1,5 @@ +issuer:ca +subject:int-bad-ku-server-eku +extension:basicConstraints:cA, +extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,cRLSign +extension:extKeyUsage:serverAuth,clientAuth diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-cA-FALSE-asserts-keyCertSign.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-cA-FALSE-asserts-keyCertSign.pem new file mode 100644 index 0000000000..59fd062895 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-cA-FALSE-asserts-keyCertSign.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5DCCAcygAwIBAgIUdx4AwUYkgGlMkxtDYxQxJ+Tuci0wDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowKzEpMCcGA1UEAwwgaW50LWNBLUZBTFNFLWFzc2VydHMta2V5Q2VydFNp +Z24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braI +BjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVa +p0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB +7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4C +kC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJv +aeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgK +Ne2NAgMBAAGjGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgH+MA0GCSqGSIb3DQEB +CwUAA4IBAQBT5fFH0XnRuCFEEWu/Qj6DAT6IKL++qNGLpAgMfABWgJcVGvU5qyOu +zjAmAtgdwr9Y18A0Vh8lpzN2UVRhKFjU1uS4XYJDs6Y+sc549SDHgA+yNe4PEUV7 +Cy9vuEir7d5C5/g7mbyHVOs3bnRgYrYlbELS7ZlUReQnTPD2y758OiGb9kY4FH5B +EhSYUrnVVZaxDYZEj4Y+/jNZMS1RqEa/TeQLaWXW+vVoSxKennyPkfM2s5yYnfZB +pnWJkxXpO/2mPAuj5XKA+4vQusdRKG8A027CAhFUZY5gjjmKcps39XaKbzvA0B7b +Ct3eTtNad27+ykUMLaEei8jn+tnZyCRv +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-cA-FALSE-asserts-keyCertSign.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-cA-FALSE-asserts-keyCertSign.pem.certspec new file mode 100644 index 0000000000..39785d8a48 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-cA-FALSE-asserts-keyCertSign.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:int-cA-FALSE-asserts-keyCertSign +extension:basicConstraints:, +extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth-invalid.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth-invalid.pem new file mode 100644 index 0000000000..484e6e613b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth-invalid.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC4jCCAcqgAwIBAgIUAfnkYMPQzubBjzBhfvuwk6J3sQQwDQYJKoZIhvcNAQEL +BQAwHDEaMBgGA1UEAwwRaW50LWxpbWl0ZWQtZGVwdGgwIhgPMjAyMjExMjcwMDAw +MDBaGA8yMDI1MDIwNDAwMDAwMFowJDEiMCAGA1UEAwwZaW50LWxpbWl0ZWQtZGVw +dGgtaW52YWxpZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahE +jhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1 +a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1p +GrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW +2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcO +p2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJR +xDHVA6zaGAo17Y0CAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsF +AAOCAQEAUVWy4usr6Qqy96oTaWW+KRkeImF/kUdZjAWw+uW4+osQvCO4iOfsIGDF +oBiqMVYRGaw5yWqx0ZwSzZEw9Ot9AvKGlLMFYqyRLZK9fHSaWuoxrpIwGO0qaVlF +LfWVYCqMjIyDCDZaof4HGrE3RhMIsGQx1mQniiZmwwutVFTgR0nthN1FbJE9ErCL +R5MgiFs1fqbExe5yuLpsZ8nD5re59WFWuxWy9eANVpjpJvUmjREeL8iXwyRU62NG +fMGoKLd7XW/W0aUfQEqDGb91ky2MRTNMORzs+QSAbm0T7OXuYpXgSIap3GPFin13 +SKLne9xKCrUKtT6lBCtUE/QoZT/eHw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth-invalid.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth-invalid.pem.certspec new file mode 100644 index 0000000000..9fdb2a248a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth-invalid.pem.certspec @@ -0,0 +1,3 @@ +issuer:int-limited-depth +subject:int-limited-depth-invalid +extension:basicConstraints:cA, diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth.pem new file mode 100644 index 0000000000..769a179177 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIICzjCCAbagAwIBAgIUUxUrhb4BgjkslVGZAFieWP89+CIwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowHDEaMBgGA1UEAwwRaW50LWxpbWl0ZWQtZGVwdGgwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVo +V2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p +0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk +fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZh +W7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EI +TjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEzARMA8G +A1UdEwQIMAYBAf8CAQAwDQYJKoZIhvcNAQELBQADggEBALHkDu7REPT84Nw4FpdZ +FfFvNSj5XhmmFFxegea2LOlBdAQi8E0ylVz5QIFuKfSDVfrBAGo/yesHmhCKEFD2 ++AuSB74HW8uItlam9YdVHtOlnbyhQRWdChadlV2eYhzkLHOC8oZe/0Q+Ycvzr8uq +TzzgMs9nWloEdpOmSCPCfzEF75O+/OPqM1kWJJoif7tZx5kQX/Zqgp9RjaM6rU8J +yyp6uw8j4IXD0DerYISvxkmDxIP7tlcKKjzIXVCb0q01Uk0Bl5th3Gc2nloNmmpr +TZz9rhOFMcVW1nB/0HnDa1ze9jWhzOGBY7/3fEzDrp9pR2fXoR0kiJwz25uhzb6P +KsY= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth.pem.certspec new file mode 100644 index 0000000000..64f54b0441 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:int-limited-depth +extension:basicConstraints:cA,0 diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-extensions.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-extensions.pem new file mode 100644 index 0000000000..23c4da1e3a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-extensions.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICuTCCAaGgAwIBAgIUI/ihH8S23PSWe3hDO67GzVPRFuQwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowHDEaMBgGA1UEAwwRaW50LW5vLWV4dGVuc2lvbnMwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVo +V2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p +0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk +fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZh +W7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EI +TjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZI +hvcNAQELBQADggEBACpm2LZdorCud2fv5ZXwqFvs+3Sy6oEaH8t8thUHX7qb1Eyo +vePnwXo6WG864cVrjK/eKY7yuzCRJiG1+spEGHfh+9H1nNixT+XmBCzGhRlo017S +TA1vTuJn6ouVcfpwBnzozxURORvk9sxkcxHVMOOM24ahlXx44htQ/AIw7B6c/NKz +VYIHkMM81E8D7it+sNfpmiSCnFW+yAZ7duzxtR8sJUjX4S7BGjQYPZyqin+7vvlJ +0WcYPlHPbuwajwKo13BE/8xxoQRuTK+PMRtfztWns5VQ/dBxnrq9hLDYfIOL5htc +JLfV0RL5yKVddSU4erqWmHYWJeKGhjkdZepKAhY= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-extensions.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-extensions.pem.certspec new file mode 100644 index 0000000000..c99626bd5a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-extensions.pem.certspec @@ -0,0 +1,2 @@ +issuer:ca +subject:int-no-extensions diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-no-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-no-eku.pem new file mode 100644 index 0000000000..dff2d75ddc --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-no-eku.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyjCCAbKgAwIBAgIUZw7kdUP+d6L0D25eyoo7P30mNpQwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowGzEZMBcGA1UEAwwQaW50LW5vLWt1LW5vLWVrdTCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX +bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ +OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9 +uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb +t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO +NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMQMA4wDAYD +VR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEATOAxwW9ijLQFXbEizjBHW8sj +phPLYpnwstZQ0rlG2X/XmrWE+jU0EBOXcG0kEM1PkRB/0rKCjklQlAqGupusJVLa +ov55RMInEn1CbJr71TTH6d/Z34kMje6+O4TKxtE5vDH4Wk/CUPUnBc/p3D/wBRe2 +WZwH8Lu+VmBMXB09MkKYT9cBuLeO/pgKj79VA7R4vkUD9Zil57D4bjXpTv3MeSss +mMo9AVoNCpa7ndYgNmCjVe6/pmFDBCciEcq6ILXjU9FRDjlGnDyLh0F9Gi2ujdq8 +1KvPLRZ6cJwYAyFAhUlMIg7uxjj29fC4ig1u5thAFSPW3R3tbUnViXtfLKTYiA== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-no-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-no-eku.pem.certspec new file mode 100644 index 0000000000..306a218db9 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-no-eku.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:int-no-ku-no-eku +extension:basicConstraints:cA, diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-server-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-server-eku.pem new file mode 100644 index 0000000000..51bdbecf41 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-server-eku.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC7TCCAdWgAwIBAgIUJ1WuvZBW3mlimrxPcn4A8mY8ivkwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowHzEdMBsGA1UEAwwUaW50LW5vLWt1LXNlcnZlci1la3UwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0 +7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D +/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw +JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX +rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd +q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjLzAt +MAwGA1UdEwQFMAMBAf8wHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0G +CSqGSIb3DQEBCwUAA4IBAQAgEbrZUafufe5mf2FabYotLgfa0Gpm7VLy7TQmWpB+ +hVQH6S5Aw5+wwf6HUf97Mm0FR4oOSNii0nDT7cvYuZS14F/GX2In5R0/SY0AQb+H +Ozpu6nis2PsSw5/MZw2ezWFVWCKtUM1KoWJytr/DV5iQU52o6gbXR9VTHJ4lE/Lo +JyQwPQlR3av0Igj0tt5v6AJYwJ7ScxByAi/5DAg1S/MQDDoyOukciSguJRgAR6Wo +V2QaQXv2aCysebRXSJqRZkx+Tkx9rKm3Dt4FeQre8O7+te6+pF2N+rc9rw2X/YDb +aM/+oF6n/SjY0I1BHgisTDh74MH1VOX05VAByTSNzJIz +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-server-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-server-eku.pem.certspec new file mode 100644 index 0000000000..1482b627c7 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-server-eku.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:int-no-ku-server-eku +extension:basicConstraints:cA, +extension:extKeyUsage:serverAuth,clientAuth diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-not-a-ca.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-not-a-ca.pem new file mode 100644 index 0000000000..21a9394764 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-not-a-ca.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICwzCCAaugAwIBAgIUcYa2sMryjJu9AWZolGBEQIkToB0wDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowFzEVMBMGA1UEAwwMaW50LW5vdC1hLWNhMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABow0wCzAJBgNVHRME +AjAAMA0GCSqGSIb3DQEBCwUAA4IBAQC3MTzOgdEqT2gVg+VZvwMb97wc/H6kyyTv +xF+cABJ/1oHJR0q9JYixWL4SGVV1zFZllDNIndVje3BkwZBrpEnbpBG6ldNh7SMn +Vcf4lB4o/+f1LtWCJg8rE6LHvBM39akotUi6QS263PGcQR96TfAarMKaBab8arg2 +9GG8IuO4n9ivkfRclte0QJ+T8+gMbxozneoiYh9ZUmPLnZehHW3ilk2nkW6hP2R8 +a5aboRmZfsofUaxfvXMSpYMqo68fNAi/v62JkJtPvTU7s/vtAzQSH9YG9P5pAH23 +Izr2ScQcYsyQUPfYRhBjLAG9wYMglK+n+pg+MIxckAuqqoRC36qJ +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-not-a-ca.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-not-a-ca.pem.certspec new file mode 100644 index 0000000000..3161680b1c --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-not-a-ca.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:int-not-a-ca +extension:basicConstraints:, diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-no-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-no-eku.pem new file mode 100644 index 0000000000..09cab5445c --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-no-eku.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC2jCCAcKgAwIBAgIUM4OicXZ4gCh8lZlzuvTCXIUBDKYwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowHjEcMBoGA1UEAwwTaW50LXZhbGlkLWt1LW5vLWVrdTCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs +9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8 +HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7Ak +kqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJet +lmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2r +kQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMdMBsw +DAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQELBQADggEBAAJn +yDIjm2dDTewadyHcNlES6qFQJtKTfEXpeuwSEjGy1RKhIk2LbDitlop//MOcoLXX +y5bgBZHidWDWrC/9QKGWxRK4O8gyFclfa0LkTyQHiIoEkLokzhW3jy9vha2NCy1a +sXFCHgrDQK3a8vCdmRL3PGRgf91kEkrObNZaGgHfbJMEE8/eLsbMBXwNYlqFIwWI +mtoZhcf9qDQUi10GpZm3ZsYHcWgEytPO+8aN4wnl3J2ExKhzcmnGAgUAH0N17fjO +yf2Oxdsv4T6DU5RFzSogHMq5HPHZ9QI4k397D+aFy9KESkKZQv+4kiCAKQom5BwC +YwXsXQtdkZSI64ED0Io= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-no-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-no-eku.pem.certspec new file mode 100644 index 0000000000..d7f9b0387a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-no-eku.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:int-valid-ku-no-eku +extension:basicConstraints:cA, +extension:keyUsage:keyCertSign diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-server-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-server-eku.pem new file mode 100644 index 0000000000..1de101fe2c --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-server-eku.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIC/TCCAeWgAwIBAgIURy2A3rBwMm3U4brlrpN4em3dGdcwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowIjEgMB4GA1UEAwwXaW50LXZhbGlkLWt1LXNlcnZlci1la3UwggEiMA0G +CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erk +NUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwC +fs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1m +CyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTM +HGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m +1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGj +PDA6MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgIEMB0GA1UdJQQWMBQGCCsGAQUF +BwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAOxMw/SkInO9x4Yttk/Y9 +Fe70V8UU4Hh1NSLwBpDcH36rJyijb37du3tsygHXkSQmmEjHK0q8KNgvZkA4Bn+O +6zcZxpM60UoUluWUdenprlpbCH7usco1lF4wc0ZhO/IzUz/P0NlHE1f7S92P/zAH ++gW1oQGXA6/zmy06o88JwyzhTcTwcUwc+dsZniF5kGH7fyfls4X+C9loG8Op3Afk +pgDQO2XePhjvWuw8rbFWQWhTnuduG7TRSKUB3q8wdRXdAFW8lmvuWRTCHQnUGbZ4 +jfywTG5vCqOLT+fp5U2HUHOXt3VTznkuXsRXCiRdSUR89rNUeydzCIzuVC4JV16/ +zA== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-server-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-server-eku.pem.certspec new file mode 100644 index 0000000000..84314bfa40 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-server-eku.pem.certspec @@ -0,0 +1,5 @@ +issuer:ca +subject:int-valid-ku-server-eku +extension:basicConstraints:cA, +extension:keyUsage:keyCertSign +extension:extKeyUsage:serverAuth,clientAuth diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads.js b/security/manager/ssl/tests/unit/test_intermediate_preloads.js new file mode 100644 index 0000000000..f1568e0a47 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_preloads.js @@ -0,0 +1,528 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +"use strict"; +do_get_profile(); // must be called before getting nsIX509CertDB + +const { RemoteSecuritySettings } = ChromeUtils.importESModule( + "resource://gre/modules/psm/RemoteSecuritySettings.sys.mjs" +); +const { TestUtils } = ChromeUtils.importESModule( + "resource://testing-common/TestUtils.sys.mjs" +); +const { IntermediatePreloadsClient } = RemoteSecuritySettings.init(); + +let server; + +const INTERMEDIATES_DL_PER_POLL_PREF = + "security.remote_settings.intermediates.downloads_per_poll"; +const INTERMEDIATES_ENABLED_PREF = + "security.remote_settings.intermediates.enabled"; + +function getHashCommon(aStr, useBase64) { + let hasher = Cc["@mozilla.org/security/hash;1"].createInstance( + Ci.nsICryptoHash + ); + hasher.init(Ci.nsICryptoHash.SHA256); + let stringStream = Cc["@mozilla.org/io/string-input-stream;1"].createInstance( + Ci.nsIStringInputStream + ); + stringStream.data = aStr; + hasher.updateFromStream(stringStream, -1); + + return hasher.finish(useBase64); +} + +// Get a hexified SHA-256 hash of the given string. +function getHash(aStr) { + return hexify(getHashCommon(aStr, false)); +} + +function getSubjectBytes(certDERString) { + let bytes = stringToArray(certDERString); + let cert = new X509.Certificate(); + cert.parse(bytes); + return arrayToString(cert.tbsCertificate.subject._der._bytes); +} + +function getSPKIBytes(certDERString) { + let bytes = stringToArray(certDERString); + let cert = new X509.Certificate(); + cert.parse(bytes); + return arrayToString(cert.tbsCertificate.subjectPublicKeyInfo._der._bytes); +} + +/** + * Simulate a Remote Settings synchronization by filling up the + * local data with fake records. + * + * @param {*} filenames List of pem files for which we will create + * records. + * @param {*} options Options for records to generate. + */ +async function syncAndDownload(filenames, options = {}) { + const { + hashFunc = getHash, + lengthFunc = arr => arr.length, + clear = true, + } = options; + + const localDB = await IntermediatePreloadsClient.client.db; + if (clear) { + await localDB.clear(); + } + + let count = 1; + for (const filename of filenames) { + const file = do_get_file(`test_intermediate_preloads/${filename}`); + const certBytes = readFile(file); + const certDERBytes = atob(pemToBase64(certBytes)); + + const record = { + details: { + who: "", + why: "", + name: "", + created: "", + }, + derHash: getHashCommon(certDERBytes, true), + subject: "", + subjectDN: btoa(getSubjectBytes(certDERBytes)), + attachment: { + hash: hashFunc(certBytes), + size: lengthFunc(certBytes), + filename: `intermediate certificate #${count}.pem`, + location: `security-state-workspace/intermediates/${filename}`, + mimetype: "application/x-pem-file", + }, + whitelist: false, + pubKeyHash: getHashCommon(getSPKIBytes(certDERBytes), true), + crlite_enrolled: true, + }; + + await localDB.create(record); + count++; + } + // This promise will wait for the end of downloading. + const updatedPromise = TestUtils.topicObserved( + "remote-security-settings:intermediates-updated" + ); + // Simulate polling for changes, trigger the download of attachments. + Services.obs.notifyObservers(null, "remote-settings:changes-poll-end"); + const results = await updatedPromise; + return results[1]; // topicObserved gives back a 2-array +} + +/** + * Return the list of records whose attachment was downloaded. + */ +async function locallyDownloaded() { + return IntermediatePreloadsClient.client.get({ + filters: { cert_import_complete: true }, + syncIfEmpty: false, + }); +} + +add_task(async function test_preload_empty() { + Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true); + + let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + + // load the first root and end entity, ignore the initial intermediate + addCertFromFile(certDB, "test_intermediate_preloads/ca.pem", "CTu,,"); + + let ee_cert = constructCertFromFile( + "test_intermediate_preloads/default-ee.pem" + ); + notEqual(ee_cert, null, "EE cert should have successfully loaded"); + + equal( + await syncAndDownload([]), + "success", + "Preloading update should have run" + ); + + equal( + (await locallyDownloaded()).length, + 0, + "There should have been no downloads" + ); + + // check that ee cert 1 is unknown + await checkCertErrorGeneric( + certDB, + ee_cert, + SEC_ERROR_UNKNOWN_ISSUER, + certificateUsageSSLServer + ); +}); + +add_task(async function test_preload_disabled() { + Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, false); + + equal( + await syncAndDownload(["int.pem"]), + "disabled", + "Preloading update should not have run" + ); + + equal( + (await locallyDownloaded()).length, + 0, + "There should have been no downloads" + ); +}); + +add_task(async function test_preload_invalid_hash() { + Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true); + const invalidHash = + "6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d"; + + const result = await syncAndDownload(["int.pem"], { + hashFunc: () => invalidHash, + }); + equal(result, "success", "Preloading update should have run"); + + equal( + (await locallyDownloaded()).length, + 0, + "There should be no local entry" + ); + + let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + + // load the first root and end entity, ignore the initial intermediate + addCertFromFile(certDB, "test_intermediate_preloads/ca.pem", "CTu,,"); + + let ee_cert = constructCertFromFile( + "test_intermediate_preloads/default-ee.pem" + ); + notEqual(ee_cert, null, "EE cert should have successfully loaded"); + + // We should still have a missing intermediate. + await checkCertErrorGeneric( + certDB, + ee_cert, + SEC_ERROR_UNKNOWN_ISSUER, + certificateUsageSSLServer + ); +}); + +add_task(async function test_preload_invalid_length() { + Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true); + + const result = await syncAndDownload(["int.pem"], { + lengthFunc: () => 42, + }); + equal(result, "success", "Preloading update should have run"); + + equal( + (await locallyDownloaded()).length, + 0, + "There should be no local entry" + ); + + let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + + // load the first root and end entity, ignore the initial intermediate + addCertFromFile(certDB, "test_intermediate_preloads/ca.pem", "CTu,,"); + + let ee_cert = constructCertFromFile( + "test_intermediate_preloads/default-ee.pem" + ); + notEqual(ee_cert, null, "EE cert should have successfully loaded"); + + // We should still have a missing intermediate. + await checkCertErrorGeneric( + certDB, + ee_cert, + SEC_ERROR_UNKNOWN_ISSUER, + certificateUsageSSLServer + ); +}); + +add_task(async function test_preload_basic() { + Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true); + Services.prefs.setIntPref(INTERMEDIATES_DL_PER_POLL_PREF, 100); + + let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + + // load the first root and end entity, ignore the initial intermediate + addCertFromFile(certDB, "test_intermediate_preloads/ca.pem", "CTu,,"); + + let ee_cert = constructCertFromFile( + "test_intermediate_preloads/default-ee.pem" + ); + notEqual(ee_cert, null, "EE cert should have successfully loaded"); + + // load the second end entity, ignore both intermediate and root + let ee_cert_2 = constructCertFromFile("test_intermediate_preloads/ee2.pem"); + notEqual(ee_cert_2, null, "EE cert 2 should have successfully loaded"); + + // check that the missing intermediate causes an unknown issuer error, as + // expected, in both cases + await checkCertErrorGeneric( + certDB, + ee_cert, + SEC_ERROR_UNKNOWN_ISSUER, + certificateUsageSSLServer + ); + await checkCertErrorGeneric( + certDB, + ee_cert_2, + SEC_ERROR_UNKNOWN_ISSUER, + certificateUsageSSLServer + ); + + let intermediateBytes = readFile( + do_get_file("test_intermediate_preloads/int.pem") + ); + let intermediateDERBytes = atob(pemToBase64(intermediateBytes)); + let intermediateCert = new X509.Certificate(); + intermediateCert.parse(stringToArray(intermediateDERBytes)); + + const result = await syncAndDownload(["int.pem", "int2.pem"]); + equal(result, "success", "Preloading update should have run"); + + equal( + (await locallyDownloaded()).length, + 2, + "There should have been 2 downloads" + ); + + // check that ee cert 1 verifies now the update has happened and there is + // an intermediate + + // First verify by connecting to a server that uses that end-entity + // certificate but doesn't send the intermediate. + await asyncStartTLSTestServer( + "BadCertAndPinningServer", + "test_intermediate_preloads" + ); + // This ensures the test server doesn't include the intermediate in the + // handshake. + let certDir = Services.dirsvc.get("CurWorkD", Ci.nsIFile); + certDir.append("test_intermediate_preloads"); + Assert.ok(certDir.exists(), "test_intermediate_preloads should exist"); + let args = ["-D", "-n", "int"]; + // If the certdb is cached from a previous run, the intermediate will have + // already been deleted, so this may "fail". + run_certutil_on_directory(certDir.path, args, false); + let certsCachedPromise = TestUtils.topicObserved( + "psm:intermediate-certs-cached" + ); + await asyncConnectTo("ee.example.com", PRErrorCodeSuccess); + let subjectAndData = await certsCachedPromise; + Assert.equal(subjectAndData.length, 2, "expecting [subject, data]"); + // Since the intermediate is preloaded, we don't save it to the profile's + // certdb. + Assert.equal(subjectAndData[1], "0", `expecting "0" certs imported`); + + await checkCertErrorGeneric( + certDB, + ee_cert, + PRErrorCodeSuccess, + certificateUsageSSLServer + ); + + let localDB = await IntermediatePreloadsClient.client.db; + let data = await localDB.list(); + ok(!!data.length, "should have some entries"); + // simulate a sync (syncAndDownload doesn't actually... sync.) + await IntermediatePreloadsClient.client.emit("sync", { + data: { + current: data, + created: data, + deleted: [], + updated: [], + }, + }); + + // check that ee cert 2 does not verify - since we don't know the issuer of + // this certificate + await checkCertErrorGeneric( + certDB, + ee_cert_2, + SEC_ERROR_UNKNOWN_ISSUER, + certificateUsageSSLServer + ); +}); + +add_task(async function test_preload_200() { + Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true); + Services.prefs.setIntPref(INTERMEDIATES_DL_PER_POLL_PREF, 100); + + const files = []; + for (let i = 0; i < 200; i++) { + files.push(["int.pem", "int2.pem"][i % 2]); + } + + let result = await syncAndDownload(files); + equal(result, "success", "Preloading update should have run"); + + equal( + (await locallyDownloaded()).length, + 100, + "There should have been only 100 downloaded" + ); + + // Re-run + result = await syncAndDownload([], { clear: false }); + equal(result, "success", "Preloading update should have run"); + + equal( + (await locallyDownloaded()).length, + 200, + "There should have been 200 downloaded" + ); +}); + +add_task(async function test_delete() { + Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true); + Services.prefs.setIntPref(INTERMEDIATES_DL_PER_POLL_PREF, 100); + + let syncResult = await syncAndDownload(["int.pem", "int2.pem"]); + equal(syncResult, "success", "Preloading update should have run"); + + equal( + (await locallyDownloaded()).length, + 2, + "There should have been 2 downloads" + ); + + let localDB = await IntermediatePreloadsClient.client.db; + let data = await localDB.list(); + ok(!!data.length, "should have some entries"); + let subject = data[0].subjectDN; + let certStorage = Cc["@mozilla.org/security/certstorage;1"].getService( + Ci.nsICertStorage + ); + let resultsBefore = certStorage.findCertsBySubject( + stringToArray(atob(subject)) + ); + equal( + resultsBefore.length, + 1, + "should find the intermediate in cert storage before" + ); + // simulate a sync where we deleted the entry + await IntermediatePreloadsClient.client.emit("sync", { + data: { + current: [], + created: [], + deleted: [data[0]], + updated: [], + }, + }); + let resultsAfter = certStorage.findCertsBySubject( + stringToArray(atob(subject)) + ); + equal( + resultsAfter.length, + 0, + "shouldn't find intermediate in cert storage now" + ); +}); + +function findCertByCommonName(certDB, commonName) { + for (let cert of certDB.getCerts()) { + if (cert.commonName == commonName) { + return cert; + } + } + return null; +} + +add_task(async function test_healer() { + Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true); + Services.prefs.setIntPref(INTERMEDIATES_DL_PER_POLL_PREF, 100); + + let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + // Add an intermediate as if it had previously been cached. + addCertFromFile(certDB, "test_intermediate_preloads/int.pem", ",,"); + // Add an intermediate with non-default trust settings as if it had been added by the user. + addCertFromFile(certDB, "test_intermediate_preloads/int2.pem", "CTu,,"); + + let syncResult = await syncAndDownload(["int.pem", "int2.pem"]); + equal(syncResult, "success", "Preloading update should have run"); + + equal( + (await locallyDownloaded()).length, + 2, + "There should have been 2 downloads" + ); + + let healerRanPromise = TestUtils.topicObserved( + "psm:intermediate-preloading-healer-ran" + ); + Services.prefs.setIntPref( + "security.intermediate_preloading_healer.timer_interval_ms", + 500 + ); + Services.prefs.setBoolPref( + "security.intermediate_preloading_healer.enabled", + true + ); + await healerRanPromise; + Services.prefs.setBoolPref( + "security.intermediate_preloading_healer.enabled", + false + ); + + let intermediate = findCertByCommonName( + certDB, + "intermediate-preloading-intermediate" + ); + equal(intermediate, null, "should not find intermediate in NSS"); + let intermediate2 = findCertByCommonName( + certDB, + "intermediate-preloading-intermediate2" + ); + notEqual(intermediate2, null, "should find second intermediate in NSS"); +}); + +function run_test() { + server = new HttpServer(); + server.start(-1); + registerCleanupFunction(() => server.stop(() => {})); + + server.registerDirectory( + "/cdn/security-state-workspace/intermediates/", + do_get_file("test_intermediate_preloads") + ); + + server.registerPathHandler("/v1/", (request, response) => { + response.write( + JSON.stringify({ + capabilities: { + attachments: { + base_url: `http://localhost:${server.identity.primaryPort}/cdn/`, + }, + }, + }) + ); + response.setHeader("Content-Type", "application/json; charset=UTF-8"); + response.setStatusLine(null, 200, "OK"); + }); + + Services.prefs.setCharPref( + "services.settings.server", + `http://localhost:${server.identity.primaryPort}/v1` + ); + + Services.prefs.setCharPref("browser.policies.loglevel", "debug"); + + run_next_test(); +} diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/ca.pem b/security/manager/ssl/tests/unit/test_intermediate_preloads/ca.pem new file mode 100644 index 0000000000..680b068f34 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/ca.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC+TCCAeGgAwIBAgIUN/Y56TvJcL2liqk2Feh/QfKrlLwwDQYJKoZIhvcNAQEL +BQAwJTEjMCEGA1UEAwwaaW50ZXJtZWRpYXRlLXByZWxvYWRpbmctY2EwIhgPMjAx +MDAxMDEwMDAwMDBaGA8yMDUwMDEwMTAwMDAwMFowJTEjMCEGA1UEAwwaaW50ZXJt +ZWRpYXRlLXByZWxvYWRpbmctY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG +m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr +bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4 +SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3 +/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z +FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYD +VR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQBSPwr2BfSHT3saxwx6YGEautZx +w/sdM9AJAubFLqDd3MYHtzCZcQXaeDGbAzvo8m/PKA4Yt+UYbKyDnRR8sLA4f/iu +z1zHeenlzBWpRVHu/++ZSk/ESwn0zLprIsOcXjaYkbfrqcEGNWvLJzpT4T36Gr9t +DvxHnpsaMsJviZS3WHzTSoioWkcRyF78bYa51ZJWYJHFKZQppqhJ+jcoJhiomRlc +WwhI8NAU3dOOFJuEg/z+vQpcEQi0rRW9J6X/15BUZRQlF5Hs2wilGa8ViNX2+B5I +kjbmNrdT5hcnGEfR7JpHFuihFdxQc4CFY87u1chI8yaHLhhriUP6Jq0+J5ur +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/ca.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_preloads/ca.pem.certspec new file mode 100644 index 0000000000..4ccabc25b3 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/ca.pem.certspec @@ -0,0 +1,5 @@ +issuer:intermediate-preloading-ca +subject:intermediate-preloading-ca +validity:20100101-20500101 +extension:basicConstraints:cA, +extension:keyUsage:keyCertSign,cRLSign diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.key b/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.key new file mode 100644 index 0000000000..09e044f5e0 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9 +braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI +eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6 +iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za +qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7 +LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs +2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs +VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s +JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI +r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz +iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg +SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R +TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N +gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp +xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r +ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR +3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY +EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs +2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb +WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo +tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl +rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2 +TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit +tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m +ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1 +NBinA5ZsT8d0v3QCr2xDJH9D +-----END PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.key.keyspec b/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.key.keyspec new file mode 100644 index 0000000000..4ad96d5159 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.key.keyspec @@ -0,0 +1 @@ +default diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.pem b/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.pem new file mode 100644 index 0000000000..858ef20f77 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDDDCCAfSgAwIBAgIUS7nGEU4h320gkvuvan60uF0VLhIwDQYJKoZIhvcNAQEL +BQAwLzEtMCsGA1UEAwwkaW50ZXJtZWRpYXRlLXByZWxvYWRpbmctaW50ZXJtZWRp +YXRlMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMBkxFzAVBgNV +BAMMDmVlLmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptu +Gobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO +7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgf +qDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/yt +HSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcx +uLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozIwMDATBgNVHSUEDDAKBggrBgEFBQcD +ATAZBgNVHREEEjAQgg5lZS5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEA +W7w+FCESgLODEah0v+1zc0BZL5m6rijCDSRmZa3HYU89s6B1SRgbmafY7FmFc/5G +2kYXY+RvXA32A51D4pnwjVtwvtmXj7McF58BnNFrCQFrSK6+9+oDECOeSbY3FYRP +llF+pSghVBOUtqE0YTc4/H8pjEXiuvznaG26/T5wD/hGfQYB6+inuQp6TbaWkEfL +f4PkDz7PH04+lCfbZfZ/XPgkQSIdSFs3aZ6T46srMx+xO6glVDJl0XBNCsNaQODK +8CGNYG+KjJHuIHfan/wq6k/2/C5ikfyhUeDErm9DInqsb4uczq+gXT4M9AzwVohq +8WiC4de5MYrql0Z7Dt3Ldw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.pem.certspec new file mode 100644 index 0000000000..e9decb76dc --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.pem.certspec @@ -0,0 +1,4 @@ +issuer:intermediate-preloading-intermediate +subject:ee.example.com +extension:extKeyUsage:serverAuth +extension:subjectAlternativeName:ee.example.com diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/ee2.pem b/security/manager/ssl/tests/unit/test_intermediate_preloads/ee2.pem new file mode 100644 index 0000000000..d5334d330e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/ee2.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5zCCAc+gAwIBAgIUV2SZbt8RBtW013yEH3ahP4XhwuEwDQYJKoZIhvcNAQEL +BQAwMDEuMCwGA1UEAwwlaW50ZXJtZWRpYXRlLXByZWxvYWRpbmctaW50ZXJtZWRp +YXRlMjAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAOMQwwCgYD +VQQDDANlZTIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W +1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtq +ZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx +0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthV +t2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo +4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx +1QOs2hgKNe2NAgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3 +DQEBCwUAA4IBAQCMd2NIGqb9yW6ErW4QtAlSvsgwozizt2HNdPLQT/sqiAyJ1Gao +GpOU+4zNYdUdqGVALYr3gHC7LM5f1OD/h0o8Us357yZc0k4LDf81S3pw5CrUeIrx +7QRUi8YLJxt9w8zjY8F9ZS0ABszPXnip/aOGwqyWifkXUiuFfBBeMVcKS9UXZ1C9 +I72dnWKUo/wqGlNl5dDLLKom5aJGCB19Kw9DAyCr5BUHoy5NQf6K2yPIDiDFynUy +XtEBYBt4X7Y+RCx4UZgGs1jBokPNf3/zhTKihiTwMEp5PZGkYyD6j5w4cVQvxMU+ +29M+FIBbjqEXyj1aPA/dtd2RRqAxI4Axs32s +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/ee2.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_preloads/ee2.pem.certspec new file mode 100644 index 0000000000..089ac63831 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/ee2.pem.certspec @@ -0,0 +1,3 @@ +issuer:intermediate-preloading-intermediate2 +subject:ee2 +extension:extKeyUsage:serverAuth diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/int.pem b/security/manager/ssl/tests/unit/test_intermediate_preloads/int.pem new file mode 100644 index 0000000000..5d439d02fb --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/int.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDAzCCAeugAwIBAgIUa05TmhDT2y7ii4gJ+iRbzLuzI/AwDQYJKoZIhvcNAQEL +BQAwJTEjMCEGA1UEAwwaaW50ZXJtZWRpYXRlLXByZWxvYWRpbmctY2EwIhgPMjAy +MjExMjcwMDAwMDBaGA8yMDI1MDIwNDAwMDAwMFowLzEtMCsGA1UEAwwkaW50ZXJt +ZWRpYXRlLXByZWxvYWRpbmctaW50ZXJtZWRpYXRlMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRME +BTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAkW9Sj+OlrVea +yko6WPtlyUx1zBJhJj7y9geAw+Na5qYjtjNdJven1hJqQ50im8zDjT8JLxKz65Ax +4X0FWvA1g7CdTOv5+Np1fYBCoa0rpujziI0zuYfd8+7noUKZI4FQrYFsoJ9ANNcE +6VENIchgadk1aUeNEKQSJyX12xQj99PpRVTEcEEOuR53CGbYocLVhRw0NTz+AQZ+ +RmUWEyG3H/lGb/udUXo+JdlBVyyjhJes7A7v4K3zSjRuwPJ0rYChWAIP4SkKHErw +hlKgxMGUB7Jm01JVptMNyB9fS6Y2fWpIpGhMQjCmvwFy28nElqD543PlX9BbsiW0 +0C4Z9732NQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/int.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_preloads/int.pem.certspec new file mode 100644 index 0000000000..5863b3131f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/int.pem.certspec @@ -0,0 +1,4 @@ +issuer:intermediate-preloading-ca +subject:intermediate-preloading-intermediate +extension:basicConstraints:cA, +extension:keyUsage:keyCertSign,cRLSign diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/int2.pem b/security/manager/ssl/tests/unit/test_intermediate_preloads/int2.pem new file mode 100644 index 0000000000..7278d9275c --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/int2.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDBTCCAe2gAwIBAgIUW1sp+XyGV3pcORGQACi1fhpzAh4wDQYJKoZIhvcNAQEL +BQAwJjEkMCIGA1UEAwwbaW50ZXJtZWRpYXRlLXByZWxvYWRpbmctY2EyMCIYDzIw +MjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMDAxLjAsBgNVBAMMJWludGVy +bWVkaWF0ZS1wcmVsb2FkaW5nLWludGVybWVkaWF0ZTIwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wk +e8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0Dgg +KZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmI +YXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7fi +lhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbL +HCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1Ud +EwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQCsjAE2/+ol +YAHrHkhtSTJ4E18B7DwYWRGQTuxDjPOFLD4jkA3hJDhWDXflx7r53tX+Vy1skX4t +vKVjl4dCGx8on9cB9d17xb69r/NtuASIbx7J0pfn2OSvysryWQIXpLKzyMuphmEu +znQUQGlieUiH2TIaBGiX5pi1/ExrveKS5a0TFA2NYj3aYxtrLDu3zDoKU09T6akk +g6zGrq3YGqpchg7BAfPgGum6T6ZzxGNTMPZ1MIL6GQsFg8vKVn6GWnXMKUQ3Kfen ++R7CqcSxUDjOsVkAuNCUC+D4zCjY22rT9Mkd9x+aB7mkf/IHVrEQlDTtSE7wJpw8 +Jsdvhg1wyErS +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/int2.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_preloads/int2.pem.certspec new file mode 100644 index 0000000000..27e9a008df --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/int2.pem.certspec @@ -0,0 +1,4 @@ +issuer:intermediate-preloading-ca2 +subject:intermediate-preloading-intermediate2 +extension:basicConstraints:cA, +extension:keyUsage:keyCertSign,cRLSign diff --git a/security/manager/ssl/tests/unit/test_keysize.js b/security/manager/ssl/tests/unit/test_keysize.js new file mode 100644 index 0000000000..0fa880f8f1 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize.js @@ -0,0 +1,204 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. +"use strict"; + +// Checks that RSA certs with key sizes below 1024 bits are rejected. +// Checks that ECC certs using curves other than the NIST P-256, P-384 or P-521 +// curves are rejected. + +do_get_profile(); // must be called before getting nsIX509CertDB +const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +/** + * Tests a cert chain. + * + * @param {string} rootKeyType + * The key type of the root certificate, or the name of an elliptic + * curve, as output by the 'openssl ecparam -list_curves' command. + * @param {number} rootKeySize + * @param {string} intKeyType + * @param {number} intKeySize + * @param {string} eeKeyType + * @param {number} eeKeySize + * @param {PRErrorCode} eeExpectedError + * @returns {Promise} a promise that will resolve when the verification has + * completed + */ +function checkChain( + rootKeyType, + rootKeySize, + intKeyType, + intKeySize, + eeKeyType, + eeKeySize, + eeExpectedError +) { + let rootName = "root_" + rootKeyType + "_" + rootKeySize; + let intName = "int_" + intKeyType + "_" + intKeySize; + let eeName = "ee_" + eeKeyType + "_" + eeKeySize; + + let intFullName = intName + "-" + rootName; + let eeFullName = eeName + "-" + intName + "-" + rootName; + + addCertFromFile(certdb, `test_keysize/${rootName}.pem`, "CTu,CTu,CTu"); + addCertFromFile(certdb, `test_keysize/${intFullName}.pem`, ",,"); + let eeCert = constructCertFromFile(`test_keysize/${eeFullName}.pem`); + + info("cert o=" + eeCert.organization); + info("cert issuer o=" + eeCert.issuerOrganization); + return checkCertErrorGeneric( + certdb, + eeCert, + eeExpectedError, + certificateUsageSSLServer + ); +} + +/** + * Tests various RSA chains. + * + * @param {number} inadequateKeySize + * @param {number} adequateKeySize + */ +async function checkRSAChains(inadequateKeySize, adequateKeySize) { + // Chain with certs that have adequate sizes for DV + await checkChain( + "rsa", + adequateKeySize, + "rsa", + adequateKeySize, + "rsa", + adequateKeySize, + PRErrorCodeSuccess + ); + + // Chain with a root cert that has an inadequate size for DV + await checkChain( + "rsa", + inadequateKeySize, + "rsa", + adequateKeySize, + "rsa", + adequateKeySize, + MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE + ); + + // Chain with an intermediate cert that has an inadequate size for DV + await checkChain( + "rsa", + adequateKeySize, + "rsa", + inadequateKeySize, + "rsa", + adequateKeySize, + MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE + ); + + // Chain with an end entity cert that has an inadequate size for DV + await checkChain( + "rsa", + adequateKeySize, + "rsa", + adequateKeySize, + "rsa", + inadequateKeySize, + MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE + ); +} + +async function checkECCChains() { + await checkChain( + "secp256r1", + 256, + "secp384r1", + 384, + "secp521r1", + 521, + PRErrorCodeSuccess + ); + await checkChain( + "secp256r1", + 256, + "secp224r1", + 224, + "secp256r1", + 256, + SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE + ); + await checkChain( + "secp256r1", + 256, + "secp256r1", + 256, + "secp224r1", + 224, + SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE + ); + await checkChain( + "secp224r1", + 224, + "secp256r1", + 256, + "secp256r1", + 256, + SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE + ); + await checkChain( + "secp256r1", + 256, + "secp256r1", + 256, + "secp256k1", + 256, + SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE + ); + await checkChain( + "secp256k1", + 256, + "secp256r1", + 256, + "secp256r1", + 256, + SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE + ); +} + +async function checkCombinationChains() { + await checkChain( + "rsa", + 2048, + "secp256r1", + 256, + "secp384r1", + 384, + PRErrorCodeSuccess + ); + await checkChain( + "rsa", + 2048, + "secp256r1", + 256, + "secp224r1", + 224, + SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE + ); + await checkChain( + "secp256r1", + 256, + "rsa", + 1016, + "secp256r1", + 256, + MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE + ); +} + +add_task(async function () { + await checkRSAChains(1016, 1024); + await checkECCChains(); + await checkCombinationChains(); +}); diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1016-int_rsa_1024-root_rsa_1024.pem b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1016-int_rsa_1024-root_rsa_1024.pem new file mode 100644 index 0000000000..12d255ff17 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1016-int_rsa_1024-root_rsa_1024.pem @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB4DCCAUmgAwIBAgIUb7AaRI4nwvKvcWGE1Hb0zHF1ackwDQYJKoZIhvcNAQEL +BQAwJTEjMCEGA1UEAwwaaW50X3JzYV8xMDI0LXJvb3RfcnNhXzEwMjQwIhgPMjAy +MjExMjcwMDAwMDBaGA8yMDI1MDIwNDAwMDAwMFowMTEvMC0GA1UEAwwmZWVfcnNh +XzEwMTYtaW50X3JzYV8xMDI0LXJvb3RfcnNhXzEwMjQwgZ4wDQYJKoZIhvcNAQEB +BQADgYwAMIGIAoGAANKbsS+4T93NKbOlGctmxDuNj4vlRbp5OEzmY+0D33WZFgDr +kgeQ0lMM7OVE25mnHwWJaj7SBxZVNKqZBX5HxH47yBrab6HhLjcmi1BGpVJo+drX +zLSF2BouGdUNTwtoVKyvbXvmnZoIMTbhWvqPU8HIyE/GB3J53Q5V1zaaW90CAwEA +ATANBgkqhkiG9w0BAQsFAAOBgQBxLWLGGcMT2D9iMe8V2PioY1o42AtJQZWoMlax +hZWaOvz0zTxAk6dUrI9YyyAGZX5SLMdlbSrmW4H4quIYF7LPIoxzGsu3sYwFhXYL +o0/u3STuyUPEsZCaejnEhkF4+CyL4nk+oE7Pyf+HM9XrERo0TqhnJmuVWk6dhV9t +kRXIsA== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1016-int_rsa_1024-root_rsa_1024.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1016-int_rsa_1024-root_rsa_1024.pem.certspec new file mode 100644 index 0000000000..7b86ef7861 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1016-int_rsa_1024-root_rsa_1024.pem.certspec @@ -0,0 +1,4 @@ +issuer:int_rsa_1024-root_rsa_1024 +subject:ee_rsa_1016-int_rsa_1024-root_rsa_1024 +issuerKey:rsa1024 +subjectKey:rsa1016 diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1016-root_rsa_1024.pem b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1016-root_rsa_1024.pem new file mode 100644 index 0000000000..15c897db57 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1016-root_rsa_1024.pem @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB4DCCAUqgAwIBAgIUGav8P8oAdtccsZCOyd9YmOM0dCkwDQYJKoZIhvcNAQEL +BQAwJTEjMCEGA1UEAwwaaW50X3JzYV8xMDE2LXJvb3RfcnNhXzEwMjQwIhgPMjAy +MjExMjcwMDAwMDBaGA8yMDI1MDIwNDAwMDAwMFowMTEvMC0GA1UEAwwmZWVfcnNh +XzEwMjQtaW50X3JzYV8xMDE2LXJvb3RfcnNhXzEwMjQwgZ8wDQYJKoZIhvcNAQEB +BQADgY0AMIGJAoGBANOpdEAQHrqMXflQPm+TXrUv/rPr6dDcXKzib5c8qUy8DZwx +1mwMATvOnILQ1IAyjfBftrzXmQpTEt2uYVKtbuYcjBvdhmPGi9NiJKmIKueOifVW +39vm9R2mESy/wnyKSTNrQa/bdTIbUrJKc0TRNI5kY1GlUcdXHM2guP419hp1AgMB +AAEwDQYJKoZIhvcNAQELBQADgYAAl+U8RPjdcAAQ1uw3x5flze5jLt1jhrxc6/NP +AsCbmMVo2jnP7/tnXUT27uTfKG6402Kg8QiJWn62ec+gu9jCrFFkmDzJ2hyJsf9H +o9R4jhe5fiNAysdxCdnjhrz2IKn+jsHrddL6cxCmmAXY2Opub5jbllZESnbSgdX0 +JiEz0g== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1016-root_rsa_1024.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1016-root_rsa_1024.pem.certspec new file mode 100644 index 0000000000..326d665dcc --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1016-root_rsa_1024.pem.certspec @@ -0,0 +1,4 @@ +issuer:int_rsa_1016-root_rsa_1024 +subject:ee_rsa_1024-int_rsa_1016-root_rsa_1024 +issuerKey:rsa1016 +subjectKey:rsa1024 diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1016.pem b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1016.pem new file mode 100644 index 0000000000..f1e989e7cb --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1016.pem @@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICRjCCAa+gAwIBAgIUT5GYrIC+vTXxB23P98K9jWSDirAwDQYJKoZIhvcNAQEL +BQAwJTEjMCEGA1UEAwwaaW50X3JzYV8xMDI0LXJvb3RfcnNhXzEwMTYwIhgPMjAy +MjExMjcwMDAwMDBaGA8yMDI1MDIwNDAwMDAwMFowEjEQMA4GA1UEAwwHcnNhMTAy +NDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogG +NhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqn +RYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHu +p3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQ +Lzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p +47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo1 +7Y0CAwEAATANBgkqhkiG9w0BAQsFAAOBgQBFD4AMKLsPDeVrFLT+MAzWkZ/BGj6g +FAynTY+/2i4UI4RJNr2hX1Raho6gAJZwkKWmckt/WzEwFw/RB7F+nj6SiKixhIl6 +Vx8rDV+vh8lv3KvpxALpJ8JH7hOegVOWXH+4NKTGILRz2jkcYi0MK98349oFyGPD +N2GV2tIjVT8KAA== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1016.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1016.pem.certspec new file mode 100644 index 0000000000..c44a089ed6 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1016.pem.certspec @@ -0,0 +1,4 @@ +issuer:int_rsa_1024-root_rsa_1016 +subject:ee_rsa_1024-int_rsa_1024-root_rsa_1016 +issuerKey:rsa1024 +subject:rsa1024 diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1024.pem b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1024.pem new file mode 100644 index 0000000000..e07910aeac --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1024.pem @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB4TCCAUqgAwIBAgIUa8G3HEVIDFQSRGkr1+IFA5BJY6IwDQYJKoZIhvcNAQEL +BQAwJTEjMCEGA1UEAwwaaW50X3JzYV8xMDI0LXJvb3RfcnNhXzEwMjQwIhgPMjAy +MjExMjcwMDAwMDBaGA8yMDI1MDIwNDAwMDAwMFowMTEvMC0GA1UEAwwmZWVfcnNh +XzEwMjQtaW50X3JzYV8xMDI0LXJvb3RfcnNhXzEwMjQwgZ8wDQYJKoZIhvcNAQEB +BQADgY0AMIGJAoGBANOpdEAQHrqMXflQPm+TXrUv/rPr6dDcXKzib5c8qUy8DZwx +1mwMATvOnILQ1IAyjfBftrzXmQpTEt2uYVKtbuYcjBvdhmPGi9NiJKmIKueOifVW +39vm9R2mESy/wnyKSTNrQa/bdTIbUrJKc0TRNI5kY1GlUcdXHM2guP419hp1AgMB +AAEwDQYJKoZIhvcNAQELBQADgYEAF5TNolNsoGzHiMqPDDA1OGAxJnJj08l7Bb4n +aZTFbHtowrLZQlStH9kBvBeZmfFAfLJ8LrWKUm4X3488pM8bR2SVP/rzGiJmJSC0 +pxqQMAOuYJr3jnM5VInlGaSW096Rnmj3qJI7RZ7ugdH7YJgYRh0SD5kgs+sRYd/F +Q8/fv8s= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1024.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1024.pem.certspec new file mode 100644 index 0000000000..a6ee408ec9 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1024.pem.certspec @@ -0,0 +1,4 @@ +issuer:int_rsa_1024-root_rsa_1024 +subject:ee_rsa_1024-int_rsa_1024-root_rsa_1024 +issuerKey:rsa1024 +subjectKey:rsa1024 diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_rsa_2048.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_rsa_2048.pem new file mode 100644 index 0000000000..cde2ba4987 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_rsa_2048.pem @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBXTCCAQOgAwIBAgIUecAQn0Zh9HDG6fLZ12UYeyAlmuowCgYIKoZIzj0EAwIw +KjEoMCYGA1UEAwwfaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9yc2FfMjA0ODAiGA8y +MDIyMTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjA7MTkwNwYDVQQDDDBlZV9z +ZWNwMjI0cjFfMjI0LWludF9zZWNwMjU2cjFfMjU2LXJvb3RfcnNhXzIwNDgwTTAQ +BgcqhkjOPQIBBgUrgQQAIQM5AARmjXLMpv1qGzVXtTZhBNhECOy2N/COjIa7/4LM +6I8AZtevY8Mpi6N3NIoSArA7N/1rH/QVqjEeMAoGCCqGSM49BAMCA0gAMEUCIFx1 +UZ8TEVDNXYreIKO8BjCR/7JzdV8xZOz9y0KACnDmAiEAlGKsIA91n7cHjCgGRYKH +VWe9rFVH30nHJ0X9p2glIvk= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_rsa_2048.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_rsa_2048.pem.certspec new file mode 100644 index 0000000000..87d2f67339 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_rsa_2048.pem.certspec @@ -0,0 +1,5 @@ +issuer:int_secp256r1_256-root_rsa_2048 +subject:ee_secp224r1_224-int_secp256r1_256-root_rsa_2048 +issuerKey:secp256r1 +subjectKey:secp224r1 +signature:ecdsaWithSHA256 diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_secp256r1_256.pem new file mode 100644 index 0000000000..e5ff3fd6be --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_secp256r1_256.pem @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBZzCCAQ2gAwIBAgIUC1x3yPYHK5KC0guyjDgVXxweBO4wCgYIKoZIzj0EAwIw +LzEtMCsGA1UEAwwkaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9zZWNwMjU2cjFfMjU2 +MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMEAxPjA8BgNVBAMM +NWVlX3NlY3AyMjRyMV8yMjQtaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9zZWNwMjU2 +cjFfMjU2ME0wEAYHKoZIzj0CAQYFK4EEACEDOQAEZo1yzKb9ahs1V7U2YQTYRAjs +tjfwjoyGu/+CzOiPAGbXr2PDKYujdzSKEgKwOzf9ax/0FaoxHjAKBggqhkjOPQQD +AgNIADBFAiBcdVGfExFQzV2K3iCjvAYwkf+yc3VfMWTs/ctCgApw5gIhAO+zpu/o +Lo9W8ZtGfbJEnrC5juMw0orQbCfuYpJgeTRZ +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_secp256r1_256.pem.certspec new file mode 100644 index 0000000000..1aadce0765 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_secp256r1_256.pem.certspec @@ -0,0 +1,5 @@ +issuer:int_secp256r1_256-root_secp256r1_256 +subject:ee_secp224r1_224-int_secp256r1_256-root_secp256r1_256 +issuerKey:secp256r1 +subjectKey:secp224r1 +signature:ecdsaWithSHA256 diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256k1_256-int_secp256r1_256-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp256k1_256-int_secp256r1_256-root_secp256r1_256.pem new file mode 100644 index 0000000000..51e4dd4c14 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256k1_256-int_secp256r1_256-root_secp256r1_256.pem @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBbzCCARagAwIBAgIUTZEvp/9N0X2RyKt/aZB8r8CkVVYwCgYIKoZIzj0EAwIw +LzEtMCsGA1UEAwwkaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9zZWNwMjU2cjFfMjU2 +MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMEAxPjA8BgNVBAMM +NWVlX3NlY3AyNTZrMV8yNTYtaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9zZWNwMjU2 +cjFfMjU2MFYwEAYHKoZIzj0CAQYFK4EEAAoDQgAENe58conY/veoav5dpm2Lwuu2 +qFQ/0v6tCJ9FznrND6ZDgqlQDEHa13D/1LURv0tJLrEjiADDLE92xzo/MpTnxTAK +BggqhkjOPQQDAgNHADBEAiBcdVGfExFQzV2K3iCjvAYwkf+yc3VfMWTs/ctCgApw +5gIgQXzLognJxafolyv/RKQfbulETuiutH+RVZW5AmE85o0= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256k1_256-int_secp256r1_256-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp256k1_256-int_secp256r1_256-root_secp256r1_256.pem.certspec new file mode 100644 index 0000000000..ba999e8f14 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256k1_256-int_secp256r1_256-root_secp256r1_256.pem.certspec @@ -0,0 +1,5 @@ +issuer:int_secp256r1_256-root_secp256r1_256 +subject:ee_secp256k1_256-int_secp256r1_256-root_secp256r1_256 +issuerKey:secp256r1 +subjectKey:secp256k1 +signature:ecdsaWithSHA256 diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_rsa_1016-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_rsa_1016-root_secp256r1_256.pem new file mode 100644 index 0000000000..119326c51f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_rsa_1016-root_secp256r1_256.pem @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBqDCCARKgAwIBAgIUKSb0NwcxUySLk/6rN6sO62gy76IwDQYJKoZIhvcNAQEL +BQAwKjEoMCYGA1UEAwwfaW50X3JzYV8xMDE2LXJvb3Rfc2VjcDI1NnIxXzI1NjAi +GA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjA7MTkwNwYDVQQDDDBl +ZV9zZWNwMjU2cjFfMjU2LWludF9yc2FfMTAxNi1yb290X3NlY3AyNTZyMV8yNTYw +WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARPv7u7YeD4+bGmClmshwTi7AULQj48 +9y6SPyxPeUtFXCpp0jNFbDbEEZ0HBuAO7cjRk5DXmRt7LQejBOqgSqbAMA0GCSqG +SIb3DQEBCwUAA4GAALR1f+neoI7zBc89fS8NUgNVADsRdCzqOJX6YPYxlx3iYhlW +d5qS69+PLxuIK+QvLcfbM7/P5rJZyYTWJFhrygkOEQQRY+Ti6E04IgkILJhJZcMj +Y/colmyHMi7H+yN7aox4iORf0VSiGFNHXqV2QrIt7yevaZvq0O3lxS1N/Dg= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_rsa_1016-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_rsa_1016-root_secp256r1_256.pem.certspec new file mode 100644 index 0000000000..1e2e0a3759 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_rsa_1016-root_secp256r1_256.pem.certspec @@ -0,0 +1,4 @@ +issuer:int_rsa_1016-root_secp256r1_256 +subject:ee_secp256r1_256-int_rsa_1016-root_secp256r1_256 +issuerKey:rsa1016 +subjectKey:secp256r1 diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp224r1_224-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp224r1_224-root_secp256r1_256.pem new file mode 100644 index 0000000000..06d3e3a18c --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp224r1_224-root_secp256r1_256.pem @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBazCCARmgAwIBAgIUV9AvyXLYfsXwsVxn6UVNXcs2/kUwCgYIKoZIzj0EAwIw +LzEtMCsGA1UEAwwkaW50X3NlY3AyMjRyMV8yMjQtcm9vdF9zZWNwMjU2cjFfMjU2 +MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMEAxPjA8BgNVBAMM +NWVlX3NlY3AyNTZyMV8yNTYtaW50X3NlY3AyMjRyMV8yMjQtcm9vdF9zZWNwMjU2 +cjFfMjU2MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAET7+7u2Hg+PmxpgpZrIcE +4uwFC0I+PPcukj8sT3lLRVwqadIzRWw2xBGdBwbgDu3I0ZOQ15kbey0HowTqoEqm +wDAKBggqhkjOPQQDAgNAADA9Ah0Amjxv8EbbcPJV9S/WmFIc1y28BSBjT5W2S7JS +VAIcXTUhqmLEqKYyktBCpWzQv5odIOXyo0WtIjLdEg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp224r1_224-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp224r1_224-root_secp256r1_256.pem.certspec new file mode 100644 index 0000000000..bd7bc770c7 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp224r1_224-root_secp256r1_256.pem.certspec @@ -0,0 +1,5 @@ +issuer:int_secp224r1_224-root_secp256r1_256 +subject:ee_secp256r1_256-int_secp224r1_224-root_secp256r1_256 +issuerKey:secp224r1 +subjectKey:secp256r1 +signature:ecdsaWithSHA256 diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp224r1_224.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp224r1_224.pem new file mode 100644 index 0000000000..45c4754a20 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp224r1_224.pem @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBczCCARmgAwIBAgIUR4G9BFM2dC1zS3e6CVFZCnGkIkkwCgYIKoZIzj0EAwIw +LzEtMCsGA1UEAwwkaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9zZWNwMjI0cjFfMjI0 +MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMEAxPjA8BgNVBAMM +NWVlX3NlY3AyNTZyMV8yNTYtaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9zZWNwMjI0 +cjFfMjI0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAET7+7u2Hg+PmxpgpZrIcE +4uwFC0I+PPcukj8sT3lLRVwqadIzRWw2xBGdBwbgDu3I0ZOQ15kbey0HowTqoEqm +wDAKBggqhkjOPQQDAgNIADBFAiBcdVGfExFQzV2K3iCjvAYwkf+yc3VfMWTs/ctC +gApw5gIhAL4YvmibHLL2Kh0bZdzbenP9SyZ+9P9yhrNgHZ1pB4li +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp224r1_224.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp224r1_224.pem.certspec new file mode 100644 index 0000000000..fe7b7f7482 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp224r1_224.pem.certspec @@ -0,0 +1,5 @@ +issuer:int_secp256r1_256-root_secp224r1_224 +subject:ee_secp256r1_256-int_secp256r1_256-root_secp224r1_224 +issuerKey:secp256r1 +subjectKey:secp256r1 +signature:ecdsaWithSHA256 diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp256k1_256.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp256k1_256.pem new file mode 100644 index 0000000000..4e4462b3a9 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp256k1_256.pem @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBczCCARmgAwIBAgIUWVsHbwtzMqc2wh3WFxeAAksMBcgwCgYIKoZIzj0EAwIw +LzEtMCsGA1UEAwwkaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9zZWNwMjU2azFfMjU2 +MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMEAxPjA8BgNVBAMM +NWVlX3NlY3AyNTZyMV8yNTYtaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9zZWNwMjU2 +azFfMjU2MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAET7+7u2Hg+PmxpgpZrIcE +4uwFC0I+PPcukj8sT3lLRVwqadIzRWw2xBGdBwbgDu3I0ZOQ15kbey0HowTqoEqm +wDAKBggqhkjOPQQDAgNIADBFAiBcdVGfExFQzV2K3iCjvAYwkf+yc3VfMWTs/ctC +gApw5gIhALJyeaQYSfcKQ/6OMAEZ6kVWjs6Kjlm3kF3JvL79h840 +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp256k1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp256k1_256.pem.certspec new file mode 100644 index 0000000000..aefffd9810 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp256k1_256.pem.certspec @@ -0,0 +1,5 @@ +issuer:int_secp256r1_256-root_secp256k1_256 +subject:ee_secp256r1_256-int_secp256r1_256-root_secp256k1_256 +issuerKey:secp256r1 +subjectKey:secp256r1 +signature:ecdsaWithSHA256 diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp384r1_384-int_secp256r1_256-root_rsa_2048.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp384r1_384-int_secp256r1_256-root_rsa_2048.pem new file mode 100644 index 0000000000..51a2e5200e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp384r1_384-int_secp256r1_256-root_rsa_2048.pem @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBhTCCASygAwIBAgIUVRrpYwC3LmogCScWtHJpcF4PD6EwCgYIKoZIzj0EAwIw +KjEoMCYGA1UEAwwfaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9yc2FfMjA0ODAiGA8y +MDIyMTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjA7MTkwNwYDVQQDDDBlZV9z +ZWNwMzg0cjFfMzg0LWludF9zZWNwMjU2cjFfMjU2LXJvb3RfcnNhXzIwNDgwdjAQ +BgcqhkjOPQIBBgUrgQQAIgNiAAShaHJDNitcexiJ83kVRhWhxz+0je6GPgIpFdtg +jiUt5LcTLajOmOgxU05qnAwLCcjWOa3oMgbluoE0c6EfozDgXajJbkOD/ieHPalx +A74oiM/wAvBa9xof3cyDdKpuqc4wCgYIKoZIzj0EAwIDRwAwRAIgXHVRnxMRUM1d +it4go7wGMJH/snN1XzFk7P3LQoAKcOYCIFqkHgNFabzHUhzO2wdgyUyazpvq9dC2 +tqcJ9bKnikkf +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp384r1_384-int_secp256r1_256-root_rsa_2048.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp384r1_384-int_secp256r1_256-root_rsa_2048.pem.certspec new file mode 100644 index 0000000000..615818d08b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp384r1_384-int_secp256r1_256-root_rsa_2048.pem.certspec @@ -0,0 +1,5 @@ +issuer:int_secp256r1_256-root_rsa_2048 +subject:ee_secp384r1_384-int_secp256r1_256-root_rsa_2048 +issuerKey:secp256r1 +subjectKey:secp384r1 +signature:ecdsaWithSHA256 diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp521r1_521-int_secp384r1_384-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp521r1_521-int_secp384r1_384-root_secp256r1_256.pem new file mode 100644 index 0000000000..a37e95545d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp521r1_521-int_secp384r1_384-root_secp256r1_256.pem @@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIB1jCCAVygAwIBAgIUD6n1JM3NC+8tg/511NIiy9tq0kwwCgYIKoZIzj0EAwIw +LzEtMCsGA1UEAwwkaW50X3NlY3AzODRyMV8zODQtcm9vdF9zZWNwMjU2cjFfMjU2 +MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMEAxPjA8BgNVBAMM +NWVlX3NlY3A1MjFyMV81MjEtaW50X3NlY3AzODRyMV8zODQtcm9vdF9zZWNwMjU2 +cjFfMjU2MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBTNycrMR5QQlrycxmdS7C +f1l3NPpmxit5L4jFGdbTfw0W6hxIOhgnoBC5Eo46CAcMoz719Xg1t8G6JR9sw1Id +xCsBBlNFGYG0RdND7tN4KjXWz/D/SE9aiD0gnxuQQrcmcDVosvMm4YuDO92KoHND +krzRlQHhDWmKefU+EeCiK90qrZAwCgYIKoZIzj0EAwIDaAAwZQIxAO0GJz6haDpU +tNgaQ3SESJY85j6+gRcD7Nc9cvCiVAZZ1OxFRuhW515lVbeTqfcA8wIwY5tHRg+l +UUvPCJ4I+AoBunF6mGREeIYONIFBy+2VVFoLU1lpYfknORnB1LSETo/7 +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp521r1_521-int_secp384r1_384-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp521r1_521-int_secp384r1_384-root_secp256r1_256.pem.certspec new file mode 100644 index 0000000000..b2ae9d0c8f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp521r1_521-int_secp384r1_384-root_secp256r1_256.pem.certspec @@ -0,0 +1,5 @@ +issuer:int_secp384r1_384-root_secp256r1_256 +subject:ee_secp521r1_521-int_secp384r1_384-root_secp256r1_256 +issuerKey:secp384r1 +subjectKey:secp521r1 +signature:ecdsaWithSHA256 diff --git a/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_rsa_1024.pem b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_rsa_1024.pem new file mode 100644 index 0000000000..3c0e55148c --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_rsa_1024.pem @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB5jCCAU+gAwIBAgIUDfmwgk6LVeIh06pWcUHlMuhH5zcwDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNcm9vdF9yc2FfMTAyNDAiGA8yMDIyMTEyNzAwMDAwMFoY +DzIwMjUwMjA0MDAwMDAwWjAlMSMwIQYDVQQDDBppbnRfcnNhXzEwMTYtcm9vdF9y +c2FfMTAyNDCBnjANBgkqhkiG9w0BAQEFAAOBjAAwgYgCgYAA0puxL7hP3c0ps6UZ +y2bEO42Pi+VFunk4TOZj7QPfdZkWAOuSB5DSUwzs5UTbmacfBYlqPtIHFlU0qpkF +fkfEfjvIGtpvoeEuNyaLUEalUmj52tfMtIXYGi4Z1Q1PC2hUrK9te+admggxNuFa ++o9TwcjIT8YHcnndDlXXNppb3QIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1Ud +DwQEAwIBBjANBgkqhkiG9w0BAQsFAAOBgQChnRJZnGp6II3xmcwuC2yjt6FAgi+U +OIzRTkdUZwOecCuWSm+CfvZCFdfKa2vebDRL3ylzxR/RapB0ibq/dnOso4Iqac6l +EO4dYSRTSfJc1WgP/lgaHKsS5bI3Ycnel2h+0XYMmRus/GwMUr0LfsxscuFPl3g5 +3elZV3uKQeoKdg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_rsa_1024.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_rsa_1024.pem.certspec new file mode 100644 index 0000000000..c6e77116b7 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_rsa_1024.pem.certspec @@ -0,0 +1,6 @@ +issuer:root_rsa_1024 +subject:int_rsa_1016-root_rsa_1024 +issuerKey:rsa1024 +subjectKey:rsa1016 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_secp256r1_256.pem new file mode 100644 index 0000000000..383a1db972 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_secp256r1_256.pem @@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIBrzCCAVagAwIBAgIUJfow4sYle7pOR9zLmBiO9+TxPSMwCgYIKoZIzj0EAwIw +HTEbMBkGA1UEAwwScm9vdF9zZWNwMjU2cjFfMjU2MCIYDzIwMjIxMTI3MDAwMDAw +WhgPMjAyNTAyMDQwMDAwMDBaMCoxKDAmBgNVBAMMH2ludF9yc2FfMTAxNi1yb290 +X3NlY3AyNTZyMV8yNTYwgZ4wDQYJKoZIhvcNAQEBBQADgYwAMIGIAoGAANKbsS+4 +T93NKbOlGctmxDuNj4vlRbp5OEzmY+0D33WZFgDrkgeQ0lMM7OVE25mnHwWJaj7S +BxZVNKqZBX5HxH47yBrab6HhLjcmi1BGpVJo+drXzLSF2BouGdUNTwtoVKyvbXvm +nZoIMTbhWvqPU8HIyE/GB3J53Q5V1zaaW90CAwEAAaMdMBswDAYDVR0TBAUwAwEB +/zALBgNVHQ8EBAMCAQYwCgYIKoZIzj0EAwIDRwAwRAIgXHVRnxMRUM1dit4go7wG +MJH/snN1XzFk7P3LQoAKcOYCIC2JPJZn7xgwGpuqXKHjpVlofUpyBUA0QjQYPGIv +v8jC +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_secp256r1_256.pem.certspec new file mode 100644 index 0000000000..27728ca374 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_secp256r1_256.pem.certspec @@ -0,0 +1,7 @@ +issuer:root_secp256r1_256 +subject:int_rsa_1016-root_secp256r1_256 +issuerKey:secp256r1 +subjectKey:rsa1016 +signature:ecdsaWithSHA256 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1016.pem b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1016.pem new file mode 100644 index 0000000000..5b38861793 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1016.pem @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB5jCCAVCgAwIBAgIURRvY0077O5480njGvjcUNJ4f0sEwDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNcm9vdF9yc2FfMTAxNjAiGA8yMDIyMTEyNzAwMDAwMFoY +DzIwMjUwMjA0MDAwMDAwWjAlMSMwIQYDVQQDDBppbnRfcnNhXzEwMjQtcm9vdF9y +c2FfMTAxNjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA06l0QBAeuoxd+VA+ +b5NetS/+s+vp0NxcrOJvlzypTLwNnDHWbAwBO86cgtDUgDKN8F+2vNeZClMS3a5h +Uq1u5hyMG92GY8aL02IkqYgq546J9Vbf2+b1HaYRLL/CfIpJM2tBr9t1MhtSskpz +RNE0jmRjUaVRx1cczaC4/jX2GnUCAwEAAaMdMBswDAYDVR0TBAUwAwEB/zALBgNV +HQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYAAzaHfWTaUGxWr6UAc9ivSGYMsWQsD +eAlpAKq4Br9Kl06UuviKk9+4tFVth3+t07qYON16SQO1u1MnyTxcjlNX1X+zk8SI +Jh2BAM6u0+/K3dqcu4LO93YJeUepgy9G68pJ7daDCWUL/J9Drmd2PYEnK8hfdBws +Bk1frODBUGtGIw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1016.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1016.pem.certspec new file mode 100644 index 0000000000..fafb393bf9 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1016.pem.certspec @@ -0,0 +1,6 @@ +issuer:root_rsa_1016 +subject:int_rsa_1024-root_rsa_1016 +issuerKey:rsa1016 +subjectKey:rsa1024 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1024.pem b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1024.pem new file mode 100644 index 0000000000..1794edb81e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1024.pem @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB5zCCAVCgAwIBAgIUY1MfHECEu1i4yYh6r9/BDwiJq10wDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNcm9vdF9yc2FfMTAyNDAiGA8yMDIyMTEyNzAwMDAwMFoY +DzIwMjUwMjA0MDAwMDAwWjAlMSMwIQYDVQQDDBppbnRfcnNhXzEwMjQtcm9vdF9y +c2FfMTAyNDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA06l0QBAeuoxd+VA+ +b5NetS/+s+vp0NxcrOJvlzypTLwNnDHWbAwBO86cgtDUgDKN8F+2vNeZClMS3a5h +Uq1u5hyMG92GY8aL02IkqYgq546J9Vbf2+b1HaYRLL/CfIpJM2tBr9t1MhtSskpz +RNE0jmRjUaVRx1cczaC4/jX2GnUCAwEAAaMdMBswDAYDVR0TBAUwAwEB/zALBgNV +HQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEAJXqg2yaOdLTFE9nxgPVOmsjLHAQ2 +468rivFXr8v8BANu3v0WQmtQoFE2bBHRzkVkF9bDXXc35AGFRHL2RK00jwY9hZbZ +NFFcc3MgajXlkcbRVcLBnMBJMDC+AFv6PLAiGJgSueqESpnoz1XFiivIwda8+A+i +29+oqoeQhpGHXuU= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1024.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1024.pem.certspec new file mode 100644 index 0000000000..66891f9793 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1024.pem.certspec @@ -0,0 +1,6 @@ +issuer:root_rsa_1024 +subject:int_rsa_1024-root_rsa_1024 +issuerKey:rsa1024 +subjectKey:rsa1024 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp224r1_224-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/int_secp224r1_224-root_secp256r1_256.pem new file mode 100644 index 0000000000..bacc182f66 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/int_secp224r1_224-root_secp256r1_256.pem @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBYjCCAQmgAwIBAgIUIUOlpYPBjVND/nAJhIR0upmpbD4wCgYIKoZIzj0EAwIw +HTEbMBkGA1UEAwwScm9vdF9zZWNwMjU2cjFfMjU2MCIYDzIwMjIxMTI3MDAwMDAw +WhgPMjAyNTAyMDQwMDAwMDBaMC8xLTArBgNVBAMMJGludF9zZWNwMjI0cjFfMjI0 +LXJvb3Rfc2VjcDI1NnIxXzI1NjBNMBAGByqGSM49AgEGBSuBBAAhAzkABGaNcsym +/WobNVe1NmEE2EQI7LY38I6Mhrv/gszojwBm169jwymLo3c0ihICsDs3/Wsf9BWq +MR6jHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoGCCqGSM49BAMCA0cA +MEQCIFx1UZ8TEVDNXYreIKO8BjCR/7JzdV8xZOz9y0KACnDmAiADjonYXqZaNN5n +iwRCVAsBPEyHsresykMFdcBSjUCvyA== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp224r1_224-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_secp224r1_224-root_secp256r1_256.pem.certspec new file mode 100644 index 0000000000..89d77d3b89 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/int_secp224r1_224-root_secp256r1_256.pem.certspec @@ -0,0 +1,7 @@ +issuer:root_secp256r1_256 +subject:int_secp224r1_224-root_secp256r1_256 +issuerKey:secp256r1 +subjectKey:secp224r1 +signature:ecdsaWithSHA256 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_rsa_2048.pem b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_rsa_2048.pem new file mode 100644 index 0000000000..c2c4f227df --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_rsa_2048.pem @@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICJjCCAQ6gAwIBAgIUT5bQrCx7qyB53fFg2lgsZRoujL0wDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNcm9vdF9yc2FfMjA0ODAiGA8yMDIyMTEyNzAwMDAwMFoY +DzIwMjUwMjA0MDAwMDAwWjAqMSgwJgYDVQQDDB9pbnRfc2VjcDI1NnIxXzI1Ni1y +b290X3JzYV8yMDQ4MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAET7+7u2Hg+Pmx +pgpZrIcE4uwFC0I+PPcukj8sT3lLRVwqadIzRWw2xBGdBwbgDu3I0ZOQ15kbey0H +owTqoEqmwKMdMBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcN +AQELBQADggEBAATlOxfTmPCizSmYD/VClnBkX2K5IdOrKPKyMzGRUvg0YHe4ECGp +A7KpFJCuqlQEw4WLXeNQcxYfJ0c1GQYf1jCKtCvH1YJ+weRyM9zQGl6UJ3fgLuXQ ++6/B2Wstmn/NhmbVIEZACpYP2G3ZSAbecWmWzj9JCo4ZdpxUO4LmA+ImW4F+1RHx +ei6GHWT4hEqgCqjkCie4/hzJtOQtevFKuBHivlRSqV9n1wU15FhvgSLJsYOqerl5 +yN37xJzuqGyZi3oLpOSB8SB9DppYRsvAMnL4JelA3ummSeoG7h+njw28Y/8QLXMw +TJjfsemcVk4rU/JvaFlmYid+EwYfCyvqv0g= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_rsa_2048.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_rsa_2048.pem.certspec new file mode 100644 index 0000000000..44a65ef5a7 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_rsa_2048.pem.certspec @@ -0,0 +1,5 @@ +issuer:root_rsa_2048 +subject:int_secp256r1_256-root_rsa_2048 +subjectKey:secp256r1 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp224r1_224.pem b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp224r1_224.pem new file mode 100644 index 0000000000..c90304e5c6 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp224r1_224.pem @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBZzCCARWgAwIBAgIUW1iXUMmgMJ/JO+E9WhN0Trc9G98wCgYIKoZIzj0EAwIw +HTEbMBkGA1UEAwwScm9vdF9zZWNwMjI0cjFfMjI0MCIYDzIwMjIxMTI3MDAwMDAw +WhgPMjAyNTAyMDQwMDAwMDBaMC8xLTArBgNVBAMMJGludF9zZWNwMjU2cjFfMjU2 +LXJvb3Rfc2VjcDIyNHIxXzIyNDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE+/ +u7th4Pj5saYKWayHBOLsBQtCPjz3LpI/LE95S0VcKmnSM0VsNsQRnQcG4A7tyNGT +kNeZG3stB6ME6qBKpsCjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoG +CCqGSM49BAMCA0AAMD0CHQCaPG/wRttw8lX1L9aYUhzXLbwFIGNPlbZLslJUAhwV +sSxscxkGoauWMHWSJ/d1DpnSqgRcu5UYZaVh +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp224r1_224.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp224r1_224.pem.certspec new file mode 100644 index 0000000000..66ebc1b93e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp224r1_224.pem.certspec @@ -0,0 +1,7 @@ +issuer:root_secp224r1_224 +subject:int_secp256r1_256-root_secp224r1_224 +issuerKey:secp224r1 +subjectKey:secp256r1 +signature:ecdsaWithSHA256 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256k1_256.pem b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256k1_256.pem new file mode 100644 index 0000000000..8070ada2dc --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256k1_256.pem @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBbzCCARWgAwIBAgIUTaVUxZktqQsmYwEXV0tqE4kxslUwCgYIKoZIzj0EAwIw +HTEbMBkGA1UEAwwScm9vdF9zZWNwMjU2azFfMjU2MCIYDzIwMjIxMTI3MDAwMDAw +WhgPMjAyNTAyMDQwMDAwMDBaMC8xLTArBgNVBAMMJGludF9zZWNwMjU2cjFfMjU2 +LXJvb3Rfc2VjcDI1NmsxXzI1NjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE+/ +u7th4Pj5saYKWayHBOLsBQtCPjz3LpI/LE95S0VcKmnSM0VsNsQRnQcG4A7tyNGT +kNeZG3stB6ME6qBKpsCjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoG +CCqGSM49BAMCA0gAMEUCIFuwodUwyOUnIR4KN5ZCSrU7y4iz4/1EWRdHm5kWKi8d +AiEAgp9WWDLDZ/Ht8uBK7Tfsh8Q63NGLnYU5ouJTZDEi3RM= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256k1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256k1_256.pem.certspec new file mode 100644 index 0000000000..c7e190ab0b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256k1_256.pem.certspec @@ -0,0 +1,7 @@ +issuer:root_secp256k1_256 +subject:int_secp256r1_256-root_secp256k1_256 +issuerKey:secp256k1 +subjectKey:secp256r1 +signature:ecdsaWithSHA256 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256r1_256.pem new file mode 100644 index 0000000000..760c5fade8 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256r1_256.pem @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBbjCCARWgAwIBAgIURS9EXwmJH2cUzWMxz8bTV/BKH2swCgYIKoZIzj0EAwIw +HTEbMBkGA1UEAwwScm9vdF9zZWNwMjU2cjFfMjU2MCIYDzIwMjIxMTI3MDAwMDAw +WhgPMjAyNTAyMDQwMDAwMDBaMC8xLTArBgNVBAMMJGludF9zZWNwMjU2cjFfMjU2 +LXJvb3Rfc2VjcDI1NnIxXzI1NjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE+/ +u7th4Pj5saYKWayHBOLsBQtCPjz3LpI/LE95S0VcKmnSM0VsNsQRnQcG4A7tyNGT +kNeZG3stB6ME6qBKpsCjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoG +CCqGSM49BAMCA0cAMEQCIFx1UZ8TEVDNXYreIKO8BjCR/7JzdV8xZOz9y0KACnDm +AiAdNj7dCllMk/iATOBGD6PmLfTxh3jhcgQ7iIQdCb5Lpw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256r1_256.pem.certspec new file mode 100644 index 0000000000..6854d21876 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256r1_256.pem.certspec @@ -0,0 +1,7 @@ +issuer:root_secp256r1_256 +subject:int_secp256r1_256-root_secp256r1_256 +issuerKey:secp256r1 +subjectKey:secp256r1 +signature:ecdsaWithSHA256 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp384r1_384-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/int_secp384r1_384-root_secp256r1_256.pem new file mode 100644 index 0000000000..110d810cee --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/int_secp384r1_384-root_secp256r1_256.pem @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBizCCATKgAwIBAgIUS2z22oddAjnqOtBddcZxdFer3YQwCgYIKoZIzj0EAwIw +HTEbMBkGA1UEAwwScm9vdF9zZWNwMjU2cjFfMjU2MCIYDzIwMjIxMTI3MDAwMDAw +WhgPMjAyNTAyMDQwMDAwMDBaMC8xLTArBgNVBAMMJGludF9zZWNwMzg0cjFfMzg0 +LXJvb3Rfc2VjcDI1NnIxXzI1NjB2MBAGByqGSM49AgEGBSuBBAAiA2IABKFockM2 +K1x7GInzeRVGFaHHP7SN7oY+AikV22COJS3ktxMtqM6Y6DFTTmqcDAsJyNY5regy +BuW6gTRzoR+jMOBdqMluQ4P+J4c9qXEDviiIz/AC8Fr3Gh/dzIN0qm6pzqMdMBsw +DAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwCgYIKoZIzj0EAwIDRwAwRAIgXHVR +nxMRUM1dit4go7wGMJH/snN1XzFk7P3LQoAKcOYCID4do7E1l0QXK3oJ3piry7Z5 +4hbDvS70BzD7ZKq03jbB +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp384r1_384-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_secp384r1_384-root_secp256r1_256.pem.certspec new file mode 100644 index 0000000000..de8e851981 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/int_secp384r1_384-root_secp256r1_256.pem.certspec @@ -0,0 +1,7 @@ +issuer:root_secp256r1_256 +subject:int_secp384r1_384-root_secp256r1_256 +issuerKey:secp256r1 +subjectKey:secp384r1 +signature:ecdsaWithSHA256 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_keysize/root_rsa_1016.pem b/security/manager/ssl/tests/unit/test_keysize/root_rsa_1016.pem new file mode 100644 index 0000000000..59c181dbd0 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/root_rsa_1016.pem @@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIB2DCCAUKgAwIBAgIUTzVfvKSTcmX3CJY4Lxg8kPJbUiswDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNcm9vdF9yc2FfMTAxNjAiGA8yMDIyMTEyNzAwMDAwMFoY +DzIwMjUwMjA0MDAwMDAwWjAYMRYwFAYDVQQDDA1yb290X3JzYV8xMDE2MIGeMA0G +CSqGSIb3DQEBAQUAA4GMADCBiAKBgADSm7EvuE/dzSmzpRnLZsQ7jY+L5UW6eThM +5mPtA991mRYA65IHkNJTDOzlRNuZpx8FiWo+0gcWVTSqmQV+R8R+O8ga2m+h4S43 +JotQRqVSaPna18y0hdgaLhnVDU8LaFSsr2175p2aCDE24Vr6j1PByMhPxgdyed0O +Vdc2mlvdAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqG +SIb3DQEBCwUAA4GAAF51n2FsUvuG3BxazbOYfdr70t71rV2p5W1D661K37y1L1VZ +SZMHBPNz6PUYI0UnvD6UrcmooBxpEzqOa9Vf592KMSU6TzAmZnX1wzcJu2GLQ3/P +ONUu4KP7+Q+LmQbiW1/1VXYFuLC6Py/GwAKq7ueUoGPcm5aWoiv41n6bCEw= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/root_rsa_1016.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/root_rsa_1016.pem.certspec new file mode 100644 index 0000000000..b0b5ba8e5e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/root_rsa_1016.pem.certspec @@ -0,0 +1,6 @@ +issuer:root_rsa_1016 +subject:root_rsa_1016 +issuerKey:rsa1016 +subjectKey:rsa1016 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_keysize/root_rsa_1024.pem b/security/manager/ssl/tests/unit/test_keysize/root_rsa_1024.pem new file mode 100644 index 0000000000..61e94c3697 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/root_rsa_1024.pem @@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIB2jCCAUOgAwIBAgIUZ6YZgwKszM2uk1okp7DxUOxMZUwwDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNcm9vdF9yc2FfMTAyNDAiGA8yMDIyMTEyNzAwMDAwMFoY +DzIwMjUwMjA0MDAwMDAwWjAYMRYwFAYDVQQDDA1yb290X3JzYV8xMDI0MIGfMA0G +CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDTqXRAEB66jF35UD5vk161L/6z6+nQ3Fys +4m+XPKlMvA2cMdZsDAE7zpyC0NSAMo3wX7a815kKUxLdrmFSrW7mHIwb3YZjxovT +YiSpiCrnjon1Vt/b5vUdphEsv8J8ikkza0Gv23UyG1KySnNE0TSOZGNRpVHHVxzN +oLj+NfYadQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkq +hkiG9w0BAQsFAAOBgQDRe6vGacPFx66k4T2SPvTZhEg/oYKEFwkDKdoiLlTzoawJ +SBc2C2VK4kyo9wa1tFp1O1JcDSIf9FBHLVeSB7Dp4pNV6A5mIBU7QqetWY6vpgz4 +osR4QKpYugduRBY3b8cCmzpF5/uV3K1QZLXm82fudCgG58ke781Ati0w7S13Uw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/root_rsa_1024.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/root_rsa_1024.pem.certspec new file mode 100644 index 0000000000..09cd420f70 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/root_rsa_1024.pem.certspec @@ -0,0 +1,6 @@ +issuer:root_rsa_1024 +subject:root_rsa_1024 +issuerKey:rsa1024 +subjectKey:rsa1024 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_keysize/root_rsa_2048.pem b/security/manager/ssl/tests/unit/test_keysize/root_rsa_2048.pem new file mode 100644 index 0000000000..0cc341b1b0 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/root_rsa_2048.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC3zCCAcegAwIBAgIUIWpIxRAOEhE64DCKtC5fpZ734/YwDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNcm9vdF9yc2FfMjA0ODAiGA8yMDIyMTEyNzAwMDAwMFoY +DzIwMjUwMjA0MDAwMDAwWjAYMRYwFAYDVQQDDA1yb290X3JzYV8yMDQ4MIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq +5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc +An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39 +ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk +zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u +JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB +ox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOC +AQEAs3abtOFdHZ/Jwe/1VkSuwZb4NfgxqATZ6Nbgpi/aALK77foJ/F4bNUIGKWVW +0dKfBu0kIB1FvBgrXE5bnHRRGDzDJ+M+zzjQbF8bcSL1TB9fuLf+Aq8BtNDeiBVe +GnVoxT2AAya/cg9NMqF/gSMpbS1hlMyLpke1KIIugSsjoTgzBnXJ8hq7HOIpj6Kf +HGu0iVKAwtnojKHvooN5+uvdtLbrrsvdVOCijQaE/oslkne4YR8q38nBEdHHp51R +36gvyOZrSM7m7HyhqdKoNCTrspfnBOGXVgy5Ok6faOobZmX4z6hIAWwWsTdkhBm2 +66PZwUy4Cu7h3LUEVuLPUBZ1Ww== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/root_rsa_2048.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/root_rsa_2048.pem.certspec new file mode 100644 index 0000000000..cebc2f8e6a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/root_rsa_2048.pem.certspec @@ -0,0 +1,4 @@ +issuer:root_rsa_2048 +subject:root_rsa_2048 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_keysize/root_secp224r1_224.pem b/security/manager/ssl/tests/unit/test_keysize/root_secp224r1_224.pem new file mode 100644 index 0000000000..f5acfdb23c --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/root_secp224r1_224.pem @@ -0,0 +1,9 @@ +-----BEGIN CERTIFICATE----- +MIIBSTCB96ADAgECAhQDuwrIpREBhWT/b35NNn/sP3wr0DAKBggqhkjOPQQDAjAd +MRswGQYDVQQDDBJyb290X3NlY3AyMjRyMV8yMjQwIhgPMjAyMjExMjcwMDAwMDBa +GA8yMDI1MDIwNDAwMDAwMFowHTEbMBkGA1UEAwwScm9vdF9zZWNwMjI0cjFfMjI0 +ME0wEAYHKoZIzj0CAQYFK4EEACEDOQAEZo1yzKb9ahs1V7U2YQTYRAjstjfwjoyG +u/+CzOiPAGbXr2PDKYujdzSKEgKwOzf9ax/0FaoxHqMdMBswDAYDVR0TBAUwAwEB +/zALBgNVHQ8EBAMCAQYwCgYIKoZIzj0EAwIDQQAwPgIdAJo8b/BG23DyVfUv1phS +HNctvAUgY0+VtkuyUlQCHQDE8b0Hyb/ZrhHsDl6KzWmYWipHsIZ277B/SCc8 +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/root_secp224r1_224.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/root_secp224r1_224.pem.certspec new file mode 100644 index 0000000000..31370f6f73 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/root_secp224r1_224.pem.certspec @@ -0,0 +1,7 @@ +issuer:root_secp224r1_224 +subject:root_secp224r1_224 +issuerKey:secp224r1 +subjectKey:secp224r1 +signature:ecdsaWithSHA256 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_keysize/root_secp256k1_256.pem b/security/manager/ssl/tests/unit/test_keysize/root_secp256k1_256.pem new file mode 100644 index 0000000000..b832184280 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/root_secp256k1_256.pem @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBWTCCAQCgAwIBAgIUBQ7osp071QhcXj7jOKYaTwutV7AwCgYIKoZIzj0EAwIw +HTEbMBkGA1UEAwwScm9vdF9zZWNwMjU2azFfMjU2MCIYDzIwMjIxMTI3MDAwMDAw +WhgPMjAyNTAyMDQwMDAwMDBaMB0xGzAZBgNVBAMMEnJvb3Rfc2VjcDI1NmsxXzI1 +NjBWMBAGByqGSM49AgEGBSuBBAAKA0IABDXufHKJ2P73qGr+XaZti8LrtqhUP9L+ +rQifRc56zQ+mQ4KpUAxB2tdw/9S1Eb9LSS6xI4gAwyxPdsc6PzKU58WjHTAbMAwG +A1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoGCCqGSM49BAMCA0cAMEQCIFuwodUw +yOUnIR4KN5ZCSrU7y4iz4/1EWRdHm5kWKi8dAiAcTVj8WVX3Ga2H8BxG5TBr+rJa +09SnnEO2fT9ACJ2T7A== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/root_secp256k1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/root_secp256k1_256.pem.certspec new file mode 100644 index 0000000000..c78aa61bba --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/root_secp256k1_256.pem.certspec @@ -0,0 +1,7 @@ +issuer:root_secp256k1_256 +subject:root_secp256k1_256 +issuerKey:secp256k1 +subjectKey:secp256k1 +signature:ecdsaWithSHA256 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_keysize/root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/root_secp256r1_256.pem new file mode 100644 index 0000000000..b91e1b90d3 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/root_secp256r1_256.pem @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBXDCCAQOgAwIBAgIUVWrLLxRocoe0xCDWzuvEcsBY8DAwCgYIKoZIzj0EAwIw +HTEbMBkGA1UEAwwScm9vdF9zZWNwMjU2cjFfMjU2MCIYDzIwMjIxMTI3MDAwMDAw +WhgPMjAyNTAyMDQwMDAwMDBaMB0xGzAZBgNVBAMMEnJvb3Rfc2VjcDI1NnIxXzI1 +NjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE+/u7th4Pj5saYKWayHBOLsBQtC +Pjz3LpI/LE95S0VcKmnSM0VsNsQRnQcG4A7tyNGTkNeZG3stB6ME6qBKpsCjHTAb +MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoGCCqGSM49BAMCA0cAMEQCIFx1 +UZ8TEVDNXYreIKO8BjCR/7JzdV8xZOz9y0KACnDmAiAfwQsVcY6j3YucVSkIANsF +k1/ckpod6ltqXGtH7If0eQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/root_secp256r1_256.pem.certspec new file mode 100644 index 0000000000..4447fc4b47 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/root_secp256r1_256.pem.certspec @@ -0,0 +1,7 @@ +issuer:root_secp256r1_256 +subject:root_secp256r1_256 +issuerKey:secp256r1 +subjectKey:secp256r1 +signature:ecdsaWithSHA256 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_keysize_ev.js b/security/manager/ssl/tests/unit/test_keysize_ev.js new file mode 100644 index 0000000000..8e0edd7851 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize_ev.js @@ -0,0 +1,169 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ +"use strict"; + +// Checks that RSA certs with key sizes below 2048 bits when verifying for EV +// are rejected. + +do_get_profile(); // Must be called before getting nsIX509CertDB +const certDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +const SERVER_PORT = 8888; + +function getOCSPResponder(expectedCertNames) { + let expectedPaths = expectedCertNames.slice(); + return startOCSPResponder( + SERVER_PORT, + "www.example.com", + "test_keysize_ev/", + expectedCertNames, + expectedPaths + ); +} + +function loadCert(certName, trustString) { + let certFilename = "test_keysize_ev/" + certName + ".pem"; + addCertFromFile(certDB, certFilename, trustString); + return constructCertFromFile(certFilename); +} + +/** + * Asynchronously runs a single EV key size test. + * + * @param {Array} expectedNamesForOCSP + * An array of nicknames of the certs to be responded to. + * @param {string} rootCertFileName + * The file name of the root cert. Can begin with ".." to reference + * certs in folders other than "test_keysize_ev/". + * @param {Array} intCertFileNames + * An array of file names of any intermediate certificates. + * @param {string} endEntityCertFileName + * The file name of the end entity cert. + * @param {boolean} expectedResult + * Whether the chain is expected to validate as EV. + */ +async function keySizeTestForEV( + expectedNamesForOCSP, + rootCertFileName, + intCertFileNames, + endEntityCertFileName, + expectedResult +) { + clearOCSPCache(); + let ocspResponder = getOCSPResponder(expectedNamesForOCSP); + + loadCert(rootCertFileName, "CTu,CTu,CTu"); + for (let intCertFileName of intCertFileNames) { + loadCert(intCertFileName, ",,"); + } + await checkEVStatus( + certDB, + constructCertFromFile(`test_keysize_ev/${endEntityCertFileName}.pem`), + certificateUsageSSLServer, + expectedResult + ); + + await stopOCSPResponder(ocspResponder); +} + +/** + * For debug builds which have the test EV roots compiled in, checks RSA chains + * which contain certs with key sizes adequate for EV are validated as such, + * while chains that contain any cert with an inadequate key size fail EV and + * validate as DV. + * For opt builds which don't have the test EV roots compiled in, checks that + * none of the chains validate as EV. + * + * Note: This function assumes that the key size requirements for EV are greater + * than the requirements for DV. + * + * @param {number} inadequateKeySize + * The inadequate key size of the generated certs. + * @param {number} adequateKeySize + * The adequate key size of the generated certs. + */ +async function checkRSAChains(inadequateKeySize, adequateKeySize) { + // Reuse the existing test RSA EV root + let rootOKCertFileName = "../test_ev_certs/evroot"; + let rootOKName = "evroot"; + let rootNotOKName = "ev_root_rsa_" + inadequateKeySize; + let intOKName = "ev_int_rsa_" + adequateKeySize; + let intNotOKName = "ev_int_rsa_" + inadequateKeySize; + let eeOKName = "ev_ee_rsa_" + adequateKeySize; + let eeNotOKName = "ev_ee_rsa_" + inadequateKeySize; + + // Chain with certs that have adequate sizes for EV and DV + // In opt builds, this chain is only validated for DV. Hence, an OCSP fetch + // will for example not be done for the "ev_int_rsa_2048-evroot" intermediate + // in such a build. + let intFullName = intOKName + "-" + rootOKName; + let eeFullName = eeOKName + "-" + intOKName + "-" + rootOKName; + let expectedNamesForOCSP = [eeFullName]; + await keySizeTestForEV( + expectedNamesForOCSP, + rootOKCertFileName, + [intFullName], + eeFullName, + gEVExpected + ); + + // Chain with a root cert that has an inadequate size for EV, but + // adequate size for DV + intFullName = intOKName + "-" + rootNotOKName; + eeFullName = eeOKName + "-" + intOKName + "-" + rootNotOKName; + expectedNamesForOCSP = [eeFullName]; + await keySizeTestForEV( + expectedNamesForOCSP, + rootNotOKName, + [intFullName], + eeFullName, + false + ); + + // Chain with an intermediate cert that has an inadequate size for EV, but + // adequate size for DV + intFullName = intNotOKName + "-" + rootOKName; + eeFullName = eeOKName + "-" + intNotOKName + "-" + rootOKName; + expectedNamesForOCSP = [eeFullName]; + await keySizeTestForEV( + expectedNamesForOCSP, + rootOKCertFileName, + [intFullName], + eeFullName, + false + ); + + // Chain with an end entity cert that has an inadequate size for EV, but + // adequate size for DV + intFullName = intOKName + "-" + rootOKName; + eeFullName = eeNotOKName + "-" + intOKName + "-" + rootOKName; + expectedNamesForOCSP = [eeFullName]; + await keySizeTestForEV( + expectedNamesForOCSP, + rootOKCertFileName, + [intFullName], + eeFullName, + false + ); +} + +add_task(async function () { + Services.prefs.setCharPref("network.dns.localDomains", "www.example.com"); + Services.prefs.setIntPref("security.OCSP.enabled", 1); + + let smallKeyEVRoot = constructCertFromFile( + "test_keysize_ev/ev_root_rsa_2040.pem" + ); + equal( + smallKeyEVRoot.sha256Fingerprint, + "40:AB:5D:A5:89:15:A9:4B:82:87:B8:A6:9A:84:B1:DB:" + + "7A:9D:DB:B8:4E:E1:23:E3:C6:64:E7:50:DC:35:8C:68", + "test sanity check: the small-key EV root must have the same " + + "fingerprint as the corresponding entry in ExtendedValidation.cpp" + ); + + await checkRSAChains(2040, 2048); +}); diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2040-ev_int_rsa_2048-evroot.pem b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2040-ev_int_rsa_2048-evroot.pem new file mode 100644 index 0000000000..dcc59c2280 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2040-ev_int_rsa_2048-evroot.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDZzCCAk+gAwIBAgIUTSkBrJBpb/fEUqw5bdNPB+G9woAwDQYJKoZIhvcNAQEL +BQAwITEfMB0GA1UEAwwWZXZfaW50X3JzYV8yMDQ4LWV2cm9vdDAiGA8yMDIyMTEy +NzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAwMS4wLAYDVQQDDCVldl9lZV9yc2Ff +MjA0MC1ldl9pbnRfcnNhXzIwNDgtZXZyb290MIIBITANBgkqhkiG9w0BAQEFAAOC +AQ4AMIIBCQKCAQAAusBlL9+8AFWIL/uurO7Ij6LQg8KX3V1AZk3T2Q9S+aoCvYpQ ++6FuD9mRh470dfmzUNn44+sqvXF84yewl4hTHxPfjj5OO51ha7ikHlMG7tJHIWMW +EFEYASdqTrZvBzMbXLyLyucBao+bPU8qxFU8Ykz1JjvLNI6IQN5mEocJYKeSGRsT +j7IX92XOx7/46U8Ws5QZv3UExZp+T3m9bRc+nHvz2dKk5zzBgLBZCnPVhPt/ybVP +pURgflP8aFx6Vf1EqB1BQravUepvps6lKWWi6MXYTzygJNb7ubAFuWUc5dny7PQO +1ASYGp/8AmNuMRsJXGMyoMh9w5JxtVUUgXdLAgMBAAGjgYQwgYEwXgYIKwYBBQUH +AQEEUjBQME4GCCsGAQUFBzABhkJodHRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgv +ZXZfZWVfcnNhXzIwNDAtZXZfaW50X3JzYV8yMDQ4LWV2cm9vdC8wHwYDVR0gBBgw +FjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwDQYJKoZIhvcNAQELBQADggEBAI3iCTNz +L6AN2BaWEDQLo9L8mDJafEUvBCCYCx/RhVYYOGHS7ylFuBFXWH2BC42kMatlXGoQ +bTNZdSC8izP2qrVCVkzN08qn7x6qZdFKXQYhSWN8LbUFjfuyh+jSlhFvvHHdUjJN +CKPzkiCKJ8jI4jI9UhjnvQrBkVqk+IjJyGim7bhOR5iXnJyTuU88wuoFxq8PJOm+ +/OVyeB5vOkPWCbm7x7JCKEEI1u+T8nzOT3kIXiCDf2k6plZc2YsDZh8UFjfPjPGK ++RmjWogr9kD9XosXqN4vmTP08Jl53JC46Dp4zI5DXVgXVCSErMNA7B+fOGIawFdN +BsjNCLU5fHoX1Fc= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2040-ev_int_rsa_2048-evroot.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2040-ev_int_rsa_2048-evroot.pem.certspec new file mode 100644 index 0000000000..e64c651bc7 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2040-ev_int_rsa_2048-evroot.pem.certspec @@ -0,0 +1,5 @@ +issuer:ev_int_rsa_2048-evroot +subject:ev_ee_rsa_2040-ev_int_rsa_2048-evroot +subjectKey:rsa2040 +extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_rsa_2040-ev_int_rsa_2048-evroot/ +extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1 diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2040-evroot.pem b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2040-evroot.pem new file mode 100644 index 0000000000..df01d85b19 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2040-evroot.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDZzCCAlCgAwIBAgIUB0wU6BcJZhQGej2MhMEedgtSjykwDQYJKoZIhvcNAQEL +BQAwITEfMB0GA1UEAwwWZXZfaW50X3JzYV8yMDQwLWV2cm9vdDAiGA8yMDIyMTEy +NzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAwMS4wLAYDVQQDDCVldl9lZV9yc2Ff +MjA0OC1ldl9pbnRfcnNhXzIwNDAtZXZyb290MIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo +4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDD +SeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFX +kD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUx +owyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/ +Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GEMIGBMF4GCCsGAQUF +BwEBBFIwUDBOBggrBgEFBQcwAYZCaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4 +L2V2X2VlX3JzYV8yMDQ4LWV2X2ludF9yc2FfMjA0MC1ldnJvb3QvMB8GA1UdIAQY +MBYwFAYSKwYBBAHrSYUahRqFGgGDdAkBMA0GCSqGSIb3DQEBCwUAA4IBAAAjfRe3 +ak4M2phW7vpJyqdVUEMR0Gi/IloeFKQhbWgh7Y0aOuDjdt1N8w1ekz5QSo9Bdh6s +JdGyEQZ7y5kx15fMxOXoLDAQp9H8BzzHYG86PToFOkZoDTdtPdM/P5Z7RpxJtmsR +ES9geRRyClQUX4wrmmrY9TG394r19Ef9X7xit/XCsZcbNDZnPytua/NPvxIG1x/n +e5YWqc3iCQt/mkkxSfpT7F94vQxwGGalZkYWWFPkPFoGCtl4g/QBIswNL5OPpwIF +gezsYSGa66hTWx0M9HHiKBMjGpr6gAlC8dqcNw0zdDpe+HZVt2Uq8k4yMs1nI2Al +PrSwsIRRvJIBkNg= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2040-evroot.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2040-evroot.pem.certspec new file mode 100644 index 0000000000..0b7bfd4269 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2040-evroot.pem.certspec @@ -0,0 +1,5 @@ +issuer:ev_int_rsa_2040-evroot +subject:ev_ee_rsa_2048-ev_int_rsa_2040-evroot +issuerKey:rsa2040 +extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_rsa_2048-ev_int_rsa_2040-evroot/ +extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1 diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040.pem b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040.pem new file mode 100644 index 0000000000..e0219db774 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDhjCCAm6gAwIBAgIUMXunKFi5PVKB3hVeGO/F2Op2jSIwDQYJKoZIhvcNAQEL +BQAwKzEpMCcGA1UEAwwgZXZfaW50X3JzYV8yMDQ4LWV2X3Jvb3RfcnNhXzIwNDAw +IhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAwMDAwMFowOjE4MDYGA1UEAwwv +ZXZfZWVfcnNhXzIwNDgtZXZfaW50X3JzYV8yMDQ4LWV2X3Jvb3RfcnNhXzIwNDAw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQ +PTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH +9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw +4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86 +exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0 +ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2N +AgMBAAGjgY4wgYswaAYIKwYBBQUHAQEEXDBaMFgGCCsGAQUFBzABhkxodHRwOi8v +d3d3LmV4YW1wbGUuY29tOjg4ODgvZXZfZWVfcnNhXzIwNDgtZXZfaW50X3JzYV8y +MDQ4LWV2X3Jvb3RfcnNhXzIwNDAvMB8GA1UdIAQYMBYwFAYSKwYBBAHrSYUahRqF +GgGDdAkBMA0GCSqGSIb3DQEBCwUAA4IBAQAf7z//TELvrw9Nf3Jf5fdzDUXkyA1C +8eYMWWcG4y3y3jHu5nySIfVFaUhoIrIp90AD6nIUC4uQRwk/6aZ3SaUNcEyJpTJN +iN+BSmYheNsylv2jGACAQ051WACgEGM41HhyVB0so4g3E9fn9Tx6mKqjjPfMFSWJ +Qb4SnpaU4rl6SvRxBSZCyjnKe6YqucEZC7yK96idz7Ojoc32R0LNDGmHz9yNkeOa +UYgBjuRskp8BzCTwVFp0b8CjKuk+Pi+SCdHzfZSfB/nq9jbXXTr12gKFc1TddHm0 +OqepOw+FHw6KP2sC/Gi48dhaQ0JhJMXh4L+mzN4y/yKQk4el7Vt3EMW7 +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040.pem.certspec new file mode 100644 index 0000000000..a36acf887d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040.pem.certspec @@ -0,0 +1,4 @@ +issuer:ev_int_rsa_2048-ev_root_rsa_2040 +subject:ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040 +extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040/ +extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1 diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-evroot.pem b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-evroot.pem new file mode 100644 index 0000000000..a73322ea2b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-evroot.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDaDCCAlCgAwIBAgIUa6BUN5nAAXXD0ZHZ3A9BLD3gA9IwDQYJKoZIhvcNAQEL +BQAwITEfMB0GA1UEAwwWZXZfaW50X3JzYV8yMDQ4LWV2cm9vdDAiGA8yMDIyMTEy +NzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAwMS4wLAYDVQQDDCVldl9lZV9yc2Ff +MjA0OC1ldl9pbnRfcnNhXzIwNDgtZXZyb290MIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo +4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDD +SeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFX +kD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUx +owyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/ +Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GEMIGBMF4GCCsGAQUF +BwEBBFIwUDBOBggrBgEFBQcwAYZCaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4 +L2V2X2VlX3JzYV8yMDQ4LWV2X2ludF9yc2FfMjA0OC1ldnJvb3QvMB8GA1UdIAQY +MBYwFAYSKwYBBAHrSYUahRqFGgGDdAkBMA0GCSqGSIb3DQEBCwUAA4IBAQAHplEg +IBXFi86lVPIhmqQj7qcsG+CB0TE1hvG14Q4vmowoSrkykuCD2x6BAhmpOhCCzrQ/ +Cqy1Km9BBYvAAG/kyXnQF493+FarP+UN39kzzkZoV4nk55klSgIKXOxIetSaivq0 +kfDsHwXtZN/RguDqL3IAq4hcQg166VMNIauaNl1/7GHiTWFEqFGwfOz8AzJoI4Zy +GZHpt31edApGeknwUUd88hDENSxatpt1Ik4watIFu6/QARwxS/Lvyg7Qgasb7S/k +XEfVqYufRb06hHn/ku3Kkdoewiym8hfmB5ab15UhMYTk2ZqAIsyqPxOqzazNqelG +cjcuNOFHvSTf0And +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-evroot.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-evroot.pem.certspec new file mode 100644 index 0000000000..0b34be6db8 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-evroot.pem.certspec @@ -0,0 +1,4 @@ +issuer:ev_int_rsa_2048-evroot +subject:ev_ee_rsa_2048-ev_int_rsa_2048-evroot +extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_rsa_2048-ev_int_rsa_2048-evroot/ +extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1 diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040-evroot.pem b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040-evroot.pem new file mode 100644 index 0000000000..013025037a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040-evroot.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDVDCCAjygAwIBAgIUUS1yMHrNTB04yhzfgIRlUXAJ1RYwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy +MDQwMDAwMDBaMCExHzAdBgNVBAMMFmV2X2ludF9yc2FfMjA0MC1ldnJvb3QwggEh +MA0GCSqGSIb3DQEBAQUAA4IBDgAwggEJAoIBAAC6wGUv37wAVYgv+66s7siPotCD +wpfdXUBmTdPZD1L5qgK9ilD7oW4P2ZGHjvR1+bNQ2fjj6yq9cXzjJ7CXiFMfE9+O +Pk47nWFruKQeUwbu0kchYxYQURgBJ2pOtm8HMxtcvIvK5wFqj5s9TyrEVTxiTPUm +O8s0johA3mYShwlgp5IZGxOPshf3Zc7Hv/jpTxazlBm/dQTFmn5Peb1tFz6ce/PZ +0qTnPMGAsFkKc9WE+3/JtU+lRGB+U/xoXHpV/USoHUFCtq9R6m+mzqUpZaLoxdhP +PKAk1vu5sAW5ZRzl2fLs9A7UBJgan/wCY24xGwlcYzKgyH3DknG1VRSBd0sCAwEA +AaOBkDCBjTAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBPBggrBgEFBQcBAQRD +MEEwPwYIKwYBBQUHMAGGM2h0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9ldl9p +bnRfcnNhXzIwNDAtZXZyb290LzAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoB +g3QJATANBgkqhkiG9w0BAQsFAAOCAQEABBbmTESafgC0V/hHzhWyyJW1Tyj+MshG +oAS+IGmK/ImxQDL6Q91arnEOxThBuhFbm6ZjG8HGu+KAa+XudoCMN2RHQQzzVEIn +Oewbk/UmjS8fZ88JI9WxUByOxo1CtWCe3XqjInVevzzcpTxHIAuhUjQD/CvHzeFl +pv/6snWb9g4QMdro4FjMjl8qBmm3jwh5wjcDBiMzSbtSUAfF8dcH2haLfQdD+A+T +xxS6JWOMZFR8xQeUPlgqMiKpHZCewVLzZU4HEyUWo1Tc9aaf97T6v0UnDhVSof6/ +Bqavy3XEpi50FD+H5XQUa0ZIoH3D7UmuCRNzjWCmPUyTWosNE4Ghrg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040-evroot.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040-evroot.pem.certspec new file mode 100644 index 0000000000..80be711742 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040-evroot.pem.certspec @@ -0,0 +1,8 @@ +issuer:evroot +subject:ev_int_rsa_2040-evroot +issuerKey:ev +subjectKey:rsa2040 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign +extension:authorityInformationAccess:http://www.example.com:8888/ev_int_rsa_2040-evroot/ +extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1 diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040.key b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040.key new file mode 100644 index 0000000000..63b267865f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEtwIBADANBgkqhkiG9w0BAQEFAASCBKEwggSdAgEAAoIBAAC6wGUv37wAVYgv ++66s7siPotCDwpfdXUBmTdPZD1L5qgK9ilD7oW4P2ZGHjvR1+bNQ2fjj6yq9cXzj +J7CXiFMfE9+OPk47nWFruKQeUwbu0kchYxYQURgBJ2pOtm8HMxtcvIvK5wFqj5s9 +TyrEVTxiTPUmO8s0johA3mYShwlgp5IZGxOPshf3Zc7Hv/jpTxazlBm/dQTFmn5P +eb1tFz6ce/PZ0qTnPMGAsFkKc9WE+3/JtU+lRGB+U/xoXHpV/USoHUFCtq9R6m+m +zqUpZaLoxdhPPKAk1vu5sAW5ZRzl2fLs9A7UBJgan/wCY24xGwlcYzKgyH3DknG1 +VRSBd0sCAwEAAQKB/2A9smffl1VcvthrjfNVA0ryjx638+eCnSObzCc6fHppoQvo +8h8bbEsCxrrjcxwxWLW7/0YF9Xq3t7Kgy6LsAFottbHqbgrO6lvHRdzS0OnWuA1+ +sOorwIEnvONfpQxCzEEYcbpZHiO6ajhISjPv8TR/kH7ppakqIxG7C0NVEAIPeOO7 +AAmdtNEYKSgJZQX8uoTzyhI4/R66XuofORu7zFQksWgGP8F+HKbhkSzLpE+dApIw +ih/tuAYSUps59Z0KP4GAtbogETIZf5OlgV3tk43459k8mxV2ZYjzObtZEAr9pJSn +5FLX3UyaGc4uw6M6GLIPC02t4XK+4Z8m8Ny+QQKBgA7Dhpy5LUBsrd96MZqylEi8 +UFoFkTcHhzNh/FuYakmftl7rgVp+N2h9GfEoCHKJ2buIGOe8ylAsSQCtmuzhF5vh +L/PkZ9YG/IIOqPB6yev/4iNuOBaEEgKIIj5C2+aN/ZcqhaZEflFpXyNNp5EcZ8mr +lTHzPfO5lDLU7ojJpO+7AoGADKY5NFSehf6sjg9WBDA/0YSf6Ir0t/fhITKDu8ei +wqUJ+Sc8Qoxo3j25PmFF8bQAvW1KJiYU6QQ602LU66SmuZU5nIk0o5mRIZnoQdjo +2/8EifaeZjeWcwspgFMLMctwaVohYl6irczAnZMFFvqHIhGpHiLdif2et9qFdLci +NbECgYANfTp14X9l+KZYpIXECVwQpPZpeeK3O8qc+O8hJT4frKxtR5H1g5LOhlb4 +jxJAzJDCllPjEAxtejjtRLFjsznl87bjiRISbGmzzv8uUZJCbZZJtv/KGrt10rou +1tmiaqODxZc9ViFv8u25DM+Id0Kg8YOskslM8YdldkXHdy2a1wKBgAP1UBlMEX8k +vqKFsgkFgDL0KYX/Vazr6IsW35o3UntOYdyRpo28mmRRNFKM5fJIvaKJPJbLe+ee +5zmWx8Ild/bC95BAbzRyrbOyEbfpRJTzLFxvzAl4g5/kckwxsGMYokiVZ7T8oDN6 +yxuEEieqpfbHSACiMGkp8CzgOLrZQ99BAoGACAp9v6jCWEgUxxZkxW62LOTK8Wr+ +iNRJkVnWdHdKOj7N3xJWwC/JFSXFJ2kkItCrqU5cQe4S3HG7Zvhnn6F+CW8oCAhR +ugRusxiFwUFOiYWt5ZnZB68XRT0cyuosDQZEP4Nnpr4VSxJeOQ7g2Q90bwiAHdP1 +Nn9Z+6LlpnwF83U= +-----END PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040.key.keyspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040.key.keyspec new file mode 100644 index 0000000000..f488e73a94 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040.key.keyspec @@ -0,0 +1 @@ +rsa2040 diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-ev_root_rsa_2040.pem b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-ev_root_rsa_2040.pem new file mode 100644 index 0000000000..a824f21311 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-ev_root_rsa_2040.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDcjCCAlugAwIBAgIUe6r7oOZeGvPiCQzyYHzmsN2cCdAwDQYJKoZIhvcNAQEL +BQAwGzEZMBcGA1UEAwwQZXZfcm9vdF9yc2FfMjA0MDAiGA8yMDIyMTEyNzAwMDAw +MFoYDzIwMjUwMjA0MDAwMDAwWjArMSkwJwYDVQQDDCBldl9pbnRfcnNhXzIwNDgt +ZXZfcm9vdF9yc2FfMjA0MDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +ALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG +8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0V +gg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g3 +04hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l +0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz +/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaOBmjCBlzAMBgNVHRMEBTADAQH/MAsGA1Ud +DwQEAwIBBjBZBggrBgEFBQcBAQRNMEswSQYIKwYBBQUHMAGGPWh0dHA6Ly93d3cu +ZXhhbXBsZS5jb206ODg4OC9ldl9pbnRfcnNhXzIwNDgtZXZfcm9vdF9yc2FfMjA0 +MC8wHwYDVR0gBBgwFjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwDQYJKoZIhvcNAQEL +BQADggEAAHWhcLzQZ2yiJ1PWSYbzoVhsUieDET0ozszavQNKffv8u5reGrGk82WR +KhGpm6xsQFejGaSchbTS/hERtJb1kiJl632f4HFMv0bbL4+D/E0nu0o0PJ6jnHGx +mMMP8SwEA8Gc/kimeu4wGZRGBqDyI6vCCog7sA/8Kcf8txdHfQgpZOfchf2+M8r9 +GfRQOR0+tc15/D4teI/Vzt0Hawxp+FWQyGJdHC6AvpHycmS4ZzBqeHloh4KQCckv +ogUyG9ZsIPertJxv+pzpG5zJOjq/bJ14XpoLLLOSHYGlRFbPffdXbpC2ZjyW9aqQ +lpP67r/PylcApVEsp99Q/nSVahn3dw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-ev_root_rsa_2040.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-ev_root_rsa_2040.pem.certspec new file mode 100644 index 0000000000..5bc5674b2c --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-ev_root_rsa_2040.pem.certspec @@ -0,0 +1,7 @@ +issuer:ev_root_rsa_2040 +subject:ev_int_rsa_2048-ev_root_rsa_2040 +issuerKey:evRSA2040 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign +extension:authorityInformationAccess:http://www.example.com:8888/ev_int_rsa_2048-ev_root_rsa_2040/ +extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1 diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-evroot.pem b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-evroot.pem new file mode 100644 index 0000000000..2cb67ec509 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-evroot.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDVTCCAj2gAwIBAgIUZUWg4gjvMyq7pPVHIL3dTjVIH78wDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAy +MDQwMDAwMDBaMCExHzAdBgNVBAMMFmV2X2ludF9yc2FfMjA0OC1ldnJvb3QwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT +2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzV +JJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8N +jf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCA +BiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVh +He4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMB +AAGjgZAwgY0wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwTwYIKwYBBQUHAQEE +QzBBMD8GCCsGAQUFBzABhjNodHRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgvZXZf +aW50X3JzYV8yMDQ4LWV2cm9vdC8wHwYDVR0gBBgwFjAUBhIrBgEEAetJhRqFGoUa +AYN0CQEwDQYJKoZIhvcNAQELBQADggEBAAidI0skeWsWFGYlGGuICCBsFtZI7amL +toBgLMMImP7qeJvn3wqgMHeWc2o0RKGn6HGCLwHFL6QbULufi/LMv9U/rZzzX4uT +w4ao9w+ELEUWNuTnFafpVRJ4k5LsO/mhVHi8D8V9WCx5EzhHygLe2YSitmAct+jI +tLNLSov/04w0erI6QkERTROxVDVRQ0otpxtLJiqbpJv+GSgijyBH5uBe7I87hZ0B +Jsk70eXlyt2lXUULxuIAsUzo4PcOf+ytZkrGwRbGVDmfiLCDH5BMTEsWRu3kMg/1 +iK6TTQa6kHXwpmr2cYDBgy8MjB2QTX/BSQJRHXtXCQ6GGfmzqbUu1Ck= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-evroot.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-evroot.pem.certspec new file mode 100644 index 0000000000..a0cb6250dc --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-evroot.pem.certspec @@ -0,0 +1,7 @@ +issuer:evroot +subject:ev_int_rsa_2048-evroot +issuerKey:ev +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign +extension:authorityInformationAccess:http://www.example.com:8888/ev_int_rsa_2048-evroot/ +extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1 diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048.key b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048.key new file mode 100644 index 0000000000..09e044f5e0 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9 +braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI +eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6 +iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za +qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7 +LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs +2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs +VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s +JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI +r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz +iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg +SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R +TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N +gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp +xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r +ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR +3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY +EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs +2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb +WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo +tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl +rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2 +TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit +tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m +ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1 +NBinA5ZsT8d0v3QCr2xDJH9D +-----END PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048.key.keyspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048.key.keyspec new file mode 100644 index 0000000000..4ad96d5159 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048.key.keyspec @@ -0,0 +1 @@ +default diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.key b/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.key new file mode 100644 index 0000000000..bcd996ab23 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEuQIBADANBgkqhkiG9w0BAQEFAASCBKMwggSfAgEAAoIBAADKcCDcIV9XkU00 +P65KAVERaXr5l6Xs6RhmSZ/CPxuIoRjL0wsQ2Rx7mg1O6JcvyuVsr1fyX8EnWipN +vLmCQowy71h78jh0EDMKD/sWuAKb14OWnvZ19t44wY9nGTy2wHL4sj0LM3QRJiel +e5AFV3HZ5iYD9TeI1/Y6+nJPXRCAlt8x+J8msetffENXmA4Aj81V2CfdJiOVyi9S +ageJfMQMWTs4cW68DKpZZxnG8prJtzp6lEdIo6o+CenrTUYeoAJ+VAkmYUcoudJD +l1z5oFQb79JedrUflREQsOdkT8fjhEF5G20iJzhMuABOIzQjcrHPXMPnPjG3u++h +YOaGLrsCAwEAAQKCAQAAstt0vOkjYqv3KVWmOK6HILowM7t/lxyvORiNdULqocGr +tdIFseIRH0eRwIkRouFB6M/XBUcC0jEAtWQsBuGjGxGK/R+aLzlsztQlxQHZFDXK +hlZ2bO0rk7u4Zp/Om6zXJ9Hayz2vq8MpPjU4nu+OoLWOGusaIOamH5/NRT91Z/4x +0SO2FqJv703x1sn3SQER0Cju/R2XIEWxokInPdemfr8RHbJ0GlqTx7IonMSiNvWp +mm7HqCBv2uHB0EvbsZgNSimMWhfa5BhkdKX3g12IK87ySu9O1vFJ+U2WyffXjmR/ +x3ipAX/yCNO0oXaLGCFiECzasDL6u6s41SAKMkZJAoGADzhE0NTU1qIazXam/DcL +hVDh1+xaYjQXLnkPACmuZR9tXFkzCrGYArnXogfeeh+3eON3T9vcQRdQYz2NGz/g +dQBv/P0dEOdjx6kifS1fDC2t4cnmWcNQoVnTa7mG8SY21PmUKyiLwP4h2oeZR3Fz +FEJJyi44nmxcJap4yMrX1N8CgYANTQvt0ZYvB6Hq1rI6TtZ66vEnDwUqbSm6B0lF +xjYaXE+PB7+FngZ67T9ObjI+8qqKas00CwvcfP5P0ynjyX+HDH93NXksaqnQ9+dU +KijtbwGw5VorjZwkplxtoxTJVIT1x8OVSoG7AWsH7RfumwYDlpW8oFmnn43CQj0y +jVJlpQKBgAnymi/wW+ipbWFLoxsIk1QgqGxrxCuZpmkuoNpXY/AeWWlZt93Oc++c +Lk9uW0BxCIdQDUS6DDzTEyy6J0dfOcLfdVLi0SOiSXpPlwZAKHaaSKNiRlf3K/U5 +89DeI0/szTvooKqQxr9umwvtQwcKJNBh/z7RdRo+8v9/a5C529X7AoGAAaZZ4XDK +wSCgO+HPj53xyqNTsDWTvXR25YU72HTChziGAcbDQc6dHShKXu8aOmadMrgWpers +2LeET+BwZLm8oMKzGNVAJ3s/fxUQ04a7NuA7BHceXSKeiIk+E7dTv7lFGLtjjiQE +vW5qmTwWaNk/wLgv8IqvNDR9P+g5cQjIfKUCgYAEAlfA1KIcC5hDKXxlZS22YwT7 +Jjdz1yi2q/oG03rAymLGKAI+CeN9wKkB5M4SJBgOJYKjqktqGnuY4r1wB3rsFKyK +tmp1XHHg/BAkcfm7wbRqlaoLZF8sOOdkUCiWGeo/XormEDe//PgknyKqTnbioBkJ +8/6ykM6T7fV7EOvnlg== +-----END PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.key.keyspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.key.keyspec new file mode 100644 index 0000000000..a85e16858b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.key.keyspec @@ -0,0 +1 @@ +evRSA2040 diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.pem b/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.pem new file mode 100644 index 0000000000..fe3abd78a8 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC4zCCAcygAwIBAgIUJ7nCMgtzNcSPG7jAh3CWzlTGHQgwDQYJKoZIhvcNAQEL +BQAwGzEZMBcGA1UEAwwQZXZfcm9vdF9yc2FfMjA0MDAiGA8yMDE1MDEwMTAwMDAw +MFoYDzIwMzUwMTAxMDAwMDAwWjAbMRkwFwYDVQQDDBBldl9yb290X3JzYV8yMDQw +MIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQAAynAg3CFfV5FNND+uSgFR +EWl6+Zel7OkYZkmfwj8biKEYy9MLENkce5oNTuiXL8rlbK9X8l/BJ1oqTby5gkKM +Mu9Ye/I4dBAzCg/7FrgCm9eDlp72dfbeOMGPZxk8tsBy+LI9CzN0ESYnpXuQBVdx +2eYmA/U3iNf2OvpyT10QgJbfMfifJrHrX3xDV5gOAI/NVdgn3SYjlcovUmoHiXzE +DFk7OHFuvAyqWWcZxvKaybc6epRHSKOqPgnp601GHqACflQJJmFHKLnSQ5dc+aBU +G+/SXna1H5URELDnZE/H44RBeRttIic4TLgATiM0I3Kxz1zD5z4xt7vvoWDmhi67 +AgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEB +CwUAA4IBAAA/4/YVyeRLPr05Uw5j0JOCx5WNUv2HxemfvTZgF4QEg4vDt8ba3VDR +Xj3Z8hiGYG+s2Wz4k+82wCNRTglm3iutCJ/LbwOAZIa8dFyQUa03EssS0BBvVNhx +uu6+kYMqGteIX5Q94daqZe+0KM9xKbydNCQJKSMD8IV1YHKvotF91MFQHDdnVAZX +anpqDnw0j4YGknFHA1i++0GZC0aWxhRn6Epfza+bYCVogC5BviY6xYIg2kZE8kII +msQ6iUrKQ2OV7HmZ03BdpsGADorycyJ/wRGR3xDDg8RYUur80jU/D0eBq8BX1md8 +Rc+IyDmcFcs7hYRUaJAoxuLPvQ+/vy4= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.pem.certspec new file mode 100644 index 0000000000..fd1ade8dea --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.pem.certspec @@ -0,0 +1,7 @@ +issuer:ev_root_rsa_2040 +subject:ev_root_rsa_2040 +issuerKey:evRSA2040 +subjectKey:evRSA2040 +validity:20150101-20350101 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/evroot.key b/security/manager/ssl/tests/unit/test_keysize_ev/evroot.key new file mode 100644 index 0000000000..1d88a930d5 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize_ev/evroot.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQC1SYlcnQAQjRGh ++Z+HqePRpdtd+uzxiNpXv2QTaI8s5HIs/xCQOMF0Ask6Kkc9vShq7T/c02PPWikU +dwG92BjXYVv5NWvV08gzaqqMCXE2igbDzURhuT5RQk4XRLsuqtRqqzjOGWghlh+H +cUoWY2k/CXYc301roSXqzse+Jw04j3ifbN94rjFE7SjEXnkpOGOnoipImAo2pA5y +1XnJuSXf+MeTNi/9aJenwXVMXpfJZ8Pq3RquiqLMzjSKAWm4Diii1wwalgxvM18t +oJubZD9av7pJ6Kqpgelg4n2HSAvdVd2UF/oYUJ+7VUzPgaQ5fouoEoo0vfJ4ZcGJ +5XNPsikFAgMBAAECggEBAJg9VPlNb0x26yPW+T14UjUwz3Ow0WJUxueBdo1F9VaB +0dAvsr0qrGq8HDiYYJNcUqDY9BSCAQOUd4MUHYZL/zCANjilwBUlcK6dGPPYyhY+ ++0dbDd3zLn4W7HVl5rteAlxBxcZuV6A87eVUIh+DBFNHosTEUcPc5Ha3h84MBXJE +vp4E7xMRjbuz1eCmzIcCnq/Upp7ZsUdZsV452KmITlb1TS+asBPw0V8xipq2svc9 +HsPJ/idK6JQxoQZAvniZsAEcXlCToYNHCGid4QBjTaveYPvWqu+joz3zSh829gwE +MDa3SNHJ7pjEAxoK/sYO/aCpkL5ST1YU6sT9s0pS+VECgYEA6twssz5f8co3a72V +vWoXd9LPT6xHVF6S0RpiCbnV5N7UeDRYHBabPIhHQqCeoYdQXBylVBTY0ltJdjLV +7CqqBSM0MPrUmJJ3en1o4Dj1YaO4lp5gsKJj3vv9pIqbD/OdlbyIsVJnyK3pe1EH +lI5B5DMknYf32xCdXXRYTYa8wdcCgYEAxZrldqIWRwJI2USlW56b+TKZ2jQexW5V +jrqCGrzhv1e3nPQR0pBMd0+duh8VGF9gewV0oIIF1uwotmo21jQjLqry/qN1Yauv +nWRLaNs4yZZMuMluwKxh66ZNBbRGVC9COXb1rN5OzJVTbS31eJVPk/DP2cWPt4ui +p23VrChNyIMCgYEAwdLvOQYzHFKspkgR+f5CW+somDIvs9tRAyzo1+n8MiQL6SAZ +zySA/NXjKYNxJxGLKlmhv+BsiD46REfz8DHNmuvQuNNo/Hl0DSzOjq2zJN9/CR6v +4VZDYdVJILAbBHEjDl5H2T+O0zljxRe8T8ePbYsfnrqFvM7bcDMCZQjbYoUCgYEA +hSG421aU376ASjFfnvybZSdcVJCs8qNFbWXm5hC/n2R/xnUB1PV3LyMqxwzN75/C +pt+kFcfEG2r8evnQfDygP37ZPAnwuZ8sMEQ0Mi8QcXCbvBuqTJFXX6apWeB9SZaV +bZXiK1eTi25HyNUf/t/Jv4iM4NGj5CtlqJvtS5HT5fUCgYEA3El7BrkgyL4LAHe3 +mOl37vdEqQ7Cxdfmy7IkSPrHLagaMxgODYoC6DFGDH/H/TphL3uZMLYbeZ+OkI5j +LpugQJtqpwsDo7p4dCYmO1vVhD34R27bXRT2qGE+uvW5zVykL1+9KALgjk5J5XCf +UVFRDKpassHG6z7+kpXRbowlyRY= +-----END PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/evroot.key.keyspec b/security/manager/ssl/tests/unit/test_keysize_ev/evroot.key.keyspec new file mode 100644 index 0000000000..1a3d76a550 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize_ev/evroot.key.keyspec @@ -0,0 +1 @@ +ev diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/evroot.pem b/security/manager/ssl/tests/unit/test_keysize_ev/evroot.pem new file mode 100644 index 0000000000..13c3031905 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize_ev/evroot.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC0TCCAbmgAwIBAgIUIZSHsVgzcvhPgdfrgdMGlpSfMegwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMTUwMTAxMDAwMDAwWhgPMjAzNTAx +MDEwMDAwMDBaMBExDzANBgNVBAMMBmV2cm9vdDCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBALVJiVydABCNEaH5n4ep49Gl21367PGI2le/ZBNojyzkciz/ +EJA4wXQCyToqRz29KGrtP9zTY89aKRR3Ab3YGNdhW/k1a9XTyDNqqowJcTaKBsPN +RGG5PlFCThdEuy6q1GqrOM4ZaCGWH4dxShZjaT8JdhzfTWuhJerOx74nDTiPeJ9s +33iuMUTtKMReeSk4Y6eiKkiYCjakDnLVecm5Jd/4x5M2L/1ol6fBdUxel8lnw+rd +Gq6KoszONIoBabgOKKLXDBqWDG8zXy2gm5tkP1q/uknoqqmB6WDifYdIC91V3ZQX ++hhQn7tVTM+BpDl+i6gSijS98nhlwYnlc0+yKQUCAwEAAaMdMBswDAYDVR0TBAUw +AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBABTOHA9XbfLv/C7+ +5KycYXToOIBRSjQ0j2nsiqFda4Jx+aKsvdpdrrbLHvhrpfsA3ZgB2+eKHunVc4fo +UHNqZllAs2nx+AEinq4GX8iya5BpiyTIxXWu8v06siGgz1GxlJw1cJ/ZnFEQ9IBf +cCAr5fCoZ4RC+2OVhiSTnYPCKM+zCyw3YpISjNOg1VVkp46Htp+831Eh12YfwvdY +Fgh1fc5ohYC5GCLRuXKc9PGTsr3gp7Y0liYbK7v0RBjd+GivNQ3dS3W+lB3Ow0LH +z/fc3qvrhsd58jHpb1QZQzd9bQjuIIM6Gij7TNdNNarEVZfSJjPYLfXosNdYh5fH +HmbOwao= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/evroot.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/evroot.pem.certspec new file mode 100644 index 0000000000..3121f3486e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize_ev/evroot.pem.certspec @@ -0,0 +1,7 @@ +issuer:evroot +subject:evroot +subjectKey:ev +issuerKey:ev +validity:20150101-20350101 +extension:basicConstraints:cA, +extension:keyUsage:keyCertSign,cRLSign diff --git a/security/manager/ssl/tests/unit/test_logoutAndTeardown.js b/security/manager/ssl/tests/unit/test_logoutAndTeardown.js new file mode 100644 index 0000000000..1582978398 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_logoutAndTeardown.js @@ -0,0 +1,192 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ + +"use strict"; + +// This test ensures that in-progress https connections are cancelled when the +// user logs out of a PKCS#11 token. + +// Get a profile directory and ensure PSM initializes NSS. +do_get_profile(); +Cc["@mozilla.org/psm;1"].getService(Ci.nsISupports); + +function getTestServerCertificate() { + const certDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + const certFile = do_get_file("test_certDB_import/encrypted_with_aes.p12"); + certDB.importPKCS12File(certFile, "password"); + for (const cert of certDB.getCerts()) { + if (cert.commonName == "John Doe") { + return cert; + } + } + return null; +} + +class InputStreamCallback { + constructor(output) { + this.output = output; + this.stopped = false; + } + + onInputStreamReady(stream) { + info("input stream ready"); + if (this.stopped) { + info("input stream callback stopped - bailing"); + return; + } + let available = 0; + try { + available = stream.available(); + } catch (e) { + // onInputStreamReady may fire when the stream has been closed. + equal( + e.result, + Cr.NS_BASE_STREAM_CLOSED, + "error should be NS_BASE_STREAM_CLOSED" + ); + } + if (available > 0) { + let request = NetUtil.readInputStreamToString(stream, available, { + charset: "utf8", + }); + ok( + request.startsWith("GET / HTTP/1.1\r\n"), + "Should get a simple GET / HTTP/1.1 request" + ); + let response = "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"; + this.output.write(response, response.length); + // Keep writing a response until the client disconnects due to the + // logoutAndTeardown. If the client never disconnects, the test will time + // out, indicating a bug. + while (true) { + this.output.write("a", 1); + } + } + this.output.close(); + info("done with input stream ready"); + } + + stop() { + this.stopped = true; + this.output.close(); + } +} + +class TLSServerSecurityObserver { + constructor(input, output) { + this.input = input; + this.output = output; + this.callbacks = []; + this.stopped = false; + } + + onHandshakeDone(socket, status) { + info("TLS handshake done"); + info(`TLS version used: ${status.tlsVersionUsed}`); + + if (this.stopped) { + info("handshake done callback stopped - bailing"); + return; + } + + let callback = new InputStreamCallback(this.output); + this.callbacks.push(callback); + this.input.asyncWait(callback, 0, 0, Services.tm.currentThread); + + // We've set up everything needed for a successful request/response, + // but calling logoutAndTeardown should cause the request to be cancelled. + Cc["@mozilla.org/security/sdr;1"] + .getService(Ci.nsISecretDecoderRing) + .logoutAndTeardown(); + } + + stop() { + this.stopped = true; + this.input.close(); + this.output.close(); + this.callbacks.forEach(callback => { + callback.stop(); + }); + } +} + +class ServerSocketListener { + constructor() { + this.securityObservers = []; + } + + onSocketAccepted(socket, transport) { + info("accepted TLS client connection"); + let connectionInfo = transport.securityCallbacks.getInterface( + Ci.nsITLSServerConnectionInfo + ); + let input = transport.openInputStream(0, 0, 0); + let output = transport.openOutputStream(0, 0, 0); + let securityObserver = new TLSServerSecurityObserver(input, output); + this.securityObservers.push(securityObserver); + connectionInfo.setSecurityObserver(securityObserver); + } + + // For some reason we get input stream callback events after we've stopped + // listening, so this ensures we just drop those events. + onStopListening() { + info("onStopListening"); + this.securityObservers.forEach(observer => { + observer.stop(); + }); + } +} + +function getStartedServer(cert) { + let tlsServer = Cc["@mozilla.org/network/tls-server-socket;1"].createInstance( + Ci.nsITLSServerSocket + ); + tlsServer.init(-1, true, -1); + tlsServer.serverCert = cert; + tlsServer.setSessionTickets(false); + tlsServer.asyncListen(new ServerSocketListener()); + return tlsServer; +} + +const hostname = "example.com"; + +function storeCertOverride(port, cert) { + let certOverrideService = Cc[ + "@mozilla.org/security/certoverride;1" + ].getService(Ci.nsICertOverrideService); + certOverrideService.rememberValidityOverride(hostname, port, {}, cert, true); +} + +function startClient(port) { + let req = new XMLHttpRequest(); + req.open("GET", `https://${hostname}:${port}`); + return new Promise((resolve, reject) => { + req.onload = () => { + ok(false, "should not have gotten load event"); + resolve(); + }; + req.onerror = () => { + ok(true, "should have gotten an error"); + resolve(); + }; + + req.send(); + }); +} + +add_task(async function () { + Services.prefs.setCharPref("network.dns.localDomains", hostname); + let cert = getTestServerCertificate(); + + let server = getStartedServer(cert); + storeCertOverride(server.port, cert); + await startClient(server.port); + server.close(); +}); + +registerCleanupFunction(function () { + Services.prefs.clearUserPref("network.dns.localDomains"); +}); diff --git a/security/manager/ssl/tests/unit/test_missing_intermediate.js b/security/manager/ssl/tests/unit/test_missing_intermediate.js new file mode 100644 index 0000000000..2a723b2a0f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_missing_intermediate.js @@ -0,0 +1,92 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +"use strict"; + +// Tests that if a server does not send a complete certificate chain, we can +// make use of cached intermediates to build a trust path. + +const { TestUtils } = ChromeUtils.importESModule( + "resource://testing-common/TestUtils.sys.mjs" +); + +do_get_profile(); // must be called before getting nsIX509CertDB + +registerCleanupFunction(() => { + let certDir = Services.dirsvc.get("CurWorkD", Ci.nsIFile); + certDir.append("bad_certs"); + Assert.ok(certDir.exists(), "bad_certs should exist"); + let args = ["-D", "-n", "manually-added-missing-intermediate"]; + run_certutil_on_directory(certDir.path, args, false); +}); + +function run_test() { + add_tls_server_setup("BadCertAndPinningServer", "bad_certs"); + // If we don't know about the intermediate, we'll get an unknown issuer error. + add_connection_test( + "ee-from-missing-intermediate.example.com", + SEC_ERROR_UNKNOWN_ISSUER + ); + + // Make BadCertAndPinningServer aware of the intermediate. + add_test(() => { + let args = [ + "-A", + "-n", + "manually-added-missing-intermediate", + "-i", + "test_missing_intermediate/missing-intermediate.pem", + "-a", + "-t", + ",,", + ]; + let certDir = Services.dirsvc.get("CurWorkD", Ci.nsIFile); + certDir.append("bad_certs"); + Assert.ok(certDir.exists(), "bad_certs should exist"); + run_certutil_on_directory(certDir.path, args); + run_next_test(); + }); + + // We have to start observing the topic before there's a chance it gets + // emitted. + add_test(() => { + TestUtils.topicObserved("psm:intermediate-certs-cached").then( + subjectAndData => { + Assert.equal(subjectAndData.length, 2, "expecting [subject, data]"); + Assert.equal(subjectAndData[1], "1", `expecting "1" cert imported`); + run_next_test(); + } + ); + run_next_test(); + }); + // Connect and cache the intermediate. + add_connection_test( + "ee-from-missing-intermediate.example.com", + PRErrorCodeSuccess + ); + + // Add a dummy test so that the only way we advance from here is by observing + // "psm:intermediate-certs-cached". + add_test(() => {}); + + // Delete the intermediate on the server again. + add_test(() => { + clearSessionCache(); + let certDir = Services.dirsvc.get("CurWorkD", Ci.nsIFile); + certDir.append("bad_certs"); + Assert.ok(certDir.exists(), "bad_certs should exist"); + let args = ["-D", "-n", "manually-added-missing-intermediate"]; + run_certutil_on_directory(certDir.path, args); + run_next_test(); + }); + + // Since we cached the intermediate in gecko, this should succeed. + add_connection_test( + "ee-from-missing-intermediate.example.com", + PRErrorCodeSuccess + ); + + run_next_test(); +} diff --git a/security/manager/ssl/tests/unit/test_missing_intermediate/missing-intermediate.pem b/security/manager/ssl/tests/unit/test_missing_intermediate/missing-intermediate.pem new file mode 100644 index 0000000000..f2eecbab1f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_missing_intermediate/missing-intermediate.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC4DCCAcigAwIBAgIUazqLAdtIsDInWymsEwlRNZZIqaswDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw +MjA0MDAwMDAwWjAfMR0wGwYDVQQDDBRNaXNzaW5nIEludGVybWVkaWF0ZTCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ +6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUk +nAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N +/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAG +JMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd +7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEA +AaMdMBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQAD +ggEBAFOZmlCxzl9bxbyKxNOmf/Py63gdJlo610PaEBlNynRVjYciA8HrthfzMNhS +eHYVuHr7Q6ZLhRunz10WuB35iMQ8xKkzs4rsRqNmHElTU/AKm44W7oPUE7yGP3dN +7u1FINDJDB6CPDEDK7iFSUrp++et7vFKH7KHPhCYQdsYvV/MqrnvasR6oAS0ii2q +R7I/6I3cnsCywvAyy1w4dBUjrn93Kh7NdR0efyjb7EKUNhoL2IhnWB+yuNvMdGMs +zmMNjDYXQELyv6DVsh8HQxIyXtzXtglBwPrWXl9/uZ9fxZt0U7T/HoH752f54zPk +HHynrNyUqfvh9AI3Tt0IAbT479c= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_missing_intermediate/missing-intermediate.pem.certspec b/security/manager/ssl/tests/unit/test_missing_intermediate/missing-intermediate.pem.certspec new file mode 100644 index 0000000000..c21e757449 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_missing_intermediate/missing-intermediate.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test CA +subject:Missing Intermediate +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_name_constraints.js b/security/manager/ssl/tests/unit/test_name_constraints.js new file mode 100644 index 0000000000..ab38b96a31 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_name_constraints.js @@ -0,0 +1,71 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +"use strict"; + +// This test tests two specific items: +// 1. Are name constraints properly enforced across the entire constructed +// certificate chain? This makes use of a certificate hierarchy like so: +// - (trusted) root CA with permitted subtree dNSName example.com +// - intermediate CA with permitted subtree dNSName example.org +// a. end-entity with dNSNames example.com and example.org +// (the first entry is allowed by the root but not by the intermediate, +// and the second entry is allowed by the intermediate but not by the +// root) +// b. end-entity with dNSName example.com (not allowed by the intermediate) +// c. end-entity with dNSName examle.org (not allowed by the root) +// d. end-entity with dNSName example.test (not allowed by either) +// All of these cases should fail to verify with the error that the +// end-entity is not in the name space permitted by the hierarchy. +// +// 2. Are externally-imposed name constraints properly enforced? This makes use +// of a certificate hierarchy rooted by a certificate with the same DN as an +// existing hierarchy that has externally-imposed name constraints (DCISS). + +do_get_profile(); // must be called before getting nsIX509CertDB +const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +function certFromFile(name) { + return constructCertFromFile(`test_name_constraints/${name}.pem`); +} + +function loadCertWithTrust(certName, trustString) { + addCertFromFile(certdb, `test_name_constraints/${certName}.pem`, trustString); +} + +function checkCertNotInNameSpace(cert) { + return checkCertErrorGeneric( + certdb, + cert, + SEC_ERROR_CERT_NOT_IN_NAME_SPACE, + certificateUsageSSLServer + ); +} + +function checkCertInNameSpace(cert) { + return checkCertErrorGeneric( + certdb, + cert, + PRErrorCodeSuccess, + certificateUsageSSLServer + ); +} + +add_task(async function () { + // Test that name constraints from the entire certificate chain are enforced. + loadCertWithTrust("ca-example-com-permitted", "CTu,,"); + loadCertWithTrust("int-example-org-permitted", ",,"); + await checkCertNotInNameSpace(certFromFile("ee-example-com-and-org")); + await checkCertNotInNameSpace(certFromFile("ee-example-com")); + await checkCertNotInNameSpace(certFromFile("ee-example-org")); + await checkCertNotInNameSpace(certFromFile("ee-example-test")); + + // Test that externally-imposed name constraints are enforced (DCISS tests). + loadCertWithTrust("dciss", "CTu,,"); + await checkCertInNameSpace(certFromFile("NameConstraints.dcissallowed")); + await checkCertNotInNameSpace(certFromFile("NameConstraints.dcissblocked")); +}); diff --git a/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissallowed.pem b/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissallowed.pem new file mode 100644 index 0000000000..4711aeb52f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissallowed.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDVzCCAj+gAwIBAgIUI6mWkP5zTmykASccGMuIZiel5n8wDQYJKoZIhvcNAQEL +BQAwgYUxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIEwZGcmFuY2UxDjAMBgNVBAcTBVBh +cmlzMRAwDgYDVQQKEwdQTS9TR0ROMQ4wDAYDVQQLEwVEQ1NTSTEOMAwGA1UEAxMF +SUdDL0ExIzAhBgkqhkiG9w0BCQEWFGlnY2FAc2dkbi5wbS5nb3V2LmZyMCIYDzIw +MjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMEExCzAJBgNVBAYTAlVTMQsw +CQYDVQQIDAJDQTEMMAoGA1UECgwDRm9vMRcwFQYDVQQDDA5mb28uZXhhbXBsZS5m +cjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogG +NhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqn +RYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHu +p3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQ +Lzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p +47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo1 +7Y0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAPQS0MUvn+KrIt/nliEzDqwAGSBZX +w/hfssEDGf/8EJxMk8UwM1j0LvLu72DySFOlBP5rMsEBlk8EDgMgVwKl/OlBDSCT +PQQh9ul2wqTTJzJy5sxn+PbuJDy321UCRZRQMBtQs3NcKgKpHsHTU8R7qOrzv0JH +dhSo+BHdmovkzRuk24Y3mv/TMsKicXfB139VaxNiv62wMV+Zl11p5054IVEOKqqQ +E7HnMcyS47AudLDDuVfxALei1IHnRgI8l+AfAWzTFdC7eGq18V+lwZFkKiCvFzVA +K1Jbx8CpyhANAajcOBTVXMWlANKN/1coY7A5tBsXJqWM2FTN12Z6hxJjow== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissallowed.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissallowed.pem.certspec new file mode 100644 index 0000000000..1a02a0cc1a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissallowed.pem.certspec @@ -0,0 +1,2 @@ +issuer:printableString/C=FR/ST=France/L=Paris/O=PM/SGDN/OU=DCSSI/CN=IGC/A/emailAddress=igca@sgdn.pm.gouv.fr +subject:/C=US/ST=CA/O=Foo/CN=foo.example.fr diff --git a/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissblocked.pem b/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissblocked.pem new file mode 100644 index 0000000000..ddb7b31b5e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissblocked.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDWDCCAkCgAwIBAgIUE8HP5mMfdClk3WBDRkQK+NpLT5cwDQYJKoZIhvcNAQEL +BQAwgYUxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIEwZGcmFuY2UxDjAMBgNVBAcTBVBh +cmlzMRAwDgYDVQQKEwdQTS9TR0ROMQ4wDAYDVQQLEwVEQ1NTSTEOMAwGA1UEAxMF +SUdDL0ExIzAhBgkqhkiG9w0BCQEWFGlnY2FAc2dkbi5wbS5nb3V2LmZyMCIYDzIw +MjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMEIxCzAJBgNVBAYTAlVTMQsw +CQYDVQQIDAJDQTEMMAoGA1UECgwDRm9vMRgwFgYDVQQDDA9mb28uZXhhbXBsZS5j +b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braI +BjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVa +p0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB +7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4C +kC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJv +aeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgK +Ne2NAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAANzAGVYkRHPSSlBPcL63aR2OhhL +kkQSn4UbmBVzxH+qNeMD+RjYS421P5fwScKrALUoNxPCV8H1fY1lFTuso6Cdn1th +QoVLWSgad9v+fZ2uJJlf0hWFMRdBrYKIhM68Y7cXfcDwCqLEr7c9/lVsBmVdVAqY +EHPqDmDnVToC3XKgMXuVol5z8yu4Ki70HMODqdJP1KRP8k45xLn6eeInd8J/hWEe +zbeHk5GBoRMcuDBrHyxBZrtgUPCvc+20ymN/E5cCGkjGtUUF6e5oOJ3zNaQwVAAI +7A3Dfj3Pvltbg9GKHCODVcGhVt9RtJvZMYwdhkLhMsZ8EvFFJmDUFVcq4/o= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissblocked.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissblocked.pem.certspec new file mode 100644 index 0000000000..eabee87e83 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissblocked.pem.certspec @@ -0,0 +1,2 @@ +issuer:printableString/C=FR/ST=France/L=Paris/O=PM/SGDN/OU=DCSSI/CN=IGC/A/emailAddress=igca@sgdn.pm.gouv.fr +subject:/C=US/ST=CA/O=Foo/CN=foo.example.com diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ca-example-com-permitted.pem b/security/manager/ssl/tests/unit/test_name_constraints/ca-example-com-permitted.pem new file mode 100644 index 0000000000..abd537d98a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_name_constraints/ca-example-com-permitted.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDETCCAfmgAwIBAgIUa+D7Ru/tv4BIrp5R02ihNjlBjNQwDQYJKoZIhvcNAQEL +BQAwIzEhMB8GA1UEAwwYY2EtZXhhbXBsZS1jb20tcGVybWl0dGVkMCIYDzIwMjIx +MTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMCMxITAfBgNVBAMMGGNhLWV4YW1w +bGUtY29tLXBlcm1pdHRlZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +ALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG +8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0V +gg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g3 +04hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l +0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz +/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaM5MDcwDAYDVR0TBAUwAwEB/zALBgNVHQ8E +BAMCAQYwGgYDVR0eBBMwEaAPMA2CC2V4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUA +A4IBAQByx4nIC7QJZvN1JknJSZdm/AiD1WwQ7kKNnpVnj4iv+PexpTXjn+DjNgqi +neKI8QUFA6m6tkNju61/SUHXEi/e6GagnpKqXrZLcmdnm0tXYBxE8FQiA/xc1joe +IOGV8iPmGfaqNFoIBEk3TzagzCggXr14Wa0V7CWI4hS0O9BwEgiwW6JS0tqxwIs2 +2YhBWXKIC5T10+q7HewJClSq9sQO2DMSdVzk56lhabh0q5HSopC6C4IG31Tvn8kB +65/7vyuiZc+d8Qrs6FiYuTx5kNxgZk6EGybeIGsO8hC9SkIapO/fceJR/ZXjRY8t +FR9o4+RWSUDH46GBghI6ymFUOTvI +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ca-example-com-permitted.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/ca-example-com-permitted.pem.certspec new file mode 100644 index 0000000000..1cc3c1d81b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_name_constraints/ca-example-com-permitted.pem.certspec @@ -0,0 +1,5 @@ +issuer:ca-example-com-permitted +subject:ca-example-com-permitted +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign +extension:nameConstraints:permitted:example.com diff --git a/security/manager/ssl/tests/unit/test_name_constraints/dciss.pem b/security/manager/ssl/tests/unit/test_name_constraints/dciss.pem new file mode 100644 index 0000000000..e640d5c414 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_name_constraints/dciss.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDuzCCAqOgAwIBAgIUZ5yCDkvK/L//BgGU9zNVyxH/zB8wDQYJKoZIhvcNAQEL +BQAwgYUxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIEwZGcmFuY2UxDjAMBgNVBAcTBVBh +cmlzMRAwDgYDVQQKEwdQTS9TR0ROMQ4wDAYDVQQLEwVEQ1NTSTEOMAwGA1UEAxMF +SUdDL0ExIzAhBgkqhkiG9w0BCQEWFGlnY2FAc2dkbi5wbS5nb3V2LmZyMCIYDzIw +MjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMIGFMQswCQYDVQQGEwJGUjEP +MA0GA1UECBMGRnJhbmNlMQ4wDAYDVQQHEwVQYXJpczEQMA4GA1UEChMHUE0vU0dE +TjEOMAwGA1UECxMFRENTU0kxDjAMBgNVBAMTBUlHQy9BMSMwIQYJKoZIhvcNAQkB +FhRpZ2NhQHNnZG4ucG0uZ291di5mcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72x +nAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lM +wmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF +4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20 +yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xx +j5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMdMBswDAYDVR0TBAUwAwEB/zAL +BgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBABrf/JNA+DqdYQwn9RYxSt66 +PZhpot1THGjGmav+5zTV7FrwZLkoEuXBcS+Yg3Gvwtfp+2dJ+xgtmM+78ujmxbTI +q4tps6Bny+EKvDOYIjqjxp0adanemfywJmpFH3Tgr82KVTa33UbrhW+YXsUyBQv9 +pvUZfMy0O05SHOlIO3lSpaYzQrxx/e0UnkB0Qchfe1Uyhgq/MHQCNOYV11up7iDU +Sdbq1Nx1Qo6rLeH1z0PJz2uE5hLe9d5hFuCApB0+2eOOvHPz/W6k4AkPeSl2tHr1 +qxMs2wjb/XYyQCieKOD5Hm+8VjHQVOyRBVgHD2avJZdVmrGZ2TKfP15HiPB7YQk= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_name_constraints/dciss.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/dciss.pem.certspec new file mode 100644 index 0000000000..5d53706bc5 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_name_constraints/dciss.pem.certspec @@ -0,0 +1,4 @@ +issuer:printableString/C=FR/ST=France/L=Paris/O=PM/SGDN/OU=DCSSI/CN=IGC/A/emailAddress=igca@sgdn.pm.gouv.fr +subject:printableString/C=FR/ST=France/L=Paris/O=PM/SGDN/OU=DCSSI/CN=IGC/A/emailAddress=igca@sgdn.pm.gouv.fr +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com-and-org.pem b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com-and-org.pem new file mode 100644 index 0000000000..562858db61 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com-and-org.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIC/jCCAeagAwIBAgIUSdk8F0jpDEN+YOAzKTHFYPYpSbcwDQYJKoZIhvcNAQEL +BQAwJDEiMCAGA1UEAwwZaW50LWV4YW1wbGUtb3JnLXBlcm1pdHRlZDAiGA8yMDIy +MTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAhMR8wHQYDVQQDDBZlZS1leGFt +cGxlLWNvbS1hbmQtb3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +uohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGoby +a+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWC +D/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfT +iEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXT +Ce+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+ +SSP6clHEMdUDrNoYCjXtjQIDAQABoycwJTAjBgNVHREEHDAaggtleGFtcGxlLmNv +bYILZXhhbXBsZS5vcmcwDQYJKoZIhvcNAQELBQADggEBAEKJjjUGuvDhrTBOix9j +WAWVAdH5LV9fsi/n6NT8w8tGr5IjqGlEjJThfpDDbnzcXHCO5MdC8IeIAsx4HxiP ++tleJ45bMNiJDgLjXIF7tD+kGXx5BLHeWEgKX4AEwOUyc9MSOQmAzYdapK4/TMJU +O/444FWK8KspiaAvZE+kC0b4gQ5xnEL1+HPJL3rrh0V4iSnvHR+vF8gg0R/okkP5 +LiXVjhVa3ijLFCdB/++Kr3CErtL0Uq0fB4OlK3Oy9B0ieCsnQa3Qy8P9SdsPyM7u +z8AMowAentrU6SpY6z5hWiMpo845g9FWWVHI2YXUjoQvbIhULPcep5u2FJeDbgzk +qjM= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com-and-org.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com-and-org.pem.certspec new file mode 100644 index 0000000000..904ca65955 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com-and-org.pem.certspec @@ -0,0 +1,3 @@ +issuer:int-example-org-permitted +subject:ee-example-com-and-org +extension:subjectAlternativeName:example.com,example.org diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com.pem b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com.pem new file mode 100644 index 0000000000..33c317c2aa --- /dev/null +++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC6TCCAdGgAwIBAgIUcVSFRcZRaVDvcGI+g4f/MZ75ZE0wDQYJKoZIhvcNAQEL +BQAwJDEiMCAGA1UEAwwZaW50LWV4YW1wbGUtb3JnLXBlcm1pdHRlZDAiGA8yMDIy +MTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAZMRcwFQYDVQQDDA5lZS1leGFt +cGxlLWNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW +Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk +cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT +AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3 +ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh +s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV +A6zaGAo17Y0CAwEAAaMaMBgwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wDQYJKoZI +hvcNAQELBQADggEBAJbo7syEpoGC0BtstIQo98hDnTded5+/cDaqfXj/4aGm8NF+ +vIX9s+J6gNnEZxKm7+5fJF5+jLaRIlJLX/dtRR2jOnNdYPf4oC/MHt9YAqJaYvga +3ZmHllRnAmin4WlxhM6R6cMO7sVI3pe2Q7D/Lw3osm6nDq8ZUwwAiaANCrpWedt2 +OCbbFtY+Yi/P3nRotbh8ImG2yn/UwJOas8KNXaPTPl5JwdEnwvbgJzjJZonhkUoR +8I3t0NnQyVsyZV7B1LUF6Iq7WRf9O6Pex9WKhYEe6scv/jJYdWhnA7lIzlRPKlIS +agkqVxrdVNXeUAwqNYpMliIq9YINaBnjtQAoBlI= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com.pem.certspec new file mode 100644 index 0000000000..46630c4a1a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com.pem.certspec @@ -0,0 +1,3 @@ +issuer:int-example-org-permitted +subject:ee-example-com +extension:subjectAlternativeName:example.com diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ee-example-org.pem b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-org.pem new file mode 100644 index 0000000000..bdc1959bd0 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-org.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC6TCCAdGgAwIBAgIUebhi2NR+oiJuaogfqJhY9T/ScvUwDQYJKoZIhvcNAQEL +BQAwJDEiMCAGA1UEAwwZaW50LWV4YW1wbGUtb3JnLXBlcm1pdHRlZDAiGA8yMDIy +MTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAZMRcwFQYDVQQDDA5lZS1leGFt +cGxlLW9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW +Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk +cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT +AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3 +ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh +s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV +A6zaGAo17Y0CAwEAAaMaMBgwFgYDVR0RBA8wDYILZXhhbXBsZS5vcmcwDQYJKoZI +hvcNAQELBQADggEBAHzWG9avWkjx81zISPhrSJsXD4wVrsEFAjI7GPV0ItmoQ8x7 +dKt1G6hEaihrTyfSwibWEB9xy6TFlrPRJKZOVpMtiNWf6iBRdKPgsDW2Ukl99fQL +Vg125SdhbPKTvOti2HvM80H6TKvnKRhz5QaHk6BJu1ky7jTHvZCCigh7BQhISxix +noqhltixD+PfVnn/7Gyu+//fhjUl4qV+Nu9msPoeJL2/ONdx6/LNSIBu20hr4MZx +M+oC5XD77jF1QFT9o+LVr/LtyDcoePM+c8N8HSaxiaCQi7oma6u2SOHsawbrmdYt +2WgYD/ZX1y253n5/N2pXS8PZzLQqXqgNAr672Cg= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ee-example-org.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-org.pem.certspec new file mode 100644 index 0000000000..6a24090e51 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-org.pem.certspec @@ -0,0 +1,3 @@ +issuer:int-example-org-permitted +subject:ee-example-org +extension:subjectAlternativeName:example.org diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ee-example-test.pem b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-test.pem new file mode 100644 index 0000000000..af0e05a6e4 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-test.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC6zCCAdOgAwIBAgIUEZls3sstuzIIOQrIfQZH+nnWIw8wDQYJKoZIhvcNAQEL +BQAwJDEiMCAGA1UEAwwZaW50LWV4YW1wbGUtb3JnLXBlcm1pdHRlZDAiGA8yMDIy +MTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAaMRgwFgYDVQQDDA9lZS1leGFt +cGxlLXRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W +1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtq +ZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx +0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthV +t2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo +4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx +1QOs2hgKNe2NAgMBAAGjGzAZMBcGA1UdEQQQMA6CDGV4YW1wbGUudGVzdDANBgkq +hkiG9w0BAQsFAAOCAQEAJUByQ8abS/RVjsiI9eH57oXGIqfgarbC0svvWGK/OEcO +mWGt9VtEYuhrvCR958xTZiwQE9RM/y0ItBTV+FrVqbH1LrSwPR+V/rhOrCsduwJ0 +GkVWJEb+ElW3aEyYjGOG5OaAv7JKbOFMk3mmN2AVoHT9YBwMFCVDFj2wzIJ44rvV +NeFjugXa/6AmPL7zEe0BDFLIlA7eKjam0/uUhj0uxhIYMsNzja0LHwiUIeVTP9ZX +kelXGLwrN1oA39dMrLADZKAwokPtq3gw+EZ1zCcd6PLcyIlzz3VrtQDKBbY9iCg4 +6OgWLdhc8x2mM99Ek4eaTlVyaWaSRzbe35M9ZoNXFQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ee-example-test.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-test.pem.certspec new file mode 100644 index 0000000000..0926ce477a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-test.pem.certspec @@ -0,0 +1,3 @@ +issuer:int-example-org-permitted +subject:ee-example-test +extension:subjectAlternativeName:example.test diff --git a/security/manager/ssl/tests/unit/test_name_constraints/int-example-org-permitted.pem b/security/manager/ssl/tests/unit/test_name_constraints/int-example-org-permitted.pem new file mode 100644 index 0000000000..04d2356add --- /dev/null +++ b/security/manager/ssl/tests/unit/test_name_constraints/int-example-org-permitted.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDEjCCAfqgAwIBAgIUKbtT4nBoUSNxDQ0ZHmFVyHfiQowwDQYJKoZIhvcNAQEL +BQAwIzEhMB8GA1UEAwwYY2EtZXhhbXBsZS1jb20tcGVybWl0dGVkMCIYDzIwMjIx +MTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMCQxIjAgBgNVBAMMGWludC1leGFt +cGxlLW9yZy1wZXJtaXR0ZWQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB +AQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24a +hvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7t +FYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+o +N9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0d +JdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4 +s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjOTA3MAwGA1UdEwQFMAMBAf8wCwYDVR0P +BAQDAgEGMBoGA1UdHgQTMBGgDzANggtleGFtcGxlLm9yZzANBgkqhkiG9w0BAQsF +AAOCAQEArcZT82Z/fm6wjkQ4kq6Gl1vo8eVVB0MFAEfSjBHXL/QLckjqTsCmGg8B +qGLVd8Bs65lyZ1J8teiuUxgXTfZE5C1twt88CsbVV6Q9Z/jr496DsYIPgRb7duaa +YuqhZ91tqdDt6A59xHaxcwRlK1kJNym6f2O2JXd01PWcJWf7NiY7O1F/E8Sh9fNu +Fct/WQ6oSvk5RxDPP5RwaHkIyZCM39B/ImU5HOdilu0EWIA/gugMbn3lyCJjUt7t +ayg6e77PBmpwYkMnyX0ryB8lRgrDzU46DCGB3U4O3nJkaVWDp9ZXHFpzUUfWOcCz +62KbB27bKPa9sGO+kh/kbQmQWx6QBg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_name_constraints/int-example-org-permitted.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/int-example-org-permitted.pem.certspec new file mode 100644 index 0000000000..87e2cf8a56 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_name_constraints/int-example-org-permitted.pem.certspec @@ -0,0 +1,5 @@ +issuer:ca-example-com-permitted +subject:int-example-org-permitted +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign +extension:nameConstraints:permitted:example.org diff --git a/security/manager/ssl/tests/unit/test_nonascii_path.js b/security/manager/ssl/tests/unit/test_nonascii_path.js new file mode 100644 index 0000000000..3c31640d05 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_nonascii_path.js @@ -0,0 +1,52 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +"use strict"; + +// Tests to make sure that the certificate DB works with non-ASCII paths. + +// Append a single quote and non-ASCII characters to the profile path. +let profd = Services.env.get("XPCSHELL_TEST_PROFILE_DIR"); +let file = Cc["@mozilla.org/file/local;1"].createInstance(Ci.nsIFile); +file.initWithPath(profd); +file.append("'÷1"); +Services.env.set("XPCSHELL_TEST_PROFILE_DIR", file.path); + +file = do_get_profile(); // must be called before getting nsIX509CertDB +Assert.ok( + /[^\x20-\x7f]/.test(file.path), + "the profile path should contain a non-ASCII character" +); + +// Restore the original value. +Services.env.set("XPCSHELL_TEST_PROFILE_DIR", profd); + +const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +function load_cert(cert_name, trust_string) { + let cert_filename = cert_name + ".pem"; + return addCertFromFile( + certdb, + "test_cert_trust/" + cert_filename, + trust_string + ); +} + +function run_test() { + let certList = ["ca", "int", "ee"]; + let loadedCerts = []; + for (let certName of certList) { + loadedCerts.push(load_cert(certName, ",,")); + } + + let ca_cert = loadedCerts[0]; + notEqual(ca_cert, null, "CA cert should have successfully loaded"); + let int_cert = loadedCerts[1]; + notEqual(int_cert, null, "Intermediate cert should have successfully loaded"); + let ee_cert = loadedCerts[2]; + notEqual(ee_cert, null, "EE cert should have successfully loaded"); +} diff --git a/security/manager/ssl/tests/unit/test_nsCertType.js b/security/manager/ssl/tests/unit/test_nsCertType.js new file mode 100644 index 0000000000..8341575473 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_nsCertType.js @@ -0,0 +1,32 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. +// +// While the Netscape certificate type extension is not a standard and has been +// discouraged from use for quite some time, it is still encountered. Thus, we +// handle it slightly differently from other unknown extensions. +// If it is not marked critical, we ignore it. +// If it is marked critical: +// If the basic constraints and extended key usage extensions are also +// present, we ignore it, because they are standardized and should convey the +// same information. +// Otherwise, we reject it with an error indicating an unknown critical +// extension. + +"use strict"; + +function run_test() { + do_get_profile(); + add_tls_server_setup("BadCertAndPinningServer", "bad_certs"); + add_connection_test("nsCertTypeNotCritical.example.com", PRErrorCodeSuccess); + add_connection_test( + "nsCertTypeCriticalWithExtKeyUsage.example.com", + PRErrorCodeSuccess + ); + add_connection_test( + "nsCertTypeCritical.example.com", + SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION + ); + run_next_test(); +} diff --git a/security/manager/ssl/tests/unit/test_nsIX509CertValidity.js b/security/manager/ssl/tests/unit/test_nsIX509CertValidity.js new file mode 100644 index 0000000000..8650409df7 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_nsIX509CertValidity.js @@ -0,0 +1,25 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ +"use strict"; + +// This file tests the nsIX509CertValidity implementation. + +function run_test() { + // Date.parse("2013-01-01T00:00:00Z") + const NOT_BEFORE_IN_MS = 1356998400000; + // Date.parse("2014-01-01T00:00:00Z") + const NOT_AFTER_IN_MS = 1388534400000; + let cert = constructCertFromFile("bad_certs/expired-ee.pem"); + + equal( + cert.validity.notBefore, + NOT_BEFORE_IN_MS * 1000, + "Actual and expected notBefore should be equal" + ); + equal( + cert.validity.notAfter, + NOT_AFTER_IN_MS * 1000, + "Actual and expected notAfter should be equal" + ); +} diff --git a/security/manager/ssl/tests/unit/test_nsIX509Cert_utf8.js b/security/manager/ssl/tests/unit/test_nsIX509Cert_utf8.js new file mode 100644 index 0000000000..6305b878b4 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_nsIX509Cert_utf8.js @@ -0,0 +1,96 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. +"use strict"; + +// Checks that various nsIX509Cert attributes correctly handle UTF-8. + +do_get_profile(); // Must be called before getting nsIX509CertDB +const certDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +function run_test() { + let cert = certDB.constructX509FromBase64( + "MIIF3DCCBMSgAwIBAgIEAJiZbzANBgkqhkiG9w0BAQUFADCCAQ0xYTBfBgNVBAMM" + + "WEkuQ0EgLSBRdWFsaWZpZWQgcm9vdCBjZXJ0aWZpY2F0ZSAoa3ZhbGlmaWtvdmFu" + + "w70gY2VydGlmaWvDoXQgcG9za3l0b3ZhdGVsZSkgLSBQU0VVRE9OWU0xCzAJBgNV" + + "BAYTAkNaMS8wLQYDVQQHDCZQb2R2aW5uw70gbWzDvW4gMjE3OC82LCAxOTAgMDAg" + + "UHJhaGEgOTEsMCoGA1UECgwjUHJ2bsOtIGNlcnRpZmlrYcSNbsOtIGF1dG9yaXRh" + + "IGEucy4xPDA6BgNVBAsMM0FrcmVkaXRvdmFuw70gcG9za3l0b3ZhdGVsIGNlcnRp" + + "ZmlrYcSNbsOtY2ggc2x1xb5lYjAeFw0wMjEyMTIxMzMzNDZaFw0wMzEyMTIxMzMz" + + "NDZaMIIBFDELMAkGA1UEBhMCQ1oxHzAdBgNVBAMeFgBMAHUAZAEbAGsAIABSAGEB" + + "YQBlAGsxGTAXBgNVBAgeEABWAHkAcwBvAQ0AaQBuAGExLzAtBgNVBAceJgBQAGEA" + + "YwBvAHYALAAgAE4A4QBkAHIAYQF+AG4A7QAgADcANgA5MSUwIwYJKoZIhvcNAQkB" + + "FhZsdWRlay5yYXNla0BjZW50cnVtLmN6MRMwEQYDVQQqHgoATAB1AGQBGwBrMQ0w" + + "CwYDVQQrHgQATABSMR8wHQYDVQQpHhYATAB1AGQBGwBrACAAUgBhAWEAZQBrMRMw" + + "EQYDVQQEHgoAUgBhAWEAZQBrMRcwFQYDVQQFEw5JQ0EgLSAxMDAwMzc2OTCBnzAN" + + "BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxc7dGd0cNlHZ7tUUl5k30bfYlY3lnOD0" + + "49JGbTXSt4jNFMRLj6s/777W3kcIdcIwdKxjQULBKgryDvZJ1DAWp2TwzhPDVYj3" + + "sU4Niqb7mOUcp/4ckteUxGF6FmXtJR9+XHTuLZ+omF9HOUefheBKnXvZuqrLM16y" + + "nbJn4sPwwdcCAwEAAaOCAbswggG3MCUGA1UdEQQeMBygGgYKKwMGAQQB3BkCAaAM" + + "DAoxNzYyODk2ODgzMGkGA1UdHwRiMGAwHqAcoBqGGGh0dHA6Ly9xLmljYS5jei9x" + + "aWNhLmNybDAeoBygGoYYaHR0cDovL2IuaWNhLmN6L3FpY2EuY3JsMB6gHKAahhho" + + "dHRwOi8vci5pY2EuY3ovcWljYS5jcmwwHwYDVR0jBBgwFoAUK1oKfvvlDYUsZTBy" + + "vGN701mca/UwHQYDVR0OBBYEFPAs70DB+LS0PnA6niPUfJ5wdQH5MIG4BgNVHSAE" + + "gbAwga0wgaoGCysGAQQBs2EBAQQEMIGaMC8GCCsGAQUFBwIBFiNodHRwOi8vd3d3" + + "LmljYS5jei9xY3AvY3BxcGljYTAyLnBkZjBnBggrBgEFBQcCAjBbGllUZW50byBj" + + "ZXJ0aWZpa2F0IGplIHZ5ZGFuIGpha28gS3ZhbGlmaWtvdmFueSBjZXJ0aWZpa2F0" + + "IHYgc291bGFkdSBzZSB6YWtvbmVtIDIyNy8yMDAwIFNiLjAYBggrBgEFBQcBAwQM" + + "MAowCAYGBACORgEBMA4GA1UdDwEB/wQEAwIE8DANBgkqhkiG9w0BAQUFAAOCAQEA" + + "v2V+nnYYMIgabmmgHx49CtlZIHdGS3TuWKXw130xFhbXDnNhEbx3alaskNsvjQQR" + + "Lqs1ZwKy58yynse+eJYHqenmHDACpAfVpCF9PXC/mDarVsoQw7NTcUpsAFhSd/zT" + + "v9jIf3twECyxx/RVzONVcob7nPePESHiKoG4FbtcuUh0wSHvCmTwRIQqPDCIuHcF" + + "StSt3Jr9iXcbXEhe4mSccOZ8N+r7Rv3ncKcevlRl7uFfDKDTyd43SZeRS/7J8KRf" + + "hD/h2nawrCFwc5gJW10aLJGFL/mcS7ViAIT9HCVk23j4TuBjsVmnZ0VKxB5edux+" + + "LIEqtU428UVHZWU/I5ngLw==" + ); + + equal( + cert.emailAddress, + "ludek.rasek@centrum.cz", + "Actual and expected emailAddress should match" + ); + equal( + cert.subjectName, + 'serialNumber=ICA - 10003769,SN=RaÅ¡ek,name=LudÄ›k RaÅ¡ek,initials=LR,givenName=LudÄ›k,E=ludek.rasek@centrum.cz,L="Pacov, Nádražnà 769",ST=VysoÄina,CN=LudÄ›k RaÅ¡ek,C=CZ', + "Actual and expected subjectName should match" + ); + equal( + cert.commonName, + "LudÄ›k RaÅ¡ek", + "Actual and expected commonName should match" + ); + equal(cert.organization, "", "Actual and expected organization should match"); + equal( + cert.organizationalUnit, + "", + "Actual and expected organizationalUnit should match" + ); + equal( + cert.displayName, + "LudÄ›k RaÅ¡ek", + "Actual and expected displayName should match" + ); + equal( + cert.issuerName, + 'OU=Akreditovaný poskytovatel certifikaÄnÃch služeb,O=Prvnà certifikaÄnà autorita a.s.,L="Podvinný mlýn 2178/6, 190 00 Praha 9",C=CZ,CN=I.CA - Qualified root certificate (kvalifikovaný certifikát poskytovatele) - PSEUDONYM', + "Actual and expected issuerName should match" + ); + equal( + cert.issuerCommonName, + "I.CA - Qualified root certificate (kvalifikovaný certifikát poskytovatele) - PSEUDONYM", + "Actual and expected issuerCommonName should match" + ); + equal( + cert.issuerOrganization, + "Prvnà certifikaÄnà autorita a.s.", + "Actual and expected issuerOrganization should match" + ); + equal( + cert.issuerOrganizationUnit, + "Akreditovaný poskytovatel certifikaÄnÃch služeb", + "Actual and expected issuerOrganizationUnit should match" + ); +} diff --git a/security/manager/ssl/tests/unit/test_ocsp_caching.js b/security/manager/ssl/tests/unit/test_ocsp_caching.js new file mode 100644 index 0000000000..b964018518 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_caching.js @@ -0,0 +1,479 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. +"use strict"; + +// Checks various aspects of the OCSP cache, mainly to to ensure we do not fetch +// responses more than necessary. + +var gFetchCount = 0; +var gGoodOCSPResponse = null; +var gResponsePattern = []; + +function respondWithGoodOCSP(request, response) { + info("returning 200 OK"); + response.setStatusLine(request.httpVersion, 200, "OK"); + response.setHeader("Content-Type", "application/ocsp-response"); + response.write(gGoodOCSPResponse); +} + +function respondWithSHA1OCSP(request, response) { + info("returning 200 OK with sha-1 delegated response"); + response.setStatusLine(request.httpVersion, 200, "OK"); + response.setHeader("Content-Type", "application/ocsp-response"); + + let args = [["good-delegated", "default-ee", "delegatedSHA1Signer", 0]]; + let responses = generateOCSPResponses(args, "ocsp_certs"); + response.write(responses[0]); +} + +function respondWithError(request, response) { + info("returning 500 Internal Server Error"); + response.setStatusLine(request.httpVersion, 500, "Internal Server Error"); + let body = "Refusing to return a response"; + response.bodyOutputStream.write(body, body.length); +} + +function generateGoodOCSPResponse(thisUpdateSkew) { + let args = [["good", "default-ee", "unused", thisUpdateSkew]]; + let responses = generateOCSPResponses(args, "ocsp_certs"); + return responses[0]; +} + +function add_ocsp_test( + aHost, + aExpectedResult, + aResponses, + aMessage, + aOriginAttributes +) { + add_connection_test( + aHost, + aExpectedResult, + function () { + clearSessionCache(); + gFetchCount = 0; + gResponsePattern = aResponses; + }, + function () { + // check the number of requests matches the size of aResponses + equal(gFetchCount, aResponses.length, aMessage); + }, + null, + aOriginAttributes + ); +} + +function run_test() { + do_get_profile(); + Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true); + Services.prefs.setIntPref("security.OCSP.enabled", 1); + add_tls_server_setup("OCSPStaplingServer", "ocsp_certs"); + + let ocspResponder = new HttpServer(); + ocspResponder.registerPrefixHandler("/", function (request, response) { + info("gFetchCount: " + gFetchCount); + let responseFunction = gResponsePattern[gFetchCount]; + Assert.notEqual(undefined, responseFunction); + + ++gFetchCount; + responseFunction(request, response); + }); + ocspResponder.start(8888); + + add_tests(); + + add_test(function () { + ocspResponder.stop(run_next_test); + }); + run_next_test(); +} + +function add_tests() { + // Test that verifying a certificate with a "short lifetime" doesn't result + // in OCSP fetching. Due to longevity requirements in our testing + // infrastructure, the certificate we encounter is valid for a very long + // time, so we have to define a "short lifetime" as something very long. + add_test(function () { + Services.prefs.setIntPref( + "security.pki.cert_short_lifetime_in_days", + 12000 + ); + run_next_test(); + }); + + add_ocsp_test( + "ocsp-stapling-none.example.com", + PRErrorCodeSuccess, + [], + "expected zero OCSP requests for a short-lived certificate" + ); + + add_test(function () { + Services.prefs.setIntPref("security.pki.cert_short_lifetime_in_days", 100); + run_next_test(); + }); + + // If a "short lifetime" is something more reasonable, ensure that we do OCSP + // fetching for this long-lived certificate. + + add_ocsp_test( + "ocsp-stapling-none.example.com", + PRErrorCodeSuccess, + [respondWithError], + "expected one OCSP request for a long-lived certificate" + ); + add_test(function () { + Services.prefs.clearUserPref("security.pki.cert_short_lifetime_in_days"); + run_next_test(); + }); + // --------------------------------------------------------------------------- + + // Reset state + add_test(function () { + clearOCSPCache(); + run_next_test(); + }); + + // This test assumes that OCSPStaplingServer uses the same cert for + // ocsp-stapling-unknown.example.com and ocsp-stapling-none.example.com. + + // Get an Unknown response for the *.example.com cert and put it in the + // OCSP cache. + add_ocsp_test( + "ocsp-stapling-unknown.example.com", + SEC_ERROR_OCSP_UNKNOWN_CERT, + [], + "Stapled Unknown response -> a fetch should not have been attempted" + ); + + // A failure to retrieve an OCSP response must result in the cached Unknown + // response being recognized and honored. + add_ocsp_test( + "ocsp-stapling-none.example.com", + SEC_ERROR_OCSP_UNKNOWN_CERT, + [respondWithError, respondWithError], + "No stapled response -> a fetch should have been attempted" + ); + + // A valid Good response from the OCSP responder must override the cached + // Unknown response. + // + // Note that We need to make sure that the Unknown response and the Good + // response have different thisUpdate timestamps; otherwise, the Good + // response will be seen as "not newer" and it won't replace the existing + // entry. + add_test(function () { + gGoodOCSPResponse = generateGoodOCSPResponse(1200); + run_next_test(); + }); + add_ocsp_test( + "ocsp-stapling-none.example.com", + PRErrorCodeSuccess, + [respondWithGoodOCSP], + "Cached Unknown response, no stapled response -> a fetch" + + " should have been attempted" + ); + + // The Good response retrieved from the previous fetch must have replaced + // the Unknown response in the cache, resulting in the catched Good response + // being returned and no fetch. + add_ocsp_test( + "ocsp-stapling-none.example.com", + PRErrorCodeSuccess, + [], + "Cached Good response -> a fetch should not have been attempted" + ); + + // --------------------------------------------------------------------------- + + // Reset state + add_test(function () { + clearOCSPCache(); + run_next_test(); + }); + + // A failure to retrieve an OCSP response will result in an error entry being + // added to the cache. + add_ocsp_test( + "ocsp-stapling-none.example.com", + PRErrorCodeSuccess, + [respondWithError], + "No stapled response -> a fetch should have been attempted" + ); + + // The error entry will prevent a fetch from happening for a while. + add_ocsp_test( + "ocsp-stapling-none.example.com", + PRErrorCodeSuccess, + [], + "Noted OCSP server failure -> a fetch should not have been attempted" + ); + + // The error entry must not prevent a stapled OCSP response from being + // honored. + add_ocsp_test( + "ocsp-stapling-revoked.example.com", + SEC_ERROR_REVOKED_CERTIFICATE, + [], + "Stapled Revoked response -> a fetch should not have been attempted" + ); + + // --------------------------------------------------------------------------- + + // Ensure OCSP responses from signers with SHA1 certificates are OK. This + // is included in the OCSP caching tests since there were OCSP cache-related + // regressions when sha-1 telemetry probes were added. + add_test(function () { + clearOCSPCache(); + // set security.OCSP.require so that checking the OCSP signature fails + Services.prefs.setBoolPref("security.OCSP.require", true); + run_next_test(); + }); + + add_ocsp_test( + "ocsp-stapling-none.example.com", + SEC_ERROR_OCSP_INVALID_SIGNING_CERT, + [respondWithSHA1OCSP], + "OCSP signing cert was issued with sha1 - should fail" + ); + + add_test(function () { + Services.prefs.setBoolPref("security.OCSP.require", false); + run_next_test(); + }); + + // --------------------------------------------------------------------------- + + // Reset state + add_test(function () { + clearOCSPCache(); + run_next_test(); + }); + + // This test makes sure that OCSP cache are isolated by firstPartyDomain. + + let gObservedCnt = 0; + let protocolProxyService = Cc[ + "@mozilla.org/network/protocol-proxy-service;1" + ].getService(Ci.nsIProtocolProxyService); + + // Observe all channels and make sure the firstPartyDomain in their loadInfo's + // origin attributes are aFirstPartyDomain. + function startObservingChannels(aFirstPartyDomain) { + // We use a dummy proxy filter to catch all channels, even those that do not + // generate an "http-on-modify-request" notification. + let proxyFilter = { + applyFilter(aChannel, aProxy, aCallback) { + // We have the channel; provide it to the callback. + if (aChannel.originalURI.spec == "http://localhost:8888/") { + gObservedCnt++; + equal( + aChannel.loadInfo.originAttributes.firstPartyDomain, + aFirstPartyDomain, + "firstPartyDomain should match" + ); + } + // Pass on aProxy unmodified. + aCallback.onProxyFilterResult(aProxy); + }, + }; + protocolProxyService.registerChannelFilter(proxyFilter, 0); + // Return the stop() function: + return () => protocolProxyService.unregisterChannelFilter(proxyFilter); + } + + let stopObservingChannels; + add_test(function () { + stopObservingChannels = startObservingChannels("foo.com"); + run_next_test(); + }); + + // A good OCSP response will be cached. + add_ocsp_test( + "ocsp-stapling-none.example.com", + PRErrorCodeSuccess, + [respondWithGoodOCSP], + "No stapled response (firstPartyDomain = foo.com) -> a fetch " + + "should have been attempted", + { firstPartyDomain: "foo.com" } + ); + + // The cache will prevent a fetch from happening. + add_ocsp_test( + "ocsp-stapling-none.example.com", + PRErrorCodeSuccess, + [], + "Noted OCSP server failure (firstPartyDomain = foo.com) -> a " + + "fetch should not have been attempted", + { firstPartyDomain: "foo.com" } + ); + + add_test(function () { + stopObservingChannels(); + equal(gObservedCnt, 1, "should have observed only 1 OCSP requests"); + gObservedCnt = 0; + run_next_test(); + }); + + add_test(function () { + stopObservingChannels = startObservingChannels("bar.com"); + run_next_test(); + }); + + // But using a different firstPartyDomain should result in a fetch. + add_ocsp_test( + "ocsp-stapling-none.example.com", + PRErrorCodeSuccess, + [respondWithGoodOCSP], + "No stapled response (firstPartyDomain = bar.com) -> a fetch " + + "should have been attempted", + { firstPartyDomain: "bar.com" } + ); + + add_test(function () { + stopObservingChannels(); + equal(gObservedCnt, 1, "should have observed only 1 OCSP requests"); + gObservedCnt = 0; + run_next_test(); + }); + + // --------------------------------------------------------------------------- + + // Reset state + add_test(function () { + clearOCSPCache(); + run_next_test(); + }); + + // Test that the OCSP cache is not isolated by userContextId. + + // A good OCSP response will be cached. + add_ocsp_test( + "ocsp-stapling-none.example.com", + PRErrorCodeSuccess, + [respondWithGoodOCSP], + "No stapled response (userContextId = 1) -> a fetch " + + "should have been attempted", + { userContextId: 1 } + ); + + // The cache will prevent a fetch from happening. + add_ocsp_test( + "ocsp-stapling-none.example.com", + PRErrorCodeSuccess, + [], + "Noted OCSP server failure (userContextId = 1) -> a " + + "fetch should not have been attempted", + { userContextId: 1 } + ); + + // Fetching is prevented even if in a different userContextId. + add_ocsp_test( + "ocsp-stapling-none.example.com", + PRErrorCodeSuccess, + [], + "Noted OCSP server failure (userContextId = 2) -> a " + + "fetch should not have been attempted", + { userContextId: 2 } + ); + + // --------------------------------------------------------------------------- + + // Reset state + add_test(function () { + clearOCSPCache(); + run_next_test(); + }); + + // This test makes sure that OCSP cache are isolated by partitionKey. + + add_test(function () { + Services.prefs.setBoolPref( + "privacy.partition.network_state.ocsp_cache", + true + ); + run_next_test(); + }); + + // A good OCSP response will be cached. + add_ocsp_test( + "ocsp-stapling-none.example.com", + PRErrorCodeSuccess, + [respondWithGoodOCSP], + "No stapled response (partitionKey = (https,foo.com)) -> a fetch " + + "should have been attempted", + { partitionKey: "(https,foo.com)" } + ); + + // The cache will prevent a fetch from happening. + add_ocsp_test( + "ocsp-stapling-none.example.com", + PRErrorCodeSuccess, + [], + "Noted OCSP server failure (partitionKey = (https,foo.com)) -> a " + + "fetch should not have been attempted", + { partitionKey: "(https,foo.com)" } + ); + + // Using a different partitionKey should result in a fetch. + add_ocsp_test( + "ocsp-stapling-none.example.com", + PRErrorCodeSuccess, + [respondWithGoodOCSP], + "Noted OCSP server failure (partitionKey = (https,bar.com)) -> a " + + "fetch should have been attempted", + { partitionKey: "(https,bar.com)" } + ); + + // --------------------------------------------------------------------------- + + // Reset state + add_test(function () { + Services.prefs.clearUserPref("privacy.partition.network_state.ocsp_cache"); + clearOCSPCache(); + run_next_test(); + }); + + // This test makes sure that OCSP cache are isolated by partitionKey in + // private mode. + + // A good OCSP response will be cached. + add_ocsp_test( + "ocsp-stapling-none.example.com", + PRErrorCodeSuccess, + [respondWithGoodOCSP], + "No stapled response (partitionKey = (https,foo.com)) -> a fetch " + + "should have been attempted", + { partitionKey: "(https,foo.com)", privateBrowsingId: 1 } + ); + + // The cache will prevent a fetch from happening. + add_ocsp_test( + "ocsp-stapling-none.example.com", + PRErrorCodeSuccess, + [], + "Noted OCSP server failure (partitionKey = (https,foo.com)) -> a " + + "fetch should not have been attempted", + { partitionKey: "(https,foo.com)", privateBrowsingId: 1 } + ); + + // Using a different partitionKey should result in a fetch. + add_ocsp_test( + "ocsp-stapling-none.example.com", + PRErrorCodeSuccess, + [respondWithGoodOCSP], + "Noted OCSP server failure (partitionKey = (https,bar.com)) -> a " + + "fetch should have been attempted", + { partitionKey: "(https,bar.com)", privateBrowsingId: 1 } + ); + + // --------------------------------------------------------------------------- + + // Reset state + add_test(function () { + clearOCSPCache(); + run_next_test(); + }); +} diff --git a/security/manager/ssl/tests/unit/test_ocsp_enabled_pref.js b/security/manager/ssl/tests/unit/test_ocsp_enabled_pref.js new file mode 100644 index 0000000000..00b1fc02a9 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_enabled_pref.js @@ -0,0 +1,146 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ +"use strict"; + +// Checks that the security.OCSP.enabled pref correctly controls OCSP fetching +// behavior. + +do_get_profile(); // Must be called before getting nsIX509CertDB +const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +const SERVER_PORT = 8888; + +function certFromFile(filename) { + return constructCertFromFile(`test_ev_certs/${filename}.pem`); +} + +function loadCert(certName, trustString) { + addCertFromFile(gCertDB, `test_ev_certs/${certName}.pem`, trustString); +} + +function getFailingOCSPResponder() { + return getFailingHttpServer(SERVER_PORT, ["www.example.com"]); +} + +function getOCSPResponder(expectedCertNames) { + return startOCSPResponder( + SERVER_PORT, + "www.example.com", + "test_ev_certs", + expectedCertNames, + [] + ); +} + +// Tests that in ocspOff mode, OCSP fetches are never done. +async function testOff() { + Services.prefs.setIntPref("security.OCSP.enabled", 0); + info("Setting security.OCSP.enabled to 0"); + + // EV chains should verify successfully but never get EV status. + clearOCSPCache(); + let ocspResponder = getFailingOCSPResponder(); + await checkEVStatus( + gCertDB, + certFromFile("test-oid-path-ee"), + certificateUsageSSLServer, + false + ); + await stopOCSPResponder(ocspResponder); + + // A DV chain should verify successfully. + clearOCSPCache(); + ocspResponder = getFailingOCSPResponder(); + await checkCertErrorGeneric( + gCertDB, + certFromFile("non-ev-root-path-ee"), + PRErrorCodeSuccess, + certificateUsageSSLServer + ); + await stopOCSPResponder(ocspResponder); +} + +// Tests that in ocspOn mode, OCSP fetches are done for both EV and DV certs. +async function testOn() { + Services.prefs.setIntPref("security.OCSP.enabled", 1); + info("Setting security.OCSP.enabled to 1"); + + // If a successful OCSP response is fetched, then an EV chain should verify + // successfully and get EV status as well. + clearOCSPCache(); + let ocspResponder = getOCSPResponder(["test-oid-path-ee"]); + await checkEVStatus( + gCertDB, + certFromFile("test-oid-path-ee"), + certificateUsageSSLServer, + gEVExpected + ); + await stopOCSPResponder(ocspResponder); + + // If a successful OCSP response is fetched, then a DV chain should verify + // successfully. + clearOCSPCache(); + ocspResponder = getOCSPResponder(["non-ev-root-path-ee"]); + await checkCertErrorGeneric( + gCertDB, + certFromFile("non-ev-root-path-ee"), + PRErrorCodeSuccess, + certificateUsageSSLServer + ); + await stopOCSPResponder(ocspResponder); +} + +// Tests that in ocspEVOnly mode, OCSP fetches are done for EV certs only. +async function testEVOnly() { + Services.prefs.setIntPref("security.OCSP.enabled", 2); + info("Setting security.OCSP.enabled to 2"); + + // If a successful OCSP response is fetched, then an EV chain should verify + // successfully and get EV status as well. + clearOCSPCache(); + let ocspResponder = gEVExpected + ? getOCSPResponder(["test-oid-path-ee"]) + : getFailingOCSPResponder(); + await checkEVStatus( + gCertDB, + certFromFile("test-oid-path-ee"), + certificateUsageSSLServer, + gEVExpected + ); + await stopOCSPResponder(ocspResponder); + + // A DV chain should verify successfully even without doing OCSP fetches. + clearOCSPCache(); + ocspResponder = getFailingOCSPResponder(); + await checkCertErrorGeneric( + gCertDB, + certFromFile("non-ev-root-path-ee"), + PRErrorCodeSuccess, + certificateUsageSSLServer + ); + await stopOCSPResponder(ocspResponder); +} + +add_task(async function () { + registerCleanupFunction(() => { + Services.prefs.clearUserPref("network.dns.localDomains"); + Services.prefs.clearUserPref("security.OCSP.enabled"); + Services.prefs.clearUserPref("security.OCSP.require"); + }); + Services.prefs.setCharPref("network.dns.localDomains", "www.example.com"); + // Enable hard fail to ensure chains that should only succeed because they get + // a good OCSP response do not succeed due to soft fail leniency. + Services.prefs.setBoolPref("security.OCSP.require", true); + + loadCert("evroot", "CTu,,"); + loadCert("test-oid-path-int", ",,"); + loadCert("non-evroot-ca", "CTu,,"); + loadCert("non-ev-root-path-int", ",,"); + + await testOff(); + await testOn(); + await testEVOnly(); +}); diff --git a/security/manager/ssl/tests/unit/test_ocsp_must_staple.js b/security/manager/ssl/tests/unit/test_ocsp_must_staple.js new file mode 100644 index 0000000000..32ac332e61 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_must_staple.js @@ -0,0 +1,160 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. +"use strict"; + +// Tests OCSP Must Staple handling by connecting to various domains (as faked by +// a server running locally) that correspond to combinations of whether the +// extension is present in intermediate and end-entity certificates. + +var gExpectOCSPRequest; + +function add_ocsp_test( + aHost, + aExpectedResult, + aStaplingEnabled, + aExpectOCSPRequest = false, + aWithSecurityInfo = undefined +) { + add_connection_test( + aHost, + aExpectedResult, + function () { + gExpectOCSPRequest = aExpectOCSPRequest; + clearOCSPCache(); + clearSessionCache(); + Services.prefs.setBoolPref( + "security.ssl.enable_ocsp_stapling", + aStaplingEnabled + ); + }, + aWithSecurityInfo + ); +} + +function add_tests() { + // Next, a case where it's present in the intermediate, not the ee + add_ocsp_test( + "ocsp-stapling-plain-ee-with-must-staple-int.example.com", + MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING, + true + ); + + // We disable OCSP stapling in the next two tests so we can perform checks + // on TLS Features in the chain without needing to support the TLS + // extension values used. + // Test an issuer with multiple TLS features in matched in the EE + add_ocsp_test( + "multi-tls-feature-good.example.com", + PRErrorCodeSuccess, + false + ); + + // Finally, an issuer with multiple TLS features not matched by the EE. + add_ocsp_test( + "multi-tls-feature-bad.example.com", + MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING, + false + ); + + // Now a bunch of operations with only a must-staple ee + add_ocsp_test( + "ocsp-stapling-must-staple.example.com", + PRErrorCodeSuccess, + true + ); + + add_ocsp_test( + "ocsp-stapling-must-staple-revoked.example.com", + SEC_ERROR_REVOKED_CERTIFICATE, + true + ); + + add_ocsp_test( + "ocsp-stapling-must-staple-missing.example.com", + MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING, + true, + true + ); + + add_ocsp_test( + "ocsp-stapling-must-staple-empty.example.com", + SEC_ERROR_OCSP_MALFORMED_RESPONSE, + true + ); + + add_ocsp_test( + "ocsp-stapling-must-staple-missing.example.com", + PRErrorCodeSuccess, + false, + true + ); + + // If the stapled response is expired, we will try to fetch a new one. + // If that fails, we should report the original error. + add_ocsp_test( + "ocsp-stapling-must-staple-expired.example.com", + SEC_ERROR_OCSP_OLD_RESPONSE, + true, + true + ); + // Similarly with a "try server later" response. + add_ocsp_test( + "ocsp-stapling-must-staple-try-later.example.com", + SEC_ERROR_OCSP_TRY_SERVER_LATER, + true, + true + ); + // And again with an invalid OCSP response signing certificate. + add_ocsp_test( + "ocsp-stapling-must-staple-invalid-signer.example.com", + SEC_ERROR_OCSP_INVALID_SIGNING_CERT, + true, + true + ); + + // check that disabling must-staple works + add_test(function () { + clearSessionCache(); + Services.prefs.setBoolPref("security.ssl.enable_ocsp_must_staple", false); + run_next_test(); + }); + + add_ocsp_test( + "ocsp-stapling-must-staple-missing.example.com", + PRErrorCodeSuccess, + true, + true + ); +} + +function run_test() { + do_get_profile(); + Services.prefs.setBoolPref("security.ssl.enable_ocsp_must_staple", true); + Services.prefs.setIntPref("security.OCSP.enabled", 1); + // This test may sometimes fail on android due to an OCSP request timing out. + // That aspect of OCSP requests is not what we're testing here, so we can just + // bump the timeout and hopefully avoid these failures. + Services.prefs.setIntPref("security.OCSP.timeoutMilliseconds.soft", 5000); + + let fakeOCSPResponder = new HttpServer(); + fakeOCSPResponder.registerPrefixHandler("/", function (request, response) { + response.setStatusLine(request.httpVersion, 500, "Internal Server Error"); + ok( + gExpectOCSPRequest, + "Should be getting an OCSP request only when expected" + ); + }); + fakeOCSPResponder.start(8888); + + add_tls_server_setup("OCSPStaplingServer", "ocsp_certs"); + + add_tests(); + + add_test(function () { + fakeOCSPResponder.stop(run_next_test); + }); + + run_next_test(); +} diff --git a/security/manager/ssl/tests/unit/test_ocsp_no_hsts_upgrade.js b/security/manager/ssl/tests/unit/test_ocsp_no_hsts_upgrade.js new file mode 100644 index 0000000000..ed5d0a3e00 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_no_hsts_upgrade.js @@ -0,0 +1,58 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. +"use strict"; + +// Test that if an OCSP request is made to a domain that (erroneously) +// has HSTS status, the request is not upgraded from HTTP to HTTPS. + +function run_test() { + do_get_profile(); + // OCSP required means this test will only pass if the request succeeds. + Services.prefs.setBoolPref("security.OCSP.require", true); + + // We don't actually make use of stapling in this test. This is just how we + // get a TLS connection. + add_tls_server_setup("OCSPStaplingServer", "ocsp_certs"); + + let args = [["good", "default-ee", "unused", 0]]; + let ocspResponses = generateOCSPResponses(args, "ocsp_certs"); + let goodOCSPResponse = ocspResponses[0]; + + let ocspResponder = new HttpServer(); + ocspResponder.registerPrefixHandler("/", function (request, response) { + response.setStatusLine(request.httpVersion, 200, "OK"); + response.setHeader("Content-Type", "application/ocsp-response"); + response.write(goodOCSPResponse); + }); + ocspResponder.start(8888); + + // ocsp-stapling-none.example.com does not staple an OCSP response in the + // handshake, so the revocation checking code will attempt to fetch one. + // Since the domain of the certificate's OCSP AIA URI is an HSTS host + // (as added in the setup of this test, below), a buggy implementation would + // upgrade the OCSP request to HTTPS. We specifically prevent this. This + // test demonstrates that our implementation is correct in this regard. + add_connection_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess); + add_test(function () { + run_next_test(); + }); + + add_test(function () { + ocspResponder.stop(run_next_test); + }); + + let SSService = Cc["@mozilla.org/ssservice;1"].getService( + Ci.nsISiteSecurityService + ); + let uri = Services.io.newURI("http://localhost"); + SSService.processHeader(uri, "max-age=10000"); + ok( + SSService.isSecureURI(uri), + "Domain for the OCSP AIA URI should be considered a HSTS host, otherwise" + + " we wouldn't be testing what we think we're testing" + ); + + run_next_test(); +} diff --git a/security/manager/ssl/tests/unit/test_ocsp_private_caching.js b/security/manager/ssl/tests/unit/test_ocsp_private_caching.js new file mode 100644 index 0000000000..47b976cf71 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_private_caching.js @@ -0,0 +1,115 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +"use strict"; + +// In which we connect to a host and encounter OCSP responses with the +// Cache-Control header set, which normally Necko would cache. This test +// ensures that these responses aren't cached. PSM has its own OCSP cache, so +// Necko shouldn't also be caching them. + +do_get_profile(); // must be called before getting nsIX509CertDB + +const SERVER_PORT = 8888; + +function add_flush_cache() { + add_test(() => { + // This appears to either fire multiple times or fire once for every + // observer that has ever been passed to flush. To prevent multiple calls to + // run_next_test, keep track of if this observer has already called it. + let observed = false; + let observer = { + observe: () => { + if (!observed) { + observed = true; + run_next_test(); + } + }, + }; + Services.cache2.QueryInterface(Ci.nsICacheTesting).flush(observer); + }); +} + +function add_ocsp_necko_cache_test(loadContext) { + // Pre-testcase cleanup/setup. + add_test(() => { + Services.cache2.clear(); + run_next_test(); + }); + add_flush_cache(); + + let responder; + add_test(() => { + clearOCSPCache(); + clearSessionCache(); + responder = startOCSPResponder( + SERVER_PORT, + "localhost", + "ocsp_certs", + ["default-ee"], + [], + [], + [], + [["Cache-Control", "max-age=1000"]] + ); + run_next_test(); + }); + + // Prepare a connection that will cause an OCSP request. + add_connection_test( + "ocsp-stapling-none.example.com", + PRErrorCodeSuccess, + null, + null, + null, + loadContext.originAttributes + ); + + add_flush_cache(); + + // Traverse the cache and ensure the response was not cached. + add_test(() => { + let foundEntry = false; + let visitor = { + onCacheStorageInfo() {}, + onCacheEntryInfo( + aURI, + aIdEnhance, + aDataSize, + aFetchCount, + aLastModifiedTime, + aExpirationTime, + aPinned, + aInfo + ) { + Assert.equal( + aURI.spec, + "http://localhost:8888/", + "expected OCSP request URI should match" + ); + foundEntry = true; + }, + onCacheEntryVisitCompleted() { + Assert.ok(!foundEntry, "should not find a cached entry"); + run_next_test(); + }, + QueryInterface: ChromeUtils.generateQI(["nsICacheStorageVisitor"]), + }; + Services.cache2.asyncVisitAllStorages(visitor, true); + }); + + // Clean up (stop the responder). + add_test(() => { + responder.stop(run_next_test); + }); +} + +function run_test() { + Services.prefs.setIntPref("security.OCSP.enabled", 1); + add_tls_server_setup("OCSPStaplingServer", "ocsp_certs"); + add_ocsp_necko_cache_test(Services.loadContextInfo.private); + add_ocsp_necko_cache_test(Services.loadContextInfo.default); + run_next_test(); +} diff --git a/security/manager/ssl/tests/unit/test_ocsp_required.js b/security/manager/ssl/tests/unit/test_ocsp_required.js new file mode 100644 index 0000000000..3b2cceed72 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_required.js @@ -0,0 +1,95 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. +"use strict"; + +// In which we connect to a domain (as faked by a server running locally) and +// start up an OCSP responder (also basically faked) that gives a response with +// a bad signature (and later, an empty response). With security.OCSP.require +// set to true, these connections should fail (but they also shouldn't cause +// assertion failures). + +var gOCSPRequestCount = 0; +var gOCSPResponse; + +function run_test() { + do_get_profile(); + Services.prefs.setBoolPref("security.OCSP.require", true); + Services.prefs.setIntPref("security.OCSP.enabled", 1); + + // We don't actually make use of stapling in this test. This is just how we + // get a TLS connection. + add_tls_server_setup("OCSPStaplingServer", "ocsp_certs"); + + let args = [["bad-signature", "default-ee", "unused", 0]]; + let ocspResponses = generateOCSPResponses(args, "ocsp_certs"); + // Start by replying with a response with a bad signature. + gOCSPResponse = ocspResponses[0]; + + let ocspResponder = new HttpServer(); + ocspResponder.registerPrefixHandler("/", function (request, response) { + response.setStatusLine(request.httpVersion, 200, "OK"); + response.setHeader("Content-Type", "application/ocsp-response"); + response.write(gOCSPResponse); + gOCSPRequestCount++; + }); + ocspResponder.start(8888); + + add_tests(); + + add_test(function () { + ocspResponder.stop(run_next_test); + }); + + run_next_test(); +} + +function add_tests() { + add_connection_test( + "ocsp-stapling-none.example.com", + SEC_ERROR_OCSP_BAD_SIGNATURE, + function () {}, + function (aTransportSecurityInfo) { + Assert.ok( + aTransportSecurityInfo.madeOCSPRequests, + "An OCSP Request should have been made." + ); + } + ); + add_connection_test( + "ocsp-stapling-none.example.com", + SEC_ERROR_OCSP_BAD_SIGNATURE, + function () {}, + function (aTransportSecurityInfo) { + Assert.ok( + !aTransportSecurityInfo.madeOCSPRequests, + "An OCSP Request should not have been made." + ); + } + ); + add_test(function () { + equal( + gOCSPRequestCount, + 1, + "OCSP request count should be 1 due to OCSP response caching" + ); + gOCSPRequestCount = 0; + // Now set the OCSP responder to reply with 200 OK but empty content. + gOCSPResponse = ""; + clearOCSPCache(); + run_next_test(); + }); + + add_connection_test( + "ocsp-stapling-none.example.com", + SEC_ERROR_OCSP_MALFORMED_RESPONSE, + function () {}, + function (aTransportSecurityInfo) { + Assert.ok( + aTransportSecurityInfo.madeOCSPRequests, + "An OCSP Request should have been made." + ); + } + ); +} diff --git a/security/manager/ssl/tests/unit/test_ocsp_stapling.js b/security/manager/ssl/tests/unit/test_ocsp_stapling.js new file mode 100644 index 0000000000..1f183797f6 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_stapling.js @@ -0,0 +1,400 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. +"use strict"; + +// In which we connect to a number of domains (as faked by a server running +// locally) with and without OCSP stapling enabled to determine that good +// things happen and bad things don't. + +// Enable the collection (during test) for all products so even products +// that don't collect the data will be able to run the test without failure. +Services.prefs.setBoolPref( + "toolkit.telemetry.testing.overrideProductsCheck", + true +); + +var gExpectOCSPRequest; + +function add_ocsp_test( + aHost, + aExpectedResult, + aStaplingEnabled, + aExpectOCSPRequest = false +) { + add_connection_test(aHost, aExpectedResult, function () { + gExpectOCSPRequest = aExpectOCSPRequest; + clearOCSPCache(); + clearSessionCache(); + Services.prefs.setBoolPref( + "security.ssl.enable_ocsp_stapling", + aStaplingEnabled + ); + }); +} + +function add_tests() { + // In the absence of OCSP stapling, these should actually all work. + add_ocsp_test( + "ocsp-stapling-good.example.com", + PRErrorCodeSuccess, + false, + true + ); + add_ocsp_test( + "ocsp-stapling-revoked.example.com", + PRErrorCodeSuccess, + false, + true + ); + add_ocsp_test( + "ocsp-stapling-good-other-ca.example.com", + PRErrorCodeSuccess, + false, + true + ); + add_ocsp_test( + "ocsp-stapling-malformed.example.com", + PRErrorCodeSuccess, + false, + true + ); + add_ocsp_test( + "ocsp-stapling-srverr.example.com", + PRErrorCodeSuccess, + false, + true + ); + add_ocsp_test( + "ocsp-stapling-trylater.example.com", + PRErrorCodeSuccess, + false, + true + ); + add_ocsp_test( + "ocsp-stapling-needssig.example.com", + PRErrorCodeSuccess, + false, + true + ); + add_ocsp_test( + "ocsp-stapling-unauthorized.example.com", + PRErrorCodeSuccess, + false, + true + ); + add_ocsp_test( + "ocsp-stapling-unknown.example.com", + PRErrorCodeSuccess, + false, + true + ); + add_ocsp_test( + "ocsp-stapling-good-other.example.com", + PRErrorCodeSuccess, + false, + true + ); + add_ocsp_test( + "ocsp-stapling-none.example.com", + PRErrorCodeSuccess, + false, + true + ); + add_ocsp_test( + "ocsp-stapling-expired.example.com", + PRErrorCodeSuccess, + false, + true + ); + add_ocsp_test( + "ocsp-stapling-expired-fresh-ca.example.com", + PRErrorCodeSuccess, + false, + true + ); + add_ocsp_test( + "ocsp-stapling-skip-responseBytes.example.com", + PRErrorCodeSuccess, + false, + true + ); + add_ocsp_test( + "ocsp-stapling-critical-extension.example.com", + PRErrorCodeSuccess, + false, + true + ); + add_ocsp_test( + "ocsp-stapling-noncritical-extension.example.com", + PRErrorCodeSuccess, + false, + true + ); + add_ocsp_test( + "ocsp-stapling-empty-extensions.example.com", + PRErrorCodeSuccess, + false, + true + ); + + // Now test OCSP stapling + // The following error codes are defined in security/nss/lib/util/SECerrs.h + + add_ocsp_test("ocsp-stapling-good.example.com", PRErrorCodeSuccess, true); + + add_ocsp_test( + "ocsp-stapling-revoked.example.com", + SEC_ERROR_REVOKED_CERTIFICATE, + true + ); + + // This stapled response is from a CA that is untrusted and did not issue + // the server's certificate. + let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + let otherTestCA = constructCertFromFile("ocsp_certs/other-test-ca.pem"); + add_test(function () { + certDB.setCertTrust( + otherTestCA, + Ci.nsIX509Cert.CA_CERT, + Ci.nsIX509CertDB.UNTRUSTED + ); + run_next_test(); + }); + add_ocsp_test( + "ocsp-stapling-good-other-ca.example.com", + SEC_ERROR_OCSP_INVALID_SIGNING_CERT, + true, + true + ); + + // The stapled response is from a CA that is trusted but did not issue the + // server's certificate. + add_test(function () { + certDB.setCertTrust( + otherTestCA, + Ci.nsIX509Cert.CA_CERT, + Ci.nsIX509CertDB.TRUSTED_SSL + ); + run_next_test(); + }); + // TODO(bug 979055): When using ByName instead of ByKey, the error here is + // SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE. We should be testing both cases. + add_ocsp_test( + "ocsp-stapling-good-other-ca.example.com", + SEC_ERROR_OCSP_INVALID_SIGNING_CERT, + true, + true + ); + + // TODO: Test the case where the signing cert can't be found at all, which + // will result in SEC_ERROR_BAD_DATABASE in the NSS classic case. + + add_ocsp_test( + "ocsp-stapling-malformed.example.com", + SEC_ERROR_OCSP_MALFORMED_REQUEST, + true + ); + add_ocsp_test( + "ocsp-stapling-srverr.example.com", + SEC_ERROR_OCSP_SERVER_ERROR, + true + ); + add_ocsp_test( + "ocsp-stapling-trylater.example.com", + SEC_ERROR_OCSP_TRY_SERVER_LATER, + true, + true + ); + add_ocsp_test( + "ocsp-stapling-needssig.example.com", + SEC_ERROR_OCSP_REQUEST_NEEDS_SIG, + true + ); + add_ocsp_test( + "ocsp-stapling-unauthorized.example.com", + SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST, + true + ); + add_ocsp_test( + "ocsp-stapling-unknown.example.com", + SEC_ERROR_OCSP_UNKNOWN_CERT, + true + ); + add_ocsp_test( + "ocsp-stapling-good-other.example.com", + MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING, + true + ); + // If the server doesn't staple an OCSP response, we continue as normal + // (this means that even though stapling is enabled, we expect an OCSP + // request). + add_connection_test( + "ocsp-stapling-none.example.com", + PRErrorCodeSuccess, + function () { + gExpectOCSPRequest = true; + clearOCSPCache(); + clearSessionCache(); + Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true); + } + ); + add_ocsp_test( + "ocsp-stapling-empty.example.com", + SEC_ERROR_OCSP_MALFORMED_RESPONSE, + true + ); + + add_ocsp_test( + "ocsp-stapling-skip-responseBytes.example.com", + SEC_ERROR_OCSP_MALFORMED_RESPONSE, + true + ); + + add_ocsp_test( + "ocsp-stapling-critical-extension.example.com", + SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION, + true + ); + add_ocsp_test( + "ocsp-stapling-noncritical-extension.example.com", + PRErrorCodeSuccess, + true + ); + // TODO(bug 997994): Disallow empty Extensions in responses + add_ocsp_test( + "ocsp-stapling-empty-extensions.example.com", + PRErrorCodeSuccess, + true + ); + + add_ocsp_test( + "ocsp-stapling-delegated-included.example.com", + PRErrorCodeSuccess, + true + ); + add_ocsp_test( + "ocsp-stapling-delegated-included-last.example.com", + PRErrorCodeSuccess, + true + ); + add_ocsp_test( + "ocsp-stapling-delegated-missing.example.com", + SEC_ERROR_OCSP_INVALID_SIGNING_CERT, + true, + true + ); + add_ocsp_test( + "ocsp-stapling-delegated-missing-multiple.example.com", + SEC_ERROR_OCSP_INVALID_SIGNING_CERT, + true, + true + ); + add_ocsp_test( + "ocsp-stapling-delegated-no-extKeyUsage.example.com", + SEC_ERROR_OCSP_INVALID_SIGNING_CERT, + true, + true + ); + add_ocsp_test( + "ocsp-stapling-delegated-from-intermediate.example.com", + SEC_ERROR_OCSP_INVALID_SIGNING_CERT, + true, + true + ); + add_ocsp_test( + "ocsp-stapling-delegated-keyUsage-crlSigning.example.com", + SEC_ERROR_OCSP_INVALID_SIGNING_CERT, + true, + true + ); + add_ocsp_test( + "ocsp-stapling-delegated-wrong-extKeyUsage.example.com", + SEC_ERROR_OCSP_INVALID_SIGNING_CERT, + true, + true + ); + + // ocsp-stapling-expired.example.com and + // ocsp-stapling-expired-fresh-ca.example.com are handled in + // test_ocsp_stapling_expired.js + + // Check that OCSP responder certificates with key sizes below 1024 bits are + // rejected, even when the main certificate chain keys are at least 1024 bits. + add_ocsp_test( + "keysize-ocsp-delegated.example.com", + SEC_ERROR_OCSP_INVALID_SIGNING_CERT, + true, + true + ); + + add_ocsp_test( + "revoked-ca-cert-used-as-end-entity.example.com", + SEC_ERROR_REVOKED_CERTIFICATE, + true + ); +} + +function check_ocsp_stapling_telemetry() { + let histogram = Services.telemetry + .getHistogramById("SSL_OCSP_STAPLING") + .snapshot(); + equal( + histogram.values[0], + 0, + "Should have 0 connections for unused histogram bucket 0" + ); + equal( + histogram.values[1], + 5, + "Actual and expected connections with a good response should match" + ); + equal( + histogram.values[2], + 18, + "Actual and expected connections with no stapled response should match" + ); + equal( + histogram.values[3] || 0, + 0, + "Actual and expected connections with an expired response should match" + ); + equal( + histogram.values[4], + 21, + "Actual and expected connections with bad responses should match" + ); + run_next_test(); +} + +function run_test() { + do_get_profile(); + Services.prefs.setIntPref("security.OCSP.enabled", 1); + // This test may sometimes fail on android due to an OCSP request timing out. + // That aspect of OCSP requests is not what we're testing here, so we can just + // bump the timeout and hopefully avoid these failures. + Services.prefs.setIntPref("security.OCSP.timeoutMilliseconds.soft", 5000); + + let fakeOCSPResponder = new HttpServer(); + fakeOCSPResponder.registerPrefixHandler("/", function (request, response) { + response.setStatusLine(request.httpVersion, 500, "Internal Server Error"); + ok( + gExpectOCSPRequest, + "Should be getting an OCSP request only when expected" + ); + }); + fakeOCSPResponder.start(8888); + + add_tls_server_setup("OCSPStaplingServer", "ocsp_certs"); + + add_tests(); + + add_test(function () { + fakeOCSPResponder.stop(check_ocsp_stapling_telemetry); + }); + + run_next_test(); +} diff --git a/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js b/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js new file mode 100644 index 0000000000..9d533c03da --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js @@ -0,0 +1,324 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. +"use strict"; + +// Enable the collection (during test) for all products so even products +// that don't collect the data will be able to run the test without failure. +Services.prefs.setBoolPref( + "toolkit.telemetry.testing.overrideProductsCheck", + true +); + +// In which we connect to a number of domains (as faked by a server running +// locally) with OCSP stapling enabled to determine that good things happen +// and bad things don't, specifically with respect to various expired OCSP +// responses (stapled and otherwise). +// According to RFC 6066, if a stapled OCSP response can't be satisfactorilly +// verified, the client should terminate the connection. Unfortunately, due to +// some bugs where servers will staple any old garbage without verifying it, we +// can't be this strict in practice. Originally this caveat only applied to +// expired responses, but recent high-profile failures have caused us to expand +// this to "try later" responses and responses where the signing certificate +// doesn't verify successfully. + +var gCurrentOCSPResponse = null; +var gOCSPRequestCount = 0; + +function add_ocsp_test( + aHost, + aExpectedResult, + aOCSPResponseToServe, + aExpectedRequestCount +) { + add_connection_test( + aHost, + aExpectedResult, + function () { + clearOCSPCache(); + clearSessionCache(); + gCurrentOCSPResponse = aOCSPResponseToServe; + gOCSPRequestCount = 0; + }, + function () { + equal( + gOCSPRequestCount, + aExpectedRequestCount, + "Should have made " + + aExpectedRequestCount + + " fallback OCSP request" + + (aExpectedRequestCount == 1 ? "" : "s") + ); + } + ); +} + +do_get_profile(); +Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true); +Services.prefs.setIntPref("security.OCSP.enabled", 1); +// Sometimes this test will fail on android due to an OCSP request timing out. +// That aspect of OCSP requests is not what we're testing here, so we can just +// bump the timeout and hopefully avoid these failures. +Services.prefs.setIntPref("security.OCSP.timeoutMilliseconds.soft", 5000); +var args = [ + ["good", "default-ee", "unused", 0], + ["expiredresponse", "default-ee", "unused", 0], + ["oldvalidperiod", "default-ee", "unused", 0], + ["revoked", "default-ee", "unused", 0], + ["unknown", "default-ee", "unused", 0], + ["good", "must-staple-ee", "unused", 0], +]; +var ocspResponses = generateOCSPResponses(args, "ocsp_certs"); +// Fresh response, certificate is good. +var ocspResponseGood = ocspResponses[0]; +// Expired response, certificate is good. +var expiredOCSPResponseGood = ocspResponses[1]; +// Fresh signature, old validity period, certificate is good. +var oldValidityPeriodOCSPResponseGood = ocspResponses[2]; +// Fresh signature, certificate is revoked. +var ocspResponseRevoked = ocspResponses[3]; +// Fresh signature, certificate is unknown. +var ocspResponseUnknown = ocspResponses[4]; +var ocspResponseGoodMustStaple = ocspResponses[5]; + +// sometimes we expect a result without re-fetch +var willNotRetry = 1; +// but sometimes, since a bad response is in the cache, OCSP fetch will be +// attempted for each validation - in practice, for these test certs, this +// means 2 requests because various key sizes are tried. +var willRetry = 2; + +function run_test() { + let ocspResponder = new HttpServer(); + ocspResponder.registerPrefixHandler("/", function (request, response) { + if (gCurrentOCSPResponse) { + response.setStatusLine(request.httpVersion, 200, "OK"); + response.setHeader("Content-Type", "application/ocsp-response"); + response.write(gCurrentOCSPResponse); + } else { + response.setStatusLine(request.httpVersion, 500, "Internal Server Error"); + response.write("Internal Server Error"); + } + gOCSPRequestCount++; + }); + ocspResponder.start(8888); + add_tls_server_setup("OCSPStaplingServer", "ocsp_certs"); + + // In these tests, the OCSP stapling server gives us a stapled + // response based on the host name ("ocsp-stapling-expired" or + // "ocsp-stapling-expired-fresh-ca"). We then ensure that we're + // properly falling back to fetching revocation information. + // For ocsp-stapling-expired.example.com, the OCSP stapling server + // staples an expired OCSP response. The certificate has not expired. + // For ocsp-stapling-expired-fresh-ca.example.com, the OCSP stapling + // server staples an OCSP response with a recent signature but with an + // out-of-date validity period. The certificate has not expired. + add_ocsp_test( + "ocsp-stapling-expired.example.com", + PRErrorCodeSuccess, + ocspResponseGood, + willNotRetry + ); + add_ocsp_test( + "ocsp-stapling-expired-fresh-ca.example.com", + PRErrorCodeSuccess, + ocspResponseGood, + willNotRetry + ); + // if we can't fetch a more recent response when + // given an expired stapled response, we terminate the connection. + add_ocsp_test( + "ocsp-stapling-expired.example.com", + SEC_ERROR_OCSP_OLD_RESPONSE, + expiredOCSPResponseGood, + willRetry + ); + add_ocsp_test( + "ocsp-stapling-expired-fresh-ca.example.com", + SEC_ERROR_OCSP_OLD_RESPONSE, + expiredOCSPResponseGood, + willRetry + ); + add_ocsp_test( + "ocsp-stapling-expired.example.com", + SEC_ERROR_OCSP_OLD_RESPONSE, + oldValidityPeriodOCSPResponseGood, + willRetry + ); + add_ocsp_test( + "ocsp-stapling-expired-fresh-ca.example.com", + SEC_ERROR_OCSP_OLD_RESPONSE, + oldValidityPeriodOCSPResponseGood, + willRetry + ); + add_ocsp_test( + "ocsp-stapling-expired.example.com", + SEC_ERROR_OCSP_OLD_RESPONSE, + null, + willNotRetry + ); + add_ocsp_test( + "ocsp-stapling-expired.example.com", + SEC_ERROR_OCSP_OLD_RESPONSE, + null, + willNotRetry + ); + // Of course, if the newer response indicates Revoked or Unknown, + // that status must be returned. + add_ocsp_test( + "ocsp-stapling-expired.example.com", + SEC_ERROR_REVOKED_CERTIFICATE, + ocspResponseRevoked, + willNotRetry + ); + add_ocsp_test( + "ocsp-stapling-expired-fresh-ca.example.com", + SEC_ERROR_REVOKED_CERTIFICATE, + ocspResponseRevoked, + willNotRetry + ); + add_ocsp_test( + "ocsp-stapling-expired.example.com", + SEC_ERROR_OCSP_UNKNOWN_CERT, + ocspResponseUnknown, + willRetry + ); + add_ocsp_test( + "ocsp-stapling-expired-fresh-ca.example.com", + SEC_ERROR_OCSP_UNKNOWN_CERT, + ocspResponseUnknown, + willRetry + ); + + // If the response is expired but indicates Revoked or Unknown and a + // newer status can't be fetched, the Revoked or Unknown status will + // be returned. + add_ocsp_test( + "ocsp-stapling-revoked-old.example.com", + SEC_ERROR_REVOKED_CERTIFICATE, + null, + willNotRetry + ); + add_ocsp_test( + "ocsp-stapling-unknown-old.example.com", + SEC_ERROR_OCSP_UNKNOWN_CERT, + null, + willNotRetry + ); + // If the response is expired but indicates Revoked or Unknown and + // a newer status can be fetched and successfully verified, this + // should result in a successful certificate verification. + add_ocsp_test( + "ocsp-stapling-revoked-old.example.com", + PRErrorCodeSuccess, + ocspResponseGood, + willNotRetry + ); + add_ocsp_test( + "ocsp-stapling-unknown-old.example.com", + PRErrorCodeSuccess, + ocspResponseGood, + willNotRetry + ); + // If a newer status can be fetched but it fails to verify, the + // Revoked or Unknown status of the expired stapled response + // should be returned. + add_ocsp_test( + "ocsp-stapling-revoked-old.example.com", + SEC_ERROR_REVOKED_CERTIFICATE, + expiredOCSPResponseGood, + willRetry + ); + add_ocsp_test( + "ocsp-stapling-unknown-old.example.com", + SEC_ERROR_OCSP_UNKNOWN_CERT, + expiredOCSPResponseGood, + willRetry + ); + + // These tests are verifying that an valid but very old response + // is rejected as a valid stapled response, requiring a fetch + // from the ocsp responder. + add_ocsp_test( + "ocsp-stapling-ancient-valid.example.com", + PRErrorCodeSuccess, + ocspResponseGood, + willNotRetry + ); + add_ocsp_test( + "ocsp-stapling-ancient-valid.example.com", + SEC_ERROR_REVOKED_CERTIFICATE, + ocspResponseRevoked, + willNotRetry + ); + add_ocsp_test( + "ocsp-stapling-ancient-valid.example.com", + SEC_ERROR_OCSP_UNKNOWN_CERT, + ocspResponseUnknown, + willRetry + ); + + // Test how OCSP-must-staple (i.e. TLS feature) interacts with stapled OCSP + // responses that don't successfully verify. + // A strict reading of the relevant RFCs might say that these connections + // should all fail because a satisfactory stapled OCSP response is not + // present, but for compatibility reasons we fall back to active OCSP fetching + // in these situations. If the fetch succeeds, then connection succeeds. + add_ocsp_test( + "ocsp-stapling-must-staple-expired.example.com", + PRErrorCodeSuccess, + ocspResponseGoodMustStaple, + willNotRetry + ); + add_ocsp_test( + "ocsp-stapling-must-staple-try-later.example.com", + PRErrorCodeSuccess, + ocspResponseGoodMustStaple, + willNotRetry + ); + add_ocsp_test( + "ocsp-stapling-must-staple-invalid-signer.example.com", + PRErrorCodeSuccess, + ocspResponseGoodMustStaple, + willNotRetry + ); + + add_test(function () { + ocspResponder.stop(run_next_test); + }); + add_test(check_ocsp_stapling_telemetry); + run_next_test(); +} + +function check_ocsp_stapling_telemetry() { + let histogram = Services.telemetry + .getHistogramById("SSL_OCSP_STAPLING") + .snapshot(); + equal( + histogram.values[0] || 0, + 0, + "Should have 0 connections for unused histogram bucket 0" + ); + equal( + histogram.values[1] || 0, + 0, + "Actual and expected connections with a good response should match" + ); + equal( + histogram.values[2] || 0, + 0, + "Actual and expected connections with no stapled response should match" + ); + equal( + histogram.values[3], + 22, + "Actual and expected connections with an expired response should match" + ); + equal( + histogram.values[4], + 2, + "Actual and expected connections with bad responses should match" + ); + run_next_test(); +} diff --git a/security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js b/security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js new file mode 100644 index 0000000000..d9c5986dd0 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js @@ -0,0 +1,48 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. +"use strict"; + +// In which we connect to a server that staples an OCSP response for a +// certificate signed by an intermediate that has an OCSP AIA to ensure +// that an OCSP request is not made for the intermediate. + +var gOCSPRequestCount = 0; + +function add_ocsp_test(aHost, aExpectedResult) { + add_connection_test(aHost, aExpectedResult, function () { + clearOCSPCache(); + clearSessionCache(); + }); +} + +function run_test() { + do_get_profile(); + Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true); + + let ocspResponder = new HttpServer(); + ocspResponder.registerPrefixHandler("/", function (request, response) { + gOCSPRequestCount++; + response.setStatusLine(request.httpVersion, 500, "Internal Server Error"); + let body = "Refusing to return a response"; + response.bodyOutputStream.write(body, body.length); + }); + ocspResponder.start(8888); + + add_tls_server_setup("OCSPStaplingServer", "ocsp_certs"); + + add_ocsp_test( + "ocsp-stapling-with-intermediate.example.com", + PRErrorCodeSuccess + ); + + add_test(function () { + ocspResponder.stop(run_next_test); + }); + add_test(function () { + equal(gOCSPRequestCount, 0, "No OCSP requests should have been made"); + run_next_test(); + }); + run_next_test(); +} diff --git a/security/manager/ssl/tests/unit/test_ocsp_timeout.js b/security/manager/ssl/tests/unit/test_ocsp_timeout.js new file mode 100644 index 0000000000..8d606bc028 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_timeout.js @@ -0,0 +1,100 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. +"use strict"; + +// This test connects to ocsp-stapling-none.example.com to test that OCSP +// requests are cancelled if they're taking too long. +// ocsp-stapling-none.example.com doesn't staple an OCSP response, so +// connecting to it will cause a request to the OCSP responder. As with all of +// these tests, the OCSP AIA (i.e. the url of the responder) in the certificate +// is http://localhost:8888. Since this test opens a TCP socket listening on +// port 8888 that just accepts connections and then ignores them (with +// connect/read/write timeouts of 30 seconds), the OCSP requests should cancel +// themselves. When OCSP hard-fail is enabled, connections will be terminated. +// Otherwise, they will succeed. + +var gSocketListener = { + onSocketAccepted(serverSocket, socketTransport) { + socketTransport.setTimeout(Ci.nsISocketTransport.TIMEOUT_CONNECT, 30); + socketTransport.setTimeout(Ci.nsISocketTransport.TIMEOUT_READ_WRITE, 30); + }, + + onStopListening(serverSocket, status) {}, +}; + +function run_test() { + do_get_profile(); + Services.prefs.setIntPref("security.OCSP.enabled", 1); + + add_tls_server_setup("OCSPStaplingServer", "ocsp_certs"); + + let socket = Cc["@mozilla.org/network/server-socket;1"].createInstance( + Ci.nsIServerSocket + ); + socket.init(8888, true, -1); + socket.asyncListen(gSocketListener); + + add_one_test(false, "security.OCSP.timeoutMilliseconds.soft", 1000); + add_one_test(false, "security.OCSP.timeoutMilliseconds.soft", 2000); + add_one_test(false, "security.OCSP.timeoutMilliseconds.soft", 4000); + + add_one_test(true, "security.OCSP.timeoutMilliseconds.hard", 3000); + add_one_test(true, "security.OCSP.timeoutMilliseconds.hard", 10000); + add_one_test(true, "security.OCSP.timeoutMilliseconds.hard", 15000); + + add_test(function () { + socket.close(); + run_next_test(); + }); + run_next_test(); +} + +function add_one_test(useHardFail, timeoutPrefName, timeoutMilliseconds) { + let startTime; + add_test(function () { + Services.prefs.setBoolPref("security.OCSP.require", useHardFail); + Services.prefs.setIntPref(timeoutPrefName, timeoutMilliseconds); + startTime = new Date(); + run_next_test(); + }); + + add_connection_test( + "ocsp-stapling-none.example.com", + useHardFail ? SEC_ERROR_OCSP_SERVER_ERROR : PRErrorCodeSuccess, + clearSessionCache + ); + + add_test(function () { + let endTime = new Date(); + let timeDifference = endTime - startTime; + info(`useHardFail = ${useHardFail}`); + info(`startTime = ${startTime.getTime()} (${startTime})`); + info(`endTime = ${endTime.getTime()} (${endTime})`); + info(`timeDifference = ${timeDifference}ms`); + // Date() is not guaranteed to be monotonic, so add extra fuzz time to + // prevent intermittent failures (this only appeared to be a problem on + // Windows XP). See Bug 1121117. + const FUZZ_MS = 300; + ok( + timeDifference + FUZZ_MS > timeoutMilliseconds, + `OCSP timeout should be ~${timeoutMilliseconds}s for ` + + `${useHardFail ? "hard" : "soft"}-fail` + ); + // Make sure we didn't wait too long. + // (Unfortunately, we probably can't have a tight upper bound on + // how long is too long for this test, because we might be running + // on slow hardware.) + ok( + timeDifference < 60000, + "Automatic OCSP timeout shouldn't be more than 60s" + ); + + // Reset state + clearOCSPCache(); + Services.prefs.clearUserPref("security.OCSP.require"); + Services.prefs.clearUserPref(timeoutPrefName); + run_next_test(); + }); +} diff --git a/security/manager/ssl/tests/unit/test_ocsp_url.js b/security/manager/ssl/tests/unit/test_ocsp_url.js new file mode 100644 index 0000000000..6ff79df03f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url.js @@ -0,0 +1,122 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +"use strict"; + +// In which we try to validate several ocsp responses, checking in particular +// if the ocsp url is valid and the path expressed is correctly passed to +// the caller. + +do_get_profile(); // must be called before getting nsIX509CertDB +const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +const SERVER_PORT = 8888; + +function failingOCSPResponder() { + return getFailingHttpServer(SERVER_PORT, ["www.example.com"]); +} + +function start_ocsp_responder(expectedCertNames, expectedPaths) { + return startOCSPResponder( + SERVER_PORT, + "www.example.com", + "test_ocsp_url", + expectedCertNames, + expectedPaths + ); +} + +function check_cert_err(cert_name, expected_error) { + let cert = constructCertFromFile("test_ocsp_url/" + cert_name + ".pem"); + return checkCertErrorGeneric( + certdb, + cert, + expected_error, + certificateUsageSSLServer + ); +} + +add_task(async function () { + addCertFromFile(certdb, "test_ocsp_url/ca.pem", "CTu,CTu,CTu"); + addCertFromFile(certdb, "test_ocsp_url/int.pem", ",,"); + + // Enabled so that we can force ocsp failure responses. + Services.prefs.setBoolPref("security.OCSP.require", true); + + Services.prefs.setCharPref("network.dns.localDomains", "www.example.com"); + Services.prefs.setIntPref("security.OCSP.enabled", 1); + + // Note: We don't test the case of a well-formed HTTP URL with an empty port + // because the OCSP code would then send a request to port 80, which we + // can't use in tests. + + clearOCSPCache(); + let ocspResponder = failingOCSPResponder(); + await check_cert_err("bad-scheme", SEC_ERROR_CERT_BAD_ACCESS_LOCATION); + await stopOCSPResponder(ocspResponder); + + clearOCSPCache(); + ocspResponder = failingOCSPResponder(); + await check_cert_err("empty-scheme-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION); + await stopOCSPResponder(ocspResponder); + + clearOCSPCache(); + ocspResponder = failingOCSPResponder(); + await check_cert_err("ftp-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION); + await stopOCSPResponder(ocspResponder); + + clearOCSPCache(); + ocspResponder = failingOCSPResponder(); + await check_cert_err("https-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION); + await stopOCSPResponder(ocspResponder); + + clearOCSPCache(); + ocspResponder = start_ocsp_responder(["hTTp-url"], ["hTTp-url"]); + await check_cert_err("hTTp-url", PRErrorCodeSuccess); + await stopOCSPResponder(ocspResponder); + + clearOCSPCache(); + ocspResponder = failingOCSPResponder(); + await check_cert_err("negative-port", SEC_ERROR_CERT_BAD_ACCESS_LOCATION); + await stopOCSPResponder(ocspResponder); + + clearOCSPCache(); + ocspResponder = failingOCSPResponder(); + await check_cert_err("no-host-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION); + await stopOCSPResponder(ocspResponder); + + clearOCSPCache(); + ocspResponder = start_ocsp_responder(["no-path-url"], [""]); + await check_cert_err("no-path-url", PRErrorCodeSuccess); + await stopOCSPResponder(ocspResponder); + + clearOCSPCache(); + ocspResponder = failingOCSPResponder(); + await check_cert_err( + "no-scheme-host-port", + SEC_ERROR_CERT_BAD_ACCESS_LOCATION + ); + await stopOCSPResponder(ocspResponder); + + clearOCSPCache(); + ocspResponder = failingOCSPResponder(); + await check_cert_err("no-scheme-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION); + await stopOCSPResponder(ocspResponder); + + clearOCSPCache(); + ocspResponder = failingOCSPResponder(); + await check_cert_err("unknown-scheme", SEC_ERROR_CERT_BAD_ACCESS_LOCATION); + await stopOCSPResponder(ocspResponder); + + // Note: We currently don't have anything that ensures user:pass sections + // weren't sent. The following test simply checks that such sections + // don't cause failures. + clearOCSPCache(); + ocspResponder = start_ocsp_responder(["user-pass"], [""]); + await check_cert_err("user-pass", PRErrorCodeSuccess); + await stopOCSPResponder(ocspResponder); +}); diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem b/security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem new file mode 100644 index 0000000000..95e43ad50f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5jCCAc6gAwIBAgIUPcxwWr/R6L+m+gFFiy0rWi66dGIwDQYJKoZIhvcNAQEL +BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQw +MDAwMDBaMBUxEzARBgNVBAMMCmJhZC1zY2hlbWUwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjMTAvMC0GCCsGAQUF +BwEBBCEwHzAdBggrBgEFBQcwAYYRL3d3dy5leGFtcGxlLmNvbS8wDQYJKoZIhvcN +AQELBQADggEBAIuUhW8MgQTS5W1IU3InmGa7D+HL+UKyep++s+EVn3Kdn2WX14ph +mzuhbJAVC1uMp3DLWlb3KZQcz6DsutRK5y+SEHue4C3eRZJhRUkmU+TsoZDznYVh +KJAsl0IrUhh2XKPVDJ2ZtDiYE4bcPjrrKPgwMqS6hy/Qtllg6NbEAKiP9JKzmTVO +ORaNHgXm3zuyXtJ6wGX6qM2jBLVNeRKWqPiFz61zRgGn6kMNJ7Yl1yRTIaQI8FDi +hh720H3OTWGwXFeLoMuq7dhfTTwuExwko7Z1UieSDDZoFeO2GBAZ7Z4NK7VWSb+D +GiooYhqSaYDoOylk1TfqhfkL9KWgTU7yddY= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem.certspec new file mode 100644 index 0000000000..12cc072792 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem.certspec @@ -0,0 +1,3 @@ +issuer:int +subject:bad-scheme +extension:authorityInformationAccess:/www.example.com/ diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/ca.pem b/security/manager/ssl/tests/unit/test_ocsp_url/ca.pem new file mode 100644 index 0000000000..8131655251 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/ca.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyTCCAbGgAwIBAgIUZUAG1XrIsypGQCcYFFUTqaoZw5MwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG +m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr +bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4 +SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3 +/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z +FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYD +VR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQA+F3G6RbYWkt2VtLqA43GkRvQg +PZGNxGlXGWazQRKDLXMFtbT9FG2l7nRQPPKhoaeKd+36zBPxgwJaC1+N5e9nxAm/ +YUY4ipA7RAaUf0l6hCyCNnbtd6o6E6hnU4ucX7GvgGQQEdXHPIpzF3AfVZviHVpl +5u02rYNB6wGC9/vSsNKhpGYaIOB2yFzbXhwH4YqC2VwfpukNuSQ7oywFbH2IIj/5 +ik3Mp8uwL1qQ7XcF9se5rtNYcWzNe0aMKS7s/vRn1QeYp5Jsq6kEn0/aNvEmDskR +GAGbbQ/4CQqKH2vqKQRq8KbDlzsxmfEF8cDZzvXZHWtQmGGURy/4ZAytgXFT +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/ca.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/ca.pem.certspec new file mode 100644 index 0000000000..d809dbd635 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:ca +extension:basicConstraints:cA, +extension:keyUsage:keyCertSign,cRLSign diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/empty-scheme-url.pem b/security/manager/ssl/tests/unit/test_ocsp_url/empty-scheme-url.pem new file mode 100644 index 0000000000..b03dd51975 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/empty-scheme-url.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC8zCCAdugAwIBAgIUKYpgWagQQ8rQkCMJK11dU5LYtFEwDQYJKoZIhvcNAQEL +BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQw +MDAwMDBaMBsxGTAXBgNVBAMMEGVtcHR5LXNjaGVtZS11cmwwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVo +V2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p +0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk +fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZh +W7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EI +TjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjODA2MDQG +CCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYOi8vd3d3LmV4YW1wbGUuY29tOjg4 +ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQCOxSgwTWPNpFUf5kZpBLUOMX3/kB5FQVjf +6HxT8xVukgc4LIVSFTGcxjCos3Nw+4KDvVf9Xa3/nVjOL3X+hAFJdzSqFKhu52JT +Edh1t7qZ6F9kbNTtr7kjOoMRlt5kVHTNw8ZhrKWacZCvJjsRlvnc94Waw6Cfj4TV +g7C6hLblo6jIo6yw9AFr4Mei81lwotbNnsP1EoKmGtyuYxnRiDBgatMvIOD/1Dyp +XBT7imr4v9C0ntCNZIKHtTGKdma7nUN47ck9r+RYFAuIJFzTaDg8kqnd5DgB9P1x +Fyggsv4+q5NwuMttNVV1Gql0wKzXffsMimfRLGzL9mqqAh9ZdvNu +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/empty-scheme-url.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/empty-scheme-url.pem.certspec new file mode 100644 index 0000000000..e8959653f3 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/empty-scheme-url.pem.certspec @@ -0,0 +1,3 @@ +issuer:int +subject:empty-scheme-url +extension:authorityInformationAccess:://www.example.com:8888/ diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/ftp-url.pem b/security/manager/ssl/tests/unit/test_ocsp_url/ftp-url.pem new file mode 100644 index 0000000000..99cfcf00db --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/ftp-url.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC7TCCAdWgAwIBAgIUZUXe6sUnYjHg6SGrZoNfo3YLQrQwDQYJKoZIhvcNAQEL +BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQw +MDAwMDBaMBIxEDAOBgNVBAMMB2Z0cC11cmwwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg +2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ +5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQ +PdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGj +DJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8W +iy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjOzA5MDcGCCsGAQUFBwEB +BCswKTAnBggrBgEFBQcwAYYbZnRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgvMA0G +CSqGSIb3DQEBCwUAA4IBAQCIEhhV7H0H6dPzGymxFYdq7/wbtOrG2DwAusNe2Ate +2eVNNfovg2unARpWreK9sO2CgGwcHlulNFsHPlcWIPwnvVeOAFz/Rhndl93PYtch +5ZV1gT9WSoDAAcxUkz2ycmjhthOJjxLlJ5WBIgG+GoYeK02/YxC94/7GLCVW66rA +ehCowuSN8p9j9Wmm2Jjna7aVWZHO8lIAEFrEYMHeurYPkDw9y26itn5F/DUmZJB5 +cFiTcU3Qf0R1Eiswh/fhZm6A5cwjViOigKaxTaA4qoEpiVCtbdcWu39Dsp4mi9k2 +JRz425sXav5AGlFt+KidpDB5f5k0S6h1cFCx+2s300Yt +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/ftp-url.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/ftp-url.pem.certspec new file mode 100644 index 0000000000..9f50a7d792 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/ftp-url.pem.certspec @@ -0,0 +1,3 @@ +issuer:int +subject:ftp-url +extension:authorityInformationAccess:ftp://www.example.com:8888/ diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/hTTp-url.pem b/security/manager/ssl/tests/unit/test_ocsp_url/hTTp-url.pem new file mode 100644 index 0000000000..bc2c6eda60 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/hTTp-url.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC9zCCAd+gAwIBAgIUPwOINpymE8g51lV2vT4IYvEfRU0wDQYJKoZIhvcNAQEL +BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQw +MDAwMDBaMBMxETAPBgNVBAMMCGhUVHAtdXJsMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo +4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDD +SeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFX +kD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUx +owyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/ +Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo0QwQjBABggrBgEFBQcB +AQQ0MDIwMAYIKwYBBQUHMAGGJGhUVHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9o +VFRwLXVybDANBgkqhkiG9w0BAQsFAAOCAQEAAkkcJpJzkYUhpq0FQDV/MKQSbdwW +GYsPWxPGkjZvjHfEJ5NEmJQhPU6HSKnQDKp1e2axkhmCvS8Y8/wlS6Cc0np0UU4n +zZYlx15vRBwYlDOprcBsa64xaEXEv3NDnyQTBOGD1SLJgLyA7FmkXv/vcFXr9mga +9tVVa+SFl2vuOYk3NHSGswaja3OW8eCBfrxx1AYkHIsN8OSKNvgLjCr5mMbjAH0C +LDV1+0XiaUyUvKVBvvr7dg4cfzbLtxMBAMEUqlLBfJYZuF4Rpkc8NvHo01FlFl+h +B/f88ihMzQd58g3rp0wzieRZqrVRXn8eMdpGSbMmzAo2WU71lfh+fO9cwQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/hTTp-url.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/hTTp-url.pem.certspec new file mode 100644 index 0000000000..10b1504b29 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/hTTp-url.pem.certspec @@ -0,0 +1,3 @@ +issuer:int +subject:hTTp-url +extension:authorityInformationAccess:hTTp://www.example.com:8888/hTTp-url diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/https-url.pem b/security/manager/ssl/tests/unit/test_ocsp_url/https-url.pem new file mode 100644 index 0000000000..881afe9faf --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/https-url.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC+jCCAeKgAwIBAgIUV1jKhIwDRgRkdyJko/7MLL+VmlAwDQYJKoZIhvcNAQEL +BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQw +MDAwMDBaMBQxEjAQBgNVBAMMCWh0dHBzLXVybDCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl +qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg +w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx +V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1 +MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs +vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNGMEQwQgYIKwYBBQUH +AQEENjA0MDIGCCsGAQUFBzABhiZodHRwczovL3d3dy5leGFtcGxlLmNvbTo4ODg4 +L2h0dHBzLXVybDANBgkqhkiG9w0BAQsFAAOCAQEADLboQ2R+8RSxfPh2glGvvafl +8KCV/oqMwUpEPVNu9862EVboWei7Xuj3ZLdsorOsasglDEjCutCgyUs4SYIWmoSf +QaA8jTDWwzPbBQE5eQuhzk7pJJWb0fxDUeZva1YJov7ZOsJKbz1pyX7/kRf22NFw +tZid6thLiSe5gVpI9/0Sa10KhKe6H9mZjpeqQaYKFzVNjQPwfmZddN0Bn9dgajJL +NmZk06uuPOHBedHJmlTDGCiPKg8Qtlga2sGWgTaaI1cuO3xAd8ybUG0IooLjpFWC +qwHs9wXJ1Cj/cfmzFcGhO83lpJ6do5TLbVoyDOnp0bUcQdlhhwatkL5mtK+BxQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/https-url.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/https-url.pem.certspec new file mode 100644 index 0000000000..891005bf5c --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/https-url.pem.certspec @@ -0,0 +1,3 @@ +issuer:int +subject:https-url +extension:authorityInformationAccess:https://www.example.com:8888/https-url diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/int.key b/security/manager/ssl/tests/unit/test_ocsp_url/int.key new file mode 100644 index 0000000000..09e044f5e0 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/int.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9 +braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI +eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6 +iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za +qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7 +LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs +2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs +VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s +JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI +r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz +iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg +SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R +TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N +gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp +xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r +ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR +3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY +EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs +2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb +WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo +tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl +rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2 +TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit +tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m +ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1 +NBinA5ZsT8d0v3QCr2xDJH9D +-----END PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/int.key.keyspec b/security/manager/ssl/tests/unit/test_ocsp_url/int.key.keyspec new file mode 100644 index 0000000000..4ad96d5159 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/int.key.keyspec @@ -0,0 +1 @@ +default diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/int.pem b/security/manager/ssl/tests/unit/test_ocsp_url/int.pem new file mode 100644 index 0000000000..b31a9cda93 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/int.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyjCCAbKgAwIBAgIUe2LIDV1Nhfro/wXnL4PUQK5N24QwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw +MDAwMFowDjEMMAoGA1UEAwwDaW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGc +BptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzC +a2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8Xg +uEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK +9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGP +mRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsG +A1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAjQy0NtsF3aykS9j0nzTjuaXO +H3lWVMJJBYNZw0YcFUIfTFpkAdwLyvWrw9vpNBURseXog/pFe+Wo1vh7LtESg8Kc +WFnE7LWeZSzOLgUTRPuHU45ehkaJpAOXaBUo/RNNYykE44EVIXvNCUuPe06SfSnD +fSHNDdrg0jv4V+Xjoq+8+yhBNmjNNylBMfZmj7NiN8ZKka+AovStBoxuvSD6Oef3 +ENuMtUH10KETCkUf/u04RMU8sTZP65zg2xQ3hcvDAoJvIwwaq/TtcghO0AcD6RbN +yoHIgJe2TiWRltAPOTzm/2OmUGOHin1p4DCA7usZRpU/iRqr06ZZFzBtj+0v4A== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/int.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/int.pem.certspec new file mode 100644 index 0000000000..a7f6d81419 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/int.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:int +extension:basicConstraints:cA, +extension:keyUsage:keyCertSign,cRLSign diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem b/security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem new file mode 100644 index 0000000000..e1d99ffe0e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC8jCCAdqgAwIBAgIUabKe59RFXji+vmz2hVT2cKegTcYwDQYJKoZIhvcNAQEL +BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQw +MDAwMDBaMBgxFjAUBgNVBAMMDW5lZ2F0aXZlLXBvcnQwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wk +e8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0Dgg +KZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmI +YXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7fi +lhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbL +HCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjOjA4MDYGCCsG +AQUFBwEBBCowKDAmBggrBgEFBQcwAYYaaHR0cDovL3d3dy5leGFtcGxlLmNvbTot +MS8wDQYJKoZIhvcNAQELBQADggEBAIYQAjUDhkgFfi0C7rHvEaIUpuJzvRlTQAtX ++evW3gHpqKH48CC0/Rg6RLlHhURti+EEVOb7d/3RUfJpsNI3Jl2M3MYaXMf/Un0U +wSGSeKg0JNS+HuQm+HZnQSI3O1yOKUpKoi/RUtYrVzLHHnSyvK4i1QVl7cxhk1SL +7tX77B3iZSEzObG4Yd9a5xrF6l9R1LsyWT6jXJ4j+zVjzBcq3T8ZRkxKi1i6viOD +9bHfyQoqMoeuQH13ENvQm/X2sSEfr+SObsS0clztBaOzZaV+mF7tDt64SuSpVMDG +ncx2f/Z9eTbPrJgAnTPRaHFbzyZdq7C2hMZ+hcKwZGY2tn1JLns= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem.certspec new file mode 100644 index 0000000000..fce6d43848 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem.certspec @@ -0,0 +1,3 @@ +issuer:int +subject:negative-port +extension:authorityInformationAccess:http://www.example.com:-1/ diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/no-host-url.pem b/security/manager/ssl/tests/unit/test_ocsp_url/no-host-url.pem new file mode 100644 index 0000000000..635a7059d9 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/no-host-url.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC4zCCAcugAwIBAgIUHX/JG96jB74HqkQdA0vLTUhq+b4wDQYJKoZIhvcNAQEL +BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQw +MDAwMDBaMBYxFDASBgNVBAMMC25vLWhvc3QtdXJsMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoy0wKzApBggrBgEF +BQcBAQQdMBswGQYIKwYBBQUHMAGGDWh0dHA6Ly86ODg4OC8wDQYJKoZIhvcNAQEL +BQADggEBAAW9QCXaRLhkIBFIDNLycJsDQzPtw3OZmj0u26gglbvFqAuLyyi7pbVB +RSxMLbkrejaDiC0u5Nw5UV18+F2WSm+l8XK7xqbISfTnhBAXXvebdFSJVTfUhxyC +NmOV51Bi6tE8/wZkxVjb9Xk9glWI/secTDUt/1mEE4/aJ0mzO1z0U28jCDrLJYQE +0LHZNk/1KEF8T+Vs1xWKoSEfW7w2AH0imSHHaJop1s8raJP9YloX7BccxD1HA6oE +qb8ANKDJmfHrn3MBZS/AAGp1gh7y8s/7S0LmuhLNADYyaaLdPJXKgZu2KvSmuZxG +KE1qHOuc36X1Sz7NsNjazvBmAqHQMSs= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/no-host-url.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/no-host-url.pem.certspec new file mode 100644 index 0000000000..4ac76e7eb3 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/no-host-url.pem.certspec @@ -0,0 +1,3 @@ +issuer:int +subject:no-host-url +extension:authorityInformationAccess:http://:8888/ diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/no-path-url.pem b/security/manager/ssl/tests/unit/test_ocsp_url/no-path-url.pem new file mode 100644 index 0000000000..9ae448aa9d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/no-path-url.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC8TCCAdmgAwIBAgIUDc0Fw6h2xd6MsGfxN1SxVQq80hEwDQYJKoZIhvcNAQEL +BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQw +MDAwMDBaMBYxFDASBgNVBAMMC25vLXBhdGgtdXJsMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozswOTA3BggrBgEF +BQcBAQQrMCkwJwYIKwYBBQUHMAGGG2h0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4 +ODANBgkqhkiG9w0BAQsFAAOCAQEAJvsDo/KBWg+rBqAvztl0dX3gA0ir80umQ9HQ +/bQGWqiWkVzQJ63918RBMZGQDepR7DAkkypJDqvAJ9LBEPRQ9aEEnqX3yeC+SmlG +LJVFR71rejSg9dzfj7q3ZkN+5jkCyzU6qz4hlUmy2ZtD7g3j+JuIXW8GLppvfro7 +q8njhczPm/dIIgrBDkrtXoxkEGf/9oF8qow03+zmt0VdaBXM9JQdXOr0EENkc8WE ++fZAGVZpnb2xnVIfPnRU+iaBfKPYaoPuLDlOkxjS57Ko7zhcqhK5etaUmyIiBK2n +/Kv1I0DcTRcip4iExyHCspJzW9y/NqAKEfu4EmLiZbHrqtA0mA== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/no-path-url.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/no-path-url.pem.certspec new file mode 100644 index 0000000000..497bb28796 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/no-path-url.pem.certspec @@ -0,0 +1,3 @@ +issuer:int +subject:no-path-url +extension:authorityInformationAccess:http://www.example.com:8888 diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-host-port.pem b/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-host-port.pem new file mode 100644 index 0000000000..629489795b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-host-port.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC3zCCAcegAwIBAgIUAbgRbg/m1UnBU4JeU5gdUyeX1PMwDQYJKoZIhvcNAQEL +BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQw +MDAwMDBaMB4xHDAaBgNVBAMME25vLXNjaGVtZS1ob3N0LXBvcnQwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0 +7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D +/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw +JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX +rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd +q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjITAf +MB0GCCsGAQUFBwEBBBEwDzANBggrBgEFBQcwAYYBLzANBgkqhkiG9w0BAQsFAAOC +AQEAfq+rjh+ps++6y+2FAoCgTSGgHYS2f5wLw1XhF3QYEXJEvUYHTCXjzK7PZ45z +2AYdtCvUbB5EkBD8h0I/qhpvz3he+DvGXyBmq0JK2xLhRZAn5c7bfGf5J1uacBJl +Y+E6cSGtKqOYBnrmwGE50WiAZBvvZ0RoLTy3dkqMDElcLZdZpLbIZLxw9+A1c0Zk +G/9ExpwMF5m7kKou7czWlNUpoEqFZrycg+yNviDphaJON9DVTQZe2W2JkrGzMqq/ +MncnJYDpd5gHiYRbTYStQftVHr5JKKDo85MGelcLpthN6H23+cCabwFvGMSFBSwo +bAtHMWzDus8s1aX6I+fl9lxmAQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-host-port.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-host-port.pem.certspec new file mode 100644 index 0000000000..42a555e411 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-host-port.pem.certspec @@ -0,0 +1,3 @@ +issuer:int +subject:no-scheme-host-port +extension:authorityInformationAccess:/ diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-url.pem b/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-url.pem new file mode 100644 index 0000000000..9fd1e4e4fc --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-url.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC7TCCAdWgAwIBAgIUMQ4FaOlHRe8APFFKFVuEsyzJ6x4wDQYJKoZIhvcNAQEL +BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQw +MDAwMDBaMBgxFjAUBgNVBAMMDW5vLXNjaGVtZS11cmwwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wk +e8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0Dgg +KZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmI +YXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7fi +lhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbL +HCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjNTAzMDEGCCsG +AQUFBwEBBCUwIzAhBggrBgEFBQcwAYYVd3d3LmV4YW1wbGUuY29tOjg4ODgvMA0G +CSqGSIb3DQEBCwUAA4IBAQCD9UOxBwhdtnbSg+eCvTEEL9x8ssiYE8/AuYKsWS/p +Rv7dqR/cRyYJgzQyAlyZAVDBEusDxAMeJhLRu6BqTu4R607lCh17Kzn2omQVsx1V +J1jQWnmOU9VUYDbFgx0Du3q73n/42XaZTIJP3M1b5Mkv9hmPEtvEFNTeqq3SJqJe +a16nqlpJvqhrDq275YSbfv/jtz0cu1MbSmQhK6uC6ToEk7/omZ2lHtIRJhhqTN8b +XqckBz7M0meZzO9LfjGlMx7f+3Qdl/RMq/FYwESzG5Vdjx8lUGcGnpuBdDQsA8YT +03iEvddzfqzOPS6s4tHk/btAVOarcwGp3wJpfqS2YxDX +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-url.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-url.pem.certspec new file mode 100644 index 0000000000..a82196a6d1 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-url.pem.certspec @@ -0,0 +1,3 @@ +issuer:int +subject:no-scheme-url +extension:authorityInformationAccess:www.example.com:8888/ diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem b/security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem new file mode 100644 index 0000000000..c8e6456611 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC7zCCAdegAwIBAgIUczX4OFX/mHvox1wrRPdNp+YQkH0wDQYJKoZIhvcNAQEL +BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQw +MDAwMDBaMBkxFzAVBgNVBAMMDnVua25vd24tc2NoZW1lMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds +JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4 +ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25 +iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3 +4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42 +yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozYwNDAyBggr +BgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFnR0cDovL3d3dy5leGFtcGxlLmNvbS8w +DQYJKoZIhvcNAQELBQADggEBABBQ89WfNTBdDjN+W8ftdmvOW9vhWbkBBQPZRO/U +HWjOFhMPwn/Nv2RbIl4+b/qFXWp7kvOjZ7bbW4DpVXlmrP9qY9B1SsKs00ZS2N0f ++ty3SQxjTXzXN7Qphwa7TwiGAjiwBFMUvZ1mIEzT0ODF/g6/hG4SxbyMIhOl34CD +VZ/+NyYoPdkWZhJ55OJNRbWNbyphA1LP7GkZK59CZtGhvNvIWFsabPN3ob5X9O+M +cYMxGk3ln1CScEUSz+1k2UM8UufolaWNXllv6AkL4KHwaobkFtWAwCU5g+pH3sEo +D+szKnApDSVzv8tkB/9f4RgyXym+zPvXnHhIbyCaw/bwjII= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem.certspec new file mode 100644 index 0000000000..0089455398 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem.certspec @@ -0,0 +1,3 @@ +issuer:int +subject:unknown-scheme +extension:authorityInformationAccess:ttp://www.example.com/ diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem b/security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem new file mode 100644 index 0000000000..b673913745 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC+jCCAeKgAwIBAgIUL2u+oKD07Txp4pZFkslIHkaq+jUwDQYJKoZIhvcNAQEL +BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQw +MDAwMDBaMBQxEjAQBgNVBAMMCXVzZXItcGFzczCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl +qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg +w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx +V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1 +MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs +vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNGMEQwQgYIKwYBBQUH +AQEENjA0MDIGCCsGAQUFBzABhiZodHRwOi8vdXNlcjpwYXNzQHd3dy5leGFtcGxl +LmNvbTo4ODg4LzANBgkqhkiG9w0BAQsFAAOCAQEAPFnw1V43BlxAtHyhz1oUoKRz +xLBHzSPshe5dlfPZVh8bPgh+6eHDNtvs2IlcC6vAXX/BwCezMSam+3f6fYInih6O +TNCyJ8ZywHuy+aHvULNpUOolVqzJC1J4aaHaZTc3RCA1qbNOfIvDaElB3WPl4izq +ov+JHkx70O3rcSm+9qOCebtLb57iG077p+2jh1jyQEV+XOSnuZqeBi7IvFuairgv +yYcvokJylHmsq4U7rsLIdD7aWTxKaZgi4y2w3/ZGo4v0dqFHTPfSxxvPUYocW0R9 +XgHQrtgfcR6k74NNJNV3/KwAdGaZtxETG8QR56BIJNGat6cWpXlO8Y3xy1TZxA== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem.certspec new file mode 100644 index 0000000000..337e67e5f9 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem.certspec @@ -0,0 +1,3 @@ +issuer:int +subject:user-pass +extension:authorityInformationAccess:http://user:pass@www.example.com:8888/ diff --git a/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem b/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem new file mode 100644 index 0000000000..9b5b6bcbf8 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyTCCAbGgAwIBAgIBHzANBgkqhkiG9w0BAQsFADAcMRowGAYDVQQDDBFUZXN0 +IEludGVybWVkaWF0ZTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAw +WjAwMS4wLAYDVQQDDCVBbm90aGVyIEVFIFJldm9rZWQgYnkgcmV2b2NhdGlvbnMu +dHh0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62 +iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHql +WqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosq +Qe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ +ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8i +b2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoY +CjXtjQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQC4QPWiV26uv1EwUr2QkZC7pEXc +8kG/tJlUOkZjhJkXrmKPzP99wOxIzJDPSnsiBb+FIkeRlZYBh4BJ+rjD7v+yA847 +NYw/P9qfLLdPVlM5fbEytQHjzB70XsnP7bEB5VmL167oP64fuVpaQh9znQXQjXw8 +xYfYPM21VXASSfjKtbUNiTyMXetXfwufOOTxe3ulV2JjaaNes8poLFZ0Ikl78oPJ +aRoSmYU7Jxf15rhXqtRLHmd9/KusNUAhVip6A0yP21J/S+FAOCdT158AV3GFedC/ +i/xKe7cNOSPh2s/ZhJeGrceiP+fSBjfkcjmVwY3Qq2K0u4iV4L32Hy7df772 +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem.certspec b/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem.certspec new file mode 100644 index 0000000000..d3ba461104 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem.certspec @@ -0,0 +1,3 @@ +issuer:Test Intermediate +subject:Another EE Revoked by revocations.txt +serialNumber:31 diff --git a/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt.pem b/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt.pem new file mode 100644 index 0000000000..ff1cbab707 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyTCCAbGgAwIBAgIBTjANBgkqhkiG9w0BAQsFADAcMRowGAYDVQQDDBFUZXN0 +IEludGVybWVkaWF0ZTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAw +WjAwMS4wLAYDVQQDDCVBbm90aGVyIEVFIFJldm9rZWQgYnkgcmV2b2NhdGlvbnMu +dHh0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62 +iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHql +WqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosq +Qe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ +ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8i +b2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoY +CjXtjQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBlUJh1KOy5qUMu/lJ3vWPDZ1Vn +dtoODkWS5jgjc6tcyasVu5DHsmCblNGZzJ7INFIiWp2/VI8ohRsxUo23stpKlysa +pkAej/c7Uvnuz3JGvVlfr2Si5OqlpuxUvZms9xcVpq+i3slwjG3i/JXjSbNIReE0 +GpB7k3dkbucLe/5v01m6IX8LiDFcZKmL1JzZTJtpKdeInwNBAHvIJ9lMeuL6rFHZ +3cZde1wXhUsg2N5ZnYe52qyI9QmeQBLSL4zlUZMY8Xny0nHBChrouOfht/jTs8Wo +878HySDzJQSnVbMaQQ7drglwJqz85rEAa28ZbLrCtmN/MrrsLD/N49fDibea +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt.pem.certspec b/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt.pem.certspec new file mode 100644 index 0000000000..10f8f07cce --- /dev/null +++ b/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt.pem.certspec @@ -0,0 +1,3 @@ +issuer:Test Intermediate +subject:Another EE Revoked by revocations.txt +serialNumber:78 diff --git a/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-revocations-txt.pem b/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-revocations-txt.pem new file mode 100644 index 0000000000..d1f21d2fb7 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-revocations-txt.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICtzCCAZ+gAwIBAgIBKjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0 +IENBMCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBaMCgxJjAkBgNV +BAMMHUVFIFJldm9rZWQgYnkgcmV2b2NhdGlvbnMudHh0MIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds +JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4 +ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25 +iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3 +4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42 +yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqGSIb3 +DQEBCwUAA4IBAQCKZ8Fkq/PRqRt416vv4AiRLvwO3a3/6IdGFnCYQE5WU99oYMzT +JyVF9mzMjRErKPqGhHMYVIu+4O87kUa3lcYFhvXGQmDRglu9ZAZ+liIPnjO+B484 +JNFyJYqZELBr1ndFj5ipJxKe0G/QgaONRIH/4OrM3cabGQnzLZE4BnwkaI8tG3xA +g8R9frLnBK/ShwB95nlZlqLZcz/Dg/reDmfFuG8Qeqx56bWEW9r8QxBJxdJyvZU3 +87wDETb8K54vJEHjKj7aaByTU0ynivXkih5qFbxCPvMaqRtFZm0hnoe51hSmLdPq +r9sdIhxaOWvk1RwLOzPigsbDXpkJp9OuYBQM +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-revocations-txt.pem.certspec b/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-revocations-txt.pem.certspec new file mode 100644 index 0000000000..a2a67d909c --- /dev/null +++ b/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-revocations-txt.pem.certspec @@ -0,0 +1,3 @@ +issuer:Test CA +subject:EE Revoked by revocations.txt +serialNumber:42 diff --git a/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-subject-and-pubkey.pem b/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-subject-and-pubkey.pem new file mode 100644 index 0000000000..479058f9bb --- /dev/null +++ b/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-subject-and-pubkey.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIICzTCCAbWgAwIBAgIUayHb9Obz2uNyFbwZlXV6mUEdRtAwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw +MjA0MDAwMDAwWjArMSkwJwYDVQQDDCBFRSBSZXZva2VkIEJ5IFN1YmplY3QgYW5k +IFB1YktleTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW +Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk +cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT +AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3 +ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh +s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV +A6zaGAo17Y0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAb5nc34vUDqvmAU3yGnha +fhLCaxIFkNpdQFmbqrZ+0meqA9aGyq0WczoFrDW1UOQ2mgj9ywsnk3SCRlZKApsj +NlOC0BrYW05zLe9yDJMlPd6fykPpCiats4hVRrAjqFkDPxlFuhcTF5FMTats1XYX +emLuJvls5M+3AlE6q3sMTXeJepOThfKkDZBMIlyBQLjq4jLpkFUOALOub1zJIFPM +UJyvJtTvB71KraVXjyknPkIX4MkO94jh7WGDWXLzGRBEjDrH+BD3xlQZf+jD4jyx +vBkyjZX19ncl3pQVv8Uro2tx6dW9868Szs7IaLheQ74EFYWmNq+6xQIMTHlISi8a +1g== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-subject-and-pubkey.pem.certspec b/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-subject-and-pubkey.pem.certspec new file mode 100644 index 0000000000..cadbcf9038 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-subject-and-pubkey.pem.certspec @@ -0,0 +1,2 @@ +issuer:Test CA +subject:EE Revoked By Subject and PubKey diff --git a/security/manager/ssl/tests/unit/test_onecrl/same-issuer-ee.pem b/security/manager/ssl/tests/unit/test_onecrl/same-issuer-ee.pem new file mode 100644 index 0000000000..829d60306a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_onecrl/same-issuer-ee.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDITCCAgmgAwIBAgIUCRWWg+sxVN12BfGt3Ge//X6/ZoEwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw +MjA0MDAwMDAwWjAiMSAwHgYDVQQDDBdBbm90aGVyIFRlc3QgRW5kLWVudGl0eTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9 +PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3 +HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3Dg +Dw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7 +EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK +lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0C +AwEAAaNbMFkwIwYDVR0RBBwwGoIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tMDIG +CCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9zdDo4ODg4 +LzANBgkqhkiG9w0BAQsFAAOCAQEAQvj0s0hiJIRiOgwOfV1hRfuVj8zBqo1DQzlI +mCH4qhNYfq9wUmPtZaaj9aPXpkMnzxTHArLVeeX8RQP8Wm/4ZJ/jGPPX0le+/jzU +t2bVb32JFWOjcDPK0TAbOrqJQ6p41cYEzS7+E9xQVSCoq6urm8xrUeh89URfG89/ +Gkf4q0ms1NrCzfgxd8gj5jBpArbSp6VtoJ7m0FTPEhTEgGuRACyP1a3gU3ayZzfh +8fy4oiIE86VPMccWXK8LaPnQD/4ksSKnBKSQp/vf3DJ2RLEmVN25bN+oi516PUjC +DvAkhLiqzm6vNktqKQiJuBz0ojMeerd1Cf50Tea0NB0q99tuFw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_onecrl/same-issuer-ee.pem.certspec b/security/manager/ssl/tests/unit/test_onecrl/same-issuer-ee.pem.certspec new file mode 100644 index 0000000000..8b20f03f59 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_onecrl/same-issuer-ee.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test CA +subject:Another Test End-entity +extension:subjectAlternativeName:localhost,*.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/test_onecrl/sample_revocations.txt b/security/manager/ssl/tests/unit/test_onecrl/sample_revocations.txt new file mode 100644 index 0000000000..2ee2b87b2a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_onecrl/sample_revocations.txt @@ -0,0 +1,41 @@ +# a sample revocations.txt for tests +# Lines starting with '#' are ignored - as are empty lines like this: + +# otherwise: +# non-empty lines are treated as base-64 encoded DER DN data (e.g. issuer or +# subject) +# ...unless the line starts with a ' ' (space) character, in which case it's +# assumed to be base-64 encoded DER serial data, or +# the line starts with a '\t' (tab) character, in which case it's assumed to +# be a base-64 encoded SHA256 hash of a public key + +# First a serial with no issuer to ensure this doesn't cause parsing to fail +# (there should be an issuer first, but we need to test this won't fail) + dGVzdA== +# next, let's ensure data that isn't valid base64 doesn't cause breakage. + this serial isn't valid base64 (but then there's no issuer anyway) +Neither is this issuer, though the serial is fine + dGVzdA== +dGVzdA== + in this case, issuer is fine but not the serial +# Next two entries; we can add valid base-64 encoded data for some basic tests: +# issuer is the base-64 encoded subject DN for the shared Test CA +# serial is the base-64 encoded integer 42 +MBIxEDAOBgNVBAMMB1Rlc3QgQ0E= + Kg== +# issuer is the base-64 encoded subject DN for the shared Test Intermediate +# the first serial is the base-64 encoded integer 78 +# the second serial is the base-64 encoded integer 31 +MBwxGjAYBgNVBAMMEVRlc3QgSW50ZXJtZWRpYXRl + Tg== + Hw== + c2VyaWFsMi4= +# subject is base-64 encoded subject DN "CN=EE Revoked By Subject and PubKey" +# pubKeyHash is the base-64 encoded sha256 hash of the shared RSA SPKI +MCsxKTAnBgNVBAMMIEVFIFJldm9rZWQgQnkgU3ViamVjdCBhbmQgUHViS2V5 + VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8= +# and some more data to ensure that mixed items don't cause parsing failure +a DN + a serial + a hash + another serial diff --git a/security/manager/ssl/tests/unit/test_onecrl/test-int-ee.pem b/security/manager/ssl/tests/unit/test_onecrl/test-int-ee.pem new file mode 100644 index 0000000000..ea4de5df48 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_onecrl/test-int-ee.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC6jCCAdKgAwIBAgIUI+fSldu453DNk3lAfGlpSIh/9lEwDQYJKoZIhvcNAQEL +BQAwHDEaMBgGA1UEAwwRVGVzdCBJbnRlcm1lZGlhdGUwIhgPMjAyMjExMjcwMDAw +MDBaGA8yMDI1MDIwNDAwMDAwMFowJDEiMCAGA1UEAwwZRUUgaXNzdWVkIGJ5IGlu +dGVybWVkaWF0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahE +jhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1 +a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1p +GrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW +2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcO +p2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJR +xDHVA6zaGAo17Y0CAwEAAaMYMBYwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA0GCSqG +SIb3DQEBCwUAA4IBAQAXxofSjWj1UxCsKaPgqaeHqerNYTHgn8rLlMtD73pDIiq9 +r+YDWyf8b97RfPFPP2eNDyDmjvbEl6sXwtB9+zxf+rof9jBV1Oxfqf2NkNgOnRHW +pNaFUK8umcLeBR02wpHbjXl3tx5NVk69S/r3J9wyMEsd+Rh2bFE+7KV068AhU++o +edg6Eq5t9biISQwOBFdX7a5I/Jw94kRODJOi+f1zHyJk+o2cI9ZYVdXyWreuLBAn +cj/gAKf8/d2HbbXHysOOCKgYqZKRFVN9vBDjVmIRaRXsW3t8Oxa8/uytPZvoqVLM +8bbJuJE9kTGAhtLlCppIRv4/m4Okh3MBzCY5ZaKB +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_onecrl/test-int-ee.pem.certspec b/security/manager/ssl/tests/unit/test_onecrl/test-int-ee.pem.certspec new file mode 100644 index 0000000000..24792d540a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_onecrl/test-int-ee.pem.certspec @@ -0,0 +1,3 @@ +issuer:Test Intermediate +subject:EE issued by intermediate +extension:subjectAlternativeName:localhost diff --git a/security/manager/ssl/tests/unit/test_osclientcerts_module.js b/security/manager/ssl/tests/unit/test_osclientcerts_module.js new file mode 100644 index 0000000000..bebc0aa58b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_osclientcerts_module.js @@ -0,0 +1,60 @@ +/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */ +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ +"use strict"; + +// Tests that the platform can load the osclientcerts module. + +// Ensure that the appropriate initialization has happened. +Services.prefs.setBoolPref("security.osclientcerts.autoload", false); +do_get_profile(); + +const { TestUtils } = ChromeUtils.importESModule( + "resource://testing-common/TestUtils.sys.mjs" +); + +async function check_osclientcerts_module_loaded() { + // Loading happens asynchronously, so we have to wait for the notification. + await TestUtils.topicObserved("psm:load-os-client-certs-module-task-ran"); + let testModule = checkPKCS11ModuleExists( + "OS Client Cert Module", + "osclientcerts" + ); + + // Check that listing the slots for the osclientcerts module works. + let testModuleSlotNames = Array.from( + testModule.listSlots(), + slot => slot.name + ); + testModuleSlotNames.sort(); + const expectedSlotNames = ["OS Client Cert Slot"]; + deepEqual( + testModuleSlotNames, + expectedSlotNames, + "Actual and expected slot names should be equal" + ); +} + +add_task(async function run_test() { + // Check that if we haven't loaded the osclientcerts module, we don't find it + // in the module list. + checkPKCS11ModuleNotPresent("OS Client Cert Module", "osclientcerts"); + + // Check that enabling the pref that loads the osclientcerts module makes it + // appear in the module list. + Services.prefs.setBoolPref("security.osclientcerts.autoload", true); + await check_osclientcerts_module_loaded(); + + // Check that disabling the pref that loads the osclientcerts module (thus + // unloading the module) makes it disappear from the module list. + Services.prefs.setBoolPref("security.osclientcerts.autoload", false); + checkPKCS11ModuleNotPresent("OS Client Cert Module", "osclientcerts"); + + // Check that loading the module again succeeds. + Services.prefs.setBoolPref("security.osclientcerts.autoload", true); + await check_osclientcerts_module_loaded(); + + // And once more check that unloading succeeds. + Services.prefs.setBoolPref("security.osclientcerts.autoload", false); + checkPKCS11ModuleNotPresent("OS Client Cert Module", "osclientcerts"); +}); diff --git a/security/manager/ssl/tests/unit/test_oskeystore.js b/security/manager/ssl/tests/unit/test_oskeystore.js new file mode 100644 index 0000000000..fcc9de6c59 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_oskeystore.js @@ -0,0 +1,272 @@ +/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */ +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ +"use strict"; + +// Tests the methods and attributes for interfacing with nsIOSKeyStore. + +// Ensure that the appropriate initialization has happened. +do_get_profile(); + +const LABELS = ["mylabel1", "mylabel2", "mylabel3"]; + +async function delete_all_secrets() { + let keystore = Cc["@mozilla.org/security/oskeystore;1"].getService( + Ci.nsIOSKeyStore + ); + for (let label of LABELS) { + if (await keystore.asyncSecretAvailable(label)) { + await keystore.asyncDeleteSecret(label); + ok( + !(await keystore.asyncSecretAvailable(label)), + label + " should be deleted now." + ); + } + } +} + +async function encrypt_decrypt_test() { + let keystore = Cc["@mozilla.org/security/oskeystore;1"].getService( + Ci.nsIOSKeyStore + ); + ok( + !(await keystore.asyncSecretAvailable(LABELS[0])), + "The secret should not be available yet." + ); + + let recoveryPhrase = await keystore.asyncGenerateSecret(LABELS[0]); + ok(recoveryPhrase, "A recovery phrase should've been created."); + let recoveryPhrase2 = await keystore.asyncGenerateSecret(LABELS[1]); + ok(recoveryPhrase2, "A recovery phrase should've been created."); + + let text = new Uint8Array([0x01, 0x00, 0x01]); + let ciphertext = ""; + try { + ciphertext = await keystore.asyncEncryptBytes(LABELS[0], text); + ok(ciphertext, "We should have a ciphertext now."); + } catch (e) { + ok(false, "Error encrypting " + e); + } + + // Decrypting should give us the plaintext bytes again. + try { + let plaintext = await keystore.asyncDecryptBytes(LABELS[0], ciphertext); + ok( + plaintext.toString() == text.toString(), + "Decrypted plaintext should be the same as text." + ); + } catch (e) { + ok(false, "Error decrypting ciphertext " + e); + } + + // Decrypting with a wrong key should throw an error. + try { + await keystore.asyncDecryptBytes(LABELS[1], ciphertext); + ok(false, "Decrypting with the wrong key should fail."); + } catch (e) { + ok(true, "Decrypting with the wrong key should fail " + e); + } +} + +add_task(async function () { + await delete_all_secrets(); + await encrypt_decrypt_test(); + await delete_all_secrets(); +}); + +// Test that using a recovery phrase works. +add_task(async function () { + await delete_all_secrets(); + + let keystore = Cc["@mozilla.org/security/oskeystore;1"].getService( + Ci.nsIOSKeyStore + ); + + let recoveryPhrase = await keystore.asyncGenerateSecret(LABELS[0]); + ok(recoveryPhrase, "A recovery phrase should've been created."); + + let text = new Uint8Array([0x01, 0x00, 0x01]); + let ciphertext = await keystore.asyncEncryptBytes(LABELS[0], text); + ok(ciphertext, "We should have a ciphertext now."); + + await keystore.asyncDeleteSecret(LABELS[0]); + // Decrypting should fail after deleting the secret. + await keystore + .asyncDecryptBytes(LABELS[0], ciphertext) + .then(() => + ok(false, "decrypting didn't throw as expected after deleting the secret") + ) + .catch(() => + ok(true, "decrypting threw as expected after deleting the secret") + ); + + await keystore.asyncRecoverSecret(LABELS[0], recoveryPhrase); + let plaintext = await keystore.asyncDecryptBytes(LABELS[0], ciphertext); + ok( + plaintext.toString() == text.toString(), + "Decrypted plaintext should be the same as text." + ); + + await delete_all_secrets(); +}); + +// Test that trying to use a non-base64 recovery phrase fails. +add_task(async function () { + await delete_all_secrets(); + + let keystore = Cc["@mozilla.org/security/oskeystore;1"].getService( + Ci.nsIOSKeyStore + ); + await keystore + .asyncRecoverSecret(LABELS[0], "@##$^&*()#$^&*(@#%&*_") + .then(() => + ok(false, "base64-decoding non-base64 should have failed but didn't") + ) + .catch(() => ok(true, "base64-decoding non-base64 failed as expected")); + + ok( + !(await keystore.asyncSecretAvailable(LABELS[0])), + "we didn't recover a secret, so the secret shouldn't be available" + ); + let recoveryPhrase = await keystore.asyncGenerateSecret(LABELS[0]); + ok( + recoveryPhrase && !!recoveryPhrase.length, + "we should be able to re-use that label to generate a new secret" + ); + await delete_all_secrets(); +}); + +// Test that re-using a label overwrites any previously-stored secret. +add_task(async function () { + await delete_all_secrets(); + + let keystore = Cc["@mozilla.org/security/oskeystore;1"].getService( + Ci.nsIOSKeyStore + ); + + let recoveryPhrase = await keystore.asyncGenerateSecret(LABELS[0]); + ok(recoveryPhrase, "A recovery phrase should've been created."); + + let text = new Uint8Array([0x66, 0x6f, 0x6f, 0x66]); + let ciphertext = await keystore.asyncEncryptBytes(LABELS[0], text); + ok(ciphertext, "We should have a ciphertext now."); + + let newRecoveryPhrase = await keystore.asyncGenerateSecret(LABELS[0]); + ok(newRecoveryPhrase, "A new recovery phrase should've been created."); + + // The new secret replaced the old one so we shouldn't be able to decrypt the ciphertext now. + await keystore + .asyncDecryptBytes(LABELS[0], ciphertext) + .then(() => + ok(false, "decrypting without the original key should have failed") + ) + .catch(() => + ok(true, "decrypting without the original key failed as expected") + ); + + await keystore.asyncRecoverSecret(LABELS[0], recoveryPhrase); + let plaintext = await keystore.asyncDecryptBytes(LABELS[0], ciphertext); + ok( + plaintext.toString() == text.toString(), + "Decrypted plaintext should be the same as text (once we have the original key again)." + ); + + await delete_all_secrets(); +}); + +// Test that re-using a label (this time using a recovery phrase) overwrites any previously-stored +// secret. +add_task(async function () { + await delete_all_secrets(); + + let keystore = Cc["@mozilla.org/security/oskeystore;1"].getService( + Ci.nsIOSKeyStore + ); + + let recoveryPhrase = await keystore.asyncGenerateSecret(LABELS[0]); + ok(recoveryPhrase, "A recovery phrase should've been created."); + + let newRecoveryPhrase = await keystore.asyncGenerateSecret(LABELS[0]); + ok(newRecoveryPhrase, "A new recovery phrase should've been created."); + + let text = new Uint8Array([0x66, 0x6f, 0x6f, 0x66]); + let ciphertext = await keystore.asyncEncryptBytes(LABELS[0], text); + ok(ciphertext, "We should have a ciphertext now."); + + await keystore.asyncRecoverSecret(LABELS[0], recoveryPhrase); + + // We recovered the old secret, so decrypting ciphertext that had been encrypted with the newer + // key should fail. + await keystore + .asyncDecryptBytes(LABELS[0], ciphertext) + .then(() => ok(false, "decrypting without the new key should have failed")) + .catch(() => ok(true, "decrypting without the new key failed as expected")); + + await keystore.asyncRecoverSecret(LABELS[0], newRecoveryPhrase); + let plaintext = await keystore.asyncDecryptBytes(LABELS[0], ciphertext); + ok( + plaintext.toString() == text.toString(), + "Decrypted plaintext should be the same as text (once we have the new key again)." + ); + + await delete_all_secrets(); +}); + +// Test that trying to use recovery phrases that are the wrong size fails. +add_task(async function () { + await delete_all_secrets(); + + let keystore = Cc["@mozilla.org/security/oskeystore;1"].getService( + Ci.nsIOSKeyStore + ); + + await keystore + .asyncRecoverSecret(LABELS[0], "") + .then(() => ok(false, "'recovering' with an empty key should have failed")) + .catch(() => ok(true, "'recovering' with an empty key failed as expected")); + ok( + !(await keystore.asyncSecretAvailable(LABELS[0])), + "we didn't recover a secret, so the secret shouldn't be available" + ); + + await keystore + .asyncRecoverSecret(LABELS[0], "AAAAAA") + .then(() => + ok(false, "recovering with a key that is too short should have failed") + ) + .catch(() => + ok(true, "recovering with a key that is too short failed as expected") + ); + ok( + !(await keystore.asyncSecretAvailable(LABELS[0])), + "we didn't recover a secret, so the secret shouldn't be available" + ); + + await keystore + .asyncRecoverSecret( + LABELS[0], + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" + ) + .then(() => + ok(false, "recovering with a key that is too long should have failed") + ) + .catch(() => + ok(true, "recovering with a key that is too long failed as expected") + ); + ok( + !(await keystore.asyncSecretAvailable(LABELS[0])), + "we didn't recover a secret, so the secret shouldn't be available" + ); + + let recoveryPhrase = await keystore.asyncGenerateSecret(LABELS[0]); + ok( + recoveryPhrase && !!recoveryPhrase.length, + "we should be able to use that label to generate a new secret" + ); + ok( + await keystore.asyncSecretAvailable(LABELS[0]), + "the generated secret should now be available" + ); + + await delete_all_secrets(); +}); diff --git a/security/manager/ssl/tests/unit/test_osreauthenticator.js b/security/manager/ssl/tests/unit/test_osreauthenticator.js new file mode 100644 index 0000000000..01784a5fef --- /dev/null +++ b/security/manager/ssl/tests/unit/test_osreauthenticator.js @@ -0,0 +1,27 @@ +/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */ +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ +"use strict"; + +// Tests nsIOSReauthenticator.asyncReauthenticateUser(). +// As this gets implemented on various platforms, running this test +// will result in a prompt from the OS. Consequently, we won't be able +// to run this in automation, but it will help in testing locally. +add_task(async function test_asyncReauthenticateUser() { + const reauthenticator = Cc[ + "@mozilla.org/security/osreauthenticator;1" + ].getService(Ci.nsIOSReauthenticator); + ok(reauthenticator, "nsIOSReauthenticator should be available"); + const EXPECTED = false; // Change this variable to suit your needs while testing. + ok( + ( + await reauthenticator.asyncReauthenticateUser( + "this is the prompt string", + "this is the caption string", + null + ) + )[0] == EXPECTED, + "nsIOSReauthenticator.asyncReauthenticateUser should return a boolean array with the first item being the authentication result of: " + + EXPECTED + ); +}); diff --git a/security/manager/ssl/tests/unit/test_password_prompt.js b/security/manager/ssl/tests/unit/test_password_prompt.js new file mode 100644 index 0000000000..cf4c6db7bf --- /dev/null +++ b/security/manager/ssl/tests/unit/test_password_prompt.js @@ -0,0 +1,87 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ +"use strict"; + +// Tests that PSM can successfully ask for a password from the user and relay it +// back to NSS. Does so by mocking out the actual dialog and "filling in" the +// password. Also tests that providing an incorrect password will fail (well, +// technically the user will just get prompted again, but if they then cancel +// the dialog the overall operation will fail). + +var gMockPrompter = { + passwordToTry: null, + numPrompts: 0, + + // This intentionally does not use arrow function syntax to avoid an issue + // where in the context of the arrow function, |this != gMockPrompter| due to + // how objects get wrapped when going across xpcom boundaries. + promptPassword(dialogTitle, text, password, checkMsg, checkValue) { + this.numPrompts++; + if (this.numPrompts > 1) { + // don't keep retrying a bad password + return false; + } + equal( + text, + "Please enter your Primary Password.", + "password prompt text should be as expected" + ); + equal(checkMsg, null, "checkMsg should be null"); + ok(this.passwordToTry, "passwordToTry should be non-null"); + password.value = this.passwordToTry; + return true; + }, + + QueryInterface: ChromeUtils.generateQI(["nsIPrompt"]), +}; + +// Mock nsIWindowWatcher. PSM calls getNewPrompter on this to get an nsIPrompt +// to call promptPassword. We return the mock one, above. +var gWindowWatcher = { + getNewPrompter: () => gMockPrompter, + QueryInterface: ChromeUtils.generateQI(["nsIWindowWatcher"]), +}; + +function run_test() { + do_get_profile(); + + let windowWatcherCID = MockRegistrar.register( + "@mozilla.org/embedcomp/window-watcher;1", + gWindowWatcher + ); + registerCleanupFunction(() => { + MockRegistrar.unregister(windowWatcherCID); + }); + + // Set an initial password. + let tokenDB = Cc["@mozilla.org/security/pk11tokendb;1"].getService( + Ci.nsIPK11TokenDB + ); + let token = tokenDB.getInternalKeyToken(); + token.initPassword("hunter2"); + token.logoutSimple(); + + // Try with the correct password. + gMockPrompter.passwordToTry = "hunter2"; + // Using nsISecretDecoderRing will cause the password prompt to come up if the + // token has a password and is logged out. + let sdr = Cc["@mozilla.org/security/sdr;1"].getService( + Ci.nsISecretDecoderRing + ); + sdr.encryptString("poke"); + equal(gMockPrompter.numPrompts, 1, "should have prompted for password once"); + + // Reset state. + gMockPrompter.numPrompts = 0; + token.logoutSimple(); + + // Try with an incorrect password. + gMockPrompter.passwordToTry = "*******"; + throws( + () => sdr.encryptString("poke2"), + /NS_ERROR_FAILURE/, + "logging in with the wrong password should fail" + ); + equal(gMockPrompter.numPrompts, 2, "should have prompted for password twice"); +} diff --git a/security/manager/ssl/tests/unit/test_pinning.js b/security/manager/ssl/tests/unit/test_pinning.js new file mode 100644 index 0000000000..1a0fa866aa --- /dev/null +++ b/security/manager/ssl/tests/unit/test_pinning.js @@ -0,0 +1,318 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. +// +// For all cases, the acceptable pinset includes only certificates pinned to +// Test End Entity Cert (signed by issuer testCA). Other certificates +// are issued by otherCA, which is never in the pinset but is a user-specified +// trust anchor. This test covers multiple cases: +// +// Pinned domain include-subdomains.pinning.example.com includes subdomains +// - PASS: include-subdomains.pinning.example.com serves a correct cert +// - PASS: good.include-subdomains.pinning.example.com serves a correct cert +// - FAIL (strict): bad.include-subdomains.pinning.example.com serves a cert +// not in the pinset +// - PASS (mitm): bad.include-subdomains.pinning.example.com serves a cert not +// in the pinset, but issued by a user-specified trust domain +// +// Pinned domain exclude-subdomains.pinning.example.com excludes subdomains +// - PASS: exclude-subdomains.pinning.example.com serves a correct cert +// - FAIL: exclude-subdomains.pinning.example.com serves an incorrect cert +// (TODO: test using verifyCertNow) +// - PASS: sub.exclude-subdomains.pinning.example.com serves an incorrect cert + +"use strict"; + +// Enable the collection (during test) for all products so even products +// that don't collect the data will be able to run the test without failure. +Services.prefs.setBoolPref( + "toolkit.telemetry.testing.overrideProductsCheck", + true +); + +do_get_profile(); // must be called before getting nsIX509CertDB +const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +function add_clear_override(host) { + add_test(function () { + let certOverrideService = Cc[ + "@mozilla.org/security/certoverride;1" + ].getService(Ci.nsICertOverrideService); + certOverrideService.clearValidityOverride(host, 8443, {}); + run_next_test(); + }); +} + +function test_strict() { + // In strict mode, we always evaluate pinning data, regardless of whether the + // issuer is a built-in trust anchor. We only enforce pins that are not in + // test mode. + add_test(function () { + Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 2); + run_next_test(); + }); + + // Normally this is overridable. But, since we have pinning information for + // this host, we don't allow overrides. + add_prevented_cert_override_test( + "unknownissuer.include-subdomains.pinning.example.com", + SEC_ERROR_UNKNOWN_ISSUER + ); + add_clear_override("unknownissuer.include-subdomains.pinning.example.com"); + + // Issued by otherCA, which is not in the pinset for pinning.example.com. + add_connection_test( + "bad.include-subdomains.pinning.example.com", + MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE + ); + + // Check that using a FQDN doesn't bypass pinning. + add_connection_test( + "bad.include-subdomains.pinning.example.com.", + MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE + ); + // For some reason this is also navigable (see bug 1118522). + add_connection_test( + "bad.include-subdomains.pinning.example.com..", + MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE + ); + + // These domains serve certs that match the pinset. + add_connection_test( + "include-subdomains.pinning.example.com", + PRErrorCodeSuccess + ); + add_connection_test( + "good.include-subdomains.pinning.example.com", + PRErrorCodeSuccess + ); + add_connection_test( + "exclude-subdomains.pinning.example.com", + PRErrorCodeSuccess + ); + + // This domain serves a cert that doesn't match the pinset, but subdomains + // are excluded. + add_connection_test( + "sub.exclude-subdomains.pinning.example.com", + PRErrorCodeSuccess + ); + + // This domain's pinset is exactly the same as + // include-subdomains.pinning.example.com, serves the same cert as + // bad.include-subdomains.pinning.example.com, but it should pass because + // it's in test_mode. + add_connection_test("test-mode.pinning.example.com", PRErrorCodeSuccess); + // Similarly, this pin is in test-mode, so it should be overridable. + add_cert_override_test( + "unknownissuer.test-mode.pinning.example.com", + SEC_ERROR_UNKNOWN_ISSUER + ); + add_clear_override("unknownissuer.test-mode.pinning.example.com"); +} + +function test_mitm() { + // In MITM mode, we allow pinning to pass if the chain resolves to any + // user-specified trust anchor, even if it is not in the pinset. + add_test(function () { + Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 1); + run_next_test(); + }); + + add_connection_test( + "include-subdomains.pinning.example.com", + PRErrorCodeSuccess + ); + add_connection_test( + "good.include-subdomains.pinning.example.com", + PRErrorCodeSuccess + ); + + // Normally this is overridable. But, since we have pinning information for + // this host, we don't allow overrides (since building a trusted chain fails, + // we have no reason to believe this was issued by a user-added trust + // anchor, so we can't allow overrides for it). + add_prevented_cert_override_test( + "unknownissuer.include-subdomains.pinning.example.com", + SEC_ERROR_UNKNOWN_ISSUER + ); + add_clear_override("unknownissuer.include-subdomains.pinning.example.com"); + + // In this case, even though otherCA is not in the pinset, it is a + // user-specified trust anchor and the pinning check succeeds. + add_connection_test( + "bad.include-subdomains.pinning.example.com", + PRErrorCodeSuccess + ); + + add_connection_test( + "exclude-subdomains.pinning.example.com", + PRErrorCodeSuccess + ); + add_connection_test( + "sub.exclude-subdomains.pinning.example.com", + PRErrorCodeSuccess + ); + add_connection_test("test-mode.pinning.example.com", PRErrorCodeSuccess); + add_cert_override_test( + "unknownissuer.test-mode.pinning.example.com", + SEC_ERROR_UNKNOWN_ISSUER + ); + add_clear_override("unknownissuer.test-mode.pinning.example.com"); +} + +function test_disabled() { + // Disable pinning. + add_test(function () { + Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 0); + run_next_test(); + }); + + add_connection_test( + "include-subdomains.pinning.example.com", + PRErrorCodeSuccess + ); + add_connection_test( + "good.include-subdomains.pinning.example.com", + PRErrorCodeSuccess + ); + add_connection_test( + "bad.include-subdomains.pinning.example.com", + PRErrorCodeSuccess + ); + add_connection_test( + "exclude-subdomains.pinning.example.com", + PRErrorCodeSuccess + ); + add_connection_test( + "sub.exclude-subdomains.pinning.example.com", + PRErrorCodeSuccess + ); + add_connection_test("test-mode.pinning.example.com", PRErrorCodeSuccess); + + add_cert_override_test( + "unknownissuer.include-subdomains.pinning.example.com", + SEC_ERROR_UNKNOWN_ISSUER + ); + add_clear_override("unknownissuer.include-subdomains.pinning.example.com"); + add_cert_override_test( + "unknownissuer.test-mode.pinning.example.com", + SEC_ERROR_UNKNOWN_ISSUER + ); + add_clear_override("unknownissuer.test-mode.pinning.example.com"); +} + +function test_enforce_test_mode() { + // In enforce test mode, we always enforce all pins, even test pins. + add_test(function () { + Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 3); + run_next_test(); + }); + + // Normally this is overridable. But, since we have pinning information for + // this host, we don't allow overrides. + add_prevented_cert_override_test( + "unknownissuer.include-subdomains.pinning.example.com", + SEC_ERROR_UNKNOWN_ISSUER + ); + add_clear_override("unknownissuer.include-subdomains.pinning.example.com"); + + // Issued by otherCA, which is not in the pinset for pinning.example.com. + add_connection_test( + "bad.include-subdomains.pinning.example.com", + MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE + ); + + // These domains serve certs that match the pinset. + add_connection_test( + "include-subdomains.pinning.example.com", + PRErrorCodeSuccess + ); + add_connection_test( + "good.include-subdomains.pinning.example.com", + PRErrorCodeSuccess + ); + add_connection_test( + "exclude-subdomains.pinning.example.com", + PRErrorCodeSuccess + ); + + // This domain serves a cert that doesn't match the pinset, but subdomains + // are excluded. + add_connection_test( + "sub.exclude-subdomains.pinning.example.com", + PRErrorCodeSuccess + ); + + // This domain's pinset is exactly the same as + // include-subdomains.pinning.example.com, serves the same cert as + // bad.include-subdomains.pinning.example.com, is in test-mode, but we are + // enforcing test mode pins. + add_connection_test( + "test-mode.pinning.example.com", + MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE + ); + // Normally this is overridable. But, since we have pinning information for + // this host (and since we're enforcing test mode), we don't allow overrides. + add_prevented_cert_override_test( + "unknownissuer.test-mode.pinning.example.com", + SEC_ERROR_UNKNOWN_ISSUER + ); + add_clear_override("unknownissuer.test-mode.pinning.example.com"); +} + +function check_pinning_telemetry() { + let prod_histogram = Services.telemetry + .getHistogramById("CERT_PINNING_RESULTS") + .snapshot(); + let test_histogram = Services.telemetry + .getHistogramById("CERT_PINNING_TEST_RESULTS") + .snapshot(); + // Because all of our test domains are pinned to user-specified trust + // anchors, effectively only strict mode and enforce test-mode get evaluated + equal( + prod_histogram.values[0], + 4, + "Actual and expected prod (non-Mozilla) failure count should match" + ); + equal( + prod_histogram.values[1], + 6, + "Actual and expected prod (non-Mozilla) success count should match" + ); + equal( + test_histogram.values[0], + 2, + "Actual and expected test (non-Mozilla) failure count should match" + ); + equal( + test_histogram.values[1] || 0, + 0, + "Actual and expected test (non-Mozilla) success count should match" + ); + + run_next_test(); +} + +function run_test() { + // Ensure that static pinning works when HPKP is disabled. + Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", false); + + add_tls_server_setup("BadCertAndPinningServer", "bad_certs"); + + // Add a user-specified trust anchor. + addCertFromFile(certdb, "bad_certs/other-test-ca.pem", "CTu,u,u"); + + test_strict(); + test_mitm(); + test_disabled(); + test_enforce_test_mode(); + + add_test(function () { + check_pinning_telemetry(); + }); + run_next_test(); +} diff --git a/security/manager/ssl/tests/unit/test_pkcs11_module.js b/security/manager/ssl/tests/unit/test_pkcs11_module.js new file mode 100644 index 0000000000..abad2dbb54 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_pkcs11_module.js @@ -0,0 +1,58 @@ +/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */ +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ +"use strict"; + +// Tests the methods and attributes for interfacing with a PKCS #11 module and +// the module database. + +// Ensure that the appropriate initialization has happened. +do_get_profile(); + +const gModuleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService( + Ci.nsIPKCS11ModuleDB +); + +function run_test() { + // Check that if we have never added the test module, that we don't find it + // in the module list. + checkPKCS11ModuleNotPresent("PKCS11 Test Module", "pkcs11testmodule"); + + // Check that adding the test module makes it appear in the module list. + let libraryFile = Services.dirsvc.get("CurWorkD", Ci.nsIFile); + libraryFile.append("pkcs11testmodule"); + libraryFile.append(ctypes.libraryName("pkcs11testmodule")); + loadPKCS11Module(libraryFile, "PKCS11 Test Module", true); + let testModule = checkPKCS11ModuleExists( + "PKCS11 Test Module", + "pkcs11testmodule" + ); + + // Check that listing the slots for the test module works. + let testModuleSlotNames = Array.from( + testModule.listSlots(), + slot => slot.name + ); + testModuleSlotNames.sort(); + const expectedSlotNames = [ + "Empty PKCS11 Slot", + "Test PKCS11 Slot", + "Test PKCS11 Slot 二", + ]; + deepEqual( + testModuleSlotNames, + expectedSlotNames, + "Actual and expected slot names should be equal" + ); + + // Check that deleting the test module makes it disappear from the module list. + let pkcs11ModuleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService( + Ci.nsIPKCS11ModuleDB + ); + pkcs11ModuleDB.deleteModule("PKCS11 Test Module"); + checkPKCS11ModuleNotPresent("PKCS11 Test Module", "pkcs11testmodule"); + + // Check miscellaneous module DB methods and attributes. + ok(!gModuleDB.canToggleFIPS, "It should NOT be possible to toggle FIPS"); + ok(!gModuleDB.isFIPSEnabled, "FIPS should not be enabled"); +} diff --git a/security/manager/ssl/tests/unit/test_pkcs11_moduleDB.js b/security/manager/ssl/tests/unit/test_pkcs11_moduleDB.js new file mode 100644 index 0000000000..e8cbf17abf --- /dev/null +++ b/security/manager/ssl/tests/unit/test_pkcs11_moduleDB.js @@ -0,0 +1,46 @@ +/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */ +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ +"use strict"; + +// Tests that adding modules with invalid names are prevented. + +// Ensure that the appropriate initialization has happened. +do_get_profile(); + +function run_test() { + let libraryFile = Services.dirsvc.get("CurWorkD", Ci.nsIFile); + libraryFile.append("pkcs11testmodule"); + libraryFile.append(ctypes.libraryName("pkcs11testmodule")); + ok(libraryFile.exists(), "The pkcs11testmodule file should exist"); + + let moduleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService( + Ci.nsIPKCS11ModuleDB + ); + throws( + () => moduleDB.addModule("Root Certs", libraryFile.path, 0, 0), + /NS_ERROR_ILLEGAL_VALUE/, + "Adding a module named 'Root Certs' should fail." + ); + throws( + () => moduleDB.addModule("", libraryFile.path, 0, 0), + /NS_ERROR_ILLEGAL_VALUE/, + "Adding a module with an empty name should fail." + ); + + let bundle = Services.strings.createBundle( + "chrome://pipnss/locale/pipnss.properties" + ); + let rootsModuleName = bundle.GetStringFromName("RootCertModuleName"); + let foundRootsModule = false; + for (let module of moduleDB.listModules()) { + if (module.name == rootsModuleName) { + foundRootsModule = true; + break; + } + } + ok( + foundRootsModule, + "Should be able to find builtin roots module by localized name." + ); +} diff --git a/security/manager/ssl/tests/unit/test_pkcs11_safe_mode.js b/security/manager/ssl/tests/unit/test_pkcs11_safe_mode.js new file mode 100644 index 0000000000..e4e3467d79 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_pkcs11_safe_mode.js @@ -0,0 +1,58 @@ +/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +// In safe mode, PKCS#11 modules should not be loaded. This test tests this by +// simulating starting in safe mode and then attempting to load a module. + +function run_test() { + do_get_profile(); + + // Simulate starting in safe mode. + let xulRuntime = { + inSafeMode: true, + logConsoleErrors: true, + OS: "XPCShell", + XPCOMABI: "noarch-spidermonkey", + invalidateCachesOnRestart: function invalidateCachesOnRestart() { + // Do nothing + }, + QueryInterface: ChromeUtils.generateQI(["nsIXULRuntime"]), + }; + + let xulRuntimeFactory = { + createInstance(iid) { + return xulRuntime.QueryInterface(iid); + }, + }; + + let registrar = Components.manager.QueryInterface(Ci.nsIComponentRegistrar); + const XULRUNTIME_CONTRACTID = "@mozilla.org/xre/runtime;1"; + const XULRUNTIME_CID = Components.ID( + "{f0f0b230-5525-4127-98dc-7bca39059e70}" + ); + registrar.registerFactory( + XULRUNTIME_CID, + "XULRuntime", + XULRUNTIME_CONTRACTID, + xulRuntimeFactory + ); + + // When starting in safe mode, the test module should fail to load. + let pkcs11ModuleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService( + Ci.nsIPKCS11ModuleDB + ); + let libraryName = ctypes.libraryName("pkcs11testmodule"); + let libraryFile = Services.dirsvc.get("CurWorkD", Ci.nsIFile); + libraryFile.append("pkcs11testmodule"); + libraryFile.append(libraryName); + ok(libraryFile.exists(), "The pkcs11testmodule file should exist"); + throws( + () => + pkcs11ModuleDB.addModule("PKCS11 Test Module", libraryFile.path, 0, 0), + /NS_ERROR_FAILURE/, + "addModule should throw when in safe mode" + ); +} diff --git a/security/manager/ssl/tests/unit/test_pkcs11_slot.js b/security/manager/ssl/tests/unit/test_pkcs11_slot.js new file mode 100644 index 0000000000..dba2a4d3a1 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_pkcs11_slot.js @@ -0,0 +1,161 @@ +/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */ +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ +"use strict"; + +// Tests the methods and attributes for interfacing with a PKCS #11 slot. + +// Ensure that the appropriate initialization has happened. +do_get_profile(); + +function find_slot_by_name(module, name) { + for (let slot of module.listSlots()) { + if (slot.name == name) { + return slot; + } + } + return null; +} + +function find_module_by_name(moduleDB, name) { + for (let slot of moduleDB.listModules()) { + if (slot.name == name) { + return slot; + } + } + return null; +} + +var gPrompt = { + QueryInterface: ChromeUtils.generateQI(["nsIPrompt"]), + + // This intentionally does not use arrow function syntax to avoid an issue + // where in the context of the arrow function, |this != gPrompt| due to + // how objects get wrapped when going across xpcom boundaries. + alert(title, text) { + equal( + text, + "Please authenticate to the token “Test PKCS11 Tokeñ 2 Labelâ€. " + + "How to do so depends on the token (for example, using a fingerprint " + + "reader or entering a code with a keypad)." + ); + }, +}; + +const gPromptFactory = { + QueryInterface: ChromeUtils.generateQI(["nsIPromptFactory"]), + getPrompt: (aWindow, aIID) => gPrompt, +}; + +function run_test() { + MockRegistrar.register("@mozilla.org/prompter;1", gPromptFactory); + + let libraryFile = Services.dirsvc.get("CurWorkD", Ci.nsIFile); + libraryFile.append("pkcs11testmodule"); + libraryFile.append(ctypes.libraryName("pkcs11testmodule")); + loadPKCS11Module(libraryFile, "PKCS11 Test Module", false); + + let moduleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService( + Ci.nsIPKCS11ModuleDB + ); + let testModule = find_module_by_name(moduleDB, "PKCS11 Test Module"); + notEqual(testModule, null, "should be able to find test module"); + let testSlot = find_slot_by_name(testModule, "Test PKCS11 Slot 二"); + notEqual(testSlot, null, "should be able to find 'Test PKCS11 Slot 二'"); + + equal( + testSlot.name, + "Test PKCS11 Slot 二", + "Actual and expected name should match" + ); + equal( + testSlot.desc, + "Test PKCS11 Slot 二", + "Actual and expected description should match" + ); + equal( + testSlot.manID, + "Test PKCS11 Manufacturer ID", + "Actual and expected manufacturer ID should match" + ); + equal( + testSlot.HWVersion, + "0.0", + "Actual and expected hardware version should match" + ); + equal( + testSlot.FWVersion, + "0.0", + "Actual and expected firmware version should match" + ); + equal( + testSlot.status, + Ci.nsIPKCS11Slot.SLOT_NOT_LOGGED_IN, + "Actual and expected status should match" + ); + equal( + testSlot.tokenName, + "Test PKCS11 Tokeñ 2 Label", + "Actual and expected token name should match" + ); + + let testToken = testSlot.getToken(); + notEqual(testToken, null, "getToken() should succeed"); + equal( + testToken.tokenName, + "Test PKCS11 Tokeñ 2 Label", + "Spot check: the actual and expected test token names should be equal" + ); + ok(!testToken.isInternalKeyToken, "This token is not the internal key token"); + + testToken.login(true); + ok(testToken.isLoggedIn(), "Should have 'logged in' successfully"); + + testSlot = find_slot_by_name(testModule, "Empty PKCS11 Slot"); + notEqual(testSlot, null, "should be able to find 'Empty PKCS11 Slot'"); + equal(testSlot.tokenName, null, "Empty slot is empty"); + equal( + testSlot.status, + Ci.nsIPKCS11Slot.SLOT_NOT_PRESENT, + "Actual and expected status should match" + ); + + let bundle = Services.strings.createBundle( + "chrome://pipnss/locale/pipnss.properties" + ); + let internalModule = find_module_by_name( + moduleDB, + "NSS Internal PKCS #11 Module" + ); + notEqual(internalModule, null, "should be able to find internal module"); + let cryptoSlot = find_slot_by_name( + internalModule, + bundle.GetStringFromName("TokenDescription") + ); + notEqual(cryptoSlot, "should be able to find internal crypto slot"); + equal( + cryptoSlot.desc, + bundle.GetStringFromName("SlotDescription"), + "crypto slot should have expected 'desc'" + ); + equal( + cryptoSlot.manID, + bundle.GetStringFromName("ManufacturerID"), + "crypto slot should have expected 'manID'" + ); + let keySlot = find_slot_by_name( + internalModule, + bundle.GetStringFromName("PrivateTokenDescription") + ); + notEqual(keySlot, "should be able to find internal key slot"); + equal( + keySlot.desc, + bundle.GetStringFromName("PrivateSlotDescription"), + "key slot should have expected 'desc'" + ); + equal( + keySlot.manID, + bundle.GetStringFromName("ManufacturerID"), + "key slot should have expected 'manID'" + ); +} diff --git a/security/manager/ssl/tests/unit/test_pkcs11_token.js b/security/manager/ssl/tests/unit/test_pkcs11_token.js new file mode 100644 index 0000000000..575fc26b88 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_pkcs11_token.js @@ -0,0 +1,149 @@ +/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */ +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ +"use strict"; + +// Tests the methods and attributes for interfacing with a PKCS #11 token, using +// the internal key token. +// We don't use either of the test tokens in the test PKCS #11 module because: +// 1. Test token 1 cyclically inserts and removes itself in a tight loop. +// Using token 1 would complicate the test and introduce intermittent +// failures. +// 2. Neither test token implements login or password related functionality. +// We want to test such functionality. +// 3. Using the internal token lets us actually test the internal token works +// as expected. + +// Ensure that the appropriate initialization has happened. +do_get_profile(); + +function checkBasicAttributes(token) { + let bundle = Services.strings.createBundle( + "chrome://pipnss/locale/pipnss.properties" + ); + + let expectedTokenName = bundle.GetStringFromName("PrivateTokenDescription"); + equal( + token.tokenName, + expectedTokenName, + "Actual and expected name should match" + ); + equal( + token.tokenManID, + bundle.GetStringFromName("ManufacturerID"), + "Actual and expected manufacturer ID should match" + ); + equal( + token.tokenHWVersion, + "0.0", + "Actual and expected hardware version should match" + ); + equal( + token.tokenFWVersion, + "0.0", + "Actual and expected firmware version should match" + ); + equal( + token.tokenSerialNumber, + "0000000000000000", + "Actual and expected serial number should match" + ); +} + +/** + * Checks the various password related features of the given token. + * The token should already have been init with a password and be logged into. + * The password of the token will be reset after calling this function. + * + * @param {nsIPK11Token} token + * The token to test. + * @param {string} initialPW + * The password that the token should have been init with. + */ +function checkPasswordFeaturesAndResetPassword(token, initialPW) { + ok( + !token.needsUserInit, + "Token should not need user init after setting a password" + ); + ok( + token.hasPassword, + "Token should have a password after setting a password" + ); + + ok( + token.checkPassword(initialPW), + "checkPassword() should succeed if the correct initial password is given" + ); + token.changePassword(initialPW, "newPW ÿ 一二三"); + ok( + token.checkPassword("newPW ÿ 一二三"), + "checkPassword() should succeed if the correct new password is given" + ); + + ok( + !token.checkPassword("wrongPW"), + "checkPassword() should fail if an incorrect password is given" + ); + ok( + !token.isLoggedIn(), + "Token should be logged out after an incorrect password was given" + ); + ok( + !token.needsUserInit, + "Token should still be init with a password even if an incorrect " + + "password was given" + ); + + token.reset(); + ok(token.needsUserInit, "Token should need password init after reset"); + ok(!token.hasPassword, "Token should not have a password after reset"); + ok(!token.isLoggedIn(), "Token should be logged out of after reset"); +} + +function run_test() { + let tokenDB = Cc["@mozilla.org/security/pk11tokendb;1"].getService( + Ci.nsIPK11TokenDB + ); + let token = tokenDB.getInternalKeyToken(); + notEqual(token, null, "The internal token should be present"); + ok( + token.isInternalKeyToken, + "The internal token should be represented as such" + ); + + checkBasicAttributes(token); + + ok(!token.isLoggedIn(), "Token should not be logged into yet"); + // Test that attempting to log out even when the token was not logged into + // does not result in an error. + token.logoutSimple(); + ok(!token.isLoggedIn(), "Token should still not be logged into"); + ok( + !token.hasPassword, + "Token should not have a password before it has been set" + ); + + let initialPW = "foo 1234567890`~!@#$%^&*()-_=+{[}]|\\:;'\",<.>/? 一二三"; + token.initPassword(initialPW); + token.login(/* force */ false); + ok(token.isLoggedIn(), "Token should now be logged into"); + + checkPasswordFeaturesAndResetPassword(token, initialPW); + + // We reset the password previously, so we need to initialize again. + token.initPassword("arbitrary"); + ok( + token.isLoggedIn(), + "Token should be logged into after initializing password again" + ); + token.logoutSimple(); + ok( + !token.isLoggedIn(), + "Token should be logged out after calling logoutSimple()" + ); + + ok( + token.needsLogin(), + "The internal token should always need authentication" + ); +} diff --git a/security/manager/ssl/tests/unit/test_pkcs11_tokenDB.js b/security/manager/ssl/tests/unit/test_pkcs11_tokenDB.js new file mode 100644 index 0000000000..127c533439 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_pkcs11_tokenDB.js @@ -0,0 +1,20 @@ +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ +"use strict"; + +// Tests the methods for interfacing with the PKCS #11 token database. + +// Ensure that the appropriate initialization has happened. +do_get_profile(); + +function run_test() { + let tokenDB = Cc["@mozilla.org/security/pk11tokendb;1"].getService( + Ci.nsIPK11TokenDB + ); + + notEqual( + tokenDB.getInternalKeyToken(), + null, + "The internal token should be non-null" + ); +} diff --git a/security/manager/ssl/tests/unit/test_sanctions/apple-ist-ca-8-g1-intermediate.pem b/security/manager/ssl/tests/unit/test_sanctions/apple-ist-ca-8-g1-intermediate.pem new file mode 100644 index 0000000000..8401bd3e87 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sanctions/apple-ist-ca-8-g1-intermediate.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDQDCCAsegAwIBAgIQDGdiB3elq8S6U12Nrc+a1zAKBggqhkjOPQQDAzBhMQsw +CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cu +ZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBHMzAe +Fw0xODEyMjExMjAwMDBaFw0zMTA2MDgxMjAwMDBaMGIxHDAaBgNVBAMME0FwcGxl +IElTVCBDQSA4IC0gRzExIDAeBgNVBAsMF0NlcnRpZmljYXRpb24gQXV0aG9yaXR5 +MRMwEQYDVQQKDApBcHBsZSBJbmMuMQswCQYDVQQGEwJVUzBZMBMGByqGSM49AgEG +CCqGSM49AwEHA0IABC1UjmiwEBPv9C3b2AmyQ+idZZluNLjUl8mOydaoIjcyyHFg +7rDx8sVk9rpHX/zmB3gyLfbKgCDJ/XD4cpMhiEWjggFeMIIBWjAdBgNVHQ4EFgQU +w8SkWAVj14MGupaN3LKPMva7t0EwHwYDVR0jBBgwFoAUs9tIpPmhxdiuNkHMEWNp +Yim8S8YwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF +BQcDAjASBgNVHRMBAf8ECDAGAQH/AgEAMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEF +BQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEIGA1UdHwQ7MDkwN6A1oDOG +MWh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RHMy5j +cmwwWwYDVR0gBFQwUjAMBgoqhkiG92NkBQsEMAgGBmeBDAECAjA4BgpghkgBhv1s +AAIEMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMw +CgYIKoZIzj0EAwMDZwAwZAIwaMzTwP/37zR/ZM5T7OGnd9hYStUPL3QlqDXGhNUZ +cUZM7UmDZWvBS97XS9wKCtxPAjAeetP564whYQw4g3yLIEqpXNiHCW1Pf1e+uXMa +g1fK+AQr8p7TR2320C8NorVUcfM= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_sanctions/cds-apple-com.pem b/security/manager/ssl/tests/unit/test_sanctions/cds-apple-com.pem new file mode 100644 index 0000000000..5e3054e80e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sanctions/cds-apple-com.pem @@ -0,0 +1,38 @@ +-----BEGIN CERTIFICATE----- +MIIGnzCCBkWgAwIBAgIQVwXojWDvTZtfUY6TR9QUTDAKBggqhkjOPQQDAjBiMRww +GgYDVQQDDBNBcHBsZSBJU1QgQ0EgOCAtIEcxMSAwHgYDVQQLDBdDZXJ0aWZpY2F0 +aW9uIEF1dGhvcml0eTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkGA1UEBhMCVVMw +HhcNMTkwMzExMjEzMjQxWhcNMjEwNDA5MjEzMjQxWjB2MRYwFAYDVQQDDA1jZHMu +YXBwbGUuY29tMSUwIwYDVQQLDBxtYW5hZ2VtZW50OmlkbXMuZ3JvdXAuNjY1MDM1 +MRMwEQYDVQQKDApBcHBsZSBJbmMuMRMwEQYDVQQIDApDYWxpZm9ybmlhMQswCQYD +VQQGEwJVUzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJHADA5vqarO+Cj0Ha6T +uh/JhKmaIVuz0z7dVZUIBgVbxNOE3FW8zJTH20k4NBAnls3IXkJEiOWtt8GZbzlS +cXijggTHMIIEwzAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFMPEpFgFY9eDBrqW +jdyyjzL2u7dBMH4GCCsGAQUFBwEBBHIwcDA0BggrBgEFBQcwAoYoaHR0cDovL2Nl +cnRzLmFwcGxlLmNvbS9hcHBsZWlzdGNhOGcxLmRlcjA4BggrBgEFBQcwAYYsaHR0 +cDovL29jc3AuYXBwbGUuY29tL29jc3AwMy1hcHBsZWlzdGNhOGcxMDUwGAYDVR0R +BBEwD4INY2RzLmFwcGxlLmNvbTCB/gYDVR0gBIH2MIHzMIHwBgoqhkiG92NkBQsE +MIHhMIGkBggrBgEFBQcCAjCBlwyBlFJlbGlhbmNlIG9uIHRoaXMgY2VydGlmaWNh +dGUgYnkgYW55IHBhcnR5IGFzc3VtZXMgYWNjZXB0YW5jZSBvZiBhbnkgYXBwbGlj +YWJsZSB0ZXJtcyBhbmQgY29uZGl0aW9ucyBvZiB1c2UgYW5kL29yIGNlcnRpZmlj +YXRpb24gcHJhY3RpY2Ugc3RhdGVtZW50cy4wOAYIKwYBBQUHAgIwLAwqaHR0cDov +L3d3dy5hcHBsZS5jb20vY2VydGlmaWNhdGVhdXRob3JpdHkvMB0GA1UdJQQWMBQG +CCsGAQUFBwMCBggrBgEFBQcDATA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js +LmFwcGxlLmNvbS9hcHBsZWlzdGNhOGcxLmNybDAdBgNVHQ4EFgQUtfKFXS+GsdSn +im90n/2GX/X47rgwDgYDVR0PAQH/BAQDAgOIMIICbgYKKwYBBAHWeQIEAgSCAl4E +ggJaAlgAdgC72d+8H4pxtZOUI5eqkntHOFeVCqtS6BqQlmQ2jh7RhQAAAWlutS/9 +AAAEAwBHMEUCIQC7JOfynh9ir4vZfE39sB2b7b9u6hwSo3i1A0WMCsB2kwIgHnqJ +dmGCaGHryIgFREBginRf879Km3zjdnCR4XjGTN4AdgDuS723dc5guuFCaR+r4Z5m +ow9+X7By2IMAxHuJeqj9ywAAAWlutS/9AAAEAwBHMEUCIQD+dYvPDT3PQ6T4eqqF +SSHsHU+ETeeMIhPWF1+5xxt0igIgbjEPNy+PV3wa0+dw4Umqvlp4padXYhF/zxKQ +UVSF5u0AdgBVgdTCFpA2AUrqC5tXPFPwwOQ4eHAlCBcvo6odBxPTDAAAAWlutTHE +AAAEAwBHMEUCIQCsggeANxAqJffU5L8inc3QZCQpC5f3ILhwSymugYaelQIgOKLJ +RmDt2rvI10G661L9MO0g4SHSbGZcTnkMVzUlSOUAdgBvU3asMfAxGdiZAKRRFf93 +FRwR2QLBACkGjbIImjfZEwAAAWlutTH/AAAEAwBHMEUCIFA7S1eyu7kxhvnAmVyB +fJUi7cy2/bizaC0LLE0w35dNAiEA+aIKxhYy6VAAyGAmTiAOA/VU/pDtQp4uUIKF +azgRpscAdgBElGUusO7Or8RAB9io/ijA2uaCvtjLMbU/0zOWtbaBqAAAAWlutTA2 +AAAEAwBHMEUCIQDkm2/8xF0dSiyO/o8iwKPjEgYYhokUM03KLiSZWUSRzQIgMp5z +ryZTqIHFLgbE0y7L8CCDvgZRRyoKbnBcCaGJJ1gwCgYIKoZIzj0EAwIDSAAwRQIh +AKJgejWMoWWP42EQIPsvua2biHvRng0QcgA3+0GLzcjXAiBr2xfk0vGWinDLG3gz +m73X42sCFxyMZrLDbgyeBQNI8A== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_sanctions/default-ee.key b/security/manager/ssl/tests/unit/test_sanctions/default-ee.key new file mode 100644 index 0000000000..09e044f5e0 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sanctions/default-ee.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9 +braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI +eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6 +iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za +qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7 +LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs +2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs +VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s +JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI +r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz +iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg +SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R +TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N +gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp +xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r +ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR +3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY +EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs +2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb +WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo +tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl +rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2 +TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit +tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m +ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1 +NBinA5ZsT8d0v3QCr2xDJH9D +-----END PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/test_sanctions/default-ee.key.keyspec b/security/manager/ssl/tests/unit/test_sanctions/default-ee.key.keyspec new file mode 100644 index 0000000000..4ad96d5159 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sanctions/default-ee.key.keyspec @@ -0,0 +1 @@ +default diff --git a/security/manager/ssl/tests/unit/test_sanctions/default-ee.pem b/security/manager/ssl/tests/unit/test_sanctions/default-ee.pem new file mode 100644 index 0000000000..7dd59895af --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sanctions/default-ee.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDiTCCAnGgAwIBAgIUYS+fG1v+p3J2spZDRL6SSVpIFtcwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUw +MjA0MDAwMDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0 +7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D +/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw +JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX +rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd +q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgcow +gccwgZAGA1UdEQSBiDCBhYIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tghUqLnBp +bm5pbmcuZXhhbXBsZS5jb22CKCouaW5jbHVkZS1zdWJkb21haW5zLnBpbm5pbmcu +ZXhhbXBsZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5zLnBpbm5pbmcuZXhhbXBs +ZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxo +b3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQB+1d8LT9Iaa3WShAqdo54BS4lg +0VHqQeAe7YlFzBjHLi62SRC8kMtn4CrAvtDGh+4xrfUHjkHMwxMhS2SBypPanccy +Hk2LtubcrE7tl0fexB2yfv3+oS5LnMaJ+6svWgq3i31g1YCNoCN+bdvxb3BMKdn5 +tV6OYrhCA/0CHjre34fC7DTb3AmBRSpoJf2QNanCrxi4Nau4TfWzHiUz+RwfDS2/ +Y5GV2rN0Wuw6vd4J5FtHl5G3ThtH+azD0INR9qI8zYtibjkzroXDzXcVXEOQqqtx +UE/ieCiIFKBtbITd2X0ae1MCfyKq3JULr8pWc90hUdSHnZ5OFnuU65s73qXJ +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_sanctions/default-ee.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/default-ee.pem.certspec new file mode 100644 index 0000000000..554339ff52 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sanctions/default-ee.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test CA +subject:Test End-entity +extension:subjectAlternativeName:localhost,*.example.com,*.pinning.example.com,*.include-subdomains.pinning.example.com,*.exclude-subdomains.pinning.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-after-cutoff.pem b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-after-cutoff.pem new file mode 100644 index 0000000000..95316b235e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-after-cutoff.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDPjCCAiagAwIBAgIUN+Dcp+HeMvZhIJ3BD5af4bwrj4IwDQYJKoZIhvcNAQEL +BQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMT +HEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwIhgPMjAxNjA2MDEwMDAwMDBa +GA8yMDUwMDEwMTAwMDAwMFowKTEnMCUGA1UEAwweZWUtZnJvbS1hbGxvd2xpc3Qt +YWZ0ZXItY3V0b2ZmMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohR +qESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+Kv +WnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+ +rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPv +JxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5 +Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6 +clHEMdUDrNoYCjXtjQIDAQABozowODA2BgNVHREELzAtgitzeW1hbnRlYy1hbGxv +d2xpc3QtYWZ0ZXItY3V0b2ZmLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IB +AQB/2Pgyyje+T4uKkibYZ537NZB6OUvef4nrGtswjxKbUnHzrLK1kJd3mtyNpydK +fzW8WV1CR+nltFI5oaoOAf26FuQfaoCADmlmFlirgnm2fEH2xCokDCQHIgQxNwXr +Ok6JTHWeuaOsu+verDPjkuUATnONY+FRTBxfPh5B3OA+aBO62bAeNCAjIya1U60S +emAnleYtwhXs0Q9TLsR7O7aSYP3FgnqnWPuOkPF3wrUiE8Nrd3givz5OJW42IU63 +ijiojHtPpjAiudbzD8y1zuDcxTxiI4jEjTDS1kIqnvHd3f4bSxpgcQUPk44nu+wO +j5+as/TRu5dC+xHmWCVT10yd +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-after-cutoff.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-after-cutoff.pem.certspec new file mode 100644 index 0000000000..c8a4249dfc --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-after-cutoff.pem.certspec @@ -0,0 +1,4 @@ +issuer:printableString/C=US/O=Google Inc/CN=Google Internet Authority G2 +subject:ee-from-allowlist-after-cutoff +validity:20160601-20500101 +extension:subjectAlternativeName:symantec-allowlist-after-cutoff.example.com diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-before-cutoff.pem b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-before-cutoff.pem new file mode 100644 index 0000000000..0c8a52b8d6 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-before-cutoff.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDQDCCAiigAwIBAgIUVWP+EbM7hYQLOXoABvWpRwoPWJ0wDQYJKoZIhvcNAQEL +BQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMT +HEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwIhgPMjAxNDA2MDEwMDAwMDBa +GA8yMDUwMDEwMTAwMDAwMFowKjEoMCYGA1UEAwwfZWUtZnJvbS1hbGxvd2xpc3Qt +YmVmb3JlLWN1dG9mZjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqI +UahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvi +r1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/x +fq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD +7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnv +uRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj ++nJRxDHVA6zaGAo17Y0CAwEAAaM7MDkwNwYDVR0RBDAwLoIsc3ltYW50ZWMtYWxs +b3dsaXN0LWJlZm9yZS1jdXRvZmYuZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQAD +ggEBAFhn9xNv/Yp1Ua9OX7oXgbVgzxCIAm6/zDK7V4V37P5em/lI85OpbuuTO4ns +9VB2/nijkELhSkiyCjmCaxQhlUBzA/2wJeNIfaWu9Mq5MR6jWShhNXND66lTCDIQ +wGVQkBl8/3OqSD4IFI3pKAiPhCGsUnRIhGSARcrFMQpKssnN5XN1ump1YA7/u6Kv +apNbKccgKvLekO8/kUpFrpHt+uQaNS2IeVrmOnNh4GtyD3DG1ZDcZ1VgLAnzbVUg +xiUbs58mY0o1qumuzqJ0/ie5UPOjWnoXSNq6dd4jqsXcFeYXe106G6arV5BLN1Pa +gNxxfOfBcebE1OwxZpfQwNy3JxI= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-before-cutoff.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-before-cutoff.pem.certspec new file mode 100644 index 0000000000..51cecd1f8e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-before-cutoff.pem.certspec @@ -0,0 +1,4 @@ +issuer:printableString/C=US/O=Google Inc/CN=Google Internet Authority G2 +subject:ee-from-allowlist-before-cutoff +validity:20140601-20500101 +extension:subjectAlternativeName:symantec-allowlist-before-cutoff.example.com diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-after-cutoff.pem b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-after-cutoff.pem new file mode 100644 index 0000000000..65eab919b5 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-after-cutoff.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDSzCCAjOgAwIBAgIUNWWgyC4I0/jmqdamoCRL0qhP3QQwDQYJKoZIhvcNAQEL +BQAwTzELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD0Fub3RoZXIgQ0EgSW5jLjEmMCQG +A1UEAxMdU29tZSBPdGhlciBDQSBUaGFuIFRoZSBPdGhlcnMwIhgPMjAxNjA2MDEw +MDAwMDBaGA8yMDUwMDEwMTAwMDAwMFowKjEoMCYGA1UEAwwfZWUtbm90LWFsbG93 +bGlzdGVkLWFmdGVyLWN1dG9mZjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAab +bhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmts +Du0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhI +H6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8 +rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kX +Mbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNAMD4wPAYDVR0RBDUwM4Ixc3ltYW50 +ZWMtbm90LWFsbG93bGlzdGVkLWFmdGVyLWN1dG9mZi5leGFtcGxlLmNvbTANBgkq +hkiG9w0BAQsFAAOCAQEARlQNYz+w2ekzdX8FKwlWoMX6Df5o4ZhXreRK9V4SuYJg +SvAucL35TuTKkBz9C5VPjAL/Qts4n5DKWaWQfsvoCJOGtTMEKd1MEL9RbMFOewI0 +tN9sV9aMNsmhNPL4PB3A7lKJb8gi/tyoN3BXjsaZBxmyi5A6Vt3lyybgMOSTdzR6 +u2XAPm+zNDrOzc2tavZEyhEKzptaJuCQrefcnAM9JTHtJhvJp30WWighJyclqmRX +bLDYaHRRuRI0jkgrrcUKolau8YKsSoIBoxP2aels8drZDH4UAC86GW2iF/tK+J65 ++JJ2Mk9erdcLoYGLxHZqQySpRaFtciSF+Uym1nmNxA== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-after-cutoff.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-after-cutoff.pem.certspec new file mode 100644 index 0000000000..85edcf742d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-after-cutoff.pem.certspec @@ -0,0 +1,4 @@ +issuer:printableString/C=US/O=Another CA Inc./CN=Some Other CA Than The Others +subject:ee-not-allowlisted-after-cutoff +validity:20160601-20500101 +extension:subjectAlternativeName:symantec-not-allowlisted-after-cutoff.example.com diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-before-cutoff.pem b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-before-cutoff.pem new file mode 100644 index 0000000000..23d6fec107 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-before-cutoff.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDTTCCAjWgAwIBAgIUaxGuzjOrA/2qScMaz5tKQTUrvAYwDQYJKoZIhvcNAQEL +BQAwTzELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD0Fub3RoZXIgQ0EgSW5jLjEmMCQG +A1UEAxMdU29tZSBPdGhlciBDQSBUaGFuIFRoZSBPdGhlcnMwIhgPMjAxNDA2MDEw +MDAwMDBaGA8yMDUwMDEwMTAwMDAwMFowKzEpMCcGA1UEAwwgZWUtbm90LWFsbG93 +bGlzdGVkLWJlZm9yZS1jdXRvZmYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG +m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr +bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4 +SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3 +/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z +FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjQTA/MD0GA1UdEQQ2MDSCMnN5bWFu +dGVjLW5vdC1hbGxvd2xpc3RlZC1iZWZvcmUtY3V0b2ZmLmV4YW1wbGUuY29tMA0G +CSqGSIb3DQEBCwUAA4IBAQBCkIIEXnX/3rv0JuF0FZEpROnQw8zoa4vZjwG1NmvH ++PwnTL7FvBg9QBK0n8ZKfCMqJU98jR5+x6V9Eo2amXEYRAsxCU6kY/Xz43OxGLQz +5cbr9eDswWmt7h/LXl0tsprpgfBNaQ9512UbPMkDG4MSwLjkuTgdnM4dBsLURrAU +5lcukutuNYJ7x92/Ah7hffouB6QHyP80onxqqQTQs2j/0MvJxlUWrnKBzk+B475W +/1iMOCE3r2q6+TVp1sun9mcn7UvRHQRPvjSdjujjJ++5fqH5s4cF2Sv4lv+dEGJn +xrr/a9GA3bUE6Iq9PbAeX3l7RaP+q/znSDBtaLYZ1Xau +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-before-cutoff.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-before-cutoff.pem.certspec new file mode 100644 index 0000000000..b736169a04 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-before-cutoff.pem.certspec @@ -0,0 +1,4 @@ +issuer:printableString/C=US/O=Another CA Inc./CN=Some Other CA Than The Others +subject:ee-not-allowlisted-before-cutoff +validity:20140601-20500101 +extension:subjectAlternativeName:symantec-not-allowlisted-before-cutoff.example.com diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-allowlisted.pem b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-allowlisted.pem new file mode 100644 index 0000000000..70bfa802ce --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-allowlisted.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDjTCCAnWgAwIBAgIUHayrfZ5YGkWYRPXIsNuGSemGyk8wDQYJKoZIhvcNAQEL +BQAwgZQxCzAJBgNVBAYTAlVTMR0wGwYDVQQKExRTeW1hbnRlYyBDb3Jwb3JhdGlv +bjEfMB0GA1UECxMWU3ltYW50ZWMgVHJ1c3QgTmV0d29yazFFMEMGA1UEAxM8U3lt +YW50ZWMgQ2xhc3MgMSBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhv +cml0eSAtIEc0MCIYDzIwMTAwMTAxMDAwMDAwWhgPMjA1MDAxMDEwMDAwMDBaMEkx +CzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpHb29nbGUgSW5jMSUwIwYDVQQDExxHb29n +bGUgSW50ZXJuZXQgQXV0aG9yaXR5IEcyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf +vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb +uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S +O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR +3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv +5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzALBgNVHQ8EBAMCAQYw +DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAUMbnz3c2Evfehzm1LU+L +3UL3alL/C5jteDjrrNqkamAZF26klGAZ5AX2tW6yG4bOnmZMzqkW/NV8+ydE6HGW +oVwm+qekOyR4nSPHS5mZRdHD3uBrVJ0PR2rUyk/6oIVBYEcNHY/vuHMorQ0q2plq +Z+62i1SHuq5qxP9apKmhvmgwvna3ber9VH8DgiZLJRAuiDAXpanGZh37dm/e2ZVI +OgVctvRIb7ETcDrSbj4oOKo4WwFaZHlsN1ee0hstxDnIVXWzu5cCdqGALlw2N1av +RPUgDI0kshVojmvKFwnYptE1Ru+CYf403ZD7gt3ZvHueOTpEEKLRQp1QRELXIx/7 +XQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-allowlisted.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-allowlisted.pem.certspec new file mode 100644 index 0000000000..518527b741 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-allowlisted.pem.certspec @@ -0,0 +1,5 @@ +issuer:printableString/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 1 Public Primary Certification Authority - G4 +subject:printableString/C=US/O=Google Inc/CN=Google Internet Authority G2 +validity:20100101-20500101 +extension:keyUsage:keyCertSign,cRLSign +extension:basicConstraints:cA, diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other-crossigned.pem b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other-crossigned.pem new file mode 100644 index 0000000000..819d8a30da --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other-crossigned.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDFzCCAf+gAwIBAgIUBy1RVPb6jMqyBSQwtlK+jZftnKIwDQYJKoZIhvcNAQEL +BQAwGTEXMBUGA1UEAwwOVW5rbm93biBJc3N1ZXIwIhgPMjAxMDAxMDEwMDAwMDBa +GA8yMDUwMDEwMTAwMDAwMFowTzELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD0Fub3Ro +ZXIgQ0EgSW5jLjEmMCQGA1UEAxMdU29tZSBPdGhlciBDQSBUaGFuIFRoZSBPdGhl +cnMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braI +BjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVa +p0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB +7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4C +kC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJv +aeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgK +Ne2NAgMBAAGjHTAbMAsGA1UdDwQEAwIBBjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3 +DQEBCwUAA4IBAQAs7dfRClCtgzMfYVRIciVqdjNR+jeFLmYFCDDqx5h6zve4VfxK +AEQPWNsIVdPlu+djILHHd9+RvLSHh5HqeXKppBevnux2SxwfXJQ3T+ysqGxH4tEQ +BCgXryt8v5q/DL9H2+T352NJCh7ZMkftEta3Hchtr4TSaT7udtib1uQ9JeLx97LJ +A6aI8SpfI/as1Ku1LAAV9rfhkJgMyeC0ppMfTVGj/gjgq8fL52/9Su9Id8l+SeYD +yLCXjPX0rhAjTeJyiOpAK9OPQgk7i3DRvdO/F+JCkTNE9V6PLX0J+30g+3YZND+a +R81zibhRfa6Ki5cqRflHYhAY4GCFk7mhHLsL +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other-crossigned.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other-crossigned.pem.certspec new file mode 100644 index 0000000000..fdcb287cd1 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other-crossigned.pem.certspec @@ -0,0 +1,5 @@ +issuer:Unknown Issuer +subject:printableString/C=US/O=Another CA Inc./CN=Some Other CA Than The Others +validity:20100101-20500101 +extension:keyUsage:keyCertSign,cRLSign +extension:basicConstraints:cA, diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other.pem b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other.pem new file mode 100644 index 0000000000..9057a0a0dc --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDkzCCAnugAwIBAgIUSyQ/MON3PZLW/WEcsIuOIT0kUlQwDQYJKoZIhvcNAQEL +BQAwgZQxCzAJBgNVBAYTAlVTMR0wGwYDVQQKExRTeW1hbnRlYyBDb3Jwb3JhdGlv +bjEfMB0GA1UECxMWU3ltYW50ZWMgVHJ1c3QgTmV0d29yazFFMEMGA1UEAxM8U3lt +YW50ZWMgQ2xhc3MgMSBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhv +cml0eSAtIEc0MCIYDzIwMTAwMTAxMDAwMDAwWhgPMjA1MDAxMDEwMDAwMDBaME8x +CzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9Bbm90aGVyIENBIEluYy4xJjAkBgNVBAMT +HVNvbWUgT3RoZXIgQ0EgVGhhbiBUaGUgT3RoZXJzMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzALBgNVHQ8E +BAMCAQYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAfpCigqN5qPf/ +fD6N8a5taq4bsmggdNztYabFOFY8zIRNVYoVVAHd8a5FOlShKw1MTgRNEpzWcN4O +rX16HCaKCJA6mGbkoE/XVqo/shQR1P0U8N75oeWgxd10IsWpJoYYtF38GIM+HZM4 +8NZ/aM2ViKWexlpa7KhmIjCNsP4U+VFXPwLLuKbegQ6miTwdyG5Sq2PLsjQEn4Xq +/nHYyE3Nn+8H+dlyFuWn9XcJN9D9H3NqVGqAvnWWPR0Vz9Q5/iixw2Ym8NWNzlxa +RXLC9Bfg1BDSJLttopU6qGPotuQkhlm1AElcauI9FaWATsdM82tNMK3hrHnTqV28 +C/BiYIunmA== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other.pem.certspec new file mode 100644 index 0000000000..0c96819f94 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other.pem.certspec @@ -0,0 +1,5 @@ +issuer:printableString/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 1 Public Primary Certification Authority - G4 +subject:printableString/C=US/O=Another CA Inc./CN=Some Other CA Than The Others +validity:20100101-20500101 +extension:keyUsage:keyCertSign,cRLSign +extension:basicConstraints:cA, diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-test-ca.pem b/security/manager/ssl/tests/unit/test_sanctions/symantec-test-ca.pem new file mode 100644 index 0000000000..77f5a05963 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-test-ca.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID2TCCAsGgAwIBAgIUd4MA0Hhfw36r5rkFHdHo5/oSbTYwDQYJKoZIhvcNAQEL +BQAwgZQxCzAJBgNVBAYTAlVTMR0wGwYDVQQKExRTeW1hbnRlYyBDb3Jwb3JhdGlv +bjEfMB0GA1UECxMWU3ltYW50ZWMgVHJ1c3QgTmV0d29yazFFMEMGA1UEAxM8U3lt +YW50ZWMgQ2xhc3MgMSBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhv +cml0eSAtIEc0MCIYDzIwMTAwMTAxMDAwMDAwWhgPMjA1MDAxMDEwMDAwMDBaMIGU +MQswCQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAd +BgNVBAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxRTBDBgNVBAMTPFN5bWFudGVj +IENsYXNzIDEgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkg +LSBHNDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1u +togGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6 +pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqL +KkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3Zlqq +fgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3sv +Im9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6za +GAo17Y0CAwEAAaMdMBswCwYDVR0PBAQDAgEGMAwGA1UdEwQFMAMBAf8wDQYJKoZI +hvcNAQELBQADggEBAKAdvWVDbB3GxOooXgqNElLvjYwmNcWk12CvQnwxglCRytY5 +DX4UhcCJ6TW8pcezPDEdqrkf4iR+UpgDyBUbVa4m5O5MHGYy3nRHfwT/js9hh2PH +gcAmT0ivknTFlEcP4D0kp7HQr2kmlFuW64HOM+/3J7Zyvu3VNYAlqTlxgG7QyRaN +3W3jfDvc5Ol0O0vyFmhHv0k1yOqLJiOmmOOujfltl4Grbvss+wsHjmP+WOH/BYRn +ACDXdvGr9uu0Z2mymqP0Sy2ZKKrbA7dX5Q/RUr4p3EfyDuNgERx+pYXTUeQ3o9sL +ynQmBa+9aWijUN2USC69EDX9zObn7lO8WV19dQM= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-test-ca.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/symantec-test-ca.pem.certspec new file mode 100644 index 0000000000..f84697130c --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-test-ca.pem.certspec @@ -0,0 +1,5 @@ +issuer:printableString/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 1 Public Primary Certification Authority - G4 +subject:printableString/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 1 Public Primary Certification Authority - G4 +validity:20100101-20500101 +extension:keyUsage:keyCertSign,cRLSign +extension:basicConstraints:cA, diff --git a/security/manager/ssl/tests/unit/test_sanctions_symantec_apple_google.js b/security/manager/ssl/tests/unit/test_sanctions_symantec_apple_google.js new file mode 100644 index 0000000000..4c3b9f406f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sanctions_symantec_apple_google.js @@ -0,0 +1,95 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +do_get_profile(); + +const certDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +add_tls_server_setup( + "SanctionsTestServer", + "test_sanctions", + /* Don't try to load non-existent test-ca.pem */ false +); + +addCertFromFile(certDB, "test_sanctions/symantec-test-ca.pem", "CTu,u,u"); + +// Add the necessary intermediates. This is important because the test server, +// though it will attempt to send along an intermediate, isn't able to reliably +// pick between the intermediate-other-crossigned and intermediate-other. +add_test(function () { + addCertFromFile( + certDB, + "test_sanctions/symantec-intermediate-allowlisted.pem", + ",," + ); + addCertFromFile( + certDB, + "test_sanctions/symantec-intermediate-other.pem", + ",," + ); + run_next_test(); +}); + +add_connection_test( + "symantec-not-allowlisted-before-cutoff.example.com", + MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED, + null, + null +); + +add_connection_test( + "symantec-not-allowlisted-after-cutoff.example.com", + MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED, + null, + null +); + +// Add a cross-signed intermediate into the database, and ensure we still get +// the expected error. +add_test(function () { + addCertFromFile( + certDB, + "test_sanctions/symantec-intermediate-other-crossigned.pem", + ",," + ); + run_next_test(); +}); + +add_connection_test( + "symantec-not-allowlisted-before-cutoff.example.com", + MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED, + null, + null +); + +// Load the Apple EE cert and its intermediate, then verify +// it at a reasonable time and make sure the allowlists work +add_task(async function () { + addCertFromFile( + certDB, + "test_sanctions/apple-ist-ca-8-g1-intermediate.pem", + ",," + ); + let allowlistedCert = constructCertFromFile( + "test_sanctions/cds-apple-com.pem" + ); + + // Since we don't want to actually try to fetch OCSP for this certificate, + // (as an external fetch is bad in the tests), disable OCSP first. + Services.prefs.setIntPref("security.OCSP.enabled", 0); + + // (new Date("2020-01-01")).getTime() / 1000 + const VALIDATION_TIME = 1577836800; + + await checkCertErrorGenericAtTime( + certDB, + allowlistedCert, + PRErrorCodeSuccess, + certificateUsageSSLServer, + VALIDATION_TIME + ); +}); diff --git a/security/manager/ssl/tests/unit/test_sdr.js b/security/manager/ssl/tests/unit/test_sdr.js new file mode 100644 index 0000000000..e9e477efc5 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sdr.js @@ -0,0 +1,272 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ +"use strict"; + +// Tests various aspects of the nsISecretDecoderRing implementation. + +do_get_profile(); + +let gSetPasswordShownCount = 0; + +// Mock implementation of nsITokenPasswordDialogs. +const gTokenPasswordDialogs = { + setPassword(ctx, tokenName) { + gSetPasswordShownCount++; + info(`setPassword() called; shown ${gSetPasswordShownCount} times`); + info(`tokenName: ${tokenName}`); + return false; // Returning false means "the user didn't cancel". + }, + + QueryInterface: ChromeUtils.generateQI(["nsITokenPasswordDialogs"]), +}; + +let gMockPrompter = { + promptPassword(dialogTitle, text, password, checkMsg, checkValue) { + // Returning false simulates the user canceling the password prompt. + return false; + }, + + QueryInterface: ChromeUtils.generateQI(["nsIPrompt"]), +}; + +// Mock nsIWindowWatcher. PSM calls getNewPrompter on this to get an nsIPrompt +// to call promptPassword. We return the mock one, above. +let gWindowWatcher = { + getNewPrompter: () => gMockPrompter, + QueryInterface: ChromeUtils.generateQI(["nsIWindowWatcher"]), +}; + +add_task(function setup() { + let windowWatcherCID = MockRegistrar.register( + "@mozilla.org/embedcomp/window-watcher;1", + gWindowWatcher + ); + registerCleanupFunction(() => { + MockRegistrar.unregister(windowWatcherCID); + }); +}); + +add_task(function testEncryptString() { + let sdr = Cc["@mozilla.org/security/sdr;1"].getService( + Ci.nsISecretDecoderRing + ); + + // Test valid inputs for encryptString() and decryptString(). + let inputs = [ + "", + " ", // First printable latin1 character (code point 32). + "foo", + "1234567890`~!@#$%^&*()-_=+{[}]|\\:;'\",<.>/?", + "¡äöüÿ", // Misc + last printable latin1 character (code point 255). + "aaa 一二三", // Includes Unicode with code points outside [0, 255]. + ]; + for (let input of inputs) { + let converter = Cc[ + "@mozilla.org/intl/scriptableunicodeconverter" + ].createInstance(Ci.nsIScriptableUnicodeConverter); + converter.charset = "UTF-8"; + + let convertedInput = converter.ConvertFromUnicode(input); + convertedInput += converter.Finish(); + + let encrypted = sdr.encryptString(convertedInput); + + notEqual( + convertedInput, + encrypted, + "Encrypted input should not just be the input itself" + ); + + try { + atob(encrypted); + } catch (e) { + ok(false, `encryptString() should have returned Base64: ${e}`); + } + + equal( + convertedInput, + sdr.decryptString(encrypted), + "decryptString(encryptString(input)) should return input" + ); + } + + // Test invalid inputs for decryptString(). + throws( + () => sdr.decryptString("*"), + /NS_ERROR_ILLEGAL_VALUE/, + "decryptString() should throw if given non-Base64 input" + ); + + // Test calling changePassword() pops up the appropriate dialog. + // Note: On Android, nsITokenPasswordDialogs is apparently not implemented, + // which also seems to prevent us from mocking out the interface. + if (AppConstants.platform != "android") { + let tokenPasswordDialogsCID = MockRegistrar.register( + "@mozilla.org/nsTokenPasswordDialogs;1", + gTokenPasswordDialogs + ); + registerCleanupFunction(() => { + MockRegistrar.unregister(tokenPasswordDialogsCID); + }); + + equal( + gSetPasswordShownCount, + 0, + "changePassword() dialog should have been shown zero times" + ); + sdr.changePassword(); + equal( + gSetPasswordShownCount, + 1, + "changePassword() dialog should have been shown exactly once" + ); + } +}); + +add_task(async function testAsyncEncryptStrings() { + let sdr = Cc["@mozilla.org/security/sdr;1"].getService( + Ci.nsISecretDecoderRing + ); + + // Test valid inputs for encryptString() and decryptString(). + let inputs = [ + "", + " ", // First printable latin1 character (code point 32). + "foo", + "1234567890`~!@#$%^&*()-_=+{[}]|\\:;'\",<.>/?", + "¡äöüÿ", // Misc + last printable latin1 character (code point 255). + "aaa 一二三", // Includes Unicode with code points outside [0, 255]. + ]; + + let encrypteds = await sdr.asyncEncryptStrings(inputs); + for (let i = 0; i < inputs.length; i++) { + let encrypted = encrypteds[i]; + let input = inputs[i]; + let converter = Cc[ + "@mozilla.org/intl/scriptableunicodeconverter" + ].createInstance(Ci.nsIScriptableUnicodeConverter); + converter.charset = "UTF-8"; + + let convertedInput = converter.ConvertFromUnicode(input); + convertedInput += converter.Finish(); + notEqual( + convertedInput, + encrypted, + "Encrypted input should not just be the input itself" + ); + + try { + atob(encrypted); + } catch (e) { + ok(false, `encryptString() should have returned Base64: ${e}`); + } + + equal( + convertedInput, + sdr.decryptString(encrypted), + "decryptString(encryptString(input)) should return input" + ); + } +}); + +add_task(async function testAsyncDecryptStrings() { + let sdr = Cc["@mozilla.org/security/sdr;1"].getService( + Ci.nsISecretDecoderRing + ); + + // Test valid inputs for encryptString() and decryptString(). + let testCases = [ + "", + " ", // First printable latin1 character (code point 32). + "foo", + "1234567890`~!@#$%^&*()-_=+{[}]|\\:;'\",<.>/?", + "¡äöüÿ", // Misc + last printable latin1 character (code point 255). + "aaa 一二三", // Includes Unicode with code points outside [0, 255]. + ]; + + let convertedTestCases = testCases.map(tc => { + let converter = Cc[ + "@mozilla.org/intl/scriptableunicodeconverter" + ].createInstance(Ci.nsIScriptableUnicodeConverter); + converter.charset = "UTF-8"; + + let convertedInput = converter.ConvertFromUnicode(tc); + convertedInput += converter.Finish(); + return convertedInput; + }); + + let encryptedStrings = convertedTestCases.map(tc => sdr.encryptString(tc)); + let decrypteds = await sdr.asyncDecryptStrings(encryptedStrings); + for (let i = 0; i < encryptedStrings.length; i++) { + let decrypted = decrypteds[i]; + + equal( + decrypted, + testCases[i], + "decrypted string should match expected value" + ); + equal( + sdr.decryptString(encryptedStrings[i]), + convertedTestCases[i], + "decryptString(encryptString(input)) should return the initial decrypted string value" + ); + } +}); + +add_task(async function testAsyncDecryptInvalidStrings() { + let sdr = Cc["@mozilla.org/security/sdr;1"].getService( + Ci.nsISecretDecoderRing + ); + + // Test invalid inputs for sdr.asyncDecryptStrings + let testCases = [ + "~bmV0cGxheQ==", // invalid base64 encoding + "bmV0cGxheQ==", // valid base64 characters but not encrypted + "https://www.example.com", // website address from erroneous migration + ]; + + let decrypteds = await sdr.asyncDecryptStrings(testCases); + equal( + decrypteds.length, + testCases.length, + "each testcase should still return a response" + ); + for (let i = 0; i < decrypteds.length; i++) { + let decrypted = decrypteds[i]; + + equal( + decrypted, + "", + "decrypted string should be empty when trying to decrypt an invalid input with asyncDecryptStrings" + ); + + Assert.throws( + () => sdr.decryptString(testCases[i]), + /NS_ERROR_ILLEGAL_VALUE|NS_ERROR_FAILURE/, + `Check testcase would have thrown: ${testCases[i]}` + ); + } +}); + +add_task(async function testAsyncDecryptLoggedOut() { + // Set a master password. + let token = Cc["@mozilla.org/security/pk11tokendb;1"] + .getService(Ci.nsIPK11TokenDB) + .getInternalKeyToken(); + token.initPassword("password"); + token.logoutSimple(); + + let sdr = Cc["@mozilla.org/security/sdr;1"].getService( + Ci.nsISecretDecoderRing + ); + + await Assert.rejects( + sdr.asyncDecryptStrings(["irrelevant"]), + /NS_ERROR_NOT_AVAILABLE/, + "Check error is thrown instead of returning empty strings" + ); + + token.reset(); + token.initPassword(""); +}); diff --git a/security/manager/ssl/tests/unit/test_sdr_preexisting.js b/security/manager/ssl/tests/unit/test_sdr_preexisting.js new file mode 100644 index 0000000000..69b5c194df --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sdr_preexisting.js @@ -0,0 +1,79 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +"use strict"; + +// Tests that the SDR implementation is able to decrypt strings encrypted using +// a preexisting NSS key database. Creating the database is straight-forward: +// simply run Firefox (or xpcshell) and encrypt something using +// nsISecretDecoderRing (e.g. by saving a password or directly using the +// interface). The resulting key4.db file (in the profile directory) now +// contains the private key used to encrypt the data. + +function run_test() { + const keyDBName = "key4.db"; + let profile = do_get_profile(); + let keyDBFile = do_get_file(`test_sdr_preexisting/${keyDBName}`); + keyDBFile.copyTo(profile, keyDBName); + + let sdr = Cc["@mozilla.org/security/sdr;1"].getService( + Ci.nsISecretDecoderRing + ); + + let testcases = [ + // a full padding block + { + ciphertext: + "MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECGeDHwVfyFqzBBAYvqMq/kDMsrARVNdC1C8d", + plaintext: "password", + }, + // 7 bytes of padding + { + ciphertext: + "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECCAzLDVmYG2/BAh3IoIsMmT8dQ==", + plaintext: "a", + }, + // 6 bytes of padding + { + ciphertext: + "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECPN8zlZzn8FdBAiu2acpT8UHsg==", + plaintext: "bb", + }, + // 1 byte of padding + { + ciphertext: + "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECD5px1eMKkJQBAgUPp35GlrDvQ==", + plaintext: "!seven!", + }, + // 2 bytes of padding + { + ciphertext: + "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECMh0hLtKDyUdBAixw9UZsMt+vA==", + plaintext: "sixsix", + }, + // long plaintext requiring more than two blocks + { + ciphertext: + "MFoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECDRX1qi+/FX1BDATFIcIneQjvBuq3wdFxzllJt2VtUD69ACdOKAXH3eA87oHDvuHqOeCDwRy4UzoG5s=", + plaintext: "thisismuchlongerandsotakesupmultipleblocks", + }, + // this differs from the previous ciphertext by one bit and demonstrates + // that this implementation does not enforce message integrity + { + ciphertext: + "MFoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECDRX1qi+/FX1BDAbFIcIneQjvBuq3wdFxzllJt2VtUD69ACdOKAXH3eA87oHDvuHqOeCDwRy4UzoG5s=", + plaintext: "nnLbuwLRkhlongerandsotakesupmultipleblocks", + }, + ]; + + for (let testcase of testcases) { + let decrypted = sdr.decryptString(testcase.ciphertext); + equal( + decrypted, + testcase.plaintext, + "decrypted ciphertext should match expected plaintext" + ); + } +} diff --git a/security/manager/ssl/tests/unit/test_sdr_preexisting/key4.db b/security/manager/ssl/tests/unit/test_sdr_preexisting/key4.db Binary files differnew file mode 100644 index 0000000000..8f320dfdbd --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sdr_preexisting/key4.db diff --git a/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password.js b/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password.js new file mode 100644 index 0000000000..5c1b2bb653 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password.js @@ -0,0 +1,135 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +"use strict"; + +// Tests that the SDR implementation is able to decrypt strings encrypted using +// a preexisting NSS key database that has a password. +// To create such a database, run Firefox (or xpcshell), set a primary +// password, and then encrypt something using nsISecretDecoderRing. + +var gMockPrompter = { + passwordToTry: "password", + numPrompts: 0, + + // This intentionally does not use arrow function syntax to avoid an issue + // where in the context of the arrow function, |this != gMockPrompter| due to + // how objects get wrapped when going across xpcom boundaries. + promptPassword(dialogTitle, text, password, checkMsg, checkValue) { + this.numPrompts++; + if (this.numPrompts > 1) { + // don't keep retrying a bad password + return false; + } + equal( + text, + "Please enter your Primary Password.", + "password prompt text should be as expected" + ); + equal(checkMsg, null, "checkMsg should be null"); + ok(this.passwordToTry, "passwordToTry should be non-null"); + password.value = this.passwordToTry; + return true; + }, + + QueryInterface: ChromeUtils.generateQI(["nsIPrompt"]), +}; + +// Mock nsIWindowWatcher. PSM calls getNewPrompter on this to get an nsIPrompt +// to call promptPassword. We return the mock one, above. +var gWindowWatcher = { + getNewPrompter: () => gMockPrompter, + QueryInterface: ChromeUtils.generateQI(["nsIWindowWatcher"]), +}; + +function run_test() { + let windowWatcherCID = MockRegistrar.register( + "@mozilla.org/embedcomp/window-watcher;1", + gWindowWatcher + ); + registerCleanupFunction(() => { + MockRegistrar.unregister(windowWatcherCID); + }); + + // Append a single quote and non-ASCII characters to the profile path. + let profd = Services.env.get("XPCSHELL_TEST_PROFILE_DIR"); + let file = Cc["@mozilla.org/file/local;1"].createInstance(Ci.nsIFile); + file.initWithPath(profd); + file.append("'÷1"); + Services.env.set("XPCSHELL_TEST_PROFILE_DIR", file.path); + + let profile = do_get_profile(); // must be called before getting nsIX509CertDB + Assert.ok( + /[^\x20-\x7f]/.test(profile.path), + "the profile path should contain a non-ASCII character" + ); + + let key4DBFile = do_get_file("test_sdr_preexisting_with_password/key4.db"); + key4DBFile.copyTo(profile, "key4.db"); + + let sdr = Cc["@mozilla.org/security/sdr;1"].getService( + Ci.nsISecretDecoderRing + ); + + let testcases = [ + // a full padding block + { + ciphertext: + "MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECGeDHwVfyFqzBBAYvqMq/kDMsrARVNdC1C8d", + plaintext: "password", + }, + // 7 bytes of padding + { + ciphertext: + "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECCAzLDVmYG2/BAh3IoIsMmT8dQ==", + plaintext: "a", + }, + // 6 bytes of padding + { + ciphertext: + "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECPN8zlZzn8FdBAiu2acpT8UHsg==", + plaintext: "bb", + }, + // 1 byte of padding + { + ciphertext: + "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECD5px1eMKkJQBAgUPp35GlrDvQ==", + plaintext: "!seven!", + }, + // 2 bytes of padding + { + ciphertext: + "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECMh0hLtKDyUdBAixw9UZsMt+vA==", + plaintext: "sixsix", + }, + // long plaintext requiring more than two blocks + { + ciphertext: + "MFoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECDRX1qi+/FX1BDATFIcIneQjvBuq3wdFxzllJt2VtUD69ACdOKAXH3eA87oHDvuHqOeCDwRy4UzoG5s=", + plaintext: "thisismuchlongerandsotakesupmultipleblocks", + }, + // this differs from the previous ciphertext by one bit and demonstrates + // that this implementation does not enforce message integrity + { + ciphertext: + "MFoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECDRX1qi+/FX1BDAbFIcIneQjvBuq3wdFxzllJt2VtUD69ACdOKAXH3eA87oHDvuHqOeCDwRy4UzoG5s=", + plaintext: "nnLbuwLRkhlongerandsotakesupmultipleblocks", + }, + ]; + + for (let testcase of testcases) { + let decrypted = sdr.decryptString(testcase.ciphertext); + equal( + decrypted, + testcase.plaintext, + "decrypted ciphertext should match expected plaintext" + ); + } + equal( + gMockPrompter.numPrompts, + 1, + "Should have been prompted for a password once" + ); +} diff --git a/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password/key4.db b/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password/key4.db Binary files differnew file mode 100644 index 0000000000..959718da34 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password/key4.db diff --git a/security/manager/ssl/tests/unit/test_self_signed_certs.js b/security/manager/ssl/tests/unit/test_self_signed_certs.js new file mode 100644 index 0000000000..ef0a38f9bc --- /dev/null +++ b/security/manager/ssl/tests/unit/test_self_signed_certs.js @@ -0,0 +1,109 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. +"use strict"; + +// This test uses a specially-crafted NSS cert DB containing 12 self-signed certificates that all +// have the same subject and issuer distinguished name. Since they all have different keys and none +// of them are trust anchors, there are a large number of potential trust paths that could be +// explored. If our trust domain were naive enough to allow mozilla::pkix to explore them all, it +// would take a long time to perform (mozilla::pkix does have the concept of a path-building budget, +// but even on a fast computer, it takes an unacceptable amount of time to exhaust). To prevent the +// full exploration of this space, NSSCertDBTrustDomain skips searching through self-signed +// certificates that aren't trust anchors, since those would never otherwise be essential to +// complete a path (note that this is only true as long as the extensions we support are restrictive +// rather than additive). +// When we try to verify one of these certificates in this test, we should finish relatively +// quickly, even on slow hardware. +// Should these certificates ever need regenerating, they were produced with the following commands: +// certutil -N -d . --empty-password +// for num in 00 01 02 03 04 05 06 07 08 09 10 11; do +// echo -ne "5\n6\n9\ny\ny\n\ny\n" | certutil -d . -S -s "CN=self-signed cert" -t ,, \ +// -q secp256r1 -x -k ec -z <(date +%s) -1 -2 -n cert$num; sleep 2; +// done + +add_task(async function test_no_overlong_path_building() { + let profile = do_get_profile(); + const CERT_DB_NAME = "cert9.db"; + let srcCertDBFile = do_get_file(`test_self_signed_certs/${CERT_DB_NAME}`); + srcCertDBFile.copyTo(profile, CERT_DB_NAME); + + let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + let certToVerify = null; + for (let cert of certDB.getCerts()) { + if (cert.subjectName == "CN=self-signed cert") { + certToVerify = cert; + break; + } + } + notEqual( + certToVerify, + null, + "should have found one of the preloaded self-signed certs" + ); + let timeBefore = Date.now(); + // As mentioned above, mozilla::pkix limits how much it will search for a trusted path, even if a + // trust domain keeps providing potential issuers. So, if we only tried to verify a certificate + // once, this test could potentially pass on a fast computer even if we weren't properly skipping + // unnecessary paths. If we were to try and lower our time limit (the comparison with + // secondsElapsed, below), this test would intermittently fail on slow hardware. By trying to + // verify the certificate 10 times, we hopefully end up with a meaningful test (it should still + // fail on fast hardware if we don't properly skip unproductive paths) that won't intermittently + // time out on slow hardware. + for (let i = 0; i < 10; i++) { + let date = new Date("2019-05-15T00:00:00.000Z"); + await checkCertErrorGenericAtTime( + certDB, + certToVerify, + SEC_ERROR_UNKNOWN_ISSUER, + certificateUsageSSLCA, + date.getTime() / 1000 + ); + } + let timeAfter = Date.now(); + let secondsElapsed = (timeAfter - timeBefore) / 1000; + ok(secondsElapsed < 120, "verifications shouldn't take too long"); +}); + +add_task(async function test_no_bad_signature() { + // If there are two self-signed CA certificates with the same subject and + // issuer but different keys, where one is trusted, test that using the other + // one as a server certificate doesn't result in a non-overridable "bad + // signature" error but rather a "self-signed cert" error. + let selfSignedCert = constructCertFromFile("test_self_signed_certs/ca1.pem"); + let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + addCertFromFile(certDB, "test_self_signed_certs/ca2.pem", "CTu,,"); + await checkCertErrorGeneric( + certDB, + selfSignedCert, + MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT, + certificateUsageSSLServer, + false, + "example.com" + ); +}); + +add_task(async function test_no_inadequate_key_usage() { + // If there are two different non-CA, self-signed certificates with the same + // subject and issuer but different keys, test that using one of them as a + // server certificate doesn't result in a non-overridable "inadequate key + // usage" error but rather a "self-signed cert" error. + let selfSignedCert = constructCertFromFile("test_self_signed_certs/ee1.pem"); + let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + addCertFromFile(certDB, "test_self_signed_certs/ee2.pem", ",,"); + await checkCertErrorGeneric( + certDB, + selfSignedCert, + MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT, + certificateUsageSSLServer, + false, + "example.com" + ); +}); diff --git a/security/manager/ssl/tests/unit/test_self_signed_certs/ca1.pem b/security/manager/ssl/tests/unit/test_self_signed_certs/ca1.pem new file mode 100644 index 0000000000..02436d046a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_self_signed_certs/ca1.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIICzjCCAbagAwIBAgIBATANBgkqhkiG9w0BAQsFADAZMRcwFQYDVQQDDA5TZWxm +LVNpZ25lZCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAZ +MRcwFQYDVQQDDA5TZWxmLVNpZ25lZCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODY +H72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk +27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A9 +0jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMM +kd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaL +L+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMdMBswDAYDVR0TBAUwAwEB +/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBACUeP9ynC3AtB+TmlQ8z +1Eo7Vcgd2t1D1l+c9uaSBAb1ajymH/vyFv1/6rJiRF/uQGl2sMmEaLMNMOkD6fke +S6PZ+V8J2n4XOly4UwLpg/bMP8dyEXajGuf/JddsKQaj1241dY8egkGJesArRUH6 ++HBym166t6HJtv7xi4xBiljeS8UW7XQXke/tv4mDLuaITkasOOgyDniJucO46TQh +ZzlEN6DMAicgqpghAlHERUhDoAcEA8m/qpZtA9to7xhzN7AvwU/596oQjyUk0umc +fE7vzatI6+iiCxW9cO93T2lIGzzdz5HlgFinC65VNXSuMYz69A1D6rZ09wZpYZ0G +b/I= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_self_signed_certs/ca1.pem.certspec b/security/manager/ssl/tests/unit/test_self_signed_certs/ca1.pem.certspec new file mode 100644 index 0000000000..97bc2d4ad1 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_self_signed_certs/ca1.pem.certspec @@ -0,0 +1,5 @@ +issuer:Self-Signed CA +subject:Self-Signed CA +serialNumber:1 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_self_signed_certs/ca2.pem b/security/manager/ssl/tests/unit/test_self_signed_certs/ca2.pem new file mode 100644 index 0000000000..b9207a7d51 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_self_signed_certs/ca2.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIICzjCCAbagAwIBAgIBAjANBgkqhkiG9w0BAQsFADAZMRcwFQYDVQQDDA5TZWxm +LVNpZ25lZCBDQTAiGA8yMDIyMTEyNzAwMDAwMFoYDzIwMjUwMjA0MDAwMDAwWjAZ +MRcwFQYDVQQDDA5TZWxmLVNpZ25lZCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAMF1xlJmCZ93CCpnkfG4dsN/XOU4sGxKzSKxy9RvplraKt1ByMJJ +isSjs8H2FIf0G2mJQb2ApRw8EgJExYSkxEgzBeUTjAEGzwi+moYnYLrmoujzbyPF +2YMTud+vN4NF2s5R1Nbc0qbLPMcG680wcOyYzOQKpZHXKVp/ccW+ZmkdKy3+yElE +WQvFo+pJ/ZOx11NAXxdzdpmVhmYlR5ftQmkIiAgRQiBpmIpD/uSM5oeB3SK2ppzS +g3UTH5MrEozihvp9JRwGKtJ+8Bbxh83VToMrNbiTD3S6kKqLx2FnJCqx/W1iFA0Y +xMC4xo/DdIRXMkrX3obmVS8dHhkdcSFo07sCAwEAAaMdMBswDAYDVR0TBAUwAwEB +/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBAJ0DeA2k4D90l9iBmfHt +24F2kB3ZZvqHJBrRJBiz5WrrTbG1QlD9PlKjlePDAegWrsFgCzDVqe/hmOXYgqDO +jXOm0KxulzT18Udsvhat+IHD7qiwOgXHK7nTl2LlM/FptykRbGXfZGvuC/DpJVtl +J84l4FtgzZEdSGLDIxRSPAYViE9wn5vk/sdEzIY1W8/j7W4AKjk13rMwA0+4zlMW +eeVqQOSZRdIgARMS6aB5FEqLVBGpxcRhS2jBpWMltJ7yvbhYiWxZQww/Is0QjxTd +BEiL3cnaUuXjzVnZrYJ4jcvbD0fxlDLz9DVF9iKNV43+20ML8EHe7qdrQ9DZX2i8 +K6c= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_self_signed_certs/ca2.pem.certspec b/security/manager/ssl/tests/unit/test_self_signed_certs/ca2.pem.certspec new file mode 100644 index 0000000000..f827239d2a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_self_signed_certs/ca2.pem.certspec @@ -0,0 +1,7 @@ +issuer:Self-Signed CA +subject:Self-Signed CA +serialNumber:2 +issuerKey:alternate +subjectKey:alternate +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_self_signed_certs/cert9.db b/security/manager/ssl/tests/unit/test_self_signed_certs/cert9.db Binary files differnew file mode 100644 index 0000000000..5450fe82e5 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_self_signed_certs/cert9.db diff --git a/security/manager/ssl/tests/unit/test_self_signed_certs/ee1.pem b/security/manager/ssl/tests/unit/test_self_signed_certs/ee1.pem new file mode 100644 index 0000000000..194e9a6ae5 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_self_signed_certs/ee1.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICszCCAZugAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDDBBTZWxm +LVNpZ25lZCBDZXJ0MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBa +MBsxGTAXBgNVBAMMEFNlbGYtU2lnbmVkIENlcnQwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEL +BQADggEBAAyarwsbvYKjlS2vQRRzIbbwzwwHROuYI03XL0sbV/T+0VKdd/v4fQe0 +acCKoIewqJhTibykvWPUESoGdOXjzCJZw59XdyyG6o7RsvMazH+/MZap2yqh13tH +n4JVng4+084WcLi9M+IQG3wLvKhgdNd+zVjIgXPNayx8mS0/IeYmhnSW2gbGuwkB +wLI1mU7fI5LqlEfW1bcqTV/P7xMm/eqSCIdFyscABYWMbO6tBxRZA+i+eQ/8WbdE +3/HF1xGAfT2FJIvpjW1lzjYGTLj9Nbk8b77qCN2QOmDCTxHLGJGgMTMibPj6N5dy +N7/rOulljFEzMUS9F4fNJOcXUpoED6Y= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_self_signed_certs/ee1.pem.certspec b/security/manager/ssl/tests/unit/test_self_signed_certs/ee1.pem.certspec new file mode 100644 index 0000000000..9582f7b918 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_self_signed_certs/ee1.pem.certspec @@ -0,0 +1,3 @@ +issuer:Self-Signed Cert +subject:Self-Signed Cert +serialNumber:1 diff --git a/security/manager/ssl/tests/unit/test_self_signed_certs/ee2.pem b/security/manager/ssl/tests/unit/test_self_signed_certs/ee2.pem new file mode 100644 index 0000000000..c683fe188b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_self_signed_certs/ee2.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICszCCAZugAwIBAgIBAjANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDDBBTZWxm +LVNpZ25lZCBDZXJ0MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQwMDAwMDBa +MBsxGTAXBgNVBAMMEFNlbGYtU2lnbmVkIENlcnQwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQDBdcZSZgmfdwgqZ5HxuHbDf1zlOLBsSs0iscvUb6Za2ird +QcjCSYrEo7PB9hSH9BtpiUG9gKUcPBICRMWEpMRIMwXlE4wBBs8IvpqGJ2C65qLo +828jxdmDE7nfrzeDRdrOUdTW3NKmyzzHBuvNMHDsmMzkCqWR1ylaf3HFvmZpHSst +/shJRFkLxaPqSf2TsddTQF8Xc3aZlYZmJUeX7UJpCIgIEUIgaZiKQ/7kjOaHgd0i +tqac0oN1Ex+TKxKM4ob6fSUcBirSfvAW8YfN1U6DKzW4kw90upCqi8dhZyQqsf1t +YhQNGMTAuMaPw3SEVzJK196G5lUvHR4ZHXEhaNO7AgMBAAEwDQYJKoZIhvcNAQEL +BQADggEBADBRWFxP9KJKpwRzCzNkdoZ1GlCKFGYqrx5bz9zkjoTcBVmDn0u+mknw +piqBMlzxnVy77V0I/VchD1a5bMjzhUzQgDVI33N+/4R4sVpevJ+p22D1gJMggY17 +ryeBEbd7tkSF+ajT5oWtiQw5Ytstj+cmKmpDqRccjvNtce82m1mg2Na9ZRrDP6cP +E06XgVbYKf7WhWdwTf3fKjwQzfjujndP2ZxSAizNEj5/GaqN4TtQBAl7y2vBgB0c +wrih3DMJkEOJUpjlnaTuB38LG7h6cLoiAHK9I8onVRgN3zAwni/vYylyEnlV1HnX +E/IAiEYBJ0HrAfIrPB1X7E70D64QJ7g= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_self_signed_certs/ee2.pem.certspec b/security/manager/ssl/tests/unit/test_self_signed_certs/ee2.pem.certspec new file mode 100644 index 0000000000..fa45f13078 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_self_signed_certs/ee2.pem.certspec @@ -0,0 +1,5 @@ +issuer:Self-Signed Cert +subject:Self-Signed Cert +serialNumber:2 +issuerKey:alternate +subjectKey:alternate diff --git a/security/manager/ssl/tests/unit/test_session_resumption.js b/security/manager/ssl/tests/unit/test_session_resumption.js new file mode 100644 index 0000000000..fe7252a630 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_session_resumption.js @@ -0,0 +1,291 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ +"use strict"; + +// Tests that PSM makes the correct determination of the security status of +// loads involving session resumption (i.e. when a TLS handshake bypasses the +// AuthCertificate callback). + +do_get_profile(); +const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +registerCleanupFunction(() => { + Services.prefs.clearUserPref("security.OCSP.enabled"); +}); + +Services.prefs.setIntPref("security.OCSP.enabled", 1); + +addCertFromFile(certdb, "bad_certs/evroot.pem", "CTu,,"); +addCertFromFile(certdb, "bad_certs/ev-test-intermediate.pem", ",,"); + +// For expired.example.com, the platform will make a connection that will fail. +// Using information gathered at that point, an override will be added and +// another connection will be made. This connection will succeed. At that point, +// as long as the session cache isn't cleared, subsequent new connections should +// use session resumption, thereby bypassing the AuthCertificate hook. We need +// to ensure that the correct security state is propagated to the new connection +// information object. +function add_resume_non_ev_with_override_test() { + // This adds the override and makes one successful connection. + add_cert_override_test("expired.example.com", SEC_ERROR_EXPIRED_CERTIFICATE); + + // This connects again, using session resumption. Note that we don't clear + // the TLS session cache between these operations (that would defeat the + // purpose). + add_connection_test( + "expired.example.com", + PRErrorCodeSuccess, + null, + transportSecurityInfo => { + ok(transportSecurityInfo.resumed, "connection should be resumed"); + ok( + transportSecurityInfo.securityState & + Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN, + "expired.example.com should have STATE_CERT_USER_OVERRIDDEN flag" + ); + equal( + transportSecurityInfo.succeededCertChain.length, + 0, + "expired.example.com should not have succeededCertChain set" + ); + equal( + transportSecurityInfo.failedCertChain.length, + 2, + "expired.example.com should have failedCertChain set" + ); + equal( + transportSecurityInfo.overridableErrorCategory, + Ci.nsITransportSecurityInfo.ERROR_TIME, + "expired.example.com should have time overridable error category" + ); + ok( + !transportSecurityInfo.isExtendedValidation, + "expired.example.com should not have isExtendedValidation set" + ); + + let certOverrideService = Cc[ + "@mozilla.org/security/certoverride;1" + ].getService(Ci.nsICertOverrideService); + certOverrideService.clearValidityOverride( + "expired.example.com", + 8443, + {} + ); + } + ); +} + +// Helper function that adds a test that connects to ev-test.example.com and +// verifies that it validates as EV (or not, if we're running a non-debug +// build). This assumes that an appropriate OCSP responder is running or that +// good responses are cached. +function add_one_ev_test(resumed) { + add_connection_test( + "ev-test.example.com", + PRErrorCodeSuccess, + null, + transportSecurityInfo => { + equal( + transportSecurityInfo.resumed, + resumed, + "connection should be resumed or not resumed as expected" + ); + ok( + !( + transportSecurityInfo.securityState & + Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN + ), + "ev-test.example.com should not have STATE_CERT_USER_OVERRIDDEN flag" + ); + equal( + transportSecurityInfo.succeededCertChain.length, + 3, + "ev-test.example.com should have succeededCertChain set" + ); + equal( + transportSecurityInfo.failedCertChain.length, + 0, + "ev-test.example.com should not have failedCertChain set" + ); + equal( + transportSecurityInfo.overridableErrorCategory, + Ci.nsITransportSecurityInfo.ERROR_UNSET, + "ev-test.example.com should not have an overridable error category" + ); + ok( + !gEVExpected || transportSecurityInfo.isExtendedValidation, + "ev-test.example.com should have isExtendedValidation set " + + "(or this is a non-debug build)" + ); + } + ); +} + +// This test is similar, except with extended validation. We should connect +// successfully, and the certificate should be EV in debug builds. Without +// clearing the session cache, we should connect successfully again, this time +// with session resumption. The certificate should again be EV in debug builds. +function add_resume_ev_test() { + const SERVER_PORT = 8888; + let expectedRequestPaths = ["ev-test"]; + let responseTypes = ["good"]; + // Since we cache OCSP responses, we only ever actually serve one set. + let ocspResponder; + // If we don't wrap this in an `add_test`, the OCSP responder will be running + // while we are actually running unrelated testcases, which can disrupt them. + add_test(() => { + ocspResponder = startOCSPResponder( + SERVER_PORT, + "localhost", + "bad_certs", + expectedRequestPaths, + expectedRequestPaths.slice(), + null, + responseTypes + ); + run_next_test(); + }); + // We should be able to connect and verify the certificate as EV (in debug + // builds). + add_one_ev_test(false); + // We should be able to connect again (using session resumption). In debug + // builds, the certificate should be noted as EV. Again, it's important that + // nothing clears the TLS cache in between these two operations. + add_one_ev_test(true); + + add_test(() => { + ocspResponder.stop(run_next_test); + }); +} + +const GOOD_DOMAIN = "good.include-subdomains.pinning.example.com"; + +// Helper function that adds a test that connects to a domain that should +// succeed (but isn't EV) and verifies that its succeededCertChain gets set +// appropriately. +function add_one_non_ev_test() { + add_connection_test( + GOOD_DOMAIN, + PRErrorCodeSuccess, + null, + transportSecurityInfo => { + ok( + !( + transportSecurityInfo.securityState & + Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN + ), + `${GOOD_DOMAIN} should not have STATE_CERT_USER_OVERRIDDEN flag` + ); + ok( + transportSecurityInfo.succeededCertChain, + `${GOOD_DOMAIN} should have succeededCertChain set` + ); + equal( + transportSecurityInfo.overridableErrorCategory, + 0, + `${GOOD_DOMAIN} should not have an overridable error category set` + ); + ok( + !transportSecurityInfo.isExtendedValidation, + `${GOOD_DOMAIN} should not have isExtendedValidation set` + ); + } + ); +} + +// This test is similar, except with non-extended validation. We should connect +// successfully, and the certificate should not be EV. Without clearing the +// session cache, we should connect successfully again, this time with session +// resumption. In this case, though, we want to ensure the succeededCertChain is +// set. +function add_resume_non_ev_test() { + add_one_non_ev_test(); + add_one_non_ev_test(); +} + +const statsPtr = getSSLStatistics(); +const toInt32 = ctypes.Int64.lo; + +// Connect to the same domain with two origin attributes and check if any ssl +// session is resumed. +function add_origin_attributes_test( + originAttributes1, + originAttributes2, + resumeExpected +) { + add_connection_test( + GOOD_DOMAIN, + PRErrorCodeSuccess, + clearSessionCache, + null, + null, + originAttributes1 + ); + + let hitsBeforeConnect; + let missesBeforeConnect; + let expectedHits = resumeExpected ? 1 : 0; + let expectedMisses = 1 - expectedHits; + + add_connection_test( + GOOD_DOMAIN, + PRErrorCodeSuccess, + function () { + // Add the hits and misses before connection. + let stats = statsPtr.contents; + hitsBeforeConnect = toInt32(stats.sch_sid_cache_hits); + missesBeforeConnect = toInt32(stats.sch_sid_cache_misses); + }, + function () { + let stats = statsPtr.contents; + equal( + toInt32(stats.sch_sid_cache_hits), + hitsBeforeConnect + expectedHits, + "Unexpected cache hits" + ); + equal( + toInt32(stats.sch_sid_cache_misses), + missesBeforeConnect + expectedMisses, + "Unexpected cache misses" + ); + }, + null, + originAttributes2 + ); +} + +function add_resumption_tests() { + add_resume_ev_test(); + add_resume_non_ev_test(); + add_resume_non_ev_with_override_test(); + add_origin_attributes_test({}, {}, true); + add_origin_attributes_test({ userContextId: 1 }, { userContextId: 2 }, false); + add_origin_attributes_test({ userContextId: 3 }, { userContextId: 3 }, true); + add_origin_attributes_test( + { firstPartyDomain: "foo.com" }, + { firstPartyDomain: "bar.com" }, + false + ); + add_origin_attributes_test( + { firstPartyDomain: "baz.com" }, + { firstPartyDomain: "baz.com" }, + true + ); +} + +function run_test() { + add_tls_server_setup("BadCertAndPinningServer", "bad_certs"); + add_resumption_tests(); + // Enable external session cache and reset the status. + add_test(function () { + Services.prefs.setBoolPref("network.ssl_tokens_cache_enabled", true); + certdb.clearOCSPCache(); + run_next_test(); + }); + // Do tests again. + add_resumption_tests(); + run_next_test(); +} diff --git a/security/manager/ssl/tests/unit/test_signed_apps.js b/security/manager/ssl/tests/unit/test_signed_apps.js new file mode 100644 index 0000000000..4893bfd714 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps.js @@ -0,0 +1,1038 @@ +"use strict"; + +// Tests the API nsIX509CertDB.openSignedAppFileAsync, which backs add-on +// signature verification. Testcases include various ways of tampering with +// add-ons as well as different hash algorithms used in the various +// signature/metadata files. + +// from prio.h +const PR_RDWR = 0x04; +const PR_CREATE_FILE = 0x08; +const PR_TRUNCATE = 0x20; +const PR_USEC_PER_MSEC = 1000; + +do_get_profile(); // must be called before getting nsIX509CertDB +const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +// Creates a new app package based in the inFilePath package, with a set of +// modifications (including possibly deletions) applied to the existing entries, +// and/or a set of new entries to be included. +function tamper(inFilePath, outFilePath, modifications, newEntries) { + let writer = Cc["@mozilla.org/zipwriter;1"].createInstance(Ci.nsIZipWriter); + writer.open(outFilePath, PR_RDWR | PR_CREATE_FILE | PR_TRUNCATE); + try { + let reader = Cc["@mozilla.org/libjar/zip-reader;1"].createInstance( + Ci.nsIZipReader + ); + reader.open(inFilePath); + try { + for (let entryName of reader.findEntries("")) { + let inEntry = reader.getEntry(entryName); + let entryInput = reader.getInputStream(entryName); + try { + let f = modifications[entryName]; + let outEntry, outEntryInput; + if (f) { + [outEntry, outEntryInput] = f(inEntry, entryInput); + delete modifications[entryName]; + } else { + [outEntry, outEntryInput] = [inEntry, entryInput]; + } + // if f does not want the input entry to be copied to the output entry + // at all (i.e. it wants it to be deleted), it will return null. + if (outEntryInput) { + try { + writer.addEntryStream( + entryName, + outEntry.lastModifiedTime, + outEntry.compression, + outEntryInput, + false + ); + } finally { + if (entryInput != outEntryInput) { + outEntryInput.close(); + } + } + } + } finally { + entryInput.close(); + } + } + } finally { + reader.close(); + } + + // Any leftover modification means that we were expecting to modify an entry + // in the input file that wasn't there. + for (let name in modifications) { + if (modifications.hasOwnProperty(name)) { + throw new Error("input file was missing expected entries: " + name); + } + } + + // Now, append any new entries to the end + newEntries.forEach(function (newEntry) { + let sis = Cc["@mozilla.org/io/string-input-stream;1"].createInstance( + Ci.nsIStringInputStream + ); + try { + sis.setData(newEntry.content, newEntry.content.length); + writer.addEntryStream( + newEntry.name, + new Date() * PR_USEC_PER_MSEC, + Ci.nsIZipWriter.COMPRESSION_BEST, + sis, + false + ); + } finally { + sis.close(); + } + }); + } finally { + writer.close(); + } +} + +function removeEntry(entry, entryInput) { + return [null, null]; +} + +function truncateEntry(entry, entryInput) { + if (entryInput.available() == 0) { + throw new Error( + "Truncating already-zero length entry will result in " + + "identical entry." + ); + } + + let content = Cc["@mozilla.org/io/string-input-stream;1"].createInstance( + Ci.nsIStringInputStream + ); + content.data = ""; + + return [entry, content]; +} + +function check_open_result(name, expectedRv) { + return function openSignedAppFileCallback(rv, aZipReader, aSignerCert) { + info("openSignedAppFileCallback called for " + name); + equal(rv, expectedRv, "Actual and expected return value should match"); + equal( + aZipReader != null, + Components.isSuccessCode(expectedRv), + "ZIP reader should be null only if the return value denotes failure" + ); + equal( + aSignerCert != null, + Components.isSuccessCode(expectedRv), + "Signer cert should be null only if the return value denotes failure" + ); + run_next_test(); + }; +} + +function original_app_path(test_name) { + return do_get_file("test_signed_apps/" + test_name + ".zip", false); +} + +function tampered_app_path(test_name) { + return new FileUtils.File( + PathUtils.join( + Services.dirsvc.get("TmpD", Ci.nsIFile).path, + `test_signed_app-${test_name}.zip` + ) + ); +} + +var hashTestcases = [ + // SHA-256 in PKCS#7 + SHA-256 present elsewhere => OK + { name: "app_mf-1-256_sf-1-256_p7-1-256", expectedResult: Cr.NS_OK }, + { name: "app_mf-1-256_sf-1-256_p7-256", expectedResult: Cr.NS_OK }, + { name: "app_mf-1-256_sf-256_p7-1-256", expectedResult: Cr.NS_OK }, + { name: "app_mf-1-256_sf-256_p7-256", expectedResult: Cr.NS_OK }, + { name: "app_mf-256_sf-1-256_p7-1-256", expectedResult: Cr.NS_OK }, + { name: "app_mf-256_sf-1-256_p7-256", expectedResult: Cr.NS_OK }, + { name: "app_mf-256_sf-256_p7-1-256", expectedResult: Cr.NS_OK }, + { name: "app_mf-256_sf-256_p7-256", expectedResult: Cr.NS_OK }, + + // SHA-1 in PKCS#7 + SHA-1 present elsewhere => OK + { name: "app_mf-1-256_sf-1-256_p7-1", expectedResult: Cr.NS_OK }, + { name: "app_mf-1-256_sf-1_p7-1", expectedResult: Cr.NS_OK }, + { name: "app_mf-1_sf-1-256_p7-1", expectedResult: Cr.NS_OK }, + { name: "app_mf-1_sf-1_p7-1", expectedResult: Cr.NS_OK }, + + // SHA-256 in PKCS#7 + SHA-256 not present elsewhere => INVALID + { + name: "app_mf-1-256_sf-1_p7-1-256", + expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + }, + { + name: "app_mf-1-256_sf-1_p7-256", + expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + }, + { + name: "app_mf-1_sf-1-256_p7-1-256", + expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + }, + { + name: "app_mf-1_sf-1-256_p7-256", + expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + }, + { + name: "app_mf-1_sf-1_p7-1-256", + expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + }, + { + name: "app_mf-1_sf-1_p7-256", + expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + }, + { + name: "app_mf-1_sf-256_p7-1-256", + expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + }, + { + name: "app_mf-1_sf-256_p7-256", + expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + }, + { + name: "app_mf-256_sf-1_p7-1-256", + expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + }, + { + name: "app_mf-256_sf-1_p7-256", + expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + }, + + // SHA-1 in PKCS#7 + SHA-1 not present elsewhere => INVALID + { + name: "app_mf-1-256_sf-256_p7-1", + expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + }, + { + name: "app_mf-1_sf-256_p7-1", + expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + }, + { + name: "app_mf-256_sf-1-256_p7-1", + expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + }, + { + name: "app_mf-256_sf-1_p7-1", + expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + }, + { + name: "app_mf-256_sf-256_p7-1", + expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + }, +]; + +// Policy values for the preference "security.signed_app_signatures.policy" +const PKCS7WithSHA1OrSHA256 = 0b0; +const PKCS7WithSHA256 = 0b1; +const COSEAndPKCS7WithSHA1OrSHA256 = 0b10; +const COSEAndPKCS7WithSHA256 = 0b11; +const COSERequiredAndPKCS7WithSHA1OrSHA256 = 0b100; +const COSERequiredAndPKCS7WithSHA256 = 0b101; +const COSEOnly = 0b110; +const COSEOnlyAgain = 0b111; + +function add_signature_test(policy, test) { + // First queue up a test to set the desired policy: + add_test(function () { + Services.prefs.setIntPref("security.signed_app_signatures.policy", policy); + run_next_test(); + }); + // Then queue up the test itself: + add_test(test); +} + +for (let testcase of hashTestcases) { + add_signature_test(PKCS7WithSHA1OrSHA256, function () { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + original_app_path(testcase.name), + check_open_result(testcase.name, testcase.expectedResult) + ); + }); +} + +add_signature_test(PKCS7WithSHA1OrSHA256, function () { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + original_app_path("empty_signerInfos"), + check_open_result( + "the signerInfos in the PKCS#7 signature is empty", + Cr.NS_ERROR_CMS_VERIFY_NOT_SIGNED + ) + ); +}); + +add_signature_test(PKCS7WithSHA1OrSHA256, function () { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + original_app_path("unsigned_app"), + check_open_result("unsigned", Cr.NS_ERROR_SIGNED_JAR_NOT_SIGNED) + ); +}); + +add_signature_test(PKCS7WithSHA1OrSHA256, function () { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + original_app_path("unknown_issuer_app"), + check_open_result( + "unknown_issuer", + getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER) + ) + ); +}); + +add_signature_test(COSEAndPKCS7WithSHA1OrSHA256, function () { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + original_app_path("cose_signed_with_pkcs7"), + check_open_result("cose_signed_with_pkcs7", Cr.NS_OK) + ); +}); + +add_signature_test(COSEAndPKCS7WithSHA256, function () { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + original_app_path("app_mf-256_sf-256_p7-256"), + check_open_result("no COSE but correct PK#7", Cr.NS_OK) + ); +}); + +add_signature_test(COSEAndPKCS7WithSHA256, function () { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + original_app_path("app_mf-1_sf-256_p7-256"), + check_open_result( + "no COSE and wrong PK#7 hash", + Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID + ) + ); +}); + +add_signature_test(COSERequiredAndPKCS7WithSHA1OrSHA256, function () { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + original_app_path("app_mf-256_sf-256_p7-256"), + check_open_result( + "COSE signature missing (SHA1 or 256)", + Cr.NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE + ) + ); +}); + +add_signature_test(COSERequiredAndPKCS7WithSHA256, function () { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + original_app_path("app_mf-256_sf-256_p7-256"), + check_open_result( + "COSE signature missing (SHA256)", + Cr.NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE + ) + ); +}); + +add_signature_test(COSERequiredAndPKCS7WithSHA256, function () { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + original_app_path("only_cose_signed"), + check_open_result( + "COSE signature only (PK#7 allowed, not present)", + Cr.NS_OK + ) + ); +}); + +add_signature_test(COSERequiredAndPKCS7WithSHA1OrSHA256, function () { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + original_app_path("only_cose_signed"), + check_open_result( + "COSE signature only (PK#7 allowed, not present)", + Cr.NS_OK + ) + ); +}); + +add_signature_test(COSEAndPKCS7WithSHA1OrSHA256, function () { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + original_app_path("cose_multiple_signed_with_pkcs7"), + check_open_result("cose_multiple_signed_with_pkcs7", Cr.NS_OK) + ); +}); + +add_signature_test(COSEAndPKCS7WithSHA1OrSHA256, function () { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + original_app_path("cose_int_signed_with_pkcs7"), + check_open_result("COSE signed with an intermediate", Cr.NS_OK) + ); +}); + +add_signature_test(COSEAndPKCS7WithSHA1OrSHA256, function () { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + original_app_path("only_cose_signed"), + check_open_result( + "PK7 signature missing", + Cr.NS_ERROR_SIGNED_JAR_NOT_SIGNED + ) + ); +}); + +add_signature_test(COSEOnly, function () { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + original_app_path("cose_multiple_signed_with_pkcs7"), + check_open_result( + "Expected only COSE signature", + Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY + ) + ); +}); + +add_signature_test(COSEOnly, function () { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + original_app_path("only_cose_multiple_signed"), + check_open_result("only Multiple COSE signatures", Cr.NS_OK) + ); +}); + +add_signature_test(COSEOnly, function () { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + original_app_path("only_cose_signed"), + check_open_result("only_cose_signed", Cr.NS_OK) + ); +}); + +add_signature_test(COSEOnlyAgain, function () { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + original_app_path("only_cose_signed"), + check_open_result("only_cose_signed (again)", Cr.NS_OK) + ); +}); + +add_signature_test(COSEOnly, function () { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + original_app_path("cose_signed_with_pkcs7"), + check_open_result( + "COSE only expected but also PK#7 signed", + Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY + ) + ); +}); + +// Sanity check to ensure a no-op tampering gives a valid result +add_signature_test(PKCS7WithSHA1OrSHA256, function () { + let tampered = tampered_app_path("identity_tampering"); + tamper(original_app_path("app_mf-1_sf-1_p7-1"), tampered, {}, []); + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + original_app_path("app_mf-1_sf-1_p7-1"), + check_open_result("identity_tampering", Cr.NS_OK) + ); +}); + +add_signature_test(PKCS7WithSHA1OrSHA256, function () { + let tampered = tampered_app_path("missing_rsa"); + tamper( + original_app_path("app_mf-1_sf-1_p7-1"), + tampered, + { "META-INF/A.RSA": removeEntry }, + [] + ); + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + tampered, + check_open_result("missing_rsa", Cr.NS_ERROR_SIGNED_JAR_NOT_SIGNED) + ); +}); + +add_signature_test(PKCS7WithSHA1OrSHA256, function () { + let tampered = tampered_app_path("missing_sf"); + tamper( + original_app_path("app_mf-1_sf-1_p7-1"), + tampered, + { "META-INF/A.SF": removeEntry }, + [] + ); + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + tampered, + check_open_result("missing_sf", Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID) + ); +}); + +add_signature_test(PKCS7WithSHA1OrSHA256, function () { + let tampered = tampered_app_path("missing_manifest_mf"); + tamper( + original_app_path("app_mf-1_sf-1_p7-1"), + tampered, + { "META-INF/MANIFEST.MF": removeEntry }, + [] + ); + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + tampered, + check_open_result( + "missing_manifest_mf", + Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID + ) + ); +}); + +add_signature_test(PKCS7WithSHA1OrSHA256, function () { + let tampered = tampered_app_path("missing_entry"); + tamper( + original_app_path("app_mf-1_sf-1_p7-1"), + tampered, + { "manifest.json": removeEntry }, + [] + ); + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + tampered, + check_open_result("missing_entry", Cr.NS_ERROR_SIGNED_JAR_ENTRY_MISSING) + ); +}); + +add_signature_test(PKCS7WithSHA1OrSHA256, function () { + let tampered = tampered_app_path("truncated_entry"); + tamper( + original_app_path("app_mf-1_sf-1_p7-1"), + tampered, + { "manifest.json": truncateEntry }, + [] + ); + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + tampered, + check_open_result("truncated_entry", Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY) + ); +}); + +add_signature_test(PKCS7WithSHA1OrSHA256, function () { + let tampered = tampered_app_path("truncated_manifestFile"); + tamper( + original_app_path("app_mf-1_sf-1_p7-1"), + tampered, + { "META-INF/MANIFEST.MF": truncateEntry }, + [] + ); + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + tampered, + check_open_result( + "truncated_manifestFile", + Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID + ) + ); +}); + +add_signature_test(PKCS7WithSHA1OrSHA256, function () { + let tampered = tampered_app_path("truncated_signatureFile"); + tamper( + original_app_path("app_mf-1_sf-1_p7-1"), + tampered, + { "META-INF/A.SF": truncateEntry }, + [] + ); + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + tampered, + check_open_result( + "truncated_signatureFile", + getXPCOMStatusFromNSS(SEC_ERROR_PKCS7_BAD_SIGNATURE) + ) + ); +}); + +add_signature_test(PKCS7WithSHA1OrSHA256, function () { + let tampered = tampered_app_path("truncated_pkcs7File"); + tamper( + original_app_path("app_mf-1_sf-1_p7-1"), + tampered, + { "META-INF/A.RSA": truncateEntry }, + [] + ); + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + tampered, + check_open_result("truncated_pkcs7File", Cr.NS_ERROR_CMS_VERIFY_NOT_SIGNED) + ); +}); + +add_signature_test(PKCS7WithSHA1OrSHA256, function () { + let tampered = tampered_app_path("unsigned_entry"); + tamper(original_app_path("app_mf-1_sf-1_p7-1"), tampered, {}, [ + { name: "unsigned.txt", content: "unsigned content!" }, + ]); + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + tampered, + check_open_result("unsigned_entry", Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY) + ); +}); + +add_signature_test(PKCS7WithSHA1OrSHA256, function () { + let tampered = tampered_app_path("unsigned_metainf_entry"); + tamper(original_app_path("app_mf-1_sf-1_p7-1"), tampered, {}, [ + { name: "META-INF/unsigned.txt", content: "unsigned content!" }, + ]); + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + tampered, + check_open_result( + "unsigned_metainf_entry", + Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY + ) + ); +}); + +add_signature_test(PKCS7WithSHA256, function testSHA1Disabled() { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + original_app_path("app_mf-1_sf-1_p7-1"), + check_open_result( + "SHA-1 should not be accepted if disabled by policy", + Cr.NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE + ) + ); +}); + +add_signature_test(PKCS7WithSHA256, function testSHA256WorksWithSHA1Disabled() { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + original_app_path("app_mf-256_sf-256_p7-256"), + check_open_result( + "SHA-256 should work if SHA-1 is disabled by policy", + Cr.NS_OK + ) + ); +}); + +add_signature_test( + PKCS7WithSHA256, + function testMultipleSignaturesWorkWithSHA1Disabled() { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + original_app_path("app_mf-1-256_sf-1-256_p7-1-256"), + check_open_result( + "Multiple signatures should work if SHA-1 is " + + "disabled by policy (if SHA-256 signature verifies)", + Cr.NS_OK + ) + ); + } +); + +var cosePolicies = [ + COSEAndPKCS7WithSHA1OrSHA256, + COSERequiredAndPKCS7WithSHA1OrSHA256, +]; + +// PS256 is not yet supported. +var coseTestcasesStage = [ + { + name: "autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-ES384", + expectedResult: Cr.NS_OK, + root: Ci.nsIX509CertDB.AddonsStageRoot, + }, + { + name: "autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-PS256", + expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + root: Ci.nsIX509CertDB.AddonsStageRoot, + }, + { + name: "autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256", + expectedResult: Cr.NS_OK, + root: Ci.nsIX509CertDB.AddonsStageRoot, + }, + { + name: "autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-PS256", + expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + root: Ci.nsIX509CertDB.AddonsStageRoot, + }, +]; + +var coseTestcasesProd = [ + { + name: "autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-ES384", + expectedResult: Cr.NS_OK, + root: Ci.nsIX509CertDB.AddonsPublicRoot, + }, + { + name: "autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-PS256", + expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + root: Ci.nsIX509CertDB.AddonsPublicRoot, + }, + { + name: "autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256", + expectedResult: Cr.NS_OK, + root: Ci.nsIX509CertDB.AddonsPublicRoot, + }, + { + name: "autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-PS256", + expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + root: Ci.nsIX509CertDB.AddonsPublicRoot, + }, +]; + +for (let policy of cosePolicies) { + for (let testcase of [...coseTestcasesStage, ...coseTestcasesProd]) { + add_signature_test(policy, function () { + certdb.openSignedAppFileAsync( + testcase.root, + original_app_path(testcase.name), + check_open_result(testcase.name, testcase.expectedResult) + ); + }); + } +} + +add_signature_test(COSEAndPKCS7WithSHA256, function testCOSESigTampered() { + let tampered = tampered_app_path("cose_sig_tampered"); + tamper( + original_app_path("cose_signed_with_pkcs7"), + tampered, + { "META-INF/cose.sig": truncateEntry }, + [] + ); + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + tampered, + check_open_result( + "cose_sig_tampered", + Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY + ) + ); +}); + +// PKCS7 is processed before COSE, so if a COSE signature file is removed or +// tampered with, this appears as a PKCS7 signature verification failure. +add_signature_test(COSEAndPKCS7WithSHA256, function testCOSESigRemoved() { + let tampered = tampered_app_path("cose_sig_removed"); + tamper( + original_app_path("cose_signed_with_pkcs7"), + tampered, + { "META-INF/cose.sig": removeEntry }, + [] + ); + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + tampered, + check_open_result("cose_sig_removed", Cr.NS_ERROR_SIGNED_JAR_ENTRY_MISSING) + ); +}); + +add_signature_test(COSEAndPKCS7WithSHA256, function testCOSEManifestTampered() { + let tampered = tampered_app_path("cose_manifest_tampered"); + tamper( + original_app_path("cose_signed_with_pkcs7"), + tampered, + { "META-INF/cose.manifest": truncateEntry }, + [] + ); + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + tampered, + check_open_result( + "cose_manifest_tampered", + Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY + ) + ); +}); + +add_signature_test(COSEAndPKCS7WithSHA256, function testCOSEManifestRemoved() { + let tampered = tampered_app_path("cose_manifest_removed"); + tamper( + original_app_path("cose_signed_with_pkcs7"), + tampered, + { "META-INF/cose.manifest": removeEntry }, + [] + ); + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + tampered, + check_open_result( + "cose_manifest_removed", + Cr.NS_ERROR_SIGNED_JAR_ENTRY_MISSING + ) + ); +}); + +add_signature_test(COSEAndPKCS7WithSHA256, function testCOSEFileAdded() { + let tampered = tampered_app_path("cose_file_added"); + tamper(original_app_path("cose_signed_with_pkcs7"), tampered, {}, [ + { name: "unsigned.txt", content: "unsigned content!" }, + ]); + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + tampered, + check_open_result("cose_file_added", Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY) + ); +}); + +add_signature_test(COSEAndPKCS7WithSHA256, function testCOSEFileRemoved() { + let tampered = tampered_app_path("cose_file_removed"); + tamper( + original_app_path("cose_signed_with_pkcs7"), + tampered, + { "manifest.json": removeEntry }, + [] + ); + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + tampered, + check_open_result("cose_file_removed", Cr.NS_ERROR_SIGNED_JAR_ENTRY_MISSING) + ); +}); + +add_signature_test(COSEAndPKCS7WithSHA256, function testCOSEFileTampered() { + let tampered = tampered_app_path("cose_file_tampered"); + tamper( + original_app_path("cose_signed_with_pkcs7"), + tampered, + { "manifest.json": truncateEntry }, + [] + ); + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + tampered, + check_open_result( + "cose_file_tampered", + Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY + ) + ); +}); + +add_signature_test(COSEOnly, function testOnlyCOSESigTampered() { + let tampered = tampered_app_path("only_cose_sig_tampered"); + tamper( + original_app_path("only_cose_signed"), + tampered, + { "META-INF/cose.sig": truncateEntry }, + [] + ); + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + tampered, + check_open_result( + "only_cose_sig_tampered", + Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID + ) + ); +}); + +add_signature_test(COSEOnly, function testOnlyCOSESigRemoved() { + let tampered = tampered_app_path("only_cose_sig_removed"); + tamper( + original_app_path("only_cose_signed"), + tampered, + { "META-INF/cose.sig": removeEntry }, + [] + ); + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + tampered, + check_open_result( + "only_cose_sig_removed", + Cr.NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE + ) + ); +}); + +add_signature_test(COSEOnly, function testOnlyCOSEManifestTampered() { + let tampered = tampered_app_path("only_cose_manifest_tampered"); + tamper( + original_app_path("only_cose_signed"), + tampered, + { "META-INF/cose.manifest": truncateEntry }, + [] + ); + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + tampered, + check_open_result( + "only_cose_manifest_tampered", + Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID + ) + ); +}); + +add_signature_test(COSEOnly, function testOnlyCOSEManifestRemoved() { + let tampered = tampered_app_path("only_cose_manifest_removed"); + tamper( + original_app_path("only_cose_signed"), + tampered, + { "META-INF/cose.manifest": removeEntry }, + [] + ); + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + tampered, + check_open_result( + "only_cose_manifest_removed", + Cr.NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE + ) + ); +}); + +add_signature_test(COSEOnly, function testOnlyCOSEFileAdded() { + let tampered = tampered_app_path("only_cose_file_added"); + tamper(original_app_path("only_cose_signed"), tampered, {}, [ + { name: "unsigned.txt", content: "unsigned content!" }, + ]); + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + tampered, + check_open_result( + "only_cose_file_added", + Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY + ) + ); +}); + +add_signature_test(COSEOnly, function testOnlyCOSEFileRemoved() { + let tampered = tampered_app_path("only_cose_file_removed"); + tamper( + original_app_path("only_cose_signed"), + tampered, + { "manifest.json": removeEntry }, + [] + ); + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + tampered, + check_open_result( + "only_cose_file_removed", + Cr.NS_ERROR_SIGNED_JAR_ENTRY_MISSING + ) + ); +}); + +add_signature_test(COSEOnly, function testOnlyCOSEFileTampered() { + let tampered = tampered_app_path("only_cose_file_tampered"); + tamper( + original_app_path("only_cose_signed"), + tampered, + { "manifest.json": truncateEntry }, + [] + ); + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + tampered, + check_open_result( + "only_cose_file_tampered", + Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY + ) + ); +}); + +// This was signed with only COSE first, and then the contents were tampered +// with (making the signature invalid). Then, the file was signed with +// PKCS7/SHA1. We need to ensure that if we're configured to process COSE, this +// verification fails. +add_signature_test(COSEAndPKCS7WithSHA1OrSHA256, function () { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + original_app_path("cose_tampered_good_pkcs7"), + check_open_result( + "tampered COSE with good PKCS7 signature should fail " + + "when COSE and PKCS7 is processed", + Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY + ) + ); +}); + +add_signature_test(COSEOnly, function () { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + original_app_path("cose_tampered_good_pkcs7"), + check_open_result( + "tampered COSE with good PKCS7 signature should fail " + + "when only COSE is processed", + Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY + ) + ); +}); + +// If we're not processing COSE, this should verify successfully. +add_signature_test(PKCS7WithSHA1OrSHA256, function () { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + original_app_path("cose_tampered_good_pkcs7"), + check_open_result( + "tampered COSE with good PKCS7 signature should succeed" + + "when COSE is not processed", + Cr.NS_OK + ) + ); +}); + +add_test(function () { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + original_app_path("bug_1411458"), + check_open_result("bug 1411458", Cr.NS_ERROR_CMS_VERIFY_NO_CONTENT_INFO) + ); +}); + +// This has a big manifest file (~2MB). It should verify correctly. +add_test(function () { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + original_app_path("big_manifest"), + check_open_result("add-on with big manifest file", Cr.NS_OK) + ); +}); + +// This has a huge manifest file (~10MB). Manifest files this large are not +// supported (8MB is the limit). It should not verify correctly. +add_test(function () { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + original_app_path("huge_manifest"), + check_open_result( + "add-on with huge manifest file", + Cr.NS_ERROR_SIGNED_JAR_ENTRY_INVALID + ) + ); +}); + +// Verification should pass despite a not-yet-valid EE certificate. +// Regression test for bug 1713628 +add_test(function () { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + original_app_path("validity_not_yet_valid"), + check_open_result("validity_not_yet_valid", Cr.NS_OK) + ); +}); + +// Verification should pass despite an expired EE certificate. +// Regression test for bug 1267318 and bug 1548973 +add_test(function () { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + original_app_path("validity_expired"), + check_open_result("validity_expired", Cr.NS_OK) + ); +}); + +// TODO: tampered MF, tampered SF +// TODO: too-large MF, too-large RSA, too-large SF +// TODO: MF and SF that end immediately after the last main header +// (no CR nor LF) +// TODO: broken headers to exercise the parser diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app/README b/security/manager/ssl/tests/unit/test_signed_apps/app/README new file mode 100644 index 0000000000..4f4db4f73e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/app/README @@ -0,0 +1 @@ +This is the readme for the test extension. diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app/data/image.png b/security/manager/ssl/tests/unit/test_signed_apps/app/data/image.png Binary files differnew file mode 100644 index 0000000000..f4a62faddf --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/app/data/image.png diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app/manifest.json b/security/manager/ssl/tests/unit/test_signed_apps/app/manifest.json new file mode 100644 index 0000000000..eacaedfa7a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/app/manifest.json @@ -0,0 +1,5 @@ +{ + "manifest_version": 2, + "name": "Test Extension", + "version": "0.0.1" +} diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/META-INF/cose.manifest b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/META-INF/cose.manifest new file mode 100644 index 0000000000..be5069f57b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/META-INF/cose.manifest @@ -0,0 +1,10 @@ +Manifest-Version: 1.0 + +Name: README +SHA256-Digest: bY0l9xqGJYCpqYeJ0K6q4DWUQqu0mNBFM4H4emhjiJg= + +Name: manifest.json +SHA256-Digest: BTnCpT154N26RZm8bhdD43WXd0tj5bg6ofM19NLI0OE= + +Name: data/image.png +SHA256-Digest: EPjkNZwya9X+pruLlxG+FACLwGC48XU4S9oZOA0lVVQ= diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/META-INF/cose.sig b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/META-INF/cose.sig Binary files differnew file mode 100644 index 0000000000..ee9f3e2ce9 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/META-INF/cose.sig diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/README b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/README new file mode 100644 index 0000000000..46217087d8 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/README @@ -0,0 +1,2 @@ +This is the readme for the test extension. +This app was created by unzipping only_cose_signed.zip and adding this line (thus invalidating the COSE signature). diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/data/image.png b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/data/image.png Binary files differnew file mode 100644 index 0000000000..f4a62faddf --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/data/image.png diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/manifest.json b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/manifest.json new file mode 100644 index 0000000000..eacaedfa7a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/manifest.json @@ -0,0 +1,5 @@ +{ + "manifest_version": 2, + "name": "Test Extension", + "version": "0.0.1" +} diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-1-256.zip Binary files differnew file mode 100644 index 0000000000..48f34fbd78 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-1-256.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-1.zip Binary files differnew file mode 100644 index 0000000000..4f2e376440 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-1.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-256.zip Binary files differnew file mode 100644 index 0000000000..e484ccfdf1 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-256.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-1-256.zip Binary files differnew file mode 100644 index 0000000000..e1aa3d0dea --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-1-256.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-1.zip Binary files differnew file mode 100644 index 0000000000..69ce9ea2e3 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-1.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-256.zip Binary files differnew file mode 100644 index 0000000000..09c2009cc4 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-256.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-1-256.zip Binary files differnew file mode 100644 index 0000000000..7e6e6ad8e0 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-1-256.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-1.zip Binary files differnew file mode 100644 index 0000000000..d4ae1e1f13 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-1.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-256.zip Binary files differnew file mode 100644 index 0000000000..1bd8d00b23 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-256.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-1-256.zip Binary files differnew file mode 100644 index 0000000000..c076ec01b9 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-1-256.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-1.zip Binary files differnew file mode 100644 index 0000000000..da29a1b057 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-1.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-256.zip Binary files differnew file mode 100644 index 0000000000..726ce6d920 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-256.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-1-256.zip Binary files differnew file mode 100644 index 0000000000..8e06df3332 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-1-256.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-1.zip Binary files differnew file mode 100644 index 0000000000..1ad810331b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-1.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-256.zip Binary files differnew file mode 100644 index 0000000000..2b163051dd --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-256.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-1-256.zip Binary files differnew file mode 100644 index 0000000000..c64c184586 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-1-256.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-1.zip Binary files differnew file mode 100644 index 0000000000..27729c8dae --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-1.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-256.zip Binary files differnew file mode 100644 index 0000000000..798ac6858f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-256.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-1-256.zip Binary files differnew file mode 100644 index 0000000000..45dddf1ed8 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-1-256.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-1.zip Binary files differnew file mode 100644 index 0000000000..1e6188de5d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-1.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-256.zip Binary files differnew file mode 100644 index 0000000000..68cdc0f0ac --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-256.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-1-256.zip Binary files differnew file mode 100644 index 0000000000..5ff5f8c946 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-1-256.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-1.zip Binary files differnew file mode 100644 index 0000000000..49ac1edc5d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-1.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-256.zip Binary files differnew file mode 100644 index 0000000000..fb884ed8f1 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-256.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-1-256.zip Binary files differnew file mode 100644 index 0000000000..e7a6d259fe --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-1-256.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-1.zip Binary files differnew file mode 100644 index 0000000000..881db28d9f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-1.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-256.zip Binary files differnew file mode 100644 index 0000000000..8177c5f58a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-256.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-ES384.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-ES384.zip Binary files differnew file mode 100644 index 0000000000..40b4fc7857 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-ES384.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-PS256.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-PS256.zip Binary files differnew file mode 100644 index 0000000000..d364e590e5 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-PS256.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256.zip Binary files differnew file mode 100644 index 0000000000..a4353bba19 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-PS256.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-PS256.zip Binary files differnew file mode 100644 index 0000000000..51ae592ee9 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-PS256.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-ES384.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-ES384.zip Binary files differnew file mode 100644 index 0000000000..b74e087620 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-ES384.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-PS256.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-PS256.zip Binary files differnew file mode 100644 index 0000000000..772c42e494 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-PS256.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256.zip Binary files differnew file mode 100644 index 0000000000..b1d1999551 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-PS256.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-PS256.zip Binary files differnew file mode 100644 index 0000000000..0ce563680d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-PS256.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/big_manifest.zip b/security/manager/ssl/tests/unit/test_signed_apps/big_manifest.zip Binary files differnew file mode 100644 index 0000000000..b2e9e44d19 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/big_manifest.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/bug_1411458.zip b/security/manager/ssl/tests/unit/test_signed_apps/bug_1411458.zip Binary files differnew file mode 100644 index 0000000000..0b296945ab --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/bug_1411458.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/cose_int_signed_with_pkcs7.zip b/security/manager/ssl/tests/unit/test_signed_apps/cose_int_signed_with_pkcs7.zip Binary files differnew file mode 100644 index 0000000000..f1d1447ee2 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/cose_int_signed_with_pkcs7.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/cose_multiple_signed_with_pkcs7.zip b/security/manager/ssl/tests/unit/test_signed_apps/cose_multiple_signed_with_pkcs7.zip Binary files differnew file mode 100644 index 0000000000..e695e856c3 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/cose_multiple_signed_with_pkcs7.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/cose_signed_with_pkcs7.zip b/security/manager/ssl/tests/unit/test_signed_apps/cose_signed_with_pkcs7.zip Binary files differnew file mode 100644 index 0000000000..e3ab79db2c --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/cose_signed_with_pkcs7.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/cose_tampered_good_pkcs7.zip b/security/manager/ssl/tests/unit/test_signed_apps/cose_tampered_good_pkcs7.zip Binary files differnew file mode 100644 index 0000000000..6ece7c4a12 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/cose_tampered_good_pkcs7.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/empty_signerInfos.zip b/security/manager/ssl/tests/unit/test_signed_apps/empty_signerInfos.zip Binary files differnew file mode 100644 index 0000000000..02bac29bdc --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/empty_signerInfos.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/huge_manifest.zip b/security/manager/ssl/tests/unit/test_signed_apps/huge_manifest.zip Binary files differnew file mode 100644 index 0000000000..846d36cc3f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/huge_manifest.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/moz.build b/security/manager/ssl/tests/unit/test_signed_apps/moz.build new file mode 100644 index 0000000000..8680c8d457 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/moz.build @@ -0,0 +1,78 @@ +# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*- +# vim: set filetype=python: +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +@template +def SignedAppFile(name, flags, app_directory="app/"): + if not CONFIG["COMPILE_ENVIRONMENT"]: + return + + GENERATED_FILES += [name] + props = GENERATED_FILES[name] + props.script = "/security/manager/ssl/tests/unit/sign_app.py" + props.inputs = [app_directory] + props.flags = flags + # Turn RELATIVEDIR into list entry: like + # 'security/manager/ssl/tests/unit/test_signed_apps' -> + # TEST_HARNESS_FILES.xpcshell.security.manager.ssl.tests.unit.test_signed_apps. + files = TEST_HARNESS_FILES.xpcshell + for part in RELATIVEDIR.split("/"): + files = files[part] + files += ["!%s" % name] + + +# Except for unusual testcases (unknown issuer, unsigned app, empty +# signerInfos), the naming scheme is as follows: +# app_mf{-1,-256}_sf{-1,-256}_p7{-1,-256}.zip, where: +# "mf" refers to the manifest file, "sf" refers to the signature file, +# and "p7" refers to the pkcs#7 file. The "{-1,-256}" indicates which +# hash algorithms are present in the corresponding file (both may be +# present). +# For example, "app_mf-1_sf-1-256_p7-256.zip" means that the manifest +# file has sha-1 hashes, the signature file has sha-1 hashes and sha-256 +# hashes, and the pkcs#7 file only has sha-256. +# +# Temporarily disabled. See bug 1256495. +# signed_app_files = ( +# ['unknown_issuer_app.zip', '-i', 'unknown issuer', '-p', 'sha256'], +# ['unsigned_app.zip'], +# ['empty_signerInfos.zip', '-e'], +# ) +# +# for signed_app_file_params in signed_app_files: +# SignedAppFile(signed_app_file_params[0], signed_app_file_params[1:]) +# +# for mf_algs in [['1'], ['256'], ['1', '256']]: +# for sf_algs in [['1'], ['256'], ['1', '256']]: +# for p7_algs in [['1'], ['256'], ['1', '256']]: +# filename = "app_mf-%s_sf-%s_p7-%s.zip" % ('-'.join(mf_algs), '-'.join(sf_algs), '-'.join(p7_algs)) +# args = [] +# for mf_alg in mf_algs: +# args.append('-m') +# args.append('sha%s' % mf_alg) +# for sf_alg in sf_algs: +# args.append('-s') +# args.append('sha%s' % sf_alg) +# for p7_alg in p7_algs: +# args.append('-p') +# args.append('sha%s' % p7_alg) +# SignedAppFile(filename, args) +# +# COSE test-cases +# SignedAppFile('cose_signed_with_pkcs7.zip', ['-c', 'ES256', '-p', 'sha256']) +# SignedAppFile('cose_int_signed_with_pkcs7.zip', ['-c', 'ES256', '-r', 'xpcshell signed apps test root', '-p', 'sha256']) +# SignedAppFile('cose_multiple_signed_with_pkcs7.zip', ['-c', 'ES256', '-c', 'ES384', '-p', 'sha256']) +# SignedAppFile('only_cose_signed.zip', ['-c', 'ES256']) +# SignedAppFile('only_cose_multiple_signed.zip', ['-c', 'ES384', '-c', 'ES256']) +# SignedAppFile('cose_tampered_good_pkcs7.zip', ['-m', 'sha1', '-s', 'sha1', '-p', 'sha1'], 'app_cose_tampered/') +# SignedAppFile('big_manifest.zip', ['-p', 'sha256', '--pad-headers', '2']) +# SignedAppFile('huge_manifest.zip', ['-p', 'sha256', '--pad-headers', '10']) +# SignedAppFile('validity_expired.zip', ['-c', 'ES256', '-p', 'sha256', '--cert-validity', '19700101-19701212']) +# SignedAppFile('validity_not_yet_valid.zip', ['-c', 'ES256', '-p', 'sha256', '--cert-validity', '99990101-99991212']) + +# To generate a new entry, add SignedAppFile, run mach build and copy from +# objdir/_tests/xpcshell/security/manager/ssl/tests/unit/test_signed_apps/ +# to this directory. diff --git a/security/manager/ssl/tests/unit/test_signed_apps/only_cose_multiple_signed.zip b/security/manager/ssl/tests/unit/test_signed_apps/only_cose_multiple_signed.zip Binary files differnew file mode 100644 index 0000000000..37d72ddbc0 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/only_cose_multiple_signed.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/only_cose_signed.zip b/security/manager/ssl/tests/unit/test_signed_apps/only_cose_signed.zip Binary files differnew file mode 100644 index 0000000000..d21f797b6d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/only_cose_signed.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/unknown_issuer_app.zip b/security/manager/ssl/tests/unit/test_signed_apps/unknown_issuer_app.zip Binary files differnew file mode 100644 index 0000000000..17c0063cce --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/unknown_issuer_app.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/unsigned_app.zip b/security/manager/ssl/tests/unit/test_signed_apps/unsigned_app.zip Binary files differnew file mode 100644 index 0000000000..17a0747667 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/unsigned_app.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/validity_expired.zip b/security/manager/ssl/tests/unit/test_signed_apps/validity_expired.zip Binary files differnew file mode 100644 index 0000000000..b9cc2cc31e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/validity_expired.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/validity_not_yet_valid.zip b/security/manager/ssl/tests/unit/test_signed_apps/validity_not_yet_valid.zip Binary files differnew file mode 100644 index 0000000000..f08fe14a9a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/validity_not_yet_valid.zip diff --git a/security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.der b/security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.der Binary files differnew file mode 100644 index 0000000000..3c1869b13b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.der diff --git a/security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.pem.certspec b/security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.pem.certspec new file mode 100644 index 0000000000..500c4185cd --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.pem.certspec @@ -0,0 +1,6 @@ +issuer:xpcshell signed apps test root +subject:xpcshell signed apps test root +validity:20150101-20350101 +extension:basicConstraints:cA, +extension:keyUsage:keyEncipherment,keyCertSign +extension:extKeyUsage:codeSigning diff --git a/security/manager/ssl/tests/unit/test_ssl_status.js b/security/manager/ssl/tests/unit/test_ssl_status.js new file mode 100644 index 0000000000..e8df767c85 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ssl_status.js @@ -0,0 +1,75 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. +"use strict"; + +do_get_profile(); + +function run_test() { + Services.prefs.setIntPref("security.OCSP.enabled", 1); + add_tls_server_setup("BadCertAndPinningServer", "bad_certs"); + + let fakeOCSPResponder = new HttpServer(); + fakeOCSPResponder.registerPrefixHandler("/", function (request, response) { + response.setStatusLine(request.httpVersion, 500, "Internal Server Error"); + }); + fakeOCSPResponder.start(8888); + + // Test successful connection (failedCertChain should be null, + // succeededCertChain should be set as expected) + add_connection_test( + "good.include-subdomains.pinning.example.com", + PRErrorCodeSuccess, + null, + function withSecurityInfo(aSecInfo) { + equal( + aSecInfo.failedCertChain.length, + 0, + "failedCertChain for a successful connection should be empty" + ); + ok( + areCertArraysEqual( + aSecInfo.succeededCertChain, + build_cert_chain(["default-ee", "test-ca"]) + ), + "succeededCertChain for a successful connection should be as expected" + ); + } + ); + + // Test failed connection (failedCertChain should be set as expected, + // succeededCertChain should be null) + add_connection_test( + "expired.example.com", + SEC_ERROR_EXPIRED_CERTIFICATE, + null, + function withSecurityInfo(aSecInfo) { + equal( + aSecInfo.succeededCertChain.length, + 0, + "succeededCertChain for a failed connection should be null" + ); + ok( + areCertArraysEqual( + aSecInfo.failedCertChain, + build_cert_chain(["expired-ee", "test-ca"]) + ), + "failedCertChain for a failed connection should be as expected" + ); + } + ); + + // Ensure the correct failed cert chain is set on cert override + let overrideStatus = { + failedCertChain: build_cert_chain(["expired-ee", "test-ca"]), + }; + add_cert_override_test( + "expired.example.com", + SEC_ERROR_EXPIRED_CERTIFICATE, + undefined, + overrideStatus + ); + + run_next_test(); +} diff --git a/security/manager/ssl/tests/unit/test_sss_eviction.js b/security/manager/ssl/tests/unit/test_sss_eviction.js new file mode 100644 index 0000000000..6e1e70075f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sss_eviction.js @@ -0,0 +1,41 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +// The purpose of this test is to check that a frequently visited site +// will not be evicted over an infrequently visited site. +function run_test() { + let stateFile = do_get_profile(); + stateFile.append(SSS_STATE_FILE_NAME); + // Assuming we're working with a clean slate, the file shouldn't exist + // until we create it. + ok(!stateFile.exists()); + let outputStream = FileUtils.openFileOutputStream(stateFile); + let now = new Date().getTime(); + let key = "frequentlyused.example.com"; + let value = `${now + 100000},1,0`; + append_line_to_data_storage_file(outputStream, 4, 1000, key, value); + outputStream.close(); + let siteSecurityService = Cc["@mozilla.org/ssservice;1"].getService( + Ci.nsISiteSecurityService + ); + notEqual(siteSecurityService, null); + // isSecureURI blocks until the backing data is read. + ok( + siteSecurityService.isSecureURI( + Services.io.newURI("https://frequentlyused.example.com") + ) + ); + // The storage limit is currently 2048, so this should cause evictions. + for (let i = 0; i < 3000; i++) { + let uri = Services.io.newURI("http://bad" + i + ".example.com"); + siteSecurityService.processHeader(uri, "max-age=1000"); + } + // The frequently used entry should not be evicted. + ok( + siteSecurityService.isSecureURI( + Services.io.newURI("https://frequentlyused.example.com") + ) + ); +} diff --git a/security/manager/ssl/tests/unit/test_sss_migration.js b/security/manager/ssl/tests/unit/test_sss_migration.js new file mode 100644 index 0000000000..df174ae309 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sss_migration.js @@ -0,0 +1,64 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +// The purpose of this test is to create a site security service state file +// and see that the site security service reads and migrates it properly. + +function run_test() { + let profileDir = do_get_profile(); + let stateFile = profileDir.clone(); + stateFile.append(SSS_STATE_OLD_FILE_NAME); + // Assuming we're working with a clean slate, the file shouldn't exist + // until we create it. + ok(!stateFile.exists()); + let outputStream = FileUtils.openFileOutputStream(stateFile); + let now = Date.now(); + let lines = []; + lines.push( + `no-origin-attributes.example.com:HSTS\t0\t0\t${now + 100000},1,0` + ); + lines.push(`not-hsts.example.com:HPKP\t0\t0\t${now + 100000},1,0`); + lines.push( + `with-port.example.com^partitionKey=%28http%2Cexample.com%2C8443%29:HSTS\t0\t0\t${ + now + 100000 + },1,0` + ); + for (let i = 0; lines.length < 1024; i++) { + lines.push(`filler-${i}.example.com:HPKP\t0\t0\t${now + 100000},1,0`); + } + writeLinesAndClose(lines, outputStream); + let sss = Cc["@mozilla.org/ssservice;1"].getService( + Ci.nsISiteSecurityService + ); + notEqual(sss, null); + + // nsISiteSecurityService.isSecureURI will block until the backing file is read. + ok( + sss.isSecureURI( + Services.io.newURI("https://no-origin-attributes.example.com") + ) + ); + ok(!sss.isSecureURI(Services.io.newURI("https://not-hsts.example.com"))); + ok( + sss.isSecureURI(Services.io.newURI("https://with-port.example.com"), { + partitionKey: "(http,example.com,8443)", + }) + ); + ok( + sss.isSecureURI(Services.io.newURI("https://with-port.example.com"), { + partitionKey: "(http,example.com)", + }) + ); + ok( + sss.isSecureURI(Services.io.newURI("https://with-port.example.com"), { + partitionKey: "(http,example.com,8000)", + }) + ); + ok( + sss.isSecureURI(Services.io.newURI("https://with-port.example.com"), { + partitionKey: "(https,example.com)", + }) + ); +} diff --git a/security/manager/ssl/tests/unit/test_sss_originAttributes.js b/security/manager/ssl/tests/unit/test_sss_originAttributes.js new file mode 100644 index 0000000000..9c127adcec --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sss_originAttributes.js @@ -0,0 +1,105 @@ +/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- + * vim: sw=2 ts=2 sts=2 + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +"use strict"; + +// Ensures nsISiteSecurityService APIs respects origin attributes. + +const GOOD_MAX_AGE_SECONDS = 69403; +const GOOD_MAX_AGE = `max-age=${GOOD_MAX_AGE_SECONDS};`; + +do_get_profile(); // must be done before instantiating nsIX509CertDB + +let sss = Cc["@mozilla.org/ssservice;1"].getService(Ci.nsISiteSecurityService); +let host = "a.pinning.example.com"; +let uri = Services.io.newURI("https://" + host); + +// Check if originAttributes1 and originAttributes2 are isolated with respect +// to HSTS storage. +function doTest(originAttributes1, originAttributes2, shouldShare) { + sss.clearAll(); + let header = GOOD_MAX_AGE; + // Set HSTS for originAttributes1. + sss.processHeader(uri, header, originAttributes1); + ok( + sss.isSecureURI(uri, originAttributes1), + "URI should be secure given original origin attributes" + ); + equal( + sss.isSecureURI(uri, originAttributes2), + shouldShare, + "URI should be secure given different origin attributes if and " + + "only if shouldShare is true" + ); + + if (!shouldShare) { + // Remove originAttributes2 from the storage. + sss.resetState(uri, originAttributes2); + ok( + sss.isSecureURI(uri, originAttributes1), + "URI should still be secure given original origin attributes" + ); + } + + // Remove originAttributes1 from the storage. + sss.resetState(uri, originAttributes1); + ok( + !sss.isSecureURI(uri, originAttributes1), + "URI should not be secure after removeState" + ); + + sss.clearAll(); +} + +function testInvalidOriginAttributes(originAttributes) { + let header = GOOD_MAX_AGE; + + let callbacks = [ + () => sss.processHeader(uri, header, originAttributes), + () => sss.isSecureURI(uri, originAttributes), + () => sss.resetState(uri, originAttributes), + ]; + + for (let callback of callbacks) { + throws( + callback, + /NS_ERROR_ILLEGAL_VALUE/, + "Should get an error with invalid origin attributes" + ); + } +} + +function run_test() { + sss.clearAll(); + + let originAttributesList = []; + for (let userContextId of [0, 1, 2]) { + for (let firstPartyDomain of ["", "foo.com", "bar.com"]) { + originAttributesList.push({ userContextId, firstPartyDomain }); + } + } + for (let attrs1 of originAttributesList) { + for (let attrs2 of originAttributesList) { + // SSS storage is not isolated by userContext + doTest( + attrs1, + attrs2, + attrs1.firstPartyDomain == attrs2.firstPartyDomain + ); + } + } + + doTest( + { partitionKey: "(http,example.com,8443)" }, + { partitionKey: "(https,example.com)" }, + true + ); + + testInvalidOriginAttributes(undefined); + testInvalidOriginAttributes(null); + testInvalidOriginAttributes(1); + testInvalidOriginAttributes("foo"); +} diff --git a/security/manager/ssl/tests/unit/test_sss_readstate.js b/security/manager/ssl/tests/unit/test_sss_readstate.js new file mode 100644 index 0000000000..3c78b96ebc --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sss_readstate.js @@ -0,0 +1,141 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +// The purpose of this test is to create a site security service state file +// and see that the site security service reads it properly. + +function run_test() { + let stateFile = do_get_profile(); + stateFile.append(SSS_STATE_FILE_NAME); + // Assuming we're working with a clean slate, the file shouldn't exist + // until we create it. + ok(!stateFile.exists()); + let outputStream = FileUtils.openFileOutputStream(stateFile); + let now = Date.now(); + let keyValuePairs = [ + { key: "expired.example.com", value: `${now - 100000},1,0` }, + { key: "notexpired.example.com", value: `${now + 100000},1,0` }, + // This overrides an entry on the preload list. + { key: "includesubdomains.preloaded.test", value: `${now + 100000},1,0` }, + { key: "incsubdomain.example.com", value: `${now + 100000},1,1` }, + // This overrides an entry on the preload list. + { key: "includesubdomains2.preloaded.test", value: "0,2,0" }, + ]; + for (let keyValuePair of keyValuePairs) { + append_line_to_data_storage_file( + outputStream, + 1, + 1, + keyValuePair.key, + keyValuePair.value + ); + } + // Append a line with a bad checksum. + append_line_to_data_storage_file( + outputStream, + 1, + 1, + "badchecksum.example.com", + `${now + 100000},1,0`, + 24, + true + ); + outputStream.close(); + let siteSecurityService = Cc["@mozilla.org/ssservice;1"].getService( + Ci.nsISiteSecurityService + ); + notEqual(siteSecurityService, null); + + // The backing data storage will block until the background task that reads + // the backing file has finished. + ok( + !siteSecurityService.isSecureURI( + Services.io.newURI("https://expired.example.com") + ) + ); + ok( + siteSecurityService.isSecureURI( + Services.io.newURI("https://notexpired.example.com") + ) + ); + ok( + siteSecurityService.isSecureURI( + Services.io.newURI("https://includesubdomains.preloaded.test") + ) + ); + ok( + !siteSecurityService.isSecureURI( + Services.io.newURI("https://sub.includesubdomains.preloaded.test") + ) + ); + ok( + siteSecurityService.isSecureURI( + Services.io.newURI("https://incsubdomain.example.com") + ) + ); + ok( + siteSecurityService.isSecureURI( + Services.io.newURI("https://sub.incsubdomain.example.com") + ) + ); + ok( + !siteSecurityService.isSecureURI( + Services.io.newURI("https://includesubdomains2.preloaded.test") + ) + ); + ok( + !siteSecurityService.isSecureURI( + Services.io.newURI("https://sub.includesubdomains2.preloaded.test") + ) + ); + + // Clearing the data should make everything go back to default. + siteSecurityService.clearAll(); + ok( + !siteSecurityService.isSecureURI( + Services.io.newURI("https://expired.example.com") + ) + ); + ok( + !siteSecurityService.isSecureURI( + Services.io.newURI("https://notexpired.example.com") + ) + ); + ok( + siteSecurityService.isSecureURI( + Services.io.newURI("https://includesubdomains.preloaded.test") + ) + ); + ok( + siteSecurityService.isSecureURI( + Services.io.newURI("https://sub.includesubdomains.preloaded.test") + ) + ); + ok( + !siteSecurityService.isSecureURI( + Services.io.newURI("https://incsubdomain.example.com") + ) + ); + ok( + !siteSecurityService.isSecureURI( + Services.io.newURI("https://sub.incsubdomain.example.com") + ) + ); + ok( + siteSecurityService.isSecureURI( + Services.io.newURI("https://includesubdomains2.preloaded.test") + ) + ); + ok( + siteSecurityService.isSecureURI( + Services.io.newURI("https://sub.includesubdomains2.preloaded.test") + ) + ); + ok( + !siteSecurityService.isSecureURI( + Services.io.newURI("https://badchecksum.example.com") + ) + ); +} diff --git a/security/manager/ssl/tests/unit/test_sss_readstate_empty.js b/security/manager/ssl/tests/unit/test_sss_readstate_empty.js new file mode 100644 index 0000000000..76f073e998 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sss_readstate_empty.js @@ -0,0 +1,43 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +// The purpose of this test is to create an empty site security service state +// file and see that the site security service doesn't fail when reading it. + +function run_test() { + let profileDir = do_get_profile(); + let stateFile = profileDir.clone(); + stateFile.append(SSS_STATE_FILE_NAME); + // Assuming we're working with a clean slate, the file shouldn't exist + // until we create it. + ok(!stateFile.exists()); + stateFile.create(Ci.nsIFile.NORMAL_FILE_TYPE, 0x1a4); // 0x1a4 == 0o644 + ok(stateFile.exists()); + // Initialize nsISiteSecurityService after do_get_profile() so it + // can read the state file. + let siteSecurityService = Cc["@mozilla.org/ssservice;1"].getService( + Ci.nsISiteSecurityService + ); + notEqual(siteSecurityService, null); + // nsISiteSecurityService.isSecureURI blocks until the backing file has been read. + // nonexistent.example.com should never be an HSTS host + ok( + !siteSecurityService.isSecureURI( + Services.io.newURI("https://nonexistent.example.com") + ) + ); + ok( + siteSecurityService.isSecureURI( + Services.io.newURI("https://includesubdomains.preloaded.test") + ) + ); + // notexpired.example.com is an HSTS host in a different test - we + // want to make sure that test hasn't interfered with this one. + ok( + !siteSecurityService.isSecureURI( + Services.io.newURI("https://notexpired.example.com") + ) + ); +} diff --git a/security/manager/ssl/tests/unit/test_sss_readstate_garbage.js b/security/manager/ssl/tests/unit/test_sss_readstate_garbage.js new file mode 100644 index 0000000000..794a402702 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sss_readstate_garbage.js @@ -0,0 +1,77 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +// The purpose of this test is to create a mostly bogus old site security +// service state file and see that the site security service migrates it +// to the new format properly, discarding invalid data. + +function run_test() { + let profileDir = do_get_profile(); + let stateFile = profileDir.clone(); + stateFile.append(SSS_STATE_OLD_FILE_NAME); + // Assuming we're working with a clean slate, the file shouldn't exist + // until we create it. + ok(!stateFile.exists()); + let outputStream = FileUtils.openFileOutputStream(stateFile); + let expiryTime = Date.now() + 100000; + let lines = [ + // General state file entry tests. + `example1.example.com\t0\t0\t${expiryTime},1,0`, + "I'm a lumberjack and I'm okay; I work all night and I sleep all day!", + "This is a totally bogus entry\t", + "0\t0\t0\t0\t", + "\t\t\t\t\t\t\t", + "example.com\t\t\t\t\t\t\t", + "example3.example.com\t0\t\t\t\t\t\t", + `example2.example.com\t0\t0\t${expiryTime},1,0`, + // HSTS state string parsing tests + `extra.comma.example.com\t0\t0\t${expiryTime},,1,0`, + "empty.statestring.example.com\t0\t0\t", + "rubbish.statestring.example.com\t0\t0\tfoobar", + `spaces.statestring.example.com\t0\t0\t${expiryTime}, 1,0 `, + `invalid.expirytime.example.com\t0\t0\t${expiryTime}foo123,1,0`, + `text.securitypropertystate.example.com\t0\t0\t${expiryTime},1foo,0`, + `invalid.securitypropertystate.example.com\t0\t0\t${expiryTime},999,0`, + `text.includesubdomains.example.com\t0\t0\t${expiryTime},1,1foo`, + `invalid.includesubdomains.example.com\t0\t0\t${expiryTime},1,0foo`, + ]; + writeLinesAndClose(lines, outputStream); + + let siteSecurityService = Cc["@mozilla.org/ssservice;1"].getService( + Ci.nsISiteSecurityService + ); + notEqual(siteSecurityService, null); + + const HSTS_HOSTS = [ + "https://example1.example.com", + "https://example2.example.com", + ]; + for (let host of HSTS_HOSTS) { + ok( + siteSecurityService.isSecureURI(Services.io.newURI(host)), + `${host} should be HSTS enabled` + ); + } + + const NOT_HSTS_HOSTS = [ + "https://example.com", + "https://example3.example.com", + "https://extra.comma.example.com", + "https://empty.statestring.example.com", + "https://rubbish.statestring.example.com", + "https://spaces.statestring.example.com", + "https://invalid.expirytime.example.com", + "https://text.securitypropertystate.example.com", + "https://invalid.securitypropertystate.example.com", + "https://text.includesubdomains.example.com", + "https://invalid.includesubdomains.example.com", + ]; + for (let host of NOT_HSTS_HOSTS) { + ok( + !siteSecurityService.isSecureURI(Services.io.newURI(host)), + `${host} should not be HSTS enabled` + ); + } +} diff --git a/security/manager/ssl/tests/unit/test_sss_readstate_huge.js b/security/manager/ssl/tests/unit/test_sss_readstate_huge.js new file mode 100644 index 0000000000..50b4f2198c --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sss_readstate_huge.js @@ -0,0 +1,72 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +// The purpose of this test is to create an old site security service state +// file that is too large and see that the site security service migrates it to +// the new format properly. + +function run_test() { + let profileDir = do_get_profile(); + let stateFile = profileDir.clone(); + stateFile.append(SSS_STATE_OLD_FILE_NAME); + // Assuming we're working with a clean slate, the file shouldn't exist + // until we create it. + ok(!stateFile.exists()); + let outputStream = FileUtils.openFileOutputStream(stateFile); + let expiryTime = Date.now() + 100000; + let lines = []; + for (let i = 0; i < 10000; i++) { + // The 0s will all get squashed down into one 0 when they are read. + // This is just to make the file size large (>2MB). + lines.push( + `example${i}.example.com\t` + + "0000000000000000000000000000000000000000000000000\t" + + "00000000000000000000000000000000000000\t" + + `${expiryTime},1,0` + ); + } + writeLinesAndClose(lines, outputStream); + + let siteSecurityService = Cc["@mozilla.org/ssservice;1"].getService( + Ci.nsISiteSecurityService + ); + notEqual(siteSecurityService, null); + + ok( + siteSecurityService.isSecureURI( + Services.io.newURI("https://example0.example.com") + ) + ); + ok( + siteSecurityService.isSecureURI( + Services.io.newURI("https://example423.example.com") + ) + ); + ok( + siteSecurityService.isSecureURI( + Services.io.newURI("https://example1023.example.com") + ) + ); + ok( + !siteSecurityService.isSecureURI( + Services.io.newURI("https://example1024.example.com") + ) + ); + ok( + !siteSecurityService.isSecureURI( + Services.io.newURI("https://example1025.example.com") + ) + ); + ok( + !siteSecurityService.isSecureURI( + Services.io.newURI("https://example9000.example.com") + ) + ); + ok( + !siteSecurityService.isSecureURI( + Services.io.newURI("https://example99999.example.com") + ) + ); +} diff --git a/security/manager/ssl/tests/unit/test_sss_resetState.js b/security/manager/ssl/tests/unit/test_sss_resetState.js new file mode 100644 index 0000000000..4a667c05f0 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sss_resetState.js @@ -0,0 +1,62 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +"use strict"; + +// Tests that resetting HSTS state in the way the "forget about this site" +// functionality does works as expected for preloaded and non-preloaded sites. + +do_get_profile(); + +var gSSService = Cc["@mozilla.org/ssservice;1"].getService( + Ci.nsISiteSecurityService +); + +function test_removeState(originAttributes) { + info(`running test_removeState(originAttributes=${originAttributes})`); + // Simulate visiting a non-preloaded site by processing an HSTS header check + // that the HSTS bit gets set, simulate "forget about this site" (call + // removeState), and then check that the HSTS bit isn't set. + let notPreloadedURI = Services.io.newURI("https://not-preloaded.example.com"); + ok(!gSSService.isSecureURI(notPreloadedURI, originAttributes)); + gSSService.processHeader(notPreloadedURI, "max-age=1000;", originAttributes); + ok(gSSService.isSecureURI(notPreloadedURI, originAttributes)); + gSSService.resetState(notPreloadedURI, originAttributes); + ok(!gSSService.isSecureURI(notPreloadedURI, originAttributes)); + + // Simulate visiting a non-preloaded site that unsets HSTS by processing + // an HSTS header with "max-age=0", check that the HSTS bit isn't + // set, simulate "forget about this site" (call removeState), and then check + // that the HSTS bit isn't set. + gSSService.processHeader(notPreloadedURI, "max-age=0;", originAttributes); + ok(!gSSService.isSecureURI(notPreloadedURI, originAttributes)); + gSSService.resetState(notPreloadedURI, originAttributes); + ok(!gSSService.isSecureURI(notPreloadedURI, originAttributes)); + + // Simulate visiting a preloaded site by processing an HSTS header, check + // that the HSTS bit is still set, simulate "forget about this site" + // (call removeState), and then check that the HSTS bit is still set. + let preloadedHost = "includesubdomains.preloaded.test"; + let preloadedURI = Services.io.newURI(`https://${preloadedHost}`); + ok(gSSService.isSecureURI(preloadedURI, originAttributes)); + gSSService.processHeader(preloadedURI, "max-age=1000;", originAttributes); + ok(gSSService.isSecureURI(preloadedURI, originAttributes)); + gSSService.resetState(preloadedURI, originAttributes); + ok(gSSService.isSecureURI(preloadedURI, originAttributes)); + + // Simulate visiting a preloaded site that unsets HSTS by processing an + // HSTS header with "max-age=0", check that the HSTS bit is what we + // expect (see below), simulate "forget about this site" (call removeState), + // and then check that the HSTS bit is set. + gSSService.processHeader(preloadedURI, "max-age=0;", originAttributes); + ok(!gSSService.isSecureURI(preloadedURI, originAttributes)); + gSSService.resetState(preloadedURI, originAttributes); + ok(gSSService.isSecureURI(preloadedURI, originAttributes)); +} + +function run_test() { + test_removeState({}); + test_removeState({ privateBrowsingId: 1 }); +} diff --git a/security/manager/ssl/tests/unit/test_sss_sanitizeOnShutdown.js b/security/manager/ssl/tests/unit/test_sss_sanitizeOnShutdown.js new file mode 100644 index 0000000000..e462eb78f4 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sss_sanitizeOnShutdown.js @@ -0,0 +1,59 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +// The purpose of this test is to ensure that Firefox sanitizes site security +// service data on shutdown if configured to do so. + +ChromeUtils.defineESModuleGetters(this, { + Sanitizer: "resource:///modules/Sanitizer.sys.mjs", + TestUtils: "resource://testing-common/TestUtils.sys.mjs", +}); + +Sanitizer.onStartup(); + +// This helps us away from test timed out. If service worker manager(swm) hasn't +// been initilaized before profile-change-teardown, this test would fail due to +// the shutdown blocker added by swm. Normally, swm should be initialized before +// that and the similar crash signatures are fixed. So, assume this cannot +// happen in the real world and initilaize swm here as a workaround. +Cc["@mozilla.org/serviceworkers/manager;1"].getService( + Ci.nsIServiceWorkerManager +); + +add_task(async function run_test() { + do_get_profile(); + let SSService = Cc["@mozilla.org/ssservice;1"].getService( + Ci.nsISiteSecurityService + ); + let header = "max-age=50000"; + SSService.processHeader(Services.io.newURI("https://example.com"), header); + await TestUtils.waitForCondition(() => { + let stateFileContents = get_data_storage_contents(SSS_STATE_FILE_NAME); + return stateFileContents + ? stateFileContents.includes("example.com") + : false; + }); + + // Configure Firefox to clear this data on shutdown. + Services.prefs.setBoolPref( + Sanitizer.PREF_SHUTDOWN_BRANCH + "siteSettings", + true + ); + Services.prefs.setBoolPref(Sanitizer.PREF_SANITIZE_ON_SHUTDOWN, true); + + // Simulate shutdown. + Services.startup.advanceShutdownPhase( + Services.startup.SHUTDOWN_PHASE_APPSHUTDOWNTEARDOWN + ); + Services.startup.advanceShutdownPhase( + Services.startup.SHUTDOWN_PHASE_APPSHUTDOWN + ); + + await TestUtils.waitForCondition(() => { + let stateFile = do_get_profile(); + stateFile.append(SSS_STATE_FILE_NAME); + return !stateFile.exists(); + }); +}); diff --git a/security/manager/ssl/tests/unit/test_sss_savestate.js b/security/manager/ssl/tests/unit/test_sss_savestate.js new file mode 100644 index 0000000000..6963f18d81 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sss_savestate.js @@ -0,0 +1,91 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +// The purpose of this test is to see that the site security service properly +// writes its state file. + +ChromeUtils.defineESModuleGetters(this, { + TestUtils: "resource://testing-common/TestUtils.sys.mjs", +}); + +const EXPECTED_ENTRIES = 5; +const EXPECTED_HSTS_COLUMNS = 3; + +function contents_is_as_expected() { + // The file consists of a series of [score][last accessed][key][value], where + // score and last accessed are 2 bytes big-endian, key is 0-padded to 256 + // bytes, and value is 0-padded to 24 bytes. + // Each score will be 1, and last accessed is some number of days (>255) + // since the epoch, so there will be 3 non-0 bytes just in front of the key. + // Splitting by 0 and filtering out zero-length strings will result in a series of + // [BBBkey1, value1, BBBkey2, value2, ...], where "BBB" are the score and + // last accessed bytes, which are ignored here. + let contents = get_data_storage_contents(SSS_STATE_FILE_NAME); + if (!contents) { + return false; + } + let keysAndValues = contents.split("\0").filter(s => !!s.length); + let keys = keysAndValues + .filter((_, i) => i % 2 == 0) + .map(key => key.substring(3)); + let values = keysAndValues.filter((_, i) => i % 2 == 1); + + if (keys.length != EXPECTED_ENTRIES || values.length != EXPECTED_ENTRIES) { + return false; + } + + let sites = {}; // a map of domain name -> [the entry in the state file] + for (let i in keys) { + let host = keys[i]; + let entry = values[i].split(","); + equal(entry.length, EXPECTED_HSTS_COLUMNS); + sites[host] = entry; + } + + // each sites[url][1] should be SecurityPropertySet (i.e. 1). + // sites[url][2] corresponds to includeSubdomains, so every other one should + // be set (i.e. 1); + return ( + sites["includesubdomains.preloaded.test"][1] == 1 && + sites["includesubdomains.preloaded.test"][2] == 0 && + sites["a.example.com"][1] == 1 && + sites["a.example.com"][2] == 1 && + sites["b.example.com"][1] == 1 && + sites["b.example.com"][2] == 0 && + sites["c.c.example.com"][1] == 1 && + sites["c.c.example.com"][2] == 1 && + sites["d.example.com"][1] == 1 && + sites["d.example.com"][2] == 0 + ); +} + +function process_headers() { + let SSService = Cc["@mozilla.org/ssservice;1"].getService( + Ci.nsISiteSecurityService + ); + + let uris = [ + Services.io.newURI("http://includesubdomains.preloaded.test"), + Services.io.newURI("http://a.example.com"), + Services.io.newURI("http://b.example.com"), + Services.io.newURI("http://c.c.example.com"), + Services.io.newURI("http://d.example.com"), + ]; + + for (let i = 0; i < 1000; i++) { + let uriIndex = i % uris.length; + // vary max-age, but have it be within one day of one year + let maxAge = "max-age=" + (i + 31536000); + // have every other URI set includeSubdomains + let includeSubdomains = uriIndex % 2 == 1 ? "; includeSubdomains" : ""; + SSService.processHeader(uris[uriIndex], maxAge + includeSubdomains); + } +} + +function run_test() { + do_get_profile(); + process_headers(); + TestUtils.waitForCondition(contents_is_as_expected); +} diff --git a/security/manager/ssl/tests/unit/test_sts_fqdn.js b/security/manager/ssl/tests/unit/test_sts_fqdn.js new file mode 100644 index 0000000000..3c136a9d99 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sts_fqdn.js @@ -0,0 +1,40 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + */ +"use strict"; + +function run_test() { + let SSService = Cc["@mozilla.org/ssservice;1"].getService( + Ci.nsISiteSecurityService + ); + let uri = Services.io.newURI("https://example.com"); + let uri1 = Services.io.newURI("https://example.com."); + let uri2 = Services.io.newURI("https://example.com.."); + ok(!SSService.isSecureURI(uri)); + ok(!SSService.isSecureURI(uri1)); + // These cases are only relevant as long as bug 1118522 hasn't been fixed. + ok(!SSService.isSecureURI(uri2)); + + SSService.processHeader(uri, "max-age=1000;includeSubdomains"); + ok(SSService.isSecureURI(uri)); + ok(SSService.isSecureURI(uri1)); + ok(SSService.isSecureURI(uri2)); + + SSService.resetState(uri); + ok(!SSService.isSecureURI(uri)); + ok(!SSService.isSecureURI(uri1)); + ok(!SSService.isSecureURI(uri2)); + + // Somehow creating this malformed URI succeeds - we need to handle it + // gracefully. + uri = Services.io.newURI("https://../foo"); + equal(uri.host, ".."); + throws( + () => { + SSService.isSecureURI(uri); + }, + /NS_ERROR_UNEXPECTED/, + "Malformed URI should be rejected" + ); +} diff --git a/security/manager/ssl/tests/unit/test_sts_ipv4_ipv6.js b/security/manager/ssl/tests/unit/test_sts_ipv4_ipv6.js new file mode 100644 index 0000000000..4ffac59356 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sts_ipv4_ipv6.js @@ -0,0 +1,55 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. +"use strict"; + +function check_ip(s, v, ip) { + let str = "https://"; + if (v == 6) { + str += "["; + } + str += ip; + if (v == 6) { + str += "]"; + } + str += "/"; + + let uri = Services.io.newURI(str); + ok(!s.isSecureURI(uri)); + + let parsedMaxAge = {}; + let parsedIncludeSubdomains = {}; + s.processHeader( + uri, + "max-age=1000;includeSubdomains", + {}, + parsedMaxAge, + parsedIncludeSubdomains + ); + ok( + !s.isSecureURI(uri), + "URI should not be secure if it contains an IP address" + ); + + /* Test that processHeader will ignore headers for an uri, if the uri + * contains an IP address not a hostname. + * If processHeader indeed ignore the header, then the output parameters will + * remain empty, and we shouldn't see the values passed as the header. + */ + notEqual(parsedMaxAge.value, 1000); + notEqual(parsedIncludeSubdomains.value, true); + notEqual(parsedMaxAge.value, undefined); + notEqual(parsedIncludeSubdomains.value, undefined); +} + +function run_test() { + let SSService = Cc["@mozilla.org/ssservice;1"].getService( + Ci.nsISiteSecurityService + ); + + check_ip(SSService, 4, "127.0.0.1"); + check_ip(SSService, 4, "10.0.0.1"); + check_ip(SSService, 6, "2001:db8::1"); + check_ip(SSService, 6, "1080::8:800:200C:417A"); +} diff --git a/security/manager/ssl/tests/unit/test_sts_parser.js b/security/manager/ssl/tests/unit/test_sts_parser.js new file mode 100644 index 0000000000..3d99a44e79 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sts_parser.js @@ -0,0 +1,126 @@ +/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- + * vim: sw=2 ts=2 sts=2 + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +"use strict"; + +// STS parser tests + +let sss = Cc["@mozilla.org/ssservice;1"].getService(Ci.nsISiteSecurityService); + +function testSuccess(header, expectedMaxAge, expectedIncludeSubdomains) { + let dummyUri = Services.io.newURI("https://foo.com/bar.html"); + let maxAge = {}; + let includeSubdomains = {}; + + sss.processHeader(dummyUri, header, {}, maxAge, includeSubdomains); + + equal(maxAge.value, expectedMaxAge, "Did not correctly parse maxAge"); + equal( + includeSubdomains.value, + expectedIncludeSubdomains, + "Did not correctly parse presence/absence of includeSubdomains" + ); +} + +function testFailure(header) { + let dummyUri = Services.io.newURI("https://foo.com/bar.html"); + let maxAge = {}; + let includeSubdomains = {}; + + throws( + () => { + sss.processHeader(dummyUri, header, {}, maxAge, includeSubdomains); + }, + /NS_ERROR_FAILURE/, + "Parsed invalid header: " + header + ); +} + +function run_test() { + // SHOULD SUCCEED: + testSuccess("max-age=100", 100, false); + testSuccess("max-age =100", 100, false); + testSuccess(" max-age=100", 100, false); + testSuccess("max-age = 100 ", 100, false); + testSuccess('max-age = "100" ', 100, false); + testSuccess('max-age="100"', 100, false); + testSuccess(' max-age ="100" ', 100, false); + testSuccess('\tmax-age\t=\t"100"\t', 100, false); + testSuccess("max-age = 100 ", 100, false); + + testSuccess("maX-aGe=100", 100, false); + testSuccess("MAX-age =100", 100, false); + testSuccess("max-AGE=100", 100, false); + testSuccess("Max-Age = 100 ", 100, false); + testSuccess("MAX-AGE = 100 ", 100, false); + + testSuccess("max-age=100;includeSubdomains", 100, true); + testSuccess("max-age=100\t; includeSubdomains", 100, true); + testSuccess(" max-age=100; includeSubdomains", 100, true); + testSuccess("max-age = 100 ; includeSubdomains", 100, true); + testSuccess( + "max-age = 100 ; includeSubdomains", + 100, + true + ); + + testSuccess("maX-aGe=100; includeSUBDOMAINS", 100, true); + testSuccess("MAX-age =100; includeSubDomains", 100, true); + testSuccess("max-AGE=100; iNcLuDeSuBdoMaInS", 100, true); + testSuccess("Max-Age = 100; includesubdomains ", 100, true); + testSuccess("INCLUDESUBDOMAINS;MaX-AgE = 100 ", 100, true); + // Turns out, the actual directive is entirely optional (hence the + // trailing semicolon) + testSuccess("max-age=100;includeSubdomains;", 100, true); + + // these are weird tests, but are testing that some extended syntax is + // still allowed (but it is ignored) + testSuccess("max-age=100 ; includesubdomainsSomeStuff", 100, false); + testSuccess( + "\r\n\t\t \tcompletelyUnrelated = foobar; max-age= 34520103" + + "\t \t; alsoUnrelated;asIsThis;\tincludeSubdomains\t\t \t", + 34520103, + true + ); + testSuccess('max-age=100; unrelated="quoted \\"thingy\\""', 100, false); + + // Test a max-age greater than 100 years. It will be capped at 100 years. + testSuccess("max-age=4294967296", 60 * 60 * 24 * 365 * 100, false); + + // SHOULD FAIL: + // invalid max-ages + testFailure("max-age"); + testFailure("max-age "); + testFailure("max-age=p"); + testFailure("max-age=*1p2"); + testFailure("max-age=.20032"); + testFailure("max-age=!20032"); + testFailure("max-age==20032"); + + // invalid headers + testFailure("foobar"); + testFailure("maxage=100"); + testFailure("maxa-ge=100"); + testFailure("max-ag=100"); + testFailure("includesubdomains"); + testFailure(";"); + testFailure('max-age="100'); + // The max-age directive here doesn't conform to the spec, so it MUST + // be ignored. Consequently, the REQUIRED max-age directive is not + // present in this header, and so it is invalid. + testFailure("max-age=100, max-age=200; includeSubdomains"); + testFailure("max-age=100 includesubdomains"); + testFailure("max-age=100 bar foo"); + testFailure("max-age=100randomstuffhere"); + // All directives MUST appear only once in an STS header field. + testFailure("max-age=100; max-age=200"); + testFailure("includeSubdomains; max-age=200; includeSubdomains"); + testFailure("max-age=200; includeSubdomains; includeSubdomains"); + // The includeSubdomains directive is valueless. + testFailure("max-age=100; includeSubdomains=unexpected"); + // LWS must have at least one space or horizontal tab + testFailure("\r\nmax-age=200"); +} diff --git a/security/manager/ssl/tests/unit/test_sts_preloadlist_perwindowpb.js b/security/manager/ssl/tests/unit/test_sts_preloadlist_perwindowpb.js new file mode 100644 index 0000000000..6b1b4a5ba6 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sts_preloadlist_perwindowpb.js @@ -0,0 +1,269 @@ +"use strict"; + +var gSSService = Cc["@mozilla.org/ssservice;1"].getService( + Ci.nsISiteSecurityService +); + +function Observer() {} +Observer.prototype = { + observe(subject, topic, data) { + if (topic == "last-pb-context-exited") { + run_next_test(); + } + }, +}; + +var gObserver = new Observer(); + +function cleanup() { + Services.obs.removeObserver(gObserver, "last-pb-context-exited"); + gSSService.clearAll(); +} + +function run_test() { + do_get_profile(); + + registerCleanupFunction(cleanup); + Services.obs.addObserver(gObserver, "last-pb-context-exited"); + + add_test(test_part1); + add_test(test_private_browsing1); + add_test(test_private_browsing2); + + run_next_test(); +} + +function test_part1() { + // check that a host not in the list is not identified as an sts host + ok( + !gSSService.isSecureURI( + Services.io.newURI("https://nonexistent.example.com") + ) + ); + + // check that an ancestor domain is not identified as an sts host + ok(!gSSService.isSecureURI(Services.io.newURI("https://com"))); + + // check that the pref to toggle using the preload list works + Services.prefs.setBoolPref( + "network.stricttransportsecurity.preloadlist", + false + ); + ok( + !gSSService.isSecureURI( + Services.io.newURI("https://includesubdomains.preloaded.test") + ) + ); + Services.prefs.setBoolPref( + "network.stricttransportsecurity.preloadlist", + true + ); + ok( + gSSService.isSecureURI( + Services.io.newURI("https://includesubdomains.preloaded.test") + ) + ); + + // check that a subdomain is an sts host (includeSubdomains is set) + ok( + gSSService.isSecureURI( + Services.io.newURI("https://subdomain.includesubdomains.preloaded.test") + ) + ); + + // check that another subdomain is an sts host (includeSubdomains is set) + ok( + gSSService.isSecureURI( + Services.io.newURI("https://a.b.c.def.includesubdomains.preloaded.test") + ) + ); + + // check that a subdomain is not an sts host (includeSubdomains is not set) + ok( + !gSSService.isSecureURI( + Services.io.newURI("https://subdomain.noincludesubdomains.preloaded.test") + ) + ); + + // check that a host with a dot on the end won't break anything + ok( + !gSSService.isSecureURI( + Services.io.newURI("https://notsts.nonexistent.example.com.") + ) + ); + + // check that processing a header with max-age: 0 will remove a preloaded + // site from the list + let uri = Services.io.newURI("https://includesubdomains.preloaded.test"); + let subDomainUri = Services.io.newURI( + "https://subdomain.includesubdomains.preloaded.test" + ); + gSSService.processHeader(uri, "max-age=0"); + ok(!gSSService.isSecureURI(uri)); + ok(!gSSService.isSecureURI(subDomainUri)); + // check that processing another header (with max-age non-zero) will + // re-enable a site's sts status + gSSService.processHeader(uri, "max-age=1000"); + ok(gSSService.isSecureURI(uri)); + // but this time include subdomains was not set, so test for that + ok(!gSSService.isSecureURI(subDomainUri)); + gSSService.clearAll(); + + // check that processing a header with max-age: 0 from a subdomain of a site + // will not remove that (ancestor) site from the list + uri = Services.io.newURI( + "https://subdomain.noincludesubdomains.preloaded.test" + ); + gSSService.processHeader(uri, "max-age=0"); + ok( + gSSService.isSecureURI( + Services.io.newURI("https://noincludesubdomains.preloaded.test") + ) + ); + ok(!gSSService.isSecureURI(uri)); + + uri = Services.io.newURI( + "https://subdomain.includesubdomains.preloaded.test" + ); + gSSService.processHeader(uri, "max-age=0"); + // we received a header with "max-age=0", so we have "no information" + // regarding the sts state of subdomain.includesubdomains.preloaded.test specifically, + // but it is actually still an STS host, because of the preloaded + // includesubdomains.preloaded.test including subdomains. + // Here's a drawing: + // |-- includesubdomains.preloaded.test (in preload list, includes subdomains) IS sts host + // |-- subdomain.includesubdomains.preloaded.test IS sts host + // | `-- another.subdomain.includesubdomains.preloaded.test IS sts host + // `-- sibling.includesubdomains.preloaded.test IS sts host + ok( + gSSService.isSecureURI( + Services.io.newURI("https://includesubdomains.preloaded.test") + ) + ); + ok( + gSSService.isSecureURI( + Services.io.newURI("https://subdomain.includesubdomains.preloaded.test") + ) + ); + ok( + gSSService.isSecureURI( + Services.io.newURI("https://sibling.includesubdomains.preloaded.test") + ) + ); + ok( + gSSService.isSecureURI( + Services.io.newURI( + "https://another.subdomain.includesubdomains.preloaded.test" + ) + ) + ); + + gSSService.processHeader(uri, "max-age=1000"); + // Here's what we have now: + // |-- includesubdomains.preloaded.test (in preload list, includes subdomains) IS sts host + // |-- subdomain.includesubdomains.preloaded.test (include subdomains is false) IS sts host + // | `-- another.subdomain.includesubdomains.preloaded.test IS sts host + // `-- sibling.includesubdomains.preloaded.test IS sts host + // Note that another.subdomain.includesubdomains.preloaded.test IS still an sts host, because + // there exists a superdomain that is sts and asserts includeSubdomains (namely, + // includesubdomains.preloaded.test) + ok( + gSSService.isSecureURI( + Services.io.newURI("https://subdomain.includesubdomains.preloaded.test") + ) + ); + ok( + gSSService.isSecureURI( + Services.io.newURI("https://sibling.includesubdomains.preloaded.test") + ) + ); + ok( + gSSService.isSecureURI( + Services.io.newURI( + "https://another.subdomain.includesubdomains.preloaded.test" + ) + ) + ); + + // Test that an expired non-private browsing entry results in correctly + // identifying a host that is on the preload list as no longer sts. + // (This happens when we're in regular browsing mode, we get a header from + // a site on the preload list, and that header later expires. We need to + // then treat that host as no longer an sts host.) + // (sanity check first - this should be in the preload list) + uri = Services.io.newURI("https://includesubdomains2.preloaded.test"); + ok(gSSService.isSecureURI(uri)); + gSSService.processHeader(uri, "max-age=1"); + do_timeout(1250, function () { + ok(!gSSService.isSecureURI(uri)); + run_next_test(); + }); +} + +const PRIVATE_ORIGIN_ATTRIBUTES = { privateBrowsingId: 1 }; + +function test_private_browsing1() { + gSSService.clearAll(); + let uri = Services.io.newURI("https://includesubdomains.preloaded.test"); + let subDomainUri = Services.io.newURI( + "https://a.b.c.subdomain.includesubdomains.preloaded.test" + ); + // sanity - includesubdomains.preloaded.test is preloaded, includeSubdomains set + ok(gSSService.isSecureURI(uri, PRIVATE_ORIGIN_ATTRIBUTES)); + ok(gSSService.isSecureURI(subDomainUri, PRIVATE_ORIGIN_ATTRIBUTES)); + + gSSService.processHeader(uri, "max-age=0", PRIVATE_ORIGIN_ATTRIBUTES); + ok(!gSSService.isSecureURI(uri, PRIVATE_ORIGIN_ATTRIBUTES)); + ok(!gSSService.isSecureURI(subDomainUri, PRIVATE_ORIGIN_ATTRIBUTES)); + + // check adding it back in + gSSService.processHeader(uri, "max-age=1000", PRIVATE_ORIGIN_ATTRIBUTES); + ok(gSSService.isSecureURI(uri, PRIVATE_ORIGIN_ATTRIBUTES)); + // but no includeSubdomains this time + ok(!gSSService.isSecureURI(subDomainUri, PRIVATE_ORIGIN_ATTRIBUTES)); + + // do the hokey-pokey... + gSSService.processHeader(uri, "max-age=0", PRIVATE_ORIGIN_ATTRIBUTES); + ok(!gSSService.isSecureURI(uri, PRIVATE_ORIGIN_ATTRIBUTES)); + ok(!gSSService.isSecureURI(subDomainUri, PRIVATE_ORIGIN_ATTRIBUTES)); + + // Test that an expired private browsing entry results in correctly + // identifying a host that is on the preload list as no longer sts. + // (This happens when we're in private browsing mode, we get a header from + // a site on the preload list, and that header later expires. We need to + // then treat that host as no longer an sts host.) + // (sanity check first - this should be in the preload list) + uri = Services.io.newURI("https://includesubdomains2.preloaded.test"); + ok(gSSService.isSecureURI(uri, PRIVATE_ORIGIN_ATTRIBUTES)); + gSSService.processHeader(uri, "max-age=1", PRIVATE_ORIGIN_ATTRIBUTES); + do_timeout(1250, function () { + ok(!gSSService.isSecureURI(uri, PRIVATE_ORIGIN_ATTRIBUTES)); + // Simulate leaving private browsing mode + Services.obs.notifyObservers(null, "last-pb-context-exited"); + }); +} + +function test_private_browsing2() { + // if this test gets this far, it means there's a private browsing service + ok( + gSSService.isSecureURI( + Services.io.newURI("https://includesubdomains.preloaded.test") + ) + ); + // the includesubdomains.preloaded.test entry has includeSubdomains set + ok( + gSSService.isSecureURI( + Services.io.newURI("https://subdomain.includesubdomains.preloaded.test") + ) + ); + + // Now that we're out of private browsing mode, we need to make sure + // we've "forgotten" that we "forgot" this site's sts status. + ok( + gSSService.isSecureURI( + Services.io.newURI("https://includesubdomains2.preloaded.test") + ) + ); + + run_next_test(); +} diff --git a/security/manager/ssl/tests/unit/test_sts_preloadlist_selfdestruct.js b/security/manager/ssl/tests/unit/test_sts_preloadlist_selfdestruct.js new file mode 100644 index 0000000000..334fbf8a7b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sts_preloadlist_selfdestruct.js @@ -0,0 +1,22 @@ +"use strict"; + +function run_test() { + let SSService = Cc["@mozilla.org/ssservice;1"].getService( + Ci.nsISiteSecurityService + ); + let uri = Services.io.newURI("https://includesubdomains.preloaded.test"); + + // check that a host on the preload list is identified as an sts host + ok(SSService.isSecureURI(uri)); + + // now simulate that it's 19 weeks later than it actually is + let offsetSeconds = 19 * 7 * 24 * 60 * 60; + Services.prefs.setIntPref("test.currentTimeOffsetSeconds", offsetSeconds); + + // check that the preloaded host is no longer considered sts + ok(!SSService.isSecureURI(uri)); + + // just make sure we can get everything back to normal + Services.prefs.clearUserPref("test.currentTimeOffsetSeconds"); + ok(SSService.isSecureURI(uri)); +} diff --git a/security/manager/ssl/tests/unit/test_validity.js b/security/manager/ssl/tests/unit/test_validity.js new file mode 100644 index 0000000000..e1ee44b060 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_validity.js @@ -0,0 +1,106 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ +"use strict"; + +// Tests that chains containing an end-entity cert with an overly long validity +// period are rejected. + +do_get_profile(); // Must be called before getting nsIX509CertDB +const certDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +const SERVER_PORT = 8888; + +function getOCSPResponder(expectedCertNames) { + let expectedPaths = expectedCertNames.slice(); + return startOCSPResponder( + SERVER_PORT, + "www.example.com", + "test_validity", + expectedCertNames, + expectedPaths + ); +} + +function certFromFile(filename) { + return constructCertFromFile(`test_validity/${filename}`); +} + +function loadCert(certFilename, trustString) { + addCertFromFile(certDB, `test_validity/${certFilename}`, trustString); +} + +/** + * Asynchronously runs a single EV test. + * + * @param {Array} expectedNamesForOCSP + * An array of nicknames of the certs to be responded to. + * @param {string} rootCertFileName + * The file name of the root cert. Can begin with ".." to reference + * certs in folders other than "test_validity/". + * @param {Array} intCertFileNames + * An array of file names of any intermediate certificates. + * @param {string} endEntityCertFileName + * The file name of the end entity cert. + * @param {boolean} expectedResult + * Whether the chain is expected to validate as EV. + */ +async function doEVTest( + expectedNamesForOCSP, + rootCertFileName, + intCertFileNames, + endEntityCertFileName, + expectedResult +) { + clearOCSPCache(); + let ocspResponder = getOCSPResponder(expectedNamesForOCSP); + + loadCert(`${rootCertFileName}.pem`, "CTu,CTu,CTu"); + for (let intCertFileName of intCertFileNames) { + loadCert(`${intCertFileName}.pem`, ",,"); + } + await checkEVStatus( + certDB, + certFromFile(`${endEntityCertFileName}.pem`), + certificateUsageSSLServer, + expectedResult + ); + + await stopOCSPResponder(ocspResponder); +} + +async function checkEVChains() { + // Chain with an end entity cert with a validity period that is acceptable + // for EV. + const intFullName = "ev_int_60_months-evroot"; + let eeFullName = `ev_ee_27_months-${intFullName}`; + let expectedNamesForOCSP = [eeFullName]; + await doEVTest( + expectedNamesForOCSP, + "../test_ev_certs/evroot", + [intFullName], + eeFullName, + gEVExpected + ); + + // Chain with an end entity cert with a validity period that is too long + // for EV. + eeFullName = `ev_ee_28_months-${intFullName}`; + expectedNamesForOCSP = [eeFullName]; + await doEVTest( + expectedNamesForOCSP, + "../test_ev_certs/evroot", + [intFullName], + eeFullName, + false + ); +} + +add_task(async function () { + Services.prefs.setCharPref("network.dns.localDomains", "www.example.com"); + Services.prefs.setIntPref("security.OCSP.enabled", 1); + + await checkEVChains(); +}); diff --git a/security/manager/ssl/tests/unit/test_validity/ev_ee_27_months-ev_int_60_months-evroot.pem b/security/manager/ssl/tests/unit/test_validity/ev_ee_27_months-ev_int_60_months-evroot.pem new file mode 100644 index 0000000000..aaf8b498bb --- /dev/null +++ b/security/manager/ssl/tests/unit/test_validity/ev_ee_27_months-ev_int_60_months-evroot.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDbTCCAlWgAwIBAgIUY9hPK5Ff+dVl+bpyQq1nHl6nlc8wDQYJKoZIhvcNAQEL +BQAwIjEgMB4GA1UEAwwXZXZfaW50XzYwX21vbnRocy1ldnJvb3QwIhgPMjAyMjEx +MTUxMjAwMDBaGA8yMDI1MDIxNTEyMDAwMFowMjEwMC4GA1UEAwwnZXZfZWVfMjdf +bW9udGhzLWV2X2ludF82MF9tb250aHMtZXZyb290MIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GGMIGDMGAGCCsG +AQUFBwEBBFQwUjBQBggrBgEFBQcwAYZEaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4 +ODg4L2V2X2VlXzI3X21vbnRocy1ldl9pbnRfNjBfbW9udGhzLWV2cm9vdC8wHwYD +VR0gBBgwFjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwDQYJKoZIhvcNAQELBQADggEB +AFyaoN7S5Kj+6FEOtM70dfhnHR8qF+3t946fztY5Ap9P49LmyOusITodzfsaGKB+ +sAA/w1+R/gPBnNjLo+RgaDHjm24dbCQHARIiQwmWZuKpwxV6D3RQUiskFu9JT16U +A/VwrMkDxOUEbNcZ6ysaQ4yNS0OjNzLbWL7Iwwxd8HnSJeyBDhBR2m2d7uIgAP8Z +ZOa3Zbk/Vk/gifnQkX3fExybZHla17rpZ78oUZr3itPTSCoZchZkQRj3YKgbW1eX +spHmm05DEhZrAagXfy5HKGuahT7bH9YdmzYNBudtgo/PT4rYMeRK9KoF2s50yHQ6 +m6MKlx3Fe6rkFI8dQQwKuYU= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_validity/ev_ee_27_months-ev_int_60_months-evroot.pem.certspec b/security/manager/ssl/tests/unit/test_validity/ev_ee_27_months-ev_int_60_months-evroot.pem.certspec new file mode 100644 index 0000000000..d2c7fa1275 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_validity/ev_ee_27_months-ev_int_60_months-evroot.pem.certspec @@ -0,0 +1,5 @@ +issuer:ev_int_60_months-evroot +subject:ev_ee_27_months-ev_int_60_months-evroot +validity:823 +extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_27_months-ev_int_60_months-evroot/ +extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1 diff --git a/security/manager/ssl/tests/unit/test_validity/ev_ee_28_months-ev_int_60_months-evroot.pem b/security/manager/ssl/tests/unit/test_validity/ev_ee_28_months-ev_int_60_months-evroot.pem new file mode 100644 index 0000000000..4a04867f48 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_validity/ev_ee_28_months-ev_int_60_months-evroot.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDbTCCAlWgAwIBAgIUQetbhf/P9ZguDkeS/tY1AQgNWiYwDQYJKoZIhvcNAQEL +BQAwIjEgMB4GA1UEAwwXZXZfaW50XzYwX21vbnRocy1ldnJvb3QwIhgPMjAyMjEw +MzEwMDAwMDBaGA8yMDI1MDMwMzAwMDAwMFowMjEwMC4GA1UEAwwnZXZfZWVfMjhf +bW9udGhzLWV2X2ludF82MF9tb250aHMtZXZyb290MIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GGMIGDMGAGCCsG +AQUFBwEBBFQwUjBQBggrBgEFBQcwAYZEaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4 +ODg4L2V2X2VlXzI4X21vbnRocy1ldl9pbnRfNjBfbW9udGhzLWV2cm9vdC8wHwYD +VR0gBBgwFjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwDQYJKoZIhvcNAQELBQADggEB +AFP2HCOWpflh1TIMdBgnfRGmu2vuDmPCZmYJp0C06UFoMJi9A5XFEUHNKc7zvvof +RhZx7nR03YxNavTclMrnJLFrcL6vaygsuMumsY+ipcCeNVk+AiB4E3iyhfkf8fxE +iU63QXoPAAjv3Tpduv6Qqht0s4A9V5/XtIpOKKkthgIBboxHLg0jfAbEa3pOZXZf +3lebCXyshl7Nxfm7soMLW1uBOtdrZEmSJJLQyPv9oQ5dQFBX2a/4lokdSCfTMng4 +k2UBgbKOf1zJivB0F97FEitw+LJz9HzQ/6HHF9GNYA5VIZTie1xrtUJsCtG2n8VJ +WlX0qTD4H9UKg53KLhLUOro= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_validity/ev_ee_28_months-ev_int_60_months-evroot.pem.certspec b/security/manager/ssl/tests/unit/test_validity/ev_ee_28_months-ev_int_60_months-evroot.pem.certspec new file mode 100644 index 0000000000..2dcfb2e29c --- /dev/null +++ b/security/manager/ssl/tests/unit/test_validity/ev_ee_28_months-ev_int_60_months-evroot.pem.certspec @@ -0,0 +1,5 @@ +issuer:ev_int_60_months-evroot +subject:ev_ee_28_months-ev_int_60_months-evroot +validity:854 +extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_28_months-ev_int_60_months-evroot/ +extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1 diff --git a/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.key b/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.key new file mode 100644 index 0000000000..09e044f5e0 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9 +braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI +eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6 +iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za +qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7 +LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs +2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs +VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s +JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI +r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz +iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg +SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R +TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N +gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp +xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r +ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR +3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY +EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs +2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb +WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo +tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl +rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2 +TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit +tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m +ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1 +NBinA5ZsT8d0v3QCr2xDJH9D +-----END PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.key.keyspec b/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.key.keyspec new file mode 100644 index 0000000000..4ad96d5159 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.key.keyspec @@ -0,0 +1 @@ +default diff --git a/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.pem b/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.pem new file mode 100644 index 0000000000..9aef7ce612 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDVzCCAj+gAwIBAgIUNUgRbd0SqGrb5aXqd6f3AXyywlowDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjEwNzAyMTIwMDAwWhgPMjAyNjA3 +MDExMjAwMDBaMCIxIDAeBgNVBAMMF2V2X2ludF82MF9tb250aHMtZXZyb290MIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08 +E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc +1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAP +DY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQ +gAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqV +YR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQID +AQABo4GRMIGOMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMFAGCCsGAQUFBwEB +BEQwQjBABggrBgEFBQcwAYY0aHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2V2 +X2ludF82MF9tb250aHMtZXZyb290LzAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUa +hRoBg3QJATANBgkqhkiG9w0BAQsFAAOCAQEANm/Z3UW4IQGo5WfrEzD80fM73y8R +kt890DnDZPohiyup+YpApWUy/yv0KqBton1qkQwbZY3oiGeKI7FAlTzXexWp86C+ +gL87q07Ys3lxyn1hBJB7kIs0nafNrbHC4wL8WFUCwrjs4vgYMfCVzFBu2Wmwmq5u +7WGUqIF5xK1stag6Ml3g2uyDTMzyesQnTw14a9kBc1iD+i2ZmelP4A0FDT1jXPA5 +fVR4uvaIAzWGUu4JAe8obupzbJIaPAuondHnHSbl/WQDlZSPDarxEML1nS9ltV04 +Xbqu0pVBWyZDGwhSWGGJcOgkipx2Rzkvn5AKgp3qdaweN/rLmNXKY2pqzw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.pem.certspec b/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.pem.certspec new file mode 100644 index 0000000000..e169514ffa --- /dev/null +++ b/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.pem.certspec @@ -0,0 +1,8 @@ +issuer:evroot +subject:ev_int_60_months-evroot +issuerKey:ev +validity:1825 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign +extension:authorityInformationAccess:http://www.example.com:8888/ev_int_60_months-evroot/ +extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1 diff --git a/security/manager/ssl/tests/unit/test_validity/evroot.key b/security/manager/ssl/tests/unit/test_validity/evroot.key new file mode 100644 index 0000000000..1d88a930d5 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_validity/evroot.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQC1SYlcnQAQjRGh ++Z+HqePRpdtd+uzxiNpXv2QTaI8s5HIs/xCQOMF0Ask6Kkc9vShq7T/c02PPWikU +dwG92BjXYVv5NWvV08gzaqqMCXE2igbDzURhuT5RQk4XRLsuqtRqqzjOGWghlh+H +cUoWY2k/CXYc301roSXqzse+Jw04j3ifbN94rjFE7SjEXnkpOGOnoipImAo2pA5y +1XnJuSXf+MeTNi/9aJenwXVMXpfJZ8Pq3RquiqLMzjSKAWm4Diii1wwalgxvM18t +oJubZD9av7pJ6Kqpgelg4n2HSAvdVd2UF/oYUJ+7VUzPgaQ5fouoEoo0vfJ4ZcGJ +5XNPsikFAgMBAAECggEBAJg9VPlNb0x26yPW+T14UjUwz3Ow0WJUxueBdo1F9VaB +0dAvsr0qrGq8HDiYYJNcUqDY9BSCAQOUd4MUHYZL/zCANjilwBUlcK6dGPPYyhY+ ++0dbDd3zLn4W7HVl5rteAlxBxcZuV6A87eVUIh+DBFNHosTEUcPc5Ha3h84MBXJE +vp4E7xMRjbuz1eCmzIcCnq/Upp7ZsUdZsV452KmITlb1TS+asBPw0V8xipq2svc9 +HsPJ/idK6JQxoQZAvniZsAEcXlCToYNHCGid4QBjTaveYPvWqu+joz3zSh829gwE +MDa3SNHJ7pjEAxoK/sYO/aCpkL5ST1YU6sT9s0pS+VECgYEA6twssz5f8co3a72V +vWoXd9LPT6xHVF6S0RpiCbnV5N7UeDRYHBabPIhHQqCeoYdQXBylVBTY0ltJdjLV +7CqqBSM0MPrUmJJ3en1o4Dj1YaO4lp5gsKJj3vv9pIqbD/OdlbyIsVJnyK3pe1EH +lI5B5DMknYf32xCdXXRYTYa8wdcCgYEAxZrldqIWRwJI2USlW56b+TKZ2jQexW5V +jrqCGrzhv1e3nPQR0pBMd0+duh8VGF9gewV0oIIF1uwotmo21jQjLqry/qN1Yauv +nWRLaNs4yZZMuMluwKxh66ZNBbRGVC9COXb1rN5OzJVTbS31eJVPk/DP2cWPt4ui +p23VrChNyIMCgYEAwdLvOQYzHFKspkgR+f5CW+somDIvs9tRAyzo1+n8MiQL6SAZ +zySA/NXjKYNxJxGLKlmhv+BsiD46REfz8DHNmuvQuNNo/Hl0DSzOjq2zJN9/CR6v +4VZDYdVJILAbBHEjDl5H2T+O0zljxRe8T8ePbYsfnrqFvM7bcDMCZQjbYoUCgYEA +hSG421aU376ASjFfnvybZSdcVJCs8qNFbWXm5hC/n2R/xnUB1PV3LyMqxwzN75/C +pt+kFcfEG2r8evnQfDygP37ZPAnwuZ8sMEQ0Mi8QcXCbvBuqTJFXX6apWeB9SZaV +bZXiK1eTi25HyNUf/t/Jv4iM4NGj5CtlqJvtS5HT5fUCgYEA3El7BrkgyL4LAHe3 +mOl37vdEqQ7Cxdfmy7IkSPrHLagaMxgODYoC6DFGDH/H/TphL3uZMLYbeZ+OkI5j +LpugQJtqpwsDo7p4dCYmO1vVhD34R27bXRT2qGE+uvW5zVykL1+9KALgjk5J5XCf +UVFRDKpassHG6z7+kpXRbowlyRY= +-----END PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/test_validity/evroot.key.keyspec b/security/manager/ssl/tests/unit/test_validity/evroot.key.keyspec new file mode 100644 index 0000000000..1a3d76a550 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_validity/evroot.key.keyspec @@ -0,0 +1 @@ +ev diff --git a/security/manager/ssl/tests/unit/test_validity/evroot.pem b/security/manager/ssl/tests/unit/test_validity/evroot.pem new file mode 100644 index 0000000000..13c3031905 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_validity/evroot.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC0TCCAbmgAwIBAgIUIZSHsVgzcvhPgdfrgdMGlpSfMegwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMTUwMTAxMDAwMDAwWhgPMjAzNTAx +MDEwMDAwMDBaMBExDzANBgNVBAMMBmV2cm9vdDCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBALVJiVydABCNEaH5n4ep49Gl21367PGI2le/ZBNojyzkciz/ +EJA4wXQCyToqRz29KGrtP9zTY89aKRR3Ab3YGNdhW/k1a9XTyDNqqowJcTaKBsPN +RGG5PlFCThdEuy6q1GqrOM4ZaCGWH4dxShZjaT8JdhzfTWuhJerOx74nDTiPeJ9s +33iuMUTtKMReeSk4Y6eiKkiYCjakDnLVecm5Jd/4x5M2L/1ol6fBdUxel8lnw+rd +Gq6KoszONIoBabgOKKLXDBqWDG8zXy2gm5tkP1q/uknoqqmB6WDifYdIC91V3ZQX ++hhQn7tVTM+BpDl+i6gSijS98nhlwYnlc0+yKQUCAwEAAaMdMBswDAYDVR0TBAUw +AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBABTOHA9XbfLv/C7+ +5KycYXToOIBRSjQ0j2nsiqFda4Jx+aKsvdpdrrbLHvhrpfsA3ZgB2+eKHunVc4fo +UHNqZllAs2nx+AEinq4GX8iya5BpiyTIxXWu8v06siGgz1GxlJw1cJ/ZnFEQ9IBf +cCAr5fCoZ4RC+2OVhiSTnYPCKM+zCyw3YpISjNOg1VVkp46Htp+831Eh12YfwvdY +Fgh1fc5ohYC5GCLRuXKc9PGTsr3gp7Y0liYbK7v0RBjd+GivNQ3dS3W+lB3Ow0LH +z/fc3qvrhsd58jHpb1QZQzd9bQjuIIM6Gij7TNdNNarEVZfSJjPYLfXosNdYh5fH +HmbOwao= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_validity/evroot.pem.certspec b/security/manager/ssl/tests/unit/test_validity/evroot.pem.certspec new file mode 100644 index 0000000000..3121f3486e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_validity/evroot.pem.certspec @@ -0,0 +1,7 @@ +issuer:evroot +subject:evroot +subjectKey:ev +issuerKey:ev +validity:20150101-20350101 +extension:basicConstraints:cA, +extension:keyUsage:keyCertSign,cRLSign diff --git a/security/manager/ssl/tests/unit/test_x509.js b/security/manager/ssl/tests/unit/test_x509.js new file mode 100644 index 0000000000..89fd01e819 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_x509.js @@ -0,0 +1,124 @@ +/* Any copyright is dedicated to the Public Domain. + * http://creativecommons.org/publicdomain/zero/1.0/ */ + +"use strict"; + +// Tests X509.jsm functionality. + +function stringToArray(s) { + let b = []; + for (let i = 0; i < s.length; i++) { + b.push(s.charCodeAt(i)); + } + return b; +} + +function readPEMToBytes(filename) { + return stringToArray(atob(pemToBase64(readFile(do_get_file(filename))))); +} + +function run_test() { + let certificate = new X509.Certificate(); + // We use this certificate because it has a set validity period, which means that when + // the test certificates get regenerated each year, the values in this test won't change. + certificate.parse(readPEMToBytes("bad_certs/expired-ee.pem")); + + equal( + certificate.tbsCertificate.version, + 3, + "expired-ee.pem should be x509v3" + ); + + // serialNumber + deepEqual( + certificate.tbsCertificate.serialNumber, + [ + 0x63, 0xd1, 0x11, 0x00, 0x82, 0xa3, 0xd2, 0x3b, 0x3f, 0x61, 0xb8, 0x49, + 0xa0, 0xca, 0xdc, 0x2e, 0x78, 0xfe, 0xfa, 0xea, + ], + "expired-ee.pem should have expected serialNumber" + ); + + deepEqual( + certificate.tbsCertificate.signature.algorithm._values, + [1, 2, 840, 113549, 1, 1, 11], // sha256WithRSAEncryption + "expired-ee.pem should have sha256WithRSAEncryption signature" + ); + deepEqual( + certificate.tbsCertificate.signature.parameters._contents, + [], + "expired-ee.pem should have NULL parameters for signature" + ); + + equal( + certificate.tbsCertificate.issuer.rdns.length, + 1, + "expired-ee.pem should have one RDN in issuer" + ); + equal( + certificate.tbsCertificate.issuer.rdns[0].avas.length, + 1, + "expired-ee.pem should have one AVA in RDN in issuer" + ); + deepEqual( + certificate.tbsCertificate.issuer.rdns[0].avas[0].value.value, + stringToArray("Test CA"), + "expired-ee.pem should have issuer 'Test CA'" + ); + + equal( + certificate.tbsCertificate.validity.notBefore.time.getTime(), + Date.parse("2013-01-01T00:00:00.000Z"), + "expired-ee.pem should have the correct value for notBefore" + ); + equal( + certificate.tbsCertificate.validity.notAfter.time.getTime(), + Date.parse("2014-01-01T00:00:00.000Z"), + "expired-ee.pem should have the correct value for notAfter" + ); + + equal( + certificate.tbsCertificate.subject.rdns.length, + 1, + "expired-ee.pem should have one RDN in subject" + ); + equal( + certificate.tbsCertificate.subject.rdns[0].avas.length, + 1, + "expired-ee.pem should have one AVA in RDN in subject" + ); + deepEqual( + certificate.tbsCertificate.subject.rdns[0].avas[0].value.value, + stringToArray("Expired Test End-entity"), + "expired-ee.pem should have subject 'Expired Test End-entity'" + ); + + deepEqual( + certificate.tbsCertificate.subjectPublicKeyInfo.algorithm.algorithm._values, + [1, 2, 840, 113549, 1, 1, 1], // rsaEncryption + "expired-ee.pem should have a spki algorithm of rsaEncryption" + ); + + equal( + certificate.tbsCertificate.extensions.length, + 2, + "expired-ee.pem should have two extensions" + ); + + deepEqual( + certificate.signatureAlgorithm.algorithm._values, + [1, 2, 840, 113549, 1, 1, 11], // sha256WithRSAEncryption + "expired-ee.pem should have sha256WithRSAEncryption signatureAlgorithm" + ); + deepEqual( + certificate.signatureAlgorithm.parameters._contents, + [], + "expired-ee.pem should have NULL parameters for signatureAlgorithm" + ); + + equal( + certificate.signatureValue.length, + 2048 / 8, + "length of signature on expired-ee.pem should be 2048 bits" + ); +} diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertAndPinningServer.cpp b/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertAndPinningServer.cpp new file mode 100644 index 0000000000..1ccd5e876b --- /dev/null +++ b/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertAndPinningServer.cpp @@ -0,0 +1,141 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +// This is a standalone server that uses various bad certificates. +// The client is expected to connect, initiate an SSL handshake (with SNI +// to indicate which "server" to connect to), and verify the certificate. +// If all is good, the client then sends one encrypted byte and receives that +// same byte back. +// This server also has the ability to "call back" another process waiting on +// it. That is, when the server is all set up and ready to receive connections, +// it will connect to a specified port and issue a simple HTTP request. + +#include <stdio.h> + +#include "TLSServer.h" + +using namespace mozilla; +using namespace mozilla::test; + +struct BadCertAndPinningHost { + const char* mHostName; + const char* mCertName; +}; + +// Hostname, cert nickname pairs. +const BadCertAndPinningHost sBadCertAndPinningHosts[] = { + {"expired.example.com", "expired-ee"}, + {"notyetvalid.example.com", "notYetValid"}, + {"before-epoch.example.com", "beforeEpoch"}, + {"before-epoch-self-signed.example.com", "beforeEpochSelfSigned"}, + {"selfsigned.example.com", "selfsigned"}, + {"unknownissuer.example.com", "unknownissuer"}, + {"mismatch.example.com", "mismatch"}, + {"mismatch-CN.example.com", "mismatchCN"}, + {"mitm.example.com", "mitm"}, + {"expiredissuer.example.com", "expiredissuer"}, + {"notyetvalidissuer.example.com", "notYetValidIssuer"}, + {"before-epoch-issuer.example.com", "beforeEpochIssuer"}, + {"md5signature.example.com", "md5signature"}, + {"untrusted.example.com", "default-ee"}, + {"untrustedissuer.example.com", "untrustedissuer"}, + {"mismatch-expired.example.com", "mismatch-expired"}, + {"mismatch-notYetValid.example.com", "mismatch-notYetValid"}, + {"mismatch-untrusted.example.com", "mismatch-untrusted"}, + {"untrusted-expired.example.com", "untrusted-expired"}, + {"md5signature-expired.example.com", "md5signature-expired"}, + {"mismatch-untrusted-expired.example.com", "mismatch-untrusted-expired"}, + {"inadequatekeyusage.example.com", "inadequatekeyusage-ee"}, + {"selfsigned-inadequateEKU.example.com", "selfsigned-inadequateEKU"}, + {"self-signed-end-entity-with-cA-true.example.com", + "self-signed-EE-with-cA-true"}, + {"ca-used-as-end-entity.example.com", "ca-used-as-end-entity"}, + {"ca-used-as-end-entity-name-mismatch.example.com", + "ca-used-as-end-entity"}, + // All of include-subdomains.pinning.example.com is pinned to End Entity + // Test Cert with nick default-ee. Any other nick will only + // pass pinning when security.cert_pinning.enforcement.level != strict and + // otherCA is added as a user-specified trust anchor. See StaticHPKPins.h. + {"include-subdomains.pinning.example.com", "default-ee"}, + {"good.include-subdomains.pinning.example.com", "default-ee"}, + {"bad.include-subdomains.pinning.example.com", "other-issuer-ee"}, + {"bad.include-subdomains.pinning.example.com.", "other-issuer-ee"}, + {"bad.include-subdomains.pinning.example.com..", "other-issuer-ee"}, + {"exclude-subdomains.pinning.example.com", "default-ee"}, + {"sub.exclude-subdomains.pinning.example.com", "other-issuer-ee"}, + {"test-mode.pinning.example.com", "other-issuer-ee"}, + {"unknownissuer.include-subdomains.pinning.example.com", "unknownissuer"}, + {"unknownissuer.test-mode.pinning.example.com", "unknownissuer"}, + {"nsCertTypeNotCritical.example.com", "nsCertTypeNotCritical"}, + {"nsCertTypeCriticalWithExtKeyUsage.example.com", + "nsCertTypeCriticalWithExtKeyUsage"}, + {"nsCertTypeCritical.example.com", "nsCertTypeCritical"}, + {"end-entity-issued-by-v1-cert.example.com", "eeIssuedByV1Cert"}, + {"end-entity-issued-by-non-CA.example.com", "eeIssuedByNonCA"}, + {"inadequate-key-size-ee.example.com", "inadequateKeySizeEE"}, + {"badSubjectAltNames.example.com", "badSubjectAltNames"}, + {"ipAddressAsDNSNameInSAN.example.com", "ipAddressAsDNSNameInSAN"}, + {"noValidNames.example.com", "noValidNames"}, + {"bug413909.xn--hxajbheg2az3al.xn--jxalpdlp", "idn-certificate"}, + {"emptyissuername.example.com", "emptyIssuerName"}, + {"ev-test.example.com", "ev-test"}, + {"ee-from-missing-intermediate.example.com", + "ee-from-missing-intermediate"}, + {"imminently-distrusted.example.com", "ee-imminently-distrusted"}, + {"localhost", "unknownissuer"}, + {"a.pinning.example.com", "default-ee"}, + {"b.pinning.example.com", "default-ee"}, + {"not-preloaded.example.com", "default-ee"}, + {"ee.example.com", "default-ee"}, + {nullptr, nullptr}}; + +int32_t DoSNISocketConfigBySubjectCN(PRFileDesc* aFd, + const SECItem* aSrvNameArr, + uint32_t aSrvNameArrSize) { + for (uint32_t i = 0; i < aSrvNameArrSize; i++) { + UniquePORTString name( + static_cast<char*>(PORT_ZAlloc(aSrvNameArr[i].len + 1))); + if (name) { + PORT_Memcpy(name.get(), aSrvNameArr[i].data, aSrvNameArr[i].len); + if (ConfigSecureServerWithNamedCert(aFd, name.get(), nullptr, nullptr, + nullptr) == SECSuccess) { + return 0; + } + } + } + + return SSL_SNI_SEND_ALERT; +} + +int32_t DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr, + uint32_t aSrvNameArrSize, void* aArg) { + const BadCertAndPinningHost* host = + GetHostForSNI(aSrvNameArr, aSrvNameArrSize, sBadCertAndPinningHosts); + if (!host) { + // No static cert <-> hostname mapping found. This happens when we use a + // collection of certificates in a given directory and build a cert DB at + // runtime, rather than using an NSS cert DB populated at build time. + // (This will be the default in the future.) + // For all given server names, check if the runtime-built cert DB contains + // a certificate with a matching subject CN. + return DoSNISocketConfigBySubjectCN(aFd, aSrvNameArr, aSrvNameArrSize); + } + + if (gDebugLevel >= DEBUG_VERBOSE) { + fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName); + } + + UniqueCERTCertificate cert; + SSLKEAType certKEA; + if (SECSuccess != ConfigSecureServerWithNamedCert(aFd, host->mCertName, &cert, + &certKEA, nullptr)) { + return SSL_SNI_SEND_ALERT; + } + + return 0; +} + +int main(int argc, char* argv[]) { + return StartServer(argc, argv, DoSNISocketConfig, nullptr); +} diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/DelegatedCredentialsServer.cpp b/security/manager/ssl/tests/unit/tlsserver/cmd/DelegatedCredentialsServer.cpp new file mode 100644 index 0000000000..17c12cb34a --- /dev/null +++ b/security/manager/ssl/tests/unit/tlsserver/cmd/DelegatedCredentialsServer.cpp @@ -0,0 +1,142 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +// This is a standalone server used to test Delegated Credentials +// (see: https://tools.ietf.org/html/draft-ietf-tls-subcerts-03). +// +// The client is expected to connect, initiate an SSL handshake (with SNI +// to indicate which "server" to connect to), and verify the certificate. +// If all is good, the client then sends one encrypted byte and receives that +// same byte back. +// This server also has the ability to "call back" another process waiting on +// it. That is, when the server is all set up and ready to receive connections, +// it will connect to a specified port and issue a simple HTTP request. + +#include <iostream> + +#include "TLSServer.h" + +#include "sslexp.h" + +using namespace mozilla; +using namespace mozilla::test; + +struct DelegatedCertHost { + const char* mHostName; + const char* mCertName; + const char* mDCKeyNick; + bool mEnableDelegatedCredentials; +}; + +const PRUint32 kDCValidFor = 60 * 60 * 24 * 7 /* 1 week (seconds) */; + +// {host, eeCert, dcCert, enableDC} +const DelegatedCertHost sDelegatedCertHosts[] = { + {"delegated-enabled.example.com", "delegated-ee", "delegated.key", true}, + {"standard-enabled.example.com", "default-ee", "delegated.key", true}, + {"delegated-disabled.example.com", "delegated-ee", + /* anything non-null */ "delegated.key", false}, + {nullptr, nullptr, nullptr, false}}; + +int32_t DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr, + uint32_t aSrvNameArrSize, void* aArg) { + const DelegatedCertHost* host = + GetHostForSNI(aSrvNameArr, aSrvNameArrSize, sDelegatedCertHosts); + if (!host) { + return SSL_SNI_SEND_ALERT; + } + + if (gDebugLevel >= DEBUG_VERBOSE) { + std::cerr << "Identified host " << host->mHostName << '\n'; + } + + UniqueCERTCertificate delegatorCert( + PK11_FindCertFromNickname(host->mCertName, nullptr)); + if (!delegatorCert) { + PrintPRError("PK11_FindCertFromNickname failed"); + return SSL_SNI_SEND_ALERT; + } + + UniquePK11SlotInfo slot(PK11_GetInternalKeySlot()); + if (!slot) { + PrintPRError("PK11_GetInternalKeySlot failed"); + return SSL_SNI_SEND_ALERT; + } + + SSLExtraServerCertData extra_data = {ssl_auth_null, + /* Filled in by callee */ nullptr, + nullptr, + nullptr, + /* DC */ nullptr, + /* DC PrivKey */ nullptr}; + + UniqueSECKEYPrivateKey delegatorPriv( + PK11_FindKeyByDERCert(slot.get(), delegatorCert.get(), nullptr)); + if (!delegatorPriv) { + PrintPRError("PK11_FindKeyByDERCert failed"); + return SSL_SNI_SEND_ALERT; + } + + // Find the DC keypair by the file (nick) name. + ScopedAutoSECItem dc; + UniqueSECKEYPrivateKey dcPriv; + if (host->mEnableDelegatedCredentials) { + if (gDebugLevel >= DEBUG_VERBOSE) { + std::cerr << "Enabling a delegated credential for host " + << host->mHostName << '\n'; + } + + if (PK11_NeedLogin(slot.get())) { + SECStatus rv = PK11_Authenticate(slot.get(), PR_TRUE, nullptr); + if (rv != SECSuccess) { + PrintPRError("PK11_Authenticate failed"); + return SSL_SNI_SEND_ALERT; + } + } + UniqueSECKEYPrivateKeyList list(PK11_ListPrivKeysInSlot( + slot.get(), const_cast<char*>(host->mDCKeyNick), nullptr)); + if (!list) { + PrintPRError("PK11_ListPrivKeysInSlot failed"); + return SSL_SNI_SEND_ALERT; + } + SECKEYPrivateKeyListNode* node = PRIVKEY_LIST_HEAD(list); + + dcPriv.reset(SECKEY_CopyPrivateKey(node->key)); + if (!dcPriv) { + PrintPRError("PK11_ListPrivKeysInSlot could not find dcPriv"); + return SSL_SNI_SEND_ALERT; + } + + UniqueSECKEYPublicKey dcPub(SECKEY_ConvertToPublicKey(dcPriv.get())); + if (!dcPub) { + PrintPRError("SECKEY_ConvertToPublicKey failed"); + return SSL_SNI_SEND_ALERT; + } + + // Create and set the DC. + if (SSL_DelegateCredential(delegatorCert.get(), delegatorPriv.get(), + dcPub.get(), ssl_sig_ecdsa_secp384r1_sha384, + kDCValidFor, PR_Now(), &dc) != SECSuccess) { + PrintPRError("SSL_DelegateCredential failed"); + return SSL_SNI_SEND_ALERT; + } + extra_data.delegCred = &dc; + extra_data.delegCredPrivKey = dcPriv.get(); + + // The list should only have a single key. + PORT_Assert(PRIVKEY_LIST_END(PRIVKEY_LIST_NEXT(node), list)); + } + + if (ConfigSecureServerWithNamedCert(aFd, host->mCertName, nullptr, nullptr, + &extra_data) != SECSuccess) { + PrintPRError("ConfigSecureServerWithNamedCert failed"); + return SSL_SNI_SEND_ALERT; + } + + return 0; +} + +int main(int argc, char* argv[]) { + return StartServer(argc, argv, DoSNISocketConfig, nullptr); +} diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/EncryptedClientHelloServer.cpp b/security/manager/ssl/tests/unit/tlsserver/cmd/EncryptedClientHelloServer.cpp new file mode 100644 index 0000000000..fd284874b3 --- /dev/null +++ b/security/manager/ssl/tests/unit/tlsserver/cmd/EncryptedClientHelloServer.cpp @@ -0,0 +1,178 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +// This is a standalone server that offers TLS 1.3 Encrypted +// Client Hello support. + +#include <stdio.h> + +#include "nspr.h" +#include "ScopedNSSTypes.h" +#include "ssl.h" +#include "sslexp.h" +#include "TLSServer.h" +#include <pk11pub.h> +#include <vector> + +using namespace mozilla; +using namespace mozilla::test; + +struct EchHost { + const char* mHostName; + const char* mCertName; +}; + +const std::vector<uint32_t> kSuiteChaCha = { + (static_cast<uint32_t>(HpkeKdfHkdfSha256) << 16) | + HpkeAeadChaCha20Poly1305}; + +// Hostname, cert nickname pairs. +const EchHost sEchHosts[] = {{"ech-public.example.com", "default-ee"}, + {"ech-private.example.com", "private-ee"}, + {"selfsigned.example.com", "selfsigned"}, + {nullptr, nullptr}}; + +int32_t DoSNISocketConfigBySubjectCN(PRFileDesc* aFd, + const SECItem* aSrvNameArr, + uint32_t aSrvNameArrSize) { + for (uint32_t i = 0; i < aSrvNameArrSize; i++) { + UniquePORTString name( + static_cast<char*>(PORT_ZAlloc(aSrvNameArr[i].len + 1))); + if (name) { + PORT_Memcpy(name.get(), aSrvNameArr[i].data, aSrvNameArr[i].len); + if (ConfigSecureServerWithNamedCert(aFd, name.get(), nullptr, nullptr, + nullptr) == SECSuccess) { + return 0; + } + } + } + + return SSL_SNI_SEND_ALERT; +} + +int32_t DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr, + uint32_t aSrvNameArrSize, void* aArg) { + const EchHost* host = GetHostForSNI(aSrvNameArr, aSrvNameArrSize, sEchHosts); + if (!host) { + PrintPRError("No cert found for hostname"); + return SSL_SNI_SEND_ALERT; + } + + if (gDebugLevel >= DEBUG_VERBOSE) { + fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName); + } + + UniqueCERTCertificate cert; + SSLKEAType certKEA; + if (SECSuccess != ConfigSecureServerWithNamedCert(aFd, host->mCertName, &cert, + &certKEA, nullptr)) { + return SSL_SNI_SEND_ALERT; + } + + return 0; +} + +int32_t SetAlpnOptions(PRFileDesc* aFd, uint8_t flags) { + const std::vector<uint8_t> http1 = {0x08, 0x68, 0x74, 0x74, 0x70, + 0x2f, 0x31, 0x2e, 0x31}; + const std::vector<uint8_t> http2 = {0x02, 0x68, 0x32}; + const std::vector<uint8_t> http3 = {0x02, 0x68, 0x33}; + std::vector<uint8_t> alpnVec = {}; + if (flags & 0b001) { + alpnVec.insert(alpnVec.end(), http1.begin(), http1.end()); + } + if (flags & 0b010) { + alpnVec.insert(alpnVec.end(), http2.begin(), http2.end()); + } + if (flags & 0b100) { + alpnVec.insert(alpnVec.end(), http3.begin(), http3.end()); + } + fprintf(stderr, "ALPN Flags: %u\n", flags); + fprintf(stderr, "ALPN length: %zu\n", alpnVec.size()); + if (SSL_SetNextProtoNego(aFd, alpnVec.data(), alpnVec.size()) != SECSuccess) { + fprintf(stderr, "Setting ALPN failed!\n"); + return 1; + } + + return 0; +} + +SECStatus ConfigureServer(PRFileDesc* aFd) { + const char* alpnFlag = PR_GetEnv("MOZ_TLS_ECH_ALPN_FLAG"); + if (alpnFlag) { + uint8_t flag = atoi(alpnFlag); + SetAlpnOptions(aFd, flag); + } + + UniquePK11SlotInfo slot(PK11_GetInternalKeySlot()); + if (!slot) { + PrintPRError("PK11_GetInternalKeySlot failed"); + return SECFailure; + } + + UniqueSECKEYPublicKey pubKey; + UniqueSECKEYPrivateKey privKey; + SECKEYPublicKey* tmpPubKey = nullptr; + SECKEYPrivateKey* tmpPrivKey = nullptr; + + static const std::vector<uint8_t> pkcs8{ + 0x30, 0x67, 0x02, 0x01, 0x00, 0x30, 0x14, 0x06, 0x07, 0x2a, 0x86, 0x48, + 0xce, 0x3d, 0x02, 0x01, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xda, + 0x47, 0x0f, 0x01, 0x04, 0x4c, 0x30, 0x4a, 0x02, 0x01, 0x01, 0x04, 0x20, + 0x8c, 0x49, 0x0e, 0x5b, 0x0c, 0x7d, 0xbe, 0x0c, 0x6d, 0x21, 0x92, 0x48, + 0x4d, 0x2b, 0x7a, 0x04, 0x23, 0xb3, 0xb4, 0x54, 0x4f, 0x24, 0x81, 0x09, + 0x5a, 0x99, 0xdb, 0xf2, 0x38, 0xfb, 0x35, 0x0f, 0xa1, 0x23, 0x03, 0x21, + 0x00, 0x8a, 0x07, 0x56, 0x39, 0x49, 0xfa, 0xc6, 0x23, 0x29, 0x36, 0xed, + 0x6f, 0x36, 0xc4, 0xfa, 0x73, 0x59, 0x30, 0xec, 0xde, 0xae, 0xf6, 0x73, + 0x4e, 0x31, 0x4a, 0xea, 0xc3, 0x5a, 0x56, 0xfd, 0x0a}; + + SECItem pkcs8Item = {siBuffer, const_cast<uint8_t*>(pkcs8.data()), + static_cast<unsigned int>(pkcs8.size())}; + SECStatus rv = PK11_ImportDERPrivateKeyInfoAndReturnKey( + slot.get(), &pkcs8Item, nullptr, nullptr, false, false, KU_ALL, + &tmpPrivKey, nullptr); + + if (rv != SECSuccess) { + PrintPRError("PK11_ImportDERPrivateKeyInfoAndReturnKey failed"); + return SECFailure; + } + privKey.reset(tmpPrivKey); + tmpPubKey = SECKEY_ConvertToPublicKey(privKey.get()); + pubKey.reset(tmpPubKey); + + if (!privKey || !pubKey) { + PrintPRError("ECH/HPKE Public or Private key is null!"); + return SECFailure; + } + + std::vector<uint8_t> echConfig(1000, 0); + unsigned int len = 0; + const PRUint8 configId = 77; + const HpkeSymmetricSuite echCipherSuite = {HpkeKdfHkdfSha256, + HpkeAeadChaCha20Poly1305}; + rv = SSL_EncodeEchConfigId(configId, "ech-public.example.com", 100, + HpkeDhKemX25519Sha256, pubKey.get(), + &echCipherSuite, 1, echConfig.data(), &len, + echConfig.size()); + if (rv != SECSuccess) { + PrintPRError("SSL_EncodeEchConfig failed"); + return rv; + } + + rv = SSL_SetServerEchConfigs(aFd, pubKey.get(), privKey.get(), + echConfig.data(), len); + if (rv != SECSuccess) { + PrintPRError("SSL_SetServerEchConfigs failed"); + return rv; + } + + return SECSuccess; +} + +int main(int argc, char* argv[]) { + int rv = StartServer(argc, argv, DoSNISocketConfig, nullptr, ConfigureServer); + if (rv < 0) { + return rv; + } +} diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/FaultyServer.cpp b/security/manager/ssl/tests/unit/tlsserver/cmd/FaultyServer.cpp new file mode 100644 index 0000000000..38bfa87e1a --- /dev/null +++ b/security/manager/ssl/tests/unit/tlsserver/cmd/FaultyServer.cpp @@ -0,0 +1,257 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include <stdio.h> + +#include "nspr.h" +#include "ScopedNSSTypes.h" +#include "ssl.h" +#include "ssl3prot.h" +#include "sslexp.h" +#include "sslimpl.h" +#include "TLSServer.h" + +#include "mozilla/Sprintf.h" + +using namespace mozilla; +using namespace mozilla::test; + +enum FaultType { + None = 0, + ZeroRtt, + UnknownSNI, + Xyber, +}; + +struct FaultyServerHost { + const char* mHostName; + const char* mCertName; + FaultType mFaultType; +}; + +const char* kHostOk = "ok.example.com"; +const char* kHostUnknown = "unknown.example.com"; +const char* kHostZeroRttAlertBadMac = "0rtt-alert-bad-mac.example.com"; +const char* kHostZeroRttAlertVersion = + "0rtt-alert-protocol-version.example.com"; +const char* kHostZeroRttAlertUnexpected = "0rtt-alert-unexpected.example.com"; +const char* kHostZeroRttAlertDowngrade = "0rtt-alert-downgrade.example.com"; + +const char* kHostXyberNetInterrupt = "xyber-net-interrupt.example.com"; +const char* kHostXyberAlertAfterServerHello = + "xyber-alert-after-server-hello.example.com"; + +const char* kCertWildcard = "default-ee"; + +/* Each type of failure gets a different SNI. + * the "default-ee" cert has a SAN for *.example.com + * the "no-san-ee" cert is signed by the test-ca, but it doesn't have any SANs. + */ +const FaultyServerHost sFaultyServerHosts[]{ + {kHostOk, kCertWildcard, None}, + {kHostUnknown, kCertWildcard, UnknownSNI}, + {kHostZeroRttAlertBadMac, kCertWildcard, ZeroRtt}, + {kHostZeroRttAlertVersion, kCertWildcard, ZeroRtt}, + {kHostZeroRttAlertUnexpected, kCertWildcard, ZeroRtt}, + {kHostZeroRttAlertDowngrade, kCertWildcard, ZeroRtt}, + {kHostXyberNetInterrupt, kCertWildcard, Xyber}, + {kHostXyberAlertAfterServerHello, kCertWildcard, Xyber}, + {nullptr, nullptr}, +}; + +nsresult SendAll(PRFileDesc* aSocket, const char* aData, size_t aDataLen) { + if (gDebugLevel >= DEBUG_VERBOSE) { + fprintf(stderr, "sending '%s'\n", aData); + } + + int32_t len = static_cast<int32_t>(aDataLen); + while (len > 0) { + int32_t bytesSent = PR_Send(aSocket, aData, len, 0, PR_INTERVAL_NO_TIMEOUT); + if (bytesSent == -1) { + PrintPRError("PR_Send failed"); + return NS_ERROR_FAILURE; + } + + len -= bytesSent; + aData += bytesSent; + } + + return NS_OK; +} + +// returns 0 on success, non-zero on error +int DoCallback(const char* path) { + UniquePRFileDesc socket(PR_NewTCPSocket()); + if (!socket) { + PrintPRError("PR_NewTCPSocket failed"); + return 1; + } + + uint32_t port = 0; + const char* callbackPort = PR_GetEnv("FAULTY_SERVER_CALLBACK_PORT"); + if (callbackPort) { + port = atoi(callbackPort); + } + if (!port) { + return 0; + } + + PRNetAddr addr; + PR_InitializeNetAddr(PR_IpAddrLoopback, port, &addr); + if (PR_Connect(socket.get(), &addr, PR_INTERVAL_NO_TIMEOUT) != PR_SUCCESS) { + PrintPRError("PR_Connect failed"); + return 1; + } + + char request[512]; + SprintfLiteral(request, "GET %s HTTP/1.0\r\n\r\n", path); + SendAll(socket.get(), request, strlen(request)); + char buf[4096]; + memset(buf, 0, sizeof(buf)); + int32_t bytesRead = + PR_Recv(socket.get(), buf, sizeof(buf) - 1, 0, PR_INTERVAL_NO_TIMEOUT); + if (bytesRead < 0) { + PrintPRError("PR_Recv failed 1"); + return 1; + } + if (bytesRead == 0) { + fprintf(stderr, "PR_Recv eof 1\n"); + return 1; + } + // fprintf(stderr, "%s\n", buf); + return 0; +} + +/* These are very rough examples. In practice the `arg` parameter to a callback + * might need to be an object that holds some state, like the various traffic + * secrets. */ + +/* An SSLSecretCallback is called after every key derivation step in the TLS + * 1.3 key schedule. + * + * Epoch 1 is for the early traffic secret. + * Epoch 2 is for the handshake traffic secrets. + * Epoch 3 is for the application traffic secrets. + */ +void SecretCallbackFailZeroRtt(PRFileDesc* fd, PRUint16 epoch, + SSLSecretDirection dir, PK11SymKey* secret, + void* arg) { + fprintf(stderr, "0RTT handler epoch=%d dir=%d\n", epoch, (uint32_t)dir); + FaultyServerHost* host = static_cast<FaultyServerHost*>(arg); + + if (epoch == 1 && dir == ssl_secret_read) { + sslSocket* ss = ssl_FindSocket(fd); + if (!ss) { + fprintf(stderr, "0RTT handler, no ss!\n"); + return; + } + + char path[256]; + SprintfLiteral(path, "/callback/%d", epoch); + DoCallback(path); + + fprintf(stderr, "0RTT handler, configuring alert\n"); + if (!strcmp(host->mHostName, kHostZeroRttAlertBadMac)) { + SSL3_SendAlert(ss, alert_fatal, bad_record_mac); + } else if (!strcmp(host->mHostName, kHostZeroRttAlertVersion)) { + SSL3_SendAlert(ss, alert_fatal, protocol_version); + } else if (!strcmp(host->mHostName, kHostZeroRttAlertUnexpected)) { + SSL3_SendAlert(ss, alert_fatal, no_alert); + } + } +} + +SECStatus FailingWriteCallback(PRFileDesc* fd, PRUint16 epoch, + SSLContentType contentType, const PRUint8* data, + unsigned int len, void* arg) { + return SECFailure; +} + +void SecretCallbackFailXyber(PRFileDesc* fd, PRUint16 epoch, + SSLSecretDirection dir, PK11SymKey* secret, + void* arg) { + fprintf(stderr, "Xyber handler epoch=%d dir=%d\n", epoch, (uint32_t)dir); + FaultyServerHost* host = static_cast<FaultyServerHost*>(arg); + + if (epoch == 2 && dir == ssl_secret_write) { + sslSocket* ss = ssl_FindSocket(fd); + if (!ss) { + fprintf(stderr, "Xyber handler, no ss!\n"); + return; + } + + if (!ss->sec.keaGroup) { + fprintf(stderr, "Xyber handler, no ss->sec.keaGroup!\n"); + return; + } + + char path[256]; + SprintfLiteral(path, "/callback/%u", ss->sec.keaGroup->name); + DoCallback(path); + + if (ss->sec.keaGroup->name != ssl_grp_kem_xyber768d00) { + return; + } + + fprintf(stderr, "Xyber handler, configuring alert\n"); + if (strcmp(host->mHostName, kHostXyberNetInterrupt) == 0) { + // Install a record write callback that causes the next write to fail. + // The client will see this as a PR_END_OF_FILE / NS_ERROR_NET_INTERRUPT + // error. + ss->recordWriteCallback = FailingWriteCallback; + } else if (!strcmp(host->mHostName, kHostXyberAlertAfterServerHello)) { + SSL3_SendAlert(ss, alert_fatal, close_notify); + } + } +} + +int32_t DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr, + uint32_t aSrvNameArrSize, void* aArg) { + const FaultyServerHost* host = + GetHostForSNI(aSrvNameArr, aSrvNameArrSize, sFaultyServerHosts); + if (!host || host->mFaultType == UnknownSNI) { + PrintPRError("No cert found for hostname"); + return SSL_SNI_SEND_ALERT; + } + + if (gDebugLevel >= DEBUG_VERBOSE) { + fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName); + } + + const SSLNamedGroup xyberTestNamedGroups[] = {ssl_grp_kem_xyber768d00, + ssl_grp_ec_curve25519}; + + switch (host->mFaultType) { + case ZeroRtt: + SSL_SecretCallback(aFd, &SecretCallbackFailZeroRtt, (void*)host); + break; + case Xyber: + SSL_SecretCallback(aFd, &SecretCallbackFailXyber, (void*)host); + SSL_NamedGroupConfig(aFd, xyberTestNamedGroups, + mozilla::ArrayLength(xyberTestNamedGroups)); + break; + case None: + break; + default: + break; + } + + UniqueCERTCertificate cert; + SSLKEAType certKEA; + if (SECSuccess != ConfigSecureServerWithNamedCert(aFd, host->mCertName, &cert, + &certKEA, nullptr)) { + return SSL_SNI_SEND_ALERT; + } + + return 0; +} + +SECStatus ConfigureServer(PRFileDesc* aFd) { return SECSuccess; } + +int main(int argc, char* argv[]) { + int rv = StartServer(argc, argv, DoSNISocketConfig, nullptr, ConfigureServer); + if (rv < 0) { + return rv; + } +} diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/GenerateOCSPResponse.cpp b/security/manager/ssl/tests/unit/tlsserver/cmd/GenerateOCSPResponse.cpp new file mode 100644 index 0000000000..113e668f89 --- /dev/null +++ b/security/manager/ssl/tests/unit/tlsserver/cmd/GenerateOCSPResponse.cpp @@ -0,0 +1,168 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=2 sw=2 tw=80 et: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +/* This simple program takes a database directory, and one or more tuples like + * <typeOfResponse> <CertNick> <ExtraCertNick> <outPutFilename> + * to generate (one or more) ocsp responses. + */ + +#include <stdio.h> +#include <string> +#include <vector> + +#include "mozilla/ArrayUtils.h" + +#include "cert.h" +#include "nspr.h" +#include "nss.h" +#include "plarenas.h" +#include "prerror.h" +#include "ssl.h" +#include "secerr.h" + +#include "OCSPCommon.h" +#include "ScopedNSSTypes.h" +#include "TLSServer.h" + +using namespace mozilla; +using namespace mozilla::test; + +struct OCSPResponseName { + const char* mTypeString; + const OCSPResponseType mORT; +}; + +const static OCSPResponseName kOCSPResponseNameList[] = { + {"good", ORTGood}, // the certificate is good + {"good-delegated", ORTDelegatedIncluded}, // the certificate is good, using + // a delegated signer + {"revoked", ORTRevoked}, // the certificate has been revoked + {"unknown", ORTUnknown}, // the responder doesn't know if the + // cert is good + {"goodotherca", ORTGoodOtherCA}, // the wrong CA has signed the + // response + {"expiredresponse", ORTExpired}, // the signature on the response has + // expired + {"oldvalidperiod", ORTExpiredFreshCA}, // fresh signature, but old validity + // period + {"empty", ORTEmpty}, // an empty stapled response + + {"malformed", ORTMalformed}, // the response from the responder + // was malformed + {"serverr", ORTSrverr}, // the response indicates there was a + // server error + {"trylater", ORTTryLater}, // the responder replied with + // "try again later" + {"resp-unsigned", ORTNeedsSig}, // the response needs a signature + {"unauthorized", ORTUnauthorized}, // the responder does not know about + // the cert + {"bad-signature", ORTBadSignature}, // the response has a bad signature + {"longvalidityalmostold", + ORTLongValidityAlmostExpired}, // the response is + // still valid, but the generation + // is almost a year old + {"ancientstillvalid", ORTAncientAlmostExpired}, // The response is still + // valid but the generation + // is almost two years old +}; + +bool StringToOCSPResponseType(const char* respText, + /*out*/ OCSPResponseType* OCSPType) { + if (!OCSPType) { + return false; + } + for (auto ocspResponseName : kOCSPResponseNameList) { + if (strcmp(respText, ocspResponseName.mTypeString) == 0) { + *OCSPType = ocspResponseName.mORT; + return true; + } + } + return false; +} + +bool WriteResponse(const char* filename, const SECItem* item) { + if (!filename || !item || !item->data) { + PR_fprintf(PR_STDERR, "invalid parameters to WriteResponse"); + return false; + } + + UniquePRFileDesc outFile( + PR_Open(filename, PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE, 0644)); + if (!outFile) { + PrintPRError("cannot open file for writing"); + return false; + } + int32_t rv = PR_Write(outFile.get(), item->data, item->len); + if (rv < 0 || (uint32_t)rv != item->len) { + PrintPRError("File write failure"); + return false; + } + + return true; +} + +int main(int argc, char* argv[]) { + if (argc < 7 || (argc - 7) % 5 != 0) { + PR_fprintf( + PR_STDERR, + "usage: %s <NSS DB directory> <responsetype> " + "<cert_nick> <extranick> <this_update_skew> <outfilename> [<resptype> " + "<cert_nick> <extranick> <this_update_skew> <outfilename>]* \n", + argv[0]); + exit(EXIT_FAILURE); + } + SECStatus rv = InitializeNSS(argv[1]); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Failed to initialize NSS\n"); + exit(EXIT_FAILURE); + } + UniquePLArenaPool arena(PORT_NewArena(256 * argc)); + if (!arena) { + PrintPRError("PORT_NewArena failed"); + exit(EXIT_FAILURE); + } + + for (int i = 2; i + 3 < argc; i += 5) { + const char* ocspTypeText = argv[i]; + const char* certNick = argv[i + 1]; + const char* extraCertname = argv[i + 2]; + const char* skewChars = argv[i + 3]; + const char* filename = argv[i + 4]; + + OCSPResponseType ORT; + if (!StringToOCSPResponseType(ocspTypeText, &ORT)) { + PR_fprintf(PR_STDERR, "Cannot generate OCSP response of type %s\n", + ocspTypeText); + exit(EXIT_FAILURE); + } + + UniqueCERTCertificate cert(PK11_FindCertFromNickname(certNick, nullptr)); + if (!cert) { + PrintPRError("PK11_FindCertFromNickname failed"); + PR_fprintf(PR_STDERR, "Failed to find certificate with nick '%s'\n", + certNick); + exit(EXIT_FAILURE); + } + + time_t skew = static_cast<time_t>(atoll(skewChars)); + + SECItemArray* response = + GetOCSPResponseForType(ORT, cert, arena, extraCertname, skew); + if (!response) { + PR_fprintf(PR_STDERR, + "Failed to generate OCSP response of type %s " + "for %s\n", + ocspTypeText, certNick); + exit(EXIT_FAILURE); + } + + if (!WriteResponse(filename, &response->items[0])) { + PR_fprintf(PR_STDERR, "Failed to write file %s\n", filename); + exit(EXIT_FAILURE); + } + } + return 0; +} diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/OCSPStaplingServer.cpp b/security/manager/ssl/tests/unit/tlsserver/cmd/OCSPStaplingServer.cpp new file mode 100644 index 0000000000..b35484572f --- /dev/null +++ b/security/manager/ssl/tests/unit/tlsserver/cmd/OCSPStaplingServer.cpp @@ -0,0 +1,153 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +// This is a standalone server that delivers various stapled OCSP responses. +// The client is expected to connect, initiate an SSL handshake (with SNI +// to indicate which "server" to connect to), and verify the OCSP response. +// If all is good, the client then sends one encrypted byte and receives that +// same byte back. +// This server also has the ability to "call back" another process waiting on +// it. That is, when the server is all set up and ready to receive connections, +// it will connect to a specified port and issue a simple HTTP request. + +#include <stdio.h> + +#include "OCSPCommon.h" +#include "TLSServer.h" + +using namespace mozilla; +using namespace mozilla::test; + +const OCSPHost sOCSPHosts[] = { + {"ocsp-stapling-good.example.com", ORTGood, nullptr, nullptr}, + {"ocsp-stapling-revoked.example.com", ORTRevoked, nullptr, nullptr}, + {"ocsp-stapling-revoked-old.example.com", ORTRevokedOld, nullptr, nullptr}, + {"ocsp-stapling-unknown.example.com", ORTUnknown, nullptr, nullptr}, + {"ocsp-stapling-unknown-old.example.com", ORTUnknownOld, nullptr, nullptr}, + {"ocsp-stapling-good-other.example.com", ORTGoodOtherCert, + "ocspOtherEndEntity", nullptr}, + {"ocsp-stapling-good-other-ca.example.com", ORTGoodOtherCA, "other-test-ca", + nullptr}, + {"ocsp-stapling-expired.example.com", ORTExpired, nullptr, nullptr}, + {"ocsp-stapling-expired-fresh-ca.example.com", ORTExpiredFreshCA, nullptr, + nullptr}, + {"ocsp-stapling-none.example.com", ORTNone, nullptr, nullptr}, + {"ocsp-stapling-empty.example.com", ORTEmpty, nullptr, nullptr}, + {"ocsp-stapling-malformed.example.com", ORTMalformed, nullptr, nullptr}, + {"ocsp-stapling-srverr.example.com", ORTSrverr, nullptr, nullptr}, + {"ocsp-stapling-trylater.example.com", ORTTryLater, nullptr, nullptr}, + {"ocsp-stapling-needssig.example.com", ORTNeedsSig, nullptr, nullptr}, + {"ocsp-stapling-unauthorized.example.com", ORTUnauthorized, nullptr, + nullptr}, + {"ocsp-stapling-with-intermediate.example.com", ORTGood, nullptr, + "ocspEEWithIntermediate"}, + {"ocsp-stapling-bad-signature.example.com", ORTBadSignature, nullptr, + nullptr}, + {"ocsp-stapling-skip-responseBytes.example.com", ORTSkipResponseBytes, + nullptr, nullptr}, + {"ocsp-stapling-critical-extension.example.com", ORTCriticalExtension, + nullptr, nullptr}, + {"ocsp-stapling-noncritical-extension.example.com", ORTNoncriticalExtension, + nullptr, nullptr}, + {"ocsp-stapling-empty-extensions.example.com", ORTEmptyExtensions, nullptr, + nullptr}, + {"ocsp-stapling-delegated-included.example.com", ORTDelegatedIncluded, + "delegatedSigner", nullptr}, + {"ocsp-stapling-delegated-included-last.example.com", + ORTDelegatedIncludedLast, "delegatedSigner", nullptr}, + {"ocsp-stapling-delegated-missing.example.com", ORTDelegatedMissing, + "delegatedSigner", nullptr}, + {"ocsp-stapling-delegated-missing-multiple.example.com", + ORTDelegatedMissingMultiple, "delegatedSigner", nullptr}, + {"ocsp-stapling-delegated-no-extKeyUsage.example.com", ORTDelegatedIncluded, + "invalidDelegatedSignerNoExtKeyUsage", nullptr}, + {"ocsp-stapling-delegated-from-intermediate.example.com", + ORTDelegatedIncluded, "invalidDelegatedSignerFromIntermediate", nullptr}, + {"ocsp-stapling-delegated-keyUsage-crlSigning.example.com", + ORTDelegatedIncluded, "invalidDelegatedSignerKeyUsageCrlSigning", nullptr}, + {"ocsp-stapling-delegated-wrong-extKeyUsage.example.com", + ORTDelegatedIncluded, "invalidDelegatedSignerWrongExtKeyUsage", nullptr}, + {"ocsp-stapling-ancient-valid.example.com", ORTAncientAlmostExpired, + nullptr, nullptr}, + {"keysize-ocsp-delegated.example.com", ORTDelegatedIncluded, + "rsa-1016-keysizeDelegatedSigner", nullptr}, + {"revoked-ca-cert-used-as-end-entity.example.com", ORTRevoked, + "ca-used-as-end-entity", nullptr}, + {"ocsp-stapling-must-staple.example.com", ORTGood, nullptr, + "must-staple-ee"}, + {"ocsp-stapling-must-staple-revoked.example.com", ORTRevoked, nullptr, + "must-staple-ee"}, + {"ocsp-stapling-must-staple-missing.example.com", ORTNone, nullptr, + "must-staple-ee"}, + {"ocsp-stapling-must-staple-empty.example.com", ORTEmpty, nullptr, + "must-staple-ee"}, + {"ocsp-stapling-must-staple-ee-with-must-staple-int.example.com", ORTGood, + nullptr, "must-staple-ee-with-must-staple-int"}, + {"ocsp-stapling-plain-ee-with-must-staple-int.example.com", ORTGood, + nullptr, "must-staple-missing-ee"}, + {"ocsp-stapling-must-staple-expired.example.com", ORTExpired, nullptr, + "must-staple-ee"}, + {"ocsp-stapling-must-staple-try-later.example.com", ORTTryLater, nullptr, + "must-staple-ee"}, + {"ocsp-stapling-must-staple-invalid-signer.example.com", ORTGoodOtherCA, + "other-test-ca", "must-staple-ee"}, + {"multi-tls-feature-good.example.com", ORTNone, nullptr, + "multi-tls-feature-good-ee"}, + {"multi-tls-feature-bad.example.com", ORTNone, nullptr, + "multi-tls-feature-bad-ee"}, + {nullptr, ORTNull, nullptr, nullptr}}; + +int32_t DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr, + uint32_t aSrvNameArrSize, void* aArg) { + const OCSPHost* host = + GetHostForSNI(aSrvNameArr, aSrvNameArrSize, sOCSPHosts); + if (!host) { + return SSL_SNI_SEND_ALERT; + } + + if (gDebugLevel >= DEBUG_VERBOSE) { + fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName); + } + + const char* certNickname = + host->mServerCertName ? host->mServerCertName : DEFAULT_CERT_NICKNAME; + + UniqueCERTCertificate cert; + SSLKEAType certKEA; + if (SECSuccess != ConfigSecureServerWithNamedCert(aFd, certNickname, &cert, + &certKEA, nullptr)) { + return SSL_SNI_SEND_ALERT; + } + + // If the OCSP response type is "none", don't staple a response. + if (host->mORT == ORTNone) { + return 0; + } + + UniquePLArenaPool arena(PORT_NewArena(1024)); + if (!arena) { + PrintPRError("PORT_NewArena failed"); + return SSL_SNI_SEND_ALERT; + } + + // response is contained by the arena - freeing the arena will free it + SECItemArray* response = GetOCSPResponseForType(host->mORT, cert, arena, + host->mAdditionalCertName, 0); + if (!response) { + return SSL_SNI_SEND_ALERT; + } + + // SSL_SetStapledOCSPResponses makes a deep copy of response + SECStatus st = SSL_SetStapledOCSPResponses(aFd, response, certKEA); + if (st != SECSuccess) { + PrintPRError("SSL_SetStapledOCSPResponses failed"); + return SSL_SNI_SEND_ALERT; + } + + return 0; +} + +int main(int argc, char* argv[]) { + return StartServer(argc, argv, DoSNISocketConfig, nullptr); +} diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/SanctionsTestServer.cpp b/security/manager/ssl/tests/unit/tlsserver/cmd/SanctionsTestServer.cpp new file mode 100644 index 0000000000..9371617305 --- /dev/null +++ b/security/manager/ssl/tests/unit/tlsserver/cmd/SanctionsTestServer.cpp @@ -0,0 +1,87 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +// This is a standalone server that uses various bad certificates. +// The client is expected to connect, initiate an SSL handshake (with SNI +// to indicate which "server" to connect to), and verify the certificate. +// If all is good, the client then sends one encrypted byte and receives that +// same byte back. +// This server also has the ability to "call back" another process waiting on +// it. That is, when the server is all set up and ready to receive connections, +// it will connect to a specified port and issue a simple HTTP request. + +#include <stdio.h> + +#include "TLSServer.h" + +using namespace mozilla; +using namespace mozilla::test; + +struct SanctionsCertHost { + const char* mHostName; + const char* mCertName; +}; + +// Hostname, cert nickname pairs. +const SanctionsCertHost sSanctionsCertHosts[] = { + {"symantec-allowlist-after-cutoff.example.com", + "symantec-ee-from-allowlist-after-cutoff"}, + {"symantec-allowlist-before-cutoff.example.com", + "symantec-ee-from-allowlist-before-cutoff"}, + {"symantec-not-allowlisted-after-cutoff.example.com", + "symantec-ee-not-allowlisted-after-cutoff"}, + {"symantec-not-allowlisted-before-cutoff.example.com", + "symantec-ee-not-allowlisted-before-cutoff"}, + {"symantec-unaffected.example.com", "symantec-ee-unaffected"}, + {nullptr, nullptr}}; + +int32_t DoSNISocketConfigBySubjectCN(PRFileDesc* aFd, + const SECItem* aSrvNameArr, + uint32_t aSrvNameArrSize) { + for (uint32_t i = 0; i < aSrvNameArrSize; i++) { + UniquePORTString name( + static_cast<char*>(PORT_ZAlloc(aSrvNameArr[i].len + 1))); + if (name) { + PORT_Memcpy(name.get(), aSrvNameArr[i].data, aSrvNameArr[i].len); + if (ConfigSecureServerWithNamedCert(aFd, name.get(), nullptr, nullptr, + nullptr) == SECSuccess) { + return 0; + } + } + } + + return SSL_SNI_SEND_ALERT; +} + +int32_t DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr, + uint32_t aSrvNameArrSize, void* aArg) { + const SanctionsCertHost* host = + GetHostForSNI(aSrvNameArr, aSrvNameArrSize, sSanctionsCertHosts); + if (!host) { + // No static cert <-> hostname mapping found. This happens when we use a + // collection of certificates in a given directory and build a cert DB at + // runtime, rather than using an NSS cert DB populated at build time. + // (This will be the default in the future.) + // For all given server names, check if the runtime-built cert DB contains + // a certificate with a matching subject CN. + return DoSNISocketConfigBySubjectCN(aFd, aSrvNameArr, aSrvNameArrSize); + } + + if (gDebugLevel >= DEBUG_VERBOSE) { + fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName); + } + + UniqueCERTCertificate cert; + SSLKEAType certKEA; + if (SECSuccess != ConfigSecureServerWithNamedCert(aFd, host->mCertName, &cert, + &certKEA, nullptr)) { + return SSL_SNI_SEND_ALERT; + } + + return 0; +} + +int main(int argc, char* argv[]) { + return StartServer(argc, argv, DoSNISocketConfig, nullptr); +} diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/moz.build b/security/manager/ssl/tests/unit/tlsserver/cmd/moz.build new file mode 100644 index 0000000000..ebf8f8e3e7 --- /dev/null +++ b/security/manager/ssl/tests/unit/tlsserver/cmd/moz.build @@ -0,0 +1,45 @@ +# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*- +# vim: set filetype=python: +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +GeckoSimplePrograms( + [ + "BadCertAndPinningServer", + "DelegatedCredentialsServer", + "EncryptedClientHelloServer", + "GenerateOCSPResponse", + "OCSPStaplingServer", + "SanctionsTestServer", + ], + linkage=None, +) + +if not CONFIG["MOZ_SYSTEM_NSS"]: + # Bug 1805371. See comment in ../lib/moz.build + GeckoSimplePrograms( + [ + "FaultyServer", + ], + linkage=None, + ) + + DEFINES["NSS_USE_STATIC_LIBS"] = True + + LOCAL_INCLUDES += [ + "../../../../../../nss/lib/ssl", + "../lib", + ] + USE_LIBS += [ + "tlsserver", + ] +else: + LOCAL_INCLUDES += [ + "../lib", + ] + USE_LIBS += ["mozpkix", "nspr", "nss", "tlsserver"] + + +if CONFIG["MOZ_WIDGET_TOOLKIT"] == "gtk": + CXXFLAGS += CONFIG["MOZ_GTK3_CFLAGS"] diff --git a/security/manager/ssl/tests/unit/tlsserver/default-ee.der b/security/manager/ssl/tests/unit/tlsserver/default-ee.der new file mode 100644 index 0000000000..3a9b8fa9bc --- /dev/null +++ b/security/manager/ssl/tests/unit/tlsserver/default-ee.der @@ -0,0 +1,3 @@ +This is now an unused file. It exists to ease the coordination between gecko +development trees and the automation infrastructure that runs periodic updates. +See bug 1203312 and bug 1205406. diff --git a/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp b/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp new file mode 100644 index 0000000000..be9a9af9b1 --- /dev/null +++ b/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp @@ -0,0 +1,204 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "OCSPCommon.h" + +#include <stdio.h> + +#include "mozpkix/test/pkixtestutil.h" +#include "mozpkix/test/pkixtestnss.h" +#include "TLSServer.h" +#include "secder.h" +#include "secerr.h" + +using namespace mozilla; +using namespace mozilla::pkix; +using namespace mozilla::pkix::test; +using namespace mozilla::test; + +static TestKeyPair* CreateTestKeyPairFromCert( + const UniqueCERTCertificate& cert) { + ScopedSECKEYPrivateKey privateKey(PK11_FindKeyByAnyCert(cert.get(), nullptr)); + if (!privateKey) { + return nullptr; + } + ScopedSECKEYPublicKey publicKey(CERT_ExtractPublicKey(cert.get())); + if (!publicKey) { + return nullptr; + } + return CreateTestKeyPair(RSA_PKCS1(), publicKey, privateKey); +} + +SECItemArray* GetOCSPResponseForType(OCSPResponseType aORT, + const UniqueCERTCertificate& aCert, + const UniquePLArenaPool& aArena, + const char* aAdditionalCertName, + time_t aThisUpdateSkew) { + MOZ_ASSERT(aArena); + MOZ_ASSERT(aCert); + // Note: |aAdditionalCertName| may or may not need to be non-null depending + // on the |aORT| value given. + + if (aORT == ORTNone) { + if (gDebugLevel >= DEBUG_WARNINGS) { + fprintf(stderr, + "GetOCSPResponseForType called with type ORTNone, " + "which makes no sense.\n"); + } + return nullptr; + } + + if (aORT == ORTEmpty) { + SECItemArray* arr = SECITEM_AllocArray(aArena.get(), nullptr, 1); + arr->items[0].data = nullptr; + arr->items[0].len = 0; + return arr; + } + + time_t now = time(nullptr) + aThisUpdateSkew; + time_t oldNow = now - (8 * Time::ONE_DAY_IN_SECONDS); + + mozilla::UniqueCERTCertificate cert(CERT_DupCertificate(aCert.get())); + + if (aORT == ORTGoodOtherCert) { + cert.reset(PK11_FindCertFromNickname(aAdditionalCertName, nullptr)); + if (!cert) { + PrintPRError("PK11_FindCertFromNickname failed"); + return nullptr; + } + } + // XXX CERT_FindCertIssuer uses the old, deprecated path-building logic + mozilla::UniqueCERTCertificate issuerCert( + CERT_FindCertIssuer(aCert.get(), PR_Now(), certUsageSSLCA)); + if (!issuerCert) { + PrintPRError("CERT_FindCertIssuer failed"); + return nullptr; + } + Input issuer; + if (issuer.Init(cert->derIssuer.data, cert->derIssuer.len) != Success) { + return nullptr; + } + Input issuerPublicKey; + if (issuerPublicKey.Init(issuerCert->derPublicKey.data, + issuerCert->derPublicKey.len) != Success) { + return nullptr; + } + Input serialNumber; + if (serialNumber.Init(cert->serialNumber.data, cert->serialNumber.len) != + Success) { + return nullptr; + } + CertID certID(issuer, issuerPublicKey, serialNumber); + OCSPResponseContext context(certID, now); + + mozilla::UniqueCERTCertificate signerCert; + if (aORT == ORTGoodOtherCA || aORT == ORTDelegatedIncluded || + aORT == ORTDelegatedIncludedLast || aORT == ORTDelegatedMissing || + aORT == ORTDelegatedMissingMultiple) { + signerCert.reset(PK11_FindCertFromNickname(aAdditionalCertName, nullptr)); + if (!signerCert) { + PrintPRError("PK11_FindCertFromNickname failed"); + return nullptr; + } + } + + ByteString certs[5]; + + if (aORT == ORTDelegatedIncluded) { + certs[0].assign(signerCert->derCert.data, signerCert->derCert.len); + context.certs = certs; + } + if (aORT == ORTDelegatedIncludedLast || aORT == ORTDelegatedMissingMultiple) { + certs[0].assign(issuerCert->derCert.data, issuerCert->derCert.len); + certs[1].assign(cert->derCert.data, cert->derCert.len); + certs[2].assign(issuerCert->derCert.data, issuerCert->derCert.len); + if (aORT != ORTDelegatedMissingMultiple) { + certs[3].assign(signerCert->derCert.data, signerCert->derCert.len); + } + context.certs = certs; + } + + switch (aORT) { + case ORTMalformed: + context.responseStatus = 1; + break; + case ORTSrverr: + context.responseStatus = 2; + break; + case ORTTryLater: + context.responseStatus = 3; + break; + case ORTNeedsSig: + context.responseStatus = 5; + break; + case ORTUnauthorized: + context.responseStatus = 6; + break; + default: + // context.responseStatus is 0 in all other cases, and it has + // already been initialized in the constructor. + break; + } + if (aORT == ORTSkipResponseBytes) { + context.skipResponseBytes = true; + } + if (aORT == ORTExpired || aORT == ORTExpiredFreshCA || + aORT == ORTRevokedOld || aORT == ORTUnknownOld) { + context.thisUpdate = oldNow; + context.nextUpdate = oldNow + Time::ONE_DAY_IN_SECONDS; + } + if (aORT == ORTLongValidityAlmostExpired) { + context.thisUpdate = now - (320 * Time::ONE_DAY_IN_SECONDS); + } + if (aORT == ORTAncientAlmostExpired) { + context.thisUpdate = now - (640 * Time::ONE_DAY_IN_SECONDS); + } + if (aORT == ORTRevoked || aORT == ORTRevokedOld) { + context.certStatus = 1; + } + if (aORT == ORTUnknown || aORT == ORTUnknownOld) { + context.certStatus = 2; + } + if (aORT == ORTBadSignature) { + context.badSignature = true; + } + OCSPResponseExtension extension; + if (aORT == ORTCriticalExtension || aORT == ORTNoncriticalExtension) { + // python DottedOIDToCode.py --tlv + // some-Mozilla-OID 1.3.6.1.4.1.13769.666.666.666.1.500.9.2 + static const uint8_t tlv_some_Mozilla_OID[] = { + 0x06, 0x12, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xeb, 0x49, 0x85, + 0x1a, 0x85, 0x1a, 0x85, 0x1a, 0x01, 0x83, 0x74, 0x09, 0x02}; + + extension.id.assign(tlv_some_Mozilla_OID, sizeof(tlv_some_Mozilla_OID)); + extension.critical = (aORT == ORTCriticalExtension); + extension.value.push_back(0x05); // tag: NULL + extension.value.push_back(0x00); // length: 0 + extension.next = nullptr; + context.responseExtensions = &extension; + } + if (aORT == ORTEmptyExtensions) { + context.includeEmptyExtensions = true; + } + + if (!signerCert) { + signerCert.reset(CERT_DupCertificate(issuerCert.get())); + } + context.signerKeyPair.reset(CreateTestKeyPairFromCert(signerCert)); + if (!context.signerKeyPair) { + PrintPRError("PK11_FindKeyByAnyCert failed"); + return nullptr; + } + + ByteString response(CreateEncodedOCSPResponse(context)); + if (ENCODING_FAILED(response)) { + PrintPRError("CreateEncodedOCSPResponse failed"); + return nullptr; + } + + SECItem item = {siBuffer, const_cast<uint8_t*>(response.data()), + static_cast<unsigned int>(response.length())}; + SECItemArray arr = {&item, 1}; + return SECITEM_DupArray(aArena.get(), &arr); +} diff --git a/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.h b/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.h new file mode 100644 index 0000000000..c72eae6a8e --- /dev/null +++ b/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.h @@ -0,0 +1,66 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +// Implements generating OCSP responses of various types. Used by the +// programs in tlsserver/cmd. + +#ifndef OCSPCommon_h +#define OCSPCommon_h + +#include "ScopedNSSTypes.h" +#include "certt.h" +#include "seccomon.h" + +enum OCSPResponseType { + ORTNull = 0, + ORTGood, // the certificate is good + ORTRevoked, // the certificate has been revoked + ORTRevokedOld, // same, but the response is old + ORTUnknown, // the responder doesn't know if the cert is good + ORTUnknownOld, // same, but the response is old + ORTGoodOtherCert, // the response references a different certificate + ORTGoodOtherCA, // the wrong CA has signed the response + ORTExpired, // the signature on the response has expired + ORTExpiredFreshCA, // fresh signature, but old validity period + ORTNone, // no stapled response + ORTEmpty, // an empty stapled response + ORTMalformed, // the response from the responder was malformed + ORTSrverr, // the response indicates there was a server error + ORTTryLater, // the responder replied with "try again later" + ORTNeedsSig, // the response needs a signature + ORTUnauthorized, // the responder is not authorized for this certificate + ORTBadSignature, // the response has a signature that does not verify + ORTSkipResponseBytes, // the response does not include responseBytes + ORTCriticalExtension, // the response includes a critical extension + ORTNoncriticalExtension, // the response includes an extension that is not + // critical + ORTEmptyExtensions, // the response includes a SEQUENCE OF Extension that is + // empty + ORTDelegatedIncluded, // the response is signed by an included delegated + // responder + ORTDelegatedIncludedLast, // same, but multiple other certificates are + // included + ORTDelegatedMissing, // the response is signed by a not included delegated + // responder + ORTDelegatedMissingMultiple, // same, but multiple other certificates are + // included + ORTLongValidityAlmostExpired, // a good response, but that was generated a + // almost a year ago + ORTAncientAlmostExpired, // a good response, with a validity of almost two + // years almost expiring +}; + +struct OCSPHost { + const char* mHostName; + OCSPResponseType mORT; + const char* mAdditionalCertName; // useful for ORTGoodOtherCert, etc. + const char* mServerCertName; +}; + +SECItemArray* GetOCSPResponseForType( + OCSPResponseType aORT, const mozilla::UniqueCERTCertificate& aCert, + const mozilla::UniquePLArenaPool& aArena, const char* aAdditionalCertName, + time_t aThisUpdateSkew); + +#endif // OCSPCommon_h diff --git a/security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.cpp b/security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.cpp new file mode 100644 index 0000000000..e4aeda0e82 --- /dev/null +++ b/security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.cpp @@ -0,0 +1,694 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "TLSServer.h" + +#include <stdio.h> +#include <string> +#include <thread> +#include <vector> +#include <fstream> +#include <iostream> +#ifdef XP_WIN +# include <windows.h> +#else +# include <unistd.h> +#endif + +#include <utility> + +#include "base64.h" +#include "mozilla/Sprintf.h" +#include "nspr.h" +#include "nss.h" +#include "plarenas.h" +#include "prenv.h" +#include "prerror.h" +#include "prnetdb.h" +#include "prtime.h" +#include "ssl.h" +#include "sslexp.h" +#include "sslproto.h" + +namespace mozilla { +namespace test { + +static const uint16_t LISTEN_PORT = 8443; + +SSLAntiReplayContext* antiReplay = nullptr; + +DebugLevel gDebugLevel = DEBUG_ERRORS; +uint16_t gCallbackPort = 0; + +const std::string kPEMBegin = "-----BEGIN "; +const std::string kPEMEnd = "-----END "; +const char DEFAULT_CERT_NICKNAME[] = "default-ee"; + +struct Connection { + PRFileDesc* mSocket; + char mByte; + + explicit Connection(PRFileDesc* aSocket); + ~Connection(); +}; + +Connection::Connection(PRFileDesc* aSocket) : mSocket(aSocket), mByte(0) {} + +Connection::~Connection() { + if (mSocket) { + PR_Close(mSocket); + } +} + +void PrintPRError(const char* aPrefix) { + const char* err = PR_ErrorToName(PR_GetError()); + if (err) { + if (gDebugLevel >= DEBUG_ERRORS) { + fprintf(stderr, "%s: %s\n", aPrefix, err); + } + } else { + if (gDebugLevel >= DEBUG_ERRORS) { + fprintf(stderr, "%s\n", aPrefix); + } + } +} + +// This decodes a PEM file into `item`. The line endings need to be +// UNIX-style, or there will be cross-platform issues. +static bool DecodePEMFile(const std::string& filename, SECItem* item) { + std::ifstream in(filename); + if (in.bad()) { + return false; + } + + char buf[1024]; + in.getline(buf, sizeof(buf)); + if (in.bad()) { + return false; + } + + if (strncmp(buf, kPEMBegin.c_str(), kPEMBegin.size()) != 0) { + return false; + } + + std::string value; + for (;;) { + in.getline(buf, sizeof(buf)); + if (in.bad()) { + return false; + } + + if (strncmp(buf, kPEMEnd.c_str(), kPEMEnd.size()) == 0) { + break; + } + + value += buf; + } + + unsigned int binLength; + UniquePORTString bin(BitwiseCast<char*, unsigned char*>( + ATOB_AsciiToData(value.c_str(), &binLength))); + if (!bin || binLength == 0) { + PrintPRError("ATOB_AsciiToData failed"); + return false; + } + + if (SECITEM_AllocItem(nullptr, item, binLength) == nullptr) { + return false; + } + + PORT_Memcpy(item->data, bin.get(), binLength); + return true; +} + +static SECStatus AddKeyFromFile(const std::string& path, + const std::string& filename) { + ScopedAutoSECItem item; + + std::string file = path + "/" + filename; + if (!DecodePEMFile(file, &item)) { + return SECFailure; + } + + UniquePK11SlotInfo slot(PK11_GetInternalKeySlot()); + if (!slot) { + PrintPRError("PK11_GetInternalKeySlot failed"); + return SECFailure; + } + + if (PK11_NeedUserInit(slot.get())) { + if (PK11_InitPin(slot.get(), nullptr, nullptr) != SECSuccess) { + PrintPRError("PK11_InitPin failed"); + return SECFailure; + } + } + + SECKEYPrivateKey* privateKey = nullptr; + SECItem nick = {siBuffer, + BitwiseCast<unsigned char*, const char*>(filename.data()), + static_cast<unsigned int>(filename.size())}; + if (PK11_ImportDERPrivateKeyInfoAndReturnKey( + slot.get(), &item, &nick, nullptr, true, false, KU_ALL, &privateKey, + nullptr) != SECSuccess) { + PrintPRError("PK11_ImportDERPrivateKeyInfoAndReturnKey failed"); + return SECFailure; + } + + SECKEY_DestroyPrivateKey(privateKey); + return SECSuccess; +} + +static SECStatus AddCertificateFromFile(const std::string& path, + const std::string& filename) { + ScopedAutoSECItem item; + + std::string file = path + "/" + filename; + if (!DecodePEMFile(file, &item)) { + return SECFailure; + } + + UniqueCERTCertificate cert(CERT_NewTempCertificate( + CERT_GetDefaultCertDB(), &item, nullptr, false, true)); + if (!cert) { + PrintPRError("CERT_NewTempCertificate failed"); + return SECFailure; + } + + UniquePK11SlotInfo slot(PK11_GetInternalKeySlot()); + if (!slot) { + PrintPRError("PK11_GetInternalKeySlot failed"); + return SECFailure; + } + // The nickname is the filename without '.pem'. + std::string nickname = filename.substr(0, filename.length() - 4); + SECStatus rv = PK11_ImportCert(slot.get(), cert.get(), CK_INVALID_HANDLE, + nickname.c_str(), false); + if (rv != SECSuccess) { + PrintPRError("PK11_ImportCert failed"); + return rv; + } + + return SECSuccess; +} + +SECStatus LoadCertificatesAndKeys(const char* basePath) { + // The NSS cert DB path could have been specified as "sql:path". Trim off + // the leading "sql:" if so. + if (strncmp(basePath, "sql:", 4) == 0) { + basePath = basePath + 4; + } + + UniquePRDir fdDir(PR_OpenDir(basePath)); + if (!fdDir) { + PrintPRError("PR_OpenDir failed"); + return SECFailure; + } + // On the B2G ICS emulator, operations taken in AddCertificateFromFile + // appear to interact poorly with readdir (more specifically, something is + // causing readdir to never return null - it indefinitely loops through every + // file in the directory, which causes timeouts). Rather than waste more time + // chasing this down, loading certificates and keys happens in two phases: + // filename collection and then loading. (This is probably a good + // idea anyway because readdir isn't reentrant. Something could change later + // such that it gets called as a result of calling AddCertificateFromFile or + // AddKeyFromFile.) + std::vector<std::string> certificates; + std::vector<std::string> keys; + for (PRDirEntry* dirEntry = PR_ReadDir(fdDir.get(), PR_SKIP_BOTH); dirEntry; + dirEntry = PR_ReadDir(fdDir.get(), PR_SKIP_BOTH)) { + size_t nameLength = strlen(dirEntry->name); + if (nameLength > 4) { + if (strncmp(dirEntry->name + nameLength - 4, ".pem", 4) == 0) { + certificates.push_back(dirEntry->name); + } else if (strncmp(dirEntry->name + nameLength - 4, ".key", 4) == 0) { + keys.push_back(dirEntry->name); + } + } + } + SECStatus rv; + for (std::string& certificate : certificates) { + rv = AddCertificateFromFile(basePath, certificate.c_str()); + if (rv != SECSuccess) { + return rv; + } + } + for (std::string& key : keys) { + rv = AddKeyFromFile(basePath, key.c_str()); + if (rv != SECSuccess) { + return rv; + } + } + return SECSuccess; +} + +SECStatus InitializeNSS(const char* nssCertDBDir) { + // Try initializing an existing DB. + if (NSS_Init(nssCertDBDir) == SECSuccess) { + return SECSuccess; + } + + // Create a new DB if there is none... + SECStatus rv = NSS_Initialize(nssCertDBDir, nullptr, nullptr, nullptr, 0); + if (rv != SECSuccess) { + return rv; + } + + // ...and load all certificates into it. + return LoadCertificatesAndKeys(nssCertDBDir); +} + +nsresult SendAll(PRFileDesc* aSocket, const char* aData, size_t aDataLen) { + if (gDebugLevel >= DEBUG_VERBOSE) { + fprintf(stderr, "sending '%s'\n", aData); + } + + while (aDataLen > 0) { + int32_t bytesSent = + PR_Send(aSocket, aData, aDataLen, 0, PR_INTERVAL_NO_TIMEOUT); + if (bytesSent == -1) { + PrintPRError("PR_Send failed"); + return NS_ERROR_FAILURE; + } + + aDataLen -= bytesSent; + aData += bytesSent; + } + + return NS_OK; +} + +nsresult ReplyToRequest(Connection* aConn) { + // For debugging purposes, SendAll can print out what it's sending. + // So, any strings we give to it to send need to be null-terminated. + char buf[2] = {aConn->mByte, 0}; + return SendAll(aConn->mSocket, buf, 1); +} + +nsresult SetupTLS(Connection* aConn, PRFileDesc* aModelSocket) { + PRFileDesc* sslSocket = SSL_ImportFD(aModelSocket, aConn->mSocket); + if (!sslSocket) { + PrintPRError("SSL_ImportFD failed"); + return NS_ERROR_FAILURE; + } + aConn->mSocket = sslSocket; + + /* anti-replay must be configured to accept 0RTT */ + if (antiReplay) { + SECStatus rv = SSL_SetAntiReplayContext(sslSocket, antiReplay); + if (rv != SECSuccess) { + PrintPRError("error configuring anti-replay "); + return NS_ERROR_FAILURE; + } + } + + SSL_OptionSet(sslSocket, SSL_SECURITY, true); + SSL_OptionSet(sslSocket, SSL_HANDSHAKE_AS_CLIENT, false); + SSL_OptionSet(sslSocket, SSL_HANDSHAKE_AS_SERVER, true); + // Unconditionally enabling 0RTT makes test_session_resumption.js fail + SSL_OptionSet(sslSocket, SSL_ENABLE_0RTT_DATA, + !!PR_GetEnv("MOZ_TLS_SERVER_0RTT")); + + SSL_ResetHandshake(sslSocket, /* asServer */ 1); + + return NS_OK; +} + +nsresult ReadRequest(Connection* aConn) { + int32_t bytesRead = + PR_Recv(aConn->mSocket, &aConn->mByte, 1, 0, PR_INTERVAL_NO_TIMEOUT); + if (bytesRead < 0) { + PrintPRError("PR_Recv failed"); + return NS_ERROR_FAILURE; + } else if (bytesRead == 0) { + PR_SetError(PR_IO_ERROR, 0); + PrintPRError("PR_Recv EOF in ReadRequest"); + return NS_ERROR_FAILURE; + } else { + if (gDebugLevel >= DEBUG_VERBOSE) { + fprintf(stderr, "read '0x%hhx'\n", aConn->mByte); + } + } + return NS_OK; +} + +void HandleConnection(PRFileDesc* aSocket, + const UniquePRFileDesc& aModelSocket) { + Connection conn(aSocket); + nsresult rv = SetupTLS(&conn, aModelSocket.get()); + if (NS_FAILED(rv)) { + PR_SetError(PR_INVALID_STATE_ERROR, 0); + PrintPRError("PR_Recv failed"); + exit(1); + } + + // TODO: On tests that are expected to fail (e.g. due to a revoked + // certificate), the client will close the connection wtihout sending us the + // request byte. In those cases, we should keep going. But, in the cases + // where the connection is supposed to suceed, we should verify that we + // successfully receive the request and send the response. + rv = ReadRequest(&conn); + if (NS_SUCCEEDED(rv)) { + rv = ReplyToRequest(&conn); + } +} + +// returns 0 on success, non-zero on error +int DoCallback() { + UniquePRFileDesc socket(PR_NewTCPSocket()); + if (!socket) { + PrintPRError("PR_NewTCPSocket failed"); + return 1; + } + + PRNetAddr addr; + PR_InitializeNetAddr(PR_IpAddrLoopback, gCallbackPort, &addr); + if (PR_Connect(socket.get(), &addr, PR_INTERVAL_NO_TIMEOUT) != PR_SUCCESS) { + PrintPRError("PR_Connect failed"); + return 1; + } + + const char* request = "GET / HTTP/1.0\r\n\r\n"; + SendAll(socket.get(), request, strlen(request)); + char buf[4096]; + memset(buf, 0, sizeof(buf)); + int32_t bytesRead = + PR_Recv(socket.get(), buf, sizeof(buf) - 1, 0, PR_INTERVAL_NO_TIMEOUT); + if (bytesRead < 0) { + PrintPRError("PR_Recv failed 1"); + return 1; + } + if (bytesRead == 0) { + fprintf(stderr, "PR_Recv eof 1\n"); + return 1; + } + fprintf(stderr, "%s\n", buf); + return 0; +} + +SECStatus ConfigSecureServerWithNamedCert( + PRFileDesc* fd, const char* certName, + /*optional*/ UniqueCERTCertificate* certOut, + /*optional*/ SSLKEAType* keaOut, + /*optional*/ SSLExtraServerCertData* extraData) { + UniqueCERTCertificate cert(PK11_FindCertFromNickname(certName, nullptr)); + if (!cert) { + PrintPRError("PK11_FindCertFromNickname failed"); + return SECFailure; + } + // If an intermediate certificate issued the server certificate (rather than + // directly by a trust anchor), we want to send it along in the handshake so + // we don't encounter unknown issuer errors when that's not what we're + // testing. + UniqueCERTCertificateList certList; + UniqueCERTCertificate issuerCert( + CERT_FindCertByName(CERT_GetDefaultCertDB(), &cert->derIssuer)); + // If we can't find the issuer cert, continue without it. + if (issuerCert) { + // Sadly, CERTCertificateList does not have a CERT_NewCertificateList + // utility function, so we must create it ourselves. This consists + // of creating an arena, allocating space for the CERTCertificateList, + // and then transferring ownership of the arena to that list. + UniquePLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE)); + if (!arena) { + PrintPRError("PORT_NewArena failed"); + return SECFailure; + } + certList.reset(static_cast<CERTCertificateList*>( + PORT_ArenaAlloc(arena.get(), sizeof(CERTCertificateList)))); + if (!certList) { + PrintPRError("PORT_ArenaAlloc failed"); + return SECFailure; + } + certList->arena = arena.release(); + // We also have to manually copy the certificates we care about to the + // list, because there aren't any utility functions for that either. + certList->certs = static_cast<SECItem*>( + PORT_ArenaAlloc(certList->arena, 2 * sizeof(SECItem))); + if (SECITEM_CopyItem(certList->arena, certList->certs, &cert->derCert) != + SECSuccess) { + PrintPRError("SECITEM_CopyItem failed"); + return SECFailure; + } + if (SECITEM_CopyItem(certList->arena, certList->certs + 1, + &issuerCert->derCert) != SECSuccess) { + PrintPRError("SECITEM_CopyItem failed"); + return SECFailure; + } + certList->len = 2; + } + + UniquePK11SlotInfo slot(PK11_GetInternalKeySlot()); + if (!slot) { + PrintPRError("PK11_GetInternalKeySlot failed"); + return SECFailure; + } + UniqueSECKEYPrivateKey key( + PK11_FindKeyByDERCert(slot.get(), cert.get(), nullptr)); + if (!key) { + PrintPRError("PK11_FindKeyByDERCert failed"); + return SECFailure; + } + + if (extraData) { + SSLExtraServerCertData dataCopy = {ssl_auth_null, nullptr, nullptr, + nullptr, nullptr, nullptr}; + memcpy(&dataCopy, extraData, sizeof(dataCopy)); + dataCopy.certChain = certList.get(); + + if (SSL_ConfigServerCert(fd, cert.get(), key.get(), &dataCopy, + sizeof(dataCopy)) != SECSuccess) { + PrintPRError("SSL_ConfigServerCert failed"); + return SECFailure; + } + + } else { + // This is the deprecated setup mechanism, to be cleaned up in Bug 1569222 + SSLKEAType certKEA = NSS_FindCertKEAType(cert.get()); + if (SSL_ConfigSecureServerWithCertChain(fd, cert.get(), certList.get(), + key.get(), certKEA) != SECSuccess) { + PrintPRError("SSL_ConfigSecureServer failed"); + return SECFailure; + } + + if (keaOut) { + *keaOut = certKEA; + } + } + + if (certOut) { + *certOut = std::move(cert); + } + + SSL_OptionSet(fd, SSL_NO_CACHE, false); + SSL_OptionSet(fd, SSL_ENABLE_SESSION_TICKETS, true); + // Unconditionally enabling 0RTT makes test_session_resumption.js fail + SSL_OptionSet(fd, SSL_ENABLE_0RTT_DATA, !!PR_GetEnv("MOZ_TLS_SERVER_0RTT")); + + return SECSuccess; +} + +#ifdef XP_WIN +using PidType = DWORD; +constexpr bool IsValidPid(long long pid) { + // Excluding `(DWORD)-1` because it is not a valid process ID. + // See https://devblogs.microsoft.com/oldnewthing/20040223-00/?p=40503 + return pid > 0 && pid < std::numeric_limits<PidType>::max(); +} +#else +using PidType = pid_t; +constexpr bool IsValidPid(long long pid) { + return pid > 0 && pid <= std::numeric_limits<PidType>::max(); +} +#endif + +PidType ConvertPid(const char* pidStr) { + long long pid = strtoll(pidStr, nullptr, 10); + if (!IsValidPid(pid)) { + return 0; + } + return static_cast<PidType>(pid); +} + +int StartServer(int argc, char* argv[], SSLSNISocketConfig sniSocketConfig, + void* sniSocketConfigArg, ServerConfigFunc configFunc) { + if (argc != 3) { + fprintf(stderr, "usage: %s <NSS DB directory> <ppid>\n", argv[0]); + return 1; + } + const char* nssCertDBDir = argv[1]; + PidType ppid = ConvertPid(argv[2]); + + const char* debugLevel = PR_GetEnv("MOZ_TLS_SERVER_DEBUG_LEVEL"); + if (debugLevel) { + int level = atoi(debugLevel); + switch (level) { + case DEBUG_ERRORS: + gDebugLevel = DEBUG_ERRORS; + break; + case DEBUG_WARNINGS: + gDebugLevel = DEBUG_WARNINGS; + break; + case DEBUG_VERBOSE: + gDebugLevel = DEBUG_VERBOSE; + break; + default: + PrintPRError("invalid MOZ_TLS_SERVER_DEBUG_LEVEL"); + return 1; + } + } + + const char* callbackPort = PR_GetEnv("MOZ_TLS_SERVER_CALLBACK_PORT"); + if (callbackPort) { + gCallbackPort = atoi(callbackPort); + } + + if (InitializeNSS(nssCertDBDir) != SECSuccess) { + PR_fprintf(PR_STDERR, "InitializeNSS failed"); + return 1; + } + + if (NSS_SetDomesticPolicy() != SECSuccess) { + PrintPRError("NSS_SetDomesticPolicy failed"); + return 1; + } + + NSS_SetAlgorithmPolicy(SEC_OID_XYBER768D00, NSS_USE_ALG_IN_SSL_KX, 0); + + if (SSL_ConfigServerSessionIDCache(0, 0, 0, nullptr) != SECSuccess) { + PrintPRError("SSL_ConfigServerSessionIDCache failed"); + return 1; + } + + UniquePRFileDesc serverSocket(PR_NewTCPSocket()); + if (!serverSocket) { + PrintPRError("PR_NewTCPSocket failed"); + return 1; + } + + PRSocketOptionData socketOption; + socketOption.option = PR_SockOpt_Reuseaddr; + socketOption.value.reuse_addr = true; + PR_SetSocketOption(serverSocket.get(), &socketOption); + + PRNetAddr serverAddr; + PR_InitializeNetAddr(PR_IpAddrLoopback, LISTEN_PORT, &serverAddr); + if (PR_Bind(serverSocket.get(), &serverAddr) != PR_SUCCESS) { + PrintPRError("PR_Bind failed"); + return 1; + } + + if (PR_Listen(serverSocket.get(), 1) != PR_SUCCESS) { + PrintPRError("PR_Listen failed"); + return 1; + } + + UniquePRFileDesc rawModelSocket(PR_NewTCPSocket()); + if (!rawModelSocket) { + PrintPRError("PR_NewTCPSocket failed for rawModelSocket"); + return 1; + } + + UniquePRFileDesc modelSocket(SSL_ImportFD(nullptr, rawModelSocket.release())); + if (!modelSocket) { + PrintPRError("SSL_ImportFD of rawModelSocket failed"); + return 1; + } + + SSLVersionRange range = {0, 0}; + if (SSL_VersionRangeGet(modelSocket.get(), &range) != SECSuccess) { + PrintPRError("SSL_VersionRangeGet failed"); + return 1; + } + + if (range.max < SSL_LIBRARY_VERSION_TLS_1_3) { + range.max = SSL_LIBRARY_VERSION_TLS_1_3; + if (SSL_VersionRangeSet(modelSocket.get(), &range) != SECSuccess) { + PrintPRError("SSL_VersionRangeSet failed"); + return 1; + } + } + + if (PR_GetEnv("MOZ_TLS_SERVER_0RTT")) { + if (SSL_CreateAntiReplayContext(PR_Now(), 1L * PR_USEC_PER_SEC, 7, 14, + &antiReplay) != SECSuccess) { + PrintPRError("Unable to create anti-replay context for 0-RTT."); + return 1; + } + } + + if (SSL_SNISocketConfigHook(modelSocket.get(), sniSocketConfig, + sniSocketConfigArg) != SECSuccess) { + PrintPRError("SSL_SNISocketConfigHook failed"); + return 1; + } + + // We have to configure the server with a certificate, but it's not one + // we're actually going to end up using. In the SNI callback, we pick + // the right certificate for the connection. + // + // Provide an empty |extra_data| to force config via SSL_ConfigServerCert. + // This is a temporary mechanism to work around inconsistent setting of + // |authType| in the deprecated API (preventing the default cert from + // being removed in favor of the SNI-selected cert). This may be removed + // after Bug 1569222 removes the deprecated mechanism. + SSLExtraServerCertData extra_data = {ssl_auth_null, nullptr, nullptr, + nullptr, nullptr, nullptr}; + if (ConfigSecureServerWithNamedCert(modelSocket.get(), DEFAULT_CERT_NICKNAME, + nullptr, nullptr, + &extra_data) != SECSuccess) { + return 1; + } + + // Call back to implementation-defined configuration func, if provided. + if (configFunc) { + if (((configFunc)(modelSocket.get())) != SECSuccess) { + PrintPRError("configFunc failed"); + return 1; + } + } + + if (gCallbackPort != 0) { + if (DoCallback()) { + return 1; + } + } + + std::thread([ppid] { + if (!ppid) { + if (gDebugLevel >= DEBUG_ERRORS) { + fprintf(stderr, "invalid ppid\n"); + } + return; + } +#ifdef XP_WIN + HANDLE parent = OpenProcess(SYNCHRONIZE, false, ppid); + if (!parent) { + if (gDebugLevel >= DEBUG_ERRORS) { + fprintf(stderr, "OpenProcess failed\n"); + } + return; + } + WaitForSingleObject(parent, INFINITE); + CloseHandle(parent); +#else + while (getppid() == ppid) { + sleep(1); + } +#endif + if (gDebugLevel >= DEBUG_ERRORS) { + fprintf(stderr, "Parent process crashed\n"); + } + exit(1); + }).detach(); + + while (true) { + PRNetAddr clientAddr; + PRFileDesc* clientSocket = + PR_Accept(serverSocket.get(), &clientAddr, PR_INTERVAL_NO_TIMEOUT); + HandleConnection(clientSocket, modelSocket); + } +} + +} // namespace test +} // namespace mozilla diff --git a/security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.h b/security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.h new file mode 100644 index 0000000000..3927b3e541 --- /dev/null +++ b/security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.h @@ -0,0 +1,93 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef TLSServer_h +#define TLSServer_h + +// This is a standalone server for testing SSL features of Gecko. +// The client is expected to connect and initiate an SSL handshake (with SNI +// to indicate which "server" to connect to). If all is good, the client then +// sends one encrypted byte and receives that same byte back. +// This server also has the ability to "call back" another process waiting on +// it. That is, when the server is all set up and ready to receive connections, +// it will connect to a specified port and issue a simple HTTP request. + +#include <stdint.h> + +#include "ScopedNSSTypes.h" +#include "mozilla/Casting.h" +#include "prio.h" +#include "secerr.h" +#include "ssl.h" + +namespace mozilla { + +MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniquePRDir, PRDir, PR_CloseDir); + +} // namespace mozilla + +namespace mozilla { +namespace test { + +typedef SECStatus (*ServerConfigFunc)(PRFileDesc* fd); + +enum DebugLevel { DEBUG_ERRORS = 1, DEBUG_WARNINGS = 2, DEBUG_VERBOSE = 3 }; + +extern DebugLevel gDebugLevel; + +void PrintPRError(const char* aPrefix); + +// The default certificate is trusted for localhost and *.example.com +extern const char DEFAULT_CERT_NICKNAME[]; + +// ConfigSecureServerWithNamedCert sets up the hostname name provided. If the +// extraData parameter is presented, extraData->certChain will be automatically +// filled in using database information. +// Pass DEFAULT_CERT_NICKNAME as certName unless you need a specific +// certificate. +SECStatus ConfigSecureServerWithNamedCert( + PRFileDesc* fd, const char* certName, + /*optional*/ UniqueCERTCertificate* cert, + /*optional*/ SSLKEAType* kea, + /*optional*/ SSLExtraServerCertData* extraData); + +SECStatus InitializeNSS(const char* nssCertDBDir); + +// StartServer initializes NSS, sockets, the SNI callback, and a default +// certificate. configFunc (optional) is a pointer to an implementation- +// defined configuration function, which is called on the model socket +// prior to handling any connections. +int StartServer(int argc, char* argv[], SSLSNISocketConfig sniSocketConfig, + void* sniSocketConfigArg, + ServerConfigFunc configFunc = nullptr); + +template <typename Host> +inline const Host* GetHostForSNI(const SECItem* aSrvNameArr, + uint32_t aSrvNameArrSize, const Host* hosts) { + for (uint32_t i = 0; i < aSrvNameArrSize; i++) { + for (const Host* host = hosts; host->mHostName; ++host) { + SECItem hostName; + hostName.data = BitwiseCast<unsigned char*, const char*>(host->mHostName); + hostName.len = strlen(host->mHostName); + if (SECITEM_ItemsAreEqual(&hostName, &aSrvNameArr[i])) { + if (gDebugLevel >= DEBUG_VERBOSE) { + fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName); + } + return host; + } + } + } + + if (gDebugLevel >= DEBUG_VERBOSE) { + fprintf(stderr, "could not find host info from SNI\n"); + } + + PR_SetError(SEC_ERROR_INVALID_ARGS, 0); + return nullptr; +} + +} // namespace test +} // namespace mozilla + +#endif // TLSServer_h diff --git a/security/manager/ssl/tests/unit/tlsserver/lib/moz.build b/security/manager/ssl/tests/unit/tlsserver/lib/moz.build new file mode 100644 index 0000000000..54820f9b52 --- /dev/null +++ b/security/manager/ssl/tests/unit/tlsserver/lib/moz.build @@ -0,0 +1,48 @@ +# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*- +# vim: set filetype=python: +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +UNIFIED_SOURCES += [ + "OCSPCommon.cpp", + "TLSServer.cpp", +] + +USE_LIBS += [ + "mozpkix-testlib", +] + +if not CONFIG["MOZ_SYSTEM_NSS"]: + # Bug 1805371: The FaultyServer binary added in Bug 1754746 needs to + # be statically linked against NSS, but the configuration here breaks + # builds with system NSS. A complete solution involves some changes + # to the NSS build system. For now we're disabling FaultyServer when + # using system NSS and linking the rest of the tests dynamically. + DEFINES["NSS_USE_STATIC_LIBS"] = True + + USE_LIBS += [ + "certdb", + "certhi", + "cryptohi", + "freebl", + "mozpkix", + "mozpkix-testlib", + "nspr", + "nss_static", + "nssb", + "nssdev", + "nsspki", + "pk11wrap", + "smime", + "softokn3", + "sqlite", + "ssl", + ] + + if CONFIG["MOZ_FOLD_LIBS"]: + USE_LIBS += ["nssutil"] + else: + USE_LIBS += ["nssutil3"] + +Library("tlsserver") diff --git a/security/manager/ssl/tests/unit/tlsserver/moz.build b/security/manager/ssl/tests/unit/tlsserver/moz.build new file mode 100644 index 0000000000..1488352914 --- /dev/null +++ b/security/manager/ssl/tests/unit/tlsserver/moz.build @@ -0,0 +1,8 @@ +# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*- +# vim: set filetype=python: +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +# lib must be first, because cmd depends on its output +DIRS += ["lib", "cmd"] diff --git a/security/manager/ssl/tests/unit/xpcshell-smartcards.toml b/security/manager/ssl/tests/unit/xpcshell-smartcards.toml new file mode 100644 index 0000000000..4e4d47e42f --- /dev/null +++ b/security/manager/ssl/tests/unit/xpcshell-smartcards.toml @@ -0,0 +1,22 @@ +[DEFAULT] +head = "head_psm.js" +tags = "psm" +skip-if = ["os == 'android'"] + +["test_osclientcerts_module.js"] +skip-if = [ + "os == 'linux'", + "os == 'android'", +] + +["test_pkcs11_module.js"] + +["test_pkcs11_moduleDB.js"] + +["test_pkcs11_safe_mode.js"] + +["test_pkcs11_slot.js"] + +["test_pkcs11_token.js"] + +["test_pkcs11_tokenDB.js"] diff --git a/security/manager/ssl/tests/unit/xpcshell.toml b/security/manager/ssl/tests/unit/xpcshell.toml new file mode 100644 index 0000000000..6cfab1a043 --- /dev/null +++ b/security/manager/ssl/tests/unit/xpcshell.toml @@ -0,0 +1,361 @@ +[DEFAULT] +head = "head_psm.js" +tags = "psm condprof" +firefox-appdir = "browser" +skip-if = ["os == 'win' && msix"] # https://bugzilla.mozilla.org/show_bug.cgi?id=1809477 +support-files = [ + "corrupted_crlite_helper.js", + "bad_certs/**", + "ocsp_certs/**", + "test_baseline_requirements/**", + "test_broken_fips/**", + "test_cert_eku/**", + "test_cert_embedded_null/**", + "test_cert_keyUsage/**", + "test_cert_overrides_read_only/**", + "test_cert_sha1/**", + "test_cert_signatures/**", + "test_cert_storage_direct/**", + "test_cert_storage_preexisting/**", + "test_cert_storage_preexisting_crlite/**", + "test_cert_trust/**", + "test_cert_utf8/**", + "test_cert_version/**", + "test_certDB_import/**", + "test_content_signing/**", + "test_crlite_filters/**", + "test_crlite_preexisting/**", + "test_crlite_corrupted/**", + "test_ct/**", + "test_delegated_credentials/**", + "test_encrypted_client_hello/**", + "test_ev_certs/**", + "test_faulty_server/**", + "test_intermediate_basic_usage_constraints/**", + "test_intermediate_preloads/**", + "test_keysize/**", + "test_keysize_ev/**", + "test_missing_intermediate/**", + "test_name_constraints/**", + "test_ocsp_url/**", + "test_onecrl/**", + "test_sanctions/**", + "test_sdr_preexisting/**", + "test_sdr_preexisting_with_password/**", + "test_self_signed_certs/**", + "test_signed_apps/**", + "test_validity/**", + "tlsserver/**", +] + +["test_add_preexisting_cert.js"] + +["test_allow_all_cert_errors.js"] +run-sequentially = "hardcoded ports" + +["test_baseline_requirements_subject_common_name.js"] + +["test_blocklist_onecrl.js"] +# Skip signature tests for Thunderbird (Bug 1341983). +skip-if = ["appname == 'thunderbird'"] +tags = "remote-settings blocklist psm" + +["test_broken_fips.js"] +# FIPS has never been a thing on Android, so the workaround doesn't +# exist on that platform. +# FIPS still works on Linux, so this test doesn't make any sense there. +# FIPS still works on Windows, but running the test to ensure that it does not +# break with a non-ASCII profile path. +skip-if = [ + "os == 'android'", + "os == 'linux'" +] + +["test_certDB_export_pkcs12.js"] + +["test_certDB_export_pkcs12_with_primary_password.js"] + +["test_certDB_import.js"] +# nsCertificateDialogs not available in geckoview, bug 1554276 +skip-if = ["os == 'android' && processor == 'x86_64'"] + +["test_certDB_import_pkcs12.js"] + +["test_certDB_import_with_primary_password.js"] +# nsCertificateDialogs not available in geckoview, bug 1554276 +skip-if = ["os == 'android' && processor == 'x86_64'"] + +["test_cert_chains.js"] +run-sequentially = "hardcoded ports" + +["test_cert_dbKey.js"] + +["test_cert_eku.js"] + +["test_cert_embedded_null.js"] + +["test_cert_expiration_canary.js"] +run-if = ["nightly_build"] + +["test_cert_keyUsage.js"] + +["test_cert_override_read.js"] + +["test_cert_overrides.js"] +run-sequentially = "hardcoded ports" + +["test_cert_overrides_read_only.js"] +run-sequentially = "hardcoded ports" + +["test_cert_sha1.js"] + +["test_cert_signatures.js"] + +["test_cert_storage.js"] +tags = "addons psm blocklist" + +["test_cert_storage_broken_db.js"] + +["test_cert_storage_direct.js"] + +["test_cert_storage_preexisting.js"] + +["test_cert_storage_preexisting_crlite.js"] +# This test cannot succeed on 32-bit platforms. See bugs 1546361 and 1548956. +skip-if = ["bits != 64"] + +["test_cert_trust.js"] + +["test_cert_utf8.js"] + +["test_cert_version.js"] + +["test_client_auth_remember_service_read.js"] +skip-if = ["condprof"] + +["test_constructX509FromBase64.js"] + +["test_content_signing.js"] + +["test_crlite_coverage_missing.js"] + +["test_crlite_coverage_trunc1.js"] + +["test_crlite_coverage_trunc2.js"] + +["test_crlite_coverage_trunc3.js"] + +["test_crlite_coverage_version.js"] + +["test_crlite_enrollment_trunc1.js"] + +["test_crlite_enrollment_version.js"] + +["test_crlite_filter_corrupted.js"] + +["test_crlite_filters.js"] +tags = "remote-settings psm" + +["test_crlite_preexisting.js"] + +["test_crlite_stash_corrupted.js"] + +["test_ct.js"] +# Requires hard-coded debug-only data +skip-if = ["!debug"] +run-sequentially = "hardcoded ports" + +["test_data_storage.js"] + +["test_db_format_pref_new.js"] +# Android always has and always will use the new format, so +# this test doesn't apply. +skip-if = [ + "os == 'android'", + "condprof", +] # Bug 1769154 - as designed + +["test_delegated_credentials.js"] +run-sequentially = "hardcoded ports" + +["test_der.js"] + +["test_encrypted_client_hello.js"] +run-sequentially = "hardcoded ports" + +["test_encrypted_client_hello_client_only.js"] +run-sequentially = "hardcoded ports" + +["test_enterprise_roots.js"] +# This feature is implemented for Windows and OS X. However, we don't currently +# have a way to test it on OS X. +skip-if = ["os != 'win'"] + +["test_ev_certs.js"] +tags = "blocklist psm" +run-sequentially = "hardcoded ports" + +["test_faulty_server.js"] +run-sequentially = "hardcoded ports" + +["test_forget_about_site_security_headers.js"] + +["test_hash_algorithms.js"] + +["test_hash_algorithms_wrap.js"] +# bug 1124289 - run_test_in_child violates the sandbox on android +skip-if = ["os == 'android'"] + +["test_intermediate_basic_usage_constraints.js"] + +["test_intermediate_preloads.js"] +run-sequentially = "hardcoded ports" +tags = "blocklist psm remote-settings" + +["test_keysize.js"] + +["test_keysize_ev.js"] +run-sequentially = "hardcoded ports" + +["test_logoutAndTeardown.js"] +skip-if = ["socketprocess_networking && os == 'linux' && debug"] +run-sequentially = "hardcoded ports" + +["test_missing_intermediate.js"] +run-sequentially = "hardcoded ports" + +["test_name_constraints.js"] + +["test_nonascii_path.js"] + +["test_nsCertType.js"] +run-sequentially = "hardcoded ports" + +["test_nsIX509CertValidity.js"] + +["test_nsIX509Cert_utf8.js"] + +["test_ocsp_caching.js"] +run-sequentially = "hardcoded ports" + +["test_ocsp_enabled_pref.js"] +run-sequentially = "hardcoded ports" + +["test_ocsp_must_staple.js"] +run-sequentially = "hardcoded ports" + +["test_ocsp_no_hsts_upgrade.js"] +run-sequentially = "hardcoded ports" + +["test_ocsp_private_caching.js"] +run-sequentially = "hardcoded ports" +skip-if = ["condprof"] # Bug 1769154 - should look into this + +["test_ocsp_required.js"] +run-sequentially = "hardcoded ports" + +["test_ocsp_stapling.js"] +run-sequentially = "hardcoded ports" + +["test_ocsp_stapling_expired.js"] +run-sequentially = "hardcoded ports" + +["test_ocsp_stapling_with_intermediate.js"] +run-sequentially = "hardcoded ports" + +["test_ocsp_timeout.js"] +skip-if = ["(os == 'win' && socketprocess_networking)"] +run-sequentially = "hardcoded ports" + +["test_ocsp_url.js"] +run-sequentially = "hardcoded ports" + +["test_oskeystore.js"] +skip-if = ["apple_silicon"] # bug 1729538 + +["test_osreauthenticator.js"] +# Reauthentication has been implemented on Windows and MacOS, so running this +# test results in the OS popping up a dialog, which means we can't run it in +# automation. +skip-if = [ + "os == 'win'", + "os == 'mac'" +] + +["test_password_prompt.js"] + +["test_pinning.js"] +run-sequentially = "hardcoded ports" + +["test_sanctions_symantec_apple_google.js"] +run-sequentially = "hardcoded ports" + +["test_sdr.js"] + +["test_sdr_preexisting.js"] +# Not relevant to Android. See the comment in the test. +skip-if = ["os == 'android'"] + +["test_sdr_preexisting_with_password.js"] +# Not relevant to Android. See the comment in the test. +skip-if = ["os == 'android'"] + +["test_self_signed_certs.js"] + +["test_session_resumption.js"] +skip-if = ["os == 'win'"] # Bug 1585916 +run-sequentially = "hardcoded ports" + +["test_signed_apps.js"] + +["test_ssl_status.js"] +run-sequentially = "hardcoded ports" + +["test_sss_eviction.js"] +skip-if = ["condprof"] # Bug 1769154 - as designed + +["test_sss_migration.js"] +skip-if = ["condprof"] # Bug 1769154 - as designed + +["test_sss_originAttributes.js"] + +["test_sss_readstate.js"] +skip-if = ["condprof"] # Bug 1769154 - as designed + +["test_sss_readstate_empty.js"] +skip-if = ["condprof"] # Bug 1769154 - as designed + +["test_sss_readstate_garbage.js"] +skip-if = ["condprof"] # Bug 1769154 - as designed + +["test_sss_readstate_huge.js"] +skip-if = ["condprof"] # Bug 1769154 - as designed + +["test_sss_resetState.js"] + +["test_sss_sanitizeOnShutdown.js"] +firefox-appdir = "browser" +# Sanitization works differently on Android - this doesn't apply. +# browser/modules/Sanitizer.jsm used by the test isn't available in Thunderbird. +skip-if = [ + "os == 'android'", + "appname == 'thunderbird'" +] + +["test_sss_savestate.js"] +skip-if = ["condprof"] # Bug 1769154 - as designed + +["test_sts_fqdn.js"] + +["test_sts_ipv4_ipv6.js"] + +["test_sts_parser.js"] + +["test_sts_preloadlist_perwindowpb.js"] + +["test_sts_preloadlist_selfdestruct.js"] + +["test_validity.js"] +run-sequentially = "hardcoded ports" + +["test_x509.js"] diff --git a/security/manager/tools/.eslintrc.js b/security/manager/tools/.eslintrc.js new file mode 100644 index 0000000000..44c1d9cba6 --- /dev/null +++ b/security/manager/tools/.eslintrc.js @@ -0,0 +1,13 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +"use strict"; + +module.exports = { + globals: { + // JS files in this folder are commonly xpcshell scripts where |arguments| + // is defined in the global scope. + arguments: false, + }, +}; diff --git a/security/manager/tools/KnownRootHashes.json b/security/manager/tools/KnownRootHashes.json new file mode 100644 index 0000000000..0dc9fa9dd1 --- /dev/null +++ b/security/manager/tools/KnownRootHashes.json @@ -0,0 +1,1343 @@ +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +// +//*************************************************************************** +// This is an automatically generated file. It's used to maintain state for +// runs of genRootCAHashes.js; you should never need to manually edit it +//*************************************************************************** + +// Notes: +// binNumber 1 used to be for "GTE_CyberTrust_Global_Root", but that root was +// removed from the built-in roots module, so now it is used to indicate that +// the certificate is not a built-in and was found in the softoken (cert9.db). + +// binNumber 2 used to be for "Thawte_Server_CA", but that root was removed from +// the built-in roots module, so now it is used to indicate that the certificate +// is not a built-in and was found on an external PKCS#11 token. + +// binNumber 3 used to be for "Thawte_Premium_Server_CA", but that root was +// removed from the built-in roots module, so now it is used to indicate that +// the certificate is not a built-in and was temporarily imported from the OS as +// part of the "Enterprise Roots" feature. + +{ + "roots": [ + { + "label": "OU_Equifax_Secure_Certificate_Authority_O_Equifax_C_US", + "binNumber": 4, + "sha256Fingerprint": "CCl6QEfbojaAxzHbbjF2U8p4SOG+vToLAXmnB/ks8Xg=" + }, + { + "label": "OU_VeriSign_Trust_Network_OU___c__1998_VeriSign__Inc____For_authorized_use_only__OU_Class_3_Public_Primary_Certification_Authority___G2_O__VeriSign__Inc___C_US", + "binNumber": 5, + "sha256Fingerprint": "g848Eiloilk9SF+BlzwPkZVDHto3zF42Qw55x6iIY4s=" + }, + { + "label": "GlobalSign_Root_CA", + "binNumber": 6, + "sha256Fingerprint": "69QQQOS7PsdCyeOB0x7ypBpItmhclufO88HfbNQzHJk=" + }, + { + "label": "GlobalSign", + "binNumber": 7, + "sha256Fingerprint": "ykLdQXRf0LgeuQI2LPnYv3Gdob0bHvyUb1tMmfQsG54=" + }, + { + "label": "VeriSign_Class_3_Public_Primary_Certification_Authority___G3", + "binNumber": 8, + "sha256Fingerprint": "6wTPXrHzmvp2LyuxIPKWy6Ugwbl9sViVZbgcuaF7ckQ=" + }, + { + "label": "VeriSign_Class_4_Public_Primary_Certification_Authority___G3", + "binNumber": 9, + "sha256Fingerprint": "44k2DQ/brrPSUFhLRzAxTiIvOcFWoCAUTo2WBWF5FQY=" + }, + { + "label": "Entrust_net_Certification_Authority__2048_", + "binNumber": 10, + "sha256Fingerprint": "bcRxcuAcvLC/YlgNiV/iuKya1PhzgB4MELnIN9IesXc=" + }, + { + "label": "Baltimore_CyberTrust_Root", + "binNumber": 11, + "sha256Fingerprint": "Fq9XqfZ2sKsSYJWqXrre8iqzERnWRKyVzUuT2/Pyaus=" + }, + { + "label": "Equifax_Secure_Global_eBusiness_CA_1", + "binNumber": 12, + "sha256Fingerprint": "Xwti6rXjU+plIWUWWPu2U1n0QygKSvvRBNd9EPnwTAc=" + }, + { + "label": "Equifax_Secure_eBusiness_CA_1", + "binNumber": 13, + "sha256Fingerprint": "z1b/RqShhhCd2WWEte61ilEMQnWw5flPQLuuhl4Z9nM=" + }, + { + "label": "AddTrust_Class_1_CA_Root", + "binNumber": 14, + "sha256Fingerprint": "jHIJJ5rATideFtB/07d16AFUtZaARuMfUt0ldmMk6ac=" + }, + { + "label": "AddTrust_External_CA_Root", + "binNumber": 15, + "sha256Fingerprint": "aH+kUTgieP/wyLEfjUPVdmccbrK86rQT+4PZZdBtL/I=" + }, + { + "label": "AddTrust_Public_CA_Root", + "binNumber": 16, + "sha256Fingerprint": "B5HKB0myB4Kq08fXvQzfyUhYNYQ+steZYAnOQ6tsaSc=" + }, + { + "label": "AddTrust_Qualified_CA_Root", + "binNumber": 17, + "sha256Fingerprint": "gJUhCAXbS7w1XkQo2P1uws3jq1+5eplCmI649NzQYBY=" + }, + { + "label": "Entrust_Root_Certification_Authority", + "binNumber": 18, + "sha256Fingerprint": "c8F2Q08bxtWt9FsOducnKHyN5XYWwebmFBorLLx9jkw=" + }, + { + "label": "OU_RSA_Security_2048_V3_O_RSA_Security_Inc", + "binNumber": 19, + "sha256Fingerprint": "r4tnYqHlKCKBYaldXFWe4mYnj3XXnoMBiaUDUGq9a0w=" + }, + { + "label": "GeoTrust_Global_CA", + "binNumber": 20, + "sha256Fingerprint": "/4VqLSUdzYjTZlb0UBJnmM+rqt5AeZxyLeTStds2pzo=" + }, + { + "label": "GeoTrust_Global_CA_2", + "binNumber": 21, + "sha256Fingerprint": "yi2CoIZ3By+KtnZP8DVnbP4+XjJeASFy3z+SCW23m4U=" + }, + { + "label": "GeoTrust_Universal_CA", + "binNumber": 22, + "sha256Fingerprint": "oEWbn2OyJVn1+l1MbbP59y/xk0IDNXjwc78dG0bLuRI=" + }, + { + "label": "GeoTrust_Universal_CA_2", + "binNumber": 23, + "sha256Fingerprint": "oCNPO8hSfKVijuyBrV1piV2laA3JHRy4R38z+Hi5Wws=" + }, + { + "label": "America_Online_Root_Certification_Authority_1", + "binNumber": 24, + "sha256Fingerprint": "d0BzEsY6FT1bwAtOUXWc39rCN9wqM7Z5RumOm/poCuM=" + }, + { + "label": "America_Online_Root_Certification_Authority_2", + "binNumber": 25, + "sha256Fingerprint": "fTtGWmAU5SbAr/zuISfSMRcnrYEcJoQtAGrzcwbMgL0=" + }, + { + "label": "Visa_eCommerce_Root", + "binNumber": 26, + "sha256Fingerprint": "afrJvVX7CseNU7vuXPHVl5if0KqrIKJRUb3xcz7n0SI=" + }, + { + "label": "Certum_CA", + "binNumber": 27, + "sha256Fingerprint": "2OD+vB2y440AlA830n1BNE2ZPnNLmdVlbZd41NgUNiQ=" + }, + { + "label": "AAA_Certificate_Services", + "binNumber": 28, + "sha256Fingerprint": "16eg+11+JzHXcelITrze9x1fDD4KKUh4K8g+4OppnvQ=" + }, + { + "label": "Secure_Certificate_Services", + "binNumber": 29, + "sha256Fingerprint": "vYHOO09lkdEaZ7X8ekf97yVSG/mqThi5498uNKeAO+g=" + }, + { + "label": "Trusted_Certificate_Services", + "binNumber": 30, + "sha256Fingerprint": "PwblVoHUlvW+Fp61OJ+fK4/2HhcI32iBckhJzV0ny2k=" + }, + { + "label": "QuoVadis_Root_Certification_Authority", + "binNumber": 31, + "sha256Fingerprint": "pF7eO7vwnIrhXHLvwHJo1pOiHJlv1R5nygeUYP1tiHM=" + }, + { + "label": "QuoVadis_Root_CA_2", + "binNumber": 32, + "sha256Fingerprint": "haDdfdcgrbf/Bfg9VCsgncf/RSj31nexg4n+peXEnoY=" + }, + { + "label": "QuoVadis_Root_CA_3", + "binNumber": 33, + "sha256Fingerprint": "GPH8fyBd+K3d63/gB91X4683WpxNjXNUa/Tx/tHhjTU=" + }, + { + "label": "OU_Security_Communication_RootCA1_O_SECOM_Trust_net_C_JP", + "binNumber": 34, + "sha256Fingerprint": "515y7Z9WDuxutIAAc6Q/w60ZGVo5IoIBeJWXSpkCa2w=" + }, + { + "label": "Sonera_Class2_CA", + "binNumber": 35, + "sha256Fingerprint": "eQi0AxTBOBALUY0HNYB/+/z4UYoAlTNxBbo4axU92Sc=" + }, + { + "label": "Staat_der_Nederlanden_Root_CA", + "binNumber": 36, + "sha256Fingerprint": "1B2CnowWWYIq+T/OYr/83iZPyE6LlQxf8nXQUjVGlaM=" + }, + { + "label": "UTN___DATACorp_SGC", + "binNumber": 37, + "sha256Fingerprint": "hfsvkd0SJ1oBRbY2U0+EAkrWi2m47ohoT/cRN1gFs0g=" + }, + { + "label": "UTN_USERFirst_Hardware", + "binNumber": 38, + "sha256Fingerprint": "bqVHQdAEZn7tG0gWY0qjp55uS5aVD4J52vyNm9iBITc=" + }, + { + "label": "Chambers_of_Commerce_Root", + "binNumber": 39, + "sha256Fingerprint": "DCWKEqVnSu8l8oun3Prs7qNI5UHm9cxO5jtxs2FgasM=" + }, + { + "label": "Global_Chambersign_Root", + "binNumber": 40, + "sha256Fingerprint": "7zy0F/yOv2+Xh2yeTs453h6l/mSRQdECi30RwLIpjO0=" + }, + { + "label": "NetLock_Kozjegyzoi__Class_A__Tanusitvanykiado", + "binNumber": 41, + "sha256Fingerprint": "fxLNX35eKQ7H2FF51bcsIKW+dQj/21v4GrloSn/J9mc=" + }, + { + "label": "XRamp_Global_Certification_Authority", + "binNumber": 42, + "sha256Fingerprint": "zs3ckFCZ2NrfxbHSCbc3y+LBjPssEMD/C88NMob8GqI=" + }, + { + "label": "OU_Go_Daddy_Class_2_Certification_Authority_O__The_Go_Daddy_Group__Inc___C_US", + "binNumber": 43, + "sha256Fingerprint": "w4Rr8kuek8pkJ0wOxnwezF4CT/ys0tdAGTUOgf5UauQ=" + }, + { + "label": "OU_Starfield_Class_2_Certification_Authority_O__Starfield_Technologies__Inc___C_US", + "binNumber": 44, + "sha256Fingerprint": "FGX6IFOXuHb6pvCplY5VkOQPzH+qT7fCyGd1Iftftlg=" + }, + { + "label": "StartCom_Certification_Authority", + "binNumber": 45, + "sha256Fingerprint": "x2apvvLUBxyGOjGqSSDoE7LRmGCMt7fP4hFDuDbfCeo=" + }, + { + "label": "O_Government_Root_Certification_Authority_C_TW", + "binNumber": 46, + "sha256Fingerprint": "dgApXu/oW54f1iTbdgYqqq5ZgYpU0ndM1MCywBEx4bM=" + }, + { + "label": "Swisscom_Root_CA_1", + "binNumber": 47, + "sha256Fingerprint": "IdsgEjZguy7UGCBdoR7nqFpl4rxuVbWvfniZyKJm2S4=" + }, + { + "label": "DigiCert_Assured_ID_Root_CA", + "binNumber": 48, + "sha256Fingerprint": "PpCZtQFej0hsALzqnREe5yH6ujVaibzx32lWHj3GMlw=" + }, + { + "label": "DigiCert_Global_Root_CA", + "binNumber": 49, + "sha256Fingerprint": "Q0ig6URMeMsmXgWNXolEtNhPlmK9Jtslf4k0pEPHAWE=" + }, + { + "label": "DigiCert_High_Assurance_EV_Root_CA", + "binNumber": 50, + "sha256Fingerprint": "dDHl9MPBzkaQd08LYeBUQIg7qaAe0Aumq9eAbtOxGM8=" + }, + { + "label": "Class_2_Primary_CA", + "binNumber": 51, + "sha256Fingerprint": "D5k8iu+Xuq9WhxQO1ZrRghu0r6zwqppYtdV6M4o6+8s=" + }, + { + "label": "DST_Root_CA_X3", + "binNumber": 52, + "sha256Fingerprint": "BocmAzGnJAPZCfEF5pvPDTLhvSST/8bZIG0RvNZ3Bzk=" + }, + { + "label": "DST_ACES_CA_X6", + "binNumber": 53, + "sha256Fingerprint": "dnyVWnZBLImvaI6QoccPVWz9a2Al2+oQQW1+toMfjEA=" + }, + { + "label": "T_RKTRUST_Elektronik_Sertifika_Hizmet_Sa_lay_c_s_", + "binNumber": 54, + "sha256Fingerprint": "RATjO14UDc+ZgFH9/IAox8gWFcXuc3sRG1iCM6m1NaA=" + }, + { + "label": "T_RKTRUST_Elektronik_Sertifika_Hizmet_Sa_lay_c_s_", + "binNumber": 55, + "sha256Fingerprint": "xHDPVH4jArl3+yndcaiae2wfYHd7Ayn1YBfzKL9Pa+Y=" + }, + { + "label": "SwissSign_Gold_CA___G2", + "binNumber": 56, + "sha256Fingerprint": "Yt0L6bn1ChY+oPjnXAU7HspX6lXIaI9kfGiB8sg1e5U=" + }, + { + "label": "SwissSign_Silver_CA___G2", + "binNumber": 57, + "sha256Fingerprint": "vmxNoru5ulm285OXaDdCRsPABZk/qY8CDR3tvtSKgdU=" + }, + { + "label": "GeoTrust_Primary_Certification_Authority", + "binNumber": 58, + "sha256Fingerprint": "N9UQBsUS6qtiZCHx7IySAT/F+CrpjuUz60YZuN600Gw=" + }, + { + "label": "thawte_Primary_Root_CA", + "binNumber": 59, + "sha256Fingerprint": "jXIvganBE8B5HfE2opZtsmyVCpcdtGtBmfTqVLeL+58=" + }, + { + "label": "VeriSign_Class_3_Public_Primary_Certification_Authority___G5", + "binNumber": 60, + "sha256Fingerprint": "ms+rfkPI2IDQayYqlN7u5LRlmYnD0Mrxm69kBeQat98=" + }, + { + "label": "SecureTrust_CA", + "binNumber": 61, + "sha256Fingerprint": "8cG1CuWiDdgDDsn2vCSCPdNntSVXWbTnG2H86fc3XXM=" + }, + { + "label": "Secure_Global_CA", + "binNumber": 62, + "sha256Fingerprint": "QgD1BDrIWQ67Un0gntFQMCn7y9QcobUG7CfxWt59rGk=" + }, + { + "label": "COMODO_Certification_Authority", + "binNumber": 63, + "sha256Fingerprint": "DCzWPfeAb6OZ7egJEWtXW/h5ifBlGPmAjIYFAxeLr2Y=" + }, + { + "label": "Network_Solutions_Certificate_Authority", + "binNumber": 64, + "sha256Fingerprint": "FfC6AKOsevOsiEwHKxARoHe9d8CX9AFksvhZir2Dhgw=" + }, + { + "label": "WellsSecure_Public_Root_Certificate_Authority", + "binNumber": 65, + "sha256Fingerprint": "pxJyrqqjz+hyf3+znw+z0eVCbpBgsG7m8T6aPFgzzUM=" + }, + { + "label": "COMODO_ECC_Certification_Authority", + "binNumber": 66, + "sha256Fingerprint": "F5OSegYUVJeJrc4vjzT38LZtDzrjo7hNIewV27pPrcc=" + }, + { + "label": "IGC_A", + "binNumber": 67, + "sha256Fingerprint": "ub6nhgqWLqNhHauXq22j4hwQaLl9VVde0OESecEciTI=" + }, + { + "label": "OU_Security_Communication_EV_RootCA1_O__SECOM_Trust_Systems_CO__LTD___C_JP", + "binNumber": 68, + "sha256Fingerprint": "oi26aB6XN24tOX1yiq46m2KWuf26YLwuEfZH8sZ1+zc=" + }, + { + "label": "OISTE_WISeKey_Global_Root_GA_CA", + "binNumber": 69, + "sha256Fingerprint": "Qckjhmq0yta3rVeAgVguAgeXpsvfT/94zoOWs4k31/U=" + }, + { + "label": "Microsec_e_Szigno_Root_CA", + "binNumber": 70, + "sha256Fingerprint": "Mno9dhq63qA065mEBidcsaR3bv2uL99tAWjqHE9VZ9A=" + }, + { + "label": "Certigna", + "binNumber": 71, + "sha256Fingerprint": "47ai2y7XzkiEL3rFMkHHtx1UFEv7QMEfPx0LQvXuoS0=" + }, + { + "label": "TC_TrustCenter_Class_2_CA_II", + "binNumber": 72, + "sha256Fingerprint": "5rj4dmSF+Aeuf42sFnBGHwfAoT7vOh/3F1ONerrTkbQ=" + }, + { + "label": "TC_TrustCenter_Class_3_CA_II", + "binNumber": 73, + "sha256Fingerprint": "jaCE/Pmc4Hci+JsyBZOYBvpcuBHhyBP2oQjH0zazQI4=" + }, + { + "label": "TC_TrustCenter_Universal_CA_I", + "binNumber": 74, + "sha256Fingerprint": "6/PAKoeJsft9URmV1mO3KQbZE84NXhBWiop34lhhZ+c=" + }, + { + "label": "Deutsche_Telekom_Root_CA_2", + "binNumber": 75, + "sha256Fingerprint": "thkaUNDDl399qZvNqshqIn2uuWeexwujsMnZInHBcNM=" + }, + { + "label": "ComSign_Secured_CA", + "binNumber": 76, + "sha256Fingerprint": "UHlBx0RgoLRwhiINTpkyVyq10bW7y4mAqxyxdlGoRNI=" + }, + { + "label": "Cybertrust_Global_Root", + "binNumber": 77, + "sha256Fingerprint": "lgrfAGPpY1Z1DCll3QoIZ9oLnL1ud3FK6vsjSas5PaM=" + }, + { + "label": "OU_ePKI_Root_Certification_Authority_O__Chunghwa_Telecom_Co___Ltd___C_TW", + "binNumber": 78, + "sha256Fingerprint": "wKb03GOiS/3PVO8qaggqCnLeNYA+L/X/Unrl2HIG39U=" + }, + { + "label": "T_B_TAK_UEKAE_K_k_Sertifika_Hizmet_Sa_lay_c_s____S_r_m_3", + "binNumber": 79, + "sha256Fingerprint": "5Mc0MNeltQkl30M3Cg0hbpp5udbbg3Ogxp6xzDHHxSo=" + }, + { + "label": "Buypass_Class_2_CA_1", + "binNumber": 80, + "sha256Fingerprint": "D06c3SZLAlVQ0XCAY0AhT+lENMmwL2l+xxD8X+r7Xjg=" + }, + { + "label": "Buypass_Class_3_CA_1", + "binNumber": 81, + "sha256Fingerprint": "t7ErFx+CHaqZDND+UIexKESLqOUYT4TFHgK1yPuWKyQ=" + }, + { + "label": "EBG_Elektronik_Sertifika_Hizmet_Sa_lay_c_s_", + "binNumber": 82, + "sha256Fingerprint": "Na5b3dj3rmNc/7pWgqjwC5X0hGLHEI7poOUpKwdKr7I=" + }, + { + "label": "OU_certSIGN_ROOT_CA_O_certSIGN_C_RO", + "binNumber": 83, + "sha256Fingerprint": "6qlixPpKa6/r5BUZbTUczYiNT1Pz+orm18RmqU5gQrs=" + }, + { + "label": "CNNIC_ROOT", + "binNumber": 84, + "sha256Fingerprint": "4oOTdz2oRaZ58ggMx/tEo7ehw3kst+t3Kf3Lao2Zrqc=" + }, + { + "label": "OU_ApplicationCA_O_Japanese_Government_C_JP", + "binNumber": 85, + "sha256Fingerprint": "LUdDfeF5USFaEvPFjlHHKaWAJu8fzApfs9ncAS9gDRk=" + }, + { + "label": "GeoTrust_Primary_Certification_Authority___G3", + "binNumber": 86, + "sha256Fingerprint": "tHi4EiUN+HhjXCqn7H0VXqpiXugpFuLNKUNhiGzR+9Q=" + }, + { + "label": "thawte_Primary_Root_CA___G2", + "binNumber": 87, + "sha256Fingerprint": "pDENUK8YpkRxkDcqhq+vi5Uf+0Mdg38eVoi0WXHtFVc=" + }, + { + "label": "thawte_Primary_Root_CA___G3", + "binNumber": 88, + "sha256Fingerprint": "SwP0WAetcPIb/Cyuccn95GBMBkz1/7aGuuXbqtf900w=" + }, + { + "label": "GeoTrust_Primary_Certification_Authority___G2", + "binNumber": 89, + "sha256Fingerprint": "Xtt6xDuCoGqHYejXvkl56/JhH33Xm/kcHGtWaiGe12Y=" + }, + { + "label": "VeriSign_Universal_Root_Certification_Authority", + "binNumber": 90, + "sha256Fingerprint": "I5lWESelcSXejO/qYQ3fL6B4tcgGf06CgpC/uGDoSzw=" + }, + { + "label": "VeriSign_Class_3_Public_Primary_Certification_Authority___G4", + "binNumber": 91, + "sha256Fingerprint": "ad3X6pC7V8k+E13IXqb81UgLYDI5vcRU/HWLKibPf3k=" + }, + { + "label": "NetLock_Arany__Class_Gold__F_tan_s_tv_ny", + "binNumber": 92, + "sha256Fingerprint": "bGHaw6Le8DFQa+A20qb+QBmU+9E9+cjUZlmSdMRG7Jg=" + }, + { + "label": "Staat_der_Nederlanden_Root_CA___G2", + "binNumber": 93, + "sha256Fingerprint": "ZoyDlH2mO3JL7OF0PDGg5q7Q247Fsxvjd7t4T5G2cW8=" + }, + { + "label": "CA_Disig", + "binNumber": 94, + "sha256Fingerprint": "kr9RGavsytCxMy3E4dBfunW1Z5BE7gyibpMfdE8vM88=" + }, + { + "label": "Juur_SK", + "binNumber": 95, + "sha256Fingerprint": "7MPpw0B1A77gkaqVL0E0j/iLqoY7ImS++sgHkBV06Tk=" + }, + { + "label": "Hongkong_Post_Root_CA_1", + "binNumber": 96, + "sha256Fingerprint": "+eZ9M2xRACrAVMYyAi1m3aLn4//xCtBh7THYu7QQz7I=" + }, + { + "label": "SecureSign_RootCA11", + "binNumber": 97, + "sha256Fingerprint": "vw/u+546WBrV+enbdYmYV0PSYQhcTTFPb11yWapCFhI=" + }, + { + "label": "ACEDICOM_Root", + "binNumber": 98, + "sha256Fingerprint": "A5UPtJpTHz4ZkZQjmN+p4Ooy17oc3ZvIXbV+2UALQ0o=" + }, + { + "label": "Microsec_e_Szigno_Root_CA_2009", + "binNumber": 99, + "sha256Fingerprint": "PF+B/qX6uCxkv6Lq7K/N6OB3/IYgp8rlNxY9827b83g=" + }, + { + "label": "e_Guven_Kok_Elektronik_Sertifika_Hizmet_Saglayicisi", + "binNumber": 100, + "sha256Fingerprint": "5gkHhGWkGXgMtqxMHAv7RlPZ2cxus5Rut/PWmZe61Zg=" + }, + { + "label": "GlobalSign", + "binNumber": 101, + "sha256Fingerprint": "y7Ui17fxJ61qAROGW98c1BAufQdZr2NafPRyDcljxTs=" + }, + { + "label": "Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068", + "binNumber": 102, + "sha256Fingerprint": "BASAKL8fKGTUj5rU2DKUNmqCiFZVPzsUMD+QFH9dQO8=" + }, + { + "label": "Izenpe_com", + "binNumber": 103, + "sha256Fingerprint": "JTDMjpgyFQK62W+bH7obCZ4tKZ4PRUi7kU82O8DUUx8=" + }, + { + "label": "Chambers_of_Commerce_Root___2008", + "binNumber": 104, + "sha256Fingerprint": "Bj5K+sSR39My8wibhULpRhfYk9f+lE4Qp5N+4p2Wk8A=" + }, + { + "label": "Global_Chambersign_Root___2008", + "binNumber": 105, + "sha256Fingerprint": "E2M1Q5M0p2mAFqDTJN5yKE4HnXtSILuPvXR4Fu6+uso=" + }, + { + "label": "Go_Daddy_Root_Certificate_Authority___G2", + "binNumber": 106, + "sha256Fingerprint": "RRQLMkfrnMjFtPDXtTCR9zKSCJ5uWmPidJ3TrKkZjto=" + }, + { + "label": "Starfield_Root_Certificate_Authority___G2", + "binNumber": 107, + "sha256Fingerprint": "LOHLC/nS+eECmT++IVFSw7LdDKveHGjlMZuDkVTbt/U=" + }, + { + "label": "Starfield_Services_Root_Certificate_Authority___G2", + "binNumber": 108, + "sha256Fingerprint": "Vo1pBaLIhwikswJRkO3P7bGXSmBqE8blKQ/LKuY+2rU=" + }, + { + "label": "AffirmTrust_Commercial", + "binNumber": 109, + "sha256Fingerprint": "A3arHVTF+YA85LLiAaDufu97V7Y26Kk8m41IYMlvX6c=" + }, + { + "label": "AffirmTrust_Networking", + "binNumber": 110, + "sha256Fingerprint": "CoHsWpKXd/FFkErzjV1Qn2a14sWPzbUxBYsOF/PwtBs=" + }, + { + "label": "AffirmTrust_Premium", + "binNumber": 111, + "sha256Fingerprint": "cKc/fzdrYAdCSJBFNLEUgtW/DmmOzEmN9SV36/LpO5o=" + }, + { + "label": "AffirmTrust_Premium_ECC", + "binNumber": 112, + "sha256Fingerprint": "vXH99tqX5M9i0WR63SWBsH15rfg5frTsupxehIiCFCM=" + }, + { + "label": "Certum_Trusted_Network_CA", + "binNumber": 113, + "sha256Fingerprint": "XFhGjVX1jkl+dDmC0rUAELbRZTdKz4On1KMtt2jEQI4=" + }, + { + "label": "Certinomis___Autorit__Racine", + "binNumber": 114, + "sha256Fingerprint": "/L/iiGIG9ysnWTyLBwKX4S12ntEO15MHBagJjv/BTRc=" + }, + { + "label": "Root_CA_Generalitat_Valenciana", + "binNumber": 115, + "sha256Fingerprint": "jE7f0ENI8yKWnn4ppM1NygBGVQYcFuGwdkIu80KtYw4=" + }, + { + "label": "A_Trust_nQual_03", + "binNumber": 116, + "sha256Fingerprint": "eTy/RVm5/eOKsi3xaGn2mIGuFMSwE5rHiKeKGvzKAvs=" + }, + { + "label": "TWCA_Root_Certification_Authority", + "binNumber": 117, + "sha256Fingerprint": "v9iP4RAcQa4+gBv4vlY1Dum60aa5vVFe3FxtW4cRrEQ=" + }, + { + "label": "OU_Security_Communication_RootCA2_O__SECOM_Trust_Systems_CO__LTD___C_JP", + "binNumber": 118, + "sha256Fingerprint": "UTss7LgQ1M3l3YU5Gt/Gwt1g2Hu3NtK1IUhKpHoOvvY=" + }, + { + "label": "EC_ACC", + "binNumber": 119, + "sha256Fingerprint": "iEl/AWAvMVQkauKMTVrvEPHYfrt2Ym9K4Lf5W6eWh5k=" + }, + { + "label": "Hellenic_Academic_and_Research_Institutions_RootCA_2011", + "binNumber": 120, + "sha256Fingerprint": "vBBPFaSL5wncpUKn4dS5328FRSfoAuqpLVlURCWK/nE=" + }, + { + "label": "Actalis_Authentication_Root_CA", + "binNumber": 121, + "sha256Fingerprint": "VZJghOyWOmS5biq+Ac4LqGpk+/68x6q1r8FVs3/XYGY=" + }, + { + "label": "OU_Trustis_FPS_Root_CA_O_Trustis_Limited_C_GB", + "binNumber": 122, + "sha256Fingerprint": "wbSCmaulII/pYwrOVcpooD7aWlGciAKg06Zzvo+OVX0=" + }, + { + "label": "StartCom_Certification_Authority", + "binNumber": 123, + "sha256Fingerprint": "4XiQ7gmj+/T0i5xBShfWN7elBkfpvHUjInJ/zBdCqRE=" + }, + { + "label": "StartCom_Certification_Authority_G2", + "binNumber": 124, + "sha256Fingerprint": "x7plZ96Tp5iuH6p5HnEtN4+uH5PEOX/qRBu3y+b9WZU=" + }, + { + "label": "Buypass_Class_2_Root_CA", + "binNumber": 125, + "sha256Fingerprint": "mhFAJRl8W7ldlOY9Vc1DeQhHtkayPN8RraSgDv8V+0g=" + }, + { + "label": "Buypass_Class_3_Root_CA", + "binNumber": 126, + "sha256Fingerprint": "7ffrvKJ6KjhNOHt9QBDGZuLttIQ+TCm0rh1bkzLmsk0=" + }, + { + "label": "T_TeleSec_GlobalRoot_Class_3", + "binNumber": 127, + "sha256Fingerprint": "/XPa0xxkT/G0O+8MzdqWcQuc2Ydeyn4xcHrz6W1SK70=" + }, + { + "label": "EE_Certification_Centre_Root_CA", + "binNumber": 128, + "sha256Fingerprint": "PoS6Q0KQhRbndXPAmS8JecoITkaFaB/xlcy6iiKbinY=" + }, + { + "label": "T_RKTRUST_Elektronik_Sertifika_Hizmet_Sa_lay_c_s_", + "binNumber": 129, + "sha256Fingerprint": "l4zZZvL6oHunqpUA2cAunXfyza2mrWunSvS5HGZZPFA=" + }, + { + "label": "D_TRUST_Root_Class_3_CA_2_2009", + "binNumber": 130, + "sha256Fingerprint": "SeekQqzw6mKHBQBUtSVktlDk9J5C40jWqjjgOelXscE=" + }, + { + "label": "D_TRUST_Root_Class_3_CA_2_EV_2009", + "binNumber": 131, + "sha256Fingerprint": "7sVJa5iM6YYluTQJLuwpCL7QsPMWwtRzDITq8fPTSIE=" + }, + { + "label": "PSCProcert", + "binNumber": 132, + "sha256Fingerprint": "PPw8FNH2hP8X44xDykQMALln7JM+i/4GTKHXLJDyrbA=" + }, + { + "label": "China_Internet_Network_Information_Center_EV_Certificates_Root", + "binNumber": 133, + "sha256Fingerprint": "HAHG9Nuy/vwiVYsryjJWP0mESs/DK3vksP9Zn56Mevc=" + }, + { + "label": "Swisscom_Root_CA_2", + "binNumber": 134, + "sha256Fingerprint": "8JsSLHEU9KCb1OpPSpnVWLRuTCXNgRQNKcBWE5FMOEE=" + }, + { + "label": "Swisscom_Root_EV_CA_2", + "binNumber": 135, + "sha256Fingerprint": "2V/qPKTu3OdM1251/G0f9ixEHw+ovHfwNLGeXbJYAV0=" + }, + { + "label": "CA_Disig_Root_R1", + "binNumber": 136, + "sha256Fingerprint": "+W8j9MPnnAd6RpiNWvWQBnag8DnLZF3RdUmyFsgkQM4=" + }, + { + "label": "CA_Disig_Root_R2", + "binNumber": 137, + "sha256Fingerprint": "4j1KA217cOn1lbFCIHnSuR7fux+2UaBjPqqKncX4BwM=" + }, + { + "label": "ACCVRAIZ1", + "binNumber": 138, + "sha256Fingerprint": "mm7AEuGn2p2+NBlNR4rXwNsYIvsHHfEpgUlu0QQ4QRM=" + }, + { + "label": "TWCA_Global_Root_CA", + "binNumber": 139, + "sha256Fingerprint": "WXaQB/doXQ/NUIcvn5XVdVpbK0V9gfNpK2EKmGcvDhs=" + }, + { + "label": "TeliaSonera_Root_CA_v1", + "binNumber": 140, + "sha256Fingerprint": "3Wk2/iH48HfBI6GlIcEiJPciVbc+A6cmBpPooksPo4k=" + }, + { + "label": "E_Tugra_Certification_Authority", + "binNumber": 141, + "sha256Fingerprint": "sL/VK7DX2b2Sv11NwT2iVcAsVC83g2XqiTkR9V5V8jw=" + }, + { + "label": "T_TeleSec_GlobalRoot_Class_2", + "binNumber": 142, + "sha256Fingerprint": "keL1eI1YEOunulhzfeFUio7KzQFFmLwLFD4EGxcFJVI=" + }, + { + "label": "Atos_TrustedRoot_2011", + "binNumber": 143, + "sha256Fingerprint": "81a+okS3qR6zXVPKmteGSs4Bji011fj5bd9opvQapHQ=" + }, + { + "label": "QuoVadis_Root_CA_1_G3", + "binNumber": 144, + "sha256Fingerprint": "ioZv0bJ2tX5XjpIcZYKKK+1Y6fLyiAVBNLfx9L/JzHQ=" + }, + { + "label": "QuoVadis_Root_CA_2_G3", + "binNumber": 145, + "sha256Fingerprint": "j+T7Cvk6TQ1n2wvrsj43xxvzJdy83SQOoE2vWLR+GEA=" + }, + { + "label": "QuoVadis_Root_CA_3_G3", + "binNumber": 146, + "sha256Fingerprint": "iO+B3iAusBhFLkP4ZHJc6l+9H8LZ0gVzBwnF2LhpD0Y=" + }, + { + "label": "DigiCert_Assured_ID_Root_G2", + "binNumber": 147, + "sha256Fingerprint": "fQXrtoIzn4yUUe4JTuv++nlToRTtsvRJSUUvq30vwYU=" + }, + { + "label": "DigiCert_Assured_ID_Root_G3", + "binNumber": 148, + "sha256Fingerprint": "fjfLi0xHCQyrNlUbpvRduEBoD7oWapUtsQBxf0MFP8I=" + }, + { + "label": "DigiCert_Global_Root_G2", + "binNumber": 149, + "sha256Fingerprint": "yzzLt2Ax5eATj43TmiP53kf/w15DwRRM6ifUalqxy18=" + }, + { + "label": "DigiCert_Global_Root_G3", + "binNumber": 150, + "sha256Fingerprint": "Ma1mSPgQQTjHOPOepDIBMzk+OhjMAilu+Xwqye9nMdA=" + }, + { + "label": "DigiCert_Trusted_Root_G4", + "binNumber": 151, + "sha256Fingerprint": "VS973PGnr55s5nIBf08Sq/dyQMeOdhrCA9HZ0grImYg=" + }, + { + "label": "Certification_Authority_of_WoSign", + "binNumber": 152, + "sha256Fingerprint": "SyLVpq7JnzzbeapewGg4R5zV7LpxZPfyLcHWX2PYVwg=" + }, + { + "label": "CA______", + "binNumber": 153, + "sha256Fingerprint": "1vA0vZSqIz8Cl+ykJFsoOXPkR6pZDzEMd/SP34MRIlQ=" + }, + { + "label": "COMODO_RSA_Certification_Authority", + "binNumber": 154, + "sha256Fingerprint": "UvDhxOWOxikpG2AxfwdGcbhdfqgNWwcnNGNTSzK0AjQ=" + }, + { + "label": "USERTrust_RSA_Certification_Authority", + "binNumber": 155, + "sha256Fingerprint": "55PJsC/YqhPiHDEiisywgRlkO3SciYlksXRtRsPUy9I=" + }, + { + "label": "USERTrust_ECC_Certification_Authority", + "binNumber": 156, + "sha256Fingerprint": "T/Rg1Uuchtq/vPxXEuBADSvtP7xNT72qhuBq3NKprXo=" + }, + { + "label": "GlobalSign", + "binNumber": 157, + "sha256Fingerprint": "vslJEcKVVnbbbApVCYbXbjugBWZ8RCyXYrT7t3PeIow=" + }, + { + "label": "GlobalSign", + "binNumber": 158, + "sha256Fingerprint": "F5+8FIo90A/STqE0WMxDv6f1nIGC14OlE/br7BAMiSQ=" + }, + { + "label": "Staat_der_Nederlanden_Root_CA___G3", + "binNumber": 159, + "sha256Fingerprint": "PE+wuVq4swAy9DK4b1Nf4XLBhdD9OYZYN882GH+m9Cg=" + }, + { + "label": "Staat_der_Nederlanden_EV_Root_CA", + "binNumber": 160, + "sha256Fingerprint": "TSSRQUz+lWdG7Ezvps9vcuKKEylDL52KkHrEy12twVo=" + }, + { + "label": "IdenTrust_Commercial_Root_CA_1", + "binNumber": 161, + "sha256Fingerprint": "XVZJm+TS4IvPytCKPjhyPVBQO95waUjkL1VgMBnlKK4=" + }, + { + "label": "IdenTrust_Public_Sector_Root_CA_1", + "binNumber": 162, + "sha256Fingerprint": "MNCJWppEiiYgkWNVItH1IBC1hnrK4Sx475WP1PQ4ny8=" + }, + { + "label": "Entrust_Root_Certification_Authority___G2", + "binNumber": 163, + "sha256Fingerprint": "Q99XdLA+f+9f5A2TGnvt8bsua0JzjE5tOEEQPTqn8zk=" + }, + { + "label": "Entrust_Root_Certification_Authority___EC1", + "binNumber": 164, + "sha256Fingerprint": "Au0OsowU2kUWXFZnkXANZFHX+1bwsqsdO46wcOVu3/U=" + }, + { + "label": "CFCA_EV_ROOT", + "binNumber": 165, + "sha256Fingerprint": "XMPXjk4dXkVUegTmhz5k+Qz5U20czC74APNVxMX9cP0=" + }, + { + "label": "T_RKTRUST_Elektronik_Sertifika_Hizmet_Sa_lay_c_s__H5", + "binNumber": 166, + "sha256Fingerprint": "STUbkDREwYXM3FxpPSTYVVyyCNaoFBMHaZ9K8GMZnXg=" + }, + { + "label": "T_RKTRUST_Elektronik_Sertifika_Hizmet_Sa_lay_c_s__H6", + "binNumber": 167, + "sha256Fingerprint": "jeeGVeG+f3hHgAuT9pTSHTaMwG4DPn+rBLteuZ2mtwA=" + }, + { + "label": "Certinomis___Root_CA", + "binNumber": 168, + "sha256Fingerprint": "Kpn1vBF0tzy7HWIIhOAcNOUcyzl42hJfDjMmiIO/QVg=" + }, + { + "label": "OISTE_WISeKey_Global_Root_GB_CA", + "binNumber": 169, + "sha256Fingerprint": "a5wI6G6w92fPrWXNmLYhSeVJSmf1hF570e0Bnye4a9Y=" + }, + { + "label": "Certification_Authority_of_WoSign_G2", + "binNumber": 170, + "sha256Fingerprint": "1Ielb4OwdILoXpYzlMHswsnlHQkD7pRrAsMBWB7ZnhY=" + }, + { + "label": "CA_WoSign_ECC_Root", + "binNumber": 171, + "sha256Fingerprint": "i0XaHAb3kesMq/Jr5Yj1+yMWXC5hS/iFVi0NzlCymwI=" + }, + { + "label": "SZAFIR_ROOT_CA2", + "binNumber": 172, + "sha256Fingerprint": "oTOdMygaC1blV9PTKxzn+TZ+sJS9X6cqflAEyN7Xyv4=" + }, + { + "label": "Certum_Trusted_Network_CA_2", + "binNumber": 173, + "sha256Fingerprint": "tnby7drod1zTbLD2PNHUYDlh9J5iZboBOi8DB7bQuAQ=" + }, + { + "label": "Hellenic_Academic_and_Research_Institutions_RootCA_2015", + "binNumber": 174, + "sha256Fingerprint": "oECSmgLOU7Ss9PL/xpgc5ElvdV5tRf4LKmkrzVJSPzY=" + }, + { + "label": "Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015", + "binNumber": 175, + "sha256Fingerprint": "RLVFqool5lpzyhXcJ/w20kwcuZU6BmU5sRWC3Eh7SDM=" + }, + { + "label": "Certplus_Root_CA_G1", + "binNumber": 176, + "sha256Fingerprint": "FSpAK/zfLNVIBU0idbOcf8o+wJeAeLDw6nblYabHQz4=" + }, + { + "label": "Certplus_Root_CA_G2", + "binNumber": 177, + "sha256Fingerprint": "bMBQQeZEXnRpbEz7yfgPVDt+q7tEtM5veHxqmXHELxc=" + }, + { + "label": "OpenTrust_Root_CA_G1", + "binNumber": 178, + "sha256Fingerprint": "VsdxKNmMGNkbTP3/vCXukQPUdY6iq62CapDzRX1GDrQ=" + }, + { + "label": "OpenTrust_Root_CA_G2", + "binNumber": 179, + "sha256Fingerprint": "J5lYKf5qdRXBv+hI+cR2HbFsIlkpJXv0DQiU8p6ouvI=" + }, + { + "label": "OpenTrust_Root_CA_G3", + "binNumber": 180, + "sha256Fingerprint": "t8NiMXBugQeMNny4lhmPHjII3ZJpSd2PVwmkEPdbYpI=" + }, + { + "label": "ISRG_Root_X1", + "binNumber": 181, + "sha256Fingerprint": "lrzsBiZJdvN0YHeazyjFp8/oo8Cq4RqP/O4FwL3fCMY=" + }, + { + "label": "OU_AC_RAIZ_FNMT_RCM_O_FNMT_RCM_C_ES", + "binNumber": 182, + "sha256Fingerprint": "68VXDCkBjE1nsaoSe68S9wO0YR68F7fatVc4lBebk/o=" + }, + { + "label": "Amazon_Root_CA_1", + "binNumber": 183, + "sha256Fingerprint": "js3miE89h7ESW6Maw/yxPXAW3n9XzJBP4cuXxq6YGW4=" + }, + { + "label": "Amazon_Root_CA_2", + "binNumber": 184, + "sha256Fingerprint": "G6WyqoxlQBqClgEY+AvsT2IwTYPOxHE6GcOcAR6kbbQ=" + }, + { + "label": "Amazon_Root_CA_3", + "binNumber": 185, + "sha256Fingerprint": "GM5s/nvxTmCy40e43+hoyzHQLrs62icVafUDQ7Rts6Q=" + }, + { + "label": "Amazon_Root_CA_4", + "binNumber": 186, + "sha256Fingerprint": "410oQZ7QICXPppA4zWI5YkWNpcaV+96jwisL+yWJcJI=" + }, + { + "label": "LuxTrust_Global_Root_2", + "binNumber": 187, + "sha256Fingerprint": "VEVfcSnCCxRHxBj5lxaPJMWPxQI79dpb4utuHdiQLtU=" + }, + { + "label": "TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi___Surum_1", + "binNumber": 188, + "sha256Fingerprint": "Ru3DaJBG1TpFP7MQSrgNyuxliyZg6hYp3X6GeZBkhxY=" + }, + { + "label": "GDCA_TrustAUTH_R5_ROOT", + "binNumber": 189, + "sha256Fingerprint": "v/+P0EQzSH1qiqYMGil2ep/Cu7BeQg9xOhO5kokdOJM=" + }, + { + "label": "TrustCor_RootCert_CA_1", + "binNumber": 190, + "sha256Fingerprint": "1A6chs2P5GjBd2lZ9J6ndPpUhoS2xAbzkJJh9NziV1w=" + }, + { + "label": "TrustCor_RootCert_CA_2", + "binNumber": 191, + "sha256Fingerprint": "B1PpQDeMG9Xjg245Xa6ly4OeUEbxvQ6uGVHPEP7HyWU=" + }, + { + "label": "TrustCor_ECA_1", + "binNumber": 192, + "sha256Fingerprint": "WohdsZwB2RLFdZOIk4yvu98DGrLUjpHuFVibQpcdA5w=" + }, + { + "label": "SSL_com_Root_Certification_Authority_RSA", + "binNumber": 193, + "sha256Fingerprint": "hWZqVi7gvlzpJcHYiQpvdqh+wW1NfV8p6nQZzyASO2k=" + }, + { + "label": "SSL_com_Root_Certification_Authority_ECC", + "binNumber": 194, + "sha256Fingerprint": "NBe7BsxgB9oblhySC4q0zj+tgg5Kowuay8SnTr3OvGU=" + }, + { + "label": "SSL_com_EV_Root_Certification_Authority_RSA_R2", + "binNumber": 195, + "sha256Fingerprint": "LnvxbMIkhae74qqGlnUHYbCuOb47L+nQzG1O9zSRQlw=" + }, + { + "label": "SSL_com_EV_Root_Certification_Authority_ECC", + "binNumber": 196, + "sha256Fingerprint": "IqLB973tcEzB5wG19AjDEIgP6Va13ipKRPmchzolp8g=" + }, + { + "label": "GlobalSign", + "binNumber": 197, + "sha256Fingerprint": "LKvq/jfQbKIqunORwAM9JZgpUsRTZHNJdjo6ta1sz2k=" + }, + { + "label": "OISTE_WISeKey_Global_Root_GC_CA", + "binNumber": 198, + "sha256Fingerprint": "hWD5HDYk2rqVcLX+oNvjb/EagyO+lIaFT7PzSlVxGY0=" + }, + { + "label": "GTS_Root_R1", + "binNumber": 199, + "sha256Fingerprint": "KldUceMTQLwhWBy9LPE+FYRjID7OlLz508wZa/CaVHI=" + }, + { + "label": "GTS_Root_R2", + "binNumber": 200, + "sha256Fingerprint": "xF17sI5tZ+YuQjURC1ZOX3j9ku8FjIQK6k5kVddYXGA=" + }, + { + "label": "GTS_Root_R3", + "binNumber": 201, + "sha256Fingerprint": "FdW4d0YZ6n1Uzhym0LDEA+A3qRfxMeigTh5renG6vOU=" + }, + { + "label": "GTS_Root_R4", + "binNumber": 202, + "sha256Fingerprint": "ccylOR+eeUsEgCUws2PhIdqKMEO7JmYv6k3Kf8lRpL0=" + }, + { + "label": "UCA_Global_G2_Root", + "binNumber": 203, + "sha256Fingerprint": "m+oRyXb+AUdkwb5WpvkUtaVgMXq9mYg5M4LlFhqgSTw=" + }, + { + "label": "UCA_Extended_Validation_Root", + "binNumber": 204, + "sha256Fingerprint": "1Dr5s1RzdVyWhPwG19jLcO5cKOdz+ylOtB7nFyKSTSQ=" + }, + { + "label": "Certigna_Root_CA", + "binNumber": 205, + "sha256Fingerprint": "1I09I+7bUKRZ5VGXYBwnd0udexjJTVoFlRGhAlC5MWg=" + }, + { + "label": "emSign_Root_CA___G1", + "binNumber": 206, + "sha256Fingerprint": "QPavA0apmqHNHVVaTpzOYsf5Y0YD7kBmFYM9yMjQA2c=" + }, + { + "label": "emSign_ECC_Root_CA___G3", + "binNumber": 207, + "sha256Fingerprint": "hqHsugicSo07vic0xhK6NB2BPgQ8+eioYs1cV6Nrvms=" + }, + { + "label": "emSign_Root_CA___C1", + "binNumber": 208, + "sha256Fingerprint": "ElYJqjAdoKJJuXqCOctqNCFvRNysnzlUsUKS8ujIYI8=" + }, + { + "label": "emSign_ECC_Root_CA___C3", + "binNumber": 209, + "sha256Fingerprint": "vE2AmxUYnXjbPh2M9PlyanldoWQ8pfE1jh3bDtwNfrM=" + }, + { + "label": "Hongkong_Post_Root_CA_3", + "binNumber": 210, + "sha256Fingerprint": "Wi/APwyDsJC7+kBgSwmIRGx2Nhg9+YRuFxAaRH+479Y=" + }, + { + "label": "Entrust_Root_Certification_Authority___G4", + "binNumber": 211, + "sha256Fingerprint": "2zUX0fZzKi1auXxTPscHee4ycKYvtKxCODckYObwHog=" + }, + { + "label": "Microsoft_ECC_Root_Certificate_Authority_2017", + "binNumber": 212, + "sha256Fingerprint": "NY3znXZK+eG3ZunJct81LuFc+sInr2rR1w6OSm7cugI=" + }, + { + "label": "Microsoft_RSA_Root_Certificate_Authority_2017", + "binNumber": 213, + "sha256Fingerprint": "x0H3D0sqjYi/LnHBQSLvU+8Q66DPpeZM+iD0GIUwc+A=" + }, + { + "label": "e_Szigno_Root_CA_2017", + "binNumber": 214, + "sha256Fingerprint": "vrALMIObm8MsMuREeQWVBkHyZCGxXtCJGYtRiuLqG5k=" + }, + { + "label": "OU_certSIGN_ROOT_CA_G2_O_CERTSIGN_SA_C_RO", + "binNumber": 215, + "sha256Fingerprint": "ZXz+L6c/qjhGJXHzMqI2Okb85wIJUXEHAs37tu7aMwU=" + }, + { + "label": "Trustwave_Global_Certification_Authority", + "binNumber": 216, + "sha256Fingerprint": "l1UgFfXd/DyHiMAGlEVVQIiURQCE8QCGcIa8Giu1jcg=" + }, + { + "label": "Trustwave_Global_ECC_P256_Certification_Authority", + "binNumber": 217, + "sha256Fingerprint": "lFu8gl6lVPSJ0f1Rpz3fLqYkrHAZoFIFIlwip4zPqLQ=" + }, + { + "label": "Trustwave_Global_ECC_P384_Certification_Authority", + "binNumber": 218, + "sha256Fingerprint": "VZA4WcjAw+u4dZ7OTiVXIl/1dYu9OOvUgnZgHhvVgJc=" + }, + { + "label": "NAVER_Global_Root_Certification_Authority", + "binNumber": 219, + "sha256Fingerprint": "iPQ43Pj/0fqPQpEV/+X4KuHgbgxww3X6rXF7NKSecmU=" + }, + { + "label": "AC_RAIZ_FNMT_RCM_SERVIDORES_SEGUROS", + "binNumber": 220, + "sha256Fingerprint": "VUFTsT0s+d23U7++Gk4K4I0KpBhwWP5gorhisuS4e8s=" + }, + { + "label": "GlobalSign_Root_R46", + "binNumber": 221, + "sha256Fingerprint": "T6MSbY06EdHEhVpPgHy61s+RnTpaiLA76ixjctk8QMk=" + }, + { + "label": "GlobalSign_Root_E46", + "binNumber": 222, + "sha256Fingerprint": "y7nETYS4BD4QUOoxpp9RSVXXv9LixrSTAQGa1h2fUFg=" + }, + { + "label": "GLOBALTRUST_2020", + "binNumber": 223, + "sha256Fingerprint": "milqUYLR1FGi439Dm3Tar6JnUjMp+Q+aDSAHwzTiPJo=" + }, + { + "label": "ANF_Secure_Server_Root_CA", + "binNumber": 224, + "sha256Fingerprint": "+4/sdZFpuRBrHlEWRMYYxRMENz9sBkMIjYvv/RuZdZk=" + }, + { + "label": "Certum_EC_384_CA", + "binNumber": 225, + "sha256Fingerprint": "azKAhWJTGKpQ0XPJjYvaCdV+J0E9EUz3h6D10GwDDPY=" + }, + { + "label": "Certum_Trusted_Root_CA", + "binNumber": 226, + "sha256Fingerprint": "/naWVzhVdz43qV561NnMlsMBV8FdMXZbqbFXBOGueP0=" + }, + { + "label": "TunTrust_Root_CA", + "binNumber": 227, + "sha256Fingerprint": "LkQQKrWMuFQZRRyOGdms82Ysr7xhS2pTlgow99Di60E=" + }, + { + "label": "HARICA_TLS_RSA_Root_CA_2021", + "binNumber": 228, + "sha256Fingerprint": "2V0Ojtp5Ulv5vrEbFNIQDTKUmF8MYtn6vZzZmezLex0=" + }, + { + "label": "HARICA_TLS_ECC_Root_CA_2021", + "binNumber": 229, + "sha256Fingerprint": "P5nMR0rPzk3+1YeUZl5HjRVHc58ueA8btMqbEzCX1AE=" + }, + { + "label": "Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068", + "binNumber": 230, + "sha256Fingerprint": "V94Fg+/Ssm4DYdqZ2p30ZI3vfuhEHDtyivqbzeD5smo=" + }, + { + "label": "vTrus_ECC_Root_CA", + "binNumber": 231, + "sha256Fingerprint": "MPu6LDIjjiqYVHr5eTHlUEKLmz8cjutmM9z6hsWyfdM=" + }, + { + "label": "vTrus_Root_CA", + "binNumber": 232, + "sha256Fingerprint": "inHeZVkzb0JsJuU4gNANiKGNpMapHw3LYZTiBsXJY4c=" + }, + { + "label": "ISRG_Root_X2", + "binNumber": 233, + "sha256Fingerprint": "aXKbjhWobvwXelevtxcd/GSt0owvyozxUH40RTzLFHA=" + }, + { + "label": "HiPKI_Root_CA___G1", + "binNumber": 234, + "sha256Fingerprint": "8BXOPMI5v+8GS+nx0sQX4aAmSgqUvh8MjRIYZOtpScw=" + }, + { + "label": "GlobalSign", + "binNumber": 235, + "sha256Fingerprint": "sIXXC5ZPGRpz5K8NVK56Dgeq/a+bcd0IYhOKtzJaJKI=" + }, + { + "label": "GTS_Root_R1", + "binNumber": 236, + "sha256Fingerprint": "2UdDKr3nt/qQ/C5rWRAbEoDg4cfk5A+jxoh//1en9M8=" + }, + { + "label": "GTS_Root_R2", + "binNumber": 237, + "sha256Fingerprint": "jSXNlyKdv3A1a9pOs8xzQDHiTPAPr8/TLcdutYQcfqg=" + }, + { + "label": "GTS_Root_R3", + "binNumber": 238, + "sha256Fingerprint": "NNinPuII2bzbDZVlIJNLTkDmlIJZbotvc8hCawEKb0g=" + }, + { + "label": "GTS_Root_R4", + "binNumber": 239, + "sha256Fingerprint": "NJ36QFjF4mMSOzmK55VXPE4TE8g/5o+TVWzV6AMbPH0=" + }, + { + "label": "Telia_Root_CA_v2", + "binNumber": 240, + "sha256Fingerprint": "JCtpdC/LHlsqv5iJi5RXIYdUTltNmRF4ZXNiH2p0uCw=" + }, + { + "label": "D_TRUST_BR_Root_CA_1_2020", + "binNumber": 241, + "sha256Fingerprint": "5ZqqgWAJwiv/WyW6033zBvBJeXwfgdhasInmV72PAEQ=" + }, + { + "label": "D_TRUST_EV_Root_CA_1_2020", + "binNumber": 242, + "sha256Fingerprint": "CBcNGqNkU5AaL5WSReNH2wyNN6uqvFa4GqEA3JWJcNs=" + }, + { + "label": "DigiCert_TLS_ECC_P384_Root_G5", + "binNumber": 243, + "sha256Fingerprint": "AY4T8HclMs+Am9GxcoGGcoP8SMbhO+nGmBKFSkkMGwU=" + }, + { + "label": "DigiCert_TLS_RSA4096_Root_G5", + "binNumber": 244, + "sha256Fingerprint": "NxoA3AUzs3IafutA6EGecHmdKwoPLB2AaTFl987ErXU=" + }, + { + "label": "Certainly_Root_R1", + "binNumber": 245, + "sha256Fingerprint": "d7gs2GRMQwX3rMXLFWtFZ1AEAz1RxgxiAqjgwzRn06A=" + }, + { + "label": "Certainly_Root_E1", + "binNumber": 246, + "sha256Fingerprint": "tFhfIuSsdWpOhhKhNhxdnQMak/2E/rt3j6MGiw/ELcI=" + }, + { + "label": "E_Tugra_Global_Root_CA_RSA_v3", + "binNumber": 247, + "sha256Fingerprint": "72awsQo8258uNkjHa9KvGOrSv+bxF2VeKMQGDaGj9MI=" + }, + { + "label": "E_Tugra_Global_Root_CA_ECC_v3", + "binNumber": 248, + "sha256Fingerprint": "hz9Ghfp/VjYlJS5tNrzX8W/CSVHyZOR+G5VPSQjNyhM=" + }, + { + "label": "Security_Communication_RootCA3", + "binNumber": 249, + "sha256Fingerprint": "JKVcKrBRRC0GF3ZlQSOaStAy18VRdao0/94vvE9cUpQ=" + }, + { + "label": "Security_Communication_ECC_RootCA1", + "binNumber": 250, + "sha256Fingerprint": "50+9pVvVZMRzo2tEGqeZyKaOB3RA6CiLn6HlDku6yhE=" + }, + { + "label": "BJCA_Global_Root_CA2", + "binNumber": 251, + "sha256Fingerprint": "V032kx4ngDlme3IK/cFgD8J+tm3TCSl5+3OFZIchKII=" + }, + { + "label": "BJCA_Global_Root_CA1", + "binNumber": 252, + "sha256Fingerprint": "84lviP58CognZqf6atJ0n7V6fz6Y+3acH6ewnCxE1a4=" + }, + { + "label": "Sectigo_Public_Server_Authentication_Root_R46", + "binNumber": 253, + "sha256Fingerprint": "e7ZHpirurIi/JXqlItAf/qOV4KtFxz+T9lZU7DjyWgY=" + }, + { + "label": "Sectigo_Public_Server_Authentication_Root_E46", + "binNumber": 254, + "sha256Fingerprint": "yQ8m8PsbQBiyIidRm1yitT4spbO+XPGO/hvvRzgMU4M=" + }, + { + "label": "SSL_com_TLS_RSA_Root_CA_2022", + "binNumber": 255, + "sha256Fingerprint": "j699Liy0cJu44LM2Zr91pd1Ftd5ID46o1L/mvrwX8u0=" + }, + { + "label": "SSL_com_TLS_ECC_Root_CA_2022", + "binNumber": 256, + "sha256Fingerprint": "wy/9n0b5NtFsNnOZCVlDS5rWCq+7nnzzNlTxRMwboUM=" + }, + { + "label": "Atos_TrustedRoot_Root_CA_RSA_TLS_2021", + "binNumber": 257, + "sha256Fingerprint": "gakIjqWfs2TFSKb4VVkJm28EBe+/GOUyTsn0V7oAES8=" + }, + { + "label": "Atos_TrustedRoot_Root_CA_ECC_TLS_2021", + "binNumber": 258, + "sha256Fingerprint": "svrlPhTM16uSEgZHAa4nnB2JiPrLd1+ooAiRTmY5iKg=" + }, + { + "label": "TrustAsia_Global_Root_CA_G4", + "binNumber": 259, + "sha256Fingerprint": "vktWy1BWwBNqUm30RFCNqjagtU9C5Kw49yr0cOR5ZUw=" + }, + { + "label": "TrustAsia_Global_Root_CA_G3", + "binNumber": 260, + "sha256Fingerprint": "4NMiausRY8Lkj/m+O1C0xkMb57serMXDa11exQkDmgg=" + }, + { + "label": "CommScope_Public_Trust_RSA_Root_02", + "binNumber": 261, + "sha256Fingerprint": "/+lD15NCS098RAwcPWSNU2PzS4Lch6p6nxGPxd7hAfE=" + }, + { + "label": "CommScope_Public_Trust_RSA_Root_01", + "binNumber": 262, + "sha256Fingerprint": "Ar35bipF3Zvxj8fh298hoDebo8nCYQNEz9jWBv7B7YE=" + }, + { + "label": "CommScope_Public_Trust_ECC_Root_02", + "binNumber": 263, + "sha256Fingerprint": "L/t/gTu7s8iatOgWLQ8W1xUJqDDMnXPCYuUUCHXRrUo=" + }, + { + "label": "CommScope_Public_Trust_ECC_Root_01", + "binNumber": 264, + "sha256Fingerprint": "EUN82nu0XkE2X0WzmjiYaw3gDe80jgx7sIc2M4ALw4s=" + }, + { + "label": "Telekom_Security_TLS_RSA_Root_2023", + "binNumber": 265, + "sha256Fingerprint": "78ZcrbtZrbbv6E2iIxGzViS3GzseoNqLZlUXTsiXhkY=" + }, + { + "label": "Telekom_Security_TLS_ECC_Root_2020", + "binNumber": 266, + "sha256Fingerprint": "V4r03tCFP05ZmNtK6vnL6o2UX2C2IKONGjwTsrx7qOE=" + } + ], + "maxBin": 266 +}
\ No newline at end of file diff --git a/security/manager/tools/PreloadedHPKPins.json b/security/manager/tools/PreloadedHPKPins.json new file mode 100644 index 0000000000..9ea773de31 --- /dev/null +++ b/security/manager/tools/PreloadedHPKPins.json @@ -0,0 +1,207 @@ +// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +// The top-level element is a dictionary with two keys: "pinsets" maps details +// of certificate pinning to a name and "entries" contains the HPKP details for +// each host. +// +// "pinsets" is a list of objects. Each object has the following members: +// name: (string) the name of the pinset +// sha256_hashes: (list of strings) the set of allowed SPKIs hashes +// +// For a given pinset, a certificate is accepted if at least one of the +// Subject Public Key Infos (SPKIs) is found in the chain. SPKIs are specified +// as names, which must match up with the name given in the Mozilla root store. +// +// "entries" is a list of objects. Each object has the following members: +// name: (string) the DNS name of the host in question +// include_subdomains: (optional bool) whether subdomains of |name| are also covered +// pins: (string) the |name| member of an object in |pinsets| +// +// "extra_certificates" is a list of base64-encoded certificates. These are used in +// pinsets that reference certificates not in our root program (for example, +// Facebook or intermediate CA certs). + +{ + "chromium_data" : { + "cert_file_url": "https://chromium.googlesource.com/chromium/src/+/refs/heads/main/net/http/transport_security_state_static.pins?format=TEXT", + "json_file_url": "https://chromium.googlesource.com/chromium/src/+/refs/heads/main/net/http/transport_security_state_static_pins.json?format=TEXT", + "substitute_pinsets": { + // Use the larger google_root_pems pinset instead of google + "google": "google_root_pems" + }, + "production_pinsets": [ + "google_root_pems", + "facebook", + "ncsccs" + ], + "production_domains": [ + // Chrome's test domains. + "pinningtest.appspot.com", + "pinning-test.badssl.com", + // Tor + "torproject.org", + "blog.torproject.org", + "check.torproject.org", + "dist.torproject.org", + "www.torproject.org", + // SpiderOak + "spideroak.com" + ], + "exclude_domains" : [] + }, + "pinsets": [ + { + "name": "mozilla_services", + "sha256_hashes": [ + // Current Digicert root hierarchy (G1) + // Digicert is migrating users off this root hierarchy + // https://knowledge.digicert.com/generalinformation/digicert-root-and-intermediate-ca-certificate-updates-2023.html + "DigiCert Global Root CA", + "DigiCert High Assurance EV Root CA", + // New Digicert root hierarchy (G2) + // Digicert is migrating users to this root hierarchy + // https://knowledge.digicert.com/generalinformation/digicert-root-and-intermediate-ca-certificate-updates-2023.html + "DigiCert Global Root G2", + // Future Digicert root hierarchy (G5) + // Digicert will be switching to this root hierarchy in the future + // https://knowledge.digicert.com/generalinformation/digicert-g5-root-and-intermediate-ca-certificate-migration.html + "DigiCert TLS ECC P384 Root G5", + "DigiCert TLS RSA4096 Root G5", + // Current Let’s Encrypt root hierachy + // https://letsencrypt.org/certificates/ + "ISRG Root X1" + ] + }, + // For pinning tests on pinning.example.com, the certificate must be 'End + // Entity Test Cert' + { + "name": "mozilla_test", + "sha256_hashes": [ + "End Entity Test Cert" + ] + }, + // Google's root PEMs. Chrome pins only to their intermediate certs, but + // they'd like us to be more liberal. For the initial list, we are using + // the certs from https://pki.google.com/roots.pem. + // We have no built-in for commented out CAs. + // This list should be updated via the dumpGoogleRoots.js script. + { + "name": "google_root_pems", + "sha256_hashes": [ + "AffirmTrust Commercial", + "AffirmTrust Networking", + "AffirmTrust Premium", + "AffirmTrust Premium ECC", + "Baltimore CyberTrust Root", + "Comodo AAA Services root", + "COMODO Certification Authority", + "COMODO ECC Certification Authority", + "COMODO RSA Certification Authority", + "DigiCert Assured ID Root CA", + "DigiCert Assured ID Root G2", + "DigiCert Assured ID Root G3", + "DigiCert Global Root CA", + "DigiCert Global Root G2", + "DigiCert Global Root G3", + "DigiCert High Assurance EV Root CA", + "DigiCert Trusted Root G4", + "Entrust Root Certification Authority", + "Entrust Root Certification Authority - EC1", + "Entrust Root Certification Authority - G2", + "Entrust.net Premium 2048 Secure Server CA", + "GlobalSign ECC Root CA - R4", + "GlobalSign ECC Root CA - R5", + "GlobalSign Root CA", + "GlobalSign Root CA - R3", + "GlobalSign Root CA - R6", + "Go Daddy Class 2 CA", + "Go Daddy Root Certificate Authority - G2", + "GTS Root R1", + "GTS Root R2", + "GTS Root R3", + "GTS Root R4", + "Starfield Class 2 CA", + "Starfield Root Certificate Authority - G2", + "USERTrust ECC Certification Authority", + "USERTrust RSA Certification Authority" + ] + } + // The list above should be updated via the dumpGoogleRoots.js script. + ], + + "entries": [ + // Only domains that are operationally crucial to Firefox can have per-host + // telemetry reporting (the "id") field + { "name": "addons.mozilla.org", "include_subdomains": true, + "pins": "mozilla_services", "test_mode": false, "id": 1 }, + { "name": "addons.mozilla.net", "include_subdomains": true, + "pins": "mozilla_services", "test_mode": false, "id": 2 }, + // AUS servers MUST remain in test mode + // see: https://bugzilla.mozilla.org/show_bug.cgi?id=1301956#c23 + { "name": "aus4.mozilla.org", "include_subdomains": true, + "pins": "mozilla_services", "test_mode": true, "id": 3 }, + { "name": "aus5.mozilla.org", "include_subdomains": true, + "pins": "mozilla_services", "test_mode": true, "id": 7 }, + // Catchall for applications hosted under firefox.com + // see https://bugzilla.mozilla.org/show_bug.cgi?id=1494431 + { "name": "firefox.com", "include_subdomains": true, + "pins": "mozilla_services", "test_mode": true, "id": 15 }, + // Firefox Accounts & sync + // superseded by catchall for firefox.com, but leaving for tracking + { "name": "accounts.firefox.com", "include_subdomains": true, + "pins": "mozilla_services", "test_mode": false, "id": 4 }, + { "name": "api.accounts.firefox.com", "include_subdomains": true, + "pins": "mozilla_services", "test_mode": false, "id": 5 }, + { "name": "sync.services.mozilla.com", "include_subdomains": true, + "pins": "mozilla_services", "test_mode": false, "id": 13 }, + // Catch-all for all CDN resources, including product delivery + // Telemetry IDs added in bug 1521983. + { "name": "cdn.mozilla.net", "include_subdomains": true, + "pins": "mozilla_services", "test_mode": false, "id": 16 }, + { "name": "cdn.mozilla.org", "include_subdomains": true, + "pins": "mozilla_services", "test_mode": false, "id": 17 }, + { "name": "download.mozilla.org", "include_subdomains": false, + "pins": "mozilla_services", "test_mode": false, "id": 14 }, + // Catch-all for everything hosted under services.mozilla.com + { "name": "services.mozilla.com", "include_subdomains": true, + "pins": "mozilla_services", "test_mode": false, "id": 6 }, + // Catch-all for everything hosted under telemetry.mozilla.org + // MUST remain in test mode in order to receive telemetry on broken pins + { "name": "telemetry.mozilla.org", "include_subdomains": true, + "pins": "mozilla_services", "test_mode": true, "id": 8 }, + // Test Pilot + // superseded by catchall for firefox.com, but leaving for tracking + { "name": "testpilot.firefox.com", "include_subdomains": false, + "pins": "mozilla_services", "test_mode": false, "id": 9 }, + // Crash report sites + { "name": "crash-reports.mozilla.com", "include_subdomains": false, + "pins": "mozilla_services", "test_mode": false, "id": 10 }, + { "name": "crash-reports-xpsp2.mozilla.com", "include_subdomains": false, + "pins": "mozilla_services", "test_mode": false, "id": 11 }, + { "name": "crash-stats.mozilla.org", "include_subdomains": false, + "pins": "mozilla_services", "test_mode": false, "id": 12 }, + { "name": "include-subdomains.pinning.example.com", + "include_subdomains": true, "pins": "mozilla_test", + "test_mode": false }, + // Example domain to collect per-host stats for telemetry tests. + { "name": "exclude-subdomains.pinning.example.com", + "include_subdomains": false, "pins": "mozilla_test", + "test_mode": false }, + { "name": "test-mode.pinning.example.com", "include_subdomains": true, + "pins": "mozilla_test", "test_mode": true } + ], + // When pinning to non-root certs, like intermediates, + // place the PEM of the pinned certificate in this array + // so Firefox can find the subject DN and public key + "extra_certificates": [ + // Subject: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3 + // Issuer: C=US, O=Internet Security Research Group, CN=ISRG Root X1 + "MIIFjTCCA3WgAwIBAgIRANOxciY0IzLc9AUoUSrsnGowDQYJKoZIhvcNAQELBQAwTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2VhcmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTYxMDA2MTU0MzU1WhcNMjExMDA2MTU0MzU1WjBKMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3MgRW5jcnlwdDEjMCEGA1UEAxMaTGV0J3MgRW5jcnlwdCBBdXRob3JpdHkgWDMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCc0wzwWuUuR7dyXTeDs2hjMOrXNSYZJeG9vjXxcJIvt7hLQQWrqZ41CFjssSrEaIcLo+N15Obzp2JxunmBYB/XkZqf89B4Z3HIaQ6Vkc/+5pnpYDxIzH7KTXcSJJ1HG1rrueweNwAcnKx7pwXqzkrrvUHlNpi5y/1tPJZo3yMqQpAMhnRnyH+lmrhSYRQTP2XpgofL2/oOVvaGifOFP5eGr7DcGu9rDZUWfcQroGWymQQ2dYBrrErzG5BJeC+ilk8qICUpBMZ0wNAxzY8xOJUWuqgzuEPxsR/DMH+ieTETPS02+OP88jNquTkxxa/EjQ0dZBYzqvqEKbbUC8DYfcOTAgMBAAGjggFnMIIBYzAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMHIGCCsGAQUFBwEBBGYwZDAwBggrBgEFBQcwAYYkaHR0cDovL29jc3Aucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcvMDAGCCsGAQUFBzAChiRodHRwOi8vY2VydC5yb290LXgxLmxldHNlbmNyeXB0Lm9yZy8wHwYDVR0jBBgwFoAUebRZ5nu25eQBc4AIiMgaWPbpm24wDQYJKoZIhvcNAQELBQADggIBABnPdSA0LTqmRf/Q1eaM2jLonG4bQdEnqOJQ8nCqxOeTRrToEKtwT++36gTSlBGxA/5dut82jJQ2jxN8RI8L9QFXrWi4xXnA2EqA10yjHiR6H9cj6MFiOnb5In1eWsRMUM2v3e9tNsCAgBukPHAg1lQh07rvFKm/Bz9BCjaxorALINUfZ9DD64j2igLIxle2DPxW8dI/F2loHMjXZjqG8RkqZUdoxtID5+90FgsGIfkMpqgRS05f4zPbCEHqCXl1eO5HyELTgcVlLXXQDgAWnRzut1hFJeczY1tjQQno6f6s+nMydLN26WuU4s3UYvOuOsUxRlJu7TSRHqDC3lSE5XggVkzdaPkuKGQbGpny+01/47hfXXNB7HntWNZ6N2Vwp7G6OfY+YQrZwIaQmhrIqJZuigsrbe3W+gdn5ykE9+Ky0VgVUsfxo52mwFYs1JKY2PGDuWx8M6DlS6qQkvHaRUo0FMd8TsSlbF0/v965qGFKhSDeQoMpYnwcmQilRh/0ayLThlHLN81gSkJjVrPI0Y8xCVPB4twb1PFUd2fPM3sA1tJ83sZ5v8vgFv2yofKRPB0t6JzUA81mSqM3kxl5e+IZwhYAyO0OTg3/fs8HqGTNKd9BqoUwSRBzp06JMg5brUCGwbCUDI0mxadJ3Bz4WxR6fyNpBK2yAinWEsikxqEt", + // Subject: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X4 + // Issuer: C=US, O=Internet Security Research Group, CN=ISRG Root X1 + "MIIFjTCCA3WgAwIBAgIRAJObmZ6kjhYNW0JZtD0gE9owDQYJKoZIhvcNAQELBQAwTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2VhcmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTYxMDA2MTU0NDM0WhcNMjExMDA2MTU0NDM0WjBKMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3MgRW5jcnlwdDEjMCEGA1UEAxMaTGV0J3MgRW5jcnlwdCBBdXRob3JpdHkgWDQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDhJHRCe7eRMdlz/ziq2M5EXLc5CtxErg29RbmXN2evvVBPX9MQVGv3QdqOY+ZtW8DoQKmMQfzRA4n/YmEJYNYHBXiakL0aZD5P3M93L4lry2evQU3FjQDAa/6NhNy18pUxqOj2kKBDSpN0XLM+Q2lLiSJHdFE+mWTDzSQB+YQvKHcXIqfdw2wITGYvN3TFb5OOsEY3FmHRUJjIsA9PWFN8rPbaLZZhUK1D3AqmT561Urmcju9O30azMdwg/GnCoyB1Puw4GzZOZmbS3/VmpJMve6YOlD5gPUpLHG+6tE0cPJFYbi9NxNpw2+0BOXbASefpNbUUBpDB5ZLiEP1rubSFAgMBAAGjggFnMIIBYzAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMB0GA1UdDgQWBBTFsatOTLHNZDCTfsGEmQWr5gPiJTAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMHIGCCsGAQUFBwEBBGYwZDAwBggrBgEFBQcwAYYkaHR0cDovL29jc3Aucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcvMDAGCCsGAQUFBzAChiRodHRwOi8vY2VydC5yb290LXgxLmxldHNlbmNyeXB0Lm9yZy8wHwYDVR0jBBgwFoAUebRZ5nu25eQBc4AIiMgaWPbpm24wDQYJKoZIhvcNAQELBQADggIBAF4tI1yGjZgld9lP01+zftU3aSV0un0d2GKUMO7GxvwTLWAKQz/eT+u3J4+GvpD+BMfopIxkJcDCzMChjjZtZZwJpIY7BatVrO6OkEmaRNITtbZ/hCwNkUnbk3C7EG3OGJZlo9b2wzA8v9WBsPzHpTvLfOr+dS57LLPZBhp3ArHaLbdk33lIONRPt9sseDEkmdHnVmGmBRf4+J0Wy67mddOvz5rHH8uzY94raOayf20gzzcmqmot4hPXtDG4Y49MoFMMT2kcWck3EOTAH6QiGWkGJ7cxMfSL3S0niA6wgFJtfETETOZu8AVDgENgCJ3DS0bz/dhVKvs3WRkaKuuR/W0nnC2VDdaFj4+CRF8LGtn/8ERaH48TktH5BDyDVcF9zfJ75Scxcy23jAL2N6w3n/t3nnqoXt9Im4FprDr+mP1g2Z6Lf2YA0jE3kZalgZ6lNHu4CmvJYoOTSJw9X2qlGl1K+B4U327rG1tRxgjM76pN6lIS02PMECoyKJigpOSBu4V8+LVaUMezCJH9Qf4EKeZTHddQ1t96zvNd2s9ewSKx/DblXbKsBDzIdHJ+qi6+F9DIVM5/ICdtDdulOO+dr/BXB+pBZ3uVxjRANvJKKpdxkePyluITSNZHbanWRN07gMvwBWOL060i4VrL9er1sBQrRjU9iNpZQGTnLVAxQVFu" + ] +} diff --git a/security/manager/tools/crtshToIdentifyingStruct/crtshToIdentifyingStruct.py b/security/manager/tools/crtshToIdentifyingStruct/crtshToIdentifyingStruct.py new file mode 100644 index 0000000000..05e0842e2a --- /dev/null +++ b/security/manager/tools/crtshToIdentifyingStruct/crtshToIdentifyingStruct.py @@ -0,0 +1,156 @@ +#!/usr/bin/env python3 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +""" +This utility takes a series of https://crt.sh/ identifiers and writes to +stdout all of those certs' distinguished name or SPKI fields in hex, with an +array of all those. You'll need to post-process this list to handle any +duplicates. + +Requires Python 3. +""" +import argparse +import io +import re +import sys + +import requests +from cryptography import x509 +from cryptography.hazmat.backends import default_backend +from cryptography.hazmat.primitives import hashes +from cryptography.x509.oid import NameOID +from pyasn1.codec.der import decoder, encoder +from pyasn1_modules import pem, rfc5280 + +assert sys.version_info >= (3, 2), "Requires Python 3.2 or later" + + +def hex_string_for_struct(bytes): + return ["0x{:02X}".format(x) for x in bytes] + + +def hex_string_human_readable(bytes): + return ["{:02X}".format(x) for x in bytes] + + +def nameOIDtoString(oid): + if oid == NameOID.COUNTRY_NAME: + return "C" + if oid == NameOID.COMMON_NAME: + return "CN" + if oid == NameOID.LOCALITY_NAME: + return "L" + if oid == NameOID.ORGANIZATION_NAME: + return "O" + if oid == NameOID.ORGANIZATIONAL_UNIT_NAME: + return "OU" + raise Exception("Unknown OID: {}".format(oid)) + + +def print_block(pemData, identifierType="DN", crtshId=None): + substrate = pem.readPemFromFile(io.StringIO(pemData.decode("utf-8"))) + cert, _ = decoder.decode(substrate, asn1Spec=rfc5280.Certificate()) + octets = None + + if identifierType == "DN": + der_subject = encoder.encode(cert["tbsCertificate"]["subject"]) + octets = hex_string_for_struct(der_subject) + elif identifierType == "SPKI": + der_spki = encoder.encode(cert["tbsCertificate"]["subjectPublicKeyInfo"]) + octets = hex_string_for_struct(der_spki) + else: + raise Exception("Unknown identifier type: " + identifierType) + + cert = x509.load_pem_x509_certificate(pemData, default_backend()) + common_name = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0] + block_name = "CA{}{}".format( + re.sub(r"[-:=_. ]", "", common_name.value), identifierType + ) + + fingerprint = hex_string_human_readable(cert.fingerprint(hashes.SHA256())) + + dn_parts = [ + "/{id}={value}".format(id=nameOIDtoString(part.oid), value=part.value) + for part in cert.subject + ] + distinguished_name = "".join(dn_parts) + + print("// {dn}".format(dn=distinguished_name)) + print("// SHA256 Fingerprint: " + ":".join(fingerprint[:16])) + print("// " + ":".join(fingerprint[16:])) + if crtshId: + print("// https://crt.sh/?id={crtsh} (crt.sh ID={crtsh})".format(crtsh=crtshId)) + print("static const uint8_t {}[{}] = ".format(block_name, len(octets)) + "{") + + while len(octets) > 0: + print(" " + ", ".join(octets[:13]) + ",") + octets = octets[13:] + + print("};") + print() + + return block_name + + +if __name__ == "__main__": + parser = argparse.ArgumentParser() + parser.add_argument( + "-spki", + action="store_true", + help="Create a list of subject public key info fields", + ) + parser.add_argument( + "-dn", + action="store_true", + help="Create a list of subject distinguished name fields", + ) + parser.add_argument("-listname", help="Name of the final DataAndLength block") + parser.add_argument( + "certId", nargs="+", help="A list of PEM files on disk or crt.sh IDs" + ) + args = parser.parse_args() + + if not args.dn and not args.spki: + parser.print_help() + raise Exception("You must select either DN or SPKI matching") + + blocks = [] + + print( + "// Script from security/manager/tools/crtshToIdentifyingStruct/" + + "crtshToIdentifyingStruct.py" + ) + print("// Invocation: {}".format(" ".join(sys.argv))) + print() + + identifierType = None + if args.dn: + identifierType = "DN" + else: + identifierType = "SPKI" + + for certId in args.certId: + # Try a local file first, then crt.sh + try: + with open(certId, "rb") as pemFile: + blocks.append( + print_block(pemFile.read(), identifierType=identifierType) + ) + except OSError: + r = requests.get("https://crt.sh/?d={}".format(certId)) + r.raise_for_status() + blocks.append( + print_block(r.content, crtshId=certId, identifierType=identifierType) + ) + + print("static const DataAndLength " + args.listname + "[]= {") + for structName in blocks: + if len(structName) < 33: + print(" { " + "{name}, sizeof({name}) ".format(name=structName) + "},") + else: + print(" { " + "{},".format(structName)) + print(" sizeof({})".format(structName) + " },") + print("};") diff --git a/security/manager/tools/crtshToIdentifyingStruct/requirements.txt b/security/manager/tools/crtshToIdentifyingStruct/requirements.txt new file mode 100644 index 0000000000..c5c04ec1cc --- /dev/null +++ b/security/manager/tools/crtshToIdentifyingStruct/requirements.txt @@ -0,0 +1,4 @@ +cryptography >= 1.8 +requests >= 2.0 +pyasn1 >= 0.3 +pyasn1_modules >= 0.1
\ No newline at end of file diff --git a/security/manager/tools/dumpGoogleRoots.js b/security/manager/tools/dumpGoogleRoots.js new file mode 100644 index 0000000000..464febacc5 --- /dev/null +++ b/security/manager/tools/dumpGoogleRoots.js @@ -0,0 +1,108 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +// This file is a helper script that generates the list of certificates that +// make up the preloaded pinset for Google properties. +// +// How to run this file: +// 1. [obtain firefox source code] +// 2. [build/obtain firefox binaries] +// 3. run `[path to]/run-mozilla.sh [path to]/xpcshell dumpGoogleRoots.js' +// 4. [paste the output into the appropriate section in +// security/manager/tools/PreloadedHPKPins.json] + +Services.prefs.setBoolPref("network.process.enabled", false); + +function downloadRoots() { + let req = new XMLHttpRequest(); + req.open("GET", "https://pki.google.com/roots.pem", false); + try { + req.send(); + } catch (e) { + throw new Error("ERROR: problem downloading Google Root PEMs: " + e); + } + + if (req.status != 200) { + throw new Error( + "ERROR: problem downloading Google Root PEMs. Status: " + req.status + ); + } + + let pem = req.responseText; + let roots = []; + let currentPEM = ""; + let readingRoot = false; + let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + for (let line of pem.split(/[\r\n]/)) { + if (line == "-----END CERTIFICATE-----") { + if (currentPEM) { + roots.push(certDB.constructX509FromBase64(currentPEM)); + } + currentPEM = ""; + readingRoot = false; + continue; + } + if (readingRoot) { + currentPEM += line; + } + if (line == "-----BEGIN CERTIFICATE-----") { + readingRoot = true; + } + } + return roots; +} + +function makeFormattedNickname(cert, knownNicknames) { + if (cert.displayName in knownNicknames) { + return `"${cert.displayName}"`; + } + // Otherwise, this isn't a built-in and we have to comment it out. + return `// "${cert.displayName}"`; +} + +function gatherKnownNicknames() { + let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + let nicknames = {}; + for (let cert of certDB.getCerts()) { + nicknames[cert.displayName] = true; + } + return nicknames; +} + +var knownNicknames = gatherKnownNicknames(); +var roots = downloadRoots(); +var rootNicknames = []; +for (var root of roots) { + rootNicknames.push(makeFormattedNickname(root, knownNicknames)); +} +rootNicknames.sort(function (rootA, rootB) { + let rootALowercase = rootA.toLowerCase().replace(/(^[^"]*")|"/g, ""); + let rootBLowercase = rootB.toLowerCase().replace(/(^[^"]*")|"/g, ""); + if (rootALowercase < rootBLowercase) { + return -1; + } + if (rootALowercase > rootBLowercase) { + return 1; + } + return 0; +}); +dump(" {\n"); +dump(' "name": "google_root_pems",\n'); +dump(' "sha256_hashes": [\n'); +var first = true; +for (var nickname of rootNicknames) { + if (!first) { + dump(",\n"); + } + first = false; + dump(" " + nickname); +} +dump("\n"); +dump(" ]\n"); +dump(" }\n"); diff --git a/security/manager/tools/genRootCAHashes.js b/security/manager/tools/genRootCAHashes.js new file mode 100644 index 0000000000..be0233a0c0 --- /dev/null +++ b/security/manager/tools/genRootCAHashes.js @@ -0,0 +1,275 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +// How to run this file: +// 1. [obtain firefox source code] +// 2. [build/obtain firefox binaries] +// 3. run `[path to]/run-mozilla.sh [path to]/xpcshell genRootCAHashes.js \ +// [absolute path to]/RootHashes.inc' + +const nsX509CertDB = "@mozilla.org/security/x509certdb;1"; +const CertDb = Cc[nsX509CertDB].getService(Ci.nsIX509CertDB); + +const { FileUtils } = ChromeUtils.importESModule( + "resource://gre/modules/FileUtils.sys.mjs" +); +const { NetUtil } = ChromeUtils.importESModule( + "resource://gre/modules/NetUtil.sys.mjs" +); +const { CommonUtils } = ChromeUtils.importESModule( + "resource://services-common/utils.sys.mjs" +); + +const FILENAME_OUTPUT = "RootHashes.inc"; +const FILENAME_TRUST_ANCHORS = "KnownRootHashes.json"; +const ROOT_NOT_ASSIGNED = -1; + +const JSON_HEADER = `// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +// +//*************************************************************************** +// This is an automatically generated file. It's used to maintain state for +// runs of genRootCAHashes.js; you should never need to manually edit it +//*************************************************************************** + +// Notes: +// binNumber 1 used to be for "GTE_CyberTrust_Global_Root", but that root was +// removed from the built-in roots module, so now it is used to indicate that +// the certificate is not a built-in and was found in the softoken (cert9.db). + +// binNumber 2 used to be for "Thawte_Server_CA", but that root was removed from +// the built-in roots module, so now it is used to indicate that the certificate +// is not a built-in and was found on an external PKCS#11 token. + +// binNumber 3 used to be for "Thawte_Premium_Server_CA", but that root was +// removed from the built-in roots module, so now it is used to indicate that +// the certificate is not a built-in and was temporarily imported from the OS as +// part of the "Enterprise Roots" feature. + +`; + +const FILE_HEADER = + "/* This Source Code Form is subject to the terms of the Mozilla Public\n" + + " * License, v. 2.0. If a copy of the MPL was not distributed with this\n" + + " * file, You can obtain one at http://mozilla.org/MPL/2.0/. */\n" + + "\n" + + "/*****************************************************************************/\n" + + "/* This is an automatically generated file. If you're not */\n" + + "/* RootCertificateTelemetryUtils.cpp, you shouldn't be #including it. */\n" + + "/*****************************************************************************/\n" + + "\n" + + "#define HASH_LEN 32\n"; + +const FP_PREAMBLE = + "struct CertAuthorityHash {\n" + + " // See bug 1338873 about making these fields const.\n" + + " uint8_t hash[HASH_LEN];\n" + + " int32_t binNumber;\n" + + "};\n\n" + + "static const struct CertAuthorityHash ROOT_TABLE[] = {\n"; + +const FP_POSTAMBLE = "};\n"; + +// Helper +function writeString(fos, string) { + fos.write(string, string.length); +} + +// Remove all colons from a string +function stripColons(hexString) { + return hexString.replace(/:/g, ""); +} + +// Expect an array of bytes and make it C-formatted +function hexSlice(bytes, start, end) { + let ret = ""; + for (let i = start; i < end; i++) { + let hex = (0 + bytes.charCodeAt(i).toString(16)).slice(-2).toUpperCase(); + ret += "0x" + hex; + if (i < end - 1) { + ret += ", "; + } + } + return ret; +} + +function stripComments(buf) { + let lines = buf.split("\n"); + let entryRegex = /^\s*\/\//; + let data = ""; + for (let i = 0; i < lines.length; i++) { + let match = entryRegex.exec(lines[i]); + if (!match) { + data = data + lines[i]; + } + } + return data; +} + +// Load the trust anchors JSON object from disk +function loadTrustAnchors(file) { + if (file.exists()) { + let stream = Cc["@mozilla.org/network/file-input-stream;1"].createInstance( + Ci.nsIFileInputStream + ); + stream.init(file, -1, 0, 0); + let buf = NetUtil.readInputStreamToString(stream, stream.available()); + return JSON.parse(stripComments(buf)); + } + // If there's no input file, bootstrap. + return { roots: [], maxBin: 0 }; +} + +// Saves our persistence file so that we don't lose track of the mapping +// between bin numbers and the CA-hashes, even as CAs come and go. +function writeTrustAnchors(file) { + let fos = FileUtils.openSafeFileOutputStream(file); + + let serializedData = JSON.stringify(gTrustAnchors, null, " "); + fos.write(JSON_HEADER, JSON_HEADER.length); + fos.write(serializedData, serializedData.length); + + FileUtils.closeSafeFileOutputStream(fos); +} + +// Write the C++ header file +function writeRootHashes(fos) { + try { + writeString(fos, FILE_HEADER); + + // Output the sorted gTrustAnchors + writeString(fos, FP_PREAMBLE); + gTrustAnchors.roots.forEach(function (fp) { + let fpBytes = atob(fp.sha256Fingerprint); + + writeString(fos, " {\n"); + writeString(fos, " /* " + fp.label + " */\n"); + writeString(fos, " { " + hexSlice(fpBytes, 0, 16) + ",\n"); + writeString(fos, " " + hexSlice(fpBytes, 16, 32) + " },\n"); + writeString(fos, " " + fp.binNumber + " /* Bin Number */\n"); + + writeString(fos, " },\n"); + }); + writeString(fos, FP_POSTAMBLE); + + writeString(fos, "\n"); + } catch (e) { + dump("ERROR: problem writing output: " + e + "\n"); + } +} + +// Scan our list (linearly) for the given fingerprint string +function findTrustAnchorByFingerprint(sha256Fingerprint) { + for (let i = 0; i < gTrustAnchors.roots.length; i++) { + if (sha256Fingerprint == gTrustAnchors.roots[i].sha256Fingerprint) { + return i; + } + } + return ROOT_NOT_ASSIGNED; +} + +// Get a clean label for a given certificate; usually the common name. +function getLabelForCert(cert) { + let label = cert.commonName; + + if (label.length < 5) { + label = cert.subjectName; + } + + // replace non-ascii characters + label = label.replace(/[^[:ascii:]]/g, "_"); + // replace non-word characters + label = label.replace(/[^A-Za-z0-9]/g, "_"); + return label; +} + +// Fill in the gTrustAnchors list with trust anchors from the database. +function insertTrustAnchorsFromDatabase() { + // We only want CA certs for SSL + const CERT_TYPE = Ci.nsIX509Cert.CA_CERT; + const TRUST_TYPE = Ci.nsIX509CertDB.TRUSTED_SSL; + + // Iterate through the whole Cert DB + for (let cert of CertDb.getCerts()) { + // Find the certificate in our existing list. Do it here because we need to check if + // it's untrusted too. + + // If this is a trusted cert + if (CertDb.isCertTrusted(cert, CERT_TYPE, TRUST_TYPE)) { + // Base64 encode the hex string + let binaryFingerprint = CommonUtils.hexToBytes( + stripColons(cert.sha256Fingerprint) + ); + let encodedFingerprint = btoa(binaryFingerprint); + + // Scan to see if this is already in the database. + if ( + findTrustAnchorByFingerprint(encodedFingerprint) == ROOT_NOT_ASSIGNED + ) { + // Let's get a usable name; some old certs do not have CN= filled out + let label = getLabelForCert(cert); + + // Add to list + gTrustAnchors.maxBin += 1; + gTrustAnchors.roots.push({ + label, + binNumber: gTrustAnchors.maxBin, + sha256Fingerprint: encodedFingerprint, + }); + } + } + } +} + +// +// PRIMARY LOGIC +// + +if (arguments.length != 1) { + throw new Error( + "Usage: genRootCAHashes.js <absolute path to current RootHashes.inc>" + ); +} + +var trustAnchorsFile = new FileUtils.File( + PathUtils.join( + Services.dirsvc.get("CurWorkD", Ci.nsIFile).path, + FILENAME_TRUST_ANCHORS + ) +); +var rootHashesFile = Cc["@mozilla.org/file/local;1"].createInstance(Ci.nsIFile); +rootHashesFile.initWithPath(arguments[0]); + +// Open the known hashes file; this is to ensure stable bin numbers. +var gTrustAnchors = loadTrustAnchors(trustAnchorsFile); + +// Collect all certificate entries +insertTrustAnchorsFromDatabase(); + +// Update known hashes before we sort +writeTrustAnchors(trustAnchorsFile); + +// Sort all trust anchors before writing, as AccumulateRootCA.cpp +// will perform binary searches +gTrustAnchors.roots.sort(function (a, b) { + // We need to work from the binary values, not the base64 values. + let aBin = atob(a.sha256Fingerprint); + let bBin = atob(b.sha256Fingerprint); + + if (aBin < bBin) { + return -1; + } + if (aBin > bBin) { + return 1; + } + return 0; +}); + +// Write the output file. +var rootHashesFileOutputStream = + FileUtils.openSafeFileOutputStream(rootHashesFile); +writeRootHashes(rootHashesFileOutputStream); +FileUtils.closeSafeFileOutputStream(rootHashesFileOutputStream); diff --git a/security/manager/tools/getCTKnownLogs.py b/security/manager/tools/getCTKnownLogs.py new file mode 100755 index 0000000000..677791bffd --- /dev/null +++ b/security/manager/tools/getCTKnownLogs.py @@ -0,0 +1,330 @@ +#!/usr/bin/env python +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +""" +Parses a JSON file listing the known Certificate Transparency logs +(log_list.json) and generates a C++ header file to be included in Firefox. + +The current log_list.json file available under security/manager/tools +was originally downloaded from +https://www.certificate-transparency.org/known-logs +and edited to include the disqualification time for the disqualified logs using +https://cs.chromium.org/chromium/src/net/cert/ct_known_logs_static-inc.h +""" + +import argparse +import base64 +import datetime +import json +import os.path +import sys +import textwrap +from string import Template + +import six +import urllib3 + + +def decodebytes(s): + if six.PY3: + return base64.decodebytes(six.ensure_binary(s)) + return base64.decodestring(s) + + +OUTPUT_TEMPLATE = """\ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +/* This file was automatically generated by $prog. */ + +#ifndef $include_guard +#define $include_guard + +#include "CTLog.h" + +#include <stddef.h> + +struct CTLogInfo +{ + // See bug 1338873 about making these fields const. + const char* name; + // Index within kCTLogOperatorList. + mozilla::ct::CTLogStatus status; + // 0 for qualified logs, disqualification time for disqualified logs + // (in milliseconds, measured since the epoch, ignoring leap seconds). + uint64_t disqualificationTime; + size_t operatorIndex; + const char* key; + size_t keyLength; +}; + +struct CTLogOperatorInfo +{ + // See bug 1338873 about making these fields const. + const char* name; + mozilla::ct::CTLogOperatorId id; +}; + +const CTLogInfo kCTLogList[] = { +$logs +}; + +const CTLogOperatorInfo kCTLogOperatorList[] = { +$operators +}; + +#endif // $include_guard +""" + + +def get_disqualification_time(time_str): + """ + Convert a time string such as "2017-01-01T00:00:00Z" to an integer + representing milliseconds since the epoch. + Timezones in the string are not supported and will result in an exception. + """ + t = datetime.datetime.strptime(time_str, "%Y-%m-%dT%H:%M:%SZ") + epoch = datetime.datetime.utcfromtimestamp(0) + seconds_since_epoch = (t - epoch).total_seconds() + return int(seconds_since_epoch * 1000) + + +def get_hex_lines(blob, width): + """Convert a binary string to a multiline text of C escape sequences.""" + text = "".join(["\\x{:02x}".format(c) for c in blob]) + # When escaped, a single byte takes 4 chars (e.g. "\x00"). + # Make sure we don't break an escaped byte between the lines. + return textwrap.wrap(text, width - width % 4) + + +def get_operator_index(json_data, target_name): + """Return operator's entry from the JSON along with its array index.""" + matches = [ + (operator, index) + for (index, operator) in enumerate(json_data["operators"]) + if operator["name"] == target_name + ] + assert len(matches) != 0, "No operators with id {0} defined.".format(target_name) + assert len(matches) == 1, "Found multiple operators with id {0}.".format( + target_name + ) + return matches[0][1] + + +def get_log_info_structs(json_data): + """Return array of CTLogInfo initializers for the known logs.""" + tmpl = Template( + textwrap.dedent( + """\ + { $description, + $status, + $disqualification_time, // $disqualification_time_comment + $operator_index, // $operator_comment + $indented_log_key, + $log_key_len }""" + ) + ) + initializers = [] + for operator in json_data["operators"]: + operator_name = operator["name"] + for log in operator["logs"]: + log_key = decodebytes(log["key"]) + operator_index = get_operator_index(json_data, operator_name) + if "disqualification_time" in log: + status = "mozilla::ct::CTLogStatus::Disqualified" + disqualification_time = get_disqualification_time( + log["disqualification_time"] + ) + disqualification_time_comment = 'Date.parse("{0}")'.format( + log["disqualification_time"] + ) + else: + status = "mozilla::ct::CTLogStatus::Included" + disqualification_time = 0 + disqualification_time_comment = "no disqualification time" + is_test_log = "test_only" in operator and operator["test_only"] + prefix = "" + suffix = "," + if is_test_log: + prefix = "#ifdef DEBUG\n" + suffix = ",\n#endif // DEBUG" + toappend = tmpl.substitute( + # Use json.dumps for C-escaping strings. + # Not perfect but close enough. + description=json.dumps(log["description"]), + operator_index=operator_index, + operator_comment="operated by {0}". + # The comment must not contain "/". + format(operator_name).replace("/", "|"), + status=status, + disqualification_time=disqualification_time, + disqualification_time_comment=disqualification_time_comment, + # Maximum line width is 80. + indented_log_key="\n".join( + [' "{0}"'.format(l) for l in get_hex_lines(log_key, 74)] + ), + log_key_len=len(log_key), + ) + initializers.append(prefix + toappend + suffix) + return initializers + + +def get_log_operator_structs(json_data): + """Return array of CTLogOperatorInfo initializers.""" + tmpl = Template(" { $name, $id }") + initializers = [] + currentId = 0 + for operator in json_data["operators"]: + prefix = "" + suffix = "," + is_test_log = "test_only" in operator and operator["test_only"] + if is_test_log: + prefix = "#ifdef DEBUG\n" + suffix = ",\n#endif // DEBUG" + toappend = tmpl.substitute(name=json.dumps(operator["name"]), id=currentId) + currentId += 1 + initializers.append(prefix + toappend + suffix) + return initializers + + +def generate_cpp_header_file(json_data, out_file): + """Generate the C++ header file for the known logs.""" + filename = os.path.basename(out_file.name) + include_guard = filename.replace(".", "_").replace("/", "_") + log_info_initializers = get_log_info_structs(json_data) + operator_info_initializers = get_log_operator_structs(json_data) + out_file.write( + Template(OUTPUT_TEMPLATE).substitute( + prog=os.path.basename(sys.argv[0]), + include_guard=include_guard, + logs="\n".join(log_info_initializers), + operators="\n".join(operator_info_initializers), + ) + ) + + +def patch_in_test_logs(json_data): + """Insert Mozilla-specific test log data.""" + max_id = len(json_data["operators"]) + mozilla_test_operator_1 = { + "name": "Mozilla Test Org 1", + "id": max_id + 1, + "test_only": True, + "logs": [ + { + "description": "Mozilla Test RSA Log 1", + # `openssl x509 -noout -pubkey -in <path/to/default-ee.pem>` + "key": """ + MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2 + ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdF + h/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6n + cOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAv + OnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2nj + tIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXt + jQIDAQAB + """, + "operated_by": [max_id + 1], + }, + { + "description": "Mozilla Test EC Log", + # `openssl x509 -noout -pubkey -in <path/to/root_secp256r1_256.pem` + "key": """ + MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAET7+7u2Hg+PmxpgpZrIcE4uwFC0I+ + PPcukj8sT3lLRVwqadIzRWw2xBGdBwbgDu3I0ZOQ15kbey0HowTqoEqmwA== + """, + "operated_by": [max_id + 1], + }, + ], + } + mozilla_test_operator_2 = { + "name": "Mozilla Test Org 2", + "id": max_id + 2, + "test_only": True, + "logs": [ + { + "description": "Mozilla Test RSA Log 2", + # `openssl x509 -noout -pubkey -in <path/to/other-test-ca.pem>` + "key": """ + MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwXXGUmYJn3cIKmeR8bh2 + w39c5TiwbErNIrHL1G+mWtoq3UHIwkmKxKOzwfYUh/QbaYlBvYClHDwSAkTFhKTE + SDMF5ROMAQbPCL6ahidguuai6PNvI8XZgxO53683g0XazlHU1tzSpss8xwbrzTBw + 7JjM5AqlkdcpWn9xxb5maR0rLf7ISURZC8Wj6kn9k7HXU0BfF3N2mZWGZiVHl+1C + aQiICBFCIGmYikP+5Izmh4HdIramnNKDdRMfkysSjOKG+n0lHAYq0n7wFvGHzdVO + gys1uJMPdLqQqovHYWckKrH9bWIUDRjEwLjGj8N0hFcyStfehuZVLx0eGR1xIWjT + uwIDAQAB + """, + "operated_by": [max_id + 2], + } + ], + } + json_data["operators"].append(mozilla_test_operator_1) + json_data["operators"].append(mozilla_test_operator_2) + + +def run(args): + """ + Load the input JSON file and generate the C++ header according to the + command line arguments. + """ + if args.file: + print("Reading file: ", args.file) + with open(args.file, "rb") as json_file: + json_text = json_file.read() + elif args.url: + print("Fetching URL: ", args.url) + json_request = urllib3.urlopen(args.url) + try: + json_text = json_request.read() + finally: + json_request.close() + + json_data = json.loads(json_text) + + print("Writing output: ", args.out) + + patch_in_test_logs(json_data) + + with open(args.out, "w") as out_file: + generate_cpp_header_file(json_data, out_file) + + print("Done.") + + +def parse_arguments_and_run(): + """Parse the command line arguments and run the program.""" + arg_parser = argparse.ArgumentParser( + description="Parses a JSON file listing the known " + "Certificate Transparency logs and generates " + "a C++ header file to be included in Firefox.", + epilog="Example: python %s --url" % os.path.basename(sys.argv[0]), + ) + + source_group = arg_parser.add_mutually_exclusive_group(required=True) + source_group.add_argument( + "--file", + nargs="?", + const="log_list.json", + help="Read the known CT logs JSON data from the " + "specified local file (%(const)s by default).", + ) + source_group.add_argument( + "--url", help="Download the known CT logs JSON file " "from the specified URL." + ) + + arg_parser.add_argument( + "--out", + default="../../certverifier/CTKnownLogs.h", + help="Path and filename of the header file " + "to be generated. Defaults to %(default)s", + ) + + run(arg_parser.parse_args()) + + +if __name__ == "__main__": + parse_arguments_and_run() diff --git a/security/manager/tools/log_list.json b/security/manager/tools/log_list.json new file mode 100644 index 0000000000..39c0952634 --- /dev/null +++ b/security/manager/tools/log_list.json @@ -0,0 +1,403 @@ +{ + "version": "20.36", + "log_list_timestamp": "2023-04-11T12:55:27Z", + "operators": [ + { + "name": "Google", + "email": [ + "google-ct-logs@googlegroups.com" + ], + "logs": [ + { + "description": "Google 'Argon2023' log", + "log_id": "6D7Q2j71BjUy51covIlryQPTy9ERa+zraeF3fW0GvW4=", + "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0JCPZFJOQqyEti5M8j13ALN3CAVHqkVM4yyOcKWCu2yye5yYeqDpEXYoALIgtM3TmHtNlifmt+4iatGwLpF3eA==", + "url": "https://ct.googleapis.com/logs/argon2023/", + "mmd": 86400, + "state": { + "usable": { + "timestamp": "2019-12-17T18:38:01Z" + } + }, + "temporal_interval": { + "start_inclusive": "2023-01-01T00:00:00Z", + "end_exclusive": "2024-01-01T00:00:00Z" + } + }, + { + "description": "Google 'Argon2024' log", + "log_id": "7s3QZNXbGs7FXLedtM0TojKHRny87N7DUUhZRnEftZs=", + "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEHblsqctplMVc5ramA7vSuNxUQxcomQwGAVAdnWTAWUYr3MgDHQW0LagJ95lB7QT75Ve6JgT2EVLOFGU7L3YrwA==", + "url": "https://ct.googleapis.com/logs/us1/argon2024/", + "mmd": 86400, + "state": { + "usable": { + "timestamp": "2022-11-01T18:54:00Z" + } + }, + "temporal_interval": { + "start_inclusive": "2024-01-01T00:00:00Z", + "end_exclusive": "2025-01-01T00:00:00Z" + } + }, + { + "description": "Google 'Xenon2023' log", + "log_id": "rfe++nz/EMiLnT2cHj4YarRnKV3PsQwkyoWGNOvcgoo=", + "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEchY+C+/vzj5g3ZXLY3q5qY1Kb2zcYYCmRV4vg6yU84WI0KV00HuO/8XuQqLwLZPjwtCymeLhQunSxgAnaXSuzg==", + "url": "https://ct.googleapis.com/logs/xenon2023/", + "mmd": 86400, + "state": { + "usable": { + "timestamp": "2019-12-17T18:38:01Z" + } + }, + "temporal_interval": { + "start_inclusive": "2023-01-01T00:00:00Z", + "end_exclusive": "2024-01-01T00:00:00Z" + } + }, + { + "description": "Google 'Xenon2024' log", + "log_id": "dv+IPwq2+5VRwmHM9Ye6NLSkzbsp3GhCCp/mZ0xaOnQ=", + "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEuWDgNB415GUAk0+QCb1a7ETdjA/O7RE+KllGmjG2x5n33O89zY+GwjWlPtwpurvyVOKoDIMIUQbeIW02UI44TQ==", + "url": "https://ct.googleapis.com/logs/eu1/xenon2024/", + "mmd": 86400, + "state": { + "usable": { + "timestamp": "2022-11-01T18:54:00Z" + } + }, + "temporal_interval": { + "start_inclusive": "2024-01-01T00:00:00Z", + "end_exclusive": "2025-01-01T00:00:00Z" + } + }, + { + "description": "Google 'Icarus' log", + "log_id": "KTxRllTIOWW6qlD8WAfUt2+/WHopctykwwz05UVH9Hg=", + "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETtK8v7MICve56qTHHDhhBOuV4IlUaESxZryCfk9QbG9co/CqPvTsgPDbCpp6oFtyAHwlDhnvr7JijXRD9Cb2FA==", + "url": "https://ct.googleapis.com/icarus/", + "mmd": 86400, + "state": { + "retired": { + "timestamp": "2022-09-15T00:00:00Z" + } + } + }, + { + "description": "Google 'Pilot' log", + "log_id": "pLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BA=", + "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfahLEimAoz2t01p3uMziiLOl/fHTDM0YDOhBRuiBARsV4UvxG2LdNgoIGLrtCzWE0J5APC2em4JlvR8EEEFMoA==", + "url": "https://ct.googleapis.com/pilot/", + "mmd": 86400, + "state": { + "retired": { + "timestamp": "2022-09-15T00:00:00Z" + } + } + }, + { + "description": "Google 'Rocketeer' log", + "log_id": "7ku9t3XOYLrhQmkfq+GeZqMPfl+wctiDAMR7iXqo/cs=", + "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIFsYyDzBi7MxCAC/oJBXK7dHjG+1aLCOkHjpoHPqTyghLpzA9BYbqvnV16mAw04vUjyYASVGJCUoI3ctBcJAeg==", + "url": "https://ct.googleapis.com/rocketeer/", + "mmd": 86400, + "state": { + "retired": { + "timestamp": "2022-09-15T00:00:00Z" + } + } + }, + { + "description": "Google 'Skydiver' log", + "log_id": "u9nfvB+KcbWTlCOXqpJ7RzhXlQqrUugakJZkNo4e0YU=", + "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEmyGDvYXsRJsNyXSrYc9DjHsIa2xzb4UR7ZxVoV6mrc9iZB7xjI6+NrOiwH+P/xxkRmOFG6Jel20q37hTh58rA==", + "url": "https://ct.googleapis.com/skydiver/", + "mmd": 86400, + "state": { + "retired": { + "timestamp": "2022-09-15T00:00:00Z" + } + } + } + ] + }, + { + "name": "Cloudflare", + "email": [ + "ct-logs@cloudflare.com", + "brendan@cloudflare.com", + "nick@cloudflare.com", + "pat@cloudflare.com", + "zi@cloudflare.com", + "ivan@cloudflare.com" + ], + "logs": [ + { + "description": "Cloudflare 'Nimbus2023' Log", + "log_id": "ejKMVNi3LbYg6jjgUh7phBZwMhOFTTvSK8E6V6NS61I=", + "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEi/8tkhjLRp0SXrlZdTzNkTd6HqmcmXiDJz3fAdWLgOhjmv4mohvRhwXul9bgW0ODgRwC9UGAgH/vpGHPvIS1qA==", + "url": "https://ct.cloudflare.com/logs/nimbus2023/", + "mmd": 86400, + "state": { + "usable": { + "timestamp": "2019-10-31T19:22:00Z" + } + }, + "temporal_interval": { + "start_inclusive": "2023-01-01T00:00:00Z", + "end_exclusive": "2024-01-01T00:00:00Z" + } + }, + { + "description": "Cloudflare 'Nimbus2024' Log", + "log_id": "2ra/az+1tiKfm8K7XGvocJFxbLtRhIU0vaQ9MEjX+6s=", + "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEd7Gbe4/mizX+OpIpLayKjVGKJfyTttegiyk3cR0zyswz6ii5H+Ksw6ld3Ze+9p6UJd02gdHrXSnDK0TxW8oVSA==", + "url": "https://ct.cloudflare.com/logs/nimbus2024/", + "mmd": 86400, + "state": { + "usable": { + "timestamp": "2022-11-30T17:00:00Z" + } + }, + "temporal_interval": { + "start_inclusive": "2024-01-01T00:00:00Z", + "end_exclusive": "2025-01-01T00:00:00Z" + } + } + ] + }, + { + "name": "DigiCert", + "email": [ + "ctops@digicert.com" + ], + "logs": [ + { + "description": "DigiCert Yeti2023 Log", + "log_id": "Nc8ZG7+xbFe/D61MbULLu7YnICZR6j/hKu+oA8M71kw=", + "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfQ0DsdWYitzwFTvG3F4Nbj8Nv5XIVYzQpkyWsU4nuSYlmcwrAp6m092fsdXEw6w1BAeHlzaqrSgNfyvZaJ9y0Q==", + "url": "https://yeti2023.ct.digicert.com/log/", + "mmd": 86400, + "state": { + "retired": { + "timestamp": "2022-09-29T00:00:00Z" + } + }, + "temporal_interval": { + "start_inclusive": "2023-01-01T00:00:00Z", + "end_exclusive": "2024-01-01T00:00:00Z" + } + }, + { + "description": "DigiCert Yeti2024 Log", + "log_id": "SLDja9qmRzQP5WoC+p0w6xxSActW3SyB2bu/qznYhHM=", + "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEV7jBbzCkfy7k8NDZYGITleN6405Tw7O4c4XBGA0jDliE0njvm7MeLBrewY+BGxlEWLcAd2AgGnLYgt6unrHGSw==", + "url": "https://yeti2024.ct.digicert.com/log/", + "mmd": 86400, + "state": { + "usable": { + "timestamp": "2022-11-01T18:54:00Z" + } + }, + "temporal_interval": { + "start_inclusive": "2024-01-01T00:00:00Z", + "end_exclusive": "2025-01-01T00:00:00Z" + } + }, + { + "description": "DigiCert Yeti2025 Log", + "log_id": "fVkeEuF4KnscYWd8Xv340IdcFKBOlZ65Ay/ZDowuebg=", + "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE35UAXhDBAfc34xB00f+yypDtMplfDDn+odETEazRs3OTIMITPEy1elKGhj3jlSR82JGYSDvw8N8h8bCBWlklQw==", + "url": "https://yeti2025.ct.digicert.com/log/", + "mmd": 86400, + "state": { + "usable": { + "timestamp": "2022-11-01T18:54:00Z" + } + }, + "temporal_interval": { + "start_inclusive": "2025-01-01T00:00:00Z", + "end_exclusive": "2026-01-01T00:00:00Z" + } + }, + { + "description": "DigiCert Nessie2023 Log", + "log_id": "s3N3B+GEUPhjhtYFqdwRCUp5LbFnDAuH3PADDnk2pZo=", + "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEXu8iQwSCRSf2CbITGpUpBtFVt8+I0IU0d1C36Lfe1+fbwdaI0Z5FktfM2fBoI1bXBd18k2ggKGYGgdZBgLKTg==", + "url": "https://nessie2023.ct.digicert.com/log/", + "mmd": 86400, + "state": { + "usable": { + "timestamp": "2019-10-31T19:22:00Z" + } + }, + "temporal_interval": { + "start_inclusive": "2023-01-01T00:00:00Z", + "end_exclusive": "2024-01-01T00:00:00Z" + } + }, + { + "description": "DigiCert Nessie2024 Log", + "log_id": "c9meiRtMlnigIH1HneayxhzQUV5xGSqMa4AQesF3crU=", + "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELfyieza/VpHp/j/oPfzDp+BhUuos6QWjnycXgQVwa4FhRIr4OxCAQu0DLwBQIfxBVISjVNUusnoWSyofK2YEKw==", + "url": "https://nessie2024.ct.digicert.com/log/", + "mmd": 86400, + "state": { + "usable": { + "timestamp": "2022-11-01T18:54:00Z" + } + }, + "temporal_interval": { + "start_inclusive": "2024-01-01T00:00:00Z", + "end_exclusive": "2025-01-01T00:00:00Z" + } + }, + { + "description": "DigiCert Nessie2025 Log", + "log_id": "5tIxY0B3jMEQQQbXcbnOwdJA9paEhvu6hzId/R43jlA=", + "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8vDwp4uBLgk5O59C2jhEX7TM7Ta72EN/FklXhwR/pQE09+hoP7d4H2BmLWeadYC3U6eF1byrRwZV27XfiKFvOA==", + "url": "https://nessie2025.ct.digicert.com/log/", + "mmd": 86400, + "state": { + "usable": { + "timestamp": "2022-11-01T18:54:00Z" + } + }, + "temporal_interval": { + "start_inclusive": "2025-01-01T00:00:00Z", + "end_exclusive": "2026-01-01T00:00:00Z" + } + } + ] + }, + { + "name": "Sectigo", + "email": [ + "ctops@sectigo.com" + ], + "logs": [ + { + "description": "Sectigo 'Sabre' CT log", + "log_id": "VYHUwhaQNgFK6gubVzxT8MDkOHhwJQgXL6OqHQcT0ww=", + "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8m/SiQ8/xfiHHqtls9m7FyOMBg4JVZY9CgiixXGz0akvKD6DEL8S0ERmFe9U4ZiA0M4kbT5nmuk3I85Sk4bagA==", + "url": "https://sabre.ct.comodo.com/", + "mmd": 86400, + "state": { + "usable": { + "timestamp": "2017-10-10T00:38:10Z" + } + } + }, + { + "description": "Sectigo 'Mammoth' CT log", + "log_id": "b1N2rDHwMRnYmQCkURX/dxUcEdkCwQApBo2yCJo32RM=", + "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7+R9dC4VFbbpuyOL+yy14ceAmEf7QGlo/EmtYU6DRzwat43f/3swtLr/L8ugFOOt1YU/RFmMjGCL17ixv66MZw==", + "url": "https://mammoth.ct.comodo.com/", + "mmd": 86400, + "state": { + "retired": { + "timestamp": "2023-01-15T00:00:00Z" + } + } + } + ] + }, + { + "name": "Let's Encrypt", + "email": [ + "sre@letsencrypt.org" + ], + "logs": [ + { + "description": "Let's Encrypt 'Oak2023' log", + "log_id": "tz77JN+cTbp18jnFulj0bF38Qs96nzXEnh0JgSXttJk=", + "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEsz0OeL7jrVxEXJu+o4QWQYLKyokXHiPOOKVUL3/TNFFquVzDSer7kZ3gijxzBp98ZTgRgMSaWgCmZ8OD74mFUQ==", + "url": "https://oak.ct.letsencrypt.org/2023/", + "mmd": 86400, + "state": { + "usable": { + "timestamp": "2021-03-01T19:24:00Z" + } + }, + "temporal_interval": { + "start_inclusive": "2023-01-01T00:00:00Z", + "end_exclusive": "2024-01-07T00:00:00Z" + } + }, + { + "description": "Let's Encrypt 'Oak2024H1' log", + "log_id": "O1N3dT4tuYBOizBbBv5AO2fYT8P0x70ADS1yb+H61Bc=", + "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEVkPXfnvUcre6qVG9NpO36bWSD+pet0Wjkv3JpTyArBog7yUvuOEg96g6LgeN5uuk4n0kY59Gv5RzUo2Wrqkm/Q==", + "url": "https://oak.ct.letsencrypt.org/2024h1/", + "mmd": 86400, + "state": { + "usable": { + "timestamp": "2022-11-30T17:00:00Z" + } + }, + "temporal_interval": { + "start_inclusive": "2023-12-20T00:00:00Z", + "end_exclusive": "2024-07-20T00:00:00Z" + } + }, + { + "description": "Let's Encrypt 'Oak2024H2' log", + "log_id": "PxdLT9ciR1iUHWUchL4NEu2QN38fhWrrwb8ohez4ZG4=", + "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE13PWU0fp88nVfBbC1o9wZfryUTapE4Av7fmU01qL6E8zz8PTidRfWmaJuiAfccvKu5+f81wtHqOBWa+Ss20waA==", + "url": "https://oak.ct.letsencrypt.org/2024h2/", + "mmd": 86400, + "state": { + "usable": { + "timestamp": "2022-11-30T17:00:00Z" + } + }, + "temporal_interval": { + "start_inclusive": "2024-06-20T00:00:00Z", + "end_exclusive": "2025-01-20T00:00:00Z" + } + } + ] + }, + { + "name": "TrustAsia", + "email": [ + "trustasia-ct-logs@trustasia.com" + ], + "logs": [ + { + "description": "Trust Asia Log2023", + "log_id": "6H6nZgvCbPYALvVyXT/g4zG5OTu5L79Y6zuQSdr1Q1o=", + "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEpBFS2xdBTpDUVlESMFL4mwPPTJ/4Lji18Vq6+ji50o8agdqVzDPsIShmxlY+YDYhINnUrF36XBmhBX3+ICP89Q==", + "url": "https://ct.trustasia.com/log2023/", + "mmd": 86400, + "state": { + "usable": { + "timestamp": "2021-03-01T19:24:00Z" + } + }, + "temporal_interval": { + "start_inclusive": "2023-01-01T00:00:00Z", + "end_exclusive": "2024-01-01T00:00:00Z" + } + }, + { + "description": "Trust Asia Log2024-2", + "log_id": "h0+1DcAp2ZMd5XPp8omejkUzs5LTiwpGJXS/D+6y/B4=", + "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEp2TieYE/YdfsxvhlKB2gtGYzwyXVCpV4nI/+pCrYj35y4P6of/ixLYXAjhJ0DS+Mq9d/eh7ZhDM56P2JX5ZICA==", + "url": "https://ct2024.trustasia.com/log2024/", + "mmd": 86400, + "state": { + "usable": { + "timestamp": "2023-02-03T08:00:00Z" + } + }, + "temporal_interval": { + "start_inclusive": "2024-01-01T00:00:00Z", + "end_exclusive": "2025-01-01T00:00:00Z" + } + } + ] + } + ] +}
\ No newline at end of file diff --git a/security/manager/tools/mach_commands.py b/security/manager/tools/mach_commands.py new file mode 100644 index 0000000000..e543821dbe --- /dev/null +++ b/security/manager/tools/mach_commands.py @@ -0,0 +1,129 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +import os + +from mach.decorators import Command, CommandArgument +from mach.util import UserError +from mozpack.files import FileFinder +from mozpack.path import basedir + + +def run_module_main_on(module, input_filename, output_is_binary): + """Run the given module (pycert or pykey) on the given + file.""" + # By convention, the specification files have names of the form + # "name.ext.*spec", where "ext" is some extension, and the "*" in + # "*spec" identifies what kind of specification it represents + # (certspec or keyspec). Taking off the ".*spec" part results in the + # desired filename for this file. + output_filename = os.path.splitext(input_filename)[0] + mode = "w" + encoding = "utf-8" + newline = "\n" + if output_is_binary: + mode = "wb" + encoding = None + newline = None + with open(output_filename, mode=mode, encoding=encoding, newline=newline) as output: + module.main(output, input_filename) + + +def is_certspec_file(filename): + """Returns True if the given filename is a certificate + specification file (.certspec) and False otherwise.""" + return filename.endswith(".certspec") + + +def is_keyspec_file(filename): + """Returns True if the given filename is a key specification + file (.keyspec) and False otherwise.""" + return filename.endswith(".keyspec") + + +def is_pkcs12spec_file(filename): + """Returns True if the given filename is a pkcs12 + specification file (.pkcs12spec) and False otherwise.""" + return filename.endswith(".pkcs12spec") + + +def is_specification_file(filename): + """Returns True if the given filename is a specification + file supported by this script, and False otherewise.""" + return ( + is_certspec_file(filename) + or is_keyspec_file(filename) + or is_pkcs12spec_file(filename) + ) + + +def is_excluded_directory(directory, exclusions): + """Returns True if the given directory is in or is a + subdirectory of a directory in the list of exclusions and + False otherwise.""" + + for exclusion in exclusions: + if directory.startswith(exclusion): + return True + return False + + +@Command( + "generate-test-certs", + category="devenv", + description="Generate test certificates and keys from specifications.", +) +@CommandArgument( + "specifications", + nargs="*", + help="Specification files for test certs. If omitted, all certs are regenerated.", +) +def generate_test_certs(command_context, specifications): + """Generate test certificates and keys from specifications.""" + import pycert + import pykey + import pypkcs12 + + if not specifications: + specifications = find_all_specifications(command_context) + + for specification in specifications: + output_is_binary = False + if is_certspec_file(specification): + module = pycert + elif is_keyspec_file(specification): + module = pykey + elif is_pkcs12spec_file(specification): + module = pypkcs12 + output_is_binary = True + else: + raise UserError( + "'{}' is not a .certspec, .keyspec, or .pkcs12spec file".format( + specification + ) + ) + run_module_main_on(module, os.path.abspath(specification), output_is_binary) + return 0 + + +def find_all_specifications(command_context): + """Searches the source tree for all specification files + and returns them as a list.""" + specifications = [] + inclusions = [ + "netwerk/test/unit", + "security/manager/ssl/tests", + "services/settings/test/unit/test_remote_settings_signatures", + "testing/xpcshell/moz-http2", + "toolkit/mozapps/extensions/test/xpcshell/data/productaddons", + ] + exclusions = ["security/manager/ssl/tests/unit/test_signed_apps"] + finder = FileFinder(command_context.topsrcdir) + for inclusion_path in inclusions: + for f, _ in finder.find(inclusion_path): + if basedir(f, exclusions): + continue + if is_specification_file(f): + specifications.append(os.path.join(command_context.topsrcdir, f)) + return specifications diff --git a/security/manager/tools/pycert.py b/security/manager/tools/pycert.py new file mode 100755 index 0000000000..2fe90515e1 --- /dev/null +++ b/security/manager/tools/pycert.py @@ -0,0 +1,805 @@ +#!/usr/bin/env python +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +""" +Reads a certificate specification from stdin or a file and outputs a +signed x509 certificate with the desired properties. + +The input format is as follows: + +issuer:<issuer distinguished name specification> +subject:<subject distinguished name specification> +[version:{1,2,3,4}] +[validity:<YYYYMMDD-YYYYMMDD|duration in days>] +[issuerKey:<key specification>] +[subjectKey:<key specification>] +[signature:{sha256WithRSAEncryption,sha1WithRSAEncryption, + md5WithRSAEncryption,ecdsaWithSHA256,ecdsaWithSHA384, + ecdsaWithSHA512}] +[serialNumber:<integer in the interval [1, 127]>] +[extension:<extension name:<extension-specific data>>] +[...] + +Known extensions are: +basicConstraints:[cA],[pathLenConstraint] +keyUsage:[digitalSignature,nonRepudiation,keyEncipherment, + dataEncipherment,keyAgreement,keyCertSign,cRLSign] +extKeyUsage:[serverAuth,clientAuth,codeSigning,emailProtection + nsSGC, # Netscape Server Gated Crypto + OCSPSigning,timeStamping] +subjectAlternativeName:[<dNSName|directoryName|"ip4:"iPV4Address>,...] +authorityInformationAccess:<OCSP URI> +certificatePolicies:[<policy OID>,...] +nameConstraints:{permitted,excluded}:[<dNSName|directoryName>,...] +nsCertType:sslServer +TLSFeature:[<TLSFeature>,...] +embeddedSCTList:[<key specification>:<YYYYMMDD>,...] +delegationUsage: + +Where: + [] indicates an optional field or component of a field + <> indicates a required component of a field + {} indicates a choice of exactly one value among a set of values + [a,b,c] indicates a list of potential values, of which zero or more + may be used + +For instance, the version field is optional. However, if it is +specified, it must have exactly one value from the set {1,2,3,4}. + +Most fields have reasonable default values. By default one shared RSA +key is used for all signatures and subject public key information +fields. Using "issuerKey:<key specification>" or +"subjectKey:<key specification>" causes a different key be used for +signing or as the subject public key information field, respectively. +See pykey.py for the list of available specifications. +The signature algorithm is sha256WithRSAEncryption by default. + +The validity period may be specified as either concrete notBefore and +notAfter values or as a validity period centered around 'now'. For the +latter, this will result in a notBefore of 'now' - duration/2 and a +notAfter of 'now' + duration/2. + +Issuer and subject distinguished name specifications are of the form +'[stringEncoding]/C=XX/O=Example/CN=example.com'. C (country name), ST +(state or province name), L (locality name), O (organization name), OU +(organizational unit name), CN (common name) and emailAddress (email +address) are currently supported. The optional stringEncoding field may +be 'utf8String' or 'printableString'. If the given string does not +contain a '/', it is assumed to represent a common name. If an empty +string is provided, then an empty distinguished name is returned. +DirectoryNames also use this format. When specifying a directoryName in +a nameConstraints extension, the implicit form may not be used. + +If an extension name has '[critical]' after it, it will be marked as +critical. Otherwise (by default), it will not be marked as critical. + +TLSFeature values can either consist of a named value (currently only +'OCSPMustStaple' which corresponds to status_request) or a numeric TLS +feature value (see rfc7633 for more information). + +If a serial number is not explicitly specified, it is automatically +generated based on the contents of the certificate. +""" + +import base64 +import datetime +import hashlib +import re +import socket +import sys +from struct import pack + +import pyct +import pykey +import six +from pyasn1.codec.der import decoder, encoder +from pyasn1.type import constraint, tag, univ, useful +from pyasn1_modules import rfc2459 + + +class Error(Exception): + """Base class for exceptions in this module.""" + + pass + + +class UnknownBaseError(Error): + """Base class for handling unexpected input in this module.""" + + def __init__(self, value): + super(UnknownBaseError, self).__init__() + self.value = value + self.category = "input" + + def __str__(self): + return 'Unknown %s type "%s"' % (self.category, repr(self.value)) + + +class UnknownAlgorithmTypeError(UnknownBaseError): + """Helper exception type to handle unknown algorithm types.""" + + def __init__(self, value): + UnknownBaseError.__init__(self, value) + self.category = "algorithm" + + +class UnknownParameterTypeError(UnknownBaseError): + """Helper exception type to handle unknown input parameters.""" + + def __init__(self, value): + UnknownBaseError.__init__(self, value) + self.category = "parameter" + + +class UnknownExtensionTypeError(UnknownBaseError): + """Helper exception type to handle unknown input extensions.""" + + def __init__(self, value): + UnknownBaseError.__init__(self, value) + self.category = "extension" + + +class UnknownKeyPurposeTypeError(UnknownBaseError): + """Helper exception type to handle unknown key purposes.""" + + def __init__(self, value): + UnknownBaseError.__init__(self, value) + self.category = "keyPurpose" + + +class UnknownKeyTargetError(UnknownBaseError): + """Helper exception type to handle unknown key targets.""" + + def __init__(self, value): + UnknownBaseError.__init__(self, value) + self.category = "key target" + + +class UnknownVersionError(UnknownBaseError): + """Helper exception type to handle unknown specified versions.""" + + def __init__(self, value): + UnknownBaseError.__init__(self, value) + self.category = "version" + + +class UnknownNameConstraintsSpecificationError(UnknownBaseError): + """Helper exception type to handle unknown specified + nameConstraints.""" + + def __init__(self, value): + UnknownBaseError.__init__(self, value) + self.category = "nameConstraints specification" + + +class UnknownDNTypeError(UnknownBaseError): + """Helper exception type to handle unknown DN types.""" + + def __init__(self, value): + UnknownBaseError.__init__(self, value) + self.category = "DN" + + +class UnknownNSCertTypeError(UnknownBaseError): + """Helper exception type to handle unknown nsCertType types.""" + + def __init__(self, value): + UnknownBaseError.__init__(self, value) + self.category = "nsCertType" + + +class UnknownTLSFeature(UnknownBaseError): + """Helper exception type to handle unknown TLS Features.""" + + def __init__(self, value): + UnknownBaseError.__init__(self, value) + self.category = "TLSFeature" + + +class UnknownDelegatedCredentialError(UnknownBaseError): + """Helper exception type to handle unknown Delegated Credential args.""" + + def __init__(self, value): + UnknownBaseError.__init__(self, value) + self.category = "delegatedCredential" + + +class InvalidSCTSpecification(Error): + """Helper exception type to handle invalid SCT specifications.""" + + def __init__(self, value): + super(InvalidSCTSpecification, self).__init__() + self.value = value + + def __str__(self): + return repr('invalid SCT specification "{}"' % self.value) + + +class InvalidSerialNumber(Error): + """Exception type to handle invalid serial numbers.""" + + def __init__(self, value): + super(InvalidSerialNumber, self).__init__() + self.value = value + + def __str__(self): + return repr(self.value) + + +def getASN1Tag(asn1Type): + """Helper function for returning the base tag value of a given + type from the pyasn1 package""" + return asn1Type.tagSet.baseTag.tagId + + +def stringToAccessDescription(string): + """Helper function that takes a string representing a URI + presumably identifying an OCSP authority information access + location. Returns an AccessDescription usable by pyasn1.""" + accessMethod = rfc2459.id_ad_ocsp + accessLocation = rfc2459.GeneralName() + accessLocation["uniformResourceIdentifier"] = string + sequence = univ.Sequence() + sequence.setComponentByPosition(0, accessMethod) + sequence.setComponentByPosition(1, accessLocation) + return sequence + + +def stringToDN(string, tag=None): + """Takes a string representing a distinguished name or directory + name and returns a Name for use by pyasn1. See the documentation + for the issuer and subject fields for more details. Takes an + optional implicit tag in cases where the Name needs to be tagged + differently.""" + if string and "/" not in string: + string = "/CN=%s" % string + rdns = rfc2459.RDNSequence() + pattern = "/(C|ST|L|O|OU|CN|emailAddress)=" + split = re.split(pattern, string) + # split should now be [[encoding], <type>, <value>, <type>, <value>, ...] + if split[0]: + encoding = split[0] + else: + encoding = "utf8String" + for pos, (nameType, value) in enumerate(zip(split[1::2], split[2::2])): + ava = rfc2459.AttributeTypeAndValue() + if nameType == "C": + ava["type"] = rfc2459.id_at_countryName + nameComponent = rfc2459.X520countryName(value) + elif nameType == "ST": + ava["type"] = rfc2459.id_at_stateOrProvinceName + nameComponent = rfc2459.X520StateOrProvinceName() + elif nameType == "L": + ava["type"] = rfc2459.id_at_localityName + nameComponent = rfc2459.X520LocalityName() + elif nameType == "O": + ava["type"] = rfc2459.id_at_organizationName + nameComponent = rfc2459.X520OrganizationName() + elif nameType == "OU": + ava["type"] = rfc2459.id_at_organizationalUnitName + nameComponent = rfc2459.X520OrganizationalUnitName() + elif nameType == "CN": + ava["type"] = rfc2459.id_at_commonName + nameComponent = rfc2459.X520CommonName() + elif nameType == "emailAddress": + ava["type"] = rfc2459.emailAddress + nameComponent = rfc2459.Pkcs9email(value) + else: + raise UnknownDNTypeError(nameType) + if not nameType == "C" and not nameType == "emailAddress": + # The value may have things like '\0' (i.e. a slash followed by + # the number zero) that have to be decoded into the resulting + # '\x00' (i.e. a byte with value zero). + nameComponent[encoding] = six.ensure_binary(value).decode( + encoding="unicode_escape" + ) + ava["value"] = nameComponent + rdn = rfc2459.RelativeDistinguishedName() + rdn.setComponentByPosition(0, ava) + rdns.setComponentByPosition(pos, rdn) + if tag: + name = rfc2459.Name().subtype(implicitTag=tag) + else: + name = rfc2459.Name() + name.setComponentByPosition(0, rdns) + return name + + +def stringToAlgorithmIdentifiers(string): + """Helper function that converts a description of an algorithm + to a representation usable by the pyasn1 package and a hash + algorithm constant for use by pykey.""" + algorithmIdentifier = rfc2459.AlgorithmIdentifier() + algorithmType = None + algorithm = None + # We add Null parameters for RSA only + addParameters = False + if string == "sha1WithRSAEncryption": + algorithmType = pykey.HASH_SHA1 + algorithm = rfc2459.sha1WithRSAEncryption + addParameters = True + elif string == "sha256WithRSAEncryption": + algorithmType = pykey.HASH_SHA256 + algorithm = univ.ObjectIdentifier("1.2.840.113549.1.1.11") + addParameters = True + elif string == "md5WithRSAEncryption": + algorithmType = pykey.HASH_MD5 + algorithm = rfc2459.md5WithRSAEncryption + addParameters = True + elif string == "ecdsaWithSHA256": + algorithmType = pykey.HASH_SHA256 + algorithm = univ.ObjectIdentifier("1.2.840.10045.4.3.2") + elif string == "ecdsaWithSHA384": + algorithmType = pykey.HASH_SHA384 + algorithm = univ.ObjectIdentifier("1.2.840.10045.4.3.3") + elif string == "ecdsaWithSHA512": + algorithmType = pykey.HASH_SHA512 + algorithm = univ.ObjectIdentifier("1.2.840.10045.4.3.4") + else: + raise UnknownAlgorithmTypeError(string) + algorithmIdentifier["algorithm"] = algorithm + if addParameters: + # Directly setting parameters to univ.Null doesn't currently work. + nullEncapsulated = encoder.encode(univ.Null()) + algorithmIdentifier["parameters"] = univ.Any(nullEncapsulated) + return (algorithmIdentifier, algorithmType) + + +def datetimeToTime(dt): + """Takes a datetime object and returns an rfc2459.Time object with + that time as its value as a GeneralizedTime""" + time = rfc2459.Time() + time["generalTime"] = useful.GeneralizedTime(dt.strftime("%Y%m%d%H%M%SZ")) + return time + + +def serialBytesToString(serialBytes): + """Takes a list of integers in the interval [0, 255] and returns + the corresponding serial number string.""" + serialBytesLen = len(serialBytes) + if serialBytesLen > 127: + raise InvalidSerialNumber("{} bytes is too long".format(serialBytesLen)) + # Prepend the ASN.1 INTEGER tag and length bytes. + stringBytes = [getASN1Tag(univ.Integer), serialBytesLen] + serialBytes + return bytes(stringBytes) + + +class Certificate(object): + """Utility class for reading a certificate specification and + generating a signed x509 certificate""" + + def __init__(self, paramStream): + self.versionValue = 2 # a value of 2 is X509v3 + self.signature = "sha256WithRSAEncryption" + self.issuer = "Default Issuer" + actualNow = datetime.datetime.utcnow() + self.now = datetime.datetime.strptime(str(actualNow.year), "%Y") + aYearAndAWhile = datetime.timedelta(days=400) + self.notBefore = self.now - aYearAndAWhile + self.notAfter = self.now + aYearAndAWhile + self.subject = "Default Subject" + self.extensions = None + # The serial number can be automatically generated from the + # certificate specification. We need this value to depend in + # part of what extensions are present. self.extensions are + # pyasn1 objects. Depending on the string representation of + # these objects can cause the resulting serial number to change + # unexpectedly, so instead we depend on the original string + # representation of the extensions as specified. + self.extensionLines = None + self.savedEmbeddedSCTListData = None + self.subjectKey = pykey.keyFromSpecification("default") + self.issuerKey = pykey.keyFromSpecification("default") + self.serialNumber = None + self.decodeParams(paramStream) + # If a serial number wasn't specified, generate one based on + # the certificate contents. + if not self.serialNumber: + self.serialNumber = self.generateSerialNumber() + # This has to be last because the SCT signature depends on the + # contents of the certificate. + if self.savedEmbeddedSCTListData: + self.addEmbeddedSCTListData() + + def generateSerialNumber(self): + """Generates a serial number for this certificate based on its + contents. Intended to be reproducible for compatibility with + the build system on OS X (see the comment above main, later in + this file).""" + hasher = hashlib.sha256() + hasher.update(six.ensure_binary(str(self.versionValue))) + hasher.update(six.ensure_binary(self.signature)) + hasher.update(six.ensure_binary(self.issuer)) + hasher.update(six.ensure_binary(str(self.notBefore))) + hasher.update(six.ensure_binary(str(self.notAfter))) + hasher.update(six.ensure_binary(self.subject)) + if self.extensionLines: + for extensionLine in self.extensionLines: + hasher.update(six.ensure_binary(extensionLine)) + if self.savedEmbeddedSCTListData: + # savedEmbeddedSCTListData is + # (embeddedSCTListSpecification, critical), where |critical| + # may be None + hasher.update(six.ensure_binary(self.savedEmbeddedSCTListData[0])) + if self.savedEmbeddedSCTListData[1]: + hasher.update(six.ensure_binary(self.savedEmbeddedSCTListData[1])) + serialBytes = [c for c in hasher.digest()[:20]] + # Ensure that the most significant bit isn't set (which would + # indicate a negative number, which isn't valid for serial + # numbers). + serialBytes[0] &= 0x7F + # Also ensure that the least significant bit on the most + # significant byte is set (to prevent a leading zero byte, + # which also wouldn't be valid). + serialBytes[0] |= 0x01 + return serialBytesToString(serialBytes) + + def decodeParams(self, paramStream): + for line in paramStream.readlines(): + self.decodeParam(line.strip()) + + def decodeParam(self, line): + param = line.split(":")[0] + value = ":".join(line.split(":")[1:]) + if param == "version": + self.setVersion(value) + elif param == "subject": + self.subject = value + elif param == "issuer": + self.issuer = value + elif param == "validity": + self.decodeValidity(value) + elif param == "extension": + self.decodeExtension(value) + elif param == "issuerKey": + self.setupKey("issuer", value) + elif param == "subjectKey": + self.setupKey("subject", value) + elif param == "signature": + self.signature = value + elif param == "serialNumber": + serialNumber = int(value) + # Ensure only serial numbers that conform to the rules listed in + # generateSerialNumber() are permitted. + if serialNumber < 1 or serialNumber > 127: + raise InvalidSerialNumber(value) + self.serialNumber = serialBytesToString([serialNumber]) + else: + raise UnknownParameterTypeError(param) + + def setVersion(self, version): + intVersion = int(version) + if intVersion >= 1 and intVersion <= 4: + self.versionValue = intVersion - 1 + else: + raise UnknownVersionError(version) + + def decodeValidity(self, duration): + match = re.search("([0-9]{8})-([0-9]{8})", duration) + if match: + self.notBefore = datetime.datetime.strptime(match.group(1), "%Y%m%d") + self.notAfter = datetime.datetime.strptime(match.group(2), "%Y%m%d") + else: + delta = datetime.timedelta(days=(int(duration) / 2)) + self.notBefore = self.now - delta + self.notAfter = self.now + delta + + def decodeExtension(self, extension): + match = re.search(r"([a-zA-Z]+)(\[critical\])?:(.*)", extension) + if not match: + raise UnknownExtensionTypeError(extension) + extensionType = match.group(1) + critical = match.group(2) + value = match.group(3) + if extensionType == "basicConstraints": + self.addBasicConstraints(value, critical) + elif extensionType == "keyUsage": + self.addKeyUsage(value, critical) + elif extensionType == "extKeyUsage": + self.addExtKeyUsage(value, critical) + elif extensionType == "subjectAlternativeName": + self.addSubjectAlternativeName(value, critical) + elif extensionType == "authorityInformationAccess": + self.addAuthorityInformationAccess(value, critical) + elif extensionType == "certificatePolicies": + self.addCertificatePolicies(value, critical) + elif extensionType == "nameConstraints": + self.addNameConstraints(value, critical) + elif extensionType == "nsCertType": + self.addNSCertType(value, critical) + elif extensionType == "TLSFeature": + self.addTLSFeature(value, critical) + elif extensionType == "embeddedSCTList": + self.savedEmbeddedSCTListData = (value, critical) + elif extensionType == "delegationUsage": + self.addDelegationUsage(critical) + else: + raise UnknownExtensionTypeError(extensionType) + + if extensionType != "embeddedSCTList": + if not self.extensionLines: + self.extensionLines = [] + self.extensionLines.append(extension) + + def setupKey(self, subjectOrIssuer, value): + if subjectOrIssuer == "subject": + self.subjectKey = pykey.keyFromSpecification(value) + elif subjectOrIssuer == "issuer": + self.issuerKey = pykey.keyFromSpecification(value) + else: + raise UnknownKeyTargetError(subjectOrIssuer) + + def addExtension(self, extensionType, extensionValue, critical): + if not self.extensions: + self.extensions = [] + encapsulated = univ.OctetString(encoder.encode(extensionValue)) + extension = rfc2459.Extension() + extension["extnID"] = extensionType + # critical is either the string '[critical]' or None. + # We only care whether or not it is truthy. + if critical: + extension["critical"] = True + extension["extnValue"] = encapsulated + self.extensions.append(extension) + + def addBasicConstraints(self, basicConstraints, critical): + cA = basicConstraints.split(",")[0] + pathLenConstraint = basicConstraints.split(",")[1] + basicConstraintsExtension = rfc2459.BasicConstraints() + basicConstraintsExtension["cA"] = cA == "cA" + if pathLenConstraint: + pathLenConstraintValue = univ.Integer(int(pathLenConstraint)).subtype( + subtypeSpec=constraint.ValueRangeConstraint(0, float("inf")) + ) + basicConstraintsExtension["pathLenConstraint"] = pathLenConstraintValue + self.addExtension( + rfc2459.id_ce_basicConstraints, basicConstraintsExtension, critical + ) + + def addKeyUsage(self, keyUsage, critical): + keyUsageExtension = rfc2459.KeyUsage(keyUsage) + self.addExtension(rfc2459.id_ce_keyUsage, keyUsageExtension, critical) + + def keyPurposeToOID(self, keyPurpose): + if keyPurpose == "serverAuth": + return rfc2459.id_kp_serverAuth + if keyPurpose == "clientAuth": + return rfc2459.id_kp_clientAuth + if keyPurpose == "codeSigning": + return rfc2459.id_kp_codeSigning + if keyPurpose == "emailProtection": + return rfc2459.id_kp_emailProtection + if keyPurpose == "nsSGC": + return univ.ObjectIdentifier("2.16.840.1.113730.4.1") + if keyPurpose == "OCSPSigning": + return univ.ObjectIdentifier("1.3.6.1.5.5.7.3.9") + if keyPurpose == "timeStamping": + return rfc2459.id_kp_timeStamping + raise UnknownKeyPurposeTypeError(keyPurpose) + + def addExtKeyUsage(self, extKeyUsage, critical): + extKeyUsageExtension = rfc2459.ExtKeyUsageSyntax() + for count, keyPurpose in enumerate(extKeyUsage.split(",")): + extKeyUsageExtension.setComponentByPosition( + count, self.keyPurposeToOID(keyPurpose) + ) + self.addExtension(rfc2459.id_ce_extKeyUsage, extKeyUsageExtension, critical) + + def addSubjectAlternativeName(self, names, critical): + IPV4_PREFIX = "ip4:" + + subjectAlternativeName = rfc2459.SubjectAltName() + for count, name in enumerate(names.split(",")): + generalName = rfc2459.GeneralName() + if "/" in name: + directoryName = stringToDN( + name, tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 4) + ) + generalName["directoryName"] = directoryName + elif "@" in name: + generalName["rfc822Name"] = name + elif name.startswith(IPV4_PREFIX): + generalName["iPAddress"] = socket.inet_pton( + socket.AF_INET, name[len(IPV4_PREFIX) :] + ) + else: + # The string may have things like '\0' (i.e. a slash + # followed by the number zero) that have to be decoded into + # the resulting '\x00' (i.e. a byte with value zero). + generalName["dNSName"] = six.ensure_binary(name).decode( + "unicode_escape" + ) + subjectAlternativeName.setComponentByPosition(count, generalName) + self.addExtension( + rfc2459.id_ce_subjectAltName, subjectAlternativeName, critical + ) + + def addAuthorityInformationAccess(self, ocspURI, critical): + sequence = univ.Sequence() + accessDescription = stringToAccessDescription(ocspURI) + sequence.setComponentByPosition(0, accessDescription) + self.addExtension(rfc2459.id_pe_authorityInfoAccess, sequence, critical) + + def addCertificatePolicies(self, policyOIDs, critical): + policies = rfc2459.CertificatePolicies() + for pos, policyOID in enumerate(policyOIDs.split(",")): + if policyOID == "any": + policyOID = "2.5.29.32.0" + policy = rfc2459.PolicyInformation() + policyIdentifier = rfc2459.CertPolicyId(policyOID) + policy["policyIdentifier"] = policyIdentifier + policies.setComponentByPosition(pos, policy) + self.addExtension(rfc2459.id_ce_certificatePolicies, policies, critical) + + def addNameConstraints(self, constraints, critical): + nameConstraints = rfc2459.NameConstraints() + if constraints.startswith("permitted:"): + (subtreesType, subtreesTag) = ("permittedSubtrees", 0) + elif constraints.startswith("excluded:"): + (subtreesType, subtreesTag) = ("excludedSubtrees", 1) + else: + raise UnknownNameConstraintsSpecificationError(constraints) + generalSubtrees = rfc2459.GeneralSubtrees().subtype( + implicitTag=tag.Tag( + tag.tagClassContext, tag.tagFormatConstructed, subtreesTag + ) + ) + subtrees = constraints[(constraints.find(":") + 1) :] + for pos, name in enumerate(subtrees.split(",")): + generalName = rfc2459.GeneralName() + if "/" in name: + directoryName = stringToDN( + name, tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 4) + ) + generalName["directoryName"] = directoryName + else: + generalName["dNSName"] = name + generalSubtree = rfc2459.GeneralSubtree() + generalSubtree["base"] = generalName + generalSubtrees.setComponentByPosition(pos, generalSubtree) + nameConstraints[subtreesType] = generalSubtrees + self.addExtension(rfc2459.id_ce_nameConstraints, nameConstraints, critical) + + def addNSCertType(self, certType, critical): + if certType != "sslServer": + raise UnknownNSCertTypeError(certType) + self.addExtension( + univ.ObjectIdentifier("2.16.840.1.113730.1.1"), + univ.BitString("'01'B"), + critical, + ) + + def addDelegationUsage(self, critical): + if critical: + raise UnknownDelegatedCredentialError(critical) + self.addExtension( + univ.ObjectIdentifier("1.3.6.1.4.1.44363.44"), univ.Null(), critical + ) + + def addTLSFeature(self, features, critical): + namedFeatures = {"OCSPMustStaple": 5} + featureList = [f.strip() for f in features.split(",")] + sequence = univ.Sequence() + for pos, feature in enumerate(featureList): + featureValue = 0 + try: + featureValue = int(feature) + except ValueError: + try: + featureValue = namedFeatures[feature] + except Exception: + raise UnknownTLSFeature(feature) + sequence.setComponentByPosition(pos, univ.Integer(featureValue)) + self.addExtension( + univ.ObjectIdentifier("1.3.6.1.5.5.7.1.24"), sequence, critical + ) + + def addEmbeddedSCTListData(self): + (scts, critical) = self.savedEmbeddedSCTListData + encodedSCTs = [] + for sctSpec in scts.split(","): + match = re.search(r"(\w+):(\d{8})", sctSpec) + if not match: + raise InvalidSCTSpecification(sctSpec) + keySpec = match.group(1) + key = pykey.keyFromSpecification(keySpec) + time = datetime.datetime.strptime(match.group(2), "%Y%m%d") + tbsCertificate = self.getTBSCertificate() + tbsDER = encoder.encode(tbsCertificate) + sct = pyct.SCT(key, time, tbsDER, self.issuerKey) + signed = sct.signAndEncode() + lengthPrefix = pack("!H", len(signed)) + encodedSCTs.append(lengthPrefix + signed) + encodedSCTBytes = b"".join(encodedSCTs) + lengthPrefix = pack("!H", len(encodedSCTBytes)) + extensionBytes = lengthPrefix + encodedSCTBytes + self.addExtension( + univ.ObjectIdentifier("1.3.6.1.4.1.11129.2.4.2"), + univ.OctetString(extensionBytes), + critical, + ) + + def getVersion(self): + return rfc2459.Version(self.versionValue).subtype( + explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0) + ) + + def getSerialNumber(self): + return decoder.decode(self.serialNumber)[0] + + def getIssuer(self): + return stringToDN(self.issuer) + + def getValidity(self): + validity = rfc2459.Validity() + validity["notBefore"] = self.getNotBefore() + validity["notAfter"] = self.getNotAfter() + return validity + + def getNotBefore(self): + return datetimeToTime(self.notBefore) + + def getNotAfter(self): + return datetimeToTime(self.notAfter) + + def getSubject(self): + return stringToDN(self.subject) + + def getTBSCertificate(self): + (signatureOID, _) = stringToAlgorithmIdentifiers(self.signature) + tbsCertificate = rfc2459.TBSCertificate() + tbsCertificate["version"] = self.getVersion() + tbsCertificate["serialNumber"] = self.getSerialNumber() + tbsCertificate["signature"] = signatureOID + tbsCertificate["issuer"] = self.getIssuer() + tbsCertificate["validity"] = self.getValidity() + tbsCertificate["subject"] = self.getSubject() + tbsCertificate[ + "subjectPublicKeyInfo" + ] = self.subjectKey.asSubjectPublicKeyInfo() + if self.extensions: + extensions = rfc2459.Extensions().subtype( + explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3) + ) + for count, extension in enumerate(self.extensions): + extensions.setComponentByPosition(count, extension) + tbsCertificate["extensions"] = extensions + return tbsCertificate + + def toDER(self): + (signatureOID, hashAlgorithm) = stringToAlgorithmIdentifiers(self.signature) + certificate = rfc2459.Certificate() + tbsCertificate = self.getTBSCertificate() + certificate["tbsCertificate"] = tbsCertificate + certificate["signatureAlgorithm"] = signatureOID + tbsDER = encoder.encode(tbsCertificate) + certificate["signatureValue"] = self.issuerKey.sign(tbsDER, hashAlgorithm) + return encoder.encode(certificate) + + def toPEM(self): + output = "-----BEGIN CERTIFICATE-----" + der = self.toDER() + b64 = six.ensure_text(base64.b64encode(der)) + while b64: + output += "\n" + b64[:64] + b64 = b64[64:] + output += "\n-----END CERTIFICATE-----" + return output + + +# The build harness will call this function with an output +# file-like object and a path to a file containing a +# specification. This will read the specification and output +# the certificate as PEM. +def main(output, inputPath): + with open(inputPath) as configStream: + output.write(Certificate(configStream).toPEM() + "\n") + + +# When run as a standalone program, this will read a specification from +# stdin and output the certificate as PEM to stdout. +if __name__ == "__main__": + print(Certificate(sys.stdin).toPEM()) diff --git a/security/manager/tools/pycms.py b/security/manager/tools/pycms.py new file mode 100755 index 0000000000..1717513fdf --- /dev/null +++ b/security/manager/tools/pycms.py @@ -0,0 +1,219 @@ +#!/usr/bin/env python +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +""" +Reads a specification from stdin and outputs a PKCS7 (CMS) message with +the desired properties. + +The specification format is as follows: + +sha1:<hex string> +sha256:<hex string> +signer: +<pycert specification> + +Eith or both of sha1 and sha256 may be specified. The value of +each hash directive is what will be put in the messageDigest +attribute of the SignerInfo that corresponds to the signature +algorithm defined by the hash algorithm and key type of the +default key. Together, these comprise the signerInfos field of +the SignedData. If neither hash is specified, the signerInfos +will be an empty SET (i.e. there will be no actual signature +information). +The certificate specification must come last. +""" + +import base64 +import sys +from io import StringIO + +import pycert +import pykey +from pyasn1.codec.der import decoder, encoder +from pyasn1.type import tag, univ +from pyasn1_modules import rfc2315, rfc2459 + + +class Error(Exception): + """Base class for exceptions in this module.""" + + pass + + +class UnknownDirectiveError(Error): + """Helper exception type to handle unknown specification + directives.""" + + def __init__(self, directive): + super(UnknownDirectiveError, self).__init__() + self.directive = directive + + def __str__(self): + return "Unknown directive %s" % repr(self.directive) + + +class CMS(object): + """Utility class for reading a CMS specification and + generating a CMS message""" + + def __init__(self, paramStream): + self.sha1 = "" + self.sha256 = "" + signerSpecification = StringIO() + readingSignerSpecification = False + for line in paramStream.readlines(): + if readingSignerSpecification: + print(line.strip(), file=signerSpecification) + elif line.strip() == "signer:": + readingSignerSpecification = True + elif line.startswith("sha1:"): + self.sha1 = line.strip()[len("sha1:") :] + elif line.startswith("sha256:"): + self.sha256 = line.strip()[len("sha256:") :] + else: + raise UnknownDirectiveError(line.strip()) + signerSpecification.seek(0) + self.signer = pycert.Certificate(signerSpecification) + self.signingKey = pykey.keyFromSpecification("default") + + def buildAuthenticatedAttributes(self, value, implicitTag=None): + """Utility function to build a pyasn1 AuthenticatedAttributes + object. Useful because when building a SignerInfo, the + authenticatedAttributes needs to be tagged implicitly, but when + signing an AuthenticatedAttributes, it needs the explicit SET + tag.""" + if implicitTag: + authenticatedAttributes = rfc2315.Attributes().subtype( + implicitTag=implicitTag + ) + else: + authenticatedAttributes = rfc2315.Attributes() + contentTypeAttribute = rfc2315.Attribute() + # PKCS#9 contentType + contentTypeAttribute["type"] = univ.ObjectIdentifier("1.2.840.113549.1.9.3") + contentTypeAttribute["values"] = univ.SetOf(rfc2459.AttributeValue()) + # PKCS#7 data + contentTypeAttribute["values"][0] = univ.ObjectIdentifier( + "1.2.840.113549.1.7.1" + ) + authenticatedAttributes[0] = contentTypeAttribute + hashAttribute = rfc2315.Attribute() + # PKCS#9 messageDigest + hashAttribute["type"] = univ.ObjectIdentifier("1.2.840.113549.1.9.4") + hashAttribute["values"] = univ.SetOf(rfc2459.AttributeValue()) + hashAttribute["values"][0] = univ.OctetString(hexValue=value) + authenticatedAttributes[1] = hashAttribute + return authenticatedAttributes + + def pykeyHashToDigestAlgorithm(self, pykeyHash): + """Given a pykey hash algorithm identifier, builds an + AlgorithmIdentifier for use with pyasn1.""" + if pykeyHash == pykey.HASH_SHA1: + oidString = "1.3.14.3.2.26" + elif pykeyHash == pykey.HASH_SHA256: + oidString = "2.16.840.1.101.3.4.2.1" + else: + raise pykey.UnknownHashAlgorithmError(pykeyHash) + algorithmIdentifier = rfc2459.AlgorithmIdentifier() + algorithmIdentifier["algorithm"] = univ.ObjectIdentifier(oidString) + # Directly setting parameters to univ.Null doesn't currently work. + nullEncapsulated = encoder.encode(univ.Null()) + algorithmIdentifier["parameters"] = univ.Any(nullEncapsulated) + return algorithmIdentifier + + def buildSignerInfo(self, certificate, pykeyHash, digestValue): + """Given a pyasn1 certificate, a pykey hash identifier + and a hash value, creates a SignerInfo with the + appropriate values.""" + signerInfo = rfc2315.SignerInfo() + signerInfo["version"] = 1 + issuerAndSerialNumber = rfc2315.IssuerAndSerialNumber() + issuerAndSerialNumber["issuer"] = self.signer.getIssuer() + issuerAndSerialNumber["serialNumber"] = certificate["tbsCertificate"][ + "serialNumber" + ] + signerInfo["issuerAndSerialNumber"] = issuerAndSerialNumber + signerInfo["digestAlgorithm"] = self.pykeyHashToDigestAlgorithm(pykeyHash) + rsa = rfc2459.AlgorithmIdentifier() + rsa["algorithm"] = rfc2459.rsaEncryption + rsa["parameters"] = univ.Null() + authenticatedAttributes = self.buildAuthenticatedAttributes( + digestValue, + implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0), + ) + authenticatedAttributesTBS = self.buildAuthenticatedAttributes(digestValue) + signerInfo["authenticatedAttributes"] = authenticatedAttributes + signerInfo["digestEncryptionAlgorithm"] = rsa + authenticatedAttributesEncoded = encoder.encode(authenticatedAttributesTBS) + signature = self.signingKey.sign(authenticatedAttributesEncoded, pykeyHash) + # signature will be a hexified bit string of the form + # "'<hex bytes>'H". For some reason that's what BitString wants, + # but since this is an OCTET STRING, we have to strip off the + # quotation marks and trailing "H". + signerInfo["encryptedDigest"] = univ.OctetString(hexValue=signature[1:-2]) + return signerInfo + + def toDER(self): + contentInfo = rfc2315.ContentInfo() + contentInfo["contentType"] = rfc2315.signedData + + signedData = rfc2315.SignedData() + signedData["version"] = rfc2315.Version(1) + + digestAlgorithms = rfc2315.DigestAlgorithmIdentifiers() + digestAlgorithms[0] = self.pykeyHashToDigestAlgorithm(pykey.HASH_SHA1) + signedData["digestAlgorithms"] = digestAlgorithms + + dataContentInfo = rfc2315.ContentInfo() + dataContentInfo["contentType"] = rfc2315.data + signedData["contentInfo"] = dataContentInfo + + certificates = rfc2315.ExtendedCertificatesAndCertificates().subtype( + implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0) + ) + extendedCertificateOrCertificate = rfc2315.ExtendedCertificateOrCertificate() + certificate = decoder.decode( + self.signer.toDER(), asn1Spec=rfc2459.Certificate() + )[0] + extendedCertificateOrCertificate["certificate"] = certificate + certificates[0] = extendedCertificateOrCertificate + signedData["certificates"] = certificates + + signerInfos = rfc2315.SignerInfos() + + if len(self.sha1) > 0: + signerInfos[len(signerInfos)] = self.buildSignerInfo( + certificate, pykey.HASH_SHA1, self.sha1 + ) + if len(self.sha256) > 0: + signerInfos[len(signerInfos)] = self.buildSignerInfo( + certificate, pykey.HASH_SHA256, self.sha256 + ) + signedData["signerInfos"] = signerInfos + + encoded = encoder.encode(signedData) + anyTag = univ.Any(encoded).subtype( + explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0) + ) + + contentInfo["content"] = anyTag + return encoder.encode(contentInfo) + + def toPEM(self): + output = "-----BEGIN PKCS7-----" + der = self.toDER() + b64 = base64.b64encode(der) + while b64: + output += "\n" + b64[:64] + b64 = b64[64:] + output += "\n-----END PKCS7-----\n" + return output + + +# When run as a standalone program, this will read a specification from +# stdin and output the certificate as PEM to stdout. +if __name__ == "__main__": + print(CMS(sys.stdin).toPEM()) diff --git a/security/manager/tools/pyct.py b/security/manager/tools/pyct.py new file mode 100644 index 0000000000..8f9d61b72b --- /dev/null +++ b/security/manager/tools/pyct.py @@ -0,0 +1,103 @@ +#!/usr/bin/env python +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +""" +Helper library for creating a Signed Certificate Timestamp given the +details of a signing key, when to sign, and the certificate data to +sign. Currently only supports precert_entry types. See RFC 6962. +""" + +import binascii +import calendar +import hashlib +from struct import pack + +import pykey +from pyasn1.codec.der import encoder + + +class InvalidKeyError(Exception): + """Helper exception to handle unknown key types.""" + + def __init__(self, key): + self.key = key + + def __str__(self): + return 'Invalid key: "%s"' % str(self.key) + + +class SCT(object): + """SCT represents a Signed Certificate Timestamp.""" + + def __init__(self, key, date, tbsCertificate, issuerKey): + self.key = key + self.timestamp = calendar.timegm(date.timetuple()) * 1000 + self.tbsCertificate = tbsCertificate + self.issuerKey = issuerKey + + def signAndEncode(self): + """Returns a signed and encoded representation of the SCT as a + string.""" + # The signature is over the following data: + # sct_version (one 0 byte) + # signature_type (one 0 byte) + # timestamp (8 bytes, milliseconds since the epoch) + # entry_type (two bytes [0, 1] - currently only precert_entry is + # supported) + # signed_entry (bytes of PreCert) + # extensions (2-byte-length-prefixed, currently empty (so two 0 + # bytes)) + # A PreCert is: + # issuer_key_hash (32 bytes of SHA-256 hash of the issuing + # public key, as DER-encoded SPKI) + # tbs_certificate (3-byte-length-prefixed data) + timestamp = pack("!Q", self.timestamp) + hasher = hashlib.sha256() + hasher.update(encoder.encode(self.issuerKey.asSubjectPublicKeyInfo())) + issuer_key_hash = hasher.digest() + len_prefix = pack("!L", len(self.tbsCertificate))[1:] + data = ( + b"\0\0" + + timestamp + + b"\0\1" + + issuer_key_hash + + len_prefix + + self.tbsCertificate + + b"\0\0" + ) + if isinstance(self.key, pykey.ECCKey): + signatureByte = b"\3" + elif isinstance(self.key, pykey.RSAKey): + signatureByte = b"\1" + else: + raise InvalidKeyError(self.key) + # sign returns a hex string like "'<hex bytes>'H", but we want + # bytes here + hexSignature = self.key.sign(data, pykey.HASH_SHA256) + signature = binascii.unhexlify(hexSignature[1:-2]) + # The actual data returned is the following: + # sct_version (one 0 byte) + # id (32 bytes of SHA-256 hash of the signing key, as + # DER-encoded SPKI) + # timestamp (8 bytes, milliseconds since the epoch) + # extensions (2-byte-length-prefixed data, currently + # empty) + # hash (one 4 byte representing sha256) + # signature (one byte - 1 for RSA and 3 for ECDSA) + # signature (2-byte-length-prefixed data) + hasher = hashlib.sha256() + hasher.update(encoder.encode(self.key.asSubjectPublicKeyInfo())) + key_id = hasher.digest() + signature_len_prefix = pack("!H", len(signature)) + return ( + b"\0" + + key_id + + timestamp + + b"\0\0\4" + + signatureByte + + signature_len_prefix + + signature + ) diff --git a/security/manager/tools/pykey.py b/security/manager/tools/pykey.py new file mode 100755 index 0000000000..fec8021c26 --- /dev/null +++ b/security/manager/tools/pykey.py @@ -0,0 +1,957 @@ +#!/usr/bin/env python +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +""" +Reads a key specification from stdin or a file and outputs a +PKCS #8 file representing the (private) key. Also provides +methods for signing data and representing the key as a subject +public key info for use with pyasn1. + +The key specification format is as follows: + +default: a 2048-bit RSA key +alternate: a different 2048-bit RSA key +ev: a 2048-bit RSA key that, when combined with the right pycert + specification, results in a certificate that is enabled for + extended validation in debug Firefox (see ExtendedValidation.cpp). +evRSA2040: a 2040-bit RSA key that, when combined with the right pycert + specification, results in a certificate that is enabled for + extended validation in debug Firefox. +rsa2040: a 2040-bit RSA key +rsa1024: a 1024-bit RSA key +rsa1016: a 1016-bit RSA key +secp256k1: an ECC key on the curve secp256k1 +secp244r1: an ECC key on the curve secp244r1 +secp256r1: an ECC key on the curve secp256r1 +secp384r1: an ECC key on the curve secp384r1 +secp521r1: an ECC key on the curve secp521r1 +""" + +import base64 +import binascii +import hashlib +import math +import sys + +import ecdsa +import rsa +import six +from pyasn1.codec.der import encoder +from pyasn1.type import namedtype, tag, univ +from pyasn1_modules import rfc2459 + +# "constants" to make it easier for consumers to specify hash algorithms +HASH_MD5 = "hash:md5" +HASH_SHA1 = "hash:sha1" +HASH_SHA256 = "hash:sha256" +HASH_SHA384 = "hash:sha384" +HASH_SHA512 = "hash:sha512" + + +# NOTE: With bug 1621441 we migrated from one library for ecdsa to another. +# These libraries differ somewhat in terms of functionality and interface. In +# order to ensure there are no diffs and that the generated signatures are +# exactly the same between the two libraries, we need to patch some stuff in. + + +def _gen_k(curve): + # This calculation is arbitrary, but it matches what we were doing pre- + # bug 1621441 (see the above NOTE). Crucially, this generation of k is + # non-random; the ecdsa library exposes an option to deterministically + # generate a value of k for us, but it doesn't match up to what we were + # doing before so we have to inject a custom value. + num_bytes = int(math.log(curve.order - 1, 2) + 1) // 8 + 8 + entropy = int.from_bytes(b"\04" * num_bytes, byteorder="big") + p = curve.curve.p() + return (entropy % (p - 1)) + 1 + + +# As above, the library has built-in logic for truncating digests that are too +# large, but they use a slightly different technique than our previous library. +# Re-implement that logic here. +def _truncate_digest(digest, curve): + i = int.from_bytes(digest, byteorder="big") + p = curve.curve.p() + while i > p: + i >>= 1 + return i.to_bytes(math.ceil(i.bit_length() / 8), byteorder="big") + + +def byteStringToHexifiedBitString(string): + """Takes a string of bytes and returns a hex string representing + those bytes for use with pyasn1.type.univ.BitString. It must be of + the form "'<hex bytes>'H", where the trailing 'H' indicates to + pyasn1 that the input is a hex string.""" + return "'%s'H" % six.ensure_binary(string).hex() + + +class UnknownBaseError(Exception): + """Base class for handling unexpected input in this module.""" + + def __init__(self, value): + super(UnknownBaseError, self).__init__() + self.value = value + self.category = "input" + + def __str__(self): + return 'Unknown %s type "%s"' % (self.category, repr(self.value)) + + +class UnknownKeySpecificationError(UnknownBaseError): + """Helper exception type to handle unknown key specifications.""" + + def __init__(self, value): + UnknownBaseError.__init__(self, value) + self.category = "key specification" + + +class UnknownHashAlgorithmError(UnknownBaseError): + """Helper exception type to handle unknown key specifications.""" + + def __init__(self, value): + UnknownBaseError.__init__(self, value) + self.category = "hash algorithm" + + +class UnsupportedHashAlgorithmError(Exception): + """Helper exception type for unsupported hash algorithms.""" + + def __init__(self, value): + super(UnsupportedHashAlgorithmError, self).__init__() + self.value = value + + def __str__(self): + return 'Unsupported hash algorithm "%s"' % repr(self.value) + + +class RSAPublicKey(univ.Sequence): + """Helper type for encoding an RSA public key""" + + componentType = namedtype.NamedTypes( + namedtype.NamedType("N", univ.Integer()), + namedtype.NamedType("E", univ.Integer()), + ) + + +class RSAPrivateKey(univ.Sequence): + """Helper type for encoding an RSA private key""" + + componentType = namedtype.NamedTypes( + namedtype.NamedType("version", univ.Integer()), + namedtype.NamedType("modulus", univ.Integer()), + namedtype.NamedType("publicExponent", univ.Integer()), + namedtype.NamedType("privateExponent", univ.Integer()), + namedtype.NamedType("prime1", univ.Integer()), + namedtype.NamedType("prime2", univ.Integer()), + namedtype.NamedType("exponent1", univ.Integer()), + namedtype.NamedType("exponent2", univ.Integer()), + namedtype.NamedType("coefficient", univ.Integer()), + ) + + +class ECPrivateKey(univ.Sequence): + """Helper type for encoding an EC private key + ECPrivateKey ::= SEQUENCE { + version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1), + privateKey OCTET STRING, + parameters [0] ECParameters {{ NamedCurve }} OPTIONAL, + (NOTE: parameters field is not supported) + publicKey [1] BIT STRING OPTIONAL + }""" + + componentType = namedtype.NamedTypes( + namedtype.NamedType("version", univ.Integer()), + namedtype.NamedType("privateKey", univ.OctetString()), + namedtype.OptionalNamedType( + "publicKey", + univ.BitString().subtype( + explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1) + ), + ), + ) + + +class ECPoint(univ.Sequence): + """Helper type for encoding a EC point""" + + componentType = namedtype.NamedTypes( + namedtype.NamedType("x", univ.Integer()), + namedtype.NamedType("y", univ.Integer()), + ) + + +class PrivateKeyInfo(univ.Sequence): + """Helper type for encoding a PKCS #8 private key info""" + + componentType = namedtype.NamedTypes( + namedtype.NamedType("version", univ.Integer()), + namedtype.NamedType("privateKeyAlgorithm", rfc2459.AlgorithmIdentifier()), + namedtype.NamedType("privateKey", univ.OctetString()), + ) + + +class RSAKey(object): + # For reference, when encoded as a subject public key info, the + # base64-encoded sha-256 hash of this key is + # VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8= + sharedRSA_N = int( + "00ba8851a8448e16d641fd6eb6880636103d3c13d9eae4354ab4ecf56857" + "6c247bc1c725a8e0d81fbdb19c069b6e1a86f26be2af5a756b6a6471087a" + "a55aa74587f71cd5249c027ecd43fc1e69d038202993ab20c349e4dbb94c" + "c26b6c0eed15820ff17ead691ab1d3023a8b2a41eea770e00f0d8dfd660b" + "2bb02492a47db988617990b157903dd23bc5e0b8481fa837d38843ef2716" + "d855b7665aaa7e02902f3a7b10800624cc1c6c97ad96615bb7e29612c075" + "31a30c91ddb4caf7fcad1d25d309efb9170ea768e1b37b2f226f69e3b48a" + "95611dee26d6259dab91084e36cb1c24042cbf168b2fe5f18f991731b8b3" + "fe4923fa7251c431d503acda180a35ed8d", + 16, + ) + sharedRSA_E = 65537 + sharedRSA_D = int( + "009ecbce3861a454ecb1e0fe8f85dd43c92f5825ce2e997884d0e1a949da" + "a2c5ac559b240450e5ac9fe0c3e31c0eefa6525a65f0c22194004ee1ab46" + "3dde9ee82287cc93e746a91929c5e6ac3d88753f6c25ba5979e73e5d8fb2" + "39111a3cdab8a4b0cdf5f9cab05f1233a38335c64b5560525e7e3b92ad7c" + "7504cf1dc7cb005788afcbe1e8f95df7402a151530d5808346864eb370aa" + "79956a587862cb533791307f70d91c96d22d001a69009b923c683388c9f3" + "6cb9b5ebe64302041c78d908206b87009cb8cabacad3dbdb2792fb911b2c" + "f4db6603585be9ae0ca3b8e6417aa04b06e470ea1a3b581ca03a6781c931" + "5b62b30e6011f224725946eec57c6d9441", + 16, + ) + sharedRSA_P = int( + "00dd6e1d4fffebf68d889c4d114cdaaa9caa63a59374286c8a5c29a717bb" + "a60375644d5caa674c4b8bc7326358646220e4550d7608ac27d55b6db74f" + "8d8127ef8fa09098b69147de065573447e183d22fe7d885aceb513d9581d" + "d5e07c1a90f5ce0879de131371ecefc9ce72e9c43dc127d238190de81177" + "3ca5d19301f48c742b", + 16, + ) + sharedRSA_Q = int( + "00d7a773d9ebc380a767d2fec0934ad4e8b5667240771acdebb5ad796f47" + "8fec4d45985efbc9532968289c8d89102fadf21f34e2dd4940eba8c09d6d" + "1f16dcc29729774c43275e9251ddbe4909e1fd3bf1e4bedf46a39b8b3833" + "28ef4ae3b95b92f2070af26c9e7c5c9b587fedde05e8e7d86ca57886fb16" + "5810a77b9845bc3127", + 16, + ) + sharedRSA_exp1 = int( + "0096472b41a610c0ade1af2266c1600e3671355ba42d4b5a0eb4e9d7eb35" + "81400ba5dd132cdb1a5e9328c7bbc0bbb0155ea192972edf97d12751d8fc" + "f6ae572a30b1ea309a8712dd4e33241db1ee455fc093f5bc9b592d756e66" + "21474f32c07af22fb275d340792b32ba2590bbb261aefb95a258eea53765" + "5315be9c24d191992d", + 16, + ) + sharedRSA_exp2 = int( + "28b450a7a75a856413b2bda6f7a63e3d964fb9ecf50e3823ef6cc8e8fa26" + "ee413f8b9d1205540f12bbe7a0c76828b7ba65ad83cca4d0fe2a220114e1" + "b35d03d5a85bfe2706bd50fce6cfcdd571b46ca621b8ed47d605bbe765b0" + "aa4a0665ac25364da20154032e1204b8559d3e34fb5b177c9a56ff93510a" + "5a4a6287c151de2d", + 16, + ) + sharedRSA_coef = int( + "28067b9355801d2ef52dfa96d8adb589673cf8ee8a9c6ff72aeeabe9ef6b" + "e58a4f4abf05f788947dc851fdaa34542147a71a246bfb054ee76aa346ab" + "cd2692cfc9e44c51e6f069c735e073ba019f6a7214961c91b26871caeabf" + "8f064418a02690e39a8d5ff3067b7cdb7f50b1f53418a703966c4fc774bf" + "7402af6c43247f43", + 16, + ) + + # For reference, when encoded as a subject public key info, the + # base64-encoded sha-256 hash of this key is + # MQj2tt1yGAfwFpWETYUCVrZxk2CD2705NKBQUlAaKJI= + alternateRSA_N = int( + "00c175c65266099f77082a6791f1b876c37f5ce538b06c4acd22b1cbd46f" + "a65ada2add41c8c2498ac4a3b3c1f61487f41b698941bd80a51c3c120244" + "c584a4c4483305e5138c0106cf08be9a862760bae6a2e8f36f23c5d98313" + "b9dfaf378345dace51d4d6dcd2a6cb3cc706ebcd3070ec98cce40aa591d7" + "295a7f71c5be66691d2b2dfec84944590bc5a3ea49fd93b1d753405f1773" + "7699958666254797ed426908880811422069988a43fee48ce68781dd22b6" + "a69cd28375131f932b128ce286fa7d251c062ad27ef016f187cdd54e832b" + "35b8930f74ba90aa8bc76167242ab1fd6d62140d18c4c0b8c68fc3748457" + "324ad7de86e6552f1d1e191d712168d3bb", + 16, + ) + alternateRSA_E = 65537 + alternateRSA_D = int( + "7e3f6d7cb839ef66ae5d7dd92ff5410bb341dc14728d39034570e1a37079" + "0f30f0681355fff41e2ad4e9a9d9fcebfbd127bdfab8c00affb1f3cea732" + "7ead47aa1621f2ac1ee14ca02f04b3b2786017980b181a449d03b03e69d1" + "12b83571e55434f012056575d2832ed6731dce799e37c83f6d51c55ab71e" + "b58015af05e1af15c747603ef7f27d03a6ff049d96bbf854c1e4e50ef5b0" + "58d0fb08180e0ac7f7be8f2ff1673d97fc9e55dba838077bbf8a7cff2962" + "857785269cd9d5bad2b57469e4afcd33c4ca2d2f699f11e7c8fbdcd484f0" + "8d8efb8a3cb8a972eb24bed972efaae4bb712093e48fe94a46eb629a8750" + "78c4021a9a2c93c9a70390e9d0a54401", + 16, + ) + alternateRSA_P = int( + "00e63fc725a6ba76925a7ff8cb59c4f56dd7ec83fe85bf1f53e11cac9a81" + "258bcfc0ae819077b0f2d1477aaf868de6a8ecbeaf7bb22b196f2a9ad82d" + "3286f0d0cc29de719e5f2be8e509b7284d5963edd362f927887a4c4a8979" + "9d340d51b301ac7601ab27179024fcaadd38bf6522af63eb16461ec02a7f" + "27b06fe09ddda7c0a1", + 16, + ) + alternateRSA_Q = int( + "00d718b1fe9f8f99f00e832ae1fbdc6fe2ab27f34e049c498010fa0eb708" + "4852182346083b5c96c3eee5592c014a410c6b930b165c13b5c26aa32eac" + "6e7c925a8551c25134f2f4a72c6421f19a73148a0edfaba5d3a6888b35cb" + "a18c00fd38ee5aaf0b545731d720761bbccdee744a52ca415e98e4de01cd" + "fe764c1967b3e8cadb", + 16, + ) + alternateRSA_exp1 = int( + "01e5aca266c94a88d22e13c2b92ea247116c657a076817bdfd30db4b3a9d" + "3095b9a4b6749647e2f84e7a784fc7838b08c85971cf7a036fa30e3b91c3" + "c4d0df278f80c1b6e859d8456adb137defaa9f1f0ac5bac9a9184fd4ea27" + "9d722ea626f160d78aad7bc83845ccb29df115c83f61b7622b99bd439c60" + "9b5790a63c595181", + 16, + ) + alternateRSA_exp2 = int( + "0080cc45d10d2484ee0d1297fc07bf80b3beff461ea27e1f38f371789c3a" + "f66b4a0edd2192c227791db4f1c77ae246bf342f31856b0f56581b58a95b" + "1131c0c5396db2a8c3c6f39ea2e336bc205ae6a2a0b36869fca98cbba733" + "cf01319a6f9bb26b7ca23d3017fc551cd8da8afdd17f6fa2e30d34868798" + "1cd6234d571e90b7df", + 16, + ) + alternateRSA_coef = int( + "6f77c0c1f2ae7ac169561cca499c52bdfbe04cddccdbdc12aec5a85691e8" + "594b7ee29908f30e7b96aa6254b80ed4aeec9b993782bdfc79b69d8d58c6" + "8870fa4be1bc0c3527288c5c82bb4aebaf15edff110403fc78e6ace6a828" + "27bf42f0cfa751e507651c5638db9393dd23dd1f6b295151de44b77fe55a" + "7b0df271e19a65c0", + 16, + ) + + evRSA_N = int( + "00b549895c9d00108d11a1f99f87a9e3d1a5db5dfaecf188da57bf641368" + "8f2ce4722cff109038c17402c93a2a473dbd286aed3fdcd363cf5a291477" + "01bdd818d7615bf9356bd5d3c8336aaa8c0971368a06c3cd4461b93e5142" + "4e1744bb2eaad46aab38ce196821961f87714a1663693f09761cdf4d6ba1" + "25eacec7be270d388f789f6cdf78ae3144ed28c45e79293863a7a22a4898" + "0a36a40e72d579c9b925dff8c793362ffd6897a7c1754c5e97c967c3eadd" + "1aae8aa2ccce348a0169b80e28a2d70c1a960c6f335f2da09b9b643f5abf" + "ba49e8aaa981e960e27d87480bdd55dd9417fa18509fbb554ccf81a4397e" + "8ba8128a34bdf27865c189e5734fb22905", + 16, + ) + evRSA_E = 65537 + evRSA_D = int( + "00983d54f94d6f4c76eb23d6f93d78523530cf73b0d16254c6e781768d45" + "f55681d1d02fb2bd2aac6abc1c389860935c52a0d8f41482010394778314" + "1d864bff30803638a5c0152570ae9d18f3d8ca163efb475b0dddf32e7e16" + "ec7565e6bb5e025c41c5c66e57a03cede554221f83045347a2c4c451c3dc" + "e476b787ce0c057244be9e04ef13118dbbb3d5e0a6cc87029eafd4a69ed9" + "b14759b15e39d8a9884e56f54d2f9ab013f0d15f318a9ab6b2f73d1ec3c9" + "fe274ae89431a10640be7899b0011c5e5093a1834708689de100634dabde" + "60fbd6aaefa3a33df34a1f36f60c043036b748d1c9ee98c4031a0afec60e" + "fda0a990be524f5614eac4fdb34a52f951", + 16, + ) + evRSA_P = int( + "00eadc2cb33e5ff1ca376bbd95bd6a1777d2cf4fac47545e92d11a6209b9" + "d5e4ded47834581c169b3c884742a09ea187505c1ca55414d8d25b497632" + "d5ec2aaa05233430fad49892777a7d68e038f561a3b8969e60b0a263defb" + "fda48a9b0ff39d95bc88b15267c8ade97b5107948e41e433249d87f7db10" + "9d5d74584d86bcc1d7", + 16, + ) + evRSA_Q = int( + "00c59ae576a216470248d944a55b9e9bf93299da341ec56e558eba821abc" + "e1bf57b79cf411d2904c774f9dba1f15185f607b0574a08205d6ec28b66a" + "36d634232eaaf2fea37561abaf9d644b68db38c9964cb8c96ec0ac61eba6" + "4d05b446542f423976f5acde4ecc95536d2df578954f93f0cfd9c58fb78b" + "a2a76dd5ac284dc883", + 16, + ) + evRSA_exp1 = int( + "00c1d2ef3906331c52aca64811f9fe425beb2898322fb3db51032ce8d7e9" + "fc32240be92019cf2480fcd5e329837127118b2a59a1bfe06c883e3a4447" + "f3f031cd9aebd0b8d368fc79740d2cce8eadb324df7f091eafe1564361d5" + "4920b01b0471230e5e47d93f8ed33963c517bc4fc78f6d8b1f9eba85bcce" + "db7033026508db6285", + 16, + ) + evRSA_exp2 = int( + "008521b8db5694dfbe804a315f9efc9b65275c5490acf2a3456d65e6e610" + "bf9f647fc67501d4f5772f232ac70ccdef9fc2a6dfa415c7c41b6afc7af9" + "d07c3ca03f7ed93c09f0b99f2c304434322f1071709bbc1baa4c91575fa6" + "a959e07d4996956d95e22b57938b6e47c8d51ffedfc9bf888ce0d1a3e42b" + "65a89bed4b91d3e5f5", + 16, + ) + evRSA_coef = int( + "00dc497b06b920c8be0b0077b798e977eef744a90ec2c5d7e6cbb22448fa" + "c72da81a33180e0d8a02e831460c7fc7fd3a612f7b9930b61b799f8e908e" + "632e9ba0409b6aa70b03a3ba787426263b5bd5843df8476edb5d14f6a861" + "3ebaf5b9cd5ca42f5fbd2802e08e4e49e5709f5151510caa5ab2c1c6eb3e" + "fe9295d16e8c25c916", + 16, + ) + + evRSA2040_N = int( + "00ca7020dc215f57914d343fae4a015111697af997a5ece91866499fc23f" + "1b88a118cbd30b10d91c7b9a0d4ee8972fcae56caf57f25fc1275a2a4dbc" + "b982428c32ef587bf2387410330a0ffb16b8029bd783969ef675f6de38c1" + "8f67193cb6c072f8b23d0b3374112627a57b90055771d9e62603f53788d7" + "f63afa724f5d108096df31f89f26b1eb5f7c4357980e008fcd55d827dd26" + "2395ca2f526a07897cc40c593b38716ebc0caa596719c6f29ac9b73a7a94" + "4748a3aa3e09e9eb4d461ea0027e540926614728b9d243975cf9a0541bef" + "d25e76b51f951110b0e7644fc7e38441791b6d2227384cb8004e23342372" + "b1cf5cc3e73e31b7bbefa160e6862ebb", + 16, + ) + evRSA2040_E = 65537 + evRSA2040_D = int( + "00b2db74bce92362abf72955a638ae8720ba3033bb7f971caf39188d7542" + "eaa1c1abb5d205b1e2111f4791c08911a2e141e8cfd7054702d23100b564" + "2c06e1a31b118afd1f9a2f396cced425c501d91435ca8656766ced2b93bb" + "b8669fce9bacd727d1dacb3dafabc3293e35389eef8ea0b58e1aeb1a20e6" + "a61f9fcd453f7567fe31d123b616a26fef4df1d6c9f7490111d028eefd1d" + "972045b1a242273dd7a67ebf111db2741a5a93c7b2289cc4a236f5a99a6e" + "c7a8206fdae1c1d04bdbb1980d4a298c5a17dae4186474a5f7835d882bce" + "f24aef4ed6f149f94d96c9f7d78e647fc778a9017ff208d3b4a1768b1821" + "62102cdab032fabbab38d5200a324649", + 16, + ) + evRSA2040_P = int( + "0f3844d0d4d4d6a21acd76a6fc370b8550e1d7ec5a6234172e790f0029ae" + "651f6d5c59330ab19802b9d7a207de7a1fb778e3774fdbdc411750633d8d" + "1b3fe075006ffcfd1d10e763c7a9227d2d5f0c2dade1c9e659c350a159d3" + "6bb986f12636d4f9942b288bc0fe21da8799477173144249ca2e389e6c5c" + "25aa78c8cad7d4df", + 16, + ) + evRSA2040_Q = int( + "0d4d0bedd1962f07a1ead6b23a4ed67aeaf1270f052a6d29ba074945c636" + "1a5c4f8f07bf859e067aed3f4e6e323ef2aa8a6acd340b0bdc7cfe4fd329" + "e3c97f870c7f7735792c6aa9d0f7e7542a28ed6f01b0e55a2b8d9c24a65c" + "6da314c95484f5c7c3954a81bb016b07ed17ee9b06039695bca059a79f8d" + "c2423d328d5265a5", + 16, + ) + evRSA2040_exp1 = int( + "09f29a2ff05be8a96d614ba31b08935420a86c6bc42b99a6692ea0da5763" + "f01e596959b7ddce73ef9c2e4f6e5b40710887500d44ba0c3cd3132cba27" + "475f39c2df7552e2d123a2497a4f97064028769a48a3624657f72bf539f3" + "d0de234feccd3be8a0aa90c6bf6e9b0bed43070a24d061ff3ed1751a3ef2" + "ff7f6b90b9dbd5fb", + 16, + ) + evRSA2040_exp2 = int( + "01a659e170cac120a03be1cf8f9df1caa353b03593bd7476e5853bd874c2" + "87388601c6c341ce9d1d284a5eef1a3a669d32b816a5eaecd8b7844fe070" + "64b9bca0c2b318d540277b3f7f1510d386bb36e03b04771e5d229e88893e" + "13b753bfb94518bb638e2404bd6e6a993c1668d93fc0b82ff08aaf34347d" + "3fe8397108c87ca5", + 16, + ) + evRSA2040_coef = int( + "040257c0d4a21c0b9843297c65652db66304fb263773d728b6abfa06d37a" + "c0ca62c628023e09e37dc0a901e4ce1224180e2582a3aa4b6a1a7b98e2bd" + "70077aec14ac8ab66a755c71e0fc102471f9bbc1b46a95aa0b645f2c38e7" + "6450289619ea3f5e8ae61037bffcf8249f22aa4e76e2a01909f3feb290ce" + "93edf57b10ebe796", + 16, + ) + + rsa2040_N = int( + "00bac0652fdfbc0055882ffbaeaceec88fa2d083c297dd5d40664dd3d90f" + "52f9aa02bd8a50fba16e0fd991878ef475f9b350d9f8e3eb2abd717ce327" + "b09788531f13df8e3e4e3b9d616bb8a41e5306eed2472163161051180127" + "6a4eb66f07331b5cbc8bcae7016a8f9b3d4f2ac4553c624cf5263bcb348e" + "8840de6612870960a792191b138fb217f765cec7bff8e94f16b39419bf75" + "04c59a7e4f79bd6d173e9c7bf3d9d2a4e73cc180b0590a73d584fb7fc9b5" + "4fa544607e53fc685c7a55fd44a81d4142b6af51ea6fa6cea52965a2e8c5" + "d84f3ca024d6fbb9b005b9651ce5d9f2ecf40ed404981a9ffc02636e311b" + "095c6332a0c87dc39271b5551481774b", + 16, + ) + rsa2040_E = 65537 + rsa2040_D = int( + "603db267df97555cbed86b8df355034af28f1eb7f3e7829d239bcc273a7c" + "7a69a10be8f21f1b6c4b02c6bae3731c3158b5bbff4605f57ab7b7b2a0cb" + "a2ec005a2db5b1ea6e0aceea5bc745dcd2d0e9d6b80d7eb0ea2bc08127bc" + "e35fa50c42cc411871ba591e23ba6a38484a33eff1347f907ee9a5a92a23" + "11bb0b435510020f78e3bb00099db4d1182928096505fcba84f3ca1238fd" + "1eba5eea1f391bbbcc5424b168063fc17e1ca6e1912ccba44f9d0292308a" + "1fedb80612529b39f59d0a3f8180b5ba201132197f93a5815ded938df8e7" + "d93c9b15766588f339bb59100afda494a7e452d7dd4c9a19ce2ec3a33a18" + "b20f0b4dade172bee19f26f0dcbe41", + 16, + ) + rsa2040_P = int( + "0ec3869cb92d406caddf7a319ab29448bc505a05913707873361fc5b986a" + "499fb65eeb815a7e37687d19f128087289d9bb8818e7bcca502c4900ad9a" + "ece1179be12ff3e467d606fc820ea8f07ac9ebffe2236e38168412028822" + "3e42dbe68dfd972a85a6447e51695f234da7911c67c9ab9531f33df3b994" + "32d4ee88c9a4efbb", + 16, + ) + rsa2040_Q = int( + "0ca63934549e85feac8e0f5604303fd1849fe88af4b7f7e1213283bbc7a2" + "c2a509f9273c428c68de3db93e6145f1b400bd6d4a262614e9043ad362d4" + "eba4a6b995399c8934a399912199e841d8e8dbff0489f69e663796730b29" + "80530b31cb70695a21625ea2adccc09d930516fa872211a91e22dd89fd9e" + "b7da8574b72235b1", + 16, + ) + rsa2040_exp1 = int( + "0d7d3a75e17f65f8a658a485c4095c10a4f66979e2b73bca9cf8ef21253e" + "1facac6d4791f58392ce8656f88f1240cc90c29653e3100c6d7a38ed44b1" + "63b339e5f3b6e38912126c69b3ceff2e5192426d9649b6ffca1abb75d2ba" + "2ed6d9a26aa383c5973d56216ff2edb90ccf887742a0f183ac92c94cf187" + "657645c7772d9ad7", + 16, + ) + rsa2040_exp2 = int( + "03f550194c117f24bea285b209058032f42985ff55acebe88b16df9a3752" + "7b4e61dc91a68dbc9a645134528ce5f248bda2893c96cb7be79ee73996c7" + "c22577f6c2f790406f3472adb3b211b7e94494f32c5c6fcc0978839fe472" + "4c31b06318a2489567b4fca0337acb1b841227aaa5f6c74800a2306929f0" + "2ce038bad943df41", + 16, + ) + rsa2040_coef = int( + "080a7dbfa8c2584814c71664c56eb62ce4caf16afe88d4499159d674774a" + "3a3ecddf1256c02fc91525c527692422d0aba94e5c41ee12dc71bb66f867" + "9fa17e096f28080851ba046eb31885c1414e8985ade599d907af17453d1c" + "caea2c0d06443f8367a6be154b125e390ee0d90f746f08801dd3f5367f59" + "fba2e5a67c05f375", + 16, + ) + + rsa1024_N = int( + "00d3a97440101eba8c5df9503e6f935eb52ffeb3ebe9d0dc5cace26f973c" + "a94cbc0d9c31d66c0c013bce9c82d0d480328df05fb6bcd7990a5312ddae" + "6152ad6ee61c8c1bdd8663c68bd36224a9882ae78e89f556dfdbe6f51da6" + "112cbfc27c8a49336b41afdb75321b52b24a7344d1348e646351a551c757" + "1ccda0b8fe35f61a75", + 16, + ) + rsa1024_E = 65537 + rsa1024_D = int( + "5b6708e185548fc07ff062dba3792363e106ff9177d60ee3227162391024" + "1813f958a318f26db8b6a801646863ebbc69190d6c2f5e7723433e99666d" + "76b3987892cd568f1f18451e8dc05477c0607ee348380ebb7f4c98d0c036" + "a0260bc67b2dab46cbaa4ce87636d839d8fddcbae2da3e02e8009a21225d" + "d7e47aff2f82699d", + 16, + ) + rsa1024_P = int( + "00fcdee570323e8fc399dbfc63d8c1569546fb3cd6886c628668ab1e1d0f" + "ca71058febdf76d702970ad6579d80ac2f9521075e40ef8f3f39983bd819" + "07e898bad3", + 16, + ) + rsa1024_Q = int( + "00d64801c955b4eb75fbae230faa8b28c9cc5e258be63747ff5ac8d2af25" + "3e9f6d6ce03ea2eb13ae0eb32572feb848c32ca00743635374338fedacd8" + "c5885f7897", + 16, + ) + rsa1024_exp1 = int( + "76c0526d5b1b28368a75d5d42a01b9a086e20b9310241e2cd2d0b166a278" + "c694ff1e9d25d9193d47789b52bb0fa194de1af0b77c09007f12afdfeef9" + "58d108c3", + 16, + ) + rsa1024_exp2 = int( + "008a41898d8b14217c4d782cbd15ef95d0a660f45ed09a4884f4e170367b" + "946d2f20398b907896890e88fe17b54bd7febe133ebc7720c86fe0649cca" + "7ca121e05f", + 16, + ) + rsa1024_coef = int( + "22db133445f7442ea2a0f582031ee214ff5f661972986f172651d8d6b4ec" + "3163e99bff1c82fe58ec3d075c6d8f26f277020edb77c3ba821b9ba3ae18" + "ff8cb2cb", + 16, + ) + + rsa1016_N = int( + "00d29bb12fb84fddcd29b3a519cb66c43b8d8f8be545ba79384ce663ed03" + "df75991600eb920790d2530cece544db99a71f05896a3ed207165534aa99" + "057e47c47e3bc81ada6fa1e12e37268b5046a55268f9dad7ccb485d81a2e" + "19d50d4f0b6854acaf6d7be69d9a083136e15afa8f53c1c8c84fc6077279" + "dd0e55d7369a5bdd", + 16, + ) + rsa1016_E = 65537 + rsa1016_D = int( + "3c4965070bf390c251d5a2c5277c5b5fd0bdee85cad7fe2b27982bb28511" + "4a507004036ae1cf8ae54b25e4db39215abd7e903f618c2d8b2f08cc6cd1" + "2dbccd72205e4945b6b3df389e5e43de0a148bb2c84e2431fdbe5920b044" + "bb272f45ecff0721b7dfb60397fc613a9ea35c22300530cae8f9159c534d" + "f3bf0910951901", + 16, + ) + rsa1016_P = int( + "0f9f17597c85b8051b9c69afb55ef576c996dbd09047d0ccde5b9d60ea5c" + "67fe4fac67be803f4b6ac5a3f050f76b966fb14f5cf105761e5ade6dd960" + "b183ba55", + 16, + ) + rsa1016_Q = int( + "0d7b637112ce61a55168c0f9c9386fb279ab40cba0d549336bba65277263" + "aac782611a2c81d9b635cf78c40018859e018c5e9006d12e3d2ee6f346e7" + "9fa43369", + 16, + ) + rsa1016_exp1 = int( + "09fd6c9a3ea6e91ae32070f9fc1c210ff9352f97be5d1eeb951bb39681e9" + "dc5b672a532221b3d8900c9a9d99b9d0a4e102dc450ca1b87b0b1389de65" + "16c0ae0d", + 16, + ) + rsa1016_exp2 = int( + "0141b832491b7dd4a83308920024c79cae64bd447df883bb4c5672a96bab" + "48b7123b34f26324452cdceb17f21e570e347cbe2fd4c2d8f9910eac2cb6" + "d895b8c9", + 16, + ) + rsa1016_coef = int( + "0458dd6aee18c88b2f9b81f1bc3075ae20dc1f9973d20724f20b06043d61" + "47c8789d4a07ae88bc82c8438c893e017b13947f62e0b18958a31eb664b1" + "9e64d3e0", + 16, + ) + + def __init__(self, specification): + if specification == "default": + self.RSA_N = self.sharedRSA_N + self.RSA_E = self.sharedRSA_E + self.RSA_D = self.sharedRSA_D + self.RSA_P = self.sharedRSA_P + self.RSA_Q = self.sharedRSA_Q + self.RSA_exp1 = self.sharedRSA_exp1 + self.RSA_exp2 = self.sharedRSA_exp2 + self.RSA_coef = self.sharedRSA_coef + elif specification == "alternate": + self.RSA_N = self.alternateRSA_N + self.RSA_E = self.alternateRSA_E + self.RSA_D = self.alternateRSA_D + self.RSA_P = self.alternateRSA_P + self.RSA_Q = self.alternateRSA_Q + self.RSA_exp1 = self.alternateRSA_exp1 + self.RSA_exp2 = self.alternateRSA_exp2 + self.RSA_coef = self.alternateRSA_coef + elif specification == "ev": + self.RSA_N = self.evRSA_N + self.RSA_E = self.evRSA_E + self.RSA_D = self.evRSA_D + self.RSA_P = self.evRSA_P + self.RSA_Q = self.evRSA_Q + self.RSA_exp1 = self.evRSA_exp1 + self.RSA_exp2 = self.evRSA_exp2 + self.RSA_coef = self.evRSA_coef + elif specification == "evRSA2040": + self.RSA_N = self.evRSA2040_N + self.RSA_E = self.evRSA2040_E + self.RSA_D = self.evRSA2040_D + self.RSA_P = self.evRSA2040_P + self.RSA_Q = self.evRSA2040_Q + self.RSA_exp1 = self.evRSA2040_exp1 + self.RSA_exp2 = self.evRSA2040_exp2 + self.RSA_coef = self.evRSA2040_coef + elif specification == "rsa2040": + self.RSA_N = self.rsa2040_N + self.RSA_E = self.rsa2040_E + self.RSA_D = self.rsa2040_D + self.RSA_P = self.rsa2040_P + self.RSA_Q = self.rsa2040_Q + self.RSA_exp1 = self.rsa2040_exp1 + self.RSA_exp2 = self.rsa2040_exp2 + self.RSA_coef = self.rsa2040_coef + elif specification == "rsa1024": + self.RSA_N = self.rsa1024_N + self.RSA_E = self.rsa1024_E + self.RSA_D = self.rsa1024_D + self.RSA_P = self.rsa1024_P + self.RSA_Q = self.rsa1024_Q + self.RSA_exp1 = self.rsa1024_exp1 + self.RSA_exp2 = self.rsa1024_exp2 + self.RSA_coef = self.rsa1024_coef + elif specification == "rsa1016": + self.RSA_N = self.rsa1016_N + self.RSA_E = self.rsa1016_E + self.RSA_D = self.rsa1016_D + self.RSA_P = self.rsa1016_P + self.RSA_Q = self.rsa1016_Q + self.RSA_exp1 = self.rsa1016_exp1 + self.RSA_exp2 = self.rsa1016_exp2 + self.RSA_coef = self.rsa1016_coef + else: + raise UnknownKeySpecificationError(specification) + + def toDER(self): + privateKeyInfo = PrivateKeyInfo() + privateKeyInfo["version"] = 0 + algorithmIdentifier = rfc2459.AlgorithmIdentifier() + algorithmIdentifier["algorithm"] = rfc2459.rsaEncryption + # Directly setting parameters to univ.Null doesn't currently work. + nullEncapsulated = encoder.encode(univ.Null()) + algorithmIdentifier["parameters"] = univ.Any(nullEncapsulated) + privateKeyInfo["privateKeyAlgorithm"] = algorithmIdentifier + rsaPrivateKey = RSAPrivateKey() + rsaPrivateKey["version"] = 0 + rsaPrivateKey["modulus"] = self.RSA_N + rsaPrivateKey["publicExponent"] = self.RSA_E + rsaPrivateKey["privateExponent"] = self.RSA_D + rsaPrivateKey["prime1"] = self.RSA_P + rsaPrivateKey["prime2"] = self.RSA_Q + rsaPrivateKey["exponent1"] = self.RSA_exp1 + rsaPrivateKey["exponent2"] = self.RSA_exp2 + rsaPrivateKey["coefficient"] = self.RSA_coef + rsaPrivateKeyEncoded = encoder.encode(rsaPrivateKey) + privateKeyInfo["privateKey"] = univ.OctetString(rsaPrivateKeyEncoded) + return encoder.encode(privateKeyInfo) + + def toPEM(self): + output = "-----BEGIN PRIVATE KEY-----" + der = self.toDER() + b64 = six.ensure_text(base64.b64encode(der)) + while b64: + output += "\n" + b64[:64] + b64 = b64[64:] + output += "\n-----END PRIVATE KEY-----" + return output + + def asSubjectPublicKeyInfo(self): + """Returns a subject public key info representing + this key for use by pyasn1.""" + algorithmIdentifier = rfc2459.AlgorithmIdentifier() + algorithmIdentifier["algorithm"] = rfc2459.rsaEncryption + # Directly setting parameters to univ.Null doesn't currently work. + nullEncapsulated = encoder.encode(univ.Null()) + algorithmIdentifier["parameters"] = univ.Any(nullEncapsulated) + spki = rfc2459.SubjectPublicKeyInfo() + spki["algorithm"] = algorithmIdentifier + rsaKey = RSAPublicKey() + rsaKey["N"] = univ.Integer(self.RSA_N) + rsaKey["E"] = univ.Integer(self.RSA_E) + subjectPublicKey = univ.BitString( + byteStringToHexifiedBitString(encoder.encode(rsaKey)) + ) + spki["subjectPublicKey"] = subjectPublicKey + return spki + + def sign(self, data, hashAlgorithm): + """Returns a hexified bit string representing a + signature by this key over the specified data. + Intended for use with pyasn1.type.univ.BitString""" + hashAlgorithmName = None + if hashAlgorithm == HASH_MD5: + hashAlgorithmName = "MD5" + elif hashAlgorithm == HASH_SHA1: + hashAlgorithmName = "SHA-1" + elif hashAlgorithm == HASH_SHA256: + hashAlgorithmName = "SHA-256" + elif hashAlgorithm == HASH_SHA384: + hashAlgorithmName = "SHA-384" + elif hashAlgorithm == HASH_SHA512: + hashAlgorithmName = "SHA-512" + else: + raise UnknownHashAlgorithmError(hashAlgorithm) + rsaPrivateKey = rsa.PrivateKey( + self.RSA_N, self.RSA_E, self.RSA_D, self.RSA_P, self.RSA_Q + ) + signature = rsa.sign(data, rsaPrivateKey, hashAlgorithmName) + return byteStringToHexifiedBitString(signature) + + +ecPublicKey = univ.ObjectIdentifier("1.2.840.10045.2.1") +secp256k1 = univ.ObjectIdentifier("1.3.132.0.10") +secp224r1 = univ.ObjectIdentifier("1.3.132.0.33") +secp256r1 = univ.ObjectIdentifier("1.2.840.10045.3.1.7") +secp384r1 = univ.ObjectIdentifier("1.3.132.0.34") +secp521r1 = univ.ObjectIdentifier("1.3.132.0.35") + + +def longToEvenLengthHexString(val): + h = format(val, "x") + if not len(h) % 2 == 0: + h = "0" + h + return h + + +class ECCKey(object): + secp256k1KeyPair = ( + "35ee7c7289d8fef7a86afe5da66d8bc2ebb6a8543fd2fead089f45ce7acd0fa6" + + "4382a9500c41dad770ffd4b511bf4b492eb1238800c32c4f76c73a3f3294e7c5", + "67cebc208a5fa3df16ec2bb34acc59a42ab4abb0538575ca99b92b6a2149a04f", + ) + + secp224r1KeyPair = ( + "668d72cca6fd6a1b3557b5366104d84408ecb637f08e8c86bbff82cc" + + "00e88f0066d7af63c3298ba377348a1202b03b37fd6b1ff415aa311e", + "04389459926c3296c242b83e10a6cd2011c8fe2dae1b772ea5b21067", + ) + + secp256r1KeyPair = ( + "4fbfbbbb61e0f8f9b1a60a59ac8704e2ec050b423e3cf72e923f2c4f794b455c" + + "2a69d233456c36c4119d0706e00eedc8d19390d7991b7b2d07a304eaa04aa6c0", + "2191403d5710bf15a265818cd42ed6fedf09add92d78b18e7a1e9feb95524702", + ) + + secp384r1KeyPair = ( + "a1687243362b5c7b1889f379154615a1c73fb48dee863e022915db608e252de4b71" + + "32da8ce98e831534e6a9c0c0b09c8d639ade83206e5ba813473a11fa330e05da8c9" + + "6e4383fe27873da97103be2888cff002f05af71a1fddcc8374aa6ea9ce", + "035c7a1b10d9fafe837b64ad92f22f5ced0789186538669b5c6d872cec3d926122b" + + "393772b57602ff31365efe1393246", + ) + + secp521r1KeyPair = ( + "014cdc9cacc47941096bc9cc66752ec27f597734fa66c62b792f88c519d6d37f0d1" + + "6ea1c483a1827a010b9128e3a08070ca33ef5f57835b7c1ba251f6cc3521dc42b01" + + "0653451981b445d343eed3782a35d6cff0ff484f5a883d209f1b9042b726703568b" + + "2f326e18b833bdd8aa0734392bcd19501e10d698a79f53e11e0a22bdd2aad90", + "014f3284fa698dd9fe1118dd331851cdfaac5a3829278eb8994839de9471c940b85" + + "8c69d2d05e8c01788a7d0b6e235aa5e783fc1bee807dcc3865f920e12cf8f2d29", + ) + + def __init__(self, specification): + if specification == "secp256k1": + key_pair = self.secp256k1KeyPair + self.keyOID = secp256k1 + self.curve = ecdsa.SECP256k1 + elif specification == "secp224r1": + key_pair = self.secp224r1KeyPair + self.keyOID = secp224r1 + self.curve = ecdsa.NIST224p + elif specification == "secp256r1": + key_pair = self.secp256r1KeyPair + self.keyOID = secp256r1 + self.curve = ecdsa.NIST256p + elif specification == "secp384r1": + key_pair = self.secp384r1KeyPair + self.keyOID = secp384r1 + self.curve = ecdsa.NIST384p + elif specification == "secp521r1": + key_pair = self.secp521r1KeyPair + self.keyOID = secp521r1 + self.curve = ecdsa.NIST521p + else: + raise UnknownKeySpecificationError(specification) + + self.public_key, self.private_key = ( + binascii.unhexlify(key_pair[0]), + binascii.unhexlify(key_pair[1]), + ) + self.key = ecdsa.SigningKey.from_string(self.private_key, curve=self.curve) + + def getPublicKeyHexifiedString(self): + """Returns the EC public key as a hex string using the uncompressed + point representation. This is intended to be used in the encoder + functions, as it surrounds the value with ''H to indicate its type.""" + p1, p2 = ( + self.public_key[: len(self.public_key) // 2], + self.public_key[len(self.public_key) // 2 :], + ) + # We don't want leading zeroes. + p1, p2 = (p1.lstrip(b"\0"), p2.lstrip(b"\0")) + # '04' indicates that the points are in uncompressed form. + return byteStringToHexifiedBitString(b"\04" + p1 + p2) + + def toPEM(self): + """Return the EC private key in PEM-encoded form.""" + output = "-----BEGIN EC PRIVATE KEY-----" + der = self.toDER() + b64 = six.ensure_text(base64.b64encode(der)) + while b64: + output += "\n" + b64[:64] + b64 = b64[64:] + output += "\n-----END EC PRIVATE KEY-----" + return output + + def toDER(self): + """Return the EC private key in DER-encoded form, encoded per SEC 1 + section C.4 format.""" + privateKeyInfo = PrivateKeyInfo() + privateKeyInfo["version"] = 0 + algorithmIdentifier = rfc2459.AlgorithmIdentifier() + algorithmIdentifier["algorithm"] = ecPublicKey + algorithmIdentifier["parameters"] = self.keyOID + privateKeyInfo["privateKeyAlgorithm"] = algorithmIdentifier + ecPrivateKey = ECPrivateKey() + ecPrivateKey["version"] = 1 + ecPrivateKey["privateKey"] = self.private_key + ecPrivateKey["publicKey"] = univ.BitString( + self.getPublicKeyHexifiedString() + ).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1)) + ecPrivateKeyEncoded = encoder.encode(ecPrivateKey) + privateKeyInfo["privateKey"] = univ.OctetString(ecPrivateKeyEncoded) + return encoder.encode(privateKeyInfo) + + def asSubjectPublicKeyInfo(self): + """Returns a subject public key info representing + this key for use by pyasn1.""" + algorithmIdentifier = rfc2459.AlgorithmIdentifier() + algorithmIdentifier["algorithm"] = ecPublicKey + algorithmIdentifier["parameters"] = self.keyOID + spki = rfc2459.SubjectPublicKeyInfo() + spki["algorithm"] = algorithmIdentifier + spki["subjectPublicKey"] = univ.BitString(self.getPublicKeyHexifiedString()) + return spki + + def signRaw(self, data, hashAlgorithm): + """Performs the ECDSA signature algorithm over the given data. + The returned value is a string representing the bytes of the + resulting point when encoded by left-padding each of (r, s) to + the key size and concatenating them. + """ + assert hashAlgorithm.startswith("hash:") + hashAlgorithm = hashAlgorithm[len("hash:") :] + k = _gen_k(self.curve) + digest = hashlib.new(hashAlgorithm, six.ensure_binary(data)).digest() + digest = _truncate_digest(digest, self.curve) + # NOTE: Under normal circumstances it's advisable to use + # sign_digest_deterministic. In this case we don't want the library's + # default generation of k, so we call the normal "sign" method and + # inject it here. + return self.key.sign_digest(digest, sigencode=ecdsa.util.sigencode_string, k=k) + + def sign(self, data, hashAlgorithm): + """Returns a hexified bit string representing a + signature by this key over the specified data. + Intended for use with pyasn1.type.univ.BitString""" + # signRaw returns an encoded point, which is useful in some situations. + # However, for signatures on X509 certificates, we need to decode it so + # we can encode it as a BITSTRING consisting of a SEQUENCE of two + # INTEGERs. + raw = self.signRaw(data, hashAlgorithm) + point = ECPoint() + point["x"] = int.from_bytes(raw[: len(raw) // 2], byteorder="big") + point["y"] = int.from_bytes(raw[len(raw) // 2 :], byteorder="big") + return byteStringToHexifiedBitString(encoder.encode(point)) + + +def keyFromSpecification(specification): + """Pass in a specification, get the appropriate key back.""" + if specification.startswith("secp"): + return ECCKey(specification) + return RSAKey(specification) + + +# The build harness will call this function with an output file-like +# object and a path to a file containing a specification. This will +# read the specification and output the key as ASCII-encoded PKCS #8. +def main(output, inputPath): + with open(inputPath) as configStream: + output.write(keyFromSpecification(configStream.read().strip()).toPEM() + "\n") + + +# When run as a standalone program, this will read a specification from +# stdin and output the certificate as PEM to stdout. +if __name__ == "__main__": + print(keyFromSpecification(sys.stdin.read().strip()).toPEM()) diff --git a/security/manager/tools/pypkcs12.py b/security/manager/tools/pypkcs12.py new file mode 100644 index 0000000000..ab4c42d53c --- /dev/null +++ b/security/manager/tools/pypkcs12.py @@ -0,0 +1,124 @@ +#!/usr/bin/env python +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +""" +Reads a specification from stdin or a file and outputs a PKCS12 +file with the desired properties. + +The input format currently consists of a pycert certificate +specification (see pycert.py). +Currently, keys other than the default key are not supported. +The password that is used to encrypt and authenticate the file +is "password". +""" + +import base64 +import os +import shutil +import subprocess +import sys + +import mozinfo +import pycert +import pykey +import six +from mozfile import NamedTemporaryFile + + +class Error(Exception): + """Base class for exceptions in this module.""" + + pass + + +class OpenSSLError(Error): + """Class for handling errors when calling OpenSSL.""" + + def __init__(self, status): + super(OpenSSLError, self).__init__() + self.status = status + + def __str__(self): + return "Error running openssl: %s " % self.status + + +def runUtil(util, args): + env = os.environ.copy() + if mozinfo.os == "linux": + pathvar = "LD_LIBRARY_PATH" + app_path = os.path.dirname(util) + if pathvar in env: + env[pathvar] = "%s%s%s" % (app_path, os.pathsep, env[pathvar]) + else: + env[pathvar] = app_path + proc = subprocess.run( + [util] + args, + env=env, + universal_newlines=True, + ) + return proc.returncode + + +class PKCS12(object): + """Utility class for reading a specification and generating + a PKCS12 file""" + + def __init__(self, paramStream): + self.cert = pycert.Certificate(paramStream) + self.key = pykey.keyFromSpecification("default") + + def toDER(self): + with NamedTemporaryFile(mode="wt+") as certTmp, NamedTemporaryFile( + mode="wt+" + ) as keyTmp, NamedTemporaryFile(mode="rb+") as pkcs12Tmp: + certTmp.write(self.cert.toPEM()) + certTmp.flush() + keyTmp.write(self.key.toPEM()) + keyTmp.flush() + openssl = shutil.which("openssl") + status = runUtil( + openssl, + [ + "pkcs12", + "-export", + "-inkey", + keyTmp.name, + "-in", + certTmp.name, + "-out", + pkcs12Tmp.name, + "-passout", + "pass:password", + ], + ) + if status != 0: + raise OpenSSLError(status) + return pkcs12Tmp.read() + + def toPEM(self): + output = "-----BEGIN PKCS12-----" + der = self.toDER() + b64 = six.ensure_text(base64.b64encode(der)) + while b64: + output += "\n" + b64[:64] + b64 = b64[64:] + output += "\n-----END PKCS12-----" + return output + + +# The build harness will call this function with an output +# file-like object and a path to a file containing a +# specification. This will read the specification and output +# the PKCS12 file. +def main(output, inputPath): + with open(inputPath) as configStream: + output.write(PKCS12(configStream).toDER()) + + +# When run as a standalone program, this will read a specification from +# stdin and output the PKCS12 file as PEM to stdout. +if __name__ == "__main__": + print(PKCS12(sys.stdin).toPEM()) |